#! /bin/sh
# Configure-time debconf dialogue for slapd: asks for the initial
# directory settings on a fresh install and for database-dump settings
# on upgrade.  Any failing command aborts the script (set -e), so the
# debconf calls that may legitimately fail are suffixed with "|| true".
set -e
# Load the debconf client library (db_input, db_get, db_go, db_fset, ...)
. /usr/share/debconf/confmodule
# This will be replaced with debian/slapd.scripts-common which includes
# various helper functions and $OLD_VERSION and $SLAPD_CONF
# (the marker below is substituted at package build time; keep it as is)
#SCRIPTSCOMMON#
# Check if the user wants to configure slapd manually
want_manual_configuration() {
    # Ask whether the admin wants to skip the automatic configuration.
    # Returns 0 (true) when slapd/no_configuration is answered "true",
    # 1 otherwise.  The answer is also left in $no_configuration.
    db_input medium slapd/no_configuration || true
    db_go || true
    db_get slapd/no_configuration
    no_configuration="$RET"
    [ "$no_configuration" = "true" ]
}
# Make sure the values entered make sense
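validate_initial_config() {
    # Check that the answers given for the initial directory make sense.
    # Every rejected answer gets its "seen" flag cleared so that debconf
    # asks the question again on the next pass.
    # Returns 0 when all answers are valid (or the admin chose to give up
    # on automatic configuration), 1 when the questions must be repeated.
    local invalid
    invalid=""
    # The domain name must be non-empty and may only contain ASCII
    # letters, digits, dots and hyphens.  The check is done with a shell
    # pattern rather than "echo | grep": echo's treatment of a value
    # beginning with "-" varies between shells, and no fork is needed.
    # UTF-8 (IDN) domain names are deliberately not accepted: the value
    # is written verbatim into the LDIF, where a non-ASCII value would
    # first have to be Base64 encoded.
    db_get slapd/domain
    case "$RET" in
        ''|*[!a-zA-Z0-9.-]*)
            db_fset slapd/domain seen false
            invalid=true
            ;;
    esac
    # The organization name may not be empty
    db_get shared/organization
    if [ -z "$RET" ]; then
        db_fset shared/organization seen false
        invalid=true
    fi
    # Both copies of the admin password must match
    local pass1 pass2
    db_get slapd/password1
    pass1="$RET"
    db_get slapd/password2
    pass2="$RET"
    if [ "$pass1" != "$pass2" ]; then
        db_fset slapd/password1 seen false
        db_fset slapd/password2 seen false
        invalid=true
    fi
    # Tell the admin.  If they decline to retry, record that slapd is
    # not to be configured automatically and report success so the
    # question loop in the caller terminates.
    if [ "$invalid" ]; then
        db_fset slapd/invalid_config seen false
        db_input critical slapd/invalid_config || true
        db_go || true
        db_get slapd/invalid_config
        if [ "$RET" != "true" ]; then
            db_set slapd/no_configuration true
            invalid=
        fi
    fi
    [ -z "$invalid" ]
}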
# Query the information we need to create an initial directory
query_initial_config() {
    # Keep asking the questions needed to create the initial directory
    # until validate_initial_config accepts the answers.
    while :; do
        db_input medium slapd/domain || true
        db_input medium shared/organization || true
        db_input high slapd/password1 || true
        db_input high slapd/password2 || true
        db_input low slapd/backend || true
        db_input low slapd/purge_database || true
        # XXX - only the default database directory is checked here; a
        # more general solution would look at the directory actually in
        # use, but for now this does the trick.
        if [ -e /var/lib/ldap ] && ! is_empty_dir /var/lib/ldap; then
            db_input low slapd/move_old_database || true
        fi
        db_go || true
        validate_initial_config && break
    done
}
# ----- Configuration of LDIF dumping and reloading --------------------- {{{
#
# Dumping the database can have negative effects on the system we are
# running on. If there is a lot of data dumping it might fill a partition
# for example. Therefore we must give the user exact control over what we
# are doing.
configure_dumping() { # {{{
    # Ask whether, and into which directory, the LDAP databases should
    # be dumped.  Nothing is asked when dumping is not enabled for this
    # upgrade.
    # Usage: configure_dumping
    database_dumping_enabled || return 0
    # Ask when to dump; "never" ends the dialogue here
    db_input medium slapd/dump_database || true
    db_go || true
    db_get slapd/dump_database
    [ "$RET" != never ] || return 0
    # Ask for the destination directory; an empty answer means
    # "go back to the default"
    db_input medium slapd/dump_database_destdir || true
    db_go || true
    db_get slapd/dump_database_destdir
    [ -n "$RET" ] || db_reset slapd/dump_database_destdir
}
# }}}
# }}}
warn_about_selfwrite_acl() { # {{{
    # Previous versions of slapd.init.ldif installed a database ACL
    # beginning with "to * by self write", which grants every
    # authenticated entry write access to all of its own attributes.
    # That has possible security implications, so warn the admin when
    # such a rule is still present in the cn=config database files.
    [ -d "$SLAPD_CONF" ] || return 0
    local acl_re
    acl_re='^olcAccess: {[0-9]*}to \* by self write'
    if grep -q "$acl_re" "$SLAPD_CONF"/cn\=config/olcDatabase*.ldif 2>/dev/null; then
        db_input high slapd/unsafe_selfwrite_acl || true
    fi
}
# }}}
# Create an initial directory on a fresh install, unless the admin
# prefers to configure slapd by hand.
if is_initial_configuration "$@" && ! want_manual_configuration; then
    set_defaults_for_unseen_entries
    query_initial_config
fi
# When upgrading from an older version ($2 is the previously configured
# version), configure the dumping component and check the existing
# configuration for the unsafe self-write ACL.
if [ "$1" = configure ] && [ -n "$2" ]; then
    configure_dumping
    warn_about_selfwrite_acl
fi
db_go || true
exit 0