summaryrefslogtreecommitdiffstats
path: root/debian/slapd.config
blob: 7595729770c550e552c7e3d202d5dec78fa6d933 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
#! /bin/sh

set -e

# Load debconf
. /usr/share/debconf/confmodule

# This will be replaced with debian/slapd.scripts-common which includes
# various helper functions and $OLD_VERSION and $SLAPD_CONF
#SCRIPTSCOMMON#

# Check if the user wants to configure slapd manually
want_manual_configuration() {
  db_input medium slapd/no_configuration || true
  db_go || true
  db_get slapd/no_configuration
  no_configuration="$RET"
  
  if [ "$no_configuration" = "true" ]; then
    return 0
  fi
  return 1
}

# Make sure the values entered make sense
validate_initial_config() {
  local invalid
  invalid=""
 
  # Make sure the domain name is valid
  # The regexp doesn't work for UTF-8 domain names, but for that to
  # work, we would also need to Base64 encode it in the LDIF; since
  # we're not doing it at the moment, this should be fine for now
  db_get slapd/domain
  if [ -z "$RET" ] || ! echo "$RET" | LC_COLLATE='C.UTF-8' grep -q '^[a-zA-Z0-9.-]*$'; then
    db_fset slapd/domain seen false
    invalid=true
  fi
 
  # Suffix and Organization may not be empty
  db_get shared/organization
  if [ -z "$RET" ]; then
    db_fset shared/organization seen false
    invalid=true
  fi

  # Make sure the passwords match
  local pass1 pass2
  db_get slapd/password1
  pass1="$RET"
  db_get slapd/password2
  pass2="$RET"
  
  if [ "$pass1" != "$pass2" ]; then
    db_fset slapd/password1 seen false
    db_fset slapd/password2 seen false
    invalid=true
  fi

  # Tell the user
  if [ "$invalid" ]; then
    db_fset slapd/invalid_config seen false
    db_input critical slapd/invalid_config || true
    db_go || true
    db_get slapd/invalid_config
    if [ "$RET" != "true" ]; then
      db_set slapd/no_configuration true
      invalid=
    fi
  fi

  if [ "$invalid" ]; then 
    return 1
  else
    return 0
  fi
}

# Query the information we need to create an initial directory
query_initial_config() {
  while true; do
    db_input medium slapd/domain || true
    db_input medium shared/organization || true
    db_input high slapd/password1 || true
    db_input high slapd/password2 || true
    db_input low slapd/purge_database || true
    # XXX - should be done more general, but for now this should do
    # the trick
    if [ -e "/var/lib/ldap" ] && ! is_empty_dir /var/lib/ldap; then
      db_input low slapd/move_old_database || true
    fi
    db_go || true

    if validate_initial_config; then
      break
    fi
  done
}

# ----- Configuration of LDIF dumping and reloading---------------------  {{{
#
# Dumping the database can have negative effects on the system we are
# running on. If there is a lot of data dumping it might fill a partition
# for example. Therefore we must give the user exact control over what we
# are doing.

configure_dumping() {							# {{{
# Ask the user for the configuration of the dumping component
# Usage: configure_dumping

  # Look if the user wants to migrate to the BDB backend
  if ! database_dumping_enabled; then
    return 0
  fi

	# Configure if and where to dump the LDAP databases
	db_input medium slapd/dump_database || true
	db_go || true
	db_get slapd/dump_database

	# Abort if the user does not want dumping
	if [ "$RET" = never ]; then
		return 0
	fi

	db_input medium slapd/dump_database_destdir || true
	db_go || true

	# If the user entered the empty value, go back to the default
	db_get slapd/dump_database_destdir 
	if [ "$RET" = "" ]; then
		db_reset slapd/dump_database_destdir
	fi
}

# }}}
# }}}

warn_about_selfwrite_acl() {						# {{{
# Warn about databases having an acl beginning with "to * by self 
# write", installed by default in previous versions of slapd.init.ldif 
# but having possible security implications.
	if [ -d "$SLAPD_CONF" ]; then
		if grep -q '^olcAccess: {[0-9]*}to \* by self write' \
			"$SLAPD_CONF"/cn\=config/olcDatabase*.ldif 2>/dev/null; then
			db_input high slapd/unsafe_selfwrite_acl || true
		fi
	fi
}
# }}}

# Create an initial directory on fresh install
if is_initial_configuration "$@"; then
	if ! want_manual_configuration; then
		set_defaults_for_unseen_entries
		query_initial_config
	fi
fi

# Configure the dumping component if we are upgrading some older version.
if [ "$1" = configure ] && [ -n "$2" ]; then
	configure_dumping
	warn_about_selfwrite_acl
fi
   
db_go || true

exit 0