26f8149218
The MDB backend is the default in Ubuntu and specifying HDB in debconf doesn't change it to HDB. Closes-Bug: #1939700 Change-Id: If98f7fc8395678365fb73f0c5cd926cef083e470
197 lines
5.6 KiB
Bash
197 lines
5.6 KiB
Bash
#!/bin/bash
|
|
#
|
|
# lib/ldap
|
|
# Functions to control the installation and configuration of **ldap**
|
|
|
|
# ``lib/keystone`` calls the entry points in this order:
|
|
#
|
|
# - install_ldap()
|
|
|
|
# Save trace setting
|
|
_XTRACE_LDAP=$(set +o | grep xtrace)
|
|
set +o xtrace
|
|
|
|
|
|
LDAP_DOMAIN=${LDAP_DOMAIN:-openstack.org}
|
|
# Make an array of domain components
|
|
DC=(${LDAP_DOMAIN/./ })
|
|
|
|
# Leftmost domain component used in top-level entry
|
|
LDAP_BASE_DC=${DC[0]}
|
|
|
|
# Build the base DN
|
|
dn=""
|
|
for dc in ${DC[*]}; do
|
|
dn="$dn,dc=$dc"
|
|
done
|
|
LDAP_BASE_DN=${dn#,}
|
|
|
|
LDAP_MANAGER_DN="${LDAP_MANAGER_DN:-cn=Manager,${LDAP_BASE_DN}}"
|
|
LDAP_URL=${LDAP_URL:-ldap://localhost}
|
|
|
|
LDAP_SERVICE_NAME=slapd
|
|
|
|
if is_ubuntu; then
|
|
LDAP_OLCDB_NUMBER=1
|
|
LDAP_OLCDB_TYPE=mdb
|
|
LDAP_ROOTPW_COMMAND=replace
|
|
elif is_fedora; then
|
|
LDAP_OLCDB_NUMBER=2
|
|
LDAP_OLCDB_TYPE=hdb
|
|
LDAP_ROOTPW_COMMAND=add
|
|
elif is_suse; then
|
|
# SUSE has slappasswd in /usr/sbin/
|
|
PATH=$PATH:/usr/sbin/
|
|
LDAP_OLCDB_NUMBER=1
|
|
LDAP_OLCDB_TYPE=hdb
|
|
LDAP_ROOTPW_COMMAND=add
|
|
LDAP_SERVICE_NAME=ldap
|
|
fi
|
|
|
|
|
|
# Functions
|
|
# ---------
|
|
|
|
# Perform common variable substitutions on the data files
|
|
# _ldap_varsubst file
|
|
function _ldap_varsubst {
|
|
local infile=$1
|
|
local slappass=$2
|
|
sed -e "
|
|
s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|
|
|
s|\${LDAP_OLCDB_TYPE}|$LDAP_OLCDB_TYPE|
|
|
s|\${SLAPPASS}|$slappass|
|
|
s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|
|
|
s|\${BASE_DC}|$LDAP_BASE_DC|
|
|
s|\${BASE_DN}|$LDAP_BASE_DN|
|
|
s|\${MANAGER_DN}|$LDAP_MANAGER_DN|
|
|
" $infile
|
|
}
|
|
|
|
# clean_ldap() - Remove ldap server
|
|
function cleanup_ldap {
|
|
uninstall_package $(get_packages ldap)
|
|
if is_ubuntu; then
|
|
uninstall_package slapd ldap-utils libslp1
|
|
sudo rm -rf /etc/ldap/ldap.conf /var/lib/ldap
|
|
elif is_fedora; then
|
|
sudo rm -rf /etc/openldap /var/lib/ldap
|
|
elif is_suse; then
|
|
sudo rm -rf /var/lib/ldap
|
|
fi
|
|
}
|
|
|
|
# init_ldap
|
|
# init_ldap() - Initialize databases, etc.
|
|
function init_ldap {
|
|
local keystone_ldif
|
|
|
|
local tmp_ldap_dir
|
|
tmp_ldap_dir=$(mktemp -d -t ldap.$$.XXXXXXXXXX)
|
|
|
|
# Remove data but not schemas
|
|
clear_ldap_state
|
|
|
|
# Add our top level ldap nodes
|
|
if ldapsearch -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -b "$LDAP_BASE_DN" | grep -q "Success"; then
|
|
printf "LDAP already configured for $LDAP_BASE_DC\n"
|
|
else
|
|
printf "Configuring LDAP for $LDAP_BASE_DC\n"
|
|
# If BASE_DN is changed, the user may override the default file
|
|
if [[ -r $FILES/ldap/${LDAP_BASE_DC}.ldif.in ]]; then
|
|
local keystone_ldif=${LDAP_BASE_DC}.ldif
|
|
else
|
|
local keystone_ldif=keystone.ldif
|
|
fi
|
|
_ldap_varsubst $FILES/ldap/${keystone_ldif}.in >$tmp_ldap_dir/${keystone_ldif}
|
|
if [[ -r $tmp_ldap_dir/${keystone_ldif} ]]; then
|
|
ldapadd -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -c -f $tmp_ldap_dir/${keystone_ldif}
|
|
fi
|
|
fi
|
|
|
|
rm -rf $tmp_ldap_dir
|
|
}
|
|
|
|
# install_ldap
|
|
# install_ldap() - Collect source and prepare
|
|
function install_ldap {
|
|
echo "Installing LDAP inside function"
|
|
echo "os_VENDOR is $os_VENDOR"
|
|
|
|
local tmp_ldap_dir
|
|
tmp_ldap_dir=$(mktemp -d -t ldap.$$.XXXXXXXXXX)
|
|
|
|
printf "installing OpenLDAP"
|
|
if is_ubuntu; then
|
|
configure_ldap
|
|
elif is_fedora; then
|
|
start_ldap
|
|
elif is_suse; then
|
|
_ldap_varsubst $FILES/ldap/suse-base-config.ldif.in >$tmp_ldap_dir/suse-base-config.ldif
|
|
sudo slapadd -F /etc/openldap/slapd.d/ -bcn=config -l $tmp_ldap_dir/suse-base-config.ldif
|
|
sudo sed -i '/^OPENLDAP_START_LDAPI=/s/"no"/"yes"/g' /etc/sysconfig/openldap
|
|
start_ldap
|
|
fi
|
|
|
|
echo "LDAP_PASSWORD is $LDAP_PASSWORD"
|
|
local slappass
|
|
slappass=$(slappasswd -s $LDAP_PASSWORD)
|
|
printf "LDAP secret is $slappass\n"
|
|
|
|
# Create manager.ldif and add to olcdb
|
|
_ldap_varsubst $FILES/ldap/manager.ldif.in $slappass >$tmp_ldap_dir/manager.ldif
|
|
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $tmp_ldap_dir/manager.ldif
|
|
|
|
# On fedora we need to manually add cosine and inetorgperson schemas
|
|
if is_fedora; then
|
|
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
|
|
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
|
|
fi
|
|
|
|
rm -rf $tmp_ldap_dir
|
|
}
|
|
|
|
# configure_ldap() - Configure LDAP - reconfigure slapd
|
|
function configure_ldap {
|
|
sudo debconf-set-selections <<EOF
|
|
slapd slapd/internal/generated_adminpw password $LDAP_PASSWORD
|
|
slapd slapd/internal/adminpw password $LDAP_PASSWORD
|
|
slapd slapd/password2 password $LDAP_PASSWORD
|
|
slapd slapd/password1 password $LDAP_PASSWORD
|
|
slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
|
|
slapd slapd/domain string Users
|
|
slapd shared/organization string $LDAP_DOMAIN
|
|
slapd slapd/backend string ${LDAP_OLCDB_TYPE^^}
|
|
slapd slapd/purge_database boolean true
|
|
slapd slapd/move_old_database boolean true
|
|
slapd slapd/allow_ldap_v2 boolean false
|
|
slapd slapd/no_configuration boolean false
|
|
slapd slapd/dump_database select when needed
|
|
EOF
|
|
sudo apt-get install -y slapd ldap-utils
|
|
sudo dpkg-reconfigure -f noninteractive $LDAP_SERVICE_NAME
|
|
}
|
|
|
|
# start_ldap() - Start LDAP
|
|
function start_ldap {
|
|
sudo service $LDAP_SERVICE_NAME restart
|
|
}
|
|
|
|
# stop_ldap() - Stop LDAP
|
|
function stop_ldap {
|
|
sudo service $LDAP_SERVICE_NAME stop
|
|
}
|
|
|
|
# clear_ldap_state() - Clear LDAP State
|
|
function clear_ldap_state {
|
|
ldapdelete -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -r "$LDAP_BASE_DN" || :
|
|
}
|
|
|
|
# Restore xtrace
|
|
$_XTRACE_LDAP
|
|
|
|
# Tell emacs to use shell-script-mode
|
|
## Local variables:
|
|
## mode: shell-script
|
|
## End:
|