Add configuration for LDAPS

Change-Id: I862e0b2c6c708852fe2b8f52828d1b90b640dded
2016-06-28 16:18:31 +02:00 · 2016-06-28 16:18:31 +02:00 · dc2fe09ea6
commit dc2fe09ea6
parent 1aadb186aa
2 changed files with 41 additions and 2 deletions
--- a/fixtures/ldap/Readme.md
+++ b/fixtures/ldap/Readme.md
@ -15,8 +15,11 @@ perform the following actions:
    - *uadmin* user that will belong to admins group
    - *uviewer* user that will belong to viewers group

-To check that every is fine you can do the following search that should show
-all inputs listed above.
+To check that everything works well you can perform the following search
+that should show all inputs listed above.
 ```
 ldapsearch -x -b "dc=stacklight,dc=ci" -D "cn=admin,dc=stacklight,dc=ci" -W
 ```
+
+The server is running LDAP and LDAPS. The self-signed certificate is generated
+by the script and stored in */etc/ldap/ssl/slapd.pem*.
--- a/fixtures/ldap/install_slapd.sh
+++ b/fixtures/ldap/install_slapd.sh
@ -9,6 +9,12 @@ then echo "Please run as root"
    exit 1
 fi

+OPENSSL=$(which openssl)
+if [ "$?" -ne 0 ]; then
+    echo "openssl: command not found"
+    exit 1
+fi
+
 DOMAIN="stacklight.ci"
 BASE_DN="dc=stacklight,dc=ci"
 BIND_DN="cn=admin,${BASE_DN}"
@ -95,6 +101,36 @@ objectclass: posixGroup
 objectclass: top
 EOF

+# ############################################################################
+# Configure LDAPS
+
+SLAPD_CERT_DIR="/etc/ldap/ssl"
+SLAPD_CERT="${SLAPD_CERT_DIR}/slapd.pem"
+mkdir -p $SLAPD_CERT_DIR
+$OPENSSL req -newkey rsa:2048 -x509 -nodes -days 3650 \
+    -out $SLAPD_CERT -keyout $SLAPD_CERT \
+    -subj "/C=FR/ST=Rhone-Alpes/L=Grenoble/O=Mirantis/OU=StackLight CI/CN=localhost"
+chown -R openldap:openldap $SLAPD_CERT_DIR
+chmod 0400 $SLAPD_CERT
+
+
+ldapmodify -Y EXTERNAL -H ldapi:/// << EOF
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: "${SLAPD_CERT}"
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: "${SLAPD_CERT}"
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: "${SLAPD_CERT}"
+EOF
+
+# Enable ldaps in the configuration file
+sed -i 's,^SLAPD_SERVICES=.*$,SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///",g' /etc/default/slapd
+
+# Restart the service
+/etc/init.d/slapd restart
+
 # ############################################################################
 # Validate the installation