Codebase list debian-edu-config / 9573d80
Move LDAP database backend from deprecated BDB to default MDB one Add share/debian-edu-config/slapd-debian-edu-mdb.conf (configuration) Adjust cf3/cf.ldapserver to copy/link configuration file conditionally Adjust debian/debian-edu-config.postinst to handle the migration upon upgrades Signed-off-by: Wolfgang Schweer <wschweer@arcor.de> Wolfgang Schweer 2 years ago
5 changed file(s) with 203 addition(s) and 2 deletion(s). Raw diff Collapse all Expand all
101101 php/apache2/php-debian-edu.ini \
102102 insserv/overrides/ntp \
103103 ldap/rootDSE-debian-edu.ldif \
104 ldap/slapd-debian-edu.conf \
105104 samba/smb-debian-edu.conf \
106105 slbackup-php/config.php \
107106 smbldap-tools/smbldap_bind.conf \
341340 share/debian-edu-config/isc-dhcp-server.service \
342341 share/debian-edu-config/isc-dhcp-server.service.eth1_only \
343342 share/debian-edu-config/killer.cron \
343 share/debian-edu-config/slapd-debian-edu-mdb.conf \
344344 share/pam-configs/edu-group \
345345 share/pam-configs/edu-umask \
346346 share/perl5/Debian/Edu.pm \
77
88 debian.server.installation::
99
10 "etc/ldap/slapd-debian-edu-mdb.conf"
11 copy_from => local_cp("/usr/share/debian-edu-config/slapd-debian-edu-mdb.conf");
1012 "/etc/ldap/slapd.conf"
11 link_from => ln_s("/etc/ldap/slapd-debian-edu.conf"),
13 link_from => ln_s("/etc/ldap/slapd-debian-edu-mdb.conf"),
1214 move_obstructions => "true";
1315
1416 commands:
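Review bot: The new copy promise is written as `"etc/ldap/slapd-debian-edu-mdb.conf"` without a leading slash, while the link promise right below it uses the absolute `"/etc/ldap/slapd.conf"`; unless the slash was lost in rendering, cf-agent rejects a relative path in a files promise, the copy never happens and the new `slapd.conf` symlink points at a missing file. It should read `"/etc/ldap/slapd-debian-edu-mdb.conf"`. Note also that this promise only installs the new file; nothing here retires `/etc/ldap/slapd-debian-edu.conf`, so on hosts not migrated by the postinst both configurations remain side by side. The enclosing files: section starts above the hunk.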
252252 sed -i '/post-up/d' /etc/network/interfaces
253253 fi
254254 fi
255 # Move LDAP BDB data base to default MDB one.
256 if dpkg --compare-versions "$2" le "2.12.1" && grep -q Main-Server /etc/debian-edu/config && \
257 [ ! -f /var/lib/ldap/data.mdb ] ; then
258 TMPDIR=$(mktemp -d)
259 slapcat > $TMPDIR/all.ldif
260 service slapd stop
261 rm /var/lib/ldap/*
262 cp /usr/share/debian-edu-config/slapd-debian-edu-mdb.conf /etc/ldap
263 ln -sf /etc/ldap/slapd-debian-edu-mdb.conf /etc/ldap/slapd.conf
264 service slapd start
265 slapadd -l $TMPDIR/all.ldif
266 if [ -f /var/lib/ldap/data.mdb ] ; then
267 rm $TMPDIR/all.ldif
268 rm -f /etc/ldap/slapd-debian-edu.conf
269 fi
270 fi
255271 ;;
256272 esac
257273
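Review bot: The success check `[ -f /var/lib/ldap/data.mdb ]` after `slapadd` does not show that the import worked: slapd is started on line 264 before `slapadd` runs, and to my understanding back-mdb creates `data.mdb` as soon as the server opens the still-empty environment, so the dump is deleted even when `slapadd` fails, and slapadd(8) is meant to be run against a stopped server anyway. `rm /var/lib/ldap/*` also discards the only BDB copy before the import has succeeded, the dump (which carries password hashes and Kerberos keys) lives under `/tmp` with an unquoted `$TMPDIR`, and `$2` is empty on a fresh install, which `dpkg --compare-versions` treats as older than 2.12.1, so the block runs before slapd has ever been configured. I would guard on `-n "$2"`, stop slapd first, dump offline, move the BDB files aside instead of deleting them, import while stopped, fix ownership (slapadd runs as root, Debian's slapd runs as the openldap user) and only then start slapd, failing loudly if the import does not succeed. The standalone script at the end of this commit follows the same sequence and needs the same treatment.
```shell
# Move LDAP BDB data base to default MDB one.
if [ -n "$2" ] && dpkg --compare-versions "$2" le "2.12.1" && grep -q Main-Server /etc/debian-edu/config && \
   [ ! -f /var/lib/ldap/data.mdb ] ; then
    DUMPDIR=$(mktemp -d)
    BDBDIR=/var/backups/ldap-bdb-$(date +%Y%m%d%H%M%S)
    service slapd stop
    # Dump offline, while slapd.conf still points at the BDB configuration.
    slapcat -l "$DUMPDIR/all.ldif"
    # Keep the BDB files until the import is known to have worked.
    mkdir -m 0700 "$BDBDIR"
    mv /var/lib/ldap/* "$BDBDIR"/
    cp /usr/share/debian-edu-config/slapd-debian-edu-mdb.conf /etc/ldap
    ln -sf /etc/ldap/slapd-debian-edu-mdb.conf /etc/ldap/slapd.conf
    if ! slapadd -l "$DUMPDIR/all.ldif" ; then
        echo "LDAP import into MDB failed; dump kept in $DUMPDIR, BDB files in $BDBDIR" >&2
        exit 1
    fi
    # slapadd ran as root; slapd runs as the openldap user.
    chown -R openldap:openldap /var/lib/ldap
    rm -f "$DUMPDIR/all.ldif"
    rmdir "$DUMPDIR"
    rm -f /etc/ldap/slapd-debian-edu.conf
    service slapd start
fi
```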
0 # The Debian Edu specific slapd configuration file
1 # Last edit: 2021-08-15
2
3 # Schema and objectClass definitions
4 include /etc/ldap/schema/core.schema
5 include /etc/ldap/schema/cosine.schema
6 include /etc/ldap/schema/nis.schema
7 include /etc/ldap/schema/autofs-debian-edu.schema
8 include /etc/ldap/schema/inetorgperson.schema
9 include /etc/ldap/schema/gosa/dhcp.schema
10 include /etc/ldap/schema/gosa/dnszone.schema
11 include /etc/ldap/schema/kerberos.schema
12 include /etc/ldap/schema/ltspclientaux.schema
13
14 ## gosa:
15 include /etc/ldap/schema/gosa/samba3.schema
16 include /etc/ldap/schema/gosa/trust.schema
17 include /etc/ldap/schema/gosa/gosystem.schema
18 include /etc/ldap/schema/gosa/gofon.schema
19 include /etc/ldap/schema/gosa/goto.schema
20 include /etc/ldap/schema/gosa/gosa-samba3.schema
21 include /etc/ldap/schema/gosa/gofax.schema
22 include /etc/ldap/schema/gosa/goserver.schema
23 include /etc/ldap/schema/gosa/goto-mime.schema
24 include /etc/ldap/schema/gosa/sudo.schema
25
26 # Where the pid file is put. The init.d script
27 # will not stop the server if you change this.
28 pidfile /run/slapd/slapd.pid
29
30 # Read slapd.conf(5) for possible values
31 #loglevel 65535
32 loglevel none
33
34 rootDSE /etc/ldap/rootDSE-debian-edu.ldif
35
36 # TLS/SSL
37 TLSCACertificateFile /etc/ssl/certs/Debian-Edu_rootCA.crt
38 TLSCertificateKeyFile /etc/ssl/private/debian-edu-server.key
39 TLSCertificateFile /etc/ssl/certs/debian-edu-server.crt
40
41 modulepath /usr/lib/ldap
42 moduleload back_mdb
43 moduleload back_monitor
44
45 defaultsearchbase "dc=skole,dc=skolelinux,dc=no"
46 security update_ssf=128 simple_bind=128
47
48 # Access via ldapi/unix socket is assumed to have 128 bit encryption.
49 # This is required to allow the kerberos and powerdns daemon to
50 # connect.
51 localssf 128
52
53 backend mdb
54 backend monitor
55
56 #######################################################################
57 # MDB database definitions
58 #######################################################################
59
60 # The backend type, ldbm, is the default standard
61
62 database mdb
63 # Set the database in memory cache size.
64 #
65 #cachesize 4000
66 #dbnosync
67 #sizelimit 4000
68
69 # First database
70 suffix "dc=skole,dc=skolelinux,dc=no"
71 rootdn "cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no"
72 # Where the database file are physically stored
73 directory "/var/lib/ldap"
74
75 # Indices to maintain
76 index objectClass pres,eq
77 index cn,sn,ou pres,eq,sub
78 index uid pres,eq,sub
79 index krbPrincipalName pres,eq,sub
80 index uidNumber eq
81 index gidNumber eq
82 index memberUid eq
83 index default eq
84 #for some clients, even if not used
85 index givenname eq
86 index displayName eq
87 #index telephoneNumber eq
88
89 # ldap2zone index
90 index zoneName eq
91 index relativeDomainName eq
92
93 # Sudo
94 index sudoUser eq,sub
95
96 # LTSP configuration index (dhcpHWAddress also used by dhcpd)
97 index macAddress eq
98 index dhcpHWAddress eq
99
100 # libnss-ldapd look for this one. Make sure it is indexed to avoid
101 # lots of log messages.
102 index uniqueMember eq
103
104 # lwat cron job uses this
105 index createTimestamp eq
106
107 # Save the time that the entry gets modified
108 lastmod on
109
110 ## map authentication via gssapi on user dn:
111 authz-regexp "uid=([^,]*),cn=gssapi,cn=auth"
112 "ldap:///dc=skole,dc=skolelinux,dc=no??sub?(uid=$1)"
113
114 ## default: no access, but allow members of the ldap-admins group full
115 ## access.
116 access to *
117 by group.exact="cn=ldap-admins,ou=ldap-access,dc=skole,dc=skolelinux,dc=no" manage
118 by * none break
119
120 access to attrs=userPassword
121 by self =wx
122 by anonymous auth
123 by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
124 by * none
125
126 access to attrs=shadowLastChange
127 by self ssf=128 =w
128 by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
129 by * none
130
131 access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
132 attrs=children,entry
133 by * none break
134
135 # Control access to kerberos attributes
136 access to attrs=krbPrincipalKey,krbExtraData
137 by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
138 by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
139 by self read
140 by * auth
141
142 access to attrs=krbPrincipalName,krbLastPwdChange
143 by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
144 by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
145 by * auth
146 by * read
147
148 # Limit access to kerberos data in cn=kerberos. Allow everyone to
149 # see the objects, as long as the attributes
150 # krbPrincipalKey,krbLastPwdChange and krbExtraData are hidden.
151 access to dn.subtree="cn=kerberos,dc=skole,dc=skolelinux,dc=no"
152 by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
153 by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
154 by * read
155
156 # Default access; kadmin needs full access:
157 access to *
158 by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
159 by * read
160
161 # Last database.. back-monitor is nice to have. Use 'cn=monitor' as base
162 database monitor
163
164 # End of ldapd configuration file
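Review bot: The `database mdb` section sets no `maxsize`; to my knowledge back-mdb's default map size is only 10 MiB, which a main server's directory with the indexes declared here can outgrow, after which every write fails with a map-full error. I would add `maxsize 1073741824` directly after `directory "/var/lib/ldap"` (the value Debian's default slapd configuration uses, if I recall correctly). The commented-out `cachesize 4000` under `database mdb` is a back-bdb directive with no meaning for back-mdb, and the comment `# The backend type, ldbm, is the default standard` above it is stale for a file whose point is the mdb backend; both should be dropped or reworded so the next reader does not tune the wrong knob.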
0 #!/bin/sh
1 set -e
2
3 TMPDIR=$(mktemp -d)
4 # Move LDAP data base from Berkeley bdb to default LDAP mdb.
5 if [ ! -f /var/lib/ldap/data.mdb ] ; then
6 slapcat > $TMPDIR/all.ldif
7 service slapd stop
8 rm /var/lib/ldap/*
9 cp /usr/share/debian-edu-config/slapd-debian-edu-mdb.conf /etc/ldap
10 ln -sf /etc/ldap/slapd-debian-edu-mdb.conf /etc/ldap/slapd.conf
11 service slapd start
12 slapadd -l $TMPDIR/all.ldif
13 if [ -f /var/lib/ldap/data.mdb ] ; then
14 rm $TMPDIR/all.ldif
15 rm -f /etc/ldap/slapd-debian-edu.conf
16 fi
17 fi
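Review bot: `TMPDIR=$(mktemp -d)` on line 3 runs before the `[ ! -f /var/lib/ldap/data.mdb ]` test, so every run on an already migrated server leaves an empty directory behind; the assignment belongs inside the `if`. `TMPDIR` is also the environment variable mktemp itself honours, so if it is exported when the script runs the assignment redirects later temp-file creation in this shell; a neutral name such as `DUMPDIR`, quoted as `"$DUMPDIR/all.ldif"`, avoids both. The migration sequence itself (slapd started before `slapadd`, `rm /var/lib/ldap/*` with no backup, the `data.mdb` check, ownership of the imported files) has the same problems raised on the postinst hunk.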