[Pkg-openldap-devel] Adding schemas and ACL's to slapd.conf

Soren Hansen soren at ubuntu.com
Sun Jul 29 23:19:32 UTC 2007


On Sun, Jul 29, 2007 at 11:45:32AM -0700, Russ Allbery wrote:
> > So, to sum up: If I make the update-slapd-{acl,schemas} ignore
> > *.dpkg-{old,new} my patch could be considered for inclusion?
> Barring any objections from other openldap package maintainers, yes.
> I'm convinced.

New patch attached. Changes since the previous patch:
 * Don't add include directives for *.dpkg-{old,new} 
 * Call update-slapd-{acl,schemas} from init script
 * Changed wording of warning

-- 
Soren Hansen
Ubuntu Server Team
http://www.ubuntu.com/
-------------- next part --------------
diff -u openldap2.3-2.3.35/debian/slapd.README.Debian openldap2.3-2.3.35/debian/slapd.README.Debian
--- openldap2.3-2.3.35/debian/slapd.README.Debian
+++ openldap2.3-2.3.35/debian/slapd.README.Debian
@@ -106,6 +106,34 @@
    and it will generate the files for you.  You will need appropriate
    privileges, of course.
 
+++ update-slapd-schemas and update-slapd-acl
+
+   Versions of slapd newer than 2.3.35-1 support the new update-slapd-schemas
+   and update-slapd-acl scripts. These scripts were added to make it easy for
+   other packages to add schemas and ACL stanzas to slapd.conf without touching
+   the configuration file directly.
+
+   The scripts look in /etc/ldap/schemas-enabled and /etc/ldap/acl.d,
+   respectively, and generate /etc/ldap/schemas.conf and /etc/ldap/acl.conf
+   based on the contents of these two directories. Any file in the directory
+   results in an "include /full/path/to/file" in the corresponding .conf file.
+   They are added in ASCIIbetical order.
+
+   New installations support these scripts out of the box, but if you're
+   upgrading from 2.3.35-1 or older, you'll need to edit your slapd.conf
+   manually. /etc/ldap/acl.d has been populated with the default ACL's. If you
+   haven't changed the default ACL configuration, all you need to do is remove
+   the current ACL (access to ...) stanzas from /etc/ldap/slapd.conf, and
+   replace them with:
+   include  /etc/ldap/acl.conf
+
+   For schemas, /etc/ldap/schemas-enabled has been populated with symlinks to
+   the set of schemas from /etc/ldap/schemas that used to be enabled by default
+   (core.schema, cosine.schema, nis.schema, and inetorgperson.schema). If those
+   are the only ones you're using, you can replace the 4 include directives in
+   your slapd.conf with:
+   include  /etc/ldap/schemas.conf
+
  -- The Debian OpenLDAP maintainers
      Torsten Landschoff <torsten at debian.org>
      Roland Bauerschmidt <rb at debian.org>
diff -u openldap2.3-2.3.35/debian/slapd.postinst openldap2.3-2.3.35/debian/slapd.postinst
--- openldap2.3-2.3.35/debian/slapd.postinst
+++ openldap2.3-2.3.35/debian/slapd.postinst
@@ -31,6 +31,13 @@
 	echo done. >&2
 
 	configure_v2_protocol_support
+
+	if previous_version_older 2.3.35-1ubuntu1; then
+		db_get slapd/domain
+		local basedn="dc=`echo $RET | sed 's/^\.//; s/\./,dc=/g'`"
+		create_standard_acl_configuration "$basedn"
+	fi
+
 	if previous_version_older 2.1; then
 		autoconfigure_modules
 	fi
diff -u openldap2.3-2.3.35/debian/slapd.examples openldap2.3-2.3.35/debian/slapd.examples
--- openldap2.3-2.3.35/debian/slapd.examples
+++ openldap2.3-2.3.35/debian/slapd.examples
@@ -3,0 +4,3 @@
+debian/acl.d/restrict_password.acl
+debian/acl.d/base_read.acl
+debian/acl.d/default.acl
diff -u openldap2.3-2.3.35/debian/slapd.manpages openldap2.3-2.3.35/debian/slapd.manpages
--- openldap2.3-2.3.35/debian/slapd.manpages
+++ openldap2.3-2.3.35/debian/slapd.manpages
@@ -43,0 +44,2 @@
+debian/update-slapd-schemas.8
+debian/update-slapd-acl.8
diff -u openldap2.3-2.3.35/debian/slapd.conf openldap2.3-2.3.35/debian/slapd.conf
--- openldap2.3-2.3.35/debian/slapd.conf
+++ openldap2.3-2.3.35/debian/slapd.conf
@@ -8,10 +8,7 @@
 #allow bind_v2
 
 # Schema and objectClass definitions
-include         /etc/ldap/schema/core.schema
-include         /etc/ldap/schema/cosine.schema
-include         /etc/ldap/schema/nis.schema
-include         /etc/ldap/schema/inetorgperson.schema
+include         /etc/ldap/schemas.conf
 
 # Where the pid file is put. The init.d script
 # will not stop the server if you change this.
@@ -74,33 +71,7 @@
 # Where to store the replica logs for database #1
 # replogfile	/var/lib/ldap/replog
 
-# The userPassword by default can be changed
-# by the entry owning it if they are authenticated.
-# Others should not be able to see it, except the
-# admin entry below
-# These access lines apply to database #1 only
-access to attrs=userPassword,shadowLastChange
-        by dn="@ADMIN@" write
-        by anonymous auth
-        by self write
-        by * none
-
-# Ensure read access to the base for things like
-# supportedSASLMechanisms.  Without this you may
-# have problems with SASL not knowing what
-# mechanisms are available and the like.
-# Note that this is covered by the 'access to *'
-# ACL below too but if you change that as people
-# are wont to do you'll still need this if you
-# want SASL (and possible other things) to work 
-# happily.
-access to dn.base="" by * read
-
-# The admin dn has full write access, everyone else
-# can read everything.
-access to *
-        by dn="@ADMIN@" write
-        by * read
+include         /etc/ldap/acl.conf
 
 # For Netscape Roaming support, each user gets a roaming
 # profile for which they have write access to
diff -u openldap2.3-2.3.35/debian/slapd.scripts-common openldap2.3-2.3.35/debian/slapd.scripts-common
--- openldap2.3-2.3.35/debian/slapd.scripts-common
+++ openldap2.3-2.3.35/debian/slapd.scripts-common
@@ -369,7 +369,7 @@
 			file=`eval echo $data`
 			read_slapd_conf < $file
 		else
-			echo $command $data
+			echo "$command" "$data"
 		fi
 	done
 }
@@ -643,6 +643,9 @@
 		move_old_database_away /var/lib/ldap
 	fi
 	create_new_slapd_conf "$basedn" "$backend"
+	create_standard_acl_configuration "$basedn"
+	update-slapd-schemas
+	update-slapd-acl
 	create_ldap_directories
 	create_new_directory "$basedn" "$dc"
 
@@ -654,6 +657,46 @@
   wipe_admin_pass
 }
 # }}}
+create_standard_acl_configuration() {						# {{{
+# Creates the new ACL configuration for the suffix given
+# Usage: create_standard_acl_configuration <basedn>
+#
+	local basedn
+	
+	basedn="$1"
+
+	create_acl_conf "$basedn" "/etc/ldap/acl.d/110restrict_password.acl" \
+		"/usr/share/slapd/110restrict_password.acl"
+	create_acl_conf "$basedn" "/etc/ldap/acl.d/120base_read.acl" \
+		"/usr/share/slapd/120base_read.acl"
+	create_acl_conf "$basedn" "/etc/ldap/acl.d/900default.acl" \
+		"/usr/share/slapd/900default.acl"
+
+}
+# }}}
+create_acl_conf() {						# {{{
+# Creates a new ACL configuration file from the given template, for the suffix
+# given, and stores it in destfile.
+# Usage: create_acl_conf <basedn> <destfile> <template>
+
+	local basedn destfile template
+
+	basedn="$1"
+	destfile="$2"
+	template="$3"
+
+	if [ ! -e "${destfile}" ]
+	then
+		echo -n "  Creating initial `basename ${destfile}` ... " >&2
+		sed <"${template}" >"${destfile}" \
+			-e "s/@SUFFIX@/$basedn/g" \
+			-e "s/@ADMIN@/cn=admin,$basedn/g"
+		# Assign same permissions as slapd.conf
+		assign_permissions "$SLAPD_CONF" "${destfile}"
+		echo "done." >&2
+	fi
+} 
+# }}}
 create_new_slapd_conf() {						# {{{
 # Creates a new slapd.conf for the suffix given
 # Usage: create_new_slapd_conf <basedn> <backend>
diff -u openldap2.3-2.3.35/debian/slapd.dirs openldap2.3-2.3.35/debian/slapd.dirs
--- openldap2.3-2.3.35/debian/slapd.dirs
+++ openldap2.3-2.3.35/debian/slapd.dirs
@@ -4,0 +5,2 @@
+etc/ldap/acl.d
+etc/ldap/schemas-enabled
diff -u openldap2.3-2.3.35/debian/slapd.postrm openldap2.3-2.3.35/debian/slapd.postrm
--- openldap2.3-2.3.35/debian/slapd.postrm
+++ openldap2.3-2.3.35/debian/slapd.postrm
@@ -22,6 +22,11 @@
 if [ "$1" = "purge" ]; then
   echo -n "Removing slapd configuration... "
   rm -f /etc/ldap/slapd.conf 2>/dev/null || true
+  rm -f /etc/ldap/schemas.conf 2>/dev/null || true
+  rm -f /etc/ldap/acl.conf 2>/dev/null || true
+  rm -f /etc/ldap/acl.d/110restrict_password.acl || true
+  rm -f /etc/ldap/acl.d/120base_read.acl || true
+  rm -f /etc/ldap/acl.d/900default.acl || true
   rmdir --ignore-fail-on-non-empty /etc/ldap/schema
   echo done
 
diff -u openldap2.3-2.3.35/debian/control openldap2.3-2.3.35/debian/control
diff -u openldap2.3-2.3.35/debian/slapd.init openldap2.3-2.3.35/debian/slapd.init
--- openldap2.3-2.3.35/debian/slapd.init
+++ openldap2.3-2.3.35/debian/slapd.init
@@ -176,10 +176,16 @@
 		--exec /usr/sbin/slurpd 2>&1`"
 }
 
-# Start the OpenLDAP daemons
+# Run update-slapd-{schemas,acl}
+run_update_scripts() {
+	update-slapd-schemas
+	update-slapd-acl
+}
+
 start() {
 	echo -n "Starting OpenLDAP:"
 	trap 'report_failure' 0
+	run_update_scripts
 	start_slapd
 	start_slurpd
 	trap "-" 0
diff -u openldap2.3-2.3.35/debian/slapd.links openldap2.3-2.3.35/debian/slapd.links
--- openldap2.3-2.3.35/debian/slapd.links
+++ openldap2.3-2.3.35/debian/slapd.links
@@ -1,5 +1,12 @@
 usr/share/doc/slapd/examples/DB_CONFIG usr/share/slapd/DB_CONFIG
 usr/share/doc/slapd/examples/slapd.conf usr/share/slapd/slapd.conf
+usr/share/doc/slapd/examples/restrict_password.acl usr/share/slapd/110restrict_password.acl
+usr/share/doc/slapd/examples/base_read.acl usr/share/slapd/120base_read.acl
+usr/share/doc/slapd/examples/default.acl usr/share/slapd/900default.acl
+etc/ldap/schema/core.schema etc/ldap/schemas-enabled/110core.schema
+etc/ldap/schema/cosine.schema etc/ldap/schemas-enabled/120cosine.schema
+etc/ldap/schema/nis.schema etc/ldap/schemas-enabled/130nis.schema
+etc/ldap/schema/inetorgperson.schema etc/ldap/schemas-enabled/140inetorgperson.schema
 usr/sbin/slapd usr/sbin/slapacl
 usr/sbin/slapd usr/sbin/slapadd
 usr/sbin/slapd usr/sbin/slapauth
diff -u openldap2.3-2.3.35/debian/slapd.install openldap2.3-2.3.35/debian/slapd.install
--- openldap2.3-2.3.35/debian/slapd.install
+++ openldap2.3-2.3.35/debian/slapd.install
@@ -9,0 +10,2 @@
+debian/update-slapd-schemas usr/sbin/
+debian/update-slapd-acl usr/sbin/
diff -u openldap2.3-2.3.35/debian/slapd.default openldap2.3-2.3.35/debian/slapd.default
--- openldap2.3-2.3.35/debian/slapd.default
+++ openldap2.3-2.3.35/debian/slapd.default
@@ -25,6 +25,10 @@
 # Example usage:
 # SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
 
+# If set to "true" the update-slapd-{acl,schemas} scripts
+# will not check if the proper includes are in $SLAPD_CONF.
+NO_INCLUDE_CHECK=false
+
 # Additional options to pass to slapd and slurpd
 SLAPD_OPTIONS=""
 SLURPD_OPTIONS=""
diff -u openldap2.3-2.3.35/debian/changelog openldap2.3-2.3.35/debian/changelog
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/update-slapd-schemas.8
+++ openldap2.3-2.3.35/debian/update-slapd-schemas.8
@@ -0,0 +1,28 @@
+.TH UPDATE-SLAPD-SCHEMAS 8 "Jul 2007"
+.SH NAME
+update-slapd-schemas \- Regenerate schemas.conf for slapd
+.SH SYNOPSIS
+.B update-slapd-schemas
+.SH DESCRIPTION
+This manual page documents briefly the
+.B update-slapd-schemas
+command.
+.PP
+.B update-slapd-schemas
+is a program that generates
+.B /etc/ldap/schemas.conf
+based on the files in \fB/etc/ldap/schemas-enabled\fR.
+.B update-slapd-schemas
+checks at startup if the current
+.B /etc/ldap/slapd.conf
+contains the proper includes and warns the user if that's not the case.
+.SH OPTIONS
+.B update-slapd-schemas
+accepts no options.
+.SH SEE ALSO
+.BR slapd.conf (5), /usr/share/slapd/README.Debian
+.SH AUTHOR
+update-slapd-schemas was written by Soren Hansen <soren at ubuntu.com>.
+.PP
+This manual page was written by Soren Hansen <soren at ubuntu.com>
+for Ubuntu (but may be used by others).
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/update-slapd-acl
+++ openldap2.3-2.3.35/debian/update-slapd-acl
@@ -0,0 +1,60 @@
+#!/bin/sh
+#
+# update-slapd-acl: utility to add/remove ACL files to/from slapd's config
+#
+# Author: Soren Hansen <soren at ubuntu.com>
+# Copyright (C) 2007 Canonical Ltd.
+#
+#    update-slapd-acl is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by the
+#    Free Software Foundation; either version 2 of the License, or (at your
+#    option) any later version.
+#
+#    update-slapd-acl is distributed in the hope that it will be useful, but
+#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+#    or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+#    for more details.
+#
+#    You should have received a copy of the GNU General Public License along
+#    with update-slapd-acl; if not, write to the Free Software Foundation,
+#    Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+test -f /etc/default/slapd && . /etc/default/slapd
+
+check_include() {
+	if ! grep -qxE 'include[[:space:]]*/etc/ldap/acl.conf' /etc/ldap/slapd.conf
+	then
+		echo
+		echo "WARNING: Your /etc/ldap/slapd.conf does not support"
+		echo "         update-ldap-acl. See /usr/share/doc/slapd/README.Debian"
+		echo "         for more information. You can disable this check by"
+		echo "         setting NO_INCLUDE_CHECK=true in /etc/default/slapd"
+	fi
+}
+
+if [ ${NO_INCLUDE_CHECK} != "true" ]
+then
+	check_include
+fi
+
+extraconf="/etc/ldap/acl.conf"
+confdir="/etc/ldap/acl.d"
+
+echo '#' > ${extraconf}
+echo '# This file is automatically generated by update-slapd-acl(8).' >> $extraconf
+echo '# Do not edit it by hand.' >> $extraconf
+echo '#' >> $extraconf
+
+if [ "`echo ${confdir}/*`" != "${confdir}/*" ]
+then
+	for acl in ${confdir}/*
+	do
+		if ! echo "$acl" | grep -qE '\.dpkg-(new|old)$'
+		then
+			echo "include ${acl}"
+		fi
+	done >> ${extraconf}
+fi
+
+exit 0
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/update-slapd-schemas
+++ openldap2.3-2.3.35/debian/update-slapd-schemas
@@ -0,0 +1,60 @@
+#!/bin/sh
+#
+# update-slapd-schemas: utility to update list of included schemas in slapd.conf
+#
+# Author: Soren Hansen <soren at ubuntu.com>
+# Copyright (C) 2007 Canonical Ltd.
+#
+#    update-slapd-schemas is free software; you can redistribute it and/or
+#    modify it under the terms of the GNU General Public License as published
+#    by the Free Software Foundation; either version 2 of the License, or (at
+#    your option) any later version.
+#
+#    update-slapd-schemas is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#    General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with update-slapd-schemas; if not, write to the Free Software
+#    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
+#    USA.
+
+test -f /etc/default/slapd && . /etc/default/slapd
+
+check_include() {
+	if ! grep -qxE 'include[[:space:]]*/etc/ldap/schemas.conf' /etc/ldap/slapd.conf
+	then
+		echo
+		echo "WARNING: Your /etc/ldap/slapd.conf does not support"
+		echo "         update-ldap-schemas. See /usr/share/doc/slapd/README.Debian"
+		echo "         for more information. You can disable this check by"
+		echo "         setting NO_INCLUDE_CHECK=true in /etc/default/slapd"
+	fi
+}
+
+if [ ${NO_INCLUDE_CHECK} != "true" ]
+then
+	check_include
+fi
+
+extraconf="/etc/ldap/schemas.conf"
+confdir="/etc/ldap/schemas-enabled"
+
+echo '#' > ${extraconf}
+echo '# This file is automatically generated by update-slapd-schemas(8).' >> $extraconf
+echo '# Do not edit it by hand.' >> $extraconf
+echo '#' >> $extraconf
+
+if [ "`echo ${confdir}/*`" != "${confdir}/*" ]
+then
+	for schema in ${confdir}/*
+	do
+		if ! echo "$schema" | grep -qE '\.dpkg-(new|old)$'
+		then
+			echo "include ${schema}"
+		fi
+	done >> ${extraconf}
+fi
+
+exit 0
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/acl.d/default.acl
+++ openldap2.3-2.3.35/debian/acl.d/default.acl
@@ -0,0 +1,6 @@
+# The admin dn has full write access, everyone else
+# can read everything.
+access to *
+        by dn="@ADMIN@" write
+        by * read
+
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/acl.d/restrict_password.acl
+++ openldap2.3-2.3.35/debian/acl.d/restrict_password.acl
@@ -0,0 +1,12 @@
+# The userPassword by default can be changed
+# by the entry owning it if they are authenticated.
+# Others should not be able to see it, except the
+# admin entry below
+# These access lines apply to database #1 only
+access to attrs=userPassword,shadowLastChange
+        by dn="@ADMIN@" write
+        by anonymous auth
+        by self write
+        by * none
+
+
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/acl.d/base_read.acl
+++ openldap2.3-2.3.35/debian/acl.d/base_read.acl
@@ -0,0 +1,11 @@
+# Ensure read access to the base for things like
+# supportedSASLMechanisms.  Without this you may
+# have problems with SASL not knowing what
+# mechanisms are available and the like.
+# Note that this is covered by the 'access to *'
+# ACL below too but if you change that as people
+# are wont to do you'll still need this if you
+# want SASL (and possible other things) to work 
+# happily.
+access to dn.base="" by * read
+
only in patch2:
unchanged:
--- openldap2.3-2.3.35.orig/debian/update-slapd-acl.8
+++ openldap2.3-2.3.35/debian/update-slapd-acl.8
@@ -0,0 +1,28 @@
+.TH UPDATE-SLAPD-ACL 8 "Jul 2007"
+.SH NAME
+update-slapd-acl \- Regenerate acl.conf for slapd
+.SH SYNOPSIS
+.B update-slapd-acl
+.SH DESCRIPTION
+This manual page documents briefly the
+.B update-slapd-acl
+command.
+.PP
+.B update-slapd-acl
+is a program that generates
+.B /etc/ldap/acl.conf
+based on the files in \fB/etc/ldap/acl.d\fR.
+.B update-slapd-acl
+checks at startup if the current
+.B /etc/ldap/slapd.conf
+contains the proper includes and warns the user if that's not the case.
+.SH OPTIONS
+.B update-slapd-acl
+accepts no options.
+.SH SEE ALSO
+.BR slapd.conf (5),
+.SH AUTHOR
+update-slapd-acl was written by Soren Hansen <soren at ubuntu.com>.
+.PP
+This manual page was written by Soren Hansen <soren at ubuntu.com>
+for Ubuntu (but may be used by others).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20070730/06f279d0/attachment-0001.pgp 


More information about the Pkg-openldap-devel mailing list