aboutsummaryrefslogblamecommitdiff
path: root/scripts/hostclass/idm_server/10-slapd
blob: 204c405622de9dbcdf75b7ee28f62e1faaeee8b7 (plain) (tree)
1
2
3
4
5
6
7
8
9
10
11
12











                                                      
                                        



                                      

                                                                   

























































                                                                                                 

                                                                                                            












































































                                                                                        





                                                                       











                                         
#!/bin/sh

: ${slapd_root_dn:='cn=admin'}
: ${slapd_replicator_dn:="cn=replicator,${basedn}"}
: ${slapd_result_size_limit:='10000'}
: ${slapd_db_max_size:='1073741824'} # 1 GB
: ${slapd_accesslog_db_max_size:='134217728'} # 128 MB
: ${slapd_syncrepl_checkpoint_ops:='100'}
: ${slapd_syncrepl_checkpoint_minutes:='10'}
: ${slapd_syncrepl_session_log:='1000'}
: ${slapd_syncrepl_cleanup_age:='7'}
: ${slapd_syncrepl_cleanup_interval:='1'}
: ${slapd_admin_role:='role-ldap-admin'}

slapd_user=ldap
slapd_data_dir=/var/db/openldap-data
slapd_conf_dir=/usr/local/etc/openldap
slapd_socket=/var/run/openldap/ldapi
slapd_ldapi_uri="ldapi://$(echo "$slapd_socket" | sed 's|/|%2f|g')"
slapd_tls_cert="${slapd_conf_dir}/slapd.crt"
slapd_tls_key="${slapd_conf_dir}/slapd.key"
slapd_replicator_tls_cert="${slapd_conf_dir}/replicator.crt"
slapd_replicator_tls_key="${slapd_conf_dir}/replicator.key"
slapd_keytab="${keytab_dir}/slapd.keytab"

is_primary_server(){
  # Return 0 if the current hostname is equal to $idm_primary_server.
  # If $idm_primary_server is unset, use the first hostname in $idm_server_list.
  _primary="${idm_primary_server:-$(echo "$idm_server_list" | awk 'NR==1{print $1}')}"
  test "$BOXCONF_HOSTNAME" = "$_primary"
}

pkg install -y \
  openldap26-server \
  cyrus-sasl-saslauthd

# Create ZFS dataset for OpenLDAP DB.
create_dataset -o "mountpoint=${slapd_data_dir}" "${state_dataset}/openldap-data"

# Copy TLS certificate for LDAP server.
install_certificate     -o "$slapd_user" -g "$slapd_user" slapd "$slapd_tls_cert"
install_certificate_key -o "$slapd_user" -g "$slapd_user" slapd "$slapd_tls_key"

# Copy client certificate for LDAP replication.
install_certificate     -o "$slapd_user" -g "$slapd_user" replicator "$slapd_replicator_tls_cert"
install_certificate_key -o "$slapd_user" -g "$slapd_user" replicator "$slapd_replicator_tls_key"

# Copy LDIF for the cn=config database.
install_template -m 0600 "${slapd_conf_dir}/slapd.ldif"

# Copy third-party schema files.
install_file -m 0644 \
  "${slapd_conf_dir}/schema/rfc2307bis.ldif" \
  "${slapd_conf_dir}/schema/kerberos.ldif" \
  "${slapd_conf_dir}/schema/openssh-lpk.ldif" \
  "${slapd_conf_dir}/schema/sudo.ldif" \
  "${slapd_conf_dir}/schema/dnsdomain2.ldif" \
  "${slapd_conf_dir}/schema/mailservice.ldif"

# Create the directories for the LDAP databases.
install_directory -m 0770 -o "$slapd_user" -g "$slapd_user" \
  "${slapd_data_dir}" \
  "${slapd_data_dir}/accesslog"

# If slapd.d doesn't exist, populate it with slapd.ldif.
if [ ! -d "${slapd_conf_dir}/slapd.d" ]; then
  install_directory -m 0700 -o "$slapd_user" "${slapd_conf_dir}/slapd.d"
  slapadd -v -n0 -F "${slapd_conf_dir}/slapd.d" -l "${slapd_conf_dir}/slapd.ldif"
  chown -R "${slapd_user}:${slapd_user}" "${slapd_conf_dir}/slapd.d"
fi

# Enable OpenLDAP in /etc/rc.conf, and start it.
# Note: whatever LDAP IP you specified in $slapd_server_list must be present in
# the `-h` argument to slapd. That's how slapd figures out its own server ID.
sysrc -v \
  slapd_enable=YES \
  slapd_cn_config=YES \
  slapd_flags="-h '${slapd_ldapi_uri}/ ldap://0.0.0.0/ ldaps://0.0.0.0/ ldaps://${BOXCONF_DEFAULT_IPV4}/'" \
  slapd_sockets="$slapd_socket" \
  slapd_krb5_ktname="$slapd_keytab"

service slapd restart

# Copy the LDAP client configs.
install_template -m 0644 "${slapd_conf_dir}/ldap.conf"

# Copy slapd SASL configuration.
install_template -m 0644 /usr/local/lib/sasl2/slapd.conf

# Allow slapd to read the saslauthd socket.
install_directory -m 0750 -o "$saslauthd_user" -g "$slapd_user" "$saslauthd_runtime_dir"

# Enable and start saslauthd.
sysrc -v \
  saslauthd_flags='-a kerberos5' \
  saslauthd_enable=YES
service saslauthd restart

# Create directory tree.
if is_primary_server; then
  # dc=example,dc=com
  ldap_add "$basedn" <<EOF
objectClass: dcObject
objectClass: organization
dc: $(ldap_rdn_value "$basedn")
o: ${site}
EOF

  # ou=accounts,dc=example,dc=com
  ldap_add "$accounts_basedn" <<EOF
objectClass: organizationalUnit
ou: $(ldap_rdn_value "$accounts_basedn")
EOF

  # ou=people,ou=accounts,dc=example,dc=com
  ldap_add "$people_basedn" <<EOF
objectClass: organizationalUnit
ou: $(ldap_rdn_value "$people_basedn")
EOF

  # ou=robots,ou=accounts,dc=example,dc=com
  ldap_add "$robots_basedn" <<EOF
objectClass: organizationalUnit
ou: $(ldap_rdn_value "$robots_basedn")
EOF

  # ou=hosts,ou=accounts,dc=example,dc=com
  ldap_add "$hosts_basedn" <<EOF
objectClass: organizationalUnit
ou: $(ldap_rdn_value "$hosts_basedn")
EOF

  # ou=services,ou=accounts,dc=example,dc=com
  ldap_add "$services_basedn" <<EOF
objectClass: organizationalUnit
ou: $(ldap_rdn_value "$services_basedn")
EOF

  # ou=groups,ou=accounts,dc=example,dc=com
  ldap_add "$groups_basedn" <<EOF
objectClass: organizationalUnit
ou: $(ldap_rdn_value "$groups_basedn")
EOF

  # ou=userprivate,ou=groups,ou=accounts,dc=example,dc=com
  ldap_add "$private_groups_basedn" <<EOF
objectClass: organizationalUnit
ou: $(ldap_rdn_value "$private_groups_basedn")
EOF

  # ou=roles,ou=groups,ou=accounts,dc=example,dc=com
  ldap_add "$roles_basedn" <<EOF
objectClass: organizationalUnit
ou: $(ldap_rdn_value "$roles_basedn")
EOF

  # cn=role-ldap-admin,ou=roles,ou=groups,ou=accounts,dc=example,dc=com
  ldap_add "cn=${slapd_admin_role},${roles_basedn}" <<EOF
objectClass: groupOfMembers
cn: ${slapd_admin_role}
EOF

  # ou=automount,dc=example,dc=com
  ldap_add "$automount_basedn" <<EOF
objectClass: organizationalUnit
ou: $(ldap_rdn_value "$automount_basedn")
EOF

  # ou=sudo,dc=example,dc=com
  ldap_add "$sudo_basedn" <<EOF
objectClass: organizationalUnit
ou: $(ldap_rdn_value "$sudo_basedn")
EOF
fi