diff --git a/contrib/README b/contrib/README
index d2ed2ac546..94fa431ad2 100644
--- a/contrib/README
+++ b/contrib/README
@@ -43,6 +43,9 @@ Current contributions: slapi-plugins SLAPI plugins + packaging/CentOS/7 + Files required to perform RPM packaging for the whole project. + OpenLDAP Contributing Guidelines are available at: .
diff --git a/contrib/packaging/CentOS/7/DB_CONFIG.example b/contrib/packaging/CentOS/7/DB_CONFIG.example
new file mode 100644
index 0000000000..674f9aae98
--- /dev/null
+++ b/contrib/packaging/CentOS/7/DB_CONFIG.example
@@ -0,0 +1,28 @@
+# $OpenLDAP$
+# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
+#
+# See the Oracle Berkeley DB documentation
+#
+# for detail description of DB_CONFIG syntax and semantics.
+#
+# Hints can also be found in the OpenLDAP Software FAQ
+#
+# in particular:
+#
+
+# Note: most DB_CONFIG settings will take effect only upon rebuilding
+# the DB environment.
+
+# one 0.25 GB cache
+set_cachesize 0 268435456 1
+
+# Data Directory
+#set_data_dir db
+
+# Transaction Log settings
+set_lg_regionmax 262144
+set_lg_bsize 2097152
+#set_lg_dir logs
+
+# Note: special DB_CONFIG flags are no longer needed for "quick"
+# slapadd(8) or slapindex(8) access (see their -q option).
diff --git a/contrib/packaging/CentOS/7/README.md b/contrib/packaging/CentOS/7/README.md
new file mode 100644
index 0000000000..bdf101a341
--- /dev/null
+++ b/contrib/packaging/CentOS/7/README.md
@@ -0,0 +1,37 @@
+# RPM packaging specfile for CentOS 7
+
+## Overview
+This is bootstrapping specfile. It is able to
+determine git repo owner, branch, tag and commit, then
+reuse this information during package build.
+
+## Requirements
+You should have **rpm-devel** package installed,
+also all those packages which are required by ReOpenLDAP
+itself.
+
+## Usage
+A couple of commands is required to build the package:
+
+>spectool -R -g reopenldap.spec
+>rpmbuild -bb reopenldap.spec
+
+First command downloads source file to the directory
+where rpmbuild expects to find it. Second command builds
+a set of binary packages.
+
+##Tips and tricks
+If you ever need to find out
+package file paths, you could use this command:
+>spectool -R -g reopenldap.spec
+>rpmbuild -bb reopenldap.spec 2>&1 | tee /tmp/build.log
+>grep -n -E '(Wrote: )(.+)$' /tmp/build.log | awk '{print $2;}'
+
+## Authors
+ Specfile initially has been contributed by Ivan Viktorov
+ (https://github.com/Ivan-Viktorov) as a comment on issue #34
+ of original project
+ (https://github.com/ReOpen/ReOpenLDAP/issues/33#issuecomment-249861076).
+
+ Tune-up and bootsrapping has been implemented by
+ Sergey Pechenko (https://github.com/tnt4brain/ReOpenLDAP/tree/devel)
diff --git a/contrib/packaging/CentOS/7/ldap.conf b/contrib/packaging/CentOS/7/ldap.conf
new file mode 100644
index 0000000000..9756fb138b
--- /dev/null
+++ b/contrib/packaging/CentOS/7/ldap.conf
@@ -0,0 +1,17 @@
+# LDAP Defaults
+#
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+#TLS_CACERT /etc/reopenldap/certs/ca.crt
+TLS_CACERTDIR /etc/reopenldap/certs
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON on
diff --git a/contrib/packaging/CentOS/7/libexec-check-config.sh b/contrib/packaging/CentOS/7/libexec-check-config.sh
new file mode 100644
index 0000000000..a25dc39b77
--- /dev/null
+++ b/contrib/packaging/CentOS/7/libexec-check-config.sh
@@ -0,0 +1,91 @@
+#!/bin/sh
+# Author: Jan Vcelak
+
+. /usr/libexec/reopenldap/functions
+
+function check_config_syntax()
+{
+ retcode=0
+ tmp_slaptest=`mktemp --tmpdir=/var/run/reopenldap`
+ run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
+ if [ $? -ne 0 ]; then
+ error "Checking configuration file failed:"
+ cat $tmp_slaptest >&2
+ retcode=1
+ fi
+ rm $tmp_slaptest
+ return $retcode
+}
+
+function check_certs_perms()
+{
+ retcode=0
+ for cert in `certificates`; do
+ run_as_ldap "/usr/bin/test -e \"$cert\""
+ if [ $? -ne 0 ]; then
+ error "TLS certificate/key/DB '%s' was not found." "$cert"
+ retcoder=1
+ continue
+ fi
+ run_as_ldap "/usr/bin/test -r \"$cert\""
+ if [ $? -ne 0 ]; then
+ error "TLS certificate/key/DB '%s' is not readable." "$cert"
+ retcode=1
+ fi
+ done
+ return $retcode
+}
+
+function check_db_perms()
+{
+ retcode=0
+ for dbdir in `databases`; do
+ [ -d "$dbdir" ] || continue
+ for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
+ run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
+ if [ $? -ne 0 ]; then
+ error "Read/write permissions for DB file '%s' are required." "$dbfile"
+ retcode=1
+ fi
+ done
+ done
+ return $retcode
+}
+
+function check_everything()
+{
+ retcode=0
+ check_config_syntax || retcode=1
+ # TODO: need support for Mozilla NSS, disabling temporarily
+ #check_certs_perms || retcode=1
+ check_db_perms || retcode=1
+ return $retcode
+}
+
+if [ `id -u` -ne 0 ]; then
+ error "You have to be root to run this script."
+ exit 4
+fi
+
+load_sysconfig
+
+if [ -n "$SLAPD_CONFIG_DIR" ]; then
+ if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
+ error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
+ else
+ check_everything
+ exit $?
+ fi
+fi
+
+if [ -n "$SLAPD_CONFIG_FILE" ]; then
+ if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+ error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
+ else
+ error "Warning: Usage of a configuration file is obsolete!"
+ check_everything
+ exit $?
+ fi
+fi
+
+exit 1
diff --git a/contrib/packaging/CentOS/7/libexec-functions b/contrib/packaging/CentOS/7/libexec-functions
new file mode 100644
index 0000000000..68aa8548f5
--- /dev/null
+++ b/contrib/packaging/CentOS/7/libexec-functions
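Review bot: In check_certs_perms the not-found branch assigns `retcoder=1` instead of `retcode=1`, so a missing certificate/key/DB is reported on stderr but the function still returns 0; it should read `retcode=1`. The bug is latent today because check_everything keeps `#check_certs_perms || retcode=1` commented out pending NSS support, and will surface the moment that line is re-enabled. Separately, `$cert` and `$dbfile` are spliced into a command string that runuser hands to `/bin/sh`, and the backtick `for` loops word-split on whitespace, so a path containing spaces, quotes or `$` is re-parsed by that shell instead of being tested; building the string with `run_as_ldap "/usr/bin/test -r $(printf %q "$cert")"` keeps the argument intact. The script is declared `#!/bin/sh` but relies on `function` and `&>`, which only work because /bin/sh is bash on CentOS 7; a `#!/bin/bash` shebang would state that dependency.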
@@ -0,0 +1,134 @@
+# Author: Jan Vcelak
+
+SLAPD_USER=
+SLAPD_CONFIG_FILE=
+SLAPD_CONFIG_DIR=
+SLAPD_CONFIG_CUSTOM=
+SLAPD_GLOBAL_OPTIONS=
+SLAPD_SYSCONFIG_FILE=
+
+function default_config()
+{
+ SLAPD_USER=ldap
+ SLAPD_CONFIG_FILE=/etc/reopenldap/slapd.conf
+ SLAPD_CONFIG_DIR=/etc/reopenldap/slapd.d
+ SLAPD_CONFIG_CUSTOM=
+ SLAPD_GLOBAL_OPTIONS=
+ SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
+}
+
+function parse_config_options()
+{
+ user=
+ config_file=
+ config_dir=
+ while getopts :u:f:F: opt; do
+ case "$opt" in
+ u)
+ user="$OPTARG"
+ ;;
+ f)
+ config_file="$OPTARG"
+ ;;
+ F)
+ config_dir="$OPTARG"
+ ;;
+ esac
+ done
+
+ if [ -n "$user" ]; then
+ SLAPD_USER="$user"
+ fi
+
+ if [ -n "$config_dir" ]; then
+ SLAPD_CONFIG_DIR="$config_dir"
+ SLAPD_CONFIG_FILE=
+ SLAPD_CONFIG_CUSTOM=1
+ SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
+ elif [ -n "$config_file" ]; then
+ SLAPD_CONFIG_DIR=
+ SLAPD_CONFIG_FILE="$config_file"
+ SLAPD_CONFIG_CUSTOM=1
+ SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
+ fi
+}
+
+function uses_new_config()
+{
+ [ -n "$SLAPD_CONFIG_DIR" ]
+ return $?
+}
+
+function run_as_ldap()
+{
+ /sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
+ return $?
+}
+
+function ldif_unbreak()
+{
+ sed ':a;N;s/\n //;ta;P;D'
+}
+
+function ldif_value()
+{
+ sed 's/^[^:]*: //'
+}
+
+function databases_new()
+{
+ slapcat $SLAPD_GLOBAL_OPTIONS -c \
+ -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
+ ldif_unbreak | \
+ grep '^olcDbDirectory: ' | \
+ ldif_value
+}
+
+function databases_old()
+{
+ awk 'begin { database="" }
+ $1 == "database" { database=$2 }
+ $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
+ "$SLAPD_CONFIG_FILE"
+}
+
+function certificates_new()
+{
+ slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
+ ldif_unbreak | \
+ grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
+ ldif_value
+}
+
+function certificates_old()
+{
+ awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
+ "$SLAPD_CONFIG_FILE"
+}
+
+function certificates()
+{
+ uses_new_config && certificates_new || certificates_old
+}
+
+function databases()
+{
+ uses_new_config && databases_new || databases_old
+}
+
+
+function error()
+{
+ format="$1\n"; shift
+ printf "$format" $@ >&2
+}
+
+function load_sysconfig()
+{
+ [ -r "$SLAPD_SYSCONFIG_FILE" ] || return
+
+ . "$SLAPD_SYSCONFIG_FILE"
+ [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
+}
+
+default_config
diff --git a/contrib/packaging/CentOS/7/libexec-upgrade-db.sh b/contrib/packaging/CentOS/7/libexec-upgrade-db.sh
new file mode 100644
index 0000000000..a3bfd828fb
--- /dev/null
+++ b/contrib/packaging/CentOS/7/libexec-upgrade-db.sh
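Review bot: parse_config_options stores `SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"` with literal single quotes, but databases_new and certificates_new expand it unquoted straight into `slapcat $SLAPD_GLOBAL_OPTIONS`, where no shell re-parses those quotes; slapcat then appears to receive a path wrapped in apostrophes, fails behind `2>/dev/null`, and both helpers return nothing as soon as a user sets `-F`/`-f` in SLAPD_OPTIONS. Only run_as_ldap, which feeds the string through `/bin/sh`, interprets the quotes, so the two consumers need different quoting; the simplest fix is to keep the direct calls on `$SLAPD_CONFIG_DIR`/`$SLAPD_CONFIG_FILE` and reserve the pre-quoted string for run_as_ldap. error() also does `printf "$format" $@ >&2`; with `"$@"` an argument containing spaces fills one `%s` instead of being split across format slots. The lowercase `begin` in databases_old is not awk's `BEGIN`, so that block never runs (harmless now because `database` starts unset, but misleading to the next reader).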
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Author: Jan Vcelak
+
+. /usr/libexec/reopenldap/functions
+
+if [ `id -u` -ne 0 ]; then
+ error "You have to be root to run this command."
+ exit 4
+fi
+
+load_sysconfig
+retcode=0
+
+for dbdir in `databases`; do
+ upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
+ bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
+
+ # skip uninitialized database
+ [ -z "$bdb_files"] || continue
+
+ printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
+
+ # perform the update
+ for command in \
+ "/usr/bin/db_recover -v -h \"$dbdir\"" \
+ "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
+ "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
+ ; do
+ printf "Executing: %s\n" "$command" &>>$upgrade_log
+ run_as_ldap "$command" &>>$upgrade_log
+ result=$?
+ printf "Exit code: %d\n" $result >>"$upgrade_log"
+ if [ $result -ne 0 ]; then
+ printf "Upgrade failed: %d\n" $result
+ retcode=1
+ fi
+ done
+done
+
+exit $retcode
diff --git a/contrib/packaging/CentOS/7/reopenldap.spec b/contrib/packaging/CentOS/7/reopenldap.spec
new file mode 100644
index 0000000000..29f2413a87
--- /dev/null
+++ b/contrib/packaging/CentOS/7/reopenldap.spec
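Review bot: `[ -z "$bdb_files"] || continue` is wrong in two ways: when bdb_files is non-empty the closing `]` fuses with the value, `[` errors out with a missing `]`, and `continue` skips every initialized database, while for an empty value the test degenerates to `[ -z ]`, which is true, so the uninitialized directory is the one that gets db_recover/db_upgrade run on it. The comment says the intent is to skip uninitialized databases, so the line should be `[ -n "$bdb_files" ] || continue`. Also `$bdb_files` is assembled from `find -printf '"%f" '` and pasted into a command string that runuser executes through `/bin/sh`, so a file name containing `"`, `$` or backquotes in the DB directory is re-parsed by that shell rather than passed verbatim; `&>>` is likewise a bashism under `#!/bin/sh`. "Upgrade failed" goes to stdout, which %post servers and the libdb trigger in the spec both redirect to /dev/null and whose exit status they ignore, so a failed upgrade leaves no trace beyond the per-directory log file.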
@@ -0,0 +1,407 @@
+%global systemctl_bin /usr/bin/systemctl
+%define packaging_dir contrib/packaging/CentOS/7
+%global owner_ssh %(git config --get remote.origin.url | sed -n -e 's!^git@github.com:\\(.*\\)\\/.*$!\\1!p')
+%global owner_https %(git config --get remote.origin.url | sed -n -e 's!^https://github.com/\\(.*\\)\\/.*$!\\1!p')
+%global owner %{owner_ssh}%{owner_https}
+%global commit0 %(git log -n 1 --pretty=format:"%H")
+%global gittag0 %(git describe --abbrev=0 --tags)
+%global ver %(c=%{gittag0}; echo ${c:1})
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+
+Name: ReOpenLDAP
+Version: %{ver}
+Release: %{shortcommit0}%{?dist}
+Summary: The fork of OpenLDAP with a few new features (mostly for highload and multi-master clustering), additional bug fixing and code quality improvement.
+
+Group: System Environment/Daemons
+License: AGPLv3
+URL: https://github.com/%{owner}/ReOpenLDAP
+Source0: https://github.com/%{owner}/%{name}/archive/%{commit0}.tar.gz
+
+BuildRequires: cyrus-sasl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel libuuid-devel elfutils-libelf-devel
+BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed)
+BuildRequires: openssl-devel, nss-devel
+BuildRequires: bc git
+Requires: rpm, coreutils, nss-tools
+
+%description
+The fork of OpenLDAP with a few new features (mostly for highload and multi-master clustering), additional bug fixing and code quality improvement.
+
+# Disabled due to request: https://github.com/leo-yuriev/ReOpenLDAP/pull/145#issuecomment-358626660
+#%package devel
+#Summary: LDAP development libraries and header files
+#Group: Development/Libraries
+#Requires: %{name}%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa}
+#
+#%description devel
+#The openldap-devel package includes the development libraries and
+#header files needed for compiling applications that use LDAP
+#(Lightweight Directory Access Protocol) internals. LDAP is a set of
+#protocols for enabling directory services over the Internet. Install
+#this package only if you plan to develop or will need to compile
+#customized LDAP clients.
+
+%package servers
+Summary: LDAP server
+License: AGPLv3
+Requires: %{name}%{?_isa} = %{version}-%{release}, libdb-utils
+Requires(pre): shadow-utils
+Requires(post): systemd, systemd-sysv, chkconfig
+Requires(preun): systemd
+Requires(postun): systemd
+BuildRequires: libdb-devel
+BuildRequires: systemd-units
+BuildRequires: cracklib-devel
+Group: System Environment/Daemons
+# migrationtools (slapadd functionality):
+Provides: ldif2ldbm
+
+%description servers
+OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
+Protocol) applications and development tools. LDAP is a set of
+protocols for accessing directory services (usually phone book style
+information, but other information is possible) over the Internet,
+similar to the way DNS (Domain Name System) information is propagated
+over the Internet. This package contains the slapd server and related files.
+
+%package clients
+Summary: LDAP client utilities
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Group: Applications/Internet
+
+%description clients
+OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
+Protocol) applications and development tools. LDAP is a set of
+protocols for accessing directory services (usually phone book style
+information, but other information is possible) over the Internet,
+similar to the way DNS (Domain Name System) information is propagated
+over the Internet. The openldap-clients package contains the client
+programs needed for accessing and modifying OpenLDAP directories.
+
+%prep
+%autosetup -n %{name}-%{commit0}
+#setup -q -n %{name}-%{commit0}
+# alternative include paths for Mozilla NSS
+ln -s %{_includedir}/nss3 include/nss
+ln -s %{_includedir}/nspr4 include/nspr
+
+%build
+%ifarch s390 s390x
+ export CFLAGS="-fPIE"
+%else
+ export CFLAGS="-fpie"
+%endif
+export LDFLAGS="-pie"
+# avoid stray dependencies (linker flag --as-needed)
+# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
+export CFLAGS="${CFLAGS} %{optflags} -Wl,--as-needed -DLDAP_CONNECTIONLESS"
+%configure \
+ --sysconfdir=%{_sysconfdir}/reopenldap \
+ --enable-deprecated \
+ --enable-syslog \
+ --enable-proctitle \
+ --enable-ipv6 \
+ --enable-local \
+ \
+ --enable-slapd \
+ --enable-dynacl \
+ --disable-aci \
+ --enable-cleartext \
+ --enable-crypt \
+ --enable-lmpasswd=no \
+ --enable-spasswd \
+ --enable-modules \
+ --enable-rewrite \
+ --enable-rlookups \
+ --enable-slapi \
+ --disable-slp \
+ --enable-wrappers \
+ \
+ --enable-backends=mod \
+ --enable-mdb=yes \
+ --disable-hdb \
+ --disable-bdb \
+ --disable-dnssrv \
+ --enable-ldap=mod \
+ --enable-meta=mod \
+ --enable-monitor=yes \
+ --disable-ndb \
+ --enable-null=mod \
+ --disable-passwd \
+ --disable-perl \
+ --disable-relay \
+ --disable-shell \
+ --disable-sock \
+ --disable-sql \
+ \
+ --enable-overlays=mod \
+ \
+ --disable-static \
+ --enable-shared \
+ \
+ --with-cyrus-sasl \
+ --with-gssapi \
+ --without-fetch \
+ --with-pic \
+ --with-gnu-ld \
+ --with-tls=moznss \
+ \
+ --libexecdir=%{_libdir}
+make %{?_smp_mflags}
+
+
+%install
+mkdir -p %{buildroot}%{_libdir}/
+make install DESTDIR=%{buildroot} STRIP=""
+
+# setup directories for TLS certificates
+mkdir -p %{buildroot}%{_sysconfdir}/reopenldap/certs
+
+# setup data and runtime directories
+mkdir -p %{buildroot}%{_sharedstatedir}
+mkdir -p %{buildroot}%{_localstatedir}
+install -m 0700 -d %{buildroot}%{_sharedstatedir}/ldap
+install -m 0755 -d %{buildroot}%{_localstatedir}/run/reopenldap
+
+# setup autocreation of runtime directories on tmpfs
+mkdir -p %{buildroot}%{_tmpfilesdir}/
+install -m 0644 %{packaging_dir}/slapd.tmpfiles %{buildroot}%{_tmpfilesdir}/slapd.conf
+
+# install default ldap.conf (customized)
+rm -f %{buildroot}%{_sysconfdir}/reopenldap/ldap.conf
+install -m 0644 %{packaging_dir}/ldap.conf %{buildroot}%{_sysconfdir}/reopenldap/ldap.conf
+
+# Надо разобраться, что нам нужно из этих самых скриптов и кого из них запускать в %post.
+## setup maintainance scripts
+mkdir -p %{buildroot}%{_libexecdir}
+install -m 0755 -d %{buildroot}%{_libexecdir}/reopenldap
+install -m 0644 %{packaging_dir}/libexec-functions %{buildroot}%{_libexecdir}/reopenldap/functions
+install -m 0755 %{packaging_dir}/libexec-check-config.sh %{buildroot}%{_libexecdir}/reopenldap/check-config.sh
+install -m 0755 %{packaging_dir}/libexec-upgrade-db.sh %{buildroot}%{_libexecdir}/reopenldap/upgrade-db.sh
+
+# remove build root from config files and manual pages
+perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/reopenldap/*.conf
+perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.*
+
+# install an init script for the servers
+mkdir -p %{buildroot}%{_unitdir}
+install -m 0644 %{packaging_dir}/slapd.service %{buildroot}%{_unitdir}/slapd.service
+
+# install syconfig/slapd
+mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
+install -m 644 %{packaging_dir}/slapd.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/slapd
+
+# ldapadd point to buildroot.
+rm -f %{buildroot}%{_bindir}/ldapadd
+pushd %{buildroot}%{_bindir}
+ln -s ldapmodify ldapadd
+popd
+
+# tweak permissions on the libraries to make sure they're correct
+chmod 0755 %{buildroot}%{_libdir}/reopenldap/lib*.so*
+chmod 0644 %{buildroot}%{_libdir}/reopenldap/lib*.*a
+
+# slapd.conf(5) is obsoleted since 2.3, see slapd-config(5)
+# new configuration will be generated in %%post
+mkdir -p %{buildroot}%{_datadir}
+install -m 0755 -d %{buildroot}%{_datadir}/reopenldap-servers
+install -m 0644 %{packaging_dir}/slapd.ldif %{buildroot}%{_datadir}/reopenldap-servers/slapd.ldif
+install -m 0644 %{packaging_dir}/DB_CONFIG.example %{buildroot}%{_datadir}/reopenldap-servers/DB_CONFIG.example
+install -m 0700 -d %{buildroot}%{_sysconfdir}/reopenldap/slapd.d
+rm -f %{buildroot}%{_sysconfdir}/reopenldap/slapd.conf
+rm -f %{buildroot}%{_sysconfdir}/reopenldap/slapd.ldif
+
+# move doc files out of _sysconfdir
+mv %{buildroot}%{_sysconfdir}/reopenldap/schema/README README.schema
+#mv %{buildroot}%{_sysconfdir}/schema %{buildroot}%{_sysconfdir}/reopenldap
+
+# remove files which we don't want packaged
+rm -f %{buildroot}%{_libdir}/reopenldap/*.la
+rm -f %{buildroot}%{_mandir}/man5/ldif.5*
+rm -f %{buildroot}%{_mandir}/man5/ldap.conf.5*
+
+# Disabled due to request: https://github.com/leo-yuriev/ReOpenLDAP/pull/145#issuecomment-358626660
+# devel
+rm -f %{buildroot}%{_includedir}/reopenldap/*
+rm -f %{buildroot}%{_mandir}/man3/*
+
+
+%clean
+rm -rf %{buildroot}
+
+%post
+/sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%pre servers
+# create ldap user and group
+getent group ldap &>/dev/null || groupadd -r -g 55 ldap
+getent passwd ldap &>/dev/null || \
+ useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap
+if [ $1 -eq 2 ]; then
+ # package upgrade
+ old_version=$(rpm -q --qf=%%{version} reopenldap-servers)
+ new_version=%{version}
+ if [ "$old_version" != "$new_version" ]; then
+ touch %{_sharedstatedir}/ldap/rpm_upgrade_reopenldap &>/dev/null
+ fi
+fi
+exit 0
+
+%post servers
+
+/sbin/ldconfig -n %{_libdir}/reopenldap
+%systemd_post slapd.service
+
+# generate configuration if necessary
+if [[ ! -f %{_sysconfdir}/reopenldap/slapd.d/cn=config.ldif && \
+ ! -f %{_sysconfdir}/reopenldap/slapd.conf
+ ]]; then
+ # if there is no configuration available, generate one from the defaults
+ mkdir -p %{_sysconfdir}/reopenldap/slapd.d/ &>/dev/null || :
+ /usr/sbin/slapadd -F %{_sysconfdir}/reopenldap/slapd.d/ -n0 -l %{_datadir}/reopenldap-servers/slapd.ldif
+ chown -R ldap:ldap %{_sysconfdir}/reopenldap/slapd.d/
+ %{systemctl_bin} try-restart slapd.service &>/dev/null
+fi
+start_slapd=0
+
+# upgrade the database
+if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_reopenldap ]; then
+ if %{systemctl_bin} --quiet is-active slapd.service; then
+ %{systemctl_bin} stop slapd.service
+ start_slapd=1
+ fi
+
+ %{_libexecdir}/reopenldap/upgrade-db.sh &>/dev/null
+ rm -f %{_sharedstatedir}/ldap/rpm_upgrade_reopenldap
+fi
+
+# restart after upgrade
+if [ $1 -ge 1 ]; then
+ if [ $start_slapd -eq 1 ]; then
+ %{systemctl_bin} start slapd.service &>/dev/null || :
+ else
+ %{systemctl_bin} condrestart slapd.service &>/dev/null || :
+ fi
+fi
+exit 0
+
+%preun servers
+%systemd_preun slapd.service
+
+%postun servers
+/sbin/ldconfig
+%systemd_postun_with_restart slapd.service
+
+%triggerin servers -- libdb
+
+# libdb upgrade (setup for %%triggerun)
+if [ $2 -eq 2 ]; then
+ # we are interested in minor version changes (both versions of libdb are installed at this moment)
+ if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then
+ touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+ else
+ rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+ fi
+fi
+exit 0
+%triggerun servers -- libdb
+
+# libdb upgrade (finish %%triggerin)
+if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then
+ if %{systemctl_bin} --quiet is-active slapd.service; then
+ %{systemctl_bin} stop slapd.service
+ start=1
+ else
+ start=0
+ fi
+ %{_libexecdir}/reopenldap/upgrade-db.sh &>/dev/null
+ rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+ [ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null
+fi
+exit 0
+
+
+%files
+%doc ANNOUNCEMENT.OpenLDAP
+%doc CHANGES.OpenLDAP
+%doc ChangeLog
+%doc COPYRIGHT
+%doc LICENSE
+%doc README
+%doc README.md
+%doc README.OpenLDAP
+%dir %{_sysconfdir}/reopenldap
+%dir %{_sysconfdir}/reopenldap/certs
+%config(noreplace) %{_sysconfdir}/reopenldap/ldap.conf
+%{_libdir}/reopenldap/libreldap*.so*
+%{_libdir}/reopenldap/libreslapi*.so*
+#%{_mandir}/man5/ldif.5*
+#%{_mandir}/man5/ldap.conf.5*
+
+%files servers
+%doc contrib/slapd-modules/smbk5pwd/README
+%doc README.schema
+%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/reopenldap/slapd.d
+%config(noreplace) %{_sysconfdir}/reopenldap/schema
+%config(noreplace) %{_sysconfdir}/sysconfig/slapd
+%config(noreplace) %{_tmpfilesdir}/slapd.conf
+%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
+%dir %attr(-,ldap,ldap) %{_localstatedir}/run/reopenldap
+%{_unitdir}/slapd.service
+%{_bindir}/mdbx_*
+%{_datadir}/reopenldap-servers/
+%{_libdir}/reopenldap/autoca*.so*
+%{_libdir}/reopenldap/accesslog*.so*
+%{_libdir}/reopenldap/auditlog*.so*
+%{_libdir}/reopenldap/back_ldap*.so*
+%{_libdir}/reopenldap/back_meta*.so*
+%{_libdir}/reopenldap/back_null*.so*
+%{_libdir}/reopenldap/collect*.so*
+%{_libdir}/reopenldap/constraint*.so*
+%{_libdir}/reopenldap/dds*.so*
+%{_libdir}/reopenldap/deref*.so*
+%{_libdir}/reopenldap/dyngroup*.so*
+%{_libdir}/reopenldap/dynlist*.so*
+%{_libdir}/reopenldap/memberof*.so*
+%{_libdir}/reopenldap/pcache*.so*
+%{_libdir}/reopenldap/ppolicy*.so*
+%{_libdir}/reopenldap/refint*.so*
+%{_libdir}/reopenldap/retcode*.so*
+%{_libdir}/reopenldap/rwm*.so*
+%{_libdir}/reopenldap/seqmod*.so*
+%{_libdir}/reopenldap/sssvlv*.so*
+%{_libdir}/reopenldap/syncprov*.so*
+%{_libdir}/reopenldap/translucent*.so*
+%{_libdir}/reopenldap/unique*.so*
+%{_libdir}/reopenldap/valsort*.so*
+%dir %{_libexecdir}/reopenldap/
+%{_libexecdir}/reopenldap/functions
+%{_libexecdir}/reopenldap/check-config.sh
+%{_libexecdir}/reopenldap/upgrade-db.sh
+%{_sbindir}/slap*
+%{_mandir}/man5/slap*
+%{_mandir}/man8/*
+%{_mandir}/ru/man5/*
+%{_mandir}/ru/man8/*
+# obsolete configuration
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/reopenldap/slapd.conf
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/reopenldap/slapd.conf.bak
+
+%files clients
+%{_bindir}/ldap*
+%{_mandir}/man1/*
+%{_mandir}/ru/man1/*
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/reopenldap/slapd.conf
+
+# https://github.com/leo-yuriev/ReOpenLDAP/pull/145#issuecomment-358626660
+#%files devel
+#%{_includedir}/reopenldap/*
+#%{_mandir}/man3/*
+
+
+%changelog
+* Fri May 19 2017 Sergey Pechenko - 1.1.5-641ffb2.1
+- Initial bootstrapping ReOpenLDAP RPM specfile release. Based on contribution by Ivan Viktorov
+(https://github.com/ReOpen/ReOpenLDAP/issues/33#issuecomment-249861076)
diff --git a/contrib/packaging/CentOS/7/slapd.ldif b/contrib/packaging/CentOS/7/slapd.ldif
new file mode 100644
index 0000000000..85b293b06a
--- /dev/null
+++ b/contrib/packaging/CentOS/7/slapd.ldif
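Review bot: %build passes `--disable-bdb --disable-hdb` with only `--enable-mdb=yes`, yet the servers package still Requires libdb-utils, carries the libdb %triggerin/%triggerun pair, ships DB_CONFIG.example and calls upgrade-db.sh, all of which exist for BDB/HDB; since the libexec `databases()` helper only lists olcBdbConfig/olcHdbConfig directories, those hooks are dead code on this build and the trigger stops and restarts slapd for nothing. Either drop the libdb machinery or document the reason it stays, e.g. `# libdb hooks retained for sites still running BDB/HDB databases carried over from upstream packages`. In %pre servers, `rpm -q --qf=%%{version} reopenldap-servers` queries a lowercase package name while this spec produces `%{name}-servers`, i.e. ReOpenLDAP-servers; rpm package names are case-sensitive as far as I know, so old_version never equals new_version and the upgrade flag is set on every upgrade. %files clients also %ghosts `%{_sysconfdir}/reopenldap/slapd.conf` with `%attr(0640,ldap,ldap)`, duplicating the servers entry and tying a server-only config path to the client package; that line should go.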
@@ -0,0 +1,147 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /run/reopenldap/slapd.args
+olcPidFile: /run/reopenldap/slapd.pid
+olcLogLevel: stats
+# TLS settings
+olcTLSCACertificatePath: /etc/reopenldap/certs
+olcTLSCertificateFile: "ReOpenLDAP Server"
+olcTLSCertificateKeyFile: /etc/reopenldap/certs/password
+
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib/reopenldap
+#olcModulepath: /usr/lib64/reopenldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/reopenldap/schema/core.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory: /var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
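Review bot: `olcTLSCertificateFile: "ReOpenLDAP Server"` and `olcTLSCertificateKeyFile: /etc/reopenldap/certs/password` carry Mozilla NSS semantics (a certificate nickname and an NSS token password file), which match the spec's `--with-tls=moznss` but read like broken file paths to anyone used to OpenSSL builds; a comment such as `# moznss build: CertificateFile is the NSS cert nickname, CertificateKeyFile the NSS token password file` above the TLS block would prevent that misreading. It also explains why check_certs_perms is disabled in check-config.sh, since `test -e` on a nickname cannot succeed. The password file, once an administrator creates it, holds the token PIN and should be owned by ldap with mode 0600, which nothing in this packaging arranges or states; a second comment line saying so would help. The header's `This file should NOT be world readable` is inherited from the generated config and conflicts with the spec installing this template 0644 under %{_datadir}; since the template holds no secrets, it should say that the slapd.d content generated from it is what must be protected.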
diff --git a/contrib/packaging/CentOS/7/slapd.service b/contrib/packaging/CentOS/7/slapd.service
new file mode 100644
index 0000000000..46a6a93b5c
--- /dev/null
+++ b/contrib/packaging/CentOS/7/slapd.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=ReOpenLDAP Server Daemon
+After=syslog.target NetworkManager-wait-online.service
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+
+[Service]
+Type=forking
+PIDFile=/var/run/reopenldap/slapd.pid
+Environment="SLAPD_URLS=ldap:/// ldapi://%2Fvar%2Frun%2Fldapi" "SLAPD_OPTIONS="
+EnvironmentFile=/etc/sysconfig/slapd
+ExecStartPre=/usr/libexec/reopenldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/packaging/CentOS/7/slapd.sysconfig b/contrib/packaging/CentOS/7/slapd.sysconfig
new file mode 100644
index 0000000000..9250069259
--- /dev/null
+++ b/contrib/packaging/CentOS/7/slapd.sysconfig
@@ -0,0 +1,17 @@
+# OpenLDAP server configuration
+# see 'man slapd' for additional information
+
+# Where the server will run (-h option)
+# - ldapi:/// is required for on-the-fly configuration using client tools
+# (use SASL with EXTERNAL mechanism for authentication)
+# - default: ldapi:/// ldap:///
+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
+SLAPD_URLS="ldapi://%2Fvar%2Frun%2Fldapi ldap:///"
+
+# Any custom options
+#SLAPD_OPTIONS=""
+# Example of slpad.d-based configuration
+#SLAPD_OPTIONS="-F /etc/reopenldap/slapd.d"
+
+# Keytab location for GSSAPI Kerberos authentication
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
diff --git a/contrib/packaging/CentOS/7/slapd.tmpfiles b/contrib/packaging/CentOS/7/slapd.tmpfiles
new file mode 100644
index 0000000000..225579e94d
--- /dev/null
+++ b/contrib/packaging/CentOS/7/slapd.tmpfiles
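Review bot: The unit starts slapd as root and relies on `-u ldap` to drop privileges, and runs check-config.sh as root in ExecStartPre, but carries none of the sandboxing that systemd 219 on CentOS 7 already offers; `PrivateTmp=true` and `ProtectHome=true` in [Service] should be safe for slapd, while `ProtectSystem=full` would need `ReadWriteDirectories=/etc/reopenldap/slapd.d` because cn=config writes land there, so that one deserves testing before it goes in. `After=syslog.target` is obsolete on a systemd-only system, and `NetworkManager-wait-online.service` is only reached if something also Wants it; `After=network-online.target` plus `Wants=network-online.target` is the usual form. PIDFile is spelled `/var/run/reopenldap/slapd.pid` while slapd.ldif sets `olcPidFile: /run/reopenldap/slapd.pid`; both resolve to the same file on this platform, but using one spelling throughout avoids a needless question during incident triage.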
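Review bot: The keytab example `#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"` still points at upstream's /etc/openldap while every other path in this packaging lives under /etc/reopenldap, so uncommenting it as-is references a directory this package never creates; `#KRB5_KTNAME="FILE:/etc/reopenldap/ldap.keytab"` keeps the example consistent. The comment `# - default: ldapi:/// ldap:///` describes the compiled-in default, whereas the value actually set is `ldapi://%2Fvar%2Frun%2Fldapi ldap:///`, a socket at /var/run/ldapi; since slapd.service's own Environment= fallback uses that same socket path, the comment should state it, otherwise an operator comparing the two will assume one of them is wrong.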
@@ -0,0 +1,3 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/reopenldap 0755 ldap ldap -
+d /var/run/run/slapd 0755 ldap ldap -
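Review bot: `d /var/run/run/slapd 0755 ldap ldap -` looks like a typo: the doubled `run` creates /var/run/run/slapd, a path nothing else in this packaging references (pid and args files go to /var/run/reopenldap per slapd.ldif and the unit, and the ldapi socket to /var/run/ldapi per slapd.sysconfig). If a second directory is not needed, drop the line; if it was meant for something specific, correct the path so the directory created at boot matches whatever consumes it. The first entry agrees with the spec's `%attr(-,ldap,ldap) %{_localstatedir}/run/reopenldap` on ownership, so only the stray line needs attention.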