From ced0da84528b933502fb2b94d5ccdd49f6688ae4 Mon Sep 17 00:00:00 2001
From: Ryan Tandy
Date: Sun, 7 May 2017 20:16:00 +0000
Subject: [PATCH 01/11] reldap: check result of ldap_int_initialize in ldap_{get,set}_option (ITS#8648).
Change-Id: I76e5e628859c0ebe665d9990f667382f0f09a46b
---
 libraries/libreldap/ldap_options.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libraries/libreldap/ldap_options.c b/libraries/libreldap/ldap_options.c
index c6e48dd23c..f0b53e56d6 100644
--- a/libraries/libreldap/ldap_options.c
+++ b/libraries/libreldap/ldap_options.c
@@ -106,6 +106,8 @@ ldap_get_option(
 if( lo->ldo_valid != LDAP_INITIALIZED ) {
 ldap_int_initialize(lo, NULL);
+ if ( lo->ldo_valid != LDAP_INITIALIZED )
+ return LDAP_LOCAL_ERROR;
 }
 if(ld != NULL) {
@@ -446,6 +448,8 @@ ldap_set_option(
 if( lo->ldo_valid != LDAP_INITIALIZED ) {
 ldap_int_initialize(lo, dbglvl);
+ if ( lo->ldo_valid != LDAP_INITIALIZED )
+ return LDAP_LOCAL_ERROR;
 }
 if(ld != NULL) {
From 605efafe2a5b249c432fef735e9a6ca106168a35 Mon Sep 17 00:00:00 2001
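Review bot: The new guard in both hunks infers failure from `lo->ldo_valid` alone rather than from a return value, which is not obvious to a reader who expects `ldap_int_initialize()` to report status; a one-line comment above each added `if` would help: `/* ldap_int_initialize() reports failure only through ldo_valid */`. Both early returns happen before the `if(ld != NULL)` block, so as far as the hunks show no mutex is held on this path; if `ldap_int_initialize()` can leave any global lock held on a failed initialization, that would need releasing here — worth confirming in its definition, which is outside these hunks. `ldap_get_option` and `ldap_set_option` both start and end outside the hunks.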
From: pechenko Date: Thu, 18 May 2017 17:55:22 +0300 Subject: [PATCH 02/11] Initial version of packaging script and its helper files --- contrib/README | 2 + contrib/packaging/CentOS/7/DB_CONFIG.example | 28 ++ contrib/packaging/CentOS/7/ldap.conf | 17 + .../CentOS/7/libexec-check-config.sh | 91 +++++ contrib/packaging/CentOS/7/libexec-functions | 134 ++++++ .../packaging/CentOS/7/libexec-upgrade-db.sh | 40 ++ contrib/packaging/CentOS/7/reopenldap.spec | 386 ++++++++++++++++++ contrib/packaging/CentOS/7/slapd.ldif | 147 +++++++ contrib/packaging/CentOS/7/slapd.service | 18 + contrib/packaging/CentOS/7/slapd.sysconfig | 15 + contrib/packaging/CentOS/7/slapd.tmpfiles | 3 + 11 files changed, 881 insertions(+) create mode 100644 contrib/packaging/CentOS/7/DB_CONFIG.example create mode 100644 contrib/packaging/CentOS/7/ldap.conf create mode 100644 contrib/packaging/CentOS/7/libexec-check-config.sh create mode 100644 contrib/packaging/CentOS/7/libexec-functions create mode 100644 contrib/packaging/CentOS/7/libexec-upgrade-db.sh create mode 100644 contrib/packaging/CentOS/7/reopenldap.spec create mode 100644 contrib/packaging/CentOS/7/slapd.ldif create mode 100644 contrib/packaging/CentOS/7/slapd.service create mode 100644 contrib/packaging/CentOS/7/slapd.sysconfig create mode 100644 contrib/packaging/CentOS/7/slapd.tmpfiles diff --git a/contrib/README b/contrib/README index 387a29c27a..3c279d265d 100644 --- a/contrib/README +++ b/contrib/README @@ -43,6 +43,8 @@ Current contributions: slapi-plugins SLAPI plugins + packaging/CentOS/7 + Files required to perform RPM packaging for the whole project OpenLDAP Contributing Guidelines are available at: . diff --git a/contrib/packaging/CentOS/7/DB_CONFIG.example b/contrib/packaging/CentOS/7/DB_CONFIG.example new file mode 100644 index 0000000000..674f9aae98 --- /dev/null +++ b/contrib/packaging/CentOS/7/DB_CONFIG.example 
@@ -0,0 +1,28 @@
+# $OpenLDAP$
+# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
+#
+# See the Oracle Berkeley DB documentation
+#
+# for detail description of DB_CONFIG syntax and semantics.
+#
+# Hints can also be found in the OpenLDAP Software FAQ
+#
+# in particular:
+#
+
+# Note: most DB_CONFIG settings will take effect only upon rebuilding
+# the DB environment.
+
+# one 0.25 GB cache
+set_cachesize 0 268435456 1
+
+# Data Directory
+#set_data_dir db
+
+# Transaction Log settings
+set_lg_regionmax 262144
+set_lg_bsize 2097152
+#set_lg_dir logs
+
+# Note: special DB_CONFIG flags are no longer needed for "quick"
+# slapadd(8) or slapindex(8) access (see their -q option).
diff --git a/contrib/packaging/CentOS/7/ldap.conf b/contrib/packaging/CentOS/7/ldap.conf
new file mode 100644
index 0000000000..d7f0045ad6
--- /dev/null
+++ b/contrib/packaging/CentOS/7/ldap.conf
@@ -0,0 +1,17 @@
+# LDAP Defaults
+#
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+#TLS_CACERT /etc/openldap/certs/ca.crt
+TLS_CACERTDIR /etc/openldap/certs
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON on
diff --git a/contrib/packaging/CentOS/7/libexec-check-config.sh b/contrib/packaging/CentOS/7/libexec-check-config.sh
new file mode 100644
index 0000000000..a25dc39b77
--- /dev/null
+++ b/contrib/packaging/CentOS/7/libexec-check-config.sh
@@ -0,0 +1,91 @@ +#!/bin/sh +# Author: Jan Vcelak + +. /usr/libexec/reopenldap/functions + +function check_config_syntax() +{ + retcode=0 + tmp_slaptest=`mktemp --tmpdir=/var/run/reopenldap` + run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest + if [ $? -ne 0 ]; then + error "Checking configuration file failed:" + cat $tmp_slaptest >&2 + retcode=1 + fi + rm $tmp_slaptest + return $retcode +} + +function check_certs_perms() +{ + retcode=0 + for cert in `certificates`; do + run_as_ldap "/usr/bin/test -e \"$cert\"" + if [ $? -ne 0 ]; then + error "TLS certificate/key/DB '%s' was not found." "$cert" + retcoder=1 + continue + fi + run_as_ldap "/usr/bin/test -r \"$cert\"" + if [ $? -ne 0 ]; then + error "TLS certificate/key/DB '%s' is not readable." "$cert" + retcode=1 + fi + done + return $retcode +} + +function check_db_perms() +{ + retcode=0 + for dbdir in `databases`; do + [ -d "$dbdir" ] || continue + for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do + run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\"" + if [ $? -ne 0 ]; then + error "Read/write permissions for DB file '%s' are required." "$dbfile" + retcode=1 + fi + done + done + return $retcode +} + +function check_everything() +{ + retcode=0 + check_config_syntax || retcode=1 + # TODO: need support for Mozilla NSS, disabling temporarily + #check_certs_perms || retcode=1 + check_db_perms || retcode=1 + return $retcode +} + +if [ `id -u` -ne 0 ]; then + error "You have to be root to run this script." + exit 4 +fi + +load_sysconfig + +if [ -n "$SLAPD_CONFIG_DIR" ]; then + if [ ! -d "$SLAPD_CONFIG_DIR" ]; then + error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR" + else + check_everything + exit $? + fi +fi + +if [ -n "$SLAPD_CONFIG_FILE" ]; then + if [ ! -f "$SLAPD_CONFIG_FILE" ]; then + error "Configuration file '%s' does not exist." 
"$SLAPD_CONFIG_FILE" + else + error "Warning: Usage of a configuration file is obsolete!" + check_everything + exit $? + fi +fi + +exit 1 diff --git a/contrib/packaging/CentOS/7/libexec-functions b/contrib/packaging/CentOS/7/libexec-functions new file mode 100644 index 0000000000..990d2b80ad --- /dev/null +++ b/contrib/packaging/CentOS/7/libexec-functions 
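Review bot: `check_config_syntax` has root create its scratch file with `mktemp --tmpdir=/var/run/reopenldap`, but that directory is handed to the `ldap` user by slapd.tmpfiles (`d /var/run/reopenldap 0755 ldap ldap -`), so the service account can replace the file with a symlink between `mktemp` and the `&>$tmp_slaptest` redirection and have root's redirect (and the later `rm`) follow it — and this runs as root on every `ExecStartPre`. Capturing slaptest's output in a variable removes the file entirely; the rewrite below does that. Separately, `retcoder=1` in `check_certs_perms` is a typo, so a missing certificate never sets `retcode` (currently masked only because the call is commented out in `check_everything`), and the file is `#!/bin/sh` while relying on `function`, `&>` and `--tmpdir`, which are bash/GNU-specific — fine on CentOS 7 where sh is bash, but the shebang should be `#!/bin/bash` so the intent is explicit.
```shell
function check_config_syntax()
{
	# keep slaptest output in memory: no scratch file in the ldap-owned runtime dir
	output=$(run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" 2>&1)
	if [ $? -ne 0 ]; then
		error "Checking configuration file failed:"
		printf '%s\n' "$output" >&2
		return 1
	fi
	return 0
}
# … unchanged: check_certs_perms, check_db_perms, check_everything, root check, main …
```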
@@ -0,0 +1,134 @@ +# Author: Jan Vcelak + +SLAPD_USER= +SLAPD_CONFIG_FILE= +SLAPD_CONFIG_DIR= +SLAPD_CONFIG_CUSTOM= +SLAPD_GLOBAL_OPTIONS= +SLAPD_SYSCONFIG_FILE= + +function default_config() +{ + SLAPD_USER=ldap + SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf + SLAPD_CONFIG_DIR=/etc/openldap/slapd.d + SLAPD_CONFIG_CUSTOM= + SLAPD_GLOBAL_OPTIONS= + SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd +} + +function parse_config_options() +{ + user= + config_file= + config_dir= + while getopts :u:f:F: opt; do + case "$opt" in + u) + user="$OPTARG" + ;; + f) + config_file="$OPTARG" + ;; + F) + config_dir="$OPTARG" + ;; + esac + done + + if [ -n "$user" ]; then + SLAPD_USER="$user" + fi + + if [ -n "$config_dir" ]; then + SLAPD_CONFIG_DIR="$config_dir" + SLAPD_CONFIG_FILE= + SLAPD_CONFIG_CUSTOM=1 + SLAPD_GLOBAL_OPTIONS="-F '$config_dir'" + elif [ -n "$config_file" ]; then + SLAPD_CONFIG_DIR= + SLAPD_CONFIG_FILE="$config_file" + SLAPD_CONFIG_CUSTOM=1 + SLAPD_GLOBAL_OPTIONS="-f '$config_file'" + fi +} + +function uses_new_config() +{ + [ -n "$SLAPD_CONFIG_DIR" ] + return $? +} + +function run_as_ldap() +{ + /sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER" + return $? 
+} + +function ldif_unbreak() +{ + sed ':a;N;s/\n //;ta;P;D' +} + +function ldif_value() +{ + sed 's/^[^:]*: //' +} + +function databases_new() +{ + slapcat $SLAPD_GLOBAL_OPTIONS -c \ + -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \ + ldif_unbreak | \ + grep '^olcDbDirectory: ' | \ + ldif_value +} + +function databases_old() +{ + awk 'begin { database="" } + $1 == "database" { database=$2 } + $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \ + "$SLAPD_CONFIG_FILE" +} + +function certificates_new() +{ + slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \ + ldif_unbreak | \ + grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \ + ldif_value +} + +function certificates_old() +{ + awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \ + "$SLAPD_CONFIG_FILE" +} + +function certificates() +{ + uses_new_config && certificates_new || certificates_old +} + +function databases() +{ + uses_new_config && databases_new || databases_old +} + + +function error() +{ + format="$1\n"; shift + printf "$format" $@ >&2 +} + +function load_sysconfig() +{ + [ -r "$SLAPD_SYSCONFIG_FILE" ] || return + + . "$SLAPD_SYSCONFIG_FILE" + [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS +} + +default_config diff --git a/contrib/packaging/CentOS/7/libexec-upgrade-db.sh b/contrib/packaging/CentOS/7/libexec-upgrade-db.sh new file mode 100644 index 0000000000..1543c80b40 --- /dev/null +++ b/contrib/packaging/CentOS/7/libexec-upgrade-db.sh 
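Review bot: `parse_config_options` stores `SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"` with literal single quotes; that string is re-parsed correctly when it goes through `run_as_ldap` (a `sh -c`-style command string), but `databases_new` and `certificates_new` expand it unquoted directly into `slapcat $SLAPD_GLOBAL_OPTIONS`, so a custom `-F`/`-f` path reaches slapcat as `'/path'` including the quotes and the call fails silently (stderr goes to `/dev/null`). Either drop the inner quotes and pass the path as its own word, or route those two `slapcat` calls through `run_as_ldap` like everything else — which would also stop them running slapcat as root. Separately, `databases_new` filters on `olcBdbConfig`/`olcHdbConfig` only, while the slapd.ldif shipped in this same commit defines an `olcMdbConfig` database, so `check_db_perms` and upgrade-db.sh see no databases on a default install; add `(objectClass=olcMdbConfig)` to the filter if mdb directories are meant to be checked. Minor: `printf "$format" $@` in `error` should be `"$@"` so a path containing spaces stays one argument.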
@@ -0,0 +1,40 @@ +#!/bin/sh +# Author: Jan Vcelak + +. /usr/libexec/openldap/functions + +if [ `id -u` -ne 0 ]; then + error "You have to be root to run this command." + exit 4 +fi + +load_sysconfig +retcode=0 + +for dbdir in `databases`; do + upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log" + bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '` + + # skip uninitialized database + [ -z "$bdb_files"] || continue + + printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log" + + # perform the update + for command in \ + "/usr/bin/db_recover -v -h \"$dbdir\"" \ + "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \ + "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \ + ; do + printf "Executing: %s\n" "$command" &>>$upgrade_log + run_as_ldap "$command" &>>$upgrade_log + result=$? + printf "Exit code: %d\n" $result >>"$upgrade_log" + if [ $result -ne 0 ]; then + printf "Upgrade failed: %d\n" $result + retcode=1 + fi + done +done + +exit $retcode diff --git a/contrib/packaging/CentOS/7/reopenldap.spec b/contrib/packaging/CentOS/7/reopenldap.spec new file mode 100644 index 0000000000..ad16bac2ff --- /dev/null +++ b/contrib/packaging/CentOS/7/reopenldap.spec 
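Review bot: The script sources `/usr/libexec/openldap/functions`, but the spec installs the helper as `%{_libexecdir}/reopenldap/functions`, so the `.` fails and a non-interactive `sh` aborts before any database is touched; it should read `. /usr/libexec/reopenldap/functions`, as check-config.sh does. Even with that fixed, `[ -z "$bdb_files"] || continue` is broken twice: the missing space before `]` makes `test` fail with "missing ]" on every iteration so `continue` always fires, and the intended sense is the opposite — `[ -n "$bdb_files" ] || continue`. Note also that root appends `$upgrade_log` inside `$dbdir`, which the spec gives to `ldap` with mode 0700, so the predictable `db_upgrade.<timestamp>.log` name can be pre-planted there as a symlink by the service account; log under a root-owned directory instead. Because `%post servers` runs this with `&>/dev/null`, none of these failures would be visible to the administrator.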
@@ -0,0 +1,386 @@ +%global systemctl_bin /usr/bin/systemctl +%define packaging_dir contrib/packaging/CentOS/7 + +Name: reopenldap +Version: 1.1.5 +Release: %{?dist} +Summary: The fork of OpenLDAP with a few new features (mostly for highload and multi-master clustering), additional bug fixing and code quality improvement. + +Group: System Environment/Daemons +License: AGPLv3 +URL: https://github.com/ReOpen/ReOpenLDAP +Source0: %{name}-%{version}.tar.gz + +BuildRequires: cyrus-sasl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel libuuid-devel elfutils-libelf-devel +BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed) +BuildRequires: openssl-devel, nss-devel +BuildRequires: bc git +Requires: rpm, coreutils, nss-tools +Conflicts: openldap-servers, openldap-servers-sql, openldap-clients, openldap-devel + +%description +The fork of OpenLDAP with a few new features (mostly for highload and multi-master clustering), additional bug fixing and code quality improvement. + +%package devel +Summary: LDAP development libraries and header files +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa} +Provides: ldap-devel + +%description devel +The openldap-devel package includes the development libraries and +header files needed for compiling applications that use LDAP +(Lightweight Directory Access Protocol) internals. LDAP is a set of +protocols for enabling directory services over the Internet. Install +this package only if you plan to develop or will need to compile +customized LDAP clients. 
+ +%package servers +Summary: LDAP server +License: AGPLv3 +Requires: %{name}%{?_isa} = %{version}-%{release}, libdb-utils +Requires(pre): shadow-utils +Requires(post): systemd, systemd-sysv, chkconfig +Requires(preun): systemd +Requires(postun): systemd +BuildRequires: libdb-devel +BuildRequires: systemd-units +BuildRequires: cracklib-devel +Group: System Environment/Daemons +# migrationtools (slapadd functionality): +Provides: ldif2ldbm, ldap-server + +%description servers +OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. This package contains the slapd server and related files. + +%package clients +Summary: LDAP client utilities +Requires: %{name}%{?_isa} = %{version}-%{release} +Group: Applications/Internet + +%description clients +OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. The openldap-clients package contains the client +programs needed for accessing and modifying OpenLDAP directories. 
+ +%prep +%setup -q -n %{name}-%{version} +# alternative include paths for Mozilla NSS +ln -s %{_includedir}/nss3 include/nss +ln -s %{_includedir}/nspr4 include/nspr + +%build +%ifarch s390 s390x + export CFLAGS="-fPIE" +%else + export CFLAGS="-fpie" +%endif +export LDFLAGS="-pie" +# avoid stray dependencies (linker flag --as-needed) +# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS) +export CFLAGS="${CFLAGS} %{optflags} -Wl,--as-needed -DLDAP_CONNECTIONLESS" +%configure \ + --sysconfdir=%{_sysconfdir}/openldap \ + --enable-deprecated \ + --enable-syslog \ + --enable-proctitle \ + --enable-ipv6 \ + --enable-local \ + \ + --enable-slapd \ + --enable-dynacl \ + --disable-aci \ + --enable-cleartext \ + --enable-crypt \ + --enable-lmpasswd=no \ + --enable-spasswd \ + --enable-modules \ + --enable-rewrite \ + --enable-rlookups \ + --enable-slapi \ + --disable-slp \ + --enable-wrappers \ + \ + --enable-backends=mod \ + --enable-mdb=yes \ + --disable-hdb \ + --disable-bdb \ + --disable-dnssrv \ + --enable-ldap=mod \ + --enable-meta=mod \ + --enable-monitor=yes \ + --disable-ndb \ + --enable-null=mod \ + --disable-passwd \ + --disable-perl \ + --disable-relay \ + --disable-shell \ + --disable-sock \ + --disable-sql \ + \ + --enable-overlays=mod \ + \ + --disable-static \ + --enable-shared \ + \ + --with-cyrus-sasl \ + --with-gssapi \ + --without-fetch \ + --with-pic \ + --with-gnu-ld \ + --with-tls=moznss \ + \ + --libexecdir=%{_libdir} +make %{?_smp_mflags} + + +%install +mkdir -p %{buildroot}%{_libdir}/ +make install DESTDIR=%{buildroot} STRIP="" + +# setup directories for TLS certificates +mkdir -p %{buildroot}%{_sysconfdir}/openldap/certs + +# setup data and runtime directories +mkdir -p %{buildroot}%{_sharedstatedir} +mkdir -p %{buildroot}%{_localstatedir} +install -m 0700 -d %{buildroot}%{_sharedstatedir}/ldap +install -m 0755 -d %{buildroot}%{_localstatedir}/run/reopenldap + +# setup autocreation of runtime directories on tmpfs +mkdir -p 
%{buildroot}%{_tmpfilesdir}/ +install -m 0644 %{packaging_dir}/slapd.tmpfiles %{buildroot}%{_tmpfilesdir}/slapd.conf + +# install default ldap.conf (customized) +rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf +install -m 0644 %{packaging_dir}/ldap.conf %{buildroot}%{_sysconfdir}/openldap/ldap.conf + +# Надо разобраться, что нам нужно из этих самых скриптов и кого из них запускать в %post. +## setup maintainance scripts +mkdir -p %{buildroot}%{_libexecdir} +install -m 0755 -d %{buildroot}%{_libexecdir}/reopenldap +install -m 0644 %{packaging_dir}/libexec-functions %{buildroot}%{_libexecdir}/reopenldap/functions +install -m 0755 %{packaging_dir}/libexec-check-config.sh %{buildroot}%{_libexecdir}/reopenldap/check-config.sh +install -m 0755 %{packaging_dir}/libexec-upgrade-db.sh %{buildroot}%{_libexecdir}/reopenldap/upgrade-db.sh + +# remove build root from config files and manual pages +perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf +perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.* + +# install an init script for the servers +mkdir -p %{buildroot}%{_unitdir} +install -m 0644 %{packaging_dir}/slapd.service %{buildroot}%{_unitdir}/slapd.service + +# install syconfig/slapd +mkdir -p %{buildroot}%{_sysconfdir}/sysconfig +install -m 644 %{packaging_dir}/slapd.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/slapd + +# ldapadd point to buildroot. 
+rm -f %{buildroot}%{_bindir}/ldapadd +pushd %{buildroot}%{_bindir} +ln -s ldapmodify ldapadd +popd + +# tweak permissions on the libraries to make sure they're correct +chmod 0755 %{buildroot}%{_libdir}/reopenldap/lib*.so* +chmod 0644 %{buildroot}%{_libdir}/reopenldap/lib*.*a + +# slapd.conf(5) is obsoleted since 2.3, see slapd-config(5) +# new configuration will be generated in %%post +mkdir -p %{buildroot}%{_datadir} +install -m 0755 -d %{buildroot}%{_datadir}/reopenldap-servers +install -m 0644 %{packaging_dir}/slapd.ldif %{buildroot}%{_datadir}/reopenldap-servers/slapd.ldif +install -m 0644 %{packaging_dir}/db_config.example %{buildroot}%{_datadir}/reopenldap-servers/DB_CONFIG.example +install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d +rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf +rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif + +# move doc files out of _sysconfdir +mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema +#mv %{buildroot}%{_sysconfdir}/schema %{buildroot}%{_sysconfdir}/openldap + +# remove files which we don't want packaged +rm -f %{buildroot}%{_libdir}/reopenldap/*.la +rm -f %{buildroot}%{_mandir}/man5/ldif.5* +rm -f %{buildroot}%{_mandir}/man5/ldap.conf.5* + +%post +/sbin/ldconfig + +%postun -p /sbin/ldconfig + +%pre servers +# create ldap user and group +getent group ldap &>/dev/null || groupadd -r -g 55 ldap +getent passwd ldap &>/dev/null || \ + useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap +if [ $1 -eq 2 ]; then + # package upgrade + old_version=$(rpm -q --qf=%%{version} reopenldap-servers) + new_version=%{version} + if [ "$old_version" != "$new_version" ]; then + touch %{_sharedstatedir}/ldap/rpm_upgrade_reopenldap &>/dev/null + fi +fi +exit 0 + +%post servers + +/sbin/ldconfig -n %{_libdir}/reopenldap +%systemd_post slapd.service + +# generate configuration if necessary +if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \ + ! 
-f %{_sysconfdir}/openldap/slapd.conf + ]]; then + # if there is no configuration available, generate one from the defaults + mkdir -p %{_sysconfdir}/openldap/slapd.d/ &>/dev/null || : + /usr/sbin/slapadd -F %{_sysconfdir}/openldap/slapd.d/ -n0 -l %{_datadir}/reopenldap-servers/slapd.ldif + chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d/ + %{systemctl_bin} try-restart slapd.service &>/dev/null +fi +start_slapd=0 + +# upgrade the database +if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_reopenldap ]; then + if %{systemctl_bin} --quiet is-active slapd.service; then + %{systemctl_bin} stop slapd.service + start_slapd=1 + fi + + %{_libexecdir}/reopenldap/upgrade-db.sh &>/dev/null + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_reopenldap +fi + +# restart after upgrade +if [ $1 -ge 1 ]; then + if [ $start_slapd -eq 1 ]; then + %{systemctl_bin} start slapd.service &>/dev/null || : + else + %{systemctl_bin} condrestart slapd.service &>/dev/null || : + fi +fi +exit 0 + +%preun servers +%systemd_preun slapd.service + +%postun servers +/sbin/ldconfig +%systemd_postun_with_restart slapd.service + +%triggerin servers -- libdb + +# libdb upgrade (setup for %%triggerun) +if [ $2 -eq 2 ]; then + # we are interested in minor version changes (both versions of libdb are installed at this moment) + if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then + touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb + else + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb + fi +fi +exit 0 +%triggerun servers -- libdb + +# libdb upgrade (finish %%triggerin) +if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then + if %{systemctl_bin} --quiet is-active slapd.service; then + %{systemctl_bin} stop slapd.service + start=1 + else + start=0 + fi + %{_libexecdir}/reopenldap/upgrade-db.sh &>/dev/null + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb + [ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null +fi +exit 0 + + +%files +%doc 
ANNOUNCEMENT.OpenLDAP +%doc CHANGES.OpenLDAP +%doc ChangeLog +%doc COPYRIGHT +%doc LICENSE +%doc README +%doc README.md +%doc README.OpenLDAP +%dir %{_sysconfdir}/openldap +%dir %{_sysconfdir}/openldap/certs +%config(noreplace) %{_sysconfdir}/openldap/ldap.conf +%{_libdir}/reopenldap/libreldap*.so* +%{_libdir}/reopenldap/libreslapi*.so* +#%{_mandir}/man5/ldif.5* +#%{_mandir}/man5/ldap.conf.5* + +%files servers +%doc contrib/slapd-modules/smbk5pwd/README +%doc README.schema +%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d +%config(noreplace) %{_sysconfdir}/openldap/schema +%config(noreplace) %{_sysconfdir}/sysconfig/slapd +%config(noreplace) %{_tmpfilesdir}/slapd.conf +%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap +%dir %attr(-,ldap,ldap) %{_localstatedir}/run/reopenldap +%{_unitdir}/slapd.service +%{_bindir}/mdbx_* +%{_datadir}/reopenldap-servers/ +%{_libdir}/reopenldap/accesslog*.so* +%{_libdir}/reopenldap/auditlog*.so* +%{_libdir}/reopenldap/back_ldap*.so* +%{_libdir}/reopenldap/back_meta*.so* +%{_libdir}/reopenldap/back_null*.so* +%{_libdir}/reopenldap/collect*.so* +%{_libdir}/reopenldap/constraint*.so* +%{_libdir}/reopenldap/dds*.so* +%{_libdir}/reopenldap/deref*.so* +%{_libdir}/reopenldap/dyngroup*.so* +%{_libdir}/reopenldap/dynlist*.so* +%{_libdir}/reopenldap/memberof*.so* +%{_libdir}/reopenldap/pcache*.so* +%{_libdir}/reopenldap/ppolicy*.so* +%{_libdir}/reopenldap/refint*.so* +%{_libdir}/reopenldap/retcode*.so* +%{_libdir}/reopenldap/rwm*.so* +%{_libdir}/reopenldap/seqmod*.so* +%{_libdir}/reopenldap/sssvlv*.so* +%{_libdir}/reopenldap/syncprov*.so* +%{_libdir}/reopenldap/translucent*.so* +%{_libdir}/reopenldap/unique*.so* +%{_libdir}/reopenldap/valsort*.so* +%dir %{_libexecdir}/reopenldap/ +%{_libexecdir}/reopenldap/functions +%{_libexecdir}/reopenldap/check-config.sh +%{_libexecdir}/reopenldap/upgrade-db.sh +%{_sbindir}/slap* +%{_mandir}/man5/slap* +%{_mandir}/man8/* +%{_mandir}/ru/man5/* +%{_mandir}/ru/man8/* +# obsolete 
configuration +%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf +%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf.bak + +%files clients +%{_bindir}/ldap* +%{_mandir}/man1/* +%{_mandir}/ru/man1/* + +%files devel +%{_includedir}/reopenldap/* +%{_mandir}/man3/* + + +%changelog + diff --git a/contrib/packaging/CentOS/7/slapd.ldif b/contrib/packaging/CentOS/7/slapd.ldif new file mode 100644 index 0000000000..ef59896d4a --- /dev/null +++ b/contrib/packaging/CentOS/7/slapd.ldif 
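Review bot: `export LDFLAGS="-pie"` in `%build` replaces rather than extends the distribution's default linker flags, so the RELRO hardening that `%configure` would otherwise pick up from `%{__global_ldflags}` on EL7 (as far as I recall that macro's default) is dropped for every binary and module; prefer `export LDFLAGS="-pie %{?__global_ldflags} -Wl,-z,now"` so full RELRO is kept alongside PIE. The spec also configures `--disable-bdb --disable-hdb`, yet still pulls in `libdb-devel`/`libdb-utils`, ships DB_CONFIG.example, and keeps the `%triggerin`/`%triggerun servers -- libdb` upgrade machinery, none of which can ever have a BDB environment to act on. The untranslated Russian TODO above the maintenance-script install says it is still undecided which of these scripts `%post` should run, yet `%post servers` already invokes upgrade-db.sh unconditionally on upgrade; that comment should be in English and resolved before this is shipped.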
@@ -0,0 +1,147 @@ +# +# See slapd-config(5) for details on configuration options. +# This file should NOT be world readable. +# + +dn: cn=config +objectClass: olcGlobal +cn: config +olcArgsFile: /run/reopenldap/slapd.args +olcPidFile: /run/reopenldap/slapd.pid +olcLogLevel: stats +# TLS settings +olcTLSCACertificatePath: /etc/openldap/certs +olcTLSCertificateFile: "ReOpenLDAP Server" +olcTLSCertificateKeyFile: /etc/openldap/certs/password + +# +# Do not enable referrals until AFTER you have a working directory +# service AND an understanding of referrals. +# +#olcReferral: ldap://root.openldap.org +# +# Sample security restrictions +# Require integrity protection (prevent hijacking) +# Require 112-bit (3DES or better) encryption for updates +# Require 64-bit encryption for simple bind +# +#olcSecurity: ssf=1 update_ssf=112 simple_bind=64 + + +# +# Load dynamic backend modules: +# - modulepath is architecture dependent value (32/64-bit system) +# - back_sql.la backend requires openldap-servers-sql package +# - dyngroup.la and dynlist.la cannot be used at the same time +# + +#dn: cn=module,cn=config +#objectClass: olcModuleList +#cn: module +#olcModulepath: /usr/lib/reopenldap +#olcModulepath: /usr/lib64/reopenldap +#olcModuleload: accesslog.la +#olcModuleload: auditlog.la +#olcModuleload: back_dnssrv.la +#olcModuleload: back_ldap.la +#olcModuleload: back_mdb.la +#olcModuleload: back_meta.la +#olcModuleload: back_null.la +#olcModuleload: back_passwd.la +#olcModuleload: back_relay.la +#olcModuleload: back_shell.la +#olcModuleload: back_sock.la +#olcModuleload: collect.la +#olcModuleload: constraint.la +#olcModuleload: dds.la +#olcModuleload: deref.la +#olcModuleload: dyngroup.la +#olcModuleload: dynlist.la +#olcModuleload: memberof.la +#olcModuleload: pcache.la +#olcModuleload: ppolicy.la +#olcModuleload: refint.la +#olcModuleload: retcode.la +#olcModuleload: rwm.la +#olcModuleload: seqmod.la +#olcModuleload: smbk5pwd.la +#olcModuleload: sssvlv.la +#olcModuleload: 
syncprov.la +#olcModuleload: translucent.la +#olcModuleload: unique.la +#olcModuleload: valsort.la + + +# +# Schema settings +# + +dn: cn=schema,cn=config +objectClass: olcSchemaConfig +cn: schema + +include: file:///etc/openldap/schema/core.ldif + +# +# Frontend settings +# + +dn: olcDatabase=frontend,cn=config +objectClass: olcDatabaseConfig +olcDatabase: frontend +# +# Sample global access control policy: +# Root DSE: allow anyone to read it +# Subschema (sub)entry DSE: allow anyone to read it +# Other DSEs: +# Allow self write access +# Allow authenticated users read access +# Allow anonymous users to authenticate +# +#olcAccess: to dn.base="" by * read +#olcAccess: to dn.base="cn=Subschema" by * read +#olcAccess: to * +# by self write +# by users read +# by anonymous auth +# +# if no access controls are present, the default policy +# allows anyone and everyone to read anything but restricts +# updates to rootdn. (e.g., "access to * by * read") +# +# rootdn can always read and write EVERYTHING! +# + +# +# Configuration database +# + +dn: olcDatabase=config,cn=config +objectClass: olcDatabaseConfig +olcDatabase: config +olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c + n=auth" manage by * none + +# +# Server status monitoring +# + +dn: olcDatabase=monitor,cn=config +objectClass: olcDatabaseConfig +olcDatabase: monitor +olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c + n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none + +# +# Backend database definitions +# + +dn: olcDatabase=mdb,cn=config +objectClass: olcDatabaseConfig +objectClass: olcMdbConfig +olcDatabase: mdb +olcSuffix: dc=my-domain,dc=com +olcRootDN: cn=Manager,dc=my-domain,dc=com +olcDbDirectory: /var/lib/ldap +olcDbIndex: objectClass eq,pres +olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub 
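Review bot: The `olcDatabase=mdb` entry at the end of the file has no `olcAccess`, and the file's own frontend comment notes that without access controls the default policy lets anyone read anything, so a freshly generated config exposes the whole `dc=my-domain,dc=com` tree — including `userPassword` values once they exist — to anonymous binds; a conservative default such as `olcAccess: to attrs=userPassword by self write by anonymous auth by * none` followed by `olcAccess: to * by self write by users read by * none` would be safer out of the box. There is also no `olcDbMaxSize`, so the map stays at slapd-mdb(5)'s default (10 MiB, as far as I recall), which real data hits quickly and which then fails writes with MDB_MAP_FULL; set it explicitly. `olcRootDN` is given without `olcRootPW`, which only works if the rootdn entry is created in the tree or the admin uses the root peercred identity over `ldapi:///`; a comment stating that intent would save confusion.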
diff --git a/contrib/packaging/CentOS/7/slapd.service b/contrib/packaging/CentOS/7/slapd.service
new file mode 100644
index 0000000000..46a6a93b5c
--- /dev/null
+++ b/contrib/packaging/CentOS/7/slapd.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=ReOpenLDAP Server Daemon
+After=syslog.target NetworkManager-wait-online.service
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+
+[Service]
+Type=forking
+PIDFile=/var/run/reopenldap/slapd.pid
+Environment="SLAPD_URLS=ldap:/// ldapi://%2Fvar%2Frun%2Fldapi" "SLAPD_OPTIONS="
+EnvironmentFile=/etc/sysconfig/slapd
+ExecStartPre=/usr/libexec/reopenldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/packaging/CentOS/7/slapd.sysconfig b/contrib/packaging/CentOS/7/slapd.sysconfig
new file mode 100644
index 0000000000..cdeb83f7b4
--- /dev/null
+++ b/contrib/packaging/CentOS/7/slapd.sysconfig
@@ -0,0 +1,15 @@
+# OpenLDAP server configuration
+# see 'man slapd' for additional information
+
+# Where the server will run (-h option)
+# - ldapi:/// is required for on-the-fly configuration using client tools
+# (use SASL with EXTERNAL mechanism for authentication)
+# - default: ldapi:/// ldap:///
+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
+SLAPD_URLS="ldapi://%2Fvar%2Frun%2Fldapi ldap:///"
+
+# Any custom options
+#SLAPD_OPTIONS=""
+
+# Keytab location for GSSAPI Kerberos authentication
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
diff --git a/contrib/packaging/CentOS/7/slapd.tmpfiles b/contrib/packaging/CentOS/7/slapd.tmpfiles
new file mode 100644
index 0000000000..225579e94d
--- /dev/null
+++ b/contrib/packaging/CentOS/7/slapd.tmpfiles
@@ -0,0 +1,3 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/reopenldap 0755 ldap ldap -
+d /var/run/run/slapd 0755 ldap ldap -
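Review bot: `After=syslog.target NetworkManager-wait-online.service` ties start ordering to NetworkManager specifically and to the obsolete `syslog.target`; the portable form is `After=network-online.target` plus `Wants=network-online.target`, so a host using the classic `network` service still has addresses before slapd binds `ldap:///`. The unit also runs the daemon with no sandboxing although slapd only needs `/etc/openldap`, `/var/lib/ldap` and its runtime directory — `PrivateTmp=true`, `ProtectSystem=full` and `ProtectHome=true` exist on CentOS 7's systemd and are cheap to add under `[Service]`; confirm the NSS certificate DB under `/etc/openldap/certs` stays readable before enabling ProtectSystem. `ExecStartPre` runs check-config.sh as root, which is what that script demands, so the `-u ldap` privilege drop applies to slapd alone.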
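Review bot: `d /var/run/run/slapd 0755 ldap ldap -` looks like a typo — nothing else in this series references `/var/run/run`; the unit's `PIDFile` and the ldif's `olcPidFile`/`olcArgsFile` all live under `/var/run/reopenldap`, and the ldapi socket is `/var/run/ldapi` — so the line should either be dropped or name the path actually used. Note too that `/var/run/reopenldap` is created owned by `ldap` while check-config.sh has root create and remove files in it on every start; if the directory stays ldap-owned, nothing running as root should open files there by name.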
From 4482bf900166e19095b385e9c83d78a72b020416 Mon Sep 17 00:00:00 2001
From: pechenko
Date: Thu, 18 May 2017 18:44:10 +0300
Subject: [PATCH 03/11] More or less universal stuff for reading out repo owner
---
 contrib/packaging/CentOS/7/reopenldap.spec | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/contrib/packaging/CentOS/7/reopenldap.spec b/contrib/packaging/CentOS/7/reopenldap.spec
index ad16bac2ff..6d31bc4428 100644
--- a/contrib/packaging/CentOS/7/reopenldap.spec
+++ b/contrib/packaging/CentOS/7/reopenldap.spec
@@ -1,5 +1,9 @@
 %global systemctl_bin /usr/bin/systemctl
 %define packaging_dir contrib/packaging/CentOS/7
+%define owner %(git config --get remote.origin.url | sed -n -e 's!^git@github.com:\(.*\)\/.*$!\1!p')
+%global commit0 %(git log -n 1 --pretty=format:"%H")
+%global gittag0 v1.1.5
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 Name: reopenldap
 Version: 1.1.5
@@ -8,8 +12,8 @@ Summary: The fork of OpenLDAP with a few new features (mostly for highload and m
 Group: System Environment/Daemons
 License: AGPLv3
-URL: https://github.com/ReOpen/ReOpenLDAP
-Source0: %{name}-%{version}.tar.gz
+URL: https://github.com/%{owner}/ReOpenLDAP
+Source0: https://github.com/%{owner}/%{name}/archive/%{commit0}.tar.gz#/%{name}-%{shortcommit0}.tar.gz
 BuildRequires: cyrus-sasl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel libuuid-devel elfutils-libelf-devel
 BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed)
@@ -73,7 +77,8 @@ over the Internet. The openldap-clients package contains the client
 programs needed for accessing and modifying OpenLDAP directories.
 %prep
-%setup -q -n %{name}-%{version}
+%autosetup -n %{name}-%{commit0}
+#%setup -q -n %{name}-%{version}
 # alternative include paths for Mozilla NSS
 ln -s %{_includedir}/nss3 include/nss
 ln -s %{_includedir}/nspr4 include/nspr
From d7d5f453cd2ec41711ebb909cb5d90bbec634b01 Mon Sep 17 00:00:00 2001
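Review bot: `%define owner %(git config --get remote.origin.url | sed …)` and `%global commit0 %(git log …)` make the package's identity depend on whichever clone and remote `rpmbuild` happens to run in: a remote that is not of the `git@github.com:` form leaves `%{owner}` empty so `Source0` becomes `https://github.com//reopenldap/…`, and a source RPM built from a fork advertises the fork's tarball rather than upstream's. There is also no checksum or signature tied to `Source0`, so the URL is informational only; if reproducible packages are the goal, give owner and commit fixed defaults that can be overridden with `--define`, and verify the archive in `%prep`. `%autosetup -n %{name}-%{commit0}` additionally assumes the GitHub archive unpacks into a directory named after the lowercase `%{name}`, which as far as I can tell is not what a `ReOpenLDAP-<commit>` archive yields.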
From: pechenko
Date: Thu, 18 May 2017 19:08:33 +0300
Subject: [PATCH 04/11] Better version handling
---
 contrib/packaging/CentOS/7/reopenldap.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/packaging/CentOS/7/reopenldap.spec b/contrib/packaging/CentOS/7/reopenldap.spec
index 6d31bc4428..4aa08cfef7 100644
--- a/contrib/packaging/CentOS/7/reopenldap.spec
+++ b/contrib/packaging/CentOS/7/reopenldap.spec
@@ -13,7 +13,7 @@ Summary: The fork of OpenLDAP with a few new features (mostly for highload and m
 Group: System Environment/Daemons
 License: AGPLv3
 URL: https://github.com/%{owner}/ReOpenLDAP
-Source0: https://github.com/%{owner}/%{name}/archive/%{commit0}.tar.gz#/%{name}-%{shortcommit0}.tar.gz
+Source0: https://github.com/%{owner}/%{name}/archive/%{commit0}.tar.gz
 BuildRequires: cyrus-sasl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel libuuid-devel elfutils-libelf-devel
 BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed)
From 641ffb270cfa573883b102c2c7361e572e4054a2 Mon Sep 17 00:00:00 2001
From: pechenko
Date: Fri, 19 May 2017 11:24:00 +0300
Subject: [PATCH 05/11] Final version of bootstrapping specfile
---
 contrib/packaging/CentOS/7/reopenldap.spec | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/contrib/packaging/CentOS/7/reopenldap.spec b/contrib/packaging/CentOS/7/reopenldap.spec
index 4aa08cfef7..52f4cb7a14 100644
--- a/contrib/packaging/CentOS/7/reopenldap.spec
+++ b/contrib/packaging/CentOS/7/reopenldap.spec
@@ -1,13 +1,16 @@
 %global systemctl_bin /usr/bin/systemctl
 %define packaging_dir contrib/packaging/CentOS/7
-%define owner %(git config --get remote.origin.url | sed -n -e 's!^git@github.com:\(.*\)\/.*$!\1!p')
+%global owner_ssh %(git config --get remote.origin.url | sed -n -e 's!^git@github.com:\\(.*\\)\\/.*$!\\1!p')
+%global owner_https %(git config --get remote.origin.url | sed -n -e 's!^https://github.com/\\(.*\\)\\/.*$!\\1!p')
+%global owner %{owner_ssh}%{owner_https}
 %global commit0 %(git log -n 1 --pretty=format:"%H")
-%global gittag0 v1.1.5
+%global gittag0 %(git describe --abbrev=0 --tags)
+%global ver %(c=%{gittag0}; echo ${c:1})
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
-Name: reopenldap
-Version: 1.1.5
-Release: %{?dist}
+Name: ReOpenLDAP
+Version: %{ver}
+Release: %{shortcommit0}%{?dist}
 Summary: The fork of OpenLDAP with a few new features (mostly for highload and multi-master clustering), additional bug fixing and code quality improvement.
 Group: System Environment/Daemons
@@ -78,7 +81,7 @@ programs needed for accessing and modifying OpenLDAP directories.
 %prep
 %autosetup -n %{name}-%{commit0}
-#%setup -q -n %{name}-%{version}
+#setup -q -n %{name}-%{commit0}
 # alternative include paths for Mozilla NSS
 ln -s %{_includedir}/nss3 include/nss
 ln -s %{_includedir}/nspr4 include/nspr
@@ -204,7 +207,7 @@ chmod 0644 %{buildroot}%{_libdir}/reopenldap/lib*.*a
 mkdir -p %{buildroot}%{_datadir}
 install -m 0755 -d %{buildroot}%{_datadir}/reopenldap-servers
 install -m 0644 %{packaging_dir}/slapd.ldif %{buildroot}%{_datadir}/reopenldap-servers/slapd.ldif
-install -m 0644 %{packaging_dir}/db_config.example %{buildroot}%{_datadir}/reopenldap-servers/DB_CONFIG.example
+install -m 0644 %{packaging_dir}/DB_CONFIG.example %{buildroot}%{_datadir}/reopenldap-servers/DB_CONFIG.example
 install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
 rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf
 rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif
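Review bot: `Release: %{shortcommit0}%{?dist}` in the first hunk makes the release field a seven-character hex abbreviation, and rpm's version comparison does not order those by history — rpmvercmp compares numeric and alphabetic runs separately, so a later build whose abbreviation happens to sort lower is treated as older and an update will not be offered. Put a monotonic counter first and keep the hash as a suffix, e.g. `%global commitcount %(git rev-list --count HEAD)` and `Release: %{commitcount}.git%{shortcommit0}%{?dist}`. In the same hunk `%global ver %(c=%{gittag0}; echo ${c:1})` unconditionally strips the first character of whatever `git describe --abbrev=0 --tags` returns, which yields an empty or mangled `Version` on a checkout with no tag or with a tag that lacks the `v` prefix; `git describe --abbrev=0 --tags --match 'v*'` together with `echo ${c#v}` only strips the prefix when it is present.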
@@ -341,6 +344,7 @@ exit 0
 %{_unitdir}/slapd.service
 %{_bindir}/mdbx_*
 %{_datadir}/reopenldap-servers/
+%{_libdir}/reopenldap/autoca*.so*
 %{_libdir}/reopenldap/accesslog*.so*
 %{_libdir}/reopenldap/auditlog*.so*
 %{_libdir}/reopenldap/back_ldap*.so*
From 8566ccaeca2d34418e26c0a60a013627e62959cf Mon Sep 17 00:00:00 2001
From: pechenko
Date: Fri, 19 May 2017 16:21:08 +0300
Subject: [PATCH 06/11] Added proper README.md
---
 contrib/README | 3 +-
 contrib/packaging/CentOS/7/README.md | 37 ++++++++++++++++++++++
 contrib/packaging/CentOS/7/reopenldap.spec | 10 ++++--
 3 files changed, 46 insertions(+), 4 deletions(-)
 create mode 100644 contrib/packaging/CentOS/7/README.md
diff --git a/contrib/README b/contrib/README
index 3c279d265d..ed1542aec5 100644
--- a/contrib/README
+++ b/contrib/README
@@ -44,7 +44,8 @@ Current contributions:
 SLAPI plugins
 packaging/CentOS/7
- Files required to perform RPM packaging for the whole project
+ Files required to perform RPM packaging for the whole project.
+
 OpenLDAP Contributing Guidelines are available at:
 .
diff --git a/contrib/packaging/CentOS/7/README.md b/contrib/packaging/CentOS/7/README.md
new file mode 100644
index 0000000000..bdf101a341
--- /dev/null
+++ b/contrib/packaging/CentOS/7/README.md
@@ -0,0 +1,37 @@
+# RPM packaging specfile for CentOS 7
+
+## Overview
+This is bootstrapping specfile. It is able to
+determine git repo owner, branch, tag and commit, then
+reuse this information during package build.
+
+## Requirements
+You should have **rpm-devel** package installed,
+also all those packages which are required by ReOpenLDAP
+itself.
+
+## Usage
+A couple of commands is required to build the package:
+
+>spectool -R -g reopenldap.spec
+>rpmbuild -bb reopenldap.spec
+
+First command downloads source file to the directory
+where rpmbuild expects to find it. Second command builds
+a set of binary packages.
+
+##Tips and tricks
+If you ever need to find out
+package file paths, you could use this command:
+>spectool -R -g reopenldap.spec
+>rpmbuild -bb reopenldap.spec 2>&1 | tee /tmp/build.log
+>grep -n -E '(Wrote: )(.+)$' /tmp/build.log | awk '{print $2;}'
+
+## Authors
+ Specfile initially has been contributed by Ivan Viktorov
+ (https://github.com/Ivan-Viktorov) as a comment on issue #34
+ of original project
+ (https://github.com/ReOpen/ReOpenLDAP/issues/33#issuecomment-249861076).
+
+ Tune-up and bootsrapping has been implemented by
+ Sergey Pechenko (https://github.com/tnt4brain/ReOpenLDAP/tree/devel)
diff --git a/contrib/packaging/CentOS/7/reopenldap.spec b/contrib/packaging/CentOS/7/reopenldap.spec
index 52f4cb7a14..1a9f00fa01 100644
--- a/contrib/packaging/CentOS/7/reopenldap.spec
+++ b/contrib/packaging/CentOS/7/reopenldap.spec
@@ -32,7 +32,6 @@ The fork of OpenLDAP with a few new features (mostly for highload and multi-mast
 Summary: LDAP development libraries and header files
 Group: Development/Libraries
 Requires: %{name}%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa}
-Provides: ldap-devel
 %description devel
 The openldap-devel package includes the development libraries and
@@ -55,7 +54,7 @@ BuildRequires: systemd-units
 BuildRequires: cracklib-devel
 Group: System Environment/Daemons
 # migrationtools (slapadd functionality):
-Provides: ldif2ldbm, ldap-server
+Provides: ldif2ldbm
 %description servers
 OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
@@ -221,6 +220,9 @@ rm -f %{buildroot}%{_libdir}/reopenldap/*.la
 rm -f %{buildroot}%{_mandir}/man5/ldif.5*
 rm -f %{buildroot}%{_mandir}/man5/ldap.conf.5*
+%clean
+rm -rf %{buildroot}
+
 %post
 /sbin/ldconfig
@@ -392,4 +394,6 @@ exit 0
 %changelog
-
+* Fri May 19 2017 Sergey Pechenko - 1.1.5-641ffb2.1
+- Initial bootstrapping ReOpenLDAP RPM specfile release. Based on contribution by Ivan Viktorov
+(https://github.com/ReOpen/ReOpenLDAP/issues/33#issuecomment-249861076)
From bd159cf62dc69896227c08880b16f19d74199d00 Mon Sep 17 00:00:00 2001
From: pechenko <10977752+tnt4brain@users.noreply.github.com>
Date: Wed, 22 Aug 2018 17:17:48 +0300
Subject: [PATCH 07/11] Minor fix for spec-file
---
 contrib/packaging/CentOS/7/reopenldap.spec | 1 +
 1 file changed, 1 insertion(+)
diff --git a/contrib/packaging/CentOS/7/reopenldap.spec b/contrib/packaging/CentOS/7/reopenldap.spec
index 1a9f00fa01..33e48afd0d 100644
--- a/contrib/packaging/CentOS/7/reopenldap.spec
+++ b/contrib/packaging/CentOS/7/reopenldap.spec
@@ -387,6 +387,7 @@ exit 0
 %{_bindir}/ldap*
 %{_mandir}/man1/*
 %{_mandir}/ru/man1/*
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
 %files devel
 %{_includedir}/reopenldap/*
From bae39f7a9943bcce038419e300c06b9dc88bc41c Mon Sep 17 00:00:00 2001
From: pechenko <10977752+tnt4brain@users.noreply.github.com>
Date: Wed, 22 Aug 2018 17:19:01 +0300
Subject: [PATCH 08/11] Updated specfile
---
 contrib/packaging/CentOS/7/reopenldap.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/packaging/CentOS/7/reopenldap.spec b/contrib/packaging/CentOS/7/reopenldap.spec
index 33e48afd0d..a8072b87f5 100644
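Review bot: The patch 07 hunk (`@@ -387,6 +387,7 @@`) adds `%{_sysconfdir}/openldap/slapd.conf` with `%attr(0640,ldap,ldap)` to `%files clients`, but the same path is already claimed by `%files servers` under `# obsolete configuration` (both entries are visible as context in the `@@ -380,14 +379,14 @@` hunk of patch 09), so a server configuration file is now co-owned by the client-only package, which has no reason to assert `ldap:ldap` ownership of it or to create the `ldap` user's claim on a client-only host. rpm tolerates identical `%ghost` entries across subpackages, so this will not fail the build, which is why it is easy to miss; drop the line from `%files clients`, or if the intent was the clients' own config, point it at `%{_sysconfdir}/openldap/ldap.conf`. The same duplicated entry is carried forward, path-renamed, in patch 09 and is not flagged again there.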
--- a/contrib/packaging/CentOS/7/reopenldap.spec
+++ b/contrib/packaging/CentOS/7/reopenldap.spec
@@ -328,7 +328,7 @@ exit 0
 %doc README.OpenLDAP
 %dir %{_sysconfdir}/openldap
 %dir %{_sysconfdir}/openldap/certs
-%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
+%ghost %config(noreplace) %{_sysconfdir}/openldap/ldap.conf
 %{_libdir}/reopenldap/libreldap*.so*
 %{_libdir}/reopenldap/libreslapi*.so*
 #%{_mandir}/man5/ldif.5*
From dfb9d64f9314b7c966fc7a3702fe62af5df6cd9e Mon Sep 17 00:00:00 2001
From: pechenko <10977752+tnt4brain@users.noreply.github.com>
Date: Thu, 23 Aug 2018 11:39:06 +0300
Subject: [PATCH 09/11] Specfile changes
---
 contrib/packaging/CentOS/7/reopenldap.spec | 47 +++++++++++-----------
 1 file changed, 23 insertions(+), 24 deletions(-)
diff --git a/contrib/packaging/CentOS/7/reopenldap.spec b/contrib/packaging/CentOS/7/reopenldap.spec
index a8072b87f5..b61f3d73ae 100644
--- a/contrib/packaging/CentOS/7/reopenldap.spec
+++ b/contrib/packaging/CentOS/7/reopenldap.spec
@@ -23,7 +23,6 @@ BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel
 BuildRequires: openssl-devel, nss-devel
 BuildRequires: bc git
 Requires: rpm, coreutils, nss-tools
-Conflicts: openldap-servers, openldap-servers-sql, openldap-clients, openldap-devel
 %description
 The fork of OpenLDAP with a few new features (mostly for highload and multi-master clustering), additional bug fixing and code quality improvement.
@@ -96,7 +95,7 @@ export LDFLAGS="-pie"
 # enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
 export CFLAGS="${CFLAGS} %{optflags} -Wl,--as-needed -DLDAP_CONNECTIONLESS"
 %configure \
-  --sysconfdir=%{_sysconfdir}/openldap \
+  --sysconfdir=%{_sysconfdir}/reopenldap \
   --enable-deprecated \
   --enable-syslog \
   --enable-proctitle \
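Review bot: Removing `Conflicts: openldap-servers, openldap-servers-sql, openldap-clients, openldap-devel` in the `@@ -23,7 +23,6 @@` hunk is premature while the package still ships paths the stock packages own — `%{_bindir}/ldap*`, `%{_unitdir}/slapd.service`, `%{_sysconfdir}/sysconfig/slapd` and `%{_tmpfilesdir}/slapd.conf` remain in the `%files` lists visible elsewhere in this series — so co-installation will most likely fail on file conflicts at install time, and the `slapd` unit and sysconfig names would otherwise let one package's service definition shadow the other's. Keep the `Conflicts:` line until those paths are namespaced, or state the replacement relationship explicitly with `Provides:`/`Obsoletes:`. In the patch 08 hunk above (`@@ -328,7 +328,7 @@`), `%ghost %config(noreplace)` excludes `ldap.conf` from the payload, so the customized file installed in `%install` never reaches the target; patch 10 later reverts this, so the series as a whole is fine but the intermediate commit ships without a client config.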
@@ -155,7 +154,7 @@ mkdir -p %{buildroot}%{_libdir}/
 make install DESTDIR=%{buildroot} STRIP=""
 # setup directories for TLS certificates
-mkdir -p %{buildroot}%{_sysconfdir}/openldap/certs
+mkdir -p %{buildroot}%{_sysconfdir}/reopenldap/certs
 # setup data and runtime directories
 mkdir -p %{buildroot}%{_sharedstatedir}
@@ -168,8 +167,8 @@ mkdir -p %{buildroot}%{_tmpfilesdir}/
 install -m 0644 %{packaging_dir}/slapd.tmpfiles %{buildroot}%{_tmpfilesdir}/slapd.conf
 # install default ldap.conf (customized)
-rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf
-install -m 0644 %{packaging_dir}/ldap.conf %{buildroot}%{_sysconfdir}/openldap/ldap.conf
+rm -f %{buildroot}%{_sysconfdir}/reopenldap/ldap.conf
+install -m 0644 %{packaging_dir}/ldap.conf %{buildroot}%{_sysconfdir}/reopenldap/ldap.conf
 # Надо разобраться, что нам нужно из этих самых скриптов и кого из них запускать в %post.
 ## setup maintainance scripts
@@ -180,7 +179,7 @@ install -m 0755 %{packaging_dir}/libexec-check-config.sh %{buildroot}%{_libexecd
 install -m 0755 %{packaging_dir}/libexec-upgrade-db.sh %{buildroot}%{_libexecdir}/reopenldap/upgrade-db.sh
 # remove build root from config files and manual pages
-perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
+perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/reopenldap/*.conf
 perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.*
 # install an init script for the servers
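Review bot: The context line in the `@@ -168,8 +167,8 @@` hunk, `# Надо разобраться, ...`, is a Russian-language TODO in an otherwise English spec and it contains a bare `%post`; rpm expands macros inside comments, so a `%` in a comment should be written `%%` to avoid surprises. Since this hunk already touches the lines around it, replace it with `# TODO: decide which of these maintenance scripts are needed and which should run from %%post.` so the open question is readable to every maintainer and the comment is macro-safe.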
@@ -207,13 +206,13 @@ mkdir -p %{buildroot}%{_datadir}
 install -m 0755 -d %{buildroot}%{_datadir}/reopenldap-servers
 install -m 0644 %{packaging_dir}/slapd.ldif %{buildroot}%{_datadir}/reopenldap-servers/slapd.ldif
 install -m 0644 %{packaging_dir}/DB_CONFIG.example %{buildroot}%{_datadir}/reopenldap-servers/DB_CONFIG.example
-install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
-rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf
-rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif
+install -m 0700 -d %{buildroot}%{_sysconfdir}/reopenldap/slapd.d
+rm -f %{buildroot}%{_sysconfdir}/reopenldap/slapd.conf
+rm -f %{buildroot}%{_sysconfdir}/reopenldap/slapd.ldif
 # move doc files out of _sysconfdir
-mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
-#mv %{buildroot}%{_sysconfdir}/schema %{buildroot}%{_sysconfdir}/openldap
+mv %{buildroot}%{_sysconfdir}/reopenldap/schema/README README.schema
+#mv %{buildroot}%{_sysconfdir}/schema %{buildroot}%{_sysconfdir}/reopenldap
 # remove files which we don't want packaged
 rm -f %{buildroot}%{_libdir}/reopenldap/*.la
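Review bot: `install -m 0700 -d %{buildroot}%{_sysconfdir}/reopenldap/slapd.d` sets a mode that `%files servers` overrides with `%config(noreplace) %dir %attr(0750,ldap,ldap) ...slapd.d` (visible in the `@@ -337,8 +336,8 @@` hunk), so the `-m 0700` here has no effect on the installed package and the two places disagree on whether group `ldap` may traverse the directory; pick one value and state it once, e.g. drop `-m 0700` here and let the `%attr` be the single source of truth. The commented `#mv %{buildroot}%{_sysconfdir}/schema %{buildroot}%{_sysconfdir}/reopenldap` line is dead code that rpm still macro-expands; delete it rather than keep renaming it.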
@@ -249,13 +248,13 @@ exit 0
 %systemd_post slapd.service
 # generate configuration if necessary
-if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \
-  ! -f %{_sysconfdir}/openldap/slapd.conf
+if [[ ! -f %{_sysconfdir}/reopenldap/slapd.d/cn=config.ldif && \
+  ! -f %{_sysconfdir}/reopenldap/slapd.conf
 ]]; then
 # if there is no configuration available, generate one from the defaults
-  mkdir -p %{_sysconfdir}/openldap/slapd.d/ &>/dev/null || :
-  /usr/sbin/slapadd -F %{_sysconfdir}/openldap/slapd.d/ -n0 -l %{_datadir}/reopenldap-servers/slapd.ldif
-  chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d/
+  mkdir -p %{_sysconfdir}/reopenldap/slapd.d/ &>/dev/null || :
+  /usr/sbin/slapadd -F %{_sysconfdir}/reopenldap/slapd.d/ -n0 -l %{_datadir}/reopenldap-servers/slapd.ldif
+  chown -R ldap:ldap %{_sysconfdir}/reopenldap/slapd.d/
   %{systemctl_bin} try-restart slapd.service &>/dev/null
 fi
 start_slapd=0
@@ -326,9 +325,9 @@ exit 0
 %doc README
 %doc README.md
 %doc README.OpenLDAP
-%dir %{_sysconfdir}/openldap
-%dir %{_sysconfdir}/openldap/certs
-%ghost %config(noreplace) %{_sysconfdir}/openldap/ldap.conf
+%dir %{_sysconfdir}/reopenldap
+%dir %{_sysconfdir}/reopenldap/certs
+%ghost %config(noreplace) %{_sysconfdir}/reopenldap/ldap.conf
 %{_libdir}/reopenldap/libreldap*.so*
 %{_libdir}/reopenldap/libreslapi*.so*
 #%{_mandir}/man5/ldif.5*
@@ -337,8 +336,8 @@ exit 0
 %files servers
 %doc contrib/slapd-modules/smbk5pwd/README
 %doc README.schema
-%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d
-%config(noreplace) %{_sysconfdir}/openldap/schema
+%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/reopenldap/slapd.d
+%config(noreplace) %{_sysconfdir}/reopenldap/schema
 %config(noreplace) %{_sysconfdir}/sysconfig/slapd
 %config(noreplace) %{_tmpfilesdir}/slapd.conf
 %dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
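Review bot: In the `@@ -249,13 +248,13 @@` hunk the `%post` scriptlet runs `/usr/sbin/slapadd ... -n0 -l .../slapd.ldif` as root without checking its exit status and then unconditionally `chown -R ldap:ldap`s the directory and restarts the service; a failed or partial import leaves a half-populated `slapd.d` that the `! -f .../cn=config.ldif` guard may no longer detect on the next install, and `mkdir -p ... &>/dev/null || :` discards the one error that would explain it. Gate the follow-up on success, `if /usr/sbin/slapadd -F %{_sysconfdir}/reopenldap/slapd.d/ -n0 -l %{_datadir}/reopenldap-servers/slapd.ldif; then` around the `chown` and `try-restart` lines with a closing `fi`, and let the `mkdir` failure surface rather than masking it. The scriptlet continues past this hunk (`start_slapd=0` onward), so the remainder was not reviewed here.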
@@ -380,14 +379,14 @@ exit 0
 %{_mandir}/ru/man5/*
 %{_mandir}/ru/man8/*
 # obsolete configuration
-%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
-%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf.bak
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/reopenldap/slapd.conf
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/reopenldap/slapd.conf.bak
 %files clients
 %{_bindir}/ldap*
 %{_mandir}/man1/*
 %{_mandir}/ru/man1/*
-%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/reopenldap/slapd.conf
 %files devel
 %{_includedir}/reopenldap/*
From 65c1146c758c5cf7e5dd114098d789904ce1926c Mon Sep 17 00:00:00 2001
From: pechenko <10977752+tnt4brain@users.noreply.github.com>
Date: Thu, 23 Aug 2018 14:05:19 +0300
Subject: [PATCH 10/11] Finally changed "openldap" to "reopenldap" strings
---
 contrib/packaging/CentOS/7/ldap.conf | 4 +--
 contrib/packaging/CentOS/7/libexec-functions | 4 +--
 .../packaging/CentOS/7/libexec-upgrade-db.sh | 2 +-
 contrib/packaging/CentOS/7/reopenldap.spec | 34 ++++++++++---------
 contrib/packaging/CentOS/7/slapd.ldif | 6 ++--
 contrib/packaging/CentOS/7/slapd.sysconfig | 2 ++
 6 files changed, 28 insertions(+), 24 deletions(-)
diff --git a/contrib/packaging/CentOS/7/ldap.conf b/contrib/packaging/CentOS/7/ldap.conf
index d7f0045ad6..9756fb138b 100644
--- a/contrib/packaging/CentOS/7/ldap.conf
+++ b/contrib/packaging/CentOS/7/ldap.conf
@@ -10,8 +10,8 @@
 #TIMELIMIT 15
 #DEREF never
-#TLS_CACERT /etc/openldap/certs/ca.crt
-TLS_CACERTDIR /etc/openldap/certs
+#TLS_CACERT /etc/reopenldap/certs/ca.crt
+TLS_CACERTDIR /etc/reopenldap/certs
 # Turning this off breaks GSSAPI used with krb5 when rdns = false
 SASL_NOCANON on
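Review bot: `TLS_CACERTDIR /etc/reopenldap/certs` in the ldap.conf hunk points clients at a directory the package ships empty (`%dir %{_sysconfdir}/reopenldap/certs` in the spec), and the meaning of that directory depends on the TLS backend libreldap was built against — an OpenSSL build expects hashed PEM files there, an NSS build expects a certificate database — which this page does not make visible (the spec BuildRequires both `openssl-devel` and `nss-devel`, and slapd.ldif uses an NSS-style certificate nickname). Until the directory is populated, clients have no trust anchor and their behaviour is governed by the `TLS_REQCERT` default; state the expected layout in a comment above the directive, e.g. `# Populate with the CA store for the TLS backend slapd was built with (NSS db or hashed PEM dir); clients cannot verify servers until this is done.`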
diff --git a/contrib/packaging/CentOS/7/libexec-functions b/contrib/packaging/CentOS/7/libexec-functions
index 990d2b80ad..68aa8548f5 100644
--- a/contrib/packaging/CentOS/7/libexec-functions
+++ b/contrib/packaging/CentOS/7/libexec-functions
@@ -10,8 +10,8 @@ SLAPD_SYSCONFIG_FILE=
 function default_config() {
   SLAPD_USER=ldap
-  SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
-  SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
+  SLAPD_CONFIG_FILE=/etc/reopenldap/slapd.conf
+  SLAPD_CONFIG_DIR=/etc/reopenldap/slapd.d
   SLAPD_CONFIG_CUSTOM=
   SLAPD_GLOBAL_OPTIONS=
   SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
diff --git a/contrib/packaging/CentOS/7/libexec-upgrade-db.sh b/contrib/packaging/CentOS/7/libexec-upgrade-db.sh
index 1543c80b40..a3bfd828fb 100644
--- a/contrib/packaging/CentOS/7/libexec-upgrade-db.sh
+++ b/contrib/packaging/CentOS/7/libexec-upgrade-db.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # Author: Jan Vcelak
-. /usr/libexec/openldap/functions
+. /usr/libexec/reopenldap/functions
 if [ `id -u` -ne 0 ]; then
 error "You have to be root to run this command."
diff --git a/contrib/packaging/CentOS/7/reopenldap.spec b/contrib/packaging/CentOS/7/reopenldap.spec
index b61f3d73ae..384c830cda 100644
--- a/contrib/packaging/CentOS/7/reopenldap.spec
+++ b/contrib/packaging/CentOS/7/reopenldap.spec
@@ -27,18 +27,19 @@ Requires: rpm, coreutils, nss-tools
 %description
 The fork of OpenLDAP with a few new features (mostly for highload and multi-master clustering), additional bug fixing and code quality improvement.
-%package devel
-Summary: LDAP development libraries and header files
-Group: Development/Libraries
-Requires: %{name}%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa}
-
-%description devel
-The openldap-devel package includes the development libraries and
-header files needed for compiling applications that use LDAP
-(Lightweight Directory Access Protocol) internals. LDAP is a set of
-protocols for enabling directory services over the Internet. Install
-this package only if you plan to develop or will need to compile
-customized LDAP clients.
+# Disabled due to request: https://github.com/leo-yuriev/ReOpenLDAP/pull/145#issuecomment-358626660
+#%package devel
+#Summary: LDAP development libraries and header files
+#Group: Development/Libraries
+#Requires: %{name}%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa}
+#
+#%description devel
+#The openldap-devel package includes the development libraries and
+#header files needed for compiling applications that use LDAP
+#(Lightweight Directory Access Protocol) internals. LDAP is a set of
+#protocols for enabling directory services over the Internet. Install
+#this package only if you plan to develop or will need to compile
+#customized LDAP clients.
 %package servers
 Summary: LDAP server
@@ -327,7 +328,7 @@ exit 0
 %doc README.OpenLDAP
 %dir %{_sysconfdir}/reopenldap
 %dir %{_sysconfdir}/reopenldap/certs
-%ghost %config(noreplace) %{_sysconfdir}/reopenldap/ldap.conf
+%config(noreplace) %{_sysconfdir}/reopenldap/ldap.conf
 %{_libdir}/reopenldap/libreldap*.so*
 %{_libdir}/reopenldap/libreslapi*.so*
 #%{_mandir}/man5/ldif.5*
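Review bot: Commenting out the thirteen `devel` lines with a leading `#` in the `@@ -27,18 +27,19 @@` hunk is fragile: rpm keeps expanding macros inside comments, so `%{name}%{?_isa}` and `%{version}-%{release}` are still evaluated, `#%package devel` is one stray edit away from becoming a section header again, and the block cannot be re-enabled without re-editing every line. Express the switch as a build conditional instead — `%bcond_with devel` near the top, then `%if %{with devel}` ... `%endif` around `%package devel`/`%description devel` here, around `%files devel` in the `@@ -388,9 +389,10 @@` hunk of this patch, and around the `rm -f` of the headers and man3 pages that patch 11 adds — so all three places are controlled by one flag and cannot drift apart. The `@@ -327,7 +328,7 @@` hunk correctly drops `%ghost` from `ldap.conf`, which had excluded the customized file from the payload.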
@@ -388,9 +389,10 @@ exit 0
 %{_mandir}/ru/man1/*
 %ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/reopenldap/slapd.conf
-%files devel
-%{_includedir}/reopenldap/*
-%{_mandir}/man3/*
+# https://github.com/leo-yuriev/ReOpenLDAP/pull/145#issuecomment-358626660
+#%files devel
+#%{_includedir}/reopenldap/*
+#%{_mandir}/man3/*
 %changelog
diff --git a/contrib/packaging/CentOS/7/slapd.ldif b/contrib/packaging/CentOS/7/slapd.ldif
index ef59896d4a..85b293b06a 100644
--- a/contrib/packaging/CentOS/7/slapd.ldif
+++ b/contrib/packaging/CentOS/7/slapd.ldif
@@ -10,9 +10,9 @@ olcArgsFile: /run/reopenldap/slapd.args
 olcPidFile: /run/reopenldap/slapd.pid
 olcLogLevel: stats
 # TLS settings
-olcTLSCACertificatePath: /etc/openldap/certs
+olcTLSCACertificatePath: /etc/reopenldap/certs
 olcTLSCertificateFile: "ReOpenLDAP Server"
-olcTLSCertificateKeyFile: /etc/openldap/certs/password
+olcTLSCertificateKeyFile: /etc/reopenldap/certs/password
 #
 # Do not enable referrals until AFTER you have a working directory
@@ -80,7 +80,7 @@ dn: cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: schema
-include: file:///etc/openldap/schema/core.ldif
+include: file:///etc/reopenldap/schema/core.ldif
 #
 # Frontend settings
diff --git a/contrib/packaging/CentOS/7/slapd.sysconfig b/contrib/packaging/CentOS/7/slapd.sysconfig
index cdeb83f7b4..9250069259 100644
--- a/contrib/packaging/CentOS/7/slapd.sysconfig
+++ b/contrib/packaging/CentOS/7/slapd.sysconfig
@@ -10,6 +10,8 @@ SLAPD_URLS="ldapi://%2Fvar%2Frun%2Fldapi ldap:///"
 # Any custom options
 #SLAPD_OPTIONS=""
+# Example of slpad.d-based configuration
+#SLAPD_OPTIONS="-F /etc/reopenldap/slapd.d"
 # Keytab location for GSSAPI Kerberos authentication
 #KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
From 88ed1b33eb621e0a1e3e85ba7091519a971c8ee9 Mon Sep 17 00:00:00 2001
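Review bot: The new comment in the slapd.sysconfig hunk reads `slpad.d` (typo for `slapd.d`), and the context line right below it still says `#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"` even though this commit's purpose is to move every path to `reopenldap`; the two lines should read `# Example of slapd.d-based configuration` and `#KRB5_KTNAME="FILE:/etc/reopenldap/ldap.keytab"` so the hint matches the `--sysconfdir` the package is built with. In the slapd.ldif hunk, `olcTLSCertificateKeyFile: /etc/reopenldap/certs/password` names an NSS token password file that the package neither creates nor owns, so nothing enforces its permissions; either list it as `%ghost %attr(0600,ldap,ldap) %{_sysconfdir}/reopenldap/certs/password` in `%files servers` or say in README.md that the administrator must create it mode 0600 owned by `ldap`.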
From: pechenko <10977752+tnt4brain@users.noreply.github.com>
Date: Thu, 23 Aug 2018 14:24:53 +0300
Subject: [PATCH 11/11] Removed "devel" package
---
 contrib/packaging/CentOS/7/reopenldap.spec | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/contrib/packaging/CentOS/7/reopenldap.spec b/contrib/packaging/CentOS/7/reopenldap.spec
index 384c830cda..29f2413a87 100644
--- a/contrib/packaging/CentOS/7/reopenldap.spec
+++ b/contrib/packaging/CentOS/7/reopenldap.spec
@@ -220,6 +220,12 @@ rm -f %{buildroot}%{_libdir}/reopenldap/*.la
 rm -f %{buildroot}%{_mandir}/man5/ldif.5*
 rm -f %{buildroot}%{_mandir}/man5/ldap.conf.5*
+# Disabled due to request: https://github.com/leo-yuriev/ReOpenLDAP/pull/145#issuecomment-358626660
+# devel
+rm -f %{buildroot}%{_includedir}/reopenldap/*
+rm -f %{buildroot}%{_mandir}/man3/*
+
+
 %clean
 rm -rf %{buildroot}