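#!/bin/bash
#
# Prepare a freshly started slapd instance (its tree lives in
# chroot-${rg_ldap_ns}, its local socket is ldapi://ldapi-${rg_ldap_ns}.sock)
# as one node of an N-way multi-master test setup:
#   1. point the {2}mdb database at the chroot's data directory,
#   2. install CA cert, server cert and key and enable TLS,
#   3. load the cosine/nis/inetorgperson schemas and the syncprov, memberof
#      and refint overlays,
#   4. set olcRootPW and, when rg_ldap_producer_url is given, configure this
#      node as a syncrepl consumer (mirror mode) of that producer,
#   5. unless rg_ldap_add_data is "0", load the test directory content.
# "chroot-${rg_ldap_ns}/prep.done" is created only once preparation finished.
#
# Required environment:
#   rg_ldap_ns, rg_ldap_addr, rg_ldap_port, rg_ldap_server_id, rg_ldap_pass
# Optional environment:
#   rg_ldap_producer_url, rg_ldap_producer_rid  (consumer configuration)
#   rg_ldap_add_data                            ("0" skips the test data)
#   rg_ldap_user_key, rg_ldap_user_pass         (needed when test data is loaded)

# All or nothing: any failing step (including a failing client inside the
# `cat | ldap*` pipes) aborts the script, so prep.done is never written for a
# half-configured node. -u turns a missing rg_* variable into an error instead
# of silently producing entries like "uid=user1-".
set -euo pipefail

: "${rg_ldap_ns:?rg_ldap_ns must be set}"
: "${rg_ldap_addr:?rg_ldap_addr must be set}"
: "${rg_ldap_port:?rg_ldap_port must be set}"
: "${rg_ldap_server_id:?rg_ldap_server_id must be set}"
: "${rg_ldap_pass:?rg_ldap_pass must be set}"

readonly chroot_dir="chroot-${rg_ldap_ns}"
readonly ldapi_url="ldapi://ldapi-${rg_ldap_ns}.sock"
readonly manager_dn="cn=Manager,dc=my-domain,dc=com"

# The root password is handed to the client tools through a 0600 temp file
# (-y / -T) instead of on the command line (-w), so it does not show up in
# `ps`, /proc/*/cmdline or an `set -x` trace. printf '%s' avoids a trailing
# newline, which -y would otherwise treat as part of the password.
pwfile="$(mktemp)"
trap 'rm -f -- "${pwfile}"' EXIT
printf '%s' "${rg_ldap_pass}" > "${pwfile}"

# Apply LDIF from stdin to cn=config over the local ldapi socket, authenticated
# as the local root user via SASL EXTERNAL (no password involved).
cfg_add() {
  ldapadd -Y EXTERNAL -H "${ldapi_url}"
}
cfg_modify() {
  ldapmodify -Y EXTERNAL -H "${ldapi_url}"
}

# Wait till the server answers: up to 40 anonymous base-scope probes, 0.5 s
# apart (~20 s). Give up explicitly instead of falling through into the
# configuration steps against a server that is not up.
echo "=== Waiting for slapd on ${rg_ldap_addr}:${rg_ldap_port}..."
tries=0
until ldapsearch -x -P3 -s base -H "ldap://${rg_ldap_addr}:${rg_ldap_port}" &>/dev/null; do
  tries=$((tries + 1))
  if (( tries >= 40 )); then
    echo "slapd at ${rg_ldap_addr}:${rg_ldap_port} did not answer after ${tries} attempts" >&2
    exit 1
  fi
  sleep .5
done

echo "=== Set path to the database..."
# NOTE(review): this path is relative (resolved against slapd's cwd) while the
# TLS paths below are made absolute with ${PWD}; kept as in the original,
# confirm slapd's working directory matches.
cfg_add <<EOF
dn: olcDatabase={2}mdb,cn=config
changeType: modify
replace: olcDbDirectory
olcDbDirectory: ${chroot_dir}/var/lib/ldap
EOF

# Seems this is not allowed (olcLogFile cannot be replaced on the database
# entry this way); kept for reference.
#echo "=== Set log file..."
#cfg_add <<EOF
#dn: olcDatabase={2}mdb,cn=config
#changeType: modify
#replace: olcLogFile
#olcLogFile: ${chroot_dir}/var/lib/ldap/slapd.log
#EOF

echo "=== Copying certificates and keys..."
ssl_dir="${chroot_dir}/etc/ssl"
openldap_dir="${chroot_dir}/etc/openldap"
mkdir -p "${ssl_dir}/certs" "${openldap_dir}"
cp ../ca/ldap/certs/cacert.pem "${ssl_dir}/certs/"
cp ../ca/ldap/certs/localhost.pem "${openldap_dir}/"
# cp does not tighten permissions: the copied private key ends up with the
# source file's mode (minus umask). It must stay readable only by the account
# slapd runs as -- check ../ca/ldap/private/localhost.key is 0600.
cp ../ca/ldap/private/localhost.key "${openldap_dir}/"

echo "=== Changing ServerID..."
cfg_modify <<EOF
dn: cn=config
changeType: modify
replace: olcServerID
olcServerID: ${rg_ldap_server_id}
EOF

echo "=== Loading schemas..."
for schema in cosine nis inetorgperson; do
  ldapadd -Y EXTERNAL -H "${ldapi_url}" -f "/etc/openldap/schema/${schema}.ldif"
done

echo "=== Enabling TLS..."
# One modify operation so CA, key and certificate are checked together.
cfg_modify <<EOF
dn: cn=config
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: ${PWD}/${chroot_dir}/etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: ${PWD}/${chroot_dir}/etc/openldap/localhost.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: ${PWD}/${chroot_dir}/etc/openldap/localhost.pem
EOF

# http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master
echo "=== Adding syncrepl module and overlay..."
cfg_add <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: syncprov

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: syncprov
EOF

echo "=== Adding memberOf module and overlay..."
cfg_add <<EOF
dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
objectclass: top
olcmoduleload: memberof

dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
EOF

echo "=== Adding refInt module and overlay..."
cfg_add <<EOF
dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
objectclass: top
olcmoduleload: refint

dn: olcOverlay=refint,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof member manager owner
EOF

echo "=== Setting rootpw..."
# Store a salted hash instead of the cleartext password in cn=config when
# slappasswd is available (it reads the secret from the file, not from argv).
# Simple binds with the cleartext password -- the data load below and the
# consumer's replication bind -- still verify against the hash. Without
# slappasswd we fall back to the original cleartext behaviour.
if command -v slappasswd >/dev/null 2>&1; then
  rootpw="$(slappasswd -T "${pwfile}")"
else
  rootpw="${rg_ldap_pass}"
fi
cfg_modify <<EOF
dn: olcDatabase={2}mdb,cn=config
replace: olcRootPW
olcRootPW: ${rootpw}
EOF

if [ -n "${rg_ldap_producer_url:-}" ]; then
  : "${rg_ldap_producer_rid:?rg_ldap_producer_rid must be set when rg_ldap_producer_url is}"
  echo "=== We are consumer for ${rg_ldap_producer_url}!"
  # NOTE(review): the replication bind is a simple bind as the root DN, so
  # 'credentials=' necessarily sits in cleartext in cn=config, and the password
  # crosses the wire unprotected unless rg_ldap_producer_url is ldaps:// or a
  # starttls=critical option is added here -- confirm what the URL carries.
  # The olcLimits entry lifts size/time limits for the replication identity.
  cfg_modify <<EOF
dn: olcDatabase={2}mdb,cn=config
changeType: modify
add: olcLimits
olcLimits: dn.exact="${manager_dn}" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
add: olcSyncRepl
olcSyncRepl: rid=${rg_ldap_producer_rid} provider=${rg_ldap_producer_url} binddn="${manager_dn}" bindmethod=simple credentials=${rg_ldap_pass} searchbase="dc=my-domain,dc=com" type=refreshAndPersist retry="5 5 300 5" timeout=3
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
fi

if [ "${rg_ldap_add_data:-}" = "0" ]; then
  # Signal that preparation is ready (no test data requested).
  touch "${chroot_dir}/prep.done"
  exit 0
fi

: "${rg_ldap_user_key:?rg_ldap_user_key must be set when test data is loaded}"
: "${rg_ldap_user_pass:?rg_ldap_user_pass must be set when test data is loaded}"

echo "=== Loading test data..."
# Authenticated as the root DN with the password from the temp file (-y).
# The "uid=invalid*" members are deliberately dangling; they exercise the
# refint/memberOf overlays.
ldapadd -x -y "${pwfile}" -D "${manager_dn}" -H "${ldapi_url}" <<EOF
dn: dc=my-domain,dc=com
objectClass: top
objectClass: domain
dc: my-domain

dn: ${manager_dn}
objectClass: organizationalRole
cn: Manager

dn: ou=People,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: Group

dn: cn=posix_group1,ou=Group,dc=my-domain,dc=com
cn: posix_group1
objectClass: top
objectClass: posixGroup
gidNumber: 100000

dn: cn=posix_group2,ou=Group,dc=my-domain,dc=com
cn: posix_group2
objectClass: top
objectClass: posixGroup
gidNumber: 100001

dn: uid=user1-${rg_ldap_user_key},ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
uid: user1-${rg_ldap_user_key}
userPassword: ${rg_ldap_user_pass}
sn: surname-user1-${rg_ldap_user_key}
gn: givenname-user1-${rg_ldap_user_key}
cn: User1 ${rg_ldap_user_key}
uidNumber: 100000
gidNumber: 100000
mail: user1-${rg_ldap_user_key}@my-domain.com
mail: user1-${rg_ldap_user_key}-backup@my-domain.com
homeDirectory: /home/user1-${rg_ldap_user_key}
description: This is a description of user user1

dn: uid=user2-${rg_ldap_user_key}-uid,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
uid: user2-${rg_ldap_user_key}-uid
userPassword: ${rg_ldap_user_pass}
sn: surname-user2-${rg_ldap_user_key}
gn: givenname-user2-${rg_ldap_user_key}
cn: User2 ${rg_ldap_user_key}
uidNumber: 100001
gidNumber: 100001
mail: user2-${rg_ldap_user_key}@my-domain.com
mail: user2-${rg_ldap_user_key}-backup@my-domain.com
homeDirectory: /home/user2-${rg_ldap_user_key}
description: user2-${rg_ldap_user_key}

dn: uid=user3-${rg_ldap_user_key},ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: inetOrgPerson
uid: user3-${rg_ldap_user_key}
userPassword: ${rg_ldap_user_pass}
sn: surname-user3-${rg_ldap_user_key}
cn: User3 ${rg_ldap_user_key}
mail: user3-${rg_ldap_user_key}@my-domain.com
mail: user3-${rg_ldap_user_key}-backup@my-domain.com

dn: uid=user4-${rg_ldap_user_key},ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: inetOrgPerson
uid: user4-${rg_ldap_user_key}
userPassword: ${rg_ldap_user_pass}
sn: surname-user4-${rg_ldap_user_key}
gn: givenname-user4-${rg_ldap_user_key}
cn: User4 ${rg_ldap_user_key}
mail: user4-${rg_ldap_user_key}@my-domain.com
mail: user4-${rg_ldap_user_key}-backup@my-domain.com

# groupOfNames must be created after creating the users, else 'memberOf' will not be set
dn: cn=group1,ou=Group,dc=my-domain,dc=com
objectClass: top
objectClass: groupOfNames
cn: group1
member: uid=user1-${rg_ldap_user_key},ou=People,dc=my-domain,dc=com
member: uid=user2-${rg_ldap_user_key}-uid,ou=People,dc=my-domain,dc=com
member: uid=invalid,ou=People,dc=my-domain,dc=com

dn: cn=group_unique,ou=Group,dc=my-domain,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: group_unique
uniqueMember: uid=user2-${rg_ldap_user_key}-uid,ou=People,dc=my-domain,dc=com
uniqueMember: uid=invalid2,ou=People,dc=my-domain,dc=com

dn: cn=Admins,ou=Group,dc=my-domain,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admins
member: uid=user1-${rg_ldap_user_key},ou=People,dc=my-domain,dc=com
EOF

# Signal that preparation is ready
touch "${chroot_dir}/prep.done"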