simplify package even more by removing certificate generation
Creating self-signed certificates for localhost is pointless. If anyone uses TLS, they probably have their own. Testers can generate their own as well; the package doesn't have to be plagued by scripts just because of that.
parent
72da77adb6
commit
b730f13ce0
@ -1,70 +0,0 @@
|
||||
#!/bin/bash
|
||||
# Author: Jan Vcelak <jvcelak@redhat.com>
|
||||
|
||||
set -e
|
||||
|
||||
# default options
|
||||
|
||||
CERTDB_DIR=/etc/openldap/certs
|
||||
|
||||
# internals
|
||||
|
||||
MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
|
||||
RANDOM_SOURCE=/dev/urandom
|
||||
PASSWORD_BYTES=32
|
||||
|
||||
# parse arguments
|
||||
|
||||
usage() {
|
||||
printf "usage: create-certdb.sh [-d certdb]\n" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
while getopts "d:" opt; do
|
||||
case "$opt" in
|
||||
d)
|
||||
CERTDB_DIR="$OPTARG"
|
||||
;;
|
||||
\?)
|
||||
usage
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
[ "$OPTIND" -le "$#" ] && usage
|
||||
|
||||
# verify target location
|
||||
|
||||
if [ ! -d "$CERTDB_DIR" ]; then
|
||||
printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
|
||||
printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# create the database
|
||||
|
||||
printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
|
||||
|
||||
PASSWORD_FILE="$CERTDB_DIR/password"
|
||||
OLD_UMASK="$(umask)"
|
||||
umask 0377
|
||||
dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
|
||||
umask "$OLD_UMASK"
|
||||
|
||||
certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
|
||||
|
||||
# load module with builtin CA certificates
|
||||
|
||||
echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
|
||||
|
||||
# tune permissions
|
||||
|
||||
for dbfile in "$CERTDB_DIR"/*.db; do
|
||||
chmod 0644 "$dbfile"
|
||||
done
|
||||
|
||||
exit 0
|
@ -1,118 +0,0 @@
|
||||
#!/bin/bash
|
||||
# Author: Jan Vcelak <jvcelak@redhat.com>
|
||||
|
||||
set -e
|
||||
|
||||
# default options
|
||||
|
||||
CERTDB_DIR=/etc/openldap/certs
|
||||
CERT_NAME="OpenLDAP Server"
|
||||
PASSWORD_FILE=
|
||||
HOSTNAME_FQDN="$(hostname --fqdn)"
|
||||
ALT_NAMES=
|
||||
ONCE=0
|
||||
|
||||
# internals
|
||||
|
||||
RANDOM_SOURCE=/dev/urandom
|
||||
CERT_RANDOM_BYTES=256
|
||||
CERT_KEY_TYPE=rsa
|
||||
CERT_KEY_SIZE=1024
|
||||
CERT_VALID_MONTHS=12
|
||||
|
||||
# parse arguments
|
||||
|
||||
usage() {
|
||||
printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
|
||||
printf " [-p password-file] [-h hostnames]\n" >&2
|
||||
printf " [-a dns-alt-names] [-o]\n" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
while getopts "d:n:p:h:a:o" opt; do
|
||||
case "$opt" in
|
||||
d)
|
||||
CERTDB_DIR="$OPTARG"
|
||||
;;
|
||||
n)
|
||||
CERT_NAME="$OPTARG"
|
||||
;;
|
||||
p)
|
||||
PASSWORD_FILE="$OPTARG"
|
||||
;;
|
||||
h)
|
||||
HOSTNAME_FQDN="$OPTARG"
|
||||
;;
|
||||
a)
|
||||
ALT_NAMES="$OPTARG"
|
||||
;;
|
||||
o)
|
||||
ONCE=1
|
||||
;;
|
||||
\?)
|
||||
usage
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
[ "$OPTIND" -le "$#" ] && usage
|
||||
|
||||
# generated options
|
||||
|
||||
ONCE_FILE="$CERTDB_DIR/.slapd-leave"
|
||||
PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
|
||||
ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
|
||||
|
||||
# verify target location
|
||||
|
||||
if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
|
||||
printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
|
||||
printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
|
||||
|
||||
if [ ! -r "$PASSWORD_FILE" ]; then
|
||||
printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
|
||||
printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# generate server certificate (self signed)
|
||||
|
||||
|
||||
CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
|
||||
dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
|
||||
|
||||
certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
|
||||
-S -x -n "$CERT_NAME" \
|
||||
-s "CN=$HOSTNAME_FQDN" \
|
||||
-t TC,, \
|
||||
-k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
|
||||
-v $CERT_VALID_MONTHS \
|
||||
-8 "$ALT_NAMES" \
|
||||
&>/dev/null
|
||||
|
||||
rm -f $CERT_RANDOM
|
||||
|
||||
# tune permissions
|
||||
|
||||
if [ "$(id -u)" -eq 0 ]; then
|
||||
chgrp ldap "$PASSWORD_FILE"
|
||||
chmod g+r "$PASSWORD_FILE"
|
||||
else
|
||||
printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
|
||||
printf " load it's private key from the certificate database.\n" >&2
|
||||
fi
|
||||
|
||||
touch "$ONCE_FILE"
|
||||
exit 0
|
@ -18,8 +18,6 @@ Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.
|
||||
Source50: libexec-functions
|
||||
Source52: libexec-check-config.sh
|
||||
Source53: libexec-upgrade-db.sh
|
||||
Source54: libexec-create-certdb.sh
|
||||
Source55: libexec-generate-server-cert.sh
|
||||
|
||||
# patches for 2.4
|
||||
Patch0: openldap-manpages.patch
|
||||
@ -248,8 +246,6 @@ install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
|
||||
install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
|
||||
install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
|
||||
install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
|
||||
install -m 0755 %SOURCE54 %{buildroot}%{_libexecdir}/openldap/create-certdb.sh
|
||||
install -m 0755 %SOURCE55 %{buildroot}%{_libexecdir}/openldap/generate-server-cert.sh
|
||||
|
||||
# remove build root from config files and manual pages
|
||||
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
|
||||
@ -342,9 +338,6 @@ exit 0
|
||||
/sbin/ldconfig
|
||||
%systemd_post slapd.service
|
||||
|
||||
# generate sample TLS certificate for server (will not replace)
|
||||
%{_libexecdir}/openldap/generate-server-cert.sh -o &>/dev/null || :
|
||||
|
||||
# generate configuration if necessary
|
||||
if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \
|
||||
! -f %{_sysconfdir}/openldap/slapd.conf
|
||||
@ -437,7 +430,6 @@ exit 0
|
||||
%dir %{_sysconfdir}/openldap/certs
|
||||
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
|
||||
%dir %{_libexecdir}/openldap/
|
||||
%{_libexecdir}/openldap/create-certdb.sh
|
||||
%{_libdir}/liblber-2.4*.so.*
|
||||
%{_libdir}/libldap-2.4*.so.*
|
||||
%{_libdir}/libldap_r-2.4*.so.*
|
||||
@ -495,7 +487,6 @@ exit 0
|
||||
%{_libexecdir}/openldap/functions
|
||||
%{_libexecdir}/openldap/check-config.sh
|
||||
%{_libexecdir}/openldap/upgrade-db.sh
|
||||
%{_libexecdir}/openldap/generate-server-cert.sh
|
||||
%{_sbindir}/sl*
|
||||
%{_mandir}/man8/*
|
||||
%{_mandir}/man5/slapd*.5*
|
||||
@ -517,6 +508,7 @@ exit 0
|
||||
%changelog
|
||||
* Tue Jan 27 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-8
|
||||
- link against openssl by default
|
||||
- simplify package even more by removing certificate generation
|
||||
|
||||
* Mon Jan 26 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-7
|
||||
- remove tmpfiles config since it's no longer needed
|
||||
|
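Review bot: The `%dir %{_sysconfdir}/openldap/certs` entry in the `%files` hunk (`@ -437,7 +430,6 @@`) is kept while both scripts that populated it, create-certdb.sh and generate-server-cert.sh, are removed from Sources, install and `%files`, so the directory presumably ships empty now unless something outside these hunks still initializes an NSS database there. If that is the intent, the changelog entry could state it, e.g. `- simplify package even more by removing certificate generation; %{_sysconfdir}/openldap/certs is now left for the administrator to populate`. On upgrades, a password file, *.db files and the .slapd-leave marker created by the old `%post` run are not listed in `%files` and so remain in place; a one-line changelog note that these leftovers are not cleaned up would save admins some confusion.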