d8aedf8bed
- Modify the -config.patch, ldap.init, and this spec file to put the
pid file and args file in an ldap-owned openldap subdirectory under
/var/run.
- Move back_sql* out of %{_sbindir}/openldap , which requires
hand-moving slapd and slurpd to _sbindir, and recreating symlinks
by hand.
- Retire openldap-2.3.11-ads.patch, which went upstream.
- Update the ldap.init script to run slaptest as the ldap user rather
than as root. This solves
bz#150172 Startup failure after database problem
- Add to the servers post and preun scriptlets so that on preun, the
database is slapcatted to /var/lib/ldap/upgrade.ldif and the
database files are saved to /var/lib/ldap/rpmorig. On post, if
/var/lib/ldap/upgrade.ldif exists, it is slapadded. This means that
on upgrades from 2.3.16-2 to higher versions, the database files may
be automatically upgraded. Unfortunatly, because of the changes to
the preun scriptlet, users have to do the slapcat, etc by hand when
upgrading to 2.3.16-2. Also note that the /var/lib/ldap/rpmorig
files need to be removed by hand because automatically removing your
emergency fallback files is a bad idea.
- Upgrade internal bdb to db-4.4.20. For a clean upgrade, this will
require that users slapcat their databases into a temp file, move
/var/lib/ldap someplace safe, upgrade the openldap rpms, then
slapadd the temp file.
232 lines
5.7 KiB
Bash
232 lines
5.7 KiB
Bash
#!/bin/bash
|
|
#
|
|
# ldap This shell script takes care of starting and stopping
|
|
# ldap servers (slapd and slurpd).
|
|
#
|
|
# chkconfig: - 27 73
|
|
# description: LDAP stands for Lightweight Directory Access Protocol, used \
|
|
# for implementing the industry standard directory services.
|
|
# processname: slapd
|
|
# config: /etc/openldap/slapd.conf
|
|
# pidfile: /var/run/openldap/slapd.pid
|
|
|
|
# Source function library.
|
|
. /etc/init.d/functions
|
|
|
|
# Source networking configuration and check that networking is up.
|
|
if [ -r /etc/sysconfig/network ] ; then
|
|
. /etc/sysconfig/network
|
|
[ ${NETWORKING} = "no" ] && exit 0
|
|
fi
|
|
|
|
# Source an auxiliary options file if we have one, and pick up OPTIONS,
|
|
# SLAPD_OPTIONS, SLURPD_OPTIONS, SLAPD_LDAPS, SLAPD_LDAPI, and maybe
|
|
# KRB5_KTNAME.
|
|
if [ -r /etc/sysconfig/ldap ] ; then
|
|
. /etc/sysconfig/ldap
|
|
fi
|
|
|
|
slapd=/usr/sbin/slapd
|
|
slurpd=/usr/sbin/slurpd
|
|
slaptest=/usr/sbin/slaptest
|
|
[ -x ${slapd} ] || exit 0
|
|
[ -x ${slurpd} ] || exit 0
|
|
|
|
RETVAL=0
|
|
|
|
#
|
|
# Pass commands given in $2 and later to "test" run as user given in $1.
|
|
#
|
|
function testasuser() {
|
|
local user= cmd=
|
|
user="$1"
|
|
shift
|
|
cmd="$@"
|
|
if test x"$user" != x ; then
|
|
if test x"$cmd" != x ; then
|
|
/sbin/runuser -f -m -s /bin/sh -c "test $cmd" -- "$user"
|
|
else
|
|
false
|
|
fi
|
|
else
|
|
false
|
|
fi
|
|
}
|
|
|
|
#
|
|
# Check for read-access errors for the user given in $1 for a service named $2.
|
|
# If $3 is specified, the command is run if "klist" can't be found.
|
|
#
|
|
function checkkeytab() {
|
|
local user= service= klist= default=
|
|
user="$1"
|
|
service="$2"
|
|
default="${3:-false}"
|
|
if test -x /usr/kerberos/bin/klist ; then
|
|
klist=/usr/kerberos/bin/klist
|
|
elif test -x /usr/bin/klist ; then
|
|
klist=/usr/bin/klist
|
|
fi
|
|
KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"
|
|
export KRB5_KTNAME
|
|
if test -s "$KRB5_KTNAME" ; then
|
|
if test x"$klist" != x ; then
|
|
if LANG=C $klist -k "$KRB5_KTNAME" | tail -n 4 | awk '{print $2}' | grep -q ^"$service"/ ; then
|
|
if ! testasuser "$user" -r ${KRB5_KTNAME:-/etc/krb5.keytab} ; then
|
|
true
|
|
else
|
|
false
|
|
fi
|
|
else
|
|
false
|
|
fi
|
|
else
|
|
$default
|
|
fi
|
|
else
|
|
false
|
|
fi
|
|
}
|
|
|
|
function configtest() {
|
|
local user= ldapuid= dbdir= file=
|
|
# Check for simple-but-common errors.
|
|
user=ldap
|
|
prog=`basename ${slapd}`
|
|
ldapuid=`id -u $user`
|
|
# Unaccessible database files.
|
|
slaptestflags=
|
|
for dbdir in `LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' /etc/openldap/slapd.conf | sed s,^directory,,` ; do
|
|
for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" \)` ; do
|
|
echo -n $"$file is not owned by \"$user\"" ; warning ; echo
|
|
done
|
|
if ! test -s ${dbdir}/id2entry.dbb ; then
|
|
if ! test -s ${dbdir}/id2entry.gdbm ; then
|
|
if ! test -s ${dbdir}/id2entry.bdb ; then
|
|
slaptestflags=-u
|
|
fi
|
|
fi
|
|
fi
|
|
done
|
|
# Unaccessible keytab with an "ldap" key.
|
|
if checkkeytab $user ldap ; then
|
|
file=${KRB5_KTNAME:-/etc/krb5.keytab}
|
|
echo -n $"$file is not readable by \"$user\"" ; warning ; echo
|
|
fi
|
|
# Unaccessible TLS configuration files.
|
|
tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]' /etc/openldap/slapd.conf | awk '{print $2}'`
|
|
for file in $tlsconfigs ; do
|
|
if ! testasuser $user -r $file ; then
|
|
echo -n $"$file is not readable by \"$user\"" ; warning ; echo
|
|
fi
|
|
done
|
|
# Check the configuration file.
|
|
if ! action $"Checking configuration files for $prog: " /sbin/runuser -f -m -s /bin/sh -c "$slaptest $slaptestflags" -- "$user" ; then
|
|
if /sbin/runuser -f -m -s /bin/sh -c "$slaptest -u" -- "$user" > /dev/null 2> /dev/null ; then
|
|
dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' /etc/openldap/slapd.conf | awk '{print $2}'`
|
|
for directory in $dirs ; do
|
|
if test -r $directory/__db.001 ; then
|
|
echo -n $"stale lock files may be present in $directory" ; warning ; echo
|
|
fi
|
|
done
|
|
fi
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
function start() {
|
|
configtest
|
|
# Define a couple of local variables which we'll need. Maybe.
|
|
user=ldap
|
|
prog=`basename ${slapd}`
|
|
# Build a wrapper script to exec slapd with the right arguments, to
|
|
# avoid being tripped out by changes or weirdness in how daemon()
|
|
# handles quoted arguments.
|
|
wrapper=`mktemp ${TMP:-/tmp}/start-slapd.XXXXXX`
|
|
harg="ldap:///"
|
|
if grep -q ^TLS /etc/openldap/slapd.conf || test x$SLAPD_LDAPS = xyes ; then
|
|
harg="$harg ldaps:///"
|
|
fi
|
|
if test x$SLAPD_LDAPI = xyes ; then
|
|
harg="$harg ldapi:///"
|
|
fi
|
|
if test -z "$wrapper" ; then
|
|
return 1
|
|
fi
|
|
cat >> $wrapper <<- EOF
|
|
exec ${slapd} -h "$harg" -u ${user} $OPTIONS $SLAPD_OPTIONS
|
|
EOF
|
|
chmod u+x $wrapper
|
|
trap "rm -f $wrapper" EXIT
|
|
# Start daemons.
|
|
echo -n $"Starting $prog: "
|
|
daemon --check=$prog $wrapper
|
|
RETVAL=$?
|
|
echo
|
|
if [ $RETVAL -eq 0 ]; then
|
|
if grep -q "^replogfile" /etc/openldap/slapd.conf; then
|
|
prog=`basename ${slurpd}`
|
|
echo -n $"Starting $prog: "
|
|
daemon ${slurpd} $OPTIONS $SLURPD_OPTIONS
|
|
RETVAL=$?
|
|
echo
|
|
fi
|
|
fi
|
|
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/ldap
|
|
return $RETVAL
|
|
}
|
|
|
|
function stop() {
|
|
# Stop daemons.
|
|
prog=`basename ${slapd}`
|
|
echo -n $"Stopping $prog: "
|
|
killproc ${slapd}
|
|
RETVAL=$?
|
|
echo
|
|
if [ $RETVAL -eq 0 ]; then
|
|
if grep -q "^replogfile" /etc/openldap/slapd.conf; then
|
|
prog=`basename ${slurpd}`
|
|
echo -n $"Stopping $prog: "
|
|
killproc ${slurpd}
|
|
RETVAL=$?
|
|
echo
|
|
fi
|
|
fi
|
|
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/ldap /var/run/slapd.args
|
|
return $RETVAL
|
|
}
|
|
|
|
# See how we were called.
|
|
case "$1" in
|
|
configtest)
|
|
configtest
|
|
;;
|
|
start)
|
|
start
|
|
;;
|
|
stop)
|
|
stop
|
|
;;
|
|
status)
|
|
status ${slapd}
|
|
if grep -q "^replogfile" /etc/openldap/slapd.conf ; then
|
|
status ${slurpd}
|
|
fi
|
|
;;
|
|
restart)
|
|
stop
|
|
start
|
|
;;
|
|
condrestart)
|
|
if [ -f /var/lock/subsys/ldap ] ; then
|
|
stop
|
|
start
|
|
fi
|
|
;;
|
|
*)
|
|
echo $"Usage: $0 {start|stop|restart|status|condrestart}"
|
|
RETVAL=1
|
|
esac
|
|
|
|
exit $RETVAL
|