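FDS Folks, Another automated script from me. Gary

#! /bin/sh
#
# rebuild_fds.sh - ReBuild Fedora Directory Server
#
# Gary Tay
#
# NOTE: This script will rebuild a FDS Server compatible with BOTH
#       RedHat and Solaris LDAP Clients
#
# 1) Make sure 'root' is used to run this script
# 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
#
# Review notes on this version:
#  - The Directory Manager password is handed to ldapmodify with -j <file>
#    instead of -w `cat <file>`, so it no longer appears in the process
#    list (ps) or in the trace output when 'set -vx' is enabled.
#  - The generated LDIF files live in a private mktemp directory (mode 700)
#    instead of fixed names under /tmp, and are removed on exit; the People
#    LDIF carries password hashes.
#  - Every expansion is quoted and the FDS instance directory is checked
#    before slapd is restarted.
#  - ldapmodify is not treated as fatal: on a re-run, values that already
#    exist make it report "Type or value exists" (see the sample run) and
#    the script is meant to carry on.
#
#set -vx

IS_ROOT_UID=$(id | grep "uid=0(root)")
if [ -z "$IS_ROOT_UID" ]; then
  echo "Please run this script as root" >&2
  exit 1
fi

# Password of cn=Directory Manager, one line, readable by root only.
DIRMGR_PWD_FILE=/home/ldap/dirmgr.pwd
if [ ! -f "$DIRMGR_PWD_FILE" ]; then
  echo "Please setup $DIRMGR_PWD_FILE." >&2
  exit 1
fi
chmod 600 "$DIRMGR_PWD_FILE"

# Pls customize the followings
FDS1_PATH=/opt/fedora-ds
HOST=ldap1
DOMAIN="example.com"
BASEDN="dc=example,dc=com"
SLAPD_OWNER=nobody
SLAPD_GROUP=nobody

# Derived locations; nothing below this line needs editing.
INST_DIR=$FDS1_PATH/slapd-$HOST
SCHEMA_DIR=$INST_DIR/config/schema
LDAPMODIFY=$FDS1_PATH/shared/bin/ldapmodify

LD_LIBRARY_PATH=$FDS1_PATH/shared/lib:$FDS1_PATH/lib
export LD_LIBRARY_PATH
PATH=$FDS1_PATH/shared/bin:$PATH; export PATH

if [ ! -d "$INST_DIR" ]; then
  echo "FDS instance directory $INST_DIR not found; check FDS1_PATH and HOST." >&2
  exit 1
fi

#######################################
# Run the FDS ldapmodify bound as cn=Directory Manager.
# The password is read from $DIRMGR_PWD_FILE (-j), never placed on argv.
# Arguments: any further ldapmodify options, normally "-f <ldif>"
# Returns:   ldapmodify's exit status
#######################################
ldapmod() {
  "$LDAPMODIFY" -D "cn=Directory Manager" -j "$DIRMGR_PWD_FILE" "$@"
}

echo "ASSUMPTION: This script assumes that you have performed"
echo "'rpm -e' and then 'rpm -ivh' to reinstall Fedora Directory Server"
echo "and you have re-run the setup program"
echo "ns-slapd should be running"
echo "Press [Ctrl-C] to abort, enter [Yes] to continue..."
read -r a_key
[ "$a_key" = "Yes" ] || exit 1

# Private scratch directory for the generated LDIF files; removed on exit.
WORK=$(mktemp -d /tmp/rebuild_fds.XXXXXX) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Load schemas.  Neither schema file needs shell expansion (the '$' in the
# objectClass definition is LDAP syntax), so the delimiters are quoted.
cat <<'EOF' >"$WORK/61DUAConfigProfile.ldif"
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a client DUA should re-read this configuration profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server for a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )
EOF

cat <<'EOF' >"$WORK/62nisDomain.ldif"
dn: cn=schema
attributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top STRUCTURAL MUST nisDomain X-ORIGIN 'user defined' )
EOF

# Install the schema files into the instance and restart slapd so they load.
/bin/cp -f "$WORK/61DUAConfigProfile.ldif" "$SCHEMA_DIR"
/bin/cp -f "$WORK/62nisDomain.ldif" "$SCHEMA_DIR"
chown "$SLAPD_OWNER:$SLAPD_GROUP" "$SCHEMA_DIR/61DUAConfigProfile.ldif"
chown "$SLAPD_OWNER:$SLAPD_GROUP" "$SCHEMA_DIR/62nisDomain.ldif"
"$INST_DIR/stop-slapd"
"$INST_DIR/start-slapd"

# Add nisDomainObject to the suffix entry (Solaris clients look for it).
cat <<EOF >"$WORK/add_nisDomainObject.ldif"
dn: $BASEDN
changetype: modify
add: objectclass
objectclass: nisdomainobject
-
replace: nisdomain
nisdomain: $DOMAIN

EOF
ldapmod -f "$WORK/add_nisDomainObject.ldif"

# Add two ACIs:
#  1. users may not write their own posix/shadow account attributes;
#  2. cn=proxyAgent may compare/search userPassword, which the proxy
#     credentialLevel in the profiles below relies on.
cat <<EOF >"$WORK/add_two_ACIs.ldif"
dn: $BASEDN
changetype: modify
add: aci
aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
-
add: aci
aci: (target="ldap:///$BASEDN")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,$BASEDN";)

EOF
ldapmod -f "$WORK/add_two_ACIs.ldif"

# Modify default password storage scheme.
# NOTE(review): CRYPT (traditional crypt(3)) is a weak scheme, kept here
# presumably for Solaris client compatibility; prefer SSHA where every
# client can verify it.
cat <<EOF >"$WORK/mod_passwordStorageScheme.ldif"
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: CRYPT
EOF
ldapmod -f "$WORK/mod_passwordStorageScheme.ldif"

# Create ou=group, proxyAgent and ldapclient profiles.
# -a adds entries, -c continues past entries that already exist on a re-run.
# The two users below are the author's samples, hashes included; replace
# them for a real deployment.
cat <<EOF >"$WORK/People.ldif"
dn: uid=gtay, ou=People, $BASEDN
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
userPassword: {CRYPT}U8bo2twhJ9Kkg

dn: uid=tuser, ou=People, $BASEDN
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=

EOF
ldapmod -a -c -f "$WORK/People.ldif"

cat <<EOF >"$WORK/group_and_other_OUs.ldif"
dn: ou=group,$BASEDN
objectClass: organizationalUnit
objectClass: top
ou: group

dn: cn=Users,ou=group,$BASEDN
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
memberUid: gtay
memberUid: tuser

dn: ou=netgroup,$BASEDN
objectClass: organizationalUnit
objectClass: top
ou: netgroup

dn: ou=sudoers,$BASEDN
objectClass: organizationalUnit
objectClass: top
ou: sudoers

EOF
ldapmod -a -c -f "$WORK/group_and_other_OUs.ldif"

# The proxyAgent password below is the author's sample; replace it too.
cat <<EOF >"$WORK/proxyAgent_and_profiles.ldif"
dn: ou=profile,$BASEDN
objectClass: top
objectClass: organizationalUnit
ou: profile

dn: cn=proxyAgent,ou=profile,$BASEDN
objectClass: top
objectClass: person
cn: proxyAgent
sn: proxyAgent
userPassword: {CRYPT}l14aeXtphVSUg

dn: cn=default,ou=profile,$BASEDN
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: $HOST.$DOMAIN
defaultSearchBase: $BASEDN
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
bindTimeLimit: 2
serviceSearchDescriptor: passwd: ou=People,$BASEDN?one
serviceSearchDescriptor: group: ou=group,$BASEDN?one
serviceSearchDescriptor: shadow: ou=People,$BASEDN?one
serviceSearchDescriptor: netgroup: ou=netgroup,$BASEDN?one
serviceSearchDescriptor: sudoers: ou=sudoers,$BASEDN?one

dn: cn=tls_profile,ou=profile,$BASEDN
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: $HOST.$DOMAIN
defaultSearchBase: $BASEDN
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,$BASEDN?one
serviceSearchDescriptor: group: ou=group,$BASEDN?one
serviceSearchDescriptor: shadow: ou=People,$BASEDN?one
serviceSearchDescriptor: netgroup: ou=netgroup,$BASEDN?one
serviceSearchDescriptor: sudoers: ou=sudoers,$BASEDN?one

EOF
ldapmod -a -c -f "$WORK/proxyAgent_and_profiles.ldif"

echo "Rebuild done."

===Sample Run===

# ./rebuild_fds.sh
ASSUMPTION: This script assumes that you have performed
'rpm -e' and then 'rpm -ivh' to reinstall Fedora Directory Server
and you have re-run the setup program
ns-slapd should be running
Press [Ctrl-C] to abort, enter [Yes] to continue...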
Yes
modifying entry dc=example,dc=com

modifying entry dc=example,dc=com
ldap_modify: Type or value exists

modifying entry cn=config

adding new entry uid=gtay, ou=People, dc=example,dc=com

adding new entry uid=tuser, ou=People, dc=example,dc=com

adding new entry ou=group,dc=example,dc=com

adding new entry cn=Users,ou=group,dc=example,dc=com

adding new entry ou=netgroup,dc=example,dc=com

adding new entry ou=sudoers,dc=example,dc=com

adding new entry ou=profile,dc=example,dc=com

adding new entry cn=proxyAgent,ou=profile,dc=example,dc=com

adding new entry cn=default,ou=profile,dc=example,dc=com

adding new entry cn=tls_profile,ou=profile,dc=example,dc=com

Rebuild done.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20060413/875b3886/attachment.html