diff --git a/user_saml-dirsrv/Dockerfile b/user_saml-dirsrv/Dockerfile
new file mode 100644
index 00000000..682cc699
--- /dev/null
+++ b/user_saml-dirsrv/Dockerfile
@@ -0,0 +1,29 @@
+FROM quay.io/389ds/dirsrv:latest
+
+ENV DS_DM_PASSWORD admin
+ENV DS_SUFFIX_NAME dc=idptestbed
+
+ADD conf/* /var/opt/
+
+RUN rm -Rf /data/*
+RUN /usr/libexec/dirsrv/dscontainer -r & \
+ sleep 60; \
+ WAIT_TIME=60; \
+ while : ; do \
+ if /usr/libexec/dirsrv/dscontainer -H; then \
+ break; \
+ fi; \
+ sleep 5; \
+ WAIT_TIME=$((WAIT_TIME + 5)); \
+ if [ ${WAIT_TIME} -gt 180 ]; then \
+ echo "dirsrv not ready – giving up checking after 3min"; \
+ exit 3 ;\
+ fi; \
+ done; \
+ dsconf localhost backend create --suffix dc=idptestbed --be-name ci_root; \
+ mv /var/opt/98nextcloud-schema.ldif /etc/dirsrv/slapd-localhost/schema/; \
+ dsconf localhost schema reload; \
+ dsconf localhost backend import "dc=idptestbed" /var/opt/entries.ldif; \
+ rm /var/opt/entries.ldif;
+
+EXPOSE 3389
diff --git a/user_saml-dirsrv/conf/98nextcloud-schema.ldif b/user_saml-dirsrv/conf/98nextcloud-schema.ldif
new file mode 100644
index 00000000..12114945
--- /dev/null
+++ b/user_saml-dirsrv/conf/98nextcloud-schema.ldif
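Review bot: The provisioning commands at the end of the second RUN step (`dsconf localhost backend create …` through `rm /var/opt/entries.ldif;`) are `;`-terminated, so a failed backend create, schema reload or LDIF import does not fail the build and the image is produced with an empty or partially populated directory; starting the step with `set -e;` (or chaining those lines with `&&`) makes the build stop at the first failing command. `ENV DS_DM_PASSWORD admin` uses the deprecated space-separated form and bakes the Directory Manager password into the runtime environment of every container started from this image, which is fine for a throwaway test bed but deserves a comment such as `# test-bed only: well-known Directory Manager password; never reuse this image outside CI`. Smaller points: `FROM quay.io/389ds/dirsrv:latest` is unpinned and will silently change behaviour between builds, and `ADD conf/* /var/opt/` should be `COPY`, since no archive extraction or URL fetch is involved.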
@@ -0,0 +1,13 @@ +dn: cn=schema +objectClass: top +objectClass: ldapSubentry +objectClass: subschema +cn: schema +aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";) +modifiersName: cn=Directory Manager +modifyTimestamp: 20230412120423Z +objectClasses: ( 1.3.6.1.4.1.49213.1.2.1 NAME 'nextcloudUser' AUXILIARY MUST cn MAY (nextcloudEnabled $ nextcloudQuota ) X-ORIGIN 'user defined' ) +objectClasses: ( 1.3.6.1.4.1.49213.1.2.2 NAME 'nextcloudGroup' AUXILIARY MUST cn MAY nextcloudEnabled X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.49213.1.1.1 NAME 'nextcloudEnabled' DESC 'whether user or group should be available in Nextcloud' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' ) +attributeTypes: ( 1.3.6.1.4.1.49213.1.1.2 NAME 'nextcloudQuota' DESC 'defines how much disk space is available for the user (e.g. 2 GB)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) +nsSchemaCSN: 64369e47000000000000 diff --git a/user_saml_shibboleth/ldap/users.ldif b/user_saml-dirsrv/conf/entries.ldif similarity index 61% rename from user_saml_shibboleth/ldap/users.ldif rename to user_saml-dirsrv/conf/entries.ldif index e5d61123..3ba1998a 100644 --- a/user_saml_shibboleth/ldap/users.ldif +++ b/user_saml-dirsrv/conf/entries.ldif @@ -1,3 +1,11 @@ + +dn: dc=idptestbed +objectClass: top +objectClass: domain +dc: idptestbed +description: dc=idptestbed +aci: (targetattr = *) (targetfilter = "(objectclass=*)") (version 3.0; acl "Any read"; allow (search, read, compare) (userdn = "ldap:///anyone" );) + dn: cn=admin,dc=idptestbed objectClass: simpleSecurityObject objectClass: organizationalRole 
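Review bot: The `aci` on the new `dn: dc=idptestbed` entry grants anonymous `read, search, compare` on `(targetattr = *)` for the whole suffix, so every attribute of the entries imported below it, apparently including `userPassword`, becomes readable without a bind unless the server applies a stricter rule elsewhere. Nothing visible in the diff appears to need anonymous access to password attributes, so `(targetattr != "userPassword")` (the same negated form the schema file already uses for `aci`) would keep anonymous lookups working while withholding the hashes; if the broad rule is intentional for the test bed, a leading `# test-bed only: anonymous read of the entire tree` comment line would make that explicit.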
@@ -5,40 +13,50 @@ cn: admin userPassword: password description: LDAP administrator +dn: ou=Groups,dc=idptestbed +objectClass: top +objectClass: organizationalunit +ou: Groups + +dn: ou=People,dc=idptestbed +objectClass: top +objectClass: organizationalunit +ou: People + dn: uid=student1,ou=People,dc=idptestbed objectClass: organizationalPerson objectClass: person objectClass: top objectClass: inetOrgPerson -objectClass: ownCloud +objectClass: nextcloudUser givenName: Stud uid: student1 sn: Ent cn: Stud Ent mail: student1@idptestbed.edu userPassword: password -quota: 200 MB +nextcloudQuota: 200 MB dn: uid=student2,ou=People,dc=idptestbed objectClass: organizationalPerson objectClass: person objectClass: top objectClass: inetOrgPerson -objectClass: ownCloud +objectClass: nextcloudUser givenName: Stud uid: student2 sn: Ent2 cn: Stud Ent2 mail: student2@idptestbed.edu userPassword: password -quota: 1 GB +nextcloudQuota: 1 GB dn: uid=staff1,ou=People,dc=idptestbed objectClass: organizationalPerson objectClass: person objectClass: top objectClass: inetOrgPerson -objectClass: ownCloud +objectClass: nextcloudUser givenName: St uid: staff1 sn: aff diff --git a/user_saml_shibboleth-idp/Dockerfile b/user_saml_shibboleth-idp/Dockerfile new file mode 100644 index 00000000..62642678 --- /dev/null +++ b/user_saml_shibboleth-idp/Dockerfile @@ -0,0 +1,8 @@ +FROM cscfi/shibboleth-idp:release-4.1.4 + +ADD shibboleth-idp/ /opt/shibboleth-idp/ +ADD start.sh /usr/local/bin/ + +RUN chmod a+x /usr/local/bin/start.sh + +CMD "start.sh" diff --git a/user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-filter.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-filter.xml new file mode 100644 index 00000000..92513ef3 --- /dev/null +++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-filter.xml @@ -0,0 +1,44 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
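Review bot: `CMD "start.sh"` is shell form, so the container's PID 1 is `/bin/sh -c` rather than the script, and `docker stop` sends SIGTERM to that shell, which does not forward it to the JVM that `start.sh` launches; use the exec form `CMD ["start.sh"]` (and have the script `exec` java). The two `ADD` instructions copy plain local files and directories, which is `COPY`'s job; with BuildKit, `COPY --chmod=755 start.sh /usr/local/bin/` would also remove the separate `RUN chmod a+x` layer. The `ADD shibboleth-idp/ /opt/shibboleth-idp/` line pulls the repository's `credentials/` keys and keystores into the image, so a comment stating that these are disposable test-bed credentials would help the next reader.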
diff --git a/user_saml_shibboleth/shibboleth/conf/attribute-resolver.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-resolver.xml similarity index 79% rename from user_saml_shibboleth/shibboleth/conf/attribute-resolver.xml rename to user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-resolver.xml index de435b56..0e4a0cd5 100644 --- a/user_saml_shibboleth/shibboleth/conf/attribute-resolver.xml +++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-resolver.xml @@ -1,46 +1,36 @@ - - + xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd"> - - - - - - - - - - - + + + + + + + + + + + - - - - - + + + + + - - - - - - - - - - - + + + + + + + + + + + - - - - - + + + + + - - + - + - + - + diff --git a/user_saml_shibboleth-idp/shibboleth-idp/conf/attributes/default-rules.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/attributes/default-rules.xml new file mode 100644 index 00000000..956852eb --- /dev/null +++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/attributes/default-rules.xml @@ -0,0 +1,14 @@ + + + + + + diff --git a/user_saml_shibboleth/shibboleth/conf/cas-protocol.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/cas-protocol.xml similarity index 100% rename from user_saml_shibboleth/shibboleth/conf/cas-protocol.xml rename to user_saml_shibboleth-idp/shibboleth-idp/conf/cas-protocol.xml diff --git a/user_saml_shibboleth/shibboleth/conf/idp.properties b/user_saml_shibboleth-idp/shibboleth-idp/conf/idp.properties similarity index 98% rename from user_saml_shibboleth/shibboleth/conf/idp.properties rename to user_saml_shibboleth-idp/shibboleth-idp/conf/idp.properties index d71cbc6c..048fd9b7 100644 --- a/user_saml_shibboleth/shibboleth/conf/idp.properties +++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/idp.properties 
@@ -193,3 +193,9 @@ idp.ui.fallbackLanguages= en,fr,de #idp.fticks.salt=somethingsecret #idp.fticks.loghost=localhost #idp.fticks.logport=514 + +idp.loglevel.idp = DEBUG +idp.loglevel.messages = DEBUG +idp.loglevel.opensaml = DEBUG +idp.loglevel.encryption = DEBUG +idp.loglevel.ldap = INFO diff --git a/user_saml_shibboleth/shibboleth/conf/ldap.properties b/user_saml_shibboleth-idp/shibboleth-idp/conf/ldap.properties similarity index 93% rename from user_saml_shibboleth/shibboleth/conf/ldap.properties rename to user_saml_shibboleth-idp/shibboleth-idp/conf/ldap.properties index c6d8c2ec..b78ca1f2 100644 --- a/user_saml_shibboleth/shibboleth/conf/ldap.properties +++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/ldap.properties @@ -5,7 +5,8 @@ #idp.authn.LDAP.authenticator = anonSearchAuthenticator ## Connection properties ## -idp.authn.LDAP.ldapURL = ldap://localhost:389 +# the LDAP server is typically a service container, reachable via "directory" +idp.authn.LDAP.ldapURL = ldap://directory:3389 idp.authn.LDAP.useStartTLS = false idp.authn.LDAP.useSSL = false #idp.authn.LDAP.connectTimeout = 3000 @@ -56,4 +57,4 @@ idp.attribute.resolver.LDAP.searchFilter = (uid=$requestContext.principal #idp.pool.LDAP.prunePeriod = 300 #idp.pool.LDAP.idleTime = 600 #idp.pool.LDAP.blockWaitTime = 3000 -#idp.pool.LDAP.failFastInitialize = false \ No newline at end of file +#idp.pool.LDAP.failFastInitialize = false diff --git a/user_saml_shibboleth/shibboleth/conf/metadata-providers.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/metadata-providers.xml similarity index 80% rename from user_saml_shibboleth/shibboleth/conf/metadata-providers.xml rename to user_saml_shibboleth-idp/shibboleth-idp/conf/metadata-providers.xml index f1eae46e..39919979 100644 --- a/user_saml_shibboleth/shibboleth/conf/metadata-providers.xml +++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/metadata-providers.xml 
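Review bot: The five added `idp.loglevel.*` lines turn on DEBUG for the `idp`, `messages`, `opensaml` and `encryption` categories, which makes the IdP write full protocol messages and, presumably, encryption/decryption details to its log, and nothing marks this as test-bed configuration. A comment above the block such as `# test-bed only: DEBUG logs full SAML messages; do not copy to a real deployment` would prevent the settings from being carried over with the rest of the configuration.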
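Review bot: The new `idp.authn.LDAP.ldapURL = ldap://directory:3389` line sits next to `idp.authn.LDAP.useStartTLS = false` and `idp.authn.LDAP.useSSL = false`, so passwords submitted to the login form and the IdP's own bind credentials cross the container network in clear text; that is presumably acceptable for a test bed, but the added comment only explains the hostname. Extending it to `# the LDAP server is typically a service container, reachable via "directory"; plain ldap:// without TLS is test-bed only` records the trade-off where the next reader will look.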
@@ -2,15 +2,9 @@ - + xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd"> + @@ -19,7 +13,7 @@ - + @@ -33,35 +27,35 @@ it with them via some out of band mechanism (e.g., a fingerprint on a secure page). The EntityRoleWhiteList saves memory by only loading metadata from SAML roles - that the IdP needs to interoperate with. + that the IdP needs to interoperate with. --> - + + --> - + - - + + diff --git a/user_saml_shibboleth/shibboleth/conf/nextcloud.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/nextcloud.xml similarity index 94% rename from user_saml_shibboleth/shibboleth/conf/nextcloud.xml rename to user_saml_shibboleth-idp/shibboleth-idp/conf/nextcloud.xml index 7697b086..0274e16e 100644 --- a/user_saml_shibboleth/shibboleth/conf/nextcloud.xml +++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/nextcloud.xml @@ -1,5 +1,5 @@ - + @@ -16,7 +16,7 @@ urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified - + diff --git a/user_saml_shibboleth-idp/shibboleth-idp/conf/oidc-credentials.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/oidc-credentials.xml new file mode 100644 index 00000000..dbfe5855 --- /dev/null +++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/oidc-credentials.xml @@ -0,0 +1,44 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/user_saml_shibboleth/shibboleth/conf/relying-party.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/relying-party.xml similarity index 76% rename from user_saml_shibboleth/shibboleth/conf/relying-party.xml rename to user_saml_shibboleth-idp/shibboleth-idp/conf/relying-party.xml index 271abb6c..d4724c55 100644 --- a/user_saml_shibboleth/shibboleth/conf/relying-party.xml +++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/relying-party.xml @@ -1,29 +1,25 @@ - + - + @@ -33,24 +29,23 @@ --> - + - + - - - - - - + + + + + - + - + 
diff --git a/user_saml_shibboleth/shibboleth/conf/saml-nameid.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/saml-nameid.xml similarity index 100% rename from user_saml_shibboleth/shibboleth/conf/saml-nameid.xml rename to user_saml_shibboleth-idp/shibboleth-idp/conf/saml-nameid.xml diff --git a/user_saml_shibboleth/shibboleth/credentials/idp-backchannel.crt b/user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-backchannel.crt similarity index 100% rename from user_saml_shibboleth/shibboleth/credentials/idp-backchannel.crt rename to user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-backchannel.crt diff --git a/user_saml_shibboleth/shibboleth/credentials/idp-backchannel.p12 b/user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-backchannel.p12 similarity index 100% rename from user_saml_shibboleth/shibboleth/credentials/idp-backchannel.p12 rename to user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-backchannel.p12 diff --git a/user_saml_shibboleth/shibboleth/credentials/idp-browser.p12 b/user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-browser.p12 similarity index 100% rename from user_saml_shibboleth/shibboleth/credentials/idp-browser.p12 rename to user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-browser.p12 diff --git a/user_saml_shibboleth/shibboleth/credentials/idp-encryption.crt b/user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-encryption.crt similarity index 100% rename from user_saml_shibboleth/shibboleth/credentials/idp-encryption.crt rename to user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-encryption.crt diff --git a/user_saml_shibboleth/shibboleth/credentials/idp-encryption.key b/user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-encryption.key similarity index 100% rename from user_saml_shibboleth/shibboleth/credentials/idp-encryption.key rename to user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-encryption.key 
diff --git a/user_saml_shibboleth/shibboleth/credentials/idp-signing.crt b/user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-signing.crt similarity index 100% rename from user_saml_shibboleth/shibboleth/credentials/idp-signing.crt rename to user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-signing.crt diff --git a/user_saml_shibboleth/shibboleth/credentials/idp-signing.key b/user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-signing.key similarity index 100% rename from user_saml_shibboleth/shibboleth/credentials/idp-signing.key rename to user_saml_shibboleth-idp/shibboleth-idp/credentials/idp-signing.key diff --git a/user_saml_shibboleth/shibboleth/credentials/idp.crt b/user_saml_shibboleth-idp/shibboleth-idp/credentials/idp.crt similarity index 100% rename from user_saml_shibboleth/shibboleth/credentials/idp.crt rename to user_saml_shibboleth-idp/shibboleth-idp/credentials/idp.crt diff --git a/user_saml_shibboleth/shibboleth/credentials/idp.key b/user_saml_shibboleth-idp/shibboleth-idp/credentials/idp.key similarity index 100% rename from user_saml_shibboleth/shibboleth/credentials/idp.key rename to user_saml_shibboleth-idp/shibboleth-idp/credentials/idp.key diff --git a/user_saml_shibboleth/shibboleth/credentials/sealer.jks b/user_saml_shibboleth-idp/shibboleth-idp/credentials/sealer.jks similarity index 100% rename from user_saml_shibboleth/shibboleth/credentials/sealer.jks rename to user_saml_shibboleth-idp/shibboleth-idp/credentials/sealer.jks diff --git a/user_saml_shibboleth/shibboleth/credentials/sealer.kver b/user_saml_shibboleth-idp/shibboleth-idp/credentials/sealer.kver similarity index 100% rename from user_saml_shibboleth/shibboleth/credentials/sealer.kver rename to user_saml_shibboleth-idp/shibboleth-idp/credentials/sealer.kver 
diff --git a/user_saml_shibboleth/shibboleth/metadata/idp-metadata.xml b/user_saml_shibboleth-idp/shibboleth-idp/metadata/idp-metadata.xml similarity index 91% rename from user_saml_shibboleth/shibboleth/metadata/idp-metadata.xml rename to user_saml_shibboleth-idp/shibboleth-idp/metadata/idp-metadata.xml index 7a351b60..7daa5c01 100644 --- a/user_saml_shibboleth/shibboleth/metadata/idp-metadata.xml +++ b/user_saml_shibboleth-idp/shibboleth-idp/metadata/idp-metadata.xml @@ -5,23 +5,13 @@ This metadata is not dynamic - it will not change as your configuration changes. --> - + - - - example.org - - - @@ -130,10 +120,6 @@ GrYd+TvG2duNh6z69Ppj2WuD - - example.org - - diff --git a/user_saml_shibboleth/shibboleth/views/client-storage/client-storage-read.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/client-storage/client-storage-read.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/client-storage/client-storage-read.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/client-storage/client-storage-read.vm diff --git a/user_saml_shibboleth/shibboleth/views/client-storage/client-storage-write.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/client-storage/client-storage-write.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/client-storage/client-storage-write.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/client-storage/client-storage-write.vm diff --git a/user_saml_shibboleth/shibboleth/views/duo.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/duo.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/duo.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/duo.vm diff --git a/user_saml_shibboleth/shibboleth/views/error.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/error.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/error.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/error.vm 
diff --git a/user_saml_shibboleth/shibboleth/views/intercept/attribute-release.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/intercept/attribute-release.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/intercept/attribute-release.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/intercept/attribute-release.vm diff --git a/user_saml_shibboleth/shibboleth/views/intercept/expiring-password.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/intercept/expiring-password.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/intercept/expiring-password.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/intercept/expiring-password.vm diff --git a/user_saml_shibboleth/shibboleth/views/intercept/terms-of-use.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/intercept/terms-of-use.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/intercept/terms-of-use.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/intercept/terms-of-use.vm diff --git a/user_saml_shibboleth/shibboleth/views/login-error.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/login-error.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/login-error.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/login-error.vm diff --git a/user_saml_shibboleth/shibboleth/views/login.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/login.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/login.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/login.vm diff --git a/user_saml_shibboleth/shibboleth/views/logout-complete.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/logout-complete.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/logout-complete.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/logout-complete.vm 
diff --git a/user_saml_shibboleth/shibboleth/views/logout-propagate.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/logout-propagate.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/logout-propagate.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/logout-propagate.vm diff --git a/user_saml_shibboleth/shibboleth/views/logout.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/logout.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/logout.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/logout.vm diff --git a/user_saml_shibboleth/shibboleth/views/spnego-unavailable.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/spnego-unavailable.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/spnego-unavailable.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/spnego-unavailable.vm diff --git a/user_saml_shibboleth/shibboleth/views/user-prefs.js b/user_saml_shibboleth-idp/shibboleth-idp/views/user-prefs.js similarity index 100% rename from user_saml_shibboleth/shibboleth/views/user-prefs.js rename to user_saml_shibboleth-idp/shibboleth-idp/views/user-prefs.js diff --git a/user_saml_shibboleth/shibboleth/views/user-prefs.vm b/user_saml_shibboleth-idp/shibboleth-idp/views/user-prefs.vm similarity index 100% rename from user_saml_shibboleth/shibboleth/views/user-prefs.vm rename to user_saml_shibboleth-idp/shibboleth-idp/views/user-prefs.vm diff --git a/user_saml_shibboleth/shibboleth/webapp/css/consent.css b/user_saml_shibboleth-idp/shibboleth-idp/webapp/css/consent.css similarity index 100% rename from user_saml_shibboleth/shibboleth/webapp/css/consent.css rename to user_saml_shibboleth-idp/shibboleth-idp/webapp/css/consent.css 
diff --git a/user_saml_shibboleth/shibboleth/webapp/css/logout.css b/user_saml_shibboleth-idp/shibboleth-idp/webapp/css/logout.css similarity index 100% rename from user_saml_shibboleth/shibboleth/webapp/css/logout.css rename to user_saml_shibboleth-idp/shibboleth-idp/webapp/css/logout.css diff --git a/user_saml_shibboleth/shibboleth/webapp/css/main.css b/user_saml_shibboleth-idp/shibboleth-idp/webapp/css/main.css similarity index 100% rename from user_saml_shibboleth/shibboleth/webapp/css/main.css rename to user_saml_shibboleth-idp/shibboleth-idp/webapp/css/main.css diff --git a/user_saml_shibboleth/shibboleth/webapp/images/dummylogo-mobile.png b/user_saml_shibboleth-idp/shibboleth-idp/webapp/images/dummylogo-mobile.png similarity index 100% rename from user_saml_shibboleth/shibboleth/webapp/images/dummylogo-mobile.png rename to user_saml_shibboleth-idp/shibboleth-idp/webapp/images/dummylogo-mobile.png diff --git a/user_saml_shibboleth/shibboleth/webapp/images/dummylogo.png b/user_saml_shibboleth-idp/shibboleth-idp/webapp/images/dummylogo.png similarity index 100% rename from user_saml_shibboleth/shibboleth/webapp/images/dummylogo.png rename to user_saml_shibboleth-idp/shibboleth-idp/webapp/images/dummylogo.png diff --git a/user_saml_shibboleth/shibboleth/webapp/images/failure-32x32.png b/user_saml_shibboleth-idp/shibboleth-idp/webapp/images/failure-32x32.png similarity index 100% rename from user_saml_shibboleth/shibboleth/webapp/images/failure-32x32.png rename to user_saml_shibboleth-idp/shibboleth-idp/webapp/images/failure-32x32.png diff --git a/user_saml_shibboleth/shibboleth/webapp/images/success-32x32.png b/user_saml_shibboleth-idp/shibboleth-idp/webapp/images/success-32x32.png similarity index 100% rename from user_saml_shibboleth/shibboleth/webapp/images/success-32x32.png rename to user_saml_shibboleth-idp/shibboleth-idp/webapp/images/success-32x32.png 
diff --git a/user_saml_shibboleth/shibboleth/webapp/js/Duo-Web-v2.min.js b/user_saml_shibboleth-idp/shibboleth-idp/webapp/js/Duo-Web-v2.min.js
similarity index 100%
rename from user_saml_shibboleth/shibboleth/webapp/js/Duo-Web-v2.min.js
rename to user_saml_shibboleth-idp/shibboleth-idp/webapp/js/Duo-Web-v2.min.js
diff --git a/user_saml_shibboleth/shibboleth/webapp/js/jquery-2.1.4.min.js b/user_saml_shibboleth-idp/shibboleth-idp/webapp/js/jquery-2.1.4.min.js
similarity index 100%
rename from user_saml_shibboleth/shibboleth/webapp/js/jquery-2.1.4.min.js
rename to user_saml_shibboleth-idp/shibboleth-idp/webapp/js/jquery-2.1.4.min.js
diff --git a/user_saml_shibboleth-idp/start.sh b/user_saml_shibboleth-idp/start.sh
new file mode 100644
index 00000000..92a7a67f
--- /dev/null
+++ b/user_saml_shibboleth-idp/start.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+#set -x
+
+#sed 's/^::1.*localhost/::1\tip6-localhost/g' /etc/hosts > /etc/hosts.tmp
+#cat /etc/hosts.tmp > /etc/hosts
+#rm -f /etc/hosts.tmp
+
+export JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=nextcloud
+export JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=nextcloud
+
+init-idp.sh
+$JAVA_HOME/bin/java -jar $JETTY_HOME/start.jar jetty.home=$JETTY_HOME jetty.base=$JETTY_BASE -Djetty.sslContext.keyStorePassword=$JETTY_KEYSTORE_PASSWORD -Djetty.sslContext.keyStorePath=$JETTY_KEYSTORE_PATH
diff --git a/user_saml_shibboleth/Dockerfile b/user_saml_shibboleth/Dockerfile
deleted file mode 100755
index 0c35bc4c..00000000
--- a/user_saml_shibboleth/Dockerfile
+++ /dev/null
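Review bot: The last line starts Jetty without `exec`, so bash stays the parent of the JVM and, together with the shell-form `CMD` in the Dockerfile, the server never receives the SIGTERM from `docker stop`; change it to `exec "$JAVA_HOME/bin/java" -jar "$JETTY_HOME/start.jar" jetty.home="$JETTY_HOME" jetty.base="$JETTY_BASE" -Djetty.sslContext.keyStorePassword="$JETTY_KEYSTORE_PASSWORD" -Djetty.sslContext.keyStorePath="$JETTY_KEYSTORE_PATH"`. The script has no `set -e`, so a failing `init-idp.sh` is ignored and Jetty starts against a half-initialised `/opt/shibboleth-idp`; a `set -e` line after the shebang fixes that. The two `export JETTY_*_SSL_KEYSTORE_PASSWORD=nextcloud` lines hard-code keystore passwords, so a `# test-bed only: fixed passwords for the checked-in test keystores` comment would make their scope explicit, and the commented-out `#set -x` and `/etc/hosts` rewrite lines are dead code that could be dropped.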
@@ -1,34 +0,0 @@ -FROM unicon/shibboleth-idp:3.2.0 -MAINTAINER lukas@statuscode.ch - -# Add Shibboleth config stuff -ADD shibboleth/ /opt/shibboleth-idp/ - -# Install the LDAP server -RUN yum install -y https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-10.noarch.rpm -RUN yum install -y --enablerepo=centosplus 389-ds -RUN rm -fr /var/lock /usr/lib/systemd/system -ADD ldap/ds-setup.inf /ds-setup.inf -ADD ldap/users.ldif /users.ldif -ADD ldap/nextcloud.ldif /nextcloud.ldif -RUN sed -i 's/checkHostname {/checkHostname {\nreturn();/g' /usr/lib64/dirsrv/perl/DSUtil.pm -RUN sed -i 's/updateSelinuxPolicy($inf);//g' /usr/lib64/dirsrv/perl/* -ADD ldap/DSCreate.pm /usr/lib64/dirsrv/perl/DSCreate.pm -ADD ldap/AdminServer.pm /usr/lib64/dirsrv/perl/AdminServer.pm -RUN setup-ds-admin.pl --silent --file /ds-setup.inf -RUN /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && sleep 3 && ldapadd -H ldap:/// -f nextcloud.ldif -x -D "cn=Directory Manager" -w password && ldapadd -H ldap:/// -f users.ldif -x -D "cn=Directory Manager" -w password -RUN rm /*.ldif - -# Install Apache and PHP 7.0 for Nextcloud -RUN yum -y install centos-release-scl -RUN yum -y install rh-php56 rh-php56-php rh-php56-php-gd rh-php56-php-mbstring rh-php56-php-sqlite httpd git rh-php56-mcrypt rh-php56-php-pdo sudo -RUN scl enable rh-php56 bash -RUN yum -y install https://www.softwarecollections.org/en/scls/remi/php56more/epel-7-x86_64/download/remi-php56more-epel-7-x86_64.noarch.rpm -RUN yum -y install more-php56-php-mcrypt.x86_64 -RUN chmod -R 777 /opt/ -RUN rm -f /etc/httpd/conf.d/nss.conf -ADD apache/httpd.conf /etc/httpd/conf/httpd.conf - -# Add the startup file -ADD start.sh /start.sh -RUN chmod a+x /start.sh diff --git a/user_saml_shibboleth/apache/httpd.conf b/user_saml_shibboleth/apache/httpd.conf deleted file mode 100644 index 68bea955..00000000 --- a/user_saml_shibboleth/apache/httpd.conf +++ /dev/null 
@@ -1,359 +0,0 @@ -# -# This is the main Apache HTTP server configuration file. It contains the -# configuration directives that give the server its instructions. -# See for detailed information. -# In particular, see -# -# for a discussion of each configuration directive. -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# -# Configuration and logfile names: If the filenames you specify for many -# of the server's control files begin with "/" (or "drive:/" for Win32), the -# server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so 'log/access_log' -# with ServerRoot set to '/www' will be interpreted by the -# server as '/www/log/access_log', where as '/log/access_log' will be -# interpreted as '/log/access_log'. - -# -# ServerRoot: The top of the directory tree under which the server's -# configuration, error, and log files are kept. -# -# Do not add a slash at the end of the directory path. If you point -# ServerRoot at a non-local disk, be sure to specify a local disk on the -# Mutex directive, if file-based mutexes are used. If you wish to share the -# same ServerRoot for multiple httpd daemons, you will need to change at -# least PidFile. -# -ServerRoot "/etc/httpd" - -# -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. -# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. -# -#Listen 12.34.56.78:80 -Listen 80 - -# -# Dynamic Shared Object (DSO) Support -# -# To be able to use the functionality of a module which was built as a DSO you -# have to place corresponding `LoadModule' lines at this location so the -# directives contained in it are actually available _before_ they are used. 
-# Statically compiled modules (those listed by `httpd -l') do not need -# to be loaded here. -# -# Example: -# LoadModule foo_module modules/mod_foo.so -# -Include conf.modules.d/*.conf - -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. -# -# User/Group: The name (or #number) of the user/group to run httpd as. -# It is usually good practice to create a dedicated user and group for -# running httpd, as with most system services. -# -User apache -Group apache - -# 'Main' server configuration -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# - -# -# ServerAdmin: Your address, where problems with the server should be -# e-mailed. This address appears on some server-generated pages, such -# as error documents. e.g. admin@your-domain.com -# -ServerAdmin root@localhost - -# -# ServerName gives the name and port that the server uses to identify itself. -# This can often be determined automatically, but we recommend you specify -# it explicitly to prevent problems during startup. -# -# If your host doesn't have a registered DNS name, enter its IP address here. -# -#ServerName www.example.com:80 - -# -# Deny access to the entirety of your server's filesystem. You must -# explicitly permit access to web content directories in other -# blocks below. -# - - AllowOverride none - Require all denied - - -# -# Note that from this point forward you must specifically allow -# particular features to be enabled - so if something's not working as -# you might expect, make sure that you have specifically enabled it -# below. 
-# - -# -# DocumentRoot: The directory out of which you will serve your -# documents. By default, all requests are taken from this directory, but -# symbolic links and aliases may be used to point to other locations. -# -DocumentRoot "/var/www/html" - -# -# Relax access to content within /var/www. -# - - AllowOverride All - # Allow open access: - Require all granted - - -# Further relax access to the default document root: - - # - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.4/mod/core.html#options - # for more information. - # - Options Indexes FollowSymLinks - - # - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # Options FileInfo AuthConfig Limit - # - AllowOverride All - - # - # Controls who can get stuff from this server. - # - Require all granted - - -# -# DirectoryIndex: sets the file that Apache will serve if a directory -# is requested. -# - - DirectoryIndex index.php - - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Require all denied - - -# -# ErrorLog: The location of the error log file. -# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -# -ErrorLog "logs/error_log" - -# -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. 
-# -LogLevel warn - - - # - # The following directives define some format nicknames for use with - # a CustomLog directive (see below). - # - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - LogFormat "%h %l %u %t \"%r\" %>s %b" common - - - # You need to enable mod_logio.c to use %I and %O - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - - # - # The location and format of the access logfile (Common Logfile Format). - # If you do not define any access logfiles within a - # container, they will be logged here. Contrariwise, if you *do* - # define per- access logfiles, transactions will be - # logged therein and *not* in this file. - # - #CustomLog "logs/access_log" common - - # - # If you prefer a logfile with access, agent, and referer information - # (Combined Logfile Format) you can use the following directive. - # - CustomLog "logs/access_log" combined - - - - # - # Redirect: Allows you to tell clients about documents that used to - # exist in your server's namespace, but do not anymore. The client - # will make a new request for the document at its new location. - # Example: - # Redirect permanent /foo http://www.example.com/bar - - # - # Alias: Maps web paths into filesystem paths and is used to - # access content that does not live under the DocumentRoot. - # Example: - # Alias /webpath /full/filesystem/path - # - # If you include a trailing / on /webpath then the server will - # require it to be present in the URL. You will also likely - # need to provide a section to allow access to - # the filesystem path. - - # - # ScriptAlias: This controls which directories contain server scripts. - # ScriptAliases are essentially the same as Aliases, except that - # documents in the target directory are treated as applications and - # run by the server when requested rather than as documents sent to the - # client. 
The same rules about trailing "/" apply to ScriptAlias - # directives as to Alias. - # - ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" - - - -# -# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - AllowOverride All - Options None - Require all granted - - - - # - # TypesConfig points to the file containing the list of mappings from - # filename extension to MIME-type. - # - TypesConfig /etc/mime.types - - # - # AddType allows you to add to or override the MIME configuration - # file specified in TypesConfig for specific file types. - # - #AddType application/x-gzip .tgz - # - # AddEncoding allows you to have certain browsers uncompress - # information on the fly. Note: Not all browsers support this. - # - #AddEncoding x-compress .Z - #AddEncoding x-gzip .gz .tgz - # - # If the AddEncoding directives above are commented-out, then you - # probably should define those extensions to indicate media types: - # - AddType application/x-compress .Z - AddType application/x-gzip .gz .tgz - - # - # AddHandler allows you to map certain file extensions to "handlers": - # actions unrelated to filetype. These can be either built into the server - # or added with the Action directive (see below) - # - # To use CGI scripts outside of ScriptAliased directories: - # (You will also need to add "ExecCGI" to the "Options" directive.) - # - #AddHandler cgi-script .cgi - - # For type maps (negotiated resources): - #AddHandler type-map var - - # - # Filters allow you to process content before it is sent to the client. - # - # To parse .shtml files for server-side includes (SSI): - # (You will also need to add "Includes" to the "Options" directive.) - # - AddType text/html .shtml - AddOutputFilter INCLUDES .shtml - - -# -# Specify a default charset for all content served; this enables -# interpretation of all content as UTF-8 by default. 
To use the -# default browser choice (ISO-8859-1), or to allow the META tags -# in HTML content to override this choice, comment out this -# directive: -# -AddDefaultCharset UTF-8 - - - # - # The mod_mime_magic module allows the server to use various hints from the - # contents of the file itself to determine its type. The MIMEMagicFile - # directive tells the module where the hint definitions are located. - # - MIMEMagicFile conf/magic - - -# -# Customizable error responses come in three flavors: -# 1) plain text 2) local redirects 3) external redirects -# -# Some examples: -#ErrorDocument 500 "The server made a boo boo." -#ErrorDocument 404 /missing.html -#ErrorDocument 404 "/cgi-bin/missing_handler.pl" -#ErrorDocument 402 http://www.example.com/subscription_info.html -# - -# -# EnableMMAP and EnableSendfile: On systems that support it, -# memory-mapping or the sendfile syscall may be used to deliver -# files. This usually improves server performance, but must -# be turned off when serving from networked-mounted -# filesystems or if support for these functions is otherwise -# broken on your system. -# Defaults if commented: EnableMMAP On, EnableSendfile Off -# -#EnableMMAP off -EnableSendfile on - -# Supplemental configuration -# -# Load config files in the "/etc/httpd/conf.d" directory, if any. -IncludeOptional conf.d/*.conf -LoadModule php5_module /opt/rh/httpd24/root/usr/lib64/httpd/modules/librh-php56-php5.so -LoadModule env_module modules/mod_env.so - - -SetHandler application/x-httpd-php - diff --git a/user_saml_shibboleth/ldap/AdminServer.pm b/user_saml_shibboleth/ldap/AdminServer.pm deleted file mode 100644 index e17fa55c..00000000 --- a/user_saml_shibboleth/ldap/AdminServer.pm +++ /dev/null 
@@ -1,953 +0,0 @@ -# BEGIN COPYRIGHT BLOCK -# This Program is free software; you can redistribute it and/or modify it under -# the terms of the GNU General Public License as published by the Free Software -# Foundation; version 2 of the License. -# -# This Program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS -# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along with -# this Program; if not, write to the Free Software Foundation, Inc., 59 Temple -# Place, Suite 330, Boston, MA 02111-1307 USA. -# -# Copyright (C) 2007 Red Hat, Inc. -# All rights reserved. -# END COPYRIGHT BLOCK -# - -package AdminServer; -require Exporter; -@ISA = qw(Exporter); -@EXPORT = qw(createAdminServer reconfigAdminServer - createASFilesAndDirs setFileOwnerPerms updateHttpConfFiles - startAdminServer stopAdminServer removeAdminServer setDefaults - updateSelinuxPolicy); -@EXPORT_OK = qw(createAdminServer reconfigAdminServer - createASFilesAndDirs setFileOwnerPerms updateHttpConfFiles - startAdminServer stopAdminServer removeAdminServer setDefaults - updateSelinuxPolicy); - -use File::Path; -use File::Copy; -use File::Basename; -use File::Temp; - -my $template_backup_dir = "tmpdirXXXX"; -my $secfile_backup_dir = ""; - -# tempfiles -use File::Temp qw(tempfile tempdir); - -# load perldap -use Mozilla::LDAP::Conn; -use Mozilla::LDAP::Utils qw(normalizeDN); -use Mozilla::LDAP::API qw(ldap_url_parse); -use Mozilla::LDAP::LDIF; - -use DSUtil; -use Inf; -use Setup; -use AdminUtil; - -sub setDefaults { - my $setup = shift; - - if (!defined($setup->{inf}->{admin}->{ServerIpAddress})) { - $setup->{inf}->{admin}->{ServerIpAddress} = '0.0.0.0'; - } - if (!defined($setup->{inf}->{admin}->{Port})) { - $setup->{inf}->{admin}->{Port} = 9830; - } - if (!defined($setup->{inf}->{admin}->{SysUser})) { - my $user = 
$setup->{inf}->{General}->{SuiteSpotUserID}; - if (!defined($user)) { - if ($> == 0) { # if root, use the default user - $user = "nobody"; - } else { # if not root, use the user's uid - $user = getLogin; - } - } - $setup->{inf}->{admin}->{SysUser} = $user; - } - if (!defined($setup->{inf}->{admin}->{ServerAdminID})) { - my $id = $setup->{inf}->{General}->{ConfigDirectoryAdminID}; - if (isValidDN($id)) { - $id =~ s/^(.*)=.*/$1/; - } - $setup->{inf}->{admin}->{ServerAdminID} = $id; - } - if (!defined($setup->{inf}->{admin}->{ServerAdminPwd})) { - my $pwd = $setup->{inf}->{General}->{ConfigDirectoryAdminPwd}; - $setup->{inf}->{admin}->{ServerAdminPwd} = $pwd; - } - - return 1; -} - -sub checkRequiredParameters { - my $setup = shift; - for my $asparam (qw(ServerIpAddress Port SysUser ServerAdminID ServerAdminPwd)) { - if (!defined($setup->{inf}->{admin}->{$asparam})) { - $setup->msg($FATAL, "missing_adminserver_param", $asparam); - return 0; - } - } - - for my $general (qw(AdminDomain SuiteSpotUserID SuiteSpotGroup ConfigDirectoryLdapURL)) { - if (!defined($setup->{inf}->{General}->{$general})) { - $setup->msg($FATAL, "missing_general_param", $general); - return 0; - } - } - - return 1; -} - -sub usingSELinux { - my $mydevnull = (-c "/dev/null" ? " /dev/null " : " NUL "); - - if ((getLogin() eq 'root') and "yes" and -f "/usr/sbin/sestatus" and - !system ("/usr/sbin/sestatus | egrep -i \"selinux status:\\s*enabled\" > $mydevnull 2>&1")) { - # We are using SELinux - return 1; - } - return 0; -} - -sub setFileOwnerPerms { - my $setup = shift; - my $configdir = shift; - my $admConf = getAdmConf($configdir); - my $uid = getpwnam $admConf->{sysuser}; - - # chown the config directory - $! = 0; # clear errno - chown $uid, -1, $configdir; - if ($!) 
{ - $setup->msg($FATAL, 'error_chowning_file', $configdir, - $admConf->{sysuser}, $!); - return 0; - } - - # chown and chmod other files appropriately - for (glob("$configdir/*")) { - # these are owned by root - next if (/httpd.conf$/); - next if (/nss.conf$/); - next if (/admserv.conf$/); - next if (! -f $_); # should never happen - # all other files should be owned by SysUser - $! = 0; # clear errno - chown $uid, -1, $_; - if ($!) { - $setup->msg($FATAL, 'error_chowning_file', $_, - $admConf->{sysuser}, $!); - return 0; - } - # the files should be writable - $! = 0; # clear errno - chmod 0600, $_; - if ($!) { - $setup->msg($FATAL, 'error_chmoding_file', $_, $!); - return 0; - } - } - - return 1; -} - -sub createASFilesAndDirs { - my $setup = shift; - my $configdir = shift; - my $securitydir = shift; - my $logdir = shift; - my $rundir = shift; - - my $uid = getpwnam $setup->{inf}->{admin}->{SysUser}; - my $gid = getgrnam $setup->{inf}->{General}->{SuiteSpotGroup}; - - $setup->msg('create_adminserver_filesdirs'); - - # these paths are owned exclusively by admin sever - my @errs; - for ($configdir, $securitydir, $logdir) { - @errs = makePaths($_, 0700, $setup->{inf}->{admin}->{SysUser}, - $setup->{inf}->{General}->{SuiteSpotGroup}); - if (@errs) { - $setup->msg($FATAL, @errs); - return 0; - } - $! = 0; # clear errno - chmod 0700, $_; - if ($!) { - $setup->msg($FATAL, 'error_chmoding_directory', $_, $!); - return 0; - } - chown $uid, -1, $_; - if ($!) { - $setup->msg($FATAL, 'error_chowning_directory', $_, - $setup->{inf}->{admin}->{SysUser}, $!); - return 0; - } - } - - # these paths are shared by SuiteSpotGroup members - @errs = makePaths($rundir, 0770, $setup->{inf}->{admin}->{SysUser}, - $setup->{inf}->{General}->{SuiteSpotGroup}); - if (@errs) { - $setup->msg($FATAL, @errs); - return 0; - } - $! = 0; # clear errno - chmod 0770, $rundir; - if ($!) 
{ - $setup->msg($FATAL, 'error_chmoding_directory', $rundir, $!); - return 0; - } - chown -1, $gid, $rundir; - if ($!) { - $setup->msg($FATAL, 'error_chgrping_directory', $rundir, - $setup->{inf}->{General}->{SuiteSpotGroup}, $!); - return 0; - } - - return 1; -} - -sub makeConfFiles { - my $setup = shift; - my $configdir = shift; - - my @start_slapd; - if ($setup->{inf}->{slapd}->{SlapdConfigForMC} =~ /yes/i) { - my $sbindir = $setup->{inf}->{slapd}->{sbindir}; - my $inst_name = $setup->{inf}->{slapd}->{ServerIdentifier}; - @start_slapd = ('ldapStart', "$sbindir/start-dirsrv $inst_name"); - } - $setup->msg('updating_admconf'); - my $rc = updateAdmConf({ldapurl => $setup->{inf}->{General}->{ConfigDirectoryLdapURL}, - SuiteSpotUserID => $setup->{inf}->{General}->{SuiteSpotUserID}, - SuiteSpotGroup => $setup->{inf}->{General}->{SuiteSpotGroup}, - sysuser => $setup->{inf}->{admin}->{SysUser}, - sysgroup => $setup->{inf}->{General}->{SuiteSpotGroup}, - AdminDomain => $setup->{inf}->{General}->{AdminDomain}, - @start_slapd}, - $configdir); - if (!$rc) { - $setup->msg($FATAL, 'error_updating_admconf', $!); - return 0; - } - - $setup->msg('updating_admpw'); - $rc = updateAdmpw($setup->{inf}->{admin}->{ServerAdminID}, - $setup->{inf}->{admin}->{ServerAdminPwd}, - $configdir); - if (!$rc) { - $setup->msg($FATAL, 'error_updating_admpw'); - return 0; - } - - return 1; -} - -# sub addDefaultSecurityInfo { -# my $setup = shift; -# my $inf = $setup->{inf}; -# my $configdir = shift; -# my $reconfig = shift; -# my @errs; - -# my $admConf = getAdmConf($configdir); -# my $localconf = "$configdir/local.conf"; -# if (!open(LOCALCONF, ">$localconf")) { -# $setup->msg($FATAL, 'error_updating_localconf', $localconf, $!); -# return 0; -# } - -# if (!open(CONSOLECONF, "$admConf->{configdir}/console.conf")) { -# debug(0, "Error opening $admConf->{configdir}/console.conf: $!"); -# return 0; -# } - -# print LOCALCONF "configuration.Encryption\n"; - -# close(LOCALCONF); -# return 1; -# } - -# 
This is how we extract the sie and isie as the as entries are -# being added -sub registercb { - my ($context, $entry, $errs) = @_; - - my $rc = check_and_add_entry([$context->{conn}], $entry, $errs); - my $setup = $context->{setup}; - if ($rc) { - if ($entry->hasValue('objectclass', 'nsApplication', 1)) { - $context->{isie} = $entry->getDN(); - } elsif ($entry->hasValue('objectclass', 'nsAdminServer', 1)) { - $context->{sie} = $entry->getDN(); - } - - if ($context->{sie}) { - $rc = updateLocalConf($entry, $context->{sie}, $context->{localfh}); - if (!$rc) { - $setup->msg($FATAL, 'error_updating_localconf_entry', $entry->getDN()); - } - } - } else { - $setup->msg(@{$errs}); - $setup->msg($FATAL, 'error_adding_adminserver_config_entry', $entry->getDN()); - } - - return $rc; -} - -sub registerASWithConfigDS { - my $setup = shift; - my $inf = $setup->{inf}; - my $configdir = shift; - my @errs; - - $setup->msg('registering_adminserver'); - # open a connection to the configuration directory server - my $conn = getConfigDSConn($inf->{General}->{ConfigDirectoryLdapURL}, - $inf->{General}->{ConfigDirectoryAdminID}, - $inf->{General}->{ConfigDirectoryAdminPwd}, - $configdir, \@errs); - - if (@errs) { - $setup->msg($FATAL, @errs); - return 0; - } - - # add the Admin Server configuration entries - my @ldiffiles = ("/usr/share/dirsrv/data/20asdata.ldif.tmpl", - "/usr/share/dirsrv/data/21astasks.ldif.tmpl", - "/usr/share/dirsrv/data/22ascommands.ldif.tmpl" - ); - my @infs = getInfs("admin", "setup"); - my $mapper = new Inf("/usr/share/dirsrv/inf/adminserver.map"); - - $mapper = process_maptbl($mapper, \@errs, $inf, @infs); - if (!$mapper or @errs) { - $conn->close(); - $setup->msg(@errs); - $setup->msg($FATAL, 'error_creating_adminserver_maptbl'); - return 0; - } - - # context will get filled in with isie and sie in registercb - my $localconf = "$configdir/local.conf"; - my $isnew; - if (! 
-f $localconf) { - $isnew = 1; - } - if (!open(LOCALCONF, ">$localconf")) { - $setup->msg($FATAL, 'error_updating_localconf', $localconf, $!); - return 0; - } - my $context = {conn => $conn, localfh => \*LOCALCONF, setup => $setup}; - getMappedEntries($mapper, \@ldiffiles, \@errs, \®istercb, $context); - close(LOCALCONF); - - if ($isnew) { - my $admConf = getAdmConf($configdir); - my $uid = getpwnam $admConf->{sysuser}; - chmod 0600, "$localconf"; - chown $uid, -1, "$localconf"; - } - - $setup->msg('updating_admconf_configds'); - if ($context->{sie} or $context->{isie}) { - if (!updateAdmConf({sie => $context->{sie}, - isie => $context->{isie}, - userdn => $conn->{adminbinddn}}, - $configdir)) { - $setup->msg($FATAL, 'error_updating_admconf', $!); - return 0; - } - } - - $conn->close(); - return @errs ? 0 : 1; -} - -my @saveconffiles = qw(admserv.conf httpd.conf nss.conf console.conf); -my @savesecfiles = qw(cert8.db key3.db secmod.db password.conf); -my @reconfigsavefiles = qw (httpd.conf nss.conf cert8.db key3.db secmod.db password.conf); - -# update other config files - these are the fields which users typically want to -# change during an install or an upgrade, that also must be synced to the Apache -# style config files - we use the config CGI in command line mode because it -# already has all of the logic to update the files correctly -sub updateHttpConfFiles { - my $serverAddress = shift; - my $port = shift; - my $configdir = shift; - my $origport = shift; - my $admConf = getAdmConf($configdir); - my $user = $admConf->{sysuser}; - - # this is required on some platforms in order to execute the config command - my $savepath = $ENV{SHLIB_PATH} || $ENV{LD_LIBRARY_PATH}; - $ENV{LD_LIBRARY_PATH} = ""; - libpath_add("/usr/lib64"); - libpath_add("$savepath"); - $ENV{SHLIB_PATH} = $ENV{LD_LIBRARY_PATH}; - - if (! 
-d "$admConf->{configdir}/bakup") { - if (system ("mkdir -p $admConf->{configdir}/bakup")) { - debug(0, "Error backing up $admConf->{configdir}/console.conf failed: $!"); - } - } - # backup the savefiles for "remove-ds-admin.pl -a" - foreach my $savefile (@saveconffiles, @savesecfiles) { - if (! -f "$admConf->{configdir}/bakup/$savefile") { - if (-e "$admConf->{configdir}/$savefile"){ - if(system ("cp -p $admConf->{configdir}/$savefile $admConf->{configdir}/bakup")) { - debug(0, "Error backing up $admConf->{configdir}/$savefile failed: $!\n"); - } - } - } - } - - my $cmd = "/usr/lib64/dirsrv/cgi-bin/config op=set configuration.nsSuiteSpotUser=\"$user\""; - if (!defined($origport) or ($port != $origport)) { # need to change the port number - $cmd .= " configuration.nsServerPort=\"$port\""; - } - if ($serverAddress) { - $cmd .= " configuration.nsServerAddress=\"$serverAddress\""; - } - debug(1, "Running $cmd ..."); - $? = 0; # clear error - my $output = `$cmd 2>&1`; - # Check the output of the config CGI to see if something bad happened. - if ($? 
|| $output =~ /NMC_Status: 1/) { - debug(0, "Error updating console.conf:\n"); - debug(0, $output); - $ENV{LD_LIBRARY_PATH} = $savepath; - $ENV{SHLIB_PATH} = $savepath; - return 0; - } - - debug(1, $output); - $ENV{LD_LIBRARY_PATH} = $savepath; - $ENV{SHLIB_PATH} = $savepath; - - # update Group in console.conf - if ($admConf->{sysgroup}) { - if (!open(CONSOLECONF, "$admConf->{configdir}/console.conf")) { - debug(0, "Error opening $admConf->{configdir}/console.conf: $!"); - return 0; - } - my @contents = ; - close (CONSOLECONF); - grep { s/^Group.*$/Group $admConf->{sysgroup}/ } @contents; - if (!open(CONSOLECONF, ">$admConf->{configdir}/console.conf")) { - debug(0, "Error writing new group $admConf->{sysgroup} to $admConf->{configdir}/console.conf: $!"); - return 0; - } - print CONSOLECONF @contents; - close (CONSOLECONF); - } - - return 1; -} - -sub startAdminServer { - return 1; - my $setup = shift; - my $configdir = shift; - my $logdir = shift; - my $rundir = shift; - my $isrunning; - - $pidfile = "$rundir/admin-serv.pid"; - if (-f $pidfile) { - open(PIDFILE, $pidfile); - my $pid = ; - close(PIDFILE); - if (kill 0, $pid) { - $isrunning = 1; - } - } - - my ($fh, $filename) = tempfile("asstartupXXXXXX", UNLINK => 1, - SUFFIX => ".log", DIR => File::Spec->tmpdir); - close($fh); - my $rc; - my $selinux_cmd = ""; - - # If we're using selinux, start the server with the proper context - # to allow the process to transition to the proper domain. 
- if (usingSELinux()) { - $selinux_cmd = "runcon -u system_u -r system_r -t initrc_t"; - } - - if ($isrunning) { - $setup->msg('restarting_adminserver'); - if ("") { - $rc = system("service dirsrv-admin restart > $filename 2>&1"); - } elsif ("/usr/lib/systemd/system") { - $rc = system("/bin/systemctl restart dirsrv-admin.service > $filename 2>&1"); - } else { - $rc = system("$selinux_cmd /usr/sbin/restart-ds-admin > $filename 2>&1"); - } - } else { - $setup->msg('starting_adminserver'); - if ("") { - $rc = system("service dirsrv-admin start > $filename 2>&1"); - } elsif ("/usr/lib/systemd/system") { - $rc = system("/bin/systemctl start dirsrv-admin.service > $filename 2>&1"); - } else { - $rc = system("$selinux_cmd /usr/sbin/start-ds-admin > $filename 2>&1"); - } - } - - open(STARTLOG, "$filename"); - while () { - $setup->msg('adminserver_startup_output', $_); - } - close(STARTLOG); - unlink($filename); - - if ($rc) { - $setup->msg($FATAL, 'error_starting_adminserver', $rc); - return 0; - } - - $setup->msg('success_starting_adminserver'); - return 1; -} - -sub reconfig_backup_secfiles -{ - # - # Backup the security files, because when we reconfigure the admin - # server it overwrites these files and breaks SSL. - # - my $configdir = shift; - - my $dirname = dirname $configdir; - my $my_template_backup_dir = $dirname . "/" . $template_backup_dir; - $secfile_backup_dir = mkdtemp($my_template_backup_dir); - if ( ! -d $secfile_backup_dir){ - $setup->msg($FATAL, 'error_creating_secfile_backup', $secfile_backup_dir, $!); - return 0; - } - foreach my $savefile (@reconfigsavefiles) { - if ( -e "$configdir/$savefile"){ - # To keep the ownership and modes, use move for backup. - move ("$configdir/$savefile", "$secfile_backup_dir/$savefile"); - debug(1, "Backing up $configdir/$savefile to $secfile_backup_dir/$savefile\n"); - if (! 
-e "$secfile_backup_dir/$savefile"){ - debug(0, "Backup file $secfile_backup_dir/$savefile not found, error $!\n"); - } - } - } - return 1; -} - -sub reconfig_restore_secfiles -{ - # - # Restore security files - # - my $configdir = shift; - - if ( ! -d $secfile_backup_dir){ - $setup->msg($FATAL, 'error_accessing_secfile_backup', $secfile_backup_dir); - return 0; - } - foreach my $savefile (@reconfigsavefiles) { - move ("$secfile_backup_dir/$savefile" ,"$configdir/$savefile"); - debug(1, "Restoring $configdir/$savefile with $secfile_backup_dir/$savefile\n"); - } - rmdir ($secfile_backup_dir); - return 1; -} - -sub createAdminServer { - my $setup = shift; - my $reconfig = shift; - # setup has inf, res, and log - - if (!setDefaults($setup)) { - return 0; - } - - if (!checkRequiredParameters($setup)) { - return 0; - } - - my $configdir = $setup->{inf}->{admin}->{config_dir} || - $ENV{ADMSERV_CONF_DIR} || - $setup->{configdir} . "/admin-serv"; - - my $securitydir = $setup->{inf}->{admin}->{security_dir} || - $configdir; - - my $logdir = $setup->{inf}->{admin}->{log_dir} || - $ENV{ADMSERV_LOG_DIR} || - "/var/log/dirsrv/admin-serv"; - - my $rundir = $setup->{inf}->{admin}->{run_dir} || - $ENV{ADMSERV_PID_DIR} || - "/var/run/dirsrv"; - - if ($reconfig) { - $setup->msg('begin_reconfig_adminserver'); - if (!reconfig_backup_secfiles($configdir)) { - foreach my $savefile (@reconfigsavefiles) { - if (-e "$secfile_backup_dir/$savefile") { - move ("$secfile_backup_dir/$savefile" ,"$configdir/$savefile"); - debug(1, "Restoring $configdir/$savefile with $secfile_backup_dir/$savefile\n"); - } - } - return 0; - } - } else { - $setup->msg('begin_create_adminserver'); - } - - # if we're just doing the update, just register and return - if ($setup->{update}) { - if (!registerASWithConfigDS($setup, $configdir)) { - return 0; - } - - # Update SELinux policy if needed - updateSelinuxPolicy($setup, $configdir, $securitydir, $logdir, $rundir); - - # Restore the security files before we start 
the server - if ($reconfig) { - if (!reconfig_restore_secfiles($configdir)) { - return 0; - } - } - - return 1; - } - - if (!createASFilesAndDirs($setup, $configdir, $securitydir, $logdir, $rundir)) { - return 0; - } - - if (!makeConfFiles($setup, $configdir)) { - return 0; - } - - if (!registerASWithConfigDS($setup, $configdir)) { - return 0; - } - - $setup->msg('updating_httpconf'); - if (!updateHttpConfFiles($setup->{inf}->{admin}->{ServerIpAddress}, - $setup->{inf}->{admin}->{Port}, - $configdir, $setup->{asorigport})) { - $setup->msg($FATAL, 'error_updating_httpconf'); - return 0; - } - - if (!setFileOwnerPerms($setup, $configdir)) { - return 0; - } - - # Update SELinux policy if needed - updateSelinuxPolicy($setup, $configdir, $securitydir, $logdir, $rundir); - - # Restore the security files before we start the server - if ($reconfig) { - if (!reconfig_restore_secfiles($configdir)) { - return 0; - } - } - - if (!startAdminServer($setup, $configdir, $logdir, $rundir)) { - return 0; - } - - # Force to make log files owned by admin user and group - # to maintain consistency with the log files created via CGI/Console - my $uid = getpwnam $setup->{inf}->{admin}->{SysUser}; - my $gid = getgrnam $setup->{inf}->{General}->{SuiteSpotGroup}; - # chown log files appropriately - for (glob("$logdir/*")) { - $! = 0; # clear errno - debug(1, "Changing the owner of $_ to \($uid, $gid\)\n"); - chown $uid, $gid, $_; - if ($!) { - $setup->msg($FATAL, 'error_chowning_file', $_, - $admConf->{sysuser}, $!); - return 0; - } - } - - if ($reconfig) { - $setup->msg('end_reconfig_adminserver'); - } else { - $setup->msg('end_create_adminserver'); - } - return 1; -} - -sub reconfigAdminServer { - my $setup = shift; - return createAdminServer($setup, 1); -} - -sub stopAdminServer { - my $prog = "/usr/sbin/stop-ds-admin"; - if ("") { - $prog = "service dirsrv-admin stop"; - } elsif ("/usr/lib/systemd/system") { - $prog = "/bin/systemctl stop dirsrv-admin.service"; - } elsif (! 
-x $prog) { - debug(1, "stopping admin server: no such program $prog: cannot stop server\n"); - return 0; - } - $? = 0; - # run the stop command - my $output = `$prog 2>&1`; - my $status = $?; - debug(3, "stopping admin server returns status $status: output $output\n"); - if ($status) { - # Ignore the stop failure - debug(1,"Warning: Could not stop admin server: status $status: output $output\n"); - return 1; - } - - debug(1, "Successfully stopped admin server\n"); - return 1; -} - -sub removeAdminServer { - my $baseconfigdir = shift; - my $force = shift; - my $all = shift; - if (!stopAdminServer()) { - if ($force) { - debug(1, "Warning: Could not stop admin server - forcing continue\n"); - } else { - debug(1, "Error: Could not stop admin server - aborting - use -f flag to force removal\n"); - return ( [ 'error_stopping_adminserver', $! ] ); - } - } - - my $configdir = $ENV{ADMSERV_CONF_DIR} || $baseconfigdir . "/admin-serv"; - - my $securitydir = $configdir; - - my $logdir = $ENV{ADMSERV_LOG_DIR} || "/var/log/dirsrv/admin-serv"; - - my $rundir = $ENV{ADMSERV_PID_DIR} || "/var/run/dirsrv"; - - # Need to unlabel the port if we're using SELinux. - if (usingSELinux()) { - my $port; - - # Read the console.conf file to find the port number. - if (!open(CONSOLECONF, "$configdir/console.conf")) { - if ($force) { - debug(1, "Warning: Could not open $configdir/console.conf: $!"); - } else { - debug(1, "Error: Could not open $configdir/console.conf: $!"); - return( [ 'error_reading_conffile', "$configdir/console.conf", $! ] ); - } - } else { - # Find the Listen directive and read the port number. - while () { - if (/^Listen /g) { - # The port is after the last ':' - my @listenline = split(/:/); - $port = $listenline[-1]; - } - } - close(CONSOLECONF); - } - - if (!$port) { - if ($force) { - debug(1, "Warning: Could not determine port number - forcing continue\n"); - debug(1, "Warning: Port not removed from selinux policy correctly. 
Remove label manually using semanage.\n"); - } else { - debug(1, "Error: Could not determine port number - aborting - use -f flag to force removal\n"); - return ( [ 'error_reading_port' ] ); - } - } else { - # Attempt to remove the http_port_t label from the port used by Admin Server. - my $semanage_err = `semanage port -d -t http_port_t -p tcp $port 2>&1`; - if ($? != 0) { - if ($semanage_err !~ /defined in policy, cannot be deleted/) { - debug(1, "Warning: Port $port not removed from selinux policy correctly. Error: $semanage_err\n"); - if (!$force) { - return( [ 'error_removing_port_label', $port, $semanage_err ] ); - } - } - } - } - - # turn off the switch to allow admin server to connect to the ldap port - $? = 0; # clear error - - my $cmd = "getsebool httpd_can_connect_ldap"; - my $output = `$cmd 2>&1`; - chomp($output); - if ($output =~ /Error getting active value for httpd_can_connect_ldap/) { - # this version of selinux does not support the boolean value - debug(1, "This version of selinux does not support httpd_can_connect_ldap\n"); - } elsif ($?) { - $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!); - } elsif ($output =~ /on$/) { - $cmd = "setsebool -P httpd_can_connect_ldap off"; - $? = 0; # clear error - $output = `$cmd 2>&1`; - chomp($output); - if ($?) { - $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!); - } else { - debug(1, "$cmd was successful\n"); - } - } else { - debug(1, "selinux boolean httpd_can_connect_ldap is already off - $output\n"); - } - } - - # remove admin server files in $rundir - my $file; - for $file (glob("$rundir/admin-serv.*")) { - unlink($file); - } - - # remove admin server log dir - if ($logdir =~ /admin-serv/) { # make sure directory has admin-serv in it somewhere - if (!rmtree($logdir)) { - debug(1, "Warning: Could not remove directory $logdir: $!\n"); - if (!$force) { - return ( [ 'error_removing_path', $logdir, $! 
] ); - } - } - } - - # remove config files - my @savefiles = (@savesecfiles, @saveconffiles); # save security and conf files by default - if ($all) { - @savefiles = @saveconffiles; # $all means remove everything, except the files in rpm. - } - if (opendir(CONFDIR, $configdir)) { - while ($file = readdir(CONFDIR)) { - next if ($file eq '.' || $file eq '..'); - if (-d "$configdir/$file") { - debug(1, "Skipping directory $configdir/$file - remove manually\n"); - next; - } - if (grep /^$file$/, @savefiles) { - debug(1, "saving file $configdir/$file\n"); - } else { - debug(1, "removing file $configdir/$file\n"); - unlink("$configdir/$file"); - } - } - closedir(CONFDIR); - # restore original conf files - foreach my $savefile (@saveconffiles) { - if (-f "$configdir/bakup/$savefile") { - if (system ("mv $configdir/bakup/$savefile $configdir")) { - debug(0, "Error Restoring $configdir/$savefile failed: $!"); - } - } - } - # Clean up the bakup dir - system ("rm -rf $configdir/bakup"); - } else { - debug(1, "Error: could not read config files in $configdir: $!"); - if (!$force) { - return ( [ 'error_removing_path', $configdir, $! ] ); - } - } - - return; -} - -sub updateSelinuxPolicy { - my $setup = shift; - my $configdir = shift; - my $securitydir = shift; - my $logdir = shift; - my $rundir = shift; - - # if selinux is not available, do nothing - if (usingSELinux()) { - # run restorecon on all directories we created - system("restorecon -R $configdir $securitydir $logdir $rundir"); - - # Label the selected port as http_port_t. 
- if ($setup->{inf}->{admin}->{Port}) { - my $need_label = 1; - - # check if the port is already labeled properly - my $portline = `semanage port -l | grep http_port_t | grep tcp`; - chomp($portline); - $portline =~ s/http_port_t\s+tcp\s+//g; - my @labeledports = split(/,\s+/, $portline); - foreach my $labeledport (@labeledports) { - if ($setup->{inf}->{admin}->{Port} == $labeledport) { - $need_label = 0; - last; - } - } - - if ($need_label == 1) { - system("semanage port -a -t http_port_t -p tcp $setup->{inf}->{admin}->{Port}"); - } - } - - # turn on the switch to allow admin server to connect to the ldap port - $? = 0; # clear error - - my $cmd = "getsebool httpd_can_connect_ldap"; - my $output = `$cmd 2>&1`; - chomp($output); - if ($output =~ /Error getting active value for httpd_can_connect_ldap/) { - # this version of selinux does not support the boolean value - debug(1, "This version of selinux does not support httpd_can_connect_ldap\n"); - } elsif ($?) { - $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!); - } elsif ($output =~ /off$/) { - $cmd = "setsebool -P httpd_can_connect_ldap on"; - $? = 0; # clear error - $output = `$cmd 2>&1`; - chomp($output); - if ($?) { - $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!); - } else { - debug(1, "$cmd was successful\n"); - } - } else { - debug(1, "selinux boolean httpd_can_connect_ldap is already on - $output\n"); - } - } -} - -sub libpath_add { - my $libpath = shift; - - if ($libpath) { - if ($ENV{'LD_LIBRARY_PATH'}) { - $ENV{'LD_LIBRARY_PATH'} = "$ENV{'LD_LIBRARY_PATH'}:$libpath"; - } else { - $ENV{'LD_LIBRARY_PATH'} = "$libpath"; - } - } -} - -1; - -# emacs settings -# Local Variables: -# mode:perl -# indent-tabs-mode: nil -# tab-width: 4 -# End: \ No newline at end of file diff --git a/user_saml_shibboleth/ldap/DSCreate.pm b/user_saml_shibboleth/ldap/DSCreate.pm deleted file mode 100644 index 627a67cf..00000000 
--- a/user_saml_shibboleth/ldap/DSCreate.pm
+++ /dev/null
@@ -1,1570 +0,0 @@ -# BEGIN COPYRIGHT BLOCK -# Copyright (C) 2013 Red Hat, Inc. -# All rights reserved. -# -# License: GPL (version 3 or any later version). -# See LICENSE for details. -# END COPYRIGHT BLOCK -# - -########################### -# -# This perl module provides a way to create a new instance of -# directory server. -# -########################## - -package DSCreate; -use DSUtil; -use Inf; -use FileConn; -use Config; - -use Sys::Hostname; -# tempfiles -use File::Temp qw(tempfile tempdir); -use File::Path; -use File::Copy; -use File::Basename qw(basename dirname); -use POSIX qw(:errno_h); - -# load perldap -use Mozilla::LDAP::Conn; -use Mozilla::LDAP::Utils qw(normalizeDN); -use Mozilla::LDAP::API qw(ldap_explode_dn); -use Mozilla::LDAP::LDIF; - -use POSIX ":sys_wait_h"; - -use Exporter; -@ISA = qw(Exporter); -@EXPORT = qw(createDSInstance removeDSInstance setDefaults createInstanceScripts - makeOtherConfigFiles installSchema updateSelinuxPolicy updateTmpfilesDotD - get_initconfigdir updateSystemD makeDSDirs); -@EXPORT_OK = qw(createDSInstance removeDSInstance setDefaults createInstanceScripts - makeOtherConfigFiles installSchema updateSelinuxPolicy updateTmpfilesDotD - get_initconfigdir updateSystemD makeDSDirs); - -use strict; - -use SetupLog; - -sub get_initconfigdir { - my $prefix = shift; - - # determine initconfig_dir - if (getLogin eq 'root') { - return "$prefix/etc/sysconfig"; - } else { - return "$ENV{HOME}/.dirsrv"; - } -} - -sub checkPort { - my $inf = shift; - - # allow port 0 if ldapi is used - if ("1") { - if ($inf->{slapd}->{ldapifilepath} && - ($inf->{slapd}->{ServerPort} == 0)) { - return (); - } - } - - if ($inf->{slapd}->{ServerPort} !~ /^\d+$/) { - return ('error_port_invalid', $inf->{slapd}->{ServerPort}); - } - if (!portAvailable($inf->{slapd}->{ServerPort})) { - return ('error_port_available', $inf->{slapd}->{ServerPort}, $!); - } - - return (); -} - -# checks the parameters in $inf to make sure the supplied values -# are valid -# 
returns null if successful, or an error string for use with getText() -sub sanityCheckParams { - my $inf = shift; - my @errs = (); - - # if we don't need to start the server right away, we can skip the - # port number checks - if (!defined($inf->{slapd}->{start_server}) or - ($inf->{slapd}->{start_server} == 1)) { - - if (@errs = checkPort($inf)) { - return @errs; - } - } - - if($inf->{slapd}->{ServerIdentifier} eq "admin"){ - return ('error_reserved_serverid' ,"admin"); - } elsif (!isValidServerID($inf->{slapd}->{ServerIdentifier})) { - return ('error_invalid_serverid', $inf->{slapd}->{ServerIdentifier}); - } elsif (-d $inf->{slapd}->{config_dir}) { - return ('error_server_already_exists', $inf->{slapd}->{config_dir}); - } - - if (@errs = isValidUser($inf->{General}->{SuiteSpotUserID})) { - return @errs; - } - - if (@errs = isValidGroup($inf->{General}->{SuiteSpotGroup})) { - return @errs; - } - - if (!isValidDN($inf->{slapd}->{Suffix})) { - return ('dialog_dssuffix_error', $inf->{slapd}->{Suffix}); - } - - if (!isValidDN($inf->{slapd}->{RootDN})) { - return ('dialog_dsrootdn_error', $inf->{slapd}->{RootDN}); - } - - if ($inf->{slapd}->{RootDNPwd} =~ /^\{\w+\}.+/) { - debug(1, "The root password is already hashed - no checking will be performed\n"); - } elsif (length($inf->{slapd}->{RootDNPwd}) < 8) { - debug(0, "WARNING: The root password is less than 8 characters long. 
You should choose a longer one.\n"); - } - - $inf->{General}->{StrictHostCheck} = lc $inf->{General}->{StrictHostCheck}; - - if ("true" ne $inf->{General}->{StrictHostCheck} && "false" ne $inf->{General}->{StrictHostCheck}) { - debug(1, "StrictHostCheck is not a valid boolean"); - return ('error_invalid_boolean', $inf->{General}->{StrictHostCheck}); - } - - if ($inf->{General}->{StrictHostCheck} eq "true" ) { - if (@errs = checkHostname($inf->{General}->{FullMachineName}, 0)) { - debug(1, @errs); - return @errs; - } - } - - # We need to make sure this value is lowercase - $inf->{slapd}->{InstScriptsEnabled} = lc $inf->{slapd}->{InstScriptsEnabled}; - - if ("true" ne $inf->{slapd}->{InstScriptsEnabled} && "false" ne $inf->{slapd}->{InstScriptsEnabled}) { - debug(1, "InstScriptsEnabled is not a valid boolean"); - return ('error_invalid_boolean', $inf->{slapd}->{InstScriptsEnabled}); - } - - - return (); -} - -sub getMode { - my $inf = shift; - my $mode = shift; - my $rest = shift; - if (!$rest) { - $rest = "0"; - } - if (defined($inf->{General}->{SuiteSpotGroup})) { - $mode = "0" . $mode . $mode . $rest; - } else { - $mode = "0" . $mode . $rest . $rest; - } - - return oct($mode); -} - -# This is used to change the ownership and permissions of files and directories -# The mode is just a single digit octal number (e.g. 4 6 7) -# If there is a group, the ownership and permissions will allow group access -# otherwise, only the owner will be allowed access -sub changeOwnerMode { - my $inf = shift; - my $mode = shift; - my $it = shift; - my $gidonly = shift; - my $othermode = shift; - - my $uid = getpwnam $inf->{General}->{SuiteSpotUserID}; - my $gid = -1; # default to leave it alone - my $mode_string = ""; - - if (defined($inf->{General}->{SuiteSpotGroup})) { - $gid = getgrnam $inf->{General}->{SuiteSpotGroup}; - } - - $mode = getMode($inf, $mode, $othermode); - - $! = 0; # clear errno - chmod $mode, $it; - if ($!) 
{ - return ('error_chmoding_file', $it, $!); - } - - $mode_string = sprintf "%lo", $mode; - debug(1, "changeOwnerMode: changed mode of $it to $mode_string\n"); - - $! = 0; # clear errno - if ( $gidonly ) { - chown -1, $gid, $it; - } else { - chown $uid, $gid, $it; - } - if ($!) { - return ('error_chowning_file', $it, $inf->{General}->{SuiteSpotUserID}, $!); - } - - if ( $gidonly ) { - debug(1, "changeOwnerMode: changed group ownership of $it to group $gid\n"); - } else { - debug(1, "changeOwnerMode: changed ownership of $it to user $uid group $gid\n"); - } - - return (); -} - -sub makeDSDirs { - my $inf = shift; - my $verbose = ($DSUtil::debuglevel > 0); - my $mode = getMode($inf, 7); - my @errs; - - my @dsdirs = qw(config_dir schema_dir log_dir lock_dir run_dir tmp_dir cert_dir db_dir ldif_dir bak_dir); - if ($inf->{slapd}->{InstScriptsEnabled} eq "true") { - @dsdirs = qw(inst_dir config_dir schema_dir log_dir lock_dir run_dir tmp_dir cert_dir db_dir ldif_dir bak_dir); - } - - # These paths are owned by the SuiteSpotGroup - # This allows the admin server to run as a different, - # more privileged user than the directory server, but - # still allows the admin server to manage directory - # server files/dirs without being root - for my $kw (@dsdirs) { - my $dir = $inf->{slapd}->{$kw}; - @errs = makePaths($dir, $mode, $inf->{General}->{SuiteSpotUserID}, - $inf->{General}->{SuiteSpotGroup}); - if (@errs) { - return @errs; - } - } - # run_dir is a special case because it is usually shared among - # all instances and the admin server - # all instances must be able to write to it - # if the SuiteSpotUserID is root or 0, we can just skip - # this because root will have access to it - we really - # shouldn't be using root anyway, primarily just for - # legacy migration support - # if there are two different user IDs that need access - # to this directory, then SuiteSpotGroup must be defined, - # and both users must be members of the SuiteSpotGroup - if 
(($inf->{General}->{SuiteSpotUserID} eq 'root') || - (defined($inf->{General}->{SuiteSpotUserID}) && - ($inf->{General}->{SuiteSpotUserID} =~ /^0$/))) { - # skip - debug(3, "Root user " . $inf->{General}->{SuiteSpotUserID} . " already has access to $inf->{slapd}->{run_dir} - skipping\n"); - } else { - my $dir = $inf->{slapd}->{run_dir}; - # rwx by user only, or by user & group if a group is defined. Also only change the group ownership. - @errs = changeOwnerMode($inf, 7, $dir, 1); - debug(3, "\t" . `/bin/ls -ld $dir`); - } - # set the group of the parent dir of config_dir and inst_dir - if (defined($inf->{General}->{SuiteSpotGroup})) { - for my $kw (qw(inst_dir config_dir)) { - my $dir = $inf->{slapd}->{$kw}; - my $parent = dirname($dir); - # changeOwnerMode(inf, mode, file, gidonly, othermode); - @errs = changeOwnerMode($inf, 7, $parent, 1, 5); - if (@errs) { - return @errs; - } - } - } - - return @errs; -} - -sub createInstanceScripts { - my $inf = shift; - my $skip = shift; - my $perlexec = "/usr/bin/perl" || "/usr/bin/env perl"; - my $myperl = "!$perlexec"; - my $mydevnull = (-c "/dev/null" ? " /dev/null " : " NUL "); - - # If we have InstScriptsEnabled, we likely have setup.inf or the argument. - # However, during an upgrade, we need to know if we should upgrade the template files or not. - # For now, the easiest way is to check to if the directory exists, and if is does, we assume we want to upgrade / create the updated scripts. 
- if ($inf->{slapd}->{InstScriptsEnabled} eq "true" || -d $inf->{slapd}->{inst_dir} ) { - debug(1, "Creating or updating instance directory scripts\n"); - # determine initconfig_dir - my $initconfig_dir = $inf->{slapd}->{initconfig_dir} || get_initconfigdir($inf->{General}->{prefix}); - - my %maptable = ( - "DS-ROOT" => $inf->{General}->{prefix}, - "SEP" => "/", # works on all platforms - "SERVER-NAME" => $inf->{General}->{FullMachineName}, - "SERVER-PORT" => $inf->{slapd}->{ServerPort}, - "PERL-EXEC" => $myperl, - "DEV-NULL" => $mydevnull, - "ROOT-DN" => $inf->{slapd}->{RootDN}, - "LDIF-DIR" => $inf->{slapd}->{ldif_dir}, - "SERV-ID" => $inf->{slapd}->{ServerIdentifier}, - "BAK-DIR" => $inf->{slapd}->{bak_dir}, - "SERVER-DIR" => $inf->{General}->{ServerRoot}, - "CONFIG-DIR" => $inf->{slapd}->{config_dir}, - "INITCONFIG-DIR" => $initconfig_dir, - "INST-DIR" => $inf->{slapd}->{inst_dir}, - "RUN-DIR" => $inf->{slapd}->{run_dir}, - "PRODUCT-NAME" => "slapd", - "SERVERBIN-DIR" => $inf->{slapd}->{sbindir}, - "DB-DIR" => $inf->{slapd}->{db_dir} - ); - - - my $dir = "$inf->{General}->{prefix}/usr/share/dirsrv/script-templates"; - for my $file (glob("$dir/template-*")) { - my $basename = $file; - $basename =~ s/^.*template-//; - my $destfile = "$inf->{slapd}->{inst_dir}/$basename"; - debug(1, "$destfile\n"); - - next if ($skip and -f $destfile); # in skip mode, skip files that already exist - - if (!open(SRC, "< $file")) { - return ("error_opening_scripttmpl", $file, $!); - } - if (!open(DEST, "> $destfile")) { - return ("error_opening_scripttmpl", $destfile, $!); - } - my $contents; # slurp entire file into memory - read SRC, $contents, int(-s $file); - close(SRC); - while (my ($key, $val) = each %maptable) { - $contents =~ s/\{\{$key\}\}/$val/g; - } - print DEST $contents; - close(DEST); - my @errs = changeOwnerMode($inf, 5, $destfile); - if (@errs) { - return @errs; - } - } - } else { - debug(1, "No instance directory scripts will be updated or created\n"); - } - - 
return (); -} - -sub createConfigFile { - my $inf = shift; - my $conffile = "$inf->{slapd}->{config_dir}/dse.ldif"; - my $conn = new FileConn; - my @errs; - - # first, create the basic config - my $mapper = new Inf("$inf->{General}->{prefix}/usr/share/dirsrv/inf/dscreate.map"); - my $dsinf = new Inf("$inf->{General}->{prefix}/usr/share/dirsrv/inf/slapd.inf"); - if (!$inf->{slapd}->{ds_bename}) { - $inf->{slapd}->{ds_bename} = "userRoot"; # for suffix-db - } - $mapper = process_maptbl($mapper, \@errs, $inf, $dsinf); - if (!$mapper or @errs) { - $conn->close(); - if (!@errs) { - @errs = ('error_creating_file', $conffile, $!); - } - return @errs; - } - - my @ldiffiles = ("$inf->{General}->{prefix}/usr/share/dirsrv/data/template-dse.ldif", - "$inf->{General}->{prefix}/usr/share/dirsrv/data/template-suffix-db.ldif", - "$inf->{General}->{prefix}/usr/share/dirsrv/data/template-sasl.ldif"); - if ("1") { - push @ldiffiles, "$inf->{General}->{prefix}/usr/share/dirsrv/data/template-pampta.ldif"; - } - if ("1") { - push @ldiffiles, "$inf->{General}->{prefix}/usr/share/dirsrv/data/template-bitwise.ldif"; - } - if ("1") { - push @ldiffiles, "$inf->{General}->{prefix}/usr/share/dirsrv/data/template-dnaplugin.ldif"; - } - if (-f "$inf->{General}->{prefix}/usr/share/dirsrv/updates/50replication-plugins.ldif") { - push @ldiffiles, "$inf->{General}->{prefix}/usr/share/dirsrv/updates/50replication-plugins.ldif"; - } - if (-f "$inf->{General}->{prefix}/usr/share/dirsrv/updates/50posix-winsync-plugin.ldif") { - push @ldiffiles, "$inf->{General}->{prefix}/usr/share/dirsrv/updates/50posix-winsync-plugin.ldif"; - } - - if (-f "$inf->{General}->{prefix}/usr/share/dirsrv/data/90betxn-plugins.ldif") { - push @ldiffiles, "$inf->{General}->{prefix}/usr/share/dirsrv/data/90betxn-plugins.ldif"; - } - - # additional configuration LDIF files - if (exists($inf->{slapd}->{ConfigFile})) { - if (ref($inf->{slapd}->{ConfigFile})) { - push @ldiffiles, @{$inf->{slapd}->{ConfigFile}}; - } else { - push 
@ldiffiles, $inf->{slapd}->{ConfigFile}; - } - } - - getMappedEntries($mapper, \@ldiffiles, \@errs, \&check_and_add_entry, - [$conn]); - - if (@errs) { - $conn->close(); - return @errs; - } - - if ("1") { - my $ent = $conn->search("cn=config", "base", "(objectclass=*)"); - if (defined($inf->{slapd}->{ldapifilepath})) { - $ent->setValues("nsslapd-ldapifilepath", $inf->{slapd}->{ldapifilepath}); - $ent->setValues("nsslapd-ldapilisten", "on"); - } else { - my $parent = dirname($inf->{slapd}->{run_dir}); - $ent->setValues("nsslapd-ldapifilepath", - "$parent/slapd-$inf->{slapd}->{ServerIdentifier}.socket"); - $ent->setValues("nsslapd-ldapilisten", "off"); - } - if ("1") { - $ent->setValues("nsslapd-ldapiautobind", "off"); - $ent->setValues("nsslapd-ldapimaprootdn", $inf->{slapd}->{RootDN}); - $ent->setValues("nsslapd-ldapimaptoentries", "off"); - $ent->setValues("nsslapd-ldapiuidnumbertype", "uidNumber"); - $ent->setValues("nsslapd-ldapigidnumbertype", "gidNumber"); - $ent->setValues("nsslapd-ldapientrysearchbase", $inf->{slapd}->{Suffix}); - if ("") { - $ent->setValues("nsslapd-ldapiautodnsuffix", "cn=peercred,cn=external,cn=auth"); - } - } - $ent->setValues("nsslapd-defaultNamingContext", $inf->{slapd}->{Suffix}); - if (!$conn->update($ent)) { - $conn->close(); - return ("error_enabling_feature", "ldapi", $conn->getErrorString()); - } - } - - if ($inf->{slapd}->{sasl_path}) { - my $ent = $conn->search("cn=config", "base", "(objectclass=*)"); - $ent->setValues("nsslapd-saslpath", $inf->{slapd}->{sasl_path}); - if (!$conn->update($ent)) { - $conn->close(); - return ("error_enabling_feature", "sasl_path", $conn->getErrorString()); - } - } - - if (!$conn->write($conffile)) { - $conn->close(); - return ("error_writing_ldif", $conffile, $!); - } - $conn->close(); - - if (@errs = changeOwnerMode($inf, 6, $conffile)) { - return @errs; - } - # make a copy - my $origconf = "$inf->{slapd}->{config_dir}/dse_original.ldif"; - $! 
= 0; # clear errno - copy($conffile, $origconf); - if ($!) { - return ('error_copying_file', $conffile, $origconf, $!); - } - if (@errs = changeOwnerMode($inf, 4, $origconf)) { - return @errs; - } - - return @errs; -} - -sub makeOtherConfigFiles { - my $inf = shift; - my $skip = shift; - my @errs; - my %maptable = ( - "DS-ROOT" => $inf->{General}->{prefix}, - "SERVER-DIR" => $inf->{General}->{ServerRoot}, - "CONFIG-DIR" => $inf->{slapd}->{config_dir}, - "INST-DIR" => $inf->{slapd}->{inst_dir}, - "RUN-DIR" => $inf->{slapd}->{run_dir}, - "PRODUCT-NAME" => "slapd", - "SERVERBIN-DIR" => $inf->{slapd}->{sbindir}, - ); - - # install certmap.conf at - my $src = "$inf->{General}->{prefix}/etc/dirsrv/config/certmap.conf"; - my $dest = "$inf->{slapd}->{config_dir}/certmap.conf"; - $! = 0; # clear errno - - #in skip mode, skip files that already exist - unless ($skip and -f $dest) { - copy($src, $dest); - if ($!) { - return ('error_copying_file', $src, $dest, $!); - } - if (@errs = changeOwnerMode($inf, 4, $dest)) { - return @errs; - } - } - - $src = "$inf->{General}->{prefix}/etc/dirsrv/config/slapd-collations.conf"; - $dest = "$inf->{slapd}->{config_dir}/slapd-collations.conf"; - - $! = 0; # clear errno - - #in skip mode, skip files that already exist - unless ($skip and -f $dest) { - copy($src, $dest); - if ($!) { - return ('error_copying_file', $src, $dest, $!); - } - if (@errs = changeOwnerMode($inf, 4, $dest)) { - return @errs; - } - } - - # determine initconfig_dir - my $initconfig_dir = $inf->{slapd}->{initconfig_dir} || get_initconfigdir($inf->{General}->{prefix}); - - # install instance specific initconfig script - $src = "$inf->{General}->{prefix}/etc/dirsrv/config/template-initconfig"; - $dest = "$initconfig_dir/dirsrv-$inf->{slapd}->{ServerIdentifier}"; - - $! 
= 0; # clear errno - - # in skip mode, skip files that already exist - unless ($skip and -f $dest) { - if (!open(SRC, "< $src")) { - return ("error_opening_scripttmpl", $src, $!); - } - if (!open(DEST, "> $dest")) { - return ("error_opening_scripttmpl", $dest, $!); - } - my $contents; # slurp entire file into memory - read SRC, $contents, int(-s $src); - close(SRC); - while (my ($key, $val) = each %maptable) { - $contents =~ s/\{\{$key\}\}/$val/g; - } - print DEST $contents; - close(DEST); - if (@errs = changeOwnerMode($inf, 4, $dest)) { - return @errs; - } - } - - return (); -} - -sub installSchema { - my $inf = shift; - my $skip = shift; - my @errs; - my @schemafiles = (); - if (!defined($inf->{slapd}->{install_full_schema}) or - $inf->{slapd}->{install_full_schema}) { - push @schemafiles, glob("$inf->{General}->{prefix}/etc/dirsrv/schema/*"); - } else { - push @schemafiles, "$inf->{General}->{prefix}/etc/dirsrv/schema/00core.ldif", - "$inf->{General}->{prefix}/etc/dirsrv/schema/01core389.ldif"; - } - - # additional schema files - if (exists($inf->{slapd}->{SchemaFile})) { - if (ref($inf->{slapd}->{SchemaFile})) { - push @schemafiles, @{$inf->{slapd}->{SchemaFile}}; - } else { - push @schemafiles, $inf->{slapd}->{SchemaFile}; - } - } - for my $file (@schemafiles) { - my $src = $file; - my $basename = basename($src); - my $dest = "$inf->{slapd}->{schema_dir}/$basename"; - - next if ($skip and -f $dest); # skip files that already exist - - $! = 0; # clear errno - copy($src, $dest); - if ($!) 
{ - return ('error_copying_file', $src, $dest, $!); - } - my $mode = 4; # default read only - if ($basename eq "99user.ldif") { - $mode = 6; # read write - } - if (@errs = changeOwnerMode($inf, $mode, $dest)) { - return @errs; - } - } - - return (); -} - -# maps the suffix attr to the filename to use -my %suffixTable = ( - 'o' => "/usr/share/dirsrv/data/template-org.ldif", - 'dc' => "/usr/share/dirsrv/data/template-domain.ldif", - 'ou' => "/usr/share/dirsrv/data/template-orgunit.ldif", - 'st' => "/usr/share/dirsrv/data/template-state.ldif", - 'l' => "/usr/share/dirsrv/data/template-locality.ldif", - 'c' => "/usr/share/dirsrv/data/template-country.ldif" -); - -sub initDatabase { - my $inf = shift; - my $istempldif = 0; - # If the user has specified an LDIF file to use to initialize the database, - # load it now - my $ldiffile = $inf->{slapd}->{InstallLdifFile}; - if ($ldiffile =~ /none/i) { - debug(1, "No ldif file or org entries specified - no initial database will be created\n"); - return (); - } elsif ($ldiffile && ($ldiffile !~ /suggest/i)) { - debug(1, "Loading initial ldif file $ldiffile\n"); - if (! -r $ldiffile) { - return ('error_opening_init_ldif', $ldiffile); - } - } elsif (($inf->{slapd}->{Suffix} =~ /^(.*?)=/) && $suffixTable{$1}) { - my @errs; - my $template = $inf->{General}->{prefix} . 
$suffixTable{$1}; - my $mapper = new Inf("$inf->{General}->{prefix}/usr/share/dirsrv/inf/dsorgentries.map"); - my $dsinf = new Inf("$inf->{General}->{prefix}/usr/share/dirsrv/inf/slapd.inf"); - my @rdns = ldap_explode_dn($inf->{slapd}->{Suffix}, 1); - $inf->{slapd}->{naming_value} = $rdns[0]; - $mapper = process_maptbl($mapper, \@errs, $inf, $dsinf); - if (!$mapper or @errs) { - return @errs; - } - - my @ldiffiles = ($template, "$inf->{General}->{prefix}/usr/share/dirsrv/data/template-baseacis.ldif"); - # default is to create org entries unless explicitly set to none - if (!exists($inf->{slapd}->{InstallLdifFile}) or - ($inf->{slapd}->{InstallLdifFile} =~ /suggest/i)) { - push @ldiffiles, "$inf->{General}->{prefix}/usr/share/dirsrv/data/template.ldif"; - } - - my ($fh, $templdif) = tempfile("ldifXXXXXX", SUFFIX => ".ldif", OPEN => 0, - DIR => File::Spec->tmpdir); - if (!$templdif) { - return ('error_creating_templdif', $!); - } - my $conn = new FileConn; - $conn->setNamingContext($inf->{slapd}->{Suffix}); - getMappedEntries($mapper, \@ldiffiles, \@errs, \&check_and_add_entry, - [$conn]); - if (@errs) { - $conn->close(); - return @errs; - } - if (!$conn->write($templdif)) { - $conn->close(); - return ('error_writing_ldif', $templdif, $!); - } - $conn->close(); - if (@errs) { - return @errs; - } - if (@errs = changeOwnerMode($inf, 4, $templdif)) { - unlink($ldiffile); - return @errs; - } - # $templdif now contains the ldif to import - $ldiffile = $templdif; - $istempldif = 1; - } - if (!$ldiffile) { - return (); - } - - my $cmd = "$inf->{slapd}->{sbindir}/ldif2db -Z $inf->{slapd}->{ServerIdentifier} -n $inf->{slapd}->{ds_bename} -i \'$ldiffile\'"; - $? 
= 0; # clear error condition - my $output = `$cmd 2>&1`; - my $result = $?; - if ($istempldif) { - unlink($ldiffile); - } - if ($result) { - return ('error_importing_ldif', $ldiffile, $result, $output); - } - - debug(1, $output); - - return (); -} - -sub startServer { - my $inf = shift; - return () if (defined($inf->{slapd}->{start_server}) && !$inf->{slapd}->{start_server}); - - my @errs; - # get error log - my $errLog = "$inf->{slapd}->{log_dir}/errors"; - my $startcmd = "/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && sleep 3"; - if ("/usr/lib/systemd/system" and (getLogin() eq 'root')) { - $startcmd = "/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && sleep 3"; - } - - # emulate tail -f - # if the last line we see does not contain "slapd started", try again - my $done = 0; - my $started = 0; - my $code = 0; - my $lastLine = ""; - my $cmdPat = 'slapd started\.'; - my $timeout = $inf->{slapd}->{startup_timeout}; - - $timeout = $timeout?$timeout:600; # default is 10 minutes - $timeout = time + $timeout; - - debug(1, "Starting the server: $startcmd\n"); - - # We have to do this because docker is incapable of sane process management - # Sadly we have to sacrifice output collection, because of perl issues - my $cpid = open(my $output, "-|", "$startcmd 2>&1"); - my $code = -512; - if ($cpid) { - # Parent process - waitpid($cpid,0); - $code = $?; - } - close($output); - if ($code) { - debug(0, "Process returned $code\n"); - } else { - debug(1, "Process returned $code\n"); - } - - # try to open the server error log - my $ii = 0; - while (time < $timeout) { - if (open(IN, $errLog)) { - last; - } - sleep(1); - if (!($ii % 10)) { - debug(0, "Attempting to obtain server status . . .\n"); - } - ++$ii; - } - - if (! -f $errLog) { - debug(0, "Error: Could not read error log $errLog to get server startup status. 
Error: $!\n"); - return ('error_starting_server', $startcmd, "no status", $!); - } - if (time >= $timeout) { - debug(0, "Error: timed out waiting for the server to start and write to $errLog"); - return ('error_starting_server', $startcmd, "timeout", 0); - } - - my $pos = tell(IN); - my $line; - while (($done == 0) && (time < $timeout)) { - for (; ($done == 0) && ($line = ); $pos = tell(IN)) { - $lastLine = $line; - debug(1, $line); - if ($line =~ /$cmdPat/) { - $done = 1; - $started = 1; - } elsif ($line =~ /Initialization Failed/) { - debug(1, "Server failed to start, retrying . . .\n"); - $code = system($startcmd); - } elsif ($line =~ /exiting\./) { - debug(1, "Server failed to start, retrying . . .\n"); - $code = system($startcmd); - } - } - if ($lastLine =~ /PR_Bind/) { - # server port conflicts with another one, just report and punt - debug(0, $lastLine); - @errs = ('error_port_available', $inf->{slapd}->{ServerPort}, $!); - $done = 1; - } - if ($done == 0) { - # rest a bit, then . . . - sleep(2); - # . . . reset the EOF status of the file desc - seek(IN, $pos, 0); - } - } - close(IN); - - if (!$started) { - $! = $code; - my $now = time; - if ($now > $timeout) { - debug(0, "Possible timeout starting server: timeout=$timeout now=$now\n"); - } - @errs = ('error_starting_server', $startcmd, $lastLine, $!); - } else { - debug(1, "Your new directory server has been started.\n"); - } - - return @errs; -} - -sub set_path_attribute { - my $val = shift; - my $defaultval = shift; - my $prefix = shift; - - if ($val) { - return "$prefix" . "$val"; - } else { - return "$prefix" . "$defaultval"; - } -} - -sub set_localrundir { - my $val = shift; - my $prefix = shift; - - if ($val) { - return "$prefix" . 
"$val"; - } else { - return ""; - } -} - -sub setDefaults { - my $inf = shift; - # set default values - - # this turns off the warnings - if (!defined($inf->{General}->{prefix})) { - $inf->{General}->{prefix} = ""; - } - - if (!$inf->{General}->{FullMachineName}) { - $inf->{General}->{FullMachineName} = hostname(); - } - - if (!$inf->{General}->{SuiteSpotUserID}) { - if ($> != 0) { # if not root, use the user's uid - $inf->{General}->{SuiteSpotUserID} = getLogin; - } else { - return('error_missing_userid'); - } - } - - if (!$inf->{General}->{SuiteSpotGroup}) { - # If the group wasn't specified, use the primary group - # of the SuiteSpot user - $inf->{General}->{SuiteSpotGroup} = getGroup($inf->{General}->{SuiteSpotUserID}); - } - - if (!$inf->{slapd}->{RootDN}) { - $inf->{slapd}->{RootDN} = "cn=Directory Manager"; - } - - if (!$inf->{slapd}->{Suffix}) { - my $suffix = $inf->{General}->{FullMachineName}; - # convert fqdn to dc= domain components - $suffix =~ s/^[^\.]*\.//; # just the domain part - $suffix = "dc=$suffix"; - $suffix =~ s/\./,dc=/g; - $inf->{slapd}->{Suffix} = $suffix; - } - $inf->{slapd}->{Suffix} = normalizeDN($inf->{slapd}->{Suffix}); - - if (!$inf->{slapd}->{ServerIdentifier}) { - my $servid = $inf->{General}->{FullMachineName}; - # strip out the leftmost domain component - $servid =~ s/\..*$//; - $inf->{slapd}->{ServerIdentifier} = $servid; - } - - if ("") { - $inf->{General}->{ServerRoot} = "$inf->{General}->{prefix}/opt/dirsrv"; - } else { - $inf->{General}->{ServerRoot} = "$inf->{General}->{prefix}/usr/lib64/dirsrv"; - } - - if (!defined($inf->{slapd}->{sasl_path})) { - if ($Config{'osname'} ne "linux") { - $inf->{slapd}->{sasl_path} = "$inf->{General}->{prefix}/usr/lib64/sasl2"; - } - } - - if (!defined($inf->{slapd}->{ServerPort}) and - !defined($inf->{slapd}->{ldapifilepath})) { - if ("1") { - return ('error_missing_port_and_ldapi'); - } else { - return ('error_missing_port'); - } - } - - if (!defined($inf->{slapd}->{ServerPort})) { - 
$inf->{slapd}->{ServerPort} = 0; - } - - $inf->{slapd}->{HashedRootDNPwd} = getHashedPassword($inf->{slapd}->{RootDNPwd}); - - $inf->{slapd}->{localstatedir} = set_path_attribute($inf->{slapd}->{localstatedir}, - "/var", - $inf->{General}->{prefix}); - my $localstatedir = $inf->{slapd}->{localstatedir}; - my $servid = $inf->{slapd}->{ServerIdentifier}; - $inf->{slapd}->{sysconfdir} = set_path_attribute($inf->{slapd}->{sysconfdir}, - "/etc", - $inf->{General}->{prefix}); - my $sysconfdir = $inf->{slapd}->{sysconfdir}; - $inf->{slapd}->{bindir} = set_path_attribute($inf->{slapd}->{bindir}, - "/usr/bin", - $inf->{General}->{prefix}); - $inf->{slapd}->{sbindir} = set_path_attribute($inf->{slapd}->{sbindir}, - "/usr/sbin", - $inf->{General}->{prefix}); - $inf->{slapd}->{datadir} = set_path_attribute($inf->{slapd}->{datadir}, - "/usr/share", - $inf->{General}->{prefix}); - - if (!defined($inf->{slapd}->{InstScriptsEnabled})) { - $inf->{slapd}->{InstScriptsEnabled} = "true"; - } - - if (!defined($inf->{General}->{StrictHostCheck})) { - $inf->{General}->{StrictHostCheck} = "true"; - } - - if (!defined($inf->{slapd}->{inst_dir})) { - $inf->{slapd}->{inst_dir} = "$inf->{General}->{ServerRoot}/slapd-$servid"; - } - - if (!defined($inf->{slapd}->{config_dir})) { - $inf->{slapd}->{config_dir} = "$inf->{General}->{prefix}/etc/dirsrv/slapd-$servid"; - } - $ENV{DS_CONFIG_DIR} = $inf->{slapd}->{config_dir}; - - if (!defined($inf->{slapd}->{schema_dir})) { - $inf->{slapd}->{schema_dir} = "$sysconfdir/dirsrv/slapd-$servid/schema"; - } - - if (!defined($inf->{slapd}->{lock_dir})) { - if ("") { - $inf->{slapd}->{lock_dir} = "$localstatedir/dirsrv/slapd-$servid/lock"; - } else { - $inf->{slapd}->{lock_dir} = "$localstatedir/lock/dirsrv/slapd-$servid"; - } - } - - if (!defined($inf->{slapd}->{log_dir})) { - if ("") { - $inf->{slapd}->{log_dir} = "$localstatedir/dirsrv/slapd-$servid/log"; - } else { - $inf->{slapd}->{log_dir} = "$localstatedir/log/dirsrv/slapd-$servid"; - } - } - - if 
(!defined($inf->{slapd}->{run_dir})) { - if ("") { - $inf->{slapd}->{run_dir} = "$localstatedir/dirsrv/slapd-$servid/run"; - } else { - $inf->{slapd}->{run_dir} = "$localstatedir/run/dirsrv"; - } - } - $ENV{DS_RUN_DIR} = $inf->{slapd}->{run_dir}; - - if (!defined($inf->{slapd}->{db_dir})) { - if ("") { - $inf->{slapd}->{db_dir} = "$localstatedir/dirsrv/slapd-$servid/db"; - } else { - $inf->{slapd}->{db_dir} = "$localstatedir/lib/dirsrv/slapd-$servid/db"; - } - } - - if (!defined($inf->{slapd}->{bak_dir})) { - if ("") { - $inf->{slapd}->{bak_dir} = "$localstatedir/dirsrv/slapd-$servid/bak"; - } else { - $inf->{slapd}->{bak_dir} = "$localstatedir/lib/dirsrv/slapd-$servid/bak"; - } - } - $ENV{DS_BAK_DIR} = $inf->{slapd}->{bak_dir}; - - if (!defined($inf->{slapd}->{ldif_dir})) { - if ("") { - $inf->{slapd}->{ldif_dir} = "$localstatedir/dirsrv/slapd-$servid/ldif"; - } else { - $inf->{slapd}->{ldif_dir} = "$localstatedir/lib/dirsrv/slapd-$servid/ldif"; - } - } - - if (!defined($inf->{slapd}->{tmp_dir})) { - if ("") { - $inf->{slapd}->{tmp_dir} = "/tmp"; - } else { - $inf->{slapd}->{tmp_dir} = "/tmp"; - } - } - $ENV{DS_TMP_DIR} = $inf->{slapd}->{tmp_dir}; - - if (!defined($inf->{slapd}->{cert_dir})) { - $inf->{slapd}->{cert_dir} = $inf->{slapd}->{config_dir}; - } - - return (); -} - -sub updateSelinuxPolicy { - my $inf = shift; - my $mydevnull = (-c "/dev/null" ? " /dev/null " : " NUL "); - - # if selinux is not available, do nothing - # In perl, exit(1) is 256 from system. ds_selinux_enable returns 1 on true, 0 on false. 
- if ((getLogin() eq 'root') and "yes" and system("$inf->{slapd}->{sbindir}/ds_selinux_enabled") == 256 ) { - debug(1, "Selinux is enabled or permissive, fixing contexts\n"); - # -f "/usr/sbin/sestatus" and !system ("/usr/sbin/sestatus | egrep -i \"selinux status:\\s*enabled\" > $mydevnull 2>&1")) { - my $localstatedir = $inf->{slapd}->{localstatedir}; - - # run restorecon on all of the parent directories we - # may have created (this only happens if this is the - # first instance created). - if ("") { - system("restorecon -R $localstatedir/dirsrv"); - } else { - system("restorecon -R $localstatedir/lock/dirsrv"); - system("restorecon -R $localstatedir/log/dirsrv"); - system("restorecon -R $localstatedir/run/dirsrv"); - system("restorecon -R $localstatedir/lib/dirsrv"); - } - - my @inst_dirs = qw(config_dir schema_dir log_dir lock_dir run_dir tmp_dir cert_dir db_dir ldif_dir bak_dir); - if ($inf->{slapd}->{InstScriptsEnabled} eq "true") { - @inst_dirs = qw(inst_dir config_dir schema_dir log_dir lock_dir run_dir tmp_dir cert_dir db_dir ldif_dir bak_dir); - } - # run restorecon on all instance directories we created - for my $kw (@inst_dirs) { - my $dir = $inf->{slapd}->{$kw}; - system("restorecon -R $dir"); - } - - # label the selected port as ldap_port_t - # We should be doing this for secure port too ..... - if ($inf->{slapd}->{ServerPort} != 0) { - my $port_query_cmd = ("$inf->{slapd}->{sbindir}/ds_selinux_port_query $inf->{slapd}->{ServerPort} ldap_port_t 2> $mydevnull"); - my $need_label = 0; - my $result = system($port_query_cmd); - - # 0 is false, 1 is true. True means 'already in policy'. 
- if ($result == 0) { - debug(1, "Port $inf->{slapd}->{ServerPort} must be labeled as ldap_port_t \n"); - $need_label = 1; - } - if ($result == 512) { - $need_label = 0; - debug(0, "Port $inf->{slapd}->{ServerPort} already belongs to another selinux type.\n"); - debug(0, " The command below will show you the current type that owns the port.\n"); - debug(0, "sudo $inf->{slapd}->{sbindir}/ds_selinux_port_query $inf->{slapd}->{ServerPort} ldap_port_t\n"); - debug(0, " It is highly likely your server will fail to start ... \n"); - } - if ($result == 131072) { - $need_label = 0; - debug(0, "An error occured running ds_selinux_port_query. This is probably a bug\n"); - debug(0, "$port_query_cmd \n"); - } - - if ($need_label == 1) { - my $semanage_err; - my $rc; - # 60 is a bit excessive, we should fail faster. - my $retry = 2; - $ENV{LANG} = "C"; - while (($retry > 0) && ($semanage_err = `semanage port -a -t ldap_port_t -p tcp $inf->{slapd}->{ServerPort} 2>&1`) && ($rc = $?)) { - debug(1, "Adding port $inf->{slapd}->{ServerPort} to selinux policy failed - $semanage_err (return code: $rc, $retry attempts remain).\n"); - debug(1, "Retrying in 5 seconds\n"); - sleep(5); - $retry--; - } - if (0 == $retry) { - debug(1, "Adding port $inf->{slapd}->{ServerPort} to selinux policy failed - $semanage_err (return code: $rc).\n"); - debug(1, "Reached time limit.\n"); - } - } - } - } -} - -sub updateTmpfilesDotD { - my $inf = shift; - my $dir = "/etc/tmpfiles.d"; - my $rundir; - my $lockdir; - my $parentdir; - - # if tmpfiles.d is not available, do nothing - if ((getLogin() eq 'root') and $dir and -d $dir) { - my $filename = "$dir/dirsrv-$inf->{slapd}->{ServerIdentifier}.conf"; - if (-f $filename) { - debug(3, "Removing the old tmpfile: $filename\n"); - if (!unlink($filename)){ - debug(1, "Can not delete old tmpfile $filename ($!)\n"); - return(); - } - } - debug(3, "Creating $filename\n"); - my $username = ""; - my $groupname = ""; - my $conffile = 
"$inf->{slapd}->{config_dir}/dse.ldif"; - # use the owner:group from the dse.ldif for the instance - if (-f $conffile) { - my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size, - $atime,$mtime,$ctime,$blksize,$blocks) - = stat(_); - $username = getpwuid($uid); - if (!$username) { - debug(1, "Error: could not get username from uid $uid\n"); - } - $groupname = getgrgid($gid); - } - # else, see if we were passed in values to use - if (!$username) { - $username = $inf->{General}->{SuiteSpotUserID}; - } - if (!$groupname) { - if (defined($inf->{General}->{SuiteSpotGroup})) { - $groupname = $inf->{General}->{SuiteSpotGroup}; - } else { # $groupname - $groupname = "-"; # use default - } - } - if (!open(DOTDFILE, ">$filename")) { - return ( [ 'error_creating_file', $filename, $! ] ); - } - # Type Path Mode UID GID Age - # d /var/run/user 0755 root root 10d - # we don't use age - my $localrundir = set_localrundir("/run", $inf->{General}->{prefix}); - if( $localrundir ne "" && -d "$localrundir"){ - $rundir = "$localrundir/dirsrv"; - $lockdir = "$localrundir/lock/dirsrv/slapd-$inf->{slapd}->{ServerIdentifier}"; - $parentdir = "$localrundir/lock/dirsrv"; - } else { - $rundir = $inf->{slapd}->{run_dir}; - $lockdir = $inf->{slapd}->{lock_dir}; - $parentdir = dirname($inf->{slapd}->{lock_dir}); - } - print DOTDFILE "d $rundir 0770 $username $groupname\n"; - print DOTDFILE "d $parentdir 0770 $username $groupname\n"; - print DOTDFILE "d $lockdir 0770 $username $groupname\n"; - - close DOTDFILE; - } else { - debug(3, "no tmpfiles.d - skipping\n"); - } - - return (); -} - -sub updateSystemD { - my $noservicelink = shift; - my $inf = shift; - my $unitdir = "/usr/lib/systemd/system"; - my $confbasedir = "/etc/systemd/system"; - my $confdir = "$confbasedir/dirsrv.target.wants"; - - if ((getLogin() ne 'root') or !$unitdir or !$confdir or ! -d $unitdir or ! 
-d $confdir) { - debug(3, "no systemd - skipping\n"); - return (); - } - - my @errs = (); - my $initconfigdir = $inf->{slapd}->{initconfigdir} || get_initconfigdir($inf->{General}->{prefix}); - debug(1, "updating systemd files in $unitdir and $confdir for all directory server instances in $initconfigdir\n"); - my $pkgname = "dirsrv"; - my $changes = 0; - # installation should already have put down the files and - # directories - we just need to update the symlinks - my $servicefile = "$unitdir/$pkgname\@.service"; - # first, look for new instances - for my $file (glob("$initconfigdir/$pkgname-*")) { - my $inst = $file; - $inst =~ s/^.*$pkgname-//; - # see if this is the admin or snmp or some other service - if (-f "$unitdir/$pkgname-$inst.service") { - debug(1, "$unitdir/$pkgname-$inst.service already exists - skipping\n"); - next; - } elsif (-f "$confbasedir/$pkgname-$inst.service") { - debug(1, "$confbasedir/$pkgname-$inst.service already exists - skipping\n"); - next; - } else { - my $servicelink = "$confdir/$pkgname\@$inst.service"; - if (! -l $servicelink && ! $noservicelink) { - if (!symlink($servicefile, $servicelink)) { - debug(1, "error updating link $servicelink to $servicefile - $!\n"); - push @errs, [ 'error_linking_file', $servicefile, $servicelink, $! ]; - } else { - debug(2, "updated link $servicelink to $servicefile\n"); - } - $changes++; - } - } - } - # next, look for instances that have been removed - for my $file (glob("$confdir/$pkgname\@*.service")) { - my $inst = $file; - $inst =~ s/^.*$pkgname\@(.*?).service$/$1/; - if (! -f "$initconfigdir/$pkgname-$inst") { - if (!unlink($file)) { - debug(1, "error removing $file - $!\n"); - push @errs, [ 'error_removing_path', $file, $! ]; - } else { - debug(2, "removed systemd file $file for removed instance $inst\n"); - } - $changes++; - } - } - if ($changes > 0) { - $? 
= 0; - my $cmd = '/bin/systemctl --system daemon-reload'; - # run the reload command - my $output = `$cmd 2>&1`; - my $status = $?; - if ($status) { - debug(1, "Error: $cmd failed - output $output: $!\n"); - push @errs, [ 'error_running_command', $cmd, $output, $! ]; - } else { - debug(2, "$cmd succeeded\n"); - } - } else { - debug(1, "No changes to $unitdir or $confdir\n"); - } - - - return @errs; -} - -sub createDSInstance { - my $inf = shift; - my @errs; - - if (@errs = setDefaults($inf)) { - return @errs; - } - - if (@errs = sanityCheckParams($inf)) { - return @errs; - } - - if (@errs = makeDSDirs($inf)) { - return @errs; - } - - if (@errs = createConfigFile($inf)) { - return @errs; - } - - if (@errs = makeOtherConfigFiles($inf)) { - return @errs; - } - - if (@errs = createInstanceScripts($inf)) { - return @errs; - } - - if (@errs = installSchema($inf)) { - return @errs; - } - - if (@errs = initDatabase($inf)) { - return @errs; - } - - - - if (@errs = updateTmpfilesDotD($inf)) { - return @errs; - } - - if (@errs = updateSystemD(0, $inf)) { - return @errs; - } - - if (@errs = startServer($inf)) { - return @errs; - } - - return @errs; -} - -sub stopServer { - my $instance = shift; - my $prog = "/usr/sbin/stop-dirsrv"; - if (-x $prog) { - $? = 0; - # run the stop command - my $output = `$prog $instance 2>&1`; - my $status = $?; - debug(3, "stopping server $instance returns status $status: output $output\n"); - if ($status) { - debug(1,"Warning: Could not stop directory server: status $status: output $output\n"); - # if the server is not running, that's ok - if ($output =~ /not running/) { - $! = ENOENT; - return 1; - } - # else, some other error (e.g. 
permission) - return false for error - return; - } - } else { - debug(1, "stopping server: no such program $prog: cannot stop server\n"); - return; - } - - debug(1, "Successfully stopped server $instance\n"); - return 1; -} - -# NOTE: Returns a list of array ref - each array ref is suitable for passing -# to Resource::getText -sub removeDSInstance { - my $inst = shift; - my $force = shift; - my $all = shift; - my $initconfig_dir = shift || get_initconfigdir(); - my $baseconfigdir = $ENV{DS_CONFIG_DIR} || "/etc/dirsrv"; - my $instname = "slapd-$inst"; - my $configdir; - my $rundir; - my $product_name; - my @errs; - - my $initconfig = "$initconfig_dir/dirsrv-$inst"; - my $pkglockdir = "/var/lock/dirsrv"; - my $pkgrundir = "/var/run/dirsrv"; - my $pkglibdir = "/var/lib/dirsrv"; - - # Get the configdir, rundir and product_name from the instance initconfig script. - unless(open(INFILE, $initconfig)) { - return ( [ 'error_no_such_instance', $instname, $! ] ); - } - - my $line; - while($line = ) { - if ($line =~ /CONFIG_DIR=(.*) ; export CONFIG_DIR/) { - $configdir = $1; - } elsif ($line =~ /CONFIG_DIR=(.*)$/) { - $configdir = $1; - } elsif ($line =~ /RUN_DIR=(.*) ; export RUN_DIR/) { - $rundir = $1; - } elsif ($line =~ /RUN_DIR=(.*)$/) { - $rundir = $1; - } elsif ($line =~ /PRODUCT_NAME=(.*) ; export PRODUCT_NAME/) { - $product_name = $1; - } elsif ($line =~ /PRODUCT_NAME=(.*)$/) { - $product_name = $1; - } - } - close(INFILE); - - if ( ! -d $configdir ) - { - debug(1, "Error: $configdir does not exist: $!\n"); - return ( [ 'error_no_such_instance', $configdir, $! ] ); - } - # read the config file to find out the paths - my $dseldif = "$configdir/dse.ldif"; - my $conn = new FileConn($dseldif, 1); - if (!$conn) { - debug(1, "Error: Could not open config file $dseldif: Error $!\n"); - return ( [ 'error_opening_dseldif', $dseldif, $! 
] ); - } - - my $dn = "cn=config"; - my $entry = $conn->search($dn, "base", "(cn=*)", 0); - if (!$entry) - { - debug(1, "Error: Search $dn in $dseldif failed: $entry\n"); - push @errs, [ 'error_finding_config_entry', $dn, $dseldif, $conn->getErrorString() ]; - } - - $dn = "cn=config,cn=ldbm database,cn=plugins,cn=config"; - my $dbentry = $conn->search($dn, "base", "(cn=*)", 0); - if (!$dbentry) - { - debug(1, "Error: Search $dn in $dseldif failed: $dbentry\n"); - push @errs, [ 'error_finding_config_entry', $dn, $dseldif, $conn->getErrorString() ]; - } - $conn->close(); - - # stop the server - if (!stopServer($inst)) { - if ($force) { - debug(1, "Warning: Could not stop directory server - Error: $! - forcing continue\n"); - } elsif ($! == ENOENT) { # stop script not found or server not running - debug(1, "Warning: Could not stop directory server: already removed or not running\n"); - push @errs, [ 'error_stopping_server', $inst, $! ]; - } else { # real error - debug(1, "Error: Could not stop directory server - aborting - use -f flag to force removal\n"); - push @errs, [ 'error_stopping_server', $inst, $! 
]; - return @errs; - } - } - - # remove physical dirs/files - if ($dbentry) { - push @errs, remove_tree($dbentry, "nsslapd-directory", $instname, 1); - push @errs, remove_tree($dbentry, "nsslapd-db-logdirectory", $instname, 1); - } - if ($entry) { - push @errs, remove_tree($entry, "nsslapd-lockdir", $instname, 0); - push @errs, remove_tree($entry, "nsslapd-tmpdir", $instname, 0); - push @errs, remove_tree($entry, "nsslapd-bakdir", $instname, 1); - push @errs, remove_tree($entry, "nsslapd-errorlog", $instname, 1); - } - - - # instance dir - my $instdir = ""; - if ($entry) { - foreach my $instdir ( @{$entry->{"nsslapd-instancedir"}} ) - { - if ( -d $instdir && $instdir =~ /$instname/ ) - { - # clean up pid files (if any) - remove_pidfile("STARTPIDFILE", $inst, $instdir, $instname, $rundir, $product_name); - remove_pidfile("PIDFILE", $inst, $instdir, $instname, $rundir, $product_name); - - my $rc = rmtree($instdir); - if ( 0 == $rc ) - { - push @errs, [ 'error_removing_path', $instdir, $! ]; - debug(1, "Warning: $instdir was not removed. Error: $!\n"); - } - } - } - } - # Finally, config dir - if ($all) { - push @errs, remove_tree($entry, "nsslapd-schemadir", $instname, 1); - } else { - push @errs, remove_tree($entry, "nsslapd-schemadir", $instname, 1, "\.db\$"); - } - - # Remove the instance specific initconfig script - if ( -f $initconfig ) { - my $rc = unlink($initconfig); - if ( 0 == $rc ) - { - push @errs, [ 'error_removing_path', $initconfig, $! ]; - debug(1, "Warning: $initconfig was not removed. Error: $!\n"); - } - } - - my $tmpfilesdir = "/etc/tmpfiles.d"; - my $tmpfilesname = "$tmpfilesdir/dirsrv-$inst.conf"; - if ((getLogin() eq 'root') && $tmpfilesdir && -d $tmpfilesdir && -f $tmpfilesname) { - my $rc = unlink($tmpfilesname); - if ( 0 == $rc ) - { - push @errs, [ 'error_removing_path', $tmpfilesname, $! ]; - debug(1, "Warning: $tmpfilesname was not removed. 
Error: $!\n"); - } - } - - # remove the selinux label from the ports if needed - my $mydevnull = (-c "/dev/null" ? " /dev/null " : " NUL "); - if ((getLogin() eq 'root') and "yes" and system("/usr/sbin/ds_selinux_enabled") == 256 ) { - foreach my $port (@{$entry->{"nsslapd-port"}}) - { - - my $need_remove_label = 0; - my $port_query_cmd = ("/usr/sbin/ds_selinux_port_query $port ldap_port_t 2> $mydevnull"); - my $result = system($port_query_cmd); - - if ($result == 256) { - debug(1, "Port $port may be removed as ldap_port_t \n"); - $need_remove_label = 1; - } - if ($result == 131072) { - $need_remove_label = 0; - debug(0, "An error occured running ds_selinux_port_query. This is probably a bug\n"); - debug(0, "$port_query_cmd \n"); - } - - my $semanage_err; - my $rc; - my $retry = 5; - $ENV{LANG} = "C"; - if ($need_remove_label) { - while (($retry > 0) && ($semanage_err = `semanage port -d -t ldap_port_t -p tcp $port 2>&1`) && ($rc = $?)) { - if (($semanage_err =~ /defined in policy, cannot be deleted/) || ($semanage_err =~ /is not defined/)) { - $retry = -1; - } else { - debug(1, "Warning: Port $port not removed from selinux policy correctly, $retry attempts remain. Error: $semanage_err\n"); - debug(1, "Retrying in 5 seconds\n"); - sleep(5); - $retry--; - } - } - if (0 == $retry) { - push @errs, [ 'error_removing_port_label', $port, $semanage_err]; - debug(1, "Warning: Port $port not removed from selinux policy correctly. Error: $semanage_err\n"); - debug(1, "Reached time limit.\n"); - } - } - } - - foreach my $secureport (@{$entry->{"nsslapd-secureport"}}) - { - my $need_remove_label = 0; - my $port_query_cmd = ("/usr/sbin/ds_selinux_port_query $secureport ldap_port_t 2> $mydevnull"); - my $result = system($port_query_cmd); - - if ($result == 256) { - debug(1, "Port $secureport may be removed as ldap_port_t \n"); - $need_remove_label = 1; - } - if ($result == 131072) { - $need_remove_label = 0; - debug(0, "An error occured running ds_selinux_port_query. 
This is probably a bug\n"); - debug(0, "$port_query_cmd \n"); - } - my $semanage_err; - my $rc; - my $retry = 60; - $ENV{LANG} = "C"; - if ($need_remove_label) { - while (($retry > 0) && ($semanage_err = `semanage port -d -t ldap_port_t -p tcp $secureport 2>&1`) && ($rc = $?)) { - if (($semanage_err =~ /defined in policy, cannot be deleted/) || ($semanage_err =~ /is not defined/)) { - $retry = -1; - } else { - debug(1, "Warning: Port $secureport not removed from selinux policy correctly. Error: $semanage_err\n"); - debug(1, "Retrying in 5 seconds\n"); - sleep(5); - $retry--; - } - } - if (0 == $retry) { - push @errs, [ 'error_removing_port_label', $secureport, $semanage_err]; - debug(1, "Warning: Port $secureport not removed from selinux policy correctly. Error: $semanage_err\n"); - debug(1, "Reached time limit.\n"); - } - } - } - } - - # update systemd files - push @errs, updateSystemD(0); - - # if we got here, report success - if (@errs) { - debug(1, "Could not successfully remove $instname\n"); - } else { - if (!<$pkglockdir/*>){ - # If this was the last instance, remove /var/lock/dirsrv & /var/run/dirsrv - rmdir $pkglockdir; - rmdir $pkgrundir; - } - debug(1, "Instance $instname removed.\n"); - } - - return @errs; -} - -1; - -# emacs settings -# Local Variables: -# mode:perl -# indent-tabs-mode: nil -# tab-width: 4 -# End: \ No newline at end of file diff --git a/user_saml_shibboleth/ldap/ds-setup.inf b/user_saml_shibboleth/ldap/ds-setup.inf deleted file mode 100644 index 677e7c75..00000000 --- a/user_saml_shibboleth/ldap/ds-setup.inf +++ /dev/null 
@@ -1,28 +0,0 @@
-[General]
-AdminDomain =idptestbed
-ConfigDirectoryAdminID = admin
-ConfigDirectoryAdminPwd = admin
-ConfigDirectoryLdapURL = ldap://localhost:389/o=NetscapeRoot
-FullMachineName = localhost
-ServerRoot = /usr/lib64/dirsrv
-SuiteSpotGroup = nobody
-SuiteSpotUserID = nobody
-
-[admin]
-Port = 9830
-ServerAdminID = admin
-ServerAdminPwd = admin
-ServerIpAddress = 0.0.0.0
-SysUser = nobody
-
-[slapd]
-AddOrgEntries = Yes
-AddSampleEntries = No
-InstallLdifFile = suggest
-RootDN = cn=Directory Manager
-RootDNPwd = password
-ServerIdentifier = dir
-ServerPort = 389
-SlapdConfigForMC = yes
-Suffix = dc=idptestbed
-UseExistingMC = No
\ No newline at end of file
diff --git a/user_saml_shibboleth/ldap/nextcloud.ldif b/user_saml_shibboleth/ldap/nextcloud.ldif
deleted file mode 100644
index ddcbfd0f..00000000
--- a/user_saml_shibboleth/ldap/nextcloud.ldif
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# SCHEMA 'ownCloud' for OpenLDAP OLC (cn=config)
-#
-# From http://doc.owncloud.org/server/6.0/admin_manual/configuration/auth_ldap.html
-#
-# Quota Field:
-# ownCloud can read an LDAP attribute and set the user quota according to its value.
-# Specify the attribute here, otherwise keep it empty. The attribute shall return
-# human readable values, e.g. "2 GB".
-#
-# INSTALLATION:
-# sudo ldapadd -Y EXTERNAL -H ldapi:/// -f owncloud.ldif
-#
-# SOURCE:
-# https://github.com/valerytschopp/owncloud-ldap-schema
-#
-# WARNING: the spaces ' ' in the definitions are very important!!!
-
-dn: cn=owncloud,cn=schema,cn=config
-objectClass: olcSchemaConfig
-cn: owncloud
-olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.1
- NAME 'quota'
- DESC 'User Quota (e.g. 2 GB)'
- EQUALITY caseExactMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- SINGLE-VALUE )
-olcObjectClasses: ( 1.3.6.1.4.1.39430.1.2.1
- NAME 'ownCloud'
- DESC 'ownCloud LDAP Schema'
- AUXILIARY
- MAY ( quota ) )
\ No newline at end of file
diff --git a/user_saml_shibboleth/shibboleth/conf/attribute-filter.xml b/user_saml_shibboleth/shibboleth/conf/attribute-filter.xml deleted file mode 100644 index 4dcd5486..00000000 --- a/user_saml_shibboleth/shibboleth/conf/attribute-filter.xml +++ /dev/null @@ -1,51 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/user_saml_shibboleth/start.sh b/user_saml_shibboleth/start.sh deleted file mode 100644 index acce5053..00000000 --- a/user_saml_shibboleth/start.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/sh - -#set -x - -export JAVA_HOME=/opt/jre-home -export PATH=$PATH:$JAVA_HOME/bin -export JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=nextcloud -export JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=nextcloud - -if [ -e "/opt/shibboleth-idp/ext-conf/idp-secrets.properties" ]; then - export JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=`gawk 'match($0,/^jetty.backchannel.sslContext.keyStorePassword=\s?(.*)\s?$/, a) {print a[1]}' /opt/shibboleth-idp/ext-conf/idp-secrets.properties` - export JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=`gawk 'match($0,/^jetty\.sslContext\.keyStorePassword=\s?(.*)\s?$/, a) {print a[1]}' /opt/shibboleth-idp/ext-conf/idp-secrets.properties` -fi - -export JETTY_ARGS="jetty.sslContext.keyStorePassword=$JETTY_BROWSER_SSL_KEYSTORE_PASSWORD jetty.backchannel.sslContext.keyStorePassword=$JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD" -sed -i "s/^-Xmx.*$/-Xmx$JETTY_MAX_HEAP/g" /opt/shib-jetty-base/start.ini - -apachectl -k start & -/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir & -/etc/init.d/jetty run &