/usr/bin/ldap-debian-edu-install is in debian-edu-config 1.702.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
#!/bin/bash
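set -e
#
# to re-run the LDAP/GOsa/Samba bootstrap...
#
# [[[ WATCH OUT ]]] ... if you do this, your TJENER will be initialized
# YOU WILL LOSE ALL SETTINGS STORED IN LDAP!!!
# DO THIS AT YOUR OWN RISK!!!
#
# o ... create little script with the following lines:
#
# <quote>
# #!/bin/bash
# . /usr/share/debconf/confmodule
# db_set debian-edu-config/ldap-password <rootpw>
# db_set debian-edu-config/kdc-password <rootpw>
# </quote>
#
# o then: run this script, you have to run it using its full path
# (otherwise debconf will throw an error)
# o edit /etc/gosa/gosa.conf and replace password hashes after options
# named ,,adminPassword'' and ,,snapshotAdminPassword'' with the
# placeholder string ,,$GOSAPWD''
# o edit /etc/smbldap-tools/smbldap_bind.conf and replace the passwords
# there with the placeholder string ,,$SAMBAPWD''
# o Then run these commands from a terminal
#
# $ /etc/init.d/samba stop
# $ /etc/init.d/slapd stop
# $ rm /var/lib/ldap/*
# $ rm /var/lib/samba/*
# $ /etc/init.d/slapd start
# $ /etc/init.d/samba start
# $ rm /etc/krb5kdc/stash
#
# o Then run
#
# $ ldap-debian-edu-install
#
# o And finally restart your webservice, e.g.
#
# $ /etc/init.d/apache2 restart
#
################# fetch LDAP password from debconf ################
#export DEBCONF_DEBUG='developer'
. /usr/share/debconf/confmodule
# Every db_get below leaves its answer in $RET. ROOTPWDCLEAR carries the
# clear-text LDAP admin password through the rest of this script.
db_get debian-edu-config/ldap-password
ROOTPWDCLEAR="$RET"
# Set to true by slapd_stop() when it had to stop a running slapd, so the
# server is started again at the end of the script.
RESTARTSLAPD=false

## first user: login name, falls back to "localadmin"
if db_get debian-edu-config/first-user-name && [ "$RET" ] ; then
  FIRSTUSERNAME="$RET"
else
  echo "error: no value in first-user-name, passing debconf values fail? Creating localadmin user instead" 1>&2
  FIRSTUSERNAME="localadmin"
  db_set debian-edu-config/first-user-name "$FIRSTUSERNAME"
fi

## first user: full name, split into given name(s) and last name
if db_get debian-edu-config/first-user-fullname && [ "$RET" ] ; then
  # Last word (printf instead of echo: the name is user input and may
  # start with a dash)
  FIRSTUSERLASTNAME="$(printf '%s\n' "$RET" | awk '{print $NF}')"
  # Everything except the last word, single-space separated and without a
  # trailing blank
  FIRSTUSERGIVENNAME="$(printf '%s\n' "$RET" | awk '{for (i=1; i<NF; i++) printf("%s%s", $i, (i<NF-1) ? " " : ""); print ""}')"
  if [ -z "$FIRSTUSERGIVENNAME" ] ; then
    # a single-word name serves as both given name and last name
    FIRSTUSERGIVENNAME="$FIRSTUSERLASTNAME"
  fi
  # GECOS in LDAP must be ASCII (IA5String), convert to this
  FIRSTUSERGECOS="$(printf '%s\n' "$RET" | iconv -t ASCII//TRANSLIT)"
else
  echo "error: no value in first-user-fullname, passing debconf values fail?" 1>&2
  FIRSTUSERGECOS="LDAP initial admin user"
  db_set debian-edu-config/first-user-fullname "$FIRSTUSERGECOS"
  FIRSTUSERLASTNAME="LDAP"
  FIRSTUSERGIVENNAME="initial admin user"
fi
echo "info: Creating first user <$FIRSTUSERNAME> '$FIRSTUSERGECOS'."

## Make sure to ask for the password if it is not available: only on a
## main server, only while no LDAP database exists yet, and only when the
## password was not preseeded.
if [ -f /etc/debian-edu/config ] && grep -q Main-Server /etc/debian-edu/config \
   && [ ! -f /var/lib/ldap/__db.001 ] && [ -z "$ROOTPWDCLEAR" ]; then
  # Up to 50 rounds; a round succeeds when the password is non-empty and
  # matches its confirmation.
  loop=0
  while [ "$loop" -lt 50 ]; do
    loop=$((loop + 1))
    db_input critical debian-edu-config/ldap-password || true
    db_input critical debian-edu-config/ldap-password-again || true
    db_go
    ## Check if password is non-empty:
    db_get debian-edu-config/ldap-password
    ROOTPWDCLEAR="$RET"
    if [ -z "$ROOTPWDCLEAR" ]; then
      db_set debian-edu-config/ldap-password ""
      db_set debian-edu-config/ldap-password-again ""
      db_fset debian-edu-config/ldap-password-empty seen false
      db_input critical debian-edu-config/ldap-password-empty
      db_fset debian-edu-config/ldap-password seen false
      db_fset debian-edu-config/ldap-password-again seen false
      continue
    fi
    ## Check if both entered passwords are identical:
    db_get debian-edu-config/ldap-password-again
    if [ "$ROOTPWDCLEAR" = "$RET" ]; then
      break
    fi
    # Forget the unconfirmed value: running out of rounds must not carry
    # on with a password the user never confirmed.
    ROOTPWDCLEAR=""
    db_set debian-edu-config/ldap-password ""
    db_set debian-edu-config/ldap-password-again ""
    db_fset debian-edu-config/ldap-password-mismatch seen false
    db_input critical debian-edu-config/ldap-password-mismatch
    db_fset debian-edu-config/ldap-password seen false
    db_fset debian-edu-config/ldap-password-again seen false
  done
else
  echo "To initialize a brand new LDAP+KDC: " 1>&2
  echo "rm /var/lib/ldap/__db* /var/lib/ldap/*.bdb" 1>&2
  echo "rm /etc/krb5kdc/stash /etc/krb5.keytab*" 1>&2
fi
## clear passwords in the database:
db_set debian-edu-config/ldap-password ''
db_set debian-edu-config/ldap-password-again ''
## reset all questions/templates:
db_fset debian-edu-config/ldap-password seen false
db_fset debian-edu-config/ldap-password-mismatch seen false
db_fset debian-edu-config/ldap-password-again seen false
db_fset debian-edu-config/ldap-password-empty seen false
echo "LDAP passwords cleared from debconf database."
## check if the provided LDAP password is non-empty:
if [ -z "$ROOTPWDCLEAR" ]; then
  echo "The provided LDAP password is empty: Skipping LDAP setup."
  exit 1
else
  echo "The provided LDAP password is valid."
fi

## first user: password, falls back to the LDAP admin password. This is
## done after the password prompt above so that the fallback is the
## confirmed value (the old code read the never-set $ROOTPWD, which left
## the first user with an empty password).
if db_get debian-edu-config/first-user-password && [ "$RET" ] ; then
  FIRSTUSERPWD="$RET"
else
  echo "error: no value in first-user-password, passing debconf values fail?" 1>&2
  FIRSTUSERPWD="$ROOTPWDCLEAR"
  db_set debian-edu-config/first-user-password "$FIRSTUSERPWD"
fi
# NOTE(review): slappasswd receives the secret on its command line and is
# therefore briefly visible in process listings while it runs.
FIRSTUSERPWDHASH=$(slappasswd -s "$FIRSTUSERPWD" -h '{SSHA}')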
################# password available now ##################
# Some easy means to start/stop the mail spool
#if [ -x /etc/init.d/exim ] ; then
# MTAINIT=/etc/init.d/exim
#elif [ -x /etc/init.d/exim4 ] ; then
# MTAINIT=/etc/init.d/exim4
#else
# echo "error: unknown MTA, exiting..."
# exit 9
#fi
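copy_example_DB_CONFIG() {
  # Install slapd's example DB_CONFIG into an LDAP database directory
  # (function to set a DB_CONFIG, ripped from slapd.postinst).
  # copy_example_DB_CONFIG <directory> [<srcdir>]
  #   directory: database directory; nothing is done when it does not
  #              exist or already holds a DB_CONFIG
  #   srcdir:    directory holding the example, default /usr/share/slapd
  local directory srcdir
  directory="$1"
  srcdir="${2:-/usr/share/slapd}"
  if [ -d "$directory" ] && ! [ -f "${directory}/DB_CONFIG" ]; then
    cp -- "${srcdir}/DB_CONFIG" "${directory}/DB_CONFIG"
  fi
}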
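#######################################
# List the MAC addresses of the local network interfaces, one per line,
# sorted and de-duplicated. Tries the legacy net-tools ifconfig output
# ("HWaddr xx:xx:...") first and falls back to iproute2 ("link/ether")
# when that yields nothing (ifconfig missing, or a net-tools version that
# prints "ether" instead of "HWaddr"). Prints nothing if no address is found.
# Outputs:   MAC addresses on stdout
# Returns:   0
#######################################
lookup_mac_addrs() {
  local macs
  macs=$(PATH=/sbin:$PATH LANG=C ifconfig 2>/dev/null | grep -i hwaddr | awk '{print $5}')
  if [ -z "$macs" ] ; then
    macs=$(PATH=/sbin:$PATH LANG=C ip -o link 2>/dev/null \
      | awk '{for (i = 1; i < NF; i++) if ($i == "link/ether") print $(i + 1)}')
  fi
  [ -n "$macs" ] || return 0
  printf '%s\n' "$macs" | sort -u
}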
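#######################################
# Wait up to 10 seconds for every slapd process to exit, printing one dot
# per second while waiting, then a newline.
# Globals:   SLAPPIDS (written: pids still alive afterwards, empty if none)
#######################################
slapd_wait_exit() {
  local loop=0
  SLAPPIDS=$(pidof slapd || /bin/true)
  while [ "$loop" -lt 10 ] && [ "$SLAPPIDS" ] ; do
    loop=$((loop + 1))
    sleep 1
    printf '.'
    SLAPPIDS=$(pidof slapd || /bin/true)
  done
  echo
}

#######################################
# Send a signal to a list of pids, ignoring failures (a pid may already
# have gone away).
# Arguments: $1 - signal (e.g. -TERM), $2 - whitespace separated pids
#######################################
slapd_signal() {
  local sig=$1 pid
  for pid in $2 ; do
    kill "$sig" "$pid" || /bin/true
  done
}

#######################################
# Stop a running slapd: first through the init script, then with TERM,
# finally with KILL, waiting up to 10 seconds after each step.
# Globals:   RESTARTSLAPD (set to true when slapd was running),
#            SLAPPIDS (written)
# Returns:   0; exits 9 if slapd cannot be stopped
#######################################
slapd_stop() {
  # Check if slapd is running. Use pidfile to avoid detecting the wrong
  # daemon when running in a chroot.
  if [ -f /var/run/slapd/slapd.pid ] &&
     kill -0 "$(cat /var/run/slapd/slapd.pid)" ; then
    RESTARTSLAPD=true
    /etc/init.d/slapd stop
    # Make sure slapd is really stopped
    SLAPPIDS=$(pidof slapd || /bin/true)
    if [ "$SLAPPIDS" ] ; then
      printf 'warning: slapd is still running, trying to TERM it'
      slapd_signal -TERM "$SLAPPIDS"
    fi
    # Not sure why, but it seem like slapd takes some time to shut down
    slapd_wait_exit
    if [ "$SLAPPIDS" ] ; then
      printf "error: slapd is still running, I'll KILL it"
      slapd_signal -KILL "$SLAPPIDS"
    fi
    slapd_wait_exit
    if [ "$SLAPPIDS" ] ; then
      echo "error: Critical: slapd is still running, I'm giving up"
      exit 9
    fi
  fi
}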
# Init tree
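#######################################
# Escape a value for use as the replacement text of a sed "s:...:...:"
# command: backslash, '&' and the ':' delimiter get a protecting
# backslash, so user-supplied names and generated passwords cannot alter
# the sed program. Output carries no trailing newline.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout
#######################################
sed_repl_escape() {
  printf '%s' "$1" | sed -e 's/[\\&:]/\\&/g'
}

#######################################
# Print a sed script replacing each literal "$NAME" placeholder by its
# escaped VALUE, one "s:$NAME:VALUE:" line per NAME=VALUE argument, in
# argument order. Intended for "sed -f <(placeholder_sed_script ...)",
# which keeps the secrets off the sed command line.
# Arguments: [-g] then NAME=VALUE pairs; -g replaces every occurrence on a
#            line instead of the first one only
# Outputs:   sed script on stdout
#######################################
placeholder_sed_script() {
  local flags='' pair name value
  if [ "$1" = "-g" ] ; then
    flags='g'
    shift
  fi
  for pair in "$@" ; do
    name=${pair%%=*}
    value=${pair#*=}
    printf 's:$%s:%s:%s\n' "$name" "$(sed_repl_escape "$value")" "$flags"
  done
}

#######################################
# Bootstrap a fresh LDAP database from the LDIF templates in /etc/ldap and
# wire up GOsa, the Kerberos KDC service accounts and the Samba domain.
# Globals read:    ROOTPWDCLEAR, FIRSTUSERNAME, FIRSTUSERGECOS,
#                  FIRSTUSERLASTNAME, FIRSTUSERGIVENNAME, FIRSTUSERPWDHASH
# Globals written: GOSAPWD (used by the caller for kerberos-kdc-init),
#                  SAMBAPWD, SAMBASID, RESTARTSLAPD (restored to its value
#                  on entry) and the various *HASH values
# Side effects:    wipes /var/lib/ldap; writes /etc/gosa/gosa.conf (or
#                  gosa.random_secret), /etc/krb5kdc/service.keyfile and
#                  /etc/smbldap-tools/smbldap_bind.conf; starts and stops
#                  slapd and bind9
# Returns:         0 on success; exits non-zero on any failed step
#######################################
init_ldap () {
  rm -f /var/lib/ldap/*
  copy_example_DB_CONFIG /var/lib/ldap
  # root's crypt(3) hash is taken from the local account database
  if [ -f /etc/shadow ] ; then
    FILE=/etc/shadow
  else
    FILE=/etc/passwd
  fi
  ROOTPWDHASH=$(grep '^root:' < "$FILE" | cut -d':' -f2)
  # Calculate the ssha hash
  ROOTPWDSSHAHASH=$(slappasswd -h '{ssha}' -s "$ROOTPWDCLEAR")
  HOSTNAME=$(hostname -s)
  ## Create and distribute a random password and
  ## its hash for the ldap gosa-admin account:
  GOSAPWD=$(slappasswd -g -h '{CLEARTEXT}')
  GOSAPWDHASH=$(slappasswd -s "$GOSAPWD" -h '{SSHA}')
  GOSACONFDIR="/etc/gosa/"
  GOSACONF="gosa.conf"
  ## DNs of the GOsa groups and roles, base64-encoded as the LDIF
  ## templates expect them:
  GOSAADMINSDN=$(awk '/dn: cn=gosa-admins,/ { print $2 }' /etc/ldap/gosa.ldif)
  GOSAADMINSDN64=$(printf '%s' "$GOSAADMINSDN" | base64 -w0)
  ADMINROLEDN=$(awk '/dn: cn=admin-role,/ { print $2 }' /etc/ldap/gosa.ldif)
  ADMINROLEDN64=$(printf '%s' "$ADMINROLEDN" | base64 -w0)
  JRADMINROLEDN=$(awk '/dn: cn=jradmin-role,/ { print $2 }' /etc/ldap/gosa.ldif)
  JRADMINROLEDN64=$(printf '%s' "$JRADMINROLEDN" | base64 -w0)
  TEACHERSDN=$(awk '/dn: cn=teachers,/ { print $2 }' /etc/ldap/gosa.ldif)
  TEACHERSDN64=$(printf '%s' "$TEACHERSDN" | base64 -w0)
  # first MAC address found; may be empty on hosts without an ethernet interface
  MAC=$(lookup_mac_addrs | head -1)
  ## query debconf data base for time zone and locale:
  AREA=$(debconf-show tzdata | grep "^* tzdata/Areas:" \
    | sed "s/.*:[[:space:]]*\([[:alpha:]]*\)$/\1/")
  ZONE=$(debconf-show tzdata | grep "^* tzdata/Zones/$AREA:" \
    | sed "s/.*:[[:space:]]*\([[:alpha:]]*\)$/\1/")
  TIMEZONE=$AREA/$ZONE
  LANGUAGE=$(debconf-show locales | grep "^* locales/default_environment_locale:" \
    | sed "s/.*:[[:space:]]*\([^[:space:]]*\)$/\1/")
  ## FIXME: make sure gosa.conf is in place if it is missing:
  if [ -f "$GOSACONFDIR$GOSACONF" ] && grep -q '\$GOSAPWD' "$GOSACONFDIR$GOSACONF" ; then
    # fill in the placeholders; the sed program arrives through a file
    # descriptor, so the gosa-admin password is not on sed's command line
    sed -i -f <(placeholder_sed_script -g \
        GOSAPWD="$GOSAPWD" \
        TIMEZONE="$TIMEZONE" \
        LANGUAGE="$LANGUAGE") "$GOSACONFDIR$GOSACONF"
    rm -f "$GOSACONFDIR/gosa.random_secret"
    chown root:www-data "$GOSACONFDIR$GOSACONF"
    chmod 0640 "$GOSACONFDIR$GOSACONF"
    ## run gosa-encrypt-passwords:
    rm -f /etc/gosa/gosa.secrets
    gosa-encrypt-passwords > /dev/null
  else
    # no usable gosa.conf: leave the generated password for the admin in a
    # root-only file (created empty and locked down before it is written)
    mkdir -p "$GOSACONFDIR"
    touch "$GOSACONFDIR/gosa.random_secret"
    chmod 0600 "$GOSACONFDIR/gosa.random_secret"
    cat > "$GOSACONFDIR/gosa.random_secret" <<EOF
## The gosa configuration file "$GOSACONFDIR$GOSACONF" has
## been missing during bootstrap of the ldap database or
## does not contain the string \$GOSAPWD.
## The password used by the gosa-admin in ldap is:
## $GOSAPWD
## Make sure to use this password in "$GOSACONFDIR$GOSACONF".
## Finally, run 'gosa-encrypt-passwords' if anything
## works fine and remove this file.
EOF
  fi
  ## Create and distribute a random password and its hash
  ## for the kdc service accounts kadmin and kdc-service:
  KDCPWD=$(slappasswd -g -h '{CLEARTEXT}')
  KDCPWDHASH=$(slappasswd -s "$KDCPWD" -h '{SSHA}')
  KDCCONFDIR="/etc/krb5kdc/"
  KEYFILE="service.keyfile"
  ## convert to {HEX} encoding: no newline byte is encoded and no line
  ## wrapping happens for passwords up to 256 bytes
  KDCPWDHEX=$(printf '%s' "$KDCPWD" | xxd -p -c 256)
  KRB_CONT_DN=$(awk '/dn: cn=kerberos,/ { print $2 }' /etc/ldap/krb5.ldif)
  mkdir -p "$KDCCONFDIR"
  # create the keyfile empty and lock it down before the secret is written
  touch "$KDCCONFDIR$KEYFILE"
  chmod 0600 "$KDCCONFDIR$KEYFILE"
  cat > "$KDCCONFDIR$KEYFILE" <<EOF
cn=kdc-service,$KRB_CONT_DN#{HEX}$KDCPWDHEX
cn=kadmin-service,$KRB_CONT_DN#{HEX}$KDCPWDHEX
EOF
  ## bootstrap ldap with passwords inserted:
  # generate Samba passwd already here
  SAMBAPWD=$(slappasswd -g -h '{CLEARTEXT}')
  # then generate hashed Samba password, this will be needed for bootstrapping
  # cn=smbadmin in root.ldif
  SAMBAPWDHASH=$(slappasswd -u -s "$SAMBAPWD")
  # first portion of bootstrap (everything except samba.ldif)
  ## removed for gosa-server to work:
  # /etc/ldap/dhcp.ldif /etc/ldap/dhcp_hosts.ldif
  # /etc/ldap/dns_skole.ldif /etc/ldap/dns_ranges.ldif
  # The placeholder order matters: $SAMBAPWDHASH must be replaced before
  # $SAMBAPWD, which is a prefix of it.
  for ldif in \
      /etc/ldap/root.ldif \
      /etc/ldap/ipnetworks.ldif \
      /etc/ldap/netgroup.ldif \
      /etc/ldap/autofs.ldif \
      /etc/ldap/sudo.ldif \
      /etc/ldap/gosa.ldif \
      /etc/ldap/gosa-server.ldif \
      /etc/ldap/ltsp.ldif \
      /etc/ldap/firstuser.ldif \
      /etc/ldap/krb5.ldif ; do
    if sed -f <(placeholder_sed_script \
          ROOTPWDHASH="$ROOTPWDHASH" \
          MAC="$MAC" \
          GOSAPWDHASH="$GOSAPWDHASH" \
          GOSAADMINSDN64="$GOSAADMINSDN64" \
          ADMINROLEDN64="$ADMINROLEDN64" \
          JRADMINROLEDN64="$JRADMINROLEDN64" \
          TEACHERSDN64="$TEACHERSDN64" \
          KDCPWDHASH="$KDCPWDHASH" \
          ROOTPWDSSHAHASH="$ROOTPWDSSHAHASH" \
          SAMBAPWDHASH="$SAMBAPWDHASH" \
          SAMBAPWD="$SAMBAPWD" \
          FIRSTUSERNAME="$FIRSTUSERNAME" \
          FIRSTUSERGECOS="$FIRSTUSERGECOS" \
          FIRSTUSERLASTNAME="$FIRSTUSERLASTNAME" \
          FIRSTUSERGIVENNAME="$FIRSTUSERGIVENNAME" \
          FIRSTUSERPWDHASH="$FIRSTUSERPWDHASH") \
        "$ldif" | /usr/sbin/slapadd ; then
      echo "info: added '$ldif' to ldap database."
    else
      echo "error: Unable to load '$ldif'"
      exit 1
    fi
  done
  # in Etch, Lenny, Squeeze..., the database must be owned by openldap
  if getent passwd openldap | grep -q openldap ; then
    chown -R openldap:openldap /var/lib/ldap
  fi
  # For some lines of code, we need LDAP up and running again
  ## check if slapd is running:
  if [ -x /sbin/start-stop-daemon.REAL ] ; then
    ## needed to start slapd during installation:
    mv /sbin/start-stop-daemon /sbin/start-stop-daemon.FAKE
    cp /sbin/start-stop-daemon.REAL /sbin/start-stop-daemon
  fi
  PID=$(pidof slapd || /bin/true)
  if [ -z "$PID" ]; then
    echo "The LDAP server slapd seems not to be running. Trying to start slapd." 1>&2
    /etc/init.d/slapd start
  fi
  PID=$(pidof slapd || /bin/true)
  if [ -z "$PID" ]; then
    echo "error: the LDAP server is not running. Skipping Samba setup." 1>&2
    exit 1
  fi
  ## FIXME: this next part now is experimental... it needs sanity checks...
  # Samba will also need DNS to bind to LDAP
  /etc/init.d/bind9 start
  # sync DNS from LDAP for the first time... (this has to run as uid ,,bind''!)
  su -s /bin/sh -c "PATH=/usr/sbin:/sbin:/usr/bin:/bin /usr/sbin/ldap2bind" - bind
  ## END OF FIXME
  cat > /etc/samba/smb-debian-edu-ldapbootstrap.conf <<EOF
#
# Samba configuration Skolelinux LDAP bootstrap, this file is temporary
#
#======================= Global Settings =======================
[global]
netbios name = TJENER
security = USER
workgroup = SKOLELINUX
encrypt passwords = true
passdb backend = ldapsam:"ldap://ldap.intern"
ldapsam:trusted = yes
ldap suffix = ou=samba,dc=skole,dc=skolelinux,dc=no
ldap admin dn = "cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no"
ldap ssl = start_tls
local master = yes
domain logons = yes
domain master = yes
preferred master = yes
lanman auth = yes
ntlm auth = yes
os level = 127
name resolve order = bcast host lmhosts wins
wins support = yes
dns proxy = yes
EOF
  # Store root's password temporarily in secrets.tdb (for cn=admin,ou=ldap-access,BASEDN)
  # NOTE(review): smbpasswd -w takes the secret on its command line and is
  # briefly visible in process listings while it runs.
  smbpasswd -c /etc/samba/smb-debian-edu-ldapbootstrap.conf -w "$ROOTPWDCLEAR"
  # This will initialize the sambaDomainName=<DOMAIN> object in LDAP and
  # generate a sambaSID for <DOMAIN>.
  net -s /etc/samba/smb-debian-edu-ldapbootstrap.conf getlocalsid &> /dev/null
  # start from scratch with secrets.tdb...
  rm -f /var/lib/samba/secrets.tdb
  # remove the bootstrap smb.conf again... this file was really temporary...
  rm -f /etc/samba/smb-debian-edu-ldapbootstrap.conf
  # now set up our auto-generated Samba password (created further above) that shall be
  # used in smb.conf and with smbldap-tools
  # (i.e. for cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no)...
  smbpasswd -c /etc/samba/smb.conf -w "$SAMBAPWD"
  # also put the $SAMBAPWD into smbldap_bind.conf; the file is locked down
  # first because it holds the password in clear text afterwards
  chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
  sed -i -f <(placeholder_sed_script -g SAMBAPWD="$SAMBAPWD") /etc/smbldap-tools/smbldap_bind.conf
  echo "info: Fetching SMB domain SID."
  SAMBASID=$(net -s /etc/samba/smb.conf getlocalsid SKOLELINUX 2>/dev/null | awk '{ print $6 }')
  if [ -z "$SAMBASID" ] ; then
    echo "error: unable to fetch Samba SID"
    exit 1
  fi
  # the next line is unknowingly dirty, but it fixes a ,,Can't fetch domain SID
  # for name: TJENER'' error if running ,,net getlocalsid'' after the bootstrap.
  net getlocalsid -s /dev/null &> /dev/null
  # and now... stop slapd again... and restore start-stop-daemon script.
  # slapd_stop() sets RESTARTSLAPD=true, but slapd was only started for this
  # bootstrap, so the value recorded on entry is restored (the old code
  # restored a misspelled variable and thereby cleared RESTARTSLAPD).
  remember_RESTARTSLAPD=$RESTARTSLAPD
  slapd_stop
  RESTARTSLAPD=$remember_RESTARTSLAPD
  # stop DNS service, as well
  PID=$(pidof named || /bin/true)
  if [ -n "$PID" ]; then
    /etc/init.d/bind9 stop
  fi
  if [ -x /sbin/start-stop-daemon.REAL ] ; then
    mv /sbin/start-stop-daemon.FAKE /sbin/start-stop-daemon
  fi
  # Generate NT/LM hashes for Samba's Administrator account; the password is
  # handed to perl on stdin rather than on its command line.
  SAMBA_ADMPWD_HASHES=$(printf '%s' "$ROOTPWDCLEAR" | perl -MCrypt::SmbHash -e 'local $/; my $pw = <STDIN>; $pw = "" unless defined $pw; print join(q[:], ntlmgen $pw), "\n";')
  SAMBA_ADMPWD_LMHASH=$(printf '%s\n' "$SAMBA_ADMPWD_HASHES" | cut -d ":" -f1)
  SAMBA_ADMPWD_NTHASH=$(printf '%s\n' "$SAMBA_ADMPWD_HASHES" | cut -d ":" -f2)
  # perform the rest of the LDAP bootstrap
  for ldif in \
      /etc/ldap/samba.ldif ; do
    if sed -f <(placeholder_sed_script \
          ROOTPWDHASH="$ROOTPWDHASH" \
          SAMBASID="$SAMBASID" \
          SAMBAPWD="$SAMBAPWD" \
          SAMBAPWDHASH="$SAMBAPWDHASH" \
          SAMBA_ADMPWD_LMHASH="$SAMBA_ADMPWD_LMHASH" \
          SAMBA_ADMPWD_NTHASH="$SAMBA_ADMPWD_NTHASH" \
          FIRSTUSERNAME="$FIRSTUSERNAME") \
        "$ldif" | /usr/sbin/slapadd ; then
      echo "info: added '$ldif' to ldap database."
    else
      echo "error: Unable to load '$ldif'"
      exit 1
    fi
  done
  # The migration of slapd.conf to the slapd.d format that used to live here
  # (required by slapd 2.4.23-4) was disabled once openldap in squeeze
  # (2.4.23-5) no longer required slapd.d, and has been dropped.
  # again: in Etch, Lenny, Squeeze..., the database must be owned by openldap
  if getent passwd openldap | grep -q openldap ; then
    chown -R openldap:openldap /var/lib/ldap
  fi
}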
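# Create ldap-tree on the initial install
#$MTAINIT stop
# slapadd below needs slapd stopped; slapd_stop() records in RESTARTSLAPD
# whether it was running so it can be started again at the end.
slapd_stop
if slapcat 2> /dev/null | grep -q "dn: cn=all-hosts" ; then
  echo "info: found existing data (cn=all-hosts): skipping initalization"
  echo "info: use rm /var/lib/ldap/__db* /var/lib/ldap/*.bdb to reinitialize"
else
  init_ldap
  # Instead of registering unix groups in samba like this
  # net groupmap add unixgroup=teachers \
  # type=domain ntgroup="teachers" \
  # comment="All teachers in the institution"
  # we add the sambaSID attribute to LDAP objects when they are created,
  # with static RID part.
  ## initialize Kerberos KDC, use gosa-admin account to access ldap
  ## (GOSAPWD is set by init_ldap); a failure is reported but does not
  ## abort the rest of the bootstrap
  if [ -x /usr/share/debian-edu-config/tools/kerberos-kdc-init ] ; then
    if ! /usr/share/debian-edu-config/tools/kerberos-kdc-init "$GOSAPWD" ; then
      echo "error: critical: setting up Kerberos failed" 1>&2
    fi
  fi
fi
# Restart ldap server if we stopped it and it aint already running
SLAPPIDS=$(pidof slapd || /bin/true)
if [ true = "$RESTARTSLAPD" ] && [ -z "$SLAPPIDS" ] ; then
  /etc/init.d/slapd start
fi
# "user:group" form; the dotted form is a deprecated coreutils spelling
chown mail:mail /var/lib/maildirs/
#$MTAINIT start
## restart Kerberos KDC and admin server:
#/etc/init.d/krb5-kdc restart
#/etc/init.d/krb5-admin-server restart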