[Fedora-directory-users] Another one-button script - rebuild_fds.sh

Tay, Gary Gary_Tay at platts.com
Thu Apr 13 10:24:36 UTC 2006


FDS Folks,

Another automated script from me.

Gary

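#! /bin/sh
#
# rebuild_fds.sh - ReBuild Fedora Directory Server
#
# Gary Tay
#
# NOTE: This script will rebuild a FDS Server compatible with BOTH
#       RedHat and Solaris LDAP Clients
#
# 1) Make sure 'root' is used to run this script
# 2) Make sure /home/ldap/dirmgr.pwd contains the password of
#    cn=Directory Manager (the script forces it to mode 0600)
# 3) ns-slapd must already be running (see the ASSUMPTION banner)
#
# Backticks and plain [ ] tests are kept (rather than $(...) and [[ ]])
# so the script also runs under an old Bourne /bin/sh.
#
# The bind password is passed to ldapmodify via a file (-j), never on
# the command line, so it does not show up in 'ps' output or in the
# trace produced when the line below is enabled.
#set -vx

# Please customize the following
FDS1_PATH=/opt/fedora-ds
HOST=ldap1
DOMAIN="example.com"
BASEDN="dc=example,dc=com"
SLAPD_OWNER=nobody
SLAPD_GROUP=nobody
DIRMGR_PWD=/home/ldap/dirmgr.pwd
SCHEMA_DIR=$FDS1_PATH/slapd-$HOST/config/schema

LD_LIBRARY_PATH=$FDS1_PATH/shared/lib:$FDS1_PATH/lib
export LD_LIBRARY_PATH
PATH=$FDS1_PATH/shared/bin:$PATH; export PATH

# Must run as uid 0; match on the numeric uid rather than the name
# "root" so a renamed superuser account still passes.
case "`id`" in
   uid=0\(*) ;;
   *) echo "Please run this script as root" >&2
      exit 1 ;;
esac

if [ ! -f "$DIRMGR_PWD" ]; then
   echo "Please setup $DIRMGR_PWD." >&2
   exit 1
fi
chmod 600 "$DIRMGR_PWD"

echo "ASSUMPTION: This script assumes that you have performed"
echo "'rpm -e' and then 'rpm -ivh' to reinstall Fedora Directory Server"
echo "and you have re-run the setup program"
echo "ns-slapd should be running"
echo "Press [Ctrl-C] to abort, enter [Yes] to continue..."
read -r a_key
[ "$a_key" != "Yes" ] && exit 1

# Scratch LDIF files go into a private, unpredictable directory
# instead of fixed names in /tmp (this script runs as root, so a
# pre-planted symlink at a fixed name would be followed on write).
WORKDIR=`mktemp -d /tmp/rebuild_fds.XXXXXX` || {
   echo "mktemp failed; cannot create work directory" >&2
   exit 1
}
trap 'rm -rf "${WORKDIR:?}"' 0

#######################################
# Run ldapmodify as cn=Directory Manager on one LDIF file.
# Arguments: $1 - LDIF file; remaining args are extra ldapmodify
#            options (e.g. -a -c) placed before -f
# Outputs:   ldapmodify output on stdout; a warning on stderr if it fails
# Returns:   always continues, mirroring the original best-effort flow
#            (an existing ACI, for example, reports "Type or value exists")
#######################################
ldapmod() {
   ldif=$1
   shift
   "$FDS1_PATH/shared/bin/ldapmodify" -D "cn=Directory Manager" \
      -j "$DIRMGR_PWD" "$@" -f "$ldif" \
      || echo "WARNING: ldapmodify on $ldif exited with status $?" >&2
}

# Load schemas.  The delimiter is quoted: these files contain no shell
# variables, and the '$' separators in the MAY list must stay literal.
cat <<'EOF' >"$WORKDIR/61DUAConfigProfile.ldif"
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a client DUA should re-read this configuration profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server for a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )
EOF
cat <<'EOF' >"$WORKDIR/62nisDomain.ldif"
dn: cn=schema
attributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top STRUCTURAL MUST nisDomain X-ORIGIN 'user defined' )
EOF

# Install the schema files and restart ns-slapd so it picks them up.
# Without the new schema every later ldapmodify would fail, so a failed
# copy or restart aborts here instead of producing a cascade of errors.
/bin/cp -f "$WORKDIR/61DUAConfigProfile.ldif" "$WORKDIR/62nisDomain.ldif" \
   "$SCHEMA_DIR" || {
   echo "Failed to copy schema files into $SCHEMA_DIR" >&2
   exit 1
}
chown "$SLAPD_OWNER:$SLAPD_GROUP" \
   "$SCHEMA_DIR/61DUAConfigProfile.ldif" "$SCHEMA_DIR/62nisDomain.ldif"
"$FDS1_PATH/slapd-$HOST/stop-slapd"
"$FDS1_PATH/slapd-$HOST/start-slapd" || {
   echo "start-slapd failed; aborting" >&2
   exit 1
}

# Add nisDomainObject to the suffix entry
cat <<EOF >"$WORKDIR/add_nisDomainObject.ldif"
dn: $BASEDN
changetype: modify
add: objectclass
objectclass: nisdomainobject
-
replace: nisdomain
nisdomain: $DOMAIN

EOF
ldapmod "$WORKDIR/add_nisDomainObject.ldif"

# Add two ACIs:
#  1) users may not write their own account/shadow attributes
#  2) only the proxy agent may search/compare userPassword (read access
#     is NOT granted to anonymous or to the users themselves)
cat <<EOF >"$WORKDIR/add_two_ACIs.ldif"
dn: $BASEDN
changetype: modify
add: aci
aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
-
add: aci
aci: (target="ldap:///$BASEDN")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,$BASEDN";)

EOF
ldapmod "$WORKDIR/add_two_ACIs.ldif"

# Modify default password storage scheme.
# CRYPT is presumably required so clients that fetch userPassword through
# the proxy agent can verify it locally; it is the legacy DES crypt
# scheme, so keep it only while that client compatibility is needed.
cat <<EOF >"$WORKDIR/mod_passwordStorageScheme.ldif"
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: CRYPT
EOF
ldapmod "$WORKDIR/mod_passwordStorageScheme.ldif"

# Create ou=group, proxyAgent and ldapclient profiles.
# The two People entries below are sample accounts; replace them (and
# their password hashes) with your own before running on a real server.
cat <<EOF >"$WORKDIR/People.ldif"
dn: uid=gtay, ou=People, $BASEDN
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
userPassword: {CRYPT}U8bo2twhJ9Kkg

dn: uid=tuser, ou=People, $BASEDN
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=

EOF
ldapmod "$WORKDIR/People.ldif" -a -c

cat <<EOF >"$WORKDIR/group_and_other_OUs.ldif"
dn: ou=group,$BASEDN
objectClass: organizationalUnit
objectClass: top
ou: group

dn: cn=Users,ou=group,$BASEDN
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
memberUid: gtay
memberUid: tuser

dn: ou=netgroup,$BASEDN
objectClass: organizationalUnit
objectClass: top
ou: netgroup

dn: ou=sudoers,$BASEDN
objectClass: organizationalUnit
objectClass: top
ou: sudoers

EOF
ldapmod "$WORKDIR/group_and_other_OUs.ldif" -a -c

# The proxy agent's password hash below is a sample value; it is the
# credential every LDAP client will bind with, so set your own.
cat <<EOF >"$WORKDIR/proxyAgent_and_profiles.ldif"
dn: ou=profile,$BASEDN
objectClass: top
objectClass: organizationalUnit
ou: profile

dn: cn=proxyAgent,ou=profile,$BASEDN
objectClass: top
objectClass: person
cn: proxyAgent
sn: proxyAgent
userPassword: {CRYPT}l14aeXtphVSUg

dn: cn=default,ou=profile,$BASEDN
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: $HOST.$DOMAIN
defaultSearchBase: $BASEDN
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
bindTimeLimit: 2
serviceSearchDescriptor: passwd: ou=People,$BASEDN?one
serviceSearchDescriptor: group: ou=group,$BASEDN?one
serviceSearchDescriptor: shadow: ou=People,$BASEDN?one
serviceSearchDescriptor: netgroup: ou=netgroup,$BASEDN?one
serviceSearchDescriptor: sudoers: ou=sudoers,$BASEDN?one

dn: cn=tls_profile,ou=profile,$BASEDN
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: $HOST.$DOMAIN
defaultSearchBase: $BASEDN
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,$BASEDN?one
serviceSearchDescriptor: group: ou=group,$BASEDN?one
serviceSearchDescriptor: shadow: ou=People,$BASEDN?one
serviceSearchDescriptor: netgroup: ou=netgroup,$BASEDN?one
serviceSearchDescriptor: sudoers: ou=sudoers,$BASEDN?one

EOF
ldapmod "$WORKDIR/proxyAgent_and_profiles.ldif" -a -c

echo "Rebuild done."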
> 
> ===Sample Run===
> 
> # ./rebuild_fds.sh
> ASSUMPTION: This script assumes that you have performed
> 'rpm -e' and then 'rpm -ivh' to reinstall Fedora Directory Server
> and you have re-run the setup program
> ns-slapd should be running
> Press [Ctrl-C] to abort, enter [Yes] to continue...
> Yes
> modifying entry dc=example,dc=com
> 
> modifying entry dc=example,dc=com
> ldap_modify: Type or value exists
> 
> modifying entry cn=config
> 
> adding new entry uid=gtay, ou=People, dc=example,dc=com
> 
> adding new entry uid=tuser, ou=People, dc=example,dc=com
> 
> adding new entry ou=group,dc=example,dc=com
> 
> adding new entry cn=Users,ou=group,dc=example,dc=com
> 
> adding new entry ou=netgroup,dc=example,dc=com
> 
> adding new entry ou=sudoers,dc=example,dc=com
> 
> adding new entry ou=profile,dc=example,dc=com
> 
> adding new entry cn=proxyAgent,ou=profile,dc=example,dc=com
> 
> adding new entry cn=default,ou=profile,dc=example,dc=com
> 
> adding new entry cn=tls_profile,ou=profile,dc=example,dc=com
> 
> Rebuild done.

