#!/bin/sh
-REAL_PATH=$(realpath $(dirname $0))
-DATA_PATH=$(realpath $REAL_PATH/../data)
-
-
-INSTANCE_NAME=user
-
-
/usr/local/bin/restorefds.sh
-if [ $? -eq 0 ]
-then
- exit 0
-fi
-
-if [ ! -f $DATA_PATH/${INSTANCE_NAME}.inf ]
-then
- dscreate create-template $DATA_PATH/${INSTANCE_NAME}.inf
- vi $DATA_PATH/${INSTANCE_NAME}.inf
-fi
-
-dscreate from-file $DATA_PATH/${INSTANCE_NAME}.inf
-dsconf $INSTANCE_NAME config replace nsslapd-auditlog-logging-enabled=on
-dsconf $INSTANCE_NAME config replace nsslapd-auditfaillog-logging-enabled=on
-dsconf $INSTANCE_NAME plugin memberof enable
-dsconf $INSTANCE_NAME pwpolicy set \
- --pwdmustchange on \
- --pwdtrack on \
- --pwdexpire on \
- --pwdmaxage 31536000 \
- --pwdgracelimit 5 \
- --pwdlockout on \
- --pwdchecksyntax on \
- --pwdminlen 14 \
- --pwdmindigits 1 \
- --pwdminalphas 1 \
- --pwdminuppers 1 \
- --pwdminlowers 1 \
- --pwdminspecials 1 \
- --pwdmaxrepeats 3 \
- --pwdpalindrome on \
- --pwdmincatagories 4 \
- --pwddictcheck on
-
-LDIF_FILE=$(mktemp)
-echo 'dn: ou=people,dc=user,dc=hu' >$LDIF_FILE
-echo 'changetype: modify' >>$LDIF_FILE
-echo 'add: aci' >>$LDIF_FILE
-echo 'aci: (targetattr="pwdUpdateTime")(version 3.0; acl "Enable anyone read pwdUpda' >>$LDIF_FILE
-echo ' teTime"; allow(read)(userdn="ldap:///anyone");)' >>$LDIF_FILE
-
-ldapmodify -D "cn=Directory Manager" \
- -w Passw@rd01 \
- -f $LDIF_FILE
-rm --force $LDIF_FILE
-/usr/local/bin/replacedirsrvcerts.sh
+# from absolute zero:
+# dscreate create-template create.template
+# vi create.template
+# dscreate from-file create.template
do
LOGIN_UID=$(echo $LOGIN_MD5SUM | cut -c ${UID_POSITION}- | cut -c 1-4)
INT_UID=$(($UID_SHIFT + 16#$LOGIN_UID % 8192))
- grep $INT_UID $UIDS_FILE >/dev/null 2>&1
+ grep -w $INT_UID $UIDS_FILE >/dev/null 2>&1
if [ $? -eq 1 ]
then
echo $INT_UID >>$UIDS_FILE
+++ /dev/null
-
-;
-; This is a version 2 ds setup inf file.
-; It is used by the python versions of setup-ds-*
-; Most options map 1 to 1 to the original .inf file.
-; However, there are some differences that I envision
-; For example, note the split backend section.
-; You should be able to create, one, many or no backends in an install
-;
-; The special value {instance_name} is substituted at installation time.
-;
-; By default, all configuration parameters in this file are commented out.
-; To use an INF file with dscreate, you must at least set the parameters
-; flagged with [REQUIRED].
-
-[general]
-# defaults (str)
-# Description: Directory Server enables administrators to use the default values for cn=config entries from a specific version. If you set this parameter to "999999999", which is the default, the instance always uses the default values of the latest version. For example, to configure that the instance uses default values from version 1.3.5, set this parameter to "001003005". The format of this value is XXXYYYZZZ, where X is the major version, Y the minor version, and Z the patch level. Note that each part of the value uses 3 digits and must be filled with leading zeros if necessary.
-# Default value: 999999999
-;defaults = 999999999
-
-# full_machine_name (str)
-# Description: Sets the fully qualified hostname (FQDN) of this system. When installing this instance with GSSAPI authentication behind a load balancer, set this parameter to the FQDN of the load balancer and, additionally, set "strict_host_checking" to "false".
-# Default value: fds.useribm.hu
-;full_machine_name = fds.useribm.hu
-
-# start (bool)
-# Description: Starts the instance after the install completes. If false, the instance is created but started.
-# Default value: True
-start = False
-
-# strict_host_checking (bool)
-# Description: Sets whether the server verifies the forward and reverse record set in the "full_machine_name" parameter. When installing this instance with GSSAPI authentication behind a load balancer, set this parameter to "false". Container installs imply "false".
-# Default value: False
-;strict_host_checking = False
-
-[slapd]
-# instance_name (str)
-# Description: Sets the name of the instance. You can refer to this value in other parameters of this INF file using the "{instance_name}" variable. Note that this name cannot be changed after the installation!
-# Default value: localhost
-instance_name = __INSTANCE__
-
-# ldapi (str)
-# Description: Sets the location of socket interface of the Directory Server.
-# Default value: /run/slapd-{instance_name}.socket
-;ldapi = /run/slapd-{instance_name}.socket
-
-# port (int)
-# Description: Sets the TCP port the instance uses for LDAP connections.
-# Default value: 389
-;port = 389
-
-# root_password (str)
-# Description: Sets the password of the "cn=Directory Manager" account ("root_dn" parameter).You can either set this parameter to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility. The password must be at least 8 characters long. Note that setting a plain text password can be a security risk if unprivileged users can read this INF file!
-# Default value: Directory_Manager_Password
-root_password = Passw@rd01
-
-# secure_port (int)
-# Description: Sets the TCP port the instance uses for TLS-secured LDAP connections (LDAPS).
-# Default value: 636
-;secure_port = 636
-
-# self_sign_cert (bool)
-# Description: Sets whether the setup creates a self-signed certificate and enables TLS encryption during the installation. The certificate is not suitable for production, but it enables administrators to use TLS right after the installation. You can replace the self-signed certificate with a certificate issued by a Certificate Authority. If set to False, you can enable TLS later by importing a CA/Certificate and enabling 'dsconf <instance_name> config replace nsslapd-security=on'
-# Default value: True
-;self_sign_cert = True
-
-# self_sign_cert_valid_months (int)
-# Description: Set the number of months the issued self-signed certificate will be valid.
-# Default value: 24
-;self_sign_cert_valid_months = 24
-
-[backend-userroot]
-# create_suffix_entry (bool)
-# Description: Set this parameter to "True" to create a generic root node entry for the suffix in the database.
-# Default value: False
-create_suffix_entry = True
-
-# require_index (bool)
-# Description: Set this parameter to "True" to refuse unindexed searches in this database.
-# Default value: False
-;require_index = False
-
-# sample_entries (str)
-# Description: Set this parameter to 'yes' to add latest version of sample entries to this database. Or, use '001003006' to use the 1.3.6 version sample entries. Use this option, for example, to create a database for testing purposes.
-# Default value: no
-;sample_entries = no
-
-# suffix (str)
-# Description: Sets the root suffix stored in this database. If you do not uncomment and set the suffix attribute the install process will NOT create the backend/suffix. You can also create multiple backends/suffixes by duplicating this section.
-# Default value:
-suffix = dc=template,dc=instance
#!/bin/sh
-set -x
+#set -x
BACKUP_BASE=$(mktemp --directory)
TMP_PATH=$(dirname $BACKUP_BASE)
-mkdir $BACKUP_PATH
-dsctl --list | sed 's/^slapd-//' >>$BACKUP_PATH/instances
-cat $BACKUP_PATH/instances | while read INSTANCE
-do
- echo "Starting backup of $INSTANCE directory server instance"
+create_instance_create_template()
+{
+ INSTANCE=$1
+ CREATE_TEMPLATE=$2/$3
+
+ echo "[general]" >$CREATE_TEMPLATE
+ echo "start = False" >>$CREATE_TEMPLATE
+ echo "" >>$CREATE_TEMPLATE
+ echo "[slapd]" >>$CREATE_TEMPLATE
+ echo "instance_name = $INSTANCE" >>$CREATE_TEMPLATE
+ PORT=$(dsconf $INSTANCE config get nsslapd-port | cut -f 2 -d ' ')
+ echo "port = $PORT" >>$CREATE_TEMPLATE
+ SECURE_PORT=$(dsconf $INSTANCE config get nsslapd-securePort \
+ | cut -f 2 -d ' ')
+ echo "secure_port = $SECURE_PORT" >>$CREATE_TEMPLATE
+ SUFFIXES=$(dsconf $INSTANCE backend suffix list)
+ echo "$SUFFIXES" | while read SUFFIX_BACKEND
+ do
+ SUFFIX=$(echo $SUFFIX_BACKEND | cut -f 1 -d ' ')
+ BACKEND=$(echo $SUFFIX_BACKEND | cut -f 2 -d ' ' | tr -d '()')
+ echo "" >>$CREATE_TEMPLATE
+ echo "[backend-${BACKEND}]" >>$CREATE_TEMPLATE
+ echo "suffix = $SUFFIX" >>$CREATE_TEMPLATE
+ done
+}
+
+get_instance_status()
+{
+ INSTANCE=$1
+
INSTANCE_STATUS=$(dsctl $INSTANCE status)
echo $INSTANCE_STATUS | grep 'is running$' >/dev/null 2>&1
RC=$?
if [ $RC -eq 0 ]
then
- INSTANCE_ORIG_STATUS="running"
- echo "Stopping $INSTANCE directory server instance"
- dsctl $INSTANCE stop
+ echo "running"
else
- INSTANCE_ORIG_STATUS="not running"
+ echo "not running"
fi
- INSTANCE_STATUS=$(dsctl $INSTANCE status)
- echo $INSTANCE_STATUS | grep 'is not running$' >/dev/null 2>&1
+}
+
+start_instance()
+{
+ INSTANCE="$1"
+ PREFIX="$2"
+
+ INSTANCE_STATUS=$(get_instance_status $INSTANCE)
+ if [ "$INSTANCE_STATUS" == "running" ]
+ then
+ return 0
+ fi
+ echo "${PREFIX}Starting $INSTANCE directory server instance"
+ dsctl $INSTANCE start
+ INSTANCE_STATUS=$(get_instance_status $INSTANCE)
+ if [ "$INSTANCE_STATUS" == "running" ]
+ then
+ return 0
+ fi
+ echo "${PREFIX}Could not start $INSTANCE directory server instance" >&2
+ return 1
+}
+
+stop_instance()
+{
+ INSTANCE="$1"
+ PREFIX="$2"
+
+ INSTANCE_STATUS=$(get_instance_status $INSTANCE)
+ if [ "$INSTANCE_STATUS" == "not running" ]
+ then
+ return 0
+ fi
+ echo "${PREFIX}Stopping $INSTANCE directory server instance"
+ dsctl $INSTANCE stop
+ INSTANCE_STATUS=$(get_instance_status $INSTANCE)
+ if [ "$INSTANCE_STATUS" == "not running" ]
+ then
+ return 0
+ fi
+ echo "${PREFIX}Could not stop $INSTANCE directory server instance" >&2
+ return 1
+}
+
+
+mkdir $BACKUP_PATH
+dsctl --list | sed 's/^slapd-//' >>$TMP_PATH/instances
+while read INSTANCE
+do
+ echo "Starting backup of $INSTANCE directory server instance"
+ INSTANCE_ORIG_STATUS=$(get_instance_status $INSTANCE)
+ if [ "$INSTANCE_ORIG_STATUS" == "not running" ]
+ then
+ start_instance $INSTANCE " "
+ RC=$?
+ if [ $RC -ne 0 ]
+ then
+ exit $RC
+ fi
+ fi
+ mkdir $BACKUP_PATH/$INSTANCE
+ create_instance_create_template $INSTANCE \
+ $BACKUP_PATH/$INSTANCE \
+ create.template
+ stop_instance $INSTANCE " "
RC=$?
if [ $RC -ne 0 ]
then
- echo "Could not stop $INSTANCE directory server instance, exiting" >&2
- exit 1
+ exit $RC
+ fi
+ LDIF_PATH=/var/lib/dirsrv/slapd-$INSTANCE/ldif
+ grep '^\[backend-' $BACKUP_PATH/$INSTANCE/create.template \
+ | sed 's/^\[backend-\(.*\)\]$/\1/' | while read BACKEND
+ do
+ rm --force $LDIF_PATH/${BACKEND}.ldif
+ echo " Backing up $INSTANCE directory server instance (${BACKEND})"
+ dsctl $INSTANCE db2ldif $BACKEND $LDIF_PATH/${BACKEND}.ldif
+ cp --archive $LDIF_PATH/${BACKEND}.ldif $BACKUP_PATH/$INSTANCE
+ done
+ if [ "$1" == "--norestart" ]
+ then
+ INSTANCE_ORIG_STATUS="not running"
fi
- echo "Backing up $INSTANCE directory server instance"
- rm --force --recursive $TMP_PATH/$INSTANCE
- dsctl $INSTANCE db2bak $TMP_PATH/$INSTANCE
- mv $TMP_PATH/$INSTANCE $BACKUP_PATH
- tar --create \
- --file $BACKUP_PATH/${INSTANCE}.etc.tar \
- /etc/dirsrv/slapd-$INSTANCE
if [ "$INSTANCE_ORIG_STATUS" == "running" ]
then
- echo "Restarting $INSTANCE directory server instance"
- dsctl $INSTANCE start
+ start_instance $INSTANCE " "
+ RC=$?
+ if [ $RC -ne 0 ]
+ then
+ exit $RC
+ fi
fi
echo "Finished backup of $INSTANCE directory server instance"
-done
+done <$TMP_PATH/instances
echo "Creating backup archive"
tar --create \
backup
rm --force --recursive $BACKUP_BASE
+rm --force $TMP_PATH/instances
#!/bin/sh
-INSTANCE_NAME=user
+DIRSRV_INSTANCE=$1
+LETSENCRYPT_BASE_PATH=/etc/letsencrypt
+LETSENCRYPT_CERT_NAME=useribm
TMP_PATH=$(mktemp --directory)
-if [ -d /etc/letsencrypt ]
+if [ -d $LETSENCRYPT_BASE_PATH ]
then
- LETSENCRYPT_BASE=/etc/letsencrypt
- CERT_PATH=$LETSENCRYPT_BASE/live/useribm
+ CERT_PATH=$LETSENCRYPT_BASE_PATH/live/$LETSENCRYPT_CERT_NAME
for CACERT in ca-certificate certificate
do
- dsconf $INSTANCE_NAME security $CACERT list \
+ dsconf $DIRSRV_INSTANCE security $CACERT list \
| grep '^Certificate Name:' | cut -f 2- -d ':' \
| while read CACERT_NAME
do
- dsconf $INSTANCE_NAME security $CACERT del "$CACERT_NAME"
+ dsconf $DIRSRV_INSTANCE security $CACERT del "$CACERT_NAME"
done
done
CA_SERIAL=0
cat $CERT_PATH/chain.pem | while read LINE
do
- echo $LINE | grep 'BEGIN CERTIFICATE'
+ echo $LINE | grep --quiet 'BEGIN CERTIFICATE'
if [ $? -eq 0 ]
then
- CA_SERIAL=$(( $CA_SERIAL + 1 ))
+ CA_SERIAL=$(($CA_SERIAL + 1))
CA_FILE=$TMP_PATH/ca${CA_SERIAL}.pem
fi
echo $LINE >>$CA_FILE
do
CERT_SUBJECT=$(openssl x509 -noout -subject -in $CERT_FILE \
| sed 's/^.*O \?= \?\([^,]*\), \?CN \?= \?\(.*\)$/\1 \2/')
- dsconf $INSTANCE_NAME security ca-certificate add \
+ dsconf $DIRSRV_INSTANCE security ca-certificate add \
--file $CERT_FILE \
--name "$CERT_SUBJECT"
done
# cannot use dsconf, need key as well
- dsctl $INSTANCE_NAME tls import-server-key-cert \
+ dsctl $DIRSRV_INSTANCE tls import-server-key-cert \
$CERT_PATH/cert.pem \
$CERT_PATH/privkey.pem
- dsctl $INSTANCE_NAME restart
+ dsctl $DIRSRV_INSTANCE restart
fi
rm --force --recursive $TMP_PATH
#!/bin/sh
-set -x
+#set -x
DIRSRV_BACKUP_BASE=/var/lib/dirsrv
TMP_PATH=$(dirname $RESTORE_BASE)
+get_instance_status()
+{
+ INSTANCE=$1
+
+ INSTANCE_STATUS=$(dsctl $INSTANCE status)
+ echo $INSTANCE_STATUS | grep 'is running$' >/dev/null 2>&1
+ RC=$?
+ if [ $RC -eq 0 ]
+ then
+ echo "running"
+ else
+ echo "not running"
+ fi
+}
+
+start_instance()
+{
+ INSTANCE="$1"
+ PREFIX="$2"
+
+ INSTANCE_STATUS=$(get_instance_status $INSTANCE)
+ if [ "$INSTANCE_STATUS" == "running" ]
+ then
+ return 0
+ fi
+ echo "${PREFIX}Starting $INSTANCE directory server instance"
+ dsctl $INSTANCE start
+ INSTANCE_STATUS=$(get_instance_status $INSTANCE)
+ if [ "$INSTANCE_STATUS" == "running" ]
+ then
+ return 0
+ fi
+ echo "${PREFIX}Could not start $INSTANCE directory server instance" >&2
+ return 1
+}
+
+stop_instance()
+{
+ INSTANCE="$1"
+ PREFIX="$2"
+
+ INSTANCE_STATUS=$(get_instance_status $INSTANCE)
+ if [ "$INSTANCE_STATUS" == "not running" ]
+ then
+ return 0
+ fi
+ echo "${PREFIX}Stopping $INSTANCE directory server instance"
+ dsctl $INSTANCE stop
+ INSTANCE_STATUS=$(get_instance_status $INSTANCE)
+ if [ "$INSTANCE_STATUS" == "not running" ]
+ then
+ return 0
+ fi
+ echo "${PREFIX}Could not stop $INSTANCE directory server instance" >&2
+ return 1
+}
+
+
if [ ! -f $POSTINSTALL_SCP_PATH/fds.tar ]
then
echo "No restore file found, exiting" >&2
--directory=$RESTORE_BASE \
--file $POSTINSTALL_SCP_PATH/fds.tar
-cat $RESTORE_PATH/instances | while read INSTANCE
+ls $RESTORE_PATH | while read INSTANCE
do
echo "Starting restore of $INSTANCE directory server instance"
INSTANCE_EXISTS=$(dsctl --list | grep -w $INSTANCE | wc -l)
if [ $INSTANCE_EXISTS -eq 1 ]
then
- INSTANCE_STATUS=$(dsctl $INSTANCE status)
- echo $INSTANCE_STATUS | grep 'is running$' >/dev/null 2>&1
- RC=$?
- if [ $RC -eq 0 ]
- then
- echo "Stopping $INSTANCE directory server instance"
- dsctl $INSTANCE stop
- fi
- INSTANCE_STATUS=$(dsctl $INSTANCE status)
- echo $INSTANCE_STATUS | grep 'is not running$' >/dev/null 2>&1
- RC=$?
- if [ $RC -ne 0 ]
+ INSTANCE_STATUS=$(get_instance_status $INSTANCE)
+ if [ "$INSTANCE_STATUS" == "running" ]
then
- echo "Could not stop $INSTANCE directory server instance, exiting" >&2
- exit 1
+ stop_instance $INSTANCE " "
+ RC=$?
+ if [ $RC -ne 0 ]
+ then
+ exit $RC
+ fi
fi
else
- sed "s/__INSTANCE__/$INSTANCE/" \
- <$POSTINSTALL_DATA_PATH/template.inf \
- >$POSTINSTALL_DATA_PATH/${INSTANCE}.inf
- dscreate from-file $POSTINSTALL_DATA_PATH/${INSTANCE}.inf
- #rm --force $POSTINSTALL_DATA_PATH/${INSTANCE}.inf
+ dscreate from-file $RESTORE_PATH/$INSTANCE/create.template
fi
- echo "Restoring $INSTANCE directory server instance"
- rm --force --recursive /etc/dirsrv/slapd-$INSTANCE/*
- tar --extract \
- --directory=/ \
- --file $RESTORE_PATH/${INSTANCE}.etc.tar
- INSTANCE_RESTORE_PATH=$DIRSRV_BACKUP_BASE/slapd-$INSTANCE/bak/restore
- rm --force --recursive $INSTANCE_RESTORE_PATH
- cp --archive $RESTORE_PATH/$INSTANCE $INSTANCE_RESTORE_PATH
- dsctl $INSTANCE bak2db $INSTANCE_RESTORE_PATH
- echo "(Re)starting $INSTANCE directory server instance"
- dsctl $INSTANCE start
+ echo " Restoring $INSTANCE directory server backend(s)"
+ INSTANCE_LDIF_PATH=$DIRSRV_BACKUP_BASE/slapd-$INSTANCE/ldif
+ ls $RESTORE_PATH/$INSTANCE/*.ldif | while read FQ_LDIF_FILE
+ do
+ LDIF_FILE=$(basename $FQ_LDIF_FILE)
+ cp --archive $FQ_LDIF_FILE $INSTANCE_LDIF_PATH
+ BACKEND=$(basename $LDIF_FILE .ldif)
+ dsctl $INSTANCE ldif2db $BACKEND $INSTANCE_LDIF_PATH/$LDIF_FILE
+ done
+ start_instance $INSTANCE " "
+ if [ $INSTANCE_EXISTS -eq 0 ]
+ then
+ dsconf $INSTANCE config replace nsslapd-auditlog-logging-enabled=on
+ dsconf $INSTANCE config replace nsslapd-auditfaillog-logging-enabled=on
+ dsconf $INSTANCE plugin memberof enable
+ dsconf $INSTANCE pwpolicy set \
+ --pwdtrack on \
+ --pwdmustchange on \
+ --pwdlockout on \
+ --pwdchecksyntax on \
+ --pwdminlen 10 \
+ --pwdmindigits 1 \
+ --pwdminuppers 1 \
+ --pwdminlowers 1 \
+ --pwdminspecials 1 \
+ --pwdmaxrepeats 2 \
+ --pwdmincatagories 4 \
+ --pwddictcheck on
+ fi
+ /usr/local/bin/replacedirsrvcerts.sh $INSTANCE
echo "Restored $INSTANCE directory server instance"
done
# target_host target_user target_executable
-fds.in.useribm.hu root /usr/local/bin/backupfds.sh
+fds.in.useribm.hu root /usr/local/bin/backupfds.sh --norestart
https://git.useribm.hu / user-lxc.git / commitdiff