Added ldap.usr (cvm -> vhost migration, Fedora 31 upgrade).
authorZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Tue, 5 Nov 2019 14:05:29 +0000 (15:05 +0100)
committerZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Tue, 5 Nov 2019 14:05:29 +0000 (15:05 +0100)
38 files changed:
sources/ldap.usr/config [new file with mode: 0644]
sources/ldap.usr/envvars [new file with mode: 0644]
sources/ldap.usr/firstboot/01_setupnetworking.sh [new file with mode: 0755]
sources/ldap.usr/firstboot/02_settimezone.sh [new file with mode: 0755]
sources/ldap.usr/firstboot/10_createldapcert.sh [new file with mode: 0755]
sources/ldap.usr/firstboot/11_createusers.sh [new file with mode: 0755]
sources/ldap.usr/firstboot/20_setupldap.sh [new file with mode: 0755]
sources/ldap.usr/firstboot/99_cleanup.sh [new file with mode: 0755]
sources/ldap.usr/firstboot/USERS.txt [new file with mode: 0644]
sources/ldap.usr/firstboot/pwd.txt [new file with mode: 0644]
sources/ldap.usr/firstboot/replacerootpw.ldif [new file with mode: 0644]
sources/ldap.usr/firstboot/setup0config.ldif [new file with mode: 0644]
sources/ldap.usr/firstboot/setup1monitor.ldif [new file with mode: 0644]
sources/ldap.usr/firstboot/setup2mdb.ldif [new file with mode: 0644]
sources/ldap.usr/firstboot/setupdomain.ldif [new file with mode: 0644]
sources/ldap.usr/firstboot/setuptls.ldif [new file with mode: 0644]
sources/ldap.usr/firstboot/user_template.ldif [new file with mode: 0644]
sources/ldap.usr/postinstall/01_setownership.sh [new file with mode: 0755]
sources/ldap.usr/postinstall/02_setpermissions.sh [new file with mode: 0755]
sources/ldap.usr/postinstall/03_installfiles.sh [new file with mode: 0755]
sources/ldap.usr/postinstall/10_setupservices.sh [new file with mode: 0755]
sources/ldap.usr/postinstall/20_setupsshldap.sh [new file with mode: 0755]
sources/ldap.usr/postinstall/99_cleanup.sh [new file with mode: 0755]
sources/ldap.usr/postinstall/install/etc/hosts [new file with mode: 0644]
sources/ldap.usr/postinstall/install/etc/openldap/ldap.conf [new file with mode: 0644]
sources/ldap.usr/postinstall/install/etc/pki/tls/certs/slapd.crt [new file with mode: 0644]
sources/ldap.usr/postinstall/install/etc/pki/tls/certs/slapd.key [new file with mode: 0644]
sources/ldap.usr/postinstall/install/etc/ssh/ldap.conf [new file with mode: 0644]
sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_ecdsa_key [new file with mode: 0644]
sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_ecdsa_key.pub [new file with mode: 0644]
sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_ed25519_key [new file with mode: 0644]
sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_ed25519_key.pub [new file with mode: 0644]
sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_rsa_key [new file with mode: 0644]
sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_rsa_key.pub [new file with mode: 0644]
sources/ldap.usr/postinstall/install/etc/sssd/sssd.conf [new file with mode: 0644]
sources/ldap.usr/postinstall/install/etc/sysctl.d/01-ipv6.conf [new file with mode: 0644]
sources/ldap.usr/postinstall/install/var/lib/ldap/DB_CONFIG [new file with mode: 0644]
sources/ldap.usr/preinstall/01_backupldapdb.sh [new file with mode: 0755]

diff --git a/sources/ldap.usr/config b/sources/ldap.usr/config
new file mode 100644 (file)
index 0000000..1068360
--- /dev/null
@@ -0,0 +1,22 @@
+lxc.include = /usr/share/lxc/config/common.conf
+
+lxc.arch = x86_64
+lxc.uts.name = ldap.usr.user.hu
+lxc.rootfs.path = __CONTAINER_PATH__/rootfs
+lxc.mount.auto = proc:rw sys:ro
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.link = bri-dev
+lxc.net.0.hwaddr = 02:0c:18:03:6d:fc
+
+lxc.cgroup.devices.allow =
+lxc.cgroup.devices.deny =
+
+lxc.autodev = 1
+
+lxc.signal.halt = SIGRTMIN+4
+
+lxc.start.auto = 1
+lxc.start.order = 24
+lxc.start.delay = 3
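Review bot: `lxc.cgroup.devices.allow =` and `lxc.cgroup.devices.deny =` with empty values clear the device lists inherited from common.conf, which as far as I can tell leaves this container with no device-cgroup restriction at all, and `lxc.mount.auto = proc:rw` overrides the `proc:mixed` that common.conf normally sets, so /proc/sys becomes writable from inside. No `lxc.idmap` is configured, so these relaxations apply to a container whose root is real root on the host. If a specific device is needed, re-add an explicit allow line for it rather than clearing the whitelist, and note the reason, e.g. `# device cgroup relaxed for <device> — TODO(review): restore explicit allow list`; keep `proc:mixed` unless something in the container must write to /proc/sys.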
diff --git a/sources/ldap.usr/envvars b/sources/ldap.usr/envvars
new file mode 100644 (file)
index 0000000..7cabee7
--- /dev/null
@@ -0,0 +1,5 @@
+DISTRIBUTION=Fedora
+DISTRIBUTION_VERSION=31
+BASE_PACKAGES="NetworkManager hostname initscripts iproute iputils logrotate rootfiles rsyslog tar vim-minimal"
+SPEC_PACKAGES="openssh-server openssh-clients openssh-ldap sudo"
+SPEC_PACKAGES="$SPEC_PACKAGES authselect openldap-servers openldap-clients nss-pam-ldapd oddjob-mkhomedir pam_ssh passwd python3 sssd-ldap"
diff --git a/sources/ldap.usr/firstboot/01_setupnetworking.sh b/sources/ldap.usr/firstboot/01_setupnetworking.sh
new file mode 100755 (executable)
index 0000000..e78cb34
--- /dev/null
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active NetworkManager.service
+NM_RC=$?
+WAITED=0
+while [ $NM_RC -ne 0 ]
+do
+    echo -n .
+    sleep 1
+    WAITED=1
+    systemctl --quiet is-active NetworkManager.service
+    NM_RC=$?
+done
+[ $WAITED -eq 1 ] && echo
+
+CONNECTIONS=$(nmcli --terse connection show | wc -l)
+while [ $CONNECTIONS -ne 1 ]
+do
+    echo "Number of connections: $CONNECTIONS" >&2
+    sleep 1
+    CONNECTIONS=$(nmcli --terse connection show | wc -l)
+done
+
+nmcli --terse connection show | grep ':$' >/dev/null
+ALL_CONNECTION_DEVICES_KNOWN=$?
+while [ $ALL_CONNECTION_DEVICES_KNOWN -eq 0 ]
+do
+    echo "Not all connection devices are known yet" >&2
+    sleep 1
+    nmcli --terse connection show | grep ':$' >/dev/null
+    ALL_CONNECTION_DEVICES_KNOWN=$?
+done
+
+CONNECTION_LINE=$(nmcli --terse connection show)
+CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+CONNECTION_DEVICE=$(echo $CONNECTION_LINE | cut -f 4 -d ':')
+
+nmcli connection delete uuid "$CONNECTION_UUID"
+
+nmcli connection add \
+    connection.autoconnect yes \
+    connection.id internal \
+    connection.interface-name $CONNECTION_DEVICE \
+    connection.type 802-3-ethernet \
+    ipv4.addresses "10.228.109.252/16" \
+    ipv4.dns "10.228.109.104, 10.228.109.253" \
+    ipv4.dns-search "usr.user.hu" \
+    ipv4.gateway "10.228.109.254" \
+    ipv4.method "manual" \
+    ipv6.method "ignore" \
+    save yes
+
+nmcli connection show
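Review bot: The three wait loops (`while [ $NM_RC -ne 0 ]`, `while [ $CONNECTIONS -ne 1 ]`, `while [ $ALL_CONNECTION_DEVICES_KNOWN -eq 0 ]`) have no upper bound, so a container that comes up with zero or two NetworkManager connections hangs first boot forever instead of failing; the same pattern is in 02_settimezone.sh and in the slapd wait in 20_setupldap.sh. Bound each with a counter, e.g. `TRIES=$((TRIES + 1)); [ $TRIES -gt 60 ] && { echo "timed out waiting" >&2; exit 1; }` inside the loop body. Separately, `echo -n` and the unquoted `$CONNECTION_LINE`/`$CONNECTION_DEVICE` rely on bash behaviour under a `#!/bin/sh` shebang; either change the shebang to `#!/bin/bash` or use `printf '%s' .` and quote the expansions.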
diff --git a/sources/ldap.usr/firstboot/02_settimezone.sh b/sources/ldap.usr/firstboot/02_settimezone.sh
new file mode 100755 (executable)
index 0000000..20b2a71
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active dbus.service
+DBUS_RC=$?
+WAITED=0
+while [ $DBUS_RC -ne 0 ]
+do
+    if [ $WAITED -eq 0 ]
+    then
+        echo -n "Waiting for dbus.service"
+    fi
+    echo -n .
+    sleep 1
+    WAITED=1
+    systemctl --quiet is-active dbus.service
+    DBUS_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+timedatectl set-timezone Europe/Budapest
diff --git a/sources/ldap.usr/firstboot/10_createldapcert.sh b/sources/ldap.usr/firstboot/10_createldapcert.sh
new file mode 100755 (executable)
index 0000000..3ad9be8
--- /dev/null
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -x
+
+read -n 1 -p "Recreate ldap certificate? y/[n] " -t 5 RECREATE
+if [ "$RECREATE" = "y" ]
+then
+    cd /etc/pki/tls/certs
+    openssl genrsa -aes128 2048 >tmp.key
+    openssl rsa -in tmp.key -out slapd.key
+    openssl req -utf8 -new -key slapd.key -out slapd.csr
+    openssl x509 -in slapd.csr -out slapd.crt -req -signkey slapd.key -days 3650
+    chmod 600 slapd.key
+    rm -f slapd.csr tmp.key
+fi
+
+cp -p /etc/pki/tls/certs/slapd.key \
+      /etc/pki/tls/certs/slapd.crt \
+      /etc/pki/tls/certs/ca-bundle.crt \
+      /etc/openldap/certs/
+
+chown ldap.ldap /etc/openldap/certs/slapd.key \
+                /etc/openldap/certs/slapd.crt \
+                /etc/openldap/certs/ca-bundle.crt
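Review bot: `cd /etc/pki/tls/certs` is unchecked, so if it fails the key, CSR and certificate are written into whatever the current directory happens to be, and `slapd.key` is created by `openssl rsa -out` under the default umask and only tightened by the later `chmod 600`. Use `cd /etc/pki/tls/certs || exit 1` and put `umask 077` before the openssl calls so neither `slapd.key` nor `tmp.key` is ever group/world readable, even briefly. Also `read -n 1 -p ... -t 5` is bash-only syntax under `#!/bin/sh` (same in 20_setupldap.sh); it works where /bin/sh is bash, but the shebang should say so.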
diff --git a/sources/ldap.usr/firstboot/11_createusers.sh b/sources/ldap.usr/firstboot/11_createusers.sh
new file mode 100755 (executable)
index 0000000..99eb9c7
--- /dev/null
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+
+REAL_PATH=$(realpath $(dirname $0))
+
+
+>$REAL_PATH/SEED.txt
+>$REAL_PATH/UIDS.txt
+cat $REAL_PATH/USERS.txt | while read LINE
+do
+    COMPACT_LINE=$(echo $LINE | sed 's/, /,/g')
+    LOGIN=$(echo $COMPACT_LINE | cut -f 1 -d ',')
+    LOGIN_MD5SUM=$(echo $LOGIN | md5sum | awk '{print $1}')
+    UID_POSITION=30
+    UID_IS_UNIQUE=0
+    while [ $UID_IS_UNIQUE -eq 0 ]
+    do
+        LOGIN_UID=$(echo $LOGIN_MD5SUM | cut -c ${UID_POSITION}- | cut -c 1-3)
+        grep $LOGIN_UID $REAL_PATH/SEED.txt >/dev/null 2>&1
+        if [ $? -eq 1 ]
+        then
+            INT_UID=$(python3 -c "print(10000 + int('$LOGIN_UID', 16))")
+            HEX_UID=$(python3 -c "print(hex($INT_UID))")
+            #echo $LOGIN $LOGIN_MD5SUM $LOGIN_UID $INT_UID $HEX_UID
+            echo $LOGIN_UID >>$REAL_PATH/SEED.txt
+            echo "${INT_UID},${HEX_UID},$COMPACT_LINE" >>$REAL_PATH/UIDS.txt
+            UID_IS_UNIQUE=1
+        else
+            UID_POSITION=$(( $UID_POSITION - 1 ))
+            echo "shifted $LOGIN to $UID_POSITION"
+            if [ $UID_POSITION -eq 0 ]
+            then
+                echo "Cannot generate unique uid for $LOGIN" >&2
+                exit 1
+            fi
+        fi
+    done
+    #echo $LOGIN $LOGIN_UID $INT_UID $LOGIN_MD5SUM
+done
+
+>$REAL_PATH/setupusers.ldif
+cat $REAL_PATH/UIDS.txt | while read LINE
+do
+    INT_UID=$(echo $LINE | cut -f 1 -d ',')
+    HEX_UID=$(echo $LINE | cut -f 2 -d ',')
+    LOGIN=$(echo $LINE | cut -f 3 -d ',')
+    FIRSTNAME=$(echo $LINE | cut -f 4 -d ',')
+    LASTNAME=$(echo $LINE | cut -f 5 -d ',')
+    MAIL_ADDRESS=$(echo $LINE | cut -f 6 -d ',')
+    MOBILE_NUMBER=$(echo $LINE | cut -f 7 -d ',')
+    sed -e "s/__UID__/$INT_UID/" \
+        -e "s/__LOGIN__/$LOGIN/" \
+        -e "s/__FIRSTNAME__/$FIRSTNAME/" \
+        -e "s/__LASTNAME__/$LASTNAME/" \
+        -e "s/__MAIL__/$MAIL_ADDRESS/" \
+        -e "s/__MOBILE__/$MOBILE_NUMBER/" \
+        <$REAL_PATH/user_template.ldif \
+        >>$REAL_PATH/setupusers.ldif
+done
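Review bot: The `exit 1` after "Cannot generate unique uid" runs inside the `cat ... | while read` pipeline, so it only terminates the subshell; the script continues to the second loop and writes setupusers.ldif from a partial UIDS.txt. Feed the loops from a redirection instead, `while read -r LINE; do ...; done <"$REAL_PATH/USERS.txt"` (and likewise for UIDS.txt), so the exit status propagates and `read -r` stops backslash interpretation. The fields are pasted unescaped into `sed` replacement patterns, so a `/` or `&` in a name, mail or mobile field would corrupt the generated LDIF; the current USERS.txt has none, but a comment such as `# fields must not contain , / or &` next to the loop would warn whoever edits it.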
diff --git a/sources/ldap.usr/firstboot/20_setupldap.sh b/sources/ldap.usr/firstboot/20_setupldap.sh
new file mode 100755 (executable)
index 0000000..d177823
--- /dev/null
@@ -0,0 +1,54 @@
+#!/bin/sh
+set -x
+
+REAL_PATH=$(realpath $(dirname $0))
+SLAPD_RUNNING=0
+
+
+while [ $SLAPD_RUNNING -ne 1 ]
+do
+    echo -n '.'
+    sleep 1
+    systemctl --quiet is-active slapd.service
+    SLAPD_RUNNING=$(( $? + 1 ))
+done
+
+read -n 1 -p "Recreate ldap database? y/[n] " -t 5 RECREATE
+
+ldapadd -Y EXTERNAL -H ldapi:/// -f $REAL_PATH/setup0config.ldif
+ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
+ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
+ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
+ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/doc/openssh-ldap/openssh-lpk-openldap.ldif
+ldapmodify -Y EXTERNAL -H ldapi:/// -f $REAL_PATH/setup1monitor.ldif
+ldapmodify -Y EXTERNAL -H ldapi:/// -f $REAL_PATH/setup2mdb.ldif
+ldapmodify -Y EXTERNAL -H ldapi:/// -f $REAL_PATH/setuptls.ldif
+if [ "$RECREATE" = "y" ]
+then
+    ldapadd -x -D cn=Manager,dc=user,dc=hu -w pwd -f $REAL_PATH/setupdomain.ldif
+    ldapadd -x -D cn=Manager,dc=user,dc=hu -w pwd -f $REAL_PATH/setupusers.ldif
+fi
+ldapmodify -Y EXTERNAL -H ldapi:/// -f $REAL_PATH/replacerootpw.ldif
+
+if [ "$RECREATE" != "y" ]
+then
+    systemctl stop slapd.service
+    slapadd -n 2 -l $REAL_PATH/data.ldif
+    chown -R ldap.ldap /var/lib/ldap
+    systemctl start slapd.service
+fi
+
+authselect select sssd with-mkhomedir --force
+systemctl restart oddjobd.service
+systemctl restart sssd.service
+
+# back up passwords
+#ldapsearch -x -D cn=Manager,dc=user,dc=hu -W -b "ou=People,dc=user,dc=hu" "objectClass=*" userPassword shadowLastChange
+
+# back up openldap
+#slapcat -n 0 >/tmp/config.ldif
+#slapcat -n 2 >/tmp/data.ldif
+
+# restore openldap
+#slapadd -n 0 -F /etc/openldap/slapd.d -l /tmp/config.ldif
+#slapadd -n 2 -F /etc/openldap/slapd.d -l /tmp/data.ldif
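Review bot: With `set -x` at the top, `ldapadd -x -D cn=Manager,dc=user,dc=hu -w pwd` prints the bind password in the trace and exposes it in the process list for the duration of the call; pass it through a mode-600 file with `-y <pwfile>` that is removed afterwards, or at least bracket the two calls with `set +x`/`set -x`. None of the ldapadd/ldapmodify/slapadd calls are checked, so a failed schema, ACL or data load is only visible in the trace and the script still switches authselect and restarts sssd as if setup had succeeded; appending `|| exit 1` to each, or `set -e` after the wait loop, makes a partial setup fail loudly. The `add:` entries in setup0config.ldif and setup2mdb.ldif also mean a rerun against an already configured slapd fails at the first ldapmodify, which is worth a comment at the top of the script.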
diff --git a/sources/ldap.usr/firstboot/99_cleanup.sh b/sources/ldap.usr/firstboot/99_cleanup.sh
new file mode 100755 (executable)
index 0000000..b87f2f4
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
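Review bot: `echo rm -Rf $REAL_PATH` only prints the command, so the firstboot directory — USERS.txt with personal contact data, the generated UIDS.txt and setupusers.ldif, pwd.txt and the restored data.ldif — stays on the container; postinstall/99_cleanup.sh has the identical line. If the echo is a deliberate dry run, say so with a comment such as `# dry run: cleanup is still done manually`; otherwise drop the `echo` and guard the path, `rm -Rf -- "${REAL_PATH:?}"`.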
diff --git a/sources/ldap.usr/firstboot/USERS.txt b/sources/ldap.usr/firstboot/USERS.txt
new file mode 100644 (file)
index 0000000..7c6bc48
--- /dev/null
@@ -0,0 +1,18 @@
+akosztolanyi,  Árpád,                Kosztolányi,   arpad.kosztolanyi@userrendszerhaz.hu,   +36 20 583 7539
+azsamboki,     Attila,         Zsámboki,      attila.zsamboki@userrendszerhaz.hu,     +36 20 980 6592
+bcsoka,                Barnabás,      Csóka,         barnabas.csoka@userrendszerhaz.hu,      +36 30 939 7023
+csgulyas,      Csaba,          Gulyás,                csaba.gulyas@userrendszerhaz.hu,        +36 30 374 4065
+cslevai,       Csilla,         Lévai,         csilla.levai@userrendszerhaz.hu,        +36 30 280 8517
+dhorvath,      Dénes,         Horváth,       denes.horvath@userrendszerhaz.hu,       +36 30 971 8563
+dvasary,       Dániel,                Vásáry,               daniel.vasary@userrendszerhaz.hu,       +36 30 515 9417
+fritter,       Ferenc,         Ritter,         ferenc.ritter@userrendszerhaz.hu,       +36 20 937 8022
+fschnell,      Ferenc,         Schnellbach,    ferenc.schnellbach@userrendszerhaz.hu,  +36 30 950 2529
+ibartakovics,  István,                Bartakovics,    istvan.bartakovics@userrendszerhaz.hu,  +36 30 630 4920
+ifabian,       Ildikó,                Fábián,               ildiko.fabian@userrendszerhaz.hu,       +36 30 239 9891
+khorvath,      Kálmán,               Horváth,       kalman.horvath@userrendszerhaz.hu,      +36 20 444 8693
+kkele,         Károly,                Kele,           karoly.kele@userrendszerhaz.hu,         +36 70 942 2450
+mszabo,                Marcell,        Szabó,         marcell.szabo@userrendszerhaz.hu,       +36 70 458 1234
+rrendek,       Róbert,                Rendek,         robert.rendek@userrendszerhaz.hu,       +36 30 977 5888
+tlevai,                Tibor,          Lévai,         tibor.levai@userrendszerhaz.hu,         +36 30 297 6481
+zbartakovics,  Zoltán,                Bartakovics,    zoltan.bartakovics@userrendszerhaz.hu,  +36 30 944 0299
+zfelleg,       Zoltán,                Felleg,         zoltan.felleg@userrendszerhaz.hu,       +36 20 954 1513
diff --git a/sources/ldap.usr/firstboot/pwd.txt b/sources/ldap.usr/firstboot/pwd.txt
new file mode 100644 (file)
index 0000000..d096bb7
--- /dev/null
@@ -0,0 +1,2 @@
+temp (pwd): {SSHA}PaJYPlbWfzdt301XlzPy7PhfJkIDohyc
+final     : {SSHA}RWEH1A6dxFFVufJrFI5BchIyq3AIAq4I
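Review bot: This file records the cleartext temporary root password (`pwd`, the same value used on the 20_setupldap.sh command line) alongside the {SSHA} hashes of both the temporary and the final root passwords, which are committed again in setup0config.ldif, setup2mdb.ldif and replacerootpw.ldif, and user_template.ldif ships one shared initial user hash the same way. {SSHA} is a single salted SHA-1 round, so anyone who can read the repository can attack the final hash offline at low cost. Generate the hashes at first boot with `slappasswd` from a password supplied outside the tree, drop this file, and treat the currently committed passwords as exposed.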
diff --git a/sources/ldap.usr/firstboot/replacerootpw.ldif b/sources/ldap.usr/firstboot/replacerootpw.ldif
new file mode 100644 (file)
index 0000000..275d24c
--- /dev/null
@@ -0,0 +1,4 @@
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: {SSHA}RWEH1A6dxFFVufJrFI5BchIyq3AIAq4I
diff --git a/sources/ldap.usr/firstboot/setup0config.ldif b/sources/ldap.usr/firstboot/setup0config.ldif
new file mode 100644 (file)
index 0000000..15347ac
--- /dev/null
@@ -0,0 +1,9 @@
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+add: olcRootPW
+olcRootPW: {SSHA}Qta8GXQLA1k8WpxRd9FQ2qzi3jcJBfob
+
+#dn: cn=config
+#changetype: modify
+#replace: olcLogLevel
+#olcLogLevel: Conns ACL
diff --git a/sources/ldap.usr/firstboot/setup1monitor.ldif b/sources/ldap.usr/firstboot/setup1monitor.ldif
new file mode 100644 (file)
index 0000000..4f225c2
--- /dev/null
@@ -0,0 +1,7 @@
+dn: olcDatabase={1}monitor,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to *
+  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
+  by dn.base="cn=Manager,dc=user,dc=hu" read
+  by * none
diff --git a/sources/ldap.usr/firstboot/setup2mdb.ldif b/sources/ldap.usr/firstboot/setup2mdb.ldif
new file mode 100644 (file)
index 0000000..690f1da
--- /dev/null
@@ -0,0 +1,32 @@
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcSuffix
+olcSuffix: dc=user,dc=hu
+
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcRootDN
+olcRootDN: cn=Manager,dc=user,dc=hu
+
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+add: olcRootPW
+olcRootPW: {SSHA}PaJYPlbWfzdt301XlzPy7PhfJkIDohyc
+
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+add: olcAccess
+olcAccess: {0}to attrs=userPassword
+  by dn="cn=Manager,dc=user,dc=hu" write
+  by anonymous auth
+  by self write
+  by * none
+olcAccess: {1}to attrs=shadowLastChange
+  by dn="cn=Manager,dc=user,dc=hu" write
+  by self write
+  by * read
+olcAccess: {2}to dn.base=""
+  by * read
+olcAccess: {3}to *
+  by dn="cn=Manager,dc=user,dc=hu" write
+  by * read
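Review bot: `olcAccess: {3}to * by dn="cn=Manager,dc=user,dc=hu" write by * read` grants anonymous read of every People and Group attribute (gn, sn, mail, mobile and whatever the openssh-lpk schema adds) over the plain `ldap://` listener; as configured that is required, because sssd.conf sets no `ldap_default_bind_dn` and the ssh ldap.conf has no `binddn`, so both clients bind anonymously. That dependency should be written down next to the rule, e.g. `# anonymous read required: sssd and ssh-ldap bind without a DN`, so a later tightening to `by users read by * none` is done together with a bind account. The `add: olcRootPW` and `add: olcAccess` entries also make this file non-rerunnable against a configured database.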
diff --git a/sources/ldap.usr/firstboot/setupdomain.ldif b/sources/ldap.usr/firstboot/setupdomain.ldif
new file mode 100644 (file)
index 0000000..aaa0ccc
--- /dev/null
@@ -0,0 +1,19 @@
+dn: dc=user,dc=hu
+objectClass: top
+objectClass: dcObject
+objectclass: organization
+o: USER Sytemhouse
+dc: user
+
+dn: cn=Manager,dc=user,dc=hu
+objectClass: organizationalRole
+cn: Manager
+description: Directory Manager
+
+dn: ou=People,dc=user,dc=hu
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=Group,dc=user,dc=hu
+objectClass: organizationalUnit
+ou: Group
diff --git a/sources/ldap.usr/firstboot/setuptls.ldif b/sources/ldap.usr/firstboot/setuptls.ldif
new file mode 100644 (file)
index 0000000..141428c
--- /dev/null
@@ -0,0 +1,10 @@
+dn: cn=config
+changetype: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
+-
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/openldap/certs/slapd.crt
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/openldap/certs/slapd.key
diff --git a/sources/ldap.usr/firstboot/user_template.ldif b/sources/ldap.usr/firstboot/user_template.ldif
new file mode 100644 (file)
index 0000000..5ba1f24
--- /dev/null
@@ -0,0 +1,24 @@
+# __LOGIN__
+dn: uid=__LOGIN__,ou=People,dc=user,dc=hu
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+cn: __LOGIN__
+gn: __FIRSTNAME__
+sn: __LASTNAME__
+mail: __MAIL__
+mobile: __MOBILE__
+loginShell: /bin/bash
+uidNumber: __UID__
+gidNumber: __UID__
+homeDirectory: /home/__LOGIN__
+userPassword: {SSHA}Be0QldINCqu8gM+Fii1cR2fpjCzSqEcO
+shadowLastChange: 0
+shadowMax: 3650
+
+dn: cn=__LOGIN__,ou=Group,dc=user,dc=hu
+objectClass: posixGroup
+cn: __LOGIN__
+gidNumber: __UID__
+memberUid: __LOGIN__
+
diff --git a/sources/ldap.usr/postinstall/01_setownership.sh b/sources/ldap.usr/postinstall/01_setownership.sh
new file mode 100755 (executable)
index 0000000..0dd1234
--- /dev/null
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+
+chown -R root.root $SOURCE_PATH
+chown -R ldap.ldap $SOURCE_PATH/var/lib/ldap
+
+chgrp ssh_keys $SOURCE_PATH/etc/ssh/*_key
diff --git a/sources/ldap.usr/postinstall/02_setpermissions.sh b/sources/ldap.usr/postinstall/02_setpermissions.sh
new file mode 100755 (executable)
index 0000000..6779033
--- /dev/null
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+
+chmod 600 $SOURCE_PATH/etc/pki/tls/certs/slapd.key
+chmod 400 $SOURCE_PATH/etc/ssh/*_key
+chmod 444 $SOURCE_PATH/etc/ssh/*.pub
+chmod 600 $SOURCE_PATH/etc/sssd/sssd.conf
diff --git a/sources/ldap.usr/postinstall/03_installfiles.sh b/sources/ldap.usr/postinstall/03_installfiles.sh
new file mode 100755 (executable)
index 0000000..f190caf
--- /dev/null
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+tar --create \
+    --directory=$REAL_PATH \
+    --to-stdout \
+    install \
+    | tar --extract \
+          --backup \
+          --directory=/ \
+          --no-overwrite-dir \
+          --strip-components=1 \
+          --suffix=.orig
diff --git a/sources/ldap.usr/postinstall/10_setupservices.sh b/sources/ldap.usr/postinstall/10_setupservices.sh
new file mode 100755 (executable)
index 0000000..e8ab8f0
--- /dev/null
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+
+systemctl enable oddjobd.service
+systemctl enable slapd.service
+systemctl enable sssd.service
+systemctl enable NetworkManager-wait-online.service
+
+systemctl mask wpa_supplicant.service
diff --git a/sources/ldap.usr/postinstall/20_setupsshldap.sh b/sources/ldap.usr/postinstall/20_setupsshldap.sh
new file mode 100755 (executable)
index 0000000..177e4db
--- /dev/null
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+
+echo "AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper" >>/etc/ssh/sshd_config
+echo "AuthorizedKeysCommandUser nobody" >>/etc/ssh/sshd_config
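Review bot: The two `echo ... >>/etc/ssh/sshd_config` lines append unconditionally, so every rerun of the postinstall step adds another copy of each directive; sshd honours the first occurrence, so the duplicates are harmless but accumulate. Guard each line, e.g. `grep -q '^AuthorizedKeysCommand ' /etc/ssh/sshd_config || echo "AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper" >>/etc/ssh/sshd_config`, or ship a pre-edited sshd_config through the 03_installfiles.sh tree like the other /etc files.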
diff --git a/sources/ldap.usr/postinstall/99_cleanup.sh b/sources/ldap.usr/postinstall/99_cleanup.sh
new file mode 100755 (executable)
index 0000000..b87f2f4
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/ldap.usr/postinstall/install/etc/hosts b/sources/ldap.usr/postinstall/install/etc/hosts
new file mode 100644 (file)
index 0000000..10caea9
--- /dev/null
@@ -0,0 +1,4 @@
+127.0.0.1      localhost.localdomain localhost localhost4.localdomain4 localhost4
+::1            localhost6.localdomain6 localhost6
+
+10.228.109.252 ldap.usr.user.hu ldap
diff --git a/sources/ldap.usr/postinstall/install/etc/openldap/ldap.conf b/sources/ldap.usr/postinstall/install/etc/openldap/ldap.conf
new file mode 100644 (file)
index 0000000..cd331f3
--- /dev/null
@@ -0,0 +1,30 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE  dc=example,dc=com
+#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT     12
+#TIMELIMIT     15
+#DEREF         never
+
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by TLS_CACERTDIR one has to include them explicitly:
+#TLS_CACERT    /etc/pki/tls/cert.pem
+
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#TLS_CIPHER_SUITE PROFILE=SYSTEM
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON   on
+
+BASE   dc=user,dc=hu
+URI    ldap://ldap.usr.user.hu
diff --git a/sources/ldap.usr/postinstall/install/etc/pki/tls/certs/slapd.crt b/sources/ldap.usr/postinstall/install/etc/pki/tls/certs/slapd.crt
new file mode 100644 (file)
index 0000000..23e110a
--- /dev/null
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/sources/ldap.usr/postinstall/install/etc/pki/tls/certs/slapd.key b/sources/ldap.usr/postinstall/install/etc/pki/tls/certs/slapd.key
new file mode 100644 (file)
index 0000000..195323b
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAm1g5LJtdXNjzxSonx/FH5Mxo3Jx8pYOSjPfkQGMLn7k9hpaZ
+FjlZQlMZURlP3lBntSpz7ZUecEpIP1f5Yompk/zdDrAAToLpFoKwhp2sBwlcqgPM
+w8hi2WD88/jVcigbdQL+jhqHtYHXBF4HfwQf5AiJgqnQ+jY8jOKQgwSUsrNKVL/L
+DRW9rJzGrUwf1k0IYfnL/eOhwzJj7aCpFY5cf9cMP1SeBq9UL7tzT2tIGneQLhxb
+38/aPKYVEP4vZavCW/G1B/p0DOXZ9njyy8sOj02vdZN8CIuOqyIOS79rWRkQlXt8
+5httRF+rNOtHg6LqviH6ZKsbkjsALnyWj1FnwQIDAQABAoIBABvNOUZLc/UW+uGx
+frcg7n37O1UoSIKSvpquDtKbJ0xpqaI5t6Irl1bwalqCTjH6b+UTePXvNyhfkviL
+NR22h3vtyF5Fj3h9o1uc/hzJgS0tNsFStsXfShmfawX65bBtjyRs6cPi6aDJYQLu
+FSddRJvaD0osPDNbm5CXR8e6/SXR+zdDsdOTFnnM6KsNqw0SQgNVBoTHIHMGKU//
+SprTYNgP5Jhib4kuUNa+iaNwv/I8BEzooRG+JXJezhtbUecM0poI1izyKhPTlFgx
+KTJ0FmzpPtypOGWnPazt710wIUU/O4dODOKB/J6eF578QkHoOZ4Z0Ykes9p6RWMF
+oPqb07ECgYEAzJKOf6fNWrWjzZksiP6NB5jvfEF3Fb3IyclH3z0cYLJ40DHYehp7
+Qs2/2BikPd4zsZHLCcp08gjlT8LsZQwYdJK4BsQ80xHVsiZY3Gfqm867EJJlnZ7b
+Le1h0iCXmrkh9KeNHeWZdOpttJPo/5kvf9TdNL1dk3VHxXuVy9mBat0CgYEAwmWQ
+Xh3egaIPYNdlPAeK8Q67CrQ0CKriwJMUeyMzU+IhbyRQgus5dWOnvdS0Jt8tT7dA
+thrfWDQCaeSjsXW8vNdQxK9WMZoCYSI5gayu0WmlX9Vcgp1LSxuRkGpJvqdU4SlU
+XGoP7NuIqxvDJ3TiWVV+1nufk74XLhlEKhuG6DUCgYAHQE6iwbzqsTOMLxjABl3T
+Xh1nBx8Ee0SpumO8yvq9hrX3kzy8H0ItPQPG0iDIPJ8SdTuALlf02FHggOVGM6aO
+Q0EYpE4PoTs05F0T+u769Nn2nWnSq3XTa+2iuBsHlfZZKLM80w2cck7PLsr8fF6N
+pmrs2qV9e5O+sUG/BweqVQKBgFfvtaS9gj/F3YsDJMpI5zMwZK/s4HTjSHuwjN0/
+CSLy8gjitoDigzV1BRY8N9o1rruWu/Ekqs+th0H7qYjHJ7+M7v5qCmWZs2XZI4Zj
+ZRlZ3vNBAv4axUqOiAR58C4MZ7sLBRxg5h9RF7u/bUJV/2ZF5ICFn6Qnozi5OTqL
+BTXZAoGAS8bsX6GVqWd/FkBJCqFVbUQcbawQKy0ZVlEIPg06hPtxRcmNZt+dtOWT
+6W/yoer/7oGGUoSHE1y6a5SX0vHOvtkToYy4zUjESaMsa9Wr/DoP9RDkCqUJijxY
+zG3XPCj7maygTKSC77ao2bCyQqKYyjIU80CjmI8X8ybAQIkdgAo=
+-----END RSA PRIVATE KEY-----
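Review bot: A live RSA private key for the slapd TLS certificate is checked into the repository, and the same applies to the three SSH host private keys added under postinstall/install/etc/ssh/ (ssh_host_ecdsa_key, ssh_host_ed25519_key, ssh_host_rsa_key). Once in git history they have to be treated as known to everyone who can read the repo, and a later commit cannot un-publish them; the container should generate its own (10_createldapcert.sh already can, and as far as I recall Fedora's sshd-keygen units create host keys on first start), and these ones should be rotated. If pinning host keys across rebuilds is the goal, keep them in a secret store outside the tree and have postinstall fetch them from there.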
diff --git a/sources/ldap.usr/postinstall/install/etc/ssh/ldap.conf b/sources/ldap.usr/postinstall/install/etc/ssh/ldap.conf
new file mode 100644 (file)
index 0000000..30358af
--- /dev/null
@@ -0,0 +1,95 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
+# This is the example configuration file for the OpenSSH
+# LDAP backend
+# 
+# see ssh-ldap.conf(5)
+#
+
+# URI with your LDAP server name. This allows to use
+# Unix Domain Sockets to connect to a local LDAP Server.
+uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/   
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+
+# Another way to specify your LDAP server is to provide an
+# host name and the port of our LDAP server. Host name
+# must be resolvable without using LDAP.
+# Multiple hosts may be specified, each separated by a 
+# space. How long nss_ldap takes to failover depends on
+# whether your LDAP client library supports configurable
+# network or connect timeouts (see bind_timelimit).
+#host 127.0.0.1
+
+# The port.
+# Optional: default is 389.
+#port 389
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=openssh_keys,dc=example,dc=org
+
+# The credentials to bind with. 
+# Optional: default is no credential.
+#bindpw TopSecret
+
+# The distinguished name of the search base.
+#base dc=example,dc=org
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The search scope.
+#scope sub
+#scope one
+#scope base
+
+# Search timelimit
+#timelimit 30
+
+# Bind/connect timelimit
+#bind_timelimit 30
+
+# Reconnect policy: hard (default) will retry connecting to
+# the software with exponential backoff, soft will fail
+# immediately.
+#bind_policy hard
+
+# SSL setup, may be implied by URI also.
+ssl no
+#ssl on
+#ssl start_tls
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer hard
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/pki/tls/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# OpenLDAP search_format
+# format used to search for users in LDAP directory using substitution
+# for %u for user name and %f for SSH_Filter option (optional, empty by default)
+#search_format (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
+
+#AccountClass posixAccount
+
diff --git a/sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_ecdsa_key b/sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_ecdsa_key
new file mode 100644 (file)
index 0000000..495ef44
--- /dev/null
@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRNhyIFsn1XHUZl3cXseM3xVxjVTDL4
+wBFyEQELvVGAEGmxqhETsNPb0xzFGXstoNZkQeBO72huapDROPbs72JXAAAAoLbGMeS2xj
+HkAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE2HIgWyfVcdRmXd
+xex4zfFXGNVMMvjAEXIRAQu9UYAQabGqEROw09vTHMUZey2g1mRB4E7vaG5qkNE49uzvYl
+cAAAAhALkbjaiJrtAkV7WAjDoFzCcjYavVqLSDWyq549QfKliMAAAAAAECAwQFBgc=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_ecdsa_key.pub b/sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_ecdsa_key.pub
new file mode 100644 (file)
index 0000000..d1e2908
--- /dev/null
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE2HIgWyfVcdRmXdxex4zfFXGNVMMvjAEXIRAQu9UYAQabGqEROw09vTHMUZey2g1mRB4E7vaG5qkNE49uzvYlc= 
diff --git a/sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_ed25519_key b/sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_ed25519_key
new file mode 100644 (file)
index 0000000..5c432d4
--- /dev/null
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAPqi+85zTZURcO07ZEkK/+WbPE0jeqbs5ezIefribFxwAAAIgiYFM1ImBT
+NQAAAAtzc2gtZWQyNTUxOQAAACAPqi+85zTZURcO07ZEkK/+WbPE0jeqbs5ezIefribFxw
+AAAEDv3ANgLBg7Rq+8xAZZLTCknzJn4WtmPtyQ9aqJUqFJMQ+qL7znNNlRFw7TtkSQr/5Z
+s8TSN6puzl7Mh5+uJsXHAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----
diff --git a/sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_ed25519_key.pub b/sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_ed25519_key.pub
new file mode 100644 (file)
index 0000000..139e2f2
--- /dev/null
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+qL7znNNlRFw7TtkSQr/5Zs8TSN6puzl7Mh5+uJsXH 
diff --git a/sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_rsa_key b/sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_rsa_key
new file mode 100644 (file)
index 0000000..9cf34b0
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN OPENSSH PRIVATE KEY-----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+-----END OPENSSH PRIVATE KEY-----
diff --git a/sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_rsa_key.pub b/sources/ldap.usr/postinstall/install/etc/ssh/ssh_host_rsa_key.pub
new file mode 100644 (file)
index 0000000..7efa1e9
--- /dev/null
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXffEcmvUhpx0rOKDfWuAG4oviR+68uZc/MeB+1KUfSrWvTMyLMARo9xcxEdnnD9NVR6B3eqTa01VBwlI+ipOM4ULb61Olhg7q4nuLmIO8/m/YCSbRWVIvfPB2+T9NgHCmnepe0vPhM2FwKMWm6nrdCA8JWWFmPtbIRLh9ay1Hnp48DIEbJ1ZSTDPV3ilmjwYKGtJ+W3cX2cdx9OSChk8PkYxCebnbWukv7J67JQ6aQ7QNOSHTQI/yeb2uFdQ3324aVjEMz6Uxw2f/U9X/z8FgzOGB4jWonPXTJfA8pBvl/Fd2T/qprgj0ArOxxNXbf9ADCCbPhtJiXPPKliW3R6cR 
diff --git a/sources/ldap.usr/postinstall/install/etc/sssd/sssd.conf b/sources/ldap.usr/postinstall/install/etc/sssd/sssd.conf
new file mode 100644 (file)
index 0000000..6f40aa8
--- /dev/null
@@ -0,0 +1,18 @@
+[domain/default]
+id_provider = ldap
+autofs_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+ldap_uri = ldap://ldap.usr.user.hu/
+ldap_search_base = dc=user,dc=hu
+ldap_id_use_start_tls = True
+ldap_tls_cacertdir = /etc/openldap/certs
+cache_credentials = True
+ldap_tls_reqcert = allow
+
+[sssd]
+services = nss, pam, autofs
+domains = default
+
+[nss]
+homedir_substring = /home
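Review bot: `ldap_tls_reqcert = allow` makes sssd continue when the server certificate cannot be verified, so the STARTTLS requested by `ldap_id_use_start_tls = True` protects against passive eavesdropping only, not against an impersonated ldap.usr.user.hu. Since the self-signed slapd.crt is installed on the same host by 10_createldapcert.sh, set `ldap_tls_reqcert = demand` and point sssd at it explicitly with `ldap_tls_cacert = /etc/openldap/certs/slapd.crt` (provided the certificate's subject or SAN covers ldap.usr.user.hu; as far as I know an `ldap_tls_cacertdir` directory also needs OpenSSL hash symlinks, which nothing here creates). If `allow` is intentional for the first boot before the certificate exists, a comment saying so would stop it from being copied as a default.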
diff --git a/sources/ldap.usr/postinstall/install/etc/sysctl.d/01-ipv6.conf b/sources/ldap.usr/postinstall/install/etc/sysctl.d/01-ipv6.conf
new file mode 100644 (file)
index 0000000..9b1dfc6
--- /dev/null
@@ -0,0 +1,2 @@
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.ldap.disable_ipv6 = 1
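Review bot: `net.ipv6.conf.ldap.disable_ipv6` names an interface called `ldap`, but the LXC config sets no `lxc.net.0.name`, so the veth end inside the container is most likely not called that (01_setupnetworking.sh reads the real name from nmcli rather than assuming it); sysctl will report the key as unknown and only the `all` line takes effect. Either use the real interface name or replace the line with `net.ipv6.conf.default.disable_ipv6 = 1`, which also covers interfaces created after boot.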
diff --git a/sources/ldap.usr/postinstall/install/var/lib/ldap/DB_CONFIG b/sources/ldap.usr/postinstall/install/var/lib/ldap/DB_CONFIG
new file mode 100644 (file)
index 0000000..d0f2c68
--- /dev/null
@@ -0,0 +1,28 @@
+# $OpenLDAP$
+# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
+#
+# See the Oracle Berkeley DB documentation
+#   <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/db_config.html>
+# for detail description of DB_CONFIG syntax and semantics.
+#
+# Hints can also be found in the OpenLDAP Software FAQ
+#      <http://www.openldap.org/faq/index.cgi?file=2>
+# in particular:
+#   <http://www.openldap.org/faq/index.cgi?file=1075>
+
+# Note: most DB_CONFIG settings will take effect only upon rebuilding
+# the DB environment.
+
+# one 0.25 GB cache
+set_cachesize 0 268435456 1
+
+# Data Directory
+#set_data_dir db
+
+# Transaction Log settings
+set_lg_regionmax 262144
+set_lg_bsize 2097152
+#set_lg_dir logs
+
+# Note: special DB_CONFIG flags are no longer needed for "quick"
+# slapadd(8) or slapindex(8) access (see their -q option). 
diff --git a/sources/ldap.usr/preinstall/01_backupldapdb.sh b/sources/ldap.usr/preinstall/01_backupldapdb.sh
new file mode 100755 (executable)
index 0000000..ee4177e
--- /dev/null
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+
+REAL_PATH=$(realpath $(dirname $0))
+CONTAINER_NAME=$1
+CONTAINER_ROOTFS=$2
+CONTAINER_SOURCE_PATH=$3
+
+lxc-attach --name=$CONTAINER_NAME -- systemctl stop slapd.service
+lxc-attach --name=$CONTAINER_NAME -- slapcat -n 2 \
+               >$CONTAINER_SOURCE_PATH/firstboot/data.ldif
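Review bot: The `slapcat -n 2` output is redirected straight to `$CONTAINER_SOURCE_PATH/firstboot/data.ldif` without checking the exit status of `lxc-attach`, so if the old container is not running or slapcat fails, an empty data.ldif is written and 20_setupldap.sh later `slapadd`s it into the new database, silently losing the directory. Write to a temporary file and only move it into place on success, e.g. `... >"$TMP" || exit 1` followed by `mv "$TMP" "$CONTAINER_SOURCE_PATH/firstboot/data.ldif"`, and quote the expansions. `REAL_PATH` is computed but unused, and slapd is stopped in the old container without being started again — fine if it is being decommissioned, but worth a comment; note too that data.ldif carries the userPassword hashes and lands in the source tree.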