xref: /PHP-8.0/.github/scripts/setup-slapd.sh (revision b43e4943) 
1#!/bin/sh
2set -ex
3
4# Create TLS certificate
5sudo mkdir -p /etc/ldap/ssl
6
7alt_names() {
8  (
9      (
10        (hostname && hostname -a && hostname -A && hostname -f) |
11        xargs -n 1 |
12        sort -u |
13        sed -e 's/\(\S\+\)/DNS:\1/g'
14      ) && (
15        (hostname -i && hostname -I && echo "127.0.0.1 ::1") |
16        xargs -n 1 |
17        sort -u |
18        sed -e 's/\(\S\+\)/IP:\1/g'
19      )
20  ) | paste -d, -s
21}
22
23sudo openssl req -newkey rsa:4096 -x509 -nodes -days 3650 \
24  -out /etc/ldap/ssl/server.crt -keyout /etc/ldap/ssl/server.key \
25  -subj "/C=US/ST=Arizona/L=Localhost/O=localhost/CN=localhost" \
26  -addext "subjectAltName = `alt_names`"
27
28sudo chown -R openldap:openldap /etc/ldap/ssl
29
30# Display the TLS certificate (should be world readable)
31openssl x509 -noout -text -in /etc/ldap/ssl/server.crt
32
33# Point to the certificate generated
34if ! grep -q 'TLS_CACERT \/etc\/ldap\/ssl\/server.crt' /etc/ldap/ldap.conf; then
35  sudo sed -e 's|^\s*TLS_CACERT|# TLS_CACERT|' -i /etc/ldap/ldap.conf
36  echo 'TLS_CACERT /etc/ldap/ssl/server.crt' | sudo tee -a /etc/ldap/ldap.conf
37fi
38
39# Configure LDAP protocols to serve.
40sudo sed -e 's|^\s*SLAPD_SERVICES\s*=.*$|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' -i /etc/default/slapd
41
42# Configure LDAP database.
43DBDN=`sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(&(olcRootDN=*)(olcSuffix=*))' dn | grep -i '^dn:' | sed -e 's/^dn:\s*//'`;
44
45sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
46
47sudo service slapd restart
48
49sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
50dn: $DBDN
51changetype: modify
52replace: olcSuffix
53olcSuffix: dc=my-domain,dc=com
54-
55replace: olcRootDN
56olcRootDN: cn=Manager,dc=my-domain,dc=com
57-
58replace: olcRootPW
59olcRootPW: secret
60
61dn: cn=config
62changetype: modify
63add: olcTLSCACertificateFile
64olcTLSCACertificateFile: /etc/ldap/ssl/server.crt
65-
66add: olcTLSCertificateFile
67olcTLSCertificateFile: /etc/ldap/ssl/server.crt
68-
69add: olcTLSCertificateKeyFile
70olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key
71-
72add: olcTLSVerifyClient
73olcTLSVerifyClient: never
74-
75add: olcAuthzRegexp
76olcAuthzRegexp: uid=usera,cn=digest-md5,cn=auth cn=usera,dc=my-domain,dc=com
77-
78replace: olcLogLevel
79olcLogLevel: -1
80
81dn: cn=module{0},cn=config
82changetype: modify
83add: olcModuleLoad
84olcModuleLoad: sssvlv
85-
86add: olcModuleLoad
87olcModuleLoad: ppolicy
88-
89add: olcModuleLoad
90olcModuleLoad: dds
91EOF
92
93sudo service slapd restart
94
95sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// << EOF
96dn: olcOverlay=sssvlv,$DBDN
97objectClass: olcOverlayConfig
98objectClass: olcSssVlvConfig
99olcOverlay: sssvlv
100olcSssVlvMax: 10
101olcSssVlvMaxKeys: 5
102
103dn: olcOverlay=ppolicy,$DBDN
104objectClass: olcOverlayConfig
105objectClass: olcPPolicyConfig
106olcOverlay: ppolicy
107### This would clutter our DIT and make tests to fail, while ppolicy does not
108### seem to work as we expect (it does not seem to provide expected controls)
109## olcPPolicyDefault: cn=default,ou=pwpolicies,dc=my-domain,dc=com
110## olcPPolicyHashCleartext: FALSE
111## olcPPolicyUseLockout: TRUE
112
113dn: olcOverlay=dds,$DBDN
114objectClass: olcOverlayConfig
115objectClass: olcDdsConfig
116olcOverlay: dds
117EOF
118
119sudo service slapd restart
120
121sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
122dn: $DBDN
123changetype: modify
124add: olcDbIndex
125olcDbIndex: entryExpireTimestamp eq
126EOF
127
128sudo service slapd restart
129
130ldapadd -H ldapi:/// -D cn=Manager,dc=my-domain,dc=com -w secret <<EOF
131dn: dc=my-domain,dc=com
132objectClass: top
133objectClass: organization
134objectClass: dcObject
135dc: my-domain
136o: php ldap tests
137
138### This would clutter our DIT and make tests to fail, while ppolicy does not
139### seem to work as we expect (it does not seem to provide expected controls)
140## dn: ou=pwpolicies,dc=my-domain,dc=com
141## objectClass: top
142## objectClass: organizationalUnit
143## ou: pwpolicies
144##
145## dn: cn=default,ou=pwpolicies,dc=my-domain,dc=com
146## objectClass: top
147## objectClass: person
148## objectClass: pwdPolicy
149## cn: default
150## sn: default
151## pwdAttribute: userPassword
152## pwdMaxAge: 2592000
153## pwdExpireWarning: 3600
154## #pwdInHistory: 0
155## pwdCheckQuality: 0
156## pwdMaxFailure: 5
157## pwdLockout: TRUE
158## #pwdLockoutDuration: 0
159## #pwdGraceAuthNLimit: 0
160## #pwdFailureCountInterval: 0
161## pwdMustChange: FALSE
162## pwdMinLength: 3
163## pwdAllowUserChange: TRUE
164## pwdSafeModify: FALSE
165EOF
166
167# Verify TLS connection
168tries=0
169while : ; do
170	ldapsearch -d 255 -H ldaps://localhost -D cn=Manager,dc=my-domain,dc=com -w secret -s base -b dc=my-domain,dc=com 'objectclass=*'
171	rt=$?
172	if [ $rt -eq 0 ]; then
173		echo "OK"
174		exit 0
175	else
176		tries=$((tries+1))
177		if [ $((tries)) -gt 3 ]; then
178			echo "exit failure $rt"
179			exit $rt
180		else
181			echo "trying again"
182			sleep 3
183		fi
184	fi
185done
186