xref: /PHP-8.2/.github/scripts/setup-slapd.sh (revision 4cc800fc)
1#!/bin/sh
2set -ex
3
4# Create TLS certificate
5sudo mkdir -p /etc/ldap/ssl
6
7alt_names() {
8  (
9      (
10        (hostname && hostname -a && hostname -A && hostname -f) |
11        xargs -n 1 |
12        sort -u |
13        sed -e 's/\(\S\+\)/DNS:\1/g'
14      ) && (
15        (hostname -i && hostname -I && echo "127.0.0.1 ::1") |
16        xargs -n 1 |
17        sort -u |
18        sed -e 's/\(\S\+\)/IP:\1/g'
19      )
20  ) | paste -d, -s
21}
22
23sudo openssl req -newkey rsa:4096 -x509 -nodes -days 3650 \
24  -out /etc/ldap/ssl/server.crt -keyout /etc/ldap/ssl/server.key \
25  -subj "/C=US/ST=Arizona/L=Localhost/O=localhost/CN=localhost" \
26  -addext "subjectAltName = `alt_names`"
27
28sudo chown -R openldap:openldap /etc/ldap/ssl
29
30# Display the TLS certificate (should be world readable)
31openssl x509 -noout -text -in /etc/ldap/ssl/server.crt
32
33# Point to the certificate generated
34if ! grep -q 'TLS_CACERT \/etc\/ldap\/ssl\/server.crt' /etc/ldap/ldap.conf; then
35  sudo sed -e 's|^\s*TLS_CACERT|# TLS_CACERT|' -i /etc/ldap/ldap.conf
36  echo 'TLS_CACERT /etc/ldap/ssl/server.crt' | sudo tee -a /etc/ldap/ldap.conf
37fi
38
39# Configure LDAP protocols to serve.
40sudo sed -e 's|^\s*SLAPD_SERVICES\s*=.*$|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' -i /etc/default/slapd
41
42# Configure LDAP database.
43DBDN=`sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(&(olcRootDN=*)(olcSuffix=*))' dn | grep -i '^dn:' | sed -e 's/^dn:\s*//'`;
44
45sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
46
47sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
48dn: $DBDN
49changetype: modify
50replace: olcSuffix
51olcSuffix: dc=my-domain,dc=com
52-
53replace: olcRootDN
54olcRootDN: cn=Manager,dc=my-domain,dc=com
55-
56replace: olcRootPW
57olcRootPW: secret
58
59dn: cn=config
60changetype: modify
61add: olcTLSCACertificateFile
62olcTLSCACertificateFile: /etc/ldap/ssl/server.crt
63-
64add: olcTLSCertificateFile
65olcTLSCertificateFile: /etc/ldap/ssl/server.crt
66-
67add: olcTLSCertificateKeyFile
68olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key
69-
70add: olcTLSVerifyClient
71olcTLSVerifyClient: never
72-
73add: olcAuthzRegexp
74olcAuthzRegexp: uid=usera,cn=digest-md5,cn=auth cn=usera,dc=my-domain,dc=com
75-
76replace: olcLogLevel
77olcLogLevel: -1
78
79dn: cn=module{0},cn=config
80changetype: modify
81add: olcModuleLoad
82olcModuleLoad: sssvlv
83-
84add: olcModuleLoad
85olcModuleLoad: ppolicy
86-
87add: olcModuleLoad
88olcModuleLoad: dds
89EOF
90
91sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// << EOF
92dn: olcOverlay=sssvlv,$DBDN
93objectClass: olcOverlayConfig
94objectClass: olcSssVlvConfig
95olcOverlay: sssvlv
96olcSssVlvMax: 10
97olcSssVlvMaxKeys: 5
98
99dn: olcOverlay=ppolicy,$DBDN
100objectClass: olcOverlayConfig
101objectClass: olcPPolicyConfig
102olcOverlay: ppolicy
103### This would clutter our DIT and make tests to fail, while ppolicy does not
104### seem to work as we expect (it does not seem to provide expected controls)
105## olcPPolicyDefault: cn=default,ou=pwpolicies,dc=my-domain,dc=com
106## olcPPolicyHashCleartext: FALSE
107## olcPPolicyUseLockout: TRUE
108
109dn: olcOverlay=dds,$DBDN
110objectClass: olcOverlayConfig
111objectClass: olcDdsConfig
112olcOverlay: dds
113EOF
114
115sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
116dn: $DBDN
117changetype: modify
118add: olcDbIndex
119olcDbIndex: entryExpireTimestamp eq
120EOF
121
122ldapadd -H ldapi:/// -D cn=Manager,dc=my-domain,dc=com -w secret <<EOF
123dn: dc=my-domain,dc=com
124objectClass: top
125objectClass: organization
126objectClass: dcObject
127dc: my-domain
128o: php ldap tests
129
130### This would clutter our DIT and make tests to fail, while ppolicy does not
131### seem to work as we expect (it does not seem to provide expected controls)
132## dn: ou=pwpolicies,dc=my-domain,dc=com
133## objectClass: top
134## objectClass: organizationalUnit
135## ou: pwpolicies
136##
137## dn: cn=default,ou=pwpolicies,dc=my-domain,dc=com
138## objectClass: top
139## objectClass: person
140## objectClass: pwdPolicy
141## cn: default
142## sn: default
143## pwdAttribute: userPassword
144## pwdMaxAge: 2592000
145## pwdExpireWarning: 3600
146## #pwdInHistory: 0
147## pwdCheckQuality: 0
148## pwdMaxFailure: 5
149## pwdLockout: TRUE
150## #pwdLockoutDuration: 0
151## #pwdGraceAuthNLimit: 0
152## #pwdFailureCountInterval: 0
153## pwdMustChange: FALSE
154## pwdMinLength: 3
155## pwdAllowUserChange: TRUE
156## pwdSafeModify: FALSE
157EOF
158
159sudo service slapd restart
160
161# Verify TLS connection
162tries=0
163while : ; do
164	ldapsearch -d 255 -H ldaps://localhost -D cn=Manager,dc=my-domain,dc=com -w secret -s base -b dc=my-domain,dc=com 'objectclass=*'
165	rt=$?
166	if [ $rt -eq 0 ]; then
167		echo "OK"
168		exit 0
169	else
170		tries=$((tries+1))
171		if [ $((tries)) -gt 3 ]; then
172			echo "exit failure $rt"
173			exit $rt
174		else
175			echo "trying again"
176			sleep 3
177		fi
178	fi
179done
180