| 4 |
- |
1 |
#!/bin/bash
|
|
|
2 |
#
|
|
|
3 |
# slapd This shell script takes care of starting and stopping
|
|
|
4 |
# ldap servers (slapd).
|
|
|
5 |
#
|
|
|
6 |
# chkconfig: - 27 73
|
|
|
7 |
# description: LDAP stands for Lightweight Directory Access Protocol, used \
|
|
|
8 |
# for implementing the industry standard directory services.
|
|
|
9 |
# processname: slapd
|
|
|
10 |
# config: /etc/openldap/slapd.conf
|
|
|
11 |
# pidfile: /var/run/slapd.pid
|
|
|
12 |
|
|
|
13 |
### BEGIN INIT INFO
|
|
|
14 |
# Provides: slapd
|
|
|
15 |
# Required-Start: $network $local_fs
|
|
|
16 |
# Required-Stop: $network $local_fs
|
|
|
17 |
# Should-Start:
|
|
|
18 |
# Should-Stop:
|
|
|
19 |
# Default-Start:
|
|
|
20 |
# Default-Stop:
|
|
|
21 |
# Short-Description: starts and stopd OpenLDAP server daemon
|
|
|
22 |
# Description: LDAP stands for Lightweight Directory Access Protocol, used
|
|
|
23 |
# for implementing the industry standard directory services.
|
|
|
24 |
### END INIT INFO
|
|
|
25 |
|
|
|
26 |
# Source function library.
|
|
|
27 |
. /etc/init.d/functions
|
|
|
28 |
|
|
|
29 |
# Define default values of options allowed in /etc/sysconfig/ldap
|
|
|
30 |
SLAPD_LDAP="yes"
|
|
|
31 |
SLAPD_LDAPI="no"
|
|
|
32 |
SLAPD_LDAPS="no"
|
|
|
33 |
SLAPD_URLS=""
|
|
|
34 |
SLAPD_SHUTDOWN_TIMEOUT=3
|
|
|
35 |
# OPTIONS, SLAPD_OPTIONS and KTB5_KTNAME are not defined
|
|
|
36 |
|
|
|
37 |
# Source an auxiliary options file if we have one
|
|
|
38 |
if [ -r /etc/sysconfig/ldap ] ; then
|
|
|
39 |
. /etc/sysconfig/ldap
|
|
|
40 |
fi
|
|
|
41 |
|
|
|
42 |
slapd=/usr/sbin/slapd
|
|
|
43 |
slaptest=/usr/sbin/slaptest
|
|
|
44 |
lockfile=/var/lock/subsys/slapd
|
|
|
45 |
configdir=/etc/openldap/slapd.d/
|
|
|
46 |
configfile=/etc/openldap/slapd.conf
|
|
|
47 |
pidfile=/var/run/slapd.pid
|
|
|
48 |
slapd_pidfile=/var/run/openldap/slapd.pid
|
|
|
49 |
|
|
|
50 |
RETVAL=0
|
|
|
51 |
|
|
|
52 |
#
|
|
|
53 |
# Pass commands given in $2 and later to "test" run as user given in $1.
|
|
|
54 |
#
|
|
|
55 |
function testasuser() {
|
|
|
56 |
local user= cmd=
|
|
|
57 |
user="$1"
|
|
|
58 |
shift
|
|
|
59 |
cmd="$@"
|
|
|
60 |
if test x"$user" != x ; then
|
|
|
61 |
if test x"$cmd" != x ; then
|
|
|
62 |
/sbin/runuser -f -m -s /bin/sh -c "test $cmd" -- "$user"
|
|
|
63 |
else
|
|
|
64 |
false
|
|
|
65 |
fi
|
|
|
66 |
else
|
|
|
67 |
false
|
|
|
68 |
fi
|
|
|
69 |
}
|
|
|
70 |
|
|
|
71 |
#
|
|
|
72 |
# Check for read-access errors for the user given in $1 for a service named $2.
|
|
|
73 |
# If $3 is specified, the command is run if "klist" can't be found.
|
|
|
74 |
#
|
|
|
75 |
function checkkeytab() {
|
|
|
76 |
local user= service= klist= default=
|
|
|
77 |
user="$1"
|
|
|
78 |
service="$2"
|
|
|
79 |
default="${3:-false}"
|
|
|
80 |
if test -x /usr/kerberos/bin/klist ; then
|
|
|
81 |
klist=/usr/kerberos/bin/klist
|
|
|
82 |
elif test -x /usr/bin/klist ; then
|
|
|
83 |
klist=/usr/bin/klist
|
|
|
84 |
fi
|
|
|
85 |
KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"
|
|
|
86 |
export KRB5_KTNAME
|
|
|
87 |
if test -s "$KRB5_KTNAME" ; then
|
|
|
88 |
if test x"$klist" != x ; then
|
|
|
89 |
if LANG=C $klist -k "$KRB5_KTNAME" | tail -n 4 | awk '{print $2}' | grep -q ^"$service"/ ; then
|
|
|
90 |
if ! testasuser "$user" -r ${KRB5_KTNAME:-/etc/krb5.keytab} ; then
|
|
|
91 |
true
|
|
|
92 |
else
|
|
|
93 |
false
|
|
|
94 |
fi
|
|
|
95 |
else
|
|
|
96 |
false
|
|
|
97 |
fi
|
|
|
98 |
else
|
|
|
99 |
$default
|
|
|
100 |
fi
|
|
|
101 |
else
|
|
|
102 |
false
|
|
|
103 |
fi
|
|
|
104 |
}
|
|
|
105 |
|
|
|
106 |
function configtest() {
|
|
|
107 |
local user= ldapuid= dbdir= file=
|
|
|
108 |
# Check for simple-but-common errors.
|
|
|
109 |
user=ldap
|
|
|
110 |
prog=`basename ${slapd}`
|
|
|
111 |
ldapuid=`id -u $user`
|
|
|
112 |
# Unaccessible database files.
|
|
|
113 |
dbdirs=""
|
|
|
114 |
if [ -d $configdir ]; then
|
|
|
115 |
for configfile in `ls -1 $configdir/cn\=config/olcDatabase*.ldif`; do
|
|
|
116 |
dbdirs=$dbdirs"
|
|
|
117 |
"`LANG=C egrep '^olcDbDirectory[[:space:]]*:[[:space:]]+[[:print:]]+$' $configfile | sed 's,^olcDbDirectory: ,,'`
|
|
|
118 |
done
|
|
|
119 |
elif [ -f $configfile ]; then
|
| 9 |
- |
120 |
dbdirs=`LANG=C egrep '^directory[[:space:]]+' $configfile | sed 's,^directory[[:space:]]*,,' | tr -d \"`
|
| 4 |
- |
121 |
else
|
|
|
122 |
exit 6
|
|
|
123 |
fi
|
|
|
124 |
for dbdir in $dbdirs; do
|
|
|
125 |
if [ ! -d $dbdir ]; then
|
|
|
126 |
exit 6
|
|
|
127 |
fi
|
|
|
128 |
for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name alock \)` ; do
|
|
|
129 |
echo -n $"$file is not owned by \"$user\"" ; warning ; echo
|
|
|
130 |
done
|
|
|
131 |
if test -f "${dbdir}/DB_CONFIG"; then
|
|
|
132 |
if ! testasuser $user -r "${dbdir}/DB_CONFIG"; then
|
|
|
133 |
file=DB_CONFIG
|
|
|
134 |
echo -n $"$file is not readable by \"$user\"" ; warning ; echo
|
|
|
135 |
fi
|
|
|
136 |
fi
|
|
|
137 |
done
|
|
|
138 |
# Unaccessible keytab with an "ldap" key.
|
|
|
139 |
if checkkeytab $user ldap ; then
|
|
|
140 |
file=${KRB5_KTNAME:-/etc/krb5.keytab}
|
|
|
141 |
echo -n $"$file is not readable by \"$user\"" ; warning ; echo
|
|
|
142 |
fi
|
|
|
143 |
# Check the configuration file.
|
|
|
144 |
slaptestout=`/sbin/runuser -m -s "$slaptest" -- "$user" "-u" 2>&1`
|
|
|
145 |
slaptestexit=$?
|
|
|
146 |
# slaptestout=`echo $slaptestout 2>/dev/null | grep -v "config file testing succeeded"`
|
|
|
147 |
# print warning if slaptest passed but reports some problems
|
|
|
148 |
if test $slaptestexit == 0 ; then
|
|
|
149 |
if echo "$slaptestout" | grep -v "config file testing succeeded" >/dev/null ; then
|
|
|
150 |
echo -n $"Checking configuration files for $prog: " ; warning ; echo
|
|
|
151 |
echo "$slaptestout"
|
|
|
152 |
fi
|
|
|
153 |
fi
|
|
|
154 |
# report error if configuration file is wrong
|
|
|
155 |
if test $slaptestexit != 0 ; then
|
|
|
156 |
echo -n $"Checking configuration files for $prog: " ; failure ; echo
|
|
|
157 |
echo "$slaptestout"
|
|
|
158 |
if /sbin/runuser -m -s "$slaptest" -- "$user" "-u" > /dev/null 2> /dev/null ; then
|
|
|
159 |
#dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' $configfile | awk '{print $2}'`
|
|
|
160 |
for directory in $dbdirs ; do
|
|
|
161 |
if test -r $directory/__db.001 ; then
|
|
|
162 |
echo -n $"stale lock files may be present in $directory" ; warning ; echo
|
|
|
163 |
fi
|
|
|
164 |
done
|
|
|
165 |
fi
|
|
|
166 |
exit 6
|
|
|
167 |
fi
|
|
|
168 |
}
|
|
|
169 |
|
|
|
170 |
function start() {
|
|
|
171 |
[ -x $slapd ] || exit 5
|
|
|
172 |
[ `id -u` -eq 0 ] || exit 4
|
|
|
173 |
configtest
|
|
|
174 |
# Define a couple of local variables which we'll need. Maybe.
|
|
|
175 |
user=ldap
|
|
|
176 |
prog=`basename ${slapd}`
|
|
|
177 |
harg="$SLAPD_URLS"
|
|
|
178 |
if test x$SLAPD_LDAP = xyes ; then
|
|
|
179 |
harg="$harg ldap:///"
|
|
|
180 |
fi
|
|
|
181 |
if test x$SLAPD_LDAPS = xyes ; then
|
|
|
182 |
harg="$harg ldaps:///"
|
|
|
183 |
fi
|
|
|
184 |
if test x$SLAPD_LDAPI = xyes ; then
|
|
|
185 |
harg="$harg ldapi:///"
|
|
|
186 |
fi
|
|
|
187 |
# System resources limit.
|
|
|
188 |
if [ -n "$SLAPD_ULIMIT_SETTINGS" ]; then
|
|
|
189 |
ulimit="ulimit $SLAPD_ULIMIT_SETTINGS &>/dev/null;"
|
|
|
190 |
else
|
|
|
191 |
ulimit=""
|
|
|
192 |
fi
|
|
|
193 |
# Release reserverd port
|
|
|
194 |
[ -x /sbin/portrelease ] && /sbin/portrelease slapd &>/dev/null || :
|
|
|
195 |
# Start daemons.
|
|
|
196 |
echo -n $"Starting $prog: "
|
|
|
197 |
daemon --pidfile=$pidfile --check=$prog $ulimit ${slapd} -h "\"$harg\"" -u ${user} $OPTIONS $SLAPD_OPTIONS
|
|
|
198 |
RETVAL=$?
|
|
|
199 |
if [ $RETVAL -eq 0 ]; then
|
|
|
200 |
touch $lockfile
|
|
|
201 |
ln $slapd_pidfile $pidfile
|
|
|
202 |
fi
|
|
|
203 |
echo
|
|
|
204 |
return $RETVAL
|
|
|
205 |
}
|
|
|
206 |
|
|
|
207 |
function stop() {
|
|
|
208 |
# Stop daemons.
|
|
|
209 |
prog=`basename ${slapd}`
|
|
|
210 |
[ `id -u` -eq 0 ] || exit 4
|
|
|
211 |
echo -n $"Stopping $prog: "
|
|
|
212 |
|
|
|
213 |
# This will remove pid and args files from /var/run/openldap
|
|
|
214 |
killproc -p $slapd_pidfile -d $SLAPD_SHUTDOWN_TIMEOUT ${slapd}
|
|
|
215 |
RETVAL=$?
|
|
|
216 |
|
|
|
217 |
# Now we want to remove lock file and hardlink of pid file
|
|
|
218 |
[ $RETVAL -eq 0 ] && rm -f $pidfile $lockfile
|
|
|
219 |
echo
|
|
|
220 |
return $RETVAL
|
|
|
221 |
}
|
|
|
222 |
|
|
|
223 |
# See how we were called.
|
|
|
224 |
case "$1" in
|
|
|
225 |
configtest)
|
|
|
226 |
configtest
|
|
|
227 |
;;
|
|
|
228 |
start)
|
|
|
229 |
start
|
|
|
230 |
RETVAL=$?
|
|
|
231 |
;;
|
|
|
232 |
stop)
|
|
|
233 |
stop
|
|
|
234 |
RETVAL=$?
|
|
|
235 |
;;
|
|
|
236 |
status)
|
|
|
237 |
status -p $pidfile ${slapd}
|
|
|
238 |
RETVAL=$?
|
|
|
239 |
;;
|
|
|
240 |
restart|force-reload)
|
|
|
241 |
stop
|
|
|
242 |
start
|
|
|
243 |
RETVAL=$?
|
|
|
244 |
;;
|
|
|
245 |
condrestart|try-restart)
|
|
|
246 |
status -p $pidfile ${slapd} > /dev/null 2>&1 || exit 0
|
|
|
247 |
stop
|
|
|
248 |
start
|
|
|
249 |
;;
|
|
|
250 |
usage)
|
|
|
251 |
echo $"Usage: $0 {start|stop|restart|force-reload|status|condrestart|try-restart|configtest|usage}"
|
|
|
252 |
RETVAL=0
|
|
|
253 |
;;
|
|
|
254 |
*)
|
|
|
255 |
echo $"Usage: $0 {start|stop|restart|force-reload|status|condrestart|try-restart|configtest|usage}"
|
|
|
256 |
RETVAL=2
|
|
|
257 |
esac
|
|
|
258 |
|
|
|
259 |
exit $RETVAL
|