diff --git a/fixtures/ldap/Readme.md b/fixtures/ldap/Readme.md
index 60e6fb4..649206e 100644
--- a/fixtures/ldap/Readme.md
+++ b/fixtures/ldap/Readme.md
@@ -15,8 +15,11 @@ perform the following actions:
 - *uadmin* user that will belong to admins group
 - *uviewer* user that will belong to viewers group
-To check that every is fine you can do the following search that should show
-all inputs listed above.
+To check that everything works well you can perform the following search
+that should show all inputs listed above.
 ```
 ldapsearch -x -b "dc=stacklight,dc=ci" -D "cn=admin,dc=stacklight,dc=ci" -W
 ```
+
+The server is running LDAP and LDAPS. The self-signed certificate is generated
+by the script and stored in */etc/ldap/ssl/slapd.pem*.
diff --git a/fixtures/ldap/install_slapd.sh b/fixtures/ldap/install_slapd.sh
index 8df6dd7..258721d 100755
--- a/fixtures/ldap/install_slapd.sh
+++ b/fixtures/ldap/install_slapd.sh
@@ -9,6 +9,12 @@ then
 echo "Please run as root"
 exit 1
 fi
+OPENSSL=$(which openssl)
+if [ "$?" -ne 0 ]; then
+ echo "openssl: command not found"
+ exit 1
+fi
+
 DOMAIN="stacklight.ci"
 BASE_DN="dc=stacklight,dc=ci"
 BIND_DN="cn=admin,${BASE_DN}"
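Review bot: The openssl lookup added at the top of the install_slapd.sh hunk relies on `which`, an external program that is missing or prints differently on minimal images, and the separate `$?` test only works if the script is not running under `set -e` (the preamble is outside the hunk, so I cannot tell); `command -v` is the portable builtin and folds the check into one line: `OPENSSL=$(command -v openssl) || { echo "openssl: command not found" >&2; exit 1; }`. The diagnostic currently goes to stdout; sending it to stderr with `>&2` keeps it out of any captured output, matching how the "Please run as root" message should behave as well. The `if` block that checks for root starts before the hunk.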
@@ -95,6 +101,36 @@ objectclass: posixGroup
 objectclass: top
 EOF
+# ############################################################################
+# Configure LDAPS
+
+SLAPD_CERT_DIR="/etc/ldap/ssl"
+SLAPD_CERT="${SLAPD_CERT_DIR}/slapd.pem"
+mkdir -p $SLAPD_CERT_DIR
+$OPENSSL req -newkey rsa:2048 -x509 -nodes -days 3650 \
+ -out $SLAPD_CERT -keyout $SLAPD_CERT \
+ -subj "/C=FR/ST=Rhone-Alpes/L=Grenoble/O=Mirantis/OU=StackLight CI/CN=localhost"
+chown -R openldap:openldap $SLAPD_CERT_DIR
+chmod 0400 $SLAPD_CERT
+
+
+ldapmodify -Y EXTERNAL -H ldapi:/// << EOF
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: "${SLAPD_CERT}"
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: "${SLAPD_CERT}"
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: "${SLAPD_CERT}"
+EOF
+
+# Enable ldaps in the configuration file
+sed -i 's,^SLAPD_SERVICES=.*$,SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///",g' /etc/default/slapd
+
+# Restart the service
+/etc/init.d/slapd restart
+
 # ############################################################################
 # Validate the installation
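Review bot: The LDIF piped into `ldapmodify -Y EXTERNAL -H ldapi:///` has no `dn: cn=config` / `changetype: modify` record header as the hunk shows it, so ldapmodify has no target entry and rejects the input, and the `"${SLAPD_CERT}"` values keep their quote characters because LDIF does not strip quotes, which would leave slapd pointing at a path that does not exist. The private key is also written by openssl under the caller's umask and only restricted by the later `chmod 0400`, so it can be briefly readable by other local users; generating it under `umask 077` closes that window. Using `replace:` rather than `add:` lets the script be re-run without the modify failing on attributes that are already present. The certificate carries only `CN=localhost` and no subjectAltName, so clients that verify the server name against any other host will reject it; if that is the intended scope of the fixture, the README sentence added in the same commit is the place to say so.
```shell
# … unchanged: SLAPD_CERT_DIR / SLAPD_CERT definitions, mkdir …
# Generate key and certificate under a restrictive umask so the PEM is never
# world-readable between creation and the chmod below.
( umask 077; $OPENSSL req -newkey rsa:2048 -x509 -nodes -days 3650 \
  -out "$SLAPD_CERT" -keyout "$SLAPD_CERT" \
  -subj "/C=FR/ST=Rhone-Alpes/L=Grenoble/O=Mirantis/OU=StackLight CI/CN=localhost" )
chown -R openldap:openldap "$SLAPD_CERT_DIR"
chmod 0400 "$SLAPD_CERT"

ldapmodify -Y EXTERNAL -H ldapi:/// << EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: ${SLAPD_CERT}
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: ${SLAPD_CERT}
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: ${SLAPD_CERT}
EOF
# … unchanged: SLAPD_SERVICES sed edit, slapd restart …
```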