From a17c235b325a690af87f3b3e3c0744c00dfe5a3d Mon Sep 17 00:00:00 2001
From: Darks <l.gatin@neuf.fr>
Date: Thu, 21 Nov 2019 15:47:31 +0100
Subject: [PATCH] Ajout d'un script d'init du LDAP

---
 ldap/README.md    | 27 ++++++++++++++++++
 ldap/install.sh   | 51 +++++++++++++++++++++++++++++++++
 ldap/organization |  4 +++
 ldap/slapd.conf   | 73 +++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 155 insertions(+)
 create mode 100644 ldap/README.md
 create mode 100755 ldap/install.sh
 create mode 100644 ldap/organization
 create mode 100644 ldap/slapd.conf

diff --git a/ldap/README.md b/ldap/README.md
new file mode 100644
index 0000000..9786c6e
--- /dev/null
+++ b/ldap/README.md
@@ -0,0 +1,27 @@
+### Info
+Ce dossier contient un script permettant d'installer la config OpenLDAP sur un
+serveur VPS-like (Archlinux).
+
+**Attention ! Le script supprime toute base OpenLDAP déjà présente sur le système !**
+
+### Dépendances
+
+- `pacman -S openldap`
+
+### Usage
+
+```
+$ git clone https://gitea.planet-casio.com/devs/VPS-config.git
+$ cd VPS-config/ldap
+$ sudo install.sh
+```
+
+Puis suivre les instructions.
+
+### Ajouter manuellement un compte
+
+```
+$ ldapadd -x -D 'cn=ldap-root,o=planet-casio' -W
+```
+
+Puis suivre la doc sur [le Wiki](/devs/VPS-config/wiki/LDAP). Finir par `^D`.
diff --git a/ldap/install.sh b/ldap/install.sh
new file mode 100755
index 0000000..f40576d
--- /dev/null
+++ b/ldap/install.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# stop service if running
+echo "stop service if running"
+systemctl stop slapd.service
+
+# deleting old databases
+echo "deleting old databases"
+rm -f /var/lib/openldap/openldap-data/*.mdb
+
+# copy default config
+echo "copy default config"
+cp -f ./slapd.conf /etc/openldap/slapd.conf
+
+# remove root password
+echo "remove root password"
+sed -i "/rootpw/ d" /etc/openldap/slapd.conf
+
+# add new root password
+echo "add new root password"
+echo "rootpw    $(slappasswd)" >> /etc/openldap/slapd.conf
+
+# copy default config
+echo "copy default config"
+cp /var/lib/openldap/openldap-data/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG
+
+# remove old config files
+echo "remove old config files"
+rm -rf /etc/openldap/slapd.d/*
+
+# create a db if there is none
+echo "create a db if there is none"
+systemctl start slapd.service && systemctl stop slapd.service
+
+# generate new config files
+echo "generate new config files"
+slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
+
+# change ownership of slapd.d
+echo "change ownership of slapd.d"
+chown -R ldap:ldap /etc/openldap/slapd.d
+
+# start service
+echo "start service"
+systemctl start slapd.service
+
+# add organization
+echo "add organization"
+ldapadd -x -D 'cn=ldap-root,o=planet-casio' -W -f ./organization
+
+echo "Installation done. Service is running"
diff --git a/ldap/organization b/ldap/organization
new file mode 100644
index 0000000..9199a29
--- /dev/null
+++ b/ldap/organization
@@ -0,0 +1,4 @@
+dn: o=planet-casio
+objectClass: organization
+o: planet-casio
+description: Planète Casio
diff --git a/ldap/slapd.conf b/ldap/slapd.conf
new file mode 100644
index 0000000..7135c44
--- /dev/null
+++ b/ldap/slapd.conf
@@ -0,0 +1,73 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include		/etc/openldap/schema/core.schema
+include         /etc/openldap/schema/cosine.schema
+include         /etc/openldap/schema/inetorgperson.schema
+include         /etc/openldap/schema/nis.schema
+
+# Define global ACLs to disable default read access.
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral	ldap://root.openldap.org
+
+pidfile		/run/openldap/slapd.pid
+argsfile	/run/openldap/slapd.args
+
+# Load dynamic backend modules:
+# modulepath	/usr/lib/openldap
+# moduleload	back_mdb.la
+# moduleload	back_ldap.la
+
+# Sample security restrictions
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+#	Root DSE: allow anyone to read it
+#	Subschema (sub)entry DSE: allow anyone to read it
+#	Other DSEs:
+#		Allow self write access
+#		Allow authenticated users read access
+#		Allow anonymous users to authenticate
+#	Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+#	by self write
+#	by users read
+#	by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# MDB database definitions
+#######################################################################
+
+database	mdb
+maxsize		1073741824
+suffix		"o=planet-casio"
+rootdn		"cn=ldap-root,o=planet-casio"
+# Cleartext passwords, especially for the rootdn, should
+# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+rootpw		secret
+# The database directory MUST exist prior to running slapd AND
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory	/var/lib/openldap/openldap-data
+# Indices to maintain
+index   objectClass     eq
+index   uid             pres,eq
+index   mail            pres,sub,eq
+index   cn              pres,sub,eq
+index   sn              pres,sub,eq
+index   dc              eq