r23177: Add in a new provision-backend script. This helps set up the OpenLDAP or Fedora DS backend.

This required a new mkdir() call in ejs.

We can now provision just the schema for ad2oLschema to operate on
(with provision_schema(), without performing the whole provision, just
to wipe it again (adjustments to 'make test' to come soon).

Andrew Bartlett
(This used to be commit 01d54d13dc66ef2127ac52c64ede53d0790738ec)

4 files changed, 241 insertions, 0 deletions

diff --git a/source4/setup/fedorads-partitions.ldif b/source4/setup/fedorads-partitions.ldif
new file mode 100644
index 0000000000..7533b1583a
--- /dev/null
+++ b/source4/setup/fedorads-partitions.ldif
@@ -0,0 +1,28 @@
+dn: cn=\"${CONFIGDN}\",cn=mapping tree,cn=config
+objectclass: top
+objectclass: extensibleObject
+objectclass: nsMappingTree
+nsslapd-state: backend
+nsslapd-backend: configData
+cn: ${CONFIGDN}
+
+dn: cn=configData,cn=ldbm database,cn=plugins,cn=config
+objectclass: extensibleObject
+objectclass: nsBackendInstance
+nsslapd-suffix: ${CONFIGDN}
+cn: configData
+
+dn: cn=\"${SCHEMADN}\",cn=mapping tree,cn=config
+objectclass: top
+objectclass: extensibleObject
+objectclass: nsMappingTree
+nsslapd-state: backend
+nsslapd-backend: schemaData
+cn: ${SCHEMADN}
+
+dn: cn=schemaData,cn=ldbm database,cn=plugins,cn=config
+objectclass: extensibleObject
+objectclass: nsBackendInstance
+nsslapd-suffix: ${SCHEMADN}
+cn: schemaData
+
diff --git a/source4/setup/fedorads.inf b/source4/setup/fedorads.inf
new file mode 100644
index 0000000000..a5d282d392
--- /dev/null
+++ b/source4/setup/fedorads.inf
@@ -0,0 +1,26 @@
+[General]
+SuiteSpotUserID = ${ROOT}
+FullMachineName=   ${HOSTNAME}.${DNSDOMAIN}
+ServerRoot=   ${LDAPDIR}
+
+[slapd]
+ldapifilepath=${LDAPDIR}/ldapi
+Suffix= ${DOMAINDN}
+RootDN= cn=Manager,${DOMAINDN}
+RootDNPwd= ${LDAPMANAGERPASS}
+ServerIdentifier= samba4
+
+inst_dir= ${LDAPDIR}/slapd-samba4
+config_dir= ${LDAPDIR}/slapd-samba4
+schema_dir= ${LDAPDIR}/slapd-samba4/schema
+lock_dir= ${LDAPDIR}/slapd-samba4/lock
+log_dir= ${LDAPDIR}/slapd-samba4/logs
+run_dir= ${LDAPDIR}/slapd-samba4/logs
+db_dir= ${LDAPDIR}/slapd-samba4/db
+bak_dir= ${LDAPDIR}/slapd-samba4/bak
+tmp_dir= ${LDAPDIR}/slapd-samba4/tmp
+ldif_dir= ${LDAPDIR}/slapd-samba4/ldif
+cert_dir= ${LDAPDIR}/slapd-samba4
+
+start_server= 0
+install_full_schema= 0
\ No newline at end of file
diff --git a/source4/setup/provision-backend b/source4/setup/provision-backend
new file mode 100755
index 0000000000..6a5ec3e892
--- /dev/null
+++ b/source4/setup/provision-backend
@@ -0,0 +1,114 @@
+#!/bin/sh
+exec smbscript "$0" ${1+"$@"}
+/*
+	provision a Samba4 server
+	Copyright Andrew Tridgell 2005
+	Released under the GNU GPL v2 or later
+*/
+
+options = GetOptions(ARGV,
+		"POPT_AUTOHELP",
+		"POPT_COMMON_SAMBA",
+		"POPT_COMMON_VERSION",
+		"POPT_COMMON_CREDENTIALS",
+		'realm=s',
+		'host-name=s',
+		'ldap-manager-pass=s',
+		'root=s',
+		'quiet',
+		'ldap-backend-type=s');
+
+if (options == undefined) {
+   println("Failed to parse options");
+   return -1;
+}
+
+sys = sys_init();
+
+libinclude("base.js");
+libinclude("provision.js");
+
+/*
+  print a message if quiet is not set
+*/
+function message()
+{
+	if (options["quiet"] == undefined) {
+		print(vsprintf(arguments));
+	}
+}
+
+/*
+ show some help
+*/
+function ShowHelp()
+{
+	print("
+Samba4 provisioning
+
+provision [options]
+ --realm	REALM		set realm
+ --host-name	HOSTNAME	set hostname
+ --ldap-manager-pass	PASSWORD	choose LDAP Manager password (otherwise random)
+ --root         USERNAME	choose 'root' unix username
+ --quiet			Be quiet
+ --ldap-backend-type LDAPSERVER     Select either \"openldap\" or \"fedora-ds\" as a target to configure
+ --ldap-module= MODULE          LDB mapping module to use for the LDAP backend
+You must provide at least a realm and ldap-backend-type
+
+");
+	exit(1);
+}
+
+if (options['host-name'] == undefined) {
+	options['host-name'] = hostname();
+}
+
+/*
+   main program
+*/
+if (options["realm"] == undefined ||
+    options["ldap-backend-type"] == undefined ||
+    options["host-name"] == undefined) {
+	ShowHelp();
+}
+
+/* cope with an initially blank smb.conf */
+var lp = loadparm_init();
+lp.set("realm", options.realm);
+lp.reload();
+
+var subobj = provision_guess();
+for (r in options) {
+	var key = strupper(join("", split("-", r)));
+	subobj[key] = options[r];
+}
+
+var ldapbackend = (options["ldap-backend-type"] != undefined);
+
+var paths = provision_default_paths(subobj);
+provision_fix_subobj(subobj, message, paths);
+message("Provisioning LDAP backend for %s in realm %s into %s\n", subobj.HOSTNAME, subobj.REALM, subobj.LDAPDIR);
+message("Using LDAP Manager password: %s\n", subobj.LDAPMANAGERPASS);
+
+var tmp_schema_ldb = subobj.LDAPDIR + "/schema-tmp.ldb";
+sys.mkdir(subobj.LDAPDIR, 0700);
+
+provision_schema(subobj, message, tmp_schema_ldb, paths);
+
+var mapping;
+var ext;
+if (options["ldap-backend-type"] == "fedora-ds") {
+	mapping = "schema-map-fedora-ds-1.0";
+	ext = "ldif";
+	setup_file("fedorads.inf", message, subobj.LDAPDIR + "/fedorads.inf", subobj);
+	setup_file("fedorads-partitions.ldif", message, subobj.LDAPDIR + "/fedorads-partitions.ldif", subobj);
+} else if (options["ldap-backend-type"] == "openldap") {
+	mapping = "schema-map-openldap-2.3";
+	ext = "schema";
+	setup_file("slapd.conf", message, subobj.LDAPDIR + "/slapd.conf", subobj);
+}
+message("ad2oLschema --option=convert:target=" + options["ldap-backend-type"] + " -I " + lp.get("setup directory") + "/" + mapping + " -H tdb://" + tmp_schema_ldb + " -O " + subobj.LDAPDIR + "/backend-schema." + ext + "\n");
+
+message("All OK\n");
+return 0;
diff --git a/source4/setup/slapd.conf b/source4/setup/slapd.conf
new file mode 100644
index 0000000000..a6fe73a4de
--- /dev/null
+++ b/source4/setup/slapd.conf
@@ -0,0 +1,73 @@
+loglevel 0
+
+include ${LDAPDIR}/backend-schema.schema
+
+pidfile		${LDAPDIR}/slapd.pid
+argsfile	${LDAPDIR}/slapd.args
+sasl-realm ${DNSDOMAIN}
+access to * by * write
+
+allow update_anon
+
+authz-regexp
+          uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
+          ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+
+authz-regexp
+          uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
+          ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+
+include $modconf
+
+defaultsearchbase \"${DOMAINDN}\"
+
+backend		bdb
+database        bdb
+suffix		\"cn=Schema,cn=Configuration,${DOMAINDN}\"
+directory	${LDAPDIR}/db/schema
+index           objectClass eq
+index           samAccountName eq
+index name eq
+index objectCategory eq
+index lDAPDisplayName eq
+index subClassOf eq
+
+database        bdb
+suffix		\"cn=Configuration,${DOMAINDN}\"
+directory	${LDAPDIR}/db/config
+index           objectClass eq
+index           samAccountName eq
+index name eq
+index objectSid eq
+index objectCategory eq
+index nCName eq pres
+index subClassOf eq
+index dnsRoot eq
+index nETBIOSName eq pres
+
+database        bdb
+suffix		\"${DOMAINDN}\"
+rootdn          \"cn=Manager,${DOMAINDN}\"
+rootpw          ${LDAPMANAGERPASS}
+directory	${LDAPDIR}/db/user
+index           objectClass eq
+index           samAccountName eq
+index name eq
+index objectSid eq
+index objectCategory eq
+index member eq
+index uidNumber eq
+index gidNumber eq
+index unixName eq
+index privilege eq
+index nCName eq pres
+index lDAPDisplayName eq
+index subClassOf eq
+index dnsRoot eq
+index nETBIOSName eq pres
+
+#syncprov is stable in OpenLDAP 2.3, and available in 2.2.  
+#We only need this for the contextCSN attribute anyway....
+overlay syncprov
+syncprov-checkpoint 100 10
+syncprov-sessionlog 100