authorAndrew Bartlett <abartlet@samba.org>2009-08-13 17:01:27 +1000
committerAndrew Bartlett <abartlet@samba.org>2009-08-17 09:50:58 +1000
commitf87811f6b39bfa8bdef906256cf7752e4a6fd999 (patch)
tree6b6a36de1546d8cc08074f78eea5279f7dcd7551 /source4/setup
parent7a9030b7ce164460e662d0798c2490ec5929442d (diff)
downloadsamba-f87811f6b39bfa8bdef906256cf7752e4a6fd999.tar.gz
samba-f87811f6b39bfa8bdef906256cf7752e4a6fd999.tar.bz2
samba-f87811f6b39bfa8bdef906256cf7752e4a6fd999.zip
s4:provision Rework provision-backend into provision
This removes a *lot* of duplicated code and the cause of much administrator frustration. We now handle starting and stopping the slapd (at least for the provision), and ensure that there is only one 'right' way to configure the OpenLDAP and Fedora DS backends. We now run OpenLDAP in 'cn=config' mode for online configuration. To test what was the provision-backend code, a new --ldap-dryrun-mode option has been added to provision. It quits the provision just before it would start the LDAP binaries. Andrew Bartlett
Diffstat (limited to 'source4/setup')
-rw-r--r--source4/setup/ldap_backend_startup.sh2
-rw-r--r--source4/setup/olc_acl.conf4
-rw-r--r--source4/setup/olc_pass.conf3
-rwxr-xr-xsource4/setup/provision35
-rwxr-xr-xsource4/setup/provision-backend119
-rw-r--r--source4/setup/slapd.conf10
-rwxr-xr-xsource4/setup/tests/blackbox_provision-backend.sh10
7 files changed, 36 insertions, 147 deletions
diff --git a/source4/setup/ldap_backend_startup.sh b/source4/setup/ldap_backend_startup.sh
new file mode 100644
index 0000000000..4a7c765e36
--- /dev/null
+++ b/source4/setup/ldap_backend_startup.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+${SLAPD_COMMAND}
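Review bot: The wrapper's second line runs `${SLAPD_COMMAND}` as a child of the shell, so whatever starts this script (and any PID or signal handling built around it) talks to the shell process rather than to slapd; `exec ${SLAPD_COMMAND}` replaces the shell so that signals and the exit status reach slapd directly. The placeholder looks like a provision-time template substitution in the same `${...}` style as slapd.conf, in which case word-splitting of the substituted command line is presumably intended. If it is instead read from the environment at run time, an unset value makes the script silently run nothing, and a guard such as `: "${SLAPD_COMMAND:?SLAPD_COMMAND is not set}"` would turn that into an error.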
diff --git a/source4/setup/olc_acl.conf b/source4/setup/olc_acl.conf
deleted file mode 100644
index c248b30fb5..0000000000
--- a/source4/setup/olc_acl.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-access to dn.sub="cn=config"
- by dn="cn=samba-admin,cn=samba" write
- by dn="cn=replicator,cn=samba" read
-
diff --git a/source4/setup/olc_pass.conf b/source4/setup/olc_pass.conf
deleted file mode 100644
index 4c66c1c43f..0000000000
--- a/source4/setup/olc_pass.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-database config
-rootdn cn=config
-
diff --git a/source4/setup/provision b/source4/setup/provision
index d7fa6aa54f..5686ee0e26 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -74,8 +74,6 @@ parser.add_option("--root", type="string", metavar="USERNAME",
help="choose 'root' unix username")
parser.add_option("--nobody", type="string", metavar="USERNAME",
help="choose 'nobody' user")
-parser.add_option("--nogroup", type="string", metavar="GROUPNAME",
- help="choose 'nogroup' group")
parser.add_option("--wheel", type="string", metavar="GROUPNAME",
help="choose 'wheel' privileged group")
parser.add_option("--users", type="string", metavar="GROUPNAME",
@@ -83,13 +81,12 @@ parser.add_option("--users", type="string", metavar="GROUPNAME",
parser.add_option("--quiet", help="Be quiet", action="store_true")
parser.add_option("--blank", action="store_true",
help="do not add users or groups, just the structure")
-parser.add_option("--ldap-backend", type="string", metavar="LDAPSERVER",
- help="LDAP server to use for this provision")
+parser.add_option("--ldap-backend-extra-port", type="int", metavar="LDAP-BACKEND-EXTRA-PORT",
+ help="Additional TCP port for LDAP backend server (to use for replication)")
parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE",
- help="LDB mapping module to use for the LDAP backend",
+ help="LDAP backend type (fedora-ds or openldap)",
choices=["fedora-ds", "openldap"])
-parser.add_option("--aci", type="string", metavar="ACI",
- help="An arbitary LDIF fragment, particularly useful to loading a backend ACI value into a target LDAP server. You must provide at least a realm and domain")
+parser.add_option("--ldap-backend-nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true")
parser.add_option("--server-role", type="choice", metavar="ROLE",
choices=["domain controller", "dc", "member server", "member", "standalone"],
help="Set server role to provision for (default standalone)")
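Review bot: `--ldap-backend-extra-port` (`parser.add_option("--ldap-backend-extra-port", type="int", ...)`) accepts any integer and nothing in this script checks it, so 0, a negative value or 65536 is only discovered when the backend fails to bind, after the provision has already written its configuration; a check after `parse_args()` such as `if opts.ldap_backend_extra_port is not None and not 1 <= opts.ldap_backend_extra_port <= 65535: parser.error("--ldap-backend-extra-port must be between 1 and 65535")` reports it up front. The help string says the port is for replication, i.e. a second network listener on the LDAP backend; it would help administrators to state in the help text which addresses that listener binds and that access to it is governed by the backend's ACLs, since the option text alone reads as "open another port". Whether provision() itself validates the port is not visible in this hunk.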
@@ -97,6 +94,14 @@ parser.add_option("--partitions-only",
help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true")
parser.add_option("--targetdir", type="string", metavar="DIR",
help="Set target directory")
+parser.add_option("--ol-mmr-urls", type="string", metavar="LDAPSERVER",
+ help="List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where <PORT> has to be different than 389!) ] separated with whitespaces for use with OpenLDAP-MMR (Multi-Master-Replication)")
+parser.add_option("--slapd-path", type="string", metavar="SLAPD-PATH",
+ help="Path to slapd for LDAP backend [e.g.:'/usr/local/libexec/slapd']. Required for Setup with LDAP-Backend. OpenLDAP Version >= 2.4.17 should be used.")
+parser.add_option("--setup-ds-path", type="string", metavar="SETUP_DS-PATH",
+ help="Path to setup-ds.pl script for Fedora DS LDAP backend [e.g.:'/usr/sbin/setup-ds.pl']. Required for Setup with Fedora DS backend.")
+parser.add_option("--nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true")
+parser.add_option("--ldap-dryrun-mode", help="Configure LDAP backend, but do not run any binaries and exit early. Used only for the test environment. DO NOT USE", action="store_true")
opts = parser.parse_args()[0]
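Review bot: `--nosync` (`parser.add_option("--nosync", ...)`) duplicates `--ldap-backend-nosync`, which this same commit adds a few lines earlier with identical help text, yet only `opts.nosync` is forwarded to provision() at the bottom of the file, so `--ldap-backend-nosync` parses successfully and silently has no effect. Either drop one of them or make them aliases of the same destination: `parser.add_option("--nosync", "--ldap-backend-nosync", dest="nosync", action="store_true", help="Configure LDAP backend not to call fsync() (for performance in test environments)")`. Separately, the `--ol-mmr-urls` help says the URLs are "separated with whitespaces" while the blackbox test updated in this commit passes them comma-separated; whichever separator the provision code actually splits on, the help string should say so.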
@@ -148,9 +153,6 @@ if opts.interactive:
lp = sambaopts.get_loadparm()
smbconf = lp.configfile
-if opts.aci is not None:
- print "set ACI: %s" % opts.aci
-
if opts.server_role == "dc":
server_role = "domain controller"
elif opts.server_role == "member":
@@ -182,7 +184,12 @@ provision(setup_dir, message,
invocationid=opts.invocationid, adminpass=opts.adminpass,
krbtgtpass=opts.krbtgtpass, machinepass=opts.machinepass,
dnspass=opts.dnspass, root=opts.root, nobody=opts.nobody,
- nogroup=opts.nogroup, wheel=opts.wheel, users=opts.users,
- aci=opts.aci, serverrole=server_role,
- ldap_backend=opts.ldap_backend,
- ldap_backend_type=opts.ldap_backend_type)
+ wheel=opts.wheel, users=opts.users,
+ serverrole=server_role,
+ ldap_backend_extra_port=opts.ldap_backend_extra_port,
+ ldap_backend_type=opts.ldap_backend_type,
+ ol_mmr_urls=opts.ol_mmr_urls,
+ slapd_path=opts.slapd_path,
+ setup_ds_path=opts.setup_ds_path,
+ nosync=opts.nosync,
+ ldap_dryrun_mode=opts.ldap_dryrun_mode)
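Review bot: `slapd_path=opts.slapd_path` and `setup_ds_path=opts.setup_ds_path` are forwarded without any check that the path exists or is executable, and nothing in this script verifies that the path matching the chosen `--ldap-backend-type` was supplied at all; unless provision() validates this itself (not visible here), a missing or mistyped path only surfaces when the backend binary is launched, after the provision has already written its configuration. A front check before the call, e.g. `if opts.ldap_backend_type == "openldap" and not opts.ldap_dryrun_mode and not (opts.slapd_path and os.access(opts.slapd_path, os.X_OK)): parser.error("--slapd-path must point to an executable slapd")` (with the same shape for fedora-ds and `--setup-ds-path`, and assuming `os` is imported), fails early; the blackbox tests pass `/dev/null`, which is why the check has to be skipped in dry-run mode. The provision(...) call this hunk edits starts outside the hunk.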
diff --git a/source4/setup/provision-backend b/source4/setup/provision-backend
deleted file mode 100755
index 3da360447f..0000000000
--- a/source4/setup/provision-backend
+++ /dev/null
@@ -1,119 +0,0 @@
-#!/usr/bin/python
-#
-# Unix SMB/CIFS implementation.
-# provision a Samba4 server
-# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
-# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
-# Copyright (C) Oliver Liebel <oliver@itc.li> 2008-2009
-#
-# Based on the original in EJS:
-# Copyright (C) Andrew Tridgell 2005
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-import os, sys
-
-sys.path.insert(0, "bin/python")
-
-import getopt
-import optparse
-
-import samba
-from samba import param
-
-from samba.auth import system_session
-import samba.getopt as options
-from samba.provision import provision_backend, find_setup_dir
-
-parser = optparse.OptionParser("provision [options]")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-parser.add_option("--setupdir", type="string", metavar="DIR",
- help="directory with setup files")
-parser.add_option("--realm", type="string", metavar="REALM", help="set realm")
-parser.add_option("--domain", type="string", metavar="DOMAIN",
- help="set domain")
-parser.add_option("--host-name", type="string", metavar="HOSTNAME",
- help="set hostname")
-parser.add_option("--ldap-admin-pass", type="string", metavar="PASSWORD",
- help="choose LDAP admin password (otherwise random)")
-parser.add_option("--root", type="string", metavar="USERNAME",
- help="choose 'root' unix username")
-parser.add_option("--quiet", help="Be quiet", action="store_true")
-parser.add_option("--nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true")
-parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE",
- help="LDB mapping module to use for the LDAP backend",
- choices=["fedora-ds", "openldap"])
-parser.add_option("--ldap-backend-port", type="int", metavar="PORT",
- help="TCP Port LDAP server should listen to (default ldapi only)")
-parser.add_option("--server-role", type="choice", metavar="ROLE",
- choices=["domain controller", "dc", "member server", "member", "standalone"],
- help="Set server role to provision for (default standalone)")
-parser.add_option("--targetdir", type="string", metavar="DIR",
- help="Set target directory")
-parser.add_option("--ol-mmr-urls", type="string", metavar="LDAPSERVER",
- help="List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where <PORT> has to be different than 389!) ] separated with whitespaces for use with OpenLDAP-MMR (Multi-Master-Replication)")
-parser.add_option("--ol-olc", type="choice", metavar="OPENLDAP-OLC",
- help="To setup OpenLDAP-Backend with Online-Configuration [slapd.d] choose 'yes'.",
- choices=["yes", "no"])
-parser.add_option("--ol-slapd", type="string", metavar="SLAPD-PATH",
- help="Path to OpenLDAP-Daemon (slapd) [e.g.:'/usr/local/libexec/slapd']. Required for Setup with OpenLDAP-Backend. OpenLDAP Version >= 2.4.17 should be used.")
-parser.add_option("--testing-mode", type="choice", metavar="TESTING-MODE",
- help="Do not select this option, except as part of 'make test' to verify behaviour without a slapd on the system",
- choices=["yes", "no"])
-
-opts = parser.parse_args()[0]
-
-def message(text):
- """print a message if quiet is not set."""
- if not opts.quiet:
- print text
-
-if opts.realm is None or opts.domain is None:
- if opts.realm is None:
- print >>sys.stderr, "No realm set"
- if opts.domain is None:
- print >>sys.stderr, "No domain set"
- parser.print_usage()
- sys.exit(1)
-
-smbconf = sambaopts.get_loadparm().configfile
-
-if opts.server_role == "dc":
- server_role = "domain controller"
-elif opts.server_role == "member":
- server_role = "member server"
-else:
- server_role = opts.server_role
-
-setup_dir = opts.setupdir
-if setup_dir is None:
- setup_dir = find_setup_dir()
-
-provision_backend(setup_dir=setup_dir, message=message, smbconf=smbconf, targetdir=opts.targetdir,
- realm=opts.realm, domain=opts.domain,
- hostname=opts.host_name,
- adminpass=opts.ldap_admin_pass,
- root=opts.root, serverrole=server_role,
- ldap_backend_type=opts.ldap_backend_type,
- ldap_backend_port=opts.ldap_backend_port,
- ol_mmr_urls=opts.ol_mmr_urls,
- ol_olc=opts.ol_olc,
- ol_slapd=opts.ol_slapd,
- nosync=opts.nosync,
- testing_mode=opts.testing_mode)
diff --git a/source4/setup/slapd.conf b/source4/setup/slapd.conf
index 6174121c77..0077a224fb 100644
--- a/source4/setup/slapd.conf
+++ b/source4/setup/slapd.conf
@@ -61,10 +61,16 @@ rootdn cn=Manager,cn=Samba
########################################
## olc - configuration ###
-${OLC_CONFIG_PASS}
+database config
+rootdn cn=config
+
${OLC_SYNCREPL_CONFIG}
${OLC_MMR_CONFIG}
-${OLC_CONFIG_ACL}
+
+access to dn.sub="cn=config"
+ by dn="cn=samba-admin,cn=samba" write
+ by dn="cn=replicator,cn=samba" read
+
########################################
### cn=schema ###
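Review bot: `rootdn cn=config` is inlined here without a `rootpw`, so the config database's rootdn cannot be used by a simple bind unless a password is set elsewhere, and cn=config is effectively governed by the `access to dn.sub="cn=config"` rule that follows (write for cn=samba-admin,cn=samba, read for cn=replicator,cn=samba, and OpenLDAP's implicit `by * none` for everyone else); that is a sensible default, but nothing in the template says it is deliberate. A comment above the `database config` line would keep a later maintainer from "fixing" it by adding a rootpw: `# No rootpw on purpose: cn=config is reachable only through the ACL below (samba-admin write, replicator read).` If a rootpw or a SASL mapping for cn=config is generated elsewhere in the provision, the comment should say that instead; this hunk shows only the template fragment.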
diff --git a/source4/setup/tests/blackbox_provision-backend.sh b/source4/setup/tests/blackbox_provision-backend.sh
index e1331d62eb..305c87ad36 100755
--- a/source4/setup/tests/blackbox_provision-backend.sh
+++ b/source4/setup/tests/blackbox_provision-backend.sh
@@ -12,13 +12,13 @@ shift 1
. `dirname $0`/../../../testprogs/blackbox/subunit.sh
-testit "openldap-backend" $PYTHON ./setup/provision-backend --domain=FOO --realm=foo.example.com --host-name=samba --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --testing-mode=yes --ol-slapd=/dev/null
-testit "openldap-mmr-backend" $PYTHON ./setup/provision-backend --domain=FOO --realm=foo.example.com --host-name=samba --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-mmr-backend --ol-mmr-urls='ldap://localdc1:9000,ldap://localdc2:9000,ldap://localdc3:9000' --testing-mode=yes --ol-slapd=/dev/null
-testit "fedora-ds-backend" $PYTHON ./setup/provision-backend --domain=FOO --realm=foo.example.com --host-name=samba --ldap-backend-type=fedora-ds --targetdir=$PREFIX/fedora-ds-backend --testing-mode=yes --ol-slapd=/dev/null
+testit "openldap-backend" $PYTHON ./setup/provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --ldap-dryrun-mode --slapd-path=/dev/null
+testit "openldap-mmr-backend" $PYTHON ./setup/provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-mmr-backend --ol-mmr-urls='ldap://localdc1:9000,ldap://localdc2:9000,ldap://localdc3:9000' --ldap-dryrun-mode --slapd-path=/dev/null
+testit "fedora-ds-backend" $PYTHON ./setup/provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --ldap-dryrun-mode --slapd-path=/dev/null
reprovision() {
- $PYTHON ./setup/provision-backend --domain=FOO --realm=foo.example.com --host-name=samba --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend-reprovision --testing-mode=yes --ol-slapd=/dev/null
- $PYTHON ./setup/provision-backend --domain=FOO --realm=foo.example.com --host-name=samba --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend-reprovision --testing-mode=yes --ol-slapd=/dev/null
+ $PYTHON ./setup/provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend-reprovision --ldap-dryrun-mode --slapd-path=/dev/null
+ $PYTHON ./setup/provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend-reprovision --ldap-dryrun-mode --slapd-path=/dev/null
}
testit "reprovision-backend" reprovision
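Review bot: The test labelled "fedora-ds-backend" (`testit "fedora-ds-backend" $PYTHON ./setup/provision ... --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend ...`) now runs the openldap backend into the same target directory as the first test, so the Fedora DS dry-run path is no longer exercised and the test cannot fail independently of "openldap-backend". It should select the Fedora DS type and its own directory, passing the new path option the way the openldap tests pass `--slapd-path`: `testit "fedora-ds-backend" $PYTHON ./setup/provision --domain=FOO --realm=foo.example.com --ldap-backend-type=fedora-ds --targetdir=$PREFIX/fedora-ds-backend --ldap-dryrun-mode --setup-ds-path=/dev/null`. Whether dry-run mode stops before the setup-ds.pl path is consulted is not visible here, so `--setup-ds-path=/dev/null` may need adjusting to match.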