diff --git a/libexec-create-certdb.sh b/libexec-create-certdb.sh
deleted file mode 100755
index 2377fdd..0000000
--- a/libexec-create-certdb.sh
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/bin/bash
-# Author: Jan Vcelak
-
-set -e
-
-# default options
-
-CERTDB_DIR=/etc/openldap/certs
-
-# internals
-
-MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
-RANDOM_SOURCE=/dev/urandom
-PASSWORD_BYTES=32
-
-# parse arguments
-
-usage() {
- printf "usage: create-certdb.sh [-d certdb]\n" >&2
- exit 1
-}
-
-while getopts "d:" opt; do
- case "$opt" in
- d)
- CERTDB_DIR="$OPTARG"
- ;;
- \?)
- usage
- ;;
- esac
-done
-
-[ "$OPTIND" -le "$#" ] && usage
-
-# verify target location
-
-if [ ! -d "$CERTDB_DIR" ]; then
- printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
- exit 1
-fi
-
-if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
- printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
- exit 1
-fi
-
-# create the database
-
-printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
-
-PASSWORD_FILE="$CERTDB_DIR/password"
-OLD_UMASK="$(umask)"
-umask 0377
-dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
-umask "$OLD_UMASK"
-
-certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
-
-# load module with builtin CA certificates
-
-echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
-
-# tune permissions
-
-for dbfile in "$CERTDB_DIR"/*.db; do
- chmod 0644 "$dbfile"
-done
-
-exit 0
diff --git a/libexec-generate-server-cert.sh b/libexec-generate-server-cert.sh
deleted file mode 100755
index e2f4974..0000000
--- a/libexec-generate-server-cert.sh
+++ /dev/null
@@ -1,118 +0,0 @@
-#!/bin/bash
-# Author: Jan Vcelak
-
-set -e
-
-# default options
-
-CERTDB_DIR=/etc/openldap/certs
-CERT_NAME="OpenLDAP Server"
-PASSWORD_FILE=
-HOSTNAME_FQDN="$(hostname --fqdn)"
-ALT_NAMES=
-ONCE=0
-
-# internals
-
-RANDOM_SOURCE=/dev/urandom
-CERT_RANDOM_BYTES=256
-CERT_KEY_TYPE=rsa
-CERT_KEY_SIZE=1024
-CERT_VALID_MONTHS=12
-
-# parse arguments
-
-usage() {
- printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
- printf " [-p password-file] [-h hostnames]\n" >&2
- printf " [-a dns-alt-names] [-o]\n" >&2
- exit 1
-}
-
-while getopts "d:n:p:h:a:o" opt; do
- case "$opt" in
- d)
- CERTDB_DIR="$OPTARG"
- ;;
- n)
- CERT_NAME="$OPTARG"
- ;;
- p)
- PASSWORD_FILE="$OPTARG"
- ;;
- h)
- HOSTNAME_FQDN="$OPTARG"
- ;;
- a)
- ALT_NAMES="$OPTARG"
- ;;
- o)
- ONCE=1
- ;;
- \?)
- usage
- ;;
- esac
-done
-
-[ "$OPTIND" -le "$#" ] && usage
-
-# generated options
-
-ONCE_FILE="$CERTDB_DIR/.slapd-leave"
-PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
-ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
-
-# verify target location
-
-if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
- printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
- exit 0
-fi
-
-if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
- printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
- exit 1
-fi
-
-printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
-
-if [ ! -r "$PASSWORD_FILE" ]; then
- printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
- exit 1
-fi
-
-if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
- printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
- exit 1
-fi
-
-# generate server certificate (self signed)
-
-
-CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
-dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
-
-certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
- -S -x -n "$CERT_NAME" \
- -s "CN=$HOSTNAME_FQDN" \
- -t TC,, \
- -k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
- -v $CERT_VALID_MONTHS \
- -8 "$ALT_NAMES" \
- &>/dev/null
-
-rm -f $CERT_RANDOM
-
-# tune permissions
-
-if [ "$(id -u)" -eq 0 ]; then
- chgrp ldap "$PASSWORD_FILE"
- chmod g+r "$PASSWORD_FILE"
-else
- printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
- printf " load it's private key from the certificate database.\n" >&2
-fi
-
-touch "$ONCE_FILE"
-exit 0
diff --git a/openldap.spec b/openldap.spec
index f63a80b..3cb51d6 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -18,8 +18,6 @@ Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.
 Source50: libexec-functions
 Source52: libexec-check-config.sh
 Source53: libexec-upgrade-db.sh
-Source54: libexec-create-certdb.sh
-Source55: libexec-generate-server-cert.sh
 
 # patches for 2.4
 Patch0: openldap-manpages.patch
@@ -248,8 +246,6 @@ install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
 install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
 install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
 install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
-install -m 0755 %SOURCE54 %{buildroot}%{_libexecdir}/openldap/create-certdb.sh
-install -m 0755 %SOURCE55 %{buildroot}%{_libexecdir}/openldap/generate-server-cert.sh
 
 # remove build root from config files and manual pages
 perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
@@ -342,9 +338,6 @@ exit 0
 /sbin/ldconfig
 %systemd_post slapd.service
 
-# generate sample TLS certificate for server (will not replace)
-%{_libexecdir}/openldap/generate-server-cert.sh -o &>/dev/null || :
-
 # generate configuration if necessary
 if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \
 ! -f %{_sysconfdir}/openldap/slapd.conf
@@ -437,7 +430,6 @@ exit 0
 %dir %{_sysconfdir}/openldap/certs
 %config(noreplace) %{_sysconfdir}/openldap/ldap.conf
 %dir %{_libexecdir}/openldap/
-%{_libexecdir}/openldap/create-certdb.sh
 %{_libdir}/liblber-2.4*.so.*
 %{_libdir}/libldap-2.4*.so.*
 %{_libdir}/libldap_r-2.4*.so.*
@@ -495,7 +487,6 @@ exit 0
 %{_libexecdir}/openldap/functions
 %{_libexecdir}/openldap/check-config.sh
 %{_libexecdir}/openldap/upgrade-db.sh
-%{_libexecdir}/openldap/generate-server-cert.sh
 %{_sbindir}/sl*
 %{_mandir}/man8/*
 %{_mandir}/man5/slapd*.5*
@@ -517,6 +508,7 @@ exit 0
 %changelog
 * Tue Jan 27 2015 Jan Synáček - 2.4.40-8
 - link against openssl by default
+- simplify package even more by removing certificate generation
 
 * Mon Jan 26 2015 Jan Synáček - 2.4.40-7
 - remove tmpfiles config since it's no longer needed
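Review bot: Dropping the `%post` invocation in the `@@ -342` hunk leaves nothing that handles a certificate database a previous release already generated: the `@@ -437` hunk still packages `%dir %{_sysconfdir}/openldap/certs`, so on upgrade the old self-signed 1024-bit RSA key, the group-readable `password` file and the `.slapd-leave` marker created by the removed script stay on disk, unmanaged and never rotated. If the default slapd configuration shipped by the package still points at that database (not visible in this diff), an upgraded host would keep serving the stale sample certificate — worth confirming. The changelog line added in the `@@ -517` hunk says only that generation was removed; stating the consequence for administrators, e.g. `- TLS certificates are no longer generated; provision your own and remove any stale sample certdb in /etc/openldap/certs`, would document the behaviour change for upgrades.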