From b730f13ce0e8d13d2f0b94b3bee19e4457da5576 Mon Sep 17 00:00:00 2001
From: Jan Synacek
Date: Jan 27 2015 14:25:04 +0000
Subject: simplify package even more by removing certificate generation

Creating self-signed certificates for localhost is pointless. If anyone uses TLS, they probably have their own. Testers can generate their own as well, the package does't have to be plagued by scripts just because of that.
---
diff --git a/libexec-create-certdb.sh b/libexec-create-certdb.sh
deleted file mode 100755
index 2377fdd..0000000
--- a/libexec-create-certdb.sh
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/bin/bash
-# Author: Jan Vcelak
-
-set -e
-
-# default options
-
-CERTDB_DIR=/etc/openldap/certs
-
-# internals
-
-MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
-RANDOM_SOURCE=/dev/urandom
-PASSWORD_BYTES=32
-
-# parse arguments
-
-usage() {
- printf "usage: create-certdb.sh [-d certdb]\n" >&2
- exit 1
-}
-
-while getopts "d:" opt; do
- case "$opt" in
- d)
- CERTDB_DIR="$OPTARG"
- ;;
- \?)
- usage
- ;;
- esac
-done
-
-[ "$OPTIND" -le "$#" ] && usage
-
-# verify target location
-
-if [ ! -d "$CERTDB_DIR" ]; then
- printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
- exit 1
-fi
-
-if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
- printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
- exit 1
-fi
-
-# create the database
-
-printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
-
-PASSWORD_FILE="$CERTDB_DIR/password"
-OLD_UMASK="$(umask)"
-umask 0377
-dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
-umask "$OLD_UMASK"
-
-certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
-
-# load module with builtin CA certificates
-
-echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
-
-# tune permissions
-
-for dbfile in "$CERTDB_DIR"/*.db; do
- chmod 0644 "$dbfile"
-done
-
-exit 0
diff --git a/libexec-generate-server-cert.sh b/libexec-generate-server-cert.sh
deleted file mode 100755
index e2f4974..0000000
--- a/libexec-generate-server-cert.sh
+++ /dev/null
@@ -1,118 +0,0 @@
-#!/bin/bash
-# Author: Jan Vcelak
-
-set -e
-
-# default options
-
-CERTDB_DIR=/etc/openldap/certs
-CERT_NAME="OpenLDAP Server"
-PASSWORD_FILE=
-HOSTNAME_FQDN="$(hostname --fqdn)"
-ALT_NAMES=
-ONCE=0
-
-# internals
-
-RANDOM_SOURCE=/dev/urandom
-CERT_RANDOM_BYTES=256
-CERT_KEY_TYPE=rsa
-CERT_KEY_SIZE=1024
-CERT_VALID_MONTHS=12
-
-# parse arguments
-
-usage() {
- printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
- printf " [-p password-file] [-h hostnames]\n" >&2
- printf " [-a dns-alt-names] [-o]\n" >&2
- exit 1
-}
-
-while getopts "d:n:p:h:a:o" opt; do
- case "$opt" in
- d)
- CERTDB_DIR="$OPTARG"
- ;;
- n)
- CERT_NAME="$OPTARG"
- ;;
- p)
- PASSWORD_FILE="$OPTARG"
- ;;
- h)
- HOSTNAME_FQDN="$OPTARG"
- ;;
- a)
- ALT_NAMES="$OPTARG"
- ;;
- o)
- ONCE=1
- ;;
- \?)
- usage
- ;;
- esac
-done
-
-[ "$OPTIND" -le "$#" ] && usage
-
-# generated options
-
-ONCE_FILE="$CERTDB_DIR/.slapd-leave"
-PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
-ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
-
-# verify target location
-
-if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
- printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
- exit 0
-fi
-
-if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
- printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
- exit 1
-fi
-
-printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
-
-if [ ! 
-r "$PASSWORD_FILE" ]; then
- printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
- exit 1
-fi
-
-if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
- printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
- exit 1
-fi
-
-# generate server certificate (self signed)
-
-
-CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
-dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
-
-certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
- -S -x -n "$CERT_NAME" \
- -s "CN=$HOSTNAME_FQDN" \
- -t TC,, \
- -k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
- -v $CERT_VALID_MONTHS \
- -8 "$ALT_NAMES" \
- &>/dev/null
-
-rm -f $CERT_RANDOM
-
-# tune permissions
-
-if [ "$(id -u)" -eq 0 ]; then
- chgrp ldap "$PASSWORD_FILE"
- chmod g+r "$PASSWORD_FILE"
-else
- printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
- printf " load it's private key from the certificate database.\n" >&2
-fi
-
-touch "$ONCE_FILE"
-exit 0
diff --git a/openldap.spec b/openldap.spec
index f63a80b..3cb51d6 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -18,8 +18,6 @@ Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.
 Source50: libexec-functions
 Source52: libexec-check-config.sh
 Source53: libexec-upgrade-db.sh
-Source54: libexec-create-certdb.sh
-Source55: libexec-generate-server-cert.sh
 # patches for 2.4
 Patch0: openldap-manpages.patch
@@ -248,8 +246,6 @@ install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
 install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
 install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
 install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
-install -m 0755 %SOURCE54 %{buildroot}%{_libexecdir}/openldap/create-certdb.sh
-install -m 0755 %SOURCE55 %{buildroot}%{_libexecdir}/openldap/generate-server-cert.sh
 # remove build root from config files and manual pages
 perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
@@ -342,9 +338,6 @@ exit 0
 /sbin/ldconfig
 %systemd_post slapd.service
-# generate sample TLS certificate for server (will not replace)
-%{_libexecdir}/openldap/generate-server-cert.sh -o &>/dev/null || :
-
 # generate configuration if necessary
 if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \
 ! -f %{_sysconfdir}/openldap/slapd.conf
@@ -437,7 +430,6 @@ exit 0
 %dir %{_sysconfdir}/openldap/certs
 %config(noreplace) %{_sysconfdir}/openldap/ldap.conf
 %dir %{_libexecdir}/openldap/
-%{_libexecdir}/openldap/create-certdb.sh
 %{_libdir}/liblber-2.4*.so.*
 %{_libdir}/libldap-2.4*.so.*
 %{_libdir}/libldap_r-2.4*.so.*
@@ -495,7 +487,6 @@ exit 0
 %{_libexecdir}/openldap/functions
 %{_libexecdir}/openldap/check-config.sh
 %{_libexecdir}/openldap/upgrade-db.sh
-%{_libexecdir}/openldap/generate-server-cert.sh
 %{_sbindir}/sl*
 %{_mandir}/man8/*
 %{_mandir}/man5/slapd*.5*
@@ -517,6 +508,7 @@ exit 0
 %changelog
 * Tue Jan 27 2015 Jan Synáček - 2.4.40-8
 - link against openssl by default
+- simplify package even more by removing certificate generation
 * Mon Jan 26 2015 Jan Synáček - 2.4.40-7
 - remove tmpfiles config since it's no longer needed
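Review bot: Dropping the `generate-server-cert.sh -o` call from %post (hunk @@ -342) leaves material that earlier releases created in %{_sysconfdir}/openldap/certs unmanaged and undocumented: the deleted script wrote a self-signed key pair into the NSS database there, left a `password` file made group-readable for `ldap`, and touched a `.slapd-leave` marker, while the spec still owns `%dir %{_sysconfdir}/openldap/certs` and neither a scriptlet nor the changelog says what happens to those files on upgrade. Leaving them in place is presumably the intent, since an admin may be serving TLS from that database, but the package should state it; a changelog line such as `- existing certificate databases, password files and .slapd-leave markers under %{_sysconfdir}/openldap/certs are left untouched on upgrade` in the @@ -517 hunk would make that explicit. The %post scriptlet continues beyond the hunk.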