martin: server/kolab/kolab kolab, 1.17.2.1, 1.17.2.2 slapd.conf.template, 1.6.2.4, 1.6.2.5
cvs at intevation.de
cvs at intevation.de
Tue Apr 27 20:11:26 CEST 2004
Author: martin
Update of /kolabrepository/server/kolab/kolab
In directory doto:/tmp/cvs-serv21836
Modified Files:
Tag: KOLAB_1_0
kolab slapd.conf.template
Log Message:
Martin K.: Fix for password hashing and file access permissions (slapd.conf)
Index: kolab
===================================================================
RCS file: /kolabrepository/server/kolab/kolab/kolab,v
retrieving revision 1.17.2.1
retrieving revision 1.17.2.2
diff -u -d -r1.17.2.1 -r1.17.2.2
--- kolab 29 Jul 2003 14:20:51 -0000 1.17.2.1
+++ kolab 27 Apr 2004 18:11:24 -0000 1.17.2.2
@@ -56,6 +56,51 @@
sub PROTOCOLOP_EXTENDEDREQ () { 0x18 }
sub PROTOCOLOP_EXTENDEDRESP () { 0x19 }
+my %config_files = (
+ "$kolab_prefix/etc/kolab/session_vars.php.template" => "$kolab_prefix/var/kolab/www/admin/include/session_vars.php",
+ "$kolab_prefix/etc/kolab/main.cf.template" => "$kolab_prefix/etc/postfix/main.cf",
+ "$kolab_prefix/etc/kolab/master.cf.template" => "$kolab_prefix/etc/postfix/master.cf",
+ "$kolab_prefix/etc/kolab/saslauthd.conf.template" => "$kolab_prefix/etc/sasl/saslauthd.conf",
+ "$kolab_prefix/etc/kolab/imapd.conf.template" => "$kolab_prefix/etc/imapd/imapd.conf",
+ "$kolab_prefix/etc/kolab/httpd.conf.template" => "$kolab_prefix/etc/apache/apache.conf",
+ "$kolab_prefix/etc/kolab/legacy.conf.template" => "$kolab_prefix/etc/apache/legacy.conf",
+ "$kolab_prefix/etc/kolab/php.ini.template" => "$kolab_prefix/etc/apache/php.ini",
+ "$kolab_prefix/etc/kolab/proftpd.conf.template" => "$kolab_prefix/etc/proftpd/proftpd.conf",
+ "$kolab_prefix/etc/kolab/slapd.conf.template" => "$kolab_prefix/etc/openldap/slapd.conf");
+
+my %permissions = (
+ "$kolab_prefix/var/kolab/www/admin/include/session_vars.php" => 0640,
+ "$kolab_prefix/etc/postfix/main.cf" => 0640,
+ "$kolab_prefix/etc/postfix/master.cf" => 0640,
+ "$kolab_prefix/etc/sasl/saslauthd.conf" => 0600,
+ "$kolab_prefix/etc/imapd/imapd.conf" => 0640,
+ "$kolab_prefix/etc/apache/apache.conf" => 0640,
+ "$kolab_prefix/etc/apache/legacy.conf" => 0640,
+ "$kolab_prefix/etc/apache/php.ini" => 0640,
+ "$kolab_prefix/etc/proftpd/proftpd.conf" => 0640,
+ "$kolab_prefix/etc/openldap/slapd.conf" => 0640,
+ "$kolab_prefix/etc/postfix/transport" => 0640,
+ "$kolab_prefix/etc/imapd/cyrus.conf" => 0640,
+ "$kolab_prefix/etc/imapd/imapd.group" => 0640,
+ "$kolab_prefix/etc/postfix/virtual" => 0640);
+
+my %ownership = (
+ "$kolab_prefix/var/kolab/www/admin/include/session_vars.php" => "kolab:kolab-n",
+ "$kolab_prefix/etc/postfix/main.cf" => "root:root",
+ "$kolab_prefix/etc/postfix/master.cf" => "root:root",
+ "$kolab_prefix/etc/sasl/saslauthd.conf" => "kolab:kolab",
+ "$kolab_prefix/etc/imapd/imapd.conf" => "kolab:kolab-r",
+ "$kolab_prefix/etc/apache/apache.conf" => "kolab:kolab-n",
+ "$kolab_prefix/etc/apache/legacy.conf" => "kolab:kolab-n",
+ "$kolab_prefix/etc/apache/php.ini" => "kolab:kolab-n",
+ "$kolab_prefix/etc/proftpd/proftpd.conf" => "kolab:kolab-n",
+ "$kolab_prefix/etc/openldap/slapd.conf" => "kolab:kolab",
+ "$kolab_prefix/etc/postfix/transport" => "root:root",
+ "$kolab_prefix/etc/imapd/cyrus.conf" => "kolab:kolab",
+ "$kolab_prefix/etc/imapd/imapd.group" => "kolab:kolab-r",
+ "$kolab_prefix/etc/postfix/virtual" => "root:root");
+
+
#############
# FUNCTIONS #
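Review bot: slapd.conf is set to 0640 kolab:kolab in %permissions/%ownership although, after this commit, it carries the rootdn password hash (and, judging by the `replica ... binddn=` block in the template, replication credentials), so every member of the kolab group can read material that authenticates as the directory root. saslauthd.conf in the same table is 0600, which looks like the intended standard for files holding secrets; if slapd itself runs as `kolab` (as the kolab:kolab ownership suggests), `"$kolab_prefix/etc/openldap/slapd.conf" => 0600,` would be sufficient. The same question applies to `session_vars.php` (0640 kolab:kolab-n), which presumably embeds `bind_pw` — its template is not visible here, so please confirm.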
@@ -208,12 +253,27 @@
return $string;
}
+
+sub fixup {
+ my $file = shift;
+ my $key = shift;
+
+ $opt_v && print "fixing perms of $file\n";
+
+ (my $owner, my $group) = split(/:/, $ownership{$key}, 2);
+ my $uid = (getpwnam($owner))[2];
+ my $gid = (getgrnam($group))[2];
+ chmod($permissions{$key}, $file);
+ chown($uid,$gid,$file);
+}
+
+
# build ( <template name> , <new config file name> )
sub build {
my $templ = $_[0];
my $conf = $_[1];
- my $uid = (getpwnam("kolab"))[2];
- my $gid = (getgrnam("kolab"))[2];
+ my $uid = (getpwnam("root"))[2];
+ my $gid = (getgrnam("root"))[2];
$opt_v && print "creating new $conf from $templ\n";
# make a copy of the last config file to detect differences
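Review bot: fixup() silently turns lookup failures into root ownership: if `$key` has no %ownership entry, or `getpwnam`/`getgrnam` does not know the user or group, `$uid`/`$gid` are undef, which chown() numifies to 0, so the file ends up root:root with no error; the chmod/chown return values are ignored as well, so a failed permission change goes unnoticed on the very files this commit is meant to lock down. The rewrite below dies on a missing table entry, an unknown user/group, or a failed chmod/chown. Separately, the `$uid`/`$gid` lookups that build() switches to root at the top of the hunk no longer have a consumer once the chown in build() is removed later in this commit, so they can be dropped.
```perl
sub fixup {
    my ($file, $key) = @_;

    # … unchanged: verbose message …

    defined $ownership{$key} && defined $permissions{$key}
        or die "no ownership/permission entry for $key";
    my ($owner, $group) = split(/:/, $ownership{$key}, 2);
    my $uid = (getpwnam($owner))[2];
    my $gid = (getgrnam($group))[2];
    defined $uid or die "unknown user $owner for $file";
    defined $gid or die "unknown group $group for $file";
    chmod($permissions{$key}, $file) == 1 or die "chmod $file: $!";
    chown($uid, $gid, $file) == 1 or die "chown $file: $!";
}
```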
@@ -224,7 +284,10 @@
}
my $template = IO::File->new($templ, "r") || die "could not open $templ";
- my $config = IO::File->new($kolab_prefix."/etc/kolab/.tmp", "w+") || die "could not open $conf";
+ my $config = IO::File->new($kolab_prefix."/etc/kolab/.tmp", "w+", 0600) || die "could not open $conf";
+
+ fixup($kolab_prefix."/etc/kolab/.tmp", $conf);
+
while (<$template>) {
if (/\@{3}(\S+)\@{3}/) {
if ($configdata{$1}) {
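Review bot: The `0600` added to `IO::File->new($kolab_prefix."/etc/kolab/.tmp", "w+", 0600)` has no effect: IO::File only forwards the PERMS argument to sysopen when MODE is numeric, and with a string mode such as `"w+"` it falls back to a plain open, so `.tmp` is created with 0666 & ~umask (or keeps the mode of a leftover `.tmp`). The following fixup() call re-applies the target permissions, so the exposure is only the window between the two calls, but to get the intent use the numeric form, `IO::File->new($kolab_prefix."/etc/kolab/.tmp", O_RDWR|O_CREAT|O_TRUNC, 0600)`, which needs `use Fcntl;` — I cannot see the preamble to tell whether it is already there. The die message should also name the file that actually failed, `|| die "could not open $kolab_prefix/etc/kolab/.tmp: $!"`, rather than `$conf`. The body of build() continues past this hunk.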
@@ -239,8 +302,13 @@
undef $template;
undef $config;
move($kolab_prefix."/etc/kolab/.tmp", $conf);
- chown($uid,$gid,$conf);
+ # find all copies of config files
+ foreach $mask (keys %ownership) {
+ @filelist = map { glob($_) } $mask.".*";
+ chmod(0600, at filelist);
+ }
+
# find out about changes
if (!$opt_o && -f $conf.".old") {
my $rc = `diff -q $conf $conf.old`;
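Review bot: The glob `$mask.".*"` over every %ownership key matches far more than the `.old` backups it appears to target: `transport.db` and `virtual.db` (owned root:root per %ownership) are also set to 0600, and Postfix's unprivileged daemons open those maps directly, so unless postmap resets the mode on the next rebuild the lookups fail for a root-owned 0600 file. Limiting the glob to the backups, `foreach my $mask (keys %ownership) { chmod(0600, glob("$mask.old")); }`, keeps the intended effect; this also declares the loop variable, since `$mask` and `@filelist` are currently undeclared globals. Note the loop runs on every build() call, i.e. once per template, and the result of chmod is not checked. build() continues past the end of this hunk.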
@@ -273,23 +341,6 @@
my $section="";
my $ldapobject;
my $mesg;
- my %config_files = (
- "$kolab_prefix/etc/kolab/session_vars.php.template" => "$kolab_prefix/var/kolab/www/admin/include/session_vars.php",
-
- "$kolab_prefix/etc/kolab/main.cf.template" => "$kolab_prefix/etc/postfix/main.cf",
- "$kolab_prefix/etc/kolab/master.cf.template" => "$kolab_prefix/etc/postfix/master.cf",
-
- "$kolab_prefix/etc/kolab/saslauthd.conf.template" => "$kolab_prefix/etc/sasl/saslauthd.conf",
-
- "$kolab_prefix/etc/kolab/imapd.conf.template" => "$kolab_prefix/etc/imapd/imapd.conf",
-
- "$kolab_prefix/etc/kolab/httpd.conf.template" => "$kolab_prefix/etc/apache/apache.conf",
- "$kolab_prefix/etc/kolab/legacy.conf.template" => "$kolab_prefix/etc/apache/legacy.conf",
- "$kolab_prefix/etc/kolab/php.ini.template" => "$kolab_prefix/etc/apache/php.ini",
-
- "$kolab_prefix/etc/kolab/proftpd.conf.template" => "$kolab_prefix/etc/proftpd/proftpd.conf",
-
- "$kolab_prefix/etc/kolab/slapd.conf.template" => "$kolab_prefix/etc/openldap/slapd.conf");
dolog("generating new config");
@@ -320,14 +371,13 @@
foreach $key (keys %config_files) {
build($key, $config_files{$key});
}
- my $uid = (getpwnam("kolab"))[2];
- my $gid = (getgrnam("kolab"))[2];
# put together the transport map for postfix
my $configname="$kolab_prefix/etc/postfix/transport";
copy($configname, $configname.".old");
- chown($uid,$gid,$configname.".old");
copy("$kolab_prefix/etc/kolab/transport.template", $configname);
+ fixup($configname, $configname);
+
my $transport = IO::File->new($configname, "a")
|| die "could not write to postfix transport map";
$mesg = $ldap->search(base=> "k=kolab,".$configdata{'base_dn'}, scope=> 'sub', filter=> "(objectclass=*)")
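Review bot: The `transport.old` backup created by `copy($configname, $configname.".old")` is no longer chowned and is passed through neither fixup() nor the 0600 glob loop in build(), which already ran during the preceding config_files loop, so in this run it keeps whatever mode and owner copy() leaves (the process umask default, as far as I can tell), diverging from the 0640 root:root applied to the live map. Adding `fixup($configname.".old", $configname);` right after the copy keeps backup and live file aligned, as the other `.old` copies in this file would also benefit from. The enclosing block continues outside the hunk.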
@@ -344,7 +394,6 @@
}
undef $ldapobject;
undef $transport;
- system("chown root.root $kolab_prefix/etc/postfix/*");
system("$postmap $kolab_prefix/etc/postfix/transport");
if (!$opt_o) {
if (-f $configname.".old") {
@@ -361,9 +410,9 @@
|| die "could not open imapd cyrus.conf template";
$configname = "$kolab_prefix/etc/imapd/cyrus.conf";
copy($configname, $configname.".old");
- chown($uid,$gid,$configname.".old");
$opt_v && printf "creating new $configname from cyrus.conf.template\n";
my $cyrusconf = IO::File->new($configname,"w") || die "could not open $configname";
+ fixup($configname, $configname);
while (<$cyrustemplate>) {
if (/\@{3}cyrus-imap\@{3}/ && ($configdata{"cyrus-imap"} =~ /true/i)) {
$_ = "imap cmd=\"imapd -C $kolab_prefix/etc/imapd/imapd.conf\" listen=\"143\" prefork=0\n";
@@ -385,7 +434,6 @@
}
undef $cyrustemplate;
undef $cyrusconf;
- chown($uid,$gid,$configname);
if (!$opt_o) {
if (-f $configname.".old") {
my $rc = `diff -q $configname $configname.old`;
@@ -400,8 +448,8 @@
# collect group information from LDAP
$configname = "$kolab_prefix/etc/imapd/imapd.group";
copy($configname, $configname.".old");
- chown($uid,$gid,$configname.".old");
copy("$kolab_prefix/etc/kolab/imapd.group.template", $configname);
+ fixup($configname, $configname);
my $groupconf = IO::File->new($configname, "a")
|| die "could not write to $configname";
my $count = 60000;
@@ -422,7 +470,6 @@
}
undef $ldapobject;
undef $groupconf;
- chown($uid,$gid,$configname);
if (!$opt_o) {
if (-f $configname.".old") {
my $rc = `diff -q $configname $configname.old`;
@@ -551,40 +598,27 @@
# find aliases and put together the virtual map for postfix
# also fill up aliases
$configname = "$kolab_prefix/etc/postfix/virtual";
- #$configname2 = "$kolab_prefix/etc/postfix/aliases";
copy("$kolab_prefix/etc/kolab/virtual.template",$configname);
- #copy("$kolab_prefix/etc/kolab/aliases.template",$configname2);
+ fixup($configname, $configname);
my $virtual = IO::File->new($configname, "a") || die "could not write to $configname";
- #my $aliasdb = IO::File->new($configname2, "a") || die "could not write to $configname2";
$mesg = $ldap->search(base=> $configdata{'base_dn'}, scope=> 'sub', filter=> '(mail=*)');
if ($mesg->code <= 0) {
foreach $ldapobject ($mesg->entries) {
- #my $uidval = $ldapobject->get_value('uid');
my $mail = $ldapobject->get_value('mail');
if (defined($mail)) {
$mail = trim($mail);
my $aliases = $ldapobject->get_value('alias', asref => 1);
- #push @$aliases, $ldapobject->get_value('mail');
foreach (@$aliases) {
$_ = trim($_);
my $rule = $_." ".$mail;
defined($opt_v) && print "adding virtual entry '$rule'\n";
print $virtual $rule."\n";
}
- #(my $rule, my $dom,) = split(/@/,$mail);
- #if ($mail) {
- # $rule .= ": ".$uidval."@".$dom."\n";
- # defined($opt_v) && print "adding aliases entry '$rule'\n";
- # print $aliasdb $rule;
- #}
}
}
} elsif ($opt_v) { print "warning: could not find any aliases in ldap\n"; }
$virtual->close;
- #$aliasdb->close;
- system("chown root.root $kolab_prefix/etc/postfix/*");
system("$postmap $configname");
- #system("$newaliases");
if (!$opt_o && -f $configname.old) {
my $rc = `diff -q $configname $configname.old`;
if ($rc) {
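Review bot: The alias values read from LDAP are written into the Postfix virtual map after only trim(), so a value containing whitespace or a newline yields an extra or malformed map entry, and whoever may write `alias` in the directory can shape mail routing; a guard before the print such as `next unless /\A[^\s#]+\z/;` (with a verbose warning for the skipped value) keeps the map well-formed. The pre-existing check `-f $configname.old` after the postmap call appears to concatenate the bareword `old` (no dot), testing `.../virtualold`, so the diff branch likely never runs; `$configname.".old"` matches the backtick line below it. The enclosing block continues outside the hunk.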
@@ -652,6 +686,13 @@
undef $fd;
$configdata{'bind_dn'} = $kolab_config{'bind_dn'} || die "could not read bind_dn from $kolab_config";
$configdata{'bind_pw'} = $kolab_config{'bind_pw'} || die "could not read bind_pw from $kolab_config";
+
+#martin
+my $hashcmd = $kolab_prefix."/sbin/slappasswd -s ".$kolab_config{'bind_pw'};
+$configdata{'bind_pw_hash'} = `$hashcmd`;
+chomp($configdata{'bind_pw_hash'});
+
+
$configdata{'ldap_uri'} = $kolab_config{'ldap_uri'} || die "could not read ldap_uri from $kolab_config";
$configdata{'base_dn'} = $kolab_config{'base_dn'} || die "could not read base_dn from $kolab_config";
$configdata{'php_dn'} = $kolab_config{'php_dn'} || die "could not read php_dn from $kolab_config";
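Review bot: The rootdn password is handed to slappasswd on the command line via backticks (`$hashcmd`), so it is visible to every local user in `ps` for the duration of the call and is interpolated through the shell, where a password containing quotes, `$`, backticks or whitespace is altered or breaks the command. The result is also used unchecked: if slappasswd fails, `bind_pw_hash` is empty and slapd.conf gets a bare `rootpw` line. The rewrite below feeds the secret through a 0600 temp file and `slappasswd -T` with a list-form pipe open, dies on a missing or malformed hash, and needs `use Fcntl;` for the O_* constants; if the bundled slappasswd lacks `-T`, the list-form `open(my $fh, '-|', $slappasswd, '-s', $pw)` at least keeps the shell out. Stylistically, the `#martin` marker and the outdented block at file scope should match the surrounding assignments.
```perl
# … unchanged: bind_dn / bind_pw reads …

# Hash the rootdn password for slapd.conf without putting it on a command
# line (ps-visible) or through a shell: slappasswd reads it from a 0600
# temp file (-T). Requires `use Fcntl;` for the O_* constants.
my $pwfile = "$kolab_prefix/etc/kolab/.rootpw.$$";
sysopen(my $pwfh, $pwfile, O_WRONLY | O_CREAT | O_EXCL, 0600)
    or die "could not create $pwfile: $!";
print $pwfh $kolab_config{'bind_pw'};
close($pwfh) or die "could not write $pwfile: $!";
open(my $hashfh, '-|', "$kolab_prefix/sbin/slappasswd", '-T', $pwfile)
    or die "could not run slappasswd: $!";
my $hash = <$hashfh>;
unlink($pwfile);
close($hashfh) or die "slappasswd failed (exit $?)";
defined $hash or die "slappasswd produced no output";
chomp($hash);
$hash =~ /\A\{\w+\}\S+\z/ or die "unexpected slappasswd output";
$configdata{'bind_pw_hash'} = $hash;
```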
Index: slapd.conf.template
===================================================================
RCS file: /kolabrepository/server/kolab/kolab/slapd.conf.template,v
retrieving revision 1.6.2.4
retrieving revision 1.6.2.5
diff -u -d -r1.6.2.4 -r1.6.2.5
--- slapd.conf.template 28 Nov 2003 03:43:18 -0000 1.6.2.4
+++ slapd.conf.template 27 Apr 2004 18:11:24 -0000 1.6.2.5
@@ -1,5 +1,5 @@
-# (c) 2003 Tassilo Erlewein <tassilo.erlewein at erfrakon.de>
-# (c) 2003 Martin Konold <martin.konold at erfrakon.de>
+# (c) 2003, 2004 Tassilo Erlewein <tassilo.erlewein at erfrakon.de>
+# (c) 2003, 2004 Martin Konold <martin.konold at erfrakon.de>
# (c) 2003 Achim Frank <achim.frank at erfrakon.de>
# This program is Free Software under the GNU General Public License (>=v2).
# Read the file COPYING that comes with this packages for details.
@@ -7,7 +7,7 @@
# this file is automatically written by the Kolab config backend
# manual additions are lost unless made to the template in the Kolab config directory
-# the template is @@@kolab_prefix@@@/etc/kolab/slapd.conf.template
+# the template is /kolab/etc/kolab/slapd.conf.template
include @@@kolab_prefix@@@/etc/kolab/kolab.schema
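Review bot: The comment now hard-codes `/kolab` while the directives around it, including the `include @@@kolab_prefix@@@/etc/kolab/kolab.schema` line right below, still use the `@@@kolab_prefix@@@` placeholder that the config backend expands, so on an installation with a different prefix the generated file will point readers at a template path that does not exist. Unless the placeholder was not being expanded inside comments (the expansion in the kolab script matches `@@@...@@@` on any line, as far as the visible regex shows), keeping `# the template is @@@kolab_prefix@@@/etc/kolab/slapd.conf.template` is the consistent form.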
@@ -26,14 +26,12 @@
loglevel 0
-password-hash {sha}
-
database ldbm
suffix "@@@base_dn@@@"
directory @@@kolab_prefix@@@/var/openldap/openldap-data
rootdn "@@@bind_dn@@@"
-rootpw "@@@bind_pw@@@"
+rootpw @@@bind_pw_hash@@@
replica host=127.0.0.1:9999
binddn="cn=replicator"
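Review bot: Replacing the plaintext `rootpw "@@@bind_pw@@@"` with `rootpw @@@bind_pw_hash@@@` only removes the secret from this one file; the hash still authenticates as rootdn to anyone who can read slapd.conf (it is installed 0640 kolab:kolab by the accompanying script change) and is crackable offline, and the plaintext `bind_pw` remains in kolab.conf and in any other template that still expands `@@@bind_pw@@@`. Dropping `password-hash {sha}` also changes the scheme slapd applies to passwords set via the Password Modify operation to its built-in default, which is the salted `{SSHA}` — an improvement, but one neither the log message nor the template records; a comment such as `# password-hash deliberately left at the slapd default ({SSHA}): salted, preferred over plain {SHA}` would preserve the intent. The unquoted rootpw value is fine for slappasswd output, which contains no whitespace.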
@@ -46,10 +44,10 @@
index alias eq
access to attr=userPassword
- by group="cn=admin,@@@base_dn@@@" write
- by group="cn=maintainer,@@@base_dn@@@" write
- by self write
- by anonymous auth
+ by group="cn=admin,@@@base_dn@@@" =wx
+ by group="cn=maintainer,@@@base_dn@@@" =wx
+ by self =wx
+ by anonymous =x
by * none stop
access to attr=mail
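Review bot: The switch from `write`/`auth` to the exact privileges `=wx`/`=x` on userPassword means the admin and maintainer groups, and users themselves, can set a password but never read or compare the stored hash, and anonymous can only bind against it — a sound hardening, but because the clause ends in `by * none stop` any existing code path that read or compared userPassword (e.g. the admin web interface verifying a current password over LDAP) will now be denied silently, so that should be checked before release. The intent is also not self-evident to the next maintainer of the template; a comment above the clause, such as `# userPassword: admins/maintainers/self may set (w) and bind (x) but never read the hash; anonymous may only bind`, would record it.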