From cb633f411ef69bfc43cb41cfb9733d037162f680 Mon Sep 17 00:00:00 2001 
From: Endial Fang Date: Mon, 12 Jul 2021 09:31:11 +0800 Subject: [PATCH] =?UTF-8?q?[feat:2.4]=E5=88=9D=E5=A7=8B=E7=89=88=E6=9C=ACD?= =?UTF-8?q?ockerfiler=E5=8F=8A=E5=AF=B9=E5=BA=94=E8=84=9A=E6=9C=AC?= =?UTF-8?q?=E6=96=87=E4=BB=B6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Dockerfile | 186 +++++ Makefile | 55 ++ customer/usr/local/bin/common.sh | 514 ++++++++++++++ customer/usr/local/bin/entry.sh | 29 + customer/usr/local/bin/environment.sh | 93 +++ customer/usr/local/bin/init.sh | 29 + customer/usr/local/bin/run.sh | 38 ++ customer/usr/local/bin/setup.sh | 36 + .../openldap/schema/openssh-lpk-openldap.ldif | 19 + .../schema/openssh-lpk-openldap.schema | 21 + .../openldap/etc/openldap/schema/samba.ldif | 224 ++++++ .../openldap/etc/openldap/schema/samba.schema | 644 ++++++++++++++++++ .../openldap/etc/openldap/schema/sudo.ldif | 11 + .../openldap/etc/openldap/schema/sudo.schema | 76 +++ .../local/openldap/etc/openldap/slapd.ldif | 119 ++++ .../usr/local/overrides/overrides-x.x.x.sh | 11 + customer/usr/sbin/create_user | 12 + customer/usr/sbin/prepare_env | 17 + 18 files changed, 2134 insertions(+) create mode 100644 Dockerfile create mode 100644 Makefile create mode 100644 customer/usr/local/bin/common.sh create mode 100755 customer/usr/local/bin/entry.sh create mode 100644 customer/usr/local/bin/environment.sh create mode 100755 customer/usr/local/bin/init.sh create mode 100755 customer/usr/local/bin/run.sh create mode 100755 customer/usr/local/bin/setup.sh create mode 100644 customer/usr/local/openldap/etc/openldap/schema/openssh-lpk-openldap.ldif create mode 100644 customer/usr/local/openldap/etc/openldap/schema/openssh-lpk-openldap.schema create mode 100644 customer/usr/local/openldap/etc/openldap/schema/samba.ldif create mode 100644 customer/usr/local/openldap/etc/openldap/schema/samba.schema create mode 100644 customer/usr/local/openldap/etc/openldap/schema/sudo.ldif create mode 100644 
customer/usr/local/openldap/etc/openldap/schema/sudo.schema create mode 100644 customer/usr/local/openldap/etc/openldap/slapd.ldif create mode 100644 customer/usr/local/overrides/overrides-x.x.x.sh create mode 100755 customer/usr/sbin/create_user create mode 100755 customer/usr/sbin/prepare_env diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..035661d --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,186 @@
+# Ver: 1.8 by Endial Fang (endial@126.com)
+#
+
+# 可变参数 ========================================================================
+
+# 设置当前应用名称及版本
+ARG app_name=openldap
+ARG app_version=2.4.59
+
+# 设置默认仓库地址,默认为 阿里云 仓库
+ARG registry_url="registry.cn-shenzhen.aliyuncs.com"
+
+# 设置 apt-get 源:default / tencent / ustc / aliyun / huawei
+ARG apt_source=aliyun
+
+# 编译镜像时指定用于加速的本地服务器地址
+ARG local_url=""
+
+
+# 0. 预处理 ======================================================================
+FROM ${registry_url}/colovu/dbuilder as builder
+
+# 声明需要使用的全局可变参数
+ARG app_name
+ARG app_version
+ARG registry_url
+ARG apt_source
+ARG local_url
+
+# 选择软件包源(Optional),以加速后续软件包安装
+RUN select_source ${apt_source};
+
+# 安装依赖的软件包及库(Optional)
+RUN install_pkg groff groff-base libtool libltdl7 libltdl-dev libperl-dev libssl1.1 libssl-dev libcrypto++-dev libsasl2-dev
+
+# 设置工作目录
+WORKDIR /tmp
+
+# 参考文档:
+# 编译: https://www.cnblogs.com/si-jie/p/8214206.html
+# seolim解决(groff): http://www.emreakkas.com/linux-tips/ubuntu-solve-bin-sh-soelim-not-found
+
+ENV dbName=db \
+    dbVersion=5.1.29
+
+# 下载并解压软件包(BerkeleyDB 5.1.29)
+RUN set -eux; \
+    appName=${dbName}-${dbVersion}.tar.gz; \
+    [ ! -z ${local_url} ] && localURL=${local_url}/berkeley; \
+    appUrls="${localURL:-} \
+        http://download.oracle.com/berkeley-db \
+        "; \
+    download_pkg unpack ${appName} "${appUrls}";
+
+# 源码编译(BerkeleyDB)
+RUN set -eux; \
+    APP_SRC="/tmp/${dbName}-${dbVersion}"; \
+    cd ${APP_SRC}/build_unix; \
+    ../dist/configure \
+        --prefix=/usr/local/${dbName} \
+        ; \
+    make -j "$(nproc)"; \
+    make install; \
+    echo "/usr/local/${dbName}/lib/" >> /etc/ld.so.conf; \
+    ldconfig; \
+    rm -rf ${APP_SRC};
+
+# 下载并解压软件包(OpenLDAP 2.4.59)
+RUN set -eux; \
+    appName=${app_name}-${app_version}.tgz; \
+    [ ! -z ${local_url} ] && localURL=${local_url}/${app_name}; \
+    appUrls="${localURL:-} \
+        https://www.openldap.org/software/download/OpenLDAP/openldap-release \
+        "; \
+    download_pkg unpack ${appName} "${appUrls}";
+
+# 源码编译(OpenLDAP)
+RUN set -eux; \
+    APP_SRC="/tmp/${app_name}-${app_version}"; \
+    cd ${APP_SRC}; \
+    ./configure \
+        --prefix=/usr/local/${app_name} \
+        CPPFLAGS="-I/usr/local/db/include -D_GNU_SOURCE" \
+        LDFLAGS="-L/usr/local/db/lib" \
+        --enable-modules \
+        --enable-dynamic \
+        --enable-backends=mod \
+        --enable-overlays=mod \
+        --enable-spasswd \
+        --enable-crypt \
+        --enable-sql=no \
+        --enable-ndb=no \
+        ; \
+    make depend; \
+    make -j "$(nproc)"; \
+    make install;
+
+# 删除编译生成的多余文件
+RUN set -eux; \
+    find /usr/local -name '*.a' -delete; \
+    rm -rf /usr/local/${app_name}/share; \
+    rm -rf /usr/local/${app_name}/include; \
+    rm -rf /usr/local/db/include; \
+    rm -rf /usr/local/db/docs;
+
+# 检测并生成依赖文件记录
+RUN set -eux; \
+    find /usr/local/${app_name} -type f -executable -exec ldd '{}' ';' | \
+        awk '/=>/ { print $(NF-1) }' | \
+        sort -u | \
+        xargs -r dpkg-query --search 2>/dev/null | \
+        cut -d: -f1 | \
+        sort -u >/usr/local/${app_name}/runDeps;
+
+
+# 1. 生成镜像 =====================================================================
+FROM ${registry_url}/colovu/debian:buster
+
+# 声明需要使用的全局可变参数
+ARG app_name
+ARG app_version
+ARG registry_url
+ARG apt_source
+ARG local_url
+
+# 镜像所包含应用的基础信息,定义环境变量,供后续脚本使用
+ENV APP_NAME=${app_name} \
+    APP_EXEC=slapd \
+    APP_VERSION=${app_version}
+
+ENV APP_HOME_DIR=/usr/local/${APP_NAME} \
+    APP_DEF_DIR=/etc/${APP_NAME}
+
+ENV PATH="${APP_HOME_DIR}/sbin:${APP_HOME_DIR}/bin:${APP_HOME_DIR}/libexec:${PATH}" \
+    LD_LIBRARY_PATH="/usr/local/db/lib:${APP_HOME_DIR}/lib"
+
+LABEL \
+    "Version"="v${app_version}" \
+    "Description"="Docker image for ${app_name}(v${app_version})." \
+    "Dockerfile"="https://github.com/colovu/docker-${app_name}" \
+    "Vendor"="Endial Fang (endial@126.com)"
+
+# 从预处理过程中拷贝软件包(Optional),可以使用阶段编号或阶段命名定义来源
+COPY --from=0 /usr/local/db /usr/local/db
+COPY --from=0 /usr/local/${APP_NAME} /usr/local/${APP_NAME}
+
+# 拷贝应用使用的客制化脚本,并创建对应的用户及数据存储目录
+COPY customer /
+RUN set -eux; \
+    prepare_env; \
+    /bin/bash -c "ln -sf /usr/local/${APP_NAME}/etc/${APP_NAME} /etc/";
+
+# 选择软件包源(Optional),以加速后续软件包安装
+RUN select_source ${apt_source}
+
+# 安装依赖的软件包及库(Optional)
+RUN install_pkg `cat /usr/local/${APP_NAME}/runDeps`;
+RUN install_pkg pwgen
+
+# 执行预处理脚本,并验证安装的软件包
+RUN set -eux; \
+    override_file="/usr/local/overrides/overrides-${APP_VERSION}.sh"; \
+    [ -e "${override_file}" ] && /bin/bash "${override_file}"; \
+    ${APP_EXEC} -V | :;
+
+# 默认提供的数据卷
+VOLUME ["/srv/conf", "/srv/data", "/srv/datalog", "/srv/cert", "/var/log"]
+
+# 默认使用gosu切换为新建用户启动,必须保证端口在1024之上
+EXPOSE 8389 8636
+
+# 关闭基础镜像的健康检查
+#HEALTHCHECK NONE
+
+# 应用健康状态检查
+HEALTHCHECK --interval=10s --timeout=10s --retries=3 \
+    CMD netstat -ltun | grep 8389
+
+# 使用 non-root 用户运行后续的命令
+USER 1001
+
+# 容器初始化命令
+ENTRYPOINT ["/usr/local/bin/entry.sh"]
+
+# 应用程序的启动命令,必须使用非守护进程方式运行
+CMD ["/usr/local/bin/run.sh"]
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..4ed7b42
--- /dev/null
+++ b/Makefile
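Review bot: `${APP_EXEC} -V | :` at the end of the overrides RUN step cannot fail — a pipeline's status is that of its last command, here `:` — so the step labelled as verifying the installed package never checks that slapd actually runs against the libraries copied from the builder stage. Ending the pipeline in the check instead, `${APP_EXEC} -V 2>&1 | grep -F "${APP_VERSION}"`, makes the build abort when the binary cannot load or reports the wrong version. The HEALTHCHECK further down has a related weakness: `grep 8389` matches any listening port containing those digits and only proves a socket is open, whereas `ldapsearch -x -H ldap://localhost:8389/ -b '' -s base >/dev/null || exit 1` (ldapsearch is installed under ${APP_HOME_DIR}/bin, already on PATH) would confirm slapd answers; the port is also duplicated from the `LDAP_PORT_NUMBER` default in environment.sh rather than shared with it. The BerkeleyDB source is fetched from `http://download.oracle.com/berkeley-db` with no checksum visible in this file; if `download_pkg` does not verify one, pinning the expected sha256 here is what makes the build reproducible against a modified mirror.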
@@ -0,0 +1,55 @@ +# Ver: 1.11 by Endial Fang (endial@126.com) +# +# 当前 Docker 镜像的编译脚本 + +# 定义镜像名称 +image_name :=colovu/openldap + +# 定义默认镜像仓库地址 +registry_url :=docker.io + +# 定义系统默认使用的源服务器,包含:default / tencent / ustc / aliyun / huawei +apt_source :=tencent + +# 定义镜像TAG,类似: +# <镜像名>:<分支名>-<7位Git ID> # Git 仓库且无文件修改直接编译 +# <镜像名>:<分支名>-<年月日>-<时分秒> # Git 仓库有文件修改后的编译 +# <镜像名>:latest-<年月日>-<时分秒> # 非 Git 仓库编译 +current_subversion:=$(shell if [ ! `git status >/dev/null 2>&1` ]; then git rev-parse --short HEAD; else date +%y%m%d-%H%M%S; fi) +image_tag:=$(shell if [ ! `git status >/dev/null 2>&1` ]; then git rev-parse --abbrev-ref HEAD | sed -e 's/master/latest/'; else echo "latest"; fi)-$(current_subversion) + +build-arg:=--build-arg registry_url=$(registry_url) +build-arg+=--build-arg apt_source=$(apt_source) + +# 设置本地下载服务器路径,加速调试时的本地编译速度 +local_ip:=`echo "en0 eth0" | xargs -n1 ip addr show 2>/dev/null | grep inet | grep -v 127.0.0.1 | grep -v inet6 | tr "/" " " | awk '{print $$2}'` +build-arg+=--build-arg local_url=http://$(local_ip)/dist-files + +.PHONY: build clean clearclean upgrade + +# 屏蔽 "Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them" +export DOCKER_SCAN_SUGGEST=false + +build: + @echo "Build $(image_name):$(image_tag)" + @docker build --progress plain --force-rm $(build-arg) -t $(image_name):$(image_tag) . + @echo "Add tag: $(image_name):latest" + @docker tag $(image_name):$(image_tag) $(image_name):latest + @echo "Build complete" + +# 清理悬空的镜像(无TAG)及停止的容器 +clearclean: clean + @echo "Clean untaged images and stoped containers..." + @docker ps -a | grep "Exited" | awk '{print $$1}' | sort -u | xargs -L 1 docker rm + @docker images | grep '' | awk '{print $$3}' | sort -u | xargs -L 1 docker rmi -f + +# 为了防止删除前缀名相同的镜像,在过滤条件中加入一个空格进行过滤 +clean: + @echo "Clean all images for current application..." 
+ @docker images | grep "$(image_name) " | awk '{print $$3}' | sort -u | xargs -L 1 docker rmi -f + +# 更新所有 colovu 仓库的镜像 +upgrade: + @echo "Upgrade all images..." + @docker images | grep 'colovu' | grep -v '' | grep -v "latest-" | awk '{print $$1":"$$2}' | sort -u | xargs -L 1 docker pull + diff --git a/customer/usr/local/bin/common.sh b/customer/usr/local/bin/common.sh new file mode 100644 index 0000000..999751d --- /dev/null +++ b/customer/usr/local/bin/common.sh 
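Review bot: `if [ ! \`git status >/dev/null 2>&1\` ]` in `current_subversion` and `image_tag` never tests git's exit status: the substitution captures stdout, which is redirected away, so the test is always `[ ! ]` (true), the git branch is taken even outside a repository, and the documented "modified files → timestamp" case is never reached because `git status` also succeeds on a dirty tree. `if git diff-index --quiet HEAD -- 2>/dev/null; then` expresses the intended condition for both variables. `local_ip` is also resolved with `ip addr` on every invocation and passed as `--build-arg local_url=…`, so each build bakes a host address into `docker history` even when no local mirror is running; leaving it empty unless explicitly requested keeps the image free of that detail.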
@@ -0,0 +1,514 @@ +#!/bin/bash +# Ver: 1.1 by Endial Fang (endial@126.com) +# +# 应用通用业务处理函数 + +# 加载依赖脚本 +. /usr/local/scripts/libcommon.sh # 通用函数库 + +. /usr/local/scripts/libfile.sh +. /usr/local/scripts/libfs.sh +. /usr/local/scripts/liblog.sh +. /usr/local/scripts/libos.sh +. /usr/local/scripts/libservice.sh +. /usr/local/scripts/libvalidations.sh + +# 函数列表 + +# 使用环境变量中配置,更新配置文件 +openldap_update_conf() { + LOG_I "Update configure files..." + +} + +# 生成RootDN用户信息 +openldap_root_credentials() { + # 根据容器参数,设置配置文件 + LOG_I "Configure LDAP credentials for RootDN" + +cat > "${APP_CONF_DIR}/rootdn.ldif" << EOF +# RootDN configration +dn: olcDatabase={2}hdb,cn=config +changetype: modify +replace: olcSuffix +olcSuffix: $LDAP_ROOT + +dn: olcDatabase={2}hdb,cn=config +changetype: modify +replace: olcRootDN +olcRootDN: $LDAP_ROOT_DN + +dn: olcDatabase={2}hdb,cn=config +add: olcRootPW +olcRootPW: $LDAP_ENCRYPTED_ROOT_PASSWORD + +dn: olcDatabase={1}monitor,cn=config +changetype: modify +replace: olcAccess +olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="${LDAP_ROOT_DN}" read by * none +EOF + debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/rootdn.ldif" +} + +# 生成Admin账户用户信息 +openldap_create_tree() { + # 根据容器参数,设置配置文件 + LOG_I "Configure LDAP credentials for admin user" + +cat > "${APP_CONF_DIR}/admin.ldif" << EOF +# RootDN creation +dn: $LDAP_ROOT +objectClass: dcObject +objectClass: organization +o: $LDAP_ORGNIZATION_NAME + +# Mnanger OU creation +dn: ou=Manager,$LDAP_ROOT +objectClass: organizationalUnit +ou: Manager + +# User Admin creation +dn: uid=$LDAP_ADMIN_UID,ou=Manager,$LDAP_ROOT +objectclass: inetOrgPerson +cn: $LDAP_ADMIN_GIVEN_NAME $LDAP_ADMIN_SURNAME +sn: $LDAP_ADMIN_SURNAME +uid: $LDAP_ADMIN_UID +userpassword: $LDAP_ENCRYPTED_ADMIN_PASSWORD +mail: $LDAP_ADMIN_MAIL + +# User Binder creation +dn: uid=$LDAP_BIND_UID,ou=Manager,$LDAP_ROOT +objectclass: inetOrgPerson +cn: 
$LDAP_BIND_GIVEN_NAME $LDAP_BIND_SURNAME +sn: $LDAP_BIND_SURNAME +uid: $LDAP_BIND_UID +userpassword: $LDAP_ENCRYPTED_BIND_PASSWORD +EOF + + debug_execute ldapadd -f "${APP_CONF_DIR}/admin.ldif" -H "ldapi:///" -D "$LDAP_ROOT_DN" -w "$LDAP_ROOT_PASSWORD" +} + +# 生成自定义账户用户信息 +openldap_create_users() { + # 根据容器参数,设置配置文件 + LOG_I "Configure LDAP credentials for admin user" + +cat > "${APP_CONF_DIR}/users.ldif" << EOF +# User OU creation +dn: ${LDAP_USER_OU/#/ou=},$LDAP_ROOT +objectClass: organizationalUnit +ou: users + +EOF + + read -r -a users <<< "$(tr ',;' ' ' <<< "${LDAP_USERS}")" + read -r -a passwords <<< "$(tr ',;' ' ' <<< "${LDAP_PASSWORDS}")" + + local index=0 + for user in "${users[@]}"; do + cat >> "${APP_CONF_DIR}/users.ldif" << EOF +# User $user creation +dn: ${user/#/cn=},${LDAP_USER_OU/#/ou=},${LDAP_ROOT} +cn: User$((index + 1 )) +sn: Bar$((index + 1 )) +objectClass: inetOrgPerson +objectClass: posixAccount +objectClass: shadowAccount +userPassword: ${passwords[$index]} +uid: $user +uidNumber: $((index + 1000 )) +gidNumber: $((index + 1000 )) +homeDirectory: /home/${user} + +EOF + index=$((index + 1 )) + done + + cat >> "${APP_CONF_DIR}/users.ldif" << EOF +# Group creation +dn: ${LDAP_USER_GROUP/#/cn=},${LDAP_USER_OU/#/ou=},${LDAP_ROOT} +cn: $LDAP_USER_GROUP +objectClass: groupOfNames +# User group membership +EOF + + for user in "${users[@]}"; do + cat >> "${APP_CONF_DIR}/users.ldif" << EOF +member: ${user/#/cn=},${LDAP_USER_OU/#/ou=},${LDAP_ROOT} +EOF + done + + debug_execute ldapadd -f "${APP_CONF_DIR}/users.ldif" -H "ldapi:///" -D "$LDAP_ROOT_DN" -w "$LDAP_ROOT_PASSWORD" +} + +# 生成默认配置文件 +openldap_generate_conf() { + # 根据容器参数,设置配置文件 + LOG_I "Creating LDAP online configuration" + + ! 
is_root && replace_in_file "${APP_CONF_DIR}/slapd.ldif" "uidNumber=0" "uidNumber=$(id -u)" + debug_execute slapadd -F "$LDAP_ONLINE_CONF_DIR" -n 0 -l "${APP_CONF_DIR}/slapd.ldif" +} + +# 生成LTS配置文件 +openldap_generate_lts_conf() { + LOG_I "Configuring TLS" + + cat > "${APP_CONF_DIR}/certs.ldif" << EOF +dn: cn=config +changetype: modify +replace: olcTLSCACertificateFile +olcTLSCACertificateFile: $LDAP_TLS_CA_FILE +- +replace: olcTLSCertificateFile +olcTLSCertificateFile: $LDAP_TLS_CERT_FILE +- +replace: olcTLSCertificateKeyFile +olcTLSCertificateKeyFile: $LDAP_TLS_KEY_FILE +EOF + + if [[ -f "$LDAP_TLS_DH_PARAMS_FILE" ]]; then + cat >> "${APP_CONF_DIR}/certs.ldif" << EOF +- +replace: olcTLSDHParamFile +olcTLSDHParamFile: $LDAP_TLS_DH_PARAMS_FILE +EOF + fi + debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/certs.ldif" + +} + +# 检测用户参数信息是否满足条件; 针对部分权限过于开放情况,打印提示信息 +openldap_verify_minimum_env() { + local error_code=0 + + LOG_D "Validating settings in APP_* env vars..." + + print_validation_error() { + LOG_E "$1" + error_code=1 + } + + check_allowed_port() { + local port_var="${1:?missing port variable}" + local validate_port_args=() + ! is_root && validate_port_args+=("-unprivileged") + if ! err=$(validate_port "${validate_port_args[@]}" "${!port_var}"); then + print_validation_error "An invalid port was specified in the environment variable ${port_var}: ${err}." + fi + } + + for var in LDAP_SKIP_DEFAULT_TREE LDAP_ENABLE_TLS; do + if ! is_yes_no_value "${!var}"; then + print_validation_error "The allowed values for $var are: yes or no" + fi + done + + if is_boolean_yes "$LDAP_ENABLE_TLS"; then + if [[ -z "$LDAP_TLS_CERT_FILE" ]]; then + print_validation_error "You must provide a X.509 certificate in order to use TLS" + elif [[ ! 
-f "$LDAP_TLS_CERT_FILE" ]]; then + print_validation_error "The X.509 certificate file in the specified path ${LDAP_TLS_CERT_FILE} does not exist" + fi + if [[ -z "$LDAP_TLS_KEY_FILE" ]]; then + print_validation_error "You must provide a private key in order to use TLS" + elif [[ ! -f "$LDAP_TLS_KEY_FILE" ]]; then + print_validation_error "The private key file in the specified path ${LDAP_TLS_KEY_FILE} does not exist" + fi + if [[ -z "$LDAP_TLS_CA_FILE" ]]; then + print_validation_error "You must provide a CA X.509 certificate in order to use TLS" + elif [[ ! -f "$LDAP_TLS_CA_FILE" ]]; then + print_validation_error "The CA X.509 certificate file in the specified path ${LDAP_TLS_CA_FILE} does not exist" + fi + fi + + read -r -a users <<< "$(tr ',;' ' ' <<< "${LDAP_USERS}")" + read -r -a passwords <<< "$(tr ',;' ' ' <<< "${LDAP_PASSWORDS}")" + if [[ "${#users[@]}" -ne "${#passwords[@]}" ]]; then + print_validation_error "Specify the same number of passwords on LDAP_PASSWORDS as the number of users on LDAP_USERS!" + fi + + if [[ -n "$LDAP_PORT_NUMBER" ]] && [[ -n "$LDAP_LDAPS_PORT_NUMBER" ]]; then + if [[ "$LDAP_PORT_NUMBER" -eq "$LDAP_LDAPS_PORT_NUMBER" ]]; then + print_validation_error "LDAP_PORT_NUMBER and LDAP_LDAPS_PORT_NUMBER are bound to the same port!" + fi + fi + [[ -n "$LDAP_PORT_NUMBER" ]] && check_allowed_port LDAP_PORT_NUMBER + [[ -n "$LDAP_LDAPS_PORT_NUMBER" ]] && check_allowed_port LDAP_LDAPS_PORT_NUMBER + + [[ "$error_code" -eq 0 ]] || exit "$error_code" +} + +# 以后台方式启动应用服务,并等待启动就绪 +openldap_start_server_bg() { + local -a flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldapi:/// " "-F" "${APP_CONF_DIR}/slapd.d") + local -r command="$(command -v slapd)" + + if openldap_is_server_not_running; then + + LOG_I "Starting ${APP_NAME} in background..." + + ulimit -n "$LDAP_ULIMIT_NOFILES" + + is_root && flags=("-u" "$LDAP_DAEMON_USER" "${flags[@]}") + debug_execute ${command} "${flags[@]}" + + # 通过命令或特定端口检测应用是否就绪 + LOG_D "Checking ${APP_NAME} ready status..." 
+ # wait-for-port --timeout 60 "$ZOO_PORT_NUMBER" + + LOG_I "${APP_NAME} is ready for service..." + fi +} + +# 停止应用服务 +openldap_stop_server() { + local -r retries="${1:-10}" + local -r sleep_time="${2:-1}" + + if openldap_is_server_running ; then + LOG_I "Stopping ${APP_NAME}..." + + # 使用 PID 文件 kill 进程 + stop_service_using_pid "$LDAP_PID_FILE" + + # 检测停止是否完成 + while [[ "$retries" -ne 0 ]] && openldap_is_server_running; do + LOG_D "Waiting for ${APP_NAME} to stop..." + sleep ${sleep_time} + retries=$((retries - 1)) + done + else + LOG_D "${APP_NAME} stopped..." + fi +} + +# 检测应用服务是否在后台运行中 +openldap_is_server_running() { + LOG_D "Check if ${APP_NAME} is running..." + local pid + pid="$(get_pid_from_file "${LDAP_PID_FILE}")" + LOG_D "${APP_NAME} PID: ${pid}" + + if [[ -n "${pid}" ]]; then + is_service_running "${pid}" + else + false + fi +} + +openldap_is_server_not_running() { + ! openldap_is_server_running +} + +# 增加 schema 文件 +openldap_add_modules() { + LOG_I "Adding LDAP extra modules" + + read -r -a modules <<< "$(tr ',;' ' ' <<< "${LDAP_EXTRA_MODULES}")" + cat > "${APP_CONF_DIR}/modules.ldif" << EOF +dn: cn=module{0},cn=config +add: olcModuleLoad +EOF + + for module in "${modules[@]}"; do + LOG_D "Add module: ${module}.la" + cat >> "${APP_CONF_DIR}/modules.ldif" << EOF +olcModuleLoad: ${module}.la +EOF + debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/modules.ldif" + done +} + +# 增加 schema 文件 +openldap_add_schemas() { + LOG_I "Adding LDAP extra schemas" + + read -r -a schemas <<< "$(tr ',;' ' ' <<< "${LDAP_EXTRA_SCHEMAS}")" + for schema in "${schemas[@]}"; do + LOG_D "Add schema: ${schema}.ldif" + debug_execute ldapadd -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/schema/${schema}.ldif" + done +} + +# 增加个性化 schema 文件 +openldap_add_custom_schema() { + LOG_I "Adding custom Schema in $LDAP_CUSTOM_SCHEMA_DIR ..." 
+ + #find "$LDAP_CUSTOM_SCHEMA_DIR" -maxdepth 1 \( -type f -o -type l \) -iname '*.ldif' -print0 | sort -z | xargs --null -I{} bash -c ". /usr/local/scripts/libos.sh && debug_execute debug_execute slapadd -F "$LDAP_ONLINE_CONF_DIR" -n 0 -l {} " + find "${APP_CONF_DIR}/${LDAP_CUSTOM_SCHEMA_DIR}" -maxdepth 1 \( -type f -o -type l \) -iname '*.ldif' -print0 | sort -z | while read -r f; do + LOG_D "Add schema: ${schema}.ldif" + debug_execute debug_execute slapadd -F "$LDAP_ONLINE_CONF_DIR" -n 0 -l $f + done + + openldap_stop_server + #while openldap_is_server_running; do sleep 1; done + openldap_start_server_bg +} + +# 导入 ldif 文件定义的数据 +openldap_add_custom_ldifs() { + LOG_I "Loading custom LDIF files..." + LOG_W "Ignoring LDAP_USERS, LDAP_PASSWORDS, LDAP_USER_OU and LDAP_USER_GROUP environment variables..." + + #find "$LDAP_CUSTOM_LDIF_DIR" -maxdepth 1 \( -type f -o -type l \) -iname '*.ldif' -print0 | sort -z | xargs --null -I{} bash -c ". /usr/local/scripts/libos.sh && debug_execute ldapadd -f {} -H 'ldapi:///' -D $LDAP_ROOT_DN -w $LDAP_ROOT_PASSWORD" + find "${APP_CONF_DIR}/${LDAP_CUSTOM_LDIF_DIR}" -maxdepth 1 \( -type f -o -type l \) -iname '*.ldif' -print0 | sort -z | while read -r f; do + LOG_D "Add ldif: ${schema}.ldif" + debug_execute ldapadd -f $f -H 'ldapi:///' -D $LDAP_ROOT_DN -w $LDAP_ROOT_PASSWORD + done +} + +# 清理初始化应用时生成的临时文件 +openldap_clean_tmp_file() { + LOG_D "Clean ${APP_NAME} tmp files for init..." + +} + +# 在重新启动容器时,删除标志文件及必须删除的临时文件 (容器重新启动) +openldap_clean_from_restart() { + LOG_D "Clean ${APP_NAME} tmp files for restart..." + local -r -a files=( + "/var/run/${APP_NAME}/${APP_NAME}.pid" + ) + + for file in ${files[@]}; do + if [[ -f "$file" ]]; then + LOG_I "Cleaning stale $file file" + rm "$file" + fi + done +} + +# 应用默认初始化操作 +# 执行完毕后,生成文件 ${APP_CONF_DIR}/.app_init_flag 及 ${APP_DATA_DIR}/.data_init_flag 文件 +openldap_default_init() { + openldap_clean_from_restart + LOG_D "Check init status of ${APP_NAME}..." + + # 检测配置文件是否存在 + if [[ ! 
-f "${APP_CONF_DIR}/.app_init_flag" ]]; then + LOG_I "No injected configuration file found, creating default config files..." + + openldap_generate_conf + + touch "${APP_CONF_DIR}/.app_init_flag" + echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_CONF_DIR}/.app_init_flag" + else + LOG_I "User injected custom configuration detected!" + + LOG_D "Update configure files from environment..." + openldap_update_conf + fi + + if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then + LOG_I "Deploying ${APP_NAME} from scratch..." + + [[ ! -e ${APP_DATA_DIR}/DB_CONFIG ]] && cp ${APP_CONF_DIR}/DB_CONFIG.example ${APP_DATA_DIR}/DB_CONFIG + + # 启动后台服务 + openldap_start_server_bg + + openldap_root_credentials + + if is_boolean_yes "$LDAP_ENABLE_TLS"; then + openldap_generate_lts_conf + fi + + if is_boolean_yes "$LDAP_SKIP_DEFAULT_TREE"; then + LOG_I "Skipping default schemas/tree structure" + else + # 使用相应的 schemas/tree 初始化 OpenLDAP + openldap_add_modules + openldap_add_schemas + if ! is_dir_empty "$LDAP_CUSTOM_SCHEMA_DIR"; then + openldap_add_custom_schema + fi + + if ! is_dir_empty "$LDAP_CUSTOM_LDIF_DIR"; then + openldap_add_custom_ldifs + else + openldap_create_tree + openldap_create_users + fi + fi + + touch ${APP_DATA_DIR}/.data_init_flag + echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> ${APP_DATA_DIR}/.data_init_flag + else + LOG_I "Deploying ${APP_NAME} with persisted data..." + fi +} + +# 用户自定义的前置初始化操作,依次执行目录 preinitdb.d 中的初始化脚本 +# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_preinit_flag +openldap_custom_preinit() { + LOG_I "Check custom pre-init status of ${APP_NAME}..." + + # 检测用户配置文件目录是否存在 preinitdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本 + if [ -d "/srv/conf/${APP_NAME}/preinitdb.d" ]; then + # 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作 + if [[ -n $(find "/srv/conf/${APP_NAME}/preinitdb.d/" -type f -regex ".*\.\(sh\)") ]] && \ + [[ ! -f "${APP_DATA_DIR}/.custom_preinit_flag" ]]; then + LOG_I "Process custom pre-init scripts from /srv/conf/${APP_NAME}/preinitdb.d..." 
+ + # 检索所有可执行脚本,排序后执行 + find "/srv/conf/${APP_NAME}/preinitdb.d/" -type f -regex ".*\.\(sh\)" | sort | process_init_files + + touch "${APP_DATA_DIR}/.custom_preinit_flag" + echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_preinit_flag" + LOG_I "Custom preinit for ${APP_NAME} complete." + else + LOG_I "Custom preinit for ${APP_NAME} already done before, skipping initialization." + fi + fi + + # 检测依赖的服务是否就绪 + #for i in ${SERVICE_PRECONDITION[@]}; do + # openldap_wait_service "${i}" + #done +} + +# 用户自定义的应用初始化操作,依次执行目录initdb.d中的初始化脚本 +# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_init_flag +openldap_custom_init() { + LOG_I "Check custom initdb status of ${APP_NAME}..." + + # 检测用户配置文件目录是否存在 initdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本 + if [ -d "/srv/conf/${APP_NAME}/initdb.d" ]; then + # 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作 + if [[ -n $(find "/srv/conf/${APP_NAME}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)") ]] && \ + [[ ! -f "${APP_DATA_DIR}/.custom_init_flag" ]]; then + LOG_I "Process custom init scripts from /srv/conf/${APP_NAME}/initdb.d..." + + # 启动后台服务 + openldap_start_server_bg + + # 检索所有可执行脚本,排序后执行 + find "/srv/conf/${APP_NAME}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)" | sort | while read -r f; do + case "$f" in + *.sh) + if [[ -x "$f" ]]; then + LOG_D "Executing $f"; "$f" + else + LOG_D "Sourcing $f"; . "$f" + fi + ;; + *.ldif) + LOG_D "Executing $f"; + postgresql_execute "${PG_DATABASE}" "${PG_INITSCRIPTS_USERNAME}" "${PG_INITSCRIPTS_PASSWORD}" < "$f" + ;; + *) + LOG_D "Ignoring $f" ;; + esac + done + + touch "${APP_DATA_DIR}/.custom_init_flag" + echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_init_flag" + LOG_I "Custom init for ${APP_NAME} complete." + else + LOG_I "Custom init for ${APP_NAME} already done before, skipping initialization." + fi + fi + +} + diff --git a/customer/usr/local/bin/entry.sh b/customer/usr/local/bin/entry.sh new file mode 100755 index 0000000..2a72e7c --- /dev/null 
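Review bot: `openldap_create_users` writes `userPassword: ${passwords[$index]}` straight from LDAP_PASSWORDS, so the per-user entries store cleartext secrets in the directory, whereas the root, admin and bind entries in the neighbouring functions use the pre-hashed LDAP_ENCRYPTED_*_PASSWORD values; hash each one the same way, `userPassword: $(printf '%s' "${passwords[$index]}" | slappasswd -n -T /dev/stdin)`. Every `ldapadd … -w "$LDAP_ROOT_PASSWORD"` in this file also puts the rootDN password on the command line, where it is readable in the process list and, if `debug_execute` echoes the command, in the container log; `-y <file>` with a mode-0600 temporary file avoids both. Two smaller slips belong in the same pass: `openldap_add_custom_schema` doubles `debug_execute` and, like `openldap_add_custom_ldifs`, logs `${schema}` inside a loop whose variable is `$f` (unbound under the callers' `set -u`), and the `*.ldif)` branch of `openldap_custom_init` calls `postgresql_execute` with PG_* variables that do not exist here and is unreachable anyway because the find regex only matches `sh|sql|sql.gz`.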
+++ b/customer/usr/local/bin/entry.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# Ver: 1.2 by Endial Fang (endial@126.com)
+#
+# 容器入口脚本
+
+# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用:
+# -e: 命令执行错误则报错(errexit); -u: 变量未定义则报错(nounset); -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错
+set -eu
+set -o pipefail
+
+. /usr/local/scripts/libcommon.sh # 加载通用函数库
+
+LOG_I "** Processing entry.sh **"
+
+if [[ "$*" = "/usr/local/bin/run.sh" ]]; then
+    print_image_welcome
+
+    LOG_I "** Starting ${APP_NAME} setup **"
+    /usr/local/bin/setup.sh
+    /usr/local/bin/init.sh
+    LOG_I "** ${APP_NAME} setup finished! **"
+fi
+
+# 检测是否仅打印帮助信息
+[ "${1:0:1}" = '-' ] && set -- "${APP_EXEC:-/bin/bash}" "$@"
+print_command_help "$@"
+
+LOG_I "Start container with command: $@"
+exec "$@"
diff --git a/customer/usr/local/bin/environment.sh b/customer/usr/local/bin/environment.sh
new file mode 100644
index 0000000..e383569
--- /dev/null
+++ b/customer/usr/local/bin/environment.sh
@@ -0,0 +1,93 @@ +#!/bin/bash +# Ver: 1.0 by Endial Fang (endial@126.com) +# +# 应用环境变量定义及初始化 + +# 通用设置 +export ENV_DEBUG=${ENV_DEBUG:-false} +export ALLOW_ANONYMOUS_LOGIN="${ALLOW_ANONYMOUS_LOGIN:-no}" + +# 通过读取变量名对应的 *_FILE 文件,获取变量值;如果对应文件存在,则通过传入参数设置的变量值会被文件中对应的值覆盖 +# 变量优先级: *_FILE > 传入变量 > 默认值 +app_env_file_lists=( + APP_PASSWORD +) +for env_var in "${app_env_file_lists[@]}"; do + file_env_var="${env_var}_FILE" + if [[ -n "${!file_env_var:-}" ]]; then + export "${env_var}=$(< "${!file_env_var}")" + unset "${file_env_var}" + fi +done +unset app_env_file_lists + +# 应用路径参数 +export APP_HOME_DIR="/usr/local" +export APP_DEF_DIR="/etc/${APP_NAME}" +export APP_CONF_DIR="/srv/conf/${APP_NAME}" +export APP_DATA_DIR="/srv/data/${APP_NAME}" +export APP_DATA_LOG_DIR="/srv/datalog/${APP_NAME}" +export APP_CACHE_DIR="/var/cache/${APP_NAME}" +export APP_RUN_DIR="/var/run/${APP_NAME}" +export APP_LOG_DIR="/var/log/${APP_NAME}" +export APP_CERT_DIR="/srv/cert/${APP_NAME}" + +# 应用配置参数 +export LDAP_PORT_NUMBER="${LDAP_PORT_NUMBER:-8389}" +export LDAP_LDAPS_PORT_NUMBER="${LDAP_LDAPS_PORT_NUMBER:-8636}" + +export LDAP_EXTRA_SCHEMAS="${LDAP_EXTRA_SCHEMAS:-cosine,inetorgperson,nis}" +export LDAP_EXTRA_MODULES="${LDAP_EXTRA_MODULES:-accesslog}" + +export LDAP_CUSTOM_LDIF_DIR="${LDAP_CUSTOM_LDIF_DIR:-initdb.d/ldifs}" +export LDAP_CUSTOM_SCHEMA_DIR="${LDAP_CUSTOM_SCHEMA_FILE:-initdb/schema}" + +export LDAP_ULIMIT_NOFILES="${LDAP_ULIMIT_NOFILES:-1024}" + +export LDAP_ENABLE_TLS="${LDAP_ENABLE_TLS:-no}" +export LDAP_TLS_CERT_FILE="${LDAP_TLS_CERT_FILE:-}" +export LDAP_TLS_KEY_FILE="${LDAP_TLS_KEY_FILE:-}" +export LDAP_TLS_CA_FILE="${LDAP_TLS_CA_FILE:-}" +export LDAP_TLS_DH_PARAMS_FILE="${LDAP_TLS_DH_PARAMS_FILE:-}" + +export LDAP_ROOT="${LDAP_ROOT:-dc=example,dc=org}" +export LDAP_ORGNIZATION_NAME="${LDAP_ORGNIZATION_NAME:-Colovu Lab}" + +export LDAP_ROOT_USERNAME="${LDAP_ROOT_USERNAME:-root}" +export LDAP_ROOT_DN="${LDAP_ROOT_USERNAME/#/cn=},${LDAP_ROOT}" +export 
LDAP_ROOT_PASSWORD="${LDAP_ROOT_PASSWORD:-rootpassword}" + +export LDAP_BIND_GIVEN_NAME="${LDAP_BIND_GIVEN_NAME:-Binder}" +export LDAP_BIND_SURNAME="${LDAP_BIND_SURNAME:-UAC}" +export LDAP_BIND_UID="${LDAP_BIND_UID:-bind}" +export LDAP_BIND_DN="${LDAP_BIND_UID/#/uid=},ou=Manager,${LDAP_ROOT}" +export LDAP_BIND_PASSWORD="${LDAP_BIND_PASSWORD:-bindpassword}" + +export LDAP_ADMIN_GIVEN_NAME="${LDAP_ADMIN_GIVEN_NAME:-Administrator}" +export LDAP_ADMIN_SURNAME="${LDAP_ADMIN_SURNAME:-UAC}" +export LDAP_ADMIN_UID="${LDAP_ADMIN_UID:-admin}" +export LDAP_ADMIN_DN="${LDAP_ADMIN_UID/#/uid=},ou=Manager,${LDAP_ROOT}" +export LDAP_ADMIN_PASSWORD="${LDAP_ADMIN_PASSWORD:-adminpassword}" +export LDAP_ADMIN_MAIL="${LDAP_ADMIN_MAIL:-admin@example.com}" + +export LDAP_USERS="${LDAP_USERS:-user01,user02}" +export LDAP_PASSWORDS="${LDAP_PASSWORDS:-password1,password2}" +export LDAP_USER_OU="${LDAP_USER_OU:-users}" +export LDAP_USER_GROUP="${LDAP_USER_GROUP:-readers}" + +export LDAP_SKIP_DEFAULT_TREE="${LDAP_SKIP_DEFAULT_TREE:-no}" + +# 内部变量 +export LDAP_ONLINE_CONF_DIR="${APP_CONF_DIR}/slapd.d" +export LDAP_PID_FILE="${APP_RUN_DIR}/slapd.pid" +export LDAP_ARGS_FILE="${APP_RUN_DIR}/slapd.args" + +export LDAP_DAEMON_USER="slapd" +export LDAP_DAEMON_GROUP="slapd" + +export LDAP_ENCRYPTED_ROOT_PASSWORD="$(echo -n $LDAP_ROOT_PASSWORD | slappasswd -n -T /dev/stdin)" +export LDAP_ENCRYPTED_BIND_PASSWORD="$(echo -n $LDAP_BIND_PASSWORD | slappasswd -n -T /dev/stdin)" +export LDAP_ENCRYPTED_ADMIN_PASSWORD="$(echo -n $LDAP_ADMIN_PASSWORD | slappasswd -n -T /dev/stdin)" + +# 个性化变量 + diff --git a/customer/usr/local/bin/init.sh b/customer/usr/local/bin/init.sh new file mode 100755 index 0000000..24cd936 --- /dev/null +++ b/customer/usr/local/bin/init.sh 
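Review bot: the `*_FILE` indirection at the top of the file only covers `APP_PASSWORD`, which nothing on this page reads, while the secrets that are actually consumed — LDAP_ROOT_PASSWORD, LDAP_ADMIN_PASSWORD, LDAP_BIND_PASSWORD and LDAP_PASSWORDS — can only arrive as plain environment variables and otherwise fall back to fixed defaults such as `rootpassword`, so a container started without them has a guessable rootDN credential. Listing those four names in `app_env_file_lists` lets them be supplied from mounted secret files, and `openldap_verify_minimum_env` in common.sh is the natural place to refuse to start while a default is still in use. The hashing lines should quote the value, `printf '%s' "$LDAP_ROOT_PASSWORD" | slappasswd -n -T /dev/stdin`, since the unquoted `echo -n $LDAP_ROOT_PASSWORD` word-splits and glob-expands a password containing spaces or `*`. `LDAP_CUSTOM_SCHEMA_DIR` also reads `${LDAP_CUSTOM_SCHEMA_FILE:-initdb/schema}`, so setting LDAP_CUSTOM_SCHEMA_DIR is ignored and the default `initdb/schema` does not sit under `initdb.d` the way `LDAP_CUSTOM_LDIF_DIR` does.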
@@ -0,0 +1,29 @@
+#!/bin/bash
+# Ver: 1.2 by Endial Fang (endial@126.com)
+#
+# 应用初始化脚本
+
+# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用:
+# -e: 命令执行错误则报错; -u: 变量未定义则报错; -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错
+set -eu
+set -o pipefail
+
+. /usr/local/bin/common.sh # 应用专用函数库
+. /usr/local/bin/environment.sh # 设置环境变量
+
+LOG_I "** Processing init.sh **"
+
+trap "${APP_NAME}_stop_server" EXIT
+
+${APP_NAME}_verify_minimum_env
+
+# 执行应用预初始化操作
+${APP_NAME}_custom_preinit
+
+# 执行应用初始化操作
+${APP_NAME}_default_init
+
+# 执行用户自定义初始化脚本
+${APP_NAME}_custom_init
+
+LOG_I "** Processing init.sh finished! **"
diff --git a/customer/usr/local/bin/run.sh b/customer/usr/local/bin/run.sh
new file mode 100755
index 0000000..0c8f476
--- /dev/null
+++ b/customer/usr/local/bin/run.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Ver: 1.3 by Endial Fang (endial@126.com)
+#
+# 应用启动脚本
+
+# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用:
+# -e: 命令执行错误则报错(errexit); -u: 变量未定义则报错(nounset); -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错
+set -eu
+set -o pipefail
+
+. /usr/local/bin/common.sh # 应用专用函数库
+. /usr/local/bin/environment.sh # 设置环境变量
+
+LOG_I "** Processing run.sh **"
+
+# Reduce maximum number of open file descriptors
+# https://github.com/docker/docker/issues/8231
+ulimit -n "$LDAP_ULIMIT_NOFILES"
+
+readonly START_COMMAND="$(command -v ${APP_EXEC})"
+
+flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldapi:///")
+# 如果启用 TLS, 增加 LDAPS 服务
+is_boolean_yes "$LDAP_ENABLE_TLS" && flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldaps://:${LDAP_LDAPS_PORT_NUMBER}/ ldapi:///")
+
+# 确保应用运行在前台
+flags=("-d" "stats" "${flags[@]}")
+flags=("-F" "${APP_CONF_DIR}/slapd.d" "${flags[@]}")
+
+[[ -z "${APP_EXTRA_FLAGS:-}" ]] || flags=("${flags[@]}" "${APP_EXTRA_FLAGS[@]}")
+# 增加 "@" 以使用用户在命令行添加的扩展标识
+flags=("${flags[@]}" "$@")
+
+LOG_I "** Starting ${APP_NAME} **"
+is_root && flags=("-u" "$LDAP_DAEMON_USER" "${flags[@]}")
+
+LOG_I "Command: ${START_COMMAND[@]} ${flags[@]}"
+exec "${START_COMMAND[@]}" "${flags[@]}"
diff --git a/customer/usr/local/bin/setup.sh b/customer/usr/local/bin/setup.sh new file mode 100755 index 0000000..bb2b65b --- /dev/null +++ b/customer/usr/local/bin/setup.sh @@ -0,0 +1,36 @@ +#!/bin/bash +# Ver: 1.2 by Endial Fang (endial@126.com) +# +# 应用环境及依赖文件设置脚本 + +# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用: +# -e: 命令执行错误则报错(errexit); -u: 变量未定义则报错(nounset); -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错 +set -eu +set -o pipefail + +. /usr/local/scripts/libcommon.sh # 加载通用函数库 +. /usr/local/scripts/libfs.sh # 加载文件操作函数库 +. /usr/local/scripts/libos.sh # 加载系统管理函数库 + +. /usr/local/bin/environment.sh # 设置环境变量 + +LOG_I "** Processing setup.sh **" + +APP_DIRS="${APP_CONF_DIR:-} ${APP_DATA_DIR:-} ${APP_LOG_DIR:-} ${APP_CERT_DIR:-} ${APP_DATA_LOG_DIR:-}" + +APP_DIRS="${APP_DIRS} ${LDAP_ONLINE_CONF_DIR}" + +LOG_I "Ensure directory exists: ${APP_DIRS}" +for dir in ${APP_DIRS}; do + ensure_dir_exists ${dir} +done + +# 检测指定文件是否在配置文件存储目录存在,如果不存在则拷贝(新挂载数据卷、手动删除都会导致不存在) +LOG_I "Check config files in: ${APP_CONF_DIR}" +if [[ ! -z "$(ls -A "${APP_DEF_DIR}")" ]]; then + ensure_config_file_exist "${APP_DEF_DIR}" $(ls -A "${APP_DEF_DIR}") +fi + +is_root && ensure_user_exists "$LDAP_DAEMON_USER" -g "$LDAP_DAEMON_GROUP" + +LOG_I "** Processing setup.sh finished! **" diff --git a/customer/usr/local/openldap/etc/openldap/schema/openssh-lpk-openldap.ldif b/customer/usr/local/openldap/etc/openldap/schema/openssh-lpk-openldap.ldif new file mode 100644 index 0000000..e7cced4 --- /dev/null +++ b/customer/usr/local/openldap/etc/openldap/schema/openssh-lpk-openldap.ldif 
@@ -0,0 +1,19 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
+# useful with PKA-LDAP also
+#
+# Author: Eric AUGE
+#
+# LDIF for openLDAP Directory Server.
+# Based on the original schema, modified by Jakub Jelen.
+#
+
+dn: cn=openssh-lpk,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: openssh-lpk
+olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13
+ NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key'
+ EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0
+ NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass'
+ SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )
diff --git a/customer/usr/local/openldap/etc/openldap/schema/openssh-lpk-openldap.schema b/customer/usr/local/openldap/etc/openldap/schema/openssh-lpk-openldap.schema
new file mode 100644
index 0000000..c84f90f
--- /dev/null
+++ b/customer/usr/local/openldap/etc/openldap/schema/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
+# useful with PKA-LDAP also
+#
+# Author: Eric AUGE
+#
+# Based on the proposal of : Mark Ruijter
+#
+
+
+# octetString SYNTAX
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
+ DESC 'MANDATORY: OpenSSH Public key'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+# printableString SYNTAX yes|no
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
diff --git a/customer/usr/local/openldap/etc/openldap/schema/samba.ldif b/customer/usr/local/openldap/etc/openldap/schema/samba.ldif
new file mode 100644
index 0000000..5106e5f
--- /dev/null
+++ b/customer/usr/local/openldap/etc/openldap/schema/samba.ldif
@@ -0,0 +1,224 @@ +dn: cn=samba,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: samba +olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L + anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1 + 21.1.26{32} SINGLE-VALUE ) +olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'M + D4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 + .1.1466.115.121.1.26{32} SINGLE-VALUE ) +olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Ac + count Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + {16} SINGLE-VALUE ) +olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'T + imestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4. + 1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC + 'Timestamp of when the user is allowed to update the password' EQUALITY integ + erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC + 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1. + 3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Ti + mestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 
+ 1.27 SINGLE-VALUE ) +olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'T + imestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.12 + 1.1.27 SINGLE-VALUE ) +olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC ' + Timestamp of when the user will be logged off automatically' EQUALITY integer + Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' D + ESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146 + 6.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' D + ESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3. + 6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC ' + Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + {42} SINGLE-VALUE ) +olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'D + river letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1. + 3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) +olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC + 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 
+ 1.15{255} SINGLE-VALUE ) +olcAttributeTypes: {14}( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC + 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1 + 21.1.15{255} SINGLE-VALUE ) +olcAttributeTypes: {15}( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' + DESC 'List of user workstations the user is allowed to logon to' EQUALITY cas + eIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) +olcAttributeTypes: {16}( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Ho + me directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1 + 21.1.15{128} ) +olcAttributeTypes: {17}( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC ' + Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX + 1.3.6.1.4.1.1466.115.121.1.15{128} ) +olcAttributeTypes: {18}( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC ' + Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1. + 4.1.1466.115.121.1.15{1050} ) +olcAttributeTypes: {19}( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' D + ESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' + EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) +olcAttributeTypes: {20}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Securit + y ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1 + .3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) +olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' D + ESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4. + 1.1466.115.121.1.26{64} SINGLE-VALUE ) +olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Sec + urity ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. 
+ 26{64} ) +olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'N + T Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING + LE-VALUE ) +olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC + 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1. + 1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {25}( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC + 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4. + 1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Nex + t NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1 + 466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase + ' DESC 'Base at which the samba RID generation algorithm should operate' EQUA + LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'S + hare Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING + LE-VALUE ) +olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC ' + Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX + 1.3.6.1.4.1.1466.115.121.1.15{256} ) +olcAttributeTypes: {30}( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC ' + A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 S + INGLE-VALUE ) +olcAttributeTypes: {31}( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DES + C 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 + .27 SINGLE-VALUE ) +olcAttributeTypes: {32}( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC + 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121 + .1.26 SINGLE-VALUE ) +olcAttributeTypes: {33}( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' + DESC 'A 
string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466. + 115.121.1.15 ) +olcAttributeTypes: {34}( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC ' + Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115 + .121.1.26 ) +olcAttributeTypes: {35}( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC + 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1. + 4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' + DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY intege + rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DES + C 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQU + ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'M + aximum password age, in seconds (default: -1 => never expire passwords)' EQUA + LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'M + inimum password age, in seconds (default: 0 => allow immediate password chang + e)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {40}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' D + ESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integ + erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {41}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservation + Window' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY int + egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {42}( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' + DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY in + 
tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC + 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY + integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdCh + ange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY inte + gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {45}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' + DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octe + tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: {46}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextP + assword' DESC 'Previous clear text password (used for trusted domain password + s)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: {47}( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC 'T + ype of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING + LE-VALUE ) +olcAttributeTypes: {48}( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' D + ESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 1.3. + 6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {49}( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' DE + SC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.1 + 21.1.27 SINGLE-VALUE ) +olcAttributeTypes: {50}( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' DESC + 'Fully qualified name of the domain with which a trust exists' EQUALITY case + IgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) +olcAttributeTypes: {51}( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC 'Ne + tBIOS name of a domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115. 
+ 121.1.15{128} ) +olcAttributeTypes: {52}( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing' + DESC 'Authentication information for the outgoing portion of a trust' EQUALIT + Y caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +olcAttributeTypes: {53}( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' + DESC 'Authentication information for the incoming portion of a trust' EQUALIT + Y caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +olcAttributeTypes: {54}( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier + ' DESC 'SID of a trusted domain' EQUALITY caseIgnoreIA5Match SUBSTR caseExact + IA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) +olcAttributeTypes: {55}( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustIn + fo' DESC 'Forest trust information for a trusted domain object' EQUALITY case + ExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +olcAttributeTypes: {56}( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset' + DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466. 
+ 115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {57}( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptio + nTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SY + NTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam + ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( + cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ s + ambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ + sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScr + ipt $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGr + oupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBad + PasswordTime $ sambaPasswordHistory $ sambaLogonHours ) ) +olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'S + amba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGrou + pType ) MAY ( displayName $ description $ sambaSIDList ) ) +olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC + 'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPas + sword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) ) +olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPasswor + d' DESC 'Samba Trusted Domain Password' SUP top STRUCTURAL MUST ( sambaDomain + Name $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY sambaPreviou + sClearTextPassword ) +olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba D + omain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY + ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidB + ase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaM + axPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWin + dow $ sambaLockoutThreshold $ 
sambaForceLogoff $ sambaRefuseMachinePwdChange + ) ) +olcObjectClasses: {5}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Poo + l for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumb + er ) ) +olcObjectClasses: {6}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Map + ping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ g + idNumber ) ) +olcObjectClasses: {7}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Struc + tural Class for a SID' SUP top STRUCTURAL MUST sambaSID ) +olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba + Configuration Section' SUP top AUXILIARY MAY description ) +olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba S + hare Section' SUP top STRUCTURAL MUST sambaShareName MAY description ) +olcObjectClasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC + 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sa + mbaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoptio + n $ description ) ) +olcObjectClasses: {11}( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' DESC + 'Samba Trusted Domain Object' SUP top STRUCTURAL MUST cn MAY ( sambaTrustTyp + e $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFla + tName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdenti + fier $ sambaTrustForestTrustInfo $ sambaTrustPosixOffset $ sambaSupportedEncr + yptionTypes) ) diff --git a/customer/usr/local/openldap/etc/openldap/schema/samba.schema b/customer/usr/local/openldap/etc/openldap/schema/samba.schema new file mode 100644 index 0000000..0817311 --- /dev/null +++ b/customer/usr/local/openldap/etc/openldap/schema/samba.schema 
@@ -0,0 +1,644 @@ +## +## schema file for OpenLDAP 2.x +## Schema for storing Samba user accounts and group maps in LDAP +## OIDs are owned by the Samba Team +## +## Prerequisite schemas - uid (cosine.schema) +## - displayName (inetorgperson.schema) +## - gidNumber (nis.schema) +## +## 1.3.6.1.4.1.7165.2.1.x - attributetypes +## 1.3.6.1.4.1.7165.2.2.x - objectclasses +## +## Printer support +## 1.3.6.1.4.1.7165.2.3.1.x - attributetypes +## 1.3.6.1.4.1.7165.2.3.2.x - objectclasses +## +## Samba4 +## 1.3.6.1.4.1.7165.4.1.x - attributetypes +## 1.3.6.1.4.1.7165.4.2.x - objectclasses +## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls +## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations +## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track +## +## External projects +## 1.3.6.1.4.1.7165.655.x +## 1.3.6.1.4.1.7165.655.1.x - GSS-NTLMSSP +## +## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------ +## +## Run the 'get_next_oid' bash script in this directory to find the +## next available OID for attribute type and object classes. +## +## $ ./get_next_oid +## attributetype ( 1.3.6.1.4.1.7165.2.1.XX NAME .... +## objectclass ( 1.3.6.1.4.1.7165.2.2.XX NAME .... +## +## Also ensure that new entries adhere to the declaration style +## used throughout this file +## +## ( 1.3.6.1.4.1.7165.2.XX.XX NAME .... +## ^ ^ ^ +## +## The spaces are required for the get_next_oid script (and for +## readability). 
+## +## ------------------------------------------------------------------ + +# objectIdentifier SambaRoot 1.3.6.1.4.1.7165 +# objectIdentifier Samba3 SambaRoot:2 +# objectIdentifier Samba3Attrib Samba3:1 +# objectIdentifier Samba3ObjectClass Samba3:2 +# objectIdentifier Samba4 SambaRoot:4 + +######################################################################## +## HISTORICAL ## +######################################################################## + +## +## Password hashes +## +#attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword' +# DESC 'LanManager Passwd' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + +#attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword' +# DESC 'NT Passwd' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + +## +## Account flags in string format ([UWDX ]) +## +#attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags' +# DESC 'Account Flags' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) + +## +## Password timestamps & policies +## +#attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' +# DESC 'NT pwdLastSet' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +#attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime' +# DESC 'NT logonTime' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +#attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime' +# DESC 'NT logoffTime' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +#attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime' +# DESC 'NT kickoffTime' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +#attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange' +# DESC 'NT pwdCanChange' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +#attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange' 
+# DESC 'NT pwdMustChange' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +## +## string settings +## +#attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive' +# DESC 'NT homeDrive' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) + +#attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath' +# DESC 'NT scriptPath' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) + +#attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath' +# DESC 'NT profilePath' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) + +#attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations' +# DESC 'userWorkstations' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) + +#attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' +# DESC 'smbHome' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) + +#attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain' +# DESC 'Windows NT domain to which the user belongs' +# EQUALITY caseIgnoreIA5Match +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) + +## +## user and group RID +## +#attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid' +# DESC 'NT rid' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +#attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' +# DESC 'NT Group RID' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +## +## The smbPasswordEntry objectclass has been depreciated in favor of the +## sambaAccount objectclass +## +#objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY +# DESC 'Samba smbpasswd entry' +# MUST ( uid $ uidNumber ) +# MAY ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags )) + +#objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL +# DESC 'Samba Account' +# MUST ( uid $ rid ) +# MAY ( cn 
$ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ +# logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ +# displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ +# description $ userWorkstations $ primaryGroupID $ domain )) + +#objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY +# DESC 'Samba Auxiliary Account' +# MUST ( uid $ rid ) +# MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ +# logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ +# displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ +# description $ userWorkstations $ primaryGroupID $ domain )) + +######################################################################## +## END OF HISTORICAL ## +######################################################################## + +####################################################################### +## Attributes used by Samba 3.0 schema ## +####################################################################### + +## +## Password hashes +## +attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' + DESC 'LanManager Password' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' + DESC 'MD4 hash of the unicode password' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + +## +## Account flags in string format ([UWDX ]) +## +attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' + DESC 'Account Flags' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) + +## +## Password timestamps & policies +## +attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' + DESC 'Timestamp of the last password update' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' + DESC 'Timestamp of when the user is 
allowed to update the password' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' + DESC 'Timestamp of when the password will expire' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' + DESC 'Timestamp of last logon' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' + DESC 'Timestamp of last logoff' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' + DESC 'Timestamp of when the user will be logged off automatically' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' + DESC 'Bad password attempt count' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' + DESC 'Time of the last bad password attempt' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' + DESC 'Logon Hours' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE ) + +## +## string settings +## +attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' + DESC 'Driver letter of home directory mapping' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' + DESC 'Logon script path' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' + DESC 'Roaming profile path' + EQUALITY caseIgnoreMatch + SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' + DESC 'List of user workstations the user is allowed to logon to' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' + DESC 'Home directory UNC path' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' + DESC 'Windows NT domain to which the user belongs' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' + DESC 'Base64 encoded user parameter string' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' + DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) + +## +## SID, of any type +## + +attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' + DESC 'Security ID' + EQUALITY caseIgnoreIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + +## +## Primary group SID, compatible with ntSid +## + +attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' + DESC 'Primary Group Security ID' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' + DESC 'Security ID List' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) + +## +## group mapping attributes +## +attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' + DESC 'NT Group Type' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +## +## Store info on the domain +## + +attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 
'sambaNextUserRid' + DESC 'Next NT rid to give our for users' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' + DESC 'Next NT rid to give out for groups' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' + DESC 'Next NT rid to give out for anything' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' + DESC 'Base at which the samba RID generation algorithm should operate' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' + DESC 'Share Name' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' + DESC 'Option Name' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' + DESC 'A boolean option' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' + DESC 'An integer option' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' + DESC 'A string option' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' + DESC 'A string list option' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + + +##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' +## SUP name ) + +##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList' +## DESC 'Privileges List' +## EQUALITY 
caseIgnoreIA5Match +## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' + DESC 'Trust Password Flags' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +# "min password length" +attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' + DESC 'Minimal password length (default: 5)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "password history" +attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' + DESC 'Length of Password History Entries (default: 0 => off)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "user must logon to change password" +attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' + DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "maximum password age" +attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' + DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "minimum password age" +attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' + DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "lockout duration" +attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' + DESC 'Lockout duration in minutes (default: 30, -1 => forever)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "reset count minutes" +attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow' + DESC 'Reset time after lockout in minutes (default: 30)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "bad lockout attempt" +attributetype ( 
1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' + DESC 'Lockout users after bad logon attempts (default: 0 => off)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "disconnect time" +attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' + DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "refuse machine password change" +attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' + DESC 'Allow Machine Password changes (default: 0 => off)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# +attributetype ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' + DESC 'Clear text password (used for trusted domain passwords)' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) + +# +attributetype ( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextPassword' + DESC 'Previous clear text password (used for trusted domain passwords)' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' + DESC 'Type of trust' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' + DESC 'Trust attributes for a trusted domain' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' + DESC 'Direction of a trust' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' + DESC 'Fully qualified name of the domain with which a trust exists' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' + DESC 'NetBIOS name of a domain' + EQUALITY 
caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing' + DESC 'Authentication information for the outgoing portion of a trust' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' + DESC 'Authentication information for the incoming portion of a trust' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier' + DESC 'SID of a trusted domain' + EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustInfo' + DESC 'Forest trust information for a trusted domain object' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset' + DESC 'POSIX offset of a trust' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptionTypes' + DESC 'Supported encryption types of a trust' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +####################################################################### +## objectClasses used by Samba 3.0 schema ## +####################################################################### + +## The X.500 data model (and therefore LDAPv3) says that each entry can +## only have one structural objectclass. OpenLDAP 2.0 does not enforce +## this currently but will in v2.1 + +## +## added new objectclass (and OID) for 3.0 to help us deal with backwards +## compatibility with 2.2 installations (e.g. 
ldapsam_compat) --jerry +## +objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY + DESC 'Samba 3.0 Auxilary SAM Account' + MUST ( uid $ sambaSID ) + MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ + sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ + sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ + displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ + sambaProfilePath $ description $ sambaUserWorkstations $ + sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ + sambaBadPasswordCount $ sambaBadPasswordTime $ + sambaPasswordHistory $ sambaLogonHours)) + +## +## Group mapping info +## +objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY + DESC 'Samba Group Mapping' + MUST ( gidNumber $ sambaSID $ sambaGroupType ) + MAY ( displayName $ description $ sambaSIDList )) + +## +## Trust password for trust relationships (any kind) +## +objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL + DESC 'Samba Trust Password' + MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) + MAY ( sambaSID $ sambaPwdLastSet )) + +## +## Trust password for trusted domains +## (to be stored beneath the trusting sambaDomain object in the DIT) +## +objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' SUP top STRUCTURAL + DESC 'Samba Trusted Domain Password' + MUST ( sambaDomainName $ sambaSID $ + sambaClearTextPassword $ sambaPwdLastSet ) + MAY ( sambaPreviousClearTextPassword )) + +## +## Whole-of-domain info +## +objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL + DESC 'Samba Domain Information' + MUST ( sambaDomainName $ + sambaSID ) + MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ + sambaAlgorithmicRidBase $ + sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ + sambaMaxPwdAge $ sambaMinPwdAge $ + sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ + 
sambaForceLogoff $ sambaRefuseMachinePwdChange ))
+
+##
+## used for idmap_ldap module
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
+ DESC 'Pool for allocating UNIX uids/gids'
+ MUST ( uidNumber $ gidNumber ) )
+
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
+ DESC 'Mapping from a SID to an ID'
+ MUST ( sambaSID )
+ MAY ( uidNumber $ gidNumber ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
+ DESC 'Structural Class for a SID'
+ MUST ( sambaSID ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
+ DESC 'Samba Configuration Section'
+ MAY ( description ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
+ DESC 'Samba Share Section'
+ MUST ( sambaShareName )
+ MAY ( description ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
+ DESC 'Samba Configuration Option'
+ MUST ( sambaOptionName )
+ MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
+ sambaStringListoption $ description ) )
+
+
+## retired during privilege rewrite
+##objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
+## DESC 'Samba Privilege'
+## MUST ( sambaSID )
+## MAY ( sambaPrivilegeList ) )
+
+##
+## used for IPA_ldapsam
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' SUP top STRUCTURAL
+ DESC 'Samba Trusted Domain Object'
+ MUST ( cn )
+ MAY ( sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection $
+ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $
+ sambaTrustAuthIncoming $ sambaSecurityIdentifier $
+ sambaTrustForestTrustInfo $ sambaTrustPosixOffset $
+ sambaSupportedEncryptionTypes) )
diff --git a/customer/usr/local/openldap/etc/openldap/schema/sudo.ldif b/customer/usr/local/openldap/etc/openldap/schema/sudo.ldif
new file mode 100644
index 0000000..8c1f4e3
--- /dev/null
+++ b/customer/usr/local/openldap/etc/openldap/schema/sudo.ldif
@@ -0,0 +1,11 @@
+dn: cn=sudo,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: sudo
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
diff --git a/customer/usr/local/openldap/etc/openldap/schema/sudo.schema b/customer/usr/local/openldap/etc/openldap/schema/sudo.schema
new file mode 100644
index 0000000..d3e95e0
--- /dev/null
+++ b/customer/usr/local/openldap/etc/openldap/schema/sudo.schema
@@ -0,0 +1,76 @@
+#
+# OpenLDAP schema file for Sudo
+# Save as /etc/openldap/schema/sudo.schema
+#
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo (deprecated)'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $
+ description )
+ )
diff --git a/customer/usr/local/openldap/etc/openldap/slapd.ldif b/customer/usr/local/openldap/etc/openldap/slapd.ldif
new file mode 100644
index 0000000..b881000
--- /dev/null
+++ b/customer/usr/local/openldap/etc/openldap/slapd.ldif
@@ -0,0 +1,119 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /var/run/openldap/slapd.args
+olcPidFile: /var/run/openldap/slapd.pid
+olcRequires: LDAPv3
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#olcReferral: ldap://root.openldap.org
+
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 64-bit encryption for simple bind
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+#
+# Load dynamic backend modules:
+#
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulepath: /usr/local/openldap/libexec/openldap
+olcModuleload: back_hdb.la
+olcModuleload: back_monitor.la
+olcModuleload: refint.la
+olcModuleload: memberof.la
+#olcModuleload: syncprov.la
+#olcModuleload: ppolicy.la
+
+#
+# Schema settings
+#
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///srv/conf/openldap/schema/core.ldif
+#include: file:///srv/conf/openldap/schema/ppolicy.ldif
+
+#
+# Frontend settings, olcDatabase: -1
+#
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: frontend
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
+olcAccess: to * by dn.base="uid=bind,ou=manager,dc=example,dc=com" read by dn.base="uid=manag,ou=manager,dc=example,dc=com" write by anonymous auth by self write by users read
+
+#
+# Configuration database, olcDatabase: 0
+#
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
+
+#
+# Server status monitoring, olcDatabase: 1
+#
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=example,dc=com" read by * none
+
+#
+# Backend database definitions, olcDatabase: 2
+#
+dn: olcDatabase=hdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcHdbConfig
+olcDatabase: hdb
+olcSuffix: dc=example,dc=com
+olcRootDN: cn=root,dc=example,dc=com
+olcDbDirectory: /srv/data/openldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: uid,ou,cn,mail,surname,givenname eq,pres,sub
+
+#
+# Add memberof overlay and refint
+#
+dn: olcOverlay=memberof,olcDatabase={2}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+
+dn: olcOverlay=refint,olcDatabase={2}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: refint
+olcRefintAttribute: memberof uniqueMember owner
+
+#
+# Add ppolicy overlay and syncprov
+#
+#dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
+#objectClass: olcConfig
+#objectClass: olcOverlayConfig
+#objectClass: olcPPolicyConfig
+#objectClass: top
+#olcOverlay: ppolicy
+#olcPPolicyDefault: cn=default,ou=Users,dc=hbjc,dc=com
+#olcPPolicyHashCleartext: TRUE
diff --git a/customer/usr/local/overrides/overrides-x.x.x.sh b/customer/usr/local/overrides/overrides-x.x.x.sh
new file mode 100644
index 0000000..c1f8e13
--- /dev/null
+++ b/customer/usr/local/overrides/overrides-x.x.x.sh
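Review bot: The two frontend `olcAccess` rules look self-defeating: the first one, `to * ... manage by * none`, matches every entry and its `by * none` clause matches every requester, so, if I read slapd.access(5)'s first-match semantics correctly, the second `to *` rule (bind/manag/anonymous auth/self write/users read) is never evaluated and ordinary simple binds against the hdb database (which declares no ACLs of its own) will fail. If the second rule is the intended one it has to come first with the catch-all deny last, but as written it also grants `by users read` on every attribute, which with the samba schema shipped in this commit lets any authenticated user read `userPassword`, `sambaNTPassword` and `sambaLMPassword` hashes (the NT hash is directly usable for pass-the-hash), and `by self write` lets a user rewrite their own `uidNumber`/`gidNumber`/`sambaSID`. Put a dedicated rule for the credential attributes ahead of the catch-all, as sketched below. Separately, `olcSecurity` is left commented out and both the ppolicy module and overlay are disabled, so nothing forces TLS on simple binds or throttles password guessing; once TLS is wired in, `olcSecurity: ssf=128 simple_bind=128` and the ppolicy overlay are worth enabling.
```ldif
dn: olcDatabase=frontend,cn=config
# … unchanged: objectClass / olcDatabase lines …
olcAccess: to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword
 by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by dn.base="uid=manag,ou=manager,dc=example,dc=com" write
 by self =xw
 by anonymous auth
 by * none
olcAccess: to *
 by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by dn.base="uid=manag,ou=manager,dc=example,dc=com" write
 by dn.base="uid=bind,ou=manager,dc=example,dc=com" read
 by users read
 by * none
```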
@@ -0,0 +1,11 @@
+#!/bin/bash -e
+# Ver: 1.1 by Endial Fang (endial@126.com)
+#
+# 在安装完应用后,使用该脚本修改默认配置文件中部分配置项; 如果相应的配置项已经定义为容器环境变量,则不需要在这里修改
+
+# 定义要修改的文件(改文件应当是默认配置文件目录中的模板文件)
+CONF_FILE="${APP_DEF_DIR}/config/server.properties"
+
+echo "Process overrides for: ${CONF_FILE}"
+#sed -i -E 's/^#?listeners=/d' "${CONF_FILE}"
+#sed -i -E 's/^#?log.dirs=\/tmp\/kafka-logs*/log.dirs=\/var\/log\/kafka/g' "${CONF_FILE}"
diff --git a/customer/usr/sbin/create_user b/customer/usr/sbin/create_user
new file mode 100755
index 0000000..8521fe8
--- /dev/null
+++ b/customer/usr/sbin/create_user
@@ -0,0 +1,12 @@
+#!/bin/bash
+# Ver: 1.2 by Endial Fang (endial@126.com)
+#
+# shell 执行参数,分别为 -e(命令执行错误则退出脚本) -u(变量未定义则报错) -x(打印实际待执行的命令行)
+set -eux
+groupadd --gid 1001 --system ${APP_USER}
+#useradd --gid 1001 --uid 1001 --shell /bin/bash --home /srv/data/${APP_NAME} --system ${APP_USER}
+useradd --gid 1001 --uid 1001 --shell /usr/sbin/nologin --home /srv/data/${APP_NAME} --system ${APP_USER}
+
+# 如果需要 sudo 权限,需要在 Dockerfile 中安装 su 软件包:RUN install_pkg sudo
+#sed -i -e 's/^\sDefaults\s*secure_path\s*=/# Defaults secure_path=/' /etc/sudoers
+#echo "${APP_USER} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
diff --git a/customer/usr/sbin/prepare_env b/customer/usr/sbin/prepare_env
new file mode 100755
index 0000000..2f346d2
--- /dev/null
+++ b/customer/usr/sbin/prepare_env
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Ver: 1.3 by Endial Fang (endial@126.com)
+#
+# shell 执行参数,分别为 -e(命令执行错误则退出脚本) -u(变量未定义则报错) -x(打印实际待执行的命令行)
+set -eux
+
+APP_DIRS=" \
+ /srv/conf/${APP_NAME} \
+ /srv/data/${APP_NAME} \
+ /srv/datalog/${APP_NAME} \
+ /var/cache/${APP_NAME} \
+ /var/run/${APP_NAME} \
+ /var/log/${APP_NAME} \
+ /srv/cert/${APP_NAME}"
+
+mkdir -p ${APP_DIRS}
+chmod -R g+rwX ${APP_DIRS} /usr/local/${APP_NAME}
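Review bot: `CONF_FILE="${APP_DEF_DIR}/config/server.properties"` and the commented `sed` lines that rewrite Kafka's `listeners`/`log.dirs` look like a leftover from another image rather than anything in this OpenLDAP tree, so the script presumably echoes a path that does not exist and, if the sed lines are ever uncommented, would edit the wrong file. Either point it at the configuration this commit actually ships, e.g. `CONF_FILE="${APP_DEF_DIR}/slapd.ldif"` with the Kafka seds removed, or drop the stub entirely. Note also that `-e` is only honoured via the shebang when the file is executed, not when it is sourced; a `set -e` inside the script would be safer if the entry scripts source it.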
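Review bot: The commented-out block at the end would both disable `Defaults secure_path` in /etc/sudoers and append `${APP_USER} ALL=(ALL) NOPASSWD: ALL`, i.e. passwordless root for the service account plus a PATH-hijackable sudo; if it is ever uncommented, the non-root `USER` the image otherwise sets up becomes cosmetic. If sudo is genuinely required, keep secure_path, grant an explicit command list in a drop-in and validate it, e.g. `echo "${APP_USER} ALL=(root) NOPASSWD: <one-command>" > "/etc/sudoers.d/${APP_USER}"` followed by `visudo -cf "/etc/sudoers.d/${APP_USER}"`, and say so in the comment instead of the blanket rule. The comment also says to install the `su` package while the command installs `sudo`, and `${APP_USER}`/`${APP_NAME}` should be double-quoted under `set -u`.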
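Review bot: `chmod -R g+rwX ${APP_DIRS} /usr/local/${APP_NAME}` makes the whole install tree group-writable, including the `etc/openldap` schema files and the slapd.ldif that itself says it should not be world readable, so any process running with that group can edit the server's schema and ACL template in place. Limit write access to the runtime directories and leave the install tree read-only: `chmod -R g+rwX ${APP_DIRS}` and `chmod -R g+rX "/usr/local/${APP_NAME}"`. The script also never changes ownership, so g+rwX on root-owned directories does nothing for the uid/gid-1001 account created in create_user unless the container happens to run with gid 0; a `chgrp -R 1001 ${APP_DIRS}` (or whichever gid the Dockerfile uses) is presumably what is intended.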