#!/bin/sh
# Utility functions for OpenLDAP initialization
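# Logging functions
#
# Each takes one message argument and prints it behind a level tag and a
# timestamp. printf is used rather than echo: under /bin/sh (dash, busybox
# ash) echo may interpret backslash escapes in the message and can treat a
# message that starts with "-n"/"-e" as an option, so log lines carrying
# arbitrary text (error output, DNs, paths) would be mangled.

# Log an informational message to stdout.
# Args: $1 - message
log_info() {
  printf '[INFO] %s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1"
}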
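# Log a warning to stderr.
# Args: $1 - message
# printf instead of echo: /bin/sh echo implementations may interpret
# backslash escapes or a leading "-n"/"-e" in the message.
log_warn() {
  printf '[WARN] %s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >&2
}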
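# Log an error to stderr.
# Args: $1 - message (often raw tool output, so it must be printed verbatim)
# printf instead of echo: /bin/sh echo implementations may interpret
# backslash escapes or a leading "-n"/"-e" in the message.
log_error() {
  printf '[ERROR] %s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >&2
}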
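# Generate a random password
#
# Outputs: exactly 24 characters from [a-zA-Z0-9] on stdout, no trailing
#          newline
#
# Reading /dev/urandom straight through tr guarantees the length: filtering
# a fixed 32-byte base64 sample could, in rare cases, leave fewer than 24
# characters after '+', '/' and '=' are dropped. LC_ALL=C keeps tr
# byte-oriented so a multibyte locale cannot reject or skew the input.
# Note: head closing the pipe makes tr exit via SIGPIPE, which is harmless
# here but would be reported as a failure if this file were run with
# `set -o pipefail`.
generate_password() {
  LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 24
}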
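# Hash password using SSHA
#
# Args:    $1 - cleartext password
# Outputs: the hash produced by slappasswd (its default scheme) on stdout
# Returns: slappasswd's exit status, or 1 if no temp file could be created
#
# The secret is handed to slappasswd with -T (hash the contents of a file)
# instead of -s so it never appears in the process's argv, where any local
# user could read it via ps or /proc. mktemp creates the file mode 0600 and
# it is removed again regardless of slappasswd's result.
hash_password() {
  local password="$1"
  local secret_file rc

  secret_file=$(mktemp) || return 1
  # No trailing newline: -T hashes the file contents verbatim.
  printf '%s' "$password" > "$secret_file"
  /usr/sbin/slappasswd -T "$secret_file"
  rc=$?
  rm -f -- "$secret_file"
  return "$rc"
}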
# Wait for slapd to be ready
# Args: max_attempts [socket_url]
#
# Probes the server once per second with an anonymous base-scope search of
# the root DSE over the given LDAPI URL. Returns 0 as soon as one probe
# succeeds, 1 after max_attempts (default 30) failed probes; the failure is
# also reported through log_error. The URL defaults to the same LDAPI path
# used elsewhere in this file.
wait_for_slapd() {
  local remaining="${1:-30}"
  local socket_url="${2:-ldapi://%2Frun%2Fopenldap%2Fldapi}"

  while [ "$remaining" -gt 0 ]; do
    # Success on the first probe that answers; all output is discarded.
    ldapsearch -x -H "$socket_url" -b "" -s base "objectClass=*" >/dev/null 2>&1 && return 0
    remaining=$((remaining - 1))
    sleep 1
  done

  log_error "slapd did not become ready in time"
  return 1
}
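# Template substitution - replaces ${VAR} with environment variable values
#
# Args:    $1 - template file (read only)
#          $2 - output file (overwritten)
# Returns: 0 on success, 1 if the copy or any substitution fails
#
# Only the fixed list of LDAP_* names below is substituted; an unset name is
# replaced by the empty string. Values are escaped before being spliced into
# the sed replacement text: a '|' (the delimiter), '&' (the matched text) or
# '\' inside e.g. LDAP_ORGANISATION or a password hash would otherwise alter
# or break the sed command instead of being copied into the output verbatim.
# Values are assumed to be single-line.

# Escape $1 for use as the replacement text of a sed `s|...|...|` command.
# Outputs: the escaped value on stdout (no trailing newline added)
_escape_sed_replacement() {
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

process_template() {
  local template="$1"
  local output="$2"
  local name value

  cp "$template" "$output" || return 1

  for name in LDAP_BASE_DN LDAP_DC LDAP_DOMAIN LDAP_ORGANISATION \
      LDAP_ADMIN_PASSWORD_HASH LDAP_CONFIG_PASSWORD_HASH \
      LDAP_TLS_CERT_FILE LDAP_TLS_KEY_FILE LDAP_TLS_CA_FILE \
      LDAP_TLS_VERIFY_CLIENT; do
    # POSIX sh has no ${!name}; eval is safe here because $name only ever
    # holds one of the literal names in the list above, never caller input.
    eval "value=\${$name:-}"
    value=$(_escape_sed_replacement "$value")
    # GNU/busybox in-place form of sed -i (no suffix argument).
    sed -i "s|\${$name}|${value}|g" "$output" || return 1
  done
}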
# Default LDAPI socket URL
# Keep an externally supplied LDAPI_SOCKET; otherwise set the container's
# standard socket path (percent-encoded, as ldapi:// URLs require).
: "${LDAPI_SOCKET:=ldapi://%2Frun%2Fopenldap%2Fldapi}"
# Check if a DN exists
# Args:    $1 - distinguished name to look up
# Globals: LDAPI_SOCKET (read)
# Returns: 0 when an anonymous base-scope search of the DN succeeds,
#          ldapsearch's non-zero status otherwise; all output is discarded
dn_exists() {
  ldapsearch -x -H "$LDAPI_SOCKET" -b "$1" -s base "objectClass=*" >/dev/null 2>&1
}
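# Add LDIF if it doesn't cause errors (ignore "already exists" errors)
#
# Args:    $1 - LDIF file to add
# Globals: LDAPI_SOCKET, LDAP_BASE_DN, LDAP_ADMIN_PASSWORD (read)
# Returns: 0 if ldapadd succeeds or reports "Already exists" (logged as a
#          warning), 1 on any other failure (logged with ldapadd's output)
#
# The bind password is passed to ldapadd through a 0600 temp file (-y)
# rather than with -w, which would expose it in argv to every local user
# via ps or /proc. The file is removed whatever ldapadd returns.
ldif_add_safe() {
  local ldif_file="$1"
  local pw_file result rc

  pw_file=$(mktemp) || return 1
  # No trailing newline: -y uses the complete file contents as the password.
  printf '%s' "$LDAP_ADMIN_PASSWORD" > "$pw_file"
  # stderr is folded into stdout so the error text can be inspected below.
  result=$(ldapadd -x -H "$LDAPI_SOCKET" -D "cn=admin,$LDAP_BASE_DN" -y "$pw_file" -f "$ldif_file" 2>&1)
  rc=$?
  rm -f -- "$pw_file"

  [ "$rc" -eq 0 ] && return 0

  # printf rather than echo: the output may contain backslashes.
  if printf '%s\n' "$result" | grep -q "Already exists"; then
    log_warn "Entry already exists, skipping"
    return 0
  fi
  log_error "Failed to add LDIF: $result"
  return 1
}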