Update secure OpenLDAP configuration for Debian

This commit concerns only Debian deployments. The configuration
updates are required to support a secure OpenLDAP server for a Debian
installation. The following updates are applied at bootstrap:
- Configure slapd to support both "ldap" and "ldaps" protocols.
- Configure slapd to allow making updates to schema files by
setting the olcRootPW for "olcRootDN: cn=config"

Tests performed on a Debian system:
PASS: Verified slapd service is listening on TCP port 636.
PASS: Schema file "olcDatabase={0}config.ldif" gets updated with
olcRootPW of the ldapadmin user.
PASS: Successful execution of ldapmodify to update schema file
"/etc/openldap/schema/cn=config.ldif".
PASS: OpenLDAP users are cached on the host in "/etc/passwd".
PASS: Successful execution of an ldapsearch command to list
OpenLDAP objects.
PASS: Added a new OpenLDAP user.
PASS: Integration tests with openldap certificate,
"system-openldap-local-certificate" creation at bootstrap.
PASS: Trigger openldap certificate renewal by removing the
openldap secret.

Story: 2009834
Task: 45839

Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: Ie85ffc57c9670d8063822a9a67f1aabfe8d03441
Author: Carmen Rata
Date: 2022-08-02 11:53:24 -04:00
parent 2a1ae2e717
commit 34fa57cf3d
4 changed files with 19 additions and 1 deletions

View File

@@ -5,3 +5,4 @@ slapd.syslog-ng.conf /usr/share/starlingx/openldap
slapd.sysconfig /usr/share/starlingx/openldap
slapd.service /etc/systemd/system
sudo.schema /etc/ldap/schema
certs.ldif /etc/ldap
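Review bot: certs.ldif is added to the install list for /etc/ldap, but nothing in this patch shows the ldapmodify step that applies it to cn=config, nor the step that places openldap-cert.key and openldap-cert.crt under /etc/ldap/certs before slapd is started with the ldaps listener; either reference that bootstrap step here or in the commit message, otherwise this entry is dead data. When the key is installed, keep it readable only by root and the account slapd runs as (for example 0640) rather than world-readable, since it is the private key for the ldaps listener.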

View File

@@ -0,0 +1,10 @@
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/openldap-cert.key
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/certs/openldap-cert.crt
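Review bot: the two modify records for `dn: cn=config` need a blank line between them to be valid LDIF, and splitting the key and certificate into separate operations is fragile: slapd checks that olcTLSCertificateKeyFile matches olcTLSCertificateFile when these attributes change, so replacing the key first, against the still-configured old certificate, can be rejected. Fold both into one record using the `-` separator, e.g. `replace: olcTLSCertificateFile`, `olcTLSCertificateFile: /etc/ldap/certs/openldap-cert.crt`, `-`, followed by the key replace. Nothing here sets olcTLSCACertificateFile either; if openldap-cert.crt is issued by the local CA created at bootstrap, clients of the new ldaps listener need that chain (or the CA in their trust store) to verify it.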

View File

@@ -45,7 +45,7 @@ case "$1" in
ulimit -n 4096
if [ -f /etc/ldap/schema/cn=config.ldif ]; then
start-stop-daemon --start --oknodo --quiet --exec $slapd \
-- -F /etc/ldap/schema/
-- -h "ldap:/// ldaps:///" -F /etc/ldap/schema/
RETVAL=$?
else
start-stop-daemon --start --oknodo --quiet --exec $slapd
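Review bot: only the branch taken when /etc/ldap/schema/cn=config.ldif exists gains `-h "ldap:/// ldaps:///"`; the else branch still starts slapd with no -h, so ldaps silently disappears whenever that file is absent. Both branches should pass the same listener list. Also, with ldaps now available, `ldap:///` still binds the cleartext port on every interface; consider `ldap://127.0.0.1/` for local clients, or an olcSecurity ssf/tls requirement in the config, so that simple binds with the rootpw cannot be sent over the unencrypted listener.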

View File

@@ -58,6 +58,13 @@ moduleload syncprov.la
# BDB database definitions
#######################################################################
# olcDatabase={0}config
database config
rootdn "cn=config"
rootpw _LDAPADMIN_PW_
# olcDatabase={1}mdb
database mdb
suffix "dc=cgcs,dc=local"
rootdn "cn=ldapadmin,dc=cgcs,dc=local"
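Review bot: `rootpw _LDAPADMIN_PW_` under `database config` means the bootstrap substitution writes the ldapadmin password into slapd.conf in cleartext; substitute a {SSHA} hash produced by slappasswd instead, and make sure slapd.conf (and the olcDatabase={0}config.ldif the commit message says is generated from it) is root-owned with mode 0600. Reusing the same secret for `rootdn "cn=config"` and `rootdn "cn=ldapadmin,dc=cgcs,dc=local"` also means a leak of the directory admin password becomes a full server-configuration compromise; a separate credential for cn=config is cheap. Minor: the "# BDB database definitions" header is stale now that the databases are config and mdb.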