From 6fa0e0473ac74ce049130c6aae30399761761938 Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 7 Jan 2017 21:11:21 +0100
Subject: [PATCH] saving uncommitted changes in /etc prior to emerge run
---
 .etckeeper | 3 +--
 init.d/slapd | 37 ++++++++++++++++++++++++---
 openldap/schema/README | 2 +-
 openldap/schema/collective.ldif | 2 +-
 openldap/schema/collective.schema | 2 +-
 openldap/schema/corba.ldif | 2 +-
 openldap/schema/corba.schema | 2 +-
 openldap/schema/core.ldif | 2 +-
 openldap/schema/core.schema | 2 +-
 openldap/schema/cosine.ldif | 2 +-
 openldap/schema/cosine.schema | 2 +-
 openldap/schema/duaconf.ldif | 2 +-
 openldap/schema/duaconf.schema | 2 +-
 openldap/schema/dyngroup.ldif | 2 +-
 openldap/schema/dyngroup.schema | 2 +-
 openldap/schema/inetorgperson.ldif | 2 +-
 openldap/schema/inetorgperson.schema | 2 +-
 openldap/schema/java.ldif | 2 +-
 openldap/schema/java.schema | 2 +-
 openldap/schema/misc.ldif | 2 +-
 openldap/schema/misc.schema | 2 +-
 openldap/schema/nis.ldif | 2 +-
 openldap/schema/nis.schema | 2 +-
 openldap/schema/openldap.ldif | 2 +-
 openldap/schema/openldap.schema | 2 +-
 openldap/schema/pmi.ldif | 2 +-
 openldap/schema/pmi.schema | 2 +-
 openldap/schema/ppolicy.ldif | 38 ++++++++++++++++++----------
 openldap/schema/ppolicy.schema | 31 ++++++++++++++++++++---
 openldap/slapd.conf.default | 5 ++--
 openldap/slapd.ldif | 11 ++++----
 openldap/slapd.ldif.default | 11 ++++----
 32 files changed, 127 insertions(+), 59 deletions(-)
diff --git a/.etckeeper b/.etckeeper
index 40cbf8c..04e2e7a 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -2043,8 +2043,7 @@ maybe chmod 0644 'openldap/schema/samba.schema'
 maybe chmod 0644 'openldap/schema/sudo.schema'
 maybe chgrp 'ldap' 'openldap/slapd.conf'
 maybe chmod 0640 'openldap/slapd.conf'
-maybe chgrp 'ldap' 'openldap/slapd.conf.default'
-maybe chmod 0640 'openldap/slapd.conf.default'
+maybe chmod 0600 'openldap/slapd.conf.default'
 maybe chmod 0600 'openldap/slapd.ldif'
 maybe chmod 0600 'openldap/slapd.ldif.default'
 maybe chmod 0755 'openldap/ssl'
diff --git a/init.d/slapd b/init.d/slapd
index 3982aad..da3e348 100755
--- a/init.d/slapd
+++ b/init.d/slapd
@@ -1,11 +1,13 @@ #!/sbin/openrc-run -# Copyright 1999-2012 Gentoo Foundation +# Copyright 1999-2015 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # $Id$ extra_commands="checkconfig" [ -z "$INSTANCE" ] && INSTANCE="openldap${SVCNAME#slapd}" +PIDDIR=/run/openldap +PIDFILE=$PIDDIR/$SVCNAME.pid depend() { need net
@@ -14,23 +16,50 @@ depend() { } start() { - checkpath -q -d /var/run/openldap/ -o ldap:ldap + checkpath -q -d ${PIDDIR} -o ldap:ldap if ! checkconfig -Q ; then eerror "There is a problem with your slapd.conf!" return 1 fi ebegin "Starting ldap-server" [ -n "$KRB5_KTNAME" ] && export KRB5_KTNAME - eval start-stop-daemon --start --pidfile /var/run/openldap/${SVCNAME}.pid --exec /usr/lib64/openldap/slapd -- -u ldap -g ldap "${OPTS}" + eval start-stop-daemon --start --pidfile ${PIDFILE} --exec /usr/lib64/openldap/slapd -- -u ldap -g ldap "${OPTS}" eend $? } stop() { ebegin "Stopping ldap-server" - start-stop-daemon --stop --signal 2 --quiet --pidfile /var/run/openldap/${SVCNAME}.pid + start-stop-daemon --stop --signal 2 --quiet --pidfile ${PIDFILE} eend $? } checkconfig() { + # checks requested by bug #502948 + # Step 1: extract the last valid config file or config dir + set -- $OPTS + while [ -n "$*" ]; do + opt=$1 ; shift + if [ "$opt" = "-f" -o "$opt" = "-F" ] ; then + CONF=$1 + shift + fi + done + set -- + # Fallback + CONF=${CONF-/etc/openldap/slapd.conf} + [ -d $CONF ] && CONF=${CONF}/* + DBDIRS=`eval awk '"/^(directory|olcDbDirectory:)/{print \\$2}"' $CONF` + for d in $DBDIRS; do + if [ ! -d $d ]; then + eerror "Directory $d in config does not exist!" + return 1 + fi + /usr/bin/find $d ! -name DB_CONFIG ! -user ldap -o ! -group ldap |grep -sq . + if [ $? -ne 0 ]; then + ewarn "You have files in $d not owned by the ldap user, you must ensure they are accessible to the slapd instance!" + fi + [ ! -e $d/DB_CONFIG ] && ewarn "$d/DB_CONFIG does not exist, slapd performance may be sub-optimal" + done + # now test the config fully /usr/sbin/slaptest -u "$@" ${OPTS_CONF} }
diff --git a/openldap/schema/README b/openldap/schema/README
index e2e2c76..aa05a02 100644
--- a/openldap/schema/README
+++ b/openldap/schema/README
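Review bot: The ownership warning in the new checkconfig() fires on the wrong branch: `grep -sq .` exits 0 when find printed at least one path, i.e. when some file in $d is not owned by ldap, so `if [ $? -ne 0 ]` warns only when every file is correctly owned and stays silent in the case it was written for; it should read `if [ $? -eq 0 ]; then`. The find expression also lacks grouping, because `-o` binds looser than the implicit `-a`, so `! -name DB_CONFIG ! -user ldap -o ! -group ldap` still reports DB_CONFIG itself whenever its group is not ldap; `/usr/bin/find "$d" ! -name DB_CONFIG \( ! -user ldap -o ! -group ldap \) | grep -sq .` matches the comment's intent and quotes `$d`, which the `[ ! -d $d ]` and `[ ! -e $d/DB_CONFIG ]` tests should also do (leave `set -- $OPTS` and the `$CONF` glob unquoted, those rely on word splitting). The DB_CONFIG ewarn is unconditional, yet this same patch switches the sample slapd.ldif database from bdb to mdb, for which a Berkeley DB tuning file has no meaning, so mdb deployments will get a spurious "performance may be sub-optimal" warning on every start; consider keying that check on the backend or dropping it.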
@@ -34,7 +34,7 @@ convert schema files in general. This notice applies to all files in this directory. -Copyright 1998-2013 The OpenLDAP Foundation, Redwood City, California, USA +Copyright 1998-2015 The OpenLDAP Foundation, Redwood City, California, USA All rights reserved. Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/collective.ldif b/openldap/schema/collective.ldif
index 49e8d05..a762cc6 100644
--- a/openldap/schema/collective.ldif
+++ b/openldap/schema/collective.ldif
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/collective.schema b/openldap/schema/collective.schema
index 1f0feb6..4912b75 100644
--- a/openldap/schema/collective.schema
+++ b/openldap/schema/collective.schema
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/corba.ldif b/openldap/schema/corba.ldif
index 285f170..47675a5 100644
--- a/openldap/schema/corba.ldif
+++ b/openldap/schema/corba.ldif
@@ -3,7 +3,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/corba.schema b/openldap/schema/corba.schema
index eb0e144..731080e 100644
--- a/openldap/schema/corba.schema
+++ b/openldap/schema/corba.schema
@@ -4,7 +4,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/core.ldif b/openldap/schema/core.ldif
index 7ea6ae7..aed7349 100644
--- a/openldap/schema/core.ldif
+++ b/openldap/schema/core.ldif
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/core.schema b/openldap/schema/core.schema
index 8828caa..0257cff 100644
--- a/openldap/schema/core.schema
+++ b/openldap/schema/core.schema
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/cosine.ldif b/openldap/schema/cosine.ldif
index 428b7a3..340ca11 100644
--- a/openldap/schema/cosine.ldif
+++ b/openldap/schema/cosine.ldif
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/cosine.schema b/openldap/schema/cosine.schema
index 9b16419..bc1d7f7 100644
--- a/openldap/schema/cosine.schema
+++ b/openldap/schema/cosine.schema
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/duaconf.ldif b/openldap/schema/duaconf.ldif
index ea05327..840965a 100644
--- a/openldap/schema/duaconf.ldif
+++ b/openldap/schema/duaconf.ldif
@@ -1,7 +1,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/duaconf.schema b/openldap/schema/duaconf.schema
index 06b5ad0..c0cdaa5 100644
--- a/openldap/schema/duaconf.schema
+++ b/openldap/schema/duaconf.schema
@@ -1,7 +1,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/dyngroup.ldif b/openldap/schema/dyngroup.ldif
index c38cbc0..595ae61 100644
--- a/openldap/schema/dyngroup.ldif
+++ b/openldap/schema/dyngroup.ldif
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/dyngroup.schema b/openldap/schema/dyngroup.schema
index 9c0c2ad..035e23f 100644
--- a/openldap/schema/dyngroup.schema
+++ b/openldap/schema/dyngroup.schema
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/inetorgperson.ldif b/openldap/schema/inetorgperson.ldif
index 0cf6e14..d91b2bd 100644
--- a/openldap/schema/inetorgperson.ldif
+++ b/openldap/schema/inetorgperson.ldif
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/inetorgperson.schema b/openldap/schema/inetorgperson.schema
index bbab287..24c2421 100644
--- a/openldap/schema/inetorgperson.schema
+++ b/openldap/schema/inetorgperson.schema
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/java.ldif b/openldap/schema/java.ldif
index 862939b..e39723d 100644
--- a/openldap/schema/java.ldif
+++ b/openldap/schema/java.ldif
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/java.schema b/openldap/schema/java.schema
index d1bcfb9..bb9c01c 100644
--- a/openldap/schema/java.schema
+++ b/openldap/schema/java.schema
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/misc.ldif b/openldap/schema/misc.ldif
index e3a7bd0..5117fd2 100644
--- a/openldap/schema/misc.ldif
+++ b/openldap/schema/misc.ldif
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/misc.schema b/openldap/schema/misc.schema
index 76a92a7..e636135 100644
--- a/openldap/schema/misc.schema
+++ b/openldap/schema/misc.schema
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/nis.ldif b/openldap/schema/nis.ldif
index 13099de..9d7f19c 100644
--- a/openldap/schema/nis.ldif
+++ b/openldap/schema/nis.ldif
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/nis.schema b/openldap/schema/nis.schema
index ec5b32c..6e83c7e 100644
--- a/openldap/schema/nis.schema
+++ b/openldap/schema/nis.schema
@@ -1,7 +1,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/openldap.ldif b/openldap/schema/openldap.ldif
index ffd99b5..79ccac5 100644
--- a/openldap/schema/openldap.ldif
+++ b/openldap/schema/openldap.ldif
@@ -1,7 +1,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/openldap.schema b/openldap/schema/openldap.schema
index af6b51e..cd00946 100644
--- a/openldap/schema/openldap.schema
+++ b/openldap/schema/openldap.schema
@@ -1,7 +1,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/pmi.ldif b/openldap/schema/pmi.ldif
index e14948c..b2afb5d 100644
--- a/openldap/schema/pmi.ldif
+++ b/openldap/schema/pmi.ldif
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/pmi.schema b/openldap/schema/pmi.schema
index 0ec2478..5452a22 100644
--- a/openldap/schema/pmi.schema
+++ b/openldap/schema/pmi.schema
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 1998-2013 The OpenLDAP Foundation.
+## Copyright 1998-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
diff --git a/openldap/schema/ppolicy.ldif b/openldap/schema/ppolicy.ldif
index 677330b..759c96d 100644
--- a/openldap/schema/ppolicy.ldif
+++ b/openldap/schema/ppolicy.ldif
@@ -1,7 +1,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 2004-2013 The OpenLDAP Foundation.
+## Copyright 2004-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -35,28 +35,37 @@ cn: ppolicy olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY in - tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY in - tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY - integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 + .27 SINGLE-VALUE ) olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUAL - ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12 + 1.1.27 SINGLE-VALUE ) olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY - integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121. + 1.27 SINGLE-VALUE ) olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUA - LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + LITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115. 
+ 121.1.27 SINGLE-VALUE ) olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQ - UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + UALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.11 + 5.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY b ooleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' E - QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + QUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.1 + 15.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUAL - ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.1 + 21.1.27 SINGLE-VALUE ) olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInter - val' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE - ) + val' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1. + 1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUAL ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' 
@@ -66,10 +75,13 @@ olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUAL olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'L oadable module that instantiates "check_password() function' EQUALITY caseExa ctIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur + e' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1. + 1466.115.121.1.27 SINGLE-VALUE ) olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule ) olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXI LIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheck Quality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange - $ pwdAllowUserChange $ pwdSafeModify ) ) + $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
diff --git a/openldap/schema/ppolicy.schema b/openldap/schema/ppolicy.schema
index 15bc837..5cfe81b 100644
--- a/openldap/schema/ppolicy.schema
+++ b/openldap/schema/ppolicy.schema
@@ -1,7 +1,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software .
 ##
-## Copyright 2004-2013 The OpenLDAP Foundation.
+## Copyright 2004-2015 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -110,6 +110,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
@@ -125,6 +126,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
@@ -140,6 +142,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
@@ -166,6 +169,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
@@ -182,6 +186,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
@@ -198,6 +203,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
@@ -210,6 +216,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
@@ -241,6 +248,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
@@ -254,6 +262,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
@@ -269,6 +278,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
@@ -315,6 +325,20 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +#ITS#8185 pwdMaxRecordedFailure +# +# This attribute specifies the maximum number of consecutive failed bind +# attempts to record. If this attribute is not present, or if the value +# is 0, it defaults to the value of pwdMaxFailure. If that value is also +# 0, this value defaults to 5. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.30 + NAME 'pwdMaxRecordedFailure' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + # HP extensions # # pwdCheckModule
@@ -332,7 +356,7 @@ attributetype ( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - DESC 'Loadable module that instantiates "check_password() function' + DESC 'Loadable module that instantiates check_password() function' SINGLE-VALUE ) objectclass ( 1.3.6.1.4.1.4754.2.99.1
@@ -356,7 +380,8 @@ objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1 MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ - pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) ) + pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ + pwdMaxRecordedFailure ) ) #5.3 Attribute Types for Password Policy State Information #
diff --git a/openldap/slapd.conf.default b/openldap/slapd.conf.default
index ea9e489..d536b1f 100644
--- a/openldap/slapd.conf.default
+++ b/openldap/slapd.conf.default
@@ -10,8 +10,8 @@ include /etc/openldap/schema/core.schema # service AND an understanding of referrals. #referral ldap://root.openldap.org -pidfile /var/run/openldap/slapd.pid -argsfile /var/run/openldap/slapd.args +pidfile /run/openldap/slapd.pid +argsfile /run/openldap/slapd.args # Load dynamic backend modules: # modulepath /usr/lib64/openldap/openldap
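Review bot: The pidfile/argsfile move to /run/openldap in the `@@ -10,8 +10,8 @@` hunk touches only slapd.conf.default, which slapd does not read; the live openldap/slapd.conf (present per the .etckeeper hunk, but not part of this patch) decides where slapd actually writes its pidfile, while init.d/slapd in the same patch now hands `--pidfile /run/openldap/$SVCNAME.pid` to start-stop-daemon in both start() and stop(). If the live config still names /var/run/openldap/slapd.pid and /var/run is not a symlink to /run on this host, stop() will poll a pidfile slapd never writes and the daemon keeps running; worth confirming the two paths agree after the emerge.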
@@ -24,6 +24,7 @@ argsfile /var/run/openldap/slapd.args # moduleload back_null.so # moduleload back_monitor.so # moduleload back_meta.so +# moduleload back_mdb.so # moduleload back_ldap.so # moduleload back_dnssrv.so
diff --git a/openldap/slapd.ldif b/openldap/slapd.ldif
index afb1d52..3cee8b1 100644
--- a/openldap/slapd.ldif
+++ b/openldap/slapd.ldif
@@ -1,5 +1,5 @@
 #
-# See slapd.d(5) for details on configuration options.
+# See slapd-config(5) for details on configuration options.
 # This file should NOT be world readable.
 #
 dn: cn=config
@@ -47,6 +47,7 @@ include: file:///etc/openldap/schema/core.ldif
 #
 dn: olcDatabase=frontend,cn=config
 objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
 olcDatabase: frontend
 #
 # Sample global access control policy:
@@ -73,13 +74,13 @@ olcDatabase: frontend ####################################################################### -# BDB database definitions +# LMDB database definitions ####################################################################### # -dn: olcDatabase=bdb,cn=config +dn: olcDatabase=mdb,cn=config objectClass: olcDatabaseConfig -objectClass: olcBdbConfig -olcDatabase: bdb +objectClass: olcMdbConfig +olcDatabase: mdb olcSuffix: dc=my-domain,dc=com olcRootDN: cn=Manager,dc=my-domain,dc=com # Cleartext passwords, especially for the rootdn, should
diff --git a/openldap/slapd.ldif.default b/openldap/slapd.ldif.default
index afb1d52..3cee8b1 100644
--- a/openldap/slapd.ldif.default
+++ b/openldap/slapd.ldif.default
@@ -1,5 +1,5 @@
 #
-# See slapd.d(5) for details on configuration options.
+# See slapd-config(5) for details on configuration options.
 # This file should NOT be world readable.
 #
 dn: cn=config
@@ -47,6 +47,7 @@ include: file:///etc/openldap/schema/core.ldif
 #
 dn: olcDatabase=frontend,cn=config
 objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
 olcDatabase: frontend
 #
 # Sample global access control policy:
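Review bot: The bdb→mdb switch in the `@@ -73,13 +74,13 @@` hunk of slapd.ldif keeps the placeholder `olcSuffix: dc=my-domain,dc=com` and `olcRootDN: cn=Manager,dc=my-domain,dc=com`, and the olcRootPW line that the trailing comment introduces is outside the hunk; since slapd.ldif and slapd.ldif.default carry the same blob (afb1d52..3cee8b1), the live file is still the stock template, which is only harmless if slapd is started from slapd.conf as init.d/slapd's `CONF=${CONF-/etc/openldap/slapd.conf}` fallback assumes. An mdb database also sizes its environment from olcDbMaxSize, which does not appear in this hunk; if it is absent below, the database is capped at the backend's default map size, so it is worth adding an `olcDbMaxSize:` value to the mdb entry. The same applies to the identical hunk in slapd.ldif.default.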
@@ -73,13 +74,13 @@ olcDatabase: frontend ####################################################################### -# BDB database definitions +# LMDB database definitions ####################################################################### # -dn: olcDatabase=bdb,cn=config +dn: olcDatabase=mdb,cn=config objectClass: olcDatabaseConfig -objectClass: olcBdbConfig -olcDatabase: bdb +objectClass: olcMdbConfig +olcDatabase: mdb olcSuffix: dc=my-domain,dc=com olcRootDN: cn=Manager,dc=my-domain,dc=com # Cleartext passwords, especially for the rootdn, should
--
2.39.5