
#!/bin/bash
# resetdb — reset a slapd database (located by its olcSuffix under cn=config)
# to the PSL supann defaults: its olcAccess directives, its olcDbIndex /
# olcDbMaxSize settings, and the olcConstraintAttribute rules of the
# constraint overlay beneath it.
# Usage: resetdb [suffix]    (the suffix is asked interactively when omitted)
# All LDAP operations go over ldapi:// with SASL EXTERNAL, so the script must
# run as an identity that slapd maps to write access on cn=config
# (presumably root via peercred — confirm against the cn=config ACLs).
# -e aborts on an unhandled failure; it does not fire for commands tested by
# "if" or followed by "&&", which the steps below rely on to keep going.
set -e
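#######################################
# Run a command silently, printing its captured output only if it fails.
# Arguments: the command and its arguments
# Outputs:   the command's combined stdout/stderr, on failure only
# Returns:   the command's exit status (0 on success), or 1 if no scratch
#            file could be created
#######################################
echoonerror() {
  local log status=0
  # mktemp replaces the Debian-only, deprecated tempfile
  log=$(mktemp) || return 1
  # Test the command directly: after "if ! cmd", $? is the status of the
  # negated list (0), which is why the previous version always returned 0.
  if "$@" >"$log" 2>&1; then
    status=0
  else
    status=$?
    cat -- "$log"
  fi
  # Always drop the scratch file (it used to be leaked)
  rm -f -- "$log"
  return "$status"
}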
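#######################################
# Ask a yes/no question on stdout and read the answer from stdin.
# Arguments: $1 - French verb phrase completing "Voulez-vous … ?"
# Outputs:   the prompt, without a trailing newline
# Returns:   0 if the answer is exactly "y", 1 otherwise (including EOF)
#######################################
confirm() {
  local reply
  # printf instead of an unquoted echo: the bare "?" was a glob that would
  # expand to any single-character file name in the current directory.
  printf 'Voulez-vous %s ? (y/n) ' "$1"
  # -r keeps backslashes in the answer literal
  read -r reply
  [[ "$reply" == "y" ]]
}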
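# Database suffix: first argument, otherwise asked interactively.
if [[ -z "${1:-}" ]]; then
  # Quoted: the trailing "?" was an unquoted glob in the old prompt
  echo "Suffix de la base à réinitialiser ?"
  printf '> '
  # -r keeps any backslash in the suffix literal
  read -r SUFFIX
else
  SUFFIX="$1"
fi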
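# DN of the database entry under cn=config whose olcSuffix is $SUFFIX, then
# the DN of the constraint overlay beneath it. Both are empty when nothing
# matches (grep's status is hidden by sed, so set -e does not trip here).
# NOTE(review): $SUFFIX goes verbatim into the search filter; a suffix
# containing ( ) * or \ would need RFC 4515 escaping — confirm the expected
# suffixes never do.
DN=$(ldapsearch -H ldapi:// -Y EXTERNAL -b cn=config "olcSuffix=$SUFFIX" "" 2>/dev/null | grep '^dn' | head -n1 | sed 's/^dn: //')
DN2=""
if [[ -n "$DN" ]]; then
  # Base quoted: an empty or space-containing DN used to shift the arguments
  DN2=$(ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN" "objectClass=olcConstraintConfig" "" 2>/dev/null | grep '^dn' | head -n1 | sed 's/^dn: //')
fi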
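# "x$DN" != "" was always true, so the not-found branch was unreachable.
if [[ -n "$DN" ]]; then
  # Scratch LDIF shared by every ldapmodify below; the trap removes it on
  # any exit path (mktemp replaces the Debian-only tempfile).
  LDIF=$(mktemp)
  trap 'rm -f -- "$LDIF"' EXIT
  cat <<EOF
La réinitialisation des ACLs supprimera vos ACLs locales les remplaçant par le
standard PSL, à ne faire qu'en connaissance de cause.
EOF
  if confirm "remettre à zéro les ACLs"; then
    # Unquoted heredoc so $DN and $SUFFIX expand. LDIF folds a value onto
    # following lines that start with exactly one space, hence the
    # one-space indent of the "by" clauses; every other line is at column 0.
    # NOTE(review): $SUFFIX is pasted verbatim into the dn.regex= patterns,
    # so regex metacharacters in the suffix ("." in particular) are not
    # escaped and widen the match — confirm the suffix contains none.
    cat <<EOF >"$LDIF"
dn: $DN
changetype: modify
replace: olcAccess
# Accès super-utilisateur
olcAccess: {0}to *
 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by group.exact="cn=admin,ou=groups,$SUFFIX" manage
 by * break
# Structure du DIT: tout le monde peut voir
olcAccess: {1}to dn.base="$SUFFIX"
 by anonymous read
 by * +rs break
olcAccess: {2}to dn.one="$SUFFIX"
 by anonymous read
 by * +rs break
# Branche people
olcAccess: {3}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=userPassword
 by self write
 by anonymous auth
 by * none
olcAccess: {4}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,labeledURI
 by self write
 by * break
olcAccess: {5}to dn.one="ou=people,$SUFFIX"
 by self read
 by users read
 by anonymous auth
 by * none
# Branche groups
olcAccess: {6}to dn.one="ou=groups,$SUFFIX"
 by set="this/owner & user" manage
 by * break
olcAccess: {7}to dn.one="ou=groups,$SUFFIX" attrs=member
 by set="this/supannGroupeAdminDN/member* & user" write
 by set="this/supannGroupeAdminDN & user" write
 by set="this/supannGroupeLecteurDN/member* & user" read
 by set="this/supannGroupeLecteurDN & user" read
 by group.exact="cn=reader,ou=groups,$SUFFIX" read
 by dnattr=member selfread
 by * none
olcAccess: {8}to dn.one="ou=groups,$SUFFIX"
 by users read
 by * none
# Branche structure, tout le monde peut lire
olcAccess: {9}to dn.subtree="ou=structures,$SUFFIX"
 by * read
olcAccess: {10}to *
 by group.exact="cn=reader,ou=groups,$SUFFIX" +r
 by users +s
EOF
    echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f "$LDIF" && echo "- directives olcAccess réinitialisées"
  fi
  cat <<EOF
La réinitialisation des directives olcDBIndex supprimera vos règles
d'indexation locales, si vous utilisez des attributs locaux qui nécessitent une
indexation cela pourrait produire des ralentissements.
EOF
  if confirm "réinitialiser les directives olcDbIndex"; then
    cat <<EOF >"$LDIF"
dn: $DN
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRefId,pslBadgeCSN eq
olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
-
replace: olcDbMaxSize
olcDbMaxSize: 1073741824
EOF
    # Same "&&" as the other steps: success is reported only if ldapmodify
    # succeeded (this step used to print it unconditionally).
    echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f "$LDIF" && echo "- directives olcDBIndex réinitialisées"
  fi
  if [[ -z "$DN2" ]]; then
    # Without the overlay DN the searches below would run against the root
    # DSE and the ldapmodify would target an empty dn; skip with a warning.
    echo "AVERTISSEMENT: aucun overlay olcConstraintConfig sous $DN, contraintes non modifiées" >&2
  else
    # remove the displayname constraint (filter value uses RFC 4515 escapes
    # \28 \29 \2a for the parentheses and the asterisk)
    if ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN2" "olcConstraintAttribute=displayName,sn,givenName set \"\\28this/givenName + [ ] + this/sn\\29 & this/displayName\" restrict=\"ldap:///ou=people,$SUFFIX??sub?\\28objectClass=\\2a\\29\"" 2>/dev/null | grep -q '^olcConstraintAttribute'; then
      cat <<EOF >"$LDIF"
dn: $DN2
changetype: modify
delete: olcConstraintAttribute
olcConstraintAttribute: displayName,sn,givenName set "(this/givenName + [ ] + this/sn) & this/displayName" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
EOF
      echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f "$LDIF" && echo "- contrainte displayName retiré"
    fi
    # remove the supannAliasLogin constraint ("$"" is literal in the heredoc:
    # no valid expansion follows the dollar sign)
    if ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN2" olcConstraintAttribute='supannAliasLogin regex "^[[:alnum:]]+$"' 2>/dev/null | grep -q '^olcConstraintAttribute'; then
      cat <<EOF >"$LDIF"
dn: $DN2
changetype: modify
delete: olcConstraintAttribute
olcConstraintAttribute: supannAliasLogin regex "^[[:alnum:]]+$"
EOF
      echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f "$LDIF" && echo "- contrainte supannAliasLogin retiré"
    fi
    # add the pslBadgeCSN constraint when it is not already present
    if ! ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN2" 'olcConstraintAttribute=pslBadgeCSN regex "^[0-9A-F]{8,14}$"' 2>/dev/null | grep -q '^olc'; then
      cat <<EOF >"$LDIF"
dn: $DN2
changetype: modify
add: olcConstraintAttribute
olcConstraintAttribute: pslBadgeCSN regex "^[0-9A-F]{8,14}$"
EOF
      echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f "$LDIF" && echo "- contrainte pslBadgeCSN ajouté"
    fi
  fi
  echo "Réinitialisation de la base $DN pour le suffixe $SUFFIX effectuée."
else
  echo "ERREUR: Le suffixe $SUFFIX n'a pas été trouvé" >&2
  exit 1
fi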