slapd-supann/lib/newdb

#!/bin/bash

set -e

echo "Suffixe de la base à créer (exemple : dc=dauphine,dc=fr) :"
echo -n "-> "
read SUFFIX
echo

if [ -d "/var/lib/ldap/$SUFFIX" ]; then
	echo "ERR: le répertoire '/var/lib/ldap/$SUFFIX' existe déjà" >&2
	exit 1
fi

if ldapsearch -H ldapi:// -Y EXTERNAL -b cn=config olcSuffix=$SUFFIX 2>/dev/null | grep -q '^result: [1-9]'; then
	echo "ERR: le suffixe $SUFFIX existe déjà" >&2
	exit 2
fi

echo "Choisir un mot de passe administrateur (uid=admin,ou=people,$SUFFIX) :"
echo -n "-> "
stty -echo
read PASSWORD
stty echo
echo
echo "Une nouvelle fois :"
echo -n "-> "
stty -echo
read PASSWORD2
stty echo
echo
if [ x"$PASSWORD" != x"$PASSWORD2" ]; then
	echo "ERR: mots de passe différents" >&2
	exit 3
fi
echo

echo "Nom de l'organisation (o=...) :"
echo "uniquement des majuscules, sans accent"
echo "Exemple: ENS"
echo -n "-> "
read ORGANIZATION
echo

CODE_ENTITE="`echo $ORGANIZATION | sed 's/ /_/' | sed sx\'xx`"

echo "Code de l'établissement, préfixé par son origine (supannEtablissement={ORIG}CODE)"
echo "Exemples :"
echo " {UAI}0350936C          Université de Rennes 1"
echo " {SIRET}18004312700067  AMUE"
echo " {CNRS}MOY1400          Délégation régionale de Toulouse du CNRS"
echo -n "-> "
read CODEETB
echo

echo "Récapitulatif :"
echo " Suffixe : $SUFFIX"
echo "     Nom : $ORGANIZATION"
echo "Code UAI : $CODEETB"
echo "DN entité établissement : supannCodeEntite=$CODE_ENTITE,ou=structures,$SUFFIX"
echo
echo "Créer cette base ? (taper oui)"
echo -n "-> "
read OK
echo

if [ "x$OK" != "xoui" ]; then
	exit 4
fi

DC=`echo $SUFFIX | sed 's/dc=\([^,]*\).*/\1/'`
DBDIR=/var/lib/ldap/$SUFFIX
DBACCESSLOGDIR=/var/lib/ldap/$SUFFIX/accesslog/

mkdir -p "$DBDIR" "$DBACCESSLOGDIR"
chown openldap:openldap "$DBDIR" "$DBACCESSLOGDIR"

LDIF=`tempfile --prefix=newdb --suffix=.ldif`
cat << EOF > $LDIF
# LDAPVI syntax
add olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: $SUFFIX
olcDbDirectory: /var/lib/ldap/$SUFFIX/
olcRootDN: uid=admin,ou=people,$SUFFIX
olcRootPW: $PASSWORD
olcLastMod: TRUE
olcAddContentACL: FALSE
olcMonitoring: TRUE
olcSyncUseSubentry: FALSE
olcMaxDerefDepth: 0
olcLimits: {0}dn.exact="uid=admin,ou=people,$SUFFIX" size.soft=unlimited  size.hard=unlimited  time.soft=unlimited  time.hard=unlimited
olcLimits: {1}dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size.soft=unlimited  size.hard=unlimited  time.soft=unlimited  time.hard=unlimited
olcLimits: {2}* size.pr=1000 size.prtotal=unlimited
olcReadOnly: FALSE
# Index
olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRefId eq
olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
# Accès super-utilisateur
olcAccess: {0}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by group.exact="cn=admin,ou=groups,$SUFFIX" manage
  by * break
# Structure du DIT: tout le monde peut voir
olcAccess: {1}to dn.base="$SUFFIX"
  by anonymous read
  by * +rs break
olcAccess: {2}to dn.one="$SUFFIX"
  by anonymous read
  by * +rs break
# Branche people
olcAccess: {3}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {4}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,labeledURI,telephoneNumber,mobile
  by self write
  by * break
olcAccess: {5}to dn.one="ou=people,$SUFFIX"
  by self read
  by users read
  by anonymous auth
  by * none
# Branche groups
olcAccess: {6}to dn.one="ou=groups,$SUFFIX"
  by set="this/owner & user" manage
  by * break
olcAccess: {7}to dn.one="ou=groups,$SUFFIX" attrs=member
  by set="this/supannGroupeAdminDN/member* & user" write
  by set="this/supannGroupeAdminDN & user" write
  by set="this/supannGroupeLecteurDN/member* & user" read
  by set="this/supannGroupeLecteurDN & user" read
  by group.exact="cn=reader,ou=groups,$SUFFIX" read
  by dnattr=member selfread
  by * none
olcAccess: {8}to dn.one="ou=groups,$SUFFIX"
  by users read
  by * none
# Branche structure, tout le monde peut lire
olcAccess: {9}to dn.subtree="ou=structures,$SUFFIX"
  by * read
olcAccess: {10}to *
  by group.exact="cn=reader,ou=groups,$SUFFIX" +r
  by users +s
olcDbMaxSize: 1073741824

# Create accesslog DIT
add olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcSuffix: cn=accesslog,$SUFFIX
olcDbDirectory: /var/lib/ldap/$SUFFIX/accesslog/
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by group=cn=admin,ou=groupes,$SUFFIX manage
  by * break
olcDbMaxSize: 1073741824

add olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

# Log all writes to the db
add olcOverlay={1}accesslog,olcDatabase={2}mdb,cn=config
objectClass: olcAccesslogConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {1}accesslog
olcAccessLogDB: cn=accesslog,$SUFFIX
olcAccessLogOps: writes
# log are conserved one year and purged every day
olcAccessLogPurge: 365+00:00 1+00:00
# Keep a copy of everything
olcAccessLogOld: objectClass=*

add olcOverlay={2}refint,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {2}refint
olcRefintAttribute: member
  eduPersonOrgDN
  eduPersonOrgUnitDN
  owner
  eduPersonPrimaryOrgUnitDN
  supannGroupeAdminDN
  supannGroupeLecteurDN
  supannParrainDN
olcRefintNothing: $SUFFIX

add olcOverlay={3}constraint,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: {3}constraint
# un seul cn pour les utilisateurs
olcConstraintAttribute: cn count 1 restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
#olcConstraintAttribute: cn regex "^[-A-Z' ]*$" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///ou=groups,$SUFFIX??sub?(objectClass=*)"
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///$SUFFIX??base?(objectClass=*)"
olcConstraintAttribute: dc regex "^[a-z0-9-]*$"
olcConstraintAttribute: eduOrgHomePageURI,eduOrgSuperiorURI,eduOrgWhitePagesURI regex "^https?://.*$"
olcConstraintAttribute: eduPersonAffiliation regex "^(student|faculty|staff|employee|member|affiliate|alum|library-walk-in|researcher|retired|emeritus|teacher|registered-reader)$"
olcConstraintAttribute: eduPersonPrincipalName regex "^.*@.*$"
olcConstraintAttribute: mail count 1
olcConstraintAttribute: mail,supannMailPerso,supannAutreMail
  regex "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$"
# olcConstraintAttribute: mailForwardingAddress
  regex "^([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}|[a-zA-Z0-9]+)$" # mail ou uid
olcConstraintAttribute: supannCodeEntiteParent,supannEntiteAffectation uri  ldap:///ou=structures,$SUFFIX?supannCodeEntite?sub?(objectClass=supannEntite)
olcConstraintAttribute: supannCodeINE count 1
olcConstraintAttribute: supannEmpId count 1
# FIXME: syntex regex pas bonne
olcConstraintAttribute: supannCivilite regex "^(M.|Mme|Mlle)$"
olcConstraintAttribute: supannTypeEntite,supannEtuCursusAnnee regex "^\{SUPANN\}[A-Z][0-9]+$"
# attribut issu d'une nomenclature
olcConstraintAttribute: supannEtablissement,
 supannEtuDiplome,
 supannEtuElementPedagogique,
 supannEtuEtape,
 supannEtuRegimeInscription,
 supannEtuSecteurDisciplinaire,
 supannEtuTypeDiplome,
  regex "^\{[^}]+\}.*$"
olcConstraintAttribute: supannEtuAnneeInscription regex "^[0-9][0-9][0-9][0-9]$"
olcConstraintAttribute: pslBadgeCSN regex "^[0-9A-F]{8,14}$"

add olcOverlay={4}unique,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: {4}unique
olcUniqueURI: ldap:///$SUFFIX?supannAutreMail?sub

add $SUFFIX
objectClass: organization
objectClass: dcObject
objectClass: eduOrg
objectClass: supannOrg
dc: $DC
o: $ORGANIZATION
supannEtablissement: $CODEETB

add ou=people,$SUFFIX
objectClass: organizationalUnit
ou: people

add uid=admin,ou=people,$SUFFIX
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: supannPerson
uid: admin
cn: Administrateur annuaire
displayName: Administrateur annuaire
givenName: Administrateur
sn: annuaire
supannListeRouge: TRUE
userPassword: $PASSWORD
supannEtablissement: $CODEETB

add ou=structures,$SUFFIX
objectClass: organizationalUnit
ou: structures

add supannCodeEntite=$CODE_ENTITE,ou=structures,$SUFFIX
objectClass: supannOrg
objectClass: supannEntite
objectClass: organization
objectClass: eduOrg
o: $ORGANIZATION
supannCodeEntite: $CODE_ENTITE
description: $ORGANIZATION

add ou=groups,$SUFFIX
objectClass: organizationalUnit
ou: groups

add cn=admin,ou=groups,$SUFFIX
objectClass: groupOfNames
objectClass: supannGroupe
cn: admin
description: Groupe des administrateurs de l'annuaire
member: uid=admin,ou=people,$SUFFIX
EOF

echo "Chargement de la définition de la nouvelle base annuaire ($LDIF) :"
ldapvi --verbose --profile config --ldapmodify --ldapvi --add $LDIF
echo "OK"