resetacl: renommage en resetdb, ajouter la contrainte sur pslBadgeCSN (fixes #22917)

Corrige aussi les mises à jour de contrainte précédentes qui ne marchaient
pas car olcConstraintAttribute ne supporte pas les recherches par
sous-chaîne.
Benjamin Dauvergne 2018-04-27 11:01:32 +02:00
parent a8f4ba5d4d
commit 1751cf08dc
2 changed files with 57 additions and 8 deletions


@ -10,6 +10,16 @@ function echoonerror {
fi
}
function confirm {
echo -n Voulez-vous $1 ? "(y/n) "
read OK
if [ "$OK" = "y" ]; then
return 0
else
return 1
fi
}
if [ "x$1" = "x" ]; then
echo Suffix de la base à réinitialiser ?
echo -ne "> "
@ -23,7 +33,12 @@ DN2=`ldapsearch -H ldapi:// -Y EXTERNAL -b $DN "objectClass=olcConstraintConfig"
if [ "x$DN" != "" ]; then
LDIF=`tempfile`
cat <<EOF >$LDIF
cat <<EOF
La réinitialisation des ACLs supprimera vos ACLs locales les remplaçant par le
standard PSL, à ne faire qu'en connaissance de cause.
EOF
if confirm "remettre à zéro les ACLs"; then
cat <<EOF >$LDIF
dn: $DN
changetype: modify
replace: olcAccess
@ -73,24 +88,58 @@ olcAccess: {9}to dn.subtree="ou=structures,$SUFFIX"
olcAccess: {10}to *
by group.exact="cn=reader,ou=groups,$SUFFIX" +r
by users +s
-
EOF
echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF && echo "- directives olcAccess réinitialisées"
fi
cat <<EOF
La réinitialisation des directives olcDBIndex supprimera vos règles
d'indexation locales, si vous utilisez des attributs locaux qui nécessitent une
indexation cela pourrait produire des ralentissements.
EOF
if confirm "réinitialiser les directives olcDbIndex"; then
cat <<EOF >$LDIF
dn: $DN
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRefId eq
olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRefId,pslBadgeCSN eq
olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
-
replace: olcDbMaxSize
olcDbMaxSize: 1073741824
EOF
echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF
if echoonerror ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN2" olcConstraintAttribute=*displayName* >/dev/null; then
echo <<EOF >$LDIF
echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF
echo "- directives olcDBIndex réinitialisées"
fi
# remove the displayname constraint
if ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN2" "olcConstraintAttribute=displayName,sn,givenName set \"\\28this/givenName + [ ] + this/sn\\29 & this/displayName\" restrict=\"ldap:///ou=people,$SUFFIX??sub?\\28objectClass=\\2a\\29\"" 2>/dev/null | grep -q ^olcConstraintAttribute ; then
cat <<EOF >$LDIF
dn: $DN2
changetype: modify
delete: olcConstraintAttribute
olcConstraintAttribute: displayName,sn,givenName set "(this/givenName + [ ] + this/sn) & this/displayName" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
olcConstraintAttribute: supannAliasLogin regex "^[[:alnum]+$"
EOF
echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF
echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF && echo "- contrainte displayName retiré"
fi
# remove the supannAliasLogin constraint
if ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN2" olcConstraintAttribute='supannAliasLogin regex "^[[:alnum:]]+$"' 2>/dev/null | grep -q ^olcConstraintAttribute ; then
cat <<EOF >$LDIF
dn: $DN2
changetype: modify
delete: olcConstraintAttribute
olcConstraintAttribute: supannAliasLogin regex "^[[:alnum:]]+$"
EOF
echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF && echo "- contrainte supannAliasLogin retiré"
fi
# add the pslBadgeCSN constraint
if ! (ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN2" 'olcConstraintAttribute=pslBadgeCSN regex "^[0-9A-F]{8,14}$"' 2>/dev/null | grep -q ^olc); then
cat <<EOF >$LDIF
dn: $DN2
changetype: modify
add: olcConstraintAttribute
olcConstraintAttribute: pslBadgeCSN regex "^[0-9A-F]{8,14}$"
EOF
echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF && echo "- contrainte pslBadgeCSN ajouté"
fi
rm $LDIF
echo "Réinitialisation de la base $DN pour le suffixe $SUFFIX effectuée."
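Review bot: The guard `if [ "x$DN" != "" ]`, shown as context at the top of the second hunk, can never be false because the left side always contains at least `x`, so the newly confirmed olcAccess and olcDbIndex rewrites (run over `ldapi://` with EXTERNAL) are attempted even when no database DN was found; it should read `if [ "x$DN" != "x" ]`. `$DN2` would benefit from the same non-empty check before the constraint blocks, since their `ldapsearch ... 2>/dev/null | grep -q` tests cannot tell a failed search from an absent constraint. In the new `confirm` function, `$1` and the bare `?` are unquoted and therefore subject to word splitting and filename globbing; `printf 'Voulez-vous %s ? (y/n) ' "$1"` followed by `read -r OK` avoids that. The olcDbIndex block appears to print its success message on its own line rather than after `&&` as the other blocks do, so it would be shown even when ldapmodify fails. The enclosing `if` starts in context and its closing `fi` is outside the visible hunks.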