Multi-Region: Support shared LDAP service

Decouple NSLCD from the open-ldap SM service and manage it by PMOND instead. This is needed because in the Shared LDAP case, we deprovision the open-ldap service on the Secondary Region which renders NSLCD unmanaged. Additionally, we allow the Secondary Region or Sub Clouds to bind anonymously, but still need to support LDAP read operations in these regions such as ldapfinger or lsldap. For this purpose, the ldapscripts runtime library has been modified to allow anonymous binds during LDAP search operations. Change-Id: I3d4a709d058963be61a0311a539cd020f54118d6 Signed-off-by: Jack Ding <jack.ding@windriver.com>
2018-04-17 16:26:25 -04:00 · 2018-04-17 16:26:25 -04:00 · bc94b9f05f
parent fda572c53e
commit bc94b9f05f
3 changed files with 41 additions and 1 deletions
--- a/ldapscripts/centos/build_srpm.data
+++ b/ldapscripts/centos/build_srpm.data
@ -1,3 +1,3 @@
 COPY_LIST="files/* \
           $CGCS_BASE/downloads/ldapscripts-2.0.8.tgz"
-TIS_PATCH_VER=1
+TIS_PATCH_VER=2
--- a/ldapscripts/centos/ldapscripts.spec
+++ b/ldapscripts/centos/ldapscripts.spec
@ -21,6 +21,7 @@ Patch2: log_timestamp.patch
 Patch3: ldap-user-setup-support.patch
 Patch4: ldap-user-setup-support-input-validation.patch
 Patch5: ldap-user-setup-noninteractive-mode-fix.patch
+Patch6: allow-anonymous-bind-for-ldap-search.patch

 %define debug_package %{nil}

@ -39,6 +40,7 @@ Shell scripts that allow to manage POSIX accounts (users, groups, machines) in a
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1


 %build
--- a/ldapscripts/files/allow-anonymous-bind-for-ldap-search.patch
+++ b/ldapscripts/files/allow-anonymous-bind-for-ldap-search.patch
@ -0,0 +1,38 @@
+From bee43b9f75ee7a2cee0391319528264014d775f7 Mon Sep 17 00:00:00 2001
+From: Kam Nasim <kam.nasim@windriver.com>
+Date: Mon, 16 Apr 2018 14:58:03 -0400
+Subject: [PATCH] ldapscripts - allow anonymous bind for ldap search
+
+---
+ lib/runtime | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/runtime b/lib/runtime
+index 012ac95..18acf3f 100644
+--- a/lib/runtime
+++ b/lib/runtime
+@@ -197,8 +197,11 @@ _ldapsearch () {
+   elif [ -n "$BINDPWDFILE" ]
+   then
+     $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -y "$BINDPWDFILE" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE" 
+-  else
+  elif [ -n "$BINDPWD" ]
+  then
+     $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -w "$BINDPWD" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE" 
+  else
+    $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE" 
+   fi
+ }
+ 
+@@ -785,7 +788,7 @@ then
+     then
+       warn_log "Warning : using command-line passwords, ldapscripts may not be safe"
+     else
+-      end_die "Unable to read password file $BINDPWDFILE, exiting..."
+      warn_log "Warning: Unable to read password file $BINDPWDFILE, binding anonymously..."
+     fi
+   fi
+ fi
+-- 
+1.8.3.1
+