From bc94b9f05f8ff809079969e06fc772bf97d5bad1 Mon Sep 17 00:00:00 2001
From: Kam Nasim
Date: Tue, 17 Apr 2018 16:26:25 -0400
Subject: [PATCH] Multi-Region: Support shared LDAP service
Decouple NSLCD from the open-ldap SM service and manage it by PMOND instead. This is needed because in the Shared LDAP case, we deprovision the open-ldap service on the Secondary Region which renders NSLCD unmanaged. Additionally, we allow the Secondary Region or Sub Clouds to bind anonymously, but still need to support LDAP read operations in these regions such as ldapfinger or lsldap. For this purpose, the ldapscripts runtime library has been modified to allow anonymous binds during LDAP search operations.
Change-Id: I3d4a709d058963be61a0311a539cd020f54118d6
Signed-off-by: Jack Ding
---
 ldapscripts/centos/build_srpm.data | 2 +-
 ldapscripts/centos/ldapscripts.spec | 2 +
 ...allow-anonymous-bind-for-ldap-search.patch | 38 +++++++++++++++++++
 3 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 ldapscripts/files/allow-anonymous-bind-for-ldap-search.patch
diff --git a/ldapscripts/centos/build_srpm.data b/ldapscripts/centos/build_srpm.data
index 0beff5c..5327613 100644
--- a/ldapscripts/centos/build_srpm.data
+++ b/ldapscripts/centos/build_srpm.data
@@ -1,3 +1,3 @@
 COPY_LIST="files/* \
 $CGCS_BASE/downloads/ldapscripts-2.0.8.tgz"
-TIS_PATCH_VER=1
+TIS_PATCH_VER=2
diff --git a/ldapscripts/centos/ldapscripts.spec b/ldapscripts/centos/ldapscripts.spec
index 3baeb1f..263e38d 100644
--- a/ldapscripts/centos/ldapscripts.spec
+++ b/ldapscripts/centos/ldapscripts.spec
@@ -21,6 +21,7 @@ Patch2: log_timestamp.patch
 Patch3: ldap-user-setup-support.patch
 Patch4: ldap-user-setup-support-input-validation.patch
 Patch5: ldap-user-setup-noninteractive-mode-fix.patch
+Patch6: allow-anonymous-bind-for-ldap-search.patch
 %define debug_package %{nil}
@@ -39,6 +40,7 @@ Shell scripts that allow to manage POSIX accounts (users, groups, machines) in a
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 %build
diff --git a/ldapscripts/files/allow-anonymous-bind-for-ldap-search.patch b/ldapscripts/files/allow-anonymous-bind-for-ldap-search.patch
new file mode 100644
index 0000000..e2e0129
--- /dev/null
+++ b/ldapscripts/files/allow-anonymous-bind-for-ldap-search.patch
@@ -0,0 +1,38 @@
+From bee43b9f75ee7a2cee0391319528264014d775f7 Mon Sep 17 00:00:00 2001
+From: Kam Nasim
+Date: Mon, 16 Apr 2018 14:58:03 -0400
+Subject: [PATCH] ldapscripts - allow anonymous bind for ldap search
+
+---
+ lib/runtime | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/runtime b/lib/runtime
+index 012ac95..18acf3f 100644
+--- a/lib/runtime
++++ b/lib/runtime
+@@ -197,8 +197,11 @@ _ldapsearch () {
+ elif [ -n "$BINDPWDFILE" ]
+ then
+ $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -y "$BINDPWDFILE" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
+- else
++ elif [ -n "$BINDPWD" ]
++ then
+ $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -w "$BINDPWD" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
++ else
++ $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
+ fi
+ }
+ 
+@@ -785,7 +788,7 @@ then
+ then
+ warn_log "Warning : using command-line passwords, ldapscripts may not be safe"
+ else
+- end_die "Unable to read password file $BINDPWDFILE, exiting..."
++ warn_log "Warning: Unable to read password file $BINDPWDFILE, binding anonymously..."
+ fi
+ fi
+ fi
+-- 
+1.8.3.1
+
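Review bot: The new fallback branch of `_ldapsearch` in the nested lib/runtime hunk still passes `-D "$BINDDN"`, so with `-x` and no password ldapsearch performs a simple bind carrying a DN and empty credentials — an unauthenticated bind rather than an anonymous one, which a default OpenLDAP server rejects unless `allow bind_anon_dn` is configured, and which only works by accident when `$BINDDN` happens to be empty. A genuinely anonymous search should drop the DN from that line: `$LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"`. The second nested hunk also turns an unreadable `$BINDPWDFILE` from `end_die` into a warning, so a permissions regression on the password file in a region that is meant to bind authenticated now degrades silently to anonymous access; keeping `end_die` when the file is configured but unreadable, and warning only when no credential source is set at all, would keep the intended fallback without masking that failure. `_ldapsearch` begins before its hunk, and the `if` chain around the password-file check begins outside the second hunk as well.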