Multi-Region: Support shared LDAP service

Decouple NSLCD from the open-ldap SM service and manage it by PMOND
instead. This is needed because in the Shared LDAP case, we deprovision
the open-ldap service on the Secondary Region which renders NSLCD
unmanaged.

Additionally, we allow the Secondary Region or Sub Clouds to bind
anonymously, but still need to support LDAP read operations in these
regions such as ldapfinger or lsldap. For this purpose, the ldapscripts
runtime library has been modified to allow anonymous binds during LDAP
search operations.

Change-Id: I3d4a709d058963be61a0311a539cd020f54118d6
Signed-off-by: Jack Ding <jack.ding@windriver.com>
Signed-off-by: Scott Little <scott.little@windriver.com>
This commit is contained in:
Kam Nasim 2018-04-17 16:26:25 -04:00 committed by Scott Little
parent 69be80651e
commit 8c1837205d
3 changed files with 41 additions and 1 deletions

View File

@ -1,3 +1,3 @@
COPY_LIST="files/* \
$CGCS_BASE/downloads/ldapscripts-2.0.8.tgz"
TIS_PATCH_VER=1
TIS_PATCH_VER=2

View File

@ -21,6 +21,7 @@ Patch2: log_timestamp.patch
Patch3: ldap-user-setup-support.patch
Patch4: ldap-user-setup-support-input-validation.patch
Patch5: ldap-user-setup-noninteractive-mode-fix.patch
Patch6: allow-anonymous-bind-for-ldap-search.patch
%define debug_package %{nil}
@ -39,6 +40,7 @@ Shell scripts that allow to manage POSIX accounts (users, groups, machines) in a
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%build

View File

@ -0,0 +1,38 @@
From bee43b9f75ee7a2cee0391319528264014d775f7 Mon Sep 17 00:00:00 2001
From: Kam Nasim <kam.nasim@windriver.com>
Date: Mon, 16 Apr 2018 14:58:03 -0400
Subject: [PATCH] ldapscripts - allow anonymous bind for ldap search
---
lib/runtime | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/runtime b/lib/runtime
index 012ac95..18acf3f 100644
--- a/lib/runtime
+++ b/lib/runtime
@@ -197,8 +197,11 @@ _ldapsearch () {
elif [ -n "$BINDPWDFILE" ]
then
$LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -y "$BINDPWDFILE" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
- else
+ elif [ -n "$BINDPWD" ]
+ then
$LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -w "$BINDPWD" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
+ else
+ $LDAPSEARCHBIN $LDAPBINOPTS $LDAPSEARCHOPTS -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE"
fi
}
@@ -785,7 +788,7 @@ then
then
warn_log "Warning : using command-line passwords, ldapscripts may not be safe"
else
- end_die "Unable to read password file $BINDPWDFILE, exiting..."
+ warn_log "Warning: Unable to read password file $BINDPWDFILE, binding anonymously..."
fi
fi
fi
--
1.8.3.1