def writeConfig(self, *a): # make sure slapd is stopped os.system('/etc/init.d/slapd stop') # Back up ldap.. Who knows.. someone just might postprep a live box :( os.system('slapcat > /usr/local/tcs/tums/backups/ldap-%s.ldif' % int(time.time())) # Kill the ldap database because 1.2rc3 came with cruf in it for some reason if os.path.exists('/etc/debian_version'): # check for debian base os.system('rm /var/lib/ldap/*') else: os.system('rm /var/lib/openldap-data/*') # Start SLAPd os.system('/etc/init.d/slapd start') # Make sure it's started... lk = os.popen('/etc/init.d/slapd status').read() if "stopped" in lk: print "slapd isn't running, and I can't start it :-(." print "the LDAP service is probably broken." return # Generate a shiny new tree os.system('/usr/local/tcs/tums/genLDAP.py') # Import the new tree os.system('/etc/init.d/slapd stop') os.system('slapadd < /usr/local/tcs/tums/template.ldif') # ldapadd is f****d on Debian os.system('/etc/init.d/slapd start') # Restart slapd for safe measure os.system('/etc/init.d/slapd restart') os.system('/etc/init.d/samba restart') # Populate the LDAP tree with SMB goodness os.system('smbldap-populate') # Sprinkle on a bit of joy and sugar os.system('/usr/local/tcs/tums/ldapConfig') # Secure it with a password if os.path.exists('/etc/debian_version'): os.system('smbpasswd -w `cat /etc/ldap/slapd.conf | grep rootpw | awk \'{print $2}\'`') else: os.system('smbpasswd -w `cat /etc/openldap/slapd.conf | grep rootpw | awk \'{print $2}\'`') # And then switch it off again os.system('/etc/init.d/samba stop') os.system('/usr/local/tcs/tums/syscripts/vpn.sh') # Clear samba cache os.system('rm /var/cache/samba/wins.dat') os.system('rm /var/cache/samba/gencache.tdb') os.system('rm /var/cache/samba/browse.dat') os.system('rm /etc/bind/pri/*.jnl') os.system('/root/tcs/vpn.sh') if os.path.exists('/etc/debian_version'): os.system('openssl req -x509 -newkey rsa:1024 -keyout /etc/exim4/exim.key -out /etc/exim4/exim.cert -days 9999 -nodes') else: os.system('openssl req -x509 -newkey rsa:1024 -keyout /etc/exim/exim.key -out /etc/exim/exim.cert -days 9999 -nodes') os.system('sensors-detect') os.system('ntpdate -su %s' % config.NTP) if not os.path.exists('/etc/debian_version'): os.system('/etc/init.d/clock save') # Recreate openssh-server keys if it's gentoo if not os.path.exists('/etc/debian_version'): os.system('rm /etc/ssh/ssh*key*') os.system('rm /root/.ssh/known_hosts') runlevels = [ ('apache2', 'default'), ('slapd', 'default'), ('mysql', 'default'), ('exim', 'default'), ('clamd', 'default'), ('courier-imapd', 'default'), ('courier-authlib', 'default'), ('courier-pop3d', 'default'), ('ddclient', 'default'), ('shorewall', 'default'), ('spamd', 'default'), ('squid', 'default'), ('smartd', 'default'), ('sysklogd', 'default'), ('ulogd', 'default'), ('xinetd', 'default'), ('cupsd', 'default'), ('netmount', 'default'), ('ntp-client', 'default'), ('ntpd', 'default'), ('gpm', 'default'), ('samba', 'default'), ('nscd', 'default'), ('named', 'default'), ('dhcpd', 'default'), ('tums', 'default'), ('quagga', 'default'), ('zebra', 'default') ] if os.path.exists('/etc/debian_version'): for run, level in runlevels: # apply modifications for debian level = level.replace('default', 'defaults') run = run.replace('dhcpd', 'dhcp3-server').replace('exim', 'exim4') run = run.replace('courier-authlib', 'courier-authdaemon') os.system('update-rc.d %s %s > /dev/null 2>&1' % (run, level)) # Do defaults fixes (bloody irritating...) spamd = """ENABLED=1 OPTIONS="--create-prefs --max-children 5 --helper-home-dir" PIDFILE="/var/run/spamd.pid" NICE="--nicelevel 15""" Utils.writeConf('/etc/default/spamassassin', spamd, '#') shorewall = """startup=1\n""" Utils.writeConf('/etc/default/shorewall', shorewall, '#') os.system('update-rc.d -f fprobe remove > /dev/null 2>&1') else: for inter in config.EthernetDevices: runlevels.append(("net."+inter, 'boot')) for inter in config.WANDevices: runlevels.append(("net."+inter, 'boot')) for run,level in runlevels: os.system('rc-update add %s %s' % (run, level)) os.system('chmod +x /usr/local/tcs/tums/existat.py') os.system('chmod +x /usr/local/tcs/tums/existat-render.py') print "Creating admin account" self.createAdmin()
def writeConfig(self, *a): host = config.ExternalName user = ''.join(host.split('.')) debianinitd = """#!/bin/sh -e #### BEGIN INIT INFO # Provides: tums # Required-Start: $syslog $time $local_fs $remote_fs # Required-Stop: $syslog $time $local_fs $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: S 0 1 6 # Short-Description: User management system # Description: Debian init script for TUMS providing administrative features to Vulani. ### END INIT INFO # # Author: Colin Alston <*****@*****.**> # . /lib/lsb/init-functions case "$1" in start) log_daemon_msg "Starting Tums" "tums" export PYTHONPATH='/usr/local/tcs/tums' start-stop-daemon --start --pidfile /var/run/tums.pid --exec /usr/local/tcs/tums/tums start-stop-daemon --start --pidfile /var/run/tums-fc.pid --exec /usr/local/tcs/tums/tums-fc start-stop-daemon --start --pidfile /var/run/tums-proxy.pid --exec /usr/local/tcs/tums/proxy.py /usr/local/tcs/exilog-tums/exilog_agent.pl > /dev/null 2>&1 log_end_msg 0 ;; stop) log_daemon_msg "Stopping Tums" "tums" start-stop-daemon --stop --pidfile /var/run/tums.pid > /dev/null 2>&1 start-stop-daemon --stop --pidfile /var/run/tums-fc.pid > /dev/null 2>&1 start-stop-daemon --stop --pidfile /var/run/tums-proxy.pid > /dev/null 2>&1 killall -r exilog > /dev/null 2>&1 log_end_msg 0 ;; force-reload|restart) log_daemon_msg "Restarting tums" "tums" start-stop-daemon --stop --pidfile /var/run/tums.pid > /dev/null 2>&1 start-stop-daemon --stop --pidfile /var/run/tums-fc.pid > /dev/null 2>&1 start-stop-daemon --stop --pidfile /var/run/tums-proxy.pid > /dev/null 2>&1 sleep 2 export PYTHONPATH='/usr/local/tcs/tums' killall -r exilog > /dev/null 2>&1 /usr/local/tcs/exilog-tums/exilog_agent.pl > /dev/null 2>&1 start-stop-daemon --start --pidfile /var/run/tums.pid --exec /usr/local/tcs/tums/tums start-stop-daemon --start --pidfile /var/run/tums-fc.pid --exec /usr/local/tcs/tums/tums-fc start-stop-daemon --start --pidfile /var/run/tums-proxy.pid --exec /usr/local/tcs/tums/proxy.py log_end_msg 0 ;;\nesac\n""" host = config.ExternalName user = ''.join(host.split('.')) password = sha.sha(user).hexdigest() pwdhash = sha.sha(password).hexdigest() userD = {user:pwdhash} secret = password settings = "" settings += "LDAPPass = '******'\n" % config.LDAPPassword settings += "LDAPBase = '%s'\n" % config.LDAPBase settings += "LDAPOrganisation = '%s'\n" % config.CompanyName settings += "defaultDomain = '%s'\n" % config.Domain settings += "SMBDomain = '%s'\n" % config.SambaDomain settings += 'users = %s\n' % repr(userD) settings += 'secret = %s\n' % repr(secret) updateServer = 'https://thebe.thusa.co.za:9680/' staticSettings = """LDAPPersonIdentifier = 'mail' LDAPServer = '127.0.0.1' LDAPManager = 'cn=Manager' LDAPPeople = 'ou=People' BaseDir = '/usr/local/tcs/tums' sambaDN = True port = 9682 Mailer='exim' updateServer = '%s' packageServer = 'http://updates.thusa.co.za/' installDirectory = '/usr/local/tcs/tums' capabilities = {'ipv6':True} hiveAddress = "thebe.thusa.co.za" thebePort='9680'\n""" % ( updateServer ) settings += staticSettings Utils.writeConf('/etc/init.d/tums', debianinitd, None) os.system('chmod +x /etc/init.d/tums') Utils.writeConf('/usr/local/tcs/tums/Settings.py', settings, None) try: ts = open('/usr/local/tcs/tums/tcsstore.dat') except: ts = open('/usr/local/tcs/tums/tcsstore.dat', 'wt') ts.write('V1.5\n') ts.close() os.system('mkdir -p /usr/local/tcs/tums/images/graphs > /dev/null 2>&1') # Fix existat os.system('chmod a+x /usr/local/tcs/tums/existat*') os.system('echo "GRANT ALL ON exilog.* to exilog@localhost identified by \'exilogpw\';" | mysql >/dev/null 2>&1 ')
def writeConfig(self): areSets = False # Write cron.d jobs for set in config.Backup.keys(): areSets = True t = config.Backup[set].get('time') if t: self.time = time.strptime(str(t), "%H:%M:%S") cron = "%s %s * * * root /usr/local/tcs/tums/backup.py %s\n" % ( self.time.tm_min, self.time.tm_hour, set) file = '/etc/cron.d/backup%s' % set # write to cron file using Utils.writeConf Utils.writeConf(file, cron, '#') if not areSets: # Term here if there are no backups to look at return # Maintain cron jobs jobs = [cron for cron in os.listdir('/etc/cron.d') if 'backup' in cron] for i in jobs: if i: if not i.lstrip('backup') and not int( i.lstrip('backup')) in config.Backup.keys(): os.remove('/etc/cron.d/%s' % i) # Create logfile directory if not os.path.isdir('/var/log/backup'): os.makedirs('/var/log/backup') # Write logrotate conf if not os.path.exists('/etc/logrotate.d/backup'): content = """/var/log/backup/*.log { daily rotate 30 missingok notifempty compress nocreate }""" file = '/etc/logrotate.d/backup' Utils.writeConf(file, content, '#') if not os.path.exists('/var/log/backup/'): os.mkdir('/var/log/backup') # Create a store for each type types = {'usb': [], 'smb': []} # Map types to their handler functions handlers = { 'usb': self.usbDir, 'smb': self.smbDir, } # reprocess the configuration for set, conf in config.Backup.items(): cnf = conf types[str(cnf['type'])].append(cnf) # Call the handler functions with the stores for k, v in types.items(): if v: v.sort() handlers[k](v)
def writeConfig(self, *a): # VERY IMPORTANT NOTICE! # # All lines are lead by 8 spaces. These spaces are stripped out at the end. # If you have less than 8 spaces before any new line written to the config # then it will be broken # This is done to make the source semi readable # # END OF IMPORTANT NOTICE # Setup local delivery domains locals = "\n".join(config.LocalDomains) # A list of servers we redeliver or hub mail to serverhosts = ['127.0.0.1'] # Configure hubbed hosts and relay domains relayDoms = config.Mail.get('relay', []) hubs = "" mailReroute = "" for dom, dest in config.Mail.get('hubbed', []): if dest not in serverhosts: serverhosts.append(dest) if "@" in dom: mailReroute += "%s %s byname\n" % (dom,dest) dom = dom.split('@')[-1] else: hubs += "%s %s byname\n" % (dom, dest) if dom not in relayDoms: relayDoms.append(dom) # Branch configuration branches = config.Mail.get('branchtopology', {}) branchMap = {} for r in config.Mail.get('branches', []): # if the items in branches are not lists, we assume an old datastructure if not isinstance(r, list): branchMap[r] = None continue svr, relay = r branchMap[svr] = None if relay: branchMap[svr] = relay.replace(' ', '').replace(';', ',').replace(':', ',').split(',') branchReroute = "" for branch, addrs in branches.items(): for addr in addrs: # Extend relay domains to handle this remote server too dom = addr.split('@')[-1] if dom not in relayDoms: relayDoms.append(dom) if branchMap[branch]: relay = ':'.join(branchMap[branch]) else: relay = branch if relay not in serverhosts: serverhosts.append(relay) # Add the address to mail reroute branchReroute += "%s %s byname\n" % ( addr, relay ) # Setup our relay list relays = "\n".join(relayDoms) # Initialise blacklists blacklistSender = "" blacklistHost = "" blacklistDom = "" for b in config.Mail.get('blacklist', []): if "@" in b: blacklistSender += b + '\n' else: try: int(b.split('.')[0]) blacklistHost += b + '\n' except: blacklistDom += b + '\n' whitelistSender = "" whitelistHost = "" whitelistDom = "" for w in config.Mail.get('whitelist', []): if "@" in w: whitelistSender += w + "\n" else: try: int(w.split('.')[0]) whitelistHost += w + '\n' except: whitelistDom += w + '\n' catchall = "" for c in config.Mail.get('catchall', []): catchall += c + "\n" # System filters copyTo = "#System Filter\nif error_message then finish endif\n\n" if config.Mail.get('copytoall', None): copyTo += "if first_delivery then\n" copyTo += " unseen deliver %s errors_to postmaster@%s\n" % (config.Mail['copytoall'], config.Domain) copyTo += "endif\n\n" for addr, dest in config.Mail.get('copys', []): copyTo += "if $recipients contains %s then\n" % addr copyTo += " unseen deliver %s errors_to postmaster@%s\n" % (dest, config.Domain) copyTo += "endif\n\n" # Global system filter if os.path.exists('/usr/local/tcs/tums/filter.db'): filterCont = open('/usr/local/tcs/tums/filter.db').read() copyTo += filterCont copyTo += "\n" allowsend = "" if config.Mail.get('allowsend', None): allowsend = "\n".join(config.Mail['allowsend']) if config.Mail.get('disableratelimit', None): rateLimit = "" else: rateLimit = """ # System-wide rate limit for dodgey senders defer message = Connection limited: Sender rate $sender_rate / $sender_rate_period. hosts = +relay_hosts !sender_domains = +local_domains : +relay_domains !senders = : ratelimit = 50 / 1h / strict\n""" if config.Mail.get('disablerpfilter', None): senderRpFilter = "" else: senderRpFilter = """ # Block mail from forged address on the local side. deny message = Vulani has rejected this message from $sender_address because it is not local to this site. http://vulani.net/ !sender_domains = +local_domains : +relay_domains !senders = : !senders = +acl_allowed_senders hosts = +relay_hosts !hosts = +server_hosts\n""" Utils.writeConf('/etc/exim4/sender_whitelist', whitelistSender, '#') Utils.writeConf('/etc/exim4/host_whitelist', whitelistHost, '#') Utils.writeConf('/etc/exim4/domain_whitelist', whitelistDom, '#') Utils.writeConf('/etc/exim4/sender_blacklist', blacklistSender, '#') Utils.writeConf('/etc/exim4/host_blacklist', blacklistHost, '#') Utils.writeConf('/etc/exim4/domain_blacklist', blacklistDom, '#') Utils.writeConf('/etc/exim4/allowed_senders', allowsend, '#') Utils.writeConf('/etc/exim4/host_noavscan', "", '#') Utils.writeConf('/etc/exim4/local_domains', locals, '#') Utils.writeConf('/etc/exim4/relay_domains', relays, '#') Utils.writeConf('/etc/exim4/hubbed_hosts', hubs, '#') Utils.writeConf('/etc/exim4/mail_reroute', mailReroute, '#') Utils.writeConf('/etc/exim4/branch_reroute', branchReroute, '#') Utils.writeConf('/etc/exim4/system_filter', copyTo, '#') Utils.writeConf('/etc/exim4/catchall_domains', catchall, '#') # Get rid of the autogenerated tag so aptitude doesn't break us os.system('rm /var/lib/exim4/config.autogenerated > /dev/null 2>&1') systemFilter = "system_filter = /etc/exim4/system_filter\n" if config.Mail.get('noavscan'): avScan = "" avscanacl = "" print "Antivirus scanning disabled!" else: avScan = "av_scanner = clamd:/var/run/clamav/clamd.sock" avscanacl = """ accept condition = ${if <={$message_size}{250k}{yes}{no}} deny message = This message contains a virus ($malware_name) !hosts = +acl_host_noavscan malware = *\n""" primaryDomain = config.Domain hostname = config.ExternalName # Must be externally lookupable(?!?) name mailSize = config.Mail.get('mailsize', '') localNet = " : ".join([v for k,v in Utils.getLanNetworks(config).items()]) for n in Utils.getLanIP6s(config): localNet += ' : %s ' % n.replace(':', '::') # fill in allowed hosts (config.Mail.relay-from) if config.Mail.get('relay-from'): localNet += ' : ' + ' : '.join(config.Mail['relay-from']) extensionBlock = "" # Blocked file extensions if config.Mail.get('blockedfiles', []): extensionBlock = " deny message = We do not accept \".$found_extension\" attachments here.\n" extensionBlock += " demime = %s\n" % ':'.join(config.Mail['blockedfiles']) # Mail rewrite rules rewriteRules = "" for fromm,too,flags in config.Mail.get('rewrites', []): # flags is one of TtFfbcr rewriteRules+=' *@%s $1@%s %s\n' % (fromm, too, flags) # Get any mailman settings mm_router, mm_transport, mm_main = self.MailMan() # SpamAssassin required score spamscore = config.Mail.get('spamscore', 70) # Get greylisting ACLS (if greylisting is enabled) aclCheckSenderGreylist, aclCheckDataGreylist = self.Greylisting() ### Enable tweaked performance performanceTweak = "" if config.Mail.get('performance', False): performanceTweak = " # use muliple directories (default false)\n" performanceTweak += " split_spool_directory\n" performanceTweak += " # queue incoming if load high (no default)\n" performanceTweak += " queue_only_load = 4\n" performanceTweak += " # maximum simultaneous queue runners (default 5)\n" performanceTweak += " queue_run_max = 0\n" performanceTweak += " # parallel delivery of one message to a number of remote hosts (default 2)\n" performanceTweak += " remote_max_parallel = 30\n" performanceTweak += " # simultaneous connections from a single host (default 10)\n" performanceTweak += " smtp_accept_max_per_connection = 20\n" performanceTweak += " # maximum number of waiting SMTP connections (default 20)\n" performanceTweak += " smtp_connect_backlog = 50\n" performanceTweak += " # maximum number of simultaneous incoming SMTP calls that Exim will accept (default 20)\n" performanceTweak += " smtp_accept_max = 0\n" if config.Mail.get('rbls'): RBL = config.Mail.get('rbls') else: RBL = [ "dsn.rfc-ignorant.org/$sender_address_domain", "zen.spamhaus.org", "dnsbl.njabl.org", "bhnc.njabl.org", "combined.njabl.org", "bl.spamcop.net", "psbl-mirror.surriel.com", "blackholes.mail-abuse.org", "dialup.mail-abuse.org" ] ### Exim main configuration eximMain = """ ###################################################################### # MAIN CONFIGURATION SETTINGS # ###################################################################### ldap_default_servers = %(ldap)s primary_hostname = %(hostname)s %(avScan)s spamd_address = 127.0.0.1 783 %(systemFilter)s domainlist local_domains = @ : lsearch;/etc/exim4/local_domains domainlist relay_domains = lsearch;/etc/exim4/relay_domains hostlist relay_hosts = 127.0.0.1 : %(hostlist)s hostlist server_hosts = %(serverhosts)s domainlist acl_domain_whitelist = lsearch;/etc/exim4/domain_whitelist hostlist acl_host_whitelist = net-iplsearch;/etc/exim4/host_whitelist addresslist acl_sender_whitelist = lsearch*@;/etc/exim4/sender_whitelist domainlist acl_domain_blacklist = lsearch;/etc/exim4/domain_blacklist hostlist acl_host_blacklist = net-iplsearch;/etc/exim4/host_blacklist addresslist acl_sender_blacklist = lsearch*@;/etc/exim4/sender_blacklist addresslist acl_allowed_senders = /etc/exim4/allowed_senders hostlist acl_host_noavscan = net-iplsearch;/etc/exim4/host_noavscan acl_smtp_connect = acl_check_host acl_smtp_helo = acl_check_helo acl_smtp_mail = acl_check_sender acl_smtp_rcpt = acl_check_rcpt acl_smtp_data = acl_check_data acl_smtp_etrn = acl_check_etrn qualify_domain = %(domain)s trusted_users = mail message_size_limit = %(mailSize)s helo_allow_chars = _ host_lookup = * smtp_enforce_sync = false helo_accept_junk_hosts = * strip_excess_angle_brackets strip_trailing_dot delay_warning_condition = "\\ ${if match{$h_precedence:}{(?i)bulk|list|junk}{no}{yes}}" #rfc1413_hosts = ${if eq{$interface_port}{SMTP_PORT} {*}{! *}} rfc1413_query_timeout = 0s sender_unqualified_hosts = %(hostlist)s recipient_unqualified_hosts = %(hostlist)s ignore_bounce_errors_after = 2d timeout_frozen_after = 7d recipients_max = 0 # SSL/TLS cert and key tls_certificate = /etc/exim4/exim.cert tls_privatekey = /etc/exim4/exim.key # Advertise TLS to anyone tls_advertise_hosts = * smtp_etrn_command = /etc/exim4/etrn_script $domain LDAP_AUTH_CHECK_LOGIN = ${lookup ldap { \\ user="******"cn=Manager,o=%(base)s" pass=%(pass)s ldap:///?dn?sub?(&(accountStatus=active)(mail=${quote_ldap:$1}))}}" \\ pass="******" ldap:///?mail?sub?(&(accountStatus=active)(mail=${quote_ldap:$1}))}{yes}{no}} LDAP_AUTH_CHECK_PLAIN = ${lookup ldap { \\ user="******"cn=Manager,o=%(base)s" pass=%(pass)s ldap:///?dn?sub?(&(accountStatus=active)(mail=${quote_ldap:$2}))}}" \\ pass="******" ldap:///?mail?sub?(&(accountStatus=active)(mail=${quote_ldap:$2}))}{yes}{no}} %(extra)s """ % { 'ldap': '127.0.0.1', 'hostname': hostname, 'hostlist': localNet, 'serverhosts': ' : '.join(serverhosts), 'domain': primaryDomain, 'mailSize': mailSize, 'extra': performanceTweak + mm_main, 'systemFilter': systemFilter, 'avScan': avScan, 'base':config.LDAPBase, 'pass':config.LDAPPassword } eximACL=""" ###################################################################### # ACL CONFIGURATION # # Specifies access control lists for incoming SMTP mail # ###################################################################### begin acl ###################################################################### # Check connecting host (DNSBL's checked in acl_check_rcpt to ensure no reconnect attempt) ###################################################################### acl_check_host: deny hosts = +acl_host_blacklist accept ###################################################################### # Check conencting host is not pretending to be the localhost ###################################################################### acl_check_helo: accept hosts = +relay_hosts # If the HELO pretend to be this host deny condition = ${if or { \\ {eq {${lc:$sender_helo_name}}{%(hostname)s}} \\ {eq {${lc:$sender_helo_name}}{%(domain)s}} \\ } {true}{false} } accept ###################################################################### # Check sender address ###################################################################### acl_check_sender: deny message = sender envelope address $sender_address is locally blacklisted here. senders = +acl_sender_blacklist accept ###################################################################### # Check incoming messages ###################################################################### acl_check_rcpt: # Accept if source is local SMTP accept hosts = : # Deny if illegal characters in email address deny local_parts = ^.*[@%%!/|] : ^\\\\. %(ratelimit)s # Accept mail to postmaster at any local domain without any checks accept local_parts = postmaster domains = +local_domains %(senderRpFilter)s # Accept local, authenticated, whitelisted and dnswl'd hosts accept hosts = +relay_hosts accept authenticated = * accept dnslists = list.dnswl.org accept hosts = +acl_host_whitelist accept domains = +acl_domain_whitelist accept senders = +acl_sender_whitelist # Deny if domain is locally blacklisted deny message = rejected because $sender_domain is locally blacklisted here domains = +acl_domain_blacklist # Deny if listed in a DNSBL deny message = rejected because $sender_host_address is in a blacklist \\ at $dnslist_domain\\n$dnslist_text !senders = : domains = +local_domains : +relay_domains dnslists = %(rbl)s # Accept if this is a local domain accept domains = +local_domains endpass message = unknown user verify = recipient # Accept if this is a relay domain accept domains = +relay_domains endpass message = unrouteable address verify = recipient %(senderGreylist)s # Deny everything else deny message = relay not permitted ###################################################################### # Check contents of email ###################################################################### acl_check_data: %(dataGreylist)s # ClamAV virus scanning deny message = Vulani has rejected this message because it contains a virus: ($malware_name) http://vulani.net log_message = rejected VIRUS ($malware_name) from $sender_address to $recipients !hosts = +acl_host_noavscan demime = * malware = */defer_ok # Reject messages that have serious MIME errors. This calls the demime # condition again, but will return cached results. deny message = Vulani has rejected this message because it contains a broken MIME container ($demime_reason) http://vulani.net log_message = rejected broken MIME container ($demime_reason) from $sender_address to $recipients condition = ${if >{$demime_errorlevel}{2}{1}{0}} demime = * # SpamAssassin Content Filtering # Include Spam Score in Header warn message = X-Spam-Score: $spam_score\\n\\ X-Spam-Score-Int: $spam_score_int\\n\\ X-Spam-Bar: $spam_bar condition = ${if <{$message_size}{250k}{1}{0}} !hosts = +relay_hosts spam = nobody:true/defer_ok # Reject spam messages with score over 7, using an extra condition. deny message = Vulani has rejected this message because it scored $spam_score spam points and is considered to be unsolicited http://vulani.net log_message = rejected SPAM score above threshhold in message from $sender_address to $recipients !hosts = +acl_host_noavscan condition = ${if >{$spam_score_int}{70}{1}{0}} spam = nobody:true %(extblock)s accept ###################################################################### # Check ETRN requests ###################################################################### acl_check_etrn: accept hosts = 0.0.0.0/0 """ % { 'rbl': ' : '.join(RBL), # DNS block lists 'spamlow': int(spamscore)-20, # Warn spam score 'spamhigh': int(spamscore), # Drop spam score. 'senderGreylist': aclCheckSenderGreylist, # Greylisting configuration 'dataGreylist': aclCheckDataGreylist, # 'extblock': extensionBlock, # Blocked file extensions 'hostname': hostname, 'domain': primaryDomain, 'senderRpFilter': senderRpFilter, 'ratelimit': rateLimit, 'avscan': avscanacl } # Trigger our disclaimer transport if config.Mail.get('disclaimer'): transport = "remote_smtp_filter" else: transport = "remote_smtp" # Set the external router depending on how the relay is set if config.SMTPRelay: externalRouter = """ gateway: driver = manualroute domains = ! +local_domains route_list = * %s bydns transport = %s """ % (config.SMTPRelay, transport) else: externalRouter = """ dnslookup: driver = dnslookup domains = ! +local_domains transport = %s ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 no_more """ % transport eximRouters = """ ###################################################################### # ROUTERS CONFIGURATION # ###################################################################### begin routers etrn_already: driver = accept transport = bsmtp_for_etrn require_files = /var/spool/mail/etrn/$domain domains = lsearch;/etc/exim/etrn_domains etrn_delay: driver = accept transport = bsmtp_for_etrn condition = ${if >{$message_age}{1800} {yes}{no}} domains = lsearch;/etc/exim/etrn_domains mail_reroute: driver = manualroute route_data = ${lookup{$local_part@$domain}lsearch{/etc/exim4/mail_reroute}} transport = remote_smtp branch_reroute: driver = manualroute route_data = ${lookup{$local_part@$domain}lsearch{/etc/exim4/branch_reroute}} transport = remote_smtp hubbed_hosts: driver = manualroute domains = ! +local_domains route_data = ${lookup{$domain}lsearch{/etc/exim/hubbed_hosts}} transport = remote_smtp %(extro)s userforward: driver = redirect domains = +local_domains file = /var/spool/mail/forward/${local_part}@${domain} no_verify no_expn check_ancestor file_transport = address_file pipe_transport = address_pipe reply_transport = address_reply alias_user_vacation: driver = redirect domains = +local_domains allow_defer allow_fail data = ${lookup ldap {user="******" pass=%(ldappass)s \\ ldap:///?mail?sub?(mailAlternateAddress=${local_part}@${domain})}} redirect_router = user_vacation retry_use_local_part user_vacation: driver = accept domains = +local_domains require_files = /var/spool/mail/vacation/${local_part}@${domain}.txt no_verify user = apache senders = !^.*-request@.* : !^owner-.*@.* : !^postmaster@.* : \\ ! ^listmaster@.* : !^mailer-daemon@.* : !^noreply@.* : \\ !^.*-bounces@.* transport = vacation_reply unseen ldap_aliases: driver = redirect domains = +local_domains allow_defer allow_fail data = ${lookup ldap {user="******" pass=%(ldappass)s \\ ldap:///?mail?sub?(mailAlternateAddress=${local_part}@${domain})}} redirect_router = ldap_forward retry_use_local_part ldap_forward: driver = redirect domains = +local_domains allow_defer allow_fail data = ${lookup ldap {user="******" pass=%(ldappass)s \\ ldap:///?mailForwardingAddress?sub?\\ (&(accountStatus=active)(mail=${local_part}@${domain}))}{$value}fail} no_expn retry_use_local_part no_verify ldap_user: driver = accept domains = +local_domains condition = ${if eq {}{${lookup ldap {user="******" pass=%(ldappass)s \\ ldap:///?mail?sub?(&(accountStatus=active)(mail=${local_part}@${domain}))}}}{no}{yes}} group = users retry_use_local_part transport = local_delivery catchall: domains = lsearch;/etc/exim/catchall_domains driver = redirect data = catchall@${domain} %(router)s #localuser: # driver = accept # domains = +local_domains # check_local_user # transport = local_delivery """ % { 'router': mm_router, 'ldapbase': config.LDAPBase, 'ldappass': config.LDAPPassword, 'extro': externalRouter, } ## Prevent bounce of failed hosts? (Maximum send timeout reached) hostfailBounce = "" if config.Mail.get('hostfailbounce', False): hostfailBounce += " delay_after_cutoff = false\n" if config.Mail.get('smtpinterface'): hostfailBounce += " interface = %s\n" % config.Mail.get('smtpinterface') eximTransports = """ ###################################################################### # TRANSPORTS CONFIGURATION # ###################################################################### begin transports bsmtp_for_etrn: driver=appendfile file=/var/spool/mail/etrn/$domain user=mail batch_max=1000 use_bsmtp vacation_reply: debug_print = "T: vacation_reply for $local_part@$domain" driver = autoreply file = /var/spool/mail/vacation/${local_part}@${domain}.txt file_expand log = /var/spool/mail/vacation/${local_part}@${domain}.log once_repeat = 7d once = /var/spool/mail/vacation/${local_part}@${domain}.db from = ${local_part}@${domain} to = $sender_address subject = "Re: $h_subject" text = "\\ This is an automated response for $local_part@${domain}:\\n\\ ====================================================\\n\\n" remote_smtp: driver = smtp %(iface)s remote_smtp_filter: driver = smtp transport_filter = /usr/local/tcs/tums/bin/remime %(iface)s local_delivery: driver = appendfile create_directory delivery_date_add directory = ${lookup ldap {user="******" pass=%(wpass)s \\ ldap:///?mailMessageStore?sub?(&(accountStatus=active)\\ (mail=${local_part}@${domain}))}} directory_mode = 770 envelope_to_add group = mail maildir_format mode = 660 return_path_add user = mail address_pipe: driver = pipe return_output address_file: driver = appendfile delivery_date_add envelope_to_add return_path_add address_reply: driver = autoreply %(mm)s\n""" % { 'iface': hostfailBounce, 'basedn': config.LDAPBase, 'wpass': config.LDAPPassword, 'mm': mm_transport } eximOther = """ ###################################################################### # RETRY CONFIGURATION # ###################################################################### begin retry * * senders=: F,2m,1m * * F,2h,15m; G,16h,1h,1.5; F,7d,4h ###################################################################### # REWRITE CONFIGURATION # ###################################################################### begin rewrite %(rewrite)s ###################################################################### # AUTHENTICATION CONFIGURATION # ###################################################################### begin authenticators login: driver = plaintext public_name = LOGIN server_prompts = "Username:: : Password::" server_advertise_condition = yes server_condition = ${if match_ip{$sender_host_address}{+relay_hosts}{yes}{LDAP_AUTH_CHECK_LOGIN}} server_set_id = $1 plain: driver = plaintext public_name = PLAIN server_prompts = : server_advertise_condition = yes server_condition = ${if match_ip{$sender_host_address}{+relay_hosts}{yes}{LDAP_AUTH_CHECK_PLAIN}} server_set_id = $2 """ % { 'base':config.LDAPBase, 'pass':config.LDAPPassword, 'rewrite': rewriteRules } confFile = eximMain + eximACL + eximRouters + eximTransports + eximOther os.system('mkdir -p /var/spool/mail/forward/') os.system('mkdir -p /var/spool/mail/etrn/') # Reprocess the config file lp = confFile.split('\n') confFile = "" for i in lp: confFile += i[8:] + '\n' confFile = confFile.replace('/etc/exim/', '/etc/exim4/').replace('apache', 'www-data') # Patches user names confFile = confFile.replace('user=mail', 'user=Debian-exim') Utils.writeConf('/etc/exim4/exim4.conf', confFile, '#') os.system('chmod a+r /etc/exim4/*') os.system('chmod -R a+r /usr/local/tcs/tums/data') os.system('chmod a+x /etc/exim4/etrn_script >/dev/null 2>&1') os.system('chmod a+rx /var/mail/vacation >/dev/null 2>&1') os.system('chown Debian-exim:Debian-exim /var/spool/mail/etrn') os.system('mkdir /var/cache/vulani/ >/dev/null 2>&1') ### Mailname mailname = "%s.%s\n" % ( config.Hostname, config.Domain ) l = open('/etc/mailname', 'wt') l.write(mailname) l.close()
def writeConfig(self, *a): # conf.d/net net = "\n" routes = "" vlanIfaces = {} dhcpIfaces = [] for interface, defin in config.EthernetDevices.items(): if interface!="extra": net += 'config_%s=(\n' % interface if config.EthernetDevices[interface]['type'].lower() == 'dhcp': net += ' "dhcp"\n' if config.EthernetDevices[interface]['type'].lower() == 'manual': net += ' ' else: net += ' "%s"\n' % (config.EthernetDevices[interface]['ip']) if config.EthernetDevices[interface].get('aliases',None): for addr in config.EthernetDevices[interface]['aliases']: net+= ' "%s"\n' % (addr) if defin.get('extra', None): net += defin['extra'] net += ')\n\n' if "vlan" in interface: if defin.get('interface', False): if defin['interface'] in vlanIfaces: vlanIfaces[defin['interface']].append(interface.strip('vlan')) else: vlanIfaces[defin['interface']] = [interface.strip('vlan')] routes += 'routes_%s=(\n' % interface for ro in config.EthernetDevices[interface].get('routes', []): routes += ' "%s via %s"\n' % ro routes += ')\n' if interface == config.LANPrimary or defin.get('dhcpserver', False): dhcpIfaces.append(interface) confddhcp = "DHCPD_IFACE=\"%s\"\n" % ' '.join(dhcpIfaces) cdd = open('/etc/conf.d/dhcpd', 'wt') cdd.write(confddhcp) cdd.close() # config tunnel cont = [] l = open('/etc/conf.d/local.start') for i in l: if i.strip() and not "# TUN" in i: cont.append(i) l.close() if config.Tunnel.get('ipv6', False): remote = config.Tunnel['ipv6']['remoteip'] local = config.Tunnel['ipv6']['localip'] localv6 = config.Tunnel['ipv6']['localv6'] cont.append('ip tunnel add ipv6tun mode sit remote %s local %s ttl 255 # TUN' % (remote, local)) cont.append('ip link set ipv6tun up # TUN') cont.append('ip addr add %s dev ipv6tun # TUN' % (localv6)) cont.append('ip -6 ro add 2003::/3 dev ipv6tun # TUN\n') l = open('/etc/conf.d/local.start', "wt") l.write('\n'.join(cont)) l.close() for iface, vlans in vlanIfaces.items(): net+= "vlans_%s=\"%s\"\n" % (iface, ' '.join(vlans)) net+= "vconfig_%s=( \"set_name_type VLAN_PLUS_VID_NO_PAD\" )\n" % (iface) if config.EthernetDevices.get('extra', None): net += config.EthernetDevices['extra'] net += '\n' for wan in config.WANDevices: net += "config_%s=(\"ppp\")\n" % wan for opt in config.WANDevices[wan]: if type(config.WANDevices[wan][opt]) is list: val = "( %s )" % (' '.join(['"%s"' % i for i in config.WANDevices[wan][opt]])) else: val = '"%s"' % config.WANDevices[wan][opt] net += '%s_%s=%s \n' % (opt, wan, val) net += '\n' net += routes Utils.writeConf('/etc/conf.d/net', net, '#')
def writeConfig(self, *a): syslogConfig = """# Vulani Logging setup auth,authpriv.* /var/log/auth.log *.*;lpr,user,uucp,cron,auth,authpriv,local0,local1,local2,local3,local4,local5,local6.none,local7.none -/var/log/syslog cron.* /var/log/cron.log daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log lpr.* -/var/log/lpr.log mail.* /var/log/mail.log user.* -/var/log/user.log uucp.* -/var/log/uucp.log local0,local1,local3,local5.* -/var/log/localproc.log local6.* -/var/log/imapd.log local2.* -/var/log/ppp.log local4.* -/var/log/slapd.log local7.* -/var/log/dhcpd.log mail.info -/var/log/mail.info mail.warn -/var/log/mail.warn mail.err /var/log/mail.err *.=debug;\ auth,authpriv.none;\ news.none;mail.none -/var/log/debug *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail,news.none -/var/log/messages *.emerg * *.emerg /var/log/emergency""" Utils.writeConf('/etc/syslog.conf', syslogConfig, '#') clamavd = """/var/log/clamav/clamav.log { rotate 12 weekly compress delaycompress create 640 Debian-exim Debian-exim postrotate /etc/init.d/clamav-daemon reload-log > /dev/null endscript }\n""" clamavfc = """/var/log/clamav/freshclam.log { rotate 12 weekly compress delaycompress create 640 Debian-exim Debian-exim postrotate /etc/init.d/clamav-freshclam reload-log > /dev/null endscript }\n""" exim4 = """/var/log/exim4/mainlog /var/log/exim4/rejectlog { daily missingok rotate 10 compress delaycompress notifempty create 640 Debian-exim adm } /var/log/exim4/paniclog { weekly missingok rotate 10 compress delaycompress notifempty create 640 Debian-exim adm }\n""" squid = """/var/log/squid/*.log { daily compress delaycompress rotate 10 missingok nocreate sharedscripts postrotate test ! -e /var/run/squid.pid || /usr/sbin/squid -k rotate endscript }\n""" tums = """/var/log/tums_cache.log { daily compress delaycompress rotate 10 missingok create 666 proxy proxy }\n""" Utils.writeConf('/etc/logrotate.d/clamav-daemon', clamavd, '#') Utils.writeConf('/etc/logrotate.d/clamav-freshclam', clamavfc, '#') Utils.writeConf('/etc/logrotate.d/exim4-base', exim4, '#') Utils.writeConf('/etc/logrotate.d/squid', squid, '#') Utils.writeConf('/etc/logrotate.d/tums', tums, '#')
def writeConfig(self, *a): print "Performing final %s configuration" % PRODNAME print " Preparing LDAP tree...", # make sure slapd is stopped os.system('/etc/init.d/slapd stop > /dev/null 2>&1') # Back up ldap.. Who knows.. someone just might postprep a live box :( os.system('slapcat > /usr/local/tcs/tums/backups/ldap-%s.ldif' % int(time.time())) # Kill the ldap database because 1.2rc3 came with cruf in it for some reason os.system('rm /var/lib/ldap/* > /dev/null 2>&1') # Start SLAPd os.system('/etc/init.d/slapd start > /dev/null 2>&1') # Make sure it's started... lk = os.popen('/etc/init.d/slapd status').read() if "stopped" in lk: print "slapd isn't running, and I can't start it :-(." print "the LDAP service is probably broken." return # Generate a shiny new tree os.system('/usr/local/tcs/tums/genLDAP.py') # Import the new tree os.system('/etc/init.d/slapd stop > /dev/null 2>&1') os.system('slapadd < /usr/local/tcs/tums/template.ldif > /dev/null 2>&1') # ldapadd is f****d on Debian os.system('chown openldap:openldap /var/lib/ldap/*') os.system('chmod a+r /var/lib/ldap/*') os.system('su - openldap slapindex > /dev/null 2>&1') os.system('/etc/init.d/slapd start > /dev/null 2>&1') os.system('chown openldap:openldap /var/lib/ldap/*') # Restart slapd for safe measure os.system('/etc/init.d/slapd restart > /dev/null 2>&1') os.system('/etc/init.d/samba restart > /dev/null 2>&1') print "Populating...", # Populate the LDAP tree with SMB goodness os.system('/usr/local/tcs/tums/syscripts/populate > /dev/null 2>&1') # Sprinkle on a bit of joy and sugar os.system('/usr/local/tcs/tums/ldapConfig > /dev/null 2>&1') # Secure it with a password os.system('/usr/bin/smbpasswd -w `cat /etc/ldap/slapd.conf | grep rootpw | awk \'{print $2}\'` > /dev/null 2>&1') # And then switch it off again os.system('/etc/init.d/samba stop > /dev/null 2>&1') # Gratuitous hack persistance os.system('/etc/init.d/slapd restart > /dev/null 2>&1') # Put the domain tools in place.. print " Done." print " Installing PDC utilities...", os.system('tar -zxf /usr/local/tcs/tums/packages/netlogon.tar.gz -C /var/lib/samba/netlogon/') print " Done." print " Building security certificates...", os.system('/usr/local/tcs/tums/syscripts/vpn.sh > /dev/null 2>&1') os.system('mkdir /etc/openvpn/vpn-ccd; chmod -R a+r /etc/openvpn') # Clear samba cache os.system('rm /var/cache/samba/wins.dat > /dev/null 2>&1') os.system('rm /var/cache/samba/gencache.tdb > /dev/null 2>&1') os.system('rm /var/cache/samba/browse.dat > /dev/null 2>&1') os.system('rm /etc/bind/pri/*.jnl > /dev/null 2>&1') #os.system('/root/tcs/vpn.sh > /dev/null 2>&1') os.system('/usr/bin/openssl req -x509 -batch -newkey rsa:1024 -keyout /etc/exim4/exim.key -out /etc/exim4/exim.cert -days 9999 -nodes > /dev/null 2>&1') print " Done." print " Detecting hardware...", os.system('yes yes | sensors-detect > /dev/null 2>&1') print " Done. (ignore the 'yes' error)" print " Updating system clock...", os.system('ntpdate -su %s > /dev/null 2>&1' % config.NTP) print " Done." print " Saving settings...", # Recreate openssh-server keys if it's gentoo runlevels = [ ('apache2', 'default'), ('slapd', 'default'), ('mysql', 'default'), ('exim', 'default'), ('clamd', 'default'), ('courier-imapd', 'default'), ('courier-authlib', 'default'), ('courier-pop3d', 'default'), ('ddclient', 'default'), ('shorewall', 'default'), ('spamd', 'default'), ('squid', 'default'), ('smartd', 'default'), ('sysklogd', 'default'), ('ulogd', 'default'), ('xinetd', 'default'), ('cupsd', 'default'), ('netmount', 'default'), ('ntp-client', 'default'), ('ntpd', 'default'), ('gpm', 'default'), ('samba', 'default'), ('nscd', 'default'), ('named', 'default'), ('tums', 'default'), ('quagga', 'default'), ('zebra', 'default') ] for run, level in runlevels: # apply modifications for debian level = level.replace('default', 'defaults') run = run.replace('dhcpd', 'dhcp3-server').replace('exim', 'exim4') run = run.replace('courier-authlib', 'courier-authdaemon') os.system('update-rc.d %s %s > /dev/null 2>&1' % (run, level)) # Do defaults fixes (bloody irritating...) spamd = """ENABLED=1 OPTIONS="-s local6 --create-prefs --max-children 5 --helper-home-dir" PIDFILE="/var/run/spamd.pid" NICE="--nicelevel 15" """ Utils.writeConf('/etc/default/spamassassin', spamd, '#') shorewall = """startup=1\n""" Utils.writeConf('/etc/default/shorewall', shorewall, '#') os.system('update-rc.d -f fprobe remove > /dev/null 2>&1') # Make sure l2tpns starts earlier os.system('update-rc.d -f l2tpns remove > /dev/null 2>&1') os.system('update-rc.d l2tpns start 16 2 3 4 5 . stop 16 0 1 6 . > /dev/null 2>&1') # Make sure shorewall starts much much later os.system('update-rc.d -f shorewall remove > /dev/null 2>&1') os.system('update-rc.d shorewall start 90 2 3 4 5 . stop 90 0 1 6 . > /dev/null 2>&1') os.system('chmod +x /usr/local/tcs/tums/existat.py') os.system('chmod +x /usr/local/tcs/tums/existat-render.py') os.system('chmod +x /usr/local/tcs/tums/bin/*') os.system('chmod a+r /usr/local/tcs/tums/currentProfile') os.system('chmod a+r /usr/local/tcs/tums/profiles') os.system('chmod a+r /usr/local/tcs/tums/profiles/*') os.system('chmod a+x /var/lib/samba/data') os.system('chmod a+rwx /var/lib/samba/data/public') os.system('ln -s /usr/local/tcs/tums/vdiag /usr/bin/') os.system('ln -s /usr/local/tcs/tums/configurator /usr/bin/') print " Done." print " Creating admin account...", self.createAdmin() print " Done." # Upgrade the system to ACL supprt print " Configuring ACL support...", os.system("sed -i 's/reiserfs.*notail/reiserfs notail,acl/' /etc/fstab") print " Done." os.system('/usr/local/tcs/tums/configurator --services > /dev/null') os.system('/usr/local/tcs/tums/configurator --apt > /dev/null') print "\nInstallation Complete"
def writeConfig(self, *a): if not config.General.get('ha'): # No Xen config return haConf = config.General.get('ha') nodes = [] masterName = "" for nodeip, v in haConf.items(): nodes.append(v['name']) if v['topology'] == "master": masterName = v['name'] hacf = """logfile /var/log/ha.log keepalive 1 deadtime 30 initdead 80 bcast %(lan)s # Tell what machines are in the cluster # node nodename ... -- must match uname -n node %(node)s # Usualy 'crm yes' #crm respawn auto_failback yes """ % { 'lan': haConf.get('port', Utils.getLans(config)[0]), 'node': ' '.join(nodes) } Utils.writeConf('/etc/heartbeat/ha.cf', hacf, '#') auth = "auth 2\n2 sha1 haf%s\n" % masterName Utils.writeConf('/etc/heartbeat/authkeys', auth, '#') os.system('chmod 0600 /etc/heartbeat/authkeys') nets = [] for k,v in config.EthernetDevices.items(): nets.append('%s/%s' % (v['ip'], k)) conline = "%s %s vulani\n" % (masterName, ' '.join(nets)) Utils.writeConf('/etc/heartbeat/haresources', conline, '#') vulaniResource = """#!/bin/sh # # Description: Vulani Master resource.d # # Author: Colin Alston <*****@*****.**> # Support: [email protected] # License: All rights reserved # Copyright: (C) 2008 Thusa Business Support (Pty) Ltd. exit 0""" l = open('/etc/heartbeat/resource.d/vulani', 'wt') l.write(vulaniResource) l.close() os.system('chmod a+x /etc/heartbeat/resource.d/vulani') # Before we restart our local HB service, make sure our slaves are OFF for name, v in haConf.items(): if v['topology'] == 'slave': os.system('ssh root@%s /etc/init.d/heartbeat stop' % name) os.system('/etc/init.d/heartbeat restart') # Reconfigure SSH to not do SHKC # This is required in order for fresh hosts not to block eachother interactivly ssh_config = """# SSH client configuration Host * StrictHostKeyChecking no SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes GSSAPIDelegateCredentials no\n""" Utils.writeConf('/etc/ssh/ssh_config', ssh_config, '#') # Configure master LDAP self.configureMasterLDAP() # Configure slaves for nodeip, v in haConf.items(): if v['topology'] == 'slave': self.configureSlave(nodeip) self.sendLDAP(nodeip)
def configureMasterLDAP(self): replicas = [] haConf = config.General.get('ha') for nodeip, v in haConf.items(): if v['topology'] == 'slave': replicas.append("""replica host=%(ip)s binddn="cn=Manager, o=%(base)s" bindmethod=simple credentials=%(pass)s""" % { 'base': config.LDAPBase, 'pass': config.LDAPPassword, 'ip': nodeip, }) conf = """include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema include /etc/ldap/schema/thusa.schema allow bind_v2 pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 256 modulepath /usr/lib/ldap moduleload back_bdb tool-threads 1 defaultsearchbase "o=%(base)s" backend bdb database bdb suffix "o=%(base)s" #checkpoint 128 15 threads 16 idletimeout 0 sizelimit unlimited rootdn "cn=Manager,o=%(base)s" rootpw %(pass)s directory "/var/lib/ldap" access to attrs=userPassword by self write by dn="cn=Manager,o=%(base)s" write by * auth access to * by self write by dn="cn=Manager,o=%(base)s" write by peername.ip=127.0.0.1 read by * read by * auth replogfile /var/lib/ldap/replogfile %(replica)s index dc eq index objectClass,givenname,sn,cn,uid pres,eq index uniqueMember,memberUid pres,eq index accountStatus,mail pres,eq index uidNumber,mailAlternateAddress pres,eq index associatedDomain pres,eq index sOARecord,aRecord pres,eq index sambaSID,sambaSIDList,sambaGroupType pres,eq index gidNumber,displayName,employeeType pres,eq\n""" % { 'base': config.LDAPBase, 'pass': config.LDAPPassword, 'replica': '\n'.join(replicas) } Utils.writeConf('/etc/ldap/slapd.conf', conf, '#') os.system("sed -i 's/SLURPD_START=auto/SLURPD_START=yes/g' /etc/default/slapd") os.system('/etc/init.d/slapd restart')