mrc0mmand / rpms / openldap

Forked from rpms/openldap 3 years ago
Clone
adf540
#!/bin/bash
adf540
# Author: Jan Vcelak <jvcelak@redhat.com>
adf540
adf540
set -e
adf540
adf540
# default options
adf540
adf540
CERTDB_DIR=/etc/openldap/certs
adf540
adf540
# internals
adf540
adf540
MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
adf540
RANDOM_SOURCE=/dev/urandom
adf540
PASSWORD_BYTES=32
adf540
adf540
# parse arguments
adf540
adf540
usage() {
adf540
	printf "usage: create-certdb.sh [-d certdb]\n" >&2
adf540
	exit 1
adf540
}
adf540
adf540
while getopts "d:" opt; do
adf540
	case "$opt" in
adf540
	d)
adf540
		CERTDB_DIR="$OPTARG"
adf540
		;;
adf540
	\?)
adf540
		usage
adf540
		;;
adf540
	esac
adf540
done
adf540
adf540
[ "$OPTIND" -le "$#" ] && usage
adf540
adf540
# verify target location
adf540
adf540
if [ ! -d "$CERTDB_DIR" ]; then
adf540
	printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
adf540
	exit 1
adf540
fi
adf540
adf540
if [ ! "$(find "$CERTDB_DIR"  -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
adf540
	printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
adf540
	exit 1
adf540
fi
adf540
adf540
# create the database
adf540
adf540
printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
adf540
adf540
PASSWORD_FILE="$CERTDB_DIR/password"
adf540
OLD_UMASK="$(umask)"
adf540
umask 0377
adf540
dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
adf540
umask "$OLD_UMASK"
adf540
adf540
certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
adf540
adf540
# load module with builtin CA certificates
adf540
adf540
echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
adf540
adf540
# tune permissions
adf540
adf540
for dbfile in "$CERTDB_DIR"/*.db; do
adf540
	chmod 0644 "$dbfile"
adf540
done
adf540
adf540
exit 0