diff options
| author | Arthur de Jong <arthur@arthurdejong.org> | 2011-05-13 13:57:54 +0200 |
|---|---|---|
| committer | Arthur de Jong <arthur@arthurdejong.org> | 2011-05-13 13:57:54 +0200 |
| commit | 478bd403f522b29cfc406c7335bcee2e5f3bf446 (patch) | |
| tree | 3ba8188269ebc76f0f4978a9e6164577b2e36341 | |
| parent | 8453feea03109ccbb6368e6a479d2f6daa2e1f4a (diff) | |
search for LDAP server by looking for SRV _ldap._tcp DNS records and try to query LDAP server for base DN during package configuration (based on work by Petter Reinholdtsen for the sssd package)
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1457 ef36b2f9-881f-0410-afb5-c4e39611909c
| -rw-r--r-- | debian/control | 2 | ||||
| -rw-r--r-- | debian/nslcd.config | 108 |
2 files changed, 89 insertions, 21 deletions
diff --git a/debian/control b/debian/control index 99b37e2..0933c9d 100644 --- a/debian/control +++ b/debian/control @@ -12,7 +12,7 @@ Vcs-Browser: http://arthurdejong.org/viewvc/nss-pam-ldapd/nss-pam-ldapd/ Package: nslcd Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, adduser -Recommends: nscd, libnss-ldapd | libnss-ldap, libpam-ldapd | libpam-ldap | libpam-krb5 | libpam-heimdal | libpam-sss +Recommends: nscd, libnss-ldapd | libnss-ldap, libpam-ldapd | libpam-ldap | libpam-krb5 | libpam-heimdal | libpam-sss, ldap-utils, bind9-host | host Suggests: kstart Replaces: libnss-ldapd (<< 0.7.0) Breaks: libnss-ldapd (<< 0.7.0) diff --git a/debian/nslcd.config b/debian/nslcd.config index b176de0..da1dd52 100644 --- a/debian/nslcd.config +++ b/debian/nslcd.config @@ -35,43 +35,111 @@ read_config() return 0 } -# check the system (non-LDAP configuration files) for some -# reasonable defaults -parsesys() +# figure out the system's domain name +get_domain() { - # guess domain based on system information - db_get nslcd/ldap-base - if [ -z "$RET" ] + domain=`hostname --domain` || true + [ -z "$domain" ] && domain=`hostname --nis | grep '\.'` || true + [ -z "$domain" ] && domain=`hostname --fqdn | sed -n 's/^[^.]*\.//p'` || true + [ -z "$domain" ] && domain=`sed -n 's/^ *\(domain\|search\) *\([^ ]*\) *$/\2/p' /etc/resolv.conf | head -n 1` || true + echo "$domain" +} + +# find a LDAP server URI by trying DNS and normal hostname lookups +guess_ldap_uri() +{ + # see if ldap server exists on localhost and is listening on ldapi:// + if [ -e /var/run/slapd/ldapi ] + then + echo "ldapi:///" + return + fi + # try to lookup _ldap._tcp SRV records + if [ -n "$domain" ] then - domain=`hostname --domain` || true - [ -z "$domain" ] && domain=`hostname --nis | grep '\.'` || true - [ -z "$domain" ] && domain=`hostname --fqdn | sed -n 's/^[^.]*\.//p'` || true - [ -z "$domain" ] && domain=`sed -n 's/^ *\(domain\|search\) *\([^ ]*\) *$/\2/p' /etc/resolv.conf | head -n 1` || true - # if the ldap-base value doesn't seem to be preseeded, try to use the - # domain name to build the default base - if [ -n "$domain" ] + server=`host -N 2 -t SRV _ldap._tcp.$domain 2> /dev/null | grep -v NXDOMAIN | awk '{print $NF}' | head -1 | sed 's/\.$//'` || true + if [ -n "$server" ] then - searchbase=`echo "$domain" | sed 's/^/dc=/;s/\./,dc=/g'` || true - db_set nslcd/ldap-base "$searchbase" + echo "ldap://$server/" + return fi fi - # guess ldap server - db_get nslcd/ldap-uris - if [ -z "$RET" ] + # fall back to name lookups + if [ -z "$ldap_uri" ] then + # try unqualified hostname lookup server=`getent hosts ldap` || true [ -z "$server" ] && server=`getent hosts dirhost` || true + # try qualified hostname if [ -n "$domain" ] && [ -z "$server" ] then server=`getent hosts ldap."$domain"` || true [ -z "$server" ] && server=`getent hosts dirhost."$domain"` || true fi + # turn into URI with IP address if [ -n "$server" ] then - # extract ip address from host entry and quote ipv6 address + # extract IP address from host entry and quote IPv6 address ip=`echo $server | sed 's/[[:space:]].*//;s/^\(.*:.*\)$/[\1]/'` - db_set nslcd/ldap-uris "ldap://$ip/" + echo "ldap://$ip/" + fi + fi +} + +# guess the LDAP search base by performing LDAP searches on the +# found server +query_search_base() +{ + ldap_uri="$1" + # first try the default naming context + context=`ldapsearch -LLL -H "$ldap_uri" -x -b '' -s base defaultNamingContext 2>/dev/null | sed -n 's/^defaultNamingContext: //pi'` || true + if [ -n "$context" ] + then + echo "$context" + return + fi + # go over naming contexts, pick the first one with posixAccount or + # posixGroup objects in it + for context in `ldapsearch -LLL -H "$ldap_uri" -x -b '' -s base namingContexts 2>/dev/null | sed -n 's/^namingContexts: //pi'` + do + # search the context + found=`ldapsearch -LLL -H "$ldap_uri" -x -b "$context" -s sub -z 1 '(|(objectClass=posixAccount)(objectclass=posixGroup))' dn 2>/dev/null` || true + if [ -n "$found" ] + then + echo $context + return + fi + done +} + +# check the system (non-LDAP configuration files) for some +# reasonable defaults +parsesys() +{ + # guess domain based on system information + domain=`get_domain` + # guess ldap server URI + db_get nslcd/ldap-uris + if [ -z "$RET" ] + then + ldap_uri=`guess_ldap_uri "$domain"` + [ -n "$ldap_uri" ] && db_set nslcd/ldap-uris "$ldap_uri" + else + # only get first URI from any stored (preseeded) value + ldap_uri=`echo "$RET" | sed -n 's/[[:space:]].*//'` + fi + # guess search base + db_get nslcd/ldap-base + if [ -z "$RET" ] + then + # try to find the search base from the found URI + [ -n "$ldap_uri" ] && search_base=`query_search_base "$ldap_uri"` + # try to use the domain name to build the default base + if [ -z "$search_base" ] && [ -n "$domain" ] + then + search_base=`echo "$domain" | sed 's/^/dc=/;s/\./,dc=/g'` fi + [ -n "$search_base" ] && db_set nslcd/ldap-base "$search_base" fi # we're done return 0 |