author | Arthur de Jong <arthur@arthurdejong.org> | 2006-12-16 17:35:30 +0100 |
committer | Arthur de Jong <arthur@arthurdejong.org> | 2006-12-16 17:35:30 +0100 |
commit | 3abcfd0972867049ed6b48c8f316f0960b9845eb (patch) | |
tree | 370027a91620b09975536228af872308321b6d31 /debian | |
parent | 4bd692c652a3bf2a7554ca55f858da823401f8f6 (diff) |
redid Debian packaging: on installation a search is done for any reasonable configuration information (existing nss_ldap config, hostname info, etc), configuring nsswitch.conf is also done and all files in the debian directory have more logical names
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/libnss_ldapd@158 ef36b2f9-881f-0410-afb5-c4e39611909c
Diffstat (limited to 'debian')
-rw-r--r-- | debian/config | 97 | ||||
-rw-r--r-- | debian/libnss-ldapd.config | 201 | ||||
-rw-r--r-- | debian/libnss-ldapd.postinst | 391 | ||||
-rw-r--r-- | debian/libnss-ldapd.postrm | 9 | ||||
-rw-r--r-- | debian/libnss-ldapd.templates | 75 | ||||
-rwxr-xr-x | debian/rules | 6 | ||||
-rw-r--r-- | debian/templates | 121 |
7 files changed, 513 insertions, 387 deletions
diff --git a/debian/config b/debian/config
deleted file mode 100644
index 8e88667..0000000
--- a/debian/config
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/usr/bin/perl
-# Debconf configuration script for PADL-ldap tools.
-# By Sami Haahtinen <ressu@debian.org>
-
-$conffile="/etc/libnss-ldap.conf";
-$action=shift;
-$from_version=shift;
-
-use Debconf::Client::ConfModule ':all';
-version('2.0');
-
-# Not yet.. i'll prolly fix this later...
-# my $capb=capb('backup');
-
-my @ret;
-my @current_config;
-
-# The 'override' thing really ought to go, but let's see how this works
-# out first.
-
-if(-e $conffile) {
- open CONFIG, "<$conffile";
- if(<CONFIG> =~ /^###DEBCONF###$/) {
- set("libnss-ldap/override", "true");
- } else {
- my $oldval=get("libnss-ldap/override");
- set("libnss-ldap/override", "false");
- if ($oldval eq "true") {
- fset("libnss-ldap/override", "seen", "false")
- }
-
- # well, this was a screwy from the start.. lets make it more
- # sane. priority is critical when running reconfigure,
- # otherwise it's high..
- # -- i hope thats enough..
-
- input($action =~ /reconfigure/ ? "critical" : "high",
- "libnss-ldap/override");
- $ret=go();
- };
- @current_config = <CONFIG>;
- close CONFIG;
-} else {
- set("libnss-ldap/override", "true");
-};
-
-# ok, previously in Configuring LDAP services..
-# - Configuration file was tested for ###DEBCONF### and override was
-# set accordingly.
-# - Eric was dumped because of an secret affair with Karen.
-# Tune in next time for the next episode of, configuring LDAP services..
-
-if(get("libnss-ldap/override") eq "true") {
- read_and_input('shared/ldapns/ldap-server', 'uri', 'critical');
- read_and_input('shared/ldapns/base-dn', 'base', 'critical');
- read_and_input('shared/ldapns/ldap_version', 'ldap_version', 'critical');
- $ret = go(); # yeah, we don't need that.. but in case we sometime do
-
- # Anyone with database that requires logging in should have
- # atleast medium priority..
- input("medium", "libnss-ldap/dblogin");
- input("medium", "libnss-ldap/dbrootlogin");
- input("medium", "libnss-ldap/confperm");
- $ret = go();
-
- if(get("libnss-ldap/dbrootlogin") eq "true") {
- read_and_input('libnss-ldap/rootbinddn', 'rootbinddn', 'critical');
- input('critical', 'libnss-ldap/rootbindpw');
- $ret = go()
- }
-
- if(get("libnss-ldap/dblogin") eq "true") {
- # user wants to login..
- # we better set these at critical.. just in case
- read_and_input('libnss-ldap/binddn', 'binddn', 'critical');
- read_and_input('libnss-ldap/bindpw', 'bindpw', 'critical');
- $ret = go();
- }
-}
-
-input("critical", "libnss-ldap/nsswitch");
-$ret = go();
-
-sub read_and_input
-{
- my ($debconf_name, $conffile_name, $priority) = @_;
- $priority = 'medium' unless $priority;
-
- my @valuelist = grep(/^$conffile_name\s/, @current_config);
- if (@valuelist) {
- my $value = pop(@valuelist);
- chomp($value);
- $value =~ s/^$conffile_name\s+//;
- set($debconf_name, $value);
- }
- input($priority, $debconf_name);
-}
diff --git a/debian/libnss-ldapd.config b/debian/libnss-ldapd.config
new file mode 100644
index 0000000..5118560
--- /dev/null
+++ b/debian/libnss-ldapd.config
@@ -0,0 +1,201 @@
+#!/bin/sh
+
+set -e
+
+# source debconf library.
+. /usr/share/debconf/confmodule
+db_version 2.0
+db_capb backup
+
+# set title
+db_title "Configuring libnss-ldapd"
+
+#
+# This is the fist part of the script. In this part an attempt
+# is made to get or guess the current configuration. This information
+# is later on used to prompt the user and to provide a sensible
+# default.
+#
+
+# check the system (non-LDAP configuration files) for some
+# reasonable defaults
+parsesys()
+{
+ # guess domain based on system information
+ domain=`hostname --domain`
+ [ -z "$domain" ] && domain=`hostname --nis | grep '\.'`
+ [ -z "$domain" ] && domain=`hostname --fqdn | sed -n 's/^[^.]*\.//p'`
+ [ -z "$domain" ] && domain=`sed -n 's/^ *\(domain\|search\) *\([^ ]*\) *$/\2/p' /etc/resolv.conf | head -n 1`
+ if [ -n "$domain" ]
+ then
+ # set search base
+ searchbase=`echo "$domain" | sed 's/^/dc=/;s/\./,dc=/'`
+ db_set libnss-ldapd/ldap-base "$searchbase"
+ fi
+ # guess ldap server
+ server=`getent hosts ldap`
+ [ -z "$server" ] && server=`getent hosts dirhost`
+ if [ -n "$domain" ] && [ -z "$server" ]
+ then
+ server=`getent hosts ldap."$domain"`
+ [ -z "$server" ] && server=`getent hosts dirhost."$domain"`
+ fi
+ if [ -n "$server" ]
+ then
+ # extract ip address from host entry and quote ipv6 address
+ ip=`echo $server | sed 's/[[:space:]].*//;s/^\(.*:.*\)$/[\1]/'`
+ db_set libnss-ldapd/ldap-uris "ldap://$ip/"
+ fi
+}
+
+# parse a LDAP-like configuration file
+parsecfg()
+{
+ cfgfile="$1"
+ # check existance
+ [ -f "$cfgfile" ] || return 0
+ # find uri/host/port combo
+ uris=`sed -n 's/^uri[[:space:]]*//ip' "$cfgfile"`
+ if [ -z "$uris" ]
+ then
+ hosts=`sed -n 's/^host[[:space:]]*//ip' "$cfgfile"`
+ port=`sed -n 's/^port[[:space:]]*//ip' "$cfgfile"`
+ for host in $hosts
+ do
+ if [ -n "$port" ] && [ -z `echo $host | grep ':'` ]
+ then
+ uris="$uris ldap://$host:$port/"
+ else
+ uris="$uris ldap://$host/"
+ fi
+ done
+ fi
+ [ -n "$uris" ] && db_set libnss-ldapd/ldap-uris "$uris"
+ # find base config
+ searchbase=`sed -n 's/^base[[:space:]]*//ip' "$cfgfile"`
+ [ -n "$searchbase" ] && db_set libnss-ldapd/ldap-base "$searchbase"
+ # find ldap_version
+ ldapversion=`sed -n 's/^ldap_version[[:space:]]*//ip' "$cfgfile"`
+ [ -n "$searchbase" ] && db_set libnss-ldapd/ldap-version "$ldapversion"
+ # find binddb
+ binddn=`sed -n 's/^binddn[[:space:]]*//ip' "$cfgfile"`
+ [ -n "$binddn" ] && db_set libnss-ldapd/ldap-binddn "$binddn"
+ # find bindpw
+ bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' "$cfgfile"`
+ [ -n "$bindpw" ] && db_set libnss-ldapd/ldap-bindpw "$bindpw"
+ # find rootbinddb
+ rootbinddn=`sed -n 's/^rootbinddn[[:space:]]*//ip' "$cfgfile"`
+ [ -n "$rootbinddn" ] && db_set libnss-ldapd/ldap-rootbinddn "$rootbinddn"
+ # find rootbindpw
+ rootbindpw=`sed -n 's/^rootbindpw[[:space:]]*//ip' "$cfgfile"`
+ [ -n "$rootbindpw" ] && db_set libnss-ldapd/ldap-rootbindpw "$rootbindpw"
+ # we're done
+ return 0
+}
+
+# parse /etc/nsswitch.conf and see which services have ldap specified
+parsensswitch()
+{
+ # find name services that currently use LDAP
+ configured=`sed -n 's/^\([^[:space:]]*\):.*[[:space:]]ldap\([[:space:]].*\)\?/\1/p' /etc/nsswitch.conf`
+ # separate by commas
+ configured=`echo $configured | sed 's/ /, /g'`
+ # store configured services
+ db_set libnss-ldapd/nsswitch "$configured"
+ # we're done
+ return 0
+}
+
+# clear some settings in case they are not set in the config
+db_set libnss-ldapd/ldap-binddn ""
+db_set libnss-ldapd/ldap-bindpw ""
+db_set libnss-ldapd/ldap-rootbinddn ""
+db_set libnss-ldapd/ldap-rootbindpw ""
+
+# fill our defaults with the current configuration if available
+# and fall back to guessing the config from some other system files
+if [ -f /etc/libnss-ldapd.conf ]
+then
+ # parse current configuration
+ parsecfg /etc/libnss-ldapd.conf
+else
+ # newer found values override older values
+ parsesys
+ parsecfg /etc/ldap/ldap.conf
+ parsecfg /etc/pam_ldap.conf
+ parsecfg /etc/libnss-ldap.conf
+fi
+# check /etc/nsswitch.conf
+parsensswitch
+
+#
+# This is the second part of the script. In this part the configurable
+# settings will be presented to the user for approval. The postinst
+# will finaly perform the actual modifications.
+#
+
+state="server"
+while [ "$state" != "done" ]
+do
+ case "$state" in
+ server)
+ # ask about server configuration
+ db_input high libnss-ldapd/ldap-uris || true
+ db_input high libnss-ldapd/ldap-base || true
+ db_input low libnss-ldapd/ldap-version || true
+ # ask the questions, go to the next question or exit
+ state="binddn"
+ db_go || exit 1
+ # TODO: add error checking on options
+ ;;
+ binddn)
+ # ask for login information
+ db_input medium libnss-ldapd/ldap-binddn || true
+ # ask the question, go to the next question or back
+ state="bindpw"
+ db_go || state="server"
+ # TODO: if answer is empty also clear passwd
+ ;;
+ bindpw)
+ # only ask question if we have a binddn
+ db_get libnss-ldapd/ldap-binddn
+ if [ -n "$RET" ]
+ then
+ # ask for login information
+ db_input medium libnss-ldapd/ldap-bindpw || true
+ fi
+ # ask the question, go to the next question or back
+ state="rootbinddn"
+ db_go || state="binddn"
+ ;;
+ rootbinddn)
+ # ask for login information
+ db_input medium libnss-ldapd/ldap-rootbinddn || true
+ # ask the question, go to the next question or back
+ state="rootbindpw"
+ db_go || state="bindpw"
+ # TODO: if answer is empty also clear passwd
+ ;;
+ rootbindpw)
+ # only ask question if we have a rootbinddn
+ db_get libnss-ldapd/ldap-rootbinddn
+ if [ -n "$RET" ]
+ then
+ # ask for login information
+ db_input medium libnss-ldapd/ldap-rootbindpw || true
+ fi
+ # ask the question, go to the next question or back
+ state="nsswitch"
+ db_go || state="rootbinddn"
+ ;;
+ nsswitch)
+ # ask for which nsswitch options to configure
+ db_capb multiselect
+ db_input high libnss-ldapd/nsswitch || true
+ state="done"
+ db_go || state="rootbindpw"
+ ;;
+ esac
+done
+
+exit 0
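Review bot: In parsecfg the ldap_version value is guarded by the wrong variable: `[ -n "$searchbase" ] && db_set libnss-ldapd/ldap-version "$ldapversion"` tests the search base, so a config file that has a base but no ldap_version pushes an empty string into a select question, while one with ldap_version but no base is ignored; it should read `[ -n "$ldapversion" ] && db_set libnss-ldapd/ldap-version "$ldapversion"`. The same function copies bindpw and rootbindpw out of /etc/ldap/ldap.conf, /etc/pam_ldap.conf and /etc/libnss-ldap.conf into the debconf database, which is worth a comment next to the four db_set calls, e.g. `# NOTE: bind passwords found in other packages' config files are imported into debconf here`, since the matching templates are Type: password and presumably end up in debconf's password store. In the nsswitch state, `db_capb multiselect` looks as if it replaces the `db_capb backup` list declared at the top of the script, so backing up from the last question may no longer be offered; if that reading of CAPB is right, `db_capb backup multiselect` keeps both.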
diff --git a/debian/libnss-ldapd.postinst b/debian/libnss-ldapd.postinst
index 3a10868..d4cfdf5 100644
--- a/debian/libnss-ldapd.postinst
+++ b/debian/libnss-ldapd.postinst
@@ -1,180 +1,251 @@
-#!/bin/sh -e
+#!/bin/sh
+
+set -e
 PACKAGE=libnss-ldapd
-CONFFILE="/etc/libnss-ldap.conf"
-PASSWDFILE="/etc/libnss-ldap.secret"
-add_missing()
+# set an option in the configuration file to the specified value
+cfg_set()
 {
- # FIXME: it would be nice to get the prototype from a template.
-
- parameter=$1
- value=$2
- echo "$parameter $value" >> $CONFFILE
+ parameter=$1
+ value=$2
+ commented=0
+ notthere=0
+ # check if the parameter is defined
+ egrep -i -q "^$parameter " $CONFFILE || notthere=1
+ if [ "$notthere" = "1" ]
+ then
+ # check if the parameter is commented out
+ if ( egrep -i -q "^#$parameter" $CONFFILE )
+ then
+ notthere=0
+ commented=1
+ fi
+ fi
+ # decide what to do
+ if [ "$notthere" = "1" ]
+ then
+ # just append a new line
+ echo "$parameter $value" >> $CONFFILE
+ else
+ # TODO: check if the option is already defined with the value we need
+ # replace the existing option
+ replacestring="$parameter"
+ if [ "$commented" = "1" ]
+ then
+ replacestring="# *$parameter"
+ fi
+ # this works as long as any option is specified only once
+ # FIXME: also work when option is commented out on multiple lines
+ sed -i 's%^'"$replacestring"' .*$%'"$parameter $value"'%i' "$CONFFILE"
+ fi
+ # we're done
+ return 0
 }
-change_value()
+# disable an option in the configuration file by commenting it out
+cfg_disable()
 {
- parameter=$1
- value=$2
- commented=0 ; notthere=0
-
- egrep -i -q "^$parameter " $CONFFILE || notthere=1
- if [ "$notthere" = "1" ]; then
- if ( egrep -i -q "^# *$parameter" $CONFFILE ); then
- notthere=0
- commented=1
- fi
- fi
-
- if [ "$notthere" = "1" ]; then
- add_missing $parameter $value
- else
- replacestring="^$parameter .*"
- if [ "$commented" = "1" ]; then
- replacestring="^# *$parameter .*"
- fi
- # i really need a better way to do this...
- # currently we replace only the first match, we need a better
- # way of dealing with multiple hits.
- value=$value parameter=$parameter perl -i -p -e 's/^# *\Q$ENV{"parameter"}\E .*/$ENV{"parameter"} $ENV{"value"}/i
- and $match=1 unless ($match)' $CONFFILE
- fi
+ parameter=$1
+ # TODO add an option to also remove the option value
+ # (for passwords)
+ if egrep -q "^$parameter " $CONFFILE
+ then
+ sed -i 's%^\('"$parameter"'.*\)$%#\1%i' "$CONFFILE"
+ fi
+ # we're done
+ return 0
 }
-disable_param()
+# check to see if name is configured to do lookups through
+# LDAP and enable if not
+nss_enable()
 {
- parameter=$1
- enabled=0
- egrep -q "^$parameter " $CONFFILE && enabled=1
- if [ "$enabled" = "1" ]; then
- perl -i -p -e "s/^($parameter .*)/#\$1/i" $CONFFILE
- fi
+ name=$1
+ if [ ! "`grep '^'$name':.*ldap.*' /etc/nsswitch.conf`" ]
+ then
+ echo "/etc/nsswitch.conf: enable LDAP lookups for $name" >&2
+ if [ "`grep '^'$name':' /etc/nsswitch.conf`" ]
+ then
+ # modify an existing entry by just adding ldap to the end
+ sed -i 's/^\('$name':.*\)[[:space:]]*$/\1 ldap/' /etc/nsswitch.conf
+ else
+ # append a new line
+ printf '%-15s ldap\n' $name':' >> /etc/nsswitch.conf
+ fi
+ fi
+ # we're done
+ return 0
 }
-# Real functions begin here.
-case "$1" in
- configure)
- # ok, lets get to business..
- . /usr/share/debconf/confmodule
-
- # lets create the configuration from example if it's not there.
- examplefile=/usr/share/$PACKAGE/ldap.conf
- if [ ! -e $CONFFILE ] && [ -e $examplefile ]; then
- cat > $CONFFILE << EOM
-###DEBCONF###
-# the configuration of this file will be done by debconf as long as the
-# first line of the file says '###DEBCONF###'
-#
-# you should use dpkg-reconfigure libnss-ldap to configure this file.
+# remove NSS lookups though LDAP for the specified service
+nss_disable()
+{
+ name=$1
+ # these functions also remove the lookup result handling part
+ # of the ldap entry (see nsswitch.conf(5))
+ if [ "`grep '^'$name':.*ldap.*' /etc/nsswitch.conf`" ]
+ then
+ echo "/etc/nsswitch.conf: disable LDAP lookups for $name" >&2
+ if [ "`sed -n '/^'$name':[[:space:]]*ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*$/p' /etc/nsswitch.conf`" ]
+ then
+ # the name service only maps to ldap, remove the whole line
+ sed -i '/^'$name':[[:space:]]*ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*$/d' /etc/nsswitch.conf
+ else
+ # remove ldap part from existing line, keeping other methods intact
+ # TODO: remove trailing space
+ sed -i 's/^\('$name':.*\)ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*\(.*\)$/\1\3/' /etc/nsswitch.conf
+ fi
+ fi
+ # we're done
+ return 0
+}
+
+# create a default configuration file if nothing exists yet
+create_config()
+{
+ if [ ! -e "$CONFFILE" ]
+ then
+ if [ -f /etc/libnss-ldap.conf ]
+ then
+ # begin the file by some information as to where it came from
+ cat > "$CONFFILE" << EOM
+# $CONFFILE
+# libnss-ldapd configuration file. See libnss-ldapd.conf(5)
+# for details.
 #
+# This file was based on existing configuration files
+# /etc/libnss-ldap.conf and /etc/libnss-ldap.secret
+
 EOM
- cat $examplefile >> $CONFFILE
- chmod 0644 $CONFFILE
- db_set libnss-ldap/override true
- fi
-
- db_get libnss-ldap/override
- if [ "$RET" = "true" ]; then
- if ( head -1 $CONFFILE | grep -q -v '^###DEBCONF###$' ); then
- mv $CONFFILE $CONFFILE.tmp
- cat > $CONFFILE << EOM
-###DEBCONF###
+ # copy the existing config in place, getting rid
+ # of the silly #DEBCONF# lines
+ egrep -v '(###DEBCONF###|configuration of this file will be done by debconf|dpkg-reconfigure)' \
+ < /etc/libnss-ldap.conf \
+ >> "$CONFFILE"
+ # also append the secret file if it is present
+ if [ -f /etc/libnss-ldap.secret ]
+ then
+ cat /etc/libnss-ldap.secret >> "$CONFFILE"
+ fi
+ else
+ # fall back to generating a simple configuration file
+ # from this simple template
+ # TODO: improve this template
+ cat > "$CONFFILE" << EOM
+# $CONFFILE
+# libnss-ldapd configuration file. See libnss-ldapd.conf(5)
+# for details.
+
+# The location at which the LDAP server(s) should be reachable.
+uri ldap://localhost/
+
+# The search base that will be used for all queries.
+base dc=example,dc=net
+
+# The LDAP protocol version to use.
+ldap_version 3
+
+binddn cn=annonymous,dc=example,dc=net
+bindpw secret
+
+rootbinddn cn=administrator,dc=example,dc=net
+rootbindpw verysecret
+
+# The search scope.
+#scope sub
+
 EOM
- cat $CONFFILE.tmp >> $CONFFILE
- rm -f $CONFFILE.tmp
- chmod 0644 $CONFFILE
- fi
-
- db_get shared/ldapns/ldap-server
- if echo $RET | egrep -q '^ldaps?://'; then
- disable_param host
- change_value uri "$RET"
- else
- disable_param uri
- change_value host "$RET"
- fi
-
- db_get shared/ldapns/base-dn
- change_value base "$RET"
-
- db_get shared/ldapns/ldap_version
- change_value ldap_version "$RET"
-
- db_get libnss-ldap/dbrootlogin
- if [ "$RET" = "true" ]; then
- # user wants to log in to the database, so be it.
- db_get libnss-ldap/rootbinddn
- change_value rootbinddn "$RET"
-
- db_get libnss-ldap/rootbindpw
- if [ "$RET" != "" ]; then
- rm -f $PASSWDFILE
- echo $RET > $PASSWDFILE
- chmod 0600 $PASSWDFILE
- db_set libnss-ldap/rootbindpw ''
- fi
- else
- # ok, so the user refused to use this feature, better make
- # sure it's really off.
- disable_param rootbinddn
- rm -f $PASSWDFILE
- fi
-
- db_get libnss-ldap/dblogin
- if [ "$RET" = "true" ]; then
- # user wants to log in to the database, so be it.
- db_get libnss-ldap/binddn
- change_value binddn "$RET"
-
- db_get libnss-ldap/bindpw
- if [ "$RET" != "" ]; then
- change_value bindpw "$RET"
- db_set libnss-ldap/bindpw ''
- fi
- else
- # once again, user didn't.. lets make sure we dont.
- disable_param binddn
- disable_param bindpw
- fi
-
- db_get libnss-ldap/confperm
- if [ "$RET" = "true" ]; then
- # FIXME: we need a way to check if the file
- # was 0700 and we removed the flag.
- chmod 0600 $CONFFILE
- else
- # ICK! ugly hack, but i didn't get anything
- # better to work.
- find $CONFFILE -perm 0600 -exec chmod 0644 {} \;
- fi
- fi
- db_stop
- ;;
-
- abort-upgrade|abort-remove|abort-deconfigure)
- exit 0
- ;;
-
- *)
- echo "postinst called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-if [ -e /etc/ldap.secret ] && [ ! -e /etc/libnss-ldap.secret ]; then
- cp -p /etc/ldap.secret /etc/libnss-ldap.secret
+ fi
+ fi
+ # we're done
+ return 0
+}
+
+# real functions begin here
+if [ "$1" = "configure" ]
+then
+ # get configuration data from debconf
+ . /usr/share/debconf/confmodule
+ # create a default configuration
+ create_config
+ # set server uri
+ db_get libnss-ldapd/ldap-uris
+ cfg_set uri "$RET"
+ # set search base
+ db_get libnss-ldapd/ldap-base
+ cfg_set base "$RET"
+ # set ldap version
+ db_get libnss-ldapd/ldap-version
+ cfg_set ldap_version "$RET"
+ # set bind dn/pw
+ db_get libnss-ldapd/ldap-binddn
+ if [ -n "$RET" ]
+ then
+ cfg_set binddn "$RET"
+ db_get libnss-ldapd/ldap-bindpw
+ cfg_set bindpw "$RET"
+ # remove password from database
+ db_set libnss-ldapd/ldap-bindpw ""
+ else
+ # no binddn/pw, disable options
+ cfg_disable binddn
+ cfg_disable bindpw
+ # FIXME: remove password value from config
+ fi
+ # set root bind dn/pw
+ db_get libnss-ldapd/ldap-rootbinddn
+ if [ -n "$RET" ]
+ then
+ cfg_set rootbinddn "$RET"
+ db_get libnss-ldapd/ldap-rootbindpw
+ cfg_set rootbindpw "$RET"
+ # remove password from database
+ db_set libnss-ldapd/ldap-rootbindpw ""
+ else
+ # no binddn/pw, disable options
+ cfg_disable rootbinddn
+ cfg_disable rootbindpw
+ # FIXME: remove password value from config
+ fi
+ # modify /etc/nsswitch.conf
+ db_get libnss-ldapd/nsswitch
+ enablenss=`echo "$RET" | sed 's/,//g'`
+ allnss=`sed -n 's/^\([a-z]*\):.*$/\1/p' /etc/nsswitch.conf`
+ allnss=`echo $allnss $enablenss | sed 's/ /\n/g' | sort -u`
+ for n in $allnss
+ do
+ if [ "`echo ' '$enablenss' ' | grep ' '$n' '`" ]
+ then
+ nss_enable $n
+ else
+ nss_disable $n
+ fi
+ done
+ # we're done
+ db_stop
+ # TODO: fix permissions of configfile if passwords are stored
+ # TODO: create backups of /etc/nsswitch.conf and configfile
+ # (probably store orig in tmpfile and if diff install it
+ # as backup)
 fi
-# restart nscd for some reason
-if [ -s /usr/sbin/nscd ]; then
- if [ `pidof -s nscd` ]; then
- if which invoke-rc.d >/dev/null 2>&1; then
- invoke-rc.d nscd restart
- else
- /etc/init.d/nscd restart
- fi
- fi
+# restart nscd to pick up changes in nsswitch.conf
+# (other processes will have to be restarted manually)
+if [ -s /usr/sbin/nscd ]
+then
+ if [ `pidof -s nscd` ]
+ then
+ if which invoke-rc.d >/dev/null 2>&1
+ then
+ invoke-rc.d nscd restart
+ else
+ /etc/init.d/nscd restart
+ fi
+ fi
 fi
 #DEBHELPER#
+
+exit 0
diff --git a/debian/libnss-ldapd.postrm b/debian/libnss-ldapd.postrm
index 204289b..8a1da8f 100644
--- a/debian/libnss-ldapd.postrm
+++ b/debian/libnss-ldapd.postrm
@@ -1,12 +1,11 @@
 #!/bin/sh
-CONFFILE="/etc/libnss-ldap.conf"
-PASSWDFILE="/etc/libnss-ldap.secret"
-
 action=$1
-if [ "$action" = "purge" ]; then
- rm -f $CONFFILE $PASSWDFILE
+# remove our configuration file (not a conffile) on purge manually
+if [ "$action" = "purge" ]
+then
+ rm -f /etc/libnss-ldapd.conf
 fi
 #DEBHELPER#
diff --git a/debian/libnss-ldapd.templates b/debian/libnss-ldapd.templates
new file mode 100644
index 0000000..4d25ffd
--- /dev/null
+++ b/debian/libnss-ldapd.templates
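Review bot: cfg_set writes bindpw and rootbindpw into $CONFFILE in clear text, but nothing in the hunk restricts the file's mode: create_config creates it with `cat > "$CONFFILE"` under the process umask, appends the root-only /etc/libnss-ldap.secret into it when present, and the old PASSWDFILE/confperm handling that kept the secret at 0600 is removed (the `TODO: fix permissions of configfile if passwords are stored` near db_stop acknowledges this but the passwords are written regardless). Adding `chmod 0600 "$CONFFILE"` directly after the create_config call, or running create_config under `umask 077`, would close this before any password is stored. Separately, cfg_set interpolates $value unescaped into the sed replacement in `sed -i 's%^'"$replacestring"' .*$%'"$parameter $value"'%i' "$CONFFILE"`, so a password or URI containing `%`, `&` or `\` either breaks the command under set -e or is silently rewritten; escaping it first with `value=$(printf '%s' "$value" | sed 's/[%&\\]/\\&/g')` keeps the expression intact. The same applies to cfg_disable's use of $parameter, though its inputs are fixed option names.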
@@ -0,0 +1,75 @@
+Template: libnss-ldapd/ldap-uris
+Type: string
+Default: ldap://127.0.0.1/
+_Description: LDAP server Uniform Resource Identifier
+ Please enter the URI of the LDAP server used. This is a string in the
+ form ldap://<hostname or IP>:<port>/ . ldaps:// or ldapi:// can also
+ be used. The port number is optional.
+ .
+ Note: It is usually a good idea to use an IP address; this reduces risks
+ of failure in the event name service is unavailable.
+ .
+ Multiple URIs can be be specified by separating them with spaces.
+
+Template: libnss-ldapd/ldap-base
+Type: string
+Default: dc=example,dc=net
+_Description: LDAP server search base
+ Please enter the distinguished name of the LDAP search base. Many sites
+ use the components of their domain names for this purpose. For example,
+ the domain "example.net" would use "dc=example,dc=net" as the
+ distinguished name of the search base.
+
+Template: libnss-ldapd/ldap-version
+Type: select
+Choices: 3, 2
+Default: 3
+_Description: LDAP version to use
+ Please enter which version of the LDAP protocol is to use. It is
+ usually a good idea to set this to highest available version number.
+
+Template: libnss-ldapd/ldap-binddn
+Type: string
+Default:
+_Description: LDAP database user
+ If the LDAP database requires a login for normal lookups, enter
+ the name of the account that will be used here. Leave empty
+ otherwise.
+ .
+ This value should be specified as a DN (distinguished name).
+
+Template: libnss-ldapd/ldap-bindpw
+Type: password
+_Description: LDAP user password
+ Enter the password that will be used to log in to the LDAP database.
+
+Template: libnss-ldapd/ldap-rootbinddn
+Type: string
+Default: cn=manager,dc=example,dc=net
+_Description: LDAP account for root
+ This account will be used for nss requests with root privileges.
+ This can be used to give root processes more information
+ (e.g. users' shadow entries or group passwords).
+ .
+ Leave this empty to not do anything special for root lookups.
+ .
+ This value should be specified as a DN (distinguished name).
+
+Template: libnss-ldapd/ldap-rootbindpw
+Type: password
+_Description: LDAP root account password
+ Enter the password that will be used to log in to the LDAP database
+ when the root process does lookups.
+
+Template: libnss-ldapd/nsswitch
+Type: multiselect
+Choices: aliases, ethers, group, hosts, netgroup, networks, passwd, protocols, rpc, services, shadow
+_Description: Name services to configure:
+ For this package to work, you need to modify your /etc/nsswitch.conf to
+ use the ldap datasource. There is an example file at
+ /usr/share/doc/libnss-ldap/examples/nsswitch.ldap which can be used as an
+ example for your nsswitch setup.
+ .
+ You can also select the services that should be enabled or disabled
+ for LDAP lookups. New LDAP lookups will be added as last option.
+ Be sure to review these changes.
diff --git a/debian/rules b/debian/rules
index 910ba01..ccbb5c1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -25,8 +25,7 @@ configure-stamp:
 --disable-dependency-tracking \
 --enable-rfc2307bis \
 --with-ldap-lib=openldap \
- --with-ldap-conf-file=/etc/libnss-ldap.conf \
- --with-ldap-secret-file=/etc/libnss-ldap.secret \
+ --with-ldap-conf-file=/etc/libnss-ldapd.conf \
 --with-nslcd-pidfile=/var/run/nslcd/nslcd.pid \
 --with-nslcd-socket=/var/run/nslcd/socket \
 --enable-schema-mapping \
@@ -58,8 +57,7 @@ install: build
 dh_clean -k
 $(MAKE) install DESTDIR=$(CURDIR)/debian/libnss-ldapd
 # make configfile fully generated
- rm -f $(CURDIR)/debian/libnss-ldapd/etc/libnss-ldap.conf
- rm -f $(CURDIR)/debian/libnss-ldapd/etc/libnss-ldap.secret
+ rm -f $(CURDIR)/debian/libnss-ldapd/etc/libnss-ldapd.conf
 # rename man page
 mv $(CURDIR)/debian/libnss-ldapd/usr/share/man/man5/nss_ldap.5 $(CURDIR)/debian/libnss-ldapd/usr/share/man/man5/libnss-ldap.conf.5
 # change all references from /etc/ldap.conf to /etc/libnss-ldap.conf
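Review bot: The libnss-ldapd/nsswitch description is stale relative to what this commit does: its first paragraph still tells the admin "you need to modify your /etc/nsswitch.conf" and points at /usr/share/doc/libnss-ldap/examples/nsswitch.ldap (which looks like the old package's path), while the postinst in this same commit now edits nsswitch.conf from this very multiselect. I would replace that paragraph with a sentence along the lines of `For this package to work, /etc/nsswitch.conf must list ldap as a source for the services that should be looked up in LDAP; the services selected here will be enabled (and unselected ones disabled) automatically.` and keep the second paragraph. The ldap-rootbinddn template's `Default: cn=manager,dc=example,dc=net` also appears to be dead, since the config script unconditionally does `db_set libnss-ldapd/ldap-rootbinddn ""` before prompting; an empty Default, as for ldap-binddn, would match the "Leave this empty" wording below it. Minor wording in the same file: "can be be specified" and "which version of the LDAP protocol is to use".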
diff --git a/debian/templates b/debian/templates
deleted file mode 100644
index ecbda97..0000000
--- a/debian/templates
+++ /dev/null
@@ -1,121 +0,0 @@
-Template: libnss-ldap/confperm
-Type: boolean
-Default: false
-_Description: make configuration readable/writeable by owner only
- Should the libnss-ldap configuration file be readable and writable only by
- the file owner?
- .
- If you use passwords in your libnss-ldap configuration, it is usually a
- good idea to have the configuration set with mode 0600 (readable and
- writable only by the file's owner).
- .
- Note: As a sanity check, libnss-ldap will check if you have nscd installed
- and will only set the mode to 0600 if nscd is present.
-
-Template: libnss-ldap/nsswitch
-Type: note
-_Description: nsswitch.conf is not managed automatically
- For this package to work, you need to modify your /etc/nsswitch.conf to
- use the ldap datasource. There is an example file at
- /usr/share/doc/libnss-ldap/examples/nsswitch.ldap which can be used as an
- example for your nsswitch setup, or it can be copied over your current
- setup.
- .
- Also, before removing this package, it is wise to remove the ldap entries
- from nsswitch.conf to keep basic services functioning.
-
-Template: shared/ldapns/base-dn
-Type: string
-Default: dc=example,dc=net
-_Description: distinguished name of the search base
- Please enter the distinguished name of the LDAP search base. Many sites
- use the components of their domain names for this purpose. For example,
- the domain "example.net" would use "dc=example,dc=net" as the
- distinguished name of the search base.
-
-Template: libnss-ldap/dblogin
-Type: boolean
-Default: false
-_Description: database requires login
- Does the LDAP database require login?
- .
- Answer this question affirmatively only if you can't retreive entries from
- the database without logging in.
- .
- Note: Under a normal setup, this is not needed.
-
-Template: libnss-ldap/override
-Type: boolean
-Default: true
-_Description: enable automatic configuration updates by debconf
- Should debconf automatically update libnss-ldap's configuration file?
- .
- libnss-ldap has been moved to use debconf for its configuration.
- .
- The file will be prepended with "###DEBCONF###"; you can disable the
- debconf updates by removing that line.
- .
- All new installations will have this by default.
-
-Template: libnss-ldap/binddn
-Type: string
-Default: cn=proxyuser,dc=example,dc=net
-_Description: unprivileged database user
- Enter the name of the account that will be used to log in to the LDAP
- database.
-
-Template: libnss-ldap/bindpw
-Type: password
-_Description: password for database login account
- Enter the password that will be used to log in to the LDAP database.
-
-Template: shared/ldapns/ldap_version
-Type: select
-Choices: 3, 2
-Default: 3
-_Description: LDAP version to use
- Please enter which version of the LDAP protocol ldapns is to use. It is
- usually a good idea to set this to highest available version number.
-
-Template: shared/ldapns/ldap-server
-Type: string
-Default: ldap://127.0.0.1/
-_Description: LDAP server Uniform Resource Identifier
- Please enter the URI of the LDAP server used. This is a string in the
- form ldap://<hostname or IP>:<port>/ . ldaps:// or ldapi:// can also
- be used. The port number is optional.
- .
- Note: It is usually a good idea to use an IP address; this reduces risks
- of failure in the event name service is unavailable.
-
-Template: libnss-ldap/dbrootlogin
-Type: boolean
-Default: true
-_Description: special LDAP privileges for root
- This option will allow tools that perform requests to the nss system
- with libnss-ldap as backend to return more information when called
- as root.
- .
- If you are using NFS mounted /etc or any other custom setup, you should
- disable this.
-
-Template: libnss-ldap/rootbinddn
-Type: string
-Default: cn=manager,dc=example,dc=net
-_Description: LDAP account for root
- This account will be used for nss requests with root privileges.
- .
- Note: For this to work the account needs permission to access the
- attributes in the LDAP directory that are related to the users' shadow
- entries as well as users' and groups' passwords.
-
-Template: libnss-ldap/rootbindpw
-Type: password
-_Description: LDAP root account password
- This password will be used when libnss-ldap tries to login to the LDAP
- directory using the LDAP account for root.
- .
- The password will be stored in a separate file /etc/libnss-ldap.secret
- which will be made readable to root only.
- .
- Entering an empty password will re-use the old password. |