author | Arthur de Jong <arthur@arthurdejong.org> | 2010-12-12 23:45:21 +0100 |
---|---|---|
committer | Arthur de Jong <arthur@arthurdejong.org> | 2010-12-12 23:45:21 +0100 |
commit | 38b08af090769450018505a8547377709b93a9f6 (patch) | |
tree | 33ed5127dd8c8595151cc320895457f871199091 /debian | |
parent | 7d9baf67b727c7b50c3666721821e38485d76332 (diff) | |
parent | 42490ca4bab185ac92db5203235ed7515111731a (diff) |
merge changes from trunk
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-solaris@1329 ef36b2f9-881f-0410-afb5-c4e39611909c
Diffstat (limited to 'debian')
-rw-r--r-- | debian/nslcd.config | 148 | ||||
-rw-r--r-- | debian/nslcd.postinst | 92 | ||||
-rw-r--r-- | debian/nslcd.templates | 76 |
3 files changed, 226 insertions, 90 deletions
diff --git a/debian/nslcd.config b/debian/nslcd.config index 2ac2a38..933c5e3 100644 --- a/debian/nslcd.config +++ b/debian/nslcd.config @@ -20,6 +20,23 @@ db_capb backup # default. # +# read a configuration value from the specified file +# (it takes care in not overwriting a previously written value) +read_config() +{ + debconf_param="$1" + cfg_param="$2" + # get debconf value to ensure we don't overwrite an already set value + db_get "$debconf_param" + if [ -z "$RET" ] + then + value=`sed -n 's/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1` + [ -n "$value" ] && db_set "$debconf_param" "$value" + fi + # we're done + return 0 +} + # check the system (non-LDAP configuration files) for some # reasonable defaults parsesys() @@ -91,27 +108,16 @@ parsecfg() fi [ -n "$uris" ] && db_set nslcd/ldap-uris "$uris" fi - # find base config - db_get nslcd/ldap-base - if [ -z "$RET" ] - then - searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1` - [ -n "$searchbase" ] && db_set nslcd/ldap-base "$searchbase" - fi - # find binddn - db_get nslcd/ldap-binddn - if [ -z "$RET" ] - then - binddn=`sed -n 's/^binddn[[:space:]]*//ip' "$cfgfile" | tail -n 1` - db_set nslcd/ldap-binddn "$binddn" - fi - # find bindpw - db_get nslcd/ldap-bindpw - if [ -z "$RET" ] - then - bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' "$cfgfile" | tail -n 1` - db_set nslcd/ldap-bindpw "$bindpw" - fi + # read simple options + read_config nslcd/ldap-base base + read_config nslcd/ldap-binddn binddn + read_config nslcd/ldap-bindpw bindpw + read_config nslcd/ldap-sasl-mech sasl_mech + read_config nslcd/ldap-sasl-realm sasl_realm + read_config nslcd/ldap-sasl-authcid sasl_authcid + read_config nslcd/ldap-sasl-authzid sasl_authzid + read_config nslcd/ldap-sasl-secprops sasl_secprops + read_config nslcd/ldap-sasl-krb5-ccname krb5_ccname # check ssl option db_get nslcd/ldap-starttls if [ -z "$RET" ] 
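Review bot: `read_config` reads from `$cfgfile`, a variable it neither takes as a parameter nor assigns, so it only works when the caller (presumably `parsecfg`, which already used `"$cfgfile"` in the removed lines) has set it first; that contract belongs in the header comment, e.g. `# reads from $cfgfile, which the caller must have set`, or the file should be passed as a third argument. The capture group `\([^[:space:]].*[^[:space:]]\)` also requires at least two non-blank characters, so a one-character value is silently left unset; if such values matter, `\([^[:space:]]\(.*[^[:space:]]\)*\)` accepts them. Stylistically, `$(...)` reads better than the backticks and the unconditional `return 0` hides a failed `db_set`. The function is shown in full; the following `parsecfg` hunk only calls it.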
@@ -146,7 +152,13 @@ then db_set nslcd/ldap-base "" db_set nslcd/ldap-binddn "" db_set nslcd/ldap-bindpw "" + db_set nslcd/ldap-sasl-mech "" + db_set nslcd/ldap-sasl-realm "" + db_set nslcd/ldap-sasl-authcid "" + db_set nslcd/ldap-sasl-authzid "" + db_set nslcd/ldap-sasl-secprops "" db_set nslcd/ldap-starttls "" + db_set nslcd/ldap-reqcert "" # parse current configuration parsecfg "$CONFFILE" else @@ -160,13 +172,28 @@ else db_get nslcd/ldap-uris [ -z "$RET" ] && db_set nslcd/ldap-uris "ldap://127.0.0.1/" db_get nslcd/ldap-base - [ -z "$RET" ] && db_set nslcd/ldap-base "dc=example,dc=net/" + [ -z "$RET" ] && db_set nslcd/ldap-base "dc=example,dc=net" fi # fallback for starttls option db_get nslcd/ldap-starttls [ -z "$RET" ] && db_set nslcd/ldap-starttls "false" +# deduce auth-type from available information +db_get nslcd/ldap-sasl-mech +sasl_mech="$RET" +db_get nslcd/ldap-binddn +binddn="$RET" +if [ -n "$sasl_mech" ] +then + db_set nslcd/ldap-auth-type "SASL" +elif [ -n "$binddn" ] +then + db_set nslcd/ldap-auth-type "simple" +else + db_set nslcd/ldap-auth-type "none" +fi + # # This is the second part of the script. In this part the configurable # settings will be presented to the user for approval. The postinst 
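Review bot: The reset block before `parsecfg "$CONFFILE"` clears every new SASL key except `nslcd/ldap-sasl-krb5-ccname`, yet `read_config` only assigns a key when its current debconf value is empty, so a ccname left over from an earlier run is never refreshed from nslcd.conf on reconfigure while the other SASL options are. Add `db_set nslcd/ldap-sasl-krb5-ccname ""` next to the other `db_set ... ""` lines so all keys follow the same rule. The enclosing `if` begins before this hunk.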
@@ -182,31 +209,76 @@ do db_input high nslcd/ldap-uris || true db_input high nslcd/ldap-base || true # ask the questions, go to the next question or exit - state="binddn" + state="authtype" db_go || exit 1 # TODO: add error checking on options ;; - binddn) - # ask for login information - db_input medium nslcd/ldap-binddn || true + authtype) + # ask for authentication type + db_input medium nslcd/ldap-auth-type || true # ask the question, go to the next question or back - state="bindpw" + state="authentication" db_go || state="server" ;; - bindpw) - # only ask question if we have a binddn - db_get nslcd/ldap-binddn - if [ -n "$RET" ] + authentication) + # check which questions to ask, depending on the authentication type + db_get nslcd/ldap-auth-type + case "$RET" in + none) + # anonymous bind, nothing to ask (clear options) + db_set nslcd/ldap-binddn "" + db_set nslcd/ldap-bindpw "" + db_set nslcd/ldap-sasl-mech "" + state="starttls" + ;; + simple) + # ask for binddn and bindpw + db_input medium nslcd/ldap-binddn || true + db_input medium nslcd/ldap-bindpw || true + db_set nslcd/ldap-sasl-mech "" + state="starttls" + ;; + SASL) + # ask about SASL mechanism (other SASL questions depend on this) + db_input medium nslcd/ldap-sasl-mech || true + # RFC4313 if SASL, binddn should be disabled + db_set nslcd/ldap-binddn "" + state="sasloptions" + ;; + *) + exit 1 + ;; + esac + db_go || state="authtype" + ;; + sasloptions) + # get SASL mech + db_get nslcd/ldap-sasl-mech + sasl_mech="$RET" + # ask SASL questions + db_input medium nslcd/ldap-sasl-realm || true + if [ "$sasl_mech" != "GSSAPI" ] then - # ask for login information + db_input medium nslcd/ldap-sasl-authcid || true db_input medium nslcd/ldap-bindpw || true else - # clear password + db_set nslcd/ldap-sasl-authcid "" db_set nslcd/ldap-bindpw "" fi + db_input medium nslcd/ldap-sasl-authzid || true + db_input medium nslcd/ldap-sasl-secprops || true + if [ "$sasl_mech" = "GSSAPI" ] + then + # have a default for 
ldap-sasl-krb5-ccname + db_get nslcd/ldap-sasl-krb5-ccname + [ -z "$RET" ] && db_set nslcd/ldap-sasl-krb5-ccname "/var/run/nslcd/nslcd.tkt" + db_input low nslcd/ldap-sasl-krb5-ccname || true + else + db_set nslcd/ldap-sasl-krb5-ccname "" + fi # ask the question, go to the next question or back state="starttls" - db_go || state="binddn" + db_go || state="authentication" ;; starttls) # check if ldaps:// URL's are used @@ -221,8 +293,9 @@ do db_input medium nslcd/ldap-starttls || true fi # ask the question, go to the next question or back + # (we go back to authtype because the previous questions were optional) state="reqcert" - db_go || state="bindpw" + db_go || state="authtype" ;; reqcert) # check if ldaps:// URL's are used @@ -235,10 +308,13 @@ do then # ask whether to do certificate validation db_input high nslcd/ldap-reqcert || true + else + db_set nslcd/ldap-reqcert "" fi # ask the question, go to the next question or back + # (we go back to authtype because the previous questions were optional) state="done" - db_go || state="starttls" + db_go || state="authtype" ;; esac done diff --git a/debian/nslcd.postinst b/debian/nslcd.postinst index 358d749..53f54fc 100644 --- a/debian/nslcd.postinst +++ b/debian/nslcd.postinst @@ -45,6 +45,11 @@ cfg_set() cfg_disable() { parameter="$1" + # handle bindpw option specially by removing value from config first + if [ "$parameter" = "bindpw" ] && grep -i -q "^bindpw " $CONFFILE + then + cfg_set bindpw "*removed*" + fi # make matching of spaces better in parameter param_re=`echo "$parameter" | sed 's#^#[[:space:]]*#;s#[[:space:]][[:space:]]*#[[:space:]][[:space:]]*#g'` # lines to not match 
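Review bot: In the `authentication` state the `none)` arm clears only binddn, bindpw and sasl-mech, and `simple)` clears only sasl-mech, so `nslcd/ldap-sasl-realm`, `-authcid`, `-authzid`, `-secprops` and `-krb5-ccname` keep whatever `parsecfg` read from an earlier SASL setup; the postinst's `update_config` (visible further down this page) then writes those `sasl_*`/`krb5_ccname` lines back into nslcd.conf for a configuration that no longer uses SASL. Clearing the remaining SASL keys in both arms keeps the debconf state and the generated file consistent with the chosen auth type. Whether nslcd itself ignores those options when `sasl_mech` is unset is not visible here, so this is about stale configuration rather than a proven functional break. The `case` and the enclosing `while` loop start before this hunk.

```shell
      none)
        # anonymous bind: clear every credential-related option so the
        # postinst disables them instead of re-writing stale values
        db_set nslcd/ldap-binddn ""
        db_set nslcd/ldap-bindpw ""
        db_set nslcd/ldap-sasl-mech ""
        db_set nslcd/ldap-sasl-realm ""
        db_set nslcd/ldap-sasl-authcid ""
        db_set nslcd/ldap-sasl-authzid ""
        db_set nslcd/ldap-sasl-secprops ""
        db_set nslcd/ldap-sasl-krb5-ccname ""
        state="starttls"
        ;;
      simple)
        # ask for binddn and bindpw; the SASL options do not apply
        db_input medium nslcd/ldap-binddn || true
        db_input medium nslcd/ldap-bindpw || true
        db_set nslcd/ldap-sasl-mech ""
        db_set nslcd/ldap-sasl-realm ""
        db_set nslcd/ldap-sasl-authcid ""
        db_set nslcd/ldap-sasl-authzid ""
        db_set nslcd/ldap-sasl-secprops ""
        db_set nslcd/ldap-sasl-krb5-ccname ""
        state="starttls"
        ;;
      # … unchanged: SASL) and *) arms …
```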
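Review bot: The new `bindpw` special case in `cfg_disable` only triggers on `grep -i -q "^bindpw " $CONFFILE`, i.e. exactly one space after the keyword, while the `param_re` built just below accepts any run of whitespace; a line such as `bindpw<TAB>secret` is therefore disabled without being overwritten first, and the password stays readable in the disabled line (assuming `cfg_disable` comments out rather than deletes, as its name suggests). Use the same whitespace class and quote the path: `if [ "$parameter" = "bindpw" ] && grep -i -q '^bindpw[[:space:]]' "$CONFFILE"`. The rest of `cfg_disable` continues past the end of this hunk.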
@@ -135,6 +140,21 @@ EOM return 0 } +# update a configuration parameter, based on the debconf key +update_config() +{ + debconf_param="$1" + cfg_param="$2" + # update configuration option based on debconf value + db_get "$debconf_param" + if [ -n "$RET" ] + then + cfg_set "$cfg_param" "$RET" + else + cfg_disable "$cfg_param" + fi +} + # real functions begin here if [ "$1" = "configure" ] then 
@@ -162,43 +182,32 @@ then fi # create a default configuration create_config - # set server uri - db_get nslcd/ldap-uris - cfg_uris "$RET" - # set search base - db_get nslcd/ldap-base - if [ -n "$RET" ] + # rename tls_checkpeer to tls_reqcert + if grep -qi '^tls_checkpeer[[:space:]]' $CONFFILE then - cfg_set base "$RET" - else - cfg_disable base + echo "Renaming tls_checkpeer to tls_reqcert in $CONFFILE..." >&2 + sed -i 's/^tls_checkpeer[[:space:]]/tls_reqcert /' "$CONFFILE" fi - # set bind dn/pw - db_get nslcd/ldap-binddn - if [ -n "$RET" ] + # rename reconnect_maxsleeptime to reconnect_retrytime + if grep -qi '^reconnect_maxsleeptime[[:space:]]' $CONFFILE then - cfg_set binddn "$RET" - db_get nslcd/ldap-bindpw - if [ -n "$RET" ] - then - cfg_set bindpw "$RET" - else - # no bindpw set - if grep -i -q "^bindpw " $CONFFILE - then - cfg_set bindpw "*removed*" - cfg_disable bindpw - fi - fi - else - # no binddn/pw, disable options - cfg_disable binddn - if grep -i -q "^bindpw " $CONFFILE - then - cfg_set bindpw "*removed*" - cfg_disable bindpw - fi + echo "Renaming reconnect_maxsleeptime to reconnect_retrytime in $CONFFILE..." >&2 + sed -i 's/^reconnect_maxsleeptime[[:space:]]/reconnect_retrytime /' "$CONFFILE" fi + # set server uri + db_get nslcd/ldap-uris + cfg_uris "$RET" + # update some options + update_config nslcd/ldap-base base + update_config nslcd/ldap-binddn binddn + update_config nslcd/ldap-bindpw bindpw + update_config nslcd/ldap-sasl-mech sasl_mech + update_config nslcd/ldap-sasl-realm sasl_realm + update_config nslcd/ldap-sasl-authcid sasl_authcid + update_config nslcd/ldap-sasl-authzid sasl_authzid + update_config nslcd/ldap-sasl-secprops sasl_secprops + update_config nslcd/ldap-sasl-krb5-ccname krb5_ccname + update_config nslcd/ldap-reqcert tls_reqcert # remove password from database db_set nslcd/ldap-bindpw "" # set ssl option 
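Review bot: `update_config nslcd/ldap-reqcert tls_reqcert` changes the old semantics: the removed code only wrote `tls_reqcert` when the debconf value was non-empty, whereas `update_config` calls `cfg_disable` on an empty value, and the config script now explicitly empties `nslcd/ldap-reqcert` whenever the certificate question is not asked. Unless that question's condition (not visible here) covers every TLS mode, an administrator's hand-written `tls_reqcert demand` can be commented out on a routine reconfigure, silently weakening peer verification; keeping the set-only behaviour for this key, e.g. `db_get nslcd/ldap-reqcert; [ -n "$RET" ] && cfg_set tls_reqcert "$RET"`, avoids that. Separately, the two rename checks use `grep -qi` but the paired `sed` commands carry no `i` flag (the removed `tls_checkpeer` sed did), so an upper-case `TLS_CHECKPEER` prints the rename message yet is left in place — add the flag, `sed -i 's/^tls_checkpeer[[:space:]]/tls_reqcert /i' "$CONFFILE"`, and quote `$CONFFILE` in the `grep` calls as the `sed` lines already do. The surrounding `if [ "$1" = "configure" ]` block begins before this hunk.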
@@ -210,25 +219,8 @@ then then cfg_disable ssl fi - # set tls_reqcert option - db_get nslcd/ldap-reqcert - if [ -n "$RET" ] - then - # rename any tls_checkpeer options - sed -i 's/^tls_checkpeer/tls_reqcert/i' "$CONFFILE" - # set tls_reqcert option - cfg_set tls_reqcert "$RET" - # clear debconf value so that this option is only set if the question is asked - db_set nslcd/ldap-reqcert "" - fi # we're done db_stop - # rename reconnect_maxsleeptime to reconnect_retrytime - if grep -qi '^reconnect_maxsleeptime[[:space:]]' $CONFFILE - then - echo "Renaming reconnect_maxsleeptime to reconnect_retrytime in $CONFFILE..." >&2 - sed -i 's/^reconnect_maxsleeptime[[:space:]]/reconnect_retrytime /' "$CONFFILE" - fi # fix permissions of configfile if upgrading from an old version if dpkg --compare-versions "$2" lt-nl "0.6.7.1" then diff --git a/debian/nslcd.templates b/debian/nslcd.templates index 0c0cc82..874a348 100644 --- a/debian/nslcd.templates +++ b/debian/nslcd.templates 
@@ -18,19 +18,87 @@ _Description: LDAP server search base: domain "example.net" would use "dc=example,dc=net" as the distinguished name of the search base. +Template: nslcd/ldap-auth-type +Type: select +__Choices: none, simple, SASL +Default: none +_Description: LDAP authentication to use: + If your LDAP database requires authentication you can choose which mechanism + should be used. Please choose the mechanism by which authentication should + be done: + * none: no authentication; + * simple: simple clear text binddn/password; + * SASL: one of the Simple Authentication and Security Layer + mechanisms. + Template: nslcd/ldap-binddn Type: string _Description: LDAP database user: - If the LDAP database requires a login for normal lookups, enter the name of - the account that will be used here. Leave it empty otherwise. - . - This value should be specified as a DN (distinguished name). + Enter the name of the account that will be used to log in to the LDAP + database. This value should be specified as a DN (distinguished name). Template: nslcd/ldap-bindpw Type: password _Description: LDAP user password: Enter the password that will be used to log in to the LDAP database. +Template: nslcd/ldap-sasl-mech +Type: select +__Choices: auto, LOGIN, PLAIN, NTLM, CRAM-MD5, DIGEST-MD5, GSSAPI, OTP +_Description: SASL mechanism to use: + Choose the SASL mechanism that will be used to authenticate to the LDAP + database: + * auto: autonegociation; + * LOGIN: deprecated in flavor of PLAIN; + * PLAIN: simple cleartext password mechanism; + * NTLM: NT LAN Manager authentication mechanism; + * CRAM-MD5: challenge-response scheme based on HMAC-MD5; + * DIGEST-MD5: HTTP Digest compatible challenge-response scheme; + * GSSAPI: used for Kerberos; + * OTP: a One Time Password mechanism. + +Template: nslcd/ldap-sasl-realm +Type: string +_Description: SASL realm: + Enter the SASL realm that will be used to authenticate to the LDAP + database. + . 
+ If empty, the GSSAPI mechanism will use information from the Kerberos + credential cache. Others mechanisms may need @<REALM> suffixing sasl_authcid + and sasl_authzid. + . + The realm is appended to authentication and authorisation identities. + +Template: nslcd/ldap-sasl-authcid +Type: string +_Description: SASL authentication identity: + Enter the SASL authentication identity that will be used to authenticate to + the LDAP database. + . + This is the login used in LOGIN, PLAIN, CRAM-MD5 and DIGEST-MD5 mechanisms. + +Template: nslcd/ldap-sasl-authzid +Type: string +_Description: SASL proxy authorisation identity: + Enter the proxy authorisation identity that will be used to authenticate to + the LDAP database. + . + This is the object in the name of witch the LDAP request are done. + This value should be specified as a DN (distinguished name). + +Template: nslcd/ldap-sasl-secprops +Type: string +_Description: Cyrus SASL security properties: + Enter the Cyrus SASL security properties. + Allowed values are described in the ldap.conf(5) manual page + in the SASL OPTIONS section. + +Template: nslcd/ldap-sasl-krb5-ccname +Type: string +Default: /var/run/nslcd/nslcd.tkt +_Description: Kerberos credential cache file path: + Enter the GSSAPI/Kerberos credential cache file name that will be used. + Template: nslcd/ldap-starttls Type: boolean _Description: Use StartTLS? |
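Review bot: The `nslcd/ldap-auth-type` and `nslcd/ldap-sasl-mech` descriptions label `simple`, `LOGIN` and `PLAIN` as clear-text password mechanisms but give no hint that they should only be combined with the StartTLS or ldaps:// options asked later in this same file, so an administrator may end up sending the bind password unencrypted; a sentence such as `Clear-text mechanisms should only be used over StartTLS or an ldaps:// connection.` under both templates would make that explicit. Several user-visible strings also have typos: `autonegociation` → `autonegotiation`, `deprecated in flavor of PLAIN` → `deprecated in favour of PLAIN`, `Others mechanisms` → `Other mechanisms`, and `the object in the name of witch the LDAP request are done` → `the identity on whose behalf the LDAP requests are made`. Since these are translatable `_Description` fields, fixing them before translators pick them up avoids churn.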