-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | debian/libnss-ldapd.postinst | 2 | ||||
-rw-r--r-- | debian/libnss-ldapd.postrm | 1 | ||||
-rw-r--r-- | debian/libpam-ldapd.lintian-overrides | 6 | ||||
-rw-r--r-- | debian/libpam-ldapd.postinst | 42 | ||||
-rw-r--r-- | debian/libpam-ldapd.templates | 15 |
6 files changed, 68 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am index c958354..0b8bbeb 100644 --- a/Makefile.am +++ b/Makefile.am @@ -52,10 +52,12 @@ DEBIAN_FILES = debian/changelog debian/compat debian/control \ debian/libnss-ldapd.postrm \ debian/libnss-ldapd.templates \ debian/libpam-ldapd.install \ + debian/libpam-ldapd.lintian-overrides \ debian/libpam-ldapd.manpages \ debian/libpam-ldapd.pam-auth-update \ debian/libpam-ldapd.postinst \ debian/libpam-ldapd.prerm \ + debian/libpam-ldapd.templates \ debian/po/POTFILES.in debian/po/templates.pot \ $(wildcard debian/po/*.po) diff --git a/debian/libnss-ldapd.postinst b/debian/libnss-ldapd.postinst index 34c55be..6124dd6 100644 --- a/debian/libnss-ldapd.postinst +++ b/debian/libnss-ldapd.postinst @@ -7,6 +7,7 @@ set -e # check to see if name is configured to do lookups through # LDAP and enable if not +# Note: this function is in both libnss-ldapd.postinst and libpam-ldapd.postinst nss_enable() { name="$1" @@ -27,6 +28,7 @@ nss_enable() } # remove NSS lookups though LDAP for the specified service +# Note: this function is in both libnss-ldapd.postinst and libnss-ldapd.postrm nss_disable() { name="$1" diff --git a/debian/libnss-ldapd.postrm b/debian/libnss-ldapd.postrm index b21df19..a4a95f2 100644 --- a/debian/libnss-ldapd.postrm +++ b/debian/libnss-ldapd.postrm @@ -3,6 +3,7 @@ set -e # remove NSS lookups though LDAP for the specified service +# Note: this function is in both libnss-ldapd.postinst and libnss-ldapd.postrm nss_disable() { name="$1" diff --git a/debian/libpam-ldapd.lintian-overrides b/debian/libpam-ldapd.lintian-overrides new file mode 100644 index 0000000..1f54a33 --- /dev/null +++ b/debian/libpam-ldapd.lintian-overrides @@ -0,0 +1,6 @@ +# we prompt in postinst instead of config because we can only +# reliably detect the actual configuration in postinst and are +# only doing this if we detect that there is something wrong +# with the actual config +libpam-ldapd: no-debconf-config +libpam-ldapd: postinst-uses-db-input 
diff --git a/debian/libpam-ldapd.postinst b/debian/libpam-ldapd.postinst index 20c9b76..026c2e9 100644 --- a/debian/libpam-ldapd.postinst +++ b/debian/libpam-ldapd.postinst @@ -2,6 +2,48 @@ set -e +# source debconf library. +. /usr/share/debconf/confmodule +db_version 2.0 + #DEBHELPER# pam-auth-update --package + +# check to see if name is configured to do lookups through +# LDAP and enable if not +# Note: this function is in both libnss-ldapd.postinst and libpam-ldapd.postinst +nss_enable() +{ + name="$1" + if ! grep -q '^'$name':.*ldap.*' /etc/nsswitch.conf + then + echo "/etc/nsswitch.conf: enable LDAP lookups for $name" >&2 + if grep -q '^'$name':' /etc/nsswitch.conf + then + # modify an existing entry by just adding ldap to the end + sed -i 's/^\('$name':.*[^[:space:]]\)[[:space:]]*$/\1 ldap/' /etc/nsswitch.conf + else + # append a new line + printf '%-15s ldap\n' $name':' >> /etc/nsswitch.conf + fi + fi + # we're done + return 0 +} + +# if /etc/nsswitch.conf contains passwd: ..ldap but not shadow: ...ldap +# warn the user that this will not work and offer to fix it +if grep -q '^passwd:.*ldap' /etc/nsswitch.conf && \ + ! grep -q '^shadow:.*ldap' /etc/nsswitch.conf +then + if db_input critical libpam-ldapd/enable_shadow + then + db_go + db_get libpam-ldapd/enable_shadow + if [ "$RET" = "true" ] + then + nss_enable shadow + fi + fi +fi diff --git a/debian/libpam-ldapd.templates b/debian/libpam-ldapd.templates new file mode 100644 index 0000000..1abfac5 --- /dev/null +++ b/debian/libpam-ldapd.templates 
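Review bot: The `ldap` tests added to libpam-ldapd.postinst match the substring anywhere on the line, so an entry such as `shadow: files # ldap`, or a service whose name merely contains `ldap`, counts as already configured and the prompt is silently skipped. The same loose match decides whether `passwd:` uses LDAP and whether `nss_enable` edits the file at all. A whole-word match outside comments would be stricter, for example `grep -Eq '^shadow:([^#]*[[:space:]])?ldap([[:space:]]|$)' /etc/nsswitch.conf`. `$name` is also expanded unquoted in the grep and sed patterns and in the `printf` argument; it is only ever `shadow` in this hunk, but writing `"$name"` keeps the copied function safe if another caller is added. Since the script rewrites /etc/nsswitch.conf in place with `sed -i` and `>>`, a short comment stating that the file is modified only after the user answers the debconf question would help the next maintainer.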
@@ -0,0 +1,15 @@
+Template: libpam-ldapd/enable_shadow
+Type: boolean
+Default: true
+_Description: Enable shadow lookups through NSS?
+ For the proper operation of the PAM stack the NSS module should return
+ shadow information for LDAP users, otherwise these users will not be able
+ to log in. Note that the shadow entries themselves may be empty (i.e. it
+ is not needed to expose password hashes).
+ .
+ More background information on this requirement can be found here:
+ http://bugs.debian.org/583492
+ .
+ You can edit /etc/nsswitch.conf by hand or choose to add the entry
+ automatically now. Be sure to review the changes to /etc/nsswitch.conf if
+ you choose to add the entry now. |