From 1a5069a02be8b8c242eebda7cecf72a7fbcd34b0 Mon Sep 17 00:00:00 2001 From: Arthur de Jong Date: Sun, 7 Nov 2010 16:38:48 +0000 Subject: remove extra slash character git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1304 ef36b2f9-881f-0410-afb5-c4e39611909c --- debian/nslcd.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/nslcd.config b/debian/nslcd.config index 2ac2a38..02c2a30 100644 --- a/debian/nslcd.config +++ b/debian/nslcd.config @@ -160,7 +160,7 @@ else db_get nslcd/ldap-uris [ -z "$RET" ] && db_set nslcd/ldap-uris "ldap://127.0.0.1/" db_get nslcd/ldap-base - [ -z "$RET" ] && db_set nslcd/ldap-base "dc=example,dc=net/" + [ -z "$RET" ] && db_set nslcd/ldap-base "dc=example,dc=net" fi # fallback for starttls option -- cgit v1.2.3 From 4b03a41e450adf7a3e983bdcee3ed159f9932d5b Mon Sep 17 00:00:00 2001 From: Arthur de Jong Date: Sun, 7 Nov 2010 17:06:07 +0000 Subject: handle tls_reqcert option consistently with other options git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1305 ef36b2f9-881f-0410-afb5-c4e39611909c --- debian/nslcd.config | 2 ++ debian/nslcd.postinst | 8 ++++---- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'debian') diff --git a/debian/nslcd.config b/debian/nslcd.config index 02c2a30..611f767 100644 --- a/debian/nslcd.config +++ b/debian/nslcd.config @@ -235,6 +235,8 @@ do then # ask whether to do certificate validation db_input high nslcd/ldap-reqcert || true + else + db_set nslcd/ldap-reqcert "" fi # ask the question, go to the next question or back state="done" diff --git a/debian/nslcd.postinst b/debian/nslcd.postinst index 358d749..e51cd5f 100644 --- a/debian/nslcd.postinst +++ b/debian/nslcd.postinst 
@@ -210,16 +210,16 @@ then then cfg_disable ssl fi + # rename any tls_checkpeer options + sed -i 's/^tls_checkpeer/tls_reqcert/i' "$CONFFILE" # set tls_reqcert option db_get nslcd/ldap-reqcert if [ -n "$RET" ] then - # rename any tls_checkpeer options - sed -i 's/^tls_checkpeer/tls_reqcert/i' "$CONFFILE" # set tls_reqcert option cfg_set tls_reqcert "$RET" - # clear debconf value so that this option is only set if the question is asked - db_set nslcd/ldap-reqcert "" + else + cfg_disable tls_reqcert fi # we're done db_stop -- cgit v1.2.3 From 1031fca2fba6168933ffc5de900b5e9db46c161e Mon Sep 17 00:00:00 2001 From: Arthur de Jong Date: Sun, 7 Nov 2010 17:08:53 +0000 Subject: move special casing of handling bindpw removal to cfg_disable() function git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1306 ef36b2f9-881f-0410-afb5-c4e39611909c --- debian/nslcd.postinst | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) (limited to 'debian') diff --git a/debian/nslcd.postinst b/debian/nslcd.postinst index e51cd5f..dee6893 100644 --- a/debian/nslcd.postinst +++ b/debian/nslcd.postinst @@ -45,6 +45,11 @@ cfg_set() cfg_disable() { parameter="$1" + # handle bindpw option specially by removing value from config first + if [ "$parameter" = "bindpw" ] && grep -i -q "^bindpw " $CONFFILE + then + cfg_set bindpw "*removed*" + fi # make matching of spaces better in parameter param_re=`echo "$parameter" | sed 's#^#[[:space:]]*#;s#[[:space:]][[:space:]]*#[[:space:]][[:space:]]*#g'` # lines to not match @@ -183,21 +188,12 @@ then then cfg_set bindpw "$RET" else - # no bindpw set - if grep -i -q "^bindpw " $CONFFILE - then - cfg_set bindpw "*removed*" - cfg_disable bindpw - fi + cfg_disable bindpw fi else # no binddn/pw, disable options cfg_disable binddn - if grep -i -q "^bindpw " $CONFFILE - then - cfg_set bindpw "*removed*" - cfg_disable bindpw - fi + cfg_disable bindpw fi # remove password from database db_set nslcd/ldap-bindpw "" -- cgit v1.2.3 
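Review bot: In the new bindpw special case of cfg_disable() (the @@ -45 hunk of the third commit), `grep -i -q "^bindpw " $CONFFILE` matches only a keyword followed by a literal space, so a tab-separated `bindpw` line skips the `*removed*` overwrite and is presumably then commented out by the rest of cfg_disable (outside the hunk) with the password still readable in the file. `$CONFFILE` is also unquoted here while the sed calls in the same script quote it. Suggest `if [ "$parameter" = "bindpw" ] && grep -i -q "^bindpw[[:space:]]" "$CONFFILE"`, matching the `[[:space:]]` pattern used for the other keyword matches in these scripts. The two call sites simplified in the @@ -183 hunk of the same commit need no change for this.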
From fb7025d23abe4295afc674a6c8a92861b95e80c2 Mon Sep 17 00:00:00 2001 From: Arthur de Jong Date: Sun, 7 Nov 2010 20:04:58 +0000 Subject: split updating configuration file based on debconf value to separate function and make config option renaming consistent git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1308 ef36b2f9-881f-0410-afb5-c4e39611909c --- debian/nslcd.postinst | 71 ++++++++++++++++++++++----------------------------- 1 file changed, 30 insertions(+), 41 deletions(-) (limited to 'debian') diff --git a/debian/nslcd.postinst b/debian/nslcd.postinst index dee6893..8177feb 100644 --- a/debian/nslcd.postinst +++ b/debian/nslcd.postinst @@ -140,6 +140,20 @@ EOM return 0 } +update_config() +{ + debconf_param="$1" + cfg_param="$2" + # update configuration option based on debconf value + db_get "$debconf_param" + if [ -n "$RET" ] + then + cfg_set "$cfg_param" "$RET" + else + cfg_disable "$cfg_param" + fi +} + # real functions begin here if [ "$1" = "configure" ] then 
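Review bot: update_config() assigns `debconf_param` and `cfg_param` as script-wide globals rather than function locals; nothing in this hunk reads them afterwards, but any later helper reusing the names would silently share state with it. Debian policy guarantees `local` in /bin/sh, so `local debconf_param="$1"` and `local cfg_param="$2"` are safe here and make the intent explicit. The function header (outside the hunk apart from the new lines) should also state the contract that an empty debconf value disables the option rather than leaving the file untouched, since callers in the later hunks rely on that.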
@@ -167,34 +181,26 @@ then fi # create a default configuration create_config - # set server uri - db_get nslcd/ldap-uris - cfg_uris "$RET" - # set search base - db_get nslcd/ldap-base - if [ -n "$RET" ] + # rename tls_checkpeer to tls_reqcert + if grep -qi '^tls_checkpeer[[:space:]]' $CONFFILE then - cfg_set base "$RET" - else - cfg_disable base + echo "Renaming tls_checkpeer to tls_reqcert in $CONFFILE..." >&2 + sed -i 's/^tls_checkpeer[[:space:]]/tls_reqcert /' "$CONFFILE" fi - # set bind dn/pw - db_get nslcd/ldap-binddn - if [ -n "$RET" ] + # rename reconnect_maxsleeptime to reconnect_retrytime + if grep -qi '^reconnect_maxsleeptime[[:space:]]' $CONFFILE then - cfg_set binddn "$RET" - db_get nslcd/ldap-bindpw - if [ -n "$RET" ] - then - cfg_set bindpw "$RET" - else - cfg_disable bindpw - fi - else - # no binddn/pw, disable options - cfg_disable binddn - cfg_disable bindpw + echo "Renaming reconnect_maxsleeptime to reconnect_retrytime in $CONFFILE..." >&2 + sed -i 's/^reconnect_maxsleeptime[[:space:]]/reconnect_retrytime /' "$CONFFILE" fi + # set server uri + db_get nslcd/ldap-uris + cfg_uris "$RET" + # update some options + update_config nslcd/ldap-base base + update_config nslcd/ldap-binddn binddn + update_config nslcd/ldap-bindpw bindpw + update_config nslcd/ldap-reqcert tls_reqcert # remove password from database db_set nslcd/ldap-bindpw "" # set ssl option 
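Review bot: The two rename blocks in this hunk test with `grep -qi` (case-insensitive) but rewrite with `sed -i 's/^tls_checkpeer[[:space:]]/tls_reqcert /'` without a case-insensitive flag, so a line spelled `TLS_CHECKPEER` prints the "Renaming ..." message yet is left unchanged; the version of this sed in the previous commit of the series did carry `/i`, and the reconnect_maxsleeptime block, which this commit only relocates, has the same mismatch. Adding the flag, `sed -i 's/^tls_checkpeer[[:space:]]/tls_reqcert /i' "$CONFFILE"` and likewise for reconnect_maxsleeptime, keeps the test and the rewrite in agreement. `$CONFFILE` is unquoted in both grep lines but quoted in the sed lines; quoting it consistently avoids word splitting on an unusual path.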
@@ -206,25 +212,8 @@ then then cfg_disable ssl fi - # rename any tls_checkpeer options - sed -i 's/^tls_checkpeer/tls_reqcert/i' "$CONFFILE" - # set tls_reqcert option - db_get nslcd/ldap-reqcert - if [ -n "$RET" ] - then - # set tls_reqcert option - cfg_set tls_reqcert "$RET" - else - cfg_disable tls_reqcert - fi # we're done db_stop - # rename reconnect_maxsleeptime to reconnect_retrytime - if grep -qi '^reconnect_maxsleeptime[[:space:]]' $CONFFILE - then - echo "Renaming reconnect_maxsleeptime to reconnect_retrytime in $CONFFILE..." >&2 - sed -i 's/^reconnect_maxsleeptime[[:space:]]/reconnect_retrytime /' "$CONFFILE" - fi # fix permissions of configfile if upgrading from an old version if dpkg --compare-versions "$2" lt-nl "0.6.7.1" then -- cgit v1.2.3 From 515015797fb8a7feeb5639ec0ddcbe4c87d5f0f3 Mon Sep 17 00:00:00 2001 From: Arthur de Jong Date: Sun, 7 Nov 2010 22:05:59 +0000 Subject: add comment describing function git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1309 ef36b2f9-881f-0410-afb5-c4e39611909c --- debian/nslcd.postinst | 1 + 1 file changed, 1 insertion(+) (limited to 'debian') diff --git a/debian/nslcd.postinst b/debian/nslcd.postinst index 8177feb..d103e9d 100644 --- a/debian/nslcd.postinst +++ b/debian/nslcd.postinst @@ -140,6 +140,7 @@ EOM return 0 } +# update a configuration parameter, based on the debconf key update_config() { debconf_param="$1" -- cgit v1.2.3 From 901276912d8241ad61da3db57835d23cc7917205 Mon Sep 17 00:00:00 2001 From: Arthur de Jong Date: Sun, 7 Nov 2010 22:13:26 +0000 Subject: split reading values from a configfile into a separate function and also ensure that tls_reqcert is correctly read git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1310 ef36b2f9-881f-0410-afb5-c4e39611909c --- debian/nslcd.config | 41 ++++++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 21 deletions(-) (limited to 'debian') 
diff --git a/debian/nslcd.config b/debian/nslcd.config index 611f767..4af3d7c 100644 --- a/debian/nslcd.config +++ b/debian/nslcd.config @@ -20,6 +20,21 @@ db_capb backup # default. # +# read a configuration value from the specified file +# (it takes care in not overwriting a previously written value) +read_config() +{ + debconf_param="$1" + cfg_param="$2" + # get debconf value to ensure we don't overwrite an already set value + db_get "$debconf_param" + if [ -z "$RET" ] + then + value=`sed -n 's/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1` + [ -n "$value" ] && db_set "$debconf_param" "$value" + fi +} + # check the system (non-LDAP configuration files) for some # reasonable defaults parsesys() @@ -91,27 +106,10 @@ parsecfg() fi [ -n "$uris" ] && db_set nslcd/ldap-uris "$uris" fi - # find base config - db_get nslcd/ldap-base - if [ -z "$RET" ] - then - searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1` - [ -n "$searchbase" ] && db_set nslcd/ldap-base "$searchbase" - fi - # find binddn - db_get nslcd/ldap-binddn - if [ -z "$RET" ] - then - binddn=`sed -n 's/^binddn[[:space:]]*//ip' "$cfgfile" | tail -n 1` - db_set nslcd/ldap-binddn "$binddn" - fi - # find bindpw - db_get nslcd/ldap-bindpw - if [ -z "$RET" ] - then - bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' "$cfgfile" | tail -n 1` - db_set nslcd/ldap-bindpw "$bindpw" - fi + # read simple options + read_config nslcd/ldap-base base + read_config nslcd/ldap-binddn binddn + read_config nslcd/ldap-bindpw bindpw # check ssl option db_get nslcd/ldap-starttls if [ -z "$RET" ] @@ -147,6 +145,7 @@ then db_set nslcd/ldap-binddn "" db_set nslcd/ldap-bindpw "" db_set nslcd/ldap-starttls "" + db_set nslcd/ldap-reqcert "" # parse current configuration parsecfg "$CONFFILE" else -- cgit v1.2.3 From 8023dd7e8e1d9187e0ba15f06f6e9fd1e7ee7970 Mon Sep 17 00:00:00 2001 
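Review bot: read_config()'s regex `^'"$cfg_param"'[[:space:]]*\(...\)` allows zero whitespace after the keyword, so a longer keyword that starts with the same letters would be captured as a value for the shorter one; require a separator with `[[:space:]][[:space:]]*`. Unlike the removed `base` regex, which accepted a single token only, the new capture admits spaces, so if the file carries a per-map form such as `base passwd <dn>`, the `| tail -n 1` may now promote that map-specific line to nslcd/ldap-base — worth confirming against the nslcd.conf syntax in use. `$cfgfile` is a global set by the calling parsecfg() (outside the hunk) and `$cfg_param` is spliced into the sed program unescaped, which is fine for the literal keywords passed here but should be stated in the header comment, e.g. `# cfg_param is a plain keyword name: it is inserted into the sed pattern unescaped`. Copying `bindpw` from the file into the debconf database is pre-existing behaviour carried over from the removed lines.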
From: Arthur de Jong Date: Wed, 10 Nov 2010 20:05:46 +0000 Subject: fix for problem with undefined values in read_config() function git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1311 ef36b2f9-881f-0410-afb5-c4e39611909c --- debian/nslcd.config | 2 ++ 1 file changed, 2 insertions(+) (limited to 'debian') diff --git a/debian/nslcd.config b/debian/nslcd.config index 4af3d7c..bef5378 100644 --- a/debian/nslcd.config +++ b/debian/nslcd.config @@ -33,6 +33,8 @@ read_config() value=`sed -n 's/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1` [ -n "$value" ] && db_set "$debconf_param" "$value" fi + # we're done + return 0 } # check the system (non-LDAP configuration files) for some -- cgit v1.2.3 From ca4154079dd117cbfe980d8950a5970cafeb062f Mon Sep 17 00:00:00 2001 From: Arthur de Jong Date: Wed, 10 Nov 2010 21:12:05 +0000 Subject: implement configuring SASL authentication using Debconf, based on a patch by Daniel Dehennin git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1312 ef36b2f9-881f-0410-afb5-c4e39611909c --- debian/nslcd.config | 101 ++++++++++++++++++++++++++++++++++++++++++------- debian/nslcd.postinst | 6 +++ debian/nslcd.templates | 76 +++++++++++++++++++++++++++++++++++-- 3 files changed, 165 insertions(+), 18 deletions(-) (limited to 'debian') diff --git a/debian/nslcd.config b/debian/nslcd.config index bef5378..933c5e3 100644 --- a/debian/nslcd.config +++ b/debian/nslcd.config 
@@ -112,6 +112,12 @@ parsecfg() read_config nslcd/ldap-base base read_config nslcd/ldap-binddn binddn read_config nslcd/ldap-bindpw bindpw + read_config nslcd/ldap-sasl-mech sasl_mech + read_config nslcd/ldap-sasl-realm sasl_realm + read_config nslcd/ldap-sasl-authcid sasl_authcid + read_config nslcd/ldap-sasl-authzid sasl_authzid + read_config nslcd/ldap-sasl-secprops sasl_secprops + read_config nslcd/ldap-sasl-krb5-ccname krb5_ccname # check ssl option db_get nslcd/ldap-starttls if [ -z "$RET" ] @@ -146,6 +152,11 @@ then db_set nslcd/ldap-base "" db_set nslcd/ldap-binddn "" db_set nslcd/ldap-bindpw "" + db_set nslcd/ldap-sasl-mech "" + db_set nslcd/ldap-sasl-realm "" + db_set nslcd/ldap-sasl-authcid "" + db_set nslcd/ldap-sasl-authzid "" + db_set nslcd/ldap-sasl-secprops "" db_set nslcd/ldap-starttls "" db_set nslcd/ldap-reqcert "" # parse current configuration @@ -168,6 +179,21 @@ fi db_get nslcd/ldap-starttls [ -z "$RET" ] && db_set nslcd/ldap-starttls "false" +# deduce auth-type from available information +db_get nslcd/ldap-sasl-mech +sasl_mech="$RET" +db_get nslcd/ldap-binddn +binddn="$RET" +if [ -n "$sasl_mech" ] +then + db_set nslcd/ldap-auth-type "SASL" +elif [ -n "$binddn" ] +then + db_set nslcd/ldap-auth-type "simple" +else + db_set nslcd/ldap-auth-type "none" +fi + # # This is the second part of the script. In this part the configurable # settings will be presented to the user for approval. The postinst 
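Review bot: The reset list in the @@ -146 hunk clears the five new `nslcd/ldap-sasl-*` keys but not `nslcd/ldap-sasl-krb5-ccname`, while the @@ -112 hunk reads `krb5_ccname` through read_config(), which only takes the file's value when the debconf value is empty; a stale debconf value would therefore win over whatever is in the configuration file for this one option, unlike all the others. Adding `db_set nslcd/ldap-sasl-krb5-ccname ""` next to the other resets restores the symmetry, and the sasloptions state added later in the same commit re-applies the `/var/run/nslcd/nslcd.tkt` default when the value is empty, so nothing is lost.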
@@ -183,31 +209,76 @@ do db_input high nslcd/ldap-uris || true db_input high nslcd/ldap-base || true # ask the questions, go to the next question or exit - state="binddn" + state="authtype" db_go || exit 1 # TODO: add error checking on options ;; - binddn) - # ask for login information - db_input medium nslcd/ldap-binddn || true + authtype) + # ask for authentication type + db_input medium nslcd/ldap-auth-type || true # ask the question, go to the next question or back - state="bindpw" + state="authentication" db_go || state="server" ;; - bindpw) - # only ask question if we have a binddn - db_get nslcd/ldap-binddn - if [ -n "$RET" ] + authentication) + # check which questions to ask, depending on the authentication type + db_get nslcd/ldap-auth-type + case "$RET" in + none) + # anonymous bind, nothing to ask (clear options) + db_set nslcd/ldap-binddn "" + db_set nslcd/ldap-bindpw "" + db_set nslcd/ldap-sasl-mech "" + state="starttls" + ;; + simple) + # ask for binddn and bindpw + db_input medium nslcd/ldap-binddn || true + db_input medium nslcd/ldap-bindpw || true + db_set nslcd/ldap-sasl-mech "" + state="starttls" + ;; + SASL) + # ask about SASL mechanism (other SASL questions depend on this) + db_input medium nslcd/ldap-sasl-mech || true + # RFC4313 if SASL, binddn should be disabled + db_set nslcd/ldap-binddn "" + state="sasloptions" + ;; + *) + exit 1 + ;; + esac + db_go || state="authtype" + ;; + sasloptions) + # get SASL mech + db_get nslcd/ldap-sasl-mech + sasl_mech="$RET" + # ask SASL questions + db_input medium nslcd/ldap-sasl-realm || true + if [ "$sasl_mech" != "GSSAPI" ] then - # ask for login information + db_input medium nslcd/ldap-sasl-authcid || true db_input medium nslcd/ldap-bindpw || true else - # clear password + db_set nslcd/ldap-sasl-authcid "" db_set nslcd/ldap-bindpw "" fi + db_input medium nslcd/ldap-sasl-authzid || true + db_input medium nslcd/ldap-sasl-secprops || true + if [ "$sasl_mech" = "GSSAPI" ] + then + # have a default for 
ldap-sasl-krb5-ccname + db_get nslcd/ldap-sasl-krb5-ccname + [ -z "$RET" ] && db_set nslcd/ldap-sasl-krb5-ccname "/var/run/nslcd/nslcd.tkt" + db_input low nslcd/ldap-sasl-krb5-ccname || true + else + db_set nslcd/ldap-sasl-krb5-ccname "" + fi # ask the question, go to the next question or back state="starttls" - db_go || state="binddn" + db_go || state="authentication" ;; starttls) # check if ldaps:// URL's are used @@ -222,8 +293,9 @@ do db_input medium nslcd/ldap-starttls || true fi # ask the question, go to the next question or back + # (we go back to authtype because the previous questions were optional) state="reqcert" - db_go || state="bindpw" + db_go || state="authtype" ;; reqcert) # check if ldaps:// URL's are used @@ -240,8 +312,9 @@ do db_set nslcd/ldap-reqcert "" fi # ask the question, go to the next question or back + # (we go back to authtype because the previous questions were optional) state="done" - db_go || state="starttls" + db_go || state="authtype" ;; esac done diff --git a/debian/nslcd.postinst b/debian/nslcd.postinst index d103e9d..53f54fc 100644 --- a/debian/nslcd.postinst +++ b/debian/nslcd.postinst @@ -201,6 +201,12 @@ then update_config nslcd/ldap-base base update_config nslcd/ldap-binddn binddn update_config nslcd/ldap-bindpw bindpw + update_config nslcd/ldap-sasl-mech sasl_mech + update_config nslcd/ldap-sasl-realm sasl_realm + update_config nslcd/ldap-sasl-authcid sasl_authcid + update_config nslcd/ldap-sasl-authzid sasl_authzid + update_config nslcd/ldap-sasl-secprops sasl_secprops + update_config nslcd/ldap-sasl-krb5-ccname krb5_ccname update_config nslcd/ldap-reqcert tls_reqcert # remove password from database db_set nslcd/ldap-bindpw "" diff --git a/debian/nslcd.templates b/debian/nslcd.templates index 0c0cc82..874a348 100644 --- a/debian/nslcd.templates +++ b/debian/nslcd.templates 
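Review bot: In the `authentication` state, the `none` and `simple` branches clear binddn/bindpw/sasl-mech but leave nslcd/ldap-sasl-realm, -authcid, -authzid, -secprops and -krb5-ccname untouched, and the new update_config lines in nslcd.postinst then write any non-empty leftovers back to the configuration file; switching a host from SASL back to simple or anonymous would keep a stale `sasl_authcid` and the other sasl_* lines in place. Clearing those keys in both branches, alongside the existing `db_set nslcd/ldap-sasl-mech ""`, keeps the file in step with the chosen auth type; with sasl_mech disabled the leftovers are probably inert, but they are still identity material that no longer belongs there. The `sasloptions` branch reuses nslcd/ldap-bindpw as the SASL password for non-GSSAPI mechanisms; a comment such as `# bindpw doubles as the SASL password for non-GSSAPI mechanisms` would make that reuse explicit to whoever edits the postinst.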
@@ -18,19 +18,87 @@ _Description: LDAP server search base: domain "example.net" would use "dc=example,dc=net" as the distinguished name of the search base. +Template: nslcd/ldap-auth-type +Type: select +__Choices: none, simple, SASL +Default: none +_Description: LDAP authentication to use: + If your LDAP database requires authentication you can choose which mechanism + should be used. Please choose the mechanism by which authentication should + be done: + * none: no authentication; + * simple: simple clear text binddn/password; + * SASL: one of the Simple Authentication and Security Layer + mechanisms. + Template: nslcd/ldap-binddn Type: string _Description: LDAP database user: - If the LDAP database requires a login for normal lookups, enter the name of - the account that will be used here. Leave it empty otherwise. - . - This value should be specified as a DN (distinguished name). + Enter the name of the account that will be used to log in to the LDAP + database. This value should be specified as a DN (distinguished name). Template: nslcd/ldap-bindpw Type: password _Description: LDAP user password: Enter the password that will be used to log in to the LDAP database. +Template: nslcd/ldap-sasl-mech +Type: select +__Choices: auto, LOGIN, PLAIN, NTLM, CRAM-MD5, DIGEST-MD5, GSSAPI, OTP +_Description: SASL mechanism to use: + Choose the SASL mechanism that will be used to authenticate to the LDAP + database: + * auto: autonegociation; + * LOGIN: deprecated in flavor of PLAIN; + * PLAIN: simple cleartext password mechanism; + * NTLM: NT LAN Manager authentication mechanism; + * CRAM-MD5: challenge-response scheme based on HMAC-MD5; + * DIGEST-MD5: HTTP Digest compatible challenge-response scheme; + * GSSAPI: used for Kerberos; + * OTP: a One Time Password mechanism. + +Template: nslcd/ldap-sasl-realm +Type: string +_Description: SASL realm: + Enter the SASL realm that will be used to authenticate to the LDAP + database. + . 
+ If empty, the GSSAPI mechanism will use information from the Kerberos + credential cache. Others mechanisms may need @ suffixing sasl_authcid + and sasl_authzid. + . + The realm is appended to authentication and authorisation identities. + +Template: nslcd/ldap-sasl-authcid +Type: string +_Description: SASL authentication identity: + Enter the SASL authentication identity that will be used to authenticate to + the LDAP database. + . + This is the login used in LOGIN, PLAIN, CRAM-MD5 and DIGEST-MD5 mechanisms. + +Template: nslcd/ldap-sasl-authzid +Type: string +_Description: SASL proxy authorisation identity: + Enter the proxy authorisation identity that will be used to authenticate to + the LDAP database. + . + This is the object in the name of witch the LDAP request are done. + This value should be specified as a DN (distinguished name). + +Template: nslcd/ldap-sasl-secprops +Type: string +_Description: Cyrus SASL security properties: + Enter the Cyrus SASL security properties. + Allowed values are described in the ldap.conf(5) manual page + in the SASL OPTIONS section. + +Template: nslcd/ldap-sasl-krb5-ccname +Type: string +Default: /var/run/nslcd/nslcd.tkt +_Description: Kerberos credential cache file path: + Enter the GSSAPI/Kerberos credential cache file name that will be used. + Template: nslcd/ldap-starttls Type: boolean _Description: Use StartTLS? -- cgit v1.2.3
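Review bot: Several user-visible strings in the new templates have spelling or grammar slips that will go out to translators as-is: `autonegociation` → `autonegotiation`, `deprecated in flavor of PLAIN` → `deprecated in favour of PLAIN`, `Others mechanisms` → `Other mechanisms`, and `This is the object in the name of witch the LDAP request are done.` → `This is the object on whose behalf the LDAP requests are made.`. Fixing them before the first translation round avoids invalidating translated strings later. The SASL mechanism list marks PLAIN as cleartext but not LOGIN, which is equally cleartext; noting that both should only be used over StartTLS/ldaps helps an administrator choosing among them.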