From fb2c8d11ebe0d0ac66800897d7f5675be11d5df6 Mon Sep 17 00:00:00 2001
From: Arthur de Jong
Date: Sat, 14 Aug 2010 14:33:51 +0000
Subject: offer to add ldap to shadow in nsswitch.conf if a potential broken configuration is found

git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1171 ef36b2f9-881f-0410-afb5-c4e39611909c
---
 debian/libnss-ldapd.postinst          |  2 ++
 debian/libnss-ldapd.postrm            |  1 +
 debian/libpam-ldapd.lintian-overrides |  6 +++++
 debian/libpam-ldapd.postinst          | 42 +++++++++++++++++++++++++++++++++++
 debian/libpam-ldapd.templates         | 15 +++++++++++++
 5 files changed, 66 insertions(+)
 create mode 100644 debian/libpam-ldapd.lintian-overrides
 create mode 100644 debian/libpam-ldapd.templates

(limited to 'debian')

diff --git a/debian/libnss-ldapd.postinst b/debian/libnss-ldapd.postinst
index 34c55be..6124dd6 100644
--- a/debian/libnss-ldapd.postinst
+++ b/debian/libnss-ldapd.postinst
@@ -7,6 +7,7 @@ set -e
 # check to see if name is configured to do lookups through
 # LDAP and enable if not
+# Note: this function is in both libnss-ldapd.postinst and libpam-ldapd.postinst
 nss_enable()
 {
 name="$1"
@@ -27,6 +28,7 @@ nss_enable()
 }
 # remove NSS lookups though LDAP for the specified service
+# Note: this function is in both libnss-ldapd.postinst and libnss-ldapd.postrm
 nss_disable()
 {
 name="$1"
diff --git a/debian/libnss-ldapd.postrm b/debian/libnss-ldapd.postrm
index b21df19..a4a95f2 100644
--- a/debian/libnss-ldapd.postrm
+++ b/debian/libnss-ldapd.postrm
@@ -3,6 +3,7 @@ set -e
 # remove NSS lookups though LDAP for the specified service
+# Note: this function is in both libnss-ldapd.postinst and libnss-ldapd.postrm
 nss_disable()
 {
 name="$1"
diff --git a/debian/libpam-ldapd.lintian-overrides b/debian/libpam-ldapd.lintian-overrides
new file mode 100644
index 0000000..1f54a33
--- /dev/null
+++ b/debian/libpam-ldapd.lintian-overrides
@@ -0,0 +1,6 @@
+# we prompt in postinst instead of config because we can only
+# reliably detect the actual configuration in postinst and are
+# only doing this if we detect that there is something wrong
+# with the actual config
+libpam-ldapd: no-debconf-config
+libpam-ldapd: postinst-uses-db-input
diff --git a/debian/libpam-ldapd.postinst b/debian/libpam-ldapd.postinst
index 20c9b76..026c2e9 100644
--- a/debian/libpam-ldapd.postinst
+++ b/debian/libpam-ldapd.postinst
@@ -2,6 +2,48 @@ set -e
+# source debconf library.
+. /usr/share/debconf/confmodule
+db_version 2.0
+
 #DEBHELPER#
 pam-auth-update --package
+
+# check to see if name is configured to do lookups through
+# LDAP and enable if not
+# Note: this function is in both libnss-ldapd.postinst and libpam-ldapd.postinst
+nss_enable()
+{
+name="$1"
+if ! grep -q '^'$name':.*ldap.*' /etc/nsswitch.conf
+then
+echo "/etc/nsswitch.conf: enable LDAP lookups for $name" >&2
+if grep -q '^'$name':' /etc/nsswitch.conf
+then
+# modify an existing entry by just adding ldap to the end
+sed -i 's/^\('$name':.*[^[:space:]]\)[[:space:]]*$/\1 ldap/' /etc/nsswitch.conf
+else
+# append a new line
+printf '%-15s ldap\n' $name':' >> /etc/nsswitch.conf
+fi
+fi
+# we're done
+return 0
+}
+
+# if /etc/nsswitch.conf contains passwd: ..ldap but not shadow: ...ldap
+# warn the user that this will not work and offer to fix it
+if grep -q '^passwd:.*ldap' /etc/nsswitch.conf && \
+ ! grep -q '^shadow:.*ldap' /etc/nsswitch.conf
+then
+if db_input critical libpam-ldapd/enable_shadow
+then
+db_go
+db_get libpam-ldapd/enable_shadow
+if [ "$RET" = "true" ]
+then
+nss_enable shadow
+fi
+fi
+fi
diff --git a/debian/libpam-ldapd.templates b/debian/libpam-ldapd.templates
new file mode 100644
index 0000000..1abfac5
--- /dev/null
+++ b/debian/libpam-ldapd.templates
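Review bot: The `if db_input critical libpam-ldapd/enable_shadow` branch in the libpam-ldapd.postinst hunk only repairs nsswitch.conf when the prompt is actually displayed: db_input exits non-zero (30, "question skipped") whenever the question is already seen or preseeded or the frontend is noninteractive, so an administrator who preseeds `true` to get the fix in an unattended install never reaches `nss_enable shadow` and the passwd-without-shadow misconfiguration the template warns about stays in place. If leaving the file untouched unless a human confirms is deliberate, say so with a comment such as `# only touch nsswitch.conf when the prompt could be shown; preseeded/noninteractive runs are left for the admin to fix` ; otherwise the conventional form is `db_input critical libpam-ldapd/enable_shadow || true`, `db_go || true`, then decide on `db_get`'s `$RET`. Separately, the copied `sed` in nss_enable appends ` ldap` after any trailing `#` comment on an existing `shadow:` line, where glibc ignores it, yet the `grep -q '^shadow:.*ldap'` guard above then reports the entry as fixed on the next run; matching only up to a `#` in that pattern would avoid the false positive. Note also that the check runs on every maintainer-script invocation, not only for `configure`.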
@@ -0,0 +1,15 @@
+Template: libpam-ldapd/enable_shadow
+Type: boolean
+Default: true
+_Description: Enable shadow lookups through NSS? For the proper operation of the PAM stack the NSS module should return shadow information for LDAP users, otherwise these users will not be able to log in. Note that the shadow entries themselves may be empty (i.e. it is not needed to expose password hashes). . More background information on this requirement can be found here: http://bugs.debian.org/583492 . You can edit /etc/nsswitch.conf by hand or choose to add the entry automatically now. Be sure to review the changes to /etc/nsswitch.conf if you choose to add the entry now.
-- cgit v1.2.3