#!/bin/sh

# abort on the first failing command: a half-written configuration is worse
# than a failed postinst (commands inside if/||/&& conditions are exempt)
set -e

# the nss-ldapd configuration file that the cfg_* helpers below edit in place
CONFFILE="/etc/nss-ldapd.conf"

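# cfg_set PARAMETER VALUE
# Set an option in $CONFFILE to the given value: an active line is rewritten
# in place, a commented-out line ("#name value" or "# name value") is
# uncommented and rewritten, an absent option is appended.  PARAMETER is a
# fixed option name chosen by this script; VALUE is arbitrary, single-line
# text (it may be a password entered through debconf), so it is escaped
# before it is used as sed replacement text and it is never placed on a
# command line where ps(1) could show it while sed runs.
# Returns 0 (set -e aborts the script if the file cannot be edited).
cfg_set()
{
  parameter="$1"
  value="$2"
  # escape what is special in a sed replacement: backslash, '&' (stands for
  # the matched text) and '%' (the delimiter used below); without this a
  # password such as 'a&b' would be written as 'a<old line>b' and one
  # containing '%' would make sed fail
  escaped=$(printf '%s\n' "$value" | sed 's/[\\&%]/\\&/g')
  if grep -i -q "^$parameter " "$CONFFILE"
  then
    # active option: the trailing space keeps 'base' from matching 'basefoo'
    matchstring="$parameter"
  elif grep -i -q "^# *$parameter " "$CONFFILE"
  then
    # commented-out option: match the comment marker as well
    matchstring="# *$parameter"
  else
    # option absent: append it (printf rather than echo so a value that
    # starts with '-' or contains backslashes is written verbatim)
    printf '%s %s\n' "$parameter" "$value" >> "$CONFFILE"
    return 0
  fi
  # TODO: check if the option is already defined with the value we need
  # this works as long as any option is specified only once
  # FIXME: also work when option is commented out on multiple lines
  # the sed script is read from stdin (-f -) instead of being passed as an
  # argument, so the value does not show up in the process list
  sed -i -f - "$CONFFILE" <<EOM
s%^$matchstring .*\$%$parameter $escaped%i
EOM
  # we're done
  return 0
}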

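# cfg_disable PARAMETER [removevalue]
# Disable an option in $CONFFILE by commenting it out.  With a second
# argument of "removevalue" the option's value is dropped as well, so that
# a password does not survive in the file as a comment.  Only a line that
# carries the option name followed by a space is touched: this matches the
# check performed before editing and keeps e.g. "host" from also hitting a
# "hostname" line.  Returns 0.
cfg_disable()
{
  parameter="$1"
  removevalue="${2:-}"
  if grep -i -q "^$parameter " "$CONFFILE"
  then
    if [ "$removevalue" = "removevalue" ]
    then
      # keep only the (commented) option name
      sed -i 's%^'"$parameter"' .*$%#'"$parameter"'%i' "$CONFFILE"
    else
      sed -i 's%^\('"$parameter"' .*\)$%#\1%i' "$CONFFILE"
    fi
  fi
  # we're done
  return 0
}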

# Editing /etc/nsswitch.conf from a maintainer script is considered acceptable
# (the nss_enable/nss_disable helpers below do so); see the discussion at
# http://lists.debian.org/debian-devel/2007/02/msg00076.html

# nss_enable NAME
# Make sure the NAME database (passwd, group, ...) in /etc/nsswitch.conf
# lists ldap as a lookup method: "ldap" is appended to an existing entry,
# or a new entry is added when there is none.  Always returns 0.
nss_enable()
{
  name="$1"
  # nothing to do when the entry already mentions ldap
  if grep -q '^'"$name"':.*ldap.*' /etc/nsswitch.conf
  then
    return 0
  fi
  echo "/etc/nsswitch.conf: enable LDAP lookups for $name" >&2
  if grep -q '^'"$name"':' /etc/nsswitch.conf
  then
    # existing entry: tack ldap onto the end of the line
    sed -i 's/^\('"$name"':.*\)[[:space:]]*$/\1 ldap/' /etc/nsswitch.conf
  else
    # no entry at all: add one, padded like the stock file
    printf '%-15s ldap\n' "$name:" >> /etc/nsswitch.conf
  fi
  # we're done
  return 0
}

# nss_disable NAME
# Remove ldap as a lookup method for the NAME database in
# /etc/nsswitch.conf.  The lookup-result action specification ("[...]",
# see nsswitch.conf(5)) that may follow the ldap method is dropped with
# it.  An entry whose only method is ldap is deleted as a whole.
# Always returns 0.
nss_disable()
{
  name="$1"
  # entries that use ldap at all
  usesldap='^'"$name"':.*ldap.*'
  # entries whose one and only method is ldap (plus optional actions)
  ldaponly='^'"$name"':[[:space:]]*ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*$'
  if ! grep -q "$usesldap" /etc/nsswitch.conf
  then
    return 0
  fi
  echo "/etc/nsswitch.conf: disable LDAP lookups for $name" >&2
  if [ -n "$(sed -n "/$ldaponly/p" /etc/nsswitch.conf)" ]
  then
    # the name service only maps to ldap, remove the whole line
    sed -i "/$ldaponly/d" /etc/nsswitch.conf
  else
    # remove ldap part from existing line, keeping other methods intact
    # TODO: remove trailing space
    sed -i 's/^\('"$name"':.*\)ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*\(.*\)$/\1\3/' /etc/nsswitch.conf
  fi
  # we're done
  return 0
}

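# create_config
# Create $CONFFILE if it does not exist yet.  When the old libnss-ldap
# configuration is present its contents are carried over: the lines
# debconf used for its own bookkeeping are dropped, the root bind password
# from /etc/libnss-ldap.secret is merged in as "rootbindpw" and options
# nss-ldapd no longer supports are commented out.  Otherwise a minimal
# template is written whose placeholder values are meant to be overwritten
# by cfg_set afterwards.  Returns 0.
create_config()
{
  # never touch an existing configuration
  if [ -e "$CONFFILE" ]
  then
    return 0
  fi
  if [ -f /etc/libnss-ldap.conf ]
  then
    # begin the file by some information as to where it came from
    cat > "$CONFFILE" << EOM
# $CONFFILE
# nss-ldapd configuration file. See nss-ldapd.conf(5)
# for details.
#
# This file was based on existing configuration files
# /etc/libnss-ldap.conf and /etc/libnss-ldap.secret

EOM
    # copy the existing config in place, getting rid
    # of the silly #DEBCONF# lines
    grep -E -v '(###DEBCONF###|configuration of this file will be done by debconf|dpkg-reconfigure)' \
      < /etc/libnss-ldap.conf \
      >> "$CONFFILE"
    # also merge in the root bind password if the secret file is present
    if [ -f /etc/libnss-ldap.secret ]
    then
      # the password is about to be copied into $CONFFILE, which was just
      # created with the default umask; give it the mode of the secret file
      # (expected to be root-only) before the copy, so the password is never
      # more readable here than it was in its original location
      chmod --reference=/etc/libnss-ldap.secret "$CONFFILE"
      # printf rather than echo: a password containing backslashes is
      # written verbatim
      printf 'rootbindpw %s\n' "$(cat /etc/libnss-ldap.secret)" >> "$CONFFILE"
    fi
    # disable options that are no longer supported
    cfg_disable host
    cfg_disable port
  else
    # fall back to generating a simple configuration file
    # from this simple template
    # TODO: improve this template
    cat > "$CONFFILE" << EOM
# $CONFFILE
# nss-ldapd configuration file. See nss-ldapd.conf(5)
# for details.

# The location at which the LDAP server(s) should be reachable.
uri ldap://localhost/

# The search base that will be used for all queries.
base dc=example,dc=net

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=annonymous,dc=example,dc=net
bindpw secret

# The DN to bind with for lookups as root.
rootbinddn cn=administrator,dc=example,dc=net
rootbindpw verysecret

# The search scope.
#scope sub

EOM
  fi
  # we're done
  return 0
}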

# the real work, done on "configure" only: the debconf answers are turned
# into the nss-ldapd configuration and /etc/nsswitch.conf is adjusted
if [ "$1" = "configure" ]
then
  # get configuration data from debconf
  . /usr/share/debconf/confmodule
  # create a default configuration
  create_config
  # server uri, search base and protocol version
  db_get libnss-ldapd/ldap-uris
  cfg_set uri "$RET"
  db_get libnss-ldapd/ldap-base
  cfg_set base "$RET"
  db_get libnss-ldapd/ldap-version
  cfg_set ldap_version "$RET"
  # bind dn/pw for normal lookups: configured when a dn was given,
  # disabled otherwise
  db_get libnss-ldapd/ldap-binddn
  if [ -z "$RET" ]
  then
    cfg_disable binddn
    cfg_disable bindpw
    # FIXME: remove password value from config
  else
    cfg_set binddn "$RET"
    db_get libnss-ldapd/ldap-bindpw
    cfg_set bindpw "$RET"
    # the password now lives in the config file only: clear it from the
    # debconf database
    db_set libnss-ldapd/ldap-bindpw ""
  fi
  # bind dn/pw for lookups as root, handled the same way
  db_get libnss-ldapd/ldap-rootbinddn
  if [ -z "$RET" ]
  then
    cfg_disable rootbinddn
    cfg_disable rootbindpw
    # FIXME: remove password value from config
  else
    cfg_set rootbinddn "$RET"
    db_get libnss-ldapd/ldap-rootbindpw
    cfg_set rootbindpw "$RET"
    # remove password from the debconf database
    db_set libnss-ldapd/ldap-rootbindpw ""
  fi
  # modify /etc/nsswitch.conf: ldap is enabled for every service named in
  # the debconf answer (a comma separated list) and disabled for the rest
  db_get libnss-ldapd/nsswitch
  enablenss=$(echo "$RET" | sed 's/,//g')
  for n in aliases ethers group hosts netgroup networks passwd protocols rpc services shadow
  do
    selected=0
    for service in $enablenss
    do
      if [ "$service" = "$n" ]
      then
        selected=1
      fi
    done
    if [ "$selected" = "1" ]
    then
      nss_enable "$n"
    else
      nss_disable "$n"
    fi
  done
  # we're done
  db_stop
  # TODO: fix permissions of configfile if passwords are stored
  # TODO: create backups of /etc/nsswitch.conf and configfile
  #       (probably store orig in tmpfile and if diff install it
  #       as backup)
fi

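# restart nscd so it picks up the changes in nsswitch.conf; other
# long-running processes that cache NSS data have to be restarted manually.
# Only done when nscd is installed (an executable, not merely a non-empty
# file) and currently running.
if [ -x /usr/sbin/nscd ] && [ -n "$(pidof -s nscd)" ]
then
  # prefer invoke-rc.d when it is available (command -v is POSIX; which
  # is not)
  if command -v invoke-rc.d >/dev/null 2>&1
  then
    invoke-rc.d nscd restart
  else
    /etc/init.d/nscd restart
  fi
fi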

# placeholder replaced by dh_installdeb(1) with the maintainer-script
# snippets debhelper generates for this package
#DEBHELPER#

# postinst succeeded
exit 0