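#!/bin/sh
#
# postinst maintainer script for the libnss-ldapd Debian package: creates the
# nslcd system user, writes the debconf answers into $CONFFILE and enables or
# disables LDAP lookups in /etc/nsswitch.conf.
#
# Invoked by dpkg as: postinst configure [old-version]
# (any other action only reaches the #DEBHELPER# section and exits 0)

set -e

CONFFILE="/etc/nss-ldapd.conf"

# regex fragment naming the NSS maps that may follow a parameter name: a line
# such as "base passwd dc=..." must never be taken for the plain "base"
# parameter (keep in sync with the map list used for nsswitch.conf below)
readonly CFG_MAP_RE='\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)'

#######################################
# Print a regex matching parameter $1 at the start of a line, allowing
# leading whitespace and any amount of whitespace inside the name (needed
# for multi-word keywords such as "base [map] dn").
# Arguments: $1 - parameter name (plain words, no regex metacharacters)
# Outputs:   the regex on stdout
#######################################
cfg_param_re() {
  printf '%s\n' "$1" | sed 's#^#[[:space:]]*#;s#[[:space:]][[:space:]]*#[[:space:]][[:space:]]*#g'
}

#######################################
# Print the first line of $CONFFILE that defines parameter $1.
# Lines of the form "param <map> ..." are skipped.
# Globals:   CONFFILE (read), CFG_MAP_RE (read)
# Arguments: $1 - parameter name
#            $2 - prefix the line must start with: "" for an active
#                 definition, "#" for a commented-out one
# Outputs:   the matching line, or nothing
#######################################
cfg_find_line() {
  param_re="$2$(cfg_param_re "$1")"
  nomatch_re="^$param_re[[:space:]][[:space:]]*$CFG_MAP_RE"
  # "d" discards the excluded line and starts the next cycle; the "n"
  # command used before loaded the *following* line into the pattern space,
  # so with two consecutive "base <map>" lines the second one was reported
  sed -n '/'"$nomatch_re"'/d;/^'"$param_re"'[[:space:]]/p' "$CONFFILE" | head -n 1
}

#######################################
# Replace the first line of $CONFFILE that is exactly $1 with $2.
# Both strings travel through the environment instead of a command line, so
# a password being written does not appear in the process list, and they
# are compared literally, so no regex escaping is needed.
# Globals:   CONFFILE (read/written)
# Arguments: $1 - the existing line   $2 - the replacement line
# Returns:   0 on success, 1 if the temporary copy could not be written
#######################################
cfg_replace_line() {
  tmp=$(mktemp) || return 1
  # the "" concatenations force a string comparison even if both sides
  # happen to look numeric
  CFG_OLD="$1" CFG_NEW="$2" awk '
    !done && ($0 "") == (ENVIRON["CFG_OLD"] "") { print ENVIRON["CFG_NEW"]; done = 1; next }
    { print }' "$CONFFILE" > "$tmp" || { rm -f "$tmp"; return 1; }
  # copy back over the original so that its owner and mode are preserved
  cat "$tmp" > "$CONFFILE"
  rm -f "$tmp"
}

#######################################
# Set option $1 in the configuration file to value $2.
# An active definition is updated in place; failing that a commented-out
# one is re-activated; otherwise a new line is appended.
# Globals:   CONFFILE (written)
# Arguments: $1 - parameter name   $2 - value
# Returns:   0
#######################################
cfg_set() {
  parameter="$1"
  value="$2"
  line=$(cfg_find_line "$parameter" "")
  if [ -z "$line" ]
  then
    line=$(cfg_find_line "$parameter" "#")
  fi
  if [ -z "$line" ]
  then
    # printf rather than echo: a value containing backslashes is written as-is
    printf '%s %s\n' "$parameter" "$value" >> "$CONFFILE"
  else
    cfg_replace_line "$line" "$parameter $value"
  fi
  return 0
}

#######################################
# Disable option $1 in the configuration file by commenting it out.
# "param <map> ..." lines are left untouched.
# Globals:   CONFFILE (written), CFG_MAP_RE (read)
# Arguments: $1 - parameter name
# Returns:   0
#######################################
cfg_disable() {
  parameter="$1"
  param_re=$(cfg_param_re "$parameter")
  nomatch_re="^$param_re[[:space:]][[:space:]]*$CFG_MAP_RE"
  # "b" prints the excluded line unchanged and skips the substitution; the
  # "n" used before moved on to the following line, which could then be
  # commented out by mistake
  sed -i '/'"$nomatch_re"'/b;s/^'"$param_re"'[[:space:]].*$/#&/i' "$CONFFILE"
  return 0
}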
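# set the list of uris
#######################################
# Make the "uri" lines of $CONFFILE match the whitespace-separated list $1.
# Existing uri lines are reused in order; surplus new uris are appended and
# surplus old lines are commented out.
# Globals:   CONFFILE (written)
# Arguments: $1 - whitespace-separated list of LDAP uris
#######################################
cfg_uris() {
  uris="$1"
  # mark every current uri line (any whitespace after the keyword, so that
  # a tab-separated line cannot survive as a stale active uri)
  sed -i 's/^uri[[:space:]]/_uri_ /i' "$CONFFILE"
  # split the list on whitespace only: no globbing while it is expanded
  set -f
  for uri in $uris
  do
    if grep -qi '^_uri_ ' "$CONFFILE"
    then
      # escape what is special in the sed replacement: backslash first,
      # then the delimiter and &
      uri=$(printf '%s\n' "$uri" | sed 's/\\/\\\\/g;s/|/\\|/g;s/&/\\&/g')
      # "0,/re/" ends the range at the very first marker, even on line 1;
      # a "1,/re/" range would only end at the *second* marker in that case
      # and replace both of them
      sed -i '0,/^_uri_ / s|^_uri_ .*$|uri '"$uri"'|i' "$CONFFILE"
    else
      printf 'uri %s\n' "$uri" >> "$CONFFILE"
    fi
  done
  set +f
  # whatever was not reused is commented out
  sed -i 's/^_uri_ /#uri /' "$CONFFILE"
}

# editing nsswitch.conf seems to be ok
# http://lists.debian.org/debian-devel/2007/02/msg00076.html

#######################################
# Enable lookups through LDAP for name service $1 in nsswitch.conf.
# An existing entry gets "ldap" appended, otherwise a new entry is added.
# Arguments: $1 - name service (passwd, group, ...)
#            $2 - nsswitch file (default /etc/nsswitch.conf)
# Outputs:   a progress message on stderr when the file is changed
# Returns:   0
#######################################
nss_enable() {
  name="$1"
  nsswitch="${2:-/etc/nsswitch.conf}"
  if ! grep -q "^$name:.*ldap" "$nsswitch"
  then
    printf '%s: enable LDAP lookups for %s\n' "$nsswitch" "$name" >&2
    if grep -q "^$name:" "$nsswitch"
    then
      # append ldap after the last non-blank character of the entry
      sed -i 's/^\('"$name"':.*[^[:space:]]\)[[:space:]]*$/\1 ldap/' "$nsswitch"
    else
      printf '%-15s ldap\n' "$name:" >> "$nsswitch"
    fi
  fi
  return 0
}

#######################################
# Remove LDAP lookups for name service $1 from nsswitch.conf.
# The lookup result handling part of the ldap entry ("[NOTFOUND=return]",
# see nsswitch.conf(5)) is removed along with it.
# Arguments: $1 - name service
#            $2 - nsswitch file (default /etc/nsswitch.conf)
# Outputs:   a progress message on stderr when the file is changed
# Returns:   0
#######################################
nss_disable() {
  name="$1"
  nsswitch="${2:-/etc/nsswitch.conf}"
  # "ldap" optionally followed by its action specification; the \(...\)
  # inside it counts as group 2 in the substitutions below
  ldap_re='ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*'
  if grep -q "^$name:.*ldap" "$nsswitch"
  then
    printf '%s: disable LDAP lookups for %s\n' "$nsswitch" "$name" >&2
    if grep -q '^'"$name"':[[:space:]]*'"$ldap_re"'$' "$nsswitch"
    then
      # ldap is the only method: drop the whole entry
      sed -i '/^'"$name"':[[:space:]]*'"$ldap_re"'$/d' "$nsswitch"
    else
      # remove the ldap part, keep the other methods and strip the trailing
      # whitespace that is left behind when ldap was the last method
      sed -i -e 's/^\('"$name"':.*\)'"$ldap_re"'\(.*\)$/\1\3/' \
        -e '/^'"$name"':/s/[[:space:]]*$//' "$nsswitch"
    fi
  fi
  return 0
}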
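# create a default configuration file if nothing exists yet
#######################################
# Write a minimal template to $CONFFILE if the file does not exist.
# Globals:   CONFFILE (read; the file is created)
# Returns:   0
#######################################
create_config() {
  if [ ! -e "$CONFFILE" ]
  then
    # the subshell umask makes the file group-readable at most from the
    # moment it is created instead of relying on the chmod below alone
    (
      umask 027
      cat > "$CONFFILE" << EOM
# $CONFFILE
# nss-ldapd configuration file. See nss-ldapd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://localhost/
# The search base that will be used for all queries.
base dc=example,dc=net
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
# SSL options
#ssl off
#tls_reqcert never
# The search scope.
#scope sub
EOM
    )
    # the file may later hold the bind password: root:nslcd, mode 0640
    chmod 640 "$CONFFILE"
    chown root:nslcd "$CONFFILE"
  fi
  return 0
}

#######################################
# Create the nslcd system user and group if they do not exist yet; when an
# older configuration file is already present (an upgrade), record the
# uid/gid options in it.
# Globals:   CONFFILE (read/written)
#######################################
setup_nslcd_user() {
  if getent passwd nslcd >/dev/null
  then
    return 0
  fi
  adduser --system --group --home /var/run/nslcd/ \
    --gecos "nss-ldapd name service LDAP connection daemon" \
    --no-create-home \
    nslcd
  if [ -f "$CONFFILE" ]
  then
    printf 'Adding uid and gid options to %s...\n' "$CONFFILE" >&2
    printf '%s\n' "# automatically added on upgrade of libnss-ldapd package" >> "$CONFFILE"
    cfg_set uid nslcd
    cfg_set gid nslcd
  fi
}

#######################################
# Overwrite and then comment out any bindpw in $CONFFILE so that an old
# password does not linger in the file.
# Globals:   CONFFILE (read/written)
#######################################
cfg_scrub_bindpw() {
  if grep -i -q "^bindpw " "$CONFFILE"
  then
    cfg_set bindpw "*removed*"
    cfg_disable bindpw
  fi
}

#######################################
# Write the bind DN and password from debconf into $CONFFILE and remove the
# password from the debconf database afterwards.
# Globals:   RET (set by db_get), CONFFILE (written)
#######################################
configure_bind() {
  db_get libnss-ldapd/ldap-binddn
  if [ -n "$RET" ]
  then
    cfg_set binddn "$RET"
    db_get libnss-ldapd/ldap-bindpw
    if [ -n "$RET" ]
    then
      cfg_set bindpw "$RET"
    else
      cfg_scrub_bindpw
    fi
  else
    # no binddn: a password is meaningless, disable both options
    cfg_disable binddn
    cfg_scrub_bindpw
  fi
  # remove password from database
  db_set libnss-ldapd/ldap-bindpw ""
}

#######################################
# Apply the TLS related debconf answers (ssl, tls_reqcert) to $CONFFILE.
# Globals:   RET (set by db_get), CONFFILE (written)
#######################################
configure_tls() {
  db_get libnss-ldapd/ldap-starttls
  if [ "$RET" = "true" ]
  then
    cfg_set ssl "start_tls"
  elif grep -qi '^ssl[[:space:]]*start_*tls' "$CONFFILE"
  then
    cfg_disable ssl
  fi
  db_get libnss-ldapd/ldap-reqcert
  if [ -n "$RET" ]
  then
    # rename any tls_checkpeer options to tls_reqcert
    sed -i 's/^tls_checkpeer/tls_reqcert/i' "$CONFFILE"
    cfg_set tls_reqcert "$RET"
    # clear the debconf value so that this option is only set when the
    # question was actually asked
    db_set libnss-ldapd/ldap-reqcert ""
  fi
}

#######################################
# Enable or disable LDAP in /etc/nsswitch.conf for every name service
# according to the debconf answer.
# Globals:   RET (set by db_get)
#######################################
configure_nsswitch() {
  db_get libnss-ldapd/nsswitch
  # commas and runs of whitespace become single spaces, so every selected
  # service is surrounded by spaces in the case pattern below
  enablenss=$(printf '%s\n' "$RET" | tr -s ',[:space:]' ' ')
  for n in aliases ethers group hosts netgroup networks passwd protocols rpc services shadow
  do
    case " $enablenss " in
      *" $n "*) nss_enable "$n" ;;
      *) nss_disable "$n" ;;
    esac
  done
}

#######################################
# Restart a running nscd so that it picks up the changed nsswitch.conf
# (other processes will have to be restarted manually).
#######################################
restart_nscd() {
  if [ -x /etc/init.d/nscd ] && [ -n "$(pidof -s nscd)" ]
  then
    if command -v invoke-rc.d >/dev/null 2>&1
    then
      invoke-rc.d nscd restart
    else
      /etc/init.d/nscd restart
    fi
  fi
}

# real functions begin here
if [ "$1" = "configure" ]
then
  # get configuration data from debconf
  . /usr/share/debconf/confmodule
  setup_nslcd_user
  create_config
  # fix the permissions of a configfile written by an old version *before*
  # any password is written into it (lt-nl: an empty old version, i.e. a
  # fresh install, does not match)
  if dpkg --compare-versions "$2" lt-nl "0.6.7.1"
  then
    printf 'Fixing permissions of %s\n' "$CONFFILE" >&2
    chmod 640 "$CONFFILE"
    chown root:nslcd "$CONFFILE"
  fi
  # set server uri
  db_get libnss-ldapd/ldap-uris
  cfg_uris "$RET"
  # set search base
  db_get libnss-ldapd/ldap-base
  if [ -n "$RET" ]
  then
    cfg_set base "$RET"
  else
    cfg_disable base
  fi
  configure_bind
  configure_tls
  configure_nsswitch
  # we're done with debconf
  db_stop
  # TODO: create backups of /etc/nsswitch.conf and configfile
  # (probably store orig in tmpfile and if diff install it as backup)
  restart_nscd
  # update the cache of the dynamic linker
  # (we don't use dh_makeshlibs because that also installs a shlibs file
  # which we don't need)
  ldconfig
fi

#DEBHELPER#

exit 0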