#!/bin/sh

# abort on the first command that fails (commands inside if/while
# conditions and non-final pipeline stages are exempt, as usual)
set -e

# the nss-ldapd configuration file edited by cfg_set/cfg_disable/cfg_uris
CONFFILE="/etc/nss-ldapd.conf"

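# set an option in the configuration file to the specified value
#
# $1 - option name (e.g. "base" or "base passwd"); a constant chosen by
#      the caller, so it is safe to splice into the sed expressions below
# $2 - value; comes from debconf and is escaped before it is used in a
#      sed replacement (it must fit on one line: a value containing a
#      newline cannot be represented and will make sed fail)
#
# If the option is already present, only its first occurrence is
# replaced. If it is only present commented out ("#option ..."), that
# line is uncommented and rewritten with the new value. Otherwise a new
# line is appended.
cfg_set()
{
  parameter="$1"
  value="$2"
  # make matching of spaces better in parameter
  # this is complicated because of the "base [map] dn" keyword
  param_re=$(printf '%s\n' "$parameter" | sed 's#[[:space:]][[:space:]]*#[[:space:]][[:space:]]*#g')
  # check if the parameter is defined (value either unquoted or "quoted")
  replace=$(sed -n 's/^\('"$param_re"'\)[[:space:]]*\([^[:space:]]*\|".*"\)[[:space:]]*$/\1/ip' "$CONFFILE" | head -n 1)
  if [ -z "$replace" ]
  then
    # check if the parameter is commented out
    replace=$(sed -n 's/^\(#[[:space:]]*'"$param_re"'\)[[:space:]]*\([^[:space:]]*\|".*"\)[[:space:]]*$/\1/ip' "$CONFFILE" | head -n 1)
  fi
  # decide what to do
  if [ -z "$replace" ]
  then
    # just append a new line (printf rather than echo: the echo of
    # /bin/sh may interpret backslashes in the value)
    printf '%s %s\n' "$parameter" "$value" >> "$CONFFILE"
  else
    # ($replace is literal text copied from the file: the option name,
    # at most prefixed by "#" and spaces, so it needs no escaping for
    # sed; neither does $parameter)
    # escape \, | and & in value for use in the sed replacement below
    value=$(printf '%s\n' "$value" | sed 's#\\#\\\\#g;s#|#\\|#g;s#&#\\&#g')
    # replace the first occurrence of the parameter:
    # - the "0," address (GNU sed) makes the range end at the first
    #   match even when that match is on line 1 ("1,/re/" would run on
    #   to the second match and rewrite both lines)
    # - the replacement is written with the plain parameter name so that
    #   a commented-out option is re-enabled instead of being rewritten
    #   with its "#" still in front
    sed -i '0,/^'"$replace"' .*$/ s|^'"$replace"' .*$|'"$parameter"' '"$value"'|i' "$CONFFILE"
  fi
  # we're done
  return 0
}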

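# disable an option in the configuration file by commenting it out
#
# $1 - option name (a constant chosen by the caller, see cfg_set)
#
# Every line that sets the option is commented out; lines that are
# already commented out are left alone. Both value forms that cfg_set
# recognises (unquoted and "quoted") are matched, so that e.g. a quoted
# password containing spaces does not stay active after a "disable".
cfg_disable()
{
  parameter="$1"
  # make matching of spaces better in parameter
  param_re=$(printf '%s\n' "$parameter" | sed 's#[[:space:]][[:space:]]*#[[:space:]][[:space:]]*#g')
  # comment out the option, whether its value is unquoted or "quoted"
  sed -i 's/^\('"$param_re"'[[:space:]]*\([^[:space:]]*\|".*"\)\)[[:space:]]*$/#\1/i' "$CONFFILE"
  # we're done
  return 0
}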

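# set the list of uris
#
# $1 - space-separated list of LDAP server URIs (from debconf)
#
# Existing "uri" lines are reused in order (the first ones are overwritten
# with the new values), additional URIs are appended and left-over old
# lines are commented out, so the file keeps its layout.
cfg_uris()
{
  uris="$1"
  # temporarily rename all uri directives so old and new ones can be
  # told apart while the list is rewritten
  sed -i 's/^uri /_uri_ /i' "$CONFFILE"
  # set the uri options, one item per line
  printf '%s\n' "$uris" | sed 's/  */\n/g' | while read -r uri
  do
    # skip empty items: leading/trailing spaces or an empty list would
    # otherwise turn the first old uri into a bare "uri " line
    [ -n "$uri" ] || continue
    if grep -qi '^_uri_ ' "$CONFFILE"
    then
      # escape \, | and & in uri for use in the sed replacement
      uri=$(printf '%s\n' "$uri" | sed 's#\\#\\\\#g;s#|#\\|#g;s#&#\\&#g')
      # replace the first remaining old uri ("0," so that a match on
      # line 1 does not extend the range to the next old uri as well)
      sed -i '0,/^_uri_ / s|^_uri_ .*$|uri '"$uri"'|i' "$CONFFILE"
    else
      # append new uri
      printf 'uri %s\n' "$uri" >> "$CONFFILE"
    fi
  done
  # comment out the remaining old uris
  sed -i 's/^_uri_ /#uri /' "$CONFFILE"
}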

# editing /etc/nsswitch.conf from a maintainer script is considered
# acceptable, see the debian-devel discussion at
# http://lists.debian.org/debian-devel/2007/02/msg00076.html

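# check to see if name is configured to do lookups through
# LDAP and enable if not
#
# $1 - name service database (passwd, group, hosts, ...)
# $2 - file to edit, defaults to /etc/nsswitch.conf (optional; mainly so
#      the function can be exercised against a scratch copy)
#
# "ldap" is added as the last method of an existing entry, or a new
# entry with only ldap is appended.
nss_enable()
{
  name="$1"
  nsswitch="${2:-/etc/nsswitch.conf}"
  # nothing to do when the service already lists ldap
  if grep -q '^'"$name"':.*ldap.*' "$nsswitch"
  then
    return 0
  fi
  echo "$nsswitch: enable LDAP lookups for $name" >&2
  if grep -q '^'"$name"':' "$nsswitch"
  then
    # modify an existing entry by adding ldap after its last method
    # (trailing whitespace on the line is dropped in the process)
    sed -i 's/^\('"$name"':.*[^[:space:]]\)[[:space:]]*$/\1 ldap/' "$nsswitch"
  else
    # append a new line, padded like the stock file
    printf '%-15s ldap\n' "$name:" >> "$nsswitch"
  fi
  # we're done
  return 0
}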

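# remove NSS lookups through LDAP for the specified service
#
# $1 - name service database (passwd, group, hosts, ...)
# $2 - file to edit, defaults to /etc/nsswitch.conf (optional; mainly so
#      the function can be exercised against a scratch copy)
#
# The lookup result handling part ("[...]", see nsswitch.conf(5)) that
# follows the ldap entry is removed together with it. An entry that
# only used ldap is deleted as a whole.
nss_disable()
{
  name="$1"
  nsswitch="${2:-/etc/nsswitch.conf}"
  if grep -q '^'"$name"':.*ldap.*' "$nsswitch"
  then
    echo "$nsswitch: disable LDAP lookups for $name" >&2
    if [ -n "$(sed -n '/^'"$name"':[[:space:]]*ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*$/p' "$nsswitch")" ]
    then
      # the name service only maps to ldap, remove the whole line
      sed -i '/^'"$name"':[[:space:]]*ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*$/d' "$nsswitch"
    else
      # remove the ldap part from the existing line, keeping the other
      # methods intact, then drop the trailing whitespace that is left
      # behind when ldap was the last method on the line
      sed -i -e 's/^\('"$name"':.*\)ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*\(.*\)$/\1\3/' \
             -e '/^'"$name"':/s/[[:space:]]*$//' "$nsswitch"
    fi
  fi
  # we're done
  return 0
}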

# create a default configuration file if nothing exists yet
#
# Writes a minimal template to $CONFFILE. The template carries placeholder
# credentials (bindpw/rootbindpw) which the configure step replaces or
# comments out; the file is created with whatever umask is in effect, no
# permission handling happens here.
create_config()
{
  # never overwrite an existing configuration
  if [ -e "$CONFFILE" ]
  then
    return 0
  fi
  # TODO: improve this template
  cat > "$CONFFILE" << EOM
# $CONFFILE
# nss-ldapd configuration file. See nss-ldapd.conf(5)
# for details.

# The location at which the LDAP server(s) should be reachable.
uri ldap://localhost/

# The search base that will be used for all queries.
base dc=example,dc=net

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=annonymous,dc=example,dc=net
bindpw secret

# The DN to bind with for lookups as root.
rootbinddn cn=administrator,dc=example,dc=net
rootbindpw verysecret

# The search scope.
#scope sub

EOM
  # we're done
  return 0
}

# real functions begin here
#
# Only the "configure" action touches the system; every other postinst
# action falls through to the debhelper snippets and exits 0.
if [ "$1" = "configure" ]
then
  # get configuration data from debconf
  . /usr/share/debconf/confmodule
  # create a default configuration
  create_config
  # set server uri
  db_get libnss-ldapd/ldap-uris
  cfg_uris "$RET"
  # set search base
  db_get libnss-ldapd/ldap-base
  cfg_set base "$RET"
  # set bind dn/pw
  db_get libnss-ldapd/ldap-binddn
  if [ -n "$RET" ]
  then
    cfg_set binddn "$RET"
    db_get libnss-ldapd/ldap-bindpw
    cfg_set bindpw "$RET"
  else
    # no binddn/pw, disable options
    cfg_disable binddn
    if grep -i -q "^bindpw " $CONFFILE
    then
      # overwrite the old password before commenting the line out, so
      # it does not survive in the file as a "#bindpw ..." line
      cfg_set bindpw "*removed*"
      cfg_disable bindpw
    fi
  fi
  # remove password from database
  # (the configuration file is the only place the password is kept)
  db_set libnss-ldapd/ldap-bindpw ""
  # set root bind dn/pw
  db_get libnss-ldapd/ldap-rootbinddn
  if [ -n "$RET" ]
  then
    cfg_set rootbinddn "$RET"
    db_get libnss-ldapd/ldap-rootbindpw
    cfg_set rootbindpw "$RET"
  else
    # no binddn/pw, disable options
    cfg_disable rootbinddn
    if grep -i -q "^rootbindpw " $CONFFILE
    then
      # same as for bindpw: scrub the value before commenting it out
      cfg_set rootbindpw "*removed*"
      cfg_disable rootbindpw
    fi
  fi
  # remove password from database
  db_set libnss-ldapd/ldap-rootbindpw ""
  # modify /etc/nsswitch.conf
  db_get libnss-ldapd/nsswitch
  # the answer is a comma/space separated list of databases; drop the
  # commas and match each name surrounded by spaces so that e.g.
  # "passwd" does not match inside another word
  enablenss=`echo "$RET" | sed 's/,//g'`
  for n in aliases ethers group hosts netgroup networks passwd protocols rpc services shadow
  do
    if echo ' '$enablenss' ' | grep -q ' '$n' '
    then
      nss_enable $n
    else
      nss_disable $n
    fi
  done
  # we're done
  db_stop
  # TODO: fix permissions of configfile if passwords are stored
  # NOTE(review): nothing in this script sets the mode of $CONFFILE, so a
  # bindpw/rootbindpw written by cfg_set above is only as protected as the
  # umask at creation time (or whatever the admin set by hand); confirm
  # which processes must read the file before tightening it (e.g. 0600)
  # TODO: create backups of /etc/nsswitch.conf and configfile
  #       (probably store orig in tmpfile and if diff install it
  #       as backup)
  # restart nscd to pick up changes in nsswitch.conf
  # (other processes will have to be restarted manually)
  # (-s only checks that the nscd binary exists and is non-empty; the
  # unquoted pidof substitution acts as a non-empty string test)
  if [ -s /usr/sbin/nscd ] && [ `pidof -s nscd` ]
  then
    if which invoke-rc.d >/dev/null 2>&1
    then
      invoke-rc.d nscd restart
    else
      /etc/init.d/nscd restart
    fi
  fi
fi

#DEBHELPER#

exit 0