#!/bin/sh
set -e
CONFFILE="/etc/nslcd.conf"
OCONFFILE="/etc/nss-ldapd.conf"
# fall back to old configfile if new one isn't present but old one is
[ ! -f "$CONFFILE" ] && [ -f "$OCONFFILE" ] && CONFFILE="$OCONFFILE"
# source debconf library.
. /usr/share/debconf/confmodule
db_version 2.0
db_capb backup
# set title
db_title "Configuring NSLCD"
#
# This is the fist part of the script. In this part an attempt
# is made to get or guess the current configuration. This information
# is used later on to prompt the user and to provide a sensible
# default.
#
# check the system (non-LDAP configuration files) for some
# reasonable defaults
parsesys()
{
# guess domain based on system information
db_get nslcd/ldap-base
if [ -z "$RET" ]
then
domain=`hostname --domain` || true
[ -z "$domain" ] && domain=`hostname --nis | grep '\.'` || true
[ -z "$domain" ] && domain=`hostname --fqdn | sed -n 's/^[^.]*\.//p'` || true
[ -z "$domain" ] && domain=`sed -n 's/^ *\(domain\|search\) *\([^ ]*\) *$/\2/p' /etc/resolv.conf | head -n 1` || true
db_get nslcd/ldap-base
searchbase="$RET"
# if the ldap-base value doesn't seem to be preseeded, try to use the
# domain name to build the default base
if [ -n "$domain" ]
then
searchbase=`echo "$domain" | sed 's/^/dc=/;s/\./,dc=/'` || true
db_set nslcd/ldap-base "$searchbase"
fi
fi
# guess ldap server
db_get nslcd/ldap-uris
if [ -z "$RET" ]
then
server=`getent hosts ldap` || true
[ -z "$server" ] && server=`getent hosts dirhost` || true
if [ -n "$domain" ] && [ -z "$server" ]
then
server=`getent hosts ldap."$domain"` || true
[ -z "$server" ] && server=`getent hosts dirhost."$domain"` || true
fi
if [ -n "$server" ]
then
# extract ip address from host entry and quote ipv6 address
ip=`echo $server | sed 's/[[:space:]].*//;s/^\(.*:.*\)$/[\1]/'`
db_set nslcd/ldap-uris "ldap://$ip/"
fi
fi
# we're done
return 0
}
# parse a LDAP-like configuration file
parsecfg()
{
cfgfile="$1"
# check existance
[ -f "$cfgfile" ] || return 0
# find uri/host/port combo
db_get nslcd/ldap-uris
if [ -z "$RET" ]
then
uris=`sed -n 's/^uri[[:space:]]*//ip' "$cfgfile" | tr '\n' ' '`
if [ -z "$uris" ]
then
hosts=`sed -n 's/^host[[:space:]]*//ip' "$cfgfile"`
port=`sed -n 's/^port[[:space:]]*//ip' "$cfgfile" | tail -n 1`
for host in $hosts
do
if [ -z "$port" ] || (echo "$host" | grep -q ':' )
then
uris="$uris ldap://$host/"
else
uris="$uris ldap://$host:$port/"
fi
done
fi
[ -n "$uris" ] && db_set nslcd/ldap-uris "$uris"
fi
# find base config
db_get nslcd/ldap-base
if [ -z "$RET" ]
then
searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`
[ -n "$searchbase" ] && db_set nslcd/ldap-base "$searchbase"
fi
# find binddn
db_get nslcd/ldap-binddn
if [ -z "$RET" ]
then
binddn=`sed -n 's/^binddn[[:space:]]*//ip' "$cfgfile" | tail -n 1`
db_set nslcd/ldap-binddn "$binddn"
fi
# find bindpw
db_get nslcd/ldap-bindpw
if [ -z "$RET" ]
then
bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' "$cfgfile" | tail -n 1`
db_set nslcd/ldap-bindpw "$bindpw"
fi
# check ssl option
db_get nslcd/ldap-starttls
if [ -z "$RET" ]
then
if grep -qi '^ssl[[:space:]]*start_*tls' "$cfgfile"
then
db_set nslcd/ldap-starttls "true"
elif grep -qi '^ssl[[:space:]]' "$cfgfile"
then
db_set nslcd/ldap-starttls "false"
fi
fi
# check reqcert option
db_get nslcd/ldap-reqcert
if [ -z "$RET" ]
then
reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' "$cfgfile" | tail -n 1`
# normalise value
reqcert=`echo "$reqcert" | tr 'A-Z' 'a-z' | sed 's/^no$/never/;s/^yes$/demand/'`
[ -n "$reqcert" ] && db_set nslcd/ldap-reqcert "$reqcert"
fi
# we're done
return 0
}
# fill our defaults with the current configuration if available
# and fall back to guessing the config from some other system files
if [ -f "$CONFFILE" ]
then
# clear settings to pick up valus from configfile
db_set nslcd/ldap-uris ""
db_set nslcd/ldap-base ""
db_set nslcd/ldap-binddn ""
db_set nslcd/ldap-bindpw ""
db_set nslcd/ldap-starttls ""
# parse current configuration
parsecfg "$CONFFILE"
else
# first match wins
parsecfg /etc/libnss-ldap.conf
parsecfg /etc/pam_ldap.conf
parsecfg /etc/ldap/ldap.conf
parsecfg /etc/ldap.conf
parsesys
# fallback default values
db_get nslcd/ldap-uris
[ -z "$RET" ] && db_set nslcd/ldap-uris "ldap://127.0.0.1/"
db_get nslcd/ldap-base
[ -z "$RET" ] && db_set nslcd/ldap-base "dc=example,dc=net/"
fi
# fallback for starttls option
db_get nslcd/ldap-starttls
[ -z "$RET" ] && db_set nslcd/ldap-starttls "false"
#
# This is the second part of the script. In this part the configurable
# settings will be presented to the user for approval. The postinst
# will finaly perform the actual modifications.
#
state="server"
while [ "$state" != "done" ]
do
case "$state" in
server)
# ask about server configuration
db_input high nslcd/ldap-uris || true
db_input high nslcd/ldap-base || true
# ask the questions, go to the next question or exit
state="binddn"
db_go || exit 1
# TODO: add error checking on options
;;
binddn)
# ask for login information
db_input medium nslcd/ldap-binddn || true
# ask the question, go to the next question or back
state="bindpw"
db_go || state="server"
;;
bindpw)
# only ask question if we have a binddn
db_get nslcd/ldap-binddn
if [ -n "$RET" ]
then
# ask for login information
db_input medium nslcd/ldap-bindpw || true
else
# clear password
db_set nslcd/ldap-bindpw ""
fi
# ask the question, go to the next question or back
state="starttls"
db_go || state="binddn"
;;
starttls)
# check if ldaps:// URL's are used
db_get nslcd/ldap-uris
uris="$RET"
if (echo "$uris" | grep -q 'ldaps://')
then
# ldaps: URI defined, don't ask about StartTLS
db_set nslcd/ldap-starttls "false"
else
# ask whether to use StartTLS
db_input medium nslcd/ldap-starttls || true
fi
# ask the question, go to the next question or back
state="reqcert"
db_go || state="bindpw"
;;
reqcert)
# check if ldaps:// URL's are used
db_get nslcd/ldap-uris
uris="$RET"
# check if StartTLS is used
db_get nslcd/ldap-starttls
starttls="$RET"
if (echo "$uris" | grep -q 'ldaps://') || [ "$starttls" = "true" ]
then
# ask whether to do certificate validation
db_input high nslcd/ldap-reqcert || true
fi
# ask the question, go to the next question or back
state="done"
db_go || state="bindpw"
;;
esac
done
exit 0