blob: 04f7285c487eb2450f034bcb0dec02c2c624ae4d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
|
#!/bin/sh
set -e
CONFFILE="/etc/nss-ldapd.conf"
# set an option in the configuration file to the specified value
cfg_set()
{
parameter=$1
value=$2
commented=0
notthere=0
# check if the parameter is defined
grep -i -q "^$parameter " $CONFFILE || notthere=1
if [ "$notthere" = "1" ]
then
# check if the parameter is commented out
if grep -i -q "^#$parameter" $CONFFILE
then
notthere=0
commented=1
fi
fi
# decide what to do
if [ "$notthere" = "1" ]
then
# just append a new line
echo "$parameter $value" >> $CONFFILE
else
# TODO: check if the option is already defined with the value we need
# replace the existing option
replacestring="$parameter"
if [ "$commented" = "1" ]
then
replacestring="# *$parameter"
fi
# this works as long as any option is specified only once
# FIXME: also work when option is commented out on multiple lines
sed -i 's%^'"$replacestring"' .*$%'"$parameter $value"'%i' "$CONFFILE"
fi
# we're done
return 0
}
# disable an option in the configuration file by commenting it out
cfg_disable()
{
parameter=$1
# TODO add an option to also remove the option value
# (for passwords)
if grep -i -q "^$parameter " $CONFFILE
then
sed -i 's%^\('"$parameter"'.*\)$%#\1%i' "$CONFFILE"
fi
# we're done
return 0
}
# check to see if name is configured to do lookups through
# LDAP and enable if not
nss_enable()
{
name=$1
if ! grep -q '^'$name':.*ldap.*' /etc/nsswitch.conf
then
echo "/etc/nsswitch.conf: enable LDAP lookups for $name" >&2
if grep -q '^'$name':' /etc/nsswitch.conf
then
# modify an existing entry by just adding ldap to the end
sed -i 's/^\('$name':.*\)[[:space:]]*$/\1 ldap/' /etc/nsswitch.conf
else
# append a new line
printf '%-15s ldap\n' $name':' >> /etc/nsswitch.conf
fi
fi
# we're done
return 0
}
# remove NSS lookups though LDAP for the specified service
nss_disable()
{
name=$1
# these functions also remove the lookup result handling part
# of the ldap entry (see nsswitch.conf(5))
if grep -q '^'$name':.*ldap.*' /etc/nsswitch.conf
then
echo "/etc/nsswitch.conf: disable LDAP lookups for $name" >&2
if [ -n "`sed -n '/^'$name':[[:space:]]*ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*$/p' /etc/nsswitch.conf`" ]
then
# the name service only maps to ldap, remove the whole line
sed -i '/^'$name':[[:space:]]*ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*$/d' /etc/nsswitch.conf
else
# remove ldap part from existing line, keeping other methods intact
# TODO: remove trailing space
sed -i 's/^\('$name':.*\)ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*\(.*\)$/\1\3/' /etc/nsswitch.conf
fi
fi
# we're done
return 0
}
# create a default configuration file if nothing exists yet
create_config()
{
if [ ! -e "$CONFFILE" ]
then
if [ -f /etc/libnss-ldap.conf ]
then
# begin the file by some information as to where it came from
cat > "$CONFFILE" << EOM
# $CONFFILE
# nss-ldapd configuration file. See nss-ldapd.conf(5)
# for details.
#
# This file was based on existing configuration files
# /etc/libnss-ldap.conf and /etc/libnss-ldap.secret
EOM
# copy the existing config in place, getting rid
# of the silly #DEBCONF# lines
egrep -v '(###DEBCONF###|configuration of this file will be done by debconf|dpkg-reconfigure)' \
< /etc/libnss-ldap.conf \
>> "$CONFFILE"
# also append the secret file if it is present
if [ -f /etc/libnss-ldap.secret ]
then
echo "rootbindpw `cat /etc/libnss-ldap.secret`" >> "$CONFFILE"
fi
# disable options that are no longer supported
cfg_disable host
cfg_disable port
else
# fall back to generating a simple configuration file
# from this simple template
# TODO: improve this template
cat > "$CONFFILE" << EOM
# $CONFFILE
# nss-ldapd configuration file. See nss-ldapd.conf(5)
# for details.
# The location at which the LDAP server(s) should be reachable.
uri ldap://localhost/
# The search base that will be used for all queries.
base dc=example,dc=net
# The LDAP protocol version to use.
ldap_version 3
# The DN to bind with for normal lookups.
binddn cn=annonymous,dc=example,dc=net
bindpw secret
# The DN to bind with for lookups as root.
rootbinddn cn=administrator,dc=example,dc=net
rootbindpw verysecret
# The search scope.
#scope sub
EOM
fi
fi
# we're done
return 0
}
# real functions begin here
if [ "$1" = "configure" ]
then
# get configuration data from debconf
. /usr/share/debconf/confmodule
# create a default configuration
create_config
# set server uri
db_get libnss-ldapd/ldap-uris
cfg_set uri "$RET"
# set search base
db_get libnss-ldapd/ldap-base
cfg_set base "$RET"
# set ldap version
db_get libnss-ldapd/ldap-version
cfg_set ldap_version "$RET"
# set bind dn/pw
db_get libnss-ldapd/ldap-binddn
if [ -n "$RET" ]
then
cfg_set binddn "$RET"
db_get libnss-ldapd/ldap-bindpw
cfg_set bindpw "$RET"
# remove password from database
db_set libnss-ldapd/ldap-bindpw ""
else
# no binddn/pw, disable options
cfg_disable binddn
cfg_disable bindpw
# FIXME: remove password value from config
fi
# set root bind dn/pw
db_get libnss-ldapd/ldap-rootbinddn
if [ -n "$RET" ]
then
cfg_set rootbinddn "$RET"
db_get libnss-ldapd/ldap-rootbindpw
cfg_set rootbindpw "$RET"
# remove password from database
db_set libnss-ldapd/ldap-rootbindpw ""
else
# no binddn/pw, disable options
cfg_disable rootbinddn
cfg_disable rootbindpw
# FIXME: remove password value from config
fi
# modify /etc/nsswitch.conf
db_get libnss-ldapd/nsswitch
enablenss=`echo "$RET" | sed 's/,//g'`
allnss=`sed -n 's/^\([a-z]*\):.*$/\1/p' /etc/nsswitch.conf`
allnss=`echo $allnss $enablenss | sed 's/ /\n/g' | sort -u`
for n in $allnss
do
if echo ' '$enablenss' ' | grep -q ' '$n' '
then
nss_enable $n
else
nss_disable $n
fi
done
# we're done
db_stop
# TODO: fix permissions of configfile if passwords are stored
# TODO: create backups of /etc/nsswitch.conf and configfile
# (probably store orig in tmpfile and if diff install it
# as backup)
fi
# restart nscd to pick up changes in nsswitch.conf
# (other processes will have to be restarted manually)
if [ -s /usr/sbin/nscd ]
then
if [ `pidof -s nscd` ]
then
if which invoke-rc.d >/dev/null 2>&1
then
invoke-rc.d nscd restart
else
/etc/init.d/nscd restart
fi
fi
fi
#DEBHELPER#
exit 0
|