Arthur de Jong

Open Source / Free Software developer

summaryrefslogtreecommitdiffstats
path: root/debian/libnss-ldapd.postinst
blob: 04f7285c487eb2450f034bcb0dec02c2c624ae4d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
#!/bin/sh

set -e

CONFFILE="/etc/nss-ldapd.conf"

# set an option in the configuration file to the specified value
cfg_set()
{
  parameter=$1
  value=$2
  commented=0
  notthere=0
  # check if the parameter is defined
  grep -i -q "^$parameter " $CONFFILE || notthere=1
  if [ "$notthere" = "1" ]
  then
    # check if the parameter is commented out
    if grep -i -q "^#$parameter" $CONFFILE
    then
      notthere=0
      commented=1
    fi
  fi
  # decide what to do
  if [ "$notthere" = "1" ]
  then
    # just append a new line
    echo "$parameter $value" >> $CONFFILE
  else
    # TODO: check if the option is already defined with the value we need
    # replace the existing option
    replacestring="$parameter"
    if [ "$commented" = "1" ]
    then
      replacestring="# *$parameter"
    fi
    # this works as long as any option is specified only once
    # FIXME: also work when option is commented out on multiple lines
    sed -i 's%^'"$replacestring"' .*$%'"$parameter $value"'%i' "$CONFFILE"
  fi
  # we're done
  return 0
}

# disable an option in the configuration file by commenting it out
cfg_disable()
{
  parameter=$1
  # TODO add an option to also remove the option value
  #      (for passwords)
  if grep -i -q "^$parameter " $CONFFILE
  then
    sed -i 's%^\('"$parameter"'.*\)$%#\1%i' "$CONFFILE"
  fi
  # we're done
  return 0
}

# check to see if name is configured to do lookups through
# LDAP and enable if not
nss_enable()
{
  name=$1
  if ! grep -q '^'$name':.*ldap.*' /etc/nsswitch.conf
  then
    echo "/etc/nsswitch.conf: enable LDAP lookups for $name" >&2
    if grep -q '^'$name':' /etc/nsswitch.conf
    then
      # modify an existing entry by just adding ldap to the end
      sed -i 's/^\('$name':.*\)[[:space:]]*$/\1 ldap/' /etc/nsswitch.conf
    else
      # append a new line
      printf '%-15s ldap\n' $name':' >> /etc/nsswitch.conf
    fi
  fi
  # we're done
  return 0
}

# remove NSS lookups though LDAP for the specified service
nss_disable()
{
  name=$1
  # these functions also remove the lookup result handling part
  # of the ldap entry (see nsswitch.conf(5))
  if grep -q '^'$name':.*ldap.*' /etc/nsswitch.conf
  then
    echo "/etc/nsswitch.conf: disable LDAP lookups for $name" >&2
    if [ -n "`sed -n '/^'$name':[[:space:]]*ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*$/p' /etc/nsswitch.conf`" ]
    then
      # the name service only maps to ldap, remove the whole line
      sed -i '/^'$name':[[:space:]]*ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*$/d' /etc/nsswitch.conf
    else
      # remove ldap part from existing line, keeping other methods intact
      # TODO: remove trailing space
      sed -i 's/^\('$name':.*\)ldap[[:space:]]*\(\[[^]]*\]\)*[[:space:]]*\(.*\)$/\1\3/' /etc/nsswitch.conf
    fi
  fi
  # we're done
  return 0
}

# create a default configuration file if nothing exists yet
create_config()
{
  if [ ! -e "$CONFFILE" ]
  then
    if [ -f /etc/libnss-ldap.conf ]
    then
      # begin the file by some information as to where it came from
      cat > "$CONFFILE" << EOM
# $CONFFILE
# nss-ldapd configuration file. See nss-ldapd.conf(5)
# for details.
#
# This file was based on existing configuration files
# /etc/libnss-ldap.conf and /etc/libnss-ldap.secret

EOM
      # copy the existing config in place, getting rid
      # of the silly #DEBCONF# lines
      egrep -v '(###DEBCONF###|configuration of this file will be done by debconf|dpkg-reconfigure)' \
        < /etc/libnss-ldap.conf \
        >> "$CONFFILE"
      # also append the secret file if it is present
      if [ -f /etc/libnss-ldap.secret ]
      then
        echo "rootbindpw `cat /etc/libnss-ldap.secret`" >> "$CONFFILE"
      fi
      # disable options that are no longer supported
      cfg_disable host
      cfg_disable port
    else
      # fall back to generating a simple configuration file
      # from this simple template
      # TODO: improve this template
      cat > "$CONFFILE" << EOM
# $CONFFILE
# nss-ldapd configuration file. See nss-ldapd.conf(5)
# for details.

# The location at which the LDAP server(s) should be reachable.
uri ldap://localhost/

# The search base that will be used for all queries.
base dc=example,dc=net

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=annonymous,dc=example,dc=net
bindpw secret

# The DN to bind with for lookups as root.
rootbinddn cn=administrator,dc=example,dc=net
rootbindpw verysecret

# The search scope.
#scope sub

EOM
    fi
  fi
  # we're done
  return 0
}

# real functions begin here
if [ "$1" = "configure" ]
then
  # get configuration data from debconf
  . /usr/share/debconf/confmodule
  # create a default configuration
  create_config
  # set server uri
  db_get libnss-ldapd/ldap-uris
  cfg_set uri "$RET"
  # set search base
  db_get libnss-ldapd/ldap-base
  cfg_set base "$RET"
  # set ldap version
  db_get libnss-ldapd/ldap-version
  cfg_set ldap_version "$RET"
  # set bind dn/pw
  db_get libnss-ldapd/ldap-binddn
  if [ -n "$RET" ]
  then
    cfg_set binddn "$RET"
    db_get libnss-ldapd/ldap-bindpw
    cfg_set bindpw "$RET"
    # remove password from database
    db_set libnss-ldapd/ldap-bindpw ""
  else
    # no binddn/pw, disable options
    cfg_disable binddn
    cfg_disable bindpw
    # FIXME: remove password value from config
  fi
  # set root bind dn/pw
  db_get libnss-ldapd/ldap-rootbinddn
  if [ -n "$RET" ]
  then
    cfg_set rootbinddn "$RET"
    db_get libnss-ldapd/ldap-rootbindpw
    cfg_set rootbindpw "$RET"
    # remove password from database
    db_set libnss-ldapd/ldap-rootbindpw ""
  else
    # no binddn/pw, disable options
    cfg_disable rootbinddn
    cfg_disable rootbindpw
    # FIXME: remove password value from config
  fi
  # modify /etc/nsswitch.conf
  db_get libnss-ldapd/nsswitch
  enablenss=`echo "$RET" | sed 's/,//g'`
  allnss=`sed -n 's/^\([a-z]*\):.*$/\1/p' /etc/nsswitch.conf`
  allnss=`echo $allnss $enablenss | sed 's/ /\n/g' | sort -u`
  for n in $allnss
  do
    if echo ' '$enablenss' ' | grep -q ' '$n' '
    then
      nss_enable $n
    else
      nss_disable $n
    fi
  done
  # we're done
  db_stop
  # TODO: fix permissions of configfile if passwords are stored
  # TODO: create backups of /etc/nsswitch.conf and configfile
  #       (probably store orig in tmpfile and if diff install it
  #       as backup)
fi

# restart nscd to pick up changes in nsswitch.conf
# (other processes will have to be restarted manually)
if [ -s /usr/sbin/nscd ]
then
  if [ `pidof -s nscd` ]
  then
    if which invoke-rc.d >/dev/null 2>&1
    then
      invoke-rc.d nscd restart
    else
      /etc/init.d/nscd restart
    fi
  fi
fi

#DEBHELPER#

exit 0