Arthur de Jong

Open Source / Free Software developer

summaryrefslogtreecommitdiffstats
path: root/debian/nslcd.config
blob: 2ac2a38d69644ba0118ea32c153efab7febd0727 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
#!/bin/sh

set -e

CONFFILE="/etc/nslcd.conf"
OCONFFILE="/etc/nss-ldapd.conf"

# fall back to old configfile if new one isn't present but old one is
[ ! -f "$CONFFILE" ] && [ -f "$OCONFFILE" ] && CONFFILE="$OCONFFILE"

# source debconf library.
. /usr/share/debconf/confmodule
db_version 2.0
db_capb backup

#
# This is the fist part of the script. In this part an attempt
# is made to get or guess the current configuration. This information
# is used later on to prompt the user and to provide a sensible
# default.
#

# check the system (non-LDAP configuration files) for some
# reasonable defaults
parsesys()
{
  # guess domain based on system information
  db_get nslcd/ldap-base
  if [ -z "$RET" ]
  then
    domain=`hostname --domain` || true
    [ -z "$domain" ] && domain=`hostname --nis | grep '\.'` || true
    [ -z "$domain" ] && domain=`hostname --fqdn | sed -n 's/^[^.]*\.//p'` || true
    [ -z "$domain" ] && domain=`sed -n 's/^ *\(domain\|search\) *\([^ ]*\) *$/\2/p' /etc/resolv.conf | head -n 1` || true
    db_get nslcd/ldap-base
    searchbase="$RET"
    # if the ldap-base value doesn't seem to be preseeded, try to use the
    # domain name to build the default base
    if [ -n "$domain" ]
    then
      searchbase=`echo "$domain" | sed 's/^/dc=/;s/\./,dc=/'` || true
      db_set nslcd/ldap-base "$searchbase"
    fi
  fi
  # guess ldap server
  db_get nslcd/ldap-uris
  if [ -z "$RET" ]
  then
    server=`getent hosts ldap` || true
    [ -z "$server" ] && server=`getent hosts dirhost` || true
    if [ -n "$domain" ] && [ -z "$server" ]
    then
      server=`getent hosts ldap."$domain"` || true
      [ -z "$server" ] && server=`getent hosts dirhost."$domain"` || true
    fi
    if [ -n "$server" ]
    then
      # extract ip address from host entry and quote ipv6 address
      ip=`echo $server | sed 's/[[:space:]].*//;s/^\(.*:.*\)$/[\1]/'`
      db_set nslcd/ldap-uris "ldap://$ip/"
    fi
  fi
  # we're done
  return 0
}

# parse a LDAP-like configuration file
parsecfg()
{
  cfgfile="$1"
  # check existance
  [ -f "$cfgfile" ] || return 0
  # find uri/host/port combo
  db_get nslcd/ldap-uris
  if [ -z "$RET" ]
  then
    uris=`sed -n 's/^uri[[:space:]]*//ip' "$cfgfile" | tr '\n' ' '`
    if [ -z "$uris" ]
    then
      hosts=`sed -n 's/^host[[:space:]]*//ip' "$cfgfile"`
      port=`sed -n 's/^port[[:space:]]*//ip' "$cfgfile" | tail -n 1`
      for host in $hosts
      do
        if [ -z "$port" ] || (echo "$host" | grep -q ':' )
        then
          uris="$uris ldap://$host/"
        else
          uris="$uris ldap://$host:$port/"
        fi
      done
    fi
    [ -n "$uris" ] && db_set nslcd/ldap-uris "$uris"
  fi
  # find base config
  db_get nslcd/ldap-base
  if [ -z "$RET" ]
  then
    searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`
    [ -n "$searchbase" ] && db_set nslcd/ldap-base "$searchbase"
  fi
  # find binddn
  db_get nslcd/ldap-binddn
  if [ -z "$RET" ]
  then
    binddn=`sed -n 's/^binddn[[:space:]]*//ip' "$cfgfile" | tail -n 1`
    db_set nslcd/ldap-binddn "$binddn"
  fi
  # find bindpw
  db_get nslcd/ldap-bindpw
  if [ -z "$RET" ]
  then
    bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' "$cfgfile" | tail -n 1`
    db_set nslcd/ldap-bindpw "$bindpw"
  fi
  # check ssl option
  db_get nslcd/ldap-starttls
  if [ -z "$RET" ]
  then
    if grep -qi '^ssl[[:space:]]*start_*tls' "$cfgfile"
    then
      db_set nslcd/ldap-starttls "true"
    elif grep -qi '^ssl[[:space:]]' "$cfgfile"
    then
      db_set nslcd/ldap-starttls "false"
    fi
  fi
  # check reqcert option
  db_get nslcd/ldap-reqcert
  if [ -z "$RET" ]
  then
    reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' "$cfgfile" | tail -n 1`
    # normalise value
    reqcert=`echo "$reqcert" | tr 'A-Z' 'a-z' | sed 's/^no$/never/;s/^yes$/demand/'`
    [ -n "$reqcert" ] && db_set nslcd/ldap-reqcert "$reqcert"
  fi
  # we're done
  return 0
}

# fill our defaults with the current configuration if available
# and fall back to guessing the config from some other system files
if [ -f "$CONFFILE" ]
then
  # clear settings to pick up valus from configfile
  db_set nslcd/ldap-uris ""
  db_set nslcd/ldap-base ""
  db_set nslcd/ldap-binddn ""
  db_set nslcd/ldap-bindpw ""
  db_set nslcd/ldap-starttls ""
  # parse current configuration
  parsecfg "$CONFFILE"
else
  # first match wins
  parsecfg /etc/libnss-ldap.conf
  parsecfg /etc/pam_ldap.conf
  parsecfg /etc/ldap/ldap.conf
  parsecfg /etc/ldap.conf
  parsesys
  # fallback default values
  db_get nslcd/ldap-uris
  [ -z "$RET" ] && db_set nslcd/ldap-uris "ldap://127.0.0.1/"
  db_get nslcd/ldap-base
  [ -z "$RET" ] && db_set nslcd/ldap-base "dc=example,dc=net/"
fi

# fallback for starttls option
db_get nslcd/ldap-starttls
[ -z "$RET" ] && db_set nslcd/ldap-starttls "false"

#
# This is the second part of the script. In this part the configurable
# settings will be presented to the user for approval. The postinst
# will finaly perform the actual modifications.
#

state="server"
while [ "$state" != "done" ]
do
  case "$state" in
  server)
    # ask about server configuration
    db_input high nslcd/ldap-uris || true
    db_input high nslcd/ldap-base || true
    # ask the questions, go to the next question or exit
    state="binddn"
    db_go || exit 1
    # TODO: add error checking on options
    ;;
  binddn)
    # ask for login information
    db_input medium nslcd/ldap-binddn || true
    # ask the question, go to the next question or back
    state="bindpw"
    db_go || state="server"
    ;;
  bindpw)
    # only ask question if we have a binddn
    db_get nslcd/ldap-binddn
    if [ -n "$RET" ]
    then
      # ask for login information
      db_input medium nslcd/ldap-bindpw || true
    else
      # clear password
      db_set nslcd/ldap-bindpw ""
    fi
    # ask the question, go to the next question or back
    state="starttls"
    db_go || state="binddn"
    ;;
  starttls)
    # check if ldaps:// URL's are used
    db_get nslcd/ldap-uris
    uris="$RET"
    if (echo "$uris" | grep -q 'ldaps://')
    then
      # ldaps: URI defined, don't ask about StartTLS
      db_set nslcd/ldap-starttls "false"
    else
      # ask whether to use StartTLS
      db_input medium nslcd/ldap-starttls || true
    fi
    # ask the question, go to the next question or back
    state="reqcert"
    db_go || state="bindpw"
    ;;
  reqcert)
    # check if ldaps:// URL's are used
    db_get nslcd/ldap-uris
    uris="$RET"
    # check if StartTLS is used
    db_get nslcd/ldap-starttls
    starttls="$RET"
    if (echo "$uris" | grep -q 'ldaps://') || [ "$starttls" = "true" ]
    then
      # ask whether to do certificate validation
      db_input high nslcd/ldap-reqcert || true
    fi
    # ask the question, go to the next question or back
    state="done"
    db_go || state="starttls"
    ;;
  esac
done

exit 0