authorArthur de Jong <arthur@arthurdejong.org>2010-11-10 21:12:05 +0000
committerArthur de Jong <arthur@arthurdejong.org>2010-11-10 21:12:05 +0000
commitca4154079dd117cbfe980d8950a5970cafeb062f (patch)
treecbafc634737e9a57f39bbdc01b03b9da5a863b44
parent8023dd7e8e1d9187e0ba15f06f6e9fd1e7ee7970 (diff)
implement configuring SASL authentication using Debconf, based on a patch by Daniel Dehennin
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1312 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r--debian/nslcd.config101
-rw-r--r--debian/nslcd.postinst6
-rw-r--r--debian/nslcd.templates76
3 files changed, 165 insertions, 18 deletions
diff --git a/debian/nslcd.config b/debian/nslcd.config
index bef5378..933c5e3 100644
--- a/debian/nslcd.config
+++ b/debian/nslcd.config
@@ -112,6 +112,12 @@ parsecfg()
read_config nslcd/ldap-base base
read_config nslcd/ldap-binddn binddn
read_config nslcd/ldap-bindpw bindpw
+ read_config nslcd/ldap-sasl-mech sasl_mech
+ read_config nslcd/ldap-sasl-realm sasl_realm
+ read_config nslcd/ldap-sasl-authcid sasl_authcid
+ read_config nslcd/ldap-sasl-authzid sasl_authzid
+ read_config nslcd/ldap-sasl-secprops sasl_secprops
+ read_config nslcd/ldap-sasl-krb5-ccname krb5_ccname
# check ssl option
db_get nslcd/ldap-starttls
if [ -z "$RET" ]
@@ -146,6 +152,11 @@ then
db_set nslcd/ldap-base ""
db_set nslcd/ldap-binddn ""
db_set nslcd/ldap-bindpw ""
+ db_set nslcd/ldap-sasl-mech ""
+ db_set nslcd/ldap-sasl-realm ""
+ db_set nslcd/ldap-sasl-authcid ""
+ db_set nslcd/ldap-sasl-authzid ""
+ db_set nslcd/ldap-sasl-secprops ""
db_set nslcd/ldap-starttls ""
db_set nslcd/ldap-reqcert ""
# parse current configuration
@@ -168,6 +179,21 @@ fi
db_get nslcd/ldap-starttls
[ -z "$RET" ] && db_set nslcd/ldap-starttls "false"
+# deduce auth-type from available information
+db_get nslcd/ldap-sasl-mech
+sasl_mech="$RET"
+db_get nslcd/ldap-binddn
+binddn="$RET"
+if [ -n "$sasl_mech" ]
+then
+ db_set nslcd/ldap-auth-type "SASL"
+elif [ -n "$binddn" ]
+then
+ db_set nslcd/ldap-auth-type "simple"
+else
+ db_set nslcd/ldap-auth-type "none"
+fi
+
#
# This is the second part of the script. In this part the configurable
# settings will be presented to the user for approval. The postinst
@@ -183,31 +209,76 @@ do
db_input high nslcd/ldap-uris || true
db_input high nslcd/ldap-base || true
# ask the questions, go to the next question or exit
- state="binddn"
+ state="authtype"
db_go || exit 1
# TODO: add error checking on options
;;
- binddn)
- # ask for login information
- db_input medium nslcd/ldap-binddn || true
+ authtype)
+ # ask for authentication type
+ db_input medium nslcd/ldap-auth-type || true
# ask the question, go to the next question or back
- state="bindpw"
+ state="authentication"
db_go || state="server"
;;
- bindpw)
- # only ask question if we have a binddn
- db_get nslcd/ldap-binddn
- if [ -n "$RET" ]
+ authentication)
+ # check which questions to ask, depending on the authentication type
+ db_get nslcd/ldap-auth-type
+ case "$RET" in
+ none)
+ # anonymous bind, nothing to ask (clear options)
+ db_set nslcd/ldap-binddn ""
+ db_set nslcd/ldap-bindpw ""
+ db_set nslcd/ldap-sasl-mech ""
+ state="starttls"
+ ;;
+ simple)
+ # ask for binddn and bindpw
+ db_input medium nslcd/ldap-binddn || true
+ db_input medium nslcd/ldap-bindpw || true
+ db_set nslcd/ldap-sasl-mech ""
+ state="starttls"
+ ;;
+ SASL)
+ # ask about SASL mechanism (other SASL questions depend on this)
+ db_input medium nslcd/ldap-sasl-mech || true
+ # RFC4313 if SASL, binddn should be disabled
+ db_set nslcd/ldap-binddn ""
+ state="sasloptions"
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+ db_go || state="authtype"
+ ;;
+ sasloptions)
+ # get SASL mech
+ db_get nslcd/ldap-sasl-mech
+ sasl_mech="$RET"
+ # ask SASL questions
+ db_input medium nslcd/ldap-sasl-realm || true
+ if [ "$sasl_mech" != "GSSAPI" ]
then
- # ask for login information
+ db_input medium nslcd/ldap-sasl-authcid || true
db_input medium nslcd/ldap-bindpw || true
else
- # clear password
+ db_set nslcd/ldap-sasl-authcid ""
db_set nslcd/ldap-bindpw ""
fi
+ db_input medium nslcd/ldap-sasl-authzid || true
+ db_input medium nslcd/ldap-sasl-secprops || true
+ if [ "$sasl_mech" = "GSSAPI" ]
+ then
+ # have a default for ldap-sasl-krb5-ccname
+ db_get nslcd/ldap-sasl-krb5-ccname
+ [ -z "$RET" ] && db_set nslcd/ldap-sasl-krb5-ccname "/var/run/nslcd/nslcd.tkt"
+ db_input low nslcd/ldap-sasl-krb5-ccname || true
+ else
+ db_set nslcd/ldap-sasl-krb5-ccname ""
+ fi
# ask the question, go to the next question or back
state="starttls"
- db_go || state="binddn"
+ db_go || state="authentication"
;;
starttls)
# check if ldaps:// URL's are used
@@ -222,8 +293,9 @@ do
db_input medium nslcd/ldap-starttls || true
fi
# ask the question, go to the next question or back
+ # (we go back to authtype because the previous questions were optional)
state="reqcert"
- db_go || state="bindpw"
+ db_go || state="authtype"
;;
reqcert)
# check if ldaps:// URL's are used
@@ -240,8 +312,9 @@ do
db_set nslcd/ldap-reqcert ""
fi
# ask the question, go to the next question or back
+ # (we go back to authtype because the previous questions were optional)
state="done"
- db_go || state="starttls"
+ db_go || state="authtype"
;;
esac
done
diff --git a/debian/nslcd.postinst b/debian/nslcd.postinst
index d103e9d..53f54fc 100644
--- a/debian/nslcd.postinst
+++ b/debian/nslcd.postinst
@@ -201,6 +201,12 @@ then
update_config nslcd/ldap-base base
update_config nslcd/ldap-binddn binddn
update_config nslcd/ldap-bindpw bindpw
+ update_config nslcd/ldap-sasl-mech sasl_mech
+ update_config nslcd/ldap-sasl-realm sasl_realm
+ update_config nslcd/ldap-sasl-authcid sasl_authcid
+ update_config nslcd/ldap-sasl-authzid sasl_authzid
+ update_config nslcd/ldap-sasl-secprops sasl_secprops
+ update_config nslcd/ldap-sasl-krb5-ccname krb5_ccname
update_config nslcd/ldap-reqcert tls_reqcert
# remove password from database
db_set nslcd/ldap-bindpw ""
diff --git a/debian/nslcd.templates b/debian/nslcd.templates
index 0c0cc82..874a348 100644
--- a/debian/nslcd.templates
+++ b/debian/nslcd.templates
@@ -18,19 +18,87 @@ _Description: LDAP server search base:
domain "example.net" would use "dc=example,dc=net" as the distinguished name
of the search base.
+Template: nslcd/ldap-auth-type
+Type: select
+__Choices: none, simple, SASL
+Default: none
+_Description: LDAP authentication to use:
+ If your LDAP database requires authentication you can choose which mechanism
+ should be used. Please choose the mechanism by which authentication should
+ be done:
+ * none: no authentication;
+ * simple: simple clear text binddn/password;
+ * SASL: one of the Simple Authentication and Security Layer
+ mechanisms.
+
Template: nslcd/ldap-binddn
Type: string
_Description: LDAP database user:
- If the LDAP database requires a login for normal lookups, enter the name of
- the account that will be used here. Leave it empty otherwise.
- .
- This value should be specified as a DN (distinguished name).
+ Enter the name of the account that will be used to log in to the LDAP
+ database. This value should be specified as a DN (distinguished name).
Template: nslcd/ldap-bindpw
Type: password
_Description: LDAP user password:
Enter the password that will be used to log in to the LDAP database.
+Template: nslcd/ldap-sasl-mech
+Type: select
+__Choices: auto, LOGIN, PLAIN, NTLM, CRAM-MD5, DIGEST-MD5, GSSAPI, OTP
+_Description: SASL mechanism to use:
+ Choose the SASL mechanism that will be used to authenticate to the LDAP
+ database:
+ * auto: autonegociation;
+ * LOGIN: deprecated in flavor of PLAIN;
+ * PLAIN: simple cleartext password mechanism;
+ * NTLM: NT LAN Manager authentication mechanism;
+ * CRAM-MD5: challenge-response scheme based on HMAC-MD5;
+ * DIGEST-MD5: HTTP Digest compatible challenge-response scheme;
+ * GSSAPI: used for Kerberos;
+ * OTP: a One Time Password mechanism.
+
+Template: nslcd/ldap-sasl-realm
+Type: string
+_Description: SASL realm:
+ Enter the SASL realm that will be used to authenticate to the LDAP
+ database.
+ .
+ If empty, the GSSAPI mechanism will use information from the Kerberos
+ credential cache. Others mechanisms may need @<REALM> suffixing sasl_authcid
+ and sasl_authzid.
+ .
+ The realm is appended to authentication and authorisation identities.
+
+Template: nslcd/ldap-sasl-authcid
+Type: string
+_Description: SASL authentication identity:
+ Enter the SASL authentication identity that will be used to authenticate to
+ the LDAP database.
+ .
+ This is the login used in LOGIN, PLAIN, CRAM-MD5 and DIGEST-MD5 mechanisms.
+
+Template: nslcd/ldap-sasl-authzid
+Type: string
+_Description: SASL proxy authorisation identity:
+ Enter the proxy authorisation identity that will be used to authenticate to
+ the LDAP database.
+ .
+ This is the object in the name of witch the LDAP request are done.
+ This value should be specified as a DN (distinguished name).
+
+Template: nslcd/ldap-sasl-secprops
+Type: string
+_Description: Cyrus SASL security properties:
+ Enter the Cyrus SASL security properties.
+ Allowed values are described in the ldap.conf(5) manual page
+ in the SASL OPTIONS section.
+
+Template: nslcd/ldap-sasl-krb5-ccname
+Type: string
+Default: /var/run/nslcd/nslcd.tkt
+_Description: Kerberos credential cache file path:
+ Enter the GSSAPI/Kerberos credential cache file name that will be used.
+
Template: nslcd/ldap-starttls
Type: boolean
_Description: Use StartTLS?
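Review bot: The `nslcd/ldap-auth-type` description calls the second option `* simple: simple clear text binddn/password;` but does not say that the password is sent unprotected unless ldaps:// or StartTLS is in use, and the StartTLS question is only asked later in the flow; the same applies to the LOGIN and PLAIN entries in the `nslcd/ldap-sasl-mech` list. Suggested wording: `* simple: simple clear text binddn/password (should only be used over ldaps:// or StartTLS);`. The new text also has several typos that will be carried into every translation: `autonegociation` → `autonegotiation`, `deprecated in flavor of PLAIN` → `deprecated in favour of PLAIN`, `Others mechanisms` → `Other mechanisms`, and `This is the object in the name of witch the LDAP request are done.` → `This is the identity on whose behalf LDAP requests are made.`.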