Diffstat (limited to 'debian/libnss-ldapd.config')
-rw-r--r-- | debian/libnss-ldapd.config | 249 |
1 files changed, 12 insertions, 237 deletions
diff --git a/debian/libnss-ldapd.config b/debian/libnss-ldapd.config
index f8141f9..03d5622 100644
--- a/debian/libnss-ldapd.config
+++ b/debian/libnss-ldapd.config
@@ -7,7 +7,6 @@ CONFFILE="/etc/nss-ldapd.conf"
 # source debconf library.
 . /usr/share/debconf/confmodule
 db_version 2.0
-db_capb backup
 # set title
 db_title "Configuring libnss-ldapd"
 
@@ -19,251 +18,27 @@ db_title "Configuring libnss-ldapd" # default. # -# check the system (non-LDAP configuration files) for some -# reasonable defaults -parsesys() -{ - # guess domain based on system information - db_get libnss-ldapd/ldap-base - if [ -z "$RET" ] - then - domain=`hostname --domain` || true - [ -z "$domain" ] && domain=`hostname --nis | grep '\.'` || true - [ -z "$domain" ] && domain=`hostname --fqdn | sed -n 's/^[^.]*\.//p'` || true - [ -z "$domain" ] && domain=`sed -n 's/^ *\(domain\|search\) *\([^ ]*\) *$/\2/p' /etc/resolv.conf | head -n 1` || true - db_get libnss-ldapd/ldap-base - searchbase="$RET" - # if the ldap-base value doesn't seem to be preseeded, try to use the - # domain name to build the default base - if [ -n "$domain" ] - then - searchbase=`echo "$domain" | sed 's/^/dc=/;s/\./,dc=/'` || true - db_set libnss-ldapd/ldap-base "$searchbase" - fi - fi - # guess ldap server - db_get libnss-ldapd/ldap-uris - if [ -z "$RET" ] - then - server=`getent hosts ldap` || true - [ -z "$server" ] && server=`getent hosts dirhost` || true - if [ -n "$domain" ] && [ -z "$server" ] - then - server=`getent hosts ldap."$domain"` || true - [ -z "$server" ] && server=`getent hosts dirhost."$domain"` || true - fi - if [ -n "$server" ] - then - # extract ip address from host entry and quote ipv6 address - ip=`echo $server | sed 's/[[:space:]].*//;s/^\(.*:.*\)$/[\1]/'` - db_set libnss-ldapd/ldap-uris "ldap://$ip/" - fi - fi - # we're done - return 0 -} - -# parse a LDAP-like configuration file -parsecfg() -{ - cfgfile="$1" - # check existance - [ -f "$cfgfile" ] || return 0 - # find uri/host/port combo - db_get libnss-ldapd/ldap-uris - if [ -z "$RET" ] - then - uris=`sed -n 's/^uri[[:space:]]*//ip' "$cfgfile" | tr '\n' ' '` - if [ -z "$uris" ] - then - hosts=`sed -n 's/^host[[:space:]]*//ip' "$cfgfile"` - port=`sed -n 's/^port[[:space:]]*//ip' "$cfgfile" | tail -n 1` - for host in $hosts - do - if [ -z "$port" ] || (echo "$host" | grep -q ':' ) - then - 
uris="$uris ldap://$host/" - else - uris="$uris ldap://$host:$port/" - fi - done - fi - [ -n "$uris" ] && db_set libnss-ldapd/ldap-uris "$uris" - fi - # find base config - db_get libnss-ldapd/ldap-base - if [ -z "$RET" ] - then - searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1` - [ -n "$searchbase" ] && db_set libnss-ldapd/ldap-base "$searchbase" - fi - # find binddn - db_get libnss-ldapd/ldap-binddn - if [ -z "$RET" ] - then - binddn=`sed -n 's/^binddn[[:space:]]*//ip' "$cfgfile" | tail -n 1` - db_set libnss-ldapd/ldap-binddn "$binddn" - fi - # find bindpw - db_get libnss-ldapd/ldap-bindpw - if [ -z "$RET" ] - then - bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' "$cfgfile" | tail -n 1` - db_set libnss-ldapd/ldap-bindpw "$bindpw" - fi - # check ssl option - db_get libnss-ldapd/ldap-starttls - if [ -z "$RET" ] - then - if grep -qi '^ssl[[:space:]]*start_*tls' "$cfgfile" - then - db_set libnss-ldapd/ldap-starttls "true" - elif grep -qi '^ssl[[:space:]]' "$cfgfile" - then - db_set libnss-ldapd/ldap-starttls "false" - fi - fi - # check reqcert option - db_get libnss-ldapd/ldap-reqcert - if [ -z "$RET" ] - then - reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' "$cfgfile" | tail -n 1` - # normalise value - reqcert=`echo "$reqcert" | tr 'A-Z' 'a-z' | sed 's/^no$/never/;s/^yes$/demand/'` - [ -n "$reqcert" ] && db_set libnss-ldapd/ldap-reqcert "$reqcert" - fi - # we're done - return 0 -} - # parse /etc/nsswitch.conf and see which services have ldap specified -parsensswitch() -{ - db_get libnss-ldapd/nsswitch - if [ -z "$RET" ] - then - # find name services that currently use LDAP - configured=`sed -n 's/^\([a-z]*\):.*[[:space:]]ldap\([[:space:]].*\)\?/\1/p' /etc/nsswitch.conf` - # separate by commas - configured=`echo $configured | sed 's/ /, /g'` - # store configured services - db_set libnss-ldapd/nsswitch "$configured" - fi - # we're done - return 0 -} - -# fill our defaults 
with the current configuration if available -# and fall back to guessing the config from some other system files -if [ -f "$CONFFILE" ] +db_get libnss-ldapd/nsswitch +if [ -z "$RET" ] then - # clear settings to pick up valus from configfile - db_set libnss-ldapd/ldap-uris "" - db_set libnss-ldapd/ldap-base "" - db_set libnss-ldapd/ldap-binddn "" - db_set libnss-ldapd/ldap-bindpw "" - db_set libnss-ldapd/nsswitch "" - # parse current configuration - parsecfg "$CONFFILE" -else - # first match wins - parsecfg /etc/libnss-ldap.conf - parsecfg /etc/pam_ldap.conf - parsecfg /etc/ldap/ldap.conf - parsesys - # fallback default values - db_get libnss-ldapd/ldap-uris - [ -z "$RET" ] && db_set libnss-ldapd/ldap-uris "ldap://127.0.0.1/" - db_get libnss-ldapd/ldap-base - [ -z "$RET" ] && db_set libnss-ldapd/ldap-base "dc=example,dc=net/" - db_get libnss-ldapd/ldap-starttls - [ -z "$RET" ] && db_set libnss-ldapd/ldap-starttls "false" + # find name services that currently use LDAP + configured=`sed -n 's/^\([a-z]*\):.*[[:space:]]ldap\([[:space:]].*\)\?/\1/p' /etc/nsswitch.conf` + # separate by commas + configured=`echo $configured | sed 's/ /, /g'` + # store configured services + db_set libnss-ldapd/nsswitch "$configured" fi -# check /etc/nsswitch.conf -parsensswitch - # # This is the second part of the script. In this part the configurable # settings will be presented to the user for approval. The postinst # will finaly perform the actual modifications. 
# -state="server" -while [ "$state" != "done" ] -do - case "$state" in - server) - # ask about server configuration - db_input high libnss-ldapd/ldap-uris || true - db_input high libnss-ldapd/ldap-base || true - # ask the questions, go to the next question or exit - state="binddn" - db_go || exit 1 - # TODO: add error checking on options - ;; - binddn) - # ask for login information - db_input medium libnss-ldapd/ldap-binddn || true - # ask the question, go to the next question or back - state="bindpw" - db_go || state="server" - ;; - bindpw) - # only ask question if we have a binddn - db_get libnss-ldapd/ldap-binddn - if [ -n "$RET" ] - then - # ask for login information - db_input medium libnss-ldapd/ldap-bindpw || true - else - # clear password - db_set libnss-ldapd/ldap-bindpw "" - fi - # ask the question, go to the next question or back - state="starttls" - db_go || state="binddn" - ;; - starttls) - # check if ldaps:// URL's are used - db_get libnss-ldapd/ldap-uris - uris="$RET" - if (echo "$uris" | grep -q 'ldaps://') - then - # ldaps: URI defined, don't ask about StartTLS - db_set libnss-ldapd/ldap-starttls "false" - else - # ask whether to use StartTLS - db_input medium libnss-ldapd/ldap-starttls || true - fi - # ask the question, go to the next question or back - state="reqcert" - db_go || state="bindpw" - ;; - reqcert) - # check if ldaps:// URL's are used - db_get libnss-ldapd/ldap-uris - uris="$RET" - # check if StartTLS is used - db_get libnss-ldapd/ldap-starttls - starttls="$RET" - if (echo "$uris" | grep -q 'ldaps://') || [ "$starttls" = "true" ] - then - # ask whether to do certificate validation - db_input high libnss-ldapd/ldap-reqcert || true - fi - # ask the question, go to the next question or back - state="nsswitch" - db_go || state="bindpw" - ;; - nsswitch) - # ask for which nsswitch options to configure - db_capb multiselect - db_input high libnss-ldapd/nsswitch || true - state="done" - db_go || state="reqcert" - ;; - esac -done +# ask for 
which nsswitch options to configure +db_capb multiselect +db_input high libnss-ldapd/nsswitch || true +db_go || true exit 0 |
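Review bot: The nsswitch detection that the hunk inlines at top level keeps the old regex, which requires a whitespace character immediately before `ldap` and has no end anchor, so an entry written as `passwd:ldap` is not detected while a token that merely starts with `ldap` is accepted (and its tail is left in the printed service name). Anchoring both sides fixes both cases with one line: `configured=\`sed -n 's/^\([a-z]*\):[[:space:]]*\(.*[[:space:]]\)\?ldap\([[:space:]].*\)\?$/\1/p' /etc/nsswitch.conf\``. The following `echo $configured` depends on the unquoted expansion to turn the one-per-line output into a space-separated list, which a reader will otherwise flag as a quoting bug; a comment such as `# unquoted on purpose: word-splitting joins the one-per-line list with spaces` would make the intent explicit. Both points apply equally to the identical lines in the removed parsensswitch() function, so they predate this commit.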