Arthur de Jong <[email protected]> writes:

> First, the detection routines are now a little cleaner I think. All
> options are read from the config, even if they don't make much sense
> combined. We want to try to retain as much as possible from the
> administrator's changes to the file.

Hello, I attach a patch against your nslcd.config; I can provide one
against trunk if you prefer.

Settings defined in the configuration file are retained, others stay in
debconf.

The only tricky thing I encountered with my change is the
nslcd/ldap-auth-type autodetection.

Both authentication types can end up defined, one from debconf and one
from the configuration file. In that case I keep the debconf auth-type if
one is already set, otherwise I fall back to none.

The administrator only needs to select the desired one interactively.

To override any manually modified settings, an administrator working
with non-interactive debconf only needs to preseed
nslcd/ldap-auth-type to none, reconfigure non-interactively, then
preseed again with the desired settings and reconfigure.

Regards.
-- 
Daniel Dehennin
Récupérer ma clef GPG:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1

=== modified file 'debian/nslcd.config'
--- debian/nslcd.config	2010-07-21 12:40:02 +0000
+++ debian/nslcd.config	2010-07-21 12:42:28 +0000
@@ -68,70 +68,79 @@
 parsecfg()
 {
   cfgfile="$1"
+  dbover="$2"
   # check existance
   [ -f "$cfgfile" ] || return 0
   # find uri/host/port combo
-  db_get nslcd/ldap-uris
-  if [ -z "$RET" ]
+  uris=`sed -n 's/^uri[[:space:]]*//ip' "$cfgfile" | tr '\n' ' '`
+  if [ -z "$uris" ]
   then
-    uris=`sed -n 's/^uri[[:space:]]*//ip' "$cfgfile" | tr '\n' ' '`
-    if [ -z "$uris" ]
-    then
       hosts=`sed -n 's/^host[[:space:]]*//ip' "$cfgfile"`
       port=`sed -n 's/^port[[:space:]]*//ip' "$cfgfile" | tail -n 1`
       for host in $hosts
       do
-        if [ -z "$port" ] || (echo "$host" | grep -q ':' )
-        then
-          uris="$uris ldap://$host/";
-        else
-          uris="$uris ldap://$host:$port/";
-        fi
+          if [ -z "$port" ] || (echo "$host" | grep -q ':' )
+          then
+              uris="$uris ldap://$host/";
+          else
+              uris="$uris ldap://$host:$port/";
+          fi
       done
-    fi
-    [ -n "$uris" ] && db_set nslcd/ldap-uris "$uris"
+  fi
+  db_get nslcd/ldap-uris
+  if [ -z "$RET" ] || [ -n "$dbover" ] && [ -n "$uris" ]
+  then
+    db_set nslcd/ldap-uris "$uris"
   fi
   # find base config
+  searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`
   db_get nslcd/ldap-base
-  if [ -z "$RET" ]
+  if [ -z "$RET" ] || [ -n "$dbover" ] && [ -n "$searchbase" ]
   then
-    searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`
-    [ -n "$searchbase" ] && db_set nslcd/ldap-base "$searchbase"
+    db_set nslcd/ldap-base "$searchbase"
   fi
   # find binddn
+  binddn=`sed -n 's/^binddn[[:space:]]*//ip' "$cfgfile" | tail -n 1`
   db_get nslcd/ldap-binddn
-  if [ -z "$RET" ]
+  if [ -z "$RET" ] || [ -n "$dbover" ] && [ -n "$binddn" ]
   then
-    binddn=`sed -n 's/^binddn[[:space:]]*//ip' "$cfgfile" | tail -n 1`
     db_set nslcd/ldap-binddn "$binddn"
   fi
   # find bindpw
+  bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' "$cfgfile" | tail -n 1`
   db_get nslcd/ldap-bindpw
-  if [ -z "$RET" ]
+  if [ -z "$RET" ] || [ -n "$dbover" ] && [ -n "$bindpw" ]
   then
-    bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' "$cfgfile" | tail -n 1`
     db_set nslcd/ldap-bindpw "$bindpw"
   fi
   # check ssl option
+  if grep -qi '^ssl[[:space:]]*start_*tls' "$cfgfile"
+  then
+    starttls=true
+  elif grep -qi '^ssl[[:space:]]' "$cfgfile"
+  then
+    starttls=false
+  fi
   db_get nslcd/ldap-starttls
-  if [ -z "$RET" ]
+  if [ -z "$RET" ] || [ -n "$dbover" ] && [ -n "$starttls" ]
   then
-    if grep -qi '^ssl[[:space:]]*start_*tls' "$cfgfile"
-    then
-      db_set nslcd/ldap-starttls "true"
-    elif grep -qi '^ssl[[:space:]]' "$cfgfile"
-    then
-      db_set nslcd/ldap-starttls "false"
-    fi
+    db_set nslcd/ldap-starttls "$starttls"
   fi
   # check reqcert option
+  reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' "$cfgfile" | tail -n 1`
+  # normalise value
+  reqcert=`echo "$reqcert" | tr 'A-Z' 'a-z' | sed 's/^no$/never/;s/^yes$/demand/'`
   db_get nslcd/ldap-reqcert
-  if [ -z "$RET" ]
-  then
-    reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' "$cfgfile" | tail -n 1`
-    # normalise value
-    reqcert=`echo "$reqcert" | tr 'A-Z' 'a-z' | sed 's/^no$/never/;s/^yes$/demand/'`
-    [ -n "$reqcert" ] && db_set nslcd/ldap-reqcert "$reqcert"
+  if [ -z "$RET" ] || [ -n "$dbover" ] && [ -n "$reqcert" ]
+  then
+    db_set nslcd/ldap-reqcert "$reqcert"
+  fi
+  # find SASL mech
+  sasl_mech=`sed -n 's/^sasl_mech[[:space:]]*\([^//[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"`
+  db_get nslcd/ldap-sasl-mech
+  if [ -z "$RET" ] || [ -n "$dbover" ] && [ -n "$sasl_mech" ]
+  then
+    db_set nslcd/ldap-sasl-mech "$sasl_mech"
   fi
   # find SASL mech
   db_get nslcd/ldap-sasl-mech
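Review bot: Each new guard of the form `if [ -z "$RET" ] || [ -n "$dbover" ] && [ -n "$uris" ]` (repeated for base, binddn, bindpw, starttls, reqcert and sasl_mech) parses as `( -z RET || -n dbover ) && -n value`, because `||` and `&&` have equal precedence and associate left-to-right in sh; the intended reading `-z RET || ( -n dbover && -n value )` happens to coincide except when both RET and the parsed value are empty, but the guard should be written as it is meant: `if [ -z "$RET" ] || { [ -n "$dbover" ] && [ -n "$uris" ]; }`. The new `# find SASL mech` block ending at `db_set nslcd/ldap-sasl-mech "$sasl_mech"` is immediately followed by the pre-existing `# find SASL mech` / `db_get nslcd/ldap-sasl-mech` block, so the mechanism is now detected twice with two different sed expressions and the old block should be removed. In the new sed expression the bracket `[^//[:space:]]*` contains a doubled `/`, which looks like a typo for `[^[:space:]]*` (or a single `/`) — worth confirming against the intended syntax. parsecfg continues past the end of this hunk.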
@@ -141,32 +150,32 @@
     [ -n "$sasl_mech" ] && db_set nslcd/ldap-sasl-mech "$sasl_mech"
   fi
   # check SASL realm
+  sasl_realm=`sed -n 's/^SASL_REALM[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"`
   db_get nslcd/ldap-sasl-realm
-  if [ -z "$RET" ]
+  if [ -z "$RET" ] || [ -n "$dbover" ] && [ -n "$sasl_realm" ]
   then
-    sasl_realm=`sed -n 's/^SASL_REALM[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"`
-    [ -n "$sasl_realm" ] && db_set nslcd/ldap-sasl-realm "$sasl_realm"
+    db_set nslcd/ldap-sasl-realm "$sasl_realm"
   fi
   # check SASL authentication ID
+  sasl_authcid=`sed -n 's/^SASL_AUTHCID[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"`
   db_get nslcd/ldap-sasl-authcid
-  if [ -z "$RET" ]
+  if [ -z "$RET" ] || [ -n "$dbover" ] && [ -n "$sasl_authcid" ]
   then
-    sasl_authcid=`sed -n 's/^SASL_AUTHCID[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"`
-    [ -n "$sasl_authcid" ] && db_set nslcd/ldap-sasl-authcid "$sasl_authcid"
+    db_set nslcd/ldap-sasl-authcid "$sasl_authcid"
   fi
   # check SASL authorization ID
+  sasl_authzid=`sed -n 's/^SASL_AUTHZID[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"`
   db_get nslcd/ldap-sasl-authzid
-  if [ -z "$RET" ]
+  if [ -z "$RET" ] || [ -n "$dbover" ] && [ -n "$sasl_authzid" ]
   then
-    sasl_authzid=`sed -n 's/^SASL_AUTHZID[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"`
-    [ -n "$sasl_authzid" ] && db_set nslcd/ldap-sasl-authzid "$sasl_authzid"
+    db_set nslcd/ldap-sasl-authzid "$sasl_authzid"
   fi
   # check SASL security properties
+  sasl_secprops=`sed -n 's/^SASL_SECPROPS[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"`
   db_get nslcd/ldap-sasl-secprops
-  if [ -z "$RET" ]
+  if [ -z "$RET" ] || [ -n "$dbover" ] && [ -n "$sasl_secprops" ]
   then
-    sasl_secprops=`sed -n 's/^SASL_SECPROPS[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"`
-    [ -n "$sasl_secprops" ] && db_set nslcd/ldap-sasl-secprops "$sasl_secprops"
+    db_set nslcd/ldap-sasl-secprops "$sasl_secprops"
   fi
   # we're done
   return 0
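Review bot: The moved SASL_REALM, SASL_AUTHCID, SASL_AUTHZID and SASL_SECPROPS extractions run `sed -n ... "$cfgfile"` without the `| tail -n 1` that base, binddn and bindpw use, so a conffile with two `sasl_realm` lines yields a newline-joined value that, under `$dbover`, is now written into debconf whenever it is non-empty; append `| tail -n 1` to each of the four sed pipelines so the last definition wins, matching the other keys. The `[ -n "$sasl_mech" ] && db_set nslcd/ldap-sasl-mech "$sasl_mech"` context line at the top of this hunk is the tail of the old mechanism-detection block that the block added in the previous hunk duplicates, so it should be deleted rather than left to run a second time. The same `||`/`&&` grouping issue applies to the four guards here: `if [ -z "$RET" ] || { [ -n "$dbover" ] && [ -n "$sasl_realm" ]; }`.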
@@ -177,18 +186,18 @@
 if [ -f "$CONFFILE" ]
 then
   # clear settings to pick up valus from configfile
-  db_set nslcd/ldap-uris ""
-  db_set nslcd/ldap-base ""
-  db_set nslcd/ldap-binddn ""
-  db_set nslcd/ldap-bindpw ""
-  db_set nslcd/ldap-starttls ""
-  db_set nslcd/ldap-sasl-mech ""
-  db_set nslcd/ldap-sasl-realm ""
-  db_set nslcd/ldap-sasl-authcid ""
-  db_set nslcd/ldap-sasl-authzid ""
-  db_set nslcd/ldap-sasl-secprops ""
+  # db_set nslcd/ldap-uris ""
+  # db_set nslcd/ldap-base ""
+  # db_set nslcd/ldap-binddn ""
+  # db_set nslcd/ldap-bindpw ""
+  # db_set nslcd/ldap-starttls ""
+  # db_set nslcd/ldap-sasl-mech ""
+  # db_set nslcd/ldap-sasl-realm ""
+  # db_set nslcd/ldap-sasl-authcid ""
+  # db_set nslcd/ldap-sasl-authzid ""
+  # db_set nslcd/ldap-sasl-secprops ""
   # parse current configuration
-  parsecfg "$CONFFILE"
+  parsecfg "$CONFFILE" overloaddebconf
 else
   # first match wins
   parsecfg /etc/libnss-ldap.conf
@@ -216,14 +225,16 @@
 sasl_mech="$RET"
 db_get nslcd/ldap-binddn
 binddn="$RET"
-if [ -n "$sasl_mech" ]
+if [ -n "$sasl_mech" ] && [ -z "$binddn" ]
 then
   db_set nslcd/ldap-auth-type "SASL"
-elif [ -n "$binddn" ]
+elif [ -n "$binddn" ] && [ -z "$sasl_mech" ]
 then
   db_set nslcd/ldap-auth-type "simple"
 else
-  db_set nslcd/ldap-auth-type "none"
+  # none or both defined
+  db_get nslcd/ldap-auth-type
+  [ -z "$RET" ] && db_set nslcd/ldap-auth-type "none"
 fi
 
 #
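Review bot: In the new else branch, a parsed configuration that carries both a `sasl_mech` and a `binddn` ends up with auth-type `none` whenever nslcd/ldap-auth-type is still unset (for instance the first reconfigure on a host with an existing conffile and an empty debconf database), whereas the removed `if [ -n "$sasl_mech" ]` branch made SASL win in that case; presumably the rest of the script then writes the conffile for an anonymous bind, which would be a silent downgrade of an authenticated setup. Keep a deterministic preference instead of the `none` fallback, e.g. `elif [ -n "$sasl_mech" ]` ahead of it, or prompt for the choice rather than defaulting. The ten `db_set nslcd/ldap-... ""` lines are commented out rather than deleted, leaving dead code under a comment that still says `clear settings to pick up valus from configfile`; delete them and reword the comment to say that existing debconf values are kept and overridden by `parsecfg "$CONFFILE" overloaddebconf`.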

=== modified file 'debian/nslcd.postinst'
--- debian/nslcd.postinst	2010-07-14 11:26:03 +0000
+++ debian/nslcd.postinst	2010-07-21 12:43:10 +0000
@@ -220,11 +220,10 @@
         cfg_disable sasl_secprops
       fi
 
-      # Disable krb5_ccname, we don't know what was the mech before
-      grep -qi "^krb5_ccname" $CONFFILE && cfg_disable krb5_ccname
       # mech specific setup
       case "$saslmech" in
       GSSAPI)
+        cfg_disable sasl_authcid
         # TODO handle nslcd/ldap-sasl-krb5-keytab in /etc/default/nslcd
         # Set kerberos credential cache name
         db_get nslcd/ldap-sasl-krb5-ccname
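Review bot: The added `cfg_disable sasl_authcid` in the GSSAPI arm is an unexplained behaviour change; an administrator switching to GSSAPI will not know why the authentication id they configured disappears from the conffile. Add a comment such as `# GSSAPI takes its identity from the Kerberos credential cache, so a configured sasl_authcid is not used here` — assuming that is the rationale, which the hunk does not state. The `case "$saslmech" in` statement this arm belongs to continues past the hunk.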
@@ -235,9 +234,11 @@
           # default value
           cfg_set krb5_ccname "/var/run/nslcd/nslcd.tkt"
         fi
-	;;
-      LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5)
-	# FIXME login/password only for those?
+        ;;
+      *)
+        # Disable krb5_ccname
+        grep -qi "^krb5_ccname" $CONFFILE && cfg_disable krb5_ccname
+        # FIXME login/password only for those?
         # authcid must be set
         db_get nslcd/ldap-sasl-authcid
         saslauthcid="$RET"
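Review bot: The arm is now the catch-all `*)`, so `auto`, NTLM and OTP reach the authcid/password code that was previously limited to LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5, yet the retained `# FIXME login/password only for those?` comment still refers to that old explicit list and now reads as if it had been answered. Either keep an explicit mechanism list with a separate `*)` that only disables krb5_ccname, or reword the comment to state the assumption, e.g. `# every non-GSSAPI mechanism, including auto, is assumed to need an authcid and a password`. The moved grep leaves the path unquoted: `grep -qi "^krb5_ccname" -- "$CONFFILE" && cfg_disable krb5_ccname`. The `case` arm continues past this hunk.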
@@ -251,12 +252,12 @@
             cfg_set sasl_authcid "$saslauthcid"
             cfg_set bindpw "$bindpw"
           else
-            cfg_disable sasl_authcid "$saslauthcid"
+            cfg_disable sasl_authcid
             cfg_set bindpw "*removed*"
             cfg_disable bindpw "$bindpw"
           fi
         fi
-	;;
+        ;;
       esac
     else
       # Password must be hidden
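Review bot: The hunk normalises `cfg_disable sasl_authcid` to a single argument but leaves `cfg_disable bindpw "$bindpw"` two lines below with the bind password still passed as a second argument. `cfg_disable` is defined outside this view; if its second argument is written into the disabled line, the preceding `cfg_set bindpw "*removed*"` is undone and the cleartext password survives as a comment in the conffile — confirm the helper's behaviour and, unless the argument is required, make the call `cfg_disable bindpw` for consistency with the sasl_authcid change.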

=== modified file 'debian/nslcd.templates'
--- debian/nslcd.templates	2010-07-14 11:26:03 +0000
+++ debian/nslcd.templates	2010-07-21 12:40:26 +0000
@@ -77,7 +77,6 @@
 Template: nslcd/ldap-sasl-mech
 Type: select
 __Choices: auto, LOGIN, PLAIN, NTLM, CRAM-MD5, DIGEST-MD5, GSSAPI, OTP
-Default: auto
 _Description: SASL mechanism to use:
  Simple Authentication and Security Layer is a challange based
  protocol.
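Review bot: Dropping `Default: auto` is what lets nslcd.config treat an empty nslcd/ldap-sasl-mech as "SASL not configured" in its auth-type detection, but nothing records that an empty value now carries meaning, and `auto` remains the first entry in `__Choices`, so interactive frontends may still present it as the preselected choice. Record the dependency next to the auth-type detection in nslcd.config, e.g. `# nslcd/ldap-sasl-mech has no Default on purpose: empty means SASL is not configured`, or in debian/changelog. Unrelated to the change, `challange` in the description is a typo for `challenge`.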
