On Thu, Jun 04, 2020 at 03:18:39PM +0200, Landry Breuil wrote:
> On Wed, Jun 03, 2020 at 08:12:48PM -0500, Lucas Raab wrote:
> > On Wed, Jun 03, 2020 at 07:06:28AM -0500, Lucas Raab wrote:
> > > On Wed, Jun 03, 2020 at 12:56:00PM +0100, Stuart Henderson wrote:
> > > > On 2020/06/03 06:02, Lucas Raab wrote:
> > > > > On Wed, Jun 03, 2020 at 08:19:40AM +0200, Landry Breuil wrote:
> > > > > > On Tue, Jun 02, 2020 at 05:01:06PM -0500, Lucas Raab wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > Here are three new ports, two deps, and the one piece de
> > > > > > > resistance,
> > > > > > > web2ldap.
>
> <snip>
>
> > > > Rather than putting files in share/examples/web2ldap/templates and
> > > > @sample'ing them across, another option is to put them in
> > > > share/web2ldap/templates and installing a symlink at pkg_add time,
> > > > something like this should work (untested):
> > > >
> > > > @exec-add [ -e ${SYSCONFDIR}/web2ldap ] || ln -s
> > > > %D/share/web2ldap/templates ${SYSCONFDIR}/web2ldap/
> > > >
> > > > That allows using the templates directory by default, but still
> > > > allows pointing the link elsewhere if you want to customise them.
> > > >
> > > > tls/ca-bundle.pem should just use the system file instead,
> > > > /etc/ssl/cert.pem (_don't_ use ${SYSCONFDIR} for that one).
> > >
> > > Got it, I'll give that a whirl. Thanks!
> > >
> > > >
> > > > > > - instead of using 'nobody', create a new separate user for the
> > > > > > daemon,
> > > > > > look for examples in other ports' PLIST (@newuser/@newgroup, +
> > > > > > db/user.list line)
> > > > >
> > > > > My rationale here was that there aren't any files that an extra user
> > > > > would need to own for web2ldap to run. Using nobody seemed the
> > > > > simplest
> > > > > approach to nulling out any privileges for the service to work.
> > > >
> > > > "nobody" is absolutely not allowed.
> > > >
> > > > $ getent passwd nobody
> > > > nobody:*:32767:32767:Unprivileged user for
> > > > NFS:/nonexistent:/sbin/nologin
> > > >
> > > Aha, that makes sense now. Consider myself chastised :)
> > >
> >
> > Updated ports attached.
> >
> > Changes:
> > * py-ldap0 WANTLIB to use $(MODPY_WANTLIB} instead
> > * use MODPY_EGG_VERSION in place of $V for web2ldap
> > * new user _web2ldap to run the service
> > * I backed off a bit from the two step install. I included a README to
> > instruct the user to copy the template folder over. The templates can
> > be customized, new ones added, etc so it didn't seem right to do a
> > symlink. Thoughts?
> > * Looking in hosts.py, the ca-bundle.pem file isn't specifically
> > referenced. Instead, I added some words to the README mentioning
> > that if a user needs to connect to TLS enabled servers, then he/she
> > should point to /etc/ssl/cert.pem (unless otherwise needed). I forgot
> > that that's what I ended up doing, looking at my own configuration.
>
> after building the ports, tests fail the same for py-ldap0 and web2ldap:
>
> ======================================================================
> ERROR: tests (unittest.loader._FailedTest)
> ----------------------------------------------------------------------
> ImportError: Failed to import test module: tests
> Traceback (most recent call last):
> File "/usr/local/lib/python3.7/unittest/loader.py", line 154, in
> loadTestsFromName
> module = __import__(module_name)
> ModuleNotFoundError: No module named 'tests'
>
> tests fail for py-xlwt:
>
> File "/usr/local/lib/python3.7/unittest/loader.py", line 205, in
> loadTestsFromName
> test = obj()
> TypeError: __init__() missing 2 required positional arguments: 'colx' and
> 'parent_sheet'

* I added NO_TEST to py-ldap0. Looking at the repo, the tests look to
  assume that they're running in the container in .gitlab-ci.yml
* I added MODPY_PYTEST=Yes to py-xlwt, tests fine after that
* I added MODPY_PYTEST=Yes to web2ldap, but for some reason, the tests
  don't seem to be picked up. I'm not sure what to do there. Nothing
  stood out to me as being obviously wrong.

>
> something i spotted - MODPY_BIN should be used in pkg/web2ldap.rc, don't
> hardcode python3.7.

Updated, thanks for catching that.

>
> I'm a bit confused by the README, why not patching the code (or the conf) to
> make etc/ssl/cert.pem the default value ?

web2ldap allows global defaults and per-server TLS configurations. It
could be specified that /etc/ssl/cert.pem is the global default and that
leaves the user free to define other CAs in per server configs (I've
done this at my workplace). The default hosts.py makes no assumptions
about what the user wants (the TLS cert options are all commented out).
I don't think it's unreasonable to assume that a global default could be
set to /etc/ssl/cert.pem and still allow the user to have their
overrides. I've updated the README to make it clearer.

>
> The default should work ootb, now if i try to run it, here's what i get at the
> first hit:
>
> 2020-06-04 15:01:30 WARNING: AppHandler[135494693050] ErrorExit: 'I/O error
> during reading connect form template file.'
> Traceback (most recent call last):
> File "/usr/local/lib/python3.7/site-packages/web2ldap/app/gui.py", line 94,
> in read_template
> with open(tmpl_filename, 'rb') as tmpl_fileobj:
> FileNotFoundError: [Errno 2] No such file or directory:
> '/etc/web2ldap/templates/connect.html'
>
> once i've symlinked the template dir under /etc/web2ldap it works (not saying
> that's what has to be done, but it's a solution):
>
> $doas ln -s /usr/local/share/examples/web2ldap/templates
> /etc/web2ldap/templates

I added back the @exec-add from sthen. Yeah, that was a bad move on my
part by taking it out.

>
> Adding BUILD_DEPENDS to RUN_DEPENDS is to be avoided, for example here it
> installed devel/ccache for example..

Updated to move them to RUN_DEPENDS since none of them were actually
required to build the package.

>
> other than that, managed to run it locally to connect to some servers at work
> ssh forwarding the relevant ports, it seems to 'work' fine in basic testing,
> binding as admin to the directory, etc..

Great! I've been running it at work on a Linux server and found it to be
a great Swiss Army knife over other tools like Apache Directory Studio
and more powerful than ADUC (though that's a pretty low bar).

> Landry
>
web2ldap.tgz
Description: Binary data
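As an added illustration (not code from this thread, the web2ldap port, or the web2ldap project), the following /bin/sh script spells out the "link the packaged templates into the config directory unless the admin already put something there" behaviour that the @exec-add line in the thread is meant to give, so the idempotence and the "local copy wins" property can be exercised outside pkg_add. It assumes the layout discussed above (templates under PREFIX/share/web2ldap/templates, config under SYSCONFDIR/web2ldap); unlike the one-line PLIST directive it also creates SYSCONFDIR/web2ldap when missing, which is an assumption of this example. The demo at the bottom builds a throwaway tree under mktemp so nothing touches /etc or /usr/local.

```shell
# Added example, not code from the thread or from the web2ldap port.
# All paths are parameters; the demo below uses a constructed temp tree.

# link_templates SYSCONFDIR PREFIX
# Makes SYSCONFDIR/web2ldap/templates a symlink to
# PREFIX/share/web2ldap/templates. If anything already exists at the link
# path (an admin's customised copy, or a link from an earlier run) it is
# left alone, so re-running this, e.g. on package upgrade, never clobbers
# local changes. Creating SYSCONFDIR/web2ldap here is this example's
# assumption, not something the @exec-add line in the thread does.
link_templates() {
    _etc="$1/web2ldap"
    _src="$2/share/web2ldap/templates"
    mkdir -p "$_etc"
    if [ -e "$_etc/templates" ]; then
        return 0                 # keep whatever is already there
    fi
    ln -s "$_src" "$_etc/templates"
}

# template_readable SYSCONFDIR NAME
# Succeeds if NAME resolves to a readable file through the link, i.e. the
# path web2ldap's read_template() would try to open actually exists.
template_readable() {
    [ -r "$1/web2ldap/templates/$2" ]
}

# link_target SYSCONFDIR
# Prints where the templates link points, or "none" if it is not a symlink
# (for example when the admin replaced it with a real directory).
link_target() {
    if [ -L "$1/web2ldap/templates" ]; then
        readlink "$1/web2ldap/templates"
    else
        echo none
    fi
}

# Demo in a constructed tree: one packaged template, then the link.
root=$(mktemp -d)
mkdir -p "$root/usr/local/share/web2ldap/templates"
printf '<html>connect form</html>\n' \
    > "$root/usr/local/share/web2ldap/templates/connect.html"
link_templates "$root/etc" "$root/usr/local"
if template_readable "$root/etc" connect.html; then
    echo "connect.html found via $(link_target "$root/etc")"
fi
rm -rf "$root"
```

Run it as `sh link-templates.sh`; the two checks worth keeping in mind are that a second run leaves the existing link untouched, and that a real directory the admin created at SYSCONFDIR/web2ldap/templates is never replaced by the link.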
