nss-pam-ldapd commit: r1312 - nss-pam-ldapd/debian
nss-pam-ldapd commit: r1312 - nss-pam-ldapd/debian
- From: Commits of the nss-pam-ldapd project <nss-pam-ldapd-commits [at] lists.arthurdejong.org>
- To: nss-pam-ldapd-commits [at] lists.arthurdejong.org
- Reply-to: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: nss-pam-ldapd commit: r1312 - nss-pam-ldapd/debian
- Date: Wed, 10 Nov 2010 22:12:06 +0100 (CET)
Author: arthur
Date: Wed Nov 10 22:12:05 2010
New Revision: 1312
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1312
Log:
implement configuring SASL authentication using Debconf, based on a patch by
Daniel Dehennin
Modified:
nss-pam-ldapd/debian/nslcd.config
nss-pam-ldapd/debian/nslcd.postinst
nss-pam-ldapd/debian/nslcd.templates
Modified: nss-pam-ldapd/debian/nslcd.config
==============================================================================
--- nss-pam-ldapd/debian/nslcd.config Wed Nov 10 21:05:46 2010 (r1311)
+++ nss-pam-ldapd/debian/nslcd.config Wed Nov 10 22:12:05 2010 (r1312)
@@ -112,6 +112,12 @@
read_config nslcd/ldap-base base
read_config nslcd/ldap-binddn binddn
read_config nslcd/ldap-bindpw bindpw
+ read_config nslcd/ldap-sasl-mech sasl_mech
+ read_config nslcd/ldap-sasl-realm sasl_realm
+ read_config nslcd/ldap-sasl-authcid sasl_authcid
+ read_config nslcd/ldap-sasl-authzid sasl_authzid
+ read_config nslcd/ldap-sasl-secprops sasl_secprops
+ read_config nslcd/ldap-sasl-krb5-ccname krb5_ccname
# check ssl option
db_get nslcd/ldap-starttls
if [ -z "$RET" ]
@@ -146,6 +152,11 @@
db_set nslcd/ldap-base ""
db_set nslcd/ldap-binddn ""
db_set nslcd/ldap-bindpw ""
+ db_set nslcd/ldap-sasl-mech ""
+ db_set nslcd/ldap-sasl-realm ""
+ db_set nslcd/ldap-sasl-authcid ""
+ db_set nslcd/ldap-sasl-authzid ""
+ db_set nslcd/ldap-sasl-secprops ""
db_set nslcd/ldap-starttls ""
db_set nslcd/ldap-reqcert ""
# parse current configuration
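Review bot: The reset block ending at `db_set nslcd/ldap-sasl-secprops ""` stops short of `nslcd/ldap-sasl-krb5-ccname`, although the first hunk reads that key with the other SASL options and the templates file gives it a Default. If the omission is intentional because the template default should survive a reset, a one-line comment such as `# ldap-sasl-krb5-ccname keeps its template default` saves the next reader from re-deriving that; otherwise adding `db_set nslcd/ldap-sasl-krb5-ccname ""` keeps the reset list aligned with the read_config list. The enclosing block starts and ends outside this hunk.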
@@ -168,6 +179,21 @@
db_get nslcd/ldap-starttls
[ -z "$RET" ] && db_set nslcd/ldap-starttls "false"
+# deduce auth-type from available information
+db_get nslcd/ldap-sasl-mech
+sasl_mech="$RET"
+db_get nslcd/ldap-binddn
+binddn="$RET"
+if [ -n "$sasl_mech" ]
+then
+ db_set nslcd/ldap-auth-type "SASL"
+elif [ -n "$binddn" ]
+then
+ db_set nslcd/ldap-auth-type "simple"
+else
+ db_set nslcd/ldap-auth-type "none"
+fi
+
#
# This is the second part of the script. In this part the configurable
# settings will be presented to the user for approval. The postinst
@@ -183,31 +209,76 @@
db_input high nslcd/ldap-uris || true
db_input high nslcd/ldap-base || true
# ask the questions, go to the next question or exit
- state="binddn"
+ state="authtype"
db_go || exit 1
# TODO: add error checking on options
;;
- binddn)
- # ask for login information
- db_input medium nslcd/ldap-binddn || true
+ authtype)
+ # ask for authentication type
+ db_input medium nslcd/ldap-auth-type || true
# ask the question, go to the next question or back
- state="bindpw"
+ state="authentication"
db_go || state="server"
;;
- bindpw)
- # only ask question if we have a binddn
- db_get nslcd/ldap-binddn
- if [ -n "$RET" ]
+ authentication)
+ # check which questions to ask, depending on the authentication type
+ db_get nslcd/ldap-auth-type
+ case "$RET" in
+ none)
+ # anonymous bind, nothing to ask (clear options)
+ db_set nslcd/ldap-binddn ""
+ db_set nslcd/ldap-bindpw ""
+ db_set nslcd/ldap-sasl-mech ""
+ state="starttls"
+ ;;
+ simple)
+ # ask for binddn and bindpw
+ db_input medium nslcd/ldap-binddn || true
+ db_input medium nslcd/ldap-bindpw || true
+ db_set nslcd/ldap-sasl-mech ""
+ state="starttls"
+ ;;
+ SASL)
+ # ask about SASL mechanism (other SASL questions depend on this)
+ db_input medium nslcd/ldap-sasl-mech || true
+ # RFC4313 if SASL, binddn should be disabled
+ db_set nslcd/ldap-binddn ""
+ state="sasloptions"
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+ db_go || state="authtype"
+ ;;
+ sasloptions)
+ # get SASL mech
+ db_get nslcd/ldap-sasl-mech
+ sasl_mech="$RET"
+ # ask SASL questions
+ db_input medium nslcd/ldap-sasl-realm || true
+ if [ "$sasl_mech" != "GSSAPI" ]
then
- # ask for login information
+ db_input medium nslcd/ldap-sasl-authcid || true
db_input medium nslcd/ldap-bindpw || true
else
- # clear password
+ db_set nslcd/ldap-sasl-authcid ""
db_set nslcd/ldap-bindpw ""
fi
+ db_input medium nslcd/ldap-sasl-authzid || true
+ db_input medium nslcd/ldap-sasl-secprops || true
+ if [ "$sasl_mech" = "GSSAPI" ]
+ then
+ # have a default for ldap-sasl-krb5-ccname
+ db_get nslcd/ldap-sasl-krb5-ccname
+ [ -z "$RET" ] && db_set nslcd/ldap-sasl-krb5-ccname
"/var/run/nslcd/nslcd.tkt"
+ db_input low nslcd/ldap-sasl-krb5-ccname || true
+ else
+ db_set nslcd/ldap-sasl-krb5-ccname ""
+ fi
# ask the question, go to the next question or back
state="starttls"
- db_go || state="binddn"
+ db_go || state="authentication"
;;
starttls)
# check if ldaps:// URL's are used
@@ -222,8 +293,9 @@
db_input medium nslcd/ldap-starttls || true
fi
# ask the question, go to the next question or back
+ # (we go back to authtype because the previous questions were optional)
state="reqcert"
- db_go || state="bindpw"
+ db_go || state="authtype"
;;
reqcert)
# check if ldaps:// URL's are used
@@ -240,8 +312,9 @@
db_set nslcd/ldap-reqcert ""
fi
# ask the question, go to the next question or back
+ # (we go back to authtype because the previous questions were optional)
state="done"
- db_go || state="starttls"
+ db_go || state="authtype"
;;
esac
done
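Review bot: The `none` and `simple` branches of the new `authentication` state clear only `nslcd/ldap-sasl-mech`, so realm, authcid, authzid, secprops and krb5-ccname answers left over from an earlier SASL configuration stay in the debconf database and, given the new `update_config` lines in nslcd.postinst, presumably still get written to nslcd.conf for a non-SASL setup (update_config itself is outside the diff). The auth-type deduction earlier in the script keys on sasl_mech alone, so this does not flip the auth type, but it does carry configuration across modes; a small helper that clears every SASL key, called from both branches, keeps the two in step. The helper would live next to read_config, outside this hunk, and the `while`/`case` state machine itself also starts before the hunk. Separately, the comment `# RFC4313 if SASL, binddn should be disabled` on the SASL branch appears to mean RFC 4513 (LDAP authentication methods), and the `*) exit 1` arm aborts package configuration without any diagnostic; `echo "unknown authentication type: $RET" >&2` before the exit would help whoever hits it.
```shell
# clear every SASL answer so nothing from a previous SASL setup reaches nslcd.conf
clear_sasl_options() {
  db_set nslcd/ldap-sasl-mech ""
  db_set nslcd/ldap-sasl-realm ""
  db_set nslcd/ldap-sasl-authcid ""
  db_set nslcd/ldap-sasl-authzid ""
  db_set nslcd/ldap-sasl-secprops ""
  db_set nslcd/ldap-sasl-krb5-ccname ""
}
# … unchanged: state machine up to the authentication state …
      none)
        # anonymous bind, nothing to ask (clear options)
        db_set nslcd/ldap-binddn ""
        db_set nslcd/ldap-bindpw ""
        clear_sasl_options
        state="starttls"
        ;;
      simple)
        # ask for binddn and bindpw
        db_input medium nslcd/ldap-binddn || true
        db_input medium nslcd/ldap-bindpw || true
        clear_sasl_options
        state="starttls"
        ;;
# … unchanged: SASL branch, sasloptions state, starttls state …
```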
Modified: nss-pam-ldapd/debian/nslcd.postinst
==============================================================================
--- nss-pam-ldapd/debian/nslcd.postinst Wed Nov 10 21:05:46 2010 (r1311)
+++ nss-pam-ldapd/debian/nslcd.postinst Wed Nov 10 22:12:05 2010 (r1312)
@@ -201,6 +201,12 @@
update_config nslcd/ldap-base base
update_config nslcd/ldap-binddn binddn
update_config nslcd/ldap-bindpw bindpw
+ update_config nslcd/ldap-sasl-mech sasl_mech
+ update_config nslcd/ldap-sasl-realm sasl_realm
+ update_config nslcd/ldap-sasl-authcid sasl_authcid
+ update_config nslcd/ldap-sasl-authzid sasl_authzid
+ update_config nslcd/ldap-sasl-secprops sasl_secprops
+ update_config nslcd/ldap-sasl-krb5-ccname krb5_ccname
update_config nslcd/ldap-reqcert tls_reqcert
# remove password from database
db_set nslcd/ldap-bindpw ""
Modified: nss-pam-ldapd/debian/nslcd.templates
==============================================================================
--- nss-pam-ldapd/debian/nslcd.templates Wed Nov 10 21:05:46 2010
(r1311)
+++ nss-pam-ldapd/debian/nslcd.templates Wed Nov 10 22:12:05 2010
(r1312)
@@ -18,19 +18,87 @@
domain "example.net" would use "dc=example,dc=net" as the distinguished name
of the search base.
+Template: nslcd/ldap-auth-type
+Type: select
+__Choices: none, simple, SASL
+Default: none
+_Description: LDAP authentication to use:
+ If your LDAP database requires authentication you can choose which mechanism
+ should be used. Please choose the mechanism by which authentication should
+ be done:
+ * none: no authentication;
+ * simple: simple clear text binddn/password;
+ * SASL: one of the Simple Authentication and Security Layer
+ mechanisms.
+
Template: nslcd/ldap-binddn
Type: string
_Description: LDAP database user:
- If the LDAP database requires a login for normal lookups, enter the name of
- the account that will be used here. Leave it empty otherwise.
- .
- This value should be specified as a DN (distinguished name).
+ Enter the name of the account that will be used to log in to the LDAP
+ database. This value should be specified as a DN (distinguished name).
Template: nslcd/ldap-bindpw
Type: password
_Description: LDAP user password:
Enter the password that will be used to log in to the LDAP database.
+Template: nslcd/ldap-sasl-mech
+Type: select
+__Choices: auto, LOGIN, PLAIN, NTLM, CRAM-MD5, DIGEST-MD5, GSSAPI, OTP
+_Description: SASL mechanism to use:
+ Choose the SASL mechanism that will be used to authenticate to the LDAP
+ database:
+ * auto: autonegociation;
+ * LOGIN: deprecated in flavor of PLAIN;
+ * PLAIN: simple cleartext password mechanism;
+ * NTLM: NT LAN Manager authentication mechanism;
+ * CRAM-MD5: challenge-response scheme based on HMAC-MD5;
+ * DIGEST-MD5: HTTP Digest compatible challenge-response scheme;
+ * GSSAPI: used for Kerberos;
+ * OTP: a One Time Password mechanism.
+
+Template: nslcd/ldap-sasl-realm
+Type: string
+_Description: SASL realm:
+ Enter the SASL realm that will be used to authenticate to the LDAP
+ database.
+ .
+ If empty, the GSSAPI mechanism will use information from the Kerberos
+ credential cache. Others mechanisms may need @<REALM> suffixing sasl_authcid
+ and sasl_authzid.
+ .
+ The realm is appended to authentication and authorisation identities.
+
+Template: nslcd/ldap-sasl-authcid
+Type: string
+_Description: SASL authentication identity:
+ Enter the SASL authentication identity that will be used to authenticate to
+ the LDAP database.
+ .
+ This is the login used in LOGIN, PLAIN, CRAM-MD5 and DIGEST-MD5 mechanisms.
+
+Template: nslcd/ldap-sasl-authzid
+Type: string
+_Description: SASL proxy authorisation identity:
+ Enter the proxy authorisation identity that will be used to authenticate to
+ the LDAP database.
+ .
+ This is the object in the name of witch the LDAP request are done.
+ This value should be specified as a DN (distinguished name).
+
+Template: nslcd/ldap-sasl-secprops
+Type: string
+_Description: Cyrus SASL security properties:
+ Enter the Cyrus SASL security properties.
+ Allowed values are described in the ldap.conf(5) manual page
+ in the SASL OPTIONS section.
+
+Template: nslcd/ldap-sasl-krb5-ccname
+Type: string
+Default: /var/run/nslcd/nslcd.tkt
+_Description: Kerberos credential cache file path:
+ Enter the GSSAPI/Kerberos credential cache file name that will be used.
+
Template: nslcd/ldap-starttls
Type: boolean
_Description: Use StartTLS?
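Review bot: Several of the new user-facing strings carry spelling or grammar slips that will ship into every translation: `autonegociation` → `autonegotiation`, `deprecated in flavor of PLAIN` → `deprecated in favour of PLAIN`, `Others mechanisms` → `Other mechanisms`, and `in the name of witch the LDAP request are done` → `on behalf of which the LDAP requests are made`. The `simple` choice and the PLAIN mechanism are described as clear text but nothing says that this is only safe over ldaps:// or with the StartTLS option asked in the following template; one sentence such as `Clear text mechanisms should only be used over ldaps:// or with StartTLS enabled.` gives the administrator that cue at the moment of choice. The `Default: /var/run/nslcd/nslcd.tkt` here duplicates the literal hard-coded in nslcd.config's sasloptions state, so the two can drift; a comment in either place pointing at the other is cheap.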