lists.arthurdejong.org
RSS feed

nss-pam-ldapd commit: r1457 - nss-pam-ldapd/debian

[Date Prev][Date Next] [Thread Prev][Thread Next]

nss-pam-ldapd commit: r1457 - nss-pam-ldapd/debian



Author: arthur
Date: Fri May 13 13:57:54 2011
New Revision: 1457
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1457

Log:
search for LDAP server by looking for SRV _ldap._tcp DNS records and try to 
query LDAP server for base DN during package configuration (based on work by 
Petter Reinholdtsen for the sssd package)

Modified:
   nss-pam-ldapd/debian/control
   nss-pam-ldapd/debian/nslcd.config

Modified: nss-pam-ldapd/debian/control
==============================================================================
--- nss-pam-ldapd/debian/control        Fri May 13 09:48:56 2011        (r1456)
+++ nss-pam-ldapd/debian/control        Fri May 13 13:57:54 2011        (r1457)
@@ -12,7 +12,7 @@
 Package: nslcd
 Architecture: any
 Depends: ${misc:Depends}, ${shlibs:Depends}, adduser
-Recommends: nscd, libnss-ldapd | libnss-ldap, libpam-ldapd | libpam-ldap | 
libpam-krb5 | libpam-heimdal | libpam-sss
+Recommends: nscd, libnss-ldapd | libnss-ldap, libpam-ldapd | libpam-ldap | 
libpam-krb5 | libpam-heimdal | libpam-sss, ldap-utils, bind9-host | host
 Suggests: kstart
 Replaces: libnss-ldapd (<< 0.7.0)
 Breaks: libnss-ldapd (<< 0.7.0)

Modified: nss-pam-ldapd/debian/nslcd.config
==============================================================================
--- nss-pam-ldapd/debian/nslcd.config   Fri May 13 09:48:56 2011        (r1456)
+++ nss-pam-ldapd/debian/nslcd.config   Fri May 13 13:57:54 2011        (r1457)
@@ -35,43 +35,111 @@
   return 0
 }
 
-# check the system (non-LDAP configuration files) for some
-# reasonable defaults
-parsesys()
+# figure out the system's domain name
+get_domain()
 {
-  # guess domain based on system information
-  db_get nslcd/ldap-base
-  if [ -z "$RET" ]
+  domain=`hostname --domain` || true
+  [ -z "$domain" ] && domain=`hostname --nis | grep '\.'` || true
+  [ -z "$domain" ] && domain=`hostname --fqdn | sed -n 's/^[^.]*\.//p'` || true
+  [ -z "$domain" ] && domain=`sed -n 's/^ *\(domain\|search\) *\([^ ]*\) 
*$/\2/p' /etc/resolv.conf | head -n 1` || true
+  echo "$domain"
+}
+
+# find a LDAP server URI by trying DNS and normal hostname lookups
+guess_ldap_uri()
+{
+  # see if ldap server exists on localhost and is listening on ldapi://
+  if [ -e /var/run/slapd/ldapi ]
   then
-    domain=`hostname --domain` || true
-    [ -z "$domain" ] && domain=`hostname --nis | grep '\.'` || true
-    [ -z "$domain" ] && domain=`hostname --fqdn | sed -n 's/^[^.]*\.//p'` || 
true
-    [ -z "$domain" ] && domain=`sed -n 's/^ *\(domain\|search\) *\([^ ]*\) 
*$/\2/p' /etc/resolv.conf | head -n 1` || true
-    # if the ldap-base value doesn't seem to be preseeded, try to use the
-    # domain name to build the default base
-    if [ -n "$domain" ]
+    echo "ldapi:///"
+    return
+  fi
+  # try to lookup _ldap._tcp SRV records
+  if [ -n "$domain" ]
+  then
+    server=`host -N 2 -t SRV _ldap._tcp.$domain 2> /dev/null | grep -v 
NXDOMAIN | awk '{print $NF}' | head -1 | sed 's/\.$//'` || true
+    if [ -n "$server" ]
     then
-      searchbase=`echo "$domain" | sed 's/^/dc=/;s/\./,dc=/g'` || true
-      db_set nslcd/ldap-base "$searchbase"
+      echo "ldap://$server/"
+      return
     fi
   fi
-  # guess ldap server
-  db_get nslcd/ldap-uris
-  if [ -z "$RET" ]
+  # fall back to name lookups
+  if [ -z "$ldap_uri" ]
   then
+    # try unqualified hostname lookup
     server=`getent hosts ldap` || true
     [ -z "$server" ] && server=`getent hosts dirhost` || true
+    # try qualified hostname
     if [ -n "$domain" ] && [ -z "$server" ]
     then
       server=`getent hosts ldap."$domain"` || true
       [ -z "$server" ] && server=`getent hosts dirhost."$domain"` || true
     fi
+    # turn into URI with IP address
     if [ -n "$server" ]
     then
-      # extract ip address from host entry and quote ipv6 address
+      # extract IP address from host entry and quote IPv6 address
       ip=`echo $server | sed 's/[[:space:]].*//;s/^\(.*:.*\)$/[\1]/'`
-      db_set nslcd/ldap-uris "ldap://$ip/"
+      echo "ldap://$ip/"
+    fi
+  fi
+}
+
+# guess the LDAP search base by performing LDAP searches on the
+# found server
+query_search_base()
+{
+  ldap_uri="$1"
+  # first try the default naming context
+  context=`ldapsearch -LLL -H "$ldap_uri" -x -b '' -s base 
defaultNamingContext 2>/dev/null | sed -n 's/^defaultNamingContext: //pi'` || 
true
+  if [ -n "$context" ]
+  then
+    echo "$context"
+    return
+  fi
+  # go over naming contexts, pick the first one with posixAccount or
+  # posixGroup objects in it
+  for context in `ldapsearch -LLL -H "$ldap_uri" -x -b ''  -s base 
namingContexts 2>/dev/null | sed -n 's/^namingContexts: //pi'`
+  do
+    # search the context
+    found=`ldapsearch -LLL -H "$ldap_uri" -x -b "$context" -s sub -z 1 
'(|(objectClass=posixAccount)(objectclass=posixGroup))' dn 2>/dev/null` || true
+    if [ -n "$found" ]
+    then
+      echo $context
+      return
+    fi
+  done
+}
+
+# check the system (non-LDAP configuration files) for some
+# reasonable defaults
+parsesys()
+{
+  # guess domain based on system information
+  domain=`get_domain`
+  # guess ldap server URI
+  db_get nslcd/ldap-uris
+  if [ -z "$RET" ]
+  then
+    ldap_uri=`guess_ldap_uri "$domain"`
+    [ -n "$ldap_uri" ] && db_set nslcd/ldap-uris "$ldap_uri"
+  else
+    # only get first URI from any stored (preseeded) value
+    ldap_uri=`echo "$RET" | sed -n 's/[[:space:]].*//'`
+  fi
+  # guess search base
+  db_get nslcd/ldap-base
+  if [ -z "$RET" ]
+  then
+    # try to find the search base from the found URI
+    [ -n "$ldap_uri" ] && search_base=`query_search_base "$ldap_uri"`
+    # try to use the domain name to build the default base
+    if [ -z "$search_base" ] && [ -n "$domain" ]
+    then
+      search_base=`echo "$domain" | sed 's/^/dc=/;s/\./,dc=/g'`
     fi
+    [ -n "$search_base" ] && db_set nslcd/ldap-base "$search_base"
   fi
   # we're done
   return 0
-- 
To unsubscribe send an email to
nss-pam-ldapd-commits-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-commits