Package: nslcd
Version: 0.8.0
Severity: wishlist

Here are some changes to the nslcd debconf scripts to avoid losing the previous
configuration on dpkg-reconfigure.

Any change to the configuration file takes precedence over debconf, which makes
it possible to avoid "clearing settings to pick up valus from configfile".

Here is my changelog:

* debian/nslcd.config: Do not reset all debconf values when the
  configuration file exists.
  Deduce authentication type only if not defined.
  Keep all authentication values in debconf, postinst handle them.
  (read_config): Overwrite debconf value whent it differs from
  configuration file.
  (parsesys): Remove useless statements.

* debian/nslcd.postinst: Handle all the authentication scenarios.
  (cfg_disable): Can take more than one paremeter.

Tested on my system:
- install with priority high
- reconfigure with priority low -> SASL -> DIGEST-MD5
- reconfigure with priority low -> no authentication -> disable all SASL options
- reconfigure with priority low -> SASL -> all SASL options are predefined
  as in first reconfigure
- edit /etc/nslcd.conf -> sasl_mech GSSAPI
- reconfigure with priority low -> SASL is preselected -> GSSAPI is preselected

Regards.
-- System Information:
Debian Release: 6.0
  APT prefers sid
  APT policy: (500, 'sid'), (500, 'unstable'), (90, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37+hati.1 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- 
Daniel Dehennin
Récupérer ma clef GPG:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1

diff --git a/debian/nslcd.config b/debian/nslcd.config
index 933c5e3..9ef3240 100644
--- a/debian/nslcd.config
+++ b/debian/nslcd.config
@@ -26,13 +26,11 @@ read_config()
 {
   debconf_param="$1"
   cfg_param="$2"
-  # get debconf value to ensure we don't overwrite an already set value
+  # overwrite debconf value if different from config file
   db_get "$debconf_param"
-  if [ -z "$RET" ]
-  then
-    value=`sed -n 's/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`
-    [ -n "$value" ] && db_set "$debconf_param" "$value"
-  fi
+  debconf_value="$RET"
+  cfgfile_value=`sed -n 's/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`
+  [ -n "$cfgfile_value" ] && [ "$debconf_value" != "$cfgfile_value" ] && db_set "$debconf_param" "$cfgfile_value"
   # we're done
   return 0
 }
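Review bot: An option that has been deleted or commented out in the config file yields an empty `cfgfile_value`, and the `[ -n "$cfgfile_value" ]` guard then keeps the old debconf answer, so the file only takes precedence for options that are still present in it. Because the patch also stops clearing the debconf values before parsing (the commented-out `db_set` lines in the parsecfg hunk), a `binddn` or `sasl_mech` removed from the file would be carried over from debconf, and presumably written back by postinst. If keeping those answers is deliberate, so that previously disabled SASL options can be preselected, state it in the comment, e.g. `# a value present in the config file overrides debconf; options absent from the file keep their debconf answer`.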
@@ -49,8 +47,6 @@ parsesys()
     [ -z "$domain" ] && domain=`hostname --nis | grep '\.'` || true
     [ -z "$domain" ] && domain=`hostname --fqdn | sed -n 's/^[^.]*\.//p'` || true
     [ -z "$domain" ] && domain=`sed -n 's/^ *\(domain\|search\) *\([^ ]*\) *$/\2/p' /etc/resolv.conf | head -n 1` || true
-    db_get nslcd/ldap-base
-    searchbase="$RET"
     # if the ldap-base value doesn't seem to be preseeded, try to use the
     # domain name to build the default base
     if [ -n "$domain" ]
@@ -148,17 +144,17 @@ parsecfg()
 if [ -f "$CONFFILE" ]
 then
   # clear settings to pick up valus from configfile
-  db_set nslcd/ldap-uris ""
-  db_set nslcd/ldap-base ""
-  db_set nslcd/ldap-binddn ""
-  db_set nslcd/ldap-bindpw ""
-  db_set nslcd/ldap-sasl-mech ""
-  db_set nslcd/ldap-sasl-realm ""
-  db_set nslcd/ldap-sasl-authcid ""
-  db_set nslcd/ldap-sasl-authzid ""
-  db_set nslcd/ldap-sasl-secprops ""
-  db_set nslcd/ldap-starttls ""
-  db_set nslcd/ldap-reqcert ""
+  # db_set nslcd/ldap-uris ""
+  # db_set nslcd/ldap-base ""
+  # db_set nslcd/ldap-binddn ""
+  # db_set nslcd/ldap-bindpw ""
+  # db_set nslcd/ldap-sasl-mech ""
+  # db_set nslcd/ldap-sasl-realm ""
+  # db_set nslcd/ldap-sasl-authcid ""
+  # db_set nslcd/ldap-sasl-authzid ""
+  # db_set nslcd/ldap-sasl-secprops ""
+  # db_set nslcd/ldap-starttls ""
+  # db_set nslcd/ldap-reqcert ""
   # parse current configuration
   parsecfg "$CONFFILE"
 else
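Review bot: The eleven `db_set` calls are left behind as commented-out code under a comment that still reads `# clear settings to pick up valus from configfile`, which no longer describes what this branch does. Delete the commented lines rather than keeping them, since version control already holds the old behaviour. Reword the comment to match, e.g. `# keep existing debconf answers; parsecfg overrides them with values found in the config file`.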
@@ -180,18 +176,22 @@ db_get nslcd/ldap-starttls
 [ -z "$RET" ] && db_set nslcd/ldap-starttls "false"
 
 # deduce auth-type from available information
-db_get nslcd/ldap-sasl-mech
-sasl_mech="$RET"
-db_get nslcd/ldap-binddn
-binddn="$RET"
-if [ -n "$sasl_mech" ]
+db_get nslcd/ldap-auth-type
+if [ -z "$RET" ]
 then
-  db_set nslcd/ldap-auth-type "SASL"
-elif [ -n "$binddn" ]
-then
-  db_set nslcd/ldap-auth-type "simple"
-else
-  db_set nslcd/ldap-auth-type "none"
+  db_get nslcd/ldap-sasl-mech
+  sasl_mech="$RET"
+  db_get nslcd/ldap-binddn
+  binddn="$RET"
+  if [ -n "$sasl_mech" ]
+  then
+    db_set nslcd/ldap-auth-type "SASL"
+  elif [ -n "$binddn" ]
+  then
+    db_set nslcd/ldap-auth-type "simple"
+  else
+    db_set nslcd/ldap-auth-type "none"
+  fi
 fi
 
 #
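Review bot: Once `nslcd/ldap-auth-type` holds any value it is never re-derived, so an authentication change made by editing the config file (for example adding `sasl_mech` while debconf still says `simple`) does not change the stored type. With the postinst hunk in this patch, that stored type decides which options are commented out through `cfg_disable`, so a stale `simple` would appear to disable the `sasl_mech` the administrator just added. This is inferred from the two hunks together, as the question loop is only partly visible here. Either re-deduce the type when the file-derived `sasl_mech`/`binddn` contradict it, or document the precedence, e.g. `# auth-type is only deduced on first configuration; afterwards the stored debconf answer wins`.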
@@ -225,24 +225,19 @@ do
     db_get nslcd/ldap-auth-type
     case "$RET" in
     none)
-      # anonymous bind, nothing to ask (clear options)
-      db_set nslcd/ldap-binddn ""
+      # anonymous bind, nothing to ask (clear password)
       db_set nslcd/ldap-bindpw ""
-      db_set nslcd/ldap-sasl-mech ""
       state="starttls"
       ;;
     simple)
       # ask for binddn and bindpw
       db_input medium nslcd/ldap-binddn || true
       db_input medium nslcd/ldap-bindpw || true
-      db_set nslcd/ldap-sasl-mech ""
       state="starttls"
       ;;
     SASL)
       # ask about SASL mechanism (other SASL questions depend on this)
       db_input medium nslcd/ldap-sasl-mech || true
-      # RFC4313 if SASL, binddn should be disabled
-      db_set nslcd/ldap-binddn ""
       state="sasloptions"
       ;;
     *)
@@ -261,9 +256,6 @@ do
     then
       db_input medium nslcd/ldap-sasl-authcid || true
       db_input medium nslcd/ldap-bindpw || true
-    else
-      db_set nslcd/ldap-sasl-authcid ""
-      db_set nslcd/ldap-bindpw ""
     fi
     db_input medium nslcd/ldap-sasl-authzid || true
     db_input medium nslcd/ldap-sasl-secprops || true
@@ -273,8 +265,6 @@ do
       db_get nslcd/ldap-sasl-krb5-ccname
       [ -z "$RET" ] && db_set nslcd/ldap-sasl-krb5-ccname "/var/run/nslcd/nslcd.tkt"
       db_input low nslcd/ldap-sasl-krb5-ccname || true
-    else
-      db_set nslcd/ldap-sasl-krb5-ccname ""
     fi
     # ask the question, go to the next question or back
     state="starttls"
diff --git a/debian/nslcd.postinst b/debian/nslcd.postinst
index 53f54fc..7e2a551 100644
--- a/debian/nslcd.postinst
+++ b/debian/nslcd.postinst
@@ -41,22 +41,24 @@ cfg_set()
   return 0
 }
 
-# disable an option in the configuration file by commenting it out
+# disable options in the configuration file by commenting them out
 cfg_disable()
 {
-  parameter="$1"
-  # handle bindpw option specially by removing value from config first
-  if [ "$parameter" = "bindpw" ] && grep -i -q "^bindpw " $CONFFILE
-  then
-    cfg_set bindpw "*removed*"
-  fi
-  # make matching of spaces better in parameter
-  param_re=`echo "$parameter" | sed 's#^#[[:space:]]*#;s#[[:space:]][[:space:]]*#[[:space:]][[:space:]]*#g'`
-  # lines to not match
-  nomatch_re="^$param_re[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)"
-  # comment out the option
-  sed -i '/'"$nomatch_re"'/n;s/^'"$param_re"'[[:space:]].*$/#&/i' "$CONFFILE"
-  # we're done
+  for parameter in $@
+  do
+    # handle bindpw option specially by removing value from config first
+    if [ "$parameter" = "bindpw" ] && grep -i -q "^bindpw " $CONFFILE
+    then
+      cfg_set bindpw "*removed*"
+    fi
+    # make matching of spaces better in parameter
+    param_re=`echo "$parameter" | sed 's#^#[[:space:]]*#;s#[[:space:]][[:space:]]*#[[:space:]][[:space:]]*#g'`
+    # lines to not match
+    nomatch_re="^$param_re[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)"
+    # comment out the option
+    sed -i '/'"$nomatch_re"'/n;s/^'"$param_re"'[[:space:]].*$/#&/i' "$CONFFILE"
+    # we're done
+  done
   return 0
 }
 
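Review bot: `for parameter in $@` is unquoted, so every argument is word-split and glob-expanded before the loop sees it. The `param_re` substitution in the loop body rewrites whitespace inside a parameter, which suggests multi-word parameters were meant to work, and they would no longer arrive as one word. Use `for parameter in "$@"`, and quote the file in the `grep -i -q "^bindpw " "$CONFFILE"` test as the `sed -i` line already does. The `# we're done` comment now sits inside the loop and belongs directly before `return 0`.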
@@ -199,14 +201,39 @@ then
   cfg_uris "$RET"
   # update some options
   update_config nslcd/ldap-base base
-  update_config nslcd/ldap-binddn binddn
-  update_config nslcd/ldap-bindpw bindpw
-  update_config nslcd/ldap-sasl-mech sasl_mech
-  update_config nslcd/ldap-sasl-realm sasl_realm
-  update_config nslcd/ldap-sasl-authcid sasl_authcid
-  update_config nslcd/ldap-sasl-authzid sasl_authzid
-  update_config nslcd/ldap-sasl-secprops sasl_secprops
-  update_config nslcd/ldap-sasl-krb5-ccname krb5_ccname
+  db_get nslcd/ldap-auth-type
+  authtype="$RET"
+  case "$authtype" in
+  simple)
+    update_config nslcd/ldap-binddn binddn
+    update_config nslcd/ldap-bindpw bindpw
+    cfg_disable sasl_mech sasl_realm sasl_authcid sasl_authzid sasl_secprops krb5_ccname
+    ;;
+  SASL)
+    update_config nslcd/ldap-sasl-mech sasl_mech
+    update_config nslcd/ldap-sasl-realm sasl_realm
+    # RFC4313 if SASL, binddn should be disabled
+    cfg_disable binddn
+    db_get nslcd/ldap-sasl-mech
+    saslmech="$RET"
+    case "$saslmech" in
+    GSSAPI)
+      update_config nslcd/ldap-sasl-krb5-ccname krb5_ccname
+      cfg_disable sasl_authcid
+      ;;
+    *)
+      update_config nslcd/ldap-sasl-authcid sasl_authcid
+      update_config nslcd/ldap-bindpw bindpw
+      cfg_disable krb5_ccname
+      ;;
+    esac
+    update_config nslcd/ldap-sasl-authzid sasl_authzid
+    update_config nslcd/ldap-sasl-secprops sasl_secprops
+    ;;
+  none)
+    cfg_disable binddn bindpw
+    cfg_disable sasl_mech sasl_realm sasl_authcid sasl_authzid sasl_secprops krb5_ccname
+  esac
   update_config nslcd/ldap-reqcert tls_reqcert
   # remove password from database
   db_set nslcd/ldap-bindpw ""
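Review bot: In the `GSSAPI)` arm only `sasl_authcid` is disabled, so a `bindpw` line already present in the config file stays there when switching from simple or password-based SASL to GSSAPI, whereas the `none)` arm does disable it. Extending the call to `cfg_disable sasl_authcid bindpw` lets `cfg_disable` overwrite the value with its `*removed*` handling, so an unused cleartext password does not linger in the file. The outer `case` also has no `*)` arm and the `none)` arm lacks its `;;`, so an empty or unexpected `nslcd/ldap-auth-type` silently leaves every authentication option as it was. A `*)` arm that reports the value on stderr would make that case visible. The enclosing `then` block begins outside this hunk.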

Attachment: pgp0pVAnF67Wg.pgp
Description: PGP signature
