Package: nslcd Version: 0.8.0 Severity: wishlist Here are some changes to the nslcd debconf to avoid losing the previous configuration on dpkg-reconfigure.
Any change to the configuration file takes precedence over debconf, which makes it possible to avoid "clearing settings to pick up valus from configfile". Here is my changelog: * debian/nslcd.config: Do not reset all debconf values when the configuration file exists. Deduce authentication type only if not defined. Keep all authentication values in debconf, postinst handles them. (read_config): Overwrite debconf value when it differs from configuration file. (parsesys): Remove useless statements. * debian/nslcd.postinst: Handle all the authentication scenarios. (cfg_disable): Can take more than one parameter. Tested on my system: - install with priority high - reconfigure with priority low -> SASL -> DIGEST-MD5 - reconfigure with priority low -> no authentication -> disable all SASL options - reconfigure with priority low -> SASL -> all SASL options are predefined as in first reconfigure - edit /etc/nslcd.conf -> sasl_mech GSSAPI - reconfigure with priority low -> SASL is preselected -> GSSAPI is preselected Regards. -- System Information: Debian Release: 6.0 APT prefers sid APT policy: (500, 'sid'), (500, 'unstable'), (90, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.37+hati.1 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash -- Daniel Dehennin Récupérer ma clef GPG: gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1
diff --git a/debian/nslcd.config b/debian/nslcd.config
index 933c5e3..9ef3240 100644
--- a/debian/nslcd.config
+++ b/debian/nslcd.config
@@ -26,13 +26,11 @@ read_config()
 {
 debconf_param="$1"
 cfg_param="$2"
- # get debconf value to ensure we don't overwrite an already set value
+ # overwrite debconf value if different from config file
 db_get "$debconf_param"
- if [ -z "$RET" ]
- then
- value=`sed -n 's/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`
- [ -n "$value" ] && db_set "$debconf_param" "$value"
- fi
+ debconf_value="$RET"
+ cfgfile_value=`sed -n 's/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`
+ [ -n "$cfgfile_value" ] && [ "$debconf_value" != "$cfgfile_value" ] && db_set "$debconf_param" "$cfgfile_value"
 # we're done
 return 0
 }
@@ -49,8 +47,6 @@ parsesys()
 [ -z "$domain" ] && domain=`hostname --nis | grep '\.'` || true
 [ -z "$domain" ] && domain=`hostname --fqdn | sed -n 's/^[^.]*\.//p'` || true
 [ -z "$domain" ] && domain=`sed -n 's/^ *\(domain\|search\) *\([^ ]*\) *$/\2/p' /etc/resolv.conf | head -n 1` || true
- db_get nslcd/ldap-base
- searchbase="$RET"
 # if the ldap-base value doesn't seem to be preseeded, try to use the
 # domain name to build the default base
 if [ -n "$domain" ]
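Review bot: In read_config, the `[ -n "$cfgfile_value" ]` test means an option the administrator has deleted from the configuration file keeps its old debconf value, now that the parsecfg hunk no longer blanks the settings first. If postinst writes debconf values back into the file (update_config is not shown here), a removed `tls_reqcert` or `binddn` line could be re-created on the next reconfigure. The new comment should at least state this, for example `# overwrite debconf value if set in config file; options absent from the file keep their debconf value`, and the security-relevant options may deserve an explicit reset when the file exists but no longer contains them.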
@@ -148,17 +144,17 @@ parsecfg()
 if [ -f "$CONFFILE" ]
 then
 # clear settings to pick up valus from configfile
- db_set nslcd/ldap-uris ""
- db_set nslcd/ldap-base ""
- db_set nslcd/ldap-binddn ""
- db_set nslcd/ldap-bindpw ""
- db_set nslcd/ldap-sasl-mech ""
- db_set nslcd/ldap-sasl-realm ""
- db_set nslcd/ldap-sasl-authcid ""
- db_set nslcd/ldap-sasl-authzid ""
- db_set nslcd/ldap-sasl-secprops ""
- db_set nslcd/ldap-starttls ""
- db_set nslcd/ldap-reqcert ""
+ # db_set nslcd/ldap-uris ""
+ # db_set nslcd/ldap-base ""
+ # db_set nslcd/ldap-binddn ""
+ # db_set nslcd/ldap-bindpw ""
+ # db_set nslcd/ldap-sasl-mech ""
+ # db_set nslcd/ldap-sasl-realm ""
+ # db_set nslcd/ldap-sasl-authcid ""
+ # db_set nslcd/ldap-sasl-authzid ""
+ # db_set nslcd/ldap-sasl-secprops ""
+ # db_set nslcd/ldap-starttls ""
+ # db_set nslcd/ldap-reqcert ""
 # parse current configuration
 parsecfg "$CONFFILE"
 else
@@ -180,18 +176,22 @@ db_get nslcd/ldap-starttls
 [ -z "$RET" ] && db_set nslcd/ldap-starttls "false"
 # deduce auth-type from available information
-db_get nslcd/ldap-sasl-mech
-sasl_mech="$RET"
-db_get nslcd/ldap-binddn
-binddn="$RET"
-if [ -n "$sasl_mech" ]
+db_get nslcd/ldap-auth-type
+if [ -z "$RET" ]
 then
- db_set nslcd/ldap-auth-type "SASL"
-elif [ -n "$binddn" ]
-then
- db_set nslcd/ldap-auth-type "simple"
-else
- db_set nslcd/ldap-auth-type "none"
+ db_get nslcd/ldap-sasl-mech
+ sasl_mech="$RET"
+ db_get nslcd/ldap-binddn
+ binddn="$RET"
+ if [ -n "$sasl_mech" ]
+ then
+ db_set nslcd/ldap-auth-type "SASL"
+ elif [ -n "$binddn" ]
+ then
+ db_set nslcd/ldap-auth-type "simple"
+ else
+ db_set nslcd/ldap-auth-type "none"
+ fi
 fi
 #
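Review bot: The eleven `db_set` lines in the first hunk are commented out rather than deleted, and the comment above them, `# clear settings to pick up valus from configfile`, now describes something the code no longer does. Delete the dead lines and replace the comment with something like `# keep existing debconf values; read_config overrides them with values from the config file`. The surrounding `if [ -f "$CONFFILE" ]` block continues past the end of the hunk.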
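Review bot: With `if [ -z "$RET" ]` guarding the deduction in the second hunk, nslcd/ldap-auth-type is never recomputed once it holds a value, so a hand edit of the configuration file that switches the bind method is not reflected in it. That conflicts with the description's statement that the configuration file prevails, and postinst branches on this value and calls cfg_disable for the other methods' options, so a stale `none` could comment out credentials the administrator has just added and leave nslcd binding anonymously. Consider re-deducing the type whenever the config file exists, from which of `sasl_mech` and `binddn` are active in the file rather than from the retained debconf values.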
@@ -225,24 +225,19 @@ do
 db_get nslcd/ldap-auth-type
 case "$RET" in
 none)
- # anonymous bind, nothing to ask (clear options)
- db_set nslcd/ldap-binddn ""
+ # anonymous bind, nothing to ask (clear password)
 db_set nslcd/ldap-bindpw ""
- db_set nslcd/ldap-sasl-mech ""
 state="starttls"
 ;;
 simple)
 # ask for binddn and bindpw
 db_input medium nslcd/ldap-binddn || true
 db_input medium nslcd/ldap-bindpw || true
- db_set nslcd/ldap-sasl-mech ""
 state="starttls"
 ;;
 SASL)
 # ask about SASL mechanism (other SASL questions depend on this)
 db_input medium nslcd/ldap-sasl-mech || true
- # RFC4313 if SASL, binddn should be disabled
- db_set nslcd/ldap-binddn ""
 state="sasloptions"
 ;;
 *)
@@ -261,9 +256,6 @@ do
 then
 db_input medium nslcd/ldap-sasl-authcid || true
 db_input medium nslcd/ldap-bindpw || true
- else
- db_set nslcd/ldap-sasl-authcid ""
- db_set nslcd/ldap-bindpw ""
 fi
 db_input medium nslcd/ldap-sasl-authzid || true
 db_input medium nslcd/ldap-sasl-secprops || true
@@ -273,8 +265,6 @@ do
 db_get nslcd/ldap-sasl-krb5-ccname
 [ -z "$RET" ] && db_set nslcd/ldap-sasl-krb5-ccname "/var/run/nslcd/nslcd.tkt"
 db_input low nslcd/ldap-sasl-krb5-ccname || true
- else
- db_set nslcd/ldap-sasl-krb5-ccname ""
 fi
 # ask the question, go to the next question or back
 state="starttls"
diff --git a/debian/nslcd.postinst b/debian/nslcd.postinst
index 53f54fc..7e2a551 100644
--- a/debian/nslcd.postinst
+++ b/debian/nslcd.postinst
@@ -41,22 +41,24 @@ cfg_set()
 return 0
 }
-# disable an option in the configuration file by commenting it out
+# disable options in the configuration file by commenting them out
 cfg_disable()
 {
- parameter="$1"
- # handle bindpw option specially by removing value from config first
- if [ "$parameter" = "bindpw" ] && grep -i -q "^bindpw " $CONFFILE
- then
- cfg_set bindpw "*removed*"
- fi
- # make matching of spaces better in parameter
- param_re=`echo "$parameter" | sed 's#^#[[:space:]]*#;s#[[:space:]][[:space:]]*#[[:space:]][[:space:]]*#g'`
- # lines to not match
- nomatch_re="^$param_re[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)"
- # comment out the option
- sed -i '/'"$nomatch_re"'/n;s/^'"$param_re"'[[:space:]].*$/#&/i' "$CONFFILE"
- # we're done
+ for parameter in $@
+ do
+ # handle bindpw option specially by removing value from config first
+ if [ "$parameter" = "bindpw" ] && grep -i -q "^bindpw " $CONFFILE
+ then
+ cfg_set bindpw "*removed*"
+ fi
+ # make matching of spaces better in parameter
+ param_re=`echo "$parameter" | sed 's#^#[[:space:]]*#;s#[[:space:]][[:space:]]*#[[:space:]][[:space:]]*#g'`
+ # lines to not match
+ nomatch_re="^$param_re[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)"
+ # comment out the option
+ sed -i '/'"$nomatch_re"'/n;s/^'"$param_re"'[[:space:]].*$/#&/i' "$CONFFILE"
+ # we're done
+ done
 return 0
 }
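Review bot: `for parameter in $@` is unquoted, so an argument containing whitespace is split into separate words before the loop sees it, and each word would then be commented out as if it were its own option; the `param_re` substitution in the body is written to handle parameters with embedded spaces, which can no longer reach it intact. Use `for parameter in "$@"`. The `# we're done` comment has also ended up inside the loop and belongs after `done`, and `$CONFFILE` in the `grep` test should be quoted as it already is in the `sed` call.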
@@ -199,14 +201,39 @@ then
 cfg_uris "$RET"
 # update some options
 update_config nslcd/ldap-base base
- update_config nslcd/ldap-binddn binddn
- update_config nslcd/ldap-bindpw bindpw
- update_config nslcd/ldap-sasl-mech sasl_mech
- update_config nslcd/ldap-sasl-realm sasl_realm
- update_config nslcd/ldap-sasl-authcid sasl_authcid
- update_config nslcd/ldap-sasl-authzid sasl_authzid
- update_config nslcd/ldap-sasl-secprops sasl_secprops
- update_config nslcd/ldap-sasl-krb5-ccname krb5_ccname
+ db_get nslcd/ldap-auth-type
+ authtype="$RET"
+ case "$authtype" in
+ simple)
+ update_config nslcd/ldap-binddn binddn
+ update_config nslcd/ldap-bindpw bindpw
+ cfg_disable sasl_mech sasl_realm sasl_authcid sasl_authzid sasl_secprops krb5_ccname
+ ;;
+ SASL)
+ update_config nslcd/ldap-sasl-mech sasl_mech
+ update_config nslcd/ldap-sasl-realm sasl_realm
+ # RFC4313 if SASL, binddn should be disabled
+ cfg_disable binddn
+ db_get nslcd/ldap-sasl-mech
+ saslmech="$RET"
+ case "$saslmech" in
+ GSSAPI)
+ update_config nslcd/ldap-sasl-krb5-ccname krb5_ccname
+ cfg_disable sasl_authcid
+ ;;
+ *)
+ update_config nslcd/ldap-sasl-authcid sasl_authcid
+ update_config nslcd/ldap-bindpw bindpw
+ cfg_disable krb5_ccname
+ ;;
+ esac
+ update_config nslcd/ldap-sasl-authzid sasl_authzid
+ update_config nslcd/ldap-sasl-secprops sasl_secprops
+ ;;
+ none)
+ cfg_disable binddn bindpw
+ cfg_disable sasl_mech sasl_realm sasl_authcid sasl_authzid sasl_secprops krb5_ccname
+ esac
 update_config nslcd/ldap-reqcert tls_reqcert
 # remove password from database
 db_set nslcd/ldap-bindpw ""
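Review bot: In the `GSSAPI)` arm only `sasl_authcid` is disabled, so a `bindpw` line left over from an earlier simple or password-based SASL setup appears to stay active, in clear text, in the configuration file; before this change the config script blanked nslcd/ldap-bindpw for that case, which presumably let update_config disable it. `cfg_disable sasl_authcid bindpw` would scrub it, since cfg_disable replaces the value with `*removed*` before commenting the line out. The `none)` arm is also missing its closing `;;`, and there is no `*)` arm, so an unexpected auth-type silently leaves every bind option as it was. The enclosing `if` block starts and ends outside the hunk.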