user [email protected]
tags 638007 + patch
usertag 638007 + debian-edu
thanks
Hi Arthur,
On Wed, Aug 17, 2011 at 09:00:28PM +0200, Arthur de Jong wrote:
> On Tue, 2011-08-16 at 15:54 +0200, Andreas B. Mundt wrote:
> > the libnss-ldapd package is a nice way to switch on LDAP as data
> > source for various services. Unfortunately, it is not possible to
> > add automounter (autofs-ldap) and sudoers (sudo-ldap) to the list in
> > /etc/nsswitch.conf, like:
> >
> > [...]
> > automount: files ldap
> > sudoers: files ldap
> > [...]
>
> The problem with those is that these services are not provided by the
> NSS layer in the C library (even though some applications
> abuse /etc/nsswitch.conf for this).
>
> Both autofs-ldap and sudo-ldap are not very generic applications. It
> seems that autofs uses a plugin-like setup so it should be possible to
> either provide an autofs-ldapd or similar mechanism for it. I've had a
> look at sudo-ldap once but it seems to be very hard to make something
> independent (sudo-ldap is more a patched sudo).
>
> Having said that, I don't think it is terribly difficult to implement
> the needed features in nslcd. I would welcome patches for something like
> this.

I prepared a simple patch now, to include automount and sudoers in the
list of services to be configured. I'm not sure if we should make a
note in the template (debian/libnss-ldapd.templates) about the
'specialness' of these two services, something like:

"Note that automount and sudoers are not provided by the NSS layer in
the C library, but the corresponding applications parse
/etc/nsswitch.conf to determine their data source."

But that is probably just confusing to the user. I also don't know if
the 'abuse' may cause problems.

Best regards,
Andi

diff -ur nss-pam-ldapd-0.7.13//debian/libnss-ldapd.postinst
/root/nss-pam-ldapd-0.7.13+nmu1//debian/libnss-ldapd.postinst
--- nss-pam-ldapd-0.7.13//debian/libnss-ldapd.postinst 2010-09-24
09:07:12.000000000 +0200
+++ /root/nss-pam-ldapd-0.7.13+nmu1//debian/libnss-ldapd.postinst
2011-08-23 16:59:41.000000000 +0200
@@ -59,7 +59,7 @@
# modify /etc/nsswitch.conf
db_get libnss-ldapd/nsswitch
enablenss=`echo "$RET" | sed 's/,//g'`
- for n in aliases ethers group hosts netgroup networks passwd protocols rpc
services shadow
+ for n in aliases ethers group hosts netgroup networks passwd protocols rpc
services shadow automount sudoers
do
if echo ' '$enablenss' ' | grep -q ' '$n' '
then
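Review bot: the `for n in ...` list gains `automount` and `sudoers`, but the branch taken when a name is not in `$enablenss` lies outside this hunk. If that branch removes `ldap` from the corresponding line, a system where the admin already hand-wrote `sudoers: files ldap` could lose it on upgrade, unless whatever pre-seeds `libnss-ldapd/nsswitch` from the existing file learns the same two names, and no such script is touched by this patch. For `sudoers` that would silently change where sudo rules are read from, so please confirm both the enable and the disable direction for the new names.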
diff -ur nss-pam-ldapd-0.7.13//debian/libnss-ldapd.templates
/root/nss-pam-ldapd-0.7.13+nmu1//debian/libnss-ldapd.templates
--- nss-pam-ldapd-0.7.13//debian/libnss-ldapd.templates 2010-09-24
09:07:12.000000000 +0200
+++ /root/nss-pam-ldapd-0.7.13+nmu1//debian/libnss-ldapd.templates
2011-08-23 17:00:28.000000000 +0200
@@ -1,6 +1,6 @@
Template: libnss-ldapd/nsswitch
Type: multiselect
-Choices: aliases, ethers, group, hosts, netgroup, networks, passwd, protocols,
rpc, services, shadow
+Choices: aliases, ethers, group, hosts, netgroup, networks, passwd, protocols,
rpc, services, shadow, automount, sudoers
_Description: Name services to configure:
For this package to work, you need to modify your /etc/nsswitch.conf to use
the ldap datasource.
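Review bot: on the `+Choices:` line, the two new entries sit under a description that still reads "For this package to work, you need to modify your /etc/nsswitch.conf", which does not hold for `automount` and `sudoers` since, as noted earlier in the thread, they are not provided by the NSS layer. A short sentence in `_Description` saying that these two lines are parsed by the applications themselves would keep users from assuming libnss-ldapd answers those lookups. The template's default selection is not visible in this hunk; the two new names should not be part of it.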
diff -ur nss-pam-ldapd-0.7.13//debian/nslcd.postinst
/root/nss-pam-ldapd-0.7.13+nmu1//debian/nslcd.postinst
--- nss-pam-ldapd-0.7.13//debian/nslcd.postinst 2010-09-24 09:07:12.000000000
+0200
+++ /root/nss-pam-ldapd-0.7.13+nmu1//debian/nslcd.postinst 2011-08-23
17:08:00.000000000 +0200
@@ -14,14 +14,14 @@
# this is complicated becase of the "base [map] dn" keyword
param_re=`echo "$parameter" | sed
's#^#[[:space:]]*#;s#[[:space:]][[:space:]]*#[[:space:]][[:space:]]*#g'`
# lines to not match
-
nomatch_re="^$param_re[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)"
+
nomatch_re="^$param_re[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\|automount\|sudoers\)"
# check if the parameter is defined
line=`sed -n '/'"$nomatch_re"'/n;/^'"$param_re"'[[:space:]]/p' "$CONFFILE" |
head -n 1`
if [ -z "$line" ]
then
# check if the parameter is commented out
param_re="#$param_re"
-
nomatch_re="^$param_re[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)"
+
nomatch_re="^$param_re[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\|automount\|sudoers\)"
line=`sed -n '/'"$nomatch_re"'/n;/^'"$param_re"'[[:space:]]/p' "$CONFFILE"
| head -n 1`
fi
# decide what to do
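Review bot: both `nomatch_re` assignments in this hunk add `automount\|sudoers` to the map names skipped for the "base [map] dn" form, but the thread indicates nslcd does not implement these services so far, so it is unclear that an nslcd.conf line such as `base sudoers ...` can exist at all. If nslcd does not accept those map names, drop this part and keep the patch to the nsswitch.conf handling; if it does, state that in the changelog entry.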
@@ -48,7 +48,7 @@
# make matching of spaces better in parameter
param_re=`echo "$parameter" | sed
's#^#[[:space:]]*#;s#[[:space:]][[:space:]]*#[[:space:]][[:space:]]*#g'`
# lines to not match
-
nomatch_re="^$param_re[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)"
+
nomatch_re="^$param_re[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\|automount\|sudoers\)"
# comment out the option
sed -i '/'"$nomatch_re"'/n;s/^'"$param_re"'[[:space:]].*$/#&/i' "$CONFFILE"
# we're done
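Review bot: the `nomatch_re` alternation in this hunk is now the third hand-edited copy in nslcd.postinst (the other two are in the hunk at -14,14), next to the service lists in libnss-ldapd.postinst and the template. Put the alternation in one shell variable and build each `nomatch_re` from it, so the next addition cannot update one copy and miss another.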