[PC-BSD Commits] r18323 - in pcbsd/current/src-sh/pc-adctl: rc scripts

svn at pcbsd.org svn at pcbsd.org
Tue Aug 7 15:48:29 PDT 2012


Author: johnh
Date: 2012-08-07 22:48:29 +0000 (Tue, 07 Aug 2012)
New Revision: 18323

Added:
   pcbsd/current/src-sh/pc-adctl/rc/rc.ldap
Modified:
   pcbsd/current/src-sh/pc-adctl/rc/Makefile
   pcbsd/current/src-sh/pc-adctl/scripts/Makefile
   pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap
Log:
More ldap goodness. pc-ldap and rc.ldap are nearly working.



Modified: pcbsd/current/src-sh/pc-adctl/rc/Makefile
===================================================================
--- pcbsd/current/src-sh/pc-adctl/rc/Makefile	2012-08-07 22:09:34 UTC (rev 18322)
+++ pcbsd/current/src-sh/pc-adctl/rc/Makefile	2012-08-07 22:48:29 UTC (rev 18323)
@@ -1,4 +1,4 @@
-FILES=rc.activedirectory
+FILES=rc.activedirectory rc.ldap
 
 FILESMODE=0444
 FILESDIR=/usr/local/etc/

Modified: pcbsd/current/src-sh/pc-adctl/scripts/Makefile
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/Makefile	2012-08-07 22:09:34 UTC (rev 18322)
+++ pcbsd/current/src-sh/pc-adctl/scripts/Makefile	2012-08-07 22:48:29 UTC (rev 18323)
@@ -1,5 +1,5 @@
 FILES=pc-activedirectory pc-kerberos pc-kinit pc-nsswitch pc-pam \
-	pc-samba pc-adctl
+	pc-samba pc-adctl pc-ldap
 
 FILESMODE=0555
 FILESDIR=/usr/local/etc/rc.d

Modified: pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap	2012-08-07 22:09:34 UTC (rev 18322)
+++ pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap	2012-08-07 22:48:29 UTC (rev 18323)
@@ -7,7 +7,7 @@
 # REQUIRE: root
 # BEFORE: NETWORK
 
-. /etc/rc.freenas
+. /usr/local/etc/rc.ldap
     
 : ${NSS_LDAP_CONF:="/usr/local/etc/nss_ldap.conf"}
 : ${NSS_LDAP_SECRET:="/usr/local/etc/nss_ldap.secret"}
@@ -37,232 +37,208 @@
 	" > "${CERT_FILE}"
 }
 
-generate_ldapconf()
+generate_openldap_conf()
 {
-	local IFS=\|
-	local nssconf="${NSS_LDAP_CONF}"
-	local ldapconf="${LDAP_CONF}"
-	local secret="${NSS_LDAP_SECRET}"
+	local conf="${OPENLDAP_CONF}"
+	local tmp=$(mktemp /tmp/tmp.XXXXXX)
 
-	${FREENAS_SQLITE_CMD} ${FREENAS_CONFIG} "
-	SELECT
-		services_ldap.id as ldap_id,
-		ldap_hostname, 	 
-		ldap_basedn, 	 
-		ldap_anonbind, 	 
-		ldap_rootbasedn, 	 
-		ldap_rootbindpw, 	 
-		ldap_pwencryption, 	 
-		ldap_usersuffix, 	 
-		ldap_groupsuffix, 	 
-		ldap_passwordsuffix, 	 
-		ldap_machinesuffix, 	 
-		ldap_ssl,
-		trim(
-			rtrim(
-				replace(
-					replace(
-						replace(ldap_options, '\n', '|'),
-					x'0A', '|'),
-				x'0D', ''),
-			'|')
-		) as ldap_options
+	${LDAPCONF} \
+		-f "${OPENLDAP_CONF}" \
+		-c -m "^HOST=$(ldap_get hostname)" \
+		-c -m "^BASE=$(ldap_get basedn)" \
+		-o "${tmp}"
+	if ! [ "$?" = "0" -a -s "${tmp}" ]
+	then
+		return 1
+	fi
 
-	FROM
-		services_services,
-		services_ldap
+	mv "${tmp}" "${conf}"
+	local em=$(ldap_get encryption_mode)
 
-	WHERE (
-		srv_service = 'ldap' and
-		srv_enable = 1
-	)
+	case "${em}" in 
+		start_tls)
+			${LDAPCONF} \
+				-f "${OPENLDAP_CONF}" \
+				-c -m "^TLS_CACERT=$(ldap_get tls_cacertfile)" \
+				-c -m "^TLS_REQCERT=allow"
+				if ! [ "$?" = "0" -a -s "${tmp}" ]
+				then
+					return 1
+				fi
+			;;
 
-	ORDER BY
-		-services_ldap.id
+		on)
+			${LDAPCONF} \
+				-f "${OPENLDAP_CONF}" \
+				-c -m "^URI=ldaps://$(ldap_get hostname)" \
+				-c -m "^TLS_CACERT=$(ldap_get tls_cacertfile)" \
+				-c -m "^TLS_REQCERT=allow"
+				if ! [ "$?" = "0" -a -s "${tmp}" ]
+				then
+					return 1
+				fi
+			;;
+	esac
 
-	LIMIT 1
-	" | \
-	while eval read ldap_id ldap_hostname ldap_basedn ldap_anonbind ldap_rootbasedn \
-		ldap_rootbindpw ldap_pwencryption ldap_usersuffix ldap_groupsuffix \
-		ldap_passwordsuffix ldap_machinesuffix ldap_ssl ldap_options;
-	do
-		[ -z "${ldap_hostname}" -o -z "${ldap_basedn}" ] && return 1
+	return 0
+}
 
-		cat >"${nssconf}" <<-EOF
-		host ${ldap_hostname}
-		base ${ldap_basedn}
-		rootbinddn ${ldap_rootbasedn}
-		pam_password ${ldap_pwencryption}
-		nss_override_attribute_value loginShell /bin/sh
-EOF
-		if [ -z "${ldap_usersuffix}" ]; then
-			cat >>"${nssconf}" <<-EOF
-			nss_base_passwd ${ldap_basedn}
-EOF
+generate_nss_ldap_conf()
+{
+	local conf="${LDAP_NSS_CONF}"
+
+	local host=$(ldap_get hostname)
+	local basedn=$(ldap_get basedn)
+	local binddn=$(ldap_get rootbasedn)
+	local binddn=$(ldap_get rootbasedn)
+	local bindpw=$(ldap_get rootbindpw)
+	local anonbind=$(ldap_get anonbind)
+	local pwencryption=$(ldap_get pwencryption)
+	local usersuffix=$(ldap_get usersuffix)
+	local groupsuffix=$(ldap_get groupsuffix)
+	local passwordsuffix=$(ldap_get passwordsuffix)
+	local machinesuffix=$(ldap_get machinesuffix)
+	local encryption_mode=$(ldap_get encryption_mode)
+	local options="$(ldap_get_options)"
+
+	local cmd="${NSSLDAPCONF}"
+	if [ -f "${NSS_LDAP_CONF}" ]
+	then
+		cmd="${cmd} -f ${NSS_LDAP_CONF}"
+	fi
+
+	${cmd} \
+		-c -m "^host=${hostname}" \
+		-c -m "^base=${basedn}" \
+		-c -m "^rootbinddn=${rootbinddn}" \
+		-c -m "^pam_password=${pwencryption}" \
+		-c -t "^nss_override_attribute_value=loginShell=/bin/sh"
+
+		if [ -z "${usersuffix}" ]
+		then
+			${cmd} -c -m "^nss_base_passwd=${basedn}"
 		else
-			cat >>"${nssconf}" <<-EOF
-			nss_base_passwd ${ldap_usersuffix},${ldap_basedn}
-EOF
+			${cmd} -c -m "^nss_base_passwd=${usersuffix},${basedn}"
 		fi
-		if [ -z "${ldap_groupsuffix}" ]; then
-			cat >>"${nssconf}" <<-EOF
-			nss_base_group ${ldap_basedn}
-EOF
+
+		if [ -z "${groupsuffix}" ]
+		then
+			${cmd} -c -m "^nss_base_group=${basedn}"
 		else
-			cat >>"${nssconf}" <<-EOF
-			nss_base_group ${ldap_groupsuffix},${ldap_basedn}
-EOF
+			${cmd} -c -m "^nss_base_group=${groupsuffix},${basedn}"
 		fi
-	
-		if [ "${ldap_ssl}" = "start_tls" ]; then
-			save_certificate "${ldap_id}"
 
-			cat >>"${nssconf}" <<-EOF
-			ssl ${ldap_ssl}
-			tls_cacertfile ${CERT_FILE}
-EOF
-		elif [ "${ldap_ssl}" = "on" ]; then
-			save_certificate "${ldap_id}"
+		if [ "${encryption_mode}" = "start_tls" ]
+		then
+			#save_certificate "${cert}"
 
-			cat >>"${nssconf}" <<-EOF
-			uri ldaps://${ldap_hostname}
-			ssl ${ldap_ssl}
-			tls_cacertfile ${CERT_FILE}
-EOF
-		fi
+			${cmd} \
+				-c -m "^ssl=${encryption_mode}" \
+				-c -m "^tls_cacertfile=${certfile}"
 
-		for opt in ${ldap_options}; do
-			echo ${opt} >> "${nssconf}"
-		done
+		elif [ "${encryption_mode}" = "on" ]
+		then
+			#save_certificate "${cert}"
 
-		if [ "$ldap_anonbind" != 1 ]; then
-			echo "${ldap_rootbindpw}" > "${secret}"
-			chmod 600 "${secret}"
-		fi
+			${cmd} \
+				-c -m "^uri=ldaps://${hostname}" \
+				-c -m "^ssl=${encryption_mode}" \
+				-c -m "^tls_cacertfile=${certfile}"
 
-		ln -sf ${nssconf} "$(dirname ${nssconf})/ldap.conf"
-		if [ "$ldap_anonbind" != 1 ]; then
-			ln -sf ${secret} "$(dirname ${secret})/ldap.secret"
 		fi
+		
+		for opt in ${options}
+		do
+			local var val tmp n=0
 
-		echo "HOST ${ldap_hostname}" > "${ldapconf}"
-		echo "BASE ${ldap_basedn}" >> "${ldapconf}"
-		case "$ldap_ssl" in
-		start_tls)
-			cat >> "${ldapconf}" <<-EOF
-			TLS_CACERT ${CERT_FILE}
-			TLS_REQCERT allow
-EOF
-			;;
-		on)
-			cat >> "${ldapconf}" <<-EOF
-			URI ldaps://${ldap_hostname}
-			TLS_CACERT ${CERT_FILE}
-			TLS_REQCERT allow
-EOF
-			;;
-		esac
-	done
+			var=$(echo "${opt}" | sed -E 's|^opt_||')
+			val=$(ldap_get ${opt})
 
-	return 0
-}
+			tmp=""
+			for v in ${val}
+			do
+				n=$((n + 1))
+				tmp="${tmp}${v}="
+			done
 
+			if [ "${n}" = "1" ]
+			then
+				${cmd} -c -m "^${var}=${val}"
 
-get_cifs_homedir()
-{
-	${FREENAS_SQLITE_CMD} ${FREENAS_CONFIG} "
-	SELECT
-		cifs_srv_homedir
+			elif [ "${n}" -gt "1" ]
+			then
+				tmp=$(echo "${tmp}"|sed -E 's|=$||')
+				${cmd} -c -t "^${var}=${tmp}"
+			fi
 
-	FROM
-		services_cifs
+		done
 
-	ORDER BY
-		-services_cifs.id
+		if [ "${anonbind}" != "1" ]
+		then
+			printf "${rootbindpw}" > "${secret}
+			chmod 600 "${secret}"
+		fi
 
-	LIMIT 1;
-	"
+		ln -sf ${conf} "$(dirname ${conf})/ldap.conf"
+		if [ "$ldap_anonbind" != 1 ]
+		then
+			ln -sf ${secret} "$(dirname ${secret})/ldap.secret"
+		fi
 }
 
-setup_homedirs()
-{
-	local cifs_home="$(get_cifs_homedir)"
 
-	if [ -n "${cifs_home}" ]
-	then
-		ln -sfh "$cifs_home" "/var/home" 2>/dev/null
-
-	elif [ ! -d "/var/home" ]
-	then
-		mkdir /var/home
-	fi
-}
-
 ldap_status()
 {
 	local IFS=\|
 	local ret=0
+	local res=1
 	local fail="/tmp/.ldap_fail"
+	local ldapwhoami=/usr/local/bin/ldapwhoami
+	local options=
 
-	${FREENAS_SQLITE_CMD} ${FREENAS_CONFIG} "
-	SELECT
-		ldap_anonbind, 	 
-		ldap_rootbasedn, 	 
-		ldap_rootbindpw, 	 
-		ldap_ssl
-	FROM
-		services_ldap
+	local anonbind=$(ldap_get anonbind)
+	local rootbasedn=$(ldap_get rootbasedn)
+	local rootbindpw=$(ldap_get rootbindpw)
+	local encryption_mode=$(ldap_get encryption_mode)
 
-	ORDER BY
-		-services_ldap.id
+	if [ "${encryption_mode}" = "start_tls" ]
+	then
+		options="-Z"
+	fi
 
-	LIMIT 1
-	" | \
-	while eval read ldap_anonbind ldap_rootbasedn ldap_rootbindpw ldap_ssl
-	do
-		local res=1
-		local ldapwhoami=/usr/local/bin/ldapwhoami
-		local options=
+	if [ "${anonbind}" = "0" ]
+	then
+		local temp=$(mktemp /tmp/tmp.XXXXXX)
+	
+		chmod 400 "${temp}"
+		echo -n "${rootbindpw}" > "${temp}"
 
-		if [ "${ldap_ssl}" = "start_tls" ]
-		then
-			options="-Z"
-		fi
+		local out=$(${ldapwhoami} ${options} -D "${rootbasedn}" -y "${temp}")
+		res=$?
 
-		if [ "${ldap_anonbind}" = "0" ]
+		rm -f "${temp}"
+		local dn=$(echo "${out}"|cut -f2 -d:)
+
+		if [ "${dn}" != "${rootbasedn}" ]
 		then
-			local temp=$(mktemp /tmp/tmp.XXXXXX)
-		
-			chmod 400 "${temp}"
-			echo -n "${ldap_rootbindpw}" > "${temp}"
-
-			local out=$(${ldapwhoami} ${options} -D "${ldap_rootbasedn}" -y "${temp}")
-			res=$?
-
-			rm -f "${temp}"
-			local dn=$(echo "${out}"|cut -f2 -d:)
-
-			if [ "${dn}" != "${ldap_rootbasedn}" ]
-			then
-				res=1
-			fi
-		else		
-			local out=$(${ldapwhoami} -D '' ${options})
-			res=$?
-
-			local dn=$(echo "${out}"|cut -f2 -d:)
-			if [ "${dn}" != "anonymous" ]
-			then
-				res=1
-			fi
+			res=1
 		fi
+	else		
+		local out=$(${ldapwhoami} -D '' ${options})
+		res=$?
 
-		if [ "${res}" = "1" ]
+		local dn=$(echo "${out}"|cut -f2 -d:)
+		if [ "${dn}" != "anonymous" ]
 		then
-			touch "${fail}"
+			res=1
 		fi
-	done
+	fi
 
+	if [ "${res}" = "1" ]
+	then
+		touch "${fail}"
+	fi
+
 	if [ -f "${fail}" ]
 	then
 		rm -f "${fail}"
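Review bot: `printf "${rootbindpw}" > "${secret}` in generate_nss_ldap_conf is missing its closing quote, which throws off the quoting of everything after it, and it also uses the bind password as the printf format string and writes to `secret`, a name this function never assigns (the removed code took it from NSS_LDAP_SECRET); write `( umask 077; printf '%s' "${rootbindpw}" > "${NSS_LDAP_SECRET}" )` so the file is never created with the default umask before the chmod. The same function expands `${hostname}`, `${rootbinddn}`, `${certfile}` and `$ldap_anonbind`, none of which it assigns (its locals are `host`, `binddn` and `anonbind`, with `binddn` declared twice), so the host, rootbinddn and tls_cacertfile entries are emitted empty and the ldap.secret symlink branch never sees the real anonbind value. In generate_openldap_conf, the start_tls and on branches test `-s "${tmp}"` after `mv "${tmp}" "${conf}"` has already moved that file away, so any TLS-enabled configuration returns 1, and those two ldapconf invocations also lack the `-o "${tmp}"` the first one has. Further down, `local out=$(${ldapwhoami} …)` followed by `res=$?` in ldap_status captures the status of `local`, not of ldapwhoami, so a failed bind is only caught by the DN comparison; split it into `local out` and `out=$(…)`. The definitions of ldap_get, ldap_get_options, LDAPCONF and NSSLDAPCONF are presumably in the added rc.ldap, which this diff does not show.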
@@ -272,19 +248,11 @@
 	return ${ret}
 }
 
-generate_ldap_config()
-{
-	if srv_enabled ldap; then
-		generate_ldapconf &&
-		setup_homedirs &&
-		create_cache_filesystem
-	fi
-}
-
 ldap_start()
 {
 	if checkyesno ldapclient_enable 2>/dev/null
 	then
+		ldap_init
 		generate_openldap_conf
 		generate_nss_ldap_conf
 	fi
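Review bot: ldap_start calls `ldap_init`, `generate_openldap_conf` and `generate_nss_ldap_conf` unconditionally, although generate_openldap_conf returns 1 when ldapconf fails or leaves an empty output file, so the nss_ldap configuration is still generated and the rc script reports success on top of a broken ldap.conf; the removed generate_ldap_config chained its steps with `&&`. Suggest `ldap_init && generate_openldap_conf && generate_nss_ldap_conf`, or an explicit `generate_openldap_conf || return 1` after each step. The closing brace of ldap_start is outside the hunk.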


