[PC-BSD Commits] r18360 - in pcbsd/current/src-sh/pc-adctl: conf scripts

svn at pcbsd.org svn at pcbsd.org
Wed Aug 8 23:55:11 PDT 2012


Author: johnh
Date: 2012-08-09 06:55:10 +0000 (Thu, 09 Aug 2012)
New Revision: 18360

Modified:
   pcbsd/current/src-sh/pc-adctl/conf/pc-ldap.conf
   pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap
Log:
Committing current LDAP work.



Modified: pcbsd/current/src-sh/pc-adctl/conf/pc-ldap.conf
===================================================================
--- pcbsd/current/src-sh/pc-adctl/conf/pc-ldap.conf	2012-08-08 21:17:31 UTC (rev 18359)
+++ pcbsd/current/src-sh/pc-adctl/conf/pc-ldap.conf	2012-08-09 06:55:10 UTC (rev 18360)
@@ -69,4 +69,4 @@
 opt_timelimit = 30
 opt_bind_policy = soft
 opt_pam_ldap_attribute = uid
-opt_nss_override_attribute_value = "loginShell /bin/sh"
+opt_nss_override_attribute_value = loginShell /bin/sh

Modified: pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap	2012-08-08 21:17:31 UTC (rev 18359)
+++ pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap	2012-08-09 06:55:10 UTC (rev 18360)
@@ -18,62 +18,131 @@
 : ${LDAPCONF:="/usr/local/bin/ldapconf"}
 : ${NSSLDAPCONF:="/usr/local/bin/nssldapconf"}
 
-save_certificate()
+
+backup_openldap_conf()
 {
-	local ldap_id="${1}"
+	local conf="${OPENLDAP_CONF}"
+	local backup="${conf}.bak"
 
-	mkdir -p "$(dirname ${CERT_FILE})"
+	if [ -f "${conf}" ]
+	then
+		cp "${conf}" "${backup}"
+		return $?
+	fi
 
-	${FREENAS_SQLITE_CMD} ${FREENAS_CONFIG} "
-	SELECT
-		ldap_tls_cacertfile
+	return 0
+}
 
-	FROM
-		services_ldap
 
-	WHERE
-		id = ${ldap_id}
+restore_openldap_conf()
+{
+	local conf="${OPENLDAP_CONF}"
+	local backup="${conf}.bak"
 
-	" > "${CERT_FILE}"
+	if [ -f "${backup}" ]
+	then
+		cp "${backup}" "${conf}"
+		return $?
+	fi
+
+	return 0
 }
 
+
+backup_nss_ldap_conf()
+{
+	local conf="${NSS_LDAP_CONF}"
+	local backup="${conf}.bak"
+
+	if [ -f "${conf}" ]
+	then
+		cp "${conf}" "${backup}"
+		return $?
+	fi
+
+	return 0
+}
+
+
+restore_nss_ldap_conf()
+{
+	local conf="${NSS_LDAP_CONF}"
+	local backup="${conf}.bak"
+
+	if [ -f "${backup}" ]
+	then
+		cp "${backup}" "${conf}"
+		return $?
+	fi
+
+	return 0
+}
+
+
+safe_save()
+{
+	local src="${1}"
+	local dst="${2}"
+
+	if [ ! -s "${src}" ]
+	then
+		return 1
+	fi
+
+	cp "${dst}" "${dst}.orig" >/dev/null 2>&1
+	mv "${src}" "${dst}"
+	if [ "$?" != "0" ]
+	then
+		cp "${dst}.orig" "${dst}" >/dev/null 2>&1
+		return 1
+	fi
+
+	return 0
+}
+
+
 generate_openldap_conf()
 {
 	local conf="${OPENLDAP_CONF}"
 	local tmp=$(mktemp /tmp/tmp.XXXXXX)
 
-	${LDAPCONF} \
-		-f "${OPENLDAP_CONF}" \
+	local cmd="${LDAPCONF}"
+	if [ -f "${OPENLDAP_CONF}" ]
+	then
+		cmd="${cmd} -f ${OPENLDAP_CONF}"
+	fi
+
+	${cmd} \
 		-c -m "^HOST=$(ldap_get hostname)" \
 		-c -m "^BASE=$(ldap_get basedn)" \
 		-o "${tmp}"
-	if ! [ "$?" = "0" -a -s "${tmp}" ]
+	if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ] 
 	then
 		return 1
 	fi
 
-	mv "${tmp}" "${conf}"
 	local em=$(ldap_get encryption_mode)
-
 	case "${em}" in 
 		start_tls)
-			${LDAPCONF} \
-				-f "${OPENLDAP_CONF}" \
+			tmp=$(mktemp /tmp/tmp.XXXXXX)
+			${cmd} \
 				-c -m "^TLS_CACERT=$(ldap_get tls_cacertfile)" \
-				-c -m "^TLS_REQCERT=allow"
-				if ! [ "$?" = "0" -a -s "${tmp}" ]
+				-c -m "^TLS_REQCERT=allow" \
+				-o "${tmp}"
+				if ! [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
 				then
 					return 1
 				fi
 			;;
 
 		on)
-			${LDAPCONF} \
-				-f "${OPENLDAP_CONF}" \
+			tmp=$(mktemp /tmp/tmp.XXXXXX)
+			${cmd} \
 				-c -m "^URI=ldaps://$(ldap_get hostname)" \
 				-c -m "^TLS_CACERT=$(ldap_get tls_cacertfile)" \
-				-c -m "^TLS_REQCERT=allow"
-				if ! [ "$?" = "0" -a -s "${tmp}" ]
+				-c -m "^TLS_REQCERT=allow" \
+				-o "${tmp}"
+				if ! [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
 				then
 					return 1
 				fi
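Review bot: The condition `if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]` never tests safe_save's exit status: the substitution captures its (empty) stdout, so the test builtin sees a bare `!` operand, which it treats as a non-empty string (true) or rejects outright, never as the helper's status, while the mv inside the subshell still happens; the first call therefore returns 1 right after installing the file, and the two `if ! [ … ]` forms in the start_tls and on arms invert that again. Replace each with `rc=$?` followed by `if [ "${rc}" != "0" ] || ! safe_save "${tmp}" "${conf}"; then return 1; fi`; the same pattern recurs six times in the generate_nss_ldap_conf hunk below. On the failure path the mktemp file is never removed, and on the success path mv keeps mktemp's 0600 mode, so the installed ldap.conf is readable by root only, which is presumably not intended for a client-library config — a `chmod 644 "${dst}"` after the mv in safe_save would fix that. The re-emitted `TLS_REQCERT=allow` still accepts a missing or unverifiable server certificate despite TLS_CACERT, so the configured CA is not enforced; `demand` is the value that enforces it. generate_openldap_conf continues past the end of the hunk.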
@@ -85,13 +154,13 @@
 
 generate_nss_ldap_conf()
 {
-	local conf="${LDAP_NSS_CONF}"
+	local tmp
+	local conf="${NSS_LDAP_CONF}"
 
 	local host=$(ldap_get hostname)
 	local basedn=$(ldap_get basedn)
-	local binddn=$(ldap_get rootbasedn)
-	local binddn=$(ldap_get rootbasedn)
-	local bindpw=$(ldap_get rootbindpw)
+	local rootbasedn=$(ldap_get rootbasedn)
+	local rootbindpw=$(ldap_get rootbindpw)
 	local anonbind=$(ldap_get anonbind)
 	local pwencryption=$(ldap_get pwencryption)
 	local usersuffix=$(ldap_get usersuffix)
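Review bot: The hostname is stored in `local host=$(ldap_get hostname)` but the conf lines this function emits read `${hostname}` (`^host=${hostname}` here and `^uri=ldaps://${hostname}` in the next hunk), which is never assigned in the function, so the generated host and uri entries are empty; rename the local to `hostname` or use `${host}` at both sites. `rootbinddn` is populated from the rootbasedn setting (`-c -m "^rootbinddn=${rootbasedn}"`), which reads like a leftover from the removed binddn variables — a comment is warranted if rootbasedn really is the bind DN. generate_nss_ldap_conf continues in the next hunk.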
@@ -99,97 +168,126 @@
 	local passwordsuffix=$(ldap_get passwordsuffix)
 	local machinesuffix=$(ldap_get machinesuffix)
 	local encryption_mode=$(ldap_get encryption_mode)
+	local certfile=$(ldap_get tls_cacertfile)
 	local options="$(ldap_get_options)"
 
 	local cmd="${NSSLDAPCONF}"
-	if [ -f "${NSS_LDAP_CONF}" ]
+	if [ -f "${conf}" ]
 	then
-		cmd="${cmd} -f ${NSS_LDAP_CONF}"
+		cmd="${cmd} -f ${conf}"
 	fi
 
+	tmp=$(mktemp /tmp/tmp.XXXXXX)
 	${cmd} \
 		-c -m "^host=${hostname}" \
 		-c -m "^base=${basedn}" \
-		-c -m "^rootbinddn=${rootbinddn}" \
+		-c -m "^rootbinddn=${rootbasedn}" \
 		-c -m "^pam_password=${pwencryption}" \
-		-c -t "^nss_override_attribute_value=loginShell=/bin/sh"
+		-c -t "^nss_override_attribute_value=loginShell=/bin/sh" \
+		-o "${tmp}"
+	if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
+	then
+		return 1
+	fi
 
-		if [ -z "${usersuffix}" ]
+	tmp=$(mktemp /tmp/tmp.XXXXXX)
+	if [ -z "${usersuffix}" ]
+	then
+		${cmd} -c -m "^nss_base_passwd=${basedn}" -o "${tmp}"
+	else
+		${cmd} -c -m "^nss_base_passwd=${usersuffix},${basedn}" -o "${tmp}"
+	fi
+	if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
+	then
+		return 1
+	fi
+
+	tmp=$(mktemp /tmp/tmp.XXXXXX)
+	if [ -z "${groupsuffix}" ]
+	then
+		${cmd} -c -m "^nss_base_group=${basedn}" -o "${tmp}"
+	else
+		${cmd} -c -m "^nss_base_group=${groupsuffix},${basedn}" -o "${tmp}"
+	fi
+	if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
+	then
+		return 1
+	fi
+
+	if [ "${encryption_mode}" = "start_tls" ]
+	then
+		tmp=$(mktemp /tmp/tmp.XXXXXX)
+		${cmd} \
+			-c -m "^ssl=${encryption_mode}" \
+			-c -m "^tls_cacertfile=${certfile}" \
+			-o "${tmp}"
+		if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
 		then
-			${cmd} -c -m "^nss_base_passwd=${basedn}"
-		else
-			${cmd} -c -m "^nss_base_passwd=${usersuffix},${basedn}"
+			return 1
 		fi
 
-		if [ -z "${groupsuffix}" ]
+	elif [ "${encryption_mode}" = "on" ]
+	then
+		tmp=$(mktemp /tmp/tmp.XXXXXX)
+		${cmd} \
+			-c -m "^uri=ldaps://${hostname}" \
+			-c -m "^ssl=${encryption_mode}" \
+			-c -m "^tls_cacertfile=${certfile}" \
+			-o "${tmp}"
+		if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
 		then
-			${cmd} -c -m "^nss_base_group=${basedn}"
-		else
-			${cmd} -c -m "^nss_base_group=${groupsuffix},${basedn}"
+			return 1
 		fi
+	fi
+		
+	for opt in ${options}
+	do
+		local var val tv n=0
 
-		if [ "${encryption_mode}" = "start_tls" ]
-		then
-			#save_certificate "${cert}"
+		var=$(echo "${opt}" | sed -E 's|^opt_||')
+		val=$(ldap_get ${opt})
 
-			${cmd} \
-				-c -m "^ssl=${encryption_mode}" \
-				-c -m "^tls_cacertfile=${certfile}"
+		tv=""
+		for v in ${val}
+		do
+			n=$((n + 1))
+			tmp="${tv}${v}="
+		done
 
-		elif [ "${encryption_mode}" = "on" ]
+		if [ "${n}" = "1" ]
 		then
-			#save_certificate "${cert}"
+			${cmd} -c -m "^${var}=${val}"
 
-			${cmd} \
-				-c -m "^uri=ldaps://${hostname}" \
-				-c -m "^ssl=${encryption_mode}" \
-				-c -m "^tls_cacertfile=${certfile}"
+		elif [ "${n}" -gt "1" ]
+		then
+			tmp=$(mktemp /tmp/tmp.XXXXXX)
 
-		fi
-		
-		for opt in ${options}
-		do
-			local var val tmp n=0
+			tv=$(echo "${tv}"|sed -E 's|=$||')
 
-			var=$(echo "${opt}" | sed -E 's|^opt_||')
-			val=$(ldap_get ${opt})
-
-			tmp=""
-			for v in ${val}
-			do
-				n=$((n + 1))
-				tmp="${tmp}${v}="
-			done
-
-			if [ "${n}" = "1" ]
+			${cmd} -c -t "^${var}=${tv}" -o "${tmp}"
+			if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
 			then
-				${cmd} -c -m "^${var}=${val}"
-
-			elif [ "${n}" -gt "1" ]
-			then
-				tmp=$(echo "${tmp}"|sed -E 's|=$||')
-				${cmd} -c -t "^${var}=${tmp}"
+				return 1
 			fi
+		fi
 
-		done
+	done
 
-		if [ "${anonbind}" != "1" ]
-		then
-			printf "${rootbindpw}" > "${secret}
-			chmod 600 "${secret}"
-		fi
+	if [ "${anonbind}" != "1" ]
+	then
+		printf "${rootbindpw}" > "${secret}"
+		chmod 600 "${secret}"
+	fi
 
-		ln -sf ${conf} "$(dirname ${conf})/ldap.conf"
-		if [ "$ldap_anonbind" != 1 ]
-		then
-			ln -sf ${secret} "$(dirname ${secret})/ldap.secret"
-		fi
+	ln -sf ${conf} "$(dirname ${conf})/ldap.conf"
+	if [ "$ldap_anonbind" != 1 ]
+	then
+		ln -sf ${secret} "$(dirname ${secret})/ldap.secret"
+	fi
 }
 
-
 ldap_status()
 {
-	local IFS=\|
 	local ret=0
 	local res=1
 	local fail="/tmp/.ldap_fail"
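Review bot: The multi-value accumulation `tmp="${tv}${v}="` assigns to `tmp` while the loop's result is read from `tv` (`tv=$(echo "${tv}"|sed -E 's|=$||')` and `-c -t "^${var}=${tv}"`), so `tv` is always empty and every multi-valued option is written as `^${var}=`; the line should read `tv="${tv}${v}="`. The single-value branch `${cmd} -c -m "^${var}=${val}"` is the only ldapconf invocation in this function without `-o "${tmp}"` and a `safe_save`, so under the new write-to-temp-then-install scheme its output presumably never reaches `${conf}`; give it the same `tmp=$(mktemp …)` / `-o "${tmp}"` / `safe_save` sequence as the `-gt 1` branch. `printf "${rootbindpw}" > "${secret}"` passes the bind password as the printf format string — a `%` or backslash in it corrupts the file — and when `${secret}` does not yet exist the redirection creates it under the process umask before the `chmod 600` runs, so write it as `(umask 077; printf '%s' "${rootbindpw}" > "${secret}")` and keep the chmod. `${secret}` and `$ldap_anonbind` (used for the ldap.secret symlink while the write above tests `${anonbind}`) are not set anywhere in the hunk; if `$ldap_anonbind` is unset the symlink is created even for anonymous binds. The `$(safe_save …)` test expressions in this hunk share the defect raised on the first pc-ldap hunk.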
@@ -209,7 +307,7 @@
 	if [ "${anonbind}" = "0" ]
 	then
 		local temp=$(mktemp /tmp/tmp.XXXXXX)
-	
+
 		chmod 400 "${temp}"
 		echo -n "${rootbindpw}" > "${temp}"
 
@@ -253,7 +351,11 @@
 	if checkyesno ldapclient_enable 2>/dev/null
 	then
 		ldap_init
+
+		backup_openldap_conf
 		generate_openldap_conf
+
+		backup_nss_ldap_conf
 		generate_nss_ldap_conf
 	fi
 }
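Review bot: The status of `backup_openldap_conf` and `backup_nss_ldap_conf` is discarded, so if the copy to `.bak` fails the generators still overwrite the live files and the later restore has nothing to fall back to; write them as `backup_openldap_conf || return 1` and `backup_nss_ldap_conf || return 1`. The helpers' plain `cp` also does not preserve ownership or timestamps (`cp -p` would), so a restored file is not an exact copy of what was backed up. The enclosing function begins before this hunk.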
@@ -262,7 +364,8 @@
 {
 	if  checkyesno ldapclient_enable 2>/dev/null
 	then
-		:
+		restore_nss_ldap_conf
+		restore_openldap_conf
 	fi
 }
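Review bot: Restoring the `.bak` copies undoes only the two conf files: the `ldap.conf` and `ldap.secret` symlinks and the `${secret}` file written with the bind password by generate_nss_ldap_conf remain on disk after the client is stopped, so the credential outlives the configuration that needed it — consider removing them here, e.g. `rm -f -- "${secret}" "$(dirname "${NSS_LDAP_CONF}")/ldap.conf" "$(dirname "${secret}")/ldap.secret"`, with `${secret}` taken from wherever the generator defines it. When no `.bak` exists (first run on a host without a prior conf) both `restore_*` helpers return 0 and leave the generated files in place, which is presumably not the intent of stop. The enclosing function begins before this hunk.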
 


