[PC-BSD Commits] r18360 - in pcbsd/current/src-sh/pc-adctl: conf scripts
svn at pcbsd.org
svn at pcbsd.org
Wed Aug 8 23:55:11 PDT 2012
Author: johnh
Date: 2012-08-09 06:55:10 +0000 (Thu, 09 Aug 2012)
New Revision: 18360
Modified:
pcbsd/current/src-sh/pc-adctl/conf/pc-ldap.conf
pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap
Log:
Committing current LDAP work.
Modified: pcbsd/current/src-sh/pc-adctl/conf/pc-ldap.conf
===================================================================
--- pcbsd/current/src-sh/pc-adctl/conf/pc-ldap.conf 2012-08-08 21:17:31 UTC (rev 18359)
+++ pcbsd/current/src-sh/pc-adctl/conf/pc-ldap.conf 2012-08-09 06:55:10 UTC (rev 18360)
@@ -69,4 +69,4 @@
opt_timelimit = 30
opt_bind_policy = soft
opt_pam_ldap_attribute = uid
-opt_nss_override_attribute_value = "loginShell /bin/sh"
+opt_nss_override_attribute_value = loginShell /bin/sh
Modified: pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap 2012-08-08 21:17:31 UTC (rev 18359)
+++ pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap 2012-08-09 06:55:10 UTC (rev 18360)
@@ -18,62 +18,131 @@
: ${LDAPCONF:="/usr/local/bin/ldapconf"}
: ${NSSLDAPCONF:="/usr/local/bin/nssldapconf"}
-save_certificate()
+
+backup_openldap_conf()
{
- local ldap_id="${1}"
+ local conf="${OPENLDAP_CONF}"
+ local backup="${conf}.bak"
- mkdir -p "$(dirname ${CERT_FILE})"
+ if [ -f "${conf}" ]
+ then
+ cp "${conf}" "${backup}"
+ return $?
+ fi
- ${FREENAS_SQLITE_CMD} ${FREENAS_CONFIG} "
- SELECT
- ldap_tls_cacertfile
+ return 0
+}
- FROM
- services_ldap
- WHERE
- id = ${ldap_id}
+restore_openldap_conf()
+{
+ local conf="${OPENLDAP_CONF}"
+ local backup="${conf}.bak"
- " > "${CERT_FILE}"
+ if [ -f "${backup}" ]
+ then
+ cp "${backup}" "${conf}"
+ return $?
+ fi
+
+ return 0
}
+
+backup_nss_ldap_conf()
+{
+ local conf="${NSS_LDAP_CONF}"
+ local backup="${conf}.bak"
+
+ if [ -f "${conf}" ]
+ then
+ cp "${conf}" "${backup}"
+ return $?
+ fi
+
+ return 0
+}
+
+
+restore_nss_ldap_conf()
+{
+ local conf="${NSS_LDAP_CONF}"
+ local backup="${conf}.bak"
+
+ if [ -f "${backup}" ]
+ then
+ cp "${backup}" "${conf}"
+ return $?
+ fi
+
+ return 0
+}
+
+
+safe_save()
+{
+ local src="${1}"
+ local dst="${2}"
+
+ if [ ! -s "${src}" ]
+ then
+ return 1
+ fi
+
+ cp "${dst}" "${dst}.orig" >/dev/null 2>&1
+ mv "${src}" "${dst}"
+ if [ "$?" != "0" ]
+ then
+ cp "${dst}.orig" "${dst}" >/dev/null 2>&1
+ return 1
+ fi
+
+ return 0
+}
+
+
generate_openldap_conf()
{
local conf="${OPENLDAP_CONF}"
local tmp=$(mktemp /tmp/tmp.XXXXXX)
- ${LDAPCONF} \
- -f "${OPENLDAP_CONF}" \
+ local cmd="${LDAPCONF}"
+ if [ -f "${OPENLDAP_CONF}" ]
+ then
+ cmd="${cmd} -f ${OPENLDAP_CONF}"
+ fi
+
+ ${cmd} \
-c -m "^HOST=$(ldap_get hostname)" \
-c -m "^BASE=$(ldap_get basedn)" \
-o "${tmp}"
- if ! [ "$?" = "0" -a -s "${tmp}" ]
+ if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
then
return 1
fi
- mv "${tmp}" "${conf}"
local em=$(ldap_get encryption_mode)
-
case "${em}" in
start_tls)
- ${LDAPCONF} \
- -f "${OPENLDAP_CONF}" \
+ tmp=$(mktemp /tmp/tmp.XXXXXX)
+ ${cmd} \
-c -m "^TLS_CACERT=$(ldap_get tls_cacertfile)" \
- -c -m "^TLS_REQCERT=allow"
- if ! [ "$?" = "0" -a -s "${tmp}" ]
+ -c -m "^TLS_REQCERT=allow" \
+ -o "${tmp}"
+ if ! [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
then
return 1
fi
;;
on)
- ${LDAPCONF} \
- -f "${OPENLDAP_CONF}" \
+ tmp=$(mktemp /tmp/tmp.XXXXXX)
+ ${cmd} \
-c -m "^URI=ldaps://$(ldap_get hostname)" \
-c -m "^TLS_CACERT=$(ldap_get tls_cacertfile)" \
- -c -m "^TLS_REQCERT=allow"
- if ! [ "$?" = "0" -a -s "${tmp}" ]
+ -c -m "^TLS_REQCERT=allow" \
+ -o "${tmp}"
+ if ! [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
then
return 1
fi
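Review bot: The status checks at L135, L153 and L169 never see safe_save's exit code: `$(safe_save "${tmp}" "${conf}")` substitutes the function's stdout (which is empty) into the test, so `[ ... -o ! ]` is evaluated on a dangling `!` token rather than on whether the save succeeded, and L153/L169 additionally negate the whole test with a leading `!`, so those branches return 1 on the success path. The same pattern recurs in the generate_nss_ldap_conf hunk at L212, L224, L236, L248, L264 and L320. Run the function as a command instead: capture `rc=$?` on the line after `-o "${tmp}"`, then `if [ "${rc}" != "0" ] || ! safe_save "${tmp}" "${conf}"; then`. When ldapconf itself fails, the mktemp file is also left behind in /tmp; an `rm -f "${tmp}"` in that branch would avoid the leak. generate_openldap_conf continues past the end of this hunk.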
@@ -85,13 +154,13 @@
generate_nss_ldap_conf()
{
- local conf="${LDAP_NSS_CONF}"
+ local tmp
+ local conf="${NSS_LDAP_CONF}"
local host=$(ldap_get hostname)
local basedn=$(ldap_get basedn)
- local binddn=$(ldap_get rootbasedn)
- local binddn=$(ldap_get rootbasedn)
- local bindpw=$(ldap_get rootbindpw)
+ local rootbasedn=$(ldap_get rootbasedn)
+ local rootbindpw=$(ldap_get rootbindpw)
local anonbind=$(ldap_get anonbind)
local pwencryption=$(ldap_get pwencryption)
local usersuffix=$(ldap_get usersuffix)
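Review bot: L179 stores the LDAP host in `host`, but the body of generate_nss_ldap_conf (next hunk, L204 and L260) expands `${hostname}`, which is not assigned anywhere visible, so `host=` and `uri=ldaps://` would presumably be written with an empty value unless `hostname` is a global set elsewhere in the script. Either rename L179 to `local hostname=$(ldap_get hostname)` or change the two uses to `${host}`. The function's body continues beyond this hunk.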
@@ -99,97 +168,126 @@
local passwordsuffix=$(ldap_get passwordsuffix)
local machinesuffix=$(ldap_get machinesuffix)
local encryption_mode=$(ldap_get encryption_mode)
+ local certfile=$(ldap_get tls_cacertfile)
local options="$(ldap_get_options)"
local cmd="${NSSLDAPCONF}"
- if [ -f "${NSS_LDAP_CONF}" ]
+ if [ -f "${conf}" ]
then
- cmd="${cmd} -f ${NSS_LDAP_CONF}"
+ cmd="${cmd} -f ${conf}"
fi
+ tmp=$(mktemp /tmp/tmp.XXXXXX)
${cmd} \
-c -m "^host=${hostname}" \
-c -m "^base=${basedn}" \
- -c -m "^rootbinddn=${rootbinddn}" \
+ -c -m "^rootbinddn=${rootbasedn}" \
-c -m "^pam_password=${pwencryption}" \
- -c -t "^nss_override_attribute_value=loginShell=/bin/sh"
+ -c -t "^nss_override_attribute_value=loginShell=/bin/sh" \
+ -o "${tmp}"
+ if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
+ then
+ return 1
+ fi
- if [ -z "${usersuffix}" ]
+ tmp=$(mktemp /tmp/tmp.XXXXXX)
+ if [ -z "${usersuffix}" ]
+ then
+ ${cmd} -c -m "^nss_base_passwd=${basedn}" -o "${tmp}"
+ else
+ ${cmd} -c -m "^nss_base_passwd=${usersuffix},${basedn}" -o "${tmp}"
+ fi
+ if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
+ then
+ return 1
+ fi
+
+ tmp=$(mktemp /tmp/tmp.XXXXXX)
+ if [ -z "${groupsuffix}" ]
+ then
+ ${cmd} -c -m "^nss_base_group=${basedn}" -o "${tmp}"
+ else
+ ${cmd} -c -m "^nss_base_group=${groupsuffix},${basedn}" -o "${tmp}"
+ fi
+ if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
+ then
+ return 1
+ fi
+
+ if [ "${encryption_mode}" = "start_tls" ]
+ then
+ tmp=$(mktemp /tmp/tmp.XXXXXX)
+ ${cmd} \
+ -c -m "^ssl=${encryption_mode}" \
+ -c -m "^tls_cacertfile=${certfile}" \
+ -o "${tmp}"
+ if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
then
- ${cmd} -c -m "^nss_base_passwd=${basedn}"
- else
- ${cmd} -c -m "^nss_base_passwd=${usersuffix},${basedn}"
+ return 1
fi
- if [ -z "${groupsuffix}" ]
+ elif [ "${encryption_mode}" = "on" ]
+ then
+ tmp=$(mktemp /tmp/tmp.XXXXXX)
+ ${cmd} \
+ -c -m "^uri=ldaps://${hostname}" \
+ -c -m "^ssl=${encryption_mode}" \
+ -c -m "^tls_cacertfile=${certfile}" \
+ -o "${tmp}"
+ if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
then
- ${cmd} -c -m "^nss_base_group=${basedn}"
- else
- ${cmd} -c -m "^nss_base_group=${groupsuffix},${basedn}"
+ return 1
fi
+ fi
+
+ for opt in ${options}
+ do
+ local var val tv n=0
- if [ "${encryption_mode}" = "start_tls" ]
- then
- #save_certificate "${cert}"
+ var=$(echo "${opt}" | sed -E 's|^opt_||')
+ val=$(ldap_get ${opt})
- ${cmd} \
- -c -m "^ssl=${encryption_mode}" \
- -c -m "^tls_cacertfile=${certfile}"
+ tv=""
+ for v in ${val}
+ do
+ n=$((n + 1))
+ tmp="${tv}${v}="
+ done
- elif [ "${encryption_mode}" = "on" ]
+ if [ "${n}" = "1" ]
then
- #save_certificate "${cert}"
+ ${cmd} -c -m "^${var}=${val}"
- ${cmd} \
- -c -m "^uri=ldaps://${hostname}" \
- -c -m "^ssl=${encryption_mode}" \
- -c -m "^tls_cacertfile=${certfile}"
+ elif [ "${n}" -gt "1" ]
+ then
+ tmp=$(mktemp /tmp/tmp.XXXXXX)
- fi
-
- for opt in ${options}
- do
- local var val tmp n=0
+ tv=$(echo "${tv}"|sed -E 's|=$||')
- var=$(echo "${opt}" | sed -E 's|^opt_||')
- val=$(ldap_get ${opt})
-
- tmp=""
- for v in ${val}
- do
- n=$((n + 1))
- tmp="${tmp}${v}="
- done
-
- if [ "${n}" = "1" ]
+ ${cmd} -c -t "^${var}=${tv}" -o "${tmp}"
+ if [ "$?" != "0" -o ! $(safe_save "${tmp}" "${conf}") ]
then
- ${cmd} -c -m "^${var}=${val}"
-
- elif [ "${n}" -gt "1" ]
- then
- tmp=$(echo "${tmp}"|sed -E 's|=$||')
- ${cmd} -c -t "^${var}=${tmp}"
+ return 1
fi
+ fi
- done
+ done
- if [ "${anonbind}" != "1" ]
- then
- printf "${rootbindpw}" > "${secret}
- chmod 600 "${secret}"
- fi
+ if [ "${anonbind}" != "1" ]
+ then
+ printf "${rootbindpw}" > "${secret}"
+ chmod 600 "${secret}"
+ fi
- ln -sf ${conf} "$(dirname ${conf})/ldap.conf"
- if [ "$ldap_anonbind" != 1 ]
- then
- ln -sf ${secret} "$(dirname ${secret})/ldap.secret"
- fi
+ ln -sf ${conf} "$(dirname ${conf})/ldap.conf"
+ if [ "$ldap_anonbind" != 1 ]
+ then
+ ln -sf ${secret} "$(dirname ${secret})/ldap.secret"
+ fi
}
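Review bot: The multi-valued option path at L284-L307 never fills `tv`: the loop at L288 assigns `tmp="${tv}${v}="`, so `tv` stays empty and L319 writes `^${var}=` with no value — this is exactly the case the conf change at L22 (`loginShell /bin/sh`) exercises, and L288 should read `tv="${tv}${v}="`. The single-valued branch at L294 calls `${cmd}` without `-o "${tmp}"` or the safe_save step every other call uses, so its output appears to be discarded. At L340 the bind password is used as the printf format string, so a `%` or backslash in it corrupts the secret file; write `printf '%s' "${rootbindpw}" > "${secret}"`, and consider creating the file under `umask 077` (or `chmod 600` before the redirect) so it is never readable at the default umask between L340 and L341. L349 tests `$ldap_anonbind` while L338 uses `${anonbind}`, so the ldap.secret symlink condition is keyed on a different, possibly unset, variable.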
-
ldap_status()
{
- local IFS=\|
local ret=0
local res=1
local fail="/tmp/.ldap_fail"
@@ -209,7 +307,7 @@
if [ "${anonbind}" = "0" ]
then
local temp=$(mktemp /tmp/tmp.XXXXXX)
-
+
chmod 400 "${temp}"
echo -n "${rootbindpw}" > "${temp}"
@@ -253,7 +351,11 @@
if checkyesno ldapclient_enable 2>/dev/null
then
ldap_init
+
+ backup_openldap_conf
generate_openldap_conf
+
+ backup_nss_ldap_conf
generate_nss_ldap_conf
fi
}
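Review bot: The new backup calls at L374 and L377 ignore their return status, and the generate_* results remain unchecked, so a failed generation leaves whatever safe_save managed to write in place while the fresh backup goes unused. Pairing them, e.g. `generate_openldap_conf || restore_openldap_conf` and `generate_nss_ldap_conf || restore_nss_ldap_conf`, would make the backups actually protect the live configs. The enclosing function starts before this hunk.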
@@ -262,7 +364,8 @@
{
if checkyesno ldapclient_enable 2>/dev/null
then
- :
+ restore_nss_ldap_conf
+ restore_openldap_conf
fi
}