[PC-BSD Testing] ldap tool issues

Kris Moore kris at pcbsd.org
Thu Dec 5 09:45:03 PST 2013


On 11/29/2013 11:47, Rodney Lewis wrote:
> I have been trying to use the PC-BSD control panel "Active Directory/LDAP" tool to configure connectivity to our LDAP server. I can configure nss_ldap.conf and openldap.conf by hand correctly, but the tool was causing problems.
> I am using the following release
>
> FreeBSD 9.2-RELEASE-p7 FreeBSD 9.2-RELEASE-p7 #0: Wed Sep 11 15:02:50 UTC 2013 root at amd64-builder.pcbsd.org:/usr/obj/usr/src/sys/GENERIC amd64
>
> 1. The /usr/local/etc/nss_ldap.conf host entry was being incorrectly updated with machine host name rather than the one specified.
> Fixed by updating /usr/local/etc/rc.d/pc-nssldap with the following
>         #-----------------------------------------------------------------      
>         # changed host=${hostname} to host=${host} otherwise it fills in
>         # machine shortname 
>         ${cmd} \
>                 -c -m "^host=${host}" \
>                 -c -m "^base=${basedn}" \
>                 -c -m "^rootbinddn=${rootbasedn}" \
>                 -c -m "^pam_password=${pwencryption}" \
>                 -c -t "^nss_override_attribute_value=loginShell=/bin/sh" \
>                 -o "${tmp}"
>
> 2. The nss_base_shadow options were not being set. I assume this is what the passwords entry is for in the tool. If not, I can add it as an option for my site.
> Fixed by adding in missing routine to the generate_LDAP_nss_ldap_conf function
>         #--------------------------------------------------------
>         # Did not seem to be setting the shadow options at all so 
>         # I added the following.
>         cmd="${NSSLDAPCONF} -f ${conf}"
>
>         tmp=$(mktemp /tmp/tmp.XXXXXX)
>
>         if [ -z "${passwordsuffix}" ]
>         then
>                 ${cmd} -c -m "^nss_base_shadow=${basedn}" -o "${tmp}"
>         else
>                 ${cmd} -c -m "^nss_base_shadow=${passwordsuffix},${basedn}" -o "${tmp}"
>         fi
>         if [ "$?" != "0" ]
>         then
>                 return 1
>         fi
>         if ! safe_save "${tmp}" "${conf}"
>         then
>                 return 1
>         fi
>         #--------------------------------------------------------
>
> Also password suffix was being read in incorrectly from /usr/local/etc/pc-ldap.conf
> Fix by the following in the generate_LDAP_nss_ldap_conf function
>         #-----------------------------------------------------
>         # Taken from /usr/local/etc/pc-ldap.conf where
>         # ldap_passwordsuffix = ou=Password but at end of file
>         # ldap_passwordstuff = ou=People my settings
>         local passwordsuffix=$(ldap_get passwordstuff)
>         #-----------------------------------------------------
>
> 3. When stopping the pc-pam service the LDAP settings were not removed.
> Fixed by updating /usr/local/etc/rc.d/pc-pam in the pam_stop function
>         #-------------------------------------------
>         # The items have ' instead of " around them and it fails to change
>         # back the settings.
>         # Changed them to "
>         then
>                 auth="-auth:sufficient:${pam_ldap}"
>                 account="-account:sufficient:${pam_ldap}"
>                 session="-session:required:${pam_mkhomedir}"
>                 password="-password:sufficient:${pam_ldap}"
>
>                 do_pam_conf "${auth}" "${account}" "${session}" "${password}"
>                 return $?
>         fi
>         #------------------------------------------------
>
>
> Also, the settings that are auto-populated when the tool starts are stored under that account's .config folder. It was very confusing trying to understand where those settings were coming from. I would have thought either use /usr/local/etc/pc-ldap.conf or store the settings in /var, enabling anyone starting the tool to see all the same settings.
>
> Thanks


Ok, I think I got this committed properly now:

https://github.com/pcbsd/pcbsd/commit/765d4e3be896029cbf0de2eaad38378ec8624e89

Can you check it out to be sure? Also, next time, send a patch file, or
git pull and it'll be easier to merge it in :)

-- 
Kris Moore
PC-BSD Software
iXsystems
