[PC-BSD Testing] ldap tool issues

Rodney Lewis rodney.lewis at tortoiseblog.com
Fri Nov 29 08:47:03 PST 2013


I have been trying to use the PC-BSD control panel "active directory/ldap" tool to configure connectivity to our ldap server. I can configure nss_ldap.conf and openldap.conf by hand correctly, but the tool was causing problems.
I am using the following release:

FreeBSD 9.2-RELEASE-p7 FreeBSD 9.2-RELEASE-p7 #0: Wed Sep 11 15:02:50 UTC 2013 root at amd64-builder.pcbsd.org:/usr/obj/usr/src/sys/GENERIC amd64

1. The /usr/local/etc/nss_ldap.conf host entry was being incorrectly updated with the machine host name rather than the one specified.
Fixed by updating /usr/local/etc/rc.d/pc-nssldap with the following:
        #-----------------------------------------------------------------
        # changed host=${hostname} to host=${host} otherwise it fills in
        # machine shortname
        ${cmd} \
                -c -m "^host=${host}" \
                -c -m "^base=${basedn}" \
                -c -m "^rootbinddn=${rootbasedn}" \
                -c -m "^pam_password=${pwencryption}" \
                -c -t "^nss_override_attribute_value=loginShell=/bin/sh" \
                -o "${tmp}"

2. The nss_base_shadow options were not being set. I assume this is what the passwords entry is for in the tool. If not, I can add it as an option for my site.
Fixed by adding the missing routine to the generate_LDAP_nss_ldap_conf function:
        #--------------------------------------------------------
        # Did not seem to be setting the shadow options at all so 
        # I added the following.
        cmd="${NSSLDAPCONF} -f ${conf}"

        tmp=$(mktemp /tmp/tmp.XXXXXX)

        if [ -z "${passwordsuffix}" ]
        then
                ${cmd} -c -m "^nss_base_shadow=${basedn}" -o "${tmp}"
        else
                ${cmd} -c -m "^nss_base_shadow=${passwordsuffix},${basedn}" -o "${tmp}"
        fi
        if [ "$?" != "0" ]
        then
                return 1
        fi
        if ! safe_save "${tmp}" "${conf}"
        then
                return 1
        fi
        #--------------------------------------------------------

Also, the password suffix was being read in incorrectly from /usr/local/etc/pc-ldap.conf.
Fixed by the following in the generate_LDAP_nss_ldap_conf function:
        #-----------------------------------------------------
        # Taken from /usr/local/etc/pc-ldap.conf where
        # ldap_passwordsuffix = ou=Password but at end of file
        # ldap_passwordstuff = ou=People my settings
        local passwordsuffix=$(ldap_get passwordstuff)
        #-----------------------------------------------------

3. When stopping the pc-pam service the ldap settings were not removed.
Fixed by updating /usr/local/etc/rc.d/pc-pam in the pam_stop function:
        #-------------------------------------------
        # The items have ' instead of " around them and it fails to change
        # back the settings.
        # Changed them to "
        then
                auth="-auth:sufficient:${pam_ldap}"
                account="-account:sufficient:${pam_ldap}"
                session="-session:required:${pam_mkhomedir}"
                password="-password:sufficient:${pam_ldap}"

                do_pam_conf "${auth}" "${account}" "${session}" "${password}"
                return $?
        fi
        #------------------------------------------------


Also, the settings that are auto-populated when the tool starts are stored under that account's .config folder. It was very confusing trying to understand where those settings were coming from. I would have thought you would either use /usr/local/etc/pc-ldap.conf or store the settings in /var, enabling anyone starting the tool to see all the same settings.

Thanks
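As an added example, not part of Rodney's post or of the PC-BSD rc.d scripts: a small POSIX sh check that reads a generated nss_ldap.conf and verifies the two symptoms from items 1 and 2 above, a host= line carrying the machine's short name instead of the configured server, and a missing nss_base_shadow= line. The shadow_base helper mirrors the fallback in the posted routine (an empty password suffix means the bare base DN). The host names, DNs and sample file contents are constructed for the demo and not taken from any real site.

```shell
#!/bin/sh
# Added example: sanity-check a generated nss_ldap.conf against the values
# that were meant to go into it. Not part of the original post or of the
# PC-BSD pc-nssldap script; hostnames and DNs below are constructed.

# Build the nss_base_shadow value the same way the corrected routine does:
# an empty password suffix falls back to the bare base DN.
shadow_base() {
    suffix="$1"
    basedn="$2"
    if [ -z "${suffix}" ]; then
        printf '%s\n' "${basedn}"
    else
        printf '%s\n' "${suffix},${basedn}"
    fi
}

# Return 0 if the file carries exactly the expected host= and
# nss_base_shadow= lines, 1 otherwise; each problem is reported on stderr.
check_nss_ldap_conf() {
    conf="$1"
    want_host="$2"
    want_shadow="$3"
    rc=0
    got_host=$(sed -n 's/^host=//p' "${conf}")
    got_shadow=$(sed -n 's/^nss_base_shadow=//p' "${conf}")
    if [ "${got_host}" != "${want_host}" ]; then
        echo "host= is '${got_host}', expected '${want_host}' (machine hostname instead of the LDAP server)" >&2
        rc=1
    fi
    if [ -z "${got_shadow}" ]; then
        echo "nss_base_shadow= is not set" >&2
        rc=1
    elif [ "${got_shadow}" != "${want_shadow}" ]; then
        echo "nss_base_shadow= is '${got_shadow}', expected '${want_shadow}'" >&2
        rc=1
    fi
    return ${rc}
}

# Demo on a constructed sample resembling what the unfixed tool produced:
# host= holds the machine short name and nss_base_shadow= is absent.
demo() {
    sample=$(mktemp /tmp/tmp.XXXXXX)
    printf 'host=workstation\nbase=dc=example,dc=com\n' > "${sample}"
    if check_nss_ldap_conf "${sample}" ldap.example.com "$(shadow_base ou=People dc=example,dc=com)"; then
        echo "unexpected: broken sample passed"
    else
        echo "broken sample correctly rejected"
    fi
    rm -f "${sample}"
}
demo
```

Run it after the tool has written /usr/local/etc/nss_ldap.conf, passing the server name and the suffix/base DN you entered in the control panel; a non-zero exit means the generated file does not match what was configured.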
