Package: nslcd
Version: 0.7.6
Severity: wishlist
Tags: patch

I provide a patch to start k5start when nslcd is configured for SASL
GSSAPI kerberos authentication.

Here is my changelog:

Handle kerberos ticket cache creation with k5start.

* debian/nslcd.init (NSLCD_DEFAULT): Default configuration file.
  Add kerberos specific options: K5START_DESC, K5START_BIN,
  K5START_PIDFILE, KRB5_PRINCIPAL, KRB5_KEYTAB, KRB5_CCREFRESH, KRB5_MODE.
  Take care of a badly configured nslcd.conf: use_sasl requires
  sasl_mech=GSSAPI, which requires the k5start binary.
  Restrict the ticket cache type to file-based.
  Start k5start before starting nslcd.
  Stop k5start after stopping nslcd.

* debian/nslcd.default: Kerberos configuration used by init script.

* debian/nslcd.conffile: Put nslcd.default in /etc/default/.

* debian/control (Recommends): Add k5start.

Regards.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (90, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.33.2+hati.1 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nslcd depends on:
ii  adduser                     3.112        add and remove users and groups
ii  debconf [debconf-2.0]       1.5.32       Debian configuration management sy
ii  libc6                       2.11.1-3     Embedded GNU C Library: Shared lib
ii  libgssapi-krb5-2            1.8.1+dfsg-5 MIT Kerberos runtime libraries - k
ii  libldap-2.4-2               2.4.21-1     OpenLDAP libraries

Versions of packages nslcd recommends:
pn  libnss-ldapd                  <none>     (no description available)
pn  libpam-ldapd                  <none>     (no description available)
pn  nscd                          <none>     (no description available)

nslcd suggests no packages.

-- debconf information:
  nslcd/ldap-starttls: false
  nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://127.0.0.1/
  nslcd/ldap-binddn:
* nslcd/ldap-base: dc=baby-gnu,dc=org

-- 
Daniel Dehennin
Récupérer ma clef GPG:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1

=== modified file 'debian/control'
--- debian/control	2010-05-26 20:07:49 +0000
+++ debian/control	2010-06-12 16:26:45 +0000
@@ -12,7 +12,7 @@
 Package: nslcd
 Architecture: any
 Depends: ${misc:Depends}, ${shlibs:Depends}, adduser
-Recommends: nscd, libnss-ldapd, libpam-ldapd
+Recommends: nscd, libnss-ldapd, libpam-ldapd, k5start
 Conflicts: libnss-ldapd (<< 0.7.0)
 Description: Daemon for NSS and PAM lookups using LDAP
  This package provides a daemon for retrieving user account, and other
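Review bot: k5start is added only as a Recommends here, but the init script in the same patch hard-fails (`log_failure_msg ... ; exit 1`) whenever nslcd.conf has use_sasl with sasl_mech=GSSAPI and /usr/bin/k5start is not executable. Recommends are installed by default but can be omitted (e.g. `--no-install-recommends`), which would leave a SASL/GSSAPI-configured nslcd unable to start, stop or report status. Either state this requirement in the package description and in debian/nslcd.default, or make the init script skip the k5start handling with a warning instead of exiting when the binary is absent.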

=== added file 'debian/nslcd.conffile'
--- debian/nslcd.conffile	1970-01-01 00:00:00 +0000
+++ debian/nslcd.conffile	2010-06-12 16:19:55 +0000
@@ -0,0 +1,1 @@
+nslcd.default /etc/default/nslcd

=== added file 'debian/nslcd.default'
--- debian/nslcd.default	1970-01-01 00:00:00 +0000
+++ debian/nslcd.default	2010-06-12 16:19:44 +0000
@@ -0,0 +1,5 @@
+# Kerberos configuration
+# KRB5_PRINCIPAL="host/$(hostname -f)"
+# KRB5_KEYTAB=/etc/krb5.keytab
+# KRB5_CCREFRESH=60
+# KRB5_MODE=600

=== modified file 'debian/nslcd.init'
--- debian/nslcd.init	2010-05-23 18:33:56 +0000
+++ debian/nslcd.init	2010-06-12 16:24:26 +0000
@@ -36,6 +36,7 @@
 NSLCD_BIN=/usr/sbin/nslcd
 NSLCD_DESC="LDAP connection daemon"
 NSLCD_CFG=/etc/nslcd.conf
+NSLCD_DEFAULT=/etc/default/nslcd
 
 [ -x "$NSLCD_BIN" ] || exit 0
 [ -f "$NSLCD_CFG" ] || exit 0
@@ -45,10 +46,107 @@
 NSLCD_STATEDIR=/var/run/nslcd
 NSLCD_PIDFILE=$NSLCD_STATEDIR/nslcd.pid
 
+# Kerberos default
+K5START_DESC="Keep alive Kerberos ticket"
+K5START_BIN=/usr/bin/k5start
+K5START_PIDFILE=$NSLCD_STATEDIR/k5start_nslcd.pid
+KRB5_PRINCIPAL="host/$(hostname -f)"
+KRB5_KEYTAB=/etc/krb5.keytab
+KRB5_CCREFRESH=60
+KRB5_MODE=600
+KRB5_CACHEOPT=""
+
+# Get info from config file
+NSLCD_USER=$(grep '^uid' "$NSLCD_CFG" | cut -d' ' -f 2)
+NSLCD_GROUP=$(grep '^gid' "$NSLCD_CFG" | cut -d' ' -f 2)
+USE_SASL=$(grep '^use_sasl' "$NSLCD_CFG" | cut -d' ' -f 2)
+SASL_MECH=$(grep '^sasl_mech' "$NSLCD_CFG" | cut -d' ' -f 2)
+KRB5_CCNAME=$(grep '^krb5_ccname' "$NSLCD_CFG" | cut -d' ' -f 2)
+# cache TYPE:
+KRB5_CCTYPE=${KRB5_CCNAME%:*}
+# Remove TYPE: to delete it after stop
+KRB5_CCNAME=${KRB5_CCNAME#*:}
+
+# no TYPE: is defaulted to file based
+[ -n "$KRB5_CCNAME" ] && [ "$KRB5_CCNAME" = "$KRB5_CCTYPE" ] && KRB5_CCTYPE=""
+
+[ -f "$NSLCD_DEFAULT" ] && . "$NSLCD_DEFAULT"
+
+# Check SASL usage
+if [ -n "$USE_SASL" ]
+then
+  if [ "$SASL_MECH" = "GSSAPI" ]
+  then
+    if [ ! -x "$K5START_BIN" ]
+    then
+      log_failure_msg "SASL GSSAPI Kerberos is configure but k5start is missing"
+      exit 1
+    fi
+    if [ -n "$KRB5_CCTYPE" ] && [ "$KRB5_CCTYPE" != "FILE" ]
+    then
+      # k5start need an environnement variable for non file base cache
+      # when nslcd will support other types
+      # export KRB5CCNAME="${KRB5_CCTYPE}:${KRB5_CCNAME}"
+      log_failure_msg "nslcd supports only file base kerberos ticket cache"
+      exit 1
+    else
+      # Specify -k option for file based cache
+      KRB5_CACHEOPT="-k $KRB5_CCNAME -o $NSLCD_USER -g $NSLCD_GROUP -m $KRB5_MODE"
+    fi
+  else
+      log_failure_msg "SASL is configured with unsupported mech: $SASL_MECH"
+      exit 1
+  fi
+fi
+
+k5start_start()
+{
+
+  # Kerberos authentication works only if the 3 options are sets
+  if [ -n "$USE_SASL" ] && [ "$SASL_MECH" = "GSSAPI" ] && [ -n "$KRB5_CCNAME" ]
+  then
+    log_daemon_msg "Starting $K5START_DESC" "k5start"
+    start-stop-daemon --start \
+                      --pidfile $K5START_PIDFILE \
+                      --exec $K5START_BIN -- -b -p $K5START_PIDFILE \
+                                             -K $KRB5_CCREFRESH \
+                                             -u $KRB5_PRINCIPAL \
+                                             -f $KRB5_KEYTAB \
+                                             $KRB5_CACHEOPT
+    log_end_msg $?
+  fi
+}
+
+k5start_stop()
+{
+  if [ -f "$K5START_PIDFILE" ]
+  then
+    log_daemon_msg "Stopping $K5START_DESC" "k5start"
+    start-stop-daemon --stop --oknodo --pidfile $K5START_PIDFILE
+    log_end_msg $?
+    [ -n "$K5START_PIDFILE" ] && rm -f $K5START_PIDFILE
+    [ -f "$KRB5_CCNAME" ] && rm -f $KRB5_CCNAME
+  fi
+}
+
+k5start_status()
+{
+  if [ -n "$USE_SASL" ] && [ "$SASL_MECH" = "GSSAPI" ] && [ -n "$KRB5_CCNAME" ]
+  then
+    if [ -f "$K5START_PIDFILE" ]
+    then
+      status_of_proc -p "$K5START_PIDFILE" "$K5START_BIN" "k5start"
+    else
+      log_failure_msg "SASL GSSAPI Kerberos configured but no pid file for k5start"
+    fi
+  fi
+}
+
 case "$1" in
 start)
   [ -d "$NSLCD_STATEDIR" ] || ( mkdir -m 755 "$NSLCD_STATEDIR" ; \
                                 chown nslcd:nslcd "$NSLCD_STATEDIR" )
+  k5start_start
   log_daemon_msg "Starting $NSLCD_DESC" "nslcd"
   start-stop-daemon --start --oknodo \
                     --pidfile $NSLCD_PIDFILE \
@@ -62,6 +160,7 @@
                     --name nslcd
   log_end_msg $?
   [ -n "$NSLCD_PIDFILE" ] && rm -f $NSLCD_PIDFILE
+  k5start_stop
   ;;
 restart|force-reload)
   [ -d "$NSLCD_STATEDIR" ] || ( mkdir -m 755 "$NSLCD_STATEDIR" ; \
@@ -71,12 +170,15 @@
                     --pidfile $NSLCD_PIDFILE \
                     --name nslcd
   [ -n "$NSLCD_PIDFILE" ] && rm -f $NSLCD_PIDFILE
+  k5start_stop
+  k5start_start
   start-stop-daemon --start \
                     --pidfile $NSLCD_PIDFILE \
                     --startas $NSLCD_BIN
   log_end_msg $?
   ;;
 status)
+  k5start_status
   if [ -f "$NSLCD_PIDFILE" ]
   then
     if $NSLCD_BIN --check
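Review bot: In the `status` arm, the result of the new `k5start_status` call is discarded: when SASL/GSSAPI is configured but the k5start pid file is missing, the function only prints `log_failure_msg` and falls through, so the script's exit status reflects nslcd alone and a monitoring caller sees a healthy service while the ticket refresher is dead; have that branch `return 1` and propagate it, e.g. `k5start_status || exit 1`, if the status contract should cover k5start. In the `restart|force-reload` arm (whose opening `log_daemon_msg` lies above this hunk), `k5start_stop` and `k5start_start` each emit their own log_daemon_msg/log_end_msg pair between the nslcd stop and start, so the console output of the pending restart message is interleaved with two nested messages; consider a quiet variant of the k5start helpers for the restart path.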

