Package: nslcd
Version: 0.7.6
Severity: wishlist

Hello,

Here is a patch to permit the configuration of SASL authentication with debconf. The configuration is limited to GSSAPI for now; I'll try to set up saslauthd to look at other mechanisms.

Regards.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (90, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.33.2+hati.1 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nslcd depends on:
ii  adduser                3.112         add and remove users and groups
ii  debconf [debconf-2.0]  1.5.32        Debian configuration management sy
ii  libc6                  2.11.1-3      Embedded GNU C Library: Shared lib
ii  libgssapi-krb5-2       1.8.1+dfsg-5  MIT Kerberos runtime libraries - k
ii  libldap-2.4-2          2.4.21-1      OpenLDAP libraries

Versions of packages nslcd recommends:
ii  libnss-ldapd           0.7.6         NSS module for using LDAP as a nam
pn  libpam-ldapd           <none>        (no description available)
pn  nscd                   <none>        (no description available)

nslcd suggests no packages.

-- debconf information:
  nslcd/ldap-starttls: false
  nslcd/ldap-reqcert:
* nslcd/ldap-uris: ldap://127.0.0.1/
  nslcd/ldap-binddn:
* nslcd/ldap-base: dc=baby-gnu,dc=org

--
Daniel Dehennin
Retrieve my GPG key: gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1
=== modified file 'debian/nslcd.config' --- debian/nslcd.config 2010-05-03 19:29:36 +0000 +++ debian/nslcd.config 2010-06-20 11:37:02 +0000 @@ -136,6 +136,38 @@ reqcert=`echo "$reqcert" | tr 'A-Z' 'a-z' | sed 's/^no$/never/;s/^yes$/demand/'` [ -n "$reqcert" ] && db_set nslcd/ldap-reqcert "$reqcert" fi + # check SASL option + db_get nslcd/ldap-sasl + if [ -z "$RET" ] + then + if grep -qi '^SASL_MECH[[:space:]]*GSSAPI' "$cfgfile" + then + db_set nslcd/ldap-sasl "true" + else + db_set nslcd/ldap-sasl "false" + fi + fi + # check SASL mechanism + db_get nslcd/ldap-sasl-mech + if [ -z "$RET" ] + then + saslmech=`sed -n 's/^SASL_MECH[[:space:]]*\(GSSAPI\)[[:space:]]*$/\1/ip' "$cfgfile"` + [ -n "$saslmech" ] && db_set nslcd/ldap-sasl-mech "$saslmech" + fi + # check SASL realm + db_get nslcd/ldap-sasl-realm + if [ -z "$RET" ] + then + saslrealm=`sed -n 's/^SASL_REALM[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"` + [ -n "$saslrealm" ] && db_set nslcd/ldap-sasl-realm "$saslrealm" + fi + # check SASL security properties + db_get nslcd/ldap-sasl-secprops + if [ -z "$RET" ] + then + saslsecprops=`sed -n 's/^SASL_SECPROPS[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"` + [ -n "$saslsecprops" ] && db_set nslcd/ldap-sasl-secprops "$saslsecprops" + fi # we're done return 0 } @@ -150,6 +182,12 @@ db_set nslcd/ldap-binddn "" db_set nslcd/ldap-bindpw "" db_set nslcd/ldap-starttls "" + db_set nslcd/ldap-sasl "" + db_set nslcd/ldap-sasl-mech "" + db_set nslcd/ldap-sasl-realm "" + db_set nslcd/ldap-sasl-authcid "" + db_set nslcd/ldap-sasl-authzid "" + db_set nslcd/ldap-sasl-secprops "" # parse current configuration parsecfg "$CONFFILE" else 
@@ -170,6 +208,10 @@ db_get nslcd/ldap-starttls [ -z "$RET" ] && db_set nslcd/ldap-starttls "false" +# fallback for krb5_ccname +db_get nslcd/ldap-sasl-krb5-ccname +[ -z "$RET" ] && db_set nslcd/ldap-sasl-krb5-ccname "/var/run/nslcd/nslcd.tkt" + # # This is the second part of the script. In this part the configurable # settings will be presented to the user for approval. The postinst 
@@ -240,8 +282,112 @@ db_input high nslcd/ldap-reqcert || true fi # ask the question, go to the next question or back + state="sasl" + db_go || state="bindpw" + ;; + sasl) + db_input medium nslcd/ldap-sasl || true + # ask the question, go to the next question or back + state="saslmech" + db_go || state="reqcert" + ;; + saslmech) + # check if SASL is enabled + db_get nslcd/ldap-sasl + if [ "$RET" = "true" ] + then + db_input medium nslcd/ldap-sasl-mech || true + else + db_set nslcd/ldap-sasl-mech "" + fi + # ask the question, go to the next question or back + state="saslrealm" + db_go || state="sasl" + ;; + saslrealm) + # check if SASL is enabled + db_get nslcd/ldap-sasl + sasl="$RET" + # check if SASL mechanism is not none + db_get nslcd/ldap-sasl-mech + saslmech="$RET" + if [ "$sasl" = "true" ] && [ "$saslmech" != "none" ] + then + db_input medium nslcd/ldap-sasl-realm || true + else + db_set nslcd/ldap-sasl-realm "" + fi + # ask the question, go to the next question or back + state="saslauthcid" + db_go || state="saslmech" + ;; + saslauthcid) + # check if SASL is enabled + db_get nslcd/ldap-sasl + sasl="$RET" + # check if SASL mechanism is not none + db_get nslcd/ldap-sasl-mech + saslmech="$RET" + if [ "$sasl" = "true" ] && [ "$saslmech" != "none" ] + then + db_input medium nslcd/ldap-sasl-authcid || true + else + db_set nslcd/ldap-sasl-authcid "" + fi + # ask the question, go to the next question or back + state="saslauthzid" + db_go || state="saslrealm" + ;; + saslauthzid) + # check if SASL is enabled + db_get nslcd/ldap-sasl + sasl="$RET" + # check if SASL mechanism is not none + db_get nslcd/ldap-sasl-mech + saslmech="$RET" + if [ "$sasl" = "true" ] && [ "$saslmech" != "none" ] + then + db_input medium nslcd/ldap-sasl-authzid || true + else + db_set nslcd/ldap-sasl-authzid "" + fi + # ask the question, go to the next question or back + state="saslsecprops" + db_go || state="saslauthcid" + ;; + saslsecprops) + # check if SASL is enabled + db_get 
nslcd/ldap-sasl + sasl="$RET" + # check if SASL mechanism is not none + db_get nslcd/ldap-sasl-mech + saslmech="$RET" + if [ "$sasl" = "true" ] && [ "$saslmech" != "none" ] + then + db_input medium nslcd/ldap-sasl-secprops || true + else + db_set nslcd/ldap-sasl-secprops "" + fi + # ask the question, go to the next question or back + state="krb5ccname" + db_go || state="saslauthzid" + ;; + krb5ccname) + # check if SASL mech is GSSAPI + db_get nslcd/ldap-sasl + sasl="$RET" + # check if SASL mechanism is not none + db_get nslcd/ldap-sasl-mech + saslmech="$RET" + if [ "$sasl" = "true" ] && [ "$saslmech" = "GSSAPI" ] + then + db_input low nslcd/ldap-sasl-krb5-ccname || true + else + db_set nslcd/ldap-sasl-krb5-ccname "" + fi + # ask the question, go to the next question or back state="done" - db_go || state="bindpw" + db_go || state="saslsecprops" ;; esac done === modified file 'debian/nslcd.postinst' --- debian/nslcd.postinst 2010-05-09 09:39:45 +0000 +++ debian/nslcd.postinst 2010-06-20 11:42:07 +0000 
@@ -221,6 +221,75 @@ # clear debconf value so that this option is only set if the question is asked db_set nslcd/ldap-reqcert "" fi + # set SASL options + db_get nslcd/ldap-sasl + if [ -n "$RET" ] + then + db_get nslcd/ldap-sasl-mech + if [ -n "$RET" ] && [ "$RET" != "none" ] + then + saslmech="$RET" + cfg_set sasl_mech "$RET" + if [ "$saslmech" = "GSSAPI" ] + then + # Set kerberos credential cache name + db_get nslcd/ldap-sasl-krb5-ccname + if [ -n "$RET" ] + then + cfg_set krb5_ccname "$RET" + else + # default value + cfg_set krb5_ccname "/var/run/nslcd/nslcd.tkt" + fi + fi + else + if grep -qi '^sasl_mech' $CONFFILE + then + cfg_disable sasl_mech + fi + if grep -qi '^krb5_ccname' $CONFFILE + then + cfg_disable krb5_ccname + fi + fi + db_get nslcd/ldap-sasl-realm + if [ -n "$RET" ] + then + cfg_set sasl_realm "$RET" + else + cfg_disable sasl_realm + fi + db_get nslcd/ldap-sasl-authcid + if [ -n "$RET" ] + then + cfg_set sasl_authcid "$RET" + else + cfg_disable sasl_authcid + fi + db_get nslcd/ldap-sasl-authzid + if [ -n "$RET" ] + then + cfg_set sasl_authzid "$RET" + else + cfg_disable sasl_authzid + fi + db_get nslcd/ldap-sasl-secprops + if [ -n "$RET" ] + then + cfg_set sasl_secprops "$RET" + else + cfg_disable sasl_secprops + fi + else + # Disable all SASL options + for saslitem in sasl_mech sasl_realm sasl_authcid sasl_authzid sasl_secprops krb5_ccname + do + if grep -qi "^saslitem" $CONFFILE + then + cfg_disable $saslitem + fi + done + fi # we're done db_stop # rename reconnect_maxsleeptime to reconnect_retrytime === modified file 'debian/nslcd.templates' --- debian/nslcd.templates 2009-08-31 20:46:01 +0000 +++ debian/nslcd.templates 2010-06-20 11:21:02 +0000 
@@ -52,3 +52,84 @@ * demand: a certificate will be requested, required, and checked. If certificate checking is enabled, at least one of the tls_cacertdir or tls_cacertfile options must be put in /etc/nslcd.conf. + +Template: nslcd/ldap-sasl +Type: boolean +Default: false +_Description: Configure LDAP SASL authentication? + LDAP binding can be performed with the Simple Authentication and + Security Layer. + . + For the moment, only GSSAPI/Kerberos authentication mechanism is + tested and configurable via debconf. It needs the suggested package + kstart to acquire and maintain the kerberos credential cache. + . + You can try other mechanisms by editing /etc/nslcd.conf configuration file + directly and report any successful configuration. + +Template: nslcd/ldap-sasl-mech +Type: select +__Choices: none, GSSAPI +Default: none +_Description: SASL mechanism to configure: + Simple Authentication and Security Layer mechanism to use for LDAP + authentication. + +Template: nslcd/ldap-sasl-realm +Type: string +_Description: SASL realm: + Simple Authentication and Security Layer realm to use for LDAP + authentication. + . + If empty, the GSSAPI mechanism will use informations from the kerberos + credential cache. + +Template: nslcd/ldap-sasl-authcid +Type: string +_Description: SASL authentication identity: + Simple Authentication and Security Layer identity. + +Template: nslcd/ldap-sasl-authzid +Type: string +_Description: SASL proxy authorisation identity: + Simple Authentication and Security Layer proxy authorisation identity. + +Template: nslcd/ldap-sasl-secprops +Type: string +_Description: Cyrus SASL security properties: + The Cyrus Simple Authentication and Security Layer library provides + the following security properties: + * none: (without any other properties) causes the properties + defaults ("noanonymous,noplain") to be cleared. + * noplain: disables mechanisms susceptible to simple passive + attacks. 
+ * noactive: disables mechanisms susceptible to active attacks. + * nodict: disables mechanisms susceptible to passive dictionary + attacks. + * noanonymous: disables mechanisms which support anonymous login. + * forwardsec: requires forward secrecy between sessions. + * passcred: requires mechanisms which pass client credentials (and + allows mechanisms which can pass credentials to do so). + * minssf=<factor>: specifies the minimum acceptable security strength + factor as an integer approximating the effective + key length used for encryption. 0 (zero) implies + no protection, 1 implies integrity protection + only, 56 allows DES or other weak ciphers, 112 + allows triple DES and other strong ciphers, 128 + allows RC4, Blowfish and other modern strong + ciphers. The default is 0. + * maxssf=<factor>: specifies the maximum acceptable security + strength factor as an integer (see minssf + description). The default is INT_MAX. + * maxbufsize=<factor>: specifies the maximum security layer receive + buffer size allowed. 0 disables security + layers. The default is 65536. + +Template: nslcd/ldap-sasl-krb5-ccname +Type: string +Default: /var/run/nslcd/nslcd.tkt +_Description: Kerberos credential cache file path: + The GSSAPI/Kerberos authentication mechanism needs a credential cache + file. + . + The cache file is initialised and maintained by k5start.
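Review bot: in the first debian/nslcd.config hunk (parsecfg, @@ -136,6 +136,38 @@), the existing-file parsing only recovers sasl_mech, sasl_realm and sasl_secprops, while the second hunk in the same file resets nslcd/ldap-sasl-authcid and nslcd/ldap-sasl-authzid to "" just before parsecfg runs; on reconfigure the postinst then sees empty values and calls cfg_disable on sasl_authcid/sasl_authzid that the administrator had set by hand. Add sed extractions for those two keys (and for krb5_ccname) alongside the existing ones. Also, `\(GSSAPI\)` with the case-insensitive flag can capture "gssapi" from the file, which does not match the "GSSAPI" choice of the select template; normalise the captured value (e.g. with `tr 'a-z' 'A-Z'`) before the db_set.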
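Review bot: the krb5_ccname fallback hunk in debian/nslcd.config (@@ -170,6 +208,10 @@) sets nslcd/ldap-sasl-krb5-ccname to /var/run/nslcd/nslcd.tkt whenever the debconf value is empty, but nothing in parsecfg reads krb5_ccname from the existing nslcd.conf, so a custom cache path in the file is never imported and is overwritten by the default the next time the postinst writes the GSSAPI settings. Either parse krb5_ccname in parsecfg or only apply the fallback when the question will actually be shown; note the template already carries the same Default, so the fallback is redundant on a fresh install.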
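Review bot: the state-machine hunk in debian/nslcd.config (@@ -240,8 +282,112 @@) repeats the same six-line "check if SASL is enabled / check if SASL mechanism is not none" prelude in five consecutive states; a small helper that returns the combined condition (hypothetical name, e.g. `sasl_active`) would remove roughly forty duplicated lines and keep the conditions from drifting apart. The comment in the krb5ccname state is already stale: it says "check if SASL mech is GSSAPI" and then "check if SASL mechanism is not none" while the test is `[ "$saslmech" = "GSSAPI" ]`.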
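Review bot: in the debian/nslcd.postinst hunk (@@ -221,6 +221,75 @@) the "Disable all SASL options" loop greps for `"^saslitem"` without the `$`, so it searches the literal word and never disables anything; it should be `grep -qi "^$saslitem" "$CONFFILE"`. That branch is also effectively dead: nslcd/ldap-sasl holds "true" or "false" after the config script, and "false" is non-empty, so `[ -n "$RET" ]` always takes the first branch; test `[ "$RET" = "true" ]` instead so the disable loop is the path taken when SASL is declined. Quote `"$CONFFILE"` in the other two grep calls as well.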
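Review bot: in the debian/nslcd.templates hunk (@@ -52,3 +52,84 @@), the sasl-realm description should read "use information from the kerberos credential cache" (not "informations"), and the sasl template should say "only the GSSAPI/Kerberos authentication mechanism is tested". The same template refers to "the suggested package kstart", but this patch touches only nslcd.config, nslcd.postinst and nslcd.templates, so debian/control must gain a Suggests: kstart in the same change for that sentence to hold. For the secprops template, the text itself states that minssf defaults to 0 and that 0 implies no protection; a sentence saying that with the default the SASL layer provides neither integrity nor confidentiality, so TLS or a minssf value is needed for that, would help administrators choose deliberately.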