On 2020/06/03 06:02, Lucas Raab wrote:
> On Wed, Jun 03, 2020 at 08:19:40AM +0200, Landry Breuil wrote:
> > On Tue, Jun 02, 2020 at 05:01:06PM -0500, Lucas Raab wrote:
> > > Hello,
> > > 
> > > Here are three new ports, two deps, and the one piece de resistance,
> > > web2ldap.
> > > 
> > > sysutils/web2ldap - web-based LDAP client
> > > devel/py-xlwt - dep for exporting LDAP query results as XLS files
> > > devel/py-ldap0 - web2ldap's interface to the OpenLDAP libraries
> > > 
> > > The author of web2ldap and py-ldap0 has been very responsive to some
> > > questions I had a few months ago and accepted a change to make it
> > > easier to manage on the BSDs as a whole.
> > > 
> > > More information here: https://web2ldap.de/
> > > Project upstream here: https://gitlab.com/ae-dir/web2ldap
> > > 
> > > I've been using this in my own tree for several months now with no
> > > issues. That being said, I hope I didn't get complacent in the
> > > submission.
> > > 
> > > Completely understand if this is too niche to warrant being included in
> > > the tree. If not so terribly niche, feedback?
> > 
> > That looks interesting and a very complete ldap client/admin tool. Will
> > have to try it on some of my servers, but some porting nits first:
> > 
> > - WANTLIB = python3.7m -> use ${MODPY_WANTLIB}
> > - use MODPY_EGG_VERSION in web2ldap, this way it gets substituted in the
> >   PLIST
> 
> See above about complacency :) I'll get those updated.
> 
> > - are *all* those @sample required in ${SYSCONFDIR}/web2ldap ? that looks
> >   a lot.
> 
> I suppose not. I was going for a `pkg_add web2ldap` and
> `rcctl start web2ldap` style where moving files around was already
> sorted out for the user. Being too helpful there? It is rather a lot of
> files to manage in the PLIST...

Rather than putting files in share/examples/web2ldap/templates and
@sample'ing them across, another option is to put them in
share/web2ldap/templates and install a symlink at pkg_add time;
something like this should work (untested):

@exec-add [ -e ${SYSCONFDIR}/web2ldap ] || ln -s %D/share/web2ldap/templates ${SYSCONFDIR}/web2ldap/

That allows using the templates directory by default, but still
allows pointing the link elsewhere if you want to customise them.

tls/ca-bundle.pem should just use the system file instead,
/etc/ssl/cert.pem (_don't_ use ${SYSCONFDIR} for that one).

> > - instead of using 'nobody', create a new separate user for the daemon,
> >   look for examples in other ports' PLIST (@newuser/@newgroup, +
> > db/user.list line)
> 
> My rationale here was that there aren't any files that an extra user
> would need to own for web2ldap to run. Using nobody seemed the simplest
> approach to nulling out any privileges for the service to work.

"nobody" is absolutely not allowed.

$ getent passwd nobody
nobody:*:32767:32767:Unprivileged user for NFS:/nonexistent:/sbin/nologin
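The @exec-add idea above, worked through in a scratch tree so the "config dir already exists" case can be checked before it goes in a PLIST. This is an added example, not code from the thread or from the web2ldap port; it assumes the intent is that ${SYSCONFDIR}/web2ldap itself becomes the link (which is what the `-e` test implies), so the link name carries no trailing slash, and it stands %D and ${SYSCONFDIR} in with a constructed temporary directory.

```sh
#!/bin/sh
# Added example (not from the thread): emulate the @exec-add symlink step
# from the PLIST in a scratch tree. Assumes ${SYSCONFDIR}/web2ldap is meant
# to be the link itself, as the '-e' test implies, hence no trailing slash.

# link_templates PREFIX SYSCONFDIR
# Create SYSCONFDIR/web2ldap -> PREFIX/share/web2ldap/templates unless
# something already exists there (an earlier link, or a real directory the
# admin replaced it with to customise the templates). Never overwrites.
link_templates() {
    prefix=$1
    sysconfdir=$2
    if [ -e "$sysconfdir/web2ldap" ]; then
        echo "kept existing $sysconfdir/web2ldap"
        return 0
    fi
    ln -s "$prefix/share/web2ldap/templates" "$sysconfdir/web2ldap"
    echo "linked $sysconfdir/web2ldap"
}

# link_state PATH: print the link target, "dir" for a real directory,
# or "none" if nothing is there.
link_state() {
    if [ -L "$1" ]; then
        readlink "$1"
    elif [ -d "$1" ]; then
        echo dir
    else
        echo none
    fi
}

# demo: run the step through the three situations pkg_add can meet and
# print "<state after first install>|<state after admin customised>",
# with the scratch prefix stripped so the result is stable.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed stand-ins for %D (/usr/local) and ${SYSCONFDIR} (/etc).
    mkdir -p "$tmp/local/share/web2ldap/templates" "$tmp/etc"

    # 1. Fresh install: nothing at etc/web2ldap, so the link is created.
    link_templates "$tmp/local" "$tmp/etc" >/dev/null
    first=$(link_state "$tmp/etc/web2ldap")

    # 2. Reinstall/update: the link is already there and must be left alone.
    link_templates "$tmp/local" "$tmp/etc" >/dev/null

    # 3. Admin swapped the link for their own directory of edited templates;
    #    a later pkg_add must not clobber it.
    rm "$tmp/etc/web2ldap"
    mkdir "$tmp/etc/web2ldap"
    link_templates "$tmp/local" "$tmp/etc" >/dev/null
    second=$(link_state "$tmp/etc/web2ldap")

    rm -rf "$tmp"
    echo "${first#"$tmp"}|$second"
}

demo
```

Running it prints `/local/share/web2ldap/templates|dir`: the link is created once, survives a second run, and an admin's own directory in the same place is left untouched, which is the behaviour the customisation remark above relies on.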
