ldap-auth-client-0.5.3/0000775000000000000000000000000011674205511011544 5ustar ldap-auth-client-0.5.3/profiles/0000775000000000000000000000000011674205511013367 5ustar ldap-auth-client-0.5.3/profiles/ldap-auth-config0000664000000000000000000000073411674205374016447 0ustar # # Clients should be able to authenticate with this profile if following # Network Authentication in the Ubuntu Server guide. Please note that # these settings are not suitable for sometimes disconnected (eg laptop) # systems. The example is taken from LDAPClientAuthentication at: # https://help.ubuntu.com/community/LDAPClientAuthentication # [lac_ldap] nss_passwd=passwd: files ldap nss_group=group: files ldap nss_shadow=shadow: files ldap nss_netgroup=netgroup: nis ldap-auth-client-0.5.3/debian/0000775000000000000000000000000011674205511012766 5ustar ldap-auth-client-0.5.3/debian/ldap-auth-config.templates0000664000000000000000000001112211674205374020034 0ustar Template: ldap-auth-config/rootbinddn Type: string Default: cn=manager,dc=example,dc=net _Description: LDAP account for root: This account will be used when root changes a password. . Note: This account has to be a privileged account. Template: ldap-auth-config/rootbindpw Type: password _Description: LDAP root account password: Please enter the password to use when ${package} tries to login to the LDAP directory using the LDAP account for root. . The password will be stored in a separate file ${filename} which will be made readable to root only. . Entering an empty password will re-use the old password. Template: ldap-auth-config/dblogin Type: boolean Default: false _Description: Does the LDAP database require login? Choose this option if you are required to login to the database to retrieve entries. . Note: Under a normal setup, this is not needed. 
Template: ldap-auth-config/ldapns/base-dn
Type: string
Default: dc=example,dc=net
_Description: Distinguished name of the search base:
 Please enter the distinguished name of the LDAP search base. Many sites use
 the components of their domain names for this purpose. For example, the
 domain "example.net" would use "dc=example,dc=net" as the distinguished
 name of the search base.

Template: ldap-auth-config/pam_password
Type: select
_Choices: clear, crypt, nds, ad, exop, md5
Default: md5
_Description: Local crypt to use when changing passwords:
 The PAM module can set the password crypt locally when changing the
 passwords, which is usually a good choice. Specifying something other than
 clear ensures that the password gets crypted in some way.
 .
 The meanings for selections are:
 .
 clear - Don't set any encryptions. This is useful with servers that
 automatically encrypt userPassword entry.
 .
 crypt - (Default) make userPassword use the same format as the flat
 filesystem. This will work for most configurations.
 .
 nds - Use Novell Directory Services-style updating by first removing the old
 password and then update with a cleartext password.
 .
 ad - Active Directory-style. Create a Unicode password and update the
 unicodePwd attribute.
 .
 exop - Use the OpenLDAP password change extended operation to update the
 password.
 .
 md5 - Use the stronger md5 algorithm instead of standard crypt.

Template: ldap-auth-config/ldapns/ldap_version
Type: select
_Choices: 3, 2
Default: 3
_Description: LDAP version to use:
 Please enter which version of the LDAP protocol should be used by ldapns. It
 is usually a good idea to set this to the highest available version.

Template: ldap-auth-config/binddn
Type: string
Default: cn=proxyuser,dc=example,dc=net
_Description: Unprivileged database user:
 Please enter the name of the account that will be used to log in to the LDAP
 database.
 .
 Warning: DO NOT use privileged accounts for logging in, the configuration
 file has to be world readable.

Template: ldap-auth-config/dbrootlogin
Type: boolean
Default: true
_Description: Make local root Database admin:
 This option will allow you to make password utilities that use pam to behave
 like you would be changing local passwords.
 .
 The password will be stored in a separate file which will be made readable
 to root only.
 .
 If you are using NFS mounted /etc or any other custom setup, you should
 disable this.

Template: ldap-auth-config/ldapns/ldap-server
Type: string
Default: ldapi:///
_Description: LDAP server Uniform Resource Identifier:
 Please enter the URI of the LDAP server to use. This is a string in the form
 of ldap://:/. ldaps:// or ldapi:// can also be used.
 The port number is optional.
 .
 Note: It is usually a good idea to use an IP address because it reduces
 risks of failure in the event name service problems.

Template: ldap-auth-config/bindpw
Type: password
_Description: Password for database login account:
 Please enter the password that will be used to log in to the LDAP database.

Template: ldap-auth-config/override
Type: boolean
Default: true
_Description: Should debconf manage LDAP configuration?
 Saying yes will allow future upgrades to use these settings. This is the
 recommended option.

Template: ldap-auth-config/move-to-debconf
Type: boolean
Default: true
_Description: Reconfigure LDAP with debconf?
 The LDAP authentication libraries now use the new unified configuration file
 ${newfn}, and no longer use ${pamfn} or ${nssfn}. One or both of these old
 configuration files were found. These files cannot be automatically migrated
 to the new ${newfn}. You MUST either reconfigure your settings with debconf,
 or manually migrate your settings into ${newfn} and verify your
 configuration before logging out.

ldap-auth-client-0.5.3/debian/rules

#!/usr/bin/make -f
# -*- mode: makefile; coding: utf-8 -*-
# Copyright (C) 2007 Rick Clark

include /usr/share/cdbs/1/rules/buildcore.mk
include /usr/share/cdbs/1/rules/debhelper.mk

ldap-auth-client-0.5.3/debian/changelog

ldap-auth-client (0.5.3) precise; urgency=low

  * Mark ldap-auth-config Multi-Arch: foreign.

 -- Steve Langasek Tue, 20 Dec 2011 14:25:08 -0800

ldap-auth-client (0.5.2) intrepid; urgency=low

  * update auth-client-config profile to not set the pam config; this is
    now handled instead by libpam-ldap itself, via pam-auth-update.

 -- Steve Langasek Wed, 27 Aug 2008 23:43:10 +0000

ldap-auth-client (0.5.1) intrepid; urgency=low

  * update auth-client-config profile to have an entry for 'netgroup'

 -- Jamie Strandboge Fri, 11 Jul 2008 16:24:39 -0400

ldap-auth-client (0.5) hardy; urgency=low

  * debian/ldap-auth-config.config: set override to default to true if the
    file doesn't exist. Fixes LP #155712
  * Follow Debian policy and don't make /etc/ldap.conf a conffile.
    Fixes LP #159275

 -- Jamie Strandboge Thu, 01 Nov 2007 11:18:32 -0400

ldap-auth-client (0.4) gutsy; urgency=low

  * fix postinst syntax error LP: #140061
  * ask if user wants to reconfigure with debconf or manually migrate
    (required a change to templates)
  * changed template key 'manual' to 'move-to-debconf'
  * don't share any template keys, as everything was taken out of
    libnss-ldap and libpam-ldap
  * ran debconf-updatepo due to templates change
  * updated ldap-auth-client.config for new logic
  * update postinst for new 'move-to-debconf' logic
  * added 'lac_ldap' auth-client-config profile

 -- Jamie Strandboge Mon, 17 Sep 2007 09:41:48 -0400

ldap-auth-client (0.3) gutsy; urgency=low

  * debian/control: ldap-auth-client conflicts with libnss-ldap < 255-1ubuntu1
    and libpam-ldap < 184-1ubuntu1
  * debian/control: have ldap-auth-config Depends on ldap-auth-client and sed
    and Pre-Depends on auth-client-config
  * debian/ldap-auth-config.install: install ldap.conf into /etc
  * debian/ldap-auth-config.postrm: call db_purge when purging
  * debian/ldap-auth-config.postinst: refactor to handle pre-existing
    configurations and comply with https://wiki.ubuntu.com/LDAPAuthentication
  * debian/ldap-auth-config.templates: string fixes and added 'manual'
  * debian/ldap-auth-config.config: support 'manual' template
  * debian/ldap-auth-config.config: refactor 'override' logic since ldap.conf
    is now a proper conffile
  * debian/ldap-auth-config.postinst: don't remove /etc/ldap.conf if
    dbrootlogin is false
  * adjust ldap.conf so it is managed by debconf by default
  * added po-debconf
  * lintian fixes (all but NMU complaints)

 -- Jamie Strandboge Tue, 11 Sep 2007 14:22:31 -0400

ldap-auth-client (0.2) gutsy; urgency=low

  * Added second binary package ldap-auth-config.

 -- Rick Clark Wed, 08 Aug 2007 09:35:03 -0400

ldap-auth-client (0.1) gutsy; urgency=low

  * Initial release.

 -- Rick Clark Mon, 09 Jul 2007 09:50:40 -0400

ldap-auth-client-0.5.3/debian/po/templates.pot

# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR , YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: rick.clark@ubuntu.com\n"
"POT-Creation-Date: 2007-09-20 15:18-0400\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME \n"
"Language-Team: LANGUAGE \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"

#. Type: string
#. Description
#: ../ldap-auth-config.templates:1001
msgid "LDAP account for root:"
msgstr ""

#. Type: string
#. Description
#: ../ldap-auth-config.templates:1001
msgid "This account will be used when root changes a password."
msgstr ""

#. Type: string
#. Description
#: ../ldap-auth-config.templates:1001
msgid "Note: This account has to be a privileged account."
msgstr ""

#. Type: password
#. Description
#: ../ldap-auth-config.templates:2001
msgid "LDAP root account password:"
msgstr ""

#. Type: password
#. Description
#: ../ldap-auth-config.templates:2001
msgid ""
"Please enter the password to use when ${package} tries to login to the LDAP "
"directory using the LDAP account for root."
msgstr ""

#. Type: password
#. Description
#: ../ldap-auth-config.templates:2001
msgid ""
"The password will be stored in a separate file ${filename} which will be "
"made readable to root only."
msgstr ""

#. Type: password
#. Description
#: ../ldap-auth-config.templates:2001
msgid "Entering an empty password will re-use the old password."
msgstr ""

#. Type: boolean
#. Description
#: ../ldap-auth-config.templates:3001
msgid "Does the LDAP database require login?"
msgstr ""

#. Type: boolean
#. Description
#: ../ldap-auth-config.templates:3001
msgid ""
"Choose this option if you are required to login to the database to retrieve "
"entries."
msgstr ""

#. Type: boolean
#. Description
#: ../ldap-auth-config.templates:3001
msgid "Note: Under a normal setup, this is not needed."
msgstr ""

#. Type: string
#. Description
#: ../ldap-auth-config.templates:4001
msgid "Distinguished name of the search base:"
msgstr ""

#. Type: string
#. Description
#: ../ldap-auth-config.templates:4001
msgid ""
"Please enter the distinguished name of the LDAP search base. Many sites use "
"the components of their domain names for this purpose. For example, the "
"domain \"example.net\" would use \"dc=example,dc=net\" as the distinguished "
"name of the search base."
msgstr ""

#. Type: select
#. Choices
#: ../ldap-auth-config.templates:5001
msgid "clear, crypt, nds, ad, exop, md5"
msgstr ""

#. Type: select
#. Description
#: ../ldap-auth-config.templates:5002
msgid "Local crypt to use when changing passwords:"
msgstr ""

#. Type: select
#. Description
#: ../ldap-auth-config.templates:5002
msgid ""
"The PAM module can set the password crypt locally when changing the "
"passwords, which is usually a good choice. Specifying something other than "
"clear ensures that the password gets crypted in some way."
msgstr ""

#. Type: select
#. Description
#: ../ldap-auth-config.templates:5002
msgid "The meanings for selections are:"
msgstr ""

#. Type: select
#. Description
#: ../ldap-auth-config.templates:5002
msgid ""
"clear - Don't set any encryptions. This is useful with servers that "
"automatically encrypt userPassword entry."
msgstr ""

#. Type: select
#. Description
#: ../ldap-auth-config.templates:5002
msgid ""
"crypt - (Default) make userPassword use the same format as the flat "
"filesystem. This will work for most configurations."
msgstr ""

#. Type: select
#. Description
#: ../ldap-auth-config.templates:5002
msgid ""
"nds - Use Novell Directory Services-style updating by first removing the old "
"password and then update with a cleartext password."
msgstr ""

#. Type: select
#. Description
#: ../ldap-auth-config.templates:5002
msgid ""
"ad - Active Directory-style. Create a Unicode password and update the "
"unicodePwd attribute."
msgstr ""

#. Type: select
#. Description
#: ../ldap-auth-config.templates:5002
msgid ""
"exop - Use the OpenLDAP password change extended operation to update the "
"password."
msgstr ""

#. Type: select
#. Description
#: ../ldap-auth-config.templates:5002
msgid "md5 - Use the stronger md5 algorithm instead of standard crypt."
msgstr ""

#. Type: select
#. Choices
#: ../ldap-auth-config.templates:6001
msgid "3, 2"
msgstr ""

#. Type: select
#. Description
#: ../ldap-auth-config.templates:6002
msgid "LDAP version to use:"
msgstr ""

#. Type: select
#. Description
#: ../ldap-auth-config.templates:6002
msgid ""
"Please enter which version of the LDAP protocol should be used by ldapns. It "
"is usually a good idea to set this to the highest available version."
msgstr ""

#. Type: string
#. Description
#: ../ldap-auth-config.templates:7001
msgid "Unprivileged database user:"
msgstr ""

#. Type: string
#. Description
#: ../ldap-auth-config.templates:7001
msgid ""
"Please enter the name of the account that will be used to log in to the LDAP "
"database."
msgstr ""

#. Type: string
#. Description
#: ../ldap-auth-config.templates:7001
msgid ""
"Warning: DO NOT use privileged accounts for logging in, the configuration "
"file has to be world readable."
msgstr ""

#. Type: boolean
#. Description
#: ../ldap-auth-config.templates:8001
msgid "Make local root Database admin:"
msgstr ""

#. Type: boolean
#. Description
#: ../ldap-auth-config.templates:8001
msgid ""
"This option will allow you to make password utilities that use pam to behave "
"like you would be changing local passwords."
msgstr ""

#. Type: boolean
#. Description
#: ../ldap-auth-config.templates:8001
msgid ""
"The password will be stored in a separate file which will be made readable "
"to root only."
msgstr ""

#. Type: boolean
#. Description
#: ../ldap-auth-config.templates:8001
msgid ""
"If you are using NFS mounted /etc or any other custom setup, you should "
"disable this."
msgstr ""

#. Type: string
#. Description
#: ../ldap-auth-config.templates:9001
msgid "LDAP server Uniform Resource Identifier:"
msgstr ""

#. Type: string
#. Description
#: ../ldap-auth-config.templates:9001
msgid ""
"Please enter the URI of the LDAP server to use. This is a string in the form "
"of ldap://:/. ldaps:// or ldapi:// can also be used. "
"The port number is optional."
msgstr ""

#. Type: string
#. Description
#: ../ldap-auth-config.templates:9001
msgid ""
"Note: It is usually a good idea to use an IP address because it reduces "
"risks of failure in the event name service problems."
msgstr ""

#. Type: password
#. Description
#: ../ldap-auth-config.templates:10001
msgid "Password for database login account:"
msgstr ""

#. Type: password
#. Description
#: ../ldap-auth-config.templates:10001
msgid ""
"Please enter the password that will be used to log in to the LDAP database."
msgstr ""

#. Type: boolean
#. Description
#: ../ldap-auth-config.templates:11001
msgid "Should debconf manage LDAP configuration?"
msgstr ""

#. Type: boolean
#. Description
#: ../ldap-auth-config.templates:11001
msgid ""
"Saying yes will allow future upgrades to use these settings. This is the "
"recommended option."
msgstr ""

#. Type: boolean
#. Description
#: ../ldap-auth-config.templates:12001
msgid "Reconfigure LDAP with debconf?"
msgstr ""

#. Type: boolean
#. Description
#: ../ldap-auth-config.templates:12001
msgid ""
"The LDAP authentication libraries now use the new unified configuration file "
"${newfn}, and no longer use ${pamfn} or ${nssfn}. One or both of these old "
"configuration files were found. These files cannot be automatically migrated "
"to the new ${newfn}. You MUST either reconfigure your settings with debconf, "
"or manually migrate your settings into ${newfn} and verify your "
"configuration before logging out."
msgstr ""

ldap-auth-client-0.5.3/debian/po/POTFILES.in

[type: gettext/rfc822deb] ldap-auth-config.templates

ldap-auth-client-0.5.3/debian/ldap-auth-config.config

#!/usr/bin/perl
# Debconf configuration script for PADL-ldap tools.
# By Sami Haahtinen
# Modified for ldap-auth-config by Rick Clark

$conffile="/etc/ldap.conf";
$action=shift;
$from_version=shift;

use Debconf::Client::ConfModule ':all';
version('2.0');

my @ret;
my @current_config;

# make sure user sees this
my $has_old_confs = "";
subst('ldap-auth-config/move-to-debconf','newfn',"$conffile");
subst('ldap-auth-config/move-to-debconf','nssfn','/etc/libnss-ldap.conf');
subst('ldap-auth-config/move-to-debconf','pamfn','/etc/pam-ldap.conf');
if (-e "/etc/libnss-ldap.conf" || -e "/etc/pam-ldap.conf") {
  fset('ldap-auth-config/move-to-debconf', 'seen', 'false');
  input('critical', 'ldap-auth-config/move-to-debconf');
  $has_old_confs = "yes";
} else {
  set('ldap-auth-config/move-to-debconf', 'true');
  fset('ldap-auth-config/move-to-debconf', 'seen', 'true');
}
$ret = go();

# The 'override' thing really ought to go, but let's see how this works
# out first.
if (not $has_old_confs) {
  if (-f $conffile) {
    open CONFIG, "<$conffile";
    # the first line of the file decides whether debconf manages it
    if(<CONFIG> =~ /^###DEBCONF###$/) {
      set("ldap-auth-config/override", "true");
    } else {
      set("ldap-auth-config/override", "false");
    };
    # whee.. the same deal as with libnss-ldap, critical
    # priority with reconfigure otherwise it's just high
    input($action =~ /reconfigure/ ? "critical" : "high", "ldap-auth-config/override");
    # keep the remaining lines for read_and_input()
    @current_config = <CONFIG>;
    close CONFIG;
  } else {
    # if the conffile doesn't exist, we will override the default
    set("ldap-auth-config/override", "true");
  }
};
$ret=go();

subst('ldap-auth-config/rootbindpw','filename','/etc/ldap.secret');
subst('ldap-auth-config/rootbindpw','package','ldap-auth-config');

if(get("ldap-auth-config/override") eq "true" and get("ldap-auth-config/move-to-debconf") eq "true") {
  # don't forget to check for any values of 'host' here --
  # it may be better to just prepend 'ldap://' and migrate
  # these all to URI so we can deprecate HOST, but for the time
  # being this should adequately address our needs
  my $value = (grep(/^host\s/, @current_config))[0];
  if ($value) {
    chomp($value);
    $value =~ s/^host\s+//;
    set('ldap-auth-config/ldapns/ldap-server', $value);
  }

  read_and_input('ldap-auth-config/ldapns/ldap-server', 'uri', 'critical');
  read_and_input('ldap-auth-config/ldapns/base-dn', 'base', 'critical');
  read_and_input('ldap-auth-config/ldapns/ldap_version', 'ldap_version', 'critical');
  $ret = go();

  # yeah, we don't need that.. but in case we sometime do
  # dbrootlogin will most likely break.. i need to deal with it
  # someday..
  input("high", "ldap-auth-config/dbrootlogin");
  input("high", "ldap-auth-config/dblogin");
  $ret = go();

  if(get("ldap-auth-config/dbrootlogin") eq "true") {
    read_and_input('ldap-auth-config/rootbinddn', 'rootbinddn', 'critical');
    input('critical', 'ldap-auth-config/rootbindpw');
    $ret = go()
  }

  if(get("ldap-auth-config/dblogin") eq "true") {
    # user wants to login..
    read_and_input('ldap-auth-config/binddn', 'binddn', 'critical');
    read_and_input('ldap-auth-config/bindpw', 'bindpw', 'critical');
    $ret = go();
  }

  read_and_input('ldap-auth-config/pam_password', 'pam_password', 'medium');
  $ret = go();
}

sub read_and_input {
  my ($debconf_name, $conffile_name, $priority) = @_;
  $priority = 'medium' unless $priority;

  my @valuelist = grep(/^$conffile_name\s/, @current_config);
  if (@valuelist) {
    my $value = pop(@valuelist);
    chomp($value);
    $value =~ s/^$conffile_name\s+//;
    set($debconf_name, $value);
  }
  input($priority, $debconf_name);
}

ldap-auth-client-0.5.3/debian/ldap-auth-config.postinst

#!/bin/sh
# postinst script for ldap-auth-config
#
set -e

. /usr/share/debconf/confmodule

PACKAGE="ldap-auth-config"
CONFFILE="/etc/ldap.conf"
EXAMPLECONFFILE="/usr/share/ldap-auth-config/ldap.conf"
PASSWDFILE="/etc/ldap.secret"
OLDPASSWDFILE="/etc/pam_ldap.secret"

add_missing()
{
  # FIXME: it would be nice to get the prototype from a template.
  parameter=$1
  value=$2
  echo "$parameter $value" >> $CONFFILE
}

change_value()
{
  parameter=$1
  value=$2
  commented=0 ; notthere=0
  egrep -i -q "^$parameter " $CONFFILE || notthere=1
  if [ "$notthere" = "1" ]; then
    if ( egrep -i -q "^# *$parameter" $CONFFILE ); then
      notthere=0
      commented=1
    fi
  fi

  if [ "$notthere" = "1" ]; then
    add_missing $parameter $value
  else
    # i really need a better way to do this...
    # currently we replace only the first match, we need a better
    # way of dealing with multiple hits.
    if [ "$commented" = "1" ]; then
      value="$value" parameter="$parameter" perl -i -p -e 's/^# *\Q$ENV{"parameter"}\E .*/$ENV{"parameter"} $ENV{"value"}/i and $match=1 unless ($match)' $CONFFILE
    else
      value="$value" parameter="$parameter" perl -i -p -e 's/^\Q$ENV{"parameter"}\E .*/$ENV{"parameter"} $ENV{"value"}/i and $match=1 unless ($match)' $CONFFILE
    fi
  fi
}

disable_param()
{
  parameter=$1
  enabled=0
  egrep -q "^$parameter " $CONFFILE && enabled=1
  if [ "$enabled" = "1" ]; then
    perl -i -p -e "s/^($parameter .*)/#\$1/i" $CONFFILE
  fi
}

case "$1" in
configure)
  if [ ! -e $CONFFILE ]; then
    if [ -z "$2" ]; then
      # if no config and fresh install, cp the template
      cp $EXAMPLECONFFILE $CONFFILE
    else
      # if no config and upgrade, don't do anything
      exit 0
    fi
  fi

  if [ -e "/etc/libnss-ldap.conf" ] || [ -e "/etc/pam-ldap.conf" ]; then
    db_get ldap-auth-config/move-to-debconf
    if [ "$RET" = "false" ]; then
      db_set ldap-auth-config/override false
    else
      db_set ldap-auth-config/override true
      db_fset ldap-auth-config/override seen true
    fi
  fi

  db_get ldap-auth-config/override
  if [ "$RET" = "false" ]; then
    # user said doesn't want to use debconf
    if ( head -1 $CONFFILE | grep -q '^###DEBCONF###$' ); then
      sed -i '1d' $CONFFILE
    fi
  else
    if ( head -1 $CONFFILE | grep -q -v '^###DEBCONF###$' ); then
      sed -i '1 s/\([^ ]*\)/###DEBCONF###\n\1/' $CONFFILE
    fi

    db_get ldap-auth-config/ldapns/ldap-server
    if echo $RET | egrep -q '^ldap[is]?://'; then
      disable_param host
      change_value uri "$RET"
    else
      disable_param uri
      change_value host "$RET"
    fi

    db_get ldap-auth-config/ldapns/base-dn
    change_value base "$RET"

    db_get ldap-auth-config/ldapns/ldap_version
    change_value ldap_version "$RET"

    db_get ldap-auth-config/pam_password
    change_value pam_password "$RET"

    db_get ldap-auth-config/dbrootlogin
    if [ "$RET" = "true" ]; then
      # separate root login to the database
      db_get ldap-auth-config/rootbinddn
      change_value rootbinddn "$RET"

      db_get ldap-auth-config/rootbindpw
      if [ "$RET" != "" ]; then
        rm -f $PASSWDFILE $OLDPASSWDFILE
        echo $RET > $PASSWDFILE
        chmod 0600 $PASSWDFILE
        db_set ldap-auth-config/rootbindpw ''
      else
        # copy the old password file to its new location
        if [ ! -e $PASSWDFILE -a -e $OLDPASSWDFILE ]; then
          cp -a $OLDPASSWDFILE $PASSWDFILE
        fi
      fi
    else
      # ok, so the user refused to use this feature, better make
      # sure it's really off.
      disable_param rootbinddn
      rm -f $PASSWDFILE
    fi

    db_get ldap-auth-config/dblogin
    if [ "$RET" = "true" ]; then
      # user wants to log in to the database, so be it.
      db_get ldap-auth-config/binddn
      change_value binddn "$RET"

      db_get ldap-auth-config/bindpw
      if [ "$RET" != "" ]; then
        change_value bindpw "$RET"
        db_set ldap-auth-config/bindpw ''
      fi
    else
      # once again, user didn't.. lets make sure we dont.
      disable_param binddn
      disable_param bindpw
    fi

    # copy the password file to its new location
    if [ ! -e $PASSWDFILE -a -e $OLDPASSWDFILE ]; then
      cp -a $OLDPASSWDFILE $PASSWDFILE
    fi

    # do this here, so we know ldap.conf got configured
    if [ -e "/etc/libnss-ldap.conf" ] ; then
      mv -f /etc/libnss-ldap.conf /etc/libnss-ldap.conf-dpkg.old
    fi
    if [ -e "/etc/pam-ldap.conf" ]; then
      mv -f /etc/pam-ldap.conf /etc/pam-ldap.conf-dpkg.old
    fi
  fi
  ;;

abort-upgrade|abort-remove|abort-deconfigure)
  # do nothing
  ;;

*)
  echo "postinst called with unknown argument \`$1'" >&2
  exit 1
  ;;
esac

#DEBHELPER#

ldap-auth-client-0.5.3/debian/ldap-auth-config.dirs

usr/share/ldap-auth-config
etc
etc/auth-client-config/profile.d

ldap-auth-client-0.5.3/debian/ldap-auth-config.install

ldap.conf usr/share/ldap-auth-config
profiles/ldap-auth-config etc/auth-client-config/profile.d

ldap-auth-client-0.5.3/debian/control

Source: ldap-auth-client
Section: admin
Priority: extra
Maintainer: Rick Clark
Build-Depends: debhelper (>= 5.0.38), cdbs
Build-Depends-Indep: po-debconf
Standards-Version: 3.7.2

Package: ldap-auth-client
Architecture: all
Depends: libpam-ldap, libnss-ldap
Conflicts: libnss-ldap (<< 255-1ubuntu1), libpam-ldap (<< 184-1ubuntu1)
Description: meta-package for LDAP authentication
 This is the LDAP authentication meta package. It depends on other packages
 necessary for a Linux system to authenticate to a LDAP server.

Package: ldap-auth-config
Architecture: all
Multi-Arch: foreign
Depends: debconf (>=0.5) | debconf-2.0, sed (>= 3.95), ldap-auth-client
Pre-Depends: auth-client-config
Description: Config package for LDAP authentication
 This is the LDAP authentication config package. It depends on the meta
 package necessary for a Linux system to authenticate to a LDAP server.

ldap-auth-client-0.5.3/debian/ldap-auth-config.postrm

#!/bin/sh

CONFFILE="/etc/ldap.conf"
PASSWDFILE="/etc/ldap.secret"

action=$1

if [ "$action" = "purge" ]; then
  # clear out debconf
  . /usr/share/debconf/confmodule
  db_purge
  rm -f $CONFFILE $PASSWDFILE
fi

#DEBHELPER#

ldap-auth-client-0.5.3/debian/compat

5

ldap-auth-client-0.5.3/debian/copyright

This package was created by Rick Clark
Copyright (C) 2007 Rick Clark

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

-- Please see /usr/share/common-licenses/GPL for the full license.

ldap-auth-client-0.5.3/ldap.conf

###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##

#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1

# The distinguished name of the search base.
base dc=padl,dc=com

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=padl,dc=com?one
#nss_base_shadow ou=People,dc=padl,dc=com?one
#nss_base_group ou=Group,dc=padl,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings #nss_map_attribute uniqueMember member # Services for UNIX 3.5 mappings #nss_map_objectclass posixAccount User #nss_map_objectclass shadowAccount User #nss_map_attribute uid msSFU30Name #nss_map_attribute uniqueMember msSFU30PosixMember #nss_map_attribute userPassword msSFU30Password #nss_map_attribute homeDirectory msSFU30HomeDirectory #nss_map_attribute homeDirectory msSFUHomeDirectory #nss_map_objectclass posixGroup Group #pam_login_attribute msSFU30Name #pam_filter objectclass=User #pam_password ad # configure --enable-mssfu-schema is no longer supported. # Services for UNIX 2.0 mappings #nss_map_objectclass posixAccount User #nss_map_objectclass shadowAccount user #nss_map_attribute uid msSFUName #nss_map_attribute uniqueMember posixMember #nss_map_attribute userPassword msSFUPassword #nss_map_attribute homeDirectory msSFUHomeDirectory #nss_map_attribute shadowLastChange pwdLastSet #nss_map_objectclass posixGroup Group #nss_map_attribute cn msSFUName #pam_login_attribute msSFUName #pam_filter objectclass=User #pam_password ad # RFC 2307 (AD) mappings #nss_map_objectclass posixAccount user #nss_map_objectclass shadowAccount user #nss_map_attribute uid sAMAccountName #nss_map_attribute homeDirectory unixHomeDirectory #nss_map_attribute shadowLastChange pwdLastSet #nss_map_objectclass posixGroup group #nss_map_attribute uniqueMember member #pam_login_attribute sAMAccountName #pam_filter objectclass=User #pam_password ad # configure --enable-authpassword is no longer supported # AuthPassword mappings #nss_map_attribute userPassword authPassword # AIX SecureWay mappings #nss_map_objectclass posixAccount aixAccount #nss_base_passwd ou=aixaccount,?one #nss_map_attribute uid userName #nss_map_attribute gidNumber gid #nss_map_attribute uidNumber uid #nss_map_attribute userPassword passwordChar #nss_map_objectclass posixGroup aixAccessGroup #nss_base_group ou=aixgroup,?one #nss_map_attribute cn groupName #nss_map_attribute uniqueMember member 
#pam_login_attribute userName #pam_filter objectclass=aixAccount #pam_password clear # Netscape SDK LDAPS #ssl on # Netscape SDK SSL options #sslpath /etc/ssl/certs # OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 #ssl start_tls #ssl on # OpenLDAP SSL options # Require and verify server certificate (yes/no) # Default is to use libldap's default behavior, which can be configured in # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". #tls_checkpeer yes # CA certificates for server certificate verification # At least one of these are required if tls_checkpeer is "yes" #tls_cacertfile /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key # Disable SASL security layers. This is needed for AD. #sasl_secprops maxssf=0 # Override the default Kerberos ticket cache location. #krb5_ccname FILE:/etc/.ldapcache # SASL mechanism for PAM authentication - use is experimental # at present and does not support password policy control #pam_sasl_mech DIGEST-MD5
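
# Added example, not part of the ldap-auth-client package: a small Python
# audit of the ssl, tls_checkpeer, tls_cacertfile/tls_cacertdir and
# pam_password settings described above. The sample files, the function
# names and the "last occurrence wins" parsing rule are assumptions.

```python
CLEARTEXT_MODES = {"clear", "clear_remove_old", "nds", "racf"}

def parse_ldap_conf(text):
    """Map each active directive to its value; '#' lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        # Assumption: keys are case-insensitive and the last occurrence wins.
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(text):
    """Return (directive, reason) findings for one ldap.conf."""
    conf = parse_ldap_conf(text)
    findings = []
    uris = conf.get("uri", "").lower().split()
    all_ldaps = bool(uris) and all(u.startswith("ldaps://") for u in uris)
    tls_on = conf.get("ssl", "").lower() in ("start_tls", "on") or all_ldaps
    if not tls_on:
        findings.append(("ssl", "no start_tls/on and not every uri is ldaps://"))
    if conf.get("tls_checkpeer", "").lower() != "yes":
        # Left unset, verification depends on libldap's TLS_REQCERT default.
        findings.append(("tls_checkpeer", "not set to yes; libldap default applies"))
    elif not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append(("tls_cacertfile", "tls_checkpeer yes needs a CA file or dir"))
    mode = conf.get("pam_password", "clear").lower()  # clear is the stated default
    if mode in CLEARTEXT_MODES and not tls_on:
        findings.append(("pam_password", mode + ": unhashed password on a plain connection"))
    return findings

# Constructed sample inputs (hostnames are placeholders).
WEAK = """\
uri ldap://ldap.example.net/
#ssl start_tls
pam_password clear_remove_old
"""
HARDENED = """\
uri ldap://ldap.example.net/
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/ca.cert
pam_password exop
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample))
```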