Arthur de Jong <[email protected]> writes:
[...]
> I'm now mostly happy with the .config and .postinst files but I think
> the .templates file has some issues still. The text is rather long and
> even lintian complains about the nslcd/ldap-sasl-mech and
> nslcd/ldap-sasl-secprops templates.
>
> Can you see if you have any improvements for the templates file? Perhaps
> some external reference can be included or we may have to assume that an
> administrator knows about the different SASL options?
>
> Perhaps it should be clearer what to do when you want to use Kerberos?
>
> Anyway, hope to hear from you on this!

I have simplified the template and fixed the read_config function.

The SASL questions (in switch case) are lost in trunk. Should I provide a
new patch on yours for this or do you have it somewhere?

Regards.
-- 
Daniel Dehennin
Get my GPG key:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1

=== modified file 'debian/nslcd.templates' --- debian/nslcd.templates 2010-08-19 20:36:53 +0000 +++ debian/nslcd.templates 2010-11-09 20:17:54 +0000 @@ -25,11 +25,15 @@ the account that will be used here. Leave it empty otherwise. . This value should be specified as a DN (distinguished name). + . + Leave empty for Simple Authentication and Security Layer (SASL) + authentication. Template: nslcd/ldap-bindpw Type: password _Description: LDAP user password: - Enter the password that will be used to log in to the LDAP database. + Enter the password that will be used to log in to the LDAP database + with simple binddn or SASL authentications. Template: nslcd/ldap-starttls Type: boolean 
@@ -52,3 +56,91 @@ * demand: a certificate will be requested, required, and checked. If certificate checking is enabled, at least one of the tls_cacertdir or tls_cacertfile options must be put in /etc/nslcd.conf. + +Template: nslcd/ldap-auth-type +Type: select +__Choices: none, simple, SASL +_Default: none +_Description: LDAP authentication to use: + LDAP bind can be performed anonymously or authenticated with either a + simple binddn/password or the Simple Authentication and Security Layer. + . + You can choose in the following list: + * none: no authentication. + * simple: simple clear text binddn/password. + * SASL: one of the Simple Authentication and Security Layer + mechanisms. + . + Clear text authentication methods should be use with Transport Layer + security (TLS) enabled. + +Template: nslcd/ldap-sasl-mech +Type: select +__Choices: auto, LOGIN, PLAIN, NTLM, CRAM-MD5, DIGEST-MD5, GSSAPI, OTP +_Description: SASL mechanism to use: + Simple Authentication and Security Layer is a challange based + protocol. + . + LOGIN mechanism is deprecated in flavor of PLAIN. Both are clear text + authentication methods which should be use with Transport Layer + security (TLS) enabled. + . + CRAM-MD5 needs SASL SECPROPS minssf=0. + . + GSSAPI needs libsasl2-modules-gssapi-mit or + libsasl2-modules-gssapi-heimdal. + +Template: nslcd/ldap-sasl-realm +Type: string +_Description: SASL realm: + Simple Authentication and Security Layer realm to use for LDAP + authentication. + . + If empty, the GSSAPI mechanism will use informations from the kerberos + credential cache. Others may need @<REALM> suffixing sasl_authcid and + sasl_authzid. + . + The realm is appended to authentication and authorisation identities. + +Template: nslcd/ldap-sasl-authcid +Type: string +_Description: SASL authentication identity: + Simple Authentication and Security Layer identity. + . + This is the login used in LOGIN, PLAIN, CRAM-MD5 and DIGEST-MD5 mechanisms. 
+ +Template: nslcd/ldap-sasl-authzid +Type: string +_Description: SASL proxy authorisation identity: + Simple Authentication and Security Layer proxy authorisation + identity. + . + This is the object in the name of witch the LDAP request are + done. They should have a DN syntax. + +Template: nslcd/ldap-sasl-secprops +Type: string +_Description: Cyrus SASL security properties: + The Cyrus Simple Authentication and Security Layer library may use + security properties, see ldap.conf(5) man page, section SASL OPTIONS + for more informations + +Template: nslcd/ldap-sasl-krb5-keytab +Type: string +Default: /etc/krb5.keytab +_Description: Kerberos keytab file path: + The GSSAPI/Kerberos authentication mechanism needs a keytab file. + . + The keytab file is used by k5start to create the credential cache + file. + . + This option is not used for now, edit /etc/default/nslcd directly. + +Template: nslcd/ldap-sasl-krb5-ccname +Type: string +Default: /var/run/nslcd/nslcd.tkt +_Description: Kerberos credential cache file path: + The GSSAPI/Kerberos authentication mechanism needs a credential cache + file. + . + The cache file is initialised and maintained by k5start.
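Review bot: In the first hunk (@@ -25,11 +25,15 @@), the nslcd/ldap-bindpw description now reads "with simple binddn or SASL authentications", which does not tell the administrator which SASL mechanisms actually use this password. The nslcd/ldap-sasl-authcid template added later names LOGIN, PLAIN, CRAM-MD5 and DIGEST-MD5 as the mechanisms that take a login, while GSSAPI is described as working from a keytab and credential cache, so the password text should name the password-based mechanisms and say to leave it empty for GSSAPI. "authentications" should be singular. In nslcd/ldap-binddn the added "Leave empty for ... (SASL) authentication" follows an existing "Leave it empty otherwise."; merging the two sentences would avoid giving two separate "leave empty" instructions.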
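Review bot: In the second hunk (@@ -52,3 +56,91 @@), nslcd/ldap-sasl-krb5-keytab asks for a value and then states "This option is not used for now, edit /etc/default/nslcd directly", so the answer is discarded; drop the template until the .config and .postinst scripts consume it, or the prompt will mislead administrators setting up GSSAPI. nslcd/ldap-auth-type uses "_Default: none" while the other new templates use the untranslated "Default:" field; since "none" is a fixed keyword matched against the choices, it should be "Default: none". In nslcd/ldap-sasl-mech the line "CRAM-MD5 needs SASL SECPROPS minssf=0" is given without the TLS advice attached to LOGIN and PLAIN; if the same advice applies, say so next to it. The descriptions also need a spelling pass before translators see them: "challange", "in flavor of" (in favour of), "should be use" (twice), "informations" (twice), "witch", "kerberos", and the missing full stop at the end of the nslcd/ldap-sasl-secprops text. The long descriptions that lintian flags on ldap-sasl-mech and ldap-sasl-secprops could be shortened by keeping only the pointer to ldap.conf(5), section SASL OPTIONS.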
=== modified file 'debian/nslcd.config'
--- debian/nslcd.config 2010-11-07 22:13:26 +0000
+++ debian/nslcd.config 2010-11-09 20:32:47 +0000
@@ -31,7 +31,7 @@
if [ -z "$RET" ]
then
value=`sed -n 's/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`
- [ -n "$value" ] && db_set "$debconf_param" "$value"
+ [ -n "$value" ] && db_set "$debconf_param" "$value" || /bin/true
fi
}
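Review bot: The new line `[ -n "$value" ] && db_set "$debconf_param" "$value" || /bin/true` hides more than the empty-value case: because of the `A && B || C` form, a failing db_set is also turned into success, so a debconf error in read_config would pass silently. If the intent is only to keep the function from returning non-zero when $value is empty, write it as `if [ -n "$value" ]; then db_set "$debconf_param" "$value"; fi` or `[ -z "$value" ] || db_set "$debconf_param" "$value"`, which still lets a db_set failure propagate. If the `|| true` form is kept anyway, the shell builtin `true` is enough and avoids the hard-coded /bin/true path.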

