#!/bin/sh
#
# Starts nslcd needed for LDAP
#
# monit binary; start() asks it to stop watching nslcd when LDAP is disabled.
MONIT="/usr/bin/monit"
# Shell-syntax build/runtime configuration, sourced by start() for CONFIG_* values.
dotconfig="/wr/etc/dot-config"
# Diagnostics are tee'd here (the kernel log) in addition to stdout.
log_output="/dev/kmsg"

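start_counter() {
	# Increment the "nslcd started" counter kept as a plain integer in a file.
	# Arguments: $1 - counter file (optional; defaults to /tmp/start_cnt_ldap)
	# Outputs:   rewrites the counter file with the new value
	# Returns:   status of the final write
	# NOTE(review): the default is a fixed, world-known path under /tmp written
	# at boot; fine on a single-user appliance, a symlink hazard on a shared
	# host — confirm for this target.
	COUNTER_FILE=${1:-/tmp/start_cnt_ldap}
	START_COUNTER=0
	if [ -f "$COUNTER_FILE" ]; then
		read -r START_COUNTER < "$COUNTER_FILE"
		# An empty or non-numeric file would make the arithmetic expansion
		# below fail; restart the count instead of aborting.
		case "$START_COUNTER" in
			''|*[!0-9]*) START_COUNTER=0 ;;
		esac
	fi
	START_COUNTER=$((START_COUNTER+1))
	echo "$START_COUNTER" > "$COUNTER_FILE"
}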

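# Escape a value for the replacement half of a `sed s/.../.../` command
# (delimiter '/'): '&' would otherwise expand to the matched text, '/' would
# terminate the command and '\' starts an escape.  LDAP filters routinely
# contain '&' (e.g. "(&(objectClass=person)(uid=*))"), so this matters for
# the custom filter in particular.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
sed_repl_escape() {
	printf '%s' "$1" | sed -e 's|[\&/]|\\&|g'
}

# Configure nslcd, nsswitch and the sshd PAM stack from dot-config and start
# nslcd.  Configuration errors are reported and the script exits 0 —
# presumably so a mis-set dot-config does not fail the boot sequence.
# Globals:  MONIT, dotconfig, log_output (read); CONFIG_* (read, from dot-config)
# Outputs:  progress on stdout; errors also tee'd to $log_output
start() {
	printf '%s' "Starting nslcd (LDAP): "

	if [ -f "$dotconfig" ]; then
		# dot-config is shell syntax and is executed here, so it must only be
		# writable by the account that runs this script (presumably root).
		. "$dotconfig"
	else
		echo "$0 unable to source dot-config ($dotconfig)!" | tee "$log_output"
	fi

	if [ "$CONFIG_LDAP_ENABLE" != "y" ]; then
		echo "LDAP not enabled in dot-config" | tee "$log_output"
		# Tell monit to stop watching nslcd.  Its output is of no interest
		# and it may block for a timeout, so run it in the background.
		# (">/dev/null 2>&1", not "&>/dev/null": the latter is a bashism
		# that /bin/sh parses as two commands, leaving output unredirected.)
		$MONIT unmonitor nslcd >/dev/null 2>&1 &
		exit 0
	fi

	if [ -z "$CONFIG_LDAP_SERVER" ]; then
		echo "Failed! LDAP server not defined" | tee "$log_output"
		exit 0
	fi
	# Start from the pristine template and fill in the LDAP server URI.
	# -a keeps the template's owner and mode.  Every CONFIG_* value is
	# escaped before it is placed in a sed replacement.
	cp -a /usr/etc/nslcd.conf /etc/nslcd.conf
	ldap_server=$(sed_repl_escape "$CONFIG_LDAP_SERVER")
	sed -i "s/^uri CONFIG_LDAP_SERVER_ADDRESS/uri $ldap_server/g" /etc/nslcd.conf

	if [ -z "$CONFIG_LDAP_SEARCH_BASE" ]; then
		echo "Failed! LDAP search base not defined" | tee "$log_output"
		exit 0
	fi
	# fill LDAP search base
	search_base=$(sed_repl_escape "$CONFIG_LDAP_SEARCH_BASE")
	sed -i "s/CONFIG_LDAP_SEARCH_BASE/$search_base/g" /etc/nslcd.conf

	# Login filter.  If none of the three options is "y" the CONFIG_LDAP_FILTER
	# placeholder is left in the file untouched.
	if [ "$CONFIG_LDAP_FILTER_NONE" = "y" ]; then
		# no filter: drop the placeholder
		sed -i "s/CONFIG_LDAP_FILTER//g" /etc/nslcd.conf
	elif [ "$CONFIG_LDAP_FILTER_EGROUP" = "y" ]; then
		if [ -z "$CONFIG_LDAP_FILTER_EGROUP_STR" ]; then
			printf '%s' "Warning: CONFIG_LDAP_FILTER_EGROUP_STR empty! " | tee "$log_output"
		fi
		# Restrict to members of one e-group below the search base.
		egroup=$(sed_repl_escape "$CONFIG_LDAP_FILTER_EGROUP_STR")
		sed -i "s/CONFIG_LDAP_FILTER/(memberOf=CN=$egroup,OU=e-groups,OU=Workgroups,$search_base)/g" /etc/nslcd.conf
	elif [ "$CONFIG_LDAP_FILTER_CUSTOM" = "y" ]; then
		if [ -z "$CONFIG_LDAP_FILTER_CUSTOM_STR" ]; then
			printf '%s' "Warning: CONFIG_LDAP_FILTER_CUSTOM_STR empty! " | tee "$log_output"
		fi
		custom_filter=$(sed_repl_escape "$CONFIG_LDAP_FILTER_CUSTOM_STR")
		sed -i "s/CONFIG_LDAP_FILTER/$custom_filter/g" /etc/nslcd.conf
	fi

	# add ldap (after files) to passwd/group/shadow lookups in /etc/nsswitch.conf
	cp -a /usr/etc/nsswitch.conf /etc/nsswitch.conf
	sed -i "s/^passwd:[ \t]*files\$/passwd: files ldap/g" /etc/nsswitch.conf
	sed -i "s/^group:[ \t]*files\$/group: files ldap/g" /etc/nsswitch.conf
	sed -i "s/^shadow:[ \t]*files\$/shadow: files ldap/g" /etc/nsswitch.conf

	# Fresh sshd PAM stack; the three "... line to be replaced by startup
	# scripts" placeholders are filled in below.  Each placeholder is consumed
	# by the first sed that matches it, so with both CONFIG_AUTH_KRB5 and
	# CONFIG_AUTH_LDAP set to "y" only the Kerberos modules end up in the
	# file (unless the template carries a placeholder more than once) —
	# confirm this is intended.  minimum_uid=1000 keeps the modules out of
	# the path for system accounts.
	cp -a /usr/etc/pam.d/sshd /etc/pam.d/sshd
	if [ "$CONFIG_AUTH_KRB5" = "y" ]; then
		if [ -z "$CONFIG_AUTH_KRB5_SERVER" ]; then
			echo "Failed! CONFIG_AUTH_KRB5_SERVER empty!" | tee "$log_output"
			exit 0
		fi

		sed -i "s,# auth line to be replaced by startup scripts,# added by $0\nauth       sufficient   /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
		sed -i "s,# account line to be replaced by startup scripts,# added by $0\naccount    required     /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
		sed -i "s,# session line to be replaced by startup scripts,# added by $0\nsession    required     /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
		cp -a /usr/etc/krb5.conf /etc/krb5.conf
		krb5_realm=$(sed_repl_escape "$CONFIG_AUTH_KRB5_SERVER")
		sed -i "s/default_realm = CONFIG_AUTH_KRB5_SERVER/default_realm = $krb5_realm/g" /etc/krb5.conf
	fi

	if [ "$CONFIG_AUTH_LDAP" = "y" ]; then
		sed -i "s,# auth line to be replaced by startup scripts,# added by $0\nauth       sufficient   /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
		sed -i "s,# account line to be replaced by startup scripts,# added by $0\naccount    required     /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
		sed -i "s,# session line to be replaced by startup scripts,# added by $0\nsession    required     /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
	fi

	# /var/run/nslcd/nslcd.pid is created automatically by nslcd
	start-stop-daemon -S -q -p /var/run/nslcd/nslcd.pid --exec /usr/sbin/nslcd
	ret=$?
	if [ "$ret" -eq 0 ]; then
		start_counter
		echo "OK"
	elif [ "$ret" -eq 1 ]; then
		# start-stop-daemon -S returns 1 when the pid file names a live process
		echo "Failed (already running?)"
	else
		echo "Failed"
	fi
}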

# Stop nslcd through its pid file and report the outcome on stdout.
stop() {
	printf '%s' "Stopping nslcd (LDAP): "
	if start-stop-daemon -K -q -p /var/run/nslcd/nslcd.pid; then
		echo "OK"
	else
		echo "Failed"
	fi
}

# Full stop/start cycle; the dispatcher maps "reload" here as well.
# start() is attempted even when stop() reports a failure.
restart() {
	stop
	start
}

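# Dispatch on the init-style action word.
case "$1" in
  start)
	start
	;;
  stop)
	stop
	;;
  restart|reload)
	restart
	;;
  *)
	# Plain string on purpose: $"..." is a bash-only localisation extension
	# that /bin/sh prints with a literal leading '$'.
	echo "Usage: $0 {start|stop|restart}"
	exit 1
	;;
esac

# Propagate the status of the selected action.
exit $?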