Mercurial > illumos > illumos-gate

changeset 10870:312ce57c0d19

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
6628630 idsconfig support for setting up sasl/GSSAPI in DS is broken 6890468 idsconfig must support DS 7.x
author Milan Jurik <Milan.Jurik@Sun.COM>
date Mon, 26 Oct 2009 08:10:31 +0000
parents a0eba84ac81d
children f225409e4233
files usr/src/cmd/ldap/ns_ldap/idsconfig.sh
diffstat 1 files changed, 34 insertions(+), 139 deletions(-) [+]
line wrap: on
line diff
--- a/usr/src/cmd/ldap/ns_ldap/idsconfig.sh	Mon Oct 26 13:27:22 2009 +0800
+++ b/usr/src/cmd/ldap/ns_ldap/idsconfig.sh	Mon Oct 26 08:10:31 2009 +0000
@@ -20,7 +20,7 @@
 # CDDL HEADER END
 #
 #
-# idsconfig -- script to setup iDS 5.x/6.x for Native LDAP II.
+# idsconfig -- script to setup iDS 5.x/6.x/7.x for Native LDAP II.
 #
 # Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
@@ -61,7 +61,7 @@
       to stop the server.  Then, using directoryserver, follow the
       directoryserver examples below to create the actual VLV indexes.
 
-      For DS6.x, use dsadm command delivered with DS6.x on ${IDS_SERVER}
+      For DS6.x or later, use dsadm command delivered with DS on ${IDS_SERVER}
       to stop the server.  Then, using dsadm, follow the
       dsadm examples below to create the actual VLV indexes.
 
@@ -73,8 +73,6 @@
   2  proxy
   3  proxy anonymous
   4  self
-  5  self proxy
-  6  self proxy anonymous
 EOF
     ;;
     auth_method_menu) cat <<EOF
@@ -1075,8 +1073,8 @@
     SSD_FILE=${TMPDIR}/ssd_list
 
     # GSSAPI setup
+    GSSAPI_ENABLE=0
     LDAP_KRB_REALM=""
-    LDAP_GSSAPI_PROFILE=""
     SCHEMA_UPDATED=0
     
     export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR
@@ -1092,7 +1090,7 @@
     export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
     export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
     export LDAP_SERV_SRCH_DES SSD_FILE
-    export GEN_CMD LDAP_KRB_REALM LDAP_GSSAPI_PROFILE SCHEMA_UPDATED
+    export GEN_CMD GSSAPI_ENABLE LDAP_KRB_REALM SCHEMA_UPDATED
 }
 
 
@@ -1269,10 +1267,11 @@
     IDS_VER=`cat ${TMPDIR}/checkDSver`
     IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
     IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`
-    if [ "${IDS_MAJVER}" != "5" ] && [ "${IDS_MAJVER}" != "6" ]; then
-	${ECHO} "ERROR: $PROG only works with JES DS version 5.x and 6.x, not ${IDS_VER}."
-    	exit 1
-    fi
+    case "${IDS_MAJVER}" in
+        5|6|7)  : ;;
+        *)   ${ECHO} "ERROR: $PROG only works with JES DS version 5.x, 6.x or 7.x, not ${IDS_VER}."; exit 1;;
+    esac
+
     if [ $DEBUG -eq 1 ]; then
 	${ECHO} "  IDS_MAJVER = $IDS_MAJVER"
 	${ECHO} "  IDS_MINVER = $IDS_MINVER"
@@ -1607,85 +1606,15 @@
 }
 
 #
-# $1: 1 - interactive, 0 - no
-#
-create_gssapi_profile() {
-
-
-    if [ ${1} -eq 1 ]; then
-        echo
-        echo "You can create a sasl/GSSAPI enabled profile with default values now."
-        get_confirm "Do you want to create a sasl/GSSAPI default profile ?" "n"
-
-        if [ $? -eq 0 ]; then
-	    return
-        fi
-    fi
-
-    # Add profile container if it does not exist
-    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > /dev/null 2>&1"
-    if [ $? -ne 0 ]; then
-	( cat << EOF
-dn: ou=profile,${LDAP_BASEDN}
-ou: profile
-objectClass: top
-objectClass: organizationalUnit
-EOF
-) > ${TMPDIR}/profile_people.ldif
-
-        add_entry_by_DN "ou=profile,${LDAP_BASEDN}" "${TMPDIR}/profile_people.ldif"
-
-    fi
-
-    search_update_schema "objectclass" "DUAConfigProfile"
-
-    _P_NAME="gssapi_${LDAP_KRB_REALM}"
-    if [ ${1} -eq 1 ]; then
-    	_P_TMP=${LDAP_PROFILE_NAME}
-    	LDAP_PROFILE_NAME=${_P_NAME}
-   	get_profile_name
-        LDAP_GSSAPI_PROFILE=${LDAP_PROFILE_NAME}
-    	LDAP_PROFILE_NAME=${_P_TMP}
-    fi
-
-    _P_DN="cn=${LDAP_GSSAPI_PROFILE},ou=profile,${LDAP_BASEDN}"
-    if [ ${DEL_OLD_PROFILE} -eq 1 ]; then
-	    DEL_OLD_PROFILE=0
-	    ${EVAL} "${LDAPDELETE} ${LDAP_ARGS} ${_P_DN} ${VERB}"
-    fi
-
-    _SVR=`getent hosts ${IDS_SERVER} | ${NAWK} '{ print $1 }'`
-    if [ ${IDS_PORT} -ne 389 ]; then
-	    _SVR="${_SVR}:${IDS_PORT}"
-    fi
-
-    (cat << EOF
-dn: ${_P_DN}
-objectClass: top
-objectClass: DUAConfigProfile
-defaultServerList: ${_SVR}
-defaultSearchBase: ${LDAP_BASEDN}
-authenticationMethod: sasl/GSSAPI
-followReferrals: ${LDAP_FOLLOWREF}
-defaultSearchScope: ${LDAP_SEARCH_SCOPE}
-searchTimeLimit: ${LDAP_SEARCH_TIME_LIMIT}
-profileTTL: ${LDAP_PROFILE_TTL}
-cn: ${LDAP_GSSAPI_PROFILE}
-credentialLevel: self
-bindTimeLimit: ${LDAP_BIND_LIMIT}
-EOF
-) > ${TMPDIR}/gssapi_profile.ldif
-
-    add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_profile.ldif"
-
-}
-#
 # Set up GSSAPI if necessary
 #
 gssapi_setup() {
 
+	GSSAPI_ENABLE=0
+
 	# assume sasl/GSSAPI is supported by the ldap server and may be used
 	GSSAPI_AUTH_MAY_BE_USED=1
+
 	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}"
 	if [ $? -ne 0 ]; then
 		GSSAPI_AUTH_MAY_BE_USED=0
@@ -1695,59 +1624,17 @@
 
 	get_confirm "GSSAPI is supported. Do you want to set up gssapi:(y/n)" "n"
 	if [ $? -eq 0 ]; then
+		GSSAPI_ENABLE=0
 		${ECHO}
 		${ECHO} "GSSAPI is not set up."
 		${ECHO} "sasl/GSSAPI bind may not work if it's not set up first."
 	else
+		GSSAPI_ENABLE=1
 		get_krb_realm
-		add_id_mapping_rules
-		modify_userpassword_acl_for_gssapi
-		create_gssapi_profile 1
-		${ECHO}
-		${ECHO} "GSSAPI setup is done."
-	fi
-
-	cat << EOF
-
-You can continue to create a profile and
-configure the LDAP server.
-Or you can stop now.
-
-EOF
-	get_confirm "Do you want to stop:(y/n)" "n"
-	if [ $? -eq 1 ]; then
-		cleanup
-		exit
 	fi
 
 }
-gssapi_setup_auto() {
-	GSSAPI_AUTH_MAY_BE_USED=0
-	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}"
-	if [ $? -ne 0 ]; then
-		${ECHO}
-		${ECHO} "sasl/GSSAPI is not supported by this LDAP server"
-		${ECHO}
-		return
-	fi
-	if [ -z "${LDAP_KRB_REALM}" ]; then
-		${ECHO}
-		${ECHO} "LDAP_KRB_REALM is not set. Skip gssapi setup."
-		${ECHO} "sasl/GSSAPI bind won't work properly."
-		${ECHO}
-		return
-	fi
-	GSSAPI_AUTH_MAY_BE_USED=1
-	if [ -z "${LDAP_GSSAPI_PROFILE}" ]; then
-		${ECHO}
-		${ECHO} "LDAP_GSSAPI_PROFILE is not set. Default is gssapi_${LDAP_KRB_REALM}"
-		${ECHO}
-		LDAP_GSSAPI_PROFILE="gssapi_${LDAP_KRB_REALM}"
-	fi
-	add_id_mapping_rules
-	modify_userpassword_acl_for_gssapi
-	create_gssapi_profile 0
-}
+#
 # get_profile_name(): Enter the profile name.
 #
 get_profile_name()
@@ -1895,6 +1782,9 @@
     display_msg cred_level_menu
     while :
     do
+	if [ $GSSAPI_ENABLE -eq 1 ]; then
+	    ${ECHO} '"self" is needed for GSSAPI profile'
+	fi
 	get_ans "Choose Credential level [h=help]:" "1"
 	_MENU_CHOICE=$ANS
 	case "$_MENU_CHOICE" in
@@ -1905,16 +1795,9 @@
 	    3) LDAP_CRED_LEVEL="proxy anonymous"
 	       return 3 ;;
 	    4) LDAP_CRED_LEVEL="self"
-	       SELF_GSSAPI=1
 	       return 4 ;;
-	    5) LDAP_CRED_LEVEL="self proxy"
-	       SELF_GSSAPI=1
-	       return 5 ;;
-	    6) LDAP_CRED_LEVEL="self proxy anonymous"
-	       SELF_GSSAPI=1
-	       return 6 ;;
 	    h) display_msg cred_lvl_help ;;
-	    *) ${ECHO} "Please enter 1, 2, 3, 4, 5 or 6." ;;
+	    *) ${ECHO} "Please enter 1, 2, 3 or 4." ;;
 	esac
     done
 }
@@ -1971,6 +1854,9 @@
     # Get a Valid choice.
     while :
     do
+	if [ $GSSAPI_ENABLE -eq 1 ]; then
+	    ${ECHO} '"sasl/GSSAPI" is needed for GSSAPI profile'
+	fi
 	# Display appropriate prompt and get answer.
 	if [ $_FIRST -eq 1 ]; then
 	    get_ans "Choose Authentication Method (h=help):" "1"
@@ -3033,8 +2919,8 @@
 LDAP_ROOTPWD=$LDAP_ROOTPWD
 LDAP_DOMAIN="$LDAP_DOMAIN"
 LDAP_SUFFIX="$LDAP_SUFFIX"
+GSSAPI_ENABLE=$GSSAPI_ENABLE
 LDAP_KRB_REALM="$LDAP_KRB_REALM"
-LDAP_GSSAPI_PROFILE="$LDAP_GSSAPI_PROFILE"
 
 # Internal program variables that need to be set.
 NEED_PROXY=$NEED_PROXY
@@ -3085,7 +2971,7 @@
 export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
 export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
 export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
-export LDAP_SERV_SRCH_DES SSD_FILE LDAP_KRB_REALM LDAP_GSSAPI_PROFILE
+export LDAP_SERV_SRCH_DES SSD_FILE GSSAPI_ENABLE LDAP_KRB_REALM
 
 # Service Search Descriptors start here if present:
 EOF
@@ -5368,7 +5254,6 @@
     INTERACTIVE=0      # Turns off prompts that occur later.
     validate_info      # Validate basic info in file.
     chk_ids_version    # Check iDS version for compatibility.
-    gssapi_setup_auto
 else
     # Display BACKUP warning to user.
     display_msg backup_server
@@ -5448,6 +5333,16 @@
     deny_non_admin_shadow_access
 fi
 
+if [ $GSSAPI_ENABLE -eq 1 ]; then
+    add_id_mapping_rules
+    # do not modify ACI if "sasl/GSSAPI" and "self" are not selected
+    if [ "$LDAP_CRED_LEVEL" = "self" -a "$LDAP_AUTHMETHOD" = "sasl/GSSAPI" ]; then
+        modify_userpassword_acl_for_gssapi
+    else
+        ${ECHO} "  ACL for GSSAPI was not set because of incompatibility in profile."
+    fi
+fi
+
 # If use host principal for shadow update, give read/write permission for
 # shadow, and deny all others' read/write access to it.
 if [ $NEED_HOSTACL -eq 1 ]; then