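#!/bin/bash
# Copyright (C) 2024 Pädagogisches Landesinstitut Rheinland-Pfalz
# Copyright (C) 2023 Mike Gabriel
# Copyright (C) 2024 Daniel Teichmann
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the
# Free Software Foundation, Inc.,
# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

# debconf "config" script of the LDAP/AD connector plugin for Debian Edu
# Router. This preamble loads the shared helpers, initialises debconf and
# selects which part of the question state machine (statemachine(), below)
# is run, based on CONFIGURE_ONLY and SKIP_DEBCONF_QUESTIONS_CONFIG.

set -e

# Once confmodule is loaded, stdout is the channel to the debconf frontend;
# every human-readable diagnostic below therefore has to go to stderr.
. /usr/share/debconf/confmodule || exit 255

common_file="/usr/share/debian-edu-router/debian-edu-router.common"

# Load common functions, variables and stuff (debug_log, warning_log,
# parse_ip_versions, ... are provided there).
if [ -s "$common_file" ]; then
  source "$common_file"
else
  # Diagnostic on stderr, with the path as a single quoted argument
  # (the original string was split by unbalanced quotes).
  printf 'Could not load common file at %s.\n' "$common_file" >&2
  # Exits 0 so that package configuration is not aborted when the helpers
  # are missing; presumably intentional -- confirm before changing.
  exit 0
fi

# prepare debconf
export DC_PRIO_LOW="medium"   # NB: this plugin's "low" maps to debconf priority "medium"
export DC_PRIO_HIGH="high"
db_version 2.0
db_capb backup escape

# Site-wide settings. NOTE: the file is executed as shell code by 'source',
# so it must be owned by root and not be writable by anyone else.
if [ -e /etc/debian-edu/router.conf ]; then
  source /etc/debian-edu/router.conf
fi

PRODUCTNAME="${PRODUCTNAME:-"Debian Edu Router"}"
PRODUCTNAME_PLUGIN_SUFFIX="${PRODUCTNAME_PLUGIN_SUFFIX:-"Plugin"}"
PRODUCTNAME_PLUGIN="${PRODUCTNAME_PLUGIN:-"${PRODUCTNAME} ${PRODUCTNAME_PLUGIN_SUFFIX}: LDAP/AD Connector"}"
PACKAGE_NAME="debian-edu-router-plugin.ldap-connector"

db_title "${PRODUCTNAME_PLUGIN}"

# If we don't run this script for the first time, make sure we know what IP
# proto versions are enabled for non-network configuration steps, what internal
# networks are enabled and what internal networks have static IP address set.
#
# This is really important for cases where the sysadmin chooses to skip network
# settings. We can't populate the IPV4 and IPV6 variables from within the while
# loop, so let's preset these values in case networking set up gets skipped.
#
# Sets IPV4 and IPV6 bool variables.
parse_ip_versions

# Select the range of state-machine steps to run: STATE is the first step,
# QCOUNT the last one. CONFIGURE_ONLY picks a single section of the dialog;
# otherwise SKIP_DEBCONF_QUESTIONS_CONFIG=1 asks nothing at all (state 999)
# and the default runs the full set of questions.
case "${CONFIGURE_ONLY}" in
  NOT_IMPLEMENTED)
    STATE=46
    QCOUNT=46
    ;;
  ONOFF)
    STATE=0
    QCOUNT=0
    ;;
  SERVER)
    STATE=1
    QCOUNT=18
    ;;
  MAPPINGS)
    STATE=19
    QCOUNT=45
    ;;
  INSTALL_SSLCERTS_LDAP)
    STATE=14
    QCOUNT=16
    ;;
  *)
    if [ "${SKIP_DEBCONF_QUESTIONS_CONFIG}" = "1" ]; then
      STATE=999
      QCOUNT=999
    else
      STATE=0
      QCOUNT=45
    fi
    ;;
esac

# Define a starting point that cannot be skipped by going back
BACKSTOP=${STATE}

debug_log "Picked up the following debconf-question state-machine settings for ${PACKAGE_NAME}.config:"
debug_log " - SKIP_DEBCONF_QUESTIONS_CONFIG='${SKIP_DEBCONF_QUESTIONS_CONFIG}'."
debug_log " - CONFIGURE_ONLY= '${CONFIGURE_ONLY}'."
debug_log " - STATE= '${STATE}'."
debug_log " - QCOUNT= '${QCOUNT}'."
debug_log " - BACKSTOP= '${BACKSTOP}'."
# "$*" joins all script arguments into this one message; "$@" inside a
# double-quoted string would split the message into several debug_log
# arguments as soon as more than one argument is passed.
debug_log " - Script arguments= '${0} $*'."

# Failure counters: Some question don't allow empty input or similar.
# We can't re-ask questions endlessly, but need to bail out at some point.
FCOUNTER=0

# default behaviour should be that steps go UP rather than down.
# we have this variable to track in which direction we are currently going
# for example if the user wants to backup a step at step 17
# and step 16 should be skipped (for whatever reason) then we should move on
# to step *15* instead of step 17!
STATE_DIRECTION=1

# setup milestones
# when configuring a new milestone, please test if backing up from that
# milestone does work as expected!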
STATE_ONOFF_QUESTION=0 STATE_FIRST_QUESTION=1 STATE_LDAP_AUTH_TYPE=4 STATE_LDAP_SASL_MECH=7 STATE_LDAP_SASL_AUTHZID=10 STATE_LDAP_STARTTLS=13 STATE_LDAP_DNS_SERVERS=17 ALL_PROXY_GROUPS=( ProxyTrustedClient, ProxyAllowClient, ProxyDenyClient, ProxyDenyUser, ProxyBlacklistClient, ProxyWhitelistClient, ProxyNoauthClient, ProxyTrustedUser, ProxyAllowUser, ProxyBlacklistUser, ProxyWhitelistUser ) USER_PROXY_GROUPS=( ProxyDenyUser, ProxyTrustedUser, ProxyAllowUser, ProxyBlacklistUser, ProxyWhitelistUser ) function statemachine() { while [ ${STATE} -gt -1 ] && [ ${STATE} -le ${QCOUNT} ] && [ ${STATE} -ge ${BACKSTOP} ]; do debug_log "We are currently at step ${cyan}$STATE${normal}." # ask questions case "${STATE}" in # # LDAP connector (Obtain configuration, filter lists, etc. from a site's LDAP server) # 0) # PLUGIN ENABLED? db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-connector-enabled || true ;; 1) db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-uri || true ;; 2) db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-base || true ;; 3) db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-user-searchfilter || true ;; 4) db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-auth-type || true ;; 5) db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-binddn || true ;; 6) if [ $STATE_DIRECTION -eq -1 ] && [ "${ldap_auth_type}" != "simple" ]; then # If backtracking, skip to auth type selection. debug_log "Skipping bindpw + binddn questions..." 
STATE="$STATE_LDAP_AUTH_TYPE" continue fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-bindpw || true ;; 7) db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-sasl-mech || true ;; 8) db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-sasl-realm || true ;; 9) if [ $STATE_DIRECTION -eq -1 ] && [ "${ldap_sasl_mech}" != "GSSAPI" ]; then debug_log "Skipping authcid question, since GSSAPI SASL mech was selected..." STATE="$(($STATE+$STATE_DIRECTION))" continue fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-sasl-authcid || true ;; 10) db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-sasl-authzid || true ;; 11) db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-sasl-secprops || true ;; 12) if [ $STATE_DIRECTION -eq -1 ]; then if [ "${ldap_auth_type}" != "SASL" ]; then debug_log "Skipping krb5 ccname question, since SASL was not selected..." STATE="$STATE_LDAP_AUTH_TYPE" continue elif [ "${ldap_sasl_mech}" != "GSSAPI" ]; then debug_log "Skipping krb5 ccname question, since GSSAPI SASL mech wasn't selected..." 
STATE="$(($STATE+$STATE_DIRECTION))" continue fi fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-sasl-krb5-ccname || true ;; 13) db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-starttls || true ;; 14) db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-reqcert || true ;; # SSL certificate obtaining behaviour 15) if [ -n "$INSTALL_SSLCERTS_LDAP" ]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-install-cert-type || true fi ;; # CA certificate filepath 16) if [ -n "$INSTALL_SSLCERTS_LDAP" ]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-cacertfile || true fi ;; # LDAP's DNS servers 17) db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-dns-servers || true ;; # LDAP refresh filterlists systemd service/cron job 18) db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-refresh-filterlists || true ;; # # Proxy*{Client, User}: LDAP GROUP TYPES # 19) choices=( "${ALL_PROXY_GROUPS[@]}" ) db_subst debian-edu-router-plugin.ldap-connector/ldap-groups-type-nisNetgroup choices "${choices[@]}" db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-groups-type-nisNetgroup || true ;; 20) choices=( "${ALL_PROXY_GROUPS[@]}" ) # Proxy groups cannot be selected multiple times. Filter already selected ones out. if [[ -n "${ldap_groups_type_nisNetgroup[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_nisNetgroup[*]}")" ) fi db_subst debian-edu-router-plugin.ldap-connector/ldap-groups-type-group choices "${choices[@]}" db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-groups-type-group || true ;; 21) choices=( "${ALL_PROXY_GROUPS[@]}" ) # Proxy groups cannot be selected multiple times. Filter already selected ones out. 
if [[ -n "${ldap_groups_type_nisNetgroup[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_nisNetgroup[*]}")" ) fi if [[ -n "${ldap_groups_type_group[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_group[*]}")" ) fi db_subst debian-edu-router-plugin.ldap-connector/ldap-groups-type-groupOfNames choices "${choices[@]}" db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-groups-type-groupOfNames || true ;; 22) # Special case: *User* groups support posixGroups too, but *clients* do not. choices=( "${USER_PROXY_GROUPS[@]}" ) # Proxy groups cannot be selected multiple times. Filter already selected ones out. if [[ -n "${ldap_groups_type_nisNetgroup[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_nisNetgroup[*]}")" ) fi if [[ -n "${ldap_groups_type_group[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_group[*]}")" ) fi if [[ -n "${ldap_groups_type_groupOfNames[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_groupOfNames[*]}")" ) fi # We only want to have Proxy*User group in $choices! 
choices=( "$(intersect_comma_separated_items "${choices[*]}" "${USER_PROXY_GROUPS[*]}" )" ) if [[ -z "${choices[@]}" ]]; then db_fset debian-edu-router-plugin.ldap-connector/ldap-groups-type-posixGroup seen false db_set debian-edu-router-plugin.ldap-connector/ldap-groups-type-posixGroup "" fi db_subst debian-edu-router-plugin.ldap-connector/ldap-groups-type-posixGroup choices "${choices[@]}" db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-groups-type-posixGroup || true ;; # # GROUPS NAME: Clients (used for nisNetgroup, group and groupOfNames) # 23) proxy_group="ProxyTrustedClient" proxy_group_type="$( find_proxy_group_type "${proxy_group}" )" if [[ -z "${proxy_group_type}" ]]; then warning_log "Proxy group '${proxy_group}' has no LDAP group type selected, skipping." STATE="$(($STATE + $STATE_DIRECTION))" continue fi db_subst "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" group_type "${proxy_group_type}" db_input ${DC_PRIO_HIGH} "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true ;; 24) proxy_group="ProxyAllowClient" proxy_group_type="$( find_proxy_group_type "${proxy_group}" )" if [[ -z "${proxy_group_type}" ]]; then warning_log "Proxy group '${proxy_group}' has no LDAP group type selected, skipping." STATE="$(($STATE + $STATE_DIRECTION))" continue fi db_subst "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" group_type "${proxy_group_type}" db_input ${DC_PRIO_HIGH} "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true ;; 25) proxy_group="ProxyDenyClient" proxy_group_type="$( find_proxy_group_type "${proxy_group}" )" if [[ -z "${proxy_group_type}" ]]; then warning_log "Proxy group '${proxy_group}' has no LDAP group type selected, skipping." 
STATE="$(($STATE + $STATE_DIRECTION))" continue fi db_subst "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" group_type "${proxy_group_type}" db_input ${DC_PRIO_HIGH} "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true ;; 26) proxy_group="ProxyBlacklistClient" proxy_group_type="$( find_proxy_group_type "${proxy_group}" )" if [[ -z "${proxy_group_type}" ]]; then warning_log "Proxy group '${proxy_group}' has no LDAP group type selected, skipping." STATE="$(($STATE + $STATE_DIRECTION))" continue fi db_subst "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" group_type "${proxy_group_type}" db_input ${DC_PRIO_HIGH} "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true ;; 27) proxy_group="ProxyWhitelistClient" proxy_group_type="$( find_proxy_group_type "${proxy_group}" )" if [[ -z "${proxy_group_type}" ]]; then warning_log "Proxy group '${proxy_group}' has no LDAP group type selected, skipping." STATE="$(($STATE + $STATE_DIRECTION))" continue fi db_subst "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" group_type "${proxy_group_type}" db_input ${DC_PRIO_HIGH} "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true ;; 28) proxy_group="ProxyNoauthClient" proxy_group_type="$( find_proxy_group_type "${proxy_group}" )" if [[ -z "${proxy_group_type}" ]]; then warning_log "Proxy group '${proxy_group}' has no LDAP group type selected, skipping." 
STATE="$(($STATE + $STATE_DIRECTION))" continue fi db_subst "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" group_type "${proxy_group_type}" db_input ${DC_PRIO_HIGH} "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true ;; # # GROUPS NAME: Users (used for nisNetgroup, posixGroup, group and groupOfNames) # 29) proxy_group="ProxyTrustedUser" proxy_group_type="$( find_proxy_group_type "${proxy_group}" )" if [[ -z "${proxy_group_type}" ]]; then warning_log "Proxy group '${proxy_group}' has no LDAP group type selected, skipping." STATE="$(($STATE + $STATE_DIRECTION))" continue fi db_subst "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" group_type "${proxy_group_type}" db_input ${DC_PRIO_HIGH} "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true ;; 30) proxy_group="ProxyAllowUser" proxy_group_type="$( find_proxy_group_type "${proxy_group}" )" if [[ -z "${proxy_group_type}" ]]; then warning_log "Proxy group '${proxy_group}' has no LDAP group type selected, skipping." STATE="$(($STATE + $STATE_DIRECTION))" continue fi db_subst "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" group_type "${proxy_group_type}" db_input ${DC_PRIO_HIGH} "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true ;; 31) proxy_group="ProxyDenyUser" proxy_group_type="$( find_proxy_group_type "${proxy_group}" )" if [[ -z "${proxy_group_type}" ]]; then warning_log "Proxy group '${proxy_group}' has no LDAP group type selected, skipping." 
STATE="$(($STATE + $STATE_DIRECTION))" continue fi db_subst "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" group_type "${proxy_group_type}" db_input ${DC_PRIO_HIGH} "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true ;; 32) proxy_group="ProxyBlacklistUser" proxy_group_type="$( find_proxy_group_type "${proxy_group}" )" if [[ -z "${proxy_group_type}" ]]; then warning_log "Proxy group '${proxy_group}' has no LDAP group type selected, skipping." STATE="$(($STATE + $STATE_DIRECTION))" continue fi db_subst "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" group_type "${proxy_group_type}" db_input ${DC_PRIO_HIGH} "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true ;; 33) proxy_group="ProxyWhitelistUser" proxy_group_type="$( find_proxy_group_type "${proxy_group}" )" if [[ -z "${proxy_group_type}" ]]; then warning_log "Proxy group '${proxy_group}' has no LDAP group type selected, skipping." STATE="$(($STATE + $STATE_DIRECTION))" continue fi db_subst "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" group_type "${proxy_group_type}" db_input ${DC_PRIO_HIGH} "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true ;; # SEARCH VIA SEARCH/BASE DN 34) choices=( "${ALL_PROXY_GROUPS[@]}" ) if [[ -n "${ldap_groups_type_nisNetgroup[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_nisNetgroup[*]}")" ) fi if [[ -n "${ldap_groups_type_group[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_group[*]}")" ) fi if [[ -n "${ldap_groups_type_groupOfNames[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_groupOfNames[*]}")" ) fi if [[ -n "${ldap_groups_type_posixGroup[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_posixGroup[*]}")" ) fi groups_left_unselected=( 
"${choices[@]}" ) choices=( "$(compare_comma_separated_items "${ALL_PROXY_GROUPS[*]}" "${groups_left_unselected[*]}")" ) db_subst debian-edu-router-plugin.ldap-connector/ldap-groups-search-via-base-dn choices "${choices[@]}" db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-groups-search-via-base-dn || true ;; # # GROUPS BASE DN: Clients (used for Search-via-BaseDN only) # 35) if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "ProxyTrustedClient"; then STATE=$(($STATE + $STATE_DIRECTION)) continue fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyTrustedClient || true ;; 36) if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "ProxyAllowClient"; then STATE=$(($STATE + $STATE_DIRECTION)) STATE=$(($STATE + $STATE_DIRECTION)) continue fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyAllowClient || true ;; 37) if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "ProxyDenyClient"; then STATE=$(($STATE + $STATE_DIRECTION)) continue fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyDenyClient || true ;; 38) if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "ProxyBlacklistClient"; then STATE=$(($STATE + $STATE_DIRECTION)) continue fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyBlacklistClient || true ;; 39) if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "ProxyWhitelistClient"; then STATE=$(($STATE + $STATE_DIRECTION)) continue fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyWhitelistClient || true ;; 40) if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "ProxyNoauthClient"; then STATE=$(($STATE + $STATE_DIRECTION)) continue fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyNoauthClient || true ;; # # GROUPS BASE DN: Users (used for Search-via-BaseDN only) # 41) if ! 
echo "${ldap_groups_search_via_base_dn}" | grep -q "ProxyTrustedUser"; then STATE=$(($STATE + $STATE_DIRECTION)) continue fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyTrustedUser || true ;; 42) if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "ProxyAllowUser"; then STATE=$(($STATE + $STATE_DIRECTION)) continue fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyAllowUser || true ;; 43) if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "ProxyDenyUser"; then STATE=$(($STATE + $STATE_DIRECTION)) continue fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyDenyUser || true ;; 44) if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "ProxyBlacklistUser"; then STATE=$(($STATE + $STATE_DIRECTION)) continue fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyBlacklistUser || true ;; 45) if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "ProxyWhitelistUser"; then STATE=$(($STATE + $STATE_DIRECTION)) continue fi db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-ProxyWhitelistUser || true ;; # not implemented yet... 46) db_input ${DC_PRIO_HIGH} debian-edu-router-config/not-implemented-yet || true ;; # Used for skipping/aborting questions entirely. 999) ;; *) echo "Unknown state ${STATE}!"; exit 255 ;; esac if db_go || [ "$BYPASS_DB_GO" == true ]; then # evaluate answers case "${STATE}" in # # LDAP connector (Obtain configuration, filter lists, etc. from a site's LDAP server) # 0) # PLUGIN ENABLED? 
db_get debian-edu-router-plugin.ldap-connector/ldap-connector-enabled || true ldap_connector_enabled="${RET}" if [ "${ldap_connector_enabled}" = "false" ]; then STATE=999 continue fi ;; 1) db_get debian-edu-router-plugin.ldap-connector/ldap-uri || true ldap_uri="${RET}" ;; 2) db_get debian-edu-router-plugin.ldap-connector/ldap-base || true ldap_base="${RET}" ;; 3) db_get debian-edu-router-plugin.ldap-connector/ldap-user-searchfilter || true ldap_user_searchfilter="${RET}" ;; 4) db_get debian-edu-router-plugin.ldap-connector/ldap-auth-type || true ldap_auth_type="${RET}" if [ "${ldap_auth_type}" = "none" ]; then # no authentication requested, skip forward to SSL configuration dialogs STATE="$STATE_LDAP_STARTTLS" continue elif [ "${ldap_auth_type}" = "SASL" ]; then # skip binddn and bindpw, skip forward to SASL related config dialogs STATE="$STATE_LDAP_SASL_MECH" continue elif [ "${ldap_auth_type}" = "simple" ]; then # ask for binddn and bindpw : fi ;; 5) db_get debian-edu-router-plugin.ldap-connector/ldap-binddn || true ldap_binddn="${RET}" ;; 6) db_get debian-edu-router-plugin.ldap-connector/ldap-bindpw || true ldap_bindpw="${RET}" if [ "${ldap_auth_type}" != "SASL" ]; then # Skip SASL related configuration dialogs debug_log "Skipping SASL related questions..." STATE="$STATE_LDAP_STARTTLS" continue fi ;; 7) db_get debian-edu-router-plugin.ldap-connector/ldap-sasl-mech || true ldap_sasl_mech="${RET}" ;; 8) db_get debian-edu-router-plugin.ldap-connector/ldap-sasl-realm || true ldap_sasl_realm="${RET}" if [ "${ldap_sasl_mech}" = "GSSAPI" ]; then debug_log "Skipping authcid question, since GSSAPI SASL mech was selected..." STATE="$STATE_LDAP_SASL_AUTHZID" continue fi debug_log "Asking previously skipped bindpw question..." 
db_get debian-edu-router-plugin.ldap-connector/ldap-bindpw || true ldap_bindpw="${RET}" ;; 9) db_get debian-edu-router-plugin.ldap-connector/ldap-sasl-authcid || true ldap_sasl_authcid="${RET}" ;; 10) db_get debian-edu-router-plugin.ldap-connector/ldap-sasl-authzid || true ldap_sasl_authzid="${RET}" ;; 11) db_get debian-edu-router-plugin.ldap-connector/ldap-sasl-secprops || true ldap_sasl_secprops="${RET}" if [ "${ldap_sasl_mech}" != "GSSAPI" ]; then debug_log "Skipping krb5 ccname question, since no kerberos mech was selected..." STATE="$STATE_LDAP_STARTTLS" continue fi ;; 12) db_get debian-edu-router-plugin.ldap-connector/ldap-sasl-krb5-ccname || true ldap_sasl_krb5_ccname="${RET}" ;; 13) db_get debian-edu-router-plugin.ldap-connector/ldap-starttls || true ldap_starttls="${RET}" ;; 14) db_get debian-edu-router-plugin.ldap-connector/ldap-reqcert || true ldap_reqcert="${RET}" if [ ${ldap_reqcert} = "never" ]; then STATE="$STATE_LDAP_DNS_SERVERS" continue fi ;; # SSL certificate obtaining behaviour 15) db_get debian-edu-router-plugin.ldap-connector/ldap-install-cert-type ldap_install_cert_type="${RET}" if [ ${ldap_install_cert_type} != "manually" ]; then STATE="$STATE_LDAP_DNS_SERVERS" continue fi ;; # CA certificate filepath 16) db_get debian-edu-router-plugin.ldap-connector/ldap-cacertfile || true ldap_cacertfile="${RET}" ;; # LDAP's DNS server 17) db_get debian-edu-router-plugin.content-filter/dns-servers || true contentfilter_dns_servers="$(echo ${RET} | sed -E -e "s/,/ /g" -e "s/\s+/ /g")" db_get debian-edu-router-plugin.ldap-connector/ldap-dns-servers || true ldap_dns_servers="$(echo ${RET} | sed -E -e "s/,/ /g" -e "s/\s+/ /g")" # Force non-empty answer. if [ -z "${ldap_dns_servers}" ] && [ -z "${contentfilter_dns_servers}" ]; then # db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-dns-servers-required || true # if ! db_go; then # debug_log "Ignoring backup/db_go-failure..." 
# fi warning_log "An external nameserver must be specified to resolve client hostnames coming from LDAP!" FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures debian-edu-router-plugin.ldap-connector/ldap-dns-servers ${FCOUNTER} 5 continue fi invalid_nameserver=false # FIXME: Actually test DNS via e.g. 'dig'? # Check for invalid DNS entries. for dns_addr in ${ldap_dns_servers}; do if [ "$IPV4" == true ] && is_address_v4 "${dns_addr}"; then # Alright, address looks good. Check next one. debug_log "IPv4 nameserver address '$dns_addr' could be verified." continue elif [ "$IPV6" == true ] && is_address_v6 "${dns_addr}"; then # Alright, address looks good. Check next one. debug_log "IPv6 nameserver address '$dns_addr' could be verified." continue fi warning_log "Nameserver address '$dns_addr' is *not* valid!" db_input ${DC_PRIO_HIGH} debian-edu-router-config/net-syntax-invalid-nameserver || true if ! db_go; then debug_log "Ignoring backup/db_go-failure..." fi invalid_nameserver=true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures debian-edu-router-plugin.ldap-connector/ldap-dns-servers ${FCOUNTER} 5 break done # Let the user retry if invalid entry was found. 
if [ "${invalid_nameserver}" == true ]; then continue fi FCOUNTER=0 ;; # LDAP refresh filterlists systemd service/cron job 18) db_get debian-edu-router-plugin.ldap-connector/ldap-refresh-filterlists || true ldap_refresh_filterlists="${RET}" ;; # # Proxy*{Client, User}: LDAP GROUP TYPES # 19) db_get debian-edu-router-plugin.ldap-connector/ldap-groups-type-nisNetgroup || true ldap_groups_type_nisNetgroup=( ${RET} ) ;; 20) db_get debian-edu-router-plugin.ldap-connector/ldap-groups-type-group || true ldap_groups_type_group=( ${RET} ) ;; 21) db_get debian-edu-router-plugin.ldap-connector/ldap-groups-type-groupOfNames || true ldap_groups_type_groupOfNames=( ${RET} ) ;; 22) db_get debian-edu-router-plugin.ldap-connector/ldap-groups-type-posixGroup || true ldap_groups_type_posixGroup=( ${RET} ) choices=( "${ALL_PROXY_GROUPS[@]}" ) if [[ -n "${ldap_groups_type_nisNetgroup[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_nisNetgroup[*]}")" ) fi if [[ -n "${ldap_groups_type_group[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_group[*]}")" ) fi if [[ -n "${ldap_groups_type_groupOfNames[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_groupOfNames[*]}")" ) fi if [[ -n "${ldap_groups_type_posixGroup[*]}" ]]; then choices=( "$(compare_comma_separated_items "${choices[*]}" "${ldap_groups_type_posixGroup[*]}")" ) fi groups_left_unselected=( "${choices[@]}" ) if [[ -n "${groups_left_unselected}" ]]; then db_subst debian-edu-router-plugin.ldap-connector/ldap-unconfigured-proxy-groups groups_left_unselected "${groups_left_unselected[*]}" db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-unconfigured-proxy-groups || true fi ;; # # GROUPS NAME: Clients (used for nisNetgroup, group and groupOfNames) # 23) proxy_group="ProxyTrustedClient" db_get "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true if [[ -z 
"${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-name-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 24) proxy_group="ProxyAlllowClient" db_get "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-name-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 25) proxy_group="ProxyDenyClient" db_get "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-name-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 26) proxy_group="ProxyBlacklistClient" db_get "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-name-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 27) proxy_group="ProxyWhitelistClient" db_get "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-name-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 28) proxy_group="ProxyNoauthClient" db_get 
"debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-name-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; # # GROUPS NAME: Users (used for nisNetgroup, posixGroup, group and groupOfNames) # 29) proxy_group="ProxyTrustedUser" db_get "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-name-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 30) proxy_group="ProxyAllowUser" db_get "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-name-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 31) proxy_group="ProxyDenyUser" db_get "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-name-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 32) proxy_group="ProxyBlacklistUser" db_get "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-name-empty || true FCOUNTER=$((${FCOUNTER}+1)) 
bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 33) proxy_group="ProxyWhitelistUser" db_get "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-name-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-name-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; # SEARCH VIA SEARCH/BASE DN 34) db_get debian-edu-router-plugin.ldap-connector/ldap-groups-search-via-base-dn || true ldap_groups_search_via_base_dn="${RET}" ;; # # GROUPS BASE DN: Clients (used for Search-via-BaseDN only) # 35) proxy_group="ProxyTrustedClient" if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "${proxy_group}"; then continue fi db_get "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 36) proxy_group="ProxyAllowClient" if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "${proxy_group}"; then continue fi db_get "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 37) proxy_group="ProxyDenyClient" if ! 
echo "${ldap_groups_search_via_base_dn}" | grep -q "${proxy_group}"; then continue fi db_get "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 38) proxy_group="ProxyBlacklistClient" if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "${proxy_group}"; then continue fi db_get "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 39) proxy_group="ProxyWhitelistClient" if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "${proxy_group}"; then continue fi db_get "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 40) proxy_group="ProxyNoauthClient" if ! 
echo "${ldap_groups_search_via_base_dn}" | grep -q "${proxy_group}"; then continue fi db_get "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; # # GROUPS BASE DN: Users (used for Search-via-BaseDN only) # 41) proxy_group="ProxyTrustedUser" if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "${proxy_group}"; then continue fi db_get "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 42) proxy_group="ProxyAllowUser" if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "${proxy_group}"; then continue fi db_get "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 43) proxy_group="ProxyDenyUser" if ! 
echo "${ldap_groups_search_via_base_dn}" | grep -q "${proxy_group}"; then continue fi db_get "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 44) proxy_group="ProxyBlacklistUser" if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "${proxy_group}"; then continue fi db_get "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; 45) proxy_group="ProxyWhitelistUser" if ! echo "${ldap_groups_search_via_base_dn}" | grep -q "${proxy_group}"; then continue fi db_get "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" || true if [[ -z "${RET}" ]]; then db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-empty || true FCOUNTER=$((${FCOUNTER}+1)) bailout_on_too_many_failures "debian-edu-router-plugin.ldap-connector/ldap-group-base-dn-${proxy_group}" ${FCOUNTER} 5 continue fi FCOUNTER=0 ;; # not implemented yet... 46) db_get debian-edu-router-config/not-implemented-yet || true ;; # Used for skipping/aborting questions entirely. 999) ;; esac # last question was ok, so go up. # except if we just simulated that step... if [ "$BYPASS_DB_GO" == true ]; then STATE_DIRECTION=1 STATE=$ORIGIN_STATE else STATE_DIRECTION=1 STATE=$(($STATE + $STATE_DIRECTION)) fi # reset. BYPASS_DB_GO=false else # last question was not ok (user wants to backup), so go *DOWN* a step. 
# and if the next step should be skipped, go down another step. # and if that step should also be skipped, go down another step. # and so on and so on... STATE_DIRECTION=-1 STATE=$(($STATE + $STATE_DIRECTION)) debug_log "Backing up to step ${cyan}${STATE}${green}..." fi done if [ $STATE -lt $BACKSTOP ]; then # user went backwards from beyond BACKSTOP/entry point, abort package configuration. debug_log "User tried to backup beyond BACKSTOP/entry point... Exiting." exit 10 fi } function main() { statemachine } if [[ "$1" == "configure" ]] && [[ -n "$2" ]]; then main elif [[ "$1" == "configure" ]] && [[ "$2" == "debian-edu-router-reconfigured" ]]; then debug_log "config script was called via dpkg-trigger, specifically 'debian-edu-router-reconfigured' trigger." main elif [[ "$1" == "reconfigure" ]]; then debug_log "config script was called via dpkg-reconfigure." main else debug_log "config script was probably called to preconfigure package, skipping..." exit 0 fi # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. debug_log "Finished .config stage of ${PACKAGE_NAME}." exit 0