Hello community,
here is the log from the commit of package yast2-auth-client for openSUSE:Factory checked in at 2022-07-31 23:00:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-auth-client (Old)
and /work/SRC/openSUSE:Factory/.yast2-auth-client.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-auth-client"
Sun Jul 31 23:00:45 2022 rev:45 rq:991571 version:4.5.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-auth-client/yast2-auth-client.changes 2022-04-14 17:23:59.591160140 +0200
+++ /work/SRC/openSUSE:Factory/.yast2-auth-client.new.1533/yast2-auth-client.changes 2022-07-31 23:00:59.811700962 +0200
@@ -1,0 +2,7 @@
+Wed Jul 27 00:50:39 UTC 2022 - William Brown
+
+- Remove nss_ldap and pam_ldap support in favour of SSSD
+ (gh#yast/yast-auth-client#82)
+- 4.5.1
+
+-------------------------------------------------------------------
Old:
----
yast2-auth-client-4.5.0.tar.bz2
New:
----
yast2-auth-client-4.5.1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yast2-auth-client.spec ++++++
--- /var/tmp/diff_new_pack.ImO2Rr/_old 2022-07-31 23:01:00.207702113 +0200
+++ /var/tmp/diff_new_pack.ImO2Rr/_new 2022-07-31 23:01:00.211702125 +0200
@@ -17,7 +17,7 @@
Name: yast2-auth-client
-Version: 4.5.0
+Version: 4.5.1
Release: 0
URL: https://github.com/yast/yast-auth-client
Summary: YaST2 - Centralised System Authentication Configuration
++++++ yast2-auth-client-4.5.0.tar.bz2 -> yast2-auth-client-4.5.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/README.md new/yast2-auth-client-4.5.1/README.md
--- old/yast2-auth-client-4.5.0/README.md 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/README.md 2022-07-28 15:52:19.000000000 +0200
@@ -14,8 +14,7 @@
* Configure single or multi-domain authentication via SSSD
* Enroll a host at Microsoft Active Directory
- * Configure PAM/NSS for LDAP
- * Configure Kerberos client
+ * Configure PAM/NSS for LDAP or Kerberos via SSSD
Installation
------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/package/yast2-auth-client.changes new/yast2-auth-client-4.5.1/package/yast2-auth-client.changes
--- old/yast2-auth-client-4.5.0/package/yast2-auth-client.changes 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/package/yast2-auth-client.changes 2022-07-28 15:52:19.000000000 +0200
@@ -1,4 +1,11 @@
-------------------------------------------------------------------
+Wed Jul 27 00:50:39 UTC 2022 - William Brown
+
+- Remove nss_ldap and pam_ldap support in favour of SSSD
+ (gh#yast/yast-auth-client#82)
+- 4.5.1
+
+-------------------------------------------------------------------
Wed Apr 06 13:24:58 UTC 2022 - Ladislav Slez��k
- Bump version to 4.5.0 (bsc#1198109)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/package/yast2-auth-client.spec new/yast2-auth-client-4.5.1/package/yast2-auth-client.spec
--- old/yast2-auth-client-4.5.0/package/yast2-auth-client.spec 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/package/yast2-auth-client.spec 2022-07-28 15:52:19.000000000 +0200
@@ -17,7 +17,7 @@
Name: yast2-auth-client
-Version: 4.5.0
+Version: 4.5.1
Release: 0
Url: https://github.com/yast/yast-auth-client
Summary: YaST2 - Centralised System Authentication Configuration
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/src/clients/ldapkrb.rb new/yast2-auth-client-4.5.1/src/clients/ldapkrb.rb
--- old/yast2-auth-client-4.5.0/src/clients/ldapkrb.rb 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/src/clients/ldapkrb.rb 1970-01-01 01:00:00.000000000 +0100
@@ -1,32 +0,0 @@
-# encoding: utf-8
-
-# ------------------------------------------------------------------------------
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of version 2 of the GNU General Public License as published by the
-# Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program; if not, contact SUSE Linux GmbH.
-#
-# ------------------------------------------------------------------------------
-
-# Module: Configure system-wide authentication mechanisms via LDAP and Kerberos
-# Summary: Invoke main dialog and allow configuring LDAP and Kerberos
-# Authors: Howard Guo
-
-require 'auth/authconf'
-require 'auth/auth-cli'
-require 'authui/main_dialog'
-
-if Yast::WFM.Args.empty?
- Auth::AuthConfInst.read_all
- Auth::MainDialog.new(:ldapkrb).run
-else
- Auth::CLI.run("ldapkrb")
-end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/src/lib/auth/authconf.rb new/yast2-auth-client-4.5.1/src/lib/auth/authconf.rb
--- old/yast2-auth-client-4.5.0/src/lib/auth/authconf.rb 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/src/lib/auth/authconf.rb 2022-07-28 15:52:19.000000000 +0200
@@ -34,7 +34,7 @@
include Yast::Logger
include Yast::UIShortcuts
- attr_accessor(:krb_conf, :krb_pam, :ldap_conf, :ldap_pam, :ldap_nss, :sssd_conf, :sssd_pam, :sssd_nss, :sssd_enabled)
+ attr_accessor(:krb_conf, :krb_pam, :ldap_pam, :ldap_nss, :sssd_conf, :sssd_pam, :sssd_nss, :sssd_enabled)
attr_accessor(:autofs_enabled, :nscd_enabled, :mkhomedir_pam)
attr_accessor(:ad_domain, :ad_user, :ad_ou, :ad_pass, :ad_overwrite_smb_conf, :ad_update_dns, :autoyast_editor_mode, :autoyast_modified)
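Review bot: The new `attr_accessor` line keeps `ldap_pam` and `ldap_nss` public even though this commit deletes `ldap_apply` (the deletion-only hunk starting at `@@ -506,93 +483,6 @@`), so within this file the two fields are now only populated by `ldap_read` and consulted for the migration caption, and nothing says they can no longer be applied. I would add a comment above the accessor: `# ldap_pam / ldap_nss: legacy pam_ldap/nss_ldap state detected by ldap_read; kept only to warn the user to migrate to SSSD, this file no longer applies it`. The initialisation hunk that follows (`@@ -44,7 +44,6 @@`) would benefit from the same comment on the `# LDAP configuration (/etc/ldap.conf)` line, which now introduces fields that have nothing to do with that file. The enclosing class starts and ends outside the hunk.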
@@ -44,7 +44,6 @@
@krb_conf = {'include' => [], 'libdefaults' => {}, 'realms' => {}, 'domain_realm' => {}, 'logging' => {}}
@krb_pam = false
# LDAP configuration (/etc/ldap.conf)
- @ldap_conf = {}
@ldap_pam = false
@ldap_nss = []
# SSSD configuration (/etc/sssd/sssd.conf)
@@ -439,25 +438,6 @@
# Load LDAP configuration.
def ldap_read
- @ldap_conf = {}
- # Destruct ldap.conf file
- Yast::SCR.UnmountAgent(Yast::Path.new('.etc.ldap_conf'))
- Yast::SCR.Read(Yast::Path.new('.etc.ldap_conf.all')).fetch('value', []).each { |entry|
- if entry['kind'] != 'value'
- skip
- end
- entry_name = entry['name'].strip
- entry_value = entry['value'].strip
- # Store values from duplicate keys in the original order
- existing_value = @ldap_conf[entry_name]
- if existing_value && existing_value.kind_of?(::String)
- @ldap_conf[entry_name] = [existing_value, entry_value]
- elsif existing_value && existing_value.kind_of?(::Array)
- @ldap_conf[entry_name] = existing_value + [entry_value]
- else
- @ldap_conf[entry_name] = entry_value
- end
- }
# Read PAM/NSS
@ldap_pam = Yast::Pam.Enabled('ldap')
@ldap_nss = []
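Review bot: The method comment `# Load LDAP configuration.` on the context line above `def ldap_read` is wrong after this change: the body no longer reads /etc/ldap.conf, it only queries `Yast::Pam.Enabled('ldap')` and, presumably below the hunk, the NSS databases. I would change it to `# Detect legacy pam_ldap/nss_ldap usage (PAM and NSS only; /etc/ldap.conf is no longer read).` so a reader does not look for parsing code that is gone. ldap_read continues past the end of the hunk.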
@@ -470,18 +450,15 @@
# Return LDAP configuration.
def ldap_export
- return {'conf' => @ldap_conf, 'pam' => @ldap_pam, 'nss' => @ldap_nss}
+ return {'pam' => @ldap_pam, 'nss' => @ldap_nss}
end
# Set configuration for LDAP from exported objects.
def ldap_import(exported_conf)
if exported_conf.nil?
- @ldap_conf = {}
@ldap_pam = false
@ldap_nss = []
else
- @ldap_conf = exported_conf['conf']
- @ldap_conf = {} if @ldap_conf.nil?
@ldap_pam = exported_conf['pam']
@ldap_pam = false if @ldap_pam.nil?
@ldap_nss = exported_conf['nss']
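Review bot: `ldap_import` now silently discards the `'conf'` key that older exported profiles still carry — the two lines reading it are removed while the rest of the hash is accepted unchanged — so a profile that relied on LDAP settings imports without any indication that they were dropped. I would log it where the hash is read, e.g. `log.warn('Ignoring legacy LDAP conf section, configure SSSD instead') if exported_conf.key?('conf')` (the class includes `Yast::Logger`, so `log` is in scope). Note also that `'pam'` and `'nss'` are still imported into `@ldap_pam`/`@ldap_nss` although this commit removes `ldap_apply`, so an imported profile asking for pam_ldap can no longer be applied; the method comment should say that these values are only used for the migration warning. ldap_import continues past the end of the hunk, and the method that ends with `return content` at the top of the next hunk (presumably the `ldap_make_conf` that the removed `ldap_apply` called) should be checked for remaining `@ldap_conf` references, since that attribute no longer exists.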
@@ -506,93 +483,6 @@
return content
end
- # Immediately apply LDAP configuration, including PAM/NSS configuration.
- def ldap_apply
- if @autoyast_editor_mode
- return
- end
- # Calculate package requirements
- pkgs = []
- if @ldap_pam
- pkgs += ['pam_ldap']
- end
- if @ldap_nss.any?
- pkgs += ['nss_ldap']
- if @ldap_nss.include?('automount')
- pkgs += ['openldap2-client'] # provides /etc/openldap/ldap.conf
- end
- end
- pkgs.delete_if { |name| Yast::Package.Installed(name) }
- if pkgs.any?
- if !Yast::Package.DoInstall(pkgs)
- Yast::Report.Error(_('Failed to install software packages required for LDAP.'))
- end
- end
- # Write LDAP config file and correct its permission and ownerships
- ldap_conf = File.new('/etc/ldap.conf', 'w')
- ldap_conf.chmod(0600)
- ldap_conf.chown(0, 0)
- ldap_conf.write(ldap_make_conf)
- ldap_conf.close
- # If automount is enabled, overwrite openldap's ldap.conf as well.
- if @ldap_nss.include?('automount')
- ldap_conf = File.new('/etc/openldap/ldap.conf', 'w')
- ldap_conf.chmod(0644)
- ldap_conf.chown(0, 0)
- ldap_conf.write(ldap_make_conf)
- ldap_conf.close
- end
- # Save PAM/NSS/daemon status
- if @ldap_pam
- Yast::Pam.Add('ldap')
- else
- Yast::Pam.Remove('ldap')
- end
- fix_pam
- LDAP_CAPABLE_NSS_DBS.each { |db| nss_disable_module(db, 'ldap') }
- if @ldap_nss.any?
- @ldap_nss.each { |db| nss_enable_module(db, 'ldap') }
- end
- end
-
- # Run ldapsearch to test the parameters. Return empty string if test is successful, otherwise return ldapsearch error output.
- def ldap_test_bind(uri, start_tls, dn, password, base_dn)
- # Make sure openldap client is installed
- if !Yast::Package.Installed('openldap2-client')
- if !Yast::Package.DoInstall(['openldap2-client'])
- return 'Failed to install openldap2-client package'
- end
- end
- # Create a temporary file to hold the password
- pwd_filename = "yastauthclient-ldaptestbind-#{Time.now.strftime('%Y%m%d%I%M%S')}"
- pwd_file = File.open(pwd_filename, 'w', 0600)
- pwd_file.write(password)
- pwd_file.close
- # Run ldapsearch with password bind
- cmd = "ldapsearch -o nettimeout=5 -s one -x -H '#{uri}' "
- if start_tls
- cmd += '-ZZ '
- end
- if dn.to_s != ''
- cmd += "-D '#{dn}' -y '#{pwd_filename}' "
- end
- cmd += "-b #{base_dn}"
- out = ''
- errout = ''
- exitstatus = 0
- Open3.popen3(cmd){ |stdin, stdout, stderr, control|
- stdin.close
- out = stdout.read
- errout = stderr.read
- exitstatus = control.value
- }
- File.unlink(pwd_file)
- if exitstatus == 0
- return ''
- end
- return _("ERROR: ") + "#{out}\n#{errout}"
- end
-
# Parse and set Kerberos configuration
def krb_parse_set(content)
@krb_conf = KrbParse.parse(content)
@@ -772,32 +662,14 @@
if @autoyast_editor_mode
return
end
- # Calculate package requirements
- pkgs = []
- if @krb_pam
- pkgs += ['pam_krb5', 'krb5', 'krb5-client']
- end
- pkgs.delete_if { |name| Yast::Package.Installed(name) }
- if pkgs.any?
- if !Yast::Package.DoInstall(pkgs)
- Yast::Report.Error(_('Failed to install software packages required for Kerberos.'))
- end
- end
# Write LDAP config file and correct its permission and ownerships
krb_conf = File.new('/etc/krb5.conf', 'w')
krb_conf.chmod(0644)
krb_conf.chown(0, 0)
krb_conf.write(krb_make_conf)
krb_conf.close
- # Save PAM/NSS/daemon status
- if @krb_pam
- Yast::Pam.Add('krb5')
- else
- Yast::Pam.Remove('krb5')
- end
- fix_pam
end
-
+
# Create a Kerberos realm if it does not yet exist. If it already exists, update the configuration. All parameters are required.
def krb_add_update_realm(realm_name, kdc_addr, admin_addr, make_domain_realms, make_default)
realm_name = realm_name.upcase.strip
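Review bot: The context comment `# Write LDAP config file and correct its permission and ownerships` in `krb_apply` names the wrong file — the lines under it write /etc/krb5.conf — and with the package and PAM code gone it is now the only comment in the body, so it should read `# Write the Kerberos config file (/etc/krb5.conf) and correct its permission and ownership`. Dropping the `Yast::Pam.Add('krb5')`/`Yast::Pam.Remove('krb5')` branch also means applying the configuration no longer touches the PAM stack at all, so a host that already has pam_krb5 enabled keeps it while the status text in the later `@@ -1108,26 +968,25 @@` hunk tells the user the module can no longer be configured; if leaving existing PAM state untouched is intended, a sentence in the method comment saying so would avoid the question. The final `-`/`+` pair of the hunk replaces a blank line with a blank line, which looks like a whitespace-only change that could be left out. krb_apply's signature is above the hunk.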
@@ -1070,18 +942,6 @@
end
}
end
- if @ldap_pam
- pkgs += ['pam_ldap']
- end
- if @krb_pam
- pkgs += ['pam_krb5', 'krb5', 'krb5-client']
- end
- if @ldap_nss.any?
- pkgs += ['nss_ldap']
- if @ldap_nss.include?('automount')
- pkgs += ['openldap2-client'] # provides /etc/openldap/ldap.conf
- end
- end
if @autofs_enabled || @sssd_nss.include?('automount') || @ldap_nss.include?('automount')
pkgs += ['autofs']
end
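Review bot: `@ldap_nss.include?('automount')` still contributes `autofs` to the package list on the remaining `if`, while the `nss_ldap` and `openldap2-client` requirements derived from the same field are removed just above it. Since nss_ldap itself is no longer installed or configured by this module, pulling in autofs because of a legacy nss_ldap automount entry looks inconsistent; unless autofs is deliberately still wanted for the migration case, I would reduce the condition to `if @autofs_enabled || @sssd_nss.include?('automount')`. The enclosing method starts above the hunk.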
@@ -1108,26 +968,25 @@
auth_doms_caption += ' ' + _('(daemon is inactive)')
end
else
- # LDAP and/or Kerberos is configured
- if @ldap_nss.any? || @ldap_pam
- if @ldap_conf['base'].to_s == ''
- auth_doms_caption = _('LDAP is enabled but the setup is incomplete')
+ list_of_providers = ''
+ if @ldap_nss.any?
+ list_of_providers = _('NSS LDAP')
+ end
+ if @ldap_pam
+ if list_of_providers != ''
+ list_of_providers = _('PAM + NSS LDAP')
else
- auth_doms_caption = _('via LDAP on %s') % [@ldap_conf['base']]
+ list_of_providers = _('PAM LDAP')
end
end
if @krb_pam
- if auth_doms_caption != ''
- # 'and' as in "authenticate via LDAP and Kerberos"
- auth_doms_caption += _(' and ')
- end
- realms = @krb_conf.fetch('realms', {})
- if realms.length == 0
- auth_doms_caption += _('via Kerberos')
+ if list_of_providers != ''
+ list_of_providers += _('and PAM KRB5')
else
- auth_doms_caption += _('via Kerberos on %s') % [realms.keys.join(', ')]
+ list_of_providers = _('PAM KRB5')
end
end
+ auth_doms_caption = _('������ Use of %s detected. These modules can no longer be configured and you MUST migrate to SSSD') % [list_of_providers]
end
return auth_doms_caption
end
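Review bot: `list_of_providers += _('and PAM KRB5')` lacks a leading space, so a host with both pam_ldap and pam_krb5 gets the caption `Use of PAM LDAPand PAM KRB5 detected…`. Building the caption by concatenating translated fragments is also hard to localise; collecting the module names into an array and joining them with a translatable separator fixes both. I cannot see the condition that leads into this `else` branch, but if it is reached when neither SSSD nor any legacy module is enabled, `list_of_providers` stays empty and the last `+` line still emits `Use of  detected…`, so the assignment should be guarded. The leading characters of that message string appear mis-encoded in this diff and should be checked in the source file; the rewrite below omits them. The enclosing method starts above the hunk.
```ruby
    else
      # Legacy pam_ldap/nss_ldap/pam_krb5 detected: name the modules so the user knows what to migrate
      list_of_providers = []
      if @ldap_nss.any? && @ldap_pam
        list_of_providers << _('PAM + NSS LDAP')
      elsif @ldap_nss.any?
        list_of_providers << _('NSS LDAP')
      elsif @ldap_pam
        list_of_providers << _('PAM LDAP')
      end
      list_of_providers << _('PAM KRB5') if @krb_pam
      unless list_of_providers.empty?
        # 'and' as in "PAM LDAP and PAM KRB5"
        auth_doms_caption = _('Use of %s detected. These modules can no longer be configured and you MUST migrate to SSSD') % [list_of_providers.join(_(' and '))]
      end
    end
    # … unchanged: return auth_doms_caption …
```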
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/edit_realm_dialog.rb new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/edit_realm_dialog.rb
--- old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/edit_realm_dialog.rb 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/edit_realm_dialog.rb 1970-01-01 01:00:00.000000000 +0100
@@ -1,178 +0,0 @@
-# encoding: utf-8
-
-# ------------------------------------------------------------------------------
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of version 2 of the GNU General Public License as published by the
-# Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program; if not, contact SUSE Linux GmbH.
-#
-# ------------------------------------------------------------------------------
-
-require 'yast'
-require 'auth/authconf'
-require 'authui/ldapkrb/generic_input_dialog'
-Yast.import 'UI'
-Yast.import 'Icon'
-Yast.import 'Label'
-
-module LdapKrb
- # Edit Kerberos realm configuration
- class EditRealmDialog < UI::Dialog
- include Yast
- include Auth
- include UIShortcuts
- include I18n
- include Logger
-
- def initialize(realm_name)
- super()
- @realm_name = realm_name
- textdomain "auth-client"
- end
-
- def create_dialog
- return false unless super
- return true
- end
-
- def dialog_options
- Opt(:decorated)
- end
-
- def dialog_content
- VBox(
- InputField(Id(:realm_name), Opt(:hstretch), _('Realm name'), @realm_name.to_s),
- CheckBox(Id(:map_domain), Opt(:hstretch), _('Map Domain Name to the Realm (example.com -> EXAMPLE.COM)'),
- !@realm_name.nil? && !AuthConfInst.krb_conf_get(['domain_realm', @realm_name.downcase], nil).nil?),
- CheckBox(Id(:map_wildcard_domain), Opt(:hstretch), _('Map Wild Card Domain Name to the Realm (*.example.com -> EXAMPLE.COM)'),
- !@realm_name.nil? && !AuthConfInst.krb_conf_get(['domain_realm', ".#{@realm_name.downcase}"], nil).nil?),
- VSpacing(1.0),
- InputField(Id(:admin_server), Opt(:hstretch), _('Host Name of Administration Server (Optional)'),
- AuthConfInst.krb_conf_get(['realms', @realm_name, 'admin_server'], '')),
- InputField(Id(:master_kdc), Opt(:hstretch), _('Host Name of Master Key Distribution Center (Optional)'),
- AuthConfInst.krb_conf_get(['realms', @realm_name, 'master_kdc'], '')),
- SelectionBox(Id(:kdc), Opt(:hstretch), _('Key Distribution Centers (Optional If Auto-Discovery via DNS is Enabled)'),
- AuthConfInst.krb_conf_get(['realms', @realm_name, 'kdc'], [])),
- Left(HBox(PushButton(Id(:kdc_add), Label.AddButton), PushButton(Id(:kdc_remove), Label.DeleteButton))),
- VSpacing(1.0),
- HBox(
- VBox(
- Left(Label(_('Custom Mappings of Principal Names to User Names'))),
- Table(Id(:auth_to_local_names), Header(_('Principal Name'), _('User Name')),
- AuthConfInst.krb_conf_get(['realms', @realm_name, 'auth_to_local_names'], []).map {|princ_name, user_name| Item(princ_name, user_name)}),
- Left(HBox(PushButton(Id(:a2ln_add), Label.AddButton), PushButton(Id(:a2ln_remove), Label.DeleteButton))),
- ),
- VBox(
- SelectionBox(Id(:auth_to_local), _('Custom Rules for Mapping Principal Names to User Names'),
- AuthConfInst.krb_conf_get(['realms', @realm_name, 'auth_to_local'], [])),
- Left(HBox(PushButton(Id(:a2l_add), Label.AddButton), PushButton(Id(:a2l_remove), Label.DeleteButton))),
- )
- ),
- VSpacing(1.0),
- ButtonBox(
- PushButton(Id(:ok), Label.OKButton),
- PushButton(Id(:cancel), Label.CancelButton),
- )
- )
- end
-
- # Add a KDC
- def kdc_add_handler
- new_kdc = GenericInputDialog.new(_('Please type in the host name of Key Distribution Centre:'), '').run
- if !new_kdc.nil?
- UI.ChangeWidget(Id(:kdc), :Items, UI.QueryWidget(Id(:kdc), :Items) + [new_kdc])
- end
- end
-
- # Remove a KDC
- def kdc_remove_handler
- UI.ChangeWidget(Id(:kdc), :Items, UI.QueryWidget(Id(:kdc), :Items).map{|item| item[1]} - [UI.QueryWidget(Id(:kdc), :CurrentItem)])
- end
-
- # Add an auth_to_local
- def a2l_add_handler
- new_a2l = GenericInputDialog.new(_('Please type the new rule string (e.g. "RULE:[2:$1](johndoe)s/^.*$/guest/")'), '').run
- if !new_a2l.nil?
- UI.ChangeWidget(Id(:auth_to_local), :Items, UI.QueryWidget(Id(:auth_to_local), :Items) + [new_a2l])
- end
- end
-
- # Remove an auth_to_local
- def a2l_remove_handler
- UI.ChangeWidget(Id(:auth_to_local), :Items, UI.QueryWidget(Id(:auth_to_local), :Items).map{|item| item[1]} - [UI.QueryWidget(Id(:auth_to_local), :CurrentItem)])
- end
-
- # Add an auth_to_local_names
- def a2ln_add_handler
- new_a2ln = GenericInputDialog.new(_('Please type in the principal name and user name in the format of "princ_name = user_name":'), '').run
- if !new_a2ln.nil?
- new_a2ln = new_a2ln.split(/\s*=\s*/)
- if new_a2ln.length == 2
- UI.ChangeWidget(Id(:auth_to_local_names), :Items, UI.QueryWidget(Id(:auth_to_local_names), :Items) + [Item(new_a2ln[0], new_a2ln[1])])
- end
- end
- end
-
- # Remove an auth_to_local_names
- def a2ln_remove_handler
- current_key = UI.QueryWidget(Id(:auth_to_local_names), :CurrentItem)
- new_items = UI.QueryWidget(Id(:auth_to_local_names), :Items).select{ |item| item[1] != current_key}
- UI.ChangeWidget(Id(:auth_to_local_names), :Items, new_items)
- end
-
- # Save realm settings
- def ok_handler
- input_realm_name = UI.QueryWidget(Id(:realm_name), :Value).upcase
- if input_realm_name == ''
- Popup.Error(_('Please enter realm name.'))
- return
- end
- # Move configuration from one realm to another
- if !@realm_name.nil? && @realm_name != input_realm_name
- AuthConfInst.krb_conf['realms'][input_realm_name] = AuthConfInst.krb_conf['realms'][@realm_name]
- AuthConfInst.krb_conf['realms'].delete(@realm_name)
- if AuthConfInst.krb_conf['libdefaults']['default_realm'] == @realm_name
- AuthConfInst.krb_conf['libdefaults']['default_realm'] = input_realm_name
- end
- domains = AuthConfInst.krb_conf['domain_realm'].select{ |_, realm| realm == @realm_name}.keys
- domains.each {|domain| AuthConfInst.krb_conf['domain_realm'].delete(domain)}
- domains.each {|domain| AuthConfInst.krb_conf['domain_realm'][domain] = input_realm_name}
- end
- # Create new realm
- if !AuthConfInst.krb_conf['realms'].include?(input_realm_name)
- AuthConfInst.krb_conf['realms'][input_realm_name] = {}
- end
- # Set settings
- realm_conf = AuthConfInst.krb_conf['realms'][input_realm_name]
- realm_conf['admin_server'] = UI.QueryWidget(Id(:admin_server), :Value)
- realm_conf['master_kdc'] = UI.QueryWidget(Id(:master_kdc), :Value)
- realm_conf['kdc'] = UI.QueryWidget(Id(:kdc), :Items).map{|item| item[1]}
- if UI.QueryWidget(Id(:map_domain), :Value)
- AuthConfInst.krb_conf['domain_realm'][input_realm_name.downcase] = input_realm_name
- else
- AuthConfInst.krb_conf['domain_realm'].delete(input_realm_name.downcase)
- end
- if UI.QueryWidget(Id(:map_wildcard_domain), :Value)
- AuthConfInst.krb_conf['domain_realm'][".#{input_realm_name.downcase}"] = input_realm_name
- else
- AuthConfInst.krb_conf['domain_realm'].delete(".#{input_realm_name.downcase}")
- end
- realm_conf['auth_to_local'] = UI.QueryWidget(Id(:auth_to_local), :Items).map{|item| item[1]}
- realm_conf['auth_to_local_names'] = Hash[*UI.QueryWidget(Id(:auth_to_local_names), :Items).map{|item| [item[1], item[2]]}.flatten]
- finish_dialog(:finish)
- end
-
- # Close the dialog
- def finish_handler
- finish_dialog(:finish)
- end
- end
-end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/generic_input_dialog.rb new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/generic_input_dialog.rb
--- old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/generic_input_dialog.rb 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/generic_input_dialog.rb 1970-01-01 01:00:00.000000000 +0100
@@ -1,74 +0,0 @@
-# encoding: utf-8
-
-# ------------------------------------------------------------------------------
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of version 2 of the GNU General Public License as published by the
-# Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program; if not, contact SUSE Linux GmbH.
-#
-# ------------------------------------------------------------------------------
-
-require 'yast'
-require 'auth/authconf'
-Yast.import 'UI'
-Yast.import 'Icon'
-Yast.import 'Label'
-
-module LdapKrb
- # A generic text input dialog.
- class GenericInputDialog
- include Yast
- include Auth
- include UIShortcuts
- include I18n
- include Logger
-
- def initialize(caption, default_text)
- @caption = caption
- @default_text = default_text
- textdomain "auth-client"
- end
-
- def run
- return if !render_all
- begin
- return ui_event_loop
- ensure
- UI.CloseDialog()
- end
- end
-
- def render_all
- UI.OpenDialog(
- VBox(
- Left(Label(@caption)),
- InputField(Id(:input), Opt(:hstretch), @default_text),
- ButtonBox(
- PushButton(Id(:ok), Label.OKButton),
- PushButton(Id(:cancel), Label.CancelButton),
- )
- )
- )
- end
-
- # Return text in the input field, or nil if the dialog is cancelled.
- def ui_event_loop
- loop do
- case UI.UserInput
- when :ok
- return UI.QueryWidget(Id(:input), :Value)
- else
- return nil
- end
- end
- end
- end
-end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/krb_extended_opts_dialog.rb new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/krb_extended_opts_dialog.rb
--- old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/krb_extended_opts_dialog.rb 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/krb_extended_opts_dialog.rb 1970-01-01 01:00:00.000000000 +0100
@@ -1,78 +0,0 @@
-# encoding: utf-8
-
-# ------------------------------------------------------------------------------
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of version 2 of the GNU General Public License as published by the
-# Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program; if not, contact SUSE Linux GmbH.
-#
-# ------------------------------------------------------------------------------
-
-require 'yast'
-require 'ui/dialog'
-require 'auth/authconf'
-Yast.import 'UI'
-Yast.import 'Label'
-
-module LdapKrb
- # Edit more configuration items for Kerberos.
- class KrbExtendedOptsDialog < UI::Dialog
- include Yast
- include Auth
- include UIShortcuts
- include I18n
-
- def initialize
- super()
- textdomain "auth-client"
- end
-
- def create_dialog
- return super
- end
-
- def dialog_options
- Opt(:decorated)
- end
-
- def dialog_content
- MinWidth(80, VBox(
- InputField(Id(:default_keytab_name), Opt(:hstretch), _('Default Location of Keytab File'),
- AuthConfInst.krb_conf_get(['libdefaults', 'default_keytab_name'], '/etc/krb5.keytab')),
- InputField(Id(:default_tgs_enctypes), Opt(:hstretch), _('Encryption Types for TGS (Space separated)'),
- AuthConfInst.krb_conf_get(['libdefaults', 'default_tgs_enctypes'], AuthConfInst.krb_get_default(:default_tgs_enctypes))),
- InputField(Id(:default_tkt_enctypes), Opt(:hstretch), _('Encryption Types for Ticket (Space separated)'),
- AuthConfInst.krb_conf_get(['libdefaults', 'default_tkt_enctypes'], AuthConfInst.krb_get_default(:default_tkt_enctypes))),
- InputField(Id(:permitted_enctypes), Opt(:hstretch), _('Encryption Types for Sessions (Space separated)'),
- AuthConfInst.krb_conf_get(['libdefaults', 'permitted_enctypes'], AuthConfInst.krb_get_default(:permitted_enctypes))),
- InputField(Id(:extra_addresses), Opt(:hstretch), _('Additional Addresses to be put in Ticket (Comma separated)'),
- AuthConfInst.krb_conf_get(['libdefaults', 'extra_addresses'], '')),
- VSpacing(1.0),
- HBox(PushButton(Id(:reset), _('Reset')), PushButton(Id(:finish), Label.OKButton)),
- ))
- end
-
- def reset_handler
- [:default_keytab_name, :default_tgs_enctypes, :default_tkt_enctypes, :permitted_enctypes].each { |key|
- UI.ChangeWidget(Id(key), :Value, AuthConfInst.krb_get_default(key))
- }
- end
-
- def finish_handler
- AuthConfInst.krb_conf['libdefaults']['default_keytab_name'] = UI.QueryWidget(Id(:default_keytab_name), :Value)
- AuthConfInst.krb_conf['libdefaults']['default_tgs_enctypes'] = UI.QueryWidget(Id(:default_tgs_enctypes), :Value)
- AuthConfInst.krb_conf['libdefaults']['default_tkt_enctypes'] = UI.QueryWidget(Id(:default_tkt_enctypes), :Value)
- AuthConfInst.krb_conf['libdefaults']['permitted_enctypes'] = UI.QueryWidget(Id(:permitted_enctypes), :Value)
- AuthConfInst.krb_conf['libdefaults']['extra_addresses'] = UI.QueryWidget(Id(:extra_addresses), :Value)
- finish_dialog(:finish)
- end
- end
-end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/ldap_extended_opts_dialog.rb new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/ldap_extended_opts_dialog.rb
--- old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/ldap_extended_opts_dialog.rb 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/ldap_extended_opts_dialog.rb 1970-01-01 01:00:00.000000000 +0100
@@ -1,66 +0,0 @@
-# encoding: utf-8
-
-# ------------------------------------------------------------------------------
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of version 2 of the GNU General Public License as published by the
-# Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program; if not, contact SUSE Linux GmbH.
-#
-# ------------------------------------------------------------------------------
-
-require 'yast'
-require 'ui/dialog'
-require 'auth/authconf'
-Yast.import 'UI'
-Yast.import 'Label'
-
-module LdapKrb
- # Edit more configuration items for LDAP.
- class LdapExtendedOptsDialog < UI::Dialog
- include Yast
- include Auth
- include UIShortcuts
- include I18n
-
- def initialize
- super()
- textdomain "auth-client"
- end
-
- def create_dialog
- super
- end
-
- def dialog_options
- Opt(:decorated)
- end
-
- def dialog_content
- # The user cannot possibly understand the implication of 0 in search timeout if the user uses YaST
- MinWidth(80, VBox(
- IntField(Id(:ldap_bind_timelimit), Opt(:hstretch), _('Timeout for Bind Operations in Seconds'), 1, 600,
- (AuthConfInst.ldap_conf['bind_timelimit'].to_s == '' ? '30' : AuthConfInst.ldap_conf['bind_timelimit']).to_i),
- IntField(Id(:ldap_timelimit), Opt(:hstretch), _('Timeout for Search Operations in Seconds'), 1, 600,
- (AuthConfInst.ldap_conf['timelimit'].to_s == '' ? '30' : AuthConfInst.ldap_conf['timelimit']).to_i),
- VSpacing(1.0),
- PushButton(Id(:finish), Label.OKButton)
- ))
- end
-
- def finish_handler
- # The user cannot possibly understand the implication of 'hard' policy if the user uses YaST
- AuthConfInst.ldap_conf['bind_policy'] = 'soft'
- AuthConfInst.ldap_conf['bind_timelimit'] = UI.QueryWidget(Id(:ldap_bind_timelimit), :Value)
- AuthConfInst.ldap_conf['timelimit'] = UI.QueryWidget(Id(:ldap_timelimit), :Value)
- finish_dialog(:finish)
- end
- end
-end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/main_dialog.rb new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/main_dialog.rb
--- old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/main_dialog.rb 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/main_dialog.rb 1970-01-01 01:00:00.000000000 +0100
@@ -1,441 +0,0 @@
-# encoding: utf-8
-
-# ------------------------------------------------------------------------------
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of version 2 of the GNU General Public License as published by the
-# Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program; if not, contact SUSE Linux GmbH.
-#
-# ------------------------------------------------------------------------------
-
-require 'yast'
-require 'auth/authconf.rb'
-require 'authui/ldapkrb/edit_realm_dialog'
-require 'authui/ldapkrb/krb_extended_opts_dialog'
-require 'authui/ldapkrb/ldap_extended_opts_dialog'
-Yast.import 'UI'
-Yast.import 'Label'
-
-module LdapKrb
- # Main dialog shows three tabs, one for Kerberos, one for LDAP, and one for auxiliary daemons.
- class MainDialog
- include Yast
- include Auth
- include UIShortcuts
- include I18n
- include Logger
-
- def initialize
- @tab = :ldap # the last saved tab
- textdomain 'auth-client'
- end
-
- def run
- return if !UI.OpenDialog(Opt(:decorated, :defaultsize),
- VBox(Opt(:hstretch),
- DumbTab([_('Use a Directory as Identity Provider (LDAP)'), _('Authentication via Kerberos')],
- ReplacePoint(Id(:tab), Empty())),
- ButtonBox(
- PushButton(Id(:ok), Label.OKButton),
- PushButton(Id(:cancel), Label.CancelButton),
- ),
- ),
- )
- render_ldap
- begin
- return ui_event_loop
- ensure
- UI.CloseDialog()
- end
- end
-
- def ui_event_loop
- loop do
- case UI.UserInput
- when _('Use a Directory as Identity Provider (LDAP)')
- save_tab
- render_ldap
- @tab = :ldap
- when _('Authentication via Kerberos')
- save_tab
- render_krb
- @tab = :krb
-
- # LDAP tab events
- when :ldap_pam
- if UI.QueryWidget(Id(:ldap_pam), :Value)
- if AuthConfInst.sssd_pam || AuthConfInst.sssd_enabled
- Popup.Error(_("This computer is currently using SSSD to authenticate users.\n" +
- "Before you may use legacy LDAP authentication (pam_ldap), please disable SSSD from \"User Logon Management\"."))
- UI.ChangeWidget(Id(:ldap_pam), :Value, false)
- end
- end
- when :ldap_nss_passwd
- if UI.QueryWidget(Id(:ldap_nss_passwd), :Value)
- if AuthConfInst.sssd_nss.include?('passwd')
- Popup.Error(_("This computer is currently reading user database from SSSD identity provider.\n" +
- "Before you may use LDAP user database (nss_ldap), please disable SSSD user database from \"User Logon Management\"."))
- UI.ChangeWidget(Id(:ldap_nss_passwd), :Value, false)
- end
- end
- when :ldap_nss_group
- if UI.QueryWidget(Id(:ldap_nss_group), :Value)
- if AuthConfInst.sssd_nss.include?('group')
- Popup.Error(_("This computer is currently reading group database from SSSD identity provider.\n" +
- "Before you may use LDAP group database (nss_ldap), please disable SSSD group database from \"User Logon Management\"."))
- UI.ChangeWidget(Id(:ldap_nss_group), :Value, false)
- end
- end
- when :ldap_nss_sudoers
- if UI.QueryWidget(Id(:ldap_nss_sudoers), :Value)
- if AuthConfInst.sssd_nss.include?('sudoers')
- Popup.Error(_("This computer is currently reading sudoers database from SSSD identity provider.\n" +
- "Before you may use LDAP sudoers database (nss_ldap), please disable SSSD sudo database from \"User Logon Management\"."))
- UI.ChangeWidget(Id(:ldap_nss_sudoers), :Value, false)
- end
- end
- when :ldap_nss_automount
- if UI.QueryWidget(Id(:ldap_nss_automount), :Value)
- if AuthConfInst.sssd_nss.include?('automount')
- Popup.Error(_("This computer is currently reading automount database from SSSD identity provider.\n" +
- "Before you may use LDAP automount database (nss_ldap), please disable SSSD automount database from \"User Logon Management\"."))
- UI.ChangeWidget(Id(:ldap_nss_automount), :Value, false)
- redo
- end
- end
- AuthConfInst.autofs_enabled = UI.QueryWidget(Id(:ldap_nss_automount), :Value)
- when :ldap_test
- uris, hosts = get_ldap_uri_and_hosts
- if uris.empty? && hosts.empty?
- Popup.Error(_('Please enter server URI.'))
- redo
- end
- start_tls = UI.QueryWidget(Id(:ldap_tls_method), :CurrentButton) == :ldap_tls_method_starttls
- dn = UI.QueryWidget(Id(:ldap_binddn), :Value)
- password = UI.QueryWidget(Id(:ldap_bindpw), :Value)
- base_dn = UI.QueryWidget(Id(:ldap_base), :Value)
- if base_dn == ''
- Popup.Error(_('Please enter DN of search base.'))
- redo
- end
- # Test URI input
- uris.each {|uri|
- result = AuthConfInst.ldap_test_bind(uri, start_tls, dn, password, base_dn)
- if result == ''
- Popup.Message(_('Successfully contacted LDAP server on URI %s!') % [uri])
- else
- Popup.LongError(_("Connection check has failed on URI %s.\n\n%s") % [uri, result])
- end
- }
- # Test host address input, construct URI for each one.
- host_uri_prefix = ''
- if UI.QueryWidget(Id(:ldap_tls_method), :CurrentButton) == :ldap_tls_method_yes
- host_uri_prefix = 'ldaps://'
- else
- host_uri_prefix = 'ldap://'
- end
- hosts.each {|host|
- splitted = host.split(':')
- if splitted.length == 1
- host_uri = "#{host_uri_prefix}#{host}:389"
- else
- host_uri = "#{host_uri_prefix}#{splitted[0]}:#{splitted[1]}"
- end
- result = AuthConfInst.ldap_test_bind(host_uri, start_tls, dn, password, base_dn)
- if result == ''
- Popup.Message(_('Successfully contacted LDAP server on host %s') % [host_uri])
- else
- Popup.LongError(_("Connection check has failed on host %s.\n\n%s") % [host_uri, result])
- end
- }
- when :ldap_extended_opts
- LdapExtendedOptsDialog.new.run
- when :nscd_enable
- if AuthConfInst.sssd_enabled && UI.QueryWidget(Id(:nscd_enable), :Value)
- if !Popup.YesNo(_("The name service cache is should only used with legacy LDAP identity provider,\n" +
- "but your system currently has authentication domain enabled, which is not compatible with the cache.\n\n" +
- "Do you still wish to enable the cache?"))
- UI.ChangeWidget(Id(:nscd_enable), :Value, false)
- end
- end
- when :ldap_extended_opts
- LdapExtendedOptsDialog.new.run
-
- # Kerberos tab events
- when :krb_pam
- if UI.QueryWidget(Id(:krb_pam), :Value)
- if AuthConfInst.sssd_pam || AuthConfInst.sssd_enabled
- Popup.Error(_("This computer is currently using SSSD to authenticate users.\n" +
- "Before you may use Kerberos authentication (pam_krb5), please disable SSSD from \"User Logon Management\"."))
- UI.ChangeWidget(Id(:krb_pam), :Value, false)
- end
- end
- when :krb_realm_new
- LdapKrb::EditRealmDialog.new(nil).run
- curr_def = UI.QueryWidget(Id(:krb_default_realm), :Value)
- UI.ChangeWidget(Id(:krb_default_realm), :Items, [_('(not specified)')] + AuthConfInst.krb_conf['realms'].keys.sort)
- UI.ChangeWidget(Id(:krb_default_realm), :Value, curr_def)
- UI.ChangeWidget(Id(:krb_realms), :Items, AuthConfInst.krb_conf['realms'].keys.sort)
- when :krb_realm_edit
- realm = UI.QueryWidget(Id(:krb_realms), :CurrentItem)
- if realm.nil?
- redo
- end
- LdapKrb::EditRealmDialog.new(realm).run
- curr_def = UI.QueryWidget(Id(:krb_default_realm), :Value)
- UI.ChangeWidget(Id(:krb_default_realm), :Items, [_('(not specified)')] + AuthConfInst.krb_conf['realms'].keys.sort)
- UI.ChangeWidget(Id(:krb_default_realm), :Value, curr_def)
- UI.ChangeWidget(Id(:krb_realms), :Items, AuthConfInst.krb_conf['realms'].keys.sort)
- when :krb_realm_del
- realm_name = UI.QueryWidget(Id(:krb_realms), :CurrentItem)
- if realm_name.nil?
- redo
- end
- if Popup.YesNo(_('Are you sure to delete realm %s?') % [realm_name])
- AuthConfInst.krb_conf['domain_realm'].delete_if{ |_, domain_realm| domain_realm == realm_name}
- if UI.QueryWidget(Id(:krb_default_realm), :Value) == realm_name
- UI.ChangeWidget(Id(:krb_default_realm), :Value, _('(not specified)'))
- end
- AuthConfInst.krb_conf['realms'].delete(realm_name)
- UI.ChangeWidget(Id(:krb_realms), :Items, AuthConfInst.krb_conf['realms'].keys.sort)
- curr_def = UI.QueryWidget(Id(:krb_default_realm), :Value)
- UI.ChangeWidget(Id(:krb_default_realm), :Items, [_('(not specified)')] + AuthConfInst.krb_conf['realms'].keys.sort)
- UI.ChangeWidget(Id(:krb_default_realm), :Value, curr_def)
- if AuthConfInst.krb_conf_get(['libdefaults', 'default_realm'], nil) == realm_name
- AuthConfInst.krb_conf['libdefaults'].delete('default_realm')
- end
- end
- when :krb_extended_opts
- KrbExtendedOptsDialog.new.run
-
- # Save ALL
- when :ok
- save_tab
- AuthConfInst.ldap_apply
- AuthConfInst.krb_apply
- AuthConfInst.aux_apply
- break
- else
- break
- end
- end
- end
-
- # Save the content of current tab.
- def save_tab
- case @tab
- when :ldap
- save_ldap
- when :krb
- save_krb
- when :aux
- save_aux
- end
- end
-
- # Return a tuple of ldap URIs (array) and ldap host:port combinations (array).
- def get_ldap_uri_and_hosts
- uris = []
- hosts = []
- UI.QueryWidget(Id(:ldap_host_or_uri), :Value).split(/\s+/).each {|entry|
- if /ldap.*:\/\//.match(entry)
- uris += [entry]
- else
- hosts += [entry]
- end
- }
- return [uris, hosts]
- end
-
- def save_ldap
- AuthConfInst.nscd_enabled = UI.QueryWidget(Id(:nscd_enable), :Value)
- AuthConfInst.ldap_pam = UI.QueryWidget(Id(:ldap_pam), :Value)
- ['passwd', 'group', 'sudoers', 'automount'].each{ |db|
- symbol = ('ldap_nss_' + db).to_sym
- if UI.QueryWidget(Id(symbol), :Value)
- AuthConfInst.ldap_nss += [db] if !AuthConfInst.ldap_nss.include?(db)
- else
- AuthConfInst.ldap_nss.delete_if{ |n| n == db}
- end
- }
- # Split URI/host entry into two attributes, remove port attribute
- AuthConfInst.ldap_conf.delete('port')
- uris, hosts = get_ldap_uri_and_hosts
- if hosts.any?
- AuthConfInst.ldap_conf['host'] = hosts.join(' ')
- else
- AuthConfInst.ldap_conf.delete('host')
- end
- if uris.any?
- AuthConfInst.ldap_conf['uri'] = uris.join(' ')
- else
- AuthConfInst.ldap_conf.delete('uri')
- end
- AuthConfInst.ldap_conf['base'] = UI.QueryWidget(Id(:ldap_base), :Value)
- AuthConfInst.ldap_conf['binddn'] = UI.QueryWidget(Id(:ldap_binddn), :Value)
- if AuthConfInst.ldap_conf['binddn'] == ''
- AuthConfInst.ldap_conf.delete('binddn')
- end
- AuthConfInst.ldap_conf['bindpw'] = UI.QueryWidget(Id(:ldap_bindpw), :Value)
- if AuthConfInst.ldap_conf['bindpw'] == ''
- AuthConfInst.ldap_conf.delete('bindpw')
- end
- if UI.QueryWidget(Id(:ldap_rfc2307bis), :Value)
- AuthConfInst.ldap_conf['nss_schema'] = 'rfc2307bis'
- else
- AuthConfInst.ldap_conf.delete('nss_schema')
- end
- if UI.QueryWidget(Id(:ldap_persist), :Value)
- AuthConfInst.ldap_conf['nss_connect_policy'] = 'persist'
- else
- AuthConfInst.ldap_conf['nss_connect_policy'] = 'oneshot'
- end
- case UI.QueryWidget(Id(:ldap_tls_method), :CurrentButton)
- when :ldap_tls_method_no
- AuthConfInst.ldap_conf['ssl'] = 'no'
- when :ldap_tls_method_yes
- AuthConfInst.ldap_conf['ssl'] = 'yes'
- when :ldap_tls_method_starttls
- AuthConfInst.ldap_conf['ssl'] = 'start_tls'
- end
-
- # bsc#1162025: Default bind_policy to soft if not present.
- if not AuthConfInst.ldap_conf.key?('bind_policy')
- AuthConfInst.ldap_conf['bind_policy'] = 'soft'
- end
-
- AuthConfInst.mkhomedir_pam = UI.QueryWidget(Id(:mkhomedir_enable), :Value)
- end
-
- # Save Kerberos
- def save_krb
- AuthConfInst.krb_pam = UI.QueryWidget(Id(:krb_pam), :Value)
- default_realm_choice = UI.QueryWidget(Id(:krb_default_realm), :Value)
- if default_realm_choice == _('(not specified)')
- AuthConfInst.krb_conf['libdefaults']['default_realm'] = nil
- else
- AuthConfInst.krb_conf['libdefaults']['default_realm'] = default_realm_choice
- end
- AuthConfInst.krb_conf['libdefaults']['forwardable'] = UI.QueryWidget(Id(:krb_forwardable), :Value)
- AuthConfInst.krb_conf['libdefaults']['proxiable'] = UI.QueryWidget(Id(:krb_proxiable), :Value)
- AuthConfInst.krb_conf['libdefaults']['noaddresses'] = UI.QueryWidget(Id(:krb_noaddresses), :Value)
- AuthConfInst.krb_conf['libdefaults']['dns_lookup_realm'] = UI.QueryWidget(Id(:krb_dns_lookup_realm), :Value)
- AuthConfInst.krb_conf['libdefaults']['dns_lookup_kdc'] = UI.QueryWidget(Id(:krb_dns_lookup_kdc), :Value)
- AuthConfInst.krb_conf['libdefaults']['allow_weak_crypto'] = UI.QueryWidget(Id(:krb_allow_weak_crypto), :Value)
- AuthConfInst.mkhomedir_pam = UI.QueryWidget(Id(:mkhomedir_enable), :Value)
- end
-
- def render_ldap
- UI.ReplaceWidget(Id(:tab), VBox(
- HBox(
- Top(VBox(
- Left(CheckBox(Id(:ldap_pam), Opt(:notify), _('Allow LDAP Users To Authenticate (pam_ldap)'), AuthConfInst.ldap_pam)),
- Left(CheckBox(Id(:nscd_enable), Opt(:notify), _('Cache LDAP Entries For Faster Response (nscd)'), AuthConfInst.nscd_enabled)),
- Left(CheckBox(Id(:mkhomedir_enable), _('Automatically Create Home Directory'), AuthConfInst.mkhomedir_pam)),
- VSpacing(1.0),
- Left(Label(_('Read the following items from LDAP data source:'))),
- Left(CheckBox(Id(:ldap_nss_passwd), Opt(:notify), _("Users"), AuthConfInst.ldap_nss.include?('passwd'))),
- Left(CheckBox(Id(:ldap_nss_group), Opt(:notify), _("Groups"), AuthConfInst.ldap_nss.include?('group'))),
- Left(CheckBox(Id(:ldap_nss_sudoers), Opt(:notify), _("Super-User Commands (sudo)"), AuthConfInst.ldap_nss.include?('sudoers'))),
- Left(CheckBox(Id(:ldap_nss_automount), Opt(:notify), _("Network Disk Locations (automount)"), AuthConfInst.ldap_nss.include?('automount'))),
- VSpacing(1.0),
- Left(Label(_('Enter LDAP server locations (space separated), in either format:'))),
- Left(Label(_('- Host name or IP and port number (ip:port)'))),
- Left(Label(_('- URI (ldap://server:port, ldaps://server:port)'))),
- InputField(Id(:ldap_host_or_uri), Opt(:hstretch), ''),
- InputField(Id(:ldap_base), Opt(:hstretch), _('DN of Search Base (e.g. dc=example,dc=com)'),
- AuthConfInst.ldap_conf['base'].to_s),
- )),
- Top(VBox(
- InputField(Id(:ldap_binddn), Opt(:hstretch), _('DN of Bind User (Leave Empty for Anonymous Bind)'),
- AuthConfInst.ldap_conf['binddn'].to_s),
- InputField(Id(:ldap_bindpw), Opt(:hstretch), _('Password of the Bind User (Leave Empty for Anonymous Bind)'),
- AuthConfInst.ldap_conf['bindpw'].to_s),
- VSpacing(1.0),
- CheckBox(Id(:ldap_rfc2307bis), Opt(:hstretch), _('Identify Group Members by Their DNs (RFC2307bis)'),
- AuthConfInst.ldap_conf['nss_schema'] == 'rfc2307bis'),
- CheckBox(Id(:ldap_persist), Opt(:hstretch), _('Leave LDAP Connections Open for Consecutive Requests'),
- AuthConfInst.ldap_conf['nss_connect_policy'] != 'oneshot'),
- VSpacing(1.0),
- Frame(_('Secure LDAP communication'), RadioButtonGroup(Id(:ldap_tls_method), VBox(
- Left(RadioButton(Id(:ldap_tls_method_no), _('Do Not Use Security'))),
- Left(RadioButton(Id(:ldap_tls_method_yes), _('Secure Communication via TLS'))),
- Left(RadioButton(Id(:ldap_tls_method_starttls), _('Secure Communication via StartTLS'))),
- ))),
- VSpacing(1.0),
- Left(HBox(PushButton(Id(:ldap_test), _('Test Connection')), PushButton(Id(:ldap_extended_opts), _('Extended Options')))),
- )),
- ),
- ))
- # Combine host/port/uri into one
- default_port_str = AuthConfInst.ldap_conf['port'] ? AuthConfInst.ldap_conf['port'] : '389'
- hosts = AuthConfInst.ldap_conf['host'].to_s.split(/\s+/).map{|a_host|
- # If not specified, append the default port number
- if a_host.split(':').length == 1
- a_host + ':' + default_port_str
- else
- a_host
- end
- }
- uris = AuthConfInst.ldap_conf['uri'].to_s.split(/\s+/)
- UI.ChangeWidget(Id(:ldap_host_or_uri), :Value, (uris + hosts).join(' '))
-
- if AuthConfInst.ldap_conf['bind_policy'] == 'soft'
- UI.ChangeWidget(Id(:ldap_bind_policy), :CurrentButton, :ldap_bind_policy_soft)
- else
- UI.ChangeWidget(Id(:ldap_bind_policy), :CurrentButton, :ldap_bind_policy_hard)
- end
- if AuthConfInst.ldap_conf['ssl'] == 'yes'
- UI.ChangeWidget(Id(:ldap_tls_method), :CurrentButton, :ldap_tls_method_yes)
- elsif AuthConfInst.ldap_conf['ssl'] == 'start_tls'
- UI.ChangeWidget(Id(:ldap_tls_method), :CurrentButton, :ldap_tls_method_starttls)
- else
- UI.ChangeWidget(Id(:ldap_tls_method), :CurrentButton, :ldap_tls_method_no)
- end
- end
-
- def render_krb
- UI.ReplaceWidget(Id(:tab), VBox(
- HBox(
- Top(VBox(
- Left(CheckBox(Id(:krb_pam), Opt(:notify), _('Allow Kerberos Users To Authenticate (pam_krb5)'),
- AuthConfInst.krb_pam)),
- Left(HBox(CheckBox(Id(:mkhomedir_enable), _('Automatically Create Home Directory'), AuthConfInst.mkhomedir_pam))),
- VSpacing(1.0),
- Left(ComboBox(Id(:krb_default_realm), _('Default Realm For User Login:'),
- [_('(not specified)')] + AuthConfInst.krb_conf['realms'].keys.sort)),
- Left(SelectionBox(Id(:krb_realms), _('All Authentication Realms'),
- AuthConfInst.krb_conf['realms'].keys.sort)),
- Left(HBox(PushButton(Id(:krb_realm_new), _('Add Realm')), PushButton(Id(:krb_realm_edit), _('Edit Realm')), PushButton(Id(:krb_realm_del), _('Delete Realm')))),
- )),
- Top(VBox(
- Left(CheckBox(Id(:krb_dns_lookup_realm), _('Use DNS TXT Record to Discover Realms'),
- AuthConfInst.krb_conf_get_bool(['libdefaults', 'dns_lookup_realm'], false))),
- Left(CheckBox(Id(:krb_dns_lookup_kdc), _('Use DNS SRV record to Discover KDC servers'),
- AuthConfInst.krb_conf_get_bool(['libdefaults', 'dns_lookup_kdc'], false))),
- VSpacing(1.0),
- Left(CheckBox(Id(:krb_allow_weak_crypto), _('Allow Insecure Encryption (Windows NT)'),
- AuthConfInst.krb_conf_get_bool(['libdefaults', 'allow_weak_crypto'], false))),
- Left(CheckBox(Id(:krb_forwardable), _('Allow KDC on Other Networks to Issue Authentication Tickets'),
- AuthConfInst.krb_conf_get_bool(['libdefaults', 'forwardable'], false))),
- Left(CheckBox(Id(:krb_proxiable), _('Allow Kerberos-Enabled Services to Take on The Identity Of a User'),
- AuthConfInst.krb_conf_get_bool(['libdefaults', 'proxiable'], false))),
- Left(CheckBox(Id(:krb_noaddresses), _('Issue Address-Less Tickets for Computers Behind NAT'),
- AuthConfInst.krb_conf_get_bool(['libdefaults', 'noaddresses'], false))),
- VSpacing(1.0),
- Left(PushButton(Id(:krb_extended_opts), _('Extended Options'))),
- )),
- ),
- ))
- UI.ChangeWidget(Id(:krb_default_realm), :Value, AuthConfInst.krb_conf_get(['libdefaults', 'default_realm'], _('(not specified)')))
- end
- end
-end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/test/authconf_chroot/etc/ldap.conf new/yast2-auth-client-4.5.1/test/authconf_chroot/etc/ldap.conf
--- old/yast2-auth-client-4.5.0/test/authconf_chroot/etc/ldap.conf 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/test/authconf_chroot/etc/ldap.conf 1970-01-01 01:00:00.000000000 +0100
@@ -1,315 +0,0 @@
-#
-# This is the configuration file for the LDAP nameservice
-# switch library and the LDAP PAM module.
-#
-
-# Your LDAP server. Must be resolvable without using LDAP.
-# Multiple hosts may be specified, each separated by a
-# space. How long nss_ldap takes to failover depends on
-# whether your LDAP client library supports configurable
-# network or connect timeouts (see bind_timelimit).
-host 127.0.0.1
-
-# The distinguished name of the search base.
-base dc=example,dc=com
-
-# Another way to specify your LDAP server is to provide an
-# uri with the server name. This allows to use
-# Unix Domain Sockets to connect to a local LDAP Server.
-#uri ldap://127.0.0.1/
-#uri ldaps://127.0.0.1/
-#uri ldapi://%2fvar%2frun%2fldapi_sock/
-# Note: %2f encodes the '/' used as directory separator
-
-# The LDAP version to use (defaults to 3
-# if supported by client library)
-#ldap_version 3
-
-# The distinguished name to bind to the server with.
-# Optional: default is to bind anonymously.
-#binddn cn=proxyuser,dc=example,dc=com
-
-# The credentials to bind with.
-# Optional: default is no credential.
-#bindpw secret
-
-# The distinguished name to bind to the server with
-# if the effective user ID is root. Password is
-# stored in /etc/ldap.secret (mode 600)
-#rootbinddn cn=manager,dc=example,dc=com
-
-# The port.
-# Optional: default is 389.
-#port 389
-
-# The search scope.
-#scope sub
-#scope one
-#scope base
-
-# Search timelimit
-#timelimit 30
-
-# Bind/connect timelimit
-#bind_timelimit 30
-
-# Reconnect policy:
-# hard_open: reconnect to DSA with exponential backoff if
-# opening connection failed
-# hard_init: reconnect to DSA with exponential backoff if
-# initializing connection failed
-# hard: alias for hard_open
-# soft: return immediately on server failure
-bind_policy soft
-
-# Connection policy:
-# persist: DSA connections are kept open (default)
-# oneshot: DSA connections destroyed after request
-#nss_connect_policy persist
-
-# Idle timelimit; client will close connections
-# (nss_ldap only) if the server has not been contacted
-# for the number of seconds specified below.
-#idle_timelimit 3600
-
-# Use paged rseults
-#nss_paged_results yes
-
-# Pagesize: when paged results enable, used to set the
-# pagesize to a custom value
-#pagesize 1000
-
-# Filter to AND with uid=%s
-#pam_filter objectclass=account
-
-# The user ID attribute (defaults to uid)
-#pam_login_attribute uid
-
-# Search the root DSE for the password policy (works
-# with Netscape Directory Server). Make use of
-# Password Policy LDAP Control (as in OpenLDAP)
-pam_lookup_policy yes
-
-# Check the 'host' attribute for access control
-# Default is no; if set to yes, and user has no
-# value for the host attribute, and pam_ldap is
-# configured for account management (authorization)
-# then the user will not be allowed to login.
-#pam_check_host_attr yes
-
-# Check the 'authorizedService' attribute for access
-# control
-# Default is no; if set to yes, and the user has no
-# value for the authorizedService attribute, and
-# pam_ldap is configured for account management
-# (authorization) then the user will not be allowed
-# to login.
-#pam_check_service_attr yes
-
-# Group to enforce membership of
-#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
-
-# Group member attribute
-#pam_member_attribute uniquemember
-
-# Specify a minium or maximum UID number allowed
-#pam_min_uid 0
-#pam_max_uid 0
-
-# Template login attribute, default template user
-# (can be overriden by value of former attribute
-# in user's entry)
-#pam_login_attribute userPrincipalName
-#pam_template_login_attribute uid
-#pam_template_login nobody
-
-# HEADS UP: the pam_crypt, pam_nds_passwd,
-# and pam_ad_passwd options are no
-# longer supported.
-#
-# Do not hash the password at all; presume
-# the directory server will do it, if
-# necessary. This is the default.
-#pam_password clear
-
-# Hash password locally; required for University of
-# Michigan LDAP server, and works with Netscape
-# Directory Server if you're using the UNIX-Crypt
-# hash mechanism and not using the NT Synchronization
-# service.
-#pam_password crypt
-
-# Remove old password first, then update in
-# cleartext. Necessary for use with Novell
-# Directory Services (NDS)
-#pam_password nds
-
-# RACF is an alias for the above. For use with
-# IBM RACF
-#pam_password racf
-
-# Update Active Directory password, by
-# creating Unicode password and updating
-# unicodePwd attribute.
-#pam_password ad
-
-# Use the OpenLDAP password change
-# extended operation to update the password.
-pam_password exop
-
-# Redirect users to a URL or somesuch on password
-# changes.
-#pam_password_prohibit_message Please visit http://internal to change your password.
-
-# Use backlinks for answering initgroups()
-#nss_initgroups backlink
-
-# returns NOTFOUND if nss_ldap's initgroups() is called
-# for users specified in nss_initgroups_ignoreusers
-# (comma separated)
-nss_initgroups_ignoreusers root,ldap
-
-# Enable support for RFC2307bis (distinguished names in group
-# members)
-nss_schema rfc2307bis
-
-# RFC2307bis naming contexts
-# Syntax:
-# nss_base_XXX base?scope?filter
-# where scope is {base,one,sub}
-# and filter is a filter to be &'d with the
-# default filter.
-# You can omit the suffix eg:
-# nss_base_passwd ou=People,
-# to append the default base DN but this
-# may incur a small performance impact.
-#nss_base_passwd ou=People,dc=example,dc=com?one
-#nss_base_shadow ou=People,dc=example,dc=com?one
-#nss_base_group ou=Group,dc=example,dc=com?one
-#nss_base_hosts ou=Hosts,dc=example,dc=com?one
-#nss_base_services ou=Services,dc=example,dc=com?one
-#nss_base_networks ou=Networks,dc=example,dc=com?one
-#nss_base_protocols ou=Protocols,dc=example,dc=com?one
-#nss_base_rpc ou=Rpc,dc=example,dc=com?one
-#nss_base_ethers ou=Ethers,dc=example,dc=com?one
-#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
-#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
-#nss_base_aliases ou=Aliases,dc=example,dc=com?one
-#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
-
-# attribute/objectclass mapping
-# Syntax:
-#nss_map_attribute rfc2307attribute mapped_attribute
-#nss_map_objectclass rfc2307objectclass mapped_objectclass
-
-# configure --enable-nds is no longer supported.
-# NDS mappings
-nss_map_attribute uniqueMember member
-
-# Services for UNIX 3.5 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount User
-#nss_map_attribute uid msSFU30Name
-#nss_map_attribute uniqueMember msSFU30PosixMember
-#nss_map_attribute userPassword msSFU30Password
-#nss_map_attribute homeDirectory msSFU30HomeDirectory
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_objectclass posixGroup Group
-#pam_login_attribute msSFU30Name
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-mssfu-schema is no longer supported.
-# Services for UNIX 2.0 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid msSFUName
-#nss_map_attribute uniqueMember posixMember
-#nss_map_attribute userPassword msSFUPassword
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup Group
-#nss_map_attribute cn msSFUName
-#pam_login_attribute msSFUName
-#pam_filter objectclass=User
-#pam_password ad
-
-# RFC 2307 (AD) mappings
-#nss_map_objectclass posixAccount user
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid sAMAccountName
-#nss_map_attribute homeDirectory unixHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup group
-#nss_map_attribute uniqueMember member
-#pam_login_attribute sAMAccountName
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-authpassword is no longer supported
-# AuthPassword mappings
-#nss_map_attribute userPassword authPassword
-
-# AIX SecureWay mappings
-#nss_map_objectclass posixAccount aixAccount
-#nss_base_passwd ou=aixaccount,?one
-#nss_map_attribute uid userName
-#nss_map_attribute gidNumber gid
-#nss_map_attribute uidNumber uid
-#nss_map_attribute userPassword passwordChar
-#nss_map_objectclass posixGroup aixAccessGroup
-#nss_base_group ou=aixgroup,?one
-#nss_map_attribute cn groupName
-#nss_map_attribute uniqueMember member
-#pam_login_attribute userName
-#pam_filter objectclass=aixAccount
-#pam_password clear
-
-# For pre-RFC2307bis automount schema
-#nss_map_objectclass automountMap nisMap
-#nss_map_attribute automountMapName nisMapName
-#nss_map_objectclass automount nisObject
-#nss_map_attribute automountKey cn
-#nss_map_attribute automountInformation nisMapEntry
-
-# Netscape SDK LDAPS
-#ssl on
-
-# Netscape SDK SSL options
-#sslpath /etc/ssl/certs
-
-# OpenLDAP SSL mechanism
-# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
-ssl start_tls
-#ssl on
-
-# OpenLDAP SSL options
-# Require and verify server certificate (yes/no)
-# Default is to use libldap's default behavior, which can be configured in
-# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
-# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
-#tls_checkpeer yes
-
-# CA certificates for server certificate verification
-# At least one of these are required if tls_checkpeer is "yes"
-#tls_cacertfile /etc/ssl/ca.cert
-#tls_cacertdir /etc/ssl/certs
-
-# Seed the PRNG if /dev/urandom is not provided
-#tls_randfile /var/run/egd-pool
-
-# SSL cipher suite
-# See man ciphers for syntax
-#tls_ciphers TLSv1
-
-# Client certificate and key
-# Use these, if your server requires client authentication.
-#tls_cert
-#tls_key
-
-# Disable SASL security layers. This is needed for AD.
-#sasl_secprops maxssf=0
-
-# Override the default Kerberos ticket cache location.
-#krb5_ccname FILE:/etc/.ldapcache
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/test/authconf_test.rb new/yast2-auth-client-4.5.1/test/authconf_test.rb
--- old/yast2-auth-client-4.5.0/test/authconf_test.rb 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/test/authconf_test.rb 2022-07-28 15:52:19.000000000 +0200
@@ -110,53 +110,6 @@
end
end
- describe 'LDAP' do
- it 'Read, lint, and export LDAP configuration' do
- authconf.ldap_read
- expect(authconf.ldap_export).to eq(
- 'conf'=>{
- 'host'=>'127.0.0.1',
- 'base'=>'dc=example,dc=com',
- 'bind_policy'=>'soft',
- 'pam_lookup_policy'=>'yes',
- 'pam_password'=>'exop',
- 'nss_initgroups_ignoreusers'=>'root,ldap',
- 'nss_schema'=>'rfc2307bis',
- 'nss_map_attribute'=>'uniqueMember member',
- 'ssl'=>'start_tls'},
- 'pam'=>false,
- 'nss'=>[])
- end
- it 'Create LDAP configuration file' do
- expect(authconf.ldap_make_conf).to eq('host 127.0.0.1
-base dc=example,dc=com
-bind_policy soft
-pam_lookup_policy yes
-pam_password exop
-nss_initgroups_ignoreusers root,ldap
-nss_schema rfc2307bis
-nss_map_attribute uniqueMember member
-ssl start_tls
-')
- end
- it 'Import and recreate the same configuration' do
- conf = {'conf'=>{
- 'host'=>'127.0.0.1',
- 'base'=>'dc=example,dc=com',
- 'bind_policy'=>'soft',
- 'pam_lookup_policy'=>'yes',
- 'pam_password'=>'exop',
- 'nss_initgroups_ignoreusers'=>'root,ldap',
- 'nss_schema'=>'rfc2307bis',
- 'nss_map_attribute'=>'uniqueMember member',
- 'ssl'=>'start_tls'},
- 'pam'=>true,
- 'nss'=>['passwd', 'group']}
- authconf.ldap_import(conf)
- expect(authconf.ldap_export).to eq(conf)
- end
- end
-
describe 'Kerberos' do
it 'Read, lint, and export Kerberos configuration' do
# The first example is very simple