commit yast2-auth-client for openSUSE:Factory

Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yast2-auth-client for openSUSE:Factory checked in at 2022-07-31 23:00:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-auth-client (Old) and /work/SRC/openSUSE:Factory/.yast2-auth-client.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "yast2-auth-client" Sun Jul 31 23:00:45 2022 rev:45 rq:991571 version:4.5.1 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-auth-client/yast2-auth-client.changes 2022-04-14 17:23:59.591160140 +0200 +++ /work/SRC/openSUSE:Factory/.yast2-auth-client.new.1533/yast2-auth-client.changes 2022-07-31 23:00:59.811700962 +0200 @@ -1,0 +2,7 @@ +Wed Jul 27 00:50:39 UTC 2022 - William Brown <william.brown@suse.com> + +- Remove nss_ldap and pam_ldap support in favour of SSSD + (gh#yast/yast-auth-client#82) +- 4.5.1 + +------------------------------------------------------------------- Old: ---- yast2-auth-client-4.5.0.tar.bz2 New: ---- yast2-auth-client-4.5.1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-auth-client.spec ++++++ --- /var/tmp/diff_new_pack.ImO2Rr/_old 2022-07-31 23:01:00.207702113 +0200 +++ /var/tmp/diff_new_pack.ImO2Rr/_new 2022-07-31 23:01:00.211702125 +0200 
@@ -17,7 +17,7 @@ Name: yast2-auth-client -Version: 4.5.0 +Version: 4.5.1 Release: 0 URL: https://github.com/yast/yast-auth-client Summary: YaST2 - Centralised System Authentication Configuration ++++++ yast2-auth-client-4.5.0.tar.bz2 -> yast2-auth-client-4.5.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/README.md new/yast2-auth-client-4.5.1/README.md --- old/yast2-auth-client-4.5.0/README.md 2022-04-12 13:32:42.000000000 +0200 +++ new/yast2-auth-client-4.5.1/README.md 2022-07-28 15:52:19.000000000 +0200 @@ -14,8 +14,7 @@ * Configure single or multi-domain authentication via SSSD * Enroll a host at Microsoft Active Directory - * Configure PAM/NSS for LDAP - * Configure Kerberos client + * Configure PAM/NSS for LDAP or Kerberos via SSSD Installation ------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/package/yast2-auth-client.changes new/yast2-auth-client-4.5.1/package/yast2-auth-client.changes --- old/yast2-auth-client-4.5.0/package/yast2-auth-client.changes 2022-04-12 13:32:42.000000000 +0200 +++ new/yast2-auth-client-4.5.1/package/yast2-auth-client.changes 2022-07-28 15:52:19.000000000 +0200 
@@ -1,4 +1,11 @@ ------------------------------------------------------------------- +Wed Jul 27 00:50:39 UTC 2022 - William Brown <william.brown@suse.com> + +- Remove nss_ldap and pam_ldap support in favour of SSSD + (gh#yast/yast-auth-client#82) +- 4.5.1 + +------------------------------------------------------------------- Wed Apr 06 13:24:58 UTC 2022 - Ladislav Slez��k <lslezak@suse.cz> - Bump version to 4.5.0 (bsc#1198109) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/package/yast2-auth-client.spec new/yast2-auth-client-4.5.1/package/yast2-auth-client.spec --- old/yast2-auth-client-4.5.0/package/yast2-auth-client.spec 2022-04-12 13:32:42.000000000 +0200 +++ new/yast2-auth-client-4.5.1/package/yast2-auth-client.spec 2022-07-28 15:52:19.000000000 +0200 @@ -17,7 +17,7 @@ Name: yast2-auth-client -Version: 4.5.0 +Version: 4.5.1 Release: 0 Url: https://github.com/yast/yast-auth-client Summary: YaST2 - Centralised System Authentication Configuration diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/src/clients/ldapkrb.rb new/yast2-auth-client-4.5.1/src/clients/ldapkrb.rb --- old/yast2-auth-client-4.5.0/src/clients/ldapkrb.rb 2022-04-12 13:32:42.000000000 +0200 +++ new/yast2-auth-client-4.5.1/src/clients/ldapkrb.rb 1970-01-01 01:00:00.000000000 +0100 
@@ -1,32 +0,0 @@ -# encoding: utf-8 - -# ------------------------------------------------------------------------------ -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. -# -# This program is free software; you can redistribute it and/or modify it under -# the terms of version 2 of the GNU General Public License as published by the -# Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS -# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along with -# this program; if not, contact SUSE Linux GmbH. -# -# ------------------------------------------------------------------------------ - -# Module: Configure system-wide authentication mechanisms via LDAP and Kerberos -# Summary: Invoke main dialog and allow configuring LDAP and Kerberos -# Authors: Howard Guo <hguo@suse.com> - -require 'auth/authconf' -require 'auth/auth-cli' -require 'authui/main_dialog' - -if Yast::WFM.Args.empty? - Auth::AuthConfInst.read_all - Auth::MainDialog.new(:ldapkrb).run -else - Auth::CLI.run("ldapkrb") -end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/src/lib/auth/authconf.rb new/yast2-auth-client-4.5.1/src/lib/auth/authconf.rb --- old/yast2-auth-client-4.5.0/src/lib/auth/authconf.rb 2022-04-12 13:32:42.000000000 +0200 +++ new/yast2-auth-client-4.5.1/src/lib/auth/authconf.rb 2022-07-28 15:52:19.000000000 +0200 
@@ -34,7 +34,7 @@ include Yast::Logger include Yast::UIShortcuts - attr_accessor(:krb_conf, :krb_pam, :ldap_conf, :ldap_pam, :ldap_nss, :sssd_conf, :sssd_pam, :sssd_nss, :sssd_enabled) + attr_accessor(:krb_conf, :krb_pam, :ldap_pam, :ldap_nss, :sssd_conf, :sssd_pam, :sssd_nss, :sssd_enabled) attr_accessor(:autofs_enabled, :nscd_enabled, :mkhomedir_pam) attr_accessor(:ad_domain, :ad_user, :ad_ou, :ad_pass, :ad_overwrite_smb_conf, :ad_update_dns, :autoyast_editor_mode, :autoyast_modified) @@ -44,7 +44,6 @@ @krb_conf = {'include' => [], 'libdefaults' => {}, 'realms' => {}, 'domain_realm' => {}, 'logging' => {}} @krb_pam = false # LDAP configuration (/etc/ldap.conf) - @ldap_conf = {} @ldap_pam = false @ldap_nss = [] # SSSD configuration (/etc/sssd/sssd.conf) @@ -439,25 +438,6 @@ # Load LDAP configuration. def ldap_read - @ldap_conf = {} - # Destruct ldap.conf file - Yast::SCR.UnmountAgent(Yast::Path.new('.etc.ldap_conf')) - Yast::SCR.Read(Yast::Path.new('.etc.ldap_conf.all')).fetch('value', []).each { |entry| - if entry['kind'] != 'value' - skip - end - entry_name = entry['name'].strip - entry_value = entry['value'].strip - # Store values from duplicate keys in the original order - existing_value = @ldap_conf[entry_name] - if existing_value && existing_value.kind_of?(::String) - @ldap_conf[entry_name] = [existing_value, entry_value] - elsif existing_value && existing_value.kind_of?(::Array) - @ldap_conf[entry_name] = existing_value + [entry_value] - else - @ldap_conf[entry_name] = entry_value - end - } # Read PAM/NSS @ldap_pam = Yast::Pam.Enabled('ldap') @ldap_nss = [] 
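Review bot: The context comment `# LDAP configuration (/etc/ldap.conf)` in the `@@ -44,7 +44,6 @@` hunk now heads only `@ldap_pam` and `@ldap_nss`, because the `@ldap_conf` hash it described is deleted here and from the `attr_accessor` list in the hunk above. I would reword it to `# Legacy pam_ldap / nss_ldap status; detected only so the user can be told to migrate to SSSD, no longer written` so the next reader does not look for an ldap.conf model that no longer exists. The enclosing initializer starts and ends outside the hunk.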
@@ -470,18 +450,15 @@ # Return LDAP configuration. def ldap_export - return {'conf' => @ldap_conf, 'pam' => @ldap_pam, 'nss' => @ldap_nss} + return {'pam' => @ldap_pam, 'nss' => @ldap_nss} end # Set configuration for LDAP from exported objects. def ldap_import(exported_conf) if exported_conf.nil? - @ldap_conf = {} @ldap_pam = false @ldap_nss = [] else - @ldap_conf = exported_conf['conf'] - @ldap_conf = {} if @ldap_conf.nil? @ldap_pam = exported_conf['pam'] @ldap_pam = false if @ldap_pam.nil? @ldap_nss = exported_conf['nss'] 
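Review bot: `ldap_import` now drops a `conf` key silently: a profile that still carries the legacy ldap.conf settings is accepted without any trace that they were ignored, while `pam` and `nss` from the same profile are still honoured and still re-exported by `ldap_export`. Since those settings can no longer be applied, I would record that on the new side, e.g. `log.warn('Ignoring legacy LDAP "conf" section in imported profile; pam_ldap/nss_ldap can no longer be configured, migrate to SSSD') if exported_conf.key?('conf')` placed before `@ldap_pam = exported_conf['pam']` (the class includes `Yast::Logger`, so `log` is in scope). The `ldap_import` method ends outside the hunk.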
@@ -506,93 +483,6 @@ return content end - # Immediately apply LDAP configuration, including PAM/NSS configuration. - def ldap_apply - if @autoyast_editor_mode - return - end - # Calculate package requirements - pkgs = [] - if @ldap_pam - pkgs += ['pam_ldap'] - end - if @ldap_nss.any? - pkgs += ['nss_ldap'] - if @ldap_nss.include?('automount') - pkgs += ['openldap2-client'] # provides /etc/openldap/ldap.conf - end - end - pkgs.delete_if { |name| Yast::Package.Installed(name) } - if pkgs.any? - if !Yast::Package.DoInstall(pkgs) - Yast::Report.Error(_('Failed to install software packages required for LDAP.')) - end - end - # Write LDAP config file and correct its permission and ownerships - ldap_conf = File.new('/etc/ldap.conf', 'w') - ldap_conf.chmod(0600) - ldap_conf.chown(0, 0) - ldap_conf.write(ldap_make_conf) - ldap_conf.close - # If automount is enabled, overwrite openldap's ldap.conf as well. - if @ldap_nss.include?('automount') - ldap_conf = File.new('/etc/openldap/ldap.conf', 'w') - ldap_conf.chmod(0644) - ldap_conf.chown(0, 0) - ldap_conf.write(ldap_make_conf) - ldap_conf.close - end - # Save PAM/NSS/daemon status - if @ldap_pam - Yast::Pam.Add('ldap') - else - Yast::Pam.Remove('ldap') - end - fix_pam - LDAP_CAPABLE_NSS_DBS.each { |db| nss_disable_module(db, 'ldap') } - if @ldap_nss.any? - @ldap_nss.each { |db| nss_enable_module(db, 'ldap') } - end - end - - # Run ldapsearch to test the parameters. Return empty string if test is successful, otherwise return ldapsearch error output. 
- def ldap_test_bind(uri, start_tls, dn, password, base_dn) - # Make sure openldap client is installed - if !Yast::Package.Installed('openldap2-client') - if !Yast::Package.DoInstall(['openldap2-client']) - return 'Failed to install openldap2-client package' - end - end - # Create a temporary file to hold the password - pwd_filename = "yastauthclient-ldaptestbind-#{Time.now.strftime('%Y%m%d%I%M%S')}" - pwd_file = File.open(pwd_filename, 'w', 0600) - pwd_file.write(password) - pwd_file.close - # Run ldapsearch with password bind - cmd = "ldapsearch -o nettimeout=5 -s one -x -H '#{uri}' " - if start_tls - cmd += '-ZZ ' - end - if dn.to_s != '' - cmd += "-D '#{dn}' -y '#{pwd_filename}' " - end - cmd += "-b #{base_dn}" - out = '' - errout = '' - exitstatus = 0 - Open3.popen3(cmd){ |stdin, stdout, stderr, control| - stdin.close - out = stdout.read - errout = stderr.read - exitstatus = control.value - } - File.unlink(pwd_file) - if exitstatus == 0 - return '' - end - return _("ERROR: ") + "#{out}\n#{errout}" - end - # Parse and set Kerberos configuration def krb_parse_set(content) @krb_conf = KrbParse.parse(content) 
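Review bot: The method ending at the context line `return content` directly above the removed `ldap_apply` — presumably the `/etc/ldap.conf` generator the old code called as `ldap_make_conf` — appears to survive this commit although its only visible consumer is deleted here, and `@ldap_conf`, which such a generator would read, is removed from the accessor list and the initializer in the earlier hunks. If it still references `@ldap_conf`, that instance variable now starts out as `nil`, so any remaining caller would fail with `NoMethodError`; either delete the generator in the same change or confirm it has no callers left. The `krb_parse_set` method at the end of the hunk continues outside it.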
@@ -772,32 +662,14 @@ if @autoyast_editor_mode return end - # Calculate package requirements - pkgs = [] - if @krb_pam - pkgs += ['pam_krb5', 'krb5', 'krb5-client'] - end - pkgs.delete_if { |name| Yast::Package.Installed(name) } - if pkgs.any? - if !Yast::Package.DoInstall(pkgs) - Yast::Report.Error(_('Failed to install software packages required for Kerberos.')) - end - end # Write LDAP config file and correct its permission and ownerships krb_conf = File.new('/etc/krb5.conf', 'w') krb_conf.chmod(0644) krb_conf.chown(0, 0) krb_conf.write(krb_make_conf) krb_conf.close - # Save PAM/NSS/daemon status - if @krb_pam - Yast::Pam.Add('krb5') - else - Yast::Pam.Remove('krb5') - end - fix_pam end - + # Create a Kerberos realm if it does not yet exist. If it already exists, update the configuration. All parameters are required. def krb_add_update_realm(realm_name, kdc_addr, admin_addr, make_domain_realms, make_default) realm_name = realm_name.upcase.strip @@ -1070,18 +942,6 @@ end } end - if @ldap_pam - pkgs += ['pam_ldap'] - end - if @krb_pam - pkgs += ['pam_krb5', 'krb5', 'krb5-client'] - end - if @ldap_nss.any? - pkgs += ['nss_ldap'] - if @ldap_nss.include?('automount') - pkgs += ['openldap2-client'] # provides /etc/openldap/ldap.conf - end - end if @autofs_enabled || @sssd_nss.include?('automount') || @ldap_nss.include?('automount') pkgs += ['autofs'] end 
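Review bot: `krb_apply` no longer reads `@krb_pam` at all, while the flag is still kept on the object and still drives the caption code in the `@@ -1108` hunk, and the surviving context comment `# Write LDAP config file and correct its permission and ownerships` now describes the only remaining action, which writes `/etc/krb5.conf`. I would correct that comment to `# Write /etc/krb5.conf and fix its permission and ownership; pam_krb5 is deliberately left untouched, the user must migrate to SSSD` so the next reader does not search for the removed PAM step. The method's `def` line is outside the hunk.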
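Review bot: In the `@@ -1070,18 +942,6 @@` hunk the `autofs` requirement still keys off `@ldap_nss.include?('automount')` even though the `nss_ldap` / `openldap2-client` requirement that used to sit beside it is removed, so on a host whose nsswitch still lists the legacy ldap automount source this installs autofs without the backend that would serve it. Unless that is intended as a transitional aid, I would reduce the condition to `if @autofs_enabled || @sssd_nss.include?('automount')`, or add a comment stating why the legacy flag still counts. The enclosing method starts and ends outside the hunk.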
@@ -1108,26 +968,25 @@ auth_doms_caption += ' ' + _('(daemon is inactive)') end else - # LDAP and/or Kerberos is configured - if @ldap_nss.any? || @ldap_pam - if @ldap_conf['base'].to_s == '' - auth_doms_caption = _('LDAP is enabled but the setup is incomplete') + list_of_providers = '' + if @ldap_nss.any? + list_of_providers = _('NSS LDAP') + end + if @ldap_pam + if list_of_providers != '' + list_of_providers = _('PAM + NSS LDAP') else - auth_doms_caption = _('via LDAP on %s') % [@ldap_conf['base']] + list_of_providers = _('PAM LDAP') end end if @krb_pam - if auth_doms_caption != '' - # 'and' as in "authenticate via LDAP and Kerberos" - auth_doms_caption += _(' and ') - end - realms = @krb_conf.fetch('realms', {}) - if realms.length == 0 - auth_doms_caption += _('via Kerberos') + if list_of_providers != '' + list_of_providers += _('and PAM KRB5') else - auth_doms_caption += _('via Kerberos on %s') % [realms.keys.join(', ')] + list_of_providers = _('PAM KRB5') end end + auth_doms_caption = _('������ Use of %s detected. These modules can no longer be configured and you MUST migrate to SSSD') % [list_of_providers] end return auth_doms_caption end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/edit_realm_dialog.rb new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/edit_realm_dialog.rb --- old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/edit_realm_dialog.rb 2022-04-12 13:32:42.000000000 +0200 +++ new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/edit_realm_dialog.rb 1970-01-01 01:00:00.000000000 +0100 
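Review bot: `list_of_providers += _('and PAM KRB5')` has no separator, so with both LDAP and Kerberos PAM in use the caption reads `PAM LDAPand PAM KRB5`; the fragment should be `_(' and PAM KRB5')`, or better, collect the parts in an array and `join(_(' and '))` so translators see whole phrases rather than fragments. The final `auth_doms_caption = _('... Use of %s detected ...')` is also assigned unconditionally inside the `else` branch, so if that branch can be entered with none of `@ldap_nss`, `@ldap_pam` and `@krb_pam` set (the branch condition is outside the hunk) the user sees `Use of  detected` with an empty name — guard it with `unless list_of_providers.empty?`. The leading characters of that string are garbled in this listing; worth confirming the source file is UTF-8 and the symbol renders in the ncurses front end.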
@@ -1,178 +0,0 @@ -# encoding: utf-8 - -# ------------------------------------------------------------------------------ -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. -# -# This program is free software; you can redistribute it and/or modify it under -# the terms of version 2 of the GNU General Public License as published by the -# Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS -# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along with -# this program; if not, contact SUSE Linux GmbH. -# -# ------------------------------------------------------------------------------ - -require 'yast' -require 'auth/authconf' -require 'authui/ldapkrb/generic_input_dialog' -Yast.import 'UI' -Yast.import 'Icon' -Yast.import 'Label' - -module LdapKrb - # Edit Kerberos realm configuration - class EditRealmDialog < UI::Dialog - include Yast - include Auth - include UIShortcuts - include I18n - include Logger - - def initialize(realm_name) - super() - @realm_name = realm_name - textdomain "auth-client" - end - - def create_dialog - return false unless super - return true - end - - def dialog_options - Opt(:decorated) - end - - def dialog_content - VBox( - InputField(Id(:realm_name), Opt(:hstretch), _('Realm name'), @realm_name.to_s), - CheckBox(Id(:map_domain), Opt(:hstretch), _('Map Domain Name to the Realm (example.com -> EXAMPLE.COM)'), - !@realm_name.nil? && !AuthConfInst.krb_conf_get(['domain_realm', @realm_name.downcase], nil).nil?), - CheckBox(Id(:map_wildcard_domain), Opt(:hstretch), _('Map Wild Card Domain Name to the Realm (*.example.com -> EXAMPLE.COM)'), - !@realm_name.nil? 
&& !AuthConfInst.krb_conf_get(['domain_realm', ".#{@realm_name.downcase}"], nil).nil?), - VSpacing(1.0), - InputField(Id(:admin_server), Opt(:hstretch), _('Host Name of Administration Server (Optional)'), - AuthConfInst.krb_conf_get(['realms', @realm_name, 'admin_server'], '')), - InputField(Id(:master_kdc), Opt(:hstretch), _('Host Name of Master Key Distribution Center (Optional)'), - AuthConfInst.krb_conf_get(['realms', @realm_name, 'master_kdc'], '')), - SelectionBox(Id(:kdc), Opt(:hstretch), _('Key Distribution Centers (Optional If Auto-Discovery via DNS is Enabled)'), - AuthConfInst.krb_conf_get(['realms', @realm_name, 'kdc'], [])), - Left(HBox(PushButton(Id(:kdc_add), Label.AddButton), PushButton(Id(:kdc_remove), Label.DeleteButton))), - VSpacing(1.0), - HBox( - VBox( - Left(Label(_('Custom Mappings of Principal Names to User Names'))), - Table(Id(:auth_to_local_names), Header(_('Principal Name'), _('User Name')), - AuthConfInst.krb_conf_get(['realms', @realm_name, 'auth_to_local_names'], []).map {|princ_name, user_name| Item(princ_name, user_name)}), - Left(HBox(PushButton(Id(:a2ln_add), Label.AddButton), PushButton(Id(:a2ln_remove), Label.DeleteButton))), - ), - VBox( - SelectionBox(Id(:auth_to_local), _('Custom Rules for Mapping Principal Names to User Names'), - AuthConfInst.krb_conf_get(['realms', @realm_name, 'auth_to_local'], [])), - Left(HBox(PushButton(Id(:a2l_add), Label.AddButton), PushButton(Id(:a2l_remove), Label.DeleteButton))), - ) - ), - VSpacing(1.0), - ButtonBox( - PushButton(Id(:ok), Label.OKButton), - PushButton(Id(:cancel), Label.CancelButton), - ) - ) - end - - # Add a KDC - def kdc_add_handler - new_kdc = GenericInputDialog.new(_('Please type in the host name of Key Distribution Centre:'), '').run - if !new_kdc.nil? 
- UI.ChangeWidget(Id(:kdc), :Items, UI.QueryWidget(Id(:kdc), :Items) + [new_kdc]) - end - end - - # Remove a KDC - def kdc_remove_handler - UI.ChangeWidget(Id(:kdc), :Items, UI.QueryWidget(Id(:kdc), :Items).map{|item| item[1]} - [UI.QueryWidget(Id(:kdc), :CurrentItem)]) - end - - # Add an auth_to_local - def a2l_add_handler - new_a2l = GenericInputDialog.new(_('Please type the new rule string (e.g. "RULE:[2:$1](johndoe)s/^.*$/guest/")'), '').run - if !new_a2l.nil? - UI.ChangeWidget(Id(:auth_to_local), :Items, UI.QueryWidget(Id(:auth_to_local), :Items) + [new_a2l]) - end - end - - # Remove an auth_to_local - def a2l_remove_handler - UI.ChangeWidget(Id(:auth_to_local), :Items, UI.QueryWidget(Id(:auth_to_local), :Items).map{|item| item[1]} - [UI.QueryWidget(Id(:auth_to_local), :CurrentItem)]) - end - - # Add an auth_to_local_names - def a2ln_add_handler - new_a2ln = GenericInputDialog.new(_('Please type in the principal name and user name in the format of "princ_name = user_name":'), '').run - if !new_a2ln.nil? - new_a2ln = new_a2ln.split(/\s*=\s*/) - if new_a2ln.length == 2 - UI.ChangeWidget(Id(:auth_to_local_names), :Items, UI.QueryWidget(Id(:auth_to_local_names), :Items) + [Item(new_a2ln[0], new_a2ln[1])]) - end - end - end - - # Remove an auth_to_local_names - def a2ln_remove_handler - current_key = UI.QueryWidget(Id(:auth_to_local_names), :CurrentItem) - new_items = UI.QueryWidget(Id(:auth_to_local_names), :Items).select{ |item| item[1] != current_key} - UI.ChangeWidget(Id(:auth_to_local_names), :Items, new_items) - end - - # Save realm settings - def ok_handler - input_realm_name = UI.QueryWidget(Id(:realm_name), :Value).upcase - if input_realm_name == '' - Popup.Error(_('Please enter realm name.')) - return - end - # Move configuration from one realm to another - if !@realm_name.nil? 
&& @realm_name != input_realm_name - AuthConfInst.krb_conf['realms'][input_realm_name] = AuthConfInst.krb_conf['realms'][@realm_name] - AuthConfInst.krb_conf['realms'].delete(@realm_name) - if AuthConfInst.krb_conf['libdefaults']['default_realm'] == @realm_name - AuthConfInst.krb_conf['libdefaults']['default_realm'] = input_realm_name - end - domains = AuthConfInst.krb_conf['domain_realm'].select{ |_, realm| realm == @realm_name}.keys - domains.each {|domain| AuthConfInst.krb_conf['domain_realm'].delete(domain)} - domains.each {|domain| AuthConfInst.krb_conf['domain_realm'][domain] = input_realm_name} - end - # Create new realm - if !AuthConfInst.krb_conf['realms'].include?(input_realm_name) - AuthConfInst.krb_conf['realms'][input_realm_name] = {} - end - # Set settings - realm_conf = AuthConfInst.krb_conf['realms'][input_realm_name] - realm_conf['admin_server'] = UI.QueryWidget(Id(:admin_server), :Value) - realm_conf['master_kdc'] = UI.QueryWidget(Id(:master_kdc), :Value) - realm_conf['kdc'] = UI.QueryWidget(Id(:kdc), :Items).map{|item| item[1]} - if UI.QueryWidget(Id(:map_domain), :Value) - AuthConfInst.krb_conf['domain_realm'][input_realm_name.downcase] = input_realm_name - else - AuthConfInst.krb_conf['domain_realm'].delete(input_realm_name.downcase) - end - if UI.QueryWidget(Id(:map_wildcard_domain), :Value) - AuthConfInst.krb_conf['domain_realm'][".#{input_realm_name.downcase}"] = input_realm_name - else - AuthConfInst.krb_conf['domain_realm'].delete(".#{input_realm_name.downcase}") - end - realm_conf['auth_to_local'] = UI.QueryWidget(Id(:auth_to_local), :Items).map{|item| item[1]} - realm_conf['auth_to_local_names'] = Hash[*UI.QueryWidget(Id(:auth_to_local_names), :Items).map{|item| [item[1], item[2]]}.flatten] - finish_dialog(:finish) - end - - # Close the dialog - def finish_handler - finish_dialog(:finish) - end - end -end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' 
old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/generic_input_dialog.rb new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/generic_input_dialog.rb --- old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/generic_input_dialog.rb 2022-04-12 13:32:42.000000000 +0200 +++ new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/generic_input_dialog.rb 1970-01-01 01:00:00.000000000 +0100 
@@ -1,74 +0,0 @@ -# encoding: utf-8 - -# ------------------------------------------------------------------------------ -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. -# -# This program is free software; you can redistribute it and/or modify it under -# the terms of version 2 of the GNU General Public License as published by the -# Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS -# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along with -# this program; if not, contact SUSE Linux GmbH. -# -# ------------------------------------------------------------------------------ - -require 'yast' -require 'auth/authconf' -Yast.import 'UI' -Yast.import 'Icon' -Yast.import 'Label' - -module LdapKrb - # A generic text input dialog. - class GenericInputDialog - include Yast - include Auth - include UIShortcuts - include I18n - include Logger - - def initialize(caption, default_text) - @caption = caption - @default_text = default_text - textdomain "auth-client" - end - - def run - return if !render_all - begin - return ui_event_loop - ensure - UI.CloseDialog() - end - end - - def render_all - UI.OpenDialog( - VBox( - Left(Label(@caption)), - InputField(Id(:input), Opt(:hstretch), @default_text), - ButtonBox( - PushButton(Id(:ok), Label.OKButton), - PushButton(Id(:cancel), Label.CancelButton), - ) - ) - ) - end - - # Return text in the input field, or nil if the dialog is cancelled. 
- def ui_event_loop - loop do - case UI.UserInput - when :ok - return UI.QueryWidget(Id(:input), :Value) - else - return nil - end - end - end - end -end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/krb_extended_opts_dialog.rb new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/krb_extended_opts_dialog.rb --- old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/krb_extended_opts_dialog.rb 2022-04-12 13:32:42.000000000 +0200 +++ new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/krb_extended_opts_dialog.rb 1970-01-01 01:00:00.000000000 +0100 
@@ -1,78 +0,0 @@ -# encoding: utf-8 - -# ------------------------------------------------------------------------------ -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. -# -# This program is free software; you can redistribute it and/or modify it under -# the terms of version 2 of the GNU General Public License as published by the -# Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS -# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along with -# this program; if not, contact SUSE Linux GmbH. -# -# ------------------------------------------------------------------------------ - -require 'yast' -require 'ui/dialog' -require 'auth/authconf' -Yast.import 'UI' -Yast.import 'Label' - -module LdapKrb - # Edit more configuration items for Kerberos. 
- class KrbExtendedOptsDialog < UI::Dialog - include Yast - include Auth - include UIShortcuts - include I18n - - def initialize - super() - textdomain "auth-client" - end - - def create_dialog - return super - end - - def dialog_options - Opt(:decorated) - end - - def dialog_content - MinWidth(80, VBox( - InputField(Id(:default_keytab_name), Opt(:hstretch), _('Default Location of Keytab File'), - AuthConfInst.krb_conf_get(['libdefaults', 'default_keytab_name'], '/etc/krb5.keytab')), - InputField(Id(:default_tgs_enctypes), Opt(:hstretch), _('Encryption Types for TGS (Space separated)'), - AuthConfInst.krb_conf_get(['libdefaults', 'default_tgs_enctypes'], AuthConfInst.krb_get_default(:default_tgs_enctypes))), - InputField(Id(:default_tkt_enctypes), Opt(:hstretch), _('Encryption Types for Ticket (Space separated)'), - AuthConfInst.krb_conf_get(['libdefaults', 'default_tkt_enctypes'], AuthConfInst.krb_get_default(:default_tkt_enctypes))), - InputField(Id(:permitted_enctypes), Opt(:hstretch), _('Encryption Types for Sessions (Space separated)'), - AuthConfInst.krb_conf_get(['libdefaults', 'permitted_enctypes'], AuthConfInst.krb_get_default(:permitted_enctypes))), - InputField(Id(:extra_addresses), Opt(:hstretch), _('Additional Addresses to be put in Ticket (Comma separated)'), - AuthConfInst.krb_conf_get(['libdefaults', 'extra_addresses'], '')), - VSpacing(1.0), - HBox(PushButton(Id(:reset), _('Reset')), PushButton(Id(:finish), Label.OKButton)), - )) - end - - def reset_handler - [:default_keytab_name, :default_tgs_enctypes, :default_tkt_enctypes, :permitted_enctypes].each { |key| - UI.ChangeWidget(Id(key), :Value, AuthConfInst.krb_get_default(key)) - } - end - - def finish_handler - AuthConfInst.krb_conf['libdefaults']['default_keytab_name'] = UI.QueryWidget(Id(:default_keytab_name), :Value) - AuthConfInst.krb_conf['libdefaults']['default_tgs_enctypes'] = UI.QueryWidget(Id(:default_tgs_enctypes), :Value) - AuthConfInst.krb_conf['libdefaults']['default_tkt_enctypes'] = 
UI.QueryWidget(Id(:default_tkt_enctypes), :Value) - AuthConfInst.krb_conf['libdefaults']['permitted_enctypes'] = UI.QueryWidget(Id(:permitted_enctypes), :Value) - AuthConfInst.krb_conf['libdefaults']['extra_addresses'] = UI.QueryWidget(Id(:extra_addresses), :Value) - finish_dialog(:finish) - end - end -end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/ldap_extended_opts_dialog.rb new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/ldap_extended_opts_dialog.rb --- old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/ldap_extended_opts_dialog.rb 2022-04-12 13:32:42.000000000 +0200 +++ new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/ldap_extended_opts_dialog.rb 1970-01-01 01:00:00.000000000 +0100 
@@ -1,66 +0,0 @@ -# encoding: utf-8 - -# ------------------------------------------------------------------------------ -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. -# -# This program is free software; you can redistribute it and/or modify it under -# the terms of version 2 of the GNU General Public License as published by the -# Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS -# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along with -# this program; if not, contact SUSE Linux GmbH. -# -# ------------------------------------------------------------------------------ - -require 'yast' -require 'ui/dialog' -require 'auth/authconf' -Yast.import 'UI' -Yast.import 'Label' - -module LdapKrb - # Edit more configuration items for LDAP. - class LdapExtendedOptsDialog < UI::Dialog - include Yast - include Auth - include UIShortcuts - include I18n - - def initialize - super() - textdomain "auth-client" - end - - def create_dialog - super - end - - def dialog_options - Opt(:decorated) - end - - def dialog_content - # The user cannot possibly understand the implication of 0 in search timeout if the user uses YaST - MinWidth(80, VBox( - IntField(Id(:ldap_bind_timelimit), Opt(:hstretch), _('Timeout for Bind Operations in Seconds'), 1, 600, - (AuthConfInst.ldap_conf['bind_timelimit'].to_s == '' ? '30' : AuthConfInst.ldap_conf['bind_timelimit']).to_i), - IntField(Id(:ldap_timelimit), Opt(:hstretch), _('Timeout for Search Operations in Seconds'), 1, 600, - (AuthConfInst.ldap_conf['timelimit'].to_s == '' ? 
'30' : AuthConfInst.ldap_conf['timelimit']).to_i), - VSpacing(1.0), - PushButton(Id(:finish), Label.OKButton) - )) - end - - def finish_handler - # The user cannot possibly understand the implication of 'hard' policy if the user uses YaST - AuthConfInst.ldap_conf['bind_policy'] = 'soft' - AuthConfInst.ldap_conf['bind_timelimit'] = UI.QueryWidget(Id(:ldap_bind_timelimit), :Value) - AuthConfInst.ldap_conf['timelimit'] = UI.QueryWidget(Id(:ldap_timelimit), :Value) - finish_dialog(:finish) - end - end -end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/main_dialog.rb new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/main_dialog.rb --- old/yast2-auth-client-4.5.0/src/lib/authui/ldapkrb/main_dialog.rb 2022-04-12 13:32:42.000000000 +0200 +++ new/yast2-auth-client-4.5.1/src/lib/authui/ldapkrb/main_dialog.rb 1970-01-01 01:00:00.000000000 +0100 
@@ -1,441 +0,0 @@
-# encoding: utf-8
-
-# ------------------------------------------------------------------------------
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of version 2 of the GNU General Public License as published by the
-# Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program; if not, contact SUSE Linux GmbH.
-#
-# ------------------------------------------------------------------------------
-
-require 'yast'
-require 'auth/authconf.rb'
-require 'authui/ldapkrb/edit_realm_dialog'
-require 'authui/ldapkrb/krb_extended_opts_dialog'
-require 'authui/ldapkrb/ldap_extended_opts_dialog'
-Yast.import 'UI'
-Yast.import 'Label'
-
-module LdapKrb
- # Main dialog shows three tabs, one for Kerberos, one for LDAP, and one for auxiliary daemons.
- class MainDialog
- include Yast
- include Auth
- include UIShortcuts
- include I18n
- include Logger
-
- def initialize
- @tab = :ldap # the last saved tab
- textdomain 'auth-client'
- end
-
- def run
- return if !UI.OpenDialog(Opt(:decorated, :defaultsize),
- VBox(Opt(:hstretch),
- DumbTab([_('Use a Directory as Identity Provider (LDAP)'), _('Authentication via Kerberos')],
- ReplacePoint(Id(:tab), Empty())),
- ButtonBox(
- PushButton(Id(:ok), Label.OKButton),
- PushButton(Id(:cancel), Label.CancelButton),
- ),
- ),
- )
- render_ldap
- begin
- return ui_event_loop
- ensure
- UI.CloseDialog()
- end
- end
-
- def ui_event_loop
- loop do
- case UI.UserInput
- when _('Use a Directory as Identity Provider (LDAP)')
- save_tab
- render_ldap
- @tab = :ldap
- when _('Authentication via Kerberos')
- save_tab
- render_krb
- @tab = :krb
-
- # LDAP tab events
- when :ldap_pam
- if UI.QueryWidget(Id(:ldap_pam), :Value)
- if AuthConfInst.sssd_pam || AuthConfInst.sssd_enabled
- Popup.Error(_("This computer is currently using SSSD to authenticate users.\n" +
- "Before you may use legacy LDAP authentication (pam_ldap), please disable SSSD from \"User Logon Management\"."))
- UI.ChangeWidget(Id(:ldap_pam), :Value, false)
- end
- end
- when :ldap_nss_passwd
- if UI.QueryWidget(Id(:ldap_nss_passwd), :Value)
- if AuthConfInst.sssd_nss.include?('passwd')
- Popup.Error(_("This computer is currently reading user database from SSSD identity provider.\n" +
- "Before you may use LDAP user database (nss_ldap), please disable SSSD user database from \"User Logon Management\"."))
- UI.ChangeWidget(Id(:ldap_nss_passwd), :Value, false)
- end
- end
- when :ldap_nss_group
- if UI.QueryWidget(Id(:ldap_nss_group), :Value)
- if AuthConfInst.sssd_nss.include?('group')
- Popup.Error(_("This computer is currently reading group database from SSSD identity provider.\n" +
- "Before you may use LDAP group database (nss_ldap), please disable SSSD group database from \"User Logon Management\"."))
- UI.ChangeWidget(Id(:ldap_nss_group), :Value, false)
- end
- end
- when :ldap_nss_sudoers
- if UI.QueryWidget(Id(:ldap_nss_sudoers), :Value)
- if AuthConfInst.sssd_nss.include?('sudoers')
- Popup.Error(_("This computer is currently reading sudoers database from SSSD identity provider.\n" +
- "Before you may use LDAP sudoers database (nss_ldap), please disable SSSD sudo database from \"User Logon Management\"."))
- UI.ChangeWidget(Id(:ldap_nss_sudoers), :Value, false)
- end
- end
- when :ldap_nss_automount
- if UI.QueryWidget(Id(:ldap_nss_automount), :Value)
- if AuthConfInst.sssd_nss.include?('automount')
- Popup.Error(_("This computer is currently reading automount database from SSSD identity provider.\n" +
- "Before you may use LDAP automount database (nss_ldap), please disable SSSD automount database from \"User Logon Management\"."))
- UI.ChangeWidget(Id(:ldap_nss_automount), :Value, false)
- redo
- end
- end
- AuthConfInst.autofs_enabled = UI.QueryWidget(Id(:ldap_nss_automount), :Value)
- when :ldap_test
- uris, hosts = get_ldap_uri_and_hosts
- if uris.empty? && hosts.empty?
- Popup.Error(_('Please enter server URI.'))
- redo
- end
- start_tls = UI.QueryWidget(Id(:ldap_tls_method), :CurrentButton) == :ldap_tls_method_starttls
- dn = UI.QueryWidget(Id(:ldap_binddn), :Value)
- password = UI.QueryWidget(Id(:ldap_bindpw), :Value)
- base_dn = UI.QueryWidget(Id(:ldap_base), :Value)
- if base_dn == ''
- Popup.Error(_('Please enter DN of search base.'))
- redo
- end
- # Test URI input
- uris.each {|uri|
- result = AuthConfInst.ldap_test_bind(uri, start_tls, dn, password, base_dn)
- if result == ''
- Popup.Message(_('Successfully contacted LDAP server on URI %s!') % [uri])
- else
- Popup.LongError(_("Connection check has failed on URI %s.\n\n%s") % [uri, result])
- end
- }
- # Test host address input, construct URI for each one.
- host_uri_prefix = ''
- if UI.QueryWidget(Id(:ldap_tls_method), :CurrentButton) == :ldap_tls_method_yes
- host_uri_prefix = 'ldaps://'
- else
- host_uri_prefix = 'ldap://'
- end
- hosts.each {|host|
- splitted = host.split(':')
- if splitted.length == 1
- host_uri = "#{host_uri_prefix}#{host}:389"
- else
- host_uri = "#{host_uri_prefix}#{splitted[0]}:#{splitted[1]}"
- end
- result = AuthConfInst.ldap_test_bind(host_uri, start_tls, dn, password, base_dn)
- if result == ''
- Popup.Message(_('Successfully contacted LDAP server on host %s') % [host_uri])
- else
- Popup.LongError(_("Connection check has failed on host %s.\n\n%s") % [host_uri, result])
- end
- }
- when :ldap_extended_opts
- LdapExtendedOptsDialog.new.run
- when :nscd_enable
- if AuthConfInst.sssd_enabled && UI.QueryWidget(Id(:nscd_enable), :Value)
- if !Popup.YesNo(_("The name service cache is should only used with legacy LDAP identity provider,\n" +
- "but your system currently has authentication domain enabled, which is not compatible with the cache.\n\n" +
- "Do you still wish to enable the cache?"))
- UI.ChangeWidget(Id(:nscd_enable), :Value, false)
- end
- end
- when :ldap_extended_opts
- LdapExtendedOptsDialog.new.run
-
- # Kerberos tab events
- when :krb_pam
- if UI.QueryWidget(Id(:krb_pam), :Value)
- if AuthConfInst.sssd_pam || AuthConfInst.sssd_enabled
- Popup.Error(_("This computer is currently using SSSD to authenticate users.\n" +
- "Before you may use Kerberos authentication (pam_krb5), please disable SSSD from \"User Logon Management\"."))
- UI.ChangeWidget(Id(:krb_pam), :Value, false)
- end
- end
- when :krb_realm_new
- LdapKrb::EditRealmDialog.new(nil).run
- curr_def = UI.QueryWidget(Id(:krb_default_realm), :Value)
- UI.ChangeWidget(Id(:krb_default_realm), :Items, [_('(not specified)')] + AuthConfInst.krb_conf['realms'].keys.sort)
- UI.ChangeWidget(Id(:krb_default_realm), :Value, curr_def)
- UI.ChangeWidget(Id(:krb_realms), :Items, AuthConfInst.krb_conf['realms'].keys.sort)
- when :krb_realm_edit
- realm = UI.QueryWidget(Id(:krb_realms), :CurrentItem)
- if realm.nil?
- redo
- end
- LdapKrb::EditRealmDialog.new(realm).run
- curr_def = UI.QueryWidget(Id(:krb_default_realm), :Value)
- UI.ChangeWidget(Id(:krb_default_realm), :Items, [_('(not specified)')] + AuthConfInst.krb_conf['realms'].keys.sort)
- UI.ChangeWidget(Id(:krb_default_realm), :Value, curr_def)
- UI.ChangeWidget(Id(:krb_realms), :Items, AuthConfInst.krb_conf['realms'].keys.sort)
- when :krb_realm_del
- realm_name = UI.QueryWidget(Id(:krb_realms), :CurrentItem)
- if realm_name.nil?
- redo
- end
- if Popup.YesNo(_('Are you sure to delete realm %s?') % [realm_name])
- AuthConfInst.krb_conf['domain_realm'].delete_if{ |_, domain_realm| domain_realm == realm_name}
- if UI.QueryWidget(Id(:krb_default_realm), :Value) == realm_name
- UI.ChangeWidget(Id(:krb_default_realm), :Value, _('(not specified)'))
- end
- AuthConfInst.krb_conf['realms'].delete(realm_name)
- UI.ChangeWidget(Id(:krb_realms), :Items, AuthConfInst.krb_conf['realms'].keys.sort)
- curr_def = UI.QueryWidget(Id(:krb_default_realm), :Value)
- UI.ChangeWidget(Id(:krb_default_realm), :Items, [_('(not specified)')] + AuthConfInst.krb_conf['realms'].keys.sort)
- UI.ChangeWidget(Id(:krb_default_realm), :Value, curr_def)
- if AuthConfInst.krb_conf_get(['libdefaults', 'default_realm'], nil) == realm_name
- AuthConfInst.krb_conf['libdefaults'].delete('default_realm')
- end
- end
- when :krb_extended_opts
- KrbExtendedOptsDialog.new.run
-
- # Save ALL
- when :ok
- save_tab
- AuthConfInst.ldap_apply
- AuthConfInst.krb_apply
- AuthConfInst.aux_apply
- break
- else
- break
- end
- end
- end
-
- # Save the content of current tab.
- def save_tab
- case @tab
- when :ldap
- save_ldap
- when :krb
- save_krb
- when :aux
- save_aux
- end
- end
-
- # Return a tuple of ldap URIs (array) and ldap host:port combinations (array).
- def get_ldap_uri_and_hosts
- uris = []
- hosts = []
- UI.QueryWidget(Id(:ldap_host_or_uri), :Value).split(/\s+/).each {|entry|
- if /ldap.*:\/\//.match(entry)
- uris += [entry]
- else
- hosts += [entry]
- end
- }
- return [uris, hosts]
- end
-
- def save_ldap
- AuthConfInst.nscd_enabled = UI.QueryWidget(Id(:nscd_enable), :Value)
- AuthConfInst.ldap_pam = UI.QueryWidget(Id(:ldap_pam), :Value)
- ['passwd', 'group', 'sudoers', 'automount'].each{ |db|
- symbol = ('ldap_nss_' + db).to_sym
- if UI.QueryWidget(Id(symbol), :Value)
- AuthConfInst.ldap_nss += [db] if !AuthConfInst.ldap_nss.include?(db)
- else
- AuthConfInst.ldap_nss.delete_if{ |n| n == db}
- end
- }
- # Split URI/host entry into two attributes, remove port attribute
- AuthConfInst.ldap_conf.delete('port')
- uris, hosts = get_ldap_uri_and_hosts
- if hosts.any?
- AuthConfInst.ldap_conf['host'] = hosts.join(' ')
- else
- AuthConfInst.ldap_conf.delete('host')
- end
- if uris.any?
- AuthConfInst.ldap_conf['uri'] = uris.join(' ')
- else
- AuthConfInst.ldap_conf.delete('uri')
- end
- AuthConfInst.ldap_conf['base'] = UI.QueryWidget(Id(:ldap_base), :Value)
- AuthConfInst.ldap_conf['binddn'] = UI.QueryWidget(Id(:ldap_binddn), :Value)
- if AuthConfInst.ldap_conf['binddn'] == ''
- AuthConfInst.ldap_conf.delete('binddn')
- end
- AuthConfInst.ldap_conf['bindpw'] = UI.QueryWidget(Id(:ldap_bindpw), :Value)
- if AuthConfInst.ldap_conf['bindpw'] == ''
- AuthConfInst.ldap_conf.delete('bindpw')
- end
- if UI.QueryWidget(Id(:ldap_rfc2307bis), :Value)
- AuthConfInst.ldap_conf['nss_schema'] = 'rfc2307bis'
- else
- AuthConfInst.ldap_conf.delete('nss_schema')
- end
- if UI.QueryWidget(Id(:ldap_persist), :Value)
- AuthConfInst.ldap_conf['nss_connect_policy'] = 'persist'
- else
- AuthConfInst.ldap_conf['nss_connect_policy'] = 'oneshot'
- end
- case UI.QueryWidget(Id(:ldap_tls_method), :CurrentButton)
- when :ldap_tls_method_no
- AuthConfInst.ldap_conf['ssl'] = 'no'
- when :ldap_tls_method_yes
- AuthConfInst.ldap_conf['ssl'] = 'yes'
- when :ldap_tls_method_starttls
- AuthConfInst.ldap_conf['ssl'] = 'start_tls'
- end
-
- # bsc#1162025: Default bind_policy to soft if not present.
- if not AuthConfInst.ldap_conf.key?('bind_policy')
- AuthConfInst.ldap_conf['bind_policy'] = 'soft'
- end
-
- AuthConfInst.mkhomedir_pam = UI.QueryWidget(Id(:mkhomedir_enable), :Value)
- end
-
- # Save Kerberos
- def save_krb
- AuthConfInst.krb_pam = UI.QueryWidget(Id(:krb_pam), :Value)
- default_realm_choice = UI.QueryWidget(Id(:krb_default_realm), :Value)
- if default_realm_choice == _('(not specified)')
- AuthConfInst.krb_conf['libdefaults']['default_realm'] = nil
- else
- AuthConfInst.krb_conf['libdefaults']['default_realm'] = default_realm_choice
- end
- AuthConfInst.krb_conf['libdefaults']['forwardable'] = UI.QueryWidget(Id(:krb_forwardable), :Value)
- AuthConfInst.krb_conf['libdefaults']['proxiable'] = UI.QueryWidget(Id(:krb_proxiable), :Value)
- AuthConfInst.krb_conf['libdefaults']['noaddresses'] = UI.QueryWidget(Id(:krb_noaddresses), :Value)
- AuthConfInst.krb_conf['libdefaults']['dns_lookup_realm'] = UI.QueryWidget(Id(:krb_dns_lookup_realm), :Value)
- AuthConfInst.krb_conf['libdefaults']['dns_lookup_kdc'] = UI.QueryWidget(Id(:krb_dns_lookup_kdc), :Value)
- AuthConfInst.krb_conf['libdefaults']['allow_weak_crypto'] = UI.QueryWidget(Id(:krb_allow_weak_crypto), :Value)
- AuthConfInst.mkhomedir_pam = UI.QueryWidget(Id(:mkhomedir_enable), :Value)
- end
-
- def render_ldap
- UI.ReplaceWidget(Id(:tab), VBox(
- HBox(
- Top(VBox(
- Left(CheckBox(Id(:ldap_pam), Opt(:notify), _('Allow LDAP Users To Authenticate (pam_ldap)'), AuthConfInst.ldap_pam)),
- Left(CheckBox(Id(:nscd_enable), Opt(:notify), _('Cache LDAP Entries For Faster Response (nscd)'), AuthConfInst.nscd_enabled)),
- Left(CheckBox(Id(:mkhomedir_enable), _('Automatically Create Home Directory'), AuthConfInst.mkhomedir_pam)),
- VSpacing(1.0),
- Left(Label(_('Read the following items from LDAP data source:'))),
- Left(CheckBox(Id(:ldap_nss_passwd), Opt(:notify), _("Users"), AuthConfInst.ldap_nss.include?('passwd'))),
- Left(CheckBox(Id(:ldap_nss_group), Opt(:notify), _("Groups"), AuthConfInst.ldap_nss.include?('group'))),
- Left(CheckBox(Id(:ldap_nss_sudoers), Opt(:notify), _("Super-User Commands (sudo)"), AuthConfInst.ldap_nss.include?('sudoers'))),
- Left(CheckBox(Id(:ldap_nss_automount), Opt(:notify), _("Network Disk Locations (automount)"), AuthConfInst.ldap_nss.include?('automount'))),
- VSpacing(1.0),
- Left(Label(_('Enter LDAP server locations (space separated), in either format:'))),
- Left(Label(_('- Host name or IP and port number (ip:port)'))),
- Left(Label(_('- URI (ldap://server:port, ldaps://server:port)'))),
- InputField(Id(:ldap_host_or_uri), Opt(:hstretch), ''),
- InputField(Id(:ldap_base), Opt(:hstretch), _('DN of Search Base (e.g. dc=example,dc=com)'),
- AuthConfInst.ldap_conf['base'].to_s),
- )),
- Top(VBox(
- InputField(Id(:ldap_binddn), Opt(:hstretch), _('DN of Bind User (Leave Empty for Anonymous Bind)'),
- AuthConfInst.ldap_conf['binddn'].to_s),
- InputField(Id(:ldap_bindpw), Opt(:hstretch), _('Password of the Bind User (Leave Empty for Anonymous Bind)'),
- AuthConfInst.ldap_conf['bindpw'].to_s),
- VSpacing(1.0),
- CheckBox(Id(:ldap_rfc2307bis), Opt(:hstretch), _('Identify Group Members by Their DNs (RFC2307bis)'),
- AuthConfInst.ldap_conf['nss_schema'] == 'rfc2307bis'),
- CheckBox(Id(:ldap_persist), Opt(:hstretch), _('Leave LDAP Connections Open for Consecutive Requests'),
- AuthConfInst.ldap_conf['nss_connect_policy'] != 'oneshot'),
- VSpacing(1.0),
- Frame(_('Secure LDAP communication'), RadioButtonGroup(Id(:ldap_tls_method), VBox(
- Left(RadioButton(Id(:ldap_tls_method_no), _('Do Not Use Security'))),
- Left(RadioButton(Id(:ldap_tls_method_yes), _('Secure Communication via TLS'))),
- Left(RadioButton(Id(:ldap_tls_method_starttls), _('Secure Communication via StartTLS'))),
- ))),
- VSpacing(1.0),
- Left(HBox(PushButton(Id(:ldap_test), _('Test Connection')), PushButton(Id(:ldap_extended_opts), _('Extended Options')))),
- )),
- ),
- ))
- # Combine host/port/uri into one
- default_port_str = AuthConfInst.ldap_conf['port'] ? AuthConfInst.ldap_conf['port'] : '389'
- hosts = AuthConfInst.ldap_conf['host'].to_s.split(/\s+/).map{|a_host|
- # If not specified, append the default port number
- if a_host.split(':').length == 1
- a_host + ':' + default_port_str
- else
- a_host
- end
- }
- uris = AuthConfInst.ldap_conf['uri'].to_s.split(/\s+/)
- UI.ChangeWidget(Id(:ldap_host_or_uri), :Value, (uris + hosts).join(' '))
-
- if AuthConfInst.ldap_conf['bind_policy'] == 'soft'
- UI.ChangeWidget(Id(:ldap_bind_policy), :CurrentButton, :ldap_bind_policy_soft)
- else
- UI.ChangeWidget(Id(:ldap_bind_policy), :CurrentButton, :ldap_bind_policy_hard)
- end
- if AuthConfInst.ldap_conf['ssl'] == 'yes'
- UI.ChangeWidget(Id(:ldap_tls_method), :CurrentButton, :ldap_tls_method_yes)
- elsif AuthConfInst.ldap_conf['ssl'] == 'start_tls'
- UI.ChangeWidget(Id(:ldap_tls_method), :CurrentButton, :ldap_tls_method_starttls)
- else
- UI.ChangeWidget(Id(:ldap_tls_method), :CurrentButton, :ldap_tls_method_no)
- end
- end
-
- def render_krb
- UI.ReplaceWidget(Id(:tab), VBox(
- HBox(
- Top(VBox(
- Left(CheckBox(Id(:krb_pam), Opt(:notify), _('Allow Kerberos Users To Authenticate (pam_krb5)'),
- AuthConfInst.krb_pam)),
- Left(HBox(CheckBox(Id(:mkhomedir_enable), _('Automatically Create Home Directory'), AuthConfInst.mkhomedir_pam))),
- VSpacing(1.0),
- Left(ComboBox(Id(:krb_default_realm), _('Default Realm For User Login:'),
- [_('(not specified)')] + AuthConfInst.krb_conf['realms'].keys.sort)),
- Left(SelectionBox(Id(:krb_realms), _('All Authentication Realms'),
- AuthConfInst.krb_conf['realms'].keys.sort)),
- Left(HBox(PushButton(Id(:krb_realm_new), _('Add Realm')), PushButton(Id(:krb_realm_edit), _('Edit Realm')), PushButton(Id(:krb_realm_del), _('Delete Realm')))),
- )),
- Top(VBox(
- Left(CheckBox(Id(:krb_dns_lookup_realm), _('Use DNS TXT Record to Discover Realms'),
- AuthConfInst.krb_conf_get_bool(['libdefaults', 'dns_lookup_realm'], false))),
- Left(CheckBox(Id(:krb_dns_lookup_kdc), _('Use DNS SRV record to Discover KDC servers'),
- AuthConfInst.krb_conf_get_bool(['libdefaults', 'dns_lookup_kdc'], false))),
- VSpacing(1.0),
- Left(CheckBox(Id(:krb_allow_weak_crypto), _('Allow Insecure Encryption (Windows NT)'),
- AuthConfInst.krb_conf_get_bool(['libdefaults', 'allow_weak_crypto'], false))),
- Left(CheckBox(Id(:krb_forwardable), _('Allow KDC on Other Networks to Issue Authentication Tickets'),
- AuthConfInst.krb_conf_get_bool(['libdefaults', 'forwardable'], false))),
- Left(CheckBox(Id(:krb_proxiable), _('Allow Kerberos-Enabled Services to Take on The Identity Of a User'),
- AuthConfInst.krb_conf_get_bool(['libdefaults', 'proxiable'], false))),
- Left(CheckBox(Id(:krb_noaddresses), _('Issue Address-Less Tickets for Computers Behind NAT'),
- AuthConfInst.krb_conf_get_bool(['libdefaults', 'noaddresses'], false))),
- VSpacing(1.0),
- Left(PushButton(Id(:krb_extended_opts), _('Extended Options'))),
- )),
- ),
- ))
- UI.ChangeWidget(Id(:krb_default_realm), :Value, AuthConfInst.krb_conf_get(['libdefaults', 'default_realm'], _('(not specified)')))
- end
- end
-end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/test/authconf_chroot/etc/ldap.conf new/yast2-auth-client-4.5.1/test/authconf_chroot/etc/ldap.conf
--- old/yast2-auth-client-4.5.0/test/authconf_chroot/etc/ldap.conf 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/test/authconf_chroot/etc/ldap.conf 1970-01-01 01:00:00.000000000 +0100
@@ -1,315 +0,0 @@
-#
-# This is the configuration file for the LDAP nameservice
-# switch library and the LDAP PAM module.
-#
-
-# Your LDAP server. Must be resolvable without using LDAP.
-# Multiple hosts may be specified, each separated by a
-# space. How long nss_ldap takes to failover depends on
-# whether your LDAP client library supports configurable
-# network or connect timeouts (see bind_timelimit).
-host 127.0.0.1
-
-# The distinguished name of the search base.
-base dc=example,dc=com
-
-# Another way to specify your LDAP server is to provide an
-# uri with the server name. This allows to use
-# Unix Domain Sockets to connect to a local LDAP Server.
-#uri ldap://127.0.0.1/
-#uri ldaps://127.0.0.1/
-#uri ldapi://%2fvar%2frun%2fldapi_sock/
-# Note: %2f encodes the '/' used as directory separator
-
-# The LDAP version to use (defaults to 3
-# if supported by client library)
-#ldap_version 3
-
-# The distinguished name to bind to the server with.
-# Optional: default is to bind anonymously.
-#binddn cn=proxyuser,dc=example,dc=com
-
-# The credentials to bind with.
-# Optional: default is no credential.
-#bindpw secret
-
-# The distinguished name to bind to the server with
-# if the effective user ID is root. Password is
-# stored in /etc/ldap.secret (mode 600)
-#rootbinddn cn=manager,dc=example,dc=com
-
-# The port.
-# Optional: default is 389.
-#port 389
-
-# The search scope.
-#scope sub
-#scope one
-#scope base
-
-# Search timelimit
-#timelimit 30
-
-# Bind/connect timelimit
-#bind_timelimit 30
-
-# Reconnect policy:
-# hard_open: reconnect to DSA with exponential backoff if
-# opening connection failed
-# hard_init: reconnect to DSA with exponential backoff if
-# initializing connection failed
-# hard: alias for hard_open
-# soft: return immediately on server failure
-bind_policy soft
-
-# Connection policy:
-# persist: DSA connections are kept open (default)
-# oneshot: DSA connections destroyed after request
-#nss_connect_policy persist
-
-# Idle timelimit; client will close connections
-# (nss_ldap only) if the server has not been contacted
-# for the number of seconds specified below.
-#idle_timelimit 3600
-
-# Use paged rseults
-#nss_paged_results yes
-
-# Pagesize: when paged results enable, used to set the
-# pagesize to a custom value
-#pagesize 1000
-
-# Filter to AND with uid=%s
-#pam_filter objectclass=account
-
-# The user ID attribute (defaults to uid)
-#pam_login_attribute uid
-
-# Search the root DSE for the password policy (works
-# with Netscape Directory Server). Make use of
-# Password Policy LDAP Control (as in OpenLDAP)
-pam_lookup_policy yes
-
-# Check the 'host' attribute for access control
-# Default is no; if set to yes, and user has no
-# value for the host attribute, and pam_ldap is
-# configured for account management (authorization)
-# then the user will not be allowed to login.
-#pam_check_host_attr yes
-
-# Check the 'authorizedService' attribute for access
-# control
-# Default is no; if set to yes, and the user has no
-# value for the authorizedService attribute, and
-# pam_ldap is configured for account management
-# (authorization) then the user will not be allowed
-# to login.
-#pam_check_service_attr yes
-
-# Group to enforce membership of
-#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
-
-# Group member attribute
-#pam_member_attribute uniquemember
-
-# Specify a minium or maximum UID number allowed
-#pam_min_uid 0
-#pam_max_uid 0
-
-# Template login attribute, default template user
-# (can be overriden by value of former attribute
-# in user's entry)
-#pam_login_attribute userPrincipalName
-#pam_template_login_attribute uid
-#pam_template_login nobody
-
-# HEADS UP: the pam_crypt, pam_nds_passwd,
-# and pam_ad_passwd options are no
-# longer supported.
-#
-# Do not hash the password at all; presume
-# the directory server will do it, if
-# necessary. This is the default.
-#pam_password clear
-
-# Hash password locally; required for University of
-# Michigan LDAP server, and works with Netscape
-# Directory Server if you're using the UNIX-Crypt
-# hash mechanism and not using the NT Synchronization
-# service.
-#pam_password crypt
-
-# Remove old password first, then update in
-# cleartext. Necessary for use with Novell
-# Directory Services (NDS)
-#pam_password nds
-
-# RACF is an alias for the above. For use with
-# IBM RACF
-#pam_password racf
-
-# Update Active Directory password, by
-# creating Unicode password and updating
-# unicodePwd attribute.
-#pam_password ad
-
-# Use the OpenLDAP password change
-# extended operation to update the password.
-pam_password exop
-
-# Redirect users to a URL or somesuch on password
-# changes.
-#pam_password_prohibit_message Please visit http://internal to change your password.
-
-# Use backlinks for answering initgroups()
-#nss_initgroups backlink
-
-# returns NOTFOUND if nss_ldap's initgroups() is called
-# for users specified in nss_initgroups_ignoreusers
-# (comma separated)
-nss_initgroups_ignoreusers root,ldap
-
-# Enable support for RFC2307bis (distinguished names in group
-# members)
-nss_schema rfc2307bis
-
-# RFC2307bis naming contexts
-# Syntax:
-# nss_base_XXX base?scope?filter
-# where scope is {base,one,sub}
-# and filter is a filter to be &'d with the
-# default filter.
-# You can omit the suffix eg:
-# nss_base_passwd ou=People,
-# to append the default base DN but this
-# may incur a small performance impact.
-#nss_base_passwd ou=People,dc=example,dc=com?one
-#nss_base_shadow ou=People,dc=example,dc=com?one
-#nss_base_group ou=Group,dc=example,dc=com?one
-#nss_base_hosts ou=Hosts,dc=example,dc=com?one
-#nss_base_services ou=Services,dc=example,dc=com?one
-#nss_base_networks ou=Networks,dc=example,dc=com?one
-#nss_base_protocols ou=Protocols,dc=example,dc=com?one
-#nss_base_rpc ou=Rpc,dc=example,dc=com?one
-#nss_base_ethers ou=Ethers,dc=example,dc=com?one
-#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
-#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
-#nss_base_aliases ou=Aliases,dc=example,dc=com?one
-#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
-
-# attribute/objectclass mapping
-# Syntax:
-#nss_map_attribute rfc2307attribute mapped_attribute
-#nss_map_objectclass rfc2307objectclass mapped_objectclass
-
-# configure --enable-nds is no longer supported.
-# NDS mappings
-nss_map_attribute uniqueMember member
-
-# Services for UNIX 3.5 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount User
-#nss_map_attribute uid msSFU30Name
-#nss_map_attribute uniqueMember msSFU30PosixMember
-#nss_map_attribute userPassword msSFU30Password
-#nss_map_attribute homeDirectory msSFU30HomeDirectory
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_objectclass posixGroup Group
-#pam_login_attribute msSFU30Name
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-mssfu-schema is no longer supported.
-# Services for UNIX 2.0 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid msSFUName
-#nss_map_attribute uniqueMember posixMember
-#nss_map_attribute userPassword msSFUPassword
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup Group
-#nss_map_attribute cn msSFUName
-#pam_login_attribute msSFUName
-#pam_filter objectclass=User
-#pam_password ad
-
-# RFC 2307 (AD) mappings
-#nss_map_objectclass posixAccount user
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid sAMAccountName
-#nss_map_attribute homeDirectory unixHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup group
-#nss_map_attribute uniqueMember member
-#pam_login_attribute sAMAccountName
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-authpassword is no longer supported
-# AuthPassword mappings
-#nss_map_attribute userPassword authPassword
-
-# AIX SecureWay mappings
-#nss_map_objectclass posixAccount aixAccount
-#nss_base_passwd ou=aixaccount,?one
-#nss_map_attribute uid userName
-#nss_map_attribute gidNumber gid
-#nss_map_attribute uidNumber uid
-#nss_map_attribute userPassword passwordChar
-#nss_map_objectclass posixGroup aixAccessGroup
-#nss_base_group ou=aixgroup,?one
-#nss_map_attribute cn groupName
-#nss_map_attribute uniqueMember member
-#pam_login_attribute userName
-#pam_filter objectclass=aixAccount
-#pam_password clear
-
-# For pre-RFC2307bis automount schema
-#nss_map_objectclass automountMap nisMap
-#nss_map_attribute automountMapName nisMapName
-#nss_map_objectclass automount nisObject
-#nss_map_attribute automountKey cn
-#nss_map_attribute automountInformation nisMapEntry
-
-# Netscape SDK LDAPS
-#ssl on
-
-# Netscape SDK SSL options
-#sslpath /etc/ssl/certs
-
-# OpenLDAP SSL mechanism
-# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
-ssl start_tls
-#ssl on
-
-# OpenLDAP SSL options
-# Require and verify server certificate (yes/no)
-# Default is to use libldap's default behavior, which can be configured in
-# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
-# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
-#tls_checkpeer yes
-
-# CA certificates for server certificate verification
-# At least one of these are required if tls_checkpeer is "yes"
-#tls_cacertfile /etc/ssl/ca.cert
-#tls_cacertdir /etc/ssl/certs
-
-# Seed the PRNG if /dev/urandom is not provided
-#tls_randfile /var/run/egd-pool
-
-# SSL cipher suite
-# See man ciphers for syntax
-#tls_ciphers TLSv1
-
-# Client certificate and key
-# Use these, if your server requires client authentication.
-#tls_cert
-#tls_key
-
-# Disable SASL security layers. This is needed for AD.
-#sasl_secprops maxssf=0
-
-# Override the default Kerberos ticket cache location.
-#krb5_ccname FILE:/etc/.ldapcache
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-client-4.5.0/test/authconf_test.rb new/yast2-auth-client-4.5.1/test/authconf_test.rb
--- old/yast2-auth-client-4.5.0/test/authconf_test.rb 2022-04-12 13:32:42.000000000 +0200
+++ new/yast2-auth-client-4.5.1/test/authconf_test.rb 2022-07-28 15:52:19.000000000 +0200
@@ -110,53 +110,6 @@ end end - describe 'LDAP' do - it 'Read, lint, and export LDAP configuration' do - authconf.ldap_read - expect(authconf.ldap_export).to eq( - 'conf'=>{ - 'host'=>'127.0.0.1', - 'base'=>'dc=example,dc=com', - 'bind_policy'=>'soft', - 'pam_lookup_policy'=>'yes', - 'pam_password'=>'exop', - 'nss_initgroups_ignoreusers'=>'root,ldap', - 'nss_schema'=>'rfc2307bis', - 'nss_map_attribute'=>'uniqueMember member', - 'ssl'=>'start_tls'}, - 'pam'=>false, - 'nss'=>[]) - end - it 'Create LDAP configuration file' do - expect(authconf.ldap_make_conf).to eq('host 127.0.0.1 -base dc=example,dc=com -bind_policy soft -pam_lookup_policy yes -pam_password exop -nss_initgroups_ignoreusers root,ldap -nss_schema rfc2307bis -nss_map_attribute uniqueMember member -ssl start_tls -') - end - it 'Import and recreate the same configuration' do - conf = {'conf'=>{ - 'host'=>'127.0.0.1', - 'base'=>'dc=example,dc=com', - 'bind_policy'=>'soft', - 'pam_lookup_policy'=>'yes', - 'pam_password'=>'exop', - 'nss_initgroups_ignoreusers'=>'root,ldap', - 'nss_schema'=>'rfc2307bis', - 'nss_map_attribute'=>'uniqueMember member', - 'ssl'=>'start_tls'}, - 'pam'=>true, - 'nss'=>['passwd', 'group']} - authconf.ldap_import(conf) - expect(authconf.ldap_export).to eq(conf) - end - end - describe 'Kerberos' do it 'Read, lint, and export Kerberos configuration' do # The first example is very simple