Author: jsuchome
Date: Tue Jun 7 11:49:17 2011
New Revision: 64246
URL: http://svn.opensuse.org/viewcvs/yast?rev=64246&view=rev
Log:
- make SSSD switch more prominent (fate#310820)
- add options to set ldap_schema and enumerate in sssd.conf
- adapted help texts
- 2.17.26
Modified:
branches/SuSE-Code-11-SP2-Branch/ldap-client/VERSION
branches/SuSE-Code-11-SP2-Branch/ldap-client/package/yast2-ldap-client.changes
branches/SuSE-Code-11-SP2-Branch/ldap-client/src/Ldap.ycp
branches/SuSE-Code-11-SP2-Branch/ldap-client/src/ui.ycp
Modified: branches/SuSE-Code-11-SP2-Branch/ldap-client/VERSION
URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/ldap-client/VERSION?rev=64246&r1=64245&r2=64246&view=diff
==============================================================================
--- branches/SuSE-Code-11-SP2-Branch/ldap-client/VERSION (original)
+++ branches/SuSE-Code-11-SP2-Branch/ldap-client/VERSION Tue Jun 7 11:49:17 2011
@@ -1 +1 @@
-2.17.25
+2.17.26
Modified: branches/SuSE-Code-11-SP2-Branch/ldap-client/package/yast2-ldap-client.changes
URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/ldap-client/package/yast2-ldap-client.changes?rev=64246&r1=64245&r2=64246&view=diff
==============================================================================
--- branches/SuSE-Code-11-SP2-Branch/ldap-client/package/yast2-ldap-client.changes (original)
+++ branches/SuSE-Code-11-SP2-Branch/ldap-client/package/yast2-ldap-client.changes Tue Jun 7 11:49:17 2011
@@ -1,4 +1,12 @@ ------------------------------------------------------------------- +Tue Jun 7 11:45:02 CEST 2011 - jsuchome@suse.cz + +- make SSSD switch more prominent (fate#310820) +- add options to set ldap_schema and enumerate in sssd.conf +- adapted help texts +- 2.17.26 + +------------------------------------------------------------------- Wed Mar 23 08:46:38 CET 2011 - jsuchome@suse.cz - remove 'ldap' from nsswitch.conf when sssd is configured Modified: branches/SuSE-Code-11-SP2-Branch/ldap-client/src/Ldap.ycp URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/ldap-client/src/Ldap.ycp?rev=64246&r1=64245&r2=64246&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/ldap-client/src/Ldap.ycp (original) +++ branches/SuSE-Code-11-SP2-Branch/ldap-client/src/Ldap.ycp Tue Jun 7 11:49:17 2011 @@ -344,6 +344,12 @@ // adress of KDC (key distribution centre) server for default realm global string krb5_kdcip = ""; + // ldap_schema argument of /etc/sssd/sssd.conf + global string sssd_ldap_schema = "rfc2307bis"; + + // enumerate users/group + global boolean sssd_enumerate = false; + //---------------------------------------------------------------- /** @@ -474,6 +480,9 @@ tls_checkpeer = settings ["tls_checkpeer"]:"yes"; mkhomedir = settings ["mkhomedir"]:mkhomedir; sssd = settings ["sssd"]:sssd; + sssd_ldap_schema= settings ["sssd_ldap_schema"]:sssd_ldap_schema; + sssd_enumerate = settings ["sssd_enumerate"]:sssd_enumerate; + sssd_cache_credentials = settings ["sssd_cache_credentials"]:sssd_cache_credentials; krb5_realm = settings ["krb5_realm"]:krb5_realm; krb5_kdcip = settings ["krb5_kdcip"]:krb5_kdcip; if (_start_autofs) 
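Review bot: In the Ldap.ycp @@ -474 hunk, `sssd_ldap_schema= settings ["sssd_ldap_schema"]:sssd_ldap_schema;` accepts any string from the AutoYaST profile, the reader in the @@ -943 hunk likewise stores whatever `ldap_schema` value it finds in sssd.conf, and the @@ -2145 hunk then writes that string back verbatim with `SCR::Write (add (domain, "ldap_schema"), sssd_ldap_schema);`. The only list of supported values, `ldap_schemas` in ui.ycp (@@ -754 hunk), is consulted on none of these paths, so a typo in a profile yields a domain section sssd will reject, and a hand-edited value outside that list presumably has no matching item in the ComboBox of the @@ -883 hunk and would be silently replaced on the next save. Consider keeping the allowed list in Ldap.ycp and normalising at import and read time, e.g. `if (!contains (["rfc2307", "rfc2307bis"], sssd_ldap_schema)) sssd_ldap_schema = "rfc2307bis";` right after the assignment. The enclosing import function continues past the hunk (`if (_start_autofs)` is its last visible line).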
@@ -538,6 +547,12 @@ e["krb5_realm"] = krb5_realm; if (krb5_kdcip != "") e["krb5_kdcip"] = krb5_kdcip; + if (sssd_ldap_schema != "rfc2307bis") + e["sssd_ldap_schema"] = sssd_ldap_schema; + if (sssd_enumerate) + e["sssd_enumerate"] = sssd_enumerate; + if (sssd_cache_credentials) + e["sssd_cache_credentials"] = sssd_cache_credentials; return e; } @@ -943,8 +958,16 @@ string kdc = (string) SCR::Read (add (domain, "krb5_kdcip")); if (kdc != nil) krb5_kdcip = kdc; + string schema = (string) SCR::Read (add (domain, "ldap_schema")); + if (schema != nil) + { + sssd_ldap_schema= schema; + } - sssd_cache_credentials = SCR::Read (add (domain, "cache_credentials")) == "True"; + string cache_credentials = (string)SCR::Read (add (domain, "cache_credentials")); + sssd_cache_credentials = cache_credentials != nil && tolower (cache_credentials) == "true"; + string enumerate = (string)SCR::Read (add (domain, "enumerate")); + sssd_enumerate = enumerate != nil && tolower (enumerate) == "true"; } if (krb5_realm != "" && krb5_kdcip != "") { 
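Review bot: The two boolean reads added at the end of the @@ -943 hunk, `sssd_cache_credentials = cache_credentials != nil && tolower (cache_credentials) == "true";` and the identical expression for `enumerate`, repeat the same nil-guarded case-insensitive parse, while the `schema` read just above does its nil guard a third way with a braced block. A small local helper taking the already-built path, e.g. `boolean read_sssd_bool (path p)` returning `v != nil && tolower (v) == "true"`, would keep the three reads parallel and leave one place to adjust the accepted spellings. `sssd_ldap_schema= schema;` is also missing the space before `=` that the neighbouring assignments have. The enclosing function starts and ends outside the hunk.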
@@ -2145,12 +2168,13 @@ string uri = sformat ("ldap://%1", String::FirstChunk (server, " \t")); SCR::Write (add (domain, "ldap_uri"), uri); SCR::Write (add (domain, "ldap_search_base"), base_dn); - SCR::Write (add (domain, "ldap_schema"), "rfc2307bis"); + SCR::Write (add (domain, "ldap_schema"), sssd_ldap_schema); SCR::Write (add (domain, "id_provider"), "ldap"); SCR::Write (add (domain, "ldap_user_uuid"), "entryuuid"); SCR::Write (add (domain, "ldap_group_uuid"), "entryuuid"); SCR::Write (add (domain, "ldap_id_use_start_tls"), ldap_tls ? "True" : "False"); + SCR::Write (add (domain, "enumerate"), sssd_enumerate ? "True" : "False"); SCR::Write (add (domain, "cache_credentials"), sssd_cache_credentials ? "True" : "False"); SCR::Write (add (domain, "ldap_tls_cacertdir"), tls_cacertdir == "" ? nil : tls_cacertdir); SCR::Write (add (domain, "ldap_tls_cacert"), tls_cacertfile == "" ? nil : tls_cacertfile); Modified: branches/SuSE-Code-11-SP2-Branch/ldap-client/src/ui.ycp URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/ldap-client/src/ui.ycp?rev=64246&r1=64245&r2=64246&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/ldap-client/src/ui.ycp (original) +++ branches/SuSE-Code-11-SP2-Branch/ldap-client/src/ui.ycp Tue Jun 7 11:49:17 2011 @@ -189,6 +189,9 @@ // help text 3.5/9 _("<p>To activate LDAP but forbid users from logging in to this machine, select <b>Enable LDAP Users but Disable Logins</b>.</p>") + + // help text + _("<p>Check <b>Use System Security Services Daemon</b> if you want the system to use SSSD instead of nss_ldap.</p>") + + // help text 4/9 _("<p>Enter the LDAP server's address (such as ldap.example.com or 10.20.0.2) in <b>Addresses</b> and the distinguished name of the search base (<b>Base DN</b>, such as dc=example,dc=com). Specify multiple servers by separating their addresses with spaces. It must be possible to resolve the 
@@ -223,14 +226,13 @@ boolean installation = Stage::cont () && !contains (WFM::Args (), "from_users"); boolean start = Ldap::start || installation; - + boolean sssd = Ldap::sssd; string base_dn = Ldap::GetBaseDN (); string server = Ldap::server; boolean ldap_tls = Ldap::ldap_tls || Ldap::sssd; // force TLS to true if sssd is used string tls_checkpeer = Ldap::tls_checkpeer; boolean login_enabled = Ldap::login_enabled; string certTmpFile = sformat ("%1/__LDAPcert.crt", Directory::tmpdir); - boolean sssd_cache_credentials = Ldap::sssd_cache_credentials; boolean autofs = Ldap::_start_autofs; term autofs_con = `Empty (); if (Ldap::_autofs_allowed) @@ -271,6 +273,11 @@ start && !login_enabled)) ))) ), + `VSpacing (0.4), + `Left (`CheckBox (`id (`sssd), `opt (`notify), + // checkbox label + _("Use S&ystem Security Services Daemon (SSSD)"), sssd + )), `VSpacing (0.4) ))), `VSpacing (0.4), @@ -310,8 +317,6 @@ ), `HSpacing (0.5))), autofs_con, mkhomedir_term, - // check box label - `Left (`CheckBox (`id (`sssd_cache_credentials), _("SSSD O&ffline Authentication"), sssd_cache_credentials)), `VSpacing(0.4), // pushbutton label `PushButton (`id(`advanced), _("&Advanced Configuration...")) @@ -331,7 +336,6 @@ UI::ChangeWidget (`id(`server),`ValidChars, Address::ValidChars + " "); UI::ChangeWidget (`id(`import_cert),`Enabled, ldap_tls); - UI::ChangeWidget (`id(`sssd_cache_credentials),`Enabled, Ldap::sssd); // do not alow to turn off TLS when SSSD is used UI::ChangeWidget (`id (`ldaps), `Enabled, !Ldap::sssd); 
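Review bot: The SSSD check box added in the @@ -271 hunk has ``opt (`notify)``, but the TLS rule is still derived from the module value only when the dialog is built: `boolean ldap_tls = Ldap::ldap_tls || Ldap::sssd; // force TLS to true if sssd is used` in the @@ -223 hunk and ``UI::ChangeWidget (`id (`ldaps), `Enabled, !Ldap::sssd);`` in the @@ -331 hunk. Turning SSSD on in the dialog therefore leaves the `ldaps` box enabled and possibly unchecked, ``ldap_tls = (boolean) UI::QueryWidget(`id(`ldaps), `Value);`` in the @@ -347 hunk then reads false, and unless code outside these hunks re-applies the rule the saved configuration has `sssd` true with `ldap_id_use_start_tls` written as False by the Ldap.ycp @@ -2145 hunk, which is exactly what the comment says must not happen. A ``result == `sssd`` branch beside the existing ``if (result == `slp)`` should re-apply the rule in the dialog; the removed handler in the advanced dialog (@@ -1117 hunk) only swapped frames and did not cover this. The dialog's event loop starts and ends outside the hunks.
```ycp
// … unchanged: start, login_enabled, sssd, server, ldap_tls, mkhomedir queried from the widgets …
if (result == `sssd)
{
    // SSSD always talks to the server over TLS: reflect that as soon as the
    // box is toggled, not only when the dialog is rebuilt from Ldap::sssd
    if (sssd)
    {
        ldap_tls = true;
        UI::ChangeWidget (`id (`ldaps), `Value, true);
    }
    UI::ChangeWidget (`id (`ldaps), `Enabled, !sssd);
    UI::ChangeWidget (`id (`import_cert), `Enabled, ldap_tls);
}
// … unchanged: if (result == `slp) …
```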
@@ -343,11 +347,10 @@ start = (rb != `ldapno); login_enabled = (rb != `ldapnologin); + sssd = (boolean) UI::QueryWidget (`id (`sssd), `Value); server = (string) UI::QueryWidget(`id(`server), `Value); ldap_tls = (boolean) UI::QueryWidget(`id(`ldaps), `Value); mkhomedir = (boolean) UI::QueryWidget (`id(`mkhomedir),`Value); - sssd_cache_credentials = - (boolean) UI::QueryWidget (`id(`sssd_cache_credentials), `Value); UI::ChangeWidget (`id(`import_cert), `Enabled, ldap_tls); if (result == `slp) @@ -562,7 +565,8 @@ Ldap::ldap_tls != ldap_tls || Ldap::_start_autofs != autofs || Ldap::login_enabled != login_enabled || Ldap::mkhomedir != mkhomedir || - Ldap::sssd_cache_credentials != sssd_cache_credentials) + Ldap::sssd != sssd + ) { if (result == `next) { @@ -617,7 +621,7 @@ Ldap::_start_autofs = autofs; Ldap::login_enabled = login_enabled; Ldap::mkhomedir = mkhomedir; - Ldap::sssd_cache_credentials = sssd_cache_credentials; + Ldap::sssd = sssd; Ldap::modified = true; } } @@ -636,11 +640,19 @@ // help text caption 1 _("<p><b>Advanced LDAP Client Settings</b></p>") + + (Ldap::sssd ? + + // help text 1/3 + _("<p>If Kerberos authentication should be used, specify the <b>realm</b> and <b>KDC Address</b>. +Determine if user credentials should be cached localy by checking <b>SSSD Offline Authentication</b>. +For more info about SSSD settings, check the man page of <tt>sssd.conf</tt>.</p> +") : + // help text 1/3 _("<p>Specify the search bases to use for specific maps (users, passwords, and groups) if they are different from the base DN. These values are set to the nss_base_passwd, nss_base_shadow, and nss_base_group attributes in /etc/ldap.conf file.</p> -") + +")) + // help text 2/3 _("<p><b>Password Change Protocol</b> refers to the pam_password attribute of the <tt>/etc/ldap.conf</tt> file. See <tt>man pam_ldap</tt> for the meaning of its values.</p>") + 
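Review bot: The new SSSD help text 1/3 in the @@ -636 hunk explains the realm, the KDC address and SSSD Offline Authentication, but says nothing about the two other controls this commit puts into the same frame in the @@ -883 hunk, the LDAP Schema combo box and the user/group enumeration check box. A sentence such as `Select the <b>LDAP Schema</b> your directory follows (rfc2307 or rfc2307bis), and check <b>Enable user and group enumeration</b> only if tools on this machine need to list all users and groups, since SSSD then keeps a copy of the whole directory.` would close the gap; the sssd.conf man page the text already refers to describes the cost of enumeration. The same string misspells `localy`; it should read `locally`.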
@@ -719,10 +731,12 @@ boolean ldap_v2 = Ldap::ldap_v2; string tls_cacertdir = Ldap::tls_cacertdir; string tls_cacertfile = Ldap::tls_cacertfile; - boolean sssd = Ldap::sssd; string krb5_realm = Ldap::krb5_realm; string krb5_kdcip = Ldap::krb5_kdcip; boolean sssd_with_krb = Ldap::sssd_with_krb; + string sssd_ldap_schema = Ldap::sssd_ldap_schema; + boolean sssd_enumerate = Ldap::sssd_enumerate; + boolean sssd_cache_credentials = Ldap::sssd_cache_credentials; list<term>member_attributes = [ `item (`id("member"), "member", member_attribute == "member"), @@ -754,6 +768,10 @@ `item (`id (it), it, it == pam_password) )) ); + list<string> ldap_schemas = [ + "rfc2307", + "rfc2307bis" + ]; list ppolicy_list = []; 
@@ -883,14 +901,34 @@ term get_frame_krb () { return // frame label - `Frame (_("Basic Kerberos Settings"), `HBox (`HSpacing (1), `VBox ( + `Frame (_("Basic SSSD Settings"), `HBox (`HSpacing (1), `VBox ( // checkbox label `Left (`CheckBox (`id (`sssd_with_krb), `opt (`notify), _("&Use Kerberos"), sssd_with_krb)), `VSpacing(0.4), - // textentry label - `TextEntry (`id (`krb5_realm), _("Default Real&m"), krb5_realm), - // textentry label - `TextEntry (`id (`krb5_kdcip), _("&KDC Server Address"), krb5_kdcip), + `HBox ( + // textentry label + `TextEntry (`id (`krb5_realm), _("Default Real&m"), krb5_realm), + // textentry label + `TextEntry (`id (`krb5_kdcip), _("&KDC Server Address"), krb5_kdcip) + ), + // combobox label + `ComboBox (`id (`sssd_ldap_schema), `opt (`notify, `hstretch), _("LDAP Schema"), + maplist (string s, ldap_schemas, ``(`item (`id (s), s, s == sssd_ldap_schema))) + ), + `VSpacing (0.4), + `HBox ( + `HSpacing (0.4), + // checkbox label + `Left (`CheckBox (`id (`sssd_enumerate), _("Enable user and group enumeration"), + sssd_enumerate)) + ), + `VSpacing (0.4), + `HBox ( + `HSpacing (0.4), + // check box label + `Left (`CheckBox (`id (`sssd_cache_credentials), _("SSSD O&ffline Authentication"), + sssd_cache_credentials)) + ), `VSpacing (0.4) ), `HSpacing (1))); } @@ -899,14 +937,11 @@ term cont = `Top (`HBox(`HSpacing (5), `VBox( `VSpacing(0.4), - `Left (`CheckBox (`id (`sssd), `opt (`notify), _("Use S&ystem Security Services Daemon (SSSD)"), sssd)), - `VSpacing(0.4), - `ReplacePoint (`id (`rp_frame), `VBox (sssd ? get_frame_krb () : get_frame_nss ())), + `VBox (Ldap::sssd ? get_frame_krb () : get_frame_nss ()), `VSpacing (0.4), `ComboBox (`id (`pam_password), `opt(`notify,`hstretch,`editable), // combobox label _("Passwor&d Change Protocol"), pam_password_items), - `VSpacing(0.4), `ComboBox (`id (`group_style), `opt (`notify, `hstretch), // combobox label _("Group Member &Attribute"), member_attributes), 
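Review bot: The frame in the @@ -883 hunk is now labelled `_("Basic SSSD Settings")` and carries the schema, enumeration and offline-authentication controls, yet the function keeps the name `get_frame_krb` with `get_frame_nss` as its counterpart in the @@ -899 hunk, so the name now describes a quarter of what it returns; `get_frame_sssd` would match the label. The `sssd_ldap_schema` ComboBox is created with ``opt (`notify, `hstretch)`` but no ``result == `sssd_ldap_schema`` branch appears in the event handling of the @@ -1041 or @@ -1117 hunks, so unless one exists outside the hunks the `notify` only adds a round trip and can be dropped; `_("LDAP Schema")` is also the only label in the frame without a keyboard shortcut (`&`). `get_frame_krb` is complete within the hunk; the @@ -899 hunk's enclosing function is not.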
@@ -940,7 +975,7 @@ UI::ReplaceWidget (`tabContents, cont); if (has_tabs) UI::ChangeWidget (`id (`tabs), `CurrentItem, `client); - if (sssd) + if (Ldap::sssd) { UI::ChangeWidget (`id (`krb5_realm), `Enabled, sssd_with_krb); UI::ChangeWidget (`id (`krb5_kdcip), `Enabled, sssd_with_krb); @@ -1041,12 +1076,18 @@ { member_attribute =(string)UI::QueryWidget(`id(`group_style),`Value); - if (sssd) + if (Ldap::sssd) { krb5_realm = (string) UI::QueryWidget (`id (`krb5_realm), `Value); krb5_kdcip = (string) UI::QueryWidget (`id (`krb5_kdcip), `Value); + sssd_cache_credentials = (boolean) + UI::QueryWidget (`id (`sssd_cache_credentials), `Value); + sssd_enumerate = (boolean) + UI::QueryWidget (`id (`sssd_enumerate), `Value); + sssd_ldap_schema= (string) + UI::QueryWidget (`id (`sssd_ldap_schema), `Value); } else { @@ -1117,11 +1158,6 @@ UI::ChangeWidget (`id(br2entry[result]:nil), `Value, dn); } } - if (result == `sssd) - { - sssd = (boolean) UI::QueryWidget (`id (`sssd), `Value); - UI::ReplaceWidget (`id (`rp_frame), sssd ? get_frame_krb () : get_frame_nss ()); - } if (result == `sssd_with_krb) { sssd_with_krb = (boolean) UI::QueryWidget (`id (`sssd_with_krb), `Value); @@ -1302,7 +1338,7 @@ Ldap::ppolicies[dn] = pp; } }); - if (krb5_realm == "" || krb5_kdcip == "" || !sssd) + if (krb5_realm == "" || krb5_kdcip == "" || !Ldap::sssd) sssd_with_krb = false; if (Ldap::GetMainConfigDN() != base_config_dn || @@ -1317,9 +1353,11 @@ Ldap::ldap_v2 != ldap_v2 || Ldap::tls_cacertdir != tls_cacertdir || Ldap::tls_cacertfile != tls_cacertfile || - Ldap::sssd != sssd || Ldap::krb5_realm != krb5_realm || - Ldap::krb5_kdcip != krb5_kdcip + Ldap::krb5_kdcip != krb5_kdcip || + Ldap::sssd_cache_credentials != sssd_cache_credentials || + Ldap::sssd_enumerate != sssd_enumerate || + Ldap::sssd_ldap_schema != sssd_ldap_schema ) { Ldap::bind_dn = bind_dn; 
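Review bot: The advanced dialog now branches on the module value, `if (Ldap::sssd)` in the @@ -940 and @@ -1041 hunks and `!Ldap::sssd` in the @@ -1302 hunk, after its local `sssd` and the ``result == `sssd`` handler were removed in the @@ -1117 hunk, so which frame it shows depends on the main dialog having stored the check box state before this dialog opens. The main dialog stores `Ldap::sssd = sssd;` in its @@ -617 hunk, but whether that path also runs when the user presses the Advanced Configuration button rather than Next is not visible here; if it does not, toggling SSSD and then opening the advanced dialog shows the nss_ldap frame and the SSSD-side values are never queried. Worth confirming, or passing the current main-dialog value in explicitly if the store only happens on Next. The advanced dialog's function starts and ends outside the hunks.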
@@ -1334,10 +1372,12 @@ Ldap::ldap_v2 = ldap_v2; Ldap::tls_cacertdir = tls_cacertdir; Ldap::tls_cacertfile = tls_cacertfile; - Ldap::sssd = sssd; Ldap::krb5_realm = krb5_realm; Ldap::krb5_kdcip = krb5_kdcip; Ldap::sssd_with_krb = sssd_with_krb; + Ldap::sssd_cache_credentials = sssd_cache_credentials; + Ldap::sssd_enumerate = sssd_enumerate; + Ldap::sssd_ldap_schema = sssd_ldap_schema; Ldap::modified = true; } break; -- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org