add init script and config to the debian package, renamed to ai-auth-server

authserv/server.py

@@ -78,6 +78,8 @@ def main():
                       help='Configuration file')
     parser.add_option('--port', type='int', default=1616,
                       help='TCP port to listen on (default: %default)')
+    parser.add_option('--addr', dest='addr', default='0.0.0.0',
+                      help='Address to listen on (default: %default)')
     parser.add_option('--ca', dest='ssl_ca',
                       default='/etc/ai/internal_ca.pem',
                       help='SSL CA certificate file (default: %default)')
@@ -120,7 +122,7 @@ def main():
         ssl_ctx = ssl.create_server_context(opts.ssl_cert, opts.ssl_key,
                                             opts.ssl_ca, opts.dh_params)
 
-    app.run(host='0.0.0.0', port=opts.port, use_reloader=False,
+    app.run(host=opts.addr, port=opts.port, use_reloader=False,
             ssl_context=ssl_ctx)
 
 

debian/ai-auth-server.conf

+#
+
+MEMCACHE_ADDR = ['127.0.0.1:11211']
+
+# Lock all low-level authentications (email and dav services) to
+# accounts assigned to the local machine.
+import socket
+host = socket.gethostname().split('.')[0]
+
+LDAP_SERVICE_MAP = {
+
+    # Mail accounts (dovecot, nginx-mail-mapper).
+    'mail': {
+        'base': 'ou=People, dc=investici, dc=org, o=Anarchy',
+        'filter': '(&(objectClass=virtualMailUser)(status=active)(mail=%s))',
+    },
+ 
+    # DAV access (webdav fcgi handler).
+    'dav': {
+        'base': 'ou=People, dc=investici, dc=org, o=Anarchy',
+        'filter': '(&(objectClass=ftpAccount)(status=active)(host=%s)(ftpname=%%s))' % host,
+    },
+
+    # Main account (pannello).
+    'account': {
+        'dn': 'uid=%s, ou=People, dc=investici, dc=org, o=Anarchy',
+    },
+
+}
+
+LDAP_BIND_DN = 'cn=manager, o=Anarchy'
+
+with open('/etc/ldap.secret') as fd:
+    LDAP_BIND_PW = fd.read().strip()

debian/ai-auth-server.default

+
+#PORT=1616
+#ADDR=127.0.0.1
+#CONFIG=/etc/ai-auth-server.conf
+

debian/ai-auth-server.init

+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          ai-auth-server
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: A/I authentication server.
+### END INIT INFO
+
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="Local audit log server"
+NAME=ai-auth-server
+DAEMON=/usr/bin/$NAME
+DAEMON_ARGS=""
+AUDIT_SERVER=""
+USER=auth
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Default options.
+PORT=1616
+BIND_ADDR=127.0.0.1
+CONFIG=/etc/ai-auth-server.conf
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+DAEMON_ARGS="--config=$CONFIG --port=$PORT --addr=$BIND_ADDR $DAEMON_ARGS"
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+        # Return
+        #   0 if daemon has been started
+        #   1 if daemon was already running
+        #   2 if daemon could not be started
+        pre_start
+
+        start-stop-daemon --start --quiet --background --make-pidfile --pidfile $PIDFILE -
+-chuid $USER:$GROUP --umask 007 --exec $DAEMON --test > /dev/null \
+                || return 1
+        start-stop-daemon --start --quiet --background --make-pidfile --pidfile $PIDFILE -
+-chuid $USER:$GROUP --umask 007 --exec $DAEMON -- \
+                --syslog $DAEMON_ARGS \
+                || return 2
+        # Add code here, if necessary, that waits for the process to be ready
+        # to handle requests from services started subsequently which depend
+        # on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+        # Return
+        #   0 if daemon has been stopped
+        #   1 if daemon was already stopped
+        #   2 if daemon could not be stopped
+        #   other if a failure occurred
+        start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --user $USER --name $NAME
+        RETVAL="$?"
+        [ "$RETVAL" = 2 ] && return 2
+        # Wait for children to finish too if this is a daemon that forks
+        # and if the daemon is only ever run from this initscript.
+        # If the above conditions are not satisfied then add some other code
+        # that waits for the process to drop all resources that could be
+        # needed by services started subsequently.  A last resort is to
+        # sleep for some time.
+        #start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+        #[ "$?" = 2 ] && return 2
+        # Many daemons don't delete their pidfiles when they exit.
+        rm -f $PIDFILE
+        return "$RETVAL"
+}
+
+case "$1" in
+  start)
+        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+        do_start
+        case "$?" in
+                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+        esac
+        ;;
+  stop)
+        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+        do_stop
+        case "$?" in
+                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+        esac
+        ;;
+  status)
+        status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+        ;;
+  restart|force-reload)
+        #
+        # If the "reload" option is implemented then remove the
+        # 'force-reload' alias
+        #
+        log_daemon_msg "Restarting $DESC" "$NAME"
+        do_stop
+        case "$?" in
+          0|1)
+                do_start
+                case "$?" in
+                        0) log_end_msg 0 ;;
+                        1) log_end_msg 1 ;; # Old process is still running
+                        *) log_end_msg 1 ;; # Failed to start
+                esac
+                ;;
+          *)
+                # Failed to stop
+                log_end_msg 1
+                ;;
+        esac
+        ;;
+  *)
+        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+        exit 3
+        ;;
+esac
+
+:

debian/python-authserv.install → debian/ai-auth-server.install

+debian/tmp/etc/ai-auth-server.conf
 debian/tmp/usr/bin
 debian/tmp/usr/lib/python2.7

debian/ai-auth-server.postinst

+#!/bin/sh
+# postinstall script for ai-auth-server.
+
+case "$1" in
+configure)
+
+	adduser --quiet --system --home /var/spool/audit --no-create-home \
+	    --disabled-password --ingroup internal-credentials ai-auth-server
+
+	;;
+abort-upgrade|abort-remove|abort-deconfigure)
+	;;
+*)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+	;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0

debian/control

@@ -13,7 +13,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends}
 Description: PAM module for authserv.
  PAM module for authserv.
 
-Package: python-authserv
+Package: ai-auth-server
 Architecture: all
 Depends: ${python:Depends}, ${misc:Depends}
 Description: Auth server package.

debian/rules

@@ -28,6 +28,9 @@ override_dh_auto_build:
 	dh_auto_build
 
 override_dh_install:
+	install -d $(CURDIR)/debian/tmp/etc
+	install -o root -g root -m 644 $(CURDIR)/debian/ai-auth-server.conf \
+	  $(CURDIR)/debian/tmp/etc/ai-auth-server.conf
 	(cd pam && make install DESTDIR=$(CURDIR)/debian/tmp)
 	rm -f $(PAM_INST_DIR)/pam_authclient.so{,.0}
 	mv $(PAM_INST_DIR)/pam_authclient.so.0.0.0 \