| author | Lexi Winter <lexi@le-fay.org> | 2025-07-12 07:52:42 +0100 |
|---|---|---|
| committer | Lexi Winter <lexi@le-fay.org> | 2025-07-12 07:52:42 +0100 |
| commit | 799dc834e0fe94ed62c0d6bb65e6d15a639ab668 (patch) | |
| tree | bb3b7a89764f768b6b1c4a4918e9eb37a88645b8 | |
initial commit v1.0
| -rw-r--r-- | Makefile | 28 | ||||
| -rw-r--r-- | apache24.sh | 25 | ||||
| -rw-r--r-- | chrony.sh | 27 | ||||
| -rw-r--r-- | lfldap-update.sh | 57 | ||||
| -rw-r--r-- | nginx.sh | 26 | ||||
| -rw-r--r-- | pf.sh | 20 | ||||
| -rw-r--r-- | postfix.sh | 26 |
7 files changed, 209 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..7a1f9b0
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,28 @@
+DESTDIR?=
+PREFIX?= /usr/local
+BINDIR?= ${PREFIX}/bin
+HOOKDIR?= ${PREFIX}/share/lfldap/hooks
+
+HOOKS= apache24.sh \
+ chrony.sh \
+ nginx.sh \
+ pf.sh \
+ postfix.sh
+
+all: .PHONY
+
+${DESTDIR}${BINDIR}:
+ install -d -m 0755 ${DESTDIR}${BINDIR}
+
+${DESTDIR}${HOOKDIR}:
+ install -d -m 0755 ${DESTDIR}${HOOKDIR}
+
+install: install-bin install-hooks .PHONY
+
+install-bin: ${DESTDIR}${BINDIR} .PHONY
+ install -C -m 0755 lfldap-update.sh ${DESTDIR}${BINDIR}/lfldap-update
+
+install-hooks: ${DESTDIR}${HOOKDIR} .PHONY
+.for hook in ${HOOKS}
+ install -C -m 0644 ${hook} ${DESTDIR}${HOOKDIR}
+.endfor
diff --git a/apache24.sh b/apache24.sh
new file mode 100644
index 0000000..5fce133
--- /dev/null
+++ b/apache24.sh
@@ -0,0 +1,25 @@
+# This source code is released into the public domain.
+#
+# The Apache allow_internal.conf file is a list of "Require ip <prefix>",
+# one per line.
+
+APACHE_FILE="/usr/local/etc/apache24/allow_internal.conf"
+APACHE_TEMP="${APACHE_FILE}.ldaptmp"
+
+if [ ! -f "$APACHE_FILE" ]; then
+ exit 0
+fi
+
+awk <"$NETWORKS_FILE" >"$APACHE_TEMP" '{ print "Require ip " $1 }'
+
+if cmp -s "$APACHE_TEMP" "$APACHE_FILE"; then
+ rm "$APACHE_TEMP"
+ exit 0
+fi
+
+printf '%s updated:\n\n' "$APACHE_FILE"
+diff "$APACHE_FILE" "$APACHE_TEMP"
+printf '\n'
+
+mv "$APACHE_TEMP" "$APACHE_FILE"
+/usr/local/sbin/apachectl graceful
diff --git a/chrony.sh b/chrony.sh
new file mode 100644
index 0000000..b91a5c3
--- /dev/null
+++ b/chrony.sh 
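Review bot: Nothing in apache24.sh checks that the `awk` on line 13 succeeded or that `$APACHE_TEMP` is non-empty before it is moved over `allow_internal.conf` and `apachectl graceful` runs, so an empty `$NETWORKS_FILE` installs an empty allow list and a failed read still triggers the reload. chrony.sh, nginx.sh and postfix.sh follow the same pattern, and nginx.sh is the worst case because the appended `deny all;` then blocks every client. A guard such as `: "${NETWORKS_FILE:?}"` at the top plus `[ -s "$APACHE_TEMP" ] || { rm -f "$APACHE_TEMP"; exit 1; }` after the awk would make each hook fail closed on its existing config instead. The `mv` result is likewise unchecked before the reload; `mv "$APACHE_TEMP" "$APACHE_FILE" || exit 1` keeps the service from reloading a file that was never replaced.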
@@ -0,0 +1,27 @@
+# This source code is released into the public domain.
+#
+# The chrony.allow file is a list of "allow <prefix>", one per line,
+# no traiing semicolon. chrony doesn't have a simple way to reload
+# its configuration file, so we just restart it. A better way might
+# be to use "chronyc allow" to update it on the fly.
+
+CHRONY_FILE="/usr/local/etc/chrony.allow"
+CHRONY_TEMP="${CHRONY_FILE}.ldaptmp"
+
+if [ ! -f "$CHRONY_FILE" ]; then
+ exit 0
+fi
+
+awk <"$NETWORKS_FILE" >"$CHRONY_TEMP" '{ print "allow " $1 }'
+
+if cmp -s "$CHRONY_TEMP" "$CHRONY_FILE"; then
+ rm "$CHRONY_TEMP"
+ exit 0
+fi
+
+printf '%s updated:\n\n' "$CHRONY_FILE"
+diff "$CHRONY_FILE" "$CHRONY_TEMP"
+printf '\n'
+
+mv "$CHRONY_TEMP" "$CHRONY_FILE"
+/usr/local/etc/rc.d/chronyd restart
diff --git a/lfldap-update.sh b/lfldap-update.sh
new file mode 100644
index 0000000..50c067f
--- /dev/null
+++ b/lfldap-update.sh 
@@ -0,0 +1,57 @@
+#! /bin/sh
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+
+FILTER="(&(objectClass=lfNetwork))"
+DBDIR="/var/db/lfldap"
+PREFIX="/usr/local"
+HOOKDIR="${PREFIX}/share/lfldap/hooks"
+NETWORKS_FILE="${DBDIR}/networks"
+NETWORKS_TEMP="${DBDIR}/networks.tmp"
+
+trap cleanup 0
+cleanup()
+{
+ rm -f "$NETWORKS_TEMP"
+}
+
+mkdir -p "$DBDIR"
+rm -f "$NETWORKS_TEMP"
+
+if [ ! -f "$NETWORKS_FILE" ]; then
+ touch "$NETWORKS_FILE"
+fi
+
+ldapsearch \
+ -x -s sub \
+ "$FILTER" \
+ cidrPrefix \
+ | awk '/^cidrPrefix: / { print $2 }' >${NETWORKS_TEMP}
+
+if ! [ -s "$NETWORKS_TEMP" ]; then
+ printf >&2 '%s: no networks returned; configuration error?\n' "$0"
+ exit 1
+fi
+
+if ! cmp -s "$NETWORKS_FILE" "$NETWORKS_TEMP"; then
+ printf '%s updated:\n\n' "$NETWORKS_FILE"
+ diff "$NETWORKS_FILE" "$NETWORKS_TEMP"
+ printf '\n'
+
+ mv "$NETWORKS_TEMP" "$NETWORKS_FILE"
+else
+ rm -f "$NETWORKS_TEMP"
+fi
+
+# Run hooks even if the networks didn't change, since the user might want
+# new hooks to run.
+
+exit=0
+
+export NETWORKS_FILE
+
+for hook in ${HOOKDIR}/*.sh; do
+ sh $hook || exit=1
+done
+
+exit $exit
diff --git a/nginx.sh b/nginx.sh
new file mode 100644
index 0000000..cb080e9
--- /dev/null
+++ b/nginx.sh
@@ -0,0 +1,26 @@
+# This source code is released into the public domain.
+#
+# The nginx allow_internal.conf file is a list of "allow <prefix>;",
+# one per line, followed by "deny all;".
+
+NGINX_FILE="/usr/local/etc/nginx/allow_internal.conf"
+NGINX_TEMP="${NGINX_FILE}.ldaptmp"
+
+if [ ! -f "$NGINX_FILE" ]; then
+ exit 0
+fi
+
+awk <"$NETWORKS_FILE" >"$NGINX_TEMP" '{ print "allow " $1 ";" }'
+printf >>"$NGINX_TEMP" 'deny all;\n'
+
+if cmp -s "$NGINX_TEMP" "$NGINX_FILE"; then
+ rm "$NGINX_TEMP"
+ exit 0
+fi
+
+printf '%s updated:\n\n' "$NGINX_FILE"
+diff "$NGINX_FILE" "$NGINX_TEMP"
+printf '\n'
+
+mv "$NGINX_TEMP" "$NGINX_FILE"
+/usr/local/sbin/nginx -s reload 
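Review bot: The `cidrPrefix` values captured by the awk on line 29 are never validated, yet they are written into `$NETWORKS_FILE` and copied verbatim by the hooks into pf, nginx, Apache and Postfix access lists, so whatever the directory returns (the search is an anonymous `-x` bind that relies on ldap.conf for server and TLS settings) becomes firewall and relay policy. A syntax check on the temp file, as below, makes the run abort on anything that is not shaped like a CIDR prefix instead of installing it. In the hook loop, `sh $hook` should be `sh "$hook"`, and when no file matches the glob the loop runs `sh` on the literal pattern `${HOOKDIR}/*.sh` and sets `exit=1`; `[ -f "$hook" ] || continue` covers an empty hook directory. nginx.sh, which shares this line, has the unchecked-awk issue raised on apache24.sh.
```shell
	| awk '/^cidrPrefix: / { print $2 }' >"${NETWORKS_TEMP}"

# Every line must look like a CIDR prefix: the hooks copy these values
# verbatim into firewall and relay access lists. This is a shape check,
# not a full address parse.
if grep -Ev '^[0-9A-Fa-f.:]+/[0-9]+$' "$NETWORKS_TEMP" >/dev/null; then
	printf >&2 '%s: malformed cidrPrefix in directory data; not updating\n' "$0"
	exit 1
fi

# … unchanged: non-empty check, cmp/diff/mv, hook loop …
```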
@@ -0,0 +1,20 @@
+# This source code is released into the public domain.
+#
+# The pf file is just a list of prefixes, so there's no formatting to do.
+
+PF_FILE="/etc/pf.lf-networks"
+
+if [ ! -f "$PF_FILE" ]; then
+ exit 0
+fi
+
+if cmp -s "$NETWORKS_FILE" "$PF_FILE"; then
+ exit 0
+fi
+
+printf '%s updated:\n\n' "$PF_FILE"
+diff "$PF_FILE" "$NETWORKS_FILE"
+printf '\n'
+
+cp "$NETWORKS_FILE" "$PF_FILE"
+/etc/rc.d/pf reload
diff --git a/postfix.sh b/postfix.sh
new file mode 100644
index 0000000..9e37e33
--- /dev/null
+++ b/postfix.sh
@@ -0,0 +1,26 @@
+# This source code is released into the public domain.
+#
+# The Postfix mynetworks.ldap file is a list of "<prefix> OK", one per line.
+# Since this is a cidr map, there's no need to run postmap, but we do have
+# to reload postfix.
+
+POSTFIX_FILE="/usr/local/etc/postfix/mynetworks.ldap"
+POSTFIX_TEMP="${POSTFIX_FILE}.ldaptmp"
+
+if [ ! -f "$POSTFIX_FILE" ]; then
+ exit 0
+fi
+
+awk <"$NETWORKS_FILE" >"$POSTFIX_TEMP" '{ print $1 " OK" }'
+
+if cmp -s "$POSTFIX_TEMP" "$POSTFIX_FILE"; then
+ rm "$POSTFIX_TEMP"
+ exit 0
+fi
+
+printf '%s updated:\n\n' "$POSTFIX_FILE"
+diff "$POSTFIX_FILE" "$POSTFIX_TEMP"
+printf '\n'
+
+mv "$POSTFIX_TEMP" "$POSTFIX_FILE"
+/usr/local/sbin/postfix reload |
