#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# Authconfig - client authentication configuration program
# Copyright (c) 1999-2008 Red Hat, Inc.
#
# Original authors: Preston Brown <pbrown@redhat.com>
#                   Nalin Dahyabhai <nalin@redhat.com>
#                   Matt Wilson <msw@redhat.com>
# Python rewrite and further development by: Tomas Mraz <tmraz@redhat.com>
#
# This is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#

import authinfo, acutil
import gettext, os, signal, sys
_ = gettext.lgettext
from optparse import OptionParser
import locale
locale.setlocale(locale.LC_ALL, '')

def runsAs(name):
    return sys.argv[0].find(name) >= 0

if runsAs("authconfig-tui"):
    import snack

class UnihelpOptionParser(OptionParser):
    def print_help(self, file=None):
        if file is None:
            file = sys.stdout
        srcencoding = locale.getpreferredencoding()
        encoding = getattr(file, "encoding", None)
        if not encoding or encoding == "ascii":
            encoding = srcencoding
        file.write(self.format_help().decode(srcencoding).encode(encoding, "replace"))

class Authconfig:
    def __init__(self):
        nis_avail = False
        kerberos_avail = False
        ldap_avail = False
        smb_avail = False
        cache_avail = False

    def module(self):
        return "authconfig"

    def printError(self, error):
        sys.stderr.write("%s: %s\n" % (self.module(), error))

    def listHelp(self, l, addidx):
         idx = 0
         help = "<"
         for item in l:
             if idx > 0:
                 help += "|"
            if addidx:
                help += str(idx) + "="
            help += item
            idx += 1
        help += ">"
        return help

    def parseOptions(self):
        usage = _("usage: %s [options]") % self.module()
        if self.module() == "authconfig":
            usage += " <--update|--test|--probe>"

        parser = UnihelpOptionParser(usage)

        parser.add_option("--enableshadow", "--useshadow", action="store_true",
            help=_("enable shadowed passwords by default"))
         parser.add_option("--disableshadow", action="store_true",
            help=_("disable shadowed passwords by default"))
        parser.add_option("--enablemd5", "--usemd5", action="store_true",
            help=_("enable MD5 passwords by default"))
         parser.add_option("--disablemd5", action="store_true",
            help=_("disable MD5 passwords by default"))
        parser.add_option("--passalgo",
            metavar=self.listHelp(authinfo.password_algorithms, False),
            help=_("hash/crypt algorithm for new passwords"))

        parser.add_option("--enablenis", action="store_true",
            help=_("enable NIS for user information by default"))
         parser.add_option("--disablenis", action="store_true",
            help=_("disable NIS for user information by default"))
         parser.add_option("--nisdomain", metavar=_("<domain>"),
             help=_("default NIS domain"))
         parser.add_option("--nisserver", metavar=_("<server>"),
             help=_("default NIS server"))

        parser.add_option("--enableldap", action="store_true",
            help=_("enable LDAP for user information by default"))
         parser.add_option("--disableldap", action="store_true",
            help=_("disable LDAP for user information by default"))
        parser.add_option("--enableldapauth", action="store_true",
            help=_("enable LDAP for authentication by default"))
         parser.add_option("--disableldapauth", action="store_true",
            help=_("disable LDAP for authentication by default"))
         parser.add_option("--ldapserver", metavar=_("<server>"),
             help=_("default LDAP server"))
         parser.add_option("--ldapbasedn", metavar=_("<dn>"),
             help=_("default LDAP base DN"))
        parser.add_option("--enableldaptls", "--enableldapssl", action="store_true",
            help=_("enable use of TLS with LDAP"))
         parser.add_option("--disableldaptls",  "--disableldapssl", action="store_true",
            help=_("disable use of TLS with LDAP"))
         parser.add_option("--ldaploadcacert", metavar=_("<URL>"),
             help=_("load CA certificate from the URL"))

        parser.add_option("--enablesmartcard", action="store_true",
            help=_("enable authentication with smart card by default"))
         parser.add_option("--disablesmartcard", action="store_true",
            help=_("disable authentication with smart card by default"))
        parser.add_option("--enablerequiresmartcard", action="store_true",
            help=_("require smart card for authentication by default"))
         parser.add_option("--disablerequiresmartcard", action="store_true",
            help=_("do not require smart card for authentication by default"))
         parser.add_option("--smartcardmodule", metavar=_("<module>"),
             help=_("default smart card module to use"))
        actshelp = self.listHelp(authinfo.getSmartcardActions(), True)
         parser.add_option("--smartcardaction", metavar=actshelp,
             help=_("action to be taken on smart card removal"))

        parser.add_option("--enablekrb5", action="store_true",
            help=_("enable kerberos authentication by default"))
         parser.add_option("--disablekrb5", action="store_true",
            help=_("disable kerberos authentication by default"))
         parser.add_option("--krb5kdc", metavar=_("<server>"),
             help=_("default kerberos KDC"))
         parser.add_option("--krb5adminserver", metavar=_("<server>"),
             help=_("default kerberos admin server"))
         parser.add_option("--krb5realm", metavar=_("<realm>"),
             help=_("default kerberos realm"))
        parser.add_option("--enablekrb5kdcdns", action="store_true",
            help=_("enable use of DNS to find kerberos KDCs"))
        parser.add_option("--disablekrb5kdcdns", action="store_true",
            help=_("disable use of DNS to find kerberos KDCs"))
        parser.add_option("--enablekrb5realmdns", action="store_true",
            help=_("enable use of DNS to find kerberos realms"))
        parser.add_option("--disablekrb5realmdns", action="store_true",
            help=_("disable use of DNS to find kerberos realms"))

        parser.add_option("--enablesmbauth", action="store_true",
            help=_("enable SMB authentication by default"))
         parser.add_option("--disablesmbauth", action="store_true",
            help=_("disable SMB authentication by default"))
         parser.add_option("--smbservers", metavar=_("<servers>"),
             help=_("names of servers to authenticate against"))
         parser.add_option("--smbworkgroup", metavar=_("<workgroup>"),
             help=_("workgroup authentication servers are in"))
            
        parser.add_option("--enablewinbind", action="store_true",
            help=_("enable winbind for user information by default"))
         parser.add_option("--disablewinbind", action="store_true",
            help=_("disable winbind for user information by default"))
        parser.add_option("--enablewinbindauth", action="store_true",
            help=_("enable winbind for authentication by default"))
         parser.add_option("--disablewinbindauth", action="store_true",
            help=_("disable winbind for authentication by default"))        
         parser.add_option("--smbsecurity", metavar="<user|server|domain|ads>",
             help=_("security mode to use for samba and winbind"))
         parser.add_option("--smbrealm", metavar=_("<realm>"),
             help=_("default realm for samba and winbind when security=ads"))
         parser.add_option("--smbidmapuid", metavar=_("<lowest-highest>"),
             help=_("uid range winbind will assign to domain or ads users"))
         parser.add_option("--smbidmapgid", metavar=_("<lowest-highest>"),
             help=_("gid range winbind will assign to domain or ads users"))
         parser.add_option("--winbindseparator", metavar="<\\>",
             help=_("the character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enabled"))
         parser.add_option("--winbindtemplatehomedir", metavar="</home/%D/%U>",
             help=_("the directory which winbind-created users will have as home directories"))
         parser.add_option("--winbindtemplateprimarygroup", metavar="<nobody>",
             help=_("the group which winbind-created users will have as their primary group"))
         parser.add_option("--winbindtemplateshell", metavar="</bin/false>",
             help=_("the shell which winbind-created users will have as their login shell"))
        parser.add_option("--enablewinbindusedefaultdomain", action="store_true",
            help=_("configures winbind to assume that users with no domain in their user names are domain users"))
         parser.add_option("--disablewinbindusedefaultdomain", action="store_true",
            help=_("configures winbind to assume that users with no domain in their user names are not domain users"))
        parser.add_option("--enablewinbindoffline", action="store_true",
            help=_("configures winbind to allow offline login"))
         parser.add_option("--disablewinbindoffline", action="store_true",
            help=_("configures winbind to prevent offline login"))
         parser.add_option("--winbindjoin", metavar="<Administrator>",
            help=_("join the winbind domain or ads realm now as this administrator"))        

        parser.add_option("--enablewins", action="store_true",
            help=_("enable wins for hostname resolution"))
         parser.add_option("--disablewins", action="store_true",
            help=_("disable wins for hostname resolution"))

        parser.add_option("--enablepreferdns", action="store_true",
            help=_("prefer dns over wins or nis for hostname resolution"))
         parser.add_option("--disablepreferdns", action="store_true",
            help=_("do not prefer dns over wins or nis for hostname resolution"))

        parser.add_option("--enablehesiod", action="store_true",
            help=_("enable hesiod for user information by default"))
         parser.add_option("--disablehesiod", action="store_true",
            help=_("disable hesiod for user information by default"))
         parser.add_option("--hesiodlhs", metavar="<lhs>",
            help=_("default hesiod LHS"))
         parser.add_option("--hesiodrhs", metavar="<rhs>",
            help=_("default hesiod RHS"))

        parser.add_option("--enablecache", action="store_true",
            help=_("enable caching of user information by default"))
         parser.add_option("--disablecache", action="store_true",
            help=_("disable caching of user information by default"))

        parser.add_option("--enablelocauthorize", action="store_true",
            help=_("local authorization is sufficient for local users"))
         parser.add_option("--disablelocauthorize", action="store_true",
            help=_("authorize local users also through remote service"))

        parser.add_option("--enablepamaccess", action="store_true",
            help=_("check access.conf during account authorization"))
         parser.add_option("--disablepamaccess", action="store_true",
            help=_("do not check access.conf during account authorization"))

        parser.add_option("--enablesysnetauth", action="store_true",
            help=_("authenticate system accounts by network services"))
         parser.add_option("--disablesysnetauth", action="store_true",
            help=_("authenticate system accounts by local files only"))

        parser.add_option("--enablemkhomedir", action="store_true",
            help=_("create home directories for users on their first login"))
         parser.add_option("--disablemkhomedir", action="store_true",
            help=_("do not create home directories for users on their first login"))

        parser.add_option("--nostart", action="store_true",
            help=_("do not start/stop portmap, ypbind, and nscd"))

        parser.add_option("--test", action="store_true",
            help=_("do not update the configuration files, only print new settings"))

        if self.module() == "authconfig-tui":
            parser.add_option("--back", action="store_true",
                help=_("display Back instead of Cancel in the main dialog of the TUI"))
            parser.add_option("--kickstart", action="store_true",
                help=_("do not display the deprecated text user interface"))
        else:
            parser.add_option("--update", "--kickstart", action="store_true",
                help=_("opposite of --test, update configuration files with changed settings"))

        parser.add_option("--updateall", action="store_true",
            help=_("update all configuration files"))

        parser.add_option("--probe", action="store_true",
            help=_("probe network for defaults and print them"))

        (self.options, args) = parser.parse_args()
        
        if args:
            self.printError(_("unexpected argument"))
            sys.exit(2)

        if (not self.module() == "authconfig-tui" and not self.options.probe and
            not self.options.test and not self.options.update and not self.options.updateall):
            # --update (== --kickstart) or --test or --probe must be specified
            # this will print usage and call sys.exit()
            parser.parse_args(["-h"])
    
    def probe(self):
        info = authinfo.AuthInfo(self.printError)
        info.probe()
        if info.hesiodLHS and info.hesiodRHS:
            print "hesiod %s/%s" % (info.hesiodLHS,
                 info.hesiodRHS)
        if info.ldapServer and info.ldapBaseDN:
            print "ldap %s/%s\n" % (info.ldapServer,
                info.ldapBaseDN)
        if info.kerberosRealm:
            print "krb5 %s/%s/%s\n" % (info.kerberosRealm,
                info.kerberosKDC or "", info.kerberosAdminServer or "")
    
    def readAuthInfo(self):
        self.info = authinfo.read(self.printError)
        # FIXME: what about printing critical errors reading individual configs?
        self.pristineinfo = self.info.copy()

    def testAvailableSubsys(self):
        self.nis_avail = (os.access(authinfo.PATH_YPBIND, os.X_OK) and
            os.access(authinfo.PATH_LIBNSS_NIS, os.X_OK))
        self.kerberos_avail = os.access(authinfo.PATH_PAM_KRB5, os.X_OK)
        self.ldap_avail = (os.access(authinfo.PATH_PAM_LDAP, os.X_OK) and
            os.access(authinfo.PATH_LIBNSS_LDAP, os.X_OK))
        self.smb_avail = os.access(authinfo.PATH_PAM_SMB, os.X_OK)
        self.cache_avail = os.access(authinfo.PATH_NSCD, os.X_OK)
    
    def overrideSettings(self):
        bool_settings = {"shadow":"enableShadow",
            "locauthorize":"enableLocAuthorize",
            "pamaccess":"enablePAMAccess",
            "sysnetauth":"enableSysNetAuth",
            "mkhomedir":"enableMkHomeDir",
            "cache":"enableCache",
            "hesiod":"enableHesiod",
            "ldap":"enableLDAP",
            "ldaptls":"enableLDAPS",
            "ldapauth":"enableLDAPAuth",
            "krb5":"enableKerberos",
            "nis":"enableNIS",
            "krb5kdcdns":"kerberosKDCviaDNS",
            "krb5realmdns":"kerberosRealmviaDNS",
            "smartcard":"enableSmartcard",
            "requiresmartcard":"forceSmartcard",
            "smbauth":"enableSMB",
            "winbind":"enableWinbind",
            "winbindauth":"enableWinbindAuth",
            "winbindusedefaultdomain":"winbindUseDefaultDomain",
            "winbindoffline":"winbindOffline",
            "wins":"enableWINS",
            "preferdns":"preferDNSinHosts"}
            
        string_settings = {"passalgo":"passwordAlgorithm",
            "hesiodlhs":"hesiodLHS",
            "hesiodrhs":"hesiodRHS",
            "ldapserver":"ldapServer",
            "ldapbasedn":"ldapBaseDN",
            "ldaploadcacert":"ldapCacertURL",
            "krb5realm":"kerberosRealm",
            "krb5kdc":"kerberosKDC",
            "krb5adminserver":"kerberosAdminServer",
            "smartcardmodule":"smartcardModule",
            "smartcardaction":"smartcardAction",
            "nisdomain":"nisDomain",
            "nisserver":"nisServer",
            "smbworkgroup":"smbWorkgroup",
            "smbservers":"smbServers",
            "smbsecurity":"smbSecurity",
            "smbrealm" : "smbRealm",
            "smbidmapuid":"smbIdmapUid",
            "smbidmapgid":"smbIdmapGid",
            "winbindseparator":"winbindSeparator",
            "winbindtemplatehomedir":"winbindTemplateHomedir",
            "winbindtemplateprimarygroup":"winbindTemplatePrimaryGroup",
            "winbindtemplateshell":"winbindTemplateShell"}
            
        for opt, aival in bool_settings.iteritems():
            if getattr(self.options, "enable"+opt):
                setattr(self.info, aival, True)
            if getattr(self.options, "disable"+opt):
                setattr(self.info, aival, False)

        if self.options.krb5realm and self.options.krb5realm != self.info.kerberosRealm:
            self.info.kerberosKDC = self.info.getKerberosKDC(self.options.krb5realm)
            self.info.kerberosAdminServer = self.info.getKerberosAdminServer(self.options.krb5realm)

        for opt, aival in string_settings.iteritems():
            if getattr(self.options, opt) != None:
                setattr(self.info, aival, getattr(self.options, opt))            

        if self.options.winbindjoin:
            lst = self.options.winbindjoin.split("%", 1)
            self.info.joinUser = lst[0]
            if len(lst) > 1:
                self.info.joinPassword = lst[1]
        
        if self.options.smartcardaction:
            try:
                idx = int(self.options.smartcardaction)
                self.info.smartcardAction = authinfo.getSmartcardActions()[idx]
            except (ValueError, IndexError):
                self.printError(_("Bad smart card removal action specified."))
                self.info.smartcardAction = ""

        if not self.options.passalgo:
            if self.options.enablemd5:
                self.info.passwordAlgorithm = "md5"
            if self.options.disablemd5:
                self.info.passwordAlgorithm = "descrypt"
        elif self.options.passalgo not in authinfo.password_algorithms:
            self.printError(_("Unknown password hashing algorithm specified, using sha256."))
            self.info.passwordAlgorithm = "sha256"

    def doUI(self):
        return True
    
    def joinDomain(self):
        if self.options.winbindjoin:
            self.info.joinDomain(True)
    
    def writeAuthInfo(self):
        self.info.testLDAPCACerts()
        if self.info.ldapCacertURL:
            self.info.downloadLDAPCACert()
        self.info.rehashLDAPCACerts()
        if self.options.updateall:
            self.info.write()
        else:
            self.info.writeChanged(self.pristineinfo)
        # FIXME: what about printing critical errors writing individual configs?
        self.joinDomain()
        self.info.post(self.options.nostart)
                
    def run(self):
        self.parseOptions()
        if self.options.probe:
            self.probe()
            sys.exit(0)
        if not self.options.test and os.getuid() != 0:
            self.printError(_("can only be run as root"))
            sys.exit(2)
        self.readAuthInfo()
        self.testAvailableSubsys()
        self.overrideSettings()
        if not self.doUI():
            if self.options.test:
                self.printError(_("dialog was cancelled"))
            sys.exit(1)
        if self.options.test:
            self.info.printInfo()
        else:
            self.writeAuthInfo()                

class AuthconfigTUI(Authconfig):
    def module(self):
        return "authconfig-tui"

    def joinDomain(self):
        # join domain only on kickstart
        if self.options.kickstart and self.options.winbindjoin:
            self.info.joinDomain(True)

    def warnCallback(self, data):
        (comp, warning) = data
        if not comp.selected():
            return

        while warning:
            if not os.access(warning[0], os.R_OK):
                text = (_("The %s file was not found, but it is required for %s support to work properly.\nInstall the %s package, which provides this file.") %
                    (warning[0], warning[1], warning[2]))
                snack.ButtonChoiceWindow(self.screen, _("Warning"), text, [_("Ok")])
            warning = warning[3]
            
    def getMainChoices(self):
        warnCache = [authinfo.PATH_NSCD, _("caching"), "nscd", None]
        warnKerberos = [authinfo.PATH_PAM_KRB5, _("Kerberos"), "pam_krb5", None]
        warnLDAPAuth = [authinfo.PATH_PAM_LDAP, _("LDAP authentication"), "nss_ldap", None]
        warnLDAP = [authinfo.PATH_LIBNSS_LDAP, _("LDAP"), "nss_ldap", None]
        warnNIS = [authinfo.PATH_YPBIND, _("NIS"), "ypbind", None]
        warnShadow = [authinfo.PATH_PWCONV, _("shadow password"), "shadow-utils", None]
        warnSMB = [authinfo.PATH_PAM_SMB, _("SMB authentication"), "pam_smb", None]
        warnWinbindNet = [authinfo.PATH_WINBIND_NET, _("Winbind"), "samba-client", None]
        warnWinbindAuth = [authinfo.PATH_PAM_WINBIND, _("Winbind authentication"), "samba-common", warnWinbindNet]
        warnWinbind = [authinfo.PATH_LIBNSS_WINBIND, _("Winbind"), "samba-common", warnWinbindAuth]

        # Information
        infoGrid = snack.Grid(1, 6)

        comp = snack.Label(_("User Information"))
        infoGrid.setField(comp, 0, 0, anchorLeft=1, growx=1)

        cache = cb = snack.Checkbox(_("Cache Information"), bool(self.info.enableCache))
        infoGrid.setField(cb, 0, 1, anchorLeft=1, growx=1)
        cb.setCallback(self.warnCallback, (cb, warnCache))

        hesiod = cb =    snack.Checkbox(_("Use Hesiod"), bool(self.info.enableHesiod))
        infoGrid.setField(cb, 0, 2, anchorLeft=1, growx=1)

        ldap = cb = snack.Checkbox(_("Use LDAP"), bool(self.info.enableLDAP))
        infoGrid.setField(cb, 0, 3, anchorLeft=1, growx=1)
        cb.setCallback(self.warnCallback, (cb, warnLDAP))

        nis = cb = snack.Checkbox(_("Use NIS"), bool(self.info.enableNIS))
        infoGrid.setField(cb, 0, 4, anchorLeft=1, growx=1)
        cb.setCallback(self.warnCallback, (cb, warnNIS))

        winbind = cb = snack.Checkbox(_("Use Winbind"), bool(self.info.enableWinbind))
        infoGrid.setField(cb, 0, 5, anchorLeft=1, growx=1)

        # Authentication
        authGrid = snack.Grid(1, 8)

        comp = snack.Label(_("Authentication"))
        authGrid.setField(comp, 0, 0, anchorLeft=1, growx=1)

        md5 = cb = snack.Checkbox(_("Use MD5 Passwords"), bool(self.info.passwordAlgorithm=='md5'))
        authGrid.setField(cb, 0, 1, anchorLeft=1, growx=1)

        shadow = cb = snack.Checkbox(_("Use Shadow Passwords"), bool(self.info.enableShadow))
        authGrid.setField(cb, 0, 2, anchorLeft=1, growx=1)
        cb.setCallback(self.warnCallback, (cb, warnShadow))

        ldapa = cb = snack.Checkbox(_("Use LDAP Authentication"), bool(self.info.enableLDAPAuth))
        authGrid.setField(cb, 0, 3, anchorLeft=1, growx=1)
        cb.setCallback(self.warnCallback, (cb, warnLDAPAuth))

        krb5 = cb = snack.Checkbox(_("Use Kerberos"), bool(self.info.enableKerberos))
        authGrid.setField(cb, 0, 4, anchorLeft=1, growx=1)
        cb.setCallback(self.warnCallback, (cb, warnKerberos))

        smb = cb = snack.Checkbox(_("Use SMB Authentication"), bool(self.info.enableSMB))
        authGrid.setField(cb, 0, 5, anchorLeft=1, growx=1)
        cb.setCallback(self.warnCallback, (cb, warnSMB))

        winbindauth = cb = snack.Checkbox(_("Use Winbind Authentication"), bool(self.info.enableWinbindAuth))
        authGrid.setField(cb, 0, 6, anchorLeft=1, growx=1)
        cb.setCallback(self.warnCallback, (cb, warnWinbindAuth))

        locauthorize = cb = snack.Checkbox(_("Local authorization is sufficient"), bool(self.info.enableLocAuthorize))
        authGrid.setField(cb, 0, 7, anchorLeft=1, growx=1)

        # Control grid
        mechGrid = snack.Grid(2, 1)
        mechGrid.setField(infoGrid, 0, 0, anchorLeft=1, anchorTop=1, padding=(1, 0, 1, 1))
        mechGrid.setField(authGrid, 1, 0, anchorRight=1, anchorTop=1, padding=(2, 0, 1, 1))
        
        # Buttons
        buttonGrid = snack.Grid(2, 1)
        cancel = snack.Button(self.options.back and _("Back") or _("Cancel"))
        ok = snack.Button(_("Next"))
        buttonGrid.setField(cancel, 0, 0)
        buttonGrid.setField(ok, 1, 0)

        # Top-level grid
        mainGrid = snack.Grid(1, 2)
        mainGrid.setField(mechGrid, 0, 0, growx=1)
        mainGrid.setField(buttonGrid, 0, 1, growx=1)

        # Run the form and interpret the results
        form = snack.Form()
        self.screen.gridWrappedWindow(mainGrid, _("Authentication Configuration"))
        form.add(mainGrid)

        # BEHOLD!  AUTHCONFIG IN ALL ITS GORY GLORY!
        comp = form.run()

        if comp != cancel:
            self.info.enableCache = cache.selected()
            self.info.enableHesiod = hesiod.selected()
            self.info.enableLDAP = ldap.selected()
            self.info.enableNIS = nis.selected()
            self.info.enableWinbind = winbind.selected()
            self.info.enableShadow = shadow.selected()
            if md5.selected():
                self.info.passwordAlgorithm = 'md5'
            elif self.info.passwordAlgorithm == 'md5':
                self.info.passwordAlgorithm = 'descrypt'
            self.info.enableLDAPAuth = ldapa.selected()
            self.info.enableKerberos = krb5.selected()
            self.info.enableSMB = smb.selected()
            self.info.enableWinbindAuth = winbindauth.selected()
            self.info.enableLocAuthorize = locauthorize.selected()

        self.screen.popWindow()

        return comp != cancel

    def getGenericChoices(self, dtitle, items, canceltxt, oktxt, anothertxt=None, anothercb=None):

        # Count up the number of rows we need in the grid.
        rows = len(items)

        # Create a grid for these questions.
        questionGrid = snack.Grid(2, rows)
        row = 0
        widgets = []
        for (t, desc, attr, val) in items:
            if t == "tfvalue":
                      cb = snack.Checkbox(desc, bool(getattr(self.info, attr)))
                      widgets.append(cb)
                questionGrid.setField(snack.Label(""), 0, row, anchorRight=1)
                questionGrid.setField(cb, 1, row, anchorLeft=1)
                
            elif t == "svalue":
                      comp = snack.Label(desc)
                questionGrid.setField(comp, 0, row, padding=(0, 0, 1, 0), anchorRight=1)
                      comp = snack.Entry(40, getattr(self.info, attr), hidden=val)
                      widgets.append(comp)
                # FIXME? Filtering " " and "\t"
                questionGrid.setField(comp, 1, row, growx=1)

            elif t == "rvalue":
                      comp = snack.Label(desc)
                questionGrid.setField(comp, 0, row, padding=(0, 0, 1, 0), anchorRight=1, anchorTop=1)
                try:
                    sel = getattr(self.info, attr)
                    val.index(sel)
                except ValueError:
                    sel = val[0]
                comp = None
                buttonlist = []
                for v in val:
                    buttonlist.append((v, v, v == sel))
                radioBar = snack.RadioBar(None, buttonlist)
                widgets.append(radioBar)            
                questionGrid.setField(radioBar, 1, row, anchorLeft=1)
                
            elif t == "lvalue":
                comp = snack.TextboxReflowed(50, desc, flexDown=1, flexUp=1)    
                widgets.append(comp)
                questionGrid.setField(comp, 0, row, anchorLeft=1)

            row += 1

        # Buttons
        buttonGrid = snack.Grid(anothertxt and 3 or 2, 1)
        cancel = snack.Button(canceltxt)
        ok = snack.Button(oktxt)
        another = anothertxt and snack.Button(anothertxt) or None
        buttonGrid.setField(cancel, 0, 0)
        if anothertxt:
            buttonGrid.setField(another, 1, 0)
        buttonGrid.setField(ok, anothertxt and 2 or 1, 0)

        # Top-level grid
          mainGrid = snack.Grid(1, 2)
        mainGrid.setField(questionGrid, 0, 0, padding=(0, 0, 0, 1), growx=1)
        mainGrid.setField(buttonGrid, 0, 1, padding=(0, 0, 0, 0), growx=1)

        # Run the form and interpret the results
        form = snack.Form()
        self.screen.gridWrappedWindow(mainGrid, dtitle)
        form.add(mainGrid)

        while True:
            comp = form.run()
            if comp == cancel:
                break

            wcopy = widgets[:]
            for (t, desc, attr, val) in items:
                if t == "tfvalue":
                    setattr(self.info, attr, wcopy.pop(0).selected())
                    
                elif t == "svalue":
                    setattr(self.info, attr, wcopy.pop(0).value())
                    # FIXME? Filtering " " and "\t"

                elif t == "rvalue":
                    setattr(self.info, attr, wcopy.pop(0).getSelection())
                    
                elif t == "lvalue":
                    wcopy.pop(0)            
            
            if comp != another:
                break
            if anothercb:
                anothercb()
        
        self.screen.popWindow()
        return comp != cancel

    def getHesiodSettings(self, next):
        questions = [("svalue", _("LHS:"), "hesiodLHS", 0),
            ("svalue", _("RHS:"), "hesiodRHS", 0)]
        return self.getGenericChoices(_("Hesiod Settings"),
            questions, _("Back"), next and _("Next") or _("Ok"))

    def getLDAPSettings(self, next):
        questions = [("tfvalue", _("Use TLS"), "enableLDAPS", None),
            ("svalue", _("Server:"), "ldapServer", 0),
            ("svalue", _("Base DN:"), "ldapBaseDN", 0)]
        return self.getGenericChoices(_("LDAP Settings"),
            questions, _("Back"), next and _("Next") or _("Ok"))

    def getNISSettings(self, next):
        questions = [("svalue", _("Domain:"), "nisDomain", 0),
            ("svalue", _("Server:"), "nisServer", 0)]
        return self.getGenericChoices(_("NIS Settings"),
            questions, _("Back"), next and _("Next") or _("Ok"))
            
    def getKerberosSettings(self, next):
        questions = [("svalue", _("Realm:"), "kerberosRealm", 0),
            ("svalue", _("KDC:"), "kerberosKDC", 0),
            ("svalue", _("Admin Server:"), "kerberosAdminServer", 0),
            ("tfvalue", _("Use DNS to resolve hosts to realms"), "kerberosRealmviaDNS", None),
            ("tfvalue", _("Use DNS to locate KDCs for realms"), "kerberosKDCviaDNS", None)]
        return self.getGenericChoices(_("Kerberos Settings"),
            questions, _("Back"), next and _("Next") or _("Ok"))

    def getSMBSettings(self, next):
        questions = [("svalue", _("Workgroup:"), "smbWorkgroup", 0),
            ("svalue", _("Servers:"), "smbServers", 0),
            ("svalue", _("Shell:"), "winbindTemplateShell", 0)]
        return self.getGenericChoices(_("SMB Settings"),
            questions, _("Back"), next and _("Next") or _("Ok"))

    def getJoinSettings(self):
        questions = [("svalue", _("Domain Administrator:"), "joinUser", 0),
            ("svalue", _("Password:"), "joinPassword", 1)]
        if not self.info.joinUser:
            self.info.joinUser = "Administrator"
        if self.getGenericChoices(_("Join Settings"),
            questions, _("Cancel"), _("Ok")):
            self.screen.suspend()
            self.info.update()
            self.info.joinDomain(True)
            self.screen.resume()
        return True

    def maybeGetJoinSettings(self):
        questions = [("lvalue",
             _("Some of the configuration changes you've made should be saved to disk before continuing.  If you do not save them, then your attempt to join the domain may fail.  Save changes?"),
              None, None)]
        orig_info = authinfo.read(self.printError)
        orig_info.update()
        self.info.update()
        ret = False
        if self.info.differs(orig_info):
            ret = self.getGenericChoices(_("Save Settings"),
                questions, _("No"), _("Yes"))
        if ret:
            self.info.write()
        self.getJoinSettings()
        return True

    def getWinbindSettings(self, next):
        security = ["ads", "domain"]
        shells = ["/sbin/nologin", "/bin/sh", "/bin/bash", "/bin/tcsh", "/bin/ksh",
            "/bin/zsh"]
            
        def shellexists(shell):
            return os.access(shell, os.X_OK)
        
        shells = filter(shellexists, shells)
        # Why does your favorite shell not show up in the list?  Because it won't
           # fit, that's why!
        questions = [("rvalue", _("Security Model:"), "smbSecurity", security),
            ("svalue", _("Domain:"), "smbWorkgroup", 0),
            ("svalue", _("Domain Controllers:"), "smbServers", 0),
            ("svalue", _("ADS Realm:"), "smbRealm", 0),
            ("rvalue", _("Template Shell:"), "winbindTemplateShell", shells)]

        return self.getGenericChoices(_("Winbind Settings"),
            questions, _("Back"), next and _("Next") or _("Ok"),
            anothertxt=_("Join Domain"), anothercb=self.maybeGetJoinSettings)

    def getChoices(self):
        next = 1
        rc = False
        while next > 0 and next <= 7:
            self.info.update()
            if next == 1:
                rc = self.getMainChoices()
            elif next == 2:
                if self.info.enableHesiod:
                    more = (self.info.enableLDAP or
                        self.info.enableLDAPAuth or
                        self.info.enableKerberos or
                        self.info.enableNIS or
                        self.info.enableSMB or
                        self.info.enableWinbind or
                        self.info.enableWinbindAuth)
                    rc = self.getHesiodSettings(more)
            elif next == 3:
                if self.info.enableLDAP or self.info.enableLDAPAuth:
                    more = (self.info.enableKerberos or
                        self.info.enableNIS or
                        self.info.enableSMB or
                        self.info.enableWinbind or
                        self.info.enableWinbindAuth)
                    rc = self.getLDAPSettings(more)
            elif next == 4:
                if self.info.enableNIS:
                    more = (self.info.enableKerberos or
                        self.info.enableSMB or
                        self.info.enableWinbind or
                        self.info.enableWinbindAuth)
                    rc = self.getNISSettings(more)
            elif next == 5:
                if self.info.enableKerberos:
                    more = (self.info.enableSMB or
                        self.info.enableWinbind or
                        self.info.enableWinbindAuth)
                    rc = self.getKerberosSettings(more)
            elif next == 6:
                if self.info.enableSMB and not (self.info.enableWinbind or
                    self.info.enableWinbindAuth):
                    more = (self.info.enableWinbind or
                        self.info.enableWinbindAuth)
                    rc = self.getSMBSettings(more)
            elif next == 7:
                      if self.info.enableWinbind or self.info.enableWinbindAuth:
                    more = False
                    rc = self.getWinbindSettings(more)
            self.info.update()
            if rc:
                next += 1
            else:
                next -= 1
        return next == 8
    
    def displayCACertsMessage(self):
        text = (_("To connect to a LDAP server with TLS protocol enabled you need "
                        "a CA certificate which signed your server's certificate. "
                        "Copy the certificate in the PEM format to the '%s' directory.\n"
                        "Then press OK.") %
            self.info.ldapCacertDir)
        snack.ButtonChoiceWindow(self.screen, _("Warning"), text, [_("Ok")])
    
    def doUI(self):
        if self.options.kickstart:
            return True
        try:
            self.screen = snack.SnackScreen()
            packageversion = self.module() # FIXME - version
            
            self.screen.pushHelpLine(_(" <Tab>/<Alt-Tab> between elements   |   <Space> selects   |  <F12> next screen"))
            self.screen.drawRootText(0, 0, packageversion + " - (c) 1999-2005 Red Hat, Inc.")
            if not self.getChoices():
                # cancelled
                self.screen.finish()
                return False

            if self.info.enableLDAPS and self.info.testLDAPCACerts():
                self.displayCACertsMessage()
        finally:
            self.screen.finish()
        return True

if __name__ == '__main__':
    signal.signal(signal.SIGINT, signal.SIG_DFL)
    gettext.textdomain("authconfig")
    if runsAs("authconfig-tui"):
        # deprecated TUI
        module = AuthconfigTUI()
    else:
        module = Authconfig()
    module.run()
    sys.exit(0)