blob: 6fcf9655a50a40629b39f4b1fc578bdb803db88e (
plain) (
tree)
|
|
#!/bin/bash
# -- bash for arrays
# Prepare pam, nss and sssd configs as appropriate
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
declare -a auth
declare -a account
declare -a session
declare -a nss
declare -a dns
# Add PAM and NSS modules for sssd
add_sssd_modules() {
auth+=("[success=%NUM% default=ignore] pam_sss.so use_first_pass")
account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_sss.so")
nss+=("sss")
# Skip sss if unix worked
session+=("[success=1] pam_unix.so")
session+=("optional pam_sss.so")
}
# Write a combined sssd config from all our /opt/openslx/pam/slx-ldap.d/* files
write_sssd_config() {
local file ok domains
local tmpfile=$(mktemp)
ok=0
domains=
cat > "$tmpfile" <<-HERE
# File generated $(date) -- <slx-autogen>
# This file might get overwritten again as long as the above tag stays in it
[sssd]
config_file_version = 2
services = nss, pam
domains = %DOMAIN_LIST%
[nss]
filter_users = root
[pam]
HERE
for file in /opt/openslx/pam/slx-ldap.d/*; do
[ -f "$file" ] || continue
unset LDAP_ATTR_MOUNT_OPTS LDAP_URI LDAP_BASE SHARE_DOMAIN LDAP_CACERT
. "$file"
[ -z "$LDAP_URI" ] && continue
[ -z "$LDAP_BASE" ] && continue
ok=$(( ok + 1 ))
domains="${domains}, dom$ok"
cat >> "$tmpfile" <<-HERE
[domain/dom$ok]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_user_email = bogusFieldName42
ldap_user_principal = bogusFieldName43
cache_credentials = true
ldap_uri = $LDAP_URI
ldap_search_base = $LDAP_BASE
ldap_tls_reqcert = demand
HERE
[ -n "$LDAP_CACERT" ] && echo "ldap_tls_cacert = $LDAP_CACERT" >> "$tmpfile"
done
[ "$ok" = 0 ] && return 1 # No config
mkdir -p "/etc/sssd"
chmod 0755 "/etc/sssd"
sed "s/%DOMAIN_LIST%/${domains#, }/" "${tmpfile}" > "/etc/sssd/sssd.conf"
chmod 0600 "/etc/sssd/sssd.conf"
rm -f -- "${tmpfile}"
return 0 # OK
}
# unix
auth+=("[success=%NUM% default=ignore] pam_unix.so nodelay")
account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_unix.so")
nss+=("files" "cache")
# Our plugin, but account ONLY since it's fast (it's not if not executed in root context so move after unix)
account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/pam/exec_account")
# check for bwIDM
if [ -x "/opt/openslx/scripts/pam_bwidm" ]; then
auth+=("[success=%NUM% default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/scripts/pam_bwidm")
account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/scripts/pam_bwidm")
fi
# Insert kerberos before our auth module
if [ -s "/etc/krb5.conf" ]; then
auth+=("optional pam_krb5.so minimum_uid=1000 use_first_pass ccache=FILE:/run/user/krb5cc_%u_XXXXXX ccname_template=FILE:/run/user/krb5cc_%U_XXXXXX")
session+=("optional pam_krb5.so minimum_uid=1000")
fi
# Our plugin, auth now
auth+=("[success=%NUM% default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/pam/exec_auth")
# sssd if reasonable
if systemctl is-enabled -q sssd.service && grep -q -e '^\s*id_provider' -e '^\s*auth_provider' "/etc/sssd/sssd.conf" \
&& ! grep -q -F '<slx-autogen>' "/etc/sssd/sssd.conf"; then
# sssd is configured and doesn't have our marker - just add pam and nss config but leave sssd.conf alone
add_sssd_modules
elif ! systemctl show sssd.service | grep -q '^LoadError='; then
# We have sssd available and unconfigured, or marked with our config tag, <slx-autogen>
if write_sssd_config; then
add_sssd_modules
systemctl enable sssd.service
systemctl restart --no-block sssd.service
else
# Nothing to configure, don't use sssd
session+=("optional pam_unix.so")
fi
else
session+=("optional pam_unix.so")
fi
# DNS
dns+=("files" "cache")
if systemctl is-enabled -q systemd-resolved; then
dns+=("resolve")
fi
dns+=("dns")
session+=("optional pam_exec.so quiet /opt/openslx/pam/exec_session")
#
# Write pam configs
tmpfile=$(mktemp)
# common-auth
if grep -q '<slx-autogen>' "/etc/pam.d/common-auth"; then
skip=$(( ${#auth[@]} + 1 ))
echo "# <slx-autogen> Generated $(date)" > "$tmpfile"
for line in "${auth[@]}"; do
echo "auth ${line//%NUM%/$skip}"
skip=$(( skip - 1 ))
done >> "$tmpfile"
cat >> "$tmpfile" <<-HERE
auth optional pam_faildelay.so delay=2123123
auth requisite pam_deny.so
auth optional pam_exec.so quiet expose_authtok /opt/openslx/pam/exec_auth_final
auth required pam_permit.so
auth optional pam_cap.so
HERE
cp -f -- "$tmpfile" "/etc/pam.d/common-auth"
chmod 0644 "/etc/pam.d/common-auth"
fi
# common-account
if grep -q '<slx-autogen>' "/etc/pam.d/common-account"; then
skip=${#account[@]}
echo "# <slx-autogen> Generated $(date)" > "$tmpfile"
for line in "${account[@]}"; do
echo "account ${line//%NUM%/$skip}"
skip=$(( skip - 1 ))
done >> "$tmpfile"
cat >> "$tmpfile" <<-HERE
account requisite pam_deny.so
account required pam_permit.so
HERE
cp -f -- "$tmpfile" "/etc/pam.d/common-account"
chmod 0644 "/etc/pam.d/common-account"
fi
# common-session
if grep -q '<slx-autogen>' "/etc/pam.d/common-session"; then
cat > "$tmpfile" <<-HERE
# <slx-autogen> Generated $(date)
session required pam_permit.so
session optional pam_umask.so
session required pam_systemd.so
session optional pam_env.so readenv=1
session optional pam_env.so readenv=1 envfile=/etc/default/locale
session optional pam_exec.so quiet /opt/openslx/pam/mkhome
HERE
for line in "${session[@]}"; do
echo "session $line"
done >> "$tmpfile"
cp -f -- "$tmpfile" "/etc/pam.d/common-session"
chmod 0644 "/etc/pam.d/common-session"
fi
#
# Write nsswitch.conf
if grep -q '<slx-autogen>' "/etc/nsswitch.conf"; then
cat > "/etc/nsswitch.conf" <<-HERE
# <slx-autogen> Generated $(date)
passwd: ${nss[@]}
group: ${nss[@]}
shadow: files
hosts: ${dns[@]}
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
HERE
chmod 0644 "/etc/nsswitch.conf"
fi
rm -f -- "$tmpfile"
exit 0
|
