summaryrefslogblamecommitdiffstats
path: root/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
blob: c28ed125d229d87017790c88e68a64d0702ce3b6 (plain) (tree) 
53f89464 ^



40483dd6 ^


53f89464 ^








40483dd6 ^







































b7f48edc ^

40483dd6 ^


















53f89464 ^
























40483dd6 ^














53f89464 ^













































































40483dd6 ^


53f89464 ^


1
2
3

4
5

6
7
8
9
10
11
12
13

14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

53

54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95

96
97
98
99
100
101
102
103
104
105
106
107
108
109

110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186

187
188

189
190



                    

                                                  







                                                                                                             






































                                                                                              
                                             

















                                                                                            























                                                                                                                          













                                                                                                                      












































































                                                                          

                   

      
#!/bin/bash
# -- bash for arrays

# Prepare pam, nss and sssd configs as appropriate

export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"

declare -a auth
declare -a account
declare -a session
declare -a nss
declare -a dns

# Add PAM and NSS modules for sssd
add_sssd_modules() {
	auth+=("[success=%NUM% default=ignore] pam_sss.so use_first_pass")
	account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_sss.so")
	nss+=("sss")
	# Skip sss if unix worked
	session+=("[success=1] pam_unix.so")
	session+=("optional pam_sss.so")
}

# Write a combined sssd config from all our /opt/openslx/pam/slx-ldap.d/* files
write_sssd_config() {
	local file ok domains
	local tmpfile=$(mktemp)
	ok=0
	domains=
	cat > "$tmpfile" <<-HERE
		# File generated $(date) -- <slx-autogen>
		# This file might get overwritten again as long as the above tag stays in it
		[sssd]
		config_file_version = 2
		services = nss, pam
		domains = %DOMAIN_LIST%
		[nss]
		filter_users = root
		[pam]
	HERE
	for file in /opt/openslx/pam/slx-ldap.d/*; do
		[ -f "$file" ] || continue
		unset LDAP_ATTR_MOUNT_OPTS LDAP_URI LDAP_BASE LDAP_DOMAIN_OVERRIDE LDAP_CACERT
		. "$file"
		[ -z "$LDAP_URI" ] && continue
		[ -z "$LDAP_BASE" ] && continue
		ok=$(( ok + 1 ))
		domains="${domains}, dom$ok"
		cat >> "$tmpfile" <<-HERE
			[domain/dom$ok]
			id_provider = ldap
			auth_provider = ldap
			ldap_schema = rfc2307
			ldap_user_email = bogusFieldName42
			ldap_user_principal = bogusFieldName43
			cache_credentials = true
			ldap_uri = $LDAP_URI
			ldap_search_base = $LDAP_BASE
			ldap_tls_reqcert = demand
		HERE
		[ -n "$LDAP_CACERT" ] && echo "ldap_tls_cacert = $LDAP_CACERT" >> "$tmpfile"
	done
	[ "$ok" = 0 ] && return 1 # No config
	mkdir -p "/etc/sssd"
	chmod 0755 "/etc/sssd"
	sed "s/%DOMAIN_LIST%/${domains#, }/" "${tmpfile}" > "/etc/sssd/sssd.conf"
	chmod 0600 "/etc/sssd/sssd.conf"
	rm -f -- "${tmpfile}"
	return 0 # OK
}

# Our plugin, but account ONLY since it's fast
account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/pam/exec_account")

# unix
auth+=("[success=%NUM% default=ignore] pam_unix.so nodelay")
account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_unix.so")
nss+=("files" "cache")

# check for bwIDM
if [ -x "/opt/openslx/scripts/pam_bwidm" ]; then
	auth+=("[success=%NUM% default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/scripts/pam_bwidm")
	account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/scripts/pam_bwidm")
fi

# Insert kerberos before our auth module
if [ -s "/etc/ksb5.conf" ]; then
	auth+=("optional pam_krb5.so minimum_uid=1000 use_first_pass")
	session+=("optional pam_krb5.so minimum_uid=1000")
fi

# Our plugin, auth now
auth+=("[success=%NUM% default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/pam/exec_auth")

# sssd if reasonable
if systemctl is-enabled -q sssd.service && grep -q -e '^\s*id_provider' -e '^\s*auth_provider' "/etc/sssd/sssd.conf" \
		&& ! grep -q -F '<slx-autogen>' "/etc/sssd/sssd.conf"; then
	# sssd is configured and doesn't have our marker - just add pam and nss config but leave sssd.conf alone
	add_sssd_modules
elif ! systemctl show sssd.service | grep -q '^LoadError='; then
	# We have sssd available and unconfigured, or marked with our config tag, <slx-autogen>
	if write_sssd_config; then
		add_sssd_modules
		systemctl enable sssd.service
		systemctl restart --no-block sssd.service
	else
		# Nothing to configure, don't use sssd
		session+=("optional pam_unix.so")
	fi
else
	session+=("optional pam_unix.so")
fi

# DNS
dns+=("files" "cache")
if systemctl is-enabled -q systemd-resolved; then
	dns+=("resolve")
fi
dns+=("dns")

session+=("optional pam_exec.so quiet /opt/openslx/pam/exec_session")

#
# Write pam configs
tmpfile=$(mktemp)
# common-auth
skip=$(( ${#auth[@]} + 1 ))
echo "# Generated $(date)" > "$tmpfile"
for line in "${auth[@]}"; do
	echo "auth  ${line//%NUM%/$skip}"
	skip=$(( skip - 1 ))
done >> "$tmpfile"
cat >> "$tmpfile" <<-HERE
	auth  optional   pam_faildelay.so delay=2123123
	auth  requisite  pam_deny.so
	auth  required   pam_permit.so
	auth  optional   pam_cap.so
HERE
cp -f -- "$tmpfile" "/etc/pam.d/common-auth"

# common-account
skip=${#account[@]}
echo "# Generated $(date)" > "$tmpfile"
for line in "${account[@]}"; do
	echo "account  ${line//%NUM%/$skip}"
	skip=$(( skip - 1 ))
done >> "$tmpfile"
cat >> "$tmpfile" <<-HERE
	account	requisite  pam_deny.so
	account	required   pam_permit.so
HERE
cp -f -- "$tmpfile" "/etc/pam.d/common-account"

# common-session
cat > "$tmpfile" <<-HERE
	session  required pam_permit.so
	session  optional pam_umask.so
	session  required pam_systemd.so
	session  optional pam_env.so readenv=1
	session  optional pam_env.so readenv=1 envfile=/etc/default/locale
	session  optional pam_exec.so quiet /opt/openslx/pam/mkhome
HERE
for line in "${session[@]}"; do
	echo "session  $line"
done >> "$tmpfile"
cp -f -- "$tmpfile" "/etc/pam.d/common-session"

#
# Write nsswitch.conf
cat > "/etc/nsswitch.conf" <<-HERE
# Generated $(date)
passwd:         ${nss[@]}
group:          ${nss[@]}
shadow:         files

hosts:          ${dns[@]}
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
HERE

rm -f -- "$tmpfile"

exit 0
generated by cgit v1.2.3-55-g7522 (git 2.39.0) at 2024-06-01 04:32:05 +0200