path: root/core/modules/pam-slx-plug/flowchart.dot
blob: 1e48bf7f410b533223a9acb3bbf382062307cd81 (plain) (tree)
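// Flowchart of the pam-slx-plug authentication stack.
// Three clusters document the helper scripts that the PAM stack
// (cluster_pam) dispatches to; the thick, arrowless edges at the
// bottom only tie each script's "start" node to the PAM module that
// invokes it and are not control flow.
//
// Edge colour convention used throughout (as far as the graph shows it):
//   red   = failure / deny path
//   green = success path (auth accepted, continue to pam_exec_final)
// Decision outcomes are written as taillabel on the outgoing edge.
digraph {
	ratio = 1.4137931034482; // For printing on A paper size
	edge [labeldistance=2.5];

	// The PAM stack itself (common-auth). Local accounts (pam_unix)
	// are tried first, then the remote mechanisms in order; every
	// failed mechanism falls through to the next one, and the last
	// fallthrough ends in pam_faildelay -> pam_deny.
	subgraph cluster_pam {
		label = "pam_auth (common-auth)";

		has_pam_exec_bwidm [label="has pam_exec_bwidm?", shape="diamond"];
		has_krb5 [label="has /etc/krb5.conf?", shape="diamond"];
		has_sssd [label="has sssd + config?", shape="diamond"];

		pam_deny [style=filled, fillcolor="#ff7777"];
		pam_cap [style=filled, fillcolor="#77ff77"];

		pam_unix -> pam_exec_final [color=green];
		pam_unix -> has_pam_exec_bwidm [color=red];
		has_pam_exec_bwidm -> pam_exec_bwidm [taillabel="yes"];
		has_pam_exec_bwidm -> has_krb5 [taillabel="no"];

		pam_exec_bwidm -> pam_exec_final [color=green];
		pam_exec_bwidm -> has_krb5 [color=red];

		has_krb5 -> pam_krb5 [taillabel="yes"];
		has_krb5 -> pam_exec_slx [taillabel="no"];

		pam_krb5 -> pam_exec_slx;

		pam_exec_slx -> pam_exec_final [color=green];
		pam_exec_slx -> has_sssd [color=red];

		has_sssd -> pam_sss [taillabel="yes"];
		has_sssd -> pam_faildelay [taillabel="no"];

		pam_sss -> pam_exec_final [color=green];
		pam_sss -> pam_faildelay [color=red];

		pam_faildelay -> pam_deny;

		pam_exec_final -> pam_permit;

		pam_permit -> pam_cap;
	}

	// exec_auth: pluggable authentication via auth-source.d, followed by
	// local account provisioning (passwd entry, tmpfs home, network home).
	// The guard nodes before exec_slx_group reject input that would be
	// unsafe to turn into an /etc/passwd line (uid 0, non-numeric ids,
	// username mismatch, embedded newlines).
	subgraph cluster_pam_exec_slx {
		label = "/opt/openslx/pam/exec_auth";
		exec_slx_start [label="start"];
		exec_slx_end [label="end"];

		exec_slx_stdinpw [label="Read password from stdin"]; // typo "pasword" fixed; matches bwidm_stdinpw
		exec_slx_colon [label="':' in Username?"];
		exec_slx_check_user [label="Running as which user?"];
		exec_slx_shadow [label="User in /etc/shadow?"];
		exec_slx_etc_passwd [label="Does special /etc/passwd line exist?"];
		exec_slx_source_auth [label="Source next file in /opt/openslx/pam/auth-source.d"];
		exec_slx_check_auth_vars [label="Is USER_UID and USER_GID/USER_GROUP set?\n(Should be set by sourced file on success)"];
		exec_slx_check_uid [label="Is USER_UID == 0, or not numeric?\nIs USER_GID numeric if not empty?"];
		exec_slx_check_caps [label="Is $USER_NAME == $PAM_USER?\nDoes any variable contain newlines?"];
		exec_slx_group [label="Resolve USER_GID or USER_GROUP, or create if necessary"];
		exec_slx_tmphome [label="Set TEMP_HOME_DIR = $USER_HOME\nPERSISTENT_HOME_DIR = $TEMP_HOME_DIR/PERSISTENT"];
		exec_slx_tmphome2 [label="Mount tmpfs to $TEMP_HOME_DIR (if\nnot already there), owned by user"];
		exec_slx_tmphome3 [label="Mount tmpfs to $TEMP_HOME_DIR/.openslx, owned by root"];
		exec_slx_tmphome4 [label="Write $REAL_ACCOUNT to .openslx/account"];
		exec_slx_tmphome5 [label="Move $USER_INFO_FILE to .openslx/ldap"];
		exec_slx_nethome_ok [label="Anything mounted at $PERSISTENT_HOME_DIR?"];
		exec_slx_nethome [label="Source next file in /opt/openslx/pam/mount.d"];
		exec_slx_note_persistent [label="Write WARNING.txt hinting at PERSISTENT subdir"];
		exec_slx_note_usb [label="Write WARNING.txt hinting at no persistent storage"];
		exec_slx_set_netpath [label="Set PERSISTENT_NETPATH to NETWORK_HOME,\nwith '/' replaced by '\\'"];
		exec_slx_source_hook [label="Set PAM_AUTHTOK to user password and source\n/opt/openslx/pam/hooks/auth-slx-source.d/*"];

		// Shared helper: writes the local account. Any pre-existing
		// entry with the same name or uid is removed first, so the
		// guards above are the only thing standing between the sourced
		// auth file's variables and /etc/passwd.
		subgraph cluster_homedir {
			label = "/opt/openslx/pam/common/homedir-passwd";
			exec_slx_home [label="Sanitize USER_HOME or use default pattern"];
			exec_slx_prune_passwd [label="Delete any user with same name or uid from /etc/passwd"];
			exec_slx_write_passwd [label="Write user to /etc/passwd, with special marker"];

			exec_slx_home -> exec_slx_prune_passwd -> exec_slx_write_passwd;
		}

		exec_slx_start -> exec_slx_stdinpw;

		exec_slx_stdinpw -> exec_slx_colon [taillabel="ok"];
		exec_slx_stdinpw -> exec_slx_end [taillabel="empty",color=red];

		exec_slx_colon -> exec_slx_check_user [taillabel="no"];
		exec_slx_colon -> exec_slx_end [taillabel="yes",color=red];

		// Only the root context and the user's own context are accepted;
		// root is additionally refused for users that already exist in
		// /etc/shadow (i.e. genuinely local accounts stay with pam_unix).
		exec_slx_check_user -> exec_slx_etc_passwd [taillabel="$PAM_USER"];
		exec_slx_check_user -> exec_slx_shadow [taillabel="root"];
		exec_slx_check_user -> exec_slx_end [taillabel="other",color=red];

		exec_slx_etc_passwd -> exec_slx_source_auth [taillabel="yes"];
		exec_slx_etc_passwd -> exec_slx_end [taillabel="no",color=red];

		exec_slx_shadow -> exec_slx_source_auth [taillabel="no"];
		exec_slx_shadow -> exec_slx_end [taillabel="yes",color=red];

		// auth-source.d files are tried in turn until one sets the
		// USER_* variables; running out of files still proceeds to the
		// uid check, which then fails on the unset USER_UID.
		exec_slx_source_auth -> exec_slx_check_auth_vars;
		exec_slx_source_auth -> exec_slx_check_uid [taillabel="no more files"];

		exec_slx_check_auth_vars -> exec_slx_source_auth [taillabel="no"];
		exec_slx_check_auth_vars -> exec_slx_check_uid [taillabel="yes"];

		exec_slx_check_uid -> exec_slx_check_caps [taillabel="no"];
		exec_slx_check_uid -> exec_slx_end [taillabel="yes",color=red];

		exec_slx_check_caps -> exec_slx_group [taillabel="yes"];
		exec_slx_check_caps -> exec_slx_end [taillabel="no",color=red];

		exec_slx_group -> exec_slx_home;
		exec_slx_write_passwd -> exec_slx_tmphome -> exec_slx_tmphome2 -> exec_slx_tmphome3 -> exec_slx_tmphome4 -> exec_slx_tmphome5;
		exec_slx_tmphome5 -> exec_slx_nethome_ok;

		// mount.d files are tried until something is mounted at the
		// persistent home; if none succeeds the user gets the
		// "no persistent storage" warning instead.
		exec_slx_nethome_ok -> exec_slx_note_persistent [taillabel="yes"];
		exec_slx_nethome_ok -> exec_slx_nethome [taillabel="no"];

		exec_slx_nethome -> exec_slx_nethome_ok;
		exec_slx_nethome -> exec_slx_note_usb [taillabel="no more files"];

		exec_slx_note_usb -> exec_slx_set_netpath;
		exec_slx_note_persistent -> exec_slx_set_netpath;

		exec_slx_set_netpath -> exec_slx_source_hook;

		exec_slx_source_hook -> exec_slx_end;
	}

	// exec_auth_final: post-auth hooks, only run when in the root context.
	subgraph cluster_pam_exec_final {
		label = "/opt/openslx/pam/exec_auth_final";
		exec_final_start [label="start"];
		exec_final_end [label="end"];
		exec_final_user [label="Running in root context?"];
		exec_final_d [label="Execute all scripts in /opt/openslx/pam/hooks/auth-final-exec.d"];
		exec_final_start -> exec_final_user;
		exec_final_user -> exec_final_d [taillabel="yes"];
		exec_final_user -> exec_final_end [taillabel="no"];
		exec_final_d -> exec_final_end;
	}

	// pam_bwidm: federated login against an IdP looked up from a
	// (cached) IdP list. The "auth" type deliberately sends a wrong
	// password first and expects HTTP 401 before trusting a 2xx for
	// the real one; any other status on either request is a failure.
	subgraph cluster_pam_exec_bwidm {
		label = "/opt/openslx/scripts/pam_bwidm";
		bwidm_start [label="start"];
		bwidm_end [label="end"];
		bwidm_stdinpw [label="Read password from stdin"];
		bwidm_precon [label="Check for curl and mktemp"];
		bwidm_tmpdir [label="Find usable tmpdir"];
		bwidm_allowed [label="Check if enabled and org allowed"];
		bwidm_check_cache [label="Does IdP cache exist?"];
		bwidm_cache_writable [label="Is cache dir writable?"];
		bwidm_download_list [label="Download IdP list"];
		bwidm_lookup_idp [label="Lookup IdP URL"];
		bwidm_addgroup [label="Make sure group bwidm exists"];
		bwidm_pam_type [label="Which pam type?"];
		bwidm_req_401 [label="Request with wrong password"];
		bwidm_req_200 [label="Request with provided password"];
		bwidm_etc_passwd [label="Make sure /etc/passwd entry exists"];

		bwidm_start -> bwidm_stdinpw;
		bwidm_stdinpw -> bwidm_precon [taillabel="ok"];
		bwidm_stdinpw -> bwidm_end [taillabel="fail",color=red];

		bwidm_precon -> bwidm_tmpdir;
		bwidm_precon -> bwidm_end [taillabel="missing",color=red];

		bwidm_tmpdir -> bwidm_allowed;

		bwidm_allowed -> bwidm_check_cache [taillabel="yes"];
		bwidm_allowed -> bwidm_end [taillabel="no",color=red];

		bwidm_check_cache -> bwidm_lookup_idp [taillabel="yes"];
		bwidm_check_cache -> bwidm_cache_writable [taillabel="no"];

		bwidm_cache_writable -> bwidm_download_list [taillabel="yes"];
		bwidm_cache_writable -> bwidm_end [taillabel="no",color=red];

		bwidm_download_list -> bwidm_lookup_idp [taillabel="HTTP 2xx"];
		bwidm_download_list -> bwidm_end [taillabel="<other>",color=red];

		bwidm_lookup_idp -> bwidm_addgroup [taillabel="found"];
		bwidm_lookup_idp -> bwidm_end [taillabel="not found",color=red];

		bwidm_addgroup -> bwidm_pam_type [taillabel="ok"];
		bwidm_addgroup -> bwidm_end [taillabel="fail",color=red];

		// "account" succeeds without contacting the IdP; only "auth"
		// performs the two requests below.
		bwidm_pam_type -> bwidm_req_401 [taillabel="auth"];
		bwidm_pam_type -> bwidm_end [taillabel="account",color=green];
		bwidm_pam_type -> bwidm_end [taillabel="<other>",color=red]; // was label=; taillabel like every other outcome edge

		bwidm_req_401 -> bwidm_req_200 [taillabel="HTTP 401"];
		bwidm_req_401 -> bwidm_end [taillabel="<other>",color=red];

		bwidm_req_200 -> bwidm_etc_passwd [taillabel="HTTP 2xx"];
		bwidm_req_200 -> bwidm_end [taillabel="<other>",color=red]; // was label=; taillabel like every other outcome edge

		bwidm_etc_passwd -> bwidm_end [taillabel="ok",color=green];
		bwidm_etc_passwd -> bwidm_end [taillabel="fail",color=red];
	}

	// Structural links: which PAM module runs which script. Not control flow.
	exec_final_start -> pam_exec_final [arrowhead=none,penwidth=3];
	exec_slx_start -> pam_exec_slx [arrowhead=none,penwidth=3];
	bwidm_start -> pam_exec_bwidm [arrowhead=none,penwidth=3];

	start [shape=none];
	start -> pam_unix;

}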