-rw-r--r--core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap9
-rwxr-xr-xcore/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth6
2 files changed, 11 insertions, 4 deletions
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
index e4f2704e..3e20d8ed 100644
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
@@ -102,9 +102,9 @@ run_auth() {
echo -n "${USER_PASSWORD}" > "${PW}"
) &
# unquoted LDAP_ATTR_*
- ldapsearch -x -LLL -l 5 -o nettimeout=5 -o ldif-wrap=no \
- -H "$LDAP_URI" -b "$LDAP_BASE" uid="${PAM_USER}" -y "${PW}" -D "$BINDDN" uid="${PAM_USER}" \
- homeMount homeDirectory realAccount uid uidNumber gidNumber ${LDAP_ATTR_MOUNT_OPTS} &> "${SEARCH_USER}"
+ # Use "-s base" and BINDDN as search base so Active Directory will return transitive group memberships
+ ldapsearch -s base -x -LLL -l 5 -o nettimeout=5 -o ldif-wrap=no \
+ -H "$LDAP_URI" -b "$BINDDN" -y "${PW}" -D "$BINDDN" uid="${PAM_USER}" msds-memberOfTransitive "*" &> "${SEARCH_USER}"
RET=$?
rm -f -- "${PW}"
case "$RET" in
@@ -154,11 +154,14 @@ run_auth() {
cn &> "${SEARCH_ANON}"
USER_GROUP=$(extract_field "cn" "$SEARCH_ANON")
fi
+ USER_INFO_FILE=$(mktemp)
+ cp "$SEARCH_USER" "$USER_INFO_FILE"
return 0
}
TEMPFILES_LDAP=
SLX_LDAP_FILE=
+USER_INFO_FILE=
for s_file in /opt/openslx/pam/slx-ldap.d/*; do
unset_ldap_vars
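Review bot: In the second hunk `USER_INFO_FILE=$(mktemp)` is neither checked nor registered with the script's temp-file tracking, so a failed mktemp makes the following `cp` write to an empty path, and a successful one leaves a copy of the user's full LDAP entry in /tmp whenever exec_auth does not consume it; `USER_INFO_FILE=$(mktemp) || return 1` covers the first case, and either appending the path to `TEMPFILES_LDAP` (if that list drives a cleanup that runs after exec_auth's move, which is outside this hunk) or having the consumer remove it covers the second. Note that the copy now holds everything the rewritten ldapsearch returns, since the first hunk replaced the explicit attribute list with `"*"`, so it is broader than the old homeMount/homeDirectory/realAccount/uid/uidNumber/gidNumber set. The `# unquoted LDAP_ATTR_*` comment kept above the new ldapsearch in the first hunk is stale, because `${LDAP_ATTR_MOUNT_OPTS}` no longer appears in the command; drop it or move it to wherever that variable is still expanded. run_auth starts before the first hunk.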
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
index d140f78c..6f1dc0ae 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
@@ -45,6 +45,7 @@ for auth_file in /opt/openslx/pam/auth-source.d/*; do
USER_GROUP=
USER_HOME=
USER_DN=
+ USER_INFO_FILE=
[ -f "$auth_file" ] || continue
. "$auth_file"
[ -n "$USER_UID" ] || continue
@@ -133,7 +134,10 @@ if [ -n "${REAL_ACCOUNT}" ]; then
echo "${REAL_ACCOUNT}" > "${TEMP_HOME_DIR}/.openslx/account"
chmod 0644 "${TEMP_HOME_DIR}/.openslx/account"
fi
-
+if [ -n "$USER_INFO_FILE" ] && [ -s "$USER_INFO_FILE" ]; then
+ mv -- "$USER_INFO_FILE" "${TEMP_HOME_DIR}/.openslx/ldap"
+ chmod 0644 "${TEMP_HOME_DIR}/.openslx/ldap"
+fi
###############################################################################
#
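Review bot: The new `.openslx/ldap` file is the user's complete LDAP entry (the companion change requests `"*"`), and `chmod 0644` makes it readable by every other local user of the machine, while the existing 0644 on `.openslx/account` only exposes an account name; unless another component needs world access, `chmod 0600` (or 0640) is the safer default. The `mv` result is also not checked before the chmod, so a failed move (cross-device copy into a home root cannot write, or `.openslx` not yet created when `REAL_ACCOUNT` is empty, which this hunk does not show) produces a chmod error on a missing path; chaining them as `mv -- "$USER_INFO_FILE" "${TEMP_HOME_DIR}/.openslx/ldap" && chmod 0600 "${TEMP_HOME_DIR}/.openslx/ldap"` keeps the two together. When the `-s` test fails the mktemp file from the auth source is never removed, so a `[ -n "$USER_INFO_FILE" ] && rm -f -- "$USER_INFO_FILE"` after the `fi` (a no-op once the move succeeded) closes that leak.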