From b7c1937d5a9070ee29e2f988d22c7433037af568 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Wed, 27 Jun 2018 13:20:15 +0200 Subject: [pam-slx-plug] Write user's LDAP attributes to .openslx/ldap Also qury transitive group memberships of AD servers by setting the search base to the user's DN and then limiting the search scope to "base"
---
 .../pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap | 9 ++++++--- core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth | 6 +++++- 2 files changed, 11 insertions(+), 4 deletions(-) (limited to 'core/modules/pam-slx-plug')
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
index e4f2704e..3e20d8ed 100644
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
@@ -102,9 +102,9 @@ run_auth() {
 echo -n "${USER_PASSWORD}" > "${PW}"
 ) &
 # unquoted LDAP_ATTR_*
- ldapsearch -x -LLL -l 5 -o nettimeout=5 -o ldif-wrap=no \
- -H "$LDAP_URI" -b "$LDAP_BASE" uid="${PAM_USER}" -y "${PW}" -D "$BINDDN" uid="${PAM_USER}" \
- homeMount homeDirectory realAccount uid uidNumber gidNumber ${LDAP_ATTR_MOUNT_OPTS} &> "${SEARCH_USER}"
+ # Use "-s base" and BINDDN as search base so Active Directory will return transitive group memberships
+ ldapsearch -s base -x -LLL -l 5 -o nettimeout=5 -o ldif-wrap=no \
+ -H "$LDAP_URI" -b "$BINDDN" -y "${PW}" -D "$BINDDN" uid="${PAM_USER}" msds-memberOfTransitive "*" &> "${SEARCH_USER}"
 RET=$?
 rm -f -- "${PW}"
 case "$RET" in
@@ -154,11 +154,14 @@ run_auth() {
 cn &> "${SEARCH_ANON}"
 USER_GROUP=$(extract_field "cn" "$SEARCH_ANON")
 fi
+ USER_INFO_FILE=$(mktemp)
+ cp "$SEARCH_USER" "$USER_INFO_FILE"
 return 0
 }
 TEMPFILES_LDAP=
 SLX_LDAP_FILE=
+USER_INFO_FILE=
 for s_file in /opt/openslx/pam/slx-ldap.d/*; do
 unset_ldap_vars
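Review bot: The context comment `# unquoted LDAP_ATTR_*` directly above the rewritten ldapsearch call now describes nothing, since the new command no longer passes `${LDAP_ATTR_MOUNT_OPTS}`; drop it or replace it with `# "*" requests all user attributes, which covers the LDAP_ATTR_* mount attributes too`. The `"*"` also pulls every attribute the directory is willing to return to a self-bind into `$SEARCH_USER`, and the later hunks copy that file into the user's home as a world-readable file, so depending on the server's ACLs attributes the old explicit list deliberately left out (`userPassword` on some OpenLDAP setups, for instance) may now be persisted. Keeping an explicit attribute list (the previous one plus `msds-memberOfTransitive`), or filtering such attributes out of the output before it is kept, avoids that. run_auth begins before and ends after this hunk.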
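Review bot: `cp "$SEARCH_USER" "$USER_INFO_FILE"` copies the raw search output, and the first hunk fills `$SEARCH_USER` with `&>`, so anything ldapsearch prints on stderr next to a successful result (TLS or SASL warnings, for example) would become part of the file that exec_auth later installs as `.openslx/ldap`; sending only stdout to `$SEARCH_USER` (`> "${SEARCH_USER}"`, with stderr kept wherever the `case "$RET"` path expects it) keeps that file plain LDIF. The `mktemp` result is not checked either: on failure `USER_INFO_FILE` is empty, `cp` prints an error and the function still returns 0, so `USER_INFO_FILE=$(mktemp) && cp -- "$SEARCH_USER" "$USER_INFO_FILE" || USER_INFO_FILE=` makes the failure explicit and protects `cp` against a path starting with `-`. The new temp file is also not recorded in `TEMPFILES_LDAP`, so if the consumer never moves it, it stays in the temp directory; whether that list is the right place depends on when it is cleaned, which is outside this hunk. run_auth begins before this hunk.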
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
index d140f78c..6f1dc0ae 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
@@ -45,6 +45,7 @@ for auth_file in /opt/openslx/pam/auth-source.d/*; do
 USER_GROUP=
 USER_HOME=
 USER_DN=
+ USER_INFO_FILE=
 [ -f "$auth_file" ] || continue
 . "$auth_file"
 [ -n "$USER_UID" ] || continue
@@ -133,7 +134,10 @@ if [ -n "${REAL_ACCOUNT}" ]; then
 echo "${REAL_ACCOUNT}" > "${TEMP_HOME_DIR}/.openslx/account"
 chmod 0644 "${TEMP_HOME_DIR}/.openslx/account"
 fi
-
+if [ -n "$USER_INFO_FILE" ] && [ -s "$USER_INFO_FILE" ]; then
+ mv -- "$USER_INFO_FILE" "${TEMP_HOME_DIR}/.openslx/ldap"
+ chmod 0644 "${TEMP_HOME_DIR}/.openslx/ldap"
+fi
 ###############################################################################
 # -- cgit v1.2.3-55-g7522
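Review bot: When `USER_INFO_FILE` is set but `[ -s "$USER_INFO_FILE" ]` fails, the file 99-slx-ldap created with `mktemp` is neither moved nor removed, so every login that yields an empty result leaves a stray file in the temp directory unless something outside this hunk cleans it up; splitting the condition lets the empty case delete it. The installed file is given mode 0644 like `.openslx/account`, but it holds the user's whole directory entry (group memberships plus whatever attributes the server returned), which other local users have no need to read, so 0600 is the safer default unless a specific consumer relies on other-read. After `mv` the file is owned by the account running exec_auth rather than the logging-in user unless TEMP_HOME_DIR is chowned later, which is not visible here and worth confirming.
```shell
if [ -n "$USER_INFO_FILE" ]; then
  if [ -s "$USER_INFO_FILE" ]; then
    mv -- "$USER_INFO_FILE" "${TEMP_HOME_DIR}/.openslx/ldap"
    chmod 0600 "${TEMP_HOME_DIR}/.openslx/ldap"
  else
    rm -f -- "$USER_INFO_FILE"
  fi
fi
```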