#!/bin/bash
# -- bash for arrays
# Prepare pam, nss and sssd configs as appropriate
#
# The arrays below collect one module line per PAM stack (auth/account/session)
# and the lookup source lists for nsswitch.conf (nss, dns). Lines containing
# the placeholder %NUM% get their "[success=N ...]" jump count filled in once
# the final line order of the stack is known.
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
declare -a auth account session nss dns
# Add PAM and NSS modules for sssd
#######################################
# Register sssd in the PAM stacks and in the nsswitch source list.
# Globals:   auth, account, session, nss (appended to)
# Arguments: none
# Returns:   0
#######################################
add_sssd_modules() {
  nss+=("sss")
  # Session: if pam_unix succeeded, jump over the sss line (success=1)
  session+=(
    "[success=1] pam_unix.so"
    "optional pam_sss.so"
  )
  # Auth/account: %NUM% is replaced with the jump count when the stack is written
  auth+=("[success=%NUM% default=ignore] pam_sss.so use_first_pass")
  account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_sss.so")
}
# Write a combined sssd config from all our /opt/openslx/pam/slx-ldap.d/* files
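#######################################
# Write a combined sssd config from all our /opt/openslx/pam/slx-ldap.d/* files
# Globals:   LDAP_URI, LDAP_BASE, LDAP_CACERT (and LDAP_ATTR_MOUNT_OPTS,
#            SHARE_DOMAIN) are reset and then set by each sourced snippet
# Arguments: none
# Outputs:   /etc/sssd/sssd.conf, mode 0600, one [domain/domN] per snippet
#            that provides both LDAP_URI and LDAP_BASE
# Returns:   0 if at least one domain was written, 1 if there was nothing to
#            configure or the config could not be written (no partial file is
#            left behind in either case)
#######################################
write_sssd_config() {
  local file ok domains tmpfile
  local -r target="/etc/sssd/sssd.conf"
  # Keep declaration and assignment apart so a failing mktemp is not masked
  tmpfile=$(mktemp) || return 1
  ok=0
  domains=
  cat > "$tmpfile" <<-HERE
# File generated $(date) -- <slx-autogen>
# This file might get overwritten again as long as the above tag stays in it
[sssd]
config_file_version = 2
services = nss, pam
domains = %DOMAIN_LIST%
[nss]
filter_users = root
[pam]
HERE
  for file in /opt/openslx/pam/slx-ldap.d/*; do
    [ -f "$file" ] || continue
    # Reset everything a snippet may set so values cannot bleed from one file
    # into the next
    unset LDAP_ATTR_MOUNT_OPTS LDAP_URI LDAP_BASE SHARE_DOMAIN LDAP_CACERT
    # Snippets are sourced, i.e. executed in this shell, not parsed -- the
    # directory must therefore only be writable by root
    . "$file"
    [ -z "$LDAP_URI" ] && continue
    [ -z "$LDAP_BASE" ] && continue
    ok=$(( ok + 1 ))
    domains="${domains}, dom$ok"
    # The two bogusFieldName attributes are presumably deliberate non-matching
    # names so sssd never picks these up from the directory -- TODO confirm.
    # ldap_tls_reqcert = demand makes sssd verify the server certificate.
    cat >> "$tmpfile" <<-HERE
[domain/dom$ok]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_user_email = bogusFieldName42
ldap_user_principal = bogusFieldName43
cache_credentials = true
ldap_uri = $LDAP_URI
ldap_search_base = $LDAP_BASE
ldap_tls_reqcert = demand
HERE
    [ -n "$LDAP_CACERT" ] && printf 'ldap_tls_cacert = %s\n' "$LDAP_CACERT" >> "$tmpfile"
  done
  if [ "$ok" = 0 ]; then
    # No config -- do not leave the temp file behind
    rm -f -- "$tmpfile"
    return 1
  fi
  mkdir -p "/etc/sssd"
  chmod 0755 "/etc/sssd"
  # domains is ", dom1, dom2, ..."; strip the leading separator.
  # Create the target under umask 077 so a new sssd.conf never exists with a
  # wider mode than 0600; the chmod afterwards still tightens a pre-existing
  # file. Treat a failed write as "nothing configured" so the caller does not
  # enable sssd on top of a broken config.
  if ! ( umask 077 && sed "s/%DOMAIN_LIST%/${domains#, }/" "$tmpfile" > "$target" ); then
    rm -f -- "$tmpfile"
    return 1
  fi
  chmod 0600 "$target"
  rm -f -- "$tmpfile"
  return 0 # OK
}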
# unix comes first; %NUM% is the success-jump filled in when the stack is written
auth+=("[success=%NUM% default=ignore] pam_unix.so nodelay")
account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_unix.so")
nss+=("files" "cache")
# Our plugin, but account ONLY since it's fast (it's not if not executed in root context so move after unix)
account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/pam/exec_account")
# bwIDM, only if its helper script is installed and executable
if [[ -x "/opt/openslx/scripts/pam_bwidm" ]]; then
  auth+=("[success=%NUM% default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/scripts/pam_bwidm")
  account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/scripts/pam_bwidm")
fi
# Kerberos goes in front of our own auth module whenever a non-empty krb5.conf exists
if [[ -s "/etc/krb5.conf" ]]; then
  auth+=("optional pam_krb5.so minimum_uid=1000 use_first_pass ccache=FILE:/run/user/krb5cc_%u_XXXXXX ccname_template=FILE:/run/user/krb5cc_%U_XXXXXX")
  session+=("optional pam_krb5.so minimum_uid=1000")
fi
# Our plugin, auth now (expose_authtok passes the entered password to the helper on stdin)
auth+=("[success=%NUM% default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/pam/exec_auth")
# sssd -- three cases, checked in this order:
#  1) enabled and configured by someone else (no <slx-autogen> tag in sssd.conf):
#     use it, but leave sssd.conf alone
#  2) unit cannot be loaded at all: no sssd
#  3) present but unconfigured, or carrying our tag: generate sssd.conf and use
#     it if that produced something
if systemctl is-enabled -q sssd.service \
    && grep -q -e '^\s*id_provider' -e '^\s*auth_provider' "/etc/sssd/sssd.conf" \
    && ! grep -q -F '<slx-autogen>' "/etc/sssd/sssd.conf"; then
  add_sssd_modules
elif systemctl show sssd.service | grep -q '^LoadError='; then
  session+=("optional pam_unix.so")
elif write_sssd_config; then
  add_sssd_modules
  systemctl enable sssd.service
  systemctl restart --no-block sssd.service
else
  # Nothing to configure, don't use sssd
  session+=("optional pam_unix.so")
fi
# DNS: resolved only when systemd-resolved is enabled on this host
dns+=("files" "cache")
if systemctl is-enabled -q systemd-resolved; then
  dns+=("resolve")
fi
dns+=("dns")
session+=("optional pam_exec.so quiet /opt/openslx/pam/exec_session")
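#
# Write pam configs
#
# Each file is only regenerated while it still carries our <slx-autogen> tag,
# so a locally edited file is left alone. Content is assembled in a temp file
# (created 0600 by mktemp) and then copied into place.
tmpfile=$(mktemp) || exit 1

#######################################
# Copy a finished config into place and make it world-readable.
# Arguments: $1 - source (temp) file
#            $2 - destination path
# Returns:   status of chmod
#######################################
install_generated() {
  cp -f -- "$1" "$2"
  chmod 0644 "$2"
}

# common-auth
# %NUM% becomes the "success=" jump count: every module line jumps over all
# following auth module lines plus pam_faildelay and pam_deny, landing on
# exec_auth_final, hence the extra +1 for the first line.
if grep -q '<slx-autogen>' "/etc/pam.d/common-auth"; then
  skip=$(( ${#auth[@]} + 1 ))
  echo "# <slx-autogen> Generated $(date)" > "$tmpfile"
  for line in "${auth[@]}"; do
    printf 'auth %s\n' "${line//%NUM%/$skip}"
    skip=$(( skip - 1 ))
  done >> "$tmpfile"
  cat >> "$tmpfile" <<-HERE
auth optional pam_faildelay.so delay=2123123
auth requisite pam_deny.so
auth optional pam_exec.so quiet /opt/openslx/pam/exec_auth_final
auth required pam_permit.so
auth optional pam_cap.so
HERE
  install_generated "$tmpfile" "/etc/pam.d/common-auth"
fi
# common-account
# Here the jump only has to clear the remaining account lines and pam_deny,
# so the first line skips exactly ${#account[@]} lines.
if grep -q '<slx-autogen>' "/etc/pam.d/common-account"; then
  skip=${#account[@]}
  echo "# <slx-autogen> Generated $(date)" > "$tmpfile"
  for line in "${account[@]}"; do
    printf 'account %s\n' "${line//%NUM%/$skip}"
    skip=$(( skip - 1 ))
  done >> "$tmpfile"
  cat >> "$tmpfile" <<-HERE
account requisite pam_deny.so
account required pam_permit.so
HERE
  install_generated "$tmpfile" "/etc/pam.d/common-account"
fi
# common-session -- fixed prefix, then the collected session lines (no %NUM% here)
if grep -q '<slx-autogen>' "/etc/pam.d/common-session"; then
  cat > "$tmpfile" <<-HERE
# <slx-autogen> Generated $(date)
session required pam_permit.so
session optional pam_umask.so
session required pam_systemd.so
session optional pam_env.so readenv=1
session optional pam_env.so readenv=1 envfile=/etc/default/locale
session optional pam_exec.so quiet /opt/openslx/pam/mkhome
HERE
  for line in "${session[@]}"; do
    printf 'session %s\n' "$line"
  done >> "$tmpfile"
  install_generated "$tmpfile" "/etc/pam.d/common-session"
fi
#
# Write nsswitch.conf
# Assembled in the temp file like the PAM files so a half-written file is
# never the one in /etc; [*] joins the source lists with a single space.
if grep -q '<slx-autogen>' "/etc/nsswitch.conf"; then
  cat > "$tmpfile" <<-HERE
# <slx-autogen> Generated $(date)
passwd: ${nss[*]}
group: ${nss[*]}
shadow: files
hosts: ${dns[*]}
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
HERE
  install_generated "$tmpfile" "/etc/nsswitch.conf"
fi
rm -f -- "$tmpfile"
exit 0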