summaryrefslogtreecommitdiffstats
path: root/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
blob: 1893660352ff72823902245d964bff8656c5fc7f (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205

#!/bin/bash
# -- bash for arrays

# Prepare pam, nss and sssd configs as appropriate

export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"

declare -a auth
declare -a account
declare -a session
declare -a nss
declare -a dns

# Add PAM and NSS modules for sssd
add_sssd_modules() {
	auth+=("[success=%NUM% default=ignore] pam_sss.so use_first_pass")
	account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_sss.so")
	nss+=("sss")
	# Skip sss if unix worked
	session+=("[success=1] pam_unix.so")
	session+=("optional pam_sss.so")
}

# Write a combined sssd config from all our /opt/openslx/pam/slx-ldap.d/* files
write_sssd_config() {
	local file ok domains
	local tmpfile=$(mktemp)
	ok=0
	domains=
	cat > "$tmpfile" <<-HERE
		# File generated $(date) -- <slx-autogen>
		# This file might get overwritten again as long as the above tag stays in it
		[sssd]
		config_file_version = 2
		services = nss, pam
		domains = %DOMAIN_LIST%
		[nss]
		filter_users = root
		[pam]
	HERE
	for file in /opt/openslx/pam/slx-ldap.d/*; do
		[ -f "$file" ] || continue
		unset LDAP_ATTR_MOUNT_OPTS LDAP_URI LDAP_BASE SHARE_DOMAIN LDAP_CACERT
		. "$file"
		[ -z "$LDAP_URI" ] && continue
		[ -z "$LDAP_BASE" ] && continue
		ok=$(( ok + 1 ))
		domains="${domains}, dom$ok"
		cat >> "$tmpfile" <<-HERE
			[domain/dom$ok]
			id_provider = ldap
			auth_provider = ldap
			ldap_schema = rfc2307
			ldap_user_email = bogusFieldName42
			ldap_user_principal = bogusFieldName43
			cache_credentials = true
			ldap_uri = $LDAP_URI
			ldap_search_base = $LDAP_BASE
			ldap_tls_reqcert = demand
		HERE
		[ -n "$LDAP_CACERT" ] && echo "ldap_tls_cacert = $LDAP_CACERT" >> "$tmpfile"
	done
	[ "$ok" = 0 ] && return 1 # No config
	mkdir -p "/etc/sssd"
	chmod 0755 "/etc/sssd"
	sed "s/%DOMAIN_LIST%/${domains#, }/" "${tmpfile}" > "/etc/sssd/sssd.conf"
	chmod 0600 "/etc/sssd/sssd.conf"
	rm -f -- "${tmpfile}"
	return 0 # OK
}

# unix
auth+=("[success=%NUM% default=ignore] pam_unix.so nodelay")
account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_unix.so")
nss+=("files" "cache")

# Our plugin, but account ONLY since it's fast (it's not if not executed in root context so move after unix)
account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/pam/exec_account")

# check for bwIDM
if [ -x "/opt/openslx/scripts/pam_bwidm" ]; then
	auth+=("[success=%NUM% default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/scripts/pam_bwidm")
	account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/scripts/pam_bwidm")
fi

# Insert kerberos before our auth module
if [ -s "/etc/krb5.conf" ]; then
	auth+=("optional pam_krb5.so minimum_uid=1000 use_first_pass ccache=FILE:/run/user/krb5cc_%u_XXXXXX ccname_template=FILE:/run/user/krb5cc_%U_XXXXXX")
	session+=("optional pam_krb5.so minimum_uid=1000")
fi

# Our plugin, auth now
auth+=("[success=%NUM% default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/pam/exec_auth")

# sssd if reasonable
if systemctl is-enabled -q sssd.service && grep -q -e '^\s*id_provider' -e '^\s*auth_provider' "/etc/sssd/sssd.conf" \
		&& ! grep -q -F '<slx-autogen>' "/etc/sssd/sssd.conf"; then
	# sssd is configured and doesn't have our marker - just add pam and nss config but leave sssd.conf alone
	add_sssd_modules
elif ! systemctl show sssd.service | grep -q '^LoadError='; then
	# We have sssd available and unconfigured, or marked with our config tag, <slx-autogen>
	if write_sssd_config; then
		add_sssd_modules
		systemctl enable sssd.service
		systemctl restart --no-block sssd.service
	else
		# Nothing to configure, don't use sssd
		session+=("optional pam_unix.so")
	fi
else
	session+=("optional pam_unix.so")
fi

# DNS
dns+=("files" "cache")
if systemctl is-enabled -q systemd-resolved; then
	dns+=("resolve")
fi
dns+=("dns")

session+=("optional pam_exec.so quiet /opt/openslx/pam/exec_session")

#
# Write pam configs
tmpfile=$(mktemp)

# common-auth
if grep -q '<slx-autogen>' "/etc/pam.d/common-auth"; then
	skip=$(( ${#auth[@]} + 1 ))
	echo "# <slx-autogen> Generated $(date)" > "$tmpfile"
	for line in "${auth[@]}"; do
		echo "auth  ${line//%NUM%/$skip}"
		skip=$(( skip - 1 ))
	done >> "$tmpfile"
	cat >> "$tmpfile" <<-HERE
		auth  optional   pam_faildelay.so delay=2123123
		auth  requisite  pam_deny.so
		auth  optional   pam_exec.so quiet /opt/openslx/pam/exec_auth_final
		auth  required   pam_permit.so
		auth  optional   pam_cap.so
	HERE
	cp -f -- "$tmpfile" "/etc/pam.d/common-auth"
	chmod 0644 "/etc/pam.d/common-auth"
fi

# common-account
if grep -q '<slx-autogen>' "/etc/pam.d/common-account"; then
	skip=${#account[@]}
	echo "# <slx-autogen> Generated $(date)" > "$tmpfile"
	for line in "${account[@]}"; do
		echo "account  ${line//%NUM%/$skip}"
		skip=$(( skip - 1 ))
	done >> "$tmpfile"
	cat >> "$tmpfile" <<-HERE
		account	requisite  pam_deny.so
		account	required   pam_permit.so
	HERE
	cp -f -- "$tmpfile" "/etc/pam.d/common-account"
	chmod 0644 "/etc/pam.d/common-account"
fi

# common-session
if grep -q '<slx-autogen>' "/etc/pam.d/common-session"; then
	cat > "$tmpfile" <<-HERE
		# <slx-autogen> Generated $(date)
		session  required pam_permit.so
		session  optional pam_umask.so
		session  required pam_systemd.so
		session  optional pam_env.so readenv=1
		session  optional pam_env.so readenv=1 envfile=/etc/default/locale
		session  optional pam_exec.so quiet /opt/openslx/pam/mkhome
	HERE
	for line in "${session[@]}"; do
		echo "session  $line"
	done >> "$tmpfile"
	cp -f -- "$tmpfile" "/etc/pam.d/common-session"
	chmod 0644 "/etc/pam.d/common-session"
fi

#
# Write nsswitch.conf
if grep -q '<slx-autogen>' "/etc/nsswitch.conf"; then
	cat > "/etc/nsswitch.conf" <<-HERE
		# <slx-autogen> Generated $(date)
		passwd:         ${nss[@]}
		group:          ${nss[@]}
		shadow:         files

		hosts:          ${dns[@]}
		networks:       files

		protocols:      db files
		services:       db files
		ethers:         db files
		rpc:            db files

		netgroup:       nis
	HERE
	chmod 0644 "/etc/nsswitch.conf"
fi

rm -f -- "$tmpfile"

exit 0
generated by cgit v1.2.3-55-g7522 (git 2.39.0) at 2024-04-29 14:50:25 +0200