authorSimon Rettberg2016-09-05 20:44:02 +0200
committerSimon Rettberg2016-09-05 20:44:02 +0200
commit7300288761fb269dfcef316a8e79a4e48ae77c12 (patch)
tree6e14dcc81901a33a661a7dbfe19678a3211a4df5
parent[vmware] Rely on usb config from server, only do fallback (diff)
[pam-bwidm] Support organization filtering
-rwxr-xr-xremote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm44
1 files changed, 35 insertions, 9 deletions
diff --git a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
index 69a0b657..1ea5a8a8 100755
--- a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
+++ b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
@@ -8,6 +8,15 @@
# fix PATH as PAM clears it
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
+
+# grab the password from stdin asap, since there is no guarantee some tool just reads it
+unset USER_PASSWORD
+if [ "x$PAM_TYPE" == "xauth" ]; then
+ read -r USER_PASSWORD > /dev/null 2>&1
+ readonly USER_PASSWORD
+ [ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
+fi
+
if ! busybox which curl || ! busybox which mktemp; then
echo "'curl/mktemp' missing. This script won't work without it."
exit 1
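Review bot: `read -r USER_PASSWORD` on the moved line still runs with the default IFS, so leading and trailing blanks in the password are stripped before the value is frozen with `readonly`; `IFS= read -r USER_PASSWORD > /dev/null 2>&1` keeps the line exactly as given. This block now also executes before the `exec > "${LOGFILE}" 2>&1` that appears as context in the next hunk, so the "No password given." message no longer goes to the log file but to whatever stdout PAM hands the script — presumably intended, but a comment such as `# runs before the log redirect below, so a failure here is not logged` would make that explicit. The `> /dev/null 2>&1` on `read` only silences a read error, not the value, so it can stay.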
@@ -27,14 +36,16 @@ exec > "${LOGFILE}" 2>&1
# check if we are allowed to run
. /opt/openslx/config
-[ -z "${SLX_BWIDM_AUTH}" -o "x${SLX_BWIDM_AUTH}" != "xyes" ] && echo "bwIDM login disabled in openslx-config." && exit 1
-
-# grab the password from stdin asap, since there is no garantee some tool just reads it
-unset USER_PASSWORD
-if [ "x$PAM_TYPE" == "xauth" ]; then
- read -r USER_PASSWORD > /dev/null 2>&1
- readonly USER_PASSWORD
- [ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
+if [ "x${SLX_BWIDM_AUTH}" = "xyes" ]; then
+ : # Allow everything
+elif [ "x${SLX_BWIDM_AUTH}" = "xselective" ]; then
+ if [ -z "${SLX_BWIDM_ORGS}" ]; then
+ echo "bwIDM selective mode with empty org list - exiting"
+ exit 1
+ fi
+else
+ echo "bwIDM login disabled in openslx-config."
+ exit 1
fi
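Review bot: The three-way test on `SLX_BWIDM_AUTH` introduced here (yes / selective / anything else) is a dispatch on a single string and reads more naturally as a `case` statement than as an `if`/`elif`/`else` chain with an empty `:` branch. The behaviour is unchanged; the rewrite just puts each mode and its handling on adjacent lines and makes the fail-closed default visible as `*)`. The check that `SLX_BWIDM_ORGS` is non-empty in selective mode can stay inside the `selective)` arm.

```shell
. /opt/openslx/config
case "${SLX_BWIDM_AUTH}" in
	yes)
		: # Allow everything
		;;
	selective)
		if [ -z "${SLX_BWIDM_ORGS}" ]; then
			echo "bwIDM selective mode with empty org list - exiting"
			exit 1
		fi
		;;
	*)
		echo "bwIDM login disabled in openslx-config."
		exit 1
		;;
esac
# … unchanged: sanity check on PAM_USER …
```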
# sanity check on PAM_USER: contains '@'?
@@ -50,6 +61,21 @@ readonly USER_ORGANISATION="${PAM_USER#*@}"
[ -z "$USER_ORGANISATION" ] && echo "Could not parse organisation from given login: ${PAM_USER}. Aborting." && exit 1
[ -z "$USER_USERNAME" ] && echo "Could not parse user from given login: ${PAM_USER}. Aborting." && exit 1
+# Check if we're in selective mode and if so, whether the user's organization is whitelisted
+if [ "x${SLX_BWIDM_AUTH}" = "xselective" ]; then
+ FOUND=
+ for org in ${SLX_BWIDM_ORGS}; do
+ if [ "x$org" = "x$USER_ORGANISATION" ]; then
+ FOUND=ya
+ break
+ fi
+ done
+ if [ -z "$FOUND" ]; then
+ echo "bwIDM organization $USER_ORGANISATION not in whitelist, abort"
+ exit 1
+ fi
+fi
+
# The given username is valid. Now we get the list of IdPs from the bwlp masterserver
# and try to find the user's organisation
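Review bot: `for org in ${SLX_BWIDM_ORGS}` relies on word-splitting, which is intended, but the unquoted expansion is also subject to pathname expansion, so a stray `*` or `?` in the configured list would turn into file names from the script's working directory; wrapping the loop in `set -f` before and `set +f` after keeps the list literal. The comparison `[ "x$org" = "x$USER_ORGANISATION" ]` is exact and case-sensitive, which fails closed and is consistent with the equally exact awk lookup of the IdP in the next hunk, but it means a mixed-case entry in the list never matches — worth a note in the comment above the loop, e.g. `# exact, case-sensitive match against the org part of PAM_USER`. `FOUND=ya` would read better as `FOUND=1`.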
@@ -76,7 +102,7 @@ USER_ECP_URL="$(awk -v idp="${USER_ORGANISATION}" -F '=' '{if($1==idp) print $2}
# now create the bwidm group: find the first free GID from 1000 "downwards" to 100
BWIDM_GROUP="$(getent group bwidm)"
if [ -z "$BWIDM_GROUP" ]; then
- BWIDM_GID=1000
+ BWIDM_GID=999
while [ "$BWIDM_GID" -gt 100 ]; do
getent group "$BWIDM_GID" || break
let BWIDM_GID--
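Review bot: The comment two lines above, `# now create the bwidm group: find the first free GID from 1000 "downwards" to 100`, still says 1000 while the search now starts at `BWIDM_GID=999`; change it to `# now create the bwidm group: find the first free GID from 999 "downwards" to 100` and, if that is the reason, add why 1000 is skipped (presumably to stay below the first regular-user GID). The `while` loop that this hunk starts ends outside the hunk.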