author | Simon Rettberg | 2013-07-05 12:02:08 +0200 |
---|---|---|
committer | Simon Rettberg | 2013-07-05 12:02:08 +0200 |
commit | 7c375528887dae948b29d6dad70ed807dd681c85 (patch) | |
tree | ea9879b9e7b3ea4b621a0c97167f20ad74d4fec4 /remote/modules/pam | |
parent | [vmchooser] Create text file in floppy image that tells the guest the host's ... (diff) | |
[pam] Cleanup, formatting, force nscd usage in nsswitch.conf, set timeouts for LDAP lookups
Diffstat (limited to 'remote/modules/pam')
-rw-r--r-- | remote/modules/pam/data/etc/ldap.conf | 3 | ||||
-rw-r--r-- | remote/modules/pam/data/etc/pam.d/common-session | 23 | ||||
-rw-r--r-- | remote/modules/pam/data/etc/pam.d/kdm | 9 | ||||
-rw-r--r-- | remote/modules/pam/data/etc/pam.d/kdm-np | 6 | ||||
-rw-r--r-- | remote/modules/pam/data/etc/pam.d/login | 3 | ||||
-rw-r--r-- | remote/modules/pam/data/etc/systemd/system/activate-nss-ldap.service | 4 |
6 files changed, 27 insertions, 21 deletions
diff --git a/remote/modules/pam/data/etc/ldap.conf b/remote/modules/pam/data/etc/ldap.conf
index 43b1640e..483595d2 100644
--- a/remote/modules/pam/data/etc/ldap.conf
+++ b/remote/modules/pam/data/etc/ldap.conf
@@ -1,5 +1,8 @@
 URI ldaps://bv1.ruf.uni-freiburg.de ldaps://bv2.ruf.uni-freiburg.de ldaps://bv3.ruf.uni-freiburg.de
 BASE ou=people,dc=uni-freiburg,dc=de
+BIND_TIMELIMIT 5
+TIMELIMIT 10
+LOGDIR /tmp/ldap
 TLS_REQCERT allow
 nss_base_passwd ou=people,dc=uni-freiburg,dc=de?one?rufdienst=ldap*)(&(rufclienthome=*)(rufstatus=enabled)
 nss_base_group ou=group,dc=uni-freiburg,dc=de?one
diff --git a/remote/modules/pam/data/etc/pam.d/common-session b/remote/modules/pam/data/etc/pam.d/common-session
index af0e62fb..6182d470 100644
--- a/remote/modules/pam/data/etc/pam.d/common-session
+++ b/remote/modules/pam/data/etc/pam.d/common-session
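Review bot: `LOGDIR /tmp/ldap` points pam_ldap/nss_ldap logging at a directory under world-writable, sticky /tmp, so any local user who creates /tmp/ldap before the unit that runs `mkdir /tmp/ldap` ends up owning the directory that root-privileged PAM and NSS callers then write into (symlink tricks, readable lookup traces). Use a root-owned location created with a restrictive mode, e.g. `LOGDIR /var/log/ldap` paired with `mkdir -m 0700 /var/log/ldap` in the service unit, or leave the directive commented out with a note like `# LOGDIR: debug only, never under /tmp` unless you are actively debugging. The pre-existing `TLS_REQCERT allow` next to the new lines means the three ldaps:// servers are never certificate-checked, which makes the transport little better than plain ldap:// against an on-path attacker; worth a follow-up if the campus CA can be shipped on the image.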
@@ -13,24 +13,25 @@
 # pam-auth-update(8) for details.
 # here are the per-package modules (the "Primary" block)
-session [default=1] pam_permit.so
+session [default=1] pam_permit.so
 # here's the fallback if no module succeeds
-session requisite pam_deny.so
+session requisite pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
 # this avoids us returning an error just because nothing sets a success code
 # since the modules above will each just jump around
-session required pam_permit.so
+session required pam_permit.so
 # The pam_umask module will set the umask according to the system default in
 # /etc/login.defs and user settings, solving the problem of different
 # umask settings with different shells, display managers, remote sessions etc.
 # See "man pam_umask".
-session optional pam_umask.so
+session optional pam_umask.so
 # and here are more per-package modules (the "Additional" block)
-session required pam_systemd.so
-session optional pam_env.so readenv=1
-session optional pam_krb5.so minimum_uid=1000
-session [success=1] pam_unix.so
-session [success=ok] pam_ldap.so
-session sufficient pam_script.so
-session optional pam_mkhomedir.so skel=/etc/skel umask=0022
+session required pam_systemd.so
+session optional pam_env.so readenv=1
+session optional pam_env.so readenv=1 envfile=/etc/default/locale
+session optional pam_krb5.so minimum_uid=1000
+session [success=1] pam_unix.so
+session [success=ok] pam_ldap.so
+session sufficient pam_script.so
+session optional pam_mkhomedir.so skel=/etc/skel umask=0022
 # end of pam-auth-update config
diff --git a/remote/modules/pam/data/etc/pam.d/kdm b/remote/modules/pam/data/etc/pam.d/kdm
index 11b5f1fc..e6a4ec9b 100644
--- a/remote/modules/pam/data/etc/pam.d/kdm
+++ b/remote/modules/pam/data/etc/pam.d/kdm
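Review bot: The added `session optional pam_env.so readenv=1 envfile=/etc/default/locale` duplicates what the kdm and kdm-np auth stacks in this same commit already do, so for those services /etc/default/locale is read twice; harmless, but a one-line comment above it naming which services actually depend on getting the locale from common-session would explain why it lives here. Separately, `session sufficient pam_script.so` returns from the stack as soon as pam_script succeeds, so `pam_mkhomedir.so` below it can only run when pam_script returns something other than success; if every LDAP user is supposed to get a home directory, either move pam_mkhomedir above pam_script or change pam_script to `optional`. This is inferred from the control flags alone, so confirm what pam_script's session hook returns on this image before reordering.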
@@ -4,8 +4,7 @@
 auth required pam_nologin.so
 auth required pam_env.so readenv=1
 auth required pam_env.so readenv=1 envfile=/etc/default/locale
-auth include common-auth
-session required pam_limits.so
-account include common-account
-password include common-password
-session include common-session
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/remote/modules/pam/data/etc/pam.d/kdm-np b/remote/modules/pam/data/etc/pam.d/kdm-np
index 8c1a2a81..dc10e5b5 100644
--- a/remote/modules/pam/data/etc/pam.d/kdm-np
+++ b/remote/modules/pam/data/etc/pam.d/kdm-np
@@ -5,7 +5,7 @@ auth required pam_nologin.so
 auth required pam_env.so readenv=1
 auth required pam_env.so readenv=1 envfile=/etc/default/locale
 session required pam_limits.so
-account include common-account
-password include common-password
-session include common-session
+account include common-account
+password include common-password
+session include common-session
 auth required pam_permit.so
diff --git a/remote/modules/pam/data/etc/pam.d/login b/remote/modules/pam/data/etc/pam.d/login
index 561c71df..1065f351 100644
--- a/remote/modules/pam/data/etc/pam.d/login
+++ b/remote/modules/pam/data/etc/pam.d/login
@@ -40,7 +40,8 @@ auth requisite pam_nologin.so
 # that a module could execute code in the wrong domain.
 # When the module is present, "required" would be sufficient (When SELinux
 # is disabled, this returns success.)
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+# OpenSLX: Not Needed?
+#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 # This module parses environment configuration file(s)
 # and also allows you to use an extended config
diff --git a/remote/modules/pam/data/etc/systemd/system/activate-nss-ldap.service b/remote/modules/pam/data/etc/systemd/system/activate-nss-ldap.service
index 518681b6..bbac775a 100644
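Review bot: `session required pam_limits.so` vanishes from kdm in this hunk while kdm-np keeps it and common-session (rewritten in the same commit) does not include pam_limits, so graphical logins through kdm no longer get /etc/security/limits.conf applied; the commit message only speaks of cleanup and formatting, which suggests the drop is accidental. Restore `session required pam_limits.so` directly above `session include common-session`, or, if removing it is deliberate, say so in the commit message and remove it from kdm-np too so the two display-manager stacks stay consistent.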
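Review bot: The comment `# OpenSLX: Not Needed?` ships an open question into /etc/pam.d/login; the line it disables already degrades gracefully, since `module_unknown=ignore` covers a missing module and the surrounding context notes that it returns success when SELinux is disabled, so commenting out only the `close` call gains nothing. Either put the line back or record the decision, e.g. `# OpenSLX: SELinux is not used on this image; pam_selinux.so close disabled`. If the matching `pam_selinux.so open` entry further down in this file (outside the hunk) is kept active, the session stack becomes asymmetric; treat both entries the same way.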
--- a/remote/modules/pam/data/etc/systemd/system/activate-nss-ldap.service
+++ b/remote/modules/pam/data/etc/systemd/system/activate-nss-ldap.service
@@ -1,8 +1,10 @@
 [Unit]
 Description=Activate NSS-LDAP lookups
+Before=graphical.target
 [Service]
 Type=oneshot
-ExecStart=/opt/openslx/bin/sed -i -e 's/^passwd.*/passwd:\t\tfiles ldap/g;s/^group.*/group:\t\tfiles ldap/g' /etc/nsswitch.conf
+ExecStart=-/opt/openslx/bin/mkdir /tmp/ldap
+ExecStart=/opt/openslx/bin/sed -i -e 's/^passwd:.*$/passwd:\t\tcache files ldap/;s/^group:.*$/group:\t\tcache files ldap/;s/^hosts:.*files/hosts:\t\tcache files/' /etc/nsswitch.conf
 ExecStart=/usr/bin/systemctl restart nscd
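Review bot: `Before=graphical.target` orders this unit only against the target unit itself, not against the display manager that graphical.target pulls in, so kdm can still come up and show a login prompt while nsswitch.conf is being rewritten; order against the consumer instead, e.g. `Before=kdm.service` (or `display-manager.service`) in addition to the target. `ExecStart=-/opt/openslx/bin/mkdir /tmp/ldap` creates the LDAP log directory inside world-writable /tmp with the default umask, and the leading `-` hides the failure when a local user has already created /tmp/ldap, in which case root's lookups quietly log into a user-owned directory; use `mkdir -p -m 0700` on a path under /var or /run and make ldap.conf point there. The `hosts:` rewrite `s/^hosts:.*files/hosts:\t\tcache files/` is greedy and discards every source listed before `files`, so a line like `hosts: dns files` becomes `hosts: cache files` and loses DNS. Whether the new `cache` source does anything depends on a libnss_cache module actually being installed on the image; glibc's nscd is reached through the libc client without any nsswitch entry, so if `cache` is only meant to force nscd it is a no-op that I cannot verify from this diff.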