From f71e5996f427a63b362b426d128b6adbaca5e274 Mon Sep 17 00:00:00 2001 From: Jonathan Bauer Date: Wed, 4 Feb 2015 13:36:37 +0100 Subject: [freiburg] restructuring pam-freiburg module before renaming --- server/modules/pam-freiburg/etc/ldap.conf | 11 ---- server/modules/pam-freiburg/etc/ldap/ldap.conf | 12 ++++- server/modules/pam-freiburg/etc/nsswitch.conf | 4 +- server/modules/pam-freiburg/etc/openldap/ldap.conf | 1 - .../modules/pam-freiburg/etc/pam.d/common-account | 26 ++++++++++ server/modules/pam-freiburg/etc/pam.d/common-auth | 28 ++++++++++ .../modules/pam-freiburg/etc/pam.d/common-session | 37 +++++++++++++ server/modules/pam-freiburg/etc/sssd/sssd.conf | 60 ++++++++++++++++++++++ server/modules/sssd-freiburg/etc/nsswitch.conf | 19 ------- .../modules/sssd-freiburg/etc/pam.d/common-account | 26 ---------- server/modules/sssd-freiburg/etc/pam.d/common-auth | 28 ---------- .../modules/sssd-freiburg/etc/pam.d/common-session | 37 ------------- server/modules/sssd-freiburg/etc/sssd/sssd.conf | 60 ---------------------- 13 files changed, 164 insertions(+), 185 deletions(-) delete mode 100644 server/modules/pam-freiburg/etc/ldap.conf mode change 120000 => 100644 server/modules/pam-freiburg/etc/ldap/ldap.conf delete mode 120000 server/modules/pam-freiburg/etc/openldap/ldap.conf create mode 100644 server/modules/pam-freiburg/etc/pam.d/common-account create mode 100644 server/modules/pam-freiburg/etc/pam.d/common-auth create mode 100644 server/modules/pam-freiburg/etc/pam.d/common-session create mode 100644 server/modules/pam-freiburg/etc/sssd/sssd.conf delete mode 100644 server/modules/sssd-freiburg/etc/nsswitch.conf delete mode 100644 server/modules/sssd-freiburg/etc/pam.d/common-account delete mode 100644 server/modules/sssd-freiburg/etc/pam.d/common-auth delete mode 100644 server/modules/sssd-freiburg/etc/pam.d/common-session delete mode 100644 server/modules/sssd-freiburg/etc/sssd/sssd.conf (limited to 'server/modules') 
diff --git a/server/modules/pam-freiburg/etc/ldap.conf b/server/modules/pam-freiburg/etc/ldap.conf
deleted file mode 100644
index 483595d2..00000000
--- a/server/modules/pam-freiburg/etc/ldap.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-URI ldaps://bv1.ruf.uni-freiburg.de ldaps://bv2.ruf.uni-freiburg.de ldaps://bv3.ruf.uni-freiburg.de
-BASE ou=people,dc=uni-freiburg,dc=de
-BIND_TIMELIMIT 5
-TIMELIMIT 10
-LOGDIR /tmp/ldap
-TLS_REQCERT allow
-nss_base_passwd ou=people,dc=uni-freiburg,dc=de?one?rufdienst=ldap*)(&(rufclienthome=*)(rufstatus=enabled)
-nss_base_group ou=group,dc=uni-freiburg,dc=de?one
-nss_map_attribute homeDirectory rufClientHome
-
-nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,distccd,games,git,gnats,hplip,irc,kdm,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,ntp,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data
diff --git a/server/modules/pam-freiburg/etc/ldap/ldap.conf b/server/modules/pam-freiburg/etc/ldap/ldap.conf
deleted file mode 120000
index 6050948a..00000000
--- a/server/modules/pam-freiburg/etc/ldap/ldap.conf
+++ /dev/null
@@ -1 +0,0 @@
-../ldap.conf
\ No newline at end of file
diff --git a/server/modules/pam-freiburg/etc/ldap/ldap.conf b/server/modules/pam-freiburg/etc/ldap/ldap.conf
new file mode 100644
index 00000000..3e7dad17
--- /dev/null
+++ b/server/modules/pam-freiburg/etc/ldap/ldap.conf
@@ -0,0 +1,11 @@
+URI ldaps://ldap.ruf.uni-freiburg.de ldaps://bv1.ruf.uni-freiburg.de ldaps://bv2.ruf.uni-freiburg.de ldaps://bv3.ruf.uni-freiburg.de
+BASE ou=people,dc=uni-freiburg,dc=de
+BIND_TIMELIMIT 5
+TIMELIMIT 10
+LOGDIR /tmp/ldap
+TLS_REQCERT allow
+nss_base_passwd ou=people,dc=uni-freiburg,dc=de?one?rufdienst=ldap*)(&(rufclienthome=*)(rufstatus=enabled)
+nss_base_group ou=group,dc=uni-freiburg,dc=de?one
+nss_map_attribute homeDirectory rufClientHome
+
+nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,distccd,games,git,gnats,hplip,irc,kdm,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,ntp,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data
diff --git a/server/modules/pam-freiburg/etc/nsswitch.conf b/server/modules/pam-freiburg/etc/nsswitch.conf
index 85c1719a..94e5c180 100644
--- a/server/modules/pam-freiburg/etc/nsswitch.conf
+++ b/server/modules/pam-freiburg/etc/nsswitch.conf
@@ -4,8 +4,8 @@
 # If you have the `glibc-doc-reference' and `info' packages installed, try:
 # `info libc "Name Service Switch"' for information about this file.
 
-passwd: cache compat ldap
-group: cache compat ldap
+passwd: cache compat sss
+group: cache compat sss
 shadow: compat
 
 hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
diff --git a/server/modules/pam-freiburg/etc/openldap/ldap.conf b/server/modules/pam-freiburg/etc/openldap/ldap.conf
deleted file mode 120000
index c0aaf459..00000000
--- a/server/modules/pam-freiburg/etc/openldap/ldap.conf
+++ /dev/null
@@ -1 +0,0 @@
-/etc/ldap.conf
\ No newline at end of file
diff --git a/server/modules/pam-freiburg/etc/pam.d/common-account b/server/modules/pam-freiburg/etc/pam.d/common-account
new file mode 100644
index 00000000..179158f7
--- /dev/null
+++ b/server/modules/pam-freiburg/etc/pam.d/common-account
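Review bot: `TLS_REQCERT allow` in the new etc/ldap/ldap.conf makes the ldaps:// sessions proceed even when the server presents no certificate or an unverifiable one, so the TLS wrapper only stops passive capture and a host that can redirect the connection can read the bind credentials; `TLS_REQCERT demand` together with a `TLS_CACERT <path to the CA that issued the ruf.uni-freiburg.de certificates>` line restores verification. `LOGDIR /tmp/ldap` also points nss_ldap debug output at the world-writable /tmp, where a root-owned directory under /var/log would be the safer choice if the logging is still wanted. Since nsswitch.conf in this same commit moves passwd/group to `sss`, the `nss_*` directives here appear to be dead configuration; a one-line header comment naming which consumer still reads this file would make that clear for the rename that follows.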
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
+account [success=1 new_authtok_reqd=done default=ignore] pam_sss.so use_first_pass
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/server/modules/pam-freiburg/etc/pam.d/common-auth b/server/modules/pam-freiburg/etc/pam.d/common-auth
new file mode 100644
index 00000000..e04c5c74
--- /dev/null
+++ b/server/modules/pam-freiburg/etc/pam.d/common-auth
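Review bot: `use_first_pass` on the `account ... pam_sss.so` line is an authentication-phase option; the account phase neither prompts for nor consumes a password, so the option appears to have no effect here and the line reads more honestly as `account [success=1 new_authtok_reqd=done default=ignore] pam_sss.so`. The blob is identical to the sssd-freiburg copy removed later in this commit, so this concerns the content being moved rather than anything the commit changes.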
@@ -0,0 +1,28 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=ok default=ignore] pam_krb5.so minimum_uid=1000
+auth [success=2 default=ignore] pam_unix.so try_first_pass
+auth [success=1 default=ignore] pam_sss.so use_first_pass
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+auth optional pam_script.so expose=1
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/server/modules/pam-freiburg/etc/pam.d/common-session b/server/modules/pam-freiburg/etc/pam.d/common-session
new file mode 100644
index 00000000..be55be0d
--- /dev/null
+++ b/server/modules/pam-freiburg/etc/pam.d/common-session
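Review bot: `auth optional pam_script.so expose=1` hands the user's cleartext password to the pam_script hooks (pam_script documents `expose=1` as exporting the authentication token to the scripts' environment), and nothing in the file says which script consumes it or why it needs the secret; a comment such as `# expose=1: pam_script_auth needs the cleartext password for <purpose>` directly above the line would record the deliberate exposure, and if no script actually uses it the option should be dropped. Separately, pam_krb5 is stacked with `success=ok`, so a Kerberos success on its own never satisfies this stack — pam_unix or pam_sss must still succeed before `pam_deny` is reached; if the intent is ticket acquisition only, a one-line comment saying so would spare the next reader the control-flow trace.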
@@ -0,0 +1,37 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_systemd.so
+session optional pam_env.so readenv=1
+session optional pam_env.so readenv=1 envfile=/etc/default/locale
+session optional pam_krb5.so minimum_uid=1000
+session [success=1] pam_unix.so
+session [success=ok] pam_sss.so
+session sufficient pam_script.so
+session optional pam_mkhomedir.so skel=/etc/skel umask=0022
+# end of pam-auth-update config
diff --git a/server/modules/pam-freiburg/etc/sssd/sssd.conf b/server/modules/pam-freiburg/etc/sssd/sssd.conf
new file mode 100644
index 00000000..7b3d7b51
--- /dev/null
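Review bot: `session sufficient pam_script.so` sits immediately before `session optional pam_mkhomedir.so`, and `sufficient` returns from the stack as soon as the module succeeds, so whenever the pam_script session hook reports success pam_mkhomedir is never reached and a first-login user gets no home directory unless the script creates it itself. If the script is not meant to replace pam_mkhomedir, `session optional pam_script.so` keeps both running. The `umask=0022` on pam_mkhomedir also creates homes that every local user can read and traverse; `umask=0077` is the usual setting on shared machines unless the site relies on world-readable homes, in which case a comment stating that would help.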
+++ b/server/modules/pam-freiburg/etc/sssd/sssd.conf 
@@ -0,0 +1,60 @@
+[sssd]
+config_file_version = 2
+services = nss, pam
+#debug_level = 0xffff
+# SSSD will not start if you do not configure any domains.
+# Add new domain configurations as [domain/] sections, and
+# then add the list of domains (in the order you want them to be
+# queried) to the "domains" attribute below and uncomment it.
+domains = LDAP
+
+[nss]
+filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
+
+[pam]
+
+# Example LDAP domain
+[domain/LDAP]
+id_provider = ldap
+auth_provider = ldap
+ldap_tls_reqcert = never
+# ldap_schema can be set to "rfc2307", which stores group member names in the
+# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
+# the "member" attribute. If you do not know this value, ask your LDAP
+# administrator.
+ldap_schema = rfc2307bis
+ldap_uri = ldaps://ldap.ruf.uni-freiburg.de
+ldap_backup_uri = ldaps://bv1.ruf.uni-freiburg.de,ldaps://bv2.ruf.uni-freiburg.de,ldaps://bv3.ruf.uni-freiburg.de
+ldap_group_search_base = ou=group,dc=uni-freiburg,dc=de
+ldap_user_search_base = ou=people,dc=uni-freiburg,dc=de
+ldap_user_home_directory = rufClientHome
+ldap_search_base = ou=people,dc=uni-freiburg,dc=de
+# Note that enabling enumeration will have a moderate performance impact.
+# Consequently, the default value for enumeration is FALSE.
+# Refer to the sssd.conf man page for full details.
+; enumerate = false
+# Allow offline logins by locally storing password hashes (default: false).
+cache_credentials = true
+
+# An example Active Directory domain. Please note that this configuration
+# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
+# compliant attribute names. To support UNIX clients with AD 2003 or older,
+# you must install Microsoft Services For Unix and map LDAP attributes onto
+# msSFU30* attribute names.
+;[domain/AD]
+;id_provider = ldap
+;auth_provider = krb5
+;chpass_provider = krb5
+
+;ldap_uri = ldaps://bv1.ruf.uni-freiburg.de ldaps://bv2.ruf.uni-freiburg.de ldaps://bv3.ruf.uni-freiburg.de
+;ldap_search_base = ou=people,dc=uni-freiburg,dc=de
+;ldap_schema = rfc2307bis
+;ldap_sasl_mech = GSSAPI
+;ldap_user_object_class = user
+;ldap_group_object_class = group
+;ldap_user_principal = userPrincipalName
+;ldap_account_expire_policy = ad
+;ldap_force_upper_case_realm = true
+;
+; krb5_server = your.ad.example.com
+; krb5_realm = EXAMPLE.COM
diff --git a/server/modules/sssd-freiburg/etc/nsswitch.conf b/server/modules/sssd-freiburg/etc/nsswitch.conf
deleted file mode 100644
index 94e5c180..00000000
--- a/server/modules/sssd-freiburg/etc/nsswitch.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/nsswitch.conf
-#
-# Example configuration of GNU Name Service Switch functionality.
-# If you have the `glibc-doc-reference' and `info' packages installed, try:
-# `info libc "Name Service Switch"' for information about this file.
-
-passwd: cache compat sss
-group: cache compat sss
-shadow: compat
-
-hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks: files
-
-protocols: db files
-services: db files
-ethers: db files
-rpc: db files
-
-netgroup: nis
diff --git a/server/modules/sssd-freiburg/etc/pam.d/common-account b/server/modules/sssd-freiburg/etc/pam.d/common-account
deleted file mode 100644
index 179158f7..00000000
--- a/server/modules/sssd-freiburg/etc/pam.d/common-account
+++ /dev/null
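Review bot: `ldap_tls_reqcert = never` in `[domain/LDAP]` disables server-certificate checking on the very ldaps:// sessions that `auth_provider = ldap` uses to bind with the user's password, so anyone who can interpose on the path to ldap.ruf.uni-freiburg.de or the bv* backups can collect passwords despite the TLS wrapper; `ldap_tls_reqcert = demand` plus `ldap_tls_cacert = <path to the site CA bundle>` is the fix, and `never` should at most be a commented, temporary exception. The nss_ldap setup this module supersedes limited the passwd map to entries matching rufdienst=ldap*, rufclienthome=* and rufstatus=enabled, whereas this domain has an unfiltered `ldap_user_search_base` and no `access_provider`, so unless the directory enforces that server-side, accounts that were previously excluded now resolve and can log in; the filter can be carried over as `ldap_user_search_base = ou=people,dc=uni-freiburg,dc=de?onelevel?(&(rufdienst=ldap*)(rufclienthome=*)(rufstatus=enabled))` or enforced via `access_provider = ldap` with `ldap_access_filter`. sssd also refuses to start unless sssd.conf is root-owned with mode 0600, and the file is committed as 100644 — presumably the module deployment sets ownership and mode, but that is not visible here.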
@@ -1,26 +0,0 @@
-#
-# /etc/pam.d/common-account - authorization settings common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of the authorization modules that define
-# the central access policy for use on the system. The default is to
-# only deny service to users whose accounts are expired in /etc/shadow.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-#
-
-# here are the per-package modules (the "Primary" block)
-account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
-account [success=1 new_authtok_reqd=done default=ignore] pam_sss.so use_first_pass
-# here's the fallback if no module succeeds
-account requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-account required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
diff --git a/server/modules/sssd-freiburg/etc/pam.d/common-auth b/server/modules/sssd-freiburg/etc/pam.d/common-auth
deleted file mode 100644
index e04c5c74..00000000
--- a/server/modules/sssd-freiburg/etc/pam.d/common-auth
+++ /dev/null
@@ -1,28 +0,0 @@
-#
-# /etc/pam.d/common-auth - authentication settings common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of the authentication modules that define
-# the central authentication scheme for use on the system
-# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
-# traditional Unix authentication mechanisms.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-auth [success=ok default=ignore] pam_krb5.so minimum_uid=1000
-auth [success=2 default=ignore] pam_unix.so try_first_pass
-auth [success=1 default=ignore] pam_sss.so use_first_pass
-# here's the fallback if no module succeeds
-auth requisite pam_deny.so
-auth optional pam_script.so expose=1
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-auth required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
diff --git a/server/modules/sssd-freiburg/etc/pam.d/common-session b/server/modules/sssd-freiburg/etc/pam.d/common-session
deleted file mode 100644
index be55be0d..00000000
--- a/server/modules/sssd-freiburg/etc/pam.d/common-session
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# /etc/pam.d/common-session - session-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of sessions of *any* kind (both interactive and
-# non-interactive).
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session [default=1] pam_permit.so
-# here's the fallback if no module succeeds
-session requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session required pam_permit.so
-# The pam_umask module will set the umask according to the system default in
-# /etc/login.defs and user settings, solving the problem of different
-# umask settings with different shells, display managers, remote sessions etc.
-# See "man pam_umask".
-session optional pam_umask.so
-# and here are more per-package modules (the "Additional" block)
-session required pam_systemd.so
-session optional pam_env.so readenv=1
-session optional pam_env.so readenv=1 envfile=/etc/default/locale
-session optional pam_krb5.so minimum_uid=1000
-session [success=1] pam_unix.so
-session [success=ok] pam_sss.so
-session sufficient pam_script.so
-session optional pam_mkhomedir.so skel=/etc/skel umask=0022
-# end of pam-auth-update config
diff --git a/server/modules/sssd-freiburg/etc/sssd/sssd.conf b/server/modules/sssd-freiburg/etc/sssd/sssd.conf
deleted file mode 100644
index 7b3d7b51..00000000
--- a/server/modules/sssd-freiburg/etc/sssd/sssd.conf
+++ /dev/null
@@ -1,60 +0,0 @@
-[sssd]
-config_file_version = 2
-services = nss, pam
-#debug_level = 0xffff
-# SSSD will not start if you do not configure any domains.
-# Add new domain configurations as [domain/] sections, and
-# then add the list of domains (in the order you want them to be
-# queried) to the "domains" attribute below and uncomment it.
-domains = LDAP
-
-[nss]
-filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
-
-[pam]
-
-# Example LDAP domain
-[domain/LDAP]
-id_provider = ldap
-auth_provider = ldap
-ldap_tls_reqcert = never
-# ldap_schema can be set to "rfc2307", which stores group member names in the
-# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
-# the "member" attribute. If you do not know this value, ask your LDAP
-# administrator.
-ldap_schema = rfc2307bis
-ldap_uri = ldaps://ldap.ruf.uni-freiburg.de
-ldap_backup_uri = ldaps://bv1.ruf.uni-freiburg.de,ldaps://bv2.ruf.uni-freiburg.de,ldaps://bv3.ruf.uni-freiburg.de
-ldap_group_search_base = ou=group,dc=uni-freiburg,dc=de
-ldap_user_search_base = ou=people,dc=uni-freiburg,dc=de
-ldap_user_home_directory = rufClientHome
-ldap_search_base = ou=people,dc=uni-freiburg,dc=de
-# Note that enabling enumeration will have a moderate performance impact.
-# Consequently, the default value for enumeration is FALSE.
-# Refer to the sssd.conf man page for full details.
-; enumerate = false
-# Allow offline logins by locally storing password hashes (default: false).
-cache_credentials = true
-
-# An example Active Directory domain. Please note that this configuration
-# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
-# compliant attribute names. To support UNIX clients with AD 2003 or older,
-# you must install Microsoft Services For Unix and map LDAP attributes onto
-# msSFU30* attribute names.
-;[domain/AD]
-;id_provider = ldap
-;auth_provider = krb5
-;chpass_provider = krb5
-
-;ldap_uri = ldaps://bv1.ruf.uni-freiburg.de ldaps://bv2.ruf.uni-freiburg.de ldaps://bv3.ruf.uni-freiburg.de
-;ldap_search_base = ou=people,dc=uni-freiburg,dc=de
-;ldap_schema = rfc2307bis
-;ldap_sasl_mech = GSSAPI
-;ldap_user_object_class = user
-;ldap_group_object_class = group
-;ldap_user_principal = userPrincipalName
-;ldap_account_expire_policy = ad
-;ldap_force_upper_case_realm = true
-;
-; krb5_server = your.ad.example.com
-; krb5_realm = EXAMPLE.COM
-- 
cgit v1.2.3-55-g7522