[CreateLdapConfig] Adapt to new config format

references #3313

10 files changed, 45 insertions, 313 deletions

diff --git a/data/ad/common-account b/data/ad/common-account
deleted file mode 100644
index 341a340..0000000
--- a/data/ad/common-account
+++ /dev/null
@@ -1,10 +0,0 @@
-account	[success=3 new_authtok_reqd=done default=ignore]	pam_unix.so
-account	[success=2 new_authtok_reqd=done default=ignore]	pam_exec.so quiet /opt/openslx/scripts/pam_bwidm
-account	[success=1 default=ignore]	pam_sss.so
-# here's the fallback if no module succeeds
-account	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-account	required			pam_permit.so
-
diff --git a/data/ad/common-auth b/data/ad/common-auth
deleted file mode 100644
index f7e97a5..0000000
--- a/data/ad/common-auth
+++ /dev/null
@@ -1,14 +0,0 @@
-auth	[success=4 default=ignore]	pam_unix.so nodelay
-auth	[success=3 default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/scripts/pam_bwidm
-auth	[success=2 default=ignore]	pam_sss.so use_first_pass
-# here's the fallback if no module succeeds
-auth  optional          pam_faildelay.so delay=2123123
-auth	requisite			pam_deny.so
-auth	optional			pam_script.so expose=1
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-auth	required			pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-auth	optional			pam_cap.so
-
diff --git a/data/ad/common-password b/data/ad/common-password
deleted file mode 100644
index 9362eac..0000000
--- a/data/ad/common-password
+++ /dev/null
@@ -1,9 +0,0 @@
-password	[success=1 default=ignore]	pam_unix.so obscure sha512
-# here's the fallback if no module succeeds
-password	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-password	required			pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-
diff --git a/data/ad/common-session b/data/ad/common-session
deleted file mode 100644
index f5651a9..0000000
--- a/data/ad/common-session
+++ /dev/null
@@ -1,20 +0,0 @@
-session	[default=1]			pam_permit.so
-# here's the fallback if no module succeeds
-session	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session	required			pam_permit.so
-# The pam_umask module will set the umask according to the system default in
-# /etc/login.defs and user settings, solving the problem of different
-# umask settings with different shells, display managers, remote sessions etc.
-# See "man pam_umask".
-session optional			pam_umask.so
-session required       pam_systemd.so
-session optional        pam_env.so readenv=1
-session optional        pam_env.so readenv=1 envfile=/etc/default/locale
-# and here are more per-package modules (the "Additional" block)
-session	[success=1]    pam_unix.so
-session	[success=ok]   pam_sss.so
-session sufficient      pam_script.so
-
diff --git a/data/ad/common-session-noninteractive b/data/ad/common-session-noninteractive
deleted file mode 100644
index 36b573c..0000000
--- a/data/ad/common-session-noninteractive
+++ /dev/null
@@ -1,16 +0,0 @@
-session	[default=1]			pam_permit.so
-# here's the fallback if no module succeeds
-session	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session	required			pam_permit.so
-# The pam_umask module will set the umask according to the system default in
-# /etc/login.defs and user settings, solving the problem of different
-# umask settings with different shells, display managers, remote sessions etc.
-# See "man pam_umask".
-session optional			pam_umask.so
-# and here are more per-package modules (the "Additional" block)
-session	sufficient       pam_unix.so
-session	sufficient       pam_sss.so
-
diff --git a/data/ad/ldap.conf.template b/data/ad/ldap.conf.template
deleted file mode 100644
index c607405..0000000
--- a/data/ad/ldap.conf.template
+++ /dev/null
@@ -1,9 +0,0 @@
-URI                  %URI%
-BASE                 %SEARCHBASE%
-BIND_TIMELIMIT       10
-TIMELIMIT            30
-TLS_REQCERT          demand
-TLS_CACERT           %CACERT%
-nss_base_passwd      %SEARCHBASE%
-nss_base_group       %SEARCHBASE%
-nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data
diff --git a/data/ad/mountscript b/data/ad/mountscript
deleted file mode 100644
index 810eed6..0000000
--- a/data/ad/mountscript
+++ /dev/null
@@ -1,131 +0,0 @@
-###################################################################
-#
-#       This script is a part of the pam_script_ses_open script
-#       and is not stand-alone!
-#
-
-VOLUME=
-SEARCH=
-RESULT=
-REAL_ACCOUNT=
-WAIT=
-TMPDEL=
-LOGFILES=
-if ! grep -q "^${PAM_USER}:" "/etc/passwd"; then
-	if which gawk &>/dev/null; then
-		un64() {
-			gawk 'BEGIN{FS=":: "}{c="base64 -d";if(/^\w+:: /) {print $2 |& c; close(c,"to"); c |& getline $2; close(c); printf("%s: %s\n", $1, $2); next} print $0 }'
-		}
-	else
-		un64() {
-			cat
-		}
-	fi
-	# determine fileserver and share for home directories
-	SEARCH=$(mktemp)
-	TMPDEL="$TMPDEL $SEARCH"
-	ldapsearch -l 3 -o nettimeout=3 -o ldif-wrap=no -x -LLL uid="${PAM_USER}" dn distinguishedName homeMount realAccount > "${SEARCH}" 2>&1
-	BINDDN=$(cat "${SEARCH}" | grep -E '^(dn|distinguishedName):' | un64 | head -n 1 | cut -d ' ' -f 2-)
-	if [ -z "$BINDDN" ]; then
-		slxlog "pam-ad-ldapquery" "Could not query DN of user ${PAM_USER}. No home directory available" "${SEARCH}"
-		WAIT=1
-	else
-		RESULT=$(mktemp)
-		TMPDEL="$TMPDEL $RESULT"
-		PW="/tmp/pw.${RANDOM}.${RANDOM}.${PAM_USER}.${RANDOM}"
-		mkfifo -m 0600 "${PW}" || slxlog "pam-ad-fifo" "Could not create FIFO at ${PW}"
-		(
-			echo -n "${PAM_AUTHTOK}" > "${PW}"
-		) &
-		if ! ldapsearch -y "${PW}" -D "$BINDDN" -l 5 -o nettimeout=5 -o ldif-wrap=no -x -LLL uid="${PAM_USER}" homeMount realAccount > "${RESULT}" 2>&1; then
-			slxlog "pam-ad-ldapquery" "Could not query LDAP-AD-Proxy for parameters of user '${PAM_USER}' (${BINDDN})." "${RESULT}"
-			WAIT=1
-		fi
-		rm -f -- "${PW}"
-		VOLUME=$(cat "${RESULT}" | grep '^homeMount:' | head -n 1 | cut -d ' ' -f 2-)
-		[ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT=$(cat "${RESULT}" | grep '^realAccount:' | head -n 1 | cut -d ' ' -f 2-)
-	fi
-	[ -z "$VOLUME" ] && VOLUME=$(cat "${SEARCH}" | grep '^homeMount:' | head -n 1 | cut -d ' ' -f 2-)
-	[ -z "$VOLUME" ] && slxlog "pam-ad-ldapvolume" "AD/Proxy did not provide 'homeMount'. Aborting mount for ${PAM_USER}." "${RESULT}"
-	[ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT=$(cat "${SEARCH}" | grep '^realAccount:' | head -n 1 | cut -d ' ' -f 2-)
-	[ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT="${PAM_USER}"
-fi
-
-if [ -n "${VOLUME}" ]; then
-	isHomeMounted() {
-		grep -Fuq " ${PERSISTENT_HOME_DIR} " /proc/mounts
-	}
-	# Most servers can work without, but some don't
-	XDOMAIN=
-	if [ -s "/opt/openslx/inc/shares" ]; then
-		. /opt/openslx/inc/shares
-		XDOMAIN="${SHARE_DOMAIN}"
-	fi
-	if [ -z "$XDOMAIN" ]; then
-		XDOMAIN=$(<"/etc/ldap.conf" grep -m1 -i '^BASE\s.*DC=' | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-)
-	fi
-	if [ -z "$XDOMAIN" ]; then
-		XDOMAIN=$(<"/etc/sssd/sssd.conf" grep -m1 -i '^ldap_search_base\s*=.*DC=' | grep -o -E -i 'DC=[^,;]+' | head -n 1 | cut -c 4-)
-	fi
-	if [ "x$XDOMAIN" = "x#" ]; then
-		XDOMAIN=
-	fi
-	# Remember for hooks in pam_script_auth.d
-	export PERSISTENT_NETPATH=$(echo "$VOLUME" | tr '/' '\')
-
-	export USER="${REAL_ACCOUNT}"
-	export PASSWD="${PAM_AUTHTOK}"
-
-	# We try 7 different mount option combinations; launch them in 1 second steps until one of them succeeds
-	CNT=0
-	PIDS=
-	for opt in "vers=3.0,sec=ntlmssp" "vers=2.1,sec=ntlmssp" "vers=1.0,sec=ntlm" "vers=3.0,sec=ntlmv2" "vers=1.0,sec=ntlmv2" "vers=3.0,sec=ntlm" "vers=2.0,sec=ntlmssp"; do
-		# Also we try with and without explicit domain argument
-		for dom in "#" $XDOMAIN; do # No quotes
-			[ "x$dom" != "x#" ] && opt="${opt},domain=$dom"
-			CNT=$(( CNT + 1 ))
-			FILE=$(mktemp)
-			LOGFILES="$LOGFILES $FILE"
-			MOUNT_OPTS="-v -t cifs -o uid=${USER_UID},gid=${USER_GID},forceuid,forcegid,${opt},nounix,file_mode=0700,dir_mode=0700,noacl,nobrl"
-			echo " ****** Trying '$opt'" > "$FILE"
-			mount ${MOUNT_OPTS} "${VOLUME}" "${PERSISTENT_HOME_DIR}" >> "${FILE}" 2>&1 &
-			PID=$!
-			# Wait max. 1 second; remember PID if this mount call seems to be running after we stop waiting
-			for waits in 1 2 3 4; do
-				usleep 250000
-				if isHomeMounted; then
-					# A previously invoked mount call might have succeeded while this one is still running; try to stop it right away
-					kill "$PID" &> /dev/null
-					break 3
-				fi
-				kill -0 "$PID" || break
-			done
-			kill -0 "$PID" && PIDS="$PIDS $PID" # Remember all PIDs
-		done
-	done
-
-	if [ -n "$PIDS" ]; then
-		CNT=0
-		while ! isHomeMounted && [ "$CNT" -lt 10 ] && kill -0 $PIDS; do # No quotes
-			usleep 333000
-			CNT=$(( CNT + 1 ))
-		done
-		kill -9 $PIDS # Kill any leftovers; No quotes
-	fi
-
-	if ! isHomeMounted; then
-		LOG_COMBINED=$(mktemp)
-		[ -n "$LOGFILES" ] && cat ${LOGFILES} > "$LOG_COMBINED" # No quotes
-		slxlog --delete "pam-ad-mount" "Mount of '${VOLUME}' to '${PERSISTENT_HOME_DIR}' failed." "${LOG_COMBINED}"
-	else
-		PERSISTENT_OK=yes
-		#chmod -R u+rwX "${PERSISTENT_HOME_DIR}" 2>/dev/null TODO: Still needed? Use '&' maybe?
-	fi
-
-	unset USER
-	unset PASSWD
-fi
-
-[ -n "${TMPDEL}${LOGFILES}" ] && rm -f -- ${TMPDEL} ${LOGFILES} # No quotes
-true
-
diff --git a/data/ad/nsswitch.conf b/data/ad/nsswitch.conf
deleted file mode 100644
index 75ea9f8..0000000
--- a/data/ad/nsswitch.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-passwd:         compat sss
-group:          compat sss
-shadow:         compat
-
-hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks:       files
-
-protocols:      db files
-services:       db files
-ethers:         db files
-rpc:            db files
-
-netgroup:       nis
-
diff --git a/data/ad/sssd.conf.template b/data/ad/sssd.conf.template
deleted file mode 100644
index ce87799..0000000
--- a/data/ad/sssd.conf.template
+++ /dev/null
@@ -1,20 +0,0 @@
-[sssd]
-config_file_version = 2
-services = nss, pam
-domains = LDAP
-[nss]
-filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
-[pam]
-[domain/LDAP]
-filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
-id_provider = ldap
-auth_provider = ldap
-ldap_tls_reqcert = demand
-ldap_tls_cacert = %CACERT%
-ldap_schema = rfc2307
-ldap_uri = %URI%
-ldap_search_base = %SEARCHBASE%
-ldap_user_email = bogusFieldName42
-ldap_user_principal = bogusFieldName43
-cache_credentials = true
-
diff --git a/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java b/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java
index 35cbe31..a790ecb 100644
--- a/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java
+++ b/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java
@@ -18,7 +18,6 @@ import org.openslx.satserver.util.Constants;
 import org.openslx.satserver.util.Exec;
 import org.openslx.satserver.util.Exec.ExecCallback;
 import org.openslx.satserver.util.LdapMapping;
-import org.openslx.satserver.util.Template;
 import org.openslx.satserver.util.Util;
 import org.openslx.taskmanager.api.AbstractTask;
 
@@ -63,6 +62,8 @@ public class CreateLdapConfig extends AbstractTask
 	private String fixnumeric = null;
 	@Expose
 	private LdapMapping mapping;
+	@Expose
+	private String ldapAttrMountOpts;
 
 	// Share mode stuff
 	@Expose
@@ -86,6 +87,8 @@ public class CreateLdapConfig extends AbstractTask
 	@Expose
 	private String shareDomain;
 	@Expose
+	private String shareHomeMountOpts;
+	@Expose
 	private int credentialPassthrough;
 
 	private Output status = new Output();
@@ -143,13 +146,13 @@ public class CreateLdapConfig extends AbstractTask
 	protected boolean execute()
 	{
 		TarArchiveOutputStream outArchive = null;
-		File keyFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".key.pem" );
-		File certFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".crt.pem" );
-		File caFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".ca-bundle.pem" );
-		String uri = "ldaps://" + this.proxyip + ":" + this.proxyport + "/";
-		String cacertPath = "/etc/ldap-proxy.pem";
-		String caPath = "";
+		final File keyFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".key.pem" );
+		final File certFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".crt.pem" );
+		final File caFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".ca-bundle.pem" );
+		final String uri = "ldaps://" + this.proxyip + ":" + this.proxyport + "/";
+		final String clientCacertPath = "/etc/ldap/proxy-" + this.moduleid + ".pem";
 		final String subject = "/C=DE/ST=Nowhere/L=Springfield/O=Dis/CN=" + this.proxyip;
+		String caPath = "";
 		try {
 			// If cert already exists, check if the subject (most importantly the CN) matches the desired one
 			if ( certFile.exists() ) {
@@ -239,44 +242,29 @@ public class CreateLdapConfig extends AbstractTask
 					certFile,
 					keyFile );
 			// Generic ldap config
-			final Template ldapConf = new Template( "./data/ad/ldap.conf.template" );
-			ldapConf.replace( "%URI%", uri );
-			ldapConf.replace( "%SEARCHBASE%", this.searchbase );
-			ldapConf.replace( "%CACERT%", cacertPath );
-			// sssd config
-			final Template sssdConf = new Template( "./data/ad/sssd.conf.template" );
-			sssdConf.replace( "%URI%", uri );
-			sssdConf.replace( "%SEARCHBASE%", this.searchbase );
-			sssdConf.replace( "%CACERT%", cacertPath );
+			StringBuilder ldapConf = new StringBuilder();
+			addConfLine( ldapConf, "LDAP_URI", uri );
+			addConfLine( ldapConf, "LDAP_BASE", this.searchbase );
+			addConfLine( ldapConf, "LDAP_CACERT", clientCacertPath );
+			addConfLine( ldapConf, "LDAP_ATTR_MOUNT_OPTS", this.ldapAttrMountOpts );
 			// Sharemode config
-			String shareConf = String.format(
-					"SHARE_REMAP_MODE=%d\n"
-							+ "SHARE_CREATE_MISSING_REMAP=%d\n"
-							+ "SHARE_HOME_DRIVE='%s'\n"
-							+ "SHARE_DOCUMENTS=%d\n"
-							+ "SHARE_DOWNLOADS=%d\n"
-							+ "SHARE_DESKTOP=%d\n"
-							+ "SHARE_MEDIA=%d\n"
-							+ "SHARE_OTHER=%d\n"
-							+ "SHARE_DOMAIN='%s'\n"
-							+ "SHARE_CREDENTIAL_PASSTHROUGH=%d\n",
-					this.shareRemapMode,
-					this.shareRemapCreate,
-					escapeBashString( this.shareHomeDrive ),
-					this.shareDocuments,
-					this.shareDownloads,
-					this.shareDesktop,
-					this.shareMedia,
-					this.shareOther,
-					escapeBashString( this.shareDomain ),
-					this.credentialPassthrough
-					);
+			addConfLine( ldapConf, "SHARE_HOME_MOUNT_OPTS", this.shareHomeMountOpts );
+			addConfLine( ldapConf, "SHARE_REMAP_MODE", this.shareRemapMode );
+			addConfLine( ldapConf, "SHARE_CREATE_MISSING_REMAP", this.shareRemapCreate );
+			addConfLine( ldapConf, "SHARE_HOME_DRIVE", this.shareHomeDrive );
+			addConfLine( ldapConf, "SHARE_DOCUMENTS", this.shareDocuments );
+			addConfLine( ldapConf, "SHARE_DOWNLOADS", this.shareDownloads );
+			addConfLine( ldapConf, "SHARE_DESKTOP", this.shareDesktop );
+			addConfLine( ldapConf, "SHARE_MEDIA", this.shareMedia );
+			addConfLine( ldapConf, "SHARE_OTHER", this.shareOther );
+			addConfLine( ldapConf, "SHARE_DOMAIN", this.shareDomain );
+			addConfLine( ldapConf, "SHARE_CREDENTIAL_PASSTHROUGH", this.credentialPassthrough );
 			if ( this.shares != null && !this.shares.isEmpty() ) {
 				int i = 0;
 				for ( Share s : this.shares ) {
-					shareConf += String.format( "SHARE_LINE_%d='%s\t%s\t%s\t%s\t%s'\n",
-							++i, escapeBashString( s.share ), escapeBashString( s.letter ), escapeBashString( s.shortcut ),
-							escapeBashString( s.user ), escapeBashString( s.pass ) );
+					++i;
+					addConfLine( ldapConf, "SHARE_LINE_" + i,
+							String.format( "%s\t%s\t%s\t%s\t%s", s.share, s.letter, s.shortcut, s.user, s.pass ) );
 				}
 			}
 			// Build tar/config
@@ -305,46 +293,33 @@ public class CreateLdapConfig extends AbstractTask
 				return false;
 			}
 			// The cert we just created
-			if ( !Archive.tarAddFile( outArchive, cacertPath, certFile, 0644 ) ) {
+			if ( !Archive.tarAddFile( outArchive, clientCacertPath, certFile, 0644 ) ) {
 				status.error = "Could not add ldap-proxy.pem to module";
 				return false;
 			}
-			// nsswitch.conf with ldap enabled
-			if ( !Archive.tarAddFile( outArchive, "/etc/nsswitch.conf", new File( "./data/ad/nsswitch.conf" ), 0644 ) ) {
-				status.error = "Could not add nsswitch.conf to module";
-				return false;
-			}
-			// All the pam.d common-XXXX files
-			for ( String file : new String[] { "common-auth", "common-account", "common-session", "common-session-noninteractive",
-					"common-password" } ) {
-				if ( !Archive.tarAddFile( outArchive, "/etc/pam.d/" + file, new File( "./data/ad/" + file ), 0644 ) ) {
-					status.error = "Could not add " + file + " to module";
-					return false;
-				}
-			}
-			// Home if present
-			if ( !Archive.tarAddFile( outArchive, "/opt/openslx/scripts/pam_script_mount_persistent", new File( "./data/ad/mountscript" ),
-					0644 ) ) {
-				status.error = "Could not add mount script to module";
-				return false;
-			}
-			boolean ret = Archive.tarCreateFileFromString( outArchive, "/etc/ldap.conf", ldapConf.toString(), 0644 )
-					&& Archive.tarCreateFileFromString( outArchive, "/etc/sssd/sssd.conf", sssdConf.toString(), 0600 )
-					&& Archive.tarCreateFileFromString( outArchive, "/opt/openslx/inc/shares", shareConf, 0644 )
-					&& Archive.tarCreateSymlink( outArchive, "/etc/ldap.conf", "/etc/ldap/ldap.conf" )
-					&& Archive.tarCreateSymlink( outArchive, "/etc/ldap.conf", "/etc/openldap/ldap.conf" )
-					&& Archive.tarCreateSymlink( outArchive, "../sssd.service", "/etc/systemd/system/basic.target.wants/sssd.service" );
+			boolean ret = Archive.tarCreateFileFromString( outArchive, "/opt/openslx/pam/slx-ldap.d/conf-" + this.moduleid,
+							ldapConf.toString(), 0644 );
 			if ( !ret ) {
 				status.error = "Could not add ldap configs to module";
 			}
 			return ret;
-		} catch ( IOException e ) {
-			status.error = e.toString();
-			return false;
 		} finally {
 			Util.multiClose( outArchive );
 		}
 	}
+	
+	private void addConfLine( StringBuilder sb, String varName, int value )
+	{
+		addConfLine( sb, varName, Integer.toString( value ) );
+	}
+
+	private void addConfLine( StringBuilder sb, String varName, String value )
+	{
+		sb.append( varName );
+		sb.append( "='" );
+		sb.append( escapeBashString( value ) );
+		sb.append( "'\n" );
+	}
 
 	private String escapeBashString( String str )
 	{