summaryrefslogtreecommitdiffstats
path: root/data
diff options
context:
space:
mode:
authorSimon Rettberg2018-03-15 17:13:34 +0100
committerSimon Rettberg2018-03-15 17:13:34 +0100
commit89c09d4ed208e838d6e21932079767c8eb9ffaba (patch)
tree3535047c6b5ca856f3408c7506b09b61663d3759 /data
parentmount-script: Better timeout, try domain guessing, logging, cleanup (diff)
downloadtmlite-bwlp-89c09d4ed208e838d6e21932079767c8eb9ffaba.tar.gz
tmlite-bwlp-89c09d4ed208e838d6e21932079767c8eb9ffaba.tar.xz
tmlite-bwlp-89c09d4ed208e838d6e21932079767c8eb9ffaba.zip
[CreateLdapConfig] Adapt to new config format
references #3313
Diffstat (limited to 'data')
-rw-r--r--data/ad/common-account10
-rw-r--r--data/ad/common-auth14
-rw-r--r--data/ad/common-password9
-rw-r--r--data/ad/common-session20
-rw-r--r--data/ad/common-session-noninteractive16
-rw-r--r--data/ad/ldap.conf.template9
-rw-r--r--data/ad/mountscript131
-rw-r--r--data/ad/nsswitch.conf14
-rw-r--r--data/ad/sssd.conf.template20
9 files changed, 0 insertions, 243 deletions
diff --git a/data/ad/common-account b/data/ad/common-account
deleted file mode 100644
index 341a340..0000000
--- a/data/ad/common-account
+++ /dev/null
@@ -1,10 +0,0 @@
-account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so
-account [success=2 new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/scripts/pam_bwidm
-account [success=1 default=ignore] pam_sss.so
-# here's the fallback if no module succeeds
-account requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-account required pam_permit.so
-
diff --git a/data/ad/common-auth b/data/ad/common-auth
deleted file mode 100644
index f7e97a5..0000000
--- a/data/ad/common-auth
+++ /dev/null
@@ -1,14 +0,0 @@
-auth [success=4 default=ignore] pam_unix.so nodelay
-auth [success=3 default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/scripts/pam_bwidm
-auth [success=2 default=ignore] pam_sss.so use_first_pass
-# here's the fallback if no module succeeds
-auth optional pam_faildelay.so delay=2123123
-auth requisite pam_deny.so
-auth optional pam_script.so expose=1
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-auth required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-auth optional pam_cap.so
-
diff --git a/data/ad/common-password b/data/ad/common-password
deleted file mode 100644
index 9362eac..0000000
--- a/data/ad/common-password
+++ /dev/null
@@ -1,9 +0,0 @@
-password [success=1 default=ignore] pam_unix.so obscure sha512
-# here's the fallback if no module succeeds
-password requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-password required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-
diff --git a/data/ad/common-session b/data/ad/common-session
deleted file mode 100644
index f5651a9..0000000
--- a/data/ad/common-session
+++ /dev/null
@@ -1,20 +0,0 @@
-session [default=1] pam_permit.so
-# here's the fallback if no module succeeds
-session requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session required pam_permit.so
-# The pam_umask module will set the umask according to the system default in
-# /etc/login.defs and user settings, solving the problem of different
-# umask settings with different shells, display managers, remote sessions etc.
-# See "man pam_umask".
-session optional pam_umask.so
-session required pam_systemd.so
-session optional pam_env.so readenv=1
-session optional pam_env.so readenv=1 envfile=/etc/default/locale
-# and here are more per-package modules (the "Additional" block)
-session [success=1] pam_unix.so
-session [success=ok] pam_sss.so
-session sufficient pam_script.so
-
diff --git a/data/ad/common-session-noninteractive b/data/ad/common-session-noninteractive
deleted file mode 100644
index 36b573c..0000000
--- a/data/ad/common-session-noninteractive
+++ /dev/null
@@ -1,16 +0,0 @@
-session [default=1] pam_permit.so
-# here's the fallback if no module succeeds
-session requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session required pam_permit.so
-# The pam_umask module will set the umask according to the system default in
-# /etc/login.defs and user settings, solving the problem of different
-# umask settings with different shells, display managers, remote sessions etc.
-# See "man pam_umask".
-session optional pam_umask.so
-# and here are more per-package modules (the "Additional" block)
-session sufficient pam_unix.so
-session sufficient pam_sss.so
-
diff --git a/data/ad/ldap.conf.template b/data/ad/ldap.conf.template
deleted file mode 100644
index c607405..0000000
--- a/data/ad/ldap.conf.template
+++ /dev/null
@@ -1,9 +0,0 @@
-URI %URI%
-BASE %SEARCHBASE%
-BIND_TIMELIMIT 10
-TIMELIMIT 30
-TLS_REQCERT demand
-TLS_CACERT %CACERT%
-nss_base_passwd %SEARCHBASE%
-nss_base_group %SEARCHBASE%
-nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data
diff --git a/data/ad/mountscript b/data/ad/mountscript
deleted file mode 100644
index 810eed6..0000000
--- a/data/ad/mountscript
+++ /dev/null
@@ -1,131 +0,0 @@
-###################################################################
-#
-# This script is a part of the pam_script_ses_open script
-# and is not stand-alone!
-#
-
-VOLUME=
-SEARCH=
-RESULT=
-REAL_ACCOUNT=
-WAIT=
-TMPDEL=
-LOGFILES=
-if ! grep -q "^${PAM_USER}:" "/etc/passwd"; then
- if which gawk &>/dev/null; then
- un64() {
- gawk 'BEGIN{FS=":: "}{c="base64 -d";if(/^\w+:: /) {print $2 |& c; close(c,"to"); c |& getline $2; close(c); printf("%s: %s\n", $1, $2); next} print $0 }'
- }
- else
- un64() {
- cat
- }
- fi
- # determine fileserver and share for home directories
- SEARCH=$(mktemp)
- TMPDEL="$TMPDEL $SEARCH"
- ldapsearch -l 3 -o nettimeout=3 -o ldif-wrap=no -x -LLL uid="${PAM_USER}" dn distinguishedName homeMount realAccount > "${SEARCH}" 2>&1
- BINDDN=$(cat "${SEARCH}" | grep -E '^(dn|distinguishedName):' | un64 | head -n 1 | cut -d ' ' -f 2-)
- if [ -z "$BINDDN" ]; then
- slxlog "pam-ad-ldapquery" "Could not query DN of user ${PAM_USER}. No home directory available" "${SEARCH}"
- WAIT=1
- else
- RESULT=$(mktemp)
- TMPDEL="$TMPDEL $RESULT"
- PW="/tmp/pw.${RANDOM}.${RANDOM}.${PAM_USER}.${RANDOM}"
- mkfifo -m 0600 "${PW}" || slxlog "pam-ad-fifo" "Could not create FIFO at ${PW}"
- (
- echo -n "${PAM_AUTHTOK}" > "${PW}"
- ) &
- if ! ldapsearch -y "${PW}" -D "$BINDDN" -l 5 -o nettimeout=5 -o ldif-wrap=no -x -LLL uid="${PAM_USER}" homeMount realAccount > "${RESULT}" 2>&1; then
- slxlog "pam-ad-ldapquery" "Could not query LDAP-AD-Proxy for parameters of user '${PAM_USER}' (${BINDDN})." "${RESULT}"
- WAIT=1
- fi
- rm -f -- "${PW}"
- VOLUME=$(cat "${RESULT}" | grep '^homeMount:' | head -n 1 | cut -d ' ' -f 2-)
- [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT=$(cat "${RESULT}" | grep '^realAccount:' | head -n 1 | cut -d ' ' -f 2-)
- fi
- [ -z "$VOLUME" ] && VOLUME=$(cat "${SEARCH}" | grep '^homeMount:' | head -n 1 | cut -d ' ' -f 2-)
- [ -z "$VOLUME" ] && slxlog "pam-ad-ldapvolume" "AD/Proxy did not provide 'homeMount'. Aborting mount for ${PAM_USER}." "${RESULT}"
- [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT=$(cat "${SEARCH}" | grep '^realAccount:' | head -n 1 | cut -d ' ' -f 2-)
- [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT="${PAM_USER}"
-fi
-
-if [ -n "${VOLUME}" ]; then
- isHomeMounted() {
- grep -Fuq " ${PERSISTENT_HOME_DIR} " /proc/mounts
- }
- # Most servers can work without, but some don't
- XDOMAIN=
- if [ -s "/opt/openslx/inc/shares" ]; then
- . /opt/openslx/inc/shares
- XDOMAIN="${SHARE_DOMAIN}"
- fi
- if [ -z "$XDOMAIN" ]; then
- XDOMAIN=$(<"/etc/ldap.conf" grep -m1 -i '^BASE\s.*DC=' | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-)
- fi
- if [ -z "$XDOMAIN" ]; then
- XDOMAIN=$(<"/etc/sssd/sssd.conf" grep -m1 -i '^ldap_search_base\s*=.*DC=' | grep -o -E -i 'DC=[^,;]+' | head -n 1 | cut -c 4-)
- fi
- if [ "x$XDOMAIN" = "x#" ]; then
- XDOMAIN=
- fi
- # Remember for hooks in pam_script_auth.d
- export PERSISTENT_NETPATH=$(echo "$VOLUME" | tr '/' '\')
-
- export USER="${REAL_ACCOUNT}"
- export PASSWD="${PAM_AUTHTOK}"
-
- # We try 7 different mount option combinations; launch them in 1 second steps until one of them succeeds
- CNT=0
- PIDS=
- for opt in "vers=3.0,sec=ntlmssp" "vers=2.1,sec=ntlmssp" "vers=1.0,sec=ntlm" "vers=3.0,sec=ntlmv2" "vers=1.0,sec=ntlmv2" "vers=3.0,sec=ntlm" "vers=2.0,sec=ntlmssp"; do
- # Also we try with and without explicit domain argument
- for dom in "#" $XDOMAIN; do # No quotes
- [ "x$dom" != "x#" ] && opt="${opt},domain=$dom"
- CNT=$(( CNT + 1 ))
- FILE=$(mktemp)
- LOGFILES="$LOGFILES $FILE"
- MOUNT_OPTS="-v -t cifs -o uid=${USER_UID},gid=${USER_GID},forceuid,forcegid,${opt},nounix,file_mode=0700,dir_mode=0700,noacl,nobrl"
- echo " ****** Trying '$opt'" > "$FILE"
- mount ${MOUNT_OPTS} "${VOLUME}" "${PERSISTENT_HOME_DIR}" >> "${FILE}" 2>&1 &
- PID=$!
- # Wait max. 1 second; remember PID if this mount call seems to be running after we stop waiting
- for waits in 1 2 3 4; do
- usleep 250000
- if isHomeMounted; then
- # A previously invoked mount call might have succeeded while this one is still running; try to stop it right away
- kill "$PID" &> /dev/null
- break 3
- fi
- kill -0 "$PID" || break
- done
- kill -0 "$PID" && PIDS="$PIDS $PID" # Remember all PIDs
- done
- done
-
- if [ -n "$PIDS" ]; then
- CNT=0
- while ! isHomeMounted && [ "$CNT" -lt 10 ] && kill -0 $PIDS; do # No quotes
- usleep 333000
- CNT=$(( CNT + 1 ))
- done
- kill -9 $PIDS # Kill any leftovers; No quotes
- fi
-
- if ! isHomeMounted; then
- LOG_COMBINED=$(mktemp)
- [ -n "$LOGFILES" ] && cat ${LOGFILES} > "$LOG_COMBINED" # No quotes
- slxlog --delete "pam-ad-mount" "Mount of '${VOLUME}' to '${PERSISTENT_HOME_DIR}' failed." "${LOG_COMBINED}"
- else
- PERSISTENT_OK=yes
- #chmod -R u+rwX "${PERSISTENT_HOME_DIR}" 2>/dev/null TODO: Still needed? Use '&' maybe?
- fi
-
- unset USER
- unset PASSWD
-fi
-
-[ -n "${TMPDEL}${LOGFILES}" ] && rm -f -- ${TMPDEL} ${LOGFILES} # No quotes
-true
-
diff --git a/data/ad/nsswitch.conf b/data/ad/nsswitch.conf
deleted file mode 100644
index 75ea9f8..0000000
--- a/data/ad/nsswitch.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-passwd: compat sss
-group: compat sss
-shadow: compat
-
-hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks: files
-
-protocols: db files
-services: db files
-ethers: db files
-rpc: db files
-
-netgroup: nis
-
diff --git a/data/ad/sssd.conf.template b/data/ad/sssd.conf.template
deleted file mode 100644
index ce87799..0000000
--- a/data/ad/sssd.conf.template
+++ /dev/null
@@ -1,20 +0,0 @@
-[sssd]
-config_file_version = 2
-services = nss, pam
-domains = LDAP
-[nss]
-filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
-[pam]
-[domain/LDAP]
-filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
-id_provider = ldap
-auth_provider = ldap
-ldap_tls_reqcert = demand
-ldap_tls_cacert = %CACERT%
-ldap_schema = rfc2307
-ldap_uri = %URI%
-ldap_search_base = %SEARCHBASE%
-ldap_user_email = bogusFieldName42
-ldap_user_principal = bogusFieldName43
-cache_credentials = true
-