[CreateLdapConfig] Adapt to new config format

references #3313

9 files changed, 0 insertions, 243 deletions

diff --git a/data/ad/common-account b/data/ad/common-account
deleted file mode 100644
index 341a340..0000000
--- a/data/ad/common-account
+++ /dev/null
@@ -1,10 +0,0 @@
-account	[success=3 new_authtok_reqd=done default=ignore]	pam_unix.so
-account	[success=2 new_authtok_reqd=done default=ignore]	pam_exec.so quiet /opt/openslx/scripts/pam_bwidm
-account	[success=1 default=ignore]	pam_sss.so
-# here's the fallback if no module succeeds
-account	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-account	required			pam_permit.so
-
diff --git a/data/ad/common-auth b/data/ad/common-auth
deleted file mode 100644
index f7e97a5..0000000
--- a/data/ad/common-auth
+++ /dev/null
@@ -1,14 +0,0 @@
-auth	[success=4 default=ignore]	pam_unix.so nodelay
-auth	[success=3 default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/scripts/pam_bwidm
-auth	[success=2 default=ignore]	pam_sss.so use_first_pass
-# here's the fallback if no module succeeds
-auth  optional          pam_faildelay.so delay=2123123
-auth	requisite			pam_deny.so
-auth	optional			pam_script.so expose=1
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-auth	required			pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-auth	optional			pam_cap.so
-
diff --git a/data/ad/common-password b/data/ad/common-password
deleted file mode 100644
index 9362eac..0000000
--- a/data/ad/common-password
+++ /dev/null
@@ -1,9 +0,0 @@
-password	[success=1 default=ignore]	pam_unix.so obscure sha512
-# here's the fallback if no module succeeds
-password	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-password	required			pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-
diff --git a/data/ad/common-session b/data/ad/common-session
deleted file mode 100644
index f5651a9..0000000
--- a/data/ad/common-session
+++ /dev/null
@@ -1,20 +0,0 @@
-session	[default=1]			pam_permit.so
-# here's the fallback if no module succeeds
-session	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session	required			pam_permit.so
-# The pam_umask module will set the umask according to the system default in
-# /etc/login.defs and user settings, solving the problem of different
-# umask settings with different shells, display managers, remote sessions etc.
-# See "man pam_umask".
-session optional			pam_umask.so
-session required       pam_systemd.so
-session optional        pam_env.so readenv=1
-session optional        pam_env.so readenv=1 envfile=/etc/default/locale
-# and here are more per-package modules (the "Additional" block)
-session	[success=1]    pam_unix.so
-session	[success=ok]   pam_sss.so
-session sufficient      pam_script.so
-
diff --git a/data/ad/common-session-noninteractive b/data/ad/common-session-noninteractive
deleted file mode 100644
index 36b573c..0000000
--- a/data/ad/common-session-noninteractive
+++ /dev/null
@@ -1,16 +0,0 @@
-session	[default=1]			pam_permit.so
-# here's the fallback if no module succeeds
-session	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session	required			pam_permit.so
-# The pam_umask module will set the umask according to the system default in
-# /etc/login.defs and user settings, solving the problem of different
-# umask settings with different shells, display managers, remote sessions etc.
-# See "man pam_umask".
-session optional			pam_umask.so
-# and here are more per-package modules (the "Additional" block)
-session	sufficient       pam_unix.so
-session	sufficient       pam_sss.so
-
diff --git a/data/ad/ldap.conf.template b/data/ad/ldap.conf.template
deleted file mode 100644
index c607405..0000000
--- a/data/ad/ldap.conf.template
+++ /dev/null
@@ -1,9 +0,0 @@
-URI                  %URI%
-BASE                 %SEARCHBASE%
-BIND_TIMELIMIT       10
-TIMELIMIT            30
-TLS_REQCERT          demand
-TLS_CACERT           %CACERT%
-nss_base_passwd      %SEARCHBASE%
-nss_base_group       %SEARCHBASE%
-nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data
diff --git a/data/ad/mountscript b/data/ad/mountscript
deleted file mode 100644
index 810eed6..0000000
--- a/data/ad/mountscript
+++ /dev/null
@@ -1,131 +0,0 @@
-###################################################################
-#
-#       This script is a part of the pam_script_ses_open script
-#       and is not stand-alone!
-#
-
-VOLUME=
-SEARCH=
-RESULT=
-REAL_ACCOUNT=
-WAIT=
-TMPDEL=
-LOGFILES=
-if ! grep -q "^${PAM_USER}:" "/etc/passwd"; then
-	if which gawk &>/dev/null; then
-		un64() {
-			gawk 'BEGIN{FS=":: "}{c="base64 -d";if(/^\w+:: /) {print $2 |& c; close(c,"to"); c |& getline $2; close(c); printf("%s: %s\n", $1, $2); next} print $0 }'
-		}
-	else
-		un64() {
-			cat
-		}
-	fi
-	# determine fileserver and share for home directories
-	SEARCH=$(mktemp)
-	TMPDEL="$TMPDEL $SEARCH"
-	ldapsearch -l 3 -o nettimeout=3 -o ldif-wrap=no -x -LLL uid="${PAM_USER}" dn distinguishedName homeMount realAccount > "${SEARCH}" 2>&1
-	BINDDN=$(cat "${SEARCH}" | grep -E '^(dn|distinguishedName):' | un64 | head -n 1 | cut -d ' ' -f 2-)
-	if [ -z "$BINDDN" ]; then
-		slxlog "pam-ad-ldapquery" "Could not query DN of user ${PAM_USER}. No home directory available" "${SEARCH}"
-		WAIT=1
-	else
-		RESULT=$(mktemp)
-		TMPDEL="$TMPDEL $RESULT"
-		PW="/tmp/pw.${RANDOM}.${RANDOM}.${PAM_USER}.${RANDOM}"
-		mkfifo -m 0600 "${PW}" || slxlog "pam-ad-fifo" "Could not create FIFO at ${PW}"
-		(
-			echo -n "${PAM_AUTHTOK}" > "${PW}"
-		) &
-		if ! ldapsearch -y "${PW}" -D "$BINDDN" -l 5 -o nettimeout=5 -o ldif-wrap=no -x -LLL uid="${PAM_USER}" homeMount realAccount > "${RESULT}" 2>&1; then
-			slxlog "pam-ad-ldapquery" "Could not query LDAP-AD-Proxy for parameters of user '${PAM_USER}' (${BINDDN})." "${RESULT}"
-			WAIT=1
-		fi
-		rm -f -- "${PW}"
-		VOLUME=$(cat "${RESULT}" | grep '^homeMount:' | head -n 1 | cut -d ' ' -f 2-)
-		[ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT=$(cat "${RESULT}" | grep '^realAccount:' | head -n 1 | cut -d ' ' -f 2-)
-	fi
-	[ -z "$VOLUME" ] && VOLUME=$(cat "${SEARCH}" | grep '^homeMount:' | head -n 1 | cut -d ' ' -f 2-)
-	[ -z "$VOLUME" ] && slxlog "pam-ad-ldapvolume" "AD/Proxy did not provide 'homeMount'. Aborting mount for ${PAM_USER}." "${RESULT}"
-	[ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT=$(cat "${SEARCH}" | grep '^realAccount:' | head -n 1 | cut -d ' ' -f 2-)
-	[ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT="${PAM_USER}"
-fi
-
-if [ -n "${VOLUME}" ]; then
-	isHomeMounted() {
-		grep -Fuq " ${PERSISTENT_HOME_DIR} " /proc/mounts
-	}
-	# Most servers can work without, but some don't
-	XDOMAIN=
-	if [ -s "/opt/openslx/inc/shares" ]; then
-		. /opt/openslx/inc/shares
-		XDOMAIN="${SHARE_DOMAIN}"
-	fi
-	if [ -z "$XDOMAIN" ]; then
-		XDOMAIN=$(<"/etc/ldap.conf" grep -m1 -i '^BASE\s.*DC=' | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-)
-	fi
-	if [ -z "$XDOMAIN" ]; then
-		XDOMAIN=$(<"/etc/sssd/sssd.conf" grep -m1 -i '^ldap_search_base\s*=.*DC=' | grep -o -E -i 'DC=[^,;]+' | head -n 1 | cut -c 4-)
-	fi
-	if [ "x$XDOMAIN" = "x#" ]; then
-		XDOMAIN=
-	fi
-	# Remember for hooks in pam_script_auth.d
-	export PERSISTENT_NETPATH=$(echo "$VOLUME" | tr '/' '\')
-
-	export USER="${REAL_ACCOUNT}"
-	export PASSWD="${PAM_AUTHTOK}"
-
-	# We try 7 different mount option combinations; launch them in 1 second steps until one of them succeeds
-	CNT=0
-	PIDS=
-	for opt in "vers=3.0,sec=ntlmssp" "vers=2.1,sec=ntlmssp" "vers=1.0,sec=ntlm" "vers=3.0,sec=ntlmv2" "vers=1.0,sec=ntlmv2" "vers=3.0,sec=ntlm" "vers=2.0,sec=ntlmssp"; do
-		# Also we try with and without explicit domain argument
-		for dom in "#" $XDOMAIN; do # No quotes
-			[ "x$dom" != "x#" ] && opt="${opt},domain=$dom"
-			CNT=$(( CNT + 1 ))
-			FILE=$(mktemp)
-			LOGFILES="$LOGFILES $FILE"
-			MOUNT_OPTS="-v -t cifs -o uid=${USER_UID},gid=${USER_GID},forceuid,forcegid,${opt},nounix,file_mode=0700,dir_mode=0700,noacl,nobrl"
-			echo " ****** Trying '$opt'" > "$FILE"
-			mount ${MOUNT_OPTS} "${VOLUME}" "${PERSISTENT_HOME_DIR}" >> "${FILE}" 2>&1 &
-			PID=$!
-			# Wait max. 1 second; remember PID if this mount call seems to be running after we stop waiting
-			for waits in 1 2 3 4; do
-				usleep 250000
-				if isHomeMounted; then
-					# A previously invoked mount call might have succeeded while this one is still running; try to stop it right away
-					kill "$PID" &> /dev/null
-					break 3
-				fi
-				kill -0 "$PID" || break
-			done
-			kill -0 "$PID" && PIDS="$PIDS $PID" # Remember all PIDs
-		done
-	done
-
-	if [ -n "$PIDS" ]; then
-		CNT=0
-		while ! isHomeMounted && [ "$CNT" -lt 10 ] && kill -0 $PIDS; do # No quotes
-			usleep 333000
-			CNT=$(( CNT + 1 ))
-		done
-		kill -9 $PIDS # Kill any leftovers; No quotes
-	fi
-
-	if ! isHomeMounted; then
-		LOG_COMBINED=$(mktemp)
-		[ -n "$LOGFILES" ] && cat ${LOGFILES} > "$LOG_COMBINED" # No quotes
-		slxlog --delete "pam-ad-mount" "Mount of '${VOLUME}' to '${PERSISTENT_HOME_DIR}' failed." "${LOG_COMBINED}"
-	else
-		PERSISTENT_OK=yes
-		#chmod -R u+rwX "${PERSISTENT_HOME_DIR}" 2>/dev/null TODO: Still needed? Use '&' maybe?
-	fi
-
-	unset USER
-	unset PASSWD
-fi
-
-[ -n "${TMPDEL}${LOGFILES}" ] && rm -f -- ${TMPDEL} ${LOGFILES} # No quotes
-true
-
diff --git a/data/ad/nsswitch.conf b/data/ad/nsswitch.conf
deleted file mode 100644
index 75ea9f8..0000000
--- a/data/ad/nsswitch.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-passwd:         compat sss
-group:          compat sss
-shadow:         compat
-
-hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks:       files
-
-protocols:      db files
-services:       db files
-ethers:         db files
-rpc:            db files
-
-netgroup:       nis
-
diff --git a/data/ad/sssd.conf.template b/data/ad/sssd.conf.template
deleted file mode 100644
index ce87799..0000000
--- a/data/ad/sssd.conf.template
+++ /dev/null
@@ -1,20 +0,0 @@
-[sssd]
-config_file_version = 2
-services = nss, pam
-domains = LDAP
-[nss]
-filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
-[pam]
-[domain/LDAP]
-filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
-id_provider = ldap
-auth_provider = ldap
-ldap_tls_reqcert = demand
-ldap_tls_cacert = %CACERT%
-ldap_schema = rfc2307
-ldap_uri = %URI%
-ldap_search_base = %SEARCHBASE%
-ldap_user_email = bogusFieldName42
-ldap_user_principal = bogusFieldName43
-cache_credentials = true
-