From 139623cff43c8e8630e1342675f8209f53ebe3d1 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 26 Jun 2015 18:36:54 +0200
Subject: Always include home-mount-script in ad module; add support for fetching homedir-server directly from AD
---
 data/ad/mountscript | 60 +++++-----
 .../openslx/taskmanager/tasks/CreateAdConfig.java | 3 +-
 .../taskmanager/tasks/SyncdaemonLauncher.java | 122 ---------------------
 3 files changed, 35 insertions(+), 150 deletions(-)
 delete mode 100644 src/main/java/org/openslx/taskmanager/tasks/SyncdaemonLauncher.java
diff --git a/data/ad/mountscript b/data/ad/mountscript
index 4fa5f36..4812b1e 100644
--- a/data/ad/mountscript
+++ b/data/ad/mountscript
@@ -4,50 +4,58 @@ # and is not stand-alone!
 #
+VOLUME=
+REAL_ACCOUNT=
 if ! grep -q "^${PAM_USER}:" "/etc/passwd"; then
-
- if [ -z "$VOLUME" -o -z "$REAL_ACCOUNT" ]; then
- # determine fileserver and share for home directories
- touch "/tmp/ldapsearch.${PAM_USER}"
- chmod 0600 "/tmp/ldapsearch.${PAM_USER}"
- ldapsearch -x -LLL uid="${PAM_USER}" homeMount realAccount > "/tmp/ldapsearch.${PAM_USER}" 2>/dev/null || \
- { slxlog "pam-ad-ldapquery" "Could not query LDAP server for parameters of user '${PAM_USER}'."; exit 1; }
- VOLUME=$(cat "/tmp/ldapsearch.${PAM_USER}" | grep ^homeMount | head -n 1 | cut -d" " -f2)
- [ -z "${VOLUME}" ] && slxlog "pam-ad-ldapvolume" "LDAP server did not provide 'homeMount'. Aborting mount for ${PAM_USER}." && exit 1
- [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT=$(cat "/tmp/ldapsearch.${PAM_USER}" | grep ^realAccount | head -n 1 | cut -d" " -f2)
- [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT="$PAM_USER"
+ # determine fileserver and share for home directories
+ BINDDN=$(ldapsearch -l 3 -o nettimeout=3 -o ldif-wrap=no -x -LLL uid="${PAM_USER}" dn distinguishedName | grep -E '^(dn|distinguishedName):' | head -n 1 | cut -d ' ' -f 2)
+ if [ -z "$BINDDN" ]; then
+ slxlog "pam-ad-ldapquery" "Could not query DN of user ${PAM_USER}. No home directory available"
+ else
+ RESULT=$(mktemp)
+ PW="/tmp/pw.${RANDOM}.${RANDOM}.${PAM_USER}.${RANDOM}"
+ mkfifo -m 0600 "${PW}" || slxlog "pam-ad-fifo" "Could not create FIFO at ${PW}"
+ ( echo "${PAM_AUTHTOK}" > "${PW}" ) &
+ ldapsearch -y "${PW}" -D "$BINDDN" -l 5 -o nettimeout=5 -o ldif-wrap=no -x -LLL uid="${PAM_USER}" homeMount realAccount > "${RESULT}" 2>/dev/null \
+ || slxlog "pam-ad-ldapquery" "Could not query LDAP-AD-Proxy for parameters of user '${PAM_USER}'."
+ rm -f -- "${PW}"
+ VOLUME=$(cat "${RESULT}" | grep '^homeMount:' | head -n 1 | cut -d ' ' -f 2)
+ [ -z "${VOLUME}" ] && slxlog "pam-ad-ldapvolume" "AD/Proxy did not provide 'homeMount'. Aborting mount for ${PAM_USER}."
+ [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT=$(cat "${RESULT}" | grep '^realAccount:' | head -n 1 | cut -d ' ' -f 2)
+ [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT="${PAM_USER}"
 fi
-
- MOUNT_OPTS="-v -t cifs -o uid=${USER_UID},gid=${USER_GID},forceuid,forcegid,sec=ntlm"
-
- SIGNAL=$(mktemp)
- rm -f -- "${SIGNAL}"
-
+fi
+
+if [ -n "${VOLUME}" ]; then
+ MOUNT_OPTS="-v -t cifs -o uid=${USER_UID},gid=${USER_GID},forceuid,forcegid,sec=ntlm,nounix,file_mode=0700,dir_mode=0700"
+ SIGNAL="/tmp/signal.${RANDOM}.${RANDOM}.${PAM_USER}.${RANDOM}"
+
 export USER="${REAL_ACCOUNT}"
 export PASSWD="${PAM_AUTHTOK}"
-
- ( mount ${MOUNT_OPTS} "${VOLUME}" "${PERSISTENT_HOME_DIR}" > "/tmp/home.$PAM_USER" 2>&1 || touch "${SIGNAL}" ) &
+
+ ( mount ${MOUNT_OPTS} "${VOLUME}" "${PERSISTENT_HOME_DIR}" > "${RESULT}" 2>&1 || touch "${SIGNAL}" ) &
 MOUNT_PID=$!
 for COUNTER in 1 2 4 4; do
 kill -0 "${MOUNT_PID}" 2>/dev/null || break
 sleep "${COUNTER}"
 done
-
+
 if [ -e "${SIGNAL}" ]; then
- slxlog "pam-ad-mount" "Mount of '${VOLUME}' to '${PERSISTENT_HOME_DIR}' failed. (Args: ${MOUNT_OPTS})" "/tmp/home.$PAM_USER"
+ slxlog "pam-ad-mount" "Mount of '${VOLUME}' to '${PERSISTENT_HOME_DIR}' failed. (Args: ${MOUNT_OPTS})" "${RESULT}"
 sleep 1
 rm -f -- "${SIGNAL}"
 elif kill -9 "${MOUNT_PID}" 2>/dev/null; then
- slxlog "pam-ad-mount" "Mount of '${VOLUME}' to '${PERSISTENT_HOME_DIR}' timed out. (Args: ${MOUNT_OPTS})" "/tmp/home.$PAM_USER"
+ slxlog "pam-ad-mount" "Mount of '${VOLUME}' to '${PERSISTENT_HOME_DIR}' timed out. (Args: ${MOUNT_OPTS})" "${RESULT}"
 sleep 1
 else
 PERSISTENT_OK=yes
- chmod -R u+rw "${PERSISTENT_HOME_DIR}" 2>/dev/null
+ chmod -R u+rwX "${PERSISTENT_HOME_DIR}" 2>/dev/null
 fi
-
+
 unset USER
 unset PASSWD
-
- rm -f -- "/tmp/home.$PAM_USER"
 fi
+[ -n "${RESULT}" ] && rm -f -- "${RESULT}"
+true
+
diff --git a/src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java b/src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java
index 69ed2b6..d548b9f 100644
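Review bot: The new `mkfifo -m 0600 "${PW}" || slxlog "pam-ad-fifo" ...` line only logs when the FIFO cannot be created and the branch then carries on, so `( echo "${PAM_AUTHTOK}" > "${PW}" ) &` would write the user's password into an ordinary file at that /tmp path with umask-dependent permissions, and `ldapsearch -y "${PW}"` would read it from there. The bind query should be skipped when the FIFO is missing; wrapping the rest of the `else` branch in an `if ! mkfifo ...` guard (below) does that without the `exit 1` the removed code relied on, and leaves VOLUME empty so the mount block is not entered. A smaller follow-on: if ldapsearch fails before opening the FIFO, the background echo stays blocked on its open after `rm -f -- "${PW}"` and keeps the password in memory, so recording its PID and killing it after the query bounds that. Creating a private directory with `mktemp -d` and placing the FIFO inside it would also avoid composing the path from `${RANDOM}`.
```shell
		RESULT=$(mktemp)
		PW="/tmp/pw.${RANDOM}.${RANDOM}.${PAM_USER}.${RANDOM}"
		if ! mkfifo -m 0600 "${PW}"; then
			slxlog "pam-ad-fifo" "Could not create FIFO at ${PW}"
		else
			( echo "${PAM_AUTHTOK}" > "${PW}" ) &
			WRITER_PID=$!
			# … unchanged: ldapsearch -y "${PW}" -D "$BINDDN" … > "${RESULT}" || slxlog … …
			rm -f -- "${PW}"
			kill "${WRITER_PID}" 2>/dev/null
			# … unchanged: VOLUME / REAL_ACCOUNT extraction from "${RESULT}" …
		fi
```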
--- a/src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java
+++ b/src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java
@@ -160,8 +160,7 @@ public class CreateAdConfig extends AbstractTask
 }
 }
 // Home if present
- if ( this.home.length() != 0
- && !Archive.tarAddFile( outArchive, "/opt/openslx/scripts/pam_script_mount_persistent", new File( "./data/ad/mountscript" ), 0644 ) ) {
+ if ( !Archive.tarAddFile( outArchive, "/opt/openslx/scripts/pam_script_mount_persistent", new File( "./data/ad/mountscript" ), 0644 ) ) {
 status.error = "Could not add mount script to module";
 return false;
 }
diff --git a/src/main/java/org/openslx/taskmanager/tasks/SyncdaemonLauncher.java b/src/main/java/org/openslx/taskmanager/tasks/SyncdaemonLauncher.java
deleted file mode 100644
index 98d512a..0000000
--- a/src/main/java/org/openslx/taskmanager/tasks/SyncdaemonLauncher.java
+++ /dev/null
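Review bot: The context comment `// Home if present` above the changed `if` is now misleading, because the `this.home.length() != 0` guard is gone and the mount script is added to the archive unconditionally; I would change it to `// Home mount script: always shipped; it checks at runtime whether a home volume was resolved`. If `this.home` is no longer read anywhere else in this class after the change, the field and any validation of it may have become dead code, which is worth a quick check. The enclosing method starts and ends outside the hunk.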
@@ -1,122 +0,0 @@
-package org.openslx.taskmanager.tasks;
-
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
-import org.openslx.taskmanager.api.SystemCommandTask;
-
-import com.google.gson.annotations.Expose;
-
-public class SyncdaemonLauncher extends SystemCommandTask
-{
- /**
- * What to do: start, stop, checkconfig, import, ...
- */
- @Expose
- private String operation;
- /**
- * When importing, these are the fields for our identity
- */
- @Expose
- private String importModulus, importPrivateExponent, importPublicExponent, importOrganization;
- /**
- * (IP) Address of this satellite server, used when calling submitkey or updateaddress
- */
- @Expose
- private String address;
-
- private StatusObject status = new StatusObject();
-
- @Override
- protected String[] initCommandLine()
- {
- List params = new ArrayList<>();
- params.addAll(
- Arrays.asList(
- "/usr/bin/sudo",
- "-n",
- "-u", "syncdaemon",
- "/opt/syncdaemon/control.sh" ) );
- switch ( operation ) {
- case "start":
- case "stop":
- case "checkconfig":
- params.add( operation );
- break;
- case "genid":
- if ( errorIfNull( importOrganization, "genid: no organization given" ) )
- return null;
- params.add( operation );
- params.add( importOrganization );
- break;
- case "updateaddress":
- case "submitkey":
- if ( errorIfNull( address, "updateaddress/submitkey: no address given" ) )
- return null;
- params.add( operation );
- params.add( address );
- break;
- case "import":
- if ( errorIfNull( importOrganization, "import: no organization given" )
- || errorIfNull( importModulus, "import: no modulus given" )
- || errorIfNull( importPrivateExponent, "import: no private exponent given" )
- || errorIfNull( importPublicExponent, "import: no public exponent given" ) )
- return null;
- params.add( operation );
- params.add( importOrganization );
- params.add( importModulus );
- params.add( importPrivateExponent );
- params.add( importPublicExponent );
- break;
- default:
- status.addMsg( "Unknown operation: " + operation );
- return null;
- }
- this.timeoutSeconds = 5;
- return params.toArray( new String[ 0 ] );
- }
-
- private boolean errorIfNull( String check, String message )
- {
- if ( check == null )
- status.addMsg( message );
- return check == null;
- }
-
- @Override
- protected boolean processEnded( int exitCode )
- {
- return exitCode == 0;
- }
-
- @Override
- protected void processStdOut( String line )
- {
- status.addMsg( line );
- }
-
- @Override
- protected void processStdErr( String line )
- {
- status.addMsg( line );
- }
-
- @Override
- protected boolean initTask()
- {
- this.setStatusObject( this.status );
- return !errorIfNull( operation, "No operation given" );
- }
-
- class StatusObject
- {
- private String messages = "";
-
- public void addMsg( String str )
- {
- messages = messages + "\n" + str;
- }
- }
-
-}
-- cgit v1.2.3-55-g7522