From 89c09d4ed208e838d6e21932079767c8eb9ffaba Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Thu, 15 Mar 2018 17:13:34 +0100 Subject: [CreateLdapConfig] Adapt to new config format references #3313 --- data/ad/common-account | 10 -- data/ad/common-auth | 14 --- data/ad/common-password | 9 -- data/ad/common-session | 20 ---- data/ad/common-session-noninteractive | 16 --- data/ad/ldap.conf.template | 9 -- data/ad/mountscript | 131 --------------------- data/ad/nsswitch.conf | 14 --- data/ad/sssd.conf.template | 20 ---- .../taskmanager/tasks/CreateLdapConfig.java | 115 +++++++----------- 10 files changed, 45 insertions(+), 313 deletions(-) delete mode 100644 data/ad/common-account delete mode 100644 data/ad/common-auth delete mode 100644 data/ad/common-password delete mode 100644 data/ad/common-session delete mode 100644 data/ad/common-session-noninteractive delete mode 100644 data/ad/ldap.conf.template delete mode 100644 data/ad/mountscript delete mode 100644 data/ad/nsswitch.conf delete mode 100644 data/ad/sssd.conf.template diff --git a/data/ad/common-account b/data/ad/common-account deleted file mode 100644 index 341a340..0000000 --- a/data/ad/common-account +++ /dev/null @@ -1,10 +0,0 @@ -account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so -account [success=2 new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/scripts/pam_bwidm -account [success=1 default=ignore] pam_sss.so -# here's the fallback if no module succeeds -account requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -account required pam_permit.so - diff --git a/data/ad/common-auth b/data/ad/common-auth deleted file mode 100644 index f7e97a5..0000000 --- a/data/ad/common-auth +++ /dev/null @@ -1,14 +0,0 @@ -auth [success=4 default=ignore] pam_unix.so nodelay -auth [success=3 default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/scripts/pam_bwidm -auth [success=2 default=ignore] pam_sss.so use_first_pass -# here's the fallback if no module succeeds -auth optional pam_faildelay.so delay=2123123 -auth requisite pam_deny.so -auth optional pam_script.so expose=1 -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -auth required pam_permit.so -# and here are more per-package modules (the "Additional" block) -auth optional pam_cap.so - diff --git a/data/ad/common-password b/data/ad/common-password deleted file mode 100644 index 9362eac..0000000 --- a/data/ad/common-password +++ /dev/null @@ -1,9 +0,0 @@ -password [success=1 default=ignore] pam_unix.so obscure sha512 -# here's the fallback if no module succeeds -password requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -password required pam_permit.so -# and here are more per-package modules (the "Additional" block) - diff --git a/data/ad/common-session b/data/ad/common-session deleted file mode 100644 index f5651a9..0000000 --- a/data/ad/common-session +++ /dev/null @@ -1,20 +0,0 @@ -session [default=1] pam_permit.so -# here's the fallback if no module succeeds -session requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -session required pam_permit.so -# The pam_umask module will set the umask according to the system default in -# /etc/login.defs and user settings, solving the problem of different -# umask settings with different shells, display managers, remote sessions etc. -# See "man pam_umask". -session optional pam_umask.so -session required pam_systemd.so -session optional pam_env.so readenv=1 -session optional pam_env.so readenv=1 envfile=/etc/default/locale -# and here are more per-package modules (the "Additional" block) -session [success=1] pam_unix.so -session [success=ok] pam_sss.so -session sufficient pam_script.so - diff --git a/data/ad/common-session-noninteractive b/data/ad/common-session-noninteractive deleted file mode 100644 index 36b573c..0000000 --- a/data/ad/common-session-noninteractive +++ /dev/null @@ -1,16 +0,0 @@ -session [default=1] pam_permit.so -# here's the fallback if no module succeeds -session requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -session required pam_permit.so -# The pam_umask module will set the umask according to the system default in -# /etc/login.defs and user settings, solving the problem of different -# umask settings with different shells, display managers, remote sessions etc. -# See "man pam_umask". -session optional pam_umask.so -# and here are more per-package modules (the "Additional" block) -session sufficient pam_unix.so -session sufficient pam_sss.so - diff --git a/data/ad/ldap.conf.template b/data/ad/ldap.conf.template deleted file mode 100644 index c607405..0000000 --- a/data/ad/ldap.conf.template +++ /dev/null @@ -1,9 +0,0 @@ -URI %URI% -BASE %SEARCHBASE% -BIND_TIMELIMIT 10 -TIMELIMIT 30 -TLS_REQCERT demand -TLS_CACERT %CACERT% -nss_base_passwd %SEARCHBASE% -nss_base_group %SEARCHBASE% -nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data diff --git a/data/ad/mountscript b/data/ad/mountscript deleted file mode 100644 index 810eed6..0000000 --- a/data/ad/mountscript +++ /dev/null @@ -1,131 +0,0 @@ -################################################################### -# -# This script is a part of the pam_script_ses_open script -# and is not stand-alone! -# - -VOLUME= -SEARCH= -RESULT= -REAL_ACCOUNT= -WAIT= -TMPDEL= -LOGFILES= -if ! grep -q "^${PAM_USER}:" "/etc/passwd"; then - if which gawk &>/dev/null; then - un64() { - gawk 'BEGIN{FS=":: "}{c="base64 -d";if(/^\w+:: /) {print $2 |& c; close(c,"to"); c |& getline $2; close(c); printf("%s: %s\n", $1, $2); next} print $0 }' - } - else - un64() { - cat - } - fi - # determine fileserver and share for home directories - SEARCH=$(mktemp) - TMPDEL="$TMPDEL $SEARCH" - ldapsearch -l 3 -o nettimeout=3 -o ldif-wrap=no -x -LLL uid="${PAM_USER}" dn distinguishedName homeMount realAccount > "${SEARCH}" 2>&1 - BINDDN=$(cat "${SEARCH}" | grep -E '^(dn|distinguishedName):' | un64 | head -n 1 | cut -d ' ' -f 2-) - if [ -z "$BINDDN" ]; then - slxlog "pam-ad-ldapquery" "Could not query DN of user ${PAM_USER}. No home directory available" "${SEARCH}" - WAIT=1 - else - RESULT=$(mktemp) - TMPDEL="$TMPDEL $RESULT" - PW="/tmp/pw.${RANDOM}.${RANDOM}.${PAM_USER}.${RANDOM}" - mkfifo -m 0600 "${PW}" || slxlog "pam-ad-fifo" "Could not create FIFO at ${PW}" - ( - echo -n "${PAM_AUTHTOK}" > "${PW}" - ) & - if ! ldapsearch -y "${PW}" -D "$BINDDN" -l 5 -o nettimeout=5 -o ldif-wrap=no -x -LLL uid="${PAM_USER}" homeMount realAccount > "${RESULT}" 2>&1; then - slxlog "pam-ad-ldapquery" "Could not query LDAP-AD-Proxy for parameters of user '${PAM_USER}' (${BINDDN})." "${RESULT}" - WAIT=1 - fi - rm -f -- "${PW}" - VOLUME=$(cat "${RESULT}" | grep '^homeMount:' | head -n 1 | cut -d ' ' -f 2-) - [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT=$(cat "${RESULT}" | grep '^realAccount:' | head -n 1 | cut -d ' ' -f 2-) - fi - [ -z "$VOLUME" ] && VOLUME=$(cat "${SEARCH}" | grep '^homeMount:' | head -n 1 | cut -d ' ' -f 2-) - [ -z "$VOLUME" ] && slxlog "pam-ad-ldapvolume" "AD/Proxy did not provide 'homeMount'. Aborting mount for ${PAM_USER}." "${RESULT}" - [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT=$(cat "${SEARCH}" | grep '^realAccount:' | head -n 1 | cut -d ' ' -f 2-) - [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT="${PAM_USER}" -fi - -if [ -n "${VOLUME}" ]; then - isHomeMounted() { - grep -Fuq " ${PERSISTENT_HOME_DIR} " /proc/mounts - } - # Most servers can work without, but some don't - XDOMAIN= - if [ -s "/opt/openslx/inc/shares" ]; then - . /opt/openslx/inc/shares - XDOMAIN="${SHARE_DOMAIN}" - fi - if [ -z "$XDOMAIN" ]; then - XDOMAIN=$(<"/etc/ldap.conf" grep -m1 -i '^BASE\s.*DC=' | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-) - fi - if [ -z "$XDOMAIN" ]; then - XDOMAIN=$(<"/etc/sssd/sssd.conf" grep -m1 -i '^ldap_search_base\s*=.*DC=' | grep -o -E -i 'DC=[^,;]+' | head -n 1 | cut -c 4-) - fi - if [ "x$XDOMAIN" = "x#" ]; then - XDOMAIN= - fi - # Remember for hooks in pam_script_auth.d - export PERSISTENT_NETPATH=$(echo "$VOLUME" | tr '/' '\') - - export USER="${REAL_ACCOUNT}" - export PASSWD="${PAM_AUTHTOK}" - - # We try 7 different mount option combinations; launch them in 1 second steps until one of them succeeds - CNT=0 - PIDS= - for opt in "vers=3.0,sec=ntlmssp" "vers=2.1,sec=ntlmssp" "vers=1.0,sec=ntlm" "vers=3.0,sec=ntlmv2" "vers=1.0,sec=ntlmv2" "vers=3.0,sec=ntlm" "vers=2.0,sec=ntlmssp"; do - # Also we try with and without explicit domain argument - for dom in "#" $XDOMAIN; do # No quotes - [ "x$dom" != "x#" ] && opt="${opt},domain=$dom" - CNT=$(( CNT + 1 )) - FILE=$(mktemp) - LOGFILES="$LOGFILES $FILE" - MOUNT_OPTS="-v -t cifs -o uid=${USER_UID},gid=${USER_GID},forceuid,forcegid,${opt},nounix,file_mode=0700,dir_mode=0700,noacl,nobrl" - echo " ****** Trying '$opt'" > "$FILE" - mount ${MOUNT_OPTS} "${VOLUME}" "${PERSISTENT_HOME_DIR}" >> "${FILE}" 2>&1 & - PID=$! - # Wait max. 1 second; remember PID if this mount call seems to be running after we stop waiting - for waits in 1 2 3 4; do - usleep 250000 - if isHomeMounted; then - # A previously invoked mount call might have succeeded while this one is still running; try to stop it right away - kill "$PID" &> /dev/null - break 3 - fi - kill -0 "$PID" || break - done - kill -0 "$PID" && PIDS="$PIDS $PID" # Remember all PIDs - done - done - - if [ -n "$PIDS" ]; then - CNT=0 - while ! isHomeMounted && [ "$CNT" -lt 10 ] && kill -0 $PIDS; do # No quotes - usleep 333000 - CNT=$(( CNT + 1 )) - done - kill -9 $PIDS # Kill any leftovers; No quotes - fi - - if ! isHomeMounted; then - LOG_COMBINED=$(mktemp) - [ -n "$LOGFILES" ] && cat ${LOGFILES} > "$LOG_COMBINED" # No quotes - slxlog --delete "pam-ad-mount" "Mount of '${VOLUME}' to '${PERSISTENT_HOME_DIR}' failed." "${LOG_COMBINED}" - else - PERSISTENT_OK=yes - #chmod -R u+rwX "${PERSISTENT_HOME_DIR}" 2>/dev/null TODO: Still needed? Use '&' maybe? - fi - - unset USER - unset PASSWD -fi - -[ -n "${TMPDEL}${LOGFILES}" ] && rm -f -- ${TMPDEL} ${LOGFILES} # No quotes -true - diff --git a/data/ad/nsswitch.conf b/data/ad/nsswitch.conf deleted file mode 100644 index 75ea9f8..0000000 --- a/data/ad/nsswitch.conf +++ /dev/null @@ -1,14 +0,0 @@ -passwd: compat sss -group: compat sss -shadow: compat - -hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 -networks: files - -protocols: db files -services: db files -ethers: db files -rpc: db files - -netgroup: nis - diff --git a/data/ad/sssd.conf.template b/data/ad/sssd.conf.template deleted file mode 100644 index ce87799..0000000 --- a/data/ad/sssd.conf.template +++ /dev/null @@ -1,20 +0,0 @@ -[sssd] -config_file_version = 2 -services = nss, pam -domains = LDAP -[nss] -filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo -[pam] -[domain/LDAP] -filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo -id_provider = ldap -auth_provider = ldap -ldap_tls_reqcert = demand -ldap_tls_cacert = %CACERT% -ldap_schema = rfc2307 -ldap_uri = %URI% -ldap_search_base = %SEARCHBASE% -ldap_user_email = bogusFieldName42 -ldap_user_principal = bogusFieldName43 -cache_credentials = true - diff --git a/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java b/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java index 35cbe31..a790ecb 100644 --- a/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java +++ b/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java @@ -18,7 +18,6 @@ import org.openslx.satserver.util.Constants; import org.openslx.satserver.util.Exec; import org.openslx.satserver.util.Exec.ExecCallback; import org.openslx.satserver.util.LdapMapping; -import org.openslx.satserver.util.Template; import org.openslx.satserver.util.Util; import org.openslx.taskmanager.api.AbstractTask; @@ -63,6 +62,8 @@ public class CreateLdapConfig extends AbstractTask private String fixnumeric = null; @Expose private LdapMapping mapping; + @Expose + private String ldapAttrMountOpts; // Share mode stuff @Expose @@ -86,6 +87,8 @@ public class CreateLdapConfig extends AbstractTask @Expose private String shareDomain; @Expose + private String shareHomeMountOpts; + @Expose private int credentialPassthrough; private Output status = new Output(); @@ -143,13 +146,13 @@ public class CreateLdapConfig extends AbstractTask protected boolean execute() { TarArchiveOutputStream outArchive = null; - File keyFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".key.pem" ); - File certFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".crt.pem" ); - File caFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".ca-bundle.pem" ); - String uri = "ldaps://" + this.proxyip + ":" + this.proxyport + "/"; - String cacertPath = "/etc/ldap-proxy.pem"; - String caPath = ""; + final File keyFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".key.pem" ); + final File certFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".crt.pem" ); + final File caFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".ca-bundle.pem" ); + final String uri = "ldaps://" + this.proxyip + ":" + this.proxyport + "/"; + final String clientCacertPath = "/etc/ldap/proxy-" + this.moduleid + ".pem"; final String subject = "/C=DE/ST=Nowhere/L=Springfield/O=Dis/CN=" + this.proxyip; + String caPath = ""; try { // If cert already exists, check if the subject (most importantly the CN) matches the desired one if ( certFile.exists() ) { @@ -239,44 +242,29 @@ public class CreateLdapConfig extends AbstractTask certFile, keyFile ); // Generic ldap config - final Template ldapConf = new Template( "./data/ad/ldap.conf.template" ); - ldapConf.replace( "%URI%", uri ); - ldapConf.replace( "%SEARCHBASE%", this.searchbase ); - ldapConf.replace( "%CACERT%", cacertPath ); - // sssd config - final Template sssdConf = new Template( "./data/ad/sssd.conf.template" ); - sssdConf.replace( "%URI%", uri ); - sssdConf.replace( "%SEARCHBASE%", this.searchbase ); - sssdConf.replace( "%CACERT%", cacertPath ); + StringBuilder ldapConf = new StringBuilder(); + addConfLine( ldapConf, "LDAP_URI", uri ); + addConfLine( ldapConf, "LDAP_BASE", this.searchbase ); + addConfLine( ldapConf, "LDAP_CACERT", clientCacertPath ); + addConfLine( ldapConf, "LDAP_ATTR_MOUNT_OPTS", this.ldapAttrMountOpts ); // Sharemode config - String shareConf = String.format( - "SHARE_REMAP_MODE=%d\n" - + "SHARE_CREATE_MISSING_REMAP=%d\n" - + "SHARE_HOME_DRIVE='%s'\n" - + "SHARE_DOCUMENTS=%d\n" - + "SHARE_DOWNLOADS=%d\n" - + "SHARE_DESKTOP=%d\n" - + "SHARE_MEDIA=%d\n" - + "SHARE_OTHER=%d\n" - + "SHARE_DOMAIN='%s'\n" - + "SHARE_CREDENTIAL_PASSTHROUGH=%d\n", - this.shareRemapMode, - this.shareRemapCreate, - escapeBashString( this.shareHomeDrive ), - this.shareDocuments, - this.shareDownloads, - this.shareDesktop, - this.shareMedia, - this.shareOther, - escapeBashString( this.shareDomain ), - this.credentialPassthrough - ); + addConfLine( ldapConf, "SHARE_HOME_MOUNT_OPTS", this.shareHomeMountOpts ); + addConfLine( ldapConf, "SHARE_REMAP_MODE", this.shareRemapMode ); + addConfLine( ldapConf, "SHARE_CREATE_MISSING_REMAP", this.shareRemapCreate ); + addConfLine( ldapConf, "SHARE_HOME_DRIVE", this.shareHomeDrive ); + addConfLine( ldapConf, "SHARE_DOCUMENTS", this.shareDocuments ); + addConfLine( ldapConf, "SHARE_DOWNLOADS", this.shareDownloads ); + addConfLine( ldapConf, "SHARE_DESKTOP", this.shareDesktop ); + addConfLine( ldapConf, "SHARE_MEDIA", this.shareMedia ); + addConfLine( ldapConf, "SHARE_OTHER", this.shareOther ); + addConfLine( ldapConf, "SHARE_DOMAIN", this.shareDomain ); + addConfLine( ldapConf, "SHARE_CREDENTIAL_PASSTHROUGH", this.credentialPassthrough ); if ( this.shares != null && !this.shares.isEmpty() ) { int i = 0; for ( Share s : this.shares ) { - shareConf += String.format( "SHARE_LINE_%d='%s\t%s\t%s\t%s\t%s'\n", - ++i, escapeBashString( s.share ), escapeBashString( s.letter ), escapeBashString( s.shortcut ), - escapeBashString( s.user ), escapeBashString( s.pass ) ); + ++i; + addConfLine( ldapConf, "SHARE_LINE_" + i, + String.format( "%s\t%s\t%s\t%s\t%s", s.share, s.letter, s.shortcut, s.user, s.pass ) ); } } // Build tar/config @@ -305,46 +293,33 @@ public class CreateLdapConfig extends AbstractTask return false; } // The cert we just created - if ( !Archive.tarAddFile( outArchive, cacertPath, certFile, 0644 ) ) { + if ( !Archive.tarAddFile( outArchive, clientCacertPath, certFile, 0644 ) ) { status.error = "Could not add ldap-proxy.pem to module"; return false; } - // nsswitch.conf with ldap enabled - if ( !Archive.tarAddFile( outArchive, "/etc/nsswitch.conf", new File( "./data/ad/nsswitch.conf" ), 0644 ) ) { - status.error = "Could not add nsswitch.conf to module"; - return false; - } - // All the pam.d common-XXXX files - for ( String file : new String[] { "common-auth", "common-account", "common-session", "common-session-noninteractive", - "common-password" } ) { - if ( !Archive.tarAddFile( outArchive, "/etc/pam.d/" + file, new File( "./data/ad/" + file ), 0644 ) ) { - status.error = "Could not add " + file + " to module"; - return false; - } - } - // Home if present - if ( !Archive.tarAddFile( outArchive, "/opt/openslx/scripts/pam_script_mount_persistent", new File( "./data/ad/mountscript" ), - 0644 ) ) { - status.error = "Could not add mount script to module"; - return false; - } - boolean ret = Archive.tarCreateFileFromString( outArchive, "/etc/ldap.conf", ldapConf.toString(), 0644 ) - && Archive.tarCreateFileFromString( outArchive, "/etc/sssd/sssd.conf", sssdConf.toString(), 0600 ) - && Archive.tarCreateFileFromString( outArchive, "/opt/openslx/inc/shares", shareConf, 0644 ) - && Archive.tarCreateSymlink( outArchive, "/etc/ldap.conf", "/etc/ldap/ldap.conf" ) - && Archive.tarCreateSymlink( outArchive, "/etc/ldap.conf", "/etc/openldap/ldap.conf" ) - && Archive.tarCreateSymlink( outArchive, "../sssd.service", "/etc/systemd/system/basic.target.wants/sssd.service" ); + boolean ret = Archive.tarCreateFileFromString( outArchive, "/opt/openslx/pam/slx-ldap.d/conf-" + this.moduleid, + ldapConf.toString(), 0644 ); if ( !ret ) { status.error = "Could not add ldap configs to module"; } return ret; - } catch ( IOException e ) { - status.error = e.toString(); - return false; } finally { Util.multiClose( outArchive ); } } + + private void addConfLine( StringBuilder sb, String varName, int value ) + { + addConfLine( sb, varName, Integer.toString( value ) ); + } + + private void addConfLine( StringBuilder sb, String varName, String value ) + { + sb.append( varName ); + sb.append( "='" ); + sb.append( escapeBashString( value ) ); + sb.append( "'\n" ); + } private String escapeBashString( String str ) { -- cgit v1.2.3-55-g7522