From 89c09d4ed208e838d6e21932079767c8eb9ffaba Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Thu, 15 Mar 2018 17:13:34 +0100 Subject: [CreateLdapConfig] Adapt to new config format references #3313 --- data/ad/common-account | 10 --- data/ad/common-auth | 14 ---- data/ad/common-password | 9 --- data/ad/common-session | 20 ------ data/ad/common-session-noninteractive | 16 ----- data/ad/ldap.conf.template | 9 --- data/ad/mountscript | 131 ---------------------------------- data/ad/nsswitch.conf | 14 ---- data/ad/sssd.conf.template | 20 ------ 9 files changed, 243 deletions(-) delete mode 100644 data/ad/common-account delete mode 100644 data/ad/common-auth delete mode 100644 data/ad/common-password delete mode 100644 data/ad/common-session delete mode 100644 data/ad/common-session-noninteractive delete mode 100644 data/ad/ldap.conf.template delete mode 100644 data/ad/mountscript delete mode 100644 data/ad/nsswitch.conf delete mode 100644 data/ad/sssd.conf.template (limited to 'data') diff --git a/data/ad/common-account b/data/ad/common-account deleted file mode 100644 index 341a340..0000000 --- a/data/ad/common-account +++ /dev/null @@ -1,10 +0,0 @@ -account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so -account [success=2 new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/scripts/pam_bwidm -account [success=1 default=ignore] pam_sss.so -# here's the fallback if no module succeeds -account requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -account required pam_permit.so - diff --git a/data/ad/common-auth b/data/ad/common-auth deleted file mode 100644 index f7e97a5..0000000 --- a/data/ad/common-auth +++ /dev/null @@ -1,14 +0,0 @@ -auth [success=4 default=ignore] pam_unix.so nodelay -auth [success=3 default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/scripts/pam_bwidm -auth [success=2 default=ignore] pam_sss.so use_first_pass -# here's the fallback if no module succeeds -auth optional pam_faildelay.so delay=2123123 -auth requisite pam_deny.so -auth optional pam_script.so expose=1 -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -auth required pam_permit.so -# and here are more per-package modules (the "Additional" block) -auth optional pam_cap.so - diff --git a/data/ad/common-password b/data/ad/common-password deleted file mode 100644 index 9362eac..0000000 --- a/data/ad/common-password +++ /dev/null @@ -1,9 +0,0 @@ -password [success=1 default=ignore] pam_unix.so obscure sha512 -# here's the fallback if no module succeeds -password requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -password required pam_permit.so -# and here are more per-package modules (the "Additional" block) - diff --git a/data/ad/common-session b/data/ad/common-session deleted file mode 100644 index f5651a9..0000000 --- a/data/ad/common-session +++ /dev/null @@ -1,20 +0,0 @@ -session [default=1] pam_permit.so -# here's the fallback if no module succeeds -session requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -session required pam_permit.so -# The pam_umask module will set the umask according to the system default in -# /etc/login.defs and user settings, solving the problem of different -# umask settings with different shells, display managers, remote sessions etc. -# See "man pam_umask". -session optional pam_umask.so -session required pam_systemd.so -session optional pam_env.so readenv=1 -session optional pam_env.so readenv=1 envfile=/etc/default/locale -# and here are more per-package modules (the "Additional" block) -session [success=1] pam_unix.so -session [success=ok] pam_sss.so -session sufficient pam_script.so - diff --git a/data/ad/common-session-noninteractive b/data/ad/common-session-noninteractive deleted file mode 100644 index 36b573c..0000000 --- a/data/ad/common-session-noninteractive +++ /dev/null @@ -1,16 +0,0 @@ -session [default=1] pam_permit.so -# here's the fallback if no module succeeds -session requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -session required pam_permit.so -# The pam_umask module will set the umask according to the system default in -# /etc/login.defs and user settings, solving the problem of different -# umask settings with different shells, display managers, remote sessions etc. -# See "man pam_umask". -session optional pam_umask.so -# and here are more per-package modules (the "Additional" block) -session sufficient pam_unix.so -session sufficient pam_sss.so - diff --git a/data/ad/ldap.conf.template b/data/ad/ldap.conf.template deleted file mode 100644 index c607405..0000000 --- a/data/ad/ldap.conf.template +++ /dev/null @@ -1,9 +0,0 @@ -URI %URI% -BASE %SEARCHBASE% -BIND_TIMELIMIT 10 -TIMELIMIT 30 -TLS_REQCERT demand -TLS_CACERT %CACERT% -nss_base_passwd %SEARCHBASE% -nss_base_group %SEARCHBASE% -nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data diff --git a/data/ad/mountscript b/data/ad/mountscript deleted file mode 100644 index 810eed6..0000000 --- a/data/ad/mountscript +++ /dev/null @@ -1,131 +0,0 @@ -################################################################### -# -# This script is a part of the pam_script_ses_open script -# and is not stand-alone! -# - -VOLUME= -SEARCH= -RESULT= -REAL_ACCOUNT= -WAIT= -TMPDEL= -LOGFILES= -if ! grep -q "^${PAM_USER}:" "/etc/passwd"; then - if which gawk &>/dev/null; then - un64() { - gawk 'BEGIN{FS=":: "}{c="base64 -d";if(/^\w+:: /) {print $2 |& c; close(c,"to"); c |& getline $2; close(c); printf("%s: %s\n", $1, $2); next} print $0 }' - } - else - un64() { - cat - } - fi - # determine fileserver and share for home directories - SEARCH=$(mktemp) - TMPDEL="$TMPDEL $SEARCH" - ldapsearch -l 3 -o nettimeout=3 -o ldif-wrap=no -x -LLL uid="${PAM_USER}" dn distinguishedName homeMount realAccount > "${SEARCH}" 2>&1 - BINDDN=$(cat "${SEARCH}" | grep -E '^(dn|distinguishedName):' | un64 | head -n 1 | cut -d ' ' -f 2-) - if [ -z "$BINDDN" ]; then - slxlog "pam-ad-ldapquery" "Could not query DN of user ${PAM_USER}. No home directory available" "${SEARCH}" - WAIT=1 - else - RESULT=$(mktemp) - TMPDEL="$TMPDEL $RESULT" - PW="/tmp/pw.${RANDOM}.${RANDOM}.${PAM_USER}.${RANDOM}" - mkfifo -m 0600 "${PW}" || slxlog "pam-ad-fifo" "Could not create FIFO at ${PW}" - ( - echo -n "${PAM_AUTHTOK}" > "${PW}" - ) & - if ! ldapsearch -y "${PW}" -D "$BINDDN" -l 5 -o nettimeout=5 -o ldif-wrap=no -x -LLL uid="${PAM_USER}" homeMount realAccount > "${RESULT}" 2>&1; then - slxlog "pam-ad-ldapquery" "Could not query LDAP-AD-Proxy for parameters of user '${PAM_USER}' (${BINDDN})." "${RESULT}" - WAIT=1 - fi - rm -f -- "${PW}" - VOLUME=$(cat "${RESULT}" | grep '^homeMount:' | head -n 1 | cut -d ' ' -f 2-) - [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT=$(cat "${RESULT}" | grep '^realAccount:' | head -n 1 | cut -d ' ' -f 2-) - fi - [ -z "$VOLUME" ] && VOLUME=$(cat "${SEARCH}" | grep '^homeMount:' | head -n 1 | cut -d ' ' -f 2-) - [ -z "$VOLUME" ] && slxlog "pam-ad-ldapvolume" "AD/Proxy did not provide 'homeMount'. Aborting mount for ${PAM_USER}." "${RESULT}" - [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT=$(cat "${SEARCH}" | grep '^realAccount:' | head -n 1 | cut -d ' ' -f 2-) - [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT="${PAM_USER}" -fi - -if [ -n "${VOLUME}" ]; then - isHomeMounted() { - grep -Fuq " ${PERSISTENT_HOME_DIR} " /proc/mounts - } - # Most servers can work without, but some don't - XDOMAIN= - if [ -s "/opt/openslx/inc/shares" ]; then - . /opt/openslx/inc/shares - XDOMAIN="${SHARE_DOMAIN}" - fi - if [ -z "$XDOMAIN" ]; then - XDOMAIN=$(<"/etc/ldap.conf" grep -m1 -i '^BASE\s.*DC=' | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-) - fi - if [ -z "$XDOMAIN" ]; then - XDOMAIN=$(<"/etc/sssd/sssd.conf" grep -m1 -i '^ldap_search_base\s*=.*DC=' | grep -o -E -i 'DC=[^,;]+' | head -n 1 | cut -c 4-) - fi - if [ "x$XDOMAIN" = "x#" ]; then - XDOMAIN= - fi - # Remember for hooks in pam_script_auth.d - export PERSISTENT_NETPATH=$(echo "$VOLUME" | tr '/' '\') - - export USER="${REAL_ACCOUNT}" - export PASSWD="${PAM_AUTHTOK}" - - # We try 7 different mount option combinations; launch them in 1 second steps until one of them succeeds - CNT=0 - PIDS= - for opt in "vers=3.0,sec=ntlmssp" "vers=2.1,sec=ntlmssp" "vers=1.0,sec=ntlm" "vers=3.0,sec=ntlmv2" "vers=1.0,sec=ntlmv2" "vers=3.0,sec=ntlm" "vers=2.0,sec=ntlmssp"; do - # Also we try with and without explicit domain argument - for dom in "#" $XDOMAIN; do # No quotes - [ "x$dom" != "x#" ] && opt="${opt},domain=$dom" - CNT=$(( CNT + 1 )) - FILE=$(mktemp) - LOGFILES="$LOGFILES $FILE" - MOUNT_OPTS="-v -t cifs -o uid=${USER_UID},gid=${USER_GID},forceuid,forcegid,${opt},nounix,file_mode=0700,dir_mode=0700,noacl,nobrl" - echo " ****** Trying '$opt'" > "$FILE" - mount ${MOUNT_OPTS} "${VOLUME}" "${PERSISTENT_HOME_DIR}" >> "${FILE}" 2>&1 & - PID=$! - # Wait max. 1 second; remember PID if this mount call seems to be running after we stop waiting - for waits in 1 2 3 4; do - usleep 250000 - if isHomeMounted; then - # A previously invoked mount call might have succeeded while this one is still running; try to stop it right away - kill "$PID" &> /dev/null - break 3 - fi - kill -0 "$PID" || break - done - kill -0 "$PID" && PIDS="$PIDS $PID" # Remember all PIDs - done - done - - if [ -n "$PIDS" ]; then - CNT=0 - while ! isHomeMounted && [ "$CNT" -lt 10 ] && kill -0 $PIDS; do # No quotes - usleep 333000 - CNT=$(( CNT + 1 )) - done - kill -9 $PIDS # Kill any leftovers; No quotes - fi - - if ! isHomeMounted; then - LOG_COMBINED=$(mktemp) - [ -n "$LOGFILES" ] && cat ${LOGFILES} > "$LOG_COMBINED" # No quotes - slxlog --delete "pam-ad-mount" "Mount of '${VOLUME}' to '${PERSISTENT_HOME_DIR}' failed." "${LOG_COMBINED}" - else - PERSISTENT_OK=yes - #chmod -R u+rwX "${PERSISTENT_HOME_DIR}" 2>/dev/null TODO: Still needed? Use '&' maybe? - fi - - unset USER - unset PASSWD -fi - -[ -n "${TMPDEL}${LOGFILES}" ] && rm -f -- ${TMPDEL} ${LOGFILES} # No quotes -true - diff --git a/data/ad/nsswitch.conf b/data/ad/nsswitch.conf deleted file mode 100644 index 75ea9f8..0000000 --- a/data/ad/nsswitch.conf +++ /dev/null @@ -1,14 +0,0 @@ -passwd: compat sss -group: compat sss -shadow: compat - -hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 -networks: files - -protocols: db files -services: db files -ethers: db files -rpc: db files - -netgroup: nis - diff --git a/data/ad/sssd.conf.template b/data/ad/sssd.conf.template deleted file mode 100644 index ce87799..0000000 --- a/data/ad/sssd.conf.template +++ /dev/null @@ -1,20 +0,0 @@ -[sssd] -config_file_version = 2 -services = nss, pam -domains = LDAP -[nss] -filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo -[pam] -[domain/LDAP] -filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo -id_provider = ldap -auth_provider = ldap -ldap_tls_reqcert = demand -ldap_tls_cacert = %CACERT% -ldap_schema = rfc2307 -ldap_uri = %URI% -ldap_search_base = %SEARCHBASE% -ldap_user_email = bogusFieldName42 -ldap_user_principal = bogusFieldName43 -cache_credentials = true - -- cgit v1.2.3-55-g7522