Diffstat (limited to 'src/os-plugins/plugins/auth/XX_auth.sh')
-rw-r--r-- | src/os-plugins/plugins/auth/XX_auth.sh | 214 |
1 files changed, 214 insertions, 0 deletions
diff --git a/src/os-plugins/plugins/auth/XX_auth.sh b/src/os-plugins/plugins/auth/XX_auth.sh
new file mode 100644
index 00000000..99d5716e
--- /dev/null
+++ b/src/os-plugins/plugins/auth/XX_auth.sh
@@ -0,0 +1,214 @@
+ # Copyright (c) 2010 - OpenSLX GmbH
+#
+# This program/file is free software distributed under the GPL version 2.
+# See http://openslx.org/COPYING
+#
+# If you have any feedback please consult http://openslx.org/feedback and
+# send your feedback to feedback@openslx.org
+#
+# General information about OpenSLX can be found at http://openslx.org
+#
+# script is included from init via the "." load function - thus it has all
+# variables and functions available
+
+# check if the configuration file is available
+if [ -e /initramfs/plugin-conf/auth.conf ]; then
+
+  . /etc/openslx.conf
+  ETCDIR=/mnt/${OPENSLX_DEFAULT_CONFDIR}
+  PLUGINCONFDIR=${ETCDIR}/plugins/auth
+  BINDIR=/mnt/${OPENSLX_DEFAULT_BINDIR}
+  PLUGINDIR=/mnt/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth
+  VIRTDIR=/mnt/${OPENSLX_DEFAULT_VIRTDIR}
+
+  # load needed variables
+  . /initramfs/plugin-conf/auth.conf
+
+  # get distribution info; has also version if needed...
+  . /etc/slxsystem.conf
+  distro=$slxconf_distro_name
+  distro_version=$slxconf_distro_ver
+
+  # Test if this plugin is activated... more or less useless with the
+  # new plugin system
+  if [ $auth_active -ne 0 ]; then
+    [ $DEBUGLEVEL -gt 0 ] && echo "executing the 'auth' os-plugin ...";
+    # load general configuration
+    . /initramfs/machine-setup
+
+    # Passwd: todo: move somewhere else
+    chown root:shadow /mnt/etc/shadow
+    chmod 0640 /mnt/etc/shadow
+    chown root:root /mnt/etc/paswd
+    chmod 0644 /mnt/etc/passwd
+    #sed -i 's/auth_rootpwd.*/auth_rootpwd=*********/' $PLUGINCONFDIR/auth.conf
+
+    # set authentication to passwd and group which is default
+    sed -i 's/^passwd:.*/passwd: files/' /mnt/etc/nsswitch.conf
+    sed -i 's/^group:.*/group: files/' /mnt/etc/nsswitch.conf
+
+    if [ $auth_ldap -eq 1 ]; then
+      cp ${PLUGINDIR}/ldap.conf.slx /mnt/etc/ldap/ldap.conf
+      cp ${PLUGINDIR}/ldap.conf.slx /mnt/etc/openldap/ldap.conf # required for openSUSE 11.4
+      # even if their syntax can differ, we copy them (and hope no nss_* attributes where used)
+      cp ${PLUGINDIR}/ldap.conf.slx /mnt/etc/nslcd.conf # required for openSUSE 11.4
+      cp ${PLUGINDIR}/ldap.conf.slx /mnt/etc/ldap.conf
+
+      # PAM: add ldap conf before pam_unix(2).so; SuSE: ...-pc
+      sed -i \
+        '/^account.*req.*pam_unix/ s/^/account sufficient pam_ldap.so\n/' \
+        /mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-account-pc
+      sed -i \
+        '/^auth.*req.*pam_unix/ s/^/auth sufficient pam_ldap.so\n/' \
+        /mnt/etc/pam.d/common-auth /mnt/etc/pam.d/common-auth-pc
+
+      sed -i 's/^\(passwd:.*\)/\1 ldap/' /mnt/etc/nsswitch.conf
+      sed -i 's/^\(group:.*\)/\1 ldap/' /mnt/etc/nsswitch.conf
+
+      case "$distro" in
+        suse)
+          rllinker "nslcd" 20 8 # req. with OpenSuSE 11.4
+          ;;
+      esac
+
+      # just to be on the save side... usually nslcd isn't used.
+      sed -i "s/^\(nss_.*\)/#XX_auth.sh#\1/" /mnt/etc/nslcd.conf
+
+
+      # hack. if we want to have totally custom ldap.conf files...
+      if [ -f ${PLUGINDIR}/ldap.conf ]; then
+        cp ${PLUGINDIR}/ldap.conf /mnt/etc/ldap.conf
+        cp ${PLUGINDIR}/ldap.conf /mnt/etc/ldap/ldap.conf
+        cp ${PLUGINDIR}/ldap.conf /mnt/etc/openldap/ldap.conf # required for openSUSE 11.4
+        chmod 644 /mnt/etc/ldap.conf /mnt/etc/ldap/ldap.conf
+      fi
+      # similiar to ldap.conf, but just similiar
+      if [ -f ${PLUGINDIR}/nslcd.conf ]; then
+        cp ${PLUGINDIR}/nslcd.conf /mnt/etc/nslcd.conf # openSUSE 11.4
+      fi
+
+    fi
+
+    # configure automount
+    if [ $auth_automount -eq 1 ]; then
+      cp ${PLUGINDIR}/auto.master /mnt/etc
+      cp ${PLUGINDIR}/auto.slx /mnt/etc
+      if [! -d /mnt/$auth_automnt_dir ]; then
+        mkdir -p /mnt/$auth_automnt_dir
+      fi
+
+      config_portmap # distro specific configuration :(
+      config_automount # distro specific configuration :(
+      config_nfs # distro specific config... activates gssd and idmapd
+
+      #maybe we need the following, same at auth_nfs4. also OS depending
+      #rllinker "autofs" 15 7
+
+      # hack for ubuntu
+      if [ $distro = "ubuntu" ]; then
+        sed -e 's,start on ,start on filesystem #,' \
+          -i /mnt/etc/init/statd.conf
+        echo -e "alias autofs autofs4" >>/mnt/etc/modprobe.d/aliases.conf
+      fi
+    fi
+
+    # configure nfs4
+    if [ $auth_nfs4 -eq 1 ]; then
+      testmkd /mnt/var/lib/nfs/rpc_pipefs
+      echo -e "rpc_pipefs\t/var/lib/nfs/rpc_pipefs rpc_pipefs defaults\t 0 0 nfsd\t\t/proc/fs/nfsd\tnfsd\t\tdefaults\t 0 0" >>/etc/fstab
+      echo -e "rpc_pipefs\t/var/lib/nfs/rpc_pipefs rpc_pipefs defaults\t 0 0 nfsd\t\t/proc/fs/nfsd\tnfsd\t\tdefaults\t 0 0" >>/mnt/etc/fstab
+      mount -t rpc_pipefs rpc_pipefs /var/lib/nfs/rpc_pipefs
+      mount -t nfsd nfsd /proc/fs/nfsd
+      touch /mnt/var/lib/nfs/state
+      config_portmap # distro specific config. maybe double usage with automount
+      #rllinker "portmap" 2 20
+
+      # starts rpc.idmapd, maybe portmap... nfs-init.d-hell...
+      case "$distro" in
+        suse)
+          rllinker "nfs" 14 8
+          ;;
+        ubuntu)
+          rllinker "nfs-common" 14 8
+          sed -i 's/^NEED_IDMAPD=.*/NEED_IDMAPD=yes/' /mnt/etc/default/nfs-common
+          ;;
+        *)
+          # we don't know it, so lets use all... hopefully one will work ;-)
+          rllinker "nfs" 14 8
+          rllinker "nfs-common" 14 8
+          ;;
+      esac
+
+      sed -i \
+        "s/^Domain.*/Domain = ${auth_idmap_domain}/" \
+        /mnt/etc/idmapd.conf
+
+
+      #maybe we need the following, same at auth_nfs4. also OS depending
+      #rllinker "autofs" 15 7
+    fi
+
+    # configure automnt_script
+    if [ $auth_automnt_script ]; then
+      chmod 755 /mnt/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_automnt_script
+    fi
+
+
+
+    # configure KerberOS
+    if [ $auth_krb -eq 1 ]; then
+      cp ${PLUGINDIR}/krb5.conf /mnt/etc
+      chmod 644 /mnt/etc/krb5.conf
+
+      # PAM: add krb conf after pam_unix(2).so; SuSE: ...-pc
+      sed -i \
+        '/^account.*req.*pam_unix/ s/^/account [success=ok new_authtok_reqd=ok ignore=ignore default=bad user_unknown=ignore] pam_krb5.so use_first_pass\n/' \
+        /mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-account-pc
+      sed -i \
+        '/^account.*req.*pam_unix/ s/^/auth sufficient pam_krb5.so use_first_pass\n/' \
+        /mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-auth-pc
+      echo "session optional pam_krb5.so" >> /mnt/etc/pam.d/common-session
+      echo "session optional pam_krb5.so" >> /mnt/etc/pam.d/common-session-pc
+
+      # script to get keytab or do other magic things
+      if [ -n $auth_krbscript ]; then
+        echo "# auth-plugin: start custom kerberOS script
+/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_krbscript
+chmod 600 /etc/krb5.keytab # if a user forget to change it the $auth_krbscript" \
+          >> /mnt/etc/init.d/boot.slx
+        chmod 755 /mnt/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_krbscript
+        # just krb5.conf perm
+        rllinker "boot.slx" 2 20
+      fi
+
+      # maybe not needed in every case. depends how $HOME gets mounted... but required for nfs & automount at least with nfsv4
+      if [ $distro = "ubuntu" ]; then
+        sed -i 's/^NEED_GSSD.*/NEED_GSSD=yes/' /mnt/etc/default/nfs-common
+      fi
+      if [ $distro = "suse" ]; then
+        sed -i 's/^NFS_START_SERVICES.*/NFS_START_SERVICES="yes"/' /mnt/etc/sysconfig/nfs
+        sed -i 's/^NFS_SECURITY_GSS.*/NFS_SECURITY_GSS="yes"/' /mnt/etc/sysconfig/nfs
+      fi
+
+    fi
+
+  fi
+
+  # hack. if we want to have totally custom pam-files...
+  if [ -d ${PLUGINDIR}/pam.d/ ]; then
+    cp ${PLUGINDIR}/pam.d/* /mnt/etc/pam.d/
+  fi
+
+  # hack. if we want to have totally custom nsswitch.conf file...
+  if [ -f ${PLUGINDIR}/nsswitch.conf ]; then
+    cp ${PLUGINDIR}/nsswitch.conf /mnt/etc/nsswitch.conf
+    chmod 644 /mnt/etc/nsswitch.conf
+  fi
+
+
+  # just for development purpose, can be deleted later
+  rllinker "syslog" 2 20
+
+else
+  [ $DEBUGLEVEL -gt 0 ] && echo " * Configuration of auth plugin failed"
+fi
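Review bot: The Kerberos auth rule never reaches the PAM auth stack: the second sed in the `auth_krb` block anchors on `^account.*req.*pam_unix` but inserts an `auth sufficient pam_krb5.so use_first_pass` line, and it edits `common-account` and `common-auth-pc`, so on the Debian/Ubuntu layout the auth entry lands in the account file while on the SuSE layout `common-auth-pc` has no `^account` line to match, leaving pam_unix alone and Kerberos silently unconfigured. Mirror the LDAP block above it, `'/^auth.*req.*pam_unix/ s/^/auth sufficient pam_krb5.so use_first_pass\n/'` applied to `/mnt/etc/pam.d/common-auth /mnt/etc/pam.d/common-auth-pc`, and note that the comment says "after pam_unix(2).so" while `s/^/` prepends, so with `use_first_pass` no earlier module has collected a password at that point — decide which ordering is intended and make the comment match. Two shell bugs in the same hunk also change what gets written: `[ -n $auth_krbscript ]` is true when the variable is empty (unquoted, `-n` gets no operand), so the boot.slx hook and the `chmod 755` on the plugin directory run even with no script configured — write `[ -n "$auth_krbscript" ]` — and `[! -d /mnt/$auth_automnt_dir ]` lacks the space after `[`, so the automount directory is never created. Finally, `chown root:root /mnt/etc/paswd` misspells passwd, so that chown is skipped, and the two fstab entries in the `auth_nfs4` block appear to be emitted on a single line, which fstab would not parse as two mounts.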