[PC-BSD Commits] r18397 - in pcbsd/current/src-sh/pc-adctl: rc scripts
svn at pcbsd.org
svn at pcbsd.org
Fri Aug 10 15:49:40 PDT 2012
Author: johnh
Date: 2012-08-10 22:49:40 +0000 (Fri, 10 Aug 2012)
New Revision: 18397
Added:
pcbsd/current/src-sh/pc-adctl/scripts/pc-ldapctl
pcbsd/current/src-sh/pc-adctl/scripts/pc-nssldap
Modified:
pcbsd/current/src-sh/pc-adctl/rc/rc.activedirectory
pcbsd/current/src-sh/pc-adctl/rc/rc.ldap
pcbsd/current/src-sh/pc-adctl/scripts/Makefile
pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap
pcbsd/current/src-sh/pc-adctl/scripts/pc-nsswitch
pcbsd/current/src-sh/pc-adctl/scripts/pc-pam
pcbsd/current/src-sh/pc-adctl/scripts/pc-samba
Log:
wire things up to understand both activedirectory and ldap
Modified: pcbsd/current/src-sh/pc-adctl/rc/rc.activedirectory
===================================================================
--- pcbsd/current/src-sh/pc-adctl/rc/rc.activedirectory 2012-08-10 19:52:40 UTC (rev 18396)
+++ pcbsd/current/src-sh/pc-adctl/rc/rc.activedirectory 2012-08-10 22:49:40 UTC (rev 18397)
@@ -209,12 +209,12 @@
rm "${tmpfile}"
}
-__escape()
+__AD_escape()
{
printf "${1}" | sed -Ee 's|\\|\\\\|g' -Ee 's|[^a-zA-Z0-9]|\\&|g'
}
-__unescape()
+__AD_unescape()
{
printf "${1}" | sed -Ee 's|\\([^a-zA-Z0-9])|\1|g' -Ee 's|\\\\|\\|g'
}
@@ -226,7 +226,7 @@
local var=\$$(printf "${prefix}${name}")
local val=$(eval "printf ${var}")
- __unescape "${val}"
+ __AD_unescape "${val}"
}
AD_get()
@@ -244,7 +244,7 @@
{
local prefix="${1}"
local var="${2}"
- local val=$(__escape "${3}")
+ local val=$(__AD_escape "${3}")
local pair="${var}=${val}"
eval "${prefix}${pair}"
Modified: pcbsd/current/src-sh/pc-adctl/rc/rc.ldap
===================================================================
--- pcbsd/current/src-sh/pc-adctl/rc/rc.ldap 2012-08-10 19:52:40 UTC (rev 18396)
+++ pcbsd/current/src-sh/pc-adctl/rc/rc.ldap 2012-08-10 22:49:40 UTC (rev 18397)
@@ -6,12 +6,12 @@
: ${PC_LDAP_CONF:="/usr/local/etc/pc-ldap.conf"}
-__escape()
+__ldap_escape()
{
echo "${1}" | sed -Ee 's|\\|\\\\|g' -Ee 's|[^a-zA-Z0-9]|\\&|g'
}
-__unescape()
+__ldap_unescape()
{
echo "${1}" | sed -Ee 's|\\([^a-zA-Z0-9])|\1|g' -Ee 's|\\\\|\\|g'
}
@@ -23,7 +23,7 @@
local var=\$$(echo "${prefix}${name}")
local val="$(eval "echo ${var}")"
- __unescape "${val}"
+ __ldap_unescape "${val}"
}
ldap_get()
@@ -53,7 +53,7 @@
{
local prefix="${1}"
local var="${2}"
- local val="$(__escape "${3}")"
+ local val="$(__ldap_escape "${3}")"
local pair="${var}=${val}"
export eval "${prefix}${pair}"
Modified: pcbsd/current/src-sh/pc-adctl/scripts/Makefile
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/Makefile 2012-08-10 19:52:40 UTC (rev 18396)
+++ pcbsd/current/src-sh/pc-adctl/scripts/Makefile 2012-08-10 22:49:40 UTC (rev 18397)
@@ -1,5 +1,5 @@
FILES=pc-activedirectory pc-kerberos pc-kinit pc-nsswitch pc-pam \
- pc-samba pc-adctl pc-ldap
+ pc-samba pc-adctl pc-ldap pc-nssldap
FILESMODE=0555
FILESDIR=/usr/local/etc/rc.d
Modified: pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap 2012-08-10 19:52:40 UTC (rev 18396)
+++ pcbsd/current/src-sh/pc-adctl/scripts/pc-ldap 2012-08-10 22:49:40 UTC (rev 18397)
@@ -9,14 +9,8 @@
. /usr/local/etc/rc.ldap
-: ${NSS_LDAP_CONF:="/usr/local/etc/nss_ldap.conf"}
-: ${NSS_LDAP_SECRET:="/usr/local/etc/nss_ldap.secret"}
: ${OPENLDAP_CONF:="/usr/local/etc/openldap/ldap.conf"}
-
-: ${CERT_FILE:="/usr/local/etc/certs/cacert.crt"}
-
: ${LDAPCONF:="/usr/local/bin/ldapconf"}
-: ${NSSLDAPCONF:="/usr/local/bin/nssldapconf"}
backup_openldap_conf()
@@ -49,36 +43,6 @@
}
-backup_nss_ldap_conf()
-{
- local conf="${NSS_LDAP_CONF}"
- local backup="${conf}.bak"
-
- if [ -f "${conf}" ]
- then
- cp "${conf}" "${backup}"
- return $?
- fi
-
- return 0
-}
-
-
-restore_nss_ldap_conf()
-{
- local conf="${NSS_LDAP_CONF}"
- local backup="${conf}.bak"
-
- if [ -f "${backup}" ]
- then
- cp "${backup}" "${conf}"
- return $?
- fi
-
- return 0
-}
-
-
safe_save()
{
local src="${1}"
@@ -165,177 +129,6 @@
return 0
}
-generate_nss_ldap_conf()
-{
- local tmp
- local conf="${NSS_LDAP_CONF}"
- local secret="${NSS_LDAP_SECRET}"
-
- local host=$(ldap_get hostname)
- local basedn=$(ldap_get basedn)
- local rootbasedn=$(ldap_get rootbasedn)
- local rootbindpw=$(ldap_get rootbindpw)
- local anonbind=$(ldap_get anonbind)
- local pwencryption=$(ldap_get pwencryption)
- local usersuffix=$(ldap_get usersuffix)
- local groupsuffix=$(ldap_get groupsuffix)
- local passwordsuffix=$(ldap_get passwordsuffix)
- local machinesuffix=$(ldap_get machinesuffix)
- local encryption_mode=$(ldap_get encryption_mode)
- local certfile=$(ldap_get tls_cacertfile)
- local options="$(ldap_get_options)"
-
- local cmd="${NSSLDAPCONF}"
- if [ -f "${conf}" ]
- then
- cmd="${NSSLDAPCONF} -f ${conf}"
- fi
-
- tmp=$(mktemp /tmp/tmp.XXXXXX)
- ${cmd} \
- -c -m "^host=${hostname}" \
- -c -m "^base=${basedn}" \
- -c -m "^rootbinddn=${rootbasedn}" \
- -c -m "^pam_password=${pwencryption}" \
- -c -t "^nss_override_attribute_value=loginShell=/bin/sh" \
- -o "${tmp}"
- if [ "$?" != "0" ]
- then
- return 1
- fi
- if ! safe_save "${tmp}" "${conf}"
- then
- return 1
- fi
-
- cmd="${NSSLDAPCONF} -f ${conf}"
-
- tmp=$(mktemp /tmp/tmp.XXXXXX)
- if [ -z "${usersuffix}" ]
- then
- ${cmd} -c -m "^nss_base_passwd=${basedn}" -o "${tmp}"
- else
- ${cmd} -c -m "^nss_base_passwd=${usersuffix},${basedn}" -o "${tmp}"
- fi
- if [ "$?" != "0" ]
- then
- return 1
- fi
- if ! safe_save "${tmp}" "${conf}"
- then
- return 1
- fi
-
- tmp=$(mktemp /tmp/tmp.XXXXXX)
- if [ -z "${groupsuffix}" ]
- then
- ${cmd} -c -m "^nss_base_group=${basedn}" -o "${tmp}"
- else
- ${cmd} -c -m "^nss_base_group=${groupsuffix},${basedn}" -o "${tmp}"
- fi
- if [ "$?" != "0" ]
- then
- return 1
- fi
- if ! safe_save "${tmp}" "${conf}"
- then
- return 1
- fi
-
- if [ "${encryption_mode}" = "start_tls" ]
- then
- tmp=$(mktemp /tmp/tmp.XXXXXX)
- ${cmd} \
- -c -m "^ssl=${encryption_mode}" \
- -c -m "^tls_cacertfile=${certfile}" \
- -o "${tmp}"
- if [ "$?" != "0" ]
- then
- return 1
- fi
- if ! safe_save "${tmp}" "${conf}"
- then
- return 1
- fi
-
- elif [ "${encryption_mode}" = "on" ]
- then
- tmp=$(mktemp /tmp/tmp.XXXXXX)
- ${cmd} \
- -c -m "^uri=ldaps://${hostname}" \
- -c -m "^ssl=${encryption_mode}" \
- -c -m "^tls_cacertfile=${certfile}" \
- -o "${tmp}"
- if [ "$?" != "0" ]
- then
- return 1
- fi
- if ! safe_save "${tmp}" "${conf}"
- then
- return 1
- fi
- fi
-
- for opt in ${options}
- do
- local var val tv n=0
-
- var=$(echo "${opt}" | sed -E 's|^opt_||')
- val=$(ldap_get ${opt})
-
- tv=""
- for v in ${val}
- do
- n=$((n + 1))
- tv="${tv}${v}="
- done
-
- if [ "${n}" = "1" ]
- then
- tmp=$(mktemp /tmp/tmp.XXXXXX)
-
- ${cmd} -c -m "^${var}=${val}" -o "${tmp}"
- if [ "$?" != "0" ]
- then
- return 1
- fi
- if ! safe_save "${tmp}" "${conf}"
- then
- return 1
- fi
-
- elif [ "${n}" -gt "1" ]
- then
- tmp=$(mktemp /tmp/tmp.XXXXXX)
-
- tv=$(echo "${tv}"|sed -E 's|=$||')
-
- ${cmd} -c -t "^${var}=${tv}" -o "${tmp}"
- if [ "$?" != "0" ]
- then
- return 1
- fi
- if ! safe_save "${tmp}" "${conf}"
- then
- return 1
- fi
- fi
-
- done
-
- if [ "${anonbind}" != "1" ]
- then
- printf "${rootbindpw}" > "${secret}"
- chmod 600 "${secret}"
- fi
-
- ln -sf ${conf} "$(dirname ${conf})/ldap.conf"
- if [ "$ldap_anonbind" != 1 ]
- then
- ln -sf ${secret} "$(dirname ${secret})/ldap.secret"
- fi
-}
-
ldap_status()
{
local ret=0
@@ -401,12 +194,8 @@
if checkyesno ldapclient_enable 2>/dev/null
then
ldap_init
-
backup_openldap_conf
generate_openldap_conf
-
- backup_nss_ldap_conf
- generate_nss_ldap_conf
fi
}
@@ -414,7 +203,6 @@
{
if checkyesno ldapclient_enable 2>/dev/null
then
- restore_nss_ldap_conf
restore_openldap_conf
fi
}
Modified: pcbsd/current/src-sh/pc-adctl/scripts/pc-nsswitch
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/pc-nsswitch 2012-08-10 19:52:40 UTC (rev 18396)
+++ pcbsd/current/src-sh/pc-adctl/scripts/pc-nsswitch 2012-08-10 22:49:40 UTC (rev 18397)
@@ -7,20 +7,41 @@
# REQUIRE: root
# BEFORE: nsswitch
+. /usr/local/etc/rc.ldap
. /usr/local/etc/rc.activedirectory
: ${PATH_NS_CONF:="/etc/nsswitch.conf"}
: ${NSSCONF:="/usr/local/bin/nssconf"}
-ad_nsswitch_conf_start()
+nsswitch_conf_start()
{
+ local doconf=0
+ local conftype
+ local cmd="${NSSCONF}"
+
if checkyesno activedirectory_enable 2>/dev/null
then
+ conftype='winbind'
+ doconf=1
+
+ elif checkyesno ldapclient_enable 2>/dev/null
+ then
+ conftype='ldap'
+ doconf=1
+ fi
+
+ if [ -f "${PATH_NS_CONF}" ]
+ then
+ cmd="${NSSCONF} -f ${PATH_NS_CONF}"
+ fi
+
+ if [ "${doconf}" = "1" ]
+ then
local tmp=$(mktemp /tmp/ns.XXXXXX)
- ${NSSCONF} -f "${PATH_NS_CONF}" \
- -d group -r -s "+files" -s "+winbind" \
- -d passwd -r -s "+files" -s "+winbind" \
+ ${cmd} \
+ -d group -r -s "+files" -s "+${conftype}" \
+ -d passwd -r -s "+files" -s "+${conftype}" \
-o "${tmp}"
if [ "$?" = "0" -a -s "${tmp}" ]
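Review bot: The new `cmd="${NSSCONF} -f ${PATH_NS_CONF}"` drops the quoting the removed `-f "${PATH_NS_CONF}"` had, and because `${cmd}` is expanded unquoted at the call the path is word-split and glob-expanded when the command runs. Keeping the optional flag in the positional parameters instead of a string avoids that: `set --` before the `-f` test, `set -- -f "${PATH_NS_CONF}"` inside it, and `${NSSCONF} "$@" \` at the call. nsswitch_conf_stop in the next hunk and ldap_smbconf_start in pc-samba build their command strings the same way. nsswitch_conf_start continues past the end of this hunk.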
@@ -35,15 +56,35 @@
return 0
}
-ad_nsswitch_conf_stop()
+nsswitch_conf_stop()
{
+ local doconf=0
+ local conftype
+ local cmd="${NSSCONF}"
+
if checkyesno activedirectory_enable 2>/dev/null
then
+ conftype='winbind'
+ doconf=1
+
+ elif checkyesno ldapclient_enable 2>/dev/null
+ then
+ conftype='ldap'
+ doconf=1
+ fi
+
+ if [ -f "${PATH_NS_CONF}" ]
+ then
+ cmd="${NSSCONF} -f ${PATH_NS_CONF}"
+ fi
+
+ if [ "${doconf}" = "1" ]
+ then
local tmp=$(mktemp /tmp/ns.XXXXXX)
- ${NSSCONF} -f "${PATH_NS_CONF}" \
- -d group -s "-winbind" \
- -d passwd -s "-winbind" \
+ ${cmd} \
+ -d group -s "-${conftype}" \
+ -d passwd -s "-${conftype}" \
-o "${tmp}"
if [ "$?" = "0" -a -s "${tmp}" ]
@@ -58,9 +99,10 @@
return 0
}
+
name="pc-nsswitch"
-start_cmd='ad_nsswitch_conf_start'
-stop_cmd='ad_nsswitch_conf_stop'
+start_cmd='nsswitch_conf_start'
+stop_cmd='nsswitch_conf_stop'
load_rc_config $name
run_rc_command "$1"
Modified: pcbsd/current/src-sh/pc-adctl/scripts/pc-pam
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/pc-pam 2012-08-10 19:52:40 UTC (rev 18396)
+++ pcbsd/current/src-sh/pc-adctl/scripts/pc-pam 2012-08-10 22:49:40 UTC (rev 18397)
@@ -8,32 +8,57 @@
# REQUIRE: pc-nsswitch
# BEFORE: NETWORK
+. /usr/local/etc/rc.ldap
. /usr/local/etc/rc.activedirectory
: ${DEFAULT_PAM_SERVICES:="ftp login passwd sshd su telnetd"}
: ${PAMDIR:="/etc/pam.d"}
: ${PAMCONF:="/usr/local/bin/pamconf"}
-: ${active_directory_pam_services:="${DEFAULT_PAM_SERVICES}"}
+: ${activedirectory_pam_services:="${DEFAULT_PAM_SERVICES}"}
+: ${ldapclient_pam_services:="${DEFAULT_PAM_SERVICES}"}
-ad_pam_start()
+pam_start()
{
+ local auth
+ local account
+ local session
+ local password
+ local doconf=0
+
if checkyesno activedirectory_enable 2>/dev/null
then
+ doconf=1
+ auth="+2auth:sufficient:/usr/local/lib/pam_winbind.so:silent:try_first_pass:krb5_auth:krb5_ccache_type=FILE"
+ account="+2account:sufficient:/usr/local/lib/pam_winbind.so:krb5_auth:krb5_ccache_type=FILE"
+ session="+session:required:/usr/local/lib/pam_mkhomedir.so"
+ password="+0password:sufficient:/usr/local/lib/pam_winbind.so:try_first_pass:krb5_auth krb5_ccache_type=FILE"
+
+ elif checkyesno ldapclient_enable 2>/dev/null
+ then
+ doconf=1
+ auth="+2auth:sufficient:/usr/local/lib/pam_ldap.so:silent:no_warn:try_first_pass"
+ account="+2account:sufficient:/usr/local/lib/pam_ldap.so:ignore_authinfo_unavail"
+ session="+session:required:/usr/local/lib/pam_mkhomedir.so"
+ password="+0password:sufficient:/usr/local/lib/pam_ldap.so:try_first_pass"
+ fi
+
+ if [ "${doconf}" = "1" ]
+ then
local tmpdir=$(mktemp -d /tmp/pam.XXXXXX)
local errors=0
- for s in ${active_directory_pam_services}
+ for s in ${activedirectory_pam_services}
do
local tmp="${tmpdir}/${s}"
local sfile="${PAMDIR}/${s}"
cp "${sfile}" "${tmpdir}/${s}.orig"
${PAMCONF} -f "${sfile}" \
- -m "+2auth:sufficient:/usr/local/lib/pam_winbind.so:silent:try_first_pass:krb5_auth:krb5_ccache_type=FILE" \
- -m "+2account:sufficient:/usr/local/lib/pam_winbind.so:krb5_auth:krb5_ccache_type=FILE" \
- -m "+session:required:/usr/local/lib/pam_mkhomedir.so" \
- -m "+0password:sufficient:/usr/local/lib/pam_winbind.so:try_first_pass:krb5_auth krb5_ccache_type=FILE" \
+ -m "${auth}" \
+ -m "${account}" \
+ -m "${session}" \
+ -m "${password}" \
-o "${tmp}"
if [ "$?" != "0" -o ! -s "${tmp}" ]
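Review bot: The service loop still iterates `${activedirectory_pam_services}` for both backends, so the `ldapclient_pam_services` default added at the top of this hunk is never read and an LDAP client is configured with the AD service list. Selecting the list where the backend is chosen fixes it: `services="${activedirectory_pam_services}"` next to `doconf=1` in the AD branch, `services="${ldapclient_pam_services}"` in the LDAP branch, and `for s in ${services}` at the loop. pam_stop in the next hunk has the same loop and should pick its list the same way. pam_start continues past the end of this hunk.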
@@ -79,24 +104,47 @@
return 0
}
-ad_pam_stop()
+pam_stop()
{
+ local auth
+ local account
+ local session
+ local password
+ local doconf=0
+
if checkyesno activedirectory_enable 2>/dev/null
then
+ doconf=1
+ auth='-auth:sufficient:/usr/local/lib/pam_winbind.so'
+ account='-account:sufficient:/usr/local/lib/pam_winbind.so'
+ session='-session:required:/usr/local/lib/pam_mkhomedir.so'
+ password='-password:sufficient:/usr/local/lib/pam_winbind.so'
+
+ elif checkyesno ldapclient_enable 2>/dev/null
+ then
+ doconf=1
+ auth='-auth:sufficient:/usr/local/lib/pam_ldap.so'
+ account='-account:sufficient:/usr/local/lib/pam_ldap.so'
+ session='-session:required:/usr/local/lib/pam_mkhomedir.so'
+ password='-password:sufficient:/usr/local/lib/pam_ldap.so'
+ fi
+
+ if [ "${doconf}" = "1" ]
+ then
local tmpdir=$(mktemp -d /tmp/pam.XXXXXX)
local errors=0
- for s in ${active_directory_pam_services}
+ for s in ${activedirectory_pam_services}
do
local tmp="${tmpdir}/${s}"
local sfile="${PAMDIR}/${s}"
cp "${sfile}" "${tmpdir}/${s}.orig"
${PAMCONF} -f "${sfile}" \
- -m '-auth:sufficient:/usr/local/lib/pam_winbind.so' \
- -m '-account:sufficient:/usr/local/lib/pam_winbind.so' \
- -m '-session:required:/usr/local/lib/pam_mkhomedir.so' \
- -m '-password:sufficient:/usr/local/lib/pam_winbind.so' \
+ -m "${auth}" \
+ -m "${account}" \
+ -m "${session}" \
+ -m "${password}" \
-o "${tmp}"
if [ "$?" != "0" -o ! -s "${tmp}" ]
@@ -143,8 +191,8 @@
}
name="pc-pam"
-start_cmd='ad_pam_start'
-stop_cmd='ad_pam_stop'
+start_cmd='pam_start'
+stop_cmd='pam_stop'
load_rc_config $name
run_rc_command "$1"
Modified: pcbsd/current/src-sh/pc-adctl/scripts/pc-samba
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/pc-samba 2012-08-10 19:52:40 UTC (rev 18396)
+++ pcbsd/current/src-sh/pc-adctl/scripts/pc-samba 2012-08-10 22:49:40 UTC (rev 18397)
@@ -8,6 +8,7 @@
# REQUIRE: pc-pam
# BEFORE: smbd
+. /usr/local/etc/rc.ldap
. /usr/local/etc/rc.activedirectory
: ${SMB_CONF:="/usr/local/etc/smb.conf"}
@@ -60,32 +61,117 @@
-w -m "+global: template homedir=/home/%U" \
-o "${tmp}"
- if [ "$?" = "0" -a -s "${tmp}" ]
+ if [ "$?" = "0" -a -s "${tmp}" ]
+ then
+ mv "${tmp}" "${SMB_CONF}"
+ return $?
+ fi
+
+ return 1
+ fi
+
+ return 0
+}
+
+ldap_smbconf_start()
+{
+ local cmd="${SAMBACONF}"
+ if [ -f "${SMB_CONF}" ]
+ then
+ cmd="${SAMBACONF} -f ${SMB_CONF}"
+ fi
+
+ if checkyesno ldapclient_enable 2>/dev/null
+ then
+ local tmp=$(mktemp /tmp/samba.XXXXXX)
+
+ ldap_init
+
+ local ssl="off"
+ local encryption_mode=$(ldap_get encryption_mode)
+ if [ "${encryption_mode}" = "start_tls" ]
+ then
+ ssl="start tls"
+ fi
+
+ cp "${SMB_CONF}" "${SMB_CONF}.orig" >/dev/null 2>&1
+ ${cmd} \
+ -w -m "+global:security=user" \
+ -w -m "+global:passdb backend=ldapsam:ldap://$(ldap_get hostname)" \
+ -w -m "+global:ldap admin dn=$(ldap_get rootbasedn)" \
+ -w -m "+global:ldap suffix=$(ldap_get basedn)" \
+ -w -m "+global:ldap user suffix=$(ldap_get usersuffix)" \
+ -w -m "+global:ldap group suffix=$(ldap_get groupsuffix)" \
+ -w -m "+global:ldap machine suffix=$(ldap_get machinesuffix)" \
+ -w -m "+global:ldap ssl=${ssl}" \
+ -w -m "+global:ldap replication sleep=1000" \
+ -w -m "+global:ldap passwd sync=yes" \
+ -w -m "+global:ldapsam:trusted=yes" \
+ -w -m "+global:idmap uid=10000-39999" \
+ -w -m "+global:idmap gid=10000-39999" \
+ -o "${tmp}"
+
+ if [ "$?" = "0" -a -s "${tmp}" ]
+ then
+ local rootbindpw=$(ldap_get rootbindpw)
+
+ mv "${tmp}" "${SMB_CONF}"
+ if [ "$?" != "0" ]
then
- mv "${tmp}" "${SMB_CONF}"
+ return 1
+ fi
+
+ if [ -n "${rootbindpw}" ]
+ then
+ /usr/local/bin/smbpasswd -w "${rootbindpw}" >/dev/null 2>&1
return $?
fi
- return 1
+ return 0
+ fi
+
+ return 1
+
fi
return 0
}
-ad_smbconf_stop()
+smbconf_start()
{
if checkyesno activedirectory_enable 2>/dev/null
then
+ ad_smbconf_start
+ return $?
+
+ elif checkyesno ldapclient_enable 2>/dev/null
+ then
+ ldap_smbconf_start
+ return $?
+ fi
+
+ return 0
+}
+
+smbconf_stop()
+{
+ if checkyesno activedirectory_enable 2>/dev/null
+ then
cp "${SMB_CONF}.orig" "${SMB_CONF}"
return $?
+
+ elif checkyesno ldapclient_enable 2>/dev/null
+ then
+ cp "${SMB_CONF}.orig" "${SMB_CONF}"
+ return $?
fi
return 0
}
name="pc-samba"
-start_cmd='ad_smbconf_start'
-stop_cmd='ad_smbconf_stop'
+start_cmd='smbconf_start'
+stop_cmd='smbconf_stop'
load_rc_config $name
run_rc_command "$1"
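Review bot: `/usr/local/bin/smbpasswd -w "${rootbindpw}"` in ldap_smbconf_start passes the LDAP admin password as a command-line argument, where it is visible in process listings to other local users for as long as smbpasswd runs; that deserves at least a comment on the line, e.g. `# NOTE: the bind password is exposed via argv while smbpasswd runs`, and a stdin-based hand-off if the installed smbpasswd offers one. Separately, every `return 1` in ldap_smbconf_start leaves the `mktemp` file behind because only the success path moves it into place, so `rm -f "${tmp}"` belongs before each failure return (the ad_smbconf_start tail at the top of the hunk appears to have the same gap). The `cp "${SMB_CONF}" "${SMB_CONF}.orig" >/dev/null 2>&1` backup also hides a failed copy even though smbconf_stop later restores from that file.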