[PC-BSD Commits] r19318 - in pcbsd/current/src-sh/pc-adctl: nssldap scripts

svn at pcbsd.org svn at pcbsd.org
Mon Sep 17 14:03:52 PDT 2012


Author: johnh
Date: 2012-09-17 21:03:52 +0000 (Mon, 17 Sep 2012)
New Revision: 19318

Modified:
   pcbsd/current/src-sh/pc-adctl/nssldap/nssldapconf.c
   pcbsd/current/src-sh/pc-adctl/scripts/pc-nssldap
   pcbsd/current/src-sh/pc-adctl/scripts/pc-pam
Log:
more bugfixes, more needed.



Modified: pcbsd/current/src-sh/pc-adctl/nssldap/nssldapconf.c
===================================================================
--- pcbsd/current/src-sh/pc-adctl/nssldap/nssldapconf.c	2012-09-17 19:42:29 UTC (rev 19317)
+++ pcbsd/current/src-sh/pc-adctl/nssldap/nssldapconf.c	2012-09-17 21:03:52 UTC (rev 19318)
@@ -218,12 +218,15 @@
 
 	TAILQ_FOREACH(ne, &nssldapconf, entries) {
 		if (ne->type == type && type == NSSLDAP_ENTRY_PAIR &&
-			strcasecmp(ne->nep_name, nm->name) == 0) {
+			strcasecmp(ne->nep_name, nm->name) == 0 &&
+			strcasecmp(ne->nep_value, nm->value) == 0) {
 			exists = 1;
 			break;
 
 		} else if (ne->type == type && type == NSSLDAP_ENTRY_TRIPLET &&
-			strcasecmp(ne->net_name, nm->name) == 0) {
+			strcasecmp(ne->net_name, nm->name) == 0 &&
+			strcasecmp(ne->net_attr, nm->attr) == 0 &&
+			strcasecmp(ne->net_value, nm->value) == 0) {
 			exists = 1;
 			break;
 		}
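Review bot: The duplicate test now compares the value (and, for triplets, the attr) with strcasecmp in addition to the name, so two entries whose values differ only in case are treated as the same entry; for attribute-name maps that is probably intended, but for a value such as `pam_password=ad` it deserves a comment making the choice explicit, e.g. `/* name, attr and value are matched case-insensitively on purpose */`. If `nm->value` or `ne->nep_value` can be NULL for a pair given without `=value`, strcasecmp dereferences it; the parser is not visible from this hunk, so a NULL guard before the compare may be needed. The enclosing function starts before this hunk.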
@@ -277,7 +280,8 @@
 			break;
 
 		} else if (ne->type == type && type == NSSLDAP_ENTRY_TRIPLET &&
-			strcasecmp(ne->net_name, nm->name) == 0) {
+			strcasecmp(ne->net_name, nm->name) == 0 &&
+			strcasecmp(ne->net_attr, nm->attr) == 0) {
 			xfree(&ne->net_attr);
 			xfree(&ne->net_value);
 			ne->net_attr = xstrdup(nm->attr);
@@ -426,7 +430,7 @@
 		"Where options in:\n\n"
 		"\t-f <input file>\n"
 		"\t-o <output file>\n"
-		"\t-p <(+|-|^)name=value>\n\n"
+		"\t-p <(+|-|^)name=value>\n"
 		"\t-t <(+|-|^)name=attr=value>\n\n"
 	);
 

Modified: pcbsd/current/src-sh/pc-adctl/scripts/pc-nssldap
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/pc-nssldap	2012-09-17 19:42:29 UTC (rev 19317)
+++ pcbsd/current/src-sh/pc-adctl/scripts/pc-nssldap	2012-09-17 21:03:52 UTC (rev 19318)
@@ -305,7 +305,7 @@
 		-c -t "^nss_map_attribute=gecos=cn" \
 		-c -t "^nss_map_attribute=homeDirectory=unixHomeDirectory" \
 		-c -t "^nss_map_attribute=uniqueMember=member" \
-		-c -t "^pam_filter=objectClass=user" \
+		-c -m "^pam_filter=objectClass=user" \
 		-c -m "^pam_member_attribute=member" \
 		-c -m "^pam_password=ad" \
 		-o "${tmp}"
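Review bot: The switch from `-t` to `-m` for `pam_filter=objectClass=user` is presumably there because the value itself contains `=` and the triplet form would split it into name=attr=value, but nothing on the line says so; a comment such as `# value contains '=', pass it as a pair rather than a triplet` would stop the next reader from "fixing" it back. The usage text of nssldapconf.c changed in this same commit lists only `-f`, `-o`, `-p` and `-t`, so if `-m` and `-c` are accepted options they should appear there as well (the option parser is outside the visible hunks).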

Modified: pcbsd/current/src-sh/pc-adctl/scripts/pc-pam
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/pc-pam	2012-09-17 19:42:29 UTC (rev 19317)
+++ pcbsd/current/src-sh/pc-adctl/scripts/pc-pam	2012-09-17 21:03:52 UTC (rev 19318)
@@ -11,12 +11,32 @@
 . /usr/local/etc/rc.ldap
 . /usr/local/etc/rc.activedirectory
 
+: ${DEFAULT_PAM_SERVICES:="gdm-autologin kde kde-np login sshd su xdm gdm sudo xscreensaver"}
 
-: ${DEFAULT_PAM_SERVICES:="ALL"}
 : ${PAMDIRS:="/etc/pam.d /usr/local/etc/pam.d"}
 : ${PAMCONF:="/usr/local/bin/pc-pamconf"}
 
+: ${pam_mkhomedir:="/usr/local/lib/pam_mkhomedir.so"}
+: ${pam_winbind:="/usr/local/lib/pam_winbind.so"}
+: ${pam_ldap:="/usr/local/lib/pam_ldap.so"}
+: ${pam_krb5:="pam_krb5.so"}
+
+#
+# The default pam classes for the specified services is auth and session.
+#
+# This can be further and fine tuned using this format:
+# activedirectory_pam_${service}="${classes}"
+#
+# eg:
+# activedirectory_pam_sshd="auth account session password"
+#
+# If you want all classes use ALL, if you want no classes, use NONE.
+#
+
+: ${activedirectory_pam_classes:="auth session"}
 : ${activedirectory_pam_services:="${DEFAULT_PAM_SERVICES}"}
+
+: ${ldapclient_pam_classes:="auth session"}
 : ${ldapclient_pam_services:="${DEFAULT_PAM_SERVICES}"}
 
 
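Review bot: The comment block describing `activedirectory_pam_${service}="${classes}"` omits the name mangling that do_pam_var_isset applies (`tr '.-' _`), so for the default services `gdm-autologin` and `kde-np` the override variable is `activedirectory_pam_kde_np`, which a reader of this comment would not guess; suggest adding `# '.' and '-' in the service name are replaced by '_' (kde-np -> activedirectory_pam_kde_np)` and the same for the `ldapclient_pam_` prefix. Separately, `pam_krb5` defaults to the bare `pam_krb5.so` while the other three modules are absolute `/usr/local/lib/...` paths; if that intentionally relies on the PAM module search path it needs a one-line comment, otherwise it should be an absolute path for consistency.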
@@ -48,21 +68,128 @@
 	return ${res}
 }
 
+
+do_pam_var_isset()
+{
+	local service="${1}"
+	local class="${2}"
+	local check=0
+	local var
+	local val
+
+	if [ -z "${service}" -o -z "${class}" ]
+	then
+		return 1
+	fi
+
+	if checkyesno activedirectory_enable 2>/dev/null
+	then
+		local tmp="$(echo ${service}|tr '.-' _)"
+
+		var=\$$(printf "activedirectory_pam_${tmp}")
+		val=$(eval "echo ${var} 2>/dev/null")
+
+		if [ -z "${val}" ]
+		then
+			val="${activedirectory_pam_classes}"
+		fi
+
+		check=1
+
+	elif checkyesno ldapclient_enable 2>/dev/null
+	then
+		local tmp="$(echo ${service}|tr '.-' _)"
+
+		var=\$$(printf "ldapclient_pam_${tmp}")
+		val=$(eval "echo ${var} 2>/dev/null")
+
+		if [ -z "${val}" ]
+		then
+			val="${ldapclient_pam_classes}"
+		fi
+
+		check=1
+	fi
+
+	if [ "${check}" = "1" ]
+	then
+		local s
+
+		if [ "${val}" = "NONE" ]
+		then
+			return 1
+
+		elif [ "${val}" = "ALL" ]
+		then
+			return 0
+
+		elif [ -z "${val}" ]
+		then
+			return 1
+		fi
+
+		for s in ${val}
+		do
+			if [ "${s}" = "${class}" ]
+			then
+				return 0
+			fi
+		done
+	fi
+
+	return 1
+}
+
+pam_auth_isset()
+{
+	do_pam_var_isset "${1}" "auth"
+	return $?
+}
+
+pam_account_isset()
+{
+	do_pam_var_isset "${1}" "account"
+	return $?
+}
+
+pam_session_isset()
+{
+	do_pam_var_isset "${1}" "session"
+	return $?
+}
+
+pam_password_isset()
+{
+	do_pam_var_isset "${1}" "password"
+	return $?
+}
+
 do_pam_conf()
 {
 	local auth="${1}"
 	local account="${2}"
 	local session="${3}"
 	local password="${4}"
-	local services="${5}"
+	local services
 
 	local fail=0
 	local tmpdirs=""
+	local pam_dir
 
+	if checkyesno activedirectory_enable 2>/dev/null
+	then
+		services="${activedirectory_pam_services}"
+
+	elif checkyesno ldapclient_enable 2>/dev/null
+	then
+		services="${ldapclient_pam_services}"
+	fi
+
 	for pam_dir in ${PAMDIRS}
 	do
 		local tmpdir="$(mktemp -d /tmp/pam.XXXXXX)"
 		local pam_files="$(ls "${pam_dir}" | grep -v README)"
+		local s
 
 		tmpdirs="${tmpdirs} ${tmpdir}:${pam_dir}"
 
@@ -70,19 +197,59 @@
 		do
 			local pam_file="${pam_dir}/${s}"
 			local tmp_file="${tmpdir}/${s}"
+			local doconf=0
 
+			local __auth
+			local __account
+			local __session
+			local __password
+
 			if in_pam_services "${s}" "${services}"
 			then
-				${PAMCONF} -f "${pam_file}" \
-				-m "${auth}" \
-				-m "${account}" \
-				-m "${session}" \
-				-m "${password}" \
-				-o "${tmp_file}"
+				if pam_auth_isset "${s}" && [ -n "${auth}" ]
+				then
+					__auth="-m "${auth}""
+					doconf=1
+				else
+					__auth=""
+				fi
+				if pam_account_isset "${s}" && [ -n "${account}" ]
+				then
+					__account=" -m "${account}""
+					doconf=1
+				else
+					__account=""
+				fi
+				if pam_session_isset "${s}" && [ -n "${session}" ]
+				then
+					__session="-m "${session}""
+					doconf=1
+				else
+					__session=""
+				fi
+				if pam_password_isset "${s}" && [ -n "${password}" ]
+				then
+					__password="-m "${password}""
+					doconf=1
+				else
+					__password=""
+				fi
+				
 
-				if [ "$?" != "0" ]
+				if [ "${doconf}" = "1" ]
 				then
-					touch "${tmp_file}.FAIL"
+
+					${PAMCONF} -f "${pam_file}" \
+					${__auth} \
+					${__account} \
+					${__session} \
+					${__password} \
+					-o "${tmp_file}"
+
+					if [ "$?" != "0" ]
+					then
+						touch "${tmp_file}.FAIL"
+					fi
 				fi
 			fi	
 		done
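Review bot: The assignments `__auth="-m "${auth}""` (and the account, session and password ones) do not quote what they look like they quote: the inner double quotes close and reopen the string, and the later unquoted `${__auth}` expansions on the ${PAMCONF} line are then word-split and glob-expanded, while `__account=" -m "${account}""` also carries a stray leading space. It works today only because the module lines contain no whitespace or glob characters. Since this is `/bin/sh` without arrays, the idiomatic fix is to accumulate the argument list in the positional parameters with `set --`, which is safe here because do_pam_conf has already copied `$1`..`$4` into locals and no longer uses `$5`. The enclosing do_pam_conf starts before this hunk and ends after it.
```shell
			set -- -f "${pam_file}"
			if pam_auth_isset "${s}" && [ -n "${auth}" ]
			then
				set -- "$@" -m "${auth}"
				doconf=1
			fi
			# … unchanged: same pattern for account, session and password …
			if [ "${doconf}" = "1" ]
			then
				${PAMCONF} "$@" -o "${tmp_file}"
				# … unchanged: .FAIL marker on non-zero status …
			fi
```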
@@ -130,42 +297,45 @@
 	local account
 	local session
 	local password
-	local services
-	local doconf=0
 
 	if checkyesno activedirectory_enable 2>/dev/null
 	then
 		AD_init
 
-		local pam_winbind="/usr/local/lib/pam_winbind.so"
-		local pam_krb5="pam_krb5.so"
+		if ! AD_UNIX_extensions
+		then
+			auth="+2auth:sufficient:${pam_winbind}:silent:try_first_pass:krb5_auth:krb5_ccache_type=FILE"
+			account="+2account:sufficient:${pam_winbind}:krb5_auth:krb5_ccache_type=FILE"
+			session="+session:required:${pam_mkhomedir}"
+			password="+0password:sufficient:${pam_winbind}:try_first_pass:krb5_auth:krb5_ccache_type=FILE"
 
-		local pam_mod="${pam_winbind}"
-		if AD_UNIX_extensions
-		then
-			pam_mod="${pam_krb5}"
+			do_pam_conf "${auth}" "${account}" "${session}" "${password}"
+			return $?
 		fi
 
-		doconf=1
-		auth="+2auth:sufficient:${pam_mod}:silent:try_first_pass:krb5_auth:krb5_ccache_type=FILE"
-		account="+2account:sufficient:${pam_mod}:krb5_auth:krb5_ccache_type=FILE"
-		session="+session:required:/usr/local/lib/pam_mkhomedir.so"
-		password="+0password:sufficient:${pam_mod}:try_first_pass:krb5_auth:krb5_ccache_type=FILE"
-		services="${activedirectory_pam_services}"
+		auth="+2auth:sufficient:${pam_ldap}:no_warn:try_first_pass"
+		account="+2account:sufficient:${pam_ldap}:ignore_authinfo_unavail"
+		session="+session:required:${pam_mkhomedir}"
+		password="+0password:sufficient:${pam_ldap}:try_first_pass"
 
+		do_pam_conf "${auth}" "${account}" "${session}" "${password}"
+
+		auth="+3auth:sufficient:${pam_krb5}:silent:try_first_pass:krb5_auth:krb5_ccache_type=FILE"
+		account="+3account:sufficient:${pam_krb5}:krb5_auth:krb5_ccache_type=FILE"
+		password="+1password:sufficient:${pam_krb5}:try_first_pass:krb5_auth:krb5_ccache_type=FILE"
+		session=""
+
+		do_pam_conf "${auth}" "${account}" "${session}" "${password}"
+		return $?
+
 	elif checkyesno ldapclient_enable 2>/dev/null
 	then
-		doconf=1
-		auth="+2auth:sufficient:/usr/local/lib/pam_ldap.so:silent:no_warn:try_first_pass"
-		account="+2account:sufficient:/usr/local/lib/pam_ldap.so:ignore_authinfo_unavail"
-		session="+session:required:/usr/local/lib/pam_mkhomedir.so"
-		password="+0password:sufficient:/usr/local/lib/pam_ldap.so:try_first_pass"
-		services="${ldap_pam_services}"
-	fi
+		auth="+2auth:sufficient:${pam_ldap}:silent:no_warn:try_first_pass"
+		account="+2account:sufficient:${pam_ldap}:ignore_authinfo_unavail"
+		session="+session:required:${pam_mkhomedir}"
+		password="+0password:sufficient:${pam_ldap}:try_first_pass"
 
-	if [ "${doconf}" = "1" ]
-	then
-		do_pam_conf "${auth}" "${account}" "${session}" "${password}" "${services}"
+		do_pam_conf "${auth}" "${account}" "${session}" "${password}"
 		return $?
 	fi
 
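Review bot: In the AD-with-UNIX-extensions path the first `do_pam_conf "${auth}" "${account}" "${session}" "${password}"` (the pam_ldap set) has its exit status discarded; only the following pam_krb5 call is returned, so a failed ldap configuration is reported as success. The same pattern is in pam_stop in the next hunk. Make it `do_pam_conf "${auth}" "${account}" "${session}" "${password}" || return $?` in both places. The pam_ldap auth line in this branch uses `no_warn` while the ldapclient branch below uses `silent:no_warn`; if the difference is intentional a short comment would help. pam_start begins before this hunk.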
@@ -178,48 +348,54 @@
 	local account
 	local session
 	local password
-	local services
 	local doconf=0
 
 	if checkyesno activedirectory_enable 2>/dev/null
 	then
 		AD_init
 
-		local pam_winbind="/usr/local/lib/pam_winbind.so"
-		local pam_krb5="pam_krb5.so"
+		if ! AD_UNIX_extensions
+		then
 
-		local pam_mod="${pam_winbind}"
-		if AD_UNIX_extensions
-		then
-			pam_mod="${pam_krb5}"
+			auth="-auth:sufficient:${pam_winbind}"
+			account="-account:sufficient:${pam_winbind}"
+			session="-session:required:${pam_mkhomedir}"
+			password="-password:sufficient:${pam_winbind}"
+
+			do_pam_conf "${auth}" "${account}" "${session}" "${password}"
+			return $?
 		fi
 
-		doconf=1
-		auth="-auth:sufficient:${pam_mod}"
-		account="-account:sufficient:${pam_mod}"
-		session="-session:required:/usr/local/lib/pam_mkhomedir.so"
-		password="-password:sufficient:${pam_mod}"
-		services="${activedirectory_pam_services}"
+		auth="-auth:sufficient:${pam_krb5}"
+		account="-account:sufficient:${pam_krb5}"
+		session="-session:required:${pam_mkhomedir}"
+		password="-password:sufficient:${pam_krb5}"
 
+		do_pam_conf "${auth}" "${account}" "${session}" "${password}"
+
+		auth="-auth:sufficient:${pam_ldap}"
+		account="-account:sufficient:${pam_ldap}"
+		password="-password:sufficient:${pam_ldap}"
+		session=""
+
+		do_pam_conf "${auth}" "${account}" "${session}" "${password}"
+		return $?		
+
 	elif checkyesno ldapclient_enable 2>/dev/null
 	then
-		doconf=1
-		auth='-auth:sufficient:/usr/local/lib/pam_ldap.so'
-		account='-account:sufficient:/usr/local/lib/pam_ldap.so'
-		session='-session:required:/usr/local/lib/pam_mkhomedir.so'
-		password='-password:sufficient:/usr/local/lib/pam_ldap.so'
-		services="${ldap_pam_services}"
-	fi
+		auth='-auth:sufficient:${pam_ldap}'
+		account='-account:sufficient:${pam_ldap}'
+		session='-session:required:${pam_mkhomedir}'
+		password='-password:sufficient:${pam_ldap}'
 
-	if [ "${doconf}" = "1" ]
-	then
-		do_pam_conf "${auth}" "${account}" "${session}" "${password}" "${services}"
+		do_pam_conf "${auth}" "${account}" "${session}" "${password}"
 		return $?
 	fi
 
 	return 0
 }
 
+
 name="pc-pam"
 start_cmd='pam_start'
 stop_cmd='pam_stop'
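Review bot: The ldapclient branch of pam_stop assigns `auth='-auth:sufficient:${pam_ldap}'` and the three lines after it in single quotes, so `${pam_ldap}` and `${pam_mkhomedir}` are not expanded and pc-pamconf receives the literal text `${pam_ldap}`; the removal will therefore not match the lines pam_start added. Change those four assignments to double quotes, as the AD branch already does, e.g. `auth="-auth:sufficient:${pam_ldap}"`. `local doconf=0` is still declared but no longer read anywhere in the new body and can go. pam_stop begins before this hunk.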


