[PC-BSD Commits] r19318 - in pcbsd/current/src-sh/pc-adctl: nssldap scripts
svn at pcbsd.org
svn at pcbsd.org
Mon Sep 17 14:03:52 PDT 2012
Author: johnh
Date: 2012-09-17 21:03:52 +0000 (Mon, 17 Sep 2012)
New Revision: 19318
Modified:
pcbsd/current/src-sh/pc-adctl/nssldap/nssldapconf.c
pcbsd/current/src-sh/pc-adctl/scripts/pc-nssldap
pcbsd/current/src-sh/pc-adctl/scripts/pc-pam
Log:
more bugfixes, more needed.
Modified: pcbsd/current/src-sh/pc-adctl/nssldap/nssldapconf.c
===================================================================
--- pcbsd/current/src-sh/pc-adctl/nssldap/nssldapconf.c 2012-09-17 19:42:29 UTC (rev 19317)
+++ pcbsd/current/src-sh/pc-adctl/nssldap/nssldapconf.c 2012-09-17 21:03:52 UTC (rev 19318)
@@ -218,12 +218,15 @@
TAILQ_FOREACH(ne, &nssldapconf, entries) {
if (ne->type == type && type == NSSLDAP_ENTRY_PAIR &&
- strcasecmp(ne->nep_name, nm->name) == 0) {
+ strcasecmp(ne->nep_name, nm->name) == 0 &&
+ strcasecmp(ne->nep_value, nm->value) == 0) {
exists = 1;
break;
} else if (ne->type == type && type == NSSLDAP_ENTRY_TRIPLET &&
- strcasecmp(ne->net_name, nm->name) == 0) {
+ strcasecmp(ne->net_name, nm->name) == 0 &&
+ strcasecmp(ne->net_attr, nm->attr) == 0 &&
+ strcasecmp(ne->net_value, nm->value) == 0) {
exists = 1;
break;
}
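Review bot: The existence test at the `+` lines now requires the value (and, for triplets, the attr) to match as well as the name, so an entry with the same name but a different value is reported as absent; if the caller uses this result to decide whether to append, a second `name=value` line for the same key can end up in the output. Whether that is wanted depends on the caller, which is outside this hunk, as is the start of the enclosing function. If one value per name is the intent, keep the name-only match on the add path and let the value comparison drive the replace path instead. Note also that `strcasecmp` folds case on the value, which is fine for keywords such as `ad` but may merge values the directory treats as distinct; a `/* name+value match: same name with a different value is not a duplicate */` comment on the condition would record whichever reading is intended.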
@@ -277,7 +280,8 @@
break;
} else if (ne->type == type && type == NSSLDAP_ENTRY_TRIPLET &&
- strcasecmp(ne->net_name, nm->name) == 0) {
+ strcasecmp(ne->net_name, nm->name) == 0 &&
+ strcasecmp(ne->net_attr, nm->attr) == 0) {
xfree(&ne->net_attr);
xfree(&ne->net_value);
ne->net_attr = xstrdup(nm->attr);
@@ -426,7 +430,7 @@
"Where options in:\n\n"
"\t-f <input file>\n"
"\t-o <output file>\n"
- "\t-p <(+|-|^)name=value>\n\n"
+ "\t-p <(+|-|^)name=value>\n"
"\t-t <(+|-|^)name=attr=value>\n\n"
);
Modified: pcbsd/current/src-sh/pc-adctl/scripts/pc-nssldap
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/pc-nssldap 2012-09-17 19:42:29 UTC (rev 19317)
+++ pcbsd/current/src-sh/pc-adctl/scripts/pc-nssldap 2012-09-17 21:03:52 UTC (rev 19318)
@@ -305,7 +305,7 @@
-c -t "^nss_map_attribute=gecos=cn" \
-c -t "^nss_map_attribute=homeDirectory=unixHomeDirectory" \
-c -t "^nss_map_attribute=uniqueMember=member" \
- -c -t "^pam_filter=objectClass=user" \
+ -c -m "^pam_filter=objectClass=user" \
-c -m "^pam_member_attribute=member" \
-c -m "^pam_password=ad" \
-o "${tmp}"
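Review bot: `-c -m "^pam_filter=objectClass=user"` passes a pair whose value itself contains `=`, while the usage text in nssldapconf.c lists only `-p` for `name=value` and `-t` for `name=attr=value`; if the program invoked here is nssldapconf, `-m` (and `-c`) should be added to that usage and the pair parser must split on the first `=` only, otherwise `objectClass=user` is truncated to `objectClass`. The command being assembled starts above this hunk, so I cannot see which binary it is. A comment such as `# value contains '=': pass as a pair (-m), not a triplet (-t)` on the changed line would explain why it differs from the `-t` lines above it.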
Modified: pcbsd/current/src-sh/pc-adctl/scripts/pc-pam
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/pc-pam 2012-09-17 19:42:29 UTC (rev 19317)
+++ pcbsd/current/src-sh/pc-adctl/scripts/pc-pam 2012-09-17 21:03:52 UTC (rev 19318)
@@ -11,12 +11,32 @@
. /usr/local/etc/rc.ldap
. /usr/local/etc/rc.activedirectory
+: ${DEFAULT_PAM_SERVICES:="gdm-autologin kde kde-np login sshd su xdm gdm sudo xscreensaver"}
-: ${DEFAULT_PAM_SERVICES:="ALL"}
: ${PAMDIRS:="/etc/pam.d /usr/local/etc/pam.d"}
: ${PAMCONF:="/usr/local/bin/pc-pamconf"}
+: ${pam_mkhomedir:="/usr/local/lib/pam_mkhomedir.so"}
+: ${pam_winbind:="/usr/local/lib/pam_winbind.so"}
+: ${pam_ldap:="/usr/local/lib/pam_ldap.so"}
+: ${pam_krb5:="pam_krb5.so"}
+
+#
+# The default pam classes for the specified services is auth and session.
+#
+# This can be further and fine tuned using this format:
+# activedirectory_pam_${service}="${classes}"
+#
+# eg:
+# activedirectory_pam_sshd="auth account session password"
+#
+# If you want all classes use ALL, if you want no classes, use NONE.
+#
+
+: ${activedirectory_pam_classes:="auth session"}
: ${activedirectory_pam_services:="${DEFAULT_PAM_SERVICES}"}
+
+: ${ldapclient_pam_classes:="auth session"}
: ${ldapclient_pam_services:="${DEFAULT_PAM_SERVICES}"}
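Review bot: `: ${pam_krb5:="pam_krb5.so"}` is the only module default given as a bare file name while `pam_mkhomedir`, `pam_winbind` and `pam_ldap` are absolute `/usr/local/lib/...` paths; unless that is deliberate, the mismatch should be documented or the path made consistent, e.g. `# pam_krb5 is resolved through the PAM loader's default module path` on that line. The new `DEFAULT_PAM_SERVICES` value replaces `ALL` with an explicit list that includes `su` and `sudo`, and the entries written later by `do_pam_conf` are `sufficient`, so the comment block should state that this list decides which privilege-changing stacks receive directory-backed authentication: `# Services listed here receive the 'sufficient' directory auth/session entries; note that su and sudo are included.`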
@@ -48,21 +68,128 @@
return ${res}
}
+
+do_pam_var_isset()
+{
+ local service="${1}"
+ local class="${2}"
+ local check=0
+ local var
+ local val
+
+ if [ -z "${service}" -o -z "${class}" ]
+ then
+ return 1
+ fi
+
+ if checkyesno activedirectory_enable 2>/dev/null
+ then
+ local tmp="$(echo ${service}|tr '.-' _)"
+
+ var=\$$(printf "activedirectory_pam_${tmp}")
+ val=$(eval "echo ${var} 2>/dev/null")
+
+ if [ -z "${val}" ]
+ then
+ val="${activedirectory_pam_classes}"
+ fi
+
+ check=1
+
+ elif checkyesno ldapclient_enable 2>/dev/null
+ then
+ local tmp="$(echo ${service}|tr '.-' _)"
+
+ var=\$$(printf "ldapclient_pam_${tmp}")
+ val=$(eval "echo ${var} 2>/dev/null")
+
+ if [ -z "${val}" ]
+ then
+ val="${ldapclient_pam_classes}"
+ fi
+
+ check=1
+ fi
+
+ if [ "${check}" = "1" ]
+ then
+ local s
+
+ if [ "${val}" = "NONE" ]
+ then
+ return 1
+
+ elif [ "${val}" = "ALL" ]
+ then
+ return 0
+
+ elif [ -z "${val}" ]
+ then
+ return 1
+ fi
+
+ for s in ${val}
+ do
+ if [ "${s}" = "${class}" ]
+ then
+ return 0
+ fi
+ done
+ fi
+
+ return 1
+}
+
+pam_auth_isset()
+{
+ do_pam_var_isset "${1}" "auth"
+ return $?
+}
+
+pam_account_isset()
+{
+ do_pam_var_isset "${1}" "account"
+ return $?
+}
+
+pam_session_isset()
+{
+ do_pam_var_isset "${1}" "session"
+ return $?
+}
+
+pam_password_isset()
+{
+ do_pam_var_isset "${1}" "password"
+ return $?
+}
+
do_pam_conf()
{
local auth="${1}"
local account="${2}"
local session="${3}"
local password="${4}"
- local services="${5}"
+ local services
local fail=0
local tmpdirs=""
+ local pam_dir
+ if checkyesno activedirectory_enable 2>/dev/null
+ then
+ services="${activedirectory_pam_services}"
+
+ elif checkyesno ldapclient_enable 2>/dev/null
+ then
+ services="${ldapclient_pam_services}"
+ fi
+
for pam_dir in ${PAMDIRS}
do
local tmpdir="$(mktemp -d /tmp/pam.XXXXXX)"
local pam_files="$(ls "${pam_dir}" | grep -v README)"
+ local s
tmpdirs="${tmpdirs} ${tmpdir}:${pam_dir}"
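Review bot: `var=\$$(printf "activedirectory_pam_${tmp}")` followed by `val=$(eval "echo ${var} 2>/dev/null")` (and the `ldapclient` twin in the `elif` branch) uses the service name, which comes from file names in the pam directories, both as a printf format string and as text handed to `eval`; `tr '.-' _` rewrites only dots and dashes, so any other shell metacharacter in a file name reaches `eval`. The same indirection needs neither the format string nor the echo round-trip once the name is validated: `case "${tmp}" in *[!A-Za-z0-9_]*) return 1 ;; esac` then `eval "val=\${activedirectory_pam_${tmp}}"`. The two branches differ only in the variable prefix and the fallback default, so one block parameterised on a `prefix` local would halve `do_pam_var_isset`. `do_pam_conf`, which begins at the end of this hunk, continues past it.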
@@ -70,19 +197,59 @@
do
local pam_file="${pam_dir}/${s}"
local tmp_file="${tmpdir}/${s}"
+ local doconf=0
+ local __auth
+ local __account
+ local __session
+ local __password
+
if in_pam_services "${s}" "${services}"
then
- ${PAMCONF} -f "${pam_file}" \
- -m "${auth}" \
- -m "${account}" \
- -m "${session}" \
- -m "${password}" \
- -o "${tmp_file}"
+ if pam_auth_isset "${s}" && [ -n "${auth}" ]
+ then
+ __auth="-m "${auth}""
+ doconf=1
+ else
+ __auth=""
+ fi
+ if pam_account_isset "${s}" && [ -n "${account}" ]
+ then
+ __account=" -m "${account}""
+ doconf=1
+ else
+ __account=""
+ fi
+ if pam_session_isset "${s}" && [ -n "${session}" ]
+ then
+ __session="-m "${session}""
+ doconf=1
+ else
+ __session=""
+ fi
+ if pam_password_isset "${s}" && [ -n "${password}" ]
+ then
+ __password="-m "${password}""
+ doconf=1
+ else
+ __password=""
+ fi
+
- if [ "$?" != "0" ]
+ if [ "${doconf}" = "1" ]
then
- touch "${tmp_file}.FAIL"
+
+ ${PAMCONF} -f "${pam_file}" \
+ ${__auth} \
+ ${__account} \
+ ${__session} \
+ ${__password} \
+ -o "${tmp_file}"
+
+ if [ "$?" != "0" ]
+ then
+ touch "${tmp_file}.FAIL"
+ fi
fi
fi
done
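Review bot: `__auth="-m "${auth}""` closes the double quotes before `${auth}` and reopens them after it, so the inner quotes do nothing and the value is later expanded unquoted as `${__auth}` in the `${PAMCONF}` call, where it is word-split and glob-expanded; it works today only because the entry strings contain no whitespace or glob characters. `__account=" -m "${account}""` additionally carries a leading space the other three do not. Building the argument list with the positional parameters removes both problems and keeps each `-m` paired with its value; `do_pam_conf` already copied `$1`..`$4` into locals at its top, so `set --` inside the loop is safe. The enclosing `do_pam_conf` starts before this hunk.
```shell
local pam_file="${pam_dir}/${s}"
local tmp_file="${tmpdir}/${s}"
local doconf=0

if in_pam_services "${s}" "${services}"
then
    # one argv entry per flag and value: nothing is word-split at the call site
    set -- -f "${pam_file}"
    if pam_auth_isset "${s}" && [ -n "${auth}" ]
    then
        set -- "$@" -m "${auth}"
        doconf=1
    fi
    if pam_account_isset "${s}" && [ -n "${account}" ]
    then
        set -- "$@" -m "${account}"
        doconf=1
    fi
    if pam_session_isset "${s}" && [ -n "${session}" ]
    then
        set -- "$@" -m "${session}"
        doconf=1
    fi
    if pam_password_isset "${s}" && [ -n "${password}" ]
    then
        set -- "$@" -m "${password}"
        doconf=1
    fi

    if [ "${doconf}" = "1" ]
    then
        if ! ${PAMCONF} "$@" -o "${tmp_file}"
        then
            touch "${tmp_file}.FAIL"
        fi
    fi
fi
```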
@@ -130,42 +297,45 @@
local account
local session
local password
- local services
- local doconf=0
if checkyesno activedirectory_enable 2>/dev/null
then
AD_init
- local pam_winbind="/usr/local/lib/pam_winbind.so"
- local pam_krb5="pam_krb5.so"
+ if ! AD_UNIX_extensions
+ then
+ auth="+2auth:sufficient:${pam_winbind}:silent:try_first_pass:krb5_auth:krb5_ccache_type=FILE"
+ account="+2account:sufficient:${pam_winbind}:krb5_auth:krb5_ccache_type=FILE"
+ session="+session:required:${pam_mkhomedir}"
+ password="+0password:sufficient:${pam_winbind}:try_first_pass:krb5_auth:krb5_ccache_type=FILE"
- local pam_mod="${pam_winbind}"
- if AD_UNIX_extensions
- then
- pam_mod="${pam_krb5}"
+ do_pam_conf "${auth}" "${account}" "${session}" "${password}"
+ return $?
fi
- doconf=1
- auth="+2auth:sufficient:${pam_mod}:silent:try_first_pass:krb5_auth:krb5_ccache_type=FILE"
- account="+2account:sufficient:${pam_mod}:krb5_auth:krb5_ccache_type=FILE"
- session="+session:required:/usr/local/lib/pam_mkhomedir.so"
- password="+0password:sufficient:${pam_mod}:try_first_pass:krb5_auth:krb5_ccache_type=FILE"
- services="${activedirectory_pam_services}"
+ auth="+2auth:sufficient:${pam_ldap}:no_warn:try_first_pass"
+ account="+2account:sufficient:${pam_ldap}:ignore_authinfo_unavail"
+ session="+session:required:${pam_mkhomedir}"
+ password="+0password:sufficient:${pam_ldap}:try_first_pass"
+ do_pam_conf "${auth}" "${account}" "${session}" "${password}"
+
+ auth="+3auth:sufficient:${pam_krb5}:silent:try_first_pass:krb5_auth:krb5_ccache_type=FILE"
+ account="+3account:sufficient:${pam_krb5}:krb5_auth:krb5_ccache_type=FILE"
+ password="+1password:sufficient:${pam_krb5}:try_first_pass:krb5_auth:krb5_ccache_type=FILE"
+ session=""
+
+ do_pam_conf "${auth}" "${account}" "${session}" "${password}"
+ return $?
+
elif checkyesno ldapclient_enable 2>/dev/null
then
- doconf=1
- auth="+2auth:sufficient:/usr/local/lib/pam_ldap.so:silent:no_warn:try_first_pass"
- account="+2account:sufficient:/usr/local/lib/pam_ldap.so:ignore_authinfo_unavail"
- session="+session:required:/usr/local/lib/pam_mkhomedir.so"
- password="+0password:sufficient:/usr/local/lib/pam_ldap.so:try_first_pass"
- services="${ldap_pam_services}"
- fi
+ auth="+2auth:sufficient:${pam_ldap}:silent:no_warn:try_first_pass"
+ account="+2account:sufficient:${pam_ldap}:ignore_authinfo_unavail"
+ session="+session:required:${pam_mkhomedir}"
+ password="+0password:sufficient:${pam_ldap}:try_first_pass"
- if [ "${doconf}" = "1" ]
- then
- do_pam_conf "${auth}" "${account}" "${session}" "${password}" "${services}"
+ do_pam_conf "${auth}" "${account}" "${session}" "${password}"
return $?
fi
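Review bot: The first `do_pam_conf "${auth}" "${account}" "${session}" "${password}"` in the AD-with-UNIX-extensions path is called only for its side effect and its status is discarded, so a failure writing the pam_ldap entries is lost and the pam_krb5 pass alone decides the return value; the corresponding call in `pam_stop` below has the same problem. Capture it, e.g. `do_pam_conf ...; rc=$?`, then `do_pam_conf ... || rc=$?` and `return ${rc}`. This branch also uses `no_warn:try_first_pass` while the `ldapclient_enable` branch keeps `silent:no_warn:try_first_pass`; if dropping `silent` is intended, a comment on that line should say why. `pam_start` begins and continues outside this hunk.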
@@ -178,48 +348,54 @@
local account
local session
local password
- local services
local doconf=0
if checkyesno activedirectory_enable 2>/dev/null
then
AD_init
- local pam_winbind="/usr/local/lib/pam_winbind.so"
- local pam_krb5="pam_krb5.so"
+ if ! AD_UNIX_extensions
+ then
- local pam_mod="${pam_winbind}"
- if AD_UNIX_extensions
- then
- pam_mod="${pam_krb5}"
+ auth="-auth:sufficient:${pam_winbind}"
+ account="-account:sufficient:${pam_winbind}"
+ session="-session:required:${pam_mkhomedir}"
+ password="-password:sufficient:${pam_winbind}"
+
+ do_pam_conf "${auth}" "${account}" "${session}" "${password}"
+ return $?
fi
- doconf=1
- auth="-auth:sufficient:${pam_mod}"
- account="-account:sufficient:${pam_mod}"
- session="-session:required:/usr/local/lib/pam_mkhomedir.so"
- password="-password:sufficient:${pam_mod}"
- services="${activedirectory_pam_services}"
+ auth="-auth:sufficient:${pam_krb5}"
+ account="-account:sufficient:${pam_krb5}"
+ session="-session:required:${pam_mkhomedir}"
+ password="-password:sufficient:${pam_krb5}"
+ do_pam_conf "${auth}" "${account}" "${session}" "${password}"
+
+ auth="-auth:sufficient:${pam_ldap}"
+ account="-account:sufficient:${pam_ldap}"
+ password="-password:sufficient:${pam_ldap}"
+ session=""
+
+ do_pam_conf "${auth}" "${account}" "${session}" "${password}"
+ return $?
+
elif checkyesno ldapclient_enable 2>/dev/null
then
- doconf=1
- auth='-auth:sufficient:/usr/local/lib/pam_ldap.so'
- account='-account:sufficient:/usr/local/lib/pam_ldap.so'
- session='-session:required:/usr/local/lib/pam_mkhomedir.so'
- password='-password:sufficient:/usr/local/lib/pam_ldap.so'
- services="${ldap_pam_services}"
- fi
+ auth='-auth:sufficient:${pam_ldap}'
+ account='-account:sufficient:${pam_ldap}'
+ session='-session:required:${pam_mkhomedir}'
+ password='-password:sufficient:${pam_ldap}'
- if [ "${doconf}" = "1" ]
- then
- do_pam_conf "${auth}" "${account}" "${session}" "${password}" "${services}"
+ do_pam_conf "${auth}" "${account}" "${session}" "${password}"
return $?
fi
return 0
}
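Review bot: `auth='-auth:sufficient:${pam_ldap}'` and the three lines after it are single-quoted, so `${pam_ldap}` and `${pam_mkhomedir}` are not expanded and `do_pam_conf` is asked to remove the literal entries `-auth:sufficient:${pam_ldap}` etc., which match nothing; in the `ldapclient_enable` case the stop path therefore leaves the pam_ldap and pam_mkhomedir entries in place after the service is disabled. The removed lines worked because they held literal paths; switch to double quotes as the `pam_start` twin does, e.g. `auth="-auth:sufficient:${pam_ldap}"`. `local doconf=0` is no longer read anywhere in the hunk and can be dropped. The function body begins before this hunk.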
+
name="pc-pam"
start_cmd='pam_start'
stop_cmd='pam_stop'