[PC-BSD Commits] r19545 - pcbsd/current/src-sh/pc-adctl/scripts

svn at pcbsd.org svn at pcbsd.org
Wed Sep 26 16:34:24 PDT 2012


Author: johnh
Date: 2012-09-26 23:34:24 +0000 (Wed, 26 Sep 2012)
New Revision: 19545

Modified:
   pcbsd/current/src-sh/pc-adctl/scripts/pc-pam
Log:
checkpoint. This doesn't work, just saving progress.



Modified: pcbsd/current/src-sh/pc-adctl/scripts/pc-pam
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/pc-pam	2012-09-26 18:01:17 UTC (rev 19544)
+++ pcbsd/current/src-sh/pc-adctl/scripts/pc-pam	2012-09-26 23:34:24 UTC (rev 19545)
@@ -22,23 +22,55 @@
 : ${pam_krb5:="pam_krb5.so"}
 
 #
-# The default pam classes for the specified services is auth and session.
+# The default pam facilities for the specified services is auth and session.
 #
 # This can be further and fine tuned using this format:
-# activedirectory_pam_${service}="${classes}"
+# (activedirectory|ldap)_pam_${service}="${facilities}"
 #
 # eg:
 # activedirectory_pam_sshd="auth account session password"
 #
-# If you want all classes use ALL, if you want no classes, use NONE.
+# If you want all facilities use ALL, if you want no facilities , use NONE.
 #
+# More good stuff: 
+#
+# To specify specific placement of pam modules in pam files, you
+# can use this format:
+# 
+# (activedirectory|ldap)_pam_${service}_${facility}_index="${index}"
+#
+# eg:
+# activedirectory_pam_sshd_auth_index="2"
+#
+# This will place the pam_winbind.so module at index 2 in the auth
+# section (if it exists, otherwise, it will be placed less than 2
+# at the end, or the beginning of no modules are specified.
+#
+# (activedirectory|ldap)_pam_${service}_${facility}_before="${module}"
+#
+# eg:
+# activedirectory_pam_sshd_auth_before="pam_unix.so"
+#
+# This places pam_winbind.so right before pam_unix.so
+#
+# (activedirectory|ldap)_pam_${service}_${facility}_after="${module}"
+#
+# eg:
+# activedirectory_pam_sshd_auth_after="pam_krb5.so"
+#
+# This places pam_winbind.so right after pam_krb5.so
+#
 
-: ${activedirectory_pam_classes:="auth session"}
+: ${activedirectory_pam_facilities:="auth session"}
 : ${activedirectory_pam_services:="${DEFAULT_PAM_SERVICES}"}
 
-: ${ldapclient_pam_classes:="auth session"}
+: ${ldapclient_pam_facilities:="auth session"}
 : ${ldapclient_pam_services:="${DEFAULT_PAM_SERVICES}"}
 
+#
+# PC-BSD specifics
+#
+activedirectory_pam_gdm_auth_before="pam_unix.so"
 
 in_pam_services()
 {
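Review bot: `activedirectory_pam_gdm_auth_before="pam_unix.so"` at L79 is a plain assignment, unlike the `: ${var:=default}` lines just above it, so if this file is sourced after the administrator's own settings it silently replaces whatever they set for that variable; `: ${activedirectory_pam_gdm_auth_before:="pam_unix.so"}` keeps it a default rather than an override (I cannot see the sourcing order from this hunk). The new comment block also has two wording slips worth fixing in the same pass: L37 has a stray space before the comma in `no facilities , use NONE`, and L51's `or the beginning of no modules are specified` should read `or at the beginning if no modules are specified`.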
@@ -68,16 +100,78 @@
 	return ${res}
 }
 
+__getvar()
+{
+	local name="${1}"
+	local tmp="$(echo ${name}|tr '.-' _)"
+	local var=""
 
+	if checkyesno activedirectory_enable 2>/dev/null
+	then
+		var="\$$(printf "activedirectory_pam_${tmp}")"
+
+	elif checkyesno ldapclient_enable 2>/dev/null
+	then
+		var="\$$(printf "ldapclient_pam_${tmp}")"
+
+	else
+		var="${tmp}"	
+	fi
+
+	echo "${var}"
+}
+
+__getval()
+{
+	local var="${1}"
+	local val="$(eval "echo ${var} 2>/dev/null")"
+
+	echo "${val}"
+}
+
+__pam_var_isset()
+{
+	local service="${1}"
+	local var
+	local val
+
+	if checkyesno activedirectory_enable 2>/dev/null
+	then
+		local tmp="$(echo ${service}|tr '.-' _)"
+
+		var=\$$(printf "activedirectory_pam_${tmp}")
+		val=$(eval "echo ${var} 2>/dev/null")
+
+		if [ -n "${val}" ]
+		then
+			return 0
+		fi
+
+	elif checkyesno ldapclient_enable 2>/dev/null
+	then
+		local tmp="$(echo ${service}|tr '.-' _)"
+
+		var=\$$(printf "ldapclient_pam_${tmp}")
+		val=$(eval "echo ${var} 2>/dev/null")
+
+		if [ -n "${val}" ]
+		then
+			return 0
+		fi
+	fi
+
+	return 1
+}
+
 do_pam_var_isset()
 {
 	local service="${1}"
-	local class="${2}"
+	local facility="${2}"
 	local check=0
 	local var
 	local val
 
-	if [ -z "${service}" -o -z "${class}" ]
+	if [ -z "${service}" -o -z "${facility}" ]
 	then
 		return 1
 	fi
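Review bot: `__getval` runs `eval` on a string assembled from the caller-supplied service name (L111), and the `tr '.-' _` at L90 only rewrites dots and dashes, so any other shell-significant character in a service name is interpreted by the shell rather than treated as data; validate the generated name before evaluating it and expand it by assignment instead of via `echo`, e.g. `case "${var}" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac` followed by `eval "val=\${${var}}"`. That change needs `__getvar` to return the bare variable name, which also fixes its `else` branch at L102: that branch returns `${tmp}` without the `\$` prefix, so when neither backend is enabled `__getval` echoes the variable's name as if it were its value. The `printf "activedirectory_pam_${tmp}"` calls at L95, L99, L126 and L138 use data as the format string; a plain `var="activedirectory_pam_${tmp}"` is enough. `__pam_var_isset` repeats the whole lookup instead of reusing the two helpers; `[ -n "$(__getval "$(__getvar "${1}")")" ]` would keep the two code paths in step.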
@@ -91,7 +185,7 @@
 
 		if [ -z "${val}" ]
 		then
-			val="${activedirectory_pam_classes}"
+			val="${activedirectory_pam_facilities}"
 		fi
 
 		check=1
@@ -105,7 +199,7 @@
 
 		if [ -z "${val}" ]
 		then
-			val="${ldapclient_pam_classes}"
+			val="${ldapclient_pam_facilities}"
 		fi
 
 		check=1
@@ -130,7 +224,7 @@
 
 		for s in ${val}
 		do
-			if [ "${s}" = "${class}" ]
+			if [ "${s}" = "${facility}" ]
 			then
 				return 0
 			fi
@@ -143,10 +237,15 @@
 get_index()
 {
 	local file="${1}"
-	local class="${2}"
+	local facility="${2}"
 	local index
 
-	index="$(egrep "^${class}" "${file}"|awk '{ printf("%d %s\n", n++, $0); }'|egrep sufficient|awk '{ print $1 }'|tail -1)"
+	index="$(egrep "^${facility}" "${file}" | \
+		awk '{ printf("%d %s\n", n++, $0); }' | \
+		egrep sufficient | \
+		awk '{ print $1 }' | \
+		tail -1)"
+
 	if [ -z "${index}" ]
 	then
 		index=0
@@ -156,6 +255,25 @@
 	echo "${index}"
 }
 
+get_module_index()
+{
+	local file="${1}"
+	local facility="${2}"
+	local module="${3}"
+
+	if [ -z "${file}" -o -z "${facility}" -o -z "${module}" ]
+	then
+		return 1
+	fi
+
+	egrep "^${facility}" "${file}" | \
+		awk '{ printf("%d %s\n", n++, $0); }' | \
+		egrep "${module}" | \
+		awk '{ print $1 }'
+
+	return 0
+}
+
 get_auth_index()
 {
 	get_index "${1}" "auth"
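Review bot: `get_module_index` uses `${module}` as an unanchored `egrep` pattern at L226, so a name like `pam_unix.so` is matched as a regex (the dot is a wildcard) and any line mentioning the module, including a trailing comment, counts as a hit; each hit prints its own index, while the caller in `do_pam_auth_conf` compares the result with `-gt` as a single integer. Match the literal string and return one index: `grep -F -- "${module}" | awk '{ print $1 }' | head -1`. The unconditional `return 0` at L229 also means a caller cannot tell "not found" from a successful lookup; testing the pipeline output for emptiness and returning 1 in that case would give the callers something to branch on.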
@@ -176,30 +294,182 @@
 	get_index "${1}" "password"
 }
 
+get_pam_auth()
+{
+	__getval $(__getvar "${1}_auth")
+}
+
 pam_auth_isset()
 {
 	do_pam_var_isset "${1}" "auth"
 	return $?
 }
 
+get_pam_auth_index()
+{
+	__getval $(__getvar "${1}_auth_index")
+}
+
+pam_auth_index_isset()
+{
+	__pam_var_isset "${1}_auth_index"
+	return $?
+}
+
+get_pam_auth_before()
+{
+	__getval $(__getvar "${1}_auth_before")
+}
+
+pam_auth_before_isset()
+{
+	__pam_var_isset "${1}_auth_before"
+	return $?
+}
+
+get_pam_auth_after()
+{
+	__getval $(__getvar "${1}_auth_after")
+}
+
+pam_auth_after_isset()
+{
+	__pam_var_isset "${1}_auth_after"
+	return $?
+}
+
+get_pam_account()
+{
+	__getval $(__getvar "${1}_account")
+}
+
 pam_account_isset()
 {
 	do_pam_var_isset "${1}" "account"
 	return $?
 }
 
+get_pam_account_index()
+{
+	__getval $(__getvar "${1}_account_index")
+}
+
+pam_account_index_isset()
+{
+	__pam_var_isset "${1}_account_index"
+	return $?
+}
+
+get_pam_account_before()
+{
+	__getval $(__getvar "${1}_account_before")
+}
+
+pam_account_before_isset()
+{
+	__pam_var_isset "${1}_account_before"
+	return $?
+}
+
+get_pam_account_after()
+{
+	__getval $(__getvar "${1}_account_after")
+}
+
+pam_account_after_isset()
+{
+	__pam_var_isset "${1}_account_after"
+	return $?
+}
+
+get_pam_session()
+{
+	__getval $(__getvar "${1}_session")
+}
+
 pam_session_isset()
 {
 	do_pam_var_isset "${1}" "session"
 	return $?
 }
 
+get_pam_session_index()
+{
+	__getval $(__getvar "${1}_session_index")
+}
+
+pam_session_index_isset()
+{
+	__pam_var_isset "${1}_session_index"
+	return $?
+}
+
+get_pam_session_before()
+{
+	__getval $(__getvar "${1}_session_before")
+}
+
+pam_session_before_isset()
+{
+	__pam_var_isset "${1}_session_before"
+	return $?
+}
+
+get_pam_session_after()
+{
+	__getval $(__getvar "${1}_session_after")
+}
+
+pam_session_after_isset()
+{
+	__pam_var_isset "${1}_session_after"
+	return $?
+}
+
+get_pam_password()
+{
+	__getval $(__getvar "${1}_password")
+}
+
 pam_password_isset()
 {
 	do_pam_var_isset "${1}" "password"
 	return $?
 }
 
+get_pam_password_index()
+{
+	__getval $(__getvar "${1}_password_index")
+}
+
+pam_password_index_isset()
+{
+	__pam_var_isset "${1}_password_index"
+	return $?
+}
+
+get_pam_password_before()
+{
+	__getval $(__getvar "${1}_password_before")
+}
+
+pam_password_before_isset()
+{
+	__pam_var_isset "${1}_password_before"
+	return $?
+}
+
+get_pam_password_after()
+{
+	__getval $(__getvar "${1}_password_after")
+}
+
+pam_password_after_isset()
+{
+	__pam_var_isset "${1}_password_after"
+	return $?
+}
+
 pam_service_configured()
 {
 	local pam_file="${1}"
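Review bot: The twenty `get_pam_*` and `pam_*_isset` wrappers added in this hunk differ only in the `facility[_suffix]` string they append to the service name, so one parameterised pair, `get_pam_var() { __getval "$(__getvar "${1}_${2}")"; }` and `pam_var_isset() { __pam_var_isset "${1}_${2}"; }`, called as `get_pam_var "${s}" auth_index`, would replace them all and spare every future facility five more copies. In the wrappers as written the command substitution in `__getval $(__getvar ...)` is unquoted, and the `return $?` after each `__pam_var_isset` call is redundant because a function already returns the status of its last command.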
@@ -215,6 +485,78 @@
 	return $?
 }
 
+do_pam_auth_conf()
+{
+	local pam_file="${1}"
+	local s="${2}"
+	local auth="${3}"
+	local __auth
+
+	if pam_auth_isset "${s}"
+	then
+		if pam_auth_index_isset "${s}"
+		then
+			echo "AAA"
+			local index="$(get_pam_auth_index "${s}")"
+			__auth="-m "$(echo "${auth}" | sed -E "s|^\+|+${index}|")""
+
+		elif pam_auth_before_isset "${s}"
+		then
+			echo "BBB"
+			local before="$(get_pam_auth_before "${s}")"
+			local index="$(get_module_index "${pam_file}" auth "${before}")"
+
+			if [ "${index}" -gt "0" ]
+			then
+				index=$(( index -= 1 ))
+			fi
+			__auth="-m "$(echo "${auth}" | sed -E "s|^\+|+${index}|")""
+
+		elif pam_auth_after_isset "${s}"
+		then
+			echo "CCC"
+			local before="$(get_pam_auth_after "${s}")"
+			local index="$(get_module_index "${pam_file}" auth "${after}")"
+
+			index=$(( index += 1 ))
+			__auth="-m "$(echo "${auth}" | sed -E "s|^\+|+${index}|")""
+
+		elif echo "${auth}" | egrep -q '^(+|^)' && \
+			! pam_service_configured "${pam_file}" "${auth}"
+		then
+			echo "DDD"
+			local index="$(get_auth_index "${pam_file}")"
+			__auth="-m "$(echo "${auth}" | sed -E "s|^\+|+${index}|")""
+
+		elif echo "${auth}" | egrep -q '^-'
+		then
+			echo "EEE"
+			__auth="-m "${auth}""
+		fi
+	else
+			echo "FFF"
+		__auth=""
+	fi
+
+	echo "${__auth}"
+}
+
+do_pam_account_conf()
+{
+}
+
+do_pam_session_conf()
+{
+}
+
+do_pam_password_conf()
+{
+}
+
+do_pam_facility_conf()
+{
+}
+
 do_pam_conf()
 {
 	local auth="${1}"
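Review bot: The four stubs `do_pam_account_conf`, `do_pam_session_conf`, `do_pam_password_conf` and `do_pam_facility_conf` at L478–L492 have empty bodies, which sh rejects as a syntax error, so the script stops loading at that point; give each body a `:` placeholder until it is filled in. In `do_pam_auth_conf`, the `after` branch assigns `before` at L452 but passes `"${after}"` at L453, so `get_module_index` is always called with an empty module name and returns 1, and the following increment is computed from an empty `index`; rename the local to `after`. The `echo "AAA"` through `echo "FFF"` markers write to stdout, which is exactly what `do_pam_conf` captures with `$(do_pam_auth_conf ...)`, so they end up inside `__auth`; send them to stderr with `>&2` or drop them. The repeated `__auth="-m "$(...)""` form closes the string before the substitution, leaving the computed value subject to word splitting; `__auth="-m $(printf '%s' "${auth}" | sed -E "s|^\+|+${index}|")"` is the intended quoting.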
@@ -257,6 +599,43 @@
 
 			if in_pam_services "${s}" "${services}"
 			then
+				# pam_auth_isset
+				# pam_auth_index_isset
+				# pam_auth_before_isset
+				# pam_auth_after_isset
+
+				if [ -z "${auth}" ]
+				then
+					__auth=""
+					continue
+				fi
+
+				__auth=""
+				if pam_auth_isset "${s}"
+				then
+					__auth="$(do_pam_auth_conf "${pam_file}" "${s}" "${auth}")"
+				fi
+
+				echo "__auth = $__auth"
+
+
+				if pam_account_isset "${s}"
+				then
+					:
+				fi
+
+				if pam_session_isset "${s}"
+				then
+					:
+				fi
+
+				if pam_password_isset "${s}"
+				then
+					:
+				fi
+
+				continue
+
 				if pam_auth_isset "${s}" && [ -n "${auth}" ]
 				then
 					if echo "${auth}" | egrep -q '^(+|^)' && \
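Review bot: The bare `continue` at L536 makes the pre-existing block starting at L538 unreachable for every service, and the earlier `continue` at L509 skips the account, session and password checks whenever the `auth` argument is empty, which looks unintended since those facilities do not depend on `auth`; guard only the auth step instead, e.g. `if [ -n "${auth}" ] && pam_auth_isset "${s}"; then __auth="$(do_pam_auth_conf "${pam_file}" "${s}" "${auth}")"; fi`. `echo "__auth = $__auth"` at L518 is debug output on stdout and should go to stderr or be removed before this lands. The `pam_auth_isset` test at L513 is repeated inside `do_pam_auth_conf`, so one of the two can go. The enclosing loop and `do_pam_conf` itself begin and end outside this hunk.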


