[PC-BSD Commits] r19545 - pcbsd/current/src-sh/pc-adctl/scripts
svn at pcbsd.org
svn at pcbsd.org
Wed Sep 26 16:34:24 PDT 2012
Author: johnh
Date: 2012-09-26 23:34:24 +0000 (Wed, 26 Sep 2012)
New Revision: 19545
Modified:
pcbsd/current/src-sh/pc-adctl/scripts/pc-pam
Log:
Checkpoint. This doesn't work; just saving progress.
Modified: pcbsd/current/src-sh/pc-adctl/scripts/pc-pam
===================================================================
--- pcbsd/current/src-sh/pc-adctl/scripts/pc-pam 2012-09-26 18:01:17 UTC (rev 19544)
+++ pcbsd/current/src-sh/pc-adctl/scripts/pc-pam 2012-09-26 23:34:24 UTC (rev 19545)
@@ -22,23 +22,55 @@
: ${pam_krb5:="pam_krb5.so"}
#
-# The default pam classes for the specified services is auth and session.
+# The default pam facilities for the specified services is auth and session.
#
# This can be further and fine tuned using this format:
-# activedirectory_pam_${service}="${classes}"
+# (activedirectory|ldap)_pam_${service}="${facilities}"
#
# eg:
# activedirectory_pam_sshd="auth account session password"
#
-# If you want all classes use ALL, if you want no classes, use NONE.
+# If you want all facilities use ALL, if you want no facilities , use NONE.
#
+# More good stuff:
+#
+# To specify specific placement of pam modules in pam files, you
+# can use this format:
+#
+# (activedirectory|ldap)_pam_${service}_${facility}_index="${index}"
+#
+# eg:
+# activedirectory_pam_sshd_auth_index="2"
+#
+# This will place the pam_winbind.so module at index 2 in the auth
+# section (if it exists, otherwise, it will be placed less than 2
+# at the end, or the beginning of no modules are specified.
+#
+# (activedirectory|ldap)_pam_${service}_${facility}_before="${module}"
+#
+# eg:
+# activedirectory_pam_sshd_auth_before="pam_unix.so"
+#
+# This places pam_winbind.so right before pam_unix.so
+#
+# (activedirectory|ldap)_pam_${service}_${facility}_after="${module}"
+#
+# eg:
+# activedirectory_pam_sshd_auth_after="pam_krb5.so"
+#
+# This places pam_winbind.so right after pam_krb5.so
+#
-: ${activedirectory_pam_classes:="auth session"}
+: ${activedirectory_pam_facilities:="auth session"}
: ${activedirectory_pam_services:="${DEFAULT_PAM_SERVICES}"}
-: ${ldapclient_pam_classes:="auth session"}
+: ${ldapclient_pam_facilities:="auth session"}
: ${ldapclient_pam_services:="${DEFAULT_PAM_SERVICES}"}
+#
+# PC-BSD specifics
+#
+activedirectory_pam_gdm_auth_before="pam_unix.so"
in_pam_services()
{
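Review bot: Renaming `activedirectory_pam_classes` and `ldapclient_pam_classes` to `_facilities` at the `: ${...:=}` defaults drops support for the old names, so an rc.conf that still sets `activedirectory_pam_classes` is silently ignored and falls back to `auth session`; a compatibility fallback such as `: ${activedirectory_pam_facilities:="${activedirectory_pam_classes:-auth session}"}` (and the same for `ldapclient_`) keeps existing configurations working. The PC-BSD-specific `activedirectory_pam_gdm_auth_before="pam_unix.so"` is an unconditional assignment, unlike the defaults just above it, so it cannot be overridden from rc.conf; `: ${activedirectory_pam_gdm_auth_before:="pam_unix.so"}` would match the surrounding style and intent. In the new comment block, "or the beginning of no modules are specified" reads as "if no modules are specified", and the parenthesis opened at "(if it exists" is never closed.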
@@ -68,16 +100,78 @@
return ${res}
}
+__getvar()
+{
+ local name="${1}"
+ local tmp="$(echo ${name}|tr '.-' _)"
+ local var=""
+ if checkyesno activedirectory_enable 2>/dev/null
+ then
+ var="\$$(printf "activedirectory_pam_${tmp}")"
+
+ elif checkyesno ldapclient_enable 2>/dev/null
+ then
+ var="\$$(printf "ldapclient_pam_${tmp}")"
+
+ else
+ var="${tmp}"
+ fi
+
+ echo "${var}"
+}
+
+__getval()
+{
+ local var="${1}"
+ local val="$(eval "echo ${var} 2>/dev/null")"
+
+ echo "${val}"
+}
+
+__pam_var_isset()
+{
+ local service="${1}"
+ local var
+ local val
+
+ if checkyesno activedirectory_enable 2>/dev/null
+ then
+ local tmp="$(echo ${service}|tr '.-' _)"
+
+ var=\$$(printf "activedirectory_pam_${tmp}")
+ val=$(eval "echo ${var} 2>/dev/null")
+
+ if [ -n "${val}" ]
+ then
+ return 0
+ fi
+
+ elif checkyesno ldapclient_enable 2>/dev/null
+ then
+ local tmp="$(echo ${service}|tr '.-' _)"
+
+ var=\$$(printf "ldapclient_pam_${tmp}")
+ val=$(eval "echo ${var} 2>/dev/null")
+
+ if [ -n "${val}" ]
+ then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
do_pam_var_isset()
{
local service="${1}"
- local class="${2}"
+ local facility="${2}"
local check=0
local var
local val
- if [ -z "${service}" -o -z "${class}" ]
+ if [ -z "${service}" -o -z "${facility}" ]
then
return 1
fi
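Review bot: `__getval` hands a name derived from the caller's service string to `eval`, but `__getvar` only translates `.` and `-` to `_`, so any other character in a service name (whitespace or shell metacharacters) reaches `eval "echo ${var}"` unchanged, and `__pam_var_isset` repeats the same construct with its own copy of the `tr`. Rejecting anything that is not a valid shell identifier right after the `tr`, e.g. `case "${tmp}" in *[!A-Za-z0-9_]*) return 1 ;; esac`, keeps the indirection bounded to a plain variable lookup; the same guard belongs in `__pam_var_isset`. Separately, the `else` branch of `__getvar` returns the bare name `${tmp}` without the leading `\$`, so when neither backend is enabled `__getval` echoes the literal name instead of an empty value; `var=""` there is what the `get_pam_*` callers expect. `printf "activedirectory_pam_${tmp}"` also uses the expanded name as the printf format string; a plain `var="\$activedirectory_pam_${tmp}"` avoids both the subshell and any `%` in the name being interpreted.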
@@ -91,7 +185,7 @@
if [ -z "${val}" ]
then
- val="${activedirectory_pam_classes}"
+ val="${activedirectory_pam_facilities}"
fi
check=1
@@ -105,7 +199,7 @@
if [ -z "${val}" ]
then
- val="${ldapclient_pam_classes}"
+ val="${ldapclient_pam_facilities}"
fi
check=1
@@ -130,7 +224,7 @@
for s in ${val}
do
- if [ "${s}" = "${class}" ]
+ if [ "${s}" = "${facility}" ]
then
return 0
fi
@@ -143,10 +237,15 @@
get_index()
{
local file="${1}"
- local class="${2}"
+ local facility="${2}"
local index
- index="$(egrep "^${class}" "${file}"|awk '{ printf("%d %s\n", n++, $0); }'|egrep sufficient|awk '{ print $1 }'|tail -1)"
+ index="$(egrep "^${facility}" "${file}" | \
+ awk '{ printf("%d %s\n", n++, $0); }' | \
+ egrep sufficient | \
+ awk '{ print $1 }' | \
+ tail -1)"
+
if [ -z "${index}" ]
then
index=0
@@ -156,6 +255,25 @@
echo "${index}"
}
+get_module_index()
+{
+ local file="${1}"
+ local facility="${2}"
+ local module="${3}"
+
+ if [ -z "${file}" -o -z "${facility}" -o -z "${module}" ]
+ then
+ return 1
+ fi
+
+ egrep "^${facility}" "${file}" | \
+ awk '{ printf("%d %s\n", n++, $0); }' | \
+ egrep "${module}" | \
+ awk '{ print $1 }'
+
+ return 0
+}
+
get_auth_index()
{
get_index "${1}" "auth"
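Review bot: `get_module_index` passes the module name to `egrep "${module}"` as an extended regex rather than a literal string, and it prints the index of every matching line, so a facility that names the module twice (or a name that is a prefix of another) yields several numbers; `do_pam_auth_conf` then feeds that multi-line value to `[ "${index}" -gt "0" ]`, which fails with a non-numeric operand. Matching the literal name with `grep -F -- "${module}" | \` and keeping a single result (`awk '{ print $1 }' | head -1`, or `tail -1` as `get_index` does) gives one numeric index. The trailing `return 0` also hides the pipeline's own status; dropping it lets the function report whether a match was found, which the caller could use instead of testing the output.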
@@ -176,30 +294,182 @@
get_index "${1}" "password"
}
+get_pam_auth()
+{
+ __getval $(__getvar "${1}_auth")
+}
+
pam_auth_isset()
{
do_pam_var_isset "${1}" "auth"
return $?
}
+get_pam_auth_index()
+{
+ __getval $(__getvar "${1}_auth_index")
+}
+
+pam_auth_index_isset()
+{
+ __pam_var_isset "${1}_auth_index"
+ return $?
+}
+
+get_pam_auth_before()
+{
+ __getval $(__getvar "${1}_auth_before")
+}
+
+pam_auth_before_isset()
+{
+ __pam_var_isset "${1}_auth_before"
+ return $?
+}
+
+get_pam_auth_after()
+{
+ __getval $(__getvar "${1}_auth_after")
+}
+
+pam_auth_after_isset()
+{
+ __pam_var_isset "${1}_auth_after"
+ return $?
+}
+
+get_pam_account()
+{
+ __getval $(__getvar "${1}_account")
+}
+
pam_account_isset()
{
do_pam_var_isset "${1}" "account"
return $?
}
+get_pam_account_index()
+{
+ __getval $(__getvar "${1}_account_index")
+}
+
+pam_account_index_isset()
+{
+ __pam_var_isset "${1}_account_index"
+ return $?
+}
+
+get_pam_account_before()
+{
+ __getval $(__getvar "${1}_account_before")
+}
+
+pam_account_before_isset()
+{
+ __pam_var_isset "${1}_account_before"
+ return $?
+}
+
+get_pam_account_after()
+{
+ __getval $(__getvar "${1}_account_after")
+}
+
+pam_account_after_isset()
+{
+ __pam_var_isset "${1}_account_after"
+ return $?
+}
+
+get_pam_session()
+{
+ __getval $(__getvar "${1}_session")
+}
+
pam_session_isset()
{
do_pam_var_isset "${1}" "session"
return $?
}
+get_pam_session_index()
+{
+ __getval $(__getvar "${1}_session_index")
+}
+
+pam_session_index_isset()
+{
+ __pam_var_isset "${1}_session_index"
+ return $?
+}
+
+get_pam_session_before()
+{
+ __getval $(__getvar "${1}_session_before")
+}
+
+pam_session_before_isset()
+{
+ __pam_var_isset "${1}_session_before"
+ return $?
+}
+
+get_pam_session_after()
+{
+ __getval $(__getvar "${1}_session_after")
+}
+
+pam_session_after_isset()
+{
+ __pam_var_isset "${1}_session_after"
+ return $?
+}
+
+get_pam_password()
+{
+ __getval $(__getvar "${1}_password")
+}
+
pam_password_isset()
{
do_pam_var_isset "${1}" "password"
return $?
}
+get_pam_password_index()
+{
+ __getval $(__getvar "${1}_password_index")
+}
+
+pam_password_index_isset()
+{
+ __pam_var_isset "${1}_password_index"
+ return $?
+}
+
+get_pam_password_before()
+{
+ __getval $(__getvar "${1}_password_before")
+}
+
+pam_password_before_isset()
+{
+ __pam_var_isset "${1}_password_before"
+ return $?
+}
+
+get_pam_password_after()
+{
+ __getval $(__getvar "${1}_password_after")
+}
+
+pam_password_after_isset()
+{
+ __pam_var_isset "${1}_password_after"
+ return $?
+}
+
pam_service_configured()
{
local pam_file="${1}"
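Review bot: The new `get_pam_<facility>[_index|_before|_after]` and `pam_<facility>_<kind>_isset` wrappers are identical except for the suffix appended to `${1}`, so any fix to the lookup has to be repeated in each of them; two generic helpers taking the suffix as a parameter, `get_pam_var() { __getval "$(__getvar "${1}_${2}")"; }` and `pam_var_isset() { __pam_var_isset "${1}_${2}"; }`, cover every case with calls like `get_pam_var "${s}" auth_before`. The `$(__getvar ...)` substitution is also passed unquoted in every getter; quoting it as above keeps the argument intact if `__getvar` ever returns a value containing whitespace. The `return $?` after each `__pam_var_isset` call is redundant, since a function already returns the status of its last command. `pam_service_configured` begins at the end of this hunk and continues past it.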
@@ -215,6 +485,78 @@
return $?
}
+do_pam_auth_conf()
+{
+ local pam_file="${1}"
+ local s="${2}"
+ local auth="${3}"
+ local __auth
+
+ if pam_auth_isset "${s}"
+ then
+ if pam_auth_index_isset "${s}"
+ then
+ echo "AAA"
+ local index="$(get_pam_auth_index "${s}")"
+ __auth="-m "$(echo "${auth}" | sed -E "s|^\+|+${index}|")""
+
+ elif pam_auth_before_isset "${s}"
+ then
+ echo "BBB"
+ local before="$(get_pam_auth_before "${s}")"
+ local index="$(get_module_index "${pam_file}" auth "${before}")"
+
+ if [ "${index}" -gt "0" ]
+ then
+ index=$(( index -= 1 ))
+ fi
+ __auth="-m "$(echo "${auth}" | sed -E "s|^\+|+${index}|")""
+
+ elif pam_auth_after_isset "${s}"
+ then
+ echo "CCC"
+ local before="$(get_pam_auth_after "${s}")"
+ local index="$(get_module_index "${pam_file}" auth "${after}")"
+
+ index=$(( index += 1 ))
+ __auth="-m "$(echo "${auth}" | sed -E "s|^\+|+${index}|")""
+
+ elif echo "${auth}" | egrep -q '^(+|^)' && \
+ ! pam_service_configured "${pam_file}" "${auth}"
+ then
+ echo "DDD"
+ local index="$(get_auth_index "${pam_file}")"
+ __auth="-m "$(echo "${auth}" | sed -E "s|^\+|+${index}|")""
+
+ elif echo "${auth}" | egrep -q '^-'
+ then
+ echo "EEE"
+ __auth="-m "${auth}""
+ fi
+ else
+ echo "FFF"
+ __auth=""
+ fi
+
+ echo "${__auth}"
+}
+
+do_pam_account_conf()
+{
+}
+
+do_pam_session_conf()
+{
+}
+
+do_pam_password_conf()
+{
+}
+
+do_pam_facility_conf()
+{
+}
+
do_pam_conf()
{
local auth="${1}"
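Review bot: `do_pam_account_conf`, `do_pam_session_conf`, `do_pam_password_conf` and `do_pam_facility_conf` are declared with empty bodies, which is a syntax error in both sh and bash (a brace group needs at least one command), so the whole script fails to parse; a placeholder body in each, `do_pam_account_conf() { :; }`, makes the stubs loadable. In the `pam_auth_after_isset` branch of `do_pam_auth_conf` the value is stored in `before` but `get_module_index` is called with `${after}`, which is never assigned, so the lookup always runs with an empty module name; `local after="$(get_pam_auth_after "${s}")"` followed by `get_module_index "${pam_file}" auth "${after}"` fixes it. The `echo "AAA"` … `echo "FFF"` traces go to stdout, which is the channel the caller captures with `$(do_pam_auth_conf …)`, so they become part of the returned `-m` argument; send them to stderr with `>&2` or drop them before this path is exercised. `do_pam_conf` begins at the end of the hunk and continues past it.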
@@ -257,6 +599,43 @@
if in_pam_services "${s}" "${services}"
then
+ # pam_auth_isset
+ # pam_auth_index_isset
+ # pam_auth_before_isset
+ # pam_auth_after_isset
+
+ if [ -z "${auth}" ]
+ then
+ __auth=""
+ continue
+ fi
+
+ __auth=""
+ if pam_auth_isset "${s}"
+ then
+ __auth="$(do_pam_auth_conf "${pam_file}" "${s}" "${auth}")"
+ fi
+
+ echo "__auth = $__auth"
+
+
+ if pam_account_isset "${s}"
+ then
+ :
+ fi
+
+ if pam_session_isset "${s}"
+ then
+ :
+ fi
+
+ if pam_password_isset "${s}"
+ then
+ :
+ fi
+
+ continue
+
if pam_auth_isset "${s}" && [ -n "${auth}" ]
then
if echo "${auth}" | egrep -q '^(+|^)' && \
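Review bot: The unconditional `continue` added just before the original `if pam_auth_isset "${s}" && [ -n "${auth}" ]` block makes everything from that line to the end of the loop body unreachable, so the pre-existing auth/account/session/password handling no longer runs for any service; if the new `do_pam_*_conf` path is meant to replace it, the old block should be removed in the same change, and if not, the `continue` should be confined to the empty-`auth` case above it. The `echo "__auth = $__auth"` trace writes to stdout; if `do_pam_conf`'s output is consumed anywhere (not visible in this hunk), that line ends up in it, so `echo "__auth = ${__auth}" >&2` is safer even for a checkpoint. `pam_auth_isset "${s}"` is also tested here and again at the top of `do_pam_auth_conf`, so one of the two checks can go. `do_pam_conf` starts before the hunk and continues after it.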