From 7316cfa0edc48ed49cd6178282228a3f5a9b173f Mon Sep 17 00:00:00 2001 From: Pascal Rigaux Date: Thu, 17 Jun 2004 08:09:07 +0000 Subject: - AD_users_db is cn=users,ldap_domain and not cn=users,dc=servername,ldap_domain - AD_user (for binddn) is user@domain instead of cn=user,cn=users,ldap_domain - better system-auth krb5 configuration (all this as requested by Vincent Guardiola) --- perl-install/authentication.pm | 88 +++++++++++++++++++++--------------------- 1 file changed, 44 insertions(+), 44 deletions(-) (limited to 'perl-install') diff --git a/perl-install/authentication.pm b/perl-install/authentication.pm index bc28468e4..d5937d124 100644 --- a/perl-install/authentication.pm +++ b/perl-install/authentication.pm @@ -42,9 +42,9 @@ sub ask_parameters { } elsif ($kind eq 'AD') { $val ||= $netc->{DOMAINNAME}; $authentication->{AD_server} ||= 'kerberos.' . $val; - $authentication->{AD_users_db} ||= 'cn=users,' . domain_to_ldap_domain($authentication->{AD_server}); + $authentication->{AD_users_db} ||= 'cn=users,' . domain_to_ldap_domain($val); - my $AD_user = $authentication->{AD_user} =~ /cn=(.*),\Q$authentication->{AD_users_db}\E$/ ? $1 : $authentication->{AD_user}; + my $AD_user = $authentication->{AD_user} =~ /(.*)\@\Q$val\E$/ ? $1 : $authentication->{AD_user}; $in->ask_from('', N("Authentication Active Directory"), @@ -54,8 +54,7 @@ sub ask_parameters { { label => N("LDAP user allowed to browse the Active Directory"), val => \$AD_user }, { label => N("Password for user"), val => \$authentication->{AD_password}, disabled => sub { !$AD_user } }, ]) or return; - $authentication->{AD_user} = !$AD_user ? '' : $AD_user =~ /cn=/ ? $AD_user : - "cn=$AD_user,$authentication->{AD_users_db}"; + $authentication->{AD_user} = !$AD_user ? '' : $AD_user =~ /@/ ? $AD_user : "$AD_user\@$val"; } elsif ($kind eq 'NIS') { $val ||= 'broadcast'; $in->ask_from('', @@ -181,7 +180,7 @@ sub set { sub pam_modules() { - 'pam_ldap', 'pam_winbind', 'pam_mkhomedir'; + 'pam_ldap', 'pam_winbind', 'pam_krb5', 'pam_mkhomedir'; } sub pam_module_from_path { $_[0] && $_[0] =~ m|(/lib/security/)?(pam_.*)\.so| && $2; @@ -205,41 +204,56 @@ sub get_raw_pam_authentication() { \%before_deny; } -sub set_raw_pam_authentication { - my ($before_deny, $before_first) = @_; +sub set_pam_authentication { + my (@authentication_kinds) = @_; + + my %special = ( + auth => \@authentication_kinds, + account => \@authentication_kinds, + password => [ intersection(\@authentication_kinds, [ 'ldap', 'krb5' ]) ], + ); + my %before_first = ( + session => intersection(\@authentication_kinds, [ 'winbind', 'krb5' ]) ? pam_format_line('session', 'optional', 'pam_mkhomedir', 'skel=/etc/skel/', 'umask=0022') : '', + ); + my %after_deny = ( + session => member('krb5', @authentication_kinds) ? pam_format_line('session', 'optional', 'pam_krb5') : '', + ); + substInFile { my ($type, $control, $module, @para) = split; - my $added_pre_line = ''; if ($module = pam_module_from_path($module)) { - if ($module eq 'pam_unix' && member($type, 'auth', 'account')) { - #- remove likeauth, nullok and use_first_pass - $_ = pam_format_line($type, 'sufficient', $module, grep { !member($_, qw(likeauth nullok use_first_pass)) } @para); + if (member($module, pam_modules())) { + #- first removing previous config + $_ = ''; + } + if ($module eq 'pam_unix' && $special{$type} && @{$special{$type}}) { + my @para_for_last = + $type eq 'auth' ? qw(likeauth nullok use_first_pass) : + $type eq 'account' ? qw(use_first_pass) : @{[]}; + @para = difference2(\@para, \@para_for_last); + + my ($before, $after) = partition { $_ eq 'krb5' } @{$special{$type}}; + my @l = ((map { [ "pam_$_" ] } @$before), + [ 'pam_unix', @para ], + (map { [ "pam_$_" ] } @$after), + ); + push @{$l[-1]}, @para_for_last; + $_ = join('', map { pam_format_line($type, 'sufficient', @$_) } @l); + if ($control eq 'required') { #- ensure a pam_deny line is there ($control, $module, @para) = ('required', 'pam_deny'); - ($added_pre_line, $_) = ($_, pam_format_line($type, $control, $module)); + $_ .= pam_format_line($type, $control, $module); } } - if (member($module, pam_modules())) { - #- first removing previous config - warn "dropping line $_"; - $_ = ''; - } else { - if ($before_first->{$type}) { - foreach my $module (keys %{$before_first->{$type}}) { - $_ = pam_format_line($type, 'required', $module, @{$before_first->{$type}{$module}}) . $_; - } - delete $before_first->{$type}; - } - if ($control eq 'required' && $module eq 'pam_deny') { - if ($before_deny->{$type}) { - foreach my $module (keys %{$before_deny->{$type}}) { - $_ = pam_format_line($type, 'sufficient', $module, @{$before_deny->{$type}{$module}}) . $_; - } - } + if (my $s = delete $before_first{$type}) { + $_ = $s . $_; + } + if ($control eq 'required' && member($module, 'pam_deny', 'pam_unix')) { + if (my $s = delete $after_deny{$type}) { + $_ .= $s; } } - $_ = $added_pre_line . $_; } } "$::prefix/etc/pam.d/system-auth"; } @@ -249,20 +263,6 @@ sub get_pam_authentication_kinds() { map { s/pam_//; $_ } keys %{$before_deny->{auth}}; } -sub set_pam_authentication { - my (@authentication_kinds) = @_; - my $before_deny = {}; - my $before_first = {}; - foreach (@authentication_kinds) { - my $module = 'pam_' . $_; - $before_deny->{auth}{$module} = [ 'likeauth', 'nullok', 'use_first_pass' ]; - $before_deny->{account}{$module} = [ 'use_first_pass' ]; - $before_deny->{password}{$module} = [] if $_ eq 'ldap'; - $before_first->{session}{pam_mkhomedir} = [ 'skel=/etc/skel/', 'umask=0022' ] if $_ eq 'winbind'; - } - set_raw_pam_authentication($before_deny, $before_first); -} - sub set_nsswitch_priority { my (@kinds) = @_; # allowed: files nis ldap dns -- cgit v1.2.1