Add ability to control PAM options including credential caching and home directory creation

pull/1/head
Timothy Pearson 12 years ago
parent 52d15ff717
commit 98d9e442c4

@ -63,6 +63,7 @@
#define PAMD_DIRECTORY "/etc/pam.d/"
#define PAMD_COMMON_ACCOUNT "common-account"
#define PAMD_COMMON_AUTH "common-auth"
#define PAMD_COMMON_SESSION "common-session"
#define LDAP_FILE "/etc/ldap/ldap.conf"
#define LDAP_SECONDARY_FILE "/etc/ldap.conf"
@ -3073,6 +3074,11 @@ LDAPClientRealmConfig LDAPManager::loadClientRealmConfig(KSimpleConfig* config,
clientRealmConfig.passwordHash = config->readEntry("ConnectionPasswordHash", "exop");
clientRealmConfig.ignoredUsers = config->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST);
clientRealmConfig.pamConfig.enable_cached_credentials = config->readBoolEntry("EnableCachedCredentials", true);
clientRealmConfig.pamConfig.autocreate_user_directories_enable = config->readBoolEntry("EnableAutoUserDir", true);
clientRealmConfig.pamConfig.autocreate_user_directories_umask = config->readNumEntry("AutoUserDirUmask", 0022);
clientRealmConfig.pamConfig.autocreate_user_directories_skel = config->readEntry("AutoUserDirSkelDir", "/etc/skel");
return clientRealmConfig;
}
@ -3096,6 +3102,11 @@ int LDAPManager::saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig,
config->writeEntry("ConnectionPasswordHash", clientRealmConfig.passwordHash);
config->writeEntry("ConnectionIgnoredUsers", clientRealmConfig.ignoredUsers);
config->writeEntry("EnableCachedCredentials", clientRealmConfig.pamConfig.enable_cached_credentials);
config->writeEntry("EnableAutoUserDir", clientRealmConfig.pamConfig.autocreate_user_directories_enable);
config->writeEntry("AutoUserDirUmask", clientRealmConfig.pamConfig.autocreate_user_directories_umask);
config->writeEntry("AutoUserDirSkelDir", clientRealmConfig.pamConfig.autocreate_user_directories_skel);
return 0;
}
@ -3177,7 +3188,7 @@ int LDAPManager::writeNSSwitchFile(TQString *errstr) {
return 0;
}
int LDAPManager::writePAMFiles(TQString *errstr) {
int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT);
if (file.open(IO_WriteOnly)) {
TQTextStream stream( &file );
@ -3202,13 +3213,46 @@ int LDAPManager::writePAMFiles(TQString *errstr) {
stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n";
stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
if (pamConfig.enable_cached_credentials) {
stream << "auth [default=bad success=ok] pam_ccreds.so action=validate use_first_pass" << "\n";
stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
}
stream << "auth required pam_deny.so" << "\n";
file2.close();
}
TQFile file3(PAMD_DIRECTORY PAMD_COMMON_SESSION);
if (file3.open(IO_WriteOnly)) {
TQTextStream stream( &file3 );
stream << "# This file was automatically generated by TDE\n";
stream << "# All changes will be lost!\n";
stream << "\n";
stream << "session [default=1] pam_permit.so" << "\n";
stream << "session requisite pam_deny.so" << "\n";
stream << "session required pam_permit.so" << "\n";
stream << "session required pam_unix.so" << "\n";
stream << "session optional pam_ck_connector.so nox11" << "\n";
if (pamConfig.autocreate_user_directories_enable) {
char modestring[8];
sprintf(modestring, "%04o", pamConfig.autocreate_user_directories_umask);
TQString skelstring;
if (pamConfig.autocreate_user_directories_skel != "") {
skelstring = " skel=" + pamConfig.autocreate_user_directories_skel;
}
TQString umaskString;
if (pamConfig.autocreate_user_directories_umask != 0) {
umaskString = " umask=";
umaskString.append(modestring);
}
stream << "session required pam_mkhomedir.so" << skelstring << umaskString << "\n";
}
stream << "auth required pam_deny.so" << "\n";
file3.close();
}
return 0;
}
@ -3482,4 +3526,14 @@ KerberosTicketInfo::~KerberosTicketInfo() {
//
}
LDAPPamConfig::LDAPPamConfig() {
enable_cached_credentials = true;
autocreate_user_directories_enable = true;
autocreate_user_directories_umask;
}
LDAPPamConfig::~LDAPPamConfig() {
//
}
#include "libtdeldap.moc"

@ -22,6 +22,7 @@
#define _LIBTDELDAP_H_
#include <unistd.h>
#include <sys/stat.h>
#include <ldap.h>
#include <tqobject.h>
@ -189,6 +190,20 @@ class LDAPCertConfig
TQString emailAddress;
};
// PRIVATE
class LDAPPamConfig
{
public:
LDAPPamConfig();
~LDAPPamConfig();
public:
bool enable_cached_credentials;
bool autocreate_user_directories_enable;
mode_t autocreate_user_directories_umask;
TQString autocreate_user_directories_skel;
};
// PRIVATE
class LDAPClientRealmConfig
{
@ -207,6 +222,8 @@ class LDAPClientRealmConfig
TQString ignoredUsers;
bool configurationVerifiedForLocalMachine;
LDAPPamConfig pamConfig;
};
typedef TQMap<TQString, LDAPRealmConfig> LDAPRealmConfigList;
@ -461,7 +478,7 @@ class LDAPManager : public TQObject {
static int writeLDAPConfFile(LDAPRealmConfig realmcfg, TQString *errstr=0);
static int writeNSSwitchFile(TQString *errstr=0);
static int writeClientCronFiles(TQString *errstr=0);
static int writePAMFiles(TQString *errstr=0);
static int writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr=0);
static int bondRealm(TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0);
static int unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0);

Loading…
Cancel
Save