From 98d9e442c41b0951d2035f43ddc7553a5dffee1b Mon Sep 17 00:00:00 2001
From: Timothy Pearson
Date: Fri, 12 Apr 2013 10:21:45 -0500
Subject: [PATCH] Add ability to control PAM options including credential caching and home directory creation
---
 src/libtdeldap.cpp | 60 +++++++++++++++++++++++++++++++++++++++++++---
 src/libtdeldap.h | 19 ++++++++++++++-
 2 files changed, 75 insertions(+), 4 deletions(-)
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 0354fb4..417bc46 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -63,6 +63,7 @@
 #define PAMD_DIRECTORY "/etc/pam.d/"
 #define PAMD_COMMON_ACCOUNT "common-account"
 #define PAMD_COMMON_AUTH "common-auth"
+#define PAMD_COMMON_SESSION "common-session"
 #define LDAP_FILE "/etc/ldap/ldap.conf"
 #define LDAP_SECONDARY_FILE "/etc/ldap.conf"
@@ -3073,6 +3074,11 @@ LDAPClientRealmConfig LDAPManager::loadClientRealmConfig(KSimpleConfig* config,
 clientRealmConfig.passwordHash = config->readEntry("ConnectionPasswordHash", "exop");
 clientRealmConfig.ignoredUsers = config->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST);
+ clientRealmConfig.pamConfig.enable_cached_credentials = config->readBoolEntry("EnableCachedCredentials", true);
+ clientRealmConfig.pamConfig.autocreate_user_directories_enable = config->readBoolEntry("EnableAutoUserDir", true);
+ clientRealmConfig.pamConfig.autocreate_user_directories_umask = config->readNumEntry("AutoUserDirUmask", 0022);
+ clientRealmConfig.pamConfig.autocreate_user_directories_skel = config->readEntry("AutoUserDirSkelDir", "/etc/skel");
+
 return clientRealmConfig;
 }
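Review bot: The `readNumEntry("AutoUserDirUmask", 0022)` default in loadClientRealmConfig is an octal literal, but readNumEntry parses the stored text as a decimal integer (assuming TDE's KConfigBase behaves like KDE 3's), so the value persists as `AutoUserDirUmask=18` and an administrator who hand-edits it to the natural-looking `0022` gets decimal 22, i.e. a umask of 026. Store the mask as an octal string instead: here `config->readEntry("AutoUserDirUmask", "0022").toUInt(0, 8)`, and in the matching saveClientRealmConfig line `TQString().sprintf("%04o", (unsigned)clientRealmConfig.pamConfig.autocreate_user_directories_umask)`, rejecting anything outside 0..0777 on load. The `EnableCachedCredentials` default of true also deserves a why-comment, since the `action=store` line it gates in writePAMFiles makes pam_ccreds keep a local hash of each user's password: `// default on: pam_ccreds caches password hashes locally so users can log in while the directory/KDC is unreachable`. loadClientRealmConfig begins before this hunk.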
@@ -3096,6 +3102,11 @@ int LDAPManager::saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig,
 config->writeEntry("ConnectionPasswordHash", clientRealmConfig.passwordHash);
 config->writeEntry("ConnectionIgnoredUsers", clientRealmConfig.ignoredUsers);
+ config->writeEntry("EnableCachedCredentials", clientRealmConfig.pamConfig.enable_cached_credentials);
+ config->writeEntry("EnableAutoUserDir", clientRealmConfig.pamConfig.autocreate_user_directories_enable);
+ config->writeEntry("AutoUserDirUmask", clientRealmConfig.pamConfig.autocreate_user_directories_umask);
+ config->writeEntry("AutoUserDirSkelDir", clientRealmConfig.pamConfig.autocreate_user_directories_skel);
+
 return 0;
 }
@@ -3177,7 +3188,7 @@ int LDAPManager::writeNSSwitchFile(TQString *errstr) {
 return 0;
 }
-int LDAPManager::writePAMFiles(TQString *errstr) {
+int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
 TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT);
 if (file.open(IO_WriteOnly)) {
 TQTextStream stream( &file );
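Review bot: writePAMFiles now takes `LDAPPamConfig pamConfig` by value although the body only reads it; `int LDAPManager::writePAMFiles(const LDAPPamConfig &pamConfig, TQString *errstr)` (with the same change to the declaration in libtdeldap.h) avoids copying the struct and its TQString on every call and documents that the configuration is not modified. The body of writePAMFiles continues past the end of this hunk.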
@@ -3202,13 +3213,46 @@ int LDAPManager::writePAMFiles(TQString *errstr) {
 stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n";
 stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
 stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
- stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
- stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
+ if (pamConfig.enable_cached_credentials) {
+ stream << "auth [default=bad success=ok] pam_ccreds.so action=validate use_first_pass" << "\n";
+ stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
+ }
 stream << "auth required pam_deny.so" << "\n";
 file2.close();
 }
+ TQFile file3(PAMD_DIRECTORY PAMD_COMMON_SESSION);
+ if (file3.open(IO_WriteOnly)) {
+ TQTextStream stream( &file3 );
+
+ stream << "# This file was automatically generated by TDE\n";
+ stream << "# All changes will be lost!\n";
+ stream << "\n";
+ stream << "session [default=1] pam_permit.so" << "\n";
+ stream << "session requisite pam_deny.so" << "\n";
+ stream << "session required pam_permit.so" << "\n";
+ stream << "session required pam_unix.so" << "\n";
+ stream << "session optional pam_ck_connector.so nox11" << "\n";
+ if (pamConfig.autocreate_user_directories_enable) {
+ char modestring[8];
+ sprintf(modestring, "%04o", pamConfig.autocreate_user_directories_umask);
+ TQString skelstring;
+ if (pamConfig.autocreate_user_directories_skel != "") {
+ skelstring = " skel=" + pamConfig.autocreate_user_directories_skel;
+ }
+ TQString umaskString;
+ if (pamConfig.autocreate_user_directories_umask != 0) {
+ umaskString = " umask=";
+ umaskString.append(modestring);
+ }
+ stream << "session required pam_mkhomedir.so" << skelstring << umaskString << "\n";
+ }
+ stream << "auth required pam_deny.so" << "\n";
+
+ file3.close();
+ }
+
 return 0;
 }
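Review bot: The last rule written to common-session, `stream << "auth required pam_deny.so" << "\n";`, is an auth-type line in the session file, apparently copied from the common-auth trailer; a service that does `@include common-session` gets it appended to its auth stack, and the unchanged pam_krb5 line's `success=1` jump — which now only has a line to skip when enable_cached_credentials is true — would, if I read Linux-PAM's stack semantics correctly, land on it after a Kerberos success and the `required` pam_deny would fail the login for every Kerberos-only user once caching is switched off. Drop that line (the session stack already ends with pam_unix and pam_ck_connector) and give the jump a fixed target in common-auth by writing `stream << "auth required pam_permit.so" << "\n";` after the pam_deny line, as Debian's pam-auth-update stack does, rather than relying on running off the end of the stack. Separately, `sprintf(modestring, "%04o", …)` formats a `mode_t` taken straight from the config file into an 8-byte buffer, so any value needing more than seven octal digits overflows it; bound it with `snprintf(modestring, sizeof(modestring), "%04o", (unsigned)(pamConfig.autocreate_user_directories_umask & 0777));`. writePAMFiles begins before this hunk.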
@@ -3482,4 +3526,14 @@ KerberosTicketInfo::~KerberosTicketInfo() {
 //
 }
+LDAPPamConfig::LDAPPamConfig() {
+ enable_cached_credentials = true;
+ autocreate_user_directories_enable = true;
+ autocreate_user_directories_umask;
+}
+
+LDAPPamConfig::~LDAPPamConfig() {
+ //
+}
+
 #include "libtdeldap.moc"
diff --git a/src/libtdeldap.h b/src/libtdeldap.h
index 8bc0355..e67bca5 100644
--- a/src/libtdeldap.h
+++ b/src/libtdeldap.h
@@ -22,6 +22,7 @@
 #define _LIBTDELDAP_H_
 #include
+#include
 #include
 #include
@@ -189,6 +190,20 @@ class LDAPCertConfig
 TQString emailAddress;
 };
+// PRIVATE
+class LDAPPamConfig
+{
+ public:
+ LDAPPamConfig();
+ ~LDAPPamConfig();
+
+ public:
+ bool enable_cached_credentials;
+ bool autocreate_user_directories_enable;
+ mode_t autocreate_user_directories_umask;
+ TQString autocreate_user_directories_skel;
+};
+
 // PRIVATE
 class LDAPClientRealmConfig
 {
@@ -207,6 +222,8 @@ class LDAPClientRealmConfig
 TQString ignoredUsers;
 bool configurationVerifiedForLocalMachine;
+
+ LDAPPamConfig pamConfig;
 };
 typedef TQMap LDAPRealmConfigList;
@@ -461,7 +478,7 @@ class LDAPManager : public TQObject {
 static int writeLDAPConfFile(LDAPRealmConfig realmcfg, TQString *errstr=0);
 static int writeNSSwitchFile(TQString *errstr=0);
 static int writeClientCronFiles(TQString *errstr=0);
- static int writePAMFiles(TQString *errstr=0);
+ static int writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr=0);
 static int bondRealm(TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0);
 static int unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0);
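Review bot: `autocreate_user_directories_umask;` in the LDAPPamConfig constructor is an expression statement with no effect, so that member is left uninitialised while the two flags get defaults; a default-constructed LDAPPamConfig handed to writePAMFiles then feeds an indeterminate value to `sprintf("%04o", …)` and to the `!= 0` test that decides whether `umask=` is emitted. Initialise it to the value loadClientRealmConfig uses, `autocreate_user_directories_umask = 0022;`, and for consistency also `autocreate_user_directories_skel = "/etc/skel";`. A comment on the constructor noting that these mirror the config-file defaults in loadClientRealmConfig would help whoever next changes one without the other.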
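Review bot: The new LDAPPamConfig class documents none of its members, and their effect is only discoverable by reading writePAMFiles; a one-line comment on each would help: `bool enable_cached_credentials; // emit the pam_ccreds validate/store lines in common-auth (offline login from locally cached hashes)`, `mode_t autocreate_user_directories_umask; // umask passed to pam_mkhomedir; 0 means the option is not emitted`, and `TQString autocreate_user_directories_skel; // skel directory for pam_mkhomedir; empty means the option is not emitted`. `mode_t` needs `<sys/types.h>`, presumably what the new `#include` in the header's include block provides — its target is stripped in this rendering, so worth confirming. The second `public:` label before the data members is redundant and can go.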