Add ability to control PAM options including credential caching and home directory creation

src/libtdeldap.cpp

@@ -63,6 +63,7 @@
 #define PAMD_DIRECTORY "/etc/pam.d/"
 #define PAMD_COMMON_ACCOUNT "common-account"
 #define PAMD_COMMON_AUTH "common-auth"
+#define PAMD_COMMON_SESSION "common-session"
 
 #define LDAP_FILE "/etc/ldap/ldap.conf"
 #define LDAP_SECONDARY_FILE "/etc/ldap.conf"
@@ -3073,6 +3074,11 @@ LDAPClientRealmConfig LDAPManager::loadClientRealmConfig(KSimpleConfig* config,
 	clientRealmConfig.passwordHash = config->readEntry("ConnectionPasswordHash", "exop");
 	clientRealmConfig.ignoredUsers = config->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST);
 
+	clientRealmConfig.pamConfig.enable_cached_credentials = config->readBoolEntry("EnableCachedCredentials", true);
+	clientRealmConfig.pamConfig.autocreate_user_directories_enable = config->readBoolEntry("EnableAutoUserDir", true);
+	clientRealmConfig.pamConfig.autocreate_user_directories_umask = config->readNumEntry("AutoUserDirUmask", 0022);
+	clientRealmConfig.pamConfig.autocreate_user_directories_skel = config->readEntry("AutoUserDirSkelDir", "/etc/skel");
+
 	return clientRealmConfig;
 }
 
@@ -3096,6 +3102,11 @@ int LDAPManager::saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig,
 	config->writeEntry("ConnectionPasswordHash", clientRealmConfig.passwordHash);
 	config->writeEntry("ConnectionIgnoredUsers", clientRealmConfig.ignoredUsers);
 
+	config->writeEntry("EnableCachedCredentials", clientRealmConfig.pamConfig.enable_cached_credentials);
+	config->writeEntry("EnableAutoUserDir", clientRealmConfig.pamConfig.autocreate_user_directories_enable);
+	config->writeEntry("AutoUserDirUmask", clientRealmConfig.pamConfig.autocreate_user_directories_umask);
+	config->writeEntry("AutoUserDirSkelDir", clientRealmConfig.pamConfig.autocreate_user_directories_skel);
+
 	return 0;
 }
 
@@ -3177,7 +3188,7 @@ int LDAPManager::writeNSSwitchFile(TQString *errstr) {
 	return 0;
 }
 
-int LDAPManager::writePAMFiles(TQString *errstr) {
+int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
 	TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT);
 	if (file.open(IO_WriteOnly)) {
 		TQTextStream stream( &file );
@@ -3202,13 +3213,46 @@ int LDAPManager::writePAMFiles(TQString *errstr) {
 		stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n";
 		stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
 		stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
-		stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
+		if (pamConfig.enable_cached_credentials) {
+			stream << "auth [default=bad success=ok] pam_ccreds.so action=validate use_first_pass" << "\n";
 			stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
+		}
 		stream << "auth required pam_deny.so" << "\n";
 
 		file2.close();
 	}
 
+	TQFile file3(PAMD_DIRECTORY PAMD_COMMON_SESSION);
+	if (file3.open(IO_WriteOnly)) {
+		TQTextStream stream( &file3 );
+
+		stream << "# This file was automatically generated by TDE\n";
+		stream << "# All changes will be lost!\n";
+		stream << "\n";
+		stream << "session [default=1] pam_permit.so" << "\n";
+		stream << "session requisite pam_deny.so" << "\n";
+		stream << "session required pam_permit.so" << "\n";
+		stream << "session required pam_unix.so" << "\n";
+		stream << "session optional pam_ck_connector.so nox11" << "\n";
+		if (pamConfig.autocreate_user_directories_enable) {
+			char modestring[8];
+			sprintf(modestring, "%04o", pamConfig.autocreate_user_directories_umask);
+			TQString skelstring;
+			if (pamConfig.autocreate_user_directories_skel != "") {
+				skelstring = " skel=" + pamConfig.autocreate_user_directories_skel;
+			}
+			TQString umaskString;
+			if (pamConfig.autocreate_user_directories_umask != 0) {
+				umaskString = " umask=";
+				umaskString.append(modestring);
+			}
+			stream << "session required pam_mkhomedir.so" << skelstring << umaskString << "\n";
+		}
+		stream << "auth required pam_deny.so" << "\n";
+
+		file3.close();
+	}
+
 	return 0;
 }
 
@@ -3482,4 +3526,14 @@ KerberosTicketInfo::~KerberosTicketInfo() {
 	//
 }
 
+LDAPPamConfig::LDAPPamConfig() {
+	enable_cached_credentials = true;
+	autocreate_user_directories_enable = true;
+	autocreate_user_directories_umask;
+}
+
+LDAPPamConfig::~LDAPPamConfig() {
+	//
+}
+
 #include "libtdeldap.moc"

src/libtdeldap.h

@@ -22,6 +22,7 @@
 #define _LIBTDELDAP_H_
 
 #include <unistd.h>
+#include <sys/stat.h>
 #include <ldap.h>
 
 #include <tqobject.h>
@@ -189,6 +190,20 @@ class LDAPCertConfig
 		TQString emailAddress;
 };
 
+// PRIVATE
+class LDAPPamConfig
+{
+	public:
+		LDAPPamConfig();
+		~LDAPPamConfig();
+
+	public:
+		bool enable_cached_credentials;
+		bool autocreate_user_directories_enable;
+		mode_t autocreate_user_directories_umask;
+		TQString autocreate_user_directories_skel;
+};
+
 // PRIVATE
 class LDAPClientRealmConfig
 {
@@ -207,6 +222,8 @@ class LDAPClientRealmConfig
 		TQString ignoredUsers;
 
 		bool configurationVerifiedForLocalMachine;
+
+		LDAPPamConfig pamConfig;
 };
 
 typedef TQMap<TQString, LDAPRealmConfig> LDAPRealmConfigList;
@@ -461,7 +478,7 @@ class LDAPManager : public TQObject {
 		static int writeLDAPConfFile(LDAPRealmConfig realmcfg, TQString *errstr=0);
 		static int writeNSSwitchFile(TQString *errstr=0);
 		static int writeClientCronFiles(TQString *errstr=0);
-		static int writePAMFiles(TQString *errstr=0);
+		static int writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr=0);
 
 		static int bondRealm(TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0);
 		static int unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0);