author | Timothy Pearson <[email protected]> | 2013-04-12 10:21:45 -0500 |
committer | Timothy Pearson <[email protected]> | 2013-04-12 10:21:45 -0500 |
commit | 98d9e442c41b0951d2035f43ddc7553a5dffee1b (patch) | |
tree | 1a06b6b017442ea31ea3b5a75cd559356a703e14 /src/libtdeldap.cpp | |
parent | 52d15ff7179f2b53b82a086a52a06fbb6b6d68c3 (diff) | |
download | libtdeldap-98d9e442c41b0951d2035f43ddc7553a5dffee1b.tar.gz libtdeldap-98d9e442c41b0951d2035f43ddc7553a5dffee1b.zip |
Add ability to control PAM options including credential caching and home directory creation
Diffstat (limited to 'src/libtdeldap.cpp')
-rw-r--r-- | src/libtdeldap.cpp | 60 |
1 files changed, 57 insertions, 3 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 0354fb4..417bc46 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -63,6 +63,7 @@
 #define PAMD_DIRECTORY "/etc/pam.d/"
 #define PAMD_COMMON_ACCOUNT "common-account"
 #define PAMD_COMMON_AUTH "common-auth"
+#define PAMD_COMMON_SESSION "common-session"
 #define LDAP_FILE "/etc/ldap/ldap.conf"
 #define LDAP_SECONDARY_FILE "/etc/ldap.conf"
@@ -3073,6 +3074,11 @@ LDAPClientRealmConfig LDAPManager::loadClientRealmConfig(KSimpleConfig* config,
 	clientRealmConfig.passwordHash = config->readEntry("ConnectionPasswordHash", "exop");
 	clientRealmConfig.ignoredUsers = config->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST);
 
+	clientRealmConfig.pamConfig.enable_cached_credentials = config->readBoolEntry("EnableCachedCredentials", true);
+	clientRealmConfig.pamConfig.autocreate_user_directories_enable = config->readBoolEntry("EnableAutoUserDir", true);
+	clientRealmConfig.pamConfig.autocreate_user_directories_umask = config->readNumEntry("AutoUserDirUmask", 0022);
+	clientRealmConfig.pamConfig.autocreate_user_directories_skel = config->readEntry("AutoUserDirSkelDir", "/etc/skel");
+
 	return clientRealmConfig;
 }
 
@@ -3096,6 +3102,11 @@ int LDAPManager::saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig,
 	config->writeEntry("ConnectionPasswordHash", clientRealmConfig.passwordHash);
 	config->writeEntry("ConnectionIgnoredUsers", clientRealmConfig.ignoredUsers);
 
+	config->writeEntry("EnableCachedCredentials", clientRealmConfig.pamConfig.enable_cached_credentials);
+	config->writeEntry("EnableAutoUserDir", clientRealmConfig.pamConfig.autocreate_user_directories_enable);
+	config->writeEntry("AutoUserDirUmask", clientRealmConfig.pamConfig.autocreate_user_directories_umask);
+	config->writeEntry("AutoUserDirSkelDir", clientRealmConfig.pamConfig.autocreate_user_directories_skel);
+
 	return 0;
 }
 
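Review bot: The umask round-trip between loadClientRealmConfig and saveClientRealmConfig mixes radixes: the default `0022` is an octal C++ literal (decimal 18), writeEntry stores that int as the decimal text "18", and readNumEntry presumably parses decimal, so an administrator who edits the file by hand and writes `0022` gets decimal 22, which is octal 026 rather than the intended 022. Storing the value as octal text avoids the confusion, e.g. `config->writeEntry("AutoUserDirUmask", TQString::number(clientRealmConfig.pamConfig.autocreate_user_directories_umask, 8));` on save and `config->readEntry("AutoUserDirUmask", "022").toInt(0, 8)` on load. Neither side range-checks the value; masking it with `& 0777` on load keeps anything out of range from reaching the generated PAM file. Both functions start outside their hunks.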
@@ -3177,7 +3188,7 @@ int LDAPManager::writeNSSwitchFile(TQString *errstr) {
 	return 0;
 }
 
-int LDAPManager::writePAMFiles(TQString *errstr) {
+int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
 	TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT);
 	if (file.open(IO_WriteOnly)) {
 		TQTextStream stream( &file );
@@ -3202,13 +3213,46 @@ int LDAPManager::writePAMFiles(TQString *errstr) {
 		stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n";
 		stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
 		stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
-		stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
-		stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
+		if (pamConfig.enable_cached_credentials) {
+			stream << "auth [default=bad success=ok] pam_ccreds.so action=validate use_first_pass" << "\n";
+			stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
+		}
 		stream << "auth required pam_deny.so" << "\n";
 
 		file2.close();
 	}
 
+	TQFile file3(PAMD_DIRECTORY PAMD_COMMON_SESSION);
+	if (file3.open(IO_WriteOnly)) {
+		TQTextStream stream( &file3 );
+
+		stream << "# This file was automatically generated by TDE\n";
+		stream << "# All changes will be lost!\n";
+		stream << "\n";
+		stream << "session [default=1] pam_permit.so" << "\n";
+		stream << "session requisite pam_deny.so" << "\n";
+		stream << "session required pam_permit.so" << "\n";
+		stream << "session required pam_unix.so" << "\n";
+		stream << "session optional pam_ck_connector.so nox11" << "\n";
+		if (pamConfig.autocreate_user_directories_enable) {
+			char modestring[8];
+			sprintf(modestring, "%04o", pamConfig.autocreate_user_directories_umask);
+			TQString skelstring;
+			if (pamConfig.autocreate_user_directories_skel != "") {
+				skelstring = " skel=" + pamConfig.autocreate_user_directories_skel;
+			}
+			TQString umaskString;
+			if (pamConfig.autocreate_user_directories_umask != 0) {
+				umaskString = " umask=";
+				umaskString.append(modestring);
+			}
+			stream << "session required pam_mkhomedir.so" << skelstring << umaskString << "\n";
+		}
+		stream << "auth required pam_deny.so" << "\n";
+
+		file3.close();
+	}
+
 	return 0;
 }
 
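Review bot: `sprintf(modestring, "%04o", ...)` into `char modestring[8]` can overflow: the umask arrives from the config file through readNumEntry with no range check, and a negative value or one above 07777777 prints more than seven octal digits, so a malformed `AutoUserDirUmask` entry corrupts the stack while a root-owned PAM file is being written. Use `snprintf(modestring, sizeof(modestring), "%04o", pamConfig.autocreate_user_directories_umask & 0777);`, which also bounds the value to a valid mode. The skel path is concatenated unchecked as well; a value containing whitespace or a newline turns into extra module arguments or an extra PAM line, so the option should be skipped (or the value rejected) when `pamConfig.autocreate_user_directories_skel.contains(' ')` or it contains a newline. The closing `auth required pam_deny.so` written into common-session looks like a copy of the common-auth ending; a session file should not carry an auth rule, and the line is presumably meant to be dropped. writePAMFiles begins outside this hunk.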
@@ -3482,4 +3526,14 @@ KerberosTicketInfo::~KerberosTicketInfo() {
 	//
 }
 
+LDAPPamConfig::LDAPPamConfig() {
+	enable_cached_credentials = true;
+	autocreate_user_directories_enable = true;
+	autocreate_user_directories_umask;
+}
+
+LDAPPamConfig::~LDAPPamConfig() {
+	//
+}
+
 #include "libtdeldap.moc"
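Review bot: `autocreate_user_directories_umask;` in LDAPPamConfig::LDAPPamConfig() is an expression statement with no effect, so the member is left uninitialized; a default-constructed LDAPPamConfig passed to writePAMFiles then feeds an indeterminate value to the `%04o` sprintf and to the `!= 0` check that decides whether a `umask=` argument is emitted. The line should read `autocreate_user_directories_umask = 0022;`, matching the default loadClientRealmConfig uses, and `autocreate_user_directories_skel = "/etc/skel";` deserves the same treatment so the two defaults agree. Building with -Wunused-value would have flagged the no-op statement.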