| field | value | date |
|---|---|---|
| author | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-05-19 13:49:03 +0300 |
| committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-05-19 14:01:21 +0300 |
| commit | 7636fa3e7b5829adebf003f3150ae14372cdaae5 (patch) | |
| tree | f394870ed1a4c5ea7a2f5cf4debaa91b57f8b856 | |
| parent | 867eaccec7a1324f958d0d86c1a148187212bf6f (diff) | |
| download | pam-modules-7636fa3e7b5829adebf003f3150ae14372cdaae5.tar.gz, pam-modules-7636fa3e7b5829adebf003f3150ae14372cdaae5.tar.bz2 | |
New utility "ldappubkey".
* NEWS: Document new features.
* doc/pam-modules.texi: Document usergitconfig.
* doc/pam_ldaphome.8in: Update.
* examples/ldappubkey: New file.
* examples/usergitconfig: Refer to perldoc on error.
* lib/env.c (gray_env_get_bool): New function.
* lib/graypam.h (gray_env_get_bool): New proto.
* pam_ldaphome/pam_ldaphome.c (import_public_key): Do nothing if
"import-public-keys" is set to "no".
(pam_sm_authenticate): New function.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | NEWS | 11 |
| -rw-r--r-- | doc/pam-modules.texi | 44 |
| -rw-r--r-- | doc/pam_ldaphome.8in | 10 |
| -rwxr-xr-x | examples/ldappubkey | 176 |
| -rwxr-xr-x | examples/usergitconfig | 10 |
| -rw-r--r-- | lib/env.c | 9 |
| -rw-r--r-- | lib/graypam.h | 1 |
| -rw-r--r-- | pam_ldaphome/pam_ldaphome.c | 38 |

8 files changed, 289 insertions, 10 deletions
@@ -1,4 +1,4 @@ | |||
1 | pam-modules -- history of user-visible changes. 2014-05-06 | 1 | pam-modules -- history of user-visible changes. 2014-05-11 |
2 | Copyright (C) 2001, 2004-2005, 2007-2012, 2014 Sergey Poznyakoff | 2 | Copyright (C) 2001, 2004-2005, 2007-2012, 2014 Sergey Poznyakoff |
3 | See the end of file for copying conditions. | 3 | See the end of file for copying conditions. |
4 | 4 | ||
@@ -11,6 +11,15 @@ Version 1.8.92, (Git) | |||
11 | 11 | ||
12 | Tests whether the user is a member of one or more groups. | 12 | Tests whether the user is a member of one or more groups. |
13 | 13 | ||
14 | * pam_ldaphome can invoke an external program | ||
15 | |||
16 | An external program defined with the inirc-command keyword is run | ||
17 | in the newly created user's home directory. It can be used for | ||
18 | per-user customization of the files copied from the skeleton dir. | ||
19 | |||
20 | The examples directory contains a perl program "usergitconfig", which, | ||
21 | when used as inirc-command, initializes the user's .gitconfig file. | ||
22 | |||
14 | * Bugfixes | 23 | * Bugfixes |
15 | 24 | ||
16 | 25 | ||
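Review bot: the NEWS entry omits the two features this commit is actually about, the new "ldappubkey" utility and the "import-public-keys" option; the commit message says "NEWS: Document new features", so add a bullet for each. Also the keyword is spelled "inirc-command" here (new lines 16 and 21) but "initrc-command" in the doc/pam-modules.texi example added in the same patch; one of the two is wrong and will send users looking for a keyword the module does not accept, so make both match the name pam_ldaphome really parses.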
diff --git a/doc/pam-modules.texi b/doc/pam-modules.texi index 87c4d6c..bf101f7 100644 --- a/doc/pam-modules.texi +++ b/doc/pam-modules.texi | |||
@@ -1249,6 +1249,12 @@ Sets the LDAP filter expression to return a user profile. The | |||
1249 | filters as defined in RFC 4515. | 1249 | filters as defined in RFC 4515. |
1250 | @end deffn | 1250 | @end deffn |
1251 | 1251 | ||
1252 | @deffn {pam_ldaphome config} import-public-keys bool | ||
1253 | When set to @samp{no}, disables importing public keys from LDAP. You | ||
1254 | may wish to use this option if you are using @command{openssh} 6.1 or | ||
1255 | later with @command{ldappubkey} as @samp{AuthorizedKeysCommand}. | ||
1256 | @end deffn | ||
1257 | |||
1252 | @deffn {pam_ldaphome config} pubkey-attr text | 1258 | @deffn {pam_ldaphome config} pubkey-attr text |
1253 | Defines the name of the attribute which holds the user public key. | 1259 | Defines the name of the attribute which holds the user public key. |
1254 | @end deffn | 1260 | @end deffn |
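Review bot: the new import-public-keys entry (new lines 1252-1256) gives no default value; readers need to know that leaving it unset keeps the old behaviour of importing keys, so state "Default is yes" explicitly. The version hint is also off: AuthorizedKeysCommand first appeared in OpenSSH 6.2, not 6.1, so "openssh 6.1 or later" should read "openssh 6.2 or later". It would help to say why one would disable importing (the keys are then served live by ldappubkey on each login, so a stale copy in ~/.ssh/authorized_keys would otherwise keep granting access after the LDAP entry changes).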
@@ -1351,6 +1357,7 @@ which case the usual shell dequoting rules apply. | |||
1351 | 1357 | ||
1352 | @menu | 1358 | @menu |
1353 | * ldaphome example:: | 1359 | * ldaphome example:: |
1360 | * usergitconfig:: | ||
1354 | @end menu | 1361 | @end menu |
1355 | 1362 | ||
1356 | @node ldaphome example | 1363 | @node ldaphome example |
@@ -1437,6 +1444,43 @@ passwd: files ldap | |||
1437 | group: files ldap | 1444 | group: files ldap |
1438 | @end example | 1445 | @end example |
1439 | 1446 | ||
1447 | @node usergitconfig | ||
1448 | @section usergitconfig | ||
1449 | @cindex usergitconfig | ||
1450 | |||
1451 | The @file{examples} subdirectory of the @command{pam-modules} | ||
1452 | distribution contains a program @command{usergitconfig} which | ||
1453 | is designed to customize user's @file{.gitconfig} file using | ||
1454 | attributes from his LDAP entry. | ||
1455 | |||
1456 | The command reads the @file{.gitconfig} file and replaces any | ||
1457 | occurrence of @samp{$@{@var{attr}@}} with the value of the LDAP | ||
1458 | attribute @var{attr}. Not defined attributes are replaced with | ||
1459 | empty strings. | ||
1460 | |||
1461 | To use this utility with @command{pam_ldaphome}, copy it to | ||
1462 | some location of preference (say, @file{/usr/libexec}), and | ||
1463 | add the following to @command{pam_ldaphome} configuration file: | ||
1464 | |||
1465 | @example | ||
1466 | skel /etc/skel | ||
1467 | initrc-command /usr/libexec/usergitconfig | ||
1468 | @end example | ||
1469 | |||
1470 | The @file{/etc/skel} directory should contain the file @file{.gitconfig}. | ||
1471 | Suppose its contents is as follows: | ||
1472 | |||
1473 | @example | ||
1474 | [user] | ||
1475 | name = $@{cn@} | ||
1476 | email = $@{mail@} | ||
1477 | @end example | ||
1478 | |||
1479 | @noindent | ||
1480 | Then, after successful completion of @command{pam_ldaphome}, the | ||
1481 | user's @file{.gitconfig} file will contain his real name and email | ||
1482 | set properly from the database. | ||
1483 | |||
1440 | @node umotd | 1484 | @node umotd |
1441 | @chapter pam_umotd | 1485 | @chapter pam_umotd |
1442 | @set MODULE pam_umotd | 1486 | @set MODULE pam_umotd |
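Review bot: the configuration example at new line 1467 uses "initrc-command", while the NEWS hunk in this same patch calls the keyword "inirc-command"; pick the spelling the module parses and use it in both places. The description at new lines 1456-1459 says "${attr}" is replaced with the value of the LDAP attribute, but does not say whether that value is escaped or validated before it is written into .gitconfig; since git parses that file, a value containing a newline or a "[section]" header would be interpreted as further configuration, so either document that usergitconfig sanitizes the value or state that attribute values must come from a trusted directory. Minor wording: "Not defined attributes are replaced with empty strings" reads better as "Undefined attributes are replaced with empty strings", "Suppose its contents is as follows" should be "contents are", and "his" at lines 1454 and 1481 can be "the user's".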
diff --git a/doc/pam_ldaphome.8in b/doc/pam_ldaphome.8in index 6d74e4e..5150849 100644 --- a/doc/pam_ldaphome.8in +++ b/doc/pam_ldaphome.8in | |||
@@ -14,7 +14,7 @@ | |||
14 | .\" You should have received a copy of the GNU General Public License | 14 | .\" You should have received a copy of the GNU General Public License |
15 | .\" along with PAM-Modules. If not, see <http://www.gnu.org/licenses/>. | 15 | .\" along with PAM-Modules. If not, see <http://www.gnu.org/licenses/>. |
16 | .so config.so | 16 | .so config.so |
17 | .TH PAM_LDAPHOME 8 "April 4, 2014" "PAM-MODULES" "Pam-Modules User Reference" | 17 | .TH PAM_LDAPHOME 8 "May 19, 2014" "PAM-MODULES" "Pam-Modules User Reference" |
18 | .SH NAME | 18 | .SH NAME |
19 | pam_ldaphome \- create and populate user home directories | 19 | pam_ldaphome \- create and populate user home directories |
20 | .SH SYNOPSIS | 20 | .SH SYNOPSIS |
@@ -108,6 +108,11 @@ Defines a LDAP filter expression which returns the user profile. The | |||
108 | \fIEXPR\fR should conform to the string representation for search | 108 | \fIEXPR\fR should conform to the string representation for search |
109 | filters as defined in RFC 4515. | 109 | filters as defined in RFC 4515. |
110 | .TP | 110 | .TP |
111 | .BI import\-public\-keys " BOOL" | ||
112 | When set to \fBno\fR, disables importing public keys from LDAP. You | ||
113 | may wish to use this option if you are using \fBopenssh\fR 6.1 or | ||
114 | later with \fBldappubkey\fR as \fBAuthorizedKeysCommand\fR. | ||
115 | .TP | ||
111 | .BI pubkey\-attr " TEXT" | 116 | .BI pubkey\-attr " TEXT" |
112 | Defines the name of the attribute that keeps user's public SSH key. | 117 | Defines the name of the attribute that keeps user's public SSH key. |
113 | .TP | 118 | .TP |
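Review bot: same two points as the texinfo entry for this option: new lines 111-114 should state the default (presumably yes, so that existing installations keep importing keys), and AuthorizedKeysCommand was introduced in OpenSSH 6.2, so "openssh 6.1 or later" should be "6.2 or later".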
@@ -203,7 +208,8 @@ the \fB\-\-enable\-debug\fR option. | |||
203 | \fBaudit\fR | 208 | \fBaudit\fR |
204 | Log auditing information. | 209 | Log auditing information. |
205 | .SH MODULE TYPES PROVIDED | 210 | .SH MODULE TYPES PROVIDED |
206 | .BR auth . | 211 | .BR auth , |
212 | .BR session . | ||
207 | .SH RETURN VALUES | 213 | .SH RETURN VALUES |
208 | .TP | 214 | .TP |
209 | .B PAM_SUCCESS | 215 | .B PAM_SUCCESS |
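Review bot: MODULE TYPES PROVIDED now lists both auth and session (new lines 211-212), and the commit message says pam_sm_authenticate is a new function, but nothing else in the man page hunks describes what the auth entry point does or which of the RETURN VALUES it can produce. Add a sentence to DESCRIPTION (and, if it differs from the session path, to RETURN VALUES) saying whether the auth call creates the home directory, imports keys, or merely returns PAM_SUCCESS, so that administrators can decide which management group to put the module in.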
diff --git a/examples/ldappubkey b/examples/ldappubkey new file mode 100755 index 0000000..2451505 --- /dev/null +++ b/examples/ldappubkey | |||
@@ -0,0 +1,176 @@ | |||
1 | #! /usr/bin/perl | ||
2 | # This file is part of pam-modules. | ||
3 | # Copyright (C) 2014 Sergey Poznyakoff | ||
4 | # | ||
5 | # This program is free software; you can redistribute it and/or modify | ||
6 | # it under the terms of the GNU General Public License as published by | ||
7 | # the Free Software Foundation; either version 3, or (at your option) | ||
8 | # any later version. | ||
9 | # | ||
10 | # This program is distributed in the hope that it will be useful, | ||
11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
13 | # GNU General Public License for more details. | ||
14 | # | ||
15 | # You should have received a copy of the GNU General Public License along | ||
16 | # with this program. If not, see <http://www.gnu.org/licenses/>. | ||
17 | |||
18 | use strict; | ||
19 | use Net::LDAP; | ||
20 | |||
21 | =head1 NAME | ||
22 | |||
23 | ldappubkey - get user public ssh keys from the LDAP database | ||
24 | |||
25 | =head1 SYNOPSIS | ||
26 | |||
27 | B<ldappubkey> I<LOGIN> | ||
28 | |||
29 | =head1 DESCRIPTION | ||
30 | |||
31 | Produces on the standard output public ssh keys for the user I<LOGIN>, each | ||
32 | on a separate line. The program is designed for use with B<sshd>(8) version | ||
33 | 6.x or higher. Public keys are obtained from a LDAP database. The | ||
34 | configuration is looked up in the following files: B</etc/ldap.conf>, | ||
35 | B</etc/ldap/ldap.conf> and B</etc/openldap/ldap.conf>. These files are | ||
36 | tried in this order and the first one of them that exists is read. | ||
37 | |||
38 | The following configuration statements are used (all keywords are | ||
39 | case-insensitive): | ||
40 | |||
41 | =over 4 | ||
42 | |||
43 | =item B<uri> B<ldap[si]://>[I<name>[:I<port>]] ...> | ||
44 | |||
45 | Specifies the URI of the LDAP server (or servers) to connect to. The default | ||
46 | is B<ldap://127.0.0.1>. | ||
47 | |||
48 | =item B<base> I<DN> | ||
49 | |||
50 | Specifies the default base DN to use when performing ldap operations. | ||
51 | The base must be specified as a Distinguished Name in LDAP format. | ||
52 | |||
53 | =item B<binddn> I<DN> | ||
54 | |||
55 | Specifies the default bind DN to use. | ||
56 | |||
57 | =item B<bindpw> I<PASS> | ||
58 | |||
59 | Specifies the password to use with B<binddn>. | ||
60 | |||
61 | =item B<uid> I<ATTR> | ||
62 | |||
63 | Name of the attribute to use instead of B<uid>. The LDAP record is searched | ||
64 | using the filter B<(&(objectClass=posixAccount)(I<ATTR>=I<LOGIN>))>. | ||
65 | |||
66 | =item B<publickeyattribute> I<ATTR> | ||
67 | |||
68 | Name of the attribute which holds the public key. Default is B<grayPublicKey>. | ||
69 | |||
70 | =back | ||
71 | |||
72 | =head1 OPTIONS | ||
73 | |||
74 | =over 4 | ||
75 | |||
76 | =item B<-h> | ||
77 | |||
78 | Show program usage. | ||
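Review bot: the POD documents the search filter as "(&(objectClass=posixAccount)(ATTR=LOGIN))" with LOGIN taken straight from the command line (new lines 63-64); make sure the value is passed through Net::LDAP::Util::escape_filter_value before interpolation, since a login containing "*", "(" or ")" would otherwise alter the filter, and say so in the POD. The bindpw statement (new lines 57-59) reads a bind password from /etc/ldap.conf, which on most systems is world-readable; the DESCRIPTION should warn that the file must be protected (or a separate mode-0600 file used) if a bind password is configured. The version statement "sshd(8) version 6.x or higher" at new lines 32-33 is too loose: AuthorizedKeysCommand exists from OpenSSH 6.2, and sshd requires the command to be root-owned, not group- or world-writable, given by absolute path, and run as the user named by AuthorizedKeysCommandUser; a short sshd_config example would save readers a trip to sshd_config(5). Finally, the POD at new line 43 has a stray closing ">" in "B<ldap[si]://>[I<name>[:I<port>]] ...>".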