New utility "ldappubkey".

* NEWS: Document new features.
* doc/pam-modules.texi: Document usergitconfig.
* doc/pam_ldaphome.8in: Update.
* examples/ldappubkey: New file.
* examples/usergitconfig: Refer to perldoc on error.
* lib/env.c (gray_env_get_bool): New function.
* lib/graypam.h (gray_env_get_bool): New proto.
* pam_ldaphome/pam_ldaphome.c (import_public_key): Do nothing if
"import-public-keys" is set to "no".
(pam_sm_authenticate): New function.

8 files changed, 289 insertions, 10 deletions

diff --git a/NEWS b/NEWS
index 200204a..8406bd1 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,4 @@
-pam-modules -- history of user-visible changes. 2014-05-06
+pam-modules -- history of user-visible changes. 2014-05-11
 Copyright (C) 2001, 2004-2005, 2007-2012, 2014 Sergey Poznyakoff
 See the end of file for copying conditions.
 
@@ -11,6 +11,15 @@ Version 1.8.92, (Git)
 
 Tests whether the user is a member of one or more groups.
 
+* pam_ldaphome can invoke an external program
+
+An external program defined with the inirc-command keyword is run
+in the newly created user's home directory.  It can be used for
+per-user customization of the files copied from the skeleton dir.
+
+The examples directory contains a perl program "usergitconfig", which,
+when used as inirc-command, initializes the user's .gitconfig file.
+
 * Bugfixes
 
 
diff --git a/doc/pam-modules.texi b/doc/pam-modules.texi
index 87c4d6c..bf101f7 100644
--- a/doc/pam-modules.texi
+++ b/doc/pam-modules.texi
@@ -1249,6 +1249,12 @@ Sets the LDAP filter expression to return a user profile.  The
 filters as defined in RFC 4515.
 @end deffn
 
+@deffn {pam_ldaphome config} import-public-keys bool
+When set to @samp{no}, disables importing public keys from LDAP.  You
+may wish to use this option if you are using @command{openssh} 6.1 or
+later with @command{ldappubkey} as @samp{AuthorizedKeysCommand}.
+@end deffn
+
 @deffn {pam_ldaphome config} pubkey-attr text
 Defines the name of the attribute which holds the user public key.
 @end deffn
@@ -1351,6 +1357,7 @@ which case the usual shell dequoting rules apply.
 
 @menu
 * ldaphome example::
+* usergitconfig::
 @end menu
 
 @node ldaphome example
@@ -1437,6 +1444,43 @@ passwd:         files ldap
 group:          files ldap
 @end example
 
+@node usergitconfig
+@section usergitconfig
+@cindex usergitconfig
+
+The @file{examples} subdirectory of the @command{pam-modules}
+distribution contains a program @command{usergitconfig} which
+is designed to customize user's @file{.gitconfig} file using
+attributes from his LDAP entry.
+
+The command reads the @file{.gitconfig} file and replaces any
+occurrence of @samp{$@{@var{attr}@}} with the value of the LDAP
+attribute @var{attr}.  Not defined attributes are replaced with
+empty strings.
+
+To use this utility with @command{pam_ldaphome}, copy it to
+some location of preference (say, @file{/usr/libexec}), and
+add the following to @command{pam_ldaphome} configuration file:
+
+@example
+skel /etc/skel
+initrc-command /usr/libexec/usergitconfig
+@end example
+
+The @file{/etc/skel} directory should contain the file @file{.gitconfig}.
+Suppose its contents is as follows:
+
+@example
+[user]
+        name = $@{cn@}
+        email = $@{mail@}
+@end example
+
+@noindent
+Then, after successful completion of @command{pam_ldaphome}, the
+user's @file{.gitconfig} file will contain his real name and email
+set properly from the database.
+
 @node umotd
 @chapter pam_umotd
 @set MODULE pam_umotd
diff --git a/doc/pam_ldaphome.8in b/doc/pam_ldaphome.8in
index 6d74e4e..5150849 100644
--- a/doc/pam_ldaphome.8in
+++ b/doc/pam_ldaphome.8in
@@ -14,7 +14,7 @@
 .\" You should have received a copy of the GNU General Public License
 .\" along with PAM-Modules.  If not, see <http://www.gnu.org/licenses/>.
 .so config.so
-.TH PAM_LDAPHOME 8 "April 4, 2014" "PAM-MODULES" "Pam-Modules User Reference"
+.TH PAM_LDAPHOME 8 "May 19, 2014" "PAM-MODULES" "Pam-Modules User Reference"
 .SH NAME
 pam_ldaphome \- create and populate user home directories
 .SH SYNOPSIS
@@ -108,6 +108,11 @@ Defines a LDAP filter expression which returns the user profile.  The
 \fIEXPR\fR should conform to the string representation for search
 filters as defined in RFC 4515.
 .TP
+.BI import\-public\-keys " BOOL"
+When set to \fBno\fR, disables importing public keys from LDAP.  You
+may wish to use this option if you are using \fBopenssh\fR 6.1 or
+later with \fBldappubkey\fR as \fBAuthorizedKeysCommand\fR.
+.TP
 .BI pubkey\-attr " TEXT"
 Defines the name of the attribute that keeps user's public SSH key.
 .TP
@@ -203,7 +208,8 @@ the \fB\-\-enable\-debug\fR option.
 \fBaudit\fR
 Log auditing information.
 .SH MODULE TYPES PROVIDED
-.BR auth .
+.BR auth ,
+.BR session .
 .SH RETURN VALUES
 .TP
 .B PAM_SUCCESS
diff --git a/examples/ldappubkey b/examples/ldappubkey
new file mode 100755
index 0000000..2451505
--- /dev/null
+++ b/examples/ldappubkey
@@ -0,0 +1,176 @@
+#! /usr/bin/perl
+# This file is part of pam-modules.
+# Copyright (C) 2014 Sergey Poznyakoff
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+use strict;
+use Net::LDAP;
+
+=head1 NAME
+
+ldappubkey - get user public ssh keys from the LDAP database
+
+=head1 SYNOPSIS
+
+B<ldappubkey> I<LOGIN>
+
+=head1 DESCRIPTION
+
+Produces on the standard output public ssh keys for the user I<LOGIN>, each
+on a separate line.  The program is designed for use with B<sshd>(8) version
+6.x or higher.  Public keys are obtained from a LDAP database.  The
+configuration is looked up in the following files: B</etc/ldap.conf>,
+B</etc/ldap/ldap.conf> and B</etc/openldap/ldap.conf>.  These files are
+tried in this order and the first one of them that exists is read.
+
+The following configuration statements are used (all keywords are
+case-insensitive):
+
+=over 4
+
+=item B<uri> B<ldap[si]://>[I<name>[:I<port>]] ...>
+
+Specifies the URI of the LDAP server (or servers) to connect to.  The default
+is B<ldap://127.0.0.1>.    
+    
+=item B<base> I<DN>
+
+Specifies the default base DN to use when performing ldap operations.
+The base must be specified as a Distinguished Name in LDAP format.
+
+=item B<binddn> I<DN>
+
+Specifies the default bind DN to use.
+
+=item B<bindpw> I<PASS>
+
+Specifies the password to use with B<binddn>.    
+
+=item B<uid> I<ATTR>
+
+Name of the attribute to use instead of B<uid>.  The LDAP record is searched
+using the filter B<(&(objectClass=posixAccount)(I<ATTR>=I<LOGIN>))>.
+
+=item B<publickeyattribute> I<ATTR>
+
+Name of the attribute which holds the public key.  Default is B<grayPublicKey>.
+    
+=back
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-h>
+
+Show program usage.