field | value | date
---|---|---
author | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-07-25 15:09:33 +0300
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-07-25 15:37:28 +0300
commit | b4a27a9c7afc21d7a4895cddc5c182c3349f1f11 (patch) |
tree | 9808605942a1c52af52fcb9c3cdbe14925bd370b |
parent | c1059e03983d704ea79cf97d9cffb2cbaa79bcae (diff) |
download | pam-modules-b4a27a9c7afc21d7a4895cddc5c182c3349f1f11.tar.gz, pam-modules-b4a27a9c7afc21d7a4895cddc5c182c3349f1f11.tar.bz2 |
pam_ldaphome: read /etc/ldap.conf file.
* lib/env.c (gray_env_read_tr): New function.
(gray_env_read): Rewrite using gray_env_read_tr.
(gray_env_merge): New function.
* lib/escape.c (gray_escape_string): Remove useless typecasts.
* lib/graypam.h (gray_env_read_tr)
(gray_env_merge): New protos.
* pam_ldaphome/pam_ldaphome.c (ldap_config_name): New variable.
(ldap_connect): Use 'ssl' keyword, if 'tls' is not defined.
(ldaphome_main): New keyword ldap-config
* doc/pam-modules.texi: Document reading system-wide ldap.conf
* doc/pam_ldaphome.8in: Likewise.
mode | file | lines changed
---|---|---
-rw-r--r-- | doc/pam-modules.texi | 179
-rw-r--r-- | doc/pam_ldaphome.8in | 28
-rw-r--r-- | lib/env.c | 58
-rw-r--r-- | lib/escape.c | 8
-rw-r--r-- | lib/graypam.h | 2
-rw-r--r-- | pam_ldaphome/pam_ldaphome.c | 75
6 files changed, 249 insertions, 101 deletions
diff --git a/doc/pam-modules.texi b/doc/pam-modules.texi index 12c58cd..57242cf 100644 --- a/doc/pam-modules.texi +++ b/doc/pam-modules.texi | |||
@@ -1179,36 +1179,45 @@ Read configuration from @var{file}. Default is | |||
1179 | @file{pam_ldaphome.conf} in @var{sysconfdir}. | 1179 | @file{pam_ldaphome.conf} in @var{sysconfdir}. |
1180 | @end table | 1180 | @end table |
1181 | 1181 | ||
1182 | Actual module configuration is read from the configuration file, which | 1182 | Actual module configuration is read from the configuration file. |
1183 | has the same syntax as described in @ref{config, SQL configuration | ||
1184 | file}. The following keywords are defined: | ||
1185 | 1183 | ||
1186 | @deffn {pam_ldaphome config} allow-home-dir @var{path} | 1184 | @menu |
1187 | If present, this option controls where @command{pam_ldaphome} should | 1185 | * ldaphome config:: |
1188 | try to create home directories. Its value is a list of directories | 1186 | * ldaphome example:: |
1189 | separated by colons. The user's home directory will be created only | 1187 | * ldappubkey:: |
1190 | if the directory part of its name is listed in @var{path}. | 1188 | * usergitconfig:: |
1191 | @end deffn | 1189 | @end menu |
1192 | 1190 | ||
1193 | @deffn {pam_ldaphome config} skel @var{dir} | 1191 | @node ldaphome config |
1194 | Supplies the name of a @dfn{skeleton directory}. The contents of this | 1192 | @section Configuration file for @command{pam_ldaphome} |
1195 | directory is copied to the newly created user home directory. The | ||
1196 | file modes and permissions are preserved. | ||
1197 | @end deffn | ||
1198 | 1193 | ||
1199 | @deffn {pam_ldaphome config} uri @var{arg} | 1194 | @command{Pam_ldaphome} reads its configuration from two files: the |
1200 | Sets the URI of the LDAP server to consult for the user profile. | 1195 | configuration file supplied with the @command{config} command line |
1201 | Example: | 1196 | option and the system-wide LDAP configuration file |
1197 | @file{/etc/ldap.conf}. | ||
1202 | 1198 | ||
1203 | @example | 1199 | The syntax of the former is described in @ref{config, SQL configuration |
1204 | uri ldap://127.0.0.1/ | 1200 | file}. Allowed keywords are discussed below. |
1205 | @end example | ||
1206 | @end deffn | ||
1207 | 1201 | ||
1208 | @deffn {pam_ldaphome config} ldap-version @var{v} | 1202 | The syntax of the @file{/etc/ldap.conf} configuration file is |
1209 | Sets the LDAP version to use. Valid values for @var{v} are @samp{2} | 1203 | described in @ref{ldap.conf,,LDAP configuration file,ldap.conf(5), |
1210 | and @samp{3} (the default). | 1204 | ldap.conf(5) manpage}. Its parsing can be suppressed using the |
1211 | @end deffn | 1205 | @command{ldap-config} statement (see below). |
1206 | |||
1207 | From @file{/etc/ldap.conf}, the following statements are used: | ||
1208 | @samp{base}, @samp{binddn}, @samp{bindpw}, @samp{tls_cacert}, | ||
1209 | @samp{uri}. The @samp{ssl} statement is understood if its value is | ||
1210 | @samp{start_tls} or @samp{off}. Other values are silently ignored. | ||
1211 | |||
1212 | In general, all statements defined below can appear in both files. | ||
1213 | However, since @file{/etc/ldap.conf} is read by other system utilities | ||
1214 | as well, we do not recomment using @command{pam_ldaphome}-specific | ||
1215 | keywords in it. | ||
1216 | |||
1217 | The values read from @command{pam_ldaphome} configuration file | ||
1218 | override those obtained from the standard LDAP configuration file. | ||
1219 | |||
1220 | @subheading LDAP configuration | ||
1212 | 1221 | ||
1213 | @deffn {pam_ldaphome config} base @var{searchbase} | 1222 | @deffn {pam_ldaphome config} base @var{searchbase} |
1214 | Use @var{searchbase} as the starting point for the search instead of | 1223 | Use @var{searchbase} as the starting point for the search instead of |
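Review bot: "The @samp{ssl} statement is understood if its value is @samp{start_tls} or @samp{off}. Other values are silently ignored." (lines 1209-1210) documents a footgun: an administrator who has @samp{ssl on} in /etc/ldap.conf to get an encrypted session will have that line dropped without any diagnostic, and the connection will be whatever the @samp{uri} and @samp{tls} settings give. Either have the module log a warning for unrecognised @samp{ssl} values, or at least say here in so many words that @samp{ssl on} is not honoured and that an encrypted connection then requires an @samp{ldaps://} uri or @samp{tls yes} in the module configuration. Two smaller points in the same hunk: "we do not recomment" (line 1214) should read "we do not recommend", and the command-line option is written as @command{config} (line 1195) where Texinfo's @option{config} is the usual markup for an option.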
@@ -1237,6 +1246,27 @@ password for simple authentication. | |||
1237 | Read password for simple authentication from @var{file}. | 1246 | Read password for simple authentication from @var{file}. |
1238 | @end deffn | 1247 | @end deffn |
1239 | 1248 | ||
1249 | @deffn {pam_ldaphome config} filter @var{expr} | ||
1250 | Sets the LDAP filter expression to return a user profile. The | ||
1251 | @var{expr} should conform to the string representation for search | ||
1252 | filters as defined in RFC 4515. | ||
1253 | @end deffn | ||
1254 | |||
1255 | @deffn {pam_ldaphome config} ldap-config @var{file} | ||
1256 | Read LDAP configuration from @var{file} (default -- | ||
1257 | @file{/etc/ldap.conf}). Special value @samp{none} disables this | ||
1258 | feature. | ||
1259 | @end deffn | ||
1260 | |||
1261 | @deffn {pam_ldaphome config} ldap-version @var{v} | ||
1262 | Sets the LDAP version to use. Valid values for @var{v} are @samp{2} | ||
1263 | and @samp{3} (the default). | ||
1264 | @end deffn | ||
1265 | |||
1266 | @deffn {pam_ldaphome config} pubkey-attr @var{text} | ||
1267 | Defines the name of the attribute which holds the user public key. | ||
1268 | @end deffn | ||
1269 | |||
1240 | @deffn {pam_ldaphome config} tls @var{val} | 1270 | @deffn {pam_ldaphome config} tls @var{val} |
1241 | Controls whether TLS is desired or required. If @var{val} is | 1271 | Controls whether TLS is desired or required. If @var{val} is |
1242 | @samp{no} (the default), TLS will not be used. If it is @samp{yes}, | 1272 | @samp{no} (the default), TLS will not be used. If it is @samp{yes}, |
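Review bot: The @samp{tls} entry (lines 1270-1272) still says "@samp{no} (the default)" without mentioning the new fallback: per the commit message, ldap_connect now uses the @samp{ssl} keyword when @samp{tls} is not defined, so the effective default depends on /etc/ldap.conf. Suggest adding a sentence such as "If @samp{tls} is not set, the @samp{ssl} statement from /etc/ldap.conf (@samp{start_tls} or @samp{off}) is used; TLS is off only if neither is present." The new @samp{ldap-config} entry (lines 1255-1258) should also say whether a missing @var{file} is an error or is skipped silently, and that the statement is only meaningful in the module's own configuration file, since by the time /etc/ldap.conf is being parsed it is too late to suppress it.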
@@ -1247,41 +1277,27 @@ mandatory, and the module will not establish LDAP connection unless | |||
1247 | @end deffn | 1277 | @end deffn |
1248 | 1278 | ||
1249 | @deffn {pam_ldaphome config} tls-cacert @var{val} | 1279 | @deffn {pam_ldaphome config} tls-cacert @var{val} |
1280 | @deffnx {pam_ldaphome config} tls_cacert @var{val} | ||
1250 | Full pathname to the CA certificate file. Used if TLS is enabled. | 1281 | Full pathname to the CA certificate file. Used if TLS is enabled. |
1282 | The second form (@samp{tls_cacert}) is for use in | ||
1283 | @file{/etc/ldap.conf} file. | ||
1251 | @end deffn | 1284 | @end deffn |
1252 | 1285 | ||
1253 | @deffn {pam_ldaphome config} min-uid @var{n} | 1286 | @deffn {pam_ldaphome config} uri @var{arg} |
1254 | Sets the minimal UID. For users with UIDs less than @var{n}, | 1287 | Sets the URI of the LDAP server to consult for the user profile. |
1255 | @command{pam_ldaphome} returns PAM_SUCCESS immediately. This allows | 1288 | Example: |
1256 | you to have a set of basic users whose credentials are kept in the | ||
1257 | system database and who will not be disturbed by | ||
1258 | @command{pam_ldaphome}. See also @samp{min-gid} and | ||
1259 | @samp{allow-groups}. | ||
1260 | @end deffn | ||
1261 | |||
1262 | @deffn {pam_ldaphome config} min-gid @var{n} | ||
1263 | Sets the minimal GID. For users with GIDs less than @var{n}, | ||
1264 | @command{pam_ldaphome} returns PAM_SUCCESS immediately. | ||
1265 | @end deffn | ||
1266 | |||
1267 | @deffn {pam_ldaphome config} allow-groups @var{group} [@var{group}...] | ||
1268 | Only handle members of the listed groups. | ||
1269 | @end deffn | ||
1270 | |||
1271 | @deffn {pam_ldaphome config} filter @var{expr} | ||
1272 | Sets the LDAP filter expression to return a user profile. The | ||
1273 | @var{expr} should conform to the string representation for search | ||
1274 | filters as defined in RFC 4515. | ||
1275 | @end deffn | ||
1276 | 1289 | ||
1277 | @deffn {pam_ldaphome config} import-public-keys @var{bool} | 1290 | @example |
1278 | When set to @samp{no}, disables importing public keys from LDAP. You | 1291 | uri ldap://127.0.0.1/ |
1279 | may wish to use this option if you are using @command{openssh} 6.1 or | 1292 | @end example |
1280 | later with @command{ldappubkey} as @samp{AuthorizedKeysCommand}. | ||
1281 | @end deffn | 1293 | @end deffn |
1282 | 1294 | ||
1283 | @deffn {pam_ldaphome config} pubkey-attr @var{text} | 1295 | @subheading Home directory creation |
1284 | Defines the name of the attribute which holds the user public key. | 1296 | @deffn {pam_ldaphome config} allow-home-dir @var{path} |
1297 | If present, this option controls where @command{pam_ldaphome} should | ||
1298 | try to create home directories. Its value is a list of directories | ||
1299 | separated by colons. The user's home directory will be created only | ||
1300 | if the directory part of its name is listed in @var{path}. | ||
1285 | @end deffn | 1301 | @end deffn |
1286 | 1302 | ||
1287 | @deffn {pam_ldaphome config} copy-buf-size @var{n} | 1303 | @deffn {pam_ldaphome config} copy-buf-size @var{n} |
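Review bot: The @deffnx form @samp{tls_cacert} (lines 1280-1283) is described as "for use in /etc/ldap.conf", but ldap.conf(5) spells the keyword @samp{TLS_CACERT}; say whether the match is case-insensitive, otherwise readers copying the upper-case form from their existing file will not know if it is picked up. Style: @subheading Home directory creation (line 1295) runs directly into the following @deffn, whereas @subheading LDAP configuration in the first hunk is followed by a blank line; keep the two consistent.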
@@ -1293,10 +1309,13 @@ directory to the newly created home. The default size is 16384 bytes. | |||
1293 | Sets the mode (octal) for the created user directories. | 1309 | Sets the mode (octal) for the created user directories. |
1294 | @end deffn | 1310 | @end deffn |
1295 | 1311 | ||
1296 | @deffn {pam_ldaphome config} keyfile-mode @var{mode} | 1312 | @deffn {pam_ldaphome config} skel @var{dir} |
1297 | Sets the mode (octal) for the created authorized keys file. | 1313 | Supplies the name of a @dfn{skeleton directory}. The contents of this |
1314 | directory is copied to the newly created user home directory. The | ||
1315 | file modes and permissions are preserved. | ||
1298 | @end deffn | 1316 | @end deffn |
1299 | 1317 | ||
1318 | @subheading Authorized keys file | ||
1300 | @deffn {pam_ldaphome config} authorized_keys @var{name} | 1319 | @deffn {pam_ldaphome config} authorized_keys @var{name} |
1301 | Sets the pathname (relative to the home directory) for the authorized | 1320 | Sets the pathname (relative to the home directory) for the authorized |
1302 | keys file. The default is @samp{.ssh/authorized_keys}. For normal | 1321 | keys file. The default is @samp{.ssh/authorized_keys}. For normal |
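Review bot: The moved @samp{skel} text (lines 1313-1315) still carries the pre-existing agreement error "The contents of this directory is copied"; since the lines are being rewritten anyway, make it "are copied". As in the previous hunk, @subheading Authorized keys file (line 1318) has no blank line before the @deffn that follows it.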
@@ -1305,11 +1324,47 @@ operation, this value must be the same as the value of | |||
1305 | change the latter, there's no need to edit it. | 1324 | change the latter, there's no need to edit it. |
1306 | @end deffn | 1325 | @end deffn |
1307 | 1326 | ||
1327 | @deffn {pam_ldaphome config} import-public-keys @var{bool} | ||
1328 | When set to @samp{no}, disables importing public keys from LDAP. You | ||
1329 | may wish to use this option if you are using @command{openssh} 6.1 or | ||
1330 | later with @command{ldappubkey} as @samp{AuthorizedKeysCommand}. | ||
1331 | @end deffn | ||
1332 | |||
1333 | @deffn {pam_ldaphome config} keyfile-mode @var{mode} | ||
1334 | Sets the mode (octal) for the created authorized keys file. | ||
1335 | @end deffn | ||
1336 | |||
1337 | @subheading Access control | ||
1338 | @deffn {pam_ldaphome config} allow-groups @var{group} [@var{group}...] | ||
1339 | Only handle members of the listed groups. | ||
1340 | @end deffn | ||
1341 | |||
1342 | @deffn {pam_ldaphome config} min-gid @var{n} | ||
1343 | Sets the minimal GID. For users with GIDs less than @var{n}, | ||
1344 | @command{pam_ldaphome} returns PAM_SUCCESS immediately. | ||
1345 | @end deffn | ||
1346 | |||
1347 | @deffn {pam_ldaphome config} min-uid @var{n} | ||
1348 | Sets the minimal UID. For users with UIDs less than @var{ |
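Review bot: @samp{keyfile-mode} (lines 1333-1335) and the neighbouring directory-mode entry give no default value, so a reader cannot tell what permissions the created authorized keys file gets unless they set it explicitly; state the default here (0600 is the mode sshd expects for that file). @subheading Access control (line 1337) has the same missing blank line before its first @deffn as the other new subheadings.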