diff options
| author | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-07-25 15:09:33 +0300 |
|---|---|---|
| committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-07-25 15:37:28 +0300 |
| commit | b4a27a9c7afc21d7a4895cddc5c182c3349f1f11 (patch) | |
| tree | 9808605942a1c52af52fcb9c3cdbe14925bd370b | |
| parent | c1059e03983d704ea79cf97d9cffb2cbaa79bcae (diff) | |
| download | pam-modules-b4a27a9c7afc21d7a4895cddc5c182c3349f1f11.tar.gz pam-modules-b4a27a9c7afc21d7a4895cddc5c182c3349f1f11.tar.bz2 | |
pam_ldaphome: read /etc/ldap.conf file.
* lib/env.c (gray_env_read_tr): New function.
(gray_env_read): Rewrite using gray_env_read_tr.
(gray_env_merge): New function.
* lib/escape.c (gray_escape_string): Remove useless typecasts.
* lib/graypam.h (gray_env_read_tr)
(gray_env_merge): New protos.
* pam_ldaphome/pam_ldaphome.c (ldap_config_name): New variable.
(ldap_connect): Use 'ssl' keyword, if 'tls' is not defined.
(ldaphome_main): New keyword ldap-config
* doc/pam-modules.texi: Document reading system-wide ldap.conf
* doc/pam_ldaphome.8in: Likewise.
| -rw-r--r-- | doc/pam-modules.texi | 179 | ||||
| -rw-r--r-- | doc/pam_ldaphome.8in | 28 | ||||
| -rw-r--r-- | lib/env.c | 58 | ||||
| -rw-r--r-- | lib/escape.c | 8 | ||||
| -rw-r--r-- | lib/graypam.h | 2 | ||||
| -rw-r--r-- | pam_ldaphome/pam_ldaphome.c | 75 |
6 files changed, 249 insertions, 101 deletions
diff --git a/doc/pam-modules.texi b/doc/pam-modules.texi index 12c58cd..57242cf 100644 --- a/doc/pam-modules.texi +++ b/doc/pam-modules.texi | |||
| @@ -1179,36 +1179,45 @@ Read configuration from @var{file}. Default is | |||
| 1179 | @file{pam_ldaphome.conf} in @var{sysconfdir}. | 1179 | @file{pam_ldaphome.conf} in @var{sysconfdir}. |
| 1180 | @end table | 1180 | @end table |
| 1181 | 1181 | ||
| 1182 | Actual module configuration is read from the configuration file, which | 1182 | Actual module configuration is read from the configuration file. |
| 1183 | has the same syntax as described in @ref{config, SQL configuration | ||
| 1184 | file}. The following keywords are defined: | ||
| 1185 | 1183 | ||
| 1186 | @deffn {pam_ldaphome config} allow-home-dir @var{path} | 1184 | @menu |
| 1187 | If present, this option controls where @command{pam_ldaphome} should | 1185 | * ldaphome config:: |
| 1188 | try to create home directories. Its value is a list of directories | 1186 | * ldaphome example:: |
| 1189 | separated by colons. The user's home directory will be created only | 1187 | * ldappubkey:: |
| 1190 | if the directory part of its name is listed in @var{path}. | 1188 | * usergitconfig:: |
| 1191 | @end deffn | 1189 | @end menu |
| 1192 | 1190 | ||
| 1193 | @deffn {pam_ldaphome config} skel @var{dir} | 1191 | @node ldaphome config |
| 1194 | Supplies the name of a @dfn{skeleton directory}. The contents of this | 1192 | @section Configuration file for @command{pam_ldaphome} |
| 1195 | directory is copied to the newly created user home directory. The | ||
| 1196 | file modes and permissions are preserved. | ||
| 1197 | @end deffn | ||
| 1198 | 1193 | ||
| 1199 | @deffn {pam_ldaphome config} uri @var{arg} | 1194 | @command{Pam_ldaphome} reads its configuration from two files: the |
| 1200 | Sets the URI of the LDAP server to consult for the user profile. | 1195 | configuration file supplied with the @command{config} command line |
| 1201 | Example: | 1196 | option and the system-wide LDAP configuration file |
| 1197 | @file{/etc/ldap.conf}. | ||
| 1202 | 1198 | ||
| 1203 | @example | 1199 | The syntax of the former is described in @ref{config, SQL configuration |
| 1204 | uri ldap://127.0.0.1/ | 1200 | file}. Allowed keywords are discussed below. |
| 1205 | @end example | ||
| 1206 | @end deffn | ||
| 1207 | 1201 | ||
| 1208 | @deffn {pam_ldaphome config} ldap-version @var{v} | 1202 | The syntax of the @file{/etc/ldap.conf} configuration file is |
| 1209 | Sets the LDAP version to use. Valid values for @var{v} are @samp{2} | 1203 | described in @ref{ldap.conf,,LDAP configuration file,ldap.conf(5), |
| 1210 | and @samp{3} (the default). | 1204 | ldap.conf(5) manpage}. Its parsing can be suppressed using the |
| 1211 | @end deffn | 1205 | @command{ldap-config} statement (see below). |
| 1206 | |||
| 1207 | From @file{/etc/ldap.conf}, the following statements are used: | ||
| 1208 | @samp{base}, @samp{binddn}, @samp{bindpw}, @samp{tls_cacert}, | ||
| 1209 | @samp{uri}. The @samp{ssl} statement is understood if its value is | ||
| 1210 | @samp{start_tls} or @samp{off}. Other values are silently ignored. | ||
| 1211 | |||
| 1212 | In general, all statements defined below can appear in both files. | ||
| 1213 | However, since @file{/etc/ldap.conf} is read by other system utilities | ||
| 1214 | as well, we do not recomment using @command{pam_ldaphome}-specific | ||
| 1215 | keywords in it. | ||
| 1216 | |||
| 1217 | The values read from @command{pam_ldaphome} configuration file | ||
| 1218 | override those obtained from the standard LDAP configuration file. | ||
| 1219 | |||
| 1220 | @subheading LDAP configuration | ||
| 1212 | 1221 | ||
| 1213 | @deffn {pam_ldaphome config} base @var{searchbase} | 1222 | @deffn {pam_ldaphome config} base @var{searchbase} |
| 1214 | Use @var{searchbase} as the starting point for the search instead of | 1223 | Use @var{searchbase} as the starting point for the search instead of |
| @@ -1237,6 +1246,27 @@ password for simple authentication. | |||
| 1237 | Read password for simple authentication from @var{file}. | 1246 | Read password for simple authentication from @var{file}. |
| 1238 | @end deffn | 1247 | @end deffn |
| 1239 | 1248 | ||
| 1249 | @deffn {pam_ldaphome config} filter @var{expr} | ||
| 1250 | Sets the LDAP filter expression to return a user profile. The | ||
| 1251 | @var{expr} should conform to the string representation for search | ||
| 1252 | filters as defined in RFC 4515. | ||
| 1253 | @end deffn | ||
| 1254 | |||
| 1255 | @deffn {pam_ldaphome config} ldap-config @var{file} | ||
| 1256 | Read LDAP configuration from @var{file} (default -- | ||
| 1257 | @file{/etc/ldap.conf}). Special value @samp{none} disables this | ||
| 1258 | feature. | ||
| 1259 | @end deffn | ||
| 1260 | |||
| 1261 | @deffn {pam_ldaphome config} ldap-version @var{v} | ||
| 1262 | Sets the LDAP version to use. Valid values for @var{v} are @samp{2} | ||
| 1263 | and @samp{3} (the default). | ||
| 1264 | @end deffn | ||
| 1265 | |||
| 1266 | @deffn {pam_ldaphome config} pubkey-attr @var{text} | ||
| 1267 | Defines the name of the attribute which holds the user public key. | ||
| 1268 | @end deffn | ||
| 1269 | |||
| 1240 | @deffn {pam_ldaphome config} tls @var{val} | 1270 | @deffn {pam_ldaphome config} tls @var{val} |
| 1241 | Controls whether TLS is desired or required. If @var{val} is | 1271 | Controls whether TLS is desired or required. If @var{val} is |
| 1242 | @samp{no} (the default), TLS will not be used. If it is @samp{yes}, | 1272 | @samp{no} (the default), TLS will not be used. If it is @samp{yes}, |
| @@ -1247,41 +1277,27 @@ mandatory, and the module will not establish LDAP connection unless | |||
| 1247 | @end deffn | 1277 | @end deffn |
| 1248 | 1278 | ||
| 1249 | @deffn {pam_ldaphome config} tls-cacert @var{val} | 1279 | @deffn {pam_ldaphome config} tls-cacert @var{val} |
| 1280 | @deffnx {pam_ldaphome config} tls_cacert @var{val} | ||
| 1250 | Full pathname to the CA certificate file. Used if TLS is enabled. | 1281 | Full pathname to the CA certificate file. Used if TLS is enabled. |
| 1282 | The second form (@samp{tls_cacert}) is for use in | ||
| 1283 | @file{/etc/ldap.conf} file. | ||
| 1251 | @end deffn | 1284 | @end deffn |
| 1252 | 1285 | ||
| 1253 | @deffn {pam_ldaphome config} min-uid @var{n} | 1286 | @deffn {pam_ldaphome config} uri @var{arg} |
| 1254 | Sets the minimal UID. For users with UIDs less than @var{n}, | 1287 | Sets the URI of the LDAP server to consult for the user profile. |
| 1255 | @command{pam_ldaphome} returns PAM_SUCCESS immediately. This allows | 1288 | Example: |
| 1256 | you to have a set of basic users whose credentials are kept in the | ||
| 1257 | system database and who will not be disturbed by | ||
| 1258 | @command{pam_ldaphome}. See also @samp{min-gid} and | ||
| 1259 | @samp{allow-groups}. | ||
| 1260 | @end deffn | ||
| 1261 | |||
| 1262 | @deffn {pam_ldaphome config} min-gid @var{n} | ||
| 1263 | Sets the minimal GID. For users with GIDs less than @var{n}, | ||
| 1264 | @command{pam_ldaphome} returns PAM_SUCCESS immediately. | ||
| 1265 | @end deffn | ||
| 1266 | |||
| 1267 | @deffn {pam_ldaphome config} allow-groups @var{group} [@var{group}...] | ||
| 1268 | Only handle members of the listed groups. | ||
| 1269 | @end deffn | ||
| 1270 | |||
| 1271 | @deffn {pam_ldaphome config} filter @var{expr} | ||
| 1272 | Sets the LDAP filter expression to return a user profile. The | ||
| 1273 | @var{expr} should conform to the string representation for search | ||
| 1274 | filters as defined in RFC 4515. | ||
| 1275 | @end deffn | ||
| 1276 | 1289 | ||
| 1277 | @deffn {pam_ldaphome config} import-public-keys @var{bool} | 1290 | @example |
| 1278 | When set to @samp{no}, disables importing public keys from LDAP. You | 1291 | uri ldap://127.0.0.1/ |
| 1279 | may wish to use this option if you are using @command{openssh} 6.1 or | 1292 | @end example |
| 1280 | later with @command{ldappubkey} as @samp{AuthorizedKeysCommand}. | ||
| 1281 | @end deffn | 1293 | @end deffn |
| 1282 | 1294 | ||
| 1283 | @deffn {pam_ldaphome config} pubkey-attr @var{text} | 1295 | @subheading Home directory creation |
| 1284 | Defines the name of the attribute which holds the user public key. | 1296 | @deffn {pam_ldaphome config} allow-home-dir @var{path} |
| 1297 | If present, this option controls where @command{pam_ldaphome} should | ||
| 1298 | try to create home directories. Its value is a list of directories | ||
| 1299 | separated by colons. The user's home directory will be created only | ||
| 1300 | if the directory part of its name is listed in @var{path}. | ||
| 1285 | @end deffn | 1301 | @end deffn |
| 1286 | 1302 | ||
| 1287 | @deffn {pam_ldaphome config} copy-buf-size @var{n} | 1303 | @deffn {pam_ldaphome config} copy-buf-size @var{n} |
| @@ -1293,10 +1309,13 @@ directory to the newly created home. The default size is 16384 bytes. | |||
| 1293 | Sets the mode (octal) for the created user directories. | 1309 | Sets the mode (octal) for the created user directories. |
| 1294 | @end deffn | 1310 | @end deffn |
| 1295 | 1311 | ||
| 1296 | @deffn {pam_ldaphome config} keyfile-mode @var{mode} | 1312 | @deffn {pam_ldaphome config} skel @var{dir} |
| 1297 | Sets the mode (octal) for the created authorized keys file. | 1313 | Supplies the name of a @dfn{skeleton directory}. The contents of this |
| 1314 | directory is copied to the newly created user home directory. The | ||
| 1315 | file modes and permissions are preserved. | ||
| 1298 | @end deffn | 1316 | @end deffn |
| 1299 | 1317 | ||
| 1318 | @subheading Authorized keys file | ||
| 1300 | @deffn {pam_ldaphome config} authorized_keys @var{name} | 1319 | @deffn {pam_ldaphome config} authorized_keys @var{name} |
| 1301 | Sets the pathname (relative to the home directory) for the authorized | 1320 | Sets the pathname (relative to the home directory) for the authorized |
| 1302 | keys file. The default is @samp{.ssh/authorized_keys}. For normal | 1321 | keys file. The default is @samp{.ssh/authorized_keys}. For normal |
| @@ -1305,11 +1324,47 @@ operation, this value must be the same as the value of | |||
| 1305 | change the latter, there's no need to edit it. | 1324 | change the latter, there's no need to edit it. |
| 1306 | @end deffn | 1325 | @end deffn |
| 1307 | 1326 | ||
| 1327 | @deffn {pam_ldaphome config} import-public-keys @var{bool} | ||
| 1328 | When set to @samp{no}, disables importing public keys from LDAP. You | ||
| 1329 | may wish to use this option if you are using @command{openssh} 6.1 or | ||
| 1330 | later with @command{ldappubkey} as @samp{AuthorizedKeysCommand}. | ||
| 1331 | @end deffn | ||
| 1332 | |||
| 1333 | @deffn {pam_ldaphome config} keyfile-mode @var{mode} | ||
| 1334 | Sets the mode (octal) for the created authorized keys file. | ||
| 1335 | @end deffn | ||
| 1336 | |||
| 1337 | @subheading Access control | ||
| 1338 | @deffn {pam_ldaphome config} allow-groups @var{group} [@var{group}...] | ||
| 1339 | Only handle members of the listed groups. | ||
| 1340 | @end deffn | ||
| 1341 | |||
| 1342 | @deffn {pam_ldaphome config} min-gid @var{n} | ||
| 1343 | Sets the minimal GID. For users with GIDs less than @var{n}, | ||
| 1344 | @command{pam_ldaphome} returns PAM_SUCCESS immediately. | ||
| 1345 | @end deffn | ||
| 1346 | |||
| 1347 | @deffn {pam_ldaphome config} min-uid @var{n} | ||
| 1348 | Sets the minimal UID. For users with UIDs less than @var{ | ||