added full ldap/kerberos support to authnz module, add mam as exemple

2021-12-08 18:31:18 +01:00
parent 976ba1a9ee
commit ebc5b50300
11 changed files with 848 additions and 2 deletions
--- a/modules/authnz.sh
+++ b/modules/authnz.sh
@@ -8,7 +8,12 @@
 # https://opensource.org/licenses/BSD-3-Clause
 # ------------------------------------------------------------------------------
 # Variable:
+#  * REALM: Domain (must be kerberos real if using Kerberos)
 #  * WITH_LDAP_KERB: Shall we install requirements for LDAP/Kerberos auth ?
+#      * KDC_SERVER: Kerberos domain controler KADM_SERVER
+#      * KADM_SERVER: Administrative Kerberos KADM_SERVER
+#      * BASE_DC: Domain in LDAP format
+#      * LDAP_SERVER: LDAP server
 #  * REMOTE_USERS: List of remote users to add
 #  * LOCAL_USERS: List of local users to create
 #  * REMOVE_USERS: List of username to remove
@@ -59,8 +64,20 @@ authnz()
            /etc/nsswitch.conf /etc/pam.d/common-session \
            /etc/pam.d/common-account /etc/pam.d/common-password \
            /etc/pam.d/common-auth
-        installfile krb5.conf libnss-ldap.conf pam_ldap.conf nsswitch.conf /etc
-        installfile common-session common-account common-password common-auth \
+        installfile authnz/krb5.conf authnz/libnss-ldap.conf \
+            authnz/pam_ldap.conf authnz/nsswitch.conf /etc
+
+        sed -i -e "s/@REALM@/${REALM^^}/g" -e "s/@DOMAIN@/$REALM/g" \
+            -e "s/@KDC_SERVER@/$KDC_SERVER/" -e "s/@KADM_SERVER@/$KADM_SERVER/" \
+            /etc/krb5.conf
+        sed -i -e "s/@BASE_CD@/$BASE_DC@/" -e "s/@LDAP_SERVER@/$LDAP_SERVER/" \
+            /etc/libnss-ldap.conf
+        sed -i -e "s/@BASE_CD@/$BASE_DC@/g" -e "s/@LDAP_SERVER@/$LDAP_SERVER/" \
+            -e "s/@LDAP_ADM@/$LDAP_ADM/" /etc/libnss-ldap.conf
+
+
+        installfile authnz/common-session authnz/common-account \
+            authnz/common-password authnz/common-auth \
            /etc/pam.d

        scv_restart nscd
@@ -85,6 +102,11 @@ precheck_authnz()
 {
    if [[ $WITH_LDAP_KERB == "yes" ]]; then
        if [[ -n $REMOTE_USERS ]]; then
+            if [[ -z $KDC_SERVER || -z $KADM_SERVER || -z $BASE_CD || \
+                -z $LDAP_SERVER || -z $LDAP_ADM ]]; then
+                prnt E "A variable related to authentication is missing!"
+                die 109
+            fi
            prnt I "The following distant users will be accessible:"
            prnt m "\t* $REMOTE_USERS"
        else