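# ------------------------------------------------------------------------------
# Add local or remote users
# This file is part of the init.sh project
# Copyright (c) 2019-2021 Geoffray Levasseur
# ------------------------------------------------------------------------------
# This file is distributed under 3-clause BSD license.
# The complete license agreement can be obtained at:
# https://opensource.org/licenses/BSD-3-Clause
# ------------------------------------------------------------------------------
# Variables:
#  * REALM: Domain (must be the Kerberos realm if using Kerberos)
#  * WITH_LDAP_KERB: Shall we install requirements for LDAP/Kerberos auth?
#  * KDC_SERVER: Kerberos domain controller (KDC)
#  * KADM_SERVER: Kerberos administration server (kadmin)
#  * BASE_DC: Domain in LDAP format (base DN)
#  * LDAP_SERVER: LDAP server
#  * LDAP_ADM: LDAP administrative DN (substituted into pam_ldap.conf)
#  * REMOTE_USERS: List of remote users to add (whitespace separated)
#  * LOCAL_USERS: List of local users to create (whitespace separated)
#  * REMOVE_USERS: List of user names to remove (whitespace separated)
#  * DEFAULT_SHELL: The shell to use when creating new users
# Every user name is validated (see _authnz_valid_name) before it is written
# into /etc/passwd & co, used in a sed pattern or passed to useradd.
# ------------------------------------------------------------------------------
export VER_authnz=0.1.6
export DEP_authnz="upgrade_dist"

# Validate a user name before it reaches the account databases.
# Rejects an empty name, ':' (passwd field separator), whitespace/newline
# (record separator), a leading '-' (option injection into useradd/id) and
# anything longer than 32 characters.
# Arguments: $1 - candidate user name
# Returns:   0 when acceptable, 1 otherwise
_authnz_valid_name() {
  [[ -n $1 && ${#1} -le 32 && $1 =~ ^[A-Za-z_][A-Za-z0-9_.-]*$ ]]
}

# Escape a value for the right-hand side of a sed "s|pattern|VALUE|" command:
# backslash, '&' and the '|' delimiter get a protecting backslash, so values
# such as "ldap://host/" or a DN containing '&' can no longer break the edit.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
_authnz_sed_escape() {
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Users (from LDAP): expose a directory account through the NIS "compat"
# syntax ('+name' records). Idempotent: an existing '+name' record is kept
# instead of being appended a second time.
# Arguments: $1 - user name
# Returns:   1 on an invalid name (nothing is written)
add_remote_user() {
  local name=$1 pat
  if ! _authnz_valid_name "$name"; then
    prnt E "Invalid user name '$name'. Nothing added."
    return 1
  fi
  # '.' is the only regex metacharacter a validated name may contain.
  pat=${name//./\\.}
  # NOTE(review): '+name' records only take effect with 'compat' in
  # nsswitch.conf; the installed authnz/nsswitch.conf template is not visible
  # here, confirm it enables it.
  grep -q -- "^+${pat}:" /etc/passwd || printf '+%s::::::\n' "$name" >> /etc/passwd
  grep -q -- "^+${pat}:" /etc/shadow || printf '+%s::::::::\n' "$name" >> /etc/shadow
}

# Remove users: drop the account's records from the passwd/shadow/group files.
# Using sed is more universal than any distro command, but it does not remove
# the home directory and bypasses the locking that vipw/userdel perform.
# The pattern is anchored on the whole first field ("^name:"): the former
# "^name" prefix match also deleted "name2", "name-deploy", ... and an empty
# name would have become "/^/d", wiping every file.
# Arguments: $1 - user name
# Returns:   1 on an invalid or empty name (nothing is deleted)
remove_user() {
  local name=$1 pat
  if ! _authnz_valid_name "$name"; then
    prnt E "Invalid user name '$name'. Nothing removed."
    return 1
  fi
  # '.' is the only regex metacharacter a validated name may contain.
  pat=${name//./\\.}
  sed -i -e "/^${pat}:/d" /etc/passwd /etc/shadow /etc/group /etc/gshadow
}

# Create a local user with a home directory, a private group and
# $DEFAULT_SHELL. Existing accounts are left alone (warning only).
# Arguments: $1 - user name
# Returns:   1 on an invalid name, else the status of useradd (0 if existing)
create_user() {
  local name=$1
  if ! _authnz_valid_name "$name"; then
    prnt E "Invalid user name '$name'. Nothing created."
    return 1
  fi
  # id(1) exits non-zero for an unknown account; its output is irrelevant.
  if id "$name" >/dev/null 2>&1; then
    prnt W "The user $name already exists. Nothing to do..."
    return 0
  fi
  prnt I "Creating user $name..."
  # The following should be replaced by a more universal version
  useradd --create-home --shell "$DEFAULT_SHELL" --user-group "$name"
}

# Install and configure the Kerberos/LDAP client stack (packages, templates
# under authnz/, placeholder substitution, PAM common-* files, nscd restart).
# Globals read: REALM KDC_SERVER KADM_SERVER BASE_DC LDAP_SERVER LDAP_ADM
_authnz_install_ldap_kerb() {
  local realm domain kdc kadm base_dc ldap_server ldap_adm
  pkginst krb5-user libpam-krb5 libnss-ldap libpam-ldap nscd
  backupdist /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf \
    /etc/nsswitch.conf /etc/pam.d/common-session \
    /etc/pam.d/common-account /etc/pam.d/common-password \
    /etc/pam.d/common-auth
  installfile authnz/krb5.conf authnz/libnss-ldap.conf \
    authnz/pam_ldap.conf authnz/nsswitch.conf /etc
  # The file installed above is pam_ldap.conf (underscore): tagging and
  # editing "pam-ldap.conf" left the PAM LDAP placeholders unsubstituted.
  tagfile /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf
  # Values are escaped for sed and '|' is used as delimiter so that URIs
  # ("ldap://host/") and DNs cannot terminate or alter the s command.
  realm=$(_authnz_sed_escape "${REALM^^}")
  domain=$(_authnz_sed_escape "$REALM")
  kdc=$(_authnz_sed_escape "$KDC_SERVER")
  kadm=$(_authnz_sed_escape "$KADM_SERVER")
  base_dc=$(_authnz_sed_escape "$BASE_DC")
  ldap_server=$(_authnz_sed_escape "$LDAP_SERVER")
  ldap_adm=$(_authnz_sed_escape "$LDAP_ADM")
  sed -i -e "s|@REALM@|${realm}|g" -e "s|@DOMAIN@|${domain}|g" \
    -e "s|@KDC_SERVER@|${kdc}|g" -e "s|@KADM_SERVER@|${kadm}|g" \
    /etc/krb5.conf
  # The templates spell the base-DN placeholder @BASE_CD@ (kept as-is); the
  # stray trailing '@' that used to follow the value is gone.
  sed -i -e "s|@BASE_CD@|${base_dc}|g" -e "s|@LDAP_SERVER@|${ldap_server}|g" \
    /etc/libnss-ldap.conf
  sed -i -e "s|@BASE_CD@|${base_dc}|g" -e "s|@LDAP_SERVER@|${ldap_server}|g" \
    -e "s|@LDAP_ADM@|${ldap_adm}|g" /etc/pam_ldap.conf
  installfile authnz/common-{session,account,password,auth} /etc/pam.d
  tagfile /etc/pam.d/common-{session,account,password,auth}
  # NOTE(review): pam_ldap/libnss-ldap send credentials in clear text unless
  # the template enables TLS (ssl start_tls / ldaps URI); the template is not
  # visible here, confirm it does.
  # NOTE(review): helper name kept verbatim from the original; confirm
  # "scv_restart" exists (svc_restart?).
  scv_restart nscd
}

# Authentication: remove, then add remote and local users.
# Globals read: REMOVE_USERS WITH_LDAP_KERB REMOTE_USERS LOCAL_USERS
# Returns:   non-zero as soon as a removal/addition is refused
authnz() {
  local usr
  # gshadow is edited by remove_user, so it is backed up and tagged too.
  backupdist /etc/passwd /etc/shadow /etc/group /etc/gshadow
  tagfile /etc/passwd /etc/shadow /etc/group /etc/gshadow
  # The *_USERS variables are whitespace-separated lists; splitting is wanted.
  for usr in $REMOVE_USERS; do
    prnt I "Removing user $usr..."
    remove_user "$usr" || return 1
  done
  if [[ $WITH_LDAP_KERB == yes ]]; then
    _authnz_install_ldap_kerb
    for usr in $REMOTE_USERS; do
      prnt I "Adding remote user $usr..."
      add_remote_user "$usr" || return 1
    done
  fi
  if [[ -z $LOCAL_USERS ]]; then
    return 0
  fi
  for usr in $LOCAL_USERS; do
    prnt I "Creating user $usr..."
    create_user "$usr" || return 1
  done
}

# Sanity checks run before authnz: required variables, template files and
# user-name validity, so that nothing is half-applied to /etc later on.
# Dies with status 109 on any problem.
precheck_authnz() {
  local usr
  if [[ $WITH_LDAP_KERB == "yes" ]]; then
    # The LDAP/Kerberos templates are written whenever the stack is enabled,
    # so the variables are required even without remote users; REALM and
    # BASE_DC (the documented name) are part of the substitution too.
    if [[ -z $REALM || -z $KDC_SERVER || -z $KADM_SERVER || -z $BASE_DC || \
          -z $LDAP_SERVER || -z $LDAP_ADM ]]; then
      prnt E "A variable related to authentication is missing!"
      die 109
    fi
    if [[ -n $REMOTE_USERS ]]; then
      prnt I "The following distant users will be accessible:"
      prnt m "\t* $REMOTE_USERS"
    else
      prnt W "No distant user but LDAP/Kerberos is activated!"
    fi
    # Same paths as the installfile calls in _authnz_install_ldap_kerb; the
    # former auth/ and pam/ prefixes did not match what gets installed.
    file_exists authnz/{krb5,libnss-ldap,pam_ldap,nsswitch}.conf \
      authnz/common-{session,account,password,auth}
  elif [[ -n $REMOTE_USERS ]]; then
    prnt E "Impossible to add distant users authentication mechanism."
    die 109
  fi
  if [[ -n $LOCAL_USERS ]]; then
    if [[ -z $DEFAULT_SHELL ]]; then
      prnt E "DEFAULT_SHELL is not set but local users are requested!"
      die 109
    fi
    prnt I "The following local users will be created:"
    prnt m "\t* $LOCAL_USERS"
  fi
  if [[ -n $REMOVE_USERS ]]; then
    prnt I "The following users will be removed:"
    prnt m "\t* $REMOVE_USERS"
  fi
  # Refuse the whole run on a bad name rather than failing mid-way.
  for usr in $REMOVE_USERS $REMOTE_USERS $LOCAL_USERS; do
    if ! _authnz_valid_name "$usr"; then
      prnt E "Invalid user name '$usr' in configuration!"
      die 109
    fi
  done
}

export -f authnz
export -f precheck_authnz
# EOF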