# ------------------------------------------------------------------------------ # Add local or remote users # This file is part of the init.sh project # Copyright (c) 2019-2025 Geoffray Levasseur # ------------------------------------------------------------------------------ # This file is distributed under 3-clause BSD license. # The complete license agreement can be obtained at: # https://opensource.org/licenses/BSD-3-Clause # ------------------------------------------------------------------------------ # Variable: # * REALM: Domain (must be kerberos real if using Kerberos) # * WITH_LDAP_KERB: Shall we install requirements for LDAP/Kerberos auth ? # * KDC_SERVER: Kerberos domain controler KADM_SERVER # * KADM_SERVER: Administrative Kerberos KADM_SERVER # * BASE_DC: Domain in LDAP format # * LDAP_SERVER: LDAP server name or address # * REMOTE_USERS: List of remote users to add # * LOCAL_USERS: List of local users to create # * REMOVE_USERS: List of username to remove # * DEFAULT_SHELL: The shell to use when creating new users # ------------------------------------------------------------------------------ export VER_authnz="0.2.2" export DEP_authnz="" # Authentication authnz() { backup_dist /etc/{passwd,shadow,group,gshadow} tag_file /etc/{passwd,shadow,group,gshadow} for usr in $REMOVE_USERS; do prnt I "Removing user $usr..." remove_user $usr done if [[ $WITH_LDAP_KERB == yes ]]; then pkginst krb5-user libpam-krb5 libnss-ldap libpam-ldap nscd backup_dist /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf \ /etc/nsswitch.conf /etc/pam.d/common-session \ /etc/pam.d/common-account /etc/pam.d/common-password \ /etc/pam.d/common-auth install_file authnz/krb5.conf authnz/libnss-ldap.conf \ authnz/pam_ldap.conf authnz/nsswitch.conf /etc tag_file /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam-ldap.conf sed -i -e "s/@REALM@/${REALM^^}/g" -e "s/@DOMAIN@/$REALM/g" \ -e "s/@KDC_SERVER@/$KDC_SERVER/" -e "s/@KADM_SERVER@/$KADM_SERVER/" \ /etc/krb5.conf sed -i -e "s/@BASE_CD@/$BASE_DC@/" -e "s/@LDAP_SERVER@/$LDAP_SERVER/" \ /etc/libnss-ldap.conf sed -i -e "s/@BASE_CD@/$BASE_DC@/g" -e "s/@LDAP_SERVER@/$LDAP_SERVER/" \ -e "s/@LDAP_ADM@/$LDAP_ADM/" /etc/pam-ldap.conf install_file authnz/common-{session,account,password,auth} /etc/pam.d tag_file /etc/pam.d/common-{session,account,password,auth} scv_restart nscd for usr in $REMOTE_USERS; do prnt I "Adding remote user $usr..." add_remote_user $usr done fi if [[ -n $LOCAL_USERS ]]; then for usr in $LOCAL_USERS; do prnt I "Creating user $usr..." create_local_user $usr done fi NEED_REBOOT=true } precheck_authnz() { if [[ $WITH_LDAP_KERB == "yes" ]]; then if [[ -n $REMOTE_USERS ]]; then if [[ -z $KDC_SERVER || -z $KADM_SERVER || -z $BASE_CD || \ -z $LDAP_SERVER || -z $LDAP_ADM ]]; then prnt E "A variable related to authentication is missing!" die 109 fi prnt I "The following distant users will be accessible:" prnt m "\t* $REMOTE_USERS" else prnt W "No distant user but LDAP/Kerberos is activated!" fi file_must_exists auth/{krb5,libnss-ldap,pam_ldap,nsswitch}.conf pam/common-{session,account,password,auth} else if [[ -n $REMOTE_USERS ]]; then prnt E "Impossible to add distant users authentication mechanism." die 109 fi fi if [[ -n $LOCAL_USERS ]]; then prnt I "The following local users will be created:" prnt m "\t* $LOCAL_USERS" fi if [[ -n $REMOvE_USERS ]]; then prnt I "The following users will be removed:" prnt m "\t* $REMOVE_USERS" fi } export -f authnz export -f precheck_authnz # EOF