fatalerrors/init.sh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
89fcbd4f055a72b4e5cfbe9339bdb49873f5fdcb
init.sh/modules/authnz.sh
Geoffray Levasseur cd35f52509 improved code quality, few bug fixes
2023-08-02 11:36:01 +02:00

163 lines
5.6 KiB
Bash
Raw Blame History

# ------------------------------------------------------------------------------
# Add local or remote users
# This file is part of the init.sh project
# Copyright (c) 2019-2022 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
# ------------------------------------------------------------------------------
# This file is distributed under 3-clause BSD license.
# The complete license agreement can be obtained at:
# https://opensource.org/licenses/BSD-3-Clause
# ------------------------------------------------------------------------------
# Variable:
# * REALM: Domain (must be kerberos real if using Kerberos)
# * WITH_LDAP_KERB: Shall we install requirements for LDAP/Kerberos auth ?
# * KDC_SERVER: Kerberos domain controler KADM_SERVER
# * KADM_SERVER: Administrative Kerberos KADM_SERVER
# * BASE_DC: Domain in LDAP format
# * LDAP_SERVER: LDAP server name or address
# * REMOTE_USERS: List of remote users to add
# * LOCAL_USERS: List of local users to create
# * REMOVE_USERS: List of username to remove
# * DEFAULT_SHELL: The shell to use when creating new users
# ------------------------------------------------------------------------------
export VER_authnz="0.2.2"
export DEP_authnz="upgrade_dist"
# Users (from Ldap)
add_remote_user()
{
if [[ -n $(grep "^$1:" /etc/passwd) ]]; then
prnt W "A local user with name $1 already exists, adding anyway!"
fi
if [[ -n $(grep "^+$1:" /etc/passwd) ]]; then
prnt W "The remote user $1 is already declared, nothing to do in passwd."
else
echo "+$1::::::" >> /etc/passwd
prnt I "User $1 added to passwd..."
fi
if [[ -n $(grep "^+$1:" /etc/shadow) ]]; then
prnt W "The remote user $1 is already connectable, nothing to do in shadow."
else
echo "+$1::::::::" >> /etc/shadow
prnt I "User $1 added to shadow..."
fi
}
# Remove users
remove_user()
{
if [[ -n $(grep "^$1:" /etc/{passwd,shadow,group,gshadow}) ]]; then
# Using sed is more universal than any distro commands - local case
sed -i -e "/^$1:/d" /etc/{passwd,shadow,group,gshadow}
elif [[ -n $(grep "^+$1:" /etc/{passwd,shadow,group,gshadow}) ]]; then
# remote case
sed -i -e "/^+$1:/d" /etc/{passwd,shadow,group,gshadow}
else
prnt W "User $1 don't exists in auth files, nothing to do."
fi
}
# Create a local user
create_local_user()
{
if [[ $(noerror --noout id $1) != 0 ]]; then
prnt I "Creating user $1..."
if [[ $(directory_exists home_skell) ]]; then
useradd --create-home --shell $DEFAULT_SHELL --user-group $1 \
--skell $(select_directory home_skell)
else
useradd --create-home --shell $DEFAULT_SHELL --user-group $1
fi
else
prnt W "The user $1 already exists. Nothing to do..."
fi
}
# Authentication
authnz()
{
backup_dist /etc/{passwd,shadow,group,gshadow}
tag_file /etc/{passwd,shadow,group,gshadow}
for usr in $REMOVE_USERS; do
prnt I "Removing user $usr..."
remove_user $usr
done
if [[ $WITH_LDAP_KERB == yes ]]; then
pkginst krb5-user libpam-krb5 libnss-ldap libpam-ldap nscd
backup_dist /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf \
/etc/nsswitch.conf /etc/pam.d/common-session \
/etc/pam.d/common-account /etc/pam.d/common-password \
/etc/pam.d/common-auth
install_file authnz/krb5.conf authnz/libnss-ldap.conf \
authnz/pam_ldap.conf authnz/nsswitch.conf /etc
tag_file /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam-ldap.conf
sed -i -e "s/@REALM@/${REALM^^}/g" -e "s/@DOMAIN@/$REALM/g" \
-e "s/@KDC_SERVER@/$KDC_SERVER/" -e "s/@KADM_SERVER@/$KADM_SERVER/" \
/etc/krb5.conf
sed -i -e "s/@BASE_CD@/$BASE_DC@/" -e "s/@LDAP_SERVER@/$LDAP_SERVER/" \
/etc/libnss-ldap.conf
sed -i -e "s/@BASE_CD@/$BASE_DC@/g" -e "s/@LDAP_SERVER@/$LDAP_SERVER/" \
-e "s/@LDAP_ADM@/$LDAP_ADM/" /etc/pam-ldap.conf
install_file authnz/common-{session,account,password,auth} /etc/pam.d
tag_file /etc/pam.d/common-{session,account,password,auth}
scv_restart nscd
for usr in $REMOTE_USERS; do
prnt I "Adding remote user $usr..."
add_remote_user $usr
done
fi
if [[ -n $LOCAL_USERS ]]; then
for usr in $LOCAL_USERS; do
prnt I "Creating user $usr..."
create_local_user $usr
done
fi
NEED_REBOOT=true
}
precheck_authnz()
{
if [[ $WITH_LDAP_KERB == "yes" ]]; then
if [[ -n $REMOTE_USERS ]]; then
if [[ -z $KDC_SERVER || -z $KADM_SERVER || -z $BASE_CD || \
-z $LDAP_SERVER || -z $LDAP_ADM ]]; then
prnt E "A variable related to authentication is missing!"
die 109
fi
prnt I "The following distant users will be accessible:"
prnt m "\t* $REMOTE_USERS"
else
prnt W "No distant user but LDAP/Kerberos is activated!"
fi
file_must_exists auth/{krb5,libnss-ldap,pam_ldap,nsswitch}.conf
pam/common-{session,account,password,auth}
else
if [[ -n $REMOTE_USERS ]]; then
prnt E "Impossible to add distant users authentication mechanism."
die 109
fi
fi
if [[ -n $LOCAL_USERS ]]; then
prnt I "The following local users will be created:"
prnt m "\t* $LOCAL_USERS"
fi
if [[ -n $REMOvE_USERS ]]; then
prnt I "The following users will be removed:"
prnt m "\t* $REMOVE_USERS"
fi
}
export -f authnz
export -f precheck_authnz
# EOF
Reference in New Issue View Git Blame Copy Permalink