diff --git a/base/univention-pam/conffiles/etc/pam.d/common-account b/base/univention-pam/conffiles/etc/pam.d/common-account
index 825991c2bd..0e6f25cc43 100644
--- a/base/univention-pam/conffiles/etc/pam.d/common-account
+++ b/base/univention-pam/conffiles/etc/pam.d/common-account
@@ -11,27 +11,16 @@ account [success=done new_authtok_reqd=done acct_expired=bad default=ignore]
 @!@
-minimum_uid = int(configRegistry.get('pam/krb5/minimum_uid', 1000))
-pam_krb5='''
-account pam_krb5.so minimum_uid=%d''' % (minimum_uid,)
-pam_ldap='''
-account pam_ldap.so'''
-pam_winbind='''
-account pam_winbind.so'''
-
-def pam_section(template, index):
- action = 'required ' if index <= 1 else 'sufficient'
- return template.replace('', action)
-
-methods = set(configRegistry['auth/methods'].split(' ')) & {'krb5', 'ldap', 'winbind'}
-index = len(methods)
-
-if 'krb5' in methods:
- print(pam_section(pam_krb5, index))
- index -= 1
-if 'ldap' in methods:
- print(pam_section(pam_ldap, index))
- index -= 1
-if 'winbind' in methods:
- print(pam_section(pam_winbind, index))
+METHODS = [
+ ('krb5', 'pam_krb5.so minimum_uid=%s' % (configRegistry.get('pam/krb5/minimum_uid', 1000),)),
+ ('ldap', 'pam_ldap.so'),
+ ('winbind', 'pam_winbind.so'),
+]
+methods = set(configRegistry['auth/methods'].split())
+stmts = [stmt for (method, stmt) in METHODS if method in methods]
+for i, stmt in enumerate(stmts):
+ action = "[success=%d new_authtok_reqd=done default=ignore]" % (len(stmts) - i,)
+ print("account %s %s" % (action, stmt))
 @!@
+account requisite pam_deny.so
+account required pam_permit.so
diff --git a/base/univention-pam/conffiles/etc/pam.d/common-auth-nowrite b/base/univention-pam/conffiles/etc/pam.d/common-auth-nowrite
index 95a4eb8e6a..d71431bacc 100644
--- a/base/univention-pam/conffiles/etc/pam.d/common-auth-nowrite
+++ b/base/univention-pam/conffiles/etc/pam.d/common-auth-nowrite
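Review bot: The krb5 entry formats `pam/krb5/minimum_uid` with `%s` and drops the `int()` conversion the removed code had, so a non-numeric UCR value is written unchecked into the module argument instead of failing when the template is rendered; use `'pam_krb5.so minimum_uid=%d' % (int(configRegistry.get('pam/krb5/minimum_uid', 1000)),)` so the value is validated and the expression matches the other two templates. The `success=%d` arithmetic is correct (it skips the remaining method lines plus `pam_deny.so`, so a match lands on `pam_permit.so`) but it is not obvious and is repeated in common-auth-nowrite and 50univention-pam_general; a comment above the loop such as `# success=N jumps over the remaining method lines and pam_deny.so, landing on pam_permit.so` would help the next editor keep the loop and the static tail in step. The count also silently depends on `pam_deny.so` being the very next line after the closing `@!@`; any line inserted between them breaks every jump.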
@@ -21,22 +21,18 @@ auth sufficient pam_unix.so
 @!@
-minimum_uid = int(configRegistry.get('pam/krb5/minimum_uid', 1000))
-pam_krb5='''
-auth sufficient pam_krb5.so use_first_pass minimum_uid=%d''' % (minimum_uid,)
-pam_ldap='''
-auth sufficient pam_ldap.so use_first_pass'''
-pam_winbind='''
-auth sufficient pam_winbind.so use_first_pass'''
-
-methods = set(configRegistry['auth/methods'].split(' ')) & {'krb5', 'ldap', 'winbind'}
-
-if 'krb5' in methods:
- print(pam_krb5)
-if 'ldap' in methods:
- print(pam_ldap)
-if 'winbind' in methods:
- print(pam_winbind)
+METHODS = [
+ ('krb5', 'pam_krb5.so use_first_pass minimum_uid=%d' % (configRegistry.get('pam/krb5/minimum_uid', 1000),)),
+ ('ldap', 'pam_ldap.so use_first_pass'),
+ ('winbind', 'pam_winbind.so use_first_pass'),
+]
+methods = set(configRegistry['auth/methods'].split())
+stmts = [stmt for (method, stmt) in METHODS if method in methods]
+for i, stmt in enumerate(stmts):
+ action = "[success=%d default=ignore]" % (len(stmts) - i,)
+ print("auth %s %s" % (action, stmt))
 @!@
+auth requisite pam_deny.so
+auth required pam_permit.so
 auth required pam_env.so
diff --git a/base/univention-pam/conffiles/etc/pam.d/common-auth.d/50univention-pam_general b/base/univention-pam/conffiles/etc/pam.d/common-auth.d/50univention-pam_general
index 450f4b5a7c..6d3aae16cc 100644
--- a/base/univention-pam/conffiles/etc/pam.d/common-auth.d/50univention-pam_general
+++ b/base/univention-pam/conffiles/etc/pam.d/common-auth.d/50univention-pam_general
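Review bot: The krb5 entry applies `%d` to `configRegistry.get('pam/krb5/minimum_uid', 1000)`, which only works while the variable is unset: a UCR value that is set comes back as a string, so the `%` formatting raises `TypeError` and the template no longer renders, whereas the removed code converted with `int()` first. Use `'pam_krb5.so use_first_pass minimum_uid=%d' % (int(configRegistry.get('pam/krb5/minimum_uid', 1000)),)` here and in the first hunk of 50univention-pam_general, which carries the same expression. Separately, the `sufficient` control these lines replace is equivalent to `[success=done new_authtok_reqd=done default=ignore]`, but the new action is `[success=%d default=ignore]`; a backend returning PAM_NEW_AUTHTOK_REQD now falls through the rest of the stack and ends at `pam_deny.so`, so if expired-password handling during auth is meant to keep working the action should read `[success=%d new_authtok_reqd=done default=ignore]`, as the common-account hunk already does.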
@@ -1,34 +1,14 @@
 @!@
-minimum_uid = int(configRegistry.get('pam/krb5/minimum_uid', 1000))
-pam_krb5 = '''
-auth [success= new_authtok_reqd=ok \
- user_unknown= \
- service_err= authinfo_unavail= \
- default=] pam_krb5.so use_first_pass minimum_uid=%d''' % (minimum_uid,)
-pam_ldap = '''
-auth [success= new_authtok_reqd=ok \
- user_unknown= \
- service_err= authinfo_unavail= \
- default=] pam_ldap.so use_first_pass'''
-pam_winbind = '''
-auth [success= new_authtok_reqd=ok \
- user_unknown= \
- service_err= authinfo_unavail= \
- default=] pam_winbind.so use_first_pass'''
+METHODS = [
+ ('krb5', 'pam_krb5.so use_first_pass minimum_uid=%d' % (configRegistry.get('pam/krb5/minimum_uid', 1000),)),
+ ('ldap', 'pam_ldap.so use_first_pass'),
+ ('winbind', 'pam_winbind.so use_first_pass'),
+]
+methods = set(configRegistry['auth/methods'].split())
+stmts = [stmt for (method, stmt) in METHODS if method in methods]
-def pam_section(template, last):
- succ='done'
- unavail='die'
- fail='die'
- unknown = 'die' if last else 'ignore'
-
- return template.replace('', succ).replace('', unavail).replace('', fail).replace('', unknown)
-
-methods = [x for x in configRegistry['auth/methods'].split(' ') if x in ['krb5', 'ldap', 'winbind']]
-
-
-if not methods:
+if not stmts:
 print('''
 auth required pam_unix.so''')
 else:
@@ -39,12 +19,9 @@ print('''
-if 'krb5' in methods:
- last = 'ldap' not in methods and 'winbind' not in methods
- print(pam_section(pam_krb5, last))
-if 'ldap' in methods:
- last = 'winbind' not in methods
- print(pam_section(pam_ldap, last))
-if 'winbind' in methods:
- print(pam_section(pam_winbind, true))
+for i, stmt in enumerate(stmts):
+ action = "[success=%d new_authtok_reqd=ok user_unknown=ignore service_err=die authinfo_unavail=die default=ignore]" % (len(stmts) - i,)
+ print("auth %s %s" % (action, stmt))
 @!@
+auth requisite pam_deny.so
+auth required pam_permit.so
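Review bot: With no configured backend (`stmts` empty) this template now emits `auth required pam_unix.so` from the fallback branch and, since the loop in the second hunk prints nothing, the next active line is the unconditional `auth requisite pam_deny.so` added after the closing `@!@`; `required` does not stop the stack on success, so `pam_deny.so` fails every authentication in that configuration, whereas the removed version had no deny tail and `required pam_unix.so` alone could succeed. The fallback line needs the same jump the loop uses, e.g. `auth [success=1 default=ignore] pam_unix.so`, so a local success lands on `pam_permit.so`. The `else:` branch and whatever pam_unix line it prints lie outside this hunk; it should be checked the same way against the new tail.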
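Review bot: The new action uses `default=ignore` where the removed `pam_section` appears to have substituted `fail='die'` into `default=`, so a wrong password is no longer rejected by the first backend but, via `use_first_pass`, is retried against every remaining backend before reaching `pam_deny.so`. Each retry feeds a separate failed-attempt counter (Kerberos, LDAP password policy, AD bad-password count), so where the backends share accounts a single mistyped password can advance lockout several times; if the fall-through is intended, a comment above the loop saying so, e.g. `# default=ignore: a failing backend hands the same password to the next one; pam_deny.so ends the chain`, would keep a later editor from "fixing" it back. The hunk also always emits `user_unknown=ignore` where the removed code used `die` for the last backend; that is fine here because `pam_deny.so` now catches the fall-through.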