|
1 |
@!@ |
1 |
@!@ |
2 |
minimum_uid = int(configRegistry.get('pam/krb5/minimum_uid', 1000)) |
2 |
METHODS = [ |
3 |
pam_krb5 = ''' |
3 |
('krb5', 'pam_krb5.so use_first_pass minimum_uid=%d' % (configRegistry.get('pam/krb5/minimum_uid', 1000),)), |
4 |
auth [success=<succ> new_authtok_reqd=ok \ |
4 |
('ldap', 'pam_ldap.so use_first_pass'), |
5 |
user_unknown=<unknown> \ |
5 |
('winbind', 'pam_winbind.so use_first_pass'), |
6 |
service_err=<unavail> authinfo_unavail=<unavail> \ |
6 |
] |
7 |
default=<unknown>] pam_krb5.so use_first_pass minimum_uid=%d''' % (minimum_uid,) |
7 |
methods = set(configRegistry['auth/methods'].split()) |
8 |
pam_ldap = ''' |
8 |
stmts = [stmt for (method, stmt) in METHODS if method in methods] |
9 |
auth [success=<succ> new_authtok_reqd=ok \ |
|
|
10 |
user_unknown=<unknown> \ |
11 |
service_err=<unavail> authinfo_unavail=<unavail> \ |
12 |
default=<unknown>] pam_ldap.so use_first_pass''' |
13 |
pam_winbind = ''' |
14 |
auth [success=<succ> new_authtok_reqd=ok \ |
15 |
user_unknown=<unknown> \ |
16 |
service_err=<unavail> authinfo_unavail=<unavail> \ |
17 |
default=<unknown>] pam_winbind.so use_first_pass''' |
18 |
|
9 |
|
19 |
|
10 |
|
20 |
def pam_section(template, last): |
11 |
if not stmts: |
21 |
succ='done' |
|
|
22 |
unavail='die' |
23 |
fail='die' |
24 |
unknown = 'die' if last else 'ignore' |
25 |
|
26 |
return template.replace('<succ>', succ).replace('<unavail>', unavail).replace('<fail>', fail).replace('<unknown>', unknown) |
27 |
|
28 |
methods = [x for x in configRegistry['auth/methods'].split(' ') if x in ['krb5', 'ldap', 'winbind']] |
29 |
|
30 |
|
31 |
if not methods: |
32 |
print(''' |
12 |
print(''' |
33 |
auth required pam_unix.so''') |
13 |
auth required pam_unix.so''') |
34 |
else: |
14 |
else: |
|
39 |
|
19 |
|
40 |
|
20 |
|
41 |
|
21 |
|
42 |
if 'krb5' in methods: |
22 |
for i, stmt in enumerate(stmts): |
43 |
last = 'ldap' not in methods and 'winbind' not in methods |
23 |
action = "[success=%d new_authtok_reqd=ok user_unknown=ignore service_err=die authinfo_unavail=die default=ignore]" % (len(stmts) - i,) |
44 |
print(pam_section(pam_krb5, last)) |
24 |
print("auth %s %s" % (action, stmt)) |
45 |
if 'ldap' in methods: |
|
|
46 |
last = 'winbind' not in methods |
47 |
print(pam_section(pam_ldap, last)) |
48 |
if 'winbind' in methods: |
49 |
print(pam_section(pam_winbind, true)) |
50 |
@!@ |
25 |
@!@ |
|
|
26 |
auth requisite pam_deny.so |
27 |
auth required pam_permit.so |
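Review bot: In the `METHODS` column the `krb5` entry formats `minimum_uid=%d` with the raw `configRegistry.get('pam/krb5/minimum_uid', 1000)` value, and `%d` raises TypeError when given a string. The other column converts the value first, which suggests the registry can return a string once the variable is set, so the conversion should be kept: `'pam_krb5.so use_first_pass minimum_uid=%d' % (int(configRegistry.get('pam/krb5/minimum_uid', 1000)),)`. The page does not mark which column is the new side; if the `pam_section` column is the new one, the point there is `print(pam_section(pam_winbind, true))`, where `true` is not a Python name (unless it is defined in the collapsed lines) and should be `True`. Either error only fires for particular `auth/methods` or `pam/krb5/minimum_uid` settings, so the template should be rendered for each method combination and the output checked to confirm that failed logins still reach `pam_deny.so`. The lines after `else:` (gutter 15–18 and 35–38) are collapsed on this page and were not reviewed.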