From 92cd987e0a347123d81f83be99787ab77f39ca8e Mon Sep 17 00:00:00 2001
From: Ana Krivokapic
Date: Thu, 17 Oct 2013 21:58:00 +0200
Subject: Add ipa-advise plugins for nss-pam-ldapd legacy clients

Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd:
* config-redhat-nss-pam-ldapd
* config-generic-linux-nss-pam-ldapd
* config-freebsd-nss-pam-ldapd

https://fedorahosted.org/freeipa/ticket/3672
---
 install/share/advise/legacy/Makefile.am | 4 +++-
 .../advise/legacy/pam.conf.nss_pam_ldapd.template | 22 +++++++++++++++++++
 install/share/advise/legacy/pam.conf.sssd.template | 22 +++++++++++++++++++
 install/share/advise/legacy/pam.conf.template | 22 -------------------
 install/share/advise/legacy/pam_conf_sshd.template | 25 ++++++++++++++++++++++
 install/share/advise/legacy/sssd.conf.template | 4 ++--
 6 files changed, 74 insertions(+), 25 deletions(-)
 create mode 100644 install/share/advise/legacy/pam.conf.nss_pam_ldapd.template
 create mode 100644 install/share/advise/legacy/pam.conf.sssd.template
 delete mode 100644 install/share/advise/legacy/pam.conf.template
 create mode 100644 install/share/advise/legacy/pam_conf_sshd.template
(limited to 'install/share')

diff --git a/install/share/advise/legacy/Makefile.am b/install/share/advise/legacy/Makefile.am
index 73cd2718c..412185171 100644
--- a/install/share/advise/legacy/Makefile.am
+++ b/install/share/advise/legacy/Makefile.am
@@ -3,7 +3,9 @@ NULL =
 appdir = $(IPA_DATA_DIR)/advise/legacy
 app_DATA = \
 sssd.conf.template \
- pam.conf.template \
+ pam.conf.sssd.template \
+ pam.conf.nss_pam_ldapd.template \
+ pam_conf_sshd.template \
 $(NULL)
 
 EXTRA_DIST = \
diff --git a/install/share/advise/legacy/pam.conf.nss_pam_ldapd.template b/install/share/advise/legacy/pam.conf.nss_pam_ldapd.template
new file mode 100644
index 000000000..9c60c27ef
--- /dev/null
+++ b/install/share/advise/legacy/pam.conf.nss_pam_ldapd.template
@@ -0,0 +1,22 @@
+auth required pam_env.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth sufficient pam_ldap.so use_first_pass
+auth required pam_deny.so
+
+account required pam_unix.so broken_shadow
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account [default=bad success=ok user_unknown=ignore] pam_ldap.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so try_first_pass retry=3 type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_ldap.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_ldap.so
diff --git a/install/share/advise/legacy/pam.conf.sssd.template b/install/share/advise/legacy/pam.conf.sssd.template
new file mode 100644
index 000000000..bdd91821e
--- /dev/null
+++ b/install/share/advise/legacy/pam.conf.sssd.template
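Review bot: The `uid >= 500` and `uid < 500` boundaries on the two `pam_succeed_if.so` lines hard-code 500 as the first directory UID, which is a Red Hat convention; if the config-generic-linux-nss-pam-ldapd plugin named in the commit message also ships this template, a distribution whose UID_MIN is 1000 would route local users in the 500–999 range to pam_ldap.so for both the auth and the account decision. Either make the boundary a template variable or state the assumption in the file, e.g. `# 500 is the first non-system UID on RHEL/Fedora; adjust if the client's UID_MIN differs`. The `account [default=bad success=ok user_unknown=ignore] pam_ldap.so` line also deserves a comment that an unreachable directory yields default=bad, so local users with uid >= 500 are denied until the server is back — presumably intended, but not obvious to whoever pastes this into a client.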
@@ -0,0 +1,22 @@
+auth required pam_env.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth sufficient pam_sss.so use_first_pass
+auth required pam_deny.so
+
+account required pam_unix.so broken_shadow
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so try_first_pass retry=3 type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
diff --git a/install/share/advise/legacy/pam.conf.template b/install/share/advise/legacy/pam.conf.template
deleted file mode 100644
index bdd91821e..000000000
--- a/install/share/advise/legacy/pam.conf.template
+++ /dev/null
@@ -1,22 +0,0 @@
-auth required pam_env.so
-auth sufficient pam_unix.so nullok try_first_pass
-auth requisite pam_succeed_if.so uid >= 500 quiet
-auth sufficient pam_sss.so use_first_pass
-auth required pam_deny.so
-
-account required pam_unix.so broken_shadow
-account sufficient pam_localuser.so
-account sufficient pam_succeed_if.so uid < 500 quiet
-account [default=bad success=ok user_unknown=ignore] pam_sss.so
-account required pam_permit.so
-
-password requisite pam_cracklib.so try_first_pass retry=3 type=
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
-password sufficient pam_sss.so use_authtok
-password required pam_deny.so
-
-session optional pam_keyinit.so revoke
-session required pam_limits.so
-session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session required pam_unix.so
-session optional pam_sss.so
diff --git a/install/share/advise/legacy/pam_conf_sshd.template b/install/share/advise/legacy/pam_conf_sshd.template
new file mode 100644
index 000000000..488f4998b
--- /dev/null
+++ b/install/share/advise/legacy/pam_conf_sshd.template
@@ -0,0 +1,25 @@
+# PAM configuration for the "sshd" service
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth sufficient /usr/local/lib/pam_ldap.so no_warn
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_permit.so
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass
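Review bot: The line `account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user` in pam_conf_sshd.template makes the account phase pass whenever the directory is unreachable, so any account-level restriction the server would apply to a directory user is not enforced in that situation; because the auth phase still has to get through pam_ldap.so or pam_unix.so, the practical effect is that local users keep logging in during an outage, which is presumably the intent. That trade-off is not visible to a reader of the file and should be written down next to the line, e.g. `# ignore_authinfo_unavail keeps local logins working when the directory is down; directory-side account checks are skipped then`. The `# password` section lists only pam_unix.so, so a directory user whose password has expired cannot change it through sshd with this file; a comment pointing to the IPA-side password change path (or a pam_ldap.so entry there) would avoid surprises. The pam.conf.template removal in the same hunk run is a rename to pam.conf.sssd.template and needs no change.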
diff --git a/install/share/advise/legacy/sssd.conf.template b/install/share/advise/legacy/sssd.conf.template
index 28f9c115d..87084870a 100644
--- a/install/share/advise/legacy/sssd.conf.template
+++ b/install/share/advise/legacy/sssd.conf.template
@@ -8,6 +8,6 @@ re_expression = (?P.+)
 cache_credentials = True
 id_provider = ldap
 auth_provider = ldap
-ldap_uri = ldap://$IPA_SERVER_HOSTNAME
-ldap_search_base = cn=compat,$BASE_DN
+ldap_uri = $URI
+ldap_search_base = $BASE
 ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
-- cgit
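Review bot: The new `$URI` and `$BASE` placeholders move the `ldap://` scheme and the `cn=compat,` prefix out of the template and into whatever code substitutes them, which is not part of this patch, so the template no longer shows what shape those two values must take or that they must stay in step with `ldap_tls_cacert` on the following context line. A one-line comment above them would keep the file self-describing, e.g. `# $URI is a complete LDAP URI including the scheme; $BASE is the compat-tree search base`. The hunk starts at line 8, so the `[domain]` header and `re_expression` line it references are outside this view.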