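alterator-auth-0.25/000075500000000000000000000000001210020337200143605ustar00rootroot00000000000000
alterator-auth-0.25/Makefile000064400000000000000000000001721210020337200160200ustar00rootroot00000000000000
NAME=auth
INSTALL=/usr/bin/install

all:
clean:
install: install-module

include /usr/share/alterator/build/module.mak
alterator-auth-0.25/applications/000075500000000000000000000000001210020337200170465ustar00rootroot00000000000000
alterator-auth-0.25/applications/auth.desktop000064400000000000000000000003711210020337200214030ustar00rootroot00000000000000
[Desktop Entry]
Type=Application
Categories=X-Alterator-Users
Icon=auth
Terminal=false
Name=Authentication
X-Alterator-URI=/auth
X-Alterator-Weight=20
X-Alterator-Help=auth
Name[ru]=Аутентификация
Name[uk]=Аутентифікація
alterator-auth-0.25/backend3/000075500000000000000000000000001210020337200160325ustar00rootroot00000000000000
alterator-auth-0.25/backend3/auth000075500000000000000000000114521210020337200167240ustar00rootroot00000000000000
#!/bin/sh
#
# alterator backend for /auth: reports the current authentication source
# (local files, LDAP, Kerberos), enumerates LDAP base DNs and Zeroconf
# domains for the UI, and applies the chosen configuration through
# /usr/sbin/system-auth.  Runs under message_loop (alterator-sh-functions);
# request fields arrive as in_* variables.

#common part
po_domain="alterator-auth"
alterator_api_version=1
# NOTE(review): ldap_uri_re is defined but not applied anywhere in this
# file; URI validation happens in /usr/sbin/system-auth (check_uri).
ldap_uri_re='^(ldap|ldapi|ldaps)://[.a-zA-Z0-9_-]+$'
rdelim='[[:space:]]\+'
wdelim=' '

#pam configuration
pamldapfile="/etc/pam_ldap.conf"

#nss configuration
nssldapfile=
nssldapfile1="/etc/nss_ldap.conf"
nssldapfile2="/etc/nslcd.conf"
nsswitchfile="/etc/nsswitch.conf"

#select between nss_ldap and nss_ldapd (nslcd.conf wins when both exist)
[ -f "$nssldapfile1" ] && nssldapfile="$nssldapfile1"
[ -f "$nssldapfile2" ] && nssldapfile="$nssldapfile2"

. alterator-sh-functions
. shell-config
. shell-quote

#turn off auto expansion
set -f

# host_2_dn HOST: turn "a.b.c" into "dc=a,dc=b,dc=c".
host_2_dn() {
  local host="$1"
  printf '%s\n' "$host" | sed -e 's/^/dc=/' -e 's/\./,dc=/g'
}

# Enumerate LDAP base DNs for the UI.  With in_ldap_host set, the
# namingContexts of that server are queried anonymously (ldapsearch -x);
# otherwise the locally configured bases from "ldap-dn list" are reported.
local_bases(){
  local ldap_uri base_dn basedn configfile
  if [ -n "$in_ldap_host" ]; then
    if test_bool "$in_ldap_ssl"; then
      ldap_uri="ldaps://"
    else
      ldap_uri="ldap://"
    fi
    # The host comes straight from the web form; it is handed to ldapsearch
    # as one argument and is never re-parsed by the shell.  (A leftover
    # debug line that appended this value to /root/alt_test.txt on every
    # listing has been removed.)
    ldapsearch -x -H "$ldap_uri$in_ldap_host" -LLL -b "" -s base namingContexts |
      grep naming | cut -f2 -d ' ' |
      while read base_dn ; do
        write_enum_item "$base_dn" "$base_dn"
      done 2>/dev/null
  else
    ldap-dn list | while read basedn configfile; do
      write_enum_item "$basedn" "$basedn"
    done
  fi
}

# Enumerate Kerberos domains: "local" plus every domain announced over
# Zeroconf (_server._tcp) whose TXT record says role=master.
# Reports error_browse and exits when avahi-daemon is not running.
list_domain() {
  local __ prefix ip txt role domain status

  # Check if avahi-daemon is running for browse domain
  status=
  # ">/dev/null 2>&1" rather than bash's "&>": under a POSIX /bin/sh "&>"
  # parses as "run in background, then an empty redirection", which always
  # succeeds and would report avahi as running.
  service avahi-daemon status >/dev/null 2>&1 && status="running"
  if [ "$status" != "running" ]; then
    write_error "error_browse"
    exit 1
  fi

  write_enum_item "local" "$(_ "local")"

  # Lookup available domains in Zeroconf
  # avahi-browse -p emits ';'-separated fields; only records whose first
  # field is "=" are considered, and only those with role=master in TXT.
  avahi-browse -prtk _server._tcp 2>/dev/null |
    while IFS=';' read prefix __ __ __ __ __ __ ip __ txt; do
      [ "$prefix" = "=" ] || continue
      role="$(txt_record role "$txt")"
      [ "$role" = "master" ] || continue
      domain="$(txt_record domain "$txt")"
      write_enum_item "$domain" "$domain ($ip)"
    done
  # write_enum_item "custom" "$(_ "custom")"
}

# txt_record KEY TXT: print the value of "KEY=value" from an avahi TXT
# string (entries are double-quoted and space separated).  KEY is escaped
# for sed by quote_sed_regexp from shell-quote.
txt_record() {
  printf '%s\n' "$2" | sed -n "s/\(^\|.*[[:space:]]\)\"$(quote_sed_regexp "$1")=\([^\"]*\)\".*/\2/p"
}

# dn_2_host DN: turn "dc=a,dc=b" into "a.b" (leading "dc=" matched
# case-insensitively via GNU sed's "i" flag).
dn_2_host() {
  local dn="$1"
  printf '%s\n' "$dn" | sed -e 's/^dc=//i' -e 's/,dc=/\./g'
}

# Print the current Kerberos domain, derived from the base DN that
# "system-auth status" reports for krb5* profiles, or a translated
# "not used" message for every other profile.
read_current() {
  local data status dn
  data="$(/usr/sbin/system-auth status)"
  status="$(printf '%s\n' "$data" | cut -f1 -d' ')"
  case "$status" in
    krb5*)
      dn="$(printf '%s\n' "$data" | cut -f2 -d' ')"
      dn_2_host "$dn"
      return
      ;;
  esac
  echo "$(_ "Kerberos domain do not used")"
}

# read_ldap FILE KEY: value of KEY in an LDAP client config file.
read_ldap() {
  shell_config_get "$1" "$2" "$rdelim"
}

# read_ldap2 KEY: like read_ldap, reading pam_ldap.conf when it exists and
# the nss ldap config otherwise (pam_ldap.conf takes precedence).
read_ldap2() {
  local f=
  [ -f "$nssldapfile" ] && f="$nssldapfile"
  [ -f "$pamldapfile" ] && f="$pamldapfile"
  [ -n "$f" ] && read_ldap "$f" "$1"
}

# Report the configured LDAP server to the UI: host (port stripped),
# whether the scheme is ldaps, and the base DN.
get_ldap() {
  local ldap_uri ldap_proto ldap_host ldap_port
  ldap_uri="$(read_ldap2 uri)"
  ldap_proto="${ldap_uri%%://*}"
  ldap_host="${ldap_uri#$ldap_proto://}"
  ldap_port="${ldap_host##*:}"
  ldap_host="${ldap_host%%:*}"
  # without a ":port" suffix both expansions yield the same string
  [ "$ldap_port" != "$ldap_host" ] || ldap_port=

  write_string_param ldap_host "$ldap_host"
  #write_string_param ldap_port "$ldap_port"

  # the test's exit status (non-zero only for ldaps) is passed as the flag
  [ "$ldap_proto" != "ldaps" ]
  write_bool_param ldap_ssl "$?"

  write_string_param ldap_basedn "$(read_ldap2 base)"
}

# Request dispatcher for message_loop; in_action selects the operation and
# the remaining in_* variables carry the request fields.
on_message() {
  local auth_type ldap_uri
  case "$in_action" in
    type)
      write_type_item domain_name hostname
      write_type_item domain hostname
      ;;
    list)
      # Dispatch on the requested object.  The previous
      # "[ ... = avail_domain ] && list_domain || return" form returned
      # before the local_bases check for every other object, so
      # /auth/local_bases could never be listed.
      case "$in__objects" in
        avail_domain) list_domain ;;
        local_bases) local_bases ;;
      esac
      ;;
    read)
      auth_type="$(/usr/sbin/system-auth status | cut -f1 -d ' ')"
      write_string_param "auth_type" "$auth_type"
      get_ldap
      write_string_param current_domain "$(read_current)"
      # ccreds is on only for the krb5_ccreds profile
      if [ "$auth_type" = "krb5_ccreds" ]; then
        write_bool_param "ccreds" true
      else
        write_bool_param "ccreds" false
      fi
      ;;
    write)
      #echo "$(set|grep -a "in_")" >&2
      case "$in_auth_type" in
        local)
          /usr/sbin/system-auth write local
          ;;
        ldap)
          # Decode the flag the same way local_bases does (test_bool) rather
          # than comparing against the literal "on": index.scm sends "on",
          # ajax.scm sends the raw checkbox value.
          if test_bool "$in_ldap_ssl"; then
            ldap_uri="ldaps://"
          else
            ldap_uri="ldap://"
          fi
          /usr/sbin/system-auth write ldap "$in_ldap_basedn" "$ldap_uri$in_ldap_host"
          ;;
        krb5)
          if [ "$in_domain" = "local" ]; then
            /usr/sbin/system-auth write local
          else
            [ -n "$in_domain" ] || fatal "$(_ "Domain not set")"
            if [ "$in_ccreds" = "#t" ]; then
              auth_type=krb5_ccreds
            else
              auth_type=krb5
            fi
            # The domain's directory is addressed as ldaps://ldap.<domain>
            # with a base DN derived from the domain name.  A failed write
            # is reported as such, not as a missing domain.
            /usr/sbin/system-auth write "$auth_type" "$(host_2_dn "$in_domain")" "ldaps://ldap.$in_domain" ||
              fatal "$(_ "Unable to configure Kerberos domain")"
          fi
          ;;
        multi)
          ;;
        pkcs11)
          ;;
        *)
          ;;
      esac
      ;;
  esac
}

message_loop
alterator-auth-0.25/hooks/000075500000000000000000000000001210020337200155035ustar00rootroot00000000000000
alterator-auth-0.25/hooks/auth000064400000000000000000000011401210020337200163650ustar00rootroot00000000000000
#!/bin/sh -f
#
# alterator hook, invoked as "auth OLDDOMAIN NEWDOMAIN".  On a host with
# SERVER_ROLE set it re-points the ldap auth profile at the local directory
# (ldap://127.0.0.1) with a base DN derived from the new domain; on any
# other host it does nothing.

# "-f" in the shebang is lost when the hook is run as "sh auth ..."; set it
# explicitly so no expansion below is subject to globbing.
set -f

# if we are not server
[ -f /etc/sysconfig/system ] || exit 0
. /etc/sysconfig/system
[ -n "$SERVER_ROLE" ] || exit 0

authtool="/usr/sbin/system-auth"

. shell-quote
. shell-error

olddomain="$1" ; shift
newdomain="$1" ; shift

# host_2_dn HOST: turn "a.b.c" into "dc=a,dc=b,dc=c".
host_2_dn() {
  local host="$1"
  printf '%s\n' "$host" | sed -e 's/^/dc=/' -e 's/\./,dc=/g'
}

# rename OLD NEW: reconfigure the ldap profile for NEW.  Everything up to
# and including the first "." of NEW is dropped first (presumably NEW is a
# fully qualified host name and the leading label is the host — verify
# against the caller); OLD is unused.
rename() {
  local new="${2#*.}"
  local uri basedn
  [ -z "$new" ] && fatal "new domain must be set"
  uri="ldap://127.0.0.1"
  basedn="$(host_2_dn "$new")"
  "$authtool" write ldap "$basedn" "$uri"
}

rename "$olddomain" "$newdomain"
alterator-auth-0.25/sbin/000075500000000000000000000000001210020337200153135ustar00rootroot00000000000000
alterator-auth-0.25/sbin/system-auth000075500000000000000000000116431210020337200175300ustar00rootroot00000000000000
#!/bin/sh
#
# system-auth: switch the system authentication profile (control(8)
# "system-auth") between local files, LDAP and Kerberos, and keep the LDAP
# client configs (pam_ldap.conf, nss_ldap.conf/nslcd.conf, openldap's
# ldap.conf) and nsswitch.conf in step.  See the usage case at the bottom.

rdelim='[[:space:]]\+'
wdelim=' '

#pam configuration
pamldapfile="/etc/pam_ldap.conf"

#nss configuration
nssldapfile=
nssldapfile1="/etc/nss_ldap.conf"
nssldapfile2="/etc/nslcd.conf"
nsswitchfile="/etc/nsswitch.conf"

#openldap conf
ldap_conf="/etc/openldap/ldap.conf"

# krb conf
krb5_conf="/etc/krb5.conf"

#select between nss_ldap and nss-ldapd (nslcd.conf wins when both exist)
[ -f "$nssldapfile1" ] && nssldapfile="$nssldapfile1"
[ -f "$nssldapfile2" ] && nssldapfile="$nssldapfile2"

. shell-config
. shell-quote
. shell-error

#turn off auto expansion
set -f

# getting current auth
# Prints one line: "local", "unknown status", or "<profile> <basedn> <uri>"
# for the ldap/krb5* profiles (the tail comes from pam_ldap_info and is
# omitted when the stored values fail validation).
get_status() {
  local status
  status="$(/usr/sbin/control system-auth)"
  case "$status" in
    local) echo "local" ;;
    ldap) printf 'ldap ' && pam_ldap_info ;;
    krb5*) printf '%s ' "$status" && pam_ldap_info ;;
    *) echo "unknown status" ;;
  esac
}

# Print the profiles this host can use, one per line, based on which PAM,
# NSS and Kerberos libraries are installed under /$(getconf SLIB).
list() {
  local slib have_pam_ldap have_nss_ldap have_krb5
  slib="/$(getconf SLIB)"
  # always local
  echo "local"
  # the three find calls are shared by the ldap and krb5 checks below
  have_pam_ldap="$(find "$slib/security" -maxdepth 1 -name 'pam_ldap.*')"
  have_nss_ldap="$(find "$slib" -maxdepth 1 -name 'libnss_ldap.so.*')"
  have_krb5="$(find "$slib" -maxdepth 1 -name 'libkrb5.so.*')"
  # checking pam_ldap and libnss_ldap libs
  [ -n "$have_pam_ldap" ] && [ -n "$have_nss_ldap" ] && echo "ldap"
  # checking ldap and krb5 libs
  [ -n "$have_pam_ldap" ] && [ -n "$have_nss_ldap" ] && [ -n "$have_krb5" ] && echo "krb5"
}

# Print "<basedn> <uri>" from pam_ldap.conf (if present) or the nss ldap
# config; prints nothing and returns non-zero when either value is missing
# or malformed.
pam_ldap_info() {
  local uri basedn
  if [ -f "$pamldapfile" ]; then
    uri="$(read_pam_ldap uri)"
    basedn="$(read_pam_ldap base)"
  else
    uri="$(read_nss_ldap uri)"
    basedn="$(read_nss_ldap base)"
  fi
  check_uri "$uri" && check_basedn "$basedn" && echo "$basedn $uri"
}

# check_uri URI: accept "ldap://", "ldaps://" or "ldapi://" followed by a
# non-empty authority and an optional trailing "/".  Prints the reason via
# message (shell-error) and returns 1 otherwise.
check_uri() {
  local uri="$1"
  if [ -z "$uri" ]; then
    message "$0 (check_uri) uri not set"
    return 1
  fi
  # Whitespace, including a newline, must never reach the config files: the
  # value is written as a single "uri <value>" line, and the grep below only
  # looks at the first line of a multi-line value.
  case "$uri" in
    *[[:space:]]*)
      message "$0 (check_uri) invalid uri format"
      return 1
      ;;
  esac
  # "[si]?" replaces the earlier "[s|i]?", which also accepted a literal "|"
  if ! printf '%s\n' "$uri" | grep -Eq '^ldap[si]?://[^/]+/?$'; then
    message "$0 (check_uri) invalid uri format"
    return 1
  fi
  :
}

# check_basedn DN: accept "dc=x" or "dc=x,dc=y,..." (no whitespace).
# Prints the reason via message and returns 1 otherwise.
check_basedn() {
  local basedn="$1"
  if [ -z "$basedn" ]; then
    message "$0 (check_basedn) basedn not set"
    return 1
  fi
  # same reasoning as in check_uri: the value becomes one config line
  case "$basedn" in
    *[[:space:]]*)
      message "$0 (check_basedn) invalid basedn format"
      return 1
      ;;
  esac
  if ! printf '%s\n' "$basedn" | grep -Eq '^dc=[^,]+(,dc=[^,]+)*$'; then
    message "$0 (check_basedn) invalid basedn format"
    return 1
  fi
  :
}

read_pam_ldap() {
  read_config "$pamldapfile" "$1"
}

read_nss_ldap() {
  read_config "$nssldapfile" "$1"
}

# read_config FILE KEY: value of KEY in a whitespace-delimited config file.
read_config() {
  shell_config_get "$1" "$2" "$rdelim"
}

# write_profile PROFILE: activate the PAM profile via control(8) and, only
# on success, point passwd/shadow/group in nsswitch.conf at the matching
# sources.
write_profile() {
  /usr/sbin/control system-auth "$1" &&
  case "$1" in
    local)
      write_nsswitch "passwd" "files"
      write_nsswitch "shadow" "tcb files"
      write_nsswitch "group" "files"
      ;;
    ldap|krb5*)
      write_nsswitch "passwd" "files ldap"
      write_nsswitch "shadow" "tcb files ldap"
      write_nsswitch "group" "files ldap"
      ;;
  esac
}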
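# write_nsswitch DB SOURCES: set the "DB: SOURCES" line in nsswitch.conf.
write_nsswitch() {
  write_config "$nsswitchfile" "$1:" "$2"
}

# write_2_ldap KEY VALUE: push one setting into every LDAP client config:
# pam_ldap.conf (if present), the nss ldap config and openldap's ldap.conf.
write_2_ldap() {
  write_pam_ldap "$1" "$2"
  write_nss_ldap "$1" "$2"
  write_ldap_conf "$1" "$2"
}

write_pam_ldap() {
  [ -f "$pamldapfile" ] && write_config "$pamldapfile" "$1" "$2"
}

write_nss_ldap() {
  write_config "$nssldapfile" "$1" "$2"
}

# write_ldap_conf KEY VALUE: replace KEY in /etc/openldap/ldap.conf.
write_ldap_conf() {
  # ugly, but effective: delete every line that starts with KEY (ldap.conf
  # keys are case-insensitive, hence GNU sed's "I" flag), then append the
  # new line.  The pattern is anchored to the start of the line so an
  # unrelated option that merely contains KEY as a substring is left alone.
  # KEY is only ever "base" or "uri" from this script.
  sed -r -i -e "/^[[:space:]]*$1([[:space:]]|\$)/Id" "$ldap_conf"
  printf '%s %s\n' "$1" "$2" >> "$ldap_conf"
}

# write_config FILE KEY VALUE: set KEY in a whitespace-delimited config file.
write_config() {
  shell_config_set "$1" "$2" "$3" "$rdelim" "$wdelim"
}

# dn_2_host DN: turn "dc=a,dc=b" into "a.b" (leading "dc=" matched
# case-insensitively via GNU sed's "i" flag).
dn_2_host() {
  local dn="$1"
  printf '%s\n' "$dn" | sed -e 's/^dc=//i' -e 's/,dc=/\./g'
}

# Drop the "host" key from both client configs; the server is addressed by
# the "uri" key instead.
remove_host_from_confs() {
  del_from_conf_var "$pamldapfile" "host" &&
  del_from_conf_var "$nssldapfile" "host"
}

del_from_conf_var() {
  shell_config_del "$1" "$2" "$rdelim"
}

#initial settings
init() {
  # removing host parameter from pam_ldap_conf
  remove_host_from_confs
  if [ -f "$nssldapfile1" ]; then
    write_config "$nssldapfile1" bind_policy soft
    write_config "$nssldapfile1" bind_timelimit 30
  fi
}

# Command line:
#   system-auth status                       current profile (see get_status)
#   system-auth list                         profiles available on this host
#   system-auth write local                  switch to local files
#   system-auth write ldap|krb5* BASEDN URI  switch to ldap/krb5 on that server
action="$1" ; shift
object=
if [ $# -ge 1 ]; then
  object="$1" ; shift
fi

case "$action" in
  status)
    get_status
    ;;
  list)
    list
    ;;
  write)
    case "$object" in
      local)
        # if service nslcd from nss-ldapd is running, stop it
        if [ -f /etc/init.d/nslcd ]; then
          chkconfig nslcd off
          service nslcd stop >/dev/null
        fi
        write_profile "$object"
        ;;
      ldap|krb5*)
        # both values are validated before anything is written; the checks
        # print the reason to stderr and the script exits 1
        if check_basedn "$1" && check_uri "$2"; then
          init
          write_profile "$object"
          write_2_ldap base "$1"
          write_2_ldap uri "$2"
          # if nss-ldapd is used, restart daemon
          if [ -f /etc/init.d/nslcd ]; then
            chkconfig nslcd on
            service nslcd status | grep -q 'running$' && service nslcd stop >/dev/null
            service nslcd start >/dev/null
          fi
        else
          exit 1
        fi
        ;;
      *)
        fatal "unknown auth type $object"
        ;;
    esac
    ;;
  *)
    echo "$0 action [object]" >&2
    ;;
esac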
alterator-auth-0.25/ui/000075500000000000000000000000001210020337200147755ustar00rootroot00000000000000
alterator-auth-0.25/ui/auth/000075500000000000000000000000001210020337200157365ustar00rootroot00000000000000
alterator-auth-0.25/ui/auth/ajax.scm000064400000000000000000000051601210020337200173670ustar00rootroot00000000000000
(define-module (ui auth ajax)
  :use-module (alterator woo)
  :use-module (alterator ajax)
  :use-module (alterator str)
  :use-module (alterator effect)
  :export (init))

;; Names of the per-method form areas; select_area shows exactly one.
(define all-areas
  '("local_area" "ldap_area" "krb5_area" "multi_area" "pkcs11_area"))

;; Reload the form from the /auth backend: current values plus the
;; Kerberos domain list.
(define (ui-init)
  (let ((data (woo-read-first "/auth")))
    (form-update-value-list
      '("current_domain" "auth_type" "ldap_host" "ldap_ssl" "ldap_basedn")
      data)
    (form-update-enum "domain" (woo-list "/auth/avail_domain"))))

;; Hide every method-specific area.
(define (hide_areas)
  (form-update-visibility all-areas #f))

;; Hide all areas, then show only the named one.
(define (show-only area)
  (hide_areas)
  (form-update-visibility (list area) #t))

(define (local_selected) (show-only "local_area"))
(define (krb5_selected) (show-only "krb5_area"))
(define (multi_selected) (show-only "multi_area"))
(define (pkcs11_selected) (show-only "pkcs11_area"))

;; Ask the backend for the base DNs offered by the host/SSL flag currently
;; in the form, then (re)attach the chooser's change handler.
(define (refresh-local-bases)
  (form-update-enum "local_bases"
    (woo-list "/auth/local_bases"
      'ldap_host (form-value "ldap_host")
      'ldap_ssl (form-value "ldap_ssl")))
  (form-bind "local_bases" "change" set_basedn))

;; The host field changed: clear the base DN, fetch fresh candidates and
;; expose the chooser.
(define (ldap_changed)
  (form-update-value "ldap_basedn" "")
  (refresh-local-bases)
  (show_bases))

;; LDAP method chosen: show its area, reset the krb5 domain to "local",
;; refresh the base DN candidates and preselect the configured one.
(define (ldap_selected)
  (show-only "ldap_area")
  (form-update-value "domain" "local")
  (refresh-local-bases)
  (form-update-value "local_bases" (form-value "ldap_basedn")))

(define (show_bases)
  (form-update-visibility '("local_bases") #t))

;; Copy the chosen base DN into the edit field and hide the chooser again.
(define (set_basedn)
  (form-update-value "ldap_basedn" (form-value "local_bases"))
  (form-update-visibility '("local_bases") #f))

;; Show the area matching the first comma-separated token of auth_type
;; (case-insensitive); anything unrecognised, including a missing value,
;; selects the local area.
;; NOTE(review): a backend value such as "krb5_ccreds" matches none of the
;; names below and therefore lands on the local area — verify intent.
(define (select_area)
  (let* ((raw (or (form-value "auth_type") "local"))
         (type (car (string-cut-repeated raw #\,)))
         (same? (lambda (name) (string-ci=? type name))))
    (cond ((same? "ldap") (ldap_selected))
          ((same? "krb5") (krb5_selected))
          ((same? "multi") (multi_selected))
          ((same? "pkcs11") (pkcs11_selected))
          (else (local_selected)))))

;; Submit the whole form to the backend (errors are shown by
;; catch/message) and reload the displayed values.
(define (save_settings)
  (catch/message
    (lambda () (apply woo-write "/auth" (form-value-list))))
  (ui-init))

;; Page entry point: load values, pick the visible area and wire handlers.
(define (init)
  (ui-init)
  (select_area)
  (form-bind "auth_type" "change" select_area)
  (form-bind "local_bases" "change" set_basedn)
  (form-bind "ldap_host" "change" ldap_changed)
  (form-bind "show_bdn" "click" show_bases)
  (form-bind "app_btn" "click" save_settings))
alterator-auth-0.25/ui/auth/index.html000064400000000000000000000064241210020337200177400ustar00rootroot00000000000000
Available authentication methods
Local files
LDAP base
Kerberos domain
Multi
Pkcs11
 
LDAP server: TLS/SSL
Base DN:
Current domain:
 
Domain list:
 
 
multi 
pkcs11 
Attention: Domain change needs reboot for normal operation
 

alterator-auth-0.25/ui/auth/index.scm000064400000000000000000000042451210020337200175560ustar00rootroot00000000000000
(document:surround "/std/frame")

;;; Functions

;; Show the free-form "domain_name" edit only while the domain combobox
;; holds "custom".  (The backend's list_domain currently has its "custom"
;; write_enum_item commented out, so this stays hidden unless that changes.)
(define (update-domain)
  (let ((domain (form-value "domain")))
    (form-update-visibility '("domain_name") (string=? domain "custom"))))

;; Write the form back to /auth.  This page always submits auth_type "krb5"
;; and ldap_ssl "on" ahead of the form values, then re-reads current_domain.
;; Backend errors are reported by catch/message.
(define (ui-commit)
  (catch/message
    (lambda()
      (apply woo-write "/auth" "ldap_ssl" "on" "auth_type" "krb5" (form-value-list))
      (form-update-value-list '("current_domain") (woo-read-first "/auth")))))

;; Populate the form from the backend.  The domain list comes from
;; /auth/avail_domain; if that listing fails (e.g. the backend's
;; error_browse when avahi-daemon is down) the warning label is shown
;; instead and the rest of the page still loads.
(define (ui-init)
  (let ((data (woo-read-first "/auth")))
    (form-update-value-list '("current_domain" "ccreds") data)
    ;;; Check avahi available for domain lookup
    (woo-catch
      (lambda() (form-update-enum "domain" (woo-list "/auth/avail_domain")))
      (lambda(reason) (avahi-warning visibility #t)))
    (form-update-value "domain" (woo-get-option data 'current_domain))
    (update-domain)))

;;; UI

(gridbox columns "0;100" margin 50
  (label text (_ "Current domain:") align "right")
  (label name "current_domain")

  (label colspan 2)

  (document:id domain-list-label (label text (_ "Domain list:") align "right"))
  (document:id domain-list (combobox name "domain"))

  ;;; Warning if avahi-daemon is out of gear
  ;; hidden by default; ui-init makes it visible when the domain listing fails
  (document:id avahi-warning
    (label colspan 2
      text (string-append (bold (_ "Warning: ")) (_ "Search for domains is impossible because avahi-daemon is not started"))
      visibility #f))

  ;; free-form domain entry; its visibility is driven by update-domain
  (edit name "domain_name" visibility #t)

  (checkbox colspan 2 text(_"Use cached credentials for out of domain login") name "ccreds")

  (spacer)
  (label colspan 2)

  (document:id change-attention
    (label colspan 2 text (string-append (bold (_ "Attention: ")) (_ "Domain change needs reboot for normal operation"))))

  (label colspan 2)

  ;; Inside a wizard (frame:next defined) the frame's own buttons commit via
  ;; the on-back/on-next hooks below; standalone, an Apply button is shown.
  (if (global 'frame:next)
    (label)
    (hbox align "left"
      (document:id apply-button (button name "apply" text (_ "Apply") (when clicked (ui-commit)))))))

;;; Logic

(document:root (when loaded (ui-init) (form-bind "domain" "change" update-domain)))
;; wizard navigation: when ui-commit yields #f the step answers 'cancel
(frame:on-back (thunk (or (ui-commit) 'cancel)))
(frame:on-next (thunk (or (ui-commit) 'cancel)))