Wire in nss-pam-ldapd

Ticket: #23392

gui/account/migrations/0007_add_nslcd_user.py

@@ -0,0 +1,54 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.10.3 on 2017-02-22 12:00
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+def add_nslcd_user(apps, schema_editor):
+    try:
+        group = apps.get_model("account", "bsdGroups").objects.create(
+            bsdgrp_builtin=True,
+            bsdgrp_gid="389",
+            bsdgrp_group="nslcd"
+        )
+        group.save()
+        user = apps.get_model("account", "bsdUsers").objects.create(
+            bsdusr_builtin=True,
+            bsdusr_full_name="Nslcd Daemon",
+            bsdusr_group=group,
+            bsdusr_home="/var/tmp/nslcd",
+            bsdusr_shell="/usr/sbin/nologin",
+            bsdusr_smbhash="*",
+            bsdusr_unixhash="*",
+            bsdusr_uid="389",
+            bsdusr_username="nslcd"
+        )
+        user.save()
+
+    except Exception as e:
+        print("ERROR: unable to create nslcd user/group: ", e)
+
+def remove_nslcd_user(apps, schema_editor):
+    try:
+        apps.get_model("account", "bsdUsers").objects.get(
+            bsdusr_username="nslcd"
+        ).delete()
+        apps.get_model("account", "bsdGroups").objects.get(
+            bsdgrp_group="nslcd"
+        ).delete()
+
+    except Exception as e:
+        print("ERROR: unable to remove nslcd user/group: ", e)
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('account', '0006_bsdusers_bsdusr_attributes'),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            add_nslcd_user,
+            reverse_code=remove_nslcd_user
+        )
+    ]

src/freenas/etc/directoryservice/LDAP/ctl

@@ -47,6 +47,31 @@ sssd_restart()
 	return $?
 }
 
+nslcd_running()
+{
+	${service} nslcd onestatus >/dev/null 2>&1
+	return $?
+}
+
+nslcd_start()
+{
+	ldapctl_cmd ${service} nslcd onestart
+	return $?
+}
+
+nslcd_stop()
+{
+	ldapctl_cmd ${service} nslcd onestop
+	return $?
+}
+
+nslcd_restart()
+{
+	ldapctl_cmd ${service} nslcd onestop
+	ldapctl_cmd ${service} nslcd onestart
+	return $?
+}
+
 cifs_enabled()
 {
 	srv_enabled cifs && return 0
@@ -128,7 +153,16 @@ ldapctl_start()
 		else
 			sssd_start
 		fi
-
+
+	elif [ "${anonbind}" = "1" ]
+	then
+		ldapctl_cmd ${service} ix-pam quietstart
+		if nslcd_running
+		then
+			nslcd_restart
+		else
+			nslcd_start
+		fi
 	fi
 
 	if ! ldapctl_cmd ${service} ix-ldap status
@@ -164,6 +198,11 @@ ldapctl_stop()
 		sssd_stop
 		ldapctl_cmd ${service} ix-sssd start
 	fi
+	if nslcd_running
+	then
+		nslcd_stop
+		ldapctl_cmd ${service} ix-nslcd start
+	fi
 
 	ldapctl_cmd ${service} ix-ldap forcestop
 	ldapctl_cmd ${service} ix-nsswitch quietstop

src/middlewared/middlewared/etc_files/local/nslcd.conf

@@ -0,0 +1,42 @@
+<%
+        def safe_call(*args):
+            try:
+                val = middleware.call_sync(*args)
+            except:
+                val = False
+            return val
+
+        ldap = safe_call('datastore.query', 'directoryservice.LDAP')
+        if ldap and ldap[0]:
+            ldap = ldap[0]
+            capath = None
+            if ldap['ldap_certificate']:
+                cert = safe_call('certificateauthority.query', [('id', '=', ldap['ldap_certificate']['id'])], {'get': True})
+                if cert:
+                    capath = cert['cert_certificate_path']
+        else:
+            ldap = None
+
+        ldap_enabled = safe_call('notifier.common', 'system', 'ldap_enabled')
+
+        ldap_uri = "%s://%s" % ("ldaps" if ldap['ldap_ssl'] == "on" else "ldap", ldap['ldap_hostname'])
+
+%>
+% if ldap_enabled and ldap:
+uri ${ldap_uri}
+base ${ldap['ldap_basedn']}
+    % if ldap['ldap_ssl'] in ('start_tls', 'on'):
+ssl ${ldap['ldap_ssl']}
+        % if capath:
+tls_cacert ${capath}
+        % endif
+tls_reqcert allow
+    % endif
+scope sub
+timelimit 30
+bind_timelimit 30
+map passwd loginShell /bin/sh
+    % if ldap['ldap_auxiliary_parameters']:
+${ldap['ldap_auxiliary_parameters']}
+    % endif
+% endif

src/middlewared/middlewared/etc_files/local/nss_ldap.conf

@@ -32,7 +32,7 @@ tls_cacert ${capath}
         % endif
 tls_reqcert allow
     % endif
-scobe sub
+scope sub
 timelimit 30
 bind_timelimit 30
 bind_policy soft

src/middlewared/middlewared/etc_files/pam.d/ftp

@@ -3,46 +3,30 @@
 #
 # PAM configuration for the "ftpd" service
 #
+<%namespace name="pam" file="pam.inc" />
 <%
-        def safe_call(*args):
-            try:
-                val = middleware.call_sync(*args)
-            except:
-                val = False
-            return val
-
-        ad_enabled = safe_call('notifier.common', 'system', 'activedirectory_enabled')
-        dc_enabled = safe_call('notifier.common', 'system', 'domaincontroller_enabled')
-        ldap_enabled = safe_call('notifier.common', 'system', 'ldap_enabled')
-        nis_enabled = safe_call('notifier.common', 'system', 'nis_enabled')
+        dsp = pam.getDirectoryServicePam(middleware=middleware, file='ftp')
 %>
-
 # auth
 auth		sufficient	pam_opie.so		no_warn no_fake_prompts
 auth		requisite	pam_opieaccess.so	no_warn allow_local
-% if ad_enabled or dc_enabled:
-auth		sufficient	/usr/local/lib/pam_winbind.so	silent try_first_pass krb5_auth krb5_ccache_type=FILE 
-% endif
-% if ldap_enabled:
-auth		sufficient	/usr/local/lib/pam_sss.so ignore_authinfo_unavail quiet
+% if dsp.enabled() and dsp.name() != 'NIS':
+${dsp.pam_auth()}
 % endif
 #auth		sufficient	pam_krb5.so		no_warn
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
 auth		required	pam_unix.so		no_warn try_first_pass
 
 # account
 account		required	pam_nologin.so
-% if ad_enabled or dc_enabled:
-account		sufficient	/usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE
-% endif
-% if ldap_enabled:
-account		sufficient	/usr/local/lib/pam_sss.so ignore_authinfo_unavail quiet
+% if dsp.enabled() and dsp.name() != 'NIS':
+${dsp.pam_account()}
 % endif
 #account	required	pam_krb5.so
 account		required	pam_unix.so
 
 # session
 session		required	pam_permit.so
-% if ad_enabled or ldap_enabled or nis_enabled or dc_enabled:
-session		required	/usr/local/lib/pam_mkhomedir.so
+% if dsp.enabled():
+${dsp.pam_session()}
 % endif

src/middlewared/middlewared/etc_files/pam.d/ftpd

@@ -3,46 +3,30 @@
 #
 # PAM configuration for the "ftpd" service
 #
+<%namespace name="pam" file="pam.inc" />
 <%
-        def safe_call(*args):
-            try:
-                val = middleware.call_sync(*args)
-            except:
-                val = False
-            return val
-
-        ad_enabled = safe_call('notifier.common', 'system', 'activedirectory_enabled')
-        dc_enabled = safe_call('notifier.common', 'system', 'domaincontroller_enabled')
-        ldap_enabled = safe_call('notifier.common', 'system', 'ldap_enabled')
-        nis_enabled = safe_call('notifier.common', 'system', 'nis_enabled')
+        dsp = pam.getDirectoryServicePam(middleware=middleware, file='ftpd')
 %>
-
 # auth
 auth		sufficient	pam_opie.so		no_warn no_fake_prompts
 auth		requisite	pam_opieaccess.so	no_warn allow_local
-% if ad_enabled or dc_enabled:
-auth		sufficient	/usr/local/lib/pam_winbind.so	silent try_first_pass krb5_auth krb5_ccache_type=FILE
-% endif
-% if ldap_enabled:
-auth		sufficient	/usr/local/lib/pam_sss.so ignore_authinfo_unavail quiet
+% if dsp.enabled() and dsp.name() != 'NIS':
+${dsp.pam_auth()}
 % endif
 #auth		sufficient	pam_krb5.so		no_warn
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
 auth		required	pam_unix.so		no_warn try_first_pass
 
 # account
 account		required	pam_nologin.so
-% if ad_enabled or dc_enabled:
-account		sufficient	/usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE
-% endif
-% if ldap_enabled:
-account		sufficient	/usr/local/lib/pam_sss.so ignore_authinfo_unavail quiet
+% if dsp.enabled() and dsp.name() != 'NIS':
+${dsp.pam_account()}
 % endif
 #account	required	pam_krb5.so
 account		required	pam_unix.so
 
 # session
 session		required	pam_permit.so
-% if ad_enabled or ldap_enabled or nis_enabled or dc_enabled:
-session		required	/usr/local/lib/pam_mkhomedir.so
+% if dsp.enabled():
+${dsp.pam_session()}
 % endif

src/middlewared/middlewared/etc_files/pam.d/login

@@ -3,37 +3,22 @@
 #
 # PAM configuration for the "login" service
 #
+<%namespace name="pam" file="pam.inc" />
 <%
-        def safe_call(*args):
-            try:
-                val = middleware.call_sync(*args)
-            except:
-                val = False
-            return val
-
-        ad_enabled = safe_call('notifier.common', 'system', 'activedirectory_enabled')
-        dc_enabled = safe_call('notifier.common', 'system', 'domaincontroller_enabled')
-        ldap_enabled = safe_call('notifier.common', 'system', 'ldap_enabled')
+        dsp = pam.getDirectoryServicePam(middleware=middleware, file='login')
 %>
-
 # auth
 auth		sufficient	pam_self.so		no_warn
-% if ad_enabled or dc_enabled:
-auth		sufficient	/usr/local/lib/pam_winbind.so silent try_first_pass krb5_auth krb5_ccache_type=FILE
-% endif
-% if ldap_enabled:
-auth		sufficient	/usr/local/lib/pam_sss.so quiet
+% if dsp.enabled() and dsp.name() != 'NIS':
+${dsp.pam_auth()}
 % endif
 auth		include		system
 
 # account
 account		requisite	pam_securetty.so
 account		required	pam_nologin.so
-% if ad_enabled or dc_enabled:
-account		sufficient	/usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE
-% endif
-% if ldap_enabled:
-account		sufficient	/usr/local/lib/pam_sss.so quiet
+% if dsp.enabled() and dsp.name() != 'NIS':
+${dsp.pam_account()}
 % endif
 account		include		system
 

src/middlewared/middlewared/etc_files/pam.d/netatalk

@@ -1,56 +1,37 @@
 #
 # PAM configuration for the "netatalk" service
 #
+<%namespace name="pam" file="pam.inc" />
 <%
-        def safe_call(*args):
-            try:
-                val = middleware.call_sync(*args)
-            except:
-                val = False
-            return val
-
-        ad_enabled = safe_call('notifier.common', 'system', 'activedirectory_enabled')
-        dc_enabled = safe_call('notifier.common', 'system', 'domaincontroller_enabled')
-        ldap_enabled = safe_call('notifier.common', 'system', 'ldap_enabled')
-        nis_enabled = safe_call('notifier.common', 'system', 'nis_enabled')
+    dsp = pam.getDirectoryServicePam(middleware=middleware, file='netatalk')
 %>
-
 # auth
 auth		sufficient	pam_opie.so		no_warn no_fake_prompts
 auth		requisite	pam_opieaccess.so	no_warn allow_local
-% if ad_enabled or dc_enabled:
-auth		sufficient	/usr/local/lib/pam_winbind.so	silent try_first_pass krb5_auth krb5_ccache_type=FILE
-% endif
-% if ldap_enabled:
-auth		sufficient	/usr/local/lib/pam_sss.so quiet
+% if dsp.enabled() and dsp.name() != 'NIS':
+${dsp.pam_auth()}
 % endif
 #auth		sufficient	pam_krb5.so		no_warn
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
 auth		required	pam_unix.so		no_warn try_first_pass
 
 # account
 account		required	pam_nologin.so
-% if ad_enabled or dc_enabled:
-account		sufficient	/usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE
-% endif
-% if ldap_enabled:
-account		sufficient	/usr/local/lib/pam_sss.so quiet
+% if dsp.enabled() and dsp.name() != 'NIS':
+${dsp.pam_account()}
 % endif
 #account	required	pam_krb5.so
 account		required	pam_unix.so
 
 # session
 session		required	pam_permit.so
-% if ad_enabled or ldap_enabled or nis_enabled or dc_enabled:
-session		required	/usr/local/lib/pam_mkhomedir.so
+% if dsp.enabled():
+${dsp.pam_session()}
 % endif
 
 # password
 #password	sufficient	pam_krb5.so		no_warn try_first_pass
-% if ad_enabled or dc_enabled:
-password	sufficient	/usr/local/lib/pam_winbind.so	try_first_pass krb5_auth krb5_ccache_type=FILE
-% endif
-% if ldap_enabled:
-password	sufficient	/usr/local/lib/pam_sss.so use_authtok quiet
+% if dsp.enabled() and dsp.name() != 'NIS':
+${dsp.pam_password()}
 % endif
 password	required	pam_unix.so		no_warn try_first_pass