Ticket: #23392
John Hixson
committed
May 30, 2018
1 parent
5ecb492
commit 51b4222
Showing
14 changed files
with
425 additions
and
190 deletions.
@@ -0,0 +1,54 @@ | ||
# -*- coding: utf-8 -*- | ||
# Generated by Django 1.10.3 on 2017-02-22 12:00 | ||
from __future__ import unicode_literals | ||
|
||
from django.db import migrations, models | ||
|
||
def add_nslcd_user(apps, schema_editor): | ||
try: | ||
group = apps.get_model("account", "bsdGroups").objects.create( | ||
bsdgrp_builtin=True, | ||
bsdgrp_gid="389", | ||
bsdgrp_group="nslcd" | ||
) | ||
group.save() | ||
user = apps.get_model("account", "bsdUsers").objects.create( | ||
bsdusr_builtin=True, | ||
bsdusr_full_name="Nslcd Daemon", | ||
bsdusr_group=group, | ||
bsdusr_home="/var/tmp/nslcd", | ||
bsdusr_shell="/usr/sbin/nologin", | ||
bsdusr_smbhash="*", | ||
bsdusr_unixhash="*", | ||
bsdusr_uid="389", | ||
bsdusr_username="nslcd" | ||
) | ||
user.save() | ||
|
||
except Exception as e: | ||
print("ERROR: unable to create nslcd user/group: ", e) | ||
|
||
def remove_nslcd_user(apps, schema_editor): | ||
try: | ||
apps.get_model("account", "bsdUsers").objects.get( | ||
bsdusr_username="nslcd" | ||
).delete() | ||
apps.get_model("account", "bsdGroups").objects.get( | ||
bsdgrp_group="nslcd" | ||
).delete() | ||
|
||
except Exception as e: | ||
print("ERROR: unable to remove nslcd user/group: ", e) | ||
|
||
class Migration(migrations.Migration): | ||
|
||
dependencies = [ | ||
('account', '0006_bsdusers_bsdusr_attributes'), | ||
] | ||
|
||
operations = [ | ||
migrations.RunPython( | ||
add_nslcd_user, | ||
reverse_code=remove_nslcd_user | ||
) | ||
] |
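Review bot: `except Exception as e: print(...)` in `add_nslcd_user` turns a failed creation of the nslcd user/group (for example uid/gid 389 already taken) into a successfully applied migration, so the database records the migration as done while the account does not exist and nothing in the migration state points back to the cause; after the print, `raise` so the migration fails and can be re-run once the conflict is resolved. The same pattern in `remove_nslcd_user` is more defensible, since a missing row on reverse is benign, but it should then be narrowed to the model's `DoesNotExist` rather than `Exception`. `objects.create()` already persists the row, so the `group.save()` and `user.save()` calls are redundant second writes and can be dropped.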
@@ -0,0 +1,42 @@ | ||
<% | ||
def safe_call(*args): | ||
try: | ||
val = middleware.call_sync(*args) | ||
except: | ||
val = False | ||
return val | ||
|
||
ldap = safe_call('datastore.query', 'directoryservice.LDAP') | ||
if ldap and ldap[0]: | ||
ldap = ldap[0] | ||
capath = None | ||
if ldap['ldap_certificate']: | ||
cert = safe_call('certificateauthority.query', [('id', '=', ldap['ldap_certificate']['id'])], {'get': True}) | ||
if cert: | ||
capath = cert['cert_certificate_path'] | ||
else: | ||
ldap = None | ||
|
||
ldap_enabled = safe_call('notifier.common', 'system', 'ldap_enabled') | ||
|
||
ldap_uri = "%s://%s" % ("ldaps" if ldap['ldap_ssl'] == "on" else "ldap", ldap['ldap_hostname']) | ||
|
||
%> | ||
% if ldap_enabled and ldap: | ||
uri ${ldap_uri} | ||
base ${ldap['ldap_basedn']} | ||
% if ldap['ldap_ssl'] in ('start_tls', 'on'): | ||
ssl ${ldap['ldap_ssl']} | ||
% if capath: | ||
tls_cacert ${capath} | ||
% endif | ||
tls_reqcert allow | ||
% endif | ||
scope sub | ||
timelimit 30 | ||
bind_timelimit 30 | ||
map passwd loginShell /bin/sh | ||
% if ldap['ldap_auxiliary_parameters']: | ||
${ldap['ldap_auxiliary_parameters']} | ||
% endif | ||
% endif |
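Review bot: `ldap_uri` is built unconditionally on the line after `ldap_enabled`, so when no LDAP row exists `ldap` is `None` (set in the `else` branch above) and `ldap['ldap_ssl']` raises `TypeError` before the `% if ldap_enabled and ldap:` guard is ever reached, which breaks rendering of this file on systems without LDAP configured. Separately, `tls_reqcert allow` tells nslcd to accept any server certificate even when `tls_cacert` is set, so LDAPS/StartTLS gives transport encryption without server authentication and the configured CA is never enforced; emitting `tls_reqcert demand` when `capath` is set and keeping `allow` only as the no-CA fallback makes the CA selection meaningful. The bare `except:` in `safe_call` also swallows `KeyboardInterrupt`/`SystemExit`; `except Exception:` is the usual narrowing. The rewritten portion is below; the rest of the hunk is unchanged.
```mako
<%
## … unchanged: safe_call, ldap/capath lookup …
ldap_enabled = safe_call('notifier.common', 'system', 'ldap_enabled')

ldap_uri = None
if ldap:
    ldap_uri = "%s://%s" % ("ldaps" if ldap['ldap_ssl'] == "on" else "ldap", ldap['ldap_hostname'])
%>
% if ldap_enabled and ldap:
## … unchanged: uri/base lines …
% if ldap['ldap_ssl'] in ('start_tls', 'on'):
ssl ${ldap['ldap_ssl']}
% if capath:
tls_cacert ${capath}
tls_reqcert demand
% else:
tls_reqcert allow
% endif
% endif
## … unchanged: scope, timelimit, bind_timelimit, map, auxiliary parameters …
```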
@@ -1,56 +1,37 @@ | ||
# | ||
# PAM configuration for the "netatalk" service | ||
# | ||
<%namespace name="pam" file="pam.inc" /> | ||
<% | ||
def safe_call(*args): | ||
try: | ||
val = middleware.call_sync(*args) | ||
except: | ||
val = False | ||
return val | ||
|
||
ad_enabled = safe_call('notifier.common', 'system', 'activedirectory_enabled') | ||
dc_enabled = safe_call('notifier.common', 'system', 'domaincontroller_enabled') | ||
ldap_enabled = safe_call('notifier.common', 'system', 'ldap_enabled') | ||
nis_enabled = safe_call('notifier.common', 'system', 'nis_enabled') | ||
dsp = pam.getDirectoryServicePam(middleware=middleware, file='netatalk') | ||
%> | ||
|
||
# auth | ||
auth sufficient pam_opie.so no_warn no_fake_prompts | ||
auth requisite pam_opieaccess.so no_warn allow_local | ||
% if ad_enabled or dc_enabled: | ||
auth sufficient /usr/local/lib/pam_winbind.so silent try_first_pass krb5_auth krb5_ccache_type=FILE | ||
% endif | ||
% if ldap_enabled: | ||
auth sufficient /usr/local/lib/pam_sss.so quiet | ||
% if dsp.enabled() and dsp.name() != 'NIS': | ||
${dsp.pam_auth()} | ||
% endif | ||
#auth sufficient pam_krb5.so no_warn | ||
#auth sufficient pam_ssh.so no_warn try_first_pass | ||
auth required pam_unix.so no_warn try_first_pass | ||
|
||
# account | ||
account required pam_nologin.so | ||
% if ad_enabled or dc_enabled: | ||
account sufficient /usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE | ||
% endif | ||
% if ldap_enabled: | ||
account sufficient /usr/local/lib/pam_sss.so quiet | ||
% if dsp.enabled() and dsp.name() != 'NIS': | ||
${dsp.pam_account()} | ||
% endif | ||
#account required pam_krb5.so | ||
account required pam_unix.so | ||
|
||
# session | ||
session required pam_permit.so | ||
% if ad_enabled or ldap_enabled or nis_enabled or dc_enabled: | ||
session required /usr/local/lib/pam_mkhomedir.so | ||
% if dsp.enabled(): | ||
${dsp.pam_session()} | ||
% endif | ||
|
||
# password | ||
#password sufficient pam_krb5.so no_warn try_first_pass | ||
% if ad_enabled or dc_enabled: | ||
password sufficient /usr/local/lib/pam_winbind.so try_first_pass krb5_auth krb5_ccache_type=FILE | ||
% endif | ||
% if ldap_enabled: | ||
password sufficient /usr/local/lib/pam_sss.so use_authtok quiet | ||
% if dsp.enabled() and dsp.name() != 'NIS': | ||
${dsp.pam_password()} | ||
% endif | ||
password required pam_unix.so no_warn try_first_pass |
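Review bot: The `% if dsp.enabled() and dsp.name() != 'NIS':` guard used around `${dsp.pam_auth()}`, `${dsp.pam_account()}` and `${dsp.pam_password()}` is not mirrored in the session stanza, where `${dsp.pam_session()}` is emitted under `% if dsp.enabled():` alone; if that asymmetry is intentional (NIS contributing a session module but no auth/account/password entry) a one-line comment on that guard, e.g. `## NIS: session-only; auth/account/password fall through to pam_unix`, would keep the next reader from "fixing" it. The rendered page does not mark which lines are old or new, but the 10 additions in the hunk header match exactly the `dsp = pam.getDirectoryServicePam(...)` assignment and the nine `dsp.*` lines, so this note assumes those are the new side and the `safe_call`/`*_enabled`/`pam_winbind`/`pam_sss` lines are the removed history. On that reading the enabling decision now lives entirely in `pam.inc`, so a pointer there from the header comment at the top of this file would help anyone auditing which PAM modules a given directory service turns on.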