diff options
-rw-r--r-- | dirsrv/ldif/sudoers-389.ldif | 35 | ||||
-rw-r--r-- | dirsrv/misc/sudoers2ldif.pl | 153 | ||||
-rw-r--r-- | generic/nsswitch.conf | 32 | ||||
-rw-r--r-- | sssd/client_sssd.generated.conf | 72 | ||||
-rw-r--r-- | sssd/sssd.conf | 58 |
5 files changed, 350 insertions, 0 deletions
diff --git a/dirsrv/ldif/sudoers-389.ldif b/dirsrv/ldif/sudoers-389.ldif new file mode 100644 index 0000000..f1bd855 --- /dev/null +++ b/dirsrv/ldif/sudoers-389.ldif @@ -0,0 +1,35 @@ +dn: cn=defaults,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: always_set_home +sudoOption: secure_path="/usr/sbin:/usr/bin:/sbin:/bin" +sudoOption: env_reset +sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" +sudoOption: insults +sudoOption: mail_badpass +sudoOption: log_output +sudoOption: timestamp_timeout=15 +sudoOrder: 1 + +dn: cn=root,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoHost: ALL +sudoRunAsUser: ALL +sudoCommand: ALL +sudoOrder: 2 + +dn: cn=%wheel,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoHost: ALL +sudoRunAsUser: ALL +sudoCommand: ALL +sudoOrder: 3 + diff --git a/dirsrv/misc/sudoers2ldif.pl b/dirsrv/misc/sudoers2ldif.pl new file mode 100644 index 0000000..a94fa04 --- /dev/null +++ b/dirsrv/misc/sudoers2ldif.pl @@ -0,0 +1,153 @@ +#!/usr/bin/env perl +# +# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com> +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# + +use strict; + +# +# Converts a sudoers file to LDIF format in prepration for loading into +# the LDAP server. +# + +# BUGS: +# Does not yet handle multiple lines with : in them +# Does not yet remove quotation marks from options +# Does not yet escape + at the beginning of a dn +# Does not yet handle line wraps correctly +# Does not yet handle multiple roles with same name (needs tiebreaker) +# +# CAVEATS: +# Sudoers entries can have multiple RunAs entries that override former ones, +# with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole + +my %RA; +my %UA; +my %HA; +my %CA; +my $base=$ENV{SUDOERS_BASE} or die "$0: Container SUDOERS_BASE undefined\n"; +my @options=(); + +my $did_defaults=0; +my $order = 0; + +# parse sudoers one line at a time +while (<>){ + + # remove comment + s/#.*//; + + # line continuation + $_.=<> while s/\\\s*$//s; + + # cleanup newline + chomp; + + # ignore blank lines + next if /^\s*$/; + + if (/^Defaults\s+/i) { + my $opt=$'; + $opt=~s/\s+$//; # remove trailing whitespace + push @options,$opt; + } elsif (/^(\S+)\s+([^=]+)=\s*(.*)/) { + + # Aliases or Definitions + my ($p1,$p2,$p3)=($1,$2,$3); + $p2=~s/\s+$//; # remove trailing whitespace + $p3=~s/\s+$//; # remove trailing whitespace + + if ($p1 eq "User_Alias") { + $UA{$p2}=$p3; + } elsif ($p1 eq "Runas_Alias") { + $RA{$p2}=$p3; + } elsif ($p1 eq "Host_Alias") { + $HA{$p2}=$p3; + } elsif ($p1 eq "Cmnd_Alias") { + $CA{$p2}=$p3; + } else { + if (!$did_defaults++){ + # do this once + print "dn: cn=defaults,$base\n"; + print "objectClass: top\n"; + print "objectClass: sudoRole\n"; + print "cn: defaults\n"; + print "description: Default sudoOption's go here\n"; + print "sudoOption: $_\n" foreach @options; + printf "sudoOrder: %d\n", ++$order; + print "\n"; + } + # Definition + my @users=split /\s*,\s*/,$p1; + my @hosts=split /\s*,\s*/,$p2; + my @cmds= split /\s*,\s*/,$p3; + @options=(); + print "dn: cn=$users[0],$base\n"; + print "objectClass: top\n"; + print "objectClass: sudoRole\n"; + print "cn: $users[0]\n"; + # will clobber options + print "sudoUser: $_\n" foreach expand(\%UA,@users); + print "sudoHost: $_\n" foreach expand(\%HA,@hosts); + foreach (@cmds) { + if (s/^\(([^\)]+)\)\s*//) { + my @runas = split(/:\s*/, $1); + if (defined($runas[0])) { + print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0])); + } + if (defined($runas[1])) { + print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1])); + } + } + } + print "sudoCommand: $_\n" foreach expand(\%CA,@cmds); + print "sudoOption: $_\n" foreach @options; + printf "sudoOrder: %d\n", ++$order; + print "\n"; + } + + } else { + print "parse error: $_\n"; + } + +} + +# +# recursively expand hash elements +sub expand{ + my $ref=shift; + my @a=(); + + # preen the line a little + foreach (@_){ + # if NOPASSWD: directive found, mark entire entry as not requiring + s/NOPASSWD:\s*// && push @options,"!authenticate"; + s/PASSWD:\s*// && push @options,"authenticate"; + s/NOEXEC:\s*// && push @options,"noexec"; + s/EXEC:\s*// && push @options,"!noexec"; + s/SETENV:\s*// && push @options,"setenv"; + s/NOSETENV:\s*// && push @options,"!setenv"; + s/LOG_INPUT:\s*// && push @options,"log_input"; + s/NOLOG_INPUT:\s*// && push @options,"!log_input"; + s/LOG_OUTPUT:\s*// && push @options,"log_output"; + s/NOLOG_OUTPUT:\s*// && push @options,"!log_output"; + s/[[:upper:]]+://; # silently remove other tags + s/\s+$//; # right trim + } + + # do the expanding + push @a,$ref->{$_} ? expand($ref,split /\s*,\s*/,$ref->{$_}):$_ foreach @_; + @a; +} diff --git a/generic/nsswitch.conf b/generic/nsswitch.conf new file mode 100644 index 0000000..3a031e1 --- /dev/null +++ b/generic/nsswitch.conf @@ -0,0 +1,32 @@ +### +## +## Prototype Name Service Switch configuration for GNU/Linux systems in the namespaces lysergic.dev / syscid.com / liberta.casa +#รค +## Unless otherwise stated, system/scripts/sh/deploy_directory_client.sh should be run instead of manually setting this file. +## georg@lysergic.dev +## +### + +passwd: sss files +group: sss files +shadow: sss compat +# initgroups: compat + +hosts: files dns +networks: files dns + +aliases: files usrfiles +ethers: files usrfiles +gshadow: files usrfiles +netgroup: files nis +protocols: files usrfiles +publickey: files +rpc: files usrfiles +services: files usrfiles + +automount: files nis +bootparams: files +netmasks: files + +sudoers: sss + diff --git a/sssd/client_sssd.generated.conf b/sssd/client_sssd.generated.conf new file mode 100644 index 0000000..3615f96 --- /dev/null +++ b/sssd/client_sssd.generated.conf @@ -0,0 +1,72 @@ +WARNING: ldap_uri starts with ldapi:// - you should review this parameter in the sssd configuration + +# +# sssd.conf +# Generated by 389 Directory Server - dsidm +# +# For more details see man sssd.conf and man sssd-ldap +# Be sure to review the content of this file to ensure it is secure and correct +# in your environment. + +[domain/ldap] +# Uncomment this for more verbose logging. +# debug_level=3 + +# Cache hashes of user authentication for offline auth. +cache_credentials = True +id_provider = ldap +auth_provider = ldap +access_provider = ldap +chpass_provider = ldap +ldap_schema = rfc2307bis +ldap_search_base = dc=syscid,dc=com +ldap_uri = ldapi://%2fvar%2frun%2fslapd-syscid.socket +# If you have DNS SRV records, you can use the following instead. This derives +# from your ldap_search_base. +# ldap_uri = _srv_ + +ldap_tls_reqcert = demand +# To use cacert dir, place *.crt files in this path then run: +# /usr/bin/openssl rehash /etc/openldap/certs +# or (for older versions of openssl) +# /usr/bin/c_rehash /etc/openldap/certs +ldap_tls_cacertdir = /etc/openldap/certs + +# Path to the cacert +# ldap_tls_cacert = /etc/openldap/certs/ca.crt + +# Only users who match this filter can login and authorise to this machine. Note +# that users who do NOT match, will still have their uid/gid resolve, but they +# can't login. +# ldap_access_filter = (memberOf=<dn>) + +enumerate = false +access_provider = ldap +ldap_user_member_of = memberof +ldap_user_gecos = cn +ldap_user_uuid = nsUniqueId +ldap_group_uuid = nsUniqueId +# This is really important as it allows SSSD to respect nsAccountLock +ldap_account_expire_policy = rhds +ldap_access_order = filter, expire +# Setup for ssh keys +# Inside /etc/ssh/sshd_config add the lines: +# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys +# AuthorizedKeysCommandUser nobody +# You can test with the command: sss_ssh_authorizedkeys <username> +ldap_user_ssh_public_key = nsSshPublicKey + +# This prevents an issue where the Directory is recursively walked on group +# and user look ups. It makes the client faster and more responsive in almost +# every scenario. +ignore_group_members = False + +[sssd] +services = nss, pam, ssh, sudo +config_file_version = 2 + +domains = ldap +[nss] +homedir_substring = /home + + diff --git a/sssd/sssd.conf b/sssd/sssd.conf new file mode 100644 index 0000000..7a6664d --- /dev/null +++ b/sssd/sssd.conf @@ -0,0 +1,58 @@ +### +## +## Prototype System Security Services Daemon configuration for GNU/Linux based systems in the namespaces lysergic.dev / syscid.com /liberta.casa +## +## Unless otherwise stated, system/scripts/sh/deploy_directory_client.sh should be run instead of manually setting this file. +## +## georg@lysergic.dev +## +### + +[sssd] +debug_level = 10 +config_file_version = 2 +services = nss, pam, ssh, sudo +domains = SYSCID + +[nss] +homedir_substring = /home +debug_level = 10 + +[pam] +debug_level = 10 +pam_verbosity = 3 +pam_account_expired_message = Permission denied - Your SYSCID or LibertaCasa Account EXPIRED. +pam_account_locked_message = Permission denied - Your SYSCID or LibertaCasa Account is LOCKED. + +[ssh] +debug_level = 10 + +[sudo] +debug_level = 10 + +[domain/SYSCID] +ignore_group_members = False +debug_level = 10 +cache_credentials= False +id_provider = ldap +auth_provider = ldap +access_provider = ldap +chpass_provider = ldap +ldap_schema = rfc2307bis +ldap_search_base = dc=syscid,dc=com +ldap_uri = ldaps://ldap.syscid.com +ldap_access_filter = (memberOf=cn=syscid_shell_users,ou=syscid-groups,dc=syscid,dc=com) +access_provider = ldap +ldap_user_member_of = memberof +#ldap_group_member = memberUid +#ldap_group_member = member +ldap_user_gecos = cn +ldap_user_uuid = nsUniqueId +ldap_group_uuid = nsUniqueId +#ldap_pwd_policy = shadow +ldap_account_expire_policy = rhds +ldap_access_order = filter, expire, pwd_expire_policy_renew +ldap_user_ssh_public_key = sshPublicKey +sudo_provider = ldap +ldap_sudo_search_base = ou=SUDOers,ou=syscid-system,dc=syscid,dc=com + |