From f3756af73b64d6881168096e1f2a5735c6c4c37f Mon Sep 17 00:00:00 2001
From: Hasan Kara
Date: Thu, 25 Apr 2019 10:25:05 +0300
Subject: [PATCH] SSSD config and installation python files are copied under registration
---
src/base/registration/config-files/sssd.conf | 42 +++++
.../execute_cancel_sssd_authentication.py | 91 +++++++++++
.../execute_sssd_authentication.py | 150 ++++++++++++++++++
3 files changed, 283 insertions(+)
create mode 100644 src/base/registration/config-files/sssd.conf
create mode 100644 src/base/registration/execute_cancel_sssd_authentication.py
create mode 100644 src/base/registration/execute_sssd_authentication.py
diff --git a/src/base/registration/config-files/sssd.conf b/src/base/registration/config-files/sssd.conf
new file mode 100644
index 0000000..d872d0f
--- /dev/null
+++ b/src/base/registration/config-files/sssd.conf
@@ -0,0 +1,42 @@
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = LDAP
+
+[nss]
+
+[sudo]
+
+[pam]
+pam_verbosity=2
+pam_account_locked_message = Hesap Kilitli
+offline_credentials_expiration = 30
+
+[domain/LDAP]
+debug_level = 9
+id_provider = ldap
+auth_provider = ldap
+access_provider = ldap
+#ldap_access_filter = (employeeType=admin)
+ldap_access_order = ppolicy
+pam_verbosity=2
+###ldap_pwdlockout_dn###
+ldap_schema = rfc2307
+###ldap_uri###
+###ldap_default_bind_dn###
+###ldap_default_authtok###
+ldap_default_authtok_type = password
+###ldap_search_base###
+###ldap_user_search_base###
+###ldap_group_search_base###
+ldap_user_object_class = posixAccount
+ldap_user_gecos = cn
+ldap_tls_reqcert = never
+ldap_auth_disable_tls_never_use_in_production = true
+override_shell = /bin/bash
+enumerate = true
+cache_credentials = true
+sudo_provider = ldap
+ldap_sudo_search_base = ou=Roles,dc=liderahenk,dc=org
+ldap_sudo_full_refresh_interval=86400
+ldap_sudo_smart_refresh_interval=3600
\ No newline at end of file
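Review bot: The template switches off transport security for both the service bind and user authentication: `ldap_tls_reqcert = never` together with `ldap_auth_disable_tls_never_use_in_production = true`, and execute_sssd_authentication.py fills `###ldap_uri###` with a plain `ldap://` URI, so the `ldap_default_authtok` admin secret and every password SSSD forwards at login cross the network in cleartext. If the directory presents a verifiable certificate, the two lines should become `ldap_tls_reqcert = demand` and `ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt` (or a pinned CA file), the disable-TLS line should go, and the URI should be `ldaps://` or paired with `ldap_id_use_start_tls = true`. `debug_level = 9` is the most verbose level SSSD offers and will write full request detail to /var/log/sssd on every registered client; a production template normally ships something like `debug_level = 2`. Note also that `ldap_sudo_search_base = ou=Roles,dc=liderahenk,dc=org` is the one search base left hard-coded while the others are `###…###` placeholders, so a registration against any other base DN resolves no sudo rules.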
diff --git a/src/base/registration/execute_cancel_sssd_authentication.py b/src/base/registration/execute_cancel_sssd_authentication.py
new file mode 100644
index 0000000..52b6e88
--- /dev/null
+++ b/src/base/registration/execute_cancel_sssd_authentication.py
@@ -0,0 +1,91 @@
+#!/usr/bin/python3
+# -*- coding: utf-8 -*-
+# Author: Hasan Kara
+
+from base.scope import Scope
+from base.util.util import Util
+import re
+
+
+class ExecuteCancelSSSDAuthentication:
+ def __init__(self):
+ scope = Scope().get_instance()
+ self.logger = scope.get_logger()
+ self.util = Util()
+
+ def cancel(self):
+ self.util.execute("apt purge libpam-sss sssd-common -y")
+ self.util.execute("apt autoremove -y")
+
+ if self.util.is_exist("/etc/sssd"):
+ self.util.delete_folder("/etc/sssd")
+
+ # pattern for clearing file data from spaces, tabs and newlines
+ pattern = re.compile(r'\s+')
+
+ # Configure nsswitch.conf
+ file_ns_switch = open("/etc/nsswitch.conf", 'r')
+ file_data = file_ns_switch.read()
+
+ # cleared file data from spaces, tabs and newlines
+ text = pattern.sub('', file_data)
+
+ did_configuration_change = False
+ if "passwd:compatsss" in text:
+ file_data = file_data.replace("passwd: compat sss", "passwd: compat")
+ did_configuration_change = True
+
+ if "group:compatsss" in text:
+ file_data = file_data.replace("group: compat sss", "group: compat")
+ did_configuration_change = True
+
+ if "shadow:compatsss" in text:
+ file_data = file_data.replace("shadow: compat sss", "shadow: compat")
+ did_configuration_change = True
+
+ if "services:dbfilessss" in text:
+ file_data = file_data.replace("services: db files sss", "services: db files")
+ did_configuration_change = True
+
+ if "netgroup:nissss" in text:
+ file_data = file_data.replace("netgroup: nis sss", "netgroup: nis")
+ did_configuration_change = True
+
+ if "sudoers:filessss" in text:
+ file_data = file_data.replace("sudoers: files sss", "")
+ did_configuration_change = True
+
+ if did_configuration_change:
+ self.logger.info("nsswitch.conf configuration has been configured")
+ else:
+ self.logger.info("nsswitch.conf has already been configured")
+
+ file_ns_switch.close()
+ file_ns_switch = open("/etc/nsswitch.conf", 'w')
+ file_ns_switch.write(file_data)
+ file_ns_switch.close()
+
+ common_session_conf_path = "/etc/pam.d/common-session"
+
+ # configure common-session for creating home directories for ldap users
+ file_common_session = open(common_session_conf_path, 'r')
+ file_data = file_common_session.read()
+
+ if "session optional pam_mkhomedir.so skel=/etc/skel umask=077" in file_data:
+ file_data = file_data.replace("session optional pam_mkhomedir.so skel=/etc/skel umask=077", "")
+ self.logger.info("common-session is configured")
+
+ file_common_session.close()
+ file_common_session = open(common_session_conf_path, 'w')
+ file_common_session.write(file_data)
+ file_common_session.close()
+
+ # Configure lightdm.service
+ pardus_xfce_path = "/usr/share/lightdm/lightdm.conf.d/99-pardus-xfce.conf"
+ if self.util.is_exist(pardus_xfce_path):
+ self.logger.info("99-pardus-xfce.conf exists. Deleting file.")
+ self.util.delete_file(pardus_xfce_path)
+ self.util.execute("systemctl restart nscd.service")
+
+ self.logger.info("LDAP Login iptal etme işlemi başarı ile sağlandı.")
+
diff --git a/src/base/registration/execute_sssd_authentication.py b/src/base/registration/execute_sssd_authentication.py
new file mode 100644
index 0000000..6d9ceee
--- /dev/null
+++ b/src/base/registration/execute_sssd_authentication.py
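Review bot: The `sudoers` branch of the nsswitch.conf restore is asymmetric with the five entries above it: `file_data.replace("sudoers: files sss", "")` erases the whole `sudoers:` entry instead of undoing what execute_sssd_authentication.py did to it, so after a cancel the line is gone rather than back to its pre-registration form; it should read `file_data = file_data.replace("sudoers: files sss", "sudoers: files")`. A second concern, shared with the install path: the presence checks run on a whitespace-stripped copy (`text`) while each `replace` requires an exact literal that, as rendered here, carries a single space, so a file using Debian's column-aligned layout (`passwd:         compat sss`) would be reported as configured by the log yet left untouched — if the literals really are single-spaced, a per-entry `re.sub(r'^(passwd:\s+compat)\s+sss\b', r'\1', file_data, flags=re.M)` closes that gap and matches the normalised check. Finally, `/etc/nsswitch.conf` and `common-session` are rewritten by truncating them in place with `open(..., 'w')`; an exception between that open and the `write` leaves an empty NSS or PAM config on a host that has just lost its directory users, so writing to a sibling temp file and `os.replace`-ing it into place would be safer.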
@@ -0,0 +1,150 @@ +#!/usr/bin/python3 +# -*- coding: utf-8 -*- +# Author: Hasan Kara + +from base.scope import Scope +from base.util.util import Util +import re + + +class ExecuteSSSDAuthentication: + def __init__(self): + scope = Scope().get_instance() + self.logger = scope.get_logger() + self.util = Util() + + def authenticate(self, server_address, dn, admin_dn, admin_password): + try: + ldap_pwdlockout_dn = "cn=DefaultPolicy,ou=PasswordPolicies" + "," + dn + + # pattern for clearing file data from spaces, tabs and newlines + pattern = re.compile(r'\s+') + + sssd_config_template_path = "/usr/share/ahenk/base/registration/config-files/sssd.conf" + sssd_config_folder_path = "/etc/sssd" + sssd_config_file_path = "/etc/sssd/sssd.conf" + + common_session_conf_path = "/etc/pam.d/common-session" + + # copy configuration file to /etc/sssd/sssd.conf before package installation + # create sssd folder in /etc + if not self.util.is_exist(sssd_config_folder_path): + self.util.create_directory(sssd_config_folder_path) + self.logger.info("{0} folder is created".format(sssd_config_folder_path)) + + # Copy sssd.conf template under /etc/sssd + self.util.copy_file(sssd_config_template_path, sssd_config_folder_path) + self.logger.info("{0} config file is copied under {1}".format(sssd_config_template_path, sssd_config_folder_path)) + + # Configure sssd.conf + file_sssd = open(sssd_config_file_path, 'r') + file_data = file_sssd.read() + + file_data = file_data.replace("###ldap_pwdlockout_dn###", "ldap_pwdlockout_dn = " + ldap_pwdlockout_dn) + file_data = file_data.replace("###ldap_uri###", "ldap_uri = " + "ldap://" + server_address + "/") + file_data = file_data.replace("###ldap_default_bind_dn###", "ldap_default_bind_dn = " + admin_dn) + file_data = file_data.replace("###ldap_default_authtok###", "ldap_default_authtok = " + admin_password) + file_data = file_data.replace("###ldap_search_base###", "ldap_search_base = " + dn) + file_data = 
file_data.replace("###ldap_user_search_base###", "ldap_user_search_base = " + dn) + file_data = file_data.replace("###ldap_group_search_base###", "ldap_group_search_base = " + dn) + + file_sssd.close() + file_sssd = open(sssd_config_file_path, 'w') + file_sssd.write(file_data) + file_sssd.close() + + # Install libpam-sss sssd-common for sssd authentication + (result_code, p_out, p_err) = self.util.execute("sudo apt install libpam-sss sssd-common -y") + + if result_code != 0: + self.logger.error("SSSD packages couldn't be downloaded.") + return False + + # configure common-session for creating home directories for ldap users + file_common_session = open(common_session_conf_path, 'r') + file_data = file_common_session.read() + + if "session optional pam_mkhomedir.so skel=/etc/skel umask=077" not in file_data : + file_data = file_data + "\n" + "session optional pam_mkhomedir.so skel=/etc/skel umask=077" + self.logger.info("common-session is configured") + + file_common_session.close() + file_common_session = open(common_session_conf_path, 'w') + file_common_session.write(file_data) + file_common_session.close() + + # Configure nsswitch.conf + file_ns_switch = open("/etc/nsswitch.conf", 'r') + file_data = file_ns_switch.read() + + # cleared file data from spaces, tabs and newlines + text = pattern.sub('', file_data) + + is_configuration_done_before = False + if "passwd:compatsss" not in text: + file_data = file_data.replace("passwd: compat", "passwd: compat sss") + is_configuration_done_before = True + + if "group:compatsss" not in text: + file_data = file_data.replace("group: compat", "group: compat sss") + is_configuration_done_before = True + + if "shadow:compatsss" not in text: + file_data = file_data.replace("shadow: compat", "shadow: compat sss") + is_configuration_done_before = True + + if "services:dbfilessss" not in text: + file_data = file_data.replace("services: db files", "services: db files sss") + is_configuration_done_before = True + + if 
"netgroup:nissss" not in text: + file_data = file_data.replace("netgroup: nis", "netgroup: nis sss") + is_configuration_done_before = True + + if "sudoers:filessss" not in text: + file_data = file_data.replace("sudoers: files", "sudoers: files sss") + is_configuration_done_before = True + + if is_configuration_done_before: + self.logger.info("nsswitch.conf configuration has been completed") + else: + self.logger.info("nsswitch.conf is already configured") + + file_ns_switch.close() + file_ns_switch = open("/etc/nsswitch.conf", 'w') + file_ns_switch.write(file_data) + file_ns_switch.close() + + # Configure lightdm.service + # check if 99-pardus-xfce.conf exists if not create + pardus_xfce_path = "/usr/share/lightdm/lightdm.conf.d/99-pardus-xfce.conf" + if not self.util.is_exist(pardus_xfce_path): + self.logger.info("99-pardus-xfce.conf does not exist.") + self.util.create_file(pardus_xfce_path) + + file_lightdm = open(pardus_xfce_path, 'a') + file_lightdm.write("[Seat:*]\n") + file_lightdm.write("greeter-hide-users=true") + file_lightdm.close() + self.logger.info("lightdm has been configured.") + else: + self.logger.info("99-pardus-xfce.conf exists. Delete file and create new one.") + self.util.delete_file(pardus_xfce_path) + self.util.create_file(pardus_xfce_path) + + file_lightdm = open(pardus_xfce_path, 'a') + file_lightdm.write("[Seat:*]") + file_lightdm.write("greeter-hide-users=true") + file_lightdm.close() + self.logger.info("lightdm.conf has been configured.") + + self.util.execute("systemctl restart nscd.service") + self.util.execute("pam-auth-update --force") + self.logger.info("LDAP Login operation has been completed.") + + self.logger.info("LDAP Login işlemi başarı ile sağlandı.") + return True + except Exception as e: + self.logger.error(str(e)) + self.logger.info("LDAP Login işlemi esnasında hata oluştu.") + return False