Diffstat (limited to 'testing/source/PAM')
11 files changed, 390 insertions, 9 deletions
diff --git a/testing/source/PAM/buildlist b/testing/source/PAM/buildlist
index b05fcbf6..5fc1b40f 100644
--- a/testing/source/PAM/buildlist
+++ b/testing/source/PAM/buildlist
@@ -1,6 +1,7 @@
 a/cracklib/cracklib.SlackBuild
 a/pam/pam.SlackBuild
 a/libpwquality/libpwquality.SlackBuild
+n/nss-pam-ldapd/nss-pam-ldapd.SlackBuild
 source/a/shadow/shadow.SlackBuild
 source/a/util-linux/util-linux.SlackBuild
 source/a/libcgroup/libcgroup.SlackBuild
diff --git a/testing/source/PAM/buildlist-fix-lib-security-location b/testing/source/PAM/buildlist-fix-lib-security-location
deleted file mode 100644
index 4b49d382..00000000
--- a/testing/source/PAM/buildlist-fix-lib-security-location
+++ /dev/null
@@ -1,9 +0,0 @@
-a/pam/pam.SlackBuild
-a/libpwquality/libpwquality.SlackBuild
-source/a/libcgroup/libcgroup.SlackBuild
-source/l/polkit/polkit.SlackBuild
-source/l/ConsoleKit2/ConsoleKit2.SlackBuild
-source/l/gnome-keyring/gnome-keyring.SlackBuild
-source/n/cifs-utils/cifs-utils.SlackBuild
-source/ap/mariadb/mariadb.SlackBuild
-source/n/samba/samba.SlackBuild
diff --git a/testing/source/PAM/n/nss-pam-ldapd/1025d5de336d8c9585b79df3154b5649da344281.patch b/testing/source/PAM/n/nss-pam-ldapd/1025d5de336d8c9585b79df3154b5649da344281.patch
new file mode 100644
index 00000000..b21ab09e
--- /dev/null
+++ b/testing/source/PAM/n/nss-pam-ldapd/1025d5de336d8c9585b79df3154b5649da344281.patch
@@ -0,0 +1,42 @@
+From 1025d5de336d8c9585b79df3154b5649da344281 Mon Sep 17 00:00:00 2001
+From: Arthur de Jong <arthur@arthurdejong.org>
+Date: Sun, 13 Oct 2019 17:23:20 +0200
+Subject: [PATCH] Fix Python 3 compatibility in chsh.ldap
+
+---
+ utils/chsh.py | 6 +++---
+ utils/shells.py | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/utils/chsh.py b/utils/chsh.py
+index e7537e71..0f24bfcc 100755
+--- a/utils/chsh.py
++++ b/utils/chsh.py
+@@ -43,11 +43,11 @@
+ def ask_shell(oldshell):
+ """Ask the user to provide a shell."""
+ # Provide Python 2 compatibility
++ prompt = ' Login Shell [%s]: ' % oldshell
+ try:
+- input = raw_input
++ shell = raw_input(prompt)
+ except NameError:
+- pass
+- shell = input(' Login Shell [%s]: ' % oldshell)
++ shell = input(prompt)
+ return shell or oldshell
+
+
+diff --git a/utils/shells.py b/utils/shells.py
+index 92dba2f2..327b35e7 100644
+--- a/utils/shells.py
++++ b/utils/shells.py
+@@ -35,7 +35,7 @@ def list_shells():
+ shell = getusershell()
+ if not shell:
+ break
+- yield shell
++ yield shell.decode('utf-8')
+ libc.endusershell()
+
+
diff --git a/testing/source/PAM/n/nss-pam-ldapd/548efe5333b56a0a042843a044e0348317f80065.patch b/testing/source/PAM/n/nss-pam-ldapd/548efe5333b56a0a042843a044e0348317f80065.patch
new file mode 100644
index 00000000..d03f1552
--- /dev/null
+++ b/testing/source/PAM/n/nss-pam-ldapd/548efe5333b56a0a042843a044e0348317f80065.patch
@@ -0,0 +1,37 @@
+From 548efe5333b56a0a042843a044e0348317f80065 Mon Sep 17 00:00:00 2001
+From: Arthur de Jong <arthur@arthurdejong.org>
+Date: Mon, 11 Nov 2019 23:06:20 +0100
+Subject: [PATCH] Log the correct timeout value
+
+This fixes logging of the LDAP_OPT_TIMEOUT, LDAP_OPT_NETWORK_TIMEOUT and
+LDAP_X_OPT_CONNECT_TIMEOUT options to actually log the value of the
+bind_timelimit option instead of the timelimit option.
+---
+ nslcd/myldap.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/nslcd/myldap.c b/nslcd/myldap.c
+index 02b97195..0ee1be80 100644
+--- a/nslcd/myldap.c
++++ b/nslcd/myldap.c
+@@ -911,17 +911,17 @@ static int do_set_options(MYLDAP_SESSION *session)
+ tv.tv_usec = 0;
+ #ifdef LDAP_OPT_TIMEOUT
+ log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_TIMEOUT,%d)",
+- nslcd_cfg->timelimit);
++ nslcd_cfg->bind_timelimit);
+ LDAP_SET_OPTION(session->ld, LDAP_OPT_TIMEOUT, &tv);
+ #endif /* LDAP_OPT_TIMEOUT */
+ #ifdef LDAP_OPT_NETWORK_TIMEOUT
+ log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,%d)",
+- nslcd_cfg->timelimit);
++ nslcd_cfg->bind_timelimit);
+ LDAP_SET_OPTION(session->ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
+ #endif /* LDAP_OPT_NETWORK_TIMEOUT */
+ #ifdef LDAP_X_OPT_CONNECT_TIMEOUT
+ log_log(LOG_DEBUG, "ldap_set_option(LDAP_X_OPT_CONNECT_TIMEOUT,%d)",
+- nslcd_cfg->timelimit);
++ nslcd_cfg->bind_timelimit);
+ LDAP_SET_OPTION(session->ld, LDAP_X_OPT_CONNECT_TIMEOUT, &tv);
+ #endif /* LDAP_X_OPT_CONNECT_TIMEOUT */
+ log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_REFERRALS,%s)",
diff --git a/testing/source/PAM/n/nss-pam-ldapd/b33551895b3c02dc7082363c6aae13f8e336f4e5.patch b/testing/source/PAM/n/nss-pam-ldapd/b33551895b3c02dc7082363c6aae13f8e336f4e5.patch
new file mode 100644
index 00000000..127243e0
--- /dev/null
+++ b/testing/source/PAM/n/nss-pam-ldapd/b33551895b3c02dc7082363c6aae13f8e336f4e5.patch
@@ -0,0 +1,26 @@
+From b33551895b3c02dc7082363c6aae13f8e336f4e5 Mon Sep 17 00:00:00 2001
+From: Arthur de Jong <arthur@arthurdejong.org>
+Date: Mon, 10 Feb 2020 22:52:16 +0100
+Subject: [PATCH] Fix typo in manual page
+
+Thanks Benedict Reuschling for pointing this out.
+
+Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/39
+Fixes b93838d
+---
+ man/nslcd.conf.5.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
+index 7ae56b28..4e81645c 100644
+--- a/man/nslcd.conf.5.xml
++++ b/man/nslcd.conf.5.xml
+@@ -514,7 +514,7 @@
+ <term><option>idle_timelimit</option> <replaceable>SECONDS</replaceable></term>
+ <listitem>
+ <para>
+- Specifies the period if inactivity (in seconds) after which the
++ Specifies the period of inactivity (in seconds) after which the
+ connection to the <acronym>LDAP</acronym> server will be closed.
+ The default is not to time out connections.
+ </para>
diff --git a/testing/source/PAM/n/nss-pam-ldapd/doinst.sh b/testing/source/PAM/n/nss-pam-ldapd/doinst.sh
new file mode 100644
index 00000000..d483abce
--- /dev/null
+++ b/testing/source/PAM/n/nss-pam-ldapd/doinst.sh
@@ -0,0 +1,26 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+ # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ if [ -e $OLD ]; then
+ cp -a $OLD ${NEW}.incoming
+ cat $NEW > ${NEW}.incoming
+ mv ${NEW}.incoming $NEW
+ fi
+ config $NEW
+}
+
+config etc/nslcd.conf.new
+preserve_perms etc/rc.d/rc.nss-pam-ldapd.new
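Review bot: The final `config etc/nslcd.conf.new` call in doinst.sh does not say why this file, unlike the rc script on the next line, deliberately bypasses `preserve_perms`; the SlackBuild in the same commit packages nslcd.conf.new with mode 0600 because it may hold a bind credential, and the plain `mv` inside `config` is what carries that mode onto the installed /etc/nslcd.conf, while `preserve_perms` would instead copy the mode of whatever /etc/nslcd.conf already exists onto the new file. A reader of doinst.sh alone cannot see that reasoning, so a one-line comment above the call would record it, e.g. `# nslcd.conf may contain a bind password: it is packaged 0600 and config() keeps that mode`. When an older, differing nslcd.conf is present the 0600 .new copy is left beside it, which is the intended behaviour and worth stating in the same comment.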
diff --git a/testing/source/PAM/n/nss-pam-ldapd/fea0f5ed287b04406afca0835b1a333bd1fe617b.patch b/testing/source/PAM/n/nss-pam-ldapd/fea0f5ed287b04406afca0835b1a333bd1fe617b.patch
new file mode 100644
index 00000000..13b0ace7
--- /dev/null
+++ b/testing/source/PAM/n/nss-pam-ldapd/fea0f5ed287b04406afca0835b1a333bd1fe617b.patch
@@ -0,0 +1,49 @@
+From fea0f5ed287b04406afca0835b1a333bd1fe617b Mon Sep 17 00:00:00 2001
+From: Arthur de Jong <arthur@arthurdejong.org>
+Date: Sun, 13 Oct 2019 17:24:36 +0200
+Subject: [PATCH] Add pam_authc_ppolicy support in pynslcd
+
+See https://bugs.debian.org/900253
+---
+ pynslcd/cfg.py | 3 ++-
+ pynslcd/pam.py | 6 ++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/pynslcd/cfg.py b/pynslcd/cfg.py
+index 877d4427..b970b5a7 100644
+--- a/pynslcd/cfg.py
++++ b/pynslcd/cfg.py
+@@ -87,6 +87,7 @@
+ nss_getgrent_skipmembers = False
+ nss_disable_enumeration = False
+ validnames = re.compile(r'^[a-z0-9._@$][a-z0-9._@$ \\~-]{0,98}[a-z0-9._@$~-]$', re.IGNORECASE)
++pam_authc_ppolicy = True
+ pam_authz_searches = []
+ pam_password_prohibit_message = None
+ reconnect_invalidate = set()
+@@ -184,7 +185,7 @@ def read(filename): # noqa: C901 (many simple branches)
+ # parse options with a single boolean argument
+ m = re.match(
+ r'(?P<keyword>referrals|nss_nested_groups|nss_getgrent_skipmembers|'
+- r'nss_disable_enumeration)\s+(?P<value>%s)' % (
++ r'nss_disable_enumeration|pam_authc_ppolicy)\s+(?P<value>%s)' % (
+ '|'.join(_boolean_options.keys())),
+ line, re.IGNORECASE)
+ if m:
+diff --git a/pynslcd/pam.py b/pynslcd/pam.py
+index b372cdda..5f5486b3 100644
+--- a/pynslcd/pam.py
++++ b/pynslcd/pam.py
+@@ -42,8 +42,10 @@ def authenticate(binddn, password):
+ # open a new connection
+ conn = search.Connection()
+ # bind using the specified credentials
+- pwctrl = PasswordPolicyControl()
+- res, data, msgid, ctrls = conn.simple_bind_s(binddn, password, serverctrls=[pwctrl])
++ serverctrls = []
++ if cfg.pam_authc_ppolicy:
++ serverctrls.append(PasswordPolicyControl())
++ res, data, msgid, ctrls = conn.simple_bind_s(binddn, password, serverctrls=serverctrls)
+ # go over bind result server controls
+ for ctrl in ctrls:
+ if ctrl.controlType == PasswordPolicyControl.controlType:
diff --git a/testing/source/PAM/n/nss-pam-ldapd/nss-pam-ldapd.SlackBuild b/testing/source/PAM/n/nss-pam-ldapd/nss-pam-ldapd.SlackBuild
new file mode 100755
index 00000000..204e9603
--- /dev/null
+++ b/testing/source/PAM/n/nss-pam-ldapd/nss-pam-ldapd.SlackBuild
@@ -0,0 +1,152 @@
+#!/bin/bash
+
+# Copyright 2020 Patrick J. Volkerding, Sebeka, Minnesota, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+PKGNAM=nss-pam-ldapd
+VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-1}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$(uname -m)" in
+ i?86) ARCH=i586 ;;
+ arm*) readelf /usr/bin/file -A | egrep -q "Tag_CPU.*[4,5]" && ARCH=arm || ARCH=armv7hl ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) ARCH=$(uname -m) ;;
+ esac
+ export ARCH
+fi
+
+# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
+# the name of the created package would be, and then exit. This information
+# could be useful to other scripts.
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+ echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
+ exit 0
+fi
+
+NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
+
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+ SLKCFLAGS="-O2 -march=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+elif [ "$ARCH" = "armv7hl" ]; then
+ SLKCFLAGS="-O3 -march=armv7-a -mfpu=vfpv3-d16"
+ LIBDIRSUFFIX=""
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-$PKGNAM
+
+rm -rf $PKG
+mkdir -p $TMP $PKG
+
+cd $TMP
+rm -rf $PKGNAM-$VERSION
+tar xvf $CWD/$PKGNAM-$VERSION.tar.?z || exit 1
+cd $PKGNAM-$VERSION || exit 1
+
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \+ -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \+
+
+# Upstream patches from git:
+zcat $CWD/1025d5de336d8c9585b79df3154b5649da344281.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/548efe5333b56a0a042843a044e0348317f80065.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/b33551895b3c02dc7082363c6aae13f8e336f4e5.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/fea0f5ed287b04406afca0835b1a333bd1fe617b.patch.gz | patch -p1 --verbose || exit 1
+
+export PYTHON=python3
+
+# Configure, build, and install:
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --mandir=/usr/man \
+ --docdir=/usr/doc/$PKGNAM-$VERSION \
+ --with-pam-seclib-dir=/lib$LIBDIRSUFFIX/security \
+ --build=$ARCH-slackware-linux || exit 1
+make $NUMJOBS || make || exit 1
+make install DESTDIR=$PKG || exit 1
+
+# Don't ship .la files:
+rm -f $PKG/{,usr/}lib${LIBDIRSUFFIX}/*.la
+
+# Install config file as .new:
+mv $PKG/etc/nslcd.conf $PKG/etc/nslcd.conf.new
+# Restrict access since this file may include a secret credential:
+chmod 600 $PKG/etc/nslcd.conf.new
+
+# Install init script:
+mkdir -p $PKG/etc/rc.d
+cat $CWD/rc.nss-pam-ldapd > $PKG/etc/rc.d/rc.nss-pam-ldapd.new
+
+# Strip binaries:
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+# Compress manual pages:
+find $PKG/usr/man -type f -exec gzip -9 {} \+
+for i in $( find $PKG/usr/man -type l ) ; do
+ ln -s $( readlink $i ).gz $i.gz
+ rm $i
+done
+
+# Add a documentation directory:
+mkdir -p $PKG/usr/doc/${PKGNAM}-$VERSION
+cp -a \
+ AUTHORS* ChangeLog COPYING* HACKING* LICENSE* NEWS* README* TODO* \
+ $PKG/usr/doc/${PKGNAM}-$VERSION
+
+# If there's a ChangeLog, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r ChangeLog ]; then
+ DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
+ cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
+ touch -r ChangeLog $DOCSDIR/ChangeLog
+fi
+
+mkdir -p $PKG/install
+zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD.txz
diff --git a/testing/source/PAM/n/nss-pam-ldapd/nss-pam-ldapd.url b/testing/source/PAM/n/nss-pam-ldapd/nss-pam-ldapd.url
new file mode 100644
index 00000000..2644c0eb
--- /dev/null
+++ b/testing/source/PAM/n/nss-pam-ldapd/nss-pam-ldapd.url
@@ -0,0 +1 @@
+https://arthurdejong.org/nss-pam-ldapd
diff --git a/testing/source/PAM/n/nss-pam-ldapd/rc.nss-pam-ldapd b/testing/source/PAM/n/nss-pam-ldapd/rc.nss-pam-ldapd
new file mode 100644
index 00000000..7a4252a3
--- /dev/null
+++ b/testing/source/PAM/n/nss-pam-ldapd/rc.nss-pam-ldapd
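Review bot: The `chmod 600 $PKG/etc/nslcd.conf.new` step in nss-pam-ldapd.SlackBuild protects the credential, but nothing in this commit provides or documents the unprivileged account nslcd is meant to run as: if the packaged nslcd.conf keeps upstream's default `uid nslcd` / `gid nslcd` settings (the file itself is not shown here), the daemon presumably refuses to start until that user and group exist, and neither the SlackBuild nor doinst.sh creates or checks for them. Slackware normally reserves such uid/gid pairs in its system user and group list rather than adding them from a package, so the build should at least state which account it depends on; a comment next to the chmod such as `# nslcd drops root to the uid/gid named in nslcd.conf (upstream default: nslcd); that account must already exist on the target system` would record the assumption where the next packager will see it. The rc script in the same commit creates /run/nslcd root-owned and so rests on the same account being resolvable.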
@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# rc.nss-pam-ldapd: start/stop/restart nslcd
+#
+# nslcd is a daemon that will do LDAP queries for local processes that want
+# to do user, group, and other naming lookups (NSS), or do user authentication,
+# authorization, or password modification (PAM).
+
+nslcd_start() {
+ if [ -x /usr/sbin/nslcd -a -r /etc/nslcd.conf ]; then
+ # Ensure /run directory exists:
+ mkdir -p /run/nslcd
+ echo "Starting local LDAP name service daemon: /usr/sbin/nslcd"
+ /usr/sbin/nslcd
+ fi
+}
+
+nslcd_stop() {
+ echo "Stopping local LDAP name service daemon."
+ killall --ns $$ nslcd
+}
+
+case "$1" in
+'start')
+ nslcd_start
+ ;;
+'stop')
+ nslcd_stop
+ ;;
+'restart')
+ nslcd_stop
+ sleep 2
+ nslcd_start
+ ;;
+*)
+ echo "usage $0 start|stop|restart"
+esac
diff --git a/testing/source/PAM/n/nss-pam-ldapd/slack-desc b/testing/source/PAM/n/nss-pam-ldapd/slack-desc
new file mode 100644
index 00000000..fed065b2
--- /dev/null
+++ b/testing/source/PAM/n/nss-pam-ldapd/slack-desc
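Review bot: `nslcd_start` folds both preconditions into a single bracket with the `-a` operator (`[ -x /usr/sbin/nslcd -a -r /etc/nslcd.conf ]`); POSIX lists `-a` inside `test` as obsolescent, and under `#!/bin/sh` the portable spelling is `if [ -x /usr/sbin/nslcd ] && [ -r /etc/nslcd.conf ]; then`. The `mkdir -p /run/nslcd` that follows creates the socket directory root-owned and leaves it to nslcd to adjust ownership before it drops privileges, which I believe upstream does but which the `# Ensure /run directory exists:` comment should confirm, since an unwritable run directory is the kind of failure that only shows up in the log at boot. `nslcd_stop` terminates by process name with `killall --ns $$ nslcd`, so any other process called nslcd in the same namespace goes with it; if upstream writes a pid file under its run directory (not visible here), stopping by that pid would be the more precise choice. There is also no guard in `nslcd_start` against a second instance, which is harmless only if nslcd locks its pid file itself.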
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.
+# Line up the first '|' above the ':' following the base package name, and
+# the '|' on the right side marks the last column you can put a character in.
+# You must make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+ |-----handy-ruler------------------------------------------------------|
+nss-pam-ldapd: nss-pam-ldapd (LDAP NSS/PAM module)
+nss-pam-ldapd:
+nss-pam-ldapd: nss-pam-ldapd is an NSS and PAM module that allows your LDAP server to
+nss-pam-ldapd: provide user account, group, host name, alias, netgroup, and basically
+nss-pam-ldapd: any other information that you would normally get from /etc/ flat
+nss-pam-ldapd: files or NIS. It also allows you to do authentication to an LDAP
+nss-pam-ldapd: server.
+nss-pam-ldapd:
+nss-pam-ldapd: Homepage: https://arthurdejong.org/nss-pam-ldapd/
+nss-pam-ldapd:
+nss-pam-ldapd: |