fixed filter

2020-07-23 16:22:15 -04:00 · 2020-07-23 16:22:15 -04:00 · c9a745abca
commit c9a745abca
parent 39b84ec2f8
1 changed files with 34 additions and 4 deletions
--- a/index.sh
+++ b/index.sh
@ -1,9 +1,16 @@
 #!/bin/bash

+
+# Stop this script on any error.
 set -e

+
+# Pull in the mustache template library for bash
 source lib/mo

+
+# Set some variables for the test of the file
+## TODO! Dont hard code these values.
 export ldap_host="192.168.1.55"
 export ldap_base_dn="dc=theta42,dc=com"

@ -16,6 +23,7 @@ export ldap_bind_password=$2
 export current_host=`hostname`


+# Configure the options for the LDAP packages based on debian or ubuntu
 if grep -qiE "^NAME=\"debian" /etc/os-release; then

 	echo "libnss-ldap libnss-ldap/rootbindpw string $ldap_admin_password" | debconf-set-selections
@ -53,7 +61,13 @@ else
 	echo "ldap-auth-config ldap-auth-config/override boolean true" | debconf-set-selections
 fi

+
+# Install the requires packages for LDAP PAM telling apt to ignore any interactive options
 DEBIAN_FRONTEND=noninteractive apt install -y libnss-ldap libpam-ldap ldap-utils nscd
+
+
+# Configure the system to use LDAP for PAM. Some versions include `auth-client-config` and others dont.
+# `auth-client-config` requires python2.x, so support for it is dropping.
 if which auth-client-config >/dev/null; then
 	auth-client-config -t nss -p lac_ldap
 else
@ -61,22 +75,36 @@ else
 	sed -i '/group/ s/$/ ldap/' /etc/nsswitch.conf
 	sed -e s/use_authtok//g -i /etc/pam.d/common-password
 fi
-
 pam-auth-update --enable ldap
+
+
+# Enable the system to create home directories for LDAP users who do not have one on first login 
 pam-auth-update --enable mkhomedir
 echo "session required pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
+
+
+# Restart the Name Service cache daemon, unsure if this is required.
 systemctl restart nscd
 systemctl enable nscd

-## filter PAM login for only group members
-echo "pam_filter &(|(memberof=cn=host_access,ou=groups,dc=theta42,dc=com)(memberof=cn=host_`hostname`_access,ou=groups,dc=theta42,dc=com))" >> /etc/ldap.conf
+
+# Apply LDAP group filter for PAM LDAP login
+# Different distros/versions read the filter from different places.
+PAM_LDAP_filter="pam_filter &(|(memberof=cn=host_access,ou=groups,dc=theta42,dc=com)(memberof=cn=host_`hostname`_access,ou=groups,dc=theta42,dc=com))"
+
+if grep -qiE "^NAME=\"debian" /etc/os-release; then
+	echo "$PAM_LDAP_filter" >> /etc/pam_ldap.conf
+else
+echo "$PAM_LDAP_filter" >> /etc/ldap/ldap.conf
+echo "$PAM_LDAP_filter" >> /etc/ldap.conf
+

 ## Set up sudo-ldap
-
 apt install -y sudo-ldap
 sudo_ldap_template="$(cat files/sudo-ldap.conf)"
 echo "$sudo_ldap_template" | mo > /etc/sudo-ldap.conf

+
 ## Set up SSHkey via LDAP
 sudo_ldap_template="$(cat files/ldap-ssh-key.sh)"
 echo "$sudo_ldap_template" | mo > /usr/local/bin/ldap-ssh-key
@ -86,3 +114,5 @@ echo "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" >> /etc/ssh/sshd_config
 echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config

 service ssh restart
+
+exit 0