ldap/pam: enable pam/ldap authentication

- modify pam configuration files to use ldap - modify sshd to enable pam - modify nsswitch.conf to use ldap Signed-off-by: Amy Fong <amy.fong@windriver.com>
author: Amy Fong <amy.fong@windriver.com> 2014-07-22 09:55:30 -0400
committer: Bruce Ashfield <bruce.ashfield@windriver.com> 2014-07-30 00:50:21 -0400
commit: 91f39a6e38e6e6fd1e9b6582fb85cd273f3249bb (patch)
tree: 9d936adcd87c0b814d13f135340d81c48fe82aed
parent: 9ec30c79de0764d8c45518644e539e18ddde8b84 (diff)
download: meta-cloud-services-91f39a6e38e6e6fd1e9b6582fb85cd273f3249bb.tar.gz
11 files changed, 341 insertions, 0 deletions
diff --git a/meta-openstack/recipes-connectivity/openssh/files/mcs-sshd b/meta-openstack/recipes-connectivity/openssh/files/mcs-sshd
new file mode 100755
index 0000000..3420bd2
--- /dev/null
+++ b/meta-openstack/recipes-connectivity/openssh/files/mcs-sshd
@@ -0,0 +1,33 @@
+# PAM configuration for the Secure Shell service
+# Standard Un*x authentication.
+auth include common-auth
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+# Standard Un*x authorization.
+account include common-account
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+# Standard Un*x session setup and teardown.
+session include common-session
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# Standard Un*x password updating.
+password include common-password
diff --git a/meta-openstack/recipes-connectivity/openssh/files/mcs-sshd_config b/meta-openstack/recipes-connectivity/openssh/files/mcs-sshd_config
new file mode 100644
index 0000000..7c2c7d9
--- /dev/null
+++ b/meta-openstack/recipes-connectivity/openssh/files/mcs-sshd_config
@@ -0,0 +1,120 @@
+#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options change a
+# default value.
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+# Authentication:
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile     .ssh/authorized_keys
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+PermitEmptyPasswords yes
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+# Set this to 'yes' to enable PAM authentication, account processing, 
+# and session processing. If this is enabled, PAM authentication will 
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+UsePAM yes
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+Compression no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+# no default banner path
+#Banner none
+# override default of no subsystems
+Subsystem       sftp    /usr/libexec/sftp-server
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       ForceCommand cvs server
diff --git a/meta-openstack/recipes-connectivity/openssh/openssh_6.0p1.bbappend b/meta-openstack/recipes-connectivity/openssh/openssh_6.0p1.bbappend
new file mode 100644
index 0000000..ad7e232
--- /dev/null
+++ b/meta-openstack/recipes-connectivity/openssh/openssh_6.0p1.bbappend
@@ -0,0 +1,13 @@
+PRINC = "1"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+SRC_URI += "file://mcs-sshd"
+SRC_URI += "file://mcs-sshd_config"
+do_install_append() {
+    if ${@base_contains('DISTRO_FEATURES', 'OpenLDAP', 'true', 'false', d)}; then
+        install -D -m 644 ${WORKDIR}/mcs-sshd ${D}/etc/pam.d/sshd
+        install -D -m 644 ${WORKDIR}/mcs-sshd_config ${D}/etc/ssh/sshd_config
+    fi
+}
diff --git a/meta-openstack/recipes-core/base-files/base-files_3.0.14.bbappend b/meta-openstack/recipes-core/base-files/base-files_3.0.14.bbappend
new file mode 100644
index 0000000..a24bc7f
--- /dev/null
+++ b/meta-openstack/recipes-core/base-files/base-files_3.0.14.bbappend
@@ -0,0 +1,15 @@
+PRINC = "1"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+SRC_URI += "file://nsswitch.conf"
+PACKAGECONFIG ?= "${@base_contains('DISTRO_FEATURES', 'OpenLDAP', 'OpenLDAP', '', d)}"
+PACKAGECONFIG[OpenLDAP] = ",,,nss-pam-ldapd"
+do_install_append() {
+    if ${@base_contains('DISTRO_FEATURES', 'OpenLDAP', 'true', 'false', d)}; then
+        install -m 755 -d ${D}/etc/
+        install -m 644 ${WORKDIR}/nsswitch.conf ${D}/etc/
+    fi
+}
diff --git a/meta-openstack/recipes-core/base-files/files/nsswitch.conf b/meta-openstack/recipes-core/base-files/files/nsswitch.conf
new file mode 100644
index 0000000..0bc04be
--- /dev/null
+++ b/meta-openstack/recipes-core/base-files/files/nsswitch.conf
@@ -0,0 +1,19 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+passwd:         compat ldap
+group:          compat ldap
+shadow:         compat ldap
+hosts:          files dns
+networks:       files
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+netgroup:       nis
diff --git a/meta-openstack/recipes-extended/libpam/files/common-account b/meta-openstack/recipes-extended/libpam/files/common-account
new file mode 100644
index 0000000..66cc62c
--- /dev/null
+++ b/meta-openstack/recipes-extended/libpam/files/common-account
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.  The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+#
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
+# here's the fallback if no module succeeds
+account requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config
diff --git a/meta-openstack/recipes-extended/libpam/files/common-auth b/meta-openstack/recipes-extended/libpam/files/common-auth
new file mode 100644
index 0000000..e5b429d
--- /dev/null
+++ b/meta-openstack/recipes-extended/libpam/files/common-auth
@@ -0,0 +1,21 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+# here are the per-package modules (the "Primary" block)
+auth    [success=2 default=ignore]      pam_unix.so nullok_secure
+auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth    optional                        pam_cap.so 
+# end of pam-auth-update config
diff --git a/meta-openstack/recipes-extended/libpam/files/common-password b/meta-openstack/recipes-extended/libpam/files/common-password
new file mode 100644
index 0000000..f9bbecc
--- /dev/null
+++ b/meta-openstack/recipes-extended/libpam/files/common-password
@@ -0,0 +1,28 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords.  Without this option,
+# the default is Unix crypt.  Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+# here are the per-package modules (the "Primary" block)
+password        [success=2 default=ignore]      pam_unix.so obscure sha512
+password        [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 try_first_pass
+# here's the fallback if no module succeeds
+password        requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password        required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/meta-openstack/recipes-extended/libpam/files/common-session b/meta-openstack/recipes-extended/libpam/files/common-session
new file mode 100644
index 0000000..7f95098
--- /dev/null
+++ b/meta-openstack/recipes-extended/libpam/files/common-session
@@ -0,0 +1,22 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# here are the per-package modules (the "Primary" block)
+session [default=1]                     pam_permit.so
+# here's the fallback if no module succeeds
+session requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required        pam_unix.so 
+session [success=ok default=ignore]     pam_ldap.so minimum_uid=1000
+session required pam_mkhomedir.so skel=/etc/skel umask=0022
+# end of pam-auth-update config
diff --git a/meta-openstack/recipes-extended/libpam/files/common-session-noninteractive b/meta-openstack/recipes-extended/libpam/files/common-session-noninteractive
new file mode 100644
index 0000000..f7f83ed
--- /dev/null
+++ b/meta-openstack/recipes-extended/libpam/files/common-session-noninteractive
@@ -0,0 +1,21 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+# here are the per-package modules (the "Primary" block)
+session [default=1]                     pam_permit.so
+# here's the fallback if no module succeeds
+session requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required        pam_unix.so 
+session [success=ok default=ignore]     pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config
diff --git a/meta-openstack/recipes-extended/libpam/libpam_1.1.5.bbappend b/meta-openstack/recipes-extended/libpam/libpam_1.1.5.bbappend
new file mode 100644
index 0000000..dc32cc9
--- /dev/null
+++ b/meta-openstack/recipes-extended/libpam/libpam_1.1.5.bbappend
@@ -0,0 +1,23 @@
+PRINC = "1"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+SRC_URI += "file://common-account"
+SRC_URI += "file://common-auth"
+SRC_URI += "file://common-password"
+SRC_URI += "file://common-session"
+SRC_URI += "file://common-session-noninteractive"
+PACKAGECONFIG ?= "${@base_contains('DISTRO_FEATURES', 'OpenLDAP', 'OpenLDAP', '', d)}"
+PACKAGECONFIG[OpenLDAP] = ",,,pam-plugin-mkhomedir nss-pam-ldapd"
+do_install_append() {
+    if ${@base_contains('DISTRO_FEATURES', 'OpenLDAP', 'true', 'false', d)}; then
+        install -m 755 -d ${D}/etc/pam.d/
+        install -m 644 ${WORKDIR}/common-account ${D}/etc/pam.d/
+        install -m 644 ${WORKDIR}/common-auth ${D}/etc/pam.d/
+        install -m 644 ${WORKDIR}/common-password ${D}/etc/pam.d/
+        install -m 644 ${WORKDIR}/common-session ${D}/etc/pam.d/
+        install -m 644 ${WORKDIR}/common-session-noninteractive ${D}/etc/pam.d/
+    fi
+}
author	Amy Fong <amy.fong@windriver.com>	2014-07-22 09:55:30 -0400
committer	Bruce Ashfield <bruce.ashfield@windriver.com>	2014-07-30 00:50:21 -0400
commit	91f39a6e38e6e6fd1e9b6582fb85cd273f3249bb (patch)
tree	9d936adcd87c0b814d13f135340d81c48fe82aed
parent	9ec30c79de0764d8c45518644e539e18ddde8b84 (diff)
download	meta-cloud-services-91f39a6e38e6e6fd1e9b6582fb85cd273f3249bb.tar.gz

diff --git a/meta-openstack/recipes-connectivity/openssh/files/mcs-sshd b/meta-openstack/recipes-connectivity/openssh/files/mcs-sshd new file mode 100755 index 0000000..3420bd2 --- /dev/null +++ b/meta-openstack/recipes-connectivity/openssh/files/mcs-sshd
@@ -0,0 +1,33 @@
	1	# PAM configuration for the Secure Shell service
	2
	3	# Standard Un*x authentication.
	4	auth include common-auth
	5
	6	# Disallow non-root logins when /etc/nologin exists.
	7	account required pam_nologin.so
	8
	9	# Uncomment and edit /etc/security/access.conf if you need to set complex
	10	# access limits that are hard to express in sshd_config.
	11	# account required pam_access.so
	12
	13	# Standard Un*x authorization.
	14	account include common-account
	15
	16	# Set the loginuid process attribute.
	17	session required pam_loginuid.so
	18
	19	# Create a new session keyring.
	20	session optional pam_keyinit.so force revoke
	21
	22	# Standard Un*x session setup and teardown.
	23	session include common-session
	24
	25	# Set up user limits from /etc/security/limits.conf.
	26	session required pam_limits.so
	27
	28	# Read environment variables from /etc/environment and
	29	# /etc/security/pam_env.conf.
	30	session required pam_env.so # [1]
	31
	32	# Standard Un*x password updating.
	33	password include common-password


diff --git a/meta-openstack/recipes-connectivity/openssh/files/mcs-sshd_config b/meta-openstack/recipes-connectivity/openssh/files/mcs-sshd_config new file mode 100644 index 0000000..7c2c7d9 --- /dev/null +++ b/meta-openstack/recipes-connectivity/openssh/files/mcs-sshd_config
@@ -0,0 +1,120 @@
	1	# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
	2
	3	# This is the sshd server system-wide configuration file. See
	4	# sshd_config(5) for more information.
	5
	6	# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
	7
	8	# The strategy used for options in the default sshd_config shipped with
	9	# OpenSSH is to specify options with their default value where
	10	# possible, but leave them commented. Uncommented options change a
	11	# default value.
	12
	13	#Port 22
	14	#AddressFamily any
	15	#ListenAddress 0.0.0.0
	16	#ListenAddress ::
	17
	18	# Disable legacy (protocol version 1) support in the server for new
	19	# installations. In future the default will change to require explicit
	20	# activation of protocol 1
	21	Protocol 2
	22
	23	# HostKey for protocol version 1
	24	#HostKey /etc/ssh/ssh_host_key
	25	# HostKeys for protocol version 2
	26	#HostKey /etc/ssh/ssh_host_rsa_key
	27	#HostKey /etc/ssh/ssh_host_dsa_key
	28
	29	# Lifetime and size of ephemeral version 1 server key
	30	#KeyRegenerationInterval 1h
	31	#ServerKeyBits 1024
	32
	33	# Logging
	34	# obsoletes QuietMode and FascistLogging
	35	#SyslogFacility AUTH
	36	#LogLevel INFO
	37
	38	# Authentication:
	39
	40	#LoginGraceTime 2m
	41	#PermitRootLogin yes
	42	#StrictModes yes
	43	#MaxAuthTries 6
	44	#MaxSessions 10
	45
	46	#RSAAuthentication yes
	47	#PubkeyAuthentication yes
	48	#AuthorizedKeysFile .ssh/authorized_keys
	49
	50	# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
	51	#RhostsRSAAuthentication no
	52	# similar for protocol version 2
	53	#HostbasedAuthentication no
	54	# Change to yes if you don't trust ~/.ssh/known_hosts for
	55	# RhostsRSAAuthentication and HostbasedAuthentication
	56	#IgnoreUserKnownHosts no
	57	# Don't read the user's ~/.rhosts and ~/.shosts files
	58	#IgnoreRhosts yes
	59
	60	# To disable tunneled clear text passwords, change to no here!
	61	#PasswordAuthentication yes
	62	PermitEmptyPasswords yes
	63
	64	# Change to no to disable s/key passwords
	65	#ChallengeResponseAuthentication yes
	66
	67	# Kerberos options
	68	#KerberosAuthentication no
	69	#KerberosOrLocalPasswd yes
	70	#KerberosTicketCleanup yes
	71	#KerberosGetAFSToken no
	72
	73	# GSSAPI options
	74	#GSSAPIAuthentication no
	75	#GSSAPICleanupCredentials yes
	76
	77	# Set this to 'yes' to enable PAM authentication, account processing,
	78	# and session processing. If this is enabled, PAM authentication will
	79	# be allowed through the ChallengeResponseAuthentication and
	80	# PasswordAuthentication. Depending on your PAM configuration,
	81	# PAM authentication via ChallengeResponseAuthentication may bypass
	82	# the setting of "PermitRootLogin without-password".
	83	# If you just want the PAM account and session checks to run without
	84	# PAM authentication, then enable this but set PasswordAuthentication
	85	# and ChallengeResponseAuthentication to 'no'.
	86	#UsePAM no
	87	UsePAM yes
	88
	89	#AllowAgentForwarding yes
	90	#AllowTcpForwarding yes
	91	#GatewayPorts no
	92	#X11Forwarding no
	93	#X11DisplayOffset 10
	94	#X11UseLocalhost yes
	95	#PrintMotd yes
	96	#PrintLastLog yes
	97	#TCPKeepAlive yes
	98	#UseLogin no
	99	UsePrivilegeSeparation yes
	100	#PermitUserEnvironment no
	101	Compression no
	102	ClientAliveInterval 15
	103	ClientAliveCountMax 4
	104	#UseDNS yes
	105	#PidFile /var/run/sshd.pid
	106	#MaxStartups 10
	107	#PermitTunnel no
	108	#ChrootDirectory none
	109
	110	# no default banner path
	111	#Banner none
	112
	113	# override default of no subsystems
	114	Subsystem sftp /usr/libexec/sftp-server
	115
	116	# Example of overriding settings on a per-user basis
	117	#Match User anoncvs
	118	# X11Forwarding no
	119	# AllowTcpForwarding no
	120	# ForceCommand cvs server


diff --git a/meta-openstack/recipes-connectivity/openssh/openssh_6.0p1.bbappend b/meta-openstack/recipes-connectivity/openssh/openssh_6.0p1.bbappend new file mode 100644 index 0000000..ad7e232 --- /dev/null +++ b/meta-openstack/recipes-connectivity/openssh/openssh_6.0p1.bbappend
@@ -0,0 +1,13 @@
	1	PRINC = "1"
	2
	3	FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
	4
	5	SRC_URI += "file://mcs-sshd"
	6	SRC_URI += "file://mcs-sshd_config"
	7
	8	do_install_append() {
	9	if ${@base_contains('DISTRO_FEATURES', 'OpenLDAP', 'true', 'false', d)}; then
	10	install -D -m 644 ${WORKDIR}/mcs-sshd ${D}/etc/pam.d/sshd
	11	install -D -m 644 ${WORKDIR}/mcs-sshd_config ${D}/etc/ssh/sshd_config
	12	fi
	13	}


diff --git a/meta-openstack/recipes-core/base-files/base-files_3.0.14.bbappend b/meta-openstack/recipes-core/base-files/base-files_3.0.14.bbappend new file mode 100644 index 0000000..a24bc7f --- /dev/null +++ b/meta-openstack/recipes-core/base-files/base-files_3.0.14.bbappend
@@ -0,0 +1,15 @@
	1	PRINC = "1"
	2
	3	FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
	4
	5	SRC_URI += "file://nsswitch.conf"
	6
	7	PACKAGECONFIG ?= "${@base_contains('DISTRO_FEATURES', 'OpenLDAP', 'OpenLDAP', '', d)}"
	8	PACKAGECONFIG[OpenLDAP] = ",,,nss-pam-ldapd"
	9
	10	do_install_append() {
	11	if ${@base_contains('DISTRO_FEATURES', 'OpenLDAP', 'true', 'false', d)}; then
	12	install -m 755 -d ${D}/etc/
	13	install -m 644 ${WORKDIR}/nsswitch.conf ${D}/etc/
	14	fi
	15	}


diff --git a/meta-openstack/recipes-core/base-files/files/nsswitch.conf b/meta-openstack/recipes-core/base-files/files/nsswitch.conf new file mode 100644 index 0000000..0bc04be --- /dev/null +++ b/meta-openstack/recipes-core/base-files/files/nsswitch.conf
@@ -0,0 +1,19 @@
	1	# /etc/nsswitch.conf
	2	#
	3	# Example configuration of GNU Name Service Switch functionality.
	4	# If you have the `glibc-doc' and `info' packages installed, try:
	5	# `info libc "Name Service Switch"' for information about this file.
	6
	7	passwd: compat ldap
	8	group: compat ldap
	9	shadow: compat ldap
	10
	11	hosts: files dns
	12	networks: files
	13
	14	protocols: db files
	15	services: db files
	16	ethers: db files
	17	rpc: db files
	18
	19	netgroup: nis


diff --git a/meta-openstack/recipes-extended/libpam/files/common-account b/meta-openstack/recipes-extended/libpam/files/common-account new file mode 100644 index 0000000..66cc62c --- /dev/null +++ b/meta-openstack/recipes-extended/libpam/files/common-account
@@ -0,0 +1,26 @@
	1	#
	2	# /etc/pam.d/common-account - authorization settings common to all services
	3	#
	4	# This file is included from other service-specific PAM config files,
	5	# and should contain a list of the authorization modules that define
	6	# the central access policy for use on the system. The default is to
	7	# only deny service to users whose accounts are expired in /etc/shadow.
	8	#
	9	# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
	10	# To take advantage of this, it is recommended that you configure any
	11	# local modules either before or after the default block, and use
	12	# pam-auth-update to manage selection of other modules. See
	13	# pam-auth-update(8) for details.
	14	#
	15
	16	# here are the per-package modules (the "Primary" block)
	17	account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
	18	# here's the fallback if no module succeeds
	19	account requisite pam_deny.so
	20	# prime the stack with a positive return value if there isn't one already;
	21	# this avoids us returning an error just because nothing sets a success code
	22	# since the modules above will each just jump around
	23	account required pam_permit.so
	24	# and here are more per-package modules (the "Additional" block)
	25	account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
	26	# end of pam-auth-update config


diff --git a/meta-openstack/recipes-extended/libpam/files/common-auth b/meta-openstack/recipes-extended/libpam/files/common-auth new file mode 100644 index 0000000..e5b429d --- /dev/null +++ b/meta-openstack/recipes-extended/libpam/files/common-auth
@@ -0,0 +1,21 @@
	1	#
	2	# /etc/pam.d/common-auth - authentication settings common to all services
	3	#
	4	# This file is included from other service-specific PAM config files,
	5	# and should contain a list of the authentication modules that define
	6	# the central authentication scheme for use on the system
	7	# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
	8	# traditional Unix authentication mechanisms.
	9
	10	# here are the per-package modules (the "Primary" block)
	11	auth [success=2 default=ignore] pam_unix.so nullok_secure
	12	auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
	13	# here's the fallback if no module succeeds
	14	auth requisite pam_deny.so
	15	# prime the stack with a positive return value if there isn't one already;
	16	# this avoids us returning an error just because nothing sets a success code
	17	# since the modules above will each just jump around
	18	auth required pam_permit.so
	19	# and here are more per-package modules (the "Additional" block)
	20	auth optional pam_cap.so
	21	# end of pam-auth-update config


diff --git a/meta-openstack/recipes-extended/libpam/files/common-password b/meta-openstack/recipes-extended/libpam/files/common-password new file mode 100644 index 0000000..f9bbecc --- /dev/null +++ b/meta-openstack/recipes-extended/libpam/files/common-password
@@ -0,0 +1,28 @@
	1	#
	2	# /etc/pam.d/common-password - password-related modules common to all services
	3	#
	4	# This file is included from other service-specific PAM config files,
	5	# and should contain a list of modules that define the services to be
	6	# used to change user passwords. The default is pam_unix.
	7
	8	# Explanation of pam_unix options:
	9	#
	10	# The "sha512" option enables salted SHA512 passwords. Without this option,
	11	# the default is Unix crypt. Prior releases used the option "md5".
	12	#
	13	# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
	14	# login.defs.
	15	#
	16	# See the pam_unix manpage for other options.
	17
	18	# here are the per-package modules (the "Primary" block)
	19	password [success=2 default=ignore] pam_unix.so obscure sha512
	20	password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass
	21	# here's the fallback if no module succeeds
	22	password requisite pam_deny.so
	23	# prime the stack with a positive return value if there isn't one already;
	24	# this avoids us returning an error just because nothing sets a success code
	25	# since the modules above will each just jump around
	26	password required pam_permit.so
	27	# and here are more per-package modules (the "Additional" block)
	28	# end of pam-auth-update config


diff --git a/meta-openstack/recipes-extended/libpam/files/common-session b/meta-openstack/recipes-extended/libpam/files/common-session new file mode 100644 index 0000000..7f95098 --- /dev/null +++ b/meta-openstack/recipes-extended/libpam/files/common-session
@@ -0,0 +1,22 @@
	1	#
	2	# /etc/pam.d/common-session - session-related modules common to all services
	3	#
	4	# This file is included from other service-specific PAM config files,
	5	# and should contain a list of modules that define tasks to be performed
	6	# at the start and end of sessions of any kind (both interactive and
	7	# non-interactive).
	8	#
	9
	10	# here are the per-package modules (the "Primary" block)
	11	session [default=1] pam_permit.so
	12	# here's the fallback if no module succeeds
	13	session requisite pam_deny.so
	14	# prime the stack with a positive return value if there isn't one already;
	15	# this avoids us returning an error just because nothing sets a success code
	16	# since the modules above will each just jump around
	17	session required pam_permit.so
	18	# and here are more per-package modules (the "Additional" block)
	19	session required pam_unix.so
	20	session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
	21	session required pam_mkhomedir.so skel=/etc/skel umask=0022
	22	# end of pam-auth-update config


diff --git a/meta-openstack/recipes-extended/libpam/files/common-session-noninteractive b/meta-openstack/recipes-extended/libpam/files/common-session-noninteractive new file mode 100644 index 0000000..f7f83ed --- /dev/null +++ b/meta-openstack/recipes-extended/libpam/files/common-session-noninteractive
@@ -0,0 +1,21 @@
	1	#
	2	# /etc/pam.d/common-session-noninteractive - session-related modules
	3	# common to all non-interactive services
	4	#
	5	# This file is included from other service-specific PAM config files,
	6	# and should contain a list of modules that define tasks to be performed
	7	# at the start and end of all non-interactive sessions.
	8	#
	9
	10	# here are the per-package modules (the "Primary" block)
	11	session [default=1] pam_permit.so
	12	# here's the fallback if no module succeeds
	13	session requisite pam_deny.so
	14	# prime the stack with a positive return value if there isn't one already;
	15	# this avoids us returning an error just because nothing sets a success code
	16	# since the modules above will each just jump around
	17	session required pam_permit.so
	18	# and here are more per-package modules (the "Additional" block)
	19	session required pam_unix.so
	20	session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
	21	# end of pam-auth-update config


diff --git a/meta-openstack/recipes-extended/libpam/libpam_1.1.5.bbappend b/meta-openstack/recipes-extended/libpam/libpam_1.1.5.bbappend new file mode 100644 index 0000000..dc32cc9 --- /dev/null +++ b/meta-openstack/recipes-extended/libpam/libpam_1.1.5.bbappend
@@ -0,0 +1,23 @@
	1	PRINC = "1"
	2
	3	FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
	4
	5	SRC_URI += "file://common-account"
	6	SRC_URI += "file://common-auth"
	7	SRC_URI += "file://common-password"
	8	SRC_URI += "file://common-session"
	9	SRC_URI += "file://common-session-noninteractive"
	10
	11	PACKAGECONFIG ?= "${@base_contains('DISTRO_FEATURES', 'OpenLDAP', 'OpenLDAP', '', d)}"
	12	PACKAGECONFIG[OpenLDAP] = ",,,pam-plugin-mkhomedir nss-pam-ldapd"
	13
	14	do_install_append() {
	15	if ${@base_contains('DISTRO_FEATURES', 'OpenLDAP', 'true', 'false', d)}; then
	16	install -m 755 -d ${D}/etc/pam.d/
	17	install -m 644 ${WORKDIR}/common-account ${D}/etc/pam.d/
	18	install -m 644 ${WORKDIR}/common-auth ${D}/etc/pam.d/
	19	install -m 644 ${WORKDIR}/common-password ${D}/etc/pam.d/
	20	install -m 644 ${WORKDIR}/common-session ${D}/etc/pam.d/
	21	install -m 644 ${WORKDIR}/common-session-noninteractive ${D}/etc/pam.d/
	22	fi
	23	}