diff --git a/conf/core/usersources.ini.template b/conf/core/usersources.ini.template
index df221ef5f87033444138f2e9e9d3fe6886c696a3..9f821e2c045d045b957d46a7de517eae3fb6c1ba 100644
--- a/conf/core/usersources.ini.template
+++ b/conf/core/usersources.ini.template
@@ -25,6 +25,7 @@ defaultRealm = PAM [PAM]
 class = caosdb.server.accessControl.Pam
+; pam_script = "./misc/pam_authentication/pam_authentication.sh"
 default_status = ACTIVE
 ;include.user = [uncomment and put your users here]
 ;include.group = [uncomment and put your groups here]
diff --git a/misc/pam_authentication/ldap.conf b/misc/pam_authentication/ldap.conf
new file mode 100644
index 0000000000000000000000000000000000000000..aca5b0491bc937997f7e70efae09d92c55564e67
--- /dev/null
+++ b/misc/pam_authentication/ldap.conf
@@ -0,0 +1,7 @@
+# This file is sourced by the LDAP authentication script
+
+
+# Set the ldap server here. This is also used to generate a fully qualified
+# user name.
+
+# LDAP_SERVER="example.com"
diff --git a/misc/pam_authentication/ldap_authentication.sh b/misc/pam_authentication/ldap_authentication.sh
new file mode 100644
index 0000000000000000000000000000000000000000..3b64a295fa94c266fe89410b0c13f1c253aee7b2
--- /dev/null
+++ b/misc/pam_authentication/ldap_authentication.sh
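Review bot: The example setting added under [PAM] points at `./misc/pam_authentication/pam_authentication.sh`, while the script this commit adds in that directory is `ldap_authentication.sh`; if the LDAP script is meant to be selectable through this key, the template should show that too, for example a second commented line `; pam_script = "./misc/pam_authentication/ldap_authentication.sh"`, and if pam_authentication.sh is a separate pre-existing script, a short comment on which to choose would help. The path is relative, so it presumably resolves against the server process's working directory rather than the install root; if that is the intent it is worth saying so in the comment, since a wrong working directory silently disables the check.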
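Review bot: The header comment says the file is sourced but not that this means it is executed as shell code by ldap_authentication.sh, with the privileges of whatever process runs the authentication check; I would state that and the consequence for file ownership, e.g. `# NOTE: this file is executed as shell code by ldap_authentication.sh; keep it owned by, and writable only by, the account running the server`. The name also coincides with OpenLDAP's own client configuration file ldap.conf, which the ldap* tools read from their sysconf directory, so a more specific name such as `ldap_authentication.conf` would avoid confusing the two. The example line `# LDAP_SERVER="example.com"` is fine as written.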
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# ** header v3.0
+# This file is a part of the CaosDB Project.
+#
+# Copyright (c) 2020 IndiScale GmbH
+# Copyright (c) 2020 Daniel Hornung <d.hornung@indiscale.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+#
+# ** end header
+
+# Try to authenticate a user ($1) with a password ($2) via LDAP
+
+# set LDAP_SERVER here
+# e.g. `LDAP_SERVER=example.com`
+. ldap.conf
+
+username="${1}@${LDAP_SERVER}"
+pw="$2"
+
+if ldapwhoami -x -H "ldap://$LDAP_SERVER" -D "$username" -w "$pw" ; then
+ echo "[OK]"
+ exit 0
+else
+ echo "[FAILED]"
+ exit 1
+fi
+
+
+
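Review bot: An empty second argument reaches the `if ldapwhoami -x ... -w "$pw"` line as `-w ""`, which makes the simple bind an unauthenticated bind (RFC 4513 section 5.1.2) rather than a failed login; directories that accept unauthenticated binds (Active Directory does by default) then answer success and the script prints [OK] for any existing user with no password at all, so `$1` and `$2` must be rejected when empty before the server is contacted. The same line has two further weaknesses: the URL is plain `ldap://` without `-ZZ`, so the password crosses the network in clear unless the directory is only reachable over `ldaps://`, and `-w "$pw"` places the password on the command line where `ps` shows it to every local user, which `-y` with a file descriptor avoids (OpenLDAP's `-y` reads a pipe to EOF; confirm with the installed version). The `. ldap.conf` line resolves the file relative to the caller's working directory, and bash also searches PATH for a slash-less name, so the configuration should be loaded from the script's own directory and LDAP_SERVER asserted non-empty, otherwise the bind goes to `ldap://` with user `name@`. Whether the `user@server` bind-identity form is what the target directory expects depends on that server and is left as written.

```shell
#!/bin/bash
# … unchanged: license header and description comment …

# Load ldap.conf from this script's directory, not from the caller's cwd
# (a slash-less name would also be looked up via PATH by `.`).
script_dir="$(cd -- "$(dirname -- "$0")" && pwd)"
. "${script_dir}/ldap.conf"
: "${LDAP_SERVER:?LDAP_SERVER must be set in ldap.conf}"

username="${1}@${LDAP_SERVER}"
pw="$2"

# An empty password turns the simple bind into an unauthenticated bind
# (RFC 4513 5.1.2), which some directories accept; refuse it up front.
if [[ -z "$1" || -z "$pw" ]]; then
  echo "[FAILED]"
  exit 1
fi

# -ZZ insists on StartTLS so the password is not sent in clear (use an
# ldaps:// URL instead if that is what the directory offers); -y reads the
# password from a file descriptor instead of argv, where ps would expose it.
if ldapwhoami -x -ZZ -H "ldap://$LDAP_SERVER" -D "$username" -y <(printf '%s' "$pw"); then
  # … unchanged: [OK] / [FAILED] branches and exit codes …
```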