saslauthd finalization

tiredofit · tiredofit · commit 14b2f7202238 · 2026-04-15T22:41:18.000-07:00
diff --git a/README.md b/README.md
@@ -260,21 +260,32 @@ If you already have a check_password.conf or ppm.conf in /etc/openldap/ the foll
 
 #### SASLAuthd Options
 
-| Variable                             | Description                                   | Default                |
-| ------------------------------------ | --------------------------------------------- | ---------------------- |
-| `ENABLE_SASLAUTHD`                   | Enable saslauthd daemon                       | `FALSE`                |
-| `SASLAUTHD_LOG_TYPE`                 | Log Type `file` `console` `both` `none`       | `both`                 |
-| `SASLAUTHD_LOG_PATH`                 | Log Path                                      | `/logs/`               |
-| `SASLAUTHD_LOG_FILE`                 | Log File                                      | `saslauthd.log`        |
-| `SASLAUTHD_PATH`                     | Path for volatile data                        | `/run/saslauthd/`      |
-| `SASLAUTHD_COMBINE_REALM`            | Combine Realms                                | `FALSE`                |
-| `SASLAUTHD_ENABLE_ACCEPT_LOCKING`    | Enable accept() Locking                       | `FALSE`                |
-| `SASLAUTHD_ENABLE_CREDENTIAL_CACHE`  | Enable Credential Caching                     | `TRUE`                 |
-| `SASLAUTHD_CREDENTIAL_CACHE_SIZE`    | Cache size in kilobytes                       |                        |
-| `SASLAUTHD_CREDENTIAL_CACHE_TIMEOUT` | Cache timeout in seconds                      |                        |
-| `SASLAUTHD_PROCESSES`                | Processes to run (0 dynamic)                  | `0`                    |
-| `SASLAUTHD_TYPE`                     | Type when writing `/etc/sasl/slapd.conf`      | `pam`                  |
-| `SASLAUTHD_MECH_LIST`                | Mech List when writing `/etc/sasl/slapd.conf` | `PLAIN LOGIN EXTERNAL` |
+| Variable                             | Description                                                                                | Default                                     |
+| ------------------------------------ | ------------------------------------------------------------------------------------------ | ------------------------------------------- |
+| `ENABLE_SASLAUTHD`                   | Enable saslauthd daemon                                                                    | `FALSE`                                     |
+| `SASLAUTHD_LOG_TYPE`                 | Log Type `file` `console` `both` `none`                                                    | `both`                                      |
+| `SASLAUTHD_LOG_PATH`                 | Log Path                                                                                   | `/logs/`                                    |
+| `SASLAUTHD_LOG_FILE`                 | Log File                                                                                   | `saslauthd.log`                             |
+| `SASLAUTHD_CONFIG_PATH`              | Path for storing SASLAUTHD_SLAPD_CONFIG_FILE - if not default will symlink to this default | `/etc/sasl2/`                               |
+| `SASLAUTHD_SLAPD_CONFIG_FILE`        | Configuration file for slapd                                                               | `slapd.conf`                                |
+| `SASLAUTHD_RUN_PATH`                 | Path for volatile data                                                                     | `/run/saslauthd/`                           |
+| `SASLAUTHD_COMBINE_REALM`            | Combine Realms                                                                             | `FALSE`                                     |
+| `SASLAUTHD_ENABLE_ACCEPT_LOCKING`    | Enable accept() Locking                                                                    | `FALSE`                                     |
+| `SASLAUTHD_ENABLE_CREDENTIAL_CACHE`  | Enable Credential Caching                                                                  | `TRUE`                                      |
+| `SASLAUTHD_CREDENTIAL_CACHE_SIZE`    | Cache size in kilobytes                                                                    |                                             |
+| `SASLAUTHD_CREDENTIAL_CACHE_TIMEOUT` | Cache timeout in seconds                                                                   |                                             |
+| `SASLAUTHD_PROCESSES`                | Processes to run (0 dynamic)                                                               | `0`                                         |
+| `SASLAUTHD_AUTO_CONFIGURE`           | Auto configure ${SASLAUTHD_CONFIG_PATH}/${SASLAUTHD_SLAPD_CONFIG_FILE}                     | `TRUE`                                      |
+| `SASLAUTHD_SLAPD_TYPE`               | Type when writing `/etc/sasl/slapd.conf`                                                   | `pam`                                       |
+| `SASLAUTHD_MECH_LIST`                | Mech List when writing `/etc/sasl/slapd.conf`                                              | `PLAIN LOGIN EXTERNAL`                      |
+| `SASLAUTHD_SLAPD_TYPE`               |                                                                                            | `pam`                                       |
+| `SASLAUTHD_PAM_CONFIG_PATH`          | Pam Configuration path - If not default will symlink to this                               | `/etc/pam/`                                 |
+| `SASLAUTHD_SLAPD_PAM_FILE`           | Pam Configuration file - If not default will symlink to this                               | `ldap`                                      |
+| `SASLAUTHD_PAM_AUTO_CONFIGURE`       | Auto configure ${SASLAUTHD_PAM_CONFIG_PATH}/${SASLAUTHD_PAM_SLAPD_CONFIG_FILE}             | `TRUE`                                      |
+| `SASLAUTHD_PAM_LDAP_AUTH_ENTRY`      | Auth line entry                                                                            | see second line |
+| | `required pam_exec.so debug expose_authtok` | |
+| `SASLAUTHD_PAM_LDAP_ACCOUNT_ENTRY`   | Account line entry                                                                         | see second line                    |
+| | ``required pam_permit.so` | |
 
 ## Users and Groups
 
diff --git a/rootfs/container/defaults/30-saslauthd b/rootfs/container/defaults/30-saslauthd
@@ -2,14 +2,22 @@
 #
 # SPDX-License-Identifier: MIT
 
-ENABLE_SASLAUTHD=${ENABLE_SASLAUTHD:-"FALSE"}
+ENABLE_SASLAUTHD=${ENABLE_SASLAUTHD:-"TRUE"}
+SASLAUTHD_AUTO_CONFIGURE=${SASLAUTHD_AUTO_CONFIGURE:-"TRUE"}
 SASLAUTHD_COMBINE_REALM=${SASLAUTHD_COMBINE_REALM:-"FALSE"}
+SASLAUTHD_CONFIG_PATH=${SASLAUTHD_CONFIG_PATH:-"/etc/sasl2"}
 SASLAUTHD_ENABLE_ACCEPT_LOCKING=${SASLAUTHD_ENABLE_ACCEPT_LOCKING:-"FALSE"}
 SASLAUTHD_ENABLE_CREDENTIAL_CACHE=${SASLAUTHD_ENABLE_CREDENTIAL_CACHE:-"TRUE"}
 SASLAUTHD_LOG_FILE=${SASLAUTHD_LOG_FILE:-"saslauthd.log"}
 SASLAUTHD_LOG_PATH=${SASLAUTH_LOG_PATH:-"/logs/"}
 SASLAUTHD_LOG_TYPE=${SASLAUTHD_LOG_TYPE:-"FILE"}
 SASLAUTHD_MECH_LIST=${SASLAUTHD_MECH_LIST:-"PLAIN LOGIN EXTERNAL"}
-SASLAUTHD_PATH=${SASLAUTHD_PATH:-"/run/saslauthd/"}
+SASLAUTHD_PAM_AUTO_CONFIGURE=${SASLAUTHD_PAM_AUTO_CONFIGURE:-"TRUE"}
+SASLAUTHD_PAM_LDAP_ACCOUNT_ENTRY=${SASLAUTHD_PAM_LDAP_ACCOUNT_ENTRY:-"required pam_permit.so"}
+SASLAUTHD_PAM_LDAP_AUTH_ENTRY=${SASLAUTHD_PAM_LDAP_AUTH_ENTRY:-"required pam_exec.so debug expose_authtok"}
 SASLAUTHD_PROCESSES=${SASLAUTHD_PROCESSES:-"0"}
-SASLAUTHD_TYPE=${SASLAUTHD_TYPE:-"pam"}
+SASLAUTHD_RUN_PATH=${SASLAUTHD_RUN_PATH:-"/run/saslauthd/"}
+SASLAUTHD_SLAPD_CONFIG_FILE=${SASLAUTHD_SLAPD_CONFIG_FILE:-"slapd.conf"}
+SASLAUTHD_PAM_CONFIG_PATH=${SASLAUTHD_PAM_CONFIG_PATH:-"/etc/pam/"}
+SASLAUTHD_SLAPD_PAM_FILE=${SASLAUTHD_SLAPD_PAM_FILE:-"ldap"}
+SASLAUTHD_SLAPD_TYPE=${SASLAUTHD_TYPE:-"pam"}
diff --git a/rootfs/container/functions/30-saslauthd b/rootfs/container/functions/30-saslauthd
@@ -3,20 +3,58 @@
 # SPDX-License-Identifier: MIT
 
 saslauthd_bootstrap_filesystem() {
-    create_folder "${SASLAUTHD_PATH}" root:root 755
+    if [ "${SASLAUTHD_CONFIG_PATH%/}" != "/etc/sasl2" ] ; then
+        rm -rf /etc/sasl2
+        ln -sf "${SASLAUTHD_CONFIG_PATH%/}" /etc/sasl2
+    fi
+    create_folder "${SASLAUTHD_CONFIG_PATH}" root:ldap 750 force
     case "${SASLAUTHD_LOG_TYPE,,}" in
         file | both )
             touch "${SASLAUTHD_LOG_PATH%/}"/"${SASLAUTHD_LOG_FILE}"
             saslauthd_log_file="${SASLAUTHD_LOG_PATH%/}"/"${SASLAUTHD_LOG_FILE}"
             create_logrotate saslauthd "${SASLAUTHD_LOG_PATH%/}"/"${SASLAUTHD_LOG_FILE}" none root root
         ;;
     esac
+
+    create_folder "${SASLAUTHD_RUN_PATH%/}" root:ldap 750 force
 }
 
+
 saslauthd_configure_daemon() {
-    write_file /etc/sasl2/slapd.conf:600 <<EOF
+    if var_true "${SASLAUTHD_AUTO_CONFIGURE}" ; then
+        write_file "${SASLAUTHD_CONFIG_PATH%/}"/"${SASLAUTHD_SLAPD_CONFIG_FILE}":640 <<EOF
 pwcheck_method: saslauthd
-saslauthd_path: ${SASLAUTHD_PATH}/mux
+saslauthd_path: ${SASLAUTHD_RUN_PATH}/mux
 mech_list: ${SASLAUTHD_MECH_LIST}
 EOF
+    else
+        print_warning "SASLAUTHD_AUTO_CONFIGURE is disabled, skipping automatic configuration for saslauthd. Ensure that the appropriate configuration files are mounted at ${SASLAUTHD_CONFIG_PATH%/}/${SASLAUTHD_SLAPD_CONFIG_FILE} and ${SASLAUTHD_PAM_CONFIG_PATH%/}/${SASLAUTHD_PAM_LDAP_CONFIG_FILE} with the necessary entries for saslauthd"
+        chmod 640 "${SASLAUTHD_CONFIG_PATH%/}"/"${SASLAUTHD_SLAPD_CONFIG_FILE}"
+        chown root:ldap "${SASLAUTHD_CONFIG_PATH%/}"/"${SASLAUTHD_SLAPD_CONFIG_FILE}"
+    fi
+}
+
+saslauthd_configure_pam() {
+    if [ "${SASLAUTHD_SLAPD_TYPE,,}" = "pam" ] ; then
+        print_notice "Configuring PAM for saslauthd/slapd"
+        if [ -n "${SASLAUTHD_LDAP_PAM_CONFIG_FILE}" ] ; then
+            ln -s "${SASLAUTHD_PAM_CONFIG_PATH%/}"/"${SASLAUTHD_PAM_LDAP_CONFIG_FILE}" /etc/pam.d/ldap
+        fi
+
+        if [ "${SASLAUTHD_PAM_CONFIG_PATH%/}" != "/etc/pam" ] && [ "${SASLAUTHD_PAM_LDAP_CONFIG_FILE}" != "ldap" ] ; then
+            rm -rf /etc/pam/ldap
+            ln -s "${SASLAUTHD_PAM_CONFIG_PATH%/}"/"${SASLAUTHD_PAM_LDAP_CONFIG_FILE}" /etc/pam.d/ldap
+        fi
+        if var_true "${SASLAUTHD_PAM_AUTO_CONFIGURE}" ; then
+            write_file "${SASLAUTHD_PAM_CONFIG_PATH%/}"/"${SASLAUTHD_PAM_LDAP_CONFIG_FILE}":700 <<EOF
+auth    ${SASLAUTHD_PAM_LDAP_AUTH_ENTRY}
+account ${SASLAUTHD_PAM_LDAP_ACCOUNT_ENTRY}
+EOF
+        else
+            chmod 644 "${SASLAUTHD_PAM_CONFIG_PATH%/}"/"${SASLAUTHD_PAM_LDAP_CONFIG_FILE}"
+            chown root:ldap "${SASLAUTHD_PAM_CONFIG_PATH%/}"/"${SASLAUTHD_PAM_LDAP_CONFIG_FILE}"
+            print_warning "SASLAUTHD_PAM_AUTO_CONFIGURE is disabled, skipping PAM configuration for saslauthd. Ensure that the appropriate PAM configuration file is mounted at ${SASLAUTHD_PAM_CONFIG_PATH%/}/${SASLAUTHD_PAM_LDAP_CONFIG_FILE} with the necessary auth and account entries for saslauthd"
+        fi
+    fi
 }
+dcu
diff --git a/rootfs/container/init/init.d/30-saslauthd b/rootfs/container/init/init.d/30-saslauthd
@@ -11,6 +11,7 @@ if var_true "${ENABLE_SASLAUTHD}" ; then
     print_notice "Configuring saslauthd"
     saslauthd_bootstrap_filesystem
     saslauthd_configure_daemon
+    saslauthd_configure_pam
 else
     print_debug "Disabling saslauthd"
     service_stop 30-saslauthd
diff --git a/rootfs/container/run/available/30-saslauthd/run b/rootfs/container/run/available/30-saslauthd/run
@@ -57,7 +57,7 @@ _exec_log() {
 print_start "Starting SASL Authentication Daemon"
 _exec_log "${SASLAUTHD_LOG_TYPE}" "${saslauthd_log_file}" \
     /usr/sbin/saslauthd \
-        -m ${SASLAUTHD_PATH} \
-        -a ${SASLAUTHD_TYPE} \
+        -m ${SASLAUTHD_RUN_PATH%/} \
+        -a ${SASLAUTHD_SLAPD_TYPE} \
         -n ${SASLAUTHD_PROCESSES} \
         -d ${cc_args} ${lock_args} ${combine_realm_arg} ${SASLAUTHD_EXTRA_ARGS}
