From 67fcc8e088600caba232f1dfc632c7313e9bc440 Mon Sep 17 00:00:00 2001
From: John Thiltges
Date: Mon, 19 Oct 2015 15:12:32 -0500
Subject: [PATCH] Initial commit of spec and patches
---
 allow-anon-bind.patch | 22 ++++++++
 authproxy.sample-openldap.cfg | 19 +++++++
 duoauthproxy.spec | 96 +++++++++++++++++++++++++++++++++++
 non-interactive-install.patch | 25 +++++++++
 4 files changed, 162 insertions(+)
 create mode 100644 allow-anon-bind.patch
 create mode 100644 authproxy.sample-openldap.cfg
 create mode 100644 duoauthproxy.spec
 create mode 100644 non-interactive-install.patch
diff --git a/allow-anon-bind.patch b/allow-anon-bind.patch
new file mode 100644
index 0000000..028b8cb
--- /dev/null
+++ b/allow-anon-bind.patch
@@ -0,0 +1,22 @@
+Remove the check requiring a bind_dn
+
+The code assumes an Active Directory server. For a non-AD server, it works
+fine with an anonymous bind.
+
+diff -r -U3 duoauthproxy-2.4.12-src.orig/pkgs/duoauthproxy/duoauthproxy/modules/ad_client.py duoauthproxy-2.4.12-src/pkgs/duoauthproxy/duoauthproxy/modules/ad_client.py
+--- duoauthproxy-2.4.12-src.orig/pkgs/duoauthproxy/duoauthproxy/modules/ad_client.py 2015-08-04 08:39:11.000000000 -0500
++++ duoauthproxy-2.4.12-src/pkgs/duoauthproxy/duoauthproxy/modules/ad_client.py 2015-10-16 10:53:07.624913666 -0500
+@@ -293,13 +293,6 @@
+ ldap_filter = None
+
+ # validate configuration
+- if (auth_type == ldap.client.AD_AUTH_TYPE_PLAIN and not bind_dn):
+- raise base.ConfigError(
+- 'Missing required configuration item: if \'auth_type\' '
+- 'is \'plain\', then \'bind_dn\' is required')
+- else:
+- bind_dn = bind_dn or ''
+-
+ if (auth_type == ldap.client.AD_AUTH_TYPE_PLAIN
+ and transport_type == ldap.client.AD_TRANSPORT_CLEAR):
+ log.msg('WARNING: you have selected cleartext (plain) authentication for Active Directory')
diff --git a/authproxy.sample-openldap.cfg b/authproxy.sample-openldap.cfg
new file mode 100644
index 0000000..b925c15
--- /dev/null
+++ b/authproxy.sample-openldap.cfg
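Review bot: The nested hunk in allow-anon-bind.patch deletes the `else: bind_dn = bind_dn or ''` branch together with the ConfigError, so an unset `bind_dn` is no longer normalised to an empty string before the code further down uses it. Whether that later code tolerates `None` is not visible here (the function starts and ends outside the hunk), so it is safer to drop only the `raise` and keep the single line `bind_dn = bind_dn or ''`. Because the check is removed unconditionally, a deployment that simply forgot `bind_dn` now falls back to an anonymous bind instead of failing at start-up; a `log.msg('WARNING: no bind_dn configured, using anonymous bind')` at this point would keep that visible to operators.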
@@ -0,0 +1,19 @@
+[ad_client]
+host=ldap1.example.edu
+host_2=ldap2.example.edu
+host_3=ldap3.example.edu
+search_dn=ou=People,dc=example,dc=edu
+auth_type=plain
+username_attribute=uid
+service_account_username=
+service_account_password=
+bind_dn=
+
+[ldap_server_auto]
+ikey=IIIIIIIIIIIIIIIIIIII
+skey=ssssssssssssssssssssssssssssssssssssssss
+api_host=api-zzzzzzzz.duosecurity.com
+failmode=safe
+port=10389
+client=ad_client
+exempt_primary_bind=False
diff --git a/duoauthproxy.spec b/duoauthproxy.spec
new file mode 100644
index 0000000..f8612b1
--- /dev/null
+++ b/duoauthproxy.spec
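Review bot: The `[ad_client]` section in authproxy.sample-openldap.cfg pairs `auth_type=plain` with no `transport` setting, which per Duo's documentation leaves the upstream LDAP connection in cleartext, so user passwords cross the network unencrypted; this is the case the proxy's own WARNING in ad_client.py is about. As this is the template admins will copy, add `transport=starttls` and an `ssl_ca_certs_file=` line pointing at the site CA bundle. The `[ldap_server_auto]` listener on `port=10389` likewise has no `ssl_key_path`/`ssl_cert_path`, so clients appear to reach the proxy in cleartext as well. `failmode=safe` should carry a comment such as `; safe = allow logins on primary auth alone when Duo is unreachable; use secure to fail closed`.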
@@ -0,0 +1,96 @@
+Name: duoauthproxy
+Version: 2.4.12
+Release: 1%{?dist}
+Summary: Duo Authentication Proxy
+
+Group: System Environment/Daemons
+License: Commercial
+URL: https://www.duosecurity.com/docs/ldap
+Source0: https://dl.duosecurity.com/duoauthproxy-%{version}-src.tgz
+Source1: authproxy.sample-openldap.cfg
+Patch0: non-interactive-install.patch
+Patch1: allow-anon-bind.patch
+
+%define svc_user nobody
+%define install_dir /opt/%{name}
+%global debug_package %{nil}
+
+BuildRequires: python-devel
+BuildRequires: openssl-devel
+BuildRequires: perl
+
+# Needed by the init script
+Requires: initscripts
+Requires: chkconfig
+
+%description
+Proxies RADIUS or LDAP authentication attempts and adds Duo authentication
+
+%prep
+%setup -q -n %{name}-%{version}-src
+%patch0 -p1
+%patch1 -p1
+
+# Sample config
+cp -p %{SOURCE1} conf
+
+# Set username in authproxyctl
+perl -p -i -e "s/^USER_DEFAULT = None$/USER_DEFAULT = '%{svc_user}'/g" pkgs/duoauthproxy/scripts/authproxyctl
+
+%build
+make
+
+%install
+rm -rf %{buildroot}
+
+# The included installer doesn't work with buildroots, so we install manually
+#duoauthproxy-build/install
+
+########################################################
+# Extract the RHEL init script from the python installer
+mv duoauthproxy-build/install install.py
+
+cat > get_init.py << EOF
+import install
+params = {'service_user': '%{svc_user}',
+ 'install_dir': '%{install_dir}' }
+
+print install.INITSCRIPT_REDHAT_TMPL % params
+EOF
+python get_init.py > init
+install -D init %{buildroot}/%{_initddir}/%{name}
+
+########################################################
+# Install the application
+mkdir -p %{buildroot}/%{install_dir}
+cp -a duoauthproxy-build/* %{buildroot}/%{install_dir}
+
+%clean
+rm -rf %{buildroot}
+
+%post
+/sbin/chkconfig --add %{name}
+
+%preun
+if [ $1 = 0 ]; then # Final removal
+ /sbin/service %{name} stop >/dev/null 2>&1 || :
+ /sbin/chkconfig --del %{name}
+fi
+
+%files
+%defattr(-,root,root,-)
+%{install_dir}/bin
+%config %{install_dir}/conf/ca-bundle.crt
+%config(noreplace) %attr(640,%{svc_user},%{svc_user}) %{install_dir}/conf/authproxy.cfg
+%{install_dir}/conf/authproxy.sample-openldap.cfg
+%{install_dir}/doc
+%{install_dir}/include
+%{install_dir}/lib
+%{install_dir}/lib64
+%attr(750,%{svc_user},%{svc_user}) %{install_dir}/log
+%attr(750,%{svc_user},%{svc_user}) %{install_dir}/run
+%{_initddir}/%{name}
+
+%changelog
+* Fri Oct 16 2015 John Thiltges <> 2.4.12-1
+- Initial package
diff --git a/non-interactive-install.patch b/non-interactive-install.patch
new file mode 100644
index 0000000..1134ddf
--- /dev/null
+++ b/non-interactive-install.patch
@@ -0,0 +1,25 @@
+diff --git a/scripts/install b/scripts/install
+index 9542fd9..079dc23 100755
+--- a/scripts/install
++++ b/scripts/install
+@@ -374,7 +374,7 @@ class AuthproxyInstaller(object):
+
+ def install(self):
+ # user interaction
+- self.show_license()
++ #self.show_license()
+ self.get_install_dir()
+ self.get_user()
+
+@@ -620,7 +620,10 @@ class AuthproxyInstaller(object):
+ print 'Failed to create uninstall script: %s' % e
+
+ def main(argv):
+- installer = AuthproxyInstaller()
++ installer = AuthproxyInstaller(
++ install_dir=AuthproxyInstaller.INSTALL_DIR_DEFAULT,
++ service_user=AuthproxyInstaller.USER_DEFAULT,
++ do_initscript=True)
+ try:
+ installer.install()
+ return 0
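Review bot: `%define svc_user nobody` in duoauthproxy.spec runs the proxy as the shared `nobody` account, and the `%files` list gives that account ownership of `conf/authproxy.cfg`, which holds the Duo `skey` and any service-account password; any other process running as `nobody` on the host can then read those secrets and write to the proxy's log and run directories. Create a dedicated system account in a `%pre` scriptlet and point `svc_user` at it, as sketched below (the account name is only a suggestion). Consider `%attr(640,root,%{svc_user})` for authproxy.cfg as well, so the service can read but not rewrite its own configuration.

```spec
%define svc_user duoauthproxy
# … unchanged: install_dir, debug_package, BuildRequires, Requires …
Requires(pre): shadow-utils
# … unchanged: description through clean sections …
%pre
getent group %{svc_user} >/dev/null || groupadd -r %{svc_user}
getent passwd %{svc_user} >/dev/null || \
    useradd -r -g %{svc_user} -d %{install_dir} -s /sbin/nologin \
    -c "Duo Authentication Proxy" %{svc_user}
exit 0
```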
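Review bot: non-interactive-install.patch changes `install()` and `main()` in scripts/install, but duoauthproxy.spec in this same commit never runs the installer (the `duoauthproxy-build/install` call is commented out and get_init.py only imports the module to read `INITSCRIPT_REDHAT_TMPL`), so the patched code paths look unused; if that is right, either drop Patch0 or state in the patch header why it is kept. The file also lacks the short description that allow-anon-bind.patch carries; a header such as `Skip the licence prompt and take install_dir/service_user from the class defaults so the installer can run unattended` would help. Deleting the `self.show_license()` call outright, rather than leaving `#self.show_license()` behind, would keep the patched source clean. Both nested hunks sit inside definitions that continue outside the visible context.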