
Update for upstream release 2.14.0
jthiltges committed Feb 21, 2019

1 parent 67fcc8e commit 7a3a12c
Showing 4 changed files with 129 additions and 75 deletions.
80 changes: 62 additions & 18 deletions allow-anon-bind.patch
@@ -1,22 +1,66 @@
Remove the check requiring a bind_dn
commit b6d8e26e92b78b58a3dd22fae7b74be27ef2e37a
Author: John Thiltges <[email protected]>
Date: Thu Feb 21 16:21:37 2019 -0600

The code assumes an Active Directory server. For a non-AD server, it works
fine with an anonymous bind.
Remove the checks requiring a bind_dn

The code assumes an Active Directory server. For a non-AD server such as OpenLDAP, it works fine with an anonymous bind.

diff -r -U3 duoauthproxy-2.4.12-src.orig/pkgs/duoauthproxy/duoauthproxy/modules/ad_client.py duoauthproxy-2.4.12-src/pkgs/duoauthproxy/duoauthproxy/modules/ad_client.py
--- duoauthproxy-2.4.12-src.orig/pkgs/duoauthproxy/duoauthproxy/modules/ad_client.py 2015-08-04 08:39:11.000000000 -0500
+++ duoauthproxy-2.4.12-src/pkgs/duoauthproxy/duoauthproxy/modules/ad_client.py 2015-10-16 10:53:07.624913666 -0500
@@ -293,13 +293,6 @@
ldap_filter = None
diff --git a/pkgs/duoauthproxy/duoauthproxy/lib/util.py b/pkgs/duoauthproxy/duoauthproxy/lib/util.py
index a19ad54..c9165cb 100644
--- a/pkgs/duoauthproxy/duoauthproxy/lib/util.py
+++ b/pkgs/duoauthproxy/duoauthproxy/lib/util.py
@@ -344,16 +344,13 @@ def parse_ad_client(config):
'auth_type', ldap.client.AD_AUTH_TYPES,
ldap.client.AD_AUTH_TYPE_NTLM_V2, str.lower)

# validate configuration
- if (auth_type == ldap.client.AD_AUTH_TYPE_PLAIN and not bind_dn):
- raise base.ConfigError(
- 'Missing required configuration item: if \'auth_type\' '
- 'is \'plain\', then \'bind_dn\' is required')
- else:
- bind_dn = bind_dn or '<ROOT>'
- # service_account_username, service_account_password are optional
- # for auth_type = AD_AUTH_TYPE_SSPI; mandatory otherwise
- is_sspi = (auth_type == ldap.client.AD_AUTH_TYPE_SSPI)
service_account_username = config.get_str(
'service_account_username',
- '' if is_sspi else None)
+ '')
service_account_password = config.get_protected_str(
'service_account_password_protected',
'service_account_password',
- '' if is_sspi else None)
+ '')

timeout = config.get_int('timeout', 10)
search_dn = config.get_str('search_dn')
@@ -380,11 +377,6 @@ def parse_ad_client(config):
else:
ldap_filter = None

- # A blank bind_dn will be rejected with auth-type plain in validation
- # otherwise we supply a default
- if not bind_dn:
- bind_dn = '<ROOT>'
-
if (auth_type == ldap.client.AD_AUTH_TYPE_PLAIN
and transport_type == ldap.client.AD_TRANSPORT_CLEAR):
log.msg('WARNING: you have selected cleartext (plain) authentication for Active Directory')
warning_message = warn_insecure_settings(auth_type, transport_type)
if warning_message:
log.msg(warning_message)
diff --git a/pkgs/duoauthproxy/duoauthproxy/lib/validation/config/check/ad_client.py b/pkgs/duoauthproxy/duoauthproxy/lib/validation/config/check/ad_client.py
index 772e0cb..b85b57c 100644
--- a/pkgs/duoauthproxy/duoauthproxy/lib/validation/config/check/ad_client.py
+++ b/pkgs/duoauthproxy/duoauthproxy/lib/validation/config/check/ad_client.py
@@ -54,7 +54,7 @@ def check_required_keys(config, toolbox):
# the value. Validation will happen in check_config_values and we don't
# want duplicate errors if the auth_type config is invalid.
auth_type = config.get('auth_type') or ldap.client.AD_AUTH_TYPE_NTLM_V2
- if auth_type.lower() != ldap.client.AD_AUTH_TYPE_SSPI:
+ if auth_type.lower() not in (ldap.client.AD_AUTH_TYPE_SSPI, ldap.client.AD_AUTH_TYPE_PLAIN):
if not toolbox.test_config_has_key(config, 'service_account_username'):
problems.append(MissingKey(key='service_account_username'))

@@ -183,9 +183,6 @@ def check_valid_bind_dn_for_auth_type(config, toolbox):
ldap.client.AD_AUTH_TYPES,
ldap.client.AD_AUTH_TYPE_NTLM_V2)
has_bind_dn = toolbox.test_config_has_value(config, 'bind_dn')
- if auth_type == ldap.client.AD_AUTH_TYPE_PLAIN and not has_bind_dn:
- problems.append(UnmetDependency(message='bind_dn is required for '
- 'auth_type %s' % auth_type))
except ConfigError:
problems.append(SkippedTest(
test=check_valid_bind_dn_for_auth_type.__name__, key='auth_type'))
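Review bot: With the two `'<ROOT>'` fallbacks and the plain/bind_dn checks removed from parse_ad_client, and `service_account_password` now defaulting to `''` for every auth_type, a config that sets `bind_dn` but leaves the password empty is accepted; an LDAP simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 §5.1.2), which several directories treat as success, so the service-account bind would silently run without credentials. Unless the client rejects that combination somewhere not shown here, I'd keep one guard where the old check was: `if bind_dn and not service_account_password: raise base.ConfigError("'bind_dn' is set but 'service_account_password' is empty; leave both unset for an anonymous bind")`. The removed fallbacks also mean `bind_dn` can now reach the caller as `None` or `''` where it used to be `'<ROOT>'`; if ad_client.py still keys on that sentinel, it needs a matching change that this patch does not include. parse_ad_client begins before the first util.py hunk and continues past the second, so the downstream use of `bind_dn` is not visible.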
6 changes: 3 additions & 3 deletions authproxy.sample-openldap.cfg
@@ -5,9 +5,9 @@ host_3=ldap3.example.edu
search_dn=ou=People,dc=example,dc=edu
auth_type=plain
username_attribute=uid
service_account_username=
service_account_password=
bind_dn=
#service_account_username=
#service_account_password=
#bind_dn=

[ldap_server_auto]
ikey=IIIIIIIIIIIIIIIIIIII
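Review bot: The sample now leaves `service_account_username`, `service_account_password` and `bind_dn` commented out under `auth_type=plain`, but nothing in the snippet tells an operator what that implies: the directory has to permit anonymous search under `search_dn` for the `uid` lookup, and with plain auth the user's password is sent to the LDAP server unless `transport_type` is `ldaps` or `starttls` (the util.py patch in this commit warns on plain over a clear transport). I'd add two comment lines above the commented keys: `# Leave these unset for an anonymous bind; the directory must allow anonymous search under search_dn` and `# auth_type=plain sends user passwords to the LDAP server; set transport_type=ldaps or starttls`. Whether `transport_type` is set in the part of the file outside this hunk is not visible here.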
93 changes: 64 additions & 29 deletions duoauthproxy.spec
@@ -1,81 +1,112 @@
Name: duoauthproxy
Version: 2.4.12
Version: 2.14.0
%define srctag bd60798
Release: 1%{?dist}
Summary: Duo Authentication Proxy

Group: System Environment/Daemons
License: Commercial
URL: https://www.duosecurity.com/docs/ldap
URL: https://duo.com/docs/authproxy-reference
Source0: https://dl.duosecurity.com/duoauthproxy-%{version}-src.tgz
Source1: authproxy.sample-openldap.cfg
Patch0: non-interactive-install.patch
Patch1: allow-anon-bind.patch
Patch0: allow-anon-bind.patch

%define svc_user nobody
%define install_dir /opt/%{name}
%global debug_package %{nil}

BuildRequires: python-devel
BuildRequires: openssl-devel
BuildRequires: perl
# Bytecode compilation fails in lib2to3/tests/data/py3_test_grammar.py
%global _python_bytecompile_errors_terminate_build 0

# Needed by the init script
Requires: initscripts
Requires: chkconfig
BuildRequires: gcc
BuildRequires: libffi-devel
BuildRequires: make
BuildRequires: perl
BuildRequires: python-devel
BuildRequires: zlib-devel
%{?systemd_requires}

%description
Proxies RADIUS or LDAP authentication attempts and adds Duo authentication

%prep
%setup -q -n %{name}-%{version}-src
%setup -q -n %{name}-%{version}-%{srctag}-src
%patch0 -p1
%patch1 -p1

# Sample config
cp -p %{SOURCE1} conf

# Set username in authproxyctl
perl -p -i -e "s/^USER_DEFAULT = None$/USER_DEFAULT = '%{svc_user}'/g" pkgs/duoauthproxy/scripts/authproxyctl
# Set username in authproxyctl and duoauthproxy.tap
perl -p -i -e "s/^USER_DEFAULT = None$/USER_DEFAULT = '%{svc_user}'/g" \
pkgs/duoauthproxy/scripts/authproxyctl \
pkgs/duoauthproxy/scripts/duoauthproxy.tap

%build
make
#make %{_smp_mflags}
make -j1

%install
rm -rf %{buildroot}

# The included installer doesn't work with buildroots, so we install manually
#duoauthproxy-build/install
#duoauthproxy-build/install --install-dir=%{buildroot}%{install_dir} --service-user=%{svc_user} --create-init-script=yes

########################################################
# Extract the RHEL init script from the python installer
# Extract the systemd service file from the python installer
mv duoauthproxy-build/install install.py

cat > get_init.py << EOF
import install
params = {'service_user': '%{svc_user}',
'install_dir': '%{install_dir}' }

print install.INITSCRIPT_REDHAT_TMPL % params
print install.INITSCRIPT_SYSTEMD_TMPL % params
EOF
python get_init.py > init
install -D init %{buildroot}/%{_initddir}/%{name}
install -D init %{buildroot}/%{_unitdir}/%{name}.service

########################################################
# Install the application
mkdir -p %{buildroot}/%{install_dir}
cp -a duoauthproxy-build/* %{buildroot}/%{install_dir}

# Remove static libraries from install
# - They are not needed at runtime
# - libpython2.7.a is installed with 555 perms and RPM symbol stripping fails
find %{buildroot} -name '*.a' -delete

# Remove headers and manpages
rm -rf %{buildroot}/%{install_dir}/usr/local/include \
%{buildroot}/%{install_dir}/usr/local/openssl/include \
%{buildroot}/%{install_dir}/usr/local/*/man

# Fix the python interpreter path
pkgs/Python-2.7.14/Tools/scripts/pathfix.py -i %{install_dir}/usr/local/bin/python \
%{buildroot}/%{install_dir}/usr/local/bin \
%{buildroot}/%{install_dir}/usr/local/lib/python2.7/cgi.py \
%{buildroot}/%{install_dir}/usr/local/bin/{2to3,authproxy,authproxy_connectivity_tool,authproxyctl,authproxy_primary_only,authproxy_support,automat-visualize,cftp,ckeygen,conch,easy_install,easy_install-2.7,idle,install,m2r,mailmail,netaddr,pbr,pydoc,pyhtmlizer,python2.7-config,tkconch,trial,twist,twistd}
# And remove backup files
rm %{buildroot}/%{install_dir}/usr/local/bin/*~ \
%{buildroot}/%{install_dir}/usr/local/lib/python2.7/cgi.py~

# Remove unnecessary OpenSSL pieces which drag in perl
rm %{buildroot}/%{install_dir}/usr/local/openssl/{misc/tsget,misc/CA.pl,bin/c_rehash}

# Add symlinks for Duo components
ln -s -t %{buildroot}/%{install_dir}/bin ../usr/local/bin/{authproxy,authproxy_connectivity_tool,authproxy_primary_only,authproxy_support,authproxyctl}

# Switch over to the bundled python for byte-compilation
%define __python %{buildroot}/%{install_dir}/usr/local/bin/python

%clean
rm -rf %{buildroot}

%post
/sbin/chkconfig --add %{name}

%systemd_post %{name}.service
%preun
if [ $1 = 0 ]; then # Final removal
/sbin/service %{name} stop >/dev/null 2>&1 || :
/sbin/chkconfig --del %{name}
fi
%systemd_preun %{name}.service
%postun
%systemd_postun_with_restart %{name}.service

%files
%defattr(-,root,root,-)
@@ -84,13 +115,17 @@ fi
%config(noreplace) %attr(640,%{svc_user},%{svc_user}) %{install_dir}/conf/authproxy.cfg
%{install_dir}/conf/authproxy.sample-openldap.cfg
%{install_dir}/doc
%{install_dir}/include
%{install_dir}/lib
%{install_dir}/lib64
%attr(750,%{svc_user},%{svc_user}) %{install_dir}/log
%attr(750,%{svc_user},%{svc_user}) %{install_dir}/run
%{_initddir}/%{name}
%{install_dir}/usr
%{_unitdir}/%{name}.service

%changelog
* Thu Feb 21 2019 John Thiltges <> 2.14.0-1
- Upstream release 2.14.0

* Mon May 16 2016 John Thiltges <> 2.4.17-1
- Upstream release 2.4.17

* Fri Oct 16 2015 John Thiltges <> 2.4.12-1
- Initial package
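Review bot: `authproxy.cfg` is installed owned by the service user (`%config(noreplace) %attr(640,%{svc_user},%{svc_user})`, with `svc_user` defined as `nobody`), so the daemon and any other process running as nobody can read and rewrite the file that holds the Duo skey and the LDAP service-account password. I'd make it root-owned and group-readable only, `%config(noreplace) %attr(640,root,%{svc_user}) %{install_dir}/conf/authproxy.cfg`, and consider a dedicated account created in `%pre` (`getent passwd duoauthproxy >/dev/null || useradd -r -s /sbin/nologin duoauthproxy`) rather than sharing `nobody` with every other unprivileged service on the host. Whether authproxyctl or the support tool needs write access to the config is not visible in this spec, so check that before tightening. The `get_init.py` heredoc also prints the upstream `INITSCRIPT_SYSTEMD_TMPL` verbatim, so any hardening in the resulting unit (`User=`, `ProtectSystem=`, `PrivateTmp=`) depends entirely on upstream and cannot be reviewed from here.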
25 changes: 0 additions & 25 deletions non-interactive-install.patch

This file was deleted.
