[Pkg-openldap-devel] [openldap] 210/281: ITS#8097 nssov: update to protocol version 2

Ryan Tandy rtandy-guest at moszumanska.debian.org
Thu Jul 9 01:43:01 UTC 2015


This is an automated email from the git hooks/post-receive script.

rtandy-guest pushed a commit to branch master
in repository openldap.

commit 99e6232914e3cfd8323c70d9505181d1d03e965a
Author: Ryan Tandy <ryan at nardis.ca>
Date:   Wed Jan 7 07:46:53 2015 -0800

    ITS#8097 nssov: update to protocol version 2
    
    This updates nssov for the protocol changes in nss-pam-ldapd commits
    5f55781 and 6a74d8d. The protocol was changed to network byte order,
    uid_t and gid_t were changed to int32_t, and the READ_TYPE and
    WRITE_TYPE macros were removed. The PAM protocol was restructured to
    drop the DN field and to use a common basic set of fields for all
    requests.
---
 contrib/slapd-modules/nssov/ether.c  |   4 +-
 contrib/slapd-modules/nssov/group.c  |   4 +-
 contrib/slapd-modules/nssov/nssov.c  |  26 ++--
 contrib/slapd-modules/nssov/nssov.h  |  61 +++++----
 contrib/slapd-modules/nssov/pam.c    | 232 +++++++++++++++++------------------
 contrib/slapd-modules/nssov/passwd.c |   6 +-
 6 files changed, 168 insertions(+), 165 deletions(-)

diff --git a/contrib/slapd-modules/nssov/ether.c b/contrib/slapd-modules/nssov/ether.c
index 6af43ec..0cb85db 100644
--- a/contrib/slapd-modules/nssov/ether.c
+++ b/contrib/slapd-modules/nssov/ether.c
@@ -59,7 +59,7 @@ NSSOV_CBPRIV(ether,
 	tmpaddr.ether_addr_octet[3] = ao[3]; \
 	tmpaddr.ether_addr_octet[4] = ao[4]; \
 	tmpaddr.ether_addr_octet[5] = ao[5]; } \
-  WRITE_TYPE(fp,tmpaddr,uint8_t[6]);
+  WRITE(fp,&tmpaddr,sizeof(uint8_t[6]));
 
 static int write_ether(nssov_ether_cbp *cbp,Entry *entry)
 {
@@ -141,7 +141,7 @@ NSSOV_HANDLE(
 	struct berval filter = {sizeof(fbuf)};
 	filter.bv_val = fbuf;
 	BER_BVZERO(&cbp.name);
-	READ_TYPE(fp,addr,uint8_t[6]);
+	READ(fp,&addr,sizeof(uint8_t[6]));
 	cbp.addr.bv_len = snprintf(cbp.buf,sizeof(cbp.buf), "%x:%x:%x:%x:%x:%x",
 		addr.ether_addr_octet[0],
 		addr.ether_addr_octet[1],
diff --git a/contrib/slapd-modules/nssov/group.c b/contrib/slapd-modules/nssov/group.c
index fed9609..5de9aa4 100644
--- a/contrib/slapd-modules/nssov/group.c
+++ b/contrib/slapd-modules/nssov/group.c
@@ -251,7 +251,7 @@ static int write_group(nssov_group_cbp *cbp,Entry *entry)
 				WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN);
 				WRITE_BERVAL(cbp->fp,&names[i]);
 				WRITE_BERVAL(cbp->fp,&passwd);
-				WRITE_TYPE(cbp->fp,gid,gid_t);
+				WRITE_INT32(cbp->fp,gid);
 				/* write a list of values */
 				WRITE_INT32(cbp->fp,nummembers);
 				if (nummembers)
@@ -299,7 +299,7 @@ NSSOV_HANDLE(
 	char fbuf[1024];
 	struct berval filter = {sizeof(fbuf)};
 	filter.bv_val = fbuf;
-	READ_TYPE(fp,gid,gid_t);
+	READ_INT32(fp,gid);
 	cbp.gidnum.bv_val = cbp.buf;
 	cbp.gidnum.bv_len = snprintf(cbp.buf,sizeof(cbp.buf),"%d",gid);
 	cbp.wantmembers = 1;
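Review bot: `READ_INT32(fp,gid)` on the line before `cbp.gidnum` copies exactly sizeof(int32_t) bytes into `gid`, whose declaration is outside the hunk; if it is still a `gid_t` rather than an `int32_t`, this is only correct on platforms where `gid_t` is 32 bits wide, and the same applies to `uid` in the passwd.c hunk (`READ_INT32(fp,uid)`). Declaring those locals `int32_t`, to match the protocol type the commit message names, or adding `/* protocol v2 carries ids as int32_t */` at the read would make the assumption explicit. The enclosing NSSOV_HANDLE body starts outside the hunk.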
diff --git a/contrib/slapd-modules/nssov/nssov.c b/contrib/slapd-modules/nssov/nssov.c
index 05b6adc..e55c0c3 100644
--- a/contrib/slapd-modules/nssov/nssov.c
+++ b/contrib/slapd-modules/nssov/nssov.c
@@ -142,7 +142,7 @@ int write_address(TFILE *fp,struct berval *addr)
 		/* write the address length */
 		WRITE_INT32(fp,sizeof(struct in_addr));
 		/* write the address itself (in network byte order) */
-		WRITE_TYPE(fp,ipv4addr,struct in_addr);
+		WRITE(fp,&ipv4addr,sizeof(struct in_addr));
 	}
 	else if (inet_pton(AF_INET6,addr->bv_val,&ipv6addr)>0)
 	{
@@ -151,7 +151,7 @@ int write_address(TFILE *fp,struct berval *addr)
 		/* write the address length */
 		WRITE_INT32(fp,sizeof(struct in6_addr));
 		/* write the address itself (in network byte order) */
-		WRITE_TYPE(fp,ipv6addr,struct in6_addr);
+		WRITE(fp,&ipv6addr,sizeof(struct in6_addr));
 	}
 	else
 	{
@@ -240,14 +240,14 @@ static int read_header(TFILE *fp,int32_t *action)
 {
   int32_t tmpint32;
   /* read the protocol version */
-  READ_TYPE(fp,tmpint32,int32_t);
+  READ_INT32(fp,tmpint32);
   if (tmpint32 != (int32_t)NSLCD_VERSION)
   {
     Debug( LDAP_DEBUG_TRACE,"nssov: wrong nslcd version id (%d)\n",(int)tmpint32,0,0);
     return -1;
   }
   /* read the request type */
-  READ(fp,action,sizeof(int32_t));
+  READ_INT32(fp,*action);
   return 0;
 }
 
@@ -255,34 +255,30 @@ int nssov_config(nssov_info *ni,TFILE *fp,Operation *op)
 {
 	int opt;
 	int32_t tmpint32;
-	struct berval *msg = BER_BVC("");
-	int rc = NSLCD_PAM_SUCCESS;
 
 	READ_INT32(fp,opt);
 
 	Debug(LDAP_DEBUG_TRACE, "nssov_config (%d)\n",opt,0,0);
 
+	WRITE_INT32(fp,NSLCD_VERSION);
+	WRITE_INT32(fp,NSLCD_ACTION_CONFIG_GET);
+	WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
+
 	switch (opt) {
 	case NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE:
-		/* request for pam password_prothibit_message */
+		/* request for pam password_prohibit_message */
 		/* nssov_pam prohibits password  */
 		if (!BER_BVISEMPTY(&ni->ni_pam_password_prohibit_message)) {
 			Debug(LDAP_DEBUG_TRACE,"nssov_config(): %s (%s)\n",
 				"password_prohibit_message",
 				ni->ni_pam_password_prohibit_message.bv_val,0);
-			msg = &ni->ni_pam_password_prohibit_message;
-			rc = NSLCD_PAM_PERM_DENIED;
+			WRITE_STRING(fp,ni->ni_pam_password_prohibit_message.bv_val);
 		}
-		/* fall through */
 	default:
+		/* all other config options are ignored */
 		break;
 	}
 
-done:;
-	WRITE_INT32(fp,NSLCD_VERSION);
-	WRITE_INT32(fp,NSLCD_ACTION_CONFIG_GET);
-	WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
-	WRITE_BERVAL(fp,msg);
 	WRITE_INT32(fp,NSLCD_RESULT_END);
 	return 0;
 }
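Review bot: `WRITE_INT32(fp,NSLCD_RESULT_BEGIN)` is now emitted unconditionally, but the string after it is written only when `ni_pam_password_prohibit_message` is non-empty, so for an empty message or any other option the client sees RESULT_BEGIN immediately followed by RESULT_END with no value between them; a client that reads a string after RESULT_BEGIN would interpret the RESULT_END word as a string length. Moving `WRITE_INT32(fp,NSLCD_RESULT_BEGIN)` into the non-empty branch and emitting only RESULT_END otherwise keeps the framing self-consistent, though which form the peer expects needs checking against the nslcd protocol. Separately, the `/* fall through */` marker between the `case` body and `default:` was dropped while the fallthrough itself remains; keep a `/* fall through */` before `default:` so the intent stays visible and -Wimplicit-fallthrough stays quiet.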
diff --git a/contrib/slapd-modules/nssov/nssov.h b/contrib/slapd-modules/nssov/nssov.h
index f13378e..eae55f7 100644
--- a/contrib/slapd-modules/nssov/nssov.h
+++ b/contrib/slapd-modules/nssov/nssov.h
@@ -127,31 +127,42 @@ void nssov_cfg_init(nssov_info *ni,const char *fname);
   Debug(LDAP_DEBUG_ANY,"nssov: client supplied argument too large\n",0,0,0); \
   return -1;
 
-#define WRITE_BERVAL(fp,bv) \
-  DEBUG_PRINT("WRITE_STRING: var="__STRING(bv)" string=\"%s\"",(bv)->bv_val); \
-  if ((bv)==NULL) \
-  { \
-    WRITE_INT32(fp,0); \
-  } \
-  else \
-  { \
-    WRITE_INT32(fp,(bv)->bv_len); \
-    if (tmpint32>0) \
-      { WRITE(fp,(bv)->bv_val,tmpint32); } \
-  }
-
-#define WRITE_BVARRAY(fp,arr) \
-  /* first determine length of array */ \
-  for (tmp3int32=0;(arr)[tmp3int32].bv_val!=NULL;tmp3int32++) \
-    /*nothing*/ ; \
-  /* write number of strings */ \
-  DEBUG_PRINT("WRITE_BVARRAY: var="__STRING(arr)" num=%d",(int)tmp3int32); \
-  WRITE_TYPE(fp,tmp3int32,int32_t); \
-  /* write strings */ \
-  for (tmp2int32=0;tmp2int32<tmp3int32;tmp2int32++) \
-  { \
-    WRITE_BERVAL(fp,&(arr)[tmp2int32]); \
-  }
+#define WRITE_BERVAL(fp, bv)                                                   \
+  DEBUG_PRINT("WRITE_BERVAL: var="__STRING(bv)" bv_val=\"%s\"", (bv)->bv_val); \
+  if ((bv) == NULL)                                                            \
+  {                                                                            \
+    WRITE_INT32(fp, 0);                                                        \
+  }                                                                            \
+  else                                                                         \
+  {                                                                            \
+    WRITE_INT32(fp, (bv)->bv_len);                                             \
+    tmpint32 = ntohl(tmpint32);                                                \
+    if (tmpint32 > 0)                                                          \
+    {                                                                          \
+      WRITE(fp, (bv)->bv_val, tmpint32);                                       \
+    }                                                                          \
+  }                                                                            \
+
+#define WRITE_BVARRAY(fp, arr)                                                 \
+  if ((arr) == NULL)                                                           \
+  {                                                                            \
+    DEBUG_PRINT("WRITE_BVARRAY: var="__STRING(arr)" num=%d", 0);               \
+    WRITE_INT32(fp, 0);                                                        \
+  }                                                                            \
+  else                                                                         \
+  {                                                                            \
+    /* first determine length of array */                                      \
+    for (tmp3int32 = 0; (arr)[tmp3int32].bv_val != NULL; tmp3int32++)          \
+      /* nothing */ ;                                                          \
+    /* write number of strings */                                              \
+    DEBUG_PRINT("WRITE_BVARRAY: var="__STRING(arr)" num=%d", (int)tmp3int32);  \
+    WRITE_INT32(fp, tmp3int32);                                                \
+    /* write strings */                                                        \
+    for (tmp2int32 = 0; tmp2int32 < tmp3int32; tmp2int32++)                    \
+    {                                                                          \
+      WRITE_BERVAL(fp, &(arr)[tmp2int32]);                                     \
+    }                                                                          \
+  }                                                                            \
 
 /* This tries to get the user password attribute from the entry.
    It will try to return an encrypted password as it is used in /etc/passwd,
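Review bot: The `DEBUG_PRINT(... (bv)->bv_val)` on the first line of the rewritten WRITE_BERVAL dereferences `bv` before the `if ((bv) == NULL)` test on the next line, so whenever DEBUG_PRINT is compiled in, the NULL branch can only be reached after a NULL dereference; moving the DEBUG_PRINT into the `else` branch, or passing `(bv) ? (bv)->bv_val : "NULL"`, fixes that. `WRITE_INT32(fp, (bv)->bv_len)` followed by `tmpint32 = ntohl(tmpint32)` also relies on WRITE_INT32 leaving the byte-swapped length in `tmpint32`, a coupling worth a comment such as `/* WRITE_INT32 leaves tmpint32 in network order; restore host order for the length */`. Both macros end with a trailing `\` on their closing-brace line, continuing the definition onto the following blank line; dropping it avoids silently absorbing the next line if that blank is ever removed.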
diff --git a/contrib/slapd-modules/nssov/pam.c b/contrib/slapd-modules/nssov/pam.c
index 45302b5..c940538 100644
--- a/contrib/slapd-modules/nssov/pam.c
+++ b/contrib/slapd-modules/nssov/pam.c
@@ -26,6 +26,9 @@ struct paminfo {
 	struct berval uid;
 	struct berval dn;
 	struct berval svc;
+	struct berval ruser;
+	struct berval rhost;
+	struct berval tty;
 	struct berval pwd;
 	int authz;
 	struct berval msg;
@@ -155,7 +158,6 @@ int pam_do_bind(nssov_info *ni,TFILE *fp,Operation *op,
 
 	if (!pi->ispwdmgr) {
 
-		BER_BVZERO(&pi->dn);
 		rc = pam_uid2dn(ni, op, pi);
 		if (rc) goto finish;
 
@@ -213,24 +215,30 @@ int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 {
 	int32_t tmpint32;
 	int rc;
-	slap_callback cb = {0};
-	char dnc[1024];
 	char uidc[32];
 	char svcc[256];
+	char ruserc[32];
+	char rhostc[256];
+	char ttyc[256];
 	char pwdc[256];
-	struct berval sdn, dn;
 	struct paminfo pi;
 
 
 	READ_STRING(fp,uidc);
 	pi.uid.bv_val = uidc;
 	pi.uid.bv_len = tmpint32;
-	READ_STRING(fp,dnc);
-	pi.dn.bv_val = dnc;
-	pi.dn.bv_len = tmpint32;
 	READ_STRING(fp,svcc);
 	pi.svc.bv_val = svcc;
 	pi.svc.bv_len = tmpint32;
+	READ_STRING(fp,ruserc);
+	pi.ruser.bv_val = ruserc;
+	pi.ruser.bv_len = tmpint32;
+	READ_STRING(fp,rhostc);
+	pi.rhost.bv_val = rhostc;
+	pi.rhost.bv_len = tmpint32;
+	READ_STRING(fp,ttyc);
+	pi.tty.bv_val = ttyc;
+	pi.tty.bv_len = tmpint32;
 	READ_STRING(fp,pwdc);
 	pi.pwd.bv_val = pwdc;
 	pi.pwd.bv_len = tmpint32;
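Review bot: `struct paminfo pi;` is left uninitialized while the response written at `finish:` includes `pi.authz`, and the `BER_BVZERO(&pi->dn)` that pam_do_bind used to perform is removed in this same commit; if any `goto finish` is reached before those fields are assigned (the rest of the body is outside the hunk), the client receives whatever was on the stack. `struct paminfo pi = {0};` here, and likewise for the `pi` declarations in pam_authz and pam_sess, makes every early-exit response deterministic. The new ruser/rhost/tty fields are read here only to consume the request; a comment `/* read to keep in step with the request layout; unused by authc */` on the first of them would say so.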
@@ -238,6 +246,7 @@ int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 	Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(%s)\n",
 			pi.uid.bv_val ? pi.uid.bv_val : "NULL",0,0);
 
+	BER_BVZERO(&pi.msg);
 	pi.ispwdmgr = 0;
 
 	/* if service is "passwd" and "nssov-pam-password-prohibit-message */
@@ -303,11 +312,11 @@ finish:
 	WRITE_INT32(fp,NSLCD_VERSION);
 	WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHC);
 	WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
-	WRITE_BERVAL(fp,&pi.uid);
-	WRITE_BERVAL(fp,&pi.dn);
 	WRITE_INT32(fp,rc);
+	WRITE_BERVAL(fp,&pi.uid);
 	WRITE_INT32(fp,pi.authz);	/* authz */
 	WRITE_BERVAL(fp,&pi.msg);	/* authzmsg */
+	WRITE_INT32(fp,NSLCD_RESULT_END);
 	return 0;
 }
 
@@ -329,52 +338,40 @@ static int pam_compare_cb(Operation *op, SlapReply *rs)
 
 int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 {
-	struct berval dn, uid, svc, ruser, rhost, tty;
 	struct berval authzmsg = BER_BVNULL;
 	int32_t tmpint32;
-	char dnc[1024];
 	char uidc[32];
 	char svcc[256];
 	char ruserc[32];
 	char rhostc[256];
 	char ttyc[256];
 	int rc;
+	struct paminfo pi;
 	Entry *e = NULL;
 	Attribute *a;
 	slap_callback cb = {0};
 
 	READ_STRING(fp,uidc);
-	uid.bv_val = uidc;
-	uid.bv_len = tmpint32;
-	READ_STRING(fp,dnc);
-	dn.bv_val = dnc;
-	dn.bv_len = tmpint32;
+	pi.uid.bv_val = uidc;
+	pi.uid.bv_len = tmpint32;
 	READ_STRING(fp,svcc);
-	svc.bv_val = svcc;
-	svc.bv_len = tmpint32;
+	pi.svc.bv_val = svcc;
+	pi.svc.bv_len = tmpint32;
 	READ_STRING(fp,ruserc);
-	ruser.bv_val = ruserc;
-	ruser.bv_len = tmpint32;
+	pi.ruser.bv_val = ruserc;
+	pi.ruser.bv_len = tmpint32;
 	READ_STRING(fp,rhostc);
-	rhost.bv_val = rhostc;
-	rhost.bv_len = tmpint32;
+	pi.rhost.bv_val = rhostc;
+	pi.rhost.bv_len = tmpint32;
 	READ_STRING(fp,ttyc);
-	tty.bv_val = ttyc;
-	tty.bv_len = tmpint32;
-
-	Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(%s)\n",
-			dn.bv_val ? dn.bv_val : "NULL",0,0);
+	pi.tty.bv_val = ttyc;
+	pi.tty.bv_len = tmpint32;
 
-	/* If we didn't do authc, we don't have a DN yet */
-	if (BER_BVISEMPTY(&dn)) {
-		struct paminfo pi;
-		pi.uid = uid;
-		pi.svc = svc;
+	rc = pam_uid2dn(ni, op, &pi);
+	if (rc) goto finish;
 
-		rc = pam_uid2dn(ni, op, &pi);
-		if (rc) goto finish;
-		dn = pi.dn;
-	}
+	Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(%s)\n",
+			pi.dn.bv_val ? pi.dn.bv_val : "NULL",0,0);
 
 	/* See if they have access to the host and service */
 	if ((ni->ni_pam_opts & NI_PAM_HOSTSVC) && nssov_pam_svc_ad) {
@@ -382,8 +379,8 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 		struct berval hostdn = BER_BVNULL;
 		struct berval odn = op->o_ndn;
 		SlapReply rs = {REP_RESULT};
-		op->o_dn = dn;
-		op->o_ndn = dn;
+		op->o_dn = pi.dn;
+		op->o_ndn = pi.dn;
 		{
 			nssov_mapinfo *mi = &ni->ni_maps[NM_host];
 			char fbuf[1024];
@@ -432,7 +429,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 		op->o_req_dn = hostdn;
 		op->o_req_ndn = hostdn;
 		ava.aa_desc = nssov_pam_svc_ad;
-		ava.aa_value = svc;
+		ava.aa_value = pi.svc;
 		op->orc_ava = &ava;
 		rc = op->o_bd->be_compare( op, &rs );
 		if ( cb.sc_private == NULL ) {
@@ -457,7 +454,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 		op->o_req_dn = ni->ni_pam_group_dn;
 		op->o_req_ndn = ni->ni_pam_group_dn;
 		ava.aa_desc = ni->ni_pam_group_ad;
-		ava.aa_value = dn;
+		ava.aa_value = pi.dn;
 		op->orc_ava = &ava;
 		rc = op->o_bd->be_compare( op, &rs );
 		if ( cb.sc_private == NULL ) {
@@ -471,7 +468,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 	if ((ni->ni_pam_opts & (NI_PAM_USERHOST|NI_PAM_USERSVC)) ||
 		ni->ni_pam_template_ad ||
 		ni->ni_pam_min_uid || ni->ni_pam_max_uid ) {
-		rc = be_entry_get_rw( op, &dn, NULL, NULL, 0, &e );
+		rc = be_entry_get_rw( op, &pi.dn, NULL, NULL, 0, &e );
 		if (rc != LDAP_SUCCESS) {
 			rc = NSLCD_PAM_USER_UNKNOWN;
 			goto finish;
@@ -493,7 +490,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 		if (!a || attr_valfind( a,
 			SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
 			SLAP_MR_VALUE_OF_SYNTAX,
-			&svc, NULL, op->o_tmpmemctx )) {
+			&pi.svc, NULL, op->o_tmpmemctx )) {
 			rc = NSLCD_PAM_PERM_DENIED;
 			authzmsg = svcmsg;
 			goto finish;
@@ -530,9 +527,9 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 	if (ni->ni_pam_template_ad) {
 		a = attr_find(e->e_attrs, ni->ni_pam_template_ad);
 		if (a)
-			uid = a->a_vals[0];
+			pi.uid = a->a_vals[0];
 		else if (!BER_BVISEMPTY(&ni->ni_pam_template))
-			uid = ni->ni_pam_template;
+			pi.uid = ni->ni_pam_template;
 	}
 	rc = NSLCD_PAM_SUCCESS;
 
@@ -540,10 +537,9 @@ finish:
 	WRITE_INT32(fp,NSLCD_VERSION);
 	WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHZ);
 	WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
-	WRITE_BERVAL(fp,&uid);
-	WRITE_BERVAL(fp,&dn);
 	WRITE_INT32(fp,rc);
 	WRITE_BERVAL(fp,&authzmsg);
+	WRITE_INT32(fp,NSLCD_RESULT_END);
 	if (e) {
 		be_entry_release_r(op, e);
 	}
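Review bot: With `WRITE_BERVAL(fp,&uid)` dropped from this `finish:` block, the response now carries only `rc` and `authzmsg`, so the `pi.uid = a->a_vals[0]` and `pi.uid = ni->ni_pam_template` assignments in the preceding hunk store into a field nothing sends back. If the template feature is meant to change the user name PAM sees, that mapping has to happen in a handler whose response still carries the name (pam_authc writes `pi.uid`); otherwise those two stores are dead and should be removed or marked, e.g. `/* NOTE: template uid is not returned in the v2 authz response */`.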
@@ -565,14 +561,14 @@ finish:
 
 static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action)
 {
-	struct berval dn, uid, svc, tty, rhost, ruser;
 	int32_t tmpint32;
-	char dnc[1024];
 	char svcc[256];
 	char uidc[32];
 	char ttyc[32];
 	char rhostc[256];
 	char ruserc[32];
+	char sessionID[64];
+	struct paminfo pi;
 	slap_callback cb = {0};
 	SlapReply rs = {REP_RESULT};
 	char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE];
@@ -580,38 +576,41 @@ static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action)
 	time_t stamp;
 	Modifications mod;
 	int rc = 0;
-	int sessionID = -1;
 
 	READ_STRING(fp,uidc);
-	uid.bv_val = uidc;
-	uid.bv_len = tmpint32;
-	READ_STRING(fp,dnc);
-	dn.bv_val = dnc;
-	dn.bv_len = tmpint32;
+	pi.uid.bv_val = uidc;
+	pi.uid.bv_len = tmpint32;
 	READ_STRING(fp,svcc);
-	svc.bv_val = svcc;
-	svc.bv_len = tmpint32;
-	READ_STRING(fp,ttyc);
-	tty.bv_val = ttyc;
-	tty.bv_len = tmpint32;
-	READ_STRING(fp,rhostc);
-	rhost.bv_val = rhostc;
-	rhost.bv_len = tmpint32;
+	pi.svc.bv_val = svcc;
+	pi.svc.bv_len = tmpint32;
 	READ_STRING(fp,ruserc);
-	ruser.bv_val = ruserc;
-	ruser.bv_len = tmpint32;
-	READ_INT32(fp,stamp);
-
-	Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(%s)\n",
-		action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', dn.bv_val,0);
+	pi.ruser.bv_val = ruserc;
+	pi.ruser.bv_len = tmpint32;
+	READ_STRING(fp,rhostc);
+	pi.rhost.bv_val = rhostc;
+	pi.rhost.bv_len = tmpint32;
+	READ_STRING(fp,ttyc);
+	pi.tty.bv_val = ttyc;
+	pi.tty.bv_len = tmpint32;
 
-	if (!dn.bv_len) {
-		Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(): %s\n",
-			action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', "null DN",0);
-		rc = -1;
-		goto done;
+	if (action==NSLCD_ACTION_PAM_SESS_O) {
+		slap_op_time( &op->o_time, &op->o_tincr );
+		timestamp.bv_len = sizeof(timebuf);
+		timestamp.bv_val = timebuf;
+		stamp = op->o_time;
+		slap_timestamp( &stamp, &timestamp );
+	} else {
+		READ_STRING(fp,sessionID);
+		timestamp.bv_val = sessionID;
+		timestamp.bv_len = tmpint32;
 	}
 
+	rc = pam_uid2dn(ni, op, &pi);
+	if (rc) goto done;
+
+	Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(%s)\n",
+		action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', pi.dn.bv_val,0);
+
 	if (!ni->ni_pam_sessions) {
 		Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(): %s\n",
 			action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c',
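Review bot: The new `READ_STRING(fp,ttyc)` reads into the `ttyc[32]` declared in the previous hunk, whereas pam_authc, pam_authz and pam_pwmod declare `ttyc[256]`; if READ_STRING rejects oversize input, as the "client supplied argument too large" path in nssov.h suggests, a tty name of 32 to 255 bytes passes authc and authz but fails session open and close. Changing the declaration to `char ttyc[256];` aligns the four handlers. In the SESS_C branch the client-supplied `sessionID` becomes `timestamp` and is later formatted into the loginStatus value; a comment `/* session close: the client echoes back the timestamp we issued at open */` would make that reuse clear to the next reader.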
@@ -623,9 +622,9 @@ static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action)
 	{
 		int i, found=0;
 		for (i=0; !BER_BVISNULL(&ni->ni_pam_sessions[i]); i++) {
-			if (ni->ni_pam_sessions[i].bv_len != svc.bv_len)
+			if (ni->ni_pam_sessions[i].bv_len != pi.svc.bv_len)
 				continue;
-			if (!strcasecmp(ni->ni_pam_sessions[i].bv_val, svc.bv_val)) {
+			if (!strcasecmp(ni->ni_pam_sessions[i].bv_val, pi.svc.bv_val)) {
 				found = 1;
 				break;
 			}
@@ -634,24 +633,18 @@ static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action)
 			Debug(LDAP_DEBUG_TRACE,
 				"nssov_pam_sess_%c(): service(%s) not configured, ignored\n",
 				action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c',
-				svc.bv_val,0);
+				pi.svc.bv_val,0);
 			rc = -1;
 			goto done;
 		}
 	}
 
-	slap_op_time( &op->o_time, &op->o_tincr );
-	timestamp.bv_len = sizeof(timebuf);
-	timestamp.bv_val = timebuf;
-	if (action == NSLCD_ACTION_PAM_SESS_O )
-		stamp = op->o_time;
-	slap_timestamp( &stamp, &timestamp );
-	bv[0].bv_len = timestamp.bv_len + global_host_bv.bv_len + svc.bv_len +
-		tty.bv_len + ruser.bv_len + rhost.bv_len + STRLENOF("    (@)");
+	bv[0].bv_len = timestamp.bv_len + global_host_bv.bv_len + pi.svc.bv_len +
+		pi.tty.bv_len + pi.ruser.bv_len + pi.rhost.bv_len + STRLENOF("    (@)");
 	bv[0].bv_val = op->o_tmpalloc( bv[0].bv_len+1, op->o_tmpmemctx );
 	sprintf(bv[0].bv_val, "%s %s %s %s (%s@%s)",
-		timestamp.bv_val, global_host_bv.bv_val, svc.bv_val, tty.bv_val,
-		ruser.bv_val, rhost.bv_val);
+		timestamp.bv_val, global_host_bv.bv_val, pi.svc.bv_val, pi.tty.bv_val,
+		pi.ruser.bv_val, pi.rhost.bv_val);
 
 	Debug(LDAP_DEBUG_TRACE, "nssov_pam_sess_%c(): loginStatus (%s) \n",
 			action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', bv[0].bv_val,0);
@@ -674,8 +667,8 @@ static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action)
 	op->o_ndn = op->o_bd->be_rootndn;
 	op->orm_modlist = &mod;
 	op->orm_no_opattrs = 1;
-	op->o_req_dn = dn;
-	op->o_req_ndn = dn;
+	op->o_req_dn = pi.dn;
+	op->o_req_ndn = pi.dn;
 	if (op->o_bd->be_modify( op, &rs ) != LDAP_SUCCESS) {
 		Debug(LDAP_DEBUG_TRACE,
 			"nssov_pam_sess_%c(): modify op failed\n",
@@ -696,12 +689,13 @@ done:;
 			"nssov_pam_sess_%c(): success\n",
 			action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c',
 			0,0);
-		sessionID = op->o_time;
 	}
 	WRITE_INT32(fp,NSLCD_VERSION);
 	WRITE_INT32(fp,action);
 	WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
-	WRITE_INT32(fp,sessionID);
+	if (action==NSLCD_ACTION_PAM_SESS_O)
+		WRITE_STRING(fp,timestamp.bv_val);
+	WRITE_INT32(fp,NSLCD_RESULT_END);
 	return 0;
 }
 
@@ -719,23 +713,33 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 {
 	struct berval npw;
 	int32_t tmpint32;
-	char dnc[1024];
 	char uidc[32];
+	char svcc[256];
+	char ruserc[32];
+	char rhostc[256];
+	char ttyc[256];
+	int asroot;
 	char opwc[256];
 	char npwc[256];
-	char svcc[256];
 	struct paminfo pi;
 	int rc;
 
 	READ_STRING(fp,uidc);
 	pi.uid.bv_val = uidc;
 	pi.uid.bv_len = tmpint32;
-	READ_STRING(fp,dnc);
-	pi.dn.bv_val = dnc;
-	pi.dn.bv_len = tmpint32;
 	READ_STRING(fp,svcc);
 	pi.svc.bv_val = svcc;
 	pi.svc.bv_len = tmpint32;
+	READ_STRING(fp,ruserc);
+	pi.ruser.bv_val = svcc;
+	pi.ruser.bv_len = tmpint32;
+	READ_STRING(fp,rhostc);
+	pi.rhost.bv_val = svcc;
+	pi.rhost.bv_len = tmpint32;
+	READ_STRING(fp,ttyc);
+	pi.tty.bv_val = svcc;
+	pi.tty.bv_len = tmpint32;
+	READ_INT32(fp, asroot);
 	READ_STRING(fp,opwc);
 	pi.pwd.bv_val = opwc;
 	pi.pwd.bv_len = tmpint32;
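Review bot: The three copies `pi.ruser.bv_val = svcc;`, `pi.rhost.bv_val = svcc;` and `pi.tty.bv_val = svcc;` point every new field at the service buffer instead of the buffer each READ_STRING just filled, so ruser, rhost and tty all alias `svcc` with the wrong length. They should read `pi.ruser.bv_val = ruserc;`, `pi.rhost.bv_val = rhostc;` and `pi.tty.bv_val = ttyc;`, matching the same sequence in pam_authc. The rest of pam_pwmod continues outside the hunk.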
@@ -743,9 +747,13 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 	npw.bv_val = npwc;
 	npw.bv_len = tmpint32;
 
-	Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(%s), %s\n",
+	rc = pam_uid2dn(ni, op, &pi);
+	if (rc) goto done;
+
+	Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(%s), %s %s\n",
 		pi.dn.bv_val ? pi.dn.bv_val : "NULL",
-		pi.uid.bv_val ? pi.uid.bv_val : "NULL" ,0);
+		pi.uid.bv_val ? pi.uid.bv_val : "NULL",
+		asroot ? "as root" : "as user");
 
 	BER_BVZERO(&pi.msg);
 	pi.ispwdmgr = 0;
@@ -760,18 +768,14 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 		goto done;
 	}
 
-	if (BER_BVISEMPTY(&pi.dn)) {
-		/* should not be here at all, pam_authc() should have returned */
-		/* error */
-		Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(), %s\n",
-			"prelim checking failed", 0, 0);
-		ber_str2bv("no pwmod requesting dn", 0, 0, &pi.msg);
-		rc = NSLCD_PAM_PERM_DENIED;
-		goto done;
-	}
-
-	if (!BER_BVISEMPTY(&ni->ni_pam_pwdmgr_dn) &&
-		!ber_bvcmp(&pi.dn, &ni->ni_pam_pwdmgr_dn)) {
+	if (asroot) {
+		if (BER_BVISEMPTY(&ni->ni_pam_pwdmgr_dn)) {
+			Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(), %s\n",
+				"pwdmgr not configured", 0, 0);
+			ber_str2bv("pwdmgr not configured", 0, 0, &pi.msg);
+			rc = NSLCD_PAM_PERM_DENIED;
+			goto done;
+		}
 		if (calleruid != 0) {
 			Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(): %s\n",
 				"caller is not root", 0, 0);
@@ -779,14 +783,8 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 			rc = NSLCD_PAM_PERM_DENIED;
 			goto done;
 		}
-		/* root user requesting pwmod, convert uid to dn */
+		/* root user requesting pwmod */
 		pi.ispwdmgr = 1;
-		rc = pam_uid2dn(ni, op, &pi);
-		if (rc) {
-			ber_str2bv("unable to convert uid to dn", 0, 0, &pi.msg);
-			rc = NSLCD_PAM_PERM_DENIED;
-			goto done;
-		}
 	}
 
 	if (!pi.ispwdmgr && BER_BVISEMPTY(&pi.pwd)) {
@@ -847,8 +845,6 @@ done:;
 	WRITE_INT32(fp,NSLCD_VERSION);
 	WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD);
 	WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
-	WRITE_BERVAL(fp,&pi.uid);
-	WRITE_BERVAL(fp,&pi.dn);
 	WRITE_INT32(fp,rc);
 	WRITE_BERVAL(fp,&pi.msg);
 	return 0;
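Review bot: The pwmod response ends after `WRITE_BERVAL(fp,&pi.msg)` without a `WRITE_INT32(fp,NSLCD_RESULT_END)`, whereas this commit adds that terminator to the authc, authz and sess responses and to nssov_config; if the v2 framing expects it here too, a client that reads up to RESULT_END will block or mis-parse. Adding `WRITE_INT32(fp,NSLCD_RESULT_END);` before `return 0;` makes the handlers consistent. The `done:` block starts outside the hunk.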
diff --git a/contrib/slapd-modules/nssov/passwd.c b/contrib/slapd-modules/nssov/passwd.c
index c92a7ee..4e6a8c1 100644
--- a/contrib/slapd-modules/nssov/passwd.c
+++ b/contrib/slapd-modules/nssov/passwd.c
@@ -378,8 +378,8 @@ static int write_passwd(nssov_passwd_cbp *cbp,Entry *entry)
 				WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN);
 				WRITE_BERVAL(cbp->fp,&names[i]);
 				WRITE_BERVAL(cbp->fp,&passwd);
-				WRITE_TYPE(cbp->fp,uid,uid_t);
-				WRITE_TYPE(cbp->fp,gid,gid_t);
+				WRITE_INT32(cbp->fp,uid);
+				WRITE_INT32(cbp->fp,gid);
 				WRITE_BERVAL(cbp->fp,&gecos);
 				WRITE_BERVAL(cbp->fp,&homedir);
 				WRITE_BERVAL(cbp->fp,&shell);
@@ -415,7 +415,7 @@ NSSOV_HANDLE(
 	char fbuf[1024];
 	struct berval filter = {sizeof(fbuf)};
 	filter.bv_val = fbuf;
-	READ_TYPE(fp,uid,uid_t);
+	READ_INT32(fp,uid);
 	cbp.id.bv_val = cbp.buf;
 	cbp.id.bv_len = snprintf(cbp.buf,sizeof(cbp.buf),"%d",uid);
 	BER_BVZERO(&cbp.name);,
