
nss-pam-ldapd commit: r1141 - in nss-pam-ldapd: . nslcd nss tests


nss-pam-ldapd commit: r1141 - in nss-pam-ldapd: . nslcd nss tests



Author: arthur
Date: Mon Jun 14 23:17:05 2010
New Revision: 1141
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1141

Log:
implement a global symbol inside the NSS module to allow applications to 
disable NSS lookups over LDAP and use it in nslcd to avoid deadlocks

Added:
   nss-pam-ldapd/nss/common.c
Modified:
   nss-pam-ldapd/configure.ac
   nss-pam-ldapd/nslcd/nslcd.c
   nss-pam-ldapd/nss/Makefile.am
   nss-pam-ldapd/nss/common.h
   nss-pam-ldapd/nss/exports.linux
   nss-pam-ldapd/nss/netgroup.c
   nss-pam-ldapd/nss/prototypes.h
   nss-pam-ldapd/tests/Makefile.am

Modified: nss-pam-ldapd/configure.ac
==============================================================================
--- nss-pam-ldapd/configure.ac  Mon Jun 14 23:05:52 2010        (r1140)
+++ nss-pam-ldapd/configure.ac  Mon Jun 14 23:17:05 2010        (r1141)
@@ -323,6 +323,7 @@
   # checks for availability of system libraries for nslcd
   AC_SEARCH_LIBS(gethostbyname,nsl socket)
   AC_SEARCH_LIBS(socket,socket)
+  AC_SEARCH_LIBS(dlopen,dl)
 
   # check for availability of functions
   AC_CHECK_FUNCS(setgroups)
@@ -330,6 +331,7 @@
   AC_CHECK_FUNCS(getpeerucred)
   AC_CHECK_FUNCS(__nss_configure_lookup)
   AC_CHECK_FUNCS(getenv putenv clearenv)
+  AC_CHECK_FUNCS(dlopen dlsym dlerror)
 
   # replace getopt_long() function if it is not on the system
   AC_REPLACE_FUNCS(getopt_long)
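Review bot: The result of the added `AC_CHECK_FUNCS(dlopen dlsym dlerror)` is never consulted: nslcd/nslcd.c in this same commit includes <dlfcn.h> and calls dlopen()/dlsym()/dlerror() unconditionally, so on a platform that lacks them the build breaks at compile time instead of failing at configure time with a clear message. Either guard the nslcd code with `#ifdef HAVE_DLOPEN` and keep the `__nss_configure_lookup` path as the alternative, or make the check mandatory here, e.g. `AC_CHECK_FUNCS(dlopen dlsym dlerror,,AC_MSG_ERROR([dlopen support is required to build nslcd]))`. The `AC_SEARCH_LIBS(dlopen,dl)` line in the previous hunk also only adds -ldl when found and does not fail otherwise.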

Modified: nss-pam-ldapd/nslcd/nslcd.c
==============================================================================
--- nss-pam-ldapd/nslcd/nslcd.c Mon Jun 14 23:05:52 2010        (r1140)
+++ nss-pam-ldapd/nslcd/nslcd.c Mon Jun 14 23:17:05 2010        (r1141)
@@ -55,6 +55,7 @@
 #ifndef HAVE_DAEMON
 #include "compat/daemon.h"
 #endif /* not HAVE_DAEMON */
+#include <dlfcn.h>
 
 #include "nslcd.h"
 #include "log.h"
@@ -565,6 +566,41 @@
   return NULL;
 }
 
+/* function to disable lookups through the nss_ldap module to avoid lookup
+   loops */
+static void disable_nss_ldap(void)
+{
+  void *handle;
+  char *error;
+  int *enable_flag;
+  /* try to load the NSS module */
+  handle=dlopen("libnss_ldap.so.2",RTLD_LAZY);
+  if (handle==NULL)
+  {
+    log_log(LOG_WARNING,"Warning: LDAP NSS module not loaded: %s",dlerror());
+    return;
+  }
+  /* clear any existing errors */
+  dlerror();
+  /* try to look up the flag */
+  enable_flag=(int *)dlsym(handle,"_nss_ldap_enablelookups");
+  error=dlerror();
+  if (error!=NULL)
+  {
+    log_log(LOG_WARNING,"Warning: %s (probably older NSS module 
loaded)",error);
+    /* fall back to changing the way host lookup is done */
+#ifdef HAVE___NSS_CONFIGURE_LOOKUP
+    if (__nss_configure_lookup("hosts","files dns"))
+      log_log(LOG_ERR,"unable to override hosts lookup method: 
%s",strerror(errno));
+#endif /* HAVE___NSS_CONFIGURE_LOOKUP */
+    return;
+  }
+  /* disable nss_ldap */
+  *enable_flag=0;
+  /* we don't do dlclose() because we want the symbol change to be
+     persistent */
+}
+
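Review bot: When dlopen() fails, the first branch of disable_nss_ldap only logs a warning and returns, so the `__nss_configure_lookup("hosts","files dns")` fallback that the removed code applied unconditionally is now reached only from the dlsym() failure branch; a process that cannot dlopen libnss_ldap.so.2 by that soname but whose libc still resolves the `ldap` service from nsswitch.conf would lose the loop protection entirely, and only at LOG_WARNING level. I would factor the fallback into a helper and call it from both failure branches, and consider whether failing to neutralise the module should be fatal for a daemon whose whole purpose is to serve those lookups. The plain `int` store at `*enable_flag=0` is also only safe if it happens before nslcd starts its worker threads; main() continues outside this hunk, so that ordering cannot be confirmed here and deserves a comment at the call site, e.g. `/* must run before any thread is started: the flag is a plain int read by every NSS entry point */`.
```c
/* fall back to resolving hosts through files and dns only, so a host
   lookup from nslcd can never recurse into nss_ldap */
static void disable_nss_ldap_fallback(void)
{
#ifdef HAVE___NSS_CONFIGURE_LOOKUP
  if (__nss_configure_lookup("hosts","files dns"))
    log_log(LOG_ERR,"unable to override hosts lookup method: %s",strerror(errno));
#endif /* HAVE___NSS_CONFIGURE_LOOKUP */
}

static void disable_nss_ldap(void)
{
  /* … unchanged: declarations and dlopen() … */
  if (handle==NULL)
  {
    log_log(LOG_WARNING,"Warning: LDAP NSS module not loaded: %s",dlerror());
    disable_nss_ldap_fallback();
    return;
  }
  /* … unchanged: dlerror() reset and dlsym() … */
  if (error!=NULL)
  {
    log_log(LOG_WARNING,"Warning: %s (probably older NSS module loaded)",error);
    disable_nss_ldap_fallback();
    return;
  }
  /* … unchanged: *enable_flag=0 and the note on not calling dlclose() … */
}
```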
 /* the main program... */
 int main(int argc,char *argv[])
 {
@@ -585,14 +621,8 @@
   /* this is a bit ugly */
   environ=sane_environment;
 #endif /* not HAVE_CLEARENV */
-  /* disable ldap lookups of host names to avoid lookup loop
-     and fall back to files dns (a sensible default) */
-  /* TODO: parse /etc/nsswitch ourselves and just remove ldap from the list */
-#ifdef HAVE___NSS_CONFIGURE_LOOKUP
-  if (__nss_configure_lookup("hosts","files dns"))
-    log_log(LOG_ERR,"unable to override hosts lookup method: 
%s",strerror(errno));
-#endif /* HAVE___NSS_CONFIGURE_LOOKUP */
-  /* FIXME: have some other mechanism for systems that don't have this */
+  /* disable the nss_ldap module for this process */
+  disable_nss_ldap();
   /* set LDAP log level */
   if (myldap_set_debuglevel(nslcd_debugging)!=LDAP_SUCCESS)
     exit(EXIT_FAILURE);

Modified: nss-pam-ldapd/nss/Makefile.am
==============================================================================
--- nss-pam-ldapd/nss/Makefile.am       Mon Jun 14 23:05:52 2010        (r1140)
+++ nss-pam-ldapd/nss/Makefile.am       Mon Jun 14 23:17:05 2010        (r1141)
@@ -2,7 +2,7 @@
 #
 # Copyright (C) 2006 Luke Howard
 # Copyright (C) 2006 West Consulting
-# Copyright (C) 2006, 2007, 2009 Arthur de Jong
+# Copyright (C) 2006, 2007, 2009, 2010 Arthur de Jong
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -28,7 +28,7 @@
 NSS_VERS = 2
 NSS_LDAP_NSS_VERSIONED = libnss_ldap.so.$(NSS_VERS)
 
-nss_ldap_so_SOURCES = common.h prototypes.h \
+nss_ldap_so_SOURCES = common.c common.h prototypes.h \
                       ../nslcd.h ../common/nslcd-prot.h \
                       ../compat/attrs.h \
                       aliases.c ethers.c group.c hosts.c netgroup.c \

Added: nss-pam-ldapd/nss/common.c
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ nss-pam-ldapd/nss/common.c  Mon Jun 14 23:17:05 2010        (r1141)
@@ -0,0 +1,22 @@
+/*
+   common.c - common definitions
+
+   Copyright (C) 2010 Arthur de Jong
+
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+   02110-1301 USA
+*/
+
+int _nss_ldap_enablelookups=1;
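Review bot: The new exported flag `_nss_ldap_enablelookups` is defined without any comment, although it is part of the module's public ABI (it is listed in exports.linux) and is written from another binary through dlsym(). I would document its contract where it is defined: `/* set to 0 to make every _nss_ldap_*() entry point return NSS_STATUS_UNAVAIL without contacting nslcd; nslcd clears it in its own process via dlsym() to avoid lookup loops, and any other code loaded in the process may do the same */`. It is a plain `int`, so the comment should also state that it is expected to be changed before the first lookup (nslcd does so at startup) rather than concurrently with lookups.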

Modified: nss-pam-ldapd/nss/common.h
==============================================================================
--- nss-pam-ldapd/nss/common.h  Mon Jun 14 23:05:52 2010        (r1140)
+++ nss-pam-ldapd/nss/common.h  Mon Jun 14 23:17:05 2010        (r1141)
@@ -2,7 +2,7 @@
    common.h - common functions for NSS lookups
 
    Copyright (C) 2006 West Consulting
-   Copyright (C) 2006, 2007, 2008, 2009 Arthur de Jong
+   Copyright (C) 2006, 2007, 2008, 2009, 2010 Arthur de Jong
 
    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
@@ -83,6 +83,8 @@
   TFILE *fp; \
   int32_t tmpint32; \
   enum nss_status retv; \
+  if (!_nss_ldap_enablelookups) \
+    return NSS_STATUS_UNAVAIL; \
   /* check that we have a valid buffer */ \
   if ((buffer==NULL)||(buflen<=0)) \
   { \
@@ -117,6 +119,8 @@
 /* This macro generates a simple setent() function body. This closes any
    open streams so that NSS_GETENT() can open a new file. */
 #define NSS_SETENT(fp) \
+  if (!_nss_ldap_enablelookups) \
+    return NSS_STATUS_UNAVAIL; \
   if (fp!=NULL) \
   { \
     (void)tio_close(fp); \
@@ -130,6 +134,8 @@
 #define NSS_GETENT(fp,action,readfn) \
   int32_t tmpint32; \
   enum nss_status retv; \
+  if (!_nss_ldap_enablelookups) \
+    return NSS_STATUS_UNAVAIL; \
   /* check that we have a valid buffer */ \
   if ((buffer==NULL)||(buflen<=0)) \
   { \
@@ -174,6 +180,8 @@
 /* This macro generates a endent() function body. This just closes
    the stream. */
 #define NSS_ENDENT(fp) \
+  if (!_nss_ldap_enablelookups) \
+    return NSS_STATUS_UNAVAIL; \
   if (fp!=NULL) \
   { \
     (void)tio_close(fp); \
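Review bot: In NSS_ENDENT the new guard returns NSS_STATUS_UNAVAIL before the stream is closed, so if the flag is cleared after a setent() has already opened `fp` the connection to nslcd is never released, and since NSS_SETENT is guarded the same way nothing will close it later. Closing a stream cannot itself trigger an LDAP lookup, so I would drop the `if (!_nss_ldap_enablelookups) return NSS_STATUS_UNAVAIL;` lines from NSS_ENDENT, or move them after the `tio_close(fp)` / reset block so the cleanup always runs. The same applies to the hand-written endnetgrent() in netgroup.c if it gets an equivalent guard.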

Modified: nss-pam-ldapd/nss/exports.linux
==============================================================================
--- nss-pam-ldapd/nss/exports.linux     Mon Jun 14 23:05:52 2010        (r1140)
+++ nss-pam-ldapd/nss/exports.linux     Mon Jun 14 23:17:05 2010        (r1141)
@@ -3,6 +3,9 @@
   # published NSS service functions
   global:
 
+    # flag to enable or disable lookups
+    _nss_ldap_enablelookups;
+
     # aliases - mail aliases
     _nss_ldap_getaliasbyname_r;
     _nss_ldap_setaliasent;

Modified: nss-pam-ldapd/nss/netgroup.c
==============================================================================
--- nss-pam-ldapd/nss/netgroup.c        Mon Jun 14 23:05:52 2010        (r1140)
+++ nss-pam-ldapd/nss/netgroup.c        Mon Jun 14 23:17:05 2010        (r1141)
@@ -96,6 +96,8 @@
   int32_t tmpint32;
   int errnocp;
   int *errnop;
+  if (!_nss_ldap_enablelookups)
+    return NSS_STATUS_UNAVAIL;
   errnop=&errnocp;
   /* check parameter */
   if ((group==NULL)||(group[0]=='\0'))
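Review bot: Only one function in netgroup.c receives the manual `if (!_nss_ldap_enablelookups) return NSS_STATUS_UNAVAIL;` guard; the enclosing function's signature and the rest of netgroup.c are outside this hunk, so it is not visible whether the other netgroup entry points (getnetgrent_r, endnetgrent) use the NSS_GETENT/NSS_ENDENT macros that now carry the check or are hand-written like this one. If they are hand-written they need the same guard, otherwise a disabled module still talks to nslcd for netgroup enumeration. A one-line comment such as `/* mirrors the check in the NSS_*() macros, which this function does not use */` would make the duplication deliberate rather than accidental.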

Modified: nss-pam-ldapd/nss/prototypes.h
==============================================================================
--- nss-pam-ldapd/nss/prototypes.h      Mon Jun 14 23:05:52 2010        (r1140)
+++ nss-pam-ldapd/nss/prototypes.h      Mon Jun 14 23:17:05 2010        (r1141)
@@ -2,7 +2,7 @@
    prototypes.h - all functions exported by the NSS library
 
    Copyright (C) 2006 West Consulting
-   Copyright (C) 2006, 2008 Arthur de Jong
+   Copyright (C) 2006, 2008, 2010 Arthur de Jong
 
    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
@@ -97,6 +97,10 @@
    http://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html
 */
 
+/* flag to gloabally disable lookups (all _nss_ldap_*() functions will return
+   NSS_STATUS_UNAVAIL */
+extern int _nss_ldap_enablelookups;
+
 /* aliases - mail aliases */
 enum nss_status _nss_ldap_getaliasbyname_r(const char *name,struct aliasent 
*result,char *buffer,size_t buflen,int *errnop);
 enum nss_status _nss_ldap_setaliasent(void);
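Review bot: The comment on the new `extern int _nss_ldap_enablelookups;` declaration has a typo ("gloabally") and an unclosed parenthesis, which matters because this header is the only public description of the flag. Suggested wording: `/* flag to globally disable lookups (when 0, all _nss_ldap_*() functions return NSS_STATUS_UNAVAIL without contacting nslcd) */`.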

Modified: nss-pam-ldapd/tests/Makefile.am
==============================================================================
--- nss-pam-ldapd/tests/Makefile.am     Mon Jun 14 23:05:52 2010        (r1140)
+++ nss-pam-ldapd/tests/Makefile.am     Mon Jun 14 23:17:05 2010        (r1141)
@@ -1,7 +1,7 @@
 # Makefile.am - use automake to generate Makefile.in
 #
 # Copyright (C) 2006 West Consulting
-# Copyright (C) 2006, 2007, 2008, 2009 Arthur de Jong
+# Copyright (C) 2006, 2007, 2008, 2009, 2010 Arthur de Jong
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -86,7 +86,7 @@
                     ../common/libdict.a ../compat/libcompat.a
 
 common_SOURCES = ../common/nslcd-prot.c ../nslcd.h ../nss/prototypes.h \
-                 ../common/tio.c ../common/tio.h
+                 ../common/tio.c ../common/tio.h ../nss/common.c
 
 test_aliases_SOURCES = test_aliases.c ../nss/aliases.c $(common_SOURCES)
 test_ethers_SOURCES = test_ethers.c ../nss/ethers.c $(common_SOURCES)