
nss-pam-ldapd commit: r1338 - in nss-pam-ldapd: man nslcd


nss-pam-ldapd commit: r1338 - in nss-pam-ldapd: man nslcd



Author: arthur
Date: Mon Dec 20 11:18:27 2010
New Revision: 1338
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1338

Log:
implement a nss_min_uid option to filter user entries returned by LDAP

Modified:
   nss-pam-ldapd/man/nslcd.conf.5.xml
   nss-pam-ldapd/nslcd/cfg.c
   nss-pam-ldapd/nslcd/cfg.h
   nss-pam-ldapd/nslcd/group.c
   nss-pam-ldapd/nslcd/passwd.c

Modified: nss-pam-ldapd/man/nslcd.conf.5.xml
==============================================================================
--- nss-pam-ldapd/man/nslcd.conf.5.xml  Sat Dec 18 18:39:57 2010        (r1337)
+++ nss-pam-ldapd/man/nslcd.conf.5.xml  Mon Dec 20 11:18:27 2010        (r1338)
@@ -649,6 +649,17 @@
     </varlistentry>
 
     <varlistentry>
+     <term><option>nss_min_uid</option> <replaceable>UID</replaceable></term>
+     <listitem>
+      <para>
+       This option ensures that <acronym>LDAP</acronym> users with a numeric
+       user id lower than the specified value are ignored. Also requests for
+       users with a lower user id are ignored.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
      <term><option>pam_authz_search</option>
            <replaceable>FILTER</replaceable></term>
      <listitem>

Modified: nss-pam-ldapd/nslcd/cfg.c
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.c   Sat Dec 18 18:39:57 2010        (r1337)
+++ nss-pam-ldapd/nslcd/cfg.c   Mon Dec 20 11:18:27 2010        (r1338)
@@ -120,6 +120,7 @@
   cfg->ldc_pagesize=0;
   cfg->ldc_nss_initgroups_ignoreusers=NULL;
   cfg->ldc_pam_authz_search=NULL;
+  cfg->ldc_nss_min_uid=0;
 }
 
 /* simple strdup wrapper */
@@ -1050,6 +1051,11 @@
       check_argumentcount(filename,lnr,keyword,(line!=NULL)&&(*line!='\0'));
       cfg->ldc_pam_authz_search=xstrdup(line);
     }
+    else if (strcasecmp(keyword,"nss_min_uid")==0)
+    {
+      get_uid(filename,lnr,keyword,&line,&cfg->ldc_nss_min_uid);
+      get_eol(filename,lnr,keyword,&line);
+    }
 #ifdef ENABLE_CONFIGFILE_CHECKING
     /* fallthrough */
     else

Modified: nss-pam-ldapd/nslcd/cfg.h
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.h   Sat Dec 18 18:39:57 2010        (r1337)
+++ nss-pam-ldapd/nslcd/cfg.h   Mon Dec 20 11:18:27 2010        (r1338)
@@ -137,6 +137,8 @@
   SET *ldc_nss_initgroups_ignoreusers;
   /* the search that should be performed to do autorisation checks */
   char *ldc_pam_authz_search;
+  /* minimum uid for users retreived from LDAP */
+  uid_t ldc_nss_min_uid;
 };
 
 /* this is a pointer to the global configuration, it should be available
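Review bot: The new field comment on `ldc_nss_min_uid` misspells "retrieved" and does not say that 0 disables the filter, which is the default set in cfg.c and the meaning entry_has_valid_uid in passwd.c relies on. Suggest `/* minimum uid for users retrieved from LDAP (0 means no filtering) */`. It would also help to note that the same value is applied to incoming byuid requests, since the field is read in two different code paths.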

Modified: nss-pam-ldapd/nslcd/group.c
==============================================================================
--- nss-pam-ldapd/nslcd/group.c Sat Dec 18 18:39:57 2010        (r1337)
+++ nss-pam-ldapd/nslcd/group.c Mon Dec 20 11:18:27 2010        (r1338)
@@ -69,7 +69,6 @@
 /* default values for attributes */
 static const char *default_group_userPassword     = "*"; /* unmatchable */
 
-
 /* the attribute list to request with searches */
 static const char *group_attrs[6];
 

Modified: nss-pam-ldapd/nslcd/passwd.c
==============================================================================
--- nss-pam-ldapd/nslcd/passwd.c        Sat Dec 18 18:39:57 2010        (r1337)
+++ nss-pam-ldapd/nslcd/passwd.c        Mon Dec 20 11:18:27 2010        (r1338)
@@ -138,13 +138,46 @@
 };
 #define DN2UID_CACHE_TIMEOUT (15*60)
 
+/* checks whether the entry has a valid uidNumber attribute
+   (>= nss_min_uid) */
+static int entry_has_valid_uid(MYLDAP_ENTRY *entry)
+{
+  int i;
+  const char **values;
+  char *tmp;
+  uid_t uid;
+  /* if min_uid is not set any entry should do */
+  if (nslcd_cfg->ldc_nss_min_uid==0)
+    return 1;
+  /* get all uidNumber attributes */
+  values=myldap_get_values(entry,attmap_passwd_uidNumber);
+  if ((values==NULL)||(values[0]==NULL))
+  {
+    log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
+                        myldap_get_dn(entry),attmap_passwd_uidNumber);
+    return 0;
+  }
+  /* check if there is a uidNumber attributes >= min_uid */
+  for (i=0;values[i]!=NULL;i++)
+  {
+    uid=(uid_t)strtol(values[i],&tmp,0);
+    if ((*(values[i])=='\0')||(*tmp!='\0'))
+      log_log(LOG_WARNING,"passwd entry %s contains non-numeric %s value",
+                          myldap_get_dn(entry),attmap_passwd_uidNumber);
+    else if (uid>=nslcd_cfg->ldc_nss_min_uid)
+      return 1;
+  }
+  /* nothing found */
+  return 0;
+}
+
 /* Perform an LDAP lookup to translate the DN into a uid.
    This function either returns NULL or a strdup()ed string. */
 char *lookup_dn2uid(MYLDAP_SESSION *session,const char *dn,int *rcp,char 
*buf,size_t buflen)
 {
   MYLDAP_SEARCH *search;
   MYLDAP_ENTRY *entry;
-  static const char *attrs[2];
+  static const char *attrs[3];
   int rc=LDAP_SUCCESS;
   const char **values;
   char *uid=NULL;
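Review bot: The uidNumber parse in entry_has_valid_uid does not reject negative or out-of-range values: `strtol` returns a `long`, and casting a negative result such as -1 to `uid_t` wraps to a large positive number that then passes the `uid>=ldc_nss_min_uid` test, so a malformed attribute is accepted instead of filtered. Set `errno` to 0 before the call and check `ERANGE` and the sign on the `long` before casting (`<errno.h>` must be in scope; whether passwd.c already includes it is not visible here). Base 0 also accepts hex and octal spellings (`010` parses as 8), so if the uid is parsed in base 10 where the passwd entry is written, using base 10 here keeps the two in agreement — worth confirming against that other parse. The `/* nothing found */` return is silent, so an entry dropped purely because of nss_min_uid leaves no trace in the log; a `log_log(LOG_DEBUG,...)` there lets an operator see why a user vanished. lookup_dn2uid, which begins at the end of this hunk, continues outside it.
```c
  long val;    /* replaces the uid_t uid local */
  /* … unchanged: min_uid==0 shortcut and myldap_get_values() presence check … */
  /* check if there is a uidNumber attributes >= min_uid */
  for (i=0;values[i]!=NULL;i++)
  {
    errno=0;
    val=strtol(values[i],&tmp,10);
    if ((*(values[i])=='\0')||(*tmp!='\0')||(errno==ERANGE)||(val<0))
      log_log(LOG_WARNING,"passwd entry %s contains non-numeric %s value",
                          myldap_get_dn(entry),attmap_passwd_uidNumber);
    else if ((uid_t)val>=nslcd_cfg->ldc_nss_min_uid)
      return 1;
  }
  /* nothing found */
  log_log(LOG_DEBUG,"passwd entry %s has no %s value >= nss_min_uid",
                    myldap_get_dn(entry),attmap_passwd_uidNumber);
  return 0;
```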
@@ -152,7 +185,8 @@
     rcp=&rc;
   /* we have to look up the entry */
   attrs[0]=attmap_passwd_uid;
-  attrs[1]=NULL;
+  attrs[1]=attmap_passwd_uidNumber;
+  attrs[2]=NULL;
   search=myldap_search(session,dn,LDAP_SCOPE_BASE,passwd_filter,attrs,rcp);
   if (search==NULL)
   {
@@ -166,13 +200,17 @@
       log_log(LOG_WARNING,"lookup of user %s failed: 
%s",dn,ldap_err2string(*rcp));
     return NULL;
   }
-  /* get uid (just use first one) */
-  values=myldap_get_values(entry,attmap_passwd_uid);
-  /* check the result for presence and validity */
-  if 
((values!=NULL)&&(values[0]!=NULL)&&isvalidname(values[0])&&(strlen(values[0])<buflen))
+  /* check the uidNumber attribute if min_uid is set */
+  if (entry_has_valid_uid(entry))
   {
-    strcpy(buf,values[0]);
-    uid=buf;
+    /* get uid (just use first one) */
+    values=myldap_get_values(entry,attmap_passwd_uid);
+    /* check the result for presence and validity */
+    if 
((values!=NULL)&&(values[0]!=NULL)&&isvalidname(values[0])&&(strlen(values[0])<buflen))
+    {
+      strcpy(buf,values[0]);
+      uid=buf;
+    }
   }
   /* clean up and return */
   myldap_search_close(search);
@@ -258,14 +296,15 @@
   MYLDAP_ENTRY *entry=NULL;
   const char *base;
   int i;
-  static const char *attrs[2];
+  static const char *attrs[3];
   char filter[1024];
   /* if it isn't a valid username, just bail out now */
   if (!isvalidname(uid))
     return NULL;
   /* set up attributes (we don't need much) */
   attrs[0]=attmap_passwd_uid;
-  attrs[1]=NULL;
+  attrs[1]=attmap_passwd_uidNumber;
+  attrs[2]=NULL;
   /* we have to look up the entry */
   mkfilter_passwd_byname(uid,filter,sizeof(filter));
   for (i=0;(i<NSS_LDAP_CONFIG_MAX_BASES)&&((base=passwd_bases[i])!=NULL);i++)
@@ -274,7 +313,7 @@
     if (search==NULL)
       return NULL;
     entry=myldap_get_entry(search,NULL);
-    if (entry!=NULL)
+    if ((entry!=NULL)&&(entry_has_valid_uid(entry)))
       return entry;
   }
   return NULL;
@@ -393,14 +432,17 @@
       {
         for (j=0;j<numuids;j++)
         {
-          WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
-          WRITE_STRING(fp,usernames[i]);
-          WRITE_STRING(fp,passwd);
-          WRITE_TYPE(fp,uids[j],uid_t);
-          WRITE_TYPE(fp,gid,gid_t);
-          WRITE_STRING(fp,gecos);
-          WRITE_STRING(fp,homedir);
-          WRITE_STRING(fp,shell);
+          if (uids[j]>=nslcd_cfg->ldc_nss_min_uid)
+          {
+            WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
+            WRITE_STRING(fp,usernames[i]);
+            WRITE_STRING(fp,passwd);
+            WRITE_TYPE(fp,uids[j],uid_t);
+            WRITE_TYPE(fp,gid,gid_t);
+            WRITE_STRING(fp,gecos);
+            WRITE_STRING(fp,homedir);
+            WRITE_STRING(fp,shell);
+          }
         }
       }
     }
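Review bot: The new `if (uids[j]>=nslcd_cfg->ldc_nss_min_uid)` wraps the whole WRITE_* sequence in another indentation level inside an already deeply nested loop; a guard clause reads better and keeps the eight write lines at their previous depth: `if (uids[j]<nslcd_cfg->ldc_nss_min_uid) continue;`. A short comment such as `/* skip uids below nss_min_uid */` on that line would make the reason for the filter visible at the point where entries can disappear. The enclosing write_passwd function starts and ends outside this hunk.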
@@ -427,7 +469,14 @@
   uid_t uid;
   char filter[1024];
   READ_TYPE(fp,uid,uid_t);
-  log_setrequest("passwd=%d",(int)uid);,
+  log_setrequest("passwd=%d",(int)uid);
+  if (uid<nslcd_cfg->ldc_nss_min_uid)
+  {
+    /* return an empty result */
+    WRITE_INT32(fp,NSLCD_VERSION);
+    WRITE_INT32(fp,NSLCD_ACTION_PASSWD_BYUID);
+    WRITE_INT32(fp,NSLCD_RESULT_END);
+  },
   NSLCD_ACTION_PASSWD_BYUID,
   mkfilter_passwd_byuid(uid,filter,sizeof(filter)),
   write_passwd(fp,entry,NULL,&uid,calleruid)
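Review bot: The early empty-result block in the byuid handler writes NSLCD_VERSION, the action and NSLCD_RESULT_END but does not leave the handler, so unless NSLCD_HANDLE itself stops after this argument (the macro body is not visible here), the lookup still runs afterwards and a second response header is written to the same stream, which the client cannot parse. Adding `return 0;` after `WRITE_INT32(fp,NSLCD_RESULT_END);`, using whatever value the macro's other early exits return, makes the block self-contained. It may also be worth a `log_log(LOG_DEBUG,...)` line before returning so that refused low-uid requests are visible when diagnosing a lookup that returns nothing.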