nss-pam-ldapd commit: r1338 - in nss-pam-ldapd: man nslcd
nss-pam-ldapd commit: r1338 - in nss-pam-ldapd: man nslcd
- From: Commits of the nss-pam-ldapd project <nss-pam-ldapd-commits [at] lists.arthurdejong.org>
- To: nss-pam-ldapd-commits [at] lists.arthurdejong.org
- Reply-to: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: nss-pam-ldapd commit: r1338 - in nss-pam-ldapd: man nslcd
- Date: Mon, 20 Dec 2010 11:18:29 +0100 (CET)
Author: arthur
Date: Mon Dec 20 11:18:27 2010
New Revision: 1338
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1338
Log:
implement a nss_min_uid option to filter user entries returned by LDAP
Modified:
nss-pam-ldapd/man/nslcd.conf.5.xml
nss-pam-ldapd/nslcd/cfg.c
nss-pam-ldapd/nslcd/cfg.h
nss-pam-ldapd/nslcd/group.c
nss-pam-ldapd/nslcd/passwd.c
Modified: nss-pam-ldapd/man/nslcd.conf.5.xml
==============================================================================
--- nss-pam-ldapd/man/nslcd.conf.5.xml Sat Dec 18 18:39:57 2010 (r1337)
+++ nss-pam-ldapd/man/nslcd.conf.5.xml Mon Dec 20 11:18:27 2010 (r1338)
@@ -649,6 +649,17 @@
</varlistentry>
<varlistentry>
+ <term><option>nss_min_uid</option> <replaceable>UID</replaceable></term>
+ <listitem>
+ <para>
+ This option ensures that <acronym>LDAP</acronym> users with a numeric
+ user id lower than the specified value are ignored. Also requests for
+ users with a lower user id are ignored.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>pam_authz_search</option>
<replaceable>FILTER</replaceable></term>
<listitem>
Modified: nss-pam-ldapd/nslcd/cfg.c
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.c Sat Dec 18 18:39:57 2010 (r1337)
+++ nss-pam-ldapd/nslcd/cfg.c Mon Dec 20 11:18:27 2010 (r1338)
@@ -120,6 +120,7 @@
cfg->ldc_pagesize=0;
cfg->ldc_nss_initgroups_ignoreusers=NULL;
cfg->ldc_pam_authz_search=NULL;
+ cfg->ldc_nss_min_uid=0;
}
/* simple strdup wrapper */
@@ -1050,6 +1051,11 @@
check_argumentcount(filename,lnr,keyword,(line!=NULL)&&(*line!='\0'));
cfg->ldc_pam_authz_search=xstrdup(line);
}
+ else if (strcasecmp(keyword,"nss_min_uid")==0)
+ {
+ get_uid(filename,lnr,keyword,&line,&cfg->ldc_nss_min_uid);
+ get_eol(filename,lnr,keyword,&line);
+ }
#ifdef ENABLE_CONFIGFILE_CHECKING
/* fallthrough */
else
Modified: nss-pam-ldapd/nslcd/cfg.h
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.h Sat Dec 18 18:39:57 2010 (r1337)
+++ nss-pam-ldapd/nslcd/cfg.h Mon Dec 20 11:18:27 2010 (r1338)
@@ -137,6 +137,8 @@
SET *ldc_nss_initgroups_ignoreusers;
/* the search that should be performed to do autorisation checks */
char *ldc_pam_authz_search;
+ /* minimum uid for users retreived from LDAP */
+ uid_t ldc_nss_min_uid;
};
/* this is a pointer to the global configuration, it should be available
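Review bot: The comment on the new `ldc_nss_min_uid` field misspells "retrieved" and does not say what the default value means, even though cfg.c initialises the field to 0 and the passwd code treats 0 as "no minimum". I would write it as `/* minimum uid for users retrieved from LDAP (0 means no minimum) */` so a reader of the header does not have to find that convention in passwd.c. The struct whose tail is shown here opens outside the hunk.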
Modified: nss-pam-ldapd/nslcd/group.c
==============================================================================
--- nss-pam-ldapd/nslcd/group.c Sat Dec 18 18:39:57 2010 (r1337)
+++ nss-pam-ldapd/nslcd/group.c Mon Dec 20 11:18:27 2010 (r1338)
@@ -69,7 +69,6 @@
/* default values for attributes */
static const char *default_group_userPassword = "*"; /* unmatchable */
-
/* the attribute list to request with searches */
static const char *group_attrs[6];
Modified: nss-pam-ldapd/nslcd/passwd.c
==============================================================================
--- nss-pam-ldapd/nslcd/passwd.c Sat Dec 18 18:39:57 2010 (r1337)
+++ nss-pam-ldapd/nslcd/passwd.c Mon Dec 20 11:18:27 2010 (r1338)
@@ -138,13 +138,46 @@
};
#define DN2UID_CACHE_TIMEOUT (15*60)
+/* checks whether the entry has a valid uidNumber attribute
+ (>= nss_min_uid) */
+static int entry_has_valid_uid(MYLDAP_ENTRY *entry)
+{
+ int i;
+ const char **values;
+ char *tmp;
+ uid_t uid;
+ /* if min_uid is not set any entry should do */
+ if (nslcd_cfg->ldc_nss_min_uid==0)
+ return 1;
+ /* get all uidNumber attributes */
+ values=myldap_get_values(entry,attmap_passwd_uidNumber);
+ if ((values==NULL)||(values[0]==NULL))
+ {
+ log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_passwd_uidNumber);
+ return 0;
+ }
+ /* check if there is a uidNumber attributes >= min_uid */
+ for (i=0;values[i]!=NULL;i++)
+ {
+ uid=(uid_t)strtol(values[i],&tmp,0);
+ if ((*(values[i])=='\0')||(*tmp!='\0'))
+ log_log(LOG_WARNING,"passwd entry %s contains non-numeric %s value",
+ myldap_get_dn(entry),attmap_passwd_uidNumber);
+ else if (uid>=nslcd_cfg->ldc_nss_min_uid)
+ return 1;
+ }
+ /* nothing found */
+ return 0;
+}
+
/* Perform an LDAP lookup to translate the DN into a uid.
This function either returns NULL or a strdup()ed string. */
char *lookup_dn2uid(MYLDAP_SESSION *session,const char *dn,int *rcp,char
*buf,size_t buflen)
{
MYLDAP_SEARCH *search;
MYLDAP_ENTRY *entry;
- static const char *attrs[2];
+ static const char *attrs[3];
int rc=LDAP_SUCCESS;
const char **values;
char *uid=NULL;
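Review bot: The uidNumber parse in entry_has_valid_uid, the `uid=(uid_t)strtol(values[i],&tmp,0);` line, accepts negative and out-of-range values: a value such as `-1` parses without a trailing-garbage error, the cast to uid_t turns it into a very large number on the usual unsigned uid_t, and it then satisfies `uid>=nslcd_cfg->ldc_nss_min_uid`, so an entry whose uidNumber is not a sane uid at all passes the minimum-uid filter. Base 0 also silently accepts hexadecimal and octal spellings, which is unlikely to be intended for an LDAP uidNumber attribute. I would parse with strtoul in base 10, reset errno before the call and check it for ERANGE afterwards, and treat a leading '-' like a non-numeric value; that needs `<errno.h>`, which this hunk does not show being included. Whether this agrees with how write_passwd derives uids[] (outside this hunk) is worth confirming so the two checks cannot disagree on the same entry.
```c
  /* check if there is a uidNumber attribute >= min_uid */
  for (i=0;values[i]!=NULL;i++)
  {
    errno=0;
    uid=(uid_t)strtoul(values[i],&tmp,10);
    /* reject empty, negative, trailing-garbage and out-of-range values */
    if ((*(values[i])=='\0')||(*(values[i])=='-')||(*tmp!='\0')||(errno==ERANGE))
      log_log(LOG_WARNING,"passwd entry %s contains non-numeric %s value",
              myldap_get_dn(entry),attmap_passwd_uidNumber);
    else if (uid>=nslcd_cfg->ldc_nss_min_uid)
      return 1;
  }
  /* … unchanged: "nothing found" return … */
```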
@@ -152,7 +185,8 @@
rcp=&rc;
/* we have to look up the entry */
attrs[0]=attmap_passwd_uid;
- attrs[1]=NULL;
+ attrs[1]=attmap_passwd_uidNumber;
+ attrs[2]=NULL;
search=myldap_search(session,dn,LDAP_SCOPE_BASE,passwd_filter,attrs,rcp);
if (search==NULL)
{
@@ -166,13 +200,17 @@
log_log(LOG_WARNING,"lookup of user %s failed:
%s",dn,ldap_err2string(*rcp));
return NULL;
}
- /* get uid (just use first one) */
- values=myldap_get_values(entry,attmap_passwd_uid);
- /* check the result for presence and validity */
- if
((values!=NULL)&&(values[0]!=NULL)&&isvalidname(values[0])&&(strlen(values[0])<buflen))
+ /* check the uidNumber attribute if min_uid is set */
+ if (entry_has_valid_uid(entry))
{
- strcpy(buf,values[0]);
- uid=buf;
+ /* get uid (just use first one) */
+ values=myldap_get_values(entry,attmap_passwd_uid);
+ /* check the result for presence and validity */
+ if
((values!=NULL)&&(values[0]!=NULL)&&isvalidname(values[0])&&(strlen(values[0])<buflen))
+ {
+ strcpy(buf,values[0]);
+ uid=buf;
+ }
}
/* clean up and return */
myldap_search_close(search);
@@ -258,14 +296,15 @@
MYLDAP_ENTRY *entry=NULL;
const char *base;
int i;
- static const char *attrs[2];
+ static const char *attrs[3];
char filter[1024];
/* if it isn't a valid username, just bail out now */
if (!isvalidname(uid))
return NULL;
/* set up attributes (we don't need much) */
attrs[0]=attmap_passwd_uid;
- attrs[1]=NULL;
+ attrs[1]=attmap_passwd_uidNumber;
+ attrs[2]=NULL;
/* we have to look up the entry */
mkfilter_passwd_byname(uid,filter,sizeof(filter));
for (i=0;(i<NSS_LDAP_CONFIG_MAX_BASES)&&((base=passwd_bases[i])!=NULL);i++)
@@ -274,7 +313,7 @@
if (search==NULL)
return NULL;
entry=myldap_get_entry(search,NULL);
- if (entry!=NULL)
+ if ((entry!=NULL)&&(entry_has_valid_uid(entry)))
return entry;
}
return NULL;
@@ -393,14 +432,17 @@
{
for (j=0;j<numuids;j++)
{
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_STRING(fp,usernames[i]);
- WRITE_STRING(fp,passwd);
- WRITE_TYPE(fp,uids[j],uid_t);
- WRITE_TYPE(fp,gid,gid_t);
- WRITE_STRING(fp,gecos);
- WRITE_STRING(fp,homedir);
- WRITE_STRING(fp,shell);
+ if (uids[j]>=nslcd_cfg->ldc_nss_min_uid)
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
+ WRITE_STRING(fp,usernames[i]);
+ WRITE_STRING(fp,passwd);
+ WRITE_TYPE(fp,uids[j],uid_t);
+ WRITE_TYPE(fp,gid,gid_t);
+ WRITE_STRING(fp,gecos);
+ WRITE_STRING(fp,homedir);
+ WRITE_STRING(fp,shell);
+ }
}
}
}
@@ -427,7 +469,14 @@
uid_t uid;
char filter[1024];
READ_TYPE(fp,uid,uid_t);
- log_setrequest("passwd=%d",(int)uid);,
+ log_setrequest("passwd=%d",(int)uid);
+ if (uid<nslcd_cfg->ldc_nss_min_uid)
+ {
+ /* return an empty result */
+ WRITE_INT32(fp,NSLCD_VERSION);
+ WRITE_INT32(fp,NSLCD_ACTION_PASSWD_BYUID);
+ WRITE_INT32(fp,NSLCD_RESULT_END);
+ },
NSLCD_ACTION_PASSWD_BYUID,
mkfilter_passwd_byuid(uid,filter,sizeof(filter)),
write_passwd(fp,entry,NULL,&uid,calleruid)
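Review bot: The empty-result branch for `uid<nslcd_cfg->ldc_nss_min_uid` writes NSLCD_VERSION, the action and NSLCD_RESULT_END but never leaves the handler, so unless the enclosing handler expansion (outside this hunk) stops after this section, the `mkfilter_passwd_byuid` and `write_passwd` arguments that follow still run and a second response header is written to the same stream after the empty one. Making the block end with a `return` carrying the handler's normal completion value, `WRITE_INT32(fp,NSLCD_RESULT_END); return 0;`, turns the early answer into the final one; if the handler uses a different completion value, use that instead. The per-uid comparison inside write_passwd (the hunk at `@@ -393,14 +432,17 @@`) would still filter the LDAP result, but the client would then have to parse two protocol headers. The handler definition these lines belong to starts and ends outside the hunk.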