
nss-pam-ldapd commit: r1346 - in nss-pam-ldapd: man nslcd


nss-pam-ldapd commit: r1346 - in nss-pam-ldapd: man nslcd



Author: arthur
Date: Tue Dec 28 23:52:28 2010
New Revision: 1346
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1346

Log:
allow attribute mapping with an expression for the userPassword attribute for 
passwd, group and shadow entries and by default map it to the unmatchable 
password ("*") to avoid accidentally leaking password information

Modified:
   nss-pam-ldapd/man/nslcd.conf.5.xml
   nss-pam-ldapd/nslcd/attmap.c
   nss-pam-ldapd/nslcd/common.c
   nss-pam-ldapd/nslcd/common.h
   nss-pam-ldapd/nslcd/group.c
   nss-pam-ldapd/nslcd/passwd.c
   nss-pam-ldapd/nslcd/shadow.c

Modified: nss-pam-ldapd/man/nslcd.conf.5.xml
==============================================================================
--- nss-pam-ldapd/man/nslcd.conf.5.xml  Sun Dec 26 18:09:47 2010        (r1345)
+++ nss-pam-ldapd/man/nslcd.conf.5.xml  Tue Dec 28 23:52:28 2010        (r1346)
@@ -399,17 +399,25 @@
        See the section on attribute mapping expressions below for more details.
       </para>
       <para>
-       Only some attributes for passwd and shadow entries may be mapped with
-       an expression (because other attributes may be used in search
+       Only some attributes for group, passwd and shadow entries may be mapped
+       with an expression (because other attributes may be used in search
        filters).
+       For group entries only the <literal>userPassword</literal> attribute
+       may be mapped with an expression.
        For passwd entries the following attributes may be mapped with an
-       expression: <literal>gidNumber</literal>, <literal>gecos</literal>,
-       <literal>homeDirectory</literal> and <literal>loginShell</literal>.
+       expression: <literal>userPassword</literal>, 
<literal>gidNumber</literal>,
+       <literal>gecos</literal>, <literal>homeDirectory</literal> and
+       <literal>loginShell</literal>.
        For shadow entries the following attributes may be mapped with an
-       expression: <literal>shadowLastChange</literal>, 
<literal>shadowMin</literal>,
-       <literal>shadowMax</literal>, <literal>shadowWarning</literal>,
-       <literal>shadowInactive</literal>, <literal>shadowExpire</literal> and
-       <literal>shadowFlag</literal>.
+       expression: <literal>userPassword</literal>, 
<literal>shadowLastChange</literal>,
+       <literal>shadowMin</literal>, <literal>shadowMax</literal>,
+       <literal>shadowWarning</literal>, <literal>shadowInactive</literal>,
+       <literal>shadowExpire</literal> and <literal>shadowFlag</literal>.
+      </para>
+      <para>
+       By default all <literal>userPassword</literal> attributes are mapped
+       to the unmatchable password ("*") to avoid accidentally leaking
+       password information.
       </para>
      </listitem>
     </varlistentry>

Modified: nss-pam-ldapd/nslcd/attmap.c
==============================================================================
--- nss-pam-ldapd/nslcd/attmap.c        Sun Dec 26 18:09:47 2010        (r1345)
+++ nss-pam-ldapd/nslcd/attmap.c        Tue Dec 28 23:52:28 2010        (r1346)
@@ -213,10 +213,13 @@
     /* these attributes may contain an expression
        (note that this needs to match the functionality in the specific
        lookup module) */
-    if ( (var!=&attmap_passwd_gidNumber) &&
+    if ( (var!=&attmap_group_userPassword) &&
+         (var!=&attmap_passwd_userPassword) &&
+         (var!=&attmap_passwd_gidNumber) &&
          (var!=&attmap_passwd_gecos) &&
          (var!=&attmap_passwd_homeDirectory) &&
          (var!=&attmap_passwd_loginShell) &&
+         (var!=&attmap_shadow_userPassword) &&
          (var!=&attmap_shadow_shadowLastChange) &&
          (var!=&attmap_shadow_shadowMin) &&
          (var!=&attmap_shadow_shadowMax) &&
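Review bot: The comment above the extended comparison chain says the list "needs to match the functionality in the specific lookup module" but does not say what that functionality is, and with three more variables added the rule is easy to get wrong. I would make the requirement explicit: `/* a variable may only be listed here if every lookup module reads it through attmap_get_value() (directly or via get_userpassword()) instead of passing it to myldap_get_values() as a plain attribute name */`. The group.c, passwd.c and shadow.c hunks in this commit are the callers that now satisfy that rule for userPassword. The enclosing function and the remainder of the condition continue outside the hunk.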

Modified: nss-pam-ldapd/nslcd/common.c
==============================================================================
--- nss-pam-ldapd/nslcd/common.c        Sun Dec 26 18:09:47 2010        (r1345)
+++ nss-pam-ldapd/nslcd/common.c        Tue Dec 28 23:52:28 2010        (r1346)
@@ -35,6 +35,7 @@
 #include "nslcd.h"
 #include "common.h"
 #include "log.h"
+#include "attmap.h"
 
 /* simple wrapper around snptintf() to return non-0 in case
    of any failure (but always keep string 0-terminated) */
@@ -51,25 +52,21 @@
   return ((res<0)||(((size_t)res)>=buflen));
 }
 
-const char *get_userpassword(MYLDAP_ENTRY *entry,const char *attr)
+const char *get_userpassword(MYLDAP_ENTRY *entry,const char *attr,char 
*buffer,size_t buflen)
 {
-  const char **values;
-  int i;
-  /* get the entries */
-  values=myldap_get_values(entry,attr);
-  if ((values==NULL)||(values[0]==NULL))
+  const char *tmpvalue;
+  /* get the value */
+  tmpvalue=attmap_get_value(entry,attr,buffer,buflen);
+  if (tmpvalue==NULL)
     return NULL;
   /* go over the entries and return the remainder of the value if it
      starts with {crypt} or crypt$ */
-  for (i=0;values[i]!=NULL;i++)
-  {
-    if (strncasecmp(values[i],"{crypt}",7)==0)
-      return values[i]+7;
-    if (strncasecmp(values[i],"crypt$",6)==0)
-      return values[i]+6;
-  }
+  if (strncasecmp(tmpvalue,"{crypt}",7)==0)
+    return tmpvalue+7;
+  if (strncasecmp(tmpvalue,"crypt$",6)==0)
+    return tmpvalue+6;
   /* just return the first value completely */
-  return values[0];
+  return tmpvalue;
   /* TODO: support more password formats e.g. SMD5
     (which is $1$ but in a different format)
     (any code for this is more than welcome) */
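Review bot: An expression that evaluates to an empty string is passed through as a valid password: only `tmpvalue==NULL` is rejected on the line after the `attmap_get_value()` call, and every caller in this commit substitutes its unmatchable default only when the result is NULL, so an empty mapped value would be written out as an empty password field. Whether `attmap_get_value()` can return "" for a missing attribute or an empty mapping is not visible here, but treating empty as absent costs one condition, `if ((tmpvalue==NULL)||(tmpvalue[0]=='\0'))`, and keeps the default "*" as the fallback in that case. The returned pointer presumably refers into the caller-supplied `buffer` when the value came from an expression, which is worth a comment on the final `return tmpvalue;` since the old code returned a pointer owned by the entry.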

Modified: nss-pam-ldapd/nslcd/common.h
==============================================================================
--- nss-pam-ldapd/nslcd/common.h        Sun Dec 26 18:09:47 2010        (r1345)
+++ nss-pam-ldapd/nslcd/common.h        Tue Dec 28 23:52:28 2010        (r1346)
@@ -59,7 +59,8 @@
    /etc/group or /etc/shadow depending upon what is in the directory.
    This function will return NULL if no passwd is found and will return the
    literal value in the directory if conversion is not possible. */
-const char *get_userpassword(MYLDAP_ENTRY *entry,const char *attr);
+const char *get_userpassword(MYLDAP_ENTRY *entry,const char *attr,
+                             char *buffer,size_t buflen);
 
 /* write out an address, parsing the addr value */
 int write_address(TFILE *fp,const char *addr);
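Review bot: The comment above the changed prototype still describes only the old two-argument contract; the new `buffer`/`buflen` parameters and the lifetime of the returned pointer are not documented. I would append a sentence stating that `buffer` and `buflen` provide caller-owned storage used while evaluating an attribute-mapping expression for `attr`, and that the returned pointer may refer into `buffer` (or into the entry) and is therefore only valid while both remain alive. The latter is inferred from the signature rather than visible in this hunk, so phrase it as the rule callers must follow.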

Modified: nss-pam-ldapd/nslcd/group.c
==============================================================================
--- nss-pam-ldapd/nslcd/group.c Sun Dec 26 18:09:47 2010        (r1345)
+++ nss-pam-ldapd/nslcd/group.c Tue Dec 28 23:52:28 2010        (r1346)
@@ -61,7 +61,7 @@
 
 /* the attributes to request with searches */
 const char *attmap_group_cn            = "cn";
-const char *attmap_group_userPassword  = "userPassword";
+const char *attmap_group_userPassword  = "\"*\"";
 const char *attmap_group_gidNumber     = "gidNumber";
 const char *attmap_group_memberUid     = "memberUid";
 const char *attmap_group_uniqueMember  = "uniqueMember";
@@ -70,7 +70,7 @@
 static const char *default_group_userPassword     = "*"; /* unmatchable */
 
 /* the attribute list to request with searches */
-static const char *group_attrs[6];
+static const char **group_attrs=NULL;
 
 /* create a search filter for searching a group entry
    by name, return -1 on errors */
@@ -131,6 +131,7 @@
 void group_init(void)
 {
   int i;
+  SET *set;
   /* set up search bases */
   if (group_bases[0]==NULL)
     for (i=0;i<NSS_LDAP_CONFIG_MAX_BASES;i++)
@@ -139,12 +140,14 @@
   if (group_scope==LDAP_SCOPE_DEFAULT)
     group_scope=nslcd_cfg->ldc_scope;
   /* set up attribute list */
-  group_attrs[0]=attmap_group_cn;
-  group_attrs[1]=attmap_group_userPassword;
-  group_attrs[2]=attmap_group_memberUid;
-  group_attrs[3]=attmap_group_gidNumber;
-  group_attrs[4]=attmap_group_uniqueMember;
-  group_attrs[5]=NULL;
+  set=set_new();
+  attmap_add_attributes(set,attmap_group_cn);
+  attmap_add_attributes(set,attmap_group_userPassword);
+  attmap_add_attributes(set,attmap_group_memberUid);
+  attmap_add_attributes(set,attmap_group_gidNumber);
+  attmap_add_attributes(set,attmap_group_uniqueMember);
+  group_attrs=set_tolist(set);
+  set_free(set);
 }
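Review bot: Neither `set_new()` nor `set_tolist()` has its return value checked in the rewritten attribute-list setup, and `group_attrs` now starts out as NULL instead of a fixed array. If either call can fail on allocation (their contracts are not visible here), `attmap_add_attributes()` is handed a NULL set or `group_attrs` stays NULL, and the later searches that use it would run with no attribute list. Since the daemon cannot function without this list, group_init() should check `set` and `group_attrs` for NULL and treat a failure as fatal at startup rather than let it surface in a lookup. A short comment noting that the list returned by `set_tolist()` is intentionally kept for the process lifetime would also explain why it is never freed.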
 
 static int do_write_group(
@@ -223,6 +226,7 @@
   gid_t gids[MAXGIDS_PER_ENTRY];
   int numgids;
   char *tmp;
+  char passbuffer[80];
   int rc;
   /* get group name (cn) */
   names=myldap_get_values(entry,attmap_group_cn);
@@ -259,7 +263,7 @@
     }
   }
   /* get group passwd (userPassword) (use only first entry) */
-  passwd=get_userpassword(entry,attmap_group_userPassword);
+  
passwd=get_userpassword(entry,attmap_group_userPassword,passbuffer,sizeof(passbuffer));
   if (passwd==NULL)
     passwd=default_group_userPassword;
   /* get group memebers (memberUid&uniqueMember) */
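Review bot: The new `passbuffer[80]` (declared in the previous hunk at the `char passbuffer[80];` line) is too small for common password hashes: a SHA-512 crypt string (`$6$` plus salt and 86 hash characters, roughly 106 bytes) does not fit. What happens then depends on how `attmap_get_value()` handles a value larger than `buflen`, which is not visible here: either the hash is silently truncated and the account can never authenticate, or the value is rejected and replaced with the unmatchable default. The same 80-byte buffer is declared in the passwd.c and shadow.c hunks of this commit; I would size all three from one named constant large enough for current crypt formats (for example `char passbuffer[256];`) and document the truncation behaviour at the declaration. do_write_group() starts and ends outside the hunk.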

Modified: nss-pam-ldapd/nslcd/passwd.c
==============================================================================
--- nss-pam-ldapd/nslcd/passwd.c        Sun Dec 26 18:09:47 2010        (r1345)
+++ nss-pam-ldapd/nslcd/passwd.c        Tue Dec 28 23:52:28 2010        (r1346)
@@ -56,7 +56,7 @@
 
 /* the attributes used in searches */
 const char *attmap_passwd_uid           = "uid";
-const char *attmap_passwd_userPassword  = "userPassword";
+const char *attmap_passwd_userPassword  = "\"*\"";
 const char *attmap_passwd_uidNumber     = "uidNumber";
 const char *attmap_passwd_gidNumber     = "gidNumber";
 const char *attmap_passwd_gecos         = "\"${gecos:-$cn}\"";
@@ -348,6 +348,7 @@
   char gecos[100];
   char homedir[100];
   char shell[100];
+  char passbuffer[80];
   int i,j;
   /* get the usernames for this entry */
   usernames=myldap_get_values(entry,attmap_passwd_uid);
@@ -365,7 +366,7 @@
   }
   else
   {
-    passwd=get_userpassword(entry,attmap_passwd_userPassword);
+    
passwd=get_userpassword(entry,attmap_passwd_userPassword,passbuffer,sizeof(passbuffer));
     if ((passwd==NULL)||(calleruid!=0))
       passwd=default_passwd_userPassword;
   }

Modified: nss-pam-ldapd/nslcd/shadow.c
==============================================================================
--- nss-pam-ldapd/nslcd/shadow.c        Sun Dec 26 18:09:47 2010        (r1345)
+++ nss-pam-ldapd/nslcd/shadow.c        Tue Dec 28 23:52:28 2010        (r1346)
@@ -55,7 +55,7 @@
 
 /* the attributes to request with searches */
 const char *attmap_shadow_uid              = "uid";
-const char *attmap_shadow_userPassword     = "userPassword";
+const char *attmap_shadow_userPassword     = "\"*\"";
 const char *attmap_shadow_shadowLastChange = "\"${shadowLastChange:--1}\"";
 const char *attmap_shadow_shadowMin        = "\"${shadowMin:--1}\"";
 const char *attmap_shadow_shadowMax        = "\"${shadowMax:--1}\"";
@@ -251,6 +251,7 @@
   unsigned long flag;
   int i;
   char buffer[80];
+  char passbuffer[80];
   /* get username */
   usernames=myldap_get_values(entry,attmap_shadow_uid);
   if ((usernames==NULL)||(usernames[0]==NULL))
@@ -260,7 +261,7 @@
     return 0;
   }
   /* get password */
-  passwd=get_userpassword(entry,attmap_shadow_userPassword);
+  
passwd=get_userpassword(entry,attmap_shadow_userPassword,passbuffer,sizeof(passbuffer));
   if (passwd==NULL)
     passwd=default_shadow_userPassword;
   /* get lastchange date */