nss-pam-ldapd commit: r1487 - in nss-pam-ldapd: nslcd tests
nss-pam-ldapd commit: r1487 - in nss-pam-ldapd: nslcd tests
- From: Commits of the nss-pam-ldapd project <nss-pam-ldapd-commits [at] lists.arthurdejong.org>
- To: nss-pam-ldapd-commits [at] lists.arthurdejong.org
- Reply-to: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: nss-pam-ldapd commit: r1487 - in nss-pam-ldapd: nslcd tests
- Date: Fri, 5 Aug 2011 23:28:25 +0200 (CEST)
Author: arthur
Date: Fri Aug 5 23:28:23 2011
New Revision: 1487
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1487
Log:
check whether the NSS shadow map queries LDAP before returning x as the password
hash for shadow users
Added:
nss-pam-ldapd/nslcd/nsswitch.c
Modified:
nss-pam-ldapd/nslcd/Makefile.am
nss-pam-ldapd/nslcd/common.h
nss-pam-ldapd/nslcd/passwd.c
nss-pam-ldapd/tests/Makefile.am
Modified: nss-pam-ldapd/nslcd/Makefile.am
==============================================================================
--- nss-pam-ldapd/nslcd/Makefile.am Fri Aug 5 22:58:10 2011 (r1486)
+++ nss-pam-ldapd/nslcd/Makefile.am Fri Aug 5 23:28:23 2011 (r1487)
@@ -1,7 +1,7 @@
# Makefile.am - use automake to generate Makefile.in
#
# Copyright (C) 2006, 2007 West Consulting
-# Copyright (C) 2006, 2007, 2008, 2009 Arthur de Jong
+# Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Arthur de Jong
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@@ -30,6 +30,7 @@
myldap.c myldap.h \
cfg.c cfg.h \
attmap.c attmap.h \
+ nsswitch.c \
alias.c ether.c group.c host.c netgroup.c network.c \
passwd.c protocol.c rpc.c service.c shadow.c pam.c
nslcd_LDADD = @nslcd_LIBS@ @PTHREAD_LIBS@ ../common/libtio.a
../common/libdict.a \
Modified: nss-pam-ldapd/nslcd/common.h
==============================================================================
--- nss-pam-ldapd/nslcd/common.h Fri Aug 5 22:58:10 2011 (r1486)
+++ nss-pam-ldapd/nslcd/common.h Fri Aug 5 23:28:23 2011 (r1487)
@@ -120,6 +120,10 @@
long *mindays,long *maxdays,long *warndays,
long *inactdays,long *expiredate,unsigned long
*flag);
+
+/* check whether the nsswitch.conf file has LDAP as a naming source for db */
+int nsswitch_db_uses_ldap(const char *filename,const char *db);
+
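Review bot: The comment on the new prototype does not say what the function returns or how an unreadable file is reported; in the implementation a failed fopen() is logged and reported as 0, indistinguishable from "ldap is not listed", which callers need to know before they base a security decision on it. Suggest `/* returns 1 if db lists ldap as a source in filename, 0 otherwise; an unreadable file is logged and also yields 0 */`.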
/* fallback definition of HOST_NAME_MAX */
#ifndef HOST_NAME_MAX
#ifdef _POSIX_HOST_NAME_MAX
Added: nss-pam-ldapd/nslcd/nsswitch.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ nss-pam-ldapd/nslcd/nsswitch.c Fri Aug 5 23:28:23 2011 (r1487)
@@ -0,0 +1,116 @@
+/*
+ nsswitch.c - functions for parsing /etc/nsswitch.conf
+
+ Copyright (C) 2011 Arthur de Jong
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ 02110-1301 USA
+*/
+
+#include "config.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <ctype.h>
+#include <errno.h>
+
+#include "log.h"
+
+/* the maximum line length supported of nsswitch.conf */
+#define MAX_LINE_LENGTH 4096
+
+
+/* TODO: store mtime of file and use it to check reparse */
+/* TODO: cache entries for x minutes */
+
+/* see if the line is a service definition for db and return a pointer to
+ the beginning of the services list if it is */
+static const char *find_db(const char *line,const char *db)
+{
+ int i;
+ i=strlen(db);
+ /* the line should begin with the db we're looking for */
+ if (strncmp(line,db,i)!=0)
+ return NULL;
+ /* followed by a : */
+ while (isspace(line[i])) i++;
+ if (line[i]!=':')
+ return NULL;
+ i++;
+ while (isspace(line[i])) i++;
+ return line+i;
+}
+
+/* check to see if the list of services contains the specified service */
+static int has_service(const char *services,const char *service,
+ const char *filename,int lnr)
+{
+ int i=0,l;
+ if (services==NULL)
+ return 0;
+ l=strlen(service);
+ while (services[i]!='\0')
+ {
+ /* skip spaces */
+ while (isspace(services[i])) i++;
+ /* check if this is the service */
+ if ((strncmp(services+i,service,l)==0)&&(!isalnum(services[i+l])))
+ return 1;
+ /* skip service name and spaces */
+ i++;
+ while (isalnum(services[i])) i++;
+ while (isspace(services[i])) i++;
+ /* skip action mappings */
+ if (services[i]=='[')
+ {
+ i++; /* skip [ */
+ while ((services[i]!=']')&&(services[i]!='\0')) i++;
+ if (services[i]!=']')
+ {
+ log_log(LOG_WARNING,"%s: error parsing line %d",filename,lnr);
+ return 0; /* parse error */
+ }
+ i++; /* skip ] */
+ }
+ }
+ return 0;
+}
+
+int nsswitch_db_uses_ldap(const char *filename,const char *db)
+{
+ FILE *fp;
+ int lnr=0;
+ char linebuf[MAX_LINE_LENGTH];
+ const char *services;
+ /* open config file */
+ if ((fp=fopen(filename,"r"))==NULL)
+ {
+ log_log(LOG_ERR,"cannot open %s: %s",filename,strerror(errno));
+ return 0;
+ }
+ /* read file and parse lines */
+ while (fgets(linebuf,sizeof(linebuf),fp)!=NULL)
+ {
+ lnr++;
+ services=find_db(linebuf,db);
+ if ((services!=NULL)&&has_service(services,"ldap",filename,lnr))
+ {
+ fclose(fp);
+ return 1;
+ }
+ }
+ fclose(fp);
+ return 0;
+}
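Review bot: has_service() treats text after a `#` as part of the service list, so a line such as `shadow: files # ldap disabled` is reported as using ldap: the scan skips the `#` token as if it were a one-character service name and then matches `ldap` inside the comment. Cutting the line at the comment marker before parsing fixes this: after fgets() in nsswitch_db_uses_ldap(), `{ char *c=strchr(linebuf,'#'); if (c!=NULL) *c='\0'; }`. The isspace()/isalnum() calls in find_db() and has_service() pass a plain `char`, which is undefined for negative values where char is signed; cast first, e.g. `isspace((unsigned char)line[i])`. A line longer than MAX_LINE_LENGTH is returned by fgets() in pieces and the tail is then parsed as a fresh line; that is unlikely for nsswitch.conf but deserves a comment next to the define.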
Modified: nss-pam-ldapd/nslcd/passwd.c
==============================================================================
--- nss-pam-ldapd/nslcd/passwd.c Fri Aug 5 22:58:10 2011 (r1486)
+++ nss-pam-ldapd/nslcd/passwd.c Fri Aug 5 23:28:23 2011 (r1487)
@@ -377,6 +377,17 @@
return myldap_cpy_dn(entry,buf,buflen);
}
+#define CACHED_UNKNOWN 22
+static int cached_shadow_uses_ldap=CACHED_UNKNOWN;
+
+/* check whether shadow lookups are configured to use ldap */
+static int shadow_uses_ldap(void)
+{
+ if (cached_shadow_uses_ldap==CACHED_UNKNOWN)
+
cached_shadow_uses_ldap=nsswitch_db_uses_ldap("/etc/nsswitch.conf","shadow");
+ return cached_shadow_uses_ldap;
+}
+
/* the maximum number of uidNumber attributes per entry */
#define MAXUIDS_PER_ENTRY 5
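Review bot: shadow_uses_ldap() caches its answer in a static int for the life of the daemon, so editing /etc/nsswitch.conf after start does not change which passwd entries get `x` until nslcd is restarted; that is worth stating in the comment (the mtime TODOs in nsswitch.c suggest it is known). The cache is read and written without a lock while nslcd links against pthreads (see the Makefile hunk), so concurrent first calls may each parse the file; the store is an idempotent int, so this is presumably benign, but say so. `CACHED_UNKNOWN 22` is an unexplained magic value; `-1` with `/* not yet looked up */` reads better. Suggest `/* cached result of the nsswitch.conf lookup; filled on first use and never refreshed (restart nslcd after editing nsswitch.conf) */`.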
@@ -405,10 +416,10 @@
myldap_get_dn(entry),attmap_passwd_uid);
return 0;
}
- /* get the password for this entry */
- if (myldap_has_objectclass(entry,"shadowAccount"))
+ /* if we are using shadow maps and this entry looks like it would return
+ shadow information, make the passwd entry indicate it */
+ if (myldap_has_objectclass(entry,"shadowAccount")&&shadow_uses_ldap())
{
- /* if the entry has a shadowAccount entry, point to that instead */
passwd="x";
}
else
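Review bot: When nsswitch.conf cannot be opened, nsswitch_db_uses_ldap() returns 0 (the fopen() failure path in nsswitch.c), so shadow_uses_ldap() is false and a shadowAccount entry now takes the else branch below instead of getting `x`; that branch lies outside this hunk, but if it fills passwd from the entry's password attribute as the removed comment implies, a read error on nsswitch.conf fails open and returns through the passwd map what was previously only available through the shadow map. Treating a lookup failure as "uses ldap" keeps the pre-commit behaviour in the error case: have nsswitch_db_uses_ldap() return -1 on fopen() failure and map that to 1 in shadow_uses_ldap() with `/* on error be conservative: keep the hash in the shadow map only */`. The enclosing function starts and ends outside the hunk.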
Modified: nss-pam-ldapd/tests/Makefile.am
==============================================================================
--- nss-pam-ldapd/tests/Makefile.am Fri Aug 5 22:58:10 2011 (r1486)
+++ nss-pam-ldapd/tests/Makefile.am Fri Aug 5 23:28:23 2011 (r1487)
@@ -55,7 +55,7 @@
# common objects that are included for the tests of nslcd functionality
common_nslcd_LDADD = ../nslcd/log.o ../nslcd/common.o \
- ../nslcd/myldap.o ../nslcd/attmap.o \
+ ../nslcd/myldap.o ../nslcd/attmap.o ../nslcd/nsswitch.o \
../nslcd/alias.o ../nslcd/ether.o ../nslcd/group.o \
../nslcd/host.o ../nslcd/netgroup.o ../nslcd/network.o \
../nslcd/passwd.o ../nslcd/protocol.o ../nslcd/rpc.o \