
nss-pam-ldapd commit: r1679 - in nss-pam-ldapd: man nslcd pynslcd


nss-pam-ldapd commit: r1679 - in nss-pam-ldapd: man nslcd pynslcd



Author: arthur
Date: Fri May  4 15:36:45 2012
New Revision: 1679
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1679&view=revision

Log:
allow the pam_authz_search option to be specified multiple times

Modified:
   nss-pam-ldapd/man/nslcd.conf.5.xml
   nss-pam-ldapd/nslcd/cfg.c
   nss-pam-ldapd/nslcd/cfg.h
   nss-pam-ldapd/nslcd/pam.c
   nss-pam-ldapd/pynslcd/cfg.py

Modified: nss-pam-ldapd/man/nslcd.conf.5.xml
==============================================================================
--- nss-pam-ldapd/man/nslcd.conf.5.xml  Fri May  4 15:31:43 2012        (r1678)
+++ nss-pam-ldapd/man/nslcd.conf.5.xml  Fri May  4 15:36:45 2012        (r1679)
@@ -751,8 +751,8 @@
        
<literallayout><literal>(&amp;(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))</literal></literallayout>
       </para>
       <para>
-       The default behaviour is not to do this extra search and always
-       grant access.
+       This option may be specified multiple times and all specified searches
+       should at least return one entry for access to be granted.
       </para>
      </listitem>
     </varlistentry>

Modified: nss-pam-ldapd/nslcd/cfg.c
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.c   Fri May  4 15:31:43 2012        (r1678)
+++ nss-pam-ldapd/nslcd/cfg.c   Fri May  4 15:36:45 2012        (r1679)
@@ -126,7 +126,8 @@
   cfg->ldc_restart=1;
   cfg->ldc_pagesize=0;
   cfg->ldc_nss_initgroups_ignoreusers=NULL;
-  cfg->ldc_pam_authz_search=NULL;
+  for (i=0;i<NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES;i++)
+    cfg->ldc_pam_authz_search[i]=NULL;
   cfg->ldc_nss_min_uid=0;
   parse_validnames_statement(__FILE__,__LINE__,"",
                 "/^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i",cfg);
@@ -782,9 +783,17 @@
   const char **list;
   int i;
   check_argumentcount(filename,lnr,keyword,(line!=NULL)&&(*line!='\0'));
-  cfg->ldc_pam_authz_search=xstrdup(line);
+  /* find free spot for search filter */
+  for 
(i=0;(i<NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES)&&(cfg->ldc_pam_authz_search[i]!=NULL);i++);
+  if (i>=NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES)
+  {
+    log_log(LOG_ERR,"%s:%d: maximum number of pam_authz_search options (%d) 
exceeded",
+            filename,lnr,NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES);
+    exit(EXIT_FAILURE);
+  }
+  cfg->ldc_pam_authz_search[i]=xstrdup(line);
   /* check the variables used in the expression */
-  set=expr_vars(cfg->ldc_pam_authz_search,NULL);
+  set=expr_vars(cfg->ldc_pam_authz_search[i],NULL);
   list=set_tolist(set);
   for (i=0;list[i]!=NULL;i++)
   {
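Review bot: The free-slot scan is a `for` whose entire body is the trailing `;`, and the same `i` is then reused to walk `list` in the loop that follows, so a reader has to confirm that the slot index is no longer needed after `expr_vars(cfg->ldc_pam_authz_search[i],NULL)` before trusting the second loop. Putting the empty statement on its own line, `for (i=0;...;i++)` then `  ; /* first unused slot */`, or walking `list` with a separate index keeps the two uses apart. The `exit(EXIT_FAILURE)` on the ninth option is the right outcome for a config parser, since silently dropping an authorization filter would widen access. The signature of the parse function and the tail of the variable check are outside this hunk.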

Modified: nss-pam-ldapd/nslcd/cfg.h
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.h   Fri May  4 15:31:43 2012        (r1678)
+++ nss-pam-ldapd/nslcd/cfg.h   Fri May  4 15:36:45 2012        (r1679)
@@ -5,7 +5,7 @@
 
    Copyright (C) 1997-2005 Luke Howard
    Copyright (C) 2007 West Consulting
-   Copyright (C) 2007, 2008, 2009, 2010, 2011 Arthur de Jong
+   Copyright (C) 2007, 2008, 2009, 2010, 2011, 2012 Arthur de Jong
 
    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
@@ -40,11 +40,14 @@
 #define NOGID ((gid_t)-1)
 
 /* maximum number of URIs */
-#define NSS_LDAP_CONFIG_URI_MAX         31
+#define NSS_LDAP_CONFIG_URI_MAX 31
 
-/* maximum number of 'passwd base's */
+/* maximum number of search bases */
 #define NSS_LDAP_CONFIG_MAX_BASES 7
 
+/* maximum number of pam_authz_search options */
+#define NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES 8
+
 enum ldap_ssl_options
 {
   SSL_OFF,
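Review bot: `NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES 8` is a hard cap that makes the ninth pam_authz_search line a fatal startup error in nslcd/cfg.c, but neither the header comment nor the updated nslcd.conf(5) text tells an administrator that the limit exists. Extend the comment to `/* maximum number of pam_authz_search options; exceeding it is a fatal configuration error (keep nslcd.conf(5) in sync) */` and mention the figure in the manual page. The fixed-size array follows the convention already used for NSS_LDAP_CONFIG_MAX_BASES, so a dynamic list is not needed here.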
@@ -138,8 +141,8 @@
   int ldc_pagesize;
   /* the users for which no initgroups() searches should be done */
   SET *ldc_nss_initgroups_ignoreusers;
-  /* the search that should be performed to do autorisation checks */
-  char *ldc_pam_authz_search;
+  /* the searches that should be performed to do autorisation checks */
+  char *ldc_pam_authz_search[NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES];
   /* minimum uid for users retreived from LDAP */
   uid_t ldc_nss_min_uid;
   /* the regular expression to determine valid names */

Modified: nss-pam-ldapd/nslcd/pam.c
==============================================================================
--- nss-pam-ldapd/nslcd/pam.c   Fri May  4 15:31:43 2012        (r1678)
+++ nss-pam-ldapd/nslcd/pam.c   Fri May  4 15:36:45 2012        (r1679)
@@ -378,66 +378,80 @@
 {
   char hostname[HOST_NAME_MAX+1];
   const char *fqdn;
-  DICT *dict;
+  DICT *dict=NULL;
   char filter_buffer[4096];
   MYLDAP_SEARCH *search;
   MYLDAP_ENTRY *entry;
   static const char *attrs[2];
   int rc;
   const char *res;
-  /* check whether the search filter is configured at all */
-  if (!nslcd_cfg->ldc_pam_authz_search)
-    return LDAP_SUCCESS;
-  /* build the dictionary with variables
-     NOTE: any variables added here also need to be added to
-           cfg.c:parse_pam_authz_search_statement() */
-  dict=dict_new();
-  autzsearch_var_add(dict,"username",username);
-  autzsearch_var_add(dict,"service",servicename);
-  autzsearch_var_add(dict,"ruser",ruser);
-  autzsearch_var_add(dict,"rhost",rhost);
-  autzsearch_var_add(dict,"tty",tty);
-  if (gethostname(hostname,sizeof(hostname))==0)
-    autzsearch_var_add(dict,"hostname",hostname);
-  if ((fqdn=getfqdn())!=NULL)
-    autzsearch_var_add(dict,"fqdn",fqdn);
-  autzsearch_var_add(dict,"dn",dn);
-  autzsearch_var_add(dict,"uid",username);
-  /* build the search filter */
-  res=expr_parse(nslcd_cfg->ldc_pam_authz_search,
-                 filter_buffer,sizeof(filter_buffer),
-                 autzsearch_var_get,(void *)dict);
-  autzsearch_vars_free(dict);
-  dict_free(dict);
-  if (res==NULL)
+  int i;
+  /* go over all pam_authz_search options */
+  for 
(i=0;(i<NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES)&&(nslcd_cfg->ldc_pam_authz_search[i]!=NULL);i++)
   {
-    log_log(LOG_ERR,"invalid pam_authz_search 
\"%s\"",nslcd_cfg->ldc_pam_authz_search);
-    return LDAP_LOCAL_ERROR;
+    if (dict==NULL)
+    {
+      /* build the dictionary with variables
+         NOTE: any variables added here also need to be added to
+               cfg.c:parse_pam_authz_search_statement() */
+      dict=dict_new();
+      autzsearch_var_add(dict,"username",username);
+      autzsearch_var_add(dict,"service",servicename);
+      autzsearch_var_add(dict,"ruser",ruser);
+      autzsearch_var_add(dict,"rhost",rhost);
+      autzsearch_var_add(dict,"tty",tty);
+      if (gethostname(hostname,sizeof(hostname))==0)
+        autzsearch_var_add(dict,"hostname",hostname);
+      if ((fqdn=getfqdn())!=NULL)
+        autzsearch_var_add(dict,"fqdn",fqdn);
+      autzsearch_var_add(dict,"dn",dn);
+      autzsearch_var_add(dict,"uid",username);
+    }
+    /* build the search filter */
+    res=expr_parse(nslcd_cfg->ldc_pam_authz_search[i],
+                   filter_buffer,sizeof(filter_buffer),
+                   autzsearch_var_get,(void *)dict);
+    if (res==NULL)
+    {
+      autzsearch_vars_free(dict);
+      dict_free(dict);
+      log_log(LOG_ERR,"invalid pam_authz_search 
\"%s\"",nslcd_cfg->ldc_pam_authz_search[i]);
+      return LDAP_LOCAL_ERROR;
+    }
+    log_log(LOG_DEBUG,"trying pam_authz_search \"%s\"",filter_buffer);
+    /* perform the search */
+    attrs[0]="dn";
+    attrs[1]=NULL;
+    /* FIXME: this only searches the first base */
+    search=myldap_search(session,nslcd_cfg->ldc_bases[0],LDAP_SCOPE_SUBTREE,
+                         filter_buffer,attrs,&rc);
+    if (search==NULL)
+    {
+      autzsearch_vars_free(dict);
+      dict_free(dict);
+      log_log(LOG_ERR,"pam_authz_search \"%s\" failed: %s",
+              filter_buffer,ldap_err2string(rc));
+      return rc;
+    }
+    /* try to get an entry */
+    entry=myldap_get_entry(search,&rc);
+    if (entry==NULL)
+    {
+      autzsearch_vars_free(dict);
+      dict_free(dict);
+      log_log(LOG_ERR,"pam_authz_search \"%s\" found no 
matches",filter_buffer);
+      if (rc==LDAP_SUCCESS)
+        rc=LDAP_NO_SUCH_OBJECT;
+      return rc;
+    }
+    log_log(LOG_DEBUG,"pam_authz_search found \"%s\"",myldap_get_dn(entry));
   }
-  log_log(LOG_DEBUG,"trying pam_authz_search \"%s\"",filter_buffer);
-  /* perform the search */
-  attrs[0]="dn";
-  attrs[1]=NULL;
-  /* FIXME: this only searches the first base */
-  search=myldap_search(session,nslcd_cfg->ldc_bases[0],LDAP_SCOPE_SUBTREE,
-                       filter_buffer,attrs,&rc);
-  if (search==NULL)
+  /* we went over all pam_authz_search entries */
+  if (dict!=NULL)
   {
-    log_log(LOG_ERR,"pam_authz_search \"%s\" failed: %s",
-            filter_buffer,ldap_err2string(rc));
-    return rc;
+    autzsearch_vars_free(dict);
+    dict_free(dict);
   }
-  /* try to get an entry */
-  entry=myldap_get_entry(search,&rc);
-  if (entry==NULL)
-  {
-    log_log(LOG_ERR,"pam_authz_search \"%s\" found no matches",filter_buffer);
-    if (rc==LDAP_SUCCESS)
-      rc=LDAP_NO_SUCH_OBJECT;
-    return rc;
-  }
-  log_log(LOG_DEBUG,"pam_authz_search found \"%s\"",myldap_get_dn(entry));
-  /* we've found an entry so it's OK */
   return LDAP_SUCCESS;
 }
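Review bot: Each loop iteration opens a new search with `myldap_search()` and the handle is never released, neither after `myldap_get_dn(entry)` on the success path nor on the `entry==NULL` return, so with several options configured one authentication now holds up to NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES open searches until the session is torn down, assuming MYLDAP_SEARCH handles are not freed automatically (the single-search code had the same omission, but for one handle per call). Closing the handle at the end of each iteration with whatever release routine the myldap layer provides fixes that. The three early returns also each repeat `autzsearch_vars_free(dict); dict_free(dict);`; a single cleanup label after the loop removes the duplication and gives the close call one place to live, as sketched below. The fail-closed semantics, where the first non-matching search returns an error, match the new nslcd.conf(5) text and should be kept; the function's signature is outside this hunk.
```c
  int i;
  /* go over all pam_authz_search options */
  for (i=0;(i<NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES)&&(nslcd_cfg->ldc_pam_authz_search[i]!=NULL);i++)
  {
    /* … unchanged: lazy construction of dict … */
    res=expr_parse(nslcd_cfg->ldc_pam_authz_search[i],
                   filter_buffer,sizeof(filter_buffer),
                   autzsearch_var_get,(void *)dict);
    if (res==NULL)
    {
      log_log(LOG_ERR,"invalid pam_authz_search \"%s\"",nslcd_cfg->ldc_pam_authz_search[i]);
      rc=LDAP_LOCAL_ERROR;
      goto cleanup;
    }
    /* … unchanged: debug log, attrs setup, myldap_search() call … */
    if (search==NULL)
    {
      log_log(LOG_ERR,"pam_authz_search \"%s\" failed: %s",filter_buffer,ldap_err2string(rc));
      goto cleanup;
    }
    entry=myldap_get_entry(search,&rc);
    if (entry==NULL)
    {
      log_log(LOG_ERR,"pam_authz_search \"%s\" found no matches",filter_buffer);
      if (rc==LDAP_SUCCESS)
        rc=LDAP_NO_SUCH_OBJECT;
      goto cleanup;
    }
    log_log(LOG_DEBUG,"pam_authz_search found \"%s\"",myldap_get_dn(entry));
    /* TODO: release the search handle here before the next iteration */
  }
  rc=LDAP_SUCCESS;
cleanup:
  if (dict!=NULL)
  {
    autzsearch_vars_free(dict);
    dict_free(dict);
  }
  return rc;
```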
 

Modified: nss-pam-ldapd/pynslcd/cfg.py
==============================================================================
--- nss-pam-ldapd/pynslcd/cfg.py        Fri May  4 15:31:43 2012        (r1678)
+++ nss-pam-ldapd/pynslcd/cfg.py        Fri May  4 15:36:45 2012        (r1679)
@@ -82,7 +82,7 @@
 nss_initgroups_ignoreusers = set()
 nss_min_uid = 0
 validnames = re.compile(r'^[a-z0-9._@$][a-z0-9._@$ 
\\~-]{0,98}[a-z0-9._@$~-]$', re.IGNORECASE)
-pam_authz_search = None
+pam_authz_search = []
 
 
 # allowed boolean values
@@ -248,9 +248,8 @@
         # pam_authz_search <FILTER>
         m = re.match('pam_authz_search\s+(?P<value>\S.*)', line, re.IGNORECASE)
         if m:
-            global pam_authz_search
             from attmap import Expression
-            pam_authz_search = Expression(m.group('value'))
+            pam_authz_search.append(Expression(m.group('value')))
             # TODO: check pam_authz_search expression to only contain 
username, service, ruser, rhost, tty, hostname, fqdn, dn or uid variables
             continue
         # ssl <on|off|start_tls>
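Review bot: pynslcd now collects every pam_authz_search line into a list, but the commit touches only pynslcd/cfg.py; if the pynslcd PAM code still reads `cfg.pam_authz_search` as a single Expression (it is not visible here), it will now receive a list and either fail or evaluate no filter at all. Unlike the C parser in nslcd/cfg.c, which rejects more than NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES options with a fatal error, this branch accepts any number; either that difference is acceptable for pynslcd or the same cap should be enforced here, for example `if len(pam_authz_search) >= 8: raise ValueError('too many pam_authz_search options')` before the append, and the choice noted in a comment. The enclosing parse loop begins and ends outside this hunk.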