
nss-pam-ldapd commit: r1733 - in nss-pam-ldapd: man nslcd pynslcd


nss-pam-ldapd commit: r1733 - in nss-pam-ldapd: man nslcd pynslcd



Author: arthur
Date: Tue Aug 14 21:34:41 2012
New Revision: 1733
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1733&view=revision

Log:
introduce a sasl_canonicalize option that will now, by default, disable reverse 
host name lookups in OpenLDAP

Modified:
   nss-pam-ldapd/man/nslcd.conf.5.xml
   nss-pam-ldapd/nslcd/cfg.c
   nss-pam-ldapd/nslcd/cfg.h
   nss-pam-ldapd/nslcd/myldap.c
   nss-pam-ldapd/pynslcd/cfg.py
   nss-pam-ldapd/pynslcd/pynslcd.py

Modified: nss-pam-ldapd/man/nslcd.conf.5.xml
==============================================================================
--- nss-pam-ldapd/man/nslcd.conf.5.xml  Mon Aug  6 20:24:17 2012        (r1732)
+++ nss-pam-ldapd/man/nslcd.conf.5.xml  Tue Aug 14 21:34:41 2012        (r1733)
@@ -282,6 +282,18 @@
      </listitem>
     </varlistentry>
 
+    <varlistentry id="sasl_canonicalize">
+     <term><option>sasl_canonicalize</option> yes|no</term>
+     <listitem>
+      <para>
+       Determines whether the <acronym>LDAP</acronym> server host name should
+       be canonicalised. If this is set to yes the <acronym>LDAP</acronym>
+       library will do a reverse host name lookup.
+       By default <command>nslcd</command> disables this extra lookup.
+      </para>
+     </listitem>
+    </varlistentry>
+
    </variablelist>
   </refsect2>
 

Modified: nss-pam-ldapd/nslcd/cfg.c
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.c   Mon Aug  6 20:24:17 2012        (r1732)
+++ nss-pam-ldapd/nslcd/cfg.c   Tue Aug 14 21:34:41 2012        (r1733)
@@ -111,6 +111,7 @@
   cfg->ldc_sasl_authcid=NULL;
   cfg->ldc_sasl_authzid=NULL;
   cfg->ldc_sasl_secprops=NULL;
+  cfg->ldc_sasl_canonicalize=0;
   for (i=0;i<NSS_LDAP_CONFIG_MAX_BASES;i++)
     cfg->ldc_bases[i]=NULL;
   cfg->ldc_scope=LDAP_SCOPE_SUBTREE;
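Review bot: `cfg->ldc_sasl_canonicalize=0;` is assigned unconditionally here, while the cfg.h hunk in this commit declares `ldc_sasl_canonicalize` only inside `#ifdef LDAP_OPT_X_SASL_NOCANON` (and the parser hunk later in this file guards its use the same way), so a build against an LDAP library that does not define that macro fails to compile on this line. Wrap the default in the same guard: `#ifdef LDAP_OPT_X_SASL_NOCANON` / `  cfg->ldc_sasl_canonicalize=0; /* default: no reverse host name lookup */` / `#endif /* LDAP_OPT_X_SASL_NOCANON */`. The same guard mismatch is the point to check in the cfg.h hunk. The enclosing function starts and ends outside the hunk.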
@@ -990,6 +991,22 @@
       get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_secprops);
       get_eol(filename,lnr,keyword,&line);
     }
+#ifdef LDAP_OPT_X_SASL_NOCANON
+    else if ( (strcasecmp(keyword,"sasl_canonicalize")==0) ||
+              (strcasecmp(keyword,"sasl_canonicalise")==0) ||
+              (strcasecmp(keyword,"ldap_sasl_canonicalize")==0) ||
+              (strcasecmp(keyword,"sasl_canon")==0) )
+    {
+      get_boolean(filename,lnr,keyword,&line,&cfg->ldc_sasl_canonicalize);
+      get_eol(filename,lnr,keyword,&line);
+    }
+    else if (strcasecmp(keyword,"sasl_nocanon")==0)
+    {
+      get_boolean(filename,lnr,keyword,&line,&cfg->ldc_sasl_canonicalize);
+      cfg->ldc_sasl_canonicalize=!cfg->ldc_sasl_canonicalize;
+      get_eol(filename,lnr,keyword,&line);
+    }
+#endif /* LDAP_OPT_X_SASL_NOCANON */
     /* Kerberos authentication options */
     else if (strcasecmp(keyword,"krb5_ccname")==0)
     {
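Review bot: The added branches accept five spellings (`sasl_canonicalize`, `sasl_canonicalise`, `ldap_sasl_canonicalize`, `sasl_canon` and the inverted `sasl_nocanon`), but the man page hunk in this commit documents only `sasl_canonicalize`; either document the aliases there or mark them in the code so a reader knows which is canonical, e.g. `/* sasl_nocanon is the OpenLDAP spelling; note the inverted sense */` above the second `else if`. For `sasl_nocanon`, negating the value after `get_boolean` means the field is briefly written with the opposite meaning; that is harmless here as long as `get_boolean` leaves the variable untouched on a parse error, which I cannot confirm from the hunk. The enclosing function starts and ends outside the hunk.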

Modified: nss-pam-ldapd/nslcd/cfg.h
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.h   Mon Aug  6 20:24:17 2012        (r1732)
+++ nss-pam-ldapd/nslcd/cfg.h   Tue Aug 14 21:34:41 2012        (r1733)
@@ -115,6 +115,10 @@
   char *ldc_sasl_authzid;
   /* sasl security */
   char *ldc_sasl_secprops;
+#ifdef LDAP_OPT_X_SASL_NOCANON
+  /* whether host name should be canonicalised */
+  int ldc_sasl_canonicalize;
+#endif /* LDAP_OPT_X_SASL_NOCANON */
   /* base DN, eg. dc=gnu,dc=org */
   const char *ldc_bases[NSS_LDAP_CONFIG_MAX_BASES];
   /* scope for searches */
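Review bot: The comment on the new field does not say which value is the default or what the field controls at the library level, and since the field exists only under `#ifdef LDAP_OPT_X_SASL_NOCANON` every other use of it must carry the same guard (the default assignment in the cfg.c hunk currently does not). A fuller comment would be `/* whether the LDAP library should reverse-resolve (canonicalise) the server host name; 0 (default) sets LDAP_OPT_X_SASL_NOCANON on */`. The enclosing struct starts and ends outside the hunk.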

Modified: nss-pam-ldapd/nslcd/myldap.c
==============================================================================
--- nss-pam-ldapd/nslcd/myldap.c        Mon Aug  6 20:24:17 2012        (r1732)
+++ nss-pam-ldapd/nslcd/myldap.c        Tue Aug 14 21:34:41 2012        (r1733)
@@ -639,6 +639,10 @@
     LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS,&i);
   }
 #endif /* LDAP_OPT_X_TLS */
+#ifdef LDAP_OPT_X_SASL_NOCANON
+  
log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_SASL_NOCANON,%s)",nslcd_cfg->ldc_sasl_canonicalize?"LDAP_OPT_OFF":"LDAP_OPT_ON");
+  
LDAP_SET_OPTION(session->ld,LDAP_OPT_X_SASL_NOCANON,nslcd_cfg->ldc_sasl_canonicalize?LDAP_OPT_OFF:LDAP_OPT_ON);
+#endif /* LDAP_OPT_X_SASL_NOCANON */
   /* if nothing above failed, everything should be fine */
   return LDAP_SUCCESS;
 }
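Review bot: The two added statements appear broken across lines in this rendering (`+  ` followed by `log_log(...)` / `LDAP_SET_OPTION(...)` on the next line), so it is worth confirming that the committed file has them on single lines. The option is applied without a comment on why the default turns canonicalisation off; the man page hunk says only that it skips a reverse host name lookup, so a short why-comment would help the next reader, e.g. `/* by default do not let the library reverse-resolve the server name; the result of that lookup is not under our control */` (the second clause is my reading of the rationale, not stated by the commit). The enclosing function starts outside the hunk and ends at the closing brace shown.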

Modified: nss-pam-ldapd/pynslcd/cfg.py
==============================================================================
--- nss-pam-ldapd/pynslcd/cfg.py        Mon Aug  6 20:24:17 2012        (r1732)
+++ nss-pam-ldapd/pynslcd/cfg.py        Tue Aug 14 21:34:41 2012        (r1733)
@@ -52,6 +52,7 @@
 sasl_authcid = None
 sasl_authzid = None
 sasl_secprops = None
+sasl_canonicalize = False
 
 # LDAP bases to search
 bases = []
@@ -266,6 +267,16 @@
             global ssl
             ssl = _ssl_options[m.group('value').lower()]
             continue
+        # sasl_canonicalize yes|no
+        m = 
re.match('(ldap_?)?sasl_(?P<no>no)?canon(icali[sz]e)?\s+(?P<value>%s)' %
+                         '|'.join(_boolean_options.keys()),
+                     line, re.IGNORECASE)
+        if m:
+            global sasl_canonicalize
+            sasl_canonicalize = _boolean_options[m.group('value').lower()]
+            if m.group('no'):
+                sasl_canonicalize = not sasl_canonicalize
+            continue
         # tls_reqcert <demand|hard|yes...>
         m = re.match('tls_reqcert\s+(?P<value>%s)' %
                          '|'.join(_tls_reqcert_options.keys()),
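Review bot: The added `re.match` pattern is anchored only at the start of the line, so a recognised value followed by extra text (constructed example: `sasl_canonicalize yesterday`) is accepted and read as `yes`. Appending `\s*$` after the `(?P<value>...)` group rejects such lines; the neighbouring `tls_reqcert` pattern at the end of the hunk is written the same way, so if this is the file's convention the fix belongs to all option patterns together rather than this one alone. The accepted spellings also differ slightly from nslcd's cfg.c in this commit (this pattern additionally takes forms such as `sasl_nocanonicalize` and `ldap_sasl_nocanon`), which is harmless but deserves a comment like `# the "no" spelling (sasl_nocanon) has the inverted meaning`. The enclosing function starts and ends outside the hunk.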

Modified: nss-pam-ldapd/pynslcd/pynslcd.py
==============================================================================
--- nss-pam-ldapd/pynslcd/pynslcd.py    Mon Aug  6 20:24:17 2012        (r1732)
+++ nss-pam-ldapd/pynslcd/pynslcd.py    Tue Aug 14 21:34:41 2012        (r1733)
@@ -248,6 +248,7 @@
         session.set_option(ldap.OPT_NETWORK_TIMEOUT, cfg.timelimit)
     if cfg.referrals:
         session.set_option(ldap.OPT_REFERRALS, cfg.referrals)
+    session.set_option(ldap.OPT_X_SASL_NOCANON, not cfg.sasl_canonicalize)
     session.set_option(ldap.OPT_RESTART, True)
     # TODO: register a connection callback (like dis?connect_cb() in myldap.c)
     if cfg.ssl or cfg.uri.startswith('ldaps://'):
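Review bot: `session.set_option(ldap.OPT_X_SASL_NOCANON, not cfg.sasl_canonicalize)` is called unconditionally, whereas the nslcd side of this commit (myldap.c) sets the option only inside `#ifdef LDAP_OPT_X_SASL_NOCANON`; with a python-ldap built against an LDAP library lacking that option, the attribute lookup presumably raises AttributeError and connection setup fails. Mirroring the C guard keeps the two daemons consistent: `if hasattr(ldap, 'OPT_X_SASL_NOCANON'):` followed by the indented `session.set_option(ldap.OPT_X_SASL_NOCANON, not cfg.sasl_canonicalize)`. The enclosing function starts and ends outside the hunk.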