
nss-pam-ldapd branch master updated. 0.9.0-27-gec53918


nss-pam-ldapd branch master updated. 0.9.0-27-gec53918



This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "nss-pam-ldapd".

The branch, master has been updated
       via  ec5391838ca71ee31afe0ad4377664dd88e5266b (commit)
       via  d659e8347171fff61e1f3dfe094244f310ef4557 (commit)
       via  7092d40f32df9b419fff475f3368b5df2ff1c521 (commit)
       via  a0e12e6b98616994aca595de7589c003bb68013e (commit)
       via  fa97bcc376777f87ee661852ad0a8ed60d002466 (commit)
       via  a3acbecc071b4138a36fa2a155f7fab2eb94209b (commit)
       via  4031750cbbf7d8c7803ed7379d42c1c1b4805a85 (commit)
      from  5d3f681e04861f15539fe639e7a4e289050a315e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=ec5391838ca71ee31afe0ad4377664dd88e5266b

commit ec5391838ca71ee31afe0ad4377664dd88e5266b
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Mon Jul 29 23:56:07 2013 +0200

    Use cleaner import and get rid of uid2dn function in pynslcd

diff --git a/pynslcd/group.py b/pynslcd/group.py
index ee1d268..2868d96 100644
--- a/pynslcd/group.py
+++ b/pynslcd/group.py
@@ -24,7 +24,7 @@ import logging
 from ldap.filter import escape_filter_chars
 import ldap
 
-from passwd import dn2uid, uid2dn
+import passwd
 import cache
 import cfg
 import common
@@ -63,12 +63,12 @@ class Search(search.LDAPSearch):
         # we still need a custom mk_filter because this is an | query
         if attmap['member'] and 'memberUid' in self.parameters:
             memberuid = self.parameters['memberUid']
-            dn = uid2dn(self.conn, memberuid)
-            if dn:
+            entry = passwd.uid2entry(self.conn, memberuid)
+            if entry:
                 return '(&%s(|(%s=%s)(%s=%s)))' % (
                         self.filter,
                         attmap['memberUid'], escape_filter_chars(memberuid),
-                        attmap['member'], escape_filter_chars(dn)
+                        attmap['member'], escape_filter_chars(entry[0])
                     )
         return super(Search, self).mk_filter()
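Review bot: `entry[0]` in the member clause relies on the reader knowing that passwd.uid2entry() returns a `(dn, attributes)` pair, which is not visible in this file; unpacking makes the intent explicit, e.g. after `if entry:` add `dn, _attrs = entry` and use `attmap['member'], escape_filter_chars(dn)`. The body of mk_filter starts outside the hunk.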
 
@@ -109,7 +109,7 @@ class GroupRequest(common.Request):
             if memberdn in seen:
                 continue
             seen.add(memberdn)
-            member = dn2uid(self.conn, memberdn)
+            member = passwd.dn2uid(self.conn, memberdn)
             if member and common.isvalidname(member):
                 members.add(member)
             elif cfg.nss_nested_groups:
diff --git a/pynslcd/passwd.py b/pynslcd/passwd.py
index 418be7f..7fb5619 100644
--- a/pynslcd/passwd.py
+++ b/pynslcd/passwd.py
@@ -120,13 +120,6 @@ def uid2entry(conn, uid):
             return dn, attributes
 
 
-def uid2dn(conn, uid):
-    """Look up the user by uid and return the DN or None if the user was
-    not found."""
-    x = uid2entry(conn, uid)
-    if x is not None:
-        return x[0]
-
 # FIXME: use cache of dn2uid and try to use DN to get uid attribute
 
 

http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=d659e8347171fff61e1f3dfe094244f310ef4557

commit d659e8347171fff61e1f3dfe094244f310ef4557
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Mon Jul 29 23:57:01 2013 +0200

    Handle the nss_min_uid option in pynslcd

diff --git a/pynslcd/cfg.py b/pynslcd/cfg.py
index 310d308..90acbeb 100644
--- a/pynslcd/cfg.py
+++ b/pynslcd/cfg.py
@@ -80,7 +80,7 @@ tls_key = None
 # other options
 pagesize = 0  # FIXME: add support
 nss_initgroups_ignoreusers = set()
-nss_min_uid = 0  # FIXME: add support
+nss_min_uid = 0
 nss_nested_groups = False
 validnames = re.compile(r'^[a-z0-9._@$][a-z0-9._@$ 
\\~-]{0,98}[a-z0-9._@$~-]$', re.IGNORECASE)
 pam_authz_searches = []
diff --git a/pynslcd/passwd.py b/pynslcd/passwd.py
index 3be7885..418be7f 100644
--- a/pynslcd/passwd.py
+++ b/pynslcd/passwd.py
@@ -21,6 +21,7 @@
 import logging
 
 import cache
+import cfg
 import common
 import constants
 import search
@@ -76,7 +77,8 @@ class PasswdRequest(common.Request):
                 logging.warning('%s: %s: denied by validnames option', dn, 
attmap['uid'])
             else:
                 for uid in uids:
-                    yield (name, passwd, uid, gid, gecos, home, shell)
+                    if uid >= cfg.nss_min_uid:
+                        yield (name, passwd, uid, gid, gecos, home, shell)
 
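Review bot: The new `uid >= cfg.nss_min_uid` test before the yield only does what it is meant to if `uid` is already an int; `uids` is built outside the hunk, and the `int(x)` conversions this same commit adds to uid2entry() suggest the uidNumber values arrive as strings. On Python 2, which the `super(PasswdByUidRequest, self)` style indicates, a str compared with an int is always greater, so a string uid would pass the check unconditionally and nss_min_uid would be silently ineffective on this path. If uids holds strings, compare `if int(uid) >= cfg.nss_min_uid:` or convert once where uids is built. The enclosing method of PasswdRequest starts outside the hunk.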
 
 class PasswdByNameRequest(PasswdRequest):
@@ -96,6 +98,14 @@ class PasswdByUidRequest(PasswdRequest):
     def read_parameters(self, fp):
         return dict(uidNumber=fp.read_int32())
 
+    def handle_request(self, parameters):
+        # check requested numeric id
+        if parameters['uidNumber'] >= cfg.nss_min_uid:
+            return super(PasswdByUidRequest, self).handle_request(parameters)
+        # write the final result code to signify empty results
+        self.fp.write_int32(constants.NSLCD_RESULT_END)
+
+
 
 class PasswdAllRequest(PasswdRequest):
 
@@ -106,7 +116,8 @@ def uid2entry(conn, uid):
     """Look up the user by uid and return the LDAP entry or None if the user
     was not found."""
     for dn, attributes in Search(conn, parameters=dict(uid=uid)):
-        return dn, attributes
+        if any(int(x) >= cfg.nss_min_uid for x in attributes['uidNumber']])
+            return dn, attributes
 
 
 def uid2dn(conn, uid):
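Review bot: The new condition in uid2entry() is not valid Python: it ends in `']])` with an unbalanced bracket and no trailing `:`, so importing passwd.py will fail with a SyntaxError. It should read `if any(int(x) >= cfg.nss_min_uid for x in attributes['uidNumber']):`. The dn2uid() hunk that follows has the same defect. Separately, `int(x)` raises ValueError on a non-numeric uidNumber value and `attributes['uidNumber']` raises KeyError when the entry lacks the attribute; whether the callers tolerate that is not visible here.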
@@ -123,4 +134,5 @@ def dn2uid(conn, dn):
     """Look up the user by dn and return a uid or None if the user was
     not found."""
     for dn, attributes in Search(conn, base=dn):
-        return attributes['uid'][0]
+        if any(int(x) >= cfg.nss_min_uid for x in attributes['uidNumber']])
+            return attributes['uid'][0]

http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7092d40f32df9b419fff475f3368b5df2ff1c521

commit 7092d40f32df9b419fff475f3368b5df2ff1c521
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Mon Jul 29 23:14:47 2013 +0200

    Handle the nss_initgroups_ignoreusers option in pynslcd

diff --git a/pynslcd/cfg.py b/pynslcd/cfg.py
index b4967f8..310d308 100644
--- a/pynslcd/cfg.py
+++ b/pynslcd/cfg.py
@@ -79,7 +79,7 @@ tls_key = None
 
 # other options
 pagesize = 0  # FIXME: add support
-nss_initgroups_ignoreusers = set()  # FIXME: add support
+nss_initgroups_ignoreusers = set()
 nss_min_uid = 0  # FIXME: add support
 nss_nested_groups = False
 validnames = re.compile(r'^[a-z0-9._@$][a-z0-9._@$ 
\\~-]{0,98}[a-z0-9._@$~-]$', re.IGNORECASE)
diff --git a/pynslcd/group.py b/pynslcd/group.py
index a72c57d..ee1d268 100644
--- a/pynslcd/group.py
+++ b/pynslcd/group.py
@@ -187,6 +187,14 @@ class GroupByMemberRequest(GroupRequest):
                         for result in self.convert(dn, attributes, parameters):
                             yield result
 
+    def handle_request(self, parameters):
+        # check whether requested user is in nss_initgroups_ignoreusers
+        if parameters['memberUid'] in cfg.nss_initgroups_ignoreusers:
+            # write the final result code to signify empty results
+            self.fp.write_int32(constants.NSLCD_RESULT_END)
+            return
+        return super(GroupByMemberRequest, self).handle_request(parameters)
+
 
 class GroupAllRequest(GroupRequest):
 
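Review bot: The ignore check in GroupByMemberRequest.handle_request compares the requested name directly against `cfg.nss_initgroups_ignoreusers`; nslcd.conf also accepts the `ALLLOCAL` keyword for this option, and unless the configuration parser (outside this hunk) expands it into concrete user names, a configuration relying on it would be silently ignored here — worth confirming in cfg.py. A short docstring would also help, e.g. `"""Answer with an empty result for users listed in nss_initgroups_ignoreusers."""`.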

http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=a0e12e6b98616994aca595de7589c003bb68013e

commit a0e12e6b98616994aca595de7589c003bb68013e
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Sat Jul 27 23:09:01 2013 +0200

    Fix handling of pam_password_prohibit_message in pynslcd

diff --git a/pynslcd/cfg.py b/pynslcd/cfg.py
index cf9c872..b4967f8 100644
--- a/pynslcd/cfg.py
+++ b/pynslcd/cfg.py
@@ -84,7 +84,7 @@ nss_min_uid = 0  # FIXME: add support
 nss_nested_groups = False
 validnames = re.compile(r'^[a-z0-9._@$][a-z0-9._@$ 
\\~-]{0,98}[a-z0-9._@$~-]$', re.IGNORECASE)
 pam_authz_searches = []
-pam_password_prohibit_message = None  # FIXME: add support
+pam_password_prohibit_message = None
 reconnect_invalidate = set()
 
 
diff --git a/pynslcd/pam.py b/pynslcd/pam.py
index 483c8d5..7c01517 100644
--- a/pynslcd/pam.py
+++ b/pynslcd/pam.py
@@ -278,7 +278,7 @@ class PAMPasswordModificationRequest(PAMRequest):
         self.validate(parameters)
         # check if pam_password_prohibit_message is set
         if cfg.pam_password_prohibit_message:
-            self.write(parameters, constants.NSLCD_PAM_PERM_DENIED,
+            self.write(constants.NSLCD_PAM_PERM_DENIED,
                        cfg.pam_password_prohibit_message)
             return
         # check if the the user passed the rootpwmoddn

http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=fa97bcc376777f87ee661852ad0a8ed60d002466

commit fa97bcc376777f87ee661852ad0a8ed60d002466
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Mon Jul 29 23:07:36 2013 +0200

    Implement config request handling in pynslcd
    
    This allows the PAM module to request the pam_password_prohibit_message
    option for denying password change.

diff --git a/pynslcd/Makefile.am b/pynslcd/Makefile.am
index f96654b..a61ff65 100644
--- a/pynslcd/Makefile.am
+++ b/pynslcd/Makefile.am
@@ -21,9 +21,9 @@ pynslcddir = $(datadir)/pynslcd
 
 pynslcd_PYTHON = pynslcd.py attmap.py cache.py cfg.py common.py expr.py \
                  mypidfile.py invalidator.py search.py tio.py \
-                 alias.py ether.py group.py host.py netgroup.py network.py \
-                 passwd.py protocol.py rpc.py service.py shadow.py pam.py \
-                 usermod.py
+                 config.py alias.py ether.py group.py host.py netgroup.py \
+                 network.py passwd.py protocol.py rpc.py service.py \
+                 shadow.py pam.py usermod.py
 nodist_pynslcd_PYTHON = constants.py
 CLEANFILES = $(nodist_pynslcd_PYTHON)
 
diff --git a/pynslcd/config.py b/pynslcd/config.py
new file mode 100644
index 0000000..ee57db3
--- /dev/null
+++ b/pynslcd/config.py
@@ -0,0 +1,45 @@
+
+# config.py - routines for getting configuration information
+#
+# Copyright (C) 2013 Arthur de Jong
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301 USA
+
+import cfg
+import common
+import constants
+
+
+class ConfigGetRequest(common.Request):
+
+    action = constants.NSLCD_ACTION_CONFIG_GET
+
+    def read_parameters(self, fp):
+        return dict(cfgopt=fp.read_int32())
+        # TODO: log call with parameters
+
+    def write(self, value):
+        self.fp.write_int32(constants.NSLCD_RESULT_BEGIN)
+        self.fp.write_string(value)
+        self.fp.write_int32(constants.NSLCD_RESULT_END)
+
+    def handle_request(self, parameters):
+        cfgopt = parameters['cfgopt']
+        if cfgopt == constants.NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE:
+            self.write(cfg.pam_password_prohibit_message or '')
+        else:
+            # return empty response
+            self.fp.write_int32(constants.NSLCD_RESULT_END)
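Review bot: In ConfigGetRequest.read_parameters the `# TODO: log call with parameters` comment sits after the `return`, where any code written for it would be unreachable; move it above the return. In handle_request an unknown `cfgopt` is answered with a bare NSLCD_RESULT_END and nothing is recorded, which makes a client/server constant mismatch hard to diagnose; a `logging.warning('unknown config option requested: %r', cfgopt)` before that write would help and needs `import logging` in this new file. The class would also benefit from a docstring saying it serves configuration values to the PAM module, as the commit message explains.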
diff --git a/pynslcd/pynslcd.py b/pynslcd/pynslcd.py
index e0add71..cd3a171 100755
--- a/pynslcd/pynslcd.py
+++ b/pynslcd/pynslcd.py
@@ -178,6 +178,7 @@ def getpeercred(fd):
 
 
 handlers = {}
+handlers.update(common.get_handlers('config'))
 handlers.update(common.get_handlers('alias'))
 handlers.update(common.get_handlers('ether'))
 handlers.update(common.get_handlers('group'))

http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=a3acbecc071b4138a36fa2a155f7fab2eb94209b

commit a3acbecc071b4138a36fa2a155f7fab2eb94209b
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Sat Jul 27 20:17:16 2013 +0200

    Implement PAM session handling in pynslcd
    
    Just like in nslcd, this doesn't actually do anything with the session
    ids except generate them.

diff --git a/pynslcd/pam.py b/pynslcd/pam.py
index 1dbf7e8..483c8d5 100644
--- a/pynslcd/pam.py
+++ b/pynslcd/pam.py
@@ -19,6 +19,7 @@
 # 02110-1301 USA
 
 import logging
+import random
 import socket
 import time
 
@@ -34,6 +35,9 @@ import search
 import shadow
 
 
+random = random.SystemRandom()
+
+
 def authenticate(binddn, password):
     # open a new connection
     conn = search.Connection()
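Review bot: `random = random.SystemRandom()` rebinds the module name to an instance, so from this point on `random` in pam.py is the SystemRandom object and the module's other names are unreachable; it works for `random.choice` but reads as a module reference. A distinct name such as `_sysrandom = random.SystemRandom()` with `_sysrandom.choice(...)` in generate_session_id avoids the shadowing. Drawing session ids from SystemRandom rather than the default generator is the right choice.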
@@ -309,5 +313,60 @@ class PAMPasswordModificationRequest(PAMRequest):
         self.write()
 
 
-#NSLCD_ACTION_PAM_SESS_O
-#NSLCD_ACTION_PAM_SESS_C
+SESSION_ID_LENGTH = 25
+SESSION_ID_ALPHABET = (
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
+    "abcdefghijklmnopqrstuvwxyz" +
+    "01234567890"
+)
+
+
+def generate_session_id():
+    return ''.join(
+        random.choice(SESSION_ID_ALPHABET)
+        for i in range(SESSION_ID_LENGTH)
+    )
+
+
+class PAMSessionOpenRequest(PAMRequest):
+
+    action = constants.NSLCD_ACTION_PAM_SESS_O
+
+    def read_parameters(self, fp):
+        return dict(username=fp.read_string(),
+                    service=fp.read_string(),
+                    ruser=fp.read_string(),
+                    rhost=fp.read_string(),
+                    tty=fp.read_string())
+        # TODO: log call with parameters
+
+    def write(self, sessionid):
+        self.fp.write_int32(constants.NSLCD_RESULT_BEGIN)
+        self.fp.write_string(sessionid)
+        self.fp.write_int32(constants.NSLCD_RESULT_END)
+
+    def handle_request(self, parameters):
+        # generate a session id
+        session_id = generate_session_id()
+        self.write(session_id)
+
+
+class PAMSessionCloseRequest(PAMRequest):
+
+    action = constants.NSLCD_ACTION_PAM_SESS_C
+
+    def read_parameters(self, fp):
+        return dict(username=fp.read_string(),
+                    service=fp.read_string(),
+                    ruser=fp.read_string(),
+                    rhost=fp.read_string(),
+                    tty=fp.read_string(),
+                    session_id=fp.read_string())
+        # TODO: log call with parameters
+
+    def write(self):
+        self.fp.write_int32(constants.NSLCD_RESULT_BEGIN)
+        self.fp.write_int32(constants.NSLCD_RESULT_END)
+
+    def handle_request(self, parameters):
+        self.write()

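Review bot: SESSION_ID_ALPHABET contains the digit `0` twice (`"01234567890"` ends with an extra `0`), so `0` is drawn with probability 2/63 instead of 1/62 and the generated ids are slightly biased; the string should be `"0123456789"`. The unused loop variable in generate_session_id is conventionally written `_`: `for _ in range(SESSION_ID_LENGTH)`. As in config.py, the `# TODO: log call with parameters` comments in both read_parameters methods sit after `return` and should be moved above it.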
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=4031750cbbf7d8c7803ed7379d42c1c1b4805a85

commit 4031750cbbf7d8c7803ed7379d42c1c1b4805a85
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Fri Jul 26 23:43:40 2013 +0200

    Properly handle start_tls in pynslcd

diff --git a/pynslcd/search.py b/pynslcd/search.py
index f8c82fb..4c6f243 100644
--- a/pynslcd/search.py
+++ b/pynslcd/search.py
@@ -53,6 +53,10 @@ class Connection(ldap.ldapobject.ReconnectLDAPObject):
         # TODO: register a connection callback (like dis?connect_cb() in 
myldap.c)
         if cfg.ssl or cfg.uri.startswith('ldaps://'):
             self.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_HARD)
+        # TODO: the following should probably be done on the first search
+        #       together with binding, not when creating the connection object
+        if cfg.ssl == 'STARTTLS':
+            self.start_tls_s()
 
     def reconnect_after_fail(self):
         import invalidator
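Review bot: The STARTTLS upgrade is issued once when the Connection object is built, and the enclosing method starts outside the hunk; since Connection derives from ReconnectLDAPObject, confirm that the TLS layer is re-established after an automatic reconnect (python-ldap's reconnect logic is meant to replay a recorded start_tls_s, but this should be verified for the version in use), otherwise a dropped and re-established session could continue without TLS. An `ldap.LDAPError` from `start_tls_s()` propagates out of the constructor, which is the fail-closed behaviour wanted here; a comment stating that intent would stop a later change from wrapping it in a try/except, e.g. `# a failed STARTTLS must abort the connection, never fall back to plaintext`.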

-----------------------------------------------------------------------

Summary of changes:
 pynslcd/Makefile.am |    6 ++---
 pynslcd/cfg.py      |    6 ++---
 pynslcd/config.py   |   45 +++++++++++++++++++++++++++++++++++
 pynslcd/group.py    |   18 ++++++++++----
 pynslcd/pam.py      |   65 ++++++++++++++++++++++++++++++++++++++++++++++++---
 pynslcd/passwd.py   |   25 ++++++++++++--------
 pynslcd/pynslcd.py  |    1 +
 pynslcd/search.py   |    4 ++++
 8 files changed, 146 insertions(+), 24 deletions(-)
 create mode 100644 pynslcd/config.py


hooks/post-receive
-- 
nss-pam-ldapd
-- 