
nss-pam-ldapd branch master updated. 0.9.0-54-g7b474d0


nss-pam-ldapd branch master updated. 0.9.0-54-g7b474d0



This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "nss-pam-ldapd".

The branch, master has been updated
       via  7b474d0d1cf1a5c7a7b59e55b29a9778d5925742 (commit)
       via  b0358f74944cd5d7e984700d61da989b5f98cb18 (commit)
       via  ebbe8a6fd1b4559f064d79016b3571abc2bf54c4 (commit)
       via  8bdb28933154d9ee0e7e45e68c094bc507cb89db (commit)
       via  d58f163b5aceb570aa7bd41b2c8edb3307a3a980 (commit)
      from  34365b4e9b43045500b478edb8842b5212e8d3f5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7b474d0d1cf1a5c7a7b59e55b29a9778d5925742

commit 7b474d0d1cf1a5c7a7b59e55b29a9778d5925742
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Wed Aug 21 21:52:41 2013 +0200

    Have pynslcd handle mapped userPassword
    
    This fixes an error that could occur when the userPassword was retrieved
    from LDAP and insufficient privileges were available for reading the
    attribute.

diff --git a/pynslcd/group.py b/pynslcd/group.py
index 965148d..375af57 100644
--- a/pynslcd/group.py
+++ b/pynslcd/group.py
@@ -139,8 +139,13 @@ class GroupRequest(common.Request):
     def convert(self, dn, attributes, parameters):
         # get group names and check against requested group name
         names = attributes['cn']
-        # get group group password
-        passwd = attributes['userPassword'][0]
+        # get group password
+        try:
+            passwd = attributes['userPassword'][0]
+        except IndexError:
+            passwd = None
+        if not passwd or self.calleruid != 0:
+            passwd = '*'
         # get group id(s)
         gids = [int(x) for x in attributes['gidNumber']]
         # build member list
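Review bot: The new `except IndexError` only covers an empty userPassword list; if `attributes` is a plain dict, a mapped attribute that is absent from the entry raises KeyError instead and the request still fails, so unless the attribute mapping guarantees an empty list for every mapped attribute the read should be `(attributes.get('userPassword') or [None])[0]` or the except should be `except (IndexError, KeyError):`. The same five lines are repeated in pynslcd/passwd.py and pynslcd/shadow.py in this commit; one helper in the shared module taking the attributes and the caller's uid would keep the root-only rule in a single place. The `self.calleruid != 0` test is what keeps the hash from unprivileged callers, so a comment on that line such as `# only root may see the hash; other callers get a placeholder` would make the intent explicit. convert() continues outside the hunk.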
diff --git a/pynslcd/passwd.py b/pynslcd/passwd.py
index a5e4d1f..d65e556 100644
--- a/pynslcd/passwd.py
+++ b/pynslcd/passwd.py
@@ -77,7 +77,12 @@ class PasswdRequest(common.Request):
         if 'shadowAccount' in attributes['objectClass']:
             passwd = 'x'
         else:
-            passwd = attributes['userPassword'][0]
+            try:
+                passwd = attributes['userPassword'][0]
+            except IndexError:
+                passwd = None
+            if not passwd or self.calleruid != 0:
+                passwd = '*'
         uids = [int(x) for x in attributes['uidNumber']]
         gid = int(attributes['gidNumber'][0])
         gecos = attributes['gecos'][0]
diff --git a/pynslcd/shadow.py b/pynslcd/shadow.py
index 5fd0aa9..89dbbfa 100644
--- a/pynslcd/shadow.py
+++ b/pynslcd/shadow.py
@@ -76,7 +76,10 @@ class ShadowRequest(common.Request):
 
     def convert(self, dn, attributes, parameters):
         names = attributes['uid']
-        passwd = attributes['userPassword'][0]
+        try:
+            passwd = attributes['userPassword'][0]
+        except IndexError:
+            passwd = None
         if not passwd or self.calleruid != 0:
             passwd = '*'
         # function for making an int

http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=b0358f74944cd5d7e984700d61da989b5f98cb18

commit b0358f74944cd5d7e984700d61da989b5f98cb18
Merge: d58f163 ebbe8a6
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Wed Aug 21 21:47:28 2013 +0200

    Retry LDAP servers quickly after receiving SIGUSR1
    
    When nslcd receives the SIGUSR1 signal it will retry connecting to
    unavailable LDAP servers sooner.
    
    This signal can for example be sent when (re)establishing a network
    connection.


http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=ebbe8a6fd1b4559f064d79016b3571abc2bf54c4

commit ebbe8a6fd1b4559f064d79016b3571abc2bf54c4
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Tue Aug 20 17:19:27 2013 +0200

    Handle SIGUSR1 by resetting the retry timer
    
    This implements and documents handling of the SIGUSR1 signal in nslcd to
    reset the reconnect_sleeptime and reconnect_retrytime timers to re-check
    availability of the LDAP server.

diff --git a/man/nslcd.8.xml b/man/nslcd.8.xml
index 9b7ff90..ce725ab 100644
--- a/man/nslcd.8.xml
+++ b/man/nslcd.8.xml
@@ -137,6 +137,26 @@
   </variablelist>
  </refsect1>
 
+ <refsect1 id="signals">
+  <title>Signals</title>
+  <variablelist remap="IP">
+   <varlistentry id="sigterm">
+    <term><option>SIGTERM</option>/<option>SIGINT</option></term>
+    <listitem>
+     <para>Cancel any running queries and exit.</para>
+    </listitem>
+   </varlistentry>
+   <varlistentry id="sigusr1"> <!-- since 0.9.1 -->
+    <term><option>SIGUSR1</option></term>
+    <listitem>
+     <para>Cause <command>nslcd</command> to retry any failing connections
+     to the LDAP server, regardless of the <option>reconnect_sleeptime</option>
+     and <option>reconnect_retrytime</option> options.</para>
+    </listitem>
+   </varlistentry>
+  </variablelist>
+ </refsect1>
+
  <refsect1 id="files">
   <title>Files</title>
   <para>
diff --git a/nslcd/nslcd.c b/nslcd/nslcd.c
index 073f38c..98aee6b 100644
--- a/nslcd/nslcd.c
+++ b/nslcd/nslcd.c
@@ -87,8 +87,8 @@ static int nslcd_nofork = 0;
 /* flag to indicate user requested the --check option */
 static int nslcd_checkonly = 0;
 
-/* the exit flag to indicate that a signal was received */
-static volatile int nslcd_exitsignal = 0;
+/* the flag to indicate that a signal was received */
+static volatile int nslcd_receivedsignal = 0;
 
 /* the server socket used for communication */
 static int nslcd_serversocket = -1;
@@ -186,11 +186,11 @@ static void parse_cmdline(int argc, char *argv[])
   }
 }
 
-/* signal handler for closing down */
-static void sigexit_handler(int signum)
+/* signal handler for storing information on received signals */
+static void sig_handler(int signum)
 {
   /* just save the signal to indicate that we're stopping */
-  nslcd_exitsignal = signum;
+  nslcd_receivedsignal = signum;
 }
 
 /* do some cleaning up before terminating */
@@ -803,22 +803,29 @@ int main(int argc, char *argv[])
   }
   pthread_sigmask(SIG_SETMASK, &oldmask, NULL);
   /* install signalhandlers for some signals */
-  install_sighandler(SIGHUP, sigexit_handler);
-  install_sighandler(SIGINT, sigexit_handler);
-  install_sighandler(SIGQUIT, sigexit_handler);
-  install_sighandler(SIGABRT, sigexit_handler);
+  install_sighandler(SIGHUP, sig_handler);
+  install_sighandler(SIGINT, sig_handler);
+  install_sighandler(SIGQUIT, sig_handler);
+  install_sighandler(SIGABRT, sig_handler);
   install_sighandler(SIGPIPE, SIG_IGN);
-  install_sighandler(SIGTERM, sigexit_handler);
-  install_sighandler(SIGUSR1, sigexit_handler);
-  install_sighandler(SIGUSR2, sigexit_handler);
+  install_sighandler(SIGTERM, sig_handler);
+  install_sighandler(SIGUSR1, sig_handler);
+  install_sighandler(SIGUSR2, sig_handler);
   /* wait until we received a signal */
-  while (nslcd_exitsignal == 0)
+  while ((nslcd_receivedsignal == 0) || (nslcd_receivedsignal == SIGUSR1))
   {
     sleep(INT_MAX); /* sleep as long as we can or until we receive a signal */
+    if (nslcd_receivedsignal == SIGUSR1)
+    {
+      log_log(LOG_INFO, "caught signal %s (%d), refresh retries",
+              signame(nslcd_receivedsignal), nslcd_receivedsignal);
+      myldap_immediate_reconnect();
+      nslcd_receivedsignal = 0;
+    }
   }
   /* print something about received signal */
   log_log(LOG_INFO, "caught signal %s (%d), shutting down",
-          signame(nslcd_exitsignal), nslcd_exitsignal);
+          signame(nslcd_receivedsignal), nslcd_receivedsignal);
   /* cancel all running threads */
   for (i = 0; i < nslcd_cfg->threads; i++)
     if (pthread_cancel(nslcd_threads[i]))
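Review bot: The `nslcd_receivedsignal = 0;` reset after handling SIGUSR1 can drop a termination signal: if SIGTERM arrives between the `if (nslcd_receivedsignal == SIGUSR1)` comparison and the reset, the value the handler stored is overwritten with 0 and the loop goes back to `sleep(INT_MAX)` until some other signal arrives. Recording the exit signal and the reconnect request in two separate variables removes that window, because the main loop then never writes to the variable that records termination; both flags should also be `volatile sig_atomic_t` rather than `volatile int`, which applies to the declaration hunk earlier in this file as well. The handler part of the change belongs to the sig_handler hunk above, and main() continues outside this hunk.
```c
/* set from the signal handler; written and read only as whole values */
static volatile sig_atomic_t nslcd_exitsignal = 0;
static volatile sig_atomic_t nslcd_reconnectsignal = 0;

/* signal handler for storing information on received signals */
static void sig_handler(int signum)
{
  /* SIGUSR1 only asks for a retry of failing servers; every other signal
     routed here terminates the daemon, and is never cleared by main() */
  if (signum == SIGUSR1)
    nslcd_reconnectsignal = 1;
  else
    nslcd_exitsignal = signum;
}

/* … unchanged: option parsing, daemon setup, install_sighandler() calls … */
  while (nslcd_exitsignal == 0)
  {
    sleep(INT_MAX); /* sleep as long as we can or until we receive a signal */
    if (nslcd_reconnectsignal)
    {
      log_log(LOG_INFO, "caught signal %s (%d), refresh retries",
              signame(SIGUSR1), SIGUSR1);
      myldap_immediate_reconnect();
      nslcd_reconnectsignal = 0;
    }
  }
  /* print something about received signal */
  log_log(LOG_INFO, "caught signal %s (%d), shutting down",
          signame(nslcd_exitsignal), nslcd_exitsignal);
```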

http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=8bdb28933154d9ee0e7e45e68c094bc507cb89db

commit 8bdb28933154d9ee0e7e45e68c094bc507cb89db
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Tue Aug 20 16:16:24 2013 +0200

    Implement function for resetting reconnect times
    
    This implements a myldap_immediate_reconnect() function that resets the
    reconnect timer to retry failing connections to the LDAP server upon the
    next search.
    
    This can be used to cut the reconnect_sleeptime and reconnect_retrytime
    sleeping periods short if we have some indication that the LDAP server
    is available again.

diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index b2258d4..757eb20 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -1257,6 +1257,28 @@ static int do_retry_search(MYLDAP_SEARCH *search)
   }
 }
 
+/* force quick retries of all failing LDAP servers */
+void myldap_immediate_reconnect(void)
+{
+  int i;
+  time_t t;
+  t = time(NULL) - nslcd_cfg->reconnect_retrytime;
+  pthread_mutex_lock(&uris_mutex);
+  for (i = 0; i < (NSS_LDAP_CONFIG_MAX_URIS + 1); i++)
+  {
+    /* only adjust failing connections that are in a hard fail state */
+    if ((nslcd_cfg->uris[i].lastfail > t) &&
+        (nslcd_cfg->uris[i].lastfail > (nslcd_cfg->uris[i].firstfail + 
nslcd_cfg->reconnect_retrytime)))
+    {
+      /* move lastfail back to ensure quick retry */
+      log_log(LOG_DEBUG, "moving lastfail of %s %d second(s) back to force 
retry",
+              nslcd_cfg->uris[i].uri, (int)(nslcd_cfg->uris[i].lastfail - t));
+      nslcd_cfg->uris[i].lastfail = t;
+    }
+  }
+  pthread_mutex_unlock(&uris_mutex);
+}
+
 MYLDAP_SEARCH *myldap_search(MYLDAP_SESSION *session,
                              const char *base, int scope, const char *filter,
                              const char **attrs, int *rcp)
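Review bot: The header comment promises quick retries of "all failing LDAP servers", but the condition in the `if` only moves `lastfail` for URIs whose `lastfail` is newer than `t` and more than `reconnect_retrytime` past `firstfail`; a server that is failing but still within its first `reconnect_retrytime` window is left untouched, so the comment, the declaration comment in nslcd/myldap.h and the new man page entry (which says both timers are bypassed) overstate what happens. Either document the restriction, e.g. `/* force quick retries of LDAP servers in the hard-fail state (lastfail more than reconnect_retrytime past firstfail) */`, or extend the condition if the shorter window is meant to be cut as well. The loop bound `NSS_LDAP_CONFIG_MAX_URIS + 1` presumably matches the size of `nslcd_cfg->uris`, which is not visible here.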
diff --git a/nslcd/myldap.h b/nslcd/myldap.h
index 9367b43..8c4551a 100644
--- a/nslcd/myldap.h
+++ b/nslcd/myldap.h
@@ -90,6 +90,10 @@ void myldap_session_check(MYLDAP_SESSION *session);
    After a call to this function the referenced handle is invalid. */
 void myldap_session_close(MYLDAP_SESSION *session);
 
+/* Mark all failing LDAP servers as needing quick retries. This ensures that 
the
+   reconnect_sleeptime and reconnect_retrytime sleeping period is cut short. */
+void myldap_immediate_reconnect(void);
+
 /* Do an LDAP search and return a reference to the results (returns NULL on
    error). This function uses paging, and does reconnects to the configured
    URLs transparently. The function returns an LDAP status code in the

http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=d58f163b5aceb570aa7bd41b2c8edb3307a3a980

commit d58f163b5aceb570aa7bd41b2c8edb3307a3a980
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Tue Aug 20 22:43:10 2013 +0200

    Return partial shadow information to non-root users
    
    This also returns everything except the password hash from the shadow
    database to non-root users (nothing was returned before). This allows
    non-root users to do PAM authentication in some configurations.
    
    On some systems there is a setgid executable that is allowed to read
    /etc/shadow for authentication by e.g. screensavers. Returning no shadow
    information will cause pam_unix to deny authorisation in common
    configurations.
    
    See:
    http://bugs.debian.org/706913

diff --git a/nslcd/common.h b/nslcd/common.h
index fce92f6..c848e36 100644
--- a/nslcd/common.h
+++ b/nslcd/common.h
@@ -233,8 +233,8 @@ int nslcd_rpc_all(TFILE *fp, MYLDAP_SESSION *session);
 int nslcd_service_byname(TFILE *fp, MYLDAP_SESSION *session);
 int nslcd_service_bynumber(TFILE *fp, MYLDAP_SESSION *session);
 int nslcd_service_all(TFILE *fp, MYLDAP_SESSION *session);
-int nslcd_shadow_byname(TFILE *fp, MYLDAP_SESSION *session);
-int nslcd_shadow_all(TFILE *fp, MYLDAP_SESSION *session);
+int nslcd_shadow_byname(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid);
+int nslcd_shadow_all(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid);
 int nslcd_pam_authc(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid);
 int nslcd_pam_authz(TFILE *fp, MYLDAP_SESSION *session);
 int nslcd_pam_sess_o(TFILE *fp, MYLDAP_SESSION *session);
diff --git a/nslcd/nslcd.c b/nslcd/nslcd.c
index 59323eb..073f38c 100644
--- a/nslcd/nslcd.c
+++ b/nslcd/nslcd.c
@@ -407,10 +407,8 @@ static void handleconnection(int sock, MYLDAP_SESSION 
*session)
     case NSLCD_ACTION_SERVICE_BYNAME:   (void)nslcd_service_byname(fp, 
session); break;
     case NSLCD_ACTION_SERVICE_BYNUMBER: (void)nslcd_service_bynumber(fp, 
session); break;
     case NSLCD_ACTION_SERVICE_ALL:      (void)nslcd_service_all(fp, session); 
break;
-    case NSLCD_ACTION_SHADOW_BYNAME:    if (uid == 0) 
(void)nslcd_shadow_byname(fp, session);
-      else log_log(LOG_DEBUG, "denied shadow request by non-root user"); break;
-    case NSLCD_ACTION_SHADOW_ALL:       if (uid == 0) 
(void)nslcd_shadow_all(fp, session);
-      else log_log(LOG_DEBUG, "denied shadow request by non-root user"); break;
+    case NSLCD_ACTION_SHADOW_BYNAME:    (void)nslcd_shadow_byname(fp, session, 
uid); break;
+    case NSLCD_ACTION_SHADOW_ALL:       (void)nslcd_shadow_all(fp, session, 
uid); break;
     case NSLCD_ACTION_PAM_AUTHC:        (void)nslcd_pam_authc(fp, session, 
uid); break;
     case NSLCD_ACTION_PAM_AUTHZ:        (void)nslcd_pam_authz(fp, session); 
break;
     case NSLCD_ACTION_PAM_SESS_O:       (void)nslcd_pam_sess_o(fp, session); 
break;
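Review bot: Removing the deny branches also removes the `log_log(LOG_DEBUG, "denied shadow request by non-root user")` trace, so non-root shadow lookups are no longer visible in the logs even though they now return a record with a placeholder password; if that visibility is wanted, write_shadow() in nslcd/shadow.c is the place to log at LOG_DEBUG when it substitutes `default_shadow_userPassword` for `calleruid != 0`. The fields other than the hash (account aging and expiry) become readable by any local user through both actions; the commit message gives the motivation, but the man page hunk in this push does not mention it, and a sentence there would help administrators judge the change. handleconnection() continues outside the hunk.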
diff --git a/nslcd/shadow.c b/nslcd/shadow.c
index 6e84d36..031bf4d 100644
--- a/nslcd/shadow.c
+++ b/nslcd/shadow.c
@@ -216,7 +216,8 @@ void get_shadow_properties(MYLDAP_ENTRY *entry, long 
*lastchangedate,
   }
 }
 
-static int write_shadow(TFILE *fp, MYLDAP_ENTRY *entry, const char *requser)
+static int write_shadow(TFILE *fp, MYLDAP_ENTRY *entry, const char *requser,
+                        uid_t calleruid)
 {
   int32_t tmpint32;
   const char **usernames;
@@ -241,7 +242,7 @@ static int write_shadow(TFILE *fp, MYLDAP_ENTRY *entry, 
const char *requser)
   /* get password */
   passwd = get_userpassword(entry, attmap_shadow_userPassword,
                             passbuffer, sizeof(passbuffer));
-  if (passwd == NULL)
+  if ((passwd == NULL) || (calleruid != 0))
     passwd = default_shadow_userPassword;
   /* get expiry properties */
   get_shadow_properties(entry, &lastchangedate, &mindays, &maxdays, &warndays,
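Review bot: get_userpassword() is still called for every caller, so the hash is copied from the entry into `passbuffer` even when `calleruid != 0` means the next line discards it; skipping the lookup for non-root callers avoids fetching a secret that is never used, e.g. `passwd = (calleruid == 0) ? get_userpassword(entry, attmap_shadow_userPassword, passbuffer, sizeof(passbuffer)) : NULL;` followed by the existing `if (passwd == NULL)` fallback. A comment on the check, such as `/* only root may see the hash; other callers get the placeholder */`, would record why the uid decides the result. write_shadow() starts and ends outside this hunk.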
@@ -299,20 +300,20 @@ MYLDAP_ENTRY *shadow_uid2entry(MYLDAP_SESSION *session, 
const char *username,
   return NULL;
 }
 
-NSLCD_HANDLE(
+NSLCD_HANDLE_UID(
   shadow, byname, NSLCD_ACTION_SHADOW_BYNAME,
   char name[256];
   char filter[4096];
   READ_STRING(fp, name);
   log_setrequest("shadow=\"%s\"", name);,
   mkfilter_shadow_byname(name, filter, sizeof(filter)),
-  write_shadow(fp, entry, name)
+  write_shadow(fp, entry, name, calleruid)
 )
 
-NSLCD_HANDLE(
+NSLCD_HANDLE_UID(
   shadow, all, NSLCD_ACTION_SHADOW_ALL,
   const char *filter;
   log_setrequest("shadow(all)");,
   (filter = shadow_filter, 0),
-  write_shadow(fp, entry, NULL)
+  write_shadow(fp, entry, NULL, calleruid)
 )

-----------------------------------------------------------------------

Summary of changes:
 man/nslcd.8.xml   |   20 ++++++++++++++++++++
 nslcd/common.h    |    4 ++--
 nslcd/myldap.c    |   22 ++++++++++++++++++++++
 nslcd/myldap.h    |    4 ++++
 nslcd/nslcd.c     |   41 +++++++++++++++++++++++------------------
 nslcd/shadow.c    |   13 +++++++------
 pynslcd/group.py  |    9 +++++++--
 pynslcd/passwd.py |    7 ++++++-
 pynslcd/shadow.py |    5 ++++-
 9 files changed, 95 insertions(+), 30 deletions(-)


hooks/post-receive
-- 
nss-pam-ldapd