
Re: ldap server unavailable and pam response


Re: ldap server unavailable and pam response



On 16/11/2010 08:33, Pierre Gambarotto wrote:
> Hi
>
> I found a little problem: when the LDAP servers are unavailable (typically
> because of a network problem), the pam layer returns the code for "user
> unknown" whereas it should return "authinfo unavail".
> Tested with 0.7.2, 0.7.6 and 0.7.12.
>
> I found this strange behaviour when trying pam_ldap in conjunction with
> pam_ccreds
> I hope I am clear enough in my explanations :-)
>
I have a patch fixing this issue, which works for me. But I don't know the
code well enough to predict any unwanted side effects.
 
Hope this helps

   Pierre
diff -u nslcd/common.h ../nss-pam-ldapd-0.7.12/nslcd/common.h
--- nslcd/common.h      2010-11-16 10:47:22.554453124 +0100
+++ ../nss-pam-ldapd-0.7.12/nslcd/common.h      2010-09-24 09:07:16.000000000 
+0200
@@ -90,7 +90,6 @@
 
 /* use the user id to lookup an LDAP entry */
 MYLDAP_ENTRY *uid2entry(MYLDAP_SESSION *session,const char *uid);
-MYLDAP_ENTRY *uid2entry_rc(MYLDAP_SESSION *session,const char *uid,int *rcp);
 
 /* transforms the uid into a DN by doing an LDAP lookup */
 MUST_USE char *uid2dn(MYLDAP_SESSION *session,const char *uid,char *buf,size_t 
buflen);
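Review bot: The diff is generated with the trees swapped: the `---` side is the patched 2010-11-16 working copy and the `+++` side is the pristine 0.7.12 release, so the proposed code appears as `-` lines in this hunk and in every hunk that follows (myldap.c, pam.c, passwd.c). Readers should treat `-` as additions, and the patch should be regenerated with the release tree as the first argument before it can be applied with `patch -p0`. The new `uid2entry_rc` prototype also has no comment, unlike its neighbours; I would add `/* like uid2entry() but also stores the result code of the last LDAP search in *rcp */` above it, since that is what the passwd.c hunk passes to myldap_search().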
diff -u nslcd/myldap.c ../nss-pam-ldapd-0.7.12/nslcd/myldap.c
--- nslcd/myldap.c      2010-11-16 11:05:39.895751429 +0100
+++ ../nss-pam-ldapd-0.7.12/nslcd/myldap.c      2010-10-17 12:55:23.000000000 
+0200
@@ -899,11 +899,8 @@
     if (nexttry>=endtime)
     {
       if (search->session->binddn[0]=='\0')
-      {
         log_log(LOG_ERR,"no available LDAP server found");
-        log_log(LOG_ERR, ldap_err2string(rc));
-        return LDAP_UNAVAILABLE;
-      }
+      return rc;
     }
     /* sleep between tries */
     sleeptime=nexttry-time(NULL);
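Review bot: The proposed version (the `-` lines, as the diff is reversed) drops the unconditional `return rc;` that follows the `binddn[0]=='\0'` test, so when the deadline is reached with a bind DN configured the function no longer returns at all and falls through to the sleep, which presumably keeps the retry loop running past `endtime`; the surrounding loop and the function both begin and end outside this hunk, so this needs confirming there. Keeping a return on the non-empty-binddn path, e.g. `return rc;` after the inner block, preserves the original deadline behaviour. Separately, `log_log(LOG_ERR, ldap_err2string(rc));` passes a non-literal format string; it should be `log_log(LOG_ERR,"%s",ldap_err2string(rc));` so a `%` in a library message can never be interpreted as a conversion.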
diff -u nslcd/pam.c ../nss-pam-ldapd-0.7.12/nslcd/pam.c
--- nslcd/pam.c 2010-11-16 10:47:22.554453124 +0100
+++ ../nss-pam-ldapd-0.7.12/nslcd/pam.c 2010-10-15 15:24:55.000000000 +0200
@@ -66,7 +66,6 @@
   {
     case LDAP_SUCCESS:             return NSLCD_PAM_SUCCESS;
     case LDAP_INVALID_CREDENTIALS: return NSLCD_PAM_AUTH_ERR;
-    case LDAP_UNAVAILABLE:        return NSLCD_PAM_AUTHINFO_UNAVAIL;
     default:                       return NSLCD_PAM_AUTH_ERR;
   }
 }
@@ -75,7 +74,6 @@
 static int validate_user(MYLDAP_SESSION *session,char *userdn,size_t userdnsz,
                          char *username,size_t usernamesz)
 {
-  int rc;
   MYLDAP_ENTRY *entry=NULL;
   const char *value;
   const char **values;
@@ -89,15 +87,11 @@
   if (userdn[0]=='\0')
   {
     /* get the user entry based on the username */
-    entry=uid2entry_rc(session,username,&rc);
+    entry=uid2entry(session,username);
     if (entry==NULL)
     {
       log_log(LOG_WARNING,"\"%s\": user not found",username);
-      log_log(LOG_WARNING,"ldap error code: %i",rc);
-      if (rc==LDAP_UNAVAILABLE)
-        return -2;
-      else
-        return -1;
+      return -1;
     }
     /* get the DN */
     myldap_cpy_dn(entry,userdn,userdnsz);
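Review bot: In the proposed version (the `-` lines) `rc` is read by `log_log(LOG_WARNING,"ldap error code: %i",rc);` and compared with `LDAP_UNAVAILABLE` even though `uid2entry_rc()` returns NULL without touching `*rcp` when `isvalidname()` rejects the name or when every base is searched and no entry is found, so `rc` is uninitialized on those paths (it is declared bare as `int rc;` in the previous hunk). Either initialize it at declaration, `int rc=LDAP_SUCCESS;`, or have `uid2entry_rc()` in the passwd.c hunk set `*rcp` before any early return. The `"\"%s\": user not found"` warning is also emitted when the real cause is an unavailable server; logging that message only in the `-1` branch would keep the log truthful. validate_user() continues beyond this hunk.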
@@ -165,18 +159,6 @@
     }
     strcpy(userdn,nslcd_cfg->ldc_rootpwmoddn);
   }
-  else if 
(validate_user(session,userdn,sizeof(userdn),username,sizeof(username))==-2)
-  {
-  /* LDAP UNAVAILABLE*/
-  WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
-  WRITE_STRING(fp,username);
-  WRITE_STRING(fp,"");
-  WRITE_INT32(fp,NSLCD_PAM_AUTHINFO_UNAVAIL);  /* authc */
-  WRITE_INT32(fp,NSLCD_PAM_AUTHINFO_UNAVAIL);  /* authz */
-  WRITE_STRING(fp,"LDAP server unavaiable"); /* authzmsg */
-  WRITE_INT32(fp,NSLCD_RESULT_END);
-  return -1; 
-  }
   else if 
(validate_user(session,userdn,sizeof(userdn),username,sizeof(username)))
   {
     WRITE_INT32(fp,NSLCD_RESULT_END);
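Review bot: The proposed `else if` chain (the `-` lines) calls `validate_user()` twice: once to test for `-2` and, when that is false, again in the existing branch, so every failed lookup now costs two LDAP searches and the two calls could observe different server states. Capture the result once, e.g. `rc=validate_user(session,userdn,sizeof(userdn),username,sizeof(username));` before the chain, then `else if (rc==-2)` and `else if (rc)`; the declaration of `rc` belongs at the top of the enclosing function, which starts before this hunk. The user-visible `authzmsg` string `"LDAP server unavaiable"` is misspelled and should read `"LDAP server unavailable"`. The inner block is also indented two columns less than the surrounding code.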
diff -u nslcd/passwd.c ../nss-pam-ldapd-0.7.12/nslcd/passwd.c
--- nslcd/passwd.c      2010-11-16 10:47:22.554453124 +0100
+++ ../nss-pam-ldapd-0.7.12/nslcd/passwd.c      2010-09-24 09:07:16.000000000 
+0200
@@ -243,35 +243,6 @@
   return buf;
 }
 
-MYLDAP_ENTRY *uid2entry_rc(MYLDAP_SESSION *session,const char *uid,int *rcp)
-{
-  MYLDAP_SEARCH *search=NULL;
-  MYLDAP_ENTRY *entry=NULL;
-  const char *base;
-  int i;
-  static const char *attrs[2];
-  char filter[1024];
-  /* if it isn't a valid username, just bail out now */
-  if (!isvalidname(uid))
-    return NULL;
-  /* set up attributes (we don't need much) */
-  attrs[0]=attmap_passwd_uid;
-  attrs[1]=NULL;
-  /* we have to look up the entry */
-  mkfilter_passwd_byname(uid,filter,sizeof(filter));
-  for (i=0;(i<NSS_LDAP_CONFIG_MAX_BASES)&&((base=passwd_bases[i])!=NULL);i++)
-  {
-    search=myldap_search(session,base,passwd_scope,filter,attrs,rcp);
-    if (search==NULL)
-      return NULL;
-    entry=myldap_get_entry(search,NULL);
-    if (entry!=NULL)
-      return entry;
-  }
-  return NULL;
-}
-
-
 MYLDAP_ENTRY *uid2entry(MYLDAP_SESSION *session,const char *uid)
 {
   MYLDAP_SEARCH *search=NULL;
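Review bot: `uid2entry_rc()` (the `-` lines, proposed) is a line-for-line copy of `uid2entry()` differing only in the last argument to `myldap_search()`, which leaves two copies of the filter and base-iteration logic to keep in sync. The smaller change is to keep only `uid2entry_rc()` and turn `uid2entry()` into a wrapper, `int rc; return uid2entry_rc(session,uid,&rc);`, although its body continues past the end of this hunk. A header comment such as `/* look up the passwd entry for uid; on NULL return *rcp holds the last search result code, if a search was made */` would also document that `rcp` is only written by `myldap_search()`.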