
Patch: strip domain part of uid (passwd, shadow)


Patch: strip domain part of uid (passwd, shadow)



Hello,

  I know I did not discuss this feature enhancement on the list first, but I had to
finish it today.

I took inspiration from the objectSid patch and created a similar configuration
option and functionality.
I have installed Samba "Franky" (Samba4 for AD plus Samba3 for file serving and
printing) and do not run winbind.
I added posixAccount objects to the AD LDAP (which Microsoft has supported since
Windows 2003). Unfortunately the Samba3 part of Franky asks for the local account
as DOMAIN\login, so I have to cut the DOMAIN\ part off before the lookup in the
AD LDAP.

I added the possibility to map sAMAccountName (the uid attribute in the passwd and shadow maps) like this:

map passwd uid sAMAccountName:DOMAIN\
map shadow uid sAMAccountName:DOMAIN\

This configuration strips the DOMAIN\ prefix from lookups by name, so Samba3 is
able to find the user:

dn: CN=Administrator,CN=Users,DC=domain,DC=net
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
...
sAMAccountName: Administrator
uid: Administrator
uidNumber: 0
gidNumber: 10513
unixHomeDirectory: /tmp
loginShell: /bin/nologin

I tested the patch backported to 0.7.5 (the version shipped in CentOS 6).
CentOS 6 - Linux 2.6.32-71.29.1.el6.x86_64 #1 SMP x86_64 x86_64 x86_64 GNU/Linux

It would be nice to see this in trunk.

Best regards,

Ludek Finstrle
diff -ru nss-pam-ldapd.orig/man/nslcd.conf.5.xml 
nss-pam-ldapd/man/nslcd.conf.5.xml
--- nss-pam-ldapd.orig/man/nslcd.conf.5.xml     2011-08-31 06:27:30.879668453 
+0200
+++ nss-pam-ldapd/man/nslcd.conf.5.xml  2011-08-31 11:58:25.236668910 +0200
@@ -420,6 +420,12 @@
        <literal>shadowExpire</literal> and <literal>shadowFlag</literal>.
       </para>
       <para>
+       The <literal>uid</literal> attribute in the <literal>passwd</literal>
+       and <literal>shadow</literal> map may be mapped to the
+       <literal>sAMAccountName</literal> followed by the domain name to strip
+       from lookup by name (e.g.  <literal>sAMAccountName:DOMAIN\</literal>).
+      </para>
+      <para>
        The <literal>uidNumber</literal> and <literal>gidNumber</literal>
        attributes in the <literal>passwd</literal> and <literal>group</literal>
        maps may be mapped to the <literal>objectSid</literal> followed by
diff -ru nss-pam-ldapd.orig/nslcd/passwd.c nss-pam-ldapd/nslcd/passwd.c
--- nss-pam-ldapd.orig/nslcd/passwd.c   2011-08-31 06:27:30.533793514 +0200
+++ nss-pam-ldapd/nslcd/passwd.c        2011-08-31 11:56:20.796668807 +0200
@@ -65,6 +65,10 @@
 const char *attmap_passwd_homeDirectory = "homeDirectory";
 const char *attmap_passwd_loginShell    = "loginShell";
 
+/* special properties for sAMAccountName-based searches */
+static char *uidDomain=NULL;
+static size_t uidDomainSize=0;
+
 /* special properties for objectSid-based searches
    (these are already LDAP-escaped strings) */
 static char *uidSid=NULL;
@@ -89,6 +93,9 @@
                                   char *buffer,size_t buflen)
 {
   char safename[300];
+  /* special case when strip domain from sAMAccountName */
+  if(uidDomainSize && uidDomain && strncasecmp(name,uidDomain,uidDomainSize) 
== 0)
+    name += uidDomainSize;
   /* escape attribute */
   if(myldap_escape(name,safename,sizeof(safename)))
     return -1;
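Review bot: The strip at the top of the hunk (`name += uidDomainSize`) leaves `name` empty when the caller passes exactly the configured prefix, e.g. `DOMAIN\` on its own, and the function then escapes an empty string and builds a filter with an empty assertion value; the condition should also require a remainder, `if(uidDomainSize && uidDomain && strncasecmp(name,uidDomain,uidDomainSize)==0 && name[uidDomainSize]!='\0')` (the extra index is safe because it is only evaluated after a full prefix match). The ordering is otherwise right: the stripped name still passes through `myldap_escape` before it reaches the filter, so the backslash in the prefix never reaches LDAP unescaped. The case-insensitive prefix match presumably mirrors Windows domain-name semantics; a one-line comment saying so, `/* domain prefix is matched case-insensitively, like Windows does */`, would spare the next reader the guess. The function whose body this is starts above the hunk.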
@@ -133,6 +140,16 @@
   /* set up scope */
   if (passwd_scope==LDAP_SCOPE_DEFAULT)
     passwd_scope=nslcd_cfg->ldc_scope;
+  /* special properties for sAMAccountName-based searches */
+  if (strncasecmp(attmap_passwd_uid,"sAMAccountName:",15)==0)
+  {
+    uidDomainSize=strlen(attmap_passwd_uid) - 15;
+    if (uidDomainSize > 0)
+    {
+      uidDomain=strdup(attmap_passwd_uid+15);
+      attmap_passwd_uid=strndup(attmap_passwd_uid,14);
+    }
+  }
   /* special case when uidNumber or gidNumber reference objectSid */
   if (strncasecmp(attmap_passwd_uidNumber,"objectSid:",10)==0)
   {
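Review bot: The new block leaves `attmap_passwd_uid` as the literal `sAMAccountName:` when nothing follows the colon, because the truncation to 14 characters only runs inside `if (uidDomainSize > 0)`, so the later search would ask the directory for an attribute that does not exist; either truncate unconditionally or reject that mapping at start-up with whatever this file uses for fatal configuration errors. The `strdup`/`strndup` results are not checked, and a NULL `attmap_passwd_uid` would presumably be handed to the attribute-list and filter code later on, so `if ((uidDomain==NULL)||(attmap_passwd_uid==NULL)) /* fail start-up */` belongs here. The literals `15` and `14` are `strlen("sAMAccountName:")` and `strlen("sAMAccountName")` written by hand; a named prefix constant with `sizeof(prefix)-1` keeps the two in step (the objectSid code below uses the same hand-counted style, so consistency may be the intent, but it is still fragile). The enclosing init function starts above the hunk and continues below it.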
@@ -550,6 +567,9 @@
                         myldap_get_dn(entry),attmap_passwd_homeDirectory);
   /* get the shell for this entry */
   attmap_get_value(entry,attmap_passwd_loginShell,shell,sizeof(shell));
+  /* special case when strip domain from sAMAccountName */
+  if(uidDomainSize && uidDomain && requser && 
strncasecmp(requser,uidDomain,uidDomainSize) == 0)
+    requser += uidDomainSize;
   /* write the entries */
   for (i=0;usernames[i]!=NULL;i++)
     if ((requser==NULL)||(strcmp(requser,usernames[i])==0))
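Review bot: The strip added before the write loop is the same four lines already inserted into the filter builder earlier in this file (and again in shadow.c), so the condition and the pointer bump should live in one small helper instead of being repeated; the sketch below does that and also makes the new `strncasecmp` prefix test explicit about what it skips. Note the interaction with the unchanged `strcmp` on the last line: the prefix is matched case-insensitively, but the stripped remainder is then compared case-sensitively against the `uid` values returned for the entry, so `DOMAIN\administrator` is stripped, presumably matched by the directory (AD attribute matching is case-insensitive — confirm), and then dropped here because the entry says `Administrator`. That asymmetry predates the patch, but the patch exists to accept names as Samba hands them over, which makes it more likely to bite. The enclosing write function starts above the hunk and continues below it.
```c
/* Return name with the configured DOMAIN\ prefix removed when present
   (prefix comparison is case-insensitive); name is returned unchanged otherwise. */
static const char *strip_uid_domain(const char *name)
{
  if ((name!=NULL)&&(uidDomainSize>0)&&(uidDomain!=NULL)&&
      (strncasecmp(name,uidDomain,uidDomainSize)==0)&&
      (name[uidDomainSize]!='\0'))
    return name+uidDomainSize;
  return name;
}
/* … unchanged: get the shell for this entry … */
  requser=strip_uid_domain(requser);
  /* write the entries */
```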
diff -ru nss-pam-ldapd.orig/nslcd/shadow.c nss-pam-ldapd/nslcd/shadow.c
--- nss-pam-ldapd.orig/nslcd/shadow.c   2011-08-31 06:27:30.548793338 +0200
+++ nss-pam-ldapd/nslcd/shadow.c        2011-08-31 11:56:20.797668542 +0200
@@ -64,6 +64,10 @@
 const char *attmap_shadow_shadowExpire     = "\"${shadowExpire:--1}\"";
 const char *attmap_shadow_shadowFlag       = "\"${shadowFlag:-0}\"";
 
+/* special properties for sAMAccountName-based searches */
+static char *uidDomain=NULL;
+static size_t uidDomainSize=0;
+
 /* default values for attributes */
 static const char *default_shadow_userPassword     = "*"; /* unmatchable */
 
@@ -74,6 +78,9 @@
                                   char *buffer,size_t buflen)
 {
   char safename[300];
+  /* special case when strip domain from sAMAccountName */
+  if(uidDomainSize && uidDomain && strncasecmp(name,uidDomain,uidDomainSize) 
== 0)
+    name += uidDomainSize;
   /* escape attribute */
   if(myldap_escape(name,safename,sizeof(safename)))
     return -1;
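Review bot: After the strip at the top of the hunk a `name` that is exactly the configured prefix becomes the empty string and is still escaped and placed in the filter, the same hazard as the passwd.c copy of this code; add `&& name[uidDomainSize]!='\0'` to the condition so an empty remainder falls through to the normal path (or is rejected). The check is character-for-character identical to the one in passwd.c, which argues for a single shared helper rather than a private static pair per map. The function whose body this is starts above the hunk.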
@@ -95,6 +102,16 @@
   /* set up scope */
   if (shadow_scope==LDAP_SCOPE_DEFAULT)
     shadow_scope=nslcd_cfg->ldc_scope;
+  /* special properties for sAMAccountName-based searches */
+  if (strncasecmp(attmap_shadow_uid,"sAMAccountName:",15)==0)
+  {
+    uidDomainSize=strlen(attmap_shadow_uid) - 15;
+    if (uidDomainSize > 0)
+    {
+      uidDomain=strdup(attmap_shadow_uid+15);
+      attmap_shadow_uid=strndup(attmap_shadow_uid,14);
+    }
+  }
   /* set up attribute list */
   set=set_new();
   attmap_add_attributes(set,attmap_shadow_uid);
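Review bot: shadow.c parses its own `uidDomain` from `attmap_shadow_uid`, independently of the copy passwd.c keeps, so an administrator who appends `:DOMAIN\` to only one of the two `map` lines gets an account that resolves through the passwd map but not the shadow map (or the reverse), which is easy to misconfigure and hard to diagnose; the man-page text should say both maps must carry the same suffix, or the two files should share one parsed value. The unchecked `strndup` three lines above the context feeds straight into `attmap_add_attributes(set,attmap_shadow_uid)` on the last line, so an allocation failure hands that call a NULL attribute name. As in passwd.c, the `uidDomainSize > 0` guard also leaves the trailing colon on the attribute name when no domain follows it, so the search would be for a non-existent `sAMAccountName:` attribute. The enclosing init function starts above the hunk and continues below it.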
@@ -305,6 +322,9 @@
   /* get expiry properties */
   get_shadow_properties(entry,&lastchangedate,&mindays,&maxdays,&warndays,
                         &inactdays,&expiredate,&flag);
+  /* special case when strip domain from sAMAccountName */
+  if(uidDomainSize && uidDomain && requser && 
strncasecmp(requser,uidDomain,uidDomainSize) == 0)
+    requser += uidDomainSize;
   /* write the entries */
   for (i=0;usernames[i]!=NULL;i++)
     if ((requser==NULL)||(strcmp(requser,usernames[i])==0))
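Review bot: The added strip matches the prefix case-insensitively (`strncasecmp`) while the match against the returned `uid` values on the last line remains the pre-existing case-sensitive `strcmp`, so a request for `DOMAIN\administrator` is stripped, presumably matched by the directory (AD attribute matching is case-insensitive — confirm), and then silently dropped here because the entry says `Administrator`. Either make the intent visible with a comment on the strip line, `/* NOTE: prefix match is case-insensitive, the uid comparison below is not */`, or compare case-insensitively as well. This is the third identical copy of the strip in the patch; a small shared helper would avoid repeating it. The enclosing write function starts above the hunk and continues below it.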