From d17d30dc38d1aad44d1840a13678c1976d1ad5d7 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Mon, 20 Apr 2009 03:18:34 +0000 Subject: [PATCH] sanity check for host_ad and svc_ad --- contrib/slapd-modules/nssov/nssov.c | 44 +++++++++++++++++++++++++++++ contrib/slapd-modules/nssov/nssov.h | 5 ++-- contrib/slapd-modules/nssov/pam.c | 21 ++++++++------ 3 files changed, 60 insertions(+), 10 deletions(-) diff --git a/contrib/slapd-modules/nssov/nssov.c b/contrib/slapd-modules/nssov/nssov.c index b3e7d014be..1cbb28fcd4 100644 --- a/contrib/slapd-modules/nssov/nssov.c +++ b/contrib/slapd-modules/nssov/nssov.c @@ -642,6 +642,28 @@ nss_cf_gen(ConfigArgs *c) i = verbs_to_mask(c->argc, c->argv, pam_opts, &m); if (i == 0) { ni->ni_pam_opts = m; + if ((m & NI_PAM_USERHOST) && !nssov_pam_host_ad) { + const char *text; + i = slap_str2ad("host", &nssov_pam_host_ad, &text); + if (i != LDAP_SUCCESS) { + snprintf(c->cr_msg, sizeof(c->cr_msg), + "nssov: host attr unknown: %s", text); + Debug(LDAP_DEBUG_ANY,"%s\n",c->cr_msg,0,0); + rc = 1; + break; + } + } + if ((m & (NI_PAM_USERSVC|NI_PAM_HOSTSVC)) && !nssov_pam_svc_ad) { + const char *text; + i = slap_str2ad("authorizedService", &nssov_pam_svc_ad, &text); + if (i != LDAP_SUCCESS) { + snprintf(c->cr_msg, sizeof(c->cr_msg), + "nssov: authorizedService attr unknown: %s", text); + Debug(LDAP_DEBUG_ANY,"%s\n",c->cr_msg,0,0); + rc = 1; + break; + } + } } else { rc = 1; } @@ -731,6 +753,28 @@ nssov_db_open( mi->mi_attrs[j].an_desc = NULL; } + /* Find host and authorizedService definitions */ + if ((ni->ni_pam_opts & NI_PAM_USERHOST) && !nssov_pam_host_ad) + { + const char *text; + i = slap_str2ad("host", &nssov_pam_host_ad, &text); + if (i != LDAP_SUCCESS) { + Debug(LDAP_DEBUG_ANY,"nssov: host attr unknown: %s\n", + text, 0, 0 ); + return -1; + } + } + if ((ni->ni_pam_opts & (NI_PAM_USERSVC|NI_PAM_HOSTSVC)) && + !nssov_pam_svc_ad) + { + const char *text; + i = slap_str2ad("authorizedService", &nssov_pam_svc_ad, &text); + if (i != LDAP_SUCCESS) { + Debug(LDAP_DEBUG_ANY,"nssov: authorizedService attr unknown: %s\n", + text, 0, 0 ); + return -1; + } + } if ( slapMode & SLAP_SERVER_MODE ) { /* create a socket */ if ( (sock=socket(PF_UNIX,SOCK_STREAM,0))<0 ) diff --git a/contrib/slapd-modules/nssov/nssov.h b/contrib/slapd-modules/nssov/nssov.h index 2f41b10bab..9c822d5e3c 100644 --- a/contrib/slapd-modules/nssov/nssov.h +++ b/contrib/slapd-modules/nssov/nssov.h @@ -74,8 +74,6 @@ typedef struct nssov_info AttributeDescription *ni_pam_template_ad; struct berval ni_pam_template; struct berval ni_pam_defhost; - AttributeDescription *ni_pam_host_ad; - AttributeDescription *ni_pam_svc_ad; } nssov_info; #define NI_PAM_USERHOST 1 /* old style host checking */ @@ -88,6 +86,9 @@ typedef struct nssov_info #define NI_PAM_OLD (NI_PAM_USERHOST|NI_PAM_USERSVC|NI_PAM_USERGRP) #define NI_PAM_NEW NI_PAM_HOSTSVC +extern AttributeDescription *nssov_pam_host_ad; +extern AttributeDescription *nssov_pam_svc_ad; + /* Read the default configuration file. */ void nssov_cfg_init(nssov_info *ni,const char *fname); diff --git a/contrib/slapd-modules/nssov/pam.c b/contrib/slapd-modules/nssov/pam.c index c2f950f579..d2cfcbc4df 100644 --- a/contrib/slapd-modules/nssov/pam.c +++ b/contrib/slapd-modules/nssov/pam.c @@ -248,9 +248,12 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) } /* See if they have access to the host and service */ - if (ni->ni_pam_opts & NI_PAM_HOSTSVC) { + if ((ni->ni_pam_opts & NI_PAM_HOSTSVC) && nssov_pam_svc_ad) { AttributeAssertion ava = ATTRIBUTEASSERTION_INIT; struct berval hostdn = BER_BVNULL; + struct berval odn = op->o_ndn; + op->o_dn = dn; + op->o_ndn = dn; { nssov_mapinfo *mi = &ni->ni_maps[NM_host]; char fbuf[1024]; @@ -299,7 +302,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) op->o_tag = LDAP_REQ_COMPARE; op->o_req_dn = hostdn; op->o_req_ndn = hostdn; - ava.aa_desc = ni->ni_pam_svc_ad; + ava.aa_desc = nssov_pam_svc_ad; ava.aa_value = svc; op->orc_ava = &ava; rc = op->o_bd->be_compare( op, &rs ); @@ -308,6 +311,8 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) rc = PAM_PERM_DENIED; goto finish; } + op->o_dn = odn; + op->o_ndn = odn; } /* See if they're a member of the group */ @@ -340,9 +345,9 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) goto finish; } } - if (ni->ni_pam_opts & NI_PAM_USERHOST) { - a = attr_find(e->e_attrs, ni->ni_pam_host_ad); - if (!a || value_find_ex( ni->ni_pam_host_ad, + if ((ni->ni_pam_opts & NI_PAM_USERHOST) && nssov_pam_host_ad) { + a = attr_find(e->e_attrs, nssov_pam_host_ad); + if (!a || value_find_ex( nssov_pam_host_ad, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH, a->a_vals, &global_host_bv, op->o_tmpmemctx )) { rc = PAM_PERM_DENIED; @@ -350,9 +355,9 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) goto finish; } } - if (ni->ni_pam_opts & NI_PAM_USERSVC) { - a = attr_find(e->e_attrs, ni->ni_pam_svc_ad); - if (!a || value_find_ex( ni->ni_pam_svc_ad, + if ((ni->ni_pam_opts & NI_PAM_USERSVC) && nssov_pam_svc_ad) { + a = attr_find(e->e_attrs, nssov_pam_svc_ad); + if (!a || value_find_ex( nssov_pam_svc_ad, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH, a->a_vals, &svc, op->o_tmpmemctx )) { rc = PAM_PERM_DENIED;