sanity check for host_ad and svc_ad
This commit is contained in:
parent
8fd0d184a7
commit
d17d30dc38
@ -642,6 +642,28 @@ nss_cf_gen(ConfigArgs *c)
|
||||
i = verbs_to_mask(c->argc, c->argv, pam_opts, &m);
|
||||
if (i == 0) {
|
||||
ni->ni_pam_opts = m;
|
||||
if ((m & NI_PAM_USERHOST) && !nssov_pam_host_ad) {
|
||||
const char *text;
|
||||
i = slap_str2ad("host", &nssov_pam_host_ad, &text);
|
||||
if (i != LDAP_SUCCESS) {
|
||||
snprintf(c->cr_msg, sizeof(c->cr_msg),
|
||||
"nssov: host attr unknown: %s", text);
|
||||
Debug(LDAP_DEBUG_ANY,"%s\n",c->cr_msg,0,0);
|
||||
rc = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if ((m & (NI_PAM_USERSVC|NI_PAM_HOSTSVC)) && !nssov_pam_svc_ad) {
|
||||
const char *text;
|
||||
i = slap_str2ad("authorizedService", &nssov_pam_svc_ad, &text);
|
||||
if (i != LDAP_SUCCESS) {
|
||||
snprintf(c->cr_msg, sizeof(c->cr_msg),
|
||||
"nssov: authorizedService attr unknown: %s", text);
|
||||
Debug(LDAP_DEBUG_ANY,"%s\n",c->cr_msg,0,0);
|
||||
rc = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
rc = 1;
|
||||
}
|
||||
@ -731,6 +753,28 @@ nssov_db_open(
|
||||
mi->mi_attrs[j].an_desc = NULL;
|
||||
}
|
||||
|
||||
/* Find host and authorizedService definitions */
|
||||
if ((ni->ni_pam_opts & NI_PAM_USERHOST) && !nssov_pam_host_ad)
|
||||
{
|
||||
const char *text;
|
||||
i = slap_str2ad("host", &nssov_pam_host_ad, &text);
|
||||
if (i != LDAP_SUCCESS) {
|
||||
Debug(LDAP_DEBUG_ANY,"nssov: host attr unknown: %s\n",
|
||||
text, 0, 0 );
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
if ((ni->ni_pam_opts & (NI_PAM_USERSVC|NI_PAM_HOSTSVC)) &&
|
||||
!nssov_pam_svc_ad)
|
||||
{
|
||||
const char *text;
|
||||
i = slap_str2ad("authorizedService", &nssov_pam_svc_ad, &text);
|
||||
if (i != LDAP_SUCCESS) {
|
||||
Debug(LDAP_DEBUG_ANY,"nssov: authorizedService attr unknown: %s\n",
|
||||
text, 0, 0 );
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
if ( slapMode & SLAP_SERVER_MODE ) {
|
||||
/* create a socket */
|
||||
if ( (sock=socket(PF_UNIX,SOCK_STREAM,0))<0 )
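Review bot: The attribute resolution added to nssov_db_open (from `if ((ni->ni_pam_opts & NI_PAM_USERHOST) && !nssov_pam_host_ad)` through the authorizedService block) is a line-for-line copy of the block the previous hunk adds to nss_cf_gen, differing only in how the failure is reported; two copies of the same option-to-attribute mapping will drift the first time a new NI_PAM_* bit is added. Factor the lookup into one static helper that both paths call, keeping the two different error paths (cr_msg plus `rc = 1; break;` in nss_cf_gen, `return -1` here) at the call sites. A minor related point in nss_cf_gen: `ni->ni_pam_opts = m;` is stored before the lookup succeeds, which is harmless only because the config then fails with rc = 1. Both nss_cf_gen and nssov_db_open begin outside their hunks, and nss_cf_gen continues past its hunk, so the helper's placement is left to the file.
```c
/* Resolve the attribute descriptions the enabled pam options depend on:
 * "host" for NI_PAM_USERHOST, "authorizedService" for NI_PAM_USERSVC and
 * NI_PAM_HOSTSVC.  Returns LDAP_SUCCESS, or the slap_str2ad() error with
 * *attr set to the attribute name and *text to the schema error text. */
static int
nssov_pam_resolve_ads( int pam_opts, const char **attr, const char **text )
{
	int rc = LDAP_SUCCESS;

	if ((pam_opts & NI_PAM_USERHOST) && !nssov_pam_host_ad) {
		*attr = "host";
		rc = slap_str2ad(*attr, &nssov_pam_host_ad, text);
	}
	if (rc == LDAP_SUCCESS &&
		(pam_opts & (NI_PAM_USERSVC|NI_PAM_HOSTSVC)) && !nssov_pam_svc_ad) {
		*attr = "authorizedService";
		rc = slap_str2ad(*attr, &nssov_pam_svc_ad, text);
	}
	return rc;
}

/* … unchanged: nssov_db_open up to the mi_attrs loop … */
	/* Find host and authorizedService definitions */
	{
		const char *attr, *text;
		i = nssov_pam_resolve_ads(ni->ni_pam_opts, &attr, &text);
		if (i != LDAP_SUCCESS) {
			Debug(LDAP_DEBUG_ANY,"nssov: %s attr unknown: %s\n",
				attr, text, 0 );
			return -1;
		}
	}
	/* … unchanged: socket setup under SLAP_SERVER_MODE … */
```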
|
||||
|
@ -74,8 +74,6 @@ typedef struct nssov_info
|
||||
AttributeDescription *ni_pam_template_ad;
|
||||
struct berval ni_pam_template;
|
||||
struct berval ni_pam_defhost;
|
||||
AttributeDescription *ni_pam_host_ad;
|
||||
AttributeDescription *ni_pam_svc_ad;
|
||||
} nssov_info;
|
||||
|
||||
#define NI_PAM_USERHOST 1 /* old style host checking */
|
||||
@ -88,6 +86,9 @@ typedef struct nssov_info
|
||||
#define NI_PAM_OLD (NI_PAM_USERHOST|NI_PAM_USERSVC|NI_PAM_USERGRP)
|
||||
#define NI_PAM_NEW NI_PAM_HOSTSVC
|
||||
|
||||
extern AttributeDescription *nssov_pam_host_ad;
|
||||
extern AttributeDescription *nssov_pam_svc_ad;
|
||||
|
||||
/* Read the default configuration file. */
|
||||
void nssov_cfg_init(nssov_info *ni,const char *fname);
|
||||
|
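Review bot: The new declarations `extern AttributeDescription *nssov_pam_host_ad;` and `extern AttributeDescription *nssov_pam_svc_ad;` carry no comment explaining why they replace the per-instance ni_pam_host_ad/ni_pam_svc_ad members removed in the previous hunk, so a reader of the header cannot tell whether sharing them across nssov instances is intended. Add a comment above them, e.g. `/* Attribute descriptions for the "host" and "authorizedService" pam checks. Presumably schema-wide rather than per-instance, so shared by every nssov_info; resolved on demand by nss_cf_gen() and nssov_db_open(). */`. Their definitions are not in this diff; confirm the defining translation unit is the one that performs the lookup.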
||||
|
@ -248,9 +248,12 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
|
||||
}
|
||||
|
||||
/* See if they have access to the host and service */
|
||||
if (ni->ni_pam_opts & NI_PAM_HOSTSVC) {
|
||||
if ((ni->ni_pam_opts & NI_PAM_HOSTSVC) && nssov_pam_svc_ad) {
|
||||
AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
|
||||
struct berval hostdn = BER_BVNULL;
|
||||
struct berval odn = op->o_ndn;
|
||||
op->o_dn = dn;
|
||||
op->o_ndn = dn;
|
||||
{
|
||||
nssov_mapinfo *mi = &ni->ni_maps[NM_host];
|
||||
char fbuf[1024];
|
||||
@ -299,7 +302,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
|
||||
op->o_tag = LDAP_REQ_COMPARE;
|
||||
op->o_req_dn = hostdn;
|
||||
op->o_req_ndn = hostdn;
|
||||
ava.aa_desc = ni->ni_pam_svc_ad;
|
||||
ava.aa_desc = nssov_pam_svc_ad;
|
||||
ava.aa_value = svc;
|
||||
op->orc_ava = &ava;
|
||||
rc = op->o_bd->be_compare( op, &rs );
|
||||
@ -308,6 +311,8 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
|
||||
rc = PAM_PERM_DENIED;
|
||||
goto finish;
|
||||
}
|
||||
op->o_dn = odn;
|
||||
op->o_ndn = odn;
|
||||
}
|
||||
|
||||
/* See if they're a member of the group */
|
||||
@ -340,9 +345,9 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
|
||||
goto finish;
|
||||
}
|
||||
}
|
||||
if (ni->ni_pam_opts & NI_PAM_USERHOST) {
|
||||
a = attr_find(e->e_attrs, ni->ni_pam_host_ad);
|
||||
if (!a || value_find_ex( ni->ni_pam_host_ad,
|
||||
if ((ni->ni_pam_opts & NI_PAM_USERHOST) && nssov_pam_host_ad) {
|
||||
a = attr_find(e->e_attrs, nssov_pam_host_ad);
|
||||
if (!a || value_find_ex( nssov_pam_host_ad,
|
||||
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
|
||||
a->a_vals, &global_host_bv, op->o_tmpmemctx )) {
|
||||
rc = PAM_PERM_DENIED;
|
||||
@ -350,9 +355,9 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
|
||||
goto finish;
|
||||
}
|
||||
}
|
||||
if (ni->ni_pam_opts & NI_PAM_USERSVC) {
|
||||
a = attr_find(e->e_attrs, ni->ni_pam_svc_ad);
|
||||
if (!a || value_find_ex( ni->ni_pam_svc_ad,
|
||||
if ((ni->ni_pam_opts & NI_PAM_USERSVC) && nssov_pam_svc_ad) {
|
||||
a = attr_find(e->e_attrs, nssov_pam_svc_ad);
|
||||
if (!a || value_find_ex( nssov_pam_svc_ad,
|
||||
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
|
||||
a->a_vals, &svc, op->o_tmpmemctx )) {
|
||||
rc = PAM_PERM_DENIED;
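Review bot: The three guards added in pam_authz — `if ((ni->ni_pam_opts & NI_PAM_HOSTSVC) && nssov_pam_svc_ad)` and the USERHOST and USERSVC forms in the last two hunks — fail open: when an option is configured but its attribute description is NULL, the corresponding access check is silently skipped and the request proceeds to the group test instead of being denied. The config and db_open hunks should make that state unreachable, but an access decision should not rely on it; deny once near the top of pam_authz (outside these hunks) with `if (((ni->ni_pam_opts & NI_PAM_USERHOST) && !nssov_pam_host_ad) || ((ni->ni_pam_opts & (NI_PAM_USERSVC|NI_PAM_HOSTSVC)) && !nssov_pam_svc_ad)) { rc = PAM_PERM_DENIED; goto finish; }` and leave the per-check conditions as they were before this commit. Separately, if `op->o_dn = dn; op->o_ndn = dn;` and the later `op->o_dn = odn; op->o_ndn = odn;` are this commit's additions, the restore runs only on the success path — the `goto finish` after a failed compare leaves op->o_dn/o_ndn pointing at dn, and the restore puts the saved o_ndn into o_dn; if op is reused after finish:, save o_dn separately and restore on both paths. pam_authz begins and ends outside these hunks.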
|
||||