{nss,pam}_ldap: Drop packages
These are obsoleted by sssd and FTFBS Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
parent
5950243ec7
commit
fd724b8af7
|
@ -1,105 +0,0 @@
|
|||
###############################################################################
|
||||
# IPFire.org - An Open Source Firewall Solution #
|
||||
# Copyright (C) - IPFire Development Team <info@ipfire.org> #
|
||||
###############################################################################
|
||||
|
||||
name = nss_ldap
|
||||
version = 265
|
||||
release = 5
|
||||
|
||||
groups = System/Base
|
||||
url = http://www.padl.com/
|
||||
license = LGPLv2+
|
||||
summary = NSS library and PAM module for LDAP.
|
||||
|
||||
description
|
||||
This package includes two LDAP access clients: nss_ldap and
|
||||
pam_ldap. Nss_ldap is a set of C library extensions that allow
|
||||
X.500 and LDAP directory servers to be used as a primary source
|
||||
of aliases, ethers, groups, hosts, networks, protocol, users,
|
||||
RPCs, services, and shadow passwords.
|
||||
end
|
||||
|
||||
source_dl = http://www.padl.com/download/
|
||||
|
||||
patches = \
|
||||
nss_ldap-265-depth.patch \
|
||||
nss_ldap-254-soname.patch \
|
||||
nss_ldap-257-mozldap.patch \
|
||||
nss_ldap-259-res_init.patch \
|
||||
nss_ldap-264-checkcase.patch \
|
||||
nss_ldap-265-ent_internal.patch \
|
||||
nss_ldap-264-cloexec.patch \
|
||||
nss_ldap-265-local_users.patch \
|
||||
nss_ldap-265-erange.patch \
|
||||
nss_ldap-265-initgroups-minimum_uid.patch \
|
||||
nss_ldap-265-fix-uninit.patch \
|
||||
nss_ldap-265-padl-bug-418.patch \
|
||||
nss_ldap-265-setnetgrent.patch
|
||||
|
||||
build
|
||||
requires
|
||||
autoconf
|
||||
automake
|
||||
cyrus-sasl-devel
|
||||
openldap-devel
|
||||
end
|
||||
|
||||
configure_options += \
|
||||
--sysconfdir=/etc \
|
||||
--with-ldap-lib=openldap \
|
||||
--enable-rfc2307bis \
|
||||
--with-ldap-conf-file=/etc/nss_ldap.conf \
|
||||
--with-ldap-secret-file=/etc/nss_ldap.secret
|
||||
|
||||
prepare_cmds
|
||||
sed -i -e 's,^ldap.conf$$,nss_ldap.conf,g' *.5
|
||||
sed -i -e 's,^/etc/ldap\.,/etc/nss_ldap.,g' *.5
|
||||
sed -i -e 's,ldap.secret,nss_ldap.secret,g' *.5
|
||||
sed -i -e 's,(ldap.conf),(nss_ldap.conf),g' *.5
|
||||
|
||||
# Fix call for vers_string.
|
||||
sed -e "s/vers_string/.\/&/g" -i Makefile*
|
||||
|
||||
autoreconf -vfi
|
||||
end
|
||||
|
||||
make_build_targets += \
|
||||
LDFLAGS="-Wl,-z,nodelete"
|
||||
|
||||
make_install_targets += \
|
||||
LIBC_VERS=%{version}
|
||||
|
||||
install_cmds
|
||||
# Remove awkward directory
|
||||
rm -rvf %{BUILDROOT}/usr/usr
|
||||
|
||||
if [ -e "%{BUILDROOT}%{libdir}/libnss_ldap-%{version}.so" ]; then
|
||||
ln -svf libnss_ldap-%{version}.so %{BUILDROOT}%{libdir}/libnss_ldap.so.2
|
||||
ln -svf libnss_ldap.so.2 %{BUILDROOT}%{libdir}/libnss_ldap.so
|
||||
fi
|
||||
|
||||
rm -vf %{BUILDROOT}/etc/nsswitch.ldap
|
||||
|
||||
cd %{DIR_APP} && sed 's|dc=padl|dc=example|g' ldap.conf > \
|
||||
%{BUILDROOT}/etc/nss_ldap.conf
|
||||
touch %{BUILDROOT}/etc/nss_ldap.secret
|
||||
end
|
||||
end
|
||||
|
||||
packages
|
||||
package %{name}
|
||||
requires
|
||||
%{libdir}/security/pam_ldap.so
|
||||
end
|
||||
|
||||
configfiles
|
||||
%{sysconfdir}/nss_ldap.conf
|
||||
%{sysconfdir}/nss_ldap.secret
|
||||
end
|
||||
end
|
||||
|
||||
package %{name}-debuginfo
|
||||
template DEBUGINFO
|
||||
end
|
||||
end
|
|
@ -1,12 +0,0 @@
|
|||
Set the soname which glibc expects us to have.
|
||||
--- nss_ldap-254/configure.in 2007-02-26 16:40:53.000000000 -0500
|
||||
+++ nss_ldap-254/configure.in 2007-02-26 16:40:47.000000000 -0500
|
||||
@@ -92,7 +92,7 @@
|
||||
nss_ldap_so_LDFLAGS="-b -dynamic -G `cat exports.hpux`"
|
||||
CPPFLAGS="$CPPFLAGS -I. -DHPUX"
|
||||
TARGET_OS=HPUX ;;
|
||||
-linux*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux" ;;
|
||||
+linux*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux -Wl,-soname=libnss_ldap.so.2" ;;
|
||||
*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic" ;;
|
||||
esac
|
||||
|
|
@ -1,287 +0,0 @@
|
|||
Go back to using AC_TRY_COMPILE to detect <ldap_ssl.h>, which requires
|
||||
that <ldap.h> be included before it.
|
||||
|
||||
Use the draft-specified value "0" instead of a preprocessor define which
|
||||
mozldap doesn't provide (LDAP_OPT_SUCCESS).
|
||||
|
||||
Don't fail to compile if libldap doesn't provide ldap_create_control(),
|
||||
just fail at run-time if we try to use it.
|
||||
|
||||
Only try to set non-portable options that the libldap which is being used
|
||||
supports.
|
||||
|
||||
Don't depend on ldap_alloc_ber_with_options() being there; fall back to
|
||||
either ber_alloc_t() or the deprecated der_alloc().
|
||||
|
||||
Learn about Mozilla LDAP 6.
|
||||
|
||||
Prefer </usr/include/nss.h> to <nss.h>, because <nss.h> can also be the
|
||||
security toolkit used by Mozilla's LDAP SDK rather than libc's nsswitch
|
||||
header, and if we've set the include path, we could be screwed.
|
||||
|
||||
Strip off any '/' which appears in our hostname before passing it to
|
||||
ldap_init().
|
||||
|
||||
diff -up nss_ldap/configure.in nss_ldap/configure.in
|
||||
--- nss_ldap/configure.in 2007-11-14 14:21:54.000000000 -0500
|
||||
+++ nss_ldap/configure.in 2007-11-14 15:01:32.000000000 -0500
|
||||
@@ -41,7 +41,7 @@ dnl
|
||||
AC_ARG_ENABLE(configurable-krb5-ccname-env, [ --enable-configurable-krb5-ccname-env enable configurable Kerberos V credentials cache name (putenv method)], [AC_DEFINE(CONFIGURE_KRB5_CCNAME) AC_DEFINE(CONFIGURE_KRB5_CCNAME_ENV)])
|
||||
AC_ARG_ENABLE(configurable-krb5-ccname-gssapi, [ --enable-configurable-krb5-ccname-gssapi enable configurable Kerberos V credentials cache name (gssapi method)], [AC_DEFINE(CONFIGURE_KRB5_CCNAME) AC_DEFINE(CONFIGURE_KRB5_CCNAME_GSSAPI)])
|
||||
|
||||
-AC_ARG_WITH(ldap-lib, [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
|
||||
+AC_ARG_WITH(ldap-lib, [ --with-ldap-lib=type select ldap library [auto|mozilla|netscape5|netscape4|netscape3|umich|openldap]])
|
||||
AC_ARG_WITH(ldap-dir, [ --with-ldap-dir=DIR base directory of LDAP SDK])
|
||||
AC_ARG_WITH(ldap-conf-file, [ --with-ldap-conf-file path to LDAP configuration file],
|
||||
[ NSS_LDAP_PATH_CONF="$with_ldap_conf_file" ],
|
||||
@@ -132,17 +132,18 @@ AC_SUBST(NSS_LDAP_LDFLAGS)
|
||||
|
||||
AC_CHECK_HEADERS(lber.h)
|
||||
AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
|
||||
-AC_CHECK_HEADERS(ldap_ssl.h)
|
||||
+dnl AC_CHECK_HEADERS(ldap_ssl.h)
|
||||
|
||||
-dnl AC_MSG_CHECKING(for ldap_ssl.h)
|
||||
-dnl AC_TRY_COMPILE([#include <sys/types.h>
|
||||
-dnl #include <ldap.h>
|
||||
-dnl #include <ldap_ssl.h>], ,
|
||||
-dnl [
|
||||
-dnl AC_MSG_RESULT(yes),
|
||||
-dnl AC_DEFINE(HAVE_LDAP_SSL_H, 1)
|
||||
-dnl ],
|
||||
-dnl AC_MSG_RESULT(no))
|
||||
+AC_MSG_CHECKING(for ldap_ssl.h)
|
||||
+AC_TRY_COMPILE([
|
||||
+ #include <sys/types.h>
|
||||
+ #include <ldap.h>
|
||||
+ #include <ldap_ssl.h>],[],
|
||||
+ [
|
||||
+ AC_MSG_RESULT(yes)
|
||||
+ AC_DEFINE(HAVE_LDAP_SSL_H,1,[Define if you have <ldap_ssl.h>.])
|
||||
+ ],
|
||||
+ AC_MSG_RESULT(no))
|
||||
|
||||
# For HP-UX and AIX we use private API, the headers for which
|
||||
# are included locally. We need to do something to stop both
|
||||
@@ -150,7 +151,8 @@ dnl AC_MSG_RESULT(no))
|
||||
case "$target_os" in
|
||||
aix*) AC_CHECK_HEADERS(irs.h usersec.h) ;;
|
||||
hpux*) AC_CHECK_HEADERS(nsswitch.h) ;;
|
||||
- *) AC_CHECK_HEADERS(nss.h)
|
||||
+ *) AC_CHECK_HEADERS(/usr/include/nss.h)
|
||||
+ AC_CHECK_HEADERS(nss.h)
|
||||
AC_CHECK_HEADERS(nsswitch.h)
|
||||
AC_CHECK_HEADERS(irs.h) ;;
|
||||
esac
|
||||
@@ -297,6 +299,9 @@ if test -z "$found_ldap_lib" -a \( $with
|
||||
AC_CHECK_LIB(lber, main)
|
||||
AC_CHECK_LIB(ldap, main, [LIBS="-lldap $LIBS" found_ldap_lib=yes],,$LIBS)
|
||||
fi
|
||||
+if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = mozilla \); then
|
||||
+AC_CHECK_LIB(ldap60, main, LIBS="-lssldap60 -lprldap60 -lldap60 -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread)
|
||||
+fi
|
||||
if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
|
||||
AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread)
|
||||
fi
|
||||
@@ -331,6 +336,7 @@ AC_CHECK_FUNCS(ldap_init ldap_get_lderrn
|
||||
AC_CHECK_FUNCS(ldap_ld_free ldap_explode_rdn ldap_set_option ldap_get_option)
|
||||
AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s ldap_initialize ldap_search_ext)
|
||||
AC_CHECK_FUNCS(ldap_create_control ldap_create_page_control ldap_parse_page_control)
|
||||
+AC_CHECK_FUNCS(ldap_alloc_ber_with_options ber_alloc_t der_alloc)
|
||||
if test "$enable_ssl" \!= "no"; then
|
||||
AC_CHECK_FUNCS(ldapssl_client_init ldap_start_tls_s ldap_pvt_tls_set_option ldap_start_tls)
|
||||
fi
|
||||
diff -up nss_ldap/ldap-nss.h nss_ldap/ldap-nss.h
|
||||
--- nss_ldap/ldap-nss.h 2007-11-14 14:21:54.000000000 -0500
|
||||
+++ nss_ldap/ldap-nss.h 2007-11-14 15:05:57.000000000 -0500
|
||||
@@ -58,6 +58,8 @@
|
||||
#include <nss_common.h>
|
||||
#include <nss_dbdefs.h>
|
||||
#include <nsswitch.h>
|
||||
+#elif defined(HAVE__USR_INCLUDE_NSS_H)
|
||||
+#include </usr/include/nss.h>
|
||||
#elif defined(HAVE_NSS_H)
|
||||
#include <nss.h>
|
||||
#elif defined(HAVE_IRS_H)
|
||||
diff -up nss_ldap/ldap-nss.c nss_ldap/ldap-nss.c
|
||||
--- nss_ldap/ldap-nss.c 2007-11-14 14:21:54.000000000 -0500
|
||||
+++ nss_ldap/ldap-nss.c 2007-11-14 14:21:54.000000000 -0500
|
||||
@@ -1069,6 +1069,23 @@ do_init_session (LDAP ** ld, const char
|
||||
defport = atoi (p + 1);
|
||||
uri = uribuf;
|
||||
}
|
||||
+ else
|
||||
+ {
|
||||
+ size_t urilen = strlen(uri);
|
||||
+
|
||||
+ if (urilen >= sizeof (uribuf))
|
||||
+ {
|
||||
+ return NSS_UNAVAIL;
|
||||
+ }
|
||||
+
|
||||
+ memcpy (uribuf, uri, urilen);
|
||||
+ uribuf[urilen] = '\0';
|
||||
+
|
||||
+ if ((urilen > 0) && (uribuf[urilen - 1] == '/'))
|
||||
+ uribuf[urilen - 1] = '\0';
|
||||
+
|
||||
+ uri = uribuf;
|
||||
+ }
|
||||
|
||||
# ifdef HAVE_LDAP_INIT
|
||||
*ld = ldap_init (uri, defport);
|
||||
@@ -1537,7 +1554,7 @@ do_open (void)
|
||||
|
||||
if (ldap_get_option
|
||||
(__session.ls_conn, LDAP_OPT_PROTOCOL_VERSION,
|
||||
- &version) == LDAP_OPT_SUCCESS)
|
||||
+ &version) == 0)
|
||||
{
|
||||
if (version < LDAP_VERSION3)
|
||||
{
|
||||
@@ -1697,6 +1714,7 @@ do_ssl_options (ldap_config_t * cfg)
|
||||
}
|
||||
#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
|
||||
|
||||
+#ifdef LDAP_OPT_X_TLS_CACERTFILE
|
||||
if (cfg->ldc_tls_cacertfile != NULL)
|
||||
{
|
||||
/* ca cert file */
|
||||
@@ -1709,7 +1727,9 @@ do_ssl_options (ldap_config_t * cfg)
|
||||
return LDAP_OPERATIONS_ERROR;
|
||||
}
|
||||
}
|
||||
+#endif
|
||||
|
||||
+#ifdef LDAP_OPT_X_TLS_CACERTDIR
|
||||
if (cfg->ldc_tls_cacertdir != NULL)
|
||||
{
|
||||
/* ca cert directory */
|
||||
@@ -1722,7 +1742,9 @@ do_ssl_options (ldap_config_t * cfg)
|
||||
return LDAP_OPERATIONS_ERROR;
|
||||
}
|
||||
}
|
||||
+#endif
|
||||
|
||||
+#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
|
||||
/* require cert? */
|
||||
if (cfg->ldc_tls_checkpeer > -1)
|
||||
{
|
||||
@@ -1735,7 +1757,9 @@ do_ssl_options (ldap_config_t * cfg)
|
||||
return LDAP_OPERATIONS_ERROR;
|
||||
}
|
||||
}
|
||||
+#endif
|
||||
|
||||
+#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
|
||||
if (cfg->ldc_tls_ciphers != NULL)
|
||||
{
|
||||
/* set cipher suite, certificate and private key: */
|
||||
@@ -1748,7 +1772,9 @@ do_ssl_options (ldap_config_t * cfg)
|
||||
return LDAP_OPERATIONS_ERROR;
|
||||
}
|
||||
}
|
||||
+#endif
|
||||
|
||||
+#ifdef LDAP_OPT_X_TLS_CERTFILE
|
||||
if (cfg->ldc_tls_cert != NULL)
|
||||
{
|
||||
rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE, cfg->ldc_tls_cert);
|
||||
@@ -1759,7 +1785,9 @@ do_ssl_options (ldap_config_t * cfg)
|
||||
return LDAP_OPERATIONS_ERROR;
|
||||
}
|
||||
}
|
||||
+#endif
|
||||
|
||||
+#ifdef LDAP_OPT_X_TLS_CERTFILE
|
||||
if (cfg->ldc_tls_key != NULL)
|
||||
{
|
||||
rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE, cfg->ldc_tls_key);
|
||||
@@ -1770,6 +1798,7 @@ do_ssl_options (ldap_config_t * cfg)
|
||||
return LDAP_OPERATIONS_ERROR;
|
||||
}
|
||||
}
|
||||
+#endif
|
||||
|
||||
debug ("<== do_ssl_options");
|
||||
|
||||
diff -up nss_ldap/pagectrl.c nss_ldap/pagectrl.c
|
||||
--- nss_ldap/pagectrl.c 2007-08-03 00:51:09.000000000 -0400
|
||||
+++ nss_ldap/pagectrl.c 2007-11-14 14:21:54.000000000 -0500
|
||||
@@ -38,6 +38,17 @@ static char rcsId[] = "$Id: pagectrl.c,v
|
||||
#define LDAP_CONTROL_PAGE_OID "1.2.840.113556.1.4.319"
|
||||
#endif
|
||||
|
||||
+#ifndef HAVE_LDAP_CREATE_CONTROL
|
||||
+#define ldap_create_control _nss_ldap_fail_to_create_control
|
||||
+static int
|
||||
+ldap_create_control(const char *oid, BerElement *value,
|
||||
+ int iscritical, LDAPControl ** ctrlp)
|
||||
+{
|
||||
+ *ctrlp = NULL;
|
||||
+ return LDAP_ENCODING_ERROR;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
#ifndef HAVE_LDAP_CREATE_PAGE_CONTROL
|
||||
/*---
|
||||
ldap_create_page_control
|
||||
@@ -78,9 +89,6 @@ static char rcsId[] = "$Id: pagectrl.c,v
|
||||
|
||||
---*/
|
||||
|
||||
-#ifndef HAVE_LDAP_CREATE_CONTROL
|
||||
-#error LDAP client library does not support ldap_create_control()
|
||||
-#else
|
||||
int
|
||||
ldap_create_page_control (LDAP * ld,
|
||||
unsigned long pagesize,
|
||||
@@ -97,10 +105,24 @@ ldap_create_page_control (LDAP * ld,
|
||||
return (LDAP_PARAM_ERROR);
|
||||
}
|
||||
|
||||
+#ifdef HAVE_LDAP_ALLOC_BER_WITH_OPTIONS
|
||||
if ((ber = ldap_alloc_ber_with_options (ld)) == NULL)
|
||||
{
|
||||
return (LDAP_NO_MEMORY);
|
||||
}
|
||||
+#elif defined(HAVE_BER_ALLOC_T) && defined(LBER_USE_DER)
|
||||
+ if ((ber = ber_alloc_t(LBER_USE_DER)) == NULL)
|
||||
+ {
|
||||
+ return (LDAP_NO_MEMORY);
|
||||
+ }
|
||||
+#elif defined(HAVE_DER_ALLOC)
|
||||
+ if ((ber = der_alloc()) == NULL)
|
||||
+ {
|
||||
+ return (LDAP_NO_MEMORY);
|
||||
+ }
|
||||
+#else
|
||||
+ return (LDAP_NO_MEMORY);
|
||||
+#endif
|
||||
|
||||
tag = ber_printf (ber, "{i", pagesize);
|
||||
if (tag == LBER_ERROR)
|
||||
@@ -126,7 +148,6 @@ exit:
|
||||
ber_free (ber, 1);
|
||||
return (LDAP_ENCODING_ERROR);
|
||||
}
|
||||
-#endif /* HAVE_LDAP_CREATE_CONTROL */
|
||||
#endif /* HAVE_LDAP_CREATE_PAGE_CONTROL */
|
||||
|
||||
#ifndef HAVE_LDAP_PARSE_PAGE_CONTROL
|
||||
@@ -154,9 +175,6 @@ exit:
|
||||
|
||||
---*/
|
||||
|
||||
-#ifndef HAVE_LDAP_CREATE_CONTROL
|
||||
-#error LDAP client library does not support ldap_create_control()
|
||||
-#else
|
||||
int
|
||||
ldap_parse_page_control (LDAP * ld,
|
||||
LDAPControl ** ctrls,
|
||||
@@ -222,5 +240,4 @@ foundPageControl:
|
||||
|
||||
return (LDAP_SUCCESS);
|
||||
}
|
||||
-#endif /* HAVE_LDAP_CREATE_CONTROL */
|
||||
#endif /* HAVE_LDAP_PARSE_PAGE_CONTROL */
|
|
@ -1,146 +0,0 @@
|
|||
Workaround for a NetworkManager/Upstart combination making things
|
||||
interesting. When an application starts before the network is up,
|
||||
/etc/resolv.conf is empty, causing the application to attempt to use a
|
||||
local resolver. When the network comes up later, /etc/resolv.conf gets
|
||||
populated with nameserver addresses, but the application doesn't re-read
|
||||
it. This screws nss_ldap later on, because the LDAP client library
|
||||
needs to be able to resolve the directory server's address, but it can't
|
||||
without a local resolver which is probably not started.
|
||||
|
||||
diff -up nss_ldap-259/configure.in nss_ldap-259/configure.in
|
||||
--- nss_ldap-259/configure.in 2008-04-16 10:42:15.000000000 -0400
|
||||
+++ nss_ldap-259/configure.in 2008-04-16 10:42:15.000000000 -0400
|
||||
@@ -176,6 +176,7 @@ AC_CHECK_HEADERS(alignof.h)
|
||||
AC_CHECK_HEADERS(rpc/rpcent.h)
|
||||
AC_CHECK_HEADERS(sys/byteorder.h)
|
||||
AC_CHECK_HEADERS(sys/un.h)
|
||||
+AC_CHECK_HEADERS(sys/stat.h)
|
||||
AC_CHECK_HEADERS(libc-lock.h)
|
||||
AC_CHECK_HEADERS(bits/libc-lock.h)
|
||||
AC_CHECK_HEADERS(sasl.h sasl/sasl.h)
|
||||
diff -up nss_ldap-259/ldap-nss.c nss_ldap-259/ldap-nss.c
|
||||
--- nss_ldap-259/ldap-nss.c 2008-04-16 10:42:15.000000000 -0400
|
||||
+++ nss_ldap-259/ldap-nss.c 2008-04-16 10:48:02.000000000 -0400
|
||||
@@ -44,10 +44,16 @@ static char rcsId[] =
|
||||
#include <syslog.h>
|
||||
#include <signal.h>
|
||||
#include <fcntl.h>
|
||||
+#ifdef HAVE_SYS_STAT_H
|
||||
+#include <sys/stat.h>
|
||||
+#endif
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/param.h>
|
||||
#include <errno.h>
|
||||
+#ifdef HAVE_RESOLV_H
|
||||
+#include <resolv.h>
|
||||
+#endif
|
||||
#ifdef HAVE_SYS_UN_H
|
||||
#include <sys/un.h>
|
||||
#endif
|
||||
@@ -1021,8 +1027,31 @@ _nss_ldap_close (void)
|
||||
do_close ();
|
||||
}
|
||||
|
||||
+static void
|
||||
+_nss_ldap_res_init (const char *uri)
|
||||
+{
|
||||
+ if (strncmp(uri, "ldapi://", 8) != 0)
|
||||
+ {
|
||||
+ struct stat st;
|
||||
+ static time_t last_mtime = (time_t) -1;
|
||||
+#if defined(HAVE_RESOLV_H) && defined(_PATH_RESCONF)
|
||||
+ NSS_LDAP_DEFINE_LOCK (_nss_ldap_res_init_lock);
|
||||
+ NSS_LDAP_LOCK (_nss_ldap_res_init_lock);
|
||||
+ if (stat(_PATH_RESCONF, &st) == 0)
|
||||
+ {
|
||||
+ if (last_mtime != st.st_mtime)
|
||||
+ {
|
||||
+ last_mtime = st.st_mtime;
|
||||
+ res_init();
|
||||
+ }
|
||||
+ }
|
||||
+ NSS_LDAP_UNLOCK (_nss_ldap_res_init_lock);
|
||||
+#endif
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static NSS_STATUS
|
||||
-do_init_session (LDAP ** ld, const char *uri, int defport)
|
||||
+do_init_session (LDAP ** ld, const char *uri, int defport, int res_init_hack)
|
||||
{
|
||||
int rc;
|
||||
int ldaps;
|
||||
@@ -1050,6 +1079,8 @@ do_init_session (LDAP ** ld, const char
|
||||
uri = uribuf;
|
||||
}
|
||||
|
||||
+ if (res_init_hack)
|
||||
+ _nss_ldap_res_init(uri);
|
||||
rc = ldap_initialize (ld, uri);
|
||||
#else
|
||||
if (strncasecmp (uri, "ldap://", sizeof ("ldap://") - 1) != 0)
|
||||
@@ -1075,6 +1106,8 @@ do_init_session (LDAP ** ld, const char
|
||||
defport = atoi (p + 1);
|
||||
uri = uribuf;
|
||||
}
|
||||
+ if (res_init_hack)
|
||||
+ _nss_ldap_res_init(NULL);
|
||||
# ifdef HAVE_LDAP_INIT
|
||||
*ld = ldap_init (uri, defport);
|
||||
# else
|
||||
@@ -1346,7 +1379,8 @@ do_init (void)
|
||||
|
||||
stat = do_init_session (&__session.ls_conn,
|
||||
cfg->ldc_uris[__session.ls_current_uri],
|
||||
- cfg->ldc_port);
|
||||
+ cfg->ldc_port,
|
||||
+ cfg->ldc_resolv_conf_res_init_hack);
|
||||
if (stat != NSS_SUCCESS)
|
||||
{
|
||||
debug ("<== do_init (failed to initialize LDAP session)");
|
||||
diff -up nss_ldap-259/ldap-nss.h nss_ldap-259/ldap-nss.h
|
||||
--- nss_ldap-259/ldap-nss.h 2008-04-16 10:45:49.000000000 -0400
|
||||
+++ nss_ldap-259/ldap-nss.h 2008-04-16 10:45:52.000000000 -0400
|
||||
@@ -400,6 +400,9 @@ struct ldap_config
|
||||
time_t ldc_mtime;
|
||||
|
||||
char **ldc_initgroups_ignoreusers;
|
||||
+
|
||||
+ /* disable the do-res_init()-on-resolv.conf-changes hack */
|
||||
+ unsigned int ldc_resolv_conf_res_init_hack;
|
||||
};
|
||||
|
||||
typedef struct ldap_config ldap_config_t;
|
||||
diff -up nss_ldap-259/util.c nss_ldap-259/util.c
|
||||
--- nss_ldap-259/util.c 2008-04-16 10:48:08.000000000 -0400
|
||||
+++ nss_ldap-259/util.c 2008-04-16 10:50:14.000000000 -0400
|
||||
@@ -680,6 +680,8 @@ NSS_STATUS _nss_ldap_init_config (ldap_c
|
||||
}
|
||||
}
|
||||
|
||||
+ result->ldc_resolv_conf_res_init_hack = 1;
|
||||
+
|
||||
return NSS_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -1204,6 +1206,19 @@ _nss_ldap_readconfig (ldap_config_t ** p
|
||||
{
|
||||
t = &result->ldc_srv_domain;
|
||||
}
|
||||
+ else if (!strcasecmp (k, "nss_resolv_conf_res_init_hack"))
|
||||
+ {
|
||||
+ if (!strcasecmp (v, "on") || !strcasecmp (v, "yes")
|
||||
+ || !strcasecmp (v, "true"))
|
||||
+ {
|
||||
+ result->ldc_resolv_conf_res_init_hack = 1;
|
||||
+ }
|
||||
+ else if (!strcasecmp (v, "off") || !strcasecmp (v, "no")
|
||||
+ || !strcasecmp (v, "false"))
|
||||
+ {
|
||||
+ result->ldc_resolv_conf_res_init_hack = 0;
|
||||
+ }
|
||||
+ }
|
||||
else
|
||||
{
|
||||
/*
|
|
@ -1,192 +0,0 @@
|
|||
Search attribute which are not case-sensitive in a directory, but which
|
||||
are in local files on a glibc-based system:
|
||||
|
||||
posixAccount.uid: struct passwd.pw_name
|
||||
shadowAccount.uid: struct shadow.sp_namp
|
||||
posixGroup.cn: struct group.gr_name
|
||||
ipService.cn,ipServiceProtocol: struct servent.s_name,s_proto
|
||||
ipProtocol.cn: struct protoent.p_name
|
||||
ipHost.cn: OK, actually not case-sensitive in local files
|
||||
ipNetwork.cn: OK, actually not case-sensitive in local files
|
||||
rfc822MailAlias.cn: OK, actually not case-sensitive in local files
|
||||
oncRpc.cn: struct rpcent.r_name
|
||||
nisNetgroup.cn: N/A
|
||||
nisMap.nisMapName: N/A
|
||||
nisObject.nisMapName: N/A
|
||||
nisObject.cn: N/A
|
||||
ieee802Device: N/A
|
||||
bootableDevice: N/A
|
||||
automount.automountKey: no defined structure
|
||||
|
||||
This patch adds additional logic to reject the result of a search if the
|
||||
field in the result which corresponds to the original request differs
|
||||
by case from the actual request (for example, when a search for a group
|
||||
named "bob" turns up a group named "Bob"), but currently only covers
|
||||
glibc-style systems. Upstream #399.
|
||||
|
||||
diff -ur nss_ldap-264/ldap-grp.c nss_ldap-264/ldap-grp.c
|
||||
--- nss_ldap-264/ldap-grp.c 2009-07-02 11:01:03.000000000 -0400
|
||||
+++ nss_ldap-264/ldap-grp.c 2009-07-02 10:57:37.000000000 -0400
|
||||
@@ -1201,7 +1201,8 @@
|
||||
char *buffer, size_t buflen, int *errnop)
|
||||
{
|
||||
LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getgrnam,
|
||||
- LM_GROUP, _nss_ldap_parse_gr, LDAP_NSS_BUFLEN_GROUP);
|
||||
+ LM_GROUP, _nss_ldap_parse_gr, LDAP_NSS_BUFLEN_GROUP)
|
||||
+ AND_REQUIRE_MATCH(name, result->gr_name);
|
||||
}
|
||||
#elif defined(HAVE_NSSWITCH_H)
|
||||
static NSS_STATUS
|
||||
diff -ur nss_ldap-264/ldap-nss.c nss_ldap-264/ldap-nss.c
|
||||
--- nss_ldap-264/ldap-nss.c 2009-07-02 11:01:03.000000000 -0400
|
||||
+++ nss_ldap-264/ldap-nss.c 2009-07-02 10:46:39.000000000 -0400
|
||||
@@ -4300,4 +4300,17 @@
|
||||
return lderrno;
|
||||
}
|
||||
|
||||
+NSS_STATUS _nss_ldap_expect_name(NSS_STATUS result,
|
||||
+ const char *requested_name,
|
||||
+ const char *actual_name)
|
||||
+{
|
||||
+ if ((result == NSS_SUCCESS) &&
|
||||
+ (requested_name != NULL) &&
|
||||
+ (actual_name != NULL) &&
|
||||
+ (strcasecmp(requested_name, actual_name) == 0) &&
|
||||
+ (strcmp(requested_name, actual_name) != 0)) {
|
||||
+ return NSS_NOTFOUND;
|
||||
+ }
|
||||
+ return result;
|
||||
+}
|
||||
|
||||
diff -ur nss_ldap-264/ldap-nss.h nss_ldap-264/ldap-nss.h
|
||||
--- nss_ldap-264/ldap-nss.h 2009-07-02 11:01:03.000000000 -0400
|
||||
+++ nss_ldap-264/ldap-nss.h 2009-07-02 10:28:59.000000000 -0400
|
||||
@@ -911,4 +911,8 @@
|
||||
#ifdef CONFIGURE_KRB5_KEYTAB
|
||||
int do_init_krb5_cache(ldap_config_t *config);
|
||||
#endif /* CONFIGURE_KRB5_KEYTAB */
|
||||
+NSS_STATUS _nss_ldap_expect_name(NSS_STATUS result,
|
||||
+ const char *requested_name,
|
||||
+ const char *actual_name);
|
||||
+
|
||||
#endif /* _LDAP_NSS_LDAP_LDAP_NSS_H */
|
||||
diff -ur nss_ldap-264/ldap-parse.h nss_ldap-264/ldap-parse.h
|
||||
--- nss_ldap-264/ldap-parse.h 2006-09-13 02:42:08.000000000 -0400
|
||||
+++ nss_ldap-264/ldap-parse.h 2009-07-02 10:56:54.000000000 -0400
|
||||
@@ -94,6 +94,7 @@
|
||||
|
||||
#define LOOKUP_NAME(name, result, buffer, buflen, errnop, filter, selector, parser, req_buflen) \
|
||||
ldap_args_t a; \
|
||||
+ NSS_STATUS s; \
|
||||
if (buflen < req_buflen) { \
|
||||
*errnop = ERANGE; \
|
||||
return NSS_TRYAGAIN; \
|
||||
@@ -101,7 +102,8 @@
|
||||
LA_INIT(a); \
|
||||
LA_STRING(a) = name; \
|
||||
LA_TYPE(a) = LA_TYPE_STRING; \
|
||||
- return _nss_ldap_getbyname(&a, result, buffer, buflen, errnop, filter, selector, parser);
|
||||
+ s = _nss_ldap_getbyname(&a, result, buffer, buflen, errnop, filter, selector, parser); \
|
||||
+ return s
|
||||
#define LOOKUP_NUMBER(number, result, buffer, buflen, errnop, filter, selector, parser, req_buflen) \
|
||||
ldap_args_t a; \
|
||||
if (buflen < req_buflen) { \
|
||||
@@ -199,4 +201,7 @@
|
||||
|
||||
#endif /* HAVE_NSSWITCH_H */
|
||||
|
||||
+#define AND_REQUIRE_MATCH(name,field) \
|
||||
+ == NSS_SUCCESS ? _nss_ldap_expect_name(s,name,field) : s
|
||||
+
|
||||
#endif /* _LDAP_NSS_LDAP_LDAP_PARSE_H */
|
||||
diff -ur nss_ldap-264/ldap-proto.c nss_ldap-264/ldap-proto.c
|
||||
--- nss_ldap-264/ldap-proto.c 2006-09-13 02:42:08.000000000 -0400
|
||||
+++ nss_ldap-264/ldap-proto.c 2009-07-02 10:58:25.000000000 -0400
|
||||
@@ -113,7 +113,8 @@
|
||||
{
|
||||
LOOKUP_NAME (name, result, buffer, buflen, errnop,
|
||||
_nss_ldap_filt_getprotobyname, LM_PROTOCOLS,
|
||||
- _nss_ldap_parse_proto, LDAP_NSS_BUFLEN_DEFAULT);
|
||||
+ _nss_ldap_parse_proto, LDAP_NSS_BUFLEN_DEFAULT)
|
||||
+ AND_REQUIRE_MATCH(name, result->p_name);
|
||||
}
|
||||
#endif
|
||||
|
||||
diff -ur nss_ldap-264/ldap-pwd.c nss_ldap-264/ldap-pwd.c
|
||||
--- nss_ldap-264/ldap-pwd.c 2009-07-02 11:01:03.000000000 -0400
|
||||
+++ nss_ldap-264/ldap-pwd.c 2009-07-02 10:57:15.000000000 -0400
|
||||
@@ -243,7 +243,8 @@
|
||||
char *buffer, size_t buflen, int *errnop)
|
||||
{
|
||||
LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
|
||||
- LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
|
||||
+ LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
|
||||
+ AND_REQUIRE_MATCH(name, result->pw_name);
|
||||
}
|
||||
#elif defined(HAVE_NSSWITCH_H)
|
||||
static NSS_STATUS
|
||||
diff -ur nss_ldap-264/ldap-rpc.c nss_ldap-264/ldap-rpc.c
|
||||
--- nss_ldap-264/ldap-rpc.c 2009-07-02 11:01:03.000000000 -0400
|
||||
+++ nss_ldap-264/ldap-rpc.c 2009-07-02 10:58:01.000000000 -0400
|
||||
@@ -123,7 +123,8 @@
|
||||
{
|
||||
LOOKUP_NAME (name, result, buffer, buflen, errnop,
|
||||
_nss_ldap_filt_getrpcbyname, LM_RPC, _nss_ldap_parse_rpc,
|
||||
- LDAP_NSS_BUFLEN_DEFAULT);
|
||||
+ LDAP_NSS_BUFLEN_DEFAULT)
|
||||
+ AND_REQUIRE_MATCH(name, result->r_name);
|
||||
}
|
||||
#endif
|
||||
|
||||
diff -ur nss_ldap-264/ldap-service.c nss_ldap-264/ldap-service.c
|
||||
--- nss_ldap-264/ldap-service.c 2009-07-02 15:44:14.000000000 -0400
|
||||
+++ nss_ldap-264/ldap-service.c 2009-07-02 15:45:07.000000000 -0400
|
||||
@@ -230,16 +230,20 @@
|
||||
char *buffer, size_t buflen, int *errnop)
|
||||
{
|
||||
ldap_args_t a;
|
||||
+ NSS_STATUS s;
|
||||
|
||||
LA_INIT (a);
|
||||
LA_STRING (a) = name;
|
||||
LA_TYPE (a) = (proto == NULL) ? LA_TYPE_STRING : LA_TYPE_STRING_AND_STRING;
|
||||
LA_STRING2 (a) = proto;
|
||||
|
||||
- return _nss_ldap_getbyname (&a, result, buffer, buflen, errnop,
|
||||
- ((proto == NULL) ? _nss_ldap_filt_getservbyname
|
||||
- : _nss_ldap_filt_getservbynameproto),
|
||||
- LM_SERVICES, _nss_ldap_parse_serv);
|
||||
+ s = _nss_ldap_getbyname (&a, result, buffer, buflen, errnop,
|
||||
+ ((proto == NULL) ? _nss_ldap_filt_getservbyname
|
||||
+ : _nss_ldap_filt_getservbynameproto),
|
||||
+ LM_SERVICES, _nss_ldap_parse_serv);
|
||||
+ s = _nss_ldap_expect_name(s, name, result->s_name);
|
||||
+ s = _nss_ldap_expect_name(s, proto, result->s_proto);
|
||||
+ return s;
|
||||
}
|
||||
#endif
|
||||
|
||||
diff -ur nss_ldap-264/ldap-spwd.c nss_ldap-264/ldap-spwd.c
|
||||
--- nss_ldap-264/ldap-spwd.c 2009-07-02 11:01:03.000000000 -0400
|
||||
+++ nss_ldap-264/ldap-spwd.c 2009-07-02 10:58:50.000000000 -0400
|
||||
@@ -149,7 +149,8 @@
|
||||
char *buffer, size_t buflen, int *errnop)
|
||||
{
|
||||
LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getspnam,
|
||||
- LM_SHADOW, _nss_ldap_parse_sp, LDAP_NSS_BUFLEN_DEFAULT);
|
||||
+ LM_SHADOW, _nss_ldap_parse_sp, LDAP_NSS_BUFLEN_DEFAULT)
|
||||
+ AND_REQUIRE_MATCH (name, result->sp_namp);
|
||||
}
|
||||
#elif defined(HAVE_NSSWITCH_H)
|
||||
static NSS_STATUS
|
||||
--- nss_ldap-264/ldap-automount.c 2009-07-02 16:03:30.000000000 -0400
|
||||
+++ nss_ldap-264/ldap-automount.c 2009-07-02 16:03:48.000000000 -0400
|
||||
@@ -384,7 +384,7 @@
|
||||
_nss_ldap_filt_getautomntbyname,
|
||||
LM_AUTOMOUNT,
|
||||
_nss_ldap_parse_automount);
|
||||
-
|
||||
+ stat = _nss_ldap_expect_name(stat, key, canon_key ? *canon_key : NULL);
|
||||
if (stat != NSS_NOTFOUND)
|
||||
{
|
||||
break; /* on success or error other than not found */
|
|
@ -1,11 +0,0 @@
|
|||
diff -up nss_ldap-264/ldap-nss.c nss_ldap-264/ldap-nss.c
|
||||
--- nss_ldap-264/ldap-nss.c 2009-07-23 18:55:15.290388484 -0400
|
||||
+++ nss_ldap-264/ldap-nss.c 2009-07-23 19:01:33.328398737 -0400
|
||||
@@ -896,6 +896,7 @@ do_drop_connection(int sd, int closeSd)
|
||||
/* we must let dup2 close sd for us to avoid race conditions
|
||||
* in multithreaded code.
|
||||
*/
|
||||
+ fcntl (dummyfd, F_SETFD, 1L);
|
||||
do_dupfd (dummyfd, sd);
|
||||
do_closefd (dummyfd);
|
||||
}
|
|
@ -1,186 +0,0 @@
|
|||
Check if we can use thread-local storage, and if we can, use one to avoid a
|
||||
self-deadlock if we recurse into our own host resolution routines from inside
|
||||
of another lookup attempt. Revised from patch originally submitted for #340.
|
||||
|
||||
diff -up nss_ldap-265/config.h.in nss_ldap-265/config.h.in
|
||||
--- nss_ldap-265/config.h.in 2009-11-06 05:28:08.000000000 -0500
|
||||
+++ nss_ldap-265/config.h.in 2010-01-08 17:29:49.000000000 -0500
|
||||
@@ -304,6 +304,11 @@
|
||||
/* Define to 1 if you have the <thread.h> header file. */
|
||||
#undef HAVE_THREAD_H
|
||||
|
||||
+/* Define if your toolchain supports thread-local storage, which can be used
|
||||
+ for detecting self- and mutual-recursion problems when performing
|
||||
+ host/address lookups. */
|
||||
+#undef HAVE_THREAD_LOCAL_STORAGE
|
||||
+
|
||||
/* Define to 1 if you have the <unistd.h> header file. */
|
||||
#undef HAVE_UNISTD_H
|
||||
|
||||
diff -up nss_ldap-265/configure.in nss_ldap-265/configure.in
|
||||
--- nss_ldap-265/configure.in 2009-11-06 05:28:08.000000000 -0500
|
||||
+++ nss_ldap-265/configure.in 2010-01-08 17:29:49.000000000 -0500
|
||||
@@ -27,6 +27,14 @@ dnl
|
||||
|
||||
AC_ARG_ENABLE(debugging, [ --enable-debugging enable debug code ], [AC_DEFINE(DEBUG)])
|
||||
|
||||
+AC_MSG_CHECKING(for thread-local storage)
|
||||
+AC_TRY_COMPILE([],[static __thread int _nss_ldap_recursion_count;],
|
||||
+ [
|
||||
+ AC_MSG_RESULT(yes)
|
||||
+ AC_DEFINE(HAVE_THREAD_LOCAL_STORAGE,1,[Define if your toolchain supports thread-local storage, which can be used for detecting self- and mutual-recursion problems when performing host/address lookups.])
|
||||
+ ],
|
||||
+ AC_MSG_RESULT(no))
|
||||
+
|
||||
dnl
|
||||
dnl --enable-paged-results is now deprecated; if this option is set,
|
||||
dnl then paged results will be enabled by default. However, it can
|
||||
diff -up nss_ldap-265/depth.c nss_ldap-265/depth.c
|
||||
--- nss_ldap-265/depth.c 2010-01-08 17:29:49.000000000 -0500
|
||||
+++ nss_ldap-265/depth.c 2010-01-08 17:29:49.000000000 -0500
|
||||
@@ -0,0 +1,24 @@
|
||||
+#include "config.h"
|
||||
+#include "depth.h"
|
||||
+
|
||||
+#ifdef HAVE_THREAD_LOCAL_STORAGE
|
||||
+static __thread int depth = 0;
|
||||
+
|
||||
+int
|
||||
+_nss_ldap_get_depth (void)
|
||||
+{
|
||||
+ return depth;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+_nss_ldap_inc_depth (void)
|
||||
+{
|
||||
+ return ++depth;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+_nss_ldap_dec_depth (void)
|
||||
+{
|
||||
+ return --depth;
|
||||
+}
|
||||
+#endif
|
||||
diff -up nss_ldap-265/depth.h nss_ldap-265/depth.h
|
||||
--- nss_ldap-265/depth.h 2010-01-08 17:29:49.000000000 -0500
|
||||
+++ nss_ldap-265/depth.h 2010-01-08 17:29:49.000000000 -0500
|
||||
@@ -0,0 +1,3 @@
|
||||
+int _nss_ldap_get_depth (void);
|
||||
+int _nss_ldap_inc_depth (void);
|
||||
+int _nss_ldap_dec_depth (void);
|
||||
diff -up nss_ldap-265/ldap-hosts.c nss_ldap-265/ldap-hosts.c
|
||||
--- nss_ldap-265/ldap-hosts.c 2009-11-06 05:28:08.000000000 -0500
|
||||
+++ nss_ldap-265/ldap-hosts.c 2010-01-08 17:33:38.000000000 -0500
|
||||
@@ -66,6 +66,7 @@ static char rcsId[] =
|
||||
#include "ldap-nss.h"
|
||||
#include "ldap-hosts.h"
|
||||
#include "util.h"
|
||||
+#include "depth.h"
|
||||
|
||||
#ifdef HAVE_PORT_AFTER_H
|
||||
#include <port_after.h>
|
||||
@@ -280,6 +281,11 @@ _nss_ldap_gethostbyname2_r (const char *
|
||||
}
|
||||
#endif
|
||||
|
||||
+#ifdef HAVE_THREAD_LOCAL_STORAGE
|
||||
+ if (_nss_ldap_get_depth() > 0)
|
||||
+ return NSS_STATUS_UNAVAIL;
|
||||
+#endif
|
||||
+
|
||||
LA_INIT (a);
|
||||
LA_STRING (a) = name;
|
||||
LA_TYPE (a) = LA_TYPE_STRING;
|
||||
@@ -355,6 +361,11 @@ _nss_ldap_gethostbyaddr_r (struct in_add
|
||||
NSS_STATUS status;
|
||||
ldap_args_t a;
|
||||
|
||||
+#ifdef HAVE_THREAD_LOCAL_STORAGE
|
||||
+ if (_nss_ldap_get_depth() > 0)
|
||||
+ return NSS_STATUS_UNAVAIL;
|
||||
+#endif
|
||||
+
|
||||
/* if querying by IPv6 address, make sure the address is "normalized" --
|
||||
* it should contain no leading zeros and all components of the address.
|
||||
* still we can't fit an IPv6 address in an int, so who cares for now.
|
||||
@@ -391,6 +402,11 @@ _nss_ldap_sethostent_r (nss_backend_t *
|
||||
#endif
|
||||
#if defined(HAVE_NSS_H) || defined(HAVE_NSSWITCH_H)
|
||||
{
|
||||
+#ifdef HAVE_THREAD_LOCAL_STORAGE
|
||||
+ if (_nss_ldap_get_depth() > 0)
|
||||
+ return NSS_STATUS_UNAVAIL;
|
||||
+#endif
|
||||
+
|
||||
LOOKUP_SETENT (hosts_context);
|
||||
}
|
||||
#endif
|
||||
@@ -403,6 +419,11 @@ _nss_ldap_endhostent_r (nss_backend_t *
|
||||
#endif
|
||||
#if defined(HAVE_NSS_H) || defined(HAVE_NSSWITCH_H)
|
||||
{
|
||||
+#ifdef HAVE_THREAD_LOCAL_STORAGE
|
||||
+ if (_nss_ldap_get_depth() > 0)
|
||||
+ return NSS_STATUS_UNAVAIL;
|
||||
+#endif
|
||||
+
|
||||
LOOKUP_ENDENT (hosts_context);
|
||||
}
|
||||
#endif
|
||||
@@ -435,6 +456,11 @@ _nss_ldap_gethostent_r (struct hostent *
|
||||
{
|
||||
NSS_STATUS status;
|
||||
|
||||
+#ifdef HAVE_THREAD_LOCAL_STORAGE
|
||||
+ if (_nss_ldap_get_depth() > 0)
|
||||
+ return NSS_STATUS_UNAVAIL;
|
||||
+#endif
|
||||
+
|
||||
status = _nss_ldap_getent (&hosts_context,
|
||||
result,
|
||||
buffer,
|
||||
diff -up nss_ldap-265/ldap-nss.c nss_ldap-265/ldap-nss.c
|
||||
--- nss_ldap-265/ldap-nss.c 2009-11-06 05:28:08.000000000 -0500
|
||||
+++ nss_ldap-265/ldap-nss.c 2010-01-08 17:29:49.000000000 -0500
|
||||
@@ -93,6 +93,7 @@ static char rcsId[] =
|
||||
#include "util.h"
|
||||
#include "dnsconfig.h"
|
||||
#include "pagectrl.h"
|
||||
+#include "depth.h"
|
||||
|
||||
#if defined(HAVE_THREAD_H) && !defined(_AIX)
|
||||
#ifdef HAVE_PTHREAD_ATFORK
|
||||
@@ -578,6 +579,9 @@ _nss_ldap_enter (void)
|
||||
debug ("==> _nss_ldap_enter");
|
||||
|
||||
NSS_LDAP_LOCK (__lock);
|
||||
+#ifdef HAVE_THREAD_LOCAL_STORAGE
|
||||
+ _nss_ldap_inc_depth();
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* Patch for Debian Bug 130006:
|
||||
@@ -623,6 +627,9 @@ _nss_ldap_leave (void)
|
||||
}
|
||||
#endif /* HAVE_SIGACTION */
|
||||
|
||||
+#ifdef HAVE_THREAD_LOCAL_STORAGE
|
||||
+ _nss_ldap_dec_depth();
|
||||
+#endif
|
||||
NSS_LDAP_UNLOCK (__lock);
|
||||
|
||||
debug ("<== _nss_ldap_leave");
|
||||
diff -up nss_ldap-265/Makefile.am nss_ldap-265/Makefile.am
|
||||
--- nss_ldap-265/Makefile.am 2009-11-06 05:28:08.000000000 -0500
|
||||
+++ nss_ldap-265/Makefile.am 2010-01-08 17:31:45.000000000 -0500
|
||||
@@ -23,7 +23,7 @@ nss_ldap_so_SOURCES = ldap-nss.c ldap-pw
|
||||
ldap-alias.c ldap-service.c ldap-schema.c ldap-ethers.c \
|
||||
ldap-bp.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \
|
||||
dnsconfig.c irs-nss.c pagectrl.c ldap-sldap.c ldap-init-krb5-cache.c \
|
||||
- vers.c
|
||||
+ vers.c depth.c
|
||||
|
||||
nss_ldap_so_LDFLAGS = @nss_ldap_so_LDFLAGS@
|
||||
|
|
@ -1,102 +0,0 @@
|
|||
Distinguish between contexts that are somewhat persistent and one-offs
|
||||
which are used to fulfill part of a larger request. Proposed for #322.
|
||||
|
||||
diff -up nss_ldap-265/ldap-grp.c nss_ldap-265/ldap-grp.c
|
||||
--- nss_ldap-265/ldap-grp.c 2010-01-08 17:38:38.000000000 -0500
|
||||
+++ nss_ldap-265/ldap-grp.c 2010-01-08 17:38:38.000000000 -0500
|
||||
@@ -859,7 +859,7 @@ ng_chase (const char *dn, ldap_initgroup
|
||||
LA_STRING (a) = dn;
|
||||
LA_TYPE (a) = LA_TYPE_STRING;
|
||||
|
||||
- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
|
||||
+ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
|
||||
{
|
||||
return NSS_UNAVAIL;
|
||||
}
|
||||
@@ -931,7 +931,7 @@ ng_chase_backlink (const char ** members
|
||||
LA_STRING_LIST (a) = filteredMembersOf;
|
||||
LA_TYPE (a) = LA_TYPE_STRING_LIST_OR;
|
||||
|
||||
- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
|
||||
+ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
|
||||
{
|
||||
free (filteredMembersOf);
|
||||
return NSS_UNAVAIL;
|
||||
diff -up nss_ldap-265/ldap-netgrp.c nss_ldap-265/ldap-netgrp.c
|
||||
--- nss_ldap-265/ldap-netgrp.c 2009-11-06 05:28:08.000000000 -0500
|
||||
+++ nss_ldap-265/ldap-netgrp.c 2010-01-08 17:38:38.000000000 -0500
|
||||
@@ -691,7 +691,7 @@ do_innetgr_nested (ldap_innetgr_args_t *
|
||||
LA_TYPE (a) = LA_TYPE_STRING;
|
||||
LA_STRING (a) = nested; /* memberNisNetgroup */
|
||||
|
||||
- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
|
||||
+ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
|
||||
{
|
||||
debug ("<== do_innetgr_nested: failed to initialize context");
|
||||
return NSS_UNAVAIL;
|
||||
diff -up nss_ldap-265/ldap-nss.c nss_ldap-265/ldap-nss.c
|
||||
--- nss_ldap-265/ldap-nss.c 2010-01-08 17:38:38.000000000 -0500
|
||||
+++ nss_ldap-265/ldap-nss.c 2010-01-08 17:40:37.000000000 -0500
|
||||
@@ -2043,6 +2043,7 @@ _nss_ldap_ent_context_init_locked (ent_c
|
||||
debug ("<== _nss_ldap_ent_context_init_locked");
|
||||
return NULL;
|
||||
}
|
||||
+ ctx->ec_internal = 0;
|
||||
*pctx = ctx;
|
||||
}
|
||||
else
|
||||
@@ -2104,7 +2105,8 @@ do_context_release (ent_context_t * ctx,
|
||||
|
||||
LS_INIT (ctx->ec_state);
|
||||
|
||||
- if (_nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
|
||||
+ if (!ctx->ec_internal &&
|
||||
+ _nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
|
||||
{
|
||||
do_close ();
|
||||
}
|
||||
@@ -2113,6 +2115,16 @@ do_context_release (ent_context_t * ctx,
|
||||
free (ctx);
|
||||
}
|
||||
|
||||
+ent_context_t *
|
||||
+_nss_ldap_ent_context_init_internal_locked (ent_context_t ** pctx)
|
||||
+{
|
||||
+ ent_context_t *ctx;
|
||||
+ ctx = _nss_ldap_ent_context_init_locked (pctx);
|
||||
+ if (ctx != NULL)
|
||||
+ ctx->ec_internal = 1;
|
||||
+ return ctx;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Clears a given context; we require the caller
|
||||
* to acquire the lock.
|
||||
diff -up nss_ldap-265/ldap-nss.h nss_ldap-265/ldap-nss.h
|
||||
--- nss_ldap-265/ldap-nss.h 2010-01-08 17:38:38.000000000 -0500
|
||||
+++ nss_ldap-265/ldap-nss.h 2010-01-08 17:42:34.000000000 -0500
|
||||
@@ -574,6 +574,8 @@ struct ent_context
|
||||
ldap_state_t ec_state; /* eg. for services */
|
||||
int ec_msgid; /* message ID */
|
||||
LDAPMessage *ec_res; /* result chain */
|
||||
+ int ec_internal; /* this context is just a part of a larger
|
||||
+ * query for information */
|
||||
ldap_service_search_descriptor_t *ec_sd; /* current sd */
|
||||
struct berval *ec_cookie; /* cookie for paged searches */
|
||||
int ec_eof; /* reached notional end of file */
|
||||
@@ -769,6 +771,15 @@ ent_context_t *_nss_ldap_ent_context_ini
|
||||
ent_context_t *_nss_ldap_ent_context_init_locked (ent_context_t **);
|
||||
|
||||
/*
|
||||
+ * _nss_ldap_ent_context_init_internal_locked() has the same
|
||||
+ * behaviour, except it marks the context as one that's being
|
||||
+ * used to fetch additional data used in answering a request, i.e.
|
||||
+ * that this isn't the "main" context
|
||||
+ */
|
||||
+
|
||||
+ent_context_t *_nss_ldap_ent_context_init_internal_locked (ent_context_t **);
|
||||
+
|
||||
+/*
|
||||
* _nss_ldap_ent_context_release() is used to manually free a context
|
||||
*/
|
||||
void _nss_ldap_ent_context_release (ent_context_t **);
|
|
@ -1,17 +0,0 @@
|
|||
If we were supposed to set ERANGE, do so again, in case do_close() or
|
||||
_nss_ldap_leave() overwrote errno with some other value. Upstream #421.
|
||||
|
||||
diff -up nss_ldap-265/ldap-nss.ce nss_ldap-265/ldap-nss.c
|
||||
--- nss_ldap-265/ldap-nss.ce 2010-07-08 16:17:07.000000000 -0400
|
||||
+++ nss_ldap-265/ldap-nss.c 2010-07-08 16:17:03.000000000 -0400
|
||||
@@ -3572,6 +3572,10 @@ _nss_ldap_getbyname (ldap_args_t * args,
|
||||
|
||||
debug ("<== _nss_ldap_getbyname");
|
||||
|
||||
+ /* at least for the cases where we know we have to return ERANGE */
|
||||
+ if (stat == NSS_TRYAGAIN)
|
||||
+ do_map_errno(stat, errnop);
|
||||
+
|
||||
return stat;
|
||||
}
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
--- nss_ldap-265/ldap-nss.c.orig 2010-10-18 22:11:18.112108167 +1100
|
||||
+++ nss_ldap-265/ldap-nss.c 2010-10-18 22:13:20.030169868 +1100
|
||||
@@ -3449,6 +3449,7 @@
|
||||
|
||||
debug ("==> _nss_ldap_getbyname");
|
||||
|
||||
+ memset(&ctx, 0, sizeof(ent_context_t));
|
||||
ctx.ec_msgid = -1;
|
||||
ctx.ec_cookie = NULL;
|
||||
ctx.ec_eof = 0;
|
|
@ -1,190 +0,0 @@
|
|||
This builds off of the recursion checking introduced by -depth to avoid
|
||||
a deadlock if/when we recurse into ourselves while looking up the user's
|
||||
UID to compare it to the configured value. Revision for upstream #341.
|
||||
|
||||
diff -ur nss_ldap-265/ldap-nss.c nss_ldap-265-2/ldap-nss.c
|
||||
--- nss_ldap-265/ldap-nss.c 2010-08-19 17:16:51.000000000 -0400
|
||||
+++ nss_ldap-265-2/ldap-nss.c 2010-08-19 17:25:09.000000000 -0400
|
||||
@@ -34,6 +34,7 @@
|
||||
#endif
|
||||
|
||||
#include <assert.h>
|
||||
+#include <pwd.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
@@ -4356,20 +4357,55 @@
|
||||
int
|
||||
_nss_ldap_test_initgroups_ignoreuser (const char *user)
|
||||
{
|
||||
- char **p;
|
||||
+ char **p, *buf;
|
||||
+ size_t buflen;
|
||||
+ struct passwd pwd, *passwd;
|
||||
|
||||
- if (__config == NULL)
|
||||
- return 0;
|
||||
-
|
||||
- if (__config->ldc_initgroups_ignoreusers == NULL)
|
||||
- return 0;
|
||||
-
|
||||
- for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
|
||||
+ if (__config != NULL)
|
||||
{
|
||||
- if (strcmp (*p, user) == 0)
|
||||
- return 1;
|
||||
+ if (__config->ldc_initgroups_ignoreusers != NULL)
|
||||
+ for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
|
||||
+ {
|
||||
+ if (strcmp (*p, user) == 0)
|
||||
+ return 1;
|
||||
+ }
|
||||
+ if (__config->ldc_initgroups_minimum_uid >= 0)
|
||||
+ {
|
||||
+ memset (&pwd, 0, sizeof(pwd));
|
||||
+ buflen = 0x100;
|
||||
+ buf = malloc(buflen);
|
||||
+ if (buf != NULL)
|
||||
+ {
|
||||
+ passwd = NULL;
|
||||
+ while ((getpwnam_r(user, &pwd, buf, buflen, &passwd) != 0) &&
|
||||
+ (passwd != &pwd))
|
||||
+ {
|
||||
+ switch (errno)
|
||||
+ {
|
||||
+ case ERANGE:
|
||||
+ buflen *= 2;
|
||||
+ free(buf);
|
||||
+ if (buflen > 0x100000)
|
||||
+ buf = NULL;
|
||||
+ else
|
||||
+ buf = malloc(buflen);
|
||||
+ break;
|
||||
+ case EINTR:
|
||||
+ continue;
|
||||
+ break;
|
||||
+ default:
|
||||
+ free(buf);
|
||||
+ buf = NULL;
|
||||
+ break;
|
||||
+ }
|
||||
+ if (buf == NULL)
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ if ((passwd == &pwd) && (passwd->pw_uid < 1000))
|
||||
+ return 1;
|
||||
+ }
|
||||
}
|
||||
-
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff -ur nss_ldap-265/ldap-nss.h nss_ldap-265-2/ldap-nss.h
|
||||
--- nss_ldap-265/ldap-nss.h 2010-08-19 17:16:51.000000000 -0400
|
||||
+++ nss_ldap-265-2/ldap-nss.h 2010-08-19 17:18:47.000000000 -0400
|
||||
@@ -400,6 +400,7 @@
|
||||
time_t ldc_mtime;
|
||||
|
||||
char **ldc_initgroups_ignoreusers;
|
||||
+ int ldc_initgroups_minimum_uid;
|
||||
|
||||
/* disable the do-res_init()-on-resolv.conf-changes hack */
|
||||
unsigned int ldc_resolv_conf_res_init_hack;
|
||||
diff -ur nss_ldap-265/ldap-pwd.c nss_ldap-265-2/ldap-pwd.c
|
||||
--- nss_ldap-265/ldap-pwd.c 2010-08-19 17:16:51.000000000 -0400
|
||||
+++ nss_ldap-265-2/ldap-pwd.c 2010-08-19 16:40:43.000000000 -0400
|
||||
@@ -49,6 +49,7 @@
|
||||
#include "ldap-nss.h"
|
||||
#include "ldap-pwd.h"
|
||||
#include "util.h"
|
||||
+#include "depth.h"
|
||||
|
||||
#ifdef HAVE_PORT_AFTER_H
|
||||
#include <port_after.h>
|
||||
@@ -242,6 +243,10 @@
|
||||
struct passwd * result,
|
||||
char *buffer, size_t buflen, int *errnop)
|
||||
{
|
||||
+#ifdef HAVE_THREAD_LOCAL_STORAGE
|
||||
+ if (_nss_ldap_get_depth() > 0)
|
||||
+ return NSS_STATUS_UNAVAIL;
|
||||
+#endif
|
||||
LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
|
||||
LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
|
||||
AND_REQUIRE_MATCH(name, result->pw_name);
|
||||
@@ -261,6 +266,10 @@
|
||||
struct passwd *result,
|
||||
char *buffer, size_t buflen, int *errnop)
|
||||
{
|
||||
+#ifdef HAVE_THREAD_LOCAL_STORAGE
|
||||
+ if (_nss_ldap_get_depth() > 0)
|
||||
+ return NSS_STATUS_UNAVAIL;
|
||||
+#endif
|
||||
LOOKUP_NUMBER (uid, result, buffer, buflen, errnop, _nss_ldap_filt_getpwuid,
|
||||
LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
|
||||
}
|
||||
diff -ur nss_ldap-265/nss_ldap.5 nss_ldap-265-2/nss_ldap.5
|
||||
--- nss_ldap-265/nss_ldap.5 2010-08-19 17:16:51.000000000 -0400
|
||||
+++ nss_ldap-265-2/nss_ldap.5 2010-08-19 17:19:23.000000000 -0400
|
||||
@@ -445,6 +445,14 @@
|
||||
to return NSS_STATUS_NOTFOUND if called with a listed users as
|
||||
its argument.
|
||||
.TP
|
||||
+.B nss_initgroups_minimum_uid <uid>
|
||||
+This option directs the
|
||||
+.B nss_ldap
|
||||
+implementation of
|
||||
+.BR initgroups(3)
|
||||
+to return NSS_STATUS_NOTFOUND if called with a user whose UID is
|
||||
+below the value given as the argument.
|
||||
+.TP
|
||||
.B nss_getgrent_skipmembers <yes|no>
|
||||
Specifies whether or not to populate the members list in
|
||||
the group structure for group lookups. If very large groups
|
||||
diff -ur nss_ldap-265/util.c nss_ldap-265-2/util.c
|
||||
--- nss_ldap-265/util.c 2010-08-19 17:16:51.000000000 -0400
|
||||
+++ nss_ldap-265-2/util.c 2010-08-19 17:18:33.000000000 -0400
|
||||
@@ -669,6 +669,7 @@
|
||||
result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME;
|
||||
result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES;
|
||||
result->ldc_initgroups_ignoreusers = NULL;
|
||||
+ result->ldc_initgroups_minimum_uid = -1;
|
||||
|
||||
for (i = 0; i <= LM_NONE; i++)
|
||||
{
|
||||
@@ -1180,6 +1181,10 @@
|
||||
break;
|
||||
}
|
||||
}
|
||||
+ else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID))
|
||||
+ {
|
||||
+ result->ldc_initgroups_minimum_uid = atoi(v);
|
||||
+ }
|
||||
else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS))
|
||||
{
|
||||
if (!strcasecmp (v, "on") || !strcasecmp (v, "yes")
|
||||
diff -ur nss_ldap-265/util.h nss_ldap-265-2/util.h
|
||||
--- nss_ldap-265/util.h 2009-11-06 05:28:08.000000000 -0500
|
||||
+++ nss_ldap-265-2/util.h 2010-08-19 17:19:46.000000000 -0400
|
||||
@@ -92,6 +92,7 @@
|
||||
#define NSS_LDAP_KEY_PAGESIZE "pagesize"
|
||||
#define NSS_LDAP_KEY_INITGROUPS "nss_initgroups"
|
||||
#define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS "nss_initgroups_ignoreusers"
|
||||
+#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID "nss_initgroups_minimum_uid"
|
||||
#define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS "nss_getgrent_skipmembers"
|
||||
|
||||
/* more reconnect policy fine-tuning */
|
||||
--- nss_ldap-265/ldap.conf 2005-08-17 18:35:13.000000000 -0400
|
||||
+++ nss_ldap-265/ldap.conf 2006-02-09 14:14:05.000000000 -0500
|
||||
@@ -177,8 +177,8 @@
|
||||
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
|
||||
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
|
||||
|
||||
-# Just assume that there are no supplemental groups for these named users
|
||||
-nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
|
||||
+# Just assume that there are no supplemental groups for system users.
|
||||
+nss_initgroups_minimum_uid 500
|
||||
|
||||
# attribute/objectclass mapping
|
||||
# Syntax:
|
|
@ -1,17 +0,0 @@
|
|||
Configure by default to fail, quickly, requests for supplemental group
|
||||
information for "root", "ldap", and assorted other users as whom services
|
||||
run or who are mentioned by the DBus configuration. This patch will never
|
||||
be pretty.
|
||||
|
||||
--- pam_ldap-180/ldap.conf 2005-08-17 18:35:13.000000000 -0400
|
||||
+++ pam_ldap-180/ldap.conf 2006-02-09 14:14:05.000000000 -0500
|
||||
@@ -177,6 +177,9 @@
|
||||
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
|
||||
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
|
||||
|
||||
+# Just assume that there are no supplemental groups for these named users
|
||||
+nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
|
||||
+
|
||||
# attribute/objectclass mapping
|
||||
# Syntax:
|
||||
#nss_map_attribute rfc2307attribute mapped_attribute
|
|
@ -1,36 +0,0 @@
|
|||
diff -up nss_ldap-253/ldap-nss.c.padl418 nss_ldap-253/ldap-nss.c
|
||||
--- nss_ldap-253/ldap-nss.c.padl418 2010-11-17 14:08:24.000000000 +0000
|
||||
+++ nss_ldap-253/ldap-nss.c 2010-11-18 00:34:22.000000000 +0000
|
||||
@@ -1272,9 +1272,14 @@ do_init (void)
|
||||
}
|
||||
}
|
||||
|
||||
- __session.ls_conn = NULL;
|
||||
+ /* looks like a problem. could be initialized, but not connected */
|
||||
+ if (__session.ls_state != LS_UNINITIALIZED)
|
||||
+ {
|
||||
+ debug ("<== do_init (already initialized)");
|
||||
+ goto initialized;
|
||||
+ }
|
||||
+
|
||||
__session.ls_timestamp = 0;
|
||||
- __session.ls_state = LS_UNINITIALIZED;
|
||||
|
||||
#if defined(HAVE_PTHREAD_ONCE) && defined(HAVE_PTHREAD_ATFORK)
|
||||
if (pthread_once (&__once, do_atfork_setup) != 0)
|
||||
@@ -1394,6 +1399,7 @@ do_init (void)
|
||||
|
||||
debug ("<== do_init (initialized session)");
|
||||
|
||||
+initialized:
|
||||
return NSS_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -1614,6 +1620,7 @@ do_open (void)
|
||||
}
|
||||
else
|
||||
{
|
||||
+ syslog(LOG_ERR, "nss-ldap: do_open: do_start_tls failed:stat=%d", stat);
|
||||
do_close ();
|
||||
debug ("<== do_open (TLS startup failed)");
|
||||
return stat;
|
|
@ -1,11 +0,0 @@
|
|||
--- nss_ldap/ldap-netgrp.c
|
||||
+++ nss_ldap/ldap-netgrp.c
|
||||
@@ -372,7 +372,7 @@ _nss_ldap_setnetgrent (char *group, stru
|
||||
_nss_ldap_filt_getnetgrent, LM_NETGROUP,
|
||||
_nss_ldap_load_netgr);
|
||||
|
||||
- if (stat == NSS_NOTFOUND)
|
||||
+ if (stat != NSS_SUCCESS)
|
||||
return stat;
|
||||
|
||||
LOOKUP_SETENT (_ngbe);
|
|
@ -1,90 +0,0 @@
|
|||
###############################################################################
|
||||
# IPFire.org - An Open Source Firewall Solution #
|
||||
# Copyright (C) - IPFire Development Team <info@ipfire.org> #
|
||||
###############################################################################
|
||||
|
||||
name = pam_ldap
|
||||
version = 186
|
||||
release = 3
|
||||
|
||||
groups = System/Base
|
||||
url = http://www.padl.com/OSS/pam_ldap.html
|
||||
license = GPL and LGPL
|
||||
summary = A pam/ldap module that supports password changes.
|
||||
|
||||
description
|
||||
The pam_ldap module provides the means for Solaris and Linux servers \
|
||||
and workstations to authenticate against LDAP directories, and to \
|
||||
change their passwords in the directory.
|
||||
end
|
||||
|
||||
# Always change this if the nss_ldap package has been updated!
|
||||
NSS_LDAP_VER = 265
|
||||
|
||||
source_dl =
|
||||
sources += nss_ldap-%{NSS_LDAP_VER}.tar.gz
|
||||
|
||||
build
|
||||
requires
|
||||
autoconf
|
||||
automake
|
||||
openldap-devel
|
||||
pam-devel
|
||||
end
|
||||
|
||||
configure_options += \
|
||||
--with-ldap-conf-file=/etc/pam_ldap.conf \
|
||||
--with-ldap-secret-file=/etc/pam_ldap.secret
|
||||
|
||||
prepare_cmds
|
||||
# Extract source tarball of nss_ldap
|
||||
cd %{DIR_SRC} && %{MACRO_EXTRACT} %{DIR_DL}/nss_ldap-%{NSS_LDAP_VER}.tar.gz
|
||||
|
||||
# Copy needed files from nss_ldap
|
||||
cd %{DIR_APP} && cp -av %{DIR_SRC}/nss_ldap-%{NSS_LDAP_VER}/resolve.c .
|
||||
cp -av %{DIR_SRC}/nss_ldap-%{NSS_LDAP_VER}/resolve.h .
|
||||
cp -av %{DIR_SRC}/nss_ldap-%{NSS_LDAP_VER}/snprintf.c .
|
||||
cp -av %{DIR_SRC}/nss_ldap-%{NSS_LDAP_VER}/snprintf.h .
|
||||
|
||||
sed -i -e 's,^ldap.conf$$,pam_ldap.conf,g' *.5
|
||||
sed -i -e 's,^/etc/ldap\.,/etc/pam_ldap.,g' *.5
|
||||
sed -i -e 's,in ldap.co$nf,in pam_ldap.conf,g' *.5
|
||||
sed -i -e 's,of ldap.conf,of pam_ldap.conf,g' *.5
|
||||
sed -i -e 's,ldap.secret,pam_ldap.secret,g' *.5
|
||||
sed -i -e 's,(ldap.conf),(pam_ldap.conf),g' *.5
|
||||
|
||||
autoreconf -f -i
|
||||
end
|
||||
|
||||
make_build_targets += \
|
||||
LDFLAGS="-Wl,-z,nodelete"
|
||||
|
||||
install
|
||||
# Create directory layout
|
||||
mkdir -pv %{BUILDROOT}/{etc,%{libdir}/security}
|
||||
|
||||
# Prevent to install an ldap.conf
|
||||
touch %{BUILDROOT}/etc/ldap.conf
|
||||
make install DESTDIR=%{BUILDROOT}
|
||||
rm -rvf %{BUILDROOT}/etc/ldap.conf
|
||||
|
||||
# Install the default configuration file and change padl to example
|
||||
sed 's|dc=padl|dc=example|g' ldap.conf > %{BUILDROOT}/etc/pam_ldap.conf
|
||||
chmod 644 %{BUILDROOT}/etc/pam_ldap.conf
|
||||
|
||||
# Create an empty ldap.secret file
|
||||
touch %{BUILDROOT}/etc/pam_ldap.secret
|
||||
end
|
||||
end
|
||||
|
||||
packages
|
||||
package %{name}
|
||||
conflicts
|
||||
filesystem < 002
|
||||
end
|
||||
end
|
||||
|
||||
package %{name}-debuginfo
|
||||
template DEBUGINFO
|
||||
end
|
||||
end
|
|
@ -1,11 +0,0 @@
|
|||
--- pam_ldap-176/pam_ldap.c 2011-01-06 07:37:12.000000000 -0800
|
||||
+++ pam_ldap-176/pam_ldap.c 2011-01-06 07:38:59.000000000 -0800
|
||||
@@ -3415,7 +3415,7 @@
|
||||
if (rc != PAM_SUCCESS)
|
||||
return rc;
|
||||
|
||||
- if (!(session->conf->rootbinddn && getuid () == 0))
|
||||
+ if (!(session->conf->rootbinddn && getuid () == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK)))
|
||||
{
|
||||
/* we are not root, authenticate old password */
|
||||
if (try_first_pass || use_first_pass)
|
|
@ -1,17 +0,0 @@
|
|||
When deciding whether or not to try to use ldap_modify to change the user's
|
||||
password, skip it if we're in "pam_password exop_send_old", just as we would
|
||||
for "pam_password exop". Upstream #321.
|
||||
|
||||
diff -up pam_ldap-176/pam_ldap.c pam_ldap-176/pam_ldap.c
|
||||
--- pam_ldap-176/pam_ldap.c 2007-10-04 10:07:32.000000000 -0400
|
||||
+++ pam_ldap-176/pam_ldap.c 2007-10-04 10:07:40.000000000 -0400
|
||||
@@ -3025,7 +3025,8 @@ _update_authtok (pam_handle_t *pamh,
|
||||
break;
|
||||
} /* end switch */
|
||||
|
||||
- if (session->conf->password_type != PASSWORD_EXOP)
|
||||
+ if ((session->conf->password_type != PASSWORD_EXOP) &&
|
||||
+ (session->conf->password_type != PASSWORD_EXOP_SEND_OLD))
|
||||
{
|
||||
rc = ldap_modify_s (session->ld, session->info->userdn, mods);
|
||||
if (rc != LDAP_SUCCESS)
|
|
@ -1,18 +0,0 @@
|
|||
--- pam_ldap-180/Makefile.am 2006-01-11 14:52:17.000000000 -0500
|
||||
+++ pam_ldap-180/Makefile.am 2006-01-11 14:52:11.000000000 -0500
|
||||
@@ -23,12 +23,12 @@
|
||||
@$(NORMAL_INSTALL)
|
||||
$(mkinstalldirs) $(DESTDIR)$(libdir)/security
|
||||
if EXTENSION_SO
|
||||
- $(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so
|
||||
+ $(INSTALL_PROGRAM) pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so
|
||||
else
|
||||
if EXTENSION_1
|
||||
- $(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/libpam_ldap.1
|
||||
+ $(INSTALL_PROGRAM) pam_ldap.so $(DESTDIR)$(libdir)/security/libpam_ldap.1
|
||||
else
|
||||
- $(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so.1
|
||||
+ $(INSTALL_PROGRAM) pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so.1
|
||||
(cd $(DESTDIR)$(libdir)/security; rm -f pam_ldap.so; ln -s pam_ldap.so.1 pam_ldap.so)
|
||||
endif
|
||||
endif
|
|
@ -1,14 +0,0 @@
|
|||
Give people a pointer to the pam_ldap man page, because the name of this file
|
||||
actually has changed over time.
|
||||
|
||||
--- pam_ldap/ldap.conf 2006-07-25 17:16:11.000000000 -0400
|
||||
+++ pam_ldap/ldap.conf 2006-07-25 17:16:06.000000000 -0400
|
||||
@@ -3,6 +3,8 @@
|
||||
# This is the configuration file for the LDAP nameservice
|
||||
# switch library and the LDAP PAM module.
|
||||
#
|
||||
+# The man page for this file is pam_ldap(5)
|
||||
+#
|
||||
# PADL Software
|
||||
# http://www.padl.com
|
||||
#
|
|
@ -1,77 +0,0 @@
|
|||
Fix a memory leak at cleanup-time.
|
||||
|
||||
diff -up pam_ldap/pam_ldap.c pam_ldap/pam_ldap.c
|
||||
--- pam_ldap/pam_ldap.c 2009-07-22 15:55:42.000000000 -0400
|
||||
+++ pam_ldap/pam_ldap.c 2009-07-22 16:00:23.000000000 -0400
|
||||
@@ -437,6 +437,7 @@ static void
|
||||
_release_config (pam_ldap_config_t ** pconfig)
|
||||
{
|
||||
pam_ldap_config_t *c;
|
||||
+ pam_ssd_t *ssd, *next_ssd;
|
||||
|
||||
c = *pconfig;
|
||||
if (c == NULL)
|
||||
@@ -445,6 +446,9 @@ _release_config (pam_ldap_config_t ** pc
|
||||
if (c->configFile != NULL)
|
||||
free (c->configFile);
|
||||
|
||||
+ if (c->uri != NULL)
|
||||
+ free (c->uri);
|
||||
+
|
||||
if (c->host != NULL)
|
||||
free (c->host);
|
||||
|
||||
@@ -474,6 +478,16 @@ _release_config (pam_ldap_config_t ** pc
|
||||
free (c->sslpath);
|
||||
}
|
||||
|
||||
+ ssd = c->ssd;
|
||||
+ while ( ssd != NULL )
|
||||
+ {
|
||||
+ next_ssd = ssd->next;
|
||||
+ free (ssd->base);
|
||||
+ free (ssd->filter);
|
||||
+ free (ssd);
|
||||
+ ssd = next_ssd;
|
||||
+ }
|
||||
+
|
||||
if (c->userattr != NULL)
|
||||
{
|
||||
free (c->userattr);
|
||||
@@ -509,6 +523,36 @@ _release_config (pam_ldap_config_t ** pc
|
||||
free (c->logdir);
|
||||
}
|
||||
|
||||
+ if (c->tls_cacertfile != NULL)
|
||||
+ {
|
||||
+ free (c->tls_cacertfile);
|
||||
+ }
|
||||
+
|
||||
+ if (c->tls_cacertdir != NULL)
|
||||
+ {
|
||||
+ free (c->tls_cacertdir);
|
||||
+ }
|
||||
+
|
||||
+ if (c->tls_ciphers != NULL)
|
||||
+ {
|
||||
+ free (c->tls_ciphers);
|
||||
+ }
|
||||
+
|
||||
+ if (c->tls_cert != NULL)
|
||||
+ {
|
||||
+ free (c->tls_cert);
|
||||
+ }
|
||||
+
|
||||
+ if (c->tls_key != NULL)
|
||||
+ {
|
||||
+ free (c->tls_key);
|
||||
+ }
|
||||
+
|
||||
+ if (c->tls_randfile != NULL)
|
||||
+ {
|
||||
+ free (c->tls_randfile);
|
||||
+ }
|
||||
+
|
||||
if (c->sasl_mechanism != NULL)
|
||||
{
|
||||
free (c->sasl_mechanism);
|
|
@ -1,86 +0,0 @@
|
|||
Add a role check, like the existing group membership check.
|
||||
Submitted to upstream #382.
|
||||
|
||||
diff -up pam_ldap-184/pam_ldap.5 pam_ldap-184/pam_ldap.5
|
||||
--- pam_ldap-184/pam_ldap.5 2008-11-17 13:36:03.000000000 -0500
|
||||
+++ pam_ldap-184/pam_ldap.5 2008-11-17 13:37:35.000000000 -0500
|
||||
@@ -333,6 +333,10 @@ group specified in the
|
||||
.B pam_groupdn
|
||||
option.
|
||||
.TP
|
||||
+.B pam_nsrole <role>
|
||||
+Specifies a value which the user's entry's "nsRole" attribute must match
|
||||
+for logon authorization to succeed.
|
||||
+.TP
|
||||
.B pam_min_uid <uid>
|
||||
If specified, a user must have a POSIX user ID of at least
|
||||
.B uid
|
||||
diff -up pam_ldap-184/pam_ldap.c pam_ldap-184/pam_ldap.c
|
||||
--- pam_ldap-184/pam_ldap.c 2008-11-17 13:35:52.000000000 -0500
|
||||
+++ pam_ldap-184/pam_ldap.c 2008-11-17 13:35:56.000000000 -0500
|
||||
@@ -499,6 +499,11 @@ _release_config (pam_ldap_config_t ** pc
|
||||
free (c->groupdn);
|
||||
}
|
||||
|
||||
+ if (c->nsrole != NULL)
|
||||
+ {
|
||||
+ free (c->nsrole);
|
||||
+ }
|
||||
+
|
||||
if (c->filter != NULL)
|
||||
{
|
||||
free (c->filter);
|
||||
@@ -639,6 +644,7 @@ _alloc_config (pam_ldap_config_t ** pres
|
||||
result->userattr = NULL;
|
||||
result->groupattr = NULL;
|
||||
result->groupdn = NULL;
|
||||
+ result->nsrole = NULL;
|
||||
result->getpolicy = 0;
|
||||
result->checkhostattr = 0;
|
||||
result->checkserviceattr = 0;
|
||||
@@ -1043,6 +1049,10 @@ _read_config (const char *configFile, pa
|
||||
{
|
||||
CHECKPOINTER (result->groupattr = strdup (v));
|
||||
}
|
||||
+ else if (!strcasecmp (k, "pam_nsrole"))
|
||||
+ {
|
||||
+ CHECKPOINTER (result->nsrole = strdup (v));
|
||||
+ }
|
||||
else if (!strcasecmp (k, "pam_min_uid"))
|
||||
{
|
||||
result->min_uid = (uid_t) atol (v);
|
||||
@@ -4136,6 +4146,23 @@ pam_sm_acct_mgmt (pam_handle_t * pamh, i
|
||||
rc = success;
|
||||
}
|
||||
|
||||
+ /* check the user's entry's nsRole attribute for the required value */
|
||||
+ if (rc == success && session->conf->nsrole != NULL)
|
||||
+ {
|
||||
+ rc = ldap_compare_s (session->ld,
|
||||
+ session->info->userdn,
|
||||
+ "nsRole", session->conf->nsrole);
|
||||
+ if (rc != LDAP_COMPARE_TRUE)
|
||||
+ {
|
||||
+ snprintf (buf, sizeof buf, "You must have the %s role to login.",
|
||||
+ session->conf->nsrole);
|
||||
+ _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
|
||||
+ return PAM_PERM_DENIED;
|
||||
+ }
|
||||
+ else
|
||||
+ rc = success;
|
||||
+ }
|
||||
+
|
||||
if (rc == success && session->conf->checkserviceattr)
|
||||
{
|
||||
rc = _service_ok (pamh, session);
|
||||
--- pam_ldap-184/pam_ldap.h 2008-11-17 13:39:49.000000000 -0500
|
||||
+++ pam_ldap-184/pam_ldap.h 2008-11-17 13:39:50.000000000 -0500
|
||||
@@ -95,6 +95,8 @@
|
||||
char *groupdn;
|
||||
/* group membership attribute; defaults to uniquemember */
|
||||
char *groupattr;
|
||||
+ /* role name; optional, for access authorization */
|
||||
+ char *nsrole;
|
||||
/* LDAP protocol version */
|
||||
int version;
|
||||
/* search timelimit */
|
|
@ -1,337 +0,0 @@
|
|||
--- pam_ldap-176/Makefile.am 2004-09-30 22:33:14.000000000 -0400
|
||||
+++ pam_ldap-176/Makefile.am 2004-10-28 17:24:13.691936696 -0400
|
||||
@@ -2,7 +2,7 @@ noinst_PROGRAMS = pam_ldap.so
|
||||
EXTRA_DIST = COPYING.LIB CVSVersionInfo.txt ChangeLog README \
|
||||
ldap.conf pam.conf pam_ldap.spec pam.d
|
||||
|
||||
-pam_ldap_so_SOURCES = pam_ldap.c pam_ldap.h md5.c md5.h vers.c
|
||||
+pam_ldap_so_SOURCES = pam_ldap.c pam_ldap.h md5.c md5.h vers.c resolve.c resolve.h dnsconfig.c dnsconfig.h snprintf.c snprintf.h
|
||||
pam_ldap_so_LDFLAGS = @pam_ldap_so_LDFLAGS@
|
||||
|
||||
man_MANS = pam_ldap.5
|
||||
--- pam_ldap-176/configure.in 2004-09-30 22:33:14.000000000 -0400
|
||||
+++ pam_ldap-176/configure.in 2004-10-28 17:24:13.692936544 -0400
|
||||
@@ -133,6 +133,38 @@
|
||||
AC_CHECK_FUNCS(ldap_initialize)
|
||||
AC_CHECK_FUNCS(ldap_sasl_bind ldap_sasl_interactive_bind_s)
|
||||
AC_CHECK_FUNCS(gethostbyname_r)
|
||||
+AC_CHECK_FUNCS(snprintf strtok_r)
|
||||
+AC_CHECK_LIB(resolv, main)
|
||||
+AC_CHECK_HEADERS(resolv.h)
|
||||
+AC_CHECK_FUNCS(res_search dn_expand)
|
||||
+if test x$ac_cv_func_res_search = xno ; then
|
||||
+ AC_MSG_CHECKING([for res_search again])
|
||||
+ AC_TRY_LINK([#ifdef HAVE_RESOLV_H
|
||||
+ #include <resolv.h>
|
||||
+ #endif
|
||||
+ #ifdef HAVE_STDLIB_H
|
||||
+ #include <stdlib.h>
|
||||
+ #endif],
|
||||
+ [res_search(NULL,0,0,NULL,0);],
|
||||
+ AC_DEFINE(HAVE_RES_SEARCH,1,
|
||||
+ [Define if you have res_search().])
|
||||
+ ac_cv_func_res_search=yes)
|
||||
+ AC_CHECK_FUNCS(res_search)
|
||||
+fi
|
||||
+if test x$ac_cv_func_dn_expand = xno ; then
|
||||
+ AC_MSG_CHECKING([for dn_expand again])
|
||||
+ AC_TRY_LINK([#ifdef HAVE_RESOLV_H
|
||||
+ #include <resolv.h>
|
||||
+ #endif
|
||||
+ #ifdef HAVE_STDLIB_H
|
||||
+ #include <stdlib.h>
|
||||
+ #endif],
|
||||
+ [dn_expand(NULL,NULL,NULL,NULL,0);],
|
||||
+ AC_DEFINE(HAVE_DN_EXPAND,1,
|
||||
+ [Define if you have dn_expand().])
|
||||
+ ac_cv_func_dn_expand=yes)
|
||||
+ AC_CHECK_FUNCS(dn_expand)
|
||||
+fi
|
||||
|
||||
if test "$ac_cv_func_gethostbyname_r" = "yes"; then
|
||||
AC_CACHE_CHECK(whether gethostbyname_r takes 6 arguments, xad_cv_gethostbyname_r_args, [
|
||||
--- /dev/null 2004-10-19 17:45:17.794252000 -0400
|
||||
+++ pam_ldap-176/dnsconfig.c 2004-10-28 17:32:36.915435096 -0400
|
||||
@@ -0,0 +1,214 @@
|
||||
+
|
||||
+/* Copyright (C) 1997-2001 Luke Howard.
|
||||
+ This file started off as part of the nss_ldap library.
|
||||
+ Contributed by Luke Howard, <lukeh@padl.com>, 1997.
|
||||
+ (The author maintains a non-exclusive licence to distribute this file
|
||||
+ under their own conditions.)
|
||||
+
|
||||
+ The nss_ldap library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Library General Public License as
|
||||
+ published by the Free Software Foundation; either version 2 of the
|
||||
+ License, or (at your option) any later version.
|
||||
+
|
||||
+ The nss_ldap library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Library General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Library General Public
|
||||
+ License along with the nss_ldap library; see the file COPYING.LIB. If not,
|
||||
+ write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
||||
+ Boston, MA 02111-1307, USA.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Support DNS SRV records. I look up the SRV record for
|
||||
+ * _ldap._tcp.gnu.org.
|
||||
+ * and build the DN DC=gnu,DC=org.
|
||||
+ * Thanks to Assar & co for resolve.[ch].
|
||||
+ */
|
||||
+
|
||||
+static char rcsId[] = "$Id: dnsconfig.c,v 2.24 2001/02/27 14:44:31 lukeh Exp $";
|
||||
+
|
||||
+#include "config.h"
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <string.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <sys/param.h>
|
||||
+#include <netdb.h>
|
||||
+#include <syslog.h>
|
||||
+#include <netinet/in.h>
|
||||
+#include <arpa/nameser.h>
|
||||
+#include <resolv.h>
|
||||
+#include <string.h>
|
||||
+
|
||||
+#ifdef HAVE_LBER_H
|
||||
+#include <lber.h>
|
||||
+#endif
|
||||
+#ifdef HAVE_LDAP_H
|
||||
+#include <ldap.h>
|
||||
+#endif
|
||||
+
|
||||
+#ifndef HAVE_SNPRINTF
|
||||
+#include "snprintf.h"
|
||||
+#endif
|
||||
+
|
||||
+#include "pam_ldap.h"
|
||||
+#include "resolve.h"
|
||||
+#include "dnsconfig.h"
|
||||
+
|
||||
+#define DC_ATTR "DC"
|
||||
+#define DC_ATTR_AVA DC_ATTR "="
|
||||
+#define DC_ATTR_AVA_LEN (sizeof(DC_ATTR_AVA) - 1)
|
||||
+
|
||||
+/* map gnu.org into DC=gnu,DC=org */
|
||||
+int
|
||||
+_pam_ldap_getdnsdn (char *src_domain, char **rval)
|
||||
+{
|
||||
+ char *p;
|
||||
+ int len = 0;
|
||||
+#ifdef HAVE_STRTOK_R
|
||||
+ char *st = NULL;
|
||||
+#endif
|
||||
+ char *domain;
|
||||
+ char domain_copy[BUFSIZ], buffer[BUFSIZ];
|
||||
+
|
||||
+ /* we need to take a copy of domain, because strtok() modifies
|
||||
+ * it in place. Bad.
|
||||
+ */
|
||||
+ if (strlen (src_domain) >= sizeof (domain_copy))
|
||||
+ {
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ memset (domain_copy, '\0', sizeof (domain_copy));
|
||||
+ memset (buffer, '\0', sizeof (buffer));
|
||||
+ strcpy (domain_copy, src_domain);
|
||||
+
|
||||
+ domain = domain_copy;
|
||||
+
|
||||
+#ifndef HAVE_STRTOK_R
|
||||
+ while ((p = strtok (domain, ".")))
|
||||
+#else
|
||||
+ while ((p = strtok_r (domain, ".", &st)))
|
||||
+#endif
|
||||
+ {
|
||||
+ len = strlen (p);
|
||||
+
|
||||
+ if (strlen (buffer) + DC_ATTR_AVA_LEN + len + 1 >= sizeof (buffer))
|
||||
+ {
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+
|
||||
+ if (domain == NULL)
|
||||
+ {
|
||||
+ strcat (buffer, ",");
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ domain = NULL;
|
||||
+ }
|
||||
+
|
||||
+ strcat (buffer, DC_ATTR_AVA);
|
||||
+ strcat (buffer, p);
|
||||
+ }
|
||||
+
|
||||
+ if (rval != NULL)
|
||||
+ {
|
||||
+ *rval = strdup (buffer);
|
||||
+ }
|
||||
+
|
||||
+ return PAM_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+int
|
||||
+_pam_ldap_readconfigfromdns (pam_ldap_config_t * result)
|
||||
+{
|
||||
+ int stat = PAM_SUCCESS;
|
||||
+ struct dns_reply *r;
|
||||
+ struct resource_record *rr;
|
||||
+ char domain[MAXHOSTNAMELEN + 1];
|
||||
+
|
||||
+ /* only reinitialize variables we'll change here */
|
||||
+ result->host = NULL;
|
||||
+ result->base = NULL;
|
||||
+ result->port = LDAP_PORT;
|
||||
+#ifdef LDAP_VERSION3
|
||||
+ result->version = LDAP_VERSION3;
|
||||
+#else
|
||||
+ result->version = LDAP_VERSION2;
|
||||
+#endif /* LDAP_VERSION3 */
|
||||
+
|
||||
+ if ((_res.options & RES_INIT) == 0 && res_init () == -1)
|
||||
+ {
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+
|
||||
+ snprintf (domain, sizeof (domain), "_ldap._tcp.%s.", _res.defdname);
|
||||
+
|
||||
+ r = dns_lookup (domain, "srv");
|
||||
+ if (r == NULL)
|
||||
+ {
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+
|
||||
+ /* XXX need to sort by priority and reorder using weights */
|
||||
+ for (rr = r->head; rr != NULL; rr = rr->next)
|
||||
+ {
|
||||
+ if (rr->type == T_SRV)
|
||||
+ {
|
||||
+ if (result->host != NULL)
|
||||
+ {
|
||||
+ /* need more space */
|
||||
+ int length;
|
||||
+ char *tmp;
|
||||
+ length = strlen (result->host) + 1 +
|
||||
+ strlen (rr->u.srv->target) + 1 + 5 + 1;
|
||||
+ tmp = malloc (length);
|
||||
+ if (tmp == NULL)
|
||||
+ {
|
||||
+ dns_free_data (r);
|
||||
+ return PAM_BUF_ERR;
|
||||
+ }
|
||||
+ sprintf (tmp, "%s %s:%d", result->host, rr->u.srv->target,
|
||||
+ rr->u.srv->port);
|
||||
+ free (result->host);
|
||||
+ result->host = tmp;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ /* Server Host */
|
||||
+ result->host = strdup (rr->u.srv->target);
|
||||
+ if (result->host == NULL)
|
||||
+ {
|
||||
+ dns_free_data (r);
|
||||
+ return PAM_BUF_ERR;
|
||||
+ }
|
||||
+ /* Port */
|
||||
+ result->port = rr->u.srv->port;
|
||||
+ }
|
||||
+
|
||||
+#ifdef LDAPS_PORT
|
||||
+ /* Hack: if the port is the registered SSL port, enable SSL. */
|
||||
+ if (result->port == LDAPS_PORT)
|
||||
+ {
|
||||
+ result->ssl_on = SSL_LDAPS;
|
||||
+ }
|
||||
+#endif /* SSL */
|
||||
+
|
||||
+ /* DN */
|
||||
+ stat = _pam_ldap_getdnsdn (_res.defdname, &result->base);
|
||||
+ if (stat != PAM_SUCCESS)
|
||||
+ {
|
||||
+ dns_free_data (r);
|
||||
+ return stat;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ dns_free_data (r);
|
||||
+ stat = PAM_SUCCESS;
|
||||
+
|
||||
+ return stat;
|
||||
+}
|
||||
--- /dev/null 2004-10-19 17:45:17.794252000 -0400
|
||||
+++ pam_ldap-176/dnsconfig.h 2004-10-28 17:24:13.694936240 -0400
|
||||
@@ -0,0 +1,35 @@
|
||||
+/* Copyright (C) 1997-2001 Luke Howard.
|
||||
+ This file started off as part of the nss_ldap library.
|
||||
+ Contributed by Luke Howard, <lukeh@padl.com>, 1997.
|
||||
+ (The author maintains a non-exclusive licence to distribute this file
|
||||
+ under their own conditions.)
|
||||
+
|
||||
+ The nss_ldap library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Library General Public License as
|
||||
+ published by the Free Software Foundation; either version 2 of the
|
||||
+ License, or (at your option) any later version.
|
||||
+
|
||||
+ The nss_ldap library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Library General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Library General Public
|
||||
+ License along with the nss_ldap library; see the file COPYING.LIB. If not,
|
||||
+ write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
||||
+ Boston, MA 02111-1307, USA.
|
||||
+ */
|
||||
+
|
||||
+#ifndef _LDAP_PAM_LDAP_DNSCONFIG_H
|
||||
+#define _LDAP_PAM_LDAP_DNSCONFIG_H
|
||||
+
|
||||
+/* utility routines. */
|
||||
+
|
||||
+int _pam_ldap_getdnsdn (
|
||||
+ char *domain,
|
||||
+ char **rval);
|
||||
+
|
||||
+int _pam_ldap_readconfigfromdns (
|
||||
+ pam_ldap_config_t *result);
|
||||
+
|
||||
+#endif /* _LDAP_PAM_LDAP_DNSCONFIG_H */
|
||||
--- pam_ldap-176/pam_ldap.c 2004-09-30 22:33:14.000000000 -0400
|
||||
+++ pam_ldap-176/pam_ldap.c 2004-10-28 17:40:56.918423088 -0400
|
||||
@@ -130,6 +130,7 @@
|
||||
|
||||
#include "pam_ldap.h"
|
||||
#include "md5.h"
|
||||
+#include "dnsconfig.h"
|
||||
|
||||
#if defined(HAVE_SECURITY_PAM_MISC_H) || defined(HAVE_PAM_PAM_MISC_H)
|
||||
/* FIXME: is there something better to check? */
|
||||
@@ -1107,11 +1108,15 @@
|
||||
{
|
||||
/*
|
||||
* According to PAM Documentation, such an error in a config file
|
||||
- * SHOULD be logged at LOG_ALERT level
|
||||
+ * SHOULD be logged at LOG_ALERT level, but we suppress it if DNS
|
||||
+ * can provide us with the needed information
|
||||
*/
|
||||
- syslog (LOG_ALERT, "pam_ldap: missing \"host\" in file \"%s\"",
|
||||
- configFile);
|
||||
- return PAM_SERVICE_ERR;
|
||||
+ if (_pam_ldap_readconfigfromdns (result) != PAM_SUCCESS)
|
||||
+ {
|
||||
+ syslog (LOG_ALERT, "pam_ldap: missing \"host\" in file \"%s\"",
|
||||
+ configFile);
|
||||
+ return PAM_SERVICE_ERR;
|
||||
+ }
|
||||
}
|
||||
|
||||
#if !(defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_H)) && !defined(HAVE_LDAP_SASL_INTERACTIVE_BIND_S)
|
|
@ -1,61 +0,0 @@
|
|||
Heavily based on a patch from Masahiro Matsuya.
|
||||
|
||||
diff -up pam_ldap-185/pam_ldap.c pam_ldap-185/pam_ldap.c
|
||||
--- pam_ldap-185/pam_ldap.c 2010-09-22 18:35:55.377828002 -0400
|
||||
+++ pam_ldap-185/pam_ldap.c 2010-09-22 19:08:34.938828001 -0400
|
||||
@@ -4014,6 +4014,8 @@ pam_sm_acct_mgmt (pam_handle_t * pamh, i
|
||||
time_t currenttime;
|
||||
long int currentday;
|
||||
long int expirein = 0; /* seconds until password expires */
|
||||
+ long int expireh = 0;
|
||||
+ long int expires = 0;
|
||||
const char *configFile = NULL;
|
||||
|
||||
for (i = 0; i < argc; i++)
|
||||
@@ -4190,14 +4191,29 @@ pam_sm_acct_mgmt (pam_handle_t * pamh, i
|
||||
}
|
||||
else
|
||||
{
|
||||
- expirein = session->info->password_expiration_time / SECSPERDAY;
|
||||
+ if ( session->info->password_expiration_time != 0 )
|
||||
+ {
|
||||
+ expires = session->info->password_expiration_time;
|
||||
+ expirein = session->info->password_expiration_time / SECSPERDAY;
|
||||
+ if ( expirein == 0 )
|
||||
+ {
|
||||
+ expireh = session->info->password_expiration_time / SECSPERHOUR;
|
||||
+ }
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ expirein = 0;
|
||||
+ }
|
||||
}
|
||||
|
||||
- if (expirein > 0)
|
||||
+ if ((expirein > 0) || (expireh > 0) || (expires > 0))
|
||||
{
|
||||
snprintf (buf, sizeof buf,
|
||||
- "Your LDAP password will expire in %ld day%s.",
|
||||
- expirein, (expirein == 1) ? "" : "s");
|
||||
+ "Your LDAP password will expire in %ld %s.",
|
||||
+ (expirein == 0) ? expireh : expirein,
|
||||
+ (expirein == 0) ?
|
||||
+ ((expireh == 1) ? "hour" : "hours") :
|
||||
+ ((expirein == 1) ? "day" : "days"));
|
||||
_conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
|
||||
|
||||
/* we set this to make sure that user can't abort a password change */
|
||||
diff -up pam_ldap-185/pam_ldap.h pam_ldap-185/pam_ldap.h
|
||||
--- pam_ldap-185/pam_ldap.h 2010-09-22 18:35:55.359828002 -0400
|
||||
+++ pam_ldap-185/pam_ldap.h 2010-09-22 19:00:56.787828000 -0400
|
||||
@@ -226,6 +226,9 @@ pam_ldap_shadow_t;
|
||||
/* Seconds in a day */
|
||||
#define SECSPERDAY 86400
|
||||
|
||||
+/* Seconds in an hour */
|
||||
+#define SECSPERHOUR 3600
|
||||
+
|
||||
/* Netscape per-use password attributes. Unused except for DN. */
|
||||
typedef struct pam_ldap_user_info
|
||||
{
|
Loading…
Reference in New Issue