{nss,pam}_ldap: Drop packages

These are obsoleted by sssd and FTBFS (fail to build from source).

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer 2016-10-15 09:10:30 -04:00
parent 5950243ec7
commit fd724b8af7
23 changed files with 0 additions and 2033 deletions


@ -1,105 +0,0 @@
###############################################################################
# IPFire.org - An Open Source Firewall Solution #
# Copyright (C) - IPFire Development Team <info@ipfire.org> #
###############################################################################
name = nss_ldap
version = 265
release = 5
groups = System/Base
url = http://www.padl.com/
license = LGPLv2+
summary = NSS library and PAM module for LDAP.
description
This package includes two LDAP access clients: nss_ldap and
pam_ldap. Nss_ldap is a set of C library extensions that allow
X.500 and LDAP directory servers to be used as a primary source
of aliases, ethers, groups, hosts, networks, protocol, users,
RPCs, services, and shadow passwords.
end
source_dl = http://www.padl.com/download/
patches = \
nss_ldap-265-depth.patch \
nss_ldap-254-soname.patch \
nss_ldap-257-mozldap.patch \
nss_ldap-259-res_init.patch \
nss_ldap-264-checkcase.patch \
nss_ldap-265-ent_internal.patch \
nss_ldap-264-cloexec.patch \
nss_ldap-265-local_users.patch \
nss_ldap-265-erange.patch \
nss_ldap-265-initgroups-minimum_uid.patch \
nss_ldap-265-fix-uninit.patch \
nss_ldap-265-padl-bug-418.patch \
nss_ldap-265-setnetgrent.patch
build
requires
autoconf
automake
cyrus-sasl-devel
openldap-devel
end
configure_options += \
--sysconfdir=/etc \
--with-ldap-lib=openldap \
--enable-rfc2307bis \
--with-ldap-conf-file=/etc/nss_ldap.conf \
--with-ldap-secret-file=/etc/nss_ldap.secret
prepare_cmds
sed -i -e 's,^ldap.conf$$,nss_ldap.conf,g' *.5
sed -i -e 's,^/etc/ldap\.,/etc/nss_ldap.,g' *.5
sed -i -e 's,ldap.secret,nss_ldap.secret,g' *.5
sed -i -e 's,(ldap.conf),(nss_ldap.conf),g' *.5
# Fix call for vers_string.
sed -e "s/vers_string/.\/&/g" -i Makefile*
autoreconf -vfi
end
make_build_targets += \
LDFLAGS="-Wl,-z,nodelete"
make_install_targets += \
LIBC_VERS=%{version}
install_cmds
# Remove awkward directory
rm -rvf %{BUILDROOT}/usr/usr
if [ -e "%{BUILDROOT}%{libdir}/libnss_ldap-%{version}.so" ]; then
ln -svf libnss_ldap-%{version}.so %{BUILDROOT}%{libdir}/libnss_ldap.so.2
ln -svf libnss_ldap.so.2 %{BUILDROOT}%{libdir}/libnss_ldap.so
fi
rm -vf %{BUILDROOT}/etc/nsswitch.ldap
cd %{DIR_APP} && sed 's|dc=padl|dc=example|g' ldap.conf > \
%{BUILDROOT}/etc/nss_ldap.conf
touch %{BUILDROOT}/etc/nss_ldap.secret
end
end
packages
package %{name}
requires
%{libdir}/security/pam_ldap.so
end
configfiles
%{sysconfdir}/nss_ldap.conf
%{sysconfdir}/nss_ldap.secret
end
end
package %{name}-debuginfo
template DEBUGINFO
end
end


@ -1,12 +0,0 @@
Set the soname which glibc expects us to have.
--- nss_ldap-254/configure.in 2007-02-26 16:40:53.000000000 -0500
+++ nss_ldap-254/configure.in 2007-02-26 16:40:47.000000000 -0500
@@ -92,7 +92,7 @@
nss_ldap_so_LDFLAGS="-b -dynamic -G `cat exports.hpux`"
CPPFLAGS="$CPPFLAGS -I. -DHPUX"
TARGET_OS=HPUX ;;
-linux*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux" ;;
+linux*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux -Wl,-soname=libnss_ldap.so.2" ;;
*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic" ;;
esac


@ -1,287 +0,0 @@
Go back to using AC_TRY_COMPILE to detect <ldap_ssl.h>, which requires
that <ldap.h> be included before it.
Use the draft-specified value "0" instead of a preprocessor define which
mozldap doesn't provide (LDAP_OPT_SUCCESS).
Don't fail to compile if libldap doesn't provide ldap_create_control(),
just fail at run-time if we try to use it.
Only try to set non-portable options that the libldap which is being used
supports.
Don't depend on ldap_alloc_ber_with_options() being there; fall back to
either ber_alloc_t() or the deprecated der_alloc().
Learn about Mozilla LDAP 6.
Prefer </usr/include/nss.h> to <nss.h>, because <nss.h> can also be the
security toolkit used by Mozilla's LDAP SDK rather than libc's nsswitch
header, and if we've set the include path, we could be screwed.
Strip off any '/' which appears in our hostname before passing it to
ldap_init().
diff -up nss_ldap/configure.in nss_ldap/configure.in
--- nss_ldap/configure.in 2007-11-14 14:21:54.000000000 -0500
+++ nss_ldap/configure.in 2007-11-14 15:01:32.000000000 -0500
@@ -41,7 +41,7 @@ dnl
AC_ARG_ENABLE(configurable-krb5-ccname-env, [ --enable-configurable-krb5-ccname-env enable configurable Kerberos V credentials cache name (putenv method)], [AC_DEFINE(CONFIGURE_KRB5_CCNAME) AC_DEFINE(CONFIGURE_KRB5_CCNAME_ENV)])
AC_ARG_ENABLE(configurable-krb5-ccname-gssapi, [ --enable-configurable-krb5-ccname-gssapi enable configurable Kerberos V credentials cache name (gssapi method)], [AC_DEFINE(CONFIGURE_KRB5_CCNAME) AC_DEFINE(CONFIGURE_KRB5_CCNAME_GSSAPI)])
-AC_ARG_WITH(ldap-lib, [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
+AC_ARG_WITH(ldap-lib, [ --with-ldap-lib=type select ldap library [auto|mozilla|netscape5|netscape4|netscape3|umich|openldap]])
AC_ARG_WITH(ldap-dir, [ --with-ldap-dir=DIR base directory of LDAP SDK])
AC_ARG_WITH(ldap-conf-file, [ --with-ldap-conf-file path to LDAP configuration file],
[ NSS_LDAP_PATH_CONF="$with_ldap_conf_file" ],
@@ -132,17 +132,18 @@ AC_SUBST(NSS_LDAP_LDFLAGS)
AC_CHECK_HEADERS(lber.h)
AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
-AC_CHECK_HEADERS(ldap_ssl.h)
+dnl AC_CHECK_HEADERS(ldap_ssl.h)
-dnl AC_MSG_CHECKING(for ldap_ssl.h)
-dnl AC_TRY_COMPILE([#include <sys/types.h>
-dnl #include <ldap.h>
-dnl #include <ldap_ssl.h>], ,
-dnl [
-dnl AC_MSG_RESULT(yes),
-dnl AC_DEFINE(HAVE_LDAP_SSL_H, 1)
-dnl ],
-dnl AC_MSG_RESULT(no))
+AC_MSG_CHECKING(for ldap_ssl.h)
+AC_TRY_COMPILE([
+ #include <sys/types.h>
+ #include <ldap.h>
+ #include <ldap_ssl.h>],[],
+ [
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_LDAP_SSL_H,1,[Define if you have <ldap_ssl.h>.])
+ ],
+ AC_MSG_RESULT(no))
# For HP-UX and AIX we use private API, the headers for which
# are included locally. We need to do something to stop both
@@ -150,7 +151,8 @@ dnl AC_MSG_RESULT(no))
case "$target_os" in
aix*) AC_CHECK_HEADERS(irs.h usersec.h) ;;
hpux*) AC_CHECK_HEADERS(nsswitch.h) ;;
- *) AC_CHECK_HEADERS(nss.h)
+ *) AC_CHECK_HEADERS(/usr/include/nss.h)
+ AC_CHECK_HEADERS(nss.h)
AC_CHECK_HEADERS(nsswitch.h)
AC_CHECK_HEADERS(irs.h) ;;
esac
@@ -297,6 +299,9 @@ if test -z "$found_ldap_lib" -a \( $with
AC_CHECK_LIB(lber, main)
AC_CHECK_LIB(ldap, main, [LIBS="-lldap $LIBS" found_ldap_lib=yes],,$LIBS)
fi
+if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = mozilla \); then
+AC_CHECK_LIB(ldap60, main, LIBS="-lssldap60 -lprldap60 -lldap60 -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread)
+fi
if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread)
fi
@@ -331,6 +336,7 @@ AC_CHECK_FUNCS(ldap_init ldap_get_lderrn
AC_CHECK_FUNCS(ldap_ld_free ldap_explode_rdn ldap_set_option ldap_get_option)
AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s ldap_initialize ldap_search_ext)
AC_CHECK_FUNCS(ldap_create_control ldap_create_page_control ldap_parse_page_control)
+AC_CHECK_FUNCS(ldap_alloc_ber_with_options ber_alloc_t der_alloc)
if test "$enable_ssl" \!= "no"; then
AC_CHECK_FUNCS(ldapssl_client_init ldap_start_tls_s ldap_pvt_tls_set_option ldap_start_tls)
fi
diff -up nss_ldap/ldap-nss.h nss_ldap/ldap-nss.h
--- nss_ldap/ldap-nss.h 2007-11-14 14:21:54.000000000 -0500
+++ nss_ldap/ldap-nss.h 2007-11-14 15:05:57.000000000 -0500
@@ -58,6 +58,8 @@
#include <nss_common.h>
#include <nss_dbdefs.h>
#include <nsswitch.h>
+#elif defined(HAVE__USR_INCLUDE_NSS_H)
+#include </usr/include/nss.h>
#elif defined(HAVE_NSS_H)
#include <nss.h>
#elif defined(HAVE_IRS_H)
diff -up nss_ldap/ldap-nss.c nss_ldap/ldap-nss.c
--- nss_ldap/ldap-nss.c 2007-11-14 14:21:54.000000000 -0500
+++ nss_ldap/ldap-nss.c 2007-11-14 14:21:54.000000000 -0500
@@ -1069,6 +1069,23 @@ do_init_session (LDAP ** ld, const char
defport = atoi (p + 1);
uri = uribuf;
}
+ else
+ {
+ size_t urilen = strlen(uri);
+
+ if (urilen >= sizeof (uribuf))
+ {
+ return NSS_UNAVAIL;
+ }
+
+ memcpy (uribuf, uri, urilen);
+ uribuf[urilen] = '\0';
+
+ if ((urilen > 0) && (uribuf[urilen - 1] == '/'))
+ uribuf[urilen - 1] = '\0';
+
+ uri = uribuf;
+ }
# ifdef HAVE_LDAP_INIT
*ld = ldap_init (uri, defport);
@@ -1537,7 +1554,7 @@ do_open (void)
if (ldap_get_option
(__session.ls_conn, LDAP_OPT_PROTOCOL_VERSION,
- &version) == LDAP_OPT_SUCCESS)
+ &version) == 0)
{
if (version < LDAP_VERSION3)
{
@@ -1697,6 +1714,7 @@ do_ssl_options (ldap_config_t * cfg)
}
#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
+#ifdef LDAP_OPT_X_TLS_CACERTFILE
if (cfg->ldc_tls_cacertfile != NULL)
{
/* ca cert file */
@@ -1709,7 +1727,9 @@ do_ssl_options (ldap_config_t * cfg)
return LDAP_OPERATIONS_ERROR;
}
}
+#endif
+#ifdef LDAP_OPT_X_TLS_CACERTDIR
if (cfg->ldc_tls_cacertdir != NULL)
{
/* ca cert directory */
@@ -1722,7 +1742,9 @@ do_ssl_options (ldap_config_t * cfg)
return LDAP_OPERATIONS_ERROR;
}
}
+#endif
+#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
/* require cert? */
if (cfg->ldc_tls_checkpeer > -1)
{
@@ -1735,7 +1757,9 @@ do_ssl_options (ldap_config_t * cfg)
return LDAP_OPERATIONS_ERROR;
}
}
+#endif
+#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
if (cfg->ldc_tls_ciphers != NULL)
{
/* set cipher suite, certificate and private key: */
@@ -1748,7 +1772,9 @@ do_ssl_options (ldap_config_t * cfg)
return LDAP_OPERATIONS_ERROR;
}
}
+#endif
+#ifdef LDAP_OPT_X_TLS_CERTFILE
if (cfg->ldc_tls_cert != NULL)
{
rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE, cfg->ldc_tls_cert);
@@ -1759,7 +1785,9 @@ do_ssl_options (ldap_config_t * cfg)
return LDAP_OPERATIONS_ERROR;
}
}
+#endif
+#ifdef LDAP_OPT_X_TLS_CERTFILE
if (cfg->ldc_tls_key != NULL)
{
rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE, cfg->ldc_tls_key);
@@ -1770,6 +1798,7 @@ do_ssl_options (ldap_config_t * cfg)
return LDAP_OPERATIONS_ERROR;
}
}
+#endif
debug ("<== do_ssl_options");
diff -up nss_ldap/pagectrl.c nss_ldap/pagectrl.c
--- nss_ldap/pagectrl.c 2007-08-03 00:51:09.000000000 -0400
+++ nss_ldap/pagectrl.c 2007-11-14 14:21:54.000000000 -0500
@@ -38,6 +38,17 @@ static char rcsId[] = "$Id: pagectrl.c,v
#define LDAP_CONTROL_PAGE_OID "1.2.840.113556.1.4.319"
#endif
+#ifndef HAVE_LDAP_CREATE_CONTROL
+#define ldap_create_control _nss_ldap_fail_to_create_control
+static int
+ldap_create_control(const char *oid, BerElement *value,
+ int iscritical, LDAPControl ** ctrlp)
+{
+ *ctrlp = NULL;
+ return LDAP_ENCODING_ERROR;
+}
+#endif
+
#ifndef HAVE_LDAP_CREATE_PAGE_CONTROL
/*---
ldap_create_page_control
@@ -78,9 +89,6 @@ static char rcsId[] = "$Id: pagectrl.c,v
---*/
-#ifndef HAVE_LDAP_CREATE_CONTROL
-#error LDAP client library does not support ldap_create_control()
-#else
int
ldap_create_page_control (LDAP * ld,
unsigned long pagesize,
@@ -97,10 +105,24 @@ ldap_create_page_control (LDAP * ld,
return (LDAP_PARAM_ERROR);
}
+#ifdef HAVE_LDAP_ALLOC_BER_WITH_OPTIONS
if ((ber = ldap_alloc_ber_with_options (ld)) == NULL)
{
return (LDAP_NO_MEMORY);
}
+#elif defined(HAVE_BER_ALLOC_T) && defined(LBER_USE_DER)
+ if ((ber = ber_alloc_t(LBER_USE_DER)) == NULL)
+ {
+ return (LDAP_NO_MEMORY);
+ }
+#elif defined(HAVE_DER_ALLOC)
+ if ((ber = der_alloc()) == NULL)
+ {
+ return (LDAP_NO_MEMORY);
+ }
+#else
+ return (LDAP_NO_MEMORY);
+#endif
tag = ber_printf (ber, "{i", pagesize);
if (tag == LBER_ERROR)
@@ -126,7 +148,6 @@ exit:
ber_free (ber, 1);
return (LDAP_ENCODING_ERROR);
}
-#endif /* HAVE_LDAP_CREATE_CONTROL */
#endif /* HAVE_LDAP_CREATE_PAGE_CONTROL */
#ifndef HAVE_LDAP_PARSE_PAGE_CONTROL
@@ -154,9 +175,6 @@ exit:
---*/
-#ifndef HAVE_LDAP_CREATE_CONTROL
-#error LDAP client library does not support ldap_create_control()
-#else
int
ldap_parse_page_control (LDAP * ld,
LDAPControl ** ctrls,
@@ -222,5 +240,4 @@ foundPageControl:
return (LDAP_SUCCESS);
}
-#endif /* HAVE_LDAP_CREATE_CONTROL */
#endif /* HAVE_LDAP_PARSE_PAGE_CONTROL */


@ -1,146 +0,0 @@
Workaround for a NetworkManager/Upstart combination making things
interesting. When an application starts before the network is up,
/etc/resolv.conf is empty, causing the application to attempt to use a
local resolver. When the network comes up later, /etc/resolv.conf gets
populated with nameserver addresses, but the application doesn't re-read
it. This screws nss_ldap later on, because the LDAP client library
needs to be able to resolve the directory server's address, but it can't
without a local resolver which is probably not started.
diff -up nss_ldap-259/configure.in nss_ldap-259/configure.in
--- nss_ldap-259/configure.in 2008-04-16 10:42:15.000000000 -0400
+++ nss_ldap-259/configure.in 2008-04-16 10:42:15.000000000 -0400
@@ -176,6 +176,7 @@ AC_CHECK_HEADERS(alignof.h)
AC_CHECK_HEADERS(rpc/rpcent.h)
AC_CHECK_HEADERS(sys/byteorder.h)
AC_CHECK_HEADERS(sys/un.h)
+AC_CHECK_HEADERS(sys/stat.h)
AC_CHECK_HEADERS(libc-lock.h)
AC_CHECK_HEADERS(bits/libc-lock.h)
AC_CHECK_HEADERS(sasl.h sasl/sasl.h)
diff -up nss_ldap-259/ldap-nss.c nss_ldap-259/ldap-nss.c
--- nss_ldap-259/ldap-nss.c 2008-04-16 10:42:15.000000000 -0400
+++ nss_ldap-259/ldap-nss.c 2008-04-16 10:48:02.000000000 -0400
@@ -44,10 +44,16 @@ static char rcsId[] =
#include <syslog.h>
#include <signal.h>
#include <fcntl.h>
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
#include <sys/time.h>
#include <sys/socket.h>
#include <sys/param.h>
#include <errno.h>
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
#ifdef HAVE_SYS_UN_H
#include <sys/un.h>
#endif
@@ -1021,8 +1027,31 @@ _nss_ldap_close (void)
do_close ();
}
+static void
+_nss_ldap_res_init (const char *uri)
+{
+ if (strncmp(uri, "ldapi://", 8) != 0)
+ {
+ struct stat st;
+ static time_t last_mtime = (time_t) -1;
+#if defined(HAVE_RESOLV_H) && defined(_PATH_RESCONF)
+ NSS_LDAP_DEFINE_LOCK (_nss_ldap_res_init_lock);
+ NSS_LDAP_LOCK (_nss_ldap_res_init_lock);
+ if (stat(_PATH_RESCONF, &st) == 0)
+ {
+ if (last_mtime != st.st_mtime)
+ {
+ last_mtime = st.st_mtime;
+ res_init();
+ }
+ }
+ NSS_LDAP_UNLOCK (_nss_ldap_res_init_lock);
+#endif
+ }
+}
+
static NSS_STATUS
-do_init_session (LDAP ** ld, const char *uri, int defport)
+do_init_session (LDAP ** ld, const char *uri, int defport, int res_init_hack)
{
int rc;
int ldaps;
@@ -1050,6 +1079,8 @@ do_init_session (LDAP ** ld, const char
uri = uribuf;
}
+ if (res_init_hack)
+ _nss_ldap_res_init(uri);
rc = ldap_initialize (ld, uri);
#else
if (strncasecmp (uri, "ldap://", sizeof ("ldap://") - 1) != 0)
@@ -1075,6 +1106,8 @@ do_init_session (LDAP ** ld, const char
defport = atoi (p + 1);
uri = uribuf;
}
+ if (res_init_hack)
+ _nss_ldap_res_init(NULL);
# ifdef HAVE_LDAP_INIT
*ld = ldap_init (uri, defport);
# else
@@ -1346,7 +1379,8 @@ do_init (void)
stat = do_init_session (&__session.ls_conn,
cfg->ldc_uris[__session.ls_current_uri],
- cfg->ldc_port);
+ cfg->ldc_port,
+ cfg->ldc_resolv_conf_res_init_hack);
if (stat != NSS_SUCCESS)
{
debug ("<== do_init (failed to initialize LDAP session)");
diff -up nss_ldap-259/ldap-nss.h nss_ldap-259/ldap-nss.h
--- nss_ldap-259/ldap-nss.h 2008-04-16 10:45:49.000000000 -0400
+++ nss_ldap-259/ldap-nss.h 2008-04-16 10:45:52.000000000 -0400
@@ -400,6 +400,9 @@ struct ldap_config
time_t ldc_mtime;
char **ldc_initgroups_ignoreusers;
+
+ /* disable the do-res_init()-on-resolv.conf-changes hack */
+ unsigned int ldc_resolv_conf_res_init_hack;
};
typedef struct ldap_config ldap_config_t;
diff -up nss_ldap-259/util.c nss_ldap-259/util.c
--- nss_ldap-259/util.c 2008-04-16 10:48:08.000000000 -0400
+++ nss_ldap-259/util.c 2008-04-16 10:50:14.000000000 -0400
@@ -680,6 +680,8 @@ NSS_STATUS _nss_ldap_init_config (ldap_c
}
}
+ result->ldc_resolv_conf_res_init_hack = 1;
+
return NSS_SUCCESS;
}
@@ -1204,6 +1206,19 @@ _nss_ldap_readconfig (ldap_config_t ** p
{
t = &result->ldc_srv_domain;
}
+ else if (!strcasecmp (k, "nss_resolv_conf_res_init_hack"))
+ {
+ if (!strcasecmp (v, "on") || !strcasecmp (v, "yes")
+ || !strcasecmp (v, "true"))
+ {
+ result->ldc_resolv_conf_res_init_hack = 1;
+ }
+ else if (!strcasecmp (v, "off") || !strcasecmp (v, "no")
+ || !strcasecmp (v, "false"))
+ {
+ result->ldc_resolv_conf_res_init_hack = 0;
+ }
+ }
else
{
/*


@ -1,192 +0,0 @@
Search attribute which are not case-sensitive in a directory, but which
are in local files on a glibc-based system:
posixAccount.uid: struct passwd.pw_name
shadowAccount.uid: struct shadow.sp_namp
posixGroup.cn: struct group.gr_name
ipService.cn,ipServiceProtocol: struct servent.s_name,s_proto
ipProtocol.cn: struct protoent.p_name
ipHost.cn: OK, actually not case-sensitive in local files
ipNetwork.cn: OK, actually not case-sensitive in local files
rfc822MailAlias.cn: OK, actually not case-sensitive in local files
oncRpc.cn: struct rpcent.r_name
nisNetgroup.cn: N/A
nisMap.nisMapName: N/A
nisObject.nisMapName: N/A
nisObject.cn: N/A
ieee802Device: N/A
bootableDevice: N/A
automount.automountKey: no defined structure
This patch adds additional logic to reject the result of a search if the
field in the result which corresponds to the original request differs
by case from the actual request (for example, when a search for a group
named "bob" turns up a group named "Bob"), but currently only covers
glibc-style systems. Upstream #399.
diff -ur nss_ldap-264/ldap-grp.c nss_ldap-264/ldap-grp.c
--- nss_ldap-264/ldap-grp.c 2009-07-02 11:01:03.000000000 -0400
+++ nss_ldap-264/ldap-grp.c 2009-07-02 10:57:37.000000000 -0400
@@ -1201,7 +1201,8 @@
char *buffer, size_t buflen, int *errnop)
{
LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getgrnam,
- LM_GROUP, _nss_ldap_parse_gr, LDAP_NSS_BUFLEN_GROUP);
+ LM_GROUP, _nss_ldap_parse_gr, LDAP_NSS_BUFLEN_GROUP)
+ AND_REQUIRE_MATCH(name, result->gr_name);
}
#elif defined(HAVE_NSSWITCH_H)
static NSS_STATUS
diff -ur nss_ldap-264/ldap-nss.c nss_ldap-264/ldap-nss.c
--- nss_ldap-264/ldap-nss.c 2009-07-02 11:01:03.000000000 -0400
+++ nss_ldap-264/ldap-nss.c 2009-07-02 10:46:39.000000000 -0400
@@ -4300,4 +4300,17 @@
return lderrno;
}
+NSS_STATUS _nss_ldap_expect_name(NSS_STATUS result,
+ const char *requested_name,
+ const char *actual_name)
+{
+ if ((result == NSS_SUCCESS) &&
+ (requested_name != NULL) &&
+ (actual_name != NULL) &&
+ (strcasecmp(requested_name, actual_name) == 0) &&
+ (strcmp(requested_name, actual_name) != 0)) {
+ return NSS_NOTFOUND;
+ }
+ return result;
+}
diff -ur nss_ldap-264/ldap-nss.h nss_ldap-264/ldap-nss.h
--- nss_ldap-264/ldap-nss.h 2009-07-02 11:01:03.000000000 -0400
+++ nss_ldap-264/ldap-nss.h 2009-07-02 10:28:59.000000000 -0400
@@ -911,4 +911,8 @@
#ifdef CONFIGURE_KRB5_KEYTAB
int do_init_krb5_cache(ldap_config_t *config);
#endif /* CONFIGURE_KRB5_KEYTAB */
+NSS_STATUS _nss_ldap_expect_name(NSS_STATUS result,
+ const char *requested_name,
+ const char *actual_name);
+
#endif /* _LDAP_NSS_LDAP_LDAP_NSS_H */
diff -ur nss_ldap-264/ldap-parse.h nss_ldap-264/ldap-parse.h
--- nss_ldap-264/ldap-parse.h 2006-09-13 02:42:08.000000000 -0400
+++ nss_ldap-264/ldap-parse.h 2009-07-02 10:56:54.000000000 -0400
@@ -94,6 +94,7 @@
#define LOOKUP_NAME(name, result, buffer, buflen, errnop, filter, selector, parser, req_buflen) \
ldap_args_t a; \
+ NSS_STATUS s; \
if (buflen < req_buflen) { \
*errnop = ERANGE; \
return NSS_TRYAGAIN; \
@@ -101,7 +102,8 @@
LA_INIT(a); \
LA_STRING(a) = name; \
LA_TYPE(a) = LA_TYPE_STRING; \
- return _nss_ldap_getbyname(&a, result, buffer, buflen, errnop, filter, selector, parser);
+ s = _nss_ldap_getbyname(&a, result, buffer, buflen, errnop, filter, selector, parser); \
+ return s
#define LOOKUP_NUMBER(number, result, buffer, buflen, errnop, filter, selector, parser, req_buflen) \
ldap_args_t a; \
if (buflen < req_buflen) { \
@@ -199,4 +201,7 @@
#endif /* HAVE_NSSWITCH_H */
+#define AND_REQUIRE_MATCH(name,field) \
+ == NSS_SUCCESS ? _nss_ldap_expect_name(s,name,field) : s
+
#endif /* _LDAP_NSS_LDAP_LDAP_PARSE_H */
diff -ur nss_ldap-264/ldap-proto.c nss_ldap-264/ldap-proto.c
--- nss_ldap-264/ldap-proto.c 2006-09-13 02:42:08.000000000 -0400
+++ nss_ldap-264/ldap-proto.c 2009-07-02 10:58:25.000000000 -0400
@@ -113,7 +113,8 @@
{
LOOKUP_NAME (name, result, buffer, buflen, errnop,
_nss_ldap_filt_getprotobyname, LM_PROTOCOLS,
- _nss_ldap_parse_proto, LDAP_NSS_BUFLEN_DEFAULT);
+ _nss_ldap_parse_proto, LDAP_NSS_BUFLEN_DEFAULT)
+ AND_REQUIRE_MATCH(name, result->p_name);
}
#endif
diff -ur nss_ldap-264/ldap-pwd.c nss_ldap-264/ldap-pwd.c
--- nss_ldap-264/ldap-pwd.c 2009-07-02 11:01:03.000000000 -0400
+++ nss_ldap-264/ldap-pwd.c 2009-07-02 10:57:15.000000000 -0400
@@ -243,7 +243,8 @@
char *buffer, size_t buflen, int *errnop)
{
LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
- LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
+ LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
+ AND_REQUIRE_MATCH(name, result->pw_name);
}
#elif defined(HAVE_NSSWITCH_H)
static NSS_STATUS
diff -ur nss_ldap-264/ldap-rpc.c nss_ldap-264/ldap-rpc.c
--- nss_ldap-264/ldap-rpc.c 2009-07-02 11:01:03.000000000 -0400
+++ nss_ldap-264/ldap-rpc.c 2009-07-02 10:58:01.000000000 -0400
@@ -123,7 +123,8 @@
{
LOOKUP_NAME (name, result, buffer, buflen, errnop,
_nss_ldap_filt_getrpcbyname, LM_RPC, _nss_ldap_parse_rpc,
- LDAP_NSS_BUFLEN_DEFAULT);
+ LDAP_NSS_BUFLEN_DEFAULT)
+ AND_REQUIRE_MATCH(name, result->r_name);
}
#endif
diff -ur nss_ldap-264/ldap-service.c nss_ldap-264/ldap-service.c
--- nss_ldap-264/ldap-service.c 2009-07-02 15:44:14.000000000 -0400
+++ nss_ldap-264/ldap-service.c 2009-07-02 15:45:07.000000000 -0400
@@ -230,16 +230,20 @@
char *buffer, size_t buflen, int *errnop)
{
ldap_args_t a;
+ NSS_STATUS s;
LA_INIT (a);
LA_STRING (a) = name;
LA_TYPE (a) = (proto == NULL) ? LA_TYPE_STRING : LA_TYPE_STRING_AND_STRING;
LA_STRING2 (a) = proto;
- return _nss_ldap_getbyname (&a, result, buffer, buflen, errnop,
- ((proto == NULL) ? _nss_ldap_filt_getservbyname
- : _nss_ldap_filt_getservbynameproto),
- LM_SERVICES, _nss_ldap_parse_serv);
+ s = _nss_ldap_getbyname (&a, result, buffer, buflen, errnop,
+ ((proto == NULL) ? _nss_ldap_filt_getservbyname
+ : _nss_ldap_filt_getservbynameproto),
+ LM_SERVICES, _nss_ldap_parse_serv);
+ s = _nss_ldap_expect_name(s, name, result->s_name);
+ s = _nss_ldap_expect_name(s, proto, result->s_proto);
+ return s;
}
#endif
diff -ur nss_ldap-264/ldap-spwd.c nss_ldap-264/ldap-spwd.c
--- nss_ldap-264/ldap-spwd.c 2009-07-02 11:01:03.000000000 -0400
+++ nss_ldap-264/ldap-spwd.c 2009-07-02 10:58:50.000000000 -0400
@@ -149,7 +149,8 @@
char *buffer, size_t buflen, int *errnop)
{
LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getspnam,
- LM_SHADOW, _nss_ldap_parse_sp, LDAP_NSS_BUFLEN_DEFAULT);
+ LM_SHADOW, _nss_ldap_parse_sp, LDAP_NSS_BUFLEN_DEFAULT)
+ AND_REQUIRE_MATCH (name, result->sp_namp);
}
#elif defined(HAVE_NSSWITCH_H)
static NSS_STATUS
--- nss_ldap-264/ldap-automount.c 2009-07-02 16:03:30.000000000 -0400
+++ nss_ldap-264/ldap-automount.c 2009-07-02 16:03:48.000000000 -0400
@@ -384,7 +384,7 @@
_nss_ldap_filt_getautomntbyname,
LM_AUTOMOUNT,
_nss_ldap_parse_automount);
-
+ stat = _nss_ldap_expect_name(stat, key, canon_key ? *canon_key : NULL);
if (stat != NSS_NOTFOUND)
{
break; /* on success or error other than not found */


@ -1,11 +0,0 @@
diff -up nss_ldap-264/ldap-nss.c nss_ldap-264/ldap-nss.c
--- nss_ldap-264/ldap-nss.c 2009-07-23 18:55:15.290388484 -0400
+++ nss_ldap-264/ldap-nss.c 2009-07-23 19:01:33.328398737 -0400
@@ -896,6 +896,7 @@ do_drop_connection(int sd, int closeSd)
/* we must let dup2 close sd for us to avoid race conditions
* in multithreaded code.
*/
+ fcntl (dummyfd, F_SETFD, 1L);
do_dupfd (dummyfd, sd);
do_closefd (dummyfd);
}


@ -1,186 +0,0 @@
Check if we can use thread-local storage, and if we can, use one to avoid a
self-deadlock if we recurse into our own host resolution routines from inside
of another lookup attempt. Revised from patch originally submitted for #340.
diff -up nss_ldap-265/config.h.in nss_ldap-265/config.h.in
--- nss_ldap-265/config.h.in 2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265/config.h.in 2010-01-08 17:29:49.000000000 -0500
@@ -304,6 +304,11 @@
/* Define to 1 if you have the <thread.h> header file. */
#undef HAVE_THREAD_H
+/* Define if your toolchain supports thread-local storage, which can be used
+ for detecting self- and mutual-recursion problems when performing
+ host/address lookups. */
+#undef HAVE_THREAD_LOCAL_STORAGE
+
/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
diff -up nss_ldap-265/configure.in nss_ldap-265/configure.in
--- nss_ldap-265/configure.in 2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265/configure.in 2010-01-08 17:29:49.000000000 -0500
@@ -27,6 +27,14 @@ dnl
AC_ARG_ENABLE(debugging, [ --enable-debugging enable debug code ], [AC_DEFINE(DEBUG)])
+AC_MSG_CHECKING(for thread-local storage)
+AC_TRY_COMPILE([],[static __thread int _nss_ldap_recursion_count;],
+ [
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_THREAD_LOCAL_STORAGE,1,[Define if your toolchain supports thread-local storage, which can be used for detecting self- and mutual-recursion problems when performing host/address lookups.])
+ ],
+ AC_MSG_RESULT(no))
+
dnl
dnl --enable-paged-results is now deprecated; if this option is set,
dnl then paged results will be enabled by default. However, it can
diff -up nss_ldap-265/depth.c nss_ldap-265/depth.c
--- nss_ldap-265/depth.c 2010-01-08 17:29:49.000000000 -0500
+++ nss_ldap-265/depth.c 2010-01-08 17:29:49.000000000 -0500
@@ -0,0 +1,24 @@
+#include "config.h"
+#include "depth.h"
+
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+static __thread int depth = 0;
+
+int
+_nss_ldap_get_depth (void)
+{
+ return depth;
+}
+
+int
+_nss_ldap_inc_depth (void)
+{
+ return ++depth;
+}
+
+int
+_nss_ldap_dec_depth (void)
+{
+ return --depth;
+}
+#endif
diff -up nss_ldap-265/depth.h nss_ldap-265/depth.h
--- nss_ldap-265/depth.h 2010-01-08 17:29:49.000000000 -0500
+++ nss_ldap-265/depth.h 2010-01-08 17:29:49.000000000 -0500
@@ -0,0 +1,3 @@
+int _nss_ldap_get_depth (void);
+int _nss_ldap_inc_depth (void);
+int _nss_ldap_dec_depth (void);
diff -up nss_ldap-265/ldap-hosts.c nss_ldap-265/ldap-hosts.c
--- nss_ldap-265/ldap-hosts.c 2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265/ldap-hosts.c 2010-01-08 17:33:38.000000000 -0500
@@ -66,6 +66,7 @@ static char rcsId[] =
#include "ldap-nss.h"
#include "ldap-hosts.h"
#include "util.h"
+#include "depth.h"
#ifdef HAVE_PORT_AFTER_H
#include <port_after.h>
@@ -280,6 +281,11 @@ _nss_ldap_gethostbyname2_r (const char *
}
#endif
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_get_depth() > 0)
+ return NSS_STATUS_UNAVAIL;
+#endif
+
LA_INIT (a);
LA_STRING (a) = name;
LA_TYPE (a) = LA_TYPE_STRING;
@@ -355,6 +361,11 @@ _nss_ldap_gethostbyaddr_r (struct in_add
NSS_STATUS status;
ldap_args_t a;
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_get_depth() > 0)
+ return NSS_STATUS_UNAVAIL;
+#endif
+
/* if querying by IPv6 address, make sure the address is "normalized" --
* it should contain no leading zeros and all components of the address.
* still we can't fit an IPv6 address in an int, so who cares for now.
@@ -391,6 +402,11 @@ _nss_ldap_sethostent_r (nss_backend_t *
#endif
#if defined(HAVE_NSS_H) || defined(HAVE_NSSWITCH_H)
{
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_get_depth() > 0)
+ return NSS_STATUS_UNAVAIL;
+#endif
+
LOOKUP_SETENT (hosts_context);
}
#endif
@@ -403,6 +419,11 @@ _nss_ldap_endhostent_r (nss_backend_t *
#endif
#if defined(HAVE_NSS_H) || defined(HAVE_NSSWITCH_H)
{
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_get_depth() > 0)
+ return NSS_STATUS_UNAVAIL;
+#endif
+
LOOKUP_ENDENT (hosts_context);
}
#endif
@@ -435,6 +456,11 @@ _nss_ldap_gethostent_r (struct hostent *
{
NSS_STATUS status;
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_get_depth() > 0)
+ return NSS_STATUS_UNAVAIL;
+#endif
+
status = _nss_ldap_getent (&hosts_context,
result,
buffer,
diff -up nss_ldap-265/ldap-nss.c nss_ldap-265/ldap-nss.c
--- nss_ldap-265/ldap-nss.c 2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265/ldap-nss.c 2010-01-08 17:29:49.000000000 -0500
@@ -93,6 +93,7 @@ static char rcsId[] =
#include "util.h"
#include "dnsconfig.h"
#include "pagectrl.h"
+#include "depth.h"
#if defined(HAVE_THREAD_H) && !defined(_AIX)
#ifdef HAVE_PTHREAD_ATFORK
@@ -578,6 +579,9 @@ _nss_ldap_enter (void)
debug ("==> _nss_ldap_enter");
NSS_LDAP_LOCK (__lock);
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ _nss_ldap_inc_depth();
+#endif
/*
* Patch for Debian Bug 130006:
@@ -623,6 +627,9 @@ _nss_ldap_leave (void)
}
#endif /* HAVE_SIGACTION */
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ _nss_ldap_dec_depth();
+#endif
NSS_LDAP_UNLOCK (__lock);
debug ("<== _nss_ldap_leave");
diff -up nss_ldap-265/Makefile.am nss_ldap-265/Makefile.am
--- nss_ldap-265/Makefile.am 2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265/Makefile.am 2010-01-08 17:31:45.000000000 -0500
@@ -23,7 +23,7 @@ nss_ldap_so_SOURCES = ldap-nss.c ldap-pw
ldap-alias.c ldap-service.c ldap-schema.c ldap-ethers.c \
ldap-bp.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \
dnsconfig.c irs-nss.c pagectrl.c ldap-sldap.c ldap-init-krb5-cache.c \
- vers.c
+ vers.c depth.c
nss_ldap_so_LDFLAGS = @nss_ldap_so_LDFLAGS@


@ -1,102 +0,0 @@
Distinguish between contexts that are somewhat persistent and one-offs
which are used to fulfill part of a larger request. Proposed for #322.
diff -up nss_ldap-265/ldap-grp.c nss_ldap-265/ldap-grp.c
--- nss_ldap-265/ldap-grp.c 2010-01-08 17:38:38.000000000 -0500
+++ nss_ldap-265/ldap-grp.c 2010-01-08 17:38:38.000000000 -0500
@@ -859,7 +859,7 @@ ng_chase (const char *dn, ldap_initgroup
LA_STRING (a) = dn;
LA_TYPE (a) = LA_TYPE_STRING;
- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
+ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
{
return NSS_UNAVAIL;
}
@@ -931,7 +931,7 @@ ng_chase_backlink (const char ** members
LA_STRING_LIST (a) = filteredMembersOf;
LA_TYPE (a) = LA_TYPE_STRING_LIST_OR;
- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
+ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
{
free (filteredMembersOf);
return NSS_UNAVAIL;
diff -up nss_ldap-265/ldap-netgrp.c nss_ldap-265/ldap-netgrp.c
--- nss_ldap-265/ldap-netgrp.c 2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265/ldap-netgrp.c 2010-01-08 17:38:38.000000000 -0500
@@ -691,7 +691,7 @@ do_innetgr_nested (ldap_innetgr_args_t *
LA_TYPE (a) = LA_TYPE_STRING;
LA_STRING (a) = nested; /* memberNisNetgroup */
- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
+ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
{
debug ("<== do_innetgr_nested: failed to initialize context");
return NSS_UNAVAIL;
diff -up nss_ldap-265/ldap-nss.c nss_ldap-265/ldap-nss.c
--- nss_ldap-265/ldap-nss.c 2010-01-08 17:38:38.000000000 -0500
+++ nss_ldap-265/ldap-nss.c 2010-01-08 17:40:37.000000000 -0500
@@ -2043,6 +2043,7 @@ _nss_ldap_ent_context_init_locked (ent_c
debug ("<== _nss_ldap_ent_context_init_locked");
return NULL;
}
+ ctx->ec_internal = 0;
*pctx = ctx;
}
else
@@ -2104,7 +2105,8 @@ do_context_release (ent_context_t * ctx,
LS_INIT (ctx->ec_state);
- if (_nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
+ if (!ctx->ec_internal &&
+ _nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
{
do_close ();
}
@@ -2113,6 +2115,16 @@ do_context_release (ent_context_t * ctx,
free (ctx);
}
+ent_context_t *
+_nss_ldap_ent_context_init_internal_locked (ent_context_t ** pctx)
+{
+ ent_context_t *ctx;
+ ctx = _nss_ldap_ent_context_init_locked (pctx);
+ if (ctx != NULL)
+ ctx->ec_internal = 1;
+ return ctx;
+}
+
/*
* Clears a given context; we require the caller
* to acquire the lock.
diff -up nss_ldap-265/ldap-nss.h nss_ldap-265/ldap-nss.h
--- nss_ldap-265/ldap-nss.h 2010-01-08 17:38:38.000000000 -0500
+++ nss_ldap-265/ldap-nss.h 2010-01-08 17:42:34.000000000 -0500
@@ -574,6 +574,8 @@ struct ent_context
ldap_state_t ec_state; /* eg. for services */
int ec_msgid; /* message ID */
LDAPMessage *ec_res; /* result chain */
+ int ec_internal; /* this context is just a part of a larger
+ * query for information */
ldap_service_search_descriptor_t *ec_sd; /* current sd */
struct berval *ec_cookie; /* cookie for paged searches */
int ec_eof; /* reached notional end of file */
@@ -769,6 +771,15 @@ ent_context_t *_nss_ldap_ent_context_ini
ent_context_t *_nss_ldap_ent_context_init_locked (ent_context_t **);
/*
+ * _nss_ldap_ent_context_init_internal_locked() has the same
+ * behaviour, except it marks the context as one that's being
+ * used to fetch additional data used in answering a request, i.e.
+ * that this isn't the "main" context
+ */
+
+ent_context_t *_nss_ldap_ent_context_init_internal_locked (ent_context_t **);
+
+/*
* _nss_ldap_ent_context_release() is used to manually free a context
*/
void _nss_ldap_ent_context_release (ent_context_t **);


@ -1,17 +0,0 @@
If we were supposed to set ERANGE, do so again, in case do_close() or
_nss_ldap_leave() overwrote errno with some other value. Upstream #421.
diff -up nss_ldap-265/ldap-nss.ce nss_ldap-265/ldap-nss.c
--- nss_ldap-265/ldap-nss.ce 2010-07-08 16:17:07.000000000 -0400
+++ nss_ldap-265/ldap-nss.c 2010-07-08 16:17:03.000000000 -0400
@@ -3572,6 +3572,10 @@ _nss_ldap_getbyname (ldap_args_t * args,
debug ("<== _nss_ldap_getbyname");
+ /* at least for the cases where we know we have to return ERANGE */
+ if (stat == NSS_TRYAGAIN)
+ do_map_errno(stat, errnop);
+
return stat;
}


@ -1,10 +0,0 @@
--- nss_ldap-265/ldap-nss.c.orig 2010-10-18 22:11:18.112108167 +1100
+++ nss_ldap-265/ldap-nss.c 2010-10-18 22:13:20.030169868 +1100
@@ -3449,6 +3449,7 @@
debug ("==> _nss_ldap_getbyname");
+ memset(&ctx, 0, sizeof(ent_context_t));
ctx.ec_msgid = -1;
ctx.ec_cookie = NULL;
ctx.ec_eof = 0;


@ -1,190 +0,0 @@
This builds off of the recursion checking introduced by -depth to avoid
a deadlock if/when we recurse into ourselves while looking up the user's
UID to compare it to the configured value. Revision for upstream #341.
diff -ur nss_ldap-265/ldap-nss.c nss_ldap-265-2/ldap-nss.c
--- nss_ldap-265/ldap-nss.c 2010-08-19 17:16:51.000000000 -0400
+++ nss_ldap-265-2/ldap-nss.c 2010-08-19 17:25:09.000000000 -0400
@@ -34,6 +34,7 @@
#endif
#include <assert.h>
+#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
@@ -4356,20 +4357,55 @@
int
_nss_ldap_test_initgroups_ignoreuser (const char *user)
{
- char **p;
+ char **p, *buf;
+ size_t buflen;
+ struct passwd pwd, *passwd;
- if (__config == NULL)
- return 0;
-
- if (__config->ldc_initgroups_ignoreusers == NULL)
- return 0;
-
- for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
+ if (__config != NULL)
{
- if (strcmp (*p, user) == 0)
- return 1;
+ if (__config->ldc_initgroups_ignoreusers != NULL)
+ for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
+ {
+ if (strcmp (*p, user) == 0)
+ return 1;
+ }
+ if (__config->ldc_initgroups_minimum_uid >= 0)
+ {
+ memset (&pwd, 0, sizeof(pwd));
+ buflen = 0x100;
+ buf = malloc(buflen);
+ if (buf != NULL)
+ {
+ passwd = NULL;
+ while ((getpwnam_r(user, &pwd, buf, buflen, &passwd) != 0) &&
+ (passwd != &pwd))
+ {
+ switch (errno)
+ {
+ case ERANGE:
+ buflen *= 2;
+ free(buf);
+ if (buflen > 0x100000)
+ buf = NULL;
+ else
+ buf = malloc(buflen);
+ break;
+ case EINTR:
+ continue;
+ break;
+ default:
+ free(buf);
+ buf = NULL;
+ break;
+ }
+ if (buf == NULL)
+ break;
+ }
+ }
+ if ((passwd == &pwd) && (passwd->pw_uid < 1000))
+ return 1;
+ }
}
-
return 0;
}
diff -ur nss_ldap-265/ldap-nss.h nss_ldap-265-2/ldap-nss.h
--- nss_ldap-265/ldap-nss.h 2010-08-19 17:16:51.000000000 -0400
+++ nss_ldap-265-2/ldap-nss.h 2010-08-19 17:18:47.000000000 -0400
@@ -400,6 +400,7 @@
time_t ldc_mtime;
char **ldc_initgroups_ignoreusers;
+ int ldc_initgroups_minimum_uid;
/* disable the do-res_init()-on-resolv.conf-changes hack */
unsigned int ldc_resolv_conf_res_init_hack;
diff -ur nss_ldap-265/ldap-pwd.c nss_ldap-265-2/ldap-pwd.c
--- nss_ldap-265/ldap-pwd.c 2010-08-19 17:16:51.000000000 -0400
+++ nss_ldap-265-2/ldap-pwd.c 2010-08-19 16:40:43.000000000 -0400
@@ -49,6 +49,7 @@
#include "ldap-nss.h"
#include "ldap-pwd.h"
#include "util.h"
+#include "depth.h"
#ifdef HAVE_PORT_AFTER_H
#include <port_after.h>
@@ -242,6 +243,10 @@
struct passwd * result,
char *buffer, size_t buflen, int *errnop)
{
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_get_depth() > 0)
+ return NSS_STATUS_UNAVAIL;
+#endif
LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
AND_REQUIRE_MATCH(name, result->pw_name);
@@ -261,6 +266,10 @@
struct passwd *result,
char *buffer, size_t buflen, int *errnop)
{
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_get_depth() > 0)
+ return NSS_STATUS_UNAVAIL;
+#endif
LOOKUP_NUMBER (uid, result, buffer, buflen, errnop, _nss_ldap_filt_getpwuid,
LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
}
diff -ur nss_ldap-265/nss_ldap.5 nss_ldap-265-2/nss_ldap.5
--- nss_ldap-265/nss_ldap.5 2010-08-19 17:16:51.000000000 -0400
+++ nss_ldap-265-2/nss_ldap.5 2010-08-19 17:19:23.000000000 -0400
@@ -445,6 +445,14 @@
to return NSS_STATUS_NOTFOUND if called with a listed users as
its argument.
.TP
+.B nss_initgroups_minimum_uid <uid>
+This option directs the
+.B nss_ldap
+implementation of
+.BR initgroups(3)
+to return NSS_STATUS_NOTFOUND if called with a user whose UID is
+below the value given as the argument.
+.TP
.B nss_getgrent_skipmembers <yes|no>
Specifies whether or not to populate the members list in
the group structure for group lookups. If very large groups
diff -ur nss_ldap-265/util.c nss_ldap-265-2/util.c
--- nss_ldap-265/util.c 2010-08-19 17:16:51.000000000 -0400
+++ nss_ldap-265-2/util.c 2010-08-19 17:18:33.000000000 -0400
@@ -669,6 +669,7 @@
result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME;
result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES;
result->ldc_initgroups_ignoreusers = NULL;
+ result->ldc_initgroups_minimum_uid = -1;
for (i = 0; i <= LM_NONE; i++)
{
@@ -1180,6 +1181,10 @@
break;
}
}
+ else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID))
+ {
+ result->ldc_initgroups_minimum_uid = atoi(v);
+ }
else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS))
{
if (!strcasecmp (v, "on") || !strcasecmp (v, "yes")
diff -ur nss_ldap-265/util.h nss_ldap-265-2/util.h
--- nss_ldap-265/util.h 2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265-2/util.h 2010-08-19 17:19:46.000000000 -0400
@@ -92,6 +92,7 @@
#define NSS_LDAP_KEY_PAGESIZE "pagesize"
#define NSS_LDAP_KEY_INITGROUPS "nss_initgroups"
#define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS "nss_initgroups_ignoreusers"
+#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID "nss_initgroups_minimum_uid"
#define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS "nss_getgrent_skipmembers"
/* more reconnect policy fine-tuning */
--- nss_ldap-265/ldap.conf 2005-08-17 18:35:13.000000000 -0400
+++ nss_ldap-265/ldap.conf 2006-02-09 14:14:05.000000000 -0500
@@ -177,8 +177,8 @@
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
-# Just assume that there are no supplemental groups for these named users
-nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
+# Just assume that there are no supplemental groups for system users.
+nss_initgroups_minimum_uid 500
# attribute/objectclass mapping
# Syntax:


@ -1,17 +0,0 @@
Configure by default to fail, quickly, requests for supplemental group
information for "root", "ldap", and assorted other users as whom services
run or who are mentioned by the DBus configuration. This patch will never
be pretty.
--- pam_ldap-180/ldap.conf 2005-08-17 18:35:13.000000000 -0400
+++ pam_ldap-180/ldap.conf 2006-02-09 14:14:05.000000000 -0500
@@ -177,6 +177,9 @@
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
+# Just assume that there are no supplemental groups for these named users
+nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
+
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute


@ -1,36 +0,0 @@
diff -up nss_ldap-253/ldap-nss.c.padl418 nss_ldap-253/ldap-nss.c
--- nss_ldap-253/ldap-nss.c.padl418 2010-11-17 14:08:24.000000000 +0000
+++ nss_ldap-253/ldap-nss.c 2010-11-18 00:34:22.000000000 +0000
@@ -1272,9 +1272,14 @@ do_init (void)
}
}
- __session.ls_conn = NULL;
+ /* looks like a problem. could be initialized, but not connected */
+ if (__session.ls_state != LS_UNINITIALIZED)
+ {
+ debug ("<== do_init (already initialized)");
+ goto initialized;
+ }
+
__session.ls_timestamp = 0;
- __session.ls_state = LS_UNINITIALIZED;
#if defined(HAVE_PTHREAD_ONCE) && defined(HAVE_PTHREAD_ATFORK)
if (pthread_once (&__once, do_atfork_setup) != 0)
@@ -1394,6 +1399,7 @@ do_init (void)
debug ("<== do_init (initialized session)");
+initialized:
return NSS_SUCCESS;
}
@@ -1614,6 +1620,7 @@ do_open (void)
}
else
{
+ syslog(LOG_ERR, "nss-ldap: do_open: do_start_tls failed:stat=%d", stat);
do_close ();
debug ("<== do_open (TLS startup failed)");
return stat;


@ -1,11 +0,0 @@
--- nss_ldap/ldap-netgrp.c
+++ nss_ldap/ldap-netgrp.c
@@ -372,7 +372,7 @@ _nss_ldap_setnetgrent (char *group, stru
_nss_ldap_filt_getnetgrent, LM_NETGROUP,
_nss_ldap_load_netgr);
- if (stat == NSS_NOTFOUND)
+ if (stat != NSS_SUCCESS)
return stat;
LOOKUP_SETENT (_ngbe);


@ -1,90 +0,0 @@
###############################################################################
# IPFire.org - An Open Source Firewall Solution #
# Copyright (C) - IPFire Development Team <info@ipfire.org> #
###############################################################################
name = pam_ldap
version = 186
release = 3
groups = System/Base
url = http://www.padl.com/OSS/pam_ldap.html
license = GPL and LGPL
summary = A pam/ldap module that supports password changes.
description
The pam_ldap module provides the means for Solaris and Linux servers \
and workstations to authenticate against LDAP directories, and to \
change their passwords in the directory.
end
# Always change this if the nss_ldap package has been updated!
NSS_LDAP_VER = 265
source_dl =
sources += nss_ldap-%{NSS_LDAP_VER}.tar.gz
build
requires
autoconf
automake
openldap-devel
pam-devel
end
configure_options += \
--with-ldap-conf-file=/etc/pam_ldap.conf \
--with-ldap-secret-file=/etc/pam_ldap.secret
prepare_cmds
# Extract source tarball of nss_ldap
cd %{DIR_SRC} && %{MACRO_EXTRACT} %{DIR_DL}/nss_ldap-%{NSS_LDAP_VER}.tar.gz
# Copy needed files from nss_ldap
cd %{DIR_APP} && cp -av %{DIR_SRC}/nss_ldap-%{NSS_LDAP_VER}/resolve.c .
cp -av %{DIR_SRC}/nss_ldap-%{NSS_LDAP_VER}/resolve.h .
cp -av %{DIR_SRC}/nss_ldap-%{NSS_LDAP_VER}/snprintf.c .
cp -av %{DIR_SRC}/nss_ldap-%{NSS_LDAP_VER}/snprintf.h .
sed -i -e 's,^ldap.conf$$,pam_ldap.conf,g' *.5
sed -i -e 's,^/etc/ldap\.,/etc/pam_ldap.,g' *.5
sed -i -e 's,in ldap.co$nf,in pam_ldap.conf,g' *.5
sed -i -e 's,of ldap.conf,of pam_ldap.conf,g' *.5
sed -i -e 's,ldap.secret,pam_ldap.secret,g' *.5
sed -i -e 's,(ldap.conf),(pam_ldap.conf),g' *.5
autoreconf -f -i
end
make_build_targets += \
LDFLAGS="-Wl,-z,nodelete"
install
# Create directory layout
mkdir -pv %{BUILDROOT}/{etc,%{libdir}/security}
# Prevent to install an ldap.conf
touch %{BUILDROOT}/etc/ldap.conf
make install DESTDIR=%{BUILDROOT}
rm -rvf %{BUILDROOT}/etc/ldap.conf
# Install the default configuration file and change padl to example
sed 's|dc=padl|dc=example|g' ldap.conf > %{BUILDROOT}/etc/pam_ldap.conf
chmod 644 %{BUILDROOT}/etc/pam_ldap.conf
# Create an empty ldap.secret file
touch %{BUILDROOT}/etc/pam_ldap.secret
end
end
packages
package %{name}
conflicts
filesystem < 002
end
end
package %{name}-debuginfo
template DEBUGINFO
end
end


@ -1,11 +0,0 @@
--- pam_ldap-176/pam_ldap.c 2011-01-06 07:37:12.000000000 -0800
+++ pam_ldap-176/pam_ldap.c 2011-01-06 07:38:59.000000000 -0800
@@ -3415,7 +3415,7 @@
if (rc != PAM_SUCCESS)
return rc;
- if (!(session->conf->rootbinddn && getuid () == 0))
+ if (!(session->conf->rootbinddn && getuid () == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK)))
{
/* we are not root, authenticate old password */
if (try_first_pass || use_first_pass)


@ -1,17 +0,0 @@
When deciding whether or not to try to use ldap_modify to change the user's
password, skip it if we're in "pam_password exop_send_old", just as we would
for "pam_password exop". Upstream #321.
diff -up pam_ldap-176/pam_ldap.c pam_ldap-176/pam_ldap.c
--- pam_ldap-176/pam_ldap.c 2007-10-04 10:07:32.000000000 -0400
+++ pam_ldap-176/pam_ldap.c 2007-10-04 10:07:40.000000000 -0400
@@ -3025,7 +3025,8 @@ _update_authtok (pam_handle_t *pamh,
break;
} /* end switch */
- if (session->conf->password_type != PASSWORD_EXOP)
+ if ((session->conf->password_type != PASSWORD_EXOP) &&
+ (session->conf->password_type != PASSWORD_EXOP_SEND_OLD))
{
rc = ldap_modify_s (session->ld, session->info->userdn, mods);
if (rc != LDAP_SUCCESS)


@ -1,18 +0,0 @@
--- pam_ldap-180/Makefile.am 2006-01-11 14:52:17.000000000 -0500
+++ pam_ldap-180/Makefile.am 2006-01-11 14:52:11.000000000 -0500
@@ -23,12 +23,12 @@
@$(NORMAL_INSTALL)
$(mkinstalldirs) $(DESTDIR)$(libdir)/security
if EXTENSION_SO
- $(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so
+ $(INSTALL_PROGRAM) pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so
else
if EXTENSION_1
- $(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/libpam_ldap.1
+ $(INSTALL_PROGRAM) pam_ldap.so $(DESTDIR)$(libdir)/security/libpam_ldap.1
else
- $(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so.1
+ $(INSTALL_PROGRAM) pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so.1
(cd $(DESTDIR)$(libdir)/security; rm -f pam_ldap.so; ln -s pam_ldap.so.1 pam_ldap.so)
endif
endif


@ -1,14 +0,0 @@
Give people a pointer to the pam_ldap man page, because the name of this file
actually has changed over time.
--- pam_ldap/ldap.conf 2006-07-25 17:16:11.000000000 -0400
+++ pam_ldap/ldap.conf 2006-07-25 17:16:06.000000000 -0400
@@ -3,6 +3,8 @@
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
+# The man page for this file is pam_ldap(5)
+#
# PADL Software
# http://www.padl.com
#


@ -1,77 +0,0 @@
Fix a memory leak at cleanup-time.
diff -up pam_ldap/pam_ldap.c pam_ldap/pam_ldap.c
--- pam_ldap/pam_ldap.c 2009-07-22 15:55:42.000000000 -0400
+++ pam_ldap/pam_ldap.c 2009-07-22 16:00:23.000000000 -0400
@@ -437,6 +437,7 @@ static void
_release_config (pam_ldap_config_t ** pconfig)
{
pam_ldap_config_t *c;
+ pam_ssd_t *ssd, *next_ssd;
c = *pconfig;
if (c == NULL)
@@ -445,6 +446,9 @@ _release_config (pam_ldap_config_t ** pc
if (c->configFile != NULL)
free (c->configFile);
+ if (c->uri != NULL)
+ free (c->uri);
+
if (c->host != NULL)
free (c->host);
@@ -474,6 +478,16 @@ _release_config (pam_ldap_config_t ** pc
free (c->sslpath);
}
+ ssd = c->ssd;
+ while ( ssd != NULL )
+ {
+ next_ssd = ssd->next;
+ free (ssd->base);
+ free (ssd->filter);
+ free (ssd);
+ ssd = next_ssd;
+ }
+
if (c->userattr != NULL)
{
free (c->userattr);
@@ -509,6 +523,36 @@ _release_config (pam_ldap_config_t ** pc
free (c->logdir);
}
+ if (c->tls_cacertfile != NULL)
+ {
+ free (c->tls_cacertfile);
+ }
+
+ if (c->tls_cacertdir != NULL)
+ {
+ free (c->tls_cacertdir);
+ }
+
+ if (c->tls_ciphers != NULL)
+ {
+ free (c->tls_ciphers);
+ }
+
+ if (c->tls_cert != NULL)
+ {
+ free (c->tls_cert);
+ }
+
+ if (c->tls_key != NULL)
+ {
+ free (c->tls_key);
+ }
+
+ if (c->tls_randfile != NULL)
+ {
+ free (c->tls_randfile);
+ }
+
if (c->sasl_mechanism != NULL)
{
free (c->sasl_mechanism);


@ -1,86 +0,0 @@
Add a role check, like the existing group membership check.
Submitted to upstream #382.
diff -up pam_ldap-184/pam_ldap.5 pam_ldap-184/pam_ldap.5
--- pam_ldap-184/pam_ldap.5 2008-11-17 13:36:03.000000000 -0500
+++ pam_ldap-184/pam_ldap.5 2008-11-17 13:37:35.000000000 -0500
@@ -333,6 +333,10 @@ group specified in the
.B pam_groupdn
option.
.TP
+.B pam_nsrole <role>
+Specifies a value which the user's entry's "nsRole" attribute must match
+for logon authorization to succeed.
+.TP
.B pam_min_uid <uid>
If specified, a user must have a POSIX user ID of at least
.B uid
diff -up pam_ldap-184/pam_ldap.c pam_ldap-184/pam_ldap.c
--- pam_ldap-184/pam_ldap.c 2008-11-17 13:35:52.000000000 -0500
+++ pam_ldap-184/pam_ldap.c 2008-11-17 13:35:56.000000000 -0500
@@ -499,6 +499,11 @@ _release_config (pam_ldap_config_t ** pc
free (c->groupdn);
}
+ if (c->nsrole != NULL)
+ {
+ free (c->nsrole);
+ }
+
if (c->filter != NULL)
{
free (c->filter);
@@ -639,6 +644,7 @@ _alloc_config (pam_ldap_config_t ** pres
result->userattr = NULL;
result->groupattr = NULL;
result->groupdn = NULL;
+ result->nsrole = NULL;
result->getpolicy = 0;
result->checkhostattr = 0;
result->checkserviceattr = 0;
@@ -1043,6 +1049,10 @@ _read_config (const char *configFile, pa
{
CHECKPOINTER (result->groupattr = strdup (v));
}
+ else if (!strcasecmp (k, "pam_nsrole"))
+ {
+ CHECKPOINTER (result->nsrole = strdup (v));
+ }
else if (!strcasecmp (k, "pam_min_uid"))
{
result->min_uid = (uid_t) atol (v);
@@ -4136,6 +4146,23 @@ pam_sm_acct_mgmt (pam_handle_t * pamh, i
rc = success;
}
+ /* check the user's entry's nsRole attribute for the required value */
+ if (rc == success && session->conf->nsrole != NULL)
+ {
+ rc = ldap_compare_s (session->ld,
+ session->info->userdn,
+ "nsRole", session->conf->nsrole);
+ if (rc != LDAP_COMPARE_TRUE)
+ {
+ snprintf (buf, sizeof buf, "You must have the %s role to login.",
+ session->conf->nsrole);
+ _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
+ return PAM_PERM_DENIED;
+ }
+ else
+ rc = success;
+ }
+
if (rc == success && session->conf->checkserviceattr)
{
rc = _service_ok (pamh, session);
--- pam_ldap-184/pam_ldap.h 2008-11-17 13:39:49.000000000 -0500
+++ pam_ldap-184/pam_ldap.h 2008-11-17 13:39:50.000000000 -0500
@@ -95,6 +95,8 @@
char *groupdn;
/* group membership attribute; defaults to uniquemember */
char *groupattr;
+ /* role name; optional, for access authorization */
+ char *nsrole;
/* LDAP protocol version */
int version;
/* search timelimit */


@ -1,337 +0,0 @@
--- pam_ldap-176/Makefile.am 2004-09-30 22:33:14.000000000 -0400
+++ pam_ldap-176/Makefile.am 2004-10-28 17:24:13.691936696 -0400
@@ -2,7 +2,7 @@ noinst_PROGRAMS = pam_ldap.so
EXTRA_DIST = COPYING.LIB CVSVersionInfo.txt ChangeLog README \
ldap.conf pam.conf pam_ldap.spec pam.d
-pam_ldap_so_SOURCES = pam_ldap.c pam_ldap.h md5.c md5.h vers.c
+pam_ldap_so_SOURCES = pam_ldap.c pam_ldap.h md5.c md5.h vers.c resolve.c resolve.h dnsconfig.c dnsconfig.h snprintf.c snprintf.h
pam_ldap_so_LDFLAGS = @pam_ldap_so_LDFLAGS@
man_MANS = pam_ldap.5
--- pam_ldap-176/configure.in 2004-09-30 22:33:14.000000000 -0400
+++ pam_ldap-176/configure.in 2004-10-28 17:24:13.692936544 -0400
@@ -133,6 +133,38 @@
AC_CHECK_FUNCS(ldap_initialize)
AC_CHECK_FUNCS(ldap_sasl_bind ldap_sasl_interactive_bind_s)
AC_CHECK_FUNCS(gethostbyname_r)
+AC_CHECK_FUNCS(snprintf strtok_r)
+AC_CHECK_LIB(resolv, main)
+AC_CHECK_HEADERS(resolv.h)
+AC_CHECK_FUNCS(res_search dn_expand)
+if test x$ac_cv_func_res_search = xno ; then
+ AC_MSG_CHECKING([for res_search again])
+ AC_TRY_LINK([#ifdef HAVE_RESOLV_H
+ #include <resolv.h>
+ #endif
+ #ifdef HAVE_STDLIB_H
+ #include <stdlib.h>
+ #endif],
+ [res_search(NULL,0,0,NULL,0);],
+ AC_DEFINE(HAVE_RES_SEARCH,1,
+ [Define if you have res_search().])
+ ac_cv_func_res_search=yes)
+ AC_CHECK_FUNCS(res_search)
+fi
+if test x$ac_cv_func_dn_expand = xno ; then
+ AC_MSG_CHECKING([for dn_expand again])
+ AC_TRY_LINK([#ifdef HAVE_RESOLV_H
+ #include <resolv.h>
+ #endif
+ #ifdef HAVE_STDLIB_H
+ #include <stdlib.h>
+ #endif],
+ [dn_expand(NULL,NULL,NULL,NULL,0);],
+ AC_DEFINE(HAVE_DN_EXPAND,1,
+ [Define if you have dn_expand().])
+ ac_cv_func_dn_expand=yes)
+ AC_CHECK_FUNCS(dn_expand)
+fi
if test "$ac_cv_func_gethostbyname_r" = "yes"; then
AC_CACHE_CHECK(whether gethostbyname_r takes 6 arguments, xad_cv_gethostbyname_r_args, [
--- /dev/null 2004-10-19 17:45:17.794252000 -0400
+++ pam_ldap-176/dnsconfig.c 2004-10-28 17:32:36.915435096 -0400
@@ -0,0 +1,214 @@
+
+/* Copyright (C) 1997-2001 Luke Howard.
+ This file started off as part of the nss_ldap library.
+ Contributed by Luke Howard, <lukeh@padl.com>, 1997.
+ (The author maintains a non-exclusive licence to distribute this file
+ under their own conditions.)
+
+ The nss_ldap library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public License as
+ published by the Free Software Foundation; either version 2 of the
+ License, or (at your option) any later version.
+
+ The nss_ldap library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Library General Public
+ License along with the nss_ldap library; see the file COPYING.LIB. If not,
+ write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ Boston, MA 02111-1307, USA.
+ */
+
+/*
+ * Support DNS SRV records. I look up the SRV record for
+ * _ldap._tcp.gnu.org.
+ * and build the DN DC=gnu,DC=org.
+ * Thanks to Assar & co for resolve.[ch].
+ */
+
+static char rcsId[] = "$Id: dnsconfig.c,v 2.24 2001/02/27 14:44:31 lukeh Exp $";
+
+#include "config.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/param.h>
+#include <netdb.h>
+#include <syslog.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <string.h>
+
+#ifdef HAVE_LBER_H
+#include <lber.h>
+#endif
+#ifdef HAVE_LDAP_H
+#include <ldap.h>
+#endif
+
+#ifndef HAVE_SNPRINTF
+#include "snprintf.h"
+#endif
+
+#include "pam_ldap.h"
+#include "resolve.h"
+#include "dnsconfig.h"
+
+#define DC_ATTR "DC"
+#define DC_ATTR_AVA DC_ATTR "="
+#define DC_ATTR_AVA_LEN (sizeof(DC_ATTR_AVA) - 1)
+
+/* map gnu.org into DC=gnu,DC=org */
+int
+_pam_ldap_getdnsdn (char *src_domain, char **rval)
+{
+ char *p;
+ int len = 0;
+#ifdef HAVE_STRTOK_R
+ char *st = NULL;
+#endif
+ char *domain;
+ char domain_copy[BUFSIZ], buffer[BUFSIZ];
+
+ /* we need to take a copy of domain, because strtok() modifies
+ * it in place. Bad.
+ */
+ if (strlen (src_domain) >= sizeof (domain_copy))
+ {
+ return PAM_SYSTEM_ERR;
+ }
+ memset (domain_copy, '\0', sizeof (domain_copy));
+ memset (buffer, '\0', sizeof (buffer));
+ strcpy (domain_copy, src_domain);
+
+ domain = domain_copy;
+
+#ifndef HAVE_STRTOK_R
+ while ((p = strtok (domain, ".")))
+#else
+ while ((p = strtok_r (domain, ".", &st)))
+#endif
+ {
+ len = strlen (p);
+
+ if (strlen (buffer) + DC_ATTR_AVA_LEN + len + 1 >= sizeof (buffer))
+ {
+ return PAM_SYSTEM_ERR;
+ }
+
+ if (domain == NULL)
+ {
+ strcat (buffer, ",");
+ }
+ else
+ {
+ domain = NULL;
+ }
+
+ strcat (buffer, DC_ATTR_AVA);
+ strcat (buffer, p);
+ }
+
+ if (rval != NULL)
+ {
+ *rval = strdup (buffer);
+ }
+
+ return PAM_SUCCESS;
+}
+
+
+int
+_pam_ldap_readconfigfromdns (pam_ldap_config_t * result)
+{
+ int stat = PAM_SUCCESS;
+ struct dns_reply *r;
+ struct resource_record *rr;
+ char domain[MAXHOSTNAMELEN + 1];
+
+ /* only reinitialize variables we'll change here */
+ result->host = NULL;
+ result->base = NULL;
+ result->port = LDAP_PORT;
+#ifdef LDAP_VERSION3
+ result->version = LDAP_VERSION3;
+#else
+ result->version = LDAP_VERSION2;
+#endif /* LDAP_VERSION3 */
+
+ if ((_res.options & RES_INIT) == 0 && res_init () == -1)
+ {
+ return PAM_SYSTEM_ERR;
+ }
+
+ snprintf (domain, sizeof (domain), "_ldap._tcp.%s.", _res.defdname);
+
+ r = dns_lookup (domain, "srv");
+ if (r == NULL)
+ {
+ return PAM_SYSTEM_ERR;
+ }
+
+ /* XXX need to sort by priority and reorder using weights */
+ for (rr = r->head; rr != NULL; rr = rr->next)
+ {
+ if (rr->type == T_SRV)
+ {
+ if (result->host != NULL)
+ {
+ /* need more space */
+ int length;
+ char *tmp;
+ length = strlen (result->host) + 1 +
+ strlen (rr->u.srv->target) + 1 + 5 + 1;
+ tmp = malloc (length);
+ if (tmp == NULL)
+ {
+ dns_free_data (r);
+ return PAM_BUF_ERR;
+ }
+ sprintf (tmp, "%s %s:%d", result->host, rr->u.srv->target,
+ rr->u.srv->port);
+ free (result->host);
+ result->host = tmp;
+ }
+ else
+ {
+ /* Server Host */
+ result->host = strdup (rr->u.srv->target);
+ if (result->host == NULL)
+ {
+ dns_free_data (r);
+ return PAM_BUF_ERR;
+ }
+ /* Port */
+ result->port = rr->u.srv->port;
+ }
+
+#ifdef LDAPS_PORT
+ /* Hack: if the port is the registered SSL port, enable SSL. */
+ if (result->port == LDAPS_PORT)
+ {
+ result->ssl_on = SSL_LDAPS;
+ }
+#endif /* SSL */
+
+ /* DN */
+ stat = _pam_ldap_getdnsdn (_res.defdname, &result->base);
+ if (stat != PAM_SUCCESS)
+ {
+ dns_free_data (r);
+ return stat;
+ }
+ }
+ }
+
+ dns_free_data (r);
+ stat = PAM_SUCCESS;
+
+ return stat;
+}
--- /dev/null 2004-10-19 17:45:17.794252000 -0400
+++ pam_ldap-176/dnsconfig.h 2004-10-28 17:24:13.694936240 -0400
@@ -0,0 +1,35 @@
+/* Copyright (C) 1997-2001 Luke Howard.
+ This file started off as part of the nss_ldap library.
+ Contributed by Luke Howard, <lukeh@padl.com>, 1997.
+ (The author maintains a non-exclusive licence to distribute this file
+ under their own conditions.)
+
+ The nss_ldap library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public License as
+ published by the Free Software Foundation; either version 2 of the
+ License, or (at your option) any later version.
+
+ The nss_ldap library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Library General Public
+ License along with the nss_ldap library; see the file COPYING.LIB. If not,
+ write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ Boston, MA 02111-1307, USA.
+ */
+
+#ifndef _LDAP_PAM_LDAP_DNSCONFIG_H
+#define _LDAP_PAM_LDAP_DNSCONFIG_H
+
+/* utility routines. */
+
+int _pam_ldap_getdnsdn (
+ char *domain,
+ char **rval);
+
+int _pam_ldap_readconfigfromdns (
+ pam_ldap_config_t *result);
+
+#endif /* _LDAP_PAM_LDAP_DNSCONFIG_H */
--- pam_ldap-176/pam_ldap.c 2004-09-30 22:33:14.000000000 -0400
+++ pam_ldap-176/pam_ldap.c 2004-10-28 17:40:56.918423088 -0400
@@ -130,6 +130,7 @@
#include "pam_ldap.h"
#include "md5.h"
+#include "dnsconfig.h"
#if defined(HAVE_SECURITY_PAM_MISC_H) || defined(HAVE_PAM_PAM_MISC_H)
/* FIXME: is there something better to check? */
@@ -1107,11 +1108,15 @@
{
/*
* According to PAM Documentation, such an error in a config file
- * SHOULD be logged at LOG_ALERT level
+ * SHOULD be logged at LOG_ALERT level, but we suppress it if DNS
+ * can provide us with the needed information
*/
- syslog (LOG_ALERT, "pam_ldap: missing \"host\" in file \"%s\"",
- configFile);
- return PAM_SERVICE_ERR;
+ if (_pam_ldap_readconfigfromdns (result) != PAM_SUCCESS)
+ {
+ syslog (LOG_ALERT, "pam_ldap: missing \"host\" in file \"%s\"",
+ configFile);
+ return PAM_SERVICE_ERR;
+ }
}
#if !(defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_H)) && !defined(HAVE_LDAP_SASL_INTERACTIVE_BIND_S)


@ -1,61 +0,0 @@
Heavily based on a patch from Masahiro Matsuya.
diff -up pam_ldap-185/pam_ldap.c pam_ldap-185/pam_ldap.c
--- pam_ldap-185/pam_ldap.c 2010-09-22 18:35:55.377828002 -0400
+++ pam_ldap-185/pam_ldap.c 2010-09-22 19:08:34.938828001 -0400
@@ -4014,6 +4014,8 @@ pam_sm_acct_mgmt (pam_handle_t * pamh, i
time_t currenttime;
long int currentday;
long int expirein = 0; /* seconds until password expires */
+ long int expireh = 0;
+ long int expires = 0;
const char *configFile = NULL;
for (i = 0; i < argc; i++)
@@ -4190,14 +4191,29 @@ pam_sm_acct_mgmt (pam_handle_t * pamh, i
}
else
{
- expirein = session->info->password_expiration_time / SECSPERDAY;
+ if ( session->info->password_expiration_time != 0 )
+ {
+ expires = session->info->password_expiration_time;
+ expirein = session->info->password_expiration_time / SECSPERDAY;
+ if ( expirein == 0 )
+ {
+ expireh = session->info->password_expiration_time / SECSPERHOUR;
+ }
+ }
+ else
+ {
+ expirein = 0;
+ }
}
- if (expirein > 0)
+ if ((expirein > 0) || (expireh > 0) || (expires > 0))
{
snprintf (buf, sizeof buf,
- "Your LDAP password will expire in %ld day%s.",
- expirein, (expirein == 1) ? "" : "s");
+ "Your LDAP password will expire in %ld %s.",
+ (expirein == 0) ? expireh : expirein,
+ (expirein == 0) ?
+ ((expireh == 1) ? "hour" : "hours") :
+ ((expirein == 1) ? "day" : "days"));
_conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
/* we set this to make sure that user can't abort a password change */
diff -up pam_ldap-185/pam_ldap.h pam_ldap-185/pam_ldap.h
--- pam_ldap-185/pam_ldap.h 2010-09-22 18:35:55.359828002 -0400
+++ pam_ldap-185/pam_ldap.h 2010-09-22 19:00:56.787828000 -0400
@@ -226,6 +226,9 @@ pam_ldap_shadow_t;
/* Seconds in a day */
#define SECSPERDAY 86400
+/* Seconds in an hour */
+#define SECSPERHOUR 3600
+
/* Netscape per-use password attributes. Unused except for DN. */
typedef struct pam_ldap_user_info
{