1 /* nssov.h - NSS overlay header file */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2008-2015 The OpenLDAP Foundation.
6 * Portions Copyright 2008 Howard Chu.
7 * Portions Copyright 2013 Ted C. Cheng, Symas Corp.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted only as authorized by the OpenLDAP
14 * A copy of this license is available in the file LICENSE in the
15 * top-level directory of the distribution or, alternatively, at
16 * <http://www.OpenLDAP.org/license.html>.
23 #define NSLCD_PATH "/var/run/nslcd"
27 #define NSLCD_SOCKET NSLCD_PATH "/socket"
33 #include "nslcd-prot.h"
37 #undef PACKAGE_BUGREPORT
40 #undef PACKAGE_TARNAME
41 #undef PACKAGE_VERSION
45 #include <ac/string.h>
47 /* selectors for different maps */
48 enum nssov_map_selector
64 typedef struct nssov_mapinfo {
65 struct berval mi_base;
67 struct berval mi_filter0;
68 struct berval mi_filter;
69 struct berval *mi_attrkeys;
70 AttributeName *mi_attrs;
73 typedef struct nssov_info
75 /* search timelimit */
77 struct nssov_mapinfo ni_maps[NM_NONE];
82 /* PAM authz support... */
83 slap_mask_t ni_pam_opts;
84 struct berval ni_pam_group_dn;
85 AttributeDescription *ni_pam_group_ad;
88 AttributeDescription *ni_pam_template_ad;
89 struct berval ni_pam_template;
90 struct berval ni_pam_defhost;
91 struct berval *ni_pam_sessions;
92 struct berval ni_pam_password_prohibit_message;
93 struct berval ni_pam_pwdmgr_dn;
94 struct berval ni_pam_pwdmgr_pwd;
97 #define NI_PAM_USERHOST 1 /* old style host checking */
98 #define NI_PAM_USERSVC 2 /* old style service checking */
99 #define NI_PAM_USERGRP 4 /* old style group checking */
100 #define NI_PAM_HOSTSVC 8 /* new style authz checking */
101 #define NI_PAM_SASL2DN 0x10 /* use sasl2dn */
102 #define NI_PAM_UID2DN 0x20 /* use uid2dn */
104 #define NI_PAM_OLD (NI_PAM_USERHOST|NI_PAM_USERSVC|NI_PAM_USERGRP)
105 #define NI_PAM_NEW NI_PAM_HOSTSVC
107 extern AttributeDescription *nssov_pam_host_ad;
108 extern AttributeDescription *nssov_pam_svc_ad;
110 /* Read the default configuration file. */
111 void nssov_cfg_init(nssov_info *ni,const char *fname);
113 /* macros for basic read and write operations, the following
114 ERROR_OUT* marcos define the action taken on errors
115 the stream is not closed because the caller closes the
118 #define ERROR_OUT_WRITEERROR(fp) \
119 Debug(LDAP_DEBUG_ANY,"nssov: error writing to client\n",0,0,0); \
122 #define ERROR_OUT_READERROR(fp) \
123 Debug(LDAP_DEBUG_ANY,"nssov: error reading from client\n",0,0,0); \
126 #define ERROR_OUT_BUFERROR(fp) \
127 Debug(LDAP_DEBUG_ANY,"nssov: client supplied argument too large\n",0,0,0); \
130 #define WRITE_BERVAL(fp,bv) \
131 DEBUG_PRINT("WRITE_STRING: var="__STRING(bv)" string=\"%s\"",(bv)->bv_val); \
138 WRITE_INT32(fp,(bv)->bv_len); \
140 { WRITE(fp,(bv)->bv_val,tmpint32); } \
143 #define WRITE_BVARRAY(fp,arr) \
144 /* first determine length of array */ \
145 for (tmp3int32=0;(arr)[tmp3int32].bv_val!=NULL;tmp3int32++) \
147 /* write number of strings */ \
148 DEBUG_PRINT("WRITE_BVARRAY: var="__STRING(arr)" num=%d",(int)tmp3int32); \
149 WRITE_TYPE(fp,tmp3int32,int32_t); \
150 /* write strings */ \
151 for (tmp2int32=0;tmp2int32<tmp3int32;tmp2int32++) \
153 WRITE_BERVAL(fp,&(arr)[tmp2int32]); \
156 /* This tries to get the user password attribute from the entry.
157 It will try to return an encrypted password as it is used in /etc/passwd,
158 /etc/group or /etc/shadow depending upon what is in the directory.
159 This function will return NULL if no passwd is found and will return the
160 literal value in the directory if conversion is not possible. */
161 void get_userpassword(struct berval *attr, struct berval *pw);
163 /* write out an address, parsing the addr value */
164 int write_address(TFILE *fp,struct berval *addr);
166 /* a helper macro to write out addresses and bail out on errors */
167 #define WRITE_ADDRESS(fp,addr) \
168 if (write_address(fp,addr)) \
171 /* read an address from the stream */
172 int read_address(TFILE *fp,char *addr,int *addrlen,int *af);
174 /* helper macro to read an address from the stream */
175 #define READ_ADDRESS(fp,addr,len,af) \
176 len=(int)sizeof(addr); \
177 if (read_address(fp,addr,&(len),&(af))) \
180 /* checks to see if the specified string is a valid username */
181 int isvalidusername(struct berval *name);
183 /* transforms the DN into a uid doing an LDAP lookup if needed */
184 int nssov_dn2uid(Operation *op,nssov_info *ni,struct berval *dn,struct berval *uid);
186 /* transforms the uid into a DN by doing an LDAP lookup */
187 int nssov_uid2dn(Operation *op,nssov_info *ni,struct berval *uid,struct berval *dn);
188 int nssov_name2dn_cb(Operation *op, SlapReply *rs);
190 /* Escapes characters in a string for use in a search filter. */
191 int nssov_escape(struct berval *src,struct berval *dst);
193 int nssov_filter_byname(nssov_mapinfo *mi,int key,struct berval *name,struct berval *buf);
194 int nssov_filter_byid(nssov_mapinfo *mi,int key,struct berval *id,struct berval *buf);
196 void nssov_alias_init(nssov_info *ni);
197 void nssov_ether_init(nssov_info *ni);
198 void nssov_group_init(nssov_info *ni);
199 void nssov_host_init(nssov_info *ni);
200 void nssov_netgroup_init(nssov_info *ni);
201 void nssov_network_init(nssov_info *ni);
202 void nssov_passwd_init(nssov_info *ni);
203 void nssov_protocol_init(nssov_info *ni);
204 void nssov_rpc_init(nssov_info *ni);
205 void nssov_service_init(nssov_info *ni);
206 void nssov_shadow_init(nssov_info *ni);
208 int nssov_pam_init(void);
210 /* these are the different functions that handle the database
211 specific actions, see nslcd.h for the action descriptions */
212 int nssov_alias_byname(nssov_info *ni,TFILE *fp,Operation *op);
213 int nssov_alias_all(nssov_info *ni,TFILE *fp,Operation *op);
214 int nssov_ether_byname(nssov_info *ni,TFILE *fp,Operation *op);
215 int nssov_ether_byether(nssov_info *ni,TFILE *fp,Operation *op);
216 int nssov_ether_all(nssov_info *ni,TFILE *fp,Operation *op);
217 int nssov_group_byname(nssov_info *ni,TFILE *fp,Operation *op);
218 int nssov_group_bygid(nssov_info *ni,TFILE *fp,Operation *op);
219 int nssov_group_bymember(nssov_info *ni,TFILE *fp,Operation *op);
220 int nssov_group_all(nssov_info *ni,TFILE *fp,Operation *op);
221 int nssov_host_byname(nssov_info *ni,TFILE *fp,Operation *op);
222 int nssov_host_byaddr(nssov_info *ni,TFILE *fp,Operation *op);
223 int nssov_host_all(nssov_info *ni,TFILE *fp,Operation *op);
224 int nssov_netgroup_byname(nssov_info *ni,TFILE *fp,Operation *op);
225 int nssov_network_byname(nssov_info *ni,TFILE *fp,Operation *op);
226 int nssov_network_byaddr(nssov_info *ni,TFILE *fp,Operation *op);
227 int nssov_network_all(nssov_info *ni,TFILE *fp,Operation *op);
228 int nssov_passwd_byname(nssov_info *ni,TFILE *fp,Operation *op);
229 int nssov_passwd_byuid(nssov_info *ni,TFILE *fp,Operation *op);
230 int nssov_passwd_all(nssov_info *ni,TFILE *fp,Operation *op);
231 int nssov_protocol_byname(nssov_info *ni,TFILE *fp,Operation *op);
232 int nssov_protocol_bynumber(nssov_info *ni,TFILE *fp,Operation *op);
233 int nssov_protocol_all(nssov_info *ni,TFILE *fp,Operation *op);
234 int nssov_rpc_byname(nssov_info *ni,TFILE *fp,Operation *op);
235 int nssov_rpc_bynumber(nssov_info *ni,TFILE *fp,Operation *op);
236 int nssov_rpc_all(nssov_info *ni,TFILE *fp,Operation *op);
237 int nssov_service_byname(nssov_info *ni,TFILE *fp,Operation *op);
238 int nssov_service_bynumber(nssov_info *ni,TFILE *fp,Operation *op);
239 int nssov_service_all(nssov_info *ni,TFILE *fp,Operation *op);
240 int nssov_shadow_byname(nssov_info *ni,TFILE *fp,Operation *op);
241 int nssov_shadow_all(nssov_info *ni,TFILE *fp,Operation *op);
242 int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid);
243 int pam_authz(nssov_info *ni,TFILE *fp,Operation *op);
244 int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op);
245 int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op);
246 int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid);
248 /* config initialization */
249 #define NSSOV_INIT(db) \
250 void nssov_##db##_init(nssov_info *ni) \
252 nssov_mapinfo *mi = &ni->ni_maps[NM_##db]; \
254 for (i=0;!BER_BVISNULL(&db##_keys[i]);i++); \
256 mi->mi_attrs = ch_malloc( i*sizeof(AttributeName)); \
257 for (i=0;!BER_BVISNULL(&db##_keys[i]);i++) { \
258 mi->mi_attrs[i].an_name = db##_keys[i]; \
259 mi->mi_attrs[i].an_desc = NULL; \
261 mi->mi_scope = LDAP_SCOPE_DEFAULT; \
262 mi->mi_filter0 = db##_filter; \
263 ber_dupbv( &mi->mi_filter, &mi->mi_filter0 ); \
264 mi->mi_filter = db##_filter; \
265 mi->mi_attrkeys = db##_keys; \
266 BER_BVZERO(&mi->mi_base); \
269 /* param structure for search callback */
270 #define NSSOV_CBPRIV(db,parms) \
271 typedef struct nssov_##db##_cbp { \
278 /* callback for writing search results */
279 #define NSSOV_CB(db) \
280 static int nssov_##db##_cb(Operation *op, SlapReply *rs) \
282 if ( rs->sr_type == REP_SEARCH ) { \
283 nssov_##db##_cbp *cbp = op->o_callback->sc_private; \
284 if (write_##db(cbp,rs->sr_entry)) return LDAP_OTHER; \
286 return LDAP_SUCCESS; \
289 /* macro for generating service handling code */
290 #define NSSOV_HANDLE(db,fn,readfn,logcall,action,mkfilter) \
291 int nssov_##db##_##fn(nssov_info *ni,TFILE *fp,Operation *op) \
293 /* define common variables */ \
296 nssov_##db##_cbp cbp; \
297 slap_callback cb = {0}; \
298 SlapReply rs = {REP_RESULT}; \
299 cbp.mi = &ni->ni_maps[NM_##db]; \
302 /* read request parameters */ \
306 /* write the response header */ \
307 WRITE_INT32(fp,NSLCD_VERSION); \
308 WRITE_INT32(fp,action); \
309 /* prepare the search filter */ \
312 Debug(LDAP_DEBUG_ANY,"nssov_" __STRING(db) "_" __STRING(fn) "(): filter buffer too small",0,0,0); \
315 cb.sc_private = &cbp; \
316 op->o_callback = &cb; \
317 cb.sc_response = nssov_##db##_cb; \
318 slap_op_time( &op->o_time, &op->o_tincr ); \
319 op->o_req_dn = cbp.mi->mi_base; \
320 op->o_req_ndn = cbp.mi->mi_base; \
321 op->ors_scope = cbp.mi->mi_scope; \
322 op->ors_filterstr = filter; \
323 op->ors_filter = str2filter_x( op, filter.bv_val ); \
324 op->ors_attrs = cbp.mi->mi_attrs; \
325 op->ors_tlimit = SLAP_NO_LIMIT; \
326 op->ors_slimit = SLAP_NO_LIMIT; \
327 /* do the internal search */ \
328 op->o_bd->be_search( op, &rs ); \
329 filter_free_x( op, op->ors_filter, 1 ); \
330 WRITE_INT32(fp,NSLCD_RESULT_END); \