]> git.sur5r.net Git - openldap/blobdiff - contrib/slapd-modules/nssov/nssov.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Happy New Year!
[openldap] / contrib / slapd-modules / nssov / nssov.c
diff --git a/contrib/slapd-modules/nssov/nssov.c b/contrib/slapd-modules/nssov/nssov.c
index bada9de3be89f1612a3ebb89d058646c044be48c..35062dca3a53328a4b6279ec03bc2988a95c149a 100644 (file)
--- a/contrib/slapd-modules/nssov/nssov.c
+++ b/contrib/slapd-modules/nssov/nssov.c
@@ -1,7 +1,9 @@
 /* nssov.c - nss-ldap overlay for slapd */
 /* $OpenLDAP$ */
-/*
- * Copyright 2008-2009 by Howard Chu, Symas Corp.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>. 
+ *
+ * Copyright 2008-2012 The OpenLDAP Foundation.
+ * Portions Copyright 2008 by Howard Chu, Symas Corp.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -12,7 +14,7 @@
  * top-level directory of the distribution or, alternatively, at
  * <http://www.OpenLDAP.org/license.html>.
  */
-/*
+/* ACKNOWLEDGEMENTS:
  * This code references portions of the nss-ldapd package
  * written by Arthur de Jong. The nss-ldapd code was forked
  * from the nss-ldap library written by Luke Howard.
@@ -258,9 +260,11 @@ static void handleconnection(nssov_info *ni,int sock,Operation *op)
   uid_t uid;
   gid_t gid;
   char authid[sizeof("gidNumber=4294967295+uidNumber=424967295,cn=peercred,cn=external,cn=auth")];
+  char peerbuf[8];
+  struct berval peerbv = { sizeof(peerbuf), peerbuf };
 
   /* log connection */
-  if (lutil_getpeereid(sock,&uid,&gid))
+  if (LUTIL_GETPEEREID(sock,&uid,&gid,&peerbv))
     Debug( LDAP_DEBUG_TRACE,"nssov: connection from unknown client: %s\n",strerror(errno),0,0);
   else
     Debug( LDAP_DEBUG_TRACE,"nssov: connection from uid=%d gid=%d\n",
@@ -327,8 +331,8 @@ static void handleconnection(nssov_info *ni,int sock,Operation *op)
     case NSLCD_ACTION_SHADOW_ALL:       if (uid==0) (void)nssov_shadow_all(ni,fp,op); break;
        case NSLCD_ACTION_PAM_AUTHC:            (void)pam_authc(ni,fp,op); break;
        case NSLCD_ACTION_PAM_AUTHZ:            (void)pam_authz(ni,fp,op); break;
-       case NSLCD_ACTION_PAM_SESS_O:           (void)pam_sess_o(ni,fp,op); break;
-       case NSLCD_ACTION_PAM_SESS_C:           (void)pam_sess_c(ni,fp,op); break;
+       case NSLCD_ACTION_PAM_SESS_O:           if (uid==0) (void)pam_sess_o(ni,fp,op); break;
+       case NSLCD_ACTION_PAM_SESS_C:           if (uid==0) (void)pam_sess_c(ni,fp,op); break;
        case NSLCD_ACTION_PAM_PWMOD:            (void)pam_pwmod(ni,fp,op); break;
     default:
       Debug( LDAP_DEBUG_ANY,"nssov: invalid request id: %d",(int)action,0,0);
@@ -397,16 +401,16 @@ static void *acceptconn(void *ctx, void *arg)
 }
 
 static slap_verbmasks nss_svcs[] = {
-       { BER_BVC("alias"), NM_alias },
-       { BER_BVC("ether"), NM_ether },
+       { BER_BVC("aliases"), NM_alias },
+       { BER_BVC("ethers"), NM_ether },
        { BER_BVC("group"), NM_group },
-       { BER_BVC("host"), NM_host },
+       { BER_BVC("hosts"), NM_host },
        { BER_BVC("netgroup"), NM_netgroup },
-       { BER_BVC("network"), NM_network },
+       { BER_BVC("networks"), NM_network },
        { BER_BVC("passwd"), NM_passwd },
-       { BER_BVC("protocol"), NM_protocol },
+       { BER_BVC("protocols"), NM_protocol },
        { BER_BVC("rpc"), NM_rpc },
-       { BER_BVC("service"), NM_service },
+       { BER_BVC("services"), NM_service },
        { BER_BVC("shadow"), NM_shadow },
        { BER_BVNULL, 0 }
 };
@@ -416,7 +420,7 @@ static slap_verbmasks pam_opts[] = {
        { BER_BVC("userservice"), NI_PAM_USERSVC },
        { BER_BVC("usergroup"), NI_PAM_USERGRP },
        { BER_BVC("hostservice"), NI_PAM_HOSTSVC },
-       { BER_BVC("sasl2dn"), NI_PAM_SASL2DN },
+       { BER_BVC("authz2dn"), NI_PAM_SASL2DN },
        { BER_BVC("uid2dn"), NI_PAM_UID2DN },
        { BER_BVNULL, 0 }
 };
@@ -426,6 +430,7 @@ enum {
        NSS_MAP,
        NSS_PAM,
        NSS_PAMGROUP,
+       NSS_PAMSESS
 };
 
 static ConfigDriver nss_cf_gen;
@@ -457,7 +462,7 @@ static ConfigTable nsscfg[] = {
                        "DESC 'DN of group in which membership is required' "
                        "EQUALITY distinguishedNameMatch "
                        "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL },
-       { "nssov-pam-group-ad", "options", 2, 2, 0, ARG_OFFSET|ARG_ATDESC,
+       { "nssov-pam-group-ad", "attr", 2, 2, 0, ARG_OFFSET|ARG_ATDESC,
                (void *)offsetof(struct nssov_info, ni_pam_group_ad),
                "(OLcfgCtAt:3.6 NAME 'olcNssPamGroupAD' "
                        "DESC 'Member attribute to use for group check' "
@@ -487,6 +492,11 @@ static ConfigTable nsscfg[] = {
                        "DESC 'Default template login name' "
                        "EQUALITY caseIgnoreMatch "
                        "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+       { "nssov-pam-session", "service", 2, 2, 0, ARG_MAGIC|ARG_BERVAL|NSS_PAMSESS,
+               nss_cf_gen, "(OLcfgCtAt:3.11 NAME 'olcNssPamSession' "
+                       "DESC 'Services for which sessions will be recorded' "
+                       "EQUALITY caseIgnoreMatch "
+                       "SYNTAX OMsDirectoryString )", NULL, NULL },
        { NULL, NULL, 0,0,0, ARG_IGNORED }
 };
 
@@ -497,7 +507,7 @@ static ConfigOCs nssocs[] = {
                "SUP olcOverlayConfig "
                "MAY ( olcNssSsd $ olcNssMap $ olcNssPam $ olcNssPamDefHost $ "
                        "olcNssPamGroupDN $ olcNssPamGroupAD $ "
-                       "olcNssPamMinUid $ olcNssPamMaxUid $ "
+                       "olcNssPamMinUid $ olcNssPamMaxUid $ olcNssPamSession $ "
                        "olcNssPamTemplateAD $ olcNssPamTemplate ) )",
                Cft_Overlay, nsscfg },
        { NULL, 0, NULL }
@@ -577,6 +587,13 @@ nss_cf_gen(ConfigArgs *c)
                                rc = 1;
                        }
                        break;
+               case NSS_PAMSESS:
+                       if (ni->ni_pam_sessions) {
+                               ber_bvarray_dup_x( &c->rvalue_vals, ni->ni_pam_sessions, NULL );
+                       } else {
+                               rc = 1;
+                       }
+                       break;
                }
                return rc;
        } else if ( c->op == LDAP_MOD_DELETE ) {
@@ -676,6 +693,9 @@ nss_cf_gen(ConfigArgs *c)
                ni->ni_pam_group_dn = c->value_ndn;
                ch_free( c->value_dn.bv_val );
                break;
+       case NSS_PAMSESS:
+               ber_bvarray_add( &ni->ni_pam_sessions, &c->value_bv );
+               break;
        }
        return rc;
 }
@@ -688,9 +708,12 @@ nssov_db_init(
        slap_overinst *on = (slap_overinst *)be->bd_info;
        nssov_info *ni;
        nssov_mapinfo *mi;
-       int i, j;
+       int rc;
 
-       ni = ch_malloc( sizeof(nssov_info) );
+       rc = nssov_pam_init();
+       if (rc) return rc;
+
+       ni = ch_calloc( 1, sizeof(nssov_info) );
        on->on_bi.bi_private = ni;
 
        /* set up map keys */
@@ -707,6 +730,7 @@ nssov_db_init(
        nssov_shadow_init(ni);
 
        ni->ni_db = be->bd_self;
+       ni->ni_pam_opts = NI_PAM_UID2DN;
 
        return 0;
 }
@@ -780,16 +804,24 @@ nssov_db_open(
                }
        }
        if ( slapMode & SLAP_SERVER_MODE ) {
+               /* make sure /var/run/nslcd exists */
+               if (mkdir(NSLCD_PATH, (mode_t) 0555)) {
+                       Debug(LDAP_DEBUG_TRACE,"nssov: mkdir(%s) failed (ignored): %s\n",
+                                       NSLCD_PATH,strerror(errno),0);
+               } else {
+                       Debug(LDAP_DEBUG_TRACE,"nssov: created %s\n",NSLCD_PATH,0,0);
+               }
+
                /* create a socket */
                if ( (sock=socket(PF_UNIX,SOCK_STREAM,0))<0 )
                {
-                       Debug(LDAP_DEBUG_ANY,"nssov: cannot create socket: %s",strerror(errno),0,0);
+                       Debug(LDAP_DEBUG_ANY,"nssov: cannot create socket: %s\n",strerror(errno),0,0);
                        return -1;
                }
                /* remove existing named socket */
                if (unlink(NSLCD_SOCKET)<0)
                {
-                       Debug( LDAP_DEBUG_TRACE,"nssov: unlink() of "NSLCD_SOCKET" failed (ignored): %s",
+                       Debug( LDAP_DEBUG_TRACE,"nssov: unlink() of "NSLCD_SOCKET" failed (ignored): %s\n",
                                                        strerror(errno),0,0);
                }
                /* create socket address structure */
@@ -849,18 +881,20 @@ nssov_db_close(
        slap_overinst *on = (slap_overinst *)be->bd_info;
        nssov_info *ni = on->on_bi.bi_private;
 
-       /* close socket if it's still in use */
-       if (ni->ni_socket >= 0);
-       {
-               if (close(ni->ni_socket))
-                       Debug( LDAP_DEBUG_ANY,"problem closing server socket (ignored): %s",strerror(errno),0,0);
-               ni->ni_socket = -1;
-       }
-       /* remove existing named socket */
-       if (unlink(NSLCD_SOCKET)<0)
-       {
-               Debug( LDAP_DEBUG_TRACE,"unlink() of "NSLCD_SOCKET" failed (ignored): %s",
-                       strerror(errno),0,0);
+       if ( slapMode & SLAP_SERVER_MODE ) {
+               /* close socket if it's still in use */
+               if (ni->ni_socket >= 0);
+               {
+                       if (close(ni->ni_socket))
+                               Debug( LDAP_DEBUG_ANY,"problem closing server socket (ignored): %s",strerror(errno),0,0);
+                       ni->ni_socket = -1;
+               }
+               /* remove existing named socket */
+               if (unlink(NSLCD_SOCKET)<0)
+               {
+                       Debug( LDAP_DEBUG_TRACE,"unlink() of "NSLCD_SOCKET" failed (ignored): %s",
+                               strerror(errno),0,0);
+               }
        }
 }
 
Cloned from git://git.openldap.org/openldap.git