sanity check for host_ad and svc_ad
authorHoward Chu <hyc@openldap.org>
Mon, 20 Apr 2009 03:18:34 +0000 (03:18 +0000)
committerHoward Chu <hyc@openldap.org>
Mon, 20 Apr 2009 03:18:34 +0000 (03:18 +0000)
contrib/slapd-modules/nssov/nssov.c
contrib/slapd-modules/nssov/nssov.h
contrib/slapd-modules/nssov/pam.c

index b3e7d014be16c0fcfe3662a43ee311ef0750b8e4..1cbb28fcd483e93999c713ad8936631889f0d2b8 100644 (file)
@@ -642,6 +642,28 @@ nss_cf_gen(ConfigArgs *c)
                i = verbs_to_mask(c->argc, c->argv, pam_opts, &m);
                if (i == 0) {
                        ni->ni_pam_opts = m;
+                       if ((m & NI_PAM_USERHOST) && !nssov_pam_host_ad) {
+                               const char *text;
+                               i = slap_str2ad("host", &nssov_pam_host_ad, &text);
+                               if (i != LDAP_SUCCESS) {
+                                       snprintf(c->cr_msg, sizeof(c->cr_msg),
+                                               "nssov: host attr unknown: %s", text);
+                                       Debug(LDAP_DEBUG_ANY,"%s\n",c->cr_msg,0,0);
+                                       rc = 1;
+                                       break;
+                               }
+                       }
+                       if ((m & (NI_PAM_USERSVC|NI_PAM_HOSTSVC)) && !nssov_pam_svc_ad) {
+                               const char *text;
+                               i = slap_str2ad("authorizedService", &nssov_pam_svc_ad, &text);
+                               if (i != LDAP_SUCCESS) {
+                                       snprintf(c->cr_msg, sizeof(c->cr_msg),
+                                               "nssov: authorizedService attr unknown: %s", text);
+                                       Debug(LDAP_DEBUG_ANY,"%s\n",c->cr_msg,0,0);
+                                       rc = 1;
+                                       break;
+                               }
+                       }
                } else {
                        rc = 1;
                }
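Review bot: `ni->ni_pam_opts = m;` is stored before the two slap_str2ad sanity checks run, so when a lookup fails the instance keeps option bits whose attribute description is still NULL even though the directive is rejected with `rc = 1`. Since both checks already test the local `m` rather than the stored field, moving the assignment below the second `if` block (immediately before the `} else {`) makes a rejected directive leave the previous options untouched. The `break` inside the `if (i == 0)` branch suggests this sits in a switch case whose head is outside the hunk, and nss_cf_gen itself starts outside it.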
@@ -731,6 +753,28 @@ nssov_db_open(
                mi->mi_attrs[j].an_desc = NULL;
        }
 
+       /* Find host and authorizedService definitions */
+       if ((ni->ni_pam_opts & NI_PAM_USERHOST) && !nssov_pam_host_ad)
+       {
+               const char *text;
+               i = slap_str2ad("host", &nssov_pam_host_ad, &text);
+               if (i != LDAP_SUCCESS) {
+                       Debug(LDAP_DEBUG_ANY,"nssov: host attr unknown: %s\n",
+                               text, 0, 0 );
+                       return -1;
+               }
+       }
+       if ((ni->ni_pam_opts & (NI_PAM_USERSVC|NI_PAM_HOSTSVC)) &&
+               !nssov_pam_svc_ad)
+       {
+               const char *text;
+               i = slap_str2ad("authorizedService", &nssov_pam_svc_ad, &text);
+               if (i != LDAP_SUCCESS) {
+                       Debug(LDAP_DEBUG_ANY,"nssov: authorizedService attr unknown: %s\n",
+                               text, 0, 0 );
+                       return -1;
+               }
+       }
        if ( slapMode & SLAP_SERVER_MODE ) {
                /* create a socket */
                if ( (sock=socket(PF_UNIX,SOCK_STREAM,0))<0 )
index 2f41b10bab1359424db1bd163e4ec2bcc8673aa8..9c822d5e3c53780bec1e7caa59dbc6b3cca57718 100644 (file)
@@ -74,8 +74,6 @@ typedef struct nssov_info
        AttributeDescription *ni_pam_template_ad;
        struct berval ni_pam_template;
        struct berval ni_pam_defhost;
-       AttributeDescription *ni_pam_host_ad;
-       AttributeDescription *ni_pam_svc_ad;
 } nssov_info;
 
 #define NI_PAM_USERHOST                1       /* old style host checking */
@@ -88,6 +86,9 @@ typedef struct nssov_info
 #define        NI_PAM_OLD      (NI_PAM_USERHOST|NI_PAM_USERSVC|NI_PAM_USERGRP)
 #define        NI_PAM_NEW      NI_PAM_HOSTSVC
 
+extern AttributeDescription *nssov_pam_host_ad;
+extern AttributeDescription *nssov_pam_svc_ad;
+
 /* Read the default configuration file. */
 void nssov_cfg_init(nssov_info *ni,const char *fname);
 
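Review bot: The two new `extern` declarations carry no comment, and since they replace per-instance struct members a reader will want to know that every nssov instance now shares them and who fills them in; a line such as `/* Shared by all nssov instances; resolved on demand by nss_cf_gen / nssov_db_open, NULL until then. */` above them would cover that. Their defining declaration does not appear in any of the hunks shown, so presumably it lives in nssov.c or pam.c outside the diff and is worth checking.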
index c2f950f579a0cabf3f9e55a460457d8138d153d1..d2cfcbc4df308fb99c5c03d62fc3d96b77cc124b 100644 (file)
@@ -248,9 +248,12 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
        }
 
        /* See if they have access to the host and service */
-       if (ni->ni_pam_opts & NI_PAM_HOSTSVC) {
+       if ((ni->ni_pam_opts & NI_PAM_HOSTSVC) && nssov_pam_svc_ad) {
                AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
                struct berval hostdn = BER_BVNULL;
+               struct berval odn = op->o_ndn;
+               op->o_dn = dn;
+               op->o_ndn = dn;
                {
                        nssov_mapinfo *mi = &ni->ni_maps[NM_host];
                        char fbuf[1024];
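Review bot: Adding `&& nssov_pam_svc_ad` to the NI_PAM_HOSTSVC condition makes the host/service authorization fail open: if the option is set but the attribute description was never resolved, the whole compare block is skipped and pam_authz carries on as if the user had passed it. The config and db_open checks this commit adds should make that state unreachable, but a NULL description here is a configuration error and should deny rather than skip, following the pattern the existing error path already uses: `if (ni->ni_pam_opts & NI_PAM_HOSTSVC) { if (!nssov_pam_svc_ad) { rc = PAM_PERM_DENIED; goto finish; }`. Separately, only `op->o_ndn` is saved in `odn` while both `o_dn` and `o_ndn` are overwritten, so a caller whose o_dn was not in normalized form gets it back normalized. pam_authz starts and the `finish` label lie outside the hunk.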
@@ -299,7 +302,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
                op->o_tag = LDAP_REQ_COMPARE;
                op->o_req_dn = hostdn;
                op->o_req_ndn = hostdn;
-               ava.aa_desc = ni->ni_pam_svc_ad;
+               ava.aa_desc = nssov_pam_svc_ad;
                ava.aa_value = svc;
                op->orc_ava = &ava;
                rc = op->o_bd->be_compare( op, &rs );
@@ -308,6 +311,8 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
                        rc = PAM_PERM_DENIED;
                        goto finish;
                }
+               op->o_dn = odn;
+               op->o_ndn = odn;
        }
 
        /* See if they're a member of the group */
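Review bot: The restore of `op->o_dn`/`op->o_ndn` added after the compare is bypassed by the `goto finish` on the PAM_PERM_DENIED path just above it, so on a denied compare the operation leaves this block still carrying the user's DN as its identity. Whether that matters depends on what `finish:` does with op afterwards, which is outside the hunk, but restoring before the goto, or moving the restore under `finish:` guarded by the same NI_PAM_HOSTSVC condition, removes the asymmetry. Note also that `odn` was taken from `o_ndn` only, so `op->o_dn = odn;` writes the normalized form back into o_dn.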
@@ -340,9 +345,9 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
                        goto finish;
                }
        }
-       if (ni->ni_pam_opts & NI_PAM_USERHOST) {
-               a = attr_find(e->e_attrs, ni->ni_pam_host_ad);
-               if (!a || value_find_ex( ni->ni_pam_host_ad,
+       if ((ni->ni_pam_opts & NI_PAM_USERHOST) && nssov_pam_host_ad) {
+               a = attr_find(e->e_attrs, nssov_pam_host_ad);
+               if (!a || value_find_ex( nssov_pam_host_ad,
                        SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
                        a->a_vals, &global_host_bv, op->o_tmpmemctx )) {
                        rc = PAM_PERM_DENIED;
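Review bot: Guarding the NI_PAM_USERHOST branch with `&& nssov_pam_host_ad` turns an unresolved `host` attribute into a silent pass: the attr_find/value_find_ex check that would otherwise deny is skipped entirely and the caller continues. A NULL description with the option enabled is a misconfiguration, so the safer shape is `if (ni->ni_pam_opts & NI_PAM_USERHOST) { if (!nssov_pam_host_ad) { rc = PAM_PERM_DENIED; goto finish; }` followed by the existing lookup, mirroring the deny path already used a few lines below. The enclosing pam_authz runs past both edges of this hunk.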
@@ -350,9 +355,9 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
                        goto finish;
                }
        }
-       if (ni->ni_pam_opts & NI_PAM_USERSVC) {
-               a = attr_find(e->e_attrs, ni->ni_pam_svc_ad);
-               if (!a || value_find_ex( ni->ni_pam_svc_ad,
+       if ((ni->ni_pam_opts & NI_PAM_USERSVC) && nssov_pam_svc_ad) {
+               a = attr_find(e->e_attrs, nssov_pam_svc_ad);
+               if (!a || value_find_ex( nssov_pam_svc_ad,
                        SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
                        a->a_vals, &svc, op->o_tmpmemctx )) {
                        rc = PAM_PERM_DENIED;
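Review bot: The NI_PAM_USERSVC branch has the same fail-open shape as the USERHOST one: with the option set and `nssov_pam_svc_ad` NULL, the authorizedService membership test is skipped rather than denied. Resolving this to a deny keeps a missing schema definition from granting access: `if (ni->ni_pam_opts & NI_PAM_USERSVC) { if (!nssov_pam_svc_ad) { rc = PAM_PERM_DENIED; goto finish; }` before the existing attr_find call. The hunk ends inside the deny block, and pam_authz continues outside it.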