From: Howard Chu
Date: Thu, 23 Apr 2009 00:38:41 +0000 (+0000)
Subject: More for session management
X-Git-Tag: ACLCHECK_0~603
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=4a6d46dfa9a2747e0ddba11278e0999d22153d16;p=openldap
More for session management
---
diff --git a/contrib/slapd-modules/nssov/README b/contrib/slapd-modules/nssov/README
index ba76fd1ea3..5ce2c86845 100644
--- a/contrib/slapd-modules/nssov/README
+++ b/contrib/slapd-modules/nssov/README
@@ -120,7 +120,7 @@ of the authorizedServiceObject auxiliary class) to use this method. Session management: the overlay may optionally add a "logged in" attribute to a user's entry for successful logins, and delete the corresponding value upon logout. The attribute value is of the form - + Password management: the overlay will perform a PasswordModify exop in the server for the given user.
diff --git a/contrib/slapd-modules/nssov/nss-ldapd/nss/pam.c b/contrib/slapd-modules/nssov/nss-ldapd/nss/pam.c
index 40b1e4cd6e..7a9d56e3b7 100644
--- a/contrib/slapd-modules/nssov/nss-ldapd/nss/pam.c
+++ b/contrib/slapd-modules/nssov/nss-ldapd/nss/pam.c
@@ -414,24 +414,36 @@ int pam_sm_acct_mgmt(
 return rc;
 }
 
-static enum nss_status pam_do_sess_o(
- pld_ctx *ctx, const char *svc,int *errnop)
+static enum nss_status pam_do_sess(
+ pam_handle_t *pamh,pld_ctx *ctx,int action,int *errnop)
 {
- NSS_BYGEN(NSLCD_ACTION_PAM_SESS_O,
+ const char *svc = NULL, *tty = NULL, *rhost = NULL, *ruser = NULL;
+
+ pam_get_item (pamh, PAM_SERVICE, (CONST_ARG void **) &svc);
+ pam_get_item (pamh, PAM_TTY, (CONST_ARG void **) &tty);
+ pam_get_item (pamh, PAM_RHOST, (CONST_ARG void **) &rhost);
+ pam_get_item (pamh, PAM_RUSER, (CONST_ARG void **) &ruser);
+
+ {
+ NSS_BYGEN(action,
 WRITE_STRING(fp,ctx->user);
 WRITE_STRING(fp,ctx->dn);
- WRITE_STRING(fp,svc),
+ WRITE_STRING(fp,svc);
+ WRITE_STRING(fp,tty);
+ WRITE_STRING(fp,rhost);
+ WRITE_STRING(fp,ruser),
 NSS_STATUS_SUCCESS);
+ }
 }
 
-int pam_sm_open_session(
- pam_handle_t *pamh, int flags, int argc, const char **argv)
+int pam_sm_session(
+ pam_handle_t *pamh, int flags, int argc, const char **argv,
+ int action, int *no_warn)
 {
 int rc, err;
- const char *username, *svc;
- int no_warn = 0, ignore_flags = 0;
+ const char *username;
+ int ignore_flags = 0;
 int i, success = PAM_SUCCESS;
- struct pam_conv *appconv;
 pld_ctx *ctx = NULL;
 
 for (i = 0; i < argc; i++)
@@ -441,7 +453,7 @@ int pam_sm_open_session(
 else if (!strcmp (argv[i], "try_first_pass"))
 ;
 else if (!strcmp (argv[i], "no_warn"))
- no_warn = 1;
+ *no_warn = 1;
 else if (!strcmp (argv[i], "ignore_unknown_user"))
 ignore_flags |= IGNORE_UNKNOWN;
 else if (!strcmp (argv[i], "ignore_authinfo_unavail"))
@@ -453,11 +465,7 @@ int pam_sm_open_session(
 }
 
 if (flags & PAM_SILENT)
- no_warn = 1;
-
- rc = pam_get_item (pamh, PAM_CONV, (CONST_ARG void **) &appconv);
- if (rc != PAM_SUCCESS)
- return rc;
+ *no_warn = 1;
 
 rc = pam_get_user (pamh, (CONST_ARG char **) &username, NULL);
 if (rc != PAM_SUCCESS)
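Review bot: The four `pam_get_item` calls in the new `pam_do_sess` discard their return codes, so a failed lookup is indistinguishable from an item that is simply unset and its NULL pointer goes straight into `WRITE_STRING`, whereas the removed `pam_do_sess_o` path returned the `pam_get_item` error for PAM_SERVICE. Keep that check for the service name, `if (pam_get_item (pamh, PAM_SERVICE, (CONST_ARG void **) &svc) != PAM_SUCCESS) return NSS_STATUS_UNAVAIL;` (or whichever status `NSS2PAM_RC` maps to an error), and put a comment on the other three, `/* tty, rhost, ruser are optional PAM items; NULL is expected and relies on WRITE_STRING accepting a NULL pointer */`, since whether WRITE_STRING tolerates NULL is not visible here. The bare `{ ... }` block wrapped around `NSS_BYGEN` presumably exists because the macro declares variables after the statements above; a one-line comment saying so would save the next reader a trip to the macro definition. `pam_sm_session` is not a PAM entry point yet carries the `pam_sm_` prefix with external linkage, so the module exports an extra symbol in the namespace reserved for PAM callbacks; declaring it `static int pam_sm_session(` avoids that. The body of pam_sm_session continues in the following hunks.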
@@ -470,79 +478,38 @@ int pam_sm_open_session(
 if (rc != PAM_SUCCESS)
 return rc;
 
- rc = pam_get_item (pamh, PAM_SERVICE, (CONST_ARG void **) &svc);
- if (rc != PAM_SUCCESS)
- return rc;
-
- rc = pam_do_sess_o(ctx, svc, &err);
+ rc = pam_do_sess(pamh, ctx, action, &err);
 NSS2PAM_RC(rc, ignore_flags, PAM_SUCCESS);
- if (rc != PAM_SUCCESS && rc != PAM_IGNORE)
- pam_warn(appconv, "LDAP open_session failed", PAM_ERROR_MSG, no_warn);
 return rc;
 }
 
-static enum nss_status pam_do_sess_c(
- pld_ctx *ctx, const char *svc,int *errnop)
-{
- NSS_BYGEN(NSLCD_ACTION_PAM_SESS_C,
- WRITE_STRING(fp,ctx->user);
- WRITE_STRING(fp,ctx->dn);
- WRITE_STRING(fp,svc),
- NSS_STATUS_SUCCESS);
-}
-
-int pam_sm_close_session(
+int pam_sm_open_session(
 pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
- int rc, err;
- const char *username, *svc;
- int no_warn = 0, ignore_flags = 0;
- int i, success = PAM_SUCCESS;
+ int rc, no_warn = 0;
 struct pam_conv *appconv;
- pld_ctx *ctx = NULL;
-
- for (i = 0; i < argc; i++)
- {
- if (!strcmp (argv[i], "use_first_pass"))
- ;
- else if (!strcmp (argv[i], "try_first_pass"))
- ;
- else if (!strcmp (argv[i], "no_warn"))
- no_warn = 1;
- else if (!strcmp (argv[i], "ignore_unknown_user"))
- ignore_flags |= IGNORE_UNKNOWN;
- else if (!strcmp (argv[i], "ignore_authinfo_unavail"))
- ignore_flags |= IGNORE_UNAVAIL;
- else if (!strcmp (argv[i], "debug"))
- ;
- else
- syslog (LOG_ERR, "illegal option %s", argv[i]);
- }
-
- if (flags & PAM_SILENT)
- no_warn = 1;
 
 rc = pam_get_item (pamh, PAM_CONV, (CONST_ARG void **) &appconv);
 if (rc != PAM_SUCCESS)
 return rc;
 
- rc = pam_get_user (pamh, (CONST_ARG char **) &username, NULL);
- if (rc != PAM_SUCCESS)
- return rc;
-
- if (username == NULL)
- return PAM_USER_UNKNOWN;
+ rc = pam_sm_session(pamh,flags,argc,argv,NSLCD_ACTION_PAM_SESS_O,&no_warn);
+ if (rc != PAM_SUCCESS && rc != PAM_IGNORE)
+ pam_warn(appconv, "LDAP open_session failed", PAM_ERROR_MSG, no_warn);
+ return rc;
+}
 
- rc = pam_get_ctx(pamh, username, &ctx);
- if (rc != PAM_SUCCESS)
- return rc;
+int pam_sm_close_session(
+ pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+ int rc, no_warn = 0;;
+ struct pam_conv *appconv;
 
- rc = pam_get_item (pamh, PAM_SERVICE, (CONST_ARG void **) &svc);
+ rc = pam_get_item (pamh, PAM_CONV, (CONST_ARG void **) &appconv);
 if (rc != PAM_SUCCESS)
 return rc;
 
- rc = pam_do_sess_c(ctx, svc, &err);
- NSS2PAM_RC(rc, ignore_flags, PAM_SUCCESS);
+ rc = pam_sm_session(pamh,flags,argc,argv,NSLCD_ACTION_PAM_SESS_C,&no_warn);
 if (rc != PAM_SUCCESS && rc != PAM_IGNORE)
 pam_warn(appconv, "LDAP close_session failed", PAM_ERROR_MSG, no_warn);
 return rc;
diff --git a/contrib/slapd-modules/nssov/nssov.c b/contrib/slapd-modules/nssov/nssov.c
index bada9de3be..619d040b33 100644
--- a/contrib/slapd-modules/nssov/nssov.c
+++ b/contrib/slapd-modules/nssov/nssov.c
@@ -327,8 +327,8 @@ static void handleconnection(nssov_info *ni,int sock,Operation *op)
 case NSLCD_ACTION_SHADOW_ALL: if (uid==0) (void)nssov_shadow_all(ni,fp,op); break;
 case NSLCD_ACTION_PAM_AUTHC: (void)pam_authc(ni,fp,op); break;
 case NSLCD_ACTION_PAM_AUTHZ: (void)pam_authz(ni,fp,op); break;
- case NSLCD_ACTION_PAM_SESS_O: (void)pam_sess_o(ni,fp,op); break;
- case NSLCD_ACTION_PAM_SESS_C: (void)pam_sess_c(ni,fp,op); break;
+ case NSLCD_ACTION_PAM_SESS_O: if (uid==0) (void)pam_sess_o(ni,fp,op); break;
+ case NSLCD_ACTION_PAM_SESS_C: if (uid==0) (void)pam_sess_c(ni,fp,op); break;
 case NSLCD_ACTION_PAM_PWMOD: (void)pam_pwmod(ni,fp,op); break;
 default:
 Debug( LDAP_DEBUG_ANY,"nssov: invalid request id: %d",(int)action,0,0);
diff --git a/contrib/slapd-modules/nssov/pam.c b/contrib/slapd-modules/nssov/pam.c
index a960547fe0..0e2f3ffd0d 100644
--- a/contrib/slapd-modules/nssov/pam.c
+++ b/contrib/slapd-modules/nssov/pam.c
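Review bot: `int rc, no_warn = 0;;` in the new `pam_sm_close_session` carries a stray empty statement; it should read `int rc, no_warn = 0;`. The two wrappers are now identical apart from the action constant and the warning text, so the PAM_CONV lookup and the `pam_warn` call could move into `pam_sm_session` with the message passed as a parameter, leaving each entry point a one-line call; as written, a fix applied to one wrapper is easy to miss in the other. Both wrappers rely on `pam_sm_session` having already passed the nslcd status through `NSS2PAM_RC` with the caller's ignore flags, so PAM_IGNORE at the wrapper means "suppressed by module option"; a comment stating that on each wrapper would make the contract explicit. The start of pam_sm_session lies in an earlier hunk.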
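Review bot: The new `uid==0` gate on NSLCD_ACTION_PAM_SESS_O and NSLCD_ACTION_PAM_SESS_C drops the request without writing a reply or logging anything, mirroring the SHADOW_ALL case above it, so a non-root PAM stack that asks to record a session presumably sees a read error on the client with nothing in the server log to explain it. A trace line in the refused branch, e.g. `else Debug(LDAP_DEBUG_ANY,"nssov: pam_sess_o refused for uid %d\n",(int)uid,0,0);` (and the same for pam_sess_c), would make refused session requests observable to an operator. Restricting session bookkeeping to root callers is the right direction, since as far as this hunk shows any local peer of the socket could otherwise add or remove "logged in" values for a user; a comment at the case labels stating that intent, `/* session bookkeeping modifies the user's entry: root callers only, like SHADOW_ALL */`, would keep the check from being relaxed by accident. handleconnection begins outside the hunk.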
@@ -451,11 +451,14 @@ finish:
 
 int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op)
 {
- struct berval dn, uid, svc;
+ struct berval dn, uid, svc, tty, rhost, ruser;
 int32_t tmpint32;
 char dnc[1024];
 char svcc[256];
 char uidc[32];
+ char ttyc[32];
+ char rhostc[256];
+ char ruserc[32];
 
 READ_STRING_BUF2(fp,uidc,sizeof(uidc));
 uid.bv_val = uidc;
@@ -466,6 +469,15 @@ int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op)
 READ_STRING_BUF2(fp,svcc,sizeof(svcc));
 svc.bv_val = svcc;
 svc.bv_len = tmpint32;
+ READ_STRING_BUF2(fp,ttyc,sizeof(ttyc));
+ tty.bv_val = ttyc;
+ tty.bv_len = tmpint32;
+ READ_STRING_BUF2(fp,rhostc,sizeof(rhostc));
+ rhost.bv_val = rhostc;
+ rhost.bv_len = tmpint32;
+ READ_STRING_BUF2(fp,ruserc,sizeof(ruserc));
+ ruser.bv_val = ruserc;
+ ruser.bv_len = tmpint32;
 
 Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_o(%s)\n",dn.bv_val,0,0);
 
@@ -477,11 +489,14 @@ int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op)
 
 int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op)
 {
- struct berval dn, uid, svc;
+ struct berval dn, uid, svc, tty, rhost, ruser;
 int32_t tmpint32;
 char dnc[1024];
 char svcc[256];
 char uidc[32];
+ char ttyc[32];
+ char rhostc[256];
+ char ruserc[32];
 
 READ_STRING_BUF2(fp,uidc,sizeof(uidc));
 uid.bv_val = uidc;
@@ -492,6 +507,15 @@ int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op)
 READ_STRING_BUF2(fp,svcc,sizeof(svcc));
 svc.bv_val = svcc;
 svc.bv_len = tmpint32;
+ READ_STRING_BUF2(fp,ttyc,sizeof(ttyc));
+ tty.bv_val = ttyc;
+ tty.bv_len = tmpint32;
+ READ_STRING_BUF2(fp,rhostc,sizeof(rhostc));
+ rhost.bv_val = rhostc;
+ rhost.bv_len = tmpint32;
+ READ_STRING_BUF2(fp,ruserc,sizeof(ruserc));
+ ruser.bv_val = ruserc;
+ ruser.bv_len = tmpint32;
 
 Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_c(%s)\n",dn.bv_val,0,0);
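Review bot: `ttyc[32]` and `ruserc[32]` in `pam_sess_o` (and the identical declarations in the `pam_sess_c` hunk below) cap the tty and remote-user strings at 31 bytes plus terminator, while the client now forwards whatever the application stored in PAM_TTY and PAM_RUSER; whether an over-long value makes `READ_STRING_BUF2` fail the request or silently truncate is not visible here and decides whether these are protocol limits or a bounds problem, so it should be confirmed and recorded, e.g. `/* buffer sizes are protocol limits: READ_STRING_BUF2 must reject, not truncate, longer input */`. The three new values are read in both functions but not used anywhere in these hunks; if they are meant to become part of the "logged in" attribute value the README describes, they are application-supplied strings (PAM_RHOST and PAM_RUSER in particular originate from the remote side of a login) and should be treated as untrusted when that value is composed, and the README's format line, which this rendering has lost, should be updated in the same commit. A short comment above the new reads in both functions, `/* tty, rhost, ruser: optional PAM items, may arrive as empty strings */`, would document the expected shape for the next reader.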