From: Howard Chu
Date: Mon, 20 Apr 2009 03:18:34 +0000 (+0000)
Subject: sanity check for host_ad and svc_ad
X-Git-Tag: ACLCHECK_0~611
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=d17d30dc38d1aad44d1840a13678c1976d1ad5d7;p=openldap

sanity check for host_ad and svc_ad
---

diff --git a/contrib/slapd-modules/nssov/nssov.c b/contrib/slapd-modules/nssov/nssov.c
index b3e7d014be..1cbb28fcd4 100644
--- a/contrib/slapd-modules/nssov/nssov.c
+++ b/contrib/slapd-modules/nssov/nssov.c
@@ -642,6 +642,28 @@ nss_cf_gen(ConfigArgs *c)
 i = verbs_to_mask(c->argc, c->argv, pam_opts, &m);
 if (i == 0) {
 ni->ni_pam_opts = m;
+ if ((m & NI_PAM_USERHOST) && !nssov_pam_host_ad) {
+ const char *text;
+ i = slap_str2ad("host", &nssov_pam_host_ad, &text);
+ if (i != LDAP_SUCCESS) {
+ snprintf(c->cr_msg, sizeof(c->cr_msg),
+ "nssov: host attr unknown: %s", text);
+ Debug(LDAP_DEBUG_ANY,"%s\n",c->cr_msg,0,0);
+ rc = 1;
+ break;
+ }
+ }
+ if ((m & (NI_PAM_USERSVC|NI_PAM_HOSTSVC)) && !nssov_pam_svc_ad) {
+ const char *text;
+ i = slap_str2ad("authorizedService", &nssov_pam_svc_ad, &text);
+ if (i != LDAP_SUCCESS) {
+ snprintf(c->cr_msg, sizeof(c->cr_msg),
+ "nssov: authorizedService attr unknown: %s", text);
+ Debug(LDAP_DEBUG_ANY,"%s\n",c->cr_msg,0,0);
+ rc = 1;
+ break;
+ }
+ }
 } else {
 rc = 1;
 }
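Review bot: `ni->ni_pam_opts = m;` is stored before the two attribute lookups that follow it, so when slap_str2ad fails the directive is rejected with `rc = 1` but the new option bits have already taken effect; moving that assignment below both checks, as the last statement of the `i == 0` branch, keeps a rejected directive from being half applied (how much that matters depends on how the caller treats rc, which is outside the hunk). The resolve-and-report sequence is also written out twice here and twice more in the nssov_db_open hunk; a small static helper taking the attribute name and the global to fill would leave one copy, with one comment saying why db_open repeats the lookup (presumably because ni_pam_opts can also be set from the default configuration file read by nssov_cfg_init, declared in nssov.h). nss_cf_gen begins and ends outside the hunk.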
@@ -731,6 +753,28 @@ nssov_db_open(
 mi->mi_attrs[j].an_desc = NULL;
 }
 
+ /* Find host and authorizedService definitions */
+ if ((ni->ni_pam_opts & NI_PAM_USERHOST) && !nssov_pam_host_ad)
+ {
+ const char *text;
+ i = slap_str2ad("host", &nssov_pam_host_ad, &text);
+ if (i != LDAP_SUCCESS) {
+ Debug(LDAP_DEBUG_ANY,"nssov: host attr unknown: %s\n",
+ text, 0, 0 );
+ return -1;
+ }
+ }
+ if ((ni->ni_pam_opts & (NI_PAM_USERSVC|NI_PAM_HOSTSVC)) &&
+ !nssov_pam_svc_ad)
+ {
+ const char *text;
+ i = slap_str2ad("authorizedService", &nssov_pam_svc_ad, &text);
+ if (i != LDAP_SUCCESS) {
+ Debug(LDAP_DEBUG_ANY,"nssov: authorizedService attr unknown: %s\n",
+ text, 0, 0 );
+ return -1;
+ }
+ }
 if ( slapMode & SLAP_SERVER_MODE ) {
 /* create a socket */
 if ( (sock=socket(PF_UNIX,SOCK_STREAM,0))<0 )
diff --git a/contrib/slapd-modules/nssov/nssov.h b/contrib/slapd-modules/nssov/nssov.h
index 2f41b10bab..9c822d5e3c 100644
--- a/contrib/slapd-modules/nssov/nssov.h
+++ b/contrib/slapd-modules/nssov/nssov.h
@@ -74,8 +74,6 @@ typedef struct nssov_info
 AttributeDescription *ni_pam_template_ad;
 struct berval ni_pam_template;
 struct berval ni_pam_defhost;
- AttributeDescription *ni_pam_host_ad;
- AttributeDescription *ni_pam_svc_ad;
 } nssov_info;
 
 #define NI_PAM_USERHOST 1 /* old style host checking */
@@ -88,6 +86,9 @@ typedef struct nssov_info
 #define NI_PAM_OLD (NI_PAM_USERHOST|NI_PAM_USERSVC|NI_PAM_USERGRP)
 #define NI_PAM_NEW NI_PAM_HOSTSVC
 
+extern AttributeDescription *nssov_pam_host_ad;
+extern AttributeDescription *nssov_pam_svc_ad;
+
 /* Read the default configuration file. */
 void nssov_cfg_init(nssov_info *ni,const char *fname);
 
diff --git a/contrib/slapd-modules/nssov/pam.c b/contrib/slapd-modules/nssov/pam.c
index c2f950f579..d2cfcbc4df 100644
--- a/contrib/slapd-modules/nssov/pam.c
+++ b/contrib/slapd-modules/nssov/pam.c
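Review bot: The two new extern declarations carry no comment, although their contract is non-obvious: they start NULL and are filled lazily by the nssov.c hunks only when a PAM option that needs them is configured, which is why pam.c now tests them before use. A comment such as `/* Resolved from "host" / "authorizedService" by nss_cf_gen()/nssov_db_open(); NULL until a NI_PAM_* option needing them is set */` above the externs would make that visible at the declaration. The definitions of the two objects are not part of this diff; if they are not already present in nssov.c, these declarations refer to symbols nothing defines.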
@@ -248,9 +248,12 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 }
 
 /* See if they have access to the host and service */
- if (ni->ni_pam_opts & NI_PAM_HOSTSVC) {
+ if ((ni->ni_pam_opts & NI_PAM_HOSTSVC) && nssov_pam_svc_ad) {
 AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
 struct berval hostdn = BER_BVNULL;
+ struct berval odn = op->o_ndn;
+ op->o_dn = dn;
+ op->o_ndn = dn;
 {
 nssov_mapinfo *mi = &ni->ni_maps[NM_host];
 char fbuf[1024];
@@ -299,7 +302,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 op->o_tag = LDAP_REQ_COMPARE;
 op->o_req_dn = hostdn;
 op->o_req_ndn = hostdn;
- ava.aa_desc = ni->ni_pam_svc_ad;
+ ava.aa_desc = nssov_pam_svc_ad;
 ava.aa_value = svc;
 op->orc_ava = &ava;
 rc = op->o_bd->be_compare( op, &rs );
@@ -308,6 +311,8 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 rc = PAM_PERM_DENIED;
 goto finish;
 }
+ op->o_dn = odn;
+ op->o_ndn = odn;
 }
 
 /* See if they're a member of the group */
@@ -340,9 +345,9 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 goto finish;
 }
 }
- if (ni->ni_pam_opts & NI_PAM_USERHOST) {
- a = attr_find(e->e_attrs, ni->ni_pam_host_ad);
- if (!a || value_find_ex( ni->ni_pam_host_ad,
+ if ((ni->ni_pam_opts & NI_PAM_USERHOST) && nssov_pam_host_ad) {
+ a = attr_find(e->e_attrs, nssov_pam_host_ad);
+ if (!a || value_find_ex( nssov_pam_host_ad,
 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
 a->a_vals, &global_host_bv, op->o_tmpmemctx )) {
 rc = PAM_PERM_DENIED;
@@ -350,9 +355,9 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 goto finish;
 }
 }
- if (ni->ni_pam_opts & NI_PAM_USERSVC) {
- a = attr_find(e->e_attrs, ni->ni_pam_svc_ad);
- if (!a || value_find_ex( ni->ni_pam_svc_ad,
+ if ((ni->ni_pam_opts & NI_PAM_USERSVC) && nssov_pam_svc_ad) {
+ a = attr_find(e->e_attrs, nssov_pam_svc_ad);
+ if (!a || value_find_ex( nssov_pam_svc_ad,
 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
 a->a_vals, &svc, op->o_tmpmemctx )) {
 rc = PAM_PERM_DENIED;
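Review bot: The identity swap around the compare saves only `op->o_ndn` into `odn`, yet the third hunk restores both `op->o_dn` and `op->o_ndn` from it, so whenever the original `o_dn` differed from its normalized form it comes back as the normalized value. That restore also sits after the `rc = PAM_PERM_DENIED; goto finish;` exit in the same hunk (and after any other exits between these hunks), so on a denied compare the operation reaches `finish` still carrying `dn` as its requester identity. Save both values, `struct berval odn = op->o_dn, ondn = op->o_ndn;`, restore with `op->o_dn = odn; op->o_ndn = ondn;`, and place the restore where every exit from the NI_PAM_HOSTSVC block passes through it (the `finish` label is one candidate). What `dn` holds is not visible here, and pam_authz continues outside the hunk.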
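Review bot: The added `&& nssov_pam_host_ad` guard makes an unresolved attribute skip the check rather than fail it: if NI_PAM_USERHOST is configured but the descriptor is NULL, this block is bypassed and the function proceeds as though the host restriction had passed, so the check fails open. The `nssov_pam_svc_ad` guards in the first and fifth hunks behave the same way. The lookups added in nssov.c should make that state unreachable at runtime, but a fail-closed form costs one line, `if ((ni->ni_pam_opts & NI_PAM_USERHOST) && !nssov_pam_host_ad) { rc = PAM_PERM_DENIED; goto finish; }` ahead of this check, or at minimum a `Debug(LDAP_DEBUG_ANY, ...)` line recording that a configured check was skipped. pam_authz continues outside the hunk.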