From b3712e4fde272330cdc024c9bd71a381ef42150e Mon Sep 17 00:00:00 2001 From: Quanah Gibson-Mount Date: Thu, 15 Apr 2010 20:24:09 +0000 Subject: [PATCH] Fix pam_authz parameter input Lookup user DN in pam_authz if it was not provided Fix compare checking in pam_authz --- contrib/slapd-modules/nssov/pam.c | 62 ++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 21 deletions(-) diff --git a/contrib/slapd-modules/nssov/pam.c b/contrib/slapd-modules/nssov/pam.c index 09b8609980..b603e679dc 100644 --- a/contrib/slapd-modules/nssov/pam.c +++ b/contrib/slapd-modules/nssov/pam.c @@ -100,24 +100,17 @@ static int pam_bindcb( return LDAP_SUCCESS; } -int pam_do_bind(nssov_info *ni,TFILE *fp,Operation *op, +static int pam_uid2dn(nssov_info *ni, Operation *op, struct paminfo *pi) { - int rc; - slap_callback cb = {0}; - SlapReply rs = {REP_RESULT}; struct berval sdn; - pi->msg.bv_val = pi->pwd.bv_val; - pi->msg.bv_len = 0; - pi->authz = NSLCD_PAM_SUCCESS; BER_BVZERO(&pi->dn); if (!isvalidusername(&pi->uid)) { - Debug(LDAP_DEBUG_ANY,"nssov_pam_do_bind(%s): invalid user name\n", + Debug(LDAP_DEBUG_ANY,"nssov_pam_uid2dn(%s): invalid user name\n", pi->uid.bv_val,0,0); - rc = NSLCD_PAM_USER_UNKNOWN; - goto finish; + return NSLCD_PAM_USER_UNKNOWN; } if (ni->ni_pam_opts & NI_PAM_SASL2DN) { @@ -141,11 +134,26 @@ int pam_do_bind(nssov_info *ni,TFILE *fp,Operation *op, dnNormalize( 0, NULL, NULL, &sdn, &pi->dn, op->o_tmpmemctx ); } } - BER_BVZERO(&sdn); if (BER_BVISEMPTY(&pi->dn)) { - rc = NSLCD_PAM_USER_UNKNOWN; - goto finish; + return NSLCD_PAM_USER_UNKNOWN; } + return 0; +} + +int pam_do_bind(nssov_info *ni,TFILE *fp,Operation *op, + struct paminfo *pi) +{ + int rc; + slap_callback cb = {0}; + SlapReply rs = {REP_RESULT}; + + pi->msg.bv_val = pi->pwd.bv_val; + pi->msg.bv_len = 0; + pi->authz = NSLCD_PAM_SUCCESS; + BER_BVZERO(&pi->dn); + + rc = pam_uid2dn(ni, op, pi); + if (rc) goto finish; if (BER_BVISEMPTY(&pi->pwd)) { rc = NSLCD_PAM_IGNORE; @@ -245,6 +253,13 @@ static struct berval svcmsg = static struct berval uidmsg = BER_BVC("Access denied by UID check"); +static int pam_compare_cb(Operation *op, SlapReply *rs) +{ + if (rs->sr_err == LDAP_COMPARE_TRUE) + op->o_callback->sc_private = (void *)1; + return LDAP_SUCCESS; +} + int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) { struct berval dn, uid, svc, ruser, rhost, tty; @@ -271,22 +286,27 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) READ_STRING_BUF2(fp,svcc,sizeof(svcc)); svc.bv_val = svcc; svc.bv_len = tmpint32; - READ_STRING_BUF2(fp,svcc,sizeof(ruserc)); + READ_STRING_BUF2(fp,ruserc,sizeof(ruserc)); ruser.bv_val = ruserc; ruser.bv_len = tmpint32; - READ_STRING_BUF2(fp,svcc,sizeof(rhostc)); + READ_STRING_BUF2(fp,rhostc,sizeof(rhostc)); rhost.bv_val = rhostc; rhost.bv_len = tmpint32; - READ_STRING_BUF2(fp,svcc,sizeof(ttyc)); + READ_STRING_BUF2(fp,ttyc,sizeof(ttyc)); tty.bv_val = ttyc; tty.bv_len = tmpint32; Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(%s)\n",dn.bv_val,0,0); - /* We don't do authorization if they weren't authenticated by us */ + /* If we didn't do authc, we don't have a DN yet */ if (BER_BVISEMPTY(&dn)) { - rc = NSLCD_PAM_USER_UNKNOWN; - goto finish; + struct paminfo pi; + pi.uid = uid; + pi.svc = svc; + + rc = pam_uid2dn(ni, op, &pi); + if (rc) goto finish; + dn = pi.dn; } /* See if they have access to the host and service */ @@ -339,7 +359,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) } } - cb.sc_response = slap_null_cb; + cb.sc_response = pam_compare_cb; cb.sc_private = NULL; op->o_tag = LDAP_REQ_COMPARE; op->o_req_dn = hostdn; @@ -348,7 +368,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) ava.aa_value = svc; op->orc_ava = &ava; rc = op->o_bd->be_compare( op, &rs ); - if ( rs.sr_err != LDAP_COMPARE_TRUE ) { + if ( cb.sc_private == NULL ) { authzmsg = svcmsg; rc = NSLCD_PAM_PERM_DENIED; goto finish; -- 2.39.5