From dc277009e220e4b420c69ed1c0c4efa44539ff6c Mon Sep 17 00:00:00 2001
From: Ryan Tandy
Date: Wed, 7 Jan 2015 07:46:53 -0800
Subject: [PATCH] ITS#8097 nssov: update to protocol version 2

This updates nssov for the protocol changes in nss-pam-ldapd commits 5f55781 and 6a74d8d. The protocol was changed to network byte order, uid_t and gid_t were changed to int32_t, and the READ_TYPE and WRITE_TYPE macros were removed. The PAM protocol was restructured to drop the DN field and to use a common basic set of fields for all requests.
---
 contrib/slapd-modules/nssov/ether.c | 4 +-
 contrib/slapd-modules/nssov/group.c | 4 +-
 contrib/slapd-modules/nssov/nssov.c | 26 ++-
 contrib/slapd-modules/nssov/nssov.h | 61 ++++---
 contrib/slapd-modules/nssov/pam.c | 232 +++++++++++++--------------
 contrib/slapd-modules/nssov/passwd.c | 6 +-
 6 files changed, 168 insertions(+), 165 deletions(-)

diff --git a/contrib/slapd-modules/nssov/ether.c b/contrib/slapd-modules/nssov/ether.c
index 6af43ec88e..0cb85db830 100644
--- a/contrib/slapd-modules/nssov/ether.c
+++ b/contrib/slapd-modules/nssov/ether.c
@@ -59,7 +59,7 @@ NSSOV_CBPRIV(ether,
 tmpaddr.ether_addr_octet[3] = ao[3]; \
 tmpaddr.ether_addr_octet[4] = ao[4]; \
 tmpaddr.ether_addr_octet[5] = ao[5]; } \
- WRITE_TYPE(fp,tmpaddr,uint8_t[6]);
+ WRITE(fp,&tmpaddr,sizeof(uint8_t[6]));
 
 static int write_ether(nssov_ether_cbp *cbp,Entry *entry)
 {
@@ -141,7 +141,7 @@ NSSOV_HANDLE(
 struct berval filter = {sizeof(fbuf)};
 filter.bv_val = fbuf;
 BER_BVZERO(&cbp.name);
- READ_TYPE(fp,addr,uint8_t[6]);
+ READ(fp,&addr,sizeof(uint8_t[6]));
 cbp.addr.bv_len = snprintf(cbp.buf,sizeof(cbp.buf),
 "%x:%x:%x:%x:%x:%x",
 addr.ether_addr_octet[0], addr.ether_addr_octet[1],
diff --git a/contrib/slapd-modules/nssov/group.c b/contrib/slapd-modules/nssov/group.c
index fed9609b84..5de9aa484d 100644
--- a/contrib/slapd-modules/nssov/group.c
+++ b/contrib/slapd-modules/nssov/group.c
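Review bot: `WRITE(fp,&tmpaddr,sizeof(uint8_t[6]))` and `READ(fp,&addr,sizeof(uint8_t[6]))` restate the wire length as a separate type rather than deriving it from the object being transferred; since both hunks index the ether_addr_octet member of those objects, `sizeof(tmpaddr.ether_addr_octet)` and `sizeof(addr.ether_addr_octet)` tie the byte count to the struct and cannot drift from it. The macro body at the first hunk and the handler at the second both start outside the hunk.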
@@ -251,7 +251,7 @@ static int write_group(nssov_group_cbp *cbp,Entry *entry)
 WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN);
 WRITE_BERVAL(cbp->fp,&names[i]);
 WRITE_BERVAL(cbp->fp,&passwd);
- WRITE_TYPE(cbp->fp,gid,gid_t);
+ WRITE_INT32(cbp->fp,gid);
 /* write a list of values */
 WRITE_INT32(cbp->fp,nummembers);
 if (nummembers)
@@ -299,7 +299,7 @@ NSSOV_HANDLE(
 char fbuf[1024];
 struct berval filter = {sizeof(fbuf)};
 filter.bv_val = fbuf;
- READ_TYPE(fp,gid,gid_t);
+ READ_INT32(fp,gid);
 cbp.gidnum.bv_val = cbp.buf;
 cbp.gidnum.bv_len = snprintf(cbp.buf,sizeof(cbp.buf),"%d",gid);
 cbp.wantmembers = 1;
diff --git a/contrib/slapd-modules/nssov/nssov.c b/contrib/slapd-modules/nssov/nssov.c
index 05b6adc899..e55c0c351f 100644
--- a/contrib/slapd-modules/nssov/nssov.c
+++ b/contrib/slapd-modules/nssov/nssov.c
@@ -142,7 +142,7 @@ int write_address(TFILE *fp,struct berval *addr)
 /* write the address length */
 WRITE_INT32(fp,sizeof(struct in_addr));
 /* write the address itself (in network byte order) */
- WRITE_TYPE(fp,ipv4addr,struct in_addr);
+ WRITE(fp,&ipv4addr,sizeof(struct in_addr));
 }
 else if (inet_pton(AF_INET6,addr->bv_val,&ipv6addr)>0)
 {
@@ -151,7 +151,7 @@ int write_address(TFILE *fp,struct berval *addr)
 /* write the address length */
 WRITE_INT32(fp,sizeof(struct in6_addr));
 /* write the address itself (in network byte order) */
- WRITE_TYPE(fp,ipv6addr,struct in6_addr);
+ WRITE(fp,&ipv6addr,sizeof(struct in6_addr));
 }
 else
 {
@@ -240,14 +240,14 @@ static int read_header(TFILE *fp,int32_t *action)
 {
 int32_t tmpint32;
 /* read the protocol version */
- READ_TYPE(fp,tmpint32,int32_t);
+ READ_INT32(fp,tmpint32);
 if (tmpint32 != (int32_t)NSLCD_VERSION)
 {
 Debug( LDAP_DEBUG_TRACE,"nssov: wrong nslcd version id (%d)\n",(int)tmpint32,0,0);
 return -1;
 }
 /* read the request type */
- READ(fp,action,sizeof(int32_t));
+ READ_INT32(fp,*action);
 return 0;
 }
@@ -255,34 +255,30 @@ int nssov_config(nssov_info *ni,TFILE *fp,Operation *op)
 {
 int opt;
 int32_t tmpint32;
- struct berval *msg = BER_BVC("");
- int rc = NSLCD_PAM_SUCCESS;
 READ_INT32(fp,opt);
 Debug(LDAP_DEBUG_TRACE, "nssov_config (%d)\n",opt,0,0);
+ WRITE_INT32(fp,NSLCD_VERSION);
+ WRITE_INT32(fp,NSLCD_ACTION_CONFIG_GET);
+ WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
+
 switch (opt) {
 case NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE:
- /* request for pam password_prothibit_message */
+ /* request for pam password_prohibit_message */
 /* nssov_pam prohibits password */
 if (!BER_BVISEMPTY(&ni->ni_pam_password_prohibit_message)) {
 Debug(LDAP_DEBUG_TRACE,"nssov_config(): %s (%s)\n", "password_prohibit_message", ni->ni_pam_password_prohibit_message.bv_val,0);
- msg = &ni->ni_pam_password_prohibit_message;
- rc = NSLCD_PAM_PERM_DENIED;
+ WRITE_STRING(fp,ni->ni_pam_password_prohibit_message.bv_val);
 }
- /* fall through */
 default:
+ /* all other config options are ignored */
 break;
 }
-done:;
- WRITE_INT32(fp,NSLCD_VERSION);
- WRITE_INT32(fp,NSLCD_ACTION_CONFIG_GET);
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_BERVAL(fp,msg);
 WRITE_INT32(fp,NSLCD_RESULT_END);
 return 0;
 }
diff --git a/contrib/slapd-modules/nssov/nssov.h b/contrib/slapd-modules/nssov/nssov.h
index f13378e73b..eae55f7655 100644
--- a/contrib/slapd-modules/nssov/nssov.h
+++ b/contrib/slapd-modules/nssov/nssov.h
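Review bot: The config-get response now changes shape with configuration: NSLCD_RESULT_BEGIN is always emitted, but the string after it only when a prohibit message is configured, so a client that reads a string unconditionally after RESULT_BEGIN would consume the RESULT_END marker as a string length. I cannot see the client's reader from this hunk, so confirm against nslcd's handling of NSLCD_ACTION_CONFIG_GET; if it expects BEGIN to be followed by a string, either always write one (empty when unset) or move `WRITE_INT32(fp,NSLCD_RESULT_BEGIN);` inside the branch that writes the string. A one-line comment above the switch stating the intended layout, e.g. `/* response: RESULT_BEGIN [message] RESULT_END */`, would make that contract visible to the next reader.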
@@ -127,31 +127,42 @@ void nssov_cfg_init(nssov_info *ni,const char *fname); Debug(LDAP_DEBUG_ANY,"nssov: client supplied argument too large\n",0,0,0); \ return -1; -#define WRITE_BERVAL(fp,bv) \ - DEBUG_PRINT("WRITE_STRING: var="__STRING(bv)" string=\"%s\"",(bv)->bv_val); \ - if ((bv)==NULL) \ - { \ - WRITE_INT32(fp,0); \ - } \ - else \ - { \ - WRITE_INT32(fp,(bv)->bv_len); \ - if (tmpint32>0) \ - { WRITE(fp,(bv)->bv_val,tmpint32); } \ - } - -#define WRITE_BVARRAY(fp,arr) \ - /* first determine length of array */ \ - for (tmp3int32=0;(arr)[tmp3int32].bv_val!=NULL;tmp3int32++) \ - /*nothing*/ ; \ - /* write number of strings */ \ - DEBUG_PRINT("WRITE_BVARRAY: var="__STRING(arr)" num=%d",(int)tmp3int32); \ - WRITE_TYPE(fp,tmp3int32,int32_t); \ - /* write strings */ \ - for (tmp2int32=0;tmp2int32bv_val); \ + if ((bv) == NULL) \ + { \ + WRITE_INT32(fp, 0); \ + } \ + else \ + { \ + WRITE_INT32(fp, (bv)->bv_len); \ + tmpint32 = ntohl(tmpint32); \ + if (tmpint32 > 0) \ + { \ + WRITE(fp, (bv)->bv_val, tmpint32); \ + } \ + } \ + +#define WRITE_BVARRAY(fp, arr) \ + if ((arr) == NULL) \ + { \ + DEBUG_PRINT("WRITE_BVARRAY: var="__STRING(arr)" num=%d", 0); \ + WRITE_INT32(fp, 0); \ + } \ + else \ + { \ + /* first determine length of array */ \ + for (tmp3int32 = 0; (arr)[tmp3int32].bv_val != NULL; tmp3int32++) \ + /* nothing */ ; \ + /* write number of strings */ \ + DEBUG_PRINT("WRITE_BVARRAY: var="__STRING(arr)" num=%d", (int)tmp3int32); \ + WRITE_INT32(fp, tmp3int32); \ + /* write strings */ \ + for (tmp2int32 = 0; tmp2int32 < tmp3int32; tmp2int32++) \ + { \ + WRITE_BERVAL(fp, &(arr)[tmp2int32]); \ + } \ + } \ /* This tries to get the user password attribute from the entry. It will try to return an encrypted password as it is used in /etc/passwd, diff --git a/contrib/slapd-modules/nssov/pam.c b/contrib/slapd-modules/nssov/pam.c index 45302b55a8..c940538481 100644 --- a/contrib/slapd-modules/nssov/pam.c +++ b/contrib/slapd-modules/nssov/pam.c 
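Review bot: In the new WRITE_BERVAL, `tmpint32 = ntohl(tmpint32);` silently depends on WRITE_INT32 leaving the byte-swapped length in tmpint32 after it has written it; that coupling deserves a comment such as `/* WRITE_INT32 left htonl(bv_len) in tmpint32; restore host order for the byte count */` so a later change to WRITE_INT32 does not quietly break every string write. Both macros also end with a trailing `\` on their final `}` line, so each definition continues onto the following blank line; dropping that last backslash closes the macro explicitly and removes a fragile dependency on the blank line staying there. The removed side of this hunk appears truncated in the extraction (the old WRITE_BVARRAY loop header is fused into the new WRITE_BERVAL), so I reviewed only the added lines.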
@@ -26,6 +26,9 @@ struct paminfo {
 struct berval uid;
 struct berval dn;
 struct berval svc;
+ struct berval ruser;
+ struct berval rhost;
+ struct berval tty;
 struct berval pwd;
 int authz;
 struct berval msg;
@@ -155,7 +158,6 @@ int pam_do_bind(nssov_info *ni,TFILE *fp,Operation *op,
 if (!pi->ispwdmgr) {
- BER_BVZERO(&pi->dn);
 rc = pam_uid2dn(ni, op, pi);
 if (rc) goto finish;
@@ -213,24 +215,30 @@ int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 {
 int32_t tmpint32;
 int rc;
- slap_callback cb = {0};
- char dnc[1024];
 char uidc[32];
 char svcc[256];
+ char ruserc[32];
+ char rhostc[256];
+ char ttyc[256];
 char pwdc[256];
- struct berval sdn, dn;
 struct paminfo pi;
 READ_STRING(fp,uidc);
 pi.uid.bv_val = uidc;
 pi.uid.bv_len = tmpint32;
- READ_STRING(fp,dnc);
- pi.dn.bv_val = dnc;
- pi.dn.bv_len = tmpint32;
 READ_STRING(fp,svcc);
 pi.svc.bv_val = svcc;
 pi.svc.bv_len = tmpint32;
+ READ_STRING(fp,ruserc);
+ pi.ruser.bv_val = ruserc;
+ pi.ruser.bv_len = tmpint32;
+ READ_STRING(fp,rhostc);
+ pi.rhost.bv_val = rhostc;
+ pi.rhost.bv_len = tmpint32;
+ READ_STRING(fp,ttyc);
+ pi.tty.bv_val = ttyc;
+ pi.tty.bv_len = tmpint32;
 READ_STRING(fp,pwdc);
 pi.pwd.bv_val = pwdc;
 pi.pwd.bv_len = tmpint32;
@@ -238,6 +246,7 @@ int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(%s)\n",
 pi.uid.bv_val ? pi.uid.bv_val : "NULL",0,0);
 
+ BER_BVZERO(&pi.msg);
 pi.ispwdmgr = 0;
 /* if service is "passwd" and "nssov-pam-password-prohibit-message */
@@ -303,11 +312,11 @@ finish:
 WRITE_INT32(fp,NSLCD_VERSION);
 WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHC);
 WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_BERVAL(fp,&pi.uid);
- WRITE_BERVAL(fp,&pi.dn);
 WRITE_INT32(fp,rc);
+ WRITE_BERVAL(fp,&pi.uid);
 WRITE_INT32(fp,pi.authz); /* authz */
 WRITE_BERVAL(fp,&pi.msg); /* authzmsg */
+ WRITE_INT32(fp,NSLCD_RESULT_END);
 return 0;
 }
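Review bot: The three fields added to struct paminfo carry no comment, and since every PAM request in this patch now fills them a reader has to trace pam_authc to learn what they hold; `struct berval ruser; /* remote user name, as sent by the PAM client */`, `struct berval rhost; /* remote host, as sent by the PAM client */` and `struct berval tty; /* tty, as sent by the PAM client */` would do. In pam_authc the values are read into pi but nothing in the hunk uses them; if they are read only to keep the request stream in sync, a short comment on that READ_STRING block saying so would stop the next reader from looking for a consumer. pam_authc's body continues outside the hunk.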
@@ -329,52 +338,40 @@ static int pam_compare_cb(Operation *op, SlapReply *rs)
 int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 {
- struct berval dn, uid, svc, ruser, rhost, tty;
 struct berval authzmsg = BER_BVNULL;
 int32_t tmpint32;
- char dnc[1024];
 char uidc[32];
 char svcc[256];
 char ruserc[32];
 char rhostc[256];
 char ttyc[256];
 int rc;
+ struct paminfo pi;
 Entry *e = NULL;
 Attribute *a;
 slap_callback cb = {0};
 READ_STRING(fp,uidc);
- uid.bv_val = uidc;
- uid.bv_len = tmpint32;
- READ_STRING(fp,dnc);
- dn.bv_val = dnc;
- dn.bv_len = tmpint32;
+ pi.uid.bv_val = uidc;
+ pi.uid.bv_len = tmpint32;
 READ_STRING(fp,svcc);
- svc.bv_val = svcc;
- svc.bv_len = tmpint32;
+ pi.svc.bv_val = svcc;
+ pi.svc.bv_len = tmpint32;
 READ_STRING(fp,ruserc);
- ruser.bv_val = ruserc;
- ruser.bv_len = tmpint32;
+ pi.ruser.bv_val = ruserc;
+ pi.ruser.bv_len = tmpint32;
 READ_STRING(fp,rhostc);
- rhost.bv_val = rhostc;
- rhost.bv_len = tmpint32;
+ pi.rhost.bv_val = rhostc;
+ pi.rhost.bv_len = tmpint32;
 READ_STRING(fp,ttyc);
- tty.bv_val = ttyc;
- tty.bv_len = tmpint32;
-
- Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(%s)\n",
- dn.bv_val ? dn.bv_val : "NULL",0,0);
+ pi.tty.bv_val = ttyc;
+ pi.tty.bv_len = tmpint32;
- /* If we didn't do authc, we don't have a DN yet */
- if (BER_BVISEMPTY(&dn)) {
- struct paminfo pi;
- pi.uid = uid;
- pi.svc = svc;
+ rc = pam_uid2dn(ni, op, &pi);
+ if (rc) goto finish;
- rc = pam_uid2dn(ni, op, &pi);
- if (rc) goto finish;
- dn = pi.dn;
- }
+ Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(%s)\n",
+ pi.dn.bv_val ? pi.dn.bv_val : "NULL",0,0);
 /* See if they have access to the host and service */
 if ((ni->ni_pam_opts & NI_PAM_HOSTSVC) && nssov_pam_svc_ad) {
@@ -382,8 +379,8 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 struct berval hostdn = BER_BVNULL;
 struct berval odn = op->o_ndn;
 SlapReply rs = {REP_RESULT};
- op->o_dn = dn;
- op->o_ndn = dn;
+ op->o_dn = pi.dn;
+ op->o_ndn = pi.dn;
 {
 nssov_mapinfo *mi = &ni->ni_maps[NM_host];
 char fbuf[1024];
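Review bot: `struct paminfo pi;` is declared without an initialiser and only uid, svc, ruser, rhost and tty are assigned before `rc = pam_uid2dn(ni, op, &pi);`, so pi.dn, pi.pwd, pi.authz, pi.msg and pi.ispwdmgr hold indeterminate values at that call; if pam_uid2dn (outside this hunk) consults any of them, as pam_do_bind visibly does with ispwdmgr, the outcome depends on stack contents. `struct paminfo pi = {0};` at the declaration removes the question at no cost. pam_sess and pam_pwmod later in this patch declare pi the same way and would benefit from the same line. pam_authz's body continues past the end of this hunk.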
@@ -432,7 +429,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 op->o_req_dn = hostdn;
 op->o_req_ndn = hostdn;
 ava.aa_desc = nssov_pam_svc_ad;
- ava.aa_value = svc;
+ ava.aa_value = pi.svc;
 op->orc_ava = &ava;
 rc = op->o_bd->be_compare( op, &rs );
 if ( cb.sc_private == NULL ) {
@@ -457,7 +454,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 op->o_req_dn = ni->ni_pam_group_dn;
 op->o_req_ndn = ni->ni_pam_group_dn;
 ava.aa_desc = ni->ni_pam_group_ad;
- ava.aa_value = dn;
+ ava.aa_value = pi.dn;
 op->orc_ava = &ava;
 rc = op->o_bd->be_compare( op, &rs );
 if ( cb.sc_private == NULL ) {
@@ -471,7 +468,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 if ((ni->ni_pam_opts & (NI_PAM_USERHOST|NI_PAM_USERSVC)) || ni->ni_pam_template_ad || ni->ni_pam_min_uid || ni->ni_pam_max_uid ) {
- rc = be_entry_get_rw( op, &dn, NULL, NULL, 0, &e );
+ rc = be_entry_get_rw( op, &pi.dn, NULL, NULL, 0, &e );
 if (rc != LDAP_SUCCESS) {
 rc = NSLCD_PAM_USER_UNKNOWN;
 goto finish;
@@ -493,7 +490,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 if (!a || attr_valfind( a, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | SLAP_MR_VALUE_OF_SYNTAX,
- &svc, NULL, op->o_tmpmemctx )) {
+ &pi.svc, NULL, op->o_tmpmemctx )) {
 rc = NSLCD_PAM_PERM_DENIED;
 authzmsg = svcmsg;
 goto finish;
@@ -530,9 +527,9 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 if (ni->ni_pam_template_ad) {
 a = attr_find(e->e_attrs, ni->ni_pam_template_ad);
 if (a)
- uid = a->a_vals[0];
+ pi.uid = a->a_vals[0];
 else if (!BER_BVISEMPTY(&ni->ni_pam_template))
- uid = ni->ni_pam_template;
+ pi.uid = ni->ni_pam_template;
 }
 rc = NSLCD_PAM_SUCCESS;
@@ -540,10 +537,9 @@ finish:
 WRITE_INT32(fp,NSLCD_VERSION);
 WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHZ);
 WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_BERVAL(fp,&uid);
- WRITE_BERVAL(fp,&dn);
 WRITE_INT32(fp,rc);
 WRITE_BERVAL(fp,&authzmsg);
+ WRITE_INT32(fp,NSLCD_RESULT_END);
 if (e) {
 be_entry_release_r(op, e);
 }
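Review bot: With `WRITE_BERVAL(fp,&uid);` gone from the finish block, the assignments `pi.uid = a->a_vals[0];` and `pi.uid = ni->ni_pam_template;` in the template block look like dead stores: the authz response now carries only rc and authzmsg, and nothing in the hunks after them reads pi.uid. Unless code outside these hunks consumes pi.uid after that point, the template lookup can go, or a comment should say what it is kept for. The template value is in any case no longer returned to the client, which is a behavioural change the commit message does not mention.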
@@ -565,14 +561,14 @@ finish:
 static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action)
 {
- struct berval dn, uid, svc, tty, rhost, ruser;
 int32_t tmpint32;
- char dnc[1024];
 char svcc[256];
 char uidc[32];
 char ttyc[32];
 char rhostc[256];
 char ruserc[32];
+ char sessionID[64];
+ struct paminfo pi;
 slap_callback cb = {0};
 SlapReply rs = {REP_RESULT};
 char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE];
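Review bot: pam_sess keeps `char ttyc[32];` while pam_authc, pam_authz and pam_pwmod in this same patch declare `char ttyc[256];`, so a tty name that fits the other three handlers is presumably rejected here by READ_STRING's size check (the "client supplied argument too large" path visible at the top of the nssov.h hunk), failing session open and close for that login. Use `char ttyc[256];` for consistency. The added `char sessionID[64];` would also benefit from a comment stating its role, e.g. `/* session ID the client echoes back on SESS_C; see done: */`.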
@@ -580,38 +576,41 @@ static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action)
 time_t stamp;
 Modifications mod;
 int rc = 0;
- int sessionID = -1;
 READ_STRING(fp,uidc);
- uid.bv_val = uidc;
- uid.bv_len = tmpint32;
- READ_STRING(fp,dnc);
- dn.bv_val = dnc;
- dn.bv_len = tmpint32;
+ pi.uid.bv_val = uidc;
+ pi.uid.bv_len = tmpint32;
 READ_STRING(fp,svcc);
- svc.bv_val = svcc;
- svc.bv_len = tmpint32;
- READ_STRING(fp,ttyc);
- tty.bv_val = ttyc;
- tty.bv_len = tmpint32;
- READ_STRING(fp,rhostc);
- rhost.bv_val = rhostc;
- rhost.bv_len = tmpint32;
+ pi.svc.bv_val = svcc;
+ pi.svc.bv_len = tmpint32;
 READ_STRING(fp,ruserc);
- ruser.bv_val = ruserc;
- ruser.bv_len = tmpint32;
- READ_INT32(fp,stamp);
-
- Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(%s)\n",
- action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', dn.bv_val,0);
+ pi.ruser.bv_val = ruserc;
+ pi.ruser.bv_len = tmpint32;
+ READ_STRING(fp,rhostc);
+ pi.rhost.bv_val = rhostc;
+ pi.rhost.bv_len = tmpint32;
+ READ_STRING(fp,ttyc);
+ pi.tty.bv_val = ttyc;
+ pi.tty.bv_len = tmpint32;
- if (!dn.bv_len) {
- Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(): %s\n",
- action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', "null DN",0);
- rc = -1;
- goto done;
+ if (action==NSLCD_ACTION_PAM_SESS_O) {
+ slap_op_time( &op->o_time, &op->o_tincr );
+ timestamp.bv_len = sizeof(timebuf);
+ timestamp.bv_val = timebuf;
+ stamp = op->o_time;
+ slap_timestamp( &stamp, ×tamp );
+ } else {
+ READ_STRING(fp,sessionID);
+ timestamp.bv_val = sessionID;
+ timestamp.bv_len = tmpint32;
 }
+ rc = pam_uid2dn(ni, op, &pi);
+ if (rc) goto done;
+
+ Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(%s)\n",
+ action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', pi.dn.bv_val,0);
+
 if (!ni->ni_pam_sessions) {
 Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(): %s\n",
 action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c',
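Review bot: The dual role of `timestamp` in the new if/else is not explained: for NSLCD_ACTION_PAM_SESS_O it is minted here and written back to the client as the session identifier at done:, and for SESS_C it is whatever string the client returned in sessionID. A comment above the `if (action==NSLCD_ACTION_PAM_SESS_O) {` line, e.g. `/* SESS_O: generate a timestamp that doubles as the session ID we return; SESS_C: take the client's copy of it back */`, would spare the reader the trip to done:. Since the client-supplied value is later formatted into the loginStatus attribute value, it is worth saying in the same comment that READ_STRING's size check on sessionID is the only bound applied to it. pam_sess continues outside the hunk.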
@@ -623,9 +622,9 @@ static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action)
 {
 int i, found=0;
 for (i=0; !BER_BVISNULL(&ni->ni_pam_sessions[i]); i++) {
- if (ni->ni_pam_sessions[i].bv_len != svc.bv_len)
+ if (ni->ni_pam_sessions[i].bv_len != pi.svc.bv_len)
 continue;
- if (!strcasecmp(ni->ni_pam_sessions[i].bv_val, svc.bv_val)) {
+ if (!strcasecmp(ni->ni_pam_sessions[i].bv_val, pi.svc.bv_val)) {
 found = 1;
 break;
 }
@@ -634,24 +633,18 @@ static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action)
 Debug(LDAP_DEBUG_TRACE,
 "nssov_pam_sess_%c(): service(%s) not configured, ignored\n",
 action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c',
- svc.bv_val,0);
+ pi.svc.bv_val,0);
 rc = -1;
 goto done;
 }
 }
- slap_op_time( &op->o_time, &op->o_tincr );
- timestamp.bv_len = sizeof(timebuf);
- timestamp.bv_val = timebuf;
- if (action == NSLCD_ACTION_PAM_SESS_O )
- stamp = op->o_time;
- slap_timestamp( &stamp, ×tamp );
- bv[0].bv_len = timestamp.bv_len + global_host_bv.bv_len + svc.bv_len +
- tty.bv_len + ruser.bv_len + rhost.bv_len + STRLENOF(" (@)");
+ bv[0].bv_len = timestamp.bv_len + global_host_bv.bv_len + pi.svc.bv_len +
+ pi.tty.bv_len + pi.ruser.bv_len + pi.rhost.bv_len + STRLENOF(" (@)");
 bv[0].bv_val = op->o_tmpalloc( bv[0].bv_len+1, op->o_tmpmemctx );
 sprintf(bv[0].bv_val, "%s %s %s %s (%s@%s)",
- timestamp.bv_val, global_host_bv.bv_val, svc.bv_val, tty.bv_val,
- ruser.bv_val, rhost.bv_val);
+ timestamp.bv_val, global_host_bv.bv_val, pi.svc.bv_val, pi.tty.bv_val,
+ pi.ruser.bv_val, pi.rhost.bv_val);
 Debug(LDAP_DEBUG_TRACE,
 "nssov_pam_sess_%c(): loginStatus (%s) \n",
 action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', bv[0].bv_val,0);
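Review bot: The size computed for the loginStatus value does not obviously match the format string that fills it: `STRLENOF(" (@)")` adds 4 bytes, while `"%s %s %s %s (%s@%s)"` contributes seven literal characters (three separating spaces plus " (", "@" and ")"), so unless the literal really contains more whitespace than this extraction shows, sprintf writes three bytes beyond the bv_len+1 allocation. Whether or not the shortfall is real, the write should be bounded and the constant should be derived from the format, e.g. `+ 7 /* literal chars in "%s %s %s %s (%s@%s)" */` on the bv_len line and `snprintf(bv[0].bv_val, bv[0].bv_len+1, "%s %s %s %s (%s@%s)",` in place of the sprintf. pam_sess continues outside the hunk.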
@@ -674,8 +667,8 @@ static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action)
 op->o_ndn = op->o_bd->be_rootndn;
 op->orm_modlist = &mod;
 op->orm_no_opattrs = 1;
- op->o_req_dn = dn;
- op->o_req_ndn = dn;
+ op->o_req_dn = pi.dn;
+ op->o_req_ndn = pi.dn;
 if (op->o_bd->be_modify( op, &rs ) != LDAP_SUCCESS) {
 Debug(LDAP_DEBUG_TRACE,
 "nssov_pam_sess_%c(): modify op failed\n",
@@ -696,12 +689,13 @@ done:;
 "nssov_pam_sess_%c(): success\n",
 action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', 0,0);
- sessionID = op->o_time;
 }
 WRITE_INT32(fp,NSLCD_VERSION);
 WRITE_INT32(fp,action);
 WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_INT32(fp,sessionID);
+ if (action==NSLCD_ACTION_PAM_SESS_O)
+ WRITE_STRING(fp,timestamp.bv_val);
+ WRITE_INT32(fp,NSLCD_RESULT_END);
 return 0;
 }
@@ -719,23 +713,33 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 {
 struct berval npw;
 int32_t tmpint32;
- char dnc[1024];
 char uidc[32];
+ char svcc[256];
+ char ruserc[32];
+ char rhostc[256];
+ char ttyc[256];
+ int asroot;
 char opwc[256];
 char npwc[256];
- char svcc[256];
 struct paminfo pi;
 int rc;
 READ_STRING(fp,uidc);
 pi.uid.bv_val = uidc;
 pi.uid.bv_len = tmpint32;
- READ_STRING(fp,dnc);
- pi.dn.bv_val = dnc;
- pi.dn.bv_len = tmpint32;
 READ_STRING(fp,svcc);
 pi.svc.bv_val = svcc;
 pi.svc.bv_len = tmpint32;
+ READ_STRING(fp,ruserc);
+ pi.ruser.bv_val = svcc;
+ pi.ruser.bv_len = tmpint32;
+ READ_STRING(fp,rhostc);
+ pi.rhost.bv_val = svcc;
+ pi.rhost.bv_len = tmpint32;
+ READ_STRING(fp,ttyc);
+ pi.tty.bv_val = svcc;
+ pi.tty.bv_len = tmpint32;
+ READ_INT32(fp, asroot);
 READ_STRING(fp,opwc);
 pi.pwd.bv_val = opwc;
 pi.pwd.bv_len = tmpint32;
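Review bot: In the pam_pwmod hunk the new ruser, rhost and tty bervals point at the wrong buffer: `pi.ruser.bv_val = svcc;`, `pi.rhost.bv_val = svcc;` and `pi.tty.bv_val = svcc;` should be `pi.ruser.bv_val = ruserc;`, `pi.rhost.bv_val = rhostc;` and `pi.tty.bv_val = ttyc;`. As written each berval pairs the service buffer with the length of a different string, so any later length-driven use of them reads beyond what was actually written into svcc, and the three values the client sent are silently lost. pam_authc and pam_authz earlier in this patch have the correct pattern to copy from; pam_pwmod continues outside the hunk.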
@@ -743,9 +747,13 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 npw.bv_val = npwc;
 npw.bv_len = tmpint32;
 
- Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(%s), %s\n",
+ rc = pam_uid2dn(ni, op, &pi);
+ if (rc) goto done;
+
+ Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(%s), %s %s\n",
 pi.dn.bv_val ? pi.dn.bv_val : "NULL",
- pi.uid.bv_val ? pi.uid.bv_val : "NULL" ,0);
+ pi.uid.bv_val ? pi.uid.bv_val : "NULL",
+ asroot ? "as root" : "as user");
 BER_BVZERO(&pi.msg);
 pi.ispwdmgr = 0;
@@ -760,18 +768,14 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 goto done;
 }
 
- if (BER_BVISEMPTY(&pi.dn)) {
- /* should not be here at all, pam_authc() should have returned */
- /* error */
- Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(), %s\n",
- "prelim checking failed", 0, 0);
- ber_str2bv("no pwmod requesting dn", 0, 0, &pi.msg);
- rc = NSLCD_PAM_PERM_DENIED;
- goto done;
- }
-
- if (!BER_BVISEMPTY(&ni->ni_pam_pwdmgr_dn) &&
- !ber_bvcmp(&pi.dn, &ni->ni_pam_pwdmgr_dn)) {
+ if (asroot) {
+ if (BER_BVISEMPTY(&ni->ni_pam_pwdmgr_dn)) {
+ Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(), %s\n",
+ "pwdmgr not configured", 0, 0);
+ ber_str2bv("pwdmgr not configured", 0, 0, &pi.msg);
+ rc = NSLCD_PAM_PERM_DENIED;
+ goto done;
+ }
 if (calleruid != 0) {
 Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(): %s\n",
 "caller is not root", 0, 0);
@@ -779,14 +783,8 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 rc = NSLCD_PAM_PERM_DENIED;
 goto done;
 }
- /* root user requesting pwmod, convert uid to dn */
+ /* root user requesting pwmod */
 pi.ispwdmgr = 1;
- rc = pam_uid2dn(ni, op, &pi);
- if (rc) {
- ber_str2bv("unable to convert uid to dn", 0, 0, &pi.msg);
- rc = NSLCD_PAM_PERM_DENIED;
- goto done;
- }
 }
 if (!pi.ispwdmgr && BER_BVISEMPTY(&pi.pwd)) {
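Review bot: The new `rc = pam_uid2dn(ni, op, &pi); if (rc) goto done;` runs before `BER_BVZERO(&pi.msg);`, and the done: block in the next hunk writes `WRITE_BERVAL(fp,&pi.msg);`, so a failed uid lookup sends an uninitialised berval to the client. Move `BER_BVZERO(&pi.msg);` and `pi.ispwdmgr = 0;` above the pam_uid2dn call, or zero pi at its declaration. The removed code also set a "unable to convert uid to dn" message and mapped the failure to NSLCD_PAM_PERM_DENIED on that path; the new path forwards whatever pam_uid2dn returned with no message, which is only right if that value is already an NSLCD_PAM_* code, so confirm against pam_uid2dn, which is outside this hunk.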
@@ -847,8 +845,6 @@ done:;
 WRITE_INT32(fp,NSLCD_VERSION);
 WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD);
 WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_BERVAL(fp,&pi.uid);
- WRITE_BERVAL(fp,&pi.dn);
 WRITE_INT32(fp,rc);
 WRITE_BERVAL(fp,&pi.msg);
 return 0;
diff --git a/contrib/slapd-modules/nssov/passwd.c b/contrib/slapd-modules/nssov/passwd.c
index c92a7eee17..4e6a8c113d 100644
--- a/contrib/slapd-modules/nssov/passwd.c
+++ b/contrib/slapd-modules/nssov/passwd.c
@@ -378,8 +378,8 @@ static int write_passwd(nssov_passwd_cbp *cbp,Entry *entry)
 WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN);
 WRITE_BERVAL(cbp->fp,&names[i]);
 WRITE_BERVAL(cbp->fp,&passwd);
- WRITE_TYPE(cbp->fp,uid,uid_t);
- WRITE_TYPE(cbp->fp,gid,gid_t);
+ WRITE_INT32(cbp->fp,uid);
+ WRITE_INT32(cbp->fp,gid);
 WRITE_BERVAL(cbp->fp,&gecos);
 WRITE_BERVAL(cbp->fp,&homedir);
 WRITE_BERVAL(cbp->fp,&shell);
@@ -415,7 +415,7 @@ NSSOV_HANDLE(
 char fbuf[1024];
 struct berval filter = {sizeof(fbuf)};
 filter.bv_val = fbuf;
- READ_TYPE(fp,uid,uid_t);
+ READ_INT32(fp,uid);
 cbp.id.bv_val = cbp.buf;
 cbp.id.bv_len = snprintf(cbp.buf,sizeof(cbp.buf),"%d",uid);
 BER_BVZERO(&cbp.name);,
--
2.39.2
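Review bot: The pwmod response still ends with `WRITE_BERVAL(fp,&pi.msg); return 0;` and no `WRITE_INT32(fp,NSLCD_RESULT_END);`, while the authc, authz and session responses in this same patch all gained that trailer. I cannot see the client's reader from here, so if the protocol defines the pwmod reply without a terminator this is fine, but if the client reads RESULT_END it will block or misparse the next field; confirm against nslcd's pwmod reader and add `WRITE_INT32(fp,NSLCD_RESULT_END);` before the return if needed. The passwd.c hunks are straightforward type substitutions and raise nothing.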