authorArthur de Jong <arthur@arthurdejong.org>2012-08-14 19:34:41 +0000
committerArthur de Jong <arthur@arthurdejong.org>2012-08-14 19:34:41 +0000
commit1e97d8bee0dc35a9eba92bf59804fbbf675760a2 (patch)
treefbdd874ad1889d28a981297c56457e225bfa0af2
parent8c3489da26df9750cbfe4ad195a7d925711556b5 (diff)
introduce a sasl_canonicalize option that will now, by default, disable reverse host name lookups in OpenLDAP
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1733 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r--man/nslcd.conf.5.xml12
-rw-r--r--nslcd/cfg.c17
-rw-r--r--nslcd/cfg.h4
-rw-r--r--nslcd/myldap.c4
-rw-r--r--pynslcd/cfg.py11
-rwxr-xr-xpynslcd/pynslcd.py1
6 files changed, 49 insertions, 0 deletions
diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
index 4a3e442..a8b79b2 100644
--- a/man/nslcd.conf.5.xml
+++ b/man/nslcd.conf.5.xml
@@ -282,6 +282,18 @@
</listitem>
</varlistentry>
+ <varlistentry id="sasl_canonicalize">
+ <term><option>sasl_canonicalize</option> yes|no</term>
+ <listitem>
+ <para>
+ Determines whether the <acronym>LDAP</acronym> server host name should
+ be canonicalised. If this is set to yes the <acronym>LDAP</acronym>
+ library will do a reverse host name lookup.
+ By default <command>nslcd</command> disables this extra lookup.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect2>
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index bc57c6b..dd48b0e 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -111,6 +111,7 @@ static void cfg_defaults(struct ldap_config *cfg)
cfg->ldc_sasl_authcid=NULL;
cfg->ldc_sasl_authzid=NULL;
cfg->ldc_sasl_secprops=NULL;
+ cfg->ldc_sasl_canonicalize=0;
for (i=0;i<NSS_LDAP_CONFIG_MAX_BASES;i++)
cfg->ldc_bases[i]=NULL;
cfg->ldc_scope=LDAP_SCOPE_SUBTREE;
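Review bot: The new default `cfg->ldc_sasl_canonicalize=0;` is assigned unconditionally, but the member it writes is declared in cfg.h only inside `#ifdef LDAP_OPT_X_SASL_NOCANON`, so a build against an LDAP library whose headers lack that macro fails to compile here. Either wrap the assignment in the same `#ifdef LDAP_OPT_X_SASL_NOCANON` / `#endif` pair used for the parser branch in cfg_read, or drop the guard from the struct member so the field always exists and only the ldap_set_option call stays conditional. cfg_defaults begins and ends outside this hunk.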
@@ -990,6 +991,22 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_secprops);
get_eol(filename,lnr,keyword,&line);
}
+#ifdef LDAP_OPT_X_SASL_NOCANON
+ else if ( (strcasecmp(keyword,"sasl_canonicalize")==0) ||
+ (strcasecmp(keyword,"sasl_canonicalise")==0) ||
+ (strcasecmp(keyword,"ldap_sasl_canonicalize")==0) ||
+ (strcasecmp(keyword,"sasl_canon")==0) )
+ {
+ get_boolean(filename,lnr,keyword,&line,&cfg->ldc_sasl_canonicalize);
+ get_eol(filename,lnr,keyword,&line);
+ }
+ else if (strcasecmp(keyword,"sasl_nocanon")==0)
+ {
+ get_boolean(filename,lnr,keyword,&line,&cfg->ldc_sasl_canonicalize);
+ cfg->ldc_sasl_canonicalize=!cfg->ldc_sasl_canonicalize;
+ get_eol(filename,lnr,keyword,&line);
+ }
+#endif /* LDAP_OPT_X_SASL_NOCANON */
/* Kerberos authentication options */
else if (strcasecmp(keyword,"krb5_ccname")==0)
{
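Review bot: The `sasl_nocanon` branch silently inverts the parsed boolean and stores it under the `sasl_canonicalize` meaning, which is easy to misread a few lines away from the positive spellings; a one-line comment above it such as `/* sasl_nocanon is the inverse of sasl_canonicalize (OpenLDAP ldap.conf spelling) */` would make the intent explicit. The aliases accepted here (`sasl_canonicalise`, `ldap_sasl_canonicalize`, `sasl_canon`, `sasl_nocanon`) are not mentioned in the man-page hunk, so a reader of the manual cannot tell they are supported. When LDAP_OPT_X_SASL_NOCANON is not defined these keywords presumably fall through to whatever cfg_read does for unknown keywords, which is worth stating in a comment on the `#endif`. cfg_read continues outside this hunk.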
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index ebdd95a..ccbad37 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -115,6 +115,10 @@ struct ldap_config
char *ldc_sasl_authzid;
/* sasl security */
char *ldc_sasl_secprops;
+#ifdef LDAP_OPT_X_SASL_NOCANON
+ /* whether host name should be canonicalised */
+ int ldc_sasl_canonicalize;
+#endif /* LDAP_OPT_X_SASL_NOCANON */
/* base DN, eg. dc=gnu,dc=org */
const char *ldc_bases[NSS_LDAP_CONFIG_MAX_BASES];
/* scope for searches */
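Review bot: The comment on `ldc_sasl_canonicalize` says only "whether host name should be canonicalised" and does not say which value is the default or what it maps to; the consumer in myldap.c sets LDAP_OPT_X_SASL_NOCANON when the field is zero, so a fuller comment such as `/* non-zero lets libldap canonicalise the server host name via a reverse lookup before SASL; zero (the default) sets LDAP_OPT_X_SASL_NOCANON */` would let a maintainer read the field without opening the other files. Guarding the member itself with `#ifdef LDAP_OPT_X_SASL_NOCANON` also makes the layout of `struct ldap_config` depend on the LDAP headers, which is fragile for code that initialises the struct unconditionally. The struct definition starts before this hunk.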
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 3e03648..e7132b0 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -639,6 +639,10 @@ static int do_set_options(MYLDAP_SESSION *session)
LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS,&i);
}
#endif /* LDAP_OPT_X_TLS */
+#ifdef LDAP_OPT_X_SASL_NOCANON
+ log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_SASL_NOCANON,%s)",nslcd_cfg->ldc_sasl_canonicalize?"LDAP_OPT_OFF":"LDAP_OPT_ON");
+ LDAP_SET_OPTION(session->ld,LDAP_OPT_X_SASL_NOCANON,nslcd_cfg->ldc_sasl_canonicalize?LDAP_OPT_OFF:LDAP_OPT_ON);
+#endif /* LDAP_OPT_X_SASL_NOCANON */
/* if nothing above failed, everything should be fine */
return LDAP_SUCCESS;
}
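Review bot: The new LDAP_SET_OPTION call passes `LDAP_OPT_OFF`/`LDAP_OPT_ON` directly, whereas the LDAP_OPT_X_TLS call just above passes `&i`; a short comment such as `/* LDAP_OPT_ON/LDAP_OPT_OFF are pointer-valued constants in OpenLDAP, so they are passed as-is rather than by address */` would stop the next reader from "fixing" it to `&`. With canonicalisation off, the name the SASL layer uses is presumably the host name as written in the configured URI rather than the result of a reverse lookup, which is the safer default against DNS-controlled redirection but means the configured name must be the one the server's credentials are issued for; that trade-off deserves a sentence in the comment or the man page. do_set_options begins outside this hunk.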
diff --git a/pynslcd/cfg.py b/pynslcd/cfg.py
index 95995e1..ecc7ef1 100644
--- a/pynslcd/cfg.py
+++ b/pynslcd/cfg.py
@@ -52,6 +52,7 @@ sasl_realm = None
sasl_authcid = None
sasl_authzid = None
sasl_secprops = None
+sasl_canonicalize = False
# LDAP bases to search
bases = []
@@ -266,6 +267,16 @@ def read(filename):
global ssl
ssl = _ssl_options[m.group('value').lower()]
continue
+ # sasl_canonicalize yes|no
+ m = re.match('(ldap_?)?sasl_(?P<no>no)?canon(icali[sz]e)?\s+(?P<value>%s)' %
+ '|'.join(_boolean_options.keys()),
+ line, re.IGNORECASE)
+ if m:
+ global sasl_canonicalize
+ sasl_canonicalize = _boolean_options[m.group('value').lower()]
+ if m.group('no'):
+ sasl_canonicalize = not sasl_canonicalize
+ continue
# tls_reqcert <demand|hard|yes...>
m = re.match('tls_reqcert\s+(?P<value>%s)' %
'|'.join(_tls_reqcert_options.keys()),
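Review bot: The pattern `(ldap_?)?sasl_(?P<no>no)?canon(icali[sz]e)?` accepts spellings the C parser in cfg.c rejects, for example `ldapsasl_canon` (because the underscore after `ldap` is optional) and `sasl_nocanonicalise`, so the same nslcd.conf can be valid for pynslcd and an error for nslcd. Tightening it to `(ldap_)?sasl_(?P<no>no)?canon(icali[sz]e)?\s+(?P<value>%s)` removes the odd `ldapsasl_` form; matching the C keyword list exactly would need the spellings enumerated, which is worth a comment either way. Like the neighbouring options the pattern is not anchored at the end, so trailing text after the value is ignored rather than rejected; that is consistent with the file but differs from the C parser's get_eol check. The read() function continues outside this hunk.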
diff --git a/pynslcd/pynslcd.py b/pynslcd/pynslcd.py
index 42dfb90..aba9b4b 100755
--- a/pynslcd/pynslcd.py
+++ b/pynslcd/pynslcd.py
@@ -248,6 +248,7 @@ def get_connection():
session.set_option(ldap.OPT_NETWORK_TIMEOUT, cfg.timelimit)
if cfg.referrals:
session.set_option(ldap.OPT_REFERRALS, cfg.referrals)
+ session.set_option(ldap.OPT_X_SASL_NOCANON, not cfg.sasl_canonicalize)
session.set_option(ldap.OPT_RESTART, True)
# TODO: register a connection callback (like dis?connect_cb() in myldap.c)
if cfg.ssl or cfg.uri.startswith('ldaps://'):
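Review bot: `session.set_option(ldap.OPT_X_SASL_NOCANON, not cfg.sasl_canonicalize)` is unconditional, unlike the C side which compiles the call only under `#ifdef LDAP_OPT_X_SASL_NOCANON`, so on a python-ldap build that does not expose that constant get_connection raises AttributeError for every connection attempt. Guarding it as `if hasattr(ldap, 'OPT_X_SASL_NOCANON'):` followed by the existing call on the next line keeps pynslcd usable there, and a comment noting that the default (`sasl_canonicalize = False`) turns the option on would match the C behaviour documented in the man page. get_connection starts before and continues after this hunk.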