author | Arthur de Jong <arthur@arthurdejong.org> | 2012-08-14 19:34:41 +0000 |
---|---|---|
committer | Arthur de Jong <arthur@arthurdejong.org> | 2012-08-14 19:34:41 +0000 |
commit | 1e97d8bee0dc35a9eba92bf59804fbbf675760a2 (patch) | |
tree | fbdd874ad1889d28a981297c56457e225bfa0af2 | |
parent | 8c3489da26df9750cbfe4ad195a7d925711556b5 (diff) |
introduce a sasl_canonicalize option that will now, by default, disable reverse host name lookups in OpenLDAP
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1733 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r-- | man/nslcd.conf.5.xml | 12 | ||||
-rw-r--r-- | nslcd/cfg.c | 17 | ||||
-rw-r--r-- | nslcd/cfg.h | 4 | ||||
-rw-r--r-- | nslcd/myldap.c | 4 | ||||
-rw-r--r-- | pynslcd/cfg.py | 11 | ||||
-rwxr-xr-x | pynslcd/pynslcd.py | 1 |
6 files changed, 49 insertions, 0 deletions
diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
index 4a3e442..a8b79b2 100644
--- a/man/nslcd.conf.5.xml
+++ b/man/nslcd.conf.5.xml
@@ -282,6 +282,18 @@
 </listitem>
 </varlistentry>
+ <varlistentry id="sasl_canonicalize">
+ <term><option>sasl_canonicalize</option> yes|no</term>
+ <listitem>
+ <para>
+ Determines whether the <acronym>LDAP</acronym> server host name should
+ be canonicalised. If this is set to yes the <acronym>LDAP</acronym>
+ library will do a reverse host name lookup.
+ By default <command>nslcd</command> disables this extra lookup.
+ </para>
+ </listitem>
+ </varlistentry>
+
 </variablelist>
 </refsect2>
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index bc57c6b..dd48b0e 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -111,6 +111,7 @@ static void cfg_defaults(struct ldap_config *cfg)
 cfg->ldc_sasl_authcid=NULL;
 cfg->ldc_sasl_authzid=NULL;
 cfg->ldc_sasl_secprops=NULL;
+ cfg->ldc_sasl_canonicalize=0;
 for (i=0;i<NSS_LDAP_CONFIG_MAX_BASES;i++)
 cfg->ldc_bases[i]=NULL;
 cfg->ldc_scope=LDAP_SCOPE_SUBTREE;
@@ -990,6 +991,22 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
 get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_secprops);
 get_eol(filename,lnr,keyword,&line);
 }
+#ifdef LDAP_OPT_X_SASL_NOCANON
+ else if ( (strcasecmp(keyword,"sasl_canonicalize")==0) ||
+ (strcasecmp(keyword,"sasl_canonicalise")==0) ||
+ (strcasecmp(keyword,"ldap_sasl_canonicalize")==0) ||
+ (strcasecmp(keyword,"sasl_canon")==0) )
+ {
+ get_boolean(filename,lnr,keyword,&line,&cfg->ldc_sasl_canonicalize);
+ get_eol(filename,lnr,keyword,&line);
+ }
+ else if (strcasecmp(keyword,"sasl_nocanon")==0)
+ {
+ get_boolean(filename,lnr,keyword,&line,&cfg->ldc_sasl_canonicalize);
+ cfg->ldc_sasl_canonicalize=!cfg->ldc_sasl_canonicalize;
+ get_eol(filename,lnr,keyword,&line);
+ }
+#endif /* LDAP_OPT_X_SASL_NOCANON */
 /* Kerberos authentication options */
 else if (strcasecmp(keyword,"krb5_ccname")==0)
 {
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index ebdd95a..ccbad37 100644
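Review bot: The new `sasl_canonicalize` keyword family in cfg_read() is only recognised when `LDAP_OPT_X_SASL_NOCANON` is defined, so a nslcd.conf that sets it on a build against a libldap without that option presumably falls through to whatever the end of this keyword chain does with unknown keywords (outside the hunk), and the same configuration file would then be accepted on one host and rejected on another with no hint why. An `#else` branch matching the same spellings and reporting that the option is unsupported by this LDAP library, e.g. `log_log(LOG_ERR,"%s:%d: option %s is not supported by the LDAP library",filename,lnr,keyword);` followed by the file's usual failure path, would give administrators a clear diagnostic. The `sasl_nocanon` alias correctly inverts the parsed boolean, but that deserves a one-line comment such as `/* sasl_nocanon is the inverse of sasl_canonicalize */` next to the negation. cfg_read() starts and ends outside the hunk.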
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -115,6 +115,10 @@ struct ldap_config
 char *ldc_sasl_authzid;
 /* sasl security */
 char *ldc_sasl_secprops;
+#ifdef LDAP_OPT_X_SASL_NOCANON
+ /* whether host name should be canonicalised */
+ int ldc_sasl_canonicalize;
+#endif /* LDAP_OPT_X_SASL_NOCANON */
 /* base DN, eg. dc=gnu,dc=org */
 const char *ldc_bases[NSS_LDAP_CONFIG_MAX_BASES];
 /* scope for searches */
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 3e03648..e7132b0 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -639,6 +639,10 @@ static int do_set_options(MYLDAP_SESSION *session)
 LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS,&i);
 }
 #endif /* LDAP_OPT_X_TLS */
+#ifdef LDAP_OPT_X_SASL_NOCANON
+ log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_SASL_NOCANON,%s)",nslcd_cfg->ldc_sasl_canonicalize?"LDAP_OPT_OFF":"LDAP_OPT_ON");
+ LDAP_SET_OPTION(session->ld,LDAP_OPT_X_SASL_NOCANON,nslcd_cfg->ldc_sasl_canonicalize?LDAP_OPT_OFF:LDAP_OPT_ON);
+#endif /* LDAP_OPT_X_SASL_NOCANON */
 /* if nothing above failed, everything should be fine */
 return LDAP_SUCCESS;
 }
diff --git a/pynslcd/cfg.py b/pynslcd/cfg.py
index 95995e1..ecc7ef1 100644
--- a/pynslcd/cfg.py
+++ b/pynslcd/cfg.py
@@ -52,6 +52,7 @@ sasl_realm = None
 sasl_authcid = None
 sasl_authzid = None
 sasl_secprops = None
+sasl_canonicalize = False
 # LDAP bases to search
 bases = []
@@ -266,6 +267,16 @@ def read(filename):
 global ssl
 ssl = _ssl_options[m.group('value').lower()]
 continue
+ # sasl_canonicalize yes|no
+ m = re.match('(ldap_?)?sasl_(?P<no>no)?canon(icali[sz]e)?\s+(?P<value>%s)' %
+ '|'.join(_boolean_options.keys()),
+ line, re.IGNORECASE)
+ if m:
+ global sasl_canonicalize
+ sasl_canonicalize = _boolean_options[m.group('value').lower()]
+ if m.group('no'):
+ sasl_canonicalize = not sasl_canonicalize
+ continue
 # tls_reqcert <demand|hard|yes...>
 m = re.match('tls_reqcert\s+(?P<value>%s)' %
 '|'.join(_tls_reqcert_options.keys()),
diff --git a/pynslcd/pynslcd.py b/pynslcd/pynslcd.py
index 42dfb90..aba9b4b 100755
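Review bot: The new `LDAP_OPT_X_SASL_NOCANON` block in do_set_options() sets a security-relevant default without saying why, and the reason is not obvious from the option name alone: as the man page entry in this commit describes, canonicalisation makes the library do a reverse host name lookup, so with it disabled the SASL target name is taken from the configured server host name rather than from whatever that DNS lookup returns. A comment above the `log_log()` call such as `/* reverse lookups are off by default so the SASL target name comes from the configured host name, not from a DNS answer */` would record that intent for the next maintainer. The debug message logs the value actually passed (`LDAP_OPT_OFF` when canonicalisation is requested), which reads inverted beside the option name but is correct because the option is NOCANON. do_set_options() starts outside the hunk.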
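Review bot: The regular expression added to read() accepts more spellings than nslcd/cfg.c does in this same commit: `(ldap_?)?sasl_(?P<no>no)?canon(icali[sz]e)?` also matches `ldapsasl_canon`, `sasl_nocanonicalize` and `ldap_sasl_nocanon`, none of which the C parser recognises, so one nslcd.conf can parse differently under the two daemons. Spelling the accepted keywords out as an explicit alternation, e.g. `(sasl_canonicali[sz]e|ldap_sasl_canonicalize|sasl_canon|sasl_(?P<no>no)canon)\s+(?P<value>%s)`, keeps the two implementations in step while still setting the `no` group for the inverted form. The pattern is a non-raw string containing `\s`, which works but is fragile under stricter escape handling; the neighbouring patterns share that style, so it is at least consistent. read() starts and ends outside the hunk.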
--- a/pynslcd/pynslcd.py
+++ b/pynslcd/pynslcd.py
@@ -248,6 +248,7 @@ def get_connection():
 session.set_option(ldap.OPT_NETWORK_TIMEOUT, cfg.timelimit)
 if cfg.referrals:
 session.set_option(ldap.OPT_REFERRALS, cfg.referrals)
+ session.set_option(ldap.OPT_X_SASL_NOCANON, not cfg.sasl_canonicalize)
 session.set_option(ldap.OPT_RESTART, True)
 # TODO: register a connection callback (like dis?connect_cb() in myldap.c)
 if cfg.ssl or cfg.uri.startswith('ldaps://'): |
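Review bot: `session.set_option(ldap.OPT_X_SASL_NOCANON, not cfg.sasl_canonicalize)` is called unconditionally, whereas the C side of this commit (nslcd/myldap.c) only sets the option when the LDAP library defines it; a python-ldap built against an OpenLDAP that lacks the option presumably does not export that constant, in which case get_connection() would raise AttributeError on every connection attempt rather than falling back to the library default. Guarding the call with `if hasattr(ldap, 'OPT_X_SASL_NOCANON'):` and indenting the `session.set_option(...)` line under it mirrors the `#ifdef` and keeps the connection path working on such builds. get_connection() starts and ends outside the hunk.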