authorArthur de Jong <arthur@arthurdejong.org>2007-09-15 14:42:52 +0000
committerArthur de Jong <arthur@arthurdejong.org>2007-09-15 14:42:52 +0000
commit674276efcf15d9af7892c49db5b9891c03ae6ef7 (patch)
tree66cf5389ce9a68852c26eca977be018a1e001dba
parent6ce816453782882018a901eed4c4f74a9d6ee0d3 (diff)
remove support for nested groups and use of uniqueMember and member attributes as well as memberOf attribute (this removes quite some functionality but helps us in refactoring because the code was one big exception to all the other modules)
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-ldapd@407 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r--nslcd/attmap.c2
-rw-r--r--nslcd/attmap.h2
-rw-r--r--nslcd/cfg.c13
-rw-r--r--nslcd/cfg.h3
-rw-r--r--nslcd/common.h3
-rw-r--r--nslcd/group.c959
-rw-r--r--nslcd/ldap-nss.c49
-rw-r--r--nslcd/ldap-nss.h20
-rw-r--r--nslcd/passwd.c21
9 files changed, 25 insertions, 1047 deletions
diff --git a/nslcd/attmap.c b/nslcd/attmap.c
index 4f9222c..c39283c 100644
--- a/nslcd/attmap.c
+++ b/nslcd/attmap.c
@@ -146,8 +146,10 @@ const char **attmap_get_var(enum ldap_map_selector map,const char *name)
if (strcasecmp(name,"userPassword")==0) return &attmap_group_userPassword;
if (strcasecmp(name,"gidNumber")==0) return &attmap_group_gidNumber;
if (strcasecmp(name,"memberUid")==0) return &attmap_group_memberUid;
+/*
if (strcasecmp(name,"uniqueMember")==0) return &attmap_group_uniqueMember;
if (strcasecmp(name,"memberOf")==0) return &attmap_group_memberOf;
+*/
}
else if (map==LM_HOSTS)
{
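Review bot: The uniqueMember and memberOf branches of attmap_get_var are commented out with `/* */` instead of being deleted, which leaves dead code that the compiler never checks and that drifts out of date; the same pattern appears in attmap.h, in group.c's attmap_group_uniqueMember/attmap_group_memberOf definitions and in the `/* group_attrs[4]=attmap_group_uniqueMember; */` line in group_init. Since version control keeps the old code, delete the lines outright, or if they are a placeholder for a later release replace each commented block with a one-line `/* TODO: uniqueMember and memberOf mappings removed pending support for DN-valued members */`. A caller asking for `uniqueMember` now falls through to whatever attmap_get_var returns for unknown names, which lies outside the hunk and is worth checking against the config parser's expectations.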
diff --git a/nslcd/attmap.h b/nslcd/attmap.h
index 6ba4287..2132cfb 100644
--- a/nslcd/attmap.h
+++ b/nslcd/attmap.h
@@ -34,8 +34,10 @@ extern const char *attmap_group_cn;
extern const char *attmap_group_userPassword;
extern const char *attmap_group_gidNumber;
extern const char *attmap_group_memberUid;
+/*
extern const char *attmap_group_uniqueMember;
extern const char *attmap_group_memberOf;
+*/
extern const char *attmap_host_cn;
extern const char *attmap_host_ipHostNumber;
extern const char *attmap_netgroup_cn;
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index f700df6..c2fe8f6 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -637,19 +637,6 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
check_argumentcount(filename,lnr,opts[0],nopts==2);
cfg->ldc_pagesize=atoi(opts[1]);
}
- else if (strcasecmp(opts[0],"nss_schema")==0)
- {
- check_argumentcount(filename,lnr,opts[0],nopts==2);
- if (strcasecmp(opts[1],"rfc2307bis")==0)
- cfg->ldc_flags|=NSS_LDAP_FLAGS_RFC2307BIS;
- else if (strcasecmp(opts[1],"rfc2307")==0)
- cfg->ldc_flags&=~(NSS_LDAP_FLAGS_RFC2307BIS);
- else
- {
- log_log(LOG_ERR,"%s:%d: wrong argument: '%s'",filename,lnr,opts[1]);
- exit(EXIT_FAILURE);
- }
- }
/* undocumented options */
else if (strcasecmp(opts[0],"nss_reconnect_tries")==0)
{
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 05cc77f..4d308ba 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -117,7 +117,7 @@ struct ldap_config
int ldc_bind_timelimit;
/* reconnect policy */
enum ldap_reconnect_policy ldc_reconnect_pol;
- /* for nss_connect_policy and nss_schema */
+ /* for nss_connect_policy */
unsigned int ldc_flags;
/* idle timeout */
time_t ldc_idle_timelimit;
@@ -166,7 +166,6 @@ extern struct ldap_config *nslcd_cfg;
/*
* Flags that are exposed via _nss_ldap_test_config_flag()
*/
-#define NSS_LDAP_FLAGS_RFC2307BIS 0x0004
#define NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT 0x0008
int _nss_ldap_test_config_flag(unsigned int flag)
diff --git a/nslcd/common.h b/nslcd/common.h
index 00dd697..280e292 100644
--- a/nslcd/common.h
+++ b/nslcd/common.h
@@ -85,7 +85,4 @@ int nslcd_service_all(TFILE *fp,MYLDAP_SESSION *session);
int nslcd_shadow_byname(TFILE *fp,MYLDAP_SESSION *session);
int nslcd_shadow_all(TFILE *fp,MYLDAP_SESSION *session);
-/* Note that our caller has to free the returned value with ldap_free() */
-char *passwd_username2dn(MYLDAP_SESSION *session,const char *username);
-
#endif /* not _SERVER_COMMON_H */
diff --git a/nslcd/group.c b/nslcd/group.c
index 714ce3f..fc4dc31 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -106,10 +106,6 @@ ldap_initgroups_args_t;
#define GID_NOBODY UID_NOBODY
#endif
-static enum nss_status ng_chase(MYLDAP_SESSION *session,const char *dn,ldap_initgroups_args_t *lia);
-
-static enum nss_status ng_chase_backlink(MYLDAP_SESSION *session,const char **membersOf,ldap_initgroups_args_t *lia);
-
/* ( nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL
* DESC 'Abstraction of a group of accounts'
* MUST ( cn $ gidNumber )
@@ -118,6 +114,9 @@ static enum nss_status ng_chase_backlink(MYLDAP_SESSION *session,const char **me
* apart from that the above the uniqueMember attributes may be
* supported in a coming release (they map to DNs, which is an extra
* lookup step)
+ *
+ * using nested groups (groups that are member of a group) is currently
+ * not supported, this may be added in a later release
*/
/* the search base for searches */
@@ -134,8 +133,10 @@ const char *attmap_group_cn = "cn";
const char *attmap_group_userPassword = "userPassword";
const char *attmap_group_gidNumber = "gidNumber";
const char *attmap_group_memberUid = "memberUid";
+/*
const char *attmap_group_uniqueMember = "uniqueMember";
const char *attmap_group_memberOf = "memberOf";
+*/
/* the attribute list to request with searches */
static const char *group_attrs[6];
@@ -167,46 +168,6 @@ static int mkfilter_group_bygid(gid_t gid,
attmap_group_gidNumber,gid);
}
-static int mkfilter_getgroupsbydn(const char *dn,
- char *buffer,size_t buflen)
-{
- return mysnprintf(buffer,buflen,
- "(&%s(%s=%s))",
- group_filter,
- attmap_group_uniqueMember,dn);
-}
-
-static int mkfilter_group_bymember(MYLDAP_SESSION *session,const char *user,
- char *buffer,size_t buflen)
-{
- char buf2[1024];
- char *userdn;
- char buf3[1024];
- /* escape attribute */
- if(myldap_escape(user,buf2,sizeof(buf2)))
- return -1;
- /* lookup the user's DN */
- if (_nss_ldap_test_config_flag(NSS_LDAP_FLAGS_RFC2307BIS))
- userdn=passwd_username2dn(session,user);
- if (userdn==NULL)
- return mysnprintf(buffer,buflen,
- "(&%s(%s=%s))",
- group_filter,
- attmap_group_memberUid,user);
- else
- {
- /* escape DN */
- if(myldap_escape(userdn,buf3,sizeof(buf3)))
- return -1;
- ldap_memfree(userdn);
- return mysnprintf(buffer,buflen,
- "(&%s(|(%s=%s)(%s=%s)))",
- group_filter,
- attmap_group_memberUid, user,
- attmap_group_uniqueMember, userdn);
- }
-}
-
static void group_init(void)
{
/* set up base */
@@ -219,9 +180,9 @@ static void group_init(void)
group_attrs[0]=attmap_group_cn;
group_attrs[1]=attmap_group_userPassword;
group_attrs[2]=attmap_group_memberUid;
- group_attrs[3]=attmap_group_uniqueMember;
- group_attrs[4]=attmap_group_gidNumber;
- group_attrs[5]=NULL;
+ group_attrs[3]=attmap_group_gidNumber;
+ group_attrs[4]=NULL;
+/* group_attrs[4]=attmap_group_uniqueMember; */
}
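Review bot: group_init now fills only five slots of group_attrs, but the array is still declared with six (`static const char *group_attrs[6];` in the preceding hunk), so the declaration and the initializer no longer agree and the spare slot stays uninitialised as a file-scope zero. Shrink the declaration to `static const char *group_attrs[5];` (or count it from the assignments) so that a later addition cannot silently overrun, and drop the commented-out `/* group_attrs[4]=attmap_group_uniqueMember; */` line rather than keeping dead code in the function body.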
/* macros for expanding the NSLCD_GROUP macro */
@@ -240,920 +201,32 @@ static int write_group(TFILE *fp,struct group *result)
return 0;
}
-/*
- * Add a nested netgroup or group to the namelist
- */
-static enum nss_status _nss_ldap_namelist_push(struct name_list **head,const char *name)
-{
- struct name_list *nl;
-
- log_log(LOG_DEBUG,"==> _nss_ldap_namelist_push (%s)", name);
-
- nl = (struct name_list *) malloc (sizeof (*nl));
- if (nl == NULL)
- {
- log_log(LOG_DEBUG,"<== _nss_ldap_namelist_push");
- return NSS_STATUS_TRYAGAIN;
- }
-
- nl->name = strdup (name);
- if (nl->name == NULL)
- {
- log_log(LOG_DEBUG,"<== _nss_ldap_namelist_push");
- free (nl);
- return NSS_STATUS_TRYAGAIN;
- }
-
- nl->next = *head;
-
- *head = nl;
-
- log_log(LOG_DEBUG,"<== _nss_ldap_namelist_push");
-
- return NSS_STATUS_SUCCESS;
-}
-
-/*
- * Cleanup nested netgroup or group namelist.
- */
-static void _nss_ldap_namelist_destroy(struct name_list **head)
-{
- struct name_list *p, *next;
-
- log_log(LOG_DEBUG,"==> _nss_ldap_namelist_destroy");
-
- for (p = *head; p != NULL; p = next)
- {
- next = p->next;
-
- if (p->name != NULL)
- free (p->name);
- free (p);
- }
-
- *head = NULL;
-
- log_log(LOG_DEBUG,"<== _nss_ldap_namelist_destroy");
-}
-
-/*
- * Check whether we have already seen a netgroup or group,
- * to avoid loops in nested netgroup traversal
- */
-static int _nss_ldap_namelist_find(struct name_list *head,const char *netgroup)
-{
- struct name_list *p;
- int found = 0;
-
- log_log(LOG_DEBUG,"==> _nss_ldap_namelist_find");
-
- for (p = head; p != NULL; p = p->next)
- {
- if (strcasecmp (p->name, netgroup) == 0)
- {
- found++;
- break;
- }
- }
-
- log_log(LOG_DEBUG,"<== _nss_ldap_namelist_find");
-
- return found;
-}
-
-/*
- * Range retrieval logic was reimplemented from example in
- * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/searching_using_range_retrieval.asp
- */
-
-static enum nss_status
-do_parse_range (const char *attributeType,
- const char *attributeDescription, int *start, int *end)
-{
- enum nss_status stat = NSS_STATUS_NOTFOUND;
- char *attribute;
- size_t attributeTypeLength;
- size_t attributeDescriptionLength;
- char *p;
-#ifdef HAVE_STRTOK_R
- char *st = NULL;
-#endif
-
- *start = 0;
- *end = -1;
-
- if (strcasecmp (attributeType, attributeDescription) == 0)
- {
- return NSS_STATUS_SUCCESS;
- }
-
- attributeDescriptionLength = strlen (attributeDescription);
- attributeTypeLength = strlen (attributeType);
-
- if (attributeDescriptionLength < attributeTypeLength)
- {
- /* could not be a subtype */
- return NSS_STATUS_NOTFOUND;
- }
-
- /* XXX need to copy as strtok() is destructive */
- attribute = strdup (attributeDescription);
- if (attribute == NULL)
- {
- return NSS_STATUS_TRYAGAIN;
- }
-
-#ifndef HAVE_STRTOK_R
- for (p = strtok (attribute, ";"); p != NULL; p = strtok (NULL, ";"))
-#else
- for (p = strtok_r (attribute, ";", &st);
- p != NULL; p = strtok_r (NULL, ";", &st))
-#endif /* !HAVE_STRTOK_R */
- {
- char *q;
-
- if (p == attribute)
- {
- if (strcasecmp (p, attributeType) != 0)
- {
- free (attribute);
- return NSS_STATUS_NOTFOUND;
- }
- }
- else if (strncasecmp (p, "range=", sizeof ("range=") - 1) == 0)
- {
- p += sizeof ("range=") - 1;
-
- q = strchr (p, '-');
- if (q == NULL)
- {
- free (attribute);
- return NSS_STATUS_NOTFOUND;
- }
-
- *q++ = '\0';
-
- *start = strtoul (p, (char **) NULL, 10);
- if (strcmp (q, "*") == 0)
- *end = -1;
- else
- *end = strtoul (q, (char **) NULL, 10);
-
- stat = NSS_STATUS_SUCCESS;
- break;
- }
- }
-
- free (attribute);
- return stat;
-}
-
-static enum nss_status do_get_range_values(
- MYLDAP_SESSION *session,LDAPMessage *e,const char *attributeType,
- int *start,int *end,char ***pGroupMembers)
-{
- enum nss_status stat = NSS_STATUS_NOTFOUND;
- BerElement *ber = NULL;
- char *attribute;
-
- *pGroupMembers = NULL;
-
- for (attribute = _nss_ldap_first_attribute(session,e,&ber);
- attribute != NULL; attribute = _nss_ldap_next_attribute(session,e,ber))
- {
- stat = do_parse_range (attributeType, attribute, start, end);
- if (stat == NSS_STATUS_SUCCESS)
- {
- *pGroupMembers = _nss_ldap_get_values(session,e,attribute);
- if (*pGroupMembers == NULL)
- {
- stat = NSS_STATUS_NOTFOUND;
- }
- else if ((*pGroupMembers)[0] == NULL)
- {
- ldap_value_free (*pGroupMembers);
- *pGroupMembers = NULL;
- stat = NSS_STATUS_NOTFOUND;
- }
- }
-
-#ifdef HAVE_LDAP_MEMFREE
- ldap_memfree (attribute);
-#endif
-
- if (stat == NSS_STATUS_SUCCESS)
- break;
- }
-
- if (ber != NULL)
- ber_free (ber, 0);
-
- return stat;
-}
-
-/*
- * Format an attribute with description as:
- * attribute;range=START-END
- */
-static enum nss_status do_construct_range_attribute(
- const char *attribute,int start,int end,
- char **buffer,size_t * buflen,
- const char **pAttributeWithRange)
-{
- size_t len;
- char startbuf[32], endbuf[32];
-
- snprintf (startbuf, sizeof (startbuf), "%u", start);
-
- if (end != -1)
- snprintf (endbuf, sizeof (endbuf), "%u", end);
- else
- snprintf (endbuf, sizeof (endbuf), "*");
-
- len = strlen (attribute) + sizeof (";range=") - 1;
- len += strlen (startbuf) + 1 /* - */ + strlen (endbuf);
- len++; /* \0 */
-
- if (*buflen < len)
- return NSS_STATUS_TRYAGAIN;
-
- *pAttributeWithRange = *buffer;
-
- snprintf (*buffer, len, "%s;range=%s-%s", attribute, startbuf, endbuf);
-
- *buffer += len;
- *buflen -= len;
-
- return NSS_STATUS_SUCCESS;
-}
-
-static enum nss_status dn2uid(
- MYLDAP_SESSION *session,const char *dn,char **uid,char **buffer,
- size_t *buflen,int *pIsNestedGroup,
- LDAPMessage **pRes)
-{
- enum nss_status status;
- const char *attrs[4];
- LDAPMessage *res,*e;
-
- *pIsNestedGroup = 0;
-
- attrs[0] = attmap_passwd_uid;
- attrs[1] = attmap_group_uniqueMember;
- attrs[2] = "objectClass";
- attrs[3] = NULL;
-
- if ((status=_nss_ldap_read_sync(session,dn,attrs,&res))==NSS_STATUS_SUCCESS)
- {
- e=_nss_ldap_first_entry(session,res);
- if (e != NULL)
- {
- /* FIXME: somehow replace this with the dynamic stuff in group.c */
- if (has_objectclass(session,e,"posixGroup"))
- {
- *pIsNestedGroup = 1;
- *pRes = res;
- log_log(LOG_DEBUG,"<== _nss_ldap_dn2uid (nested group)");
- return NSS_STATUS_SUCCESS;
- }
-
- status=_nss_ldap_assign_attrval(session,e,attmap_passwd_uid,uid,buffer,buflen);
- }
- }
- ldap_msgfree (res);
-
- log_log(LOG_DEBUG,"<== _nss_ldap_dn2uid");
-
- return status;
-}
-
-/*
- * Expand group members, including nested groups
- */
-static enum nss_status do_parse_group_members(
- MYLDAP_SESSION *session,LDAPMessage *e,char ***pGroupMembers,
- size_t *pGroupMembersCount,size_t *pGroupMembersBufferSize,
- int *pGroupMembersBufferIsMalloced,char **buffer,size_t *buflen,
- int *depth,struct name_list **pKnownGroups) /* traversed groups */
-{
- enum nss_status stat = NSS_STATUS_SUCCESS;
- char **dnValues = NULL;
- char **uidValues = NULL;
- char **groupMembers;
- size_t groupMembersCount, i;
- char **valiter;
- const char *uniquemember_attrs[2];
- LDAPMessage *res=NULL;
- int start, end = 0;
- char *groupdn = NULL;
-
- uniquemember_attrs[0] = attmap_group_uniqueMember;
- uniquemember_attrs[1] = NULL;
-
- if (*depth > LDAP_NSS_MAXGR_DEPTH)
- {
- return NSS_STATUS_NOTFOUND;
- }
-
- i = *pGroupMembersCount; /* index of next member */
- groupMembers = *pGroupMembers;
-
- groupdn=_nss_ldap_get_dn(session,e);
- if (groupdn == NULL)
- {
- stat = NSS_STATUS_NOTFOUND;
- goto out;
- }
-
- if (_nss_ldap_namelist_find (*pKnownGroups, groupdn))
- {
- stat = NSS_STATUS_NOTFOUND;
- goto out;
- }
-
- /* store group DN for nested group loop detection */
- stat = _nss_ldap_namelist_push (pKnownGroups, groupdn);
- if (stat != NSS_STATUS_SUCCESS)
- {
- goto out;
- }
-
- do
- {
- if (e == NULL)
- {
- stat = NSS_STATUS_NOTFOUND;
- goto out;
- }
-
- groupMembersCount = 0; /* number of members in this group */
-
- (void)do_get_range_values(session,e,attmap_group_uniqueMember,&start,&end,&dnValues);
- if (dnValues != NULL)
- {
- groupMembersCount += ldap_count_values (dnValues);
- }
-
- uidValues=_nss_ldap_get_values(session,e,attmap_group_memberUid);
- if (uidValues != NULL)
- {
- groupMembersCount += ldap_count_values (uidValues);
- }
-
- /*
- * Check whether we need to increase the group membership buffer.
- * As an optimization the buffer is preferentially allocated off
- * the stack
- */
- if ((i + groupMembersCount) * sizeof (char *) >=
- *pGroupMembersBufferSize)
- {
- *pGroupMembersBufferSize =
- (i + groupMembersCount + 1) * sizeof (char *);
- *pGroupMembersBufferSize +=
- (LDAP_NSS_NGROUPS * sizeof (char *)) - 1;
- *pGroupMembersBufferSize -=
- (*pGroupMembersBufferSize %
- (LDAP_NSS_NGROUPS * sizeof (char *)));
-
- if (*pGroupMembersBufferIsMalloced == 0)
- {
- groupMembers = *pGroupMembers;
- *pGroupMembers = NULL; /* force malloc() */
- }
-
- *pGroupMembers =
- (char **) realloc (*pGroupMembers, *pGroupMembersBufferSize);
- if (*pGroupMembers == NULL)
- {
- *pGroupMembersBufferIsMalloced = 0; /* don't try to free */
- stat = NSS_STATUS_TRYAGAIN;
- goto out;
- }
-
- if (*pGroupMembersBufferIsMalloced == 0)
- {
- memcpy (*pGroupMembers, groupMembers, i * sizeof (char *));
- groupMembers = NULL; /* defensive programming */
- *pGroupMembersBufferIsMalloced = 1;
- }
- }
-
- groupMembers = *pGroupMembers;
-
- /* Parse distinguished name members */
- if (dnValues != NULL)
- {
- for (valiter = dnValues; *valiter != NULL; valiter++)
- {
- LDAPMessage *res;
- enum nss_status parseStat;
- int isNestedGroup = 0;
- char *uid;
-
- uid = strrchr (*valiter, '#');
- if (uid != NULL)
- {
- *uid = '\0';
- }
-
- parseStat=dn2uid(session,*valiter,&groupMembers[i],buffer,buflen,&isNestedGroup,&res);
- if (parseStat == NSS_STATUS_SUCCESS)
- {
- if (isNestedGroup == 0)
- {
- /* just a normal user which we have flattened */
- i++;
- continue;
- }
-
- (*depth)++;
- parseStat =
- do_parse_group_members (session,_nss_ldap_first_entry(session,res),
- &groupMembers, &i,
- pGroupMembersBufferSize,
- pGroupMembersBufferIsMalloced,
- buffer, buflen, depth,
- pKnownGroups);
- (*depth)--;
-
- if (parseStat == NSS_STATUS_TRYAGAIN)
- {
- stat = NSS_STATUS_TRYAGAIN;
- goto out;
- }
-
- ldap_msgfree (res);
- }
- else if (parseStat == NSS_STATUS_TRYAGAIN)
- {
- stat = NSS_STATUS_TRYAGAIN;
- goto out;
- }
- }
- }
-
- /* Parse RFC 2307 (flat) members */
- if (uidValues != NULL)
- {
- for (valiter = uidValues; *valiter != NULL; valiter++)
- {
- size_t len = strlen (*valiter) + 1;
- if (*buflen < len)
- {
- stat = NSS_STATUS_TRYAGAIN;
- goto out;
- }
- groupMembers[i] = *buffer;
- *buffer += len;
- *buflen -= len;
-
- memcpy (groupMembers[i++], *valiter, len);
- }
- }
-
- /* Get next range for Active Directory compat */
- if (end != -1)
- {
- stat = do_construct_range_attribute (attmap_group_uniqueMember,
- end + 1,
- -1,
- buffer,
- buflen,
- uniquemember_attrs);
- if (stat == NSS_STATUS_SUCCESS)
- {
- if (dnValues != NULL)
- {
- ldap_value_free (dnValues);
- dnValues = NULL;
- }
- if (uidValues != NULL)
- {
- ldap_value_free (uidValues);
- uidValues = NULL;
- }
- if (res != NULL)
- {
- ldap_msgfree (res);
- res = NULL;
- }
-
- stat=_nss_ldap_read_sync(session,groupdn,uniquemember_attrs,&res);
- if (stat != NSS_STATUS_SUCCESS)
- goto out;
-
- e=_nss_ldap_first_entry(session,res);
- }
- }
- }
- while (end != -1);
-
-out:
- if (dnValues != NULL)
- ldap_value_free (dnValues);
- if (uidValues != NULL)
- ldap_value_free (uidValues);
- if (res != NULL)
- ldap_msgfree (res);
- if (groupdn != NULL)
-#ifdef HAVE_LDAP_MEMFREE
- ldap_memfree (groupdn);
-#else
- free (groupdn);
-#endif
-
- *pGroupMembers = groupMembers;
- *pGroupMembersCount = i;
-
- return stat;
-}
-
-/*
- * "Fix" group membership list into caller provided buffer,
- * and NULL terminate.
-*/
-static enum nss_status
-do_fix_group_members_buffer (char **mallocedGroupMembers,
- size_t groupMembersCount,
- char ***pGroupMembers,
- char **buffer, size_t * buflen)
-{
- size_t len;
-
- len = (groupMembersCount + 1) * sizeof (char *);
-
- if (bytesleft (*buffer, *buflen, char *) < len)
- {
- return NSS_STATUS_TRYAGAIN;
- }
-
- align (*buffer, *buflen, char *);
- *pGroupMembers = (char **) *buffer;
- *buffer += len;
- *buflen -= len;
-
- memcpy (*pGroupMembers, mallocedGroupMembers,
- groupMembersCount * sizeof (char *));
- (*pGroupMembers)[groupMembersCount] = NULL;
-
- return NSS_STATUS_SUCCESS;
-}
-
static enum nss_status _nss_ldap_parse_gr(
MYLDAP_SESSION *session,LDAPMessage *e,struct ldap_state UNUSED(*state),
void *result,char *buffer,size_t buflen)
{
- struct group *gr = (struct group *) result;
+ struct group *gr=(struct group *)result;
char *gid;
enum nss_status stat;
- char **groupMembers;
- size_t groupMembersCount;
- size_t groupMembersBufferSize;
- char *groupMembersBuffer[LDAP_NSS_NGROUPS];
- int groupMembersBufferIsMalloced;
- int depth;
- struct name_list *knownGroups = NULL;
-
+ /* get group gid (gidNumber) */
stat=_nss_ldap_assign_attrval(session,e,attmap_group_gidNumber,&gid,&buffer,&buflen);
if (stat != NSS_STATUS_SUCCESS)
return stat;
-
- gr->gr_gid =
- (*gid == '\0') ? (unsigned) GID_NOBODY : (gid_t) strtoul (gid,
- (char **) NULL,
- 10);
-
+ gr->gr_gid=(*gid=='\0')?(unsigned)GID_NOBODY:(gid_t)strtoul(gid,NULL,10);
+ /* get group name (cn) */
stat=_nss_ldap_getrdnvalue(session,e,attmap_group_cn,&gr->gr_name,&buffer,&buflen);
if (stat != NSS_STATUS_SUCCESS)
return stat;
-
+ /* get group passwd (userPassword) */
stat=_nss_ldap_assign_userpassword(session,e,attmap_group_userPassword,&gr->gr_passwd,&buffer,&buflen);
if (stat != NSS_STATUS_SUCCESS)
return stat;
-
- if (_nss_ldap_test_config_flag (NSS_LDAP_FLAGS_RFC2307BIS))
- {
- groupMembers = groupMembersBuffer;
- groupMembersCount = 0;
- groupMembersBufferSize = sizeof (groupMembers);
- groupMembersBufferIsMalloced = 0;
- depth = 0;
-
- stat=do_parse_group_members(session,e,&groupMembers,&groupMembersCount,
- &groupMembersBufferSize,&groupMembersBufferIsMalloced,
- &buffer,&buflen,&depth,&knownGroups);
- if (stat != NSS_STATUS_SUCCESS)
- {
- if (groupMembersBufferIsMalloced)
- free (groupMembers);
- _nss_ldap_namelist_destroy (&knownGroups);
- return stat;
- }
-
- stat = do_fix_group_members_buffer (groupMembers, groupMembersCount,
- &gr->gr_mem, &buffer, &buflen);
-
- if (groupMembersBufferIsMalloced)
- free (groupMembers);
- _nss_ldap_namelist_destroy (&knownGroups);
- }
- else
- {
- stat=_nss_ldap_assign_attrvals(session,e,attmap_group_memberUid,NULL,
- &gr->gr_mem,&buffer,&buflen,NULL);
- }
-
+ /* get group memebers (memberUid) */
+ stat=_nss_ldap_assign_attrvals(session,e,attmap_group_memberUid,NULL,
+ &gr->gr_mem,&buffer,&buflen,NULL);
return stat;
}
-/*
- * Add a group ID to a group list, and optionally the group IDs
- * of any groups to which this group belongs (RFC2307bis nested
- * group expansion is done by do_parse_initgroups_nested()).
- */
-static enum nss_status do_parse_initgroups(
- MYLDAP_SESSION *session,LDAPMessage *e,struct ldap_state UNUSED(*state),
- void *result,char UNUSED(*buffer),size_t UNUSED(buflen))
-{
- char **values;
- ssize_t i;
- gid_t gid;
- ldap_initgroups_args_t *lia=(ldap_initgroups_args_t *)result;
- values=_nss_ldap_get_values(session,e,attmap_group_gidNumber);
- if (values == NULL)
- {
- /* invalid group; skip it */
- return NSS_STATUS_NOTFOUND;
- }
-
- if (values[0] == NULL)
- {
- /* invalid group; skip it */
- ldap_value_free (values);
- return NSS_STATUS_NOTFOUND;
- }
-
-#ifdef HAVE_USERSEC_H
- i = strlen (values[0]);
- lia->grplist = realloc (lia->grplist, lia->listlen + i + 2);
- if (lia->grplist == NULL)
- {
- ldap_value_free (values);
- return NSS_STATUS_TRYAGAIN;
- }
- memcpy (lia->grplist + lia->listlen, values[0], i);
- lia->grplist[lia->listlen + i] = ',';
- lia->listlen += i + 1;
- ldap_value_free (values);
-#else
- gid = strtoul (values[0], (char **) NULL, 10);
- ldap_value_free (values);
-
- if (gid == LONG_MAX && errno == ERANGE)
- {
- /* invalid group, skip it */
- return NSS_STATUS_NOTFOUND;
- }
-
- if (gid == lia->group)
- {
- /* primary group, so skip it */
- return NSS_STATUS_NOTFOUND;
- }
-
- if (lia->limit > 0)
- {
- if (*(lia->start) >= lia->limit)
- {
- /* can't fit any more */
- return NSS_STATUS_TRYAGAIN;
- }
- }
- if (*(lia->start) == *(lia->size))
- {
- /* Need a bigger buffer */
- *(lia->groups) = (gid_t *) realloc (*(lia->groups),
- 2 * *(lia->size) * sizeof (gid_t));
- if (*(lia->groups) == NULL)
- {
- return NSS_STATUS_TRYAGAIN;
- }
- *(lia->size) *= 2;
- }
-
- /* weed out duplicates; is this really our responsibility? */
- for (i = 0; i < *(lia->start); i++)
- {
- if ((*(lia->groups))[i] == gid)
- {
- return NSS_STATUS_NOTFOUND;
- }
- }
-
- /* add to group list */
- (*(lia->groups))[*(lia->start)] = gid;
- (*(lia->start)) += 1;
-#endif /* HAVE_USERSEC_H */
-
- return NSS_STATUS_NOTFOUND;
-}
-
-static enum nss_status do_parse_initgroups_nested(
- MYLDAP_SESSION *session,LDAPMessage *e,struct ldap_state *state,
- void *result,char *buffer,size_t buflen)
-{
- enum nss_status status;
- ldap_initgroups_args_t *lia = (ldap_initgroups_args_t *) result;
- char **values;
- char *groupdn;
-
- status=do_parse_initgroups(session,e,state,result,buffer,buflen);
- if (status != NSS_STATUS_NOTFOUND)
- return status;
-
- if (!_nss_ldap_test_config_flag (NSS_LDAP_FLAGS_RFC2307BIS))
- return NSS_STATUS_NOTFOUND;
-
- if (lia->backlink != 0)
- {
- /*
- * Now add the GIDs of any groups of which this group is
- * a member.
- */
- values=_nss_ldap_get_values(session,e,attmap_group_memberOf);
- if (values != NULL)
- {
- lia->depth++;
- status=ng_chase_backlink(session,(const char **)values,lia);
- lia->depth--;
-
- ldap_value_free (values);
-
- return status;
- }
- }
- else
- {
- /*
- * Now add the GIDs of any groups which refer to this group
- */
- groupdn=_nss_ldap_get_dn(session,e);
- if (groupdn != NULL)
- {
- /* Note: there was a problem here with stat in the orriginal code */
- lia->depth++;
- status=ng_chase(session,groupdn,lia);
- lia->depth--;
-#ifdef HAVE_LDAP_MEMFREE
- ldap_memfree(groupdn);
-#else
- free(groupdn);
-#endif
- }
- }
-
- return status;
-}
-
-static enum nss_status ng_chase(MYLDAP_SESSION *session,const char *dn,ldap_initgroups_args_t *lia)
-{
- char filter[1024];
- enum nss_status stat;
- struct ent_context context;
- const char *gidnumber_attrs[2];
-
- if (lia->depth>LDAP_NSS_MAXGR_DEPTH)
- return NSS_STATUS_NOTFOUND;
-
- if (_nss_ldap_namelist_find(lia->known_groups,dn))
- return NSS_STATUS_NOTFOUND;
-
- gidnumber_attrs[0]=attmap_group_gidNumber;
- gidnumber_attrs[1]=NULL;
-
- _nss_ldap_ent_context_init(&context,session);
- mkfilter_getgroupsbydn(dn,filter,sizeof(filter));
- stat=_nss_ldap_getent(&context,lia,NULL,0,
- group_base,group_scope,filter,gidnumber_attrs,
- do_parse_initgroups_nested);
-
- if (stat==NSS_STATUS_SUCCESS)
- stat=_nss_ldap_namelist_push(&lia->known_groups,dn);
-
- _nss_ldap_ent_context_cleanup(&context);
-
- return stat;
-}
-
-static enum nss_status ng_chase_backlink(MYLDAP_SESSION *session,const char **membersOf,ldap_initgroups_args_t *lia)
-{
- enum nss_status stat;
- struct ent_context context;
- const char *gidnumber_attrs[3];
- const char **memberP;
- const char **filteredMembersOf; /* remove already traversed groups */
- size_t memberCount, i;
-
- if (lia->depth > LDAP_NSS_MAXGR_DEPTH)
- return NSS_STATUS_NOTFOUND;
-
- for (memberCount = 0; membersOf[memberCount] != NULL; memberCount++)
- ;
-
- /* Build a list of membersOf values without any already traversed groups */
- filteredMembersOf = (const char **) malloc(sizeof(char *) * (memberCount + 1));
- if (filteredMembersOf == NULL)
- {
- return NSS_STATUS_TRYAGAIN;
- }
-
- memberP = filteredMembersOf;
-
- for (i = 0; i < memberCount; i++)
- {
- if (_nss_ldap_namelist_find (lia->known_groups, membersOf[i]))
- continue;
-
- *memberP = membersOf[i];
- memberP++;
- }
-
- *memberP = NULL;
-
- if (filteredMembersOf[0] == NULL)
- {
- free (filteredMembersOf);
- return NSS_STATUS_NOTFOUND;
- }
-
- gidnumber_attrs[0] = attmap_group_gidNumber;
- gidnumber_attrs[1] = attmap_group_memberOf;
- gidnumber_attrs[2] = NULL;
-
- _nss_ldap_ent_context_init(&context,session);
- /* FIXME: the search filter is wrong here, we should figure out what it's
- supposed to be */
- stat=_nss_ldap_getent(&context,lia,NULL,0,
- group_base,group_scope,"(distinguishedName=%s)",gidnumber_attrs,
- do_parse_initgroups_nested);
-
- if (stat == NSS_STATUS_SUCCESS)
- {
- enum nss_status stat2;
-
- for (memberP = filteredMembersOf; *memberP != NULL; memberP++)
- {
- stat2 = _nss_ldap_namelist_push (&lia->known_groups, *memberP);
- if (stat2 != NSS_STATUS_SUCCESS)
- {
- stat = stat2;
- break;
- }
- }
- }
-
- free (filteredMembersOf);
-
- _nss_ldap_ent_context_cleanup(&context);
-
- return stat;
-}
-
-static int group_bymember(MYLDAP_SESSION *session,const char *user)
-{
- ldap_initgroups_args_t lia;
- char filter[1024];
- enum nss_status stat;
- struct ent_context context;
- const char *gidnumber_attrs[3];
- log_log(LOG_DEBUG,"==> group_bymember (user=%s)",user);
- lia.depth = 0;
- lia.known_groups=NULL;
- /* initialize schema */
- if (_nss_ldap_init(session))
- {
- log_log(LOG_DEBUG,"<== group_bymember (init failed)");
- return -1;
- }
- mkfilter_group_bymember(session,user,filter,sizeof(filter));
- gidnumber_attrs[0] = attmap_group_gidNumber;
- gidnumber_attrs[1] = NULL;
- _nss_ldap_ent_context_init(&context,session);
- stat=_nss_ldap_getent(&context,(void *)&lia,NULL,0,
- group_base,group_scope,filter,gidnumber_attrs,
- do_parse_initgroups_nested);
- _nss_ldap_namelist_destroy(&lia.known_groups);
- _nss_ldap_ent_context_cleanup(&context);
- if ((stat!=NSS_STATUS_SUCCESS)&&(stat!=NSS_STATUS_NOTFOUND))
- {
- log_log(LOG_DEBUG,"<== group_bymember (not found)");
- return -1;
- }
- log_log(LOG_DEBUG,"<== group_bymember (success)");
- return 0;
-}
-
int nslcd_group_byname(TFILE *fp,MYLDAP_SESSION *session)
{
int32_t tmpint32;
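Review bot: The rewritten gid line in _nss_ldap_parse_gr, `gr->gr_gid=(*gid=='\0')?(unsigned)GID_NOBODY:(gid_t)strtoul(gid,NULL,10);`, only guards against an empty gidNumber; a value that is not a plain decimal number, has trailing characters, or overflows is silently turned by strtoul into 0 or a truncated number, so a malformed directory entry ends up as a group with a gid it never had. The removed do_parse_initgroups at least checked ERANGE; checking an end pointer and errno and mapping anything malformed to GID_NOBODY, exactly like the empty case, keeps the lookup defensive without changing the function's interface. errno was already used by the removed code in this file, so <errno.h> appears to be in scope, but confirm. Separately, the new comment `/* get group memebers (memberUid) */` should read `members`.
```c
  struct group *gr=(struct group *)result;
  char *gid,*end;
  enum nss_status stat;
  /* get group gid (gidNumber); anything that is not a plain decimal
     number is mapped to GID_NOBODY rather than to whatever strtoul()
     makes of it */
  stat=_nss_ldap_assign_attrval(session,e,attmap_group_gidNumber,&gid,&buffer,&buflen);
  if (stat != NSS_STATUS_SUCCESS)
    return stat;
  errno=0;
  gr->gr_gid=(gid_t)strtoul(gid,&end,10);
  if ((*gid=='\0')||(*end!='\0')||(errno==ERANGE))
    gr->gr_gid=(gid_t)GID_NOBODY;
  /* … unchanged: cn, userPassword and memberUid lookups … */
```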
diff --git a/nslcd/ldap-nss.c b/nslcd/ldap-nss.c
index 3deb469..b7e0d93 100644
--- a/nslcd/ldap-nss.c
+++ b/nslcd/ldap-nss.c
@@ -306,7 +306,7 @@ static void do_close(MYLDAP_SESSION *session)
}
/* set up the session state, ensure that we have an LDAP connection */
-int _nss_ldap_init(MYLDAP_SESSION *session)
+static int _nss_ldap_init(MYLDAP_SESSION *session)
{
time_t current_time;
int rc;
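Review bot: Making _nss_ldap_init static is the right direction, but the function keeps its `_nss_ldap_` export-style prefix even though it is now file-local, while the neighbouring file-local helper in the same hunk is named `do_close`; the same applies to `_nss_ldap_get_dn` and `_nss_ldap_search_sync` later in this file. Identifiers beginning with an underscore are reserved at file scope by the C standard, so now that these symbols are no longer part of the header interface this is the moment to rename them in the file's own style, e.g. `static int do_init(MYLDAP_SESSION *session)`. The body of _nss_ldap_init continues outside the hunk.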
@@ -891,20 +891,6 @@ static enum nss_status do_parse_sync(
}
/*
- * Read an entry from the directory, a la X.500. This is used
- * for functions that need to retrieve attributes from a DN,
- * such as the RFC2307bis group expansion function.
- */
-enum nss_status _nss_ldap_read_sync(
- MYLDAP_SESSION *session,const char *dn,const char **attributes,
- LDAPMessage ** res)
-{
- /* synchronous search */
- return do_with_reconnect(session,dn,LDAP_SCOPE_BASE,"(objectclass=*)",
- attributes,1 /* sizelimit */,res,NULL);
-}
-
-/*
* Simple wrapper around ldap_get_values(). Requires that
* session is already established.
*/
@@ -921,7 +907,7 @@ char **_nss_ldap_get_values(MYLDAP_SESSION *session,LDAPMessage *e,
* Simple wrapper around ldap_get_dn(). Requires that
* session is already established.
*/
-char *_nss_ldap_get_dn(MYLDAP_SESSION *session,LDAPMessage *e)
+static char *_nss_ldap_get_dn(MYLDAP_SESSION *session,LDAPMessage *e)
{
if (session->ls_state!=LS_CONNECTED_TO_DSA)
return NULL;
@@ -930,37 +916,9 @@ char *_nss_ldap_get_dn(MYLDAP_SESSION *session,LDAPMessage *e)
}
/*
- * Simple wrapper around ldap_first_entry(). Requires that
- * session is already established.
- */
-LDAPMessage *_nss_ldap_first_entry(MYLDAP_SESSION *session,LDAPMessage *res)
-{
- if (session->ls_state!=LS_CONNECTED_TO_DSA)
- return NULL;
- assert(session->ls_conn!=NULL);
- return ldap_first_entry(session->ls_conn,res);
-}
-
-char *_nss_ldap_first_attribute(MYLDAP_SESSION *session,LDAPMessage *entry,BerElement **berptr)
-{
- if (session->ls_state!=LS_CONNECTED_TO_DSA)
- return NULL;
- assert(session->ls_conn!=NULL);
- return ldap_first_attribute(session->ls_conn,entry,berptr);
-}
-
-char *_nss_ldap_next_attribute(MYLDAP_SESSION *session,LDAPMessage *entry,BerElement *ber)
-{
- if (session->ls_state!=LS_CONNECTED_TO_DSA)
- return NULL;
- assert(session->ls_conn!=NULL);
- return ldap_next_attribute(session->ls_conn,entry,ber);
-}
-
-/*
* The generic synchronous lookup cover function.
*/
-enum nss_status _nss_ldap_search_sync(
+static enum nss_status _nss_ldap_search_sync(
MYLDAP_SESSION *session,const char *base,int scope,
const char *filter,const char **attrs,int sizelimit,
LDAPMessage **res)
@@ -1276,6 +1234,7 @@ static const char *_nss_ldap_locate_userpassword(char **vals)
token_length = sizeof("CRYPT$") - 1;
break;
case LU_OTHER_PASSWORD:
+ default:
break;
}
}
diff --git a/nslcd/ldap-nss.h b/nslcd/ldap-nss.h
index 6a688de..5293da7 100644
--- a/nslcd/ldap-nss.h
+++ b/nslcd/ldap-nss.h
@@ -117,20 +117,6 @@ void _nss_ldap_ent_context_init(struct ent_context *context,MYLDAP_SESSION *sess
*/
void _nss_ldap_ent_context_cleanup(struct ent_context *context);
-enum nss_status _nss_ldap_search_sync(
- MYLDAP_SESSION *session,const char *base,int scope,
- const char *filter,const char **attrs,int sizelimit,
- LDAPMessage **res);
-
-/*
- * Emulate X.500 read operation.
- */
-enum nss_status _nss_ldap_read_sync(
- MYLDAP_SESSION *session,
- const char *dn, /* IN */
- const char **attributes, /* IN */
- LDAPMessage ** res /* OUT */ );
-
/*
* common enumeration routine; uses asynchronous API.
*/
@@ -156,10 +142,6 @@ int _nss_ldap_getbyname(
/* parsing utility functions */
char **_nss_ldap_get_values(MYLDAP_SESSION *session,LDAPMessage *e,const char *attr);
-char *_nss_ldap_get_dn(MYLDAP_SESSION *session,LDAPMessage *e);
-LDAPMessage *_nss_ldap_first_entry(MYLDAP_SESSION *session,LDAPMessage *res);
-char *_nss_ldap_first_attribute(MYLDAP_SESSION *session,LDAPMessage *entry,BerElement **berptr);
-char *_nss_ldap_next_attribute(MYLDAP_SESSION *session,LDAPMessage *entry,BerElement *ber);
enum nss_status _nss_ldap_assign_attrvals (
MYLDAP_SESSION *session,
@@ -191,8 +173,6 @@ enum nss_status _nss_ldap_assign_userpassword(
return 0 for false, not-0 for true */
int has_objectclass(MYLDAP_SESSION *session,LDAPMessage *entry,const char *objectclass);
-int _nss_ldap_init(MYLDAP_SESSION *session);
-
/*
* get the RDN's value: eg. if the RDN was cn=lukeh, getrdnvalue(entry)
* would return lukeh.
diff --git a/nslcd/passwd.c b/nslcd/passwd.c
index 437ee57..843e073 100644
--- a/nslcd/passwd.c
+++ b/nslcd/passwd.c
@@ -239,27 +239,6 @@ static enum nss_status _nss_ldap_parse_pw(
return NSS_STATUS_SUCCESS;
}
-/* Note that our caller has to free the returned value with ldap_free() */
-char *passwd_username2dn(MYLDAP_SESSION *session,const char *username)
-{
- char *userdn=NULL;
- static const char *no_attrs[]={ NULL };
- char filter[1024];
- LDAPMessage *res,*e;
- /* log call */
- log_log(LOG_DEBUG,"passwd_username2dn(%s)",username);
- /* do the LDAP request */
- mkfilter_passwd_byname(username,filter,sizeof(filter));
- if (_nss_ldap_search_sync(session,passwd_base,passwd_scope,filter,no_attrs,1,&res)==NSS_STATUS_SUCCESS)
- {
- e=_nss_ldap_first_entry(session,res);
- if (e!=NULL)
- userdn=_nss_ldap_get_dn(session,e);
- ldap_msgfree(res);
- }
- return userdn;
-}
-
/* the caller should take care of opening and closing the stream */
int nslcd_passwd_byname(TFILE *fp,MYLDAP_SESSION *session)
{