authorArthur de Jong <arthur@arthurdejong.org>2010-12-28 22:52:28 +0000
committerArthur de Jong <arthur@arthurdejong.org>2010-12-28 22:52:28 +0000
commita215b08a303a1412b645f00c5ee139671be9fbbb (patch)
treec01ddd297ae9b82193fa874f4ea947cc584e2d2e
parent8eb43e411882e26257c07c32949028bf76e187ec (diff)
allow attribute mapping with an expression for the userPassword attribute for passwd, group and shadow entries and by default map it to the unmatchable password ("*") to avoid accidentally leaking password information
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1346 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r--man/nslcd.conf.5.xml24
-rw-r--r--nslcd/attmap.c5
-rw-r--r--nslcd/common.c25
-rw-r--r--nslcd/common.h3
-rw-r--r--nslcd/group.c22
-rw-r--r--nslcd/passwd.c5
-rw-r--r--nslcd/shadow.c5
7 files changed, 52 insertions, 37 deletions
diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
index 930e5a1..62d249d 100644
--- a/man/nslcd.conf.5.xml
+++ b/man/nslcd.conf.5.xml
@@ -399,17 +399,25 @@
See the section on attribute mapping expressions below for more details.
</para>
<para>
- Only some attributes for passwd and shadow entries may be mapped with
- an expression (because other attributes may be used in search
+ Only some attributes for group, passwd and shadow entries may be mapped
+ with an expression (because other attributes may be used in search
filters).
+ For group entries only the <literal>userPassword</literal> attribute
+ may be mapped with an expression.
For passwd entries the following attributes may be mapped with an
- expression: <literal>gidNumber</literal>, <literal>gecos</literal>,
- <literal>homeDirectory</literal> and <literal>loginShell</literal>.
+ expression: <literal>userPassword</literal>, <literal>gidNumber</literal>,
+ <literal>gecos</literal>, <literal>homeDirectory</literal> and
+ <literal>loginShell</literal>.
For shadow entries the following attributes may be mapped with an
- expression: <literal>shadowLastChange</literal>, <literal>shadowMin</literal>,
- <literal>shadowMax</literal>, <literal>shadowWarning</literal>,
- <literal>shadowInactive</literal>, <literal>shadowExpire</literal> and
- <literal>shadowFlag</literal>.
+ expression: <literal>userPassword</literal>, <literal>shadowLastChange</literal>,
+ <literal>shadowMin</literal>, <literal>shadowMax</literal>,
+ <literal>shadowWarning</literal>, <literal>shadowInactive</literal>,
+ <literal>shadowExpire</literal> and <literal>shadowFlag</literal>.
+ </para>
+ <para>
+ By default all <literal>userPassword</literal> attributes are mapped
+ to the unmatchable password ("*") to avoid accidentally leaking
+ password information.
</para>
</listitem>
</varlistentry>
diff --git a/nslcd/attmap.c b/nslcd/attmap.c
index 92cc011..32b8041 100644
--- a/nslcd/attmap.c
+++ b/nslcd/attmap.c
@@ -213,10 +213,13 @@ const char *attmap_set_mapping(const char **var,const char *value)
/* these attributes may contain an expression
(note that this needs to match the functionality in the specific
lookup module) */
- if ( (var!=&attmap_passwd_gidNumber) &&
+ if ( (var!=&attmap_group_userPassword) &&
+ (var!=&attmap_passwd_userPassword) &&
+ (var!=&attmap_passwd_gidNumber) &&
(var!=&attmap_passwd_gecos) &&
(var!=&attmap_passwd_homeDirectory) &&
(var!=&attmap_passwd_loginShell) &&
+ (var!=&attmap_shadow_userPassword) &&
(var!=&attmap_shadow_shadowLastChange) &&
(var!=&attmap_shadow_shadowMin) &&
(var!=&attmap_shadow_shadowMax) &&
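Review bot: The allow-list of expression-capable attributes is a hand-maintained chain of pointer comparisons that the added lines make three entries longer, and the comment just above it already warns that the list must be kept in step with each lookup module; a static table walked in a small helper would make the next addition a one-line change and give the list a single place to document. The `if` this hunk extends continues past the end of the hunk, so its body is not visible here and is left untouched below.
```c
/* the attributes that may contain an expression
   (note that this needs to match the functionality in the specific
   lookup module) */
static const char **const expression_attrs[] = {
  &attmap_group_userPassword,
  &attmap_passwd_userPassword,
  &attmap_passwd_gidNumber,
  &attmap_passwd_gecos,
  &attmap_passwd_homeDirectory,
  &attmap_passwd_loginShell,
  &attmap_shadow_userPassword,
  &attmap_shadow_shadowLastChange,
  &attmap_shadow_shadowMin,
  &attmap_shadow_shadowMax,
  /* … unchanged: remaining shadow attributes listed past the hunk … */
};

/* return non-0 if var is one of the attributes that may hold an expression */
static int may_contain_expression(const char **var)
{
  size_t i;
  for (i=0;i<sizeof(expression_attrs)/sizeof(expression_attrs[0]);i++)
    if (expression_attrs[i]==var)
      return 1;
  return 0;
}

  /* … in attmap_set_mapping, replacing the comparison chain … */
  if (!may_contain_expression(var))
```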
diff --git a/nslcd/common.c b/nslcd/common.c
index d634dd7..dc25bed 100644
--- a/nslcd/common.c
+++ b/nslcd/common.c
@@ -35,6 +35,7 @@
#include "nslcd.h"
#include "common.h"
#include "log.h"
+#include "attmap.h"
/* simple wrapper around snptintf() to return non-0 in case
of any failure (but always keep string 0-terminated) */
@@ -51,25 +52,21 @@ int mysnprintf(char *buffer,size_t buflen,const char *format, ...)
return ((res<0)||(((size_t)res)>=buflen));
}
-const char *get_userpassword(MYLDAP_ENTRY *entry,const char *attr)
+const char *get_userpassword(MYLDAP_ENTRY *entry,const char *attr,char *buffer,size_t buflen)
{
- const char **values;
- int i;
- /* get the entries */
- values=myldap_get_values(entry,attr);
- if ((values==NULL)||(values[0]==NULL))
+ const char *tmpvalue;
+ /* get the value */
+ tmpvalue=attmap_get_value(entry,attr,buffer,buflen);
+ if (tmpvalue==NULL)
return NULL;
/* go over the entries and return the remainder of the value if it
starts with {crypt} or crypt$ */
- for (i=0;values[i]!=NULL;i++)
- {
- if (strncasecmp(values[i],"{crypt}",7)==0)
- return values[i]+7;
- if (strncasecmp(values[i],"crypt$",6)==0)
- return values[i]+6;
- }
+ if (strncasecmp(tmpvalue,"{crypt}",7)==0)
+ return tmpvalue+7;
+ if (strncasecmp(tmpvalue,"crypt$",6)==0)
+ return tmpvalue+6;
/* just return the first value completely */
- return values[0];
+ return tmpvalue;
/* TODO: support more password formats e.g. SMD5
(which is $1$ but in a different format)
(any code for this is more than welcome) */
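Review bot: The rewritten body only inspects the single string returned by attmap_get_value, whereas the removed loop scanned every userPassword value for a `{crypt}`/`crypt$` prefix; an entry whose first value is some other hash and whose second value is the crypt one now yields the literal first value where it previously returned the crypt hash. If that narrowing is intended (the expression path can only ever produce one string), the comment above the prefix checks still talks about going over the entries and should read `/* strip a {crypt} or crypt$ prefix from the value, if present */`. The closing brace of get_userpassword lies past the end of the hunk.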
diff --git a/nslcd/common.h b/nslcd/common.h
index f3a3288..5bd98ea 100644
--- a/nslcd/common.h
+++ b/nslcd/common.h
@@ -59,7 +59,8 @@ int mysnprintf(char *buffer,size_t buflen,const char *format, ...)
/etc/group or /etc/shadow depending upon what is in the directory.
This function will return NULL if no passwd is found and will return the
literal value in the directory if conversion is not possible. */
-const char *get_userpassword(MYLDAP_ENTRY *entry,const char *attr);
+const char *get_userpassword(MYLDAP_ENTRY *entry,const char *attr,
+ char *buffer,size_t buflen);
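Review bot: The prototype gains buffer and buflen but the comment above it does not say what they are for or how long the returned pointer stays valid; since the value is now obtained through attmap_get_value with that buffer, the result presumably may point into it when an expression is expanded. I would extend the comment with `buffer/buflen provide scratch space for expanding a mapping expression; the returned pointer may reference buffer and is only valid while buffer is.` so callers know not to return or store the pointer beyond the buffer's lifetime.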
/* write out an address, parsing the addr value */
int write_address(TFILE *fp,const char *addr);
diff --git a/nslcd/group.c b/nslcd/group.c
index e21f035..fa50d6f 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -61,7 +61,7 @@ const char *group_filter = "(objectClass=posixGroup)";
/* the attributes to request with searches */
const char *attmap_group_cn = "cn";
-const char *attmap_group_userPassword = "userPassword";
+const char *attmap_group_userPassword = "\"*\"";
const char *attmap_group_gidNumber = "gidNumber";
const char *attmap_group_memberUid = "memberUid";
const char *attmap_group_uniqueMember = "uniqueMember";
@@ -70,7 +70,7 @@ const char *attmap_group_uniqueMember = "uniqueMember";
static const char *default_group_userPassword = "*"; /* unmatchable */
/* the attribute list to request with searches */
-static const char *group_attrs[6];
+static const char **group_attrs=NULL;
/* create a search filter for searching a group entry
by name, return -1 on errors */
@@ -131,6 +131,7 @@ static int mkfilter_group_bymember(MYLDAP_SESSION *session,
void group_init(void)
{
int i;
+ SET *set;
/* set up search bases */
if (group_bases[0]==NULL)
for (i=0;i<NSS_LDAP_CONFIG_MAX_BASES;i++)
@@ -139,12 +140,14 @@ void group_init(void)
if (group_scope==LDAP_SCOPE_DEFAULT)
group_scope=nslcd_cfg->ldc_scope;
/* set up attribute list */
- group_attrs[0]=attmap_group_cn;
- group_attrs[1]=attmap_group_userPassword;
- group_attrs[2]=attmap_group_memberUid;
- group_attrs[3]=attmap_group_gidNumber;
- group_attrs[4]=attmap_group_uniqueMember;
- group_attrs[5]=NULL;
+ set=set_new();
+ attmap_add_attributes(set,attmap_group_cn);
+ attmap_add_attributes(set,attmap_group_userPassword);
+ attmap_add_attributes(set,attmap_group_memberUid);
+ attmap_add_attributes(set,attmap_group_gidNumber);
+ attmap_add_attributes(set,attmap_group_uniqueMember);
+ group_attrs=set_tolist(set);
+ set_free(set);
}
static int do_write_group(
@@ -223,6 +226,7 @@ static int write_group(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname,
gid_t gids[MAXGIDS_PER_ENTRY];
int numgids;
char *tmp;
+ char passbuffer[80];
int rc;
/* get group name (cn) */
names=myldap_get_values(entry,attmap_group_cn);
@@ -259,7 +263,7 @@ static int write_group(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname,
}
}
/* get group passwd (userPassword) (use only first entry) */
- passwd=get_userpassword(entry,attmap_group_userPassword);
+ passwd=get_userpassword(entry,attmap_group_userPassword,passbuffer,sizeof(passbuffer));
if (passwd==NULL)
passwd=default_group_userPassword;
/* get group memebers (memberUid&uniqueMember) */
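Review bot: passbuffer is 80 bytes, which is shorter than a SHA-512 crypt string ($6$ with a 16-character salt and 86-character digest is 106 characters), so an administrator who maps userPassword back to the real directory attribute may see the hash truncated or the lookup fall back to the unmatchable default, depending on how attmap_get_value treats a buffer that is too small, which I cannot see from here. Either outcome fails closed, but it would be a puzzling breakage; sizing the buffer for the longest hash in use, e.g. `char passbuffer[256]; /* large enough for any crypt(3) hash */`, avoids it. The same 80-byte passbuffer is declared in write_passwd (passwd.c) and write_shadow (shadow.c) in this commit.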
diff --git a/nslcd/passwd.c b/nslcd/passwd.c
index 3d734f2..9113f5d 100644
--- a/nslcd/passwd.c
+++ b/nslcd/passwd.c
@@ -56,7 +56,7 @@ const char *passwd_filter = "(objectClass=posixAccount)";
/* the attributes used in searches */
const char *attmap_passwd_uid = "uid";
-const char *attmap_passwd_userPassword = "userPassword";
+const char *attmap_passwd_userPassword = "\"*\"";
const char *attmap_passwd_uidNumber = "uidNumber";
const char *attmap_passwd_gidNumber = "gidNumber";
const char *attmap_passwd_gecos = "\"${gecos:-$cn}\"";
@@ -348,6 +348,7 @@ static int write_passwd(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser,
char gecos[100];
char homedir[100];
char shell[100];
+ char passbuffer[80];
int i,j;
/* get the usernames for this entry */
usernames=myldap_get_values(entry,attmap_passwd_uid);
@@ -365,7 +366,7 @@ static int write_passwd(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser,
}
else
{
- passwd=get_userpassword(entry,attmap_passwd_userPassword);
+ passwd=get_userpassword(entry,attmap_passwd_userPassword,passbuffer,sizeof(passbuffer));
if ((passwd==NULL)||(calleruid!=0))
passwd=default_passwd_userPassword;
}
diff --git a/nslcd/shadow.c b/nslcd/shadow.c
index 55013d7..e5f4a54 100644
--- a/nslcd/shadow.c
+++ b/nslcd/shadow.c
@@ -55,7 +55,7 @@ const char *shadow_filter = "(objectClass=shadowAccount)";
/* the attributes to request with searches */
const char *attmap_shadow_uid = "uid";
-const char *attmap_shadow_userPassword = "userPassword";
+const char *attmap_shadow_userPassword = "\"*\"";
const char *attmap_shadow_shadowLastChange = "\"${shadowLastChange:--1}\"";
const char *attmap_shadow_shadowMin = "\"${shadowMin:--1}\"";
const char *attmap_shadow_shadowMax = "\"${shadowMax:--1}\"";
@@ -251,6 +251,7 @@ static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser)
unsigned long flag;
int i;
char buffer[80];
+ char passbuffer[80];
/* get username */
usernames=myldap_get_values(entry,attmap_shadow_uid);
if ((usernames==NULL)||(usernames[0]==NULL))
@@ -260,7 +261,7 @@ static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser)
return 0;
}
/* get password */
- passwd=get_userpassword(entry,attmap_shadow_userPassword);
+ passwd=get_userpassword(entry,attmap_shadow_userPassword,passbuffer,sizeof(passbuffer));
if (passwd==NULL)
passwd=default_shadow_userPassword;
/* get lastchange date */