author | Arthur de Jong <arthur@arthurdejong.org> | 2012-05-04 20:20:36 +0000 |
committer | Arthur de Jong <arthur@arthurdejong.org> | 2012-05-04 20:20:36 +0000 |
commit | 7e1d8e36ef2bdcf26077750d7f42398c04f19e5f (patch) | |
tree | a7c28f87a50e02bd9380304b9cb0a1275cceeb45 /pynslcd/pam.py | |
parent | d8c5bb2778c0680d99b5eab0f6e6fa52ab1b6374 (diff) |
ignore user-supplied DN for PAM requests and don't send it back
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1683 ef36b2f9-881f-0410-afb5-c4e39611909c
Diffstat (limited to 'pynslcd/pam.py')
-rw-r--r-- | pynslcd/pam.py | 49 |
1 files changed, 24 insertions, 25 deletions
diff --git a/pynslcd/pam.py b/pynslcd/pam.py
index c4d8a3c..753b7a8 100644
--- a/pynslcd/pam.py
+++ b/pynslcd/pam.py
@@ -48,28 +48,27 @@ class PAMRequest(common.Request):
 in the DN if needed."""
 # check username for validity
 common.validate_name(parameters['username'])
- # look up user DN if not known
- if not parameters['userdn']:
- entry = passwd.uid2entry(self.conn, parameters['username'])
- if not entry:
- raise ValueError('%r: user not found' % parameters['username'])
- # save the DN
- parameters['userdn'] = entry[0]
- # get the "real" username
- value = passwd.attmap.get_rdn_value(entry[0], 'uid')
- if not value:
- # get the username from the uid attribute
- values = entry[1]['uid']
- if not values or not values[0]:
- logging.warning('%s: is missing a %s attribute', dn, passwd.attmap['uid'])
- value = values[0]
- # check the username
- if value and not common.isvalidname(value):
- raise ValueError('%s: has invalid %s attribute', dn, passwd.attmap['uid'])
- # check if the username is different and update it if needed
- if value != parameters['username']:
- logging.info('username changed from %r to %r', parameters['username'], value)
- parameters['username'] = value
+ # look up user DN
+ entry = passwd.uid2entry(self.conn, parameters['username'])
+ if not entry:
+ raise ValueError('%r: user not found' % parameters['username'])
+ # save the DN
+ parameters['userdn'] = entry[0]
+ # get the "real" username
+ value = passwd.attmap.get_rdn_value(entry[0], 'uid')
+ if not value:
+ # get the username from the uid attribute
+ values = entry[1]['uid']
+ if not values or not values[0]:
+ logging.warning('%s: is missing a %s attribute', dn, passwd.attmap['uid'])
+ value = values[0]
+ # check the username
+ if value and not common.isvalidname(value):
+ raise ValueError('%s: has invalid %s attribute', dn, passwd.attmap['uid'])
+ # check if the username is different and update it if needed
+ if value != parameters['username']:
+ logging.info('username changed from %r to %r', parameters['username'], value)
+ parameters['username'] = value
 
 
 class PAMAuthenticationRequest(PAMRequest):
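Review bot: The missing-attribute and invalid-attribute paths in the new lookup block reference `dn`, which is not bound anywhere in the visible code (the DN is `entry[0]`, just stored into `parameters['userdn']`), so both paths raise NameError instead of the intended warning or ValueError. The `raise ValueError(...)` form also passes the format arguments as extra exception arguments rather than interpolating them into the message. I would change the two lines to `logging.warning('%s: is missing a %s attribute', entry[0], passwd.attmap['uid'])` and `raise ValueError('%s: has invalid %s attribute' % (entry[0], passwd.attmap['uid']))`. Note also that when `values` is empty the code logs the warning and then still executes `value = values[0]`, which raises IndexError; raising right after the warning would make that path fail with a clear message instead. The enclosing validate_request method starts before this hunk.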
@@ -78,8 +77,8 @@ class PAMAuthenticationRequest(PAMRequest):
 def read_parameters(self, fp):
 return dict(username=fp.read_string(),
- userdn=fp.read_string(),
- servicename=fp.read_string(),
+ ignore_userdn=fp.read_string(),
+ service=fp.read_string(),
 password=fp.read_string())
 #self.validate_request() # TODO: log call with parameters
@@ -87,7 +86,7 @@ class PAMAuthenticationRequest(PAMRequest):
 def write(self, parameters, code=constants.NSLCD_PAM_SUCCESS, msg=''):
 self.fp.write_int32(constants.NSLCD_RESULT_BEGIN)
 self.fp.write_string(parameters['username'])
- self.fp.write_string(parameters['userdn'])
+ self.fp.write_string('') # userdn
 self.fp.write_int32(code) # authc
 self.fp.write_int32(constants.NSLCD_PAM_SUCCESS) # authz
 self.fp.write_string(msg) # authzmsg
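Review bot: `ignore_userdn=fp.read_string()` still keeps the client-supplied DN in the parameters dict under a new key, so the value remains reachable by anything that iterates or logs `parameters` (the TODO on the following line mentions logging the call with its parameters), and the key name is the only hint that it must not be trusted. Consuming the field into nothing keeps it out of the request entirely: `username = fp.read_string()`, then `fp.read_string()  # client-supplied DN: read to stay in step with the wire format, never used`, then `return dict(username=username, service=fp.read_string(), password=fp.read_string())`. The rename from `servicename` to `service` will break any consumer that still reads `parameters['servicename']`; I cannot see from this hunk whether such a reader exists elsewhere in the file.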