Diffstat (limited to 'nslcd/cfg.c')
-rw-r--r--nslcd/cfg.c425
1 files changed, 1 insertions, 424 deletions
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index 7e172df..9a90003 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -56,7 +56,6 @@
#include "common.h"
#include "log.h"
#include "cfg.h"
-#include "attmap.h"
#include "common/expr.h"
struct ldap_config *nslcd_cfg = NULL;
@@ -602,244 +601,6 @@ static const char *print_map(enum ldap_map_selector map)
}
}
-static void handle_base(const char *filename, int lnr,
- const char *keyword, char *line,
- struct ldap_config *cfg)
-{
- const char **bases;
- int i;
- char *value;
-#ifdef HAVE_LDAP_DOMAIN2DN
- const char *domain = NULL;
- char *domaindn = NULL;
-#endif /* HAVE_LDAP_DOMAIN2DN */
- /* get the list of bases to update */
- bases = base_get_var(get_map(&line));
- if (bases == NULL)
- bases = cfg->bases;
- /* rest of the line is the value */
- value = get_linedup(filename, lnr, keyword, &line);
- /* if the base is "DOMAIN" use the domain name */
- if (strcasecmp(value, "domain") == 0)
- {
-#ifdef HAVE_LDAP_DOMAIN2DN
- free(value);
- domain = cfg_getdomainname(filename, lnr);
- ldap_domain2dn(domain, &domaindn);
- log_log(LOG_DEBUG, "set_base(): setting base to %s from domain",
- domaindn);
- value = xstrdup(domaindn);
-#else /* not HAVE_LDAP_DOMAIN2DN */
- log_log(LOG_ERR, "%s:%d: value %s not supported on platform",
- filename, lnr, value);
- exit(EXIT_FAILURE);
-#endif /* not HAVE_LDAP_DOMAIN2DN */
- }
- /* find the spot in the list of bases */
- for (i = 0; i < NSS_LDAP_CONFIG_MAX_BASES; i++)
- if (bases[i] == NULL)
- {
- bases[i] = value;
- return;
- }
- /* no free spot found */
- log_log(LOG_ERR, "%s:%d: maximum number of base options per map (%d) exceeded",
- filename, lnr, NSS_LDAP_CONFIG_MAX_BASES);
- exit(EXIT_FAILURE);
-}
-
-static void handle_scope(const char *filename, int lnr,
- const char *keyword, char *line,
- struct ldap_config *cfg)
-{
- char token[32];
- int *var;
- var = scope_get_var(get_map(&line));
- check_argumentcount(filename, lnr, keyword,
- get_token(&line, token, sizeof(token)) != NULL);
- get_eol(filename, lnr, keyword, &line);
- if (var == NULL)
- var = &cfg->scope;
- if ((strcasecmp(token, "sub") == 0) || (strcasecmp(token, "subtree") == 0))
- *var = LDAP_SCOPE_SUBTREE;
- else if ((strcasecmp(token, "one") == 0) || (strcasecmp(token, "onelevel") == 0))
- *var = LDAP_SCOPE_ONELEVEL;
- else if (strcasecmp(token, "base") == 0)
- *var = LDAP_SCOPE_BASE;
-#ifdef LDAP_SCOPE_CHILDREN
- else if (strcasecmp(token, "children") == 0)
- *var = LDAP_SCOPE_CHILDREN;
-#endif /* LDAP_SCOPE_CHILDREN */
- else
- {
- log_log(LOG_ERR, "%s:%d: not a scope argument: '%s'",
- filename, lnr, token);
- exit(EXIT_FAILURE);
- }
-}
-
-static const char *print_scope(int scope)
-{
- switch (scope)
- {
- case LDAP_SCOPE_SUBTREE: return "sub";
- case LDAP_SCOPE_ONELEVEL: return "one";
- case LDAP_SCOPE_BASE: return "base";
-#ifdef LDAP_SCOPE_CHILDREN
- case LDAP_SCOPE_CHILDREN: return "children";
-#endif /* LDAP_SCOPE_CHILDREN */
- default: return "???";
- }
-}
-
-static void handle_deref(const char *filename, int lnr,
- const char *keyword, char *line,
- struct ldap_config *cfg)
-{
- char token[32];
- check_argumentcount(filename, lnr, keyword,
- get_token(&line, token, sizeof(token)) != NULL);
- get_eol(filename, lnr, keyword, &line);
- if (strcasecmp(token, "never") == 0)
- cfg->deref = LDAP_DEREF_NEVER;
- else if (strcasecmp(token, "searching") == 0)
- cfg->deref = LDAP_DEREF_SEARCHING;
- else if (strcasecmp(token, "finding") == 0)
- cfg->deref = LDAP_DEREF_FINDING;
- else if (strcasecmp(token, "always") == 0)
- cfg->deref = LDAP_DEREF_ALWAYS;
- else
- {
- log_log(LOG_ERR, "%s:%d: wrong argument: '%s'", filename, lnr, token);
- exit(EXIT_FAILURE);
- }
-}
-
-static const char *print_deref(int deref)
-{
- switch (deref)
- {
- case LDAP_DEREF_NEVER: return "never";
- case LDAP_DEREF_SEARCHING: return "searching";
- case LDAP_DEREF_FINDING: return "finding";
- case LDAP_DEREF_ALWAYS: return "always";
- default: return "???";
- }
-}
-
-static void handle_filter(const char *filename, int lnr,
- const char *keyword, char *line)
-{
- const char **var;
- const char *map = line;
- var = filter_get_var(get_map(&line));
- if (var == NULL)
- {
- log_log(LOG_ERR, "%s:%d: unknown map: '%s'", filename, lnr, map);
- exit(EXIT_FAILURE);
- }
- check_argumentcount(filename, lnr, keyword, (line != NULL) && (*line != '\0'));
- /* check if the value will be changed */
- if (strcmp(*var, line) != 0)
- {
- /* Note: we have a memory leak here if a single mapping is changed
- multiple times in one config (deemed not a problem) */
- *var = xstrdup(line);
- }
-}
-
-/* this function modifies the statement argument passed */
-static void handle_map(const char *filename, int lnr,
- const char *keyword, char *line)
-{
- enum ldap_map_selector map;
- const char **var;
- char oldatt[32], newatt[1024];
- /* get the map */
- if ((map = get_map(&line)) == LM_NONE)
- {
- log_log(LOG_ERR, "%s:%d: unknown map: '%s'", filename, lnr, line);
- exit(EXIT_FAILURE);
- }
- /* read the other tokens */
- check_argumentcount(filename, lnr, keyword,
- (get_token(&line, oldatt, sizeof(oldatt)) != NULL) &&
- (get_token(&line, newatt, sizeof(newatt)) != NULL));
- /* check that there are no more tokens left on the line */
- get_eol(filename, lnr, keyword, &line);
- /* change attribute mapping */
- var = attmap_get_var(map, oldatt);
- if (var == NULL)
- {
- log_log(LOG_ERR, "%s:%d: unknown attribute to map: '%s'",
- filename, lnr, oldatt);
- exit(EXIT_FAILURE);
- }
- if (attmap_set_mapping(var, newatt) == NULL)
- {
- log_log(LOG_ERR, "%s:%d: attribute %s cannot be an expression",
- filename, lnr, oldatt);
- exit(EXIT_FAILURE);
- }
-}
-
-#ifdef LDAP_OPT_X_TLS
-static const char *print_ssl(int ssl)
-{
- switch (ssl)
- {
- case SSL_OFF: return "off";
- case SSL_START_TLS: return "start_tls";
- case SSL_LDAPS: return "on";
- default: return "???";
- }
-}
-
-static void handle_tls_reqcert(const char *filename, int lnr,
- const char *keyword, char *line)
-{
- char token[16];
- int value, rc;
- /* get token */
- check_argumentcount(filename, lnr, keyword,
- get_token(&line, token, sizeof(token)) != NULL);
- get_eol(filename, lnr, keyword, &line);
- /* check if it is a valid value for tls_reqcert option */
- if ((strcasecmp(token, "never") == 0) || (strcasecmp(token, "no") == 0))
- value = LDAP_OPT_X_TLS_NEVER;
- else if (strcasecmp(token, "allow") == 0)
- value = LDAP_OPT_X_TLS_ALLOW;
- else if (strcasecmp(token, "try") == 0)
- value = LDAP_OPT_X_TLS_TRY;
- else if ((strcasecmp(token, "demand") == 0) ||
- (strcasecmp(token, "yes") == 0))
- value = LDAP_OPT_X_TLS_DEMAND;
- else if (strcasecmp(token, "hard") == 0)
- value = LDAP_OPT_X_TLS_HARD;
- else
- {
- log_log(LOG_ERR, "%s:%d: %s: invalid argument: '%s'",
- filename, lnr, keyword, token);
- exit(EXIT_FAILURE);
- }
- log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,%s)", token);
- LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &value);
-}
-
-static const char *print_tls_reqcert(int value)
-{
- switch (value)
- {
- case LDAP_OPT_X_TLS_NEVER: return "never";
- case LDAP_OPT_X_TLS_ALLOW: return "allow";
- case LDAP_OPT_X_TLS_TRY: return "try";
- case LDAP_OPT_X_TLS_DEMAND: return "demand";
- case LDAP_OPT_X_TLS_HARD: return "hard";
- default: return "???";
- }
-}
-#endif /* LDAP_OPT_X_TLS */
-
/* this function modifies the line argument passed */
static void handle_nss_initgroups_ignoreusers(
const char *filename, int lnr,
@@ -1068,58 +829,6 @@ static void handle_cache(const char *filename, int lnr,
}
}
-/* This function tries to get the LDAP search base from the LDAP server.
- Note that this returns a string that has been allocated with strdup().
- For this to work the myldap module needs enough configuration information
- to make an LDAP connection. */
-static MUST_USE char *get_base_from_rootdse(void)
-{
- MYLDAP_SESSION *session;
- MYLDAP_SEARCH *search;
- MYLDAP_ENTRY *entry;
- const char *attrs[] = { "+", NULL };
- int i;
- int rc;
- const char **values;
- char *base = NULL;
- /* initialize session */
- session = myldap_create_session();
- assert(session != NULL);
- /* perform search */
- search = myldap_search(session, "", LDAP_SCOPE_BASE, "(objectClass=*)",
- attrs, NULL);
- if (search == NULL)
- {
- myldap_session_close(session);
- return NULL;
- }
- /* go over results */
- for (i = 0; (entry = myldap_get_entry(search, &rc)) != NULL; i++)
- {
- /* get defaultNamingContext */
- values = myldap_get_values(entry, "defaultNamingContext");
- if ((values != NULL) && (values[0] != NULL))
- {
- base = xstrdup(values[0]);
- log_log(LOG_DEBUG, "get_basedn_from_rootdse(): found attribute defaultNamingContext with value %s",
- values[0]);
- break;
- }
- /* get namingContexts */
- values = myldap_get_values(entry, "namingContexts");
- if ((values != NULL) && (values[0] != NULL))
- {
- base = xstrdup(values[0]);
- log_log(LOG_DEBUG, "get_basedn_from_rootdse(): found attribute namingContexts with value %s",
- values[0]);
- break;
- }
- }
- /* clean up */
- myldap_session_close(session);
- return base;
-}
-
/* check that the file is not world readable */
static void check_permissions(const char *filename, const char *keyword)
{
@@ -1389,10 +1098,6 @@ static void cfg_read(const char *filename, struct ldap_config *cfg)
{
handle_filter(filename, lnr, keyword, line);
}
- else if (strcasecmp(keyword, "map") == 0)
- {
- handle_map(filename, lnr, keyword, line);
- }
/* timing/reconnect options */
else if (strcasecmp(keyword, "bind_timelimit") == 0)
{
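Review bot: The context line `handle_filter(filename, lnr, keyword, line);` kept on the new side of this hunk calls a function whose definition the second hunk of this commit deletes (the `static void handle_filter` block removed just before `handle_nss_initgroups_ignoreusers`), so `cfg_read` will no longer compile unless another definition exists outside the 424 deletions shown in the diffstat, which all appear on this page. That same hunk also removes `handle_base`, `handle_scope`, `handle_deref` and `handle_tls_reqcert`, while only the `map` dispatch branch is dropped here; if `cfg_read` still dispatches the `base`, `scope`, `deref` and `tls_reqcert` keywords elsewhere in its body, those calls dangle the same way. The consistent fix is to remove the corresponding `else if` branches together with the `map` branch, or to keep the handler definitions. Losing `tls_reqcert` parsing in particular changes which certificate-verification mode the daemon runs with, so the resulting behaviour for an existing config that sets it deserves an explicit decision rather than a side effect of the cleanup. `cfg_read` begins and ends outside this hunk.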
@@ -1634,132 +1339,7 @@ static void cfg_dump(void)
else
log_log(LOG_DEBUG, "CFG: # gid not set");
log_log_config();
- for (i = 0; i < (NSS_LDAP_CONFIG_MAX_URIS + 1); i++)
- if (nslcd_cfg->uris[i].uri != NULL)
- log_log(LOG_DEBUG, "CFG: uri %s", nslcd_cfg->uris[i].uri);
- log_log(LOG_DEBUG, "CFG: ldap_version %d", nslcd_cfg->ldap_version);
- if (nslcd_cfg->binddn != NULL)
- log_log(LOG_DEBUG, "CFG: binddn %s", nslcd_cfg->binddn);
- if (nslcd_cfg->bindpw != NULL)
- log_log(LOG_DEBUG, "CFG: bindpw ***");
- if (nslcd_cfg->rootpwmoddn != NULL)
- log_log(LOG_DEBUG, "CFG: rootpwmoddn %s", nslcd_cfg->rootpwmoddn);
- if (nslcd_cfg->rootpwmodpw != NULL)
- log_log(LOG_DEBUG, "CFG: rootpwmodpw ***");
- if (nslcd_cfg->sasl_mech != NULL)
- log_log(LOG_DEBUG, "CFG: sasl_mech %s", nslcd_cfg->sasl_mech);
- if (nslcd_cfg->sasl_realm != NULL)
- log_log(LOG_DEBUG, "CFG: sasl_realm %s", nslcd_cfg->sasl_realm);
- if (nslcd_cfg->sasl_authcid != NULL)
- log_log(LOG_DEBUG, "CFG: sasl_authcid %s", nslcd_cfg->sasl_authcid);
- if (nslcd_cfg->sasl_authzid != NULL)
- log_log(LOG_DEBUG, "CFG: sasl_authzid %s", nslcd_cfg->sasl_authzid);
- if (nslcd_cfg->sasl_secprops != NULL)
- log_log(LOG_DEBUG, "CFG: sasl_secprops %s", nslcd_cfg->sasl_secprops);
-#ifdef LDAP_OPT_X_SASL_NOCANON
- if (nslcd_cfg->sasl_canonicalize >= 0)
- log_log(LOG_DEBUG, "CFG: sasl_canonicalize %s", print_boolean(nslcd_cfg->sasl_canonicalize));
-#endif /* LDAP_OPT_X_SASL_NOCANON */
- str = getenv("KRB5CCNAME");
- if (str != NULL)
- log_log(LOG_DEBUG, "CFG: krb5_ccname %s", str);
- for (i = 0; i < NSS_LDAP_CONFIG_MAX_BASES; i++)
- if (nslcd_cfg->bases[i] != NULL)
- log_log(LOG_DEBUG, "CFG: base %s", nslcd_cfg->bases[i]);
- for (map = LM_ALIASES; map < LM_NONE; map++)
- {
- strp = base_get_var(map);
- if (strp != NULL)
- for (i = 0; i < NSS_LDAP_CONFIG_MAX_BASES; i++)
- if (strp[i] != NULL)
- log_log(LOG_DEBUG, "CFG: base %s %s", print_map(map), strp[i]);
- }
- log_log(LOG_DEBUG, "CFG: scope %s", print_scope(nslcd_cfg->scope));
- for (map = LM_ALIASES; map < LM_NONE; map++)
- {
- scopep = scope_get_var(map);
- if ((scopep != NULL) && (*scopep != LDAP_SCOPE_DEFAULT))
- log_log(LOG_DEBUG, "CFG: scope %s %s", print_map(map), print_scope(*scopep));
- }
- log_log(LOG_DEBUG, "CFG: deref %s", print_deref(nslcd_cfg->deref));
- log_log(LOG_DEBUG, "CFG: referrals %s", print_boolean(nslcd_cfg->referrals));
- for (map = LM_ALIASES; map < LM_NONE; map++)
- {
- strp = filter_get_var(map);
- if ((strp != NULL) && (*strp != NULL))
- log_log(LOG_DEBUG, "CFG: filter %s %s", print_map(map), *strp);
- }
-#define LOG_ATTMAP(map, mapl, att) \
- if (strcmp(attmap_##mapl##_##att, __STRING(att)) != 0) \
- log_log(LOG_DEBUG, "CFG: map %s %s %s", \
- print_map(map), __STRING(att), attmap_##mapl##_##att);
- LOG_ATTMAP(LM_ALIASES, alias, cn);
- LOG_ATTMAP(LM_ALIASES, alias, rfc822MailMember);
- LOG_ATTMAP(LM_ETHERS, ether, cn);
- LOG_ATTMAP(LM_ETHERS, ether, macAddress);
- LOG_ATTMAP(LM_GROUP, group, cn);
- LOG_ATTMAP(LM_GROUP, group, userPassword);
- LOG_ATTMAP(LM_GROUP, group, gidNumber);
- LOG_ATTMAP(LM_GROUP, group, memberUid);
- LOG_ATTMAP(LM_GROUP, group, member);
- LOG_ATTMAP(LM_HOSTS, host, cn);
- LOG_ATTMAP(LM_HOSTS, host, ipHostNumber);
- LOG_ATTMAP(LM_NETGROUP, netgroup, cn);
- LOG_ATTMAP(LM_NETGROUP, netgroup, nisNetgroupTriple);
- LOG_ATTMAP(LM_NETGROUP, netgroup, memberNisNetgroup);
- LOG_ATTMAP(LM_NETWORKS, network, cn);
- LOG_ATTMAP(LM_NETWORKS, network, ipNetworkNumber);
- LOG_ATTMAP(LM_PASSWD, passwd, uid);
- LOG_ATTMAP(LM_PASSWD, passwd, userPassword);
- LOG_ATTMAP(LM_PASSWD, passwd, uidNumber);
- LOG_ATTMAP(LM_PASSWD, passwd, gidNumber);
- LOG_ATTMAP(LM_PASSWD, passwd, gecos);
- LOG_ATTMAP(LM_PASSWD, passwd, homeDirectory);
- LOG_ATTMAP(LM_PASSWD, passwd, loginShell);
- LOG_ATTMAP(LM_PROTOCOLS, protocol, cn);
- LOG_ATTMAP(LM_PROTOCOLS, protocol, ipProtocolNumber);
- LOG_ATTMAP(LM_RPC, rpc, cn);
- LOG_ATTMAP(LM_RPC, rpc, oncRpcNumber);
- LOG_ATTMAP(LM_SERVICES, service, cn);
- LOG_ATTMAP(LM_SERVICES, service, ipServicePort);
- LOG_ATTMAP(LM_SERVICES, service, ipServiceProtocol);
- LOG_ATTMAP(LM_SHADOW, shadow, uid);
- LOG_ATTMAP(LM_SHADOW, shadow, userPassword);
- LOG_ATTMAP(LM_SHADOW, shadow, shadowLastChange);
- LOG_ATTMAP(LM_SHADOW, shadow, shadowMin);
- LOG_ATTMAP(LM_SHADOW, shadow, shadowMax);
- LOG_ATTMAP(LM_SHADOW, shadow, shadowWarning);
- LOG_ATTMAP(LM_SHADOW, shadow, shadowInactive);
- LOG_ATTMAP(LM_SHADOW, shadow, shadowExpire);
- LOG_ATTMAP(LM_SHADOW, shadow, shadowFlag);
- log_log(LOG_DEBUG, "CFG: bind_timelimit %d", nslcd_cfg->bind_timelimit);
- log_log(LOG_DEBUG, "CFG: timelimit %d", nslcd_cfg->timelimit);
- log_log(LOG_DEBUG, "CFG: idle_timelimit %d", nslcd_cfg->idle_timelimit);
- log_log(LOG_DEBUG, "CFG: reconnect_sleeptime %d", nslcd_cfg->reconnect_sleeptime);
- log_log(LOG_DEBUG, "CFG: reconnect_retrytime %d", nslcd_cfg->reconnect_retrytime);
-#ifdef LDAP_OPT_X_TLS
- log_log(LOG_DEBUG, "CFG: ssl %s", print_ssl(nslcd_cfg->ssl));
- rc = ldap_get_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
- if (rc != LDAP_SUCCESS)
- log_log(LOG_DEBUG, "CFG: # tls_reqcert ERROR: %s", ldap_err2string(rc));
- else
- log_log(LOG_DEBUG, "CFG: tls_reqcert %s", print_tls_reqcert(i));
- #define LOG_LDAP_OPT_STRING(cfg, option) \
- str = NULL; \
- rc = ldap_get_option(NULL, option, &str); \
- if (rc != LDAP_SUCCESS) \
- log_log(LOG_DEBUG, "CFG: # %s ERROR: %s", cfg, ldap_err2string(rc)); \
- else if ((str != NULL) && (*str != '\0')) \
- log_log(LOG_DEBUG, "CFG: %s %s", cfg, str); \
- if (str != NULL) \
- ldap_memfree(str);
- LOG_LDAP_OPT_STRING("tls_cacertdir", LDAP_OPT_X_TLS_CACERTDIR);
- LOG_LDAP_OPT_STRING("tls_cacertfile", LDAP_OPT_X_TLS_CACERTFILE);
- LOG_LDAP_OPT_STRING("tls_randfile", LDAP_OPT_X_TLS_RANDOM_FILE);
- LOG_LDAP_OPT_STRING("tls_ciphers", LDAP_OPT_X_TLS_CIPHER_SUITE);
- LOG_LDAP_OPT_STRING("tls_cert", LDAP_OPT_X_TLS_CERTFILE);
- LOG_LDAP_OPT_STRING("tls_key", LDAP_OPT_X_TLS_KEYFILE);
-#endif /* LDAP_OPT_X_TLS */
+
log_log(LOG_DEBUG, "CFG: pagesize %d", nslcd_cfg->pagesize);
if (nslcd_cfg->nss_initgroups_ignoreusers != NULL)
{
@@ -1852,9 +1432,6 @@ void cfg_init(const char *fname)
}
/* TODO: check that if some tls options are set the ssl option should be set to on (just warn) */
#endif /* LDAP_OPT_X_TLS */
- /* if basedn is not yet set, get if from the rootDSE */
- if (nslcd_cfg->bases[0] == NULL)
- nslcd_cfg->bases[0] = get_base_from_rootdse();
/* TODO: handle the case gracefully when no LDAP server is available yet */
/* see if we have a valid basedn */
if ((nslcd_cfg->bases[0] == NULL) || (nslcd_cfg->bases[0][0] == '\0'))