Diffstat (limited to 'nslcd/cfg.c')
-rw-r--r-- | nslcd/cfg.c | 425 |
1 files changed, 1 insertions, 424 deletions
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index 7e172df..9a90003 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -56,7 +56,6 @@
 #include "common.h"
 #include "log.h"
 #include "cfg.h"
-#include "attmap.h"
 #include "common/expr.h"
 
 struct ldap_config *nslcd_cfg = NULL;
@@ -602,244 +601,6 @@ static const char *print_map(enum ldap_map_selector map)
 }
 }
 
-static void handle_base(const char *filename, int lnr,
- const char *keyword, char *line,
- struct ldap_config *cfg)
-{
- const char **bases;
- int i;
- char *value;
-#ifdef HAVE_LDAP_DOMAIN2DN
- const char *domain = NULL;
- char *domaindn = NULL;
-#endif /* HAVE_LDAP_DOMAIN2DN */
- /* get the list of bases to update */
- bases = base_get_var(get_map(&line));
- if (bases == NULL)
- bases = cfg->bases;
- /* rest of the line is the value */
- value = get_linedup(filename, lnr, keyword, &line);
- /* if the base is "DOMAIN" use the domain name */
- if (strcasecmp(value, "domain") == 0)
- {
-#ifdef HAVE_LDAP_DOMAIN2DN
- free(value);
- domain = cfg_getdomainname(filename, lnr);
- ldap_domain2dn(domain, &domaindn);
- log_log(LOG_DEBUG, "set_base(): setting base to %s from domain",
- domaindn);
- value = xstrdup(domaindn);
-#else /* not HAVE_LDAP_DOMAIN2DN */
- log_log(LOG_ERR, "%s:%d: value %s not supported on platform",
- filename, lnr, value);
- exit(EXIT_FAILURE);
-#endif /* not HAVE_LDAP_DOMAIN2DN */
- }
- /* find the spot in the list of bases */
- for (i = 0; i < NSS_LDAP_CONFIG_MAX_BASES; i++)
- if (bases[i] == NULL)
- {
- bases[i] = value;
- return;
- }
- /* no free spot found */
- log_log(LOG_ERR, "%s:%d: maximum number of base options per map (%d) exceeded",
- filename, lnr, NSS_LDAP_CONFIG_MAX_BASES);
- exit(EXIT_FAILURE);
-}
-
-static void handle_scope(const char *filename, int lnr,
- const char *keyword, char *line,
- struct ldap_config *cfg)
-{
- char token[32];
- int *var;
- var = scope_get_var(get_map(&line));
- check_argumentcount(filename, lnr, keyword,
- get_token(&line, token, sizeof(token)) != NULL);
- get_eol(filename, lnr, keyword, &line);
- if (var == NULL)
- var = &cfg->scope;
- if ((strcasecmp(token, "sub") == 0) || (strcasecmp(token, "subtree") == 0))
- *var = LDAP_SCOPE_SUBTREE;
- else if ((strcasecmp(token, "one") == 0) || (strcasecmp(token, "onelevel") == 0))
- *var = LDAP_SCOPE_ONELEVEL;
- else if (strcasecmp(token, "base") == 0)
- *var = LDAP_SCOPE_BASE;
-#ifdef LDAP_SCOPE_CHILDREN
- else if (strcasecmp(token, "children") == 0)
- *var = LDAP_SCOPE_CHILDREN;
-#endif /* LDAP_SCOPE_CHILDREN */
- else
- {
- log_log(LOG_ERR, "%s:%d: not a scope argument: '%s'",
- filename, lnr, token);
- exit(EXIT_FAILURE);
- }
-}
-
-static const char *print_scope(int scope)
-{
- switch (scope)
- {
- case LDAP_SCOPE_SUBTREE: return "sub";
- case LDAP_SCOPE_ONELEVEL: return "one";
- case LDAP_SCOPE_BASE: return "base";
-#ifdef LDAP_SCOPE_CHILDREN
- case LDAP_SCOPE_CHILDREN: return "children";
-#endif /* LDAP_SCOPE_CHILDREN */
- default: return "???";
- }
-}
-
-static void handle_deref(const char *filename, int lnr,
- const char *keyword, char *line,
- struct ldap_config *cfg)
-{
- char token[32];
- check_argumentcount(filename, lnr, keyword,
- get_token(&line, token, sizeof(token)) != NULL);
- get_eol(filename, lnr, keyword, &line);
- if (strcasecmp(token, "never") == 0)
- cfg->deref = LDAP_DEREF_NEVER;
- else if (strcasecmp(token, "searching") == 0)
- cfg->deref = LDAP_DEREF_SEARCHING;
- else if (strcasecmp(token, "finding") == 0)
- cfg->deref = LDAP_DEREF_FINDING;
- else if (strcasecmp(token, "always") == 0)
- cfg->deref = LDAP_DEREF_ALWAYS;
- else
- {
- log_log(LOG_ERR, "%s:%d: wrong argument: '%s'", filename, lnr, token);
- exit(EXIT_FAILURE);
- }
-}
-
-static const char *print_deref(int deref)
-{
- switch (deref)
- {
- case LDAP_DEREF_NEVER: return "never";
- case LDAP_DEREF_SEARCHING: return "searching";
- case LDAP_DEREF_FINDING: return "finding";
- case LDAP_DEREF_ALWAYS: return "always";
- default: return "???";
- }
-}
-
-static void handle_filter(const char *filename, int lnr,
- const char *keyword, char *line)
-{
- const char **var;
- const char *map = line;
- var = filter_get_var(get_map(&line));
- if (var == NULL)
- {
- log_log(LOG_ERR, "%s:%d: unknown map: '%s'", filename, lnr, map);
- exit(EXIT_FAILURE);
- }
- check_argumentcount(filename, lnr, keyword, (line != NULL) && (*line != '\0'));
- /* check if the value will be changed */
- if (strcmp(*var, line) != 0)
- {
- /* Note: we have a memory leak here if a single mapping is changed
- multiple times in one config (deemed not a problem) */
- *var = xstrdup(line);
- }
-}
-
-/* this function modifies the statement argument passed */
-static void handle_map(const char *filename, int lnr,
- const char *keyword, char *line)
-{
- enum ldap_map_selector map;
- const char **var;
- char oldatt[32], newatt[1024];
- /* get the map */
- if ((map = get_map(&line)) == LM_NONE)
- {
- log_log(LOG_ERR, "%s:%d: unknown map: '%s'", filename, lnr, line);
- exit(EXIT_FAILURE);
- }
- /* read the other tokens */
- check_argumentcount(filename, lnr, keyword,
- (get_token(&line, oldatt, sizeof(oldatt)) != NULL) &&
- (get_token(&line, newatt, sizeof(newatt)) != NULL));
- /* check that there are no more tokens left on the line */
- get_eol(filename, lnr, keyword, &line);
- /* change attribute mapping */
- var = attmap_get_var(map, oldatt);
- if (var == NULL)
- {
- log_log(LOG_ERR, "%s:%d: unknown attribute to map: '%s'",
- filename, lnr, oldatt);
- exit(EXIT_FAILURE);
- }
- if (attmap_set_mapping(var, newatt) == NULL)
- {
- log_log(LOG_ERR, "%s:%d: attribute %s cannot be an expression",
- filename, lnr, oldatt);
- exit(EXIT_FAILURE);
- }
-}
-
-#ifdef LDAP_OPT_X_TLS
-static const char *print_ssl(int ssl)
-{
- switch (ssl)
- {
- case SSL_OFF: return "off";
- case SSL_START_TLS: return "start_tls";
- case SSL_LDAPS: return "on";
- default: return "???";
- }
-}
-
-static void handle_tls_reqcert(const char *filename, int lnr,
- const char *keyword, char *line)
-{
- char token[16];
- int value, rc;
- /* get token */
- check_argumentcount(filename, lnr, keyword,
- get_token(&line, token, sizeof(token)) != NULL);
- get_eol(filename, lnr, keyword, &line);
- /* check if it is a valid value for tls_reqcert option */
- if ((strcasecmp(token, "never") == 0) || (strcasecmp(token, "no") == 0))
- value = LDAP_OPT_X_TLS_NEVER;
- else if (strcasecmp(token, "allow") == 0)
- value = LDAP_OPT_X_TLS_ALLOW;
- else if (strcasecmp(token, "try") == 0)
- value = LDAP_OPT_X_TLS_TRY;
- else if ((strcasecmp(token, "demand") == 0) ||
- (strcasecmp(token, "yes") == 0))
- value = LDAP_OPT_X_TLS_DEMAND;
- else if (strcasecmp(token, "hard") == 0)
- value = LDAP_OPT_X_TLS_HARD;
- else
- {
- log_log(LOG_ERR, "%s:%d: %s: invalid argument: '%s'",
- filename, lnr, keyword, token);
- exit(EXIT_FAILURE);
- }
- log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,%s)", token);
- LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &value);
-}
-
-static const char *print_tls_reqcert(int value)
-{
- switch (value)
- {
- case LDAP_OPT_X_TLS_NEVER: return "never";
- case LDAP_OPT_X_TLS_ALLOW: return "allow";
- case LDAP_OPT_X_TLS_TRY: return "try";
- case LDAP_OPT_X_TLS_DEMAND: return "demand";
- case LDAP_OPT_X_TLS_HARD: return "hard";
- default: return "???";
- }
-}
-#endif /* LDAP_OPT_X_TLS */
-
 /* this function modifies the line argument passed */
 static void handle_nss_initgroups_ignoreusers(
 const char *filename, int lnr,
@@ -1068,58 +829,6 @@ static void handle_cache(const char *filename, int lnr,
 }
 }
 
-/* This function tries to get the LDAP search base from the LDAP server.
- Note that this returns a string that has been allocated with strdup().
- For this to work the myldap module needs enough configuration information
- to make an LDAP connection. */
-static MUST_USE char *get_base_from_rootdse(void)
-{
- MYLDAP_SESSION *session;
- MYLDAP_SEARCH *search;
- MYLDAP_ENTRY *entry;
- const char *attrs[] = { "+", NULL };
- int i;
- int rc;
- const char **values;
- char *base = NULL;
- /* initialize session */
- session = myldap_create_session();
- assert(session != NULL);
- /* perform search */
- search = myldap_search(session, "", LDAP_SCOPE_BASE, "(objectClass=*)",
- attrs, NULL);
- if (search == NULL)
- {
- myldap_session_close(session);
- return NULL;
- }
- /* go over results */
- for (i = 0; (entry = myldap_get_entry(search, &rc)) != NULL; i++)
- {
- /* get defaultNamingContext */
- values = myldap_get_values(entry, "defaultNamingContext");
- if ((values != NULL) && (values[0] != NULL))
- {
- base = xstrdup(values[0]);
- log_log(LOG_DEBUG, "get_basedn_from_rootdse(): found attribute defaultNamingContext with value %s",
- values[0]);
- break;
- }
- /* get namingContexts */
- values = myldap_get_values(entry, "namingContexts");
- if ((values != NULL) && (values[0] != NULL))
- {
- base = xstrdup(values[0]);
- log_log(LOG_DEBUG, "get_basedn_from_rootdse(): found attribute namingContexts with value %s",
- values[0]);
- break;
- }
- }
- /* clean up */
- myldap_session_close(session);
- return base;
-}
-
 /* check that the file is not world readable */
 static void check_permissions(const char *filename, const char *keyword)
 {
@@ -1389,10 +1098,6 @@ static void cfg_read(const char *filename, struct ldap_config *cfg)
 {
 handle_filter(filename, lnr, keyword, line);
 }
- else if (strcasecmp(keyword, "map") == 0)
- {
- handle_map(filename, lnr, keyword, line);
- }
 /* timing/reconnect options */
 else if (strcasecmp(keyword, "bind_timelimit") == 0)
 {
@@ -1634,132 +1339,7 @@ static void cfg_dump(void) else log_log(LOG_DEBUG, "CFG: # gid not set"); log_log_config(); - for (i = 0; i < (NSS_LDAP_CONFIG_MAX_URIS + 1); i++) - if (nslcd_cfg->uris[i].uri != NULL) - log_log(LOG_DEBUG, "CFG: uri %s", nslcd_cfg->uris[i].uri); - log_log(LOG_DEBUG, "CFG: ldap_version %d", nslcd_cfg->ldap_version); - if (nslcd_cfg->binddn != NULL) - log_log(LOG_DEBUG, "CFG: binddn %s", nslcd_cfg->binddn); - if (nslcd_cfg->bindpw != NULL) - log_log(LOG_DEBUG, "CFG: bindpw ***"); - if (nslcd_cfg->rootpwmoddn != NULL) - log_log(LOG_DEBUG, "CFG: rootpwmoddn %s", nslcd_cfg->rootpwmoddn); - if (nslcd_cfg->rootpwmodpw != NULL) - log_log(LOG_DEBUG, "CFG: rootpwmodpw ***"); - if (nslcd_cfg->sasl_mech != NULL) - log_log(LOG_DEBUG, "CFG: sasl_mech %s", nslcd_cfg->sasl_mech); - if (nslcd_cfg->sasl_realm != NULL) - log_log(LOG_DEBUG, "CFG: sasl_realm %s", nslcd_cfg->sasl_realm); - if (nslcd_cfg->sasl_authcid != NULL) - log_log(LOG_DEBUG, "CFG: sasl_authcid %s", nslcd_cfg->sasl_authcid); - if (nslcd_cfg->sasl_authzid != NULL) - log_log(LOG_DEBUG, "CFG: sasl_authzid %s", nslcd_cfg->sasl_authzid); - if (nslcd_cfg->sasl_secprops != NULL) - log_log(LOG_DEBUG, "CFG: sasl_secprops %s", nslcd_cfg->sasl_secprops); -#ifdef LDAP_OPT_X_SASL_NOCANON - if (nslcd_cfg->sasl_canonicalize >= 0) - log_log(LOG_DEBUG, "CFG: sasl_canonicalize %s", print_boolean(nslcd_cfg->sasl_canonicalize)); -#endif /* LDAP_OPT_X_SASL_NOCANON */ - str = getenv("KRB5CCNAME"); - if (str != NULL) - log_log(LOG_DEBUG, "CFG: krb5_ccname %s", str); - for (i = 0; i < NSS_LDAP_CONFIG_MAX_BASES; i++) - if (nslcd_cfg->bases[i] != NULL) - log_log(LOG_DEBUG, "CFG: base %s", nslcd_cfg->bases[i]); - for (map = LM_ALIASES; map < LM_NONE; map++) - { - strp = base_get_var(map); - if (strp != NULL) - for (i = 0; i < NSS_LDAP_CONFIG_MAX_BASES; i++) - if (strp[i] != NULL) - log_log(LOG_DEBUG, "CFG: base %s %s", print_map(map), strp[i]); - } - log_log(LOG_DEBUG, "CFG: scope %s", print_scope(nslcd_cfg->scope)); - 
for (map = LM_ALIASES; map < LM_NONE; map++) - { - scopep = scope_get_var(map); - if ((scopep != NULL) && (*scopep != LDAP_SCOPE_DEFAULT)) - log_log(LOG_DEBUG, "CFG: scope %s %s", print_map(map), print_scope(*scopep)); - } - log_log(LOG_DEBUG, "CFG: deref %s", print_deref(nslcd_cfg->deref)); - log_log(LOG_DEBUG, "CFG: referrals %s", print_boolean(nslcd_cfg->referrals)); - for (map = LM_ALIASES; map < LM_NONE; map++) - { - strp = filter_get_var(map); - if ((strp != NULL) && (*strp != NULL)) - log_log(LOG_DEBUG, "CFG: filter %s %s", print_map(map), *strp); - } -#define LOG_ATTMAP(map, mapl, att) \ - if (strcmp(attmap_##mapl##_##att, __STRING(att)) != 0) \ - log_log(LOG_DEBUG, "CFG: map %s %s %s", \ - print_map(map), __STRING(att), attmap_##mapl##_##att); - LOG_ATTMAP(LM_ALIASES, alias, cn); - LOG_ATTMAP(LM_ALIASES, alias, rfc822MailMember); - LOG_ATTMAP(LM_ETHERS, ether, cn); - LOG_ATTMAP(LM_ETHERS, ether, macAddress); - LOG_ATTMAP(LM_GROUP, group, cn); - LOG_ATTMAP(LM_GROUP, group, userPassword); - LOG_ATTMAP(LM_GROUP, group, gidNumber); - LOG_ATTMAP(LM_GROUP, group, memberUid); - LOG_ATTMAP(LM_GROUP, group, member); - LOG_ATTMAP(LM_HOSTS, host, cn); - LOG_ATTMAP(LM_HOSTS, host, ipHostNumber); - LOG_ATTMAP(LM_NETGROUP, netgroup, cn); - LOG_ATTMAP(LM_NETGROUP, netgroup, nisNetgroupTriple); - LOG_ATTMAP(LM_NETGROUP, netgroup, memberNisNetgroup); - LOG_ATTMAP(LM_NETWORKS, network, cn); - LOG_ATTMAP(LM_NETWORKS, network, ipNetworkNumber); - LOG_ATTMAP(LM_PASSWD, passwd, uid); - LOG_ATTMAP(LM_PASSWD, passwd, userPassword); - LOG_ATTMAP(LM_PASSWD, passwd, uidNumber); - LOG_ATTMAP(LM_PASSWD, passwd, gidNumber); - LOG_ATTMAP(LM_PASSWD, passwd, gecos); - LOG_ATTMAP(LM_PASSWD, passwd, homeDirectory); - LOG_ATTMAP(LM_PASSWD, passwd, loginShell); - LOG_ATTMAP(LM_PROTOCOLS, protocol, cn); - LOG_ATTMAP(LM_PROTOCOLS, protocol, ipProtocolNumber); - LOG_ATTMAP(LM_RPC, rpc, cn); - LOG_ATTMAP(LM_RPC, rpc, oncRpcNumber); - LOG_ATTMAP(LM_SERVICES, service, cn); - LOG_ATTMAP(LM_SERVICES, 
service, ipServicePort); - LOG_ATTMAP(LM_SERVICES, service, ipServiceProtocol); - LOG_ATTMAP(LM_SHADOW, shadow, uid); - LOG_ATTMAP(LM_SHADOW, shadow, userPassword); - LOG_ATTMAP(LM_SHADOW, shadow, shadowLastChange); - LOG_ATTMAP(LM_SHADOW, shadow, shadowMin); - LOG_ATTMAP(LM_SHADOW, shadow, shadowMax); - LOG_ATTMAP(LM_SHADOW, shadow, shadowWarning); - LOG_ATTMAP(LM_SHADOW, shadow, shadowInactive); - LOG_ATTMAP(LM_SHADOW, shadow, shadowExpire); - LOG_ATTMAP(LM_SHADOW, shadow, shadowFlag); - log_log(LOG_DEBUG, "CFG: bind_timelimit %d", nslcd_cfg->bind_timelimit); - log_log(LOG_DEBUG, "CFG: timelimit %d", nslcd_cfg->timelimit); - log_log(LOG_DEBUG, "CFG: idle_timelimit %d", nslcd_cfg->idle_timelimit); - log_log(LOG_DEBUG, "CFG: reconnect_sleeptime %d", nslcd_cfg->reconnect_sleeptime); - log_log(LOG_DEBUG, "CFG: reconnect_retrytime %d", nslcd_cfg->reconnect_retrytime); -#ifdef LDAP_OPT_X_TLS - log_log(LOG_DEBUG, "CFG: ssl %s", print_ssl(nslcd_cfg->ssl)); - rc = ldap_get_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i); - if (rc != LDAP_SUCCESS) - log_log(LOG_DEBUG, "CFG: # tls_reqcert ERROR: %s", ldap_err2string(rc)); - else - log_log(LOG_DEBUG, "CFG: tls_reqcert %s", print_tls_reqcert(i)); - #define LOG_LDAP_OPT_STRING(cfg, option) \ - str = NULL; \ - rc = ldap_get_option(NULL, option, &str); \ - if (rc != LDAP_SUCCESS) \ - log_log(LOG_DEBUG, "CFG: # %s ERROR: %s", cfg, ldap_err2string(rc)); \ - else if ((str != NULL) && (*str != '\0')) \ - log_log(LOG_DEBUG, "CFG: %s %s", cfg, str); \ - if (str != NULL) \ - ldap_memfree(str); - LOG_LDAP_OPT_STRING("tls_cacertdir", LDAP_OPT_X_TLS_CACERTDIR); - LOG_LDAP_OPT_STRING("tls_cacertfile", LDAP_OPT_X_TLS_CACERTFILE); - LOG_LDAP_OPT_STRING("tls_randfile", LDAP_OPT_X_TLS_RANDOM_FILE); - LOG_LDAP_OPT_STRING("tls_ciphers", LDAP_OPT_X_TLS_CIPHER_SUITE); - LOG_LDAP_OPT_STRING("tls_cert", LDAP_OPT_X_TLS_CERTFILE); - LOG_LDAP_OPT_STRING("tls_key", LDAP_OPT_X_TLS_KEYFILE); -#endif /* LDAP_OPT_X_TLS */ + log_log(LOG_DEBUG, "CFG: pagesize 
%d", nslcd_cfg->pagesize); if (nslcd_cfg->nss_initgroups_ignoreusers != NULL) { @@ -1852,9 +1432,6 @@ void cfg_init(const char *fname) } /* TODO: check that if some tls options are set the ssl option should be set to on (just warn) */ #endif /* LDAP_OPT_X_TLS */ - /* if basedn is not yet set, get if from the rootDSE */ - if (nslcd_cfg->bases[0] == NULL) - nslcd_cfg->bases[0] = get_base_from_rootdse(); /* TODO: handle the case gracefully when no LDAP server is available yet */ /* see if we have a valid basedn */ if ((nslcd_cfg->bases[0] == NULL) || (nslcd_cfg->bases[0][0] == '\0')) |
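Review bot: The locals that only the removed lines of cfg_dump used (`i`, `map`, `strp`, `scopep`, `rc`, `str`) are declared at the top of the function, outside this hunk, and the single surviving statement `log_log(LOG_DEBUG, "CFG: pagesize %d", nslcd_cfg->pagesize);` touches none of them; unless the commit drops those declarations elsewhere, cfg_dump now builds with unused-variable warnings. The removed dump also deliberately printed `bindpw` and `rootpwmodpw` as `***` rather than their values; the replacement is presumably behind `log_log_config()`, which is not in this diff, so it is worth confirming that it masks those two fields the same way before the debug dump can reach a log file. cfg_dump begins and ends outside the hunk.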