From 4477953aae80e03f881042d476ecc95d6b24ab5d Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Wed, 3 Dec 2014 23:16:14 -0500
Subject: strip down cfg
---
 nslcd/cfg.c | 329 ---------------------------------------------------------
 nslcd/cfg.h | 54 ----------
 nslcd/db_pam.c | 6 +-
 3 files changed, 4 insertions(+), 385 deletions(-)
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index d62cf80..6a9811a 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -66,16 +66,6 @@ struct ldap_config *nslcd_cfg = NULL; /* the delimiters of tokens */ #define TOKEN_DELIM " \t\n\r"
-/* convenient wrapper macro for ldap_set_option() */
-#define LDAP_SET_OPTION(ld, option, invalue) \
- rc = ldap_set_option(ld, option, invalue); \
- if (rc != LDAP_SUCCESS) \
- { \
- log_log(LOG_ERR, "ldap_set_option(" #option ") failed: %s", \
- ldap_err2string(rc)); \
- exit(EXIT_FAILURE); \
- }
-
 /* simple strdup wrapper */ static char *xstrdup(const char *s) {
@@ -139,15 +129,6 @@ static char *get_token(char **line, char *buf, size_t buflen) return buf; }
-static char *get_strdup(const char *filename, int lnr,
- const char *keyword, char **line)
-{
- char token[64];
- check_argumentcount(filename, lnr, keyword,
- get_token(line, token, sizeof(token)) != NULL);
- return xstrdup(token);
-}
-
 static char *get_linedup(const char *filename, int lnr, const char *keyword, char **line) {
@@ -212,63 +193,6 @@ static const char *print_boolean(int bool) else return "no"; } -#define TIME_MINUTES 60 -#define TIME_HOURS (60 * 60) -#define TIME_DAYS (60 * 60 * 24) - -static time_t parse_time(const char *filename, int lnr, const char *value) -{ - time_t t; - char *tmp = NULL; - if (strcasecmp(value, "off") == 0) - return 0; - errno = 0; - t = strtol(value, &tmp, 10); - if (errno != 0) - { - log_log(LOG_ERR, "%s:%d: value out of range: '%s'", - filename, lnr, value); - exit(EXIT_FAILURE); - } - if ((strcasecmp(tmp, "") == 0) || (strcasecmp(tmp, "s") == 0)) - return t; - else if (strcasecmp(tmp, "m") == 0) - return t * TIME_MINUTES; - else if (strcasecmp(tmp, "h") == 0) - return t * TIME_HOURS; - else if (strcasecmp(tmp, "d") == 0) - return t * TIME_DAYS; - else - { - log_log(LOG_ERR, "%s:%d: invalid time value: '%s'", - filename, lnr, value); - exit(EXIT_FAILURE); - } -} - -static time_t get_time(const char *filename, int lnr, - const char *keyword, char **line) -{ - char token[32]; - check_argumentcount(filename, lnr, keyword, - get_token(line, token, sizeof(token)) != NULL); - return parse_time(filename, lnr, token); -} - -static void print_time(time_t t, char *buffer, size_t buflen) -{ - if (t == 0) - mysnprintf(buffer, buflen, "off"); - else if ((t % TIME_DAYS) == 0) - mysnprintf(buffer, buflen, "%ldd", (long)(t / TIME_DAYS)); - else if ((t % TIME_HOURS) == 0) - mysnprintf(buffer, buflen, "%ldh", (long)(t / TIME_HOURS)); - else if ((t % TIME_MINUTES) == 0) - mysnprintf(buffer, buflen, "%ldm", (long)(t / TIME_MINUTES)); - else - mysnprintf(buffer, buflen, "%lds", (long)t); -} - static void handle_uid(const char *filename, int lnr, const char *keyword, char *line, struct ldap_config *cfg) 
@@ -385,153 +309,6 @@ static void handle_log(const char *filename, int lnr, } } -/* add a single URI to the list of URIs in the configuration */ -static void add_uri(const char *filename, int lnr, - struct ldap_config *cfg, const char *uri) -{ - int i; - /* find the place where to insert the URI */ - for (i = 0; cfg->uris[i].uri != NULL; i++) - /* nothing */ ; - /* check for room */ - if (i >= NSS_LDAP_CONFIG_MAX_URIS) - { - log_log(LOG_ERR, "%s:%d: maximum number of URIs exceeded", - filename, lnr); - exit(EXIT_FAILURE); - } - /* append URI to list */ - cfg->uris[i].uri = xstrdup(uri); -} - -#ifdef HAVE_LDAP_DOMAIN2HOSTLIST -/* return the domain name of the current host - the returned string must be freed by caller */ -static const char *cfg_getdomainname(const char *filename, int lnr) -{ - const char *fqdn, *domain; - fqdn = getfqdn(); - if ((fqdn != NULL) && ((domain = strchr(fqdn, '.')) != NULL) && (domain[1] != '\0')) - return domain + 1; - log_log(LOG_ERR, "%s:%d: unable to determinate a domain name", - filename, lnr); - exit(EXIT_FAILURE); -} - -/* add URIs by doing DNS queries for SRV records */ -static void add_uris_from_dns(const char *filename, int lnr, - struct ldap_config *cfg, const char *domain) -{ - int rc; - char *hostlist = NULL, *nxt; - char buf[HOST_NAME_MAX + sizeof("ldap://")]; - log_log(LOG_DEBUG, "query %s for SRV records", domain); - rc = ldap_domain2hostlist(domain, &hostlist); - if (rc != LDAP_SUCCESS) - { - log_log(LOG_ERR, "%s:%d: no servers found in DNS zone %s: %s", - filename, lnr, domain, ldap_err2string(rc)); - exit(EXIT_FAILURE); - } - if ((hostlist == NULL) || (*hostlist == '\0')) - { - log_log(LOG_ERR, "%s:%d: no servers found in DNS zone %s", - filename, lnr, domain); - exit(EXIT_FAILURE); - } - /* hostlist is a space-separated list of host names that we use to build - URIs */ - while (hostlist != NULL) - { - /* find the next space and split the string there */ - nxt = strchr(hostlist, ' '); - if (nxt != NULL) - { - *nxt = 
'\0'; - nxt++; - } - /* if port is 636, use ldaps:// URI */ - if ((strlen(hostlist) > 4) && (strcmp(hostlist + strlen(hostlist) - 4, ":636") == 0)) - { - hostlist[strlen(hostlist) - 4] = '\0'; - if (mysnprintf(buf, sizeof(buf), "ldaps://%s", hostlist)) - { - log_log(LOG_ERR, "add_uris_from_dns(): buf buffer too small (%d required)", - strlen(hostlist) + 8); - exit(EXIT_FAILURE); - } - } - else - { - /* strip default port number */ - if ((strlen(hostlist) > 4) && (strcmp(hostlist + strlen(hostlist) - 4, ":389") == 0)) - hostlist[strlen(hostlist) - 4] = '\0'; - if (mysnprintf(buf, sizeof(buf), "ldap://%s", hostlist)) - { - log_log(LOG_ERR, "add_uris_from_dns(): buf buffer too small (%d required)", - strlen(hostlist) + 7); - exit(EXIT_FAILURE); - } - } - log_log(LOG_DEBUG, "add_uris_from_dns(): found uri: %s", buf); - add_uri(filename, lnr, cfg, buf); - /* get next entry from list */ - hostlist = nxt; - } -} -#endif /* HAVE_LDAP_DOMAIN2HOSTLIST */ - -static void handle_krb5_ccname(const char *filename, int lnr, - const char *keyword, char *line) -{ - char token[80]; - const char *ccname; - const char *ccfile; - size_t ccenvlen; - char *ccenv; -#ifdef HAVE_GSS_KRB5_CCACHE_NAME - OM_uint32 minor_status; -#endif /* HAVE_GSS_KRB5_CCACHE_NAME */ - /* get token */ - check_argumentcount(filename, lnr, keyword, - (get_token(&line, token, sizeof(token)) != NULL)); - get_eol(filename, lnr, keyword, &line); - /* set default kerberos ticket cache for SASL-GSSAPI */ - ccname = token; - /* check that cache exists and is readable if it is a file */ - if ((strncasecmp(ccname, "FILE:", sizeof("FILE:") - 1) == 0) || - (strncasecmp(ccname, "WRFILE:", sizeof("WRFILE:") - 1) == 0)) - { - ccfile = strchr(ccname, ':') + 1; - if (access(ccfile, R_OK) != 0) - { - log_log(LOG_ERR, "%s:%d: error accessing %s: %s", - filename, lnr, ccfile, strerror(errno)); - exit(EXIT_FAILURE); - } - } - /* set the environment variable (we have a memory leak if this option - is set multiple times) */ - ccenvlen 
= strlen(ccname) + sizeof("KRB5CCNAME="); - ccenv = (char *)malloc(ccenvlen); - if (ccenv == NULL) - { - log_log(LOG_CRIT, "malloc() failed to allocate memory"); - exit(EXIT_FAILURE); - } - mysnprintf(ccenv, ccenvlen, "KRB5CCNAME=%s", ccname); - putenv(ccenv); -#ifdef HAVE_GSS_KRB5_CCACHE_NAME - /* set the name with gss_krb5_ccache_name() */ - if (gss_krb5_ccache_name(&minor_status, ccname, NULL) != GSS_S_COMPLETE) - { - log_log(LOG_ERR, "%s:%d: unable to set default credential cache: %s", - filename, lnr, ccname); - exit(EXIT_FAILURE); - } -#endif /* HAVE_GSS_KRB5_CCACHE_NAME */ -} - static enum ldap_map_selector parse_map(const char *value) { if ((strcasecmp(value, "alias") == 0) || (strcasecmp(value, "aliases") == 0)) @@ -801,34 +578,6 @@ static void handle_reconnect_invalidate( } } -static void handle_cache(const char *filename, int lnr, - const char *keyword, char *line, - struct ldap_config *cfg) -{ - char cache[16]; - time_t value1, value2; - /* get cache map and values */ - check_argumentcount(filename, lnr, keyword, - get_token(&line, cache, sizeof(cache)) != NULL); - value1 = get_time(filename, lnr, keyword, &line); - if ((line != NULL) && (*line != '\0')) - value2 = get_time(filename, lnr, keyword, &line); - else - value2 = value1; - get_eol(filename, lnr, keyword, &line); - /* check the cache */ - if (strcasecmp(cache, "dn2uid") == 0) - { - cfg->cache_dn2uid_positive = value1; - cfg->cache_dn2uid_negative = value2; - } - else - { - log_log(LOG_ERR, "%s:%d: unknown cache: '%s'", filename, lnr, cache); - exit(EXIT_FAILURE); - } -} - /* check that the file is not world readable */ static void check_permissions(const char *filename, const char *keyword) { 
@@ -860,42 +609,6 @@ static void cfg_defaults(struct ldap_config *cfg) cfg->uidname = NULL; cfg->uid = NOUID; cfg->gid = NOGID; - for (i = 0; i < (NSS_LDAP_CONFIG_MAX_URIS + 1); i++) - { - cfg->uris[i].uri = NULL; - cfg->uris[i].firstfail = 0; - cfg->uris[i].lastfail = 0; - } -#ifdef LDAP_VERSION3 - cfg->ldap_version = LDAP_VERSION3; -#else /* LDAP_VERSION3 */ - cfg->ldap_version = LDAP_VERSION2; -#endif /* not LDAP_VERSION3 */ - cfg->binddn = NULL; - cfg->bindpw = NULL; - cfg->rootpwmoddn = NULL; - cfg->rootpwmodpw = NULL; - cfg->sasl_mech = NULL; - cfg->sasl_realm = NULL; - cfg->sasl_authcid = NULL; - cfg->sasl_authzid = NULL; - cfg->sasl_secprops = NULL; -#ifdef LDAP_OPT_X_SASL_NOCANON - cfg->sasl_canonicalize = -1; -#endif /* LDAP_OPT_X_SASL_NOCANON */ - for (i = 0; i < NSS_LDAP_CONFIG_MAX_BASES; i++) - cfg->bases[i] = NULL; - cfg->scope = LDAP_SCOPE_SUBTREE; - cfg->deref = LDAP_DEREF_NEVER; - cfg->referrals = 1; - cfg->bind_timelimit = 10; - cfg->timelimit = LDAP_NO_LIMIT; - cfg->idle_timelimit = 0; - cfg->reconnect_sleeptime = 1; - cfg->reconnect_retrytime = 10; -#ifdef LDAP_OPT_X_TLS - cfg->ssl = SSL_OFF; -#endif /* LDAP_OPT_X_TLS */ cfg->pagesize = 0; cfg->nss_initgroups_ignoreusers = NULL; cfg->nss_min_uid = 0; @@ -910,8 +623,6 @@ static void cfg_defaults(struct ldap_config *cfg) cfg->pam_password_prohibit_message = NULL; for (i = 0; i < LM_NONE; i++) cfg->reconnect_invalidate[i] = 0; - cfg->cache_dn2uid_positive = 15 * TIME_MINUTES; - cfg->cache_dn2uid_negative = 15 * TIME_MINUTES; } static void cfg_read(const char *filename, struct ldap_config *cfg) @@ -923,10 +634,6 @@ static void cfg_read(const char *filename, struct ldap_config *cfg) char keyword[32]; char token[64]; int i; -#ifdef LDAP_OPT_X_TLS - int rc; - char *value; -#endif /* open config file */ if ((fp = fopen(filename, "r")) == NULL) { 
@@ -1017,10 +724,6 @@ static void cfg_read(const char *filename, struct ldap_config *cfg) { handle_reconnect_invalidate(filename, lnr, keyword, line, cfg); } - else if (strcasecmp(keyword, "cache") == 0) - { - handle_cache(filename, lnr, keyword, line, cfg); - } #ifdef ENABLE_CONFIGFILE_CHECKING /* fallthrough */ else @@ -1157,16 +860,10 @@ static void cfg_dump(void) } if (buffer[0] != '\0') log_log(LOG_DEBUG, "CFG: reconnect_invalidate %s", buffer); - print_time(nslcd_cfg->cache_dn2uid_positive, buffer, sizeof(buffer) / 2); - print_time(nslcd_cfg->cache_dn2uid_positive, buffer + (sizeof(buffer) / 2), sizeof(buffer) / 2); - log_log(LOG_DEBUG, "CFG: cache dn2uid %s %s", buffer, buffer + (sizeof(buffer) / 2)); } void cfg_init(const char *fname) { -#ifdef LDAP_OPT_X_TLS - int i; -#endif /* LDAP_OPT_X_TLS */ /* check if we were called before */ if (nslcd_cfg != NULL) { 
@@ -1187,32 +884,6 @@ void cfg_init(const char *fname) #ifdef NSLCD_BINDPW_PATH bindpw_read(NSLCD_BINDPW_PATH, nslcd_cfg); #endif /* NSLCD_BINDPW_PATH */
- /* do some sanity checks */
- if (nslcd_cfg->uris[0].uri == NULL)
- {
- log_log(LOG_ERR, "no URIs defined in config");
- exit(EXIT_FAILURE);
- }
- /* if ssl is on each URI should start with ldaps */
-#ifdef LDAP_OPT_X_TLS
- if (nslcd_cfg->ssl == SSL_LDAPS)
- {
- for (i = 0; nslcd_cfg->uris[i].uri != NULL; i++)
- {
- if (strncasecmp(nslcd_cfg->uris[i].uri, "ldaps://", 8) != 0)
- log_log(LOG_WARNING, "%s doesn't start with ldaps:// and \"ssl on\" is specified",
- nslcd_cfg->uris[i].uri);
- }
- }
- /* TODO: check that if some tls options are set the ssl option should be set to on (just warn) */
-#endif /* LDAP_OPT_X_TLS */
- /* TODO: handle the case gracefully when no LDAP server is available yet */
- /* see if we have a valid basedn */
- if ((nslcd_cfg->bases[0] == NULL) || (nslcd_cfg->bases[0][0] == '\0'))
- {
- log_log(LOG_ERR, "no base defined in config and couldn't get one from server");
- exit(EXIT_FAILURE);
- }
 /* dump configuration */ cfg_dump(); }
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 2fade8b..5fc3147 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -26,12 +26,7 @@ #ifndef NSLCD__CFG_H #define NSLCD__CFG_H
-#include
-#include
-#include
-#include
 #include
-#include
 #include "compat/attrs.h" #include "common/set.h"
@@ -49,12 +44,6 @@ /* maximum number of pam_authz_search options */ #define NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES 8
-enum ldap_ssl_options {
- SSL_OFF,
- SSL_LDAPS,
- SSL_START_TLS
-};
-
 /* selectors for different maps */ enum ldap_map_selector { LM_ALIASES,
@@ -72,52 +61,12 @@ enum ldap_map_selector { LM_NONE }; -struct myldap_uri { - char *uri; - /* time of first failed operation */ - time_t firstfail; - /* time of last failed operation */ - time_t lastfail; -}; - struct ldap_config { int threads; /* the number of threads to start */ char *uidname; /* the user name specified in the uid option */ uid_t uid; /* the user id nslcd should be run as */ gid_t gid; /* the group id nslcd should be run as */ - struct myldap_uri uris[NSS_LDAP_CONFIG_MAX_URIS + 1]; /* NULL terminated list of URIs */ - int ldap_version; /* LDAP protocol version */ - char *binddn; /* bind DN */ - char *bindpw; /* bind cred */ - char *rootpwmoddn; /* bind DN for password modification by root */ - char *rootpwmodpw; /* bind password for password modification by root */ - - char *sasl_mech; /* SASL mechanism */ - char *sasl_realm; /* SASL realm */ - char *sasl_authcid; /* SASL authentication identity */ - char *sasl_authzid; /* SASL authorization identity */ - char *sasl_secprops; /* SASL security properties */ -#ifdef LDAP_OPT_X_SASL_NOCANON - int sasl_canonicalize; /* whether host name should be canonicalised */ -#endif /* LDAP_OPT_X_SASL_NOCANON */ - - const char *bases[NSS_LDAP_CONFIG_MAX_BASES]; /* search bases */ - int scope; /* scope for searches */ - int deref; /* dereference aliases/links */ - int referrals; /* chase referrals */ - - int bind_timelimit; /* bind timelimit */ - int timelimit; /* search timelimit */ - int idle_timelimit; /* idle timeout */ - int reconnect_sleeptime; /* seconds to sleep; doubled until max */ - int reconnect_retrytime; /* maximum seconds to sleep */ - -#ifdef LDAP_OPT_X_TLS - /* SSL enabled */ - enum ldap_ssl_options ssl; -#endif /* LDAP_OPT_X_TLS */ - int pagesize; /* set to a greater than 0 to enable handling of paged results with the specified size */ SET *nss_initgroups_ignoreusers; /* the users for which no initgroups() searches should be done */ uid_t nss_min_uid; /* minimum uid for users retrieved from 
LDAP */
@@ -128,9 +77,6 @@ struct ldap_config { char *pam_authz_searches[NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES]; /* the searches that should be performed to do autorisation checks */ char *pam_password_prohibit_message; /* whether password changing should be denied and user prompted with this message */ char reconnect_invalidate[LM_NONE]; /* set to 1 if the corresponding map should be invalidated */
-
- time_t cache_dn2uid_positive;
- time_t cache_dn2uid_negative;
 }; /* this is a pointer to the global configuration, it should be available
diff --git a/nslcd/db_pam.c b/nslcd/db_pam.c
index cb5c39e..0b101aa 100644
--- a/nslcd/db_pam.c
+++ b/nslcd/db_pam.c
@@ -175,8 +175,10 @@ NSLCD_HANDLE(PAM, AUTHZ return NULL; /* check authorisation search */
- int rc = LDAP_SUCCESS; /* TODO */
- if (rc != LDAP_SUCCESS)
+ /* TODO */
+ /*int rc = LDAP_SUCCESS;
+ if (rc != LDAP_SUCCESS)*/
+ if (0)
 { entry->authz_rc = NSLCD_PAM_PERM_DENIED; strcpy(entry->authz_msg, "LDAP authorisation check failed");
-- cgit v1.2.3
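Review bot: The added `if (0)` in the db_pam.c hunk makes the denial branch that sets `entry->authz_rc = NSLCD_PAM_PERM_DENIED` unreachable, so the PAM AUTHZ handler now grants access without any authorisation search; the removed `rc = LDAP_SUCCESS` stub appears to have had the same effect, but the fail-open default is now hidden behind commented-out code rather than stated. The block `/*int rc = LDAP_SUCCESS; if (rc != LDAP_SUCCESS)*/` should be deleted and replaced by an explicit comment above the `if (0)`, such as `/* TODO: authorisation search not yet implemented; no check is performed, so authz always succeeds */`, so the behaviour is visible to anyone auditing the PAM path. The `strcpy` into `entry->authz_msg` on the following context line is unbounded and would be safer as a size-bounded copy, though that is pre-existing code. The NSLCD_HANDLE(PAM, AUTHZ) body starts and ends outside the hunk.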