author | Arthur de Jong <arthur@arthurdejong.org> | 2007-11-26 23:38:15 +0100 |
committer | Arthur de Jong <arthur@arthurdejong.org> | 2007-11-26 23:38:15 +0100 |
commit | 02acd0ec98167b72634677c66890886c72e655f0 (patch) | |
tree | 03873e5981db1b8dc53f3decc7dbc73f5fda745a | |
parent | fd4d98e5fe02711367cb71a1a056f103efab87a2 (diff) |
clean up Kerberos ccname code, moving it to cfg.c, fixing some bugs in the putenv() code, making the gss_krb5_ccache_name() automatically used if the function is available and removing the --with-gssapi-dir, --enable-configurable-krb5-ccname-gssapi and --enable-configurable-krb5-ccname-env configure options
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-ldapd@481 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r-- | configure.ac | 20 | ||||
-rw-r--r-- | man/nss-ldapd.conf.5.xml | 13 | ||||
-rw-r--r-- | nslcd/cfg.c | 63 | ||||
-rw-r--r-- | nslcd/cfg.h | 4 | ||||
-rw-r--r-- | nslcd/ldap-nss.c | 49 |
5 files changed, 61 insertions, 88 deletions
diff --git a/configure.ac b/configure.ac index 08a2ede..b9f3f55 100644 --- a/configure.ac +++ b/configure.ac @@ -78,21 +78,6 @@ AC_ARG_ENABLE(warnings, [enable extra compiler warnings (gcc)]), [if test "x$enableval" != "no" ; then CFLAGS="$CFLAGS -pedantic -Wall -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Waggregate-return -Wmissing-declarations -Wunused -Wformat=2 -Wswitch-default -Wswitch-enum -Wfloat-equal -Wdeclaration-after-statement -Wextra -Wpointer-arith -Wbad-function-cast -Wunreachable-code -Wredundant-decls -Wredundant-decls" ; fi]) -dnl -dnl XXX TODO make configurable-krb5-ccname-* configurable at runtime -dnl -AC_ARG_ENABLE(configurable-krb5-ccname-env, - AS_HELP_STRING([--enable-configurable-krb5-ccname-env], - [enable configurable Kerberos V credentials cache name (putenv method)]), - [ AC_DEFINE(CONFIGURE_KRB5_CCNAME,1,[Define to enable configurable Kerberos credentials cache.]) - AC_DEFINE(CONFIGURE_KRB5_CCNAME_ENV,1,[Define to enable configurable Kerberos credentials cache (putenv method).]) ]) - -AC_ARG_ENABLE(configurable-krb5-ccname-gssapi, - AS_HELP_STRING([--enable-configurable-krb5-ccname-gssapi], - [enable configurable Kerberos V credentials cache name (gssapi method)]), - [ AC_DEFINE(CONFIGURE_KRB5_CCNAME) - AC_DEFINE(CONFIGURE_KRB5_CCNAME_GSSAPI,1,[Define to enable configurable Kerberos credentials cache (gssapi method).]) ]) - AC_ARG_WITH(ldap-lib, AS_HELP_STRING([--with-ldap-lib=TYPE], [select ldap library (auto|netscape5|netscape4|netscape3|umich|openldap) @<:@auto@:>@])) @@ -124,10 +109,6 @@ AC_ARG_WITH(nslcd-socket, AC_DEFINE_UNQUOTED(NSLCD_SOCKET,"$NSLCD_SOCKET",[The location of the socket used for communicating.]) AC_SUBST(NSLCD_SOCKET) -AC_ARG_WITH(gssapi-dir, - AS_HELP_STRING([--with-gssapi-dir=PATH], - [base directory of gssapi SDK])) - ldap_nss_ngroups=64 AC_ARG_WITH(ngroups, AS_HELP_STRING([--with-ngroups=NUM], 
@@ -306,6 +287,7 @@ fi AC_CHECK_LIB(gssldap, ldap_gss_bind,[LIBS="-lgssldap $LIBS"],,$LIBS) AC_CHECK_FUNCS(sasl_auxprop_request) +AC_CHECK_FUNCS(gss_krb5_ccache_name) AC_CHECK_FUNCS(ldap_init ldap_get_lderrno ldap_parse_result ldap_memfree ldap_controls_free) AC_CHECK_FUNCS(ldap_ld_free ldap_explode_rdn ldap_set_option ldap_get_option) AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s ldap_initialize ldap_search_ext) diff --git a/man/nss-ldapd.conf.5.xml b/man/nss-ldapd.conf.5.xml index 2936ca3..727f29b 100644 --- a/man/nss-ldapd.conf.5.xml +++ b/man/nss-ldapd.conf.5.xml @@ -255,15 +255,14 @@ <title>Kerberos authentication options</title> <variablelist> - <varlistentry> - <term><emphasis remap="B">krb5_ccname <PREFIX:args></emphasis></term> + <varlistentry> + <term><option>krb5_ccname</option> <emphasis remap="I">NAME</emphasis></term> <listitem> - <para>If - <emphasis remap="B">nss_ldap</emphasis> - is built with configurable GSS-API credentials cache name support, - specifies the Kerberos credentials cache to use.</para> + <para> + Set the name for the GSS-API Kerberos credentials cache. + </para> </listitem> - </varlistentry> + </varlistentry> </variablelist> </refsect2> diff --git a/nslcd/cfg.c b/nslcd/cfg.c index e64c2db..065b12a 100644 --- a/nslcd/cfg.c +++ b/nslcd/cfg.c @@ -33,8 +33,16 @@ #include <unistd.h> #include <stdlib.h> #include <errno.h> +#ifdef HAVE_GSSAPI_H +#include <gssapi.h> +#endif /* HAVE_GSSAPI_H */ +#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H +#include <gssapi/gssapi.h> +#include <gssapi/gssapi_krb5.h> +#endif /* HAVE_GSSAPI_GSSAPI_KRB5_H */ #include "ldap-nss.h" +#include "common.h" #include "log.h" #include "cfg.h" #include "attmap.h" @@ -79,9 +87,6 @@ static void cfg_defaults(struct ldap_config *cfg) cfg->ldc_sasl_secprops=NULL; cfg->ldc_usesasl=0; cfg->ldc_rootusesasl=0; -#ifdef CONFIGURE_KRB5_CCNAME - cfg->ldc_krb5_ccname=NULL; -#endif /* CONFIGURE_KRB5_CCNAME */ cfg->ldc_base=NULL; cfg->ldc_scope=LDAP_SCOPE_SUBTREE; cfg->ldc_deref=LDAP_DEREF_NEVER; 
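Review bot: `AC_CHECK_FUNCS(gss_krb5_ccache_name)` is a link-only test, so HAVE_GSS_KRB5_CCACHE_NAME can end up defined on a system where none of the included headers declares the function, and the call this commit adds in nslcd/cfg.c would then compile as an implicit declaration (the warning flags listed in the first configure.ac hunk only warn about that). Tying the define to the header check would avoid it, for example by running the function check only in the branch that found `gssapi/gssapi_krb5.h` or `gssapi.h`, or by using `AC_CHECK_DECLS([gss_krb5_ccache_name], [], [], [[#include <gssapi/gssapi_krb5.h>]])` against the detected header. Whether the Heimdal-style `<gssapi.h>` declares this function is not visible on this page, so this is worth confirming rather than assuming.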
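Review bot: The two header guards added at the top of nslcd/cfg.c are independent `#ifdef` blocks, while the block this same commit removes from nslcd/ldap-nss.c used `#ifdef HAVE_GSSAPI_H … #elif defined(HAVE_GSSAPI_GSSAPI_KRB5_H)`, so a build that defines both macros now includes `<gssapi.h>` as well as `<gssapi/gssapi.h>` and `<gssapi/gssapi_krb5.h>`. Whether that double inclusion is harmless depends on the vendor headers' own guards, which cannot be checked from here. Keeping the previous exclusive form, `#ifdef HAVE_GSSAPI_H` / `#include <gssapi.h>` / `#elif defined(HAVE_GSSAPI_GSSAPI_KRB5_H)`, preserves the behaviour the old code had.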
@@ -205,7 +210,7 @@ static void add_uris_from_dns(const char *filename,int lnr, nxt++; } /* add the URI */ - snprintf(buf,sizeof(buf),"ldap://%s",hostlist); + mysnprintf(buf,sizeof(buf),"ldap://%s",hostlist); log_log(LOG_DEBUG,"add_uris_from_dns(): found uri: %s",buf); add_uri(filename,lnr,cfg,buf); /* get next entry from list */ 
@@ -290,6 +295,50 @@ static inline void check_argumentcount(const char *filename,int lnr, } } +static void parse_krb5_ccname_statement(const char *filename,int lnr, + const char **opts,int nopts) +{ + const char *ccname; + const char *ccfile; + size_t ccenvlen; + char *ccenv; + OM_uint32 minor_status; + /* set default kerberos ticket cache for SASL-GSSAPI */ + log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,opts[0]); + check_argumentcount(filename,lnr,opts[0],nopts==2); + ccname=opts[1]; + /* check that cache exists and is readable if it is a file */ + if ( (strncasecmp(ccname,"FILE:",sizeof("FILE:")-1)==0) || + (strncasecmp(ccname,"WRFILE:",sizeof("WRFILE:")-1)==0)) + { + ccfile=strchr(ccname,':')+1; + if (access(ccfile,R_OK)!=0) + { + log_log(LOG_ERR,"%s:%d: error accessing %s: %s",filename,lnr,ccfile,strerror(errno)); + exit(EXIT_FAILURE); + } + } + /* set the environment variable (we have a memory leak if this option + is set multiple times) */ + ccenvlen=strlen(ccname)+sizeof("KRB5CCNAME="); + ccenv=(char *)malloc(ccenvlen); + if (ccenv==NULL) + { + log_log(LOG_CRIT,"malloc() failed to allocate memory"); + exit(EXIT_FAILURE); + } + mysnprintf(ccenv,ccenvlen,"KRB5CCNAME=%s",ccname); + putenv(ccenv); +#ifdef HAVE_GSS_KRB5_CCACHE_NAME + /* set the name with gss_krb5_ccache_name() */ + if (gss_krb5_ccache_name(&minor_status,ccname,NULL)!=GSS_S_COMPLETE) + { + log_log(LOG_ERR,"%s:%d: unable to set default credential cache: %s",filename,lnr,ccname); + exit(EXIT_FAILURE); + } +# endif /* HAVE_GSS_KRB5_CCACHE_NAME */ +} + /* assigns the base to the specified variable doing domain expansion and a simple check to avoid overwriting duplicate values */ static void set_base(const char *filename,int lnr, 
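Review bot: `OM_uint32 minor_status;` at the top of parse_krb5_ccname_statement is declared unconditionally, but its type only comes from the conditionally included gssapi headers and it is only used inside `#ifdef HAVE_GSS_KRB5_CCACHE_NAME`, so a build without those headers does not compile and a build with the headers but without the function gets an unused-variable warning under the -Wunused flags this tree enables. Move the declaration into the guarded block, `#ifdef HAVE_GSS_KRB5_CCACHE_NAME` / `  OM_uint32 minor_status;` immediately before the call, and write the closing directive as `#endif /* HAVE_GSS_KRB5_CCACHE_NAME */` to match the unindented `#ifdef` instead of `# endif`. The `putenv(ccenv)` result is not checked either; since every other failure in this function exits, `if (putenv(ccenv)!=0) { log_log(LOG_ERR,"%s:%d: putenv() failed: %s",filename,lnr,strerror(errno)); exit(EXIT_FAILURE); }` would be consistent. Note also that `access(ccfile,R_OK)` tests the real uid at configuration-read time, so if nslcd later switches to a less privileged user (not visible in this hunk) the check can pass for a cache file the worker cannot actually read, and the bind-time error becomes the only signal; a comment stating which uid the check is meant to reflect would make that explicit.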
@@ -587,15 +636,11 @@ static void cfg_read(const char *filename,struct ldap_config *cfg) check_argumentcount(filename,lnr,opts[0],nopts==2); cfg->ldc_rootusesasl=parse_boolean(filename,lnr,opts[1]); } -#ifdef CONFIGURE_KRB5_CCNAME /* Kerberos authentication options */ else if (strcasecmp(opts[0],"krb5_ccname")==0) { - log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,opts[0]); - check_argumentcount(filename,lnr,opts[0],nopts==2); - cfg->ldc_krb5_ccname=xstrdup(opts[1]); + parse_krb5_ccname_statement(filename,lnr,opts,nopts); } -#endif /* CONFIGURE_KRB5_CCNAME */ /* search/mapping options */ else if (strcasecmp(opts[0],"base")==0) { diff --git a/nslcd/cfg.h b/nslcd/cfg.h index 960714c..8c1dc4b 100644 --- a/nslcd/cfg.h +++ b/nslcd/cfg.h @@ -99,10 +99,6 @@ struct ldap_config int ldc_usesasl; /* do we use sasl for root? */ int ldc_rootusesasl; -#ifdef CONFIGURE_KRB5_CCNAME - /* krb5 ccache name */ - char *ldc_krb5_ccname; -#endif /* CONFIGURE_KRB5_CCNAME */ /* base DN, eg. dc=gnu,dc=org */ char *ldc_base; /* scope for searches */ diff --git a/nslcd/ldap-nss.c b/nslcd/ldap-nss.c index 2cba1b6..b2f21e5 100644 --- a/nslcd/ldap-nss.c +++ b/nslcd/ldap-nss.c @@ -57,12 +57,6 @@ #elif defined(HAVE_SASL_H) #include <sasl.h> #endif -#ifdef HAVE_GSSAPI_H -#include <gssapi.h> -#elif defined(HAVE_GSSAPI_GSSAPI_KRB5_H) -#include <gssapi/gssapi.h> -#include <gssapi/gssapi_krb5.h> -#endif #include <ctype.h> #include "ldap-nss.h" @@ -342,13 +336,6 @@ static int do_bind(MYLDAP_SESSION *session) int rc; char *binddn,*bindarg; int usesasl; -#ifdef CONFIGURE_KRB5_CCNAME -#ifndef CONFIGURE_KRB5_CCNAME_GSSAPI - char tmpbuf[256]; -#endif - char *ccname; - const char *oldccname = NULL; -#endif /* CONFIGURE_KRB5_CCNAME */ /* * If we're running as root, let us bind as a special * user, so we can fake shadow passwords. 
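Review bot: The `krb5_ccname` branch in cfg_read now calls parse_krb5_ccname_statement, which applies the value immediately as process-wide state (KRB5CCNAME in the environment and, when available, the GSS-API default cache) instead of recording it in `cfg`, so after this commit nothing in `struct ldap_config` reflects the option. A one-line comment at the call site would spare readers looking for the field that the cfg.h hunk removes: `/* applied immediately (KRB5CCNAME + GSS-API default cache); not stored in cfg */`. cfg_read begins and ends outside this hunk.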
@@ -388,42 +375,6 @@ static int do_bind(MYLDAP_SESSION *session) return -1; } } -# ifdef CONFIGURE_KRB5_CCNAME - /* Set default Kerberos ticket cache for SASL-GSSAPI */ - ccname = nslcd_cfg->ldc_krb5_ccname; - if (ccname != NULL) - { - char *ccfile = ccname; - /* Check that cache exists and is readable */ - if ((strncasecmp(ccfile, "FILE:", sizeof("FILE:") - 1) == 0) - || (strncasecmp(ccfile, "WRFILE:", sizeof("WRFILE:") - 1) == 0)) - { - ccfile = strchr(ccfile, ':') + 1; - } - if (access(ccfile, R_OK) == 0) - { -# ifdef CONFIGURE_KRB5_CCNAME_ENV - oldccname = getenv ("KRB5CCNAME"); - if (oldccname != NULL) - { - strncpy (tmpbuf, oldccname, sizeof (tmpbuf)); - tmpbuf[sizeof (tmpbuf) - 1] = '\0'; - } else { - tmpbuf[0] = '\0'; - } - oldccname = tmpbuf; - snprintf(tmpbuf, sizeof (tmpbuf), "KRB5CCNAME=%s", ccname); - putenv (tmpbuf); -# elif defined(CONFIGURE_KRB5_CCNAME_GSSAPI) - if (gss_krb5_ccache_name(&rc, ccname, &oldccname) != GSS_S_COMPLETE) - { - log_log(LOG_ERR, "do_bind: unable to set default credential cache"); - return -1; - } -# endif - } - } -# endif /* CONFIGURE_KRB5_CCNAME */ rc=ldap_sasl_interactive_bind_s(session->ls_conn,binddn,"GSSAPI",NULL,NULL, LDAP_SASL_QUIET, do_sasl_interact,(void *)bindarg); |