Arthur de Jong

+/* compatibility definition */

+#ifndef LDAP_SASL_QUIET

+#define LDAP_SASL_QUIET 2U

+#endif /* not LDAP_SASL_QUIET */

+ freebsd*) NSS_LDAP_SONAME="nss_ldap.so" ;;

+ nss_ldap_so_LDFLAGS="-shared -Wl,-h,\$(NSS_LDAP_SONAME) -Wl,--version-script,\$(srcdir)/exports.$with_nss_flavour"

+# read a configuration value from the specified file

+# (it takes care in not overwriting a previously written value)

+read_config()

+{

+ debconf_param="$1"

+ cfg_param="$2"

+ # get debconf value to ensure we don't overwrite an already set value

+ db_get "$debconf_param"

+ if [ -z "$RET" ]

+ then

+ value=`sed -n 's/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`

+ [ -n "$value" ] && db_set "$debconf_param" "$value"

+ fi

+ # we're done

+ return 0

+}

+

+ # read simple options

+ read_config nslcd/ldap-base base

+ read_config nslcd/ldap-binddn binddn

+ read_config nslcd/ldap-bindpw bindpw

+ read_config nslcd/ldap-sasl-mech sasl_mech

+ read_config nslcd/ldap-sasl-realm sasl_realm

+ read_config nslcd/ldap-sasl-authcid sasl_authcid

+ read_config nslcd/ldap-sasl-authzid sasl_authzid

+ read_config nslcd/ldap-sasl-secprops sasl_secprops

+ read_config nslcd/ldap-sasl-krb5-ccname krb5_ccname

+ db_set nslcd/ldap-sasl-mech ""

+ db_set nslcd/ldap-sasl-realm ""

+ db_set nslcd/ldap-sasl-authcid ""

+ db_set nslcd/ldap-sasl-authzid ""

+ db_set nslcd/ldap-sasl-secprops ""

+ db_set nslcd/ldap-reqcert ""

+ [ -z "$RET" ] && db_set nslcd/ldap-base "dc=example,dc=net"

+# deduce auth-type from available information

+db_get nslcd/ldap-sasl-mech

+sasl_mech="$RET"

+db_get nslcd/ldap-binddn

+binddn="$RET"

+if [ -n "$sasl_mech" ]

+then

+ db_set nslcd/ldap-auth-type "SASL"

+elif [ -n "$binddn" ]

+then

+ db_set nslcd/ldap-auth-type "simple"

+else

+ db_set nslcd/ldap-auth-type "none"

+fi

+

+ state="authtype"

+ authtype)

+ # ask for authentication type

+ db_input medium nslcd/ldap-auth-type || true

+ state="authentication"

+ authentication)

+ # check which questions to ask, depending on the authentication type

+ db_get nslcd/ldap-auth-type

+ case "$RET" in

+ none)

+ # anonymous bind, nothing to ask (clear options)

+ db_set nslcd/ldap-binddn ""

+ db_set nslcd/ldap-bindpw ""

+ db_set nslcd/ldap-sasl-mech ""

+ state="starttls"

+ ;;

+ simple)

+ # ask for binddn and bindpw

+ db_input medium nslcd/ldap-binddn || true

+ db_input medium nslcd/ldap-bindpw || true

+ db_set nslcd/ldap-sasl-mech ""

+ state="starttls"

+ ;;

+ SASL)

+ # ask about SASL mechanism (other SASL questions depend on this)

+ db_input medium nslcd/ldap-sasl-mech || true

+ # RFC4313 if SASL, binddn should be disabled

+ db_set nslcd/ldap-binddn ""

+ state="sasloptions"

+ ;;

+ *)

+ exit 1

+ ;;

+ esac

+ db_go || state="authtype"

+ ;;

+ sasloptions)

+ # get SASL mech

+ db_get nslcd/ldap-sasl-mech

+ sasl_mech="$RET"

+ # ask SASL questions

+ db_input medium nslcd/ldap-sasl-realm || true

+ if [ "$sasl_mech" != "GSSAPI" ]

+ db_input medium nslcd/ldap-sasl-authcid || true

+ db_set nslcd/ldap-sasl-authcid ""

+ db_input medium nslcd/ldap-sasl-authzid || true

+ db_input medium nslcd/ldap-sasl-secprops || true

+ if [ "$sasl_mech" = "GSSAPI" ]

+ then

+ # have a default for ldap-sasl-krb5-ccname

+ db_get nslcd/ldap-sasl-krb5-ccname

+ [ -z "$RET" ] && db_set nslcd/ldap-sasl-krb5-ccname "/var/run/nslcd/nslcd.tkt"

+ db_input low nslcd/ldap-sasl-krb5-ccname || true

+ else

+ db_set nslcd/ldap-sasl-krb5-ccname ""

+ fi

+ db_go || state="authentication"

+ # (we go back to authtype because the previous questions were optional)

+ db_go || state="authtype"

+ else

+ db_set nslcd/ldap-reqcert ""

+ # (we go back to authtype because the previous questions were optional)

+ db_go || state="authtype"

+ # handle bindpw option specially by removing value from config first

+ if [ "$parameter" = "bindpw" ] && grep -i -q "^bindpw " $CONFFILE

+ then

+ cfg_set bindpw "*removed*"

+ fi

+# update a configuration parameter, based on the debconf key

+update_config()

+{

+ debconf_param="$1"

+ cfg_param="$2"

+ # update configuration option based on debconf value

+ db_get "$debconf_param"

+ if [ -n "$RET" ]

+ then

+ cfg_set "$cfg_param" "$RET"

+ else

+ cfg_disable "$cfg_param"

+ fi

+}

+

+ # rename tls_checkpeer to tls_reqcert

+ if grep -qi '^tls_checkpeer[[:space:]]' $CONFFILE

+ echo "Renaming tls_checkpeer to tls_reqcert in $CONFFILE..." >&2

+ sed -i 's/^tls_checkpeer[[:space:]]/tls_reqcert /' "$CONFFILE"

+ # rename reconnect_maxsleeptime to reconnect_retrytime

+ if grep -qi '^reconnect_maxsleeptime[[:space:]]' $CONFFILE

+ echo "Renaming reconnect_maxsleeptime to reconnect_retrytime in $CONFFILE..." >&2

+ sed -i 's/^reconnect_maxsleeptime[[:space:]]/reconnect_retrytime /' "$CONFFILE"

+ # set server uri

+ db_get nslcd/ldap-uris

+ cfg_uris "$RET"

+ # update some options

+ update_config nslcd/ldap-base base

+ update_config nslcd/ldap-binddn binddn

+ update_config nslcd/ldap-bindpw bindpw

+ update_config nslcd/ldap-sasl-mech sasl_mech

+ update_config nslcd/ldap-sasl-realm sasl_realm

+ update_config nslcd/ldap-sasl-authcid sasl_authcid

+ update_config nslcd/ldap-sasl-authzid sasl_authzid

+ update_config nslcd/ldap-sasl-secprops sasl_secprops

+ update_config nslcd/ldap-sasl-krb5-ccname krb5_ccname

+ update_config nslcd/ldap-reqcert tls_reqcert

+Template: nslcd/ldap-auth-type

+Type: select

+__Choices: none, simple, SASL

+Default: none

+_Description: LDAP authentication to use:

+ If your LDAP database requires authentication you can choose which mechanism

+ should be used. Please choose the mechanism by which authentication should

+ be done:

+ * none: no authentication;

+ * simple: simple clear text binddn/password;

+ * SASL: one of the Simple Authentication and Security Layer

+ mechanisms.

+

+ Enter the name of the account that will be used to log in to the LDAP

+ database. This value should be specified as a DN (distinguished name).

+Template: nslcd/ldap-sasl-mech

+Type: select

+__Choices: auto, LOGIN, PLAIN, NTLM, CRAM-MD5, DIGEST-MD5, GSSAPI, OTP

+_Description: SASL mechanism to use:

+ Choose the SASL mechanism that will be used to authenticate to the LDAP

+ database:

+ * auto: autonegociation;

+ * LOGIN: deprecated in flavor of PLAIN;

+ * PLAIN: simple cleartext password mechanism;

+ * NTLM: NT LAN Manager authentication mechanism;

+ * CRAM-MD5: challenge-response scheme based on HMAC-MD5;

+ * DIGEST-MD5: HTTP Digest compatible challenge-response scheme;

+ * GSSAPI: used for Kerberos;

+ * OTP: a One Time Password mechanism.

+

+Template: nslcd/ldap-sasl-realm

+Type: string

+_Description: SASL realm:

+ Enter the SASL realm that will be used to authenticate to the LDAP

+ database.

+ .

+ If empty, the GSSAPI mechanism will use information from the Kerberos

+ credential cache. Others mechanisms may need @<REALM> suffixing sasl_authcid

+ and sasl_authzid.

+ .

+ The realm is appended to authentication and authorisation identities.

+

+Template: nslcd/ldap-sasl-authcid

+Type: string

+_Description: SASL authentication identity:

+ Enter the SASL authentication identity that will be used to authenticate to

+ the LDAP database.

+ .

+ This is the login used in LOGIN, PLAIN, CRAM-MD5 and DIGEST-MD5 mechanisms.

+

+Template: nslcd/ldap-sasl-authzid

+Type: string

+_Description: SASL proxy authorisation identity:

+ Enter the proxy authorisation identity that will be used to authenticate to

+ the LDAP database.

+ .

+ This is the object in the name of witch the LDAP request are done.

+ This value should be specified as a DN (distinguished name).

+

+Template: nslcd/ldap-sasl-secprops

+Type: string

+_Description: Cyrus SASL security properties:

+ Enter the Cyrus SASL security properties.

+ Allowed values are described in the ldap.conf(5) manual page

+ in the SASL OPTIONS section.

+

+Template: nslcd/ldap-sasl-krb5-ccname

+Type: string

+Default: /var/run/nslcd/nslcd.tkt

+_Description: Kerberos credential cache file path:

+ Enter the GSSAPI/Kerberos credential cache file name that will be used.

+

+ READ_STRING(fp,name);

+ log_setrequest("alias=\"%s\"",name);,

+ log_setrequest("alias(all)");,

+MYLDAP_ENTRY *uid2entry(MYLDAP_SESSION *session,const char *uid,int *rcp);

+#define NSLCD_HANDLE(db,fn,readfn,action,mkfilter,writefn) \

+ NSLCD_HANDLE_BODY(db,fn,readfn,action,mkfilter,writefn)

+#define NSLCD_HANDLE_UID(db,fn,readfn,action,mkfilter,writefn) \

+ NSLCD_HANDLE_BODY(db,fn,readfn,action,mkfilter,writefn)

+#define NSLCD_HANDLE_BODY(db,fn,readfn,action,mkfilter,writefn) \

+ READ_STRING(fp,name);

+ log_setrequest("ether=\"%s\"",name);,

+ return -1;

+ log_setrequest("ether=%s",ether);,

+ log_setrequest("ether(all)");,

+ log_setrequest("group=\"%s\"",name);

+ log_log(LOG_WARNING,"\"%s\": invalid group name",name);

+ READ_TYPE(fp,gid,gid_t);

+ log_setrequest("group=%d",(int)gid);,

+ log_setrequest("group/member=\"%s\"",name);

+ if (!isvalidname(name))

+ {

+ log_log(LOG_WARNING,"\"%s\": invalid user name",name);

+ log_log(LOG_DEBUG,"ignored group member");

+ log_setrequest("group(all)");,

+ READ_STRING(fp,name);

+ log_setrequest("host=\"%s\"",name);,

+ }

+ log_setrequest("host=%s",name);,

+ log_setrequest("host(all)");,

+ Copyright (C) 2002, 2003, 2008, 2010 Arthur de Jong

+/* the request identifier that is set for this thread */

+static __thread char *requestid=NULL;

+#define MAX_REQUESTID_LENGTH 40

+

+

+ /* set the request id to empty */

+ if (requestid!=NULL)

+ requestid[0]='\0';

+}

+

+

+/* indicate that a request identifier should be included in the output

+ from this point on, until log_newsession() is called */

+void log_setrequest(const char *format, ...)

+{

+ va_list ap;

+ /* ensure that requestid can hold a string */

+ if (requestid==NULL)

+ {

+ requestid=(char *)malloc(MAX_REQUESTID_LENGTH);

+ if (requestid==NULL)

+ {

+ fprintf(stderr,"malloc() failed: %s",strerror(errno));

+ return; /* silently fail */

+ }

+ }

+ /* make the message */

+ va_start(ap,format);

+ vsnprintf(requestid,MAX_REQUESTID_LENGTH,format,ap);

+ requestid[MAX_REQUESTID_LENGTH-1]='\0';

+ va_end(ap);

+ if ((requestid!=NULL)&&(requestid[0]!='\0'))

+ fprintf(stderr,"%s: [%s] <%s> %s%s\n",PACKAGE,sessionid,requestid,pri==LOG_DEBUG?"DEBUG: ":"",buffer);

+ else if (sessionid)

+ if ((requestid!=NULL)&&(requestid[0]!='\0'))

+ syslog(pri,"[%s] <%s> %s",sessionid,requestid,buffer);

+ else if (sessionid)

+ if ((requestid!=NULL)&&(requestid[0]!='\0'))

+ fprintf(lst->fp,"%s: [%s] <%s> %s\n",sessionid,requestid,PACKAGE,buffer);

+ else if (sessionid)

+ Copyright (C) 2002, 2003, 2007, 2008, 2010 Arthur de Jong

+/* indicate that a request identifier should be included in the output

+ from this point on, until log_newsession() is called */

+void log_setrequest(const char *format, ...)

+ LIKE_PRINTF(1,2);

+

+

+ The binddn and bindpw parameters may be used to override the authentication

+ mechanism defined in the configuration. This returns an LDAP result

+ code. */

+static int do_bind(LDAP *ld,const char *binddn,const char *bindpw,const char *uri)

+ rc=ldap_start_tls_s(ld,NULL,NULL);

+ if ((binddn!=NULL)&(binddn[0]!='\0'))

+ log_log(LOG_DEBUG,"ldap_simple_bind_s(\"%s\",%s) (uri=\"%s\")",binddn,

+ ((bindpw!=NULL)&&(bindpw[0]!='\0'))?"\"***\"":"\"\"",uri);

+ return ldap_simple_bind_s(ld,binddn,bindpw);

+ LDAP_SET_OPTION(ld,LDAP_OPT_X_SASL_SECPROPS,(void *)nslcd_cfg->ldc_sasl_secprops);

+ return ldap_sasl_interactive_bind_s(ld,nslcd_cfg->ldc_binddn,nslcd_cfg->ldc_sasl_mech,NULL,NULL,

+ return ldap_sasl_bind_s(ld,nslcd_cfg->ldc_binddn,nslcd_cfg->ldc_sasl_mech,&cred,NULL,NULL,NULL);

+ return ldap_simple_bind_s(ld,nslcd_cfg->ldc_binddn,nslcd_cfg->ldc_bindpw);

+static int do_rebind(LDAP *ld,LDAP_CONST char *url,

+ MYLDAP_SESSION *session=(MYLDAP_SESSION *)arg;

+ return do_bind(ld,session->binddn,session->bindpw,url);

+void myldap_session_check(MYLDAP_SESSION *session)

+ rc=do_bind(session->ld,session->binddn,session->bindpw,

+ nslcd_cfg->ldc_uris[session->current_uri].uri);

+ /* check when we should try this URI again */

+ {

+ log_log(LOG_ERR,"no available LDAP server found: %s",ldap_err2string(rc));

+ return LDAP_UNAVAILABLE;

+ }

+/* This checks the timeout value of the session and closes the connection

+ to the LDAP server if the timeout has expired and there are no pending

+ searches. */

+void myldap_session_check(MYLDAP_SESSION *session);

+

+ READ_STRING(fp,name);

+ log_setrequest("netgroup=\"%s\"",name);,

+ READ_STRING(fp,name);

+ log_setrequest("network=\"%s\"",name);,

+ }

+ log_setrequest("network=%s",name);,

+ log_setrequest("network(all)");,

+ int i;

+ /* do not block on accept() */

+ if ((i=fcntl(sock,F_GETFL,0))<0)

+ {

+ log_log(LOG_ERR,"fctnl(F_GETFL) failed: %s",strerror(errno));

+ if (close(sock))

+ log_log(LOG_WARNING,"problem closing socket: %s",strerror(errno));

+ exit(1);

+ }

+ if (fcntl(sock,F_SETFL,i|O_NONBLOCK)<0)

+ {

+ log_log(LOG_ERR,"fctnl(F_SETFL,O_NONBLOCK) failed: %s",strerror(errno));

+ if (close(sock))

+ log_log(LOG_WARNING,"problem closing socket: %s",strerror(errno));

+ exit(1);

+ }

+ fd_set fds;

+ struct timeval tv;

+ /* time out connection to LDAP server if needed */

+ myldap_session_check(session);

+ /* set up the set of fds to wait on */

+ FD_ZERO(&fds);

+ FD_SET(nslcd_serversocket,&fds);

+ /* set up our timeout value */

+ tv.tv_sec=nslcd_cfg->ldc_idle_timelimit;

+ tv.tv_usec=0;

+ j=select(nslcd_serversocket+1,&fds,NULL,NULL,nslcd_cfg->ldc_idle_timelimit>0?&tv:NULL);

+ /* check result of select() */

+ if (j<0)

+ {

+ if (errno==EINTR)

+ log_log(LOG_DEBUG,"debug: select() failed (ignored): %s",strerror(errno));

+ else

+ log_log(LOG_ERR,"select() failed: %s",strerror(errno));

+ continue;

+ }

+ /* see if our file descriptor is actually ready */

+ if (!FD_ISSET(nslcd_serversocket,&fds))

+ continue;

+ /* wait for a new connection */

+ alen=(socklen_t)sizeof(struct sockaddr_storage);

+ csock=accept(nslcd_serversocket,(struct sockaddr *)&addr,&alen);

+ else

+ log_log(LOG_ERR,"accept() failed: %s",strerror(errno));

+ /* close all file descriptors (except stdin/out/err) */

+ i=sysconf(_SC_OPEN_MAX);

+ /* if the system does not have OPEN_MAX just close the first 32 and

+ hope we closed enough */

+ if (i<0)

+ i=32;

+ for (;i>3;i--)

+ close(i);

+/* set up a connection and try to bind with the specified DN and password,

+ returns an LDAP result code */

+ MYLDAP_SEARCH *search;

+ MYLDAP_ENTRY *entry;

+ static const char *attrs[2];

+ return LDAP_UNAVAILABLE;

+ attrs[0]="dn";

+ attrs[1]=NULL;

+ search=myldap_search(session,userdn,LDAP_SCOPE_BASE,"(objectClass=*)",attrs,&rc);

+ if ((search==NULL)||(rc!=LDAP_SUCCESS))

+ {

+ if (rc==LDAP_SUCCESS)

+ rc=LDAP_LOCAL_ERROR;

+ log_log(LOG_WARNING,"lookup of %s failed: %s",userdn,ldap_err2string(rc));

+ }

+ else

+ entry=myldap_get_entry(search,&rc);

+ if ((entry==NULL)||(rc!=LDAP_SUCCESS))

+ {

+ if (rc==LDAP_SUCCESS)

+ rc=LDAP_NO_RESULTS_RETURNED;

+ log_log(LOG_WARNING,"lookup of %s failed: %s",userdn,ldap_err2string(rc));

+ }

+ /* close the session */

+ myldap_session_close(session);

+ /* return results */

+ return rc;

+/* ensure that both userdn and username are filled in from the entry,

+ returns an LDAP result code */

+ int rc;

+ return LDAP_NO_SUCH_OBJECT;

+ entry=uid2entry(session,username,&rc);

+ log_log(LOG_WARNING,"\"%s\": user not found: %s",username,ldap_err2string(rc));

+ return rc;

+ return LDAP_NO_SUCH_OBJECT;

+ return LDAP_INVALID_SYNTAX;

+ return LDAP_SUCCESS;

+ log_setrequest("pam_authc=\"%s\"",username);

+ else if ((rc=validate_user(session,userdn,sizeof(userdn),username,sizeof(username)))!=LDAP_SUCCESS)

+ if (rc!=LDAP_NO_SUCH_OBJECT)

+ {

+ WRITE_INT32(fp,NSLCD_RESULT_BEGIN);

+ WRITE_STRING(fp,username);

+ WRITE_STRING(fp,"");

+ WRITE_INT32(fp,NSLCD_PAM_AUTHINFO_UNAVAIL); /* authc */

+ WRITE_INT32(fp,NSLCD_PAM_SUCCESS); /* authz */

+ WRITE_STRING(fp,"LDAP server unavaiable"); /* authzmsg */

+ }

+ if (rc==LDAP_SUCCESS)

+ /* map result code */

+ switch (rc)

+ {

+ case LDAP_SUCCESS: rc=NSLCD_PAM_SUCCESS; break;

+ case LDAP_INVALID_CREDENTIALS: rc=NSLCD_PAM_AUTH_ERR; break;

+ default: rc=NSLCD_PAM_AUTH_ERR;

+ }

+ WRITE_INT32(fp,rc); /* authc */

+ WRITE_INT32(fp,NSLCD_PAM_SUCCESS); /* authz */

+ WRITE_STRING(fp,""); /* authzmsg */

+/* perform an authorisation search, returns an LDAP status code */

+ return LDAP_LOCAL_ERROR;

+ return rc;

+ entry=myldap_get_entry(search,&rc);

+ return rc;

+ return LDAP_SUCCESS;

+ log_setrequest("pam_authz=\"%s\"",username);

+ if (validate_user(session,userdn,sizeof(userdn),username,sizeof(username))!=LDAP_SUCCESS)

+ if (try_autzsearch(session,dict,nslcd_cfg->ldc_pam_authz_search)!=LDAP_SUCCESS)

+ log_setrequest("pam_sess_o=\"%s\"",username);

+ log_setrequest("pam_sess_c=\"%s\"",username);

+/* perform an LDAP password modification, returns an LDAP status code */

+ return LDAP_UNAVAILABLE;

+ log_setrequest("pam_pwmod=\"%s\"",username);

+ if (validate_user(session,userdn,sizeof(userdn),username,sizeof(username))!=LDAP_SUCCESS)

+MYLDAP_ENTRY *uid2entry(MYLDAP_SESSION *session,const char *uid,int *rcp)

+ search=myldap_search(session,base,passwd_scope,filter,attrs,rcp);

+ entry=uid2entry(session,uid,NULL);

+ log_setrequest("passwd=\"%s\"",name);

+ log_log(LOG_WARNING,"\"%s\": invalid user name",name);

+ READ_TYPE(fp,uid,uid_t);

+ log_setrequest("passwd=%d",(int)uid);,

+ log_setrequest("passwd(all)");,

+ READ_STRING(fp,name);

+ log_setrequest("protocol=\"%s\"",name);,

+ READ_INT32(fp,protocol);

+ log_setrequest("protocol=%d",protocol);,

+ log_setrequest("protocol(all)");,

+ READ_STRING(fp,name);

+ log_setrequest("rpc=\"%s\"",name);,

+ READ_INT32(fp,number);

+ log_setrequest("rpc=%d",number);,

+ log_setrequest("rpc(all)");,

+ READ_STRING(fp,protocol);

+ log_setrequest("service=\"%s\"/%s",name,protocol);,

+ READ_STRING(fp,protocol);

+ log_setrequest("service=%d/%s",number,protocol);,

+ log_setrequest("service(all)");,

+ READ_STRING(fp,name);

+ log_setrequest("shadow=\"%s\"",name);,

+ log_setrequest("shadow(all)");,

+ $(INSTALL_PROGRAM) pam_ldap.so $(DESTDIR)$(PAM_SECLIB_DIR)/$(PAM_LDAP_SONAME)

+ /* turn in to generic PAM error message if message is empty */

+ if ((ctx2.authzmsg==NULL)||(ctx2.authzmsg[0]=='\0'))

+ ctx2.authzmsg=(char *)pam_strerror(pamh,ctx2.authz);

+ if ((ctx->authzmsg==NULL)||(ctx->authzmsg[0]=='\0'))

+ ctx->authzmsg=(char *)pam_strerror(pamh,ctx->authz);

+ assert(rc==LDAP_SUCCESS);

+ assert(rc==LDAP_SUCCESS);