/* passwd.c - password entry lookup routines Parts of this file were part of the nss_ldap library (as ldap-pwd.c) which has been forked into the nss-ldapd library. Copyright (C) 1997-2005 Luke Howard Copyright (C) 2006 West Consulting Copyright (C) 2006, 2007, 2008 Arthur de Jong This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ #include "config.h" #include #include #include #include #include #include #include "common.h" #include "log.h" #include "myldap.h" #include "cfg.h" #include "attmap.h" #include "common/dict.h" /* ( nisSchema.2.0 NAME 'posixAccount' SUP top AUXILIARY * DESC 'Abstraction of an account with POSIX attributes' * MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) * MAY ( userPassword $ loginShell $ gecos $ description ) ) */ /* the search base for searches */ const char *passwd_base = NULL; /* the search scope for searches */ int passwd_scope = LDAP_SCOPE_DEFAULT; /* the basic search filter for searches */ const char *passwd_filter = "(objectClass=posixAccount)"; /* the attributes used in searches */ const char *attmap_passwd_uid = "uid"; const char *attmap_passwd_userPassword = "userPassword"; const char *attmap_passwd_uidNumber = "uidNumber"; const char *attmap_passwd_gidNumber = "gidNumber"; const char *attmap_passwd_gecos = "gecos"; const char *attmap_passwd_cn = "cn"; const char *attmap_passwd_homeDirectory = "homeDirectory"; const char *attmap_passwd_loginShell = "loginShell"; /* default values for attributes */ static const char *default_passwd_userPassword = "*"; /* unmatchable */ static const char *default_passwd_homeDirectory = ""; static const char *default_passwd_loginShell = ""; /* the attribute list to request with searches */ static const char *passwd_attrs[10]; /* create a search filter for searching a passwd entry by name, return -1 on errors */ static int mkfilter_passwd_byname(const char *name, char *buffer,size_t buflen) { char buf2[1024]; /* escape attribute */ if(myldap_escape(name,buf2,sizeof(buf2))) return -1; /* build filter */ return mysnprintf(buffer,buflen, "(&%s(%s=%s))", passwd_filter, attmap_passwd_uid,buf2); } /* create a search filter for searching a passwd entry by uid, return -1 on errors */ static int mkfilter_passwd_byuid(uid_t uid, char *buffer,size_t buflen) { return mysnprintf(buffer,buflen, "(&%s(%s=%d))", passwd_filter, attmap_passwd_uidNumber,uid); } static void passwd_init(void) { /* set up base */ if (passwd_base==NULL) passwd_base=nslcd_cfg->ldc_base; /* set up scope */ if (passwd_scope==LDAP_SCOPE_DEFAULT) passwd_scope=nslcd_cfg->ldc_scope; /* set up attribute list */ passwd_attrs[0]=attmap_passwd_uid; passwd_attrs[1]=attmap_passwd_userPassword; passwd_attrs[2]=attmap_passwd_uidNumber; passwd_attrs[3]=attmap_passwd_gidNumber; passwd_attrs[4]=attmap_passwd_cn; passwd_attrs[5]=attmap_passwd_homeDirectory; passwd_attrs[6]=attmap_passwd_loginShell; passwd_attrs[7]=attmap_passwd_gecos; passwd_attrs[8]="objectClass"; passwd_attrs[9]=NULL; } /* Checks to see if the specified name is a valid user name. This test is based on the definition from POSIX (IEEE Std 1003.1, 2004, 3.426 User Name and 3.276 Portable Filename Character Set): http://www.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_426 http://www.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_276 The standard defines user names valid if they contain characters from the set [A-Za-z0-9._-] where the hyphen should not be used as first character. As an extension this test allows the dolar '$' sign as the last character to support Samba special accounts. */ int isvalidusername(const char *name) { int i; if ((name==NULL)||(name[0]=='\0')) return 0; /* check first character */ if ( ! ( (name[0]>='A' && name[0] <= 'Z') || (name[0]>='a' && name[0] <= 'z') || (name[0]>='0' && name[0] <= '9') || name[0]=='.' || name[0]=='_' ) ) return 0; /* check other characters */ for (i=1;name[i]!='\0';i++) { if ( name[i]=='$' ) { /* if the char is $ we require it to be the last char */ if (name[i+1]!='\0') return 0; } else if ( ! ( (name[i]>='A' && name[i] <= 'Z') || (name[i]>='a' && name[i] <= 'z') || (name[i]>='0' && name[i] <= '9') || name[i]=='.' || name[i]=='_' || name[i]=='-') ) return 0; } /* no test failed so it must be good */ return -1; } /* the cache that is used in dn2uid() */ static pthread_mutex_t dn2uid_cache_mutex=PTHREAD_MUTEX_INITIALIZER; static DICT *dn2uid_cache=NULL; struct dn2uid_cache_entry { time_t timestamp; char *uid; }; #define DN2UID_CACHE_TIMEOUT (15*60) /* Perform an LDAP lookup to translate the DN into a uid. This function either returns NULL or a strdup()ed string. */ static char *lookup_dn2uid(MYLDAP_SESSION *session,const char *dn) { MYLDAP_SEARCH *search; MYLDAP_ENTRY *entry; static const char *attrs[2]; int rc; const char **values; char *uid; /* we have to look up the entry */ attrs[0]=attmap_passwd_uid; attrs[1]=NULL; search=myldap_search(session,dn,LDAP_SCOPE_BASE,passwd_filter,attrs); if (search==NULL) { log_log(LOG_WARNING,"lookup of user %s failed",dn); return NULL; } entry=myldap_get_entry(search,&rc); if (entry==NULL) { if (rc!=LDAP_SUCCESS) log_log(LOG_WARNING,"lookup of user %s failed: %s",dn,ldap_err2string(rc)); return NULL; } /* get uid (just use first one) */ values=myldap_get_values(entry,attmap_passwd_uid); /* check the result for presence and validity */ if ((values!=NULL)&&(values[0]!=NULL)&&isvalidusername(values[0])) uid=strdup(values[0]); else uid=NULL; myldap_search_close(search); return uid; } char *dn2uid(MYLDAP_SESSION *session,const char *dn,char *buf,size_t buflen) { struct dn2uid_cache_entry *cacheentry=NULL; char *uid; /* check for empty string */ if ((dn==NULL)||(*dn=='\0')) return NULL; /* try to look up uid within DN string */ if (myldap_cpy_rdn_value(dn,attmap_passwd_uid,buf,buflen)!=NULL) { /* check if it is valid */ if (!isvalidusername(buf)) return NULL; return buf; } /* see if we have a cached entry */ pthread_mutex_lock(&dn2uid_cache_mutex); if (dn2uid_cache==NULL) dn2uid_cache=dict_new(); if ((dn2uid_cache!=NULL) && ((cacheentry=dict_get(dn2uid_cache,dn))!=NULL)) { /* if the cached entry is still valid, return that */ if (time(NULL) < (cacheentry->timestamp+DN2UID_CACHE_TIMEOUT)) { if ((cacheentry->uid!=NULL)&&(strlen(cacheentry->uid)uid); else buf=NULL; pthread_mutex_unlock(&dn2uid_cache_mutex); return buf; } /* leave the entry intact, just replace the uid below */ } pthread_mutex_unlock(&dn2uid_cache_mutex); /* look up the uid using an LDAP query */ uid=lookup_dn2uid(session,dn); /* store the result in the cache */ pthread_mutex_lock(&dn2uid_cache_mutex); if (cacheentry==NULL) { /* allocate a new entry in the cache */ cacheentry=(struct dn2uid_cache_entry *)malloc(sizeof(struct dn2uid_cache_entry)); if (cacheentry!=NULL) dict_put(dn2uid_cache,dn,cacheentry); } else if (cacheentry->uid!=NULL) free(cacheentry->uid); /* update the cache entry */ if (cacheentry!=NULL) { cacheentry->timestamp=time(NULL); cacheentry->uid=uid; } pthread_mutex_unlock(&dn2uid_cache_mutex); /* copy the result into the buffer */ if ((uid!=NULL)&&(strlen(uid)