int nssov_config(nssov_info *ni,TFILE *fp,Operation *op) { int opt; int32_t tmpint32; struct berval *msg = BER_BVC(""); int rc = NSLCD_PAM_SUCCESS; READ_INT32(fp,opt); Debug(LDAP_DEBUG_TRACE, "nssov_config (%d)\n",opt,0,0); switch (opt) { case NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE: /* request for pam password_prothibit_message */ /* nssov_pam prohibits password */ if (!BER_BVISEMPTY(&ni->ni_pam_password_prohibit_message)) { Debug(LDAP_DEBUG_TRACE,"nssov_config(): %s (%s)\n", "password_prohibit_message", ni->ni_pam_password_prohibit_message.bv_val,0); msg = &ni->ni_pam_password_prohibit_message; rc = NSLCD_PAM_PERM_DENIED; } /* fall through */ default: break; } done:; WRITE_INT32(fp,NSLCD_VERSION); WRITE_INT32(fp,NSLCD_ACTION_CONFIG_GET); WRITE_INT32(fp,NSLCD_RESULT_BEGIN); WRITE_BERVAL(fp,msg); WRITE_INT32(fp,NSLCD_RESULT_END); return 0; }
void client_write_move(remote_process_client *client, const struct ct_move *move) { WRITE_BYTE(MSG_MOVE_MESSAGE); WRITE_BYTE(1); WRITE_BYTE((signed char)move->action); WRITE_BYTE((signed char)move->direction); WRITE_INT32(move->position.x); WRITE_INT32(move->position.y); FLUSH(); }
/* get a single passwd entry by uid */ nss_status_t _nss_ldap_getpwuid_r(uid_t uid, struct passwd *result, char *buffer, size_t buflen, int *errnop) { NSS_GETONE(NSLCD_ACTION_PASSWD_BYUID, WRITE_INT32(fp, uid), read_passwd(fp, result, buffer, buflen, errnop)); }
static int write_alias(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqalias) { int32_t tmpint32,tmp2int32,tmp3int32; const char **names,**members; int i; /* get the name of the alias */ names=myldap_get_values(entry,attmap_alias_cn); if ((names==NULL)||(names[0]==NULL)) { log_log(LOG_WARNING,"alias entry %s does not contain %s value", myldap_get_dn(entry),attmap_alias_cn); return 0; } /* get the members of the alias */ members=myldap_get_values(entry,attmap_alias_rfc822MailMember); /* for each name, write an entry */ for (i=0;names[i]!=NULL;i++) { if ((reqalias==NULL)||(strcasecmp(reqalias,names[i])==0)) { WRITE_INT32(fp,NSLCD_RESULT_BEGIN); WRITE_STRING(fp,names[i]); WRITE_STRINGLIST(fp,members); } } return 0; }
int pam_authc(nssov_info *ni,TFILE *fp,Operation *op) { int32_t tmpint32; int rc; slap_callback cb = {0}; char dnc[1024]; char uidc[32]; char svcc[256]; char pwdc[256]; struct berval sdn, dn; struct paminfo pi; READ_STRING(fp,uidc); pi.uid.bv_val = uidc; pi.uid.bv_len = tmpint32; READ_STRING(fp,dnc); pi.dn.bv_val = dnc; pi.dn.bv_len = tmpint32; READ_STRING(fp,svcc); pi.svc.bv_val = svcc; pi.svc.bv_len = tmpint32; READ_STRING(fp,pwdc); pi.pwd.bv_val = pwdc; pi.pwd.bv_len = tmpint32; Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(%s)\n",pi.uid.bv_val,0,0); rc = pam_do_bind(ni, fp, op, &pi); finish: WRITE_INT32(fp,NSLCD_VERSION); WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHC); WRITE_INT32(fp,NSLCD_RESULT_BEGIN); WRITE_BERVAL(fp,&pi.uid); WRITE_BERVAL(fp,&pi.dn); WRITE_INT32(fp,rc); WRITE_INT32(fp,pi.authz); /* authz */ WRITE_BERVAL(fp,&pi.msg); /* authzmsg */ return 0; }
/* write a single network entry to the stream */ static int write_network(TFILE *fp,MYLDAP_ENTRY *entry) { int32_t tmpint32,tmp2int32,tmp3int32; int numaddr,i; const char *networkname; const char **networknames; const char **addresses; /* get the most canonical name */ networkname=myldap_get_rdn_value(entry,attmap_network_cn); /* get the other names for the network */ networknames=myldap_get_values(entry,attmap_network_cn); if ((networknames==NULL)||(networknames[0]==NULL)) { log_log(LOG_WARNING,"network entry %s does not contain %s value", myldap_get_dn(entry),attmap_network_cn); return 0; } /* if the networkname is not yet found, get the first entry from networknames */ if (networkname==NULL) networkname=networknames[0]; /* get the addresses */ addresses=myldap_get_values(entry,attmap_network_ipNetworkNumber); if ((addresses==NULL)||(addresses[0]==NULL)) { log_log(LOG_WARNING,"network entry %s does not contain %s value", myldap_get_dn(entry),attmap_network_ipNetworkNumber); return 0; } /* write the entry */ WRITE_INT32(fp,NSLCD_RESULT_BEGIN); WRITE_STRING(fp,networkname); WRITE_STRINGLIST_EXCEPT(fp,networknames,networkname); for (numaddr=0;addresses[numaddr]!=NULL;numaddr++) /*noting*/ ; WRITE_INT32(fp,numaddr); for (i=0;i<numaddr;i++) { WRITE_ADDRESS(fp,addresses[i]); } return 0; }
static int write_shadow(TFILE *fp, MYLDAP_ENTRY *entry, const char *requser, uid_t calleruid) { int32_t tmpint32; const char **usernames; const char *passwd; long lastchangedate; long mindays; long maxdays; long warndays; long inactdays; long expiredate; unsigned long flag; int i; char passbuffer[BUFLEN_PASSWORDHASH]; /* get username */ usernames = myldap_get_values(entry, attmap_shadow_uid); if ((usernames == NULL) || (usernames[0] == NULL)) { log_log(LOG_WARNING, "%s: %s: missing", myldap_get_dn(entry), attmap_shadow_uid); return 0; } /* get password */ passwd = get_userpassword(entry, attmap_shadow_userPassword, passbuffer, sizeof(passbuffer)); if ((passwd == NULL) || (calleruid != 0)) passwd = default_shadow_userPassword; /* get expiry properties */ get_shadow_properties(entry, &lastchangedate, &mindays, &maxdays, &warndays, &inactdays, &expiredate, &flag); /* write the entries */ for (i = 0; usernames[i] != NULL; i++) if ((requser == NULL) || (STR_CMP(requser, usernames[i]) == 0)) { WRITE_INT32(fp, NSLCD_RESULT_BEGIN); WRITE_STRING(fp, usernames[i]); WRITE_STRING(fp, passwd); WRITE_INT32(fp, lastchangedate); WRITE_INT32(fp, mindays); WRITE_INT32(fp, maxdays); WRITE_INT32(fp, warndays); WRITE_INT32(fp, inactdays); WRITE_INT32(fp, expiredate); WRITE_INT32(fp, flag); } return 0; }
/* this writes a single address to the stream */ int write_address(TFILE *fp,const char *addr) { int32_t tmpint32; struct in_addr ipv4addr; struct in6_addr ipv6addr; /* try to parse the address as IPv4 first, fall back to IPv6 */ if (inet_pton(AF_INET,addr,&ipv4addr)>0) { /* write address type */ WRITE_INT32(fp,AF_INET); /* write the address length */ WRITE_INT32(fp,sizeof(struct in_addr)); /* write the address itself (in network byte order) */ WRITE_TYPE(fp,ipv4addr,struct in_addr); } else if (inet_pton(AF_INET6,addr,&ipv6addr)>0) { /* write address type */ WRITE_INT32(fp,AF_INET6); /* write the address length */ WRITE_INT32(fp,sizeof(struct in6_addr)); /* write the address itself (in network byte order) */ WRITE_TYPE(fp,ipv6addr,struct in6_addr); } else { /* failure, log but write simple invalid address (otherwise the address list is messed up) */ /* TODO: have error message in correct format */ log_log(LOG_WARNING,"unparseble address: %s",addr); /* write an illegal address type */ WRITE_INT32(fp,-1); /* write an emtpy address */ WRITE_INT32(fp,0); } /* we're done */ return 0; }
/* this writes a single address to the stream */ int write_address(TFILE *fp,struct berval *addr) { int32_t tmpint32; struct in_addr ipv4addr; struct in6_addr ipv6addr; /* try to parse the address as IPv4 first, fall back to IPv6 */ if (inet_pton(AF_INET,addr->bv_val,&ipv4addr)>0) { /* write address type */ WRITE_INT32(fp,AF_INET); /* write the address length */ WRITE_INT32(fp,sizeof(struct in_addr)); /* write the address itself (in network byte order) */ WRITE_TYPE(fp,ipv4addr,struct in_addr); } else if (inet_pton(AF_INET6,addr->bv_val,&ipv6addr)>0) { /* write address type */ WRITE_INT32(fp,AF_INET6); /* write the address length */ WRITE_INT32(fp,sizeof(struct in6_addr)); /* write the address itself (in network byte order) */ WRITE_TYPE(fp,ipv6addr,struct in6_addr); } else { /* failure, log but write simple invalid address (otherwise the address list is messed up) */ /* TODO: have error message in correct format */ Debug(LDAP_DEBUG_ANY,"nssov: unparseable address: %s\n",addr->bv_val,0,0); /* write an illegal address type */ WRITE_INT32(fp,-1); /* write an empty address */ WRITE_INT32(fp,0); } /* we're done */ return 0; }
static int write_protocol(TFILE *fp, MYLDAP_ENTRY *entry, const char *reqname) { int32_t tmpint32, tmp2int32, tmp3int32; const char *name; const char **aliases; const char **protos; char *tmp; long proto; int i; /* get the most canonical name */ name = myldap_get_rdn_value(entry, attmap_protocol_cn); /* get the other names for the protocol */ aliases = myldap_get_values(entry, attmap_protocol_cn); if ((aliases == NULL) || (aliases[0] == NULL)) { log_log(LOG_WARNING, "%s: %s: missing", myldap_get_dn(entry), attmap_protocol_cn); return 0; } /* if the protocol name is not yet found, get the first entry */ if (name == NULL) name = aliases[0]; /* check case of returned protocol entry */ if ((reqname != NULL) && (STR_CMP(reqname, name) != 0)) { for (i = 0; (aliases[i] != NULL) && (STR_CMP(reqname, aliases[i]) != 0); i++) /* nothing */ ; if (aliases[i] == NULL) return 0; /* neither the name nor any of the aliases matched */ } /* get the protocol number */ protos = myldap_get_values(entry, attmap_protocol_ipProtocolNumber); if ((protos == NULL) || (protos[0] == NULL)) { log_log(LOG_WARNING, "%s: %s: missing", myldap_get_dn(entry), attmap_protocol_ipProtocolNumber); return 0; } else if (protos[1] != NULL) { log_log(LOG_WARNING, "%s: %s: multiple values", myldap_get_dn(entry), attmap_protocol_ipProtocolNumber); } errno = 0; proto = strtol(protos[0], &tmp, 10); if ((*(protos[0]) == '\0') || (*tmp != '\0')) { log_log(LOG_WARNING, "%s: %s: non-numeric", myldap_get_dn(entry), attmap_protocol_ipProtocolNumber); return 0; } else if ((errno != 0) || (proto < 0) || (proto > (long)UINT8_MAX)) { log_log(LOG_WARNING, "%s: %s: out of range", myldap_get_dn(entry), attmap_protocol_ipProtocolNumber); return 0; } /* write entry */ WRITE_INT32(fp, NSLCD_RESULT_BEGIN); WRITE_STRING(fp, name); WRITE_STRINGLIST_EXCEPT(fp, aliases, name); /* proto number is actually an 8-bit value but we write 32 bits anyway */ WRITE_INT32(fp, proto); return 0; }
int nslcd_usermod(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid) { int32_t tmpint32; int rc = LDAP_SUCCESS; char username[BUFLEN_NAME]; int asroot, isroot; char password[BUFLEN_PASSWORD]; int32_t param; char buffer[4096]; size_t buflen = sizeof(buffer); size_t bufptr = 0; const char *value = NULL; const char *fullname = NULL, *roomnumber = NULL, *workphone = NULL; const char *homephone = NULL, *other = NULL, *homedir = NULL; const char *shell = NULL; const char *binddn = NULL; /* the user performing the modification */ MYLDAP_ENTRY *entry; MYLDAP_SESSION *newsession; char errmsg[BUFLEN_MESSAGE]; /* read request parameters */ READ_STRING(fp, username); READ_INT32(fp, asroot); READ_STRING(fp, password); /* read the usermod parameters */ while (1) { READ_INT32(fp, param); if (param == NSLCD_USERMOD_END) break; READ_BUF_STRING(fp, value); switch (param) { case NSLCD_USERMOD_FULLNAME: fullname = value; break; case NSLCD_USERMOD_ROOMNUMBER: roomnumber = value; break; case NSLCD_USERMOD_WORKPHONE: workphone = value; break; case NSLCD_USERMOD_HOMEPHONE: homephone = value; break; case NSLCD_USERMOD_OTHER: other = value; break; case NSLCD_USERMOD_HOMEDIR: homedir = value; break; case NSLCD_USERMOD_SHELL: shell = value; break; default: /* other parameters are silently ignored */ break; } } /* log call */ log_setrequest("usermod=\"%s\"", username); log_log(LOG_DEBUG, "nslcd_usermod(\"%s\",%s,\"%s\")", username, asroot ? "asroot" : "asuser", *password ? "***" : ""); if (fullname != NULL) log_log(LOG_DEBUG, "nslcd_usermod(fullname=\"%s\")", fullname); if (roomnumber != NULL) log_log(LOG_DEBUG, "nslcd_usermod(roomnumber=\"%s\")", roomnumber); if (workphone != NULL) log_log(LOG_DEBUG, "nslcd_usermod(workphone=\"%s\")", workphone); if (homephone != NULL) log_log(LOG_DEBUG, "nslcd_usermod(homephone=\"%s\")", homephone); if (other != NULL) log_log(LOG_DEBUG, "nslcd_usermod(other=\"%s\")", other); if (homedir != NULL) log_log(LOG_DEBUG, "nslcd_usermod(homedir=\"%s\")", homedir); if (shell != NULL) log_log(LOG_DEBUG, "nslcd_usermod(shell=\"%s\")", shell); /* write the response header */ WRITE_INT32(fp, NSLCD_VERSION); WRITE_INT32(fp, NSLCD_ACTION_USERMOD); /* validate request */ entry = validate_user(session, username, &rc); if (entry == NULL) { /* for user not found we just say no result, otherwise break the protocol */ if (rc == LDAP_NO_SUCH_OBJECT) { WRITE_INT32(fp, NSLCD_RESULT_END); } return -1; } /* check if it is a modification as root */ isroot = (calleruid == 0) && asroot; if (asroot) { if (nslcd_cfg->rootpwmoddn == NULL) { log_log(LOG_NOTICE, "rootpwmoddn not configured"); /* we break the protocol */ return -1; } binddn = nslcd_cfg->rootpwmoddn; /* check if rootpwmodpw should be used */ if ((*password == '\0') && isroot && (nslcd_cfg->rootpwmodpw != NULL)) { if (strlen(nslcd_cfg->rootpwmodpw) >= sizeof(password)) { log_log(LOG_ERR, "nslcd_pam_pwmod(): rootpwmodpw will not fit in password"); return -1; } strcpy(password, nslcd_cfg->rootpwmodpw); } } else binddn = myldap_get_dn(entry); WRITE_INT32(fp, NSLCD_RESULT_BEGIN); /* home directory change requires either root or valid directory */ if ((homedir != NULL) && (!isroot) && !is_valid_homedir(homedir)) { log_log(LOG_NOTICE, "invalid directory: %s", homedir); WRITE_INT32(fp, NSLCD_USERMOD_HOMEDIR); WRITE_STRING(fp, "invalid directory"); homedir = NULL; } /* shell change requires either root or a valid shell */ if ((shell != NULL) && (!isroot) && !is_valid_shell(shell)) { log_log(LOG_NOTICE, "invalid shell: %s", shell); WRITE_INT32(fp, NSLCD_USERMOD_SHELL); WRITE_STRING(fp, "invalid shell"); shell = NULL; } /* perform requested changes */ newsession = get_session(binddn, myldap_get_dn(entry), password, &rc); if (newsession != NULL) { rc = change(newsession, myldap_get_dn(entry), homedir, shell); myldap_session_close(newsession); } /* return response to caller */ if (rc != LDAP_SUCCESS) { log_log(LOG_WARNING, "%s: modification failed: %s", myldap_get_dn(entry), ldap_err2string(rc)); mysnprintf(errmsg, sizeof(errmsg) - 1, "change failed: %s", ldap_err2string(rc)); WRITE_INT32(fp, NSLCD_USERMOD_RESULT); WRITE_STRING(fp, errmsg); WRITE_INT32(fp, NSLCD_USERMOD_END); WRITE_INT32(fp, NSLCD_RESULT_END); return 0; } log_log(LOG_NOTICE, "changed information for %s", myldap_get_dn(entry)); WRITE_INT32(fp, NSLCD_USERMOD_END); WRITE_INT32(fp, NSLCD_RESULT_END); return 0; }
void client_write_protocol_version(remote_process_client *client) { WRITE_BYTE(MSG_PROTOCOL_VERSION); WRITE_INT32(2); FLUSH(); }
static void client_write_string(remote_process_client *client, const char *str) { int32 length = (int32)strlen(str); WRITE_INT32(length); client_write_bytes(client, str, length); }
int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) { struct berval dn, uid, svc, ruser, rhost, tty; struct berval authzmsg = BER_BVNULL; int32_t tmpint32; char dnc[1024]; char uidc[32]; char svcc[256]; char ruserc[32]; char rhostc[256]; char ttyc[256]; int rc; Entry *e = NULL; Attribute *a; slap_callback cb = {0}; READ_STRING(fp,uidc); uid.bv_val = uidc; uid.bv_len = tmpint32; READ_STRING(fp,dnc); dn.bv_val = dnc; dn.bv_len = tmpint32; READ_STRING(fp,svcc); svc.bv_val = svcc; svc.bv_len = tmpint32; READ_STRING(fp,ruserc); ruser.bv_val = ruserc; ruser.bv_len = tmpint32; READ_STRING(fp,rhostc); rhost.bv_val = rhostc; rhost.bv_len = tmpint32; READ_STRING(fp,ttyc); tty.bv_val = ttyc; tty.bv_len = tmpint32; Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(%s)\n",dn.bv_val,0,0); /* If we didn't do authc, we don't have a DN yet */ if (BER_BVISEMPTY(&dn)) { struct paminfo pi; pi.uid = uid; pi.svc = svc; rc = pam_uid2dn(ni, op, &pi); if (rc) goto finish; dn = pi.dn; } /* See if they have access to the host and service */ if ((ni->ni_pam_opts & NI_PAM_HOSTSVC) && nssov_pam_svc_ad) { AttributeAssertion ava = ATTRIBUTEASSERTION_INIT; struct berval hostdn = BER_BVNULL; struct berval odn = op->o_ndn; SlapReply rs = {REP_RESULT}; op->o_dn = dn; op->o_ndn = dn; { nssov_mapinfo *mi = &ni->ni_maps[NM_host]; char fbuf[1024]; struct berval filter = {sizeof(fbuf),fbuf}; SlapReply rs2 = {REP_RESULT}; /* Lookup the host entry */ nssov_filter_byname(mi,0,&global_host_bv,&filter); cb.sc_private = &hostdn; cb.sc_response = nssov_name2dn_cb; op->o_callback = &cb; op->o_req_dn = mi->mi_base; op->o_req_ndn = mi->mi_base; op->ors_scope = mi->mi_scope; op->ors_filterstr = filter; op->ors_filter = str2filter_x(op, filter.bv_val); op->ors_attrs = slap_anlist_no_attrs; op->ors_tlimit = SLAP_NO_LIMIT; op->ors_slimit = 2; rc = op->o_bd->be_search(op, &rs2); filter_free_x(op, op->ors_filter, 1); if (BER_BVISEMPTY(&hostdn) && !BER_BVISEMPTY(&ni->ni_pam_defhost)) { filter.bv_len = sizeof(fbuf); filter.bv_val = fbuf; rs_reinit(&rs2, REP_RESULT); nssov_filter_byname(mi,0,&ni->ni_pam_defhost,&filter); op->ors_filterstr = filter; op->ors_filter = str2filter_x(op, filter.bv_val); rc = op->o_bd->be_search(op, &rs2); filter_free_x(op, op->ors_filter, 1); } /* no host entry, no default host -> deny */ if (BER_BVISEMPTY(&hostdn)) { rc = NSLCD_PAM_PERM_DENIED; authzmsg = hostmsg; goto finish; } } cb.sc_response = pam_compare_cb; cb.sc_private = NULL; op->o_tag = LDAP_REQ_COMPARE; op->o_req_dn = hostdn; op->o_req_ndn = hostdn; ava.aa_desc = nssov_pam_svc_ad; ava.aa_value = svc; op->orc_ava = &ava; rc = op->o_bd->be_compare( op, &rs ); if ( cb.sc_private == NULL ) { authzmsg = svcmsg; rc = NSLCD_PAM_PERM_DENIED; goto finish; } op->o_dn = odn; op->o_ndn = odn; } /* See if they're a member of the group */ if ((ni->ni_pam_opts & NI_PAM_USERGRP) && !BER_BVISEMPTY(&ni->ni_pam_group_dn) && ni->ni_pam_group_ad) { AttributeAssertion ava = ATTRIBUTEASSERTION_INIT; SlapReply rs = {REP_RESULT}; op->o_callback = &cb; cb.sc_response = slap_null_cb; op->o_tag = LDAP_REQ_COMPARE; op->o_req_dn = ni->ni_pam_group_dn; op->o_req_ndn = ni->ni_pam_group_dn; ava.aa_desc = ni->ni_pam_group_ad; ava.aa_value = dn; op->orc_ava = &ava; rc = op->o_bd->be_compare( op, &rs ); if ( rs.sr_err != LDAP_COMPARE_TRUE ) { authzmsg = grpmsg; rc = NSLCD_PAM_PERM_DENIED; goto finish; } } /* We need to check the user's entry for these bits */ if ((ni->ni_pam_opts & (NI_PAM_USERHOST|NI_PAM_USERSVC)) || ni->ni_pam_template_ad || ni->ni_pam_min_uid || ni->ni_pam_max_uid ) { rc = be_entry_get_rw( op, &dn, NULL, NULL, 0, &e ); if (rc != LDAP_SUCCESS) { rc = NSLCD_PAM_USER_UNKNOWN; goto finish; } } if ((ni->ni_pam_opts & NI_PAM_USERHOST) && nssov_pam_host_ad) { a = attr_find(e->e_attrs, nssov_pam_host_ad); if (!a || attr_valfind( a, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | SLAP_MR_VALUE_OF_SYNTAX, &global_host_bv, NULL, op->o_tmpmemctx )) { rc = NSLCD_PAM_PERM_DENIED; authzmsg = hostmsg; goto finish; } } if ((ni->ni_pam_opts & NI_PAM_USERSVC) && nssov_pam_svc_ad) { a = attr_find(e->e_attrs, nssov_pam_svc_ad); if (!a || attr_valfind( a, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | SLAP_MR_VALUE_OF_SYNTAX, &svc, NULL, op->o_tmpmemctx )) { rc = NSLCD_PAM_PERM_DENIED; authzmsg = svcmsg; goto finish; } } /* from passwd.c */ #define UIDN_KEY 2 if (ni->ni_pam_min_uid || ni->ni_pam_max_uid) { int id; char *tmp; nssov_mapinfo *mi = &ni->ni_maps[NM_passwd]; a = attr_find(e->e_attrs, mi->mi_attrs[UIDN_KEY].an_desc); if (!a) { rc = NSLCD_PAM_PERM_DENIED; authzmsg = uidmsg; goto finish; } id = (int)strtol(a->a_vals[0].bv_val,&tmp,0); if (a->a_vals[0].bv_val[0] == '\0' || *tmp != '\0') { rc = NSLCD_PAM_PERM_DENIED; authzmsg = uidmsg; goto finish; } if ((ni->ni_pam_min_uid && id < ni->ni_pam_min_uid) || (ni->ni_pam_max_uid && id > ni->ni_pam_max_uid)) { rc = NSLCD_PAM_PERM_DENIED; authzmsg = uidmsg; goto finish; } } if (ni->ni_pam_template_ad) { a = attr_find(e->e_attrs, ni->ni_pam_template_ad); if (a) uid = a->a_vals[0]; else if (!BER_BVISEMPTY(&ni->ni_pam_template)) uid = ni->ni_pam_template; } rc = NSLCD_PAM_SUCCESS; finish: WRITE_INT32(fp,NSLCD_VERSION); WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHZ); WRITE_INT32(fp,NSLCD_RESULT_BEGIN); WRITE_BERVAL(fp,&uid); WRITE_BERVAL(fp,&dn); WRITE_INT32(fp,rc); WRITE_BERVAL(fp,&authzmsg); if (e) { be_entry_release_r(op, e); } return 0; }
static nss_status_t passwd_getpwuid(nss_backend_t UNUSED(*be), void *args) { NSS_GETONE(NSLCD_ACTION_PASSWD_BYUID, WRITE_INT32(fp, NSS_ARGS(args)->key.uid), read_result(fp, args)); }
/* write a single rpc entry to the stream */ static int write_rpc(TFILE *fp, MYLDAP_ENTRY *entry, const char *reqname) { int32_t tmpint32, tmp2int32, tmp3int32; const char *name; const char **aliases; const char **numbers; char *tmp; unsigned long number; int i; /* get the most canonical name */ name = myldap_get_rdn_value(entry, attmap_rpc_cn); /* get the other names for the rpc entries */ aliases = myldap_get_values(entry, attmap_rpc_cn); if ((aliases == NULL) || (aliases[0] == NULL)) { log_log(LOG_WARNING, "%s: %s: missing", myldap_get_dn(entry), attmap_rpc_cn); return 0; } /* if the rpc name is not yet found, get the first entry */ if (name == NULL) name = aliases[0]; /* check case of returned rpc entry */ if ((reqname != NULL) && (STR_CMP(reqname, name) != 0)) { for (i = 0; (aliases[i] != NULL) && (STR_CMP(reqname, aliases[i]) != 0); i++) /* nothing */ ; if (aliases[i] == NULL) return 0; /* neither the name nor any of the aliases matched */ } /* get the rpc number */ numbers = myldap_get_values(entry, attmap_rpc_oncRpcNumber); if ((numbers == NULL) || (numbers[0] == NULL)) { log_log(LOG_WARNING, "%s: %s: missing", myldap_get_dn(entry), attmap_rpc_oncRpcNumber); return 0; } else if (numbers[1] != NULL) { log_log(LOG_WARNING, "%s: %s: multiple values", myldap_get_dn(entry), attmap_rpc_oncRpcNumber); } errno = 0; number = strtol(numbers[0], &tmp, 10); if ((*(numbers[0]) == '\0') || (*tmp != '\0')) { log_log(LOG_WARNING, "%s: %s: non-numeric", myldap_get_dn(entry), attmap_rpc_oncRpcNumber); return 0; } else if ((errno != 0) || (number > UINT32_MAX)) { log_log(LOG_WARNING, "%s: %s: out of range", myldap_get_dn(entry), attmap_rpc_oncRpcNumber); return 0; } /* write the entry */ WRITE_INT32(fp, NSLCD_RESULT_BEGIN); WRITE_STRING(fp, name); WRITE_STRINGLIST_EXCEPT(fp, aliases, name); WRITE_INT32(fp, number); return 0; }
static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action) { struct berval dn, uid, svc, tty, rhost, ruser; int32_t tmpint32; char dnc[1024]; char svcc[256]; char uidc[32]; char ttyc[32]; char rhostc[256]; char ruserc[32]; slap_callback cb = {0}; SlapReply rs = {REP_RESULT}; char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE]; struct berval timestamp, bv[2], *nbv; time_t stamp; Modifications mod; READ_STRING(fp,uidc); uid.bv_val = uidc; uid.bv_len = tmpint32; READ_STRING(fp,dnc); dn.bv_val = dnc; dn.bv_len = tmpint32; READ_STRING(fp,svcc); svc.bv_val = svcc; svc.bv_len = tmpint32; READ_STRING(fp,ttyc); tty.bv_val = ttyc; tty.bv_len = tmpint32; READ_STRING(fp,rhostc); rhost.bv_val = rhostc; rhost.bv_len = tmpint32; READ_STRING(fp,ruserc); ruser.bv_val = ruserc; ruser.bv_len = tmpint32; READ_INT32(fp,stamp); Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(%s)\n", action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', dn.bv_val,0); if (!dn.bv_len || !ni->ni_pam_sessions) return 0; { int i, found=0; for (i=0; !BER_BVISNULL(&ni->ni_pam_sessions[i]); i++) { if (ni->ni_pam_sessions[i].bv_len != svc.bv_len) continue; if (!strcasecmp(ni->ni_pam_sessions[i].bv_val, svc.bv_val)) { found = 1; break; } } if (!found) return 0; } slap_op_time( &op->o_time, &op->o_tincr ); timestamp.bv_len = sizeof(timebuf); timestamp.bv_val = timebuf; if (action == NSLCD_ACTION_PAM_SESS_O ) stamp = op->o_time; slap_timestamp( &stamp, ×tamp ); bv[0].bv_len = timestamp.bv_len + global_host_bv.bv_len + svc.bv_len + tty.bv_len + ruser.bv_len + rhost.bv_len + STRLENOF(" (@)"); bv[0].bv_val = op->o_tmpalloc( bv[0].bv_len+1, op->o_tmpmemctx ); sprintf(bv[0].bv_val, "%s %s %s %s (%s@%s)", timestamp.bv_val, global_host_bv.bv_val, svc.bv_val, tty.bv_val, ruser.bv_val, rhost.bv_val); mod.sml_numvals = 1; mod.sml_values = bv; BER_BVZERO(&bv[1]); attr_normalize( ad_loginStatus, bv, &nbv, op->o_tmpmemctx ); mod.sml_nvalues = nbv; mod.sml_desc = ad_loginStatus; mod.sml_op = action == NSLCD_ACTION_PAM_SESS_O ? LDAP_MOD_ADD : LDAP_MOD_DELETE; mod.sml_flags = SLAP_MOD_INTERNAL; mod.sml_next = NULL; cb.sc_response = slap_null_cb; op->o_callback = &cb; op->o_tag = LDAP_REQ_MODIFY; op->o_dn = op->o_bd->be_rootdn; op->o_ndn = op->o_bd->be_rootndn; op->orm_modlist = &mod; op->orm_no_opattrs = 1; op->o_req_dn = dn; op->o_req_ndn = dn; op->o_bd->be_modify( op, &rs ); if ( mod.sml_next ) { slap_mods_free( mod.sml_next, 1 ); } ber_bvarray_free_x( nbv, op->o_tmpmemctx ); WRITE_INT32(fp,NSLCD_VERSION); WRITE_INT32(fp,action); WRITE_INT32(fp,NSLCD_RESULT_BEGIN); WRITE_INT32(fp,op->o_time); return 0; }
int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op) { struct berval npw; int32_t tmpint32; char dnc[1024]; char uidc[32]; char opwc[256]; char npwc[256]; char svcc[256]; struct paminfo pi; int rc; READ_STRING(fp,uidc); pi.uid.bv_val = uidc; pi.uid.bv_len = tmpint32; READ_STRING(fp,dnc); pi.dn.bv_val = dnc; pi.dn.bv_len = tmpint32; READ_STRING(fp,svcc); pi.svc.bv_val = svcc; pi.svc.bv_len = tmpint32; READ_STRING(fp,opwc); pi.pwd.bv_val = opwc; pi.pwd.bv_len = tmpint32; READ_STRING(fp,npwc); npw.bv_val = npwc; npw.bv_len = tmpint32; Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(%s), %s\n", pi.dn.bv_val,pi.uid.bv_val,0); BER_BVZERO(&pi.msg); /* This is a prelim check */ if (BER_BVISEMPTY(&pi.dn)) { rc = pam_do_bind(ni,fp,op,&pi); if (rc == NSLCD_PAM_IGNORE) rc = NSLCD_PAM_SUCCESS; } else { BerElementBuffer berbuf; BerElement *ber = (BerElement *)&berbuf; struct berval bv; SlapReply rs = {REP_RESULT}; slap_callback cb = {0}; ber_init_w_nullc(ber, LBER_USE_DER); ber_printf(ber, "{"); if (!BER_BVISEMPTY(&pi.pwd)) ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_OLD, &pi.pwd); if (!BER_BVISEMPTY(&npw)) ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, &npw); ber_printf(ber, "N}"); ber_flatten2(ber, &bv, 0); op->o_tag = LDAP_REQ_EXTENDED; op->ore_reqoid = slap_EXOP_MODIFY_PASSWD; op->ore_reqdata = &bv; op->o_dn = pi.dn; op->o_ndn = pi.dn; op->o_callback = &cb; op->o_conn->c_authz_backend = op->o_bd; cb.sc_response = slap_null_cb; op->o_bd = frontendDB; rc = op->o_bd->be_extended(op, &rs); if (rs.sr_text) ber_str2bv(rs.sr_text, 0, 0, &pi.msg); if (rc == LDAP_SUCCESS) rc = NSLCD_PAM_SUCCESS; else rc = NSLCD_PAM_PERM_DENIED; } WRITE_INT32(fp,NSLCD_VERSION); WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD); WRITE_INT32(fp,NSLCD_RESULT_BEGIN); WRITE_BERVAL(fp,&pi.uid); WRITE_BERVAL(fp,&pi.dn); WRITE_INT32(fp,rc); WRITE_BERVAL(fp,&pi.msg); return 0; }