int
shell_back_unbind(
Operation *op,
SlapReply *rs
)
{
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
FILE *rfp, *wfp;
if ( si->si_unbind == NULL ) {
return 0;
}
if ( forkandexec( si->si_unbind, &rfp, &wfp ) == (pid_t)-1 ) {
return 0;
}
/* write out the request to the unbind process */
fprintf( wfp, "UNBIND\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, op->o_bd );
fprintf( wfp, "dn: %s\n", (op->o_conn->c_dn.bv_len ? op->o_conn->c_dn.bv_val : "") );
fclose( wfp );
/* no response to unbind */
fclose( rfp );
return 0;
}
int
shell_back_compare(
Operation *op,
SlapReply *rs )
{
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *rfp, *wfp;
if ( si->si_compare == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"compare not implemented" );
return( -1 );
}
e.e_id = NOID;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( op, &e,
entry, NULL, ACL_READ, NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( forkandexec( si->si_compare, &rfp, &wfp ) == (pid_t)-1 ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not fork/exec" );
return( -1 );
}
/*
* FIX ME: This should use LDIF routines so that binary
* values are properly dealt with
*/
/* write out the request to the compare process */
fprintf( wfp, "COMPARE\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, op->o_bd );
fprintf( wfp, "dn: %s\n", op->o_req_dn.bv_val );
fprintf( wfp, "%s: %s\n",
op->oq_compare.rs_ava->aa_desc->ad_cname.bv_val,
op->oq_compare.rs_ava->aa_value.bv_val /* could be binary! */ );
fclose( wfp );
/* read in the result and send it along */
read_and_send_results( op, rs, rfp );
fclose( rfp );
return( 0 );
}
int
shell_back_search(
Backend *be,
Connection *conn,
Operation *op,
struct berval *base,
struct berval *nbase,
int scope,
int deref,
int size,
int time,
Filter *filter,
struct berval *filterstr,
AttributeName *attrs,
int attrsonly
)
{
struct shellinfo *si = (struct shellinfo *) be->be_private;
FILE *rfp, *wfp;
AttributeName *an;
if ( si->si_search == NULL ) {
send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM, NULL,
"search not implemented", NULL, NULL );
return( -1 );
}
if ( (op->o_private = (void *) forkandexec( si->si_search, &rfp, &wfp ))
== (void *) -1 ) {
send_ldap_result( conn, op, LDAP_OTHER, NULL,
"could not fork/exec", NULL, NULL );
return( -1 );
}
/* write out the request to the search process */
fprintf( wfp, "SEARCH\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, be );
fprintf( wfp, "base: %s\n", base->bv_val );
fprintf( wfp, "scope: %d\n", scope );
fprintf( wfp, "deref: %d\n", deref );
fprintf( wfp, "sizelimit: %d\n", size );
fprintf( wfp, "timelimit: %d\n", time );
fprintf( wfp, "filter: %s\n", filterstr->bv_val );
fprintf( wfp, "attrsonly: %d\n", attrsonly ? 1 : 0 );
fprintf( wfp, "attrs:%s", attrs == NULL ? " all" : "" );
for ( an = attrs; an && an->an_name.bv_val; an++ ) {
fprintf( wfp, " %s", an->an_name.bv_val );
}
fprintf( wfp, "\n" );
fclose( wfp );
/* read in the results and send them along */
read_and_send_results( be, conn, op, rfp, attrs, attrsonly );
fclose( rfp );
return( 0 );
}
int
shell_back_modrdn(
Operation *op,
SlapReply *rs )
{
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *rfp, *wfp;
if ( si->si_modrdn == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"modrdn not implemented" );
return( -1 );
}
e.e_id = NOID;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( op, &e, entry, NULL,
op->oq_modrdn.rs_newSup ? ACL_WDEL : ACL_WRITE,
NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( forkandexec( si->si_modrdn, &rfp, &wfp ) == (pid_t)-1 ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not fork/exec" );
return( -1 );
}
/* write out the request to the modrdn process */
fprintf( wfp, "MODRDN\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, op->o_bd );
fprintf( wfp, "dn: %s\n", op->o_req_dn.bv_val );
fprintf( wfp, "newrdn: %s\n", op->oq_modrdn.rs_newrdn.bv_val );
fprintf( wfp, "deleteoldrdn: %d\n", op->oq_modrdn.rs_deleteoldrdn ? 1 : 0 );
if ( op->oq_modrdn.rs_newSup != NULL ) {
fprintf( wfp, "newSuperior: %s\n", op->oq_modrdn.rs_newSup->bv_val );
}
fclose( wfp );
/* read in the results and send them along */
read_and_send_results( op, rs, rfp );
fclose( rfp );
return( 0 );
}
int
shell_back_search(
Operation *op,
SlapReply *rs )
{
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
FILE *rfp, *wfp;
AttributeName *an;
if ( si->si_search == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"search not implemented" );
return( -1 );
}
if ( forkandexec( si->si_search, &rfp, &wfp ) == (pid_t)-1 ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not fork/exec" );
return( -1 );
}
/* write out the request to the search process */
fprintf( wfp, "SEARCH\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, op->o_bd );
fprintf( wfp, "base: %s\n", op->o_req_dn.bv_val );
fprintf( wfp, "scope: %d\n", op->oq_search.rs_scope );
fprintf( wfp, "deref: %d\n", op->oq_search.rs_deref );
fprintf( wfp, "sizelimit: %d\n", op->oq_search.rs_slimit );
fprintf( wfp, "timelimit: %d\n", op->oq_search.rs_tlimit );
fprintf( wfp, "filter: %s\n", op->oq_search.rs_filterstr.bv_val );
fprintf( wfp, "attrsonly: %d\n", op->oq_search.rs_attrsonly ? 1 : 0 );
fprintf( wfp, "attrs:%s", op->oq_search.rs_attrs == NULL ? " all" : "" );
for ( an = op->oq_search.rs_attrs; an && an->an_name.bv_val; an++ ) {
fprintf( wfp, " %s", an->an_name.bv_val );
}
fprintf( wfp, "\n" );
fclose( wfp );
/* read in the results and send them along */
rs->sr_attrs = op->oq_search.rs_attrs;
read_and_send_results( op, rs, rfp );
fclose( rfp );
return( 0 );
}
int
shell_back_add(
Operation *op,
SlapReply *rs )
{
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
FILE *rfp, *wfp;
int len;
if ( si->si_add == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"add not implemented" );
return( -1 );
}
if ( ! access_allowed( op, op->oq_add.rs_e,
entry, NULL, ACL_WADD, NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( forkandexec( si->si_add, &rfp, &wfp ) == (pid_t)-1 ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not fork/exec" );
return( -1 );
}
/* write out the request to the add process */
fprintf( wfp, "ADD\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, op->o_bd );
ldap_pvt_thread_mutex_lock( &entry2str_mutex );
fprintf( wfp, "%s", entry2str( op->oq_add.rs_e, &len ) );
ldap_pvt_thread_mutex_unlock( &entry2str_mutex );
fclose( wfp );
/* read in the result and send it along */
read_and_send_results( op, rs, rfp );
fclose( rfp );
return( 0 );
}
int
shell_back_bind(
Operation *op,
SlapReply *rs )
{
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *rfp, *wfp;
int rc;
/* allow rootdn as a means to auth without the need to actually
* contact the proxied DSA */
switch ( be_rootdn_bind( op, rs ) ) {
case SLAP_CB_CONTINUE:
break;
default:
return rs->sr_err;
}
if ( si->si_bind == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"bind not implemented" );
return( -1 );
}
e.e_id = NOID;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( op, &e,
entry, NULL, ACL_AUTH, NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( forkandexec( si->si_bind, &rfp, &wfp ) == (pid_t)-1 ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not fork/exec" );
return( -1 );
}
/* write out the request to the bind process */
fprintf( wfp, "BIND\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, op->o_bd );
fprintf( wfp, "dn: %s\n", op->o_req_dn.bv_val );
fprintf( wfp, "method: %d\n", op->oq_bind.rb_method );
fprintf( wfp, "credlen: %lu\n", op->oq_bind.rb_cred.bv_len );
fprintf( wfp, "cred: %s\n", op->oq_bind.rb_cred.bv_val ); /* XXX */
fclose( wfp );
/* read in the results and send them along */
rc = read_and_send_results( op, rs, rfp );
fclose( rfp );
return( rc );
}
int
shell_back_modify(
Operation *op,
SlapReply *rs )
{
Modification *mod;
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Modifications *ml = op->orm_modlist;
Entry e;
FILE *rfp, *wfp;
int i;
if ( si->si_modify == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
"modify not implemented" );
return( -1 );
}
e.e_id = NOID;
e.e_name = op->o_req_dn;
e.e_nname = op->o_req_ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( op, &e,
entry, NULL, ACL_WRITE, NULL ) )
{
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1;
}
if ( forkandexec( si->si_modify, &rfp, &wfp ) == (pid_t)-1 ) {
send_ldap_error( op, rs, LDAP_OTHER,
"could not fork/exec" );
return( -1 );
}
/* write out the request to the modify process */
fprintf( wfp, "MODIFY\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, op->o_bd );
fprintf( wfp, "dn: %s\n", op->o_req_dn.bv_val );
for ( ; ml != NULL; ml = ml->sml_next ) {
mod = &ml->sml_mod;
switch ( mod->sm_op ) {
case LDAP_MOD_ADD:
fprintf( wfp, "add: %s\n", mod->sm_desc->ad_cname.bv_val );
break;
case LDAP_MOD_DELETE:
fprintf( wfp, "delete: %s\n", mod->sm_desc->ad_cname.bv_val );
break;
case LDAP_MOD_REPLACE:
fprintf( wfp, "replace: %s\n", mod->sm_desc->ad_cname.bv_val );
break;
}
if( mod->sm_values != NULL ) {
for ( i = 0; mod->sm_values[i].bv_val != NULL; i++ ) {
char *out = ldif_put( LDIF_PUT_VALUE,
mod->sm_desc->ad_cname.bv_val,
mod->sm_values[i].bv_val,
mod->sm_values[i].bv_len );
if ( out ) {
fprintf( wfp, "%s", out );
ber_memfree( out );
}
}
}
fprintf( wfp, "-\n" );
}
fclose( wfp );
/* read in the results and send them along */
read_and_send_results( op, rs, rfp );
fclose( rfp );
return( 0 );
}
/*
* Validate the pending changes in the e entry.
* If returntext is NULL, we log messages about invalid config
* to the errors log.
*/
int
pam_passthru_validate_config (Slapi_Entry* e, char *returntext)
{
int rc = PAM_PASSTHRU_FAILURE;
char *missing_suffix_str = NULL;
int missing_suffix;
int ii;
char **excludes = NULL;
char **includes = NULL;
char *pam_ident_attr = NULL;
char *map_method = NULL;
char *pam_filter_str = NULL;
Slapi_Filter *pam_filter = NULL;
/* first, get the missing_suffix flag and validate it */
missing_suffix_str = slapi_entry_attr_get_charptr(e, PAMPT_MISSING_SUFFIX_ATTR);
if ((missing_suffix = missing_suffix_to_int(missing_suffix_str)) < 0 ||
!check_missing_suffix_flag(missing_suffix)) {
if (returntext) {
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"Error: valid values for %s are %s",
PAMPT_MISSING_SUFFIX_ATTR, get_missing_suffix_values());
} else {
slapi_log_err(SLAPI_LOG_ERR, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"pam_passthru_validate_config - Valid values for %s are %s\n",
PAMPT_MISSING_SUFFIX_ATTR, get_missing_suffix_values());
}
goto done;
}
if (missing_suffix != PAMPT_MISSING_SUFFIX_IGNORE) {
char **missing_list = NULL;
/* get the list of excluded suffixes */
excludes = slapi_entry_attr_get_charray(e, PAMPT_EXCLUDES_ATTR);
for (ii = 0; excludes && excludes[ii]; ++ii) {
/* The excludes DNs are already normalized. */
Slapi_DN *comp_dn = slapi_sdn_new_normdn_byref(excludes[ii]);
if (!slapi_be_exist(comp_dn)) {
charray_add(&missing_list, slapi_ch_strdup(excludes[ii]));
}
slapi_sdn_free(&comp_dn);
}
/* get the list of included suffixes */
includes = slapi_entry_attr_get_charray(e, PAMPT_INCLUDES_ATTR);
for (ii = 0; includes && includes[ii]; ++ii) {
/* The includes DNs are already normalized. */
Slapi_DN *comp_dn = slapi_sdn_new_normdn_byref(includes[ii]);
if (!slapi_be_exist(comp_dn)) {
charray_add(&missing_list, slapi_ch_strdup(includes[ii]));
}
slapi_sdn_free(&comp_dn);
}
if (missing_list) {
if (returntext) {
PRUint32 size =
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"The following suffixes listed in %s or %s are not present in this "
"server: ", PAMPT_EXCLUDES_ATTR, PAMPT_INCLUDES_ATTR);
for (ii = 0; missing_list[ii]; ++ii) {
if (size < SLAPI_DSE_RETURNTEXT_SIZE) {
size += PR_snprintf(returntext+size, SLAPI_DSE_RETURNTEXT_SIZE-size,
"%s%s", (ii > 0) ? "; " : "",
missing_list[ii]);
}
}
} else {
slapi_log_err(SLAPI_LOG_ERR, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"pam_passthru_validate_config - The suffixes listed in %s or %s are not present in "
"this server\n", PAMPT_EXCLUDES_ATTR, PAMPT_INCLUDES_ATTR);
}
slapi_ch_array_free(missing_list);
missing_list = NULL;
print_suffixes();
if (missing_suffix != PAMPT_MISSING_SUFFIX_ERROR) {
if (returntext) {
slapi_log_err(SLAPI_LOG_ERR, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"pam_passthru_validate_config - Warning: %s\n", returntext);
*returntext = 0; /* log error, don't report back to user */
}
} else {
goto done;
}
}
}
pam_ident_attr = slapi_entry_attr_get_charptr(e, PAMPT_PAM_IDENT_ATTR);
map_method = slapi_entry_attr_get_charptr(e, PAMPT_MAP_METHOD_ATTR);
if (map_method) {
int one, two, three;
if (PAM_PASSTHRU_SUCCESS !=
(rc = parse_map_method(map_method, &one, &two, &three, returntext))) {
goto done; /* returntext set already (or error logged) */
}
if (!pam_ident_attr &&
((one == PAMPT_MAP_METHOD_ENTRY) || (two == PAMPT_MAP_METHOD_ENTRY) ||
(three == PAMPT_MAP_METHOD_ENTRY))) {
if (returntext) {
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Error: the %s method"
" was specified, but no %s was given",
PAMPT_MAP_METHOD_ENTRY_STRING, PAMPT_PAM_IDENT_ATTR);
} else {
slapi_log_err(SLAPI_LOG_ERR, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"pam_passthru_validate_config - The %s method was specified, but no %s was given\n",
PAMPT_MAP_METHOD_ENTRY_STRING, PAMPT_PAM_IDENT_ATTR);
}
rc = PAM_PASSTHRU_FAILURE;
goto done;
}
if ((one == PAMPT_MAP_METHOD_NONE) && (two == PAMPT_MAP_METHOD_NONE) &&
(three == PAMPT_MAP_METHOD_NONE)) {
if (returntext) {
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Error: no method(s)"
" specified for %s, should be one or more of %s",
PAMPT_MAP_METHOD_ATTR, get_map_method_values());
} else {
slapi_log_err(SLAPI_LOG_ERR, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"pam_passthru_validate_config - No method(s) specified for %s, should be "
"one or more of %s\n", PAMPT_MAP_METHOD_ATTR,
get_map_method_values());
}
rc = PAM_PASSTHRU_FAILURE;
goto done;
}
}
/* Validate filter by converting to Slapi_Filter */
pam_filter_str = slapi_entry_attr_get_charptr(e, PAMPT_FILTER_ATTR);
if (pam_filter_str) {
pam_filter = slapi_str2filter(pam_filter_str);
if (pam_filter == NULL) {
if (returntext) {
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Error: invalid "
"filter specified for %s (filter: \"%s\")",
PAMPT_FILTER_ATTR, pam_filter_str);
} else {
slapi_log_err(SLAPI_LOG_ERR, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"pam_passthru_validate_config - Invalid filter specified for %s "
"(filter: \"%s\")\n", PAMPT_FILTER_ATTR,
pam_filter_str);
}
rc = PAM_PASSTHRU_FAILURE;
goto done;
}
}
/* success */
rc = PAM_PASSTHRU_SUCCESS;
done:
slapi_ch_free_string(&map_method);
slapi_ch_free_string(&pam_ident_attr);
slapi_ch_array_free(excludes);
excludes = NULL;
slapi_ch_array_free(includes);
includes = NULL;
slapi_ch_free_string(&missing_suffix_str);
slapi_ch_free_string(&pam_filter_str);
slapi_filter_free(pam_filter, 1);
return rc;
}
int
shell_back_bind(
Backend *be,
Connection *conn,
Operation *op,
struct berval *dn,
struct berval *ndn,
int method,
struct berval *cred,
struct berval *edn
)
{
struct shellinfo *si = (struct shellinfo *) be->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *rfp, *wfp;
int rc;
if ( si->si_bind == NULL ) {
send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM, NULL,
"bind not implemented", NULL, NULL );
return( -1 );
}
e.e_id = NOID;
e.e_name = *dn;
e.e_nname = *ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( be, conn, op, &e,
entry, NULL, ACL_AUTH, NULL ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
return -1;
}
if ( (op->o_private = (void *) forkandexec( si->si_bind, &rfp, &wfp ))
== (void *) -1 ) {
send_ldap_result( conn, op, LDAP_OTHER, NULL,
"could not fork/exec", NULL, NULL );
return( -1 );
}
/* write out the request to the bind process */
fprintf( wfp, "BIND\n" );
fprintf( wfp, "msgid: %ld\n", (long) op->o_msgid );
print_suffixes( wfp, be );
fprintf( wfp, "dn: %s\n", dn->bv_val );
fprintf( wfp, "method: %d\n", method );
fprintf( wfp, "credlen: %lu\n", cred->bv_len );
fprintf( wfp, "cred: %s\n", cred->bv_val ); /* XXX */
fclose( wfp );
/* read in the results and send them along */
rc = read_and_send_results( be, conn, op, rfp, NULL, 0 );
fclose( rfp );
return( rc );
}