|
|
|---|
| 83 |
diff -Nur openldap-2.4.42+dfsg.o/contrib/slapd-modules/shadowbind/shadowbind.c openldap-2.4.42+dfsg/contrib/slapd-modules/shadowbind/shadowbind.c |
83 |
diff -Nur openldap-2.4.42+dfsg.o/contrib/slapd-modules/shadowbind/shadowbind.c openldap-2.4.42+dfsg/contrib/slapd-modules/shadowbind/shadowbind.c |
| 84 |
--- openldap-2.4.42+dfsg.o/contrib/slapd-modules/shadowbind/shadowbind.c 1970-01-01 01:00:00.000000000 +0100 |
84 |
--- openldap-2.4.42+dfsg.o/contrib/slapd-modules/shadowbind/shadowbind.c 1970-01-01 01:00:00.000000000 +0100 |
| 85 |
+++ openldap-2.4.42+dfsg/contrib/slapd-modules/shadowbind/shadowbind.c 2016-08-31 20:10:52.747816000 +0200 |
85 |
+++ openldap-2.4.42+dfsg/contrib/slapd-modules/shadowbind/shadowbind.c 2016-08-31 20:10:52.747816000 +0200 |
| 86 |
@@ -0,0 +1,358 @@ |
86 |
@@ -0,0 +1,380 @@ |
| 87 |
+/* shadowbind.c - overlay to deny login based shadow settings */ |
87 |
+/* shadowbind.c - overlay to deny login based shadow settings */ |
| 88 |
+ |
88 |
+ |
| 89 |
+/* |
89 |
+/* |
|
|
|---|
| 145 |
+#define SLAPD_SHADOW_MAX_ATTR "shadowMax" |
145 |
+#define SLAPD_SHADOW_MAX_ATTR "shadowMax" |
| 146 |
+#define SLAPD_SHADOW_LAST_CHANGE_ATTR "shadowLastChange" |
146 |
+#define SLAPD_SHADOW_LAST_CHANGE_ATTR "shadowLastChange" |
| 147 |
+#define SLAPD_SHADOW_EXPIRE_ATTR "shadowExpire" |
147 |
+#define SLAPD_SHADOW_EXPIRE_ATTR "shadowExpire" |
|
|
148 |
+#define SLAPD_USER_PASSWORD "userPassword" |
| 149 |
+#define KINIT_SCHEME "{KINIT}" |
| 148 |
+ |
150 |
+ |
| 149 |
+static AttributeDescription *attr_shadowMax; |
151 |
+static AttributeDescription *attr_shadowMax; |
| 150 |
+static AttributeDescription *attr_shadowLastChange; |
152 |
+static AttributeDescription *attr_shadowLastChange; |
| 151 |
+static AttributeDescription *attr_shadowExpire; |
153 |
+static AttributeDescription *attr_shadowExpire; |
|
|
154 |
+static AttributeDescription *attr_userPassword; |
| 152 |
+ |
155 |
+ |
| 153 |
+static ObjectClass *oc_shadowAccount; |
156 |
+static ObjectClass *oc_shadowAccount; |
| 154 |
+ |
157 |
+ |
|
|
|---|
| 249 |
+ return rc; |
252 |
+ return rc; |
| 250 |
+ } |
253 |
+ } |
| 251 |
+ } |
254 |
+ } |
|
|
255 |
+ if (attr_userPassword == NULL) { |
| 256 |
+ rc = slap_str2ad( SLAPD_USER_PASSWORD, &attr_userPassword, &err ); |
| 257 |
+ if ( rc != LDAP_SUCCESS ) { |
| 258 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_db_open: " |
| 259 |
+ "unable to find attribute=\"%s\": %s (%d)\n", |
| 260 |
+ SLAPD_USER_PASSWORD, err, rc ); |
| 261 |
+ return rc; |
| 262 |
+ } |
| 263 |
+ } |
| 252 |
+ |
264 |
+ |
| 253 |
+ return 0; |
265 |
+ return 0; |
| 254 |
+} |
266 |
+} |
|
|
|---|
| 297 |
+ return SLAP_CB_CONTINUE; |
309 |
+ return SLAP_CB_CONTINUE; |
| 298 |
+ } |
310 |
+ } |
| 299 |
+ |
311 |
+ |
|
|
312 |
+ /* ignore objects with userPassword={KINIT}, authentication of these objects is delegated to |
| 313 |
+ a (ad) krb5 server and we have nothing to do with authentication/authorization */ |
| 314 |
+ a = attr_find(e->e_attrs, attr_userPassword); |
| 315 |
+ if ( a != NULL && a->a_nvals[0].bv_val != NULL ) { |
| 316 |
+ if (strcmp(a->a_nvals[0].bv_val, KINIT_SCHEME) == 0) { |
| 317 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: ignore %s, found kinit scheme\n", op->o_req_ndn.bv_val, 0, 0); |
| 318 |
+ goto done; |
| 319 |
+ } |
| 320 |
+ } |
| 321 |
+ |
| 300 |
+ /* ignore non shadowAccount objects */ |
322 |
+ /* ignore non shadowAccount objects */ |
| 301 |
+ if ( !is_entry_objectclass(e, oc_shadowAccount, 0 ) ) { |
323 |
+ if ( !is_entry_objectclass(e, oc_shadowAccount, 0 ) ) { |
| 302 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: ignore non shadowAccount %s\n", op->o_req_ndn.bv_val, 0, 0 ); |
324 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: ignore non shadowAccount %s\n", op->o_req_ndn.bv_val, 0, 0 ); |
|
|
|---|
| 305 |
+ |
327 |
+ |
| 306 |
+ /* ignore objects that match the ignore filter */ |
328 |
+ /* ignore objects that match the ignore filter */ |
| 307 |
+ if ( cfg->ignore_filter && test_filter( NULL, e, cfg->ignore_filter ) == LDAP_COMPARE_TRUE ) { |
329 |
+ if ( cfg->ignore_filter && test_filter( NULL, e, cfg->ignore_filter ) == LDAP_COMPARE_TRUE ) { |
| 308 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: object %s matches ignore filter", op->o_req_ndn.bv_val, 0, 0 ); |
330 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: object %s matches ignore filter\n", op->o_req_ndn.bv_val, 0, 0 ); |
| 309 |
+ goto done; |
331 |
+ goto done; |
| 310 |
+ } |
332 |
+ } |
| 311 |
+ |
333 |
+ |
|
|
|---|
| 346 |
+ } |
368 |
+ } |
| 347 |
+ } |
369 |
+ } |
| 348 |
+ } |
370 |
+ } |
|
|
371 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: no shadow restrictions, your good to go\n", NULL, 0, 0 ); |
| 349 |
+ |
372 |
+ |
| 350 |
+done: |
373 |
+done: |
| 351 |
+ overlay_entry_release_ov(op, e, 0, on); |
374 |
+ overlay_entry_release_ov(op, e, 0, on); |
|
|
|---|
| 441 |
+#endif /* SLAPD_OVER_SHADOWBIND == SLAPD_MOD_DYNAMIC */ |
464 |
+#endif /* SLAPD_OVER_SHADOWBIND == SLAPD_MOD_DYNAMIC */ |
| 442 |
+ |
465 |
+ |
| 443 |
+#endif /* SLAPD_OVER_SHADOWBIND */ |
466 |
+#endif /* SLAPD_OVER_SHADOWBIND */ |
| 444 |
+ |
|
|