Index: 97_shadowbind_overlay.quilt
===================================================================
--- 97_shadowbind_overlay.quilt (Revision 17287)
+++ 97_shadowbind_overlay.quilt (Arbeitskopie)
@@ -83,7 +83,7 @@
diff -Nur openldap-2.4.42+dfsg.o/contrib/slapd-modules/shadowbind/shadowbind.c openldap-2.4.42+dfsg/contrib/slapd-modules/shadowbind/shadowbind.c
--- openldap-2.4.42+dfsg.o/contrib/slapd-modules/shadowbind/shadowbind.c 1970-01-01 01:00:00.000000000 +0100
+++ openldap-2.4.42+dfsg/contrib/slapd-modules/shadowbind/shadowbind.c 2016-08-31 20:10:52.747816000 +0200
-@@ -0,0 +1,358 @@
+@@ -0,0 +1,380 @@
+/* shadowbind.c - overlay to deny login based shadow settings */
+
+/*
@@ -145,10 +145,13 @@
+#define SLAPD_SHADOW_MAX_ATTR "shadowMax"
+#define SLAPD_SHADOW_LAST_CHANGE_ATTR "shadowLastChange"
+#define SLAPD_SHADOW_EXPIRE_ATTR "shadowExpire"
++#define SLAPD_USER_PASSWORD "userPassword"
++#define KINIT_SCHEME "{KINIT}"
+
+static AttributeDescription *attr_shadowMax;
+static AttributeDescription *attr_shadowLastChange;
+static AttributeDescription *attr_shadowExpire;
++static AttributeDescription *attr_userPassword;
+
+static ObjectClass *oc_shadowAccount;
+
@@ -249,6 +252,15 @@
+ return rc;
+ }
+ }
++ if (attr_userPassword == NULL) {
++ rc = slap_str2ad( SLAPD_USER_PASSWORD, &attr_userPassword, &err );
++ if ( rc != LDAP_SUCCESS ) {
++ Debug( LDAP_DEBUG_ANY, "shadowbind_db_open: "
++ "unable to find attribute=\"%s\": %s (%d)\n",
++ SLAPD_USER_PASSWORD, err, rc );
++ return rc;
++ }
++ }
+
+ return 0;
+}
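Review bot: The `slap_str2ad( SLAPD_USER_PASSWORD, &attr_userPassword, &err )` lookup added to shadowbind_db_open resolves an attribute that slapd's core schema already exposes at startup as `slap_schema.si_ad_userPassword`, so the new `attr_userPassword` global, the `SLAPD_USER_PASSWORD` define and this error path can be replaced by that constant: `a = attr_find( e->e_attrs, slap_schema.si_ad_userPassword );` at the use site. userPassword is part of the hard-wired core schema, so in practice this lookup should never fail; if it is kept anyway, the path is at least consistent with the three shadow lookups above it. The body of shadowbind_db_open starts before this hunk.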
@@ -297,6 +309,16 @@
+ return SLAP_CB_CONTINUE;
+ }
+
++ /* ignore objects with userPassword={KINIT}, authentication of these objects is delegated to
++ a (ad) krb5 server and we have nothing to do with authentication/authorization */
++ a = attr_find(e->e_attrs, attr_userPassword);
++ if ( a != NULL && a->a_nvals[0].bv_val != NULL ) {
++ if (strcmp(a->a_nvals[0].bv_val, KINIT_SCHEME) == 0) {
++ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: ignore %s, found kinit scheme\n", op->o_req_ndn.bv_val, 0, 0);
++ goto done;
++ }
++ }
++
+ /* ignore non shadowAccount objects */
+ if ( !is_entry_objectclass(e, oc_shadowAccount, 0 ) ) {
+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: ignore non shadowAccount %s\n", op->o_req_ndn.bv_val, 0, 0 );
@@ -305,7 +327,7 @@
+
+ /* ignore objects that match the ignore filter */
+ if ( cfg->ignore_filter && test_filter( NULL, e, cfg->ignore_filter ) == LDAP_COMPARE_TRUE ) {
-+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: object %s matches ignore filter", op->o_req_ndn.bv_val, 0, 0 );
++ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: object %s matches ignore filter\n", op->o_req_ndn.bv_val, 0, 0 );
+ goto done;
+ }
+
@@ -346,6 +368,7 @@
+ }
+ }
+ }
++ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: no shadow restrictions, your good to go\n", NULL, 0, 0 );
+
+done:
+ overlay_entry_release_ov(op, e, 0, on);
@@ -441,4 +464,3 @@
+#endif /* SLAPD_OVER_SHADOWBIND == SLAPD_MOD_DYNAMIC */
+
+#endif /* SLAPD_OVER_SHADOWBIND */
-+
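Review bot: The new {KINIT} short-circuit in shadowbind_bind_response inspects only `a->a_nvals[0]`, so an entry carrying `{KINIT}` as its first userPassword value and a real hash as a second one skips shadowExpire/shadowMax enforcement entirely, even though the hash still lets it bind against slapd itself; the bypass should apply only when every value is exactly `{KINIT}`. Because the check also precedes the shadowAccount and ignore-filter tests, it now applies to every entry that binds, which looks intended but deserves a sentence in the comment. If this directory's ACLs grant `userPassword` self-write (common for shadowAccount users), a user can plant `{KINIT}` themselves and opt out of the shadow checks, so the comment should state that the value is expected to be administrator-controlled. `strcmp` is case-sensitive while slapd's password-scheme matching is not, so `{kinit}` falls through to the shadow checks — fail-safe, but worth aligning with `strcasecmp` if the delegating module accepts that spelling. The index `i` below needs declaring at the top of the function, which lies outside this hunk.
```c
	/* skip shadow checks only if every userPassword value is the {KINIT} marker */
	a = attr_find( e->e_attrs, attr_userPassword );
	if ( a != NULL && a->a_nvals[0].bv_val != NULL ) {
		for ( i = 0; !BER_BVISNULL( &a->a_nvals[i] ); i++ ) {
			if ( strcmp( a->a_nvals[i].bv_val, KINIT_SCHEME ) != 0 ) break;
		}
		if ( BER_BVISNULL( &a->a_nvals[i] ) ) {
			Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: ignore %s, found kinit scheme\n", op->o_req_ndn.bv_val, 0, 0 );
			goto done;
		}
	}
	/* … unchanged: shadowAccount and ignore-filter checks … */
```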
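Review bot: The log line added after the shadow checks reads `your good to go`; it should be `you're good to go`, and emitting it at LDAP_DEBUG_ANY means every successful bind of a shadowAccount entry logs a line on production servers — LDAP_DEBUG_TRACE fits a "nothing to do" outcome better, although the surrounding file logs at ANY throughout, so this may be a deliberate project convention. The call passes `NULL, 0, 0` as filler arguments for a format with no conversions; `0, 0, 0` matches the other `Debug` calls in this file. The enclosing function continues past the `done:` label beyond this hunk.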