|
83 |
diff -Nur openldap-2.4.42+dfsg.o/contrib/slapd-modules/shadowbind/shadowbind.c openldap-2.4.42+dfsg/contrib/slapd-modules/shadowbind/shadowbind.c |
83 |
diff -Nur openldap-2.4.42+dfsg.o/contrib/slapd-modules/shadowbind/shadowbind.c openldap-2.4.42+dfsg/contrib/slapd-modules/shadowbind/shadowbind.c |
84 |
--- openldap-2.4.42+dfsg.o/contrib/slapd-modules/shadowbind/shadowbind.c 1970-01-01 01:00:00.000000000 +0100 |
84 |
--- openldap-2.4.42+dfsg.o/contrib/slapd-modules/shadowbind/shadowbind.c 1970-01-01 01:00:00.000000000 +0100 |
85 |
+++ openldap-2.4.42+dfsg/contrib/slapd-modules/shadowbind/shadowbind.c 2016-08-31 20:10:52.747816000 +0200 |
85 |
+++ openldap-2.4.42+dfsg/contrib/slapd-modules/shadowbind/shadowbind.c 2016-08-31 20:10:52.747816000 +0200 |
86 |
@@ -0,0 +1,358 @@ |
86 |
@@ -0,0 +1,380 @@ |
87 |
+/* shadowbind.c - overlay to deny login based shadow settings */ |
87 |
+/* shadowbind.c - overlay to deny login based shadow settings */ |
88 |
+ |
88 |
+ |
89 |
+/* |
89 |
+/* |
|
145 |
+#define SLAPD_SHADOW_MAX_ATTR "shadowMax" |
145 |
+#define SLAPD_SHADOW_MAX_ATTR "shadowMax" |
146 |
+#define SLAPD_SHADOW_LAST_CHANGE_ATTR "shadowLastChange" |
146 |
+#define SLAPD_SHADOW_LAST_CHANGE_ATTR "shadowLastChange" |
147 |
+#define SLAPD_SHADOW_EXPIRE_ATTR "shadowExpire" |
147 |
+#define SLAPD_SHADOW_EXPIRE_ATTR "shadowExpire" |
|
|
148 |
+#define SLAPD_USER_PASSWORD "userPassword" |
149 |
+#define KINIT_SCHEME "{KINIT}" |
148 |
+ |
150 |
+ |
149 |
+static AttributeDescription *attr_shadowMax; |
151 |
+static AttributeDescription *attr_shadowMax; |
150 |
+static AttributeDescription *attr_shadowLastChange; |
152 |
+static AttributeDescription *attr_shadowLastChange; |
151 |
+static AttributeDescription *attr_shadowExpire; |
153 |
+static AttributeDescription *attr_shadowExpire; |
|
|
154 |
+static AttributeDescription *attr_userPassword; |
152 |
+ |
155 |
+ |
153 |
+static ObjectClass *oc_shadowAccount; |
156 |
+static ObjectClass *oc_shadowAccount; |
154 |
+ |
157 |
+ |
|
249 |
+ return rc; |
252 |
+ return rc; |
250 |
+ } |
253 |
+ } |
251 |
+ } |
254 |
+ } |
|
|
255 |
+ if (attr_userPassword == NULL) { |
256 |
+ rc = slap_str2ad( SLAPD_USER_PASSWORD, &attr_userPassword, &err ); |
257 |
+ if ( rc != LDAP_SUCCESS ) { |
258 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_db_open: " |
259 |
+ "unable to find attribute=\"%s\": %s (%d)\n", |
260 |
+ SLAPD_USER_PASSWORD, err, rc ); |
261 |
+ return rc; |
262 |
+ } |
263 |
+ } |
252 |
+ |
264 |
+ |
253 |
+ return 0; |
265 |
+ return 0; |
254 |
+} |
266 |
+} |
|
297 |
+ return SLAP_CB_CONTINUE; |
309 |
+ return SLAP_CB_CONTINUE; |
298 |
+ } |
310 |
+ } |
299 |
+ |
311 |
+ |
|
|
312 |
+ /* ignore objects with userPassword={KINIT}, authentication of these objects is delegated to |
313 |
+ a (ad) krb5 server and we have nothing to do with authentication/authorization */ |
314 |
+ a = attr_find(e->e_attrs, attr_userPassword); |
315 |
+ if ( a != NULL && a->a_nvals[0].bv_val != NULL ) { |
316 |
+ if (strcmp(a->a_nvals[0].bv_val, KINIT_SCHEME) == 0) { |
317 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: ignore %s, found kinit scheme\n", op->o_req_ndn.bv_val, 0, 0); |
318 |
+ goto done; |
319 |
+ } |
320 |
+ } |
321 |
+ |
300 |
+ /* ignore non shadowAccount objects */ |
322 |
+ /* ignore non shadowAccount objects */ |
301 |
+ if ( !is_entry_objectclass(e, oc_shadowAccount, 0 ) ) { |
323 |
+ if ( !is_entry_objectclass(e, oc_shadowAccount, 0 ) ) { |
302 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: ignore non shadowAccount %s\n", op->o_req_ndn.bv_val, 0, 0 ); |
324 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: ignore non shadowAccount %s\n", op->o_req_ndn.bv_val, 0, 0 ); |
|
305 |
+ |
327 |
+ |
306 |
+ /* ignore objects that match the ignore filter */ |
328 |
+ /* ignore objects that match the ignore filter */ |
307 |
+ if ( cfg->ignore_filter && test_filter( NULL, e, cfg->ignore_filter ) == LDAP_COMPARE_TRUE ) { |
329 |
+ if ( cfg->ignore_filter && test_filter( NULL, e, cfg->ignore_filter ) == LDAP_COMPARE_TRUE ) { |
308 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: object %s matches ignore filter", op->o_req_ndn.bv_val, 0, 0 ); |
330 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: object %s matches ignore filter\n", op->o_req_ndn.bv_val, 0, 0 ); |
309 |
+ goto done; |
331 |
+ goto done; |
310 |
+ } |
332 |
+ } |
311 |
+ |
333 |
+ |
|
346 |
+ } |
368 |
+ } |
347 |
+ } |
369 |
+ } |
348 |
+ } |
370 |
+ } |
|
|
371 |
+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: no shadow restrictions, your good to go\n", NULL, 0, 0 ); |
349 |
+ |
372 |
+ |
350 |
+done: |
373 |
+done: |
351 |
+ overlay_entry_release_ov(op, e, 0, on); |
374 |
+ overlay_entry_release_ov(op, e, 0, on); |
|
441 |
+#endif /* SLAPD_OVER_SHADOWBIND == SLAPD_MOD_DYNAMIC */ |
464 |
+#endif /* SLAPD_OVER_SHADOWBIND == SLAPD_MOD_DYNAMIC */ |
442 |
+ |
465 |
+ |
443 |
+#endif /* SLAPD_OVER_SHADOWBIND */ |
466 |
+#endif /* SLAPD_OVER_SHADOWBIND */ |
444 |
+ |
|
|