authorAlexander Bokovoy <abokovoy@redhat.com>2013-07-31 14:29:31 +0300
committerNalin Dahyabhai <nalin@dahyabhai.net>2013-08-07 11:33:56 -0400
commite609af8d68a8d3f534dfd4ea000a23c718de8c75 (patch)
tree18909ed739e3710a0702ab1d966820c9a7fe1723
parent87fcea3db1d716a9e0cd8e86c038d44342bd2b27 (diff)
back-sch: use plugin configuration to decide whether NSSWITCH should be consulted
When an instance of the schema compat plugin is configured to consult NSSWITCH, promote its configuration to the backend. Default to not consulting NSSWITCH.
-rw-r--r--src/back-sch.c45
1 files changed, 44 insertions, 1 deletions
diff --git a/src/back-sch.c b/src/back-sch.c
index 0dc11c5..8911568 100644
--- a/src/back-sch.c
+++ b/src/back-sch.c
@@ -28,6 +28,7 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
+#include <errno.h>
#ifdef HAVE_DIRSRV_SLAPI_PLUGIN_H
#include <nspr.h>
@@ -133,6 +134,9 @@ backend_copy_set_config(const struct backend_set_data *data)
ret->rdn_format = strdup(data->rdn_format);
ret->attribute_format = backend_shr_dup_strlist(data->attribute_format);
ret->check_access = data->check_access;
+ ret->check_nsswitch = data->check_nsswitch;
+ ret->nsswitch_min_id = data->nsswitch_min_id;
+
if ((ret->common.group == NULL) ||
(ret->common.set == NULL) ||
(ret->common.bases == NULL) ||
@@ -151,7 +155,7 @@ backend_set_config_read_config(struct plugin_state *state, Slapi_Entry *e,
const char *group, const char *container,
bool_t *flag, struct backend_shr_set_data **pret)
{
- char **bases, *entry_filter, **attributes, *rdn_format, *dn;
+ char **bases, *entry_filter, **attributes, *rdn_format, *dn, *nsswitch_min_id, *check_nsswitch, *strp;
bool_t check_access;
struct backend_set_data ret;
Slapi_DN *tmp_sdn;
@@ -166,6 +170,10 @@ backend_set_config_read_config(struct plugin_state *state, Slapi_Entry *e,
check_access = backend_shr_get_vattr_boolean(state, e,
SCH_CONTAINER_CONFIGURATION_ACCESS_ATTR,
TRUE);
+ check_nsswitch = backend_shr_get_vattr_str(state, e,
+ SCH_CONTAINER_CONFIGURATION_NSSWITCH_ATTR);
+ nsswitch_min_id = backend_shr_get_vattr_str(state, e,
+ SCH_CONTAINER_CONFIGURATION_NSSWITCH_MIN_ID_ATTR);
attributes = backend_shr_get_vattr_strlist(state, e,
SCH_CONTAINER_CONFIGURATION_ATTR_ATTR);
/* Populate the returned structure. */
@@ -200,6 +208,41 @@ backend_set_config_read_config(struct plugin_state *state, Slapi_Entry *e,
ret.rdn_format = rdn_format;
ret.attribute_format = attributes;
ret.check_access = check_access;
+
+ if (check_nsswitch != NULL) {
+ if (strcasecmp(check_nsswitch, "group") == 0) {
+ ret.check_nsswitch = SCH_NSSWITCH_GROUP;
+ } else if (strcasecmp(check_nsswitch, "user") == 0) {
+ ret.check_nsswitch = SCH_NSSWITCH_USER;
+ } else {
+ ret.check_nsswitch = SCH_NSSWITCH_NONE;
+ }
+ } else {
+ ret.check_nsswitch = SCH_NSSWITCH_NONE;
+ }
+
+ /* Make sure we don't return system users/groups
+ * by limiting lower bound on searches.
+ * If config value cannot be parsed or not specified, default to 1000.
+ * It is OK to specify something lower in the config as some Linux distributions force lower limit to 500 */
+ ret.nsswitch_min_id = 1000; /* default in Fedora */
+ if (nsswitch_min_id != NULL) {
+ errno = 0;
+ ret.nsswitch_min_id = strtoul(nsswitch_min_id, &strp, 10);
+ if ((errno != 0) || ((strp != NULL) && (*strp != '\0'))) {
+ /* enforce id in case of an error or too low limit */
+ ret.nsswitch_min_id = 1000;
+ }
+ }
+
+ if (ret.check_nsswitch != SCH_NSSWITCH_NONE) {
+ /* Auto-populate attributes based on selected NSSWITCH tree
+ * and add special attribute to track whether the entry requires PAM-based bind */
+ backend_shr_add_strlist(&ret.attribute_format, "objectClass=extensibleObject");
+ backend_shr_add_strlist(&ret.attribute_format, "schema-compat-origin=%{schema-compat-origin}");
+ backend_shr_add_strlist(&ret.attribute_format, "ipaNTSecurityIdentifier=%{ipaNTSecurityIdentifier}");
+ }
+
*pret = backend_copy_set_config(&ret);
free(ret.common.group);
free(ret.common.set);
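Review bot: The strtoul guard `if ((errno != 0) || ((strp != NULL) && (*strp != '\0')))` does not catch the no-digits case: for an empty nsswitch_min_id string strp points at the input's terminating NUL, so the minimum id silently becomes 0 on platforms where strtoul leaves errno untouched for a no-conversion result, and a value with a leading '-' is accepted by strtoul and wraps to a very large unsigned value without ERANGE. The comment on the fallback line promises to reject a "too low limit", but no such comparison exists, so either the check or the comment should change. A guard such as `if ((errno != 0) || (strp == nsswitch_min_id) || (*strp != '\0') || (*nsswitch_min_id == '-'))` rejects both malformed forms while keeping the documented default of 1000. backend_set_config_read_config continues past the hunk, so whether the strings returned by backend_shr_get_vattr_str for check_nsswitch and nsswitch_min_id are released is not visible here; if they are heap-allocated like the other vattr results, they need a matching free() next to the existing ones.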