Diffstat (limited to 'src/back-sch-pam.c')
-rw-r--r-- | src/back-sch-pam.c | 44 |
1 files changed, 10 insertions, 34 deletions
diff --git a/src/back-sch-pam.c b/src/back-sch-pam.c index 3266261..c37758a 100644 --- a/src/back-sch-pam.c +++ b/src/back-sch-pam.c @@ -54,12 +54,7 @@ #include <security/pam_appl.h> - -/* - * PAM is not thread safe. We have to execute any PAM API calls in - * a critical section. This is the lock that protects that code. - */ -static Slapi_Mutex *PAMLock = NULL; +#include "format.h" /* Utility struct to wrap strings to avoid mallocs if possible - use stack allocated string space */ @@ -98,15 +93,6 @@ struct my_pam_conv_str { char *pam_identity; }; -/* returns a berval value as a null terminated string */ -static char *strdupbv(struct berval *bv) -{ - char *str = slapi_ch_malloc(bv->bv_len+1); - memcpy(str, bv->bv_val, bv->bv_len); - str[bv->bv_len] = 0; - return str; -} - static void free_pam_response(int nresp, struct pam_response *resp) { 
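Review bot: Dropping `static Slapi_Mutex *PAMLock` here, together with the `slapi_lock_mutex`/`slapi_unlock_mutex` calls in the `@@ -226` and `@@ -304` hunks and the lazy `slapi_new_mutex()` in `@@ -334`, leaves the PAM calls between `pam_start` and `pam_end` in `do_pam_auth` with no serialization visible in this file, while the context lines `/* from this point on we are in the critical section */` and `/* not in critical section any more */` survive and now describe a lock that no longer exists. The deleted header comment stated that PAM is not thread safe, and nothing in the hunk says what replaces the lock; if the caller now serializes binds, or the helpers from `format.h` take care of it, record that where the old comment stood, e.g. `/* PAM calls are serialized by the caller; no lock is taken in this file. */`, and delete or reword the two stale critical-section comments. If nothing serializes them any more, two concurrent binds would run the PAM conversation at the same time, which the original author treated as unsafe.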
@@ -131,25 +117,24 @@ pam_conv_func(int num_msg, const struct pam_message **msg, struct pam_response * int ii; struct berval *creds; struct my_pam_conv_str *my_data = (struct my_pam_conv_str *)mydata; - struct pam_response *reply; + struct pam_response *reply; int ret = PAM_SUCCESS; - if (num_msg <= 0) { + if (num_msg <= 0) { return PAM_CONV_ERR; } /* empty reply structure */ - reply = (struct pam_response *)slapi_ch_calloc(num_msg, - sizeof(struct pam_response)); + reply = (struct pam_response *)slapi_ch_calloc(num_msg, sizeof(struct pam_response)); slapi_pblock_get( my_data->pb, SLAPI_BIND_CREDENTIALS, &creds ); /* the password */ for (ii = 0; ii < num_msg; ++ii) { /* hard to tell what prompt is for . . . */ /* assume prompts for password are either BINARY or ECHO_OFF */ if (msg[ii]->msg_style == PAM_PROMPT_ECHO_OFF) { - reply[ii].resp = strdupbv(creds); + reply[ii].resp = format_strdupbv(creds); #ifdef LINUX } else if (msg[ii]->msg_style == PAM_BINARY_PROMPT) { - reply[ii].resp = strdupbv(creds); + reply[ii].resp = format_strdupbv(creds); #endif } else if (msg[ii]->msg_style == PAM_PROMPT_ECHO_ON) { /* assume username */ reply[ii].resp = slapi_ch_strdup(my_data->pam_identity); @@ -190,7 +175,7 @@ do_pam_auth( Slapi_PBlock *pb, char *pam_service, /* name of service for pam_start() */ int pw_response_requested, /* do we need to send pwd policy resp control */ - Slapi_Entry *entry + const char *username ) { MyStrBuf pam_id; @@ -212,10 +197,7 @@ do_pam_auth( } binddn = slapi_sdn_get_dn(bindsdn); - char *val = slapi_entry_attr_get_charptr(entry, "uid"); - init_my_str_buf(&pam_id, val); - slapi_ch_free_string(&val); - + init_my_str_buf(&pam_id, username); if (!pam_id.str) { errmsg = PR_smprintf("Bind DN [%s] is invalid or not found", binddn); retcode = LDAP_NO_SUCH_OBJECT; /* user unknown */ 
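Review bot: `reply[ii].resp = format_strdupbv(creds)` passes `creds`, fetched by `slapi_pblock_get(my_data->pb, SLAPI_BIND_CREDENTIALS, &creds)`, to the new helper without a NULL check, and the copies it returns are later released by `free_pam_response` (outside this hunk), so `format_strdupbv` must allocate with the allocator that function frees with — the removed `strdupbv` used `slapi_ch_malloc`, and neither property of the replacement is visible here. The NULL case predates this change, but the swap is the moment to close it: fetch the credentials before the `slapi_ch_calloc` and bail out early, `slapi_pblock_get(my_data->pb, SLAPI_BIND_CREDENTIALS, &creds); if (creds == NULL) { return PAM_CONV_ERR; }`. Since each `resp` holds a copy of the bind password, it is also worth confirming that `free_pam_response` scrubs the strings before freeing them. The `struct pam_response *reply;`, `if (num_msg <= 0) {` and `slapi_ch_calloc` lines are re-emitted with whitespace-only differences, which adds noise to the hunk. pam_conv_func's body continues past the hunk.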
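Review bot: The new `const char *username` parameter of `do_pam_auth` (and of `backend_sch_do_pam_auth` in the `@@ -334` hunk) is handed to `init_my_str_buf(&pam_id, username)` in the `@@ -212` hunk with no comment saying what it must hold, while the error branch still reports `Bind DN [%s] is invalid or not found` when `pam_id.str` is NULL — which now means the caller passed NULL, not that the entry lacked a `uid`. The neighbouring parameters each carry a trailing comment; add one here, e.g. `const char *username /* login name passed to pam_start(); NULL is reported as bind DN not found */`, and the same on `backend_sch_do_pam_auth`, whose header comment above it does not mention the parameter. The old call site fed a possibly NULL `val` through the same helper, so NULL presumably is tolerated by `init_my_str_buf`, but that is outside the hunk and worth confirming. do_pam_auth's body runs past both hunks.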
@@ -226,7 +208,6 @@ do_pam_auth( my_data.pb = pb; my_data.pam_identity = pam_id.str; my_pam_conv.appdata_ptr = &my_data; - slapi_lock_mutex(PAMLock); /* from this point on we are in the critical section */ rc = pam_start(pam_service, pam_id.str, &my_pam_conv, &pam_handle); @@ -304,7 +285,6 @@ do_pam_auth( } rc = pam_end(pam_handle, rc); - slapi_unlock_mutex(PAMLock); /* not in critical section any more */ done: @@ -334,17 +314,13 @@ done: * depending on what methods are set in the config. */ int -backend_sch_do_pam_auth(Slapi_PBlock *pb, Slapi_Entry *entry) +backend_sch_do_pam_auth(Slapi_PBlock *pb, const char *username) { int rc = LDAP_SUCCESS; MyStrBuf pam_service; /* avoid malloc if possible */ int pw_response_requested; LDAPControl **reqctrls = NULL; - if (!PAMLock && !(PAMLock = slapi_new_mutex())) { - return LDAP_LOCAL_ERROR; - } - init_my_str_buf(&pam_service, "system-auth"); slapi_pblock_get (pb, SLAPI_REQCONTROLS, &reqctrls); @@ -353,7 +329,7 @@ backend_sch_do_pam_auth(Slapi_PBlock *pb, Slapi_Entry *entry) /* figure out which method is the last one - we only return error codes, controls to the client and send a response on the last method */ - rc = do_pam_auth(pb, pam_service.str, pw_response_requested, entry); + rc = do_pam_auth(pb, pam_service.str, pw_response_requested, username); delete_my_str_buf(&pam_service); |