Diffstat (limited to 'src')
| -rw-r--r-- | src/back-sch.c | 45 |
1 files changed, 44 insertions, 1 deletions
diff --git a/src/back-sch.c b/src/back-sch.c
index 0dc11c5..8911568 100644
--- a/src/back-sch.c
+++ b/src/back-sch.c
@@ -28,6 +28,7 @@
 #include <string.h>
 #include <time.h>
 #include <unistd.h>
+#include <errno.h>
 
 #ifdef HAVE_DIRSRV_SLAPI_PLUGIN_H
 #include <nspr.h>
@@ -133,6 +134,9 @@ backend_copy_set_config(const struct backend_set_data *data)
 ret->rdn_format = strdup(data->rdn_format);
 ret->attribute_format = backend_shr_dup_strlist(data->attribute_format);
 ret->check_access = data->check_access;
+ ret->check_nsswitch = data->check_nsswitch;
+ ret->nsswitch_min_id = data->nsswitch_min_id;
+
 if ((ret->common.group == NULL) ||
 (ret->common.set == NULL) ||
 (ret->common.bases == NULL) ||
@@ -151,7 +155,7 @@ backend_set_config_read_config(struct plugin_state *state, Slapi_Entry *e,
 const char *group, const char *container,
 bool_t *flag, struct backend_shr_set_data **pret)
 {
- char **bases, *entry_filter, **attributes, *rdn_format, *dn;
+ char **bases, *entry_filter, **attributes, *rdn_format, *dn, *nsswitch_min_id, *check_nsswitch, *strp;
 bool_t check_access;
 struct backend_set_data ret;
 Slapi_DN *tmp_sdn;
@@ -166,6 +170,10 @@ backend_set_config_read_config(struct plugin_state *state, Slapi_Entry *e,
 check_access = backend_shr_get_vattr_boolean(state, e,
 SCH_CONTAINER_CONFIGURATION_ACCESS_ATTR,
 TRUE);
+ check_nsswitch = backend_shr_get_vattr_str(state, e,
+ SCH_CONTAINER_CONFIGURATION_NSSWITCH_ATTR);
+ nsswitch_min_id = backend_shr_get_vattr_str(state, e,
+ SCH_CONTAINER_CONFIGURATION_NSSWITCH_MIN_ID_ATTR);
 attributes = backend_shr_get_vattr_strlist(state, e,
 SCH_CONTAINER_CONFIGURATION_ATTR_ATTR);
 /* Populate the returned structure. */
@@ -200,6 +208,41 @@ backend_set_config_read_config(struct plugin_state *state, Slapi_Entry *e,
 ret.rdn_format = rdn_format;
 ret.attribute_format = attributes;
 ret.check_access = check_access;
+
+ if (check_nsswitch != NULL) {
+ if (strcasecmp(check_nsswitch, "group") == 0) {
+ ret.check_nsswitch = SCH_NSSWITCH_GROUP;
+ } else if (strcasecmp(check_nsswitch, "user") == 0) {
+ ret.check_nsswitch = SCH_NSSWITCH_USER;
+ } else {
+ ret.check_nsswitch = SCH_NSSWITCH_NONE;
+ }
+ } else {
+ ret.check_nsswitch = SCH_NSSWITCH_NONE;
+ }
+
+ /* Make sure we don't return system users/groups
+ * by limiting lower bound on searches.
+ * If config value cannot be parsed or not specified, default to 1000.
+ * It is OK to specify something lower in the config as some Linux distributions force lower limit to 500 */
+ ret.nsswitch_min_id = 1000; /* default in Fedora */
+ if (nsswitch_min_id != NULL) {
+ errno = 0;
+ ret.nsswitch_min_id = strtoul(nsswitch_min_id, &strp, 10);
+ if ((errno != 0) || ((strp != NULL) && (*strp != '\0'))) {
+ /* enforce id in case of an error or too low limit */
+ ret.nsswitch_min_id = 1000;
+ }
+ }
+
+ if (ret.check_nsswitch != SCH_NSSWITCH_NONE) {
+ /* Auto-populate attributes based on selected NSSWITCH tree
+ * and add special attribute to track whether the entry requires PAM-based bind */
+ backend_shr_add_strlist(&ret.attribute_format, "objectClass=extensibleObject");
+ backend_shr_add_strlist(&ret.attribute_format, "schema-compat-origin=%{schema-compat-origin}");
+ backend_shr_add_strlist(&ret.attribute_format, "ipaNTSecurityIdentifier=%{ipaNTSecurityIdentifier}");
+ }
+
 *pret = backend_copy_set_config(&ret);
 free(ret.common.group);
 free(ret.common.set);
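Review bot: The strtoul validation at `if ((errno != 0) || ((strp != NULL) && (*strp != '\0')))` does not catch an empty attribute value: strtoul then consumes no digits, leaves strp at the terminator with errno untouched, and returns 0, so nsswitch_min_id silently becomes 0 and the system-account cutoff the preceding comment describes is switched off rather than reset to the 1000 default. A leading '-' is likewise accepted by strtoul and wraps to a very large unsigned value without ERANGE. Add a no-digits test, `if ((errno != 0) || (strp == nsswitch_min_id) || (*strp != '\0')) {`, and decide explicitly whether 0 (and '-') should fall back to the default, since the inner comment claims a "too low limit" is enforced but no lower bound is actually checked. If the nsswitch_min_id field is narrower than unsigned long, the assignment also truncates silently; confirm against the struct definition. The function continues past this hunk, and the check_nsswitch and nsswitch_min_id strings from backend_shr_get_vattr_str are not freed within it, so confirm the cleanup that follows releases them if that helper returns owned storage.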
