From e609af8d68a8d3f534dfd4ea000a23c718de8c75 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 31 Jul 2013 14:29:31 +0300
Subject: back-sch: use plugin configuration to decide whether NSSWITCH should be consulted

When one instance of schema compat plugin is configured to consult NSSWITCH, promote its configuration to the backend. Default to not looking into NSSWITCH.
---
 src/back-sch.c | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)
(limited to 'src')

diff --git a/src/back-sch.c b/src/back-sch.c
index 0dc11c5..8911568 100644
--- a/src/back-sch.c
+++ b/src/back-sch.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #ifdef HAVE_DIRSRV_SLAPI_PLUGIN_H
 #include
@@ -133,6 +134,9 @@ backend_copy_set_config(const struct backend_set_data *data)
 ret->rdn_format = strdup(data->rdn_format);
 ret->attribute_format = backend_shr_dup_strlist(data->attribute_format);
 ret->check_access = data->check_access;
+ ret->check_nsswitch = data->check_nsswitch;
+ ret->nsswitch_min_id = data->nsswitch_min_id;
+
 if ((ret->common.group == NULL) ||
 (ret->common.set == NULL) ||
 (ret->common.bases == NULL) ||
@@ -151,7 +155,7 @@ backend_set_config_read_config(struct plugin_state *state, Slapi_Entry *e,
 const char *group, const char *container,
 bool_t *flag, struct backend_shr_set_data **pret)
 {
- char **bases, *entry_filter, **attributes, *rdn_format, *dn;
+ char **bases, *entry_filter, **attributes, *rdn_format, *dn, *nsswitch_min_id, *check_nsswitch, *strp;
 bool_t check_access;
 struct backend_set_data ret;
 Slapi_DN *tmp_sdn;
@@ -166,6 +170,10 @@ backend_set_config_read_config(struct plugin_state *state, Slapi_Entry *e,
 check_access = backend_shr_get_vattr_boolean(state, e,
 SCH_CONTAINER_CONFIGURATION_ACCESS_ATTR, TRUE);
+ check_nsswitch = backend_shr_get_vattr_str(state, e,
+ SCH_CONTAINER_CONFIGURATION_NSSWITCH_ATTR);
+ nsswitch_min_id = backend_shr_get_vattr_str(state, e,
+ SCH_CONTAINER_CONFIGURATION_NSSWITCH_MIN_ID_ATTR);
 attributes = backend_shr_get_vattr_strlist(state, e,
 SCH_CONTAINER_CONFIGURATION_ATTR_ATTR);
 /* Populate the returned structure. */
@@ -200,6 +208,41 @@ backend_set_config_read_config(struct plugin_state *state, Slapi_Entry *e,
 ret.rdn_format = rdn_format;
 ret.attribute_format = attributes;
 ret.check_access = check_access;
+
+ if (check_nsswitch != NULL) {
+ if (strcasecmp(check_nsswitch, "group") == 0) {
+ ret.check_nsswitch = SCH_NSSWITCH_GROUP;
+ } else if (strcasecmp(check_nsswitch, "user") == 0) {
+ ret.check_nsswitch = SCH_NSSWITCH_USER;
+ } else {
+ ret.check_nsswitch = SCH_NSSWITCH_NONE;
+ }
+ } else {
+ ret.check_nsswitch = SCH_NSSWITCH_NONE;
+ }
+
+ /* Make sure we don't return system users/groups
+ * by limiting lower bound on searches.
+ * If config value cannot be parsed or not specified, default to 1000.
+ * It is OK to specify something lower in the config as some Linux distributions force lower limit to 500 */
+ ret.nsswitch_min_id = 1000; /* default in Fedora */
+ if (nsswitch_min_id != NULL) {
+ errno = 0;
+ ret.nsswitch_min_id = strtoul(nsswitch_min_id, &strp, 10);
+ if ((errno != 0) || ((strp != NULL) && (*strp != '\0'))) {
+ /* enforce id in case of an error or too low limit */
+ ret.nsswitch_min_id = 1000;
+ }
+ }
+
+ if (ret.check_nsswitch != SCH_NSSWITCH_NONE) {
+ /* Auto-populate attributes based on selected NSSWITCH tree
+ * and add special attribute to track whether the entry requires PAM-based bind */
+ backend_shr_add_strlist(&ret.attribute_format, "objectClass=extensibleObject");
+ backend_shr_add_strlist(&ret.attribute_format, "schema-compat-origin=%{schema-compat-origin}");
+ backend_shr_add_strlist(&ret.attribute_format, "ipaNTSecurityIdentifier=%{ipaNTSecurityIdentifier}");
+ }
+
 *pret = backend_copy_set_config(&ret);
 free(ret.common.group);
 free(ret.common.set);
-- cgit
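Review bot: The strtoul error check at `if ((errno != 0) || ((strp != NULL) && (*strp != '\0')))` accepts an empty attribute value: no digits are consumed, strp points at the terminating NUL, errno stays 0, and nsswitch_min_id becomes 0, which defeats the "don't return system users/groups" lower bound the comment above it describes. Add the no-conversion case to the test, `if ((errno != 0) || (strp == nsswitch_min_id) || (*strp != '\0')) {` (strtoul always sets the end pointer when one is supplied, so the NULL test is redundant). A leading '-' is likewise accepted by strtoul and yields a very large unsigned value rather than an error, so rejecting non-digit input up front or bounding the parsed result is worth considering. The inner comment `/* enforce id in case of an error or too low limit */` overstates what the code does — nothing checks for a low limit, and the block comment above explicitly permits lower values — so it should read `/* unparsable value: fall back to the default */`. The function's tail is outside the hunk; if backend_shr_get_vattr_str returns allocated strings, check_nsswitch and nsswitch_min_id also need freeing there, since neither is stored in ret.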