[Fedora-directory-commits] ldapserver/ldap/servers/plugins/pam_passthru README, 1.4, 1.5 config.ldif, 1.4, 1.5 pam_ptconfig.c, 1.6, 1.7
Richard Allen Megginson (rmeggins)
fedora-directory-commits at redhat.com
Fri Sep 15 21:20:38 UTC 2006
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29435/ldapserver/ldap/servers/plugins/pam_passthru
Modified Files:
README config.ldif pam_ptconfig.c
Log Message:
Bug(s) fixed: 206662
Bug Description: PAM passthru: ENTRY map method not working and schema incorrect
Reviewed by: nhosoi (Thanks!)
Fix Description:
1) Rename all occurrences of pamMapMethod to pamIDMapMethod
2) The parsing code for the map method was just plain wrong - it wasn't
incrementing the pointer correctly.
3) This code: if (one == two == three == PAMPT_MAP_METHOD_NONE) - is not correct.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
Index: README
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru/README,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- README 19 Apr 2005 22:07:30 -0000 1.4
+++ README 15 Sep 2006 21:20:36 -0000 1.5
@@ -86,7 +86,7 @@
* pamIDAttr (string) - The value of this attribute, present in the
user's entry, holds the PAM identity of the user - it maps the LDAP
identity to the PAM identity
-* pamMapMethod (string)
+* pamIDMapMethod (string)
o RDN (default) - uses the value from the leftmost RDN in the BIND DN
o ENTRY - gets the value of the PAM identity attribute from the BIND DN entry
o DN - uses the full DN string
@@ -137,13 +137,13 @@
We may have to worry about different PAM policy in different subtrees
e.g. maybe for dc=coke,dc=com you want to use the ENTRY map method,
but for dc=pepsi,dc=com you want to use the RDN method. We could
-probably do this by having the pamMapMethod attr be multivalued, and
+probably do this by having the pamIDMapMethod attr be multivalued, and
have it's value like this:
-pamMapMethod: RDN dc=coke,dc=com
-pamMapMethod: RDN dc=sprite,dc=com
-pamMapMethod: ENTRY dc=pepsi,dc=com
-pamMapMethod: DN (the default for all other suffixes)
+pamIDMapMethod: RDN dc=coke,dc=com
+pamIDMapMethod: RDN dc=sprite,dc=com
+pamIDMapMethod: ENTRY dc=pepsi,dc=com
+pamIDMapMethod: DN (the default for all other suffixes)
The suffix that uses that map method would follow the map method used.
@@ -201,7 +201,7 @@
pamMissingSuffix: ALLOW
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
-pamMapMethod: RDN
+pamIDMapMethod: RDN
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
Index: config.ldif
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru/config.ldif,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- config.ldif 19 Apr 2005 22:07:30 -0000 1.4
+++ config.ldif 15 Sep 2006 21:20:36 -0000 1.5
@@ -50,7 +50,7 @@
pamMissingSuffix: ALLOW
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
-pamMapMethod: RDN
+pamIDMapMethod: RDN
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
Index: pam_ptconfig.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru/pam_ptconfig.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- pam_ptconfig.c 25 May 2006 14:37:14 -0000 1.6
+++ pam_ptconfig.c 15 Sep 2006 21:20:36 -0000 1.7
@@ -188,11 +188,11 @@
{
char *end;
int len;
- int ret;
+ int ret = PAMPT_MAP_METHOD_NONE;
*err = 0;
if (!map_method || !*map_method) {
- return PAMPT_MAP_METHOD_NONE;
+ return ret;
}
end = strchr(*map_method, ' ');
@@ -211,7 +211,7 @@
*err = 1;
}
- if (!err) {
+ if (!*err) {
if (end && *end) {
*map_method = end + 1;
} else {
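Review bot: `*map_method = end + 1` steps over exactly one space, so a value with two consecutive spaces or a trailing space hands the next meth_to_int() call a zero-length token. The guard in the previous hunk, `if (!map_method || !*map_method)`, tests for a NULL pointer only, not for an empty string. The token comparison sits between the two hunks and is not visible here; if it compares only the first `len` characters, an empty token could be accepted as a valid method instead of being rejected, which matters because this value decides how a bind DN is mapped to a PAM identity. Worth confirming, and if so adding something like `if (len == 0) { *err = 1; return ret; }` right after the length is computed. meth_to_int() begins before the previous hunk and continues past this one.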
@@ -225,36 +225,37 @@
static int
parse_map_method(char *map_method, int *one, int *two, int *three, char *returntext)
{
- int err = 0;
+ int err = LDAP_SUCCESS;
int extra;
+ char **ptr = &map_method;
*one = *two = *three = PAMPT_MAP_METHOD_NONE;
- *one = meth_to_int(&map_method, &err);
+ *one = meth_to_int(ptr, &err);
if (err) {
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"The map method in the string [%s] is invalid: must be "
"one of %s", map_method, get_map_method_values());
return LDAP_UNWILLING_TO_PERFORM;
}
- *two = meth_to_int(&map_method, &err);
+ *two = meth_to_int(ptr, &err);
if (err) {
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"The map method in the string [%s] is invalid: must be "
"one of %s", map_method, get_map_method_values());
return LDAP_UNWILLING_TO_PERFORM;
}
- *three = meth_to_int(&map_method, &err);
+ *three = meth_to_int(ptr, &err);
if (err) {
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"The map method in the string [%s] is invalid: must be "
"one of %s", map_method, get_map_method_values());
return LDAP_UNWILLING_TO_PERFORM;
}
- if (((extra = meth_to_int(&map_method, &err)) != PAMPT_MAP_METHOD_NONE) ||
+ if (((extra = meth_to_int(ptr, &err)) != PAMPT_MAP_METHOD_NONE) ||
err) {
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
"Invalid extra text [%s] after last map method",
- map_method);
+ ((ptr && *ptr) ? *ptr : "(null)"));
return LDAP_UNWILLING_TO_PERFORM;
}
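Review bot: The three "is invalid" messages print `map_method`, but `ptr` aliases that same parameter, so every successful meth_to_int() call has already moved it forward and the administrator sees only the unparsed remainder instead of the configured value. Keeping the original, e.g. `const char *orig = map_method;` before the first call and passing `orig` to those three PR_snprintf() calls, would make the message match what is in the entry. For the same reason `ptr` adds nothing over `&map_method`, and the `ptr &&` half of `(ptr && *ptr)` is always true. The three identical parse-and-report blocks could also be a short loop over `one`, `two` and `three`. The function continues past the end of this hunk.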
@@ -341,7 +342,10 @@
map_method = slapi_entry_attr_get_charptr(e, PAMPT_MAP_METHOD_ATTR);
if (map_method) {
int one, two, three;
- *returncode = parse_map_method(map_method, &one, &two, &three, returntext);
+ if (LDAP_SUCCESS !=
+ (*returncode = parse_map_method(map_method, &one, &two, &three, returntext))) {
+ goto done; /* returntext set already */
+ }
if (!pam_ident_attr &&
((one == PAMPT_MAP_METHOD_ENTRY) || (two == PAMPT_MAP_METHOD_ENTRY) ||
(three == PAMPT_MAP_METHOD_ENTRY))) {
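Review bot: The added `goto done` exits while `map_method` still holds the string from slapi_entry_attr_get_charptr(), which returns an allocated copy owned by the caller. The `done:` label is outside this hunk, so it is worth confirming that it releases the value (`slapi_ch_free_string(&map_method);`) on this path as well as on the existing `goto done` in the next hunk. Separately, the assignment inside the condition would read more plainly as `*returncode = parse_map_method(map_method, &one, &two, &three, returntext);` followed by `if (*returncode != LDAP_SUCCESS) goto done;`. The enclosing function starts and ends outside the hunk.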
@@ -351,7 +355,8 @@
*returncode = LDAP_UNWILLING_TO_PERFORM;
goto done;
}
- if (one == two == three == PAMPT_MAP_METHOD_NONE) {
+ if ((one == PAMPT_MAP_METHOD_NONE) && (two == PAMPT_MAP_METHOD_NONE) &&
+ (three == PAMPT_MAP_METHOD_NONE)) {
PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Error: no method(s)"
" specified for %s, should be one or more of %s",
PAMPT_MAP_METHOD_ATTR, get_map_method_values());