2
2
group.c - group entry lookup routines
3
Parts of this file were part of the nss_ldap library (as ldap-grp.c) which
4
has been forked into the nss-pam-ldapd library.
3
Parts of this file were part of the nss_ldap library (as ldap-grp.c)
4
which has been forked into the nss-pam-ldapd library.
6
6
Copyright (C) 1997-2006 Luke Howard
7
7
Copyright (C) 2006 West Consulting
8
Copyright (C) 2006, 2007, 2008, 2009, 2010 Arthur de Jong
8
Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Arthur de Jong
10
10
This library is free software; you can redistribute it and/or
11
11
modify it under the terms of the GNU Lesser General Public
37
37
#include "myldap.h"
39
39
#include "attmap.h"
40
#include "compat/strndup.h"
41
42
/* ( nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL
42
43
* DESC 'Abstraction of a group of accounts'
43
44
* MUST ( cn $ gidNumber )
44
45
* MAY ( userPassword $ memberUid $ description ) )
46
* apart from that the above the uniqueMember attributes may be
47
* supported in a coming release (they map to DNs, which is an extra
47
* apart from the above a member attribute is also supported that
48
* may contains a DN of a user
50
* using nested groups (groups that are member of a group) is currently
51
* not supported, this may be added in a later release
50
* nested groups (groups that are member of a group) are currently
54
54
/* the search base for searches */
63
63
/* the attributes to request with searches */
64
64
const char *attmap_group_cn = "cn";
65
const char *attmap_group_userPassword = "userPassword";
65
const char *attmap_group_userPassword = "\"*\"";
66
66
const char *attmap_group_gidNumber = "gidNumber";
67
67
const char *attmap_group_memberUid = "memberUid";
68
const char *attmap_group_uniqueMember = "uniqueMember";
68
const char *attmap_group_member = "member";
70
/* special property for objectSid-based searches
71
(these are already LDAP-escaped strings) */
72
static char *gidSid=NULL;
70
74
/* default values for attributes */
71
75
static const char *default_group_userPassword = "*"; /* unmatchable */
74
77
/* the attribute list to request with searches */
75
static const char *group_attrs[6];
78
static const char **group_attrs=NULL;
77
80
/* create a search filter for searching a group entry
78
81
by name, return -1 on errors */
95
98
static int mkfilter_group_bygid(gid_t gid,
96
99
char *buffer,size_t buflen)
98
return mysnprintf(buffer,buflen,
101
attmap_group_gidNumber,(int)gid);
103
return mysnprintf(buffer,buflen,
104
"(&%s(%s=%s\\%02x\\%02x\\%02x\\%02x))",
106
attmap_group_gidNumber,gidSid,
107
(int)(gid&0xff),(int)((gid>>8)&0xff),
108
(int)((gid>>16)&0xff),(int)((gid>>24)&0xff));
112
return mysnprintf(buffer,buflen,
115
attmap_group_gidNumber,(int)gid);
104
119
/* create a search filter for searching a group entry
127
142
"(&%s(|(%s=%s)(%s=%s)))",
129
144
attmap_group_memberUid,safeuid,
130
attmap_group_uniqueMember,safedn);
145
attmap_group_member,safedn);
133
148
void group_init(void)
136
152
/* set up search bases */
137
153
if (group_bases[0]==NULL)
138
154
for (i=0;i<NSS_LDAP_CONFIG_MAX_BASES;i++)
140
156
/* set up scope */
141
157
if (group_scope==LDAP_SCOPE_DEFAULT)
142
158
group_scope=nslcd_cfg->ldc_scope;
159
/* special case when gidNumber references objectSid */
160
if (strncasecmp(attmap_group_gidNumber,"objectSid:",10)==0)
162
gidSid=sid2search(attmap_group_gidNumber+10);
163
attmap_group_gidNumber=strndup(attmap_group_gidNumber,9);
143
165
/* set up attribute list */
144
group_attrs[0]=attmap_group_cn;
145
group_attrs[1]=attmap_group_userPassword;
146
group_attrs[2]=attmap_group_memberUid;
147
group_attrs[3]=attmap_group_gidNumber;
148
group_attrs[4]=attmap_group_uniqueMember;
167
attmap_add_attributes(set,attmap_group_cn);
168
attmap_add_attributes(set,attmap_group_userPassword);
169
attmap_add_attributes(set,attmap_group_memberUid);
170
attmap_add_attributes(set,attmap_group_gidNumber);
171
attmap_add_attributes(set,attmap_group_member);
172
group_attrs=set_tolist(set);
152
176
static int do_write_group(
161
185
if (!isvalidname(names[i]))
163
log_log(LOG_WARNING,"group entry %s contains invalid group name: \"%s\"",
187
log_log(LOG_WARNING,"group entry %s name denied by validnames option: \"%s\"",
164
188
myldap_get_dn(entry),names[i]);
166
190
else if ((reqname==NULL)||(strcmp(reqname,names[i])==0))
197
221
if (isvalidname(values[i]))
198
222
set_add(set,values[i]);
200
/* add the uniqueMember values */
201
values=myldap_get_values(entry,attmap_group_uniqueMember);
224
/* add the member values */
225
values=myldap_get_values(entry,attmap_group_member);
202
226
if (values!=NULL)
203
227
for (i=0;values[i]!=NULL;i++)
245
gidvalues=myldap_get_values(entry,attmap_group_gidNumber);
270
gidvalues=myldap_get_values_len(entry,attmap_group_gidNumber);
246
271
if ((gidvalues==NULL)||(gidvalues[0]==NULL))
248
273
log_log(LOG_WARNING,"group entry %s does not contain %s value",
249
274
myldap_get_dn(entry),attmap_group_gidNumber);
252
for (numgids=0;(gidvalues[numgids]!=NULL)&&(numgids<MAXGIDS_PER_ENTRY);numgids++)
277
for (numgids=0;(numgids<MAXGIDS_PER_ENTRY)&&(gidvalues[numgids]!=NULL);numgids++)
254
gids[numgids]=(gid_t)strtol(gidvalues[numgids],&tmp,0);
255
if ((*(gidvalues[numgids])=='\0')||(*tmp!='\0'))
280
gids[numgids]=(gid_t)binsid2id(gidvalues[numgids]);
257
log_log(LOG_WARNING,"group entry %s contains non-numeric %s value",
258
myldap_get_dn(entry),attmap_group_gidNumber);
284
gids[numgids]=strtogid(gidvalues[numgids],&tmp,0);
285
if ((*(gidvalues[numgids])=='\0')||(*tmp!='\0'))
287
log_log(LOG_WARNING,"group entry %s contains non-numeric %s value",
288
myldap_get_dn(entry),attmap_group_gidNumber);
293
log_log(LOG_WARNING,"group entry %s contains too large %s value",
294
myldap_get_dn(entry),attmap_group_gidNumber);
263
300
/* get group passwd (userPassword) (use only first entry) */
264
passwd=get_userpassword(entry,attmap_group_userPassword);
301
passwd=get_userpassword(entry,attmap_group_userPassword,passbuffer,sizeof(passbuffer));
265
302
if (passwd==NULL)
266
303
passwd=default_group_userPassword;
267
/* get group memebers (memberUid&uniqueMember) */
304
/* get group memebers (memberUid&member) */
269
306
members=getmembers(entry,session);
284
321
char filter[1024];
285
322
READ_STRING(fp,name);
323
log_setrequest("group=\"%s\"",name);
286
324
if (!isvalidname(name)) {
287
log_log(LOG_WARNING,"nslcd_group_byname(%s): invalid group name",name);
325
log_log(LOG_WARNING,"\"%s\": name denied by validnames option",name);
290
log_log(LOG_DEBUG,"nslcd_group_byname(%s)",name);,
291
328
NSLCD_ACTION_GROUP_BYNAME,
292
329
mkfilter_group_byname(name,filter,sizeof(filter)),
293
330
write_group(fp,entry,name,NULL,1,session)
299
336
char filter[1024];
300
READ_TYPE(fp,gid,gid_t);,
301
log_log(LOG_DEBUG,"nslcd_group_bygid(%d)",(int)gid);,
337
READ_TYPE(fp,gid,gid_t);
338
log_setrequest("group=%d",(int)gid);,
302
339
NSLCD_ACTION_GROUP_BYGID,
303
340
mkfilter_group_bygid(gid,filter,sizeof(filter)),
304
341
write_group(fp,entry,NULL,&gid,1,session)
310
347
char filter[1024];
311
348
READ_STRING(fp,name);
312
if (!isvalidname(name)) {
313
log_log(LOG_WARNING,"nslcd_group_bymember(%s): invalid user name",name);
349
log_setrequest("group/member=\"%s\"",name);
350
if (!isvalidname(name))
352
log_log(LOG_WARNING,"\"%s\": name denied by validnames option",name);
316
355
if ((nslcd_cfg->ldc_nss_initgroups_ignoreusers!=NULL)&&
317
356
set_contains(nslcd_cfg->ldc_nss_initgroups_ignoreusers,name))
358
log_log(LOG_DEBUG,"ignored group member");
319
359
/* just end the request, returning no results */
320
360
WRITE_INT32(fp,NSLCD_VERSION);
321
361
WRITE_INT32(fp,NSLCD_ACTION_GROUP_BYMEMBER);
322
362
WRITE_INT32(fp,NSLCD_RESULT_END);
325
log_log(LOG_DEBUG,"nslcd_group_bymember(%s)",name);,
326
365
NSLCD_ACTION_GROUP_BYMEMBER,
327
366
mkfilter_group_bymember(session,name,filter,sizeof(filter)),
328
367
write_group(fp,entry,NULL,NULL,0,session)
333
372
const char *filter;
334
/* no parameters to read */,
335
log_log(LOG_DEBUG,"nslcd_group_all()");,
373
log_setrequest("group(all)");,
336
374
NSLCD_ACTION_GROUP_ALL,
337
375
(filter=group_filter,0),
338
376
write_group(fp,entry,NULL,NULL,1,session)