diff options
Diffstat (limited to 'servers/slapd/back-passwd')
-rw-r--r-- | servers/slapd/back-passwd/Makefile.in | 41 | ||||
-rw-r--r-- | servers/slapd/back-passwd/back-passwd.h | 31 | ||||
-rw-r--r-- | servers/slapd/back-passwd/config.c | 73 | ||||
-rw-r--r-- | servers/slapd/back-passwd/init.c | 122 | ||||
-rw-r--r-- | servers/slapd/back-passwd/proto-passwd.h | 33 | ||||
-rw-r--r-- | servers/slapd/back-passwd/search.c | 381 |
6 files changed, 681 insertions, 0 deletions
diff --git a/servers/slapd/back-passwd/Makefile.in b/servers/slapd/back-passwd/Makefile.in new file mode 100644 index 0000000..937cf88 --- /dev/null +++ b/servers/slapd/back-passwd/Makefile.in @@ -0,0 +1,41 @@ +# Makefile.in for back-passwd +# $OpenLDAP$ +## This work is part of OpenLDAP Software <http://www.openldap.org/>. +## +## Copyright 1998-2022 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## <http://www.OpenLDAP.org/license.html>. + +SRCS = search.c config.c init.c +OBJS = search.lo config.lo init.lo + +LDAP_INCDIR= ../../../include +LDAP_LIBDIR= ../../../libraries + +BUILD_OPT = "--enable-passwd" +BUILD_MOD = @BUILD_PASSWD@ + +mod_DEFS = -DSLAPD_IMPORT +MOD_DEFS = $(@BUILD_PASSWD@_DEFS) + +shared_LDAP_LIBS = $(LDAP_LIBLDAP_LA) $(LDAP_LIBLBER_LA) +NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) +UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + +LIBBASE = back_passwd + +XINCPATH = -I.. -I$(srcdir)/.. +XDEFS = $(MODULES_CPPFLAGS) + +all-local-lib: ../.backend + +../.backend: lib$(LIBBASE).a + @touch $@ + diff --git a/servers/slapd/back-passwd/back-passwd.h b/servers/slapd/back-passwd/back-passwd.h new file mode 100644 index 0000000..d1957cc --- /dev/null +++ b/servers/slapd/back-passwd/back-passwd.h @@ -0,0 +1,31 @@ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2022 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#ifndef _BACK_PASSWD_H +#define _BACK_PASSWD_H + +#include "proto-passwd.h" + +LDAP_BEGIN_DECL + +extern ldap_pvt_thread_mutex_t passwd_mutex; + +extern BI_destroy passwd_back_destroy; + +extern BI_op_search passwd_back_search; + +LDAP_END_DECL + +#endif /* _BACK_PASSWD_H */ diff --git a/servers/slapd/back-passwd/config.c b/servers/slapd/back-passwd/config.c new file mode 100644 index 0000000..9168e4b --- /dev/null +++ b/servers/slapd/back-passwd/config.c @@ -0,0 +1,73 @@ +/* config.c - passwd backend configuration file routine */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2022 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* Portions Copyright (c) 1995 Regents of the University of Michigan. + * All rights reserved. + * + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and that due credit is given + * to the University of Michigan at Ann Arbor. The name of the University + * may not be used to endorse or promote products derived from this + * software without specific prior written permission. This software + * is provided ``as is'' without express or implied warranty. + */ +/* ACKNOWLEDGEMENTS: + * This work was originally developed by the University of Michigan + * (as part of U-MICH LDAP). + */ + +#include "portable.h" + +#include <stdio.h> + +#include <ac/socket.h> +#include <ac/string.h> +#include <ac/time.h> + +#include "slap.h" +#include "back-passwd.h" +#include "slap-config.h" + +static ConfigTable passwdcfg[] = { + { "file", "filename", 2, 2, 0, +#ifdef HAVE_SETPWFILE + ARG_STRING|ARG_OFFSET, NULL, +#else + ARG_IGNORED, NULL, +#endif + "( OLcfgDbAt:9.1 NAME 'olcPasswdFile' " + "DESC 'File containing passwd records' " + "EQUALITY caseExactMatch " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { NULL, NULL, 0, 0, 0, ARG_IGNORED, + NULL, NULL, NULL, NULL } +}; + +static ConfigOCs passwdocs[] = { + { "( OLcfgDbOc:9.1 " + "NAME 'olcPasswdConfig' " + "DESC 'Passwd backend configuration' " + "SUP olcDatabaseConfig " + "MAY olcPasswdFile )", + Cft_Database, passwdcfg }, + { NULL, 0, NULL } +}; + +int +passwd_back_init_cf( BackendInfo *bi ) +{ + bi->bi_cf_ocs = passwdocs; + return config_register_schema( passwdcfg, passwdocs ); +} diff --git a/servers/slapd/back-passwd/init.c b/servers/slapd/back-passwd/init.c new file mode 100644 index 0000000..b855c15 --- /dev/null +++ b/servers/slapd/back-passwd/init.c @@ -0,0 +1,122 @@ +/* init.c - initialize passwd backend */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2022 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include "portable.h" + +#include <stdio.h> + +#include <ac/socket.h> + +#include "slap.h" +#include "back-passwd.h" + +ldap_pvt_thread_mutex_t passwd_mutex; + +AttributeDescription *ad_sn; +AttributeDescription *ad_desc; + +static BI_db_init passwd_back_db_init; + +int +passwd_back_initialize( + BackendInfo *bi +) +{ + ldap_pvt_thread_mutex_init( &passwd_mutex ); + + bi->bi_open = passwd_back_open; + bi->bi_config = 0; + bi->bi_close = 0; + bi->bi_destroy = passwd_back_destroy; + + bi->bi_db_init = passwd_back_db_init; + bi->bi_db_config = 0; + bi->bi_db_open = 0; + bi->bi_db_close = 0; + bi->bi_db_destroy = 0; + + bi->bi_op_bind = 0; + bi->bi_op_unbind = 0; + bi->bi_op_search = passwd_back_search; + bi->bi_op_compare = 0; + bi->bi_op_modify = 0; + bi->bi_op_modrdn = 0; + bi->bi_op_add = 0; + bi->bi_op_delete = 0; + bi->bi_op_abandon = 0; + + bi->bi_extended = 0; + + bi->bi_chk_referrals = 0; + + bi->bi_connection_init = 0; + bi->bi_connection_destroy = 0; + + return passwd_back_init_cf( bi ); +} + +int +passwd_back_open( + BackendInfo *bi +) +{ + const char *text; + int rc; + + rc = slap_str2ad( "sn", &ad_sn, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "passwd_back_open: " + "slap_str2ad(\"%s\") returned %d: %s\n", + "sn", rc, text ); + return -1; + } + rc = slap_str2ad( "description", &ad_desc, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "passwd_back_open: " + "slap_str2ad(\"%s\") returned %d: %s\n", + "description", rc, text ); + return -1; + } + + return 0; +} + +int +passwd_back_destroy( + BackendInfo *bi +) +{ + ldap_pvt_thread_mutex_destroy( &passwd_mutex ); + return 0; +} + +static int +passwd_back_db_init( + Backend *be, + struct config_reply_s *cr +) +{ + be->be_cf_ocs = be->bd_info->bi_cf_ocs; + return 0; +} + +#if SLAPD_PASSWD == SLAPD_MOD_DYNAMIC + +/* conditionally define the init_module() function */ +SLAP_BACKEND_INIT_MODULE( passwd ) + +#endif /* SLAPD_PASSWD == SLAPD_MOD_DYNAMIC */ + diff --git a/servers/slapd/back-passwd/proto-passwd.h b/servers/slapd/back-passwd/proto-passwd.h new file mode 100644 index 0000000..96bc73e --- /dev/null +++ b/servers/slapd/back-passwd/proto-passwd.h @@ -0,0 +1,33 @@ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2022 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#ifndef PROTO_PASSWD_H +#define PROTO_PASSWD_H + +LDAP_BEGIN_DECL + +extern BI_init passwd_back_initialize; +extern BI_open passwd_back_open; +extern BI_destroy passwd_back_destroy; +extern BI_op_search passwd_back_search; + +extern int passwd_back_init_cf( BackendInfo *bi ); + +extern AttributeDescription *ad_sn; +extern AttributeDescription *ad_desc; + +LDAP_END_DECL + +#endif /* PROTO_PASSWD_H */ diff --git a/servers/slapd/back-passwd/search.c b/servers/slapd/back-passwd/search.c new file mode 100644 index 0000000..19d847c --- /dev/null +++ b/servers/slapd/back-passwd/search.c @@ -0,0 +1,381 @@ +/* search.c - /etc/passwd backend search function */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2022 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* Portions Copyright (c) 1995 Regents of the University of Michigan. + * All rights reserved. + * + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and that due credit is given + * to the University of Michigan at Ann Arbor. The name of the University + * may not be used to endorse or promote products derived from this + * software without specific prior written permission. This software + * is provided ``as is'' without express or implied warranty. + */ +/* ACKNOWLEDGEMENTS: + * This work was originally developed by the University of Michigan + * (as part of U-MICH LDAP). Additional significant contributors + * include: + * Hallvard B. Furuseth + * Howard Chu + * Kurt D. Zeilenga + */ + +#include "portable.h" + +#include <stdio.h> + +#include <ac/ctype.h> +#include <ac/socket.h> +#include <ac/string.h> +#include <ac/time.h> + +#include <pwd.h> + +#include "slap.h" +#include "back-passwd.h" + +static void pw_start( Backend *be ); + +static int pw2entry( + Backend *be, + struct passwd *pw, + Entry *ep ); + +int +passwd_back_search( + Operation *op, + SlapReply *rs ) +{ + struct passwd *pw; + time_t stoptime = (time_t)-1; + + LDAPRDN rdn = NULL; + struct berval parent = BER_BVNULL; + + AttributeDescription *ad_objectClass = slap_schema.si_ad_objectClass; + + if ( op->ors_tlimit != SLAP_NO_LIMIT ) { + stoptime = op->o_time + op->ors_tlimit; + } + + /* Handle a query for the base of this backend */ + if ( be_issuffix( op->o_bd, &op->o_req_ndn ) ) { + struct berval val; + + rs->sr_matched = op->o_req_dn.bv_val; + + if( op->ors_scope != LDAP_SCOPE_ONELEVEL ) { + AttributeDescription *desc = NULL; + char *next; + Entry e = { 0 }; + + /* Create an entry corresponding to the base DN */ + e.e_name.bv_val = ch_strdup( op->o_req_dn.bv_val ); + e.e_name.bv_len = op->o_req_dn.bv_len; + e.e_nname.bv_val = ch_strdup( op->o_req_ndn.bv_val ); + e.e_nname.bv_len = op->o_req_ndn.bv_len; + + /* Use the first attribute of the DN + * as an attribute within the entry itself. + */ + if( ldap_bv2rdn( &op->o_req_dn, &rdn, &next, + LDAP_DN_FORMAT_LDAP ) ) + { + rs->sr_err = LDAP_INVALID_DN_SYNTAX; + goto done; + } + + if( slap_bv2ad( &rdn[0]->la_attr, &desc, &rs->sr_text )) { + rs->sr_err = LDAP_NO_SUCH_OBJECT; + ldap_rdnfree(rdn); + goto done; + } + + attr_merge_normalize_one( &e, desc, &rdn[0]->la_value, NULL ); + + ldap_rdnfree(rdn); + rdn = NULL; + + /* Every entry needs an objectclass. We don't really + * know if our hardcoded choice here agrees with the + * DN that was configured for this backend, but it's + * better than nothing. + * + * should be a configurable item + */ + BER_BVSTR( &val, "organizationalUnit" ); + attr_merge_one( &e, ad_objectClass, &val, NULL ); + + if ( test_filter( op, &e, op->ors_filter ) == LDAP_COMPARE_TRUE ) { + rs->sr_entry = &e; + rs->sr_attrs = op->ors_attrs; + rs->sr_flags = REP_ENTRY_MODIFIABLE; + send_search_entry( op, rs ); + rs->sr_flags = 0; + rs->sr_attrs = NULL; + } + + entry_clean( &e ); + } + + if ( op->ors_scope != LDAP_SCOPE_BASE ) { + /* check all our "children" */ + + ldap_pvt_thread_mutex_lock( &passwd_mutex ); + pw_start( op->o_bd ); + for ( pw = getpwent(); pw != NULL; pw = getpwent() ) { + Entry e = { 0 }; + + /* check for abandon */ + if ( op->o_abandon ) { + endpwent(); + ldap_pvt_thread_mutex_unlock( &passwd_mutex ); + return( SLAPD_ABANDON ); + } + + /* check time limit */ + if ( op->ors_tlimit != SLAP_NO_LIMIT + && slap_get_time() > stoptime ) + { + send_ldap_error( op, rs, LDAP_TIMELIMIT_EXCEEDED, NULL ); + endpwent(); + ldap_pvt_thread_mutex_unlock( &passwd_mutex ); + return( 0 ); + } + + if ( pw2entry( op->o_bd, pw, &e ) ) { + rs->sr_err = LDAP_OTHER; + endpwent(); + ldap_pvt_thread_mutex_unlock( &passwd_mutex ); + goto done; + } + + if ( test_filter( op, &e, op->ors_filter ) == LDAP_COMPARE_TRUE ) { + /* check size limit */ + if ( --op->ors_slimit == -1 ) { + send_ldap_error( op, rs, LDAP_SIZELIMIT_EXCEEDED, NULL ); + endpwent(); + ldap_pvt_thread_mutex_unlock( &passwd_mutex ); + return( 0 ); + } + + rs->sr_entry = &e; + rs->sr_attrs = op->ors_attrs; + rs->sr_flags = REP_ENTRY_MODIFIABLE; + send_search_entry( op, rs ); + rs->sr_flags = 0; + rs->sr_entry = NULL; + } + + entry_clean( &e ); + } + endpwent(); + ldap_pvt_thread_mutex_unlock( &passwd_mutex ); + } + + } else { + char *next; + Entry e = { 0 }; + int rc; + + if (! be_issuffix( op->o_bd, &op->o_req_ndn ) ) { + dnParent( &op->o_req_ndn, &parent ); + } + + /* This backend is only one layer deep. Don't answer requests for + * anything deeper than that. + */ + if( !be_issuffix( op->o_bd, &parent ) ) { + int i; + for( i=0; op->o_bd->be_nsuffix[i].bv_val != NULL; i++ ) { + if( dnIsSuffix( &op->o_req_ndn, &op->o_bd->be_nsuffix[i] ) ) { + rs->sr_matched = op->o_bd->be_suffix[i].bv_val; + break; + } + } + rs->sr_err = LDAP_NO_SUCH_OBJECT; + goto done; + } + + if( op->ors_scope == LDAP_SCOPE_ONELEVEL ) { + goto done; + } + + if ( ldap_bv2rdn( &op->o_req_dn, &rdn, &next, + LDAP_DN_FORMAT_LDAP )) + { + rs->sr_err = LDAP_OTHER; + goto done; + } + + ldap_pvt_thread_mutex_lock( &passwd_mutex ); + pw_start( op->o_bd ); + pw = getpwnam( rdn[0]->la_value.bv_val ); + if ( pw == NULL ) { + rs->sr_matched = parent.bv_val; + rs->sr_err = LDAP_NO_SUCH_OBJECT; + ldap_pvt_thread_mutex_unlock( &passwd_mutex ); + goto done; + } + + rc = pw2entry( op->o_bd, pw, &e ); + ldap_pvt_thread_mutex_unlock( &passwd_mutex ); + if ( rc ) { + rs->sr_err = LDAP_OTHER; + goto done; + } + + if ( test_filter( op, &e, op->ors_filter ) == LDAP_COMPARE_TRUE ) { + rs->sr_entry = &e; + rs->sr_attrs = op->ors_attrs; + rs->sr_flags = REP_ENTRY_MODIFIABLE; + send_search_entry( op, rs ); + rs->sr_flags = 0; + rs->sr_entry = NULL; + rs->sr_attrs = NULL; + } + + entry_clean( &e ); + } + +done: + if( rs->sr_err != LDAP_NO_SUCH_OBJECT ) rs->sr_matched = NULL; + send_ldap_result( op, rs ); + + if( rdn != NULL ) ldap_rdnfree( rdn ); + + return( 0 ); +} + +static void +pw_start( + Backend *be +) +{ + endpwent(); + +#ifdef HAVE_SETPWFILE + if ( be->be_private != NULL ) { + (void) setpwfile( (char *) be->be_private ); + } +#endif /* HAVE_SETPWFILE */ +} + +static int +pw2entry( Backend *be, struct passwd *pw, Entry *e ) +{ + size_t pwlen; + struct berval val; + struct berval bv; + + int rc; + + /* + * from pw we get pw_name and make it cn + * give it an objectclass of person. + */ + + pwlen = strlen( pw->pw_name ); + val.bv_len = STRLENOF("uid=,") + ( pwlen + be->be_suffix[0].bv_len ); + val.bv_val = ch_malloc( val.bv_len + 1 ); + + /* rdn attribute type should be a configurable item */ + sprintf( val.bv_val, "uid=%s,%s", + pw->pw_name, be->be_suffix[0].bv_val ); + + rc = dnNormalize( 0, NULL, NULL, &val, &bv, NULL ); + if( rc != LDAP_SUCCESS ) { + free( val.bv_val ); + return( -1 ); + } + + e->e_name = val; + e->e_nname = bv; + + e->e_attrs = NULL; + + /* objectclasses should be configurable items */ + BER_BVSTR( &val, "person" ); + attr_merge_one( e, slap_schema.si_ad_objectClass, &val, NULL ); + + BER_BVSTR( &val, "uidObject" ); + attr_merge_one( e, slap_schema.si_ad_objectClass, &val, NULL ); + + val.bv_val = pw->pw_name; + val.bv_len = pwlen; + attr_merge_normalize_one( e, slap_schema.si_ad_uid, &val, NULL ); /* required by uidObject */ + attr_merge_normalize_one( e, slap_schema.si_ad_cn, &val, NULL ); /* required by person */ + attr_merge_normalize_one( e, ad_sn, &val, NULL ); /* required by person */ + +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS + /* + * if gecos is present, add user's full name as a cn. first process it + * according to standard BSD usage. If the processed cn has + * a space, use the tail as the surname. + */ + if (pw->pw_gecos[0]) { + char *s; + char buf[1024]; + + ber_str2bv( pw->pw_gecos, 0, 0, &val ); + attr_merge_normalize_one( e, ad_desc, &val, NULL ); + + s = strchr( val.bv_val, (unsigned char)',' ); + if ( s ) { + *s = '\0'; + val.bv_len = s - val.bv_val; + } + + s = strchr( val.bv_val, (unsigned char)'&' ); + if ( s ) { + unsigned r = sizeof buf; + /* if name with expanded `&` fits in buf */ + if ( val.bv_len + pwlen <= r ) { + char * d = buf; + + for (;;) { + size_t const i = s - val.bv_val; + memcpy( d, val.bv_val, i ); + d += i; + memcpy( d, pw->pw_name, pwlen ); + *d = TOUPPER((unsigned char)*pw->pw_name); + d += pwlen; + r -= pwlen + i; + val.bv_len -= i + 1; + val.bv_val = s + 1; + + s = strchr( val.bv_val, (unsigned char)'&' ); + if (!(s && ( val.bv_len + pwlen <= r ))) + break; + } + strcpy( d, val.bv_val ); + val.bv_len = d - buf + val.bv_len; + val.bv_val = buf; + } // 1st fits + } // 1st & + + if ( val.bv_len && strcasecmp( val.bv_val, pw->pw_name ) ) { + attr_merge_normalize_one( e, slap_schema.si_ad_cn, &val, NULL ); + } + + if ( ( s = strrchr(val.bv_val, ' ' ) ) ) { + ber_str2bv( s + 1, 0, 0, &val ); + attr_merge_normalize_one( e, ad_sn, &val, NULL ); + } + } +#endif /* HAVE_STRUCT_PASSWD_PW_GECOS */ + + return( 0 ); +} |