Date: Fri, 10 Dec 2010 12:57:45 GMT From: Konstantin Menshikov <k.menshikov@peterhost.ru> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/152987: [patch] net/nss_ldap, option nss_initgroups_ignoreusers ignored Message-ID: <201012101257.oBACvjEp005508@red.freebsd.org> Resent-Message-ID: <201012101300.oBAD0TSo081176@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 152987 >Category: ports >Synopsis: [patch] net/nss_ldap, option nss_initgroups_ignoreusers ignored >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Fri Dec 10 13:00:29 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Konstantin Menshikov >Release: FreeBSD 8.1-RELEASE amd64 >Organization: >Environment: FreeBSD nscd.kmenshikov.devel.hostcomm.ru 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Thu Sep 2 02:56:24 UTC 2010 root@tinderbox.infra.hc.ru:/usr/obj/usr/src/sys/GENERIC amd64 >Description: Option nss_initgroups_ignoreusers for net/nss_ldap not working for function getgrouplist(), getgrouplist() called from initgroups(). Call getgroplist() on freebsd used nss_ldap function __nss_compat_getgrent_r(), because not realized function for "getgroupmembership". Option nss_initgroups_ignoreusers checked in _nss_ldap_initgroups_dyn(). Therefore option not working. I`m found patch http://lists.freebsd.org/pipermail/freebsd-current/2007-July/075131.html (for bsdnss.c) and corrected it. This implemented special function for getgroupmembership search. Run and testing on my freebsd box, option nss_initgroups_ignoreusers works fine. >How-To-Repeat: Configure you system for authentication in LDAP http://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/index.html Add in /usr/local/etc/nss_ldap.conf "nss_initgroups_ignoreusers nobody", run "id nobody". Look ldap server logs (you see search loockup for get group list) or build net/nss_ldap with debug (CFLAGS+=-DDEBUG in make.conf) and see debug trace. >Fix: Need apply patch to bsdnss.c and rebuild nss_ldap. Patch attached with submission follows: --- bsdnss.c.old 2010-12-09 13:04:25.000000000 +0000 +++ bsdnss.c 2010-12-09 13:02:37.000000000 +0000 @@ -1,9 +1,11 @@ #include <errno.h> +#include <stdlib.h> #include <sys/param.h> #include <netinet/in.h> #include <pwd.h> #include <grp.h> #include <nss.h> +#include <nsswitch.h> #include <netdb.h> extern enum nss_status _nss_ldap_getgrent_r(struct group *, char *, size_t, @@ -14,6 +16,8 @@ size_t, int *); extern enum nss_status _nss_ldap_setgrent(void); extern enum nss_status _nss_ldap_endgrent(void); +extern enum nss_status _nss_ldap_initgroups_dyn(const char *, gid_t, long int *, + long int *, gid_t **, long int, int *); extern enum nss_status _nss_ldap_getpwent_r(struct passwd *, char *, size_t, int *); @@ -40,6 +44,7 @@ NSS_METHOD_PROTOTYPE(__nss_compat_getgrent_r); NSS_METHOD_PROTOTYPE(__nss_compat_setgrent); NSS_METHOD_PROTOTYPE(__nss_compat_endgrent); +static NSS_METHOD_PROTOTYPE(__freebsd_getgroupmembership); NSS_METHOD_PROTOTYPE(__nss_compat_getpwnam_r); NSS_METHOD_PROTOTYPE(__nss_compat_getpwuid_r); @@ -57,6 +62,7 @@ { NSDB_GROUP, "getgrent_r", __nss_compat_getgrent_r, _nss_ldap_getgrent_r }, { NSDB_GROUP, "setgrent", __nss_compat_setgrent, _nss_ldap_setgrent }, { NSDB_GROUP, "endgrent", __nss_compat_endgrent, _nss_ldap_endgrent }, +{ NSDB_GROUP, "getgroupmembership", __freebsd_getgroupmembership, NULL }, { NSDB_PASSWD, "getpwnam_r", __nss_compat_getpwnam_r, _nss_ldap_getpwnam_r }, { NSDB_PASSWD, "getpwuid_r", __nss_compat_getpwuid_r, _nss_ldap_getpwuid_r }, @@ -156,3 +162,58 @@ h_errno = h_errnop; return (status); } + +static int +__gr_addgid(gid_t gid, gid_t *groups, int maxgrp, int *groupc) +{ + int ret, dupc; + + /* skip duplicates */ + for (dupc = 0; dupc < MIN(maxgrp, *groupc); dupc++) { + if (groups[dupc] == gid) + return 1; + } + + ret = 1; + if (*groupc < maxgrp) /* add this gid */ + groups[*groupc] = gid; + else + ret = 0; + (*groupc)++; + return ret; +} + +static int __freebsd_getgroupmembership(void *retval, void *mdata, va_list ap) +{ + int err; + enum nss_status s; + const char *user = va_arg(ap, const char *); + gid_t group = va_arg(ap, gid_t); + gid_t *groups = va_arg(ap, gid_t *); + int limit = va_arg(ap, int); + int *size = va_arg(ap, int*); + gid_t *tmpgroups; + long int lstart, lsize; + int i; + + tmpgroups = malloc(limit * sizeof(gid_t)); + if (tmpgroups == NULL) + return NS_TRYAGAIN; + + /* insert primary membership */ + __gr_addgid(group, groups, limit, size); + + lstart = 0; + lsize = limit; + s = _nss_ldap_initgroups_dyn(user, group, &lstart, &lsize, + &tmpgroups, 0, &err); + if (s == NSS_STATUS_SUCCESS) { + for (i = 0; i < lstart; i++) + __gr_addgid(tmpgroups[i], groups, limit, size); + s = NSS_STATUS_NOTFOUND; + } + + free(tmpgroups); + + return __nss_compat_result(s, err); +} >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201012101257.oBACvjEp005508>