More for session management
This commit is contained in:
parent
aa494bd8c0
commit
4a6d46dfa9
4 changed files with 96 additions and 105 deletions
|
|
@ -120,7 +120,7 @@ of the authorizedServiceObject auxiliary class) to use this method.
|
|||
Session management: the overlay may optionally add a "logged in" attribute
|
||||
to a user's entry for successful logins, and delete the corresponding
|
||||
value upon logout. The attribute value is of the form
|
||||
<service> <host> <generalizedTime>
|
||||
<host> <service> <tty> <ruser@rhost> <generalizedTime>
|
||||
|
||||
Password management: the overlay will perform a PasswordModify exop
|
||||
in the server for the given user.
|
||||
|
|
|
|||
|
|
@ -414,135 +414,102 @@ int pam_sm_acct_mgmt(
|
|||
return rc;
|
||||
}
|
||||
|
||||
static enum nss_status pam_do_sess_o(
|
||||
pld_ctx *ctx, const char *svc,int *errnop)
|
||||
static enum nss_status pam_do_sess(
|
||||
pam_handle_t *pamh,pld_ctx *ctx,int action,int *errnop)
|
||||
{
|
||||
NSS_BYGEN(NSLCD_ACTION_PAM_SESS_O,
|
||||
const char *svc = NULL, *tty = NULL, *rhost = NULL, *ruser = NULL;
|
||||
|
||||
pam_get_item (pamh, PAM_SERVICE, (CONST_ARG void **) &svc);
|
||||
pam_get_item (pamh, PAM_TTY, (CONST_ARG void **) &tty);
|
||||
pam_get_item (pamh, PAM_RHOST, (CONST_ARG void **) &rhost);
|
||||
pam_get_item (pamh, PAM_RUSER, (CONST_ARG void **) &ruser);
|
||||
|
||||
{
|
||||
NSS_BYGEN(action,
|
||||
WRITE_STRING(fp,ctx->user);
|
||||
WRITE_STRING(fp,ctx->dn);
|
||||
WRITE_STRING(fp,svc),
|
||||
WRITE_STRING(fp,svc);
|
||||
WRITE_STRING(fp,tty);
|
||||
WRITE_STRING(fp,rhost);
|
||||
WRITE_STRING(fp,ruser),
|
||||
NSS_STATUS_SUCCESS);
|
||||
}
|
||||
}
|
||||
|
||||
int pam_sm_session(
|
||||
pam_handle_t *pamh, int flags, int argc, const char **argv,
|
||||
int action, int *no_warn)
|
||||
{
|
||||
int rc, err;
|
||||
const char *username;
|
||||
int ignore_flags = 0;
|
||||
int i, success = PAM_SUCCESS;
|
||||
pld_ctx *ctx = NULL;
|
||||
|
||||
for (i = 0; i < argc; i++)
|
||||
{
|
||||
if (!strcmp (argv[i], "use_first_pass"))
|
||||
;
|
||||
else if (!strcmp (argv[i], "try_first_pass"))
|
||||
;
|
||||
else if (!strcmp (argv[i], "no_warn"))
|
||||
*no_warn = 1;
|
||||
else if (!strcmp (argv[i], "ignore_unknown_user"))
|
||||
ignore_flags |= IGNORE_UNKNOWN;
|
||||
else if (!strcmp (argv[i], "ignore_authinfo_unavail"))
|
||||
ignore_flags |= IGNORE_UNAVAIL;
|
||||
else if (!strcmp (argv[i], "debug"))
|
||||
;
|
||||
else
|
||||
syslog (LOG_ERR, "illegal option %s", argv[i]);
|
||||
}
|
||||
|
||||
if (flags & PAM_SILENT)
|
||||
*no_warn = 1;
|
||||
|
||||
rc = pam_get_user (pamh, (CONST_ARG char **) &username, NULL);
|
||||
if (rc != PAM_SUCCESS)
|
||||
return rc;
|
||||
|
||||
if (username == NULL)
|
||||
return PAM_USER_UNKNOWN;
|
||||
|
||||
rc = pam_get_ctx(pamh, username, &ctx);
|
||||
if (rc != PAM_SUCCESS)
|
||||
return rc;
|
||||
|
||||
rc = pam_do_sess(pamh, ctx, action, &err);
|
||||
NSS2PAM_RC(rc, ignore_flags, PAM_SUCCESS);
|
||||
return rc;
|
||||
}
|
||||
|
||||
int pam_sm_open_session(
|
||||
pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
{
|
||||
int rc, err;
|
||||
const char *username, *svc;
|
||||
int no_warn = 0, ignore_flags = 0;
|
||||
int i, success = PAM_SUCCESS;
|
||||
int rc, no_warn = 0;
|
||||
struct pam_conv *appconv;
|
||||
pld_ctx *ctx = NULL;
|
||||
|
||||
for (i = 0; i < argc; i++)
|
||||
{
|
||||
if (!strcmp (argv[i], "use_first_pass"))
|
||||
;
|
||||
else if (!strcmp (argv[i], "try_first_pass"))
|
||||
;
|
||||
else if (!strcmp (argv[i], "no_warn"))
|
||||
no_warn = 1;
|
||||
else if (!strcmp (argv[i], "ignore_unknown_user"))
|
||||
ignore_flags |= IGNORE_UNKNOWN;
|
||||
else if (!strcmp (argv[i], "ignore_authinfo_unavail"))
|
||||
ignore_flags |= IGNORE_UNAVAIL;
|
||||
else if (!strcmp (argv[i], "debug"))
|
||||
;
|
||||
else
|
||||
syslog (LOG_ERR, "illegal option %s", argv[i]);
|
||||
}
|
||||
|
||||
if (flags & PAM_SILENT)
|
||||
no_warn = 1;
|
||||
|
||||
rc = pam_get_item (pamh, PAM_CONV, (CONST_ARG void **) &appconv);
|
||||
if (rc != PAM_SUCCESS)
|
||||
return rc;
|
||||
|
||||
rc = pam_get_user (pamh, (CONST_ARG char **) &username, NULL);
|
||||
if (rc != PAM_SUCCESS)
|
||||
return rc;
|
||||
|
||||
if (username == NULL)
|
||||
return PAM_USER_UNKNOWN;
|
||||
|
||||
rc = pam_get_ctx(pamh, username, &ctx);
|
||||
if (rc != PAM_SUCCESS)
|
||||
return rc;
|
||||
|
||||
rc = pam_get_item (pamh, PAM_SERVICE, (CONST_ARG void **) &svc);
|
||||
if (rc != PAM_SUCCESS)
|
||||
return rc;
|
||||
|
||||
rc = pam_do_sess_o(ctx, svc, &err);
|
||||
NSS2PAM_RC(rc, ignore_flags, PAM_SUCCESS);
|
||||
rc = pam_sm_session(pamh,flags,argc,argv,NSLCD_ACTION_PAM_SESS_O,&no_warn);
|
||||
if (rc != PAM_SUCCESS && rc != PAM_IGNORE)
|
||||
pam_warn(appconv, "LDAP open_session failed", PAM_ERROR_MSG, no_warn);
|
||||
return rc;
|
||||
}
|
||||
|
||||
static enum nss_status pam_do_sess_c(
|
||||
pld_ctx *ctx, const char *svc,int *errnop)
|
||||
{
|
||||
NSS_BYGEN(NSLCD_ACTION_PAM_SESS_C,
|
||||
WRITE_STRING(fp,ctx->user);
|
||||
WRITE_STRING(fp,ctx->dn);
|
||||
WRITE_STRING(fp,svc),
|
||||
NSS_STATUS_SUCCESS);
|
||||
}
|
||||
|
||||
int pam_sm_close_session(
|
||||
pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
{
|
||||
int rc, err;
|
||||
const char *username, *svc;
|
||||
int no_warn = 0, ignore_flags = 0;
|
||||
int i, success = PAM_SUCCESS;
|
||||
int rc, no_warn = 0;;
|
||||
struct pam_conv *appconv;
|
||||
pld_ctx *ctx = NULL;
|
||||
|
||||
for (i = 0; i < argc; i++)
|
||||
{
|
||||
if (!strcmp (argv[i], "use_first_pass"))
|
||||
;
|
||||
else if (!strcmp (argv[i], "try_first_pass"))
|
||||
;
|
||||
else if (!strcmp (argv[i], "no_warn"))
|
||||
no_warn = 1;
|
||||
else if (!strcmp (argv[i], "ignore_unknown_user"))
|
||||
ignore_flags |= IGNORE_UNKNOWN;
|
||||
else if (!strcmp (argv[i], "ignore_authinfo_unavail"))
|
||||
ignore_flags |= IGNORE_UNAVAIL;
|
||||
else if (!strcmp (argv[i], "debug"))
|
||||
;
|
||||
else
|
||||
syslog (LOG_ERR, "illegal option %s", argv[i]);
|
||||
}
|
||||
|
||||
if (flags & PAM_SILENT)
|
||||
no_warn = 1;
|
||||
|
||||
rc = pam_get_item (pamh, PAM_CONV, (CONST_ARG void **) &appconv);
|
||||
if (rc != PAM_SUCCESS)
|
||||
return rc;
|
||||
|
||||
rc = pam_get_user (pamh, (CONST_ARG char **) &username, NULL);
|
||||
if (rc != PAM_SUCCESS)
|
||||
return rc;
|
||||
|
||||
if (username == NULL)
|
||||
return PAM_USER_UNKNOWN;
|
||||
|
||||
rc = pam_get_ctx(pamh, username, &ctx);
|
||||
if (rc != PAM_SUCCESS)
|
||||
return rc;
|
||||
|
||||
rc = pam_get_item (pamh, PAM_SERVICE, (CONST_ARG void **) &svc);
|
||||
if (rc != PAM_SUCCESS)
|
||||
return rc;
|
||||
|
||||
rc = pam_do_sess_c(ctx, svc, &err);
|
||||
NSS2PAM_RC(rc, ignore_flags, PAM_SUCCESS);
|
||||
rc = pam_sm_session(pamh,flags,argc,argv,NSLCD_ACTION_PAM_SESS_C,&no_warn);
|
||||
if (rc != PAM_SUCCESS && rc != PAM_IGNORE)
|
||||
pam_warn(appconv, "LDAP close_session failed", PAM_ERROR_MSG, no_warn);
|
||||
return rc;
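Review bot: The new pam_do_sess drops the status check that the removed open/close_session bodies had on `pam_get_item(pamh, PAM_SERVICE, ...)`: all four pam_get_item calls after its signature discard their return value, so a failed PAM_SERVICE lookup leaves svc NULL and the request is still sent, with whatever WRITE_STRING does for a NULL pointer, which the hunk does not show. PAM_TTY, PAM_RHOST and PAM_RUSER may legitimately be unset, but PAM_SERVICE should be treated as the old code did, e.g. `if (pam_get_item(pamh, PAM_SERVICE, (CONST_ARG void **) &svc) != PAM_SUCCESS || svc == NULL) return NSS_STATUS_UNAVAIL;` (confirm that NSS2PAM_RC maps that status to the PAM error intended here). Separately, in pam_sm_session `success` is declared but never used and `err` is written by pam_do_sess but never read, and the new `int rc, no_warn = 0;;` line in pam_sm_close_session carries a stray semicolon. The tail of pam_sm_acct_mgmt at the top of the hunk and the closing brace of pam_sm_close_session lie outside the hunk.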
|
||||
|
|
|
|||
|
|
@ -327,8 +327,8 @@ static void handleconnection(nssov_info *ni,int sock,Operation *op)
|
|||
case NSLCD_ACTION_SHADOW_ALL: if (uid==0) (void)nssov_shadow_all(ni,fp,op); break;
|
||||
case NSLCD_ACTION_PAM_AUTHC: (void)pam_authc(ni,fp,op); break;
|
||||
case NSLCD_ACTION_PAM_AUTHZ: (void)pam_authz(ni,fp,op); break;
|
||||
case NSLCD_ACTION_PAM_SESS_O: (void)pam_sess_o(ni,fp,op); break;
|
||||
case NSLCD_ACTION_PAM_SESS_C: (void)pam_sess_c(ni,fp,op); break;
|
||||
case NSLCD_ACTION_PAM_SESS_O: if (uid==0) (void)pam_sess_o(ni,fp,op); break;
|
||||
case NSLCD_ACTION_PAM_SESS_C: if (uid==0) (void)pam_sess_c(ni,fp,op); break;
|
||||
case NSLCD_ACTION_PAM_PWMOD: (void)pam_pwmod(ni,fp,op); break;
|
||||
default:
|
||||
Debug( LDAP_DEBUG_ANY,"nssov: invalid request id: %d",(int)action,0,0);
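Review bot: The new `if (uid==0)` gates on the NSLCD_ACTION_PAM_SESS_O and NSLCD_ACTION_PAM_SESS_C cases drop a non-root request without writing a reply or leaving a trace, so a misconfigured or unprivileged client gets no diagnostic and the server keeps no record of the refused call; this is the shape already used for NSLCD_ACTION_SHADOW_ALL, so it matches the file, but the rejection is invisible. At minimum a comment stating why these two actions are root-only would help the next reader, e.g. `/* session open/close modify the user's entry; only root-owned clients may request them */` (presumably the reason, confirm), and a trace in the refused path, in the style of the Debug call in the default case, would make the drop observable. The enclosing handleconnection starts and ends outside the hunk.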
|
||||
|
|
|
|||
|
|
@ -451,11 +451,14 @@ finish:
|
|||
|
||||
int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op)
|
||||
{
|
||||
struct berval dn, uid, svc;
|
||||
struct berval dn, uid, svc, tty, rhost, ruser;
|
||||
int32_t tmpint32;
|
||||
char dnc[1024];
|
||||
char svcc[256];
|
||||
char uidc[32];
|
||||
char ttyc[32];
|
||||
char rhostc[256];
|
||||
char ruserc[32];
|
||||
|
||||
READ_STRING_BUF2(fp,uidc,sizeof(uidc));
|
||||
uid.bv_val = uidc;
|
||||
|
|
@ -466,6 +469,15 @@ int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op)
|
|||
READ_STRING_BUF2(fp,svcc,sizeof(svcc));
|
||||
svc.bv_val = svcc;
|
||||
svc.bv_len = tmpint32;
|
||||
READ_STRING_BUF2(fp,ttyc,sizeof(ttyc));
|
||||
tty.bv_val = ttyc;
|
||||
tty.bv_len = tmpint32;
|
||||
READ_STRING_BUF2(fp,rhostc,sizeof(rhostc));
|
||||
rhost.bv_val = rhostc;
|
||||
rhost.bv_len = tmpint32;
|
||||
READ_STRING_BUF2(fp,ruserc,sizeof(ruserc));
|
||||
ruser.bv_val = ruserc;
|
||||
ruser.bv_len = tmpint32;
|
||||
|
||||
Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_o(%s)\n",dn.bv_val,0,0);
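Review bot: The nine lines added after `svc.bv_len = tmpint32;` read tty, rhost and ruser into fixed 32- and 256-byte stack buffers, and the identical block is added again in pam_sess_c (hunk @ -492); whether READ_STRING_BUF2 rejects or truncates a value longer than its buffer is decided by the macro, which is not in view, and the README hunk shows these values become part of the user's "logged in" attribute value, so the bound that applies should be stated where the bervals are consumed (outside this hunk). rhost and ruser arrive from the PAM client's PAM_RHOST/PAM_RUSER items, which network-facing services typically fill in from the remote peer, so a note such as `/* NOTE(review): tty/rhost/ruser are client-supplied and presumably stored verbatim in the logged-in attribute; length is bounded only by READ_STRING_BUF2 — confirm */` would record that assumption for the next maintainer. The three-field read sequence is now duplicated verbatim between pam_sess_o and pam_sess_c and could live in one static helper. Both functions continue past the hunk.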
|
||||
|
||||
|
|
@ -477,11 +489,14 @@ int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op)
|
|||
|
||||
int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op)
|
||||
{
|
||||
struct berval dn, uid, svc;
|
||||
struct berval dn, uid, svc, tty, rhost, ruser;
|
||||
int32_t tmpint32;
|
||||
char dnc[1024];
|
||||
char svcc[256];
|
||||
char uidc[32];
|
||||
char ttyc[32];
|
||||
char rhostc[256];
|
||||
char ruserc[32];
|
||||
|
||||
READ_STRING_BUF2(fp,uidc,sizeof(uidc));
|
||||
uid.bv_val = uidc;
|
||||
|
|
@ -492,6 +507,15 @@ int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op)
|
|||
READ_STRING_BUF2(fp,svcc,sizeof(svcc));
|
||||
svc.bv_val = svcc;
|
||||
svc.bv_len = tmpint32;
|
||||
READ_STRING_BUF2(fp,ttyc,sizeof(ttyc));
|
||||
tty.bv_val = ttyc;
|
||||
tty.bv_len = tmpint32;
|
||||
READ_STRING_BUF2(fp,rhostc,sizeof(rhostc));
|
||||
rhost.bv_val = rhostc;
|
||||
rhost.bv_len = tmpint32;
|
||||
READ_STRING_BUF2(fp,ruserc,sizeof(ruserc));
|
||||
ruser.bv_val = ruserc;
|
||||
ruser.bv_len = tmpint32;
|
||||
|
||||
Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_c(%s)\n",dn.bv_val,0,0);
|
||||
|
||||
|
|
|
|||