Move all packages to root.
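--- pam_ldap-176/Makefile.am 2004-09-30 22:33:14.000000000 -0400
+++ pam_ldap-176/Makefile.am 2004-10-28 17:24:13.691936696 -0400
@@ -2,7 +2,7 @@ noinst_PROGRAMS = pam_ldap.so
 EXTRA_DIST = COPYING.LIB CVSVersionInfo.txt ChangeLog README \
 ldap.conf pam.conf pam_ldap.spec pam.d
 
-pam_ldap_so_SOURCES = pam_ldap.c pam_ldap.h md5.c md5.h vers.c
+pam_ldap_so_SOURCES = pam_ldap.c pam_ldap.h md5.c md5.h vers.c resolve.c resolve.h dnsconfig.c dnsconfig.h snprintf.c snprintf.h
 pam_ldap_so_LDFLAGS = @pam_ldap_so_LDFLAGS@
 
 man_MANS = pam_ldap.5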
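--- pam_ldap-176/configure.in 2004-09-30 22:33:14.000000000 -0400
+++ pam_ldap-176/configure.in 2004-10-28 17:24:13.692936544 -0400
@@ -133,6 +133,38 @@
 AC_CHECK_FUNCS(ldap_initialize)
 AC_CHECK_FUNCS(ldap_sasl_bind ldap_sasl_interactive_bind_s)
 AC_CHECK_FUNCS(gethostbyname_r)
+AC_CHECK_FUNCS(snprintf strtok_r)
+AC_CHECK_LIB(resolv, main)
+AC_CHECK_HEADERS(resolv.h)
+AC_CHECK_FUNCS(res_search dn_expand)
+if test x$ac_cv_func_res_search = xno ; then
+ AC_MSG_CHECKING([for res_search again])
+ AC_TRY_LINK([#ifdef HAVE_RESOLV_H
+ #include <resolv.h>
+ #endif
+ #ifdef HAVE_STDLIB_H
+ #include <stdlib.h>
+ #endif],
+ [res_search(NULL,0,0,NULL,0);],
+ AC_DEFINE(HAVE_RES_SEARCH,1,
+ [Define if you have res_search().])
+ ac_cv_func_res_search=yes)
+ AC_CHECK_FUNCS(res_search)
+fi
+if test x$ac_cv_func_dn_expand = xno ; then
+ AC_MSG_CHECKING([for dn_expand again])
+ AC_TRY_LINK([#ifdef HAVE_RESOLV_H
+ #include <resolv.h>
+ #endif
+ #ifdef HAVE_STDLIB_H
+ #include <stdlib.h>
+ #endif],
+ [dn_expand(NULL,NULL,NULL,NULL,0);],
+ AC_DEFINE(HAVE_DN_EXPAND,1,
+ [Define if you have dn_expand().])
+ ac_cv_func_dn_expand=yes)
+ AC_CHECK_FUNCS(dn_expand)
+fi
 
 if test "$ac_cv_func_gethostbyname_r" = "yes"; then
 AC_CACHE_CHECK(whether gethostbyname_r takes 6 arguments, xad_cv_gethostbyname_r_args, [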
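Review bot: `AC_CHECK_LIB(resolv, main)` only proves that libresolv links at all; probing a symbol the new code actually calls, `AC_CHECK_LIB(resolv, res_search)`, makes the result meaningful, and the "again" retry blocks suggest the plain symbol probe is already known to misfire on some libcs (the retry links against `<resolv.h>` where `res_search` may be a macro for a differently named symbol). Both fallback `AC_MSG_CHECKING` calls have no matching `AC_MSG_RESULT`, so configure output is left dangling when the retry runs, and `AC_TRY_LINK` is the obsolete spelling of `AC_LINK_IFELSE`. If the retry succeeds it sets `ac_cv_func_res_search=yes` and then calls `AC_CHECK_FUNCS(res_search)` again, which reads that cache variable, so the second `AC_DEFINE` is redundant with the one inside the retry.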
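--- /dev/null 2004-10-19 17:45:17.794252000 -0400
+++ pam_ldap-176/dnsconfig.c 2004-10-28 17:32:36.915435096 -0400
@@ -0,0 +1,214 @@
+
+/* Copyright (C) 1997-2001 Luke Howard.
+ This file started off as part of the nss_ldap library.
+ Contributed by Luke Howard, <lukeh@padl.com>, 1997.
+ (The author maintains a non-exclusive licence to distribute this file
+ under their own conditions.)
+
+ The nss_ldap library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public License as
+ published by the Free Software Foundation; either version 2 of the
+ License, or (at your option) any later version.
+
+ The nss_ldap library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Library General Public
+ License along with the nss_ldap library; see the file COPYING.LIB. If not,
+ write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ Boston, MA 02111-1307, USA.
+ */
+
+/*
+ * Support DNS SRV records. I look up the SRV record for
+ * _ldap._tcp.gnu.org.
+ * and build the DN DC=gnu,DC=org.
+ * Thanks to Assar & co for resolve.[ch].
+ */
+
+static char rcsId[] = "$Id: dnsconfig.c,v 2.24 2001/02/27 14:44:31 lukeh Exp $";
+
+#include "config.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/param.h>
+#include <netdb.h>
+#include <syslog.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <string.h>
+
+#ifdef HAVE_LBER_H
+#include <lber.h>
+#endif
+#ifdef HAVE_LDAP_H
+#include <ldap.h>
+#endif
+
+#ifndef HAVE_SNPRINTF
+#include "snprintf.h"
+#endif
+
+#include "pam_ldap.h"
+#include "resolve.h"
+#include "dnsconfig.h"
+
+#define DC_ATTR "DC"
+#define DC_ATTR_AVA DC_ATTR "="
+#define DC_ATTR_AVA_LEN (sizeof(DC_ATTR_AVA) - 1)
+
+/* map gnu.org into DC=gnu,DC=org */
+int
+_pam_ldap_getdnsdn (char *src_domain, char **rval)
+{
+ char *p;
+ int len = 0;
+#ifdef HAVE_STRTOK_R
+ char *st = NULL;
+#endif
+ char *domain;
+ char domain_copy[BUFSIZ], buffer[BUFSIZ];
+
+ /* we need to take a copy of domain, because strtok() modifies
+ * it in place. Bad.
+ */
+ if (strlen (src_domain) >= sizeof (domain_copy))
+ {
+ return PAM_SYSTEM_ERR;
+ }
+ memset (domain_copy, '\0', sizeof (domain_copy));
+ memset (buffer, '\0', sizeof (buffer));
+ strcpy (domain_copy, src_domain);
+
+ domain = domain_copy;
+
+#ifndef HAVE_STRTOK_R
+ while ((p = strtok (domain, ".")))
+#else
+ while ((p = strtok_r (domain, ".", &st)))
+#endif
+ {
+ len = strlen (p);
+
+ if (strlen (buffer) + DC_ATTR_AVA_LEN + len + 1 >= sizeof (buffer))
+ {
+ return PAM_SYSTEM_ERR;
+ }
+
+ if (domain == NULL)
+ {
+ strcat (buffer, ",");
+ }
+ else
+ {
+ domain = NULL;
+ }
+
+ strcat (buffer, DC_ATTR_AVA);
+ strcat (buffer, p);
+ }
+
+ if (rval != NULL)
+ {
+ *rval = strdup (buffer);
+ }
+
+ return PAM_SUCCESS;
+}
+
+
+int
+_pam_ldap_readconfigfromdns (pam_ldap_config_t * result)
+{
+ int stat = PAM_SUCCESS;
+ struct dns_reply *r;
+ struct resource_record *rr;
+ char domain[MAXHOSTNAMELEN + 1];
+
+ /* only reinitialize variables we'll change here */
+ result->host = NULL;
+ result->base = NULL;
+ result->port = LDAP_PORT;
+#ifdef LDAP_VERSION3
+ result->version = LDAP_VERSION3;
+#else
+ result->version = LDAP_VERSION2;
+#endif /* LDAP_VERSION3 */
+
+ if ((_res.options & RES_INIT) == 0 && res_init () == -1)
+ {
+ return PAM_SYSTEM_ERR;
+ }
+
+ snprintf (domain, sizeof (domain), "_ldap._tcp.%s.", _res.defdname);
+
+ r = dns_lookup (domain, "srv");
+ if (r == NULL)
+ {
+ return PAM_SYSTEM_ERR;
+ }
+
+ /* XXX need to sort by priority and reorder using weights */
+ for (rr = r->head; rr != NULL; rr = rr->next)
+ {
+ if (rr->type == T_SRV)
+ {
+ if (result->host != NULL)
+ {
+ /* need more space */
+ int length;
+ char *tmp;
+ length = strlen (result->host) + 1 +
+ strlen (rr->u.srv->target) + 1 + 5 + 1;
+ tmp = malloc (length);
+ if (tmp == NULL)
+ {
+ dns_free_data (r);
+ return PAM_BUF_ERR;
+ }
+ sprintf (tmp, "%s %s:%d", result->host, rr->u.srv->target,
+ rr->u.srv->port);
+ free (result->host);
+ result->host = tmp;
+ }
+ else
+ {
+ /* Server Host */
+ result->host = strdup (rr->u.srv->target);
+ if (result->host == NULL)
+ {
+ dns_free_data (r);
+ return PAM_BUF_ERR;
+ }
+ /* Port */
+ result->port = rr->u.srv->port;
+ }
+
+#ifdef LDAPS_PORT
+ /* Hack: if the port is the registered SSL port, enable SSL. */
+ if (result->port == LDAPS_PORT)
+ {
+ result->ssl_on = SSL_LDAPS;
+ }
+#endif /* SSL */
+
+ /* DN */
+ stat = _pam_ldap_getdnsdn (_res.defdname, &result->base);
+ if (stat != PAM_SUCCESS)
+ {
+ dns_free_data (r);
+ return stat;
+ }
+ }
+ }
+
+ dns_free_data (r);
+ stat = PAM_SUCCESS;
+
+ return stat;
+}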
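Review bot: `_pam_ldap_readconfigfromdns` calls `_pam_ldap_getdnsdn (_res.defdname, &result->base)` inside the SRV loop, so with more than one SRV record every iteration `strdup`s a fresh DN into `result->base` and the previous copy is leaked; the DN depends only on `_res.defdname`, so derive it once after the loop. The function also returns PAM_SUCCESS with `result->host` still NULL when the reply carries no `T_SRV` record (whether `dns_lookup` can return such a reply depends on resolve.c, which is outside this chunk), and the caller in pam_ldap.c checks only the return code. In `_pam_ldap_getdnsdn` the `strdup` result is unchecked, so an allocation failure hands back `*rval == NULL` with PAM_SUCCESS; `if (*rval == NULL) return PAM_BUF_ERR;` after the `strdup` closes that. Both the server list and the base DN come from unauthenticated resolver answers keyed on `_res.defdname`, so a syslog line naming the host that was picked would let operators see when this path is taken.
```c
      /* … unchanged: host/port handling for this SRV record, DN derivation removed from the loop … */
        }
    }

  /* No T_SRV record in the reply: fail instead of returning PAM_SUCCESS
   * with result->host still NULL. */
  if (result->host == NULL)
    {
      dns_free_data (r);
      return PAM_SYSTEM_ERR;
    }

  /* Derive the base DN once; doing it per record leaked each previous copy. */
  stat = _pam_ldap_getdnsdn (_res.defdname, &result->base);
  dns_free_data (r);
  return stat;
}
```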
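--- /dev/null 2004-10-19 17:45:17.794252000 -0400
+++ pam_ldap-176/dnsconfig.h 2004-10-28 17:24:13.694936240 -0400
@@ -0,0 +1,35 @@
+/* Copyright (C) 1997-2001 Luke Howard.
+ This file started off as part of the nss_ldap library.
+ Contributed by Luke Howard, <lukeh@padl.com>, 1997.
+ (The author maintains a non-exclusive licence to distribute this file
+ under their own conditions.)
+
+ The nss_ldap library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public License as
+ published by the Free Software Foundation; either version 2 of the
+ License, or (at your option) any later version.
+
+ The nss_ldap library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Library General Public
+ License along with the nss_ldap library; see the file COPYING.LIB. If not,
+ write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ Boston, MA 02111-1307, USA.
+ */
+
+#ifndef _LDAP_PAM_LDAP_DNSCONFIG_H
+#define _LDAP_PAM_LDAP_DNSCONFIG_H
+
+/* utility routines. */
+
+int _pam_ldap_getdnsdn (
+ char *domain,
+ char **rval);
+
+int _pam_ldap_readconfigfromdns (
+ pam_ldap_config_t *result);
+
+#endif /* _LDAP_PAM_LDAP_DNSCONFIG_H */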
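Review bot: the header names `pam_ldap_config_t` without including `pam_ldap.h`, so it only compiles when the includer has pulled that header in first, which pam_ldap.c happens to do; `#include "pam_ldap.h"` after the guard makes it self-contained. The guard `_LDAP_PAM_LDAP_DNSCONFIG_H` starts with an underscore and an uppercase letter, a spelling reserved for the implementation, so a name such as `PAM_LDAP_DNSCONFIG_H` is safer. `_pam_ldap_getdnsdn` copies its input before tokenising it (see dnsconfig.c), so `const char *domain` would document that the argument is not modified; the implementation signature would need the same change.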
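--- pam_ldap-176/pam_ldap.c 2004-09-30 22:33:14.000000000 -0400
+++ pam_ldap-176/pam_ldap.c 2004-10-28 17:40:56.918423088 -0400
@@ -130,6 +130,7 @@
 
 #include "pam_ldap.h"
 #include "md5.h"
+#include "dnsconfig.h"
 
 #if defined(HAVE_SECURITY_PAM_MISC_H) || defined(HAVE_PAM_PAM_MISC_H)
 /* FIXME: is there something better to check? */
@@ -1107,11 +1108,15 @@
 {
 /*
 * According to PAM Documentation, such an error in a config file
- * SHOULD be logged at LOG_ALERT level
+ * SHOULD be logged at LOG_ALERT level, but we suppress it if DNS
+ * can provide us with the needed information
 */
- syslog (LOG_ALERT, "pam_ldap: missing \"host\" in file \"%s\"",
- configFile);
- return PAM_SERVICE_ERR;
+ if (_pam_ldap_readconfigfromdns (result) != PAM_SUCCESS)
+ {
+ syslog (LOG_ALERT, "pam_ldap: missing \"host\" in file \"%s\"",
+ configFile);
+ return PAM_SERVICE_ERR;
+ }
 }
 
 #if !(defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_H)) && !defined(HAVE_LDAP_SASL_INTERACTIVE_BIND_S)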
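Review bot: when `_pam_ldap_readconfigfromdns` succeeds the fallback is silent, so nothing in the logs shows that the LDAP server and base DN were taken from a DNS SRV lookup instead of `configFile`; since that path uses whatever the resolver returns, record it, e.g. `syslog (LOG_INFO, "pam_ldap: no \"host\" in file \"%s\", using DNS SRV data", configFile);` at the end of the block. The condition should also treat a PAM_SUCCESS return that leaves `result->host` NULL as a failure, `if (_pam_ldap_readconfigfromdns (result) != PAM_SUCCESS || result->host == NULL)`, because dnsconfig.c returns success when the reply holds no SRV record. The enclosing function starts before this hunk.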