Package: libpam-ldap
Version: 184-4
Severity: minor
Tags: sid patch

Adds multiple groupdn support to libpam-ldap.
See bugzilla.padl.com/show_bug.cgi?id=231 for the immediate details.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -u --recursive orig/pam_ldap-184/pam_ldap.c new/pam_ldap-184/pam_ldap.c
--- orig/pam_ldap-184/pam_ldap.c	2008-05-28 08:46:13.000000000 -0700
+++ new/pam_ldap-184/pam_ldap.c	2008-05-28 09:34:23.000000000 -0700
@@ -434,6 +434,7 @@
 _release_config (pam_ldap_config_t ** pconfig)
 {
   pam_ldap_config_t *c;
+  int i = 0;
 
   c = *pconfig;
   if (c == NULL)
@@ -493,7 +494,12 @@
 
   if (c->groupdn != NULL)
     {
-      free (c->groupdn);
+      for(i = 0; c->groupdn[i] != NULL; i++)
+        free (c->groupdn[i]);
+      free(c->groupdn);
+      c->groupdns = 0;
+      c->groupdn = NULL;
+
     }
 
   if (c->filter != NULL)
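Review bot: The new lines in `_release_config` do not follow the GNU formatting the rest of the function uses: `for(i = 0; ...)` and `free(c->groupdn)` lack the space before the parenthesis that `free (c->groupdn[i])` and the surrounding code have, and there is a stray blank line before the closing brace. Writing them as `for (i = 0; c->groupdn[i] != NULL; i++)` and `free (c->groupdn);` keeps the function uniform. The loop is only correct because the pam_groupdn parser keeps the array NULL-terminated; a one-line comment such as `/* groupdn is a NULL-terminated array maintained by the pam_groupdn parser */` would record that invariant next to the code that depends on it. The body of _release_config continues past this hunk.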
@@ -636,6 +642,7 @@
   result->userattr = NULL;
   result->groupattr = NULL;
   result->groupdn = NULL;
+  result->groupdns = 0;
   result->getpolicy = 0;
   result->checkhostattr = 0;
   result->checkserviceattr = 0;
@@ -1034,7 +1041,9 @@
 	}
       else if (!strcasecmp (k, "pam_groupdn"))
 	{
-	  CHECKPOINTER (result->groupdn = strdup (v));
+	  CHECKPOINTER (result->groupdn = realloc(result->groupdn, sizeof(char **) * (result->groupdns+2)));
+	  CHECKPOINTER (result->groupdn[result->groupdns++] = strdup (v));
+	  result->groupdn[result->groupdns] = NULL;
 	}
       else if (!strcasecmp (k, "pam_member_attribute"))
 	{
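Review bot: The realloc on the first added line is assigned straight back into `result->groupdn`, so when it fails the pointer becomes NULL and the previously allocated array and its strdup'd entries are no longer reachable; if CHECKPOINTER releases the config and bails out as its name suggests, `_release_config` will skip the `groupdn != NULL` branch and leak them. Use a temporary: `char **tmp = realloc (result->groupdn, sizeof *tmp * (result->groupdns + 2));` then `CHECKPOINTER (tmp);` and `result->groupdn = tmp;`. That also replaces `sizeof(char **)`, which is the size of a pointer-to-pointer rather than of the `char *` elements stored in the array (equal on common platforms, but it reads as a type error). Note as well that a failed strdup leaves `groupdns` already incremented, so the count is one larger than the number of live entries even though the NULL return still terminates the list. The enclosing parser function starts and ends outside this hunk.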
@@ -3814,6 +3823,7 @@
   int i, success = PAM_SUCCESS;
   struct pam_conv *appconv;
   pam_ldap_session_t *session = NULL;
+  int groupdn_success = 0;
   char buf[1024];
   time_t currenttime;
   long int currentday;
@@ -4011,26 +4021,25 @@
     }				/* password expired */
 
   /* group auth, per Chris's pam_ldap_auth module */
-  if (session->conf->groupdn != NULL)
-    {
+  groupdn_success = 0;
+  for (i = 0; !groupdn_success && NULL != session->conf->groupdn[i]; i++){
       const char *value = session->info->userdn;
 
       if (strcasecmp(session->conf->groupattr, "memberUid") == 0) 
           value = username;
           
       rc = ldap_compare_s (session->ld,
-			   session->conf->groupdn,
+			   session->conf->groupdn[i],
 			   session->conf->groupattr, value);
 
-      if (rc != LDAP_COMPARE_TRUE)
+      if (rc == LDAP_COMPARE_TRUE)
 	{
-	  snprintf (buf, sizeof buf, "You must be a %s of %s to login.",
-		    session->conf->groupattr, session->conf->groupdn);
-	  _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
-	  return PAM_PERM_DENIED;
+	  rc = success;
+	  groupdn_success++;
 	}
-      else
-	rc = success;
+    }
+    if(i && !groupdn_success){
+	  return PAM_PERM_DENIED;
     }
 
   if (rc == success && session->conf->checkserviceattr)
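Review bot: The loop on the first added `for` line dereferences `session->conf->groupdn[0]` unconditionally, but the old `if (session->conf->groupdn != NULL)` guard it replaces was what protected the common case of no pam_groupdn in the config, where the field stays at the NULL assigned by the defaults hunk; unless something outside this diff allocates a default list, every account check on such a system now reads through a null pointer. Restore the guard in the condition: `for (i = 0; session->conf->groupdn != NULL && !groupdn_success && session->conf->groupdn[i] != NULL; i++)`. The hunk also drops the `_conv_sendmsg` call, so a denied user no longer sees the "You must be a %s of %s to login." message; if that is intentional it deserves a comment, otherwise the denial branch after the loop should emit a message naming at least `session->conf->groupattr`. The enclosing function starts before this hunk and continues after it.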
diff -u --recursive orig/pam_ldap-184/pam_ldap.h new/pam_ldap-184/pam_ldap.h
--- orig/pam_ldap-184/pam_ldap.h	2007-03-02 23:13:10.000000000 -0800
+++ new/pam_ldap-184/pam_ldap.h	2008-05-28 09:19:34.000000000 -0700
@@ -92,7 +92,8 @@
     /* service attribute checking, for access authorization */
     int checkserviceattr;
     /* group name; optional, for access authorization */
-    char *groupdn;
+    char **groupdn;
+    int groupdns;
     /* group membership attribute; defaults to uniquemember */
     char *groupattr;
     /* LDAP protocol version */
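Review bot: The comment above the changed field still says "group name", which no longer describes a `char **`, and the new `groupdns` field has no comment at all. Replace it with `/* NULL-terminated list of group DNs; optional, for access authorization */` above `groupdn` and add `/* number of entries in groupdn, excluding the terminator */` above `groupdns`, so readers of the header learn the termination and count invariants without reading pam_ldap.c. The struct definition starts before this hunk and continues after it.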
