Package: libpam-ldap Version: 178-1sarge1 Severity: wishlist Tags: patch, upstream
libpam-ldap allows only distinguished names in the
pam_member_attribute when checking groups for allowed logins.
With the attached patch, plain user names as they appear in the posixGroup
schema are possible as well, configurable via a config option.
The default remains the current behaviour, of course.
Please consider integrating it.
Thanks,
Joerg
Index: pam_ldap.c
===================================================================
--- pam_ldap.c (revision 1)
+++ pam_ldap.c (working copy)
@@ -636,6 +636,7 @@
result->userattr = NULL;
result->groupattr = NULL;
result->groupdn = NULL;
+ result->groupattr_dn = 1;
result->getpolicy = 0;
result->checkhostattr = 0;
result->checkserviceattr = 0;
@@ -1040,6 +1041,10 @@
{
CHECKPOINTER (result->groupattr = strdup (v));
}
+ else if (!strcasecmp (k, "pam_member_attribute_is_dn"))
+ {
+ result->groupattr_dn = !!strcasecmp (v, "no");
+ }
else if (!strcasecmp (k, "pam_min_uid"))
{
result->min_uid = (uid_t) atol (v);
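Review bot: Any value other than "no" enables DN mode, so a misspelling such as "false" or "0" is silently accepted as "yes" at `result->groupattr_dn = !!strcasecmp (v, "no");`. Since the man page documents the option as `<yes|no>`, parse both tokens explicitly and leave the default untouched for anything else: `if (!strcasecmp (v, "no")) result->groupattr_dn = 0;` `else if (!strcasecmp (v, "yes")) result->groupattr_dn = 1;`. Keeping the default on unrecognised input preserves the stricter DN comparison rather than guessing. The enclosing option parser starts and ends outside this hunk.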
@@ -3898,7 +3903,8 @@
{
rc = ldap_compare_s (session->ld,
session->conf->groupdn,
- session->conf->groupattr, session->info->userdn);
+ session->conf->groupattr,
+
(session->conf->groupattr_dn)?session->info->userdn:session->info->username);
if (rc != LDAP_COMPARE_TRUE)
{
snprintf (buf, sizeof buf, "You must be a %s of %s to login.",
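Review bot: In the non-DN branch the group attribute is compared against `session->info->username`, which, as far as this hunk shows, is the name handed to PAM rather than the uid value read back from the user's resolved directory entry; if the two can differ (case, or an alias matched by the lookup filter), membership is decided on a different string than the one the user was found by, so consider comparing against the uid attribute of the entry or documenting that username is expected to be canonical here. The wrapped ternary is also hard to read; hoist it into a named local before the call, `const char *member = session->conf->groupattr_dn ? session->info->userdn : session->info->username;`, and pass `member` as the value. The lone `+` line followed by an unprefixed continuation looks like mail line-wrapping of a single added line, which would need to be rejoined before the patch applies. The function enclosing this ldap_compare_s call starts and ends outside the hunk.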
Index: pam_ldap.h
===================================================================
--- pam_ldap.h (revision 1)
+++ pam_ldap.h (working copy)
@@ -95,6 +95,8 @@
char *groupdn;
/* group membership attribute; defaults to uniquemember */
char *groupattr;
+ /* groupattr checking for distinguished name */
+ int groupattr_dn;
/* LDAP protocol version */
int version;
/* search timelimit */
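Review bot: The comment on the new `groupattr_dn` field does not say which value selects which comparison or which config key sets it, which is what a reader of the struct needs. Suggest `/* pam_member_attribute_is_dn: non-zero when groupattr values are DNs (compared against the user's DN), zero when they are user names (compared against the login name) */`.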
Index: pam_ldap.5
===================================================================
--- pam_ldap.5 (revision 1)
+++ pam_ldap.5 (working copy)
@@ -327,12 +327,18 @@
.B pam_groupdn <groupdn>
Specifies the distinguished name of a group to which a user must belong
for logon authorization to succeed.
+.TP
.B pam_member_attribute <attribute>
Specifies the attribute to use when testing a user's membership of a
group specified in the
.B pam_groupdn
option.
.TP
+.B pam_member_attribute_is_dn <yes|no>
+Specifies wether attribute specified by
+.B pam_member_attribut
+is a distinguished name. The default is "yes".
+.TP
.B pam_min_uid <uid>
If specified, a user must have a POSIX user ID of at least
.B uid
signature.asc
Description: Digital signature

