
# passwd.py - lookup functions for user account information
#
# Copyright (C) 2010-2017 Arthur de Jong
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301 USA

import logging

import cache
import cfg
import common
import constants
import search


# Attribute map for the passwd database: the key is the passwd field, the
# value the LDAP attribute it is read from.  Double-quoted values are, per
# the nslcd attribute-map syntax, expressions rather than attribute names:
# userPassword is mapped to the literal "*" by default, so password hashes
# are not pulled from the directory unless the map is overridden in the
# configuration, and gecos falls back to cn when the entry has no gecos.
attmap = common.Attributes(
    uid='uid',
    userPassword='"*"',
    uidNumber='uidNumber',
    gidNumber='gidNumber',
    gecos='"${gecos:-$cn}"',
    homeDirectory='homeDirectory',
    loginShell='loginShell',
    objectClass='objectClass',
)
# Search filter selecting the entries that count as user accounts.  The
# name shadows the builtin but is part of this module's interface.
filter = '(objectClass=posixAccount)'


class Search(search.LDAPSearch):
    """LDAP search for posixAccount entries.

    NOTE(review): `case_sensitive`, `limit_attributes` and `required` are
    interpreted by search.LDAPSearch, which is outside this file; the
    names suggest exact matching on uid/uidNumber, which lookup keys
    narrow the search, and which attributes an entry must carry to be
    returned -- confirm against the base class.
    """

    case_sensitive = ('uid', 'uidNumber', )
    limit_attributes = ('uid', 'uidNumber', )
    required = ('uid', 'uidNumber', 'gidNumber', 'gecos', 'homeDirectory',
                'loginShell')

    def mk_filter(self):
        """Build the LDAP filter for this search.

        A numeric lookup arrives in NSS id space, so nss_uid_offset is
        subtracted before the base class turns the parameters into a
        filter.  The adjustment is made in place on self.parameters, so
        calling this method twice would subtract the offset twice.
        """
        params = self.parameters
        try:
            requested = params['uidNumber']
        except KeyError:
            pass
        else:
            params['uidNumber'] = requested - cfg.nss_uid_offset
        return super(Search, self).mk_filter()


class Cache(cache.Cache):
    """Local cache of passwd entries.

    Only the table definition lives here; how rows are stored and read
    is inherited from cache.Cache (outside this file).

    NOTE(review): `uid` is the primary key and `uidNumber` is UNIQUE, so
    an entry that PasswdRequest.convert() expands into several
    (name, uid) tuples may not fit in one row each -- confirm how the
    base class handles that.  The `userPassword` column mirrors whatever
    convert() yields; confirm it is never populated with a real hash and
    that the cache file is not world-readable.
    """

    # The mtime column is presumably used by the base class for expiry.
    create_sql = '''
        CREATE TABLE IF NOT EXISTS `passwd_cache`
          ( `uid` TEXT PRIMARY KEY,
            `userPassword` TEXT,
            `uidNumber` INTEGER NOT NULL UNIQUE,
            `gidNumber` INTEGER NOT NULL,
            `gecos` TEXT,
            `homeDirectory` TEXT,
            `loginShell` TEXT,
            `mtime` TIMESTAMP NOT NULL );
    '''


class PasswdRequest(common.Request):
    """Base class for passwd database requests.

    Subclasses set `action` and decide how parameters are read; this
    class knows how to serialise one passwd entry to the client and how
    to turn an LDAP entry into zero or more such entries.
    """

    def write(self, name, passwd, uid, gid, gecos, home, shell):
        """Write one passwd entry to the client, fields in protocol order."""
        out = self.fp
        out.write_string(name)
        out.write_string(passwd)
        out.write_int32(uid)
        out.write_int32(gid)
        out.write_string(gecos)
        out.write_string(home)
        out.write_string(shell)

    def convert(self, dn, attributes, parameters):
        """Yield (name, passwd, uid, gid, gecos, home, shell) tuples for
        one LDAP entry.

        One tuple is produced per combination of uid value and uidNumber
        value; names rejected by the validnames option are logged and
        skipped, and numeric ids below nss_min_uid (after adding
        nss_uid_offset) are dropped.  The password field is 'x' for
        shadowAccount entries, telling the client to consult the shadow
        map; otherwise it is the first userPassword value, but only when
        the requesting process is root (calleruid 0) -- any other caller,
        or an empty value, gets '*'.
        """
        names = attributes['uid']
        if 'shadowAccount' in attributes['objectClass']:
            passwd = 'x'
        else:
            values = attributes['userPassword']
            passwd = values[0] if values else None
            # never disclose the hash to a non-root caller
            if not passwd or self.calleruid != 0:
                passwd = '*'
        uids = [int(value) + cfg.nss_uid_offset
                for value in attributes['uidNumber']]
        gid = int(attributes['gidNumber'][0]) + cfg.nss_gid_offset
        gecos = attributes['gecos'][0]
        home = attributes['homeDirectory'][0]
        shell = attributes['loginShell'][0]
        for name in names:
            if not common.is_valid_name(name):
                logging.warning('%s: %s: denied by validnames option', dn, attmap['uid'])
                continue
            for uid in uids:
                if uid >= cfg.nss_min_uid:
                    yield (name, passwd, uid, gid, gecos, home, shell)


class PasswdByNameRequest(PasswdRequest):
    """Look up a single account by login name (getpwnam)."""

    action = constants.NSLCD_ACTION_PASSWD_BYNAME

    def read_parameters(self, fp):
        """Read the requested login name from the client.

        The name is untrusted input from the socket and is passed through
        common.validate_name() before it becomes a search parameter; that
        helper lives outside this file and presumably raises on a bad name.
        """
        requested = fp.read_string()
        common.validate_name(requested)
        return {'uid': requested}


class PasswdByUidRequest(PasswdRequest):
    """Look up a single account by numeric user id (getpwuid)."""

    action = constants.NSLCD_ACTION_PASSWD_BYUID

    def read_parameters(self, fp):
        """Read the requested uid (NSS id space) from the client."""
        return {'uidNumber': fp.read_int32()}

    def handle_request(self, parameters):
        """Answer the request, refusing ids below nss_min_uid up front.

        Ids below the configured minimum are never served from LDAP, so
        no directory lookup is made for them; the client just receives
        the end-of-results code.
        """
        requested_uid = parameters['uidNumber']
        if requested_uid < cfg.nss_min_uid:
            # write the final result code to signify empty results
            self.fp.write_int32(constants.NSLCD_RESULT_END)
            return None
        return super(PasswdByUidRequest, self).handle_request(parameters)


class PasswdAllRequest(PasswdRequest):
    """Enumerate all accounts (getpwent)."""

    action = constants.NSLCD_ACTION_PASSWD_ALL

    def handle_request(self, parameters):
        """Enumerate the directory unless nss_disable_enumeration is set.

        When enumeration is disabled nothing at all is written to the
        client -- unlike PasswdByUidRequest, which writes
        NSLCD_RESULT_END for a rejected id.  NOTE(review): confirm the
        client treats the bare end of stream as an empty result rather
        than as an error.
        """
        if cfg.nss_disable_enumeration:
            return None
        return super(PasswdAllRequest, self).handle_request(parameters)


def uid2entry(conn, uid):
    """Look up the user by uid and return the LDAP entry or None if the user
    was not found.

    Returns the first (dn, attributes) match that has at least one
    uidNumber value reaching nss_min_uid after adding nss_uid_offset;
    entries with only low ids are skipped, mirroring PasswdRequest.convert().
    """
    for entry_dn, attributes in Search(conn, parameters=dict(uid=uid)):
        numeric_ids = [int(value) + cfg.nss_uid_offset
                       for value in attributes['uidNumber']]
        if any(numeric >= cfg.nss_min_uid for numeric in numeric_ids):
            return entry_dn, attributes
    return None


# FIXME: use cache of dn2uid and try to use DN to get uid attribute


def dn2uid(conn, dn):
    """Look up the user by dn and return a uid or None if the user was
    not found.

    The search is rooted at `dn` with this module's filter; the first
    uid value of the first entry with an acceptable uidNumber (at or
    above nss_min_uid after adding nss_uid_offset) is returned.
    """
    for _entry_dn, attributes in Search(conn, base=dn):
        numeric_ids = [int(value) + cfg.nss_uid_offset
                       for value in attributes['uidNumber']]
        if any(numeric >= cfg.nss_min_uid for numeric in numeric_ids):
            return attributes['uid'][0]
    return None