Add option to disable fixNumeric logic (s-prefixing), but default to ON

4 files changed, 21 insertions, 4 deletions

diff --git a/ldadp.c b/ldadp.c
index 923891a..bd9d6e0 100644
--- a/ldadp.c
+++ b/ldadp.c
@@ -143,6 +143,8 @@ static int loadConfig_handler(void *stuff, const char *section, const char *key,
 			server_setPort(section, value);
 		} else if (strcmp(key, "plainldap") == 0) {
 			server_setPlainLdap(section, value);
+		} else if (strcmp(key, "fixnumeric") == 0) {
+			server_setFixNumeric(section, value);
 		} else if (strncmp(key, "map.", 4) == 0) {
 			server_setMap(section, key+4, value);
 		} else {
diff --git a/proxy.c b/proxy.c
index 95a7fbe..ad7496d 100644
--- a/proxy.c
+++ b/proxy.c
@@ -551,7 +551,9 @@ static BOOL request_replaceAttribute(server_t *server, struct string *attribute,
 		if (attr) attr->hasUser = TRUE;
 		// If uid is of format s[0-9]+, we assume that it's a numeric account name in AD, as a workaround
 		if (value == NULL) return TRUE;
-		fixUnNumeric(value);
+		if (server->fixNumeric) {
+			fixUnNumeric(value);
+		}
 		////// ###################
 	} else if (iequals(attribute, &s_homemount)) {
 		*attribute = server->map.homemount;
@@ -693,7 +695,7 @@ static void response_replacePal(server_t *server, struct PartialAttributeList **
 		// Fetch user name so we can add our fake fields later
 		if (username == NULL && iequals(&(*pal)->type, &s_uid)) {
 			username = &(*pal)->values->a;
-			if (username->l > 1 && username->s[0] == 's' && isInt(username, 1)) wasNumeric = TRUE;
+			if (server->fixNumeric && username->l > 1 && username->s[0] == 's' && isInt(username, 1)) wasNumeric = TRUE;
 		}
 		pal = &(*pal)->next;
 	}
@@ -741,7 +743,9 @@ static void response_replaceAttribute(server_t *server, const struct string * co
 	if (value == NULL) return;
 	// Attributes already remapped here!
 	if (iequals(attribute, &s_uid)) {
-		fixNumeric(value);
+		if (server->fixNumeric) {
+			fixNumeric(value);
+		}
 	} else if (iequals(attribute, &s_uidnumber)) {
 		if (!server->plainLdap) {
 			plog(DEBUG_TRACE, "Replacing uidnumber from objectsid len=%d", (int)value->l);
@@ -990,7 +994,9 @@ static BOOL proxy_clientBindRequest(epoll_client_t *client, const unsigned long
 		} else {
 			BOOL incorrect = FALSE;
 			server_t *server = server_getFromBase(&name);
-			if (server == NULL || (incorrect = (strncmp(password.s, "\x08\x0a\x0d\x7fINCORRECT", 13) == 0)) || isInt(&name, 0)) {
+			if (server == NULL
+					|| (incorrect = (strncmp(password.s, "\x08\x0a\x0d\x7fINCORRECT", 13) == 0))
+					|| (server->fixNumeric && isInt(&name, 0))) {
 				// The INCORRECT part is some weird thing I saw pam_ldap do - probably to identify misconfigured
 				// LDAP servers/accounts that will accept any password - save the round trip to AD and deny
 				if (!incorrect) plog(DEBUG_WARNING, "[Client] Numeric account or invalid binddn for %.*s", (int)name.l, name.s);
diff --git a/server.c b/server.c
index 1f5fba3..a4106f9 100644
--- a/server.c
+++ b/server.c
@@ -63,6 +63,13 @@ void server_setPlainLdap(const char *server, const char *enabledStr)
 			|| strcmp(enabledStr, "True") == 0 || strcmp(enabledStr, "TRUE") == 0;
 }
 
+void server_setFixNumeric(const char *server, const char *enabledStr)
+{
+	server_t *entry = server_create(server);
+	if (entry == NULL) return;
+	entry->fixNumeric = *enabledStr != '\0' || atoi(enabledStr) != 0;
+}
+
 static void strtolower(char *str)
 {
 	while (*str != '\0') {
@@ -379,6 +386,7 @@ static server_t *server_create(const char *server)
 	snprintf(servers[serverCount].addr, ADDRLEN, "%s", server);
 	servers[serverCount].con.fd = -1;
 	servers[serverCount].con.serverData = &servers[serverCount];
+	servers[serverCount].fixNumeric = TRUE;
 	return &servers[serverCount++];
 }
 
diff --git a/types.h b/types.h
index 19477fb..4030902 100644
--- a/types.h
+++ b/types.h
@@ -120,6 +120,7 @@ struct _server_t_ {
 	unsigned char fingerprint[FINGERPRINTLEN];
 	char cabundle[MAXPATH];
 	BOOL plainLdap;
+	BOOL fixNumeric; // prefix numeric account names with an 's'
 	uint16_t port;
 	SSL_CTX *sslContext;
 	epoll_server_t con;