authorSimon Rettberg2017-08-09 18:24:08 +0200
committerSimon Rettberg2017-08-09 18:24:08 +0200
commit2b230a34464b5496112fbe30076cec195e8f7be3 (patch)
treea320508098191f8b635cbd3a2b37843731b1912b /proxy.c
parentDebug output (diff)
Add option to disable fixNumeric logic (s-prefixing), but default to ON
Diffstat (limited to 'proxy.c')
-rw-r--r--proxy.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/proxy.c b/proxy.c
index 95a7fbe..ad7496d 100644
--- a/proxy.c
+++ b/proxy.c
@@ -551,7 +551,9 @@ static BOOL request_replaceAttribute(server_t *server, struct string *attribute,
if (attr) attr->hasUser = TRUE;
// If uid is of format s[0-9]+, we assume that it's a numeric account name in AD, as a workaround
if (value == NULL) return TRUE;
- fixUnNumeric(value);
+ if (server->fixNumeric) {
+ fixUnNumeric(value);
+ }
////// ###################
} else if (iequals(attribute, &s_homemount)) {
*attribute = server->map.homemount;
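Review bot: The comment above the early return, `// If uid is of format s[0-9]+, we assume that it's a numeric account name in AD, as a workaround`, still reads as unconditional, although the un-prefixing now happens only when `server->fixNumeric` is set. I would reword it along the lines of `// With fixNumeric enabled: uid of format s[0-9]+ is treated as a numeric AD account name and the prefix is stripped`. The same gate is added in response_replacePal and response_replaceAttribute; a short comment at each site saying that request and response rewriting must be switched together would keep the three from drifting apart. request_replaceAttribute starts and ends outside the hunk.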
@@ -693,7 +695,7 @@ static void response_replacePal(server_t *server, struct PartialAttributeList **
// Fetch user name so we can add our fake fields later
if (username == NULL && iequals(&(*pal)->type, &s_uid)) {
username = &(*pal)->values->a;
- if (username->l > 1 && username->s[0] == 's' && isInt(username, 1)) wasNumeric = TRUE;
+ if (server->fixNumeric && username->l > 1 && username->s[0] == 's' && isInt(username, 1)) wasNumeric = TRUE;
}
pal = &(*pal)->next;
}
@@ -741,7 +743,9 @@ static void response_replaceAttribute(server_t *server, const struct string * co
if (value == NULL) return;
// Attributes already remapped here!
if (iequals(attribute, &s_uid)) {
- fixNumeric(value);
+ if (server->fixNumeric) {
+ fixNumeric(value);
+ }
} else if (iequals(attribute, &s_uidnumber)) {
if (!server->plainLdap) {
plog(DEBUG_TRACE, "Replacing uidnumber from objectsid len=%d", (int)value->l);
@@ -990,7 +994,9 @@ static BOOL proxy_clientBindRequest(epoll_client_t *client, const unsigned long
} else {
BOOL incorrect = FALSE;
server_t *server = server_getFromBase(&name);
- if (server == NULL || (incorrect = (strncmp(password.s, "\x08\x0a\x0d\x7fINCORRECT", 13) == 0)) || isInt(&name, 0)) {
+ if (server == NULL
+ || (incorrect = (strncmp(password.s, "\x08\x0a\x0d\x7fINCORRECT", 13) == 0))
+ || (server->fixNumeric && isInt(&name, 0))) {
// The INCORRECT part is some weird thing I saw pam_ldap do - probably to identify misconfigured
// LDAP servers/accounts that will accept any password - save the round trip to AD and deny
if (!incorrect) plog(DEBUG_WARNING, "[Client] Numeric account or invalid binddn for %.*s", (int)name.l, name.s);
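Review bot: The sentinel check kept on the reformatted second line of the condition compares 13 bytes with `strncmp` without looking at the password's length, so a client-supplied password that is a short prefix of the sentinel could be read past its end if `password.s` is not NUL-terminated; neither the termination nor the buffer size is visible in this hunk. Assuming `password` carries a length field like `name.l`, I would bound it explicitly: `|| (incorrect = (password.l >= 13 && memcmp(password.s, "\x08\x0a\x0d\x7fINCORRECT", 13) == 0))`. The new `server->fixNumeric` dereference is safe only because `server == NULL` is tested first in the same `||` chain, which deserves a one-line comment such as `// order matters: server is dereferenced only after the NULL check`. proxy_clientBindRequest starts and ends outside the hunk.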