summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ldadp.c2
-rw-r--r--proxy.c14
-rw-r--r--server.c8
-rw-r--r--types.h1
4 files changed, 21 insertions, 4 deletions
diff --git a/ldadp.c b/ldadp.c
index 923891a..bd9d6e0 100644
--- a/ldadp.c
+++ b/ldadp.c
@@ -143,6 +143,8 @@ static int loadConfig_handler(void *stuff, const char *section, const char *key,
server_setPort(section, value);
} else if (strcmp(key, "plainldap") == 0) {
server_setPlainLdap(section, value);
+ } else if (strcmp(key, "fixnumeric") == 0) {
+ server_setFixNumeric(section, value);
} else if (strncmp(key, "map.", 4) == 0) {
server_setMap(section, key+4, value);
} else {
diff --git a/proxy.c b/proxy.c
index 95a7fbe..ad7496d 100644
--- a/proxy.c
+++ b/proxy.c
@@ -551,7 +551,9 @@ static BOOL request_replaceAttribute(server_t *server, struct string *attribute,
if (attr) attr->hasUser = TRUE;
// If uid is of format s[0-9]+, we assume that it's a numeric account name in AD, as a workaround
if (value == NULL) return TRUE;
- fixUnNumeric(value);
+ if (server->fixNumeric) {
+ fixUnNumeric(value);
+ }
////// ###################
} else if (iequals(attribute, &s_homemount)) {
*attribute = server->map.homemount;
@@ -693,7 +695,7 @@ static void response_replacePal(server_t *server, struct PartialAttributeList **
// Fetch user name so we can add our fake fields later
if (username == NULL && iequals(&(*pal)->type, &s_uid)) {
username = &(*pal)->values->a;
- if (username->l > 1 && username->s[0] == 's' && isInt(username, 1)) wasNumeric = TRUE;
+ if (server->fixNumeric && username->l > 1 && username->s[0] == 's' && isInt(username, 1)) wasNumeric = TRUE;
}
pal = &(*pal)->next;
}
@@ -741,7 +743,9 @@ static void response_replaceAttribute(server_t *server, const struct string * co
if (value == NULL) return;
// Attributes already remapped here!
if (iequals(attribute, &s_uid)) {
- fixNumeric(value);
+ if (server->fixNumeric) {
+ fixNumeric(value);
+ }
} else if (iequals(attribute, &s_uidnumber)) {
if (!server->plainLdap) {
plog(DEBUG_TRACE, "Replacing uidnumber from objectsid len=%d", (int)value->l);
@@ -990,7 +994,9 @@ static BOOL proxy_clientBindRequest(epoll_client_t *client, const unsigned long
} else {
BOOL incorrect = FALSE;
server_t *server = server_getFromBase(&name);
- if (server == NULL || (incorrect = (strncmp(password.s, "\x08\x0a\x0d\x7fINCORRECT", 13) == 0)) || isInt(&name, 0)) {
+ if (server == NULL
+ || (incorrect = (strncmp(password.s, "\x08\x0a\x0d\x7fINCORRECT", 13) == 0))
+ || (server->fixNumeric && isInt(&name, 0))) {
// The INCORRECT part is some weird thing I saw pam_ldap do - probably to identify misconfigured
// LDAP servers/accounts that will accept any password - save the round trip to AD and deny
if (!incorrect) plog(DEBUG_WARNING, "[Client] Numeric account or invalid binddn for %.*s", (int)name.l, name.s);
diff --git a/server.c b/server.c
index 1f5fba3..a4106f9 100644
--- a/server.c
+++ b/server.c
@@ -63,6 +63,13 @@ void server_setPlainLdap(const char *server, const char *enabledStr)
|| strcmp(enabledStr, "True") == 0 || strcmp(enabledStr, "TRUE") == 0;
}
+void server_setFixNumeric(const char *server, const char *enabledStr)
+{
+ server_t *entry = server_create(server);
+ if (entry == NULL) return;
+ entry->fixNumeric = *enabledStr != '\0' || atoi(enabledStr) != 0;
+}
+
static void strtolower(char *str)
{
while (*str != '\0') {
@@ -379,6 +386,7 @@ static server_t *server_create(const char *server)
snprintf(servers[serverCount].addr, ADDRLEN, "%s", server);
servers[serverCount].con.fd = -1;
servers[serverCount].con.serverData = &servers[serverCount];
+ servers[serverCount].fixNumeric = TRUE;
return &servers[serverCount++];
}
diff --git a/types.h b/types.h
index 19477fb..4030902 100644
--- a/types.h
+++ b/types.h
@@ -120,6 +120,7 @@ struct _server_t_ {
unsigned char fingerprint[FINGERPRINTLEN];
char cabundle[MAXPATH];
BOOL plainLdap;
+ BOOL fixNumeric; // prefix numeric account names with an 's'
uint16_t port;
SSL_CTX *sslContext;
epoll_server_t con;