-rw-r--r-- | ldadp.c | 2 | ||||
-rw-r--r-- | proxy.c | 14 | ||||
-rw-r--r-- | server.c | 8 | ||||
-rw-r--r-- | types.h | 1 |
4 files changed, 21 insertions, 4 deletions
@@ -143,6 +143,8 @@ static int loadConfig_handler(void *stuff, const char *section, const char *key,
 server_setPort(section, value);
 } else if (strcmp(key, "plainldap") == 0) {
 server_setPlainLdap(section, value);
+ } else if (strcmp(key, "fixnumeric") == 0) {
+ server_setFixNumeric(section, value);
 } else if (strncmp(key, "map.", 4) == 0) {
 server_setMap(section, key+4, value);
 } else {
@@ -551,7 +551,9 @@ static BOOL request_replaceAttribute(server_t *server, struct string *attribute,
 if (attr) attr->hasUser = TRUE;
 // If uid is of format s[0-9]+, we assume that it's a numeric account name in AD, as a workaround
 if (value == NULL) return TRUE;
- fixUnNumeric(value);
+ if (server->fixNumeric) {
+ fixUnNumeric(value);
+ }
 ////// ###################
 } else if (iequals(attribute, &s_homemount)) {
 *attribute = server->map.homemount;
@@ -693,7 +695,7 @@ static void response_replacePal(server_t *server, struct PartialAttributeList **
 // Fetch user name so we can add our fake fields later
 if (username == NULL && iequals(&(*pal)->type, &s_uid)) {
 username = &(*pal)->values->a;
- if (username->l > 1 && username->s[0] == 's' && isInt(username, 1)) wasNumeric = TRUE;
+ if (server->fixNumeric && username->l > 1 && username->s[0] == 's' && isInt(username, 1)) wasNumeric = TRUE;
 }
 pal = &(*pal)->next;
 }
@@ -741,7 +743,9 @@ static void response_replaceAttribute(server_t *server, const struct string * co
 if (value == NULL) return;
 // Attributes already remapped here!
 if (iequals(attribute, &s_uid)) {
- fixNumeric(value);
+ if (server->fixNumeric) {
+ fixNumeric(value);
+ }
 } else if (iequals(attribute, &s_uidnumber)) {
 if (!server->plainLdap) {
 plog(DEBUG_TRACE, "Replacing uidnumber from objectsid len=%d", (int)value->l);
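Review bot: The new `server_setFixNumeric(section, value);` call in ldadp.c has no prototype anywhere in this commit: the diffstat touches only ldadp.c, proxy.c, server.c and types.h, and the types.h hunk adds only the struct field, so unless a header not shown here already declares it, this call is compiled against an implicit declaration (a constraint violation since C99 that GCC 11 merely warns about, assuming an int return). Add `void server_setFixNumeric(const char *server, const char *enabledStr);` next to wherever server_setPlainLdap is declared. loadConfig_handler starts and ends outside the hunk.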
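Review bot: The comment `// If uid is of format s[0-9]+, we assume that it's a numeric account name in AD, as a workaround` in request_replaceAttribute now sits above a rewrite that is per-server configurable, yet still reads as unconditional; extend it to `// ... as a workaround (gated by the per-server "fixnumeric" option, on by default)` so the next reader knows where to turn it off. While here, the `////// ###################` context line directly under the new block looks like a leftover debug marker and could be dropped. request_replaceAttribute starts and ends outside the hunk.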
@@ -990,7 +994,9 @@ static BOOL proxy_clientBindRequest(epoll_client_t *client, const unsigned long
 } else {
 BOOL incorrect = FALSE;
 server_t *server = server_getFromBase(&name);
- if (server == NULL || (incorrect = (strncmp(password.s, "\x08\x0a\x0d\x7fINCORRECT", 13) == 0)) || isInt(&name, 0)) {
+ if (server == NULL
+ || (incorrect = (strncmp(password.s, "\x08\x0a\x0d\x7fINCORRECT", 13) == 0))
+ || (server->fixNumeric && isInt(&name, 0))) {
 // The INCORRECT part is some weird thing I saw pam_ldap do - probably to identify misconfigured
 // LDAP servers/accounts that will accept any password - save the round trip to AD and deny
 if (!incorrect) plog(DEBUG_WARNING, "[Client] Numeric account or invalid binddn for %.*s", (int)name.l, name.s);
@@ -63,6 +63,13 @@ void server_setPlainLdap(const char *server, const char *enabledStr)
 || strcmp(enabledStr, "True") == 0
 || strcmp(enabledStr, "TRUE") == 0;
 }
+void server_setFixNumeric(const char *server, const char *enabledStr)
+{
+ server_t *entry = server_create(server);
+ if (entry == NULL) return;
+ entry->fixNumeric = *enabledStr != '\0' || atoi(enabledStr) != 0;
+}
+
 static void strtolower(char *str)
 {
 while (*str != '\0') {
@@ -379,6 +386,7 @@ static server_t *server_create(const char *server)
 snprintf(servers[serverCount].addr, ADDRLEN, "%s", server);
 servers[serverCount].con.fd = -1;
 servers[serverCount].con.serverData = &servers[serverCount];
+ servers[serverCount].fixNumeric = TRUE;
 return &servers[serverCount++];
 }
@@ -120,6 +120,7 @@ struct _server_t_ {
 unsigned char fingerprint[FINGERPRINTLEN];
 char cabundle[MAXPATH];
 BOOL plainLdap;
+ BOOL fixNumeric; // prefix numeric account names with an 's'
 uint16_t port;
 SSL_CTX *sslContext;
 epoll_server_t con; |
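Review bot: With fixNumeric disabled a purely numeric bind name is now forwarded instead of denied, but the warning `"[Client] Numeric account or invalid binddn for %.*s"` is still emitted for the remaining `server == NULL` case, so operators will read "numeric account" for what can then only be an unknown base DN. Split it into two literal-format calls, `if (server == NULL) plog(DEBUG_WARNING, "[Client] Invalid binddn for %.*s", (int)name.l, name.s);` and `else if (!incorrect) plog(DEBUG_WARNING, "[Client] Numeric account rejected (fixnumeric) for %.*s", (int)name.l, name.s);`, which also keeps the format strings literal. The `server->fixNumeric` dereference on the new third line is only safe because `server == NULL` is tested first in the same `||` chain; a one-line comment saying so would stop a later reordering from introducing a NULL dereference. proxy_clientBindRequest starts and ends outside the hunk.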
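Review bot: In server_setFixNumeric the expression `*enabledStr != '\0' || atoi(enabledStr) != 0` is TRUE for every non-empty value, so `fixnumeric = 0`, `false` or `no` all leave the feature on and only an empty value can switch it off, which also differs from server_setPlainLdap, whose comparison against spellings such as "True"/"TRUE" is visible in the context above (its first alternatives are outside the hunk). Since both setters parse the same kind of boolean config value, factor the comparison into one static helper defined above server_setPlainLdap and use it from both, so the two keys cannot drift apart again. The sketch below lists only the spellings visible in this hunk; keep it identical to whatever server_setPlainLdap actually accepts.
```c
// Truthiness test for boolean config values, shared by server_setPlainLdap
// and server_setFixNumeric. Extend with every spelling server_setPlainLdap
// accepts (only "True"/"TRUE" are visible in this hunk).
static BOOL parseEnabled(const char *enabledStr)
{
	return strcmp(enabledStr, "True") == 0
		|| strcmp(enabledStr, "TRUE") == 0;
}

void server_setFixNumeric(const char *server, const char *enabledStr)
{
	server_t *entry = server_create(server);
	if (entry == NULL) return;
	entry->fixNumeric = parseEnabled(enabledStr);
}
```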
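Review bot: The new field comment `// prefix numeric account names with an 's'` in types.h describes only one of the three places proxy.c now consults this flag (fixNumeric on response uid values, fixUnNumeric on request values, and the rejection of numeric bind names in proxy_clientBindRequest) and does not state the default that server_create sets. Suggest `BOOL fixNumeric; // "fixnumeric" option: rewrite numeric account names (s<digits> form) on request/response and reject numeric bind DNs; TRUE by default (server_create)`. struct _server_t_ starts and ends outside the hunk.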