From 2b230a34464b5496112fbe30076cec195e8f7be3 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 9 Aug 2017 18:24:08 +0200
Subject: Add option to disable fixNumeric logic (s-prefixing), but default to ON

---
 ldadp.c | 2 ++
 proxy.c | 14 ++++++++++----
 server.c | 8 ++++++++
 types.h | 1 +
 4 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/ldadp.c b/ldadp.c
index 923891a..bd9d6e0 100644
--- a/ldadp.c
+++ b/ldadp.c
@@ -143,6 +143,8 @@ static int loadConfig_handler(void *stuff, const char *section, const char *key,
 server_setPort(section, value);
 } else if (strcmp(key, "plainldap") == 0) {
 server_setPlainLdap(section, value);
+ } else if (strcmp(key, "fixnumeric") == 0) {
+ server_setFixNumeric(section, value);
 } else if (strncmp(key, "map.", 4) == 0) {
 server_setMap(section, key+4, value);
 } else {
diff --git a/proxy.c b/proxy.c
index 95a7fbe..ad7496d 100644
--- a/proxy.c
+++ b/proxy.c
@@ -551,7 +551,9 @@ static BOOL request_replaceAttribute(server_t *server, struct string *attribute,
 if (attr) attr->hasUser = TRUE;
 // If uid is of format s[0-9]+, we assume that it's a numeric account name in AD, as a workaround
 if (value == NULL) return TRUE;
- fixUnNumeric(value);
+ if (server->fixNumeric) {
+ fixUnNumeric(value);
+ }
 ////// ###################
 } else if (iequals(attribute, &s_homemount)) {
 *attribute = server->map.homemount;
@@ -693,7 +695,7 @@ static void response_replacePal(server_t *server, struct PartialAttributeList **
 // Fetch user name so we can add our fake fields later
 if (username == NULL && iequals(&(*pal)->type, &s_uid)) {
 username = &(*pal)->values->a;
- if (username->l > 1 && username->s[0] == 's' && isInt(username, 1)) wasNumeric = TRUE;
+ if (server->fixNumeric && username->l > 1 && username->s[0] == 's' && isInt(username, 1)) wasNumeric = TRUE;
 }
 pal = &(*pal)->next;
 }
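Review bot: `server_setFixNumeric(section, value)` is called here, but no header is changed by this commit (the diffstat lists only ldadp.c, proxy.c, server.c and types.h), so unless a prototype already exists in a header ldadp.c includes, this call is an implicit function declaration — a warning under C99 and a hard error on newer compilers. Add `void server_setFixNumeric(const char *server, const char *enabledStr);` next to the existing `server_setPlainLdap` declaration in the server header, in the same commit that adds the definition. The enclosing loadConfig_handler body starts and ends outside the hunk.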
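Review bot: The comment `// If uid is of format s[0-9]+, we assume that it's a numeric account name in AD, as a workaround` now sits above a call that only runs when `server->fixNumeric` is set, so it reads as unconditional while the behaviour is per-server. Reword it to carry the condition, e.g. `// Only when fixNumeric is enabled for this server: if uid is of format s[0-9]+, assume a numeric AD account name (workaround)`. The braced form of the new guard is fine and preferable to the one-line `if (...) stmt;` style used on the surrounding lines. request_replaceAttribute starts and continues outside the hunk.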
@@ -741,7 +743,9 @@ static void response_replaceAttribute(server_t *server, const struct string * co
 if (value == NULL) return;
 // Attributes already remapped here!
 if (iequals(attribute, &s_uid)) {
- fixNumeric(value);
+ if (server->fixNumeric) {
+ fixNumeric(value);
+ }
 } else if (iequals(attribute, &s_uidnumber)) {
 if (!server->plainLdap) {
 plog(DEBUG_TRACE, "Replacing uidnumber from objectsid len=%d", (int)value->l);
@@ -990,7 +994,9 @@ static BOOL proxy_clientBindRequest(epoll_client_t *client, const unsigned long
 } else {
 BOOL incorrect = FALSE;
 server_t *server = server_getFromBase(&name);
- if (server == NULL || (incorrect = (strncmp(password.s, "\x08\x0a\x0d\x7fINCORRECT", 13) == 0)) || isInt(&name, 0)) {
+ if (server == NULL
+ || (incorrect = (strncmp(password.s, "\x08\x0a\x0d\x7fINCORRECT", 13) == 0))
+ || (server->fixNumeric && isInt(&name, 0))) {
 // The INCORRECT part is some weird thing I saw pam_ldap do - probably to identify misconfigured
 // LDAP servers/accounts that will accept any password - save the round trip to AD and deny
 if (!incorrect) plog(DEBUG_WARNING, "[Client] Numeric account or invalid binddn for %.*s", (int)name.l, name.s);
diff --git a/server.c b/server.c
index 1f5fba3..a4106f9 100644
--- a/server.c
+++ b/server.c
@@ -63,6 +63,13 @@ void server_setPlainLdap(const char *server, const char *enabledStr)
 || strcmp(enabledStr, "True") == 0 || strcmp(enabledStr, "TRUE") == 0;
 }
 
+void server_setFixNumeric(const char *server, const char *enabledStr)
+{
+ server_t *entry = server_create(server);
+ if (entry == NULL) return;
+ entry->fixNumeric = *enabledStr != '\0' || atoi(enabledStr) != 0;
+}
+
 static void strtolower(char *str)
 {
 while (*str != '\0') {
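Review bot: With `server->fixNumeric` off, a purely numeric bind name no longer trips this guard and the bind proceeds like any other name; that is the intended relaxation, but nothing near the condition says so, and the existing comment only explains the INCORRECT marker. Add `// Numeric bind names are only rejected when fixNumeric is enabled for this server` above the `if`, so the reduced rejection set is visible to whoever audits bind handling later. The short-circuit order keeps the new `server->fixNumeric` read safe, since `server == NULL` is tested first. proxy_clientBindRequest starts and continues outside the hunk.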
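Review bot: `entry->fixNumeric = *enabledStr != '\0' || atoi(enabledStr) != 0;` is true for every non-empty value, so `fixnumeric = 0`, `fixnumeric = false` or `fixnumeric = no` all leave the option enabled and the only way to switch it off is an empty value — the option this commit introduces is effectively inert, and since the field defaults to TRUE (see the `server_create` hunk) the `atoi` term never matters. Parse the value the way the adjacent `server_setPlainLdap` does, whose visible tail is `... || strcmp(enabledStr, "True") == 0 || strcmp(enabledStr, "TRUE") == 0;`, e.g. `entry->fixNumeric = atoi(enabledStr) != 0 || strcmp(enabledStr, "true") == 0 || strcmp(enabledStr, "True") == 0 || strcmp(enabledStr, "TRUE") == 0;`, or better extract a shared `static BOOL parseBool(const char *s)` used by both setters so the two options cannot drift apart again. Whether the ini parser can hand this function a NULL `enabledStr` cannot be seen from the hunk; if it can, the dereference needs a guard.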
@@ -379,6 +386,7 @@ static server_t *server_create(const char *server)
 snprintf(servers[serverCount].addr, ADDRLEN, "%s", server);
 servers[serverCount].con.fd = -1;
 servers[serverCount].con.serverData = &servers[serverCount];
+ servers[serverCount].fixNumeric = TRUE;
 return &servers[serverCount++];
 }
 
diff --git a/types.h b/types.h
index 19477fb..4030902 100644
--- a/types.h
+++ b/types.h
@@ -120,6 +120,7 @@ struct _server_t_ {
 unsigned char fingerprint[FINGERPRINTLEN];
 char cabundle[MAXPATH];
 BOOL plainLdap;
+ BOOL fixNumeric; // prefix numeric account names with an 's'
 uint16_t port;
 SSL_CTX *sslContext;
 epoll_server_t con;
-- 
cgit v1.2.3-55-g7522