From 2b230a34464b5496112fbe30076cec195e8f7be3 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 9 Aug 2017 18:24:08 +0200
Subject: Add option to disable fixNumeric logic (s-prefixing), but default to ON
---
 proxy.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'proxy.c')
diff --git a/proxy.c b/proxy.c
index 95a7fbe..ad7496d 100644
--- a/proxy.c
+++ b/proxy.c
@@ -551,7 +551,9 @@ static BOOL request_replaceAttribute(server_t *server, struct string *attribute,
 if (attr) attr->hasUser = TRUE;
 // If uid is of format s[0-9]+, we assume that it's a numeric account name in AD, as a workaround
 if (value == NULL) return TRUE;
- fixUnNumeric(value);
+ if (server->fixNumeric) {
+ fixUnNumeric(value);
+ }
 ////// ###################
 } else if (iequals(attribute, &s_homemount)) {
 *attribute = server->map.homemount;
@@ -693,7 +695,7 @@ static void response_replacePal(server_t *server, struct PartialAttributeList **
 // Fetch user name so we can add our fake fields later
 if (username == NULL && iequals(&(*pal)->type, &s_uid)) {
 username = &(*pal)->values->a;
- if (username->l > 1 && username->s[0] == 's' && isInt(username, 1)) wasNumeric = TRUE;
+ if (server->fixNumeric && username->l > 1 && username->s[0] == 's' && isInt(username, 1)) wasNumeric = TRUE;
 }
 pal = &(*pal)->next;
 }
@@ -741,7 +743,9 @@ static void response_replaceAttribute(server_t *server, const struct string * co
 if (value == NULL) return; // Attributes already remapped here!
 if (iequals(attribute, &s_uid)) {
- fixNumeric(value);
+ if (server->fixNumeric) {
+ fixNumeric(value);
+ }
 } else if (iequals(attribute, &s_uidnumber)) {
 if (!server->plainLdap) {
 plog(DEBUG_TRACE, "Replacing uidnumber from objectsid len=%d", (int)value->l);
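Review bot: The comment two lines above the change, `// If uid is of format s[0-9]+, we assume that it's a numeric account name in AD, as a workaround`, still describes the un-prefixing as unconditional, while the new code only calls fixUnNumeric() when server->fixNumeric is set. Suggest updating it to `// If fixNumeric is enabled and uid is of format s[0-9]+, we assume it's a numeric account name in AD and strip the prefix (workaround)`. request_replaceAttribute begins and ends outside this hunk; server is already dereferenced unconditionally a few lines below (`server->map.homemount`), so the new `server->fixNumeric` read adds no new NULL assumption.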
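Review bot: The rewritten condition in response_replacePal now runs well past 100 columns on one line, while the same commit wraps the equivalent three-term condition in proxy_clientBindRequest across several lines. For consistency, split it the same way: `if (server->fixNumeric && username->l > 1` / `&& username->s[0] == 's' && isInt(username, 1)) wasNumeric = TRUE;`. Placing server->fixNumeric first is the right order, since it short-circuits the string inspection when the feature is off. response_replacePal starts before and ends after this hunk.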
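Review bot: `if (server->fixNumeric) { fixNumeric(value); }` reads as if the flag and the function were the same thing, because the new server_t field carries exactly the name of the function it gates; the same pairing appears in request_replaceAttribute with fixUnNumeric. A field name that states it is a switch, such as `fixNumericEnabled` or `prefixNumericUids`, would make both sites self-explanatory, and the field definition (outside this diff) should carry a comment stating the default-on behaviour the subject line mentions. response_replaceAttribute begins and ends outside this hunk.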
@@ -990,7 +994,9 @@ static BOOL proxy_clientBindRequest(epoll_client_t *client, const unsigned long
 } else {
 BOOL incorrect = FALSE;
 server_t *server = server_getFromBase(&name);
- if (server == NULL || (incorrect = (strncmp(password.s, "\x08\x0a\x0d\x7fINCORRECT", 13) == 0)) || isInt(&name, 0)) {
+ if (server == NULL
+ || (incorrect = (strncmp(password.s, "\x08\x0a\x0d\x7fINCORRECT", 13) == 0))
+ || (server->fixNumeric && isInt(&name, 0))) {
 // The INCORRECT part is some weird thing I saw pam_ldap do - probably to identify misconfigured
 // LDAP servers/accounts that will accept any password - save the round trip to AD and deny
 if (!incorrect) plog(DEBUG_WARNING, "[Client] Numeric account or invalid binddn for %.*s", (int)name.l, name.s);
-- cgit v1.2.3-55-g7522
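Review bot: Folding `server->fixNumeric` into the bind check ties the local rejection of purely numeric bind names to an option the subject line describes as controlling s-prefixing only, so with the option off such binds are now forwarded to the backend instead of being denied here. If that is intended (a numeric name can be a legitimate account once prefixing is off), say so in the comment block directly below, e.g. `// Without fixNumeric, numeric account names are legitimate, so only deny them while the prefixing workaround is active`; if not, the `isInt(&name, 0)` term should stay unconditional. The `server == NULL` test coming first keeps the new `server->fixNumeric` dereference safe. The DEBUG_WARNING text `Numeric account or invalid binddn` remains accurate for both outcomes. proxy_clientBindRequest begins and ends outside this hunk.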