
Bug(s) fixed: 206662
Bug Description: PAM passthru: ENTRY map method not working and schema incorrect
Reviewed by: nhosoi (Thanks!)
Fix Description:
1) Rename all occurrences of pamMapMethod to pamIDMapMethod
2) The parsing code for the map method was just plain wrong - it wasn't
incrementing the pointer correctly.
3) This code: if (one == two == three == PAMPT_MAP_METHOD_NONE) - is not correct.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no

Rich Megginson пре 19 година
родитељ
комит
419ccdeac3

+ 2 - 2
ldap/schema/60pam-plugin.ldif

@@ -43,9 +43,9 @@ dn: cn=schema
 attributeTypes: ( 2.16.840.1.113730.3.1.2067 NAME 'pamIncludeSuffix' DESC 'Suffixes to include for PAM authentication' SYNTAX  1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Red Hat Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2068 NAME 'pamExcludeSuffix' DESC 'Suffixes to exclude from PAM authentication' SYNTAX  1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Red Hat Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2069 NAME 'pamMissingSuffix' DESC 'How to handle missing include or exclude suffixes' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2070 NAME 'pamMapMethod' DESC 'How to map BIND DN to PAM identity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2070 NAME 'pamIDMapMethod' DESC 'How to map BIND DN to PAM identity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2071 NAME 'pamIDAttr' DESC 'Name of attribute holding PAM ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Red Hat Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2072 NAME 'pamFallback' DESC 'Fallback to regular LDAP BIND if PAM auth fails' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2073 NAME 'pamSecure' DESC 'Require secure (TLS/SSL) connection for PAM auth' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2074 NAME 'pamService' DESC 'Service name to pass to pam_start' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
-objectClasses: ( 2.16.840.1.113730.3.2.318 NAME 'pamConfig' DESC 'PAM plugin configuration' SUP top AUXILIARY MAY ( pamMissingSuffix $ pamExcludeSuffix $ pamIncludeSuffix $ pamIDAttr $ pamMapMethod $ pamFallback $ pamSecure $ pamService ) X-ORIGIN 'Red Hat Directory Server' )
+objectClasses: ( 2.16.840.1.113730.3.2.318 NAME 'pamConfig' DESC 'PAM plugin configuration' SUP top AUXILIARY MAY ( pamMissingSuffix $ pamExcludeSuffix $ pamIncludeSuffix $ pamIDAttr $ pamIDMapMethod $ pamFallback $ pamSecure $ pamService ) X-ORIGIN 'Red Hat Directory Server' )

+ 7 - 7
ldap/servers/plugins/pam_passthru/README

@@ -86,7 +86,7 @@ which is one of the objectclasses of the plugin entry:
 * pamIDAttr (string) - The value of this attribute, present in the
 	user's entry, holds the PAM identity of the user - it maps the LDAP
 	identity to the PAM identity
-* pamMapMethod (string)
+* pamIDMapMethod (string)
       o RDN (default) - uses the value from the leftmost RDN in the BIND DN
       o ENTRY - gets the value of the PAM identity attribute from the BIND DN entry
       o DN - uses the full DN string
@@ -137,13 +137,13 @@ to avoid it if possible.
 We may have to worry about different PAM policy in different subtrees
 e.g. maybe for dc=coke,dc=com you want to use the ENTRY map method,
 but for dc=pepsi,dc=com you want to use the RDN method. We could
-probably do this by having the pamMapMethod attr be multivalued, and
+probably do this by having the pamIDMapMethod attr be multivalued, and
 have it's value like this:
 
-pamMapMethod: RDN dc=coke,dc=com
-pamMapMethod: RDN dc=sprite,dc=com
-pamMapMethod: ENTRY dc=pepsi,dc=com
-pamMapMethod: DN (the default for all other suffixes)
+pamIDMapMethod: RDN dc=coke,dc=com
+pamIDMapMethod: RDN dc=sprite,dc=com
+pamIDMapMethod: ENTRY dc=pepsi,dc=com
+pamIDMapMethod: DN (the default for all other suffixes)
 
 The suffix that uses that map method would follow the map method used.
 
@@ -201,7 +201,7 @@ nsslapd-plugin-depends-on-type: database
 pamMissingSuffix: ALLOW
 pamExcludeSuffix: o=NetscapeRoot
 pamExcludeSuffix: cn=config
-pamMapMethod: RDN
+pamIDMapMethod: RDN
 pamFallback: FALSE
 pamSecure: TRUE
 pamService: ldapserver

+ 1 - 1
ldap/servers/plugins/pam_passthru/config.ldif

@@ -50,7 +50,7 @@ nsslapd-plugin-depends-on-type: database
 pamMissingSuffix: ALLOW
 pamExcludeSuffix: o=NetscapeRoot
 pamExcludeSuffix: cn=config
-pamMapMethod: RDN
+pamIDMapMethod: RDN
 pamFallback: FALSE
 pamSecure: TRUE
 pamService: ldapserver

+ 16 - 11
ldap/servers/plugins/pam_passthru/pam_ptconfig.c

@@ -188,11 +188,11 @@ meth_to_int(char **map_method, int *err)
 {
 	char *end;
 	int len;
-	int ret;
+	int ret = PAMPT_MAP_METHOD_NONE;
 
 	*err = 0;
 	if (!map_method || !*map_method) {
-		return PAMPT_MAP_METHOD_NONE;
+		return ret;
 	}
 
 	end = strchr(*map_method, ' ');
@@ -211,7 +211,7 @@ meth_to_int(char **map_method, int *err)
 		*err = 1;
 	}
 
-	if (!err) {
+	if (!*err) {
 		if (end && *end) {
 			*map_method = end + 1;
 		} else {
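Review bot: `*map_method = end + 1;` on the advance path steps over exactly one space, so a value such as `RDN  ENTRY` (two separators) or one with a trailing space hands the next call an empty string; the guard at the top of meth_to_int tests `!*map_method` (a NULL pointer), not an empty token, so that case reaches the name comparison, and if the comparison rejects an empty token — the lines between this hunk and the previous one are outside view — the configuration is refused for whitespace alone. Skipping the whole run of separators, `for (end++; *end == ' '; end++) ; *map_method = end;`, or treating an empty token as end-of-list in the top guard would make the parser tolerant of that. The test `end && *end` is the same as `end != NULL` if `end` still holds the `strchr(*map_method, ' ')` result from the first hunk, since a non-NULL result points at a space; a short comment saying the advance is deliberately skipped only when no separator was found would make the intent clearer. meth_to_int's body begins and ends outside this hunk.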
@@ -225,36 +225,37 @@ meth_to_int(char **map_method, int *err)
 static int
 parse_map_method(char *map_method, int *one, int *two, int *three, char *returntext)
 {
-	int err = 0;
+	int err = LDAP_SUCCESS;
 	int extra;
+	char **ptr = &map_method;
 
 	*one = *two = *three = PAMPT_MAP_METHOD_NONE;
-	*one = meth_to_int(&map_method, &err);
+	*one = meth_to_int(ptr, &err);
 	if (err) {
 		PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
 					"The map method in the string [%s] is invalid: must be "
 					"one of %s", map_method, get_map_method_values());
 		return LDAP_UNWILLING_TO_PERFORM;
 	}
-	*two = meth_to_int(&map_method, &err);
+	*two = meth_to_int(ptr, &err);
 	if (err) {
 		PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
 					"The map method in the string [%s] is invalid: must be "
 					"one of %s", map_method, get_map_method_values());
 		return LDAP_UNWILLING_TO_PERFORM;
 	}
-	*three = meth_to_int(&map_method, &err);
+	*three = meth_to_int(ptr, &err);
 	if (err) {
 		PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
 					"The map method in the string [%s] is invalid: must be "
 					"one of %s", map_method, get_map_method_values());
 		return LDAP_UNWILLING_TO_PERFORM;
 	}
-	if (((extra = meth_to_int(&map_method, &err)) != PAMPT_MAP_METHOD_NONE) ||
+	if (((extra = meth_to_int(ptr, &err)) != PAMPT_MAP_METHOD_NONE) ||
 		err) {
 		PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
 					"Invalid extra text [%s] after last map method",
-					map_method);
+					((ptr && *ptr) ? *ptr : "(null)"));
 		return LDAP_UNWILLING_TO_PERFORM;		
 	}
 
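Review bot: The "Invalid extra text" message prints `*ptr` after the fourth `meth_to_int` call has already advanced it: the advance happens whenever `*err` stays clear, so when the extra token is itself a valid method name (for example a fourth `RDN`) the text reported is whatever follows that token — possibly empty or NULL — rather than the offending token, and only when the token is invalid (err set, no advance) is the report right. Capture the position before the call, `char *extra_text = *ptr;` ahead of the `if`, and print `extra_text ? extra_text : "(null)"` instead. Since `ptr` is initialised as `&map_method` it can never be NULL, so the `ptr &&` half of the test is dead. The three earlier messages still pass `map_method`, which is the same object `*ptr` aliases, so they do report the current token as intended; a one-line comment on the `ptr` declaration, `/* meth_to_int advances *ptr, i.e. map_method itself, past each parsed token */`, would save the next reader from wondering why `ptr` was introduced.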
@@ -341,7 +342,10 @@ pam_passthru_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_
 	map_method = slapi_entry_attr_get_charptr(e, PAMPT_MAP_METHOD_ATTR);
 	if (map_method) {
 		int one, two, three;
-		*returncode = parse_map_method(map_method, &one, &two, &three, returntext);
+		if (LDAP_SUCCESS !=
+			(*returncode = parse_map_method(map_method, &one, &two, &three, returntext))) {
+			goto done; /* returntext set already */
+		}
 		if (!pam_ident_attr &&
 			((one == PAMPT_MAP_METHOD_ENTRY) || (two == PAMPT_MAP_METHOD_ENTRY) ||
 			 (three == PAMPT_MAP_METHOD_ENTRY))) {
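Review bot: The new early `goto done` after the parse failure skips everything between this block and the `done:` label; `map_method` comes from `slapi_entry_attr_get_charptr` a few lines above, which returns a caller-owned copy, so if it is released after this block rather than at `done:` the new path leaks it on every rejected configuration update — please check the cleanup at the label, which is outside the hunk. If the label does free it, extending the comment to `/* returntext set already; map_method freed at done */` documents that the early exit is safe. pam_passthru_validate_config begins and ends outside this hunk.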
@@ -351,7 +355,8 @@ pam_passthru_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_
 			*returncode = LDAP_UNWILLING_TO_PERFORM;
 			goto done;
 		}
-		if (one == two == three == PAMPT_MAP_METHOD_NONE) {
+		if ((one == PAMPT_MAP_METHOD_NONE) && (two == PAMPT_MAP_METHOD_NONE) &&
+			(three == PAMPT_MAP_METHOD_NONE)) {
 			PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Error: no method(s)"
 						" specified for %s, should be one or more of %s",
 						PAMPT_MAP_METHOD_ATTR, get_map_method_values());