Resolves: bug 232377

Bug Description: PAM passthru ENTRY method not working
Reviewed by: prowley (Thanks!)
Fix Description: There are several problems.
1) For the ENTRY method to perform the internal search to get the entry for the bind DN, it must have a component ID (aka plugin identity).  The code was already there to get/set it, but it was never initialized in the init function.
2) You cannot mix slapi_sdn_new* with slapi_sdn_init* - slapi_sdn_init will erase the knowledge that the Slapi_DN was allocated with malloc and it will not free it in slapi_sdn_free().
3) People may assume they can specify a subtree (e.g. ou=people,dc=example,dc=com) instead of a suffix for the list of included/excluded suffixes.  The error message will not print a list of valid suffixes for the admin to use.
4) slapi_be_exist was failing because the database does not notify the mapping tree code that the backend is started during startup.  This works fine under normal conditions because most all of the code in mapping_tree.c will lookup the backend if the mtn_be pointer in the mapping tree node is NULL.  However, slapi_be_exist and slapi_be_select do not do this.  The proper solution is to call slapi_mtn_be_started() at database startup time.  This is the same thing that happens when a backend is added at runtime.
Platforms tested: FC6
Flag Day: no
Doc impact: no

ldap/servers/plugins/pam_passthru/README

@@ -155,7 +155,9 @@ values when the password has expired. So we need to call
 pam_acct_mgmt() somewhere during the pam handshakes and before
 pam_end() to get this information. We also try to return an
 appropriate LDAP error code.
+
 PAM Error Code			LDAP Error Code				Meaning
+==============          ===============             =======
 PAM_USER_UNKNOWN		LDAP_NO_SUCH_OBJECT			User ID does not exist
 PAM_AUTH_ERROR			LDAP_INVALID_CREDENTIALS	Password is not correct
 PAM_ACCT_EXPIRED		LDAP_INVALID_CREDENTIALS	User's password is expired
@@ -163,6 +165,7 @@ PAM_PERM_DENIED			LDAP_UNWILLING_TO_PERFORM	User's account is locked out
 PAM_NEW_AUTHTOK_REQD	LDAP_INVALID_CREDENTIALS	User's password has expired and must be renewed
 PAM_MAXTRIES			LDAP_CONSTRAINT_VIOLATION	Max retry count has been exceeded
 Other codes				LDAP_OPERATIONS_ERROR		PAM config is incorrect, machine problem, etc.
+
 There are three controls we might possibly add to the response:
 * the auth response control - returned upon success - contains the BIND DN (u: not currently supported)
 * LDAP_CONTROL_PWEXPIRED - returned when PAM reports ACCT_EXPIRED or NEW_AUTHTOK_REQD
@@ -182,7 +185,7 @@ Configuration
 
 1. Shutdown the server
 2. Make sure the slapd-instance/config/schema contains the 60pam-config.ldif file
-3. Make sure serverroot/lib/pam-passthru-plugin.so exists
+3. Make sure plugindir/libpam-passthru-plugin.so exists
 4. Make sure /etc/pam.d/ldapserver exists and is configured correctly
 5. If the configuration is not already in dse.ldif, append the following to slapd-instance/config/dse.ldif
 
@@ -192,7 +195,7 @@ objectclass: nsSlapdPlugin
 objectclass: extensibleObject
 objectclass: pamConfig
 cn: PAM Pass Through Auth
-nsslapd-pluginpath: /opt/ldapserver/lib/pam-passthru-plugin.so
+nsslapd-pluginpath: /path/to/libpam-passthru-plugin.so
 nsslapd-plugininitfunc: pam_passthruauth_init
 nsslapd-plugintype: preoperation
 nsslapd-pluginenabled: on
@@ -210,7 +213,25 @@ Make sure there is a blank line at the end. The line with
 o=NetscapeRoot may be omitted if this is not a configuration DS. Then
 restart slapd.
 
+Testing
+
+I find it convenient to just test against regular /etc/passwd accounts.
+0) Create a server instance with suffix dc=example,dc=com and load the Example.ldif file
+1) cd /etc/pam.d
+2) cp system-auth ldapserver (make sure ldapserver is readable by nobody or whatever your ldap server account is)
+3) useradd scarter (or any uid from Example.ldif)
+4) passwd scarter - use a different password than the LDAP password
+5) Make sure /etc/shadow is readable by nobody or whatever your ldap server account is
+
+You might want to turn off pamSecure for testing purposes unless you have already set up your server and ldap clients to use TLS.
+
+Then you can run a test like this:
+ldapsearch -x -D "uid=scarter,ou=people,dc=example,dc=com" -w thepassword -s base -b ""
+
+Check /var/log/secure for any PAM authentication failures
+
 See Also
+
 PAM API for Linux http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl.html
 PAM API for Solaris Writing PAM Applications and Services from the Solaris Security for Developers Guide http://docs.sun.com/app/docs/doc/816-4863/6mb20lvfh?a=view
 PAM API for HP-UX http://docs.hp.com/en/B2355-60103/pam.3.html

ldap/servers/plugins/pam_passthru/pam_ptconfig.c

@@ -266,7 +266,23 @@ parse_map_method(char *map_method, int *one, int *two, int *three, char *returnt
 
 	return err;
 }
-		
+
+static void
+print_suffixes()
+{
+	void *cookie = NULL;
+	Slapi_DN *sdn = NULL;
+	slapi_log_error(SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
+					"The following is the list of valid suffixes to use with "
+					PAMPT_EXCLUDES_ATTR " and " PAMPT_INCLUDES_ATTR ":\n");
+	for (sdn = slapi_get_first_suffix(&cookie, 1);
+		 sdn && cookie;
+		 sdn = slapi_get_next_suffix(&cookie, 1)) {
+		slapi_log_error(SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
+						"\t%s\n", slapi_sdn_get_dn(sdn));
+	}
+}
+
 /*
   Validate the pending changes in the e entry.
 */
@@ -295,30 +311,27 @@ pam_passthru_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_
 
 	if (missing_suffix != PAMPT_MISSING_SUFFIX_IGNORE) {
 		char **missing_list = NULL;
-		Slapi_DN *comp_dn = slapi_sdn_new();
 
 		/* get the list of excluded suffixes */
 		excludes = slapi_entry_attr_get_charray(e, PAMPT_EXCLUDES_ATTR);
 		for (ii = 0; excludes && excludes[ii]; ++ii) {
-			slapi_sdn_init_dn_byref(comp_dn, excludes[ii]);
+			Slapi_DN *comp_dn = slapi_sdn_new_dn_byref(excludes[ii]);
 			if (!slapi_be_exist(comp_dn)) {
 				charray_add(&missing_list, slapi_ch_strdup(excludes[ii]));
 			}
-			slapi_sdn_done(comp_dn);
+			slapi_sdn_free(&comp_dn);
 		}
 
 		/* get the list of included suffixes */
 		includes = slapi_entry_attr_get_charray(e, PAMPT_INCLUDES_ATTR);
 		for (ii = 0; includes && includes[ii]; ++ii) {
-			slapi_sdn_init_dn_byref(comp_dn, includes[ii]);
+			Slapi_DN *comp_dn = slapi_sdn_new_dn_byref(includes[ii]);
 			if (!slapi_be_exist(comp_dn)) {
 				charray_add(&missing_list, slapi_ch_strdup(includes[ii]));
 			}
-			slapi_sdn_done(comp_dn);
+			slapi_sdn_free(&comp_dn);
 		}
 
-		slapi_sdn_free(&comp_dn);
-
 		if (missing_list) {
 			PRUint32 size =
 				PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
@@ -333,6 +346,7 @@ pam_passthru_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_
 			}
 			slapi_ch_array_free(missing_list);
 			missing_list = NULL;
+			print_suffixes();
 			if (missing_suffix != PAMPT_MISSING_SUFFIX_ERROR) {
 				slapi_log_error(SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
 								"Warning: %s\n", returntext);
@@ -398,8 +412,7 @@ New_Pam_PassthruSuffix(char *suffix)
 	Pam_PassthruSuffix *newone = NULL;
 	if (suffix) {
 		newone = (Pam_PassthruSuffix *)slapi_ch_malloc(sizeof(Pam_PassthruSuffix));
-		newone->pamptsuffix_dn = slapi_sdn_new();
-		slapi_sdn_init_dn_byval(newone->pamptsuffix_dn, suffix);
+		newone->pamptsuffix_dn = slapi_sdn_new_dn_byval(suffix);
 		newone->pamptsuffix_next = NULL;
 	}
 	return newone;
@@ -532,8 +545,7 @@ pam_passthru_check_suffix(Pam_PassthruConfig *cfg, char *binddn)
 	Pam_PassthruSuffix *try;
 	int ret = LDAP_SUCCESS;
 
-	comp_dn = slapi_sdn_new();
-	slapi_sdn_init_dn_byref(comp_dn, binddn);
+	comp_dn = slapi_sdn_new_dn_byref(binddn);
 
 	slapi_lock_mutex(cfg->lock);
 	if (!cfg->pamptconfig_includes && !cfg->pamptconfig_excludes) {

ldap/servers/plugins/pam_passthru/pam_ptpreop.c

@@ -85,6 +85,9 @@ pam_passthruauth_init( Slapi_PBlock *pb )
     slapi_log_error( SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
 	    "=> pam_passthruauth_init\n" );
 
+    slapi_pblock_get (pb, SLAPI_PLUGIN_IDENTITY, &pam_passthruauth_plugin_identity);
+    PR_ASSERT (pam_passthruauth_plugin_identity);
+
     if ( slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION,
 		    (void *)SLAPI_PLUGIN_VERSION_01 ) != 0
 	    || slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION,

ldap/servers/slapd/back-ldbm/instance.c

@@ -278,6 +278,7 @@ ldbm_instance_startall(struct ldbminfo *li)
 	    rc = rc1;
 	} else {
 	    vlv_init(inst);
+	    slapi_mtn_be_started(inst->inst_be);
 	}
         inst_obj = objset_next_obj(li->li_instance_set, inst_obj);
     }

ldap/servers/slapd/backend_manager.c

@@ -80,6 +80,10 @@ slapi_be_new( const char *type, const char *name, int isprivate, int logchanges
 
 	backends[i] = be;
 	nbackends++;
+
+	slapi_log_error(SLAPI_LOG_TRACE, "slapi_be_new",
+					"Added new backend name [%s] type [%s] nbackends [%d]\n",
+					name, type, nbackends);
 	return( be );
 }
 

ldap/servers/slapd/mapping_tree.c

@@ -324,6 +324,12 @@ mapping_tree_node_new(Slapi_DN *dn, Slapi_Backend **be, char **backend_names, in
     node->mtn_dstr_plg_name = plg_fct;
     node->mtn_dstr_plg = plg;
 
+    slapi_log_error(SLAPI_LOG_TRACE, "mapping_tree",
+                    "Created new mapping tree node for suffix [%s] backend [%s] [%p]\n",
+                    slapi_sdn_get_dn(dn),
+                    backend_names && backend_names[0] ? backend_names[0] : "null",
+                    be ? be[0] : NULL);
+
     return node;
 }