
(ITS#6487) Nssov pam_authz authorizedUserService



Full_Name: Chris Breneman
Version: 2.4.21
OS: Debian Lenny
URL: http://paste.cluenet.org/pastebin.php?dl=2648
Submission from: (NULL) (98.212.227.43)


My organization needs the capability of per-user (instead of per-group) access
control with nssov.  Using the method of modifying slapd ACLs to grant or revoke
compare privileges on the authorizedService attribute of the host object is not
scalable with large numbers of users, each of which has individual access.

This patch adds an attribute "authorizedUserService" for use in a host entry.
The attribute is in the form of "UID:SERVICE".  If an attribute value for the
user and service exists, access is granted.  Otherwise access is denied.
Wildcards in the form of "UID:*", "*:UID", and "*:*" are also supported.

This patch also fixes a minor bug in the pam_authz function.  Currently, one of
the values read from nslcd is used as a string in a Debug statement without
initializing a NULL terminator.  The patch extends the lengths of each buffer by
1 and initializes them to 0 so each buffer is always null-terminated and can be
used as a string.

The patch applies to the latest CVS HEAD as of this report, since several
changes have been made in that region of code since 2.4.21.

The patch is at http://paste.cluenet.org/pastebin.php?dl=2648 or
http://paste.cluenet.org/2648
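The "UID:SERVICE" matching rule described in the report, as an added example that is not part of the submitted patch or of OpenLDAP's nssov code. The function name, the default-deny treatment of malformed values, and the constructed host values are assumptions; each side of a value is taken to be either a literal or "*", which covers all of the wildcard forms listed.

```c
#include <stddef.h>
#include <string.h>

/* Compare one side of a value (len bytes, not NUL-terminated) with a
 * NUL-terminated string; "*" matches anything, an empty side never does. */
static int side_matches(const char *part, size_t len, const char *s)
{
    if (len == 0)
        return 0;                       /* malformed: treat as no match */
    if (len == 1 && part[0] == '*')
        return 1;                       /* wildcard */
    return strlen(s) == len && memcmp(part, s, len) == 0;
}

/* Evaluate a host entry's authorizedUserService values for one (uid, service)
 * pair. Returns 1 if some value matches (access granted), 0 otherwise
 * (default deny). Values without a ':' separator are skipped as malformed. */
int authz_user_service_match(const char *const *values, size_t nvalues,
                             const char *uid, const char *service)
{
    size_t i;
    for (i = 0; i < nvalues; i++) {
        const char *v = values[i];
        const char *colon = strchr(v, ':');   /* split at the first ':' */
        if (colon == NULL)
            continue;
        if (side_matches(v, (size_t)(colon - v), uid) &&
            side_matches(colon + 1, strlen(colon + 1), service))
            return 1;
    }
    return 0;
}

/* Constructed sample host entry (hypothetical values, not from the report):
 * alice may use sshd, bob may use any service, anyone may use login,
 * and one malformed value is present to show it is ignored. */
static const char *const example_host_values[] = {
    "alice:sshd", "bob:*", "*:login", "broken"
};

/* Convenience wrapper over the constructed sample entry. */
int example_grant(const char *uid, const char *service)
{
    return authz_user_service_match(example_host_values, 4, uid, service);
}
```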