Source: nss-pam-ldapd
Version: 0.8.10-3
Severity: normal
Tags: upstream patch

Hi,

I’ve had the problem today to put a wheezy system onto our LDAP,
and I was told to use libnss-ldapd instead of libnss-ldap, so I
investigated. Since I stay clear off PAM if at all possible, I
ran into a little problem when doing this in nslcd.conf:

map shadow userPassword "${userPassword#{crypt\}}"

In our LDAP (Univention Corporate Server 2.4), this works, as
all passwords are '{crypt}' + an md5crypt of the password as
used by libc (with an '!' after the '{crypt}' if the user is
disabled). Of course, uri ldaps://… and ssl on and tls_reqcert
demand were used together with a binddn.

I wrote a patch that extends the mksh-like "${foo:-bar}" style
parameter expansion code by (limited) trimming: "${foo#bar}"

Its limitations are:
• only trim at the front ('#'), not at the back ('%')
• no '##' (trim as much as possible) because it was not
  needed because…
• … the only wildcard is '?', no '*' or extglobs '+([0-9])'
• you can escape *any* character with a backslash
• the trim string goes until the first unescaped }

If the trim string is too long, no trim happens; same if
it doesn’t match (in both cases, the full value is expanded).
If no trailing } is found or a backslash (to escape) is
followed by a NUL (end of string), an error is thrown.

Enjoy!

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh-static
diff -Nru nss-pam-ldapd-0.8.10/debian/changelog nss-pam-ldapd-0.8.10/debian/changelog
--- nss-pam-ldapd-0.8.10/debian/changelog	2012-10-14 23:00:01.000000000 +0200
+++ nss-pam-ldapd-0.8.10/debian/changelog	2012-12-03 16:17:24.000000000 +0100
@@ -1,3 +1,11 @@
+nss-pam-ldapd (0.8.10-3tarent1) local; urgency=low
+
+  * debian/patches/add-expression-trimming.patch: new, allows
+    trimming of expressions like "${foo#b?r}" (only ? is wilcard)
+    or "${userPassword#{crypt\}}"
+
+ -- Thorsten Glaser <[email protected]>  Mon, 03 Dec 2012 16:16:52 +0100
+
 nss-pam-ldapd (0.8.10-3) unstable; urgency=low
 
   * fix a problem in sed logic for commenting out disabled options
diff -Nru nss-pam-ldapd-0.8.10/debian/patches/add-expression-trimming.patch nss-pam-ldapd-0.8.10/debian/patches/add-expression-trimming.patch
--- nss-pam-ldapd-0.8.10/debian/patches/add-expression-trimming.patch	1970-01-01 01:00:00.000000000 +0100
+++ nss-pam-ldapd-0.8.10/debian/patches/add-expression-trimming.patch	2012-12-03 16:11:30.000000000 +0100
@@ -0,0 +1,78 @@
+--- a/common/expr.c
++++ b/common/expr.c
+@@ -3,6 +3,7 @@
+    This file is part of the nss-pam-ldapd library.
+ 
+    Copyright (C) 2009, 2010, 2011 Arthur de Jong
++   Copyright (c) 2012 Thorsten Glaser <[email protected]>
+ 
+    This library is free software; you can redistribute it and/or
+    modify it under the terms of the GNU Lesser General Public
+@@ -140,6 +141,67 @@ MUST_USE static const char *parse_dollar
+         buffer[0]='\0';
+       }
+     }
++    else if (str[*ptr]=='#')
++    {
++      char c;
++      const char *cp, *vp;
++      int ismatch;
++      size_t vallen;
++
++      (*ptr)+=1;
++      cp=str+*ptr;
++      vp=varvalue;
++      ismatch=1;
++      while ((c=*cp++) && c!='}')
++      {
++        if (ismatch && !*vp)
++        {
++          /* varvalue shorter than trim string */
++          ismatch=0;
++        }
++        if (c=='?')
++        {
++          /* match any one character */
++          ++vp;
++          continue;
++        }
++        if (c=='\\')
++        {
++          if (!(c=*cp++))
++          {
++            /* end of input: syntax error */
++            return NULL;
++          }
++          /* escape the next character c */
++        }
++        if (ismatch && *vp!=c)
++        {
++          /* they differ */
++          ismatch=0;
++        }
++        ++vp;
++      }
++      if (!c)
++      {
++        /* end of input: syntax error */
++        return NULL;
++      }
++      /*
++       * at this point, cp points to after the closing }
++       * if ismatch, vp points to the beginning of the
++       * data after trimming, otherwise vp is invalid
++       */
++      --cp;
++      (*ptr)=cp-str;
++      if (!ismatch)
++      {
++        vp=varvalue;
++      }
++      /* now copy the (trimmed or not) value to the buffer */
++      if ((vallen=strlen(vp)+1)>buflen)
++        return NULL;
++      memcpy(buffer,vp,vallen);
++    }
+     else
+       return NULL;
+     (*ptr)++; /* skip closing } */
diff -Nru nss-pam-ldapd-0.8.10/debian/patches/series nss-pam-ldapd-0.8.10/debian/patches/series
--- nss-pam-ldapd-0.8.10/debian/patches/series	2012-10-12 22:09:41.000000000 +0200
+++ nss-pam-ldapd-0.8.10/debian/patches/series	2012-12-03 15:46:35.000000000 +0100
@@ -1 +1,2 @@
 01-use-poll-instead-of-select.patch
+add-expression-trimming.patch

Reply via email to