
Patch for nss_ldap 252 to check for access to credential cache configured i: msg#00019

ldap.padl.nss

Subject: Patch for nss_ldap 252 to check for access to credential cache configured in /etc/ldap.conf

I attach a patch to nss_ldap version 252 that checks to see if the credentials cache configured in the ldap.conf file is readable. If it is then it is used, otherwise the check is done with the environment of the caller - this will then use the configured KRB5CCNAME variable or the default credentials cache.

This allows the NSCD code to provide access to the ldap lookup when running in SASL mode, while stopping any non-authenticated user from enumerating the passwd map. It also allows other daemons to provide their own credentials to allow them to access even when they do not have read access to the configured credentials cache. I use this inside the nfs environment where rpc.statd runs as rpcuser.
--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square,
London, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Mobile: +44(7980)639379
Email: howard@xxxxxxxxxxx

diff -ruN nss_ldap-252-save/nss_ldap-252/ldap-nss.c
nss_ldap-252/nss_ldap-252/ldap-nss.c
--- nss_ldap-252-save/nss_ldap-252/ldap-nss.c 2006-08-14 09:43:05.000000000
+0100
+++ nss_ldap-252/nss_ldap-252/ldap-nss.c 2006-09-13 13:49:05.000000000
+0100
@@ -1837,6 +1837,19 @@
if (__config->ldc_krb5_ccname != NULL)
{
ccname = __config->ldc_krb5_ccname;
+ /* Check that cache exists and is readable */
+ if ((strncasecmp(ccname, "FILE:", sizeof("FILE:") - 1) == 0)
+ || (strncasecmp(ccname, "WRFILE:", sizeof("WRFILE:") - 1) == 0))
+ {
+ char *ccfile = strchr(ccname, ':') + 1;
+ if (access(ccfile, R_OK) != 0)
+ {
+ ccname = NULL;
+ }
+ }
+ }
+ if (ccname != NULL)
+ {
# ifdef CONFIGURE_KRB5_CCNAME_ENV
oldccname = getenv ("KRB5CCNAME");
if (oldccname != NULL)
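Review bot: the readability test with access(ccfile, R_OK) is evaluated against the caller's real UID rather than the effective UID, so in a setuid or privilege-dropping process (the rpc.statd-as-rpcuser case mentioned above is exactly that kind of caller) the result can disagree with the open that the Kerberos library performs a moment later, and the two are in any case separated by a window in which the file's permissions can change; since the only consequence of a mismatch is a fall-through to the caller's own KRB5CCNAME, that is acceptable, but the fallback should be logged so an unexpected switch away from the configured cache is visible rather than silent. Two smaller points in the same block: the check only fires for names carrying a `FILE:` or `WRFILE:` prefix, so a configured ldc_krb5_ccname given as a bare path (or any other cache type) is used unchecked, which is worth a comment next to `/* Check that cache exists and is readable */`; and for a `WRFILE:` cache R_OK is the right test for the read-only use here, but a brief comment saying so would stop a later reader from "fixing" it to R_OK|W_OK. The brace movement is sound: the original block's closing brace now closes the new `if (ccname != NULL)` block, and the +19/-6 counts match the lines shown.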
