Full_Name: Chris Breneman
Version: 2.4.21
OS: Debian Lenny
URL: http://paste.cluenet.org/pastebin.php?dl=2648
Submission from: (NULL) (98.212.227.43)
My organization needs the capability of per-user (instead of per-group) access control with nssov. Using the method of modifying slapd ACLs to grant or revoke compare privileges on the authorizedService attribute of the host object is not scalable with large numbers of users, each of which has individual access.
This patch adds an attribute "authorizedUserService" for use in a host entry. The attribute is in the form of "UID:SERVICE". If an attribute value for the user and service exists, access is granted. Otherwise access is denied. Wildcards in the form of "UID:*", "*:UID", and "*:*" are also supported.
This patch also fixes a minor bug in the pam_authz function. Currently, one of the values read from nslcd is used as a string in a Debug statement without initializing a NULL terminator. The patch extends the length of each buffer by 1 and initializes them to 0 so each buffer is always null-terminated and can be used as a string.
The patch applies to the latest CVS HEAD as of this report, since several changes have been made in that region of code since 2.4.21.
The patch is at http://paste.cluenet.org/pastebin.php?dl=2648 or http://paste.cluenet.org/2648
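The following is an added illustration of the two behaviours described in this report, written as a stand-alone C program rather than taken from the linked patch or from the OpenLDAP nssov source: a matcher for "UID:SERVICE" attribute values with the "*" wildcard on either side (deny by default, grant if any value on the host entry matches), and a copy helper for length-delimited protocol fields that always leaves the destination buffer NUL-terminated. The function names, the sample host values and the deny-on-malformed-value rule are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Compare one "field" of a pattern (plen bytes, not NUL-terminated) with
 * an actual string. A lone "*" matches anything; an empty field matches
 * nothing (assumption: values like ":sshd" are treated as malformed). */
static int field_matches(const char *pattern, size_t plen, const char *actual)
{
    if (plen == 0)
        return 0;
    if (plen == 1 && pattern[0] == '*')
        return 1;
    return strlen(actual) == plen && memcmp(pattern, actual, plen) == 0;
}

/* Match a single authorizedUserService value of the form "UID:SERVICE"
 * against a (uid, service) pair. Returns 1 on match, 0 otherwise.
 * Hypothetical helper; not the code from the ITS patch. */
int authz_user_service_match(const char *value, const char *uid, const char *service)
{
    const char *sep = strchr(value, ':');
    if (sep == NULL)
        return 0;                       /* no separator: malformed, deny */
    if (!field_matches(value, (size_t)(sep - value), uid))
        return 0;
    return field_matches(sep + 1, strlen(sep + 1), service);
}

/* Evaluate all values on a host entry: grant if any value matches,
 * otherwise deny (the default the report describes). */
int authz_host_allows(const char *const *values, size_t n,
                      const char *uid, const char *service)
{
    for (size_t i = 0; i < n; i++)
        if (authz_user_service_match(values[i], uid, service))
            return 1;
    return 0;
}

/* Copy a length-delimited field (as received on the wire, no terminator)
 * into dst as a C string. dst always ends up NUL-terminated: the buffer
 * is zeroed first and at most dstsz-1 bytes are copied. Returns 0 on
 * success, -1 if the field does not fit (dst is then the empty string). */
int copy_field_cstr(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    if (dstsz == 0)
        return -1;
    memset(dst, 0, dstsz);
    if (srclen >= dstsz)
        return -1;
    memcpy(dst, src, srclen);
    return 0;
}

int main(void)
{
    /* Constructed sample host entry: two authorizedUserService values. */
    const char *const host_values[] = { "alice:sshd", "*:cron" };
    size_t n = sizeof host_values / sizeof host_values[0];

    printf("alice/sshd: %s\n", authz_host_allows(host_values, n, "alice", "sshd") ? "grant" : "deny");
    printf("bob/sshd:   %s\n", authz_host_allows(host_values, n, "bob", "sshd") ? "grant" : "deny");
    printf("bob/cron:   %s\n", authz_host_allows(host_values, n, "bob", "cron") ? "grant" : "deny");

    /* Constructed wire field without a terminator; the copy is still a C string. */
    char buf[8];
    const char raw[] = { 'a', 'l', 'i', 'c', 'e' };
    if (copy_field_cstr(buf, sizeof buf, raw, sizeof raw) == 0)
        printf("copied field: \"%s\" (len %zu)\n", buf, strlen(buf));
    return 0;
}
```

The matcher treats a value without a ":" separator, or with an empty side, as a deny rather than a match, so a mistyped value cannot accidentally widen access; only the three wildcard forms from the report ("UID:*", "*:SERVICE", "*:*") broaden a grant.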