/* $NetBSD: pam.c,v 1.1.1.5.6.1 2019/08/10 06:17:10 martin Exp $ */
/* pam.c - pam processing routines */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software .
*
* Copyright 2008-2019 The OpenLDAP Foundation.
* Portions Copyright 2008 by Howard Chu, Symas Corp.
* Portions Copyright 2013 by Ted C. Cheng, Symas Corp.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* .
*/
#include "nssov.h"
#include "lutil.h"
#undef ldap_debug /* silence a warning in ldap-int.h */
#include "../../../libraries/libldap/ldap-int.h" /* for ldap_ld_free */
static int ppolicy_cid;
static AttributeDescription *ad_loginStatus;
struct paminfo {
struct berval uid;
struct berval dn;
struct berval svc;
struct berval ruser;
struct berval rhost;
struct berval tty;
struct berval pwd;
int authz;
struct berval msg;
int ispwdmgr;
};
static int pam_bindcb(
Operation *op, SlapReply *rs)
{
struct paminfo *pi = op->o_callback->sc_private;
LDAPControl *ctrl = ldap_control_find(LDAP_CONTROL_PASSWORDPOLICYRESPONSE,
rs->sr_ctrls, NULL);
if (ctrl) {
LDAP *ld;
ber_int_t expire, grace;
LDAPPasswordPolicyError error;
ldap_create(&ld);
if (ld) {
int rc = ldap_parse_passwordpolicy_control(ld,ctrl,
&expire,&grace,&error);
if (rc == LDAP_SUCCESS) {
if (expire >= 0) {
char *unit = "seconds";
if (expire > 60) {
expire /= 60;
unit = "minutes";
}
if (expire > 60) {
expire /= 60;
unit = "hours";
}
if (expire > 24) {
expire /= 24;
unit = "days";
}
#if 0 /* Who warns about expiration so far in advance? */
if (expire > 7) {
expire /= 7;
unit = "weeks";
}
if (expire > 4) {
expire /= 4;
unit = "months";
}
if (expire > 12) {
expire /= 12;
unit = "years";
}
#endif
pi->msg.bv_len = sprintf(pi->msg.bv_val,
"\nWARNING: Password expires in %d %s\n", expire, unit);
} else if (grace > 0) {
pi->msg.bv_len = sprintf(pi->msg.bv_val,
"Password expired; %d grace logins remaining",
grace);
pi->authz = NSLCD_PAM_NEW_AUTHTOK_REQD;
} else if (error != PP_noError) {
ber_str2bv(ldap_passwordpolicy_err2txt(error), 0, 0,
&pi->msg);
switch (error) {
case PP_passwordExpired:
/* report this during authz */
rs->sr_err = LDAP_SUCCESS;
/* fallthru */
case PP_changeAfterReset:
pi->authz = NSLCD_PAM_NEW_AUTHTOK_REQD;
}
}
}
ldap_ld_free(ld,0,NULL,NULL);
}
}
return LDAP_SUCCESS;
}
static int pam_uid2dn(nssov_info *ni, Operation *op,
struct paminfo *pi)
{
struct berval sdn;
BER_BVZERO(&pi->dn);
if (!isvalidusername(&pi->uid)) {
Debug(LDAP_DEBUG_ANY,"nssov_pam_uid2dn(%s): invalid user name\n",
pi->uid.bv_val ? pi->uid.bv_val : "NULL",0,0);
return NSLCD_PAM_USER_UNKNOWN;
}
if (ni->ni_pam_opts & NI_PAM_SASL2DN) {
int hlen = global_host_bv.bv_len;
/* cn=+uid=,cn=,cn=pam,cn=auth */
sdn.bv_len = pi->uid.bv_len + pi->svc.bv_len + hlen +
STRLENOF( "cn=+uid=,cn=,cn=pam,cn=auth" );
sdn.bv_val = op->o_tmpalloc( sdn.bv_len + 1, op->o_tmpmemctx );
sprintf(sdn.bv_val, "cn=%s+uid=%s,cn=%s,cn=pam,cn=auth",
pi->svc.bv_val, pi->uid.bv_val, global_host_bv.bv_val);
slap_sasl2dn(op, &sdn, &pi->dn, 0);
op->o_tmpfree( sdn.bv_val, op->o_tmpmemctx );
}
/* If no luck, do a basic uid search */
if (BER_BVISEMPTY(&pi->dn) && (ni->ni_pam_opts & NI_PAM_UID2DN)) {
nssov_uid2dn(op, ni, &pi->uid, &pi->dn);
if (!BER_BVISEMPTY(&pi->dn)) {
sdn = pi->dn;
dnNormalize( 0, NULL, NULL, &sdn, &pi->dn, op->o_tmpmemctx );
}
}
if (BER_BVISEMPTY(&pi->dn)) {
return NSLCD_PAM_USER_UNKNOWN;
}
return 0;
}
int pam_do_bind(nssov_info *ni,TFILE *fp,Operation *op,
struct paminfo *pi)
{
int rc;
slap_callback cb = {0};
SlapReply rs = {REP_RESULT};
pi->msg.bv_val = pi->pwd.bv_val;
pi->msg.bv_len = 0;
pi->authz = NSLCD_PAM_SUCCESS;
if (!pi->ispwdmgr) {
rc = pam_uid2dn(ni, op, pi);
if (rc) goto finish;
if (BER_BVISEMPTY(&pi->pwd)) {
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
}
/* Should only need to do this once at open time, but there's always
* the possibility that ppolicy will get loaded later.
*/
if (!ppolicy_cid) {
rc = slap_find_control_id(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
&ppolicy_cid);
}
/* of course, 0 is a valid cid, but it won't be ppolicy... */
if (ppolicy_cid) {
op->o_ctrlflag[ppolicy_cid] = SLAP_CONTROL_NONCRITICAL;
}
}
cb.sc_response = pam_bindcb;
cb.sc_private = pi;
op->o_callback = &cb;
op->o_dn.bv_val[0] = 0;
op->o_dn.bv_len = 0;
op->o_ndn.bv_val[0] = 0;
op->o_ndn.bv_len = 0;
op->o_tag = LDAP_REQ_BIND;
op->o_protocol = LDAP_VERSION3;
op->orb_method = LDAP_AUTH_SIMPLE;
op->orb_cred = pi->pwd;
op->o_req_dn = pi->dn;
op->o_req_ndn = pi->dn;
slap_op_time( &op->o_time, &op->o_tincr );
rc = op->o_bd->be_bind( op, &rs );
memset(pi->pwd.bv_val,0,pi->pwd.bv_len);
/* quirk: on successful bind, caller has to send result. we need
* to make sure callbacks run.
*/
if (rc == LDAP_SUCCESS)
send_ldap_result(op, &rs);
switch(rs.sr_err) {
case LDAP_SUCCESS: rc = NSLCD_PAM_SUCCESS; break;
case LDAP_INVALID_CREDENTIALS: rc = NSLCD_PAM_AUTH_ERR; break;
default: rc = NSLCD_PAM_AUTH_ERR; break;
}
finish:
Debug(LDAP_DEBUG_ANY,"pam_do_bind (%s): rc (%d)\n",
pi->dn.bv_val ? pi->dn.bv_val : "NULL", rc, 0);
return rc;
}
int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
{
int32_t tmpint32;
int rc;
char uidc[32];
char svcc[256];
char ruserc[32];
char rhostc[256];
char ttyc[256];
char pwdc[256];
struct paminfo pi;
READ_STRING(fp,uidc);
pi.uid.bv_val = uidc;
pi.uid.bv_len = tmpint32;
READ_STRING(fp,svcc);
pi.svc.bv_val = svcc;
pi.svc.bv_len = tmpint32;
READ_STRING(fp,ruserc);
pi.ruser.bv_val = ruserc;
pi.ruser.bv_len = tmpint32;
READ_STRING(fp,rhostc);
pi.rhost.bv_val = rhostc;
pi.rhost.bv_len = tmpint32;
READ_STRING(fp,ttyc);
pi.tty.bv_val = ttyc;
pi.tty.bv_len = tmpint32;
READ_STRING(fp,pwdc);
pi.pwd.bv_val = pwdc;
pi.pwd.bv_len = tmpint32;
Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(%s)\n",
pi.uid.bv_val ? pi.uid.bv_val : "NULL",0,0);
BER_BVZERO(&pi.msg);
pi.ispwdmgr = 0;
/* if service is "passwd" and "nssov-pam-password-prohibit-message */
/* is set, deny the auth request */
if (!strcmp(svcc, "passwd") &&
!BER_BVISEMPTY(&ni->ni_pam_password_prohibit_message)) {
Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(): %s (%s)\n",
"password_prohibit_message for passwd",
ni->ni_pam_password_prohibit_message.bv_val,0);
ber_str2bv(ni->ni_pam_password_prohibit_message.bv_val, 0, 0, &pi.msg);
pi.authz = NSLCD_PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
}
/* if username is null, pwdmgr password preliminary check */
if (BER_BVISEMPTY(&pi.uid)) {
if (BER_BVISEMPTY(&ni->ni_pam_pwdmgr_dn)) {
/* pwdmgr dn not configured */
Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(prelim check): %s\n",
"pwdmgr dn not configured", 0, 0);
ber_str2bv("pwdmgr dn not configured", 0, 0, &pi.msg);
pi.authz = NSLCD_PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
} else if (calleruid != 0) {
Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(prelim check): %s\n",
"caller is not root", 0, 0);
ber_str2bv("only root may do that", 0, 0, &pi.msg);
pi.authz = NSLCD_PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
} else {
/* use pwdmgr dn */
ber_str2bv(ni->ni_pam_pwdmgr_dn.bv_val, 0, 0, &pi.dn);
}
/* use pwdmgr pwd if configured */
if (BER_BVISEMPTY(&pi.pwd)) {
if (BER_BVISEMPTY(&ni->ni_pam_pwdmgr_pwd)) {
Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(prelim check): %s\n",
"no pwdmgr pwd", 0, 0);
ber_str2bv("pwdmgr pwd not configured", 0, 0, &pi.msg);
pi.authz = NSLCD_PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
}
/* use configured pwdmgr pwd */
memset((void *) pwdc, 0, 256);
strncpy(pi.pwd.bv_val, ni->ni_pam_pwdmgr_pwd.bv_val,
ni->ni_pam_pwdmgr_pwd.bv_len);
pi.pwd.bv_len = ni->ni_pam_pwdmgr_pwd.bv_len;
}
pi.ispwdmgr = 1;
}
rc = pam_do_bind(ni, fp, op, &pi);
finish:
Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(%s): rc (%d)\n",
pi.dn.bv_val ? pi.dn.bv_val : "NULL",rc,0);
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHC);
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_INT32(fp,rc);
WRITE_BERVAL(fp,&pi.uid);
WRITE_INT32(fp,pi.authz); /* authz */
WRITE_BERVAL(fp,&pi.msg); /* authzmsg */
WRITE_INT32(fp,NSLCD_RESULT_END);
return 0;
}
static struct berval grpmsg =
BER_BVC("Access denied by group check");
static struct berval hostmsg =
BER_BVC("Access denied for this host");
static struct berval svcmsg =
BER_BVC("Access denied for this service");
static struct berval uidmsg =
BER_BVC("Access denied by UID check");
static int pam_compare_cb(Operation *op, SlapReply *rs)
{
if (rs->sr_err == LDAP_COMPARE_TRUE)
op->o_callback->sc_private = (void *)1;
return LDAP_SUCCESS;
}
int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
{
struct berval authzmsg = BER_BVNULL;
int32_t tmpint32;
char uidc[32];
char svcc[256];
char ruserc[32];
char rhostc[256];
char ttyc[256];
int rc;
struct paminfo pi;
Entry *e = NULL;
Attribute *a;
slap_callback cb = {0};
READ_STRING(fp,uidc);
pi.uid.bv_val = uidc;
pi.uid.bv_len = tmpint32;
READ_STRING(fp,svcc);
pi.svc.bv_val = svcc;
pi.svc.bv_len = tmpint32;
READ_STRING(fp,ruserc);
pi.ruser.bv_val = ruserc;
pi.ruser.bv_len = tmpint32;
READ_STRING(fp,rhostc);
pi.rhost.bv_val = rhostc;
pi.rhost.bv_len = tmpint32;
READ_STRING(fp,ttyc);
pi.tty.bv_val = ttyc;
pi.tty.bv_len = tmpint32;
rc = pam_uid2dn(ni, op, &pi);
if (rc) goto finish;
Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(%s)\n",
pi.dn.bv_val ? pi.dn.bv_val : "NULL",0,0);
/* See if they have access to the host and service */
if ((ni->ni_pam_opts & NI_PAM_HOSTSVC) && nssov_pam_svc_ad) {
AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
struct berval hostdn = BER_BVNULL;
struct berval odn = op->o_ndn;
SlapReply rs = {REP_RESULT};
op->o_dn = pi.dn;
op->o_ndn = pi.dn;
{
nssov_mapinfo *mi = &ni->ni_maps[NM_host];
char fbuf[1024];
struct berval filter = {sizeof(fbuf),fbuf};
SlapReply rs2 = {REP_RESULT};
/* Lookup the host entry */
nssov_filter_byname(mi,0,&global_host_bv,&filter);
cb.sc_private = &hostdn;
cb.sc_response = nssov_name2dn_cb;
op->o_callback = &cb;
op->o_req_dn = mi->mi_base;
op->o_req_ndn = mi->mi_base;
op->ors_scope = mi->mi_scope;
op->ors_filterstr = filter;
op->ors_filter = str2filter_x(op, filter.bv_val);
op->ors_attrs = slap_anlist_no_attrs;
op->ors_tlimit = SLAP_NO_LIMIT;
op->ors_slimit = 2;
rc = op->o_bd->be_search(op, &rs2);
filter_free_x(op, op->ors_filter, 1);
if (BER_BVISEMPTY(&hostdn) &&
!BER_BVISEMPTY(&ni->ni_pam_defhost)) {
filter.bv_len = sizeof(fbuf);
filter.bv_val = fbuf;
rs_reinit(&rs2, REP_RESULT);
nssov_filter_byname(mi,0,&ni->ni_pam_defhost,&filter);
op->ors_filterstr = filter;
op->ors_filter = str2filter_x(op, filter.bv_val);
rc = op->o_bd->be_search(op, &rs2);
filter_free_x(op, op->ors_filter, 1);
}
/* no host entry, no default host -> deny */
if (BER_BVISEMPTY(&hostdn)) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = hostmsg;
goto finish;
}
}
cb.sc_response = pam_compare_cb;
cb.sc_private = NULL;
op->o_tag = LDAP_REQ_COMPARE;
op->o_req_dn = hostdn;
op->o_req_ndn = hostdn;
ava.aa_desc = nssov_pam_svc_ad;
ava.aa_value = pi.svc;
op->orc_ava = &ava;
rc = op->o_bd->be_compare( op, &rs );
if ( cb.sc_private == NULL ) {
authzmsg = svcmsg;
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
}
op->o_dn = odn;
op->o_ndn = odn;
}
/* See if they're a member of the group */
if ((ni->ni_pam_opts & NI_PAM_USERGRP) &&
!BER_BVISEMPTY(&ni->ni_pam_group_dn) &&
ni->ni_pam_group_ad) {
AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
SlapReply rs = {REP_RESULT};
op->o_callback = &cb;
cb.sc_response = pam_compare_cb;
cb.sc_private = NULL;
op->o_tag = LDAP_REQ_COMPARE;
op->o_req_dn = ni->ni_pam_group_dn;
op->o_req_ndn = ni->ni_pam_group_dn;
ava.aa_desc = ni->ni_pam_group_ad;
ava.aa_value = pi.dn;
op->orc_ava = &ava;
rc = op->o_bd->be_compare( op, &rs );
if ( cb.sc_private == NULL ) {
authzmsg = grpmsg;
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
}
}
/* We need to check the user's entry for these bits */
if ((ni->ni_pam_opts & (NI_PAM_USERHOST|NI_PAM_USERSVC)) ||
ni->ni_pam_template_ad ||
ni->ni_pam_min_uid || ni->ni_pam_max_uid ) {
rc = be_entry_get_rw( op, &pi.dn, NULL, NULL, 0, &e );
if (rc != LDAP_SUCCESS) {
rc = NSLCD_PAM_USER_UNKNOWN;
goto finish;
}
}
if ((ni->ni_pam_opts & NI_PAM_USERHOST) && nssov_pam_host_ad) {
a = attr_find(e->e_attrs, nssov_pam_host_ad);
if (!a || attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_VALUE_OF_SYNTAX,
&global_host_bv, NULL, op->o_tmpmemctx )) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = hostmsg;
goto finish;
}
}
if ((ni->ni_pam_opts & NI_PAM_USERSVC) && nssov_pam_svc_ad) {
a = attr_find(e->e_attrs, nssov_pam_svc_ad);
if (!a || attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_VALUE_OF_SYNTAX,
&pi.svc, NULL, op->o_tmpmemctx )) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = svcmsg;
goto finish;
}
}
/* from passwd.c */
#define UIDN_KEY 2
if (ni->ni_pam_min_uid || ni->ni_pam_max_uid) {
int id;
char *tmp;
nssov_mapinfo *mi = &ni->ni_maps[NM_passwd];
a = attr_find(e->e_attrs, mi->mi_attrs[UIDN_KEY].an_desc);
if (!a) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
id = (int)strtol(a->a_vals[0].bv_val,&tmp,0);
if (a->a_vals[0].bv_val[0] == '\0' || *tmp != '\0') {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
if ((ni->ni_pam_min_uid && id < ni->ni_pam_min_uid) ||
(ni->ni_pam_max_uid && id > ni->ni_pam_max_uid)) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
}
if (ni->ni_pam_template_ad) {
a = attr_find(e->e_attrs, ni->ni_pam_template_ad);
if (a)
pi.uid = a->a_vals[0];
else if (!BER_BVISEMPTY(&ni->ni_pam_template))
pi.uid = ni->ni_pam_template;
}
rc = NSLCD_PAM_SUCCESS;
finish:
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHZ);
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_INT32(fp,rc);
WRITE_BERVAL(fp,&authzmsg);
WRITE_INT32(fp,NSLCD_RESULT_END);
if (e) {
be_entry_release_r(op, e);
}
switch (rc) {
case NSLCD_PAM_SUCCESS:
Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(): success\n", 0,0,0);
break;
case NSLCD_PAM_PERM_DENIED:
Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(): %s\n",
authzmsg.bv_val ? authzmsg.bv_val : "NULL",0,0);
break;
default:
Debug(LDAP_DEBUG_TRACE,
"nssov_pam_authz(): permission denied, rc (%d)\n",
rc, 0, 0);
}
return 0;
}
static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action)
{
int32_t tmpint32;
char svcc[256];
char uidc[32];
char ttyc[32];
char rhostc[256];
char ruserc[32];
char sessionID[64];
struct paminfo pi;
slap_callback cb = {0};
SlapReply rs = {REP_RESULT};
char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE];
struct berval timestamp, bv[2], *nbv;
time_t stamp;
Modifications mod;
int rc = 0;
READ_STRING(fp,uidc);
pi.uid.bv_val = uidc;
pi.uid.bv_len = tmpint32;
READ_STRING(fp,svcc);
pi.svc.bv_val = svcc;
pi.svc.bv_len = tmpint32;
READ_STRING(fp,ruserc);
pi.ruser.bv_val = ruserc;
pi.ruser.bv_len = tmpint32;
READ_STRING(fp,rhostc);
pi.rhost.bv_val = rhostc;
pi.rhost.bv_len = tmpint32;
READ_STRING(fp,ttyc);
pi.tty.bv_val = ttyc;
pi.tty.bv_len = tmpint32;
if (action==NSLCD_ACTION_PAM_SESS_O) {
slap_op_time( &op->o_time, &op->o_tincr );
timestamp.bv_len = sizeof(timebuf);
timestamp.bv_val = timebuf;
stamp = op->o_time;
slap_timestamp( &stamp, ×tamp );
} else {
READ_STRING(fp,sessionID);
timestamp.bv_val = sessionID;
timestamp.bv_len = tmpint32;
}
rc = pam_uid2dn(ni, op, &pi);
if (rc) goto done;
Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(%s)\n",
action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', pi.dn.bv_val,0);
if (!ni->ni_pam_sessions) {
Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(): %s\n",
action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c',
"pam session(s) not configured, ignored",0);
rc = -1;
goto done;
}
{
int i, found=0;
for (i=0; !BER_BVISNULL(&ni->ni_pam_sessions[i]); i++) {
if (ni->ni_pam_sessions[i].bv_len != pi.svc.bv_len)
continue;
if (!strcasecmp(ni->ni_pam_sessions[i].bv_val, pi.svc.bv_val)) {
found = 1;
break;
}
}
if (!found) {
Debug(LDAP_DEBUG_TRACE,
"nssov_pam_sess_%c(): service(%s) not configured, ignored\n",
action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c',
pi.svc.bv_val,0);
rc = -1;
goto done;
}
}
bv[0].bv_len = timestamp.bv_len + global_host_bv.bv_len + pi.svc.bv_len +
pi.tty.bv_len + pi.ruser.bv_len + pi.rhost.bv_len + STRLENOF(" (@)");
bv[0].bv_val = op->o_tmpalloc( bv[0].bv_len+1, op->o_tmpmemctx );
sprintf(bv[0].bv_val, "%s %s %s %s (%s@%s)",
timestamp.bv_val, global_host_bv.bv_val, pi.svc.bv_val, pi.tty.bv_val,
pi.ruser.bv_val, pi.rhost.bv_val);
Debug(LDAP_DEBUG_TRACE, "nssov_pam_sess_%c(): loginStatus (%s) \n",
action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', bv[0].bv_val,0);
mod.sml_numvals = 1;
mod.sml_values = bv;
BER_BVZERO(&bv[1]);
attr_normalize( ad_loginStatus, bv, &nbv, op->o_tmpmemctx );
mod.sml_nvalues = nbv;
mod.sml_desc = ad_loginStatus;
mod.sml_op = action == NSLCD_ACTION_PAM_SESS_O ? LDAP_MOD_ADD :
LDAP_MOD_DELETE;
mod.sml_flags = SLAP_MOD_INTERNAL;
mod.sml_next = NULL;
cb.sc_response = slap_null_cb;
op->o_callback = &cb;
op->o_tag = LDAP_REQ_MODIFY;
op->o_dn = op->o_bd->be_rootdn;
op->o_ndn = op->o_bd->be_rootndn;
op->orm_modlist = &mod;
op->orm_no_opattrs = 1;
op->o_req_dn = pi.dn;
op->o_req_ndn = pi.dn;
if (op->o_bd->be_modify( op, &rs ) != LDAP_SUCCESS) {
Debug(LDAP_DEBUG_TRACE,
"nssov_pam_sess_%c(): modify op failed\n",
action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c',
0,0);
rc = -1;
}
if ( mod.sml_next ) {
slap_mods_free( mod.sml_next, 1 );
}
ber_bvarray_free_x( nbv, op->o_tmpmemctx );
done:;
if (rc == 0) {
Debug(LDAP_DEBUG_TRACE,
"nssov_pam_sess_%c(): success\n",
action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c',
0,0);
}
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,action);
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
if (action==NSLCD_ACTION_PAM_SESS_O)
WRITE_STRING(fp,timestamp.bv_val);
WRITE_INT32(fp,NSLCD_RESULT_END);
return 0;
}
int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op)
{
return pam_sess(ni,fp,op,NSLCD_ACTION_PAM_SESS_O);
}
int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op)
{
return pam_sess(ni,fp,op,NSLCD_ACTION_PAM_SESS_C);
}
int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
{
struct berval npw;
int32_t tmpint32;
char uidc[32];
char svcc[256];
char ruserc[32];
char rhostc[256];
char ttyc[256];
int asroot;
char opwc[256];
char npwc[256];
struct paminfo pi;
int rc;
READ_STRING(fp,uidc);
pi.uid.bv_val = uidc;
pi.uid.bv_len = tmpint32;
READ_STRING(fp,svcc);
pi.svc.bv_val = svcc;
pi.svc.bv_len = tmpint32;
READ_STRING(fp,ruserc);
pi.ruser.bv_val = svcc;
pi.ruser.bv_len = tmpint32;
READ_STRING(fp,rhostc);
pi.rhost.bv_val = svcc;
pi.rhost.bv_len = tmpint32;
READ_STRING(fp,ttyc);
pi.tty.bv_val = svcc;
pi.tty.bv_len = tmpint32;
READ_INT32(fp, asroot);
READ_STRING(fp,opwc);
pi.pwd.bv_val = opwc;
pi.pwd.bv_len = tmpint32;
READ_STRING(fp,npwc);
npw.bv_val = npwc;
npw.bv_len = tmpint32;
rc = pam_uid2dn(ni, op, &pi);
if (rc) goto done;
Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(%s), %s %s\n",
pi.dn.bv_val ? pi.dn.bv_val : "NULL",
pi.uid.bv_val ? pi.uid.bv_val : "NULL",
asroot ? "as root" : "as user");
BER_BVZERO(&pi.msg);
pi.ispwdmgr = 0;
/* nssov_pam prohibits password mod */
if (!BER_BVISEMPTY(&ni->ni_pam_password_prohibit_message)) {
Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(): %s (%s)\n",
"password_prohibit_message",
ni->ni_pam_password_prohibit_message.bv_val,0);
ber_str2bv(ni->ni_pam_password_prohibit_message.bv_val, 0, 0, &pi.msg);
rc = NSLCD_PAM_PERM_DENIED;
goto done;
}
if (asroot) {
if (BER_BVISEMPTY(&ni->ni_pam_pwdmgr_dn)) {
Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(), %s\n",
"pwdmgr not configured", 0, 0);
ber_str2bv("pwdmgr not configured", 0, 0, &pi.msg);
rc = NSLCD_PAM_PERM_DENIED;
goto done;
}
if (calleruid != 0) {
Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(): %s\n",
"caller is not root", 0, 0);
ber_str2bv("only root may do that", 0, 0, &pi.msg);
rc = NSLCD_PAM_PERM_DENIED;
goto done;
}
/* root user requesting pwmod */
pi.ispwdmgr = 1;
}
if (!pi.ispwdmgr && BER_BVISEMPTY(&pi.pwd)) {
Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(), %s\n",
"not pwdmgr and old pwd empty", 0, 0);
ber_str2bv("must provide old password", 0, 0, &pi.msg);
rc = NSLCD_PAM_PERM_DENIED;
goto done;
}
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
struct berval bv;
SlapReply rs = {REP_RESULT};
slap_callback cb = {0};
ber_init_w_nullc(ber, LBER_USE_DER);
ber_printf(ber, "{");
if (!BER_BVISEMPTY(&pi.dn))
ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_ID,
&pi.dn);
/* supply old pwd whenever it's given */
if (!BER_BVISEMPTY(&pi.pwd))
ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_OLD,
&pi.pwd);
if (!BER_BVISEMPTY(&npw))
ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW,
&npw);
ber_printf(ber, "N}");
ber_flatten2(ber, &bv, 0);
op->o_tag = LDAP_REQ_EXTENDED;
op->ore_reqoid = slap_EXOP_MODIFY_PASSWD;
op->ore_reqdata = &bv;
if (pi.ispwdmgr) {
/* root user changing end-user passwords */
op->o_dn = ni->ni_pam_pwdmgr_dn;
op->o_ndn = ni->ni_pam_pwdmgr_dn;
} else {
/* end-user self-pwd-mod */
op->o_dn = pi.dn;
op->o_ndn = pi.dn;
}
op->o_callback = &cb;
op->o_conn->c_authz_backend = op->o_bd;
cb.sc_response = slap_null_cb;
op->o_bd = frontendDB;
rc = op->o_bd->be_extended(op, &rs);
if (rs.sr_text)
ber_str2bv(rs.sr_text, 0, 0, &pi.msg);
if (rc == LDAP_SUCCESS)
rc = NSLCD_PAM_SUCCESS;
else
rc = NSLCD_PAM_PERM_DENIED;
done:;
Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(), rc (%d)\n", rc, 0, 0);
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD);
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_INT32(fp,rc);
WRITE_BERVAL(fp,&pi.msg);
return 0;
}
int nssov_pam_init()
{
int code = 0;
const char *text;
if (!ad_loginStatus)
code = slap_str2ad("loginStatus", &ad_loginStatus, &text);
return code;
}