From 27f02881c1d27a081370cf327e30a81b38184916 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 24 Nov 2011 18:38:38 +0100 Subject: Make pwd-extop aware of new ipaNTHash attribute --- .../ipa-pwd-extop/ipa_pwd_extop.c | 4 +- daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 7 ++-- .../ipa-pwd-extop/ipapwd_common.c | 38 ++++++++++++++--- .../ipa-pwd-extop/ipapwd_encoding.c | 22 ++++++++-- .../ipa-pwd-extop/ipapwd_prepost.c | 47 +++++++++++++++------- 5 files changed, 89 insertions(+), 29 deletions(-) (limited to 'daemons/ipa-slapi-plugins') diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 65c583459..82acc49dd 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -156,7 +156,7 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) Slapi_Value *objectclass=NULL; char *attrlist[] = {"*", "passwordHistory", NULL }; struct ipapwd_data pwdata; - int is_krb, is_smb; + int is_krb, is_smb, is_ipant; char *principal = NULL; /* Get the ber value of the extended operation */ @@ -365,7 +365,7 @@ parse_req_done: } rc = ipapwd_entry_checks(pb, targetEntry, - &is_root, &is_krb, &is_smb, + &is_root, &is_krb, &is_smb, &is_ipant, SLAPI_USERPWD_ATTR, SLAPI_ACL_WRITE); if (rc) { goto free_and_return; diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h index 787ed500a..0edd2dcad 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h @@ -113,7 +113,7 @@ struct ipapwd_krbcfg { }; int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e, - int *is_root, int *is_krb, int *is_smb, + int *is_root, int *is_krb, int *is_smb, int *is_ipant, char *attr, int access); int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg, struct ipapwd_krbcfg **config, int check_flags); 
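Review bot: In the ipa_pwd_extop.c hunk at @@ -365, `is_ipant` is now filled in by ipapwd_entry_checks inside ipapwd_chpwop, but nothing in this patch reads it there; ipapwd_SetPassword in ipapwd_common.c re-derives the same flag from data->target's objectClass on its own. If the rest of ipapwd_chpwop, which lies outside the hunk, does not use it either (the pre-existing `is_smb` appears to be in the same position), the variable only exists to satisfy the widened signature, and a one-line comment on the declaration at @@ -156 such as `/* is_smb/is_ipant are unused here; ipapwd_SetPassword re-checks the objectclasses */` would save the next reader the search. Passing NULL instead is not an option as written, since ipapwd_entry_checks stores through `*is_ipant` unconditionally.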
@@ -144,8 +144,9 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset); int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg, struct ipapwd_data *data, char *userpw, - int is_krb, int is_smb, Slapi_Value ***svals, - char **nthash, char **lmhash, char **errMesg); + int is_krb, int is_smb, int is_ipant, + Slapi_Value ***svals, char **nthash, char **lmhash, + Slapi_Value ***ntvals, char **errMesg); /* from ipapwd_prepost.c */ int ipapwd_ext_init(void); diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c index 9e203be27..c36189987 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c @@ -498,7 +498,7 @@ done: /*==Common-public-functions=============================================*/ int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e, - int *is_root, int *is_krb, int *is_smb, + int *is_root, int *is_krb, int *is_smb, int *is_ipant, char *attr, int acc) { Slapi_Value *sval; @@ -535,6 +535,15 @@ int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e, *is_smb = slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS, sval); slapi_value_free(&sval); + sval = slapi_value_new_string("ipaNTUserAttrs"); + if (!sval) { + rc = LDAP_OPERATIONS_ERROR; + goto done; + } + *is_ipant = slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS, + sval); + slapi_value_free(&sval); + rc = LDAP_SUCCESS; done: @@ -765,14 +774,17 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, int ret = 0; Slapi_Mods *smods = NULL; Slapi_Value **svals = NULL; + Slapi_Value **ntvals = NULL; Slapi_Value **pwvals = NULL; struct tm utctime; char timestr[GENERALIZED_TIME_LENGTH+1]; char *lm = NULL; char *nt = NULL; int is_smb = 0; + int is_ipant = 0; int is_host = 0; Slapi_Value *sambaSamAccount; + Slapi_Value *ipaNTUserAttrs; Slapi_Value *ipaHost; char *errMesg = NULL; char *modtime = NULL; 
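Review bot: The new `ntvals` output of ipapwd_gen_hashes in the ipapwd.h hunk carries an ownership contract that the prototype leaves undocumented: it is populated only when `is_ipant` is non-zero, it is a NULL-terminated Slapi_Value array (two slots are calloc'd in ipapwd_encoding.c), the caller must release it with ipapwd_free_slapi_value_array, and ipapwd_gen_hashes frees it itself on the error path. The three call sites in ipapwd_common.c and ipapwd_prepost.c each do release it, but nothing at the declaration says so. A short comment above the prototype stating which outputs are filled for which flag (`svals` for is_krb, `nthash`/`lmhash` when is_smb or is_ipant, `ntvals` for is_ipant) and that every output is caller-owned on success would make the call sites checkable without reading the implementation.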
@@ -782,10 +794,17 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, sambaSamAccount = slapi_value_new_string("sambaSamAccount"); if (slapi_entry_attr_has_syntax_value(data->target, "objectClass", sambaSamAccount)) { - is_smb = 1;; + is_smb = 1; } slapi_value_free(&sambaSamAccount); + ipaNTUserAttrs = slapi_value_new_string("ipaNTUserAttrs"); + if (slapi_entry_attr_has_syntax_value(data->target, + "objectClass", ipaNTUserAttrs)) { + is_ipant = 1; + } + slapi_value_free(&ipaNTUserAttrs); + ipaHost = slapi_value_new_string("ipaHost"); if (slapi_entry_attr_has_syntax_value(data->target, "objectClass", ipaHost)) { @@ -795,8 +814,8 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, ret = ipapwd_gen_hashes(krbcfg, data, data->password, - is_krb, is_smb, - &svals, &nt, &lm, &errMesg); + is_krb, is_smb, is_ipant, + &svals, &nt, &lm, &ntvals, &errMesg); if (ret) { goto free_and_return; } @@ -835,15 +854,21 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, } } - if (lm) { + if (lm && is_smb) { slapi_mods_add_string(smods, LDAP_MOD_REPLACE, "sambaLMPassword", lm); } - if (nt) { + if (nt && is_smb) { slapi_mods_add_string(smods, LDAP_MOD_REPLACE, "sambaNTPassword", nt); } + + if (ntvals && is_ipant) { + slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE, + "ipaNTHash", ntvals); + } + if (is_smb) { /* with samba integration we need to also set sambaPwdLastSet or * samba will decide the user has to change the password again */ @@ -899,6 +924,7 @@ free_and_return: if (modtime) slapi_ch_free((void **)&modtime); slapi_mods_free(&smods); ipapwd_free_slapi_value_array(&svals); + ipapwd_free_slapi_value_array(&ntvals); ipapwd_free_slapi_value_array(&pwvals); return ret; diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c index 8e59e19c6..5720d3e6e 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c 
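Review bot: The new ipaNTUserAttrs block in ipapwd_SetPassword (hunk @@ -782) hands the result of `slapi_value_new_string("ipaNTUserAttrs")` to slapi_entry_attr_has_syntax_value without a NULL check, copying the pre-existing sambaSamAccount lines just above it, whereas ipapwd_entry_checks in the same file (hunk @@ -535 on this commit) checks the identical call and returns LDAP_OPERATIONS_ERROR. If slapi_value_new_string can fail at all in this build, the unchecked path dereferences NULL inside the directory server. Since this is new code it could take the checked form, `if (!ipaNTUserAttrs) { ret = LDAP_OPERATIONS_ERROR; goto free_and_return; }`; the declarations at @@ -765 initialise every pointer that free_and_return releases to NULL, so jumping there from this point looks safe, though the label itself is outside the hunk.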
@@ -395,8 +395,9 @@ done: int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg, struct ipapwd_data *data, char *userpw, - int is_krb, int is_smb, Slapi_Value ***svals, - char **nthash, char **lmhash, char **errMesg) + int is_krb, int is_smb, int is_ipant, Slapi_Value ***svals, + char **nthash, char **lmhash, Slapi_Value ***ntvals, + char **errMesg) { int rc; @@ -417,7 +418,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg, } } - if (is_smb) { + if (is_smb || is_ipant) { char lm[33], nt[33]; struct ntlm_keys ntlm; int ret; @@ -442,6 +443,20 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg, nt[32] = '\0'; *nthash = slapi_ch_strdup(nt); } + + if (is_ipant) { + *ntvals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *)); + if (!svals) { + LOG_OOM(); + rc = LDAP_OPERATIONS_ERROR; + goto done; + } + (*ntvals)[0] = slapi_value_new(); + if (slapi_value_set((*ntvals)[0], ntlm.nt, 16) == NULL) { + rc = LDAP_OPERATIONS_ERROR; + goto done; + } + } } rc = LDAP_SUCCESS; @@ -451,6 +466,7 @@ done: /* when error, free possibly allocated output parameters */ if (rc) { ipapwd_free_slapi_value_array(svals); + ipapwd_free_slapi_value_array(ntvals); } return rc; diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c index 961678acb..a4663c0cc 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c @@ -163,7 +163,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) char *dn = NULL; struct ipapwd_operation *pwdop = NULL; void *op; - int is_repl_op, is_root, is_krb, is_smb; + int is_repl_op, is_root, is_krb, is_smb, is_ipant; int ret; int rc = LDAP_SUCCESS; @@ -240,7 +240,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) } rc = ipapwd_entry_checks(pb, e, - &is_root, &is_krb, &is_smb, + &is_root, &is_krb, &is_smb, &is_ipant, NULL, SLAPI_ACL_ADD); if (rc != LDAP_SUCCESS) { goto done; 
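Review bot: In the @@ -442 hunk the allocation check after `*ntvals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *))` tests `svals` rather than the pointer just allocated, so a failed calloc is never detected and the following `(*ntvals)[0] = slapi_value_new()` writes through NULL; the line should read `if (!*ntvals) {`. The return of `slapi_value_new()` is likewise stored and passed to slapi_value_set without a check, which can be folded into the existing test as `if (!(*ntvals)[0] || slapi_value_set((*ntvals)[0], ntlm.nt, 16) == NULL) {`. The array comes from libc calloc (with a cast the C code does not need) while the rest of this file allocates through the slapi_ch_* family and releases through ipapwd_free_slapi_value_array, so it is worth confirming that the release path really pairs with plain free. Note also that the value stored here is the raw 16-byte NT hash, which is password-equivalent; the read access control on the ipaNTHash attribute is not part of this patch and should be confirmed to be at least as restrictive as for the Kerberos keys.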
@@ -307,17 +307,18 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) goto done; } - if (is_krb || is_smb) { + if (is_krb || is_smb || is_ipant) { Slapi_Value **svals = NULL; + Slapi_Value **ntvals = NULL; char *nt = NULL; char *lm = NULL; pwdop->is_krb = is_krb; rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata, - userpw, is_krb, is_smb, - &svals, &nt, &lm, &errMesg); + userpw, is_krb, is_smb, is_ipant, + &svals, &nt, &lm, &ntvals, &errMesg); if (rc != LDAP_SUCCESS) { goto done; } @@ -335,17 +336,22 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) ipapwd_free_slapi_value_array(&svals); } - if (lm) { + if (lm && is_smb) { /* set value */ slapi_entry_attr_set_charptr(e, "sambaLMPassword", lm); slapi_ch_free_string(&lm); } - if (nt) { + if (nt && is_smb) { /* set value */ slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt); slapi_ch_free_string(&nt); } + if (ntvals && is_ipant) { + slapi_entry_attr_replace_sv(e, "ipaNTHash", ntvals); + ipapwd_free_slapi_value_array(&ntvals); + } + if (is_smb) { /* with samba integration we need to also set sambaPwdLastSet or * samba will decide the user has to change the password again */ @@ -397,7 +403,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) struct slapi_entry *e = NULL; struct ipapwd_operation *pwdop = NULL; void *op; - int is_repl_op, is_pwd_op, is_root, is_krb, is_smb; + int is_repl_op, is_pwd_op, is_root, is_krb, is_smb, is_ipant; int has_krb_keys = 0; int has_history = 0; int gen_krb_keys = 0; @@ -514,7 +520,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) } rc = ipapwd_entry_checks(pb, e, - &is_root, &is_krb, &is_smb, + &is_root, &is_krb, &is_smb, &is_ipant, SLAPI_USERPWD_ATTR, SLAPI_ACL_WRITE); if (rc) { goto done; @@ -585,6 +591,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) * flags, so we sero them out and see if they get set again */ is_krb = 0; is_smb = 0; + is_ipant = 0; case LDAP_MOD_ADD: bv = slapi_mod_get_first_value(smod); 
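Review bot: When an entry has ipaNTUserAttrs but not sambaSamAccount, the `nt` and `lm` strings are leaked in the @@ -335 hunk: ipapwd_gen_hashes now fills them whenever `is_smb || is_ipant` (ipapwd_encoding.c @@ -417, with the `*nthash = slapi_ch_strdup(nt)` visible at the top of @@ -442), but this hunk frees each only inside its `if (lm && is_smb)` / `if (nt && is_smb)` block, and both variables are scoped to the enclosing `if (is_krb || is_smb || is_ipant)` block opened at @@ -307, so the `done:` path cannot release them. ipapwd_pre_mod at @@ -766 has the same structure. Either gate the two strdup calls in ipapwd_gen_hashes on `is_smb`, or free unconditionally here: keep `if (lm && is_smb) { slapi_entry_attr_set_charptr(e, "sambaLMPassword", lm); }` and move `slapi_ch_free_string(&lm);` after the closing brace, and the same for `nt`. Since these strings are hash material, the leak also keeps password-equivalent data resident in the server longer than necessary.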
@@ -598,6 +605,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) is_krb = 1; if (0 == strncasecmp("sambaSamAccount", bv->bv_val, bv->bv_len)) is_smb = 1; + if (0 == strncasecmp("ipaNTUserAttrs", bv->bv_val, bv->bv_len)) + is_ipant = 1; } while ((bv = slapi_mod_get_next_value(smod)) != NULL); break; @@ -606,6 +615,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) /* can this happen for objectclasses ? */ is_krb = 0; is_smb = 0; + is_ipant = 0; default: break; @@ -654,7 +664,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) /* Check this is a clear text password, or refuse operation (only if we need * to comput other hashes */ - if (! unhashedpw && (gen_krb_keys || is_smb)) { + if (! unhashedpw && (gen_krb_keys || is_smb || is_ipant)) { if ('{' == userpw[0]) { if (0 == strncasecmp(userpw, "{CLEAR}", strlen("{CLEAR}"))) { unhashedpw = slapi_ch_strdup(&userpw[strlen("{CLEAR}")]); @@ -746,15 +756,16 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) } } - if (gen_krb_keys || is_smb) { + if (gen_krb_keys || is_smb || is_ipant) { Slapi_Value **svals = NULL; + Slapi_Value **ntvals = NULL; char *nt = NULL; char *lm = NULL; rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata, unhashedpw, - gen_krb_keys, is_smb, - &svals, &nt, &lm, &errMesg); + gen_krb_keys, is_smb, is_ipant, + &svals, &nt, &lm, &ntvals, &errMesg); if (rc) { goto done; } 
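Review bot: The added objectClass test `strncasecmp("ipaNTUserAttrs", bv->bv_val, bv->bv_len)` in the @@ -598 hunk bounds the comparison by the incoming value's length only, so a modification value that is a proper prefix of the name (including an empty value, for which strncasecmp with a zero length returns 0) compares equal and sets `is_ipant`; the existing sambaSamAccount line just above shares this, but the new line need not copy it. A length check makes it exact: `if (bv->bv_len == strlen("ipaNTUserAttrs") && 0 == strncasecmp("ipaNTUserAttrs", bv->bv_val, bv->bv_len))`. The practical effect is limited to generating an ipaNTHash for an entry whose objectClass change the schema may later reject, but the exact form costs nothing.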
@@ -766,19 +777,25 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) ipapwd_free_slapi_value_array(&svals); } - if (lm) { + if (lm && is_smb) { /* replace value */ slapi_mods_add_string(smods, LDAP_MOD_REPLACE, "sambaLMPassword", lm); slapi_ch_free_string(&lm); } - if (nt) { + if (nt && is_smb) { /* replace value */ slapi_mods_add_string(smods, LDAP_MOD_REPLACE, "sambaNTPassword", nt); slapi_ch_free_string(&nt); } + if (ntvals && is_ipant) { + slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE, + "ipaNTHash", ntvals); + ipapwd_free_slapi_value_array(&ntvals); + } + if (is_smb) { /* with samba integration we need to also set sambaPwdLastSet or * samba will decide the user has to change the password again */ -- cgit