author | Jakub Hrozek <jhrozek@redhat.com> | 2010-08-29 22:15:06 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-09-08 09:36:22 -0400 |
commit | 88aeed9a31b734a92630d5e881c960c5f77ba0ce (patch) | |
tree | 516e1e785f1365873d8a036d8510e0492a8b6f87 | |
parent | 530ba03ecabb472f17d5d1ab546aec9390492de1 (diff) | |
Deobfuscate password in back ends
When an obfuscated password is used in the config file, the LDAP back end
converts it back to clear text and uses it to authenticate to the
server.
-rw-r--r-- | Makefile.am | 6 | ||||
-rw-r--r-- | src/man/sssd-ldap.5.xml | 11 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_connection.c | 59 |
3 files changed, 66 insertions, 10 deletions
diff --git a/Makefile.am b/Makefile.am
index d6aef7fd6..f3f5a329c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -782,7 +782,8 @@ libsss_ldap_la_CFLAGS = \
 libsss_ldap_la_LIBADD = \
 $(OPENLDAP_LIBS) \
 $(DHASH_LIBS) \
- $(KRB5_LIBS)
+ $(KRB5_LIBS) \
+ libsss_crypt.la
 libsss_ldap_la_LDFLAGS = \
 -version-info 1:0:0 \
 -module
@@ -871,7 +872,8 @@ libsss_ipa_la_LIBADD = \
 $(OPENLDAP_LIBS) \
 $(DHASH_LIBS) \
 $(KEYUTILS_LIBS) \
- $(KRB5_LIBS)
+ $(KRB5_LIBS) \
+ libsss_crypt.la
 libsss_ipa_la_LDFLAGS = \
 -version-info 1:0:0 \
 -module
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 346faf8de..b32096dd9 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -120,7 +120,16 @@
 <listitem>
 <para>
 The type of the authentication token of the
- default bind DN. The only currently supported value is "password".
+ default bind DN.
+ </para>
+ <para>
+ The two mechanisms currently supported are:
+ </para>
+ <para>
+ password
+ </para>
+ <para>
+ obfuscated_password
 </para>
 </listitem>
 </varlistentry>
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index d2ca356f3..682d74c81 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -25,6 +25,7 @@
 #include "util/sss_krb5.h"
 #include "providers/ldap/sdap_async_private.h"
 #include "providers/ldap/ldap_req_wrap.h"
+#include "util/crypto/sss_crypto.h"
 
 #define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
 
@@ -786,6 +787,10 @@ struct sdap_auth_state {
 };
 
 static void sdap_auth_done(struct tevent_req *subreq);
+static int sdap_auth_get_authtok(TALLOC_CTX *memctx,
+ const char *authtok_type,
+ struct dp_opt_blob authtok,
+ struct berval *pw);
 
 /* TODO: handle sasl_cred */
 struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
@@ -799,18 +804,25 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
 {
 struct tevent_req *req, *subreq;
 struct sdap_auth_state *state;
-
- if (authtok_type != NULL && strcasecmp(authtok_type,"password") != 0) {
- DEBUG(1,("Authentication token type [%s] is not supported"));
- return NULL;
- }
+ int ret;
 
 req = tevent_req_create(memctx, &state, struct sdap_auth_state);
 if (!req) return NULL;
 
 state->user_dn = user_dn;
- state->pw.bv_val = (char *)authtok.data;
- state->pw.bv_len = authtok.length;
+
+ ret = sdap_auth_get_authtok(state, authtok_type, authtok, &state->pw);
+ if (ret != EOK) {
+ if (ret == ENOSYS) {
+ DEBUG(1, ("Getting authtok is not supported with the "
+ "crypto library compiled with, authentication "
+ "might fail!\n"));
+ } else {
+ DEBUG(1, ("Cannot parse authtok.\n"));
+ tevent_req_error(req, ret);
+ return tevent_req_post(req, ev);
+ }
+ }
 
 if (sasl_mech) {
 state->is_sasl = true;
@@ -832,6 +844,39 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
 return req;
 }
 
+static int sdap_auth_get_authtok(TALLOC_CTX *mem_ctx,
+ const char *authtok_type,
+ struct dp_opt_blob authtok,
+ struct berval *pw)
+{
+ char *cleartext;
+ int ret;
+
+ if (!authtok_type) return EOK;
+ if (!pw) return EINVAL;
+
+ if (strcasecmp(authtok_type,"password") == 0) {
+ pw->bv_len = authtok.length;
+ pw->bv_val = (char *) authtok.data;
+ } else if (strcasecmp(authtok_type,"obfuscated_password") == 0) {
+ ret = sss_password_decrypt(mem_ctx, (char *) authtok.data, &cleartext);
+ if (ret != EOK) {
+ DEBUG(1, ("Cannot convert the obfuscated "
+ "password back to cleartext\n"));
+ return ret;
+ }
+
+ pw->bv_len = strlen(cleartext);
+ pw->bv_val = (char *) cleartext;
+ } else {
+ DEBUG(1, ("Authentication token type [%s] is not supported\n",
+ authtok_type));
+ return EINVAL;
+ }
+
+ return EOK;
+}
+
 static void sdap_auth_done(struct tevent_req *subreq)
 {
 struct tevent_req *req = tevent_req_callback_data(subreq,
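Review bot: The `ENOSYS` branch after the `sdap_auth_get_authtok` call only logs a warning and then continues into the bind with `state->pw` untouched by the helper, i.e. whatever `tevent_req_create` left there (presumably a zero-length berval with a NULL value). That path can only arise for `obfuscated_password`, so there is no usable credential to fall back to, and a bind for a non-empty DN with an empty credential may be accepted by the server as an unauthenticated/anonymous bind instead of being rejected, turning a build or configuration problem into a silently weaker identity. I would fail closed and collapse the block to `if (ret != EOK) { DEBUG(1, ("Cannot parse authtok.\n")); tevent_req_error(req, ret); return tevent_req_post(req, ev); }`, keeping the more specific `ENOSYS` wording as the message if that is useful. `sdap_auth_send` continues and returns in the following hunk.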
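Review bot: In `sdap_auth_get_authtok` the cleartext produced by `sss_password_decrypt` is allocated under `mem_ctx` (the request state, per the caller) and `pw->bv_val` simply aliases it, so the decrypted bind password is released together with the state without being wiped and lingers in freed heap memory for the lifetime of the process. A talloc destructor set on `cleartext` that zeroes `talloc_get_size(cleartext)` bytes before release would address that. The function also relies on `sss_password_decrypt` returning a NUL-terminated string, since `bv_len` is taken from `strlen(cleartext)`; a header comment such as `/* pw->bv_val is not copied: it aliases the caller's authtok blob or a talloc child of mem_ctx */` would make the ownership explicit for callers. The function is fully contained in this hunk.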