summaryrefslogtreecommitdiffstats
path: root/src/providers/ldap/ldap_auth.c
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2010-02-18 07:49:04 -0500
committerStephen Gallagher <sgallagh@redhat.com>2010-02-18 13:48:45 -0500
commit1c48b5a62f73234ed26bb20f0ab345ab61cda0ab (patch)
tree0b6cddd567a862e1a7b5df23764869782a62ca78 /src/providers/ldap/ldap_auth.c
parent8c56df3176f528fe0260974b3bf934173c4651ea (diff)
downloadsssd-1c48b5a62f73234ed26bb20f0ab345ab61cda0ab.tar.gz
sssd-1c48b5a62f73234ed26bb20f0ab345ab61cda0ab.tar.xz
sssd-1c48b5a62f73234ed26bb20f0ab345ab61cda0ab.zip
Rename server/ directory to src/
Also update BUILD.txt
Diffstat (limited to 'src/providers/ldap/ldap_auth.c')
-rw-r--r--src/providers/ldap/ldap_auth.c1055
1 files changed, 1055 insertions, 0 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
new file mode 100644
index 000000000..cfe8adb97
--- /dev/null
+++ b/src/providers/ldap/ldap_auth.c
@@ -0,0 +1,1055 @@
+/*
+ SSSD
+
+ LDAP Backend Module
+
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2008 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifdef WITH_MOZLDAP
+#define LDAP_OPT_SUCCESS LDAP_SUCCESS
+#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
+#define LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ((ber_tag_t) 0x81U)
+#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
+#endif
+
+#define _XOPEN_SOURCE 500 /* for strptime() */
+#include <time.h>
+#undef _XOPEN_SOURCE
+#include <errno.h>
+#include <sys/time.h>
+#include <strings.h>
+
+#include <shadow.h>
+#include <security/pam_modules.h>
+
+#include "util/util.h"
+#include "util/user_info_msg.h"
+#include "db/sysdb.h"
+#include "providers/ldap/ldap_common.h"
+#include "providers/ldap/sdap_async.h"
+
+enum pwexpire {
+ PWEXPIRE_NONE = 0,
+ PWEXPIRE_LDAP_PASSWORD_POLICY,
+ PWEXPIRE_KERBEROS,
+ PWEXPIRE_SHADOW
+};
+
+static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
+ enum sdap_result *result)
+{
+ char *end;
+ struct tm tm = {0, 0, 0, 0, 0, 0, 0, 0, 0};
+ time_t expire_time;
+
+ *result = SDAP_AUTH_FAILED;
+
+ end = strptime(expire_date, "%Y%m%d%H%M%SZ", &tm);
+ if (end == NULL) {
+ DEBUG(1, ("Kerberos expire date [%s] invalid.\n", expire_date));
+ return EINVAL;
+ }
+ if (*end != '\0') {
+ DEBUG(1, ("Kerberos expire date [%s] contains extra characters.\n",
+ expire_date));
+ return EINVAL;
+ }
+
+ expire_time = mktime(&tm);
+ if (expire_time == -1) {
+ DEBUG(1, ("mktime failed to convert [%s].\n", expire_date));
+ return EINVAL;
+ }
+
+ tzset();
+ expire_time -= timezone;
+ DEBUG(9, ("Time info: tzname[0] [%s] tzname[1] [%s] timezone [%d] "
+ "daylight [%d] now [%d] expire_time [%d].\n", tzname[0],
+ tzname[1], timezone, daylight, now, expire_time));
+
+ if (difftime(now, expire_time) > 0.0) {
+ DEBUG(4, ("Kerberos password expired.\n"));
+ *result = SDAP_AUTH_PW_EXPIRED;
+ } else {
+ *result = SDAP_AUTH_SUCCESS;
+ }
+
+ return EOK;
+}
+
+static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
+ enum sdap_result *result)
+{
+ long today;
+ long password_age;
+
+ if (spwd->sp_lstchg <= 0) {
+ DEBUG(4, ("Last change day is not set, new password needed.\n"));
+ *result = SDAP_AUTH_PW_EXPIRED;
+ return EOK;
+ }
+
+ today = (long) (now / (60 * 60 *24));
+ password_age = today - spwd->sp_lstchg;
+ if (password_age < 0) {
+ DEBUG(2, ("The last password change time is in the future!.\n"));
+ *result = SDAP_AUTH_SUCCESS;
+ return EOK;
+ }
+
+ if ((spwd->sp_expire != -1 && today > spwd->sp_expire) ||
+ (spwd->sp_max != -1 && spwd->sp_inact != -1 &&
+ password_age > spwd->sp_max + spwd->sp_inact))
+ {
+ DEBUG(4, ("Account expired.\n"));
+ *result = SDAP_ACCT_EXPIRED;
+ return EOK;
+ }
+
+ if (spwd->sp_max != -1 && password_age > spwd->sp_max) {
+ DEBUG(4, ("Password expired.\n"));
+ *result = SDAP_AUTH_PW_EXPIRED;
+ return EOK;
+ }
+
+/* TODO: evaluate spwd->min and spwd->warn */
+
+ *result = SDAP_AUTH_SUCCESS;
+ return EOK;
+}
+
+static errno_t string_to_shadowpw_days(const char *s, long *d)
+{
+ long l;
+ char *endptr;
+
+ if (s == NULL || *s == '\0') {
+ *d = -1;
+ return EOK;
+ }
+
+ errno = 0;
+ l = strtol(s, &endptr, 10);
+ if (errno != 0) {
+ DEBUG(1, ("strtol failed [%d][%s].\n", errno, strerror(errno)));
+ return errno;
+ }
+
+ if (*endptr != '\0') {
+ DEBUG(1, ("Input string [%s] is invalid.\n", s));
+ return EINVAL;
+ }
+
+ if (*d < -1) {
+ DEBUG(1, ("Input string contains not allowed negative value [%d].\n",
+ *d));
+ return EINVAL;
+ }
+
+ *d = l;
+
+ return EOK;
+}
+
+static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
+ const struct ldb_message *msg,
+ struct dp_option *opts,
+ enum pwexpire *type, void **data)
+{
+ const char *mark;
+ const char *val;
+ struct spwd *spwd;
+ const char *pwd_policy;
+ int ret;
+
+ *type = PWEXPIRE_NONE;
+ *data = NULL;
+
+ pwd_policy = dp_opt_get_string(opts, SDAP_PWD_POLICY);
+ if (pwd_policy == NULL) {
+ DEBUG(1, ("Missing password policy.\n"));
+ return EINVAL;
+ }
+
+ mark = ldb_msg_find_attr_as_string(msg, SYSDB_PWD_ATTRIBUTE, NULL);
+ if (mark != NULL) {
+ DEBUG(9, ("Found pwdAttribute, "
+ "assuming LDAP password policies are active.\n"));
+
+ *type = PWEXPIRE_LDAP_PASSWORD_POLICY;
+ return EOK;
+ }
+
+ if (strcasecmp(pwd_policy, PWD_POL_OPT_NONE) == 0) {
+ DEBUG(9, ("No password policy requested.\n"));
+ return EOK;
+ } else if (strcasecmp(pwd_policy, PWD_POL_OPT_MIT) == 0) {
+ mark = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_LASTCHANGE, NULL);
+ if (mark != NULL) {
+ DEBUG(9, ("Found Kerberos password expiration attributes.\n"))
+ val = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_EXPIRATION,
+ NULL);
+ if (val != NULL) {
+ *data = talloc_strdup(mem_ctx, val);
+ if (*data == NULL) {
+ DEBUG(1, ("talloc_strdup failed.\n"));
+ return ENOMEM;
+ }
+ *type = PWEXPIRE_KERBEROS;
+
+ return EOK;
+ }
+ } else {
+ DEBUG(1, ("No Kerberos password expiration attributes found, "
+ "but MIT Kerberos password policy was requested.\n"));
+ return EINVAL;
+ }
+ } else if (strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) == 0) {
+ mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
+ if (mark != NULL) {
+ DEBUG(9, ("Found shadow password expiration attributes.\n"))
+ spwd = talloc_zero(mem_ctx, struct spwd);
+ if (spwd == NULL) {
+ DEBUG(1, ("talloc failed.\n"));
+ return ENOMEM;
+ }
+
+ val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
+ ret = string_to_shadowpw_days(val, &spwd->sp_lstchg);
+ if (ret != EOK) goto shadow_fail;
+
+ val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MIN, NULL);
+ ret = string_to_shadowpw_days(val, &spwd->sp_min);
+ if (ret != EOK) goto shadow_fail;
+
+ val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MAX, NULL);
+ ret = string_to_shadowpw_days(val, &spwd->sp_max);
+ if (ret != EOK) goto shadow_fail;
+
+ val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_WARNING, NULL);
+ ret = string_to_shadowpw_days(val, &spwd->sp_warn);
+ if (ret != EOK) goto shadow_fail;
+
+ val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_INACTIVE, NULL);
+ ret = string_to_shadowpw_days(val, &spwd->sp_inact);
+ if (ret != EOK) goto shadow_fail;
+
+ val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_EXPIRE, NULL);
+ ret = string_to_shadowpw_days(val, &spwd->sp_expire);
+ if (ret != EOK) goto shadow_fail;
+
+ *data = spwd;
+ *type = PWEXPIRE_SHADOW;
+
+ return EOK;
+ } else {
+ DEBUG(1, ("No shadow password attributes found, "
+ "but shadow password policy was requested.\n"));
+ return EINVAL;
+ }
+ }
+
+ DEBUG(9, ("No password expiration attributes found.\n"));
+ return EOK;
+
+shadow_fail:
+ talloc_free(spwd);
+ return ret;
+}
+
+/* ==Get-User-DN========================================================== */
+
+struct get_user_dn_state {
+ struct tevent_context *ev;
+ struct sdap_auth_ctx *ctx;
+ struct sdap_handle *sh;
+
+ const char **attrs;
+ const char *name;
+
+ char *dn;
+ enum pwexpire pw_expire_type;
+ void *pw_expire_data;
+};
+
+static void get_user_dn_done(void *pvt, int err, struct ldb_result *res);
+
+struct tevent_req *get_user_dn_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_auth_ctx *ctx,
+ struct sdap_handle *sh,
+ const char *username)
+{
+ struct tevent_req *req;
+ struct get_user_dn_state *state;
+ int ret;
+
+ req = tevent_req_create(memctx, &state, struct get_user_dn_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->ctx = ctx;
+ state->sh = sh;
+ state->name = username;
+
+ state->attrs = talloc_array(state, const char *, 11);
+ if (!state->attrs) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ state->attrs[0] = SYSDB_ORIG_DN;
+ state->attrs[1] = SYSDB_SHADOWPW_LASTCHANGE;
+ state->attrs[2] = SYSDB_SHADOWPW_MIN;
+ state->attrs[3] = SYSDB_SHADOWPW_MAX;
+ state->attrs[4] = SYSDB_SHADOWPW_WARNING;
+ state->attrs[5] = SYSDB_SHADOWPW_INACTIVE;
+ state->attrs[6] = SYSDB_SHADOWPW_EXPIRE;
+ state->attrs[7] = SYSDB_KRBPW_LASTCHANGE;
+ state->attrs[8] = SYSDB_KRBPW_EXPIRATION;
+ state->attrs[9] = SYSDB_PWD_ATTRIBUTE;
+ state->attrs[10] = NULL;
+
+ /* this sysdb call uses a sysdn operation, which means it will be
+ * schedule only after we return, no timer hack needed */
+ ret = sysdb_get_user_attr(state, state->ctx->be->sysdb,
+ state->ctx->be->domain, state->name,
+ state->attrs, get_user_dn_done, req);
+ if (ret) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+
+ return req;
+}
+
+static void get_user_dn_done(void *pvt, int err, struct ldb_result *res)
+{
+ struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
+ struct get_user_dn_state *state = tevent_req_data(req,
+ struct get_user_dn_state);
+ const char *dn;
+ int ret;
+
+ if (err != LDB_SUCCESS) {
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ switch (res->count) {
+ case 0:
+ /* FIXME: not in cache, needs a true search */
+ tevent_req_error(req, ENOENT);
+ break;
+
+ case 1:
+ dn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_ORIG_DN, NULL);
+ if (!dn) {
+ /* TODO: try to search ldap server ? */
+
+ /* FIXME: remove once we store originalDN on every call
+ * NOTE: this is wrong, works only with some DITs */
+ dn = talloc_asprintf(state, "%s=%s,%s",
+ state->ctx->opts->user_map[SDAP_AT_USER_NAME].name,
+ state->name,
+ dp_opt_get_string(state->ctx->opts->basic,
+ SDAP_USER_SEARCH_BASE));
+ if (!dn) {
+ tevent_req_error(req, ENOMEM);
+ break;
+ }
+ }
+
+ state->dn = talloc_strdup(state, dn);
+ if (!state->dn) {
+ tevent_req_error(req, ENOMEM);
+ break;
+ }
+
+ ret = find_password_expiration_attributes(state, res->msgs[0],
+ state->ctx->opts->basic,
+ &state->pw_expire_type,
+ &state->pw_expire_data);
+ if (ret != EOK) {
+ DEBUG(1, ("find_password_expiration_attributes failed.\n"));
+ tevent_req_error(req, ENOMEM);
+ break;
+ }
+
+ tevent_req_done(req);
+ break;
+
+ default:
+ DEBUG(1, ("A user search by name (%s) returned > 1 results!\n",
+ state->name));
+ tevent_req_error(req, EFAULT);
+ break;
+ }
+}
+
+static int get_user_dn_recv(struct tevent_req *req,
+ TALLOC_CTX *memctx, char **dn,
+ enum pwexpire *pw_expire_type,
+ void **pw_expire_data)
+{
+ struct get_user_dn_state *state = tevent_req_data(req,
+ struct get_user_dn_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *dn = talloc_steal(memctx, state->dn);
+ if (!*dn) return ENOMEM;
+
+ /* state->pw_expire_data may be NULL */
+ *pw_expire_data = talloc_steal(memctx, state->pw_expire_data);
+
+ *pw_expire_type = state->pw_expire_type;
+
+ return EOK;
+}
+
+/* ==Authenticate-User==================================================== */
+
+struct auth_state {
+ struct tevent_context *ev;
+ struct sdap_auth_ctx *ctx;
+ const char *username;
+ struct dp_opt_blob password;
+
+ struct sdap_handle *sh;
+
+ enum sdap_result result;
+ char *dn;
+ enum pwexpire pw_expire_type;
+ void *pw_expire_data;
+
+ struct fo_server *srv;
+};
+
+static void auth_resolve_done(struct tevent_req *subreq);
+static void auth_connect_done(struct tevent_req *subreq);
+static void auth_get_user_dn_done(struct tevent_req *subreq);
+static void auth_bind_user_done(struct tevent_req *subreq);
+
+static struct tevent_req *auth_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_auth_ctx *ctx,
+ const char *username,
+ struct dp_opt_blob password)
+{
+ struct tevent_req *req, *subreq;
+ struct auth_state *state;
+
+ req = tevent_req_create(memctx, &state, struct auth_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->ctx = ctx;
+ state->username = username;
+ state->password = password;
+ state->srv = NULL;
+
+ subreq = be_resolve_server_send(state, ev, ctx->be, ctx->service->name);
+ if (!subreq) goto fail;
+
+ tevent_req_set_callback(subreq, auth_resolve_done, req);
+
+ return req;
+
+fail:
+ talloc_zfree(req);
+ return NULL;
+}
+
+static void auth_resolve_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct auth_state *state = tevent_req_data(req,
+ struct auth_state);
+ int ret;
+
+ ret = be_resolve_server_recv(subreq, &state->srv);
+ talloc_zfree(subreq);
+ if (ret) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
+ state->ctx->service->uri, true);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, auth_connect_done, req);
+}
+
+static void auth_connect_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct auth_state *state = tevent_req_data(req,
+ struct auth_state);
+ int ret;
+
+ ret = sdap_connect_recv(subreq, state, &state->sh);
+ talloc_zfree(subreq);
+ if (ret) {
+ if (state->srv) {
+ /* mark this server as bad if connection failed */
+ fo_set_port_status(state->srv, PORT_NOT_WORKING);
+ }
+
+ tevent_req_error(req, ret);
+ return;
+ } else if (state->srv) {
+ fo_set_port_status(state->srv, PORT_WORKING);
+ }
+
+ subreq = get_user_dn_send(state, state->ev,
+ state->ctx, state->sh,
+ state->username);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, auth_get_user_dn_done, req);
+}
+
+static void auth_get_user_dn_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct auth_state *state = tevent_req_data(req,
+ struct auth_state);
+ int ret;
+
+ ret = get_user_dn_recv(subreq, state, &state->dn, &state->pw_expire_type,
+ &state->pw_expire_data);
+ talloc_zfree(subreq);
+ if (ret) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = sdap_auth_send(state, state->ev, state->sh,
+ NULL, NULL, state->dn,
+ "password", state->password);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, auth_bind_user_done, req);
+}
+
+static void auth_bind_user_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct auth_state *state = tevent_req_data(req,
+ struct auth_state);
+ int ret;
+
+ ret = sdap_auth_recv(subreq, &state->result);
+ talloc_zfree(subreq);
+ if (ret) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+int auth_recv(struct tevent_req *req,
+ TALLOC_CTX *memctx,
+ struct sdap_handle **sh,
+ enum sdap_result *result, char **dn,
+ enum pwexpire *pw_expire_type, void **pw_expire_data)
+{
+ struct auth_state *state = tevent_req_data(req, struct auth_state);
+ enum tevent_req_state tstate;
+ uint64_t err;
+
+ if (tevent_req_is_error(req, &tstate, &err)) {
+ switch (tstate) {
+ case TEVENT_REQ_USER_ERROR:
+ if (err == ETIMEDOUT) *result = SDAP_UNAVAIL;
+ else *result = SDAP_ERROR;
+ return err;
+ default:
+ *result = SDAP_ERROR;
+ return EIO;
+ }
+ }
+
+ if (sh != NULL) {
+ *sh = talloc_steal(memctx, state->sh);
+ if (*sh == NULL) return ENOMEM;
+ }
+
+ if (dn != NULL) {
+ *dn = talloc_steal(memctx, state->dn);
+ if (*dn == NULL) return ENOMEM;
+ }
+
+ if (pw_expire_data != NULL) {
+ *pw_expire_data = talloc_steal(memctx, state->pw_expire_data);
+ }
+
+ *pw_expire_type = state->pw_expire_type;
+
+ *result = state->result;
+ return EOK;
+}
+
+/* ==Perform-Password-Change===================== */
+
+struct sdap_pam_chpass_state {
+ struct be_req *breq;
+ struct pam_data *pd;
+ const char *username;
+ char *dn;
+ char *password;
+ char *new_password;
+ struct sdap_handle *sh;
+};
+
+static void sdap_auth4chpass_done(struct tevent_req *req);
+static void sdap_pam_chpass_done(struct tevent_req *req);
+static void sdap_pam_auth_reply(struct be_req *breq, int dp_err, int result);
+
+void sdap_pam_chpass_handler(struct be_req *breq)
+{
+ struct sdap_pam_chpass_state *state;
+ struct sdap_auth_ctx *ctx;
+ struct tevent_req *subreq;
+ struct pam_data *pd;
+ struct dp_opt_blob authtok;
+ int dp_err = DP_ERR_FATAL;
+
+ ctx = talloc_get_type(breq->be_ctx->bet_info[BET_CHPASS].pvt_bet_data,
+ struct sdap_auth_ctx);
+ pd = talloc_get_type(breq->req_data, struct pam_data);
+
+ if (be_is_offline(ctx->be)) {
+ DEBUG(4, ("Backend is marked offline, retry later!\n"));
+ pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+ dp_err = DP_ERR_OFFLINE;
+ goto done;
+ }
+
+ DEBUG(2, ("starting password change request for user [%s].\n", pd->user));
+
+ pd->pam_status = PAM_SYSTEM_ERR;
+
+ if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {
+ DEBUG(2, ("chpass target was called by wrong pam command.\n"));
+ goto done;
+ }
+
+ state = talloc_zero(breq, struct sdap_pam_chpass_state);
+ if (!state) goto done;
+
+ state->breq = breq;
+ state->pd = pd;
+ state->username = pd->user;
+ state->password = talloc_strndup(state,
+ (char *)pd->authtok, pd->authtok_size);
+ if (!state->password) goto done;
+ talloc_set_destructor((TALLOC_CTX *)state->password,
+ password_destructor);
+
+ if (pd->cmd == SSS_PAM_CHAUTHTOK) {
+ state->new_password = talloc_strndup(state,
+ (char *)pd->newauthtok,
+ pd->newauthtok_size);
+ if (!state->new_password) goto done;
+ talloc_set_destructor((TALLOC_CTX *)state->new_password,
+ password_destructor);
+ }
+
+ authtok.data = (uint8_t *)state->password;
+ authtok.length = strlen(state->password);
+ subreq = auth_send(breq, breq->be_ctx->ev,
+ ctx, state->username, authtok);
+ if (!subreq) goto done;
+
+ tevent_req_set_callback(subreq, sdap_auth4chpass_done, state);
+ return;
+
+done:
+ sdap_pam_auth_reply(breq, dp_err, pd->pam_status);
+}
+
+static void sdap_auth4chpass_done(struct tevent_req *req)
+{
+ struct sdap_pam_chpass_state *state =
+ tevent_req_callback_data(req, struct sdap_pam_chpass_state);
+ struct tevent_req *subreq;
+ enum sdap_result result;
+ enum pwexpire pw_expire_type;
+ void *pw_expire_data;
+ int dp_err = DP_ERR_FATAL;
+ int ret;
+
+ ret = auth_recv(req, state, &state->sh,
+ &result, &state->dn,
+ &pw_expire_type, &pw_expire_data);
+ talloc_zfree(req);
+ if (ret) {
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+
+ if (result == SDAP_AUTH_SUCCESS &&
+ state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
+ DEBUG(9, ("Initial authentication for change password operation "
+ "successful.\n"));
+ state->pd->pam_status = PAM_SUCCESS;
+ goto done;
+ }
+
+ if (result == SDAP_AUTH_SUCCESS) {
+ switch (pw_expire_type) {
+ case PWEXPIRE_SHADOW:
+ ret = check_pwexpire_shadow(pw_expire_data, time(NULL),
+ &result);
+ if (ret != EOK) {
+ DEBUG(1, ("check_pwexpire_shadow failed.\n"));
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ break;
+ case PWEXPIRE_KERBEROS:
+ ret = check_pwexpire_kerberos(pw_expire_data, time(NULL),
+ &result);
+ if (ret != EOK) {
+ DEBUG(1, ("check_pwexpire_kerberos failed.\n"));
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+
+ if (result == SDAP_AUTH_PW_EXPIRED) {
+ DEBUG(1, ("LDAP provider cannot change kerberos "
+ "passwords.\n"));
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ break;
+ case PWEXPIRE_LDAP_PASSWORD_POLICY:
+ case PWEXPIRE_NONE:
+ break;
+ default:
+ DEBUG(1, ("Unknow pasword expiration type.\n"));
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ }
+
+ switch (result) {
+ case SDAP_AUTH_SUCCESS:
+ case SDAP_AUTH_PW_EXPIRED:
+ DEBUG(7, ("user [%s] successfully authenticated.\n", state->dn));
+ if (pw_expire_type == PWEXPIRE_SHADOW) {
+/* TODO: implement async ldap modify request */
+ DEBUG(1, ("Changing shadow password attributes not implemented.\n"));
+ state->pd->pam_status = PAM_MODULE_UNKNOWN;
+ goto done;
+ } else {
+ subreq = sdap_exop_modify_passwd_send(state,
+ state->breq->be_ctx->ev,
+ state->sh,
+ state->dn,
+ state->password,
+ state->new_password);
+
+ if (!subreq) {
+ DEBUG(2, ("Failed to change password for %s\n", state->username));
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, sdap_pam_chpass_done, state);
+ return;
+ }
+ break;
+ case SDAP_AUTH_FAILED:
+ state->pd->pam_status = PAM_AUTH_ERR;
+ break;
+ default:
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ }
+
+done:
+ sdap_pam_auth_reply(state->breq, dp_err, state->pd->pam_status);
+}
+
+static void sdap_pam_chpass_done(struct tevent_req *req)
+{
+ struct sdap_pam_chpass_state *state =
+ tevent_req_callback_data(req, struct sdap_pam_chpass_state);
+ enum sdap_result result;
+ int dp_err = DP_ERR_FATAL;
+ int ret;
+ char *user_error_message = NULL;
+ size_t msg_len;
+ uint8_t *msg;
+
+ ret = sdap_exop_modify_passwd_recv(req, state, &result, &user_error_message);
+ talloc_zfree(req);
+ if (ret) {
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+
+ switch (result) {
+ case SDAP_SUCCESS:
+ state->pd->pam_status = PAM_SUCCESS;
+ dp_err = DP_ERR_OK;
+ break;
+ default:
+ state->pd->pam_status = PAM_AUTHTOK_ERR;
+ if (user_error_message != NULL) {
+ ret = pack_user_info_chpass_error(state->pd, user_error_message,
+ &msg_len, &msg);
+ if (ret != EOK) {
+ DEBUG(1, ("pack_user_info_chpass_error failed.\n"));
+ } else {
+ ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len,
+ msg);
+ if (ret != EOK) {
+ DEBUG(1, ("pam_add_response failed.\n"));
+ }
+ }
+ }
+ }
+
+done:
+ sdap_pam_auth_reply(state->breq, dp_err, state->pd->pam_status);
+}
+/* ==Perform-User-Authentication-and-Password-Caching===================== */
+
+struct sdap_pam_auth_state {
+ struct be_req *breq;
+ struct pam_data *pd;
+ const char *username;
+ struct dp_opt_blob password;
+};
+
+static void sdap_pam_auth_done(struct tevent_req *req);
+static void sdap_password_cache_done(struct tevent_req *req);
+
+void sdap_pam_auth_handler(struct be_req *breq)
+{
+ struct sdap_pam_auth_state *state;
+ struct sdap_auth_ctx *ctx;
+ struct tevent_req *subreq;
+ struct pam_data *pd;
+ int dp_err = DP_ERR_FATAL;
+
+ ctx = talloc_get_type(breq->be_ctx->bet_info[BET_AUTH].pvt_bet_data,
+ struct sdap_auth_ctx);
+ pd = talloc_get_type(breq->req_data, struct pam_data);
+
+ if (be_is_offline(ctx->be)) {
+ DEBUG(4, ("Backend is marked offline, retry later!\n"));
+ pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+ dp_err = DP_ERR_OFFLINE;
+ goto done;
+ }
+
+ pd->pam_status = PAM_SYSTEM_ERR;
+
+ switch (pd->cmd) {
+ case SSS_PAM_AUTHENTICATE:
+ case SSS_PAM_CHAUTHTOK_PRELIM:
+
+ state = talloc_zero(breq, struct sdap_pam_auth_state);
+ if (!state) goto done;
+
+ state->breq = breq;
+ state->pd = pd;
+ state->username = pd->user;
+ state->password.data = pd->authtok;
+ state->password.length = pd->authtok_size;
+
+ subreq = auth_send(breq, breq->be_ctx->ev, ctx,
+ state->username, state->password);
+ if (!subreq) goto done;
+
+ tevent_req_set_callback(subreq, sdap_pam_auth_done, state);
+ return;
+
+ case SSS_PAM_CHAUTHTOK:
+ break;
+
+ case SSS_PAM_ACCT_MGMT:
+ case SSS_PAM_SETCRED:
+ case SSS_PAM_OPEN_SESSION:
+ case SSS_PAM_CLOSE_SESSION:
+ pd->pam_status = PAM_SUCCESS;
+ dp_err = DP_ERR_OK;
+ break;
+ default:
+ pd->pam_status = PAM_MODULE_UNKNOWN;
+ dp_err = DP_ERR_OK;
+ }
+
+done:
+ sdap_pam_auth_reply(breq, dp_err, pd->pam_status);
+}
+
+static void sdap_pam_auth_done(struct tevent_req *req)
+{
+ struct sdap_pam_auth_state *state =
+ tevent_req_callback_data(req, struct sdap_pam_auth_state);
+ struct tevent_req *subreq;
+ enum sdap_result result;
+ enum pwexpire pw_expire_type;
+ void *pw_expire_data;
+ int dp_err = DP_ERR_OK;
+ int ret;
+
+ ret = auth_recv(req, state, NULL,
+ &result, NULL,
+ &pw_expire_type, &pw_expire_data);
+ talloc_zfree(req);
+ if (ret) {
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ dp_err = DP_ERR_FATAL;
+ goto done;
+ }
+
+ if (result == SDAP_AUTH_SUCCESS) {
+ switch (pw_expire_type) {
+ case PWEXPIRE_SHADOW:
+ ret = check_pwexpire_shadow(pw_expire_data, time(NULL),
+ &result);
+ if (ret != EOK) {
+ DEBUG(1, ("check_pwexpire_shadow failed.\n"));
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ break;
+ case PWEXPIRE_KERBEROS:
+ ret = check_pwexpire_kerberos(pw_expire_data, time(NULL),
+ &result);
+ if (ret != EOK) {
+ DEBUG(1, ("check_pwexpire_kerberos failed.\n"));
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ break;
+ case PWEXPIRE_LDAP_PASSWORD_POLICY:
+ case PWEXPIRE_NONE:
+ break;
+ default:
+ DEBUG(1, ("Unknow pasword expiration type.\n"));
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ }
+
+ switch (result) {
+ case SDAP_AUTH_SUCCESS:
+ state->pd->pam_status = PAM_SUCCESS;
+ break;
+ case SDAP_AUTH_FAILED:
+ state->pd->pam_status = PAM_PERM_DENIED;
+ break;
+ case SDAP_UNAVAIL:
+ state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+ break;
+ case SDAP_ACCT_EXPIRED:
+ state->pd->pam_status = PAM_ACCT_EXPIRED;
+ break;
+ case SDAP_AUTH_PW_EXPIRED:
+ state->pd->pam_status = PAM_AUTHTOK_EXPIRED;
+ break;
+ default:
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ dp_err = DP_ERR_FATAL;
+ }
+
+ if (result == SDAP_UNAVAIL) {
+ be_mark_offline(state->breq->be_ctx);
+ dp_err = DP_ERR_OFFLINE;
+ goto done;
+ }
+
+ if (result == SDAP_AUTH_SUCCESS &&
+ state->breq->be_ctx->domain->cache_credentials) {
+
+ char *password = talloc_strndup(state, (char *)
+ state->password.data,
+ state->password.length);
+ /* password caching failures are not fatal errors */
+ if (!password) {
+ DEBUG(2, ("Failed to cache password for %s\n", state->username));
+ goto done;
+ }
+ talloc_set_destructor((TALLOC_CTX *)password, password_destructor);
+
+ subreq = sysdb_cache_password_send(state,
+ state->breq->be_ctx->ev,
+ state->breq->be_ctx->sysdb,
+ NULL,
+ state->breq->be_ctx->domain,
+ state->username, password);
+
+ /* password caching failures are not fatal errors */
+ if (!subreq) {
+ DEBUG(2, ("Failed to cache password for %s\n", state->username));
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, sdap_password_cache_done, state);
+ return;
+ }
+
+done:
+ sdap_pam_auth_reply(state->breq, dp_err, state->pd->pam_status);
+}
+
+static void sdap_password_cache_done(struct tevent_req *subreq)
+{
+ struct sdap_pam_auth_state *state = tevent_req_callback_data(subreq,
+ struct sdap_pam_auth_state);
+ int ret;
+
+ ret = sysdb_cache_password_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret) {
+ /* password caching failures are not fatal errors */
+ DEBUG(2, ("Failed to cache password for %s\n", state->username));
+ } else {
+ DEBUG(4, ("Password successfully cached for %s\n", state->username));
+ }
+
+ sdap_pam_auth_reply(state->breq, DP_ERR_OK, state->pd->pam_status);
+}
+
+static void sdap_pam_auth_reply(struct be_req *req, int dp_err, int result)
+{
+ req->fn(req, dp_err, result, NULL);
+}
+
generated by cgit (git 2.34.1) at 2024-04-18 04:45:13 +0000