author | Sumit Bose <sbose@redhat.com> | 2011-01-06 13:05:03 +0100 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-01-06 15:15:54 -0500 |
commit | 52b703a4c7cc43ae908300795569e27b64186ec8 (patch) | |
tree | 2320a1fb0841b0923f7efb388b9bc5b2e325add8 /src/providers/ldap/ldap_common.c | |
parent | c5f66b8c471e472b3c6eecf87c93373ecf8d0890 (diff) | |
Convert obfuscated password once at startup
Diffstat (limited to 'src/providers/ldap/ldap_common.c')
-rw-r--r-- | src/providers/ldap/ldap_common.c | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index f0db53f22..c98dd4ff3 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -28,6 +28,7 @@ #include "providers/krb5/krb5_common.h" #include "util/sss_krb5.h" +#include "util/crypto/sss_crypto.h" /* a fd the child process would log into */ int ldap_child_debug_fd = -1; @@ -203,6 +204,9 @@ int ldap_get_options(TALLOC_CTX *memctx, const char *ldap_deref; int ldap_deref_val; int o; + const char *authtok_type; + struct dp_opt_blob authtok_blob; + char *cleartext; const int search_base_options[] = { SDAP_USER_SEARCH_BASE, SDAP_GROUP_SEARCH_BASE, SDAP_NETGROUP_SEARCH_BASE, @@ -391,6 +395,43 @@ int ldap_get_options(TALLOC_CTX *memctx, goto done; } + authtok_type = dp_opt_get_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE); + if (authtok_type != NULL && + strcasecmp(authtok_type,"obfuscated_password") == 0) { + DEBUG(9, ("Found obfuscated password, " + "trying to convert to cleartext.\n")); + + authtok_blob = dp_opt_get_blob(opts->basic, SDAP_DEFAULT_AUTHTOK); + if (authtok_blob.data == NULL || authtok_blob.length == 0) { + DEBUG(1, ("Missing obfuscated password string.\n")); + return EINVAL; + } + + ret = sss_password_decrypt(memctx, (char *) authtok_blob.data, + &cleartext); + if (ret != EOK) { + DEBUG(1, ("Cannot convert the obfuscated " + "password back to cleartext\n")); + return ret; + } + + authtok_blob.data = (uint8_t *) cleartext; + authtok_blob.length = strlen(cleartext); + ret = dp_opt_set_blob(opts->basic, SDAP_DEFAULT_AUTHTOK, authtok_blob); + talloc_free(cleartext); + if (ret != EOK) { + DEBUG(1, ("dp_opt_set_string failed.\n")); + return ret; + } + + ret = dp_opt_set_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE, + "password"); + if (ret != EOK) { + DEBUG(1, ("dp_opt_set_string failed.\n")); + return ret; + } + } + ret = EOK; *_opts = opts; |
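Review bot: The decrypted secret is released with `talloc_free(cleartext);` immediately after `dp_opt_set_blob` has taken its copy, so the plaintext password stays behind in freed heap memory; wipe it first with a call the compiler cannot elide, e.g. `explicit_bzero(cleartext, authtok_blob.length);` (or a volatile-write loop where that is unavailable), before the free. The four new error exits `return EINVAL;` / `return ret;` leave `ldap_get_options` directly while the surrounding code uses `goto done;` (visible just above the added lines), so any cleanup at `done:` is skipped on these paths; `ret = EINVAL; goto done;` keeps them consistent with the rest of the function. The failure message logged after `dp_opt_set_blob` reads `"dp_opt_set_string failed.\n"` and should name `dp_opt_set_blob` so the log points at the right call. ldap_get_options begins before this hunk and its `done:` label lies outside it.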