authorJakub Hrozek <jhrozek@redhat.com>2010-08-29 22:15:06 +0200
committerStephen Gallagher <sgallagh@redhat.com>2010-09-08 09:36:22 -0400
commit88aeed9a31b734a92630d5e881c960c5f77ba0ce (patch)
tree516e1e785f1365873d8a036d8510e0492a8b6f87 /src/providers
parent530ba03ecabb472f17d5d1ab546aec9390492de1 (diff)
Deobfuscate password in back ends
When an obfuscated password is used in the config file, the LDAP back end converts it back to clear text and uses it to authenticate to the server.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ldap/sdap_async_connection.c59
1 files changed, 52 insertions, 7 deletions
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index d2ca356f3..682d74c81 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -25,6 +25,7 @@
#include "util/sss_krb5.h"
#include "providers/ldap/sdap_async_private.h"
#include "providers/ldap/ldap_req_wrap.h"
+#include "util/crypto/sss_crypto.h"
#define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
@@ -786,6 +787,10 @@ struct sdap_auth_state {
};
static void sdap_auth_done(struct tevent_req *subreq);
+static int sdap_auth_get_authtok(TALLOC_CTX *memctx,
+ const char *authtok_type,
+ struct dp_opt_blob authtok,
+ struct berval *pw);
/* TODO: handle sasl_cred */
struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
@@ -799,18 +804,25 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
{
struct tevent_req *req, *subreq;
struct sdap_auth_state *state;
-
- if (authtok_type != NULL && strcasecmp(authtok_type,"password") != 0) {
- DEBUG(1,("Authentication token type [%s] is not supported"));
- return NULL;
- }
+ int ret;
req = tevent_req_create(memctx, &state, struct sdap_auth_state);
if (!req) return NULL;
state->user_dn = user_dn;
- state->pw.bv_val = (char *)authtok.data;
- state->pw.bv_len = authtok.length;
+
+ ret = sdap_auth_get_authtok(state, authtok_type, authtok, &state->pw);
+ if (ret != EOK) {
+ if (ret == ENOSYS) {
+ DEBUG(1, ("Getting authtok is not supported with the "
+ "crypto library compiled with, authentication "
+ "might fail!\n"));
+ } else {
+ DEBUG(1, ("Cannot parse authtok.\n"));
+ tevent_req_error(req, ret);
+ return tevent_req_post(req, ev);
+ }
+ }
if (sasl_mech) {
state->is_sasl = true;
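Review bot: The `if (ret == ENOSYS)` arm after the sdap_auth_get_authtok call in sdap_auth_send only logs and then carries on to the bind, so state->pw is left as whatever tevent_req_create initialised it to (presumably zeroed, i.e. an empty credential) and the request proceeds with that. LDAP servers commonly treat a simple bind with an empty credential as an unauthenticated (anonymous) bind, so a crypto build without obfuscation support would silently downgrade the connection's identity instead of failing. Unless an anonymous fallback is intended here, treat ENOSYS like the other errors with `tevent_req_error(req, ret); return tevent_req_post(req, ev);` in that arm as well; if the fallback is intended, state that in the log message, which currently reads awkwardly ("crypto library compiled with"). sdap_auth_send's body continues outside the hunk.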
@@ -832,6 +844,39 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
return req;
}
+static int sdap_auth_get_authtok(TALLOC_CTX *mem_ctx,
+ const char *authtok_type,
+ struct dp_opt_blob authtok,
+ struct berval *pw)
+{
+ char *cleartext;
+ int ret;
+
+ if (!authtok_type) return EOK;
+ if (!pw) return EINVAL;
+
+ if (strcasecmp(authtok_type,"password") == 0) {
+ pw->bv_len = authtok.length;
+ pw->bv_val = (char *) authtok.data;
+ } else if (strcasecmp(authtok_type,"obfuscated_password") == 0) {
+ ret = sss_password_decrypt(mem_ctx, (char *) authtok.data, &cleartext);
+ if (ret != EOK) {
+ DEBUG(1, ("Cannot convert the obfuscated "
+ "password back to cleartext\n"));
+ return ret;
+ }
+
+ pw->bv_len = strlen(cleartext);
+ pw->bv_val = (char *) cleartext;
+ } else {
+ DEBUG(1, ("Authentication token type [%s] is not supported\n",
+ authtok_type));
+ return EINVAL;
+ }
+
+ return EOK;
+}
+
static void sdap_auth_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(subreq,
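Review bot: The early `if (!authtok_type) return EOK;` at the top of sdap_auth_get_authtok changes behaviour for a NULL token type: the code removed from sdap_auth_send used authtok as a plain password in that case (the old check only rejected a non-NULL type other than "password"), whereas now pw is left untouched and the caller goes on to bind without the credential. If NULL is meant to mean "password", fold it into the first branch, `if (!authtok_type || strcasecmp(authtok_type, "password") == 0) {`. Separately, the cleartext buffer returned by sss_password_decrypt is allocated on mem_ctx (the request state) and is released with it but never wiped, so the decrypted password lingers in freed heap memory after the bind; a talloc destructor that zeroes the buffer before release would close that. The `(char *) authtok.data` handed to sss_password_decrypt also assumes the blob is NUL-terminated, which the length field of dp_opt_blob suggests is not guaranteed, so that is worth confirming against the config loader.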