author | Jakub Hrozek <jhrozek@redhat.com> | 2010-08-29 22:15:06 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-09-08 09:36:22 -0400 |
commit | 88aeed9a31b734a92630d5e881c960c5f77ba0ce (patch) | |
tree | 516e1e785f1365873d8a036d8510e0492a8b6f87 /src | |
parent | 530ba03ecabb472f17d5d1ab546aec9390492de1 (diff) | |
Deobfuscate password in back ends
When an obfuscated password is used in the config file, the LDAP backend
converts it back to clear text and uses it to authenticate to the
server.
Diffstat (limited to 'src')
-rw-r--r-- | src/man/sssd-ldap.5.xml | 11 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_connection.c | 59 |
2 files changed, 62 insertions, 8 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 346faf8de..b32096dd9 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -120,7 +120,16 @@
 <listitem>
 <para>
 The type of the authentication token of the
- default bind DN. The only currently supported value is "password".
+ default bind DN.
+ </para>
+ <para>
+ The two mechanisms currently supported are:
+ </para>
+ <para>
+ password
+ </para>
+ <para>
+ obfuscated_password
 </para>
 </listitem>
 </varlistentry>
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index d2ca356f3..682d74c81 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -25,6 +25,7 @@
 #include "util/sss_krb5.h"
 #include "providers/ldap/sdap_async_private.h"
 #include "providers/ldap/ldap_req_wrap.h"
+#include "util/crypto/sss_crypto.h"
 
 #define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
 
@@ -786,6 +787,10 @@ struct sdap_auth_state {
 };
 
 static void sdap_auth_done(struct tevent_req *subreq);
+static int sdap_auth_get_authtok(TALLOC_CTX *memctx,
+ const char *authtok_type,
+ struct dp_opt_blob authtok,
+ struct berval *pw);
 
 /* TODO: handle sasl_cred */
 struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
@@ -799,18 +804,25 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
 {
 struct tevent_req *req, *subreq;
 struct sdap_auth_state *state;
-
- if (authtok_type != NULL && strcasecmp(authtok_type,"password") != 0) {
- DEBUG(1,("Authentication token type [%s] is not supported"));
- return NULL;
- }
+ int ret;
 
 req = tevent_req_create(memctx, &state, struct sdap_auth_state);
 if (!req) return NULL;
 
 state->user_dn = user_dn;
- state->pw.bv_val = (char *)authtok.data;
- state->pw.bv_len = authtok.length;
+
+ ret = sdap_auth_get_authtok(state, authtok_type, authtok, &state->pw);
+ if (ret != EOK) {
+ if (ret == ENOSYS) {
+ DEBUG(1, ("Getting authtok is not supported with the "
+ "crypto library compiled with, authentication "
+ "might fail!\n"));
+ } else {
+ DEBUG(1, ("Cannot parse authtok.\n"));
+ tevent_req_error(req, ret);
+ return tevent_req_post(req, ev);
+ }
+ }
 
 if (sasl_mech) {
 state->is_sasl = true;
@@ -832,6 +844,39 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
 return req;
 }
 
+static int sdap_auth_get_authtok(TALLOC_CTX *mem_ctx,
+ const char *authtok_type,
+ struct dp_opt_blob authtok,
+ struct berval *pw)
+{
+ char *cleartext;
+ int ret;
+
+ if (!authtok_type) return EOK;
+ if (!pw) return EINVAL;
+
+ if (strcasecmp(authtok_type,"password") == 0) {
+ pw->bv_len = authtok.length;
+ pw->bv_val = (char *) authtok.data;
+ } else if (strcasecmp(authtok_type,"obfuscated_password") == 0) {
+ ret = sss_password_decrypt(mem_ctx, (char *) authtok.data, &cleartext);
+ if (ret != EOK) {
+ DEBUG(1, ("Cannot convert the obfuscated "
+ "password back to cleartext\n"));
+ return ret;
+ }
+
+ pw->bv_len = strlen(cleartext);
+ pw->bv_val = (char *) cleartext;
+ } else {
+ DEBUG(1, ("Authentication token type [%s] is not supported\n",
+ authtok_type));
+ return EINVAL;
+ }
+
+ return EOK;
+}
+
 static void sdap_auth_done(struct tevent_req *subreq)
 {
 struct tevent_req *req = tevent_req_callback_data(subreq, |
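Review bot: The ENOSYS branch in the new `if (ret != EOK)` block only logs and carries on, so the request proceeds with state->pw holding whatever tevent_req_create initialised it to — presumably an empty berval — and an empty password with a non-empty bind DN is an unauthenticated bind, not a failure, on servers that permit it, which silently downgrades the connection's identity. If sss_password_decrypt really reports ENOSYS when the crypto backend lacks this support (as the message suggests), that case should fail like the others: drop the special case so it reaches `tevent_req_error(req, ret); return tevent_req_post(req, ev);`. If a warning-only path is intentional, state that in a comment at the branch, e.g. `/* crypto backend cannot decrypt: deliberately continue and let the bind fail server-side */`. sdap_auth_send's parameter list starts before this hunk and its body continues after it.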
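Review bot: The early `if (!authtok_type) return EOK;` in sdap_auth_get_authtok leaves *pw untouched, whereas the lines removed from sdap_auth_send copied authtok into state->pw unconditionally; unless the authtok type option always carries a default (not visible here), a configured bind password with no type now produces an empty credential instead of the password. The obfuscated_password branch also ignores authtok.length and hands authtok.data to sss_password_decrypt as a C string, so it quietly depends on the blob being NUL-terminated, an assumption the password branch does not make. Suggest treating a NULL type as "password" to preserve the old behaviour (or returning EINVAL) and documenting the requirement on the helper, e.g. `/* For obfuscated_password, authtok.data must be a NUL-terminated string; authtok.length is not consulted. */`. Separately, the decrypted cleartext is talloc'd on mem_ctx (the request state) and never scrubbed, so a talloc destructor on the state that wipes pw.bv_val before release would bound how long the cleartext password stays in memory.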