authorRich Megginson <rmeggins@redhat.com>2005-02-07 19:02:49 +0000
committerRich Megginson <rmeggins@redhat.com>2005-02-07 19:02:49 +0000
commit5335c65cbaf4a899dae6bc497ae7e85e0831f540 (patch)
tree769e16668d2abfead0be06eae78e2a8ebf93d09b
parent9eb2b56ec631aa3fffc9a80afcbe40f6cc645d8a (diff)
PAM pass through auth plugin support
-rw-r--r--ldap/admin/src/create_instance.c24
-rw-r--r--ldap/schema/60pam-plugin.ldif19
-rw-r--r--ldap/servers/plugins/Makefile5
-rw-r--r--ldap/servers/slapd/bind.c16
-rw-r--r--ldap/servers/slapd/connection.c2
-rw-r--r--ldap/servers/slapd/modify.c4
-rw-r--r--ldap/servers/slapd/proto-slap.h6
-rw-r--r--ldap/servers/slapd/pw.c18
-rw-r--r--ldap/servers/slapd/pw.h12
-rw-r--r--ldap/servers/slapd/pw_mgmt.c28
-rw-r--r--ldap/servers/slapd/saslbind.c6
-rw-r--r--ldap/servers/slapd/slapi-plugin.h13
12 files changed, 97 insertions, 56 deletions
diff --git a/ldap/admin/src/create_instance.c b/ldap/admin/src/create_instance.c
index 26b276b6..6d3d3111 100644
--- a/ldap/admin/src/create_instance.c
+++ b/ldap/admin/src/create_instance.c
@@ -3727,6 +3727,30 @@ char *ds_gen_confs(char *sroot, server_config_s *cf,
}
}
+ /* PAM Pass Through Auth plugin - off by default */
+ fprintf(f, "dn: cn=PAM Pass Through Auth,cn=plugins,cn=config\n");
+ fprintf(f, "objectclass: top\n");
+ fprintf(f, "objectclass: nsSlapdPlugin\n");
+ fprintf(f, "objectclass: extensibleObject\n");
+ fprintf(f, "objectclass: pamConfig\n");
+ fprintf(f, "cn: PAM Pass Through Auth\n");
+ fprintf(f, "nsslapd-pluginpath: %s/lib/pam-passthru-plugin%s\n", sroot, shared_lib);
+ fprintf(f, "nsslapd-plugininitfunc: pam_passthruauth_init\n");
+ fprintf(f, "nsslapd-plugintype: preoperation\n");
+ fprintf(f, "nsslapd-pluginenabled: off\n");
+ fprintf(f, "nsslapd-pluginLoadGlobal: true\n");
+ fprintf(f, "nsslapd-plugin-depends-on-type: database\n");
+ fprintf(f, "pamMissingSuffix: ALLOW\n");
+ if (cf->netscaperoot) {
+ fprintf(f, "pamExcludeSuffix: %s\n", cf->netscaperoot);
+ }
+ fprintf(f, "pamExcludeSuffix: cn=config\n");
+ fprintf(f, "pamMapMethod: RDN\n");
+ fprintf(f, "pamFallback: FALSE\n");
+ fprintf(f, "pamSecure: TRUE\n");
+ fprintf(f, "pamService: ldapserver\n");
+ fprintf(f, "\n");
+
fprintf(f, "dn: cn=ldbm database,cn=plugins,cn=config\n");
fprintf(f, "objectclass: top\n");
fprintf(f, "objectclass: nsSlapdPlugin\n");
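Review bot: The `pamExcludeSuffix: %s` line writes `cf->netscaperoot` into the generated LDIF verbatim, but LDIF requires a value that starts with a space, `:` or `<`, ends with a space, or contains a newline or non-ASCII byte to be base64-encoded on a `::` line; a value of that shape would produce an entry the server cannot parse, or a different suffix than intended. The same applies to `sroot` in the `nsslapd-pluginpath` line. It is likely that other config lines in ds_gen_confs interpolate these values the same way, in which case a shared encoding helper or an up-front check on the value is the cleaner fix rather than a one-off here. A comment on the new block saying which values are assumed to be plain ASCII would at least make the assumption visible: `/* assumes sroot and cf->netscaperoot need no LDIF base64 encoding */`. ds_gen_confs begins and ends outside this hunk.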
diff --git a/ldap/schema/60pam-plugin.ldif b/ldap/schema/60pam-plugin.ldif
new file mode 100644
index 00000000..89f18e19
--- /dev/null
+++ b/ldap/schema/60pam-plugin.ldif
@@ -0,0 +1,19 @@
+#
+# BEGIN COPYRIGHT BLOCK
+# Copyright 2005 Red Hat Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+#
+# Schema for representing PAM plugin configuration
+#
+dn: cn=schema
+attributeTypes: ( 2.16.840.1.113730.3.1.2067 NAME 'pamIncludeSuffix' DESC 'Suffixes to include for PAM authentication' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2068 NAME 'pamExcludeSuffix' DESC 'Suffixes to exclude from PAM authentication' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2069 NAME 'pamMissingSuffix' DESC 'How to handle missing include or exclude suffixes' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2070 NAME 'pamMapMethod' DESC 'How to map BIND DN to PAM identity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2071 NAME 'pamIDAttr' DESC 'Name of attribute holding PAM ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2072 NAME 'pamFallback' DESC 'Fallback to regular LDAP BIND if PAM auth fails' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2073 NAME 'pamSecure' DESC 'Require secure (TLS/SSL) connection for PAM auth' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2074 NAME 'pamService' DESC 'Service name to pass to pam_start' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
+objectClasses: ( 2.16.840.1.113730.3.2.318 NAME 'pamConfig' DESC 'PAM plugin configuration' SUP top AUXILIARY MAY ( pamMissingSuffix $ pamExcludeSuffix $ pamIncludeSuffix $ pamIDAttr $ pamMapMethod $ pamFallback $ pamSecure $ pamService ) X-ORIGIN 'Red Hat Directory Server' )
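Review bot: The DESC strings for `pamMissingSuffix` and `pamMapMethod` do not say which values the plugin accepts, even though both are typed as free-form Directory Strings (syntax 1.3.6.1.4.1.1466.115.121.1.15), so an administrator editing the config has no hint from the schema. The instance template in this same commit emits `ALLOW` and `RDN`; listing those and any other accepted keywords in the DESC, e.g. `DESC 'How to map BIND DN to PAM identity (e.g. RDN)'`, would make the schema self-documenting. The same consideration applies to `pamIDAttr`, whose DESC could say that the named attribute must be present on the bound entry if that is what the plugin expects.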
diff --git a/ldap/servers/plugins/Makefile b/ldap/servers/plugins/Makefile
index a743f9e4..2057ad27 100644
--- a/ldap/servers/plugins/Makefile
+++ b/ldap/servers/plugins/Makefile
@@ -19,7 +19,7 @@ NSPR20=true # probably should be defined somewhere else (not sure where)
include $(BUILD_ROOT)/nsconfig.mk
include $(LDAP_SRC)/nsldap.mk
-all: _referint _collation _syntaxes _passthru _utils _uiduniq _roles _acl _replication _cos _pwdstorage _rever _chainingdb _distrib _retrocl _statechange _http _views
+all: _referint _collation _syntaxes _passthru _utils _uiduniq _roles _acl _replication _cos _pwdstorage _rever _chainingdb _distrib _retrocl _statechange _http _views _pam_passthru
_utils:
cd shared; $(MAKE) $(MFLAGS) all
@@ -41,6 +41,9 @@ _syntaxes:
_passthru:
cd passthru; $(MAKE) $(MFLAGS) all
+_pam_passthru:
+ cd pam_passthru; $(MAKE) $(MFLAGS) all
+
_uiduniq:
cd uiduniq; $(MAKE) $(MFLAGS) all
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index ab9ca89d..7490f3d3 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -344,7 +344,7 @@ do_bind( Slapi_PBlock *pb )
pb->pb_conn->c_external_dn,
NULL, NULL, NULL , NULL);
if ( auth_response_requested ) {
- add_auth_response_control( pb, pb->pb_conn->c_external_dn );
+ slapi_add_auth_response_control( pb, pb->pb_conn->c_external_dn );
}
send_ldap_result( pb, LDAP_SUCCESS, NULL, NULL, 0, NULL );
goto free_and_return;
@@ -362,7 +362,7 @@ do_bind( Slapi_PBlock *pb )
/* call preop plugins */
if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) == 0){
if ( auth_response_requested ) {
- add_auth_response_control( pb, "" );
+ slapi_add_auth_response_control( pb, "" );
}
send_ldap_result( pb, LDAP_SUCCESS, NULL, NULL, 0, NULL );
@@ -411,7 +411,7 @@ do_bind( Slapi_PBlock *pb )
/* call preop plugin */
if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) == 0){
if ( auth_response_requested ) {
- add_auth_response_control( pb,
+ slapi_add_auth_response_control( pb,
( cred.bv_len == 0 ) ? "" :
slapi_sdn_get_ndn(&sdn));
}
@@ -498,12 +498,12 @@ do_bind( Slapi_PBlock *pb )
slapi_sdn_get_ndn(&sdn)),
NULL, NULL, NULL, bind_target_entry );
if ( auth_response_requested ) {
- add_auth_response_control( pb,
+ slapi_add_auth_response_control( pb,
slapi_sdn_get_ndn(&sdn));
}
} else { /* anonymous */
if ( auth_response_requested ) {
- add_auth_response_control( pb,
+ slapi_add_auth_response_control( pb,
"" );
}
}
@@ -517,12 +517,12 @@ do_bind( Slapi_PBlock *pb )
switch ( need_new_pw (pb, &t, bind_target_entry, pw_response_requested )) {
case 1:
- (void)add_pwd_control ( pb,
+ (void)slapi_add_pwd_control ( pb,
LDAP_CONTROL_PWEXPIRED, 0);
break;
case 2:
- (void)add_pwd_control ( pb,
+ (void)slapi_add_pwd_control ( pb,
LDAP_CONTROL_PWEXPIRING, t);
break;
case -1:
@@ -635,7 +635,7 @@ log_bind_access (
void
-add_auth_response_control( Slapi_PBlock *pb, const char *binddn )
+slapi_add_auth_response_control( Slapi_PBlock *pb, const char *binddn )
{
LDAPControl arctrl;
char dnbuf_fixedsize[ 512 ], *dnbuf, *dnbuf_dynamic = NULL;
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
index 4cf7869b..b7f08b01 100644
--- a/ldap/servers/slapd/connection.c
+++ b/ldap/servers/slapd/connection.c
@@ -404,7 +404,7 @@ connection_need_new_password(const Connection *conn, const Operation *op, Slapi_
op->o_tag != LDAP_REQ_BIND && op->o_tag != LDAP_REQ_UNBIND &&
op->o_tag != LDAP_REQ_ABANDON )
{
- add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
slapi_log_access( LDAP_DEBUG_STATS, "conn=%d op=%d %s\n",
pb->pb_conn->c_connid, pb->pb_op->o_opid,
"need new password" );
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 86237758..ba36b49c 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -259,7 +259,7 @@ do_modify( Slapi_PBlock *pb )
if (!pb->pb_conn->c_isreplication_session &&
pb->pb_conn->c_needpw && pw_change == 0 )
{
- (void)add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ (void)slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
op_shared_log_error_access (pb, "MOD", dn, "need new password");
send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, NULL, 0, NULL );
goto free_and_return;
@@ -871,7 +871,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
!pb->pb_conn->c_needpw && !pwpolicy->pw_change)
{
if ( pwresponse_req == 1 ) {
- pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDMODNOTALLOWED );
+ slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDMODNOTALLOWED );
}
send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"user is not allowed to change password", 0, NULL);
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 78c32f90..8b331152 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -661,7 +661,6 @@ int check_pw_syntax( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
char **old_pw, Slapi_Entry *e, int mod_op );
int check_account_lock( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req);
int check_pw_minage( Slapi_PBlock *pb, const Slapi_DN *sdn, struct berval **vals) ;
-int add_pwd_control( Slapi_PBlock *pb, char *arg, long time );
void add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e );
void mod_allowchange_aci(char *val);
void pw_mod_allowchange_aci(int pw_prohibit_change);
@@ -1141,11 +1140,6 @@ int connection_is_free (Connection *conn);
int connection_is_active_nolock (Connection *conn);
/*
- * bind.c
- */
-void add_auth_response_control( Slapi_PBlock *pb, const char *binddn );
-
-/*
* saslbind.c
*/
int ids_sasl_init(void);
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index c1323cfb..b767e0e9 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -660,7 +660,7 @@ check_pw_minage ( Slapi_PBlock *pb, const Slapi_DN *sdn, struct berval **vals)
parse_genTime ( cur_time_str )) > 0 )
{
if ( pwresponse_req == 1 ) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
LDAP_PWPOLICY_PWDTOOYOUNG );
}
pw_send_ldap_result ( pb,
@@ -699,7 +699,7 @@ check_pw_syntax ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
if ( pwpolicy->pw_minlength
> (int)slapi_value_get_length(vals[ i ]) ) { /* jcm: had to cast unsigned int to signed int */
if ( pwresponse_req == 1 ) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
LDAP_PWPOLICY_PWDTOOSHORT );
}
pw_send_ldap_result ( pb,
@@ -729,7 +729,7 @@ check_pw_syntax ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
Slapi_Value **va= attr_get_present_values(attr);
if ( pw_in_history( va, vals[0] ) == 0 ) {
if ( pwresponse_req == 1 ) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
LDAP_PWPOLICY_PWDINHISTORY );
}
pw_send_ldap_result ( pb,
@@ -954,11 +954,11 @@ int pw_in_history( Slapi_Value **history_vals, const Slapi_Value *pw_val)
}
int
-add_pwd_control ( Slapi_PBlock *pb, char *arg, long time) {
+slapi_add_pwd_control ( Slapi_PBlock *pb, char *arg, long time) {
LDAPControl new_ctrl;
char buf[12];
- LDAPDebug( LDAP_DEBUG_TRACE, "=> add_pwd_control\n", 0, 0, 0 );
+ LDAPDebug( LDAP_DEBUG_TRACE, "=> slapi_add_pwd_control\n", 0, 0, 0 );
sprintf( buf, "%ld", time );
new_ctrl.ldctl_oid = arg;
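Review bot: `sprintf( buf, "%ld", time )` writes into `char buf[12]`, which holds at most 11 characters, while a `long` on LP64 platforms can need up to 20 characters plus the terminator; the existing callers only pass 0 or a seconds-until-expiry value, but this commit exports the function as `slapi_add_pwd_control` in slapi-plugin.h, so any plugin can now pass an arbitrary `long` and overflow the stack buffer. Sizing the buffer for the type and bounding the write closes this: `char buf[24];` and `snprintf( buf, sizeof buf, "%ld", time );`. The parameter name `time` also shadows the libc `time()` function, which is worth renaming now that the prototype appears in a public header. The rest of the function body lies outside this hunk.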
@@ -1108,7 +1108,7 @@ check_trivial_words (Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char
if( strcasecmp( slapi_value_get_string(va[i]), slapi_value_get_string(vals[0])) == 0) /* JCM Innards */
{
if ( pwresponse_req == 1 ) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
LDAP_PWPOLICY_INVALIDPWDSYNTAX );
}
pw_send_ldap_result ( pb,
@@ -1378,7 +1378,7 @@ delete_passwdPolicy( passwdPolicy **pwpolicy)
* operationsError (1),
*/
int
-pwpolicy_make_response_control (Slapi_PBlock *pb, int seconds, int logins, int error)
+slapi_pwpolicy_make_response_control (Slapi_PBlock *pb, int seconds, int logins, int error)
{
BerElement *ber= NULL;
struct berval *bvp = NULL;
@@ -1401,7 +1401,7 @@ pwpolicy_make_response_control (Slapi_PBlock *pb, int seconds, int logins, int e
passwordInHistory (8) } }
*/
- LDAPDebug( LDAP_DEBUG_TRACE, "=> pwpolicy_make_response_control", 0, 0, 0 );
+ LDAPDebug( LDAP_DEBUG_TRACE, "=> slapi_pwpolicy_make_response_control", 0, 0, 0 );
if ( ( ber = ber_alloc()) == NULL )
{
return rc;
@@ -1442,7 +1442,7 @@ pwpolicy_make_response_control (Slapi_PBlock *pb, int seconds, int logins, int e
ber_bvfree(bvp);
}
- LDAPDebug( LDAP_DEBUG_TRACE, "<= pwpolicy_make_response_control", 0, 0, 0 );
+ LDAPDebug( LDAP_DEBUG_TRACE, "<= slapi_pwpolicy_make_response_control", 0, 0, 0 );
return (rc==-1?LDAP_OPERATIONS_ERROR:LDAP_SUCCESS);
}
diff --git a/ldap/servers/slapd/pw.h b/ldap/servers/slapd/pw.h
index b74bbd66..d9202bef 100644
--- a/ldap/servers/slapd/pw.h
+++ b/ldap/servers/slapd/pw.h
@@ -11,17 +11,6 @@
#define PWD_HASH_PREFIX_START '{'
#define PWD_HASH_PREFIX_END '}'
-/* Password Policy Response Control stuff */
-#define LDAP_PWPOLICY_PWDEXPIRED 0
-#define LDAP_PWPOLICY_ACCTLOCKED 1
-#define LDAP_PWPOLICY_CHGAFTERRESET 2
-#define LDAP_PWPOLICY_PWDMODNOTALLOWED 3
-#define LDAP_PWPOLICY_MUSTSUPPLYOLDPWD 4
-#define LDAP_PWPOLICY_INVALIDPWDSYNTAX 5
-#define LDAP_PWPOLICY_PWDTOOSHORT 6
-#define LDAP_PWPOLICY_PWDTOOYOUNG 7
-#define LDAP_PWPOLICY_PWDINHISTORY 8
-
/*
*
* structure for holding password scheme info.
@@ -53,7 +42,6 @@ int pw_encodevals( Slapi_Value **vals );
int checkPrefix(char *cipher, char *schemaName, char **encrypt);
struct passwordpolicyarray *new_passwdPolicy ( Slapi_PBlock *pb, char *dn );
void delete_passwdPolicy( struct passwordpolicyarray **pwpolicy);
-int pwpolicy_make_response_control (Slapi_PBlock *pb, int seconds, int logins, int error);
/* function for checking the values of fine grained password policy attributes */
int check_pw_minage_value( const char *attr_name, char *value, long minval, long maxval, char *errorbuf );
diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index b400efab..d9346f85 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -105,9 +105,9 @@ skip:
/* check for "changeafterreset" condition */
if (pb->pb_conn->c_needpw == 1) {
if (pwresponse_req) {
- pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_CHGAFTERRESET );
+ slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_CHGAFTERRESET );
}
- add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
}
pw_apply_mods(dn, &smods);
slapi_mods_done(&smods);
@@ -136,18 +136,18 @@ skip:
if (pwresponse_req) {
/* check for "changeafterreset" condition */
if (pb->pb_conn->c_needpw == 1) {
- pwpolicy_make_response_control( pb, -1,
+ slapi_pwpolicy_make_response_control( pb, -1,
((pwpolicy->pw_gracelimit) - pwdGraceUserTime),
LDAP_PWPOLICY_CHGAFTERRESET);
} else {
- pwpolicy_make_response_control( pb, -1,
+ slapi_pwpolicy_make_response_control( pb, -1,
((pwpolicy->pw_gracelimit) - pwdGraceUserTime),
-1);
}
}
if (pb->pb_conn->c_needpw == 1) {
- add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
}
delete_passwdPolicy(&pwpolicy);
return ( 0 );
@@ -155,9 +155,9 @@ skip:
/* password expired and user exceeded limit of grace attemps.
* Send result and also the control */
- add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
if (pwresponse_req) {
- pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED );
+ slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED );
}
slapi_send_ldap_result ( pb, LDAP_INVALID_CREDENTIALS, NULL,
"password expired!", 0, NULL );
@@ -226,16 +226,16 @@ skip:
if (pwresponse_req) {
/* check for "changeafterreset" condition */
if (pb->pb_conn->c_needpw == 1) {
- pwpolicy_make_response_control( pb, *t, -1,
+ slapi_pwpolicy_make_response_control( pb, *t, -1,
LDAP_PWPOLICY_CHGAFTERRESET);
} else {
- pwpolicy_make_response_control( pb, *t, -1,
+ slapi_pwpolicy_make_response_control( pb, *t, -1,
-1);
}
}
if (pb->pb_conn->c_needpw == 1) {
- add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
}
delete_passwdPolicy(&pwpolicy);
return (2);
@@ -245,7 +245,7 @@ skip:
slapi_mods_done(&smods);
/* Leftover from "changeafterreset" condition */
if (pb->pb_conn->c_needpw == 1) {
- add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
}
delete_passwdPolicy(&pwpolicy);
/* passes checking, return 0 */
@@ -298,7 +298,7 @@ check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwre
{
/* account inactivated */
if (pwresponse_req) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
LDAP_PWPOLICY_ACCTLOCKED );
}
send_ldap_result ( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
@@ -348,7 +348,7 @@ check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwre
/* account is locked forever. contact admin to reset */
if (pwresponse_req) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
LDAP_PWPOLICY_ACCTLOCKED );
}
send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL,
@@ -363,7 +363,7 @@ check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwre
/* account is locked, cannot do anything */
if (pwresponse_req) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
LDAP_PWPOLICY_ACCTLOCKED );
}
send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL,
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 6a488d4f..b7a2464e 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -803,7 +803,7 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
slapi_pblock_get(pb, SLAPI_REQCONTROLS, &ctrls);
if (slapi_control_present(ctrls, LDAP_CONTROL_AUTH_REQUEST,
NULL, NULL)) {
- add_auth_response_control(pb, dn);
+ slapi_add_auth_response_control(pb, dn);
}
if (slapi_mapping_tree_select(pb, &be, &referral, errorbuf) != LDAP_SUCCESS) {
@@ -835,10 +835,10 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
switch (pwrc) {
case 1:
- add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
break;
case 2:
- add_pwd_control(pb, LDAP_CONTROL_PWEXPIRING, t);
+ slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRING, t);
break;
case -1:
goto out;
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index c7263b4d..c9da17a5 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -785,6 +785,19 @@ char **slapi_get_supported_extended_ops_copy( void );
*/
void slapi_register_supported_saslmechanism( char *mechanism );
char ** slapi_get_supported_saslmechanisms_copy( void );
+void slapi_add_auth_response_control( Slapi_PBlock *pb, const char *binddn );
+int slapi_add_pwd_control( Slapi_PBlock *pb, char *arg, long time );
+int slapi_pwpolicy_make_response_control (Slapi_PBlock *pb, int seconds, int logins, int error);
+/* Password Policy Response Control stuff - the error argument above */
+#define LDAP_PWPOLICY_PWDEXPIRED 0
+#define LDAP_PWPOLICY_ACCTLOCKED 1
+#define LDAP_PWPOLICY_CHGAFTERRESET 2
+#define LDAP_PWPOLICY_PWDMODNOTALLOWED 3
+#define LDAP_PWPOLICY_MUSTSUPPLYOLDPWD 4
+#define LDAP_PWPOLICY_INVALIDPWDSYNTAX 5
+#define LDAP_PWPOLICY_PWDTOOSHORT 6
+#define LDAP_PWPOLICY_PWDTOOYOUNG 7
+#define LDAP_PWPOLICY_PWDINHISTORY 8
/*
* routine for freeing the ch_arrays returned by the slapi_get*_copy functions above