Diffstat (limited to 'ldap')
-rw-r--r-- | ldap/admin/src/create_instance.c | 24 | ||||
-rw-r--r-- | ldap/schema/60pam-plugin.ldif | 19 | ||||
-rw-r--r-- | ldap/servers/plugins/Makefile | 5 | ||||
-rw-r--r-- | ldap/servers/slapd/bind.c | 16 | ||||
-rw-r--r-- | ldap/servers/slapd/connection.c | 2 | ||||
-rw-r--r-- | ldap/servers/slapd/modify.c | 4 | ||||
-rw-r--r-- | ldap/servers/slapd/proto-slap.h | 6 | ||||
-rw-r--r-- | ldap/servers/slapd/pw.c | 18 | ||||
-rw-r--r-- | ldap/servers/slapd/pw.h | 12 | ||||
-rw-r--r-- | ldap/servers/slapd/pw_mgmt.c | 28 | ||||
-rw-r--r-- | ldap/servers/slapd/saslbind.c | 6 | ||||
-rw-r--r-- | ldap/servers/slapd/slapi-plugin.h | 13 |
12 files changed, 97 insertions, 56 deletions
diff --git a/ldap/admin/src/create_instance.c b/ldap/admin/src/create_instance.c
index 26b276b6..6d3d3111 100644
--- a/ldap/admin/src/create_instance.c
+++ b/ldap/admin/src/create_instance.c
@@ -3727,6 +3727,30 @@ char *ds_gen_confs(char *sroot, server_config_s *cf,
 }
 }
+ /* PAM Pass Through Auth plugin - off by default */
+ fprintf(f, "dn: cn=PAM Pass Through Auth,cn=plugins,cn=config\n");
+ fprintf(f, "objectclass: top\n");
+ fprintf(f, "objectclass: nsSlapdPlugin\n");
+ fprintf(f, "objectclass: extensibleObject\n");
+ fprintf(f, "objectclass: pamConfig\n");
+ fprintf(f, "cn: PAM Pass Through Auth\n");
+ fprintf(f, "nsslapd-pluginpath: %s/lib/pam-passthru-plugin%s\n", sroot, shared_lib);
+ fprintf(f, "nsslapd-plugininitfunc: pam_passthruauth_init\n");
+ fprintf(f, "nsslapd-plugintype: preoperation\n");
+ fprintf(f, "nsslapd-pluginenabled: off\n");
+ fprintf(f, "nsslapd-pluginLoadGlobal: true\n");
+ fprintf(f, "nsslapd-plugin-depends-on-type: database\n");
+ fprintf(f, "pamMissingSuffix: ALLOW\n");
+ if (cf->netscaperoot) {
+ fprintf(f, "pamExcludeSuffix: %s\n", cf->netscaperoot);
+ }
+ fprintf(f, "pamExcludeSuffix: cn=config\n");
+ fprintf(f, "pamMapMethod: RDN\n");
+ fprintf(f, "pamFallback: FALSE\n");
+ fprintf(f, "pamSecure: TRUE\n");
+ fprintf(f, "pamService: ldapserver\n");
+ fprintf(f, "\n");
+
 fprintf(f, "dn: cn=ldbm database,cn=plugins,cn=config\n");
 fprintf(f, "objectclass: top\n");
 fprintf(f, "objectclass: nsSlapdPlugin\n");
diff --git a/ldap/schema/60pam-plugin.ldif b/ldap/schema/60pam-plugin.ldif
new file mode 100644
index 00000000..89f18e19
--- /dev/null
+++ b/ldap/schema/60pam-plugin.ldif
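Review bot: `cf->netscaperoot` is written as a `pamExcludeSuffix` value through a bare `%s`, so a value with a leading or trailing space or a non-ASCII byte would need the LDIF `::` base64 form and would otherwise be mis-parsed when the generated config is loaded; if the rest of ds_gen_confs relies on the same assumption, make it explicit with `/* netscaperoot is assumed to be a printable-ASCII DN, safe as a plain LDIF value */`, otherwise pass it through whatever LDIF value escaping the file already uses. The defaults that matter for security (`nsslapd-pluginenabled: off`, `pamFallback: FALSE`, `pamSecure: TRUE`) carry no why-comment even though the 60pam-plugin.ldif schema in this commit describes pamSecure as requiring TLS for PAM auth and pamFallback as retrying the LDAP BIND after a PAM failure; a line such as `/* shipped disabled; when enabled, require TLS (the bind credential presumably reaches PAM in the clear) and do not fall back to the LDAP password after a PAM failure */` would preserve that intent for whoever edits these defaults later. ds_gen_confs begins before this hunk and continues after it.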
@@ -0,0 +1,19 @@
+#
+# BEGIN COPYRIGHT BLOCK
+# Copyright 2005 Red Hat Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+#
+# Schema for representing PAM plugin configuration
+#
+dn: cn=schema
+attributeTypes: ( 2.16.840.1.113730.3.1.2067 NAME 'pamIncludeSuffix' DESC 'Suffixes to include for PAM authentication' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2068 NAME 'pamExcludeSuffix' DESC 'Suffixes to exclude from PAM authentication' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2069 NAME 'pamMissingSuffix' DESC 'How to handle missing include or exclude suffixes' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2070 NAME 'pamMapMethod' DESC 'How to map BIND DN to PAM identity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2071 NAME 'pamIDAttr' DESC 'Name of attribute holding PAM ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2072 NAME 'pamFallback' DESC 'Fallback to regular LDAP BIND if PAM auth fails' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2073 NAME 'pamSecure' DESC 'Require secure (TLS/SSL) connection for PAM auth' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2074 NAME 'pamService' DESC 'Service name to pass to pam_start' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'Red Hat Directory Server' )
+objectClasses: ( 2.16.840.1.113730.3.2.318 NAME 'pamConfig' DESC 'PAM plugin configuration' SUP top AUXILIARY MAY ( pamMissingSuffix $ pamExcludeSuffix $ pamIncludeSuffix $ pamIDAttr $ pamMapMethod $ pamFallback $ pamSecure $ pamService ) X-ORIGIN 'Red Hat Directory Server' )
diff --git a/ldap/servers/plugins/Makefile b/ldap/servers/plugins/Makefile
index a743f9e4..2057ad27 100644
--- a/ldap/servers/plugins/Makefile
+++ b/ldap/servers/plugins/Makefile
@@ -19,7 +19,7 @@ NSPR20=true
 # probably should be defined somewhere else (not sure where)
 include $(BUILD_ROOT)/nsconfig.mk
 include $(LDAP_SRC)/nsldap.mk
-all: _referint _collation _syntaxes _passthru _utils _uiduniq _roles _acl _replication _cos _pwdstorage _rever _chainingdb _distrib _retrocl _statechange _http _views
+all: _referint _collation _syntaxes _passthru _utils _uiduniq _roles _acl _replication _cos _pwdstorage _rever _chainingdb _distrib _retrocl _statechange _http _views _pam_passthru
 _utils:
 cd shared; $(MAKE) $(MFLAGS) all
@@ -41,6 +41,9 @@ _syntaxes:
 _passthru:
 cd passthru; $(MAKE) $(MFLAGS) all
+_pam_passthru:
+ cd pam_passthru; $(MAKE) $(MFLAGS) all
+
 _uiduniq:
 cd uiduniq; $(MAKE) $(MFLAGS) all
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index ab9ca89d..7490f3d3 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -344,7 +344,7 @@ do_bind( Slapi_PBlock *pb )
 pb->pb_conn->c_external_dn, NULL, NULL, NULL , NULL);
 if ( auth_response_requested ) {
- add_auth_response_control( pb, pb->pb_conn->c_external_dn );
+ slapi_add_auth_response_control( pb, pb->pb_conn->c_external_dn );
 }
 send_ldap_result( pb, LDAP_SUCCESS, NULL, NULL, 0, NULL );
 goto free_and_return;
@@ -362,7 +362,7 @@ do_bind( Slapi_PBlock *pb )
 /* call preop plugins */
 if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) == 0){
 if ( auth_response_requested ) {
- add_auth_response_control( pb, "" );
+ slapi_add_auth_response_control( pb, "" );
 }
 send_ldap_result( pb, LDAP_SUCCESS, NULL, NULL, 0, NULL );
@@ -411,7 +411,7 @@ do_bind( Slapi_PBlock *pb )
 /* call preop plugin */
 if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) == 0){
 if ( auth_response_requested ) {
- add_auth_response_control( pb,
+ slapi_add_auth_response_control( pb,
 ( cred.bv_len == 0 ) ? "" : slapi_sdn_get_ndn(&sdn));
 }
@@ -498,12 +498,12 @@ do_bind( Slapi_PBlock *pb )
 slapi_sdn_get_ndn(&sdn)), NULL, NULL, NULL, bind_target_entry );
 if ( auth_response_requested ) {
- add_auth_response_control( pb,
+ slapi_add_auth_response_control( pb,
 slapi_sdn_get_ndn(&sdn));
 }
 } else { /* anonymous */
 if ( auth_response_requested ) {
- add_auth_response_control( pb,
+ slapi_add_auth_response_control( pb,
 "" );
 }
 }
@@ -517,12 +517,12 @@ do_bind( Slapi_PBlock *pb )
 switch ( need_new_pw (pb, &t, bind_target_entry, pw_response_requested )) {
 case 1:
- (void)add_pwd_control ( pb,
+ (void)slapi_add_pwd_control ( pb,
 LDAP_CONTROL_PWEXPIRED, 0);
 break;
 case 2:
- (void)add_pwd_control ( pb,
+ (void)slapi_add_pwd_control ( pb,
 LDAP_CONTROL_PWEXPIRING, t);
 break;
 case -1:
@@ -635,7 +635,7 @@ log_bind_access (
 void
-add_auth_response_control( Slapi_PBlock *pb, const char *binddn )
+slapi_add_auth_response_control( Slapi_PBlock *pb, const char *binddn )
 {
 LDAPControl arctrl;
 char dnbuf_fixedsize[ 512 ], *dnbuf, *dnbuf_dynamic = NULL;
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
index 4cf7869b..b7f08b01 100644
--- a/ldap/servers/slapd/connection.c
+++ b/ldap/servers/slapd/connection.c
@@ -404,7 +404,7 @@ connection_need_new_password(const Connection *conn, const Operation *op, Slapi_
 op->o_tag != LDAP_REQ_BIND && op->o_tag != LDAP_REQ_UNBIND && op->o_tag != LDAP_REQ_ABANDON ) {
- add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
 slapi_log_access( LDAP_DEBUG_STATS, "conn=%d op=%d %s\n",
 pb->pb_conn->c_connid, pb->pb_op->o_opid,
 "need new password" );
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 86237758..ba36b49c 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -259,7 +259,7 @@ do_modify( Slapi_PBlock *pb )
 if (!pb->pb_conn->c_isreplication_session && pb->pb_conn->c_needpw && pw_change == 0 ) {
- (void)add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ (void)slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
 op_shared_log_error_access (pb, "MOD", dn, "need new password");
 send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, NULL, 0, NULL );
 goto free_and_return;
@@ -871,7 +871,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
 !pb->pb_conn->c_needpw && !pwpolicy->pw_change) {
 if ( pwresponse_req == 1 ) {
- pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDMODNOTALLOWED );
+ slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDMODNOTALLOWED );
 }
 send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "user is not allowed to change password", 0, NULL);
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 78c32f90..8b331152 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -661,7 +661,6 @@ int check_pw_syntax( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
 char **old_pw, Slapi_Entry *e, int mod_op );
 int check_account_lock( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req);
 int check_pw_minage( Slapi_PBlock *pb, const Slapi_DN *sdn, struct berval **vals) ;
-int add_pwd_control( Slapi_PBlock *pb, char *arg, long time );
 void add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e );
 void mod_allowchange_aci(char *val);
 void pw_mod_allowchange_aci(int pw_prohibit_change);
@@ -1141,11 +1140,6 @@ int connection_is_free (Connection *conn);
 int connection_is_active_nolock (Connection *conn);
 /*
- * bind.c
- */
-void add_auth_response_control( Slapi_PBlock *pb, const char *binddn );
-
-/*
 * saslbind.c
 */
 int ids_sasl_init(void);
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index c1323cfb..b767e0e9 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -660,7 +660,7 @@ check_pw_minage ( Slapi_PBlock *pb, const Slapi_DN *sdn, struct berval **vals)
 parse_genTime ( cur_time_str )) > 0 )
 {
 if ( pwresponse_req == 1 ) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
 LDAP_PWPOLICY_PWDTOOYOUNG );
 }
 pw_send_ldap_result ( pb,
@@ -699,7 +699,7 @@ check_pw_syntax ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
 if ( pwpolicy->pw_minlength > (int)slapi_value_get_length(vals[ i ]) ) { /* jcm: had to cast unsigned int to signed int */
 if ( pwresponse_req == 1 ) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
 LDAP_PWPOLICY_PWDTOOSHORT );
 }
 pw_send_ldap_result ( pb,
@@ -729,7 +729,7 @@ check_pw_syntax ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
 Slapi_Value **va= attr_get_present_values(attr);
 if ( pw_in_history( va, vals[0] ) == 0 ) {
 if ( pwresponse_req == 1 ) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
 LDAP_PWPOLICY_PWDINHISTORY );
 }
 pw_send_ldap_result ( pb,
@@ -954,11 +954,11 @@ int pw_in_history( Slapi_Value **history_vals, const Slapi_Value *pw_val)
 }
 int
-add_pwd_control ( Slapi_PBlock *pb, char *arg, long time) {
+slapi_add_pwd_control ( Slapi_PBlock *pb, char *arg, long time) {
 LDAPControl new_ctrl;
 char buf[12];
- LDAPDebug( LDAP_DEBUG_TRACE, "=> add_pwd_control\n", 0, 0, 0 );
+ LDAPDebug( LDAP_DEBUG_TRACE, "=> slapi_add_pwd_control\n", 0, 0, 0 );
 sprintf( buf, "%ld", time );
 new_ctrl.ldctl_oid = arg;
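Review bot: In the @@ -954 hunk, `sprintf( buf, "%ld", time )` writes into `char buf[12]`, which holds eleven characters plus the terminator, while a `long` on LP64 platforms can need up to nineteen digits plus a sign; the rename exports the routine as `slapi_add_pwd_control` through slapi-plugin.h, so the `time` value will now come from plugin code the server does not control. Size the buffer for any `long` and bound the write: `char buf[24];` and `snprintf( buf, sizeof buf, "%ld", time );`. The parameter name `time` also shadows `time()` from <time.h>, which `-Wshadow` will flag for every plugin that includes the public header; renaming it to `secs` in the prototype and definition is source- and ABI-neutral. The function body continues past the end of the hunk.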
@@ -1108,7 +1108,7 @@ check_trivial_words (Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char
 if( strcasecmp( slapi_value_get_string(va[i]), slapi_value_get_string(vals[0])) == 0) /* JCM Innards */
 {
 if ( pwresponse_req == 1 ) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
 LDAP_PWPOLICY_INVALIDPWDSYNTAX );
 }
 pw_send_ldap_result ( pb,
@@ -1378,7 +1378,7 @@ delete_passwdPolicy( passwdPolicy **pwpolicy)
 * operationsError (1),
 */
 int
-pwpolicy_make_response_control (Slapi_PBlock *pb, int seconds, int logins, int error)
+slapi_pwpolicy_make_response_control (Slapi_PBlock *pb, int seconds, int logins, int error)
 {
 BerElement *ber= NULL;
 struct berval *bvp = NULL;
@@ -1401,7 +1401,7 @@ pwpolicy_make_response_control (Slapi_PBlock *pb, int seconds, int logins, int e
 passwordInHistory (8) } } */
- LDAPDebug( LDAP_DEBUG_TRACE, "=> pwpolicy_make_response_control", 0, 0, 0 );
+ LDAPDebug( LDAP_DEBUG_TRACE, "=> slapi_pwpolicy_make_response_control", 0, 0, 0 );
 if ( ( ber = ber_alloc()) == NULL ) {
 return rc;
@@ -1442,7 +1442,7 @@ pwpolicy_make_response_control (Slapi_PBlock *pb, int seconds, int logins, int e
 ber_bvfree(bvp);
 }
- LDAPDebug( LDAP_DEBUG_TRACE, "<= pwpolicy_make_response_control", 0, 0, 0 );
+ LDAPDebug( LDAP_DEBUG_TRACE, "<= slapi_pwpolicy_make_response_control", 0, 0, 0 );
 return (rc==-1?LDAP_OPERATIONS_ERROR:LDAP_SUCCESS);
 }
diff --git a/ldap/servers/slapd/pw.h b/ldap/servers/slapd/pw.h
index b74bbd66..d9202bef 100644
--- a/ldap/servers/slapd/pw.h
+++ b/ldap/servers/slapd/pw.h
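Review bot: In the @@ -1401 hunk the early `return rc;` after `ber_alloc()` fails hands back the raw `rc`, while the function's tail in the @@ -1442 hunk maps it with `rc==-1?LDAP_OPERATIONS_ERROR:LDAP_SUCCESS`; if `rc` is initialised to -1 (its initialiser is outside the hunks), a caller of the newly exported `slapi_pwpolicy_make_response_control` receives -1 where every other path returns an LDAP result code. Make the failure path consistent with the tail: `return LDAP_OPERATIONS_ERROR;`. Since the rename moves this routine into the public plugin interface, the comment block above the definition should also state the contract a plugin author needs — that it returns LDAP_SUCCESS or LDAP_OPERATIONS_ERROR, and that -1 for `seconds`, `logins` or `error` omits that field from the control. The definition starts in the @@ -1378 hunk and its body spans the remaining hunks.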
@@ -11,17 +11,6 @@
 #define PWD_HASH_PREFIX_START '{'
 #define PWD_HASH_PREFIX_END '}'
-/* Password Policy Response Control stuff */
-#define LDAP_PWPOLICY_PWDEXPIRED 0
-#define LDAP_PWPOLICY_ACCTLOCKED 1
-#define LDAP_PWPOLICY_CHGAFTERRESET 2
-#define LDAP_PWPOLICY_PWDMODNOTALLOWED 3
-#define LDAP_PWPOLICY_MUSTSUPPLYOLDPWD 4
-#define LDAP_PWPOLICY_INVALIDPWDSYNTAX 5
-#define LDAP_PWPOLICY_PWDTOOSHORT 6
-#define LDAP_PWPOLICY_PWDTOOYOUNG 7
-#define LDAP_PWPOLICY_PWDINHISTORY 8
-
 /*
 *
 * structure for holding password scheme info.
@@ -53,7 +42,6 @@ int pw_encodevals( Slapi_Value **vals );
 int checkPrefix(char *cipher, char *schemaName, char **encrypt);
 struct passwordpolicyarray *new_passwdPolicy ( Slapi_PBlock *pb, char *dn );
 void delete_passwdPolicy( struct passwordpolicyarray **pwpolicy);
-int pwpolicy_make_response_control (Slapi_PBlock *pb, int seconds, int logins, int error);
 /* function for checking the values of fine grained password policy attributes */
 int check_pw_minage_value( const char *attr_name, char *value, long minval, long maxval, char *errorbuf );
diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index b400efab..d9346f85 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -105,9 +105,9 @@ skip:
 /* check for "changeafterreset" condition */
 if (pb->pb_conn->c_needpw == 1) {
 if (pwresponse_req) {
- pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_CHGAFTERRESET );
+ slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_CHGAFTERRESET );
 }
- add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
 }
 pw_apply_mods(dn, &smods);
 slapi_mods_done(&smods);
@@ -136,18 +136,18 @@ skip:
 if (pwresponse_req) {
 /* check for "changeafterreset" condition */
 if (pb->pb_conn->c_needpw == 1) {
- pwpolicy_make_response_control( pb, -1,
+ slapi_pwpolicy_make_response_control( pb, -1,
 ((pwpolicy->pw_gracelimit) - pwdGraceUserTime),
 LDAP_PWPOLICY_CHGAFTERRESET);
 } else {
- pwpolicy_make_response_control( pb, -1,
+ slapi_pwpolicy_make_response_control( pb, -1,
 ((pwpolicy->pw_gracelimit) - pwdGraceUserTime),
 -1);
 }
 }
 if (pb->pb_conn->c_needpw == 1) {
- add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
 }
 delete_passwdPolicy(&pwpolicy);
 return ( 0 );
@@ -155,9 +155,9 @@ skip:
 /* password expired and user exceeded limit of grace attemps.
 * Send result and also the control */
- add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
 if (pwresponse_req) {
- pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED );
+ slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED );
 }
 slapi_send_ldap_result ( pb, LDAP_INVALID_CREDENTIALS, NULL,
 "password expired!", 0, NULL );
@@ -226,16 +226,16 @@ skip:
 if (pwresponse_req) {
 /* check for "changeafterreset" condition */
 if (pb->pb_conn->c_needpw == 1) {
- pwpolicy_make_response_control( pb, *t, -1,
+ slapi_pwpolicy_make_response_control( pb, *t, -1,
 LDAP_PWPOLICY_CHGAFTERRESET);
 } else {
- pwpolicy_make_response_control( pb, *t, -1,
+ slapi_pwpolicy_make_response_control( pb, *t, -1,
 -1);
 }
 }
 if (pb->pb_conn->c_needpw == 1) {
- add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
 }
 delete_passwdPolicy(&pwpolicy);
 return (2);
@@ -245,7 +245,7 @@ skip:
 slapi_mods_done(&smods);
 /* Leftover from "changeafterreset" condition */
 if (pb->pb_conn->c_needpw == 1) {
- add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
 }
 delete_passwdPolicy(&pwpolicy);
 /* passes checking, return 0 */
@@ -298,7 +298,7 @@ check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwre
 {
 /* account inactivated */
 if (pwresponse_req) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
 LDAP_PWPOLICY_ACCTLOCKED );
 }
 send_ldap_result ( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
@@ -348,7 +348,7 @@ check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwre
 /* account is locked forever. contact admin to reset */
 if (pwresponse_req) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
 LDAP_PWPOLICY_ACCTLOCKED );
 }
 send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL,
@@ -363,7 +363,7 @@ check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwre
 /* account is locked, cannot do anything */
 if (pwresponse_req) {
- pwpolicy_make_response_control ( pb, -1, -1,
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
 LDAP_PWPOLICY_ACCTLOCKED );
 }
 send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL,
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 6a488d4f..b7a2464e 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -803,7 +803,7 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
 slapi_pblock_get(pb, SLAPI_REQCONTROLS, &ctrls);
 if (slapi_control_present(ctrls, LDAP_CONTROL_AUTH_REQUEST, NULL, NULL)) {
- add_auth_response_control(pb, dn);
+ slapi_add_auth_response_control(pb, dn);
 }
 if (slapi_mapping_tree_select(pb, &be, &referral, errorbuf) != LDAP_SUCCESS) {
@@ -835,10 +835,10 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
 switch (pwrc) {
 case 1:
- add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
 break;
 case 2:
- add_pwd_control(pb, LDAP_CONTROL_PWEXPIRING, t);
+ slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRING, t);
 break;
 case -1:
 goto out;
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index c7263b4d..c9da17a5 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -785,6 +785,19 @@ char **slapi_get_supported_extended_ops_copy( void );
 */
 void slapi_register_supported_saslmechanism( char *mechanism );
 char ** slapi_get_supported_saslmechanisms_copy( void );
+void slapi_add_auth_response_control( Slapi_PBlock *pb, const char *binddn );
+int slapi_add_pwd_control( Slapi_PBlock *pb, char *arg, long time );
+int slapi_pwpolicy_make_response_control (Slapi_PBlock *pb, int seconds, int logins, int error);
+/* Password Policy Response Control stuff - the error argument above */
+#define LDAP_PWPOLICY_PWDEXPIRED 0
+#define LDAP_PWPOLICY_ACCTLOCKED 1
+#define LDAP_PWPOLICY_CHGAFTERRESET 2
+#define LDAP_PWPOLICY_PWDMODNOTALLOWED 3
+#define LDAP_PWPOLICY_MUSTSUPPLYOLDPWD 4
+#define LDAP_PWPOLICY_INVALIDPWDSYNTAX 5
+#define LDAP_PWPOLICY_PWDTOOSHORT 6
+#define LDAP_PWPOLICY_PWDTOOYOUNG 7
+#define LDAP_PWPOLICY_PWDINHISTORY 8
 /*
 * routine for freeing the ch_arrays returned by the slapi_get*_copy functions above |