1 /* pam.c - pam processing routines */
4 * Copyright 2009 by Howard Chu, Symas Corp.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
18 #include <security/pam_modules.h>
/*
 * pam_nullcb - response callback installed on the internal bind in
 * pam_authc (cb.sc_response = pam_nullcb). Only the signature appears in
 * this listing; presumably a no-op so the bind result is consumed
 * in-process rather than written to a client connection — confirm in the
 * full source.
 */
20 static int pam_nullcb(
21 Operation *op, SlapReply *rs)
/*
 * pam_authc - handle an nslcd PAM "authc" request: map the user name to a
 * DN, bind as that DN with the supplied password, and write the result
 * record back to the nslcd stream.
 *
 * @ni   module instance, used for the fallback uid search (nssov_uid2dn)
 * @fp   nslcd protocol stream; the request is read from it and the reply
 *       written to it
 * @op   slapd Operation reused for the DN mapping and the internal bind
 *
 * The user name, service name and password are read from the stream, i.e.
 * from the local nslcd client, and are untrusted input. This listing omits
 * a number of lines (buffer declarations, the switch header, the jump to
 * the reply section, the return); the comments below cover only what is
 * visible and flag where an omitted line would matter.
 */
26 int pam_authc(nssov_info *ni,TFILE *fp,Operation *op)
30 slap_callback cb = {0};
31 SlapReply rs = {REP_RESULT};
/* sdn and dn are not initialised here; see the note at the reply section. */
35 struct berval uid, svc, pwd, sdn, dn;
/* Each wire string is read into a fixed buffer (uidc/svcc/pwdc, declared on
 * lines not shown) and the berval length is taken from tmpint32, the count
 * decoded by the READ macro — so bv_len is a client-supplied value. */
38 READ_STRING_BUF2(fp,uidc,sizeof(uidc));
40 uid.bv_len = tmpint32;
41 READ_STRING_BUF2(fp,svcc,sizeof(svcc));
43 svc.bv_len = tmpint32;
44 READ_STRING_BUF2(fp,pwdc,sizeof(pwdc));
46 pwd.bv_len = tmpint32;
/* NOTE(review): the user name is logged before isvalidusername() checks it
 * on the next line, so an unvalidated string reaches the TRACE log. */
48 Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(%s)\n",uid.bv_val,0,0);
50 if (!isvalidusername(&uid)) {
51 Debug(LDAP_DEBUG_ANY,"nssov_pam_authc(%s): invalid user name\n",uid.bv_val,0,0);
52 rc = PAM_USER_UNKNOWN;
/* (the jump to the reply section that follows this branch is not shown) */
56 /* Why didn't we make this a berval? */
57 hlen = strlen(global_host);
59 /* First try this form, to allow service-dependent mappings */
60 /* cn=<service>+uid=<user>,cn=<host>,cn=pam,cn=auth */
/* The buffer is sized from the berval lengths plus the literal template and
 * then filled with sprintf from the C strings. This stays in bounds only
 * while strlen(uidc)/strlen(svcc) do not exceed uid.bv_len/svc.bv_len, i.e.
 * while the wire length and the NUL-terminated length agree; snprintf with
 * sdn.bv_len + 1 as the bound would make that explicit. */
61 sdn.bv_len = uid.bv_len + svc.bv_len + hlen + STRLENOF( "cn=+uid=,cn=,cn=pam,cn=auth" );
62 sdn.bv_val = op->o_tmpalloc( sdn.bv_len + 1, op->o_tmpmemctx );
63 sprintf(sdn.bv_val, "cn=%s+uid=%s,cn=%s,cn=pam,cn=auth", svcc, uidc, global_host);
/* Map the synthetic identity through slapd's SASL identity mapping. */
65 slap_sasl2dn(op, &sdn, &dn, 0);
/* sdn.bv_val is released here, yet sdn is written again in the reply record
 * below (authzmsg/tmpluser). On the path where slap_sasl2dn produced a DN,
 * nothing visible in this listing resets sdn first — confirm in the full
 * source that it is cleared (e.g. BER_BVZERO) before the reply is written. */
66 op->o_tmpfree( sdn.bv_val, op->o_tmpmemctx );
68 /* If no luck, do a basic uid search */
69 if (BER_BVISEMPTY(&dn)) {
70 if (!nssov_uid2dn(op, ni, &uid, &dn)) {
71 rc = PAM_USER_UNKNOWN;
/* Normalise the DN found by the uid search; the assignment that feeds sdn
 * for this call is among the omitted lines. */
75 dnNormalize( 0, NULL, NULL, &sdn, &dn, op->o_tmpmemctx );
79 /* TODO: add ppolicy control */
/* Install the callback so the bind result is handled in-process. */
80 cb.sc_response = pam_nullcb;
/* Truncate the operation's current identity strings before the bind; bv_len
 * is not touched on the lines shown. */
82 op->o_dn.bv_val[0] = 0;
84 op->o_ndn.bv_val[0] = 0;
/* Set up a simple bind as the mapped DN. The lines that assign the
 * credentials (orb_cred) and the request DN are not in this listing. */
86 op->o_tag = LDAP_REQ_BIND;
87 op->o_protocol = LDAP_VERSION3;
88 op->orb_method = LDAP_AUTH_SIMPLE;
92 slap_op_time( &op->o_time, &op->o_tincr );
93 op->o_bd->be_bind( op, &rs );
/* Wipe the cleartext password once the bind has consumed it. A plain memset
 * on memory that is not read afterwards may be dropped by the optimiser;
 * an explicit_bzero/memset_s style primitive would be more robust. */
94 memset(pwd.bv_val,0,pwd.bv_len);
/* Map the bind result to a PAM code (the switch header is omitted here).
 * Every non-success result collapses to PAM_AUTH_ERR, so the caller cannot
 * tell "no such entry" from "wrong password" — presumably intentional. */
96 case LDAP_SUCCESS: rc = PAM_SUCCESS; break;
97 case LDAP_INVALID_CREDENTIALS: rc = PAM_AUTH_ERR; break;
98 default: rc = PAM_AUTH_ERR; break;
/* Reply record. The authc result (rc) is written on a line not shown; the
 * authorization result below is hard-coded PAM_SUCCESS, consistent with the
 * ppolicy TODO above — no account or password-policy state is evaluated. */
102 WRITE_INT32(fp,NSLCD_VERSION);
103 WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHC);
104 WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
106 WRITE_INT32(fp,PAM_SUCCESS); /* authz */
/* On the PAM_USER_UNKNOWN paths above, dn and sdn may reach this point
 * without having been assigned — verify they are initialised before use. */
107 WRITE_BERVAL(fp,&dn);
108 WRITE_BERVAL(fp,&sdn); /* authzmsg */
109 WRITE_BERVAL(fp,&sdn); /* tmpluser */
/*
 * pam_authz - handle an nslcd PAM "authz" (account management) request.
 *
 * @ni   module instance (unused on the lines shown)
 * @fp   nslcd protocol stream
 * @op   slapd Operation (unused on the lines shown)
 *
 * Reads the DN and service name from the stream and, on the visible path,
 * replies PAM_SUCCESS with an empty authzmsg unconditionally: no
 * authorization decision is made here. If the full source has no further
 * logic between the Debug call and the reply, every authenticated user
 * passes the account stage — worth confirming, since this is where
 * service/host restrictions would be enforced.
 */
113 int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
115 struct berval dn, svc;
/* Stays NULL on the lines shown; sent back as the (empty) authz message. */
116 struct berval authzmsg = BER_BVNULL;
/* Lengths come from tmpint32, the count decoded by the READ macro. */
121 READ_STRING_BUF2(fp,dnc,sizeof(dnc));
123 dn.bv_len = tmpint32;
124 READ_STRING_BUF2(fp,svcc,sizeof(svcc));
126 svc.bv_len = tmpint32;
128 Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(%s)\n",dn.bv_val,0,0);
/* Reply: success result, PAM_SUCCESS status, empty authz message. */
130 WRITE_INT32(fp,NSLCD_VERSION);
131 WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHZ);
132 WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
133 WRITE_INT32(fp,PAM_SUCCESS);
134 WRITE_BERVAL(fp,&authzmsg);
/*
 * pam_sess_o - handle an nslcd PAM "session open" request.
 *
 * @ni   module instance (unused on the lines shown)
 * @fp   nslcd protocol stream
 * @op   slapd Operation (unused on the lines shown)
 *
 * Reads the DN and service name, logs the DN at TRACE level and
 * acknowledges with NSLCD_RESULT_SUCCESS. No session state is recorded on
 * the visible lines; svc is read but not otherwise used here.
 */
138 int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op)
140 struct berval dn, svc;
/* Lengths come from tmpint32, the count decoded by the READ macro. */
145 READ_STRING_BUF2(fp,dnc,sizeof(dnc));
147 dn.bv_len = tmpint32;
148 READ_STRING_BUF2(fp,svcc,sizeof(svcc));
150 svc.bv_len = tmpint32;
152 Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_o(%s)\n",dn.bv_val,0,0);
154 WRITE_INT32(fp,NSLCD_VERSION);
155 WRITE_INT32(fp,NSLCD_ACTION_PAM_SESS_O);
156 WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
/*
 * pam_sess_c - handle an nslcd PAM "session close" request.
 *
 * @ni   module instance (unused on the lines shown)
 * @fp   nslcd protocol stream
 * @op   slapd Operation (unused on the lines shown)
 *
 * Mirror of pam_sess_o: reads the DN and service name, logs the DN at
 * TRACE level and acknowledges with NSLCD_RESULT_SUCCESS. Nothing is torn
 * down on the visible lines; svc is read but not otherwise used here.
 */
160 int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op)
162 struct berval dn, svc;
/* Lengths come from tmpint32, the count decoded by the READ macro. */
167 READ_STRING_BUF2(fp,dnc,sizeof(dnc));
169 dn.bv_len = tmpint32;
170 READ_STRING_BUF2(fp,svcc,sizeof(svcc));
172 svc.bv_len = tmpint32;
174 Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_c(%s)\n",dn.bv_val,0,0);
176 WRITE_INT32(fp,NSLCD_VERSION);
177 WRITE_INT32(fp,NSLCD_ACTION_PAM_SESS_C);
178 WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
182 int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
184 struct berval dn, uid, opw, npw;
191 READ_STRING_BUF2(fp,dnc,sizeof(dnc));
193 dn.bv_len = tmpint32;
194 READ_STRING_BUF2(fp,uidc,sizeof(uidc));
196 uid.bv_len = tmpint32;
197 READ_STRING_BUF2(fp,opwc,sizeof(opwc));
199 opw.bv_len = tmpint32;
200 READ_STRING_BUF2(fp,npwc,sizeof(npwc));
202 npw.bv_len = tmpint32;
204 Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(%s), %s\n",dn.bv_val,uid.bv_val,0);
207 WRITE_INT32(fp,NSLCD_VERSION);
208 WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD);
209 WRITE_INT32(fp,NSLCD_RESULT_SUCCESS);
210 WRITE_INT32(fp,PAM_SUCCESS);
211 WRITE_BERVAL(fp,&npw);