]> git.sur5r.net Git - openldap/blob - contrib/slapd-modules/smbk5pwd/smbk5pwd.c
projects / openldap / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Experimental Samba and Heimdal password synchronization overlay.
[openldap] / contrib / slapd-modules / smbk5pwd / smbk5pwd.c
1 /* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
2 /* $OpenLDAP$ */
3 /*
4  * Copyright 2004 by Howard Chu, Symas Corp.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted only as authorized by the OpenLDAP
9  * Public License.
10  *
11  * A copy of this license is available in the file LICENSE in the
12  * top-level directory of the distribution or, alternatively, at
13  * <http://www.OpenLDAP.org/license.html>.
14  */
15
16 #include <portable.h>
17
18 #ifndef SLAPD_OVER_SMBK5PWD
19 #define SLAPD_OVER_SMBK5PWD SLAPD_MOD_DYNAMIC
20 #endif
21
22 #ifdef SLAPD_OVER_SMBK5PWD
23
24 #include <slap.h>
25 #include <ac/errno.h>
26
27 #ifdef DO_KRB5
28 /* make ASN1_MALLOC_ENCODE use our allocator */
29 #define malloc  ch_malloc
30
31 #include <krb5.h>
32 #include <kadm5/admin.h>
33 #include <hdb.h>
34
35 static krb5_context context;
36 static void *kadm_context;
37 static kadm5_config_params conf;
38 static HDB *db;
39
40 static AttributeDescription *ad_krb5Key;
41 static AttributeDescription *ad_krb5KeyVersionNumber;
42 static AttributeDescription *ad_krb5PrincipalName;
43 static ObjectClass *oc_krb5KDCEntry;
44 #endif
45
46 #ifdef DO_SAMBA
47 #include <openssl/des.h>
48 #include <openssl/md4.h>
49
50 static AttributeDescription *ad_sambaLMPassword;
51 static AttributeDescription *ad_sambaNTPassword;
52 static AttributeDescription *ad_sambaPwdLastSet;
53 static ObjectClass *oc_sambaSamAccount;
54 #endif
55
56 #if 0
57 static void smbk5pwd_destroy() {
58         kadm5_destroy(kadm_context);
59         krb5_free_context(context);
60 }
61 #endif
62
63 #ifdef DO_SAMBA
64 static const char hex[] = "0123456789abcdef";
65
66 /* From liblutil/passwd.c... */
67 static void lmPasswd_to_key(
68         const unsigned char *lmPasswd,
69         des_cblock *key)
70 {
71         /* make room for parity bits */
72         ((char *)key)[0] = lmPasswd[0];
73         ((char *)key)[1] = ((lmPasswd[0]&0x01)<<7) | (lmPasswd[1]>>1);
74         ((char *)key)[2] = ((lmPasswd[1]&0x03)<<6) | (lmPasswd[2]>>2);
75         ((char *)key)[3] = ((lmPasswd[2]&0x07)<<5) | (lmPasswd[3]>>3);
76         ((char *)key)[4] = ((lmPasswd[3]&0x0F)<<4) | (lmPasswd[4]>>4);
77         ((char *)key)[5] = ((lmPasswd[4]&0x1F)<<3) | (lmPasswd[5]>>5);
78         ((char *)key)[6] = ((lmPasswd[5]&0x3F)<<2) | (lmPasswd[6]>>6);
79         ((char *)key)[7] = ((lmPasswd[6]&0x7F)<<1);
80
81         des_set_odd_parity( key );
82 }
83
84 #define MAX_PWLEN 256
85 #define HASHLEN 16
86
87 static void hexify(
88         const char in[HASHLEN],
89         struct berval *out
90 )
91 {
92         int i;
93         char *a;
94         unsigned char *b;
95
96         out->bv_val = ch_malloc(HASHLEN*2 + 1);
97         out->bv_len = HASHLEN*2;
98
99         a = out->bv_val;
100         b = (unsigned char *)in;
101         for (i=0; i<HASHLEN; i++) {
102                 *a++ = hex[*b >> 4];
103                 *a++ = hex[*b++ & 0x0f];
104         }
105         *a++ = '\0';
106 }
107
108 static void lmhash(
109         struct berval *passwd,
110         struct berval *hash
111 )
112 {
113         char UcasePassword[15];
114         des_cblock key;
115         des_key_schedule schedule;
116         des_cblock StdText = "KGS!@#$%";
117         des_cblock hbuf[2];
118
119         strncpy( UcasePassword, passwd->bv_val, 14 );
120         UcasePassword[14] = '\0';
121         ldap_pvt_str2upper( UcasePassword );
122
123         lmPasswd_to_key( UcasePassword, &key );
124         des_set_key_unchecked( &key, schedule );
125         des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT );
126
127         lmPasswd_to_key( &UcasePassword[7], &key );
128         des_set_key_unchecked( &key, schedule );
129         des_ecb_encrypt( &StdText, &hbuf[1], schedule , DES_ENCRYPT );
130
131         hexify( (char *)hbuf, hash );
132 }
133
134 static void nthash(
135         struct berval *passwd,
136         struct berval *hash
137 )
138 {
139         /* Windows currently only allows 14 character passwords, but
140          * may support up to 256 in the future. We assume this means
141          * 256 UCS2 characters, not 256 bytes...
142          */
143         char hbuf[HASHLEN];
144         int i;
145         MD4_CTX ctx;
146
147         if (passwd->bv_len > MAX_PWLEN*2)
148                 passwd->bv_len = MAX_PWLEN*2;
149                 
150         MD4_Init( &ctx );
151         MD4_Update( &ctx, passwd->bv_val, passwd->bv_len );
152         MD4_Final( hbuf, &ctx );
153
154         hexify( hbuf, hash );
155 }
156 #endif /* DO_SAMBA */
157
158 int smbk5pwd_exop_passwd(
159         Operation *op,
160         SlapReply *rs )
161 {
162         int i, rc;
163         req_pwdexop_s *qpw = &op->oq_pwdexop;
164         Entry *e;
165         Attribute *a;
166         Modifications *ml;
167         slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
168
169         /* Not the operation we expected, pass it on... */
170         if ( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) ) {
171                 return SLAP_CB_CONTINUE;
172         }
173
174         op->o_bd->bd_info = (BackendInfo *)on->on_info;
175         rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
176         if ( rc != LDAP_SUCCESS ) return rc;
177
178 #ifdef DO_KRB5
179         /* Kerberos stuff */
180         do {
181                 krb5_error_code ret;
182                 hdb_entry ent;
183                 struct berval *keys;
184                 int kvno;
185
186                 if ( !is_entry_objectclass(e, oc_krb5KDCEntry, 0 ) ) break;
187
188                 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
189                 if ( !a ) break;
190
191                 memset( &ent, 0, sizeof(ent) );
192                 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
193                 if ( ret ) break;
194
195                 a = attr_find( e->e_attrs, ad_krb5KeyVersionNumber );
196                 if ( a ) {
197                         kvno = atoi(a->a_vals[0].bv_val);
198                 } else {
199                         /* shouldn't happen, this is a required attr */
200                         kvno = 0;
201                 }
202
203                 ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val);
204                 hdb_seal_keys(context, db, &ent);
205                 krb5_free_principal( context, ent.principal );
206
207                 keys = ch_malloc( (ent.keys.len + 1) * sizeof(struct berval));
208
209                 for (i = 0; i < ent.keys.len; i++) {
210                         unsigned char *buf;
211                         size_t len;
212
213                         ASN1_MALLOC_ENCODE(Key, buf, len, &ent.keys.val[i], &len, ret);
214                         if (ret != 0)
215                                 break;
216                         
217                         keys[i].bv_val = buf;
218                         keys[i].bv_len = len;
219                 }
220                 keys[i].bv_val = NULL;
221                 keys[i].bv_len = 0;
222
223                 if ( i != ent.keys.len ) {
224                         ber_bvarray_free( keys );
225                         break;
226                 }
227
228                 ml = ch_malloc(sizeof(Modifications));
229                 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
230                 ml->sml_next = qpw->rs_mods;
231                 qpw->rs_mods = ml;
232
233                 ml->sml_desc = ad_krb5Key;
234                 ml->sml_op = LDAP_MOD_REPLACE;
235                 ml->sml_values = keys;
236                 ml->sml_nvalues = NULL;
237                 
238                 ml = ch_malloc(sizeof(Modifications));
239                 ml->sml_next = qpw->rs_mods;
240                 qpw->rs_mods = ml;
241                 
242                 ml->sml_desc = ad_krb5KeyVersionNumber;
243                 ml->sml_op = LDAP_MOD_REPLACE;
244                 ml->sml_values = ch_malloc( 2 * sizeof(struct berval));
245                 ml->sml_values[0].bv_val = ch_malloc( 64 );
246                 ml->sml_values[0].bv_len = sprintf(ml->sml_values[0].bv_val,
247                         "%d", kvno+1 );
248                 ml->sml_values[1].bv_val = NULL;
249                 ml->sml_values[1].bv_len = 0;
250                 ml->sml_nvalues = NULL;
251         } while(0);
252 #endif /* DO_KRB5 */
253
254 #ifdef DO_SAMBA
255         /* Samba stuff */
256         if ( is_entry_objectclass(e, oc_sambaSamAccount, 0 ) ) {
257                 struct berval *keys;
258                 ber_len_t j,l;
259                 wchar_t *wcs, wc;
260                 char *c, *d;
261                 struct berval pwd;
262                 
263                 /* Expand incoming UTF8 string to UCS4 */
264                 l = ldap_utf8_chars(qpw->rs_new.bv_val);
265                 wcs = ch_malloc((l+1) * sizeof(wchar_t));
266
267                 ldap_x_utf8s_to_wcs( wcs, qpw->rs_new.bv_val, l );
268                 
269                 /* Truncate UCS4 to UCS2 */
270                 c = (char *)wcs;
271                 for (j=0; j<l; j++) {
272                         wc = wcs[j];
273                         *c++ = wc & 0xff;
274                         *c++ = (wc >> 8) & 0xff;
275                 }
276                 *c++ = 0;
277                 pwd.bv_val = (char *)wcs;
278                 pwd.bv_len = l * 2;
279
280                 ml = ch_malloc(sizeof(Modifications));
281                 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
282                 ml->sml_next = qpw->rs_mods;
283                 qpw->rs_mods = ml;
284
285                 keys = ch_malloc( 2 * sizeof(struct berval) );
286                 keys[1].bv_val = NULL;
287                 keys[1].bv_len = 0;
288                 nthash( &pwd, keys );
289                 
290                 ml->sml_desc = ad_sambaNTPassword;
291                 ml->sml_op = LDAP_MOD_REPLACE;
292                 ml->sml_values = keys;
293                 ml->sml_nvalues = NULL;
294
295                 /* Truncate UCS2 to 8-bit ASCII */
296                 c = pwd.bv_val+1;
297                 d = pwd.bv_val+2;
298                 for (j=1; j<l; j++) {
299                         *c++ = *d++;
300                         d++;
301                 }
302
303                 ml = ch_malloc(sizeof(Modifications));
304                 ml->sml_next = qpw->rs_mods;
305                 qpw->rs_mods = ml;
306
307                 keys = ch_malloc( 2 * sizeof(struct berval) );
308                 keys[1].bv_val = NULL;
309                 keys[1].bv_len = 0;
310                 lmhash( &pwd, keys );
311                 
312                 ml->sml_desc = ad_sambaLMPassword;
313                 ml->sml_op = LDAP_MOD_REPLACE;
314                 ml->sml_values = keys;
315                 ml->sml_nvalues = NULL;
316
317                 ch_free(wcs);
318
319                 ml = ch_malloc(sizeof(Modifications));
320                 ml->sml_next = qpw->rs_mods;
321                 qpw->rs_mods = ml;
322
323                 keys = ch_malloc( 2 * sizeof(struct berval) );
324                 keys[1].bv_val = NULL;
325                 keys[1].bv_len = 0;
326                 keys[0].bv_val = ch_malloc(16);
327                 keys[0].bv_len = sprintf(keys[0].bv_val, "%d",
328                         slap_get_time());
329                 
330                 ml->sml_desc = ad_sambaPwdLastSet;
331                 ml->sml_op = LDAP_MOD_REPLACE;
332                 ml->sml_values = keys;
333                 ml->sml_nvalues = NULL;
334         }
335 #endif /* DO_SAMBA */
336         be_entry_release_r( op, e );
337
338         return SLAP_CB_CONTINUE;
339 }
340
341 static slap_overinst smbk5pwd;
342
343 int smbk5pwd_init() {
344         int rc;
345         const char *text;
346
347 #ifdef DO_KRB5
348         krb5_error_code ret;
349         extern HDB * _kadm5_s_get_db(void *);
350
351         /* Make sure all of our necessary schema items are loaded */
352         oc_krb5KDCEntry = oc_find("krb5KDCEntry");
353         if ( !oc_krb5KDCEntry ) return -1;
354
355         rc = slap_str2ad( "krb5Key", &ad_krb5Key, &text );
356         if ( rc ) return rc;
357         rc = slap_str2ad( "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber, &text );
358         if ( rc ) return rc;
359         rc = slap_str2ad( "krb5PrincipalName", &ad_krb5PrincipalName, &text );
360         if ( rc ) return rc;
361
362         /* Initialize Kerberos context */
363         ret = krb5_init_context(&context);
364         if (ret) {
365                 return -1;
366         }
367
368         ret = kadm5_s_init_with_password_ctx( context,
369                 KADM5_ADMIN_SERVICE,
370                 NULL,
371                 KADM5_ADMIN_SERVICE,
372                 &conf, 0, 0, &kadm_context );
373         
374         db = _kadm5_s_get_db(kadm_context);
375 #endif /* DO_KRB5 */
376
377 #ifdef DO_SAMBA
378         oc_sambaSamAccount = oc_find("sambaSamAccount");
379         if ( !oc_sambaSamAccount ) return -1;
380
381         rc = slap_str2ad( "sambaLMPassword", &ad_sambaLMPassword, &text );
382         if ( rc ) return rc;
383         rc = slap_str2ad( "sambaNTPassword", &ad_sambaNTPassword, &text );
384         if ( rc ) return rc;
385         rc = slap_str2ad( "sambaPwdLastSet", &ad_sambaPwdLastSet, &text );
386         if ( rc ) return rc;
387 #endif /* DO_SAMBA */
388
389         smbk5pwd.on_bi.bi_type = "smbk5pwd";
390         smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd;
391
392         return overlay_register( &smbk5pwd );
393 }
394
395 #if SLAPD_OVER_SMBK5PWD == SLAPD_MOD_DYNAMIC
396 int init_module(int argc, char *argv[]) {
397         return smbk5pwd_init();
398 }
399 #endif
400
401 #endif /* defined(SLAPD_OVER_SMBK5PWD) */
Cloned from git://git.openldap.org/openldap.git