1 /* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
4 * Copyright 2004 by Howard Chu, Symas Corp.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
18 #ifndef SLAPD_OVER_SMBK5PWD
19 #define SLAPD_OVER_SMBK5PWD SLAPD_MOD_DYNAMIC
22 #ifdef SLAPD_OVER_SMBK5PWD
28 /* make ASN1_MALLOC_ENCODE use our allocator */
29 #define malloc ch_malloc
32 #include <kadm5/admin.h>
35 static krb5_context context;
36 static void *kadm_context;
37 static kadm5_config_params conf;
40 static AttributeDescription *ad_krb5Key;
41 static AttributeDescription *ad_krb5KeyVersionNumber;
42 static AttributeDescription *ad_krb5PrincipalName;
43 static ObjectClass *oc_krb5KDCEntry;
47 #include <openssl/des.h>
48 #include <openssl/md4.h>
50 static AttributeDescription *ad_sambaLMPassword;
51 static AttributeDescription *ad_sambaNTPassword;
52 static AttributeDescription *ad_sambaPwdLastSet;
53 static ObjectClass *oc_sambaSamAccount;
57 static void smbk5pwd_destroy() {
58 kadm5_destroy(kadm_context);
59 krb5_free_context(context);
64 static const char hex[] = "0123456789abcdef";
66 /* From liblutil/passwd.c... */
67 static void lmPasswd_to_key(
68 const unsigned char *lmPasswd,
71 /* make room for parity bits */
72 ((char *)key)[0] = lmPasswd[0];
73 ((char *)key)[1] = ((lmPasswd[0]&0x01)<<7) | (lmPasswd[1]>>1);
74 ((char *)key)[2] = ((lmPasswd[1]&0x03)<<6) | (lmPasswd[2]>>2);
75 ((char *)key)[3] = ((lmPasswd[2]&0x07)<<5) | (lmPasswd[3]>>3);
76 ((char *)key)[4] = ((lmPasswd[3]&0x0F)<<4) | (lmPasswd[4]>>4);
77 ((char *)key)[5] = ((lmPasswd[4]&0x1F)<<3) | (lmPasswd[5]>>5);
78 ((char *)key)[6] = ((lmPasswd[5]&0x3F)<<2) | (lmPasswd[6]>>6);
79 ((char *)key)[7] = ((lmPasswd[6]&0x7F)<<1);
81 des_set_odd_parity( key );
88 const char in[HASHLEN],
96 out->bv_val = ch_malloc(HASHLEN*2 + 1);
97 out->bv_len = HASHLEN*2;
100 b = (unsigned char *)in;
101 for (i=0; i<HASHLEN; i++) {
103 *a++ = hex[*b++ & 0x0f];
109 struct berval *passwd,
113 char UcasePassword[15];
115 des_key_schedule schedule;
116 des_cblock StdText = "KGS!@#$%";
119 strncpy( UcasePassword, passwd->bv_val, 14 );
120 UcasePassword[14] = '\0';
121 ldap_pvt_str2upper( UcasePassword );
123 lmPasswd_to_key( UcasePassword, &key );
124 des_set_key_unchecked( &key, schedule );
125 des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT );
127 lmPasswd_to_key( &UcasePassword[7], &key );
128 des_set_key_unchecked( &key, schedule );
129 des_ecb_encrypt( &StdText, &hbuf[1], schedule , DES_ENCRYPT );
131 hexify( (char *)hbuf, hash );
135 struct berval *passwd,
139 /* Windows currently only allows 14 character passwords, but
140 * may support up to 256 in the future. We assume this means
141 * 256 UCS2 characters, not 256 bytes...
147 if (passwd->bv_len > MAX_PWLEN*2)
148 passwd->bv_len = MAX_PWLEN*2;
151 MD4_Update( &ctx, passwd->bv_val, passwd->bv_len );
152 MD4_Final( hbuf, &ctx );
154 hexify( hbuf, hash );
156 #endif /* DO_SAMBA */
158 int smbk5pwd_exop_passwd(
163 req_pwdexop_s *qpw = &op->oq_pwdexop;
167 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
169 /* Not the operation we expected, pass it on... */
170 if ( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) ) {
171 return SLAP_CB_CONTINUE;
174 op->o_bd->bd_info = (BackendInfo *)on->on_info;
175 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
176 if ( rc != LDAP_SUCCESS ) return rc;
186 if ( !is_entry_objectclass(e, oc_krb5KDCEntry, 0 ) ) break;
188 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
191 memset( &ent, 0, sizeof(ent) );
192 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
195 a = attr_find( e->e_attrs, ad_krb5KeyVersionNumber );
197 kvno = atoi(a->a_vals[0].bv_val);
199 /* shouldn't happen, this is a required attr */
203 ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val);
204 hdb_seal_keys(context, db, &ent);
205 krb5_free_principal( context, ent.principal );
207 keys = ch_malloc( (ent.keys.len + 1) * sizeof(struct berval));
209 for (i = 0; i < ent.keys.len; i++) {
213 ASN1_MALLOC_ENCODE(Key, buf, len, &ent.keys.val[i], &len, ret);
217 keys[i].bv_val = buf;
218 keys[i].bv_len = len;
220 keys[i].bv_val = NULL;
223 if ( i != ent.keys.len ) {
224 ber_bvarray_free( keys );
228 ml = ch_malloc(sizeof(Modifications));
229 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
230 ml->sml_next = qpw->rs_mods;
233 ml->sml_desc = ad_krb5Key;
234 ml->sml_op = LDAP_MOD_REPLACE;
235 ml->sml_values = keys;
236 ml->sml_nvalues = NULL;
238 ml = ch_malloc(sizeof(Modifications));
239 ml->sml_next = qpw->rs_mods;
242 ml->sml_desc = ad_krb5KeyVersionNumber;
243 ml->sml_op = LDAP_MOD_REPLACE;
244 ml->sml_values = ch_malloc( 2 * sizeof(struct berval));
245 ml->sml_values[0].bv_val = ch_malloc( 64 );
246 ml->sml_values[0].bv_len = sprintf(ml->sml_values[0].bv_val,
248 ml->sml_values[1].bv_val = NULL;
249 ml->sml_values[1].bv_len = 0;
250 ml->sml_nvalues = NULL;
256 if ( is_entry_objectclass(e, oc_sambaSamAccount, 0 ) ) {
263 /* Expand incoming UTF8 string to UCS4 */
264 l = ldap_utf8_chars(qpw->rs_new.bv_val);
265 wcs = ch_malloc((l+1) * sizeof(wchar_t));
267 ldap_x_utf8s_to_wcs( wcs, qpw->rs_new.bv_val, l );
269 /* Truncate UCS4 to UCS2 */
271 for (j=0; j<l; j++) {
274 *c++ = (wc >> 8) & 0xff;
277 pwd.bv_val = (char *)wcs;
280 ml = ch_malloc(sizeof(Modifications));
281 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
282 ml->sml_next = qpw->rs_mods;
285 keys = ch_malloc( 2 * sizeof(struct berval) );
286 keys[1].bv_val = NULL;
288 nthash( &pwd, keys );
290 ml->sml_desc = ad_sambaNTPassword;
291 ml->sml_op = LDAP_MOD_REPLACE;
292 ml->sml_values = keys;
293 ml->sml_nvalues = NULL;
295 /* Truncate UCS2 to 8-bit ASCII */
298 for (j=1; j<l; j++) {
303 ml = ch_malloc(sizeof(Modifications));
304 ml->sml_next = qpw->rs_mods;
307 keys = ch_malloc( 2 * sizeof(struct berval) );
308 keys[1].bv_val = NULL;
310 lmhash( &pwd, keys );
312 ml->sml_desc = ad_sambaLMPassword;
313 ml->sml_op = LDAP_MOD_REPLACE;
314 ml->sml_values = keys;
315 ml->sml_nvalues = NULL;
319 ml = ch_malloc(sizeof(Modifications));
320 ml->sml_next = qpw->rs_mods;
323 keys = ch_malloc( 2 * sizeof(struct berval) );
324 keys[1].bv_val = NULL;
326 keys[0].bv_val = ch_malloc(16);
327 keys[0].bv_len = sprintf(keys[0].bv_val, "%d",
330 ml->sml_desc = ad_sambaPwdLastSet;
331 ml->sml_op = LDAP_MOD_REPLACE;
332 ml->sml_values = keys;
333 ml->sml_nvalues = NULL;
335 #endif /* DO_SAMBA */
336 be_entry_release_r( op, e );
338 return SLAP_CB_CONTINUE;
341 static slap_overinst smbk5pwd;
343 int smbk5pwd_init() {
349 extern HDB * _kadm5_s_get_db(void *);
351 /* Make sure all of our necessary schema items are loaded */
352 oc_krb5KDCEntry = oc_find("krb5KDCEntry");
353 if ( !oc_krb5KDCEntry ) return -1;
355 rc = slap_str2ad( "krb5Key", &ad_krb5Key, &text );
357 rc = slap_str2ad( "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber, &text );
359 rc = slap_str2ad( "krb5PrincipalName", &ad_krb5PrincipalName, &text );
362 /* Initialize Kerberos context */
363 ret = krb5_init_context(&context);
368 ret = kadm5_s_init_with_password_ctx( context,
372 &conf, 0, 0, &kadm_context );
374 db = _kadm5_s_get_db(kadm_context);
378 oc_sambaSamAccount = oc_find("sambaSamAccount");
379 if ( !oc_sambaSamAccount ) return -1;
381 rc = slap_str2ad( "sambaLMPassword", &ad_sambaLMPassword, &text );
383 rc = slap_str2ad( "sambaNTPassword", &ad_sambaNTPassword, &text );
385 rc = slap_str2ad( "sambaPwdLastSet", &ad_sambaPwdLastSet, &text );
387 #endif /* DO_SAMBA */
389 smbk5pwd.on_bi.bi_type = "smbk5pwd";
390 smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd;
392 return overlay_register( &smbk5pwd );
395 #if SLAPD_OVER_SMBK5PWD == SLAPD_MOD_DYNAMIC
396 int init_module(int argc, char *argv[]) {
397 return smbk5pwd_init();
401 #endif /* defined(SLAPD_OVER_SMBK5PWD) */