1 /* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
4 * Copyright 2004-2005 by Howard Chu, Symas Corp.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
16 * Support for table-driven configuration added by Pierangelo Masarati.
17 * Support for sambaPwdMustChange and sambaPwdCanChange added by Marco D'Ettorre.
19 * The conditions of the OpenLDAP Public License apply.
24 #ifndef SLAPD_OVER_SMBK5PWD
25 #define SLAPD_OVER_SMBK5PWD SLAPD_MOD_DYNAMIC
28 #ifdef SLAPD_OVER_SMBK5PWD
32 #include <ac/string.h>
41 /* make ASN1_MALLOC_ENCODE use our allocator */
42 #define malloc ch_malloc
45 #include <kadm5/admin.h>
48 #ifndef HDB_INTERFACE_VERSION
49 #define HDB_MASTER_KEY_SET master_key_set
51 #define HDB_MASTER_KEY_SET hdb_master_key_set
54 static krb5_context context;
55 static void *kadm_context;
56 static kadm5_config_params conf;
59 static AttributeDescription *ad_krb5Key;
60 static AttributeDescription *ad_krb5KeyVersionNumber;
61 static AttributeDescription *ad_krb5PrincipalName;
62 static AttributeDescription *ad_krb5ValidEnd;
63 static ObjectClass *oc_krb5KDCEntry;
69 typedef unsigned char DES_cblock[8];
71 #include <openssl/des.h>
72 #include <openssl/md4.h>
74 #include "ldap_utf8.h"
76 static AttributeDescription *ad_sambaLMPassword;
77 static AttributeDescription *ad_sambaNTPassword;
78 static AttributeDescription *ad_sambaPwdLastSet;
79 static AttributeDescription *ad_sambaPwdMustChange;
80 static AttributeDescription *ad_sambaPwdCanChange;
81 static ObjectClass *oc_sambaSamAccount;
84 /* Per-instance configuration information */
85 typedef struct smbk5pwd_t {
87 #define SMBK5PWD_F_KRB5 (0x1U)
88 #define SMBK5PWD_F_SAMBA (0x2U)
90 #define SMBK5PWD_DO_KRB5(pi) ((pi)->mode & SMBK5PWD_F_KRB5)
91 #define SMBK5PWD_DO_SAMBA(pi) ((pi)->mode & SMBK5PWD_F_SAMBA)
98 /* How many seconds before forcing a password change? */
99 time_t smb_must_change;
100 /* How many seconds after allowing a password change? */
101 time_t smb_can_change;
105 static const unsigned SMBK5PWD_F_ALL =
115 static int smbk5pwd_modules_init( smbk5pwd_t *pi );
118 static const char hex[] = "0123456789abcdef";
120 /* From liblutil/passwd.c... */
121 static void lmPasswd_to_key(
122 const char *lmPasswd,
125 const unsigned char *lpw = (const unsigned char *)lmPasswd;
126 unsigned char *k = (unsigned char *)key;
128 /* make room for parity bits */
130 k[1] = ((lpw[0]&0x01)<<7) | (lpw[1]>>1);
131 k[2] = ((lpw[1]&0x03)<<6) | (lpw[2]>>2);
132 k[3] = ((lpw[2]&0x07)<<5) | (lpw[3]>>3);
133 k[4] = ((lpw[3]&0x0F)<<4) | (lpw[4]>>4);
134 k[5] = ((lpw[4]&0x1F)<<3) | (lpw[5]>>5);
135 k[6] = ((lpw[5]&0x3F)<<2) | (lpw[6]>>6);
136 k[7] = ((lpw[6]&0x7F)<<1);
139 des_set_odd_parity( key );
143 #define MAX_PWLEN 256
147 const char in[HASHLEN],
155 out->bv_val = ch_malloc(HASHLEN*2 + 1);
156 out->bv_len = HASHLEN*2;
159 b = (unsigned char *)in;
160 for (i=0; i<HASHLEN; i++) {
162 *a++ = hex[*b++ & 0x0f];
168 struct berval *passwd,
172 char UcasePassword[15];
174 DES_cblock StdText = "KGS!@#$%";
177 DES_key_schedule schedule;
178 #elif defined(HAVE_GNUTLS)
179 gcry_cipher_hd_t h = NULL;
182 err = gcry_cipher_open( &h, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_CBC, 0 );
186 strncpy( UcasePassword, passwd->bv_val, 14 );
187 UcasePassword[14] = '\0';
188 ldap_pvt_str2upper( UcasePassword );
190 lmPasswd_to_key( UcasePassword, &key );
192 err = gcry_cipher_setkey( h, &key, sizeof(key) );
194 err = gcry_cipher_encrypt( h, &hbuf[0], sizeof(key), &StdText, sizeof(key) );
196 gcry_cipher_reset( h );
197 lmPasswd_to_key( &UcasePassword[7], &key );
198 err = gcry_cipher_setkey( h, &key, sizeof(key) );
200 err = gcry_cipher_encrypt( h, &hbuf[1], sizeof(key), &StdText, sizeof(key) );
203 gcry_cipher_close( h );
205 #elif defined(HAVE_OPENSSL)
206 des_set_key_unchecked( &key, schedule );
207 des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT );
209 lmPasswd_to_key( &UcasePassword[7], &key );
210 des_set_key_unchecked( &key, schedule );
211 des_ecb_encrypt( &StdText, &hbuf[1], schedule , DES_ENCRYPT );
214 hexify( (char *)hbuf, hash );
218 struct berval *passwd,
222 /* Windows currently only allows 14 character passwords, but
223 * may support up to 256 in the future. We assume this means
224 * 256 UCS2 characters, not 256 bytes...
231 if (passwd->bv_len > MAX_PWLEN*2)
232 passwd->bv_len = MAX_PWLEN*2;
236 MD4_Update( &ctx, passwd->bv_val, passwd->bv_len );
237 MD4_Final( (unsigned char *)hbuf, &ctx );
238 #elif defined(HAVE_GNUTLS)
239 gcry_md_hash_buffer(GCRY_MD_MD4, hbuf, passwd->bv_val, passwd->bv_len );
242 hexify( hbuf, hash );
244 #endif /* DO_SAMBA */
248 static int smbk5pwd_op_cleanup(
254 /* clear out the current key */
255 ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup,
256 NULL, 0, NULL, NULL );
258 /* free the callback */
260 op->o_callback = cb->sc_next;
261 op->o_tmpfree( cb, op->o_tmpmemctx );
265 static int smbk5pwd_op_bind(
269 /* If this is a simple Bind, stash the Op pointer so our chk
270 * function can find it. Set a cleanup callback to clear it
271 * out when the Bind completes.
273 if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE ) {
275 ldap_pvt_thread_pool_setkey( op->o_threadctx,
276 smbk5pwd_op_cleanup, op, 0, NULL, NULL );
277 cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
278 cb->sc_cleanup = smbk5pwd_op_cleanup;
279 cb->sc_next = op->o_callback;
282 return SLAP_CB_CONTINUE;
285 static LUTIL_PASSWD_CHK_FUNC k5key_chk;
286 static LUTIL_PASSWD_HASH_FUNC k5key_hash;
287 static const struct berval k5key_scheme = BER_BVC("{K5KEY}");
289 /* This password scheme stores no data in the userPassword attribute
290 * other than the scheme name. It assumes the invoking entry is a
291 * krb5KDCentry and compares the passed-in credentials against the
292 * krb5Key attribute. The krb5Key may be multi-valued, but they are
293 * simply multiple keytypes generated from the same input string, so
294 * only the first value needs to be compared here.
296 * Since the lutil_passwd API doesn't pass the Entry object in, we
297 * have to fetch it ourselves in order to get access to the other
298 * attributes. We accomplish this with the help of the overlay's Bind
299 * function, which stores the current Operation pointer in thread-specific
300 * storage so we can retrieve it here. The Operation provides all
301 * the necessary context for us to get Entry from the database.
303 static int k5key_chk(
304 const struct berval *sc,
305 const struct berval *passwd,
306 const struct berval *cred,
319 /* Find our thread context, find our Operation */
320 ctx = ldap_pvt_thread_pool_context();
322 if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, &op_tmp, NULL )
324 return LUTIL_PASSWD_ERR;
327 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
328 if ( rc != LDAP_SUCCESS ) return LUTIL_PASSWD_ERR;
330 rc = LUTIL_PASSWD_ERR;
335 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
338 memset( &ent, 0, sizeof(ent) );
339 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
342 a = attr_find( e->e_attrs, ad_krb5ValidEnd );
345 struct lutil_timet tt;
346 if ( lutil_parsetime( a->a_vals[0].bv_val, &tm ) == 0 &&
347 lutil_tm2time( &tm, &tt ) == 0 && tt.tt_usec < op->o_time ) {
348 /* Account is expired */
349 rc = LUTIL_PASSWD_ERR;
354 krb5_get_pw_salt( context, ent.principal, &salt );
355 krb5_free_principal( context, ent.principal );
357 a = attr_find( e->e_attrs, ad_krb5Key );
361 ent.keys.val = &ekey;
362 decode_Key((unsigned char *) a->a_vals[0].bv_val,
363 (size_t) a->a_vals[0].bv_len, &ent.keys.val[0], &l);
364 if ( db->HDB_MASTER_KEY_SET )
365 hdb_unseal_keys( context, db, &ent );
367 krb5_string_to_key_salt( context, ekey.key.keytype, cred->bv_val,
370 krb5_free_salt( context, salt );
372 if ( memcmp( ekey.key.keyvalue.data, key.keyvalue.data,
373 key.keyvalue.length ) == 0 ) rc = LUTIL_PASSWD_OK;
375 krb5_free_keyblock_contents( context, &key );
376 krb5_free_keyblock_contents( context, &ekey.key );
379 be_entry_release_r( op, e );
383 static int k5key_hash(
384 const struct berval *scheme,
385 const struct berval *passwd,
389 ber_dupbv( hash, (struct berval *)&k5key_scheme );
390 return LUTIL_PASSWD_OK;
394 static int smbk5pwd_exop_passwd(
399 req_pwdexop_s *qpw = &op->oq_pwdexop;
402 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
403 smbk5pwd_t *pi = on->on_bi.bi_private;
406 /* Not the operation we expected, pass it on... */
407 if ( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) ) {
408 return SLAP_CB_CONTINUE;
411 op->o_bd->bd_info = (BackendInfo *)on->on_info;
412 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
413 if ( rc != LDAP_SUCCESS ) return rc;
415 term = qpw->rs_new.bv_val[qpw->rs_new.bv_len];
416 qpw->rs_new.bv_val[qpw->rs_new.bv_len] = '\0';
427 if ( !SMBK5PWD_DO_KRB5( pi ) ) break;
429 if ( !is_entry_objectclass(e, oc_krb5KDCEntry, 0 ) ) break;
431 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
434 memset( &ent, 0, sizeof(ent) );
435 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
438 a = attr_find( e->e_attrs, ad_krb5KeyVersionNumber );
441 if ( lutil_atoi( &kvno, a->a_vals[0].bv_val ) != 0 ) {
442 Debug( LDAP_DEBUG_ANY, "%s smbk5pwd EXOP: "
443 "dn=\"%s\" unable to parse krb5KeyVersionNumber=\"%s\"\n",
444 op->o_log_prefix, e->e_name.bv_val, a->a_vals[0].bv_val );
448 /* shouldn't happen, this is a required attr */
449 Debug( LDAP_DEBUG_ANY, "%s smbk5pwd EXOP: "
450 "dn=\"%s\" missing krb5KeyVersionNumber\n",
451 op->o_log_prefix, e->e_name.bv_val, 0 );
454 ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val);
455 hdb_seal_keys(context, db, &ent);
456 krb5_free_principal( context, ent.principal );
458 keys = ch_malloc( (ent.keys.len + 1) * sizeof(struct berval));
460 for (i = 0; i < ent.keys.len; i++) {
464 ASN1_MALLOC_ENCODE(Key, buf, len, &ent.keys.val[i], &len, ret);
468 keys[i].bv_val = (char *)buf;
469 keys[i].bv_len = len;
471 BER_BVZERO( &keys[i] );
473 _kadm5_free_keys(kadm_context, ent.keys.len, ent.keys.val);
475 if ( i != ent.keys.len ) {
476 ber_bvarray_free( keys );
480 ml = ch_malloc(sizeof(Modifications));
481 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
482 ml->sml_next = qpw->rs_mods;
485 ml->sml_desc = ad_krb5Key;
486 ml->sml_op = LDAP_MOD_REPLACE;
487 #ifdef SLAP_MOD_INTERNAL
488 ml->sml_flags = SLAP_MOD_INTERNAL;
491 ml->sml_values = keys;
492 ml->sml_nvalues = NULL;
494 ml = ch_malloc(sizeof(Modifications));
495 ml->sml_next = qpw->rs_mods;
498 ml->sml_desc = ad_krb5KeyVersionNumber;
499 ml->sml_op = LDAP_MOD_REPLACE;
500 #ifdef SLAP_MOD_INTERNAL
501 ml->sml_flags = SLAP_MOD_INTERNAL;
504 ml->sml_values = ch_malloc( 2 * sizeof(struct berval));
505 ml->sml_values[0].bv_val = ch_malloc( 64 );
506 ml->sml_values[0].bv_len = sprintf(ml->sml_values[0].bv_val,
508 BER_BVZERO( &ml->sml_values[1] );
509 ml->sml_nvalues = NULL;
515 if ( SMBK5PWD_DO_SAMBA( pi ) && is_entry_objectclass(e, oc_sambaSamAccount, 0 ) ) {
522 /* Expand incoming UTF8 string to UCS4 */
523 l = ldap_utf8_chars(qpw->rs_new.bv_val);
524 wcs = ch_malloc((l+1) * sizeof(wchar_t));
526 ldap_x_utf8s_to_wcs( wcs, qpw->rs_new.bv_val, l );
528 /* Truncate UCS4 to UCS2 */
530 for (j=0; j<l; j++) {
533 *c++ = (wc >> 8) & 0xff;
536 pwd.bv_val = (char *)wcs;
539 ml = ch_malloc(sizeof(Modifications));
540 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
541 ml->sml_next = qpw->rs_mods;
544 keys = ch_malloc( 2 * sizeof(struct berval) );
545 BER_BVZERO( &keys[1] );
546 nthash( &pwd, keys );
548 ml->sml_desc = ad_sambaNTPassword;
549 ml->sml_op = LDAP_MOD_REPLACE;
550 #ifdef SLAP_MOD_INTERNAL
551 ml->sml_flags = SLAP_MOD_INTERNAL;
554 ml->sml_values = keys;
555 ml->sml_nvalues = NULL;
557 /* Truncate UCS2 to 8-bit ASCII */
560 for (j=1; j<l; j++) {
565 pwd.bv_val[pwd.bv_len] = '\0';
567 ml = ch_malloc(sizeof(Modifications));
568 ml->sml_next = qpw->rs_mods;
571 keys = ch_malloc( 2 * sizeof(struct berval) );
572 BER_BVZERO( &keys[1] );
573 lmhash( &pwd, keys );
575 ml->sml_desc = ad_sambaLMPassword;
576 ml->sml_op = LDAP_MOD_REPLACE;
577 #ifdef SLAP_MOD_INTERNAL
578 ml->sml_flags = SLAP_MOD_INTERNAL;
581 ml->sml_values = keys;
582 ml->sml_nvalues = NULL;
586 ml = ch_malloc(sizeof(Modifications));
587 ml->sml_next = qpw->rs_mods;
590 keys = ch_malloc( 2 * sizeof(struct berval) );
591 keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
592 keys[0].bv_len = snprintf(keys[0].bv_val,
593 LDAP_PVT_INTTYPE_CHARS(long),
594 "%ld", slap_get_time());
595 BER_BVZERO( &keys[1] );
597 ml->sml_desc = ad_sambaPwdLastSet;
598 ml->sml_op = LDAP_MOD_REPLACE;
599 #ifdef SLAP_MOD_INTERNAL
600 ml->sml_flags = SLAP_MOD_INTERNAL;
603 ml->sml_values = keys;
604 ml->sml_nvalues = NULL;
606 if (pi->smb_must_change)
608 ml = ch_malloc(sizeof(Modifications));
609 ml->sml_next = qpw->rs_mods;
612 keys = ch_malloc( 2 * sizeof(struct berval) );
613 keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
614 keys[0].bv_len = snprintf(keys[0].bv_val,
615 LDAP_PVT_INTTYPE_CHARS(long),
616 "%ld", slap_get_time() + pi->smb_must_change);
617 BER_BVZERO( &keys[1] );
619 ml->sml_desc = ad_sambaPwdMustChange;
620 ml->sml_op = LDAP_MOD_REPLACE;
621 #ifdef SLAP_MOD_INTERNAL
622 ml->sml_flags = SLAP_MOD_INTERNAL;
625 ml->sml_values = keys;
626 ml->sml_nvalues = NULL;
629 if (pi->smb_can_change)
631 ml = ch_malloc(sizeof(Modifications));
632 ml->sml_next = qpw->rs_mods;
635 keys = ch_malloc( 2 * sizeof(struct berval) );
636 keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
637 keys[0].bv_len = snprintf(keys[0].bv_val,
638 LDAP_PVT_INTTYPE_CHARS(long),
639 "%ld", slap_get_time() + pi->smb_can_change);
640 BER_BVZERO( &keys[1] );
642 ml->sml_desc = ad_sambaPwdCanChange;
643 ml->sml_op = LDAP_MOD_REPLACE;
644 #ifdef SLAP_MOD_INTERNAL
645 ml->sml_flags = SLAP_MOD_INTERNAL;
648 ml->sml_values = keys;
649 ml->sml_nvalues = NULL;
652 #endif /* DO_SAMBA */
653 be_entry_release_r( op, e );
654 qpw->rs_new.bv_val[qpw->rs_new.bv_len] = term;
656 return SLAP_CB_CONTINUE;
659 static slap_overinst smbk5pwd;
661 /* back-config stuff */
663 PC_SMB_MUST_CHANGE = 1,
668 static ConfigDriver smbk5pwd_cf_func;
671 * NOTE: uses OID arcs OLcfgCtAt:1 and OLcfgCtOc:1
674 static ConfigTable smbk5pwd_cfats[] = {
675 { "smbk5pwd-enable", "arg",
676 2, 0, 0, ARG_MAGIC|PC_SMB_ENABLE, smbk5pwd_cf_func,
677 "( OLcfgCtAt:1.1 NAME 'olcSmbK5PwdEnable' "
678 "DESC 'Modules to be enabled' "
679 "SYNTAX OMsDirectoryString )", NULL, NULL },
680 { "smbk5pwd-must-change", "time",
681 2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_MUST_CHANGE, smbk5pwd_cf_func,
682 "( OLcfgCtAt:1.2 NAME 'olcSmbK5PwdMustChange' "
683 "DESC 'Credentials validity interval' "
684 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
685 { "smbk5pwd-can-change", "time",
686 2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_CAN_CHANGE, smbk5pwd_cf_func,
687 "( OLcfgCtAt:1.3 NAME 'olcSmbK5PwdCanChange' "
688 "DESC 'Credentials minimum validity interval' "
689 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
691 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
694 static ConfigOCs smbk5pwd_cfocs[] = {
696 "NAME 'olcSmbK5PwdConfig' "
697 "DESC 'smbk5pwd overlay configuration' "
698 "SUP olcOverlayConfig "
701 "$ olcSmbK5PwdMustChange "
702 "$ olcSmbK5PwdCanChange "
703 ") )", Cft_Overlay, smbk5pwd_cfats },
709 * add here other functionalities; handle their initialization
710 * as appropriate in smbk5pwd_modules_init().
712 static slap_verbmasks smbk5pwd_modules[] = {
713 { BER_BVC( "krb5" ), SMBK5PWD_F_KRB5 },
714 { BER_BVC( "samba" ), SMBK5PWD_F_SAMBA },
719 smbk5pwd_cf_func( ConfigArgs *c )
721 slap_overinst *on = (slap_overinst *)c->bi;
724 smbk5pwd_t *pi = on->on_bi.bi_private;
726 if ( c->op == SLAP_CONFIG_EMIT ) {
728 case PC_SMB_MUST_CHANGE:
730 c->value_int = pi->smb_must_change;
731 #else /* ! DO_SAMBA */
733 #endif /* ! DO_SAMBA */
736 case PC_SMB_CAN_CHANGE:
738 c->value_int = pi->smb_can_change;
739 #else /* ! DO_SAMBA */
741 #endif /* ! DO_SAMBA */
745 c->rvalue_vals = NULL;
747 mask_to_verbs( smbk5pwd_modules, pi->mode, &c->rvalue_vals );
748 if ( c->rvalue_vals == NULL ) {
760 } else if ( c->op == LDAP_MOD_DELETE ) {
762 case PC_SMB_MUST_CHANGE:
765 case PC_SMB_CAN_CHANGE:
775 m = verb_to_mask( c->line, smbk5pwd_modules );
788 case PC_SMB_MUST_CHANGE:
790 if ( c->value_int < 0 ) {
791 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
792 "<%s> invalid negative value \"%d\".",
793 c->log, c->argv[ 0 ], 0 );
796 pi->smb_must_change = c->value_int;
797 #else /* ! DO_SAMBA */
798 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
799 "<%s> only meaningful "
800 "when compiled with -DDO_SAMBA.\n",
801 c->log, c->argv[ 0 ], 0 );
803 #endif /* ! DO_SAMBA */
806 case PC_SMB_CAN_CHANGE:
808 if ( c->value_int < 0 ) {
809 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
810 "<%s> invalid negative value \"%d\".",
811 c->log, c->argv[ 0 ], 0 );
814 pi->smb_can_change = c->value_int;
815 #else /* ! DO_SAMBA */
816 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
817 "<%s> only meaningful "
818 "when compiled with -DDO_SAMBA.\n",
819 c->log, c->argv[ 0 ], 0 );
821 #endif /* ! DO_SAMBA */
824 case PC_SMB_ENABLE: {
825 slap_mask_t mode = pi->mode, m;
827 rc = verbs_to_mask( c->argc, c->argv, smbk5pwd_modules, &m );
829 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
830 "<%s> unknown module \"%s\".\n",
831 c->log, c->argv[ 0 ], c->argv[ rc ] );
835 /* we can hijack the smbk5pwd_t structure because
836 * from within the configuration, this is the only
841 if ( SMBK5PWD_DO_KRB5( pi ) ) {
842 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
843 "<%s> module \"%s\" only allowed when compiled with -DDO_KRB5.\n",
844 c->log, c->argv[ 0 ], c->argv[ rc ] );
848 #endif /* ! DO_KRB5 */
851 if ( SMBK5PWD_DO_SAMBA( pi ) ) {
852 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
853 "<%s> module \"%s\" only allowed when compiled with -DDO_SAMBA.\n",
854 c->log, c->argv[ 0 ], c->argv[ rc ] );
858 #endif /* ! DO_SAMBA */
861 BackendDB db = *c->be;
863 /* Re-initialize the module, because
864 * the configuration might have changed */
865 db.bd_info = (BackendInfo *)on;
866 rc = smbk5pwd_modules_init( pi );
883 smbk5pwd_modules_init( smbk5pwd_t *pi )
887 AttributeDescription **adp;
891 { "krb5Key", &ad_krb5Key },
892 { "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber },
893 { "krb5PrincipalName", &ad_krb5PrincipalName },
894 { "krb5ValidEnd", &ad_krb5ValidEnd },
900 { "sambaLMPassword", &ad_sambaLMPassword },
901 { "sambaNTPassword", &ad_sambaNTPassword },
902 { "sambaPwdLastSet", &ad_sambaPwdLastSet },
903 { "sambaPwdMustChange", &ad_sambaPwdMustChange },
904 { "sambaPwdCanChange", &ad_sambaPwdCanChange },
907 #endif /* DO_SAMBA */
910 /* this is to silence the unused var warning */
911 dummy_ad.name = NULL;
914 if ( SMBK5PWD_DO_KRB5( pi ) && oc_krb5KDCEntry == NULL ) {
916 extern HDB *_kadm5_s_get_db(void *);
920 /* Make sure all of our necessary schema items are loaded */
921 oc_krb5KDCEntry = oc_find( "krb5KDCEntry" );
922 if ( !oc_krb5KDCEntry ) {
923 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
924 "unable to find \"krb5KDCEntry\" objectClass.\n",
929 for ( i = 0; krb5_ad[ i ].name != NULL; i++ ) {
932 *(krb5_ad[ i ].adp) = NULL;
934 rc = slap_str2ad( krb5_ad[ i ].name, krb5_ad[ i ].adp, &text );
935 if ( rc != LDAP_SUCCESS ) {
936 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
937 "unable to find \"%s\" attributeType: %s (%d).\n",
938 krb5_ad[ i ].name, text, rc );
939 oc_krb5KDCEntry = NULL;
944 /* Initialize Kerberos context */
945 ret = krb5_init_context(&context);
947 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
948 "unable to initialize krb5 context (%d).\n",
950 oc_krb5KDCEntry = NULL;
954 ret = kadm5_s_init_with_password_ctx( context,
958 &conf, 0, 0, &kadm_context );
960 char *err_str, *err_msg = "<unknown error>";
961 err_str = krb5_get_error_string( context );
963 err_msg = (char *)krb5_get_err_text( context, ret );
964 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
965 "unable to initialize krb5 admin context: %s (%d).\n",
966 err_str ? err_str : err_msg, ret, 0 );
968 krb5_free_error_string( context, err_str );
969 krb5_free_context( context );
970 oc_krb5KDCEntry = NULL;
974 db = _kadm5_s_get_db( kadm_context );
979 if ( SMBK5PWD_DO_SAMBA( pi ) && oc_sambaSamAccount == NULL ) {
982 oc_sambaSamAccount = oc_find( "sambaSamAccount" );
983 if ( !oc_sambaSamAccount ) {
984 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
985 "unable to find \"sambaSamAccount\" objectClass.\n",
990 for ( i = 0; samba_ad[ i ].name != NULL; i++ ) {
993 *(samba_ad[ i ].adp) = NULL;
995 rc = slap_str2ad( samba_ad[ i ].name, samba_ad[ i ].adp, &text );
996 if ( rc != LDAP_SUCCESS ) {
997 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
998 "unable to find \"%s\" attributeType: %s (%d).\n",
999 samba_ad[ i ].name, text, rc );
1000 oc_sambaSamAccount = NULL;
1005 #endif /* DO_SAMBA */
1011 smbk5pwd_db_init(BackendDB *be, ConfigReply *cr)
1013 slap_overinst *on = (slap_overinst *)be->bd_info;
1016 pi = ch_calloc( 1, sizeof( smbk5pwd_t ) );
1020 on->on_bi.bi_private = (void *)pi;
1026 smbk5pwd_db_open(BackendDB *be, ConfigReply *cr)
1028 slap_overinst *on = (slap_overinst *)be->bd_info;
1029 smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private;
1033 if ( pi->mode == 0 ) {
1034 pi->mode = SMBK5PWD_F_ALL;
1037 rc = smbk5pwd_modules_init( pi );
1046 smbk5pwd_db_destroy(BackendDB *be, ConfigReply *cr)
1048 slap_overinst *on = (slap_overinst *)be->bd_info;
1049 smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private;
1059 smbk5pwd_initialize(void)
1063 smbk5pwd.on_bi.bi_type = "smbk5pwd";
1065 smbk5pwd.on_bi.bi_db_init = smbk5pwd_db_init;
1066 smbk5pwd.on_bi.bi_db_open = smbk5pwd_db_open;
1067 smbk5pwd.on_bi.bi_db_destroy = smbk5pwd_db_destroy;
1069 smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd;
1072 smbk5pwd.on_bi.bi_op_bind = smbk5pwd_op_bind;
1074 lutil_passwd_add( (struct berval *)&k5key_scheme, k5key_chk, k5key_hash );
1077 smbk5pwd.on_bi.bi_cf_ocs = smbk5pwd_cfocs;
1079 rc = config_register_schema( smbk5pwd_cfats, smbk5pwd_cfocs );
1084 return overlay_register( &smbk5pwd );
1087 #if SLAPD_OVER_SMBK5PWD == SLAPD_MOD_DYNAMIC
1088 int init_module(int argc, char *argv[]) {
1089 return smbk5pwd_initialize();
1093 #endif /* defined(SLAPD_OVER_SMBK5PWD) */