1 /* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
4 * Copyright 2004-2005 by Howard Chu, Symas Corp.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
18 #ifndef SLAPD_OVER_SMBK5PWD
19 #define SLAPD_OVER_SMBK5PWD SLAPD_MOD_DYNAMIC
22 #ifdef SLAPD_OVER_SMBK5PWD
26 #include <ac/string.h>
35 /* make ASN1_MALLOC_ENCODE use our allocator */
36 #define malloc ch_malloc
39 #include <kadm5/admin.h>
42 #ifndef HDB_INTERFACE_VERSION
43 #define HDB_MASTER_KEY_SET master_key_set
45 #define HDB_MASTER_KEY_SET hdb_master_key_set
48 static krb5_context context;
49 static void *kadm_context;
50 static kadm5_config_params conf;
53 static AttributeDescription *ad_krb5Key;
54 static AttributeDescription *ad_krb5KeyVersionNumber;
55 static AttributeDescription *ad_krb5PrincipalName;
56 static ObjectClass *oc_krb5KDCEntry;
60 #include <openssl/des.h>
61 #include <openssl/md4.h>
62 #include "ldap_utf8.h"
64 static AttributeDescription *ad_sambaLMPassword;
65 static AttributeDescription *ad_sambaNTPassword;
66 static AttributeDescription *ad_sambaPwdLastSet;
67 static AttributeDescription *ad_sambaPwdMustChange;
68 static ObjectClass *oc_sambaSamAccount;
71 /* Per-instance configuration information */
72 typedef struct smbk5pwd_t {
74 #define SMBK5PWD_F_KRB5 (0x1U)
75 #define SMBK5PWD_F_SAMBA (0x2U)
77 #define SMBK5PWD_DO_KRB5(pi) ((pi)->mode & SMBK5PWD_F_KRB5)
78 #define SMBK5PWD_DO_SAMBA(pi) ((pi)->mode & SMBK5PWD_F_SAMBA)
85 /* How many seconds before forcing a password change? */
86 time_t smb_must_change;
90 static const unsigned SMBK5PWD_F_ALL =
100 static int smbk5pwd_modules_init( smbk5pwd_t *pi );
103 static const char hex[] = "0123456789abcdef";
105 /* From liblutil/passwd.c... */
106 static void lmPasswd_to_key(
107 const char *lmPasswd,
110 const unsigned char *lpw = (const unsigned char *)lmPasswd;
111 unsigned char *k = (unsigned char *)key;
113 /* make room for parity bits */
115 k[1] = ((lpw[0]&0x01)<<7) | (lpw[1]>>1);
116 k[2] = ((lpw[1]&0x03)<<6) | (lpw[2]>>2);
117 k[3] = ((lpw[2]&0x07)<<5) | (lpw[3]>>3);
118 k[4] = ((lpw[3]&0x0F)<<4) | (lpw[4]>>4);
119 k[5] = ((lpw[4]&0x1F)<<3) | (lpw[5]>>5);
120 k[6] = ((lpw[5]&0x3F)<<2) | (lpw[6]>>6);
121 k[7] = ((lpw[6]&0x7F)<<1);
123 des_set_odd_parity( key );
126 #define MAX_PWLEN 256
130 const char in[HASHLEN],
138 out->bv_val = ch_malloc(HASHLEN*2 + 1);
139 out->bv_len = HASHLEN*2;
142 b = (unsigned char *)in;
143 for (i=0; i<HASHLEN; i++) {
145 *a++ = hex[*b++ & 0x0f];
151 struct berval *passwd,
155 char UcasePassword[15];
157 des_key_schedule schedule;
158 des_cblock StdText = "KGS!@#$%";
161 strncpy( UcasePassword, passwd->bv_val, 14 );
162 UcasePassword[14] = '\0';
163 ldap_pvt_str2upper( UcasePassword );
165 lmPasswd_to_key( UcasePassword, &key );
166 des_set_key_unchecked( &key, schedule );
167 des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT );
169 lmPasswd_to_key( &UcasePassword[7], &key );
170 des_set_key_unchecked( &key, schedule );
171 des_ecb_encrypt( &StdText, &hbuf[1], schedule , DES_ENCRYPT );
173 hexify( (char *)hbuf, hash );
177 struct berval *passwd,
181 /* Windows currently only allows 14 character passwords, but
182 * may support up to 256 in the future. We assume this means
183 * 256 UCS2 characters, not 256 bytes...
188 if (passwd->bv_len > MAX_PWLEN*2)
189 passwd->bv_len = MAX_PWLEN*2;
192 MD4_Update( &ctx, passwd->bv_val, passwd->bv_len );
193 MD4_Final( (unsigned char *)hbuf, &ctx );
195 hexify( hbuf, hash );
197 #endif /* DO_SAMBA */
201 static int smbk5pwd_op_cleanup(
207 /* clear out the current key */
208 ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup,
211 /* free the callback */
213 op->o_callback = cb->sc_next;
214 op->o_tmpfree( cb, op->o_tmpmemctx );
218 static int smbk5pwd_op_bind(
222 /* If this is a simple Bind, stash the Op pointer so our chk
223 * function can find it. Set a cleanup callback to clear it
224 * out when the Bind completes.
226 if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE ) {
228 ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup, op,
230 cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
231 cb->sc_cleanup = smbk5pwd_op_cleanup;
232 cb->sc_next = op->o_callback;
235 return SLAP_CB_CONTINUE;
238 static LUTIL_PASSWD_CHK_FUNC k5key_chk;
239 static LUTIL_PASSWD_HASH_FUNC k5key_hash;
240 static const struct berval k5key_scheme = BER_BVC("{K5KEY}");
242 /* This password scheme stores no data in the userPassword attribute
243 * other than the scheme name. It assumes the invoking entry is a
244 * krb5KDCentry and compares the passed-in credentials against the
245 * krb5Key attribute. The krb5Key may be multi-valued, but they are
246 * simply multiple keytypes generated from the same input string, so
247 * only the first value needs to be compared here.
249 * Since the lutil_passwd API doesn't pass the Entry object in, we
250 * have to fetch it ourselves in order to get access to the other
251 * attributes. We accomplish this with the help of the overlay's Bind
252 * function, which stores the current Operation pointer in thread-specific
253 * storage so we can retrieve it here. The Operation provides all
254 * the necessary context for us to get Entry from the database.
256 static int k5key_chk(
257 const struct berval *sc,
258 const struct berval *passwd,
259 const struct berval *cred,
272 /* Find our thread context, find our Operation */
273 ctx = ldap_pvt_thread_pool_context();
275 if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, (void **)&op, NULL ) ||
277 return LUTIL_PASSWD_ERR;
279 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
280 if ( rc != LDAP_SUCCESS ) return LUTIL_PASSWD_ERR;
282 rc = LUTIL_PASSWD_ERR;
287 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
290 memset( &ent, 0, sizeof(ent) );
291 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
293 krb5_get_pw_salt( context, ent.principal, &salt );
294 krb5_free_principal( context, ent.principal );
296 a = attr_find( e->e_attrs, ad_krb5Key );
300 ent.keys.val = &ekey;
301 decode_Key((unsigned char *) a->a_vals[0].bv_val,
302 (size_t) a->a_vals[0].bv_len, &ent.keys.val[0], &l);
303 if ( db->HDB_MASTER_KEY_SET )
304 hdb_unseal_keys( context, db, &ent );
306 krb5_string_to_key_salt( context, ekey.key.keytype, cred->bv_val,
309 krb5_free_salt( context, salt );
311 if ( memcmp( ekey.key.keyvalue.data, key.keyvalue.data,
312 key.keyvalue.length ) == 0 ) rc = LUTIL_PASSWD_OK;
314 krb5_free_keyblock_contents( context, &key );
315 krb5_free_keyblock_contents( context, &ekey.key );
318 be_entry_release_r( op, e );
322 static int k5key_hash(
323 const struct berval *scheme,
324 const struct berval *passwd,
328 ber_dupbv( hash, (struct berval *)&k5key_scheme );
329 return LUTIL_PASSWD_OK;
333 static int smbk5pwd_exop_passwd(
338 req_pwdexop_s *qpw = &op->oq_pwdexop;
341 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
342 smbk5pwd_t *pi = on->on_bi.bi_private;
344 /* Not the operation we expected, pass it on... */
345 if ( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) ) {
346 return SLAP_CB_CONTINUE;
349 op->o_bd->bd_info = (BackendInfo *)on->on_info;
350 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
351 if ( rc != LDAP_SUCCESS ) return rc;
362 if ( !SMBK5PWD_DO_KRB5( pi ) ) break;
364 if ( !is_entry_objectclass(e, oc_krb5KDCEntry, 0 ) ) break;
366 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
369 memset( &ent, 0, sizeof(ent) );
370 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
373 a = attr_find( e->e_attrs, ad_krb5KeyVersionNumber );
375 kvno = atoi(a->a_vals[0].bv_val);
377 /* shouldn't happen, this is a required attr */
381 ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val);
382 hdb_seal_keys(context, db, &ent);
383 krb5_free_principal( context, ent.principal );
385 keys = ch_malloc( (ent.keys.len + 1) * sizeof(struct berval));
387 for (i = 0; i < ent.keys.len; i++) {
391 ASN1_MALLOC_ENCODE(Key, buf, len, &ent.keys.val[i], &len, ret);
395 keys[i].bv_val = (char *)buf;
396 keys[i].bv_len = len;
398 BER_BVZERO( &keys[i] );
400 _kadm5_free_keys(kadm_context, ent.keys.len, ent.keys.val);
402 if ( i != ent.keys.len ) {
403 ber_bvarray_free( keys );
407 ml = ch_malloc(sizeof(Modifications));
408 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
409 ml->sml_next = qpw->rs_mods;
412 ml->sml_desc = ad_krb5Key;
413 ml->sml_op = LDAP_MOD_REPLACE;
414 #ifdef SLAP_MOD_INTERNAL
415 ml->sml_flags = SLAP_MOD_INTERNAL;
417 ml->sml_values = keys;
418 ml->sml_nvalues = NULL;
420 ml = ch_malloc(sizeof(Modifications));
421 ml->sml_next = qpw->rs_mods;
424 ml->sml_desc = ad_krb5KeyVersionNumber;
425 ml->sml_op = LDAP_MOD_REPLACE;
426 #ifdef SLAP_MOD_INTERNAL
427 ml->sml_flags = SLAP_MOD_INTERNAL;
429 ml->sml_values = ch_malloc( 2 * sizeof(struct berval));
430 ml->sml_values[0].bv_val = ch_malloc( 64 );
431 ml->sml_values[0].bv_len = sprintf(ml->sml_values[0].bv_val,
433 BER_BVZERO( &ml->sml_values[1] );
434 ml->sml_nvalues = NULL;
440 if ( SMBK5PWD_DO_SAMBA( pi ) && is_entry_objectclass(e, oc_sambaSamAccount, 0 ) ) {
447 /* Expand incoming UTF8 string to UCS4 */
448 l = ldap_utf8_chars(qpw->rs_new.bv_val);
449 wcs = ch_malloc((l+1) * sizeof(wchar_t));
451 ldap_x_utf8s_to_wcs( wcs, qpw->rs_new.bv_val, l );
453 /* Truncate UCS4 to UCS2 */
455 for (j=0; j<l; j++) {
458 *c++ = (wc >> 8) & 0xff;
461 pwd.bv_val = (char *)wcs;
464 ml = ch_malloc(sizeof(Modifications));
465 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
466 ml->sml_next = qpw->rs_mods;
469 keys = ch_malloc( 2 * sizeof(struct berval) );
470 BER_BVZERO( &keys[1] );
471 nthash( &pwd, keys );
473 ml->sml_desc = ad_sambaNTPassword;
474 ml->sml_op = LDAP_MOD_REPLACE;
475 #ifdef SLAP_MOD_INTERNAL
476 ml->sml_flags = SLAP_MOD_INTERNAL;
478 ml->sml_values = keys;
479 ml->sml_nvalues = NULL;
481 /* Truncate UCS2 to 8-bit ASCII */
484 for (j=1; j<l; j++) {
489 pwd.bv_val[pwd.bv_len] = '\0';
491 ml = ch_malloc(sizeof(Modifications));
492 ml->sml_next = qpw->rs_mods;
495 keys = ch_malloc( 2 * sizeof(struct berval) );
496 BER_BVZERO( &keys[1] );
497 lmhash( &pwd, keys );
499 ml->sml_desc = ad_sambaLMPassword;
500 ml->sml_op = LDAP_MOD_REPLACE;
501 #ifdef SLAP_MOD_INTERNAL
502 ml->sml_flags = SLAP_MOD_INTERNAL;
504 ml->sml_values = keys;
505 ml->sml_nvalues = NULL;
509 ml = ch_malloc(sizeof(Modifications));
510 ml->sml_next = qpw->rs_mods;
513 keys = ch_malloc( 2 * sizeof(struct berval) );
514 keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 );
515 keys[0].bv_len = snprintf(keys[0].bv_val,
516 STRLENOF( "9223372036854775807L" ) + 1,
517 "%ld", slap_get_time());
518 BER_BVZERO( &keys[1] );
520 ml->sml_desc = ad_sambaPwdLastSet;
521 ml->sml_op = LDAP_MOD_REPLACE;
522 #ifdef SLAP_MOD_INTERNAL
523 ml->sml_flags = SLAP_MOD_INTERNAL;
525 ml->sml_values = keys;
526 ml->sml_nvalues = NULL;
528 if (pi->smb_must_change)
530 ml = ch_malloc(sizeof(Modifications));
531 ml->sml_next = qpw->rs_mods;
534 keys = ch_malloc( 2 * sizeof(struct berval) );
535 keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 );
536 keys[0].bv_len = snprintf(keys[0].bv_val,
537 STRLENOF( "9223372036854775807L" ) + 1,
538 "%ld", slap_get_time() + pi->smb_must_change);
539 BER_BVZERO( &keys[1] );
541 ml->sml_desc = ad_sambaPwdMustChange;
542 ml->sml_op = LDAP_MOD_REPLACE;
543 #ifdef SLAP_MOD_INTERNAL
544 ml->sml_flags = SLAP_MOD_INTERNAL;
546 ml->sml_values = keys;
547 ml->sml_nvalues = NULL;
550 #endif /* DO_SAMBA */
551 be_entry_release_r( op, e );
553 return SLAP_CB_CONTINUE;
556 static slap_overinst smbk5pwd;
558 /* back-config stuff */
560 PC_SMB_MUST_CHANGE = 1,
564 static ConfigDriver smbk5pwd_cf_func;
567 * NOTE: uses OID arcs OLcfgOvAt:6 and OLcfgOvOc:6
570 static ConfigTable smbk5pwd_cfats[] = {
571 { "smbk5pwd-enable", "arg",
572 2, 0, 0, ARG_MAGIC|PC_SMB_ENABLE, smbk5pwd_cf_func,
573 "( OLcfgOvAt:6.1 NAME 'olcSmbK5PwdEnable' "
574 "DESC 'Modules to be enabled' "
575 "SYNTAX OMsDirectoryString )", NULL, NULL },
576 { "smbk5pwd-must-change", "time",
577 2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_MUST_CHANGE, smbk5pwd_cf_func,
578 "( OLcfgOvAt:6.2 NAME 'olcSmbK5PwdMustChange' "
579 "DESC 'Credentials validity interval' "
580 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
582 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
585 static ConfigOCs smbk5pwd_cfocs[] = {
587 "NAME 'olcSmbK5PwdConfig' "
588 "DESC 'smbk5pwd overlay configuration' "
589 "SUP olcOverlayConfig "
592 "$ olcSmbK5PwdMustChange "
593 ") )", Cft_Overlay, smbk5pwd_cfats },
599 * add here other functionalities; handle their initialization
600 * as appropriate in FIXME
602 static slap_verbmasks smbk5pwd_modules[] = {
603 { BER_BVC( "krb5" ), SMBK5PWD_F_KRB5 },
604 { BER_BVC( "samba" ), SMBK5PWD_F_SAMBA },
609 smbk5pwd_cf_func( ConfigArgs *c )
611 slap_overinst *on = (slap_overinst *)c->bi;
614 smbk5pwd_t *pi = on->on_bi.bi_private;
616 if ( c->op == SLAP_CONFIG_EMIT ) {
618 case PC_SMB_MUST_CHANGE:
620 c->value_int = pi->smb_must_change;
621 #else /* ! DO_SAMBA */
623 #endif /* ! DO_SAMBA */
627 c->rvalue_vals = NULL;
629 mask_to_verbs( smbk5pwd_modules, pi->mode, &c->rvalue_vals );
630 if ( c->rvalue_vals == NULL ) {
642 } else if ( c->op == LDAP_MOD_DELETE ) {
644 case PC_SMB_MUST_CHANGE:
654 m = verb_to_mask( c->line, smbk5pwd_modules );
667 case PC_SMB_MUST_CHANGE:
669 pi->smb_must_change = c->value_int;
670 #else /* ! DO_SAMBA */
671 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
672 "<%s> only meaningful "
673 "when compiled with -DDO_SAMBA.\n",
674 c->log, c->argv[ 0 ], 0 );
676 #endif /* ! DO_SAMBA */
679 case PC_SMB_ENABLE: {
682 rc = verbs_to_mask( c->argc, c->argv, smbk5pwd_modules, &m );
684 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
685 "<%s> unknown module \"%s\".\n",
686 c->log, c->argv[ 0 ], c->argv[ rc ] );
692 if ( SMBK5PWD_DO_KRB5( pi ) ) {
693 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
694 "<%s> module \"%s\" only allowed when compiled with -DDO_KRB5.\n",
695 c->log, c->argv[ 0 ], c->argv[ i ] );
698 #endif /* ! DO_KRB5 */
701 if ( SMBK5PWD_DO_SAMBA( pi ) ) {
702 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
703 "<%s> module \"%s\" only allowed when compiled with -DDO_SAMBA.\n",
704 c->log, c->argv[ 0 ], c->argv[ i ] );
707 #endif /* ! DO_SAMBA */
710 BackendDB db = *c->be;
712 db.bd_info = (BackendInfo *)on;
713 rc = smbk5pwd_modules_init( pi );
729 smbk5pwd_modules_init( smbk5pwd_t *pi )
735 if ( SMBK5PWD_DO_KRB5( pi ) && oc_krb5KDCEntry == NULL ) {
737 extern HDB *_kadm5_s_get_db(void *);
739 /* Make sure all of our necessary schema items are loaded */
740 oc_krb5KDCEntry = oc_find("krb5KDCEntry");
741 if ( !oc_krb5KDCEntry ) {
742 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
743 "unable to find \"krb5KDCEntry\" objectClass.\n",
748 rc = slap_str2ad( "krb5Key", &ad_krb5Key, &text );
749 if ( rc != LDAP_SUCCESS ) {
750 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
751 "unable to find \"krb5Key\" attributeType: %s (%d).\n",
756 rc = slap_str2ad( "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber, &text );
757 if ( rc != LDAP_SUCCESS ) {
758 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
759 "unable to find \"krb5KeyVersionNumber\" attributeType: %s (%d).\n",
764 rc = slap_str2ad( "krb5PrincipalName", &ad_krb5PrincipalName, &text );
765 if ( rc != LDAP_SUCCESS ) {
766 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
767 "unable to find \"krb5PrincipalName\" attributeType: %s (%d).\n",
772 /* Initialize Kerberos context */
773 ret = krb5_init_context(&context);
775 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
776 "unable to initialize krb5 context.\n",
781 ret = kadm5_s_init_with_password_ctx( context,
785 &conf, 0, 0, &kadm_context );
787 db = _kadm5_s_get_db(kadm_context);
792 if ( SMBK5PWD_DO_SAMBA( pi ) && oc_sambaSamAccount == NULL ) {
793 oc_sambaSamAccount = oc_find( "sambaSamAccount" );
794 if ( !oc_sambaSamAccount ) {
795 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
796 "unable to find \"sambaSamAccount\" objectClass.\n",
801 rc = slap_str2ad( "sambaLMPassword", &ad_sambaLMPassword, &text );
802 if ( rc != LDAP_SUCCESS ) {
803 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
804 "unable to find \"sambaLMPassword\" attributeType: %s (%d).\n",
809 rc = slap_str2ad( "sambaNTPassword", &ad_sambaNTPassword, &text );
810 if ( rc != LDAP_SUCCESS ) {
811 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
812 "unable to find \"sambaLMPassword\" attributeType: %s (%d).\n",
817 rc = slap_str2ad( "sambaPwdLastSet", &ad_sambaPwdLastSet, &text );
818 if ( rc != LDAP_SUCCESS ) {
819 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
820 "unable to find \"sambaLMPassword\" attributeType: %s (%d).\n",
825 #endif /* DO_SAMBA */
831 smbk5pwd_db_init(BackendDB *be)
833 slap_overinst *on = (slap_overinst *)be->bd_info;
836 pi = ch_calloc( 1, sizeof( smbk5pwd_t ) );
840 on->on_bi.bi_private = (void *)pi;
846 smbk5pwd_db_open(BackendDB *be)
848 slap_overinst *on = (slap_overinst *)be->bd_info;
849 smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private;
853 if ( pi->mode == 0 ) {
854 pi->mode = SMBK5PWD_F_ALL;
857 rc = smbk5pwd_modules_init( pi );
866 smbk5pwd_db_destroy(BackendDB *be)
868 slap_overinst *on = (slap_overinst *)be->bd_info;
869 smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private;
879 smbk5pwd_initialize(void)
883 smbk5pwd.on_bi.bi_type = "smbk5pwd";
885 smbk5pwd.on_bi.bi_db_init = smbk5pwd_db_init;
886 smbk5pwd.on_bi.bi_db_open = smbk5pwd_db_open;
887 smbk5pwd.on_bi.bi_db_destroy = smbk5pwd_db_destroy;
889 smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd;
892 smbk5pwd.on_bi.bi_op_bind = smbk5pwd_op_bind;
894 lutil_passwd_add( (struct berval *)&k5key_scheme, k5key_chk, k5key_hash );
897 smbk5pwd.on_bi.bi_cf_ocs = smbk5pwd_cfocs;
899 rc = config_register_schema( smbk5pwd_cfats, smbk5pwd_cfocs );
904 return overlay_register( &smbk5pwd );
907 #if SLAPD_OVER_SMBK5PWD == SLAPD_MOD_DYNAMIC
908 int init_module(int argc, char *argv[]) {
909 return smbk5pwd_initialize();
913 #endif /* defined(SLAPD_OVER_SMBK5PWD) */