1 /* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
4 * Copyright 2004-2005 by Howard Chu, Symas Corp.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
18 #ifndef SLAPD_OVER_SMBK5PWD
19 #define SLAPD_OVER_SMBK5PWD SLAPD_MOD_DYNAMIC
22 #ifdef SLAPD_OVER_SMBK5PWD
26 #include <ac/string.h>
33 /* make ASN1_MALLOC_ENCODE use our allocator */
34 #define malloc ch_malloc
37 #include <kadm5/admin.h>
40 #ifndef HDB_INTERFACE_VERSION
41 #define HDB_MASTER_KEY_SET master_key_set
43 #define HDB_MASTER_KEY_SET hdb_master_key_set
46 static krb5_context context;
47 static void *kadm_context;
48 static kadm5_config_params conf;
51 static AttributeDescription *ad_krb5Key;
52 static AttributeDescription *ad_krb5KeyVersionNumber;
53 static AttributeDescription *ad_krb5PrincipalName;
54 static ObjectClass *oc_krb5KDCEntry;
58 #include <openssl/des.h>
59 #include <openssl/md4.h>
60 #include "ldap_utf8.h"
62 static AttributeDescription *ad_sambaLMPassword;
63 static AttributeDescription *ad_sambaNTPassword;
64 static AttributeDescription *ad_sambaPwdLastSet;
65 static ObjectClass *oc_sambaSamAccount;
69 static void smbk5pwd_destroy() {
70 kadm5_destroy(kadm_context);
71 krb5_free_context(context);
76 static const char hex[] = "0123456789abcdef";
78 /* From liblutil/passwd.c... */
79 static void lmPasswd_to_key(
83 const unsigned char *lpw = (const unsigned char *)lmPasswd;
84 unsigned char *k = (unsigned char *)key;
86 /* make room for parity bits */
88 k[1] = ((lpw[0]&0x01)<<7) | (lpw[1]>>1);
89 k[2] = ((lpw[1]&0x03)<<6) | (lpw[2]>>2);
90 k[3] = ((lpw[2]&0x07)<<5) | (lpw[3]>>3);
91 k[4] = ((lpw[3]&0x0F)<<4) | (lpw[4]>>4);
92 k[5] = ((lpw[4]&0x1F)<<3) | (lpw[5]>>5);
93 k[6] = ((lpw[5]&0x3F)<<2) | (lpw[6]>>6);
94 k[7] = ((lpw[6]&0x7F)<<1);
96 des_set_odd_parity( key );
103 const char in[HASHLEN],
111 out->bv_val = ch_malloc(HASHLEN*2 + 1);
112 out->bv_len = HASHLEN*2;
115 b = (unsigned char *)in;
116 for (i=0; i<HASHLEN; i++) {
118 *a++ = hex[*b++ & 0x0f];
124 struct berval *passwd,
128 char UcasePassword[15];
130 des_key_schedule schedule;
131 des_cblock StdText = "KGS!@#$%";
134 strncpy( UcasePassword, passwd->bv_val, 14 );
135 UcasePassword[14] = '\0';
136 ldap_pvt_str2upper( UcasePassword );
138 lmPasswd_to_key( UcasePassword, &key );
139 des_set_key_unchecked( &key, schedule );
140 des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT );
142 lmPasswd_to_key( &UcasePassword[7], &key );
143 des_set_key_unchecked( &key, schedule );
144 des_ecb_encrypt( &StdText, &hbuf[1], schedule , DES_ENCRYPT );
146 hexify( (char *)hbuf, hash );
150 struct berval *passwd,
154 /* Windows currently only allows 14 character passwords, but
155 * may support up to 256 in the future. We assume this means
156 * 256 UCS2 characters, not 256 bytes...
161 if (passwd->bv_len > MAX_PWLEN*2)
162 passwd->bv_len = MAX_PWLEN*2;
165 MD4_Update( &ctx, passwd->bv_val, passwd->bv_len );
166 MD4_Final( (unsigned char *)hbuf, &ctx );
168 hexify( hbuf, hash );
170 #endif /* DO_SAMBA */
174 static int smbk5pwd_op_cleanup(
180 /* clear out the current key */
181 ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup,
184 /* free the callback */
186 op->o_callback = cb->sc_next;
187 op->o_tmpfree( cb, op->o_tmpmemctx );
191 static int smbk5pwd_op_bind(
195 /* If this is a simple Bind, stash the Op pointer so our chk
196 * function can find it. Set a cleanup callback to clear it
197 * out when the Bind completes.
199 if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE ) {
201 ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup, op,
203 cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
204 cb->sc_cleanup = smbk5pwd_op_cleanup;
205 cb->sc_next = op->o_callback;
208 return SLAP_CB_CONTINUE;
211 static LUTIL_PASSWD_CHK_FUNC k5key_chk;
212 static LUTIL_PASSWD_HASH_FUNC k5key_hash;
213 static const struct berval k5key_scheme = BER_BVC("{K5KEY}");
215 /* This password scheme stores no data in the userPassword attribute
216 * other than the scheme name. It assumes the invoking entry is a
217 * krb5KDCentry and compares the passed-in credentials against the
218 * krb5Key attribute. The krb5Key may be multi-valued, but they are
219 * simply multiple keytypes generated from the same input string, so
220 * only the first value needs to be compared here.
222 * Since the lutil_passwd API doesn't pass the Entry object in, we
223 * have to fetch it ourselves in order to get access to the other
224 * attributes. We accomplish this with the help of the overlay's Bind
225 * function, which stores the current Operation pointer in thread-specific
226 * storage so we can retrieve it here. The Operation provides all
227 * the necessary context for us to get Entry from the database.
229 static int k5key_chk(
230 const struct berval *sc,
231 const struct berval *passwd,
232 const struct berval *cred,
245 /* Find our thread context, find our Operation */
246 ctx = ldap_pvt_thread_pool_context();
248 if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, (void **)&op, NULL ) ||
250 return LUTIL_PASSWD_ERR;
252 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
253 if ( rc != LDAP_SUCCESS ) return LUTIL_PASSWD_ERR;
255 rc = LUTIL_PASSWD_ERR;
260 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
263 memset( &ent, 0, sizeof(ent) );
264 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
266 krb5_get_pw_salt( context, ent.principal, &salt );
267 krb5_free_principal( context, ent.principal );
269 a = attr_find( e->e_attrs, ad_krb5Key );
273 ent.keys.val = &ekey;
274 decode_Key((unsigned char *) a->a_vals[0].bv_val,
275 (size_t) a->a_vals[0].bv_len, &ent.keys.val[0], &l);
276 if ( db->HDB_MASTER_KEY_SET )
277 hdb_unseal_keys( context, db, &ent );
279 krb5_string_to_key_salt( context, ekey.key.keytype, cred->bv_val,
282 krb5_free_salt( context, salt );
284 if ( memcmp( ekey.key.keyvalue.data, key.keyvalue.data,
285 key.keyvalue.length ) == 0 ) rc = LUTIL_PASSWD_OK;
287 krb5_free_keyblock_contents( context, &key );
288 krb5_free_keyblock_contents( context, &ekey.key );
291 be_entry_release_r( op, e );
295 static int k5key_hash(
296 const struct berval *scheme,
297 const struct berval *passwd,
301 ber_dupbv( hash, (struct berval *)&k5key_scheme );
302 return LUTIL_PASSWD_OK;
306 static int smbk5pwd_exop_passwd(
311 req_pwdexop_s *qpw = &op->oq_pwdexop;
314 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
316 /* Not the operation we expected, pass it on... */
317 if ( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) ) {
318 return SLAP_CB_CONTINUE;
321 op->o_bd->bd_info = (BackendInfo *)on->on_info;
322 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
323 if ( rc != LDAP_SUCCESS ) return rc;
334 if ( !is_entry_objectclass(e, oc_krb5KDCEntry, 0 ) ) break;
336 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
339 memset( &ent, 0, sizeof(ent) );
340 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
343 a = attr_find( e->e_attrs, ad_krb5KeyVersionNumber );
345 kvno = atoi(a->a_vals[0].bv_val);
347 /* shouldn't happen, this is a required attr */
351 ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val);
352 hdb_seal_keys(context, db, &ent);
353 krb5_free_principal( context, ent.principal );
355 keys = ch_malloc( (ent.keys.len + 1) * sizeof(struct berval));
357 for (i = 0; i < ent.keys.len; i++) {
361 ASN1_MALLOC_ENCODE(Key, buf, len, &ent.keys.val[i], &len, ret);
365 keys[i].bv_val = (char *)buf;
366 keys[i].bv_len = len;
368 BER_BVZERO( &keys[i] );
370 _kadm5_free_keys(kadm_context, ent.keys.len, ent.keys.val);
372 if ( i != ent.keys.len ) {
373 ber_bvarray_free( keys );
377 ml = ch_malloc(sizeof(Modifications));
378 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
379 ml->sml_next = qpw->rs_mods;
382 ml->sml_desc = ad_krb5Key;
383 ml->sml_op = LDAP_MOD_REPLACE;
384 #ifdef SLAP_MOD_INTERNAL
385 ml->sml_flags = SLAP_MOD_INTERNAL;
387 ml->sml_values = keys;
388 ml->sml_nvalues = NULL;
390 ml = ch_malloc(sizeof(Modifications));
391 ml->sml_next = qpw->rs_mods;
394 ml->sml_desc = ad_krb5KeyVersionNumber;
395 ml->sml_op = LDAP_MOD_REPLACE;
396 #ifdef SLAP_MOD_INTERNAL
397 ml->sml_flags = SLAP_MOD_INTERNAL;
399 ml->sml_values = ch_malloc( 2 * sizeof(struct berval));
400 ml->sml_values[0].bv_val = ch_malloc( 64 );
401 ml->sml_values[0].bv_len = sprintf(ml->sml_values[0].bv_val,
403 BER_BVZERO( &ml->sml_values[1] );
404 ml->sml_nvalues = NULL;
410 if ( is_entry_objectclass(e, oc_sambaSamAccount, 0 ) ) {
417 /* Expand incoming UTF8 string to UCS4 */
418 l = ldap_utf8_chars(qpw->rs_new.bv_val);
419 wcs = ch_malloc((l+1) * sizeof(wchar_t));
421 ldap_x_utf8s_to_wcs( wcs, qpw->rs_new.bv_val, l );
423 /* Truncate UCS4 to UCS2 */
425 for (j=0; j<l; j++) {
428 *c++ = (wc >> 8) & 0xff;
431 pwd.bv_val = (char *)wcs;
434 ml = ch_malloc(sizeof(Modifications));
435 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
436 ml->sml_next = qpw->rs_mods;
439 keys = ch_malloc( 2 * sizeof(struct berval) );
440 BER_BVZERO( &keys[1] );
441 nthash( &pwd, keys );
443 ml->sml_desc = ad_sambaNTPassword;
444 ml->sml_op = LDAP_MOD_REPLACE;
445 #ifdef SLAP_MOD_INTERNAL
446 ml->sml_flags = SLAP_MOD_INTERNAL;
448 ml->sml_values = keys;
449 ml->sml_nvalues = NULL;
451 /* Truncate UCS2 to 8-bit ASCII */
454 for (j=1; j<l; j++) {
459 pwd.bv_val[pwd.bv_len] = '\0';
461 ml = ch_malloc(sizeof(Modifications));
462 ml->sml_next = qpw->rs_mods;
465 keys = ch_malloc( 2 * sizeof(struct berval) );
466 BER_BVZERO( &keys[1] );
467 lmhash( &pwd, keys );
469 ml->sml_desc = ad_sambaLMPassword;
470 ml->sml_op = LDAP_MOD_REPLACE;
471 #ifdef SLAP_MOD_INTERNAL
472 ml->sml_flags = SLAP_MOD_INTERNAL;
474 ml->sml_values = keys;
475 ml->sml_nvalues = NULL;
479 ml = ch_malloc(sizeof(Modifications));
480 ml->sml_next = qpw->rs_mods;
483 keys = ch_malloc( 2 * sizeof(struct berval) );
484 keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 );
485 keys[0].bv_len = snprintf(keys[0].bv_val,
486 STRLENOF( "9223372036854775807L" ) + 1,
487 "%ld", slap_get_time());
488 BER_BVZERO( &keys[1] );
490 ml->sml_desc = ad_sambaPwdLastSet;
491 ml->sml_op = LDAP_MOD_REPLACE;
492 #ifdef SLAP_MOD_INTERNAL
493 ml->sml_flags = SLAP_MOD_INTERNAL;
495 ml->sml_values = keys;
496 ml->sml_nvalues = NULL;
498 #endif /* DO_SAMBA */
499 be_entry_release_r( op, e );
501 return SLAP_CB_CONTINUE;
504 static slap_overinst smbk5pwd;
506 int smbk5pwd_init() {
512 extern HDB * _kadm5_s_get_db(void *);
514 /* Make sure all of our necessary schema items are loaded */
515 oc_krb5KDCEntry = oc_find("krb5KDCEntry");
516 if ( !oc_krb5KDCEntry ) return -1;
518 rc = slap_str2ad( "krb5Key", &ad_krb5Key, &text );
520 rc = slap_str2ad( "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber, &text );
522 rc = slap_str2ad( "krb5PrincipalName", &ad_krb5PrincipalName, &text );
525 /* Initialize Kerberos context */
526 ret = krb5_init_context(&context);
531 ret = kadm5_s_init_with_password_ctx( context,
535 &conf, 0, 0, &kadm_context );
537 db = _kadm5_s_get_db(kadm_context);
541 oc_sambaSamAccount = oc_find("sambaSamAccount");
542 if ( !oc_sambaSamAccount ) return -1;
544 rc = slap_str2ad( "sambaLMPassword", &ad_sambaLMPassword, &text );
546 rc = slap_str2ad( "sambaNTPassword", &ad_sambaNTPassword, &text );
548 rc = slap_str2ad( "sambaPwdLastSet", &ad_sambaPwdLastSet, &text );
550 #endif /* DO_SAMBA */
552 smbk5pwd.on_bi.bi_type = "smbk5pwd";
553 smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd;
556 smbk5pwd.on_bi.bi_op_bind = smbk5pwd_op_bind;
558 lutil_passwd_add( (struct berval *)&k5key_scheme, k5key_chk, k5key_hash );
561 return overlay_register( &smbk5pwd );
564 #if SLAPD_OVER_SMBK5PWD == SLAPD_MOD_DYNAMIC
565 int init_module(int argc, char *argv[]) {
566 return smbk5pwd_init();
570 #endif /* defined(SLAPD_OVER_SMBK5PWD) */
projects / openldap / blob