git.sur5r.net Git - openldap/blob - servers/slapd/passwd.c

   1 /* passwd.c - password extended operation routines */
   2 /* $OpenLDAP$ */
   3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   4  *
   5  * Copyright 1998-2003 The OpenLDAP Foundation.
   6  * All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted only as authorized by the OpenLDAP
  10  * Public License.
  11  *
  12  * A copy of this license is available in the file LICENSE in the
  13  * top-level directory of the distribution or, alternatively, at
  14  * <http://www.OpenLDAP.org/license.html>.
  15  */
  16
  17 #include "portable.h"
  18
  19 #include <stdio.h>
  20
  21 #include <ac/krb.h>
  22 #include <ac/socket.h>
  23 #include <ac/string.h>
  24 #include <ac/unistd.h>
  25
  26 #include "slap.h"
  27
  28 #include <lber_pvt.h>
  29 #include <lutil.h>
  30
  31 int passwd_extop(
  32         Operation *op,
  33         SlapReply *rs )
  34 {
  35         struct berval id = {0, NULL}, old = {0, NULL}, new = {0, NULL},
  36                 dn, ndn, hash, vals[2], tmpbv, *rsp = NULL;
  37         Modifications ml, **modtail;
  38         Operation op2;
  39         slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
  40         slap_callback cb2 = { &cb, slap_replog_cb, NULL, NULL };
  41
  42         assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 );
  43
  44         if( op->o_dn.bv_len == 0 ) {
  45                 rs->sr_text = "only authenticated users may change passwords";
  46                 return LDAP_STRONG_AUTH_REQUIRED;
  47         }
  48
  49         if( op->oq_extended.rs_reqdata ) {
  50                 ber_dupbv_x( &tmpbv, op->oq_extended.rs_reqdata, op->o_tmpmemctx );
  51         }
  52         rs->sr_err = slap_passwd_parse(
  53                 op->oq_extended.rs_reqdata ? &tmpbv : NULL,
  54                 &id, &old, &new, &rs->sr_text );
  55
  56         if ( rs->sr_err != LDAP_SUCCESS ) {
  57                 return rs->sr_err;
  58         }
  59
  60         if ( id.bv_len ) {
  61                 dn = id;
  62                 /* ndn is in tmpmem, so we don't need to free it */
  63                 rs->sr_err = dnNormalize( 0, NULL, NULL, &dn, &ndn, op->o_tmpmemctx );
  64                 if ( rs->sr_err != LDAP_SUCCESS ) {
  65                         rs->sr_text = "Invalid DN";
  66                         return rs->sr_err;
  67                 }
  68                 op->o_bd = select_backend( &ndn, 0, 0 );
  69         } else {
  70                 dn = op->o_dn;
  71                 ndn = op->o_ndn;
  72                 ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
  73                 op->o_bd = op->o_conn->c_authz_backend;
  74                 ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
  75         }
  76
  77         if( op->o_bd == NULL ) {
  78 #ifdef HAVE_CYRUS_SASL
  79                 return slap_sasl_setpass( op, rs );
  80 #else
  81                 rs->sr_text = "no authz backend";
  82                 return LDAP_OTHER;
  83 #endif
  84         }
  85
  86         if ( ndn.bv_len == 0 ) {
  87                 rs->sr_text = "no password is associated with the Root DSE";
  88                 return LDAP_UNWILLING_TO_PERFORM;
  89         }
  90
  91         if (backend_check_restrictions( op, rs,
  92                         (struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) {
  93                 return rs->sr_err;
  94         }
  95
  96
  97 #ifndef SLAPD_MULTIMASTER
  98         /* This does not apply to multi-master case */
  99         if( op->o_bd->be_update_ndn.bv_len ) {
 100                 /* we SHOULD return a referral in this case */
 101                 BerVarray defref = NULL;
 102                 if ( !LDAP_STAILQ_EMPTY( &op->o_bd->be_syncinfo )) {
 103                         syncinfo_t *si;
 104                         LDAP_STAILQ_FOREACH( si, &op->o_bd->be_syncinfo, si_next ) {
 105                                 struct berval tmpbv;
 106                                 ber_dupbv( &tmpbv, &si->si_provideruri_bv[0] );
 107                                 ber_bvarray_add( &defref, &tmpbv );
 108                         }
 109                 } else {
 110                         defref = referral_rewrite( op->o_bd->be_update_refs,
 111                                 NULL, NULL, LDAP_SCOPE_DEFAULT );
 112                 }
 113                 rs->sr_ref = defref;
 114                 return LDAP_REFERRAL;
 115         }
 116 #endif /* !SLAPD_MULTIMASTER */
 117
 118         /* Give the backend a chance to handle this itself */
 119         if ( op->o_bd->be_extended ) {
 120                 rs->sr_err = op->o_bd->be_extended( op, rs );
 121                 if ( rs->sr_err != LDAP_UNWILLING_TO_PERFORM ) {
 122                         return rs->sr_err;
 123                 }
 124         }
 125
 126         /* The backend didn't handle it, so try it here */
 127         if( op->o_bd && !op->o_bd->be_modify ) {
 128                 rs->sr_text = "operation not supported for current user";
 129                 return LDAP_UNWILLING_TO_PERFORM;
 130         }
 131
 132         if ( new.bv_len == 0 ) {
 133                 slap_passwd_generate( &new );
 134                 rsp = slap_passwd_return( &new );
 135         }
 136         if ( new.bv_len == 0 ) {
 137                 rs->sr_text = "password generation failed";
 138                 return LDAP_OTHER;
 139         }
 140         slap_passwd_hash( &new, &hash, &rs->sr_text );
 141         if ( rsp ) {
 142                 free( new.bv_val );
 143         }
 144         if ( hash.bv_len == 0 ) {
 145                 if ( !rs->sr_text ) {
 146                         rs->sr_text = "password hash failed";
 147                 }
 148                 return LDAP_OTHER;
 149         }
 150         vals[0] = hash;
 151         vals[1].bv_val = NULL;
 152         ml.sml_desc = slap_schema.si_ad_userPassword;
 153         ml.sml_values = vals;
 154         ml.sml_nvalues = NULL;
 155         ml.sml_op = LDAP_MOD_REPLACE;
 156         ml.sml_next = NULL;
 157
 158         op2 = *op;
 159         op2.o_tag = LDAP_REQ_MODIFY;
 160         op2.o_callback = &cb2;
 161         op2.o_req_dn = dn;
 162         op2.o_req_ndn = ndn;
 163         op2.orm_modlist = &ml;
 164
 165         modtail = &ml.sml_next;
 166         rs->sr_err = slap_mods_opattrs( &op2, &ml, modtail, &rs->sr_text,
 167                 NULL, 0 );
 168
 169         if ( rs->sr_err == LDAP_SUCCESS ) {
 170                 rs->sr_err = op2.o_bd->be_modify( &op2, rs );
 171         }
 172         if ( rs->sr_err == LDAP_SUCCESS ) {
 173                 rs->sr_rspdata = rsp;
 174         } else if ( rsp ) {
 175                 ber_bvfree( rsp );
 176         }
 177         slap_mods_free( ml.sml_next );
 178         free( hash.bv_val );
 179
 180         return rs->sr_err;
 181 }
 182
 183 int slap_passwd_parse( struct berval *reqdata,
 184         struct berval *id,
 185         struct berval *oldpass,
 186         struct berval *newpass,
 187         const char **text )
 188 {
 189         int rc = LDAP_SUCCESS;
 190         ber_tag_t tag;
 191         ber_len_t len = -1;
 192         BerElementBuffer berbuf;
 193         BerElement *ber = (BerElement *)&berbuf;
 194
 195         if( reqdata == NULL ) {
 196                 return LDAP_SUCCESS;
 197         }
 198
 199         if( reqdata->bv_len == 0 ) {
 200                 *text = "empty request data field";
 201                 return LDAP_PROTOCOL_ERROR;
 202         }
 203
 204         /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
 205         ber_init2( ber, reqdata, 0 );
 206
 207         tag = ber_scanf( ber, "{" /*}*/ );
 208
 209         if( tag == LBER_ERROR ) {
 210 #ifdef NEW_LOGGING
 211                 LDAP_LOG( OPERATION, ERR,
 212                         "slap_passwd_parse: decoding error\n", 0, 0, 0 );
 213 #else
 214                 Debug( LDAP_DEBUG_TRACE,
 215                         "slap_passwd_parse: decoding error\n", 0, 0, 0 );
 216 #endif
 217                 rc = LDAP_PROTOCOL_ERROR;
 218                 goto done;
 219         }
 220
 221         tag = ber_peek_tag( ber, &len );
 222         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
 223                 if( id == NULL ) {
 224 #ifdef NEW_LOGGING
 225                         LDAP_LOG( OPERATION, ERR,
 226                            "slap_passwd_parse: ID not allowed.\n", 0, 0, 0 );
 227 #else
 228                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
 229                                 0, 0, 0 );
 230 #endif
 231
 232                         *text = "user must change own password";
 233                         rc = LDAP_UNWILLING_TO_PERFORM;
 234                         goto done;
 235                 }
 236
 237                 tag = ber_scanf( ber, "m", id );
 238
 239                 if( tag == LBER_ERROR ) {
 240 #ifdef NEW_LOGGING
 241                         LDAP_LOG( OPERATION, ERR,
 242                            "slap_passwd_parse:  ID parse failed.\n", 0, 0, 0 );
 243 #else
 244                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
 245                                 0, 0, 0 );
 246 #endif
 247
 248                         goto decoding_error;
 249                 }
 250
 251                 tag = ber_peek_tag( ber, &len);
 252         }
 253
 254         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) {
 255                 if( oldpass == NULL ) {
 256 #ifdef NEW_LOGGING
 257                         LDAP_LOG( OPERATION, ERR,
 258                            "slap_passwd_parse: OLD not allowed.\n" , 0, 0, 0 );
 259 #else
 260                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
 261                                 0, 0, 0 );
 262 #endif
 263
 264                         *text = "use bind to verify old password";
 265                         rc = LDAP_UNWILLING_TO_PERFORM;
 266                         goto done;
 267                 }
 268
 269                 tag = ber_scanf( ber, "m", oldpass );
 270
 271                 if( tag == LBER_ERROR ) {
 272 #ifdef NEW_LOGGING
 273                         LDAP_LOG( OPERATION, ERR,
 274                            "slap_passwd_parse:  ID parse failed.\n" , 0, 0, 0 );
 275 #else
 276                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
 277                                 0, 0, 0 );
 278 #endif
 279
 280                         goto decoding_error;
 281                 }
 282
 283                 tag = ber_peek_tag( ber, &len );
 284         }
 285
 286         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) {
 287                 if( newpass == NULL ) {
 288 #ifdef NEW_LOGGING
 289                         LDAP_LOG( OPERATION, ERR,
 290                            "slap_passwd_parse:  NEW not allowed.\n", 0, 0, 0 );
 291 #else
 292                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
 293                                 0, 0, 0 );
 294 #endif
 295
 296                         *text = "user specified passwords disallowed";
 297                         rc = LDAP_UNWILLING_TO_PERFORM;
 298                         goto done;
 299                 }
 300
 301                 tag = ber_scanf( ber, "m", newpass );
 302
 303                 if( tag == LBER_ERROR ) {
 304 #ifdef NEW_LOGGING
 305                         LDAP_LOG( OPERATION, ERR,
 306                            "slap_passwd_parse:  OLD parse failed.\n", 0, 0, 0 );
 307 #else
 308                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
 309                                 0, 0, 0 );
 310 #endif
 311
 312                         goto decoding_error;
 313                 }
 314
 315                 tag = ber_peek_tag( ber, &len );
 316         }
 317
 318         if( len != 0 ) {
 319 decoding_error:
 320 #ifdef NEW_LOGGING
 321                 LDAP_LOG( OPERATION, ERR,
 322                         "slap_passwd_parse: decoding error, len=%ld\n", (long)len, 0, 0 );
 323 #else
 324                 Debug( LDAP_DEBUG_TRACE,
 325                         "slap_passwd_parse: decoding error, len=%ld\n",
 326                         (long) len, 0, 0 );
 327 #endif
 328
 329                 *text = "data decoding error";
 330                 rc = LDAP_PROTOCOL_ERROR;
 331         }
 332
 333 done:
 334         return rc;
 335 }
 336
 337 struct berval * slap_passwd_return(
 338         struct berval           *cred )
 339 {
 340         int rc;
 341         struct berval *bv = NULL;
 342         BerElementBuffer berbuf;
 343         /* opaque structure, size unknown but smaller than berbuf */
 344         BerElement *ber = (BerElement *)&berbuf;
 345
 346         assert( cred != NULL );
 347
 348 #ifdef NEW_LOGGING
 349         LDAP_LOG( OPERATION, ENTRY,
 350                 "slap_passwd_return: %ld\n",(long)cred->bv_len, 0, 0 );
 351 #else
 352         Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
 353                 (long) cred->bv_len, 0, 0 );
 354 #endif
 355
 356         ber_init_w_nullc( ber, LBER_USE_DER );
 357
 358         rc = ber_printf( ber, "{tON}",
 359                 LDAP_TAG_EXOP_MODIFY_PASSWD_GEN, cred );
 360
 361         if( rc >= 0 ) {
 362                 (void) ber_flatten( ber, &bv );
 363         }
 364
 365         ber_free_buf( ber );
 366
 367         return bv;
 368 }
 369
 370 int
 371 slap_passwd_check(
 372         Connection *conn,
 373         Attribute *a,
 374         struct berval *cred,
 375         const char **text )
 376 {
 377         int result = 1;
 378         struct berval *bv;
 379
 380 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 381         ldap_pvt_thread_mutex_lock( &passwd_mutex );
 382 #ifdef SLAPD_SPASSWD
 383         lutil_passwd_sasl_conn = conn->c_sasl_authctx;
 384 #endif
 385 #endif
 386
 387         for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
 388                 if( !lutil_passwd( bv, cred, NULL, text ) ) {
 389                         result = 0;
 390                         break;
 391                 }
 392         }
 393
 394 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 395 #ifdef SLAPD_SPASSWD
 396         lutil_passwd_sasl_conn = NULL;
 397 #endif
 398         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
 399 #endif
 400
 401         return result;
 402 }
 403
 404 void
 405 slap_passwd_generate( struct berval *pass )
 406 {
 407         struct berval *tmp;
 408 #ifdef NEW_LOGGING
 409         LDAP_LOG( OPERATION, ENTRY, "slap_passwd_generate: begin\n", 0, 0, 0 );
 410 #else
 411         Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
 412 #endif
 413         /*
 414          * generate passwords of only 8 characters as some getpass(3)
 415          * implementations truncate at 8 characters.
 416          */
 417         tmp = lutil_passwd_generate( 8 );
 418         if (tmp) {
 419                 *pass = *tmp;
 420                 free(tmp);
 421         } else {
 422                 pass->bv_val = NULL;
 423                 pass->bv_len = 0;
 424         }
 425 }
 426
 427 void
 428 slap_passwd_hash(
 429         struct berval * cred,
 430         struct berval * new,
 431         const char **text )
 432 {
 433         struct berval *tmp;
 434 #ifdef LUTIL_SHA1_BYTES
 435         char* hash = default_passwd_hash ?  default_passwd_hash : "{SSHA}";
 436 #else
 437         char* hash = default_passwd_hash ?  default_passwd_hash : "{SMD5}";
 438 #endif
 439
 440
 441 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 442         ldap_pvt_thread_mutex_lock( &passwd_mutex );
 443 #endif
 444
 445         tmp = lutil_passwd_hash( cred , hash, text );
 446
 447 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 448         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
 449 #endif
 450
 451         if( tmp == NULL ) {
 452                 new->bv_len = 0;
 453                 new->bv_val = NULL;
 454         }
 455
 456         *new = *tmp;
 457         free( tmp );
 458         return;
 459 }