1 /* bind.c - ldbm backend bind and unbind routines */
4 * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/socket.h>
14 #include <ac/string.h>
15 #include <ac/unistd.h>
/*
 * Password Modify extended operation handler.  The leading lines of the
 * signature (return type and function name) are not in this listing.
 * Visible contract:
 *   - reqoid must be LDAP_EXOP_X_MODIFY_PASSWD; the dispatcher is
 *     expected to route only that OID here, so it is asserted rather
 *     than checked at runtime.
 *   - An unauthenticated operation (empty op->o_dn) is refused with
 *     LDAP_STRONG_AUTH_REQUIRED before any backend is consulted.
 *   - Otherwise the request is delegated, via be_extended, to the
 *     backend the connection is authorized against
 *     (conn->c_authz_backend), unless that backend is read only.
 *   - Every error path in this function sets *text from ch_strdup(),
 *     i.e. heap memory the caller is expected to release.
 */
22 SLAP_EXTOP_CALLBACK_FN ext_callback,
23 Connection *conn, Operation *op,
25 struct berval *reqdata,
27 struct berval **rspdata,
28 LDAPControl ***rspctrls,
30 struct berval ***refs )
/* A wrong OID reaching this function is a dispatcher bug, not client input. */
34 assert( reqoid != NULL );
35 assert( strcmp( LDAP_EXOP_X_MODIFY_PASSWD, reqoid ) == 0 );
/*
 * Anonymous sessions have no identity whose password could be changed;
 * reject them before touching any backend.  (The client-visible message
 * below misspells "authenticated"; it is runtime text and is not changed
 * here.)
 */
37 if( op->o_dn == NULL || op->o_dn[0] == '\0' ) {
38 *text = ch_strdup("only authenicated users may change passwords");
39 return LDAP_STRONG_AUTH_REQUIRED;
/* Only a backend that implements the extended-op hook can service this. */
42 if( conn->c_authz_backend != NULL && conn->c_authz_backend->be_extended )
/* Server-wide and per-database read-only switches (by name) both refuse the write. */
44 if( global_readonly || conn->c_authz_backend->be_readonly ) {
45 *text = ch_strdup("authorization database is read only");
46 rc = LDAP_UNWILLING_TO_PERFORM;
/*
 * NOTE(review): a non-NULL be_update_ndn presumably marks a replica, with
 * be_update_refs naming where updates belong.  Whether this branch returns
 * a referral result or still falls through to be_extended is on lines not
 * in this listing -- confirm.
 */
48 } else if( conn->c_authz_backend->be_update_ndn != NULL ) {
49 /* we SHOULD return a referral in this case */
50 *refs = conn->c_authz_backend->be_update_refs;
/* Delegate to the authorization backend; rc is whatever it returns. */
54 rc = conn->c_authz_backend->be_extended(
55 conn->c_authz_backend, conn, op,
57 rspoid, rspdata, rspctrls,
/* No authorization backend, or one without an extended-op hook. */
62 *text = ch_strdup("operation not supported for current user");
63 rc = LDAP_UNWILLING_TO_PERFORM;
/*
 * slap_passwd_parse: decode a Password Modify request value from reqdata.
 * The remaining parameters of the signature are not in this listing; from
 * the body they presumably include struct berval **id, **old, **new
 * (each filled by a ber_scanf "O", which allocates a fresh berval the
 * caller then owns) and a text out-parameter.
 *
 * The value is a SEQUENCE of up to three optional, context-tagged fields:
 * ID, OLD and NEW.  Each is peeked first so an absent optional field does
 * not consume input.  The condition guarding each "not allowed" branch is
 * on lines not in this listing.
 *
 * Returns LDAP_SUCCESS, LDAP_PROTOCOL_ERROR on malformed input, or
 * LDAP_UNWILLING_TO_PERFORM when a field is present that this server does
 * not accept.
 *
 * NOTE(review): *text is set from ch_strdup() on the decoding-error paths
 * but from string literals on the three "not allowed" paths.  Whichever
 * ownership the caller assumes, one of the two styles is wrong (either a
 * free() of static storage or a leak of the strdup'd copy) -- make them
 * consistent.
 */
69 int slap_passwd_parse( struct berval *reqdata,
75 int rc = LDAP_SUCCESS;
/* No request value at all; handled on lines not in this listing. */
80 if( reqdata == NULL ) {
/* ber_init copies reqdata into a decoder; failure is a protocol error. */
84 ber = ber_init( reqdata );
87 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ber_init failed\n",
89 *text = ch_strdup("password decoding error");
90 return LDAP_PROTOCOL_ERROR;
/* Open the outer SEQUENCE; the trailing comment only balances braces for editors. */
93 tag = ber_scanf( ber, "{" /*}*/ );
95 if( tag != LBER_ERROR ) {
96 tag = ber_peek_tag( ber, &len );
/* Optional ID: the entry whose password is to be changed. */
99 if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID ) {
101 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
/* Literal, not ch_strdup(): see the ownership note above. */
103 *text = "user must change own password";
104 rc = LDAP_UNWILLING_TO_PERFORM;
/* "O" allocates *id; the caller owns it. */
108 tag = ber_scanf( ber, "O", id );
110 if( tag == LBER_ERROR ) {
111 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
116 tag = ber_peek_tag( ber, &len);
/* Optional OLD: rejected here because the old password is verified by bind. */
119 if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_OLD ) {
121 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
/* Literal, not ch_strdup(): see the ownership note above. */
123 *text = "use bind to verify old password";
124 rc = LDAP_UNWILLING_TO_PERFORM;
128 tag = ber_scanf( ber, "O", old );
130 if( tag == LBER_ERROR ) {
/*
 * The log label says "ID" but this is the OLD field (copy/paste); it
 * misleads log triage.  Runtime string, not changed in this pass.
 */
131 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
136 tag = ber_peek_tag( ber, &len);
/* Optional NEW: rejected here when the server generates passwords itself. */
139 if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW ) {
141 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
/* Literal, not ch_strdup(): see the ownership note above. */
143 *text = "user specified passwords disallowed";
144 rc = LDAP_UNWILLING_TO_PERFORM;
148 tag = ber_scanf( ber, "O", new );
150 if( tag == LBER_ERROR ) {
/* The log label says "OLD" but this is the NEW field -- same copy/paste issue. */
151 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
/*
 * Anything left after the optional fields is a decoding error.  The
 * comparison itself is on lines not shown (presumably tag != LBER_DEFAULT).
 * The log line carries only the length, never credential bytes.
 */
156 tag = ber_peek_tag( ber, &len );
161 Debug( LDAP_DEBUG_TRACE,
162 "slap_passwd_parse: decoding error, len=%ld\n",
165 *text = ch_strdup("data decoding error");
166 rc = LDAP_PROTOCOL_ERROR;
/*
 * Error cleanup (body not in this listing).  By this point *id, *old
 * and/or *new may already hold "O"-allocated bervals; they should be
 * released on this path, and old/new are cleartext credentials -- confirm.
 */
170 if( rc != LDAP_SUCCESS ) {
/*
 * slap_passwd_return: wrap a server-generated password into the Password
 * Modify response value, encoded with DER as a SEQUENCE holding one
 * OCTET STRING tagged LDAP_TAG_EXOP_X_MODIFY_PASSWD_GEN.
 *
 * @param cred  the generated credential; must be non-NULL (asserted).
 * @return      a newly allocated berval holding the encoding (ownership
 *              passes to the caller), or NULL if the encoder could not be
 *              allocated.  The declaration of bv and the handling of rc
 *              are on lines not in this listing.
 *
 * Only cred->bv_len is logged -- never the credential bytes.
 */
191 struct berval * slap_passwd_return(
192 struct berval *cred )
/* LBER_USE_DER selects DER output for the response value. */
196 BerElement *ber = ber_alloc_t(LBER_USE_DER);
198 assert( cred != NULL );
/* Length only; the generated password itself stays out of the trace log. */
200 Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
201 (long) cred->bv_len, 0, 0 );
203 if( ber == NULL ) return NULL;
/* "{tO}": 't' sets the tag of the following 'O' (OCTET STRING) element. */
205 rc = ber_printf( ber, "{tO}",
206 LDAP_TAG_EXOP_X_MODIFY_PASSWD_GEN, cred );
/*
 * NOTE(review): the result is deliberately ignored; this is only safe if
 * bv was initialised to NULL so a failed flatten surfaces as a NULL
 * return -- confirm on the lines not shown.
 */
213 (void) ber_flatten( ber, &bv );
/*
 * Fragment of the stored-password check routine; its name and first
 * parameter (the attribute a) are not in this listing.  The presented
 * credential is compared against every stored value of a; what is
 * returned on match / mismatch is on lines not shown.
 */
223 struct berval *cred )
/* a_vals is NULL-terminated; try each stored hash in turn. */
226 for ( i = 0; a->a_vals[i] != NULL; i++ ) {
/*
 * lutil_passwd runs under crypt_mutex -- presumably because crypt(3),
 * reachable for {CRYPT} hashes, keeps static state.  The same lock is
 * taken around lutil_passwd_hash later in this file, so check and hash
 * never run concurrently.
 */
230 ldap_pvt_thread_mutex_lock( &crypt_mutex );
233 result = lutil_passwd( a->a_vals[i], cred, NULL );
236 ldap_pvt_thread_mutex_unlock( &crypt_mutex );
/*
 * slap_passwd_generate: produce a random password for the case where the
 * server, not the client, chooses the new password.
 *
 * @return the berval returned by lutil_passwd_generate (presumably newly
 *         allocated, NULL on failure -- confirm against lutil).
 *
 * NOTE(review): the fixed length of 8 bounds the entropy of every
 * generated password; the justification below is getpass(3) truncation,
 * not strength.  The alphabet lutil_passwd_generate draws from is not
 * visible here, so effective strength cannot be judged from this file.
 */
245 struct berval * slap_passwd_generate( void )
247 Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
250 * generate passwords of only 8 characters as some getpass(3)
251 * implementations truncate at 8 characters.
253 return lutil_passwd_generate( 8 );
<!-- placeholder removed -->
/*
 * slap_passwd_hash: hash a cleartext credential with the configured default
 * scheme.
 *
 * @param cred  cleartext password to hash.
 * @return      new, the value produced by lutil_passwd_hash (declared on a
 *              line not shown; ownership and NULL-on-failure presumably as
 *              lutil defines them -- confirm).
 */
256 struct berval * slap_passwd_hash(
257 struct berval * cred )
/*
 * Fall back to {SSHA} (salted SHA-1, a single fast round) when no
 * default_passwd_hash was configured.
 */
259 char* hash = default_passwd_hash ? default_passwd_hash : "{SSHA}";
/* Same lock as the check path: lutil presumably reaches crypt(3) for {CRYPT}. */
264 ldap_pvt_thread_mutex_lock( &crypt_mutex );
267 new = lutil_passwd_hash( cred , hash );
270 ldap_pvt_thread_mutex_unlock( &crypt_mutex );