]> git.sur5r.net Git - openldap/blob - servers/slapd/passwd.c
now I remember why I introduced the 'has_ldapinfo_dn_ru' flag
[openldap] / servers / slapd / passwd.c
1 /* passwd.c - password extended operation routines */
2 /* $OpenLDAP$ */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4  *
5  * Copyright 1998-2004 The OpenLDAP Foundation.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted only as authorized by the OpenLDAP
10  * Public License.
11  *
12  * A copy of this license is available in the file LICENSE in the
13  * top-level directory of the distribution or, alternatively, at
14  * <http://www.OpenLDAP.org/license.html>.
15  */
16
17 #include "portable.h"
18
19 #include <stdio.h>
20
21 #include <ac/krb.h>
22 #include <ac/socket.h>
23 #include <ac/string.h>
24 #include <ac/unistd.h>
25
26 #include "slap.h"
27
28 #include <lber_pvt.h>
29 #include <lutil.h>
30
31 int passwd_extop(
32         Operation *op,
33         SlapReply *rs )
34 {
35         struct berval id = {0, NULL}, old = {0, NULL}, new = {0, NULL},
36                 dn, ndn, hash, vals[2], tmpbv, *rsp = NULL;
37         Modifications ml, **modtail;
38         Operation op2;
39         slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
40         slap_callback cb2 = { NULL, slap_replog_cb, NULL, NULL };
41         cb2.sc_next = &cb;
42
43         assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 );
44
45         if( op->o_dn.bv_len == 0 ) {
46                 rs->sr_text = "only authenticated users may change passwords";
47                 return LDAP_STRONG_AUTH_REQUIRED;
48         }
49
50         if( op->oq_extended.rs_reqdata ) {
51                 ber_dupbv_x( &tmpbv, op->oq_extended.rs_reqdata, op->o_tmpmemctx );
52         }
53         rs->sr_err = slap_passwd_parse(
54                 op->oq_extended.rs_reqdata ? &tmpbv : NULL,
55                 &id, &old, &new, &rs->sr_text );
56
57         if ( rs->sr_err != LDAP_SUCCESS ) {
58                 return rs->sr_err;
59         }
60
61         if ( id.bv_len ) {
62                 dn = id;
63                 /* ndn is in tmpmem, so we don't need to free it */
64                 rs->sr_err = dnNormalize( 0, NULL, NULL, &dn, &ndn, op->o_tmpmemctx );
65                 if ( rs->sr_err != LDAP_SUCCESS ) {
66                         rs->sr_text = "Invalid DN";
67                         return rs->sr_err;
68                 }
69                 op->o_bd = select_backend( &ndn, 0, 0 );
70         } else {
71                 dn = op->o_dn;
72                 ndn = op->o_ndn;
73                 ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
74                 op->o_bd = op->o_conn->c_authz_backend;
75                 ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
76         }
77
78         if( op->o_bd == NULL ) {
79 #ifdef HAVE_CYRUS_SASL
80                 return slap_sasl_setpass( op, rs );
81 #else
82                 rs->sr_text = "no authz backend";
83                 return LDAP_OTHER;
84 #endif
85         }
86
87         if ( ndn.bv_len == 0 ) {
88                 rs->sr_text = "no password is associated with the Root DSE";
89                 return LDAP_UNWILLING_TO_PERFORM;
90         }
91
92         if (backend_check_restrictions( op, rs,
93                         (struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) {
94                 return rs->sr_err;
95         }
96
97
98 #ifndef SLAPD_MULTIMASTER
99         /* This does not apply to multi-master case */
100         if( op->o_bd->be_update_ndn.bv_len ) {
101                 /* we SHOULD return a referral in this case */
102                 BerVarray defref = NULL;
103                 if ( !LDAP_STAILQ_EMPTY( &op->o_bd->be_syncinfo )) {
104                         syncinfo_t *si;
105                         LDAP_STAILQ_FOREACH( si, &op->o_bd->be_syncinfo, si_next ) {
106                                 struct berval tmpbv;
107                                 ber_dupbv( &tmpbv, &si->si_provideruri_bv[0] );
108                                 ber_bvarray_add( &defref, &tmpbv );
109                         }
110                 } else {
111                         defref = referral_rewrite( op->o_bd->be_update_refs,
112                                 NULL, NULL, LDAP_SCOPE_DEFAULT );
113                 }
114                 rs->sr_ref = defref;
115                 return LDAP_REFERRAL;
116         }
117 #endif /* !SLAPD_MULTIMASTER */
118
119         /* Give the backend a chance to handle this itself */
120         if ( op->o_bd->be_extended ) {
121                 rs->sr_err = op->o_bd->be_extended( op, rs );
122                 if ( rs->sr_err != LDAP_UNWILLING_TO_PERFORM ) {
123                         return rs->sr_err;
124                 }
125         }
126
127         /* The backend didn't handle it, so try it here */
128         if( op->o_bd && !op->o_bd->be_modify ) {
129                 rs->sr_text = "operation not supported for current user";
130                 return LDAP_UNWILLING_TO_PERFORM;
131         }
132
133         if ( new.bv_len == 0 ) {
134                 slap_passwd_generate( &new );
135                 rsp = slap_passwd_return( &new );
136         }
137         if ( new.bv_len == 0 ) {
138                 rs->sr_text = "password generation failed";
139                 return LDAP_OTHER;
140         }
141         slap_passwd_hash( &new, &hash, &rs->sr_text );
142         if ( rsp ) {
143                 free( new.bv_val );
144         }
145         if ( hash.bv_len == 0 ) {
146                 if ( !rs->sr_text ) {
147                         rs->sr_text = "password hash failed";
148                 }
149                 return LDAP_OTHER;
150         }
151         vals[0] = hash;
152         vals[1].bv_val = NULL;
153         ml.sml_desc = slap_schema.si_ad_userPassword;
154         ml.sml_values = vals;
155         ml.sml_nvalues = NULL;
156         ml.sml_op = LDAP_MOD_REPLACE;
157         ml.sml_next = NULL;
158
159         op2 = *op;
160         op2.o_tag = LDAP_REQ_MODIFY;
161         op2.o_callback = &cb2;
162         op2.o_req_dn = dn;
163         op2.o_req_ndn = ndn;
164         op2.orm_modlist = &ml;
165
166         modtail = &ml.sml_next;
167         rs->sr_err = slap_mods_opattrs( &op2, &ml, modtail, &rs->sr_text,
168                 NULL, 0 );
169         
170         if ( rs->sr_err == LDAP_SUCCESS ) {
171                 rs->sr_err = op2.o_bd->be_modify( &op2, rs );
172         }
173         if ( rs->sr_err == LDAP_SUCCESS ) {
174                 rs->sr_rspdata = rsp;
175         } else if ( rsp ) {
176                 ber_bvfree( rsp );
177         }
178         slap_mods_free( ml.sml_next );
179         free( hash.bv_val );
180
181         return rs->sr_err;
182 }
183
184 int slap_passwd_parse( struct berval *reqdata,
185         struct berval *id,
186         struct berval *oldpass,
187         struct berval *newpass,
188         const char **text )
189 {
190         int rc = LDAP_SUCCESS;
191         ber_tag_t tag;
192         ber_len_t len = -1;
193         BerElementBuffer berbuf;
194         BerElement *ber = (BerElement *)&berbuf;
195
196         if( reqdata == NULL ) {
197                 return LDAP_SUCCESS;
198         }
199
200         if( reqdata->bv_len == 0 ) {
201                 *text = "empty request data field";
202                 return LDAP_PROTOCOL_ERROR;
203         }
204
205         /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
206         ber_init2( ber, reqdata, 0 );
207
208         tag = ber_scanf( ber, "{" /*}*/ );
209
210         if( tag == LBER_ERROR ) {
211 #ifdef NEW_LOGGING
212                 LDAP_LOG( OPERATION, ERR, 
213                         "slap_passwd_parse: decoding error\n", 0, 0, 0 );
214 #else
215                 Debug( LDAP_DEBUG_TRACE,
216                         "slap_passwd_parse: decoding error\n", 0, 0, 0 );
217 #endif
218                 rc = LDAP_PROTOCOL_ERROR;
219                 goto done;
220         }
221
222         tag = ber_peek_tag( ber, &len );
223         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
224                 if( id == NULL ) {
225 #ifdef NEW_LOGGING
226                         LDAP_LOG( OPERATION, ERR,
227                            "slap_passwd_parse: ID not allowed.\n", 0, 0, 0 );
228 #else
229                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
230                                 0, 0, 0 );
231 #endif
232
233                         *text = "user must change own password";
234                         rc = LDAP_UNWILLING_TO_PERFORM;
235                         goto done;
236                 }
237
238                 tag = ber_scanf( ber, "m", id );
239
240                 if( tag == LBER_ERROR ) {
241 #ifdef NEW_LOGGING
242                         LDAP_LOG( OPERATION, ERR,
243                            "slap_passwd_parse:  ID parse failed.\n", 0, 0, 0 );
244 #else
245                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
246                                 0, 0, 0 );
247 #endif
248
249                         goto decoding_error;
250                 }
251
252                 tag = ber_peek_tag( ber, &len);
253         }
254
255         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) {
256                 if( oldpass == NULL ) {
257 #ifdef NEW_LOGGING
258                         LDAP_LOG( OPERATION, ERR,
259                            "slap_passwd_parse: OLD not allowed.\n" , 0, 0, 0 );
260 #else
261                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
262                                 0, 0, 0 );
263 #endif
264
265                         *text = "use bind to verify old password";
266                         rc = LDAP_UNWILLING_TO_PERFORM;
267                         goto done;
268                 }
269
270                 tag = ber_scanf( ber, "m", oldpass );
271
272                 if( tag == LBER_ERROR ) {
273 #ifdef NEW_LOGGING
274                         LDAP_LOG( OPERATION, ERR,
275                            "slap_passwd_parse:  ID parse failed.\n" , 0, 0, 0 );
276 #else
277                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
278                                 0, 0, 0 );
279 #endif
280
281                         goto decoding_error;
282                 }
283
284                 tag = ber_peek_tag( ber, &len );
285         }
286
287         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) {
288                 if( newpass == NULL ) {
289 #ifdef NEW_LOGGING
290                         LDAP_LOG( OPERATION, ERR,
291                            "slap_passwd_parse:  NEW not allowed.\n", 0, 0, 0 );
292 #else
293                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
294                                 0, 0, 0 );
295 #endif
296
297                         *text = "user specified passwords disallowed";
298                         rc = LDAP_UNWILLING_TO_PERFORM;
299                         goto done;
300                 }
301
302                 tag = ber_scanf( ber, "m", newpass );
303
304                 if( tag == LBER_ERROR ) {
305 #ifdef NEW_LOGGING
306                         LDAP_LOG( OPERATION, ERR,
307                            "slap_passwd_parse:  OLD parse failed.\n", 0, 0, 0 );
308 #else
309                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
310                                 0, 0, 0 );
311 #endif
312
313                         goto decoding_error;
314                 }
315
316                 tag = ber_peek_tag( ber, &len );
317         }
318
319         if( len != 0 ) {
320 decoding_error:
321 #ifdef NEW_LOGGING
322                 LDAP_LOG( OPERATION, ERR, 
323                         "slap_passwd_parse: decoding error, len=%ld\n", (long)len, 0, 0 );
324 #else
325                 Debug( LDAP_DEBUG_TRACE,
326                         "slap_passwd_parse: decoding error, len=%ld\n",
327                         (long) len, 0, 0 );
328 #endif
329
330                 *text = "data decoding error";
331                 rc = LDAP_PROTOCOL_ERROR;
332         }
333
334 done:
335         return rc;
336 }
337
338 struct berval * slap_passwd_return(
339         struct berval           *cred )
340 {
341         int rc;
342         struct berval *bv = NULL;
343         BerElementBuffer berbuf;
344         /* opaque structure, size unknown but smaller than berbuf */
345         BerElement *ber = (BerElement *)&berbuf;
346
347         assert( cred != NULL );
348
349 #ifdef NEW_LOGGING
350         LDAP_LOG( OPERATION, ENTRY, 
351                 "slap_passwd_return: %ld\n",(long)cred->bv_len, 0, 0 );
352 #else
353         Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
354                 (long) cred->bv_len, 0, 0 );
355 #endif
356         
357         ber_init_w_nullc( ber, LBER_USE_DER );
358
359         rc = ber_printf( ber, "{tON}",
360                 LDAP_TAG_EXOP_MODIFY_PASSWD_GEN, cred );
361
362         if( rc >= 0 ) {
363                 (void) ber_flatten( ber, &bv );
364         }
365
366         ber_free_buf( ber );
367
368         return bv;
369 }
370
371 int
372 slap_passwd_check(
373         Connection *conn,
374         Attribute *a,
375         struct berval *cred,
376         const char **text )
377 {
378         int result = 1;
379         struct berval *bv;
380
381 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
382         ldap_pvt_thread_mutex_lock( &passwd_mutex );
383 #ifdef SLAPD_SPASSWD
384         lutil_passwd_sasl_conn = conn->c_sasl_authctx;
385 #endif
386 #endif
387
388         for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
389                 if( !lutil_passwd( bv, cred, NULL, text ) ) {
390                         result = 0;
391                         break;
392                 }
393         }
394
395 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
396 #ifdef SLAPD_SPASSWD
397         lutil_passwd_sasl_conn = NULL;
398 #endif
399         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
400 #endif
401
402         return result;
403 }
404
405 void
406 slap_passwd_generate( struct berval *pass )
407 {
408         struct berval *tmp;
409 #ifdef NEW_LOGGING
410         LDAP_LOG( OPERATION, ENTRY, "slap_passwd_generate: begin\n", 0, 0, 0 );
411 #else
412         Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
413 #endif
414         /*
415          * generate passwords of only 8 characters as some getpass(3)
416          * implementations truncate at 8 characters.
417          */
418         tmp = lutil_passwd_generate( 8 );
419         if (tmp) {
420                 *pass = *tmp;
421                 free(tmp);
422         } else {
423                 pass->bv_val = NULL;
424                 pass->bv_len = 0;
425         }
426 }
427
428 void
429 slap_passwd_hash(
430         struct berval * cred,
431         struct berval * new,
432         const char **text )
433 {
434         struct berval *tmp;
435 #ifdef LUTIL_SHA1_BYTES
436         char* hash = default_passwd_hash ?  default_passwd_hash : "{SSHA}";
437 #else
438         char* hash = default_passwd_hash ?  default_passwd_hash : "{SMD5}";
439 #endif
440         
441
442 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
443         ldap_pvt_thread_mutex_lock( &passwd_mutex );
444 #endif
445
446         tmp = lutil_passwd_hash( cred , hash, text );
447         
448 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
449         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
450 #endif
451
452         if( tmp == NULL ) {
453                 new->bv_len = 0;
454                 new->bv_val = NULL;
455         }
456
457         *new = *tmp;
458         free( tmp );
459         return;
460 }