git.sur5r.net Git - openldap/blob - servers/slapd/passwd.c

   1 /* passwd.c - password extended operation routines */
   2 /* $OpenLDAP$ */
   3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   4  *
   5  * Copyright 1998-2004 The OpenLDAP Foundation.
   6  * All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted only as authorized by the OpenLDAP
  10  * Public License.
  11  *
  12  * A copy of this license is available in the file LICENSE in the
  13  * top-level directory of the distribution or, alternatively, at
  14  * <http://www.OpenLDAP.org/license.html>.
  15  */
  16
  17 #include "portable.h"
  18
  19 #include <stdio.h>
  20
  21 #include <ac/krb.h>
  22 #include <ac/socket.h>
  23 #include <ac/string.h>
  24 #include <ac/unistd.h>
  25
  26 #include "slap.h"
  27
  28 #include <lber_pvt.h>
  29 #include <lutil.h>
  30
  31 int passwd_extop(
  32         Operation *op,
  33         SlapReply *rs )
  34 {
  35         struct berval id = {0, NULL}, old = {0, NULL}, new = {0, NULL},
  36                 dn, ndn, hash, vals[2], tmpbv, *rsp = NULL;
  37         Modifications ml, **modtail;
  38         Operation op2;
  39         slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
  40         slap_callback cb2 = { NULL, slap_replog_cb, NULL, NULL };
  41         cb2.sc_next = &cb;
  42
  43         assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 );
  44
  45         if( op->o_dn.bv_len == 0 ) {
  46                 rs->sr_text = "only authenticated users may change passwords";
  47                 return LDAP_STRONG_AUTH_REQUIRED;
  48         }
  49
  50         if( op->oq_extended.rs_reqdata ) {
  51                 ber_dupbv_x( &tmpbv, op->oq_extended.rs_reqdata, op->o_tmpmemctx );
  52         }
  53         rs->sr_err = slap_passwd_parse(
  54                 op->oq_extended.rs_reqdata ? &tmpbv : NULL,
  55                 &id, &old, &new, &rs->sr_text );
  56
  57         if ( rs->sr_err != LDAP_SUCCESS ) {
  58                 return rs->sr_err;
  59         }
  60
  61         if ( id.bv_len ) {
  62                 dn = id;
  63                 /* ndn is in tmpmem, so we don't need to free it */
  64                 rs->sr_err = dnNormalize( 0, NULL, NULL, &dn, &ndn, op->o_tmpmemctx );
  65                 if ( rs->sr_err != LDAP_SUCCESS ) {
  66                         rs->sr_text = "Invalid DN";
  67                         return rs->sr_err;
  68                 }
  69                 op->o_bd = select_backend( &ndn, 0, 0 );
  70         } else {
  71                 dn = op->o_dn;
  72                 ndn = op->o_ndn;
  73                 ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
  74                 op->o_bd = op->o_conn->c_authz_backend;
  75                 ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
  76         }
  77
  78         if( op->o_bd == NULL ) {
  79 #ifdef HAVE_CYRUS_SASL
  80                 return slap_sasl_setpass( op, rs );
  81 #else
  82                 rs->sr_text = "no authz backend";
  83                 return LDAP_OTHER;
  84 #endif
  85         }
  86
  87         if ( ndn.bv_len == 0 ) {
  88                 rs->sr_text = "no password is associated with the Root DSE";
  89                 return LDAP_UNWILLING_TO_PERFORM;
  90         }
  91
  92         if (backend_check_restrictions( op, rs,
  93                         (struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) {
  94                 return rs->sr_err;
  95         }
  96
  97
  98 #ifndef SLAPD_MULTIMASTER
  99         /* This does not apply to multi-master case */
 100         if( op->o_bd->be_update_ndn.bv_len ) {
 101                 /* we SHOULD return a referral in this case */
 102                 BerVarray defref = NULL;
 103                 if ( !LDAP_STAILQ_EMPTY( &op->o_bd->be_syncinfo )) {
 104                         syncinfo_t *si;
 105                         LDAP_STAILQ_FOREACH( si, &op->o_bd->be_syncinfo, si_next ) {
 106                                 struct berval tmpbv;
 107                                 ber_dupbv( &tmpbv, &si->si_provideruri_bv[0] );
 108                                 ber_bvarray_add( &defref, &tmpbv );
 109                         }
 110                 } else {
 111                         defref = referral_rewrite( op->o_bd->be_update_refs,
 112                                 NULL, NULL, LDAP_SCOPE_DEFAULT );
 113                 }
 114                 rs->sr_ref = defref;
 115                 return LDAP_REFERRAL;
 116         }
 117 #endif /* !SLAPD_MULTIMASTER */
 118
 119         /* Give the backend a chance to handle this itself */
 120         if ( op->o_bd->be_extended ) {
 121                 rs->sr_err = op->o_bd->be_extended( op, rs );
 122                 if ( rs->sr_err != LDAP_UNWILLING_TO_PERFORM ) {
 123                         return rs->sr_err;
 124                 }
 125         }
 126
 127         /* The backend didn't handle it, so try it here */
 128         if( op->o_bd && !op->o_bd->be_modify ) {
 129                 rs->sr_text = "operation not supported for current user";
 130                 return LDAP_UNWILLING_TO_PERFORM;
 131         }
 132
 133         if ( new.bv_len == 0 ) {
 134                 slap_passwd_generate( &new );
 135                 rsp = slap_passwd_return( &new );
 136         }
 137         if ( new.bv_len == 0 ) {
 138                 rs->sr_text = "password generation failed";
 139                 return LDAP_OTHER;
 140         }
 141         slap_passwd_hash( &new, &hash, &rs->sr_text );
 142         if ( rsp ) {
 143                 free( new.bv_val );
 144         }
 145         if ( hash.bv_len == 0 ) {
 146                 if ( !rs->sr_text ) {
 147                         rs->sr_text = "password hash failed";
 148                 }
 149                 return LDAP_OTHER;
 150         }
 151         vals[0] = hash;
 152         vals[1].bv_val = NULL;
 153         ml.sml_desc = slap_schema.si_ad_userPassword;
 154         ml.sml_values = vals;
 155         ml.sml_nvalues = NULL;
 156         ml.sml_op = LDAP_MOD_REPLACE;
 157         ml.sml_next = NULL;
 158
 159         op2 = *op;
 160         op2.o_tag = LDAP_REQ_MODIFY;
 161         op2.o_callback = &cb2;
 162         op2.o_req_dn = dn;
 163         op2.o_req_ndn = ndn;
 164         op2.orm_modlist = &ml;
 165
 166         modtail = &ml.sml_next;
 167         rs->sr_err = slap_mods_opattrs( &op2, &ml, modtail, &rs->sr_text,
 168                 NULL, 0 );
 169
 170         if ( rs->sr_err == LDAP_SUCCESS ) {
 171                 rs->sr_err = op2.o_bd->be_modify( &op2, rs );
 172         }
 173         if ( rs->sr_err == LDAP_SUCCESS ) {
 174                 rs->sr_rspdata = rsp;
 175         } else if ( rsp ) {
 176                 ber_bvfree( rsp );
 177         }
 178         slap_mods_free( ml.sml_next );
 179         free( hash.bv_val );
 180
 181         return rs->sr_err;
 182 }
 183
 184 int slap_passwd_parse( struct berval *reqdata,
 185         struct berval *id,
 186         struct berval *oldpass,
 187         struct berval *newpass,
 188         const char **text )
 189 {
 190         int rc = LDAP_SUCCESS;
 191         ber_tag_t tag;
 192         ber_len_t len = -1;
 193         BerElementBuffer berbuf;
 194         BerElement *ber = (BerElement *)&berbuf;
 195
 196         if( reqdata == NULL ) {
 197                 return LDAP_SUCCESS;
 198         }
 199
 200         if( reqdata->bv_len == 0 ) {
 201                 *text = "empty request data field";
 202                 return LDAP_PROTOCOL_ERROR;
 203         }
 204
 205         /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
 206         ber_init2( ber, reqdata, 0 );
 207
 208         tag = ber_scanf( ber, "{" /*}*/ );
 209
 210         if( tag == LBER_ERROR ) {
 211 #ifdef NEW_LOGGING
 212                 LDAP_LOG( OPERATION, ERR,
 213                         "slap_passwd_parse: decoding error\n", 0, 0, 0 );
 214 #else
 215                 Debug( LDAP_DEBUG_TRACE,
 216                         "slap_passwd_parse: decoding error\n", 0, 0, 0 );
 217 #endif
 218                 rc = LDAP_PROTOCOL_ERROR;
 219                 goto done;
 220         }
 221
 222         tag = ber_peek_tag( ber, &len );
 223         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
 224                 if( id == NULL ) {
 225 #ifdef NEW_LOGGING
 226                         LDAP_LOG( OPERATION, ERR,
 227                            "slap_passwd_parse: ID not allowed.\n", 0, 0, 0 );
 228 #else
 229                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
 230                                 0, 0, 0 );
 231 #endif
 232
 233                         *text = "user must change own password";
 234                         rc = LDAP_UNWILLING_TO_PERFORM;
 235                         goto done;
 236                 }
 237
 238                 tag = ber_scanf( ber, "m", id );
 239
 240                 if( tag == LBER_ERROR ) {
 241 #ifdef NEW_LOGGING
 242                         LDAP_LOG( OPERATION, ERR,
 243                            "slap_passwd_parse:  ID parse failed.\n", 0, 0, 0 );
 244 #else
 245                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
 246                                 0, 0, 0 );
 247 #endif
 248
 249                         goto decoding_error;
 250                 }
 251
 252                 tag = ber_peek_tag( ber, &len);
 253         }
 254
 255         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) {
 256                 if( oldpass == NULL ) {
 257 #ifdef NEW_LOGGING
 258                         LDAP_LOG( OPERATION, ERR,
 259                            "slap_passwd_parse: OLD not allowed.\n" , 0, 0, 0 );
 260 #else
 261                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
 262                                 0, 0, 0 );
 263 #endif
 264
 265                         *text = "use bind to verify old password";
 266                         rc = LDAP_UNWILLING_TO_PERFORM;
 267                         goto done;
 268                 }
 269
 270                 tag = ber_scanf( ber, "m", oldpass );
 271
 272                 if( tag == LBER_ERROR ) {
 273 #ifdef NEW_LOGGING
 274                         LDAP_LOG( OPERATION, ERR,
 275                            "slap_passwd_parse:  ID parse failed.\n" , 0, 0, 0 );
 276 #else
 277                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
 278                                 0, 0, 0 );
 279 #endif
 280
 281                         goto decoding_error;
 282                 }
 283
 284                 tag = ber_peek_tag( ber, &len );
 285         }
 286
 287         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) {
 288                 if( newpass == NULL ) {
 289 #ifdef NEW_LOGGING
 290                         LDAP_LOG( OPERATION, ERR,
 291                            "slap_passwd_parse:  NEW not allowed.\n", 0, 0, 0 );
 292 #else
 293                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
 294                                 0, 0, 0 );
 295 #endif
 296
 297                         *text = "user specified passwords disallowed";
 298                         rc = LDAP_UNWILLING_TO_PERFORM;
 299                         goto done;
 300                 }
 301
 302                 tag = ber_scanf( ber, "m", newpass );
 303
 304                 if( tag == LBER_ERROR ) {
 305 #ifdef NEW_LOGGING
 306                         LDAP_LOG( OPERATION, ERR,
 307                            "slap_passwd_parse:  OLD parse failed.\n", 0, 0, 0 );
 308 #else
 309                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
 310                                 0, 0, 0 );
 311 #endif
 312
 313                         goto decoding_error;
 314                 }
 315
 316                 tag = ber_peek_tag( ber, &len );
 317         }
 318
 319         if( len != 0 ) {
 320 decoding_error:
 321 #ifdef NEW_LOGGING
 322                 LDAP_LOG( OPERATION, ERR,
 323                         "slap_passwd_parse: decoding error, len=%ld\n", (long)len, 0, 0 );
 324 #else
 325                 Debug( LDAP_DEBUG_TRACE,
 326                         "slap_passwd_parse: decoding error, len=%ld\n",
 327                         (long) len, 0, 0 );
 328 #endif
 329
 330                 *text = "data decoding error";
 331                 rc = LDAP_PROTOCOL_ERROR;
 332         }
 333
 334 done:
 335         return rc;
 336 }
 337
 338 struct berval * slap_passwd_return(
 339         struct berval           *cred )
 340 {
 341         int rc;
 342         struct berval *bv = NULL;
 343         BerElementBuffer berbuf;
 344         /* opaque structure, size unknown but smaller than berbuf */
 345         BerElement *ber = (BerElement *)&berbuf;
 346
 347         assert( cred != NULL );
 348
 349 #ifdef NEW_LOGGING
 350         LDAP_LOG( OPERATION, ENTRY,
 351                 "slap_passwd_return: %ld\n",(long)cred->bv_len, 0, 0 );
 352 #else
 353         Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
 354                 (long) cred->bv_len, 0, 0 );
 355 #endif
 356
 357         ber_init_w_nullc( ber, LBER_USE_DER );
 358
 359         rc = ber_printf( ber, "{tON}",
 360                 LDAP_TAG_EXOP_MODIFY_PASSWD_GEN, cred );
 361
 362         if( rc >= 0 ) {
 363                 (void) ber_flatten( ber, &bv );
 364         }
 365
 366         ber_free_buf( ber );
 367
 368         return bv;
 369 }
 370
 371 int
 372 slap_passwd_check(
 373         Connection *conn,
 374         Attribute *a,
 375         struct berval *cred,
 376         const char **text )
 377 {
 378         int result = 1;
 379         struct berval *bv;
 380
 381 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 382         ldap_pvt_thread_mutex_lock( &passwd_mutex );
 383 #ifdef SLAPD_SPASSWD
 384         lutil_passwd_sasl_conn = conn->c_sasl_authctx;
 385 #endif
 386 #endif
 387
 388         for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
 389                 if( !lutil_passwd( bv, cred, NULL, text ) ) {
 390                         result = 0;
 391                         break;
 392                 }
 393         }
 394
 395 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 396 #ifdef SLAPD_SPASSWD
 397         lutil_passwd_sasl_conn = NULL;
 398 #endif
 399         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
 400 #endif
 401
 402         return result;
 403 }
 404
 405 void
 406 slap_passwd_generate( struct berval *pass )
 407 {
 408         struct berval *tmp;
 409 #ifdef NEW_LOGGING
 410         LDAP_LOG( OPERATION, ENTRY, "slap_passwd_generate: begin\n", 0, 0, 0 );
 411 #else
 412         Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
 413 #endif
 414         /*
 415          * generate passwords of only 8 characters as some getpass(3)
 416          * implementations truncate at 8 characters.
 417          */
 418         tmp = lutil_passwd_generate( 8 );
 419         if (tmp) {
 420                 *pass = *tmp;
 421                 free(tmp);
 422         } else {
 423                 pass->bv_val = NULL;
 424                 pass->bv_len = 0;
 425         }
 426 }
 427
 428 void
 429 slap_passwd_hash(
 430         struct berval * cred,
 431         struct berval * new,
 432         const char **text )
 433 {
 434         struct berval *tmp;
 435 #ifdef LUTIL_SHA1_BYTES
 436         char* hash = default_passwd_hash ?  default_passwd_hash : "{SSHA}";
 437 #else
 438         char* hash = default_passwd_hash ?  default_passwd_hash : "{SMD5}";
 439 #endif
 440
 441
 442 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 443         ldap_pvt_thread_mutex_lock( &passwd_mutex );
 444 #endif
 445
 446         tmp = lutil_passwd_hash( cred , hash, text );
 447
 448 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 449         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
 450 #endif
 451
 452         if( tmp == NULL ) {
 453                 new->bv_len = 0;
 454                 new->bv_val = NULL;
 455         }
 456
 457         *new = *tmp;
 458         free( tmp );
 459         return;
 460 }