git.sur5r.net Git - openldap/blob - servers/slapd/passwd.c

   1 /* bind.c - ldbm backend bind and unbind routines */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11
  12 #include <ac/krb.h>
  13 #include <ac/socket.h>
  14 #include <ac/string.h>
  15 #include <ac/unistd.h>
  16
  17 #include "slap.h"
  18
  19 #include <lutil.h>
  20
  21 int passwd_extop(
  22         SLAP_EXTOP_CALLBACK_FN ext_callback,
  23         Connection *conn, Operation *op, char *oid,
  24         struct berval *reqdata,
  25         struct berval **rspdata,
  26         LDAPControl ***rspctrls,
  27         char **text )
  28 {
  29         int rc;
  30
  31         assert( oid != NULL );
  32         assert( strcmp( LDAP_EXOP_X_MODIFY_PASSWD, oid ) == 0 );
  33
  34         if( op->o_dn == NULL || op->o_dn[0] == '\0' ) {
  35                 *text = ch_strdup("only authenicated users may change passwords");
  36                 return LDAP_STRONG_AUTH_REQUIRED;
  37         }
  38
  39         if( conn->c_authz_backend != NULL &&
  40                 conn->c_authz_backend->be_extended )
  41         {
  42                 rc = conn->c_authz_backend->be_extended(
  43                         conn->c_authz_backend,
  44                         conn, op, oid, reqdata, rspdata, rspctrls, text );
  45
  46         } else {
  47                 *text = ch_strdup("operation not supported for current user");
  48                 rc = LDAP_UNWILLING_TO_PERFORM;
  49         }
  50
  51         return rc;
  52 }
  53
  54 int slap_passwd_parse( struct berval *reqdata,
  55         struct berval **id,
  56         struct berval **old,
  57         struct berval **new,
  58         char **text )
  59 {
  60         int rc = LDAP_SUCCESS;
  61         ber_tag_t tag;
  62         ber_len_t len;
  63         BerElement *ber;
  64
  65         if( reqdata == NULL ) {
  66                 return LDAP_SUCCESS;
  67         }
  68
  69         ber = ber_init( reqdata );
  70
  71         if( ber == NULL ) {
  72                 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ber_init failed\n",
  73                         0, 0, 0 );
  74                 *text = ch_strdup("password decoding error");
  75                 return LDAP_PROTOCOL_ERROR;
  76         }
  77
  78         tag = ber_peek_tag( ber, &len );
  79
  80         if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID ) {
  81                 if( id == NULL ) {
  82                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
  83                                 0, 0, 0 );
  84                         *text = "user must change own password";
  85                         rc = LDAP_UNWILLING_TO_PERFORM;
  86                         goto done;
  87                 }
  88
  89                 tag = ber_scanf( ber, "O", id );
  90
  91                 if( tag == LBER_ERROR ) {
  92                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
  93                                 0, 0, 0 );
  94                         goto decoding_error;
  95                 }
  96
  97                 tag = ber_peek_tag( ber, &len);
  98         }
  99
 100         if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_OLD ) {
 101                 if( old == NULL ) {
 102                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
 103                                 0, 0, 0 );
 104                         *text = "use bind to verify old password";
 105                         rc = LDAP_UNWILLING_TO_PERFORM;
 106                         goto done;
 107                 }
 108
 109                 tag = ber_scanf( ber, "O", old );
 110
 111                 if( tag == LBER_ERROR ) {
 112                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
 113                                 0, 0, 0 );
 114                         goto decoding_error;
 115                 }
 116
 117                 tag = ber_peek_tag( ber, &len);
 118         }
 119
 120         if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW ) {
 121                 if( new == NULL ) {
 122                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
 123                                 0, 0, 0 );
 124                         *text = "user specified passwords disallowed";
 125                         rc = LDAP_UNWILLING_TO_PERFORM;
 126                         goto done;
 127                 }
 128
 129                 tag = ber_scanf( ber, "O", new );
 130
 131                 if( tag == LBER_ERROR ) {
 132                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
 133                                 0, 0, 0 );
 134                         goto decoding_error;
 135                 }
 136
 137                 tag = ber_peek_tag( ber, &len );
 138         }
 139
 140         if( len != 0 ) {
 141 decoding_error:
 142                 Debug( LDAP_DEBUG_TRACE,
 143                         "slap_passwd_parse: decoding error, len=%ld\n",
 144                         (long) len, 0, 0 );
 145
 146                 *text = ch_strdup("data decoding error");
 147                 rc = LDAP_PROTOCOL_ERROR;
 148         }
 149
 150 done:
 151         if( rc != LDAP_SUCCESS ) {
 152                 if( id != NULL ) {
 153                         ber_bvfree( *id );
 154                         *id = NULL;
 155                 }
 156
 157                 if( old != NULL ) {
 158                         ber_bvfree( *old );
 159                         *old = NULL;
 160                 }
 161
 162                 if( new != NULL ) {
 163                         ber_bvfree( *new );
 164                         *new = NULL;
 165                 }
 166         }
 167
 168         ber_free( ber, 1 );
 169         return rc;
 170 }
 171
 172 struct berval * slap_passwd_return(
 173         struct berval           *cred )
 174 {
 175         int rc;
 176         struct berval *bv;
 177         BerElement *ber = ber_alloc_t(LBER_USE_DER);
 178
 179         assert( cred != NULL );
 180
 181         Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
 182                 (long) cred->bv_len, 0, 0 );
 183
 184         if( ber == NULL ) return NULL;
 185
 186         rc = ber_printf( ber, "tO",
 187                 LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, cred );
 188
 189         if( rc == -1 ) {
 190                 ber_free( ber, 1 );
 191                 return NULL;
 192         }
 193
 194         (void) ber_flatten( ber, &bv );
 195
 196         ber_free( ber, 1 );
 197
 198         return bv;
 199 }
 200
 201 int
 202 slap_passwd_check(
 203         Attribute *a,
 204         struct berval *cred )
 205 {
 206         int     i;
 207         for ( i = 0; a->a_vals[i] != NULL; i++ ) {
 208                 int result;
 209
 210 #ifdef SLAPD_CRYPT
 211                 ldap_pvt_thread_mutex_lock( &crypt_mutex );
 212 #endif
 213
 214                 result = lutil_passwd( a->a_vals[i], cred, NULL );
 215
 216 #ifdef SLAPD_CRYPT
 217                 ldap_pvt_thread_mutex_unlock( &crypt_mutex );
 218 #endif
 219
 220                 return result;
 221         }
 222
 223         return( 1 );
 224 }
 225
 226 struct berval * slap_passwd_generate( void )
 227 {
 228         Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
 229         return lutil_passwd_generate( 8 );
 230 }
 231
 232 struct berval * slap_passwd_hash(
 233         struct berval * cred )
 234 {
 235         char* hash = default_passwd_hash ? default_passwd_hash : "{SSHA}";
 236
 237         struct berval *new;
 238
 239 #ifdef SLAPD_CRYPT
 240         ldap_pvt_thread_mutex_lock( &crypt_mutex );
 241 #endif
 242
 243         new = lutil_passwd_hash( cred , hash );
 244
 245 #ifdef SLAPD_CRYPT
 246         ldap_pvt_thread_mutex_unlock( &crypt_mutex );
 247 #endif
 248
 249         return new;
 250 }