]> git.sur5r.net Git - openldap/blob - servers/slapd/passwd.c
80241ecd14134717ec0e5ef6697920b92c65619a
[openldap] / servers / slapd / passwd.c
1 /* bind.c - ldbm backend bind and unbind routines */
2 /* $OpenLDAP$ */
3 /*
4  * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
6  */
7
8 #include "portable.h"
9
10 #include <stdio.h>
11
12 #include <ac/krb.h>
13 #include <ac/socket.h>
14 #include <ac/string.h>
15 #include <ac/unistd.h>
16
17 #include "slap.h"
18
19 #include <lber_pvt.h>
20 #include <lutil.h>
21
22 int passwd_extop(
23         Operation *op,
24         SlapReply *rs )
25 {
26         assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 );
27
28         if( op->o_dn.bv_len == 0 ) {
29                 rs->sr_text = "only authenticated users may change passwords";
30                 return LDAP_STRONG_AUTH_REQUIRED;
31         }
32
33         ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
34         op->o_bd = op->o_conn->c_authz_backend;
35         ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
36
37         if( op->o_bd && !op->o_bd->be_extended ) {
38                 rs->sr_text = "operation not supported for current user";
39                 return LDAP_UNWILLING_TO_PERFORM;
40         }
41
42         if (backend_check_restrictions( op, rs,
43                         (struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) {
44                 return rs->sr_err;
45         }
46
47         if( op->o_bd == NULL ) {
48 #ifdef HAVE_CYRUS_SASL
49                 rs->sr_err = slap_sasl_setpass( op, rs );
50 #else
51                 rs->sr_text = "no authz backend";
52                 rs->sr_err = LDAP_OTHER;
53 #endif
54
55 #ifndef SLAPD_MULTIMASTER
56         /* This does not apply to multi-master case */
57         } else if( op->o_bd->be_update_ndn.bv_len ) {
58                 /* we SHOULD return a referral in this case */
59                 BerVarray defref = NULL;
60                 if ( op->o_bd->syncinfo ) {
61                         defref = op->o_bd->syncinfo->provideruri_bv;
62                 } else {
63                         defref = referral_rewrite( op->o_bd->be_update_refs,
64                                 NULL, NULL, LDAP_SCOPE_DEFAULT );
65                 }
66                 rs->sr_ref = defref;
67                 rs->sr_err = LDAP_REFERRAL;
68 #endif /* !SLAPD_MULTIMASTER */
69
70         } else {
71                 rs->sr_err = op->o_bd->be_extended( op, rs );
72         }
73
74         return rs->sr_err;
75 }
76
77 int slap_passwd_parse( struct berval *reqdata,
78         struct berval *id,
79         struct berval *oldpass,
80         struct berval *newpass,
81         const char **text )
82 {
83         int rc = LDAP_SUCCESS;
84         ber_tag_t tag;
85         ber_len_t len;
86         char berbuf[LBER_ELEMENT_SIZEOF];
87         BerElement *ber = (BerElement *)berbuf;
88
89         if( reqdata == NULL ) {
90                 return LDAP_SUCCESS;
91         }
92
93         if( reqdata->bv_len == 0 ) {
94                 *text = "empty request data field";
95                 return LDAP_PROTOCOL_ERROR;
96         }
97
98         /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
99         ber_init2( ber, reqdata, 0 );
100
101         tag = ber_scanf( ber, "{" /*}*/ );
102
103         if( tag != LBER_ERROR ) {
104                 tag = ber_peek_tag( ber, &len );
105         }
106
107         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
108                 if( id == NULL ) {
109 #ifdef NEW_LOGGING
110                         LDAP_LOG( OPERATION, ERR,
111                            "slap_passwd_parse: ID not allowed.\n", 0, 0, 0 );
112 #else
113                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
114                                 0, 0, 0 );
115 #endif
116
117                         *text = "user must change own password";
118                         rc = LDAP_UNWILLING_TO_PERFORM;
119                         goto done;
120                 }
121
122                 tag = ber_scanf( ber, "m", id );
123
124                 if( tag == LBER_ERROR ) {
125 #ifdef NEW_LOGGING
126                         LDAP_LOG( OPERATION, ERR,
127                            "slap_passwd_parse:  ID parse failed.\n", 0, 0, 0 );
128 #else
129                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
130                                 0, 0, 0 );
131 #endif
132
133                         goto decoding_error;
134                 }
135
136                 tag = ber_peek_tag( ber, &len);
137         }
138
139         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) {
140                 if( oldpass == NULL ) {
141 #ifdef NEW_LOGGING
142                         LDAP_LOG( OPERATION, ERR,
143                            "slap_passwd_parse: OLD not allowed.\n" , 0, 0, 0 );
144 #else
145                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
146                                 0, 0, 0 );
147 #endif
148
149                         *text = "use bind to verify old password";
150                         rc = LDAP_UNWILLING_TO_PERFORM;
151                         goto done;
152                 }
153
154                 tag = ber_scanf( ber, "m", oldpass );
155
156                 if( tag == LBER_ERROR ) {
157 #ifdef NEW_LOGGING
158                         LDAP_LOG( OPERATION, ERR,
159                            "slap_passwd_parse:  ID parse failed.\n" , 0, 0, 0 );
160 #else
161                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
162                                 0, 0, 0 );
163 #endif
164
165                         goto decoding_error;
166                 }
167
168                 tag = ber_peek_tag( ber, &len );
169         }
170
171         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) {
172                 if( newpass == NULL ) {
173 #ifdef NEW_LOGGING
174                         LDAP_LOG( OPERATION, ERR,
175                            "slap_passwd_parse:  NEW not allowed.\n", 0, 0, 0 );
176 #else
177                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
178                                 0, 0, 0 );
179 #endif
180
181                         *text = "user specified passwords disallowed";
182                         rc = LDAP_UNWILLING_TO_PERFORM;
183                         goto done;
184                 }
185
186                 tag = ber_scanf( ber, "m", newpass );
187
188                 if( tag == LBER_ERROR ) {
189 #ifdef NEW_LOGGING
190                         LDAP_LOG( OPERATION, ERR,
191                            "slap_passwd_parse:  OLD parse failed.\n", 0, 0, 0 );
192 #else
193                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
194                                 0, 0, 0 );
195 #endif
196
197                         goto decoding_error;
198                 }
199
200                 tag = ber_peek_tag( ber, &len );
201         }
202
203         if( len != 0 ) {
204 decoding_error:
205 #ifdef NEW_LOGGING
206                 LDAP_LOG( OPERATION, ERR, 
207                         "slap_passwd_parse: decoding error, len=%ld\n", (long)len, 0, 0 );
208 #else
209                 Debug( LDAP_DEBUG_TRACE,
210                         "slap_passwd_parse: decoding error, len=%ld\n",
211                         (long) len, 0, 0 );
212 #endif
213
214                 *text = "data decoding error";
215                 rc = LDAP_PROTOCOL_ERROR;
216         }
217
218 done:
219         return rc;
220 }
221
222 struct berval * slap_passwd_return(
223         struct berval           *cred )
224 {
225         int rc;
226         struct berval *bv = NULL;
227         char berbuf[LBER_ELEMENT_SIZEOF];
228         /* opaque structure, size unknown but smaller than berbuf */
229         BerElement *ber = (BerElement *)berbuf;
230
231         assert( cred != NULL );
232
233 #ifdef NEW_LOGGING
234         LDAP_LOG( OPERATION, ENTRY, 
235                 "slap_passwd_return: %ld\n",(long)cred->bv_len, 0, 0 );
236 #else
237         Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
238                 (long) cred->bv_len, 0, 0 );
239 #endif
240         
241         ber_init_w_nullc( ber, LBER_USE_DER );
242
243         rc = ber_printf( ber, "{tON}",
244                 LDAP_TAG_EXOP_MODIFY_PASSWD_GEN, cred );
245
246         if( rc >= 0 ) {
247                 (void) ber_flatten( ber, &bv );
248         }
249
250         ber_free_buf( ber );
251
252         return bv;
253 }
254
255 int
256 slap_passwd_check(
257         Connection *conn,
258         Attribute *a,
259         struct berval *cred,
260         const char **text )
261 {
262         int result = 1;
263         struct berval *bv;
264
265 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
266         ldap_pvt_thread_mutex_lock( &passwd_mutex );
267 #ifdef SLAPD_SPASSWD
268         lutil_passwd_sasl_conn = conn->c_sasl_authctx;
269 #endif
270 #endif
271
272         for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
273                 if( !lutil_passwd( bv, cred, NULL, text ) ) {
274                         result = 0;
275                         break;
276                 }
277         }
278
279 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
280 #ifdef SLAPD_SPASSWD
281         lutil_passwd_sasl_conn = NULL;
282 #endif
283         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
284 #endif
285
286         return result;
287 }
288
289 void
290 slap_passwd_generate( struct berval *pass )
291 {
292         struct berval *tmp;
293 #ifdef NEW_LOGGING
294         LDAP_LOG( OPERATION, ENTRY, "slap_passwd_generate: begin\n", 0, 0, 0 );
295 #else
296         Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
297 #endif
298         /*
299          * generate passwords of only 8 characters as some getpass(3)
300          * implementations truncate at 8 characters.
301          */
302         tmp = lutil_passwd_generate( 8 );
303         if (tmp) {
304                 *pass = *tmp;
305                 free(tmp);
306         } else {
307                 pass->bv_val = NULL;
308                 pass->bv_len = 0;
309         }
310 }
311
312 void
313 slap_passwd_hash(
314         struct berval * cred,
315         struct berval * new,
316         const char **text )
317 {
318         struct berval *tmp;
319 #ifdef LUTIL_SHA1_BYTES
320         char* hash = default_passwd_hash ?  default_passwd_hash : "{SSHA}";
321 #else
322         char* hash = default_passwd_hash ?  default_passwd_hash : "{SMD5}";
323 #endif
324         
325
326 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
327         ldap_pvt_thread_mutex_lock( &passwd_mutex );
328 #endif
329
330         tmp = lutil_passwd_hash( cred , hash, text );
331         
332 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
333         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
334 #endif
335
336         if( tmp == NULL ) {
337                 new->bv_len = 0;
338                 new->bv_val = NULL;
339         }
340
341         *new = *tmp;
342         free( tmp );
343         return;
344 }