1 /* bind.c - ldbm backend bind and unbind routines */
4 * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/socket.h>
14 #include <ac/string.h>
15 #include <ac/unistd.h>
/*
 * Modify Password extended-operation handler (excerpt: the return type,
 * function name and leading parameters sit above this fragment, and
 * several body lines are elided).  Performs the front-end checks and
 * then delegates the actual change to the authorization backend; no
 * password material is decoded here.
 */
23 Connection *conn, Operation *op,
25 struct berval *reqdata,
27 struct berval **rspdata,
28 LDAPControl ***rspctrls,
/* Caller contract: this handler is only ever dispatched for the Modify Password OID. */
34 assert( reqoid != NULL );
35 assert( strcmp( LDAP_EXOP_MODIFY_PASSWD, reqoid ) == 0 );
/* Anonymous sessions (empty bind DN) are refused before any backend is consulted. */
37 if( op->o_dn.bv_len == 0 ) {
38 *text = "only authenticated users may change passwords";
39 return LDAP_STRONG_AUTH_REQUIRED;
/* The backend holding the bound identity must exist and implement extended operations. */
42 if( conn->c_authz_backend == NULL || !conn->c_authz_backend->be_extended ) {
43 *text = "operation not supported for current user";
44 return LDAP_UNWILLING_TO_PERFORM;
/* Run the backend's restriction checks keyed on the exop OID; text is passed through for the diagnostic. */
48 struct berval passwd = BER_BVC( LDAP_EXOP_MODIFY_PASSWD );
50 rc = backend_check_restrictions( conn->c_authz_backend,
51 conn, op, &passwd, text );
54 if( rc != LDAP_SUCCESS ) {
/* A configured update DN presumably marks this backend as a replica: refer the client to the update server instead of changing the password locally. */
58 if( conn->c_authz_backend->be_update_ndn.bv_len ) {
59 /* we SHOULD return a referral in this case */
60 *refs = referral_rewrite( conn->c_authz_backend->be_update_refs,
61 NULL, NULL, LDAP_SCOPE_DEFAULT );
/* Hand the request to the backend; it is responsible for parsing and applying the change. */
65 rc = conn->c_authz_backend->be_extended(
66 conn->c_authz_backend, conn, op,
68 rspoid, rspdata, rspctrls,
/*
 * slap_passwd_parse: decode the request value of a Modify Password exop
 * (excerpt: the id and text parameters, the berbuf declaration and a
 * number of branches and closing braces are elided).
 *
 * reqdata - the raw request value; it is scanned in place, not copied.
 * oldpass - receives the old password; NULL means OLD is not accepted.
 * newpass - receives the new password; NULL means NEW is not accepted.
 * Returns LDAP_SUCCESS, LDAP_UNWILLING_TO_PERFORM when a field the caller
 * did not ask for is present, or LDAP_PROTOCOL_ERROR on a decoding
 * error; *text carries the diagnostic in the failure cases.
 */
75 int slap_passwd_parse( struct berval *reqdata,
77 struct berval *oldpass,
78 struct berval *newpass,
81 int rc = LDAP_SUCCESS;
/* berbuf (declaration elided) presumably backs the opaque BerElement on the stack, as in slap_passwd_return. */
85 BerElement *ber = (BerElement *)berbuf;
87 if( reqdata == NULL ) {
91 /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
92 ber_init2( ber, reqdata, 0 );
/* Open the outer SEQUENCE; the fields below are optional and tag-selected. */
94 tag = ber_scanf( ber, "{" /*}*/ );
96 if( tag != LBER_ERROR ) {
97 tag = ber_peek_tag( ber, &len );
/* Optional userIdentity.  The condition guarding the refusal (presumably id == NULL) is elided; the refusal means a caller that passes no id buffer can only change the bound user's own password. */
100 if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
103 LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
104 "slap_passwd_parse: ID not allowed.\n"));
106 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
110 *text = "user must change own password";
111 rc = LDAP_UNWILLING_TO_PERFORM;
/* "m" fills the berval in place, so id (and oldpass/newpass below) alias reqdata and must not outlive it - confirm against liblber's ber_scanf. */
115 tag = ber_scanf( ber, "m", id );
117 if( tag == LBER_ERROR ) {
119 LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
120 "slap_passwd_parse: ID parse failed.\n"));
122 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
129 tag = ber_peek_tag( ber, &len);
/* Optional oldPasswd: refused when the caller did not ask for it. */
132 if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) {
133 if( oldpass == NULL ) {
135 LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
136 "slap_passwd_parse: OLD not allowed.\n" ));
138 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
142 *text = "use bind to verify old password";
143 rc = LDAP_UNWILLING_TO_PERFORM;
147 tag = ber_scanf( ber, "m", oldpass );
149 if( tag == LBER_ERROR ) {
/* NOTE(review): this branch parses OLD but both messages say "ID" - a copy-paste slip that misleads anyone reading the logs. */
151 LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
152 "slap_passwd_parse: ID parse failed.\n" ));
154 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
161 tag = ber_peek_tag( ber, &len );
/* Optional newPasswd: refused when the caller did not ask for it. */
164 if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) {
165 if( newpass == NULL ) {
167 LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
168 "slap_passwd_parse: NEW not allowed.\n" ));
170 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
174 *text = "user specified passwords disallowed";
175 rc = LDAP_UNWILLING_TO_PERFORM;
179 tag = ber_scanf( ber, "m", newpass );
181 if( tag == LBER_ERROR ) {
/* NOTE(review): this branch parses NEW but both messages say "OLD" - same copy-paste slip. */
183 LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
184 "slap_passwd_parse: OLD parse failed.\n"));
186 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
193 tag = ber_peek_tag( ber, &len );
/* Final check after the recognised fields (the exact condition is elided, presumably unexpected trailing data): reported as a protocol error rather than ignored. */
199 LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
200 "slap_passwd_parse: decoding error, len=%ld\n", (long)len ));
202 Debug( LDAP_DEBUG_TRACE,
203 "slap_passwd_parse: decoding error, len=%ld\n",
208 *text = "data decoding error";
209 rc = LDAP_PROTOCOL_ERROR;
/*
 * slap_passwd_return: DER-encode a server-generated password as the
 * Modify Password response value (excerpt: the berbuf and rc
 * declarations and the return statement are elided).
 *
 * cred - the generated password; must not be NULL.
 * Returns the flattened berval.  bv starts out NULL, so the result is
 * presumably NULL when encoding fails - ber_flatten's return value is
 * discarded below, confirm that it leaves *bv NULL on error.
 */
216 struct berval * slap_passwd_return(
217 struct berval *cred )
220 struct berval *bv = NULL;
222 /* opaque structure, size unknown but smaller than berbuf */
223 BerElement *ber = (BerElement *)berbuf;
225 assert( cred != NULL );
/* Only the length reaches the log, never the password bytes. */
228 LDAP_LOG(( "operation", LDAP_LEVEL_ENTRY,
229 "slap_passwd_return: %ld\n",(long)cred->bv_len ));
231 Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
232 (long) cred->bv_len, 0, 0 );
/* DER for a canonical encoding; "t" applies the GEN tag and "O" emits cred as an OCTET STRING inside the SEQUENCE. */
235 ber_init_w_nullc( ber, LBER_USE_DER );
237 rc = ber_printf( ber, "{tON}",
238 LDAP_TAG_EXOP_MODIFY_PASSWD_GEN, cred );
/* Whether rc from ber_printf is examined is in the elided lines; ber_flatten's own result is deliberately ignored here. */
241 (void) ber_flatten( ber, &bv );
/*
 * Password verification against the stored userPassword values
 * (excerpt: the return type, function name, conn and attribute
 * parameters, the result variable, the match branch and the return are
 * elided).  cred is the cleartext credential offered by the client.
 */
253 struct berval *cred )
/* Builds with crypt or SASL password schemes serialise callers on passwd_mutex - presumably because those helpers rely on non-reentrant state. */
258 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
259 ldap_pvt_thread_mutex_lock( &passwd_mutex );
/* Global consumed by the SASL scheme; cleared again below before the unlock so it never outlives this call. */
261 lutil_passwd_sasl_conn = conn->c_sasl_context;
/* Try every stored value in turn; a zero return from lutil_passwd is treated as a match (the match branch itself is elided). */
265 for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
266 if( !lutil_passwd( bv, cred, NULL ) ) {
272 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
274 lutil_passwd_sasl_conn = NULL;
276 ldap_pvt_thread_mutex_unlock( &passwd_mutex );
/*
 * slap_passwd_generate: produce a new password into *pass (excerpt: the
 * return type, the tmp declaration, the copy into pass and the return
 * are elided).
 */
283 slap_passwd_generate( struct berval *pass )
287 LDAP_LOG(( "operation", LDAP_LEVEL_ENTRY,
288 "slap_passwd_generate: begin\n" ));
290 Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
293 * generate passwords of only 8 characters as some getpass(3)
294 * implementations truncate at 8 characters.
/* NOTE(review): a fixed 8-character length caps the entropy of server-generated passwords; the getpass(3) rationale above is the only justification given here. */
296 tmp = lutil_passwd_generate( 8 );
308 struct berval * cred,
309 struct berval * new )
312 #ifdef LUTIL_SHA1_BYTES
313 char* hash = default_passwd_hash ? default_passwd_hash : "{SSHA}";
315 char* hash = default_passwd_hash ? default_passwd_hash : "{SMD5}";
319 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
320 ldap_pvt_thread_mutex_lock( &passwd_mutex );
323 tmp = lutil_passwd_hash( cred , hash );
325 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
326 ldap_pvt_thread_mutex_unlock( &passwd_mutex );