git.sur5r.net Git - openldap/blob - servers/slapd/passwd.c

   1 /* bind.c - ldbm backend bind and unbind routines */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11
  12 #include <ac/krb.h>
  13 #include <ac/socket.h>
  14 #include <ac/string.h>
  15 #include <ac/unistd.h>
  16
  17 #include "slap.h"
  18
  19 #include <lber_pvt.h>
  20 #include <lutil.h>
  21
  22 int passwd_extop(
  23         Connection *conn, Operation *op,
  24         const char *reqoid,
  25         struct berval *reqdata,
  26         char **rspoid,
  27         struct berval **rspdata,
  28         LDAPControl ***rspctrls,
  29         const char **text,
  30         BerVarray *refs )
  31 {
  32         Backend *be;
  33         int rc;
  34
  35         assert( reqoid != NULL );
  36         assert( strcmp( LDAP_EXOP_MODIFY_PASSWD, reqoid ) == 0 );
  37
  38         if( op->o_dn.bv_len == 0 ) {
  39                 *text = "only authenticated users may change passwords";
  40                 return LDAP_STRONG_AUTH_REQUIRED;
  41         }
  42
  43         ldap_pvt_thread_mutex_lock( &conn->c_mutex );
  44         be = conn->c_authz_backend;
  45         ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
  46
  47         if( be && !be->be_extended ) {
  48                 *text = "operation not supported for current user";
  49                 return LDAP_UNWILLING_TO_PERFORM;
  50         }
  51
  52         {
  53                 struct berval passwd = BER_BVC( LDAP_EXOP_MODIFY_PASSWD );
  54                 rc = backend_check_restrictions( be, conn, op, &passwd, text );
  55         }
  56
  57         if( rc != LDAP_SUCCESS ) {
  58                 return rc;
  59         }
  60
  61         if( be == NULL ) {
  62 #ifdef HAVE_CYRUS_SASL
  63                 rc = slap_sasl_setpass( conn, op,
  64                         reqoid, reqdata,
  65                         rspoid, rspdata, rspctrls,
  66                         text );
  67 #else
  68                 *text = "no authz backend";
  69                 rc = LDAP_OTHER;
  70 #endif
  71
  72         } else if( be->be_update_ndn.bv_len ) {
  73                 /* we SHOULD return a referral in this case */
  74                 *refs = referral_rewrite( be->be_update_refs,
  75                         NULL, NULL, LDAP_SCOPE_DEFAULT );
  76                         rc = LDAP_REFERRAL;
  77
  78         } else {
  79                 rc = be->be_extended(
  80                         be, conn, op,
  81                         reqoid, reqdata,
  82                         rspoid, rspdata, rspctrls,
  83                         text, refs );
  84         }
  85
  86         return rc;
  87 }
  88
  89 int slap_passwd_parse( struct berval *reqdata,
  90         struct berval *id,
  91         struct berval *oldpass,
  92         struct berval *newpass,
  93         const char **text )
  94 {
  95         int rc = LDAP_SUCCESS;
  96         ber_tag_t tag;
  97         ber_len_t len;
  98         char berbuf[LBER_ELEMENT_SIZEOF];
  99         BerElement *ber = (BerElement *)berbuf;
 100
 101         if( reqdata == NULL ) {
 102                 return LDAP_SUCCESS;
 103         }
 104
 105         if( reqdata->bv_len == 0 ) {
 106                 *text = "empty request data field";
 107                 return LDAP_PROTOCOL_ERROR;
 108         }
 109
 110         /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
 111         ber_init2( ber, reqdata, 0 );
 112
 113         tag = ber_scanf( ber, "{" /*}*/ );
 114
 115         if( tag != LBER_ERROR ) {
 116                 tag = ber_peek_tag( ber, &len );
 117         }
 118
 119         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
 120                 if( id == NULL ) {
 121 #ifdef NEW_LOGGING
 122                         LDAP_LOG( OPERATION, ERR,
 123                            "slap_passwd_parse: ID not allowed.\n", 0, 0, 0 );
 124 #else
 125                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
 126                                 0, 0, 0 );
 127 #endif
 128
 129                         *text = "user must change own password";
 130                         rc = LDAP_UNWILLING_TO_PERFORM;
 131                         goto done;
 132                 }
 133
 134                 tag = ber_scanf( ber, "m", id );
 135
 136                 if( tag == LBER_ERROR ) {
 137 #ifdef NEW_LOGGING
 138                         LDAP_LOG( OPERATION, ERR,
 139                            "slap_passwd_parse:  ID parse failed.\n", 0, 0, 0 );
 140 #else
 141                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
 142                                 0, 0, 0 );
 143 #endif
 144
 145                         goto decoding_error;
 146                 }
 147
 148                 tag = ber_peek_tag( ber, &len);
 149         }
 150
 151         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) {
 152                 if( oldpass == NULL ) {
 153 #ifdef NEW_LOGGING
 154                         LDAP_LOG( OPERATION, ERR,
 155                            "slap_passwd_parse: OLD not allowed.\n" , 0, 0, 0 );
 156 #else
 157                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
 158                                 0, 0, 0 );
 159 #endif
 160
 161                         *text = "use bind to verify old password";
 162                         rc = LDAP_UNWILLING_TO_PERFORM;
 163                         goto done;
 164                 }
 165
 166                 tag = ber_scanf( ber, "m", oldpass );
 167
 168                 if( tag == LBER_ERROR ) {
 169 #ifdef NEW_LOGGING
 170                         LDAP_LOG( OPERATION, ERR,
 171                            "slap_passwd_parse:  ID parse failed.\n" , 0, 0, 0 );
 172 #else
 173                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
 174                                 0, 0, 0 );
 175 #endif
 176
 177                         goto decoding_error;
 178                 }
 179
 180                 tag = ber_peek_tag( ber, &len );
 181         }
 182
 183         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) {
 184                 if( newpass == NULL ) {
 185 #ifdef NEW_LOGGING
 186                         LDAP_LOG( OPERATION, ERR,
 187                            "slap_passwd_parse:  NEW not allowed.\n", 0, 0, 0 );
 188 #else
 189                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
 190                                 0, 0, 0 );
 191 #endif
 192
 193                         *text = "user specified passwords disallowed";
 194                         rc = LDAP_UNWILLING_TO_PERFORM;
 195                         goto done;
 196                 }
 197
 198                 tag = ber_scanf( ber, "m", newpass );
 199
 200                 if( tag == LBER_ERROR ) {
 201 #ifdef NEW_LOGGING
 202                         LDAP_LOG( OPERATION, ERR,
 203                            "slap_passwd_parse:  OLD parse failed.\n", 0, 0, 0 );
 204 #else
 205                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
 206                                 0, 0, 0 );
 207 #endif
 208
 209                         goto decoding_error;
 210                 }
 211
 212                 tag = ber_peek_tag( ber, &len );
 213         }
 214
 215         if( len != 0 ) {
 216 decoding_error:
 217 #ifdef NEW_LOGGING
 218                 LDAP_LOG( OPERATION, ERR,
 219                         "slap_passwd_parse: decoding error, len=%ld\n", (long)len, 0, 0 );
 220 #else
 221                 Debug( LDAP_DEBUG_TRACE,
 222                         "slap_passwd_parse: decoding error, len=%ld\n",
 223                         (long) len, 0, 0 );
 224 #endif
 225
 226                 *text = "data decoding error";
 227                 rc = LDAP_PROTOCOL_ERROR;
 228         }
 229
 230 done:
 231         return rc;
 232 }
 233
 234 struct berval * slap_passwd_return(
 235         struct berval           *cred )
 236 {
 237         int rc;
 238         struct berval *bv = NULL;
 239         char berbuf[LBER_ELEMENT_SIZEOF];
 240         /* opaque structure, size unknown but smaller than berbuf */
 241         BerElement *ber = (BerElement *)berbuf;
 242
 243         assert( cred != NULL );
 244
 245 #ifdef NEW_LOGGING
 246         LDAP_LOG( OPERATION, ENTRY,
 247                 "slap_passwd_return: %ld\n",(long)cred->bv_len, 0, 0 );
 248 #else
 249         Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
 250                 (long) cred->bv_len, 0, 0 );
 251 #endif
 252
 253         ber_init_w_nullc( ber, LBER_USE_DER );
 254
 255         rc = ber_printf( ber, "{tON}",
 256                 LDAP_TAG_EXOP_MODIFY_PASSWD_GEN, cred );
 257
 258         if( rc >= 0 ) {
 259                 (void) ber_flatten( ber, &bv );
 260         }
 261
 262         ber_free_buf( ber );
 263
 264         return bv;
 265 }
 266
 267 int
 268 slap_passwd_check(
 269         Connection *conn,
 270         Attribute *a,
 271         struct berval *cred )
 272 {
 273         int result = 1;
 274         struct berval *bv;
 275
 276 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 277         ldap_pvt_thread_mutex_lock( &passwd_mutex );
 278 #ifdef SLAPD_SPASSWD
 279         lutil_passwd_sasl_conn = conn->c_sasl_context;
 280 #endif
 281 #endif
 282
 283         for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
 284                 if( !lutil_passwd( bv, cred, NULL ) ) {
 285                         result = 0;
 286                         break;
 287                 }
 288         }
 289
 290 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 291 #ifdef SLAPD_SPASSWD
 292         lutil_passwd_sasl_conn = NULL;
 293 #endif
 294         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
 295 #endif
 296
 297         return result;
 298 }
 299
 300 void
 301 slap_passwd_generate( struct berval *pass )
 302 {
 303         struct berval *tmp;
 304 #ifdef NEW_LOGGING
 305         LDAP_LOG( OPERATION, ENTRY, "slap_passwd_generate: begin\n", 0, 0, 0 );
 306 #else
 307         Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
 308 #endif
 309         /*
 310          * generate passwords of only 8 characters as some getpass(3)
 311          * implementations truncate at 8 characters.
 312          */
 313         tmp = lutil_passwd_generate( 8 );
 314         if (tmp) {
 315                 *pass = *tmp;
 316                 free(tmp);
 317         } else {
 318                 pass->bv_val = NULL;
 319                 pass->bv_len = 0;
 320         }
 321 }
 322
 323 void
 324 slap_passwd_hash(
 325         struct berval * cred,
 326         struct berval * new )
 327 {
 328         struct berval *tmp;
 329 #ifdef LUTIL_SHA1_BYTES
 330         char* hash = default_passwd_hash ?  default_passwd_hash : "{SSHA}";
 331 #else
 332         char* hash = default_passwd_hash ?  default_passwd_hash : "{SMD5}";
 333 #endif
 334
 335
 336 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 337         ldap_pvt_thread_mutex_lock( &passwd_mutex );
 338 #endif
 339
 340         tmp = lutil_passwd_hash( cred , hash );
 341
 342 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 343         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
 344 #endif
 345
 346         if( tmp == NULL ) {
 347                 new->bv_len = 0;
 348                 new->bv_val = NULL;
 349         }
 350
 351         *new = *tmp;
 352         free( tmp );
 353         return;
 354 }