git.sur5r.net Git - openldap/blob - servers/slapd/passwd.c

   1 /* bind.c - ldbm backend bind and unbind routines */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11
  12 #include <ac/krb.h>
  13 #include <ac/socket.h>
  14 #include <ac/string.h>
  15 #include <ac/unistd.h>
  16
  17 #include "slap.h"
  18
  19 #include <lber_pvt.h>
  20 #include <lutil.h>
  21
  22 int passwd_extop(
  23         Operation *op,
  24         SlapReply *rs )
  25 {
  26         assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 );
  27
  28         if( op->o_dn.bv_len == 0 ) {
  29                 rs->sr_text = "only authenticated users may change passwords";
  30                 return LDAP_STRONG_AUTH_REQUIRED;
  31         }
  32
  33         ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
  34         op->o_bd = op->o_conn->c_authz_backend;
  35         ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
  36
  37         if( op->o_bd && !op->o_bd->be_extended ) {
  38                 rs->sr_text = "operation not supported for current user";
  39                 return LDAP_UNWILLING_TO_PERFORM;
  40         }
  41
  42         if (backend_check_restrictions( op, rs,
  43                         (struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) {
  44                 return rs->sr_err;
  45         }
  46
  47         if( op->o_bd == NULL ) {
  48 #ifdef HAVE_CYRUS_SASL
  49                 rs->sr_err = slap_sasl_setpass( op, rs );
  50 #else
  51                 rs->sr_text = "no authz backend";
  52                 rs->sr_err = LDAP_OTHER;
  53 #endif
  54
  55 #if defined(LDAP_SYNCREPL) || !defined(SLAPD_MULTIMASTER)
  56         /* This does not apply to multi-master case */
  57         } else if( op->o_bd->be_update_ndn.bv_len ) {
  58                 /* we SHOULD return a referral in this case */
  59                 BerVarray defref = NULL;
  60 #ifdef LDAP_SYNCREPL
  61                 if ( op->o_bd->syncinfo ) {
  62                         defref = op->o_bd->syncinfo->master_bv;
  63                 } else
  64 #endif
  65                 {
  66                         defref = referral_rewrite( op->o_bd->be_update_refs,
  67                                 NULL, NULL, LDAP_SCOPE_DEFAULT );
  68                 }
  69                 rs->sr_ref = defref;
  70                 rs->sr_err = LDAP_REFERRAL;
  71 #endif /* !SLAPD_MULTIMASTER */
  72
  73         } else {
  74                 rs->sr_err = op->o_bd->be_extended( op, rs );
  75         }
  76
  77         return rs->sr_err;
  78 }
  79
  80 int slap_passwd_parse( struct berval *reqdata,
  81         struct berval *id,
  82         struct berval *oldpass,
  83         struct berval *newpass,
  84         const char **text )
  85 {
  86         int rc = LDAP_SUCCESS;
  87         ber_tag_t tag;
  88         ber_len_t len;
  89         char berbuf[LBER_ELEMENT_SIZEOF];
  90         BerElement *ber = (BerElement *)berbuf;
  91
  92         if( reqdata == NULL ) {
  93                 return LDAP_SUCCESS;
  94         }
  95
  96         if( reqdata->bv_len == 0 ) {
  97                 *text = "empty request data field";
  98                 return LDAP_PROTOCOL_ERROR;
  99         }
 100
 101         /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
 102         ber_init2( ber, reqdata, 0 );
 103
 104         tag = ber_scanf( ber, "{" /*}*/ );
 105
 106         if( tag != LBER_ERROR ) {
 107                 tag = ber_peek_tag( ber, &len );
 108         }
 109
 110         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
 111                 if( id == NULL ) {
 112 #ifdef NEW_LOGGING
 113                         LDAP_LOG( OPERATION, ERR,
 114                            "slap_passwd_parse: ID not allowed.\n", 0, 0, 0 );
 115 #else
 116                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
 117                                 0, 0, 0 );
 118 #endif
 119
 120                         *text = "user must change own password";
 121                         rc = LDAP_UNWILLING_TO_PERFORM;
 122                         goto done;
 123                 }
 124
 125                 tag = ber_scanf( ber, "m", id );
 126
 127                 if( tag == LBER_ERROR ) {
 128 #ifdef NEW_LOGGING
 129                         LDAP_LOG( OPERATION, ERR,
 130                            "slap_passwd_parse:  ID parse failed.\n", 0, 0, 0 );
 131 #else
 132                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
 133                                 0, 0, 0 );
 134 #endif
 135
 136                         goto decoding_error;
 137                 }
 138
 139                 tag = ber_peek_tag( ber, &len);
 140         }
 141
 142         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) {
 143                 if( oldpass == NULL ) {
 144 #ifdef NEW_LOGGING
 145                         LDAP_LOG( OPERATION, ERR,
 146                            "slap_passwd_parse: OLD not allowed.\n" , 0, 0, 0 );
 147 #else
 148                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
 149                                 0, 0, 0 );
 150 #endif
 151
 152                         *text = "use bind to verify old password";
 153                         rc = LDAP_UNWILLING_TO_PERFORM;
 154                         goto done;
 155                 }
 156
 157                 tag = ber_scanf( ber, "m", oldpass );
 158
 159                 if( tag == LBER_ERROR ) {
 160 #ifdef NEW_LOGGING
 161                         LDAP_LOG( OPERATION, ERR,
 162                            "slap_passwd_parse:  ID parse failed.\n" , 0, 0, 0 );
 163 #else
 164                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
 165                                 0, 0, 0 );
 166 #endif
 167
 168                         goto decoding_error;
 169                 }
 170
 171                 tag = ber_peek_tag( ber, &len );
 172         }
 173
 174         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) {
 175                 if( newpass == NULL ) {
 176 #ifdef NEW_LOGGING
 177                         LDAP_LOG( OPERATION, ERR,
 178                            "slap_passwd_parse:  NEW not allowed.\n", 0, 0, 0 );
 179 #else
 180                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
 181                                 0, 0, 0 );
 182 #endif
 183
 184                         *text = "user specified passwords disallowed";
 185                         rc = LDAP_UNWILLING_TO_PERFORM;
 186                         goto done;
 187                 }
 188
 189                 tag = ber_scanf( ber, "m", newpass );
 190
 191                 if( tag == LBER_ERROR ) {
 192 #ifdef NEW_LOGGING
 193                         LDAP_LOG( OPERATION, ERR,
 194                            "slap_passwd_parse:  OLD parse failed.\n", 0, 0, 0 );
 195 #else
 196                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
 197                                 0, 0, 0 );
 198 #endif
 199
 200                         goto decoding_error;
 201                 }
 202
 203                 tag = ber_peek_tag( ber, &len );
 204         }
 205
 206         if( len != 0 ) {
 207 decoding_error:
 208 #ifdef NEW_LOGGING
 209                 LDAP_LOG( OPERATION, ERR,
 210                         "slap_passwd_parse: decoding error, len=%ld\n", (long)len, 0, 0 );
 211 #else
 212                 Debug( LDAP_DEBUG_TRACE,
 213                         "slap_passwd_parse: decoding error, len=%ld\n",
 214                         (long) len, 0, 0 );
 215 #endif
 216
 217                 *text = "data decoding error";
 218                 rc = LDAP_PROTOCOL_ERROR;
 219         }
 220
 221 done:
 222         return rc;
 223 }
 224
 225 struct berval * slap_passwd_return(
 226         struct berval           *cred )
 227 {
 228         int rc;
 229         struct berval *bv = NULL;
 230         char berbuf[LBER_ELEMENT_SIZEOF];
 231         /* opaque structure, size unknown but smaller than berbuf */
 232         BerElement *ber = (BerElement *)berbuf;
 233
 234         assert( cred != NULL );
 235
 236 #ifdef NEW_LOGGING
 237         LDAP_LOG( OPERATION, ENTRY,
 238                 "slap_passwd_return: %ld\n",(long)cred->bv_len, 0, 0 );
 239 #else
 240         Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
 241                 (long) cred->bv_len, 0, 0 );
 242 #endif
 243
 244         ber_init_w_nullc( ber, LBER_USE_DER );
 245
 246         rc = ber_printf( ber, "{tON}",
 247                 LDAP_TAG_EXOP_MODIFY_PASSWD_GEN, cred );
 248
 249         if( rc >= 0 ) {
 250                 (void) ber_flatten( ber, &bv );
 251         }
 252
 253         ber_free_buf( ber );
 254
 255         return bv;
 256 }
 257
 258 int
 259 slap_passwd_check(
 260         Connection *conn,
 261         Attribute *a,
 262         struct berval *cred,
 263         const char **text )
 264 {
 265         int result = 1;
 266         struct berval *bv;
 267
 268 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 269         ldap_pvt_thread_mutex_lock( &passwd_mutex );
 270 #ifdef SLAPD_SPASSWD
 271         lutil_passwd_sasl_conn = conn->c_sasl_authctx;
 272 #endif
 273 #endif
 274
 275         for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
 276                 if( !lutil_passwd( bv, cred, NULL, text ) ) {
 277                         result = 0;
 278                         break;
 279                 }
 280         }
 281
 282 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 283 #ifdef SLAPD_SPASSWD
 284         lutil_passwd_sasl_conn = NULL;
 285 #endif
 286         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
 287 #endif
 288
 289         return result;
 290 }
 291
 292 void
 293 slap_passwd_generate( struct berval *pass )
 294 {
 295         struct berval *tmp;
 296 #ifdef NEW_LOGGING
 297         LDAP_LOG( OPERATION, ENTRY, "slap_passwd_generate: begin\n", 0, 0, 0 );
 298 #else
 299         Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
 300 #endif
 301         /*
 302          * generate passwords of only 8 characters as some getpass(3)
 303          * implementations truncate at 8 characters.
 304          */
 305         tmp = lutil_passwd_generate( 8 );
 306         if (tmp) {
 307                 *pass = *tmp;
 308                 free(tmp);
 309         } else {
 310                 pass->bv_val = NULL;
 311                 pass->bv_len = 0;
 312         }
 313 }
 314
 315 void
 316 slap_passwd_hash(
 317         struct berval * cred,
 318         struct berval * new,
 319         const char **text )
 320 {
 321         struct berval *tmp;
 322 #ifdef LUTIL_SHA1_BYTES
 323         char* hash = default_passwd_hash ?  default_passwd_hash : "{SSHA}";
 324 #else
 325         char* hash = default_passwd_hash ?  default_passwd_hash : "{SMD5}";
 326 #endif
 327
 328
 329 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 330         ldap_pvt_thread_mutex_lock( &passwd_mutex );
 331 #endif
 332
 333         tmp = lutil_passwd_hash( cred , hash, text );
 334
 335 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 336         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
 337 #endif
 338
 339         if( tmp == NULL ) {
 340                 new->bv_len = 0;
 341                 new->bv_val = NULL;
 342         }
 343
 344         *new = *tmp;
 345         free( tmp );
 346         return;
 347 }