]> git.sur5r.net Git - openldap/blob - servers/slapd/passwd.c
projects / openldap / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
ITS#2846 - make veryclean
[openldap] / servers / slapd / passwd.c
1 /* passwd.c - password extended operation routines */
2 /* $OpenLDAP$ */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4  *
5  * Copyright 1998-2003 The OpenLDAP Foundation.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted only as authorized by the OpenLDAP
10  * Public License.
11  *
12  * A copy of this license is available in the file LICENSE in the
13  * top-level directory of the distribution or, alternatively, at
14  * <http://www.OpenLDAP.org/license.html>.
15  */
16
17 #include "portable.h"
18
19 #include <stdio.h>
20
21 #include <ac/krb.h>
22 #include <ac/socket.h>
23 #include <ac/string.h>
24 #include <ac/unistd.h>
25
26 #include "slap.h"
27
28 #include <lber_pvt.h>
29 #include <lutil.h>
30
31 int passwd_extop(
32         Operation *op,
33         SlapReply *rs )
34 {
35         assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 );
36
37         if( op->o_dn.bv_len == 0 ) {
38                 rs->sr_text = "only authenticated users may change passwords";
39                 return LDAP_STRONG_AUTH_REQUIRED;
40         }
41
42         ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
43         op->o_bd = op->o_conn->c_authz_backend;
44         ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
45
46         if( op->o_bd && !op->o_bd->be_extended ) {
47                 rs->sr_text = "operation not supported for current user";
48                 return LDAP_UNWILLING_TO_PERFORM;
49         }
50
51         if (backend_check_restrictions( op, rs,
52                         (struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) {
53                 return rs->sr_err;
54         }
55
56         if( op->o_bd == NULL ) {
57 #ifdef HAVE_CYRUS_SASL
58                 rs->sr_err = slap_sasl_setpass( op, rs );
59 #else
60                 rs->sr_text = "no authz backend";
61                 rs->sr_err = LDAP_OTHER;
62 #endif
63
64 #ifndef SLAPD_MULTIMASTER
65         /* This does not apply to multi-master case */
66         } else if( op->o_bd->be_update_ndn.bv_len ) {
67                 /* we SHOULD return a referral in this case */
68                 BerVarray defref = NULL;
69                 if ( !LDAP_STAILQ_EMPTY( &op->o_bd->be_syncinfo )) {
70                         syncinfo_t *si;
71                         LDAP_STAILQ_FOREACH( si, &op->o_bd->be_syncinfo, si_next ) {
72                                 struct berval tmpbv;
73                                 ber_dupbv( &tmpbv, &si->si_provideruri_bv[0] );
74                                 ber_bvarray_add( &defref, &tmpbv );
75                         }
76                 } else {
77                         defref = referral_rewrite( op->o_bd->be_update_refs,
78                                 NULL, NULL, LDAP_SCOPE_DEFAULT );
79                 }
80                 rs->sr_ref = defref;
81                 rs->sr_err = LDAP_REFERRAL;
82 #endif /* !SLAPD_MULTIMASTER */
83
84         } else {
85                 rs->sr_err = op->o_bd->be_extended( op, rs );
86         }
87
88         return rs->sr_err;
89 }
90
91 int slap_passwd_parse( struct berval *reqdata,
92         struct berval *id,
93         struct berval *oldpass,
94         struct berval *newpass,
95         const char **text )
96 {
97         int rc = LDAP_SUCCESS;
98         ber_tag_t tag;
99         ber_len_t len;
100         BerElementBuffer berbuf;
101         BerElement *ber = (BerElement *)&berbuf;
102
103         if( reqdata == NULL ) {
104                 return LDAP_SUCCESS;
105         }
106
107         if( reqdata->bv_len == 0 ) {
108                 *text = "empty request data field";
109                 return LDAP_PROTOCOL_ERROR;
110         }
111
112         /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
113         ber_init2( ber, reqdata, 0 );
114
115         tag = ber_scanf( ber, "{" /*}*/ );
116
117         if( tag != LBER_ERROR ) {
118                 tag = ber_peek_tag( ber, &len );
119         }
120
121         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
122                 if( id == NULL ) {
123 #ifdef NEW_LOGGING
124                         LDAP_LOG( OPERATION, ERR,
125                            "slap_passwd_parse: ID not allowed.\n", 0, 0, 0 );
126 #else
127                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
128                                 0, 0, 0 );
129 #endif
130
131                         *text = "user must change own password";
132                         rc = LDAP_UNWILLING_TO_PERFORM;
133                         goto done;
134                 }
135
136                 tag = ber_scanf( ber, "m", id );
137
138                 if( tag == LBER_ERROR ) {
139 #ifdef NEW_LOGGING
140                         LDAP_LOG( OPERATION, ERR,
141                            "slap_passwd_parse:  ID parse failed.\n", 0, 0, 0 );
142 #else
143                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
144                                 0, 0, 0 );
145 #endif
146
147                         goto decoding_error;
148                 }
149
150                 tag = ber_peek_tag( ber, &len);
151         }
152
153         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) {
154                 if( oldpass == NULL ) {
155 #ifdef NEW_LOGGING
156                         LDAP_LOG( OPERATION, ERR,
157                            "slap_passwd_parse: OLD not allowed.\n" , 0, 0, 0 );
158 #else
159                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
160                                 0, 0, 0 );
161 #endif
162
163                         *text = "use bind to verify old password";
164                         rc = LDAP_UNWILLING_TO_PERFORM;
165                         goto done;
166                 }
167
168                 tag = ber_scanf( ber, "m", oldpass );
169
170                 if( tag == LBER_ERROR ) {
171 #ifdef NEW_LOGGING
172                         LDAP_LOG( OPERATION, ERR,
173                            "slap_passwd_parse:  ID parse failed.\n" , 0, 0, 0 );
174 #else
175                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
176                                 0, 0, 0 );
177 #endif
178
179                         goto decoding_error;
180                 }
181
182                 tag = ber_peek_tag( ber, &len );
183         }
184
185         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) {
186                 if( newpass == NULL ) {
187 #ifdef NEW_LOGGING
188                         LDAP_LOG( OPERATION, ERR,
189                            "slap_passwd_parse:  NEW not allowed.\n", 0, 0, 0 );
190 #else
191                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
192                                 0, 0, 0 );
193 #endif
194
195                         *text = "user specified passwords disallowed";
196                         rc = LDAP_UNWILLING_TO_PERFORM;
197                         goto done;
198                 }
199
200                 tag = ber_scanf( ber, "m", newpass );
201
202                 if( tag == LBER_ERROR ) {
203 #ifdef NEW_LOGGING
204                         LDAP_LOG( OPERATION, ERR,
205                            "slap_passwd_parse:  OLD parse failed.\n", 0, 0, 0 );
206 #else
207                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
208                                 0, 0, 0 );
209 #endif
210
211                         goto decoding_error;
212                 }
213
214                 tag = ber_peek_tag( ber, &len );
215         }
216
217         if( len != 0 ) {
218 decoding_error:
219 #ifdef NEW_LOGGING
220                 LDAP_LOG( OPERATION, ERR, 
221                         "slap_passwd_parse: decoding error, len=%ld\n", (long)len, 0, 0 );
222 #else
223                 Debug( LDAP_DEBUG_TRACE,
224                         "slap_passwd_parse: decoding error, len=%ld\n",
225                         (long) len, 0, 0 );
226 #endif
227
228                 *text = "data decoding error";
229                 rc = LDAP_PROTOCOL_ERROR;
230         }
231
232 done:
233         return rc;
234 }
235
236 struct berval * slap_passwd_return(
237         struct berval           *cred )
238 {
239         int rc;
240         struct berval *bv = NULL;
241         BerElementBuffer berbuf;
242         /* opaque structure, size unknown but smaller than berbuf */
243         BerElement *ber = (BerElement *)&berbuf;
244
245         assert( cred != NULL );
246
247 #ifdef NEW_LOGGING
248         LDAP_LOG( OPERATION, ENTRY, 
249                 "slap_passwd_return: %ld\n",(long)cred->bv_len, 0, 0 );
250 #else
251         Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
252                 (long) cred->bv_len, 0, 0 );
253 #endif
254         
255         ber_init_w_nullc( ber, LBER_USE_DER );
256
257         rc = ber_printf( ber, "{tON}",
258                 LDAP_TAG_EXOP_MODIFY_PASSWD_GEN, cred );
259
260         if( rc >= 0 ) {
261                 (void) ber_flatten( ber, &bv );
262         }
263
264         ber_free_buf( ber );
265
266         return bv;
267 }
268
269 int
270 slap_passwd_check(
271         Connection *conn,
272         Attribute *a,
273         struct berval *cred,
274         const char **text )
275 {
276         int result = 1;
277         struct berval *bv;
278
279 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
280         ldap_pvt_thread_mutex_lock( &passwd_mutex );
281 #ifdef SLAPD_SPASSWD
282         lutil_passwd_sasl_conn = conn->c_sasl_authctx;
283 #endif
284 #endif
285
286         for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
287                 if( !lutil_passwd( bv, cred, NULL, text ) ) {
288                         result = 0;
289                         break;
290                 }
291         }
292
293 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
294 #ifdef SLAPD_SPASSWD
295         lutil_passwd_sasl_conn = NULL;
296 #endif
297         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
298 #endif
299
300         return result;
301 }
302
303 void
304 slap_passwd_generate( struct berval *pass )
305 {
306         struct berval *tmp;
307 #ifdef NEW_LOGGING
308         LDAP_LOG( OPERATION, ENTRY, "slap_passwd_generate: begin\n", 0, 0, 0 );
309 #else
310         Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
311 #endif
312         /*
313          * generate passwords of only 8 characters as some getpass(3)
314          * implementations truncate at 8 characters.
315          */
316         tmp = lutil_passwd_generate( 8 );
317         if (tmp) {
318                 *pass = *tmp;
319                 free(tmp);
320         } else {
321                 pass->bv_val = NULL;
322                 pass->bv_len = 0;
323         }
324 }
325
326 void
327 slap_passwd_hash(
328         struct berval * cred,
329         struct berval * new,
330         const char **text )
331 {
332         struct berval *tmp;
333 #ifdef LUTIL_SHA1_BYTES
334         char* hash = default_passwd_hash ?  default_passwd_hash : "{SSHA}";
335 #else
336         char* hash = default_passwd_hash ?  default_passwd_hash : "{SMD5}";
337 #endif
338         
339
340 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
341         ldap_pvt_thread_mutex_lock( &passwd_mutex );
342 #endif
343
344         tmp = lutil_passwd_hash( cred , hash, text );
345         
346 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
347         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
348 #endif
349
350         if( tmp == NULL ) {
351                 new->bv_len = 0;
352                 new->bv_val = NULL;
353         }
354
355         *new = *tmp;
356         free( tmp );
357         return;
358 }
Cloned from git://git.openldap.org/openldap.git