1 /* bind.c - ldbm backend bind and unbind routines */
4 * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/socket.h>
14 #include <ac/string.h>
15 #include <ac/unistd.h>
22 SLAP_EXTOP_CALLBACK_FN ext_callback,
23 Connection *conn, Operation *op, char *oid,
24 struct berval *reqdata,
25 struct berval **rspdata,
26 LDAPControl ***rspctrls,
31 assert( oid != NULL );
32 assert( strcmp( LDAP_EXOP_X_MODIFY_PASSWD, oid ) == 0 );
34 if( op->o_dn == NULL || op->o_dn[0] == '\0' ) {
35 *text = ch_strdup("only authenicated users may change passwords");
36 return LDAP_STRONG_AUTH_REQUIRED;
39 if( conn->c_authz_backend != NULL &&
40 conn->c_authz_backend->be_extended )
42 rc = conn->c_authz_backend->be_extended(
43 conn->c_authz_backend,
44 conn, op, oid, reqdata, rspdata, rspctrls, text );
47 *text = ch_strdup("operation not supported for current user");
48 rc = LDAP_UNWILLING_TO_PERFORM;
54 int slap_passwd_parse( struct berval *reqdata,
60 int rc = LDAP_SUCCESS;
65 if( reqdata == NULL ) {
69 ber = ber_init( reqdata );
72 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ber_init failed\n",
74 *text = ch_strdup("password decoding error");
75 return LDAP_PROTOCOL_ERROR;
78 tag = ber_scanf( ber, "{" /*}*/ );
80 if( tag != LBER_ERROR ) {
81 tag = ber_peek_tag( ber, &len );
84 if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID ) {
86 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
88 *text = "user must change own password";
89 rc = LDAP_UNWILLING_TO_PERFORM;
93 tag = ber_scanf( ber, "O", id );
95 if( tag == LBER_ERROR ) {
96 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
101 tag = ber_peek_tag( ber, &len);
104 if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_OLD ) {
106 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
108 *text = "use bind to verify old password";
109 rc = LDAP_UNWILLING_TO_PERFORM;
113 tag = ber_scanf( ber, "O", old );
115 if( tag == LBER_ERROR ) {
116 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
121 tag = ber_peek_tag( ber, &len);
124 if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW ) {
126 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
128 *text = "user specified passwords disallowed";
129 rc = LDAP_UNWILLING_TO_PERFORM;
133 tag = ber_scanf( ber, "O", new );
135 if( tag == LBER_ERROR ) {
136 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
141 tag = ber_peek_tag( ber, &len );
146 Debug( LDAP_DEBUG_TRACE,
147 "slap_passwd_parse: decoding error, len=%ld\n",
150 *text = ch_strdup("data decoding error");
151 rc = LDAP_PROTOCOL_ERROR;
155 if( rc != LDAP_SUCCESS ) {
176 struct berval * slap_passwd_return(
177 struct berval *cred )
181 BerElement *ber = ber_alloc_t(LBER_USE_DER);
183 assert( cred != NULL );
185 Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
186 (long) cred->bv_len, 0, 0 );
188 if( ber == NULL ) return NULL;
190 rc = ber_printf( ber, "{tO}",
191 LDAP_TAG_EXOP_X_MODIFY_PASSWD_GEN, cred );
198 (void) ber_flatten( ber, &bv );
208 struct berval *cred )
211 for ( i = 0; a->a_vals[i] != NULL; i++ ) {
215 ldap_pvt_thread_mutex_lock( &crypt_mutex );
218 result = lutil_passwd( a->a_vals[i], cred, NULL );
221 ldap_pvt_thread_mutex_unlock( &crypt_mutex );
230 struct berval * slap_passwd_generate( void )
232 Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
235 * generate passwords of only 8 characters as some getpass(3)
236 * implementations truncate at 8 characters.
238 return lutil_passwd_generate( 8 );
241 struct berval * slap_passwd_hash(
242 struct berval * cred )
244 char* hash = default_passwd_hash ? default_passwd_hash : "{SSHA}";
249 ldap_pvt_thread_mutex_lock( &crypt_mutex );
252 new = lutil_passwd_hash( cred , hash );
255 ldap_pvt_thread_mutex_unlock( &crypt_mutex );