git.sur5r.net Git - openldap/blob - servers/slapd/passwd.c

   1 /* passwd.c - password extended operation routines */
   2 /* $OpenLDAP$ */
   3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   4  *
   5  * Copyright 1998-2005 The OpenLDAP Foundation.
   6  * All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted only as authorized by the OpenLDAP
  10  * Public License.
  11  *
  12  * A copy of this license is available in the file LICENSE in the
  13  * top-level directory of the distribution or, alternatively, at
  14  * <http://www.OpenLDAP.org/license.html>.
  15  */
  16
  17 #include "portable.h"
  18
  19 #include <stdio.h>
  20
  21 #include <ac/krb.h>
  22 #include <ac/socket.h>
  23 #include <ac/string.h>
  24 #include <ac/unistd.h>
  25
  26 #ifdef SLAPD_CRYPT
  27 #include <ac/crypt.h>
  28 #endif
  29
  30 #include "slap.h"
  31
  32 #include <lber_pvt.h>
  33 #include <lutil.h>
  34 #include <lutil_sha1.h>
  35
  36 static const char *defhash[] = {
  37 #ifdef LUTIL_SHA1_BYTES
  38         "{SSHA}",
  39 #else
  40         "{SMD5}",
  41 #endif
  42         NULL
  43 };
  44
  45 int passwd_extop(
  46         Operation *op,
  47         SlapReply *rs )
  48 {
  49         struct berval id = {0, NULL}, hash, *rsp = NULL;
  50         req_pwdexop_s *qpw = &op->oq_pwdexop;
  51         req_extended_s qext = op->oq_extended;
  52         Modifications *ml;
  53         slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
  54         slap_callback cb2 = { NULL, slap_replog_cb, NULL, NULL };
  55         int i, nhash;
  56         char **hashes;
  57         int     rc;
  58         BackendDB *op_be;
  59
  60         cb2.sc_next = &cb;
  61
  62         assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 );
  63
  64         if( op->o_dn.bv_len == 0 ) {
  65                 Statslog( LDAP_DEBUG_STATS, "%s PASSMOD\n",
  66                         op->o_log_prefix, 0, 0, 0, 0 );
  67                 rs->sr_text = "only authenticated users may change passwords";
  68                 return LDAP_STRONG_AUTH_REQUIRED;
  69         }
  70
  71         qpw->rs_old.bv_val = NULL;
  72         qpw->rs_new.bv_val = NULL;
  73         qpw->rs_mods = NULL;
  74         qpw->rs_modtail = NULL;
  75
  76         rs->sr_err = slap_passwd_parse( op->ore_reqdata, &id, &qpw->rs_old,
  77                 &qpw->rs_new, &rs->sr_text );
  78
  79         if ( rs->sr_err == LDAP_SUCCESS && !BER_BVISEMPTY( &id ) ) {
  80                 Statslog( LDAP_DEBUG_STATS, "%s PASSMOD id=\"%s\"%s%s\n",
  81                         op->o_log_prefix, id.bv_val,
  82                         qpw->rs_old.bv_val ? " old" : "",
  83                         qpw->rs_new.bv_val ? " new" : "", 0 );
  84         } else {
  85                 Statslog( LDAP_DEBUG_STATS, "%s PASSMOD\n",
  86                         op->o_log_prefix, 0, 0, 0, 0 );
  87         }
  88
  89         if ( rs->sr_err != LDAP_SUCCESS ) {
  90                 return rs->sr_err;
  91         }
  92
  93         if ( !BER_BVISEMPTY( &id ) ) {
  94                 rs->sr_err = dnPrettyNormal( NULL, &id, &op->o_req_dn,
  95                                 &op->o_req_ndn, op->o_tmpmemctx );
  96                 if ( rs->sr_err != LDAP_SUCCESS ) {
  97                         rs->sr_text = "Invalid DN";
  98                         rc = rs->sr_err;
  99                         goto error_return;
 100                 }
 101                 op->o_bd = select_backend( &op->o_req_ndn, 0, 1 );
 102
 103         } else {
 104                 ber_dupbv_x( &op->o_req_dn, &op->o_dn, op->o_tmpmemctx );
 105                 ber_dupbv_x( &op->o_req_ndn, &op->o_ndn, op->o_tmpmemctx );
 106                 ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
 107                 op->o_bd = op->o_conn->c_authz_backend;
 108                 ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
 109         }
 110
 111         if( op->o_bd == NULL ) {
 112 #ifdef HAVE_CYRUS_SASL
 113                 rc = slap_sasl_setpass( op, rs );
 114 #else
 115                 rs->sr_text = "no authz backend";
 116                 rc = LDAP_OTHER;
 117 #endif
 118                 goto error_return;
 119         }
 120
 121         if ( op->o_req_ndn.bv_len == 0 ) {
 122                 rs->sr_text = "no password is associated with the Root DSE";
 123                 rc = LDAP_UNWILLING_TO_PERFORM;
 124                 goto error_return;
 125         }
 126
 127         /* If we've got a glued backend, check the real backend */
 128         op_be = op->o_bd;
 129         if ( SLAP_GLUE_INSTANCE( op->o_bd )) {
 130                 op->o_bd = select_backend( &op->o_req_ndn, 0, 0 );
 131         }
 132
 133         if (backend_check_restrictions( op, rs,
 134                         (struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) {
 135                 rc = rs->sr_err;
 136                 goto error_return;
 137         }
 138
 139         /* check for referrals */
 140         if ( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) {
 141                 rc = rs->sr_err;
 142                 goto error_return;
 143         }
 144
 145 #ifndef SLAPD_MULTIMASTER
 146         /* This does not apply to multi-master case */
 147         if(!( !SLAP_SHADOW( op->o_bd ) || be_isupdate( op ))) {
 148                 /* we SHOULD return a referral in this case */
 149                 BerVarray defref = op->o_bd->be_update_refs
 150                         ? op->o_bd->be_update_refs : default_referral;
 151
 152                 if( defref != NULL ) {
 153                         rs->sr_ref = referral_rewrite( op->o_bd->be_update_refs,
 154                                 NULL, NULL, LDAP_SCOPE_DEFAULT );
 155                         if(rs->sr_ref) {
 156                                 rs->sr_flags |= REP_REF_MUSTBEFREED;
 157                         } else {
 158                                 rs->sr_ref = defref;
 159                         }
 160                         rc = LDAP_REFERRAL;
 161                         goto error_return;
 162
 163                 }
 164
 165                 rs->sr_text = "shadow context; no update referral";
 166                 rc = LDAP_UNWILLING_TO_PERFORM;
 167                 goto error_return;
 168         }
 169 #endif /* !SLAPD_MULTIMASTER */
 170
 171         /* generate a new password if none was provided */
 172         if ( qpw->rs_new.bv_len == 0 ) {
 173                 slap_passwd_generate( &qpw->rs_new );
 174                 if ( qpw->rs_new.bv_len ) {
 175                         rsp = slap_passwd_return( &qpw->rs_new );
 176                 }
 177         }
 178         if ( qpw->rs_new.bv_len == 0 ) {
 179                 rs->sr_text = "password generation failed";
 180                 rc = LDAP_OTHER;
 181                 goto error_return;
 182         }
 183
 184         op->o_bd = op_be;
 185
 186         /* Give the backend a chance to handle this itself */
 187         if ( op->o_bd->be_extended ) {
 188                 rs->sr_err = op->o_bd->be_extended( op, rs );
 189                 if ( rs->sr_err != LDAP_UNWILLING_TO_PERFORM &&
 190                         rs->sr_err != SLAP_CB_CONTINUE ) {
 191                         rc = rs->sr_err;
 192                         goto error_return;
 193                 }
 194         }
 195
 196         /* The backend didn't handle it, so try it here */
 197         if( op->o_bd && !op->o_bd->be_modify ) {
 198                 rs->sr_text = "operation not supported for current user";
 199                 rc = LDAP_UNWILLING_TO_PERFORM;
 200                 goto error_return;
 201         }
 202
 203         ml = ch_malloc( sizeof(Modifications) );
 204         if ( !qpw->rs_modtail ) qpw->rs_modtail = &ml->sml_next;
 205
 206         if ( default_passwd_hash ) {
 207                 for ( nhash = 0; default_passwd_hash[nhash]; nhash++ );
 208                 hashes = default_passwd_hash;
 209         } else {
 210                 nhash = 1;
 211                 hashes = (char **)defhash;
 212         }
 213         ml->sml_values = ch_malloc( (nhash+1)*sizeof(struct berval) );
 214         for ( i=0; hashes[i]; i++ ) {
 215                 slap_passwd_hash_type( &qpw->rs_new, &hash, hashes[i], &rs->sr_text );
 216                 if ( hash.bv_len == 0 ) {
 217                         if ( !rs->sr_text ) {
 218                                 rs->sr_text = "password hash failed";
 219                         }
 220                         break;
 221                 }
 222                 ml->sml_values[i] = hash;
 223         }
 224         ml->sml_values[i].bv_val = NULL;
 225         ml->sml_nvalues = NULL;
 226         ml->sml_desc = slap_schema.si_ad_userPassword;
 227         ml->sml_op = LDAP_MOD_REPLACE;
 228         ml->sml_flags = 0;
 229         ml->sml_next = qpw->rs_mods;
 230         qpw->rs_mods = ml;
 231
 232         if ( hashes[i] ) {
 233                 rs->sr_err = LDAP_OTHER;
 234
 235         } else {
 236                 slap_callback *sc = op->o_callback;
 237
 238                 op->o_tag = LDAP_REQ_MODIFY;
 239                 op->o_callback = &cb2;
 240                 op->orm_modlist = qpw->rs_mods;
 241                 cb2.sc_private = qpw;   /* let Modify know this was pwdMod,
 242                                          * if it cares... */
 243
 244                 rs->sr_err = slap_mods_opattrs( op, ml, qpw->rs_modtail, &rs->sr_text,
 245                         NULL, 0, 1 );
 246
 247                 if ( rs->sr_err == LDAP_SUCCESS ) {
 248                         rs->sr_err = op->o_bd->be_modify( op, rs );
 249                 }
 250                 if ( rs->sr_err == LDAP_SUCCESS ) {
 251                         rs->sr_rspdata = rsp;
 252                 } else if ( rsp ) {
 253                         ber_bvfree( rsp );
 254                 }
 255                 op->o_tag = LDAP_REQ_EXTENDED;
 256                 op->o_callback = sc;
 257         }
 258         slap_mods_free( qpw->rs_mods, 1 );
 259         if ( rsp ) {
 260                 free( qpw->rs_new.bv_val );
 261         }
 262
 263         rc = rs->sr_err;
 264         op->oq_extended = qext;
 265
 266 error_return:;
 267         if ( !BER_BVISNULL( &op->o_req_dn ) ) {
 268                 op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
 269         }
 270         if ( !BER_BVISNULL( &op->o_req_ndn ) ) {
 271                 op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
 272         }
 273
 274         return rc;
 275 }
 276
 277 int slap_passwd_parse( struct berval *reqdata,
 278         struct berval *id,
 279         struct berval *oldpass,
 280         struct berval *newpass,
 281         const char **text )
 282 {
 283         int rc = LDAP_SUCCESS;
 284         ber_tag_t tag;
 285         ber_len_t len = -1;
 286         BerElementBuffer berbuf;
 287         BerElement *ber = (BerElement *)&berbuf;
 288
 289         if( reqdata == NULL ) {
 290                 return LDAP_SUCCESS;
 291         }
 292
 293         if( reqdata->bv_len == 0 ) {
 294                 *text = "empty request data field";
 295                 return LDAP_PROTOCOL_ERROR;
 296         }
 297
 298         /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
 299         ber_init2( ber, reqdata, 0 );
 300
 301         tag = ber_scanf( ber, "{" /*}*/ );
 302
 303         if( tag == LBER_ERROR ) {
 304                 Debug( LDAP_DEBUG_TRACE,
 305                         "slap_passwd_parse: decoding error\n", 0, 0, 0 );
 306                 rc = LDAP_PROTOCOL_ERROR;
 307                 goto done;
 308         }
 309
 310         tag = ber_peek_tag( ber, &len );
 311         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
 312                 if( id == NULL ) {
 313                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
 314                                 0, 0, 0 );
 315
 316                         *text = "user must change own password";
 317                         rc = LDAP_UNWILLING_TO_PERFORM;
 318                         goto done;
 319                 }
 320
 321                 tag = ber_scanf( ber, "m", id );
 322
 323                 if( tag == LBER_ERROR ) {
 324                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
 325                                 0, 0, 0 );
 326
 327                         goto decoding_error;
 328                 }
 329
 330                 tag = ber_peek_tag( ber, &len );
 331         }
 332
 333         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) {
 334                 if( oldpass == NULL ) {
 335                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
 336                                 0, 0, 0 );
 337
 338                         *text = "use bind to verify old password";
 339                         rc = LDAP_UNWILLING_TO_PERFORM;
 340                         goto done;
 341                 }
 342
 343                 tag = ber_scanf( ber, "m", oldpass );
 344
 345                 if( tag == LBER_ERROR ) {
 346                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
 347                                 0, 0, 0 );
 348
 349                         goto decoding_error;
 350                 }
 351
 352                 if( oldpass->bv_len == 0 ) {
 353                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD empty.\n",
 354                                 0, 0, 0 );
 355
 356                         *text = "old password value is empty";
 357                         rc = LDAP_UNWILLING_TO_PERFORM;
 358                         goto done;
 359                 }
 360
 361                 tag = ber_peek_tag( ber, &len );
 362         }
 363
 364         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) {
 365                 if( newpass == NULL ) {
 366                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
 367                                 0, 0, 0 );
 368
 369                         *text = "user specified passwords disallowed";
 370                         rc = LDAP_UNWILLING_TO_PERFORM;
 371                         goto done;
 372                 }
 373
 374                 tag = ber_scanf( ber, "m", newpass );
 375
 376                 if( tag == LBER_ERROR ) {
 377                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW parse failed.\n",
 378                                 0, 0, 0 );
 379
 380                         goto decoding_error;
 381                 }
 382
 383                 if( newpass->bv_len == 0 ) {
 384                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW empty.\n",
 385                                 0, 0, 0 );
 386
 387                         *text = "new password value is empty";
 388                         rc = LDAP_UNWILLING_TO_PERFORM;
 389                         goto done;
 390                 }
 391
 392                 tag = ber_peek_tag( ber, &len );
 393         }
 394
 395         if( len != 0 ) {
 396 decoding_error:
 397                 Debug( LDAP_DEBUG_TRACE,
 398                         "slap_passwd_parse: decoding error, len=%ld\n",
 399                         (long) len, 0, 0 );
 400
 401                 *text = "data decoding error";
 402                 rc = LDAP_PROTOCOL_ERROR;
 403         }
 404
 405 done:
 406         return rc;
 407 }
 408
 409 struct berval * slap_passwd_return(
 410         struct berval           *cred )
 411 {
 412         int rc;
 413         struct berval *bv = NULL;
 414         BerElementBuffer berbuf;
 415         /* opaque structure, size unknown but smaller than berbuf */
 416         BerElement *ber = (BerElement *)&berbuf;
 417
 418         assert( cred != NULL );
 419
 420         Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
 421                 (long) cred->bv_len, 0, 0 );
 422
 423         ber_init_w_nullc( ber, LBER_USE_DER );
 424
 425         rc = ber_printf( ber, "{tON}",
 426                 LDAP_TAG_EXOP_MODIFY_PASSWD_GEN, cred );
 427
 428         if( rc >= 0 ) {
 429                 (void) ber_flatten( ber, &bv );
 430         }
 431
 432         ber_free_buf( ber );
 433
 434         return bv;
 435 }
 436
 437 /*
 438  * if "e" is provided, access to each value of the password is checked first
 439  */
 440 int
 441 slap_passwd_check(
 442         Operation       *op,
 443         Entry           *e,
 444         Attribute       *a,
 445         struct berval   *cred,
 446         const char      **text )
 447 {
 448         int                     result = 1;
 449         struct berval           *bv;
 450         AccessControlState      acl_state = ACL_STATE_INIT;
 451
 452 #ifdef SLAPD_SPASSWD
 453         ldap_pvt_thread_pool_setkey( op->o_threadctx, slap_sasl_bind,
 454                 op->o_conn->c_sasl_authctx, NULL );
 455 #endif
 456
 457         for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
 458                 /* if e is provided, check access */
 459                 if ( e && access_allowed( op, e, a->a_desc, bv,
 460                                         ACL_AUTH, &acl_state ) == 0 )
 461                 {
 462                         continue;
 463                 }
 464
 465                 if ( !lutil_passwd( bv, cred, NULL, text ) ) {
 466                         result = 0;
 467                         break;
 468                 }
 469         }
 470
 471 #ifdef SLAPD_SPASSWD
 472         ldap_pvt_thread_pool_setkey( op->o_threadctx, slap_sasl_bind,
 473                 NULL, NULL );
 474 #endif
 475
 476         return result;
 477 }
 478
 479 void
 480 slap_passwd_generate( struct berval *pass )
 481 {
 482         Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
 483         pass->bv_val = NULL;
 484         pass->bv_len = 0;
 485
 486         /*
 487          * generate passwords of only 8 characters as some getpass(3)
 488          * implementations truncate at 8 characters.
 489          */
 490         lutil_passwd_generate( pass, 8 );
 491 }
 492
 493 void
 494 slap_passwd_hash_type(
 495         struct berval * cred,
 496         struct berval * new,
 497         char *hash,
 498         const char **text )
 499 {
 500         new->bv_len = 0;
 501         new->bv_val = NULL;
 502
 503         assert( hash != NULL );
 504
 505         lutil_passwd_hash( cred , hash, new, text );
 506 }
 507 void
 508 slap_passwd_hash(
 509         struct berval * cred,
 510         struct berval * new,
 511         const char **text )
 512 {
 513         char *hash = NULL;
 514         if ( default_passwd_hash ) {
 515                 hash = default_passwd_hash[0];
 516         }
 517         if ( !hash ) {
 518                 hash = (char *)defhash[0];
 519         }
 520
 521         slap_passwd_hash_type( cred, new, hash, text );
 522 }
 523
 524 #ifdef SLAPD_CRYPT
 525 static ldap_pvt_thread_mutex_t passwd_mutex;
 526 static lutil_cryptfunc slapd_crypt;
 527
 528 static int slapd_crypt( const char *key, const char *salt, char **hash )
 529 {
 530         char *cr;
 531         int rc;
 532
 533         ldap_pvt_thread_mutex_lock( &passwd_mutex );
 534
 535         cr = crypt( key, salt );
 536         if ( cr == NULL || cr[0] == '\0' ) {
 537                 /* salt must have been invalid */
 538                 rc = LUTIL_PASSWD_ERR;
 539         } else {
 540                 if ( hash ) {
 541                         *hash = ber_strdup( cr );
 542                         rc = LUTIL_PASSWD_OK;
 543
 544                 } else {
 545                         rc = strcmp( salt, cr ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
 546                 }
 547         }
 548
 549         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
 550         return rc;
 551 }
 552 #endif /* SLAPD_CRYPT */
 553
 554 void slap_passwd_init()
 555 {
 556 #ifdef SLAPD_CRYPT
 557         ldap_pvt_thread_mutex_init( &passwd_mutex );
 558         lutil_cryptptr = slapd_crypt;
 559 #endif
 560 }
 561