git.sur5r.net Git - openldap/blob - servers/slapd/passwd.c

   1 /* bind.c - ldbm backend bind and unbind routines */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11
  12 #include <ac/krb.h>
  13 #include <ac/socket.h>
  14 #include <ac/string.h>
  15 #include <ac/unistd.h>
  16
  17 #include "slap.h"
  18
  19 #include <lutil.h>
  20
  21 static int passwd_main(
  22         SLAP_EXTOP_CALLBACK_FN ext_callback,
  23         Connection *conn, Operation *op, char *oid,
  24         struct berval *reqdata, struct berval **rspdata, char **text )
  25 {
  26         int rc;
  27
  28         assert( oid != NULL );
  29         assert( strcmp( LDAP_EXOP_X_MODIFY_PASSWD, oid ) == 0 );
  30
  31         if( op->o_dn == NULL || op->o_dn[0] == '\0' ) {
  32                 *text = ch_strdup("only authenicated users may change passwords");
  33                 return LDAP_STRONG_AUTH_REQUIRED;
  34         }
  35
  36         if( reqdata == NULL || reqdata->bv_len == 0 ) {
  37                 *text = ch_strdup("request data missing");
  38                 return LDAP_PROTOCOL_ERROR;
  39         }
  40
  41         if( conn->c_authz_backend != NULL &&
  42                 conn->c_authz_backend->be_extended )
  43         {
  44                 rc = conn->c_authz_backend->be_extended(
  45                         conn->c_authz_backend,
  46                         conn, op, oid, reqdata, rspdata, text );
  47
  48         } else {
  49                 *text = ch_strdup("operation not supported for current user");
  50                 rc = LDAP_UNWILLING_TO_PERFORM;
  51         }
  52
  53         return rc;
  54 }
  55
  56 int slap_passwd_parse( struct berval *reqdata,
  57         struct berval **id,
  58         struct berval **old,
  59         struct berval **new,
  60         char **text )
  61 {
  62         int rc = LDAP_SUCCESS;
  63         ber_tag_t tag;
  64         ber_len_t len;
  65         BerElement *ber;
  66
  67         assert( reqdata != NULL );
  68
  69         ber = ber_init( reqdata );
  70
  71         if( ber == NULL ) {
  72                 Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ber_init failed\n",
  73                         0, 0, 0 );
  74                 *text = ch_strdup("password decoding error");
  75                 return LDAP_PROTOCOL_ERROR;
  76         }
  77
  78         tag = ber_scanf(ber, "{" /*}*/);
  79
  80         if( tag == LBER_ERROR ) {
  81                 goto decoding_error;
  82         }
  83
  84         tag = ber_peek_tag( ber, &len );
  85
  86         if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID ) {
  87                 if( id == NULL ) {
  88                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
  89                                 0, 0, 0 );
  90                         *text = "user must change own password";
  91                         rc = LDAP_UNWILLING_TO_PERFORM;
  92                         goto done;
  93                 }
  94
  95                 tag = ber_scanf( ber, "O", id );
  96
  97                 if( tag == LBER_ERROR ) {
  98                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
  99                                 0, 0, 0 );
 100                         goto decoding_error;
 101                 }
 102
 103                 tag = ber_peek_tag( ber, &len);
 104         }
 105
 106         if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_OLD ) {
 107                 if( old == NULL ) {
 108                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
 109                                 0, 0, 0 );
 110                         *text = "use bind to verify old password";
 111                         rc = LDAP_UNWILLING_TO_PERFORM;
 112                         goto done;
 113                 }
 114
 115                 tag = ber_scanf( ber, "O", old );
 116
 117                 if( tag == LBER_ERROR ) {
 118                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
 119                                 0, 0, 0 );
 120                         goto decoding_error;
 121                 }
 122
 123                 tag = ber_peek_tag( ber, &len);
 124         }
 125
 126         if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW ) {
 127                 if( new == NULL ) {
 128                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
 129                                 0, 0, 0 );
 130                         *text = "user specified passwords disallowed";
 131                         rc = LDAP_UNWILLING_TO_PERFORM;
 132                         goto done;
 133                 }
 134
 135                 tag = ber_scanf( ber, "O", new );
 136
 137                 if( tag == LBER_ERROR ) {
 138                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
 139                                 0, 0, 0 );
 140                         goto decoding_error;
 141                 }
 142
 143                 tag = ber_peek_tag( ber, &len );
 144         }
 145
 146         if( len != 0 ) {
 147 decoding_error:
 148                 Debug( LDAP_DEBUG_TRACE,
 149                         "slap_passwd_parse: decoding error, len=%ld\n",
 150                         (long) len, 0, 0 );
 151
 152                 *text = ch_strdup("data decoding error");
 153                 rc = LDAP_PROTOCOL_ERROR;
 154         }
 155
 156 done:
 157         if( rc != LDAP_SUCCESS ) {
 158                 if( id != NULL ) {
 159                         ber_bvfree( *id );
 160                         *id = NULL;
 161                 }
 162
 163                 if( old != NULL ) {
 164                         ber_bvfree( *old );
 165                         *old = NULL;
 166                 }
 167
 168                 if( new != NULL ) {
 169                         ber_bvfree( *new );
 170                         *new = NULL;
 171                 }
 172         }
 173
 174         ber_free( ber, 1 );
 175         return rc;
 176 }
 177
 178 int
 179 slap_passwd_init( void )
 180 {
 181         return load_extop( LDAP_EXOP_X_MODIFY_PASSWD, passwd_main );
 182 }
 183
 184 int
 185 slap_passwd_check(
 186         Attribute *a,
 187         struct berval *cred )
 188 {
 189         int     i;
 190         for ( i = 0; a->a_vals[i] != NULL; i++ ) {
 191                 int result;
 192
 193 #ifdef SLAPD_CRYPT
 194                 ldap_pvt_thread_mutex_lock( &crypt_mutex );
 195 #endif
 196
 197                 result = lutil_passwd( a->a_vals[i], cred, NULL );
 198
 199 #ifdef SLAPD_CRYPT
 200                 ldap_pvt_thread_mutex_unlock( &crypt_mutex );
 201 #endif
 202
 203                 return result;
 204         }
 205
 206         return( 1 );
 207 }
 208
 209 struct berval * slap_passwd_generate(
 210         struct berval * cred )
 211 {
 212         char* hash = default_passwd_hash ? default_passwd_hash : "{SSHA}";
 213
 214         struct berval *new;
 215
 216 #ifdef SLAPD_CRYPT
 217         ldap_pvt_thread_mutex_lock( &crypt_mutex );
 218 #endif
 219
 220         new = lutil_passwd_generate( cred , hash );
 221
 222 #ifdef SLAPD_CRYPT
 223         ldap_pvt_thread_mutex_unlock( &crypt_mutex );
 224 #endif
 225
 226         return new;
 227 }