git.sur5r.net Git - openldap/blob - servers/slapd/passwd.c

   1 /* bind.c - ldbm backend bind and unbind routines */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11
  12 #include <ac/krb.h>
  13 #include <ac/socket.h>
  14 #include <ac/string.h>
  15 #include <ac/unistd.h>
  16
  17 #include "slap.h"
  18
  19 #include <lber_pvt.h>
  20 #include <lutil.h>
  21
  22 int passwd_extop(
  23         Connection *conn, Operation *op,
  24         const char *reqoid,
  25         struct berval *reqdata,
  26         char **rspoid,
  27         struct berval **rspdata,
  28         LDAPControl ***rspctrls,
  29         const char **text,
  30         BerVarray *refs )
  31 {
  32         Backend *be;
  33         int rc;
  34
  35         assert( reqoid != NULL );
  36         assert( strcmp( LDAP_EXOP_MODIFY_PASSWD, reqoid ) == 0 );
  37
  38         if( op->o_dn.bv_len == 0 ) {
  39                 *text = "only authenticated users may change passwords";
  40                 return LDAP_STRONG_AUTH_REQUIRED;
  41         }
  42
  43         ldap_pvt_thread_mutex_lock( &conn->c_mutex );
  44         be = conn->c_authz_backend;
  45         ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
  46
  47         if( be == NULL ) {
  48                 *text = "operation not supported for SASL user";
  49                 return LDAP_UNWILLING_TO_PERFORM;
  50         }
  51
  52         if( !be->be_extended ) {
  53                 *text = "operation not supported for current user";
  54                 return LDAP_UNWILLING_TO_PERFORM;
  55         }
  56
  57         {
  58                 struct berval passwd = BER_BVC( LDAP_EXOP_MODIFY_PASSWD );
  59
  60                 rc = backend_check_restrictions( be, conn, op, &passwd, text );
  61         }
  62
  63         if( rc != LDAP_SUCCESS ) {
  64                 return rc;
  65         }
  66
  67         if( be->be_update_ndn.bv_len ) {
  68                 /* we SHOULD return a referral in this case */
  69                 *refs = referral_rewrite( be->be_update_refs,
  70                         NULL, NULL, LDAP_SCOPE_DEFAULT );
  71                         rc = LDAP_REFERRAL;
  72
  73         } else {
  74                 rc = be->be_extended(
  75                         be, conn, op,
  76                         reqoid, reqdata,
  77                         rspoid, rspdata, rspctrls,
  78                         text, refs );
  79         }
  80
  81         return rc;
  82 }
  83
  84 int slap_passwd_parse( struct berval *reqdata,
  85         struct berval *id,
  86         struct berval *oldpass,
  87         struct berval *newpass,
  88         const char **text )
  89 {
  90         int rc = LDAP_SUCCESS;
  91         ber_tag_t tag;
  92         ber_len_t len;
  93         char berbuf[256];
  94         BerElement *ber = (BerElement *)berbuf;
  95
  96         if( reqdata == NULL ) {
  97                 return LDAP_SUCCESS;
  98         }
  99
 100         if( reqdata->bv_len == 0 ) {
 101                 *text = "empty request data field";
 102                 return LDAP_PROTOCOL_ERROR;
 103         }
 104
 105         /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
 106         ber_init2( ber, reqdata, 0 );
 107
 108         tag = ber_scanf( ber, "{" /*}*/ );
 109
 110         if( tag != LBER_ERROR ) {
 111                 tag = ber_peek_tag( ber, &len );
 112         }
 113
 114         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
 115                 if( id == NULL ) {
 116 #ifdef NEW_LOGGING
 117                         LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
 118                                    "slap_passwd_parse: ID not allowed.\n"));
 119 #else
 120                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
 121                                 0, 0, 0 );
 122 #endif
 123
 124                         *text = "user must change own password";
 125                         rc = LDAP_UNWILLING_TO_PERFORM;
 126                         goto done;
 127                 }
 128
 129                 tag = ber_scanf( ber, "m", id );
 130
 131                 if( tag == LBER_ERROR ) {
 132 #ifdef NEW_LOGGING
 133                         LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
 134                                    "slap_passwd_parse:  ID parse failed.\n"));
 135 #else
 136                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
 137                                 0, 0, 0 );
 138 #endif
 139
 140                         goto decoding_error;
 141                 }
 142
 143                 tag = ber_peek_tag( ber, &len);
 144         }
 145
 146         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) {
 147                 if( oldpass == NULL ) {
 148 #ifdef NEW_LOGGING
 149                         LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
 150                                    "slap_passwd_parse: OLD not allowed.\n" ));
 151 #else
 152                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
 153                                 0, 0, 0 );
 154 #endif
 155
 156                         *text = "use bind to verify old password";
 157                         rc = LDAP_UNWILLING_TO_PERFORM;
 158                         goto done;
 159                 }
 160
 161                 tag = ber_scanf( ber, "m", oldpass );
 162
 163                 if( tag == LBER_ERROR ) {
 164 #ifdef NEW_LOGGING
 165                         LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
 166                                    "slap_passwd_parse:  ID parse failed.\n" ));
 167 #else
 168                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
 169                                 0, 0, 0 );
 170 #endif
 171
 172                         goto decoding_error;
 173                 }
 174
 175                 tag = ber_peek_tag( ber, &len );
 176         }
 177
 178         if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) {
 179                 if( newpass == NULL ) {
 180 #ifdef NEW_LOGGING
 181                         LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
 182                                    "slap_passwd_parse:  NEW not allowed.\n" ));
 183 #else
 184                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
 185                                 0, 0, 0 );
 186 #endif
 187
 188                         *text = "user specified passwords disallowed";
 189                         rc = LDAP_UNWILLING_TO_PERFORM;
 190                         goto done;
 191                 }
 192
 193                 tag = ber_scanf( ber, "m", newpass );
 194
 195                 if( tag == LBER_ERROR ) {
 196 #ifdef NEW_LOGGING
 197                         LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
 198                                    "slap_passwd_parse:  OLD parse failed.\n"));
 199 #else
 200                         Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
 201                                 0, 0, 0 );
 202 #endif
 203
 204                         goto decoding_error;
 205                 }
 206
 207                 tag = ber_peek_tag( ber, &len );
 208         }
 209
 210         if( len != 0 ) {
 211 decoding_error:
 212 #ifdef NEW_LOGGING
 213                 LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
 214                            "slap_passwd_parse: decoding error, len=%ld\n", (long)len ));
 215 #else
 216                 Debug( LDAP_DEBUG_TRACE,
 217                         "slap_passwd_parse: decoding error, len=%ld\n",
 218                         (long) len, 0, 0 );
 219 #endif
 220
 221                 *text = "data decoding error";
 222                 rc = LDAP_PROTOCOL_ERROR;
 223         }
 224
 225 done:
 226         return rc;
 227 }
 228
 229 struct berval * slap_passwd_return(
 230         struct berval           *cred )
 231 {
 232         int rc;
 233         struct berval *bv = NULL;
 234         char berbuf[256];
 235         /* opaque structure, size unknown but smaller than berbuf */
 236         BerElement *ber = (BerElement *)berbuf;
 237
 238         assert( cred != NULL );
 239
 240 #ifdef NEW_LOGGING
 241         LDAP_LOG(( "operation", LDAP_LEVEL_ENTRY,
 242                    "slap_passwd_return: %ld\n",(long)cred->bv_len ));
 243 #else
 244         Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
 245                 (long) cred->bv_len, 0, 0 );
 246 #endif
 247
 248         ber_init_w_nullc( ber, LBER_USE_DER );
 249
 250         rc = ber_printf( ber, "{tON}",
 251                 LDAP_TAG_EXOP_MODIFY_PASSWD_GEN, cred );
 252
 253         if( rc >= 0 ) {
 254                 (void) ber_flatten( ber, &bv );
 255         }
 256
 257         ber_free_buf( ber );
 258
 259         return bv;
 260 }
 261
 262 int
 263 slap_passwd_check(
 264         Connection *conn,
 265         Attribute *a,
 266         struct berval *cred )
 267 {
 268         int result = 1;
 269         struct berval *bv;
 270
 271 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 272         ldap_pvt_thread_mutex_lock( &passwd_mutex );
 273 #ifdef SLAPD_SPASSWD
 274         lutil_passwd_sasl_conn = conn->c_sasl_context;
 275 #endif
 276 #endif
 277
 278         for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
 279                 if( !lutil_passwd( bv, cred, NULL ) ) {
 280                         result = 0;
 281                         break;
 282                 }
 283         }
 284
 285 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 286 #ifdef SLAPD_SPASSWD
 287         lutil_passwd_sasl_conn = NULL;
 288 #endif
 289         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
 290 #endif
 291
 292         return result;
 293 }
 294
 295 void
 296 slap_passwd_generate( struct berval *pass )
 297 {
 298         struct berval *tmp;
 299 #ifdef NEW_LOGGING
 300         LDAP_LOG(( "operation", LDAP_LEVEL_ENTRY,
 301                    "slap_passwd_generate: begin\n" ));
 302 #else
 303         Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
 304 #endif
 305         /*
 306          * generate passwords of only 8 characters as some getpass(3)
 307          * implementations truncate at 8 characters.
 308          */
 309         tmp = lutil_passwd_generate( 8 );
 310         if (tmp) {
 311                 *pass = *tmp;
 312                 free(tmp);
 313         } else {
 314                 pass->bv_val = NULL;
 315                 pass->bv_len = 0;
 316         }
 317 }
 318
 319 void
 320 slap_passwd_hash(
 321         struct berval * cred,
 322         struct berval * new )
 323 {
 324         struct berval *tmp;
 325 #ifdef LUTIL_SHA1_BYTES
 326         char* hash = default_passwd_hash ?  default_passwd_hash : "{SSHA}";
 327 #else
 328         char* hash = default_passwd_hash ?  default_passwd_hash : "{SMD5}";
 329 #endif
 330
 331
 332 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 333         ldap_pvt_thread_mutex_lock( &passwd_mutex );
 334 #endif
 335
 336         tmp = lutil_passwd_hash( cred , hash );
 337
 338 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 339         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
 340 #endif
 341
 342         if( tmp == NULL ) {
 343                 new->bv_len = 0;
 344                 new->bv_val = NULL;
 345         }
 346
 347         *new = *tmp;
 348         free( tmp );
 349         return;
 350 }