* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
+/*
+ * Support for table-driven configuration added by Pierangelo Masarati.
+ * Support for sambaPwdMustChange and sambaPwdCanChange added by Marco D'Ettorre.
+ *
+ * The conditions of the OpenLDAP Public License apply.
+ */
#include <portable.h>
static AttributeDescription *ad_sambaNTPassword;
static AttributeDescription *ad_sambaPwdLastSet;
static AttributeDescription *ad_sambaPwdMustChange;
+static AttributeDescription *ad_sambaPwdCanChange;
static ObjectClass *oc_sambaSamAccount;
#endif
#ifdef DO_SAMBA
/* How many seconds before forcing a password change? */
time_t smb_must_change;
+ /* How many seconds after allowing a password change? */
+ time_t smb_can_change;
#endif
} smbk5pwd_t;
/* clear out the current key */
ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup,
- NULL, NULL );
+ NULL, 0, NULL, NULL );
/* free the callback */
cb = op->o_callback;
*/
if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE ) {
slap_callback *cb;
- ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup, op,
- NULL );
+ ldap_pvt_thread_pool_setkey( op->o_threadctx,
+ smbk5pwd_op_cleanup, op, 0, NULL, NULL );
cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
cb->sc_cleanup = smbk5pwd_op_cleanup;
cb->sc_next = op->o_callback;
const struct berval *cred,
const char **text )
{
- void *ctx;
+ void *ctx, *op_tmp;
Operation *op;
int rc;
Entry *e;
/* Find our thread context, find our Operation */
ctx = ldap_pvt_thread_pool_context();
- if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, (void **)&op, NULL ) ||
- !op )
+ if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, &op_tmp, NULL )
+ || !op_tmp )
return LUTIL_PASSWD_ERR;
+ op = op_tmp;
rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
if ( rc != LDAP_SUCCESS ) return LUTIL_PASSWD_ERR;
if ( ret ) break;
a = attr_find( e->e_attrs, ad_krb5KeyVersionNumber );
+ kvno = 0;
if ( a ) {
- kvno = atoi(a->a_vals[0].bv_val);
+ if ( lutil_atoi( &kvno, a->a_vals[0].bv_val ) != 0 ) {
+ Debug( LDAP_DEBUG_ANY, "%s smbk5pwd EXOP: "
+ "dn=\"%s\" unable to parse krb5KeyVersionNumber=\"%s\"\n",
+ op->o_log_prefix, e->e_name.bv_val, a->a_vals[0].bv_val );
+ }
+
} else {
/* shouldn't happen, this is a required attr */
- kvno = 0;
+ Debug( LDAP_DEBUG_ANY, "%s smbk5pwd EXOP: "
+ "dn=\"%s\" missing krb5KeyVersionNumber\n",
+ op->o_log_prefix, e->e_name.bv_val, 0 );
}
ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val);
#ifdef SLAP_MOD_INTERNAL
ml->sml_flags = SLAP_MOD_INTERNAL;
#endif
+ ml->sml_numvals = i;
ml->sml_values = keys;
ml->sml_nvalues = NULL;
#ifdef SLAP_MOD_INTERNAL
ml->sml_flags = SLAP_MOD_INTERNAL;
#endif
+ ml->sml_numvals = 1;
ml->sml_values = ch_malloc( 2 * sizeof(struct berval));
ml->sml_values[0].bv_val = ch_malloc( 64 );
ml->sml_values[0].bv_len = sprintf(ml->sml_values[0].bv_val,
#ifdef SLAP_MOD_INTERNAL
ml->sml_flags = SLAP_MOD_INTERNAL;
#endif
+ ml->sml_numvals = 1;
ml->sml_values = keys;
ml->sml_nvalues = NULL;
#ifdef SLAP_MOD_INTERNAL
ml->sml_flags = SLAP_MOD_INTERNAL;
#endif
+ ml->sml_numvals = 1;
ml->sml_values = keys;
ml->sml_nvalues = NULL;
qpw->rs_mods = ml;
keys = ch_malloc( 2 * sizeof(struct berval) );
- keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 );
+ keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
keys[0].bv_len = snprintf(keys[0].bv_val,
- STRLENOF( "9223372036854775807L" ) + 1,
+ LDAP_PVT_INTTYPE_CHARS(long),
"%ld", slap_get_time());
BER_BVZERO( &keys[1] );
#ifdef SLAP_MOD_INTERNAL
ml->sml_flags = SLAP_MOD_INTERNAL;
#endif
+ ml->sml_numvals = 1;
ml->sml_values = keys;
ml->sml_nvalues = NULL;
qpw->rs_mods = ml;
keys = ch_malloc( 2 * sizeof(struct berval) );
- keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 );
+ keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
keys[0].bv_len = snprintf(keys[0].bv_val,
- STRLENOF( "9223372036854775807L" ) + 1,
+ LDAP_PVT_INTTYPE_CHARS(long),
"%ld", slap_get_time() + pi->smb_must_change);
BER_BVZERO( &keys[1] );
#ifdef SLAP_MOD_INTERNAL
ml->sml_flags = SLAP_MOD_INTERNAL;
#endif
+ ml->sml_numvals = 1;
+ ml->sml_values = keys;
+ ml->sml_nvalues = NULL;
+ }
+
+ if (pi->smb_can_change)
+ {
+ ml = ch_malloc(sizeof(Modifications));
+ ml->sml_next = qpw->rs_mods;
+ qpw->rs_mods = ml;
+
+ keys = ch_malloc( 2 * sizeof(struct berval) );
+ keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
+ keys[0].bv_len = snprintf(keys[0].bv_val,
+ LDAP_PVT_INTTYPE_CHARS(long),
+ "%ld", slap_get_time() + pi->smb_can_change);
+ BER_BVZERO( &keys[1] );
+
+ ml->sml_desc = ad_sambaPwdCanChange;
+ ml->sml_op = LDAP_MOD_REPLACE;
+#ifdef SLAP_MOD_INTERNAL
+ ml->sml_flags = SLAP_MOD_INTERNAL;
+#endif
+ ml->sml_numvals = 1;
ml->sml_values = keys;
ml->sml_nvalues = NULL;
}
/* back-config stuff */
enum {
PC_SMB_MUST_CHANGE = 1,
+ PC_SMB_CAN_CHANGE,
PC_SMB_ENABLE
};
static ConfigDriver smbk5pwd_cf_func;
/*
- * NOTE: uses OID arcs OLcfgOvAt:6 and OLcfgOvOc:6
+ * NOTE: uses OID arcs OLcfgCtAt:1 and OLcfgCtOc:1
*/
static ConfigTable smbk5pwd_cfats[] = {
{ "smbk5pwd-enable", "arg",
2, 0, 0, ARG_MAGIC|PC_SMB_ENABLE, smbk5pwd_cf_func,
- "( OLcfgOvAt:6.1 NAME 'olcSmbK5PwdEnable' "
+ "( OLcfgCtAt:1.1 NAME 'olcSmbK5PwdEnable' "
"DESC 'Modules to be enabled' "
"SYNTAX OMsDirectoryString )", NULL, NULL },
{ "smbk5pwd-must-change", "time",
2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_MUST_CHANGE, smbk5pwd_cf_func,
- "( OLcfgOvAt:6.2 NAME 'olcSmbK5PwdMustChange' "
+ "( OLcfgCtAt:1.2 NAME 'olcSmbK5PwdMustChange' "
"DESC 'Credentials validity interval' "
"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
+ { "smbk5pwd-can-change", "time",
+ 2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_CAN_CHANGE, smbk5pwd_cf_func,
+ "( OLcfgCtAt:1.3 NAME 'olcSmbK5PwdCanChange' "
+ "DESC 'Credentials minimum validity interval' "
+ "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
};
static ConfigOCs smbk5pwd_cfocs[] = {
- { "( OLcfgOvOc:6.1 "
+ { "( OLcfgCtOc:1.1 "
"NAME 'olcSmbK5PwdConfig' "
"DESC 'smbk5pwd overlay configuration' "
"SUP olcOverlayConfig "
"MAY ( "
"olcSmbK5PwdEnable "
"$ olcSmbK5PwdMustChange "
+ "$ olcSmbK5PwdCanChange "
") )", Cft_Overlay, smbk5pwd_cfats },
{ NULL, 0, NULL }
#endif /* ! DO_SAMBA */
break;
+ case PC_SMB_CAN_CHANGE:
+#ifdef DO_SAMBA
+ c->value_int = pi->smb_can_change;
+#else /* ! DO_SAMBA */
+ c->value_int = 0;
+#endif /* ! DO_SAMBA */
+ break;
+
case PC_SMB_ENABLE:
c->rvalue_vals = NULL;
if ( pi->mode ) {
case PC_SMB_MUST_CHANGE:
break;
+ case PC_SMB_CAN_CHANGE:
+ break;
+
case PC_SMB_ENABLE:
if ( !c->line ) {
pi->mode = 0;
switch( c->type ) {
case PC_SMB_MUST_CHANGE:
#ifdef DO_SAMBA
+ if ( c->value_int < 0 ) {
+ Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
+ "<%s> invalid negative value \"%d\".",
+ c->log, c->argv[ 0 ], 0 );
+ return 1;
+ }
pi->smb_must_change = c->value_int;
#else /* ! DO_SAMBA */
Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
#endif /* ! DO_SAMBA */
break;
+ case PC_SMB_CAN_CHANGE:
+#ifdef DO_SAMBA
+ if ( c->value_int < 0 ) {
+ Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
+ "<%s> invalid negative value \"%d\".",
+ c->log, c->argv[ 0 ], 0 );
+ return 1;
+ }
+ pi->smb_can_change = c->value_int;
+#else /* ! DO_SAMBA */
+ Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
+ "<%s> only meaningful "
+ "when compiled with -DDO_SAMBA.\n",
+ c->log, c->argv[ 0 ], 0 );
+ return 1;
+#endif /* ! DO_SAMBA */
+ break;
+
case PC_SMB_ENABLE: {
- slap_mask_t m;
+ slap_mask_t mode = pi->mode, m;
rc = verbs_to_mask( c->argc, c->argv, smbk5pwd_modules, &m );
- if ( rc ) {
+ if ( rc > 0 ) {
Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
"<%s> unknown module \"%s\".\n",
c->log, c->argv[ 0 ], c->argv[ rc ] );
return 1;
}
+
+ /* we can hijack the smbk5pwd_t structure because
+ * from within the configuration, this is the only
+ * active thread. */
pi->mode |= m;
#ifndef DO_KRB5
if ( SMBK5PWD_DO_KRB5( pi ) ) {
Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
"<%s> module \"%s\" only allowed when compiled with -DDO_KRB5.\n",
- c->log, c->argv[ 0 ], c->argv[ i ] );
+ c->log, c->argv[ 0 ], c->argv[ rc ] );
+ pi->mode = mode;
return 1;
}
#endif /* ! DO_KRB5 */
if ( SMBK5PWD_DO_SAMBA( pi ) ) {
Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
"<%s> module \"%s\" only allowed when compiled with -DDO_SAMBA.\n",
- c->log, c->argv[ 0 ], c->argv[ i ] );
+ c->log, c->argv[ 0 ], c->argv[ rc ] );
+ pi->mode = mode;
return 1;
}
#endif /* ! DO_SAMBA */
{
BackendDB db = *c->be;
+ /* Re-initialize the module, because
+ * the configuration might have changed */
db.bd_info = (BackendInfo *)on;
rc = smbk5pwd_modules_init( pi );
if ( rc ) {
+ pi->mode = mode;
return 1;
}
}
static int
smbk5pwd_modules_init( smbk5pwd_t *pi )
{
- int rc;
- const char *text;
+ static struct {
+ const char *name;
+ AttributeDescription **adp;
+ }
+#ifdef DO_KRB5
+ krb5_ad[] = {
+ { "krb5Key", &ad_krb5Key },
+ { "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber },
+ { "krb5PrincipalName", &ad_krb5PrincipalName },
+ { NULL }
+ },
+#endif /* DO_KRB5 */
+#ifdef DO_SAMBA
+ samba_ad[] = {
+ { "sambaLMPassword", &ad_sambaLMPassword },
+ { "sambaNTPassword", &ad_sambaNTPassword },
+ { "sambaPwdLastSet", &ad_sambaPwdLastSet },
+ { "sambaPwdMustChange", &ad_sambaPwdMustChange },
+ { "sambaPwdCanChange", &ad_sambaPwdCanChange },
+ { NULL }
+ },
+#endif /* DO_SAMBA */
+ dummy_ad;
+
+ /* this is to silence the unused var warning */
+ dummy_ad.name = NULL;
#ifdef DO_KRB5
if ( SMBK5PWD_DO_KRB5( pi ) && oc_krb5KDCEntry == NULL ) {
krb5_error_code ret;
extern HDB *_kadm5_s_get_db(void *);
+ int i, rc;
+
/* Make sure all of our necessary schema items are loaded */
- oc_krb5KDCEntry = oc_find("krb5KDCEntry");
+ oc_krb5KDCEntry = oc_find( "krb5KDCEntry" );
if ( !oc_krb5KDCEntry ) {
Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
"unable to find \"krb5KDCEntry\" objectClass.\n",
0, 0, 0 );
- rc = -1;
- goto cleanup_krb5;
+ return -1;
}
- rc = slap_str2ad( "krb5Key", &ad_krb5Key, &text );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
- "unable to find \"krb5Key\" attributeType: %s (%d).\n",
- text, rc, 0 );
- goto cleanup_krb5;
- }
+ for ( i = 0; krb5_ad[ i ].name != NULL; i++ ) {
+ const char *text;
- rc = slap_str2ad( "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber, &text );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
- "unable to find \"krb5KeyVersionNumber\" attributeType: %s (%d).\n",
- text, rc, 0 );
- goto cleanup_krb5;
- }
+ *(krb5_ad[ i ].adp) = NULL;
- rc = slap_str2ad( "krb5PrincipalName", &ad_krb5PrincipalName, &text );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
- "unable to find \"krb5PrincipalName\" attributeType: %s (%d).\n",
- text, rc, 0 );
- goto cleanup_krb5;
+ rc = slap_str2ad( krb5_ad[ i ].name, krb5_ad[ i ].adp, &text );
+ if ( rc != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
+ "unable to find \"%s\" attributeType: %s (%d).\n",
+ krb5_ad[ i ].name, text, rc );
+ oc_krb5KDCEntry = NULL;
+ return rc;
+ }
}
/* Initialize Kerberos context */
ret = krb5_init_context(&context);
if (ret) {
Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
- "unable to initialize krb5 context.\n",
- 0, 0, 0 );
- rc = -1;
- goto cleanup_krb5;
+ "unable to initialize krb5 context (%d).\n",
+ ret, 0, 0 );
+ oc_krb5KDCEntry = NULL;
+ return -1;
}
ret = kadm5_s_init_with_password_ctx( context,
NULL,
KADM5_ADMIN_SERVICE,
&conf, 0, 0, &kadm_context );
-
- db = _kadm5_s_get_db(kadm_context);
-
- if ( 0 ) {
-cleanup_krb5:;
+ if (ret) {
+ char *err_str, *err_msg = "<unknown error>";
+ err_str = krb5_get_error_string( context );
+ if (!err_str)
+ err_msg = krb5_get_err_text( context, ret );
+ Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
+ "unable to initialize krb5 admin context: %s (%d).\n",
+ err_str ? err_str : err_msg, ret, 0 );
+ if (err_str)
+ krb5_free_error_string( context, err_str );
+ krb5_free_context( context );
oc_krb5KDCEntry = NULL;
-
- return rc;
+ return -1;
}
+
+ db = _kadm5_s_get_db( kadm_context );
}
#endif /* DO_KRB5 */
#ifdef DO_SAMBA
if ( SMBK5PWD_DO_SAMBA( pi ) && oc_sambaSamAccount == NULL ) {
+ int i, rc;
+
oc_sambaSamAccount = oc_find( "sambaSamAccount" );
if ( !oc_sambaSamAccount ) {
Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
"unable to find \"sambaSamAccount\" objectClass.\n",
0, 0, 0 );
- rc = -1;
- goto cleanup_samba;
+ return -1;
}
- rc = slap_str2ad( "sambaLMPassword", &ad_sambaLMPassword, &text );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
- "unable to find \"sambaLMPassword\" attributeType: %s (%d).\n",
- text, rc, 0 );
- goto cleanup_samba;
- }
-
- rc = slap_str2ad( "sambaNTPassword", &ad_sambaNTPassword, &text );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
- "unable to find \"sambaLMPassword\" attributeType: %s (%d).\n",
- text, rc, 0 );
- goto cleanup_samba;
- }
+ for ( i = 0; samba_ad[ i ].name != NULL; i++ ) {
+ const char *text;
- rc = slap_str2ad( "sambaPwdLastSet", &ad_sambaPwdLastSet, &text );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
- "unable to find \"sambaLMPassword\" attributeType: %s (%d).\n",
- text, rc, 0 );
- goto cleanup_samba;
- }
+ *(samba_ad[ i ].adp) = NULL;
- if ( 0 ) {
-cleanup_samba:;
- oc_sambaSamAccount = NULL;
-
- return rc;
+ rc = slap_str2ad( samba_ad[ i ].name, samba_ad[ i ].adp, &text );
+ if ( rc != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
+ "unable to find \"%s\" attributeType: %s (%d).\n",
+ samba_ad[ i ].name, text, rc );
+ oc_sambaSamAccount = NULL;
+ return rc;
+ }
}
}
#endif /* DO_SAMBA */
}
static int
-smbk5pwd_db_init(BackendDB *be)
+smbk5pwd_db_init(BackendDB *be, ConfigReply *cr)
{
slap_overinst *on = (slap_overinst *)be->bd_info;
- smbk5pwd_t *pi;
+ smbk5pwd_t *pi;
pi = ch_calloc( 1, sizeof( smbk5pwd_t ) );
if ( pi == NULL ) {
}
static int
-smbk5pwd_db_open(BackendDB *be)
+smbk5pwd_db_open(BackendDB *be, ConfigReply *cr)
{
slap_overinst *on = (slap_overinst *)be->bd_info;
smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private;
}
static int
-smbk5pwd_db_destroy(BackendDB *be)
+smbk5pwd_db_destroy(BackendDB *be, ConfigReply *cr)
{
slap_overinst *on = (slap_overinst *)be->bd_info;
smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private;