X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;ds=sidebyside;f=contrib%2Fslapd-modules%2Fsmbk5pwd%2Fsmbk5pwd.c;h=38b8b47102d00e19aab9a32bd380602307c47f43;hb=584e0fd0ce2d43432ec00e0713689e804183cb0b;hp=fc881db5522d2e81c318e8d213c7140035e49b73;hpb=8520a8dfd7f644cbca28dc3bb013c12ab93fd7fe;p=openldap diff --git a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c index fc881db552..38b8b47102 100644 --- a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c +++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c @@ -12,6 +12,12 @@ * top-level directory of the distribution or, alternatively, at * . */ +/* + * Support for table-driven configuration added by Pierangelo Masarati. + * Support for sambaPwdMustChange and sambaPwdCanChange added by Marco D'Ettorre. + * + * The conditions of the OpenLDAP Public License apply. + */ #include @@ -65,6 +71,7 @@ static AttributeDescription *ad_sambaLMPassword; static AttributeDescription *ad_sambaNTPassword; static AttributeDescription *ad_sambaPwdLastSet; static AttributeDescription *ad_sambaPwdMustChange; +static AttributeDescription *ad_sambaPwdCanChange; static ObjectClass *oc_sambaSamAccount; #endif @@ -84,6 +91,8 @@ typedef struct smbk5pwd_t { #ifdef DO_SAMBA /* How many seconds before forcing a password change? */ time_t smb_must_change; + /* How many seconds after allowing a password change? */ + time_t smb_can_change; #endif } smbk5pwd_t; @@ -206,7 +215,7 @@ static int smbk5pwd_op_cleanup( /* clear out the current key */ ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup, - NULL, NULL ); + NULL, 0, NULL, NULL ); /* free the callback */ cb = op->o_callback; @@ -225,8 +234,8 @@ static int smbk5pwd_op_bind( */ if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE ) { slap_callback *cb; - ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup, op, - NULL ); + ldap_pvt_thread_pool_setkey( op->o_threadctx, + smbk5pwd_op_cleanup, op, 0, NULL, NULL ); cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx ); cb->sc_cleanup = smbk5pwd_op_cleanup; cb->sc_next = op->o_callback; @@ -259,7 +268,7 @@ static int k5key_chk( const struct berval *cred, const char **text ) { - void *ctx; + void *ctx, *op_tmp; Operation *op; int rc; Entry *e; @@ -272,9 +281,10 @@ static int k5key_chk( /* Find our thread context, find our Operation */ ctx = ldap_pvt_thread_pool_context(); - if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, (void **)&op, NULL ) || - !op ) + if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, &op_tmp, NULL ) + || !op_tmp ) return LUTIL_PASSWD_ERR; + op = op_tmp; rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ); if ( rc != LDAP_SUCCESS ) return LUTIL_PASSWD_ERR; @@ -371,11 +381,19 @@ static int smbk5pwd_exop_passwd( if ( ret ) break; a = attr_find( e->e_attrs, ad_krb5KeyVersionNumber ); + kvno = 0; if ( a ) { - kvno = atoi(a->a_vals[0].bv_val); + if ( lutil_atoi( &kvno, a->a_vals[0].bv_val ) != 0 ) { + Debug( LDAP_DEBUG_ANY, "%s smbk5pwd EXOP: " + "dn=\"%s\" unable to parse krb5KeyVersionNumber=\"%s\"\n", + op->o_log_prefix, e->e_name.bv_val, a->a_vals[0].bv_val ); + } + } else { /* shouldn't happen, this is a required attr */ - kvno = 0; + Debug( LDAP_DEBUG_ANY, "%s smbk5pwd EXOP: " + "dn=\"%s\" missing krb5KeyVersionNumber\n", + op->o_log_prefix, e->e_name.bv_val, 0 ); } ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val); @@ -414,6 +432,7 @@ static int smbk5pwd_exop_passwd( #ifdef SLAP_MOD_INTERNAL ml->sml_flags = SLAP_MOD_INTERNAL; #endif + ml->sml_numvals = i; ml->sml_values = keys; ml->sml_nvalues = NULL; @@ -426,6 +445,7 @@ static int smbk5pwd_exop_passwd( #ifdef SLAP_MOD_INTERNAL ml->sml_flags = SLAP_MOD_INTERNAL; #endif + ml->sml_numvals = 1; ml->sml_values = ch_malloc( 2 * sizeof(struct berval)); ml->sml_values[0].bv_val = ch_malloc( 64 ); ml->sml_values[0].bv_len = sprintf(ml->sml_values[0].bv_val, @@ -475,6 +495,7 @@ static int smbk5pwd_exop_passwd( #ifdef SLAP_MOD_INTERNAL ml->sml_flags = SLAP_MOD_INTERNAL; #endif + ml->sml_numvals = 1; ml->sml_values = keys; ml->sml_nvalues = NULL; @@ -501,6 +522,7 @@ static int smbk5pwd_exop_passwd( #ifdef SLAP_MOD_INTERNAL ml->sml_flags = SLAP_MOD_INTERNAL; #endif + ml->sml_numvals = 1; ml->sml_values = keys; ml->sml_nvalues = NULL; @@ -511,9 +533,9 @@ static int smbk5pwd_exop_passwd( qpw->rs_mods = ml; keys = ch_malloc( 2 * sizeof(struct berval) ); - keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 ); + keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) ); keys[0].bv_len = snprintf(keys[0].bv_val, - STRLENOF( "9223372036854775807L" ) + 1, + LDAP_PVT_INTTYPE_CHARS(long), "%ld", slap_get_time()); BER_BVZERO( &keys[1] ); @@ -522,6 +544,7 @@ static int smbk5pwd_exop_passwd( #ifdef SLAP_MOD_INTERNAL ml->sml_flags = SLAP_MOD_INTERNAL; #endif + ml->sml_numvals = 1; ml->sml_values = keys; ml->sml_nvalues = NULL; @@ -532,9 +555,9 @@ static int smbk5pwd_exop_passwd( qpw->rs_mods = ml; keys = ch_malloc( 2 * sizeof(struct berval) ); - keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 ); + keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) ); keys[0].bv_len = snprintf(keys[0].bv_val, - STRLENOF( "9223372036854775807L" ) + 1, + LDAP_PVT_INTTYPE_CHARS(long), "%ld", slap_get_time() + pi->smb_must_change); BER_BVZERO( &keys[1] ); @@ -543,6 +566,30 @@ static int smbk5pwd_exop_passwd( #ifdef SLAP_MOD_INTERNAL ml->sml_flags = SLAP_MOD_INTERNAL; #endif + ml->sml_numvals = 1; + ml->sml_values = keys; + ml->sml_nvalues = NULL; + } + + if (pi->smb_can_change) + { + ml = ch_malloc(sizeof(Modifications)); + ml->sml_next = qpw->rs_mods; + qpw->rs_mods = ml; + + keys = ch_malloc( 2 * sizeof(struct berval) ); + keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) ); + keys[0].bv_len = snprintf(keys[0].bv_val, + LDAP_PVT_INTTYPE_CHARS(long), + "%ld", slap_get_time() + pi->smb_can_change); + BER_BVZERO( &keys[1] ); + + ml->sml_desc = ad_sambaPwdCanChange; + ml->sml_op = LDAP_MOD_REPLACE; +#ifdef SLAP_MOD_INTERNAL + ml->sml_flags = SLAP_MOD_INTERNAL; +#endif + ml->sml_numvals = 1; ml->sml_values = keys; ml->sml_nvalues = NULL; } @@ -558,38 +605,45 @@ static slap_overinst smbk5pwd; /* back-config stuff */ enum { PC_SMB_MUST_CHANGE = 1, + PC_SMB_CAN_CHANGE, PC_SMB_ENABLE }; static ConfigDriver smbk5pwd_cf_func; /* - * NOTE: uses OID arcs OLcfgOvAt:6 and OLcfgOvOc:6 + * NOTE: uses OID arcs OLcfgCtAt:1 and OLcfgCtOc:1 */ static ConfigTable smbk5pwd_cfats[] = { { "smbk5pwd-enable", "arg", 2, 0, 0, ARG_MAGIC|PC_SMB_ENABLE, smbk5pwd_cf_func, - "( OLcfgOvAt:6.1 NAME 'olcSmbK5PwdEnable' " + "( OLcfgCtAt:1.1 NAME 'olcSmbK5PwdEnable' " "DESC 'Modules to be enabled' " "SYNTAX OMsDirectoryString )", NULL, NULL }, { "smbk5pwd-must-change", "time", 2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_MUST_CHANGE, smbk5pwd_cf_func, - "( OLcfgOvAt:6.2 NAME 'olcSmbK5PwdMustChange' " + "( OLcfgCtAt:1.2 NAME 'olcSmbK5PwdMustChange' " "DESC 'Credentials validity interval' " "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, + { "smbk5pwd-can-change", "time", + 2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_CAN_CHANGE, smbk5pwd_cf_func, + "( OLcfgCtAt:1.3 NAME 'olcSmbK5PwdCanChange' " + "DESC 'Credentials minimum validity interval' " + "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, { NULL, NULL, 0, 0, 0, ARG_IGNORED } }; static ConfigOCs smbk5pwd_cfocs[] = { - { "( OLcfgOvOc:6.1 " + { "( OLcfgCtOc:1.1 " "NAME 'olcSmbK5PwdConfig' " "DESC 'smbk5pwd overlay configuration' " "SUP olcOverlayConfig " "MAY ( " "olcSmbK5PwdEnable " "$ olcSmbK5PwdMustChange " + "$ olcSmbK5PwdCanChange " ") )", Cft_Overlay, smbk5pwd_cfats }, { NULL, 0, NULL } @@ -623,6 +677,14 @@ smbk5pwd_cf_func( ConfigArgs *c ) #endif /* ! DO_SAMBA */ break; + case PC_SMB_CAN_CHANGE: +#ifdef DO_SAMBA + c->value_int = pi->smb_can_change; +#else /* ! DO_SAMBA */ + c->value_int = 0; +#endif /* ! DO_SAMBA */ + break; + case PC_SMB_ENABLE: c->rvalue_vals = NULL; if ( pi->mode ) { @@ -644,6 +706,9 @@ smbk5pwd_cf_func( ConfigArgs *c ) case PC_SMB_MUST_CHANGE: break; + case PC_SMB_CAN_CHANGE: + break; + case PC_SMB_ENABLE: if ( !c->line ) { pi->mode = 0; @@ -666,6 +731,12 @@ smbk5pwd_cf_func( ConfigArgs *c ) switch( c->type ) { case PC_SMB_MUST_CHANGE: #ifdef DO_SAMBA + if ( c->value_int < 0 ) { + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> invalid negative value \"%d\".", + c->log, c->argv[ 0 ], 0 ); + return 1; + } pi->smb_must_change = c->value_int; #else /* ! DO_SAMBA */ Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " @@ -676,23 +747,46 @@ smbk5pwd_cf_func( ConfigArgs *c ) #endif /* ! DO_SAMBA */ break; + case PC_SMB_CAN_CHANGE: +#ifdef DO_SAMBA + if ( c->value_int < 0 ) { + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> invalid negative value \"%d\".", + c->log, c->argv[ 0 ], 0 ); + return 1; + } + pi->smb_can_change = c->value_int; +#else /* ! DO_SAMBA */ + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> only meaningful " + "when compiled with -DDO_SAMBA.\n", + c->log, c->argv[ 0 ], 0 ); + return 1; +#endif /* ! DO_SAMBA */ + break; + case PC_SMB_ENABLE: { - slap_mask_t m; + slap_mask_t mode = pi->mode, m; rc = verbs_to_mask( c->argc, c->argv, smbk5pwd_modules, &m ); - if ( rc ) { + if ( rc > 0 ) { Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " "<%s> unknown module \"%s\".\n", c->log, c->argv[ 0 ], c->argv[ rc ] ); return 1; } + + /* we can hijack the smbk5pwd_t structure because + * from within the configuration, this is the only + * active thread. */ pi->mode |= m; #ifndef DO_KRB5 if ( SMBK5PWD_DO_KRB5( pi ) ) { Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " "<%s> module \"%s\" only allowed when compiled with -DDO_KRB5.\n", - c->log, c->argv[ 0 ], c->argv[ i ] ); + c->log, c->argv[ 0 ], c->argv[ rc ] ); + pi->mode = mode; return 1; } #endif /* ! DO_KRB5 */ @@ -701,7 +795,8 @@ smbk5pwd_cf_func( ConfigArgs *c ) if ( SMBK5PWD_DO_SAMBA( pi ) ) { Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " "<%s> module \"%s\" only allowed when compiled with -DDO_SAMBA.\n", - c->log, c->argv[ 0 ], c->argv[ i ] ); + c->log, c->argv[ 0 ], c->argv[ rc ] ); + pi->mode = mode; return 1; } #endif /* ! DO_SAMBA */ @@ -709,9 +804,12 @@ smbk5pwd_cf_func( ConfigArgs *c ) { BackendDB db = *c->be; + /* Re-initialize the module, because + * the configuration might have changed */ db.bd_info = (BackendInfo *)on; rc = smbk5pwd_modules_init( pi ); if ( rc ) { + pi->mode = mode; return 1; } } @@ -728,56 +826,72 @@ smbk5pwd_cf_func( ConfigArgs *c ) static int smbk5pwd_modules_init( smbk5pwd_t *pi ) { - int rc; - const char *text; + static struct { + const char *name; + AttributeDescription **adp; + } +#ifdef DO_KRB5 + krb5_ad[] = { + { "krb5Key", &ad_krb5Key }, + { "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber }, + { "krb5PrincipalName", &ad_krb5PrincipalName }, + { NULL } + }, +#endif /* DO_KRB5 */ +#ifdef DO_SAMBA + samba_ad[] = { + { "sambaLMPassword", &ad_sambaLMPassword }, + { "sambaNTPassword", &ad_sambaNTPassword }, + { "sambaPwdLastSet", &ad_sambaPwdLastSet }, + { "sambaPwdMustChange", &ad_sambaPwdMustChange }, + { "sambaPwdCanChange", &ad_sambaPwdCanChange }, + { NULL } + }, +#endif /* DO_SAMBA */ + dummy_ad; + + /* this is to silence the unused var warning */ + dummy_ad.name = NULL; #ifdef DO_KRB5 if ( SMBK5PWD_DO_KRB5( pi ) && oc_krb5KDCEntry == NULL ) { krb5_error_code ret; extern HDB *_kadm5_s_get_db(void *); + int i, rc; + /* Make sure all of our necessary schema items are loaded */ - oc_krb5KDCEntry = oc_find("krb5KDCEntry"); + oc_krb5KDCEntry = oc_find( "krb5KDCEntry" ); if ( !oc_krb5KDCEntry ) { Debug( LDAP_DEBUG_ANY, "smbk5pwd: " "unable to find \"krb5KDCEntry\" objectClass.\n", 0, 0, 0 ); - rc = -1; - goto cleanup_krb5; + return -1; } - rc = slap_str2ad( "krb5Key", &ad_krb5Key, &text ); - if ( rc != LDAP_SUCCESS ) { - Debug( LDAP_DEBUG_ANY, "smbk5pwd: " - "unable to find \"krb5Key\" attributeType: %s (%d).\n", - text, rc, 0 ); - goto cleanup_krb5; - } + for ( i = 0; krb5_ad[ i ].name != NULL; i++ ) { + const char *text; - rc = slap_str2ad( "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber, &text ); - if ( rc != LDAP_SUCCESS ) { - Debug( LDAP_DEBUG_ANY, "smbk5pwd: " - "unable to find \"krb5KeyVersionNumber\" attributeType: %s (%d).\n", - text, rc, 0 ); - goto cleanup_krb5; - } + *(krb5_ad[ i ].adp) = NULL; - rc = slap_str2ad( "krb5PrincipalName", &ad_krb5PrincipalName, &text ); - if ( rc != LDAP_SUCCESS ) { - Debug( LDAP_DEBUG_ANY, "smbk5pwd: " - "unable to find \"krb5PrincipalName\" attributeType: %s (%d).\n", - text, rc, 0 ); - goto cleanup_krb5; + rc = slap_str2ad( krb5_ad[ i ].name, krb5_ad[ i ].adp, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"%s\" attributeType: %s (%d).\n", + krb5_ad[ i ].name, text, rc ); + oc_krb5KDCEntry = NULL; + return rc; + } } /* Initialize Kerberos context */ ret = krb5_init_context(&context); if (ret) { Debug( LDAP_DEBUG_ANY, "smbk5pwd: " - "unable to initialize krb5 context.\n", - 0, 0, 0 ); - rc = -1; - goto cleanup_krb5; + "unable to initialize krb5 context (%d).\n", + ret, 0, 0 ); + oc_krb5KDCEntry = NULL; + return -1; } ret = kadm5_s_init_with_password_ctx( context, @@ -785,58 +899,50 @@ smbk5pwd_modules_init( smbk5pwd_t *pi ) NULL, KADM5_ADMIN_SERVICE, &conf, 0, 0, &kadm_context ); - - db = _kadm5_s_get_db(kadm_context); - - if ( 0 ) { -cleanup_krb5:; + if (ret) { + char *err_str, *err_msg = ""; + err_str = krb5_get_error_string( context ); + if (!err_str) + err_msg = krb5_get_err_text( context, ret ); + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to initialize krb5 admin context: %s (%d).\n", + err_str ? err_str : err_msg, ret, 0 ); + if (err_str) + krb5_free_error_string( context, err_str ); + krb5_free_context( context ); oc_krb5KDCEntry = NULL; - - return rc; + return -1; } + + db = _kadm5_s_get_db( kadm_context ); } #endif /* DO_KRB5 */ #ifdef DO_SAMBA if ( SMBK5PWD_DO_SAMBA( pi ) && oc_sambaSamAccount == NULL ) { + int i, rc; + oc_sambaSamAccount = oc_find( "sambaSamAccount" ); if ( !oc_sambaSamAccount ) { Debug( LDAP_DEBUG_ANY, "smbk5pwd: " "unable to find \"sambaSamAccount\" objectClass.\n", 0, 0, 0 ); - rc = -1; - goto cleanup_samba; + return -1; } - rc = slap_str2ad( "sambaLMPassword", &ad_sambaLMPassword, &text ); - if ( rc != LDAP_SUCCESS ) { - Debug( LDAP_DEBUG_ANY, "smbk5pwd: " - "unable to find \"sambaLMPassword\" attributeType: %s (%d).\n", - text, rc, 0 ); - goto cleanup_samba; - } - - rc = slap_str2ad( "sambaNTPassword", &ad_sambaNTPassword, &text ); - if ( rc != LDAP_SUCCESS ) { - Debug( LDAP_DEBUG_ANY, "smbk5pwd: " - "unable to find \"sambaLMPassword\" attributeType: %s (%d).\n", - text, rc, 0 ); - goto cleanup_samba; - } + for ( i = 0; samba_ad[ i ].name != NULL; i++ ) { + const char *text; - rc = slap_str2ad( "sambaPwdLastSet", &ad_sambaPwdLastSet, &text ); - if ( rc != LDAP_SUCCESS ) { - Debug( LDAP_DEBUG_ANY, "smbk5pwd: " - "unable to find \"sambaLMPassword\" attributeType: %s (%d).\n", - text, rc, 0 ); - goto cleanup_samba; - } + *(samba_ad[ i ].adp) = NULL; - if ( 0 ) { -cleanup_samba:; - oc_sambaSamAccount = NULL; - - return rc; + rc = slap_str2ad( samba_ad[ i ].name, samba_ad[ i ].adp, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"%s\" attributeType: %s (%d).\n", + samba_ad[ i ].name, text, rc ); + oc_sambaSamAccount = NULL; + return rc; + } } } #endif /* DO_SAMBA */ @@ -845,10 +951,10 @@ cleanup_samba:; } static int -smbk5pwd_db_init(BackendDB *be) +smbk5pwd_db_init(BackendDB *be, ConfigReply *cr) { slap_overinst *on = (slap_overinst *)be->bd_info; - smbk5pwd_t *pi; + smbk5pwd_t *pi; pi = ch_calloc( 1, sizeof( smbk5pwd_t ) ); if ( pi == NULL ) { @@ -860,7 +966,7 @@ smbk5pwd_db_init(BackendDB *be) } static int -smbk5pwd_db_open(BackendDB *be) +smbk5pwd_db_open(BackendDB *be, ConfigReply *cr) { slap_overinst *on = (slap_overinst *)be->bd_info; smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private; @@ -880,7 +986,7 @@ smbk5pwd_db_open(BackendDB *be) } static int -smbk5pwd_db_destroy(BackendDB *be) +smbk5pwd_db_destroy(BackendDB *be, ConfigReply *cr) { slap_overinst *on = (slap_overinst *)be->bd_info; smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private;