X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=clients%2Ftools%2Fldappasswd.c;h=a0265f4ebdc5fa9b8e7dbc0b48898c7fe9c20d0a;hb=626830b5adf4c048edc3ecd7c5cf48ab1fa8b495;hp=f3dc98047c86e135531343c10183bf4503e738d9;hpb=6393523ffa71bffabcafffda064c04b36742cb2c;p=openldap diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c index f3dc98047c..a0265f4ebd 100644 --- a/clients/tools/ldappasswd.c +++ b/clients/tools/ldappasswd.c @@ -1,6 +1,6 @@ /* $OpenLDAP$ */ /* - * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ @@ -11,486 +11,154 @@ #include #include -#include #include #include #include #include #include - +#include "lutil.h" #include "lutil_ldap.h" #include "ldap_defaults.h" -static int verbose = 0; +#include "common.h" + + +static char *newpw = NULL; +static char *oldpw = NULL; +static int want_newpw = 0; +static int want_oldpw = 0; -static void -usage(const char *s) + +void +usage( void ) { fprintf(stderr, "Change password of an LDAP user\n\n" -"usage: %s [options] user\n" -" user: the identity of the user, normally a DN\n" +"usage: %s [options] [user]\n" +" user: the autentication identity, commonly a DN\n" "Password change options:\n" -" -a secret\told password\n" -" -A\t\tprompt for old password\n" -" -s secret\tnew password\n" -" -S\t\tprompt for new password\n" - -"Common options:\n" -" -d level\tdebugging level\n" -" -C\t\tchase referrals\n" -" -D binddn\tbind DN\n" -" -h host\t\tLDAP server (default: localhost)\n" -" -I\t\tuse SASL Interactive mode\n" -" -n\t\tmake no modifications\n" -" -O secprops\tSASL security properties\n" -" -p port\t\tport on LDAP server\n" -" -Q\t\tuse SASL Quiet mode\n" -" -R realm\tSASL realm\n" -" -U user\t\tSASL authentication identity (username)\n" -" -v\t\tverbose mode\n" -" -w passwd\tbind password (for simple authentication)\n" -" -W\t\tprompt for bind password\n" -" -x\t\tSimple authentication\n" -" -X id\t\tSASL authorization identity (\"dn:\" or \"u:\")\n" -" -Y mech\t\tSASL mechanism\n" -" -Z\t\tissue Start TLS request (-ZZ to require successful response)\n" - , s ); - +" -a secret old password\n" +" -A prompt for old password\n" +" -s secret new password\n" +" -S prompt for new password\n" + , prog ); + tool_common_usage(); exit( EXIT_FAILURE ); } + +const char options[] = "a:As:S" + "Cd:D:e:h:H:InO:p:QR:U:vVw:WxX:Y:Z"; + int -main( int argc, char *argv[] ) +handle_private_option( int i ) { - int rc; - char *prog = NULL; - char *ldaphost = NULL; - - char *dn = NULL; - char *binddn = NULL; - - struct berval passwd = { 0, NULL }; - char *newpw = NULL; - char *oldpw = NULL; - - int want_bindpw = 0; - int want_newpw = 0; - int want_oldpw = 0; - - int not = 0; - int i; - int ldapport = 0; - int debug = 0; - int version = -1; - int authmethod = -1; - int manageDSAit = 0; -#ifdef HAVE_CYRUS_SASL - unsigned sasl_flags = LDAP_SASL_AUTOMATIC; - char *sasl_realm = NULL; - char *sasl_authc_id = NULL; - char *sasl_authz_id = NULL; - char *sasl_mech = NULL; - char *sasl_secprops = NULL; + switch ( i ) { +#if 0 + int crit; + char *control, *cvalue; + case 'E': /* passwd controls */ + if( protocol == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -E incompatible with LDAPv%d\n", + prog, protocol ); + exit( EXIT_FAILURE ); + } + + /* should be extended to support comma separated list of + * [!]key[=value] parameters, e.g. -E !foo,bar=567 + */ + + crit = 0; + cvalue = NULL; + if( optarg[0] == '!' ) { + crit = 1; + optarg++; + } + + control = strdup( optarg ); + if ( (cvalue = strchr( control, '=' )) != NULL ) { + *cvalue++ = '\0'; + } + fprintf( stderr, "Invalid passwd control name: %s\n", control ); + usage(); #endif - int use_tls = 0; - int referrals = 0; - LDAP *ld; - struct berval *bv = NULL; - - int id, code; - LDAPMessage *res; - char *matcheddn = NULL, *text = NULL, **refs = NULL; - char *retoid = NULL; - struct berval *retdata = NULL; - - prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog; - - if (argc == 1) - usage (argv[0]); - - while( (i = getopt( argc, argv, - "Aa:Ss:" "Cd:D:h:InO:p:QRU:vw:WxX:Y:Z" )) != EOF ) - { - switch (i) { - /* Password Options */ - case 'A': /* prompt for old password */ - want_oldpw++; - break; - - case 'a': /* old password (secret) */ - oldpw = strdup (optarg); - - { - char* p; - - for( p = optarg; *p == '\0'; p++ ) { - *p = '\0'; - } - } - break; - - case 'S': /* prompt for user password */ - want_newpw++; - break; - case 's': /* new password (secret) */ - newpw = strdup (optarg); - { - char* p; + case 'a': /* old password (secret) */ + oldpw = strdup (optarg); - for( p = optarg; *p == '\0'; p++ ) { - *p = '\0'; - } + { + char* p; + for( p = optarg; *p != '\0'; p++ ) { + *p = '\0'; } - break; - - /* Common Options (including options we don't use) */ - case 'C': - referrals++; - break; - case 'd': - debug |= atoi( optarg ); - break; - case 'D': /* bind DN */ - if( binddn != NULL ) { - fprintf( stderr, "%s: -D previously specified\n" ); - return EXIT_FAILURE; - } - binddn = strdup( optarg ); - break; - case 'h': /* ldap host */ - if( ldaphost != NULL ) { - fprintf( stderr, "%s: -h previously specified\n" ); - return EXIT_FAILURE; } - ldaphost = strdup( optarg ); - break; - case 'I': -#ifdef HAVE_CYRUS_SASL - if( version == LDAP_VERSION2 ) { - fprintf( stderr, "%s: -I incompatible with version %d\n", - prog, version ); - return EXIT_FAILURE; - } - if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { - fprintf( stderr, "%s: incompatible previous " - "authentication choice\n", - prog ); - return EXIT_FAILURE; - } - authmethod = LDAP_AUTH_SASL; - version = LDAP_VERSION3; - sasl_flags = LDAP_SASL_INTERACTIVE; break; -#else - fprintf( stderr, "%s: was not compiled with SASL support\n", - prog ); - return( EXIT_FAILURE ); -#endif - case 'k': /* kerberos bind */ -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND - if( version > LDAP_VERSION2 ) { - fprintf( stderr, "%s: -k incompatible with LDAPv%d\n", - prog, version ); - return EXIT_FAILURE; - } - - if( authmethod != -1 ) { - fprintf( stderr, "%s: -k incompatible with previous " - "authentication choice\n", prog ); - return EXIT_FAILURE; - } - - authmethod = LDAP_AUTH_KRBV4; -#else - fprintf( stderr, "%s: not compiled with Kerberos support\n", prog ); - return EXIT_FAILURE; -#endif - break; - case 'K': /* kerberos bind, part one only */ -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND - if( version > LDAP_VERSION2 ) { - fprintf( stderr, "%s: -k incompatible with LDAPv%d\n", - prog, version ); - return EXIT_FAILURE; - } - if( authmethod != -1 ) { - fprintf( stderr, "%s: incompatible with previous " - "authentication choice\n", prog ); - return EXIT_FAILURE; - } - authmethod = LDAP_AUTH_KRBV41; -#else - fprintf( stderr, "%s: not compiled with Kerberos support\n", prog ); - return( EXIT_FAILURE ); -#endif - break; - case 'M': - /* enable Manage DSA IT */ - if( version == LDAP_VERSION2 ) { - fprintf( stderr, "%s: -M incompatible with LDAPv%d\n", - prog, version ); - return EXIT_FAILURE; - } - manageDSAit++; - version = LDAP_VERSION3; - break; - case 'n': /* print deletes, don't actually do them */ - ++not; - break; - case 'O': -#ifdef HAVE_CYRUS_SASL - if( sasl_secprops != NULL ) { - fprintf( stderr, "%s: -O previously specified\n" ); - return EXIT_FAILURE; - } - if( version == LDAP_VERSION2 ) { - fprintf( stderr, "%s: -O incompatible with LDAPv%d\n", - prog, version ); - return EXIT_FAILURE; - } - if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { - fprintf( stderr, "%s: incompatible previous " - "authentication choice\n", prog ); - return EXIT_FAILURE; - } - authmethod = LDAP_AUTH_SASL; - version = LDAP_VERSION3; - sasl_secprops = strdup( optarg ); -#else - fprintf( stderr, "%s: not compiled with SASL support\n", - prog ); - return( EXIT_FAILURE ); -#endif - break; - case 'p': - if( ldapport ) { - fprintf( stderr, "%s: -p previously specified\n" ); - return EXIT_FAILURE; - } - ldapport = atoi( optarg ); - break; - case 'P': - switch( atoi(optarg) ) { - case 2: - if( version == LDAP_VERSION3 ) { - fprintf( stderr, "%s: -P 2 incompatible with version %d\n", - prog, version ); - return EXIT_FAILURE; - } - version = LDAP_VERSION2; - break; - case 3: - if( version == LDAP_VERSION2 ) { - fprintf( stderr, "%s: -P 2 incompatible with version %d\n", - prog, version ); - return EXIT_FAILURE; - } - version = LDAP_VERSION3; - break; - default: - fprintf( stderr, "%s: protocol version should be 2 or 3\n", - prog ); - usage( prog ); - return( EXIT_FAILURE ); - } break; - case 'Q': -#ifdef HAVE_CYRUS_SASL - if( version == LDAP_VERSION2 ) { - fprintf( stderr, "%s: -Q incompatible with version %d\n", - prog, version ); - return EXIT_FAILURE; - } - if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { - fprintf( stderr, "%s: incompatible previous " - "authentication choice\n", - prog ); - return EXIT_FAILURE; - } - authmethod = LDAP_AUTH_SASL; - version = LDAP_VERSION3; - sasl_flags = LDAP_SASL_QUIET; - break; -#else - fprintf( stderr, "%s: was not compiled with SASL support\n", - prog ); - return( EXIT_FAILURE ); -#endif - case 'R': -#ifdef HAVE_CYRUS_SASL - if( sasl_realm != NULL ) { - fprintf( stderr, "%s: -R previously specified\n" ); - return EXIT_FAILURE; - } - if( version == LDAP_VERSION2 ) { - fprintf( stderr, "%s: -R incompatible with version %d\n", - prog, version ); - return EXIT_FAILURE; - } - if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { - fprintf( stderr, "%s: incompatible previous " - "authentication choice\n", - prog ); - return EXIT_FAILURE; - } - authmethod = LDAP_AUTH_SASL; - version = LDAP_VERSION3; - sasl_realm = strdup( optarg ); -#else - fprintf( stderr, "%s: was not compiled with SASL support\n", - prog ); - return( EXIT_FAILURE ); -#endif + case 'A': /* prompt for old password */ + want_oldpw++; break; - case 'U': -#ifdef HAVE_CYRUS_SASL - if( sasl_authc_id != NULL ) { - fprintf( stderr, "%s: -U previously specified\n" ); - return EXIT_FAILURE; - } - if( version == LDAP_VERSION2 ) { - fprintf( stderr, "%s: -U incompatible with version %d\n", - prog, version ); - return EXIT_FAILURE; - } - if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { - fprintf( stderr, "%s: incompatible previous " - "authentication choice\n", - prog ); - return EXIT_FAILURE; - } - authmethod = LDAP_AUTH_SASL; - version = LDAP_VERSION3; - sasl_authc_id = strdup( optarg ); -#else - fprintf( stderr, "%s: was not compiled with SASL support\n", - prog ); - return( EXIT_FAILURE ); -#endif - break; - case 'v': /* verbose mode */ - verbose++; - break; - case 'w': /* password */ - passwd.bv_val = strdup( optarg ); + + case 's': /* new password (secret) */ + newpw = strdup (optarg); { char* p; - - for( p = optarg; *p == '\0'; p++ ) { + for( p = optarg; *p != '\0'; p++ ) { *p = '\0'; } } - passwd.bv_len = strlen( passwd.bv_val ); - break; - case 'W': - want_bindpw++; - break; - case 'Y': -#ifdef HAVE_CYRUS_SASL - if( sasl_mech != NULL ) { - fprintf( stderr, "%s: -Y previously specified\n" ); - return EXIT_FAILURE; - } - if( version == LDAP_VERSION2 ) { - fprintf( stderr, "%s: -Y incompatible with version %d\n", - prog, version ); - return EXIT_FAILURE; - } - if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { - fprintf( stderr, "%s: incompatible with authentication choice\n", prog ); - return EXIT_FAILURE; - } - authmethod = LDAP_AUTH_SASL; - version = LDAP_VERSION3; - sasl_mech = strdup( optarg ); -#else - fprintf( stderr, "%s: was not compiled with SASL support\n", - prog ); - return( EXIT_FAILURE ); -#endif - break; - case 'x': - if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) { - fprintf( stderr, "%s: incompatible with previous " - "authentication choice\n", prog ); - return EXIT_FAILURE; - } - authmethod = LDAP_AUTH_SIMPLE; - break; - case 'X': -#ifdef HAVE_CYRUS_SASL - if( sasl_authz_id != NULL ) { - fprintf( stderr, "%s: -X previously specified\n" ); - return EXIT_FAILURE; - } - if( version == LDAP_VERSION2 ) { - fprintf( stderr, "%s: -X incompatible with LDAPv%d\n", - prog, version ); - return EXIT_FAILURE; - } - if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { - fprintf( stderr, "%s: -X incompatible with " - "authentication choice\n", prog ); - return EXIT_FAILURE; - } - authmethod = LDAP_AUTH_SASL; - version = LDAP_VERSION3; - sasl_authz_id = strdup( optarg ); -#else - fprintf( stderr, "%s: not compiled with SASL support\n", - prog ); - return( EXIT_FAILURE ); -#endif - break; - case 'Z': -#ifdef HAVE_TLS - if( version == LDAP_VERSION2 ) { - fprintf( stderr, "%s -Z incompatible with version %d\n", - prog, version ); - return EXIT_FAILURE; - } - version = LDAP_VERSION3; - use_tls++; -#else - fprintf( stderr, "%s: not compiled with TLS support\n", - prog ); - return( EXIT_FAILURE ); -#endif break; + case 'S': /* prompt for user password */ + want_newpw++; + break; - default: - fprintf( stderr, "%s: unrecongized option -%c\n", - prog, optopt ); - usage (argv[0]); - } + default: + return 0; } + return 1; +} - if( argc - optind != 1 ) { - usage( argv[0] ); - } - if (authmethod == -1) { -#ifdef HAVE_CYRUS_SASL - authmethod = LDAP_AUTH_SASL; -#else - authmethod = LDAP_AUTH_SIMPLE; -#endif - } +int +main( int argc, char *argv[] ) +{ + int rc; + char *user = NULL; - dn = strdup( argv[optind] ); + LDAP *ld = NULL; + struct berval bv = {0, NULL}; + BerElement *ber = NULL; + + int id, code = LDAP_OTHER; + LDAPMessage *res; + char *matcheddn = NULL, *text = NULL, **refs = NULL; + char *retoid = NULL; + struct berval *retdata = NULL; + + prog = lutil_progname( "ldappasswd", argc, argv ); + + /* LDAPv3 only */ + protocol = LDAP_VERSION3; + + tool_args( argc, argv ); + + if( argc - optind > 1 ) { + usage(); + } else if ( argc - optind == 1 ) { + user = strdup( argv[optind] ); + } else { + user = NULL; + } if( want_oldpw && oldpw == NULL ) { /* prompt for old password */ char *ckoldpw; - newpw = strdup(getpassphrase("Old password: ")); + oldpw = strdup(getpassphrase("Old password: ")); ckoldpw = getpassphrase("Re-enter old password: "); - if( newpw== NULL || ckoldpw == NULL || - strncmp( oldpw, ckoldpw, strlen(oldpw) )) + if( oldpw== NULL || ckoldpw == NULL || + strcmp( oldpw, ckoldpw )) { fprintf( stderr, "passwords do not match\n" ); return EXIT_FAILURE; @@ -504,123 +172,29 @@ main( int argc, char *argv[] ) cknewpw = getpassphrase("Re-enter new password: "); if( newpw== NULL || cknewpw == NULL || - strncmp( newpw, cknewpw, strlen(newpw) )) + strcmp( newpw, cknewpw )) { fprintf( stderr, "passwords do not match\n" ); return EXIT_FAILURE; } } - if( binddn == NULL && dn != NULL ) { - binddn = dn; - dn = NULL; - - if( passwd.bv_val == NULL ) { - passwd.bv_val = oldpw; - passwd.bv_len = oldpw == NULL ? 0 : strlen( oldpw ); - } - } - if (want_bindpw && passwd.bv_val == NULL ) { /* handle bind password */ - fprintf( stderr, "Bind DN: %s\n", binddn ); passwd.bv_val = strdup( getpassphrase("Enter bind password: ")); passwd.bv_len = passwd.bv_val ? strlen( passwd.bv_val ) : 0; } - if ( debug ) { - if( ber_set_option( NULL, LBER_OPT_DEBUG_LEVEL, &debug ) != LBER_OPT_SUCCESS ) { - fprintf( stderr, "Could not set LBER_OPT_DEBUG_LEVEL %d\n", debug ); - } - if( ldap_set_option( NULL, LDAP_OPT_DEBUG_LEVEL, &debug ) != LDAP_OPT_SUCCESS ) { - fprintf( stderr, "Could not set LDAP_OPT_DEBUG_LEVEL %d\n", debug ); - } - } + ld = tool_conn_setup( 0, 0 ); -#ifdef SIGPIPE - (void) SIGNAL( SIGPIPE, SIG_IGN ); -#endif + tool_bind( ld ); - /* connect to server */ - if ((ld = ldap_init( ldaphost, ldapport )) == NULL) { - perror("ldap_init"); - return EXIT_FAILURE; - } + if ( authzid || manageDSAit || noop ) + tool_server_controls( ld, NULL, 0 ); - /* referrals */ - if (ldap_set_option( ld, LDAP_OPT_REFERRALS, - referrals ? LDAP_OPT_ON : LDAP_OPT_OFF ) != LDAP_OPT_SUCCESS ) - { - fprintf( stderr, "Could not set LDAP_OPT_REFERRALS %s\n", - referrals ? "on" : "off" ); - return EXIT_FAILURE; - } - - /* LDAPv3 only */ - version = 3; - rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ); - - if(rc != LDAP_OPT_SUCCESS ) { - fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n", version ); - return EXIT_FAILURE; - } - - if ( use_tls && ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS ) { - if ( use_tls > 1 ) { - ldap_perror( ld, "ldap_start_tls" ); - return( EXIT_FAILURE ); - } - fprintf( stderr, "WARNING: could not start TLS\n" ); - } - - if ( authmethod == LDAP_AUTH_SASL ) { -#ifdef HAVE_CYRUS_SASL - void *defaults; - - if( sasl_secprops != NULL ) { - rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS, - (void *) sasl_secprops ); - - if( rc != LDAP_OPT_SUCCESS ) { - fprintf( stderr, - "Could not set LDAP_OPT_X_SASL_SECPROPS: %s\n", - sasl_secprops ); - return( EXIT_FAILURE ); - } - } - - defaults = lutil_sasl_defaults( ld, - sasl_mech, - sasl_realm, - sasl_authc_id, - passwd.bv_val, - sasl_authz_id ); - - rc = ldap_sasl_interactive_bind_s( ld, binddn, - sasl_mech, NULL, NULL, - sasl_flags, lutil_sasl_interact, defaults ); - - if( rc != LDAP_SUCCESS ) { - ldap_perror( ld, "ldap_sasl_interactive_bind_s" ); - return( EXIT_FAILURE ); - } -#else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); - return( EXIT_FAILURE ); -#endif - } - else { - if ( ldap_bind_s( ld, binddn, passwd.bv_val, authmethod ) - != LDAP_SUCCESS ) { - ldap_perror( ld, "ldap_bind" ); - return( EXIT_FAILURE ); - } - } - - if( dn != NULL || oldpw != NULL || newpw != NULL ) { + if( user != NULL || oldpw != NULL || newpw != NULL ) { /* build change password control */ - BerElement *ber = ber_alloc_t( LBER_USE_DER ); + ber = ber_alloc_t( LBER_USE_DER ); if( ber == NULL ) { perror( "ber_alloc_t" ); @@ -630,35 +204,33 @@ main( int argc, char *argv[] ) ber_printf( ber, "{" /*}*/ ); - if( dn != NULL ) { + if( user != NULL ) { ber_printf( ber, "ts", - LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID, dn ); - free(dn); + LDAP_TAG_EXOP_MODIFY_PASSWD_ID, user ); + free(user); } if( oldpw != NULL ) { ber_printf( ber, "ts", - LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, oldpw ); + LDAP_TAG_EXOP_MODIFY_PASSWD_OLD, oldpw ); free(oldpw); } if( newpw != NULL ) { ber_printf( ber, "ts", - LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, newpw ); + LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, newpw ); free(newpw); } ber_printf( ber, /*{*/ "N}" ); - rc = ber_flatten( ber, &bv ); + rc = ber_flatten2( ber, &bv, 0 ); if( rc < 0 ) { - perror( "ber_flatten" ); + perror( "ber_flatten2" ); ldap_unbind( ld ); return EXIT_FAILURE; } - - ber_free( ber, 1 ); } if ( not ) { @@ -667,10 +239,10 @@ main( int argc, char *argv[] ) } rc = ldap_extended_operation( ld, - LDAP_EXOP_X_MODIFY_PASSWD, bv, + LDAP_EXOP_MODIFY_PASSWD, bv.bv_val ? &bv : NULL, NULL, NULL, &id ); - ber_bvfree( bv ); + ber_free( ber, 1 ); if( rc != LDAP_SUCCESS ) { ldap_perror( ld, "ldap_extended_operation" ); @@ -701,7 +273,7 @@ main( int argc, char *argv[] ) if( retdata != NULL ) { ber_tag_t tag; char *s; - BerElement *ber = ber_init( retdata ); + ber = ber_init( retdata ); if( ber == NULL ) { perror( "ber_init" ); @@ -751,5 +323,5 @@ skip: /* disconnect from server */ ldap_unbind (ld); - return EXIT_SUCCESS; + return code == LDAP_SUCCESS ? EXIT_SUCCESS : EXIT_FAILURE; }