X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fpasswd.c;h=0c898771ec4b4c2a9defe96c4f18789c092bd23c;hb=f8fb4aca7668c722f41941be719203aa8c298e12;hp=b06cd71e056fdad8cbe4c8a7dfcec2c68e5372f7;hpb=d5edb4bff62150cf35e8b9c59798017ff58febc0;p=openldap diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c index b06cd71e05..0c898771ec 100644 --- a/servers/slapd/passwd.c +++ b/servers/slapd/passwd.c @@ -1,7 +1,7 @@ /* bind.c - ldbm backend bind and unbind routines */ /* $OpenLDAP$ */ /* - * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ @@ -18,131 +18,337 @@ #include -static int passwd_main( - SLAP_EXTOP_CALLBACK_FN ext_callback, - Connection *conn, Operation *op, char *oid, - struct berval *reqdata, struct berval **rspdata, char **text ) +int passwd_extop( + Connection *conn, Operation *op, + const char *reqoid, + struct berval *reqdata, + char **rspoid, + struct berval **rspdata, + LDAPControl ***rspctrls, + const char **text, + BVarray *refs ) { int rc; - BerElement *ber; - struct berval *cred = NULL; - ber_int_t type; - assert( oid != NULL ); - assert( strcmp( LDAP_EXOP_X_MODIFY_PASSWD, oid ) == 0 ); + assert( reqoid != NULL ); + assert( strcmp( LDAP_EXOP_X_MODIFY_PASSWD, reqoid ) == 0 ); - if( op->o_dn == NULL || op->o_dn[0] == '\0' ) { - *text = ch_strdup("only authenicated users may change passwords"); + if( op->o_dn.bv_len == 0 ) { + *text = "only authenticated users may change passwords"; return LDAP_STRONG_AUTH_REQUIRED; } - if( reqdata == NULL || reqdata->bv_len == 0 ) { - *text = ch_strdup("data missing"); - return LDAP_PROTOCOL_ERROR; + if( conn->c_authz_backend != NULL && conn->c_authz_backend->be_extended ) { + if( conn->c_authz_backend->be_restrictops & SLAP_RESTRICT_OP_MODIFY ) { + *text = "authorization database is read only"; + rc = LDAP_UNWILLING_TO_PERFORM; + + } else if( conn->c_authz_backend->be_update_ndn.bv_len ) { + /* we SHOULD return a referral in this case */ + *refs = referral_rewrite( conn->c_authz_backend->be_update_refs, + NULL, NULL, LDAP_SCOPE_DEFAULT ); + rc = LDAP_REFERRAL; + + } else { + rc = conn->c_authz_backend->be_extended( + conn->c_authz_backend, conn, op, + reqoid, reqdata, + rspoid, rspdata, rspctrls, + text, refs ); + } + + } else { + *text = "operation not supported for current user"; + rc = LDAP_UNWILLING_TO_PERFORM; + } + + return rc; +} + +int slap_passwd_parse( struct berval *reqdata, + struct berval *id, + struct berval *oldpass, + struct berval *newpass, + const char **text ) +{ + int rc = LDAP_SUCCESS; + ber_tag_t tag; + ber_len_t len; + BerElement *ber; + + if( reqdata == NULL ) { + return LDAP_SUCCESS; } ber = ber_init( reqdata ); if( ber == NULL ) { - *text = ch_strdup("password decoding error"); +#ifdef NEW_LOGGING + LDAP_LOG(( "operation", LDAP_LEVEL_ERR, + "slap_passwd_parse: ber_init failed\n" )); +#else + Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ber_init failed\n", + 0, 0, 0 ); +#endif + + *text = "password decoding error"; return LDAP_PROTOCOL_ERROR; } - rc = ber_scanf(ber, "{iO}", &type, &cred ); - ber_free( ber, 1 ); + tag = ber_scanf( ber, "{" /*}*/ ); - if( rc == LBER_ERROR ) { - *text = ch_strdup("data decoding error"); - return LDAP_PROTOCOL_ERROR; + if( tag != LBER_ERROR ) { + tag = ber_peek_tag( ber, &len ); } - if( cred == NULL || cred->bv_len == 0 ) { - *text = ch_strdup("password missing"); - return LDAP_PROTOCOL_ERROR; + if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID ) { + if( id == NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "operation", LDAP_LEVEL_ERR, + "slap_passwd_parse: ID not allowed.\n")); +#else + Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n", + 0, 0, 0 ); +#endif + + *text = "user must change own password"; + rc = LDAP_UNWILLING_TO_PERFORM; + goto done; + } + + tag = ber_scanf( ber, "m", id ); + + if( tag == LBER_ERROR ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "operation", LDAP_LEVEL_ERR, + "slap_passwd_parse: ID parse failed.\n")); +#else + Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n", + 0, 0, 0 ); +#endif + + goto decoding_error; + } + + tag = ber_peek_tag( ber, &len); } - if( type != 0 ) { - ber_bvfree( cred ); - *text = ch_strdup("password type unknown"); - return LDAP_PROTOCOL_ERROR; + if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_OLD ) { + if( oldpass == NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "operation", LDAP_LEVEL_ERR, + "slap_passwd_parse: OLD not allowed.\n" )); +#else + Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n", + 0, 0, 0 ); +#endif + + *text = "use bind to verify old password"; + rc = LDAP_UNWILLING_TO_PERFORM; + goto done; + } + + tag = ber_scanf( ber, "m", oldpass ); + + if( tag == LBER_ERROR ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "operation", LDAP_LEVEL_ERR, + "slap_passwd_parse: ID parse failed.\n" )); +#else + Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n", + 0, 0, 0 ); +#endif + + goto decoding_error; + } + + tag = ber_peek_tag( ber, &len); } - if( conn->c_authz_backend != NULL && - conn->c_authz_backend->be_extended ) - { - rc = conn->c_authz_backend->be_extended( - conn->c_authz_backend, - conn, op, - oid, cred, rspdata, text ); + if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW ) { + if( newpass == NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "operation", LDAP_LEVEL_ERR, + "slap_passwd_parse: NEW not allowed.\n" )); +#else + Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n", + 0, 0, 0 ); +#endif - } else { - *text = ch_strdup("operation not supported for current user"); - rc = LDAP_UNWILLING_TO_PERFORM; + *text = "user specified passwords disallowed"; + rc = LDAP_UNWILLING_TO_PERFORM; + goto done; + } + + tag = ber_scanf( ber, "m", newpass ); + + if( tag == LBER_ERROR ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "operation", LDAP_LEVEL_ERR, + "slap_passwd_parse: OLD parse failed.\n")); +#else + Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n", + 0, 0, 0 ); +#endif + + goto decoding_error; + } + + tag = ber_peek_tag( ber, &len ); + } + + if( len != 0 ) { +decoding_error: +#ifdef NEW_LOGGING + LDAP_LOG(( "operation", LDAP_LEVEL_ERR, + "slap_passwd_parse: decoding error, len=%ld\n", (long)len )); +#else + Debug( LDAP_DEBUG_TRACE, + "slap_passwd_parse: decoding error, len=%ld\n", + (long) len, 0, 0 ); +#endif + + + *text = "data decoding error"; + rc = LDAP_PROTOCOL_ERROR; } - ber_bvfree( cred ); +done: + if( rc != LDAP_SUCCESS ) { + if( id && id->bv_val != NULL ) { + free( id->bv_val ); + id->bv_val = NULL; + } + + if( oldpass && oldpass->bv_val != NULL ) { + free( oldpass->bv_val ); + oldpass->bv_val = NULL; + } + + if( newpass && newpass->bv_val != NULL ) { + free( newpass->bv_val ); + newpass->bv_val = NULL; + } + } + + ber_free( ber, 1 ); return rc; } -int -slap_passwd_init( void ) +struct berval * slap_passwd_return( + struct berval *cred ) { - return load_extop( LDAP_EXOP_X_MODIFY_PASSWD, passwd_main ); + int rc; + struct berval *bv = NULL; + char berbuf[256]; + /* opaque structure, size unknown but smaller than berbuf */ + BerElement *ber = (BerElement *)berbuf; + + assert( cred != NULL ); + +#ifdef NEW_LOGGING + LDAP_LOG(( "operation", LDAP_LEVEL_ENTRY, + "slap_passwd_return: %ld\n",(long)cred->bv_len )); +#else + Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n", + (long) cred->bv_len, 0, 0 ); +#endif + + ber_init_w_nullc( ber, LBER_USE_DER ); + + rc = ber_printf( ber, "{tON}", + LDAP_TAG_EXOP_X_MODIFY_PASSWD_GEN, cred ); + + if( rc >= 0 ) { + (void) ber_flatten( ber, &bv ); + } + + ber_free_buf( ber ); + + return bv; } int slap_passwd_check( + Connection *conn, Attribute *a, struct berval *cred ) { - int i; - for ( i = 0; a->a_vals[i] != NULL; i++ ) { - int result; + int result = 1; + struct berval *bv; -#ifdef SLAPD_CRYPT - ldap_pvt_thread_mutex_lock( &crypt_mutex ); +#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) + ldap_pvt_thread_mutex_lock( &passwd_mutex ); +#ifdef SLAPD_SPASSWD + lutil_passwd_sasl_conn = conn->c_sasl_context; #endif - - result = lutil_passwd( - a->a_vals[i]->bv_val, - cred->bv_val, - NULL ); - -#ifdef SLAPD_CRYPT - ldap_pvt_thread_mutex_unlock( &crypt_mutex ); #endif - return result; + for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) { + if( !lutil_passwd( bv, cred, NULL ) ) { + result = 0; + break; + } } - return( 1 ); +#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) +#ifdef SLAPD_SPASSWD + lutil_passwd_sasl_conn = NULL; +#endif + ldap_pvt_thread_mutex_unlock( &passwd_mutex ); +#endif + + return result; } -struct berval * slap_passwd_generate( - struct berval * cred ) +void +slap_passwd_generate( struct berval *pass ) { - char* hash = default_passwd_hash ? default_passwd_hash : "{SSHA}"; - - struct berval *new = ber_memalloc( sizeof(struct berval) ); + struct berval *tmp; +#ifdef NEW_LOGGING + LDAP_LOG(( "operation", LDAP_LEVEL_ENTRY, + "slap_passwd_generate: begin\n" )); +#else + Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 ); +#endif + /* + * generate passwords of only 8 characters as some getpass(3) + * implementations truncate at 8 characters. + */ + tmp = lutil_passwd_generate( 8 ); + if (tmp) { + *pass = *tmp; + free(tmp); + } else { + pass->bv_val = NULL; + pass->bv_len = 0; + } +} - if( new == NULL ) return NULL; +void +slap_passwd_hash( + struct berval * cred, + struct berval * new ) +{ + struct berval *tmp; +#ifdef LUTIL_SHA1_BYTES + char* hash = default_passwd_hash ? default_passwd_hash : "{SSHA}"; +#else + char* hash = default_passwd_hash ? default_passwd_hash : "{SMD5}"; +#endif + -#ifdef SLAPD_CRYPT - ldap_pvt_thread_mutex_lock( &crypt_mutex ); +#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) + ldap_pvt_thread_mutex_lock( &passwd_mutex ); #endif - new->bv_val = lutil_passwd_generate( cred->bv_val , hash ); + tmp = lutil_passwd_hash( cred , hash ); -#ifdef SLAPD_CRYPT - ldap_pvt_thread_mutex_unlock( &crypt_mutex ); +#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) + ldap_pvt_thread_mutex_unlock( &passwd_mutex ); #endif + *new = *tmp; + free( tmp ); - if( new->bv_val == NULL ) { - ber_bvfree( new ); - return NULL; - } - - new->bv_len = strlen( new->bv_val ); - - return new; + return; }