X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fpasswd.c;h=2eb9a96da15ce7be328c628354abdb385876cb5b;hb=9b4bf8a973c8cfea809be9a4b658f785a6b16f2f;hp=bfeec38bf92a4ebb2f994da9ca1de60a0fa02c44;hpb=354d0d5b508666af7fa4e3135c2b3a980b17c422;p=openldap diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c index bfeec38bf9..2eb9a96da1 100644 --- a/servers/slapd/passwd.c +++ b/servers/slapd/passwd.c @@ -1,7 +1,7 @@ /* bind.c - ldbm backend bind and unbind routines */ /* $OpenLDAP$ */ /* - * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ @@ -16,127 +16,178 @@ #include "slap.h" +#include #include -static int passwd_main( - SLAP_EXTOP_CALLBACK_FN ext_callback, - Connection *conn, Operation *op, char *oid, - struct berval *reqdata, struct berval **rspdata, char **text ) +int passwd_extop( + Operation *op, + SlapReply *rs ) { - int rc; - - assert( oid != NULL ); - assert( strcmp( LDAP_EXOP_X_MODIFY_PASSWD, oid ) == 0 ); + assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 ); - if( op->o_dn == NULL || op->o_dn[0] == '\0' ) { - *text = ch_strdup("only authenicated users may change passwords"); + if( op->o_dn.bv_len == 0 ) { + rs->sr_text = "only authenticated users may change passwords"; return LDAP_STRONG_AUTH_REQUIRED; } - if( reqdata == NULL || reqdata->bv_len == 0 ) { - *text = ch_strdup("request data missing"); - return LDAP_PROTOCOL_ERROR; + ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); + op->o_bd = op->o_conn->c_authz_backend; + ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); + + if( op->o_bd && !op->o_bd->be_extended ) { + rs->sr_text = "operation not supported for current user"; + return LDAP_UNWILLING_TO_PERFORM; } - if( conn->c_authz_backend != NULL && - conn->c_authz_backend->be_extended ) - { - rc = conn->c_authz_backend->be_extended( - conn->c_authz_backend, - conn, op, oid, reqdata, rspdata, text ); + if (backend_check_restrictions( op, rs, + (struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) { + return rs->sr_err; + } + + if( op->o_bd == NULL ) { +#ifdef HAVE_CYRUS_SASL + rs->sr_err = slap_sasl_setpass( op, rs ); +#else + rs->sr_text = "no authz backend"; + rs->sr_err = LDAP_OTHER; +#endif + +#ifndef SLAPD_MULTIMASTER + /* This does not apply to multi-master case */ + } else if( op->o_bd->be_update_ndn.bv_len ) { + /* we SHOULD return a referral in this case */ + rs->sr_ref = referral_rewrite( op->o_bd->be_update_refs, + NULL, NULL, LDAP_SCOPE_DEFAULT ); + rs->sr_err = LDAP_REFERRAL; +#endif /* !SLAPD_MULTIMASTER */ } else { - *text = ch_strdup("operation not supported for current user"); - rc = LDAP_UNWILLING_TO_PERFORM; + rs->sr_err = op->o_bd->be_extended( op, rs ); } - return rc; + return rs->sr_err; } int slap_passwd_parse( struct berval *reqdata, - struct berval **id, - struct berval **old, - struct berval **new, - char **text ) + struct berval *id, + struct berval *oldpass, + struct berval *newpass, + const char **text ) { int rc = LDAP_SUCCESS; ber_tag_t tag; ber_len_t len; - BerElement *ber; - - assert( reqdata != NULL ); + char berbuf[LBER_ELEMENT_SIZEOF]; + BerElement *ber = (BerElement *)berbuf; - ber = ber_init( reqdata ); + if( reqdata == NULL ) { + return LDAP_SUCCESS; + } - if( ber == NULL ) { - Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ber_init failed\n", - 0, 0, 0 ); - *text = ch_strdup("password decoding error"); + if( reqdata->bv_len == 0 ) { + *text = "empty request data field"; return LDAP_PROTOCOL_ERROR; } - tag = ber_scanf(ber, "{" /*}*/); + /* ber_init2 uses reqdata directly, doesn't allocate new buffers */ + ber_init2( ber, reqdata, 0 ); - if( tag == LBER_ERROR ) { - goto decoding_error; - } + tag = ber_scanf( ber, "{" /*}*/ ); - tag = ber_peek_tag( ber, &len ); + if( tag != LBER_ERROR ) { + tag = ber_peek_tag( ber, &len ); + } - if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID ) { + if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) { if( id == NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: ID not allowed.\n", 0, 0, 0 ); +#else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n", 0, 0, 0 ); +#endif + *text = "user must change own password"; rc = LDAP_UNWILLING_TO_PERFORM; goto done; } - tag = ber_scanf( ber, "O", id ); + tag = ber_scanf( ber, "m", id ); if( tag == LBER_ERROR ) { +#ifdef NEW_LOGGING + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: ID parse failed.\n", 0, 0, 0 ); +#else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n", 0, 0, 0 ); +#endif + goto decoding_error; } tag = ber_peek_tag( ber, &len); } - if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_OLD ) { - if( old == NULL ) { + if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) { + if( oldpass == NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: OLD not allowed.\n" , 0, 0, 0 ); +#else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n", 0, 0, 0 ); +#endif + *text = "use bind to verify old password"; rc = LDAP_UNWILLING_TO_PERFORM; goto done; } - tag = ber_scanf( ber, "O", old ); + tag = ber_scanf( ber, "m", oldpass ); if( tag == LBER_ERROR ) { +#ifdef NEW_LOGGING + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: ID parse failed.\n" , 0, 0, 0 ); +#else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n", 0, 0, 0 ); +#endif + goto decoding_error; } - tag = ber_peek_tag( ber, &len); + tag = ber_peek_tag( ber, &len ); } - if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW ) { - if( new == NULL ) { + if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) { + if( newpass == NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: NEW not allowed.\n", 0, 0, 0 ); +#else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n", 0, 0, 0 ); +#endif + *text = "user specified passwords disallowed"; rc = LDAP_UNWILLING_TO_PERFORM; goto done; } - tag = ber_scanf( ber, "O", new ); + tag = ber_scanf( ber, "m", newpass ); if( tag == LBER_ERROR ) { +#ifdef NEW_LOGGING + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: OLD parse failed.\n", 0, 0, 0 ); +#else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n", 0, 0, 0 ); +#endif + goto decoding_error; } @@ -145,83 +196,141 @@ int slap_passwd_parse( struct berval *reqdata, if( len != 0 ) { decoding_error: +#ifdef NEW_LOGGING + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: decoding error, len=%ld\n", (long)len, 0, 0 ); +#else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: decoding error, len=%ld\n", (long) len, 0, 0 ); +#endif - *text = ch_strdup("data decoding error"); + *text = "data decoding error"; rc = LDAP_PROTOCOL_ERROR; } done: - if( rc != LDAP_SUCCESS ) { - if( id != NULL ) { - ber_bvfree( *id ); - *id = NULL; - } + return rc; +} - if( old != NULL ) { - ber_bvfree( *old ); - *old = NULL; - } +struct berval * slap_passwd_return( + struct berval *cred ) +{ + int rc; + struct berval *bv = NULL; + char berbuf[LBER_ELEMENT_SIZEOF]; + /* opaque structure, size unknown but smaller than berbuf */ + BerElement *ber = (BerElement *)berbuf; + + assert( cred != NULL ); + +#ifdef NEW_LOGGING + LDAP_LOG( OPERATION, ENTRY, + "slap_passwd_return: %ld\n",(long)cred->bv_len, 0, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n", + (long) cred->bv_len, 0, 0 ); +#endif + + ber_init_w_nullc( ber, LBER_USE_DER ); - if( new != NULL ) { - ber_bvfree( *new ); - *new = NULL; - } + rc = ber_printf( ber, "{tON}", + LDAP_TAG_EXOP_MODIFY_PASSWD_GEN, cred ); + + if( rc >= 0 ) { + (void) ber_flatten( ber, &bv ); } - ber_free( ber, 1 ); - return rc; -} + ber_free_buf( ber ); -int -slap_passwd_init( void ) -{ - return load_extop( LDAP_EXOP_X_MODIFY_PASSWD, passwd_main ); + return bv; } int slap_passwd_check( + Connection *conn, Attribute *a, struct berval *cred ) { - int i; - for ( i = 0; a->a_vals[i] != NULL; i++ ) { - int result; + int result = 1; + struct berval *bv; -#ifdef SLAPD_CRYPT - ldap_pvt_thread_mutex_lock( &crypt_mutex ); +#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) + ldap_pvt_thread_mutex_lock( &passwd_mutex ); +#ifdef SLAPD_SPASSWD + lutil_passwd_sasl_conn = conn->c_sasl_context; #endif - - result = lutil_passwd( a->a_vals[i], cred, NULL ); - -#ifdef SLAPD_CRYPT - ldap_pvt_thread_mutex_unlock( &crypt_mutex ); #endif - return result; + for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) { + if( !lutil_passwd( bv, cred, NULL ) ) { + result = 0; + break; + } } - return( 1 ); +#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) +#ifdef SLAPD_SPASSWD + lutil_passwd_sasl_conn = NULL; +#endif + ldap_pvt_thread_mutex_unlock( &passwd_mutex ); +#endif + + return result; } -struct berval * slap_passwd_generate( - struct berval * cred ) +void +slap_passwd_generate( struct berval *pass ) { - char* hash = default_passwd_hash ? default_passwd_hash : "{SSHA}"; + struct berval *tmp; +#ifdef NEW_LOGGING + LDAP_LOG( OPERATION, ENTRY, "slap_passwd_generate: begin\n", 0, 0, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 ); +#endif + /* + * generate passwords of only 8 characters as some getpass(3) + * implementations truncate at 8 characters. + */ + tmp = lutil_passwd_generate( 8 ); + if (tmp) { + *pass = *tmp; + free(tmp); + } else { + pass->bv_val = NULL; + pass->bv_len = 0; + } +} - struct berval *new; +void +slap_passwd_hash( + struct berval * cred, + struct berval * new ) +{ + struct berval *tmp; +#ifdef LUTIL_SHA1_BYTES + char* hash = default_passwd_hash ? default_passwd_hash : "{SSHA}"; +#else + char* hash = default_passwd_hash ? default_passwd_hash : "{SMD5}"; +#endif + -#ifdef SLAPD_CRYPT - ldap_pvt_thread_mutex_lock( &crypt_mutex ); +#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) + ldap_pvt_thread_mutex_lock( &passwd_mutex ); #endif - new = lutil_passwd_generate( cred , hash ); + tmp = lutil_passwd_hash( cred , hash ); -#ifdef SLAPD_CRYPT - ldap_pvt_thread_mutex_unlock( &crypt_mutex ); +#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) + ldap_pvt_thread_mutex_unlock( &passwd_mutex ); #endif - return new; + if( tmp == NULL ) { + new->bv_len = 0; + new->bv_val = NULL; + } + + *new = *tmp; + free( tmp ); + return; }