X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fpasswd.c;h=f45b974272d4bb57a657a29aea2d56f4c2313c0f;hb=82540c5cc1be5bf17b22f3a41d12d1bc56180654;hp=6e0b31b0e338bc53db8e096e3662010137f67a19;hpb=87dc3e20918a8a15bd1cc74a00412f1f53677827;p=openldap diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c index 6e0b31b0e3..f45b974272 100644 --- a/servers/slapd/passwd.c +++ b/servers/slapd/passwd.c @@ -1,7 +1,7 @@ /* bind.c - ldbm backend bind and unbind routines */ /* $OpenLDAP$ */ /* - * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ @@ -16,6 +16,7 @@ #include "slap.h" +#include #include int passwd_extop( @@ -26,85 +27,100 @@ int passwd_extop( struct berval **rspdata, LDAPControl ***rspctrls, const char **text, - struct berval ***refs ) + BerVarray *refs ) { + Backend *be; int rc; assert( reqoid != NULL ); - assert( strcmp( LDAP_EXOP_X_MODIFY_PASSWD, reqoid ) == 0 ); + assert( strcmp( LDAP_EXOP_MODIFY_PASSWD, reqoid ) == 0 ); - if( op->o_dn == NULL || op->o_dn[0] == '\0' ) { - *text = "only authenicated users may change passwords"; + if( op->o_dn.bv_len == 0 ) { + *text = "only authenticated users may change passwords"; return LDAP_STRONG_AUTH_REQUIRED; } - if( conn->c_authz_backend != NULL && conn->c_authz_backend->be_extended ) { - if( conn->c_authz_backend->be_restrictops & SLAP_RESTRICT_OP_MODIFY ) { - *text = "authorization database is read only"; - rc = LDAP_UNWILLING_TO_PERFORM; + ldap_pvt_thread_mutex_lock( &conn->c_mutex ); + be = conn->c_authz_backend; + ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); - } else if( conn->c_authz_backend->be_update_ndn != NULL ) { - /* we SHOULD return a referral in this case */ - *refs = conn->c_authz_backend->be_update_refs; - rc = LDAP_REFERRAL; + if( be && !be->be_extended ) { + *text = "operation not supported for current user"; + return LDAP_UNWILLING_TO_PERFORM; + } - } else { - rc = conn->c_authz_backend->be_extended( - conn->c_authz_backend, conn, op, - reqoid, reqdata, - rspoid, rspdata, rspctrls, - text, refs ); - } + { + struct berval passwd = BER_BVC( LDAP_EXOP_MODIFY_PASSWD ); + rc = backend_check_restrictions( be, conn, op, &passwd, text ); + } + + if( rc != LDAP_SUCCESS ) { + return rc; + } + + if( be == NULL ) { +#ifdef HAVE_CYRUS_SASL + rc = slap_sasl_setpass( conn, op, + reqoid, reqdata, + rspoid, rspdata, rspctrls, + text ); +#else + *text = "no authz backend"; + rc = LDAP_OTHER; +#endif + + } else if( be->be_update_ndn.bv_len ) { + /* we SHOULD return a referral in this case */ + *refs = referral_rewrite( be->be_update_refs, + NULL, NULL, LDAP_SCOPE_DEFAULT ); + rc = LDAP_REFERRAL; } else { - *text = "operation not supported for current user"; - rc = LDAP_UNWILLING_TO_PERFORM; + rc = be->be_extended( + be, conn, op, + reqoid, reqdata, + rspoid, rspdata, rspctrls, + text, refs ); } return rc; } int slap_passwd_parse( struct berval *reqdata, - struct berval **id, - struct berval **oldpass, - struct berval **newpass, + struct berval *id, + struct berval *oldpass, + struct berval *newpass, const char **text ) { int rc = LDAP_SUCCESS; ber_tag_t tag; ber_len_t len; - BerElement *ber; + char berbuf[256]; + BerElement *ber = (BerElement *)berbuf; if( reqdata == NULL ) { return LDAP_SUCCESS; } - ber = ber_init( reqdata ); - - if( ber == NULL ) { -#ifdef NEW_LOGGING - LDAP_LOG(( "operation", LDAP_LEVEL_ERR, - "slap_passwd_parse: ber_init failed\n" )); -#else - Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ber_init failed\n", - 0, 0, 0 ); -#endif - - *text = "password decoding error"; + if( reqdata->bv_len == 0 ) { + *text = "empty request data field"; return LDAP_PROTOCOL_ERROR; } + /* ber_init2 uses reqdata directly, doesn't allocate new buffers */ + ber_init2( ber, reqdata, 0 ); + tag = ber_scanf( ber, "{" /*}*/ ); if( tag != LBER_ERROR ) { tag = ber_peek_tag( ber, &len ); } - if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID ) { + if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) { if( id == NULL ) { #ifdef NEW_LOGGING - LDAP_LOG(( "operation", LDAP_LEVEL_ERR, - "slap_passwd_parse: ID not allowed.\n")); + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: ID not allowed.\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n", 0, 0, 0 ); @@ -115,12 +131,12 @@ int slap_passwd_parse( struct berval *reqdata, goto done; } - tag = ber_scanf( ber, "O", id ); + tag = ber_scanf( ber, "m", id ); if( tag == LBER_ERROR ) { #ifdef NEW_LOGGING - LDAP_LOG(( "operation", LDAP_LEVEL_ERR, - "slap_passwd_parse: ID parse failed.\n")); + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: ID parse failed.\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n", 0, 0, 0 ); @@ -132,11 +148,11 @@ int slap_passwd_parse( struct berval *reqdata, tag = ber_peek_tag( ber, &len); } - if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_OLD ) { + if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) { if( oldpass == NULL ) { #ifdef NEW_LOGGING - LDAP_LOG(( "operation", LDAP_LEVEL_ERR, - "slap_passwd_parse: OLD not allowed.\n" )); + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: OLD not allowed.\n" , 0, 0, 0 ); #else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n", 0, 0, 0 ); @@ -147,12 +163,12 @@ int slap_passwd_parse( struct berval *reqdata, goto done; } - tag = ber_scanf( ber, "O", oldpass ); + tag = ber_scanf( ber, "m", oldpass ); if( tag == LBER_ERROR ) { #ifdef NEW_LOGGING - LDAP_LOG(( "operation", LDAP_LEVEL_ERR, - "slap_passwd_parse: ID parse failed.\n" )); + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: ID parse failed.\n" , 0, 0, 0 ); #else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n", 0, 0, 0 ); @@ -161,14 +177,14 @@ int slap_passwd_parse( struct berval *reqdata, goto decoding_error; } - tag = ber_peek_tag( ber, &len); + tag = ber_peek_tag( ber, &len ); } - if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW ) { + if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) { if( newpass == NULL ) { #ifdef NEW_LOGGING - LDAP_LOG(( "operation", LDAP_LEVEL_ERR, - "slap_passwd_parse: NEW not allowed.\n" )); + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: NEW not allowed.\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n", 0, 0, 0 ); @@ -179,12 +195,12 @@ int slap_passwd_parse( struct berval *reqdata, goto done; } - tag = ber_scanf( ber, "O", newpass ); + tag = ber_scanf( ber, "m", newpass ); if( tag == LBER_ERROR ) { #ifdef NEW_LOGGING - LDAP_LOG(( "operation", LDAP_LEVEL_ERR, - "slap_passwd_parse: OLD parse failed.\n")); + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: OLD parse failed.\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n", 0, 0, 0 ); @@ -199,38 +215,19 @@ int slap_passwd_parse( struct berval *reqdata, if( len != 0 ) { decoding_error: #ifdef NEW_LOGGING - LDAP_LOG(( "operation", LDAP_LEVEL_ERR, - "slap_passwd_parse: decoding error, len=%ld\n", (long)len )); + LDAP_LOG( OPERATION, ERR, + "slap_passwd_parse: decoding error, len=%ld\n", (long)len, 0, 0 ); #else Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: decoding error, len=%ld\n", (long) len, 0, 0 ); #endif - *text = "data decoding error"; rc = LDAP_PROTOCOL_ERROR; } done: - if( rc != LDAP_SUCCESS ) { - if( id != NULL ) { - ber_bvfree( *id ); - *id = NULL; - } - - if( oldpass != NULL ) { - ber_bvfree( *oldpass ); - *oldpass = NULL; - } - - if( newpass != NULL ) { - ber_bvfree( *newpass ); - *newpass = NULL; - } - } - - ber_free( ber, 1 ); return rc; } @@ -238,33 +235,31 @@ struct berval * slap_passwd_return( struct berval *cred ) { int rc; - struct berval *bv; - BerElement *ber = ber_alloc_t(LBER_USE_DER); + struct berval *bv = NULL; + char berbuf[256]; + /* opaque structure, size unknown but smaller than berbuf */ + BerElement *ber = (BerElement *)berbuf; assert( cred != NULL ); #ifdef NEW_LOGGING - LDAP_LOG(( "operation", LDAP_LEVEL_ENTRY, - "slap_passwd_return: %ld\n",(long)cred->bv_len )); + LDAP_LOG( OPERATION, ENTRY, + "slap_passwd_return: %ld\n",(long)cred->bv_len, 0, 0 ); #else Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n", (long) cred->bv_len, 0, 0 ); #endif - - - if( ber == NULL ) return NULL; + ber_init_w_nullc( ber, LBER_USE_DER ); + rc = ber_printf( ber, "{tON}", - LDAP_TAG_EXOP_X_MODIFY_PASSWD_GEN, cred ); + LDAP_TAG_EXOP_MODIFY_PASSWD_GEN, cred ); - if( rc == -1 ) { - ber_free( ber, 1 ); - return NULL; + if( rc >= 0 ) { + (void) ber_flatten( ber, &bv ); } - (void) ber_flatten( ber, &bv ); - - ber_free( ber, 1 ); + ber_free_buf( ber ); return bv; } @@ -275,8 +270,8 @@ slap_passwd_check( Attribute *a, struct berval *cred ) { - int i; int result = 1; + struct berval *bv; #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) ldap_pvt_thread_mutex_lock( &passwd_mutex ); @@ -285,8 +280,8 @@ slap_passwd_check( #endif #endif - for ( i = 0; a->a_vals[i] != NULL; i++ ) { - if( !lutil_passwd( a->a_vals[i], cred, NULL ) ) { + for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) { + if( !lutil_passwd( bv, cred, NULL ) ) { result = 0; break; } @@ -302,26 +297,35 @@ slap_passwd_check( return result; } -struct berval * slap_passwd_generate( void ) +void +slap_passwd_generate( struct berval *pass ) { + struct berval *tmp; #ifdef NEW_LOGGING - LDAP_LOG(( "operation", LDAP_LEVEL_ENTRY, - "slap_passwd_generate: begin\n" )); + LDAP_LOG( OPERATION, ENTRY, "slap_passwd_generate: begin\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 ); #endif - - /* * generate passwords of only 8 characters as some getpass(3) * implementations truncate at 8 characters. */ - return lutil_passwd_generate( 8 ); + tmp = lutil_passwd_generate( 8 ); + if (tmp) { + *pass = *tmp; + free(tmp); + } else { + pass->bv_val = NULL; + pass->bv_len = 0; + } } -struct berval * slap_passwd_hash( - struct berval * cred ) +void +slap_passwd_hash( + struct berval * cred, + struct berval * new ) { + struct berval *tmp; #ifdef LUTIL_SHA1_BYTES char* hash = default_passwd_hash ? default_passwd_hash : "{SSHA}"; #else @@ -329,17 +333,22 @@ struct berval * slap_passwd_hash( #endif - struct berval *new; - #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) ldap_pvt_thread_mutex_lock( &passwd_mutex ); #endif - new = lutil_passwd_hash( cred , hash ); + tmp = lutil_passwd_hash( cred , hash ); #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) ldap_pvt_thread_mutex_unlock( &passwd_mutex ); #endif - return new; + if( tmp == NULL ) { + new->bv_len = 0; + new->bv_val = NULL; + } + + *new = *tmp; + free( tmp ); + return; }