#define NSLCD_RESULT_END 3 /* key was not found */
#define NSLCD_RESULT_SUCCESS 0 /* everything ok */
+/* Partial list of PAM result codes. */
+#define NSLCD_PAM_SUCCESS 0 /* everything ok */
+#define NSLCD_PAM_PERM_DENIED 6 /* Permission denied */
+#define NSLCD_PAM_AUTH_ERR 7 /* Authc failure */
+#define NSLCD_PAM_CRED_INSUFFICIENT 8 /* Cannot access authc data */
+#define NSLCD_PAM_AUTHINFO_UNAVAIL 9 /* Cannot retrieve authc info */
+#define NSLCD_PAM_USER_UNKNOWN 10 /* User not known */
+#define NSLCD_PAM_MAXTRIES 11 /* Retry limit reached */
+#define NSLCD_PAM_NEW_AUTHTOK_REQD 12 /* Password expired */
+#define NSLCD_PAM_ACCT_EXPIRED 13 /* Account expired */
+#define NSLCD_PAM_SESSION_ERR 14 /* Cannot make/remove session record */
+#define NSLCD_PAM_AUTHTOK_DISABLE_AGING 23 /* Password aging disabled */
+#define NSLCD_PAM_IGNORE 25 /* Ignore module */
+#define NSLCD_PAM_ABORT 26 /* Fatal error */
+
#endif /* not _NSLCD_H */
char buf[1024];
} pld_ctx;
+static int nslcd2pam_rc(int rc)
+{
+#define map(i) case NSLCD_##i : rc = i; break
+ switch(rc) {
+ map(PAM_SUCCESS);
+ map(PAM_PERM_DENIED);
+ map(PAM_AUTH_ERR);
+ map(PAM_CRED_INSUFFICIENT);
+ map(PAM_AUTHINFO_UNAVAIL);
+ map(PAM_USER_UNKNOWN);
+ map(PAM_MAXTRIES);
+ map(PAM_NEW_AUTHTOK_REQD);
+ map(PAM_ACCT_EXPIRED);
+ map(PAM_SESSION_ERR);
+ map(PAM_AUTHTOK_DISABLE_AGING);
+ map(PAM_IGNORE);
+ map(PAM_ABORT);
+ }
+ return rc;
+}
+
static void pam_clr_ctx(
pld_ctx *ctx)
{
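Review bot: nslcd2pam_rc passes any value it does not recognise through unchanged as a PAM return code, because the switch has no `default:` arm, and its input is the integer read off the nslcd socket (the callers in the following hunks do `READ_INT32(fp,ctx->authok)` / `READ_INT32(fp,ctx->authz)` and then translate). The NSLCD_PAM_* numbers in this patch appear to coincide with Linux-PAM's, so the pass-through is harmless there, but on a PAM library with different numbering, or with a buggy or compromised daemon, an unmapped code becomes whatever PAM_* shares that number, which need not be a denial. Fail closed instead: `default: rc = PAM_SYSTEM_ERR; break;` (or PAM_ABORT, which the list already maps), and `#undef map` after the switch so the short macro name does not leak into the rest of pam.c. A one-line comment above the function should also state that NSLCD_PAM_* values are wire-protocol constants that must stay stable independently of the local PAM numbering, which is the reason this translation exists.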
READ_INT32(fp,ctx->authok);
READ_INT32(fp,ctx->authz);
READ_STRING_BUF(fp,ctx->authzmsg);
+ ctx->authok = nslcd2pam_rc(ctx->authok);
+ ctx->authz = nslcd2pam_rc(ctx->authz);
return NSS_STATUS_SUCCESS;
}
READ_STRING_BUF(fp,ctx->dn);
READ_INT32(fp,ctx->authz);
READ_STRING_BUF(fp,ctx->authzmsg);
+ ctx->authz = nslcd2pam_rc(ctx->authz);
return NSS_STATUS_SUCCESS;
}
READ_STRING_BUF(fp,ctx->dn);
READ_INT32(fp,ctx->authz);
READ_STRING_BUF(fp,ctx->authzmsg);
+ ctx->authz = nslcd2pam_rc(ctx->authz);
return NSS_STATUS_SUCCESS;
}
#include "nssov.h"
#include "lutil.h"
-#include <security/pam_modules.h>
-
static int ppolicy_cid;
static AttributeDescription *ad_loginStatus;
pi->msg.bv_len = sprintf(pi->msg.bv_val,
"Password expired; %d grace logins remaining",
grace);
- pi->authz = PAM_NEW_AUTHTOK_REQD;
+ pi->authz = NSLCD_PAM_NEW_AUTHTOK_REQD;
} else if (error != PP_noError) {
ber_str2bv(ldap_passwordpolicy_err2txt(error), 0, 0,
&pi->msg);
rs->sr_err = LDAP_SUCCESS;
/* fallthru */
case PP_changeAfterReset:
- pi->authz = PAM_NEW_AUTHTOK_REQD;
+ pi->authz = NSLCD_PAM_NEW_AUTHTOK_REQD;
}
}
}
pi->msg.bv_val = pi->pwd.bv_val;
pi->msg.bv_len = 0;
- pi->authz = PAM_SUCCESS;
+ pi->authz = NSLCD_PAM_SUCCESS;
BER_BVZERO(&pi->dn);
if (!isvalidusername(&pi->uid)) {
Debug(LDAP_DEBUG_ANY,"nssov_pam_do_bind(%s): invalid user name\n",
pi->uid.bv_val,0,0);
- rc = PAM_USER_UNKNOWN;
+ rc = NSLCD_PAM_USER_UNKNOWN;
goto finish;
}
}
BER_BVZERO(&sdn);
if (BER_BVISEMPTY(&pi->dn)) {
- rc = PAM_USER_UNKNOWN;
+ rc = NSLCD_PAM_USER_UNKNOWN;
goto finish;
}
if (BER_BVISEMPTY(&pi->pwd)) {
- rc = PAM_IGNORE;
+ rc = NSLCD_PAM_IGNORE;
goto finish;
}
if (rc == LDAP_SUCCESS)
send_ldap_result(op, &rs);
switch(rs.sr_err) {
- case LDAP_SUCCESS: rc = PAM_SUCCESS; break;
- case LDAP_INVALID_CREDENTIALS: rc = PAM_AUTH_ERR; break;
- default: rc = PAM_AUTH_ERR; break;
+ case LDAP_SUCCESS: rc = NSLCD_PAM_SUCCESS; break;
+ case LDAP_INVALID_CREDENTIALS: rc = NSLCD_PAM_AUTH_ERR; break;
+ default: rc = NSLCD_PAM_AUTH_ERR; break;
}
finish:
return rc;
char dnc[1024];
char uidc[32];
char svcc[256];
- int rc = PAM_SUCCESS;
+ int rc = NSLCD_PAM_SUCCESS;
Entry *e = NULL;
Attribute *a;
SlapReply rs = {REP_RESULT};
/* We don't do authorization if they weren't authenticated by us */
if (BER_BVISEMPTY(&dn)) {
- rc = PAM_USER_UNKNOWN;
+ rc = NSLCD_PAM_USER_UNKNOWN;
goto finish;
}
/* no host entry, no default host -> deny */
if (BER_BVISEMPTY(&hostdn)) {
- rc = PAM_PERM_DENIED;
+ rc = NSLCD_PAM_PERM_DENIED;
authzmsg = hostmsg;
goto finish;
}
rc = op->o_bd->be_compare( op, &rs );
if ( rs.sr_err != LDAP_COMPARE_TRUE ) {
authzmsg = svcmsg;
- rc = PAM_PERM_DENIED;
+ rc = NSLCD_PAM_PERM_DENIED;
goto finish;
}
op->o_dn = odn;
rc = op->o_bd->be_compare( op, &rs );
if ( rs.sr_err != LDAP_COMPARE_TRUE ) {
authzmsg = grpmsg;
- rc = PAM_PERM_DENIED;
+ rc = NSLCD_PAM_PERM_DENIED;
goto finish;
}
}
ni->ni_pam_min_uid || ni->ni_pam_max_uid ) {
rc = be_entry_get_rw( op, &dn, NULL, NULL, 0, &e );
if (rc != LDAP_SUCCESS) {
- rc = PAM_USER_UNKNOWN;
+ rc = NSLCD_PAM_USER_UNKNOWN;
goto finish;
}
}
if (!a || value_find_ex( nssov_pam_host_ad,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
a->a_vals, &global_host_bv, op->o_tmpmemctx )) {
- rc = PAM_PERM_DENIED;
+ rc = NSLCD_PAM_PERM_DENIED;
authzmsg = hostmsg;
goto finish;
}
if (!a || value_find_ex( nssov_pam_svc_ad,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
a->a_vals, &svc, op->o_tmpmemctx )) {
- rc = PAM_PERM_DENIED;
+ rc = NSLCD_PAM_PERM_DENIED;
authzmsg = svcmsg;
goto finish;
}
nssov_mapinfo *mi = &ni->ni_maps[NM_host];
a = attr_find(e->e_attrs, mi->mi_attrs[UIDN_KEY].an_desc);
if (!a) {
- rc = PAM_PERM_DENIED;
+ rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
id = (int)strtol(a->a_vals[0].bv_val,&tmp,0);
if (a->a_vals[0].bv_val[0] == '\0' || *tmp != '\0') {
- rc = PAM_PERM_DENIED;
+ rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
if ((ni->ni_pam_min_uid && id < ni->ni_pam_min_uid) ||
(ni->ni_pam_max_uid && id > ni->ni_pam_max_uid)) {
- rc = PAM_PERM_DENIED;
+ rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
/* This is a prelim check */
if (BER_BVISEMPTY(&pi.dn)) {
rc = pam_do_bind(ni,fp,op,&pi);
- if (rc == PAM_IGNORE)
- rc = PAM_SUCCESS;
+ if (rc == NSLCD_PAM_IGNORE)
+ rc = NSLCD_PAM_SUCCESS;
} else {
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
if (rs.sr_text)
ber_str2bv(rs.sr_text, 0, 0, &pi.msg);
if (rc == LDAP_SUCCESS)
- rc = PAM_SUCCESS;
+ rc = NSLCD_PAM_SUCCESS;
else
- rc = PAM_PERM_DENIED;
+ rc = NSLCD_PAM_PERM_DENIED;
}
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD);