From: Pierangelo Masarati Date: Sat, 12 Nov 2005 16:18:09 +0000 (+0000) Subject: add support for "sambaPwdMustChange"; add support for back-config X-Git-Tag: OPENLDAP_REL_ENG_2_2_MP~38 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=29fab9cfd4513ed3004e7e28141fbad93969c113;p=openldap add support for "sambaPwdMustChange"; add support for back-config --- diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README index 8ccad2f05a..8031f534cf 100644 --- a/contrib/slapd-modules/smbk5pwd/README +++ b/contrib/slapd-modules/smbk5pwd/README @@ -42,7 +42,38 @@ To use the overlay, add: to your slapd configuration file. (You should obtain the necessary schema files from the Heimdal and/or Samba distributions. At this time, there are several known errors in these schema files that you will have to -correct before they will load in slapd.) +correct before they will load in slapd. As of Samba 3.0 the schema looks +fine as shipped.) + +All modules compiled in (i.e. krb5 and samba) are enabled; the statement + + smbk5pwd-enable + +can be used to enable only the desired one(s); legal values for +are "krb5" and "samba", if they are respectively enabled by defining +DO_KRB5 and DO_SAMBA. + +The samba module also supports the + + smbk5pwd-must-change + +which sets the "sambaPwdMustChange" attribute accordingly to force passwd +expiry. A value of 0 disables this feature. + +The overlay now supports table-driven configuration, and thus can be run-time +loaded and configured via back-config. The layout of the entry is + + # {0}smbk5pwd, {1}bdb, config + dn: olcOverlay={0}smbk5pwd,olcDatabase={1}bdb,cn=config + objectClass: olcOverlayConfig + objectClass: olcSmbK5PwdConfig + olcOverlay: {0}smbk5pwd + olcSmbK5PwdEnable: krb5 + olcSmbK5PwdEnable: samba + olcSmbK5PwdMustChange: 2592000 + +which enables both krb5 and samba modules with a password expiry time +of 30 days. The provided Makefile builds both Kerberos and Samba support by default. You must edit the Makefile to insure that the correct include and library diff --git a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c index 9e8f27c7df..af9988387b 100644 --- a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c +++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c @@ -25,6 +25,8 @@ #include #include +#include "config.h" + #ifdef DO_KRB5 #include #include @@ -62,16 +64,41 @@ static ObjectClass *oc_krb5KDCEntry; static AttributeDescription *ad_sambaLMPassword; static AttributeDescription *ad_sambaNTPassword; static AttributeDescription *ad_sambaPwdLastSet; +static AttributeDescription *ad_sambaPwdMustChange; static ObjectClass *oc_sambaSamAccount; #endif -#if 0 -static void smbk5pwd_destroy() { - kadm5_destroy(kadm_context); - krb5_free_context(context); -} +/* Per-instance configuration information */ +typedef struct smbk5pwd_t { + unsigned mode; +#define SMBK5PWD_F_KRB5 (0x1U) +#define SMBK5PWD_F_SAMBA (0x2U) + +#define SMBK5PWD_DO_KRB5(pi) ((pi)->mode & SMBK5PWD_F_KRB5) +#define SMBK5PWD_DO_SAMBA(pi) ((pi)->mode & SMBK5PWD_F_SAMBA) + +#ifdef DO_KRB5 + /* nothing yet */ #endif +#ifdef DO_SAMBA + /* How many seconds before forcing a password change? */ + time_t smb_must_change; +#endif +} smbk5pwd_t; + +static const unsigned SMBK5PWD_F_ALL = + 0 +#ifdef DO_KRB5 + | SMBK5PWD_F_KRB5 +#endif +#ifdef DO_SAMBA + | SMBK5PWD_F_SAMBA +#endif +; + +static int smbk5pwd_modules_init( smbk5pwd_t *pi ); + #ifdef DO_SAMBA static const char hex[] = "0123456789abcdef"; @@ -312,6 +339,7 @@ static int smbk5pwd_exop_passwd( Entry *e; Modifications *ml; slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + smbk5pwd_t *pi = on->on_bi.bi_private; /* Not the operation we expected, pass it on... */ if ( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) ) { @@ -331,6 +359,8 @@ static int smbk5pwd_exop_passwd( int kvno, i; Attribute *a; + if ( !SMBK5PWD_DO_KRB5( pi ) ) break; + if ( !is_entry_objectclass(e, oc_krb5KDCEntry, 0 ) ) break; a = attr_find( e->e_attrs, ad_krb5PrincipalName ); @@ -402,12 +432,12 @@ static int smbk5pwd_exop_passwd( "%d", kvno+1 ); BER_BVZERO( &ml->sml_values[1] ); ml->sml_nvalues = NULL; - } while(0); + } while ( 0 ); #endif /* DO_KRB5 */ #ifdef DO_SAMBA /* Samba stuff */ - if ( is_entry_objectclass(e, oc_sambaSamAccount, 0 ) ) { + if ( SMBK5PWD_DO_SAMBA( pi ) && is_entry_objectclass(e, oc_sambaSamAccount, 0 ) ) { struct berval *keys; ber_len_t j,l; wchar_t *wcs, wc; @@ -494,6 +524,28 @@ static int smbk5pwd_exop_passwd( #endif ml->sml_values = keys; ml->sml_nvalues = NULL; + + if (pi->smb_must_change) + { + ml = ch_malloc(sizeof(Modifications)); + ml->sml_next = qpw->rs_mods; + qpw->rs_mods = ml; + + keys = ch_malloc( 2 * sizeof(struct berval) ); + keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 ); + keys[0].bv_len = snprintf(keys[0].bv_val, + STRLENOF( "9223372036854775807L" ) + 1, + "%ld", slap_get_time() + pi->smb_must_change); + BER_BVZERO( &keys[1] ); + + ml->sml_desc = ad_sambaPwdMustChange; + ml->sml_op = LDAP_MOD_REPLACE; +#ifdef SLAP_MOD_INTERNAL + ml->sml_flags = SLAP_MOD_INTERNAL; +#endif + ml->sml_values = keys; + ml->sml_nvalues = NULL; + } } #endif /* DO_SAMBA */ be_entry_release_r( op, e ); @@ -503,67 +555,358 @@ static int smbk5pwd_exop_passwd( static slap_overinst smbk5pwd; -int smbk5pwd_init() { - int rc; - const char *text; +/* back-config stuff */ +enum { + PC_SMB_MUST_CHANGE = 1, + PC_SMB_ENABLE +}; -#ifdef DO_KRB5 - krb5_error_code ret; - extern HDB * _kadm5_s_get_db(void *); - - /* Make sure all of our necessary schema items are loaded */ - oc_krb5KDCEntry = oc_find("krb5KDCEntry"); - if ( !oc_krb5KDCEntry ) return -1; - - rc = slap_str2ad( "krb5Key", &ad_krb5Key, &text ); - if ( rc ) return rc; - rc = slap_str2ad( "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber, &text ); - if ( rc ) return rc; - rc = slap_str2ad( "krb5PrincipalName", &ad_krb5PrincipalName, &text ); - if ( rc ) return rc; - - /* Initialize Kerberos context */ - ret = krb5_init_context(&context); - if (ret) { - return -1; +static ConfigDriver smbk5pwd_cf_func; + +/* + * NOTE: uses OID arcs OLcfgOvAt:6 and OLcfgOvOc:6 + */ + +static ConfigTable smbk5pwd_cfats[] = { + { "smbk5pwd-enable", "arg", + 2, 0, 0, ARG_MAGIC|PC_SMB_ENABLE, smbk5pwd_cf_func, + "( OLcfgOvAt:6.1 NAME 'olcSmbK5PwdEnable' " + "DESC 'Modules to be enabled' " + "SYNTAX OMsDirectoryString )", NULL, NULL }, + { "smbk5pwd-must-change", "time", + 2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_MUST_CHANGE, smbk5pwd_cf_func, + "( OLcfgOvAt:6.2 NAME 'olcSmbK5PwdMustChange' " + "DESC 'Credentials validity interval' " + "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, + + { NULL, NULL, 0, 0, 0, ARG_IGNORED } +}; + +static ConfigOCs smbk5pwd_cfocs[] = { + { "( OLcfgOvOc:6.1 " + "NAME 'olcSmbK5PwdConfig' " + "DESC 'smbk5pwd overlay configuration' " + "SUP olcOverlayConfig " + "MAY ( " + "olcSmbK5PwdEnable " + "$ olcSmbK5PwdMustChange " + ") )", Cft_Overlay, smbk5pwd_cfats }, + + { NULL, 0, NULL } +}; + +/* + * add here other functionalities; handle their initialization + * as appropriate in FIXME + */ +static slap_verbmasks smbk5pwd_modules[] = { + { BER_BVC( "krb5" ), SMBK5PWD_F_KRB5 }, + { BER_BVC( "samba" ), SMBK5PWD_F_SAMBA }, + { BER_BVNULL, -1 } +}; + +static int +smbk5pwd_cf_func( ConfigArgs *c ) +{ + slap_overinst *on = (slap_overinst *)c->bi; + + int rc = 0; + smbk5pwd_t *pi = on->on_bi.bi_private; + + if ( c->op == SLAP_CONFIG_EMIT ) { + switch( c->type ) { + case PC_SMB_MUST_CHANGE: +#ifdef DO_SAMBA + c->value_int = pi->smb_must_change; +#else /* ! DO_SAMBA */ + c->value_int = 0; +#endif /* ! DO_SAMBA */ + break; + + case PC_SMB_ENABLE: + c->rvalue_vals = NULL; + if ( pi->mode ) { + mask_to_verbs( smbk5pwd_modules, pi->mode, &c->rvalue_vals ); + if ( c->rvalue_vals == NULL ) { + rc = 1; + } + } + break; + + default: + assert( 0 ); + rc = 1; + } + return rc; + + } else if ( c->op == LDAP_MOD_DELETE ) { + switch( c->type ) { + case PC_SMB_MUST_CHANGE: + break; + + case PC_SMB_ENABLE: + if ( !c->line ) { + pi->mode = 0; + + } else { + slap_mask_t m; + + m = verb_to_mask( c->line, smbk5pwd_modules ); + pi->mode &= ~m; + } + break; + + default: + assert( 0 ); + rc = 1; + } + return rc; + } + + switch( c->type ) { + case PC_SMB_MUST_CHANGE: +#ifdef DO_SAMBA + pi->smb_must_change = c->value_int; +#else /* ! DO_SAMBA */ + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> only meaningful " + "when compiled with -DDO_SAMBA.\n", + c->log, c->argv[ 0 ], 0 ); + return 1; +#endif /* ! DO_SAMBA */ + break; + + case PC_SMB_ENABLE: { + slap_mask_t m; + + rc = verbs_to_mask( c->argc, c->argv, smbk5pwd_modules, &m ); + if ( rc ) { + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> unknown module \"%s\".\n", + c->log, c->argv[ 0 ], c->argv[ rc ] ); + return 1; + } + pi->mode |= m; + +#ifndef DO_KRB5 + if ( SMBK5PWD_DO_KRB5( pi ) ) { + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> module \"%s\" only allowed when compiled with -DDO_KRB5.\n", + c->log, c->argv[ 0 ], c->argv[ i ] ); + return 1; + } +#endif /* ! DO_KRB5 */ + +#ifndef DO_SAMBA + if ( SMBK5PWD_DO_SAMBA( pi ) ) { + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> module \"%s\" only allowed when compiled with -DDO_SAMBA.\n", + c->log, c->argv[ 0 ], c->argv[ i ] ); + return 1; + } +#endif /* ! DO_SAMBA */ + + { + BackendDB db = *c->be; + + db.bd_info = (BackendInfo *)on; + rc = smbk5pwd_modules_init( pi ); + if ( rc ) { + return 1; + } + } + + } break; + + default: + assert( 0 ); + return 1; } + return rc; +} + +static int +smbk5pwd_modules_init( smbk5pwd_t *pi ) +{ + int rc; + const char *text; + +#ifdef DO_KRB5 + if ( SMBK5PWD_DO_KRB5( pi ) && oc_krb5KDCEntry == NULL ) { + krb5_error_code ret; + extern HDB *_kadm5_s_get_db(void *); + + /* Make sure all of our necessary schema items are loaded */ + oc_krb5KDCEntry = oc_find("krb5KDCEntry"); + if ( !oc_krb5KDCEntry ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"krb5KDCEntry\" objectClass.\n", + 0, 0, 0 ); + return -1; + } + + rc = slap_str2ad( "krb5Key", &ad_krb5Key, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"krb5Key\" attributeType: %s (%d).\n", + text, rc, 0 ); + return rc; + } - ret = kadm5_s_init_with_password_ctx( context, - KADM5_ADMIN_SERVICE, - NULL, - KADM5_ADMIN_SERVICE, - &conf, 0, 0, &kadm_context ); + rc = slap_str2ad( "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"krb5KeyVersionNumber\" attributeType: %s (%d).\n", + text, rc, 0 ); + return rc; + } + + rc = slap_str2ad( "krb5PrincipalName", &ad_krb5PrincipalName, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"krb5PrincipalName\" attributeType: %s (%d).\n", + text, rc, 0 ); + return rc; + } + + /* Initialize Kerberos context */ + ret = krb5_init_context(&context); + if (ret) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to initialize krb5 context.\n", + 0, 0, 0 ); + return -1; + } + + ret = kadm5_s_init_with_password_ctx( context, + KADM5_ADMIN_SERVICE, + NULL, + KADM5_ADMIN_SERVICE, + &conf, 0, 0, &kadm_context ); - db = _kadm5_s_get_db(kadm_context); + db = _kadm5_s_get_db(kadm_context); + } #endif /* DO_KRB5 */ #ifdef DO_SAMBA - oc_sambaSamAccount = oc_find("sambaSamAccount"); - if ( !oc_sambaSamAccount ) return -1; - - rc = slap_str2ad( "sambaLMPassword", &ad_sambaLMPassword, &text ); - if ( rc ) return rc; - rc = slap_str2ad( "sambaNTPassword", &ad_sambaNTPassword, &text ); - if ( rc ) return rc; - rc = slap_str2ad( "sambaPwdLastSet", &ad_sambaPwdLastSet, &text ); - if ( rc ) return rc; + if ( SMBK5PWD_DO_SAMBA( pi ) && oc_sambaSamAccount == NULL ) { + oc_sambaSamAccount = oc_find( "sambaSamAccount" ); + if ( !oc_sambaSamAccount ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"sambaSamAccount\" objectClass.\n", + 0, 0, 0 ); + return -1; + } + + rc = slap_str2ad( "sambaLMPassword", &ad_sambaLMPassword, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"sambaLMPassword\" attributeType: %s (%d).\n", + text, rc, 0 ); + return rc; + } + + rc = slap_str2ad( "sambaNTPassword", &ad_sambaNTPassword, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"sambaLMPassword\" attributeType: %s (%d).\n", + text, rc, 0 ); + return rc; + } + + rc = slap_str2ad( "sambaPwdLastSet", &ad_sambaPwdLastSet, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"sambaLMPassword\" attributeType: %s (%d).\n", + text, rc, 0 ); + return rc; + } + } #endif /* DO_SAMBA */ + return 0; +} + +static int +smbk5pwd_db_init(BackendDB *be) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + smbk5pwd_t *pi; + + pi = ch_calloc( 1, sizeof( smbk5pwd_t ) ); + if ( pi == NULL ) { + return 1; + } + on->on_bi.bi_private = (void *)pi; + + return 0; +} + +static int +smbk5pwd_db_open(BackendDB *be) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private; + + int rc; + + if ( pi->mode == 0 ) { + pi->mode = SMBK5PWD_F_ALL; + } + + rc = smbk5pwd_modules_init( pi ); + if ( rc ) { + return rc; + } + + return 0; +} + +static int +smbk5pwd_db_destroy(BackendDB *be) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private; + + if ( pi ) { + ch_free( pi ); + } + + return 0; +} + +int +smbk5pwd_initialize(void) +{ + int rc; + smbk5pwd.on_bi.bi_type = "smbk5pwd"; - smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd; + smbk5pwd.on_bi.bi_db_init = smbk5pwd_db_init; + smbk5pwd.on_bi.bi_db_open = smbk5pwd_db_open; + smbk5pwd.on_bi.bi_db_destroy = smbk5pwd_db_destroy; + + smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd; + #ifdef DO_KRB5 smbk5pwd.on_bi.bi_op_bind = smbk5pwd_op_bind; lutil_passwd_add( (struct berval *)&k5key_scheme, k5key_chk, k5key_hash ); #endif + smbk5pwd.on_bi.bi_cf_ocs = smbk5pwd_cfocs; + + rc = config_register_schema( smbk5pwd_cfats, smbk5pwd_cfocs ); + if ( rc ) { + return rc; + } + return overlay_register( &smbk5pwd ); } #if SLAPD_OVER_SMBK5PWD == SLAPD_MOD_DYNAMIC int init_module(int argc, char *argv[]) { - return smbk5pwd_init(); + return smbk5pwd_initialize(); } #endif