From 0cfd2619c8e8f0d27b5efcb155b03b26b8470abd Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Mon, 23 Feb 2004 22:46:35 +0000 Subject: [PATCH] Sync with HEAD --- contrib/ldapc++/src/LDAPAttributeList.cpp | 8 +- contrib/ldapc++/src/LDAPAttributeList.h | 10 +- contrib/ldapc++/src/LDAPEntryList.h | 8 +- contrib/ldapc++/src/LDAPModList.cpp | 2 +- contrib/ldapc++/src/LDAPModList.h | 9 +- contrib/ldapc++/src/LDAPReferenceList.h | 8 +- contrib/ldapc++/src/LDAPUrlList.cpp | 2 +- contrib/ldapc++/src/LDAPUrlList.h | 8 +- contrib/ldapc++/src/Makefile.am | 2 +- contrib/ldapc++/src/StringList.cpp | 4 +- contrib/ldapc++/src/StringList.h | 4 +- contrib/slapd-modules/passwd/README | 34 ++++ contrib/slapd-modules/passwd/kerberos.c | 208 ++++++++++++++++++++++ contrib/slapd-modules/passwd/netscape.c | 80 +++++++++ 14 files changed, 354 insertions(+), 33 deletions(-) create mode 100644 contrib/slapd-modules/passwd/README create mode 100644 contrib/slapd-modules/passwd/kerberos.c create mode 100644 contrib/slapd-modules/passwd/netscape.c diff --git a/contrib/ldapc++/src/LDAPAttributeList.cpp b/contrib/ldapc++/src/LDAPAttributeList.cpp index 5d3b467748..235fef3a20 100644 --- a/contrib/ldapc++/src/LDAPAttributeList.cpp +++ b/contrib/ldapc++/src/LDAPAttributeList.cpp @@ -90,7 +90,7 @@ const LDAPAttribute* LDAPAttributeList::getAttributeByName( DEBUG(LDAP_DEBUG_TRACE,"LDAPAttribute::getAttributeByName()" << endl); DEBUG(LDAP_DEBUG_TRACE | LDAP_DEBUG_PARAMETER, " name:" << name << endl); - AttrList::const_iterator i; + LDAPAttributeList::const_iterator i; for( i = m_attrs.begin(); i != m_attrs.end(); i++){ const std::string& tmpType = i->getName(); if(name.size() == tmpType.size()){ 
@@ -112,7 +112,7 @@ void LDAPAttributeList::addAttribute(const LDAPAttribute& attr){ const std::string::size_type attrLen = attrType.size(); std::string::size_type tmpAttrLen = 0; bool done=false; - AttrList::iterator i; + LDAPAttributeList::iterator i; for( i=m_attrs.begin(); i != m_attrs.end(); i++ ){ const std::string tmpAttrType = i->getName(); tmpAttrLen = tmpAttrType.size(); @@ -141,7 +141,7 @@ void LDAPAttributeList::addAttribute(const LDAPAttribute& attr){ LDAPMod** LDAPAttributeList::toLDAPModArray() const{ DEBUG(LDAP_DEBUG_TRACE,"LDAPAttribute::toLDAPModArray()" << endl); LDAPMod **ret = (LDAPMod**) malloc((m_attrs.size()+1) * sizeof(LDAPMod*)); - AttrList::const_iterator i; + LDAPAttributeList::const_iterator i; int j=0; for (i=m_attrs.begin(); i!= m_attrs.end(); i++, j++){ ret[j]=i->toLDAPMod(); @@ -151,7 +151,7 @@ LDAPMod** LDAPAttributeList::toLDAPModArray() const{ } ostream& operator << (ostream& s, const LDAPAttributeList& al){ - AttrList::const_iterator i; + LDAPAttributeList::const_iterator i; for(i=al.m_attrs.begin(); i!=al.m_attrs.end(); i++){ s << *i << "; "; } diff --git a/contrib/ldapc++/src/LDAPAttributeList.h b/contrib/ldapc++/src/LDAPAttributeList.h index 990a6d8c85..283ad60c68 100644 --- a/contrib/ldapc++/src/LDAPAttributeList.h +++ b/contrib/ldapc++/src/LDAPAttributeList.h @@ -15,18 +15,18 @@ class LDAPAttribute; class LDAPAsynConnection; class LDAPMsg; -typedef std::list AttrList; - /** * This container class is used to store multiple LDAPAttribute-objects. */ class LDAPAttributeList{ + typedef std::list ListType; + private : - AttrList m_attrs; + ListType m_attrs; public : - typedef AttrList::const_iterator const_iterator; - typedef AttrList::iterator iterator; + typedef ListType::const_iterator const_iterator; + typedef ListType::iterator iterator; /** diff --git a/contrib/ldapc++/src/LDAPEntryList.h b/contrib/ldapc++/src/LDAPEntryList.h index c82fb02c2f..c65597e465 100644 --- a/contrib/ldapc++/src/LDAPEntryList.h 
+++ b/contrib/ldapc++/src/LDAPEntryList.h @@ -10,8 +10,6 @@ class LDAPEntry; -typedef std::list EntryList; - /** * For internal use only. * @@ -19,8 +17,10 @@ typedef std::list EntryList; * LDAPEntry-Objects */ class LDAPEntryList{ + typedef std::list ListType; + public: - typedef EntryList::const_iterator const_iterator; + typedef ListType::const_iterator const_iterator; /** * Copy-Constructor @@ -63,6 +63,6 @@ class LDAPEntryList{ void addEntry(const LDAPEntry& e); private: - EntryList m_entries; + ListType m_entries; }; #endif // LDAP_ENTRY_LIST_H diff --git a/contrib/ldapc++/src/LDAPModList.cpp b/contrib/ldapc++/src/LDAPModList.cpp index d8bed4f685..a7674eb381 100644 --- a/contrib/ldapc++/src/LDAPModList.cpp +++ b/contrib/ldapc++/src/LDAPModList.cpp @@ -28,7 +28,7 @@ LDAPMod** LDAPModList::toLDAPModArray(){ LDAPMod **ret = (LDAPMod**) malloc( (m_modList.size()+1) * sizeof(LDAPMod*)); ret[m_modList.size()]=0; - ModList::const_iterator i; + LDAPModList::ListType::const_iterator i; int j=0; for (i=m_modList.begin(); i != m_modList.end(); i++ , j++){ ret[j]=i->toLDAPMod(); diff --git a/contrib/ldapc++/src/LDAPModList.h b/contrib/ldapc++/src/LDAPModList.h index 313808d5dd..f62e814e09 100644 --- a/contrib/ldapc++/src/LDAPModList.h +++ b/contrib/ldapc++/src/LDAPModList.h @@ -11,18 +11,17 @@ #include #include -typedef std::list ModList; - /** * This container class is used to store multiple LDAPModification-objects. */ class LDAPModList{ + typedef std::list ListType; public : /** * Constructs an empty list. */ - LDAPModList(); + LDAPModList(); /** * Copy-constructor @@ -33,7 +32,7 @@ class LDAPModList{ * Adds one element to the end of the list. * @param mod The LDAPModification to add to the std::list. */ - void addModification(const LDAPModification &mod); + void addModification(const LDAPModification &mod); /** * Translates the list to a 0-terminated array of 
@@ -42,7 +41,7 @@ class LDAPModList{ LDAPMod** toLDAPModArray(); private : - ModList m_modList; + ListType m_modList; }; #endif //LDAP_MOD_LIST_H diff --git a/contrib/ldapc++/src/LDAPReferenceList.h b/contrib/ldapc++/src/LDAPReferenceList.h index 0aa5a18219..fb289833b2 100644 --- a/contrib/ldapc++/src/LDAPReferenceList.h +++ b/contrib/ldapc++/src/LDAPReferenceList.h @@ -10,16 +10,16 @@ class LDAPSearchReference; -typedef std::list RefList; - /** * Container class for storing a list of Search References * * Used internally only by LDAPSearchResults */ class LDAPReferenceList{ + typedef std::list ListType; + public: - typedef RefList::const_iterator const_iterator; + typedef ListType::const_iterator const_iterator; /** * Constructs an empty list. @@ -66,7 +66,7 @@ class LDAPReferenceList{ void addReference(const LDAPSearchReference& e); private: - RefList m_refs; + ListType m_refs; }; #endif // LDAP_REFERENCE_LIST_H diff --git a/contrib/ldapc++/src/LDAPUrlList.cpp b/contrib/ldapc++/src/LDAPUrlList.cpp index 037349a382..39129aa27f 100644 --- a/contrib/ldapc++/src/LDAPUrlList.cpp +++ b/contrib/ldapc++/src/LDAPUrlList.cpp @@ -11,7 +11,7 @@ using namespace std; LDAPUrlList::LDAPUrlList(){ DEBUG(LDAP_DEBUG_CONSTRUCT," LDAPUrlList::LDAPUrlList()" << endl); - m_urls=UrlList(); + m_urls=LDAPUrlList::ListType(); } LDAPUrlList::LDAPUrlList(const LDAPUrlList& urls){ diff --git a/contrib/ldapc++/src/LDAPUrlList.h b/contrib/ldapc++/src/LDAPUrlList.h index 1247fc6ad1..2051c1c3e8 100644 --- a/contrib/ldapc++/src/LDAPUrlList.h +++ b/contrib/ldapc++/src/LDAPUrlList.h @@ -9,14 +9,14 @@ #include #include -typedef std::list UrlList; - /** * This container class is used to store multiple LDAPUrl-objects. */ class LDAPUrlList{ + typedef std::list ListType; + public: - typedef UrlList::const_iterator const_iterator; + typedef ListType::const_iterator const_iterator; /** * Constructs an empty list. 
@@ -72,6 +72,6 @@ class LDAPUrlList{ void add(const LDAPUrl& url); private : - UrlList m_urls; + ListType m_urls; }; #endif //LDAP_URL_LIST_H diff --git a/contrib/ldapc++/src/Makefile.am b/contrib/ldapc++/src/Makefile.am index d18fbe7e68..30b121e4ed 100644 --- a/contrib/ldapc++/src/Makefile.am +++ b/contrib/ldapc++/src/Makefile.am @@ -85,5 +85,5 @@ noinst_HEADERS = LDAPAddRequest.h \ LDAPSearchRequest.h libldapcpp_la_LIBADD = -lldap -llber -libldapcpp_la_LDFLAGS = -version-info 0:1:0 +libldapcpp_la_LDFLAGS = -version-info 0:2:0 diff --git a/contrib/ldapc++/src/StringList.cpp b/contrib/ldapc++/src/StringList.cpp index c997c42dfd..1778cac027 100644 --- a/contrib/ldapc++/src/StringList.cpp +++ b/contrib/ldapc++/src/StringList.cpp @@ -12,12 +12,12 @@ StringList::StringList(){ } StringList::StringList(const StringList& sl){ - m_data= ListType(sl.m_data); + m_data= StringList::ListType(sl.m_data); } StringList::StringList(char** values){ if(values == 0){ - m_data=ListType(); + m_data=StringList::ListType(); }else{ char** i; for(i=values; *i != 0; i++){ diff --git a/contrib/ldapc++/src/StringList.h b/contrib/ldapc++/src/StringList.h index caa8ddd147..30f712bd83 100644 --- a/contrib/ldapc++/src/StringList.h +++ b/contrib/ldapc++/src/StringList.h @@ -8,12 +8,12 @@ #include #include -typedef std::list ListType; - /** * Container class to store multiple string-objects */ class StringList{ + typedef std::list ListType; + private: ListType m_data; diff --git a/contrib/slapd-modules/passwd/README b/contrib/slapd-modules/passwd/README new file mode 100644 index 0000000000..55198ff561 --- /dev/null +++ b/contrib/slapd-modules/passwd/README 
@@ -0,0 +1,34 @@
+Copyright 2004 The OpenLDAP Foundation. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted only as authorized by the OpenLDAP
+Public License.
+
+This directory contains native slapd plugins for password mechanisms that
+are not actively supported by the project. Currently this includes the
+Kerberos and Netscape MTA-MD5 password mechanisms.
+
+To use the Kerberos plugin, add:
+
+moduleload pw-kerberos.so
+
+to your slapd configuration file.
+
+To use the Netscape plugin, add:
+
+moduleload pw-netscape.so
+
+to your slapd configuration file.
+
+No Makefile is provided. Use a command line similar to:
+
+gcc -shared -I../../../include -Wall -g -DHAVE_KRB5 -o pw-kerberos.so kerberos.c
+
+to compile the Kerberos plugin. Replace HAVE_KRB5 with HAVE_KRB4 if you want
+to use Kerberos IV. If your Kerberos header files are not in the C compiler's
+default path, you will need to add a "-I" directive for that as well.
+
+The corresponding command for the Netscape plugin would be:
+
+gcc -shared -I../../../include -Wall -g -o pw-netscape.so netscape.c
+
diff --git a/contrib/slapd-modules/passwd/kerberos.c b/contrib/slapd-modules/passwd/kerberos.c
new file mode 100644
index 0000000000..95250c6dba
--- /dev/null
+++ b/contrib/slapd-modules/passwd/kerberos.c
@@ -0,0 +1,208 @@
+/* $OpenLDAP$ */
+/*
+ * Copyright 1998-2004 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * .
+ */
+
+#include
+#include
+
+#include
+#include /* BER_BVC definition */
+#include "lutil.h"
+
+#ifdef HAVE_KRB5
+#include
+#elif defined(HAVE_KRB4)
+#include
+#endif
+
+/* From */
+LDAP_F( char *) ldap_pvt_get_fqdn LDAP_P(( char * ));
+
+static LUTIL_PASSWD_CHK_FUNC chk_kerberos;
+static const struct berval scheme = BER_BVC("{KERBEROS}");
+
+static int chk_kerberos(
+ const struct berval *sc,
+ const struct berval * passwd,
+ const struct berval * cred,
+ const char **text )
+{
+ unsigned int i;
+ int rtn;
+
+ for( i=0; ibv_len; i++) {
+ if(cred->bv_val[i] == '\0') {
+ return 1; /* NUL character in password */
+ }
+ }
+
+ if( cred->bv_val[i] != '\0' ) {
+ return 1; /* cred must behave like a string */
+ }
+
+ for( i=0; ibv_len; i++) {
+ if(passwd->bv_val[i] == '\0') {
+ return 1; /* NUL character in password */
+ }
+ }
+
+ if( passwd->bv_val[i] != '\0' ) {
+ return 1; /* passwd must behave like a string */
+ }
+
+ rtn = 1;
+
+#ifdef HAVE_KRB5 /* HAVE_HEIMDAL_KRB5 */
+ {
+/* Portions:
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska H\xf6gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+ krb5_context context;
+ krb5_error_code ret;
+ krb5_creds creds;
+ krb5_get_init_creds_opt get_options;
+ krb5_verify_init_creds_opt verify_options;
+ krb5_principal client, server;
+#ifdef notdef
+ krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP};
+#endif
+
+ ret = krb5_init_context( &context );
+ if (ret) {
+ return 1;
+ }
+
+#ifdef notdef
+ krb5_get_init_creds_opt_set_preauth_list(&get_options,
+ pre_auth_types, 1);
+#endif
+
+ krb5_get_init_creds_opt_init( &get_options );
+
+ krb5_verify_init_creds_opt_init( &verify_options );
+
+ ret = krb5_parse_name( context, passwd->bv_val, &client );
+
+ if (ret) {
+ krb5_free_context( context );
+ return 1;
+ }
+
+ ret = krb5_get_init_creds_password( context,
+ &creds, client, cred->bv_val, NULL,
+ NULL, 0, NULL, &get_options );
+
+ if (ret) {
+ krb5_free_principal( context, client );
+ krb5_free_context( context );
+ return 1;
+ }
+
+ {
+ char *host = ldap_pvt_get_fqdn( NULL );
+
+ if( host == NULL ) {
+ krb5_free_principal( context, client );
+ krb5_free_context( context );
+ return 1;
+ }
+
+ ret = krb5_sname_to_principal( context,
+ host, "ldap", KRB5_NT_SRV_HST, &server );
+
+ ber_memfree( host );
+ }
+
+ if (ret) {
+ krb5_free_principal( context, client );
+ krb5_free_context( context );
+ return 1;
+ }
+
+ ret = krb5_verify_init_creds( context,
+ &creds, server, NULL, NULL, &verify_options );
+
+ krb5_free_principal( context, client );
+ krb5_free_principal( context, server );
+ krb5_free_cred_contents( context, &creds );
+ krb5_free_context( context );
+
+ rtn = !!ret;
+ }
+#elif defined(HAVE_KRB4)
+ {
+ /* Borrowed from Heimdal kpopper */
+/* Portions:
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved. The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+ int status;
+ char lrealm[REALM_SZ];
+ char tkt[MAXHOSTNAMELEN];
+
+ status = krb_get_lrealm(lrealm,1);
+ if (status == KFAILURE) {
+ return 1;
+ }
+
+ snprintf(tkt, sizeof(tkt), "%s_slapd.%u",
+ TKT_ROOT, (unsigned)getpid());
+ krb_set_tkt_string (tkt);
+
+ status = krb_verify_user( passwd->bv_val, "", lrealm,
+ cred->bv_val, 1, "ldap");
+
+ dest_tkt(); /* no point in keeping the tickets */
+
+ return status == KFAILURE;
+ }
+#endif
+
+ return rtn;
+}
+
+int init_module(int argc, char *argv[]) {
+ return lutil_passwd_add( (struct berval *)&scheme, chk_kerberos, NULL );
+}
diff --git a/contrib/slapd-modules/passwd/netscape.c b/contrib/slapd-modules/passwd/netscape.c
new file mode 100644
index 0000000000..3c7d9515a4
--- /dev/null
+++ b/contrib/slapd-modules/passwd/netscape.c
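Review bot: In the HAVE_KRB5 branch of chk_kerberos, the two error paths that run after krb5_get_init_creds_password has succeeded — the `host == NULL` return and the return after a failed krb5_sname_to_principal — free `client` and `context` but never release `creds`, so each such failure leaks the credential material obtained for that bind attempt; add `krb5_free_cred_contents( context, &creds );` before each of those two returns. Separately, krb5_verify_init_creds is the step that protects this check against answers from a forged KDC, and as far as I recall the library's default options only make it fail closed when a keytab entry for the `ldap/<fqdn>` service (the principal built by the krb5_sname_to_principal call) is available or verify_ap_req_nofail is configured; calling `krb5_verify_init_creds_opt_set_ap_req_nofail( &verify_options, 1 );` after the opt_init makes a missing keytab an error instead of a silent pass, which is the safer default for a password check. The KRB4 branch's krb_set_tkt_string sets a process-wide ticket-file name, which is worth a comment since slapd calls password checkers from several threads. All failure returns also leave `*text` untouched, so the caller never learns why the check was rejected.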
@@ -0,0 +1,80 @@
+/* $OpenLDAP$ */
+/*
+ * Copyright 1998-2004 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * .
+ */
+
+#include
+#include
+
+#include
+#include
+#include "lutil.h"
+#include "lutil_md5.h"
+
+static LUTIL_PASSWD_CHK_FUNC chk_ns_mta_md5;
+static const struct berval scheme = BER_BVC("{NS-MTA-MD5}");
+
+#define NS_MTA_MD5_PASSLEN 64
+static int chk_ns_mta_md5(
+ const struct berval *scheme,
+ const struct berval *passwd,
+ const struct berval *cred,
+ const char **text )
+{
+ lutil_MD5_CTX MD5context;
+ unsigned char MD5digest[LUTIL_MD5_BYTES], c;
+ char buffer[LUTIL_MD5_BYTES*2];
+ int i;
+
+ if( passwd->bv_len != NS_MTA_MD5_PASSLEN ) {
+ return 1;
+ }
+
+ /* hash credentials with salt */
+ lutil_MD5Init(&MD5context);
+ lutil_MD5Update(&MD5context,
+ (const unsigned char *) &passwd->bv_val[32],
+ 32 );
+
+ c = 0x59;
+ lutil_MD5Update(&MD5context,
+ (const unsigned char *) &c,
+ 1 );
+
+ lutil_MD5Update(&MD5context,
+ (const unsigned char *) cred->bv_val,
+ cred->bv_len );
+
+ c = 0xF7;
+ lutil_MD5Update(&MD5context,
+ (const unsigned char *) &c,
+ 1 );
+
+ lutil_MD5Update(&MD5context,
+ (const unsigned char *) &passwd->bv_val[32],
+ 32 );
+
+ lutil_MD5Final(MD5digest, &MD5context);
+
+ for( i=0; i < sizeof( MD5digest ); i++ ) {
+ buffer[i+i] = "0123456789abcdef"[(MD5digest[i]>>4) & 0x0F];
+ buffer[i+i+1] = "0123456789abcdef"[ MD5digest[i] & 0x0F];
+ }
+
+ /* compare */
+ return memcmp((char *)passwd->bv_val,
+ (char *)buffer, sizeof(buffer)) ? 1 : 0;
+}
+
+int init_module(int argc, char *argv[]) {
+ return lutil_passwd_add( (struct berval *)&scheme, chk_ns_mta_md5, NULL );
+}
-- 
2.39.5
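Review bot: The final `memcmp` in chk_ns_mta_md5 stops at the first byte that differs, so the time a bind takes to be rejected depends on how many leading characters of the stored hex digest the submitted password happens to reproduce; a password comparison should cost the same whichever byte mismatches. The rewrite below ORs the XOR of every byte pair over the full 32-byte buffer and returns the same 0/1 result as the original, only without the early exit. Note also that `i` is declared `int` but compared with `sizeof( MD5digest )` and `sizeof(buffer)`, which is a signed/unsigned comparison; declaring it `unsigned` (or `size_t`) avoids the warning and matches the loop bounds. As in kerberos.c, a failed check leaves `*text` unset, so the caller gets no reason for the rejection.
```c
	/* … unchanged: length check, salted MD5 of cred, hex encoding into buffer … */

	/* compare: accumulate differences over the whole buffer so the time
	 * taken does not depend on how many leading bytes already match */
	{
		unsigned char diff = 0;
		for( i=0; i < sizeof(buffer); i++ ) {
			diff |= (unsigned char) passwd->bv_val[i] ^ (unsigned char) buffer[i];
		}
		return diff ? 1 : 0;
	}
```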