From 21f54059788d28599bb215cb1246f88cae6c7450 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Thu, 23 Apr 2009 08:23:58 +0000 Subject: [PATCH] Use nslcd-mapped PAM error codes instead of actual PAM error codes --- contrib/slapd-modules/nssov/nss-ldapd/nslcd.h | 15 ++++++ .../slapd-modules/nssov/nss-ldapd/nss/pam.c | 25 ++++++++++ contrib/slapd-modules/nssov/pam.c | 50 +++++++++---------- 3 files changed, 64 insertions(+), 26 deletions(-) diff --git a/contrib/slapd-modules/nssov/nss-ldapd/nslcd.h b/contrib/slapd-modules/nssov/nss-ldapd/nslcd.h index 8a2a999d27..7dc94370f6 100644 --- a/contrib/slapd-modules/nssov/nss-ldapd/nslcd.h +++ b/contrib/slapd-modules/nssov/nss-ldapd/nslcd.h @@ -207,4 +207,19 @@ #define NSLCD_RESULT_END 3 /* key was not found */ #define NSLCD_RESULT_SUCCESS 0 /* everything ok */ +/* Partial list of PAM result codes. */ +#define NSLCD_PAM_SUCCESS 0 /* everything ok */ +#define NSLCD_PAM_PERM_DENIED 6 /* Permission denied */ +#define NSLCD_PAM_AUTH_ERR 7 /* Authc failure */ +#define NSLCD_PAM_CRED_INSUFFICIENT 8 /* Cannot access authc data */ +#define NSLCD_PAM_AUTHINFO_UNAVAIL 9 /* Cannot retrieve authc info */ +#define NSLCD_PAM_USER_UNKNOWN 10 /* User not known */ +#define NSLCD_PAM_MAXTRIES 11 /* Retry limit reached */ +#define NSLCD_PAM_NEW_AUTHTOK_REQD 12 /* Password expired */ +#define NSLCD_PAM_ACCT_EXPIRED 13 /* Account expired */ +#define NSLCD_PAM_SESSION_ERR 14 /* Cannot make/remove session record */ +#define NSLCD_PAM_AUTHTOK_DISABLE_AGING 23 /* Password aging disabled */ +#define NSLCD_PAM_IGNORE 25 /* Ignore module */ +#define NSLCD_PAM_ABORT 26 /* Fatal error */ + #endif /* not _NSLCD_H */ diff --git a/contrib/slapd-modules/nssov/nss-ldapd/nss/pam.c b/contrib/slapd-modules/nssov/nss-ldapd/nss/pam.c index b6ad67fdff..2d9c8d1bda 100644 --- a/contrib/slapd-modules/nssov/nss-ldapd/nss/pam.c +++ b/contrib/slapd-modules/nssov/nss-ldapd/nss/pam.c 
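Review bot: The NSLCD_PAM_* values added to nslcd.h are wire-protocol constants — the integer, not the name, is what crosses the nslcd socket between slapd's nssov module and the nss-ldapd PAM client — and the header says nothing about that. A later maintainer who notices they appear to follow Linux-PAM's numbering may be tempted to extend or "correct" them in step with a local PAM header, which would silently break interoperability; replace `/* Partial list of PAM result codes. */` with `/* PAM result codes as carried on the nslcd protocol. Protocol constants: never renumber; receivers map them to local PAM_* values and reject anything unlisted. */`. Stating that the list is deliberately partial also matters, since the client-side nslcd2pam_rc in nss/pam.c only understands these thirteen entries.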
@@ -69,6 +69,27 @@ typedef struct pld_ctx { char buf[1024]; } pld_ctx; +static int nslcd2pam_rc(int rc) +{ +#define map(i) case NSLCD_##i : rc = i; break + switch(rc) { + map(PAM_SUCCESS); + map(PAM_PERM_DENIED); + map(PAM_AUTH_ERR); + map(PAM_CRED_INSUFFICIENT); + map(PAM_AUTHINFO_UNAVAIL); + map(PAM_USER_UNKNOWN); + map(PAM_MAXTRIES); + map(PAM_NEW_AUTHTOK_REQD); + map(PAM_ACCT_EXPIRED); + map(PAM_SESSION_ERR); + map(PAM_AUTHTOK_DISABLE_AGING); + map(PAM_IGNORE); + map(PAM_ABORT); + } + return rc; +} + static void pam_clr_ctx( pld_ctx *ctx) { @@ -201,6 +222,8 @@ static enum nss_status pam_read_authc( READ_INT32(fp,ctx->authok); READ_INT32(fp,ctx->authz); READ_STRING_BUF(fp,ctx->authzmsg); + ctx->authok = nslcd2pam_rc(ctx->authok); + ctx->authz = nslcd2pam_rc(ctx->authz); return NSS_STATUS_SUCCESS; } @@ -330,6 +353,7 @@ static enum nss_status pam_read_authz( READ_STRING_BUF(fp,ctx->dn); READ_INT32(fp,ctx->authz); READ_STRING_BUF(fp,ctx->authzmsg); + ctx->authz = nslcd2pam_rc(ctx->authz); return NSS_STATUS_SUCCESS; } @@ -537,6 +561,7 @@ static enum nss_status pam_read_pwmod( READ_STRING_BUF(fp,ctx->dn); READ_INT32(fp,ctx->authz); READ_STRING_BUF(fp,ctx->authzmsg); + ctx->authz = nslcd2pam_rc(ctx->authz); return NSS_STATUS_SUCCESS; } diff --git a/contrib/slapd-modules/nssov/pam.c b/contrib/slapd-modules/nssov/pam.c index b43c25915b..0401c8d7e8 100644 --- a/contrib/slapd-modules/nssov/pam.c +++ b/contrib/slapd-modules/nssov/pam.c @@ -16,8 +16,6 @@ #include "nssov.h" #include "lutil.h" -#include - static int ppolicy_cid; static AttributeDescription *ad_loginStatus; @@ -90,7 +88,7 @@ static int pam_bindcb( pi->msg.bv_len = sprintf(pi->msg.bv_val, "Password expired; %d grace logins remaining", grace); - pi->authz = PAM_NEW_AUTHTOK_REQD; + pi->authz = NSLCD_PAM_NEW_AUTHTOK_REQD; } else if (error != PP_noError) { ber_str2bv(ldap_passwordpolicy_err2txt(error), 0, 0, &pi->msg); 
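Review bot: nslcd2pam_rc has no `default:` arm, so any code the server sends that is not in the list — a value added to nslcd.h by a newer server, or simply a corrupted one — is returned unchanged and then handed to libpam from pam_read_authc/pam_read_authz as if it were a local PAM_* constant. The reason for this mapping is that the two sides need not share PAM numbering, so an unlisted value has no meaning on the client and should fail closed: add `default: rc = PAM_SYSTEM_ERR; break;` (PAM_SYSTEM_ERR presumably comes from the same PAM header that supplies the PAM_* names used in the map() lines — confirm). Also add `#undef map` after the switch so the short macro name does not remain defined for the rest of the file.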
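Review bot: The `sprintf` into `pi->msg.bv_val` on the new side of the hunk at -90 is unbounded, and the hunk at -120 in this file sets `pi->msg.bv_val = pi->pwd.bv_val`, i.e. the message is formatted over the buffer the client's password was read into. Whether that is safe depends on how that buffer is sized, which is not visible here: if it is sized to the received password rather than being a fixed scratch area, the "Password expired; %d grace logins remaining" text (up to roughly 50 bytes) can overrun it. An `snprintf(pi->msg.bv_val, <actual buffer size>, ...)` with a check that the result is non-negative and below the size would remove the dependency and would also stop a negative `sprintf` return from being stored into the unsigned `bv_len`. pam_bindcb starts before this hunk and continues past it.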
@@ -100,7 +98,7 @@ static int pam_bindcb( rs->sr_err = LDAP_SUCCESS; /* fallthru */ case PP_changeAfterReset: - pi->authz = PAM_NEW_AUTHTOK_REQD; + pi->authz = NSLCD_PAM_NEW_AUTHTOK_REQD; } } } @@ -120,13 +118,13 @@ int pam_do_bind(nssov_info *ni,TFILE *fp,Operation *op, pi->msg.bv_val = pi->pwd.bv_val; pi->msg.bv_len = 0; - pi->authz = PAM_SUCCESS; + pi->authz = NSLCD_PAM_SUCCESS; BER_BVZERO(&pi->dn); if (!isvalidusername(&pi->uid)) { Debug(LDAP_DEBUG_ANY,"nssov_pam_do_bind(%s): invalid user name\n", pi->uid.bv_val,0,0); - rc = PAM_USER_UNKNOWN; + rc = NSLCD_PAM_USER_UNKNOWN; goto finish; } @@ -153,12 +151,12 @@ int pam_do_bind(nssov_info *ni,TFILE *fp,Operation *op, } BER_BVZERO(&sdn); if (BER_BVISEMPTY(&pi->dn)) { - rc = PAM_USER_UNKNOWN; + rc = NSLCD_PAM_USER_UNKNOWN; goto finish; } if (BER_BVISEMPTY(&pi->pwd)) { - rc = PAM_IGNORE; + rc = NSLCD_PAM_IGNORE; goto finish; } @@ -195,9 +193,9 @@ int pam_do_bind(nssov_info *ni,TFILE *fp,Operation *op, if (rc == LDAP_SUCCESS) send_ldap_result(op, &rs); switch(rs.sr_err) { - case LDAP_SUCCESS: rc = PAM_SUCCESS; break; - case LDAP_INVALID_CREDENTIALS: rc = PAM_AUTH_ERR; break; - default: rc = PAM_AUTH_ERR; break; + case LDAP_SUCCESS: rc = NSLCD_PAM_SUCCESS; break; + case LDAP_INVALID_CREDENTIALS: rc = NSLCD_PAM_AUTH_ERR; break; + default: rc = NSLCD_PAM_AUTH_ERR; break; } finish: return rc; @@ -263,7 +261,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) char dnc[1024]; char uidc[32]; char svcc[256]; - int rc = PAM_SUCCESS; + int rc = NSLCD_PAM_SUCCESS; Entry *e = NULL; Attribute *a; SlapReply rs = {REP_RESULT}; @@ -283,7 +281,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) /* We don't do authorization if they weren't authenticated by us */ if (BER_BVISEMPTY(&dn)) { - rc = PAM_USER_UNKNOWN; + rc = NSLCD_PAM_USER_UNKNOWN; goto finish; } 
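Review bot: In the hunk at -195 both arms of the `switch(rs.sr_err)` that closes pam_do_bind yield NSLCD_PAM_AUTH_ERR, so the explicit LDAP_INVALID_CREDENTIALS case is dead code, and every backend failure in the default arm — directory unavailable, busy, timeout — is reported to the PAM client as a wrong password. That makes an outage indistinguishable from a bad credential for the PAM stack and for any lockout module that counts PAM_AUTH_ERR results. Now that NSLCD_PAM_AUTHINFO_UNAVAIL exists in nslcd.h, consider `default: rc = NSLCD_PAM_AUTHINFO_UNAVAIL; break;` for the non-credential LDAP results while keeping NSLCD_PAM_AUTH_ERR for LDAP_INVALID_CREDENTIALS and other credential-class errors; if collapsing everything to AUTH_ERR is deliberate (fail closed, no distinction exposed to the client), a one-line comment on the default arm saying so would keep the next reader from changing it. pam_do_bind starts before this hunk.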
@@ -331,7 +329,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) /* no host entry, no default host -> deny */ if (BER_BVISEMPTY(&hostdn)) { - rc = PAM_PERM_DENIED; + rc = NSLCD_PAM_PERM_DENIED; authzmsg = hostmsg; goto finish; } @@ -348,7 +346,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) rc = op->o_bd->be_compare( op, &rs ); if ( rs.sr_err != LDAP_COMPARE_TRUE ) { authzmsg = svcmsg; - rc = PAM_PERM_DENIED; + rc = NSLCD_PAM_PERM_DENIED; goto finish; } op->o_dn = odn; @@ -371,7 +369,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) rc = op->o_bd->be_compare( op, &rs ); if ( rs.sr_err != LDAP_COMPARE_TRUE ) { authzmsg = grpmsg; - rc = PAM_PERM_DENIED; + rc = NSLCD_PAM_PERM_DENIED; goto finish; } } @@ -382,7 +380,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) ni->ni_pam_min_uid || ni->ni_pam_max_uid ) { rc = be_entry_get_rw( op, &dn, NULL, NULL, 0, &e ); if (rc != LDAP_SUCCESS) { - rc = PAM_USER_UNKNOWN; + rc = NSLCD_PAM_USER_UNKNOWN; goto finish; } } @@ -391,7 +389,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) if (!a || value_find_ex( nssov_pam_host_ad, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH, a->a_vals, &global_host_bv, op->o_tmpmemctx )) { - rc = PAM_PERM_DENIED; + rc = NSLCD_PAM_PERM_DENIED; authzmsg = hostmsg; goto finish; } @@ -401,7 +399,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) if (!a || value_find_ex( nssov_pam_svc_ad, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH, a->a_vals, &svc, op->o_tmpmemctx )) { - rc = PAM_PERM_DENIED; + rc = NSLCD_PAM_PERM_DENIED; authzmsg = svcmsg; goto finish; } 
@@ -416,19 +414,19 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) nssov_mapinfo *mi = &ni->ni_maps[NM_host]; a = attr_find(e->e_attrs, mi->mi_attrs[UIDN_KEY].an_desc); if (!a) { - rc = PAM_PERM_DENIED; + rc = NSLCD_PAM_PERM_DENIED; authzmsg = uidmsg; goto finish; } id = (int)strtol(a->a_vals[0].bv_val,&tmp,0); if (a->a_vals[0].bv_val[0] == '\0' || *tmp != '\0') { - rc = PAM_PERM_DENIED; + rc = NSLCD_PAM_PERM_DENIED; authzmsg = uidmsg; goto finish; } if ((ni->ni_pam_min_uid && id < ni->ni_pam_min_uid) || (ni->ni_pam_max_uid && id > ni->ni_pam_max_uid)) { - rc = PAM_PERM_DENIED; + rc = NSLCD_PAM_PERM_DENIED; authzmsg = uidmsg; goto finish; } @@ -588,8 +586,8 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op) /* This is a prelim check */ if (BER_BVISEMPTY(&pi.dn)) { rc = pam_do_bind(ni,fp,op,&pi); - if (rc == PAM_IGNORE) - rc = PAM_SUCCESS; + if (rc == NSLCD_PAM_IGNORE) + rc = NSLCD_PAM_SUCCESS; } else { BerElementBuffer berbuf; BerElement *ber = (BerElement *)&berbuf; @@ -620,9 +618,9 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op) if (rs.sr_text) ber_str2bv(rs.sr_text, 0, 0, &pi.msg); if (rc == LDAP_SUCCESS) - rc = PAM_SUCCESS; + rc = NSLCD_PAM_SUCCESS; else - rc = PAM_PERM_DENIED; + rc = NSLCD_PAM_PERM_DENIED; } WRITE_INT32(fp,NSLCD_VERSION); WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD); -- 2.39.5
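Review bot: In the uid-range gate of the hunk at -416, `id = (int)strtol(a->a_vals[0].bv_val,&tmp,0)` silently truncates a `long` to `int` and, because the base is 0, also accepts `0x`-prefixed and leading-zero (octal) spellings, so a uidNumber outside int range or in an unusual spelling can land inside the allowed window here while meaning something else to whatever builds the passwd entry. Since this check is what keeps uid 0 and other out-of-range accounts from authenticating, it should fail closed on anything it cannot represent exactly: set `errno = 0`, parse with base 10 into a `long v`, extend the existing test to `if (a->a_vals[0].bv_val[0] == '\0' || *tmp != '\0' || errno == ERANGE || v < INT_MIN || v > INT_MAX)`, and assign `id` only afterwards (needs `<errno.h>` and `<limits.h>` if the file does not already include them — not visible here). Separately, `mi` is taken from `ni->ni_maps[NM_host]` but indexed with `UIDN_KEY`, which reads like a passwd-map key; if that is a typo it fetches the wrong attribute, so please confirm. pam_authz starts before this hunk and continues past it.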
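Review bot: In the prelim-check branch of pam_pwmod (hunk at -588), mapping NSLCD_PAM_IGNORE to NSLCD_PAM_SUCCESS means a request carrying an empty old password — which pam_do_bind answers with NSLCD_PAM_IGNORE per the hunk at -153 — passes the preliminary check with the user's DN resolved and returned to the client. Whether that is safe depends on the update phase in the else branch, which begins here but continues outside the hunk: if the modify there runs under slapd's own identity without having bound as that DN, a client on the nssov socket could change a password without knowing the current one. If the empty-password case is intentional (for example a root-initiated reset that never has the old password), a comment such as `/* empty old password -> IGNORE from pam_do_bind; accepted here, so the update phase must enforce who may change whose password */` would record the contract, and the update phase should be checked against it.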