git.sur5r.net Git - openldap/blob - servers/slapd/slappasswd.c

   1 /* $OpenLDAP$ */
   2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   3  *
   4  * Copyright 1998-2017 The OpenLDAP Foundation.
   5  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
   6  * All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted only as authorized by the OpenLDAP
  10  * Public License.
  11  *
  12  * A copy of this license is available in file LICENSE in the
  13  * top-level directory of the distribution or, alternatively, at
  14  * <http://www.OpenLDAP.org/license.html>.
  15  */
  16 /* ACKNOWLEDGEMENTS:
  17  * This work was initially developed by Kurt Zeilenga for inclusion
  18  * in OpenLDAP Software.
  19  */
  20
  21 #include "portable.h"
  22
  23 #include <stdio.h>
  24
  25 #include <ac/stdlib.h>
  26
  27 #include <ac/ctype.h>
  28 #include <ac/signal.h>
  29 #include <ac/socket.h>
  30 #include <ac/string.h>
  31 #include <ac/time.h>
  32 #include <ac/unistd.h>
  33
  34 #include <ldap.h>
  35 #include <lber_pvt.h>
  36 #include <lutil.h>
  37 #include <lutil_sha1.h>
  38
  39 #include "ldap_defaults.h"
  40 #include "slap.h"
  41
  42 static int      verbose = 0;
  43 static char     *modulepath = NULL;
  44 static char     *moduleload = NULL;
  45
  46 static void
  47 usage(const char *s)
  48 {
  49         fprintf(stderr,
  50                 "Usage: %s [options]\n"
  51                 "  -c format\tcrypt(3) salt format\n"
  52                 "  -g\t\tgenerate random password\n"
  53                 "  -h hash\tpassword scheme\n"
  54                 "  -n\t\tomit trailing newline\n"
  55                 "  -o <opt>[=val] specify an option with a(n optional) value\n"
  56                 "  \tmodule-path=<pathspec>\n"
  57                 "  \tmodule-load=<filename>\n"
  58                 "  -s secret\tnew password\n"
  59                 "  -u\t\tgenerate RFC2307 values (default)\n"
  60                 "  -v\t\tincrease verbosity\n"
  61                 "  -T file\tread file for new password\n"
  62                 , s );
  63
  64         exit( EXIT_FAILURE );
  65 }
  66
  67 static int
  68 parse_slappasswdopt( void )
  69 {
  70         size_t  len = 0;
  71         char    *p;
  72
  73         p = strchr( optarg, '=' );
  74         if ( p != NULL ) {
  75                 len = p - optarg;
  76                 p++;
  77         }
  78
  79         if ( strncasecmp( optarg, "module-path", len ) == 0 ) {
  80                 if ( modulepath )
  81                         ch_free( modulepath );
  82                 modulepath = ch_strdup( p );
  83
  84         } else if ( strncasecmp( optarg, "module-load", len ) == 0 ) {
  85                 if ( moduleload )
  86                         ch_free( moduleload );
  87                 moduleload = ch_strdup( p );
  88
  89         } else {
  90                 return -1;
  91         }
  92
  93         return 0;
  94 }
  95
  96 int
  97 slappasswd( int argc, char *argv[] )
  98 {
  99         int rc = EXIT_SUCCESS;
 100 #ifdef LUTIL_SHA1_BYTES
 101         char    *default_scheme = "{SSHA}";
 102 #else
 103         char    *default_scheme = "{SMD5}";
 104 #endif
 105         char    *scheme = default_scheme;
 106
 107         char    *newpw = NULL;
 108         char    *pwfile = NULL;
 109         const char *text;
 110         const char *progname = "slappasswd";
 111
 112         int             i;
 113         char            *newline = "\n";
 114         struct berval passwd = BER_BVNULL;
 115         struct berval hash;
 116
 117 #ifdef LDAP_DEBUG
 118         /* tools default to "none", so that at least LDAP_DEBUG_ANY
 119          * messages show up; use -d 0 to reset */
 120         slap_debug = LDAP_DEBUG_NONE;
 121 #endif
 122         ldap_syslog = 0;
 123
 124         while( (i = getopt( argc, argv,
 125                 "c:d:gh:no:s:T:vu" )) != EOF )
 126         {
 127                 switch (i) {
 128                 case 'c':       /* crypt salt format */
 129                         scheme = "{CRYPT}";
 130                         lutil_salt_format( optarg );
 131                         break;
 132
 133                 case 'g':       /* new password (generate) */
 134                         if ( pwfile != NULL ) {
 135                                 fprintf( stderr, "Option -g incompatible with -T\n" );
 136                                 return EXIT_FAILURE;
 137
 138                         } else if ( newpw != NULL ) {
 139                                 fprintf( stderr, "New password already provided\n" );
 140                                 return EXIT_FAILURE;
 141
 142                         } else if ( lutil_passwd_generate( &passwd, 8 )) {
 143                                 fprintf( stderr, "Password generation failed\n" );
 144                                 return EXIT_FAILURE;
 145                         }
 146                         break;
 147
 148                 case 'h':       /* scheme */
 149                         if ( scheme != default_scheme ) {
 150                                 fprintf( stderr, "Scheme already provided\n" );
 151                                 return EXIT_FAILURE;
 152
 153                         } else {
 154                                 scheme = ch_strdup( optarg );
 155                         }
 156                         break;
 157
 158                 case 'n':
 159                         newline = "";
 160                         break;
 161
 162                 case 'o':
 163                         if ( parse_slappasswdopt() ) {
 164                                 usage ( progname );
 165                         }
 166                         break;
 167
 168                 case 's':       /* new password (secret) */
 169                         if ( pwfile != NULL ) {
 170                                 fprintf( stderr, "Option -s incompatible with -T\n" );
 171                                 return EXIT_FAILURE;
 172
 173                         } else if ( newpw != NULL ) {
 174                                 fprintf( stderr, "New password already provided\n" );
 175                                 return EXIT_FAILURE;
 176
 177                         } else {
 178                                 char* p;
 179                                 newpw = ch_strdup( optarg );
 180
 181                                 for( p = optarg; *p != '\0'; p++ ) {
 182                                         *p = '\0';
 183                                 }
 184                         }
 185                         break;
 186
 187                 case 'T':       /* password file */
 188                         if ( pwfile != NULL ) {
 189                                 fprintf( stderr, "Password file already provided\n" );
 190                                 return EXIT_FAILURE;
 191
 192                         } else if ( newpw != NULL ) {
 193                                 fprintf( stderr, "Option -T incompatible with -s/-g\n" );
 194                                 return EXIT_FAILURE;
 195
 196                         }
 197                         pwfile = optarg;
 198                         break;
 199
 200                 case 'u':       /* RFC2307 userPassword */
 201                         break;
 202
 203                 case 'v':       /* verbose */
 204                         verbose++;
 205                         break;
 206
 207                 default:
 208                         usage ( progname );
 209                 }
 210         }
 211
 212         if( argc - optind != 0 ) {
 213                 usage( progname );
 214         }
 215
 216 #ifdef SLAPD_MODULES
 217         if ( module_init() != 0 ) {
 218                 fprintf( stderr, "%s: module_init failed\n", progname );
 219                 return EXIT_FAILURE;
 220         }
 221
 222         if ( modulepath && module_path(modulepath) ) {
 223                 rc = EXIT_FAILURE;
 224                 goto destroy;
 225         }
 226
 227         if ( moduleload && module_load(moduleload, 0, NULL) ) {
 228                 rc = EXIT_FAILURE;
 229                 goto destroy;
 230         }
 231 #endif
 232
 233         if( pwfile != NULL ) {
 234                 if( lutil_get_filed_password( pwfile, &passwd )) {
 235                         rc = EXIT_FAILURE;
 236                         goto destroy;
 237                 }
 238         } else if ( BER_BVISEMPTY( &passwd )) {
 239                 if( newpw == NULL ) {
 240                         /* prompt for new password */
 241                         char *cknewpw;
 242                         newpw = ch_strdup(getpassphrase("New password: "));
 243                         cknewpw = getpassphrase("Re-enter new password: ");
 244
 245                         if( strcmp( newpw, cknewpw )) {
 246                                 fprintf( stderr, "Password values do not match\n" );
 247                                 rc = EXIT_FAILURE;
 248                                 goto destroy;
 249                         }
 250                 }
 251
 252                 passwd.bv_val = newpw;
 253                 passwd.bv_len = strlen(passwd.bv_val);
 254         } else {
 255                 hash = passwd;
 256                 goto print_pw;
 257         }
 258
 259         lutil_passwd_hash( &passwd, scheme, &hash, &text );
 260         if( hash.bv_val == NULL ) {
 261                 fprintf( stderr,
 262                         "Password generation failed for scheme %s: %s\n",
 263                         scheme, text ? text : "" );
 264                 rc = EXIT_FAILURE;
 265                 goto destroy;
 266         }
 267
 268         if( lutil_passwd( &hash, &passwd, NULL, &text ) ) {
 269                 fprintf( stderr, "Password verification failed. %s\n",
 270                         text ? text : "" );
 271                 rc = EXIT_FAILURE;
 272                 goto destroy;
 273         }
 274
 275 print_pw:;
 276         printf( "%s%s" , hash.bv_val, newline );
 277
 278 destroy:;
 279 #ifdef SLAPD_MODULES
 280         module_kill();
 281 #endif
 282
 283         return rc;
 284 }