int authcustomcommon(const char *user, const char *pass,
int (*callback)(struct authinfo *, void *),
void *arg)
{
struct authinfo auth;
int rc;
memset(&auth, 0, sizeof(auth));
rc=do_auth_custom(user, &auth);
if (rc)
return (rc);
if (pass == 0)
return (0); /* Just get the authentication info */
if (auth.clearpasswd)
{
if (strcmp(pass, auth.clearpasswd))
return (-1);
}
else
{
const char *p=auth.passwd;
if (!p || authcheckpassword(pass, p))
return (-1);
}
return ((*callback)(&auth, arg));
}
static bool docheckpw(authsqliteuserinfo &authinfo, const char *pass)
{
if (!authinfo.cryptpw.empty())
{
if (authcheckpassword(pass, authinfo.cryptpw.c_str()))
{
errno=EPERM;
return false; /* User/Password not found. */
}
}
else if (!authinfo.clearpw.empty())
{
if (authinfo.clearpw != pass)
{
if (courier_authdebug_login_level >= 2)
{
DPRINTF("supplied password '%s' does not match clearpasswd '%s'",
pass, authinfo.clearpw.c_str());
}
else
{
DPRINTF("supplied password does not match clearpasswd");
}
errno=EPERM;
return false;
}
}
else
{
DPRINTF("no password available to compare");
errno=EPERM;
return false; /* Username not found */
}
return true;
}
static int callback_pwd(struct authinfo *a, void *p)
{
struct callback_info *i=(struct callback_info *)p;
if (a->passwd == 0 || authcheckpassword(i->pass, a->passwd))
return (-1);
if ((i->userret=strdup(a->sysusername)) == 0)
{
perror("malloc");
return (1);
}
if (i->callback_func == 0)
authsuccess(a->homedir, a->sysusername, 0, &a->sysgroupid,
a->address, a->fullname);
else
{
a->address=a->sysusername;
(*i->callback_func)(a, i->callback_arg);
}
return (0);
}
static int dochangepwd1(const char *service, const char *uid,
const char *opwd, const char *npwd, int hmac_flag)
{
char *udbs;
char *services;
char *passwords;
int rc;
char *u;
struct userdbs *udb;
udbs=userdbshadow(USERDB "shadow.dat", uid);
if (!udbs)
{
errno=EINVAL;
return (1);
}
if ((services=malloc(strlen(service)+sizeof("pw"))) == 0)
{
perror("malloc");
free(udbs);
errno=EPERM;
return (1);
}
strcat(strcpy(services, service), "pw");
passwords=userdb_gets(udbs, services);
free(services);
if (passwords == 0)
{
passwords=userdb_gets(udbs, "systempw");
service="system";
}
if (!passwords || (hmac_flag ? strcmp(opwd, passwords):
authcheckpassword(opwd, passwords)))
{
if (passwords)
free(passwords);
free(udbs);
errno=EPERM;
return (1);
}
free(passwords);
free(udbs);
userdb_init(USERDB ".dat");
if ( (u=userdb(uid)) == 0 ||
(udb=userdb_creates(u)) == 0)
{
if (u)
free(u);
errno=EPERM;
return (1);
}
rc=dochangepwd2(service, uid, u, udb, npwd);
userdb_frees(udb);
free(u);
return (rc);
}
static int auth_ldap_do3(const char *attrname,
const char *user, const char *pass,
int (*callback)(struct authinfo *, void *),
void *arg, const char *newpass,
const char *authaddr)
{
char *newpass_crypt=0;
const char *attributes[10], *ldap_attributes[10];
struct timeval timeout;
LDAPMessage *result;
LDAPMessage *entry;
char *filter, *dn;
int i, j;
struct authinfo auth;
char *homeDir=0;
char *mailDir=0;
char *userPassword=0;
char *cryptPassword=0;
char *cn=0;
uid_t au;
gid_t ag;
int rc;
char *quota=0;
int additionalFilter = 0;
int hasAdditionalFilter = 0;
hasAdditionalFilter = my_ldap.filter != 0;
memset(&auth, 0, sizeof(auth));
if (hasAdditionalFilter)
{
/* To add the additional filter, we need to add on the
* additional size for "(&)" and the other filter. So
* filter+3
*/
additionalFilter = strlen(my_ldap.filter) + 3;
}
if ((filter=malloc(additionalFilter+strlen(attrname)+strlen(user)+
(my_ldap.domain ? strlen(my_ldap.domain):0)+
sizeof ("(=@)"))) == 0)
{
perror("malloc");
return 1;
}
strcpy(filter, "\0");
if (hasAdditionalFilter)
{
strcat(filter, "(&");
strcat(filter, my_ldap.filter);
}
strcat(strcat(strcat(strcat(filter, "("), attrname), "="), user);
if ( my_ldap.domain && my_ldap.domain[0] && strchr(user, '@') == 0 )
strcat(strcat(filter, "@"), my_ldap.domain);
strcat(filter, ")");
if (hasAdditionalFilter)
{
strcat(filter, ")");
}
timeout.tv_sec=my_ldap.timeout;
timeout.tv_usec=0;
read_env("LDAP_HOMEDIR", &attributes[0], "", 0, "homeDir");
read_env("LDAP_MAILDIR", &attributes[1], "", 0, 0);
read_env("LDAP_FULLNAME", &attributes[2], "", 0, "cn");
read_env("LDAP_CLEARPW", &attributes[3], "", 0, 0);
read_env("LDAP_CRYPTPW", &attributes[4], "", 0, 0);
read_env("LDAP_UID", &attributes[5], "", 0, 0);
read_env("LDAP_GID", &attributes[6], "", 0, 0);
attributes[7]=my_ldap.mail;
read_env("LDAP_MAILDIRQUOTA", &attributes[8], "", 0, 0);
j=0;
for (i=0; i<9; i++)
{
if (attributes[i])
ldap_attributes[j++]=attributes[i];
}
ldap_attributes[j]=0;
if (ldaperror(ldap_search_st(my_ldap_fp,
(char *)my_ldap.basedn,LDAP_SCOPE_SUBTREE,
filter, (char **)ldap_attributes, 0,
&timeout, &result)
!= LDAP_SUCCESS))
{
free(filter);
if (my_ldap_fp) return (-1);
return (1);
}
free(filter);
/* If we are more than one result, reject */
if (ldap_count_entries(my_ldap_fp,result)!=1)
{
ldap_msgfree(result);
return -1;
}
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"Nombre de résulat: %d\n",ldap_count_entries(my_ldap_fp,result));
#endif
dn = ldap_get_dn(my_ldap_fp, result);
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"DN: %s\n",dn);
#endif
if (dn == NULL)
{
ldap_perror(my_ldap_fp, "ldap_get_dn");
return -1;
}
/* Get the pointer on this result */
entry=ldap_first_entry(my_ldap_fp,result);
if (entry==NULL)
{
ldap_perror(my_ldap_fp,"ldap_first_entry");
free(dn);
return -1;
}
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"after ldap_first_entry\n");
#endif
/* Copy the directory and the password into struct */
copy_value(my_ldap_fp,entry,attributes[0],&homeDir, user);
if (attributes[1])
copy_value(my_ldap_fp,entry,attributes[1],&mailDir, user);
copy_value(my_ldap_fp,entry,attributes[2],&cn, user);
if (attributes[3])
copy_value(my_ldap_fp,entry,attributes[3],&userPassword, user);
if (attributes[4])
copy_value(my_ldap_fp,entry,attributes[4],&cryptPassword, user);
au=my_ldap.uid;
ag=my_ldap.gid;
if (attributes[5])
{
char *p=0;
unsigned long n;
copy_value(my_ldap_fp, entry, attributes[5], &p, user);
if (p) {
if (sscanf(p, "%lu", &n) > 0)
au= (uid_t)n;
free(p);
}
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"au= %d\n",au);
#endif
}
if (attributes[6])
{
char *p=0;
unsigned long n;
copy_value(my_ldap_fp, entry, attributes[6], &p, user);
if (p) {
if (sscanf(p, "%lu", &n) > 0)
ag= (gid_t)n;
free(p);
}
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"ag= %d\n",ag);
#endif
}
if (attributes[8])
copy_value(my_ldap_fp,entry,attributes[8],"a, user);
if (homeDir != 0 && my_ldap.mailroot != 0 && *my_ldap.mailroot)
{
char *new_mailroot=malloc(strlen(homeDir)+
strlen(my_ldap.mailroot)+2);
if (!new_mailroot)
{
syslog(LOG_DAEMON|LOG_CRIT, "authldap: malloc failed");
rc= -1;
}
else
{
strcat(strcat(strcpy(new_mailroot, my_ldap.mailroot),
"/"), homeDir);
free(homeDir);
homeDir=new_mailroot;
}
}
auth.sysusername=user;
auth.sysuserid= &au;
auth.sysgroupid= ag;
auth.homedir=homeDir;
auth.address=authaddr;
auth.fullname=cn;
auth.maildir=mailDir;
auth.clearpasswd=userPassword;
auth.passwd=cryptPassword;
auth.quota=quota;
if (auth.sysusername == 0)
auth.sysusername=auth.address="";
if (homeDir == 0)
auth.homedir="";
rc=0;
if (au == 0 || ag == 0)
{
syslog(LOG_DAEMON|LOG_CRIT,
"authlib: refuse to authenticate %s: uid=%d, gid=%d\n",
user, au, ag);
rc= 1;
}
if (pass)
{
if (my_ldap.authbind)
{
LDAP *bindp=ldapconnect();
if (!bindp)
rc=1;
else
{
#if HAVE_LDAP_TLS
if(my_ldap.tls && enable_tls_on(bindp)) {
#if HAVE_SYSLOG_H
syslog(LOG_DAEMON|LOG_CRIT, "authlib: LDAP_TLS enabled but I'm unable to start tls, check your config\n");
#endif
rc = 1;
} else {
#endif
switch (ldap_simple_bind_s(bindp, dn, (char *)pass))
{
case LDAP_SUCCESS:
break;
case LDAP_INVALID_CREDENTIALS:
rc = -1;
break;
default:
rc = 1;
break;
}
#if HAVE_LDAP_TLS
}
#endif
ldap_unbind(bindp);
}
if (rc == 0 && newpass)
{
if ((newpass_crypt=authcryptpasswd(newpass,
NULL))
== 0)
rc= -1;
}
}
else
{
if (auth.clearpasswd)
{
if (strcmp(pass,auth.clearpasswd))
rc= -1;
}
else
{
const char *p=auth.passwd;
if (p && strncasecmp(p, "{crypt}", 7) == 0)
p += 7; /* For authcheckpassword */
if (!p || authcheckpassword(pass, p))
rc= -1;
}
if (rc == 0 && newpass && auth.passwd)
{
if ((newpass_crypt=authcryptpasswd(newpass,
auth.passwd)
) == 0)
rc= -1;
}
}
}
if (rc == 0 && newpass)
{
LDAPMod *mods[3];
int mod_index=0;
LDAPMod mod_clear, mod_crypt;
char *mod_clear_vals[2], *mod_crypt_vals[2];
if (attributes[3])
{
mods[mod_index]= &mod_clear;
mod_clear.mod_op=LDAP_MOD_REPLACE;
mod_clear.mod_type=(char *)attributes[3];
mod_clear.mod_values=mod_clear_vals;
mod_clear_vals[0]=(char *)newpass;
mod_clear_vals[1]=NULL;
++mod_index;
}
if (attributes[4] && newpass_crypt)
{
mods[mod_index]= &mod_crypt;
mod_crypt.mod_op=LDAP_MOD_REPLACE;
mod_crypt.mod_type=(char *)attributes[4];
mod_crypt.mod_values=mod_crypt_vals;
mod_crypt_vals[0]=newpass_crypt;
mod_crypt_vals[1]=NULL;
++mod_index;
}
if (mod_index == 0)
rc= -1;
else
{
mods[mod_index]=0;
if (ldap_modify_s(my_ldap_fp, dn, mods))
{
rc= -1;
}
}
}
if (newpass_crypt)
free(newpass_crypt);
free (dn);
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"before callback rc=%d\n",rc);
#endif
if (rc == 0 && callback)
rc= (*callback)(&auth, arg);
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"after callback rc=%d\n",rc);
#endif
ldap_msgfree(result);
if (homeDir) free(homeDir);
if (mailDir) free(mailDir);
if (userPassword) free(userPassword);
if (cryptPassword) free(cryptPassword);
if (cn) free(cn);
if (quota) free(quota);
return (rc);
}
static int dochangepwd1(const char *service, const char *uid,
const char *opwd, const char *npwd,
const char *hmac_flag)
{
char *udbs;
char *services;
char *passwords;
int rc;
char *u;
struct userdbs *udb;
udbs=userdbshadow(USERDB "shadow.dat", uid);
if (!udbs)
{
errno=ENOENT;
return (-1);
}
if ((services=malloc(strlen(service)+sizeof("pw"))) == 0)
{
perror("malloc");
free(udbs);
errno=EPERM;
return (1);
}
strcat(strcpy(services, service), "pw");
DPRINTF("Checking for password called \"%s\"", services);
passwords=userdb_gets(udbs, services);
free(services);
if (passwords == 0 && hmac_flag == 0)
{
DPRINTF("Not found, checking for \"systempw\"");
passwords=userdb_gets(udbs, "systempw");
service="system";
}
if (!passwords || (hmac_flag ? strcmp(opwd, passwords):
authcheckpassword(opwd, passwords)))
{
if (!passwords)
{
DPRINTF("Password not found.");
}
else
{
DPRINTF("Password didn't match.");
}
if (passwords)
free(passwords);
free(udbs);
errno=EPERM;
return (-1);
}
free(passwords);
free(udbs);
userdb_init(USERDB ".dat");
if ( (u=userdb(uid)) == 0 ||
(udb=userdb_creates(u)) == 0)
{
if (u)
free(u);
errno=EPERM;
return (1);
}
rc=dochangepwd2(service, uid, u, udb, npwd);
userdb_frees(udb);
free(u);
return (rc);
}