int nssov_config(nssov_info *ni,TFILE *fp,Operation *op)
{
int opt;
int32_t tmpint32;
struct berval *msg = BER_BVC("");
int rc = NSLCD_PAM_SUCCESS;
READ_INT32(fp,opt);
Debug(LDAP_DEBUG_TRACE, "nssov_config (%d)\n",opt,0,0);
switch (opt) {
case NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE:
/* request for pam password_prothibit_message */
/* nssov_pam prohibits password */
if (!BER_BVISEMPTY(&ni->ni_pam_password_prohibit_message)) {
Debug(LDAP_DEBUG_TRACE,"nssov_config(): %s (%s)\n",
"password_prohibit_message",
ni->ni_pam_password_prohibit_message.bv_val,0);
msg = &ni->ni_pam_password_prohibit_message;
rc = NSLCD_PAM_PERM_DENIED;
}
/* fall through */
default:
break;
}
done:;
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,NSLCD_ACTION_CONFIG_GET);
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_BERVAL(fp,msg);
WRITE_INT32(fp,NSLCD_RESULT_END);
return 0;
}
void client_write_move(remote_process_client *client, const struct ct_move *move)
{
WRITE_BYTE(MSG_MOVE_MESSAGE);
WRITE_BYTE(1);
WRITE_BYTE((signed char)move->action);
WRITE_BYTE((signed char)move->direction);
WRITE_INT32(move->position.x);
WRITE_INT32(move->position.y);
FLUSH();
}
/* get a single passwd entry by uid */
nss_status_t _nss_ldap_getpwuid_r(uid_t uid, struct passwd *result,
char *buffer, size_t buflen, int *errnop)
{
NSS_GETONE(NSLCD_ACTION_PASSWD_BYUID,
WRITE_INT32(fp, uid),
read_passwd(fp, result, buffer, buflen, errnop));
}
static int write_alias(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqalias)
{
int32_t tmpint32,tmp2int32,tmp3int32;
const char **names,**members;
int i;
/* get the name of the alias */
names=myldap_get_values(entry,attmap_alias_cn);
if ((names==NULL)||(names[0]==NULL))
{
log_log(LOG_WARNING,"alias entry %s does not contain %s value",
myldap_get_dn(entry),attmap_alias_cn);
return 0;
}
/* get the members of the alias */
members=myldap_get_values(entry,attmap_alias_rfc822MailMember);
/* for each name, write an entry */
for (i=0;names[i]!=NULL;i++)
{
if ((reqalias==NULL)||(strcasecmp(reqalias,names[i])==0))
{
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_STRING(fp,names[i]);
WRITE_STRINGLIST(fp,members);
}
}
return 0;
}
int pam_authc(nssov_info *ni,TFILE *fp,Operation *op)
{
int32_t tmpint32;
int rc;
slap_callback cb = {0};
char dnc[1024];
char uidc[32];
char svcc[256];
char pwdc[256];
struct berval sdn, dn;
struct paminfo pi;
READ_STRING(fp,uidc);
pi.uid.bv_val = uidc;
pi.uid.bv_len = tmpint32;
READ_STRING(fp,dnc);
pi.dn.bv_val = dnc;
pi.dn.bv_len = tmpint32;
READ_STRING(fp,svcc);
pi.svc.bv_val = svcc;
pi.svc.bv_len = tmpint32;
READ_STRING(fp,pwdc);
pi.pwd.bv_val = pwdc;
pi.pwd.bv_len = tmpint32;
Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(%s)\n",pi.uid.bv_val,0,0);
rc = pam_do_bind(ni, fp, op, &pi);
finish:
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHC);
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_BERVAL(fp,&pi.uid);
WRITE_BERVAL(fp,&pi.dn);
WRITE_INT32(fp,rc);
WRITE_INT32(fp,pi.authz); /* authz */
WRITE_BERVAL(fp,&pi.msg); /* authzmsg */
return 0;
}
/* write a single network entry to the stream */
static int write_network(TFILE *fp,MYLDAP_ENTRY *entry)
{
int32_t tmpint32,tmp2int32,tmp3int32;
int numaddr,i;
const char *networkname;
const char **networknames;
const char **addresses;
/* get the most canonical name */
networkname=myldap_get_rdn_value(entry,attmap_network_cn);
/* get the other names for the network */
networknames=myldap_get_values(entry,attmap_network_cn);
if ((networknames==NULL)||(networknames[0]==NULL))
{
log_log(LOG_WARNING,"network entry %s does not contain %s value",
myldap_get_dn(entry),attmap_network_cn);
return 0;
}
/* if the networkname is not yet found, get the first entry from networknames */
if (networkname==NULL)
networkname=networknames[0];
/* get the addresses */
addresses=myldap_get_values(entry,attmap_network_ipNetworkNumber);
if ((addresses==NULL)||(addresses[0]==NULL))
{
log_log(LOG_WARNING,"network entry %s does not contain %s value",
myldap_get_dn(entry),attmap_network_ipNetworkNumber);
return 0;
}
/* write the entry */
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_STRING(fp,networkname);
WRITE_STRINGLIST_EXCEPT(fp,networknames,networkname);
for (numaddr=0;addresses[numaddr]!=NULL;numaddr++)
/*noting*/ ;
WRITE_INT32(fp,numaddr);
for (i=0;i<numaddr;i++)
{
WRITE_ADDRESS(fp,addresses[i]);
}
return 0;
}
static int write_shadow(TFILE *fp, MYLDAP_ENTRY *entry, const char *requser,
uid_t calleruid)
{
int32_t tmpint32;
const char **usernames;
const char *passwd;
long lastchangedate;
long mindays;
long maxdays;
long warndays;
long inactdays;
long expiredate;
unsigned long flag;
int i;
char passbuffer[BUFLEN_PASSWORDHASH];
/* get username */
usernames = myldap_get_values(entry, attmap_shadow_uid);
if ((usernames == NULL) || (usernames[0] == NULL))
{
log_log(LOG_WARNING, "%s: %s: missing",
myldap_get_dn(entry), attmap_shadow_uid);
return 0;
}
/* get password */
passwd = get_userpassword(entry, attmap_shadow_userPassword,
passbuffer, sizeof(passbuffer));
if ((passwd == NULL) || (calleruid != 0))
passwd = default_shadow_userPassword;
/* get expiry properties */
get_shadow_properties(entry, &lastchangedate, &mindays, &maxdays, &warndays,
&inactdays, &expiredate, &flag);
/* write the entries */
for (i = 0; usernames[i] != NULL; i++)
if ((requser == NULL) || (STR_CMP(requser, usernames[i]) == 0))
{
WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
WRITE_STRING(fp, usernames[i]);
WRITE_STRING(fp, passwd);
WRITE_INT32(fp, lastchangedate);
WRITE_INT32(fp, mindays);
WRITE_INT32(fp, maxdays);
WRITE_INT32(fp, warndays);
WRITE_INT32(fp, inactdays);
WRITE_INT32(fp, expiredate);
WRITE_INT32(fp, flag);
}
return 0;
}
/* this writes a single address to the stream */
int write_address(TFILE *fp,const char *addr)
{
int32_t tmpint32;
struct in_addr ipv4addr;
struct in6_addr ipv6addr;
/* try to parse the address as IPv4 first, fall back to IPv6 */
if (inet_pton(AF_INET,addr,&ipv4addr)>0)
{
/* write address type */
WRITE_INT32(fp,AF_INET);
/* write the address length */
WRITE_INT32(fp,sizeof(struct in_addr));
/* write the address itself (in network byte order) */
WRITE_TYPE(fp,ipv4addr,struct in_addr);
}
else if (inet_pton(AF_INET6,addr,&ipv6addr)>0)
{
/* write address type */
WRITE_INT32(fp,AF_INET6);
/* write the address length */
WRITE_INT32(fp,sizeof(struct in6_addr));
/* write the address itself (in network byte order) */
WRITE_TYPE(fp,ipv6addr,struct in6_addr);
}
else
{
/* failure, log but write simple invalid address
(otherwise the address list is messed up) */
/* TODO: have error message in correct format */
log_log(LOG_WARNING,"unparseble address: %s",addr);
/* write an illegal address type */
WRITE_INT32(fp,-1);
/* write an emtpy address */
WRITE_INT32(fp,0);
}
/* we're done */
return 0;
}
/* this writes a single address to the stream */
int write_address(TFILE *fp,struct berval *addr)
{
int32_t tmpint32;
struct in_addr ipv4addr;
struct in6_addr ipv6addr;
/* try to parse the address as IPv4 first, fall back to IPv6 */
if (inet_pton(AF_INET,addr->bv_val,&ipv4addr)>0)
{
/* write address type */
WRITE_INT32(fp,AF_INET);
/* write the address length */
WRITE_INT32(fp,sizeof(struct in_addr));
/* write the address itself (in network byte order) */
WRITE_TYPE(fp,ipv4addr,struct in_addr);
}
else if (inet_pton(AF_INET6,addr->bv_val,&ipv6addr)>0)
{
/* write address type */
WRITE_INT32(fp,AF_INET6);
/* write the address length */
WRITE_INT32(fp,sizeof(struct in6_addr));
/* write the address itself (in network byte order) */
WRITE_TYPE(fp,ipv6addr,struct in6_addr);
}
else
{
/* failure, log but write simple invalid address
(otherwise the address list is messed up) */
/* TODO: have error message in correct format */
Debug(LDAP_DEBUG_ANY,"nssov: unparseable address: %s\n",addr->bv_val,0,0);
/* write an illegal address type */
WRITE_INT32(fp,-1);
/* write an empty address */
WRITE_INT32(fp,0);
}
/* we're done */
return 0;
}
static int write_protocol(TFILE *fp, MYLDAP_ENTRY *entry, const char *reqname)
{
int32_t tmpint32, tmp2int32, tmp3int32;
const char *name;
const char **aliases;
const char **protos;
char *tmp;
long proto;
int i;
/* get the most canonical name */
name = myldap_get_rdn_value(entry, attmap_protocol_cn);
/* get the other names for the protocol */
aliases = myldap_get_values(entry, attmap_protocol_cn);
if ((aliases == NULL) || (aliases[0] == NULL))
{
log_log(LOG_WARNING, "%s: %s: missing",
myldap_get_dn(entry), attmap_protocol_cn);
return 0;
}
/* if the protocol name is not yet found, get the first entry */
if (name == NULL)
name = aliases[0];
/* check case of returned protocol entry */
if ((reqname != NULL) && (STR_CMP(reqname, name) != 0))
{
for (i = 0; (aliases[i] != NULL) && (STR_CMP(reqname, aliases[i]) != 0); i++)
/* nothing */ ;
if (aliases[i] == NULL)
return 0; /* neither the name nor any of the aliases matched */
}
/* get the protocol number */
protos = myldap_get_values(entry, attmap_protocol_ipProtocolNumber);
if ((protos == NULL) || (protos[0] == NULL))
{
log_log(LOG_WARNING, "%s: %s: missing",
myldap_get_dn(entry), attmap_protocol_ipProtocolNumber);
return 0;
}
else if (protos[1] != NULL)
{
log_log(LOG_WARNING, "%s: %s: multiple values",
myldap_get_dn(entry), attmap_protocol_ipProtocolNumber);
}
errno = 0;
proto = strtol(protos[0], &tmp, 10);
if ((*(protos[0]) == '\0') || (*tmp != '\0'))
{
log_log(LOG_WARNING, "%s: %s: non-numeric",
myldap_get_dn(entry), attmap_protocol_ipProtocolNumber);
return 0;
}
else if ((errno != 0) || (proto < 0) || (proto > (long)UINT8_MAX))
{
log_log(LOG_WARNING, "%s: %s: out of range",
myldap_get_dn(entry), attmap_protocol_ipProtocolNumber);
return 0;
}
/* write entry */
WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
WRITE_STRING(fp, name);
WRITE_STRINGLIST_EXCEPT(fp, aliases, name);
/* proto number is actually an 8-bit value but we write 32 bits anyway */
WRITE_INT32(fp, proto);
return 0;
}
int nslcd_usermod(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid)
{
int32_t tmpint32;
int rc = LDAP_SUCCESS;
char username[BUFLEN_NAME];
int asroot, isroot;
char password[BUFLEN_PASSWORD];
int32_t param;
char buffer[4096];
size_t buflen = sizeof(buffer);
size_t bufptr = 0;
const char *value = NULL;
const char *fullname = NULL, *roomnumber = NULL, *workphone = NULL;
const char *homephone = NULL, *other = NULL, *homedir = NULL;
const char *shell = NULL;
const char *binddn = NULL; /* the user performing the modification */
MYLDAP_ENTRY *entry;
MYLDAP_SESSION *newsession;
char errmsg[BUFLEN_MESSAGE];
/* read request parameters */
READ_STRING(fp, username);
READ_INT32(fp, asroot);
READ_STRING(fp, password);
/* read the usermod parameters */
while (1)
{
READ_INT32(fp, param);
if (param == NSLCD_USERMOD_END)
break;
READ_BUF_STRING(fp, value);
switch (param)
{
case NSLCD_USERMOD_FULLNAME: fullname = value; break;
case NSLCD_USERMOD_ROOMNUMBER: roomnumber = value; break;
case NSLCD_USERMOD_WORKPHONE: workphone = value; break;
case NSLCD_USERMOD_HOMEPHONE: homephone = value; break;
case NSLCD_USERMOD_OTHER: other = value; break;
case NSLCD_USERMOD_HOMEDIR: homedir = value; break;
case NSLCD_USERMOD_SHELL: shell = value; break;
default: /* other parameters are silently ignored */ break;
}
}
/* log call */
log_setrequest("usermod=\"%s\"", username);
log_log(LOG_DEBUG, "nslcd_usermod(\"%s\",%s,\"%s\")",
username, asroot ? "asroot" : "asuser", *password ? "***" : "");
if (fullname != NULL)
log_log(LOG_DEBUG, "nslcd_usermod(fullname=\"%s\")", fullname);
if (roomnumber != NULL)
log_log(LOG_DEBUG, "nslcd_usermod(roomnumber=\"%s\")", roomnumber);
if (workphone != NULL)
log_log(LOG_DEBUG, "nslcd_usermod(workphone=\"%s\")", workphone);
if (homephone != NULL)
log_log(LOG_DEBUG, "nslcd_usermod(homephone=\"%s\")", homephone);
if (other != NULL)
log_log(LOG_DEBUG, "nslcd_usermod(other=\"%s\")", other);
if (homedir != NULL)
log_log(LOG_DEBUG, "nslcd_usermod(homedir=\"%s\")", homedir);
if (shell != NULL)
log_log(LOG_DEBUG, "nslcd_usermod(shell=\"%s\")", shell);
/* write the response header */
WRITE_INT32(fp, NSLCD_VERSION);
WRITE_INT32(fp, NSLCD_ACTION_USERMOD);
/* validate request */
entry = validate_user(session, username, &rc);
if (entry == NULL)
{
/* for user not found we just say no result, otherwise break the protocol */
if (rc == LDAP_NO_SUCH_OBJECT)
{
WRITE_INT32(fp, NSLCD_RESULT_END);
}
return -1;
}
/* check if it is a modification as root */
isroot = (calleruid == 0) && asroot;
if (asroot)
{
if (nslcd_cfg->rootpwmoddn == NULL)
{
log_log(LOG_NOTICE, "rootpwmoddn not configured");
/* we break the protocol */
return -1;
}
binddn = nslcd_cfg->rootpwmoddn;
/* check if rootpwmodpw should be used */
if ((*password == '\0') && isroot && (nslcd_cfg->rootpwmodpw != NULL))
{
if (strlen(nslcd_cfg->rootpwmodpw) >= sizeof(password))
{
log_log(LOG_ERR, "nslcd_pam_pwmod(): rootpwmodpw will not fit in password");
return -1;
}
strcpy(password, nslcd_cfg->rootpwmodpw);
}
}
else
binddn = myldap_get_dn(entry);
WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
/* home directory change requires either root or valid directory */
if ((homedir != NULL) && (!isroot) && !is_valid_homedir(homedir))
{
log_log(LOG_NOTICE, "invalid directory: %s", homedir);
WRITE_INT32(fp, NSLCD_USERMOD_HOMEDIR);
WRITE_STRING(fp, "invalid directory");
homedir = NULL;
}
/* shell change requires either root or a valid shell */
if ((shell != NULL) && (!isroot) && !is_valid_shell(shell))
{
log_log(LOG_NOTICE, "invalid shell: %s", shell);
WRITE_INT32(fp, NSLCD_USERMOD_SHELL);
WRITE_STRING(fp, "invalid shell");
shell = NULL;
}
/* perform requested changes */
newsession = get_session(binddn, myldap_get_dn(entry), password, &rc);
if (newsession != NULL)
{
rc = change(newsession, myldap_get_dn(entry), homedir, shell);
myldap_session_close(newsession);
}
/* return response to caller */
if (rc != LDAP_SUCCESS)
{
log_log(LOG_WARNING, "%s: modification failed: %s",
myldap_get_dn(entry), ldap_err2string(rc));
mysnprintf(errmsg, sizeof(errmsg) - 1, "change failed: %s", ldap_err2string(rc));
WRITE_INT32(fp, NSLCD_USERMOD_RESULT);
WRITE_STRING(fp, errmsg);
WRITE_INT32(fp, NSLCD_USERMOD_END);
WRITE_INT32(fp, NSLCD_RESULT_END);
return 0;
}
log_log(LOG_NOTICE, "changed information for %s", myldap_get_dn(entry));
WRITE_INT32(fp, NSLCD_USERMOD_END);
WRITE_INT32(fp, NSLCD_RESULT_END);
return 0;
}
void client_write_protocol_version(remote_process_client *client)
{
WRITE_BYTE(MSG_PROTOCOL_VERSION);
WRITE_INT32(2);
FLUSH();
}
static void client_write_string(remote_process_client *client, const char *str)
{
int32 length = (int32)strlen(str);
WRITE_INT32(length);
client_write_bytes(client, str, length);
}
int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
{
struct berval dn, uid, svc, ruser, rhost, tty;
struct berval authzmsg = BER_BVNULL;
int32_t tmpint32;
char dnc[1024];
char uidc[32];
char svcc[256];
char ruserc[32];
char rhostc[256];
char ttyc[256];
int rc;
Entry *e = NULL;
Attribute *a;
slap_callback cb = {0};
READ_STRING(fp,uidc);
uid.bv_val = uidc;
uid.bv_len = tmpint32;
READ_STRING(fp,dnc);
dn.bv_val = dnc;
dn.bv_len = tmpint32;
READ_STRING(fp,svcc);
svc.bv_val = svcc;
svc.bv_len = tmpint32;
READ_STRING(fp,ruserc);
ruser.bv_val = ruserc;
ruser.bv_len = tmpint32;
READ_STRING(fp,rhostc);
rhost.bv_val = rhostc;
rhost.bv_len = tmpint32;
READ_STRING(fp,ttyc);
tty.bv_val = ttyc;
tty.bv_len = tmpint32;
Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(%s)\n",dn.bv_val,0,0);
/* If we didn't do authc, we don't have a DN yet */
if (BER_BVISEMPTY(&dn)) {
struct paminfo pi;
pi.uid = uid;
pi.svc = svc;
rc = pam_uid2dn(ni, op, &pi);
if (rc) goto finish;
dn = pi.dn;
}
/* See if they have access to the host and service */
if ((ni->ni_pam_opts & NI_PAM_HOSTSVC) && nssov_pam_svc_ad) {
AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
struct berval hostdn = BER_BVNULL;
struct berval odn = op->o_ndn;
SlapReply rs = {REP_RESULT};
op->o_dn = dn;
op->o_ndn = dn;
{
nssov_mapinfo *mi = &ni->ni_maps[NM_host];
char fbuf[1024];
struct berval filter = {sizeof(fbuf),fbuf};
SlapReply rs2 = {REP_RESULT};
/* Lookup the host entry */
nssov_filter_byname(mi,0,&global_host_bv,&filter);
cb.sc_private = &hostdn;
cb.sc_response = nssov_name2dn_cb;
op->o_callback = &cb;
op->o_req_dn = mi->mi_base;
op->o_req_ndn = mi->mi_base;
op->ors_scope = mi->mi_scope;
op->ors_filterstr = filter;
op->ors_filter = str2filter_x(op, filter.bv_val);
op->ors_attrs = slap_anlist_no_attrs;
op->ors_tlimit = SLAP_NO_LIMIT;
op->ors_slimit = 2;
rc = op->o_bd->be_search(op, &rs2);
filter_free_x(op, op->ors_filter, 1);
if (BER_BVISEMPTY(&hostdn) &&
!BER_BVISEMPTY(&ni->ni_pam_defhost)) {
filter.bv_len = sizeof(fbuf);
filter.bv_val = fbuf;
rs_reinit(&rs2, REP_RESULT);
nssov_filter_byname(mi,0,&ni->ni_pam_defhost,&filter);
op->ors_filterstr = filter;
op->ors_filter = str2filter_x(op, filter.bv_val);
rc = op->o_bd->be_search(op, &rs2);
filter_free_x(op, op->ors_filter, 1);
}
/* no host entry, no default host -> deny */
if (BER_BVISEMPTY(&hostdn)) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = hostmsg;
goto finish;
}
}
cb.sc_response = pam_compare_cb;
cb.sc_private = NULL;
op->o_tag = LDAP_REQ_COMPARE;
op->o_req_dn = hostdn;
op->o_req_ndn = hostdn;
ava.aa_desc = nssov_pam_svc_ad;
ava.aa_value = svc;
op->orc_ava = &ava;
rc = op->o_bd->be_compare( op, &rs );
if ( cb.sc_private == NULL ) {
authzmsg = svcmsg;
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
}
op->o_dn = odn;
op->o_ndn = odn;
}
/* See if they're a member of the group */
if ((ni->ni_pam_opts & NI_PAM_USERGRP) &&
!BER_BVISEMPTY(&ni->ni_pam_group_dn) &&
ni->ni_pam_group_ad) {
AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
SlapReply rs = {REP_RESULT};
op->o_callback = &cb;
cb.sc_response = slap_null_cb;
op->o_tag = LDAP_REQ_COMPARE;
op->o_req_dn = ni->ni_pam_group_dn;
op->o_req_ndn = ni->ni_pam_group_dn;
ava.aa_desc = ni->ni_pam_group_ad;
ava.aa_value = dn;
op->orc_ava = &ava;
rc = op->o_bd->be_compare( op, &rs );
if ( rs.sr_err != LDAP_COMPARE_TRUE ) {
authzmsg = grpmsg;
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
}
}
/* We need to check the user's entry for these bits */
if ((ni->ni_pam_opts & (NI_PAM_USERHOST|NI_PAM_USERSVC)) ||
ni->ni_pam_template_ad ||
ni->ni_pam_min_uid || ni->ni_pam_max_uid ) {
rc = be_entry_get_rw( op, &dn, NULL, NULL, 0, &e );
if (rc != LDAP_SUCCESS) {
rc = NSLCD_PAM_USER_UNKNOWN;
goto finish;
}
}
if ((ni->ni_pam_opts & NI_PAM_USERHOST) && nssov_pam_host_ad) {
a = attr_find(e->e_attrs, nssov_pam_host_ad);
if (!a || attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_VALUE_OF_SYNTAX,
&global_host_bv, NULL, op->o_tmpmemctx )) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = hostmsg;
goto finish;
}
}
if ((ni->ni_pam_opts & NI_PAM_USERSVC) && nssov_pam_svc_ad) {
a = attr_find(e->e_attrs, nssov_pam_svc_ad);
if (!a || attr_valfind( a,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_VALUE_OF_SYNTAX,
&svc, NULL, op->o_tmpmemctx )) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = svcmsg;
goto finish;
}
}
/* from passwd.c */
#define UIDN_KEY 2
if (ni->ni_pam_min_uid || ni->ni_pam_max_uid) {
int id;
char *tmp;
nssov_mapinfo *mi = &ni->ni_maps[NM_passwd];
a = attr_find(e->e_attrs, mi->mi_attrs[UIDN_KEY].an_desc);
if (!a) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
id = (int)strtol(a->a_vals[0].bv_val,&tmp,0);
if (a->a_vals[0].bv_val[0] == '\0' || *tmp != '\0') {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
if ((ni->ni_pam_min_uid && id < ni->ni_pam_min_uid) ||
(ni->ni_pam_max_uid && id > ni->ni_pam_max_uid)) {
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
}
if (ni->ni_pam_template_ad) {
a = attr_find(e->e_attrs, ni->ni_pam_template_ad);
if (a)
uid = a->a_vals[0];
else if (!BER_BVISEMPTY(&ni->ni_pam_template))
uid = ni->ni_pam_template;
}
rc = NSLCD_PAM_SUCCESS;
finish:
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHZ);
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_BERVAL(fp,&uid);
WRITE_BERVAL(fp,&dn);
WRITE_INT32(fp,rc);
WRITE_BERVAL(fp,&authzmsg);
if (e) {
be_entry_release_r(op, e);
}
return 0;
}
static nss_status_t passwd_getpwuid(nss_backend_t UNUSED(*be), void *args)
{
NSS_GETONE(NSLCD_ACTION_PASSWD_BYUID,
WRITE_INT32(fp, NSS_ARGS(args)->key.uid),
read_result(fp, args));
}
/* write a single rpc entry to the stream */
static int write_rpc(TFILE *fp, MYLDAP_ENTRY *entry, const char *reqname)
{
int32_t tmpint32, tmp2int32, tmp3int32;
const char *name;
const char **aliases;
const char **numbers;
char *tmp;
unsigned long number;
int i;
/* get the most canonical name */
name = myldap_get_rdn_value(entry, attmap_rpc_cn);
/* get the other names for the rpc entries */
aliases = myldap_get_values(entry, attmap_rpc_cn);
if ((aliases == NULL) || (aliases[0] == NULL))
{
log_log(LOG_WARNING, "%s: %s: missing",
myldap_get_dn(entry), attmap_rpc_cn);
return 0;
}
/* if the rpc name is not yet found, get the first entry */
if (name == NULL)
name = aliases[0];
/* check case of returned rpc entry */
if ((reqname != NULL) && (STR_CMP(reqname, name) != 0))
{
for (i = 0; (aliases[i] != NULL) && (STR_CMP(reqname, aliases[i]) != 0); i++)
/* nothing */ ;
if (aliases[i] == NULL)
return 0; /* neither the name nor any of the aliases matched */
}
/* get the rpc number */
numbers = myldap_get_values(entry, attmap_rpc_oncRpcNumber);
if ((numbers == NULL) || (numbers[0] == NULL))
{
log_log(LOG_WARNING, "%s: %s: missing",
myldap_get_dn(entry), attmap_rpc_oncRpcNumber);
return 0;
}
else if (numbers[1] != NULL)
{
log_log(LOG_WARNING, "%s: %s: multiple values",
myldap_get_dn(entry), attmap_rpc_oncRpcNumber);
}
errno = 0;
number = strtol(numbers[0], &tmp, 10);
if ((*(numbers[0]) == '\0') || (*tmp != '\0'))
{
log_log(LOG_WARNING, "%s: %s: non-numeric",
myldap_get_dn(entry), attmap_rpc_oncRpcNumber);
return 0;
}
else if ((errno != 0) || (number > UINT32_MAX))
{
log_log(LOG_WARNING, "%s: %s: out of range",
myldap_get_dn(entry), attmap_rpc_oncRpcNumber);
return 0;
}
/* write the entry */
WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
WRITE_STRING(fp, name);
WRITE_STRINGLIST_EXCEPT(fp, aliases, name);
WRITE_INT32(fp, number);
return 0;
}
static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action)
{
struct berval dn, uid, svc, tty, rhost, ruser;
int32_t tmpint32;
char dnc[1024];
char svcc[256];
char uidc[32];
char ttyc[32];
char rhostc[256];
char ruserc[32];
slap_callback cb = {0};
SlapReply rs = {REP_RESULT};
char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE];
struct berval timestamp, bv[2], *nbv;
time_t stamp;
Modifications mod;
READ_STRING(fp,uidc);
uid.bv_val = uidc;
uid.bv_len = tmpint32;
READ_STRING(fp,dnc);
dn.bv_val = dnc;
dn.bv_len = tmpint32;
READ_STRING(fp,svcc);
svc.bv_val = svcc;
svc.bv_len = tmpint32;
READ_STRING(fp,ttyc);
tty.bv_val = ttyc;
tty.bv_len = tmpint32;
READ_STRING(fp,rhostc);
rhost.bv_val = rhostc;
rhost.bv_len = tmpint32;
READ_STRING(fp,ruserc);
ruser.bv_val = ruserc;
ruser.bv_len = tmpint32;
READ_INT32(fp,stamp);
Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(%s)\n",
action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', dn.bv_val,0);
if (!dn.bv_len || !ni->ni_pam_sessions) return 0;
{
int i, found=0;
for (i=0; !BER_BVISNULL(&ni->ni_pam_sessions[i]); i++) {
if (ni->ni_pam_sessions[i].bv_len != svc.bv_len)
continue;
if (!strcasecmp(ni->ni_pam_sessions[i].bv_val, svc.bv_val)) {
found = 1;
break;
}
}
if (!found) return 0;
}
slap_op_time( &op->o_time, &op->o_tincr );
timestamp.bv_len = sizeof(timebuf);
timestamp.bv_val = timebuf;
if (action == NSLCD_ACTION_PAM_SESS_O )
stamp = op->o_time;
slap_timestamp( &stamp, ×tamp );
bv[0].bv_len = timestamp.bv_len + global_host_bv.bv_len + svc.bv_len +
tty.bv_len + ruser.bv_len + rhost.bv_len + STRLENOF(" (@)");
bv[0].bv_val = op->o_tmpalloc( bv[0].bv_len+1, op->o_tmpmemctx );
sprintf(bv[0].bv_val, "%s %s %s %s (%s@%s)",
timestamp.bv_val, global_host_bv.bv_val, svc.bv_val, tty.bv_val,
ruser.bv_val, rhost.bv_val);
mod.sml_numvals = 1;
mod.sml_values = bv;
BER_BVZERO(&bv[1]);
attr_normalize( ad_loginStatus, bv, &nbv, op->o_tmpmemctx );
mod.sml_nvalues = nbv;
mod.sml_desc = ad_loginStatus;
mod.sml_op = action == NSLCD_ACTION_PAM_SESS_O ? LDAP_MOD_ADD :
LDAP_MOD_DELETE;
mod.sml_flags = SLAP_MOD_INTERNAL;
mod.sml_next = NULL;
cb.sc_response = slap_null_cb;
op->o_callback = &cb;
op->o_tag = LDAP_REQ_MODIFY;
op->o_dn = op->o_bd->be_rootdn;
op->o_ndn = op->o_bd->be_rootndn;
op->orm_modlist = &mod;
op->orm_no_opattrs = 1;
op->o_req_dn = dn;
op->o_req_ndn = dn;
op->o_bd->be_modify( op, &rs );
if ( mod.sml_next ) {
slap_mods_free( mod.sml_next, 1 );
}
ber_bvarray_free_x( nbv, op->o_tmpmemctx );
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,action);
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_INT32(fp,op->o_time);
return 0;
}
int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
{
struct berval npw;
int32_t tmpint32;
char dnc[1024];
char uidc[32];
char opwc[256];
char npwc[256];
char svcc[256];
struct paminfo pi;
int rc;
READ_STRING(fp,uidc);
pi.uid.bv_val = uidc;
pi.uid.bv_len = tmpint32;
READ_STRING(fp,dnc);
pi.dn.bv_val = dnc;
pi.dn.bv_len = tmpint32;
READ_STRING(fp,svcc);
pi.svc.bv_val = svcc;
pi.svc.bv_len = tmpint32;
READ_STRING(fp,opwc);
pi.pwd.bv_val = opwc;
pi.pwd.bv_len = tmpint32;
READ_STRING(fp,npwc);
npw.bv_val = npwc;
npw.bv_len = tmpint32;
Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(%s), %s\n",
pi.dn.bv_val,pi.uid.bv_val,0);
BER_BVZERO(&pi.msg);
/* This is a prelim check */
if (BER_BVISEMPTY(&pi.dn)) {
rc = pam_do_bind(ni,fp,op,&pi);
if (rc == NSLCD_PAM_IGNORE)
rc = NSLCD_PAM_SUCCESS;
} else {
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
struct berval bv;
SlapReply rs = {REP_RESULT};
slap_callback cb = {0};
ber_init_w_nullc(ber, LBER_USE_DER);
ber_printf(ber, "{");
if (!BER_BVISEMPTY(&pi.pwd))
ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_OLD,
&pi.pwd);
if (!BER_BVISEMPTY(&npw))
ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW,
&npw);
ber_printf(ber, "N}");
ber_flatten2(ber, &bv, 0);
op->o_tag = LDAP_REQ_EXTENDED;
op->ore_reqoid = slap_EXOP_MODIFY_PASSWD;
op->ore_reqdata = &bv;
op->o_dn = pi.dn;
op->o_ndn = pi.dn;
op->o_callback = &cb;
op->o_conn->c_authz_backend = op->o_bd;
cb.sc_response = slap_null_cb;
op->o_bd = frontendDB;
rc = op->o_bd->be_extended(op, &rs);
if (rs.sr_text)
ber_str2bv(rs.sr_text, 0, 0, &pi.msg);
if (rc == LDAP_SUCCESS)
rc = NSLCD_PAM_SUCCESS;
else
rc = NSLCD_PAM_PERM_DENIED;
}
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD);
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_BERVAL(fp,&pi.uid);
WRITE_BERVAL(fp,&pi.dn);
WRITE_INT32(fp,rc);
WRITE_BERVAL(fp,&pi.msg);
return 0;
}
