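/*
 * Handle an NSLCD_ACTION_CONFIG_GET request from nslcd.
 *
 * Reads one int32 option id from fp and answers with a single string:
 * for NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE the configured
 * ni_pam_password_prohibit_message (when one is set), otherwise an
 * empty string.  @op is part of the handler signature and is not used.
 * The reply carries only the string; no PAM result code is sent, so
 * none is computed.
 *
 * Returns 0 once the reply has been written; the READ_/WRITE_ macros
 * (defined elsewhere) return early on transport errors.
 */
int nssov_config(nssov_info *ni,TFILE *fp,Operation *op)
{
	int opt;
	int32_t tmpint32;	/* scratch word used by the READ_/WRITE_ macros */
	/* A real empty berval rather than a braced initializer on the pointer:
	 * `struct berval *msg = BER_BVC("")` initializes a scalar from an
	 * initializer list, which resolves to a null pointer and only works
	 * because WRITE_BERVAL tolerates NULL. */
	struct berval empty = BER_BVC("");
	struct berval *msg = &empty;

	READ_INT32(fp,opt);

	Debug(LDAP_DEBUG_TRACE, "nssov_config (%d)\n",opt,0,0);

	if (opt == NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE &&
		!BER_BVISEMPTY(&ni->ni_pam_password_prohibit_message)) {
		/* request for pam password_prohibit_message: the text nssov_pam
		 * hands back when it prohibits password changes */
		Debug(LDAP_DEBUG_TRACE,"nssov_config(): %s (%s)\n",
			"password_prohibit_message",
			ni->ni_pam_password_prohibit_message.bv_val,0);
		msg = &ni->ni_pam_password_prohibit_message;
	}
	/* every other option id, or no configured message, answers "" */

	WRITE_INT32(fp,NSLCD_VERSION);
	WRITE_INT32(fp,NSLCD_ACTION_CONFIG_GET);
	WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
	WRITE_BERVAL(fp,msg);
	WRITE_INT32(fp,NSLCD_RESULT_END);
	return 0;
}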
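/*
 * Handle an NSLCD_ACTION_PAM_AUTHC request: authenticate a user by
 * binding to the directory with the supplied password.
 *
 * Wire format read from fp, in order: uid, dn, service, password.
 * READ_STRING is defined elsewhere; each call leaves the string length
 * in tmpint32 (it is assumed to bound the read to the target buffer).
 * The reply written back is: version, action, RESULT_BEGIN, uid, dn,
 * rc, pi.authz, pi.msg.
 *
 * Returns 0 once the reply has been written; the READ_/WRITE_ macros
 * return early on transport errors.
 */
int pam_authc(nssov_info *ni,TFILE *fp,Operation *op)
{
	int32_t tmpint32;	/* scratch word used by the READ_/WRITE_ macros */
	int rc;
	char dnc[1024];
	char uidc[32];
	char svcc[256];
	char pwdc[256];
	struct paminfo pi;

	READ_STRING(fp,uidc);
	pi.uid.bv_val = uidc;
	pi.uid.bv_len = tmpint32;
	READ_STRING(fp,dnc);
	pi.dn.bv_val = dnc;
	pi.dn.bv_len = tmpint32;
	READ_STRING(fp,svcc);
	pi.svc.bv_val = svcc;
	pi.svc.bv_len = tmpint32;
	READ_STRING(fp,pwdc);
	pi.pwd.bv_val = pwdc;
	pi.pwd.bv_len = tmpint32;

	/* only the uid is traced; the password never reaches the log */
	Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(%s)\n",pi.uid.bv_val,0,0);

	/* pam_do_bind (defined elsewhere) performs the bind.  pi.authz and
	 * pi.msg are not initialized here and are sent in the reply, so
	 * pam_do_bind must set them on every path -- confirm.
	 * NOTE(review): pwdc holds the cleartext password on the stack until
	 * return; consider clearing it once the bind is done. */
	rc = pam_do_bind(ni, fp, op, &pi);

	WRITE_INT32(fp,NSLCD_VERSION);
	WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHC);
	WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
	WRITE_BERVAL(fp,&pi.uid);
	WRITE_BERVAL(fp,&pi.dn);
	WRITE_INT32(fp,rc);
	WRITE_INT32(fp,pi.authz);	/* authz */
	WRITE_BERVAL(fp,&pi.msg);	/* authzmsg */
	return 0;
}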
/*
 * Handle an NSLCD_ACTION_PAM_PWMOD request: change a user's password.
 *
 * Wire format read from fp, in order: uid, dn, service, old password,
 * new password (READ_STRING is defined elsewhere and leaves each length
 * in tmpint32).  Two phases, selected by whether a dn was supplied:
 *   - empty dn: preliminary check only -- bind with the old password
 *     via pam_do_bind; nothing is modified;
 *   - dn given: issue a Password Modify extended operation
 *     (slap_EXOP_MODIFY_PASSWD) through the frontend as that dn.
 * The reply written back is: version, action, RESULT_BEGIN, uid, dn,
 * rc, msg.
 *
 * Returns 0 once the reply has been written; the READ_/WRITE_ macros
 * return early on transport errors.
 */
int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
{
	struct berval npw;	/* new password */
	int32_t tmpint32;	/* scratch word used by the READ_/WRITE_ macros */
	char dnc[1024];
	char uidc[32];
	char opwc[256];
	char npwc[256];
	char svcc[256];
	struct paminfo pi;
	int rc;

	READ_STRING(fp,uidc);
	pi.uid.bv_val = uidc;
	pi.uid.bv_len = tmpint32;
	READ_STRING(fp,dnc);
	pi.dn.bv_val = dnc;
	pi.dn.bv_len = tmpint32;
	READ_STRING(fp,svcc);
	pi.svc.bv_val = svcc;
	pi.svc.bv_len = tmpint32;
	READ_STRING(fp,opwc);
	pi.pwd.bv_val = opwc;	/* the old password travels in pi.pwd */
	pi.pwd.bv_len = tmpint32;
	READ_STRING(fp,npwc);
	npw.bv_val = npwc;
	npw.bv_len = tmpint32;
	/* NOTE(review): opwc and npwc keep both cleartext passwords on the
	 * stack until return; nothing clears them. */

	/* dn and uid only; neither password is logged */
	Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(%s), %s\n",
		pi.dn.bv_val,pi.uid.bv_val,0);

	BER_BVZERO(&pi.msg);

	/* This is a prelim check */
	if (BER_BVISEMPTY(&pi.dn)) {
		/* no dn yet: only verify the old password by binding;
		 * IGNORE is reported to the client as success */
		rc = pam_do_bind(ni,fp,op,&pi);
		if (rc == NSLCD_PAM_IGNORE)
			rc = NSLCD_PAM_SUCCESS;
	} else {
		BerElementBuffer berbuf;
		BerElement *ber = (BerElement *)&berbuf;
		struct berval bv;
		SlapReply rs = {REP_RESULT};
		slap_callback cb = {0};

		/* Build the PasswdModifyRequest; old and new password are each
		 * included only when non-empty */
		ber_init_w_nullc(ber, LBER_USE_DER);
		ber_printf(ber, "{");
		if (!BER_BVISEMPTY(&pi.pwd))
			ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_OLD, &pi.pwd);
		if (!BER_BVISEMPTY(&npw))
			ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, &npw);
		ber_printf(ber, "N}");
		/* alloc=0: bv points into the BerElement's own buffer.
		 * NOTE(review): that buffer is never released here (no
		 * ber_free_buf); confirm whether this leaks per request. */
		ber_flatten2(ber, &bv, 0);

		/* Run the exop through the frontend as the dn the client supplied.
		 * NOTE(review): pi.dn becomes both o_dn and o_ndn as-is, with no
		 * normalization and no re-verification here; this relies on the
		 * peer (nslcd) having authenticated it earlier -- confirm. */
		op->o_tag = LDAP_REQ_EXTENDED;
		op->ore_reqoid = slap_EXOP_MODIFY_PASSWD;
		op->ore_reqdata = &bv;
		op->o_dn = pi.dn;
		op->o_ndn = pi.dn;
		op->o_callback = &cb;
		/* keep the original backend as the authz backend before switching
		 * o_bd to the frontend; neither o_bd nor o_dn is restored after */
		op->o_conn->c_authz_backend = op->o_bd;
		cb.sc_response = slap_null_cb;
		op->o_bd = frontendDB;
		rc = op->o_bd->be_extended(op, &rs);
		/* diagnostic text from the backend is echoed back to the client */
		if (rs.sr_text)
			ber_str2bv(rs.sr_text, 0, 0, &pi.msg);
		/* only LDAP_SUCCESS is distinguished; any other result code is
		 * reported as PERM_DENIED */
		if (rc == LDAP_SUCCESS)
			rc = NSLCD_PAM_SUCCESS;
		else
			rc = NSLCD_PAM_PERM_DENIED;
	}

	WRITE_INT32(fp,NSLCD_VERSION);
	WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD);
	WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
	WRITE_BERVAL(fp,&pi.uid);
	WRITE_BERVAL(fp,&pi.dn);
	WRITE_INT32(fp,rc);
	WRITE_BERVAL(fp,&pi.msg);
	return 0;
}
/*
 * Handle an NSLCD_ACTION_PAM_AUTHZ request: decide whether an already
 * authenticated user may use this host and service.
 *
 * Wire format read from fp, in order: uid, dn, service, ruser, rhost,
 * tty (READ_STRING is defined elsewhere and leaves each length in
 * tmpint32).  ruser, rhost and tty are read to stay in step with the
 * protocol but are not consulted.  Checks run in order, each gated by
 * ni_pam_opts and the matching configured attribute; the first failure
 * jumps to finish with rc and authzmsg set:
 *   1. resolve dn from uid when the client did not supply one;
 *   2. NI_PAM_HOSTSVC: the host entry (or ni_pam_defhost) must carry
 *      the service in nssov_pam_svc_ad;
 *   3. NI_PAM_USERGRP: dn must be a value of ni_pam_group_ad on
 *      ni_pam_group_dn;
 *   4. NI_PAM_USERHOST / NI_PAM_USERSVC: the user's own entry must
 *      list this host / this service;
 *   5. ni_pam_min_uid / ni_pam_max_uid: numeric uid range check;
 *   6. ni_pam_template_ad: optionally replace the uid sent back.
 * The reply written back is: version, action, RESULT_BEGIN, uid, dn,
 * rc, authzmsg.  hostmsg, svcmsg, grpmsg and uidmsg are file-scope
 * messages defined elsewhere.
 *
 * Returns 0 once the reply has been written; the READ_/WRITE_ macros
 * return early on transport errors.
 */
int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
{
	struct berval dn, uid, svc, ruser, rhost, tty;
	struct berval authzmsg = BER_BVNULL;
	int32_t tmpint32;	/* scratch word used by the READ_/WRITE_ macros */
	char dnc[1024];
	char uidc[32];
	char svcc[256];
	char ruserc[32];
	char rhostc[256];
	char ttyc[256];
	int rc;
	Entry *e = NULL;	/* user entry; fetched only when a check needs it */
	Attribute *a;
	slap_callback cb = {0};

	READ_STRING(fp,uidc);
	uid.bv_val = uidc;
	uid.bv_len = tmpint32;
	READ_STRING(fp,dnc);
	dn.bv_val = dnc;
	dn.bv_len = tmpint32;
	READ_STRING(fp,svcc);
	svc.bv_val = svcc;
	svc.bv_len = tmpint32;
	READ_STRING(fp,ruserc);
	ruser.bv_val = ruserc;
	ruser.bv_len = tmpint32;
	READ_STRING(fp,rhostc);
	rhost.bv_val = rhostc;
	rhost.bv_len = tmpint32;
	READ_STRING(fp,ttyc);
	tty.bv_val = ttyc;
	tty.bv_len = tmpint32;

	Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(%s)\n",dn.bv_val,0,0);

	/* If we didn't do authc, we don't have a DN yet */
	if (BER_BVISEMPTY(&dn)) {
		struct paminfo pi;
		pi.uid = uid;
		pi.svc = svc;
		/* pam_uid2dn is defined elsewhere; a non-zero rc is sent back as-is */
		rc = pam_uid2dn(ni, op, &pi);
		if (rc) goto finish;
		dn = pi.dn;
	}
	/* NOTE(review): a dn supplied by the client is used below as both
	 * o_dn and o_ndn without normalization or re-verification; this relies
	 * on the peer (nslcd) being trusted -- confirm. */

	/* See if they have access to the host and service */
	if ((ni->ni_pam_opts & NI_PAM_HOSTSVC) && nssov_pam_svc_ad) {
		AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
		struct berval hostdn = BER_BVNULL;
		struct berval odn = op->o_ndn;	/* saved so it can be put back */
		SlapReply rs = {REP_RESULT};

		/* the host lookup and the compare run as the user */
		op->o_dn = dn;
		op->o_ndn = dn;
		{
			nssov_mapinfo *mi = &ni->ni_maps[NM_host];
			char fbuf[1024];
			struct berval filter = {sizeof(fbuf),fbuf};
			SlapReply rs2 = {REP_RESULT};

			/* Lookup the host entry */
			nssov_filter_byname(mi,0,&global_host_bv,&filter);
			/* nssov_name2dn_cb (elsewhere) delivers the matched DN via
			 * sc_private, i.e. into hostdn */
			cb.sc_private = &hostdn;
			cb.sc_response = nssov_name2dn_cb;
			op->o_callback = &cb;
			op->o_req_dn = mi->mi_base;
			op->o_req_ndn = mi->mi_base;
			op->ors_scope = mi->mi_scope;
			op->ors_filterstr = filter;
			op->ors_filter = str2filter_x(op, filter.bv_val);
			op->ors_attrs = slap_anlist_no_attrs;
			op->ors_tlimit = SLAP_NO_LIMIT;
			op->ors_slimit = 2;	/* at most two entries are requested */
			rc = op->o_bd->be_search(op, &rs2);
			filter_free_x(op, op->ors_filter, 1);
			/* no entry for this host: retry with the configured default host */
			if (BER_BVISEMPTY(&hostdn) && !BER_BVISEMPTY(&ni->ni_pam_defhost)) {
				filter.bv_len = sizeof(fbuf);	/* reset the filter buffer for reuse */
				filter.bv_val = fbuf;
				rs_reinit(&rs2, REP_RESULT);
				nssov_filter_byname(mi,0,&ni->ni_pam_defhost,&filter);
				op->ors_filterstr = filter;
				op->ors_filter = str2filter_x(op, filter.bv_val);
				rc = op->o_bd->be_search(op, &rs2);
				filter_free_x(op, op->ors_filter, 1);
			}
			/* no host entry, no default host -> deny */
			if (BER_BVISEMPTY(&hostdn)) {
				rc = NSLCD_PAM_PERM_DENIED;
				authzmsg = hostmsg;
				goto finish;
			}
		}
		/* Compare the service name against the host entry; pam_compare_cb
		 * (elsewhere) is expected to set sc_private non-NULL on a match */
		cb.sc_response = pam_compare_cb;
		cb.sc_private = NULL;
		op->o_tag = LDAP_REQ_COMPARE;
		op->o_req_dn = hostdn;
		op->o_req_ndn = hostdn;
		ava.aa_desc = nssov_pam_svc_ad;
		ava.aa_value = svc;
		op->orc_ava = &ava;
		rc = op->o_bd->be_compare( op, &rs );
		if ( cb.sc_private == NULL ) {
			authzmsg = svcmsg;
			rc = NSLCD_PAM_PERM_DENIED;
			goto finish;
		}
		/* put the caller's identity back; the deny paths above leave
		 * o_dn/o_ndn set to dn */
		op->o_dn = odn;
		op->o_ndn = odn;
	}

	/* See if they're a member of the group */
	if ((ni->ni_pam_opts & NI_PAM_USERGRP) && !BER_BVISEMPTY(&ni->ni_pam_group_dn) && ni->ni_pam_group_ad) {
		AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
		SlapReply rs = {REP_RESULT};
		/* compare "ni_pam_group_ad = dn" on the group entry; the outcome is
		 * read from rs.sr_err, so a null callback suffices */
		op->o_callback = &cb;
		cb.sc_response = slap_null_cb;
		op->o_tag = LDAP_REQ_COMPARE;
		op->o_req_dn = ni->ni_pam_group_dn;
		op->o_req_ndn = ni->ni_pam_group_dn;
		ava.aa_desc = ni->ni_pam_group_ad;
		ava.aa_value = dn;
		op->orc_ava = &ava;
		rc = op->o_bd->be_compare( op, &rs );
		if ( rs.sr_err != LDAP_COMPARE_TRUE ) {
			authzmsg = grpmsg;
			rc = NSLCD_PAM_PERM_DENIED;
			goto finish;
		}
	}

	/* We need to check the user's entry for these bits */
	if ((ni->ni_pam_opts & (NI_PAM_USERHOST|NI_PAM_USERSVC)) || ni->ni_pam_template_ad || ni->ni_pam_min_uid || ni->ni_pam_max_uid ) {
		/* read-only fetch; released at finish via be_entry_release_r */
		rc = be_entry_get_rw( op, &dn, NULL, NULL, 0, &e );
		if (rc != LDAP_SUCCESS) {
			rc = NSLCD_PAM_USER_UNKNOWN;
			goto finish;
		}
	}

	/* user entry must list this host (attr_valfind is non-zero when the
	 * value is not present) */
	if ((ni->ni_pam_opts & NI_PAM_USERHOST) && nssov_pam_host_ad) {
		a = attr_find(e->e_attrs, nssov_pam_host_ad);
		if (!a || attr_valfind( a,
			SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
			SLAP_MR_VALUE_OF_SYNTAX,
			&global_host_bv, NULL, op->o_tmpmemctx )) {
			rc = NSLCD_PAM_PERM_DENIED;
			authzmsg = hostmsg;
			goto finish;
		}
	}

	/* user entry must list this service */
	if ((ni->ni_pam_opts & NI_PAM_USERSVC) && nssov_pam_svc_ad) {
		a = attr_find(e->e_attrs, nssov_pam_svc_ad);
		if (!a || attr_valfind( a,
			SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
			SLAP_MR_VALUE_OF_SYNTAX,
			&svc, NULL, op->o_tmpmemctx )) {
			rc = NSLCD_PAM_PERM_DENIED;
			authzmsg = svcmsg;
			goto finish;
		}
	}

	/* from passwd.c */
#define UIDN_KEY 2

	/* numeric uid range check against the passwd map's uidNumber attribute */
	if (ni->ni_pam_min_uid || ni->ni_pam_max_uid) {
		int id;
		char *tmp;
		nssov_mapinfo *mi = &ni->ni_maps[NM_passwd];
		a = attr_find(e->e_attrs, mi->mi_attrs[UIDN_KEY].an_desc);
		if (!a) {
			rc = NSLCD_PAM_PERM_DENIED;
			authzmsg = uidmsg;
			goto finish;
		}
		/* base 0: accepts decimal, octal (leading 0) and hex (0x) forms.
		 * NOTE(review): errno/ERANGE is not checked and the long is
		 * narrowed to int, so an out-of-range attribute value is not
		 * guaranteed to be rejected by the bounds test below. */
		id = (int)strtol(a->a_vals[0].bv_val,&tmp,0);
		/* empty value or trailing garbage -> deny */
		if (a->a_vals[0].bv_val[0] == '\0' || *tmp != '\0') {
			rc = NSLCD_PAM_PERM_DENIED;
			authzmsg = uidmsg;
			goto finish;
		}
		/* each bound applies only when configured (non-zero) */
		if ((ni->ni_pam_min_uid && id < ni->ni_pam_min_uid) ||
			(ni->ni_pam_max_uid && id > ni->ni_pam_max_uid)) {
			rc = NSLCD_PAM_PERM_DENIED;
			authzmsg = uidmsg;
			goto finish;
		}
	}

	/* optionally replace the uid returned to the client: first value of
	 * the template attribute, else the static ni_pam_template */
	if (ni->ni_pam_template_ad) {
		a = attr_find(e->e_attrs, ni->ni_pam_template_ad);
		if (a)
			uid = a->a_vals[0];
		else if (!BER_BVISEMPTY(&ni->ni_pam_template))
			uid = ni->ni_pam_template;
	}

	rc = NSLCD_PAM_SUCCESS;

finish:
	WRITE_INT32(fp,NSLCD_VERSION);
	WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHZ);
	WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
	WRITE_BERVAL(fp,&uid);
	WRITE_BERVAL(fp,&dn);
	WRITE_INT32(fp,rc);
	WRITE_BERVAL(fp,&authzmsg);
	/* e is non-NULL only if be_entry_get_rw succeeded above */
	if (e) {
		be_entry_release_r(op, e);
	}
	return 0;
}