static void do_successful_login(struct LOCAL_request *lreq)
{
int ret;
lreq->mod_attrs = sysdb_new_attrs(lreq);
NULL_CHECK_OR_JUMP(lreq->mod_attrs, ("sysdb_new_attrs failed.\n"),
lreq->error, ENOMEM, done);
ret = sysdb_attrs_add_long(lreq->mod_attrs,
SYSDB_LAST_LOGIN, (long)time(NULL));
NEQ_CHECK_OR_JUMP(ret, EOK, ("sysdb_attrs_add_long failed.\n"),
lreq->error, ret, done);
ret = sysdb_attrs_add_long(lreq->mod_attrs, SYSDB_FAILED_LOGIN_ATTEMPTS, 0L);
NEQ_CHECK_OR_JUMP(ret, EOK, ("sysdb_attrs_add_long failed.\n"),
lreq->error, ret, done);
ret = sysdb_set_user_attr(lreq->dbctx, lreq->domain,
lreq->preq->pd->user,
lreq->mod_attrs, SYSDB_MOD_REP);
NEQ_CHECK_OR_JUMP(ret, EOK, ("sysdb_set_user_attr failed.\n"),
lreq->error, ret, done);
done:
return;
}
static void do_pam_chauthtok(struct LOCAL_request *lreq)
{
int ret;
char *newauthtok;
char *salt;
char *new_hash;
struct pam_data *pd;
pd = lreq->preq->pd;
newauthtok = talloc_strndup(lreq, (char *) pd->newauthtok,
pd->newauthtok_size);
NULL_CHECK_OR_JUMP(newauthtok, ("talloc_strndup failed.\n"), lreq->error,
ENOMEM, done);
memset(pd->newauthtok, 0, pd->newauthtok_size);
if (strlen(newauthtok) == 0) {
/* TODO: should we allow null passwords via a config option ? */
DEBUG(1, ("Empty passwords are not allowed!\n"));
lreq->error = EINVAL;
goto done;
}
ret = s3crypt_gen_salt(lreq, &salt);
NEQ_CHECK_OR_JUMP(ret, EOK, ("Salt generation failed.\n"),
lreq->error, ret, done);
DEBUG(4, ("Using salt [%s]\n", salt));
ret = s3crypt_sha512(lreq, newauthtok, salt, &new_hash);
NEQ_CHECK_OR_JUMP(ret, EOK, ("Hash generation failed.\n"),
lreq->error, ret, done);
DEBUG(4, ("New hash [%s]\n", new_hash));
memset(newauthtok, 0, pd->newauthtok_size);
lreq->mod_attrs = sysdb_new_attrs(lreq);
NULL_CHECK_OR_JUMP(lreq->mod_attrs, ("sysdb_new_attrs failed.\n"),
lreq->error, ENOMEM, done);
ret = sysdb_attrs_add_string(lreq->mod_attrs, SYSDB_PWD, new_hash);
NEQ_CHECK_OR_JUMP(ret, EOK, ("sysdb_attrs_add_string failed.\n"),
lreq->error, ret, done);
ret = sysdb_attrs_add_long(lreq->mod_attrs,
"lastPasswordChange", (long)time(NULL));
NEQ_CHECK_OR_JUMP(ret, EOK, ("sysdb_attrs_add_long failed.\n"),
lreq->error, ret, done);
ret = sysdb_set_user_attr(lreq->dbctx, lreq->preq->pd->user,
lreq->mod_attrs, SYSDB_MOD_REP);
NEQ_CHECK_OR_JUMP(ret, EOK, ("sysdb_set_user_attr failed.\n"),
lreq->error, ret, done);
done:
return;
}
static void do_failed_login(struct LOCAL_request *lreq)
{
int ret;
int failedLoginAttempts;
struct pam_data *pd;
pd = lreq->preq->pd;
pd->pam_status = PAM_AUTH_ERR;
/* TODO: maybe add more inteligent delay calculation */
pd->response_delay = 3;
lreq->mod_attrs = sysdb_new_attrs(lreq);
NULL_CHECK_OR_JUMP(lreq->mod_attrs, ("sysdb_new_attrs failed.\n"),
lreq->error, ENOMEM, done);
ret = sysdb_attrs_add_long(lreq->mod_attrs,
SYSDB_LAST_FAILED_LOGIN, (long)time(NULL));
NEQ_CHECK_OR_JUMP(ret, EOK, ("sysdb_attrs_add_long failed.\n"),
lreq->error, ret, done);
failedLoginAttempts = ldb_msg_find_attr_as_int(lreq->res->msgs[0],
SYSDB_FAILED_LOGIN_ATTEMPTS,
0);
failedLoginAttempts++;
ret = sysdb_attrs_add_long(lreq->mod_attrs,
SYSDB_FAILED_LOGIN_ATTEMPTS,
(long)failedLoginAttempts);
NEQ_CHECK_OR_JUMP(ret, EOK, ("sysdb_attrs_add_long failed.\n"),
lreq->error, ret, done);
ret = sysdb_set_user_attr(lreq->dbctx, lreq->domain,
lreq->preq->pd->user,
lreq->mod_attrs, SYSDB_MOD_REP);
NEQ_CHECK_OR_JUMP(ret, EOK, ("sysdb_set_user_attr failed.\n"),
lreq->error, ret, done);
done:
return;
}
static void do_pam_chauthtok(struct LOCAL_request *lreq)
{
int ret;
const char *password;
char *salt;
char *new_hash;
struct pam_data *pd;
pd = lreq->preq->pd;
ret = sss_authtok_get_password(pd->newauthtok, &password, NULL);
if (ret) {
/* TODO: should we allow null passwords via a config option ? */
if (ret == ENOENT) {
DEBUG(1, ("Empty passwords are not allowed!\n"));
}
lreq->error = EINVAL;
goto done;
}
ret = s3crypt_gen_salt(lreq, &salt);
NEQ_CHECK_OR_JUMP(ret, EOK, ("Salt generation failed.\n"),
lreq->error, ret, done);
DEBUG(4, ("Using salt [%s]\n", salt));
ret = s3crypt_sha512(lreq, password, salt, &new_hash);
NEQ_CHECK_OR_JUMP(ret, EOK, ("Hash generation failed.\n"),
lreq->error, ret, done);
DEBUG(4, ("New hash [%s]\n", new_hash));
lreq->mod_attrs = sysdb_new_attrs(lreq);
NULL_CHECK_OR_JUMP(lreq->mod_attrs, ("sysdb_new_attrs failed.\n"),
lreq->error, ENOMEM, done);
ret = sysdb_attrs_add_string(lreq->mod_attrs, SYSDB_PWD, new_hash);
NEQ_CHECK_OR_JUMP(ret, EOK, ("sysdb_attrs_add_string failed.\n"),
lreq->error, ret, done);
ret = sysdb_attrs_add_long(lreq->mod_attrs,
"lastPasswordChange", (long)time(NULL));
NEQ_CHECK_OR_JUMP(ret, EOK, ("sysdb_attrs_add_long failed.\n"),
lreq->error, ret, done);
ret = sysdb_set_user_attr(lreq->dbctx, lreq->domain,
lreq->preq->pd->user,
lreq->mod_attrs, SYSDB_MOD_REP);
NEQ_CHECK_OR_JUMP(ret, EOK, ("sysdb_set_user_attr failed.\n"),
lreq->error, ret, done);
done:
sss_authtok_set_empty(pd->newauthtok);
}
static int usermod_build_attrs(TALLOC_CTX *mem_ctx,
const char *gecos,
const char *home,
const char *shell,
uid_t uid,
gid_t gid,
int lock,
struct sysdb_attrs **_attrs)
{
int ret;
struct sysdb_attrs *attrs;
attrs = sysdb_new_attrs(mem_ctx);
if (attrs == NULL) {
return ENOMEM;
}
if (shell) {
ret = sysdb_attrs_add_string(attrs,
SYSDB_SHELL,
shell);
VAR_CHECK(ret, EOK, SYSDB_SHELL,
"Could not add attribute to changeset\n");
}
if (home) {
ret = sysdb_attrs_add_string(attrs,
SYSDB_HOMEDIR,
home);
VAR_CHECK(ret, EOK, SYSDB_HOMEDIR,
"Could not add attribute to changeset\n");
}
if (gecos) {
ret = sysdb_attrs_add_string(attrs,
SYSDB_GECOS,
gecos);
VAR_CHECK(ret, EOK, SYSDB_GECOS,
"Could not add attribute to changeset\n");
}
if (uid) {
ret = sysdb_attrs_add_long(attrs,
SYSDB_UIDNUM,
uid);
VAR_CHECK(ret, EOK, SYSDB_UIDNUM,
"Could not add attribute to changeset\n");
}
if (gid) {
ret = sysdb_attrs_add_long(attrs,
SYSDB_GIDNUM,
gid);
VAR_CHECK(ret, EOK, SYSDB_GIDNUM,
"Could not add attribute to changeset\n");
}
if (lock == DO_LOCK) {
ret = sysdb_attrs_add_string(attrs,
SYSDB_DISABLED,
"true");
VAR_CHECK(ret, EOK, SYSDB_DISABLED,
"Could not add attribute to changeset\n");
}
if (lock == DO_UNLOCK) {
/* PAM code checks for 'false' value in SYSDB_DISABLED attribute */
ret = sysdb_attrs_add_string(attrs,
SYSDB_DISABLED,
"false");
VAR_CHECK(ret, EOK, SYSDB_DISABLED,
"Could not add attribute to changeset\n");
}
*_attrs = attrs;
return EOK;
}
static int usermod_build_attrs(TALLOC_CTX *mem_ctx,
const char *gecos,
const char *home,
const char *shell,
uid_t uid,
gid_t gid,
int lock,
struct sysdb_attrs **_attrs)
{
int ret = EOK;
struct sysdb_attrs *attrs;
const char *attr_name = NULL;
attrs = sysdb_new_attrs(mem_ctx);
if (attrs == NULL) {
return ENOMEM;
}
if (shell) {
attr_name = SYSDB_SHELL;
ret = sysdb_attrs_add_string(attrs,
attr_name,
shell);
}
if (ret == EOK && home) {
attr_name = SYSDB_HOMEDIR;
ret = sysdb_attrs_add_string(attrs,
attr_name,
home);
}
if (ret == EOK && gecos) {
attr_name = SYSDB_GECOS;
ret = sysdb_attrs_add_string(attrs,
attr_name,
gecos);
}
if (ret == EOK && uid) {
attr_name = SYSDB_UIDNUM;
ret = sysdb_attrs_add_long(attrs,
attr_name,
uid);
}
if (ret == EOK && gid) {
attr_name = SYSDB_GIDNUM;
ret = sysdb_attrs_add_long(attrs,
attr_name,
gid);
}
if (ret == EOK && lock == DO_LOCK) {
attr_name = SYSDB_DISABLED;
ret = sysdb_attrs_add_string(attrs,
attr_name,
"true");
}
if (ret == EOK && lock == DO_UNLOCK) {
attr_name = SYSDB_DISABLED;
/* PAM code checks for 'false' value in SYSDB_DISABLED attribute */
ret = sysdb_attrs_add_string(attrs,
attr_name,
"false");
}
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Could not add attribute [%s] to changeset.\n", attr_name);
return ret;
}
*_attrs = attrs;
return EOK;
}
