SambaPasswordPlugin.java revision f983fc4bc7a4dc0e9d175e77cfaf8a2127aaeb2d
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2011-2012 profiq s.r.o.
* Portions Copyright 2011-2015 ForgeRock AS.
*/
/**
* The Samba password synchronization plugin implementation class.
* <p>
* This plugin synchronizes the userPassword attribute with the Samba password
* attribute(s) for all entries containing the specified Samba object class.
* <p>
* It handles clear-text userPassword modify operations and password modify
* extended operations. It does not cover the case of using pre-encoded
* password.
*/
public final class SambaPasswordPlugin extends
DirectoryServerPlugin<SambaPasswordPluginCfg> implements
{
/**
* The implementation of this algorithm has been derived from BouncyCastle.org
* whose license can be found at http://www.bouncycastle.org/licence.html:
* <p>
* Copyright (c) 2000 - 2011 The Legion Of The Bouncy Castle
* <p>
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* Software is furnished to do so, subject to the following conditions:
* <p>
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
* <p>
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
static final class MD4MessageDigest extends MessageDigest
{
// Class is package private for testing.
private final byte[] xBuf = new byte[4];
private int xBufOff;
private long byteCount;
private static final int DIGEST_LENGTH = 16;
private final int[] X = new int[16];
private int xOff;
//
// round 1 left rotates
//
private static final int S11 = 3;
private static final int S12 = 7;
private static final int S13 = 11;
private static final int S14 = 19;
//
// round 2 left rotates
//
private static final int S21 = 3;
private static final int S22 = 5;
private static final int S23 = 9;
private static final int S24 = 13;
//
// round 3 left rotates
//
private static final int S31 = 3;
private static final int S32 = 9;
private static final int S33 = 11;
private static final int S34 = 15;
/**
* Creates a new MD4 message digest algorithm.
*/
{
super("MD4");
engineReset();
}
/**
* {@inheritDoc}
*/
public byte[] engineDigest()
{
final byte[] digestBytes = new byte[DIGEST_LENGTH];
finish();
engineReset();
return digestBytes;
}
/**
* {@inheritDoc}
*/
public void engineReset()
{
byteCount = 0;
xBufOff = 0;
{
xBuf[i] = 0;
}
H1 = 0x67452301;
H2 = 0xefcdab89;
H3 = 0x98badcfe;
H4 = 0x10325476;
xOff = 0;
for (int i = 0; i != X.length; i++)
{
X[i] = 0;
}
}
/**
* {@inheritDoc}
*/
public void engineUpdate(final byte input)
{
{
xBufOff = 0;
}
byteCount++;
}
/**
* {@inheritDoc}
*/
{
//
// fill the current word
//
{
inOff++;
len--;
}
//
// process whole words.
//
{
}
//
// load in the remainder.
//
while (len > 0)
{
inOff++;
len--;
}
}
/*
* F, G, H and I are the basic MD4 functions.
*/
private int F(final int u, final int v, final int w)
{
return (u & v) | (~u & w);
}
private void finish()
{
//
// add the pad bytes.
//
engineUpdate((byte) 128);
while (xBufOff != 0)
{
engineUpdate((byte) 0);
}
processBlock();
}
private int G(final int u, final int v, final int w)
{
return (u & v) | (u & w) | (v & w);
}
private int H(final int u, final int v, final int w)
{
return u ^ v ^ w;
}
private void processBlock()
{
int a = H1;
int b = H2;
int c = H3;
int d = H4;
//
// Round 1 - F cycle, 16 times.
//
//
// Round 2 - G cycle, 16 times.
//
//
// Round 3 - H cycle, 16 times.
//
H1 += a;
H2 += b;
H3 += c;
H4 += d;
//
// reset the offset and clean out the word buffer.
//
xOff = 0;
for (int i = 0; i != X.length; i++)
{
X[i] = 0;
}
}
private void processLength(final long bitLength)
{
if (xOff > 14)
{
processBlock();
}
}
{
if (xOff == 16)
{
processBlock();
}
}
/*
* rotate int x left n bits.
*/
private int rotateLeft(final int x, final int n)
{
return (x << n) | (x >>> (32 - n));
}
{
}
}
/**
* Plugin configuration object.
*/
private SambaPasswordPluginCfg config;
// The name of the Samba LanMan password attribute.
private static final String SAMBA_LM_PASSWORD_ATTRIBUTE_NAME =
"sambaLMPassword";
// The name of the Samba NT password attribute.
private static final String SAMBA_NT_PASSWORD_ATTRIBUTE_NAME =
"sambaNTPassword";
// The name of the Samba account object class.
// The name of the Samba last password change attribute.
/**
* Debug tracer object to log debugging information.
*/
/**
* Password Modify Extended Operation OID.
*/
/**
* Magic string to be used as salt.
*/
// Default timestamp provider implementation.
private static final TimeStampProvider DEFAULT_TIMESTAMP_PROVIDER =
new TimeStampProvider()
{
public long getCurrentTime()
{
}
};
// Use the default implementation of the timestamp provider... by default.
/**
* Add the parity to the 56-bit key converting it to 64-bit key.
*
* @param key56
* 56-bit key.
* @return 64-bit key.
*/
{
final byte[] key64 = new byte[8];
final int[] key7 = new int[7];
final int[] key8 = new int[8];
for (int i = 0; i < 7; i++)
{
}
for (int i = 0; i < 8; i++)
{
}
return key64;
}
/**
* Create a LanMan hash from a clear-text password.
*
* @param password
* Clear-text password.
* @return Hex string version of the hash based on the clear-text password.
* @throws UnsupportedEncodingException
* if the <code>US-ASCII</code> coding is not available.
* @throws NoSuchAlgorithmException
* if the algorithm does not exist for the used provider.
* @throws InvalidKeyException
* if the key is inappropriate to initialize the cipher.
* @throws NoSuchPaddingException
* if the padding scheme is not available.
* @throws IllegalBlockSizeException
* if this encryption algorithm is unable to process the input data
* provided
* @throws BadPaddingException
* if this cipher is in decryption mode, and (un)padding has been
* requested, but the decrypted data is not bounded by the
* appropriate padding bytes
*/
{
// Password has to be OEM encoded and in upper case
// It shouldn't be longer then 14 bytes
int length = 14;
{
}
// The password should be divided into two 7-byte keys
final byte[] key1 = new byte[7];
final byte[] key2 = new byte[7];
if (length <= 7)
{
}
else
{
}
// We create two DES keys using key1 and key2 to on the magic string
// We finally merge hashes and return them to the client
final byte[] lmHash = new byte[16];
}
/**
* Creates a NTLM hash from a clear-text password.
*
* @param password
* Clear text password.
* @return Returns a NTLM hash.
* @throws NoSuchProviderException
* if the BouncyCastle provider does not load
* @throws NoSuchAlgorithmException
* if the MD4 algorithm is not found
* @throws UnsupportedEncodingException
* if the encoding <code>UnicodeLittleUnmarked</code> is not
* supported.
*/
{
}
/**
* Set the parity bit for an integer.
*
* @param integer
* to add the parity bit for.
* @return integer with the parity bit set.
*/
private static int setOddParity(final int parity)
{
if (hasEvenBits)
{
return parity | 0x01;
}
else
{
return parity & 0xFE;
}
}
/**
* Default constructor.
*/
public SambaPasswordPlugin()
{
super();
}
/**
* {@inheritDoc}
*/
final SambaPasswordPluginCfg newConfig)
{
// No validation required and no restart required.
return new ConfigChangeResult();
}
/**
* {@inheritDoc}
*/
{
/*
* If the operation is not Password Modify Extended Operation then skip this
* operation.
*/
{
}
/*
* If the operation has not been successful then ignore the operation.
*/
{
}
/*
* Verify if the operation has been initiated by what was defined as Samba
* administrative user. If so, we will skip this operation to avoid double
* synchronization of Samba attributes.
*/
if (sambaAdminDN != null
&& !sambaAdminDN.isRootDN()
{
if (logger.isTraceEnabled())
{
+ " it was performed by Samba admin user: " + sambaAdminDN);
}
}
// Get the name of the entry and clear passwords from the operation
// attachments.
{
// The attachment is missing which should never happen.
if (logger.isTraceEnabled())
{
}
}
{
if (logger.isTraceEnabled())
{
+ "pre-encoded password");
}
}
@SuppressWarnings("unchecked")
try
{
// Before proceeding make sure this entry has samba object class.
if (!isSynchronizable(entry))
{
if (logger.isTraceEnabled())
{
}
}
/*
* Make an internal connection to process the password modification. It
* will not trigger this plugin again with the pre-operation modify since
* the password passed would be encoded hence the pre operation part would
* skip it.
*/
// Use an assertion control to avoid race conditions since extended
// operation post-ops are done outside of the write lock.
if (!encPasswords.isEmpty())
{
filter);
}
if (logger.isTraceEnabled())
{
}
}
catch (final DirectoryException e)
{
/*
* This exception occurs if there is a problem while retrieving the entry.
* This should never happen as we are processing the post-operation which
* succeeded so the entry has to exist if we have reached this point.
*/
logger.traceException(e);
}
}
/**
* {@inheritDoc}
*/
{
/*
* If the passwords are changed in clear text they will be available with
* the getNewPasswords() method. If they are encoded the method would return
* null. The list of passwords should not be modified.
*/
/*
* If the password list is not empty, we can be sure the current operation
* is the one that applies to our case: - it's a modify operation on
* userPassword attribute - it's replaces or adds new userPassword attribute
* value. If it doesn't then we skip this modify operation.
*/
{
}
// Skip synchronization operations.
{
if (logger.isTraceEnabled())
{
}
}
/*
* Verify if the operation has been initiated by the Samba administrative
* user. If so, we will skip this operation to avoid double synchronization
* of Samba attributes.
*/
if (sambaAdminDN != null
&& !sambaAdminDN.isRootDN()
{
if (logger.isTraceEnabled())
{
+ " it was performed by Samba admin user: " + sambaAdminDN);
}
}
/*
* Before proceeding with the modification, we have to make sure this entry
* is indeed a Samba object.
*/
{
if (logger.isTraceEnabled())
{
logger.trace("Skipping '%s' because it does not have Samba object class.", modifyOperation.getEntryDN());
}
}
/*
* Proceed with processing: add a new modification to the current modify
* operation, so they could be executed at the same time.
*/
// Continue plugin processing.
}
/**
* {@inheritDoc}
*/
{
// Verify config parameters.
{
for (final LocalizableMessage m : messages)
{
}
}
// Register the configuration change listener.
// Save the configuration.
this.config = configuration;
}
/**
* Verifies if the plugin configuration is acceptable.
*
* @param configuration
* The plugin configuration.
* @param unacceptableReasons
* Reasons why the configuration is not acceptable.
* @return Returns <code>true</code> for the correct configuration and
* <code>false</code> for the incorrect one.
*/
public boolean isConfigurationAcceptable(
{
}
/**
* {@inheritDoc}
*/
public boolean isConfigurationChangeAcceptable(
{
/*
* The plugin implements only postoperationmodify and postoperationextended
* plugin types. The rest should be rejected.
*/
.getPluginType();
{
switch (t)
{
case PREOPERATIONMODIFY:
case POSTOPERATIONEXTENDED:
break;
default:
return false;
}
}
return true;
}
/**
* Creates the modifications to modify Samba password attributes. It uses
* clear-text password and encodes it with the appropriate algorithm for it's
* respective type (NTLM or LanMan); then it wraps it in the modifications to
* be added to the modify operation.
*
* @param password
* New password which is to be encoded for Samba.
* @return Returns a list of modifications, or null if a problem occurs.
*/
{
try
{
{
}
{
}
}
catch (final Exception e)
{
}
return modifications;
}
/**
* Verify if the target entry contains pre-defined Samba object class.
*
* @param entry
* The entry being modified.
* @return Returns true if the entry has Samba object class, otherwise returns
* false.
*/
{
}
/**
* Adds modifications for the configured Samba password attributes to the
* current modify operation.
*
* @param modifyOperation
* Current modify operation which will be modified to add Samba
* password attribute changes.
* @param passwords
* List of userPassword clear-text attribute values to be hashed for
* Samba
*/
private void processModification(
{
// Get the last password (in case there is more then one).
try
{
// Generate the necessary modifications.
{
}
}
catch (final DirectoryException e)
{
}
}
/**
* Timestamp provider interface. Intended primarily for testing purposes.
*/
static interface TimeStampProvider
{
/**
* Generates a custom time stamp.
*
* @return A timestamp in UNIX format.
*/
long getCurrentTime();
}
/**
* Use custom timestamp provider. Intended primarily for testing purposes.
*
* @param timeStampProvider Provider object that implements the
* TimeStampProvider interface.
*/
{
}
}