/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
2N/A
2N/A#pragma ident "%Z%%M% %I% %E% SMI"
2N/A
2N/A#include "ldap_headers.h"
2N/A
/*
 *
 * LDAP module for pam_sm_authenticate.
 *
 * Options recognised in the pam.conf entry for this module:
 *
 * debug	- log progress to syslog at LOG_AUTH|LOG_DEBUG
 * nowarn	- accepted and recorded; only affects the debug log line
 */
2N/A
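/*
 * pam_sm_authenticate():
 *	Authenticate PAM_USER against LDAP using the password that an
 *	earlier module left in PAM_AUTHTOK.  This module never prompts:
 *	if PAM_AUTHTOK is not set it fails with PAM_AUTH_ERR.
 *
 *	argv options: "debug" and "nowarn" are honoured; "try_first_pass"
 *	and "use_first_pass" are accepted and ignored; any other option is
 *	logged at LOG_DEBUG and ignored.  Only the service and user name are
 *	ever written to syslog, never the token.
 *
 *	Returns the pam_get_item() error if PAM_SERVICE or PAM_USER cannot
 *	be read, PAM_USER_UNKNOWN for a missing or empty user name,
 *	PAM_AUTH_ERR when no PAM_AUTHTOK is available, otherwise the result
 *	of authenticate().  PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED are
 *	both folded into PAM_SUCCESS: a correct-but-expired password is
 *	treated as authenticated here, and expiry is left for the account
 *	management stack (pam_sm_acct_mgmt) to enforce.  A stack that does
 *	not run the LDAP account module therefore admits expired passwords.
 */
/*ARGSUSED*/
int
pam_sm_authenticate(
	pam_handle_t *pamh,
	int flags,
	int argc,
	const char **argv)
{
	char *service = NULL;
	char *user = NULL;
	char *password = NULL;
	const char *logsvc;
	ns_cred_t *credp = NULL;
	int err;
	int result = PAM_AUTH_ERR;
	int debug = 0;
	int nowarn = 0;
	int i;

	/* Get the service and user */
	if ((err = pam_get_item(pamh, PAM_SERVICE, (void **)&service))
	    != PAM_SUCCESS ||
	    (err = pam_get_item(pamh, PAM_USER, (void **)&user)) != PAM_SUCCESS)
		return (err);

	/*
	 * pam_get_item() can succeed and still return a NULL item.  A NULL
	 * argument to a "%s" conversion is undefined behaviour, so every
	 * syslog() below uses this placeholder form of the service name,
	 * mirroring the existing "no-user" treatment of the user name.
	 */
	logsvc = (service != NULL) ? service : "no-service";

	/*
	 * Check options passed to this module.
	 * Silently ignore try_first_pass and use_first_pass options
	 * for the time being.
	 */
	for (i = 0; i < argc; i++) {
		if (strcmp(argv[i], "debug") == 0)
			debug = 1;
		else if (strcmp(argv[i], "nowarn") == 0)
			nowarn = 1;
		else if ((strcmp(argv[i], "try_first_pass") != 0) &&
		    (strcmp(argv[i], "use_first_pass") != 0))
			syslog(LOG_AUTH | LOG_DEBUG,
			    "ldap pam_sm_authenticate(%s), "
			    "illegal scheme option %s", logsvc, argv[i]);
	}

	if (debug)
		syslog(LOG_AUTH | LOG_DEBUG,
		    "ldap pam_sm_authenticate(%s %s), flags = %x %s",
		    logsvc, (user && *user != '\0')?user:"no-user", flags,
		    (nowarn)? ", nowarn": "");

	if (!user || *user == '\0')
		return (PAM_USER_UNKNOWN);

	/*
	 * Get the password entered in the first scheme if any.  The item
	 * stays owned by the PAM handle: it is not copied, freed or
	 * scrubbed here, and it is deliberately never logged.
	 */
	(void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &password);
	if (password == NULL) {
		if (debug)
			syslog(LOG_AUTH | LOG_DEBUG,
			    "ldap pam_sm_authenticate(%s %s), "
			    "AUTHTOK not set", logsvc, user);
		return (PAM_AUTH_ERR);
	}

	/*
	 * Authenticate user using the password from PAM_AUTHTOK.
	 * authenticate() reports its outcome as a PAM return code; only
	 * the two "right password, but it must change" codes are remapped.
	 */
	result = authenticate(&credp, user, password, NULL);
	if (result == PAM_NEW_AUTHTOK_REQD) {
		/*
		 * PAM_NEW_AUTHTOK_REQD means the user's password is good
		 * but needs to change immediately.  For login and similar
		 * services the user is asked to change it after the
		 * account management module has run and found the
		 * password expired, so report PAM_SUCCESS from here.
		 */
		result = PAM_SUCCESS;
	} else if (result == PAM_AUTHTOK_EXPIRED) {
		/*
		 * Authentication token is the right one but expired.
		 * Treated as a pass here; enforcement of the expiry is
		 * the account management module's job.
		 */
		result = PAM_SUCCESS;
	}

	/* authenticate() may hand back a credential; release it. */
	if (credp != NULL)
		(void) __ns_ldap_freeCred(&credp);
	return (result);
}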