/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
*/
#include "ldap_headers.h"
#include <malloc.h>
/* ******************************************************************** */
/* */
/* Utility Functions */
/* */
/* ******************************************************************** */
/*
 * __ldap_to_pamerror():
 * converts Native LDAP errors to an equivalent PAM error
 *
 * Maps an NS_LDAP_* status from the libsldap layer onto the PAM_*
 * code that pam_ldap hands back to the PAM framework.  Only
 * NS_LDAP_SUCCESS, NS_LDAP_OP_FAILED, NS_LDAP_MEMORY and
 * NS_LDAP_CONFIG get a distinct PAM code; every other status,
 * including any value this switch does not list, collapses to
 * PAM_SYSTEM_ERR, so an unexpected backend state is never reported
 * as a success or as a mere permission problem.
 *
 * NOTE(review): in this copy of the file the declarator line (function
 * name and parameter list) is missing between the "int" return type
 * and the opening brace; the body switches on a parameter named
 * "ldaperror".  Confirm the signature against the full source.
 */
int
{
	switch (ldaperror) {
	case NS_LDAP_SUCCESS:
		return (PAM_SUCCESS);
	case NS_LDAP_OP_FAILED:
		/* a failed operation is surfaced as a denial, not a system error */
		return (PAM_PERM_DENIED);
	case NS_LDAP_MEMORY:
		return (PAM_BUF_ERR);
	case NS_LDAP_CONFIG:
		return (PAM_SERVICE_ERR);
	case NS_LDAP_NOTFOUND:
	case NS_LDAP_INTERNAL:
	case NS_LDAP_PARTIAL:
	case NS_LDAP_INVALID_PARAM:
		/* listed explicitly for documentation; same code as default */
		return (PAM_SYSTEM_ERR);
	default:
		/* anything unrecognised is a system error, never a success */
		return (PAM_SYSTEM_ERR);
	}
}
/*
 * authenticate():
 * Returns
 *	PAM_SUCCESS		if authenticated successfully
 *	PAM_NEW_AUTHTOK_REQD	if authenticated but user needs to
 *				change password immediately
 *	PAM_MAXTRIES		if authentication fails due to too
 *				many login failures
 *	PAM_AUTHTOK_EXPIRED	if user password expired
 *	PAM_PERM_DENIED		if fail to authenticate
 *	PAM_AUTH_ERR		other errors
 *
 * Also outputs the seconds-until-expired data (through
 * sec_until_expired, which callers may pass as NULL) if authenticated
 * but the password is about to expire.
 * Authentication is checked by calling __ns_ldap_auth once per
 * configured authentication method, in configuration order, until one
 * of them produces a terminal outcome (see the loop below).
 *
 * NOTE(review): this copy of the file has lost lines throughout this
 * function -- the first line of the parameter list, the declaration
 * of "result", the conditions in front of several "goto out", the
 * __ns_ldap_auth call itself and the assignments to "result".  The
 * comments below describe only what the surviving lines establish
 * and mark everything else as an assumption to confirm against the
 * full source.
 */
int
int *sec_until_expired)
{
int ldaprc;
int authstried = 0;
/*
 * NOTE(review): the guard for this early return is missing here.  It
 * is a bare return rather than a "goto out", so it must precede every
 * allocation that the "out:" label releases; PAM_BUF_ERR suggests a
 * failed allocation of the credential object -- confirm.
 */
return (PAM_BUF_ERR);
/* Fill in the user name and password */
/*
 * An empty password is rejected before any bind is attempted.  This
 * is security-relevant: an LDAP simple bind that carries a DN and an
 * empty password is an "unauthenticated" bind (RFC 4513 section
 * 5.1.2), which many directory servers accept, so letting an empty
 * password reach __ns_ldap_auth could authenticate any known account.
 * (The first half of this condition is missing in this copy.)
 */
(pwd[0] == '\0'))
goto out;
/*
 * NOTE(review): the next two "goto out" most likely cover failed
 * copies of the user name and password into the credential; the
 * conditions in front of them are missing here -- confirm.
 */
goto out;
goto out;
}
/* get host certificate path, if one is configured */
goto out;
/*
 * __ns_ldap_freeCred frees the hostcertpath member, so we
 * must assign a copy. Otherwise freeParam and freeCred
 * below will double-free the string.  The goto that follows
 * presumably handles a failed copy, aborting the whole
 * authentication rather than continuing without the path
 * (its condition is missing in this copy -- confirm).
 */
goto out;
}
}
/* Load the service specific authentication method */
goto out;
/*
 * if authpp is null, there is no serviceAuthenticationMethod
 * try default authenticationMethod
 */
&errorp);
goto out;
}
/*
 * if authpp is still null, then can not authenticate, syslog
 * error message and return error
 */
"pam_ldap: no authentication method configured");
goto out;
}
/*
 * Walk the array and try all authentication methods in order except
 * for "none".
 *
 * Every iteration presents the same credential (user name and
 * cleartext password) to the server through the next configured
 * method.  The loop leaves early only on the terminal outcomes
 * handled below; any other status reaches the error cleanup at the
 * bottom of the loop body and the next method is tried.  (The "for"
 * header itself is missing in this copy.)
 */
continue;
authstried++;
/*
 * If rc is NS_LDAP_SUCCESS, done. If not,
 * check rc and error info to see if
 * there's any password management data.
 * If yes, set appropriate PAM result code
 * and exit.
 * (The __ns_ldap_auth call that sets ldaprc and errorp
 * is missing in this copy.)
 */
if (ldaprc == NS_LDAP_SUCCESS) {
/*
 * authenticated and no
 * password management info, done.
 * (The assignment to result is missing here.)
 */
goto out;
} else if (ldaprc == NS_LDAP_SUCCESS_WITH_INFO) {
/*
 * authenticated but need to deal with
 * password management info
 */
/*
 * clear sec_until_expired just in case
 * there's no error info; the caller may have
 * passed NULL, hence the guard
 */
if (sec_until_expired)
*sec_until_expired = 0;
if (errorp) {
/*
 * password about to expire;
 * retrieve "seconds until expired"
 * (the member read from errorp is
 * truncated in this copy)
 */
if (sec_until_expired)
errorp->
/*
 * indicate that passwd need to change
 * right away
 */
(void) __ns_ldap_freeError(&errorp);
}
goto out;
} else if (ldaprc == NS_LDAP_INTERNAL) {
if (errorp) {
/*
 * If error due to password policy, set
 * appropriate PAM result code and exit.
 * (The policy test itself is missing here.)
 */
else {
/*
 * If invalid credential,
 * return PAM_AUTH_ERR.
 */
}
(void) __ns_ldap_freeError(&errorp);
goto out;
}
/*
 * NS_LDAP_INTERNAL with no error detail is not terminal:
 * control falls to the cleanup below and the next
 * configured method is tried with the same password.
 * NOTE(review): confirm this is the intended policy,
 * since a transient internal failure on one method then
 * hands the credential to the next one.
 */
}
/* done with the error info, clean it up */
if (errorp)
(void) __ns_ldap_freeError(&errorp);
}
/*
 * authstried is only bumped after the "none" skip, so zero here
 * means no method was ever attempted: a configuration error, not a
 * credential error.
 */
if (authstried == 0) {
"pam_ldap: no legal authentication method configured");
goto out;
}
out:
/*
 * Credential ownership.  Only the two results that mean the bind
 * succeeded keep credp alive (the body of this branch, presumably
 * storing credp through the caller's out-parameter, is missing in
 * this copy); on every other path the credential -- which holds the
 * cleartext password -- is released right here.  NOTE(review): the
 * first half of this condition is missing as well, and whether
 * __ns_ldap_freeCred scrubs the password bytes before freeing is not
 * visible from this file; confirm, otherwise the password lingers in
 * freed heap memory.
 */
result == PAM_NEW_AUTHTOK_REQD)) {
} else {
(void) __ns_ldap_freeCred(&credp);
}
/*
 * Each free helper is handed the address of its pointer; errorp was
 * already freed in the terminal branches above, so the guard here
 * only fires if it is still set on some other path.
 */
if (certpath)
(void) __ns_ldap_freeParam((void ***)&certpath);
if (authpp)
(void) __ns_ldap_freeParam((void ***)&authpp);
if (errorp)
(void) __ns_ldap_freeError(&errorp);
return (result);
}