/*
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 */
/*
 * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
 */

/* ******************************************************************** */
/* Utility Functions */
/* ******************************************************************** */

/*
 * __ldap_to_pamerror():
 *	converts Native LDAP errors to an equivalent PAM error
 */

/*
 *	PAM_SUCCESS		if authenticated successfully
 *	PAM_NEW_AUTHTOK_REQD	if authenticated but user needs to
 *				change password immediately
 *	PAM_MAXTRIES		if authentication fails due to too
 *				many login failures
 *	PAM_AUTHTOK_EXPIRED	if user password expired
 *	PAM_PERM_DENIED		if authentication fails
 *	PAM_AUTH_ERR		other errors
 *
 *	Also output the seconds-until-expired data if authenticated
 *	but the password is about to expire.
 *
 *	Authentication is checked by calling __ns_ldap_auth.
 */

	/* Fill in the user name and password */

	/* get host certificate path, if one is configured */

	/*
	 * __ns_ldap_freeCred frees the hostcertpath member, so we
	 * must assign a copy. Otherwise freeParam and freeCred
	 * below will double-free the string.
	 */

	/* Load the service specific authentication method */

	/*
	 * if authpp is null, there is no serviceAuthenticationMethod
	 * try default authenticationMethod
	 */

	/*
	 * if authpp is still null, then cannot authenticate, syslog
	 * error message and return error
	 */
		    "pam_ldap: no authentication method configured");

	/*
	 * Walk the array and try all authentication methods in order except
	 */

		/*
		 * If rc is NS_LDAP_SUCCESS, done. If not,
		 * check rc and error info to see if
		 * there's any password management data.
		 * If yes, set appropriate PAM result code
		 */

			/*
			 * authenticated and no
			 * password management info, done.
			 */

			/*
			 * authenticated but need to deal with
			 * password management info
			 */

			/*
			 * clear sec_until_expired just in case
			 * there's no error info
			 */

				/*
				 * password about to expire;
				 * retrieve "seconds until expired"
				 */

				/* indicate that password needs to change */

		/*
		 * If error due to password policy, set
		 * appropriate PAM result code and exit.
		 */

		/*
		 * If invalid credential,
		 * return PAM_AUTH_ERR.
		 */

		/* done with the error info, clean it up */

	    "pam_ldap: no legal authentication method configured");