/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include <nsswitch.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <stdlib.h>
#include <unistd.h>
#include "ns_sldap.h"
#include <nss_dbdefs.h>
#include <nsswitch.h>
#include <pwd.h>
#include <shadow.h>
#include "passwdutil.h"
/*
* name_to_int(rep)
*
* Translate the repository to a bitmask.
* if we don't recognise the repository name, we return REP_ERANGE
*/
int
{
} else {
else
result = REP_ERANGE;
(void) __nsw_freeconfig(cfg);
}
}
return (result);
}
/*
* Figure out which repository we use in compat mode.
*/
int
get_compat_mode(void)
{
}
(void) __nsw_freeconfig(cfg);
return (result);
}
/*
* get_ns(rep, accesstype)
*
* returns a bitmask of repositories to use based on either
* 1. the repository that is given as argument
* 2. the nsswitch.conf file
* 3. the type of access requested
*
* "accesstype" indicates whether we are reading from or writing to the
* repository. We need to know this since "compat" will translate into
* REP_NSS (the nss-switch) for READ access (needed to decode
* the black-magic '+' entries) but it translates into a bitmask
* on WRITE access.
*
* If we detect read-access in compat mode, we augment the result
* with one of REP_COMPAT_{NIS,LDAP}. We need this in order to
* implement ATTR_REP_NAME in nss_getpwnam.
*
* A return value of REP_NOREP indicates an error.
*/
int
{
if (rep != PWU_DEFAULT_REP) {
return (result);
}
/*
* No config found. The user didn't supply a repository,
* so we try to change the password in the default
* repositories (files and nis) even though we cannot
* find the name service switch entry. (Backward compat)
*/
"passwd not found.");
return (result);
}
/*
* Supported nsswitch.conf can have a maximum of 3 repositories.
* If we encounter an unsupported nsswitch.conf, we return REP_NSS
* to fall back to the nsswitch backend.
*
* Note that specifying 'ad' in the configuration is acceptable
* though changing AD users' passwords through passwd(1) is not.
* Therefore "ad" will be silently ignored.
*/
/* files or compat */
if (accesstype == PWU_READ)
else
} else
/* AD is ignored */
} else {
}
/*
* Valid configurations with 3 repositories are:
* files ad [nis | ldap ] OR
* files [nis | ldap ] ad
*/
else
else
} else {
}
} else {
}
(void) __nsw_freeconfig(conf);
return (result);
}
static void
nss_db_params_t *p;
{
p->name = NSS_DBNAM_PASSWD;
p->flags |= NSS_USE_DEFAULT_CONFIG;
p->default_config = "ldap";
}
static void
nss_db_params_t *p;
{
p->name = NSS_DBNAM_SHADOW;
p->flags |= NSS_USE_DEFAULT_CONFIG;
p->default_config = "ldap";
}
#ifdef PAM_NIS
static void
nss_db_params_t *p;
{
p->name = NSS_DBNAM_PASSWD;
p->flags |= NSS_USE_DEFAULT_CONFIG;
p->default_config = "nis";
}
static void
nss_db_params_t *p;
{
p->name = NSS_DBNAM_SHADOW;
p->flags |= NSS_USE_DEFAULT_CONFIG;
p->default_config = "nis";
}
#endif /* PAM_NIS */
static char *
char **nextpp;
{
char *p = *nextpp;
char *q = p;
char c;
if (p == 0) {
return (0);
}
while ((c = *q) != '\0' && c != ':') {
q++;
}
if (c == '\0') {
*nextpp = 0;
} else {
*q++ = '\0';
*nextpp = q;
}
return (p);
}
/*
* Return values: 0 = success, 1 = parse error, 2 = erange ...
* The structure pointer passed in is a structure in the caller's space
* wherein the field pointers would be set to areas in the buffer if
* need be. instring and buffer should be separate areas.
*/
static int
{
char *p, *next;
return (NSS_STR_PARSE_ERANGE);
}
/*
* We copy the input string into the output buffer and
* operate on it in place.
*/
if (*p == '\0') {
/* Empty username; not allowed */
return (NSS_STR_PARSE_PARSE);
}
if (black_magic) {
/*
* pwconv tests pw_passwd and pw_age == NULL
*/
/*
* the rest of the passwd entry is "optional"
*/
}
if (p == 0) {
if (black_magic)
return (NSS_STR_PARSE_SUCCESS);
else
return (NSS_STR_PARSE_PARSE);
}
for (; *p != '\0'; p++) { /* age */
if (*p == ',') {
*p++ = '\0';
break;
}
}
p = next; /* uid */
if (p == 0 || *p == '\0') {
if (black_magic)
return (NSS_STR_PARSE_SUCCESS);
else
return (NSS_STR_PARSE_PARSE);
}
if (!black_magic) {
if (next == p) {
/* uid field should be nonempty */
return (NSS_STR_PARSE_PARSE);
}
/*
* The old code (in 2.0 thru 2.5) would check
* for the uid being negative, or being greater
* than 60001 (the rfs limit). If it met either of
* these conditions, the uid was translated to 60001.
*
* Now we just check for ephemeral uids; anything else
* is administrative policy
*/
}
if (*next++ != ':') {
if (black_magic)
else
return (NSS_STR_PARSE_PARSE);
}
p = next; /* gid */
if (p == 0 || *p == '\0') {
if (black_magic)
return (NSS_STR_PARSE_SUCCESS);
else
return (NSS_STR_PARSE_PARSE);
}
if (!black_magic) {
if (next == p) {
/* gid field should be nonempty */
return (NSS_STR_PARSE_PARSE);
}
/*
* gid should be non-negative; anything else
* is administrative policy.
*/
}
if (*next++ != ':') {
if (black_magic)
else
return (NSS_STR_PARSE_PARSE);
}
if (p == 0) {
if (black_magic)
return (NSS_STR_PARSE_SUCCESS);
else
return (NSS_STR_PARSE_PARSE);
}
if (p == 0) {
if (black_magic)
return (NSS_STR_PARSE_SUCCESS);
else
return (NSS_STR_PARSE_PARSE);
}
if (p == 0) {
if (black_magic)
return (NSS_STR_PARSE_SUCCESS);
else
return (NSS_STR_PARSE_PARSE);
}
/* Better not be any more fields... */
if (next == 0) {
/* Successfully parsed and stored */
return (NSS_STR_PARSE_SUCCESS);
}
return (NSS_STR_PARSE_PARSE);
}
typedef const char *constp;
/*
* Return value 1 means success and more input, 0 means error or no more
*/
static int
int uns;
void *valp;
{
char *endfield;
int len;
long x;
unsigned long ux;
if (p == 0 || p >= limit) {
return (0);
}
if (*p == ':') {
p++;
*nextp = p;
return (p < limit);
}
}
/*
* We want to use strtol() and we have a readonly non-zero-terminated
* string, so first we copy and terminate the interesting bit.
* Ugh. (It's convenient to terminate with a colon rather than \0).
*/
/* Error -- field is too big to be a legit number */
return (0);
}
p = limit;
} else {
}
if (uns) {
if (*endfield != ':') {
/* Error -- expected <integer><colon> */
return (0);
}
} else {
if (*endfield != ':') {
/* Error -- expected <integer><colon> */
return (0);
}
*((int *)valp) = (int)x;
}
*nextp = p;
return (p < limit);
}
/*
* str2spwd() -- convert a string to a shadow passwd entry. The parser is
* more liberal than the passwd or group parsers; since it's legitimate
* for almost all the fields here to be blank, the parser lets one omit
* any number of blank fields at the end of the entry. The acceptable
* forms for '+' and '-' entries are the same as those for normal entries.
* === Is this likely to do more harm than good?
*
* Return values: 0 = success, 1 = parse error, 2 = erange ...
* The structure pointer passed in is a structure in the caller's space
* wherein the field pointers would be set to areas in the buffer if
* need be. instring and buffer should be separate areas.
*/
int
const char *instr;
int lenstr;
void *ent; /* really (struct spwd *) */
char *buffer;
int buflen;
{
char *bufp;
++p >= limit ||
p = 0;
} else {
p++;
}
return (NSS_STR_PARSE_ERANGE);
}
if (black_magic)
return (NSS_STR_PARSE_SUCCESS);
else
return (NSS_STR_PARSE_PARSE);
}
*bufp++ = '\0';
if (instr == 0) {
if (black_magic)
return (NSS_STR_PARSE_SUCCESS);
else
return (NSS_STR_PARSE_PARSE);
}
*bufp++ = '\0';
p = bufp;
} /* else p was set when we copied name and passwd into the buffer */
return (NSS_STR_PARSE_SUCCESS);
return (NSS_STR_PARSE_SUCCESS);
return (NSS_STR_PARSE_SUCCESS);
return (NSS_STR_PARSE_SUCCESS);
return (NSS_STR_PARSE_SUCCESS);
return (NSS_STR_PARSE_SUCCESS);
return (NSS_STR_PARSE_SUCCESS);
if (p != limit) {
/* Syntax error -- garbage at end of line */
return (NSS_STR_PARSE_PARSE);
}
return (NSS_STR_PARSE_SUCCESS);
}
static DEFINE_NSS_DB_ROOT(db_root);
#define GETBUF() \
#pragma fini(endutilpwent)
static void
endutilpwent(void)
{
}
/*ARGSUSED*/
struct passwd *
{
nss_XbyY_buf_t *b = GETBUF();
if (b == 0)
return (0);
switch (reptype) {
case REP_LDAP:
break;
#ifdef PAM_NIS
case REP_NIS:
break;
#endif
default:
return (NULL);
}
}
/*ARGSUSED*/
struct passwd *
{
nss_XbyY_buf_t *b = GETBUF();
if (b == 0)
return (0);
switch (reptype) {
case REP_LDAP:
break;
#ifdef PAM_NIS
case REP_NIS:
break;
#endif
default:
return (NULL);
}
}
static DEFINE_NSS_DB_ROOT(spdb_root);
#define GETSPBUF() \
#pragma fini(endutilspent)
static void
endutilspent(void)
{
}
/*ARGSUSED*/
struct spwd *
{
nss_XbyY_buf_t *b = GETSPBUF();
if (b == 0)
return (0);
switch (reptype) {
case REP_LDAP:
break;
#ifdef PAM_NIS
case REP_NIS:
break;
#endif
default:
return (NULL);
}
}