ipa_auth.c revision a3c8390d19593b1e5277d95bfb4ab206d4785150
/*
    IPA Backend Module -- Authentication

    Sumit Bose <sbose@redhat.com>

    Copyright (C) 2009 Red Hat

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainenstatic void get_password_migration_flag_auth_done(struct tevent_req *subreq);
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainenstatic void get_password_migration_flag_done(struct tevent_req *subreq);
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainenstatic struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx,
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainen struct get_password_migration_flag_state *state;
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainen if (sdap_id_ctx == NULL || ipa_realm == NULL) {
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainen DEBUG(SSSDBG_OP_FAILURE, "Missing parameter.\n");
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainen DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n");
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainen DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed.\n");
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainen subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainen DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: %d(%s).\n",
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainen tevent_req_set_callback(subreq, get_password_migration_flag_auth_done, req);
bb1a7da5a76625640a5a207b19ed3abdb70c9617Timo Sirainenstatic void get_password_migration_flag_auth_done(struct tevent_req *subreq)
bb1a7da5a76625640a5a207b19ed3abdb70c9617Timo Sirainen struct tevent_req *req = tevent_req_callback_data(subreq,
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainen struct get_password_migration_flag_state *state = tevent_req_data(req,
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainen ret = sdap_id_op_connect_recv(subreq, &dp_error);
acc039dfc0b0f4588cf2feec04727b61e1c672a1Timo Sirainen "No IPA server is available, cannot get the "
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainen "migration flag while offline\n");
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainen "Failed to connect to IPA server: [%d](%s)\n",
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainen subreq = ipa_get_config_send(state, state->ev,
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainen state->sdap_id_ctx->opts, state->ipa_realm, NULL);
a6ab8f00351265e35b79f3a22b1f5a4978ae5c35Timo Sirainen tevent_req_set_callback(subreq, get_password_migration_flag_done, req);
bd417d416988d11a6b555b9aa57779e7ed976951Timo Sirainenstatic void get_password_migration_flag_done(struct tevent_req *subreq)
767431e5084a037c4dbefdf30ebfa03c84b1f449Timo Sirainen struct tevent_req *req = tevent_req_callback_data(subreq,
9ce62fcb795a4bb57f1c003fc8cbd63bff6e5463Timo Sirainen struct get_password_migration_flag_state *state = tevent_req_data(req,
9f3bb0e10835efb0c9b1eb9e09e16b614ec41b97Timo Sirainen ret = ipa_get_config_recv(subreq, state, &reply);
acc039dfc0b0f4588cf2feec04727b61e1c672a1Timo Sirainen ret = sysdb_attrs_get_string(reply, IPA_CONFIG_MIGRATION_ENABLED, &value);
28b8434ca4cba2e310d13ffc55e895d658725f43Timo Sirainen if (ret == EOK && strcasecmp(value, "true") == 0) {
acc039dfc0b0f4588cf2feec04727b61e1c672a1Timo Sirainenstatic int get_password_migration_flag_recv(struct tevent_req *req,
acc039dfc0b0f4588cf2feec04727b61e1c672a1Timo Sirainen struct get_password_migration_flag_state *state = tevent_req_data(req,
a3a55999bcfe2e57941cb64343f4ea80beabdab7Timo Sirainen *password_migration = state->password_migration;
f2a1955d993f67982bc40ad7bbae9a036dabfd64Timo Sirainenstatic void ipa_auth_handler_done(struct tevent_req *req);
f2a1955d993f67982bc40ad7bbae9a036dabfd64Timo Sirainenstatic void ipa_get_migration_flag_done(struct tevent_req *req);
f2a1955d993f67982bc40ad7bbae9a036dabfd64Timo Sirainenstatic void ipa_migration_flag_connect_done(struct tevent_req *req);
f2a1955d993f67982bc40ad7bbae9a036dabfd64Timo Sirainenstatic void ipa_auth_ldap_done(struct tevent_req *req);
cc52f19439f17c03e37fd65c6299a77d5c5e638aTimo Sirainenstatic void ipa_auth_handler_retry_done(struct tevent_req *req);
f2a1955d993f67982bc40ad7bbae9a036dabfd64Timo Sirainen talloc_get_type(be_req_get_data(be_req), struct pam_data);
f2a1955d993f67982bc40ad7bbae9a036dabfd64Timo Sirainen struct be_ctx *be_ctx = be_req_get_be_ctx(be_req);
e16cdc182bf122c37e252b49809db688e874b2a3Timo Sirainen state = talloc_zero(be_req, struct ipa_auth_state);
e16cdc182bf122c37e252b49809db688e874b2a3Timo Sirainen DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n");
968b2f633b7405bc2cf0596d04762994ceb279d0Timo Sirainen DEBUG(SSSDBG_OP_FAILURE, "Unsupported PAM task.\n");
968b2f633b7405bc2cf0596d04762994ceb279d0Timo Sirainen req = krb5_auth_send(state, state->ev, be_ctx, state->pd,
968b2f633b7405bc2cf0596d04762994ceb279d0Timo Sirainen DEBUG(SSSDBG_OP_FAILURE, "krb5_auth_send failed.\n");
d5eb47a791ec56149fd711cd8e44efc8babeaae5Timo Sirainen tevent_req_set_callback(req, ipa_auth_handler_done, state);
2e533fb1283b5f06a4063b519e47f1861c910386Timo Sirainen be_req_terminate(be_req, DP_ERR_FATAL, pd->pam_status, NULL);
2e533fb1283b5f06a4063b519e47f1861c910386Timo Sirainenstatic void ipa_auth_handler_done(struct tevent_req *req)
d5ef38077adbff5b3e4d0b3c94a2057581dc78b6Timo Sirainen struct ipa_auth_state *state = tevent_req_callback_data(req,
a3a55999bcfe2e57941cb64343f4ea80beabdab7Timo Sirainen ret = krb5_auth_recv(req, &pam_status, &dp_err);
ff3337516aad9843599905aeeb29812ea67c09d1Timo Sirainen if (ret != EOK && pam_status != PAM_CRED_ERR) {
4605cab1123700c52c515a433a2802fcbc827c62Timo Sirainen DEBUG(SSSDBG_OP_FAILURE, "krb5_auth_recv request failed.\n");
5296198635718c9bf5b2f972c9d5be52092d3d58Timo Sirainen req = get_password_migration_flag_send(state, state->ev,
a672f99363d5f37060c1331d00d2ee3c4626310fTimo Sirainen "get_password_migration_flag failed.\n");
5296198635718c9bf5b2f972c9d5be52092d3d58Timo Sirainen tevent_req_set_callback(req, ipa_get_migration_flag_done, state);
7ed711d973b319320da100d3e905ef7b99ed69d6Timo Sirainen be_req_terminate(state->be_req, dp_err, state->pd->pam_status, NULL);
5296198635718c9bf5b2f972c9d5be52092d3d58Timo Sirainenstatic void ipa_get_migration_flag_done(struct tevent_req *req)
5296198635718c9bf5b2f972c9d5be52092d3d58Timo Sirainen struct ipa_auth_state *state = tevent_req_callback_data(req,
4909421ac41e143fe07a235c0d11e9f0452d716bTimo Sirainen ret = get_password_migration_flag_recv(req, &state->password_migration);
4a26584a87ee0e986d23a224b3b3e85c44254d7fTimo Sirainen DEBUG(SSSDBG_OP_FAILURE, "get_password_migration_flag "
968b2f633b7405bc2cf0596d04762994ceb279d0Timo Sirainen "request failed.\n");
a2857829c642e2671779576b00c37b7d04693731Timo Sirainen DEBUG(SSSDBG_OP_FAILURE, "sdap_cli_connect_send failed.\n");
a2857829c642e2671779576b00c37b7d04693731Timo Sirainen tevent_req_set_callback(req, ipa_migration_flag_connect_done, state);
a2857829c642e2671779576b00c37b7d04693731Timo Sirainen DEBUG(SSSDBG_CONF_SETTINGS, "Password migration is not enabled.\n");
a2857829c642e2671779576b00c37b7d04693731Timo Sirainen be_req_terminate(state->be_req, dp_err, state->pd->pam_status, NULL);
a2857829c642e2671779576b00c37b7d04693731Timo Sirainenstatic void ipa_migration_flag_connect_done(struct tevent_req *req)
a6ab8f00351265e35b79f3a22b1f5a4978ae5c35Timo Sirainen struct ipa_auth_state *state = tevent_req_callback_data(req,
1d5dbb87f3485544db62896e2d56c663cb728c17Timo Sirainen struct be_ctx *be_ctx = be_req_get_be_ctx(state->be_req);
1d5dbb87f3485544db62896e2d56c663cb728c17Timo Sirainen const char **attrs;
1d5dbb87f3485544db62896e2d56c663cb728c17Timo Sirainen const char *dn;
cf0ad1a0bddb0787f3d7b408a96d721a8b2a98a3Timo Sirainen ret = sdap_cli_connect_recv(req, state, NULL, &state->sh, NULL);
aee3e2f7ab2b27572a90b9e7fd8fe60f13c6637eTimo Sirainen "Cannot connect to LDAP server to perform migration\n");
10515cb90514b169ab6c3693c72c4bf1017476dbTimo Sirainen DEBUG(SSSDBG_TRACE_FUNC, "Assuming Kerberos password is missing, "
10515cb90514b169ab6c3693c72c4bf1017476dbTimo Sirainen "starting password migration.\n");
7ed711d973b319320da100d3e905ef7b99ed69d6Timo Sirainen ret = sysdb_search_user_by_name(state, be_ctx->domain, state->pd->user,
4909421ac41e143fe07a235c0d11e9f0452d716bTimo Sirainen DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
goto done;
goto done;
done:
struct ipa_auth_state);
int ret;
switch (ret) {
case EOK:
case ERR_AUTH_DENIED:
case ERR_AUTH_FAILED:
case ERR_PASSWORD_EXPIRED:
goto done;
goto done;
goto done;
done:
struct ipa_auth_state);
int ret;
int pam_status;
int dp_err;
goto done;
done: