7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce/*
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce SSSD
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce ldap_access.c
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce Authors:
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce Simo Sorce <ssorce@redhat.com>
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce Copyright (C) 2013 Red Hat
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce This program is free software; you can redistribute it and/or modify
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce it under the terms of the GNU General Public License as published by
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce the Free Software Foundation; either version 3 of the License, or
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce (at your option) any later version.
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce This program is distributed in the hope that it will be useful,
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce but WITHOUT ANY WARRANTY; without even the implied warranty of
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce GNU General Public License for more details.
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce You should have received a copy of the GNU General Public License
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce along with this program. If not, see <http://www.gnu.org/licenses/>.
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce*/
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce#include <security/pam_modules.h>
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce#include "src/util/util.h"
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce#include "src/providers/data_provider.h"
cc2d77d5218c188119fa954c856e858cbde76947Pavel Březina#include "src/providers/backend.h"
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce#include "src/providers/ldap/sdap_access.h"
5cd4414fce1e0eb4133dfc6fc828bf25c8a959f9Lukas Slebodnik#include "providers/ldap/ldap_common.h"
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce
/* Per-request state of the LDAP PAM access handler. It only carries the
 * PAM data of the request being checked; the access-control verdict is
 * written into pd->pam_status when the sdap_access sub-request completes,
 * and pd is handed back to the caller from the _recv() function. */
struct sdap_pam_access_handler_state {
    struct pam_data *pd;
};
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinastatic void sdap_pam_access_handler_done(struct tevent_req *subreq);
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce
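/*
 * Start the access-control phase of a PAM request against LDAP.
 *
 * Starts sdap_access_send() on the connection taken from
 * access_ctx->id_ctx->conn with the PAM data in pd. The verdict is stored
 * in pd->pam_status by sdap_pam_access_handler_done() once the sub-request
 * finishes, and pd is returned to the caller by
 * sdap_pam_access_handler_recv().
 *
 * mem_ctx     talloc parent of the returned request.
 * access_ctx  LDAP access-control context; access_ctx->id_ctx->conn is
 *             dereferenced without a NULL check, as in the rest of this
 *             provider.
 * pd          PAM data of the request; pd->pam_status is the output.
 * params      data-provider request parameters (event context, backend
 *             context, domain).
 *
 * Returns the tevent request, or NULL only when the request itself cannot
 * be allocated. If the sub-request cannot be started, pd->pam_status is set
 * to PAM_SYSTEM_ERR (a failing, never a permitting, status) and the request
 * completes immediately. In both completion paths the request is reported
 * as EOK to the data provider for backward compatibility, so the caller
 * must read pd->pam_status, not the request's error state, to learn the
 * verdict.
 */
struct tevent_req *
sdap_pam_access_handler_send(TALLOC_CTX *mem_ctx,
                             struct sdap_access_ctx *access_ctx,
                             struct pam_data *pd,
                             struct dp_req_params *params)
{
    struct sdap_pam_access_handler_state *state;
    struct tevent_req *subreq;
    struct tevent_req *req;

    req = tevent_req_create(mem_ctx, &state,
                            struct sdap_pam_access_handler_state);
    if (req == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
        return NULL;
    }

    state->pd = pd;

    subreq = sdap_access_send(state, params->ev, params->be_ctx,
                              params->domain, access_ctx,
                              access_ctx->id_ctx->conn, pd);
    if (subreq == NULL) {
        /* The user only ever sees a generic system error for this case;
         * without this line the backend log holds no trace of why the
         * access check never ran. */
        DEBUG(SSSDBG_CRIT_FAILURE, "sdap_access_send() failed\n");
        pd->pam_status = PAM_SYSTEM_ERR;
        goto immediately;
    }

    tevent_req_set_callback(subreq, sdap_pam_access_handler_done, req);

    return req;

immediately:
    /* TODO For backward compatibility we always return EOK to DP now. */
    tevent_req_done(req);
    tevent_req_post(req, params->ev);

    return req;
}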
7a468783159880f81f7cd9270ee94bf0954d6a56Simo Sorce
/*
 * Translate the result of sdap_access_recv() into the PAM status that is
 * reported for the request.
 *
 * This is the access-control verdict, so the mapping is fail-closed: only
 * EOK and ERR_PASSWORD_EXPIRED_WARN yield PAM_SUCCESS, and any result not
 * listed below is logged and turned into PAM_SYSTEM_ERR, never into a
 * permitting status.
 */
static int sdap_pam_access_result_to_status(errno_t ret)
{
    if (ret == EOK || ret == ERR_PASSWORD_EXPIRED_WARN) {
        /* An expiry warning does not block the login. */
        return PAM_SUCCESS;
    }

    if (ret == ERR_ACCOUNT_EXPIRED) {
        return PAM_ACCT_EXPIRED;
    }

    if (ret == ERR_ACCESS_DENIED
            || ret == ERR_PASSWORD_EXPIRED
            || ret == ERR_PASSWORD_EXPIRED_REJECT) {
        return PAM_PERM_DENIED;
    }

    if (ret == ERR_PASSWORD_EXPIRED_RENEW) {
        return PAM_NEW_AUTHTOK_REQD;
    }

    DEBUG(SSSDBG_CRIT_FAILURE, "Error retrieving access check result.\n");
    return PAM_SYSTEM_ERR;
}

/*
 * Completion callback of the sdap_access sub-request.
 *
 * Collects the access check result, frees the sub-request and stores the
 * corresponding PAM status in the request's PAM data. The request is then
 * always completed with tevent_req_done(): the verdict travels only in
 * pd->pam_status, not in the request's error state.
 */
static void sdap_pam_access_handler_done(struct tevent_req *subreq)
{
    struct sdap_pam_access_handler_state *state;
    struct tevent_req *req;
    errno_t result;

    req = tevent_req_callback_data(subreq, struct tevent_req);
    state = tevent_req_data(req, struct sdap_pam_access_handler_state);

    result = sdap_access_recv(subreq);
    talloc_free(subreq);

    state->pd->pam_status = sdap_pam_access_result_to_status(result);

    /* TODO For backward compatibility we always return EOK to DP now. */
    tevent_req_done(req);
}
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina
/*
 * Collect the result of sdap_pam_access_handler_send().
 *
 * Both completion paths in this file finish the request with
 * tevent_req_done(), so EOK here does not mean access was granted: the
 * verdict is in (*_data)->pam_status and must be checked by the caller.
 * Ownership of the PAM data is moved to mem_ctx.
 *
 * mem_ctx  new talloc parent of the PAM data.
 * req      request returned by sdap_pam_access_handler_send().
 * _data    receives the PAM data carrying pam_status.
 *
 * Returns EOK, or the request's error code if it was completed with one.
 */
errno_t
sdap_pam_access_handler_recv(TALLOC_CTX *mem_ctx,
                             struct tevent_req *req,
                             struct pam_data **_data)
{
    struct sdap_pam_access_handler_state *handler_state;

    handler_state = tevent_req_data(req, struct sdap_pam_access_handler_state);

    TEVENT_REQ_RETURN_ON_ERROR(req);

    /* Hand the PAM data to the caller; it carries the access verdict. */
    *_data = talloc_steal(mem_ctx, handler_state->pd);

    return EOK;
}