#ifdef WITH_MOZLDAP

#define LDAP_OPT_SUCCESS LDAP_SUCCESS

#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)

#define LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ((ber_tag_t) 0x81U)

#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)

#endif

#define _XOPEN_SOURCE 500 /* for strptime() */

#include <time.h>

#undef _XOPEN_SOURCE

#include <errno.h>

#include <sys/time.h>

#include <strings.h>

#include <shadow.h>

#include <security/pam_modules.h>

#include "util/util.h"

#include "util/user_info_msg.h"

#include "db/sysdb.h"

#include "providers/ldap/ldap_common.h"

#include "providers/ldap/sdap_async.h"

enum pwexpire {

PWEXPIRE_NONE = 0,

PWEXPIRE_LDAP_PASSWORD_POLICY,

PWEXPIRE_KERBEROS,

PWEXPIRE_SHADOW

};

static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,

enum sdap_result *result)

{

char *end;

struct tm tm = {0, 0, 0, 0, 0, 0, 0, 0, 0};

time_t expire_time;

*result = SDAP_AUTH_FAILED;

end = strptime(expire_date, "%Y%m%d%H%M%SZ", &tm);

if (end == NULL) {

DEBUG(1, ("Kerberos expire date [%s] invalid.\n", expire_date));

return EINVAL;

}

if (*end != '\0') {

DEBUG(1, ("Kerberos expire date [%s] contains extra characters.\n",

expire_date));

return EINVAL;

}

expire_time = mktime(&tm);

if (expire_time == -1) {

DEBUG(1, ("mktime failed to convert [%s].\n", expire_date));

return EINVAL;

}

tzset();

expire_time -= timezone;

DEBUG(9, ("Time info: tzname[0] [%s] tzname[1] [%s] timezone [%d] "

"daylight [%d] now [%d] expire_time [%d].\n", tzname[0],

tzname[1], timezone, daylight, now, expire_time));

if (difftime(now, expire_time) > 0.0) {

DEBUG(4, ("Kerberos password expired.\n"));

*result = SDAP_AUTH_PW_EXPIRED;

} else {

*result = SDAP_AUTH_SUCCESS;

}

return EOK;

}

static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,

enum sdap_result *result)

{

long today;

long password_age;

if (spwd->sp_lstchg <= 0) {

DEBUG(4, ("Last change day is not set, new password needed.\n"));

*result = SDAP_AUTH_PW_EXPIRED;

return EOK;

}

today = (long) (now / (60 * 60 *24));

password_age = today - spwd->sp_lstchg;

if (password_age < 0) {

DEBUG(2, ("The last password change time is in the future!.\n"));

*result = SDAP_AUTH_SUCCESS;

return EOK;

}

if ((spwd->sp_expire != -1 && today > spwd->sp_expire) ||

(spwd->sp_max != -1 && spwd->sp_inact != -1 &&

password_age > spwd->sp_max + spwd->sp_inact))

{

DEBUG(4, ("Account expired.\n"));

*result = SDAP_ACCT_EXPIRED;

return EOK;

}

if (spwd->sp_max != -1 && password_age > spwd->sp_max) {

DEBUG(4, ("Password expired.\n"));

*result = SDAP_AUTH_PW_EXPIRED;

return EOK;

}

*result = SDAP_AUTH_SUCCESS;

return EOK;

}

static errno_t string_to_shadowpw_days(const char *s, long *d)

{

long l;

char *endptr;

if (s == NULL || *s == '\0') {

*d = -1;

return EOK;

}

errno = 0;

l = strtol(s, &endptr, 10);

if (errno != 0) {

DEBUG(1, ("strtol failed [%d][%s].\n", errno, strerror(errno)));

return errno;

}

if (*endptr != '\0') {

DEBUG(1, ("Input string [%s] is invalid.\n", s));

return EINVAL;

}

if (*d < -1) {

DEBUG(1, ("Input string contains not allowed negative value [%d].\n",

*d));

return EINVAL;

}

*d = l;

return EOK;

}

static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,

const struct ldb_message *msg,

struct dp_option *opts,

enum pwexpire *type, void **data)

{

const char *mark;

const char *val;

struct spwd *spwd;

const char *pwd_policy;

int ret;

*type = PWEXPIRE_NONE;

*data = NULL;

pwd_policy = dp_opt_get_string(opts, SDAP_PWD_POLICY);

if (pwd_policy == NULL) {

DEBUG(1, ("Missing password policy.\n"));

return EINVAL;

}

mark = ldb_msg_find_attr_as_string(msg, SYSDB_PWD_ATTRIBUTE, NULL);

if (mark != NULL) {

DEBUG(9, ("Found pwdAttribute, "

"assuming LDAP password policies are active.\n"));

*type = PWEXPIRE_LDAP_PASSWORD_POLICY;

return EOK;

}

if (strcasecmp(pwd_policy, PWD_POL_OPT_NONE) == 0) {

DEBUG(9, ("No password policy requested.\n"));

return EOK;

} else if (strcasecmp(pwd_policy, PWD_POL_OPT_MIT) == 0) {

mark = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_LASTCHANGE, NULL);

if (mark != NULL) {

DEBUG(9, ("Found Kerberos password expiration attributes.\n"))

val = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_EXPIRATION,

NULL);

if (val != NULL) {

*data = talloc_strdup(mem_ctx, val);

if (*data == NULL) {

DEBUG(1, ("talloc_strdup failed.\n"));

return ENOMEM;

}

*type = PWEXPIRE_KERBEROS;

return EOK;

}

} else {

DEBUG(1, ("No Kerberos password expiration attributes found, "

"but MIT Kerberos password policy was requested.\n"));

return EINVAL;

}

} else if (strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) == 0) {

mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);

if (mark != NULL) {

DEBUG(9, ("Found shadow password expiration attributes.\n"))

spwd = talloc_zero(mem_ctx, struct spwd);

if (spwd == NULL) {

DEBUG(1, ("talloc failed.\n"));

return ENOMEM;

}

val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);

ret = string_to_shadowpw_days(val, &spwd->sp_lstchg);

if (ret != EOK) goto shadow_fail;

val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MIN, NULL);

ret = string_to_shadowpw_days(val, &spwd->sp_min);

if (ret != EOK) goto shadow_fail;

val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MAX, NULL);

ret = string_to_shadowpw_days(val, &spwd->sp_max);

if (ret != EOK) goto shadow_fail;

val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_WARNING, NULL);

ret = string_to_shadowpw_days(val, &spwd->sp_warn);

if (ret != EOK) goto shadow_fail;

val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_INACTIVE, NULL);

ret = string_to_shadowpw_days(val, &spwd->sp_inact);

if (ret != EOK) goto shadow_fail;

val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_EXPIRE, NULL);

ret = string_to_shadowpw_days(val, &spwd->sp_expire);

if (ret != EOK) goto shadow_fail;

*data = spwd;

*type = PWEXPIRE_SHADOW;

return EOK;

} else {

DEBUG(1, ("No shadow password attributes found, "

"but shadow password policy was requested.\n"));

return EINVAL;

}

}

DEBUG(9, ("No password expiration attributes found.\n"));

return EOK;

shadow_fail:

talloc_free(spwd);

return ret;

}

struct get_user_dn_state {

struct tevent_context *ev;

struct sdap_auth_ctx *ctx;

struct sdap_handle *sh;

const char **attrs;

const char *name;

char *dn;

enum pwexpire pw_expire_type;

void *pw_expire_data;

};

static void get_user_dn_done(void *pvt, int err, struct ldb_result *res);

struct tevent_req *get_user_dn_send(TALLOC_CTX *memctx,

struct tevent_context *ev,

struct sdap_auth_ctx *ctx,

struct sdap_handle *sh,

const char *username)

{

struct tevent_req *req;

struct get_user_dn_state *state;

int ret;

req = tevent_req_create(memctx, &state, struct get_user_dn_state);

if (!req) return NULL;

state->ev = ev;

state->ctx = ctx;

state->sh = sh;

state->name = username;

state->attrs = talloc_array(state, const char *, 11);

if (!state->attrs) {

talloc_zfree(req);

return NULL;

}

state->attrs[0] = SYSDB_ORIG_DN;

state->attrs[1] = SYSDB_SHADOWPW_LASTCHANGE;

state->attrs[2] = SYSDB_SHADOWPW_MIN;

state->attrs[3] = SYSDB_SHADOWPW_MAX;

state->attrs[4] = SYSDB_SHADOWPW_WARNING;

state->attrs[5] = SYSDB_SHADOWPW_INACTIVE;

state->attrs[6] = SYSDB_SHADOWPW_EXPIRE;

state->attrs[7] = SYSDB_KRBPW_LASTCHANGE;

state->attrs[8] = SYSDB_KRBPW_EXPIRATION;

state->attrs[9] = SYSDB_PWD_ATTRIBUTE;

state->attrs[10] = NULL;

/* this sysdb call uses a sysdn operation, which means it will be

ret = sysdb_get_user_attr(state, state->ctx->be->sysdb,

state->ctx->be->domain, state->name,

state->attrs, get_user_dn_done, req);

if (ret) {

tevent_req_error(req, ret);

tevent_req_post(req, ev);

}

return req;

}

static void get_user_dn_done(void *pvt, int err, struct ldb_result *res)

{

struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);

struct get_user_dn_state *state = tevent_req_data(req,

struct get_user_dn_state);

const char *dn;

int ret;

if (err != LDB_SUCCESS) {

tevent_req_error(req, EIO);

return;

}

switch (res->count) {

case 0:

/* FIXME: not in cache, needs a true search */

tevent_req_error(req, ENOENT);

break;

case 1:

dn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_ORIG_DN, NULL);

if (!dn) {

/* TODO: try to search ldap server ? */

/* FIXME: remove once we store originalDN on every call

dn = talloc_asprintf(state, "%s=%s,%s",

state->ctx->opts->user_map[SDAP_AT_USER_NAME].name,

state->name,

dp_opt_get_string(state->ctx->opts->basic,

SDAP_USER_SEARCH_BASE));

if (!dn) {

tevent_req_error(req, ENOMEM);

break;

}

}

state->dn = talloc_strdup(state, dn);

if (!state->dn) {

tevent_req_error(req, ENOMEM);

break;

}

ret = find_password_expiration_attributes(state, res->msgs[0],

state->ctx->opts->basic,

&state->pw_expire_type,

&state->pw_expire_data);

if (ret != EOK) {

DEBUG(1, ("find_password_expiration_attributes failed.\n"));

tevent_req_error(req, ENOMEM);

break;

}

tevent_req_done(req);

break;

default:

DEBUG(1, ("A user search by name (%s) returned > 1 results!\n",

state->name));

tevent_req_error(req, EFAULT);

break;

}

}

static int get_user_dn_recv(struct tevent_req *req,

TALLOC_CTX *memctx, char **dn,

enum pwexpire *pw_expire_type,

void **pw_expire_data)

{

struct get_user_dn_state *state = tevent_req_data(req,

struct get_user_dn_state);

TEVENT_REQ_RETURN_ON_ERROR(req);

*dn = talloc_steal(memctx, state->dn);

if (!*dn) return ENOMEM;

/* state->pw_expire_data may be NULL */

*pw_expire_data = talloc_steal(memctx, state->pw_expire_data);

*pw_expire_type = state->pw_expire_type;

return EOK;

}

struct auth_state {

struct tevent_context *ev;

struct sdap_auth_ctx *ctx;

const char *username;

struct dp_opt_blob password;

struct sdap_handle *sh;

enum sdap_result result;

char *dn;

enum pwexpire pw_expire_type;

void *pw_expire_data;

struct fo_server *srv;

};

static void auth_resolve_done(struct tevent_req *subreq);

static void auth_connect_done(struct tevent_req *subreq);

static void auth_get_user_dn_done(struct tevent_req *subreq);

static void auth_bind_user_done(struct tevent_req *subreq);

static struct tevent_req *auth_send(TALLOC_CTX *memctx,

struct tevent_context *ev,

struct sdap_auth_ctx *ctx,

const char *username,

struct dp_opt_blob password)

{

struct tevent_req *req, *subreq;

struct auth_state *state;

req = tevent_req_create(memctx, &state, struct auth_state);

if (!req) return NULL;

state->ev = ev;

state->ctx = ctx;

state->username = username;

state->password = password;

state->srv = NULL;

subreq = be_resolve_server_send(state, ev, ctx->be, ctx->service->name);

if (!subreq) goto fail;

tevent_req_set_callback(subreq, auth_resolve_done, req);

return req;

fail:

talloc_zfree(req);

return NULL;

}

static void auth_resolve_done(struct tevent_req *subreq)

{

struct tevent_req *req = tevent_req_callback_data(subreq,

struct tevent_req);

struct auth_state *state = tevent_req_data(req,

struct auth_state);

int ret;

ret = be_resolve_server_recv(subreq, &state->srv);

talloc_zfree(subreq);

if (ret) {

tevent_req_error(req, ret);

return;

}

subreq = sdap_connect_send(state, state->ev, state->ctx->opts,

state->ctx->service->uri, true);

if (!subreq) {

tevent_req_error(req, ENOMEM);

return;

}

tevent_req_set_callback(subreq, auth_connect_done, req);

}

static void auth_connect_done(struct tevent_req *subreq)

{

struct tevent_req *req = tevent_req_callback_data(subreq,

struct tevent_req);

struct auth_state *state = tevent_req_data(req,

struct auth_state);

int ret;

ret = sdap_connect_recv(subreq, state, &state->sh);

talloc_zfree(subreq);

if (ret) {

if (state->srv) {

/* mark this server as bad if connection failed */

fo_set_port_status(state->srv, PORT_NOT_WORKING);

}

tevent_req_error(req, ret);

return;

} else if (state->srv) {

fo_set_port_status(state->srv, PORT_WORKING);

}

subreq = get_user_dn_send(state, state->ev,

state->ctx, state->sh,

state->username);

if (!subreq) {

tevent_req_error(req, ENOMEM);

return;

}

tevent_req_set_callback(subreq, auth_get_user_dn_done, req);

}

static void auth_get_user_dn_done(struct tevent_req *subreq)

{

struct tevent_req *req = tevent_req_callback_data(subreq,

struct tevent_req);

struct auth_state *state = tevent_req_data(req,

struct auth_state);

int ret;

ret = get_user_dn_recv(subreq, state, &state->dn, &state->pw_expire_type,

&state->pw_expire_data);

talloc_zfree(subreq);

if (ret) {

tevent_req_error(req, ret);

return;

}

subreq = sdap_auth_send(state, state->ev, state->sh,

NULL, NULL, state->dn,

"password", state->password);

if (!subreq) {

tevent_req_error(req, ENOMEM);

return;

}

tevent_req_set_callback(subreq, auth_bind_user_done, req);

}

static void auth_bind_user_done(struct tevent_req *subreq)

{

struct tevent_req *req = tevent_req_callback_data(subreq,

struct tevent_req);

struct auth_state *state = tevent_req_data(req,

struct auth_state);

int ret;

ret = sdap_auth_recv(subreq, &state->result);

talloc_zfree(subreq);

if (ret) {

tevent_req_error(req, ret);

return;

}

tevent_req_done(req);

}

int auth_recv(struct tevent_req *req,

TALLOC_CTX *memctx,

struct sdap_handle **sh,

enum sdap_result *result, char **dn,

enum pwexpire *pw_expire_type, void **pw_expire_data)

{

struct auth_state *state = tevent_req_data(req, struct auth_state);

enum tevent_req_state tstate;

uint64_t err;

if (tevent_req_is_error(req, &tstate, &err)) {

switch (tstate) {

case TEVENT_REQ_USER_ERROR:

if (err == ETIMEDOUT) *result = SDAP_UNAVAIL;

else *result = SDAP_ERROR;

return err;

default:

*result = SDAP_ERROR;

return EIO;

}

}

if (sh != NULL) {

*sh = talloc_steal(memctx, state->sh);

if (*sh == NULL) return ENOMEM;

}

if (dn != NULL) {

*dn = talloc_steal(memctx, state->dn);

if (*dn == NULL) return ENOMEM;

}

if (pw_expire_data != NULL) {

*pw_expire_data = talloc_steal(memctx, state->pw_expire_data);

}

*pw_expire_type = state->pw_expire_type;

*result = state->result;

return EOK;

}

struct sdap_pam_chpass_state {

struct be_req *breq;

struct pam_data *pd;

const char *username;

char *dn;

char *password;

char *new_password;

struct sdap_handle *sh;

};

static void sdap_auth4chpass_done(struct tevent_req *req);

static void sdap_pam_chpass_done(struct tevent_req *req);

static void sdap_pam_auth_reply(struct be_req *breq, int dp_err, int result);

void sdap_pam_chpass_handler(struct be_req *breq)

{

struct sdap_pam_chpass_state *state;

struct sdap_auth_ctx *ctx;

struct tevent_req *subreq;

struct pam_data *pd;

struct dp_opt_blob authtok;

int dp_err = DP_ERR_FATAL;

ctx = talloc_get_type(breq->be_ctx->bet_info[BET_CHPASS].pvt_bet_data,

struct sdap_auth_ctx);

pd = talloc_get_type(breq->req_data, struct pam_data);

if (be_is_offline(ctx->be)) {

DEBUG(4, ("Backend is marked offline, retry later!\n"));

pd->pam_status = PAM_AUTHINFO_UNAVAIL;

dp_err = DP_ERR_OFFLINE;

goto done;

}

DEBUG(2, ("starting password change request for user [%s].\n", pd->user));

pd->pam_status = PAM_SYSTEM_ERR;

if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {

DEBUG(2, ("chpass target was called by wrong pam command.\n"));

goto done;

}

state = talloc_zero(breq, struct sdap_pam_chpass_state);

if (!state) goto done;

state->breq = breq;

state->pd = pd;

state->username = pd->user;

state->password = talloc_strndup(state,

(char *)pd->authtok, pd->authtok_size);

if (!state->password) goto done;

talloc_set_destructor((TALLOC_CTX *)state->password,

password_destructor);

if (pd->cmd == SSS_PAM_CHAUTHTOK) {

state->new_password = talloc_strndup(state,

(char *)pd->newauthtok,

pd->newauthtok_size);

if (!state->new_password) goto done;

talloc_set_destructor((TALLOC_CTX *)state->new_password,

password_destructor);

}

authtok.data = (uint8_t *)state->password;

authtok.length = strlen(state->password);

subreq = auth_send(breq, breq->be_ctx->ev,

ctx, state->username, authtok);

if (!subreq) goto done;

tevent_req_set_callback(subreq, sdap_auth4chpass_done, state);

return;

done:

sdap_pam_auth_reply(breq, dp_err, pd->pam_status);

}

static void sdap_auth4chpass_done(struct tevent_req *req)

{

struct sdap_pam_chpass_state *state =

tevent_req_callback_data(req, struct sdap_pam_chpass_state);

struct tevent_req *subreq;

enum sdap_result result;

enum pwexpire pw_expire_type;

void *pw_expire_data;

int dp_err = DP_ERR_FATAL;

int ret;

ret = auth_recv(req, state, &state->sh,

&result, &state->dn,

&pw_expire_type, &pw_expire_data);

talloc_zfree(req);

if (ret) {

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

if (result == SDAP_AUTH_SUCCESS &&

state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {

DEBUG(9, ("Initial authentication for change password operation "

"successful.\n"));

state->pd->pam_status = PAM_SUCCESS;

goto done;

}

if (result == SDAP_AUTH_SUCCESS) {

switch (pw_expire_type) {

case PWEXPIRE_SHADOW:

ret = check_pwexpire_shadow(pw_expire_data, time(NULL),

&result);

if (ret != EOK) {

DEBUG(1, ("check_pwexpire_shadow failed.\n"));

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

break;

case PWEXPIRE_KERBEROS:

ret = check_pwexpire_kerberos(pw_expire_data, time(NULL),

&result);

if (ret != EOK) {

DEBUG(1, ("check_pwexpire_kerberos failed.\n"));

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

if (result == SDAP_AUTH_PW_EXPIRED) {

DEBUG(1, ("LDAP provider cannot change kerberos "

"passwords.\n"));

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

break;

case PWEXPIRE_LDAP_PASSWORD_POLICY:

case PWEXPIRE_NONE:

break;

default:

DEBUG(1, ("Unknow pasword expiration type.\n"));

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

}

switch (result) {

case SDAP_AUTH_SUCCESS:

case SDAP_AUTH_PW_EXPIRED:

DEBUG(7, ("user [%s] successfully authenticated.\n", state->dn));

if (pw_expire_type == PWEXPIRE_SHADOW) {

DEBUG(1, ("Changing shadow password attributes not implemented.\n"));

state->pd->pam_status = PAM_MODULE_UNKNOWN;

goto done;

} else {

subreq = sdap_exop_modify_passwd_send(state,

state->breq->be_ctx->ev,

state->sh,

state->dn,

state->password,

state->new_password);

if (!subreq) {

DEBUG(2, ("Failed to change password for %s\n", state->username));

goto done;

}

tevent_req_set_callback(subreq, sdap_pam_chpass_done, state);

return;

}

break;

case SDAP_AUTH_FAILED:

state->pd->pam_status = PAM_AUTH_ERR;

break;

default:

state->pd->pam_status = PAM_SYSTEM_ERR;

}

done:

sdap_pam_auth_reply(state->breq, dp_err, state->pd->pam_status);

}

static void sdap_pam_chpass_done(struct tevent_req *req)

{

struct sdap_pam_chpass_state *state =

tevent_req_callback_data(req, struct sdap_pam_chpass_state);

enum sdap_result result;

int dp_err = DP_ERR_FATAL;

int ret;

char *user_error_message = NULL;

size_t msg_len;

uint8_t *msg;

ret = sdap_exop_modify_passwd_recv(req, state, &result, &user_error_message);

talloc_zfree(req);

if (ret) {

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

switch (result) {

case SDAP_SUCCESS:

state->pd->pam_status = PAM_SUCCESS;

dp_err = DP_ERR_OK;

break;

default:

state->pd->pam_status = PAM_AUTHTOK_ERR;

if (user_error_message != NULL) {

ret = pack_user_info_chpass_error(state->pd, user_error_message,

&msg_len, &msg);

if (ret != EOK) {

DEBUG(1, ("pack_user_info_chpass_error failed.\n"));

} else {

ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len,

msg);

if (ret != EOK) {

DEBUG(1, ("pam_add_response failed.\n"));

}

}

}

}

done:

sdap_pam_auth_reply(state->breq, dp_err, state->pd->pam_status);

}

struct sdap_pam_auth_state {

struct be_req *breq;

struct pam_data *pd;

const char *username;

struct dp_opt_blob password;

};

static void sdap_pam_auth_done(struct tevent_req *req);

static void sdap_password_cache_done(struct tevent_req *req);

void sdap_pam_auth_handler(struct be_req *breq)

{

struct sdap_pam_auth_state *state;

struct sdap_auth_ctx *ctx;

struct tevent_req *subreq;

struct pam_data *pd;

int dp_err = DP_ERR_FATAL;

ctx = talloc_get_type(breq->be_ctx->bet_info[BET_AUTH].pvt_bet_data,

struct sdap_auth_ctx);

pd = talloc_get_type(breq->req_data, struct pam_data);

if (be_is_offline(ctx->be)) {

DEBUG(4, ("Backend is marked offline, retry later!\n"));

pd->pam_status = PAM_AUTHINFO_UNAVAIL;

dp_err = DP_ERR_OFFLINE;

goto done;

}

pd->pam_status = PAM_SYSTEM_ERR;

switch (pd->cmd) {

case SSS_PAM_AUTHENTICATE:

case SSS_PAM_CHAUTHTOK_PRELIM:

state = talloc_zero(breq, struct sdap_pam_auth_state);

if (!state) goto done;

state->breq = breq;

state->pd = pd;

state->username = pd->user;

state->password.data = pd->authtok;

state->password.length = pd->authtok_size;

subreq = auth_send(breq, breq->be_ctx->ev, ctx,

state->username, state->password);

if (!subreq) goto done;

tevent_req_set_callback(subreq, sdap_pam_auth_done, state);

return;

case SSS_PAM_CHAUTHTOK:

break;

case SSS_PAM_ACCT_MGMT:

case SSS_PAM_SETCRED:

case SSS_PAM_OPEN_SESSION:

case SSS_PAM_CLOSE_SESSION:

pd->pam_status = PAM_SUCCESS;

dp_err = DP_ERR_OK;

break;

default:

pd->pam_status = PAM_MODULE_UNKNOWN;

dp_err = DP_ERR_OK;

}

done:

sdap_pam_auth_reply(breq, dp_err, pd->pam_status);

}

static void sdap_pam_auth_done(struct tevent_req *req)

{

struct sdap_pam_auth_state *state =

tevent_req_callback_data(req, struct sdap_pam_auth_state);

struct tevent_req *subreq;

enum sdap_result result;

enum pwexpire pw_expire_type;

void *pw_expire_data;

int dp_err = DP_ERR_OK;

int ret;

ret = auth_recv(req, state, NULL,

&result, NULL,

&pw_expire_type, &pw_expire_data);

talloc_zfree(req);

if (ret) {

state->pd->pam_status = PAM_SYSTEM_ERR;

dp_err = DP_ERR_FATAL;

goto done;

}

if (result == SDAP_AUTH_SUCCESS) {

switch (pw_expire_type) {

case PWEXPIRE_SHADOW:

ret = check_pwexpire_shadow(pw_expire_data, time(NULL),

&result);

if (ret != EOK) {

DEBUG(1, ("check_pwexpire_shadow failed.\n"));

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

break;

case PWEXPIRE_KERBEROS:

ret = check_pwexpire_kerberos(pw_expire_data, time(NULL),

&result);

if (ret != EOK) {

DEBUG(1, ("check_pwexpire_kerberos failed.\n"));

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

break;

case PWEXPIRE_LDAP_PASSWORD_POLICY:

case PWEXPIRE_NONE:

break;

default:

DEBUG(1, ("Unknow pasword expiration type.\n"));

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

}

switch (result) {

case SDAP_AUTH_SUCCESS:

state->pd->pam_status = PAM_SUCCESS;

break;

case SDAP_AUTH_FAILED:

state->pd->pam_status = PAM_PERM_DENIED;

break;

case SDAP_UNAVAIL:

state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;

break;

case SDAP_ACCT_EXPIRED:

state->pd->pam_status = PAM_ACCT_EXPIRED;

break;

case SDAP_AUTH_PW_EXPIRED:

state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;

break;

default:

state->pd->pam_status = PAM_SYSTEM_ERR;

dp_err = DP_ERR_FATAL;

}

if (result == SDAP_UNAVAIL) {

be_mark_offline(state->breq->be_ctx);

dp_err = DP_ERR_OFFLINE;

goto done;

}

if (result == SDAP_AUTH_SUCCESS &&

state->breq->be_ctx->domain->cache_credentials) {

char *password = talloc_strndup(state, (char *)

state->password.data,

state->password.length);

/* password caching failures are not fatal errors */

if (!password) {

DEBUG(2, ("Failed to cache password for %s\n", state->username));

goto done;

}

talloc_set_destructor((TALLOC_CTX *)password, password_destructor);

subreq = sysdb_cache_password_send(state,

state->breq->be_ctx->ev,

state->breq->be_ctx->sysdb,

NULL,

state->breq->be_ctx->domain,

state->username, password);

/* password caching failures are not fatal errors */

if (!subreq) {

DEBUG(2, ("Failed to cache password for %s\n", state->username));

goto done;

}

tevent_req_set_callback(subreq, sdap_password_cache_done, state);

return;

}

done:

sdap_pam_auth_reply(state->breq, dp_err, state->pd->pam_status);

}

static void sdap_password_cache_done(struct tevent_req *subreq)

{

struct sdap_pam_auth_state *state = tevent_req_callback_data(subreq,

struct sdap_pam_auth_state);

int ret;

ret = sysdb_cache_password_recv(subreq);

talloc_zfree(subreq);

if (ret) {

/* password caching failures are not fatal errors */

DEBUG(2, ("Failed to cache password for %s\n", state->username));

} else {

DEBUG(4, ("Password successfully cached for %s\n", state->username));

}

sdap_pam_auth_reply(state->breq, DP_ERR_OK, state->pd->pam_status);

}

static void sdap_pam_auth_reply(struct be_req *req, int dp_err, int result)

{

req->fn(req, dp_err, result, NULL);

}