#ifdef WITH_MOZLDAP

#define LDAP_OPT_SUCCESS LDAP_SUCCESS

#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)

#define LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ((ber_tag_t) 0x81U)

#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)

#endif

#include "config.h"

#include <time.h>

#include <errno.h>

#include <sys/time.h>

#include <strings.h>

#include <shadow.h>

#include <security/pam_modules.h>

#include "util/util.h"

#include "util/user_info_msg.h"

#include "db/sysdb.h"

#include "providers/ldap/ldap_common.h"

#include "providers/ldap/sdap_async.h"

#include "providers/ldap/sdap_async_private.h"

#include "providers/ldap/ldap_auth.h"

#include "providers/ldap/sdap_access.h"

#define LDAP_PWEXPIRE_WARNING_TIME 0

static errno_t add_expired_warning(struct pam_data *pd, long exp_time)

{

int ret;

uint32_t *data;

if (exp_time < 0 || exp_time > UINT32_MAX) {

DEBUG(SSSDBG_CRIT_FAILURE, "Time to expire out of range.\n");

return EINVAL;

}

data = talloc_array(pd, uint32_t, 2);

if (data == NULL) {

DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");

return ENOMEM;

}

data[0] = SSS_PAM_USER_INFO_EXPIRE_WARN;

data[1] = (uint32_t) exp_time;

ret = pam_add_response(pd, SSS_PAM_USER_INFO, 2 * sizeof(uint32_t),

(uint8_t *) data);

if (ret != EOK) {

DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");

}

return EOK;

}

static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,

struct pam_data *pd,

int pwd_exp_warning)

{

time_t expire_time;

int expiration_warning;

int ret = ERR_INTERNAL;

ret = sss_utc_to_time_t(expire_date, "%Y%m%d%H%M%SZ",

&expire_time);

if (ret != EOK) {

DEBUG(SSSDBG_MINOR_FAILURE, "sss_utc_to_time_t failed with %d:%s.\n",

ret, sss_strerror(ret));

return ret;

}

DEBUG(SSSDBG_TRACE_ALL,

"Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "

"daylight [%d] now [%ld] expire_time [%ld].\n", tzname[0],

tzname[1], timezone, daylight, now, expire_time);

if (difftime(now, expire_time) > 0.0) {

DEBUG(SSSDBG_CONF_SETTINGS, "Kerberos password expired.\n");

ret = ERR_PASSWORD_EXPIRED;

} else {

if (pwd_exp_warning >= 0) {

expiration_warning = pwd_exp_warning;

} else {

expiration_warning = KERBEROS_PWEXPIRE_WARNING_TIME;

}

if (pd != NULL &&

(difftime(now + expiration_warning, expire_time) > 0.0 ||

expiration_warning == 0)) {

ret = add_expired_warning(pd, (long) difftime(expire_time, now));

if (ret != EOK) {

DEBUG(SSSDBG_CRIT_FAILURE, "add_expired_warning failed.\n");

}

}

ret = EOK;

}

return ret;

}

static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,

struct pam_data *pd)

{

long today;

long password_age;

long exp;

int ret;

if (spwd->sp_lstchg <= 0) {

DEBUG(SSSDBG_CONF_SETTINGS,

"Last change day is not set, new password needed.\n");

return ERR_PASSWORD_EXPIRED;

}

today = (long) (now / (60 * 60 *24));

password_age = today - spwd->sp_lstchg;

if (password_age < 0) {

DEBUG(SSSDBG_OP_FAILURE,

"The last password change time is in the future!.\n");

return EOK;

}

if ((spwd->sp_expire != -1 && today > spwd->sp_expire) ||

(spwd->sp_max != -1 && spwd->sp_inact != -1 &&

password_age > spwd->sp_max + spwd->sp_inact))

{

DEBUG(SSSDBG_CONF_SETTINGS, "Account expired.\n");

return ERR_ACCOUNT_EXPIRED;

}

if (spwd->sp_max != -1 && password_age > spwd->sp_max) {

DEBUG(SSSDBG_CONF_SETTINGS, "Password expired.\n");

return ERR_PASSWORD_EXPIRED;

}

if (pd != NULL && spwd->sp_max != -1 && spwd->sp_warn != -1 &&

password_age > spwd->sp_max - spwd->sp_warn ) {

/* add_expired_warning() expects time in seconds */

exp = (spwd->sp_max - password_age) * (60 * 60 * 24);

if (exp == 0) {

/* Seconds until next midnight */

exp = ((today + 1) * (60 * 60 * 24)) - now;

}

ret = add_expired_warning(pd, exp);

if (ret != EOK) {

DEBUG(SSSDBG_CRIT_FAILURE, "add_expired_warning failed.\n");

}

}

return EOK;

}

static errno_t check_pwexpire_ldap(struct pam_data *pd,

struct sdap_ppolicy_data *ppolicy,

int pwd_exp_warning)

{

int ret = EOK;

if (ppolicy->grace >= 0 || ppolicy->expire > 0) {

uint32_t *data;

uint32_t *ptr;

if (pwd_exp_warning < 0) {

pwd_exp_warning = 0;

}

data = talloc_size(pd, 2* sizeof(uint32_t));

if (data == NULL) {

DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");

return ENOMEM;

}

ptr = data;

if (ppolicy->grace >= 0) {

*ptr = SSS_PAM_USER_INFO_GRACE_LOGIN;

ptr++;

*ptr = ppolicy->grace;

} else if (ppolicy->expire > 0) {

if (pwd_exp_warning != 0 && ppolicy->expire > pwd_exp_warning) {

/* do not warn */

goto done;

}

/* send warning */

*ptr = SSS_PAM_USER_INFO_EXPIRE_WARN;

ptr++;

*ptr = ppolicy->expire;

}

ret = pam_add_response(pd, SSS_PAM_USER_INFO, 2* sizeof(uint32_t),

(uint8_t*)data);

if (ret != EOK) {

DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");

}

}

done:

return ret;

}

errno_t check_pwexpire_policy(enum pwexpire pw_expire_type,

void *pw_expire_data,

struct pam_data *pd,

int pwd_expiration_warning)

{

errno_t ret;

switch (pw_expire_type) {

case PWEXPIRE_SHADOW:

ret = check_pwexpire_shadow(pw_expire_data, time(NULL), pd);

break;

case PWEXPIRE_KERBEROS:

ret = check_pwexpire_kerberos(pw_expire_data, time(NULL), pd,

pwd_expiration_warning);

break;

case PWEXPIRE_LDAP_PASSWORD_POLICY:

ret = check_pwexpire_ldap(pd, pw_expire_data,

pwd_expiration_warning);

break;

case PWEXPIRE_NONE:

ret = EOK;

break;

default:

DEBUG(SSSDBG_CRIT_FAILURE, "Unknown password expiration type.\n");

ret = EINVAL;

}

return ret;

}

static errno_t

find_password_expiration_attributes(TALLOC_CTX *mem_ctx,

const struct ldb_message *msg,

struct dp_option *opts,

enum pwexpire *type, void **data)

{

const char *mark;

const char *val;

struct spwd *spwd;

const char *pwd_policy;

int ret;

*type = PWEXPIRE_NONE;

*data = NULL;

pwd_policy = dp_opt_get_string(opts, SDAP_PWD_POLICY);

if (pwd_policy == NULL) {

DEBUG(SSSDBG_CRIT_FAILURE, "Missing password policy.\n");

return EINVAL;

}

if (strcasecmp(pwd_policy, PWD_POL_OPT_NONE) == 0) {

DEBUG(SSSDBG_TRACE_ALL, "No password policy requested.\n");

return EOK;

} else if (strcasecmp(pwd_policy, PWD_POL_OPT_MIT) == 0) {

mark = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_LASTCHANGE, NULL);

if (mark != NULL) {

DEBUG(SSSDBG_TRACE_ALL,

"Found Kerberos password expiration attributes.\n");

val = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_EXPIRATION,

NULL);

if (val != NULL) {

*data = talloc_strdup(mem_ctx, val);

if (*data == NULL) {

DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");

return ENOMEM;

}

*type = PWEXPIRE_KERBEROS;

return EOK;

}

} else {

DEBUG(SSSDBG_CRIT_FAILURE,

"No Kerberos password expiration attributes found, "

"but MIT Kerberos password policy was requested. "

"Access will be denied.\n");

return EACCES;

}

} else if (strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) == 0) {

mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);

if (mark != NULL) {

DEBUG(SSSDBG_TRACE_ALL,

"Found shadow password expiration attributes.\n");

spwd = talloc_zero(mem_ctx, struct spwd);

if (spwd == NULL) {

DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");

return ENOMEM;

}

val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);

ret = string_to_shadowpw_days(val, &spwd->sp_lstchg);

if (ret != EOK) goto shadow_fail;

val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MIN, NULL);

ret = string_to_shadowpw_days(val, &spwd->sp_min);

if (ret != EOK) goto shadow_fail;

val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MAX, NULL);

ret = string_to_shadowpw_days(val, &spwd->sp_max);

if (ret != EOK) goto shadow_fail;

val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_WARNING, NULL);

ret = string_to_shadowpw_days(val, &spwd->sp_warn);

if (ret != EOK) goto shadow_fail;

val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_INACTIVE, NULL);

ret = string_to_shadowpw_days(val, &spwd->sp_inact);

if (ret != EOK) goto shadow_fail;

val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_EXPIRE, NULL);

ret = string_to_shadowpw_days(val, &spwd->sp_expire);

if (ret != EOK) goto shadow_fail;

*data = spwd;

*type = PWEXPIRE_SHADOW;

return EOK;

} else {

DEBUG(SSSDBG_CRIT_FAILURE, "No shadow password attributes found, "

"but shadow password policy was requested. "

"Access will be denied.\n");

return EACCES;

}

}

DEBUG(SSSDBG_TRACE_ALL, "No password expiration attributes found.\n");

return EOK;

shadow_fail:

talloc_free(spwd);

return ret;

}

struct get_user_dn_state {

char *username;

char *orig_dn;

};

static void get_user_dn_done(struct tevent_req *subreq);

static struct tevent_req *get_user_dn_send(TALLOC_CTX *memctx,

struct tevent_context *ev,

struct sss_domain_info *domain,

struct sdap_handle *sh,

struct sdap_options *opts,

const char *username)

{

struct tevent_req *req;

struct tevent_req *subreq;

struct get_user_dn_state *state;

char *clean_name;

char *filter;

const char **attrs;

errno_t ret;

req = tevent_req_create(memctx, &state, struct get_user_dn_state);

if (!req) return NULL;

ret = sss_parse_internal_fqname(state, username,

&state->username, NULL);

if (ret != EOK) {

DEBUG(SSSDBG_OP_FAILURE, "Cannot parse %s\n", username);

goto done;

}

ret = sss_filter_sanitize(state, state->username, &clean_name);

if (ret != EOK) {

goto done;

}

filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",

opts->user_map[SDAP_AT_USER_NAME].name,

clean_name,

opts->user_map[SDAP_OC_USER].name);

talloc_zfree(clean_name);

if (filter == NULL) {

DEBUG(SSSDBG_OP_FAILURE, "Failed to build the base filter\n");

ret = ENOMEM;

goto done;

}

/* We're mostly interested in the DN anyway */

attrs = talloc_array(state, const char *, 3);

if (attrs == NULL) {

ret = ENOMEM;

goto done;

}

attrs[0] = "objectclass";

attrs[1] = opts->user_map[SDAP_AT_USER_NAME].name;

attrs[2] = NULL;

subreq = sdap_search_user_send(state, ev, domain, opts,

opts->sdom->user_search_bases,

sh, attrs, filter,

dp_opt_get_int(opts->basic,

SDAP_SEARCH_TIMEOUT),

SDAP_LOOKUP_SINGLE);

if (!subreq) {

ret = ENOMEM;

goto done;

}

tevent_req_set_callback(subreq, get_user_dn_done, req);

return req;

done:

if (ret == EOK) {

tevent_req_done(req);

} else {

tevent_req_error(req, ret);

}

tevent_req_post(req, ev);

return req;

}

static void get_user_dn_done(struct tevent_req *subreq)

{

errno_t ret;

struct tevent_req *req = tevent_req_callback_data(subreq,

struct tevent_req);

struct get_user_dn_state *state = tevent_req_data(req,

struct get_user_dn_state);

struct ldb_message_element *el;

struct sysdb_attrs **users;

size_t count;

ret = sdap_search_user_recv(state, subreq, NULL, &users, &count);

talloc_zfree(subreq);

if (ret && ret != ENOENT) {

DEBUG(SSSDBG_OP_FAILURE, "Failed to retrieve users\n");

tevent_req_error(req, ret);

return;

}

if (count == 0) {

DEBUG(SSSDBG_OP_FAILURE, "No such user\n");

tevent_req_error(req, ENOMEM);

return;

} else if (count > 1) {

DEBUG(SSSDBG_OP_FAILURE, "Multiple users matched\n");

tevent_req_error(req, EIO);

return;

}

/* exactly one user. Get the originalDN */

ret = sysdb_attrs_get_el_ext(users[0], SYSDB_ORIG_DN, false, &el);

if (ret != EOK) {

DEBUG(SSSDBG_OP_FAILURE,

"originalDN is not available for [%s].\n", state->username);

tevent_req_error(req, ret);

return;

}

state->orig_dn = talloc_strdup(state, (const char *) el->values[0].data);

if (state->orig_dn == NULL) {

tevent_req_error(req, ENOMEM);

return;

}

DEBUG(SSSDBG_TRACE_INTERNAL, "Found originalDN [%s] for [%s]\n",

state->orig_dn, state->username);

tevent_req_done(req);

}

static int get_user_dn_recv(TALLOC_CTX *mem_ctx, struct tevent_req *req,

char **orig_dn)

{

struct get_user_dn_state *state = tevent_req_data(req,

struct get_user_dn_state);

if (orig_dn) {

*orig_dn = talloc_move(mem_ctx, &state->orig_dn);

}

TEVENT_REQ_RETURN_ON_ERROR(req);

return EOK;

}

int get_user_dn(TALLOC_CTX *memctx,

struct sss_domain_info *domain,

struct sdap_options *opts,

const char *username,

char **user_dn,

enum pwexpire *user_pw_expire_type,

void **user_pw_expire_data)

{

TALLOC_CTX *tmpctx;

enum pwexpire pw_expire_type;

void *pw_expire_data;

struct ldb_result *res;

const char **attrs;

const char *dn;

int ret;

tmpctx = talloc_new(memctx);

if (!tmpctx) {

return ENOMEM;

}

attrs = talloc_array(tmpctx, const char *, 11);

if (!attrs) {

ret = ENOMEM;

goto done;

}

attrs[0] = SYSDB_ORIG_DN;

attrs[1] = SYSDB_SHADOWPW_LASTCHANGE;

attrs[2] = SYSDB_SHADOWPW_MIN;

attrs[3] = SYSDB_SHADOWPW_MAX;

attrs[4] = SYSDB_SHADOWPW_WARNING;

attrs[5] = SYSDB_SHADOWPW_INACTIVE;

attrs[6] = SYSDB_SHADOWPW_EXPIRE;

attrs[7] = SYSDB_KRBPW_LASTCHANGE;

attrs[8] = SYSDB_KRBPW_EXPIRATION;

attrs[9] = SYSDB_PWD_ATTRIBUTE;

attrs[10] = NULL;

ret = sysdb_get_user_attr(tmpctx, domain, username, attrs, &res);

if (ret) {

goto done;

}

switch (res->count) {

case 0:

/* No such user entry? Look it up */

ret = EAGAIN;

break;

case 1:

dn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_ORIG_DN, NULL);

if (dn == NULL) {

/* The user entry has no original DN. This is the case when the ID

ret = EAGAIN;

break;

}

dn = talloc_strdup(tmpctx, dn);

if (!dn) {

ret = ENOMEM;

break;

}

ret = find_password_expiration_attributes(tmpctx,

res->msgs[0],

opts->basic,

&pw_expire_type,

&pw_expire_data);

if (ret != EOK) {

DEBUG(SSSDBG_CRIT_FAILURE,

"find_password_expiration_attributes failed.\n");

}

break;

default:

DEBUG(SSSDBG_CRIT_FAILURE,

"User search by name (%s) returned > 1 results!\n",

username);

ret = EFAULT;

break;

}

done:

if (ret == EOK) {

*user_dn = talloc_strdup(memctx, dn);

if (!*user_dn) {

ret = ENOMEM;

}

/* pw_expire_data may be NULL */

*user_pw_expire_data = talloc_steal(memctx, pw_expire_data);

*user_pw_expire_type = pw_expire_type;

}

talloc_zfree(tmpctx);

return ret;

}

struct auth_state {

struct tevent_context *ev;

struct sdap_auth_ctx *ctx;

const char *username;

struct sss_auth_token *authtok;

struct sdap_service *sdap_service;

struct sdap_handle *sh;

char *dn;

enum pwexpire pw_expire_type;

void *pw_expire_data;

struct fo_server *srv;

};

static struct tevent_req *auth_get_server(struct tevent_req *req);

static void auth_get_dn_done(struct tevent_req *subreq);

static void auth_do_bind(struct tevent_req *req);

static void auth_resolve_done(struct tevent_req *subreq);

static void auth_connect_done(struct tevent_req *subreq);

static void auth_bind_user_done(struct tevent_req *subreq);

static struct tevent_req *auth_send(TALLOC_CTX *memctx,

struct tevent_context *ev,

struct sdap_auth_ctx *ctx,

const char *username,

struct sss_auth_token *authtok,

bool try_chpass_service)

{

struct tevent_req *req;

struct auth_state *state;

req = tevent_req_create(memctx, &state, struct auth_state);

if (!req) return NULL;

/* The token must be a password token */

if (sss_authtok_get_type(authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {

tevent_req_error(req, ERR_AUTH_FAILED);

return tevent_req_post(req, ev);

}

state->ev = ev;

state->ctx = ctx;

state->username = username;

state->authtok = authtok;

state->srv = NULL;

if (try_chpass_service && ctx->chpass_service != NULL &&

ctx->chpass_service->name != NULL) {

state->sdap_service = ctx->chpass_service;

} else {

state->sdap_service = ctx->service;

}

if (!auth_get_server(req)) goto fail;

return req;

fail:

talloc_zfree(req);

return NULL;

}

static struct tevent_req *auth_get_server(struct tevent_req *req)

{

struct tevent_req *next_req;

struct auth_state *state = tevent_req_data(req,

struct auth_state);

/* NOTE: this call may cause service->uri to be refreshed

next_req = be_resolve_server_send(state,

state->ev,

state->ctx->be,

state->sdap_service->name,

state->srv == NULL ? true : false);

if (!next_req) {

DEBUG(SSSDBG_CRIT_FAILURE, "be_resolve_server_send failed.\n");

return NULL;

}

tevent_req_set_callback(next_req, auth_resolve_done, req);

return next_req;

}

static void auth_resolve_done(struct tevent_req *subreq)

{

struct tevent_req *req = tevent_req_callback_data(subreq,

struct tevent_req);

struct auth_state *state = tevent_req_data(req,

struct auth_state);

int ret;

bool use_tls;

ret = be_resolve_server_recv(subreq, state, &state->srv);

talloc_zfree(subreq);

if (ret) {

/* all servers have been tried and none

tevent_req_error(req, ETIMEDOUT);

return;

}

/* Determine whether we need to use TLS */

if (sdap_is_secure_uri(state->ctx->service->uri)) {

DEBUG(SSSDBG_TRACE_INTERNAL,

"[%s] is a secure channel. No need to run START_TLS\n",

state->ctx->service->uri);

use_tls = false;

} else {

/* Check for undocumented debugging feature to disable TLS

use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);

if (!use_tls) {

sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "

"insecure connection. This should be done "

"for debugging purposes only.");

}

}

subreq = sdap_connect_send(state, state->ev, state->ctx->opts,

state->sdap_service->uri,

state->sdap_service->sockaddr, use_tls);

if (!subreq) {

tevent_req_error(req, ENOMEM);

return;

}

tevent_req_set_callback(subreq, auth_connect_done, req);

}

static void auth_connect_done(struct tevent_req *subreq)

{

struct tevent_req *req = tevent_req_callback_data(subreq,

struct tevent_req);

struct auth_state *state = tevent_req_data(req,

struct auth_state);

int ret;

ret = sdap_connect_recv(subreq, state, &state->sh);

talloc_zfree(subreq);

if (ret) {

if (state->srv) {

/* mark this server as bad if connection failed */

be_fo_set_port_status(state->ctx->be,

state->sdap_service->name,

state->srv, PORT_NOT_WORKING);

}

if (auth_get_server(req) == NULL) {

tevent_req_error(req, ENOMEM);

}

return;

} else if (state->srv) {

be_fo_set_port_status(state->ctx->be, state->sdap_service->name,

state->srv, PORT_WORKING);

}

/* In case the ID provider is set to proxy, this might be the first

if (state->sh->connected == false) {

ret = sdap_set_connected(state->sh, state->ev);

if (ret) {

DEBUG(SSSDBG_OP_FAILURE, "Cannot set connected status\n");

tevent_req_error(req, ret);

return;

}

}

ret = get_user_dn(state, state->ctx->be->domain,

state->ctx->opts, state->username, &state->dn,

&state->pw_expire_type, &state->pw_expire_data);

if (ret == EOK) {

/* All required user data was pre-cached during an identity lookup.

auth_do_bind(req);

return;

} else if (ret == EAGAIN) {

/* The cached user entry was missing the bind DN. Need to look

subreq = get_user_dn_send(req, state->ev, state->ctx->be->domain,

state->sh, state->ctx->opts, state->username);

if (subreq == NULL) {

tevent_req_error(req, ENOMEM);

return;

}

tevent_req_set_callback(subreq, auth_get_dn_done, req);

return;

}

tevent_req_error(req, ret);

return;

}

static void auth_get_dn_done(struct tevent_req *subreq)

{

struct tevent_req *req = tevent_req_callback_data(subreq,

struct tevent_req);

struct auth_state *state = tevent_req_data(req, struct auth_state);

errno_t ret;

ret = get_user_dn_recv(state, subreq, &state->dn);

talloc_zfree(subreq);

if (ret != EOK) {

tevent_req_error(req, ERR_ACCOUNT_UNKNOWN);

return;

}

/* The DN was found with an LDAP lookup

return auth_do_bind(req);

}

static void auth_do_bind(struct tevent_req *req)

{

struct auth_state *state = tevent_req_data(req, struct auth_state);

struct tevent_req *subreq;

subreq = sdap_auth_send(state, state->ev, state->sh,

NULL, NULL, state->dn,

state->authtok,

dp_opt_get_int(state->ctx->opts->basic,

SDAP_OPT_TIMEOUT));

if (!subreq) {

tevent_req_error(req, ENOMEM);

return;

}

tevent_req_set_callback(subreq, auth_bind_user_done, req);

}

static void auth_bind_user_done(struct tevent_req *subreq)

{

struct tevent_req *req = tevent_req_callback_data(subreq,

struct tevent_req);

struct auth_state *state = tevent_req_data(req,

struct auth_state);

int ret;

struct sdap_ppolicy_data *ppolicy = NULL;

ret = sdap_auth_recv(subreq, state, &ppolicy);

talloc_zfree(subreq);

if (ppolicy != NULL) {

DEBUG(SSSDBG_TRACE_ALL,"Found ppolicy data, "

"assuming LDAP password policies are active.\n");

state->pw_expire_type = PWEXPIRE_LDAP_PASSWORD_POLICY;

state->pw_expire_data = ppolicy;

}

switch (ret) {

case EOK:

break;

case ETIMEDOUT:

case ERR_NETWORK_IO:

if (auth_get_server(req) == NULL) {

tevent_req_error(req, ENOMEM);

}

return;

default:

tevent_req_error(req, ret);

return;

}

tevent_req_done(req);

}

static errno_t auth_recv(struct tevent_req *req, TALLOC_CTX *memctx,

struct sdap_handle **sh, char **dn,

enum pwexpire *pw_expire_type, void **pw_expire_data)

{

struct auth_state *state = tevent_req_data(req, struct auth_state);

if (sh != NULL) {

*sh = talloc_steal(memctx, state->sh);

if (*sh == NULL) return ENOMEM;

}

if (dn != NULL) {

*dn = talloc_steal(memctx, state->dn);

if (*dn == NULL) return ENOMEM;

}

if (pw_expire_data != NULL) {

*pw_expire_data = talloc_steal(memctx, state->pw_expire_data);

}

*pw_expire_type = state->pw_expire_type;

TEVENT_REQ_RETURN_ON_ERROR(req);

return EOK;

}

struct sdap_pam_auth_handler_state {

struct pam_data *pd;

struct be_ctx *be_ctx;

};

static void sdap_pam_auth_handler_done(struct tevent_req *subreq);

struct tevent_req *

sdap_pam_auth_handler_send(TALLOC_CTX *mem_ctx,

struct sdap_auth_ctx *auth_ctx,

struct pam_data *pd,

struct dp_req_params *params)

{

struct sdap_pam_auth_handler_state *state;

struct tevent_req *subreq;

struct tevent_req *req;

req = tevent_req_create(mem_ctx, &state,

struct sdap_pam_auth_handler_state);

if (req == NULL) {

DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");

return NULL;

}

state->pd = pd;

state->be_ctx = params->be_ctx;

pd->pam_status = PAM_SYSTEM_ERR;

switch (pd->cmd) {

case SSS_PAM_AUTHENTICATE:

subreq = auth_send(state, params->ev, auth_ctx,

pd->user, pd->authtok, false);

if (subreq == NULL) {

pd->pam_status = PAM_SYSTEM_ERR;

goto immediately;

}

tevent_req_set_callback(subreq, sdap_pam_auth_handler_done, req);

break;

case SSS_PAM_CHAUTHTOK_PRELIM:

subreq = auth_send(state, params->ev, auth_ctx,

pd->user, pd->authtok, true);

if (subreq == NULL) {

pd->pam_status = PAM_SYSTEM_ERR;

goto immediately;

}

tevent_req_set_callback(subreq, sdap_pam_auth_handler_done, req);

break;

case SSS_PAM_CHAUTHTOK:

pd->pam_status = PAM_SYSTEM_ERR;

goto immediately;

case SSS_PAM_ACCT_MGMT:

case SSS_PAM_SETCRED:

case SSS_PAM_OPEN_SESSION:

case SSS_PAM_CLOSE_SESSION:

pd->pam_status = PAM_SUCCESS;

goto immediately;

default:

pd->pam_status = PAM_MODULE_UNKNOWN;

goto immediately;

}

return req;

immediately:

/* TODO For backward compatibility we always return EOK to DP now. */

tevent_req_done(req);

tevent_req_post(req, params->ev);

return req;

}

static void sdap_pam_auth_handler_done(struct tevent_req *subreq)

{

struct sdap_pam_auth_handler_state *state;

struct tevent_req *req;

enum pwexpire pw_expire_type;

void *pw_expire_data;

const char *password;

errno_t ret;

req = tevent_req_callback_data(subreq, struct tevent_req);

state = tevent_req_data(req, struct sdap_pam_auth_handler_state);

ret = auth_recv(subreq, state, NULL, NULL,

&pw_expire_type, &pw_expire_data);

talloc_free(subreq);

if (ret == EOK) {

ret = check_pwexpire_policy(pw_expire_type, pw_expire_data, state->pd,

state->be_ctx->domain->pwd_expiration_warning);

if (ret == EINVAL) {

/* Unknown password expiration type. */

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

}

switch (ret) {

case EOK:

state->pd->pam_status = PAM_SUCCESS;

break;

case ERR_AUTH_DENIED:

state->pd->pam_status = PAM_PERM_DENIED;

break;

case ERR_AUTH_FAILED:

state->pd->pam_status = PAM_AUTH_ERR;

break;

case ETIMEDOUT:

case ERR_NETWORK_IO:

state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;

be_mark_offline(state->be_ctx);

break;

case ERR_ACCOUNT_EXPIRED:

state->pd->pam_status = PAM_ACCT_EXPIRED;

break;

case ERR_PASSWORD_EXPIRED:

state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;

break;

case ERR_ACCOUNT_LOCKED:

state->pd->account_locked = true;

state->pd->pam_status = PAM_PERM_DENIED;

break;

default:

state->pd->pam_status = PAM_SYSTEM_ERR;

break;

}

if (ret == EOK && state->be_ctx->domain->cache_credentials) {

ret = sss_authtok_get_password(state->pd->authtok, &password, NULL);

if (ret == EOK) {

ret = sysdb_cache_password(state->be_ctx->domain, state->pd->user,

password);

}

/* password caching failures are not fatal errors */

if (ret != EOK) {

DEBUG(SSSDBG_OP_FAILURE, "Failed to cache password for %s\n",

state->pd->user);

} else {

DEBUG(SSSDBG_CONF_SETTINGS, "Password successfully cached for %s\n",

state->pd->user);

}

}

done:

/* TODO For backward compatibility we always return EOK to DP now. */

tevent_req_done(req);

}

sdap_pam_auth_handler_recv(TALLOC_CTX *mem_ctx,

struct tevent_req *req,

struct pam_data **_data)

{

struct sdap_pam_auth_handler_state *state = NULL;

state = tevent_req_data(req, struct sdap_pam_auth_handler_state);

TEVENT_REQ_RETURN_ON_ERROR(req);

*_data = talloc_steal(mem_ctx, state->pd);

return EOK;

}

struct sdap_pam_chpass_handler_state {

struct be_ctx *be_ctx;

struct tevent_context *ev;

struct sdap_auth_ctx *auth_ctx;

struct pam_data *pd;

struct sdap_handle *sh;

char *dn;

};

static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);

static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq);

static void sdap_pam_chpass_handler_last_done(struct tevent_req *subreq);

struct tevent_req *

sdap_pam_chpass_handler_send(TALLOC_CTX *mem_ctx,

struct sdap_auth_ctx *auth_ctx,

struct pam_data *pd,

struct dp_req_params *params)

{

struct sdap_pam_chpass_handler_state *state;

struct tevent_req *subreq;

struct tevent_req *req;

req = tevent_req_create(mem_ctx, &state,

struct sdap_pam_chpass_handler_state);

if (req == NULL) {

DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");

return NULL;

}

state->pd = pd;

state->be_ctx = params->be_ctx;

state->auth_ctx = auth_ctx;

state->ev = params->ev;

if (be_is_offline(state->be_ctx)) {

pd->pam_status = PAM_AUTHINFO_UNAVAIL;

goto immediately;

}

if ((pd->priv == 1) && (pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) &&

(sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) {

DEBUG(SSSDBG_CONF_SETTINGS,

"Password reset by root is not supported.\n");

pd->pam_status = PAM_PERM_DENIED;

goto immediately;

}

DEBUG(SSSDBG_OP_FAILURE,

"starting password change request for user [%s].\n", pd->user);

pd->pam_status = PAM_SYSTEM_ERR;

if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {

DEBUG(SSSDBG_OP_FAILURE,

"chpass target was called by wrong pam command.\n");

goto immediately;

}

subreq = auth_send(state, params->ev, auth_ctx,

pd->user, pd->authtok, true);

if (subreq == NULL) {

pd->pam_status = PAM_SYSTEM_ERR;

goto immediately;

}

tevent_req_set_callback(subreq, sdap_pam_chpass_handler_auth_done, req);

return req;

immediately:

/* TODO For backward compatibility we always return EOK to DP now. */

tevent_req_done(req);

tevent_req_post(req, params->ev);

return req;

}

static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)

{

struct sdap_pam_chpass_handler_state *state;

struct tevent_req *req;

enum pwexpire pw_expire_type;

void *pw_expire_data;

size_t msg_len;

uint8_t *msg;

errno_t ret;

req = tevent_req_callback_data(subreq, struct tevent_req);

state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);

ret = auth_recv(subreq, state, &state->sh, &state->dn,

&pw_expire_type, &pw_expire_data);

talloc_free(subreq);

if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&

state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {

DEBUG(SSSDBG_TRACE_ALL, "Initial authentication for change "

"password operation successful.\n");

state->pd->pam_status = PAM_SUCCESS;

goto done;

}

if (ret == EOK) {

switch (pw_expire_type) {

case PWEXPIRE_SHADOW:

ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);

break;

case PWEXPIRE_KERBEROS:

ret = check_pwexpire_kerberos(pw_expire_data, time(NULL), NULL,

state->be_ctx->domain->pwd_expiration_warning);

if (ret == ERR_PASSWORD_EXPIRED) {

DEBUG(SSSDBG_CRIT_FAILURE, "LDAP provider cannot change "

"kerberos passwords.\n");

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

break;

case PWEXPIRE_LDAP_PASSWORD_POLICY:

case PWEXPIRE_NONE:

break;

default:

DEBUG(SSSDBG_CRIT_FAILURE, "Unknown password expiration type.\n");

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

}

switch (ret) {

case EOK:

case ERR_PASSWORD_EXPIRED:

DEBUG(SSSDBG_TRACE_LIBS,

"user [%s] successfully authenticated.\n", state->dn);

if (pw_expire_type == PWEXPIRE_SHADOW) {

/* TODO: implement async ldap modify request */

DEBUG(SSSDBG_CRIT_FAILURE,

"Changing shadow password attributes not implemented.\n");

state->pd->pam_status = PAM_MODULE_UNKNOWN;

goto done;

} else {

const char *password;

const char *new_password;

int timeout;

ret = sss_authtok_get_password(state->pd->authtok,

&password, NULL);

if (ret) {

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

ret = sss_authtok_get_password(state->pd->newauthtok,

&new_password, NULL);

if (ret) {

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

timeout = dp_opt_get_int(state->auth_ctx->opts->basic,

SDAP_OPT_TIMEOUT);

subreq = sdap_exop_modify_passwd_send(state, state->ev,

state->sh, state->dn,

password, new_password,

timeout);

if (subreq == NULL) {

DEBUG(SSSDBG_OP_FAILURE, "Failed to change password for "

"%s\n", state->pd->user);

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

tevent_req_set_callback(subreq,

sdap_pam_chpass_handler_chpass_done,

req);

return;

}

break;

case ERR_AUTH_DENIED:

case ERR_AUTH_FAILED:

state->pd->pam_status = PAM_AUTH_ERR;

ret = pack_user_info_chpass_error(state->pd, "Old password not "

"accepted.", &msg_len, &msg);

if (ret != EOK) {

DEBUG(SSSDBG_CRIT_FAILURE,

"pack_user_info_chpass_error failed.\n");

} else {

ret = pam_add_response(state->pd, SSS_PAM_USER_INFO,

msg_len, msg);

if (ret != EOK) {

DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");

}

}

break;

case ETIMEDOUT:

case ERR_NETWORK_IO:

state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;

be_mark_offline(state->be_ctx);

break;

default:

state->pd->pam_status = PAM_SYSTEM_ERR;

break;

}

done:

/* TODO For backward compatibility we always return EOK to DP now. */

tevent_req_done(req);

}

static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)

{

struct sdap_pam_chpass_handler_state *state;

struct tevent_req *req;

char *user_error_message = NULL;

char *lastchanged_name;

size_t msg_len;

uint8_t *msg;

errno_t ret;

req = tevent_req_callback_data(subreq, struct tevent_req);

state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);

ret = sdap_exop_modify_passwd_recv(subreq, state, &user_error_message);

talloc_free(subreq);

switch (ret) {

case EOK:

state->pd->pam_status = PAM_SUCCESS;

break;

case ERR_CHPASS_DENIED:

state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;

break;

case ERR_NETWORK_IO:

state->pd->pam_status = PAM_AUTHTOK_ERR;

break;

default:

state->pd->pam_status = PAM_SYSTEM_ERR;

break;

}

if (state->pd->pam_status != PAM_SUCCESS && user_error_message != NULL) {

ret = pack_user_info_chpass_error(state->pd, user_error_message,

&msg_len, &msg);

if (ret != EOK) {

DEBUG(SSSDBG_CRIT_FAILURE, "pack_user_info_chpass_error failed.\n");

} else {

ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len, msg);

if (ret != EOK) {

DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");

}

}

}

if (state->pd->pam_status == PAM_SUCCESS &&

dp_opt_get_bool(state->auth_ctx->opts->basic,

SDAP_CHPASS_UPDATE_LAST_CHANGE)) {

lastchanged_name = state->auth_ctx->opts->user_map[SDAP_AT_SP_LSTCHG].name;

subreq = sdap_modify_shadow_lastchange_send(state, state->ev,

state->sh, state->dn,

lastchanged_name);

if (subreq == NULL) {

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

tevent_req_set_callback(subreq, sdap_pam_chpass_handler_last_done, req);

return;

}

done:

/* TODO For backward compatibility we always return EOK to DP now. */

tevent_req_done(req);

}

static void sdap_pam_chpass_handler_last_done(struct tevent_req *subreq)

{

struct sdap_pam_chpass_handler_state *state;

struct tevent_req *req;

errno_t ret;

req = tevent_req_callback_data(subreq, struct tevent_req);

state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);

ret = sdap_modify_shadow_lastchange_recv(subreq);

talloc_free(subreq);

if (ret != EOK) {

state->pd->pam_status = PAM_SYSTEM_ERR;

goto done;

}

state->pd->pam_status = PAM_SUCCESS;

done:

/* TODO For backward compatibility we always return EOK to DP now. */

tevent_req_done(req);

}

sdap_pam_chpass_handler_recv(TALLOC_CTX *mem_ctx,

struct tevent_req *req,

struct pam_data **_data)

{

struct sdap_pam_chpass_handler_state *state = NULL;

state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);

TEVENT_REQ_RETURN_ON_ERROR(req);

*_data = talloc_steal(mem_ctx, state->pd);

return EOK;

}