ldap_auth.c revision 1c48b5a62f73234ed26bb20f0ab345ab61cda0ab
/*
SSSD
LDAP Backend Module
Authors:
Sumit Bose <sbose@redhat.com>
Copyright (C) 2008 Red Hat
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifdef WITH_MOZLDAP
#define LDAP_OPT_SUCCESS LDAP_SUCCESS
#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
#define LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ((ber_tag_t) 0x81U)
#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
#endif
#define _XOPEN_SOURCE 500 /* for strptime() */
#include <time.h>
#undef _XOPEN_SOURCE
#include <errno.h>
#include <sys/time.h>
#include <strings.h>
#include <shadow.h>
#include <security/pam_modules.h>
#include "util/util.h"
#include "util/user_info_msg.h"
#include "db/sysdb.h"
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_async.h"
enum pwexpire {
PWEXPIRE_NONE = 0,
PWEXPIRE_LDAP_PASSWORD_POLICY,
PWEXPIRE_KERBEROS,
PWEXPIRE_SHADOW
};
static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
enum sdap_result *result)
{
char *end;
struct tm tm = {0, 0, 0, 0, 0, 0, 0, 0, 0};
time_t expire_time;
*result = SDAP_AUTH_FAILED;
end = strptime(expire_date, "%Y%m%d%H%M%SZ", &tm);
if (end == NULL) {
DEBUG(1, ("Kerberos expire date [%s] invalid.\n", expire_date));
return EINVAL;
}
if (*end != '\0') {
DEBUG(1, ("Kerberos expire date [%s] contains extra characters.\n",
expire_date));
return EINVAL;
}
expire_time = mktime(&tm);
if (expire_time == -1) {
DEBUG(1, ("mktime failed to convert [%s].\n", expire_date));
return EINVAL;
}
tzset();
expire_time -= timezone;
DEBUG(9, ("Time info: tzname[0] [%s] tzname[1] [%s] timezone [%d] "
"daylight [%d] now [%d] expire_time [%d].\n", tzname[0],
tzname[1], timezone, daylight, now, expire_time));
if (difftime(now, expire_time) > 0.0) {
DEBUG(4, ("Kerberos password expired.\n"));
*result = SDAP_AUTH_PW_EXPIRED;
} else {
*result = SDAP_AUTH_SUCCESS;
}
return EOK;
}
static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
enum sdap_result *result)
{
long today;
long password_age;
if (spwd->sp_lstchg <= 0) {
DEBUG(4, ("Last change day is not set, new password needed.\n"));
*result = SDAP_AUTH_PW_EXPIRED;
return EOK;
}
today = (long) (now / (60 * 60 *24));
password_age = today - spwd->sp_lstchg;
if (password_age < 0) {
DEBUG(2, ("The last password change time is in the future!.\n"));
*result = SDAP_AUTH_SUCCESS;
return EOK;
}
if ((spwd->sp_expire != -1 && today > spwd->sp_expire) ||
(spwd->sp_max != -1 && spwd->sp_inact != -1 &&
password_age > spwd->sp_max + spwd->sp_inact))
{
DEBUG(4, ("Account expired.\n"));
*result = SDAP_ACCT_EXPIRED;
return EOK;
}
if (spwd->sp_max != -1 && password_age > spwd->sp_max) {
DEBUG(4, ("Password expired.\n"));
*result = SDAP_AUTH_PW_EXPIRED;
return EOK;
}
/* TODO: evaluate spwd->min and spwd->warn */
*result = SDAP_AUTH_SUCCESS;
return EOK;
}
static errno_t string_to_shadowpw_days(const char *s, long *d)
{
long l;
char *endptr;
if (s == NULL || *s == '\0') {
*d = -1;
return EOK;
}
errno = 0;
l = strtol(s, &endptr, 10);
if (errno != 0) {
DEBUG(1, ("strtol failed [%d][%s].\n", errno, strerror(errno)));
return errno;
}
if (*endptr != '\0') {
DEBUG(1, ("Input string [%s] is invalid.\n", s));
return EINVAL;
}
if (*d < -1) {
DEBUG(1, ("Input string contains not allowed negative value [%d].\n",
*d));
return EINVAL;
}
*d = l;
return EOK;
}
static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
const struct ldb_message *msg,
struct dp_option *opts,
enum pwexpire *type, void **data)
{
const char *mark;
const char *val;
struct spwd *spwd;
const char *pwd_policy;
int ret;
*type = PWEXPIRE_NONE;
*data = NULL;
pwd_policy = dp_opt_get_string(opts, SDAP_PWD_POLICY);
if (pwd_policy == NULL) {
DEBUG(1, ("Missing password policy.\n"));
return EINVAL;
}
mark = ldb_msg_find_attr_as_string(msg, SYSDB_PWD_ATTRIBUTE, NULL);
if (mark != NULL) {
DEBUG(9, ("Found pwdAttribute, "
"assuming LDAP password policies are active.\n"));
*type = PWEXPIRE_LDAP_PASSWORD_POLICY;
return EOK;
}
if (strcasecmp(pwd_policy, PWD_POL_OPT_NONE) == 0) {
DEBUG(9, ("No password policy requested.\n"));
return EOK;
} else if (strcasecmp(pwd_policy, PWD_POL_OPT_MIT) == 0) {
mark = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_LASTCHANGE, NULL);
if (mark != NULL) {
DEBUG(9, ("Found Kerberos password expiration attributes.\n"))
val = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_EXPIRATION,
NULL);
if (val != NULL) {
*data = talloc_strdup(mem_ctx, val);
if (*data == NULL) {
DEBUG(1, ("talloc_strdup failed.\n"));
return ENOMEM;
}
*type = PWEXPIRE_KERBEROS;
return EOK;
}
} else {
DEBUG(1, ("No Kerberos password expiration attributes found, "
"but MIT Kerberos password policy was requested.\n"));
return EINVAL;
}
} else if (strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) == 0) {
mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
if (mark != NULL) {
DEBUG(9, ("Found shadow password expiration attributes.\n"))
spwd = talloc_zero(mem_ctx, struct spwd);
if (spwd == NULL) {
DEBUG(1, ("talloc failed.\n"));
return ENOMEM;
}
val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
ret = string_to_shadowpw_days(val, &spwd->sp_lstchg);
if (ret != EOK) goto shadow_fail;
val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MIN, NULL);
ret = string_to_shadowpw_days(val, &spwd->sp_min);
if (ret != EOK) goto shadow_fail;
val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MAX, NULL);
ret = string_to_shadowpw_days(val, &spwd->sp_max);
if (ret != EOK) goto shadow_fail;
val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_WARNING, NULL);
ret = string_to_shadowpw_days(val, &spwd->sp_warn);
if (ret != EOK) goto shadow_fail;
val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_INACTIVE, NULL);
ret = string_to_shadowpw_days(val, &spwd->sp_inact);
if (ret != EOK) goto shadow_fail;
val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_EXPIRE, NULL);
ret = string_to_shadowpw_days(val, &spwd->sp_expire);
if (ret != EOK) goto shadow_fail;
*data = spwd;
*type = PWEXPIRE_SHADOW;
return EOK;
} else {
DEBUG(1, ("No shadow password attributes found, "
"but shadow password policy was requested.\n"));
return EINVAL;
}
}
DEBUG(9, ("No password expiration attributes found.\n"));
return EOK;
shadow_fail:
talloc_free(spwd);
return ret;
}
/* ==Get-User-DN========================================================== */
struct get_user_dn_state {
struct tevent_context *ev;
struct sdap_auth_ctx *ctx;
struct sdap_handle *sh;
const char **attrs;
const char *name;
char *dn;
enum pwexpire pw_expire_type;
void *pw_expire_data;
};
static void get_user_dn_done(void *pvt, int err, struct ldb_result *res);
struct tevent_req *get_user_dn_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
struct sdap_auth_ctx *ctx,
struct sdap_handle *sh,
const char *username)
{
struct tevent_req *req;
struct get_user_dn_state *state;
int ret;
req = tevent_req_create(memctx, &state, struct get_user_dn_state);
if (!req) return NULL;
state->ev = ev;
state->ctx = ctx;
state->sh = sh;
state->name = username;
state->attrs = talloc_array(state, const char *, 11);
if (!state->attrs) {
talloc_zfree(req);
return NULL;
}
state->attrs[0] = SYSDB_ORIG_DN;
state->attrs[1] = SYSDB_SHADOWPW_LASTCHANGE;
state->attrs[2] = SYSDB_SHADOWPW_MIN;
state->attrs[3] = SYSDB_SHADOWPW_MAX;
state->attrs[4] = SYSDB_SHADOWPW_WARNING;
state->attrs[5] = SYSDB_SHADOWPW_INACTIVE;
state->attrs[6] = SYSDB_SHADOWPW_EXPIRE;
state->attrs[7] = SYSDB_KRBPW_LASTCHANGE;
state->attrs[8] = SYSDB_KRBPW_EXPIRATION;
state->attrs[9] = SYSDB_PWD_ATTRIBUTE;
state->attrs[10] = NULL;
/* this sysdb call uses a sysdn operation, which means it will be
* schedule only after we return, no timer hack needed */
ret = sysdb_get_user_attr(state, state->ctx->be->sysdb,
state->ctx->be->domain, state->name,
state->attrs, get_user_dn_done, req);
if (ret) {
tevent_req_error(req, ret);
tevent_req_post(req, ev);
}
return req;
}
static void get_user_dn_done(void *pvt, int err, struct ldb_result *res)
{
struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
struct get_user_dn_state *state = tevent_req_data(req,
struct get_user_dn_state);
const char *dn;
int ret;
if (err != LDB_SUCCESS) {
tevent_req_error(req, EIO);
return;
}
switch (res->count) {
case 0:
/* FIXME: not in cache, needs a true search */
tevent_req_error(req, ENOENT);
break;
case 1:
dn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_ORIG_DN, NULL);
if (!dn) {
/* TODO: try to search ldap server ? */
/* FIXME: remove once we store originalDN on every call
* NOTE: this is wrong, works only with some DITs */
dn = talloc_asprintf(state, "%s=%s,%s",
state->ctx->opts->user_map[SDAP_AT_USER_NAME].name,
state->name,
dp_opt_get_string(state->ctx->opts->basic,
SDAP_USER_SEARCH_BASE));
if (!dn) {
tevent_req_error(req, ENOMEM);
break;
}
}
state->dn = talloc_strdup(state, dn);
if (!state->dn) {
tevent_req_error(req, ENOMEM);
break;
}
ret = find_password_expiration_attributes(state, res->msgs[0],
state->ctx->opts->basic,
&state->pw_expire_type,
&state->pw_expire_data);
if (ret != EOK) {
DEBUG(1, ("find_password_expiration_attributes failed.\n"));
tevent_req_error(req, ENOMEM);
break;
}
tevent_req_done(req);
break;
default:
DEBUG(1, ("A user search by name (%s) returned > 1 results!\n",
state->name));
tevent_req_error(req, EFAULT);
break;
}
}
static int get_user_dn_recv(struct tevent_req *req,
TALLOC_CTX *memctx, char **dn,
enum pwexpire *pw_expire_type,
void **pw_expire_data)
{
struct get_user_dn_state *state = tevent_req_data(req,
struct get_user_dn_state);
TEVENT_REQ_RETURN_ON_ERROR(req);
*dn = talloc_steal(memctx, state->dn);
if (!*dn) return ENOMEM;
/* state->pw_expire_data may be NULL */
*pw_expire_data = talloc_steal(memctx, state->pw_expire_data);
*pw_expire_type = state->pw_expire_type;
return EOK;
}
/* ==Authenticate-User==================================================== */
struct auth_state {
struct tevent_context *ev;
struct sdap_auth_ctx *ctx;
const char *username;
struct dp_opt_blob password;
struct sdap_handle *sh;
enum sdap_result result;
char *dn;
enum pwexpire pw_expire_type;
void *pw_expire_data;
struct fo_server *srv;
};
static void auth_resolve_done(struct tevent_req *subreq);
static void auth_connect_done(struct tevent_req *subreq);
static void auth_get_user_dn_done(struct tevent_req *subreq);
static void auth_bind_user_done(struct tevent_req *subreq);
static struct tevent_req *auth_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
struct sdap_auth_ctx *ctx,
const char *username,
struct dp_opt_blob password)
{
struct tevent_req *req, *subreq;
struct auth_state *state;
req = tevent_req_create(memctx, &state, struct auth_state);
if (!req) return NULL;
state->ev = ev;
state->ctx = ctx;
state->username = username;
state->password = password;
state->srv = NULL;
subreq = be_resolve_server_send(state, ev, ctx->be, ctx->service->name);
if (!subreq) goto fail;
tevent_req_set_callback(subreq, auth_resolve_done, req);
return req;
fail:
talloc_zfree(req);
return NULL;
}
static void auth_resolve_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(subreq,
struct tevent_req);
struct auth_state *state = tevent_req_data(req,
struct auth_state);
int ret;
ret = be_resolve_server_recv(subreq, &state->srv);
talloc_zfree(subreq);
if (ret) {
tevent_req_error(req, ret);
return;
}
subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
state->ctx->service->uri, true);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
}
tevent_req_set_callback(subreq, auth_connect_done, req);
}
static void auth_connect_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(subreq,
struct tevent_req);
struct auth_state *state = tevent_req_data(req,
struct auth_state);
int ret;
ret = sdap_connect_recv(subreq, state, &state->sh);
talloc_zfree(subreq);
if (ret) {
if (state->srv) {
/* mark this server as bad if connection failed */
fo_set_port_status(state->srv, PORT_NOT_WORKING);
}
tevent_req_error(req, ret);
return;
} else if (state->srv) {
fo_set_port_status(state->srv, PORT_WORKING);
}
subreq = get_user_dn_send(state, state->ev,
state->ctx, state->sh,
state->username);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
}
tevent_req_set_callback(subreq, auth_get_user_dn_done, req);
}
static void auth_get_user_dn_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(subreq,
struct tevent_req);
struct auth_state *state = tevent_req_data(req,
struct auth_state);
int ret;
ret = get_user_dn_recv(subreq, state, &state->dn, &state->pw_expire_type,
&state->pw_expire_data);
talloc_zfree(subreq);
if (ret) {
tevent_req_error(req, ret);
return;
}
subreq = sdap_auth_send(state, state->ev, state->sh,
NULL, NULL, state->dn,
"password", state->password);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
}
tevent_req_set_callback(subreq, auth_bind_user_done, req);
}
static void auth_bind_user_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(subreq,
struct tevent_req);
struct auth_state *state = tevent_req_data(req,
struct auth_state);
int ret;
ret = sdap_auth_recv(subreq, &state->result);
talloc_zfree(subreq);
if (ret) {
tevent_req_error(req, ret);
return;
}
tevent_req_done(req);
}
int auth_recv(struct tevent_req *req,
TALLOC_CTX *memctx,
struct sdap_handle **sh,
enum sdap_result *result, char **dn,
enum pwexpire *pw_expire_type, void **pw_expire_data)
{
struct auth_state *state = tevent_req_data(req, struct auth_state);
enum tevent_req_state tstate;
uint64_t err;
if (tevent_req_is_error(req, &tstate, &err)) {
switch (tstate) {
case TEVENT_REQ_USER_ERROR:
if (err == ETIMEDOUT) *result = SDAP_UNAVAIL;
else *result = SDAP_ERROR;
return err;
default:
*result = SDAP_ERROR;
return EIO;
}
}
if (sh != NULL) {
*sh = talloc_steal(memctx, state->sh);
if (*sh == NULL) return ENOMEM;
}
if (dn != NULL) {
*dn = talloc_steal(memctx, state->dn);
if (*dn == NULL) return ENOMEM;
}
if (pw_expire_data != NULL) {
*pw_expire_data = talloc_steal(memctx, state->pw_expire_data);
}
*pw_expire_type = state->pw_expire_type;
*result = state->result;
return EOK;
}
/* ==Perform-Password-Change===================== */
struct sdap_pam_chpass_state {
struct be_req *breq;
struct pam_data *pd;
const char *username;
char *dn;
char *password;
char *new_password;
struct sdap_handle *sh;
};
static void sdap_auth4chpass_done(struct tevent_req *req);
static void sdap_pam_chpass_done(struct tevent_req *req);
static void sdap_pam_auth_reply(struct be_req *breq, int dp_err, int result);
void sdap_pam_chpass_handler(struct be_req *breq)
{
struct sdap_pam_chpass_state *state;
struct sdap_auth_ctx *ctx;
struct tevent_req *subreq;
struct pam_data *pd;
struct dp_opt_blob authtok;
int dp_err = DP_ERR_FATAL;
ctx = talloc_get_type(breq->be_ctx->bet_info[BET_CHPASS].pvt_bet_data,
struct sdap_auth_ctx);
pd = talloc_get_type(breq->req_data, struct pam_data);
if (be_is_offline(ctx->be)) {
DEBUG(4, ("Backend is marked offline, retry later!\n"));
pd->pam_status = PAM_AUTHINFO_UNAVAIL;
dp_err = DP_ERR_OFFLINE;
goto done;
}
DEBUG(2, ("starting password change request for user [%s].\n", pd->user));
pd->pam_status = PAM_SYSTEM_ERR;
if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {
DEBUG(2, ("chpass target was called by wrong pam command.\n"));
goto done;
}
state = talloc_zero(breq, struct sdap_pam_chpass_state);
if (!state) goto done;
state->breq = breq;
state->pd = pd;
state->username = pd->user;
state->password = talloc_strndup(state,
(char *)pd->authtok, pd->authtok_size);
if (!state->password) goto done;
talloc_set_destructor((TALLOC_CTX *)state->password,
password_destructor);
if (pd->cmd == SSS_PAM_CHAUTHTOK) {
state->new_password = talloc_strndup(state,
(char *)pd->newauthtok,
pd->newauthtok_size);
if (!state->new_password) goto done;
talloc_set_destructor((TALLOC_CTX *)state->new_password,
password_destructor);
}
authtok.data = (uint8_t *)state->password;
authtok.length = strlen(state->password);
subreq = auth_send(breq, breq->be_ctx->ev,
ctx, state->username, authtok);
if (!subreq) goto done;
tevent_req_set_callback(subreq, sdap_auth4chpass_done, state);
return;
done:
sdap_pam_auth_reply(breq, dp_err, pd->pam_status);
}
static void sdap_auth4chpass_done(struct tevent_req *req)
{
struct sdap_pam_chpass_state *state =
tevent_req_callback_data(req, struct sdap_pam_chpass_state);
struct tevent_req *subreq;
enum sdap_result result;
enum pwexpire pw_expire_type;
void *pw_expire_data;
int dp_err = DP_ERR_FATAL;
int ret;
ret = auth_recv(req, state, &state->sh,
&result, &state->dn,
&pw_expire_type, &pw_expire_data);
talloc_zfree(req);
if (ret) {
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
if (result == SDAP_AUTH_SUCCESS &&
state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
DEBUG(9, ("Initial authentication for change password operation "
"successful.\n"));
state->pd->pam_status = PAM_SUCCESS;
goto done;
}
if (result == SDAP_AUTH_SUCCESS) {
switch (pw_expire_type) {
case PWEXPIRE_SHADOW:
ret = check_pwexpire_shadow(pw_expire_data, time(NULL),
&result);
if (ret != EOK) {
DEBUG(1, ("check_pwexpire_shadow failed.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
break;
case PWEXPIRE_KERBEROS:
ret = check_pwexpire_kerberos(pw_expire_data, time(NULL),
&result);
if (ret != EOK) {
DEBUG(1, ("check_pwexpire_kerberos failed.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
if (result == SDAP_AUTH_PW_EXPIRED) {
DEBUG(1, ("LDAP provider cannot change kerberos "
"passwords.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
break;
case PWEXPIRE_LDAP_PASSWORD_POLICY:
case PWEXPIRE_NONE:
break;
default:
DEBUG(1, ("Unknow pasword expiration type.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
}
switch (result) {
case SDAP_AUTH_SUCCESS:
case SDAP_AUTH_PW_EXPIRED:
DEBUG(7, ("user [%s] successfully authenticated.\n", state->dn));
if (pw_expire_type == PWEXPIRE_SHADOW) {
/* TODO: implement async ldap modify request */
DEBUG(1, ("Changing shadow password attributes not implemented.\n"));
state->pd->pam_status = PAM_MODULE_UNKNOWN;
goto done;
} else {
subreq = sdap_exop_modify_passwd_send(state,
state->breq->be_ctx->ev,
state->sh,
state->dn,
state->password,
state->new_password);
if (!subreq) {
DEBUG(2, ("Failed to change password for %s\n", state->username));
goto done;
}
tevent_req_set_callback(subreq, sdap_pam_chpass_done, state);
return;
}
break;
case SDAP_AUTH_FAILED:
state->pd->pam_status = PAM_AUTH_ERR;
break;
default:
state->pd->pam_status = PAM_SYSTEM_ERR;
}
done:
sdap_pam_auth_reply(state->breq, dp_err, state->pd->pam_status);
}
static void sdap_pam_chpass_done(struct tevent_req *req)
{
struct sdap_pam_chpass_state *state =
tevent_req_callback_data(req, struct sdap_pam_chpass_state);
enum sdap_result result;
int dp_err = DP_ERR_FATAL;
int ret;
char *user_error_message = NULL;
size_t msg_len;
uint8_t *msg;
ret = sdap_exop_modify_passwd_recv(req, state, &result, &user_error_message);
talloc_zfree(req);
if (ret) {
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
switch (result) {
case SDAP_SUCCESS:
state->pd->pam_status = PAM_SUCCESS;
dp_err = DP_ERR_OK;
break;
default:
state->pd->pam_status = PAM_AUTHTOK_ERR;
if (user_error_message != NULL) {
ret = pack_user_info_chpass_error(state->pd, user_error_message,
&msg_len, &msg);
if (ret != EOK) {
DEBUG(1, ("pack_user_info_chpass_error failed.\n"));
} else {
ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len,
msg);
if (ret != EOK) {
DEBUG(1, ("pam_add_response failed.\n"));
}
}
}
}
done:
sdap_pam_auth_reply(state->breq, dp_err, state->pd->pam_status);
}
/* ==Perform-User-Authentication-and-Password-Caching===================== */
struct sdap_pam_auth_state {
struct be_req *breq;
struct pam_data *pd;
const char *username;
struct dp_opt_blob password;
};
static void sdap_pam_auth_done(struct tevent_req *req);
static void sdap_password_cache_done(struct tevent_req *req);
void sdap_pam_auth_handler(struct be_req *breq)
{
struct sdap_pam_auth_state *state;
struct sdap_auth_ctx *ctx;
struct tevent_req *subreq;
struct pam_data *pd;
int dp_err = DP_ERR_FATAL;
ctx = talloc_get_type(breq->be_ctx->bet_info[BET_AUTH].pvt_bet_data,
struct sdap_auth_ctx);
pd = talloc_get_type(breq->req_data, struct pam_data);
if (be_is_offline(ctx->be)) {
DEBUG(4, ("Backend is marked offline, retry later!\n"));
pd->pam_status = PAM_AUTHINFO_UNAVAIL;
dp_err = DP_ERR_OFFLINE;
goto done;
}
pd->pam_status = PAM_SYSTEM_ERR;
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK_PRELIM:
state = talloc_zero(breq, struct sdap_pam_auth_state);
if (!state) goto done;
state->breq = breq;
state->pd = pd;
state->username = pd->user;
state->password.data = pd->authtok;
state->password.length = pd->authtok_size;
subreq = auth_send(breq, breq->be_ctx->ev, ctx,
state->username, state->password);
if (!subreq) goto done;
tevent_req_set_callback(subreq, sdap_pam_auth_done, state);
return;
case SSS_PAM_CHAUTHTOK:
break;
case SSS_PAM_ACCT_MGMT:
case SSS_PAM_SETCRED:
case SSS_PAM_OPEN_SESSION:
case SSS_PAM_CLOSE_SESSION:
pd->pam_status = PAM_SUCCESS;
dp_err = DP_ERR_OK;
break;
default:
pd->pam_status = PAM_MODULE_UNKNOWN;
dp_err = DP_ERR_OK;
}
done:
sdap_pam_auth_reply(breq, dp_err, pd->pam_status);
}
static void sdap_pam_auth_done(struct tevent_req *req)
{
struct sdap_pam_auth_state *state =
tevent_req_callback_data(req, struct sdap_pam_auth_state);
struct tevent_req *subreq;
enum sdap_result result;
enum pwexpire pw_expire_type;
void *pw_expire_data;
int dp_err = DP_ERR_OK;
int ret;
ret = auth_recv(req, state, NULL,
&result, NULL,
&pw_expire_type, &pw_expire_data);
talloc_zfree(req);
if (ret) {
state->pd->pam_status = PAM_SYSTEM_ERR;
dp_err = DP_ERR_FATAL;
goto done;
}
if (result == SDAP_AUTH_SUCCESS) {
switch (pw_expire_type) {
case PWEXPIRE_SHADOW:
ret = check_pwexpire_shadow(pw_expire_data, time(NULL),
&result);
if (ret != EOK) {
DEBUG(1, ("check_pwexpire_shadow failed.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
break;
case PWEXPIRE_KERBEROS:
ret = check_pwexpire_kerberos(pw_expire_data, time(NULL),
&result);
if (ret != EOK) {
DEBUG(1, ("check_pwexpire_kerberos failed.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
break;
case PWEXPIRE_LDAP_PASSWORD_POLICY:
case PWEXPIRE_NONE:
break;
default:
DEBUG(1, ("Unknow pasword expiration type.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
}
switch (result) {
case SDAP_AUTH_SUCCESS:
state->pd->pam_status = PAM_SUCCESS;
break;
case SDAP_AUTH_FAILED:
state->pd->pam_status = PAM_PERM_DENIED;
break;
case SDAP_UNAVAIL:
state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
break;
case SDAP_ACCT_EXPIRED:
state->pd->pam_status = PAM_ACCT_EXPIRED;
break;
case SDAP_AUTH_PW_EXPIRED:
state->pd->pam_status = PAM_AUTHTOK_EXPIRED;
break;
default:
state->pd->pam_status = PAM_SYSTEM_ERR;
dp_err = DP_ERR_FATAL;
}
if (result == SDAP_UNAVAIL) {
be_mark_offline(state->breq->be_ctx);
dp_err = DP_ERR_OFFLINE;
goto done;
}
if (result == SDAP_AUTH_SUCCESS &&
state->breq->be_ctx->domain->cache_credentials) {
char *password = talloc_strndup(state, (char *)
state->password.data,
state->password.length);
/* password caching failures are not fatal errors */
if (!password) {
DEBUG(2, ("Failed to cache password for %s\n", state->username));
goto done;
}
talloc_set_destructor((TALLOC_CTX *)password, password_destructor);
subreq = sysdb_cache_password_send(state,
state->breq->be_ctx->ev,
state->breq->be_ctx->sysdb,
NULL,
state->breq->be_ctx->domain,
state->username, password);
/* password caching failures are not fatal errors */
if (!subreq) {
DEBUG(2, ("Failed to cache password for %s\n", state->username));
goto done;
}
tevent_req_set_callback(subreq, sdap_password_cache_done, state);
return;
}
done:
sdap_pam_auth_reply(state->breq, dp_err, state->pd->pam_status);
}
static void sdap_password_cache_done(struct tevent_req *subreq)
{
struct sdap_pam_auth_state *state = tevent_req_callback_data(subreq,
struct sdap_pam_auth_state);
int ret;
ret = sysdb_cache_password_recv(subreq);
talloc_zfree(subreq);
if (ret) {
/* password caching failures are not fatal errors */
DEBUG(2, ("Failed to cache password for %s\n", state->username));
} else {
DEBUG(4, ("Password successfully cached for %s\n", state->username));
}
sdap_pam_auth_reply(state->breq, DP_ERR_OK, state->pd->pam_status);
}
static void sdap_pam_auth_reply(struct be_req *req, int dp_err, int result)
{
req->fn(req, dp_err, result, NULL);
}