summaryrefslogtreecommitdiff
path: root/nslcd/pam.c
diff options
context:
space:
mode:
Diffstat (limited to 'nslcd/pam.c')
-rw-r--r--nslcd/pam.c641
1 files changed, 328 insertions, 313 deletions
diff --git a/nslcd/pam.c b/nslcd/pam.c
index e88282c..1750d4c 100644
--- a/nslcd/pam.c
+++ b/nslcd/pam.c
@@ -41,7 +41,7 @@
/* set up a connection and try to bind with the specified DN and password,
returns an LDAP result code */
-static int try_bind(const char *userdn,const char *password)
+static int try_bind(const char *userdn, const char *password)
{
MYLDAP_SESSION *session;
MYLDAP_SEARCH *search;
@@ -49,29 +49,30 @@ static int try_bind(const char *userdn,const char *password)
static const char *attrs[2];
int rc;
/* set up a new connection */
- session=myldap_create_session();
- if (session==NULL)
+ session = myldap_create_session();
+ if (session == NULL)
return LDAP_UNAVAILABLE;
/* set up credentials for the session */
- myldap_set_credentials(session,userdn,password);
+ myldap_set_credentials(session, userdn, password);
/* perform search for own object (just to do any kind of search) */
- attrs[0]="dn";
- attrs[1]=NULL;
- search=myldap_search(session,userdn,LDAP_SCOPE_BASE,"(objectClass=*)",attrs,&rc);
- if ((search==NULL)||(rc!=LDAP_SUCCESS))
+ attrs[0] = "dn";
+ attrs[1] = NULL;
+ search = myldap_search(session, userdn, LDAP_SCOPE_BASE,
+ "(objectClass=*)", attrs, &rc);
+ if ((search == NULL) || (rc != LDAP_SUCCESS))
{
- if (rc==LDAP_SUCCESS)
- rc=LDAP_LOCAL_ERROR;
- log_log(LOG_WARNING,"%s: lookup failed: %s",userdn,ldap_err2string(rc));
+ if (rc == LDAP_SUCCESS)
+ rc = LDAP_LOCAL_ERROR;
+ log_log(LOG_WARNING, "%s: lookup failed: %s", userdn, ldap_err2string(rc));
}
else
{
- entry=myldap_get_entry(search,&rc);
- if ((entry==NULL)||(rc!=LDAP_SUCCESS))
+ entry = myldap_get_entry(search, &rc);
+ if ((entry == NULL) || (rc != LDAP_SUCCESS))
{
- if (rc==LDAP_SUCCESS)
- rc=LDAP_NO_RESULTS_RETURNED;
- log_log(LOG_WARNING,"%s: lookup failed: %s",userdn,ldap_err2string(rc));
+ if (rc == LDAP_SUCCESS)
+ rc = LDAP_NO_RESULTS_RETURNED;
+ log_log(LOG_WARNING, "%s: lookup failed: %s", userdn, ldap_err2string(rc));
}
}
/* close the session */
@@ -83,87 +84,90 @@ static int try_bind(const char *userdn,const char *password)
/* ensure that both userdn and username are filled in from the entry,
returns an LDAP result code */
static MYLDAP_ENTRY *validate_user(MYLDAP_SESSION *session,
- char *username,int *rcp)
+ char *username, int *rcp)
{
int rc;
- MYLDAP_ENTRY *entry=NULL;
+ MYLDAP_ENTRY *entry = NULL;
/* check username for validity */
if (!isvalidname(username))
{
- log_log(LOG_WARNING,"request denied by validnames option");
- *rcp=LDAP_NO_SUCH_OBJECT;
+ log_log(LOG_WARNING, "request denied by validnames option");
+ *rcp = LDAP_NO_SUCH_OBJECT;
return NULL;
}
/* get the user entry based on the username */
- entry=uid2entry(session,username,&rc);
- if (entry==NULL)
+ entry = uid2entry(session, username, &rc);
+ if (entry == NULL)
{
- if (rc==LDAP_SUCCESS)
- rc=LDAP_NO_SUCH_OBJECT;
- log_log(LOG_DEBUG,"\"%s\": user not found: %s",username,ldap_err2string(rc));
- *rcp=rc;
+ if (rc == LDAP_SUCCESS)
+ rc = LDAP_NO_SUCH_OBJECT;
+ log_log(LOG_DEBUG, "\"%s\": user not found: %s", username, ldap_err2string(rc));
+ *rcp = rc;
}
return entry;
}
/* update the username value from the entry if needed */
-static void update_username(MYLDAP_ENTRY *entry,char *username,size_t username_len)
+static void update_username(MYLDAP_ENTRY *entry, char *username,
+ size_t username_len)
{
const char **values;
const char *value;
/* get the "real" username */
- value=myldap_get_rdn_value(entry,attmap_passwd_uid);
- if (value==NULL)
+ value = myldap_get_rdn_value(entry, attmap_passwd_uid);
+ if (value == NULL)
{
/* get the username from the uid attribute */
- values=myldap_get_values(entry,attmap_passwd_uid);
- if ((values==NULL)||(values[0]==NULL))
+ values = myldap_get_values(entry, attmap_passwd_uid);
+ if ((values == NULL) || (values[0] == NULL))
{
- log_log(LOG_WARNING,"%s: %s: missing",
- myldap_get_dn(entry),attmap_passwd_uid);
+ log_log(LOG_WARNING, "%s: %s: missing",
+ myldap_get_dn(entry), attmap_passwd_uid);
return;
}
- value=values[0];
+ value = values[0];
}
/* check the username */
- if ((value==NULL)||!isvalidname(value)||strlen(value)>=username_len)
+ if ((value == NULL) || !isvalidname(value) || strlen(value) >= username_len)
{
- log_log(LOG_WARNING,"%s: %s: denied by validnames option",
- myldap_get_dn(entry),attmap_passwd_uid);
+ log_log(LOG_WARNING, "%s: %s: denied by validnames option",
+ myldap_get_dn(entry), attmap_passwd_uid);
return;
}
/* check if the username is different and update it if needed */
- if (strcmp(username,value)!=0)
+ if (strcmp(username, value) != 0)
{
- log_log(LOG_INFO,"username changed from \"%s\" to \"%s\"",username,value);
- strcpy(username,value);
+ log_log(LOG_INFO, "username changed from \"%s\" to \"%s\"",
+ username, value);
+ strcpy(username, value);
}
}
-static int check_shadow(MYLDAP_SESSION *session,const char *username,
- char *authzmsg,size_t authzmsgsz,
- int check_maxdays,int check_mindays)
+static int check_shadow(MYLDAP_SESSION *session, const char *username,
+ char *authzmsg, size_t authzmsgsz,
+ int check_maxdays, int check_mindays)
{
- MYLDAP_ENTRY *entry=NULL;
- long today,lastchangedate,mindays,maxdays,warndays,inactdays,expiredate;
+ MYLDAP_ENTRY *entry = NULL;
+ long today, lastchangedate, mindays, maxdays, warndays, inactdays, expiredate;
unsigned long flag;
- long daysleft,inactleft;
+ long daysleft, inactleft;
/* get the shadow entry */
- entry=shadow_uid2entry(session,username,NULL);
- if (entry==NULL)
+ entry = shadow_uid2entry(session, username, NULL);
+ if (entry == NULL)
return NSLCD_PAM_SUCCESS; /* no shadow entry found, nothing to check */
/* get today's date */
- today=(long)(time(NULL)/(60*60*24));
+ today = (long)(time(NULL) / (60 * 60 * 24));
/* get shadown information */
- get_shadow_properties(entry,&lastchangedate,&mindays,&maxdays,&warndays,
- &inactdays,&expiredate,&flag);
+ get_shadow_properties(entry, &lastchangedate, &mindays, &maxdays, &warndays,
+ &inactdays, &expiredate, &flag);
/* check account expiry date */
- if ((expiredate!=-1)&&(today>=expiredate))
+ if ((expiredate != -1) && (today >= expiredate))
{
- daysleft=today-expiredate;
- mysnprintf(authzmsg,authzmsgsz-1,"account expired %ld days ago",daysleft);
- log_log(LOG_WARNING,"%s: %s: %s",
- myldap_get_dn(entry),attmap_shadow_shadowExpire,authzmsg);
+ daysleft = today - expiredate;
+ mysnprintf(authzmsg, authzmsgsz - 1, "account expired %ld days ago",
+ daysleft);
+ log_log(LOG_WARNING, "%s: %s: %s",
+ myldap_get_dn(entry), attmap_shadow_shadowExpire, authzmsg);
return NSLCD_PAM_ACCT_EXPIRED;
}
/* password expiration isn't interesting at this point because the user
@@ -172,67 +176,70 @@ static int check_shadow(MYLDAP_SESSION *session,const char *username,
if (check_maxdays)
{
/* check lastchanged */
- if (lastchangedate==0)
+ if (lastchangedate == 0)
{
- mysnprintf(authzmsg,authzmsgsz-1,"need a new password");
- log_log(LOG_WARNING,"%s: %s: %s",
- myldap_get_dn(entry),attmap_shadow_shadowLastChange,authzmsg);
+ mysnprintf(authzmsg, authzmsgsz - 1, "need a new password");
+ log_log(LOG_WARNING, "%s: %s: %s",
+ myldap_get_dn(entry), attmap_shadow_shadowLastChange, authzmsg);
return NSLCD_PAM_NEW_AUTHTOK_REQD;
}
- else if (today<lastchangedate)
- log_log(LOG_WARNING,"%s: %s: password changed in the future",
- myldap_get_dn(entry),attmap_shadow_shadowLastChange);
- else if (maxdays!=-1)
+ else if (today < lastchangedate)
+ log_log(LOG_WARNING, "%s: %s: password changed in the future",
+ myldap_get_dn(entry), attmap_shadow_shadowLastChange);
+ else if (maxdays != -1)
{
/* check maxdays */
- daysleft=lastchangedate+maxdays-today;
- if (daysleft==0)
- mysnprintf(authzmsg,authzmsgsz-1,"password will expire today");
- else if (daysleft<0)
- mysnprintf(authzmsg,authzmsgsz-1,"password expired %ld days ago",-daysleft);
+ daysleft = lastchangedate + maxdays - today;
+ if (daysleft == 0)
+ mysnprintf(authzmsg, authzmsgsz - 1, "password will expire today");
+ else if (daysleft < 0)
+ mysnprintf(authzmsg, authzmsgsz - 1, "password expired %ld days ago",
+ -daysleft);
/* check inactdays */
- if ((daysleft<=0)&&(inactdays!=-1))
+ if ((daysleft <= 0) && (inactdays != -1))
{
- inactleft=lastchangedate+maxdays+inactdays-today;
- if (inactleft==0)
- mysnprintf(authzmsg+strlen(authzmsg),authzmsgsz-strlen(authzmsg)-1,
+ inactleft = lastchangedate + maxdays + inactdays - today;
+ if (inactleft == 0)
+ mysnprintf(authzmsg + strlen(authzmsg), authzmsgsz - strlen(authzmsg) - 1,
", account will be locked today");
- else if (inactleft>0)
- mysnprintf(authzmsg+strlen(authzmsg),authzmsgsz-strlen(authzmsg)-1,
- ", account will be locked in %ld days",inactleft);
+ else if (inactleft > 0)
+ mysnprintf(authzmsg + strlen(authzmsg), authzmsgsz - strlen(authzmsg) - 1,
+ ", account will be locked in %ld days", inactleft);
else
{
- mysnprintf(authzmsg+strlen(authzmsg),authzmsgsz-strlen(authzmsg)-1,
- ", account locked %ld days ago",-inactleft);
- log_log(LOG_WARNING,"%s: %s: %s",
- myldap_get_dn(entry),attmap_shadow_shadowInactive,authzmsg);
+ mysnprintf(authzmsg + strlen(authzmsg), authzmsgsz - strlen(authzmsg) - 1,
+ ", account locked %ld days ago", -inactleft);
+ log_log(LOG_WARNING, "%s: %s: %s", myldap_get_dn(entry),
+ attmap_shadow_shadowInactive, authzmsg);
return NSLCD_PAM_AUTHTOK_EXPIRED;
}
}
- if (daysleft<=0)
+ if (daysleft <= 0)
{
/* log previously built message */
- log_log(LOG_WARNING,"%s: %s: %s",
- myldap_get_dn(entry),attmap_shadow_shadowMax,authzmsg);
+ log_log(LOG_WARNING, "%s: %s: %s",
+ myldap_get_dn(entry), attmap_shadow_shadowMax, authzmsg);
return NSLCD_PAM_NEW_AUTHTOK_REQD;
}
/* check warndays */
- if ((warndays>0)&&(daysleft<=warndays))
+ if ((warndays > 0) && (daysleft <= warndays))
{
- mysnprintf(authzmsg,authzmsgsz-1,"password will expire in %ld days",daysleft);
- log_log(LOG_WARNING,"%s: %s: %s",
- myldap_get_dn(entry),attmap_shadow_shadowWarning,authzmsg);
+ mysnprintf(authzmsg, authzmsgsz - 1,
+ "password will expire in %ld days", daysleft);
+ log_log(LOG_WARNING, "%s: %s: %s",
+ myldap_get_dn(entry), attmap_shadow_shadowWarning, authzmsg);
}
}
}
if (check_mindays)
{
- daysleft=lastchangedate+mindays-today;
- if ((mindays!=-1)&&(daysleft>0))
+ daysleft = lastchangedate + mindays - today;
+ if ((mindays != -1) && (daysleft > 0))
{
- mysnprintf(authzmsg,authzmsgsz-1,"password cannot be changed for another %ld days",daysleft);
- log_log(LOG_WARNING,"%s: %s: %s",
- myldap_get_dn(entry),attmap_shadow_shadowMin,authzmsg);
+ mysnprintf(authzmsg, authzmsgsz - 1,
+ "password cannot be changed for another %ld days", daysleft);
+ log_log(LOG_WARNING, "%s: %s: %s",
+ myldap_get_dn(entry), attmap_shadow_shadowMin, authzmsg);
return NSLCD_PAM_AUTHTOK_ERR;
}
}
@@ -240,108 +247,109 @@ static int check_shadow(MYLDAP_SESSION *session,const char *username,
}
/* check authentication credentials of the user */
-int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid)
+int nslcd_pam_authc(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid)
{
int32_t tmpint32;
int rc;
- char username[256],service[64],ruser[256],rhost[HOST_NAME_MAX+1],tty[64];
+ char username[256], service[64], ruser[256], rhost[HOST_NAME_MAX + 1], tty[64];
char password[64];
const char *userdn;
MYLDAP_ENTRY *entry;
- int authzrc=NSLCD_PAM_SUCCESS;
+ int authzrc = NSLCD_PAM_SUCCESS;
char authzmsg[1024];
- authzmsg[0]='\0';
+ authzmsg[0] = '\0';
/* read request parameters */
- READ_STRING(fp,username);
- READ_STRING(fp,service);
- READ_STRING(fp,ruser);
- READ_STRING(fp,rhost);
- READ_STRING(fp,tty);
- READ_STRING(fp,password);
+ READ_STRING(fp, username);
+ READ_STRING(fp, service);
+ READ_STRING(fp, ruser);
+ READ_STRING(fp, rhost);
+ READ_STRING(fp, tty);
+ READ_STRING(fp, password);
/* log call */
- log_setrequest("authc=\"%s\"",username);
- log_log(LOG_DEBUG,"nslcd_pam_authc(\"%s\",\"%s\",\"%s\")",
- username,service,*password?"***":"");
+ log_setrequest("authc=\"%s\"", username);
+ log_log(LOG_DEBUG, "nslcd_pam_authc(\"%s\",\"%s\",\"%s\")",
+ username, service, *password ? "***" : "");
/* write the response header */
- WRITE_INT32(fp,NSLCD_VERSION);
- WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHC);
+ WRITE_INT32(fp, NSLCD_VERSION);
+ WRITE_INT32(fp, NSLCD_ACTION_PAM_AUTHC);
/* if the username is blank and rootpwmoddn is configured, try to
authenticate as administrator, otherwise validate request as usual */
- if ((*username=='\0')&&(nslcd_cfg->ldc_rootpwmoddn!=NULL))
+ if ((*username == '\0') && (nslcd_cfg->ldc_rootpwmoddn != NULL))
{
- userdn=nslcd_cfg->ldc_rootpwmoddn;
+ userdn = nslcd_cfg->ldc_rootpwmoddn;
/* if the caller is root we will allow the use of the rootpwmodpw option */
- if ((*password=='\0')&&(calleruid==0)&&(nslcd_cfg->ldc_rootpwmodpw!=NULL))
+ if ((*password == '\0') && (calleruid == 0) && (nslcd_cfg->ldc_rootpwmodpw != NULL))
{
- if (strlen(nslcd_cfg->ldc_rootpwmodpw)>=sizeof(password))
+ if (strlen(nslcd_cfg->ldc_rootpwmodpw) >= sizeof(password))
{
- log_log(LOG_ERR,"nslcd_pam_authc(): rootpwmodpw will not fit in password");
+ log_log(LOG_ERR, "nslcd_pam_authc(): rootpwmodpw will not fit in password");
return -1;
}
- strcpy(password,nslcd_cfg->ldc_rootpwmodpw);
+ strcpy(password, nslcd_cfg->ldc_rootpwmodpw);
}
}
else
{
/* try normal authentication, lookup the user entry */
- entry=validate_user(session,username,&rc);
- if (entry==NULL)
+ entry = validate_user(session, username, &rc);
+ if (entry == NULL)
{
/* for user not found we just say no result */
- if (rc==LDAP_NO_SUCH_OBJECT)
+ if (rc == LDAP_NO_SUCH_OBJECT)
{
- WRITE_INT32(fp,NSLCD_RESULT_END);
+ WRITE_INT32(fp, NSLCD_RESULT_END);
}
return -1;
}
- userdn=myldap_get_dn(entry);
- update_username(entry,username,sizeof(username));
+ userdn = myldap_get_dn(entry);
+ update_username(entry, username, sizeof(username));
}
/* try authentication */
- rc=try_bind(userdn,password);
- if (rc==LDAP_SUCCESS)
- log_log(LOG_DEBUG,"bind successful");
+ rc = try_bind(userdn, password);
+ if (rc == LDAP_SUCCESS)
+ log_log(LOG_DEBUG, "bind successful");
/* map result code */
switch (rc)
{
- case LDAP_SUCCESS: rc=NSLCD_PAM_SUCCESS; break;
- case LDAP_INVALID_CREDENTIALS: rc=NSLCD_PAM_AUTH_ERR; break;
- default: rc=NSLCD_PAM_AUTH_ERR;
+ case LDAP_SUCCESS: rc = NSLCD_PAM_SUCCESS; break;
+ case LDAP_INVALID_CREDENTIALS: rc = NSLCD_PAM_AUTH_ERR; break;
+ default: rc = NSLCD_PAM_AUTH_ERR;
}
/* perform shadow attribute checks */
- if (*username!='\0')
- authzrc=check_shadow(session,username,authzmsg,sizeof(authzmsg),1,0);
+ if (*username != '\0')
+ authzrc = check_shadow(session, username, authzmsg, sizeof(authzmsg), 1, 0);
/* write response */
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_INT32(fp,rc);
- WRITE_STRING(fp,username);
- WRITE_INT32(fp,authzrc);
- WRITE_STRING(fp,authzmsg);
- WRITE_INT32(fp,NSLCD_RESULT_END);
+ WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
+ WRITE_INT32(fp, rc);
+ WRITE_STRING(fp, username);
+ WRITE_INT32(fp, authzrc);
+ WRITE_STRING(fp, authzmsg);
+ WRITE_INT32(fp, NSLCD_RESULT_END);
return 0;
}
-static void autzsearch_var_add(DICT *dict,const char *name,const char *value)
+static void autzsearch_var_add(DICT *dict, const char *name,
+ const char *value)
{
size_t sz;
char *escaped_value;
/* allocate memory for escaped string */
- sz=((strlen(value)+8)*120)/100;
- escaped_value=(char *)malloc(sz);
- if (escaped_value==NULL)
+ sz = ((strlen(value) + 8) * 120) / 100;
+ escaped_value = (char *)malloc(sz);
+ if (escaped_value == NULL)
{
- log_log(LOG_CRIT,"autzsearch_var_add(): malloc() failed to allocate memory");
+ log_log(LOG_CRIT, "autzsearch_var_add(): malloc() failed to allocate memory");
return;
}
/* perform escaping of the value */
- if(myldap_escape(value,escaped_value,sz))
+ if (myldap_escape(value, escaped_value, sz))
{
- log_log(LOG_CRIT,"autzsearch_var_add(): myldap_escape() failed to fit in buffer");
+ log_log(LOG_CRIT, "autzsearch_var_add(): myldap_escape() failed to fit in buffer");
free(escaped_value);
return;
}
/* add to dict */
- dict_put(dict,name,escaped_value);
+ dict_put(dict, name, escaped_value);
}
static void autzsearch_vars_free(DICT *dict)
@@ -352,10 +360,10 @@ static void autzsearch_vars_free(DICT *dict)
/* go over all keys and free all the values
(they were allocated in autzsearch_var_add) */
/* loop over dictionary contents */
- keys=dict_keys(dict);
- for (i=0;keys[i]!=NULL;i++)
+ keys = dict_keys(dict);
+ for (i = 0; keys[i] != NULL; i++)
{
- value=dict_get(dict,keys[i]);
+ value = dict_get(dict, keys[i]);
if (value)
free(value);
}
@@ -363,22 +371,23 @@ static void autzsearch_vars_free(DICT *dict)
/* after this values from the dict should obviously no longer be used */
}
-static const char *autzsearch_var_get(const char *name,void *expander_attr)
+static const char *autzsearch_var_get(const char *name, void *expander_attr)
{
- DICT *dict=(DICT *)expander_attr;
- return (const char *)dict_get(dict,name);
+ DICT *dict = (DICT *)expander_attr;
+ return (const char *)dict_get(dict, name);
/* TODO: if not set use entry to get attribute name (entry can be an
element in the dict) */
}
/* perform an authorisation search, returns an LDAP status code */
-static int try_autzsearch(MYLDAP_SESSION *session,const char *dn,
- const char *username,const char *servicename,
- const char *ruser,const char *rhost,const char *tty)
+static int try_autzsearch(MYLDAP_SESSION *session, const char *dn,
+ const char *username, const char *servicename,
+ const char *ruser, const char *rhost,
+ const char *tty)
{
- char hostname[HOST_NAME_MAX+1];
+ char hostname[HOST_NAME_MAX + 1];
const char *fqdn;
- DICT *dict=NULL;
+ DICT *dict = NULL;
char filter[4096];
MYLDAP_SEARCH *search;
MYLDAP_ENTRY *entry;
@@ -387,67 +396,68 @@ static int try_autzsearch(MYLDAP_SESSION *session,const char *dn,
const char *res;
int i;
/* go over all pam_authz_search options */
- for (i=0;(i<NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES)&&(nslcd_cfg->ldc_pam_authz_search[i]!=NULL);i++)
+ for (i = 0; (i < NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES) && (nslcd_cfg->ldc_pam_authz_search[i] != NULL); i++)
{
- if (dict==NULL)
+ if (dict == NULL)
{
/* build the dictionary with variables
NOTE: any variables added here also need to be added to
cfg.c:parse_pam_authz_search_statement() */
- dict=dict_new();
- autzsearch_var_add(dict,"username",username);
- autzsearch_var_add(dict,"service",servicename);
- autzsearch_var_add(dict,"ruser",ruser);
- autzsearch_var_add(dict,"rhost",rhost);
- autzsearch_var_add(dict,"tty",tty);
- if (gethostname(hostname,sizeof(hostname))==0)
- autzsearch_var_add(dict,"hostname",hostname);
- if ((fqdn=getfqdn())!=NULL)
- autzsearch_var_add(dict,"fqdn",fqdn);
- autzsearch_var_add(dict,"dn",dn);
- autzsearch_var_add(dict,"uid",username);
+ dict = dict_new();
+ autzsearch_var_add(dict, "username", username);
+ autzsearch_var_add(dict, "service", servicename);
+ autzsearch_var_add(dict, "ruser", ruser);
+ autzsearch_var_add(dict, "rhost", rhost);
+ autzsearch_var_add(dict, "tty", tty);
+ if (gethostname(hostname, sizeof(hostname)) == 0)
+ autzsearch_var_add(dict, "hostname", hostname);
+ if ((fqdn = getfqdn()) != NULL)
+ autzsearch_var_add(dict, "fqdn", fqdn);
+ autzsearch_var_add(dict, "dn", dn);
+ autzsearch_var_add(dict, "uid", username);
}
/* build the search filter */
- res=expr_parse(nslcd_cfg->ldc_pam_authz_search[i],
- filter,sizeof(filter),
- autzsearch_var_get,(void *)dict);
- if (res==NULL)
+ res = expr_parse(nslcd_cfg->ldc_pam_authz_search[i],
+ filter, sizeof(filter),
+ autzsearch_var_get, (void *)dict);
+ if (res == NULL)
{
autzsearch_vars_free(dict);
dict_free(dict);
- log_log(LOG_ERR,"invalid pam_authz_search \"%s\"",nslcd_cfg->ldc_pam_authz_search[i]);
+ log_log(LOG_ERR, "invalid pam_authz_search \"%s\"",
+ nslcd_cfg->ldc_pam_authz_search[i]);
return LDAP_LOCAL_ERROR;
}
- log_log(LOG_DEBUG,"trying pam_authz_search \"%s\"",filter);
+ log_log(LOG_DEBUG, "trying pam_authz_search \"%s\"", filter);
/* perform the search */
- attrs[0]="dn";
- attrs[1]=NULL;
+ attrs[0] = "dn";
+ attrs[1] = NULL;
/* FIXME: this only searches the first base */
- search=myldap_search(session,nslcd_cfg->ldc_bases[0],LDAP_SCOPE_SUBTREE,
- filter,attrs,&rc);
- if (search==NULL)
+ search = myldap_search(session, nslcd_cfg->ldc_bases[0],
+ LDAP_SCOPE_SUBTREE, filter, attrs, &rc);
+ if (search == NULL)
{
autzsearch_vars_free(dict);
dict_free(dict);
- log_log(LOG_ERR,"pam_authz_search \"%s\" failed: %s",
- filter,ldap_err2string(rc));
+ log_log(LOG_ERR, "pam_authz_search \"%s\" failed: %s",
+ filter, ldap_err2string(rc));
return rc;
}
/* try to get an entry */
- entry=myldap_get_entry(search,&rc);
- if (entry==NULL)
+ entry = myldap_get_entry(search, &rc);
+ if (entry == NULL)
{
autzsearch_vars_free(dict);
dict_free(dict);
- log_log(LOG_ERR,"pam_authz_search \"%s\" found no matches",filter);
- if (rc==LDAP_SUCCESS)
- rc=LDAP_NO_SUCH_OBJECT;
+ log_log(LOG_ERR, "pam_authz_search \"%s\" found no matches", filter);
+ if (rc == LDAP_SUCCESS)
+ rc = LDAP_NO_SUCH_OBJECT;
return rc;
}
- log_log(LOG_DEBUG,"pam_authz_search found \"%s\"",myldap_get_dn(entry));
+ log_log(LOG_DEBUG, "pam_authz_search found \"%s\"", myldap_get_dn(entry));
}
/* we went over all pam_authz_search entries */
- if (dict!=NULL)
+ if (dict != NULL)
{
autzsearch_vars_free(dict);
dict_free(dict);
@@ -456,141 +466,144 @@ static int try_autzsearch(MYLDAP_SESSION *session,const char *dn,
}
/* check authorisation of the user */
-int nslcd_pam_authz(TFILE *fp,MYLDAP_SESSION *session)
+int nslcd_pam_authz(TFILE *fp, MYLDAP_SESSION *session)
{
int32_t tmpint32;
int rc;
- char username[256],service[64],ruser[256],rhost[HOST_NAME_MAX+1],tty[64];
+ char username[256], service[64], ruser[256], rhost[HOST_NAME_MAX + 1], tty[64];
MYLDAP_ENTRY *entry;
char authzmsg[1024];
- authzmsg[0]='\0';
+ authzmsg[0] = '\0';
/* read request parameters */
- READ_STRING(fp,username);
- READ_STRING(fp,service);
- READ_STRING(fp,ruser);
- READ_STRING(fp,rhost);
- READ_STRING(fp,tty);
+ READ_STRING(fp, username);
+ READ_STRING(fp, service);
+ READ_STRING(fp, ruser);
+ READ_STRING(fp, rhost);
+ READ_STRING(fp, tty);
/* log call */
- log_setrequest("authz=\"%s\"",username);
- log_log(LOG_DEBUG,"nslcd_pam_authz(\"%s\",\"%s\",\"%s\",\"%s\",\"%s\")",
- username,service,ruser,rhost,tty);
+ log_setrequest("authz=\"%s\"", username);
+ log_log(LOG_DEBUG, "nslcd_pam_authz(\"%s\",\"%s\",\"%s\",\"%s\",\"%s\")",
+ username, service, ruser, rhost, tty);
/* write the response header */
- WRITE_INT32(fp,NSLCD_VERSION);
- WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHZ);
+ WRITE_INT32(fp, NSLCD_VERSION);
+ WRITE_INT32(fp, NSLCD_ACTION_PAM_AUTHZ);
/* validate request */
- entry=validate_user(session,username,&rc);
- if (entry==NULL)
+ entry = validate_user(session, username, &rc);
+ if (entry == NULL)
{
/* for user not found we just say no result */
- if (rc==LDAP_NO_SUCH_OBJECT)
+ if (rc == LDAP_NO_SUCH_OBJECT)
{
- WRITE_INT32(fp,NSLCD_RESULT_END);
+ WRITE_INT32(fp, NSLCD_RESULT_END);
}
return -1;
}
/* check authorisation search */
- rc=try_autzsearch(session,myldap_get_dn(entry),username,service,ruser,rhost,tty);
- if (rc!=LDAP_SUCCESS)
+ rc = try_autzsearch(session, myldap_get_dn(entry), username, service, ruser,
+ rhost, tty);
+ if (rc != LDAP_SUCCESS)
{
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_INT32(fp,NSLCD_PAM_PERM_DENIED);
- WRITE_STRING(fp,"LDAP authorisation check failed");
- WRITE_INT32(fp,NSLCD_RESULT_END);
+ WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
+ WRITE_INT32(fp, NSLCD_PAM_PERM_DENIED);
+ WRITE_STRING(fp, "LDAP authorisation check failed");
+ WRITE_INT32(fp, NSLCD_RESULT_END);
return 0;
}
/* perform shadow attribute checks */
- rc=check_shadow(session,username,authzmsg,sizeof(authzmsg),0,0);
+ rc = check_shadow(session, username, authzmsg, sizeof(authzmsg), 0, 0);
/* write response */
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_INT32(fp,rc);
- WRITE_STRING(fp,authzmsg);
- WRITE_INT32(fp,NSLCD_RESULT_END);
+ WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
+ WRITE_INT32(fp, rc);
+ WRITE_STRING(fp, authzmsg);
+ WRITE_INT32(fp, NSLCD_RESULT_END);
return 0;
}
-int nslcd_pam_sess_o(TFILE *fp,MYLDAP_SESSION *session)
+int nslcd_pam_sess_o(TFILE *fp, MYLDAP_SESSION *session)
{
int32_t tmpint32;
- char username[256],service[64],ruser[256],rhost[HOST_NAME_MAX+1],tty[64];
+ char username[256], service[64], ruser[256], rhost[HOST_NAME_MAX + 1], tty[64];
char sessionid[25];
- static const char alphabet[]="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
- "abcdefghijklmnopqrstuvwxyz"
- "01234567890";
+ static const char alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "abcdefghijklmnopqrstuvwxyz"
+ "01234567890";
int i;
/* read request parameters */
- READ_STRING(fp,username);
- READ_STRING(fp,service);
- READ_STRING(fp,ruser);
- READ_STRING(fp,rhost);
- READ_STRING(fp,tty);
+ READ_STRING(fp, username);
+ READ_STRING(fp, service);
+ READ_STRING(fp, ruser);
+ READ_STRING(fp, rhost);
+ READ_STRING(fp, tty);
/* generate pseudo-random session id */
- for (i=0;i<(sizeof(sessionid)-1);i++)
- sessionid[i]=alphabet[rand()%(sizeof(alphabet)-1)];
- sessionid[i]='\0';
+ for (i = 0; i < (sizeof(sessionid) - 1); i++)
+ sessionid[i] = alphabet[rand() % (sizeof(alphabet) - 1)];
+ sessionid[i] = '\0';
/* log call */
- log_setrequest("sess_o=\"%s\"",username);
- log_log(LOG_DEBUG,"nslcd_pam_sess_o(\"%s\",\"%s\",\"%s\",\"%s\",\"%s\"): %s",
- username,service,tty,rhost,ruser,sessionid);
+ log_setrequest("sess_o=\"%s\"", username);
+ log_log(LOG_DEBUG, "nslcd_pam_sess_o(\"%s\",\"%s\",\"%s\",\"%s\",\"%s\"): %s",
+ username, service, tty, rhost, ruser, sessionid);
/* write the response header */
- WRITE_INT32(fp,NSLCD_VERSION);
- WRITE_INT32(fp,NSLCD_ACTION_PAM_SESS_O);
+ WRITE_INT32(fp, NSLCD_VERSION);
+ WRITE_INT32(fp, NSLCD_ACTION_PAM_SESS_O);
/* write response */
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_STRING(fp,sessionid);
- WRITE_INT32(fp,NSLCD_RESULT_END);
+ WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
+ WRITE_STRING(fp, sessionid);
+ WRITE_INT32(fp, NSLCD_RESULT_END);
return 0;
}
-int nslcd_pam_sess_c(TFILE *fp,MYLDAP_SESSION *session)
+int nslcd_pam_sess_c(TFILE *fp, MYLDAP_SESSION *session)
{
int32_t tmpint32;
- char username[256],service[64],ruser[256],rhost[HOST_NAME_MAX+1],tty[64];
+ char username[256], service[64], ruser[256], rhost[HOST_NAME_MAX + 1], tty[64];
char sessionid[64];
/* read request parameters */
- READ_STRING(fp,username);
- READ_STRING(fp,service);
- READ_STRING(fp,ruser);
- READ_STRING(fp,rhost);
- READ_STRING(fp,tty);
- READ_STRING(fp,sessionid);
+ READ_STRING(fp, username);
+ READ_STRING(fp, service);
+ READ_STRING(fp, ruser);
+ READ_STRING(fp, rhost);
+ READ_STRING(fp, tty);
+ READ_STRING(fp, sessionid);
/* log call */
- log_setrequest("sess_c=\"%s\"",username);
- log_log(LOG_DEBUG,"nslcd_pam_sess_c(\"%s\",\"%s\",%s)",
- username,service,sessionid);
+ log_setrequest("sess_c=\"%s\"", username);
+ log_log(LOG_DEBUG, "nslcd_pam_sess_c(\"%s\",\"%s\",%s)",
+ username, service, sessionid);
/* write the response header */
- WRITE_INT32(fp,NSLCD_VERSION);
- WRITE_INT32(fp,NSLCD_ACTION_PAM_SESS_C);
+ WRITE_INT32(fp, NSLCD_VERSION);
+ WRITE_INT32(fp, NSLCD_ACTION_PAM_SESS_C);
/* write response */
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_INT32(fp,NSLCD_RESULT_END);
+ WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
+ WRITE_INT32(fp, NSLCD_RESULT_END);
return 0;
}
/* perform an LDAP password modification, returns an LDAP status code */
-static int try_pwmod(const char *binddn,const char *userdn,
- const char *oldpassword,const char *newpassword)
+static int try_pwmod(const char *binddn, const char *userdn,
+ const char *oldpassword, const char *newpassword)
{
MYLDAP_SESSION *session;
char buffer[256];
int rc;
/* set up a new connection */
- session=myldap_create_session();
- if (session==NULL)
+ session = myldap_create_session();
+ if (session == NULL)
return LDAP_UNAVAILABLE;
/* set up credentials for the session */
- myldap_set_credentials(session,binddn,oldpassword);
+ myldap_set_credentials(session, binddn, oldpassword);
/* perform search for own object (just to do any kind of search) */
- if ((lookup_dn2uid(session,userdn,&rc,buffer,sizeof(buffer))!=NULL)&&(rc==LDAP_SUCCESS))
+ if ((lookup_dn2uid(session, userdn, &rc, buffer, sizeof(buffer)) != NULL) &&
+ (rc == LDAP_SUCCESS))
{
/* if doing password modification as admin, don't pass old password along */
- if ((nslcd_cfg->ldc_rootpwmoddn!=NULL)&&(strcmp(binddn,nslcd_cfg->ldc_rootpwmoddn)==0))
- oldpassword=NULL;
+ if ((nslcd_cfg->ldc_rootpwmoddn != NULL) &&
+ (strcmp(binddn, nslcd_cfg->ldc_rootpwmoddn) == 0))
+ oldpassword = NULL;
/* perform password modification */
- rc=myldap_passwd(session,userdn,oldpassword,newpassword);
- if (rc==LDAP_SUCCESS)
+ rc = myldap_passwd(session, userdn, oldpassword, newpassword);
+ if (rc == LDAP_SUCCESS)
{
/* try to update the shadowLastChange attribute */
- (void)update_lastchange(session,userdn);
+ (void)update_lastchange(session, userdn);
}
}
/* close the session */
@@ -599,101 +612,103 @@ static int try_pwmod(const char *binddn,const char *userdn,
return rc;
}
-int nslcd_pam_pwmod(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid)
+int nslcd_pam_pwmod(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid)
{
int32_t tmpint32;
int rc;
- char username[256],service[64],ruser[256],rhost[HOST_NAME_MAX+1],tty[64];
+ char username[256], service[64], ruser[256], rhost[HOST_NAME_MAX + 1], tty[64];
int asroot;
char oldpassword[64];
char newpassword[64];
- const char *binddn=NULL; /* the user performing the modification */
+ const char *binddn = NULL; /* the user performing the modification */
MYLDAP_ENTRY *entry;
char authzmsg[1024];
- authzmsg[0]='\0';
+ authzmsg[0] = '\0';
/* read request parameters */
- READ_STRING(fp,username);
- READ_STRING(fp,service);
- READ_STRING(fp,ruser);
- READ_STRING(fp,rhost);
- READ_STRING(fp,tty);
- READ_INT32(fp,asroot);
- READ_STRING(fp,oldpassword);
- READ_STRING(fp,newpassword);
+ READ_STRING(fp, username);
+ READ_STRING(fp, service);
+ READ_STRING(fp, ruser);
+ READ_STRING(fp, rhost);
+ READ_STRING(fp, tty);
+ READ_INT32(fp, asroot);
+ READ_STRING(fp, oldpassword);
+ READ_STRING(fp, newpassword);
/* log call */
- log_setrequest("pwmod=\"%s\"",username);
- log_log(LOG_DEBUG,"nslcd_pam_pwmod(\"%s\",%s,\"%s\",\"%s\",\"%s\")",
- username,asroot?"asroot":"asuser",service,*oldpassword?"***":"",
- *newpassword?"***":"");
+ log_setrequest("pwmod=\"%s\"", username);
+ log_log(LOG_DEBUG, "nslcd_pam_pwmod(\"%s\",%s,\"%s\",\"%s\",\"%s\")",
+ username, asroot ? "asroot" : "asuser", service,
+ *oldpassword ? "***" : "", *newpassword ? "***" : "");
/* write the response header */
- WRITE_INT32(fp,NSLCD_VERSION);
- WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD);
+ WRITE_INT32(fp, NSLCD_VERSION);
+ WRITE_INT32(fp, NSLCD_ACTION_PAM_PWMOD);
/* validate request */
- entry=validate_user(session,username,&rc);
- if (entry==NULL)
+ entry = validate_user(session, username, &rc);
+ if (entry == NULL)
{
/* for user not found we just say no result */
- if (rc==LDAP_NO_SUCH_OBJECT)
+ if (rc == LDAP_NO_SUCH_OBJECT)
{
- WRITE_INT32(fp,NSLCD_RESULT_END);
+ WRITE_INT32(fp, NSLCD_RESULT_END);
}
return -1;
}
/* check if pam_password_prohibit_message is set */
- if (nslcd_cfg->pam_password_prohibit_message!=NULL)
+ if (nslcd_cfg->pam_password_prohibit_message != NULL)
{
- log_log(LOG_NOTICE,"password change prohibited");
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_INT32(fp,NSLCD_PAM_PERM_DENIED);
- WRITE_STRING(fp,nslcd_cfg->pam_password_prohibit_message);
- WRITE_INT32(fp,NSLCD_RESULT_END);
+ log_log(LOG_NOTICE, "password change prohibited");
+ WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
+ WRITE_INT32(fp, NSLCD_PAM_PERM_DENIED);
+ WRITE_STRING(fp, nslcd_cfg->pam_password_prohibit_message);
+ WRITE_INT32(fp, NSLCD_RESULT_END);
return 0;
}
/* check if the the user passed the rootpwmoddn */
if (asroot)
{
- binddn=nslcd_cfg->ldc_rootpwmoddn;
+ binddn = nslcd_cfg->ldc_rootpwmoddn;
/* check if rootpwmodpw should be used */
- if ((*oldpassword=='\0')&&(calleruid==0)&&(nslcd_cfg->ldc_rootpwmodpw!=NULL))
+ if ((*oldpassword == '\0') && (calleruid == 0) &&
+ (nslcd_cfg->ldc_rootpwmodpw != NULL))
{
- if (strlen(nslcd_cfg->ldc_rootpwmodpw)>=sizeof(oldpassword))
+ if (strlen(nslcd_cfg->ldc_rootpwmodpw) >= sizeof(oldpassword))
{
- log_log(LOG_ERR,"nslcd_pam_pwmod(): rootpwmodpw will not fit in oldpassword");
+ log_log(LOG_ERR, "nslcd_pam_pwmod(): rootpwmodpw will not fit in oldpassword");
return -1;
}
- strcpy(oldpassword,nslcd_cfg->ldc_rootpwmodpw);
+ strcpy(oldpassword, nslcd_cfg->ldc_rootpwmodpw);
}
}
else
{
- binddn=myldap_get_dn(entry);
+ binddn = myldap_get_dn(entry);
/* check whether shadow properties allow password change */
- rc=check_shadow(session,username,authzmsg,sizeof(authzmsg),0,1);
- if (rc!=NSLCD_PAM_SUCCESS)
+ rc = check_shadow(session, username, authzmsg, sizeof(authzmsg), 0, 1);
+ if (rc != NSLCD_PAM_SUCCESS)
{
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_INT32(fp,rc);
- WRITE_STRING(fp,authzmsg);
- WRITE_INT32(fp,NSLCD_RESULT_END);
+ WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
+ WRITE_INT32(fp, rc);
+ WRITE_STRING(fp, authzmsg);
+ WRITE_INT32(fp, NSLCD_RESULT_END);
return 0;
}
}
/* perform password modification */
- rc=try_pwmod(binddn,myldap_get_dn(entry),oldpassword,newpassword);
- if (rc!=LDAP_SUCCESS)
+ rc = try_pwmod(binddn, myldap_get_dn(entry), oldpassword, newpassword);
+ if (rc != LDAP_SUCCESS)
{
- mysnprintf(authzmsg,sizeof(authzmsg)-1,"password change failed: %s",ldap_err2string(rc));
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_INT32(fp,NSLCD_PAM_PERM_DENIED);
- WRITE_STRING(fp,authzmsg);
- WRITE_INT32(fp,NSLCD_RESULT_END);
+ mysnprintf(authzmsg, sizeof(authzmsg) - 1, "password change failed: %s",
+ ldap_err2string(rc));
+ WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
+ WRITE_INT32(fp, NSLCD_PAM_PERM_DENIED);
+ WRITE_STRING(fp, authzmsg);
+ WRITE_INT32(fp, NSLCD_RESULT_END);
return 0;
}
/* write response */
- log_log(LOG_NOTICE,"password changed for %s",myldap_get_dn(entry));
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_INT32(fp,NSLCD_PAM_SUCCESS);
- WRITE_STRING(fp,"");
- WRITE_INT32(fp,NSLCD_RESULT_END);
+ log_log(LOG_NOTICE, "password changed for %s", myldap_get_dn(entry));
+ WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
+ WRITE_INT32(fp, NSLCD_PAM_SUCCESS);
+ WRITE_STRING(fp, "");
+ WRITE_INT32(fp, NSLCD_RESULT_END);
return 0;
}
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2025-08-14 12:17:16 +0000