usr/src/lib/pam_modules/ldap/ldap_authenticate.c

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License, Version 1.0 only
   6  * (the "License").  You may not use this file except in compliance
   7  * with the License.
   8  *
   9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  10  * or http://www.opensolaris.org/os/licensing.
  11  * See the License for the specific language governing permissions
  12  * and limitations under the License.
  13  *
  14  * When distributing Covered Code, include this CDDL HEADER in each
  15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  16  * If applicable, add the following below this CDDL HEADER, with the
  17  * fields enclosed by brackets "[]" replaced with your own identifying
  18  * information: Portions Copyright [yyyy] [name of copyright owner]
  19  *
  20  * CDDL HEADER END
  21  */
  22 /*
  23  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
  24  * Use is subject to license terms.
  25  */
  26
  27 #pragma ident   "%Z%%M% %I%     %E% SMI"
  28
  29 #include "ldap_headers.h"
  30
  31 /*
  32  *
  33  * LDAP module for pam_sm_authenticate.
  34  *
  35  * options -
  36  *
  37  *      debug
  38  *      nowarn
  39  */
  40
  41 /*
  42  * pam_sm_authenticate():
  43  *      Authenticate user.
  44  */
  45 /*ARGSUSED*/
  46 int
  47 pam_sm_authenticate(
  48         pam_handle_t            *pamh,
  49         int                     flags,
  50         int                     argc,
  51         const char              **argv)
  52 {
  53         char                    *service = NULL;
  54         char                    *user = NULL;
  55         int                     err;
  56         int                     result = PAM_AUTH_ERR;
  57         int                     debug = 0;
  58         int                     i;
  59         char                    *password = NULL;
  60         ns_cred_t               *credp = NULL;
  61         int                     nowarn = 0;
  62
  63         /* Get the service and user */
  64         if ((err = pam_get_item(pamh, PAM_SERVICE, (void **)&service))
  65                                                         != PAM_SUCCESS ||
  66             (err = pam_get_item(pamh, PAM_USER, (void **)&user)) != PAM_SUCCESS)
  67                 return (err);
  68
  69         /*
  70          * Check options passed to this module.
  71          * Silently ignore try_first_pass and use_first_pass options
  72          * for the time being.
  73          */
  74         for (i = 0; i < argc; i++) {
  75                 if (strcmp(argv[i], "debug") == 0)
  76                         debug = 1;
  77                 else if (strcmp(argv[i], "nowarn") == 0)
  78                         nowarn = 1;
  79                 else if ((strcmp(argv[i], "try_first_pass") != 0) &&
  80                                 (strcmp(argv[i], "use_first_pass") != 0))
  81                         syslog(LOG_AUTH | LOG_DEBUG,
  82                                 "ldap pam_sm_authenticate(%s), "
  83                                 "illegal scheme option %s", service, argv[i]);
  84         }
  85
  86         if (debug)
  87                 syslog(LOG_AUTH | LOG_DEBUG,
  88                         "ldap pam_sm_authenticate(%s %s), flags = %x %s",
  89                         service, (user && *user != '\0')?user:"no-user", flags,
  90                         (nowarn)? ", nowarn": "");
  91
  92         if (!user || *user == '\0')
  93                 return (PAM_USER_UNKNOWN);
  94
  95         /* Get the password entered in the first scheme if any */
  96         (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &password);
  97         if (password == NULL) {
  98                 if (debug)
  99                         syslog(LOG_AUTH | LOG_DEBUG,
 100                                 "ldap pam_sm_authenticate(%s %s), "
 101                                 "AUTHTOK not set", service, user);
 102                 return (PAM_AUTH_ERR);
 103         }
 104
 105         /*
 106          * Authenticate user using the password from PAM_AUTHTOK.
 107          * If no password available or if authentication fails
 108          * return the appropriate error.
 109          */
 110         result = authenticate(&credp, user, password, NULL);
 111         if (result == PAM_NEW_AUTHTOK_REQD) {
 112                 /*
 113                  * PAM_NEW_AUTHTOK_REQD means the
 114                  * user's password is good but needs
 115                  * to change immediately. If the service
 116                  * is login or similar programs, the
 117                  * user will be asked to change the
 118                  * password after the account management
 119                  * module is called and determined that
 120                  * the password has expired.
 121                  * So change the rc to PAM_SUCCESS here.
 122                  */
 123                 result = PAM_SUCCESS;
 124         } else if (result == PAM_AUTHTOK_EXPIRED) {
 125                 /*
 126                  * Authentication token is the right one but
 127                  * expired. Consider this as pass.
 128                  * Change rc to PAM_SUCCESS.
 129                  */
 130                 result = PAM_SUCCESS;
 131         }
 132
 133         if (credp != NULL)
 134                 (void) __ns_ldap_freeCred(&credp);
 135         return (result);
 136 }