| blob | 4c43eb7adb04f5522b5131214c4361e5d75156d1 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2016 by Delphix. All rights reserved.
25 */
27 #include <stdio.h>
28 #include <errno.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <unistd.h>
32 #include <macros.h>
33 #include <priv.h>
37 #include <nss_dbdefs.h>
38 #include <nsswitch.h>
40 #include <pwd.h>
41 #include <shadow.h>
42 #include <syslog.h>
50 #define STRDUP_OR_RET(to, from) \
51 if ((to = strdup(from)) == NULL) \
52 return (PWU_NOMEM);
54 #define STRDUP_OR_ERR(to, from, err) \
55 if (((to) = strdup(from)) == NULL) \
56 (err) = PWU_NOMEM;
58 #define NUM_TO_STR(to, from) \
59 { \
60 char nb[MAX_INT_LEN]; \
62 return (PWU_NOMEM); \
63 STRDUP_OR_RET(to, nb); \
64 }
66 #define NEW_ATTR(p, i, attr, val) \
67 { \
68 p[i] = new_attr(attr, (val)); \
69 if (p[i] == NULL) \
70 return (PWU_NOMEM); \
71 i++; \
72 }
82 /*
83 * ldap function pointer table, used by passwdutil_init to initialize
84 * the global Repository-OPerations table "rops"
85 */
88 ldap_getattr,
89 ldap_getpwnam,
90 ldap_update,
91 ldap_putpwnam,
92 ldap_user_to_authenticate,
94 NULL /* unlock */
95 };
97 /*
98 * structure used to keep state between get/update/put calls
99 */
111 /*
112 * The following define's are taken from
113 * usr/src/lib/nsswitch/ldap/common/getpwnam.c
114 */
116 /* passwd attributes filters */
129 /* shadow attributes filters */
140 /*
141 * Frees up an ldapbuf_t
142 */
144 static void
146 {
154 }
164 }
165 }
167 }
173 }
174 }
176 }
177 }
179 /*
180 * int ldap_user_to_authenticate(user, rep, auth_user, privileged)
181 *
182 * If the Shadow Update functionality is enabled, then we check to
183 * see if the caller has 0 as the euid or has all zone privs. If so,
184 * the caller would be able to modify shadow(4) data stored on the
185 * LDAP server. Otherwise, when LDAP Shadow Update is not enabled,
186 * we can't determine whether the user is "privileged" in the LDAP
187 * sense. The operation should be attempted and will succeed if the
188 * user had privileges. For our purposes, we say that the user is
189 * privileged if they are attempting to change another user's
190 * password attributes.
191 */
192 int
195 {
197 uid_t uid;
198 uid_t priviledged_uid;
209 /*
210 * need equivalent of write access to /etc/shadow
211 * the privilege escalation model is euid == 0 || all zone privs
212 */
214 boolean_t priv;
226 }
227 /*
228 * priv can change anyone's password,
229 * only root isn't prompted.
230 */
240 }
241 }
244 }
247 /* changing our own, not privileged */
255 /*
256 * specific case for root
257 * we want 'user' to be authenticated.
258 */
263 }
268 /* hmm. can't find name of current user...??? */
275 }
276 }
277 }
280 }
282 /*
283 * int ldap_getattr(name, item, rep)
284 *
285 * retrieve attributes specified in "item" for user "name".
286 */
287 /*ARGSUSED*/
288 int
290 {
332 /* integer values */
342 else
348 else
354 else
360 else
366 else
372 else
384 }
385 }
387 out:
391 }
393 /*
394 * int ldap_getpwnam(name, items, rep, buf)
395 *
396 * There is no need to get the old values from the ldap
397 * server, as the update will update each item individually.
398 * Therefore, we only allocate a buffer that will be used by
399 * _update and _putpwnam to hold the attributes to update.
400 *
401 * Only when we're about to update a password, we need to retrieve
402 * the old password since it contains salt-information.
403 */
404 /*ARGSUSED*/
405 int
408 {
412 /*
413 * [sp]attrs is treated as NULL terminated
414 */
445 }
447 /* remember if shadow update is enabled */
453 out:
457 }
459 /*
460 * new_attr(name, value)
461 *
462 * create a new LDAP attribute to be sent to the server
463 */
464 ns_ldap_attr_t *
466 {
476 }
479 }
482 }
484 /*
485 * max_present(list)
486 *
487 * returns '1' if a ATTR_MAX with value != -1 is present. (in other words:
488 * if password aging is to be turned on).
489 */
490 static int
492 {
496 else
499 }
501 /*
502 * attr_addmod(attrs, idx, item, val)
503 *
504 * Adds or updates attribute 'item' in ldap_attrs list to value
505 * update idx if item is added
506 * return: -1 - PWU_NOMEM/error, 0 - success
507 */
508 static int
510 {
514 /* stringize the value or abort */
518 /* check for existence and modify existing */
528 }
529 }
530 /* else add */
539 }
541 /*
542 * ldap_update(items, rep, buf)
543 *
544 * create LDAP attributes in 'buf' for each attribute in 'items'.
545 */
546 /*ARGSUSED*/
547 int
549 {
569 /*
570 * if sp_max==0 and shadow update is enabled:
571 * disable passwd aging after updating the password
572 */
579 /*
580 * There is a special case for ldap: if the
581 * password is to be deleted (-d to passwd),
582 * p->data.val_s will be NULL.
583 */
587 cryptlen =
602 /* algorithm problem? */
604 "passwdutil: crypt_gensalt "
607 }
617 }
619 /*
620 * If not managing passwordAccount,
621 * insert the new password in the
622 * passwd attr array and break.
623 */
628 }
630 /*
631 * Managing passwordAccount, insert the
632 * new password, along with lastChange and
633 * shadowFlag, in the shadow attr array.
634 */
649 /*
650 * For server policy, don't crypt the password,
651 * send the password as is to the server and
652 * let the LDAP server do its own password
653 * encryption
654 */
660 /* XX correct? */
670 }
679 }
688 }
690 /* We don't update NAME, UID, GID */
694 /* Unsupported item */
711 }
719 }
738 }
751 }
795 /* Turn off aging. Reset min and warn too */
802 /* Turn account aging on */
804 /*
805 * minage was not set with command-
806 * line option: set to zero
807 */
811 val);
812 }
813 /*
814 * If aging was turned off, we update lstchg.
815 * We take care not to update lstchg if the
816 * user has no password, otherwise the user
817 * might not be required to provide a password
818 * the next time they log in.
819 *
820 * Also, if lstchg != -1 (i.e., not set)
821 * we keep the old value.
822 */
827 _S_LASTCHANGE,
831 }
832 }
872 }
884 }
892 }
893 }
895 /*
896 * If the ldap client is configured with shadow update enabled,
897 * then what should the new aging values look like?
898 *
899 * There are a number of different conditions
900 *
901 * a) aging is already configured: don't touch it
902 *
903 * b) disable_aging is set: disable aging
904 *
905 * c) aging is not configured: turn on default aging;
906 *
907 * b) and c) of course only if aging_needed and !aging_set.
908 * (i.e., password changed, and aging values not changed)
909 */
912 /* a) aging not yet configured */
915 /* b) turn off aging */
925 /* c) */
937 }
938 }
939 }
945 }
947 /*
948 * ldap_to_pwu_code(error, pwd_status)
949 *
950 * translation from LDAP return values and PWU return values
951 */
952 int
954 {
977 }
979 }
980 }
982 int
985 {
1001 /* for admin shadow update, dn and pwd will be set later in libsldap */
1003 /* Fill in the user name and password */
1008 }
1010 /* get host certificate path, if one is configured */
1019 /* Load the service specific authentication method */
1026 /*
1027 * if authpp is null, there is no serviceAuthenticationMethod
1028 * try default authenticationMethod
1029 */
1035 }
1037 /*
1038 * if authpp is still null, then can not authenticate, syslog
1039 * error message and return error
1040 */
1046 }
1048 /*
1049 * Walk the array and try all authentication methods in order except
1050 * for "none".
1051 */
1054 /* what about disabling other mechanisms? "tls:sasl/EXTERNAL" */
1057 authstried++;
1069 }
1071 /*
1072 * if change not allowed due to configuration, indicate so
1073 * to the caller
1074 */
1080 }
1082 /*
1083 * other errors might need to be added to this list, for
1084 * the current supported mechanisms this is sufficient
1085 */
1092 }
1094 /*
1095 * If there is error related to password policy,
1096 * return it to caller
1097 */
1106 /* we don't really care about the error, just clean it up */
1109 }
1115 }
1118 out:
1129 }
1132 /*
1133 * ldap_putpwnam(name, oldpw, rep, buf)
1134 *
1135 * update the LDAP server with the attributes contained in 'buf'.
1136 */
1137 /*ARGSUSED*/
1138 int
1140 {
1150 uid_t uid;
1155 /*
1156 * convert name of user whose attributes we are changing
1157 * to a distinguished name
1158 */
1163 /* update shadow via ldap_cachemgr if it is enabled */
1166 /*
1167 * flag NS_LDAP_UPDATE_SHADOW indicates the shadow update
1168 * should be done via ldap_cachemgr
1169 */
1171 NS_LDAP_UPDATE_SHADOW);
1173 }
1175 /*
1176 * The LDAP server checks whether we are permitted to perform
1177 * the requested change. We need to send the name of the user
1178 * who is executing this piece of code, together with his
1179 * current password to the server.
1180 * If this is executed by a normal user changing his/her own
1181 * password, this will simply be the OLD password that is to
1182 * be changed.
1183 * Specific case if the user who is executing this piece
1184 * of code is root. We will then issue the LDAP request
1185 * with the DN of the user we want to change the passwd of.
1186 */
1188 /*
1189 * create a dn for the user who is executing this code
1190 */
1196 }
1198 /*
1199 * User executing this code is not known to the LDAP
1200 * server. This operation is to be denied
1201 */
1204 }
1216 out:
1221 }