| blob | 0340b884202d4706ca9d71017a4a1a99c5bd5e2b |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2016 by Delphix. All rights reserved.
25 */
27 #include <stdio.h>
28 #include <errno.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <unistd.h>
32 #include <macros.h>
33 #include <priv.h>
37 #include <nss_dbdefs.h>
38 #include <nsswitch.h>
40 #include <pwd.h>
41 #include <shadow.h>
42 #include <syslog.h>
50 #define STRDUP_OR_RET(to, from) \
51 if ((to = strdup(from)) == NULL) \
52 return (PWU_NOMEM);
54 #define STRDUP_OR_ERR(to, from, err) \
55 if (((to) = strdup(from)) == NULL) \
56 (err) = PWU_NOMEM;
58 #define NUM_TO_STR(to, from) \
59 { \
60 char nb[MAX_INT_LEN]; \
62 return (PWU_NOMEM); \
63 STRDUP_OR_RET(to, nb); \
64 }
66 #define NEW_ATTR(p, i, attr, val) \
67 { \
68 p[i] = new_attr(attr, (val)); \
69 if (p[i] == NULL) \
70 return (PWU_NOMEM); \
71 i++; \
72 }
82 /*
83 * ldap function pointer table, used by passwdutil_init to initialize
84 * the global Repository-OPerations table "rops"
85 */
88 ldap_getattr,
89 ldap_getpwnam,
90 ldap_update,
91 ldap_putpwnam,
92 ldap_user_to_authenticate,
94 NULL /* unlock */
95 };
97 /*
98 * structure used to keep state between get/update/put calls
99 */
111 /*
112 * The following define's are taken from
113 * usr/src/lib/nsswitch/ldap/common/getpwnam.c
114 */
116 /* passwd attributes filters */
129 /* shadow attributes filters */
140 /*
141 * Frees up an ldapbuf_t
142 */
144 static void
146 {
154 }
164 }
165 }
167 }
173 }
174 }
176 }
177 }
179 /*
180 * int ldap_user_to_authenticate(user, rep, auth_user, privileged)
181 *
182 * If the Shadow Update functionality is enabled, then we check to
183 * see if the caller has 0 as the euid or has all zone privs. If so,
184 * the caller would be able to modify shadow(4) data stored on the
185 * LDAP server. Otherwise, when LDAP Shadow Update is not enabled,
186 * we can't determine whether the user is "privileged" in the LDAP
187 * sense. The operation should be attempted and will succeed if the
188 * user had privileges. For our purposes, we say that the user is
189 * privileged if they are attempting to change another user's
190 * password attributes.
191 */
192 int
195 {
197 uid_t uid;
198 uid_t priviledged_uid;
209 /*
210 * need equivalent of write access to /etc/shadow
211 * the privilege escalation model is euid == 0 || all zone privs
212 */
214 boolean_t priv;
226 }
227 /*
228 * priv can change anyone's password,
229 * only root isn't prompted.
230 */
240 }
241 }
244 }
247 /* changing our own, not privileged */
256 /*
257 * specific case for root
258 * we want 'user' to be authenticated.
259 */
264 }
270 /* hmm. can't find name of current user...??? */
277 }
278 }
279 }
282 }
284 /*
285 * int ldap_getattr(name, item, rep)
286 *
287 * retrieve attributes specified in "item" for user "name".
288 */
289 /*ARGSUSED*/
290 int
292 {
334 /* integer values */
344 else
350 else
356 else
362 else
368 else
374 else
386 }
387 }
389 out:
393 }
395 /*
396 * int ldap_getpwnam(name, items, rep, buf)
397 *
398 * There is no need to get the old values from the ldap
399 * server, as the update will update each item individually.
400 * Therefore, we only allocate a buffer that will be used by
401 * _update and _putpwnam to hold the attributes to update.
402 *
403 * Only when we're about to update a password, we need to retrieve
404 * the old password since it contains salt-information.
405 */
406 /*ARGSUSED*/
407 int
410 {
414 /*
415 * [sp]attrs is treated as NULL terminated
416 */
447 }
449 /* remember if shadow update is enabled */
455 out:
459 }
461 /*
462 * new_attr(name, value)
463 *
464 * create a new LDAP attribute to be sent to the server
465 */
466 ns_ldap_attr_t *
468 {
478 }
481 }
484 }
486 /*
487 * max_present(list)
488 *
489 * returns '1' if a ATTR_MAX with value != -1 is present. (in other words:
490 * if password aging is to be turned on).
491 */
492 static int
494 {
498 else
501 }
503 /*
504 * attr_addmod(attrs, idx, item, val)
505 *
506 * Adds or updates attribute 'item' in ldap_attrs list to value
507 * update idx if item is added
508 * return: -1 - PWU_NOMEM/error, 0 - success
509 */
510 static int
512 {
516 /* stringize the value or abort */
520 /* check for existence and modify existing */
530 }
531 }
532 /* else add */
541 }
543 /*
544 * ldap_update(items, rep, buf)
545 *
546 * create LDAP attributes in 'buf' for each attribute in 'items'.
547 */
548 /*ARGSUSED*/
549 int
551 {
571 /*
572 * if sp_max==0 and shadow update is enabled:
573 * disable passwd aging after updating the password
574 */
581 /*
582 * There is a special case for ldap: if the
583 * password is to be deleted (-d to passwd),
584 * p->data.val_s will be NULL.
585 */
589 cryptlen =
604 /* algorithm problem? */
606 "passwdutil: crypt_gensalt "
609 }
619 }
621 /*
622 * If not managing passwordAccount,
623 * insert the new password in the
624 * passwd attr array and break.
625 */
630 }
632 /*
633 * Managing passwordAccount, insert the
634 * new password, along with lastChange and
635 * shadowFlag, in the shadow attr array.
636 */
651 /*
652 * For server policy, don't crypt the password,
653 * send the password as is to the server and
654 * let the LDAP server do its own password
655 * encryption
656 */
662 /* XX correct? */
672 }
681 }
690 }
692 /* We don't update NAME, UID, GID */
696 /* Unsupported item */
713 }
721 }
740 }
753 }
797 /* Turn off aging. Reset min and warn too */
804 /* Turn account aging on */
806 /*
807 * minage was not set with command-
808 * line option: set to zero
809 */
813 val);
814 }
815 /*
816 * If aging was turned off, we update lstchg.
817 * We take care not to update lstchg if the
818 * user has no password, otherwise the user
819 * might not be required to provide a password
820 * the next time they log in.
821 *
822 * Also, if lstchg != -1 (i.e., not set)
823 * we keep the old value.
824 */
829 _S_LASTCHANGE,
833 }
834 }
874 }
886 }
894 }
895 }
897 /*
898 * If the ldap client is configured with shadow update enabled,
899 * then what should the new aging values look like?
900 *
901 * There are a number of different conditions
902 *
903 * a) aging is already configured: don't touch it
904 *
905 * b) disable_aging is set: disable aging
906 *
907 * c) aging is not configured: turn on default aging;
908 *
909 * b) and c) of course only if aging_needed and !aging_set.
910 * (i.e., password changed, and aging values not changed)
911 */
914 /* a) aging not yet configured */
917 /* b) turn off aging */
927 /* c) */
939 }
940 }
941 }
947 }
949 /*
950 * ldap_to_pwu_code(error, pwd_status)
951 *
952 * translation from LDAP return values and PWU return values
953 */
954 int
956 {
979 }
981 }
982 }
984 int
987 {
1003 /* for admin shadow update, dn and pwd will be set later in libsldap */
1005 /* Fill in the user name and password */
1010 }
1012 /* get host certificate path, if one is configured */
1021 /* Load the service specific authentication method */
1028 /*
1029 * if authpp is null, there is no serviceAuthenticationMethod
1030 * try default authenticationMethod
1031 */
1037 }
1039 /*
1040 * if authpp is still null, then can not authenticate, syslog
1041 * error message and return error
1042 */
1048 }
1050 /*
1051 * Walk the array and try all authentication methods in order except
1052 * for "none".
1053 */
1056 /* what about disabling other mechanisms? "tls:sasl/EXTERNAL" */
1059 authstried++;
1071 }
1073 /*
1074 * if change not allowed due to configuration, indicate so
1075 * to the caller
1076 */
1082 }
1084 /*
1085 * other errors might need to be added to this list, for
1086 * the current supported mechanisms this is sufficient
1087 */
1094 }
1096 /*
1097 * If there is error related to password policy,
1098 * return it to caller
1099 */
1108 /* we don't really care about the error, just clean it up */
1111 }
1117 }
1120 out:
1131 }
1134 /*
1135 * ldap_putpwnam(name, oldpw, rep, buf)
1136 *
1137 * update the LDAP server with the attributes contained in 'buf'.
1138 */
1139 /*ARGSUSED*/
1140 int
1142 {
1152 uid_t uid;
1157 /*
1158 * convert name of user whose attributes we are changing
1159 * to a distinguished name
1160 */
1165 /* update shadow via ldap_cachemgr if it is enabled */
1168 /*
1169 * flag NS_LDAP_UPDATE_SHADOW indicates the shadow update
1170 * should be done via ldap_cachemgr
1171 */
1173 NS_LDAP_UPDATE_SHADOW);
1175 }
1177 /*
1178 * The LDAP server checks whether we are permitted to perform
1179 * the requested change. We need to send the name of the user
1180 * who is executing this piece of code, together with his
1181 * current password to the server.
1182 * If this is executed by a normal user changing his/her own
1183 * password, this will simply be the OLD password that is to
1184 * be changed.
1185 * Specific case if the user who is executing this piece
1186 * of code is root. We will then issue the LDAP request
1187 * with the DN of the user we want to change the passwd of.
1188 */
1190 /*
1191 * create a dn for the user who is executing this code
1192 */
1198 }
1200 /*
1201 * User executing this code is not known to the LDAP
1202 * server. This operation is to be denied
1203 */
1206 }
1218 out:
1223 }