10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * CDDL HEADER START
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * The contents of this file are subject to the terms of the
5*2830Sdjl * Common Development and Distribution License (the "License").
6*2830Sdjl * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate *
80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate * See the License for the specific language governing permissions
110Sstevel@tonic-gate * and limitations under the License.
120Sstevel@tonic-gate *
130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate *
190Sstevel@tonic-gate * CDDL HEADER END
200Sstevel@tonic-gate */
210Sstevel@tonic-gate /*
22*2830Sdjl * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
230Sstevel@tonic-gate * Use is subject to license terms.
240Sstevel@tonic-gate */
250Sstevel@tonic-gate
260Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI"
270Sstevel@tonic-gate
280Sstevel@tonic-gate #include <pwd.h>
290Sstevel@tonic-gate #include <ctype.h>
300Sstevel@tonic-gate #include "ldap_common.h"
310Sstevel@tonic-gate
320Sstevel@tonic-gate /* publickey attributes filters */
330Sstevel@tonic-gate #define _KEY_CN "cn"
340Sstevel@tonic-gate #define _KEY_NISPUBLICKEY "nisPublickey"
350Sstevel@tonic-gate #define _KEY_NISSECRETKEY "nisSecretkey"
360Sstevel@tonic-gate #define _KEY_UIDNUMBER "uidnumber"
370Sstevel@tonic-gate
380Sstevel@tonic-gate #define _F_GETKEY_USER "(&(objectClass=nisKeyObject)(uidNumber=%s))"
390Sstevel@tonic-gate #define _F_GETKEY_USER_SSD "(&(%%s)(uidNumber=%s))"
400Sstevel@tonic-gate #define _F_GETKEY_HOST "(&(objectClass=nisKeyObject)(cn=%s))"
410Sstevel@tonic-gate #define _F_GETKEY_HOST_SSD "(&(%%s)(cn=%s))"
420Sstevel@tonic-gate
430Sstevel@tonic-gate static const char *keys_attrs[] = {
440Sstevel@tonic-gate _KEY_NISPUBLICKEY,
450Sstevel@tonic-gate _KEY_NISSECRETKEY,
460Sstevel@tonic-gate (char *)NULL
470Sstevel@tonic-gate };
480Sstevel@tonic-gate
490Sstevel@tonic-gate
500Sstevel@tonic-gate /*
51*2830Sdjl * _nss_ldap_key2str is the data marshaling method for the publickey getXbyY
520Sstevel@tonic-gate * (e.g., getpublickey() and getsecretkey()) backend processes. This method
530Sstevel@tonic-gate * is called after a successful ldap search has been performed. This method
54*2830Sdjl * will parse the ldap search values into "public:secret" file format.
55*2830Sdjl *
56*2830Sdjl * c3d91f44568fbbefada50d336d9bd67b16e7016f987bb607:
57*2830Sdjl * 7675cd9b8753b5db09dabf12da759c2bd1331c927bb322861fffb54be13f55e9
58*2830Sdjl *
59*2830Sdjl * (All in one line)
60*2830Sdjl *
61*2830Sdjl * Publickey does not have a front end marshaller so db_type is set
62*2830Sdjl * for special handling.
630Sstevel@tonic-gate */
640Sstevel@tonic-gate
650Sstevel@tonic-gate static int
_nss_ldap_key2str(ldap_backend_ptr be,nss_XbyY_args_t * argp)66*2830Sdjl _nss_ldap_key2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
670Sstevel@tonic-gate {
680Sstevel@tonic-gate int nss_result;
690Sstevel@tonic-gate char *keytype = (char *)argp->key.pkey.keytype;
700Sstevel@tonic-gate int keytypelen = strlen(keytype);
71*2830Sdjl int len;
72*2830Sdjl int buflen = argp->buf.buflen;
73*2830Sdjl char *buffer, *pkey, *skey;
740Sstevel@tonic-gate ns_ldap_result_t *result = be->result;
75*2830Sdjl char **pkey_array, **skey_array;
760Sstevel@tonic-gate
77*2830Sdjl if (result == NULL || keytype == NULL) {
78*2830Sdjl nss_result = NSS_STR_PARSE_ERANGE;
79*2830Sdjl goto result_key2str;
800Sstevel@tonic-gate }
81*2830Sdjl nss_result = NSS_STR_PARSE_SUCCESS;
82*2830Sdjl (void) memset(argp->buf.buffer, 0, buflen);
830Sstevel@tonic-gate /* get the publickey */
84*2830Sdjl pkey_array = __ns_ldap_getAttr(result->entry, _KEY_NISPUBLICKEY);
85*2830Sdjl if (pkey_array == NULL) {
86*2830Sdjl nss_result = NSS_STR_PARSE_PARSE;
87*2830Sdjl goto result_key2str;
880Sstevel@tonic-gate }
89*2830Sdjl while (*pkey_array) {
90*2830Sdjl if (strncasecmp(*pkey_array, keytype, keytypelen) == NULL)
91*2830Sdjl break;
92*2830Sdjl pkey_array++;
930Sstevel@tonic-gate }
94*2830Sdjl if (*pkey_array == NULL) {
95*2830Sdjl nss_result = NSS_STR_PARSE_PARSE;
96*2830Sdjl goto result_key2str;
970Sstevel@tonic-gate }
98*2830Sdjl pkey = *pkey_array + keytypelen;
990Sstevel@tonic-gate
1000Sstevel@tonic-gate /* get the secretkey */
101*2830Sdjl skey_array = __ns_ldap_getAttr(result->entry, _KEY_NISSECRETKEY);
102*2830Sdjl if (skey_array == NULL) {
1030Sstevel@tonic-gate /*
1040Sstevel@tonic-gate * if we got this far, it's possible that the secret
1050Sstevel@tonic-gate * key is actually missing or no permission to read it.
1060Sstevel@tonic-gate * For the current implementation, we assume that the
1070Sstevel@tonic-gate * clients have read permission to the secret key. So,
1080Sstevel@tonic-gate * the only possibility of reaching this here is due to
1090Sstevel@tonic-gate * missing secret key.
1100Sstevel@tonic-gate */
111*2830Sdjl nss_result = NSS_STR_PARSE_PARSE;
112*2830Sdjl goto result_key2str;
1130Sstevel@tonic-gate }
114*2830Sdjl while (*skey_array) {
115*2830Sdjl if (strncasecmp(*skey_array, keytype, keytypelen) == NULL)
1160Sstevel@tonic-gate break;
117*2830Sdjl skey_array++;
1180Sstevel@tonic-gate }
119*2830Sdjl if (*skey_array == NULL) {
120*2830Sdjl nss_result = NSS_STR_PARSE_PARSE;
121*2830Sdjl goto result_key2str;
1220Sstevel@tonic-gate }
123*2830Sdjl skey = *skey_array + keytypelen;
1240Sstevel@tonic-gate
125*2830Sdjl /* 2 = 1 ':' + 1 '\0' */
126*2830Sdjl len = strlen(pkey) + strlen(skey) + 2;
127*2830Sdjl if (len > buflen) {
128*2830Sdjl nss_result = NSS_STR_PARSE_ERANGE;
129*2830Sdjl goto result_key2str;
1300Sstevel@tonic-gate }
131*2830Sdjl /*
132*2830Sdjl * publickey does not have a frontend marshaller.
133*2830Sdjl * copy the result to buf.buffer directly
134*2830Sdjl */
135*2830Sdjl buffer = argp->buf.buffer;
1360Sstevel@tonic-gate
137*2830Sdjl (void) snprintf(buffer, len, "%s:%s", pkey, skey);
1380Sstevel@tonic-gate
139*2830Sdjl be->db_type = NSS_LDAP_DB_PUBLICKEY;
140*2830Sdjl
141*2830Sdjl result_key2str:
1420Sstevel@tonic-gate
1430Sstevel@tonic-gate (void) __ns_ldap_freeResult(&be->result);
1440Sstevel@tonic-gate return ((int)nss_result);
1450Sstevel@tonic-gate }
1460Sstevel@tonic-gate
1470Sstevel@tonic-gate
1480Sstevel@tonic-gate /*
1490Sstevel@tonic-gate * getkeys gets both the public and secret keys from publickey entry by either
1500Sstevel@tonic-gate * uid name or host name. This function constructs an ldap search filter using
1510Sstevel@tonic-gate * the name invocation parameter and the getpwnam search filter defined. Once
1520Sstevel@tonic-gate * the filter is constructed, we search for a matching entry and marshal the
1530Sstevel@tonic-gate * data results into struct passwd for the frontend process. The function
1540Sstevel@tonic-gate * _nss_ldap_key2ent performs the data marshaling.
1550Sstevel@tonic-gate * The lookups will be done using the proxy credential. We don't want to use
1560Sstevel@tonic-gate * the user's credential for lookup at this point because we don't have any
1570Sstevel@tonic-gate * secure transport.
1580Sstevel@tonic-gate */
1590Sstevel@tonic-gate
1600Sstevel@tonic-gate static nss_status_t
getkeys(ldap_backend_ptr be,void * a)1610Sstevel@tonic-gate getkeys(ldap_backend_ptr be, void *a)
1620Sstevel@tonic-gate {
1630Sstevel@tonic-gate nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a;
1640Sstevel@tonic-gate char searchfilter[SEARCHFILTERLEN];
1650Sstevel@tonic-gate char userdata[SEARCHFILTERLEN];
1660Sstevel@tonic-gate char netname[SEARCHFILTERLEN];
1670Sstevel@tonic-gate char *name, *domain, *p;
1680Sstevel@tonic-gate nss_status_t rc;
1690Sstevel@tonic-gate int ret;
1700Sstevel@tonic-gate
1710Sstevel@tonic-gate /*
1720Sstevel@tonic-gate * We need to break it down to find if this is a netname for host
1730Sstevel@tonic-gate * or user. We'll pass the domain as is to the LDAP call.
1740Sstevel@tonic-gate */
1750Sstevel@tonic-gate if (_ldap_filter_name(netname, argp->key.pkey.name, sizeof (netname))
1760Sstevel@tonic-gate != 0)
1770Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
178*2830Sdjl
1790Sstevel@tonic-gate domain = strchr(netname, '@');
1800Sstevel@tonic-gate if (!domain)
1810Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
1820Sstevel@tonic-gate
1830Sstevel@tonic-gate *domain++ = '\0';
1840Sstevel@tonic-gate if ((p = strchr(netname, '.')) == NULL)
1850Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
1860Sstevel@tonic-gate
1870Sstevel@tonic-gate name = ++p;
1880Sstevel@tonic-gate if (isdigit(*name)) {
1890Sstevel@tonic-gate /* user keys lookup */
1900Sstevel@tonic-gate ret = snprintf(searchfilter, sizeof (searchfilter),
1910Sstevel@tonic-gate _F_GETKEY_USER, name);
1920Sstevel@tonic-gate if (ret >= sizeof (searchfilter) || ret < 0)
1930Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
1940Sstevel@tonic-gate
1950Sstevel@tonic-gate ret = snprintf(userdata, sizeof (userdata),
1960Sstevel@tonic-gate _F_GETKEY_USER_SSD, name);
1970Sstevel@tonic-gate if (ret >= sizeof (userdata) || ret < 0)
1980Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
1990Sstevel@tonic-gate
2000Sstevel@tonic-gate rc = (nss_status_t)_nss_ldap_lookup(be, argp,
2010Sstevel@tonic-gate _PASSWD, searchfilter, domain,
2020Sstevel@tonic-gate _merge_SSD_filter, userdata);
2030Sstevel@tonic-gate } else {
2040Sstevel@tonic-gate /* host keys lookup */
2050Sstevel@tonic-gate ret = snprintf(searchfilter, sizeof (searchfilter),
2060Sstevel@tonic-gate _F_GETKEY_HOST, name);
2070Sstevel@tonic-gate if (ret >= sizeof (searchfilter) || ret < 0)
2080Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
2090Sstevel@tonic-gate
2100Sstevel@tonic-gate ret = snprintf(userdata, sizeof (userdata),
2110Sstevel@tonic-gate _F_GETKEY_HOST_SSD, name);
2120Sstevel@tonic-gate if (ret >= sizeof (userdata) || ret < 0)
2130Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
2140Sstevel@tonic-gate
2150Sstevel@tonic-gate rc = (nss_status_t)_nss_ldap_lookup(be, argp,
2160Sstevel@tonic-gate _HOSTS, searchfilter, domain,
2170Sstevel@tonic-gate _merge_SSD_filter, userdata);
2180Sstevel@tonic-gate }
2190Sstevel@tonic-gate return (rc);
2200Sstevel@tonic-gate }
2210Sstevel@tonic-gate
2220Sstevel@tonic-gate
2230Sstevel@tonic-gate static ldap_backend_op_t keys_ops[] = {
2240Sstevel@tonic-gate _nss_ldap_destr,
2250Sstevel@tonic-gate 0,
2260Sstevel@tonic-gate 0,
2270Sstevel@tonic-gate 0,
2280Sstevel@tonic-gate getkeys
2290Sstevel@tonic-gate };
2300Sstevel@tonic-gate
2310Sstevel@tonic-gate
2320Sstevel@tonic-gate /*
2330Sstevel@tonic-gate * _nss_ldap_publickey_constr is where life begins. This function calls the
2340Sstevel@tonic-gate * generic ldap constructor function to define and build the abstract
2350Sstevel@tonic-gate * data types required to support ldap operations.
2360Sstevel@tonic-gate */
2370Sstevel@tonic-gate
2380Sstevel@tonic-gate /*ARGSUSED0*/
2390Sstevel@tonic-gate nss_backend_t *
_nss_ldap_publickey_constr(const char * dummy1,const char * dummy2,const char * dummy3)2400Sstevel@tonic-gate _nss_ldap_publickey_constr(const char *dummy1, const char *dummy2,
2410Sstevel@tonic-gate const char *dummy3)
2420Sstevel@tonic-gate {
2430Sstevel@tonic-gate
2440Sstevel@tonic-gate return ((nss_backend_t *)_nss_ldap_constr(keys_ops,
2450Sstevel@tonic-gate sizeof (keys_ops)/sizeof (keys_ops[0]),
246*2830Sdjl _PUBLICKEY, keys_attrs, _nss_ldap_key2str));
2470Sstevel@tonic-gate }
248