1*0Sstevel@tonic-gate /*
2*0Sstevel@tonic-gate * CDDL HEADER START
3*0Sstevel@tonic-gate *
4*0Sstevel@tonic-gate * The contents of this file are subject to the terms of the
5*0Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only
6*0Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance
7*0Sstevel@tonic-gate * with the License.
8*0Sstevel@tonic-gate *
9*0Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10*0Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
11*0Sstevel@tonic-gate * See the License for the specific language governing permissions
12*0Sstevel@tonic-gate * and limitations under the License.
13*0Sstevel@tonic-gate *
14*0Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
15*0Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16*0Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
17*0Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
18*0Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
19*0Sstevel@tonic-gate *
20*0Sstevel@tonic-gate * CDDL HEADER END
21*0Sstevel@tonic-gate */
22*0Sstevel@tonic-gate /*
23*0Sstevel@tonic-gate * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
24*0Sstevel@tonic-gate * Use is subject to license terms.
25*0Sstevel@tonic-gate */
26*0Sstevel@tonic-gate
27*0Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI"
28*0Sstevel@tonic-gate
29*0Sstevel@tonic-gate #include "ldap_headers.h"
30*0Sstevel@tonic-gate
31*0Sstevel@tonic-gate /*
32*0Sstevel@tonic-gate *
33*0Sstevel@tonic-gate * LDAP module for pam_sm_authenticate.
34*0Sstevel@tonic-gate *
35*0Sstevel@tonic-gate * options -
36*0Sstevel@tonic-gate *
37*0Sstevel@tonic-gate * debug
38*0Sstevel@tonic-gate * nowarn
39*0Sstevel@tonic-gate */
40*0Sstevel@tonic-gate
41*0Sstevel@tonic-gate /*
42*0Sstevel@tonic-gate * pam_sm_authenticate():
43*0Sstevel@tonic-gate * Authenticate user.
44*0Sstevel@tonic-gate */
45*0Sstevel@tonic-gate /*ARGSUSED*/
46*0Sstevel@tonic-gate int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)47*0Sstevel@tonic-gate pam_sm_authenticate(
48*0Sstevel@tonic-gate pam_handle_t *pamh,
49*0Sstevel@tonic-gate int flags,
50*0Sstevel@tonic-gate int argc,
51*0Sstevel@tonic-gate const char **argv)
52*0Sstevel@tonic-gate {
53*0Sstevel@tonic-gate char *service = NULL;
54*0Sstevel@tonic-gate char *user = NULL;
55*0Sstevel@tonic-gate int err;
56*0Sstevel@tonic-gate int result = PAM_AUTH_ERR;
57*0Sstevel@tonic-gate int debug = 0;
58*0Sstevel@tonic-gate int i;
59*0Sstevel@tonic-gate char *password = NULL;
60*0Sstevel@tonic-gate ns_cred_t *credp = NULL;
61*0Sstevel@tonic-gate int nowarn = 0;
62*0Sstevel@tonic-gate
63*0Sstevel@tonic-gate /* Get the service and user */
64*0Sstevel@tonic-gate if ((err = pam_get_item(pamh, PAM_SERVICE, (void **)&service))
65*0Sstevel@tonic-gate != PAM_SUCCESS ||
66*0Sstevel@tonic-gate (err = pam_get_item(pamh, PAM_USER, (void **)&user)) != PAM_SUCCESS)
67*0Sstevel@tonic-gate return (err);
68*0Sstevel@tonic-gate
69*0Sstevel@tonic-gate /*
70*0Sstevel@tonic-gate * Check options passed to this module.
71*0Sstevel@tonic-gate * Silently ignore try_first_pass and use_first_pass options
72*0Sstevel@tonic-gate * for the time being.
73*0Sstevel@tonic-gate */
74*0Sstevel@tonic-gate for (i = 0; i < argc; i++) {
75*0Sstevel@tonic-gate if (strcmp(argv[i], "debug") == 0)
76*0Sstevel@tonic-gate debug = 1;
77*0Sstevel@tonic-gate else if (strcmp(argv[i], "nowarn") == 0)
78*0Sstevel@tonic-gate nowarn = 1;
79*0Sstevel@tonic-gate else if ((strcmp(argv[i], "try_first_pass") != 0) &&
80*0Sstevel@tonic-gate (strcmp(argv[i], "use_first_pass") != 0))
81*0Sstevel@tonic-gate syslog(LOG_AUTH | LOG_DEBUG,
82*0Sstevel@tonic-gate "ldap pam_sm_authenticate(%s), "
83*0Sstevel@tonic-gate "illegal scheme option %s", service, argv[i]);
84*0Sstevel@tonic-gate }
85*0Sstevel@tonic-gate
86*0Sstevel@tonic-gate if (debug)
87*0Sstevel@tonic-gate syslog(LOG_AUTH | LOG_DEBUG,
88*0Sstevel@tonic-gate "ldap pam_sm_authenticate(%s %s), flags = %x %s",
89*0Sstevel@tonic-gate service, (user && *user != '\0')?user:"no-user", flags,
90*0Sstevel@tonic-gate (nowarn)? ", nowarn": "");
91*0Sstevel@tonic-gate
92*0Sstevel@tonic-gate if (!user || *user == '\0')
93*0Sstevel@tonic-gate return (PAM_USER_UNKNOWN);
94*0Sstevel@tonic-gate
95*0Sstevel@tonic-gate /* Get the password entered in the first scheme if any */
96*0Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &password);
97*0Sstevel@tonic-gate if (password == NULL) {
98*0Sstevel@tonic-gate if (debug)
99*0Sstevel@tonic-gate syslog(LOG_AUTH | LOG_DEBUG,
100*0Sstevel@tonic-gate "ldap pam_sm_authenticate(%s %s), "
101*0Sstevel@tonic-gate "AUTHTOK not set", service, user);
102*0Sstevel@tonic-gate return (PAM_AUTH_ERR);
103*0Sstevel@tonic-gate }
104*0Sstevel@tonic-gate
105*0Sstevel@tonic-gate /*
106*0Sstevel@tonic-gate * Authenticate user using the password from PAM_AUTHTOK.
107*0Sstevel@tonic-gate * If no password available or if authentication fails
108*0Sstevel@tonic-gate * return the appropriate error.
109*0Sstevel@tonic-gate */
110*0Sstevel@tonic-gate result = authenticate(&credp, user, password, NULL);
111*0Sstevel@tonic-gate if (result == PAM_NEW_AUTHTOK_REQD) {
112*0Sstevel@tonic-gate /*
113*0Sstevel@tonic-gate * PAM_NEW_AUTHTOK_REQD means the
114*0Sstevel@tonic-gate * user's password is good but needs
115*0Sstevel@tonic-gate * to change immediately. If the service
116*0Sstevel@tonic-gate * is login or similar programs, the
117*0Sstevel@tonic-gate * user will be asked to change the
118*0Sstevel@tonic-gate * password after the account management
119*0Sstevel@tonic-gate * module is called and determined that
120*0Sstevel@tonic-gate * the password has expired.
121*0Sstevel@tonic-gate * So change the rc to PAM_SUCCESS here.
122*0Sstevel@tonic-gate */
123*0Sstevel@tonic-gate result = PAM_SUCCESS;
124*0Sstevel@tonic-gate } else if (result == PAM_AUTHTOK_EXPIRED) {
125*0Sstevel@tonic-gate /*
126*0Sstevel@tonic-gate * Authentication token is the right one but
127*0Sstevel@tonic-gate * expired. Consider this as pass.
128*0Sstevel@tonic-gate * Change rc to PAM_SUCCESS.
129*0Sstevel@tonic-gate */
130*0Sstevel@tonic-gate result = PAM_SUCCESS;
131*0Sstevel@tonic-gate }
132*0Sstevel@tonic-gate
133*0Sstevel@tonic-gate if (credp != NULL)
134*0Sstevel@tonic-gate (void) __ns_ldap_freeCred(&credp);
135*0Sstevel@tonic-gate return (result);
136*0Sstevel@tonic-gate }
137