1*0Sstevel@tonic-gate /*
2*0Sstevel@tonic-gate  * CDDL HEADER START
3*0Sstevel@tonic-gate  *
4*0Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
5*0Sstevel@tonic-gate  * Common Development and Distribution License, Version 1.0 only
6*0Sstevel@tonic-gate  * (the "License").  You may not use this file except in compliance
7*0Sstevel@tonic-gate  * with the License.
8*0Sstevel@tonic-gate  *
9*0Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10*0Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
11*0Sstevel@tonic-gate  * See the License for the specific language governing permissions
12*0Sstevel@tonic-gate  * and limitations under the License.
13*0Sstevel@tonic-gate  *
14*0Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
15*0Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16*0Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
17*0Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
18*0Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
19*0Sstevel@tonic-gate  *
20*0Sstevel@tonic-gate  * CDDL HEADER END
21*0Sstevel@tonic-gate  */
22*0Sstevel@tonic-gate /*
23*0Sstevel@tonic-gate  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24*0Sstevel@tonic-gate  * Use is subject to license terms.
25*0Sstevel@tonic-gate  */
26*0Sstevel@tonic-gate 
27*0Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
28*0Sstevel@tonic-gate 
29*0Sstevel@tonic-gate #include "ldap_headers.h"
30*0Sstevel@tonic-gate 
31*0Sstevel@tonic-gate /*
32*0Sstevel@tonic-gate  *
33*0Sstevel@tonic-gate  * LDAP module for pam_sm_authenticate.
34*0Sstevel@tonic-gate  *
35*0Sstevel@tonic-gate  * options -
36*0Sstevel@tonic-gate  *
37*0Sstevel@tonic-gate  *	debug
38*0Sstevel@tonic-gate  *	nowarn
39*0Sstevel@tonic-gate  */
40*0Sstevel@tonic-gate 
41*0Sstevel@tonic-gate /*
42*0Sstevel@tonic-gate  * pam_sm_authenticate():
43*0Sstevel@tonic-gate  * 	Authenticate user.
44*0Sstevel@tonic-gate  */
45*0Sstevel@tonic-gate /*ARGSUSED*/
46*0Sstevel@tonic-gate int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)47*0Sstevel@tonic-gate pam_sm_authenticate(
48*0Sstevel@tonic-gate 	pam_handle_t		*pamh,
49*0Sstevel@tonic-gate 	int 			flags,
50*0Sstevel@tonic-gate 	int			argc,
51*0Sstevel@tonic-gate 	const char		**argv)
52*0Sstevel@tonic-gate {
53*0Sstevel@tonic-gate 	char			*service = NULL;
54*0Sstevel@tonic-gate 	char			*user = NULL;
55*0Sstevel@tonic-gate 	int			err;
56*0Sstevel@tonic-gate 	int			result = PAM_AUTH_ERR;
57*0Sstevel@tonic-gate 	int			debug = 0;
58*0Sstevel@tonic-gate 	int			i;
59*0Sstevel@tonic-gate 	char			*password = NULL;
60*0Sstevel@tonic-gate 	ns_cred_t		*credp = NULL;
61*0Sstevel@tonic-gate 	int			nowarn = 0;
62*0Sstevel@tonic-gate 
63*0Sstevel@tonic-gate 	/* Get the service and user */
64*0Sstevel@tonic-gate 	if ((err = pam_get_item(pamh, PAM_SERVICE, (void **)&service))
65*0Sstevel@tonic-gate 							!= PAM_SUCCESS ||
66*0Sstevel@tonic-gate 	    (err = pam_get_item(pamh, PAM_USER, (void **)&user)) != PAM_SUCCESS)
67*0Sstevel@tonic-gate 		return (err);
68*0Sstevel@tonic-gate 
69*0Sstevel@tonic-gate 	/*
70*0Sstevel@tonic-gate 	 * Check options passed to this module.
71*0Sstevel@tonic-gate 	 * Silently ignore try_first_pass and use_first_pass options
72*0Sstevel@tonic-gate 	 * for the time being.
73*0Sstevel@tonic-gate 	 */
74*0Sstevel@tonic-gate 	for (i = 0; i < argc; i++) {
75*0Sstevel@tonic-gate 		if (strcmp(argv[i], "debug") == 0)
76*0Sstevel@tonic-gate 			debug = 1;
77*0Sstevel@tonic-gate 		else if (strcmp(argv[i], "nowarn") == 0)
78*0Sstevel@tonic-gate 			nowarn = 1;
79*0Sstevel@tonic-gate 		else if ((strcmp(argv[i], "try_first_pass") != 0) &&
80*0Sstevel@tonic-gate 				(strcmp(argv[i], "use_first_pass") != 0))
81*0Sstevel@tonic-gate 			syslog(LOG_AUTH | LOG_DEBUG,
82*0Sstevel@tonic-gate 				"ldap pam_sm_authenticate(%s), "
83*0Sstevel@tonic-gate 				"illegal scheme option %s", service, argv[i]);
84*0Sstevel@tonic-gate 	}
85*0Sstevel@tonic-gate 
86*0Sstevel@tonic-gate 	if (debug)
87*0Sstevel@tonic-gate 		syslog(LOG_AUTH | LOG_DEBUG,
88*0Sstevel@tonic-gate 			"ldap pam_sm_authenticate(%s %s), flags = %x %s",
89*0Sstevel@tonic-gate 			service, (user && *user != '\0')?user:"no-user", flags,
90*0Sstevel@tonic-gate 			(nowarn)? ", nowarn": "");
91*0Sstevel@tonic-gate 
92*0Sstevel@tonic-gate 	if (!user || *user == '\0')
93*0Sstevel@tonic-gate 		return (PAM_USER_UNKNOWN);
94*0Sstevel@tonic-gate 
95*0Sstevel@tonic-gate 	/* Get the password entered in the first scheme if any */
96*0Sstevel@tonic-gate 	(void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &password);
97*0Sstevel@tonic-gate 	if (password == NULL) {
98*0Sstevel@tonic-gate 		if (debug)
99*0Sstevel@tonic-gate 			syslog(LOG_AUTH | LOG_DEBUG,
100*0Sstevel@tonic-gate 				"ldap pam_sm_authenticate(%s %s), "
101*0Sstevel@tonic-gate 				"AUTHTOK not set", service, user);
102*0Sstevel@tonic-gate 		return (PAM_AUTH_ERR);
103*0Sstevel@tonic-gate 	}
104*0Sstevel@tonic-gate 
105*0Sstevel@tonic-gate 	/*
106*0Sstevel@tonic-gate 	 * Authenticate user using the password from PAM_AUTHTOK.
107*0Sstevel@tonic-gate 	 * If no password available or if authentication fails
108*0Sstevel@tonic-gate 	 * return the appropriate error.
109*0Sstevel@tonic-gate 	 */
110*0Sstevel@tonic-gate 	result = authenticate(&credp, user, password, NULL);
111*0Sstevel@tonic-gate 	if (result == PAM_NEW_AUTHTOK_REQD) {
112*0Sstevel@tonic-gate 		/*
113*0Sstevel@tonic-gate 		 * PAM_NEW_AUTHTOK_REQD means the
114*0Sstevel@tonic-gate 		 * user's password is good but needs
115*0Sstevel@tonic-gate 		 * to change immediately. If the service
116*0Sstevel@tonic-gate 		 * is login or similar programs, the
117*0Sstevel@tonic-gate 		 * user will be asked to change the
118*0Sstevel@tonic-gate 		 * password after the account management
119*0Sstevel@tonic-gate 		 * module is called and determined that
120*0Sstevel@tonic-gate 		 * the password has expired.
121*0Sstevel@tonic-gate 		 * So change the rc to PAM_SUCCESS here.
122*0Sstevel@tonic-gate 		 */
123*0Sstevel@tonic-gate 		result = PAM_SUCCESS;
124*0Sstevel@tonic-gate 	} else if (result == PAM_AUTHTOK_EXPIRED) {
125*0Sstevel@tonic-gate 		/*
126*0Sstevel@tonic-gate 		 * Authentication token is the right one but
127*0Sstevel@tonic-gate 		 * expired. Consider this as pass.
128*0Sstevel@tonic-gate 		 * Change rc to PAM_SUCCESS.
129*0Sstevel@tonic-gate 		 */
130*0Sstevel@tonic-gate 		result = PAM_SUCCESS;
131*0Sstevel@tonic-gate 	}
132*0Sstevel@tonic-gate 
133*0Sstevel@tonic-gate 	if (credp != NULL)
134*0Sstevel@tonic-gate 		(void) __ns_ldap_freeCred(&credp);
135*0Sstevel@tonic-gate 	return (result);
136*0Sstevel@tonic-gate }
137