1*0Sstevel@tonic-gate /*
2*0Sstevel@tonic-gate * CDDL HEADER START
3*0Sstevel@tonic-gate *
4*0Sstevel@tonic-gate * The contents of this file are subject to the terms of the
5*0Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only
6*0Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance
7*0Sstevel@tonic-gate * with the License.
8*0Sstevel@tonic-gate *
9*0Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10*0Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
11*0Sstevel@tonic-gate * See the License for the specific language governing permissions
12*0Sstevel@tonic-gate * and limitations under the License.
13*0Sstevel@tonic-gate *
14*0Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
15*0Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16*0Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
17*0Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
18*0Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
19*0Sstevel@tonic-gate *
20*0Sstevel@tonic-gate * CDDL HEADER END
21*0Sstevel@tonic-gate */
22*0Sstevel@tonic-gate /*
23*0Sstevel@tonic-gate * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
24*0Sstevel@tonic-gate * Use is subject to license terms.
25*0Sstevel@tonic-gate */
26*0Sstevel@tonic-gate
27*0Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI"
28*0Sstevel@tonic-gate
29*0Sstevel@tonic-gate #include "ldap_headers.h"
30*0Sstevel@tonic-gate #include <malloc.h>
31*0Sstevel@tonic-gate
32*0Sstevel@tonic-gate /* ******************************************************************** */
33*0Sstevel@tonic-gate /* */
34*0Sstevel@tonic-gate /* Utilities Functions */
35*0Sstevel@tonic-gate /* */
36*0Sstevel@tonic-gate /* ******************************************************************** */
37*0Sstevel@tonic-gate
38*0Sstevel@tonic-gate /*
39*0Sstevel@tonic-gate * __ldap_to_pamerror():
40*0Sstevel@tonic-gate * converts Native LDAP errors to an equivalent PAM error
41*0Sstevel@tonic-gate */
42*0Sstevel@tonic-gate int
__ldap_to_pamerror(int ldaperror)43*0Sstevel@tonic-gate __ldap_to_pamerror(int ldaperror)
44*0Sstevel@tonic-gate {
45*0Sstevel@tonic-gate switch (ldaperror) {
46*0Sstevel@tonic-gate case NS_LDAP_SUCCESS:
47*0Sstevel@tonic-gate return (PAM_SUCCESS);
48*0Sstevel@tonic-gate
49*0Sstevel@tonic-gate case NS_LDAP_OP_FAILED:
50*0Sstevel@tonic-gate return (PAM_PERM_DENIED);
51*0Sstevel@tonic-gate
52*0Sstevel@tonic-gate case NS_LDAP_MEMORY:
53*0Sstevel@tonic-gate return (PAM_BUF_ERR);
54*0Sstevel@tonic-gate
55*0Sstevel@tonic-gate case NS_LDAP_CONFIG:
56*0Sstevel@tonic-gate return (PAM_SERVICE_ERR);
57*0Sstevel@tonic-gate
58*0Sstevel@tonic-gate case NS_LDAP_NOTFOUND:
59*0Sstevel@tonic-gate case NS_LDAP_INTERNAL:
60*0Sstevel@tonic-gate case NS_LDAP_PARTIAL:
61*0Sstevel@tonic-gate case NS_LDAP_INVALID_PARAM:
62*0Sstevel@tonic-gate return (PAM_SYSTEM_ERR);
63*0Sstevel@tonic-gate
64*0Sstevel@tonic-gate default:
65*0Sstevel@tonic-gate return (PAM_SYSTEM_ERR);
66*0Sstevel@tonic-gate
67*0Sstevel@tonic-gate }
68*0Sstevel@tonic-gate }
69*0Sstevel@tonic-gate
70*0Sstevel@tonic-gate /*
71*0Sstevel@tonic-gate * authenticate():
72*0Sstevel@tonic-gate * Returns
73*0Sstevel@tonic-gate * PAM_SUCCESS if authenticated successfully
74*0Sstevel@tonic-gate * PAM_NEW_AUTHTOK_REQD if authenticated but user needs to
75*0Sstevel@tonic-gate * change password immediately
76*0Sstevel@tonic-gate * PAM_MAXTRIES if authentication fails due to too
77*0Sstevel@tonic-gate * many login failures
78*0Sstevel@tonic-gate * PAM_AUTHTOK_EXPIRED if user password expired
79*0Sstevel@tonic-gate * PAM_PERM_DENIED if fail to authenticate
80*0Sstevel@tonic-gate * PAM_AUTH_ERR other errors
81*0Sstevel@tonic-gate *
82*0Sstevel@tonic-gate * Also output the second-until-expired data if authenticated
83*0Sstevel@tonic-gate * but the password is about to expire.
84*0Sstevel@tonic-gate * Authentication is checked by calling __ns_ldap_auth.
85*0Sstevel@tonic-gate */
86*0Sstevel@tonic-gate int
authenticate(ns_cred_t ** credpp,char * usrname,char * pwd,int * sec_until_expired)87*0Sstevel@tonic-gate authenticate(ns_cred_t **credpp, char *usrname, char *pwd,
88*0Sstevel@tonic-gate int *sec_until_expired)
89*0Sstevel@tonic-gate {
90*0Sstevel@tonic-gate int result = PAM_AUTH_ERR;
91*0Sstevel@tonic-gate int ldaprc;
92*0Sstevel@tonic-gate int authstried = 0;
93*0Sstevel@tonic-gate char *binddn = NULL;
94*0Sstevel@tonic-gate char **certpath = NULL;
95*0Sstevel@tonic-gate ns_auth_t **app;
96*0Sstevel@tonic-gate ns_auth_t **authpp = NULL;
97*0Sstevel@tonic-gate ns_auth_t *authp = NULL;
98*0Sstevel@tonic-gate ns_cred_t *credp;
99*0Sstevel@tonic-gate ns_ldap_error_t *errorp = NULL;
100*0Sstevel@tonic-gate
101*0Sstevel@tonic-gate if ((credp = (ns_cred_t *)calloc(1, sizeof (ns_cred_t))) == NULL)
102*0Sstevel@tonic-gate return (PAM_BUF_ERR);
103*0Sstevel@tonic-gate
104*0Sstevel@tonic-gate /* Fill in the user name and password */
105*0Sstevel@tonic-gate if ((usrname == NULL) || (pwd == NULL) || (usrname[0] == '\0') ||
106*0Sstevel@tonic-gate (pwd[0] == '\0'))
107*0Sstevel@tonic-gate goto out;
108*0Sstevel@tonic-gate
109*0Sstevel@tonic-gate ldaprc = __ns_ldap_uid2dn(usrname, &binddn, NULL, &errorp);
110*0Sstevel@tonic-gate if ((result = __ldap_to_pamerror(ldaprc)) != PAM_SUCCESS)
111*0Sstevel@tonic-gate goto out;
112*0Sstevel@tonic-gate
113*0Sstevel@tonic-gate credp->cred.unix_cred.userID = strdup(binddn);
114*0Sstevel@tonic-gate credp->cred.unix_cred.passwd = strdup(pwd);
115*0Sstevel@tonic-gate if ((credp->cred.unix_cred.userID == NULL) ||
116*0Sstevel@tonic-gate (credp->cred.unix_cred.passwd == NULL)) {
117*0Sstevel@tonic-gate result = PAM_BUF_ERR;
118*0Sstevel@tonic-gate goto out;
119*0Sstevel@tonic-gate }
120*0Sstevel@tonic-gate
121*0Sstevel@tonic-gate /* get host certificate path, if one is configured */
122*0Sstevel@tonic-gate ldaprc = __ns_ldap_getParam(NS_LDAP_HOST_CERTPATH_P,
123*0Sstevel@tonic-gate (void ***)&certpath, &errorp);
124*0Sstevel@tonic-gate if ((result = __ldap_to_pamerror(ldaprc)) != PAM_SUCCESS)
125*0Sstevel@tonic-gate goto out;
126*0Sstevel@tonic-gate if (certpath && *certpath)
127*0Sstevel@tonic-gate credp->hostcertpath = *certpath;
128*0Sstevel@tonic-gate
129*0Sstevel@tonic-gate /* Load the service specific authentication method */
130*0Sstevel@tonic-gate ldaprc = __ns_ldap_getServiceAuthMethods("pam_ldap", &authpp, &errorp);
131*0Sstevel@tonic-gate if ((result = __ldap_to_pamerror(ldaprc)) != PAM_SUCCESS)
132*0Sstevel@tonic-gate goto out;
133*0Sstevel@tonic-gate
134*0Sstevel@tonic-gate /*
135*0Sstevel@tonic-gate * if authpp is null, there is no serviceAuthenticationMethod
136*0Sstevel@tonic-gate * try default authenticationMethod
137*0Sstevel@tonic-gate */
138*0Sstevel@tonic-gate if (authpp == NULL) {
139*0Sstevel@tonic-gate ldaprc = __ns_ldap_getParam(NS_LDAP_AUTH_P, (void ***)&authpp,
140*0Sstevel@tonic-gate &errorp);
141*0Sstevel@tonic-gate if ((result = __ldap_to_pamerror(ldaprc)) != PAM_SUCCESS)
142*0Sstevel@tonic-gate goto out;
143*0Sstevel@tonic-gate }
144*0Sstevel@tonic-gate
145*0Sstevel@tonic-gate /*
146*0Sstevel@tonic-gate * if authpp is still null, then can not authenticate, syslog
147*0Sstevel@tonic-gate * error message and return error
148*0Sstevel@tonic-gate */
149*0Sstevel@tonic-gate if (authpp == NULL) {
150*0Sstevel@tonic-gate syslog(LOG_ERR,
151*0Sstevel@tonic-gate "pam_ldap: no authentication method configured");
152*0Sstevel@tonic-gate result = PAM_AUTH_ERR;
153*0Sstevel@tonic-gate goto out;
154*0Sstevel@tonic-gate }
155*0Sstevel@tonic-gate
156*0Sstevel@tonic-gate /*
157*0Sstevel@tonic-gate * Walk the array and try all authentication methods in order except
158*0Sstevel@tonic-gate * for "none".
159*0Sstevel@tonic-gate */
160*0Sstevel@tonic-gate for (app = authpp; *app; app++) {
161*0Sstevel@tonic-gate authp = *app;
162*0Sstevel@tonic-gate /* what about disabling other mechanisms? "tls:sasl/EXTERNAL" */
163*0Sstevel@tonic-gate if (authp->type == NS_LDAP_AUTH_NONE)
164*0Sstevel@tonic-gate continue;
165*0Sstevel@tonic-gate authstried++;
166*0Sstevel@tonic-gate credp->auth.type = authp->type;
167*0Sstevel@tonic-gate credp->auth.tlstype = authp->tlstype;
168*0Sstevel@tonic-gate credp->auth.saslmech = authp->saslmech;
169*0Sstevel@tonic-gate credp->auth.saslopt = authp->saslopt;
170*0Sstevel@tonic-gate ldaprc = __ns_ldap_auth(credp, 0, &errorp, NULL, NULL);
171*0Sstevel@tonic-gate
172*0Sstevel@tonic-gate /*
173*0Sstevel@tonic-gate * If rc is NS_LDAP_SUCCESS, done. If not,
174*0Sstevel@tonic-gate * check rc and error info to see if
175*0Sstevel@tonic-gate * there's any password management data.
176*0Sstevel@tonic-gate * If yes, set appropriate PAM result code
177*0Sstevel@tonic-gate * and exit.
178*0Sstevel@tonic-gate */
179*0Sstevel@tonic-gate if (ldaprc == NS_LDAP_SUCCESS) {
180*0Sstevel@tonic-gate /*
181*0Sstevel@tonic-gate * authenticated and no
182*0Sstevel@tonic-gate * password management info, done.
183*0Sstevel@tonic-gate */
184*0Sstevel@tonic-gate result = PAM_SUCCESS;
185*0Sstevel@tonic-gate goto out;
186*0Sstevel@tonic-gate } else if (ldaprc == NS_LDAP_SUCCESS_WITH_INFO) {
187*0Sstevel@tonic-gate /*
188*0Sstevel@tonic-gate * authenticated but need to deal with
189*0Sstevel@tonic-gate * password management info
190*0Sstevel@tonic-gate */
191*0Sstevel@tonic-gate result = PAM_SUCCESS;
192*0Sstevel@tonic-gate
193*0Sstevel@tonic-gate /*
194*0Sstevel@tonic-gate * clear sec_until_expired just in case
195*0Sstevel@tonic-gate * there's no error info
196*0Sstevel@tonic-gate */
197*0Sstevel@tonic-gate if (sec_until_expired)
198*0Sstevel@tonic-gate *sec_until_expired = 0;
199*0Sstevel@tonic-gate
200*0Sstevel@tonic-gate if (errorp) {
201*0Sstevel@tonic-gate if (errorp->pwd_mgmt.status ==
202*0Sstevel@tonic-gate NS_PASSWD_ABOUT_TO_EXPIRE) {
203*0Sstevel@tonic-gate /*
204*0Sstevel@tonic-gate * password about to expire;
205*0Sstevel@tonic-gate * retrieve "seconds until expired"
206*0Sstevel@tonic-gate */
207*0Sstevel@tonic-gate if (sec_until_expired)
208*0Sstevel@tonic-gate *sec_until_expired =
209*0Sstevel@tonic-gate errorp->
210*0Sstevel@tonic-gate pwd_mgmt.sec_until_expired;
211*0Sstevel@tonic-gate } else if (errorp->pwd_mgmt.status ==
212*0Sstevel@tonic-gate NS_PASSWD_CHANGE_NEEDED)
213*0Sstevel@tonic-gate /*
214*0Sstevel@tonic-gate * indicate that passwd need to change
215*0Sstevel@tonic-gate * right away
216*0Sstevel@tonic-gate */
217*0Sstevel@tonic-gate result = PAM_NEW_AUTHTOK_REQD;
218*0Sstevel@tonic-gate
219*0Sstevel@tonic-gate (void) __ns_ldap_freeError(&errorp);
220*0Sstevel@tonic-gate }
221*0Sstevel@tonic-gate goto out;
222*0Sstevel@tonic-gate } else if (ldaprc == NS_LDAP_INTERNAL) {
223*0Sstevel@tonic-gate
224*0Sstevel@tonic-gate if (errorp) {
225*0Sstevel@tonic-gate /*
226*0Sstevel@tonic-gate * If error due to password policy, set
227*0Sstevel@tonic-gate * appropriate PAM result code and exit.
228*0Sstevel@tonic-gate */
229*0Sstevel@tonic-gate if (errorp->pwd_mgmt.status ==
230*0Sstevel@tonic-gate NS_PASSWD_RETRY_EXCEEDED)
231*0Sstevel@tonic-gate result = PAM_MAXTRIES;
232*0Sstevel@tonic-gate else if (errorp->pwd_mgmt.status ==
233*0Sstevel@tonic-gate NS_PASSWD_EXPIRED)
234*0Sstevel@tonic-gate result = PAM_AUTHTOK_EXPIRED;
235*0Sstevel@tonic-gate else {
236*0Sstevel@tonic-gate /*
237*0Sstevel@tonic-gate * If invalid credential,
238*0Sstevel@tonic-gate * return PAM_AUTH_ERR.
239*0Sstevel@tonic-gate */
240*0Sstevel@tonic-gate if (errorp->status ==
241*0Sstevel@tonic-gate LDAP_INVALID_CREDENTIALS)
242*0Sstevel@tonic-gate result = PAM_AUTH_ERR;
243*0Sstevel@tonic-gate }
244*0Sstevel@tonic-gate (void) __ns_ldap_freeError(&errorp);
245*0Sstevel@tonic-gate goto out;
246*0Sstevel@tonic-gate }
247*0Sstevel@tonic-gate }
248*0Sstevel@tonic-gate
249*0Sstevel@tonic-gate /* done with the error info, clean it up */
250*0Sstevel@tonic-gate if (errorp)
251*0Sstevel@tonic-gate (void) __ns_ldap_freeError(&errorp);
252*0Sstevel@tonic-gate }
253*0Sstevel@tonic-gate if (authstried == 0) {
254*0Sstevel@tonic-gate syslog(LOG_ERR,
255*0Sstevel@tonic-gate "pam_ldap: no legal authentication method configured");
256*0Sstevel@tonic-gate result = PAM_AUTH_ERR;
257*0Sstevel@tonic-gate goto out;
258*0Sstevel@tonic-gate }
259*0Sstevel@tonic-gate result = PAM_PERM_DENIED;
260*0Sstevel@tonic-gate
261*0Sstevel@tonic-gate out:
262*0Sstevel@tonic-gate if (binddn)
263*0Sstevel@tonic-gate free(binddn);
264*0Sstevel@tonic-gate
265*0Sstevel@tonic-gate if (credp && (result == PAM_SUCCESS ||
266*0Sstevel@tonic-gate result == PAM_NEW_AUTHTOK_REQD))
267*0Sstevel@tonic-gate if (credpp)
268*0Sstevel@tonic-gate *credpp = credp;
269*0Sstevel@tonic-gate else
270*0Sstevel@tonic-gate (void) __ns_ldap_freeCred(&credp);
271*0Sstevel@tonic-gate
272*0Sstevel@tonic-gate if (authpp)
273*0Sstevel@tonic-gate (void) __ns_ldap_freeParam((void ***)&authpp);
274*0Sstevel@tonic-gate
275*0Sstevel@tonic-gate if (errorp)
276*0Sstevel@tonic-gate (void) __ns_ldap_freeError(&errorp);
277*0Sstevel@tonic-gate
278*0Sstevel@tonic-gate return (result);
279*0Sstevel@tonic-gate }
280