1*0Sstevel@tonic-gate /*
2*0Sstevel@tonic-gate  * CDDL HEADER START
3*0Sstevel@tonic-gate  *
4*0Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
5*0Sstevel@tonic-gate  * Common Development and Distribution License, Version 1.0 only
6*0Sstevel@tonic-gate  * (the "License").  You may not use this file except in compliance
7*0Sstevel@tonic-gate  * with the License.
8*0Sstevel@tonic-gate  *
9*0Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10*0Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
11*0Sstevel@tonic-gate  * See the License for the specific language governing permissions
12*0Sstevel@tonic-gate  * and limitations under the License.
13*0Sstevel@tonic-gate  *
14*0Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
15*0Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16*0Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
17*0Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
18*0Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
19*0Sstevel@tonic-gate  *
20*0Sstevel@tonic-gate  * CDDL HEADER END
21*0Sstevel@tonic-gate  */
22*0Sstevel@tonic-gate /*
23*0Sstevel@tonic-gate  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24*0Sstevel@tonic-gate  * Use is subject to license terms.
25*0Sstevel@tonic-gate  */
26*0Sstevel@tonic-gate 
27*0Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
28*0Sstevel@tonic-gate 
29*0Sstevel@tonic-gate #include "ldap_headers.h"
30*0Sstevel@tonic-gate #include <malloc.h>
31*0Sstevel@tonic-gate 
32*0Sstevel@tonic-gate /* ******************************************************************** */
33*0Sstevel@tonic-gate /*									*/
34*0Sstevel@tonic-gate /* 		Utilities Functions					*/
35*0Sstevel@tonic-gate /*									*/
36*0Sstevel@tonic-gate /* ******************************************************************** */
37*0Sstevel@tonic-gate 
/*
 * __ldap_to_pamerror():
 *	Map a libsldap (NS_LDAP_*) return code to the PAM error code this
 *	module reports for it.
 *
 *	ldaperror	an NS_LDAP_* status as returned by the __ns_ldap_*
 *			calls in this file.
 *
 *	Returns the PAM_* code.  Only four statuses get a specific
 *	translation; NS_LDAP_NOTFOUND, NS_LDAP_INTERNAL, NS_LDAP_PARTIAL,
 *	NS_LDAP_INVALID_PARAM and every status not listed here all become
 *	PAM_SYSTEM_ERR (so, e.g., a name lookup that finds no entry is
 *	surfaced as a system error rather than PAM_USER_UNKNOWN).
 */
int
__ldap_to_pamerror(int ldaperror)
{
	int	pamerr;

	switch (ldaperror) {
	case NS_LDAP_SUCCESS:
		pamerr = PAM_SUCCESS;
		break;
	case NS_LDAP_OP_FAILED:
		pamerr = PAM_PERM_DENIED;
		break;
	case NS_LDAP_MEMORY:
		pamerr = PAM_BUF_ERR;
		break;
	case NS_LDAP_CONFIG:
		pamerr = PAM_SERVICE_ERR;
		break;
	default:
		/*
		 * NS_LDAP_NOTFOUND, NS_LDAP_INTERNAL, NS_LDAP_PARTIAL,
		 * NS_LDAP_INVALID_PARAM and anything unrecognised.
		 */
		pamerr = PAM_SYSTEM_ERR;
		break;
	}

	return (pamerr);
}
69*0Sstevel@tonic-gate 
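/*
 * authenticate():
 *	Verify a user's password by binding to the directory as that user.
 *
 *	credpp		  on PAM_SUCCESS or PAM_NEW_AUTHTOK_REQD receives
 *			  the ns_cred_t that performed the bind (caller
 *			  owns it; release with __ns_ldap_freeCred()).
 *			  May be NULL if the credential is not wanted.
 *			  Not written on any other result.
 *	usrname		  login name; NULL or empty is rejected before any
 *			  directory access.
 *	pwd		  clear-text password; NULL or empty is rejected
 *			  before any directory access, so an anonymous /
 *			  unauthenticated bind can never pass as a login.
 *	sec_until_expired if non-NULL, set to 0 on entry and then, when
 *			  the server reports the password is about to
 *			  expire, to the seconds remaining.
 *
 *	Returns
 *	  PAM_SUCCESS            if authenticated successfully
 *	  PAM_NEW_AUTHTOK_REQD   if authenticated but user needs to
 *                               change password immediately
 *        PAM_MAXTRIES           if authentication fails due to too
 *                               many login failures
 *        PAM_AUTHTOK_EXPIRED    if user password expired
 *        PAM_PERM_DENIED        if every configured method was tried
 *                               and none authenticated the user
 *        PAM_AUTH_ERR           invalid credentials, an unclassified
 *                               directory error, empty name/password,
 *                               or no usable authentication method
 *        PAM_BUF_ERR / PAM_SERVICE_ERR / PAM_SYSTEM_ERR
 *                               per __ldap_to_pamerror() when one of
 *                               the configuration lookups fails
 *
 *	Authentication is checked by calling __ns_ldap_auth once per
 *	configured method -- serviceAuthenticationMethod for "pam_ldap",
 *	else the default authenticationMethod -- in order, skipping
 *	"none".  The first method that binds decides the result.
 *
 *	Security note: result must never be left at the PAM_SUCCESS that
 *	the configuration lookups produce; it is reset to PAM_AUTH_ERR
 *	immediately before each bind so that only a successful
 *	__ns_ldap_auth() can yield a success code.
 */
int
authenticate(ns_cred_t **credpp, char *usrname, char *pwd,
		int *sec_until_expired)
{
	int		result = PAM_AUTH_ERR;
	int		ldaprc;
	int		authstried = 0;
	char		*binddn = NULL;
	char		**certpath = NULL;
	ns_auth_t	**app;
	ns_auth_t	**authpp = NULL;
	ns_auth_t	*authp = NULL;
	ns_cred_t	*credp;
	ns_ldap_error_t	*errorp = NULL;

	/*
	 * Give the caller a defined value even on paths that never see
	 * the server's password-policy response.
	 */
	if (sec_until_expired) {
		*sec_until_expired = 0;
	}

	if ((credp = (ns_cred_t *)calloc(1, sizeof (ns_cred_t))) == NULL) {
		return (PAM_BUF_ERR);
	}

	/*
	 * Refuse empty names and passwords before touching the directory;
	 * result is still PAM_AUTH_ERR here.
	 */
	if ((usrname == NULL) || (pwd == NULL) || (usrname[0] == '\0') ||
		(pwd[0] == '\0')) {
		goto out;
	}

	/* Map the login name to the DN we will bind as. */
	ldaprc = __ns_ldap_uid2dn(usrname, &binddn, NULL, &errorp);
	if ((result = __ldap_to_pamerror(ldaprc)) != PAM_SUCCESS) {
		goto out;
	}

	/*
	 * The credential keeps its own copies of the DN and the password;
	 * binddn itself is released at out:.
	 */
	credp->cred.unix_cred.userID = strdup(binddn);
	credp->cred.unix_cred.passwd = strdup(pwd);
	if ((credp->cred.unix_cred.userID == NULL) ||
		(credp->cred.unix_cred.passwd == NULL)) {
		result = PAM_BUF_ERR;
		goto out;
	}

	/* get host certificate path, if one is configured */
	ldaprc = __ns_ldap_getParam(NS_LDAP_HOST_CERTPATH_P,
		(void ***)&certpath, &errorp);
	if ((result = __ldap_to_pamerror(ldaprc)) != PAM_SUCCESS) {
		goto out;
	}
	/*
	 * NOTE(review): hostcertpath aliases the string inside the parameter
	 * array returned by __ns_ldap_getParam(), and certpath itself is
	 * never released in this function (unlike authpp below).  Whether
	 * __ns_ldap_freeCred() frees hostcertpath is not visible from this
	 * file, so the ownership is left as is -- confirm against libsldap
	 * before changing it.
	 */
	if (certpath && *certpath) {
		credp->hostcertpath = *certpath;
	}

	/* Load the service specific authentication method */
	ldaprc = __ns_ldap_getServiceAuthMethods("pam_ldap", &authpp, &errorp);
	if ((result = __ldap_to_pamerror(ldaprc)) != PAM_SUCCESS) {
		goto out;
	}

	/*
	 * if authpp is null, there is no serviceAuthenticationMethod
	 * try default authenticationMethod
	 */
	if (authpp == NULL) {
		ldaprc = __ns_ldap_getParam(NS_LDAP_AUTH_P, (void ***)&authpp,
			&errorp);
		if ((result = __ldap_to_pamerror(ldaprc)) != PAM_SUCCESS) {
			goto out;
		}
	}

	/*
	 * if authpp is still null, then can not authenticate, syslog
	 * error message and return error
	 */
	if (authpp == NULL) {
		syslog(LOG_ERR,
			"pam_ldap: no authentication method configured");
		result = PAM_AUTH_ERR;
		goto out;
	}

	/*
	 * Walk the array and try all authentication methods in order except
	 * for "none".
	 */
	for (app = authpp; *app; app++) {
		authp = *app;
		/* what about disabling other mechanisms? "tls:sasl/EXTERNAL" */
		if (authp->type == NS_LDAP_AUTH_NONE) {
			continue;
		}
		authstried++;
		credp->auth.type = authp->type;
		credp->auth.tlstype = authp->tlstype;
		credp->auth.saslmech = authp->saslmech;
		credp->auth.saslopt = authp->saslopt;

		/*
		 * The lookups above left result == PAM_SUCCESS.  Reset it
		 * before the bind: no branch below may report success unless
		 * __ns_ldap_auth() itself succeeded.
		 */
		result = PAM_AUTH_ERR;
		ldaprc = __ns_ldap_auth(credp, 0, &errorp, NULL, NULL);

		/*
		 * NS_LDAP_SUCCESS: done.  NS_LDAP_SUCCESS_WITH_INFO and
		 * NS_LDAP_INTERNAL may carry password-management data in
		 * errorp that selects a more specific PAM code; either way
		 * they end the method walk.  Anything else moves on to the
		 * next configured method.
		 */
		if (ldaprc == NS_LDAP_SUCCESS) {
			/* authenticated, no password management info */
			result = PAM_SUCCESS;
			goto out;
		}

		if (ldaprc == NS_LDAP_SUCCESS_WITH_INFO) {
			/* authenticated; look for password management info */
			result = PAM_SUCCESS;
			if (errorp) {
				if (errorp->pwd_mgmt.status ==
					NS_PASSWD_ABOUT_TO_EXPIRE) {
					/* report "seconds until expired" */
					if (sec_until_expired) {
						*sec_until_expired =
						errorp->
						pwd_mgmt.sec_until_expired;
					}
				} else if (errorp->pwd_mgmt.status ==
					NS_PASSWD_CHANGE_NEEDED) {
					/* password must change right away */
					result = PAM_NEW_AUTHTOK_REQD;
				}
				(void) __ns_ldap_freeError(&errorp);
			}
			goto out;
		}

		if (ldaprc == NS_LDAP_INTERNAL && errorp) {
			/*
			 * Password-policy failures get their own PAM code.
			 * Invalid credentials (LDAP_INVALID_CREDENTIALS), or
			 * any internal error we cannot classify, is an
			 * authentication error -- it must never fall through
			 * with a success code from the lookups above.
			 */
			if (errorp->pwd_mgmt.status ==
				NS_PASSWD_RETRY_EXCEEDED) {
				result = PAM_MAXTRIES;
			} else if (errorp->pwd_mgmt.status ==
				NS_PASSWD_EXPIRED) {
				result = PAM_AUTHTOK_EXPIRED;
			} else {
				result = PAM_AUTH_ERR;
			}
			(void) __ns_ldap_freeError(&errorp);
			goto out;
		}

		/* done with the error info, clean it up and try the next */
		if (errorp) {
			(void) __ns_ldap_freeError(&errorp);
		}
	}

	if (authstried == 0) {
		syslog(LOG_ERR,
			"pam_ldap: no legal authentication method configured");
		result = PAM_AUTH_ERR;
		goto out;
	}
	result = PAM_PERM_DENIED;

out:
	free(binddn);

	/*
	 * Hand the credential to the caller only when the user actually
	 * authenticated and a place to return it was given; on every other
	 * path release it here.  The braces are deliberate: with an
	 * unbraced nested "if (credpp)" the else binds to the inner if, and
	 * a failed login then leaks credp together with its copy of the
	 * password.
	 */
	if (credp && (result == PAM_SUCCESS ||
		result == PAM_NEW_AUTHTOK_REQD) && credpp) {
		*credpp = credp;
	} else {
		(void) __ns_ldap_freeCred(&credp);
	}

	if (authpp) {
		(void) __ns_ldap_freeParam((void ***)&authpp);
	}

	if (errorp) {
		(void) __ns_ldap_freeError(&errorp);
	}

	return (result);
}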