xref: /netbsd-src/external/bsd/openldap/dist/contrib/slapd-modules/nssov/nss-pam-ldapd/nslcd.h (revision b7b7574d3bf8eeb51a1fa3977b59142ec6434a55) 
1 /*	$NetBSD: nslcd.h,v 1.1.1.2 2014/05/28 09:58:28 tron Exp $	*/
2 
3 /*
4    nslcd.h - file describing client/server protocol
5 
6    Copyright (C) 2006 West Consulting
7    Copyright (C) 2006, 2007, 2009, 2010, 2011, 2012 Arthur de Jong
8 
9    This library is free software; you can redistribute it and/or
10    modify it under the terms of the GNU Lesser General Public
11    License as published by the Free Software Foundation; either
12    version 2.1 of the License, or (at your option) any later version.
13 
14    This library is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
17    Lesser General Public License for more details.
18 
19    You should have received a copy of the GNU Lesser General Public
20    License along with this library; if not, write to the Free Software
21    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
22    02110-1301 USA
23 */
24 
25 #ifndef _NSLCD_H
26 #define _NSLCD_H 1
27 
28 /*
29    The protocol used between the nslcd client and server is a simple binary
30    protocol. It is request/response based where the client initiates a
31    connection, does a single request and closes the connection again. Any
32    mangled or not understood messages will be silently ignored by the server.
33 
34    A request looks like:
35      INT32  NSLCD_VERSION
36      INT32  NSLCD_ACTION_*
37      [request parameters if any]
38    A response looks like:
39      INT32  NSLCD_VERSION
40      INT32  NSLCD_ACTION_* (the original request type)
41      [result(s)]
42      INT32  NSLCD_RESULT_END
43    A single result entry looks like:
44      INT32  NSLCD_RESULT_BEGIN
45      [result value(s)]
46    If a response would return multiple values (e.g. for NSLCD_ACTION_*_ALL
47    functions) each return value will be preceded by a NSLCD_RESULT_BEGIN
48    value. After the last returned result the server sends
49    NSLCD_RESULT_END. If some error occurs (e.g. LDAP server unavailable,
50    error in the request, etc) the server terminates the connection to signal
51    an error condition (breaking the protocol).
52 
53    These are the available basic data types:
54      INT32  - 32-bit integer value
55      TYPE   - a typed field that is transferred using sizeof()
56      STRING - a string length (32bit) followed by the string value (not
57               null-terminted) the string itself is assumed to be UTF-8
58      STRINGLIST - a 32-bit number noting the number of strings followed by
59                   the strings one at a time
60 
61    Furthermore the ADDRESS compound data type is defined as:
62      INT32  type of address: e.g. AF_INET or AF_INET6
63      INT32  lenght of address
64      RAW    the address itself in network byte order
65    With the ADDRESSLIST using the same construct as with STRINGLIST.
66 
67    The protocol uses host-byte order for all types (except in the raw
68    address above).
69 */
70 
71 /* The current version of the protocol. Note that version 1
72    is experimental and this version will be used until a
73    1.0 release of nss-pam-ldapd is made. */
74 #define NSLCD_VERSION 1
75 
76 /* Get a NSLCD configuration option. There is one request parameter:
77     INT32   NSLCD_CONFIG_*
78   the result value is:
79     STRING  value, interpretation depending on request */
80 #define NSLCD_ACTION_CONFIG_GET        20006
81 
82 /* return the message, if any, that is presented to the user when password
83    modification through PAM is prohibited */
84 #define NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE  852
85 
86 /* Email alias (/etc/aliases) NSS requests. The result values for a
87    single entry are:
88      STRING      alias name
89      STRINGLIST  alias rcpts */
90 #define NSLCD_ACTION_ALIAS_BYNAME       4001
91 #define NSLCD_ACTION_ALIAS_ALL          4002
92 
93 /* Ethernet address/name mapping NSS requests. The result values for a
94    single entry are:
95      STRING            ether name
96      TYPE(uint8_t[6])  ether address */
97 #define NSLCD_ACTION_ETHER_BYNAME       3001
98 #define NSLCD_ACTION_ETHER_BYETHER      3002
99 #define NSLCD_ACTION_ETHER_ALL          3005
100 
101 /* Group and group membership related NSS requests. The result values
102    for a single entry are:
103      STRING       group name
104      STRING       group password
105      TYPE(gid_t)  group id
106      STRINGLIST   members (usernames) of the group
107      (not that the BYMEMER call returns an emtpy members list) */
108 #define NSLCD_ACTION_GROUP_BYNAME       5001
109 #define NSLCD_ACTION_GROUP_BYGID        5002
110 #define NSLCD_ACTION_GROUP_BYMEMBER     5003
111 #define NSLCD_ACTION_GROUP_ALL          5004
112 
113 /* Hostname (/etc/hosts) lookup NSS requests. The result values
114    for an entry are:
115      STRING       host name
116      STRINGLIST   host aliases
117      ADDRESSLIST  host addresses */
118 #define NSLCD_ACTION_HOST_BYNAME        6001
119 #define NSLCD_ACTION_HOST_BYADDR        6002
120 #define NSLCD_ACTION_HOST_ALL           6005
121 
122 /* Netgroup NSS request return a number of results. Result values
123    can be either a reference to another netgroup:
124      INT32   NSLCD_NETGROUP_TYPE_NETGROUP
125      STRING  other netgroup name
126    or a netgroup triple:
127      INT32   NSLCD_NETGROUP_TYPE_TRIPLE
128      STRING  host
129      STRING  user
130      STRING  domain */
131 #define NSLCD_ACTION_NETGROUP_BYNAME   12001
132 #define NSLCD_NETGROUP_TYPE_NETGROUP 123
133 #define NSLCD_NETGROUP_TYPE_TRIPLE   456
134 
135 /* Network name (/etc/networks) NSS requests. Result values for a single
136    entry are:
137      STRING       network name
138      STRINGLIST   network aliases
139      ADDRESSLIST  network addresses */
140 #define NSLCD_ACTION_NETWORK_BYNAME     8001
141 #define NSLCD_ACTION_NETWORK_BYADDR     8002
142 #define NSLCD_ACTION_NETWORK_ALL        8005
143 
144 /* User account (/etc/passwd) NSS requests. Result values are:
145      STRING       user name
146      STRING       user password
147      TYPE(uid_t)  user id
148      TYPE(gid_t)  group id
149      STRING       gecos information
150      STRING       home directory
151      STRING       login shell */
152 #define NSLCD_ACTION_PASSWD_BYNAME      1001
153 #define NSLCD_ACTION_PASSWD_BYUID       1002
154 #define NSLCD_ACTION_PASSWD_ALL         1004
155 
156 /* Protocol information requests. Result values are:
157      STRING      protocol name
158      STRINGLIST  protocol aliases
159      INT32       protocol number */
160 #define NSLCD_ACTION_PROTOCOL_BYNAME    9001
161 #define NSLCD_ACTION_PROTOCOL_BYNUMBER  9002
162 #define NSLCD_ACTION_PROTOCOL_ALL       9003
163 
164 /* RPC information requests. Result values are:
165      STRING      rpc name
166      STRINGLIST  rpc aliases
167      INT32       rpc number */
168 #define NSLCD_ACTION_RPC_BYNAME        10001
169 #define NSLCD_ACTION_RPC_BYNUMBER      10002
170 #define NSLCD_ACTION_RPC_ALL           10003
171 
172 /* Service (/etc/services) information requests. Result values are:
173      STRING      service name
174      STRINGLIST  service aliases
175      INT32       service (port) number
176      STRING      service protocol */
177 #define NSLCD_ACTION_SERVICE_BYNAME    11001
178 #define NSLCD_ACTION_SERVICE_BYNUMBER  11002
179 #define NSLCD_ACTION_SERVICE_ALL       11005
180 
181 /* Extended user account (/etc/shadow) information requests. Result
182    values for a single entry are:
183      STRING  user name
184      STRING  user password
185      INT32   last password change
186      INT32   mindays
187      INT32   maxdays
188      INT32   warn
189      INT32   inact
190      INT32   expire
191      INT32   flag */
192 #define NSLCD_ACTION_SHADOW_BYNAME      2001
193 #define NSLCD_ACTION_SHADOW_ALL         2005
194 
195 /* PAM-related requests. The request parameters for all these requests
196    begin with:
197      STRING  user name
198      STRING  DN (if value is known already, otherwise empty)
199      STRING  service name
200    all requests, except the SESSION requests start the result value with:
201      STRING  user name (cannonical name)
202      STRING  DN (can be used to speed up requests)
203    Some functions may return an authorisation message. This message, if
204    supplied will be used by the PAM module instead of a message that is
205    generated by the PAM module itself. */
206 
207 /* PAM authentication check request. The extra request values are:
208      STRING  password
209    and the result value ends with:
210      INT32   authc NSLCD_PAM_* result code
211      INT32   authz NSLCD_PAM_* result code
212      STRING  authorisation error message
213    If the username is empty in this request an attempt is made to
214    authenticate as the administrator (set using rootpwmoddn). The returned DN
215    is that of the administrator. */
216 #define NSLCD_ACTION_PAM_AUTHC         20001
217 
218 /* PAM authorisation check request. The extra request values are:
219      STRING ruser
220      STRING rhost
221      STRING tty
222    and the result value ends with:
223      INT32   authz NSLCD_PAM_* result code
224      STRING  authorisation error message */
225 #define NSLCD_ACTION_PAM_AUTHZ         20002
226 
227 /* PAM session open and close requests. These requests have the following
228    extra request values:
229      STRING tty
230      STRING rhost
231      STRING ruser
232      INT32 session id (ignored for SESS_O)
233    and these calls only return the session ID:
234      INT32 session id
235    The SESS_C must contain the ID that is retured by SESS_O to close the
236    correct session. */
237 #define NSLCD_ACTION_PAM_SESS_O        20003
238 #define NSLCD_ACTION_PAM_SESS_C        20004
239 
240 /* PAM password modification request. This requests has the following extra
241    request values:
242      STRING old password
243      STRING new password
244    and returns there extra result values:
245      INT32   authz NSLCD_PAM_* result code
246      STRING  authorisation error message
247    In this request the DN may be set to the administrator's DN. In this
248    case old password should be the administrator's password. This allows
249    the administrator to change any user's password. */
250 #define NSLCD_ACTION_PAM_PWMOD         20005
251 
252 /* Request result codes. */
253 #define NSLCD_RESULT_BEGIN                 0
254 #define NSLCD_RESULT_END                   3
255 
256 /* Partial list of PAM result codes. */
257 #define NSLCD_PAM_SUCCESS             0 /* everything ok */
258 #define NSLCD_PAM_PERM_DENIED         6 /* Permission denied */
259 #define NSLCD_PAM_AUTH_ERR            7 /* Authc failure */
260 #define NSLCD_PAM_CRED_INSUFFICIENT   8 /* Cannot access authc data */
261 #define NSLCD_PAM_AUTHINFO_UNAVAIL    9 /* Cannot retrieve authc info */
262 #define NSLCD_PAM_USER_UNKNOWN       10 /* User not known */
263 #define NSLCD_PAM_MAXTRIES           11 /* Retry limit reached */
264 #define NSLCD_PAM_NEW_AUTHTOK_REQD   12 /* Password expired */
265 #define NSLCD_PAM_ACCT_EXPIRED       13 /* Account expired */
266 #define NSLCD_PAM_SESSION_ERR        14 /* Cannot make/remove session record */
267 #define NSLCD_PAM_AUTHTOK_ERR        20 /* Authentication token manipulation error */
268 #define NSLCD_PAM_AUTHTOK_DISABLE_AGING 23 /* Password aging disabled */
269 #define NSLCD_PAM_IGNORE             25 /* Ignore module */
270 #define NSLCD_PAM_ABORT              26 /* Fatal error */
271 #define NSLCD_PAM_AUTHTOK_EXPIRED    27 /* authentication token has expired */
272 
273 #endif /* not _NSLCD_H */
274