1 /* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */ 2 /* $OpenLDAP: pkg/ldap/contrib/slapd-modules/smbk5pwd/smbk5pwd.c,v 1.17.2.12 2008/07/09 22:59:00 quanah Exp $ */ 3 /* 4 * Copyright 2004-2005 by Howard Chu, Symas Corp. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted only as authorized by the OpenLDAP 9 * Public License. 10 * 11 * A copy of this license is available in the file LICENSE in the 12 * top-level directory of the distribution or, alternatively, at 13 * <http://www.OpenLDAP.org/license.html>. 14 */ 15 /* 16 * Support for table-driven configuration added by Pierangelo Masarati. 17 * Support for sambaPwdMustChange and sambaPwdCanChange added by Marco D'Ettorre. 18 * 19 * The conditions of the OpenLDAP Public License apply. 20 */ 21 22 #include <portable.h> 23 24 #ifndef SLAPD_OVER_SMBK5PWD 25 #define SLAPD_OVER_SMBK5PWD SLAPD_MOD_DYNAMIC 26 #endif 27 28 #ifdef SLAPD_OVER_SMBK5PWD 29 30 #include <slap.h> 31 #include <ac/errno.h> 32 #include <ac/string.h> 33 34 #include "config.h" 35 36 #ifdef DO_KRB5 37 #include <lber.h> 38 #include <lber_pvt.h> 39 #include <lutil.h> 40 41 /* make ASN1_MALLOC_ENCODE use our allocator */ 42 #define malloc ch_malloc 43 44 #include <krb5.h> 45 #include <kadm5/admin.h> 46 #include <hdb.h> 47 48 #ifndef HDB_INTERFACE_VERSION 49 #define HDB_MASTER_KEY_SET master_key_set 50 #else 51 #define HDB_MASTER_KEY_SET hdb_master_key_set 52 #endif 53 54 static krb5_context context; 55 static void *kadm_context; 56 static kadm5_config_params conf; 57 static HDB *db; 58 59 static AttributeDescription *ad_krb5Key; 60 static AttributeDescription *ad_krb5KeyVersionNumber; 61 static AttributeDescription *ad_krb5PrincipalName; 62 static ObjectClass *oc_krb5KDCEntry; 63 #endif 64 65 #ifdef DO_SAMBA 66 #include <openssl/des.h> 67 #include <openssl/md4.h> 68 #include "ldap_utf8.h" 69 70 static AttributeDescription *ad_sambaLMPassword; 71 static AttributeDescription *ad_sambaNTPassword; 72 static AttributeDescription *ad_sambaPwdLastSet; 73 static AttributeDescription *ad_sambaPwdMustChange; 74 static AttributeDescription *ad_sambaPwdCanChange; 75 static ObjectClass *oc_sambaSamAccount; 76 #endif 77 78 /* Per-instance configuration information */ 79 typedef struct smbk5pwd_t { 80 unsigned mode; 81 #define SMBK5PWD_F_KRB5 (0x1U) 82 #define SMBK5PWD_F_SAMBA (0x2U) 83 84 #define SMBK5PWD_DO_KRB5(pi) ((pi)->mode & SMBK5PWD_F_KRB5) 85 #define SMBK5PWD_DO_SAMBA(pi) ((pi)->mode & SMBK5PWD_F_SAMBA) 86 87 #ifdef DO_KRB5 88 /* nothing yet */ 89 #endif 90 91 #ifdef DO_SAMBA 92 /* How many seconds before forcing a password change? */ 93 time_t smb_must_change; 94 /* How many seconds after allowing a password change? */ 95 time_t smb_can_change; 96 #endif 97 } smbk5pwd_t; 98 99 static const unsigned SMBK5PWD_F_ALL = 100 0 101 #ifdef DO_KRB5 102 | SMBK5PWD_F_KRB5 103 #endif 104 #ifdef DO_SAMBA 105 | SMBK5PWD_F_SAMBA 106 #endif 107 ; 108 109 static int smbk5pwd_modules_init( smbk5pwd_t *pi ); 110 111 #ifdef DO_SAMBA 112 static const char hex[] = "0123456789abcdef"; 113 114 /* From liblutil/passwd.c... */ 115 static void lmPasswd_to_key( 116 const char *lmPasswd, 117 DES_cblock *key) 118 { 119 const unsigned char *lpw = (const unsigned char *)lmPasswd; 120 unsigned char *k = (unsigned char *)key; 121 122 /* make room for parity bits */ 123 k[0] = lpw[0]; 124 k[1] = ((lpw[0]&0x01)<<7) | (lpw[1]>>1); 125 k[2] = ((lpw[1]&0x03)<<6) | (lpw[2]>>2); 126 k[3] = ((lpw[2]&0x07)<<5) | (lpw[3]>>3); 127 k[4] = ((lpw[3]&0x0F)<<4) | (lpw[4]>>4); 128 k[5] = ((lpw[4]&0x1F)<<3) | (lpw[5]>>5); 129 k[6] = ((lpw[5]&0x3F)<<2) | (lpw[6]>>6); 130 k[7] = ((lpw[6]&0x7F)<<1); 131 132 des_set_odd_parity( key ); 133 } 134 135 #define MAX_PWLEN 256 136 #define HASHLEN 16 137 138 static void hexify( 139 const char in[HASHLEN], 140 struct berval *out 141 ) 142 { 143 int i; 144 char *a; 145 unsigned char *b; 146 147 out->bv_val = ch_malloc(HASHLEN*2 + 1); 148 out->bv_len = HASHLEN*2; 149 150 a = out->bv_val; 151 b = (unsigned char *)in; 152 for (i=0; i<HASHLEN; i++) { 153 *a++ = hex[*b >> 4]; 154 *a++ = hex[*b++ & 0x0f]; 155 } 156 *a++ = '\0'; 157 } 158 159 static void lmhash( 160 struct berval *passwd, 161 struct berval *hash 162 ) 163 { 164 char UcasePassword[15]; 165 DES_cblock key; 166 DES_key_schedule schedule; 167 DES_cblock StdText = "KGS!@#$%"; 168 DES_cblock hbuf[2]; 169 170 strncpy( UcasePassword, passwd->bv_val, 14 ); 171 UcasePassword[14] = '\0'; 172 ldap_pvt_str2upper( UcasePassword ); 173 174 lmPasswd_to_key( UcasePassword, &key ); 175 des_set_key_unchecked( &key, schedule ); 176 des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT ); 177 178 lmPasswd_to_key( &UcasePassword[7], &key ); 179 des_set_key_unchecked( &key, schedule ); 180 des_ecb_encrypt( &StdText, &hbuf[1], schedule , DES_ENCRYPT ); 181 182 hexify( (char *)hbuf, hash ); 183 } 184 185 static void nthash( 186 struct berval *passwd, 187 struct berval *hash 188 ) 189 { 190 /* Windows currently only allows 14 character passwords, but 191 * may support up to 256 in the future. We assume this means 192 * 256 UCS2 characters, not 256 bytes... 193 */ 194 char hbuf[HASHLEN]; 195 MD4_CTX ctx; 196 197 if (passwd->bv_len > MAX_PWLEN*2) 198 passwd->bv_len = MAX_PWLEN*2; 199 200 MD4_Init( &ctx ); 201 MD4_Update( &ctx, passwd->bv_val, passwd->bv_len ); 202 MD4_Final( (unsigned char *)hbuf, &ctx ); 203 204 hexify( hbuf, hash ); 205 } 206 #endif /* DO_SAMBA */ 207 208 #ifdef DO_KRB5 209 210 static int smbk5pwd_op_cleanup( 211 Operation *op, 212 SlapReply *rs ) 213 { 214 slap_callback *cb; 215 216 /* clear out the current key */ 217 ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup, 218 NULL, 0, NULL, NULL ); 219 220 /* free the callback */ 221 cb = op->o_callback; 222 op->o_callback = cb->sc_next; 223 op->o_tmpfree( cb, op->o_tmpmemctx ); 224 return 0; 225 } 226 227 static int smbk5pwd_op_bind( 228 Operation *op, 229 SlapReply *rs ) 230 { 231 /* If this is a simple Bind, stash the Op pointer so our chk 232 * function can find it. Set a cleanup callback to clear it 233 * out when the Bind completes. 234 */ 235 if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE ) { 236 slap_callback *cb; 237 ldap_pvt_thread_pool_setkey( op->o_threadctx, 238 smbk5pwd_op_cleanup, op, 0, NULL, NULL ); 239 cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx ); 240 cb->sc_cleanup = smbk5pwd_op_cleanup; 241 cb->sc_next = op->o_callback; 242 op->o_callback = cb; 243 } 244 return SLAP_CB_CONTINUE; 245 } 246 247 static LUTIL_PASSWD_CHK_FUNC k5key_chk; 248 static LUTIL_PASSWD_HASH_FUNC k5key_hash; 249 static const struct berval k5key_scheme = BER_BVC("{K5KEY}"); 250 251 /* This password scheme stores no data in the userPassword attribute 252 * other than the scheme name. It assumes the invoking entry is a 253 * krb5KDCentry and compares the passed-in credentials against the 254 * krb5Key attribute. The krb5Key may be multi-valued, but they are 255 * simply multiple keytypes generated from the same input string, so 256 * only the first value needs to be compared here. 257 * 258 * Since the lutil_passwd API doesn't pass the Entry object in, we 259 * have to fetch it ourselves in order to get access to the other 260 * attributes. We accomplish this with the help of the overlay's Bind 261 * function, which stores the current Operation pointer in thread-specific 262 * storage so we can retrieve it here. The Operation provides all 263 * the necessary context for us to get Entry from the database. 264 */ 265 static int k5key_chk( 266 const struct berval *sc, 267 const struct berval *passwd, 268 const struct berval *cred, 269 const char **text ) 270 { 271 void *ctx, *op_tmp; 272 Operation *op; 273 int rc; 274 Entry *e; 275 Attribute *a; 276 krb5_error_code ret; 277 krb5_keyblock key; 278 krb5_salt salt; 279 hdb_entry ent; 280 281 /* Find our thread context, find our Operation */ 282 ctx = ldap_pvt_thread_pool_context(); 283 284 if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, &op_tmp, NULL ) 285 || !op_tmp ) 286 return LUTIL_PASSWD_ERR; 287 op = op_tmp; 288 289 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ); 290 if ( rc != LDAP_SUCCESS ) return LUTIL_PASSWD_ERR; 291 292 rc = LUTIL_PASSWD_ERR; 293 do { 294 size_t l; 295 Key ekey = {0}; 296 297 a = attr_find( e->e_attrs, ad_krb5PrincipalName ); 298 if (!a ) break; 299 300 memset( &ent, 0, sizeof(ent) ); 301 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal); 302 if ( ret ) break; 303 krb5_get_pw_salt( context, ent.principal, &salt ); 304 krb5_free_principal( context, ent.principal ); 305 306 a = attr_find( e->e_attrs, ad_krb5Key ); 307 if ( !a ) break; 308 309 ent.keys.len = 1; 310 ent.keys.val = &ekey; 311 decode_Key((unsigned char *) a->a_vals[0].bv_val, 312 (size_t) a->a_vals[0].bv_len, &ent.keys.val[0], &l); 313 if ( db->HDB_MASTER_KEY_SET ) 314 hdb_unseal_keys( context, db, &ent ); 315 316 krb5_string_to_key_salt( context, ekey.key.keytype, cred->bv_val, 317 salt, &key ); 318 319 krb5_free_salt( context, salt ); 320 321 if ( memcmp( ekey.key.keyvalue.data, key.keyvalue.data, 322 key.keyvalue.length ) == 0 ) rc = LUTIL_PASSWD_OK; 323 324 krb5_free_keyblock_contents( context, &key ); 325 krb5_free_keyblock_contents( context, &ekey.key ); 326 327 } while(0); 328 be_entry_release_r( op, e ); 329 return rc; 330 } 331 332 static int k5key_hash( 333 const struct berval *scheme, 334 const struct berval *passwd, 335 struct berval *hash, 336 const char **text ) 337 { 338 ber_dupbv( hash, (struct berval *)&k5key_scheme ); 339 return LUTIL_PASSWD_OK; 340 } 341 #endif /* DO_KRB5 */ 342 343 static int smbk5pwd_exop_passwd( 344 Operation *op, 345 SlapReply *rs ) 346 { 347 int rc; 348 req_pwdexop_s *qpw = &op->oq_pwdexop; 349 Entry *e; 350 Modifications *ml; 351 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; 352 smbk5pwd_t *pi = on->on_bi.bi_private; 353 char term; 354 355 /* Not the operation we expected, pass it on... */ 356 if ( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) ) { 357 return SLAP_CB_CONTINUE; 358 } 359 360 op->o_bd->bd_info = (BackendInfo *)on->on_info; 361 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ); 362 if ( rc != LDAP_SUCCESS ) return rc; 363 364 term = qpw->rs_new.bv_val[qpw->rs_new.bv_len]; 365 qpw->rs_new.bv_val[qpw->rs_new.bv_len] = '\0'; 366 367 #ifdef DO_KRB5 368 /* Kerberos stuff */ 369 do { 370 krb5_error_code ret; 371 hdb_entry ent; 372 struct berval *keys; 373 int kvno, i; 374 Attribute *a; 375 376 if ( !SMBK5PWD_DO_KRB5( pi ) ) break; 377 378 if ( !is_entry_objectclass(e, oc_krb5KDCEntry, 0 ) ) break; 379 380 a = attr_find( e->e_attrs, ad_krb5PrincipalName ); 381 if ( !a ) break; 382 383 memset( &ent, 0, sizeof(ent) ); 384 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal); 385 if ( ret ) break; 386 387 a = attr_find( e->e_attrs, ad_krb5KeyVersionNumber ); 388 kvno = 0; 389 if ( a ) { 390 if ( lutil_atoi( &kvno, a->a_vals[0].bv_val ) != 0 ) { 391 Debug( LDAP_DEBUG_ANY, "%s smbk5pwd EXOP: " 392 "dn=\"%s\" unable to parse krb5KeyVersionNumber=\"%s\"\n", 393 op->o_log_prefix, e->e_name.bv_val, a->a_vals[0].bv_val ); 394 } 395 396 } else { 397 /* shouldn't happen, this is a required attr */ 398 Debug( LDAP_DEBUG_ANY, "%s smbk5pwd EXOP: " 399 "dn=\"%s\" missing krb5KeyVersionNumber\n", 400 op->o_log_prefix, e->e_name.bv_val, 0 ); 401 } 402 403 ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val); 404 hdb_seal_keys(context, db, &ent); 405 krb5_free_principal( context, ent.principal ); 406 407 keys = ch_malloc( (ent.keys.len + 1) * sizeof(struct berval)); 408 409 for (i = 0; i < ent.keys.len; i++) { 410 unsigned char *buf; 411 size_t len; 412 413 ASN1_MALLOC_ENCODE(Key, buf, len, &ent.keys.val[i], &len, ret); 414 if (ret != 0) 415 break; 416 417 keys[i].bv_val = (char *)buf; 418 keys[i].bv_len = len; 419 } 420 BER_BVZERO( &keys[i] ); 421 422 _kadm5_free_keys(kadm_context, ent.keys.len, ent.keys.val); 423 424 if ( i != ent.keys.len ) { 425 ber_bvarray_free( keys ); 426 break; 427 } 428 429 ml = ch_malloc(sizeof(Modifications)); 430 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next; 431 ml->sml_next = qpw->rs_mods; 432 qpw->rs_mods = ml; 433 434 ml->sml_desc = ad_krb5Key; 435 ml->sml_op = LDAP_MOD_REPLACE; 436 #ifdef SLAP_MOD_INTERNAL 437 ml->sml_flags = SLAP_MOD_INTERNAL; 438 #endif 439 ml->sml_numvals = i; 440 ml->sml_values = keys; 441 ml->sml_nvalues = NULL; 442 443 ml = ch_malloc(sizeof(Modifications)); 444 ml->sml_next = qpw->rs_mods; 445 qpw->rs_mods = ml; 446 447 ml->sml_desc = ad_krb5KeyVersionNumber; 448 ml->sml_op = LDAP_MOD_REPLACE; 449 #ifdef SLAP_MOD_INTERNAL 450 ml->sml_flags = SLAP_MOD_INTERNAL; 451 #endif 452 ml->sml_numvals = 1; 453 ml->sml_values = ch_malloc( 2 * sizeof(struct berval)); 454 ml->sml_values[0].bv_val = ch_malloc( 64 ); 455 ml->sml_values[0].bv_len = sprintf(ml->sml_values[0].bv_val, 456 "%d", kvno+1 ); 457 BER_BVZERO( &ml->sml_values[1] ); 458 ml->sml_nvalues = NULL; 459 } while ( 0 ); 460 #endif /* DO_KRB5 */ 461 462 #ifdef DO_SAMBA 463 /* Samba stuff */ 464 if ( SMBK5PWD_DO_SAMBA( pi ) && is_entry_objectclass(e, oc_sambaSamAccount, 0 ) ) { 465 struct berval *keys; 466 ber_len_t j,l; 467 wchar_t *wcs, wc; 468 char *c, *d; 469 struct berval pwd; 470 471 /* Expand incoming UTF8 string to UCS4 */ 472 l = ldap_utf8_chars(qpw->rs_new.bv_val); 473 wcs = ch_malloc((l+1) * sizeof(wchar_t)); 474 475 ldap_x_utf8s_to_wcs( wcs, qpw->rs_new.bv_val, l ); 476 477 /* Truncate UCS4 to UCS2 */ 478 c = (char *)wcs; 479 for (j=0; j<l; j++) { 480 wc = wcs[j]; 481 *c++ = wc & 0xff; 482 *c++ = (wc >> 8) & 0xff; 483 } 484 *c++ = 0; 485 pwd.bv_val = (char *)wcs; 486 pwd.bv_len = l * 2; 487 488 ml = ch_malloc(sizeof(Modifications)); 489 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next; 490 ml->sml_next = qpw->rs_mods; 491 qpw->rs_mods = ml; 492 493 keys = ch_malloc( 2 * sizeof(struct berval) ); 494 BER_BVZERO( &keys[1] ); 495 nthash( &pwd, keys ); 496 497 ml->sml_desc = ad_sambaNTPassword; 498 ml->sml_op = LDAP_MOD_REPLACE; 499 #ifdef SLAP_MOD_INTERNAL 500 ml->sml_flags = SLAP_MOD_INTERNAL; 501 #endif 502 ml->sml_numvals = 1; 503 ml->sml_values = keys; 504 ml->sml_nvalues = NULL; 505 506 /* Truncate UCS2 to 8-bit ASCII */ 507 c = pwd.bv_val+1; 508 d = pwd.bv_val+2; 509 for (j=1; j<l; j++) { 510 *c++ = *d++; 511 d++; 512 } 513 pwd.bv_len /= 2; 514 pwd.bv_val[pwd.bv_len] = '\0'; 515 516 ml = ch_malloc(sizeof(Modifications)); 517 ml->sml_next = qpw->rs_mods; 518 qpw->rs_mods = ml; 519 520 keys = ch_malloc( 2 * sizeof(struct berval) ); 521 BER_BVZERO( &keys[1] ); 522 lmhash( &pwd, keys ); 523 524 ml->sml_desc = ad_sambaLMPassword; 525 ml->sml_op = LDAP_MOD_REPLACE; 526 #ifdef SLAP_MOD_INTERNAL 527 ml->sml_flags = SLAP_MOD_INTERNAL; 528 #endif 529 ml->sml_numvals = 1; 530 ml->sml_values = keys; 531 ml->sml_nvalues = NULL; 532 533 ch_free(wcs); 534 535 ml = ch_malloc(sizeof(Modifications)); 536 ml->sml_next = qpw->rs_mods; 537 qpw->rs_mods = ml; 538 539 keys = ch_malloc( 2 * sizeof(struct berval) ); 540 keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) ); 541 keys[0].bv_len = snprintf(keys[0].bv_val, 542 LDAP_PVT_INTTYPE_CHARS(long), 543 "%ld", slap_get_time()); 544 BER_BVZERO( &keys[1] ); 545 546 ml->sml_desc = ad_sambaPwdLastSet; 547 ml->sml_op = LDAP_MOD_REPLACE; 548 #ifdef SLAP_MOD_INTERNAL 549 ml->sml_flags = SLAP_MOD_INTERNAL; 550 #endif 551 ml->sml_numvals = 1; 552 ml->sml_values = keys; 553 ml->sml_nvalues = NULL; 554 555 if (pi->smb_must_change) 556 { 557 ml = ch_malloc(sizeof(Modifications)); 558 ml->sml_next = qpw->rs_mods; 559 qpw->rs_mods = ml; 560 561 keys = ch_malloc( 2 * sizeof(struct berval) ); 562 keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) ); 563 keys[0].bv_len = snprintf(keys[0].bv_val, 564 LDAP_PVT_INTTYPE_CHARS(long), 565 "%ld", slap_get_time() + pi->smb_must_change); 566 BER_BVZERO( &keys[1] ); 567 568 ml->sml_desc = ad_sambaPwdMustChange; 569 ml->sml_op = LDAP_MOD_REPLACE; 570 #ifdef SLAP_MOD_INTERNAL 571 ml->sml_flags = SLAP_MOD_INTERNAL; 572 #endif 573 ml->sml_numvals = 1; 574 ml->sml_values = keys; 575 ml->sml_nvalues = NULL; 576 } 577 578 if (pi->smb_can_change) 579 { 580 ml = ch_malloc(sizeof(Modifications)); 581 ml->sml_next = qpw->rs_mods; 582 qpw->rs_mods = ml; 583 584 keys = ch_malloc( 2 * sizeof(struct berval) ); 585 keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) ); 586 keys[0].bv_len = snprintf(keys[0].bv_val, 587 LDAP_PVT_INTTYPE_CHARS(long), 588 "%ld", slap_get_time() + pi->smb_can_change); 589 BER_BVZERO( &keys[1] ); 590 591 ml->sml_desc = ad_sambaPwdCanChange; 592 ml->sml_op = LDAP_MOD_REPLACE; 593 #ifdef SLAP_MOD_INTERNAL 594 ml->sml_flags = SLAP_MOD_INTERNAL; 595 #endif 596 ml->sml_numvals = 1; 597 ml->sml_values = keys; 598 ml->sml_nvalues = NULL; 599 } 600 } 601 #endif /* DO_SAMBA */ 602 be_entry_release_r( op, e ); 603 qpw->rs_new.bv_val[qpw->rs_new.bv_len] = term; 604 605 return SLAP_CB_CONTINUE; 606 } 607 608 static slap_overinst smbk5pwd; 609 610 /* back-config stuff */ 611 enum { 612 PC_SMB_MUST_CHANGE = 1, 613 PC_SMB_CAN_CHANGE, 614 PC_SMB_ENABLE 615 }; 616 617 static ConfigDriver smbk5pwd_cf_func; 618 619 /* 620 * NOTE: uses OID arcs OLcfgCtAt:1 and OLcfgCtOc:1 621 */ 622 623 static ConfigTable smbk5pwd_cfats[] = { 624 { "smbk5pwd-enable", "arg", 625 2, 0, 0, ARG_MAGIC|PC_SMB_ENABLE, smbk5pwd_cf_func, 626 "( OLcfgCtAt:1.1 NAME 'olcSmbK5PwdEnable' " 627 "DESC 'Modules to be enabled' " 628 "SYNTAX OMsDirectoryString )", NULL, NULL }, 629 { "smbk5pwd-must-change", "time", 630 2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_MUST_CHANGE, smbk5pwd_cf_func, 631 "( OLcfgCtAt:1.2 NAME 'olcSmbK5PwdMustChange' " 632 "DESC 'Credentials validity interval' " 633 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, 634 { "smbk5pwd-can-change", "time", 635 2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_CAN_CHANGE, smbk5pwd_cf_func, 636 "( OLcfgCtAt:1.3 NAME 'olcSmbK5PwdCanChange' " 637 "DESC 'Credentials minimum validity interval' " 638 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, 639 640 { NULL, NULL, 0, 0, 0, ARG_IGNORED } 641 }; 642 643 static ConfigOCs smbk5pwd_cfocs[] = { 644 { "( OLcfgCtOc:1.1 " 645 "NAME 'olcSmbK5PwdConfig' " 646 "DESC 'smbk5pwd overlay configuration' " 647 "SUP olcOverlayConfig " 648 "MAY ( " 649 "olcSmbK5PwdEnable " 650 "$ olcSmbK5PwdMustChange " 651 "$ olcSmbK5PwdCanChange " 652 ") )", Cft_Overlay, smbk5pwd_cfats }, 653 654 { NULL, 0, NULL } 655 }; 656 657 /* 658 * add here other functionalities; handle their initialization 659 * as appropriate in smbk5pwd_modules_init(). 660 */ 661 static slap_verbmasks smbk5pwd_modules[] = { 662 { BER_BVC( "krb5" ), SMBK5PWD_F_KRB5 }, 663 { BER_BVC( "samba" ), SMBK5PWD_F_SAMBA }, 664 { BER_BVNULL, -1 } 665 }; 666 667 static int 668 smbk5pwd_cf_func( ConfigArgs *c ) 669 { 670 slap_overinst *on = (slap_overinst *)c->bi; 671 672 int rc = 0; 673 smbk5pwd_t *pi = on->on_bi.bi_private; 674 675 if ( c->op == SLAP_CONFIG_EMIT ) { 676 switch( c->type ) { 677 case PC_SMB_MUST_CHANGE: 678 #ifdef DO_SAMBA 679 c->value_int = pi->smb_must_change; 680 #else /* ! DO_SAMBA */ 681 c->value_int = 0; 682 #endif /* ! DO_SAMBA */ 683 break; 684 685 case PC_SMB_CAN_CHANGE: 686 #ifdef DO_SAMBA 687 c->value_int = pi->smb_can_change; 688 #else /* ! DO_SAMBA */ 689 c->value_int = 0; 690 #endif /* ! DO_SAMBA */ 691 break; 692 693 case PC_SMB_ENABLE: 694 c->rvalue_vals = NULL; 695 if ( pi->mode ) { 696 mask_to_verbs( smbk5pwd_modules, pi->mode, &c->rvalue_vals ); 697 if ( c->rvalue_vals == NULL ) { 698 rc = 1; 699 } 700 } 701 break; 702 703 default: 704 assert( 0 ); 705 rc = 1; 706 } 707 return rc; 708 709 } else if ( c->op == LDAP_MOD_DELETE ) { 710 switch( c->type ) { 711 case PC_SMB_MUST_CHANGE: 712 break; 713 714 case PC_SMB_CAN_CHANGE: 715 break; 716 717 case PC_SMB_ENABLE: 718 if ( !c->line ) { 719 pi->mode = 0; 720 721 } else { 722 slap_mask_t m; 723 724 m = verb_to_mask( c->line, smbk5pwd_modules ); 725 pi->mode &= ~m; 726 } 727 break; 728 729 default: 730 assert( 0 ); 731 rc = 1; 732 } 733 return rc; 734 } 735 736 switch( c->type ) { 737 case PC_SMB_MUST_CHANGE: 738 #ifdef DO_SAMBA 739 if ( c->value_int < 0 ) { 740 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " 741 "<%s> invalid negative value \"%d\".", 742 c->log, c->argv[ 0 ], 0 ); 743 return 1; 744 } 745 pi->smb_must_change = c->value_int; 746 #else /* ! DO_SAMBA */ 747 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " 748 "<%s> only meaningful " 749 "when compiled with -DDO_SAMBA.\n", 750 c->log, c->argv[ 0 ], 0 ); 751 return 1; 752 #endif /* ! DO_SAMBA */ 753 break; 754 755 case PC_SMB_CAN_CHANGE: 756 #ifdef DO_SAMBA 757 if ( c->value_int < 0 ) { 758 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " 759 "<%s> invalid negative value \"%d\".", 760 c->log, c->argv[ 0 ], 0 ); 761 return 1; 762 } 763 pi->smb_can_change = c->value_int; 764 #else /* ! DO_SAMBA */ 765 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " 766 "<%s> only meaningful " 767 "when compiled with -DDO_SAMBA.\n", 768 c->log, c->argv[ 0 ], 0 ); 769 return 1; 770 #endif /* ! DO_SAMBA */ 771 break; 772 773 case PC_SMB_ENABLE: { 774 slap_mask_t mode = pi->mode, m; 775 776 rc = verbs_to_mask( c->argc, c->argv, smbk5pwd_modules, &m ); 777 if ( rc > 0 ) { 778 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " 779 "<%s> unknown module \"%s\".\n", 780 c->log, c->argv[ 0 ], c->argv[ rc ] ); 781 return 1; 782 } 783 784 /* we can hijack the smbk5pwd_t structure because 785 * from within the configuration, this is the only 786 * active thread. */ 787 pi->mode |= m; 788 789 #ifndef DO_KRB5 790 if ( SMBK5PWD_DO_KRB5( pi ) ) { 791 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " 792 "<%s> module \"%s\" only allowed when compiled with -DDO_KRB5.\n", 793 c->log, c->argv[ 0 ], c->argv[ rc ] ); 794 pi->mode = mode; 795 return 1; 796 } 797 #endif /* ! DO_KRB5 */ 798 799 #ifndef DO_SAMBA 800 if ( SMBK5PWD_DO_SAMBA( pi ) ) { 801 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " 802 "<%s> module \"%s\" only allowed when compiled with -DDO_SAMBA.\n", 803 c->log, c->argv[ 0 ], c->argv[ rc ] ); 804 pi->mode = mode; 805 return 1; 806 } 807 #endif /* ! DO_SAMBA */ 808 809 { 810 BackendDB db = *c->be; 811 812 /* Re-initialize the module, because 813 * the configuration might have changed */ 814 db.bd_info = (BackendInfo *)on; 815 rc = smbk5pwd_modules_init( pi ); 816 if ( rc ) { 817 pi->mode = mode; 818 return 1; 819 } 820 } 821 822 } break; 823 824 default: 825 assert( 0 ); 826 return 1; 827 } 828 return rc; 829 } 830 831 static int 832 smbk5pwd_modules_init( smbk5pwd_t *pi ) 833 { 834 static struct { 835 const char *name; 836 AttributeDescription **adp; 837 } 838 #ifdef DO_KRB5 839 krb5_ad[] = { 840 { "krb5Key", &ad_krb5Key }, 841 { "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber }, 842 { "krb5PrincipalName", &ad_krb5PrincipalName }, 843 { NULL } 844 }, 845 #endif /* DO_KRB5 */ 846 #ifdef DO_SAMBA 847 samba_ad[] = { 848 { "sambaLMPassword", &ad_sambaLMPassword }, 849 { "sambaNTPassword", &ad_sambaNTPassword }, 850 { "sambaPwdLastSet", &ad_sambaPwdLastSet }, 851 { "sambaPwdMustChange", &ad_sambaPwdMustChange }, 852 { "sambaPwdCanChange", &ad_sambaPwdCanChange }, 853 { NULL } 854 }, 855 #endif /* DO_SAMBA */ 856 dummy_ad; 857 858 /* this is to silence the unused var warning */ 859 dummy_ad.name = NULL; 860 861 #ifdef DO_KRB5 862 if ( SMBK5PWD_DO_KRB5( pi ) && oc_krb5KDCEntry == NULL ) { 863 krb5_error_code ret; 864 extern HDB *_kadm5_s_get_db(void *); 865 866 int i, rc; 867 868 /* Make sure all of our necessary schema items are loaded */ 869 oc_krb5KDCEntry = oc_find( "krb5KDCEntry" ); 870 if ( !oc_krb5KDCEntry ) { 871 Debug( LDAP_DEBUG_ANY, "smbk5pwd: " 872 "unable to find \"krb5KDCEntry\" objectClass.\n", 873 0, 0, 0 ); 874 return -1; 875 } 876 877 for ( i = 0; krb5_ad[ i ].name != NULL; i++ ) { 878 const char *text; 879 880 *(krb5_ad[ i ].adp) = NULL; 881 882 rc = slap_str2ad( krb5_ad[ i ].name, krb5_ad[ i ].adp, &text ); 883 if ( rc != LDAP_SUCCESS ) { 884 Debug( LDAP_DEBUG_ANY, "smbk5pwd: " 885 "unable to find \"%s\" attributeType: %s (%d).\n", 886 krb5_ad[ i ].name, text, rc ); 887 oc_krb5KDCEntry = NULL; 888 return rc; 889 } 890 } 891 892 /* Initialize Kerberos context */ 893 ret = krb5_init_context(&context); 894 if (ret) { 895 Debug( LDAP_DEBUG_ANY, "smbk5pwd: " 896 "unable to initialize krb5 context (%d).\n", 897 ret, 0, 0 ); 898 oc_krb5KDCEntry = NULL; 899 return -1; 900 } 901 902 ret = kadm5_s_init_with_password_ctx( context, 903 KADM5_ADMIN_SERVICE, 904 NULL, 905 KADM5_ADMIN_SERVICE, 906 &conf, 0, 0, &kadm_context ); 907 if (ret) { 908 char *err_str, *err_msg = "<unknown error>"; 909 err_str = krb5_get_error_string( context ); 910 if (!err_str) 911 err_msg = krb5_get_err_text( context, ret ); 912 Debug( LDAP_DEBUG_ANY, "smbk5pwd: " 913 "unable to initialize krb5 admin context: %s (%d).\n", 914 err_str ? err_str : err_msg, ret, 0 ); 915 if (err_str) 916 krb5_free_error_string( context, err_str ); 917 krb5_free_context( context ); 918 oc_krb5KDCEntry = NULL; 919 return -1; 920 } 921 922 db = _kadm5_s_get_db( kadm_context ); 923 } 924 #endif /* DO_KRB5 */ 925 926 #ifdef DO_SAMBA 927 if ( SMBK5PWD_DO_SAMBA( pi ) && oc_sambaSamAccount == NULL ) { 928 int i, rc; 929 930 oc_sambaSamAccount = oc_find( "sambaSamAccount" ); 931 if ( !oc_sambaSamAccount ) { 932 Debug( LDAP_DEBUG_ANY, "smbk5pwd: " 933 "unable to find \"sambaSamAccount\" objectClass.\n", 934 0, 0, 0 ); 935 return -1; 936 } 937 938 for ( i = 0; samba_ad[ i ].name != NULL; i++ ) { 939 const char *text; 940 941 *(samba_ad[ i ].adp) = NULL; 942 943 rc = slap_str2ad( samba_ad[ i ].name, samba_ad[ i ].adp, &text ); 944 if ( rc != LDAP_SUCCESS ) { 945 Debug( LDAP_DEBUG_ANY, "smbk5pwd: " 946 "unable to find \"%s\" attributeType: %s (%d).\n", 947 samba_ad[ i ].name, text, rc ); 948 oc_sambaSamAccount = NULL; 949 return rc; 950 } 951 } 952 } 953 #endif /* DO_SAMBA */ 954 955 return 0; 956 } 957 958 static int 959 smbk5pwd_db_init(BackendDB *be, ConfigReply *cr) 960 { 961 slap_overinst *on = (slap_overinst *)be->bd_info; 962 smbk5pwd_t *pi; 963 964 pi = ch_calloc( 1, sizeof( smbk5pwd_t ) ); 965 if ( pi == NULL ) { 966 return 1; 967 } 968 on->on_bi.bi_private = (void *)pi; 969 970 return 0; 971 } 972 973 static int 974 smbk5pwd_db_open(BackendDB *be, ConfigReply *cr) 975 { 976 slap_overinst *on = (slap_overinst *)be->bd_info; 977 smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private; 978 979 int rc; 980 981 if ( pi->mode == 0 ) { 982 pi->mode = SMBK5PWD_F_ALL; 983 } 984 985 rc = smbk5pwd_modules_init( pi ); 986 if ( rc ) { 987 return rc; 988 } 989 990 return 0; 991 } 992 993 static int 994 smbk5pwd_db_destroy(BackendDB *be, ConfigReply *cr) 995 { 996 slap_overinst *on = (slap_overinst *)be->bd_info; 997 smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private; 998 999 if ( pi ) { 1000 ch_free( pi ); 1001 } 1002 1003 return 0; 1004 } 1005 1006 int 1007 smbk5pwd_initialize(void) 1008 { 1009 int rc; 1010 1011 smbk5pwd.on_bi.bi_type = "smbk5pwd"; 1012 1013 smbk5pwd.on_bi.bi_db_init = smbk5pwd_db_init; 1014 smbk5pwd.on_bi.bi_db_open = smbk5pwd_db_open; 1015 smbk5pwd.on_bi.bi_db_destroy = smbk5pwd_db_destroy; 1016 1017 smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd; 1018 1019 #ifdef DO_KRB5 1020 smbk5pwd.on_bi.bi_op_bind = smbk5pwd_op_bind; 1021 1022 lutil_passwd_add( (struct berval *)&k5key_scheme, k5key_chk, k5key_hash ); 1023 #endif 1024 1025 smbk5pwd.on_bi.bi_cf_ocs = smbk5pwd_cfocs; 1026 1027 rc = config_register_schema( smbk5pwd_cfats, smbk5pwd_cfocs ); 1028 if ( rc ) { 1029 return rc; 1030 } 1031 1032 return overlay_register( &smbk5pwd ); 1033 } 1034 1035 #if SLAPD_OVER_SMBK5PWD == SLAPD_MOD_DYNAMIC 1036 int init_module(int argc, char *argv[]) { 1037 return smbk5pwd_initialize(); 1038 } 1039 #endif 1040 1041 #endif /* defined(SLAPD_OVER_SMBK5PWD) */ 1042