1 /* $NetBSD: nslcd.h,v 1.2 2021/08/14 16:14:52 christos Exp $ */ 2 3 /* 4 nslcd.h - file describing client/server protocol 5 6 Copyright (C) 2006 West Consulting 7 Copyright (C) 2006, 2007, 2009, 2010, 2011, 2012, 2013 Arthur de Jong 8 9 This library is free software; you can redistribute it and/or 10 modify it under the terms of the GNU Lesser General Public 11 License as published by the Free Software Foundation; either 12 version 2.1 of the License, or (at your option) any later version. 13 14 This library is distributed in the hope that it will be useful, 15 but WITHOUT ANY WARRANTY; without even the implied warranty of 16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 17 Lesser General Public License for more details. 18 19 You should have received a copy of the GNU Lesser General Public 20 License along with this library; if not, write to the Free Software 21 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 22 02110-1301 USA 23 */ 24 25 #ifndef _NSLCD_H 26 #define _NSLCD_H 1 27 28 /* 29 The protocol used between the nslcd client and server is a simple binary 30 protocol. It is request/response based where the client initiates a 31 connection, does a single request and closes the connection again. Any 32 mangled or not understood messages will be silently ignored by the server. 33 34 A request looks like: 35 INT32 NSLCD_VERSION 36 INT32 NSLCD_ACTION_* 37 [request parameters if any] 38 A response looks like: 39 INT32 NSLCD_VERSION 40 INT32 NSLCD_ACTION_* (the original request type) 41 [result(s)] 42 INT32 NSLCD_RESULT_END 43 A single result entry looks like: 44 INT32 NSLCD_RESULT_BEGIN 45 [result value(s)] 46 If a response would return multiple values (e.g. for NSLCD_ACTION_*_ALL 47 functions) each return value will be preceded by a NSLCD_RESULT_BEGIN 48 value. After the last returned result the server sends 49 NSLCD_RESULT_END. If some error occurs (e.g. LDAP server unavailable, 50 error in the request, etc) the server terminates the connection to signal 51 an error condition (breaking the protocol). 52 53 These are the available basic data types: 54 INT32 - 32-bit integer value 55 TYPE - a typed field that is transferred using sizeof() 56 STRING - a string length (32bit) followed by the string value (not 57 null-terminated) the string itself is assumed to be UTF-8 58 STRINGLIST - a 32-bit number noting the number of strings followed by 59 the strings one at a time 60 61 Furthermore the ADDRESS compound data type is defined as: 62 INT32 type of address: e.g. AF_INET or AF_INET6 63 INT32 length of address 64 RAW the address itself 65 With the ADDRESSLIST using the same construct as with STRINGLIST. 66 67 The protocol uses network byte order for all types. 68 */ 69 70 /* The current version of the protocol. This protocol should only be 71 updated with major backwards-incompatible changes. */ 72 #define NSLCD_VERSION 0x00000002 73 74 /* Get a NSLCD configuration option. There is one request parameter: 75 INT32 NSLCD_CONFIG_* 76 the result value is: 77 STRING value, interpretation depending on request */ 78 #define NSLCD_ACTION_CONFIG_GET 0x00010001 79 80 /* return the message, if any, that is presented to the user when password 81 modification through PAM is prohibited */ 82 #define NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE 1 83 84 /* Email alias (/etc/aliases) NSS requests. The result values for a 85 single entry are: 86 STRING alias name 87 STRINGLIST alias rcpts */ 88 #define NSLCD_ACTION_ALIAS_BYNAME 0x00020001 89 #define NSLCD_ACTION_ALIAS_ALL 0x00020008 90 91 /* Ethernet address/name mapping NSS requests. The result values for a 92 single entry are: 93 STRING ether name 94 TYPE(uint8_t[6]) ether address */ 95 #define NSLCD_ACTION_ETHER_BYNAME 0x00030001 96 #define NSLCD_ACTION_ETHER_BYETHER 0x00030002 97 #define NSLCD_ACTION_ETHER_ALL 0x00030008 98 99 /* Group and group membership related NSS requests. The result values 100 for a single entry are: 101 STRING group name 102 STRING group password 103 INT32 group id 104 STRINGLIST members (usernames) of the group 105 (not that the BYMEMER call returns an empty members list) */ 106 #define NSLCD_ACTION_GROUP_BYNAME 0x00040001 107 #define NSLCD_ACTION_GROUP_BYGID 0x00040002 108 #define NSLCD_ACTION_GROUP_BYMEMBER 0x00040006 109 #define NSLCD_ACTION_GROUP_ALL 0x00040008 110 111 /* Hostname (/etc/hosts) lookup NSS requests. The result values 112 for an entry are: 113 STRING host name 114 STRINGLIST host aliases 115 ADDRESSLIST host addresses */ 116 #define NSLCD_ACTION_HOST_BYNAME 0x00050001 117 #define NSLCD_ACTION_HOST_BYADDR 0x00050002 118 #define NSLCD_ACTION_HOST_ALL 0x00050008 119 120 /* Netgroup NSS result entries contain a number of parts. A result entry 121 starts with: 122 STRING netgroup name 123 followed by zero or more references to other netgroups or netgroup 124 triples. A reference to another netgroup looks like: 125 INT32 NSLCD_NETGROUP_TYPE_NETGROUP 126 STRING other netgroup name 127 A a netgroup triple looks like: 128 INT32 NSLCD_NETGROUP_TYPE_TRIPLE 129 STRING host 130 STRING user 131 STRING domain 132 A netgroup result entry is terminated by: 133 INT32 NSLCD_NETGROUP_TYPE_END 134 */ 135 #define NSLCD_ACTION_NETGROUP_BYNAME 0x00060001 136 #define NSLCD_ACTION_NETGROUP_ALL 0x00060008 137 #define NSLCD_NETGROUP_TYPE_NETGROUP 1 138 #define NSLCD_NETGROUP_TYPE_TRIPLE 2 139 #define NSLCD_NETGROUP_TYPE_END 3 140 141 /* Network name (/etc/networks) NSS requests. Result values for a single 142 entry are: 143 STRING network name 144 STRINGLIST network aliases 145 ADDRESSLIST network addresses */ 146 #define NSLCD_ACTION_NETWORK_BYNAME 0x00070001 147 #define NSLCD_ACTION_NETWORK_BYADDR 0x00070002 148 #define NSLCD_ACTION_NETWORK_ALL 0x00070008 149 150 /* User account (/etc/passwd) NSS requests. Result values are: 151 STRING user name 152 STRING user password 153 INT32 user id 154 INT32 group id 155 STRING gecos information 156 STRING home directory 157 STRING login shell */ 158 #define NSLCD_ACTION_PASSWD_BYNAME 0x00080001 159 #define NSLCD_ACTION_PASSWD_BYUID 0x00080002 160 #define NSLCD_ACTION_PASSWD_ALL 0x00080008 161 162 /* Protocol information requests. Result values are: 163 STRING protocol name 164 STRINGLIST protocol aliases 165 INT32 protocol number */ 166 #define NSLCD_ACTION_PROTOCOL_BYNAME 0x00090001 167 #define NSLCD_ACTION_PROTOCOL_BYNUMBER 0x00090002 168 #define NSLCD_ACTION_PROTOCOL_ALL 0x00090008 169 170 /* RPC information requests. Result values are: 171 STRING rpc name 172 STRINGLIST rpc aliases 173 INT32 rpc number */ 174 #define NSLCD_ACTION_RPC_BYNAME 0x000a0001 175 #define NSLCD_ACTION_RPC_BYNUMBER 0x000a0002 176 #define NSLCD_ACTION_RPC_ALL 0x000a0008 177 178 /* Service (/etc/services) information requests. The BYNAME and BYNUMBER 179 requests contain an extra protocol string in the request which, if not 180 blank, will filter the services by this protocol. Result values are: 181 STRING service name 182 STRINGLIST service aliases 183 INT32 service (port) number 184 STRING service protocol */ 185 #define NSLCD_ACTION_SERVICE_BYNAME 0x000b0001 186 #define NSLCD_ACTION_SERVICE_BYNUMBER 0x000b0002 187 #define NSLCD_ACTION_SERVICE_ALL 0x000b0008 188 189 /* Extended user account (/etc/shadow) information requests. Result 190 values for a single entry are: 191 STRING user name 192 STRING user password 193 INT32 last password change 194 INT32 mindays 195 INT32 maxdays 196 INT32 warn 197 INT32 inact 198 INT32 expire 199 INT32 flag */ 200 #define NSLCD_ACTION_SHADOW_BYNAME 0x000c0001 201 #define NSLCD_ACTION_SHADOW_ALL 0x000c0008 202 203 /* PAM-related requests. The request parameters for all these requests 204 begin with: 205 STRING user name 206 STRING service name 207 STRING ruser 208 STRING rhost 209 STRING tty 210 If the user is not known in LDAP no result may be returned (immediately 211 return NSLCD_RESULT_END instead of a PAM error code). */ 212 213 /* PAM authentication check request. The extra request values are: 214 STRING password 215 and the result value consists of: 216 INT32 authc NSLCD_PAM_* result code 217 STRING user name (the canonical user name) 218 INT32 authz NSLCD_PAM_* result code 219 STRING authorisation error message 220 If the username is empty in this request an attempt is made to 221 authenticate as the administrator (set using rootpwmoddn). 222 Some authorisation checks are already done during authentication so the 223 response also includes authorisation information. */ 224 #define NSLCD_ACTION_PAM_AUTHC 0x000d0001 225 226 /* PAM authorisation check request. The result value consists of: 227 INT32 authz NSLCD_PAM_* result code 228 STRING authorisation error message 229 The authentication check may have already returned some authorisation 230 information. The authorisation error message, if supplied, will be used 231 by the PAM module instead of a message that is generated by the PAM 232 module itself. */ 233 #define NSLCD_ACTION_PAM_AUTHZ 0x000d0002 234 235 /* PAM session open request. The result value consists of: 236 STRING session id 237 This session id may be used to close this session with. */ 238 #define NSLCD_ACTION_PAM_SESS_O 0x000d0003 239 240 /* PAM session close request. This request has the following 241 extra request value: 242 STRING session id 243 and this calls only returns an empty response value. */ 244 #define NSLCD_ACTION_PAM_SESS_C 0x000d0004 245 246 /* PAM password modification request. This requests has the following extra 247 request values: 248 INT32 asroot: 0=oldpasswd is user passwd, 1=oldpasswd is root passwd 249 STRING old password 250 STRING new password 251 and returns there extra result values: 252 INT32 NSLCD_PAM_* result code 253 STRING error message */ 254 #define NSLCD_ACTION_PAM_PWMOD 0x000d0005 255 256 /* User information change request. This request allows one to change 257 their full name and other information. The request parameters for this 258 request are: 259 STRING user name 260 INT32 asroot: 0=passwd is user passwd, 1=passwd is root passwd 261 STRING password 262 followed by one or more of the below, terminated by NSLCD_USERMOD_END 263 INT32 NSLCD_USERMOD_* 264 STRING new value 265 the response consists of one or more of the entries below, terminated 266 by NSLCD_USERMOD_END: 267 INT32 NSLCD_USERMOD_* 268 STRING response 269 (if the response is blank, the change went OK, otherwise the string 270 contains an error message) 271 */ 272 #define NSLCD_ACTION_USERMOD 0x000e0001 273 274 /* These are the possible values for the NSLCD_ACTION_USERMOD operation 275 above. */ 276 #define NSLCD_USERMOD_END 0 /* end of change values */ 277 #define NSLCD_USERMOD_RESULT 1 /* global result value */ 278 #define NSLCD_USERMOD_FULLNAME 2 /* full name */ 279 #define NSLCD_USERMOD_ROOMNUMBER 3 /* room number */ 280 #define NSLCD_USERMOD_WORKPHONE 4 /* office phone number */ 281 #define NSLCD_USERMOD_HOMEPHONE 5 /* home phone number */ 282 #define NSLCD_USERMOD_OTHER 6 /* other info */ 283 #define NSLCD_USERMOD_HOMEDIR 7 /* home directory */ 284 #define NSLCD_USERMOD_SHELL 8 /* login shell */ 285 286 /* Request result codes. */ 287 #define NSLCD_RESULT_BEGIN 1 288 #define NSLCD_RESULT_END 2 289 290 /* Partial list of PAM result codes. */ 291 #define NSLCD_PAM_SUCCESS 0 /* everything ok */ 292 #define NSLCD_PAM_PERM_DENIED 6 /* Permission denied */ 293 #define NSLCD_PAM_AUTH_ERR 7 /* Authc failure */ 294 #define NSLCD_PAM_CRED_INSUFFICIENT 8 /* Cannot access authc data */ 295 #define NSLCD_PAM_AUTHINFO_UNAVAIL 9 /* Cannot retrieve authc info */ 296 #define NSLCD_PAM_USER_UNKNOWN 10 /* User not known */ 297 #define NSLCD_PAM_MAXTRIES 11 /* Retry limit reached */ 298 #define NSLCD_PAM_NEW_AUTHTOK_REQD 12 /* Password expired */ 299 #define NSLCD_PAM_ACCT_EXPIRED 13 /* Account expired */ 300 #define NSLCD_PAM_SESSION_ERR 14 /* Cannot make/remove session record */ 301 #define NSLCD_PAM_AUTHTOK_ERR 20 /* Authentication token manipulation error */ 302 #define NSLCD_PAM_AUTHTOK_DISABLE_AGING 23 /* Password aging disabled */ 303 #define NSLCD_PAM_IGNORE 25 /* Ignore module */ 304 #define NSLCD_PAM_ABORT 26 /* Fatal error */ 305 #define NSLCD_PAM_AUTHTOK_EXPIRED 27 /* authentication token has expired */ 306 307 #endif /* not _NSLCD_H */ 308