1 /* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
2 /* $OpenLDAP$ */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 *
5 * Copyright 2004-2021 The OpenLDAP Foundation.
6 * Portions Copyright 2004-2005 by Howard Chu, Symas Corp.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
11 * Public License.
12 *
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
16 */
17 /* ACKNOWLEDGEMENTS:
18 * Support for table-driven configuration added by Pierangelo Masarati.
19 * Support for sambaPwdMustChange and sambaPwdCanChange added by Marco D'Ettorre.
20 * Support for shadowLastChange added by SATOH Fumiyasu @ OSS Technology, Inc.
21 */
22
23 #include <portable.h>
24
25 #ifndef SLAPD_OVER_SMBK5PWD
26 #define SLAPD_OVER_SMBK5PWD SLAPD_MOD_DYNAMIC
27 #endif
28
29 #ifdef SLAPD_OVER_SMBK5PWD
30
31 #include <slap.h>
32 #include <ac/errno.h>
33 #include <ac/string.h>
34
35 #include "config.h"
36
37 #ifdef DO_KRB5
38 #include <lber.h>
39 #include <lber_pvt.h>
40 #include <lutil.h>
41
42 /* make ASN1_MALLOC_ENCODE use our allocator */
43 #define malloc ch_malloc
44
45 #include <krb5.h>
46 #include <kadm5/admin.h>
47 #include <hdb.h>
48
49 #ifndef HDB_INTERFACE_VERSION
50 #define HDB_MASTER_KEY_SET master_key_set
51 #else
52 #define HDB_MASTER_KEY_SET hdb_master_key_set
53 #endif
54
55 static krb5_context context;
56 static void *kadm_context;
57 static kadm5_config_params conf;
58 static HDB *db;
59
60 static AttributeDescription *ad_krb5Key;
61 static AttributeDescription *ad_krb5KeyVersionNumber;
62 static AttributeDescription *ad_krb5PrincipalName;
63 static AttributeDescription *ad_krb5ValidEnd;
64 static ObjectClass *oc_krb5KDCEntry;
65 #endif
66
67 #ifdef DO_SAMBA
68 #ifdef HAVE_GNUTLS
69 #include <nettle/des.h>
70 #include <nettle/md4.h>
71 typedef unsigned char DES_cblock[8];
72 #elif HAVE_OPENSSL
73 #include <openssl/des.h>
74 #include <openssl/md4.h>
75 #else
76 #error Unsupported crypto backend.
77 #endif
78 #include "ldap_utf8.h"
79
80 static AttributeDescription *ad_sambaLMPassword;
81 static AttributeDescription *ad_sambaNTPassword;
82 static AttributeDescription *ad_sambaPwdLastSet;
83 static AttributeDescription *ad_sambaPwdMustChange;
84 static AttributeDescription *ad_sambaPwdCanChange;
85 static ObjectClass *oc_sambaSamAccount;
86 #endif
87
88 #ifdef DO_SHADOW
89 static AttributeDescription *ad_shadowLastChange;
90 static ObjectClass *oc_shadowAccount;
91 #endif
92
93 /* Per-instance configuration information */
94 typedef struct smbk5pwd_t {
95 unsigned mode;
96 #define SMBK5PWD_F_KRB5 (0x1U)
97 #define SMBK5PWD_F_SAMBA (0x2U)
98 #define SMBK5PWD_F_SHADOW (0x4U)
99
100 #define SMBK5PWD_DO_KRB5(pi) ((pi)->mode & SMBK5PWD_F_KRB5)
101 #define SMBK5PWD_DO_SAMBA(pi) ((pi)->mode & SMBK5PWD_F_SAMBA)
102 #define SMBK5PWD_DO_SHADOW(pi) ((pi)->mode & SMBK5PWD_F_SHADOW)
103
104 #ifdef DO_KRB5
105 /* nothing yet */
106 #endif
107
108 #ifdef DO_SAMBA
109 /* How many seconds before forcing a password change? */
110 time_t smb_must_change;
111 /* How many seconds after allowing a password change? */
112 time_t smb_can_change;
113 #endif
114
115 #ifdef DO_SHADOW
116 /* nothing yet */
117 #endif
118 } smbk5pwd_t;
119
120 static const unsigned SMBK5PWD_F_ALL =
121 0
122 #ifdef DO_KRB5
123 | SMBK5PWD_F_KRB5
124 #endif
125 #ifdef DO_SAMBA
126 | SMBK5PWD_F_SAMBA
127 #endif
128 #ifdef DO_SHADOW
129 | SMBK5PWD_F_SHADOW
130 #endif
131 ;
132
133 static int smbk5pwd_modules_init( smbk5pwd_t *pi );
134
135 #ifdef DO_SAMBA
136 static const char hex[] = "0123456789abcdef";
137
138 /* From liblutil/passwd.c... */
lmPasswd_to_key(const char * lmPasswd,DES_cblock * key)139 static void lmPasswd_to_key(
140 const char *lmPasswd,
141 DES_cblock *key)
142 {
143 const unsigned char *lpw = (const unsigned char *)lmPasswd;
144 unsigned char *k = (unsigned char *)key;
145
146 /* make room for parity bits */
147 k[0] = lpw[0];
148 k[1] = ((lpw[0]&0x01)<<7) | (lpw[1]>>1);
149 k[2] = ((lpw[1]&0x03)<<6) | (lpw[2]>>2);
150 k[3] = ((lpw[2]&0x07)<<5) | (lpw[3]>>3);
151 k[4] = ((lpw[3]&0x0F)<<4) | (lpw[4]>>4);
152 k[5] = ((lpw[4]&0x1F)<<3) | (lpw[5]>>5);
153 k[6] = ((lpw[5]&0x3F)<<2) | (lpw[6]>>6);
154 k[7] = ((lpw[6]&0x7F)<<1);
155
156 #ifdef HAVE_OPENSSL
157 DES_set_odd_parity( key );
158 #endif
159 }
160
161 #define MAX_PWLEN 256
162 #define HASHLEN 16
163
hexify(const char in[HASHLEN],struct berval * out)164 static void hexify(
165 const char in[HASHLEN],
166 struct berval *out
167 )
168 {
169 int i;
170 char *a;
171 unsigned char *b;
172
173 out->bv_val = ch_malloc(HASHLEN*2 + 1);
174 out->bv_len = HASHLEN*2;
175
176 a = out->bv_val;
177 b = (unsigned char *)in;
178 for (i=0; i<HASHLEN; i++) {
179 *a++ = hex[*b >> 4];
180 *a++ = hex[*b++ & 0x0f];
181 }
182 *a++ = '\0';
183 }
184
lmhash(struct berval * passwd,struct berval * hash)185 static void lmhash(
186 struct berval *passwd,
187 struct berval *hash
188 )
189 {
190 char UcasePassword[15];
191 DES_cblock key;
192 DES_cblock StdText = "KGS!@#$%";
193 DES_cblock hbuf[2];
194 #ifdef HAVE_OPENSSL
195 DES_key_schedule schedule;
196 #elif defined(HAVE_GNUTLS)
197 struct des_ctx ctx;
198 #endif
199
200 strncpy( UcasePassword, passwd->bv_val, 14 );
201 UcasePassword[14] = '\0';
202 ldap_pvt_str2upper( UcasePassword );
203
204 lmPasswd_to_key( UcasePassword, &key );
205 #ifdef HAVE_GNUTLS
206 des_set_key( &ctx, key );
207 des_encrypt( &ctx, sizeof(key), hbuf[0], StdText );
208
209 lmPasswd_to_key( &UcasePassword[7], &key );
210 des_set_key( &ctx, key );
211 des_encrypt( &ctx, sizeof(key), hbuf[1], StdText );
212 #elif defined(HAVE_OPENSSL)
213 DES_set_key_unchecked( &key, &schedule );
214 DES_ecb_encrypt( &StdText, &hbuf[0], &schedule , DES_ENCRYPT );
215
216 lmPasswd_to_key( &UcasePassword[7], &key );
217 DES_set_key_unchecked( &key, &schedule );
218 DES_ecb_encrypt( &StdText, &hbuf[1], &schedule , DES_ENCRYPT );
219 #endif
220
221 hexify( (char *)hbuf, hash );
222 }
223
nthash(struct berval * passwd,struct berval * hash)224 static void nthash(
225 struct berval *passwd,
226 struct berval *hash
227 )
228 {
229 /* Windows currently only allows 14 character passwords, but
230 * may support up to 256 in the future. We assume this means
231 * 256 UCS2 characters, not 256 bytes...
232 */
233 char hbuf[HASHLEN];
234 #ifdef HAVE_OPENSSL
235 MD4_CTX ctx;
236 #elif defined(HAVE_GNUTLS)
237 struct md4_ctx ctx;
238 #endif
239
240 if (passwd->bv_len > MAX_PWLEN*2)
241 passwd->bv_len = MAX_PWLEN*2;
242
243 #ifdef HAVE_OPENSSL
244 MD4_Init( &ctx );
245 MD4_Update( &ctx, passwd->bv_val, passwd->bv_len );
246 MD4_Final( (unsigned char *)hbuf, &ctx );
247 #elif defined(HAVE_GNUTLS)
248 md4_init( &ctx );
249 md4_update( &ctx, passwd->bv_len, (unsigned char *)passwd->bv_val );
250 md4_digest( &ctx, sizeof(hbuf), (unsigned char *)hbuf );
251 #endif
252
253 hexify( hbuf, hash );
254 }
255 #endif /* DO_SAMBA */
256
257 #ifdef DO_KRB5
258
smbk5pwd_op_cleanup(Operation * op,SlapReply * rs)259 static int smbk5pwd_op_cleanup(
260 Operation *op,
261 SlapReply *rs )
262 {
263 slap_callback *cb;
264
265 /* clear out the current key */
266 ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup,
267 NULL, 0, NULL, NULL );
268
269 /* free the callback */
270 cb = op->o_callback;
271 op->o_callback = cb->sc_next;
272 op->o_tmpfree( cb, op->o_tmpmemctx );
273 return 0;
274 }
275
smbk5pwd_op_bind(Operation * op,SlapReply * rs)276 static int smbk5pwd_op_bind(
277 Operation *op,
278 SlapReply *rs )
279 {
280 /* If this is a simple Bind, stash the Op pointer so our chk
281 * function can find it. Set a cleanup callback to clear it
282 * out when the Bind completes.
283 */
284 if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE ) {
285 slap_callback *cb;
286 ldap_pvt_thread_pool_setkey( op->o_threadctx,
287 smbk5pwd_op_cleanup, op, 0, NULL, NULL );
288 cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
289 cb->sc_cleanup = smbk5pwd_op_cleanup;
290 cb->sc_next = op->o_callback;
291 op->o_callback = cb;
292 }
293 return SLAP_CB_CONTINUE;
294 }
295
296 static LUTIL_PASSWD_CHK_FUNC k5key_chk;
297 static LUTIL_PASSWD_HASH_FUNC k5key_hash;
298 static const struct berval k5key_scheme = BER_BVC("{K5KEY}");
299
300 /* This password scheme stores no data in the userPassword attribute
301 * other than the scheme name. It assumes the invoking entry is a
302 * krb5KDCentry and compares the passed-in credentials against the
303 * krb5Key attribute. The krb5Key may be multi-valued, but they are
304 * simply multiple keytypes generated from the same input string, so
305 * only the first value needs to be compared here.
306 *
307 * Since the lutil_passwd API doesn't pass the Entry object in, we
308 * have to fetch it ourselves in order to get access to the other
309 * attributes. We accomplish this with the help of the overlay's Bind
310 * function, which stores the current Operation pointer in thread-specific
311 * storage so we can retrieve it here. The Operation provides all
312 * the necessary context for us to get Entry from the database.
313 */
k5key_chk(const struct berval * sc,const struct berval * passwd,const struct berval * cred,const char ** text)314 static int k5key_chk(
315 const struct berval *sc,
316 const struct berval *passwd,
317 const struct berval *cred,
318 const char **text )
319 {
320 void *ctx, *op_tmp;
321 Operation *op;
322 int rc;
323 Entry *e;
324 Attribute *a;
325 krb5_error_code ret;
326 krb5_keyblock key;
327 krb5_salt salt;
328 hdb_entry ent;
329
330 /* Find our thread context, find our Operation */
331 ctx = ldap_pvt_thread_pool_context();
332
333 if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, &op_tmp, NULL )
334 || !op_tmp )
335 return LUTIL_PASSWD_ERR;
336 op = op_tmp;
337
338 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
339 if ( rc != LDAP_SUCCESS ) return LUTIL_PASSWD_ERR;
340
341 rc = LUTIL_PASSWD_ERR;
342 do {
343 size_t l;
344 Key ekey = {0};
345
346 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
347 if (!a ) break;
348
349 memset( &ent, 0, sizeof(ent) );
350 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
351 if ( ret ) break;
352
353 a = attr_find( e->e_attrs, ad_krb5ValidEnd );
354 if (a) {
355 struct lutil_tm tm;
356 struct lutil_timet tt;
357 if ( lutil_parsetime( a->a_vals[0].bv_val, &tm ) == 0 &&
358 lutil_tm2time( &tm, &tt ) == 0 && tt.tt_usec < op->o_time ) {
359 /* Account is expired */
360 rc = LUTIL_PASSWD_ERR;
361 break;
362 }
363 }
364
365 krb5_get_pw_salt( context, ent.principal, &salt );
366 krb5_free_principal( context, ent.principal );
367
368 a = attr_find( e->e_attrs, ad_krb5Key );
369 if ( !a ) break;
370
371 ent.keys.len = 1;
372 ent.keys.val = &ekey;
373 decode_Key((unsigned char *) a->a_vals[0].bv_val,
374 (size_t) a->a_vals[0].bv_len, &ent.keys.val[0], &l);
375 if ( db->HDB_MASTER_KEY_SET )
376 hdb_unseal_keys( context, db, &ent );
377
378 krb5_string_to_key_salt( context, ekey.key.keytype, cred->bv_val,
379 salt, &key );
380
381 krb5_free_salt( context, salt );
382
383 if ( memcmp( ekey.key.keyvalue.data, key.keyvalue.data,
384 key.keyvalue.length ) == 0 ) rc = LUTIL_PASSWD_OK;
385
386 krb5_free_keyblock_contents( context, &key );
387 krb5_free_keyblock_contents( context, &ekey.key );
388
389 } while(0);
390 be_entry_release_r( op, e );
391 return rc;
392 }
393
k5key_hash(const struct berval * scheme,const struct berval * passwd,struct berval * hash,const char ** text)394 static int k5key_hash(
395 const struct berval *scheme,
396 const struct berval *passwd,
397 struct berval *hash,
398 const char **text )
399 {
400 ber_dupbv( hash, (struct berval *)&k5key_scheme );
401 return LUTIL_PASSWD_OK;
402 }
403 #endif /* DO_KRB5 */
404
smbk5pwd_exop_passwd(Operation * op,SlapReply * rs)405 static int smbk5pwd_exop_passwd(
406 Operation *op,
407 SlapReply *rs )
408 {
409 int rc;
410 req_pwdexop_s *qpw = &op->oq_pwdexop;
411 Entry *e;
412 Modifications *ml;
413 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
414 smbk5pwd_t *pi = on->on_bi.bi_private;
415 char term;
416
417 /* Not the operation we expected, pass it on... */
418 if ( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) ) {
419 return SLAP_CB_CONTINUE;
420 }
421
422 op->o_bd->bd_info = (BackendInfo *)on->on_info;
423 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
424 if ( rc != LDAP_SUCCESS ) return rc;
425
426 term = qpw->rs_new.bv_val[qpw->rs_new.bv_len];
427 qpw->rs_new.bv_val[qpw->rs_new.bv_len] = '\0';
428
429 #ifdef DO_KRB5
430 /* Kerberos stuff */
431 do {
432 krb5_error_code ret;
433 hdb_entry ent;
434 struct berval *keys;
435 size_t nkeys;
436 int kvno, i;
437 Attribute *a;
438
439 if ( !SMBK5PWD_DO_KRB5( pi ) ) break;
440
441 if ( !is_entry_objectclass(e, oc_krb5KDCEntry, 0 ) ) break;
442
443 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
444 if ( !a ) break;
445
446 memset( &ent, 0, sizeof(ent) );
447 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
448 if ( ret ) break;
449
450 a = attr_find( e->e_attrs, ad_krb5KeyVersionNumber );
451 kvno = 0;
452 if ( a ) {
453 if ( lutil_atoi( &kvno, a->a_vals[0].bv_val ) != 0 ) {
454 Debug( LDAP_DEBUG_ANY, "%s smbk5pwd EXOP: "
455 "dn=\"%s\" unable to parse krb5KeyVersionNumber=\"%s\"\n",
456 op->o_log_prefix, e->e_name.bv_val, a->a_vals[0].bv_val );
457 }
458
459 } else {
460 /* shouldn't happen, this is a required attr */
461 Debug( LDAP_DEBUG_ANY, "%s smbk5pwd EXOP: "
462 "dn=\"%s\" missing krb5KeyVersionNumber\n",
463 op->o_log_prefix, e->e_name.bv_val, 0 );
464 }
465
466 ret = hdb_generate_key_set_password(context, ent.principal,
467 qpw->rs_new.bv_val, &ent.keys.val, &nkeys);
468 ent.keys.len = nkeys;
469 hdb_seal_keys(context, db, &ent);
470 krb5_free_principal( context, ent.principal );
471
472 keys = ch_malloc( (ent.keys.len + 1) * sizeof(struct berval));
473
474 for (i = 0; i < ent.keys.len; i++) {
475 unsigned char *buf;
476 size_t len;
477
478 ASN1_MALLOC_ENCODE(Key, buf, len, &ent.keys.val[i], &len, ret);
479 if (ret != 0)
480 break;
481
482 keys[i].bv_val = (char *)buf;
483 keys[i].bv_len = len;
484 }
485 BER_BVZERO( &keys[i] );
486
487 hdb_free_keys(context, ent.keys.len, ent.keys.val);
488
489 if ( i != ent.keys.len ) {
490 ber_bvarray_free( keys );
491 break;
492 }
493
494 ml = ch_malloc(sizeof(Modifications));
495 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
496 ml->sml_next = qpw->rs_mods;
497 qpw->rs_mods = ml;
498
499 ml->sml_desc = ad_krb5Key;
500 ml->sml_op = LDAP_MOD_REPLACE;
501 #ifdef SLAP_MOD_INTERNAL
502 ml->sml_flags = SLAP_MOD_INTERNAL;
503 #endif
504 ml->sml_numvals = i;
505 ml->sml_values = keys;
506 ml->sml_nvalues = NULL;
507
508 ml = ch_malloc(sizeof(Modifications));
509 ml->sml_next = qpw->rs_mods;
510 qpw->rs_mods = ml;
511
512 ml->sml_desc = ad_krb5KeyVersionNumber;
513 ml->sml_op = LDAP_MOD_REPLACE;
514 #ifdef SLAP_MOD_INTERNAL
515 ml->sml_flags = SLAP_MOD_INTERNAL;
516 #endif
517 ml->sml_numvals = 1;
518 ml->sml_values = ch_malloc( 2 * sizeof(struct berval));
519 ml->sml_values[0].bv_val = ch_malloc( 64 );
520 ml->sml_values[0].bv_len = sprintf(ml->sml_values[0].bv_val,
521 "%d", kvno+1 );
522 BER_BVZERO( &ml->sml_values[1] );
523 ml->sml_nvalues = NULL;
524 } while ( 0 );
525 #endif /* DO_KRB5 */
526
527 #ifdef DO_SAMBA
528 /* Samba stuff */
529 if ( SMBK5PWD_DO_SAMBA( pi ) && is_entry_objectclass(e, oc_sambaSamAccount, 0 ) ) {
530 struct berval *keys;
531 ber_len_t j,l;
532 wchar_t *wcs, wc;
533 char *c, *d;
534 struct berval pwd;
535
536 /* Expand incoming UTF8 string to UCS4 */
537 l = ldap_utf8_chars(qpw->rs_new.bv_val);
538 wcs = ch_malloc((l+1) * sizeof(wchar_t));
539
540 ldap_x_utf8s_to_wcs( wcs, qpw->rs_new.bv_val, l );
541
542 /* Truncate UCS4 to UCS2 */
543 c = (char *)wcs;
544 for (j=0; j<l; j++) {
545 wc = wcs[j];
546 *c++ = wc & 0xff;
547 *c++ = (wc >> 8) & 0xff;
548 }
549 *c++ = 0;
550 pwd.bv_val = (char *)wcs;
551 pwd.bv_len = l * 2;
552
553 ml = ch_malloc(sizeof(Modifications));
554 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
555 ml->sml_next = qpw->rs_mods;
556 qpw->rs_mods = ml;
557
558 keys = ch_malloc( 2 * sizeof(struct berval) );
559 BER_BVZERO( &keys[1] );
560 nthash( &pwd, keys );
561
562 ml->sml_desc = ad_sambaNTPassword;
563 ml->sml_op = LDAP_MOD_REPLACE;
564 #ifdef SLAP_MOD_INTERNAL
565 ml->sml_flags = SLAP_MOD_INTERNAL;
566 #endif
567 ml->sml_numvals = 1;
568 ml->sml_values = keys;
569 ml->sml_nvalues = NULL;
570
571 /* Truncate UCS2 to 8-bit ASCII */
572 c = pwd.bv_val+1;
573 d = pwd.bv_val+2;
574 for (j=1; j<l; j++) {
575 *c++ = *d++;
576 d++;
577 }
578 pwd.bv_len /= 2;
579 pwd.bv_val[pwd.bv_len] = '\0';
580
581 ml = ch_malloc(sizeof(Modifications));
582 ml->sml_next = qpw->rs_mods;
583 qpw->rs_mods = ml;
584
585 keys = ch_malloc( 2 * sizeof(struct berval) );
586 BER_BVZERO( &keys[1] );
587 lmhash( &pwd, keys );
588
589 ml->sml_desc = ad_sambaLMPassword;
590 ml->sml_op = LDAP_MOD_REPLACE;
591 #ifdef SLAP_MOD_INTERNAL
592 ml->sml_flags = SLAP_MOD_INTERNAL;
593 #endif
594 ml->sml_numvals = 1;
595 ml->sml_values = keys;
596 ml->sml_nvalues = NULL;
597
598 ch_free(wcs);
599
600 ml = ch_malloc(sizeof(Modifications));
601 ml->sml_next = qpw->rs_mods;
602 qpw->rs_mods = ml;
603
604 keys = ch_malloc( 2 * sizeof(struct berval) );
605 keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
606 keys[0].bv_len = snprintf(keys[0].bv_val,
607 LDAP_PVT_INTTYPE_CHARS(long),
608 "%ld", slap_get_time());
609 BER_BVZERO( &keys[1] );
610
611 ml->sml_desc = ad_sambaPwdLastSet;
612 ml->sml_op = LDAP_MOD_REPLACE;
613 #ifdef SLAP_MOD_INTERNAL
614 ml->sml_flags = SLAP_MOD_INTERNAL;
615 #endif
616 ml->sml_numvals = 1;
617 ml->sml_values = keys;
618 ml->sml_nvalues = NULL;
619
620 if (pi->smb_must_change)
621 {
622 ml = ch_malloc(sizeof(Modifications));
623 ml->sml_next = qpw->rs_mods;
624 qpw->rs_mods = ml;
625
626 keys = ch_malloc( 2 * sizeof(struct berval) );
627 keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
628 keys[0].bv_len = snprintf(keys[0].bv_val,
629 LDAP_PVT_INTTYPE_CHARS(long),
630 "%ld", slap_get_time() + pi->smb_must_change);
631 BER_BVZERO( &keys[1] );
632
633 ml->sml_desc = ad_sambaPwdMustChange;
634 ml->sml_op = LDAP_MOD_REPLACE;
635 #ifdef SLAP_MOD_INTERNAL
636 ml->sml_flags = SLAP_MOD_INTERNAL;
637 #endif
638 ml->sml_numvals = 1;
639 ml->sml_values = keys;
640 ml->sml_nvalues = NULL;
641 }
642
643 if (pi->smb_can_change)
644 {
645 ml = ch_malloc(sizeof(Modifications));
646 ml->sml_next = qpw->rs_mods;
647 qpw->rs_mods = ml;
648
649 keys = ch_malloc( 2 * sizeof(struct berval) );
650 keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
651 keys[0].bv_len = snprintf(keys[0].bv_val,
652 LDAP_PVT_INTTYPE_CHARS(long),
653 "%ld", slap_get_time() + pi->smb_can_change);
654 BER_BVZERO( &keys[1] );
655
656 ml->sml_desc = ad_sambaPwdCanChange;
657 ml->sml_op = LDAP_MOD_REPLACE;
658 #ifdef SLAP_MOD_INTERNAL
659 ml->sml_flags = SLAP_MOD_INTERNAL;
660 #endif
661 ml->sml_numvals = 1;
662 ml->sml_values = keys;
663 ml->sml_nvalues = NULL;
664 }
665 }
666 #endif /* DO_SAMBA */
667
668 #ifdef DO_SHADOW
669 /* shadow stuff */
670 if ( SMBK5PWD_DO_SHADOW( pi ) && is_entry_objectclass(e, oc_shadowAccount, 0 ) ) {
671 struct berval *keys;
672
673 ml = ch_malloc(sizeof(Modifications));
674 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
675 ml->sml_next = qpw->rs_mods;
676 qpw->rs_mods = ml;
677
678 keys = ch_malloc( sizeof(struct berval) * 2);
679 BER_BVZERO( &keys[1] );
680 keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
681 keys[0].bv_len = snprintf(keys[0].bv_val,
682 LDAP_PVT_INTTYPE_CHARS(long),
683 "%ld", (long)(slap_get_time() / (60 * 60 * 24)));
684
685 ml->sml_desc = ad_shadowLastChange;
686 ml->sml_op = LDAP_MOD_REPLACE;
687 #ifdef SLAP_MOD_INTERNAL
688 ml->sml_flags = SLAP_MOD_INTERNAL;
689 #endif
690 ml->sml_numvals = 1;
691 ml->sml_values = keys;
692 ml->sml_nvalues = NULL;
693 }
694 #endif /* DO_SHADOW */
695
696 be_entry_release_r( op, e );
697 qpw->rs_new.bv_val[qpw->rs_new.bv_len] = term;
698
699 return SLAP_CB_CONTINUE;
700 }
701
702 static slap_overinst smbk5pwd;
703
704 /* back-config stuff */
705 enum {
706 PC_SMB_MUST_CHANGE = 1,
707 PC_SMB_CAN_CHANGE,
708 PC_SMB_ENABLE
709 };
710
711 static ConfigDriver smbk5pwd_cf_func;
712
713 /*
714 * NOTE: uses OID arcs OLcfgCtAt:1 and OLcfgCtOc:1
715 */
716
717 static ConfigTable smbk5pwd_cfats[] = {
718 { "smbk5pwd-enable", "arg",
719 2, 0, 0, ARG_MAGIC|PC_SMB_ENABLE, smbk5pwd_cf_func,
720 "( OLcfgCtAt:1.1 NAME 'olcSmbK5PwdEnable' "
721 "DESC 'Modules to be enabled' "
722 "SYNTAX OMsDirectoryString )", NULL, NULL },
723 { "smbk5pwd-must-change", "time",
724 2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_MUST_CHANGE, smbk5pwd_cf_func,
725 "( OLcfgCtAt:1.2 NAME 'olcSmbK5PwdMustChange' "
726 "DESC 'Credentials validity interval' "
727 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
728 { "smbk5pwd-can-change", "time",
729 2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_CAN_CHANGE, smbk5pwd_cf_func,
730 "( OLcfgCtAt:1.3 NAME 'olcSmbK5PwdCanChange' "
731 "DESC 'Credentials minimum validity interval' "
732 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
733
734 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
735 };
736
737 static ConfigOCs smbk5pwd_cfocs[] = {
738 { "( OLcfgCtOc:1.1 "
739 "NAME 'olcSmbK5PwdConfig' "
740 "DESC 'smbk5pwd overlay configuration' "
741 "SUP olcOverlayConfig "
742 "MAY ( "
743 "olcSmbK5PwdEnable "
744 "$ olcSmbK5PwdMustChange "
745 "$ olcSmbK5PwdCanChange "
746 ") )", Cft_Overlay, smbk5pwd_cfats },
747
748 { NULL, 0, NULL }
749 };
750
751 /*
752 * add here other functionalities; handle their initialization
753 * as appropriate in smbk5pwd_modules_init().
754 */
755 static slap_verbmasks smbk5pwd_modules[] = {
756 { BER_BVC( "krb5" ), SMBK5PWD_F_KRB5 },
757 { BER_BVC( "samba" ), SMBK5PWD_F_SAMBA },
758 { BER_BVC( "shadow" ), SMBK5PWD_F_SHADOW },
759 { BER_BVNULL, -1 }
760 };
761
762 static int
smbk5pwd_cf_func(ConfigArgs * c)763 smbk5pwd_cf_func( ConfigArgs *c )
764 {
765 slap_overinst *on = (slap_overinst *)c->bi;
766
767 int rc = 0;
768 smbk5pwd_t *pi = on->on_bi.bi_private;
769
770 if ( c->op == SLAP_CONFIG_EMIT ) {
771 switch( c->type ) {
772 case PC_SMB_MUST_CHANGE:
773 #ifdef DO_SAMBA
774 c->value_int = pi->smb_must_change;
775 #else /* ! DO_SAMBA */
776 c->value_int = 0;
777 #endif /* ! DO_SAMBA */
778 break;
779
780 case PC_SMB_CAN_CHANGE:
781 #ifdef DO_SAMBA
782 c->value_int = pi->smb_can_change;
783 #else /* ! DO_SAMBA */
784 c->value_int = 0;
785 #endif /* ! DO_SAMBA */
786 break;
787
788 case PC_SMB_ENABLE:
789 c->rvalue_vals = NULL;
790 if ( pi->mode ) {
791 mask_to_verbs( smbk5pwd_modules, pi->mode, &c->rvalue_vals );
792 if ( c->rvalue_vals == NULL ) {
793 rc = 1;
794 }
795 }
796 break;
797
798 default:
799 assert( 0 );
800 rc = 1;
801 }
802 return rc;
803
804 } else if ( c->op == LDAP_MOD_DELETE ) {
805 switch( c->type ) {
806 case PC_SMB_MUST_CHANGE:
807 break;
808
809 case PC_SMB_CAN_CHANGE:
810 break;
811
812 case PC_SMB_ENABLE:
813 if ( !c->line ) {
814 pi->mode = 0;
815
816 } else {
817 int i;
818
819 i = verb_to_mask( c->line, smbk5pwd_modules );
820 pi->mode &= ~smbk5pwd_modules[i].mask;
821 }
822 break;
823
824 default:
825 assert( 0 );
826 rc = 1;
827 }
828 return rc;
829 }
830
831 switch( c->type ) {
832 case PC_SMB_MUST_CHANGE:
833 #ifdef DO_SAMBA
834 if ( c->value_int < 0 ) {
835 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
836 "<%s> invalid negative value \"%d\".",
837 c->log, c->argv[ 0 ], 0 );
838 return 1;
839 }
840 pi->smb_must_change = c->value_int;
841 #else /* ! DO_SAMBA */
842 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
843 "<%s> only meaningful "
844 "when compiled with -DDO_SAMBA.\n",
845 c->log, c->argv[ 0 ], 0 );
846 return 1;
847 #endif /* ! DO_SAMBA */
848 break;
849
850 case PC_SMB_CAN_CHANGE:
851 #ifdef DO_SAMBA
852 if ( c->value_int < 0 ) {
853 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
854 "<%s> invalid negative value \"%d\".",
855 c->log, c->argv[ 0 ], 0 );
856 return 1;
857 }
858 pi->smb_can_change = c->value_int;
859 #else /* ! DO_SAMBA */
860 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
861 "<%s> only meaningful "
862 "when compiled with -DDO_SAMBA.\n",
863 c->log, c->argv[ 0 ], 0 );
864 return 1;
865 #endif /* ! DO_SAMBA */
866 break;
867
868 case PC_SMB_ENABLE: {
869 slap_mask_t mode = pi->mode, m = 0;
870
871 rc = verbs_to_mask( c->argc, c->argv, smbk5pwd_modules, &m );
872 if ( rc > 0 ) {
873 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
874 "<%s> unknown module \"%s\".\n",
875 c->log, c->argv[ 0 ], c->argv[ rc ] );
876 return 1;
877 }
878
879 /* we can hijack the smbk5pwd_t structure because
880 * from within the configuration, this is the only
881 * active thread. */
882 pi->mode |= m;
883
884 #ifndef DO_KRB5
885 if ( SMBK5PWD_DO_KRB5( pi ) ) {
886 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
887 "<%s> module \"%s\" only allowed when compiled with -DDO_KRB5.\n",
888 c->log, c->argv[ 0 ], c->argv[ rc ] );
889 pi->mode = mode;
890 return 1;
891 }
892 #endif /* ! DO_KRB5 */
893
894 #ifndef DO_SAMBA
895 if ( SMBK5PWD_DO_SAMBA( pi ) ) {
896 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
897 "<%s> module \"%s\" only allowed when compiled with -DDO_SAMBA.\n",
898 c->log, c->argv[ 0 ], c->argv[ rc ] );
899 pi->mode = mode;
900 return 1;
901 }
902 #endif /* ! DO_SAMBA */
903
904 #ifndef DO_SHADOW
905 if ( SMBK5PWD_DO_SHADOW( pi ) ) {
906 Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
907 "<%s> module \"%s\" only allowed when compiled with -DDO_SHADOW.\n",
908 c->log, c->argv[ 0 ], c->argv[ rc ] );
909 pi->mode = mode;
910 return 1;
911 }
912 #endif /* ! DO_SHADOW */
913
914 /* Re-initialize the module, because
915 * the configuration might have changed */
916 rc = smbk5pwd_modules_init( pi );
917 if ( rc ) {
918 pi->mode = mode;
919 return 1;
920 }
921
922 } break;
923
924 default:
925 assert( 0 );
926 return 1;
927 }
928 return rc;
929 }
930
931 static int
smbk5pwd_modules_init(smbk5pwd_t * pi)932 smbk5pwd_modules_init( smbk5pwd_t *pi )
933 {
934 static struct {
935 const char *name;
936 AttributeDescription **adp;
937 }
938 #ifdef DO_KRB5
939 krb5_ad[] = {
940 { "krb5Key", &ad_krb5Key },
941 { "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber },
942 { "krb5PrincipalName", &ad_krb5PrincipalName },
943 { "krb5ValidEnd", &ad_krb5ValidEnd },
944 { NULL }
945 },
946 #endif /* DO_KRB5 */
947 #ifdef DO_SAMBA
948 samba_ad[] = {
949 { "sambaLMPassword", &ad_sambaLMPassword },
950 { "sambaNTPassword", &ad_sambaNTPassword },
951 { "sambaPwdLastSet", &ad_sambaPwdLastSet },
952 { "sambaPwdMustChange", &ad_sambaPwdMustChange },
953 { "sambaPwdCanChange", &ad_sambaPwdCanChange },
954 { NULL }
955 },
956 #endif /* DO_SAMBA */
957 #ifdef DO_SHADOW
958 shadow_ad[] = {
959 { "shadowLastChange", &ad_shadowLastChange },
960 { NULL }
961 },
962 #endif /* DO_SHADOW */
963 dummy_ad;
964
965 /* this is to silence the unused var warning */
966 (void) dummy_ad;
967
968 #ifdef DO_KRB5
969 if ( SMBK5PWD_DO_KRB5( pi ) && oc_krb5KDCEntry == NULL ) {
970 krb5_error_code ret;
971 extern HDB *_kadm5_s_get_db(void *);
972
973 int i, rc;
974
975 /* Make sure all of our necessary schema items are loaded */
976 oc_krb5KDCEntry = oc_find( "krb5KDCEntry" );
977 if ( !oc_krb5KDCEntry ) {
978 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
979 "unable to find \"krb5KDCEntry\" objectClass.\n",
980 0, 0, 0 );
981 return -1;
982 }
983
984 for ( i = 0; krb5_ad[ i ].name != NULL; i++ ) {
985 const char *text;
986
987 *(krb5_ad[ i ].adp) = NULL;
988
989 rc = slap_str2ad( krb5_ad[ i ].name, krb5_ad[ i ].adp, &text );
990 if ( rc != LDAP_SUCCESS ) {
991 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
992 "unable to find \"%s\" attributeType: %s (%d).\n",
993 krb5_ad[ i ].name, text, rc );
994 oc_krb5KDCEntry = NULL;
995 return rc;
996 }
997 }
998
999 /* Initialize Kerberos context */
1000 ret = krb5_init_context(&context);
1001 if (ret) {
1002 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
1003 "unable to initialize krb5 context (%d).\n",
1004 ret, 0, 0 );
1005 oc_krb5KDCEntry = NULL;
1006 return -1;
1007 }
1008
1009 ret = kadm5_s_init_with_password_ctx( context,
1010 KADM5_ADMIN_SERVICE,
1011 NULL,
1012 KADM5_ADMIN_SERVICE,
1013 &conf, 0, 0, &kadm_context );
1014 if (ret) {
1015 char *err_str, *err_msg = "<unknown error>";
1016 err_str = krb5_get_error_string( context );
1017 if (!err_str)
1018 err_msg = (char *)krb5_get_err_text( context, ret );
1019 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
1020 "unable to initialize krb5 admin context: %s (%d).\n",
1021 err_str ? err_str : err_msg, ret, 0 );
1022 if (err_str)
1023 krb5_free_error_string( context, err_str );
1024 krb5_free_context( context );
1025 oc_krb5KDCEntry = NULL;
1026 return -1;
1027 }
1028
1029 db = _kadm5_s_get_db( kadm_context );
1030 }
1031 #endif /* DO_KRB5 */
1032
1033 #ifdef DO_SAMBA
1034 if ( SMBK5PWD_DO_SAMBA( pi ) && oc_sambaSamAccount == NULL ) {
1035 int i, rc;
1036
1037 oc_sambaSamAccount = oc_find( "sambaSamAccount" );
1038 if ( !oc_sambaSamAccount ) {
1039 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
1040 "unable to find \"sambaSamAccount\" objectClass.\n",
1041 0, 0, 0 );
1042 return -1;
1043 }
1044
1045 for ( i = 0; samba_ad[ i ].name != NULL; i++ ) {
1046 const char *text;
1047
1048 *(samba_ad[ i ].adp) = NULL;
1049
1050 rc = slap_str2ad( samba_ad[ i ].name, samba_ad[ i ].adp, &text );
1051 if ( rc != LDAP_SUCCESS ) {
1052 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
1053 "unable to find \"%s\" attributeType: %s (%d).\n",
1054 samba_ad[ i ].name, text, rc );
1055 oc_sambaSamAccount = NULL;
1056 return rc;
1057 }
1058 }
1059 }
1060 #endif /* DO_SAMBA */
1061
1062 #ifdef DO_SHADOW
1063 if ( SMBK5PWD_DO_SHADOW( pi ) && oc_shadowAccount == NULL ) {
1064 int i, rc;
1065
1066 oc_shadowAccount = oc_find( "shadowAccount" );
1067 if ( !oc_shadowAccount ) {
1068 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
1069 "unable to find \"shadowAccount\" objectClass.\n",
1070 0, 0, 0 );
1071 return -1;
1072 }
1073
1074 for ( i = 0; shadow_ad[ i ].name != NULL; i++ ) {
1075 const char *text;
1076
1077 *(shadow_ad[ i ].adp) = NULL;
1078
1079 rc = slap_str2ad( shadow_ad[ i ].name, shadow_ad[ i ].adp, &text );
1080 if ( rc != LDAP_SUCCESS ) {
1081 Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
1082 "unable to find \"%s\" attributeType: %s (%d).\n",
1083 shadow_ad[ i ].name, text, rc );
1084 oc_shadowAccount = NULL;
1085 return rc;
1086 }
1087 }
1088 }
1089 #endif /* DO_SHADOW */
1090
1091 return 0;
1092 }
1093
1094 static int
smbk5pwd_db_init(BackendDB * be,ConfigReply * cr)1095 smbk5pwd_db_init(BackendDB *be, ConfigReply *cr)
1096 {
1097 slap_overinst *on = (slap_overinst *)be->bd_info;
1098 smbk5pwd_t *pi;
1099
1100 pi = ch_calloc( 1, sizeof( smbk5pwd_t ) );
1101 if ( pi == NULL ) {
1102 return 1;
1103 }
1104 on->on_bi.bi_private = (void *)pi;
1105
1106 return 0;
1107 }
1108
1109 static int
smbk5pwd_db_open(BackendDB * be,ConfigReply * cr)1110 smbk5pwd_db_open(BackendDB *be, ConfigReply *cr)
1111 {
1112 slap_overinst *on = (slap_overinst *)be->bd_info;
1113 smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private;
1114
1115 int rc;
1116
1117 if ( pi->mode == 0 ) {
1118 pi->mode = SMBK5PWD_F_ALL;
1119 }
1120
1121 rc = smbk5pwd_modules_init( pi );
1122 if ( rc ) {
1123 return rc;
1124 }
1125
1126 return 0;
1127 }
1128
1129 static int
smbk5pwd_db_destroy(BackendDB * be,ConfigReply * cr)1130 smbk5pwd_db_destroy(BackendDB *be, ConfigReply *cr)
1131 {
1132 slap_overinst *on = (slap_overinst *)be->bd_info;
1133 smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private;
1134
1135 if ( pi ) {
1136 ch_free( pi );
1137 }
1138
1139 return 0;
1140 }
1141
1142 int
smbk5pwd_initialize(void)1143 smbk5pwd_initialize(void)
1144 {
1145 int rc;
1146
1147 smbk5pwd.on_bi.bi_type = "smbk5pwd";
1148
1149 smbk5pwd.on_bi.bi_db_init = smbk5pwd_db_init;
1150 smbk5pwd.on_bi.bi_db_open = smbk5pwd_db_open;
1151 smbk5pwd.on_bi.bi_db_destroy = smbk5pwd_db_destroy;
1152
1153 smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd;
1154
1155 #ifdef DO_KRB5
1156 smbk5pwd.on_bi.bi_op_bind = smbk5pwd_op_bind;
1157
1158 lutil_passwd_add( (struct berval *)&k5key_scheme, k5key_chk, k5key_hash );
1159 #endif
1160
1161 smbk5pwd.on_bi.bi_cf_ocs = smbk5pwd_cfocs;
1162
1163 rc = config_register_schema( smbk5pwd_cfats, smbk5pwd_cfocs );
1164 if ( rc ) {
1165 return rc;
1166 }
1167
1168 return overlay_register( &smbk5pwd );
1169 }
1170
1171 #if SLAPD_OVER_SMBK5PWD == SLAPD_MOD_DYNAMIC
init_module(int argc,char * argv[])1172 int init_module(int argc, char *argv[]) {
1173 return smbk5pwd_initialize();
1174 }
1175 #endif
1176
1177 #endif /* defined(SLAPD_OVER_SMBK5PWD) */
1178