17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate * CDDL HEADER START
37c478bd9Sstevel@tonic-gate *
47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the
5cb5caa98Sdjl * Common Development and Distribution License (the "License").
6cb5caa98Sdjl * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate *
87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate * and limitations under the License.
127c478bd9Sstevel@tonic-gate *
137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate *
197c478bd9Sstevel@tonic-gate * CDDL HEADER END
207c478bd9Sstevel@tonic-gate */
217c478bd9Sstevel@tonic-gate /*
22cb5caa98Sdjl * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
237c478bd9Sstevel@tonic-gate * Use is subject to license terms.
247c478bd9Sstevel@tonic-gate */
257c478bd9Sstevel@tonic-gate
267c478bd9Sstevel@tonic-gate #include <pwd.h>
277c478bd9Sstevel@tonic-gate #include <ctype.h>
287c478bd9Sstevel@tonic-gate #include "ldap_common.h"
297c478bd9Sstevel@tonic-gate
307c478bd9Sstevel@tonic-gate /* publickey attributes filters */
317c478bd9Sstevel@tonic-gate #define _KEY_CN "cn"
327c478bd9Sstevel@tonic-gate #define _KEY_NISPUBLICKEY "nisPublickey"
337c478bd9Sstevel@tonic-gate #define _KEY_NISSECRETKEY "nisSecretkey"
347c478bd9Sstevel@tonic-gate #define _KEY_UIDNUMBER "uidnumber"
357c478bd9Sstevel@tonic-gate
367c478bd9Sstevel@tonic-gate #define _F_GETKEY_USER "(&(objectClass=nisKeyObject)(uidNumber=%s))"
377c478bd9Sstevel@tonic-gate #define _F_GETKEY_USER_SSD "(&(%%s)(uidNumber=%s))"
387c478bd9Sstevel@tonic-gate #define _F_GETKEY_HOST "(&(objectClass=nisKeyObject)(cn=%s))"
397c478bd9Sstevel@tonic-gate #define _F_GETKEY_HOST_SSD "(&(%%s)(cn=%s))"
407c478bd9Sstevel@tonic-gate
417c478bd9Sstevel@tonic-gate static const char *keys_attrs[] = {
427c478bd9Sstevel@tonic-gate _KEY_NISPUBLICKEY,
437c478bd9Sstevel@tonic-gate _KEY_NISSECRETKEY,
447c478bd9Sstevel@tonic-gate (char *)NULL
457c478bd9Sstevel@tonic-gate };
467c478bd9Sstevel@tonic-gate
477c478bd9Sstevel@tonic-gate
487c478bd9Sstevel@tonic-gate /*
49cb5caa98Sdjl * _nss_ldap_key2str is the data marshaling method for the publickey getXbyY
507c478bd9Sstevel@tonic-gate * (e.g., getpublickey() and getsecretkey()) backend processes. This method
517c478bd9Sstevel@tonic-gate * is called after a successful ldap search has been performed. This method
52cb5caa98Sdjl * will parse the ldap search values into "public:secret" file format.
53cb5caa98Sdjl *
54cb5caa98Sdjl * c3d91f44568fbbefada50d336d9bd67b16e7016f987bb607:
55cb5caa98Sdjl * 7675cd9b8753b5db09dabf12da759c2bd1331c927bb322861fffb54be13f55e9
56cb5caa98Sdjl *
57cb5caa98Sdjl * (All in one line)
58cb5caa98Sdjl *
59cb5caa98Sdjl * Publickey does not have a front end marshaller so db_type is set
60cb5caa98Sdjl * for special handling.
617c478bd9Sstevel@tonic-gate */
627c478bd9Sstevel@tonic-gate
637c478bd9Sstevel@tonic-gate static int
_nss_ldap_key2str(ldap_backend_ptr be,nss_XbyY_args_t * argp)64cb5caa98Sdjl _nss_ldap_key2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
657c478bd9Sstevel@tonic-gate {
667c478bd9Sstevel@tonic-gate int nss_result;
677c478bd9Sstevel@tonic-gate char *keytype = (char *)argp->key.pkey.keytype;
687c478bd9Sstevel@tonic-gate int keytypelen = strlen(keytype);
69cb5caa98Sdjl int len;
70cb5caa98Sdjl int buflen = argp->buf.buflen;
71cb5caa98Sdjl char *buffer, *pkey, *skey;
727c478bd9Sstevel@tonic-gate ns_ldap_result_t *result = be->result;
73cb5caa98Sdjl char **pkey_array, **skey_array;
747c478bd9Sstevel@tonic-gate
75cb5caa98Sdjl if (result == NULL || keytype == NULL) {
76cb5caa98Sdjl nss_result = NSS_STR_PARSE_ERANGE;
77cb5caa98Sdjl goto result_key2str;
787c478bd9Sstevel@tonic-gate }
79cb5caa98Sdjl nss_result = NSS_STR_PARSE_SUCCESS;
80cb5caa98Sdjl (void) memset(argp->buf.buffer, 0, buflen);
817c478bd9Sstevel@tonic-gate /* get the publickey */
82cb5caa98Sdjl pkey_array = __ns_ldap_getAttr(result->entry, _KEY_NISPUBLICKEY);
83cb5caa98Sdjl if (pkey_array == NULL) {
84cb5caa98Sdjl nss_result = NSS_STR_PARSE_PARSE;
85cb5caa98Sdjl goto result_key2str;
867c478bd9Sstevel@tonic-gate }
87cb5caa98Sdjl while (*pkey_array) {
88*6e6545bfSToomas Soome if (strncasecmp(*pkey_array, keytype, keytypelen) == 0)
897c478bd9Sstevel@tonic-gate break;
90cb5caa98Sdjl pkey_array++;
917c478bd9Sstevel@tonic-gate }
92cb5caa98Sdjl if (*pkey_array == NULL) {
93cb5caa98Sdjl nss_result = NSS_STR_PARSE_PARSE;
94cb5caa98Sdjl goto result_key2str;
957c478bd9Sstevel@tonic-gate }
96cb5caa98Sdjl pkey = *pkey_array + keytypelen;
977c478bd9Sstevel@tonic-gate
987c478bd9Sstevel@tonic-gate /* get the secretkey */
99cb5caa98Sdjl skey_array = __ns_ldap_getAttr(result->entry, _KEY_NISSECRETKEY);
100cb5caa98Sdjl if (skey_array == NULL) {
1017c478bd9Sstevel@tonic-gate /*
1027c478bd9Sstevel@tonic-gate * if we got this far, it's possible that the secret
1037c478bd9Sstevel@tonic-gate * key is actually missing or no permission to read it.
1047c478bd9Sstevel@tonic-gate * For the current implementation, we assume that the
1057c478bd9Sstevel@tonic-gate * clients have read permission to the secret key. So,
1067c478bd9Sstevel@tonic-gate * the only possibility of reaching this here is due to
1077c478bd9Sstevel@tonic-gate * missing secret key.
1087c478bd9Sstevel@tonic-gate */
109cb5caa98Sdjl nss_result = NSS_STR_PARSE_PARSE;
110cb5caa98Sdjl goto result_key2str;
1117c478bd9Sstevel@tonic-gate }
112cb5caa98Sdjl while (*skey_array) {
113*6e6545bfSToomas Soome if (strncasecmp(*skey_array, keytype, keytypelen) == 0)
1147c478bd9Sstevel@tonic-gate break;
115cb5caa98Sdjl skey_array++;
1167c478bd9Sstevel@tonic-gate }
117cb5caa98Sdjl if (*skey_array == NULL) {
118cb5caa98Sdjl nss_result = NSS_STR_PARSE_PARSE;
119cb5caa98Sdjl goto result_key2str;
1207c478bd9Sstevel@tonic-gate }
121cb5caa98Sdjl skey = *skey_array + keytypelen;
1227c478bd9Sstevel@tonic-gate
123cb5caa98Sdjl /* 2 = 1 ':' + 1 '\0' */
124cb5caa98Sdjl len = strlen(pkey) + strlen(skey) + 2;
125cb5caa98Sdjl if (len > buflen) {
126cb5caa98Sdjl nss_result = NSS_STR_PARSE_ERANGE;
127cb5caa98Sdjl goto result_key2str;
1287c478bd9Sstevel@tonic-gate }
129cb5caa98Sdjl /*
130cb5caa98Sdjl * publickey does not have a frontend marshaller.
131cb5caa98Sdjl * copy the result to buf.buffer directly
132cb5caa98Sdjl */
133cb5caa98Sdjl buffer = argp->buf.buffer;
1347c478bd9Sstevel@tonic-gate
135cb5caa98Sdjl (void) snprintf(buffer, len, "%s:%s", pkey, skey);
1367c478bd9Sstevel@tonic-gate
137cb5caa98Sdjl be->db_type = NSS_LDAP_DB_PUBLICKEY;
138cb5caa98Sdjl
139cb5caa98Sdjl result_key2str:
1407c478bd9Sstevel@tonic-gate
1417c478bd9Sstevel@tonic-gate (void) __ns_ldap_freeResult(&be->result);
1427c478bd9Sstevel@tonic-gate return ((int)nss_result);
1437c478bd9Sstevel@tonic-gate }
1447c478bd9Sstevel@tonic-gate
1457c478bd9Sstevel@tonic-gate
1467c478bd9Sstevel@tonic-gate /*
1477c478bd9Sstevel@tonic-gate * getkeys gets both the public and secret keys from publickey entry by either
1487c478bd9Sstevel@tonic-gate * uid name or host name. This function constructs an ldap search filter using
1497c478bd9Sstevel@tonic-gate * the name invocation parameter and the getpwnam search filter defined. Once
1507c478bd9Sstevel@tonic-gate * the filter is constructed, we search for a matching entry and marshal the
1517c478bd9Sstevel@tonic-gate * data results into struct passwd for the frontend process. The function
1527c478bd9Sstevel@tonic-gate * _nss_ldap_key2ent performs the data marshaling.
1537c478bd9Sstevel@tonic-gate * The lookups will be done using the proxy credential. We don't want to use
1547c478bd9Sstevel@tonic-gate * the user's credential for lookup at this point because we don't have any
1557c478bd9Sstevel@tonic-gate * secure transport.
1567c478bd9Sstevel@tonic-gate */
1577c478bd9Sstevel@tonic-gate
1587c478bd9Sstevel@tonic-gate static nss_status_t
getkeys(ldap_backend_ptr be,void * a)1597c478bd9Sstevel@tonic-gate getkeys(ldap_backend_ptr be, void *a)
1607c478bd9Sstevel@tonic-gate {
1617c478bd9Sstevel@tonic-gate nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a;
1627c478bd9Sstevel@tonic-gate char searchfilter[SEARCHFILTERLEN];
1637c478bd9Sstevel@tonic-gate char userdata[SEARCHFILTERLEN];
1647c478bd9Sstevel@tonic-gate char netname[SEARCHFILTERLEN];
1657c478bd9Sstevel@tonic-gate char *name, *domain, *p;
1667c478bd9Sstevel@tonic-gate nss_status_t rc;
1677c478bd9Sstevel@tonic-gate int ret;
1687c478bd9Sstevel@tonic-gate
1697c478bd9Sstevel@tonic-gate /*
1707c478bd9Sstevel@tonic-gate * We need to break it down to find if this is a netname for host
1717c478bd9Sstevel@tonic-gate * or user. We'll pass the domain as is to the LDAP call.
1727c478bd9Sstevel@tonic-gate */
1737c478bd9Sstevel@tonic-gate if (_ldap_filter_name(netname, argp->key.pkey.name, sizeof (netname))
1747c478bd9Sstevel@tonic-gate != 0)
1757c478bd9Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
176cb5caa98Sdjl
1777c478bd9Sstevel@tonic-gate domain = strchr(netname, '@');
1787c478bd9Sstevel@tonic-gate if (!domain)
1797c478bd9Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
1807c478bd9Sstevel@tonic-gate
1817c478bd9Sstevel@tonic-gate *domain++ = '\0';
1827c478bd9Sstevel@tonic-gate if ((p = strchr(netname, '.')) == NULL)
1837c478bd9Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
1847c478bd9Sstevel@tonic-gate
1857c478bd9Sstevel@tonic-gate name = ++p;
1867c478bd9Sstevel@tonic-gate if (isdigit(*name)) {
1877c478bd9Sstevel@tonic-gate /* user keys lookup */
1887c478bd9Sstevel@tonic-gate ret = snprintf(searchfilter, sizeof (searchfilter),
1897c478bd9Sstevel@tonic-gate _F_GETKEY_USER, name);
1907c478bd9Sstevel@tonic-gate if (ret >= sizeof (searchfilter) || ret < 0)
1917c478bd9Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
1927c478bd9Sstevel@tonic-gate
1937c478bd9Sstevel@tonic-gate ret = snprintf(userdata, sizeof (userdata),
1947c478bd9Sstevel@tonic-gate _F_GETKEY_USER_SSD, name);
1957c478bd9Sstevel@tonic-gate if (ret >= sizeof (userdata) || ret < 0)
1967c478bd9Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
1977c478bd9Sstevel@tonic-gate
1987c478bd9Sstevel@tonic-gate rc = (nss_status_t)_nss_ldap_lookup(be, argp,
1997c478bd9Sstevel@tonic-gate _PASSWD, searchfilter, domain,
2007c478bd9Sstevel@tonic-gate _merge_SSD_filter, userdata);
2017c478bd9Sstevel@tonic-gate } else {
2027c478bd9Sstevel@tonic-gate /* host keys lookup */
2037c478bd9Sstevel@tonic-gate ret = snprintf(searchfilter, sizeof (searchfilter),
2047c478bd9Sstevel@tonic-gate _F_GETKEY_HOST, name);
2057c478bd9Sstevel@tonic-gate if (ret >= sizeof (searchfilter) || ret < 0)
2067c478bd9Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
2077c478bd9Sstevel@tonic-gate
2087c478bd9Sstevel@tonic-gate ret = snprintf(userdata, sizeof (userdata),
2097c478bd9Sstevel@tonic-gate _F_GETKEY_HOST_SSD, name);
2107c478bd9Sstevel@tonic-gate if (ret >= sizeof (userdata) || ret < 0)
2117c478bd9Sstevel@tonic-gate return ((nss_status_t)NSS_NOTFOUND);
2127c478bd9Sstevel@tonic-gate
2137c478bd9Sstevel@tonic-gate rc = (nss_status_t)_nss_ldap_lookup(be, argp,
2147c478bd9Sstevel@tonic-gate _HOSTS, searchfilter, domain,
2157c478bd9Sstevel@tonic-gate _merge_SSD_filter, userdata);
2167c478bd9Sstevel@tonic-gate }
2177c478bd9Sstevel@tonic-gate return (rc);
2187c478bd9Sstevel@tonic-gate }
2197c478bd9Sstevel@tonic-gate
2207c478bd9Sstevel@tonic-gate
2217c478bd9Sstevel@tonic-gate static ldap_backend_op_t keys_ops[] = {
2227c478bd9Sstevel@tonic-gate _nss_ldap_destr,
2237c478bd9Sstevel@tonic-gate 0,
2247c478bd9Sstevel@tonic-gate 0,
2257c478bd9Sstevel@tonic-gate 0,
2267c478bd9Sstevel@tonic-gate getkeys
2277c478bd9Sstevel@tonic-gate };
2287c478bd9Sstevel@tonic-gate
2297c478bd9Sstevel@tonic-gate
2307c478bd9Sstevel@tonic-gate /*
2317c478bd9Sstevel@tonic-gate * _nss_ldap_publickey_constr is where life begins. This function calls the
2327c478bd9Sstevel@tonic-gate * generic ldap constructor function to define and build the abstract
2337c478bd9Sstevel@tonic-gate * data types required to support ldap operations.
2347c478bd9Sstevel@tonic-gate */
2357c478bd9Sstevel@tonic-gate
2367c478bd9Sstevel@tonic-gate /*ARGSUSED0*/
2377c478bd9Sstevel@tonic-gate nss_backend_t *
_nss_ldap_publickey_constr(const char * dummy1,const char * dummy2,const char * dummy3)2387c478bd9Sstevel@tonic-gate _nss_ldap_publickey_constr(const char *dummy1, const char *dummy2,
2397c478bd9Sstevel@tonic-gate const char *dummy3)
2407c478bd9Sstevel@tonic-gate {
2417c478bd9Sstevel@tonic-gate
2427c478bd9Sstevel@tonic-gate return ((nss_backend_t *)_nss_ldap_constr(keys_ops,
2437c478bd9Sstevel@tonic-gate sizeof (keys_ops)/sizeof (keys_ops[0]),
244cb5caa98Sdjl _PUBLICKEY, keys_attrs, _nss_ldap_key2str));
2457c478bd9Sstevel@tonic-gate }
246