Use nslcd-mapped PAM error codes instead of actual PAM error codes

Howard Chu 2009-04-23 08:23:58 +00:00
parent 50283523bd
commit 21f5405978
3 changed files with 64 additions and 26 deletions


@ -207,4 +207,19 @@
#define NSLCD_RESULT_END 3 /* key was not found */
#define NSLCD_RESULT_SUCCESS 0 /* everything ok */
/* Partial list of PAM result codes. */
#define NSLCD_PAM_SUCCESS 0 /* everything ok */
#define NSLCD_PAM_PERM_DENIED 6 /* Permission denied */
#define NSLCD_PAM_AUTH_ERR 7 /* Authc failure */
#define NSLCD_PAM_CRED_INSUFFICIENT 8 /* Cannot access authc data */
#define NSLCD_PAM_AUTHINFO_UNAVAIL 9 /* Cannot retrieve authc info */
#define NSLCD_PAM_USER_UNKNOWN 10 /* User not known */
#define NSLCD_PAM_MAXTRIES 11 /* Retry limit reached */
#define NSLCD_PAM_NEW_AUTHTOK_REQD 12 /* Password expired */
#define NSLCD_PAM_ACCT_EXPIRED 13 /* Account expired */
#define NSLCD_PAM_SESSION_ERR 14 /* Cannot make/remove session record */
#define NSLCD_PAM_AUTHTOK_DISABLE_AGING 23 /* Password aging disabled */
#define NSLCD_PAM_IGNORE 25 /* Ignore module */
#define NSLCD_PAM_ABORT 26 /* Fatal error */
#endif /* not _NSLCD_H */
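Review bot: The new NSLCD_PAM_* block is missing the one comment that explains why it exists: these numbers are wire-protocol constants that must stay fixed even when a platform's PAM header uses different values, which is exactly what the rest of this commit relies on. "Partial list of PAM result codes" reads as if the header merely mirrors <security/pam_appl.h>, inviting a later "fix" that re-syncs them. Suggest replacing the comment on the first added line with `/* PAM result codes as carried on the nslcd wire protocol. These values are part of the protocol, not the client's PAM header; clients map them with nslcd2pam_rc(). Do not renumber. */`. The abbreviation "Authc" in the per-code comments could also be spelled out as "authentication" for readers outside the nslcd tree.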


@ -69,6 +69,27 @@ typedef struct pld_ctx {
char buf[1024];
} pld_ctx;
static int nslcd2pam_rc(int rc)
{
#define map(i) case NSLCD_##i : rc = i; break
switch(rc) {
map(PAM_SUCCESS);
map(PAM_PERM_DENIED);
map(PAM_AUTH_ERR);
map(PAM_CRED_INSUFFICIENT);
map(PAM_AUTHINFO_UNAVAIL);
map(PAM_USER_UNKNOWN);
map(PAM_MAXTRIES);
map(PAM_NEW_AUTHTOK_REQD);
map(PAM_ACCT_EXPIRED);
map(PAM_SESSION_ERR);
map(PAM_AUTHTOK_DISABLE_AGING);
map(PAM_IGNORE);
map(PAM_ABORT);
}
return rc;
}
static void pam_clr_ctx(
pld_ctx *ctx)
{
@ -201,6 +222,8 @@ static enum nss_status pam_read_authc(
READ_INT32(fp,ctx->authok);
READ_INT32(fp,ctx->authz);
READ_STRING_BUF(fp,ctx->authzmsg);
ctx->authok = nslcd2pam_rc(ctx->authok);
ctx->authz = nslcd2pam_rc(ctx->authz);
return NSS_STATUS_SUCCESS;
}
@ -330,6 +353,7 @@ static enum nss_status pam_read_authz(
READ_STRING_BUF(fp,ctx->dn);
READ_INT32(fp,ctx->authz);
READ_STRING_BUF(fp,ctx->authzmsg);
ctx->authz = nslcd2pam_rc(ctx->authz);
return NSS_STATUS_SUCCESS;
}
@ -537,6 +561,7 @@ static enum nss_status pam_read_pwmod(
READ_STRING_BUF(fp,ctx->dn);
READ_INT32(fp,ctx->authz);
READ_STRING_BUF(fp,ctx->authzmsg);
ctx->authz = nslcd2pam_rc(ctx->authz);
return NSS_STATUS_SUCCESS;
}


@ -16,8 +16,6 @@
#include "nssov.h"
#include "lutil.h"
#include <security/pam_modules.h>
static int ppolicy_cid;
static AttributeDescription *ad_loginStatus;
@ -90,7 +88,7 @@ static int pam_bindcb(
pi->msg.bv_len = sprintf(pi->msg.bv_val,
"Password expired; %d grace logins remaining",
grace);
pi->authz = PAM_NEW_AUTHTOK_REQD;
pi->authz = NSLCD_PAM_NEW_AUTHTOK_REQD;
} else if (error != PP_noError) {
ber_str2bv(ldap_passwordpolicy_err2txt(error), 0, 0,
&pi->msg);
@ -100,7 +98,7 @@ static int pam_bindcb(
rs->sr_err = LDAP_SUCCESS;
/* fallthru */
case PP_changeAfterReset:
pi->authz = PAM_NEW_AUTHTOK_REQD;
pi->authz = NSLCD_PAM_NEW_AUTHTOK_REQD;
}
}
}
@ -120,13 +118,13 @@ int pam_do_bind(nssov_info *ni,TFILE *fp,Operation *op,
pi->msg.bv_val = pi->pwd.bv_val;
pi->msg.bv_len = 0;
pi->authz = PAM_SUCCESS;
pi->authz = NSLCD_PAM_SUCCESS;
BER_BVZERO(&pi->dn);
if (!isvalidusername(&pi->uid)) {
Debug(LDAP_DEBUG_ANY,"nssov_pam_do_bind(%s): invalid user name\n",
pi->uid.bv_val,0,0);
rc = PAM_USER_UNKNOWN;
rc = NSLCD_PAM_USER_UNKNOWN;
goto finish;
}
@ -153,12 +151,12 @@ int pam_do_bind(nssov_info *ni,TFILE *fp,Operation *op,
}
BER_BVZERO(&sdn);
if (BER_BVISEMPTY(&pi->dn)) {
rc = PAM_USER_UNKNOWN;
rc = NSLCD_PAM_USER_UNKNOWN;
goto finish;
}
if (BER_BVISEMPTY(&pi->pwd)) {
rc = PAM_IGNORE;
rc = NSLCD_PAM_IGNORE;
goto finish;
}
@ -195,9 +193,9 @@ int pam_do_bind(nssov_info *ni,TFILE *fp,Operation *op,
if (rc == LDAP_SUCCESS)
send_ldap_result(op, &rs);
switch(rs.sr_err) {
case LDAP_SUCCESS: rc = PAM_SUCCESS; break;
case LDAP_INVALID_CREDENTIALS: rc = PAM_AUTH_ERR; break;
default: rc = PAM_AUTH_ERR; break;
case LDAP_SUCCESS: rc = NSLCD_PAM_SUCCESS; break;
case LDAP_INVALID_CREDENTIALS: rc = NSLCD_PAM_AUTH_ERR; break;
default: rc = NSLCD_PAM_AUTH_ERR; break;
}
finish:
return rc;
@ -263,7 +261,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
char dnc[1024];
char uidc[32];
char svcc[256];
int rc = PAM_SUCCESS;
int rc = NSLCD_PAM_SUCCESS;
Entry *e = NULL;
Attribute *a;
SlapReply rs = {REP_RESULT};
@ -283,7 +281,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
/* We don't do authorization if they weren't authenticated by us */
if (BER_BVISEMPTY(&dn)) {
rc = PAM_USER_UNKNOWN;
rc = NSLCD_PAM_USER_UNKNOWN;
goto finish;
}
@ -331,7 +329,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
/* no host entry, no default host -> deny */
if (BER_BVISEMPTY(&hostdn)) {
rc = PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = hostmsg;
goto finish;
}
@ -348,7 +346,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
rc = op->o_bd->be_compare( op, &rs );
if ( rs.sr_err != LDAP_COMPARE_TRUE ) {
authzmsg = svcmsg;
rc = PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
}
op->o_dn = odn;
@ -371,7 +369,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
rc = op->o_bd->be_compare( op, &rs );
if ( rs.sr_err != LDAP_COMPARE_TRUE ) {
authzmsg = grpmsg;
rc = PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
}
}
@ -382,7 +380,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
ni->ni_pam_min_uid || ni->ni_pam_max_uid ) {
rc = be_entry_get_rw( op, &dn, NULL, NULL, 0, &e );
if (rc != LDAP_SUCCESS) {
rc = PAM_USER_UNKNOWN;
rc = NSLCD_PAM_USER_UNKNOWN;
goto finish;
}
}
@ -391,7 +389,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
if (!a || value_find_ex( nssov_pam_host_ad,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
a->a_vals, &global_host_bv, op->o_tmpmemctx )) {
rc = PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = hostmsg;
goto finish;
}
@ -401,7 +399,7 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
if (!a || value_find_ex( nssov_pam_svc_ad,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
a->a_vals, &svc, op->o_tmpmemctx )) {
rc = PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = svcmsg;
goto finish;
}
@ -416,19 +414,19 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
nssov_mapinfo *mi = &ni->ni_maps[NM_host];
a = attr_find(e->e_attrs, mi->mi_attrs[UIDN_KEY].an_desc);
if (!a) {
rc = PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
id = (int)strtol(a->a_vals[0].bv_val,&tmp,0);
if (a->a_vals[0].bv_val[0] == '\0' || *tmp != '\0') {
rc = PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
if ((ni->ni_pam_min_uid && id < ni->ni_pam_min_uid) ||
(ni->ni_pam_max_uid && id > ni->ni_pam_max_uid)) {
rc = PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
authzmsg = uidmsg;
goto finish;
}
@ -588,8 +586,8 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
/* This is a prelim check */
if (BER_BVISEMPTY(&pi.dn)) {
rc = pam_do_bind(ni,fp,op,&pi);
if (rc == PAM_IGNORE)
rc = PAM_SUCCESS;
if (rc == NSLCD_PAM_IGNORE)
rc = NSLCD_PAM_SUCCESS;
} else {
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
@ -620,9 +618,9 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
if (rs.sr_text)
ber_str2bv(rs.sr_text, 0, 0, &pi.msg);
if (rc == LDAP_SUCCESS)
rc = PAM_SUCCESS;
rc = NSLCD_PAM_SUCCESS;
else
rc = PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
}
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD);
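Review bot: In pam_authz, `rc` now carries both LDAP result codes and NSLCD_PAM_* codes, and the two numbering spaces overlap: NSLCD_PAM_PERM_DENIED is 6, the same numeric value as LDAP_COMPARE_TRUE. At the two be_compare() calls (`rc = op->o_bd->be_compare( op, &rs );` in the hunks at -348 and -371) `rc` keeps the backend's return value on the success path; if the function's tail, which is outside these hunks, reaches `finish:` without reassigning `rc`, a successful compare could be reported to the client as a denial, and other collisions could read as success. Suggest keeping LDAP results in a separate local, e.g. `int lrc = op->o_bd->be_compare( op, &rs );`, and assigning only NSLCD_PAM_* values to `rc`; the same applies to the `rc = be_entry_get_rw(...)` line in the -382 hunk. pam_authz and pam_do_bind both start and end outside the visible hunks, so this is inferred from the lines shown.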