Home | History | Annotate | Download | only in ldap
      1 /*
      2  * CDDL HEADER START
      3  *
      4  * The contents of this file are subject to the terms of the
      5  * Common Development and Distribution License, Version 1.0 only
      6  * (the "License").  You may not use this file except in compliance
      7  * with the License.
      8  *
      9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
     10  * or http://www.opensolaris.org/os/licensing.
     11  * See the License for the specific language governing permissions
     12  * and limitations under the License.
     13  *
     14  * When distributing Covered Code, include this CDDL HEADER in each
     15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
     16  * If applicable, add the following below this CDDL HEADER, with the
     17  * fields enclosed by brackets "[]" replaced with your own identifying
     18  * information: Portions Copyright [yyyy] [name of copyright owner]
     19  *
     20  * CDDL HEADER END
     21  */
     22 /*
     23  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
     24  * Use is subject to license terms.
     25  */
     26 
     27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
     28 
     29 #include "ldap_headers.h"
     30 
     31 /*
     32  *
     33  * LDAP module for pam_sm_authenticate.
     34  *
     35  * options -
     36  *
     37  *	debug
     38  *	nowarn
     39  */
     40 
     41 /*
     42  * pam_sm_authenticate():
     43  * 	Authenticate user.
     44  */
     45 /*ARGSUSED*/
     46 int
     47 pam_sm_authenticate(
     48 	pam_handle_t		*pamh,
     49 	int 			flags,
     50 	int			argc,
     51 	const char		**argv)
     52 {
     53 	char			*service = NULL;
     54 	char			*user = NULL;
     55 	int			err;
     56 	int			result = PAM_AUTH_ERR;
     57 	int			debug = 0;
     58 	int			i;
     59 	char			*password = NULL;
     60 	ns_cred_t		*credp = NULL;
     61 	int			nowarn = 0;
     62 
     63 	/* Get the service and user */
     64 	if ((err = pam_get_item(pamh, PAM_SERVICE, (void **)&service))
     65 							!= PAM_SUCCESS ||
     66 	    (err = pam_get_item(pamh, PAM_USER, (void **)&user)) != PAM_SUCCESS)
     67 		return (err);
     68 
     69 	/*
     70 	 * Check options passed to this module.
     71 	 * Silently ignore try_first_pass and use_first_pass options
     72 	 * for the time being.
     73 	 */
     74 	for (i = 0; i < argc; i++) {
     75 		if (strcmp(argv[i], "debug") == 0)
     76 			debug = 1;
     77 		else if (strcmp(argv[i], "nowarn") == 0)
     78 			nowarn = 1;
     79 		else if ((strcmp(argv[i], "try_first_pass") != 0) &&
     80 				(strcmp(argv[i], "use_first_pass") != 0))
     81 			syslog(LOG_AUTH | LOG_DEBUG,
     82 				"ldap pam_sm_authenticate(%s), "
     83 				"illegal scheme option %s", service, argv[i]);
     84 	}
     85 
     86 	if (debug)
     87 		syslog(LOG_AUTH | LOG_DEBUG,
     88 			"ldap pam_sm_authenticate(%s %s), flags = %x %s",
     89 			service, (user && *user != '\0')?user:"no-user", flags,
     90 			(nowarn)? ", nowarn": "");
     91 
     92 	if (!user || *user == '\0')
     93 		return (PAM_USER_UNKNOWN);
     94 
     95 	/* Get the password entered in the first scheme if any */
     96 	(void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &password);
     97 	if (password == NULL) {
     98 		if (debug)
     99 			syslog(LOG_AUTH | LOG_DEBUG,
    100 				"ldap pam_sm_authenticate(%s %s), "
    101 				"AUTHTOK not set", service, user);
    102 		return (PAM_AUTH_ERR);
    103 	}
    104 
    105 	/*
    106 	 * Authenticate user using the password from PAM_AUTHTOK.
    107 	 * If no password available or if authentication fails
    108 	 * return the appropriate error.
    109 	 */
    110 	result = authenticate(&credp, user, password, NULL);
    111 	if (result == PAM_NEW_AUTHTOK_REQD) {
    112 		/*
    113 		 * PAM_NEW_AUTHTOK_REQD means the
    114 		 * user's password is good but needs
    115 		 * to change immediately. If the service
    116 		 * is login or similar programs, the
    117 		 * user will be asked to change the
    118 		 * password after the account management
    119 		 * module is called and determined that
    120 		 * the password has expired.
    121 		 * So change the rc to PAM_SUCCESS here.
    122 		 */
    123 		result = PAM_SUCCESS;
    124 	} else if (result == PAM_AUTHTOK_EXPIRED) {
    125 		/*
    126 		 * Authentication token is the right one but
    127 		 * expired. Consider this as pass.
    128 		 * Change rc to PAM_SUCCESS.
    129 		 */
    130 		result = PAM_SUCCESS;
    131 	}
    132 
    133 	if (credp != NULL)
    134 		(void) __ns_ldap_freeCred(&credp);
    135 	return (result);
    136 }
    137