/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License, Version 1.0 only * (the "License"). You may not use this file except in compliance * with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 2004 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" #include "ldap_headers.h" /* * * LDAP module for pam_sm_authenticate. * * options - * * debug * nowarn */ /* * pam_sm_authenticate(): * Authenticate user. */ /*ARGSUSED*/ int pam_sm_authenticate( pam_handle_t *pamh, int flags, int argc, const char **argv) { char *service = NULL; char *user = NULL; int err; int result = PAM_AUTH_ERR; int debug = 0; int i; char *password = NULL; ns_cred_t *credp = NULL; int nowarn = 0; /* Get the service and user */ if ((err = pam_get_item(pamh, PAM_SERVICE, (void **)&service)) != PAM_SUCCESS || (err = pam_get_item(pamh, PAM_USER, (void **)&user)) != PAM_SUCCESS) return (err); /* * Check options passed to this module. * Silently ignore try_first_pass and use_first_pass options * for the time being. */ for (i = 0; i < argc; i++) { if (strcmp(argv[i], "debug") == 0) debug = 1; else if (strcmp(argv[i], "nowarn") == 0) nowarn = 1; else if ((strcmp(argv[i], "try_first_pass") != 0) && (strcmp(argv[i], "use_first_pass") != 0)) syslog(LOG_AUTH | LOG_DEBUG, "ldap pam_sm_authenticate(%s), " "illegal scheme option %s", service, argv[i]); } if (debug) syslog(LOG_AUTH | LOG_DEBUG, "ldap pam_sm_authenticate(%s %s), flags = %x %s", service, (user && *user != '\0')?user:"no-user", flags, (nowarn)? ", nowarn": ""); if (!user || *user == '\0') return (PAM_USER_UNKNOWN); /* Get the password entered in the first scheme if any */ (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &password); if (password == NULL) { if (debug) syslog(LOG_AUTH | LOG_DEBUG, "ldap pam_sm_authenticate(%s %s), " "AUTHTOK not set", service, user); return (PAM_AUTH_ERR); } /* * Authenticate user using the password from PAM_AUTHTOK. * If no password available or if authentication fails * return the appropriate error. */ result = authenticate(&credp, user, password, NULL); if (result == PAM_NEW_AUTHTOK_REQD) { /* * PAM_NEW_AUTHTOK_REQD means the * user's password is good but needs * to change immediately. If the service * is login or similar programs, the * user will be asked to change the * password after the account management * module is called and determined that * the password has expired. * So change the rc to PAM_SUCCESS here. */ result = PAM_SUCCESS; } else if (result == PAM_AUTHTOK_EXPIRED) { /* * Authentication token is the right one but * expired. Consider this as pass. * Change rc to PAM_SUCCESS. */ result = PAM_SUCCESS; } if (credp != NULL) (void) __ns_ldap_freeCred(&credp); return (result); }