1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License, Version 1.0 only
6 * (the "License"). You may not use this file except in compliance
7 * with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22 /*
23 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 */
26
27 #pragma ident "%Z%%M% %I% %E% SMI"
28
29 #include "ldap_headers.h"
30
31 /*
32 *
33 * LDAP module for pam_sm_authenticate.
34 *
35 * options -
36 *
37 * debug
38 * nowarn
39 */
40
41 /*
42 * pam_sm_authenticate():
43 * Authenticate user.
44 */
45 /*ARGSUSED*/
46 int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)47 pam_sm_authenticate(
48 pam_handle_t *pamh,
49 int flags,
50 int argc,
51 const char **argv)
52 {
53 char *service = NULL;
54 char *user = NULL;
55 int err;
56 int result = PAM_AUTH_ERR;
57 int debug = 0;
58 int i;
59 char *password = NULL;
60 ns_cred_t *credp = NULL;
61 int nowarn = 0;
62
63 /* Get the service and user */
64 if ((err = pam_get_item(pamh, PAM_SERVICE, (void **)&service))
65 != PAM_SUCCESS ||
66 (err = pam_get_item(pamh, PAM_USER, (void **)&user)) != PAM_SUCCESS)
67 return (err);
68
69 /*
70 * Check options passed to this module.
71 * Silently ignore try_first_pass and use_first_pass options
72 * for the time being.
73 */
74 for (i = 0; i < argc; i++) {
75 if (strcmp(argv[i], "debug") == 0)
76 debug = 1;
77 else if (strcmp(argv[i], "nowarn") == 0)
78 nowarn = 1;
79 else if ((strcmp(argv[i], "try_first_pass") != 0) &&
80 (strcmp(argv[i], "use_first_pass") != 0))
81 syslog(LOG_AUTH | LOG_DEBUG,
82 "ldap pam_sm_authenticate(%s), "
83 "illegal scheme option %s", service, argv[i]);
84 }
85
86 if (debug)
87 syslog(LOG_AUTH | LOG_DEBUG,
88 "ldap pam_sm_authenticate(%s %s), flags = %x %s",
89 service, (user && *user != '\0')?user:"no-user", flags,
90 (nowarn)? ", nowarn": "");
91
92 if (!user || *user == '\0')
93 return (PAM_USER_UNKNOWN);
94
95 /* Get the password entered in the first scheme if any */
96 (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &password);
97 if (password == NULL) {
98 if (debug)
99 syslog(LOG_AUTH | LOG_DEBUG,
100 "ldap pam_sm_authenticate(%s %s), "
101 "AUTHTOK not set", service, user);
102 return (PAM_AUTH_ERR);
103 }
104
105 /*
106 * Authenticate user using the password from PAM_AUTHTOK.
107 * If no password available or if authentication fails
108 * return the appropriate error.
109 */
110 result = authenticate(&credp, user, password, NULL);
111 if (result == PAM_NEW_AUTHTOK_REQD) {
112 /*
113 * PAM_NEW_AUTHTOK_REQD means the
114 * user's password is good but needs
115 * to change immediately. If the service
116 * is login or similar programs, the
117 * user will be asked to change the
118 * password after the account management
119 * module is called and determined that
120 * the password has expired.
121 * So change the rc to PAM_SUCCESS here.
122 */
123 result = PAM_SUCCESS;
124 } else if (result == PAM_AUTHTOK_EXPIRED) {
125 /*
126 * Authentication token is the right one but
127 * expired. Consider this as pass.
128 * Change rc to PAM_SUCCESS.
129 */
130 result = PAM_SUCCESS;
131 }
132
133 if (credp != NULL)
134 (void) __ns_ldap_freeCred(&credp);
135 return (result);
136 }
137