1*7c478bd9Sstevel@tonic-gate /*
2*7c478bd9Sstevel@tonic-gate * CDDL HEADER START
3*7c478bd9Sstevel@tonic-gate *
4*7c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the
5*7c478bd9Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only
6*7c478bd9Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance
7*7c478bd9Sstevel@tonic-gate * with the License.
8*7c478bd9Sstevel@tonic-gate *
9*7c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10*7c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
11*7c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions
12*7c478bd9Sstevel@tonic-gate * and limitations under the License.
13*7c478bd9Sstevel@tonic-gate *
14*7c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
15*7c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16*7c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
17*7c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
18*7c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
19*7c478bd9Sstevel@tonic-gate *
20*7c478bd9Sstevel@tonic-gate * CDDL HEADER END
21*7c478bd9Sstevel@tonic-gate */
22*7c478bd9Sstevel@tonic-gate /*
23*7c478bd9Sstevel@tonic-gate * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
24*7c478bd9Sstevel@tonic-gate * Use is subject to license terms.
25*7c478bd9Sstevel@tonic-gate */
26*7c478bd9Sstevel@tonic-gate
27*7c478bd9Sstevel@tonic-gate #include "ldap_headers.h"
28*7c478bd9Sstevel@tonic-gate
29*7c478bd9Sstevel@tonic-gate /*
30*7c478bd9Sstevel@tonic-gate *
31*7c478bd9Sstevel@tonic-gate * LDAP module for pam_sm_authenticate.
32*7c478bd9Sstevel@tonic-gate *
33*7c478bd9Sstevel@tonic-gate * options -
34*7c478bd9Sstevel@tonic-gate *
35*7c478bd9Sstevel@tonic-gate * debug
36*7c478bd9Sstevel@tonic-gate * nowarn
37*7c478bd9Sstevel@tonic-gate */
38*7c478bd9Sstevel@tonic-gate
39*7c478bd9Sstevel@tonic-gate /*
40*7c478bd9Sstevel@tonic-gate * pam_sm_authenticate():
41*7c478bd9Sstevel@tonic-gate * Authenticate user.
42*7c478bd9Sstevel@tonic-gate */
43*7c478bd9Sstevel@tonic-gate /*ARGSUSED*/
44*7c478bd9Sstevel@tonic-gate int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)45*7c478bd9Sstevel@tonic-gate pam_sm_authenticate(
46*7c478bd9Sstevel@tonic-gate pam_handle_t *pamh,
47*7c478bd9Sstevel@tonic-gate int flags,
48*7c478bd9Sstevel@tonic-gate int argc,
49*7c478bd9Sstevel@tonic-gate const char **argv)
50*7c478bd9Sstevel@tonic-gate {
51*7c478bd9Sstevel@tonic-gate char *service = NULL;
52*7c478bd9Sstevel@tonic-gate char *user = NULL;
53*7c478bd9Sstevel@tonic-gate int err;
54*7c478bd9Sstevel@tonic-gate int result = PAM_AUTH_ERR;
55*7c478bd9Sstevel@tonic-gate int debug = 0;
56*7c478bd9Sstevel@tonic-gate int i;
57*7c478bd9Sstevel@tonic-gate char *password = NULL;
58*7c478bd9Sstevel@tonic-gate ns_cred_t *credp = NULL;
59*7c478bd9Sstevel@tonic-gate int nowarn = 0;
60*7c478bd9Sstevel@tonic-gate
61*7c478bd9Sstevel@tonic-gate /* Get the service and user */
62*7c478bd9Sstevel@tonic-gate if ((err = pam_get_item(pamh, PAM_SERVICE, (void **)&service))
63*7c478bd9Sstevel@tonic-gate != PAM_SUCCESS ||
64*7c478bd9Sstevel@tonic-gate (err = pam_get_item(pamh, PAM_USER, (void **)&user)) != PAM_SUCCESS)
65*7c478bd9Sstevel@tonic-gate return (err);
66*7c478bd9Sstevel@tonic-gate
67*7c478bd9Sstevel@tonic-gate /*
68*7c478bd9Sstevel@tonic-gate * Check options passed to this module.
69*7c478bd9Sstevel@tonic-gate * Silently ignore try_first_pass and use_first_pass options
70*7c478bd9Sstevel@tonic-gate * for the time being.
71*7c478bd9Sstevel@tonic-gate */
72*7c478bd9Sstevel@tonic-gate for (i = 0; i < argc; i++) {
73*7c478bd9Sstevel@tonic-gate if (strcmp(argv[i], "debug") == 0)
74*7c478bd9Sstevel@tonic-gate debug = 1;
75*7c478bd9Sstevel@tonic-gate else if (strcmp(argv[i], "nowarn") == 0)
76*7c478bd9Sstevel@tonic-gate nowarn = 1;
77*7c478bd9Sstevel@tonic-gate else if ((strcmp(argv[i], "try_first_pass") != 0) &&
78*7c478bd9Sstevel@tonic-gate (strcmp(argv[i], "use_first_pass") != 0))
79*7c478bd9Sstevel@tonic-gate syslog(LOG_AUTH | LOG_DEBUG,
80*7c478bd9Sstevel@tonic-gate "ldap pam_sm_authenticate(%s), "
81*7c478bd9Sstevel@tonic-gate "illegal scheme option %s", service, argv[i]);
82*7c478bd9Sstevel@tonic-gate }
83*7c478bd9Sstevel@tonic-gate
84*7c478bd9Sstevel@tonic-gate if (debug)
85*7c478bd9Sstevel@tonic-gate syslog(LOG_AUTH | LOG_DEBUG,
86*7c478bd9Sstevel@tonic-gate "ldap pam_sm_authenticate(%s %s), flags = %x %s",
87*7c478bd9Sstevel@tonic-gate service, (user && *user != '\0')?user:"no-user", flags,
88*7c478bd9Sstevel@tonic-gate (nowarn)? ", nowarn": "");
89*7c478bd9Sstevel@tonic-gate
90*7c478bd9Sstevel@tonic-gate if (!user || *user == '\0')
91*7c478bd9Sstevel@tonic-gate return (PAM_USER_UNKNOWN);
92*7c478bd9Sstevel@tonic-gate
93*7c478bd9Sstevel@tonic-gate /* Get the password entered in the first scheme if any */
94*7c478bd9Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &password);
95*7c478bd9Sstevel@tonic-gate if (password == NULL) {
96*7c478bd9Sstevel@tonic-gate if (debug)
97*7c478bd9Sstevel@tonic-gate syslog(LOG_AUTH | LOG_DEBUG,
98*7c478bd9Sstevel@tonic-gate "ldap pam_sm_authenticate(%s %s), "
99*7c478bd9Sstevel@tonic-gate "AUTHTOK not set", service, user);
100*7c478bd9Sstevel@tonic-gate return (PAM_AUTH_ERR);
101*7c478bd9Sstevel@tonic-gate }
102*7c478bd9Sstevel@tonic-gate
103*7c478bd9Sstevel@tonic-gate /*
104*7c478bd9Sstevel@tonic-gate * Authenticate user using the password from PAM_AUTHTOK.
105*7c478bd9Sstevel@tonic-gate * If no password available or if authentication fails
106*7c478bd9Sstevel@tonic-gate * return the appropriate error.
107*7c478bd9Sstevel@tonic-gate */
108*7c478bd9Sstevel@tonic-gate result = authenticate(&credp, user, password, NULL);
109*7c478bd9Sstevel@tonic-gate if (result == PAM_NEW_AUTHTOK_REQD) {
110*7c478bd9Sstevel@tonic-gate /*
111*7c478bd9Sstevel@tonic-gate * PAM_NEW_AUTHTOK_REQD means the
112*7c478bd9Sstevel@tonic-gate * user's password is good but needs
113*7c478bd9Sstevel@tonic-gate * to change immediately. If the service
114*7c478bd9Sstevel@tonic-gate * is login or similar programs, the
115*7c478bd9Sstevel@tonic-gate * user will be asked to change the
116*7c478bd9Sstevel@tonic-gate * password after the account management
117*7c478bd9Sstevel@tonic-gate * module is called and determined that
118*7c478bd9Sstevel@tonic-gate * the password has expired.
119*7c478bd9Sstevel@tonic-gate * So change the rc to PAM_SUCCESS here.
120*7c478bd9Sstevel@tonic-gate */
121*7c478bd9Sstevel@tonic-gate result = PAM_SUCCESS;
122*7c478bd9Sstevel@tonic-gate } else if (result == PAM_AUTHTOK_EXPIRED) {
123*7c478bd9Sstevel@tonic-gate /*
124*7c478bd9Sstevel@tonic-gate * Authentication token is the right one but
125*7c478bd9Sstevel@tonic-gate * expired. Consider this as pass.
126*7c478bd9Sstevel@tonic-gate * Change rc to PAM_SUCCESS.
127*7c478bd9Sstevel@tonic-gate */
128*7c478bd9Sstevel@tonic-gate result = PAM_SUCCESS;
129*7c478bd9Sstevel@tonic-gate }
130*7c478bd9Sstevel@tonic-gate
131*7c478bd9Sstevel@tonic-gate if (credp != NULL)
132*7c478bd9Sstevel@tonic-gate (void) __ns_ldap_freeCred(&credp);
133*7c478bd9Sstevel@tonic-gate return (result);
134*7c478bd9Sstevel@tonic-gate }
135