1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2004 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include "ldap_headers.h" 30 31 /* 32 * 33 * LDAP module for pam_sm_authenticate. 34 * 35 * options - 36 * 37 * debug 38 * nowarn 39 */ 40 41 /* 42 * pam_sm_authenticate(): 43 * Authenticate user. 44 */ 45 /*ARGSUSED*/ 46 int 47 pam_sm_authenticate( 48 pam_handle_t *pamh, 49 int flags, 50 int argc, 51 const char **argv) 52 { 53 char *service = NULL; 54 char *user = NULL; 55 int err; 56 int result = PAM_AUTH_ERR; 57 int debug = 0; 58 int i; 59 char *password = NULL; 60 ns_cred_t *credp = NULL; 61 int nowarn = 0; 62 63 /* Get the service and user */ 64 if ((err = pam_get_item(pamh, PAM_SERVICE, (void **)&service)) 65 != PAM_SUCCESS || 66 (err = pam_get_item(pamh, PAM_USER, (void **)&user)) != PAM_SUCCESS) 67 return (err); 68 69 /* 70 * Check options passed to this module. 71 * Silently ignore try_first_pass and use_first_pass options 72 * for the time being. 73 */ 74 for (i = 0; i < argc; i++) { 75 if (strcmp(argv[i], "debug") == 0) 76 debug = 1; 77 else if (strcmp(argv[i], "nowarn") == 0) 78 nowarn = 1; 79 else if ((strcmp(argv[i], "try_first_pass") != 0) && 80 (strcmp(argv[i], "use_first_pass") != 0)) 81 syslog(LOG_AUTH | LOG_DEBUG, 82 "ldap pam_sm_authenticate(%s), " 83 "illegal scheme option %s", service, argv[i]); 84 } 85 86 if (debug) 87 syslog(LOG_AUTH | LOG_DEBUG, 88 "ldap pam_sm_authenticate(%s %s), flags = %x %s", 89 service, (user && *user != '\0')?user:"no-user", flags, 90 (nowarn)? ", nowarn": ""); 91 92 if (!user || *user == '\0') 93 return (PAM_USER_UNKNOWN); 94 95 /* Get the password entered in the first scheme if any */ 96 (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &password); 97 if (password == NULL) { 98 if (debug) 99 syslog(LOG_AUTH | LOG_DEBUG, 100 "ldap pam_sm_authenticate(%s %s), " 101 "AUTHTOK not set", service, user); 102 return (PAM_AUTH_ERR); 103 } 104 105 /* 106 * Authenticate user using the password from PAM_AUTHTOK. 107 * If no password available or if authentication fails 108 * return the appropriate error. 109 */ 110 result = authenticate(&credp, user, password, NULL); 111 if (result == PAM_NEW_AUTHTOK_REQD) { 112 /* 113 * PAM_NEW_AUTHTOK_REQD means the 114 * user's password is good but needs 115 * to change immediately. If the service 116 * is login or similar programs, the 117 * user will be asked to change the 118 * password after the account management 119 * module is called and determined that 120 * the password has expired. 121 * So change the rc to PAM_SUCCESS here. 122 */ 123 result = PAM_SUCCESS; 124 } else if (result == PAM_AUTHTOK_EXPIRED) { 125 /* 126 * Authentication token is the right one but 127 * expired. Consider this as pass. 128 * Change rc to PAM_SUCCESS. 129 */ 130 result = PAM_SUCCESS; 131 } 132 133 if (credp != NULL) 134 (void) __ns_ldap_freeCred(&credp); 135 return (result); 136 } 137