Please note that I haven't fully tested this yet, the LDAP server configuration needed for this is a little bit twisted ;-) I will perform more testing during the weekend. Consider this patch being preliminary and don't push it until it's tested.
Thanks Jan
From 449b8bf683192637566bceb6136cd88db4ffca4a Mon Sep 17 00:00:00 2001 From: Jan Zeleny <jzel...@redhat.com> Date: Fri, 3 Feb 2012 09:33:08 -0500 Subject: [PATCH] Basic support for changing password in shadow expiration schema https://fedorahosted.org/sssd/ticket/1019 --- src/providers/ldap/ldap_auth.c | 58 ++++++++++++++- src/providers/ldap/ldap_common.c | 1 + src/providers/ldap/sdap.h | 1 + src/providers/ldap/sdap_async.c | 147 ++++++++++++++++++++++++++++++++++++++ src/providers/ldap/sdap_async.h | 11 +++ 5 files changed, 214 insertions(+), 4 deletions(-) diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index f58d52feed5c28b63864e42a2f6e04223c57afe1..decb90892e8dc1bf248e819db4995d58f8126c2e 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -45,6 +45,7 @@ #include "db/sysdb.h" #include "providers/ldap/ldap_common.h" #include "providers/ldap/sdap_async.h" +#include "providers/ldap/sdap_async_private.h" /* MIT Kerberos has the same hardcoded warning interval of 7 days. Due to the * fact that using the expiration time of a Kerberos password with LDAP @@ -705,6 +706,8 @@ struct sdap_pam_chpass_state { char *password; char *new_password; struct sdap_handle *sh; + + struct sdap_auth_ctx *ctx; }; static void sdap_auth4chpass_done(struct tevent_req *req); @@ -754,6 +757,7 @@ void sdap_pam_chpass_handler(struct be_req *breq) state->breq = breq; state->pd = pd; state->username = pd->user; + state->ctx = ctx; state->password = talloc_strndup(state, (char *)pd->authtok, pd->authtok_size); if (!state->password) goto done; @@ -782,6 +786,7 @@ done: sdap_pam_auth_reply(breq, dp_err, pd->pam_status); } +static void sdap_ldap_passwd_change_done(struct tevent_req *req); static void sdap_auth4chpass_done(struct tevent_req *req) { struct sdap_pam_chpass_state *state = @@ -791,6 +796,8 @@ static void sdap_auth4chpass_done(struct tevent_req *req) enum pwexpire pw_expire_type; void *pw_expire_data; int dp_err = DP_ERR_FATAL; + char *lastchanged_name; + char *password_name; int ret; ret = auth_recv(req, state, &state->sh, @@ -853,10 +860,31 @@ static void sdap_auth4chpass_done(struct tevent_req *req) case SDAP_AUTH_PW_EXPIRED: DEBUG(7, ("user [%s] successfully authenticated.\n", state->dn)); if (pw_expire_type == PWEXPIRE_SHADOW) { -/* TODO: implement async ldap modify request */ - DEBUG(1, ("Changing shadow password attributes not implemented.\n")); - state->pd->pam_status = PAM_MODULE_UNKNOWN; - goto done; + if (dp_opt_get_bool(state->ctx->opts->basic, + SDAP_CHPASS_UPDATE_LAST_CHANGE)) { + lastchanged_name = state->ctx->opts->user_map[SDAP_AT_SP_LSTCHG].name; + password_name = state->ctx->opts->user_map[SDAP_AT_USER_PWD].name; + + subreq = sdap_ldap_modify_passwd_send(state, + state->breq->be_ctx->ev, + state->sh, + state->dn, + state->new_password, + password_name, + lastchanged_name); + if (subreq == NULL) { + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + tevent_req_set_callback(subreq, sdap_ldap_passwd_change_done, state); + return; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Changing shadow password attributes not configured.\n")); + state->pd->pam_status = PAM_MODULE_UNKNOWN; + goto done; + } } else { subreq = sdap_exop_modify_passwd_send(state, state->breq->be_ctx->ev, @@ -935,9 +963,31 @@ static void sdap_pam_chpass_done(struct tevent_req *req) } } + done: sdap_pam_auth_reply(state->breq, dp_err, state->pd->pam_status); } + +static void sdap_ldap_passwd_change_done(struct tevent_req *req) +{ + struct sdap_pam_chpass_state *state = + tevent_req_callback_data(req, struct sdap_pam_chpass_state); + int dp_err = DP_ERR_FATAL; + errno_t ret; + + ret = sdap_ldap_modify_passwd_recv(req); + if (ret != EOK) { + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + dp_err = DP_ERR_OK; + state->pd->pam_status = PAM_SUCCESS; + +done: + sdap_pam_auth_reply(state->breq, dp_err, state->pd->pam_status); +} + /* ==Perform-User-Authentication-and-Password-Caching===================== */ struct sdap_pam_auth_state { diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index 786e06b3d936f0cb2c86b0df2a399c14913e03fe..6b2d3c9512942aab7a65a3f8f668e3688c47d15f 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -91,6 +91,7 @@ struct dp_option default_basic_opts[] = { { "ldap_access_order", DP_OPT_STRING, { "filter" }, NULL_STRING }, { "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_chpass_update_last_change", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }, /* Do not include ldap_auth_disable_tls_never_use_in_production in the * manpages or SSSDConfig API diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index 7bf1805c1798752e87d30e8173ea1b7c4944078b..87ef457b3bae8573b688347aebd1e19bf33d698a 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -202,6 +202,7 @@ enum sdap_basic_opt { SDAP_ACCESS_ORDER, SDAP_CHPASS_URI, SDAP_CHPASS_DNS_SERVICE_NAME, + SDAP_CHPASS_UPDATE_LAST_CHANGE, SDAP_ENUM_SEARCH_TIMEOUT, SDAP_DISABLE_AUTH_TLS, SDAP_PAGE_SIZE, diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c index c2f616bef13744916d2b0c5bab92524566959af9..8f748f76067888a6ed3aeeb7eb2c47781aa727e5 100644 --- a/src/providers/ldap/sdap_async.c +++ b/src/providers/ldap/sdap_async.c @@ -691,6 +691,153 @@ int sdap_exop_modify_passwd_recv(struct tevent_req *req, return EOK; } +/* ==Update-passwordLastChanged-attribute====================== */ +struct update_last_changed_state { + struct tevent_context *ev; + struct sdap_handle *sh; + struct sdap_op *op; + + const char *dn; + LDAPMod **mods; +}; + +static void sdap_ldap_modify_passwd_done(struct sdap_op *op, + struct sdap_msg *reply, + int error, void *pvt); + +struct tevent_req * +sdap_ldap_modify_passwd_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_handle *sh, + const char *dn, + char *password, + char *password_name, + char *lastchanged_name) +{ + struct tevent_req *req; + struct update_last_changed_state *state; + char **values; + errno_t ret; + int msgid; + + req = tevent_req_create(mem_ctx, &state, struct update_last_changed_state); + if (req == NULL) { + return NULL; + } + + state->ev = ev; + state->sh = sh; + state->dn = dn; + state->mods = talloc_zero_array(state, LDAPMod *, 3); + if (state->mods == NULL) { + ret = ENOMEM; + goto done; + } + state->mods[0] = talloc_zero(state->mods, LDAPMod); + state->mods[1] = talloc_zero(state->mods, LDAPMod); + if (!state->mods[0] || !state->mods[1]) { + ret = ENOMEM; + goto done; + } + values = talloc_zero_array(state->mods[0], char *, 2); + if (values == NULL) { + ret = ENOMEM; + goto done; + } + values[0] = talloc_asprintf(values, "%ld", (long)time(NULL)); + if (values[0] == NULL) { + ret = ENOMEM; + goto done; + } + state->mods[0]->mod_op = LDAP_MOD_REPLACE; + state->mods[0]->mod_type = lastchanged_name; + state->mods[0]->mod_vals.modv_strvals = values; + + values = talloc_zero_array(state->mods[1], char *, 2); + if (values == NULL) { + ret = ENOMEM; + goto done; + } + values[0] = talloc_strdup(values, password); + if (values[0] == NULL) { + ret = ENOMEM; + goto done; + } + state->mods[1]->mod_op = LDAP_MOD_REPLACE; + state->mods[1]->mod_type = password_name; + state->mods[1]->mod_vals.modv_strvals = values; + state->mods[2] = NULL; + + ret = ldap_modify_ext(state->sh->ldap, state->dn, state->mods, + NULL, NULL, &msgid); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to send operation!\n")); + goto done; + } + + ret = sdap_op_add(state, state->ev, state->sh, msgid, + sdap_ldap_modify_passwd_done, req, 5, &state->op); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to set up operation!\n")); + goto done; + } + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + return req; +} + +static void sdap_ldap_modify_passwd_done(struct sdap_op *op, + struct sdap_msg *reply, + int error, void *pvt) +{ + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + struct update_last_changed_state *state; + state = tevent_req_data(req, struct update_last_changed_state); + char *errmsg; + int result; + errno_t ret; + + if (error) { + tevent_req_error(req, error); + return; + } + + ret = ldap_parse_result(state->sh->ldap, reply->msg, + &result, NULL, &errmsg, NULL, + NULL, 0); + if (ret != LDAP_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, ("ldap_parse_result failed (%d)\n", + state->op->msgid)); + ret = EIO; + goto done; + } + + DEBUG(SSSDBG_OP_FAILURE, ("Updating lastPwdChange result: %s(%d), %s\n", + sss_ldap_err2string(result), + result, errmsg)); + +done: + ldap_memfree(errmsg); + + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } +} + +errno_t sdap_ldap_modify_passwd_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + + /* ==Fetch-RootDSE============================================= */ struct sdap_get_rootdse_state { diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h index 8f8af47d5b17792325eb504d0b25f3658bb766ba..b7531ee21c9d0a7fbcc63c79ea6319517c9eb8af 100644 --- a/src/providers/ldap/sdap_async.h +++ b/src/providers/ldap/sdap_async.h @@ -132,6 +132,17 @@ int sdap_exop_modify_passwd_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, enum sdap_result *result, char **user_error_msg); +struct tevent_req * +sdap_ldap_modify_passwd_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_handle *sh, + const char *dn, + char *password, + char *password_name, + char *lastchanged_name); + +errno_t sdap_ldap_modify_passwd_recv(struct tevent_req *req); + enum connect_tls { CON_TLS_DFL, CON_TLS_ON, -- 1.7.6.4
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel