Line data Source code
1 : /*
2 : SSSD
3 :
4 : ldap_access.c
5 :
6 : Authors:
7 : Simo Sorce <ssorce@redhat.com>
8 :
9 : Copyright (C) 2013 Red Hat
10 :
11 : This program is free software; you can redistribute it and/or modify
12 : it under the terms of the GNU General Public License as published by
13 : the Free Software Foundation; either version 3 of the License, or
14 : (at your option) any later version.
15 :
16 : This program is distributed in the hope that it will be useful,
17 : but WITHOUT ANY WARRANTY; without even the implied warranty of
18 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 : GNU General Public License for more details.
20 :
21 : You should have received a copy of the GNU General Public License
22 : along with this program. If not, see <http://www.gnu.org/licenses/>.
23 : */
24 :
25 : #include <security/pam_modules.h>
26 : #include "src/util/util.h"
27 : #include "src/providers/data_provider.h"
28 : #include "src/providers/dp_backend.h"
29 : #include "src/providers/ldap/sdap_access.h"
30 : #include "providers/ldap/ldap_common.h"
31 :
32 0 : static void sdap_access_reply(struct be_req *be_req, int pam_status)
33 : {
34 : struct pam_data *pd;
35 0 : pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
36 0 : pd->pam_status = pam_status;
37 :
38 0 : if (pam_status == PAM_SUCCESS || pam_status == PAM_PERM_DENIED
39 0 : || pam_status == PAM_ACCT_EXPIRED) {
40 0 : be_req_terminate(be_req, DP_ERR_OK, pam_status, NULL);
41 : } else {
42 0 : be_req_terminate(be_req, DP_ERR_FATAL, pam_status, NULL);
43 : }
44 0 : }
45 :
46 : static void sdap_access_done(struct tevent_req *req);
47 0 : void sdap_pam_access_handler(struct be_req *breq)
48 : {
49 0 : struct be_ctx *be_ctx = be_req_get_be_ctx(breq);
50 : struct pam_data *pd;
51 : struct tevent_req *req;
52 : struct sdap_access_ctx *access_ctx;
53 : struct sss_domain_info *dom;
54 :
55 0 : pd = talloc_get_type(be_req_get_data(breq), struct pam_data);
56 :
57 0 : access_ctx =
58 0 : talloc_get_type(be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
59 : struct sdap_access_ctx);
60 :
61 0 : dom = be_ctx->domain;
62 0 : if (strcasecmp(pd->domain, be_ctx->domain->name) != 0) {
63 : /* Subdomain request, verify subdomain */
64 0 : dom = find_domain_by_name(be_ctx->domain, pd->domain, true);
65 : }
66 :
67 0 : req = sdap_access_send(breq, be_ctx->ev, be_ctx,
68 : dom, access_ctx,
69 0 : access_ctx->id_ctx->conn,
70 : pd);
71 0 : if (req == NULL) {
72 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to start sdap_access request\n");
73 0 : sdap_access_reply(breq, PAM_SYSTEM_ERR);
74 0 : return;
75 : }
76 :
77 0 : tevent_req_set_callback(req, sdap_access_done, breq);
78 : }
79 :
80 0 : static void sdap_access_done(struct tevent_req *req)
81 : {
82 : errno_t ret;
83 : int pam_status;
84 0 : struct be_req *breq =
85 0 : tevent_req_callback_data(req, struct be_req);
86 :
87 0 : ret = sdap_access_recv(req);
88 0 : talloc_zfree(req);
89 0 : switch (ret) {
90 : case EOK:
91 0 : pam_status = PAM_SUCCESS;
92 0 : break;
93 : case ERR_ACCESS_DENIED:
94 0 : pam_status = PAM_PERM_DENIED;
95 0 : break;
96 : case ERR_ACCOUNT_EXPIRED:
97 0 : pam_status = PAM_ACCT_EXPIRED;
98 0 : break;
99 : case ERR_PASSWORD_EXPIRED:
100 0 : pam_status = PAM_PERM_DENIED;
101 0 : break;
102 : case ERR_PASSWORD_EXPIRED_REJECT:
103 0 : pam_status = PAM_PERM_DENIED;
104 0 : break;
105 : case ERR_PASSWORD_EXPIRED_WARN:
106 0 : pam_status = PAM_SUCCESS;
107 0 : break;
108 : case ERR_PASSWORD_EXPIRED_RENEW:
109 0 : pam_status = PAM_NEW_AUTHTOK_REQD;
110 0 : break;
111 : default:
112 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Error retrieving access check result.\n");
113 0 : pam_status = PAM_SYSTEM_ERR;
114 0 : break;
115 : }
116 :
117 0 : sdap_access_reply(breq, pam_status);
118 0 : }
|
