Line data Source code
1 : /*
2 : SSSD
3 :
4 : ldap_access.c
5 :
6 : Authors:
7 : Simo Sorce <ssorce@redhat.com>
8 :
9 : Copyright (C) 2013 Red Hat
10 :
11 : This program is free software; you can redistribute it and/or modify
12 : it under the terms of the GNU General Public License as published by
13 : the Free Software Foundation; either version 3 of the License, or
14 : (at your option) any later version.
15 :
16 : This program is distributed in the hope that it will be useful,
17 : but WITHOUT ANY WARRANTY; without even the implied warranty of
18 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 : GNU General Public License for more details.
20 :
21 : You should have received a copy of the GNU General Public License
22 : along with this program. If not, see <http://www.gnu.org/licenses/>.
23 : */
24 :
25 : #include <security/pam_modules.h>
26 : #include "src/util/util.h"
27 : #include "src/providers/data_provider.h"
28 : #include "src/providers/backend.h"
29 : #include "src/providers/ldap/sdap_access.h"
30 : #include "providers/ldap/ldap_common.h"
31 :
32 : struct sdap_pam_access_handler_state {
33 : struct pam_data *pd;
34 : };
35 :
36 : static void sdap_pam_access_handler_done(struct tevent_req *subreq);
37 :
38 : struct tevent_req *
39 0 : sdap_pam_access_handler_send(TALLOC_CTX *mem_ctx,
40 : struct sdap_access_ctx *access_ctx,
41 : struct pam_data *pd,
42 : struct dp_req_params *params)
43 : {
44 : struct sdap_pam_access_handler_state *state;
45 : struct tevent_req *subreq;
46 : struct tevent_req *req;
47 :
48 0 : req = tevent_req_create(mem_ctx, &state,
49 : struct sdap_pam_access_handler_state);
50 0 : if (req == NULL) {
51 0 : DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
52 0 : return NULL;
53 : }
54 :
55 0 : state->pd = pd;
56 :
57 0 : subreq = sdap_access_send(state, params->ev, params->be_ctx,
58 : params->domain, access_ctx,
59 0 : access_ctx->id_ctx->conn, pd);
60 0 : if (subreq == NULL) {
61 0 : pd->pam_status = PAM_SYSTEM_ERR;
62 0 : goto immediately;
63 : }
64 :
65 0 : tevent_req_set_callback(subreq, sdap_pam_access_handler_done, req);
66 :
67 0 : return req;
68 :
69 : immediately:
70 : /* TODO For backward compatibility we always return EOK to DP now. */
71 0 : tevent_req_done(req);
72 0 : tevent_req_post(req, params->ev);
73 :
74 0 : return req;
75 : }
76 :
77 0 : static void sdap_pam_access_handler_done(struct tevent_req *subreq)
78 : {
79 : struct sdap_pam_access_handler_state *state;
80 : struct tevent_req *req;
81 : errno_t ret;
82 :
83 0 : req = tevent_req_callback_data(subreq, struct tevent_req);
84 0 : state = tevent_req_data(req, struct sdap_pam_access_handler_state);
85 :
86 0 : ret = sdap_access_recv(subreq);
87 0 : talloc_free(subreq);
88 0 : switch (ret) {
89 : case EOK:
90 : case ERR_PASSWORD_EXPIRED_WARN:
91 0 : state->pd->pam_status = PAM_SUCCESS;
92 0 : break;
93 : case ERR_ACCOUNT_EXPIRED:
94 0 : state->pd->pam_status = PAM_ACCT_EXPIRED;
95 0 : break;
96 : case ERR_ACCESS_DENIED:
97 : case ERR_PASSWORD_EXPIRED:
98 : case ERR_PASSWORD_EXPIRED_REJECT:
99 0 : state->pd->pam_status = PAM_PERM_DENIED;
100 0 : break;
101 : case ERR_PASSWORD_EXPIRED_RENEW:
102 0 : state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
103 0 : break;
104 : default:
105 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Error retrieving access check result.\n");
106 0 : state->pd->pam_status = PAM_SYSTEM_ERR;
107 0 : break;
108 : }
109 :
110 : /* TODO For backward compatibility we always return EOK to DP now. */
111 0 : tevent_req_done(req);
112 0 : }
113 :
114 : errno_t
115 0 : sdap_pam_access_handler_recv(TALLOC_CTX *mem_ctx,
116 : struct tevent_req *req,
117 : struct pam_data **_data)
118 : {
119 0 : struct sdap_pam_access_handler_state *state = NULL;
120 :
121 0 : state = tevent_req_data(req, struct sdap_pam_access_handler_state);
122 :
123 0 : TEVENT_REQ_RETURN_ON_ERROR(req);
124 :
125 0 : *_data = talloc_steal(mem_ctx, state->pd);
126 :
127 0 : return EOK;
128 : }
|
