17c478bdstevel@tonic-gate/*
27c478bdstevel@tonic-gate * CDDL HEADER START
37c478bdstevel@tonic-gate *
47c478bdstevel@tonic-gate * The contents of this file are subject to the terms of the
5350f572sdussud * Common Development and Distribution License (the "License").
6350f572sdussud * You may not use this file except in compliance with the License.
77c478bdstevel@tonic-gate *
87c478bdstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bdstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
107c478bdstevel@tonic-gate * See the License for the specific language governing permissions
117c478bdstevel@tonic-gate * and limitations under the License.
127c478bdstevel@tonic-gate *
137c478bdstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
147c478bdstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bdstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
167c478bdstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
177c478bdstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bdstevel@tonic-gate *
197c478bdstevel@tonic-gate * CDDL HEADER END
207c478bdstevel@tonic-gate */
217c478bdstevel@tonic-gate/*
22a87701eGary Mills * Copyright 2015 Gary Mills
23350f572sdussud * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
247c478bdstevel@tonic-gate * Use is subject to license terms.
257c478bdstevel@tonic-gate */
267c478bdstevel@tonic-gate
277c478bdstevel@tonic-gate/*
287c478bdstevel@tonic-gate * DESCRIPTION: This is the N2L equivalent of changepasswd.c. The traditional
297c478bdstevel@tonic-gate *		version modifies the NIS source files and then initiates a
307c478bdstevel@tonic-gate *		ypmake to make the maps and push them.
317c478bdstevel@tonic-gate *
327c478bdstevel@tonic-gate *		For N2L there are no source files and the policy is that the
337c478bdstevel@tonic-gate *		definitive information is that contained in the DIT. Old
347c478bdstevel@tonic-gate *		information is read from LDAP. Assuming	this authenticates, and
357c478bdstevel@tonic-gate *		the change is acceptable, this information is modified and
367c478bdstevel@tonic-gate *		written back to LDAP.
377c478bdstevel@tonic-gate *
387c478bdstevel@tonic-gate *		Related map entries are then found and 	updated finally
397c478bdstevel@tonic-gate *		yppushes of the changed maps are initiated. Since the
407c478bdstevel@tonic-gate *		definitive information has already correctly been updated the
417c478bdstevel@tonic-gate *		code is tolerant of some errors during this operation.
427c478bdstevel@tonic-gate *
437c478bdstevel@tonic-gate *		What was previously in the maps is irrelevant.
447c478bdstevel@tonic-gate *
457c478bdstevel@tonic-gate *		Some less than perfect code (like inline constants for
467c478bdstevel@tonic-gate *		return values and a few globals) is retained from the original.
477c478bdstevel@tonic-gate */
487c478bdstevel@tonic-gate
497c478bdstevel@tonic-gate#include <sys/types.h>
507c478bdstevel@tonic-gate#include <sys/stat.h>
517c478bdstevel@tonic-gate#include <ctype.h>
527c478bdstevel@tonic-gate#include <unistd.h>
537c478bdstevel@tonic-gate#include <stdlib.h>
547c478bdstevel@tonic-gate#include <string.h>
557c478bdstevel@tonic-gate#include <stdio.h>
567c478bdstevel@tonic-gate#include <errno.h>
577c478bdstevel@tonic-gate#include <syslog.h>
587c478bdstevel@tonic-gate#include <pwd.h>
597c478bdstevel@tonic-gate#include <signal.h>
607c478bdstevel@tonic-gate#include <crypt.h>
617c478bdstevel@tonic-gate#include <rpc/rpc.h>
627c478bdstevel@tonic-gate#include <rpcsvc/yppasswd.h>
637c478bdstevel@tonic-gate#include <utmpx.h>
647c478bdstevel@tonic-gate#include <shadow.h>
657c478bdstevel@tonic-gate
667c478bdstevel@tonic-gate#include <ndbm.h>
677c478bdstevel@tonic-gate/* DO NOT INCLUDE SHIM_HOOKS.H */
687c478bdstevel@tonic-gate#include "shim.h"
697c478bdstevel@tonic-gate#include "yptol.h"
707c478bdstevel@tonic-gate#include "../ldap_util.h"
717c478bdstevel@tonic-gate
72a87701eGary Mills/*
73a87701eGary Mills * Undocumented external function in libnsl
74a87701eGary Mills */
75a87701eGary Millsextern int  getdomainname(char *, int);
76a87701eGary Mills
777c478bdstevel@tonic-gate/* Constants */
787c478bdstevel@tonic-gate#define	CRYPTPWSIZE CRYPT_MAXCIPHERTEXTLEN
797c478bdstevel@tonic-gate#define	STRSIZE 100
807c478bdstevel@tonic-gate#define	FINGERSIZE (4 * STRSIZE - 4)
817c478bdstevel@tonic-gate#define	SHELLSIZE (STRSIZE - 2)
827c478bdstevel@tonic-gate
837c478bdstevel@tonic-gate#define	UTUSERLEN (sizeof (((struct utmpx *)0)->ut_user))
847c478bdstevel@tonic-gate#define	COLON_CHAR ':'
857c478bdstevel@tonic-gate
867c478bdstevel@tonic-gate/*
877c478bdstevel@tonic-gate * Path to DBM files. This is only required for N2L mode. Traditional mode
887c478bdstevel@tonic-gate * works with the source files and uses the NIS Makefile to generate the maps.
897c478bdstevel@tonic-gate * Seems to be hard coded in the rest of NIS so same is done here.
907c478bdstevel@tonic-gate */
917c478bdstevel@tonic-gate#define	YPDBPATH "/var/yp"
927c478bdstevel@tonic-gate
937c478bdstevel@tonic-gate/* Names of password and adjunct mappings. Used to access DIT */
947c478bdstevel@tonic-gate#define	BYNAME ".byname"
957c478bdstevel@tonic-gate#define	BYUID ".byuid"
967c478bdstevel@tonic-gate#define	BYGID ".bygid"
977c478bdstevel@tonic-gate#define	PASSWD_MAPPING "passwd" BYNAME
987c478bdstevel@tonic-gate#define	PASSWD_ADJUNCT_MAPPING "passwd.adjunct" BYNAME
997c478bdstevel@tonic-gate#define	AGEING_MAPPING "ageing" BYNAME
1007c478bdstevel@tonic-gate
1017c478bdstevel@tonic-gate/* Bitmasks used in list of fields to change */
1027c478bdstevel@tonic-gate#define	CNG_PASSWD 	0x0001
1037c478bdstevel@tonic-gate#define	CNG_SH		0x0002
1047c478bdstevel@tonic-gate#define	CNG_GECOS	0x0004
1057c478bdstevel@tonic-gate
1067c478bdstevel@tonic-gate/* Globals :-( */
1077c478bdstevel@tonic-gateextern int single, nogecos, noshell, nopw, mflag;
1087c478bdstevel@tonic-gate
1097c478bdstevel@tonic-gate/*
1107c478bdstevel@tonic-gate * Structure for containing the information is currently in the DIT. This is
1117c478bdstevel@tonic-gate * similar to the passwd structure defined in getpwent(3C) apart from.
1127c478bdstevel@tonic-gate *
1137c478bdstevel@tonic-gate * 1. Since GID and UID are never changed they are not converted to integers.
1147c478bdstevel@tonic-gate * 2. There are extra fields to hold adjunct information.
1157c478bdstevel@tonic-gate * 3. There are extra fields to hold widely used information.
1167c478bdstevel@tonic-gate */
1177c478bdstevel@tonic-gatestruct passwd_entry {
1187c478bdstevel@tonic-gate	char 	*pw_name;
1197c478bdstevel@tonic-gate	char 	*pw_passwd;
1207c478bdstevel@tonic-gate	char	*pw_uid;
1217c478bdstevel@tonic-gate	char	*pw_gid;
1227c478bdstevel@tonic-gate	char	*pw_gecos;
1237c478bdstevel@tonic-gate	char	*pw_dir;
1247c478bdstevel@tonic-gate	char	*pw_shell;
1257c478bdstevel@tonic-gate	char	*adjunct_tail;	/* Tail of adjunct entry (opaque) */
1267c478bdstevel@tonic-gate	bool_t	adjunct;	/* Flag indicating if DIT has adjunct info */
1277c478bdstevel@tonic-gate	char	*pwd_str;	/* New password string */
1287c478bdstevel@tonic-gate	char	*adjunct_str;	/* New adjunct string */
1297c478bdstevel@tonic-gate};
1307c478bdstevel@tonic-gate
1317c478bdstevel@tonic-gate/* Prototypes */
1327c478bdstevel@tonic-gateextern bool_t validloginshell(char *sh, char *arg, int);
1337c478bdstevel@tonic-gateextern int    validstr(char *str, size_t size);
1347c478bdstevel@tonic-gate
1357c478bdstevel@tonic-gatesuc_code write_shadow_info(char *, struct spwd *);
1367c478bdstevel@tonic-gateint put_new_info(struct passwd_entry *, char *);
1377c478bdstevel@tonic-gatechar *create_pwd_str(struct passwd_entry *, bool_t);
1387c478bdstevel@tonic-gateint proc_domain(struct yppasswd *, bool_t, char *);
1397c478bdstevel@tonic-gateint proc_request(struct yppasswd *, struct passwd_entry *, bool_t, char *);
1407c478bdstevel@tonic-gateint modify_ent(struct yppasswd *, struct passwd_entry *t, bool_t, char *);
1417c478bdstevel@tonic-gateint get_change_list(struct yppasswd *, struct passwd_entry *);
1427c478bdstevel@tonic-gatestruct passwd_entry *get_old_info(char *, char *);
1437c478bdstevel@tonic-gatestatic char *get_next_token(char *, char **, char *);
1447c478bdstevel@tonic-gatevoid free_pwd_entry(struct passwd_entry *);
1457c478bdstevel@tonic-gatestruct spwd *get_old_shadow(char *, char *);
1467c478bdstevel@tonic-gatesuc_code decode_shadow_entry(datum *, struct spwd *);
1477c478bdstevel@tonic-gatevoid free_shadow_entry(struct spwd *);
1487c478bdstevel@tonic-gateint proc_maps(char *, struct passwd_entry *);
1497c478bdstevel@tonic-gateint proc_map_list(char **, char *, struct passwd_entry *, bool_t);
1507c478bdstevel@tonic-gateint update_single_map(char *, struct passwd_entry *, bool_t);
1517c478bdstevel@tonic-gatebool_t strend(char *s1, char *s2);
1527c478bdstevel@tonic-gate
1537c478bdstevel@tonic-gate/*
1547c478bdstevel@tonic-gate * FUNCTION:	shim_changepasswd()
1557c478bdstevel@tonic-gate *
1567c478bdstevel@tonic-gate * DESCRIPTION:	N2L version of changepasswd(). When this is called 'useshadow'
1577c478bdstevel@tonic-gate *		etc. will have been set up but are meaningless. We work out
1587c478bdstevel@tonic-gate *		what to change based on information from the DIT.
1597c478bdstevel@tonic-gate *
1607c478bdstevel@tonic-gate * INPUTS:	Identical to changepasswd()
1617c478bdstevel@tonic-gate *
1627c478bdstevel@tonic-gate * OUTPUTS:	Identical to changepasswd()
1637c478bdstevel@tonic-gate */
1647c478bdstevel@tonic-gatevoid
1657c478bdstevel@tonic-gateshim_changepasswd(SVCXPRT *transp)
1667c478bdstevel@tonic-gate{
1677c478bdstevel@tonic-gate	struct yppasswd yppwd;
1687c478bdstevel@tonic-gate	bool_t	root_on_master = FALSE;
1697c478bdstevel@tonic-gate	char domain[MAXNETNAMELEN+1];
1707c478bdstevel@tonic-gate	char **domain_list;
1717c478bdstevel@tonic-gate	int dom_count, i;
1727c478bdstevel@tonic-gate
1737c478bdstevel@tonic-gate	int	ret, ans = 2;	/* Answer codes */
1747c478bdstevel@tonic-gate
1757c478bdstevel@tonic-gate	/* Clean out yppwd ... maybe we don't trust RPC */
1767c478bdstevel@tonic-gate	memset(&yppwd, 0, sizeof (struct yppasswd));
1777c478bdstevel@tonic-gate
1787c478bdstevel@tonic-gate	/* Get the RPC args */
1797c478bdstevel@tonic-gate	if (!svc_getargs(transp, xdr_yppasswd, (caddr_t)&yppwd)) {
1807c478bdstevel@tonic-gate		svcerr_decode(transp);
1817c478bdstevel@tonic-gate		return;
1827c478bdstevel@tonic-gate	}
1837c478bdstevel@tonic-gate
1847c478bdstevel@tonic-gate	/* Perform basic validation */
1857c478bdstevel@tonic-gate	if ((!validstr(yppwd.newpw.pw_passwd, CRYPTPWSIZE)) ||
1867c478bdstevel@tonic-gate		(!validstr(yppwd.newpw.pw_name, UTUSERLEN)) ||
1877c478bdstevel@tonic-gate		(!validstr(yppwd.newpw.pw_gecos, FINGERSIZE)) ||
1887c478bdstevel@tonic-gate		(!validstr(yppwd.newpw.pw_shell, SHELLSIZE))) {
1897c478bdstevel@tonic-gate		svcerr_decode(transp);
1907c478bdstevel@tonic-gate		return;
1917c478bdstevel@tonic-gate	}
1927c478bdstevel@tonic-gate
1937c478bdstevel@tonic-gate	/*
1947c478bdstevel@tonic-gate	 * Special case: root on the master server can change other
1957c478bdstevel@tonic-gate	 * users' passwords without first entering the old password.
1967c478bdstevel@tonic-gate	 * We need to ensure that this is indeed root on the master
1977c478bdstevel@tonic-gate	 * server. (bug 1253949)
1987c478bdstevel@tonic-gate	 */
1997c478bdstevel@tonic-gate	if (strcmp(transp->xp_netid, "ticlts") == 0) {
2007c478bdstevel@tonic-gate		svc_local_cred_t cred;
2017c478bdstevel@tonic-gate		if (!svc_get_local_cred(transp, &cred)) {
2027c478bdstevel@tonic-gate			logmsg(MSG_NOTIMECHECK, LOG_ERR,
2037c478bdstevel@tonic-gate					"Couldn't get local user credentials");
2047c478bdstevel@tonic-gate		} else if (cred.ruid == 0)
2057c478bdstevel@tonic-gate			root_on_master = TRUE;
2067c478bdstevel@tonic-gate	}
2077c478bdstevel@tonic-gate
2087c478bdstevel@tonic-gate	/*
2097c478bdstevel@tonic-gate	 * Get the domain name. This is tricky because a N2L server may be
2107c478bdstevel@tonic-gate	 * handling multiple domains. There is nothing in the request to
2117c478bdstevel@tonic-gate	 * indicate which one we are trying to change a passwd for. First
2127c478bdstevel@tonic-gate	 * we try to get a list of password related domains from the mapping
2137c478bdstevel@tonic-gate	 * file.
2147c478bdstevel@tonic-gate	 */
215350f572sdussud	if (0 !=
216350f572sdussud	    (dom_count = get_mapping_yppasswdd_domain_list(&domain_list))) {
2177c478bdstevel@tonic-gate		/* Got a domain list ... process all the domains */
2187c478bdstevel@tonic-gate		for (i = 0; i < dom_count; i ++) {
2197c478bdstevel@tonic-gate			ret = proc_domain(&yppwd, root_on_master,
2207c478bdstevel@tonic-gate								domain_list[i]);
2217c478bdstevel@tonic-gate
2227c478bdstevel@tonic-gate			/* If one has worked don't care if others fail */
2237c478bdstevel@tonic-gate			if (0 != ans)
2247c478bdstevel@tonic-gate				ans = ret;
2257c478bdstevel@tonic-gate		}
2267c478bdstevel@tonic-gate	}
2277c478bdstevel@tonic-gate	else
2287c478bdstevel@tonic-gate	{
2297c478bdstevel@tonic-gate		/*
2307c478bdstevel@tonic-gate		 * There was no domain list in the mapping file. The
2317c478bdstevel@tonic-gate		 * traditional version of this code calls ypmake which picks
2327c478bdstevel@tonic-gate		 * up the domain returned by getdomainname(). Fall back to the
2337c478bdstevel@tonic-gate		 * same mechanism.
2347c478bdstevel@tonic-gate		 */
2357c478bdstevel@tonic-gate		if (0 > getdomainname(domain, MAXNETNAMELEN+1)) {
2367c478bdstevel@tonic-gate			logmsg(MSG_NOTIMECHECK, LOG_ERR,
2377c478bdstevel@tonic-gate					"Could not get any domain info");
2387c478bdstevel@tonic-gate		} else {
2397c478bdstevel@tonic-gate			/* Got one domain ... process it. */
2407c478bdstevel@tonic-gate			ans = proc_domain(&yppwd, root_on_master, domain);
2417c478bdstevel@tonic-gate		}
2427c478bdstevel@tonic-gate	}
2437c478bdstevel@tonic-gate
2447c478bdstevel@tonic-gate	/* Send reply packet */
2457c478bdstevel@tonic-gate	if (!svc_sendreply(transp, xdr_int, (char *)&ans))
2467c478bdstevel@tonic-gate		logmsg(MSG_NOTIMECHECK, LOG_WARNING,
2477c478bdstevel@tonic-gate						"could not reply to RPC call");
2487c478bdstevel@tonic-gate}
2497c478bdstevel@tonic-gate
2507c478bdstevel@tonic-gate/*
2517c478bdstevel@tonic-gate * FUNCTION : 	proc_domain()
2527c478bdstevel@tonic-gate *
2537c478bdstevel@tonic-gate * DESCRIPTION:	Process a request for one domain
2547c478bdstevel@tonic-gate *
2557c478bdstevel@tonic-gate * GIVEN :	Pointer to the request.
2567c478bdstevel@tonic-gate *		Root on master flag
2577c478bdstevel@tonic-gate *		Domain
2587c478bdstevel@tonic-gate *
2597c478bdstevel@tonic-gate * OUTPUTS :	Answer code for reply
2607c478bdstevel@tonic-gate */
2617c478bdstevel@tonic-gateint
2627c478bdstevel@tonic-gateproc_domain(struct yppasswd *yppwd, bool_t root_on_master, char *domain)
2637c478bdstevel@tonic-gate{
2647c478bdstevel@tonic-gate	struct passwd_entry *old_pwd;
2657c478bdstevel@tonic-gate	char	*p;
2667c478bdstevel@tonic-gate	int ans = 2;
2677c478bdstevel@tonic-gate
2687c478bdstevel@tonic-gate	/* security hole fix from original source */
2697c478bdstevel@tonic-gate	for (p = yppwd->newpw.pw_name; (*p != '\0'); p++)
2707c478bdstevel@tonic-gate		if ((*p == ':') || !(isprint(*p)))
2717c478bdstevel@tonic-gate			*p = '$';	/* you lose buckwheat */
2727c478bdstevel@tonic-gate	for (p = yppwd->newpw.pw_passwd; (*p != '\0'); p++)
2737c478bdstevel@tonic-gate		if ((*p == ':') || !(isprint(*p)))
2747c478bdstevel@tonic-gate			*p = '$';	/* you lose buckwheat */
2757c478bdstevel@tonic-gate
2767c478bdstevel@tonic-gate	/* Get old info from DIT for this domain */
2777c478bdstevel@tonic-gate	old_pwd = get_old_info(yppwd->newpw.pw_name, domain);
2787c478bdstevel@tonic-gate	if (NULL ==  old_pwd) {
2797c478bdstevel@tonic-gate		logmsg(MSG_NOTIMECHECK, LOG_ERR,
2807c478bdstevel@tonic-gate				"Could not get old information for %s in "
2817c478bdstevel@tonic-gate				"domain %s", yppwd->newpw.pw_name, domain);
2827c478bdstevel@tonic-gate		return (ans);
2837c478bdstevel@tonic-gate	}
2847c478bdstevel@tonic-gate
2857c478bdstevel@tonic-gate	/* Have a request that can be replied to */
2867c478bdstevel@tonic-gate	ans = proc_request(yppwd, old_pwd, root_on_master, domain);
2877c478bdstevel@tonic-gate	free_pwd_entry(old_pwd);
2887c478bdstevel@tonic-gate
2897c478bdstevel@tonic-gate	return (ans);
2907c478bdstevel@tonic-gate}
2917c478bdstevel@tonic-gate
2927c478bdstevel@tonic-gate/*
2937c478bdstevel@tonic-gate * FUNCTION :	proc_request()
2947c478bdstevel@tonic-gate *
2957c478bdstevel@tonic-gate * DESCRIPTION:	Process a request
2967c478bdstevel@tonic-gate *
2977c478bdstevel@tonic-gate * GIVEN :	Pointer to the request.
2987c478bdstevel@tonic-gate *		Pointer to old information from LDAP
2997c478bdstevel@tonic-gate *		Root on master flag
3007c478bdstevel@tonic-gate *		Domain
3017c478bdstevel@tonic-gate *
3027c478bdstevel@tonic-gate * OUTPUTS :	Answer code for reply
3037c478bdstevel@tonic-gate */
3047c478bdstevel@tonic-gateint
3057c478bdstevel@tonic-gateproc_request(struct yppasswd *yppwd, struct passwd_entry *old_pwd,
3067c478bdstevel@tonic-gate					bool_t root_on_master, char *domain)
3077c478bdstevel@tonic-gate{
3087c478bdstevel@tonic-gate	struct sigaction sa, osa1, osa2, osa3;
3097c478bdstevel@tonic-gate	int	ans;
3107c478bdstevel@tonic-gate
3117c478bdstevel@tonic-gate	/* Authenticate */
3127c478bdstevel@tonic-gate	if ((0 != strcmp(crypt(yppwd->oldpass, old_pwd->pw_passwd),
3137c478bdstevel@tonic-gate				old_pwd->pw_passwd)) && !root_on_master) {
3147c478bdstevel@tonic-gate		logmsg(MSG_NOTIMECHECK, LOG_NOTICE, "Passwd incorrect %s",
3157c478bdstevel@tonic-gate						yppwd->newpw.pw_name);
3167c478bdstevel@tonic-gate		return (7);
3177c478bdstevel@tonic-gate	}
3187c478bdstevel@tonic-gate
3197c478bdstevel@tonic-gate	/* Work out what we have to change and change it */
3207c478bdstevel@tonic-gate	ans = modify_ent(yppwd, old_pwd, root_on_master, domain);
3217c478bdstevel@tonic-gate	if (0 != ans)
3227c478bdstevel@tonic-gate		return (ans);
3237c478bdstevel@tonic-gate
3247c478bdstevel@tonic-gate	/*
3257c478bdstevel@tonic-gate	 * Generate passwd and adjunct map entries. This creates extra
3267c478bdstevel@tonic-gate	 * malloced strings in old_pwd. These will be freed when
3277c478bdstevel@tonic-gate	 * free_pwd_entry() is called to free up the rest of the structure.
3287c478bdstevel@tonic-gate	 */
3297c478bdstevel@tonic-gate	old_pwd->pwd_str = create_pwd_str(old_pwd, FALSE);
3307c478bdstevel@tonic-gate	if (NULL == old_pwd->pwd_str) {
3317c478bdstevel@tonic-gate		logmsg(MSG_NOTIMECHECK, LOG_ERR,
3327c478bdstevel@tonic-gate					"Could not create passwd entry");
3337c478bdstevel@tonic-gate		return (2);
3347c478bdstevel@tonic-gate	}
3357c478bdstevel@tonic-gate	if (old_pwd->adjunct) {
3367c478bdstevel@tonic-gate		old_pwd->adjunct_str = create_pwd_str(old_pwd, TRUE);
3377c478bdstevel@tonic-gate		if (NULL == old_pwd->adjunct_str) {
3387c478bdstevel@tonic-gate			logmsg(MSG_NOTIMECHECK, LOG_ERR,
3397c478bdstevel@tonic-gate					"Could not create adjunct entry");
3407c478bdstevel@tonic-gate			return (2);
3417c478bdstevel@tonic-gate		}
3427c478bdstevel@tonic-gate	} else {
3437c478bdstevel@tonic-gate		old_pwd->adjunct_str = NULL;
3447c478bdstevel@tonic-gate	}
3457c478bdstevel@tonic-gate
3467c478bdstevel@tonic-gate	/* Put the information back to DIT */
3477c478bdstevel@tonic-gate	ans = put_new_info(old_pwd, domain);
3487c478bdstevel@tonic-gate	if (0 != ans) {
3497c478bdstevel@tonic-gate		return (ans);
3507c478bdstevel@tonic-gate	}
3517c478bdstevel@tonic-gate
3527c478bdstevel@tonic-gate	/* Are going to be forking pushes, set up signals */
3537c478bdstevel@tonic-gate	memset(&sa, 0, sizeof (struct sigaction));
3547c478bdstevel@tonic-gate	sa.sa_handler = SIG_IGN;
3557c478bdstevel@tonic-gate	sigaction(SIGTSTP, &sa, (struct sigaction *)0);
3567c478bdstevel@tonic-gate	sigaction(SIGHUP,  &sa, &osa1);
3577c478bdstevel@tonic-gate	sigaction(SIGINT,  &sa, &osa2);
3587c478bdstevel@tonic-gate	sigaction(SIGQUIT, &sa, &osa3);
3597c478bdstevel@tonic-gate
3607c478bdstevel@tonic-gate	/* Update and push all the maps */
3617c478bdstevel@tonic-gate	ans = proc_maps(domain, old_pwd);
3627c478bdstevel@tonic-gate
3637c478bdstevel@tonic-gate	/* Tidy up signals */
3647c478bdstevel@tonic-gate	sigaction(SIGHUP,  &osa1, (struct sigaction *)0);
3657c478bdstevel@tonic-gate	sigaction(SIGINT,  &osa2, (struct sigaction *)0);
3667c478bdstevel@tonic-gate	sigaction(SIGQUIT, &osa3, (struct sigaction *)0);
3677c478bdstevel@tonic-gate
3687c478bdstevel@tonic-gate	return (ans);
3697c478bdstevel@tonic-gate}
3707c478bdstevel@tonic-gate
3717c478bdstevel@tonic-gate/*
3727c478bdstevel@tonic-gate * FUNCTION:	proc_maps()
3737c478bdstevel@tonic-gate *
3747c478bdstevel@tonic-gate * DESCRIPTION: Gets all the map lists and processes them.
3757c478bdstevel@tonic-gate *
3767c478bdstevel@tonic-gate * INPUTS:	Domain name
3777c478bdstevel@tonic-gate *		New info to write into maps
3787c478bdstevel@tonic-gate *
3797c478bdstevel@tonic-gate * OUTPUT :	Answer code
3807c478bdstevel@tonic-gate */
3817c478bdstevel@tonic-gateint
3827c478bdstevel@tonic-gateproc_maps(char *domain, struct passwd_entry *pwd)
3837c478bdstevel@tonic-gate{
3847c478bdstevel@tonic-gate	char	**map_list; 	/* Array of passwd or adjunct maps */
3857c478bdstevel@tonic-gate	int	ans = 0;
3867c478bdstevel@tonic-gate
3877c478bdstevel@tonic-gate	/* Get list of passwd maps from mapping file */
3887c478bdstevel@tonic-gate	map_list = get_passwd_list(FALSE, domain);
3897c478bdstevel@tonic-gate	if (map_list != NULL) {
3907c478bdstevel@tonic-gate		/* Process list of passwd maps */
3917c478bdstevel@tonic-gate		ans = proc_map_list(map_list, domain, pwd, FALSE);
3927c478bdstevel@tonic-gate		free_passwd_list(map_list);
3937c478bdstevel@tonic-gate		if (0 != ans)
3947c478bdstevel@tonic-gate			return (ans);
3957c478bdstevel@tonic-gate	}
3967c478bdstevel@tonic-gate
3977c478bdstevel@tonic-gate	/*
3987c478bdstevel@tonic-gate	 * If we get here either there were no passwd maps or there were
3997c478bdstevel@tonic-gate	 * some and they were processed successfully. Either case is good
4007c478bdstevel@tonic-gate	 * continue and process passwd.adjunct maps.
4017c478bdstevel@tonic-gate	 */
4027c478bdstevel@tonic-gate
4037c478bdstevel@tonic-gate	/* Get list of adjunct maps from mapping file */
4047c478bdstevel@tonic-gate	map_list = get_passwd_list(TRUE, domain);
4057c478bdstevel@tonic-gate	if (map_list != NULL) {
4067c478bdstevel@tonic-gate		/*
4077c478bdstevel@tonic-gate		 * Process list of adjunct maps. If the required information
4087c478bdstevel@tonic-gate		 * is not present in LDAP then the updates attempts will log
4097c478bdstevel@tonic-gate		 * an error. No need to make the check here
4107c478bdstevel@tonic-gate		 */
4117c478bdstevel@tonic-gate		ans = proc_map_list(map_list, domain, pwd, TRUE);
4127c478bdstevel@tonic-gate		free_passwd_list(map_list);
4137c478bdstevel@tonic-gate	}
4147c478bdstevel@tonic-gate
4157c478bdstevel@tonic-gate	return (ans);
4167c478bdstevel@tonic-gate}
4177c478bdstevel@tonic-gate
4187c478bdstevel@tonic-gate/*
4197c478bdstevel@tonic-gate * FUNCTION:	proc_map_list()
4207c478bdstevel@tonic-gate *
4217c478bdstevel@tonic-gate * DESCRIPTION: Finds entries in one list of map that need to be updated.
4227c478bdstevel@tonic-gate *		updates them and writes them back.
4237c478bdstevel@tonic-gate *
4247c478bdstevel@tonic-gate * INPUTS:	Null terminated list of maps to process.
4257c478bdstevel@tonic-gate *		Domain name
4267c478bdstevel@tonic-gate *		Information to write (including user name)
4277c478bdstevel@tonic-gate *		Flag indicating if this is the adjunct list
4287c478bdstevel@tonic-gate *
4297c478bdstevel@tonic-gate * OUTPUTS:	An error code
4307c478bdstevel@tonic-gate */
4317c478bdstevel@tonic-gateint
4327c478bdstevel@tonic-gateproc_map_list(char **map_list, char *domain,
4337c478bdstevel@tonic-gate				struct passwd_entry *pwd, bool_t adjunct_flag)
4347c478bdstevel@tonic-gate{
4357c478bdstevel@tonic-gate	char 	*myself = "proc_map_list";
4367c478bdstevel@tonic-gate	char	*map_name;
4377c478bdstevel@tonic-gate	char	cmdbuf[BUFSIZ];
4387c478bdstevel@tonic-gate	int	map_name_len = 0;
4397c478bdstevel@tonic-gate	int	index, ans = 0;
4407c478bdstevel@tonic-gate
4417c478bdstevel@tonic-gate	/* If this is a adjunct list check LDAP had some adjunct info */
4427c478bdstevel@tonic-gate	if ((adjunct_flag) && (!pwd->adjunct)) {
4437c478bdstevel@tonic-gate		logmsg(MSG_NOTIMECHECK, LOG_INFO,
4447c478bdstevel@tonic-gate			"Have adjunct map list but no adjunct data in DIT");
4457c478bdstevel@tonic-gate		/* Not a disaster */
4467c478bdstevel@tonic-gate		return (0);
4477c478bdstevel@tonic-gate	}
4487c478bdstevel@tonic-gate
4497c478bdstevel@tonic-gate	/* Allocate enough buffer to take longest map name */
4507c478bdstevel@tonic-gate	for (index = 0; map_list[index] != NULL; index ++)
4517c478bdstevel@tonic-gate		if (map_name_len < strlen(map_list[index]))
4527c478bdstevel@tonic-gate			map_name_len = strlen(map_list[index]);
4537c478bdstevel@tonic-gate	map_name_len += strlen(YPDBPATH);
4547c478bdstevel@tonic-gate	map_name_len += strlen(NTOL_PREFIX);
4557c478bdstevel@tonic-gate	map_name_len += strlen(domain);
4567c478bdstevel@tonic-gate	map_name_len += 3;
4577c478bdstevel@tonic-gate	if (NULL == (map_name = am(myself, map_name_len))) {
4587c478bdstevel@tonic-gate		logmsg(MSG_NOMEM, LOG_ERR, "Could not alloc map name");
4597c478bdstevel@tonic-gate		return (2);
4607c478bdstevel@tonic-gate	}
4617c478bdstevel@tonic-gate
4627c478bdstevel@tonic-gate	/* For all maps in list */
4637c478bdstevel@tonic-gate	for (index = 0; map_list[index] != NULL; index ++) {
4647c478bdstevel@tonic-gate
4657c478bdstevel@tonic-gate		/* Generate full map name */
4667c478bdstevel@tonic-gate		strcpy(map_name, YPDBPATH);
4677c478bdstevel@tonic-gate		add_separator(map_name);
4687c478bdstevel@tonic-gate		strcat(map_name, domain);
4697c478bdstevel@tonic-gate		add_separator(map_name);
4707c478bdstevel@tonic-gate		strcat(map_name, NTOL_PREFIX);
4717c478bdstevel@tonic-gate		strcat(map_name, map_list[index]);
4727c478bdstevel@tonic-gate
4737c478bdstevel@tonic-gate		if (0 != (ans = update_single_map(map_name, pwd, adjunct_flag)))
4747c478bdstevel@tonic-gate			break;
4757c478bdstevel@tonic-gate	}
4767c478bdstevel@tonic-gate
4777c478bdstevel@tonic-gate	/* Done with full map path */
4787c478bdstevel@tonic-gate	sfree(map_name);
4797c478bdstevel@tonic-gate
4807c478bdstevel@tonic-gate	/*
4817c478bdstevel@tonic-gate	 * If (ans != 0) then one more maps have failed. LDAP has however been
4827c478bdstevel@tonic-gate	 * updates. This is the definitive source for information there is no
4837c478bdstevel@tonic-gate	 * need to unwind. (This was probably due to maps that were already
4847c478bdstevel@tonic-gate	 * corrupt).
4857c478bdstevel@tonic-gate	 */
4867c478bdstevel@tonic-gate
4877c478bdstevel@tonic-gate	/*
4887c478bdstevel@tonic-gate	 * If it all worked fork off push operations for the maps. Since we
4897c478bdstevel@tonic-gate	 * want the map to end up with it's traditional name on the slave send
4907c478bdstevel@tonic-gate	 * the name without its LDAP_ prefix. The slave will call ypxfrd
4917c478bdstevel@tonic-gate	 * which, since it is running in N2L mode, will put the prefix back on
4927c478bdstevel@tonic-gate	 * before reading the file.
4937c478bdstevel@tonic-gate	 */
4947c478bdstevel@tonic-gate	if (mflag && (0 == ans)) {
4957c478bdstevel@tonic-gate		for (index = 0; (map_name = map_list[index]) != NULL;
4967c478bdstevel@tonic-gate								index ++) {
4977c478bdstevel@tonic-gate			if (fork() == 0) {
4987c478bdstevel@tonic-gate				/*
4997c478bdstevel@tonic-gate				 * Define full path to yppush. Probably also
5007c478bdstevel@tonic-gate				 * best for security.
5017c478bdstevel@tonic-gate				 */
5027c478bdstevel@tonic-gate				strcpy(cmdbuf, "/usr/lib/netsvc/yp/yppush ");
5037c478bdstevel@tonic-gate				strcat(cmdbuf, map_name);
5047c478bdstevel@tonic-gate				if (0 > system(cmdbuf))
5057c478bdstevel@tonic-gate					logmsg(MSG_NOTIMECHECK, LOG_ERR,
5067c478bdstevel@tonic-gate						"Could not initiate yppush");
5077c478bdstevel@tonic-gate				exit(0);
5087c478bdstevel@tonic-gate			}
5097c478bdstevel@tonic-gate		}
5107c478bdstevel@tonic-gate	}
5117c478bdstevel@tonic-gate	return (ans);
5127c478bdstevel@tonic-gate}
5137c478bdstevel@tonic-gate
5147c478bdstevel@tonic-gate/*
5157c478bdstevel@tonic-gate * FUNCTION :	update_single_map()
5167c478bdstevel@tonic-gate *
5177c478bdstevel@tonic-gate * DESCRIPTION:	Updates one map. This is messy because we want to lock the map
5187c478bdstevel@tonic-gate *		to prevent other processes from updating it at the same time.
5197c478bdstevel@tonic-gate *		This mandates that we open it using the shim. When we
5207c478bdstevel@tonic-gate *		write to it however we DO NOT want to write through to LDAP
5217c478bdstevel@tonic-gate *		i.e. do not want to use the shim.
5227c478bdstevel@tonic-gate *
5237c478bdstevel@tonic-gate *		Solution : Do not include shim_hooks.h but call the shim
5247c478bdstevel@tonic-gate *		versions of dbm_functions explicitly where needed.
5257c478bdstevel@tonic-gate *
5267c478bdstevel@tonic-gate * INPUT :	Full name of map
5277c478bdstevel@tonic-gate *		Information to write (including user name)
5287c478bdstevel@tonic-gate *		Flag indicating if this is an adjunct map.
5297c478bdstevel@tonic-gate *
5307c478bdstevel@tonic-gate * OUTPUT :	Answer code
5317c478bdstevel@tonic-gate *
5327c478bdstevel@tonic-gate */
5337c478bdstevel@tonic-gateint
5347c478bdstevel@tonic-gateupdate_single_map(char *map_name, struct passwd_entry *pwd, bool_t adjunct_flag)
5357c478bdstevel@tonic-gate{
5367c478bdstevel@tonic-gate	DBM	*map;
5377c478bdstevel@tonic-gate	int	res;
5387c478bdstevel@tonic-gate	datum	data, key;
5397c478bdstevel@tonic-gate
5407c478bdstevel@tonic-gate	/* Set up data */
5417c478bdstevel@tonic-gate	if (adjunct_flag)
5427c478bdstevel@tonic-gate		data.dptr = pwd->adjunct_str;
5437c478bdstevel@tonic-gate	else
5447c478bdstevel@tonic-gate		data.dptr = pwd->pwd_str;
5457c478bdstevel@tonic-gate	data.dsize = strlen(data.dptr);
5467c478bdstevel@tonic-gate
5477c478bdstevel@tonic-gate	/* Set up key dependent on which type of map this is */
5487c478bdstevel@tonic-gate	key.dptr = NULL;
5497c478bdstevel@tonic-gate	if (strend(map_name, BYNAME))
5507c478bdstevel@tonic-gate		key.dptr = pwd->pw_name;
5517c478bdstevel@tonic-gate	if (strend(map_name, BYUID))
5527c478bdstevel@tonic-gate		key.dptr = pwd->pw_uid;
5537c478bdstevel@tonic-gate	if (strend(map_name, BYGID))
5547c478bdstevel@tonic-gate		key.dptr = pwd->pw_gid;
5557c478bdstevel@tonic-gate
5567c478bdstevel@tonic-gate	if (NULL == key.dptr) {
5577c478bdstevel@tonic-gate		logmsg(MSG_NOTIMECHECK, LOG_ERR,
5587c478bdstevel@tonic-gate					"Unrecognized map type %s", map_name);
5597c478bdstevel@tonic-gate		return (0);		/* Next map */
5607c478bdstevel@tonic-gate	}
5617c478bdstevel@tonic-gate	key.dsize = strlen(key.dptr);
5627c478bdstevel@tonic-gate
5637c478bdstevel@tonic-gate	/* Open the map */
5647c478bdstevel@tonic-gate	map = shim_dbm_open(map_name, O_RDWR, 0600);
5657c478bdstevel@tonic-gate	if (NULL == map) {
5667c478bdstevel@tonic-gate		logmsg(MSG_NOTIMECHECK, LOG_ERR, "Could not open %s", map_name);
5677c478bdstevel@tonic-gate		return (0);		/* Next map */
5687c478bdstevel@tonic-gate	}
5697c478bdstevel@tonic-gate
5707c478bdstevel@tonic-gate	/* Lock map for update. Painful and may block but have to do it */
5717c478bdstevel@tonic-gate	if (SUCCESS != lock_map_update((map_ctrl *)map)) {
5727c478bdstevel@tonic-gate		logmsg(MSG_NOTIMECHECK, LOG_ERR,
5737c478bdstevel@tonic-gate				"Could not lock map %s for update", map_name);
5747c478bdstevel@tonic-gate		shim_dbm_close(map);
5757c478bdstevel@tonic-gate		return (2);
5767c478bdstevel@tonic-gate	}
5777c478bdstevel@tonic-gate
5787c478bdstevel@tonic-gate	/* Do the update use simple DBM operation */
5797c478bdstevel@tonic-gate	res = dbm_store(((map_ctrl *)map)->entries, key, data, DBM_REPLACE);
5807c478bdstevel@tonic-gate
5817c478bdstevel@tonic-gate	/* update entry TTL. If we fail not a problem will just timeout early */
5827c478bdstevel@tonic-gate	update_entry_ttl((map_ctrl *)map, &key, TTL_RAND);
5837c478bdstevel@tonic-gate
5847c478bdstevel@tonic-gate	/*
5857c478bdstevel@tonic-gate	 * Map has been modified so update YP_LAST_MODIFIED. In the vanilla
5867c478bdstevel@tonic-gate	 * NIS case this would have been done by the ypmake done after updating
5877c478bdstevel@tonic-gate	 * the passwd source file. If this fails not a great problem the map
5887c478bdstevel@tonic-gate	 */
5897c478bdstevel@tonic-gate	if (FAILURE == update_timestamp(((map_ctrl *)map)->entries)) {
5907c478bdstevel@tonic-gate		logmsg(MSG_NOTIMECHECK, LOG_ERR, "Could not update "
5917c478bdstevel@tonic-gate			"YP_LAST_MODIFIED %s will not be pushed this time",
5927c478bdstevel@tonic-gate			map_name);
5937c478bdstevel@tonic-gate	}
5947c478bdstevel@tonic-gate
5957c478bdstevel@tonic-gate	/*
5967c478bdstevel@tonic-gate	 * Possibly should hold the lock until after push is complete
5977c478bdstevel@tonic-gate	 * but this could deadlock if client is slow and ypxfrd also
5987c478bdstevel@tonic-gate	 * decides to do an update.
5997c478bdstevel@tonic-gate	 */
6007c478bdstevel@tonic-gate	unlock_map_update((map_ctrl *)map);
6017c478bdstevel@tonic-gate
6027c478bdstevel@tonic-gate	/* Close the map */
6037c478bdstevel@tonic-gate	shim_dbm_close(map);
6047c478bdstevel@tonic-gate
6057c478bdstevel@tonic-gate	if (0 != res) {
6067c478bdstevel@tonic-gate		logmsg(MSG_NOTIMECHECK, LOG_ERR,
6077c478bdstevel@tonic-gate					"Could not update map %s", map_name);
6087c478bdstevel@tonic-gate		return (2);
6097c478bdstevel@tonic-gate	}
6107c478bdstevel@tonic-gate
6117c478bdstevel@tonic-gate	return (0);
6127c478bdstevel@tonic-gate}
6137c478bdstevel@tonic-gate
6147c478bdstevel@tonic-gate/*
6157c478bdstevel@tonic-gate * FUNCTION :	strend()
6167c478bdstevel@tonic-gate *
6177c478bdstevel@tonic-gate * DESCRIPTION:	Determines if one string ends with another.
6187c478bdstevel@tonic-gate */
6197c478bdstevel@tonic-gatebool_t
6207c478bdstevel@tonic-gatestrend(char *s1, char *s2)
6217c478bdstevel@tonic-gate{
6227c478bdstevel@tonic-gate	int len_dif;
6237c478bdstevel@tonic-gate
6247c478bdstevel@tonic-gate	len_dif = strlen(s1) - strlen(s2);
6257c478bdstevel@tonic-gate	if (0 > len_dif)
6267c478bdstevel@tonic-gate		return (FALSE);
6277c478bdstevel@tonic-gate	if (0 == strcmp(s1 + len_dif, s2))
6287c478bdstevel@tonic-gate		return (TRUE);
6297c478bdstevel@tonic-gate	return (FALSE);
6307c478bdstevel@tonic-gate}
6317c478bdstevel@tonic-gate
6327c478bdstevel@tonic-gate/*
6337c478bdstevel@tonic-gate * FUNCTION:	modify_ent()
6347c478bdstevel@tonic-gate *
6357c478bdstevel@tonic-gate * DESCRIPTION: Modify an entry to reflect a request.
6367c478bdstevel@tonic-gate *
6377c478bdstevel@tonic-gate * INPUT:	Pointer to the request.
6387c478bdstevel@tonic-gate *		Pointer to the entry to modify.
6397c478bdstevel@tonic-gate *		Flag indication if we are root on master
6407c478bdstevel@tonic-gate *		Domain
6417c478bdstevel@tonic-gate *
6427c478bdstevel@tonic-gate * OUTPUT:	Error code
6437c478bdstevel@tonic-gate */
6447c478bdstevel@tonic-gateint
6457c478bdstevel@tonic-gatemodify_ent(struct yppasswd *yppwd, struct passwd_entry *old_ent,
6467c478bdstevel@tonic-gate					bool_t root_on_master, char *domain)
6477c478bdstevel@tonic-gate{
6487c478bdstevel@tonic-gate	int change_list;
6497c478bdstevel@tonic-gate	struct spwd *shadow;
6507c478bdstevel@tonic-gate	time_t now;
6517c478bdstevel@tonic-gate
6527c478bdstevel@tonic-gate	/* Get list of changes */
6537c478bdstevel@tonic-gate	change_list = get_change_list(yppwd, old_ent);
6547c478bdstevel@tonic-gate
6557c478bdstevel@tonic-gate	if (!change_list) {
6567c478bdstevel@tonic-gate		logmsg(MSG_NOTIMECHECK, LOG_NOTICE,
6577c478bdstevel@tonic-gate				"No change for %s", yppwd->newpw.pw_name);
6587c478bdstevel@tonic-gate		return (3);
6597c478bdstevel@tonic-gate	}
6607c478bdstevel@tonic-gate
6617c478bdstevel@tonic-gate	/* Check that the shell we have been given is acceptable. */
6627c478bdstevel@tonic-gate	if ((change_list & CNG_SH) && (!validloginshell(old_ent->pw_shell,
6637c478bdstevel@tonic-gate					yppwd->newpw.pw_shell, root_on_master)))
6647c478bdstevel@tonic-gate		return (2);
6657c478bdstevel@tonic-gate
6667c478bdstevel@tonic-gate	/*
6677c478bdstevel@tonic-gate	 * If changing the password do any aging checks.
6687c478bdstevel@tonic-gate	 * Since there are no shadow maps this is done by accessing
6697c478bdstevel@tonic-gate	 * attributes in the DIT via the mapping system.
6707c478bdstevel@tonic-gate	 */
6717c478bdstevel@tonic-gate	if (change_list & CNG_PASSWD) {
6727c478bdstevel@tonic-gate
6737c478bdstevel@tonic-gate		/* Try to get shadow information */
6747c478bdstevel@tonic-gate		shadow = get_old_shadow(yppwd->newpw.pw_name, domain);
6757c478bdstevel@tonic-gate
6767c478bdstevel@tonic-gate		/* If there is shadow information make password aging checks */
6777c478bdstevel@tonic-gate		if (NULL != shadow) {
6787c478bdstevel@tonic-gate			now = DAY_NOW;
6797c478bdstevel@tonic-gate			/* password aging - bug for bug compatibility */
6807c478bdstevel@tonic-gate			if (shadow->sp_max != -1) {
6817c478bdstevel@tonic-gate				if (now < shadow->sp_lstchg + shadow->sp_min) {
6827c478bdstevel@tonic-gate					logmsg(MSG_NOTIMECHECK, LOG_ERR,
6837c478bdstevel@tonic-gate					"Sorry: < %ld days since "
6847c478bdstevel@tonic-gate					"the last change", shadow->sp_min);
6857c478bdstevel@tonic-gate					free_shadow_entry(shadow);
6867c478bdstevel@tonic-gate					return (2);
6877c478bdstevel@tonic-gate				}
6887c478bdstevel@tonic-gate		}
6897c478bdstevel@tonic-gate
6907c478bdstevel@tonic-gate			/* Update time of change */
6917c478bdstevel@tonic-gate			shadow->sp_lstchg = now;
6927c478bdstevel@tonic-gate
6937c478bdstevel@tonic-gate			/* Write it back */
6947c478bdstevel@tonic-gate			write_shadow_info(domain, shadow);
6957c478bdstevel@tonic-gate
6967c478bdstevel@tonic-gate			free_shadow_entry(shadow);
6977c478bdstevel@tonic-gate		}
6987c478bdstevel@tonic-gate	}
6997c478bdstevel@tonic-gate
7007c478bdstevel@tonic-gate	/* Make changes to old entity */
7017c478bdstevel@tonic-gate	if (change_list & CNG_GECOS) {
7027c478bdstevel@tonic-gate		if (NULL != old_ent->pw_gecos)
7037c478bdstevel@tonic-gate			sfree(old_ent->pw_gecos);
7047c478bdstevel@tonic-gate		old_ent->pw_gecos = strdup(yppwd->newpw.pw_gecos);
7057c478bdstevel@tonic-gate		if (NULL == old_ent->pw_gecos) {
7067c478bdstevel@tonic-gate			logmsg(MSG_NOMEM, LOG_ERR, "Could not allocate gecos");
7077c478bdstevel@tonic-gate			return (2);
7087c478bdstevel@tonic-gate		}
7097c478bdstevel@tonic-gate	}
7107c478bdstevel@tonic-gate
7117c478bdstevel@tonic-gate	if (change_list & CNG_SH) {
7127c478bdstevel@tonic-gate		if (NULL != old_ent->pw_shell)
7137c478bdstevel@tonic-gate			sfree(old_ent->pw_shell);
7147c478bdstevel@tonic-gate		old_ent->pw_shell = strdup(yppwd->newpw.pw_shell);
7157c478bdstevel@tonic-gate		if (NULL == old_ent->pw_shell) {
7167c478bdstevel@tonic-gate			logmsg(MSG_NOMEM, LOG_ERR, "Could not allocate shell");
7177c478bdstevel@tonic-gate			return (2);
7187c478bdstevel@tonic-gate		}
7197c478bdstevel@tonic-gate	}
7207c478bdstevel@tonic-gate
7217c478bdstevel@tonic-gate	if (change_list & CNG_PASSWD) {
7227c478bdstevel@tonic-gate		if (NULL != old_ent->pw_passwd)
7237c478bdstevel@tonic-gate			sfree(old_ent->pw_passwd);
7247c478bdstevel@tonic-gate		old_ent->pw_passwd = strdup(yppwd->newpw.pw_passwd);
7257c478bdstevel@tonic-gate		if (NULL == old_ent->pw_passwd) {
7267c478bdstevel@tonic-gate			logmsg(MSG_NOMEM, LOG_ERR, "Could not allocate passwd");
7277c478bdstevel@tonic-gate			return (2);
7287c478bdstevel@tonic-gate		}
7297c478bdstevel@tonic-gate	}
7307c478bdstevel@tonic-gate
7317c478bdstevel@tonic-gate	return (0);
7327c478bdstevel@tonic-gate}
7337c478bdstevel@tonic-gate
7347c478bdstevel@tonic-gate/*
7357c478bdstevel@tonic-gate * FUNCTION :	get_change_list()
7367c478bdstevel@tonic-gate *
7377c478bdstevel@tonic-gate * DESCRIPTION:	Works out what we have to change.
7387c478bdstevel@tonic-gate *
7397c478bdstevel@tonic-gate * INPUTS :	Request.
7407c478bdstevel@tonic-gate *		Structure containing current state of entry
7417c478bdstevel@tonic-gate *
7427c478bdstevel@tonic-gate * OUTPUTS :	A bitmask signaling what to change. (Implemented in this
7437c478bdstevel@tonic-gate *		way to make it easy to pass between functions).
7447c478bdstevel@tonic-gate */
7457c478bdstevel@tonic-gateint
7467c478bdstevel@tonic-gateget_change_list(struct yppasswd *yppwd, struct passwd_entry *old_ent)
7477c478bdstevel@tonic-gate{
7487c478bdstevel@tonic-gate	int list = 0;
7497c478bdstevel@tonic-gate	char *p;
7507c478bdstevel@tonic-gate
7517c478bdstevel@tonic-gate	p = yppwd->newpw.pw_passwd;
7527c478bdstevel@tonic-gate	if ((!nopw) &&
7537c478bdstevel@tonic-gate		p && *p &&
7547c478bdstevel@tonic-gate		!(*p++ == '#' && *p++ == '#' &&
7557c478bdstevel@tonic-gate		(strcmp(p, old_ent->pw_name) == 0)) &&
7567c478bdstevel@tonic-gate		(strcmp(crypt(old_ent->pw_passwd,
7577c478bdstevel@tonic-gate			yppwd->newpw.pw_passwd), yppwd->newpw.pw_passwd) != 0))
7587c478bdstevel@tonic-gate		list |= CNG_PASSWD;
7597c478bdstevel@tonic-gate
7607c478bdstevel@tonic-gate	if ((NULL != old_ent->pw_shell) &&
7617c478bdstevel@tonic-gate		(!noshell) &&
7627c478bdstevel@tonic-gate		(strcmp(old_ent->pw_shell, yppwd->newpw.pw_shell) != 0)) {
7637c478bdstevel@tonic-gate		if (single)
7647c478bdstevel@tonic-gate			list = 0;
7657c478bdstevel@tonic-gate		list |= CNG_SH;
7667c478bdstevel@tonic-gate	}
7677c478bdstevel@tonic-gate
7687c478bdstevel@tonic-gate	if ((NULL != old_ent->pw_gecos) &&
7697c478bdstevel@tonic-gate		(!nogecos) &&
7707c478bdstevel@tonic-gate		(strcmp(old_ent->pw_gecos, yppwd->newpw.pw_gecos) != 0)) {
7717c478bdstevel@tonic-gate		if (single)
7727c478bdstevel@tonic-gate			list = 0;
7737c478bdstevel@tonic-gate		list |= CNG_GECOS;
7747c478bdstevel@tonic-gate	}
7757c478bdstevel@tonic-gate
7767c478bdstevel@tonic-gate	return (list);
7777c478bdstevel@tonic-gate}
7787c478bdstevel@tonic-gate
7797c478bdstevel@tonic-gate/*
7807c478bdstevel@tonic-gate * FUNCTION :	decode_pwd_entry()
7817c478bdstevel@tonic-gate *
7827c478bdstevel@tonic-gate * DESCRIPTION:	Pulls apart a password entry. Because the password entry has
7837c478bdstevel@tonic-gate *		come from the mapping system it can be assumed to be correctly
7847c478bdstevel@tonic-gate *		formatted and relatively simple parsing can be done.
7857c478bdstevel@tonic-gate *
7867c478bdstevel@tonic-gate *		Substrings are put into malloced memory. Caller to free.
7877c478bdstevel@tonic-gate *
7887c478bdstevel@tonic-gate *		For adjunct files most of it is left empty.
7897c478bdstevel@tonic-gate *
7907c478bdstevel@tonic-gate *		It would be nice to use getpwent and friends for this work but
7917c478bdstevel@tonic-gate *		these only seem to exist for files and it seems excessive to
7927c478bdstevel@tonic-gate *		create a temporary file for this operation.
7937c478bdstevel@tonic-gate *
7947c478bdstevel@tonic-gate * INPUTS:	Pointer to datum containing password string.
7957c478bdstevel@tonic-gate *		Pointer to structure in which to return results
7967c478bdstevel@tonic-gate *		Flag indicating if we are decoding passwd or passwd.adjunct
7977c478bdstevel@tonic-gate *
7987c478bdstevel@tonic-gate * OUTPUTS:	SUCCESS = Decoded successfully
7997c478bdstevel@tonic-gate *		FAILURE = Not decoded successfully. Caller to tidy up.
8007c478bdstevel@tonic-gate */
8017c478bdstevel@tonic-gatesuc_code
8027c478bdstevel@tonic-gatedecode_pwd_entry(datum *data, struct passwd_entry *pwd, bool_t adjunct)
8037c478bdstevel@tonic-gate{
8047c478bdstevel@tonic-gate	char *myself = "decode_pwd_entry";
8057c478bdstevel@tonic-gate	char *p, *str_end, *temp;
8067c478bdstevel@tonic-gate
8077c478bdstevel@tonic-gate	/* Work out last location in string */
8087c478bdstevel@tonic-gate	str_end = data->dptr + data->dsize;
8097c478bdstevel@tonic-gate
8107c478bdstevel@tonic-gate	/* Name */
8117c478bdstevel@tonic-gate	if (NULL == (p = get_next_token(data->dptr, &temp, str_end)))
8127c478bdstevel@tonic-gate		return (FAILURE);
8137c478bdstevel@tonic-gate	if (adjunct) {
8147c478bdstevel@tonic-gate		/* If we found an adjunct version this is the one to use */
8157c478bdstevel@tonic-gate		if (NULL != pwd->pw_name)
8167c478bdstevel@tonic-gate			sfree(pwd->pw_name);
8177c478bdstevel@tonic-gate	}
8187c478bdstevel@tonic-gate	pwd->pw_name = temp;
8197c478bdstevel@tonic-gate
8207c478bdstevel@tonic-gate	/* Password */
8217c478bdstevel@tonic-gate	if (NULL == (p = get_next_token(p, &temp, str_end)))
8227c478bdstevel@tonic-gate		return (FAILURE);
8237c478bdstevel@tonic-gate	if (adjunct) {
8247c478bdstevel@tonic-gate		/* If we found an adjunct version this is the one to use */
8257c478bdstevel@tonic-gate		if (NULL != pwd->pw_passwd)
8267c478bdstevel@tonic-gate			sfree(pwd->pw_passwd);
8277c478bdstevel@tonic-gate	}
8287c478bdstevel@tonic-gate	pwd->pw_passwd = temp;
8297c478bdstevel@tonic-gate
8307c478bdstevel@tonic-gate	if (adjunct) {
8317c478bdstevel@tonic-gate		/* Store adjunct information in opaque string */
8327c478bdstevel@tonic-gate		pwd->adjunct_tail = am(myself, str_end - p + 1);
8337c478bdstevel@tonic-gate		if (NULL == pwd->adjunct_tail)
8347c478bdstevel@tonic-gate			return (FAILURE);
8357c478bdstevel@tonic-gate		strncpy(pwd->adjunct_tail, p, str_end - p);
8367c478bdstevel@tonic-gate		pwd->adjunct_tail[str_end - p] = '\0';
8377c478bdstevel@tonic-gate
8387c478bdstevel@tonic-gate		/* Remember that LDAP contained adjunct data */
8397c478bdstevel@tonic-gate		pwd->adjunct = TRUE;
8407c478bdstevel@tonic-gate		return (SUCCESS);
8417c478bdstevel@tonic-gate	}
8427c478bdstevel@tonic-gate
8437c478bdstevel@tonic-gate	/* If we get here not adjunct. Decode rest of passwd */
8447c478bdstevel@tonic-gate
8457c478bdstevel@tonic-gate	/* UID */
8467c478bdstevel@tonic-gate	if (NULL == (p = get_next_token(p, &(pwd->pw_uid), str_end)))
8477c478bdstevel@tonic-gate		return (FAILURE);
8487c478bdstevel@tonic-gate
8497c478bdstevel@tonic-gate	/* GID */
8507c478bdstevel@tonic-gate	if (NULL == (p = get_next_token(p, &(pwd->pw_gid), str_end)))
8517c478bdstevel@tonic-gate		return (FAILURE);
8527c478bdstevel@tonic-gate
8537c478bdstevel@tonic-gate	/* Gecos */
8547c478bdstevel@tonic-gate	if (NULL == (p = get_next_token(p, &(pwd->pw_gecos), str_end)))
8557c478bdstevel@tonic-gate		return (FAILURE);
8567c478bdstevel@tonic-gate
8577c478bdstevel@tonic-gate	/* Home dir */
8587c478bdstevel@tonic-gate	if (NULL == (p = get_next_token(p, &(pwd->pw_dir), str_end)))
8597c478bdstevel@tonic-gate		return (FAILURE);
8607c478bdstevel@tonic-gate
8617c478bdstevel@tonic-gate	/* Shell may not be present so don't check return */
8627c478bdstevel@tonic-gate	get_next_token(p, &(pwd->pw_shell), str_end);
8637c478bdstevel@tonic-gate
8647c478bdstevel@tonic-gate	if (NULL == pwd->pw_shell)
8657c478bdstevel@tonic-gate		return (FAILURE);
8667c478bdstevel@tonic-gate
8677c478bdstevel@tonic-gate	return (SUCCESS);
8687c478bdstevel@tonic-gate}
8697c478bdstevel@tonic-gate
8707c478bdstevel@tonic-gate/*
8717c478bdstevel@tonic-gate * FUNCTION :	get_next_token()
8727c478bdstevel@tonic-gate *
8737c478bdstevel@tonic-gate * DESCRIPTION:	Gets the next token from a string upto the next colon or the
8747c478bdstevel@tonic-gate *		end of the string. The duplicates this token into malloced
8757c478bdstevel@tonic-gate *		memory removing any spaces.
8767c478bdstevel@tonic-gate *
8777c478bdstevel@tonic-gate * INPUTS :	String to search for token. NOT NULL TERMINATED
8787c478bdstevel@tonic-gate *		Location to return result (NULL if result not required)
8797c478bdstevel@tonic-gate *		Last location in string
8807c478bdstevel@tonic-gate *
8817c478bdstevel@tonic-gate * OUTPUT :	Pointer into the string immediately after the token.
8827c478bdstevel@tonic-gate *		NULL if end of string reached or error.
8837c478bdstevel@tonic-gate */
8847c478bdstevel@tonic-gatestatic char *
8857c478bdstevel@tonic-gateget_next_token(char *str, char **op, char *str_end)
8867c478bdstevel@tonic-gate{
8877c478bdstevel@tonic-gate	char *myself = "get_next_token";
8887c478bdstevel@tonic-gate	char *p, *tok_start, *tok_end;
8897c478bdstevel@tonic-gate
8907c478bdstevel@tonic-gate	p = str;
8917c478bdstevel@tonic-gate	/* Skip leading whitespace */
8927c478bdstevel@tonic-gate	while (' ' == *p)
8937c478bdstevel@tonic-gate		p++;
8947c478bdstevel@tonic-gate	tok_start = p;
8957c478bdstevel@tonic-gate	tok_end = p;
8967c478bdstevel@tonic-gate
8977c478bdstevel@tonic-gate	while ((str_end + 1 != p) && (COLON_CHAR != *p)) {
8987c478bdstevel@tonic-gate		if (' ' != *p)
8997c478bdstevel@tonic-gate			tok_end = p;
9007c478bdstevel@tonic-gate		p++;
9017c478bdstevel@tonic-gate	}
9027c478bdstevel@tonic-gate
9037c478bdstevel@tonic-gate	/* Required string is now between start and end */
9047c478bdstevel@tonic-gate	if (NULL != op) {
9057c478bdstevel@tonic-gate		*op = am(myself, tok_end - tok_start + 2);
9067c478bdstevel@tonic-gate		if (NULL == *op) {
9077c478bdstevel@tonic-gate			logmsg(MSG_NOMEM, LOG_ERR,
9087c478bdstevel@tonic-gate					"Could not alloc memory for token");
9097c478bdstevel@tonic-gate			return (NULL);
9107c478bdstevel@tonic-gate		}
9117c478bdstevel@tonic-gate		strncpy(*op, tok_start, tok_end - tok_start + 1);
9127c478bdstevel@tonic-gate
9137c478bdstevel@tonic-gate		/* Terminate token */
9147c478bdstevel@tonic-gate		(*op)[tok_end - tok_start + 1] = '\0';
9157c478bdstevel@tonic-gate
9167c478bdstevel@tonic-gate	}
9177c478bdstevel@tonic-gate
9187c478bdstevel@tonic-gate	/* Check if we reached the end of the input string */
9197c478bdstevel@tonic-gate	if ('\0' == *p)
9207c478bdstevel@tonic-gate		return (NULL);
9217c478bdstevel@tonic-gate
9227c478bdstevel@tonic-gate	/* There is some more */
9237c478bdstevel@tonic-gate	p++;
9247c478bdstevel@tonic-gate	return (p);
9257c478bdstevel@tonic-gate}
9267c478bdstevel@tonic-gate
9277c478bdstevel@tonic-gate/*
9287c478bdstevel@tonic-gate * FUNCTION :	free_pwd_entry()
9297c478bdstevel@tonic-gate *
9307c478bdstevel@tonic-gate * DESCRIPTION:	Frees up a pwd_entry structure and its contents.
9317c478bdstevel@tonic-gate *
9327c478bdstevel@tonic-gate * INPUTS:	Pointer to the structure to free.
9337c478bdstevel@tonic-gate *
9347c478bdstevel@tonic-gate * OUTPUT:	Nothing
9357c478bdstevel@tonic-gate */
9367c478bdstevel@tonic-gatevoid
9377c478bdstevel@tonic-gatefree_pwd_entry(struct passwd_entry *pwd)
9387c478bdstevel@tonic-gate{
9397c478bdstevel@tonic-gate	/* Free up strings */
9407c478bdstevel@tonic-gate	if (NULL != pwd->pw_name)
9417c478bdstevel@tonic-gate		sfree(pwd->pw_name);
9427c478bdstevel@tonic-gate
9437c478bdstevel@tonic-gate	if (NULL != pwd->pw_passwd)
9447c478bdstevel@tonic-gate		sfree(pwd->pw_passwd);
9457c478bdstevel@tonic-gate
9467c478bdstevel@tonic-gate	if (NULL != pwd->pw_gecos)
9477c478bdstevel@tonic-gate		sfree(pwd->pw_gecos);
9487c478bdstevel@tonic-gate
9497c478bdstevel@tonic-gate	if (NULL != pwd->pw_shell)
9507c478bdstevel@tonic-gate		sfree(pwd->pw_shell);
9517c478bdstevel@tonic-gate
9527c478bdstevel@tonic-gate	if (NULL != pwd->pw_dir)
9537c478bdstevel@tonic-gate		sfree(pwd->pw_dir);
9547c478bdstevel@tonic-gate
9557c478bdstevel@tonic-gate	if (NULL != pwd->adjunct_tail)
9567c478bdstevel@tonic-gate		sfree(pwd->adjunct_tail);
9577c478bdstevel@tonic-gate
9587c478bdstevel@tonic-gate	if (NULL != pwd->pwd_str)
9597c478bdstevel@tonic-gate		sfree(pwd->pwd_str);
9607c478bdstevel@tonic-gate
9617c478bdstevel@tonic-gate	if (NULL != pwd->adjunct_str)
9627c478bdstevel@tonic-gate		sfree(pwd->adjunct_str);
9637c478bdstevel@tonic-gate
9647c478bdstevel@tonic-gate	/* Free up structure */
9657c478bdstevel@tonic-gate	sfree(pwd);
9667c478bdstevel@tonic-gate}
9677c478bdstevel@tonic-gate
9687c478bdstevel@tonic-gate/*
9697c478bdstevel@tonic-gate * FUNCTION :	create_pwd_str()
9707c478bdstevel@tonic-gate *
9717c478bdstevel@tonic-gate * DESCRIPTION:	Builds up a new password entity string from a passwd structure.
9727c478bdstevel@tonic-gate *
9737c478bdstevel@tonic-gate * INPUTS :	Structure containing password details
9747c478bdstevel@tonic-gate *		Flag indicating if we should create an adjunct or passwd string.
9757c478bdstevel@tonic-gate *
9767c478bdstevel@tonic-gate * OUTPUTS :	String in malloced memory (to be freed by caller).
9777c478bdstevel@tonic-gate *		NULL on failure.
9787c478bdstevel@tonic-gate */
9797c478bdstevel@tonic-gatechar *
9807c478bdstevel@tonic-gatecreate_pwd_str(struct passwd_entry *pwd, bool_t adjunct)
9817c478bdstevel@tonic-gate{
9827c478bdstevel@tonic-gate	char *myself = "create_pwd_str";
9837c478bdstevel@tonic-gate	char *s;
9847c478bdstevel@tonic-gate	int len;
9857c478bdstevel@tonic-gate
9867c478bdstevel@tonic-gate	/* Separator string so we can strcat separator onto things */
9877c478bdstevel@tonic-gate	char sep_str[2] = {COLON_CHAR, '\0'};
9887c478bdstevel@tonic-gate
9897c478bdstevel@tonic-gate	/* Work out the size */
9907c478bdstevel@tonic-gate	len = strlen(pwd->pw_name) + 1;
9917c478bdstevel@tonic-gate	len += strlen(pwd->pw_passwd) + 1;
9927c478bdstevel@tonic-gate	if (adjunct) {
9937c478bdstevel@tonic-gate		len += strlen(pwd->adjunct_tail) + 1;
9947c478bdstevel@tonic-gate	} else {
9957c478bdstevel@tonic-gate		len += strlen(pwd->pw_uid) + 1;
9967c478bdstevel@tonic-gate		len += strlen(pwd->pw_gid) + 1;
9977c478bdstevel@tonic-gate		len += strlen(pwd->pw_gecos) + 1;
9987c478bdstevel@tonic-gate		len += strlen(pwd->pw_dir) + 1;
9997c478bdstevel@tonic-gate		len += strlen(pwd->pw_shell) + 1;
10007c478bdstevel@tonic-gate	}
10017c478bdstevel@tonic-gate
10027c478bdstevel@tonic-gate	/* Allocate some memory for it */
10037c478bdstevel@tonic-gate	s = am(myself, len);
10047c478bdstevel@tonic-gate	if (NULL == s)
10057c478bdstevel@tonic-gate		return (NULL);
10067c478bdstevel@tonic-gate
10077c478bdstevel@tonic-gate	strcpy(s, pwd->pw_name);
10087c478bdstevel@tonic-gate	strcat(s, sep_str);
10097c478bdstevel@tonic-gate	if (!adjunct) {
10107c478bdstevel@tonic-gate		/* Build up a passwd string */
10117c478bdstevel@tonic-gate
10127c478bdstevel@tonic-gate		/* If LDAP contains adjunct info then passwd is 'x' */
10137c478bdstevel@tonic-gate		if (pwd->adjunct) {
10147c478bdstevel@tonic-gate			strcat(s, "##");
10157c478bdstevel@tonic-gate			strcat(s,  pwd->pw_name);
10167c478bdstevel@tonic-gate		} else {
10177c478bdstevel@tonic-gate			strcat(s, pwd->pw_passwd);
10187c478bdstevel@tonic-gate		}
10197c478bdstevel@tonic-gate		strcat(s, sep_str);
10207c478bdstevel@tonic-gate		strcat(s, pwd->pw_uid);
10217c478bdstevel@tonic-gate		strcat(s, sep_str);
10227c478bdstevel@tonic-gate		strcat(s, pwd->pw_gid);
10237c478bdstevel@tonic-gate		strcat(s, sep_str);
10247c478bdstevel@tonic-gate		strcat(s, pwd->pw_gecos);
10257c478bdstevel@tonic-gate		strcat(s, sep_str);
10267c478bdstevel@tonic-gate		strcat(s, pwd->pw_dir);
10277c478bdstevel@tonic-gate		strcat(s, sep_str);
10287c478bdstevel@tonic-gate		strcat(s, pwd->pw_shell);
10297c478bdstevel@tonic-gate	} else {
10307c478bdstevel@tonic-gate		/* Build up a passwd_adjunct string */
10317c478bdstevel@tonic-gate		strcat(s, pwd->pw_passwd);
10327c478bdstevel@tonic-gate		strcat(s, sep_str);
10337c478bdstevel@tonic-gate		strcat(s, pwd->adjunct_tail);
10347c478bdstevel@tonic-gate	}
10357c478bdstevel@tonic-gate
10367c478bdstevel@tonic-gate	return (s);
10377c478bdstevel@tonic-gate}
10387c478bdstevel@tonic-gate
10397c478bdstevel@tonic-gate/*
10407c478bdstevel@tonic-gate * FUNCTION:	get_old_info()
10417c478bdstevel@tonic-gate *
10427c478bdstevel@tonic-gate * DESCRIPTION:	Gets as much information as possible from LDAP about one user.
10437c478bdstevel@tonic-gate *
10447c478bdstevel@tonic-gate *		This goes through the mapping system. This is messy because
10457c478bdstevel@tonic-gate *		them mapping system will build up a password entry from the
10467c478bdstevel@tonic-gate *		contents of the DIT. We then have to parse this to recover
10477c478bdstevel@tonic-gate *		it's individual fields.
10487c478bdstevel@tonic-gate *
10497c478bdstevel@tonic-gate * INPUT:	Pointer to user name
10507c478bdstevel@tonic-gate *		Domain
10517c478bdstevel@tonic-gate *
10527c478bdstevel@tonic-gate * OUTPUT:	The info in malloced space. To be freed by caller.
10537c478bdstevel@tonic-gate *		NULL on failure.
10547c478bdstevel@tonic-gate */
10557c478bdstevel@tonic-gatestruct passwd_entry *
10567c478bdstevel@tonic-gateget_old_info(char *name, char *domain)
10577c478bdstevel@tonic-gate{
10587c478bdstevel@tonic-gate	char *myself = "get_old_info";
10597c478bdstevel@tonic-gate	struct passwd_entry *old_passwd;
10607c478bdstevel@tonic-gate	datum	key, data;
10617c478bdstevel@tonic-gate	suc_code res;
10627c478bdstevel@tonic-gate
10637c478bdstevel@tonic-gate	/* Get the password entry */
10647c478bdstevel@tonic-gate	key.dptr = name;
10657c478bdstevel@tonic-gate	key.dsize = strlen(key.dptr);
10667c478bdstevel@tonic-gate	read_from_dit(PASSWD_MAPPING, domain, &key, &data);
10677c478bdstevel@tonic-gate	if (NULL == data.dptr) {
10687c478bdstevel@tonic-gate		logmsg(MSG_NOTIMECHECK, LOG_ERR,
10697c478bdstevel@tonic-gate					"Could not read old pwd for %s", name);
10707c478bdstevel@tonic-gate		return (NULL);
10717c478bdstevel@tonic-gate	}
10727c478bdstevel@tonic-gate
10737c478bdstevel@tonic-gate	/* Pull password apart */
10747c478bdstevel@tonic-gate	old_passwd = am(myself, sizeof (struct passwd_entry));
10757c478bdstevel@tonic-gate	if (NULL == old_passwd) {
10767c478bdstevel@tonic-gate		logmsg(MSG_NOMEM, LOG_ERR, "Could not alloc for pwd decode");
10777c478bdstevel@tonic-gate		sfree(data.dptr);
10787c478bdstevel@tonic-gate		return (NULL);
10797c478bdstevel@tonic-gate	}
10807c478bdstevel@tonic-gate
10817c478bdstevel@tonic-gate	/* No data yet */
10827c478bdstevel@tonic-gate	old_passwd->pw_name = NULL;
10837c478bdstevel@tonic-gate	old_passwd->pw_passwd = NULL;
10847c478bdstevel@tonic-gate	old_passwd->pw_uid = NULL;
10857c478bdstevel@tonic-gate	old_passwd->pw_gid = NULL;
10867c478bdstevel@tonic-gate	old_passwd->pw_gecos = NULL;
10877c478bdstevel@tonic-gate	old_passwd->pw_dir = NULL;
10887c478bdstevel@tonic-gate	old_passwd->pw_shell = NULL;
10897c478bdstevel@tonic-gate	old_passwd->adjunct_tail = NULL;
10907c478bdstevel@tonic-gate	old_passwd->pwd_str = NULL;
10917c478bdstevel@tonic-gate	old_passwd->adjunct_str = NULL;
10927c478bdstevel@tonic-gate	old_passwd->adjunct = FALSE;
10937c478bdstevel@tonic-gate
10947c478bdstevel@tonic-gate	res = decode_pwd_entry(&data, old_passwd, FALSE);
10957c478bdstevel@tonic-gate	sfree(data.dptr);
10967c478bdstevel@tonic-gate	if (SUCCESS != res) {
10977c478bdstevel@tonic-gate		free_pwd_entry(old_passwd);
10987c478bdstevel@tonic-gate		return (NULL);
10997c478bdstevel@tonic-gate	}
11007c478bdstevel@tonic-gate
11017c478bdstevel@tonic-gate	/* Try to get the adjunct entry */
11027c478bdstevel@tonic-gate	read_from_dit(PASSWD_ADJUNCT_MAPPING, domain, &key, &data);
11037c478bdstevel@tonic-gate	if (NULL == data.dptr) {
11047c478bdstevel@tonic-gate		/* Fine just no adjunct data */
11057c478bdstevel@tonic-gate		old_passwd->adjunct = FALSE;
11067c478bdstevel@tonic-gate	} else {
11077c478bdstevel@tonic-gate		res = decode_pwd_entry(&data, old_passwd, TRUE);
11087c478bdstevel@tonic-gate		sfree(data.dptr);
11097c478bdstevel@tonic-gate		if (SUCCESS != res) {
11107c478bdstevel@tonic-gate			free_pwd_entry(old_passwd);
11117c478bdstevel@tonic-gate			return (NULL);
11127c478bdstevel@tonic-gate		}
11137c478bdstevel@tonic-gate	}
11147c478bdstevel@tonic-gate
11157c478bdstevel@tonic-gate	return (old_passwd);
11167c478bdstevel@tonic-gate}
11177c478bdstevel@tonic-gate
11187c478bdstevel@tonic-gate/*
11197c478bdstevel@tonic-gate * FUNCTION :	put_new_info()
11207c478bdstevel@tonic-gate *
11217c478bdstevel@tonic-gate * DESCRIPTION:	Generates new map strings and puts them back to LDAP
11227c478bdstevel@tonic-gate *
11237c478bdstevel@tonic-gate * INPUTS:	Info to put back
11247c478bdstevel@tonic-gate *		Domain
11257c478bdstevel@tonic-gate *
11267c478bdstevel@tonic-gate * OUTPUT:	Answer code.
11277c478bdstevel@tonic-gate */
11287c478bdstevel@tonic-gateint
11297c478bdstevel@tonic-gateput_new_info(struct passwd_entry *pwd, char *domain)
11307c478bdstevel@tonic-gate{
11317c478bdstevel@tonic-gate	datum	key, data;
11327c478bdstevel@tonic-gate
11337c478bdstevel@tonic-gate	/* Write it back to LDAP */
11347c478bdstevel@tonic-gate	data.dptr = pwd->pwd_str;
11357c478bdstevel@tonic-gate	data.dsize = strlen(data.dptr);
11367c478bdstevel@tonic-gate	key.dptr = pwd->pw_name;
11377c478bdstevel@tonic-gate	key.dsize = strlen(key.dptr);
11387c478bdstevel@tonic-gate	if (SUCCESS != write_to_dit(PASSWD_MAPPING, domain, key, data,
11397c478bdstevel@tonic-gate								TRUE, FALSE))
11407c478bdstevel@tonic-gate		return (2);
11417c478bdstevel@tonic-gate
11427c478bdstevel@tonic-gate
11437c478bdstevel@tonic-gate	/* If DIT contains adjunct information do the same for adjunct */
11447c478bdstevel@tonic-gate	if (pwd->adjunct) {
11457c478bdstevel@tonic-gate		data.dptr = pwd->adjunct_str;
11467c478bdstevel@tonic-gate		data.dsize = strlen(data.dptr);
11477c478bdstevel@tonic-gate		key.dptr = pwd->pw_name;
11487c478bdstevel@tonic-gate		key.dsize = strlen(key.dptr);
11497c478bdstevel@tonic-gate		if (SUCCESS != write_to_dit(PASSWD_ADJUNCT_MAPPING, domain,
11507c478bdstevel@tonic-gate						key, data, TRUE, FALSE))
11517c478bdstevel@tonic-gate			return (2);
11527c478bdstevel@tonic-gate	}
11537c478bdstevel@tonic-gate
11547c478bdstevel@tonic-gate	return (0);
11557c478bdstevel@tonic-gate
11567c478bdstevel@tonic-gate}
11577c478bdstevel@tonic-gate
11587c478bdstevel@tonic-gate/*
11597c478bdstevel@tonic-gate * FUNCTION :   get_old_shadow()
11607c478bdstevel@tonic-gate *
11617c478bdstevel@tonic-gate * DESCRIPTION :Extracts and decodes shadow information from the DIT
11627c478bdstevel@tonic-gate *		See also comments under decode_pwd_entry().
11637c478bdstevel@tonic-gate *
11647c478bdstevel@tonic-gate * INPUTS :     User name
11657c478bdstevel@tonic-gate *		Domain name
11667c478bdstevel@tonic-gate *
11677c478bdstevel@tonic-gate * OUTPUT :     Shadow information in malloced memory. To be freed by caller.
11687c478bdstevel@tonic-gate */
11697c478bdstevel@tonic-gatestruct spwd *
11707c478bdstevel@tonic-gateget_old_shadow(char *name, char *domain)
11717c478bdstevel@tonic-gate{
11727c478bdstevel@tonic-gate	char *myself = "get_old_shadow";
11737c478bdstevel@tonic-gate	struct spwd *sp;
11747c478bdstevel@tonic-gate	datum key, data;
11757c478bdstevel@tonic-gate	suc_code res;
11767c478bdstevel@tonic-gate
11777c478bdstevel@tonic-gate	/* Get the info */
11787c478bdstevel@tonic-gate	key.dptr = name;
11797c478bdstevel@tonic-gate	key.dsize = strlen(key.dptr);	/* Len excluding terminator */
11807c478bdstevel@tonic-gate	read_from_dit(AGEING_MAPPING, domain, &key, &data);
11817c478bdstevel@tonic-gate
11827c478bdstevel@tonic-gate	if (NULL == data.dptr) {
11837c478bdstevel@tonic-gate		/* OK just have no shadow info in DIT */
11847c478bdstevel@tonic-gate		return (NULL);
11857c478bdstevel@tonic-gate	}
11867c478bdstevel@tonic-gate
11877c478bdstevel@tonic-gate	/* Pull shadow apart */
11887c478bdstevel@tonic-gate	if (NULL == (sp = am(myself, sizeof (struct spwd)))) {
11897c478bdstevel@tonic-gate		logmsg(MSG_NOMEM, LOG_ERR,
11907c478bdstevel@tonic-gate					"Could not alloc for shadow decode");
11917c478bdstevel@tonic-gate		sfree(data.dptr);
11927c478bdstevel@tonic-gate		return (NULL);
11937c478bdstevel@tonic-gate	}
11947c478bdstevel@tonic-gate	sp->sp_namp = NULL;
11957c478bdstevel@tonic-gate	sp->sp_pwdp = NULL;
11967c478bdstevel@tonic-gate
11977c478bdstevel@tonic-gate	res = decode_shadow_entry(&data, sp);
11987c478bdstevel@tonic-gate	sfree(data.dptr);
11997c478bdstevel@tonic-gate	if (SUCCESS != res) {
12007c478bdstevel@tonic-gate		free_shadow_entry(sp);
12017c478bdstevel@tonic-gate		return (NULL);
12027c478bdstevel@tonic-gate	}
12037c478bdstevel@tonic-gate
12047c478bdstevel@tonic-gate	return (sp);
12057c478bdstevel@tonic-gate}
12067c478bdstevel@tonic-gate
12077c478bdstevel@tonic-gate/*
12087c478bdstevel@tonic-gate * FUNCTION :	decode_shadow_entry()
12097c478bdstevel@tonic-gate *
12107c478bdstevel@tonic-gate * DESCRIPTION:	Pulls apart ageing information. For convenience this is stored
12117c478bdstevel@tonic-gate *		in a partially filled spwd structure.
12127c478bdstevel@tonic-gate *
12137c478bdstevel@tonic-gate *		SEE COMMENTS FOR decode_pwd_entry()
12147c478bdstevel@tonic-gate */
12157c478bdstevel@tonic-gatesuc_code
12167c478bdstevel@tonic-gatedecode_shadow_entry(datum *data, struct spwd *sp)
12177c478bdstevel@tonic-gate{
12187c478bdstevel@tonic-gate	char *p, *str_end, *temp;
12197c478bdstevel@tonic-gate
12207c478bdstevel@tonic-gate	/* Work out last location in string */
12217c478bdstevel@tonic-gate	str_end = data->dptr + data->dsize;
12227c478bdstevel@tonic-gate
12237c478bdstevel@tonic-gate	/* Name */
12247c478bdstevel@tonic-gate	if (NULL == (p = get_next_token(data->dptr, &(sp->sp_namp), str_end)))
12257c478bdstevel@tonic-gate		return (FAILURE);
12267c478bdstevel@tonic-gate
12277c478bdstevel@tonic-gate	/* date of last change */
12287c478bdstevel@tonic-gate	if (NULL == (p = get_next_token(p, &temp, str_end)))
12297c478bdstevel@tonic-gate		return (FAILURE);
12307c478bdstevel@tonic-gate	sp->sp_lstchg = atoi(temp);
12317c478bdstevel@tonic-gate
12327c478bdstevel@tonic-gate	/* min days to passwd change */
12337c478bdstevel@tonic-gate	if (NULL == (p = get_next_token(p, &temp, str_end)))
12347c478bdstevel@tonic-gate		return (FAILURE);
12357c478bdstevel@tonic-gate	sp->sp_min = atoi(temp);
12367c478bdstevel@tonic-gate
12377c478bdstevel@tonic-gate	/* max days to passwd change */
12387c478bdstevel@tonic-gate	if (NULL == (p = get_next_token(p, &temp, str_end)))
12397c478bdstevel@tonic-gate		return (FAILURE);
12407c478bdstevel@tonic-gate	sp->sp_max = atoi(temp);
12417c478bdstevel@tonic-gate
12427c478bdstevel@tonic-gate	/* warning period */
12437c478bdstevel@tonic-gate	if (NULL == (p = get_next_token(p, &temp, str_end)))
12447c478bdstevel@tonic-gate		return (FAILURE);
12457c478bdstevel@tonic-gate	sp->sp_warn = atoi(temp);
12467c478bdstevel@tonic-gate
12477c478bdstevel@tonic-gate	/* max days inactive */
12487c478bdstevel@tonic-gate	if (NULL == (p = get_next_token(p, &temp, str_end)))
12497c478bdstevel@tonic-gate		return (FAILURE);
12507c478bdstevel@tonic-gate	sp->sp_inact = atoi(temp);
12517c478bdstevel@tonic-gate
12527c478bdstevel@tonic-gate	/* account expiry date */
12537c478bdstevel@tonic-gate	if (NULL == (p = get_next_token(p, &temp, str_end)))
12547c478bdstevel@tonic-gate		return (FAILURE);
12557c478bdstevel@tonic-gate	sp->sp_expire = atoi(temp);
12567c478bdstevel@tonic-gate
12577c478bdstevel@tonic-gate	/* flag  */
12587c478bdstevel@tonic-gate	if (NULL != (p = get_next_token(p, &temp, str_end)))
12597c478bdstevel@tonic-gate		return (FAILURE);
12607c478bdstevel@tonic-gate	sp->sp_flag = atoi(temp);
12617c478bdstevel@tonic-gate
12627c478bdstevel@tonic-gate	return (SUCCESS);
12637c478bdstevel@tonic-gate}
12647c478bdstevel@tonic-gate
12657c478bdstevel@tonic-gate/*
12667c478bdstevel@tonic-gate * FUNCTION :	write_shadow_info()
12677c478bdstevel@tonic-gate *
12687c478bdstevel@tonic-gate * DESCRIPTION:	Writes shadow information back to the DIT.
12697c478bdstevel@tonic-gate *
12707c478bdstevel@tonic-gate * INPUTS :	Domain
12717c478bdstevel@tonic-gate *		Information to write
12727c478bdstevel@tonic-gate *
12737c478bdstevel@tonic-gate * OUTPUT :	Success code
12747c478bdstevel@tonic-gate *
12757c478bdstevel@tonic-gate */
12767c478bdstevel@tonic-gatesuc_code
12777c478bdstevel@tonic-gatewrite_shadow_info(char *domain, struct spwd *sp)
12787c478bdstevel@tonic-gate{
12797c478bdstevel@tonic-gate	char *myself = "write_shadow_info";
12807c478bdstevel@tonic-gate	datum key, data;
12817c478bdstevel@tonic-gate	char *str;
12827c478bdstevel@tonic-gate	suc_code res;
12837c478bdstevel@tonic-gate	int len;
12847c478bdstevel@tonic-gate
12857c478bdstevel@tonic-gate	/* Work out how long string will be */
12867c478bdstevel@tonic-gate	len = strlen(sp->sp_namp) + 1;
12877c478bdstevel@tonic-gate
12887c478bdstevel@tonic-gate	/*
12897c478bdstevel@tonic-gate	 * Bit crude but if we assume 1 byte is 3 decimal characters
12907c478bdstevel@tonic-gate	 * will get enough buffer for the longs and some spare.
12917c478bdstevel@tonic-gate	 */
12927c478bdstevel@tonic-gate	len += 7 * (3 * sizeof (long) + 1);
12937c478bdstevel@tonic-gate
12947c478bdstevel@tonic-gate	/* Allocate some memory */
12957c478bdstevel@tonic-gate	str = am(myself, len);
12967c478bdstevel@tonic-gate	if (NULL == str) {
12977c478bdstevel@tonic-gate		logmsg(MSG_NOMEM, LOG_ERR, "Could not aloc for shadow write");
12987c478bdstevel@tonic-gate		return (FAILURE);
12997c478bdstevel@tonic-gate	}
13007c478bdstevel@tonic-gate
13017c478bdstevel@tonic-gate	/* Build up shadow string */
13027c478bdstevel@tonic-gate	sprintf(str, "%s%c%d%c%d%c%d%c%d%c%d%c%d%c%d",
13037c478bdstevel@tonic-gate		sp->sp_namp, COLON_CHAR,
13047c478bdstevel@tonic-gate		sp->sp_lstchg, COLON_CHAR,
13057c478bdstevel@tonic-gate		sp->sp_min, COLON_CHAR,
13067c478bdstevel@tonic-gate		sp->sp_max, COLON_CHAR,
13077c478bdstevel@tonic-gate		sp->sp_warn, COLON_CHAR,
13087c478bdstevel@tonic-gate		sp->sp_inact, COLON_CHAR,
13097c478bdstevel@tonic-gate		sp->sp_expire, COLON_CHAR,
13107c478bdstevel@tonic-gate		sp->sp_flag);
13117c478bdstevel@tonic-gate
13127c478bdstevel@tonic-gate	/* Write it */
13137c478bdstevel@tonic-gate	data.dptr = str;
13147c478bdstevel@tonic-gate	data.dsize = strlen(data.dptr);
13157c478bdstevel@tonic-gate	key.dptr = sp->sp_namp;
13167c478bdstevel@tonic-gate	key.dsize = strlen(key.dptr);
13177c478bdstevel@tonic-gate	res = write_to_dit(AGEING_MAPPING, domain, key, data, TRUE, FALSE);
13187c478bdstevel@tonic-gate
13197c478bdstevel@tonic-gate	sfree(str);
13207c478bdstevel@tonic-gate	return (res);
13217c478bdstevel@tonic-gate}
13227c478bdstevel@tonic-gate
13237c478bdstevel@tonic-gate/*
13247c478bdstevel@tonic-gate * FUNCTION :	free_shadow_entry()
13257c478bdstevel@tonic-gate *
13267c478bdstevel@tonic-gate * DESCRIPTION:	Frees up a shadow information structure
13277c478bdstevel@tonic-gate *
13287c478bdstevel@tonic-gate * INPUTS :	Structure to free
13297c478bdstevel@tonic-gate *
13307c478bdstevel@tonic-gate * OUTPUTS :	Nothing
13317c478bdstevel@tonic-gate */
13327c478bdstevel@tonic-gatevoid
13337c478bdstevel@tonic-gatefree_shadow_entry(struct spwd *spwd)
13347c478bdstevel@tonic-gate{
13357c478bdstevel@tonic-gate	if (NULL != spwd->sp_namp)
13367c478bdstevel@tonic-gate		sfree(spwd->sp_namp);
13377c478bdstevel@tonic-gate
13387c478bdstevel@tonic-gate	if (NULL != spwd->sp_pwdp)
13397c478bdstevel@tonic-gate		sfree(spwd->sp_pwdp);
13407c478bdstevel@tonic-gate
13417c478bdstevel@tonic-gate	/* No need to free numerics */
13427c478bdstevel@tonic-gate
13437c478bdstevel@tonic-gate	/* Free up structure */
13447c478bdstevel@tonic-gate	sfree(spwd);
13457c478bdstevel@tonic-gate}
1346