1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License, Version 1.0 only
6 * (the "License").  You may not use this file except in compliance
7 * with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22/*
23 * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24 * Use is subject to license terms.
25 */
26
27#pragma ident	"%Z%%M%	%I%	%E% SMI"
28
29#include "ldap_headers.h"
30
31/*
32 *
33 * LDAP module for pam_sm_authenticate.
34 *
35 * options -
36 *
37 *	debug
38 *	nowarn
39 */
40
41/*
42 * pam_sm_authenticate():
43 * 	Authenticate user.
44 */
45/*ARGSUSED*/
46int
47pam_sm_authenticate(
48	pam_handle_t		*pamh,
49	int 			flags,
50	int			argc,
51	const char		**argv)
52{
53	char			*service = NULL;
54	char			*user = NULL;
55	int			err;
56	int			result = PAM_AUTH_ERR;
57	int			debug = 0;
58	int			i;
59	char			*password = NULL;
60	ns_cred_t		*credp = NULL;
61	int			nowarn = 0;
62
63	/* Get the service and user */
64	if ((err = pam_get_item(pamh, PAM_SERVICE, (void **)&service))
65							!= PAM_SUCCESS ||
66	    (err = pam_get_item(pamh, PAM_USER, (void **)&user)) != PAM_SUCCESS)
67		return (err);
68
69	/*
70	 * Check options passed to this module.
71	 * Silently ignore try_first_pass and use_first_pass options
72	 * for the time being.
73	 */
74	for (i = 0; i < argc; i++) {
75		if (strcmp(argv[i], "debug") == 0)
76			debug = 1;
77		else if (strcmp(argv[i], "nowarn") == 0)
78			nowarn = 1;
79		else if ((strcmp(argv[i], "try_first_pass") != 0) &&
80				(strcmp(argv[i], "use_first_pass") != 0))
81			syslog(LOG_AUTH | LOG_DEBUG,
82				"ldap pam_sm_authenticate(%s), "
83				"illegal scheme option %s", service, argv[i]);
84	}
85
86	if (debug)
87		syslog(LOG_AUTH | LOG_DEBUG,
88			"ldap pam_sm_authenticate(%s %s), flags = %x %s",
89			service, (user && *user != '\0')?user:"no-user", flags,
90			(nowarn)? ", nowarn": "");
91
92	if (!user || *user == '\0')
93		return (PAM_USER_UNKNOWN);
94
95	/* Get the password entered in the first scheme if any */
96	(void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &password);
97	if (password == NULL) {
98		if (debug)
99			syslog(LOG_AUTH | LOG_DEBUG,
100				"ldap pam_sm_authenticate(%s %s), "
101				"AUTHTOK not set", service, user);
102		return (PAM_AUTH_ERR);
103	}
104
105	/*
106	 * Authenticate user using the password from PAM_AUTHTOK.
107	 * If no password available or if authentication fails
108	 * return the appropriate error.
109	 */
110	result = authenticate(&credp, user, password, NULL);
111	if (result == PAM_NEW_AUTHTOK_REQD) {
112		/*
113		 * PAM_NEW_AUTHTOK_REQD means the
114		 * user's password is good but needs
115		 * to change immediately. If the service
116		 * is login or similar programs, the
117		 * user will be asked to change the
118		 * password after the account management
119		 * module is called and determined that
120		 * the password has expired.
121		 * So change the rc to PAM_SUCCESS here.
122		 */
123		result = PAM_SUCCESS;
124	} else if (result == PAM_AUTHTOK_EXPIRED) {
125		/*
126		 * Authentication token is the right one but
127		 * expired. Consider this as pass.
128		 * Change rc to PAM_SUCCESS.
129		 */
130		result = PAM_SUCCESS;
131	}
132
133	if (credp != NULL)
134		(void) __ns_ldap_freeCred(&credp);
135	return (result);
136}
137