1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 
28 #ifndef	_NS_SLDAP_H
29 #define	_NS_SLDAP_H
30 
31 #pragma ident	"%Z%%M%	%I%	%E% SMI"
32 
33 #ifdef __cplusplus
34 extern "C" {
35 #endif
36 
37 #include <stdio.h>
38 #include <sys/types.h>
39 #include <lber.h>
40 #include <ldap.h>
41 
42 /*
43  * Version
44  */
45 #define	NS_LDAP_VERSION		NS_LDAP_VERSION_2
46 #define	NS_LDAP_VERSION_1	"1.0"
47 #define	NS_LDAP_VERSION_2	"2.0"
48 
49 /*
50  * Flags
51  */
52 #define	NS_LDAP_HARD		  0x001
53 #define	NS_LDAP_ALL_RES		  0x002
54 
55 /* Search Referral Option */
56 typedef enum SearchRef {
57 	NS_LDAP_FOLLOWREF	= 0x004,
58 	NS_LDAP_NOREF		= 0x008
59 } SearchRef_t;
60 
61 typedef enum ScopeType {
62 	NS_LDAP_SCOPE_BASE	= 0x010,
63 	NS_LDAP_SCOPE_ONELEVEL	= 0x020,
64 	NS_LDAP_SCOPE_SUBTREE	= 0x040
65 } ScopeType_t;
66 
67 /*
68  * BE VERY CAREFUL. DO NOT USE FLAG NS_LDAP_KEEP_CONN UNLESS YOU MUST
69  * IN libsldap.so.1 THERE IS NO CONNECTION GARBAGE COLLECTION AND IF
70  * THIS FLAG GETS USED THERE MIGHT BE A CONNECTION LEAK. CURRENTLY THIS
71  * IS ONLY SUPPORTED FOR LIST AND INTENDED FOR APPLICATIONS LIKE AUTOMOUNTER
72  */
73 
74 #define	NS_LDAP_KEEP_CONN	  0x080
75 #define	NS_LDAP_NEW_CONN	  0x400
76 #define	NS_LDAP_NOMAP		  0x800
77 
78 #define	NS_LDAP_PAGE_CTRL	  0x1000
79 #define	NS_LDAP_NO_PAGE_CTRL	  0x0000
80 
81 /*
82  * NS_LDAP_NOT_CVT_DN is needed when attribute mapping is used
83  * to retrieve the DN in LDAP and DN is not to be converted when
84  * being passed back to the application. See __ns_ldap_uid2dn()
85  * and __ns_ldap_host2dn() for such usage.
86  */
87 #define	NS_LDAP_NOT_CVT_DN	0x2000
88 
89 /*
90  * Authentication Information
91  */
92 typedef enum CredLevel {
93 	NS_LDAP_CRED_ANON	= 0,
94 	NS_LDAP_CRED_PROXY	= 1,
95 	NS_LDAP_CRED_SELF	= 2	/* currently not supported */
96 } CredLevel_t;
97 
98 typedef enum AuthType {
99 	NS_LDAP_AUTH_NONE	= 0,
100 	NS_LDAP_AUTH_SIMPLE	= 1,
101 	NS_LDAP_AUTH_SASL	= 2,
102 	NS_LDAP_AUTH_TLS	= 3,	/* implied SASL usage */
103 	NS_LDAP_AUTH_ATLS	= 4	/* implied SASL usage */
104 } AuthType_t;
105 
106 typedef enum TlsType {
107 	NS_LDAP_TLS_NONE	= 0,
108 	NS_LDAP_TLS_SIMPLE	= 1,
109 	NS_LDAP_TLS_SASL	= 2
110 } TlsType_t;
111 
112 typedef enum SaslMech {
113 	NS_LDAP_SASL_NONE	= 0,	/* No SASL mechanism */
114 	NS_LDAP_SASL_CRAM_MD5	= 1,
115 	NS_LDAP_SASL_DIGEST_MD5	= 2,
116 	NS_LDAP_SASL_EXTERNAL	= 3,	/* currently not supported */
117 	NS_LDAP_SASL_GSSAPI	= 4,	/* currently not supported */
118 	NS_LDAP_SASL_SPNEGO	= 5	/* currently not supported */
119 } SaslMech_t;
120 
121 typedef enum SaslOpt {
122 	NS_LDAP_SASLOPT_NONE	= 0,
123 	NS_LDAP_SASLOPT_INT	= 1,	/* currently not supported */
124 	NS_LDAP_SASLOPT_PRIV	= 2	/* currently not supported */
125 } SaslOpt_t;
126 
127 typedef enum PrefOnly {
128 	NS_LDAP_PREF_FALSE	= 0,
129 	NS_LDAP_PREF_TRUE	= 1
130 } PrefOnly_t;
131 
132 typedef struct UnixCred {
133 	char	*userID;	/* Unix ID number */
134 	char	*passwd;	/* password */
135 } UnixCred_t;
136 
137 typedef struct CertCred {
138 	char	*path;		/* certificate path */
139 	char	*passwd;	/* password */
140 	char	*nickname;	/* nickname */
141 } CertCred_t;
142 
143 typedef struct ns_auth {
144 	AuthType_t	type;
145 	TlsType_t	tlstype;
146 	SaslMech_t	saslmech;
147 	SaslOpt_t	saslopt;
148 } ns_auth_t;
149 
150 typedef struct ns_cred {
151 	ns_auth_t	auth;
152 	char		*hostcertpath;
153 	union {
154 		UnixCred_t	unix_cred;
155 		CertCred_t	cert_cred;
156 	} cred;
157 } ns_cred_t;
158 
159 
160 typedef struct LineBuf {
161 	char *str;
162 	int len;
163 	int alloc;
164 } LineBuf;
165 
166 /*
167  * Configuration Information
168  */
169 
170 typedef enum {
171 	NS_LDAP_FILE_VERSION_P		= 0,
172 	NS_LDAP_BINDDN_P		= 1,
173 	NS_LDAP_BINDPASSWD_P		= 2,
174 	NS_LDAP_SERVERS_P		= 3,
175 	NS_LDAP_SEARCH_BASEDN_P		= 4,
176 	NS_LDAP_AUTH_P			= 5,
177 /*
178  * NS_LDAP_TRANSPORT_SEC_P is only left in for backward compatibility
179  * with version 1 clients and their configuration files.  The only
180  * supported value is NS_LDAP_SEC_NONE.  No application should be
181  * using this parameter type (either through getParam or setParam.
182  */
183 	NS_LDAP_TRANSPORT_SEC_P		= 6,
184 	NS_LDAP_SEARCH_REF_P		= 7,
185 	NS_LDAP_DOMAIN_P		= 8,
186 	NS_LDAP_EXP_P			= 9,
187 	NS_LDAP_CERT_PATH_P		= 10,
188 	NS_LDAP_CERT_PASS_P		= 11,
189 	NS_LDAP_SEARCH_DN_P		= 12,
190 	NS_LDAP_SEARCH_SCOPE_P		= 13,
191 	NS_LDAP_SEARCH_TIME_P		= 14,
192 	NS_LDAP_SERVER_PREF_P		= 15,
193 	NS_LDAP_PREF_ONLY_P		= 16,
194 	NS_LDAP_CACHETTL_P		= 17,
195 	NS_LDAP_PROFILE_P		= 18,
196 	NS_LDAP_CREDENTIAL_LEVEL_P	= 19,
197 	NS_LDAP_SERVICE_SEARCH_DESC_P	= 20,
198 	NS_LDAP_BIND_TIME_P		= 21,
199 	NS_LDAP_ATTRIBUTEMAP_P		= 22,
200 	NS_LDAP_OBJECTCLASSMAP_P	= 23,
201 	NS_LDAP_CERT_NICKNAME_P		= 24,
202 	NS_LDAP_SERVICE_AUTH_METHOD_P	= 25,
203 	NS_LDAP_SERVICE_CRED_LEVEL_P	= 26,
204 	NS_LDAP_HOST_CERTPATH_P		= 27,
205 /*
206  * The following entry (max ParamIndexType) is an internal
207  * placeholder.  It must be the last (and highest value)
208  * entry in this eNum.  Please update accordingly.
209  */
210 	NS_LDAP_MAX_PIT_P		= 28
211 
212 } ParamIndexType;
213 
214 /*
215  * __ns_ldap_*() return codes
216  */
217 typedef enum {
218 	NS_LDAP_SUCCESS		= 0, /* success, no info in errorp */
219 	NS_LDAP_OP_FAILED	= 1, /* failed operation, no info in errorp */
220 	NS_LDAP_NOTFOUND	= 2, /* entry not found, no info in errorp */
221 	NS_LDAP_MEMORY		= 3, /* memory failure, no info in errorp */
222 	NS_LDAP_CONFIG		= 4, /* config problem, detail in errorp */
223 	NS_LDAP_PARTIAL		= 5, /* partial result, detail in errorp */
224 	NS_LDAP_INTERNAL	= 7, /* LDAP error, detail in errorp */
225 	NS_LDAP_INVALID_PARAM	= 8, /* LDAP error, no info in errorp */
226 	NS_LDAP_SUCCESS_WITH_INFO
227 				= 9  /* success, with info in errorp */
228 } ns_ldap_return_code;
229 
230 /*
231  * Detailed error code for NS_LDAP_CONFIG
232  */
233 typedef enum {
234 	NS_CONFIG_SYNTAX	= 0,	/* syntax error */
235 	NS_CONFIG_NODEFAULT	= 1,	/* no default value */
236 	NS_CONFIG_NOTLOADED	= 2,	/* configuration not loaded */
237 	NS_CONFIG_NOTALLOW	= 3,	/* operation requested not allowed */
238 	NS_CONFIG_FILE		= 4,	/* configuration file problem */
239 	NS_CONFIG_CACHEMGR	= 5	/* error with door to ldap_cachemgr */
240 } ns_ldap_config_return_code;
241 
242 /*
243  * Detailed error code for NS_LDAP_PARTIAL
244  */
245 typedef enum {
246 	NS_PARTIAL_TIMEOUT	= 0,	/* partial results due to timeout */
247 	NS_PARTIAL_OTHER	= 1	/* error encountered */
248 } ns_ldap_partial_return_code;
249 
250 /*
251  * For use by __ns_ldap_addTypedEntry() for publickey serivicetype
252  */
253 typedef enum {
254 	NS_HOSTCRED_FALSE = 0,
255 	NS_HOSTCRED_TRUE  = 1
256 } hostcred_t;
257 
258 /*
259  * Detailed password status
260  */
261 typedef enum {
262 	NS_PASSWD_GOOD			= 0,	/* password is good */
263 	NS_PASSWD_ABOUT_TO_EXPIRE	= 1,	/* password is good but */
264 						/* about to expire */
265 	NS_PASSWD_CHANGE_NEEDED		= 2,	/* good but need to be */
266 						/* changed immediately */
267 	NS_PASSWD_EXPIRED		= 3,	/* password expired */
268 	NS_PASSWD_RETRY_EXCEEDED	= 4,	/* exceed retry limit; */
269 						/* account is locked */
270 	NS_PASSWD_CHANGE_NOT_ALLOWED	= 5,	/* can only be changed */
271 						/* by the administrator */
272 	NS_PASSWD_INVALID_SYNTAX	= 6,	/* can not be changed: */
273 						/* new password has */
274 						/* invalid syntax -- */
275 						/* same value as attr */
276 						/* cn, sn, uid, etc. */
277 	NS_PASSWD_TOO_SHORT		= 7,	/* can not be changed: */
278 						/* new password has */
279 						/* less chars than */
280 						/* required */
281 	NS_PASSWD_IN_HISTORY		= 8,	/* can not be changed: */
282 						/* reuse old password  */
283 	NS_PASSWD_WITHIN_MIN_AGE	= 9 	/* can not be changed: */
284 						/* within minimum age  */
285 } ns_ldap_passwd_status_t;
286 
287 /*
288  * Password management information structure
289  */
290 typedef struct ns_ldap_passwd_mgmt {
291 	ns_ldap_passwd_status_t
292 		status;			/* password status */
293 	int	sec_until_expired;	/* seconds until expired, */
294 					/* valid if status is */
295 					/* NS_PASSWD_ABOUT_TO_EXPIRE */
296 } ns_ldap_passwd_mgmt_t;
297 
298 
299 /*
300  * Simplified LDAP Naming API result structure
301  */
302 typedef struct ns_ldap_error {
303 	int	status;				/* LDAP error code */
304 	char	*message;			/* LDAP error message */
305 	ns_ldap_passwd_mgmt_t	pwd_mgmt;	/* LDAP password */
306 						/* management info */
307 } ns_ldap_error_t;
308 
309 typedef struct	 ns_ldap_attr {
310 	char	*attrname;			/* attribute name */
311 	uint_t	value_count;
312 	char	**attrvalue;			/* attribute values */
313 } ns_ldap_attr_t;
314 
315 typedef struct ns_ldap_entry {
316 	uint_t		attr_count;		/* number of attributes */
317 	ns_ldap_attr_t	**attr_pair;		/* attributes pairs */
318 	struct ns_ldap_entry *next;		/* next entry */
319 } ns_ldap_entry_t;
320 
321 typedef struct ns_ldap_result {
322 	uint_t	entries_count;		/* number of entries */
323 	ns_ldap_entry_t	*entry;		/* data */
324 } ns_ldap_result_t;
325 
326 /*
327  * structures for the conversion routines used by typedAddEntry()
328  */
329 
330 typedef struct _ns_netgroups {
331 	char  *name;
332 	char  **triplet;
333 	char  **netgroup;
334 } _ns_netgroups_t;
335 
336 typedef struct _ns_netmasks {
337 	char *netnumber;
338 	char *netmask;
339 } _ns_netmasks_t;
340 
341 typedef struct _ns_bootp {
342 	char *name;
343 	char **param;
344 } _ns_bootp_t;
345 
346 typedef struct _ns_ethers {
347 	char *name;
348 	char *ether;
349 } _ns_ethers_t;
350 
351 typedef struct _ns_pubkey {
352 	char *name;
353 	hostcred_t hostcred;
354 	char *pubkey;
355 	char *privkey;
356 } _ns_pubkey_t;
357 
358 typedef struct _ns_alias {
359 	char *alias;
360 	char **member;
361 } _ns_alias_t;
362 
363 typedef struct _ns_automount {
364 	char *mapname;
365 	char *key;
366 	char *value;
367 } _ns_automount_t;
368 
369 /*
370  * return values for the callback function in __ns_ldap_list()
371  */
372 #define	NS_LDAP_CB_NEXT	0	/* get the next entry */
373 #define	NS_LDAP_CB_DONE	1	/* done */
374 
375 /*
376  * Input values for the type specified in __ns_ldap_addTypedEntry()
377  * and __ns_ldap_delTypedEntry()
378  */
379 
380 #define	NS_LDAP_TYPE_PASSWD	"passwd"
381 #define	NS_LDAP_TYPE_GROUP	"group"
382 #define	NS_LDAP_TYPE_HOSTS	"hosts"
383 #define	NS_LDAP_TYPE_IPNODES	"ipnodes"
384 #define	NS_LDAP_TYPE_PROFILE	"prof_attr"
385 #define	NS_LDAP_TYPE_RPC	"rpc"
386 #define	NS_LDAP_TYPE_PROTOCOLS	"protocols"
387 #define	NS_LDAP_TYPE_NETWORKS	"networks"
388 #define	NS_LDAP_TYPE_NETGROUP	"netgroup"
389 #define	NS_LDAP_TYPE_ALIASES	"aliases"
390 #define	NS_LDAP_TYPE_SERVICES	"services"
391 #define	NS_LDAP_TYPE_ETHERS	"ethers"
392 #define	NS_LDAP_TYPE_SHADOW	"shadow"
393 #define	NS_LDAP_TYPE_NETMASKS	"netmasks"
394 #define	NS_LDAP_TYPE_AUTHATTR	"auth_attr"
395 #define	NS_LDAP_TYPE_EXECATTR	"exec_attr"
396 #define	NS_LDAP_TYPE_USERATTR	"user_attr"
397 #define	NS_LDAP_TYPE_PROJECT	"project"
398 #define	NS_LDAP_TYPE_PUBLICKEY	"publickey"
399 #define	NS_LDAP_TYPE_AUUSER	"audit_user"
400 #define	NS_LDAP_TYPE_BOOTPARAMS "bootparams"
401 #define	NS_LDAP_TYPE_AUTOMOUNT  "auto_"
402 
403 /*
404  * service descriptor/attribute mapping structure
405  */
406 
407 typedef struct ns_ldap_search_desc {
408 	char		*basedn;	/* search base dn */
409 	ScopeType_t	scope;		/* search scope */
410 	char		*filter;	/* search filter */
411 } ns_ldap_search_desc_t;
412 
413 typedef struct ns_ldap_attribute_map {
414 	char		*origAttr;	/* original attribute */
415 	char		**mappedAttr;	/* mapped attribute(s) */
416 } ns_ldap_attribute_map_t;
417 
418 typedef struct ns_ldap_objectclass_map {
419 	char		*origOC;	/* original objectclass */
420 	char		*mappedOC;	/* mapped objectclass */
421 } ns_ldap_objectclass_map_t;
422 
423 /*
424  * Simplified LDAP Naming APIs
425  */
426 int __ns_ldap_list(
427 	const char *service,
428 	const char *filter,
429 	int (*init_filter_cb)(const ns_ldap_search_desc_t *desc,
430 			char **realfilter, const void *userdata),
431 	const char * const *attribute,
432 	const ns_cred_t *cred,
433 	const int flags,
434 	ns_ldap_result_t ** result,
435 	ns_ldap_error_t ** errorp,
436 	int (*callback)(const ns_ldap_entry_t *entry, const void *userdata),
437 	const void *userdata);
438 
439 int  __ns_ldap_addAttr(
440 	const char *service,
441 	const char *dn,
442 	const ns_ldap_attr_t * const *attr,
443 	const ns_cred_t *cred,
444 	const int flags,
445 	ns_ldap_error_t **errorp);
446 
447 int __ns_ldap_delAttr(
448 	const char *service,
449 	const char *dn,
450 	const ns_ldap_attr_t * const *attr,
451 	const ns_cred_t *cred,
452 	const int flags,
453 	ns_ldap_error_t **errorp);
454 
455 int  __ns_ldap_repAttr(
456 	const char *service,
457 	const char *dn,
458 	const ns_ldap_attr_t * const *attr,
459 	const ns_cred_t *cred,
460 	const int flags,
461 	ns_ldap_error_t **errorp);
462 
463 int  __ns_ldap_addEntry(
464 	const char *service,
465 	const char *dn,
466 	const ns_ldap_entry_t *entry,
467 	const ns_cred_t *cred,
468 	const int flags,
469 	ns_ldap_error_t **errorp);
470 
471 int  __ns_ldap_addTypedEntry(
472 	const char *servicetype,
473 	const char *basedn,
474 	const void *data,
475 	const int  create,
476 	const ns_cred_t *cred,
477 	const int flags,
478 	ns_ldap_error_t **errorp);
479 
480 int __ns_ldap_delEntry(
481 	const char *service,
482 	const char *dn,
483 	const ns_cred_t *cred,
484 	const int flags,
485 	ns_ldap_error_t **errorp);
486 
487 int __ns_ldap_firstEntry(
488 	const char *service,
489 	const char *filter,
490 	int (*init_filter_cb)(const ns_ldap_search_desc_t *desc,
491 			char **realfilter, const void *userdata),
492 	const char * const *attribute,
493 	const ns_cred_t *cred,
494 	const int flags,
495 	void **cookie,
496 	ns_ldap_result_t ** result,
497 	ns_ldap_error_t **errorp,
498 	const void *userdata);
499 
500 int  __ns_ldap_nextEntry(
501 	void *cookie,
502 	ns_ldap_result_t ** result,
503 	ns_ldap_error_t **errorp);
504 
505 int  __ns_ldap_endEntry(
506 	void **cookie,
507 	ns_ldap_error_t **errorp);
508 
509 int __ns_ldap_freeResult(
510 	ns_ldap_result_t **result);
511 
512 int __ns_ldap_freeError(
513 	ns_ldap_error_t **errorp);
514 
515 int  __ns_ldap_uid2dn(
516 	const char *uid,
517 	char **userDN,
518 	const ns_cred_t *cred,
519 	ns_ldap_error_t ** errorp);
520 
521 int  __ns_ldap_host2dn(
522 	const char *host,
523 	const char *domain,
524 	char **hostDN,
525 	const ns_cred_t *cred,
526 	ns_ldap_error_t ** errorp);
527 
528 int  __ns_ldap_dn2domain(
529 	const char *dn,
530 	char **domain,
531 	const ns_cred_t *cred,
532 	ns_ldap_error_t ** errorp);
533 
534 int __ns_ldap_auth(
535 	const ns_cred_t *cred,
536 	const int flag,
537 	ns_ldap_error_t **errorp,
538 	LDAPControl **serverctrls,
539 	LDAPControl **clientctrls);
540 
541 int __ns_ldap_freeCred(
542 	ns_cred_t **credp);
543 
544 int __ns_ldap_err2str(
545 	int err,
546 	char **strmsg);
547 
548 int __ns_ldap_setParam(
549 	const ParamIndexType type,
550 	const void *data,
551 	ns_ldap_error_t **errorp);
552 
553 int __ns_ldap_getParam(
554 	const ParamIndexType type,
555 	void ***data,
556 	ns_ldap_error_t **errorp);
557 
558 int __ns_ldap_freeParam(
559 	void ***data);
560 
561 char **__ns_ldap_getAttr(
562 	const ns_ldap_entry_t *entry,
563 	const char *attrname);
564 
565 int __ns_ldap_getServiceAuthMethods(
566 	const char *service,
567 	ns_auth_t ***auth,
568 	ns_ldap_error_t **errorp);
569 
570 int __ns_ldap_getSearchDescriptors(
571 	const char *service,
572 	ns_ldap_search_desc_t ***desc,
573 	ns_ldap_error_t **errorp);
574 
575 int __ns_ldap_freeSearchDescriptors(
576 	ns_ldap_search_desc_t ***desc);
577 
578 int __ns_ldap_getAttributeMaps(
579 	const char *service,
580 	ns_ldap_attribute_map_t ***maps,
581 	ns_ldap_error_t **errorp);
582 
583 int __ns_ldap_freeAttributeMaps(
584 	ns_ldap_attribute_map_t ***maps);
585 
586 char **__ns_ldap_getMappedAttributes(
587 	const char *service,
588 	const char *origAttribute);
589 
590 char **__ns_ldap_getOrigAttribute(
591 	const char *service,
592 	const char *mappedAttribute);
593 
594 int __ns_ldap_getObjectClassMaps(
595 	const char *service,
596 	ns_ldap_objectclass_map_t ***maps,
597 	ns_ldap_error_t **errorp);
598 
599 int __ns_ldap_freeObjectClassMaps(
600 	ns_ldap_objectclass_map_t ***maps);
601 
602 char **__ns_ldap_getMappedObjectClass(
603 	const char *service,
604 	const char *origObjectClass);
605 
606 char **__ns_ldap_getOrigObjectClass(
607 	const char *service,
608 	const char *mappedObjectClass);
609 
610 int __ns_ldap_getParamType(
611 	const char *value,
612 	ParamIndexType *type);
613 #ifdef __cplusplus
614 }
615 #endif
616 
617 #endif /* _NS_SLDAP_H */
618