#include "includes.h"
#include <lber.h>
#include <ldap.h>
#include <wchar.h>
#include "smbldap.h"
#define NMASLDAP_GET_LOGIN_CONFIG_REQUEST "2.16.840.1.113719.1.39.42.100.3"
#define NMASLDAP_GET_LOGIN_CONFIG_RESPONSE "2.16.840.1.113719.1.39.42.100.4"
#define NMASLDAP_SET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.11"
#define NMASLDAP_SET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.12"
#define NMASLDAP_GET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.13"
#define NMASLDAP_GET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.14"
#define NMAS_LDAP_EXT_VERSION 1
static int berEncodePasswordData(
struct berval **requestBV,
const char *objectDN,
const char *password,
const char *password2)
{
int err = 0, rc=0;
BerElement *requestBer = NULL;
const char * utf8ObjPtr = NULL;
int utf8ObjSize = 0;
const char * utf8PwdPtr = NULL;
int utf8PwdSize = 0;
const char * utf8Pwd2Ptr = NULL;
int utf8Pwd2Size = 0;
utf8ObjSize = strlen(objectDN)+1;
utf8ObjPtr = objectDN;
if (password != NULL)
{
utf8PwdSize = strlen(password)+1;
utf8PwdPtr = password;
}
if (password2 != NULL)
{
utf8Pwd2Size = strlen(password2)+1;
utf8Pwd2Ptr = password2;
}
if((requestBer = ber_alloc()) == NULL)
{
err = LDAP_ENCODING_ERROR;
goto Cleanup;
}
if (password != NULL && password2 != NULL)
{
rc = ber_printf(requestBer, "{iooo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize, utf8Pwd2Ptr, utf8Pwd2Size);
}
else if (password != NULL)
{
rc = ber_printf(requestBer, "{ioo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize);
}
else
{
rc = ber_printf(requestBer, "{io}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize);
}
if (rc < 0)
{
err = LDAP_ENCODING_ERROR;
goto Cleanup;
}
else
{
err = 0;
}
if(ber_flatten(requestBer, requestBV) == LBER_ERROR)
{
err = LDAP_ENCODING_ERROR;
goto Cleanup;
}
Cleanup:
if(requestBer)
{
ber_free(requestBer, 1);
}
return err;
}
static int berEncodeLoginData(
struct berval **requestBV,
char *objectDN,
unsigned int methodIDLen,
unsigned int *methodID,
char *tag,
size_t putDataLen,
void *putData)
{
int err = 0;
BerElement *requestBer = NULL;
unsigned int i;
unsigned int elemCnt = methodIDLen / sizeof(unsigned int);
char *utf8ObjPtr=NULL;
int utf8ObjSize = 0;
char *utf8TagPtr = NULL;
int utf8TagSize = 0;
utf8ObjPtr = objectDN;
utf8ObjSize = strlen(utf8ObjPtr)+1;
utf8TagPtr = tag;
utf8TagSize = strlen(utf8TagPtr)+1;
if((requestBer = ber_alloc()) == NULL)
{
err = LDAP_ENCODING_ERROR;
goto Cleanup;
}
err = (ber_printf(requestBer, "{io", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize) < 0) ? LDAP_ENCODING_ERROR : 0;
if (!err)
{
err = (ber_printf(requestBer, "{i{", methodIDLen) < 0) ? LDAP_ENCODING_ERROR : 0;
}
for (i = 0; !err && i < elemCnt; i++)
{
err = (ber_printf(requestBer, "i", methodID[i]) < 0) ? LDAP_ENCODING_ERROR : 0;
}
if (!err)
{
err = (ber_printf(requestBer, "}}", 0) < 0) ? LDAP_ENCODING_ERROR : 0;
}
if(putData)
{
err = (ber_printf(requestBer, "oio}", utf8TagPtr, utf8TagSize, putDataLen, putData, putDataLen) < 0) ? LDAP_ENCODING_ERROR : 0;
}
else
{
err = (ber_printf(requestBer, "o}", utf8TagPtr, utf8TagSize) < 0) ? LDAP_ENCODING_ERROR : 0;
}
if (err)
{
goto Cleanup;
}
if(ber_flatten(requestBer, requestBV) == LBER_ERROR)
{
err = LDAP_ENCODING_ERROR;
goto Cleanup;
}
Cleanup:
if(requestBer)
{
ber_free(requestBer, 1);
}
return err;
}
static int berDecodeLoginData(
struct berval *replyBV,
int *serverVersion,
size_t *retDataLen,
void *retData )
{
int err = 0;
BerElement *replyBer = NULL;
char *retOctStr = NULL;
size_t retOctStrLen = 0;
if((replyBer = ber_init(replyBV)) == NULL)
{
err = LDAP_OPERATIONS_ERROR;
goto Cleanup;
}
if(retData)
{
retOctStrLen = *retDataLen + 1;
retOctStr = SMB_MALLOC_ARRAY(char, retOctStrLen);
if(!retOctStr)
{
err = LDAP_OPERATIONS_ERROR;
goto Cleanup;
}
if(ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen) != -1)
{
if (*retDataLen >= retOctStrLen)
{
memcpy(retData, retOctStr, retOctStrLen);
}
else if (!err)
{
err = LDAP_NO_MEMORY;
}
*retDataLen = retOctStrLen;
}
else if (!err)
{
err = LDAP_DECODING_ERROR;
}
}
else
{
if(ber_scanf(replyBer, "{ii}", serverVersion, &err) == -1)
{
if (!err)
{
err = LDAP_DECODING_ERROR;
}
}
}
Cleanup:
if(replyBer)
{
ber_free(replyBer, 1);
}
if (retOctStr != NULL)
{
memset(retOctStr, 0, retOctStrLen);
free(retOctStr);
}
return err;
}
static int getLoginConfig(
LDAP *ld,
char *objectDN,
unsigned int methodIDLen,
unsigned int *methodID,
char *tag,
size_t *dataLen,
void *data )
{
int err = 0;
struct berval *requestBV = NULL;
char *replyOID = NULL;
struct berval *replyBV = NULL;
int serverVersion = 0;
if((strlen(objectDN) == 0) || ld == NULL)
{
return LDAP_NO_SUCH_ATTRIBUTE;
}
err = berEncodeLoginData(&requestBV, objectDN, methodIDLen, methodID, tag, 0, NULL);
if(err)
{
goto Cleanup;
}
if((err = ldap_extended_operation_s(ld, NMASLDAP_GET_LOGIN_CONFIG_REQUEST,
requestBV, NULL, NULL, &replyOID, &replyBV)))
{
goto Cleanup;
}
if(!replyOID)
{
err = LDAP_NOT_SUPPORTED;
goto Cleanup;
}
if(strcmp(replyOID, NMASLDAP_GET_LOGIN_CONFIG_RESPONSE))
{
err = LDAP_NOT_SUPPORTED;
goto Cleanup;
}
if(!replyBV)
{
err = LDAP_OPERATIONS_ERROR;
goto Cleanup;
}
err = berDecodeLoginData(replyBV, &serverVersion, dataLen, data);
if(serverVersion != NMAS_LDAP_EXT_VERSION)
{
err = LDAP_OPERATIONS_ERROR;
goto Cleanup;
}
Cleanup:
if(replyBV)
{
ber_bvfree(replyBV);
}
if(replyOID)
{
ldap_memfree(replyOID);
}
if(requestBV)
{
ber_bvfree(requestBV);
}
return err;
}
static int nmasldap_get_simple_pwd(
LDAP *ld,
char *objectDN,
size_t pwdLen,
char *pwd )
{
int err = 0;
unsigned int methodID = 0;
unsigned int methodIDLen = sizeof(methodID);
char tag[] = {'P','A','S','S','W','O','R','D',' ','H','A','S','H',0};
char *pwdBuf=NULL;
size_t pwdBufLen, bufferLen;
bufferLen = pwdBufLen = pwdLen+2;
pwdBuf = SMB_MALLOC_ARRAY(char, pwdBufLen);
if(pwdBuf == NULL)
{
return LDAP_NO_MEMORY;
}
err = getLoginConfig(ld, objectDN, methodIDLen, &methodID, tag, &pwdBufLen, pwdBuf);
if (err == 0)
{
if (pwdBufLen !=0)
{
pwdBuf[pwdBufLen] = 0;
switch (pwdBuf[0])
{
case 1:
break;
case 2:
case 3:
case 4:
case 8:
default:
err = LDAP_INAPPROPRIATE_AUTH;
break;
}
if (!err)
{
if (pwdLen >= pwdBufLen-1)
{
memcpy(pwd, &pwdBuf[1], pwdBufLen-1);
}
else
{
err = LDAP_NO_MEMORY;
}
}
}
}
if (pwdBuf != NULL)
{
memset(pwdBuf, 0, bufferLen);
free(pwdBuf);
}
return err;
}
static int nmasldap_set_password(
LDAP *ld,
const char *objectDN,
const char *pwd )
{
int err = 0;
struct berval *requestBV = NULL;
char *replyOID = NULL;
struct berval *replyBV = NULL;
int serverVersion;
if(objectDN == NULL || (strlen(objectDN) == 0) || pwd == NULL || ld == NULL)
{
return LDAP_NO_SUCH_ATTRIBUTE;
}
err = berEncodePasswordData(&requestBV, objectDN, pwd, NULL);
if(err)
{
goto Cleanup;
}
if((err = ldap_extended_operation_s(ld, NMASLDAP_SET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV)))
{
goto Cleanup;
}
if(!replyOID)
{
err = LDAP_NOT_SUPPORTED;
goto Cleanup;
}
if(strcmp(replyOID, NMASLDAP_SET_PASSWORD_RESPONSE))
{
err = LDAP_NOT_SUPPORTED;
goto Cleanup;
}
if(!replyBV)
{
err = LDAP_OPERATIONS_ERROR;
goto Cleanup;
}
err = berDecodeLoginData(replyBV, &serverVersion, NULL, NULL);
if(serverVersion != NMAS_LDAP_EXT_VERSION)
{
err = LDAP_OPERATIONS_ERROR;
goto Cleanup;
}
Cleanup:
if(replyBV)
{
ber_bvfree(replyBV);
}
if(replyOID)
{
ldap_memfree(replyOID);
}
if(requestBV)
{
ber_bvfree(requestBV);
}
return err;
}
static int nmasldap_get_password(
LDAP *ld,
char *objectDN,
size_t *pwdSize,
unsigned char *pwd )
{
int err = 0;
struct berval *requestBV = NULL;
char *replyOID = NULL;
struct berval *replyBV = NULL;
int serverVersion;
char *pwdBuf;
size_t pwdBufLen, bufferLen;
if(objectDN == NULL || (strlen(objectDN) == 0) || pwdSize == NULL || ld == NULL)
{
return LDAP_NO_SUCH_ATTRIBUTE;
}
bufferLen = pwdBufLen = *pwdSize;
pwdBuf = SMB_MALLOC_ARRAY(char, pwdBufLen+2);
if(pwdBuf == NULL)
{
return LDAP_NO_MEMORY;
}
err = berEncodePasswordData(&requestBV, objectDN, NULL, NULL);
if(err)
{
goto Cleanup;
}
if((err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV)))
{
goto Cleanup;
}
if(!replyOID)
{
err = LDAP_NOT_SUPPORTED;
goto Cleanup;
}
if(strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE))
{
err = LDAP_NOT_SUPPORTED;
goto Cleanup;
}
if(!replyBV)
{
err = LDAP_OPERATIONS_ERROR;
goto Cleanup;
}
err = berDecodeLoginData(replyBV, &serverVersion, &pwdBufLen, pwdBuf);
if(serverVersion != NMAS_LDAP_EXT_VERSION)
{
err = LDAP_OPERATIONS_ERROR;
goto Cleanup;
}
if (!err && pwdBufLen != 0)
{
if (*pwdSize >= pwdBufLen+1 && pwd != NULL)
{
memcpy(pwd, pwdBuf, pwdBufLen);
pwd[pwdBufLen] = 0;
}
*pwdSize = pwdBufLen;
}
Cleanup:
if(replyBV)
{
ber_bvfree(replyBV);
}
if(replyOID)
{
ldap_memfree(replyOID);
}
if(requestBV)
{
ber_bvfree(requestBV);
}
if (pwdBuf != NULL)
{
memset(pwdBuf, 0, bufferLen);
free(pwdBuf);
}
return err;
}
int pdb_nds_get_password(
struct smbldap_state *ldap_state,
char *object_dn,
size_t *pwd_len,
char *pwd )
{
LDAP *ld = ldap_state->ldap_struct;
int rc = -1;
rc = nmasldap_get_password(ld, object_dn, pwd_len, (unsigned char *)pwd);
if (rc == LDAP_SUCCESS) {
#ifdef DEBUG_PASSWORD
DEBUG(100,("nmasldap_get_password returned %s for %s\n", pwd, object_dn));
#endif
DEBUG(5, ("NDS Universal Password retrieved for %s\n", object_dn));
} else {
DEBUG(3, ("NDS Universal Password NOT retrieved for %s\n", object_dn));
}
if (rc != LDAP_SUCCESS) {
rc = nmasldap_get_simple_pwd(ld, object_dn, *pwd_len, pwd);
if (rc == LDAP_SUCCESS) {
#ifdef DEBUG_PASSWORD
DEBUG(100,("nmasldap_get_simple_pwd returned %s for %s\n", pwd, object_dn));
#endif
DEBUG(5, ("NDS Simple Password retrieved for %s\n", object_dn));
} else {
DEBUG(3, ("NDS Simple Password NOT retrieved for %s\n", object_dn));
return LDAP_INVALID_CREDENTIALS;
}
}
return LDAP_SUCCESS;
}
int pdb_nds_set_password(
struct smbldap_state *ldap_state,
char *object_dn,
const char *pwd )
{
LDAP *ld = ldap_state->ldap_struct;
int rc = -1;
LDAPMod **tmpmods = NULL;
rc = nmasldap_set_password(ld, object_dn, pwd);
if (rc == LDAP_SUCCESS) {
DEBUG(5,("NDS Universal Password changed for user %s\n", object_dn));
} else {
char *ld_error = NULL;
ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
DEBUG(3,("NDS Universal Password could not be changed for user %s: %s (%s)\n",
object_dn, ldap_err2string(rc), ld_error?ld_error:"unknown"));
SAFE_FREE(ld_error);
}
smbldap_set_mod(&tmpmods, LDAP_MOD_REPLACE, "userPassword", pwd);
rc = smbldap_modify(ldap_state, object_dn, tmpmods);
return rc;
}
static NTSTATUS pdb_nds_update_login_attempts(struct pdb_methods *methods,
struct samu *sam_acct, BOOL success)
{
struct ldapsam_privates *ldap_state;
if ((!methods) || (!sam_acct)) {
DEBUG(3,("pdb_nds_update_login_attempts: invalid parameter.\n"));
return NT_STATUS_MEMORY_NOT_ALLOCATED;
}
ldap_state = (struct ldapsam_privates *)methods->private_data;
if (ldap_state) {
int rc = 0;
char *dn;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
const char **attr_list;
size_t pwd_len;
char clear_text_pw[512];
LDAP *ld = NULL;
const char *username = pdb_get_username(sam_acct);
BOOL got_clear_text_pw = False;
DEBUG(5,("pdb_nds_update_login_attempts: %s login for %s\n",
success ? "Successful" : "Failed", username));
result = (LDAPMessage *)pdb_get_backend_private_data(sam_acct, methods);
if (!result) {
attr_list = get_userattr_list(NULL,
ldap_state->schema_ver);
rc = ldapsam_search_suffix_by_name(ldap_state, username, &result, attr_list );
TALLOC_FREE( attr_list );
if (rc != LDAP_SUCCESS) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
pdb_set_backend_private_data(sam_acct, result, NULL,
methods, PDB_CHANGED);
talloc_autofree_ldapmsg(sam_acct, result);
}
if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
DEBUG(0, ("pdb_nds_update_login_attempts: No user to modify!\n"));
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
if (!dn) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
DEBUG(3, ("pdb_nds_update_login_attempts: username %s found dn '%s'\n", username, dn));
pwd_len = sizeof(clear_text_pw);
if (success == True) {
if (pdb_nds_get_password(ldap_state->smbldap_state, dn, &pwd_len, clear_text_pw) == LDAP_SUCCESS) {
got_clear_text_pw = True;
}
} else {
generate_random_buffer((unsigned char *)clear_text_pw, 24);
clear_text_pw[24] = '\0';
DEBUG(5,("pdb_nds_update_login_attempts: using random password %s\n", clear_text_pw));
}
if((success != True) || (got_clear_text_pw == True)) {
rc = smb_ldap_setup_full_conn(&ld, ldap_state->location);
if (rc) {
return NT_STATUS_INVALID_CONNECTION;
}
rc = ldap_simple_bind_s(ld, dn, clear_text_pw);
ldap_unbind(ld);
if (rc == LDAP_SUCCESS) {
DEBUG(5,("pdb_nds_update_login_attempts: ldap_simple_bind_s Successful for %s\n", username));
} else {
NTSTATUS nt_status = NT_STATUS_ACCOUNT_RESTRICTION;
DEBUG(5,("pdb_nds_update_login_attempts: ldap_simple_bind_s Failed for %s\n", username));
switch(rc) {
case LDAP_INVALID_CREDENTIALS:
nt_status = NT_STATUS_WRONG_PASSWORD;
break;
case LDAP_UNWILLING_TO_PERFORM:
nt_status = NT_STATUS_ACCOUNT_DISABLED;
break;
default:
break;
}
return nt_status;
}
}
}
return NT_STATUS_OK;
}
static NTSTATUS pdb_init_NDS_ldapsam_common(struct pdb_methods **pdb_method, const char *location)
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)((*pdb_method)->private_data);
ldap_state->is_nds_ldap = True;
(*pdb_method)->update_login_attempts = pdb_nds_update_login_attempts;
ldap_state->location = SMB_STRDUP(location);
return NT_STATUS_OK;
}
static NTSTATUS pdb_init_NDS_ldapsam_compat(struct pdb_methods **pdb_method, const char *location)
{
NTSTATUS nt_status = pdb_init_ldapsam_compat(pdb_method, location);
(*pdb_method)->name = "NDS_ldapsam_compat";
pdb_init_NDS_ldapsam_common(pdb_method, location);
return nt_status;
}
static NTSTATUS pdb_init_NDS_ldapsam(struct pdb_methods **pdb_method, const char *location)
{
NTSTATUS nt_status = pdb_init_ldapsam(pdb_method, location);
(*pdb_method)->name = "NDS_ldapsam";
pdb_init_NDS_ldapsam_common(pdb_method, location);
return nt_status;
}
NTSTATUS pdb_nds_init(void)
{
NTSTATUS nt_status;
if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "NDS_ldapsam", pdb_init_NDS_ldapsam)))
return nt_status;
if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "NDS_ldapsam_compat", pdb_init_NDS_ldapsam_compat)))
return nt_status;
return NT_STATUS_OK;
}