2004-03-13 17:13:11 +08:00
|
|
|
/* $OpenLDAP$ */
|
|
|
|
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
|
|
|
|
*
|
|
|
|
* Copyright 2004 The OpenLDAP Foundation.
|
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted only as authorized by the OpenLDAP
|
|
|
|
* Public License.
|
2004-03-13 05:22:32 +08:00
|
|
|
*
|
2004-03-13 17:13:11 +08:00
|
|
|
* A copy of this license is available in the file LICENSE in the
|
|
|
|
* top-level directory of the distribution or, alternatively, at
|
|
|
|
* <http://www.OpenLDAP.org/license.html>.
|
2004-03-13 05:22:32 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include "portable.h"
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <ac/stdlib.h>
|
|
|
|
#include <ac/string.h>
|
|
|
|
#include <ac/time.h>
|
|
|
|
|
|
|
|
#include "ldap-int.h"
|
|
|
|
|
|
|
|
#define PPOLICY_WARNING 0xa0L
|
|
|
|
#define PPOLICY_ERROR 0xa1L
|
|
|
|
|
|
|
|
#define PPOLICY_EXPIRE 0xa0L
|
|
|
|
#define PPOLICY_GRACE 0xa1L
|
|
|
|
|
|
|
|
/*---
|
|
|
|
ldap_create_passwordpolicy_control
|
|
|
|
|
|
|
|
Create and encode the Password Policy Request
|
|
|
|
|
|
|
|
ld (IN) An LDAP session handle, as obtained from a call to
|
|
|
|
ldap_init().
|
|
|
|
|
|
|
|
ctrlp (OUT) A result parameter that will be assigned the address
|
|
|
|
of an LDAPControl structure that contains the
|
|
|
|
passwordPolicyRequest control created by this function.
|
|
|
|
The memory occupied by the LDAPControl structure
|
|
|
|
SHOULD be freed when it is no longer in use by
|
|
|
|
calling ldap_control_free().
|
|
|
|
|
|
|
|
|
|
|
|
There is no control value for a password policy request
|
|
|
|
---*/
|
|
|
|
|
|
|
|
int
|
|
|
|
ldap_create_passwordpolicy_control( LDAP *ld,
|
|
|
|
LDAPControl **ctrlp )
|
|
|
|
{
|
|
|
|
BerElement *ber;
|
|
|
|
|
|
|
|
assert( ld != NULL );
|
|
|
|
assert( LDAP_VALID( ld ) );
|
|
|
|
assert( ctrlp != NULL );
|
|
|
|
|
|
|
|
if ((ber = ldap_alloc_ber_with_options(ld)) == NULL) {
|
|
|
|
ld->ld_errno = LDAP_NO_MEMORY;
|
|
|
|
return(LDAP_NO_MEMORY);
|
|
|
|
}
|
|
|
|
|
|
|
|
ld->ld_errno = ldap_create_control( LDAP_CONTROL_PASSWORDPOLICYREQUEST,
|
|
|
|
ber, 0, ctrlp);
|
|
|
|
|
|
|
|
ber_free(ber, 1);
|
|
|
|
return(ld->ld_errno);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*---
|
|
|
|
ldap_parse_passwordpolicy_control
|
|
|
|
|
|
|
|
Decode the passwordPolicyResponse control and return information.
|
|
|
|
|
|
|
|
ld (IN) An LDAP session handle.
|
|
|
|
|
2004-03-16 07:53:37 +08:00
|
|
|
ctrls (IN) The address of an
|
|
|
|
LDAPControl structure, typically obtained
|
|
|
|
by a call to ldap_find_control().
|
2004-03-13 05:22:32 +08:00
|
|
|
|
|
|
|
exptimep (OUT) This result parameter is filled in with the number of seconds before
|
|
|
|
the password will expire, if expiration is imminent
|
|
|
|
(imminency defined by the password policy). If expiration
|
|
|
|
is not imminent, the value is set to -1.
|
|
|
|
|
|
|
|
gracep (OUT) This result parameter is filled in with the number of grace logins after
|
|
|
|
the password has expired, before no further login attempts
|
|
|
|
will be allowed.
|
|
|
|
|
|
|
|
errorcodep (OUT) This result parameter is filled in with the error code of the password operation
|
|
|
|
If no error was detected, this error is set to PP_noError.
|
|
|
|
|
|
|
|
Ber encoding
|
|
|
|
|
|
|
|
PasswordPolicyResponseValue ::= SEQUENCE {
|
|
|
|
warning [0] CHOICE {
|
|
|
|
timeBeforeExpiration [0] INTEGER (0 .. maxInt),
|
|
|
|
graceLoginsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL
|
|
|
|
error [1] ENUMERATED {
|
|
|
|
passwordExpired (0),
|
|
|
|
accountLocked (1),
|
|
|
|
changeAfterReset (2),
|
|
|
|
passwordModNotAllowed (3),
|
|
|
|
mustSupplyOldPassword (4),
|
|
|
|
invalidPasswordSyntax (5),
|
|
|
|
passwordTooShort (6),
|
|
|
|
passwordTooYoung (7),
|
|
|
|
passwordInHistory (8) } OPTIONAL }
|
|
|
|
|
|
|
|
---*/
|
|
|
|
|
|
|
|
int
|
|
|
|
ldap_parse_passwordpolicy_control(
|
|
|
|
LDAP *ld,
|
2004-03-16 07:53:37 +08:00
|
|
|
LDAPControl *ctrl,
|
2004-03-13 05:22:32 +08:00
|
|
|
int *expirep,
|
|
|
|
int *gracep,
|
|
|
|
LDAPPasswordPolicyError *errorp )
|
|
|
|
{
|
|
|
|
BerElement *ber;
|
|
|
|
int i, exp = -1, grace = -1;
|
|
|
|
ber_tag_t tag;
|
|
|
|
ber_len_t berLen;
|
|
|
|
char *last;
|
|
|
|
LDAPPasswordPolicyError err = PP_noError;
|
|
|
|
|
|
|
|
assert( ld != NULL );
|
|
|
|
assert( LDAP_VALID( ld ) );
|
2004-03-16 07:53:37 +08:00
|
|
|
assert( ctrl );
|
2004-03-13 05:22:32 +08:00
|
|
|
|
|
|
|
/* Create a BerElement from the berval returned in the control. */
|
2004-03-16 07:53:37 +08:00
|
|
|
ber = ber_init(&ctrl->ldctl_value);
|
2004-03-13 05:22:32 +08:00
|
|
|
|
|
|
|
if (ber == NULL) {
|
|
|
|
ld->ld_errno = LDAP_NO_MEMORY;
|
|
|
|
return(ld->ld_errno);
|
|
|
|
}
|
|
|
|
|
|
|
|
tag = ber_peek_tag( ber, &berLen );
|
|
|
|
if (tag != LBER_SEQUENCE) goto exit;
|
|
|
|
|
|
|
|
for( tag = ber_first_element( ber, &berLen, &last );
|
|
|
|
tag != LBER_DEFAULT;
|
|
|
|
tag = ber_next_element( ber, &berLen, last ) ) {
|
|
|
|
switch (tag) {
|
|
|
|
case PPOLICY_WARNING:
|
|
|
|
ber_skip_tag(ber, &berLen );
|
|
|
|
tag = ber_peek_tag( ber, &berLen );
|
|
|
|
switch( tag ) {
|
|
|
|
case PPOLICY_EXPIRE:
|
|
|
|
if (ber_get_int( ber, &exp ) == LBER_DEFAULT) goto exit;
|
|
|
|
break;
|
|
|
|
case PPOLICY_GRACE:
|
|
|
|
if (ber_get_int( ber, &grace ) == LBER_DEFAULT) goto exit;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
goto exit;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
break;
|
|
|
|
case PPOLICY_ERROR:
|
|
|
|
if (ber_get_enum( ber, (int *)&err ) == LBER_DEFAULT) goto exit;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
goto exit;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
ber_free(ber, 1);
|
|
|
|
|
|
|
|
/* Return data to the caller for items that were requested. */
|
|
|
|
if (expirep) *expirep = exp;
|
|
|
|
if (gracep) *gracep = grace;
|
|
|
|
if (errorp) *errorp = err;
|
|
|
|
|
|
|
|
ld->ld_errno = LDAP_SUCCESS;
|
|
|
|
return(ld->ld_errno);
|
|
|
|
|
|
|
|
exit:
|
|
|
|
ber_free(ber, 1);
|
|
|
|
ld->ld_errno = LDAP_DECODING_ERROR;
|
|
|
|
return(ld->ld_errno);
|
|
|
|
}
|
2004-03-16 07:53:37 +08:00
|
|
|
|
|
|
|
const char *
|
|
|
|
ldap_passwordpolicy_err2txt( LDAPPasswordPolicyError err )
|
|
|
|
{
|
|
|
|
switch(err) {
|
|
|
|
case PP_passwordExpired: return "Password expired";
|
|
|
|
case PP_accountLocked: return "Account locked";
|
|
|
|
case PP_changeAfterReset: return "Password must be changed";
|
|
|
|
case PP_passwordModNotAllowed: return "Policy prevents password modification";
|
|
|
|
case PP_mustSupplyOldPassword: return "Policy requires old password in order to change password";
|
|
|
|
case PP_insufficientPasswordQuality: return "Password fails quality checks";
|
|
|
|
case PP_passwordTooShort: return "Password is too short for policy";
|
|
|
|
case PP_passwordTooYoung: return "Password has been changed too recently";
|
|
|
|
case PP_passwordInHistory: return "New password is in list of old passwords";
|
|
|
|
case PP_noError: return "No error";
|
|
|
|
default: return "Unknown error code";
|
|
|
|
}
|
|
|
|
}
|