openldap/clients/tools/ldappasswd.c

/* ldappasswd -- a tool for changing LDAP passwords */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2009 The OpenLDAP Foundation.
* Portions Copyright 1998-2003 Kurt D. Zeilenga.
* Portions Copyright 1998-2001 Net Boolean Incorporated.
* Portions Copyright 2001-2003 IBM Corporation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
/* Portions Copyright (c) 1992-1996 Regents of the University of Michigan.
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and that due credit is given
* to the University of Michigan at Ann Arbor. The name of the
* University may not be used to endorse or promote products derived
* from this software without specific prior written permission. This
* software is provided ``as is'' without express or implied warranty.
*/
/* ACKNOWLEDGEMENTS:
* The original ldappasswd(1) tool was developed by Dave Storey (F5
* Network), based on other OpenLDAP client tools (which are, of
* course, based on U-MICH LDAP). This version was rewritten
* by Kurt D. Zeilenga (based on other OpenLDAP client tools).
*/
#include "portable.h"
#include <stdio.h>
#include <ac/stdlib.h>
#include <ac/ctype.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/time.h>
#include <ac/unistd.h>
#include <ldap.h>
#include "lutil.h"
#include "lutil_ldap.h"
#include "ldap_defaults.h"
#include "common.h"
/* Cleartext new/old password values for the Password Modify request.
 * bv_val stays NULL until a value arrives from -s/-a, a password file,
 * or an interactive prompt. */
static struct berval newpw = { 0, NULL };
static struct berval oldpw = { 0, NULL };
/* Incremented by -S / -A: main() prompts for the new / old password
 * when no value was supplied another way. */
static int want_newpw = 0;
static int want_oldpw = 0;
/* File names given with -t (old password) and -T (new password); they point
 * at the option argument itself and are read in main(). */
static char *oldpwfile = NULL;
static char *newpwfile = NULL;
/*
 * Write the ldappasswd usage text to stderr, call tool_common_usage(),
 * and terminate the process with EXIT_FAILURE.  Does not return.
 */
void
usage( void )
{
	FILE *const err = stderr;

	fprintf( err, _("Change password of an LDAP user\n\n"));
	fprintf( err,_("usage: %s [options] [user]\n"), prog);
	fprintf( err, _(" user: the authentication identity, commonly a DN\n"));

	/*
	 * -a and -s carry the secret in the argument vector, where it stays
	 * until handle_private_option() overwrites it; -A/-S (prompt) and
	 * -t/-T (file) keep the password off the command line altogether.
	 */
	fprintf( err, _("Password change options:\n"));
	fprintf( err, _(" -a secret old password\n"));
	fprintf( err, _(" -A prompt for old password\n"));
	fprintf( err, _(" -t file read file for old password\n"));
	fprintf( err, _(" -s secret new password\n"));
	fprintf( err, _(" -S prompt for new password\n"));
	fprintf( err, _(" -T file read file for new password\n"));

	tool_common_usage();
	exit( EXIT_FAILURE );
}
const char options[] = "a:As:St:T:"
2008-11-21 11:30:15 +08:00
"d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
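/*
 * Duplicate a secret passed on the command line and blank the original
 * argument text in place.
 *
 * arg is overwritten with NUL bytes up to its terminator so the password
 * does not linger in the argument text (optarg normally points into argv).
 * The secret was still present there from process start until this call,
 * so -A/-S or -t/-T remain the safer ways to supply a password.
 *
 * Returns the heap copy; the caller owns it.  Exits with EXIT_FAILURE when
 * the copy cannot be allocated, instead of handing NULL to strlen().
 */
static char *
dup_and_scrub_secret( char *arg )
{
	char *copy = strdup( arg );
	char *p;

	/* scrub the argument whether or not the copy succeeded */
	for( p = arg; *p != '\0'; p++ ) {
		*p = '\0';
	}

	if( copy == NULL ) {
		perror( "strdup" );
		exit( EXIT_FAILURE );
	}

	return copy;
}

/*
 * Handle the options that are specific to ldappasswd.
 *
 * i is the option character; its argument, if any, is read from optarg.
 * Returns 1 when the option was handled here and 0 when it is not one of
 * the options this function knows.
 */
int
handle_private_option( int i )
{
	switch ( i ) {
#if 0
	case 'E': /* passwd extensions */ {
		int		crit;
		char	*control, *cvalue;
		if( protocol == LDAP_VERSION2 ) {
			fprintf( stderr, _("%s: -E incompatible with LDAPv%d\n"),
				prog, protocol );
			exit( EXIT_FAILURE );
		}

		/* should be extended to support comma separated list of
		 *	[!]key[=value] parameters, e.g.  -E !foo,bar=567
		 */

		crit = 0;
		cvalue = NULL;
		if( optarg[0] == '!' ) {
			crit = 1;
			optarg++;
		}

		control = strdup( optarg );
		if ( (cvalue = strchr( control, '=' )) != NULL ) {
			*cvalue++ = '\0';
		}
		fprintf( stderr, _("Invalid passwd extension name: %s\n"), control );
		usage();
	}
#endif

	case 'a':	/* old password (secret) */
		oldpw.bv_val = dup_and_scrub_secret( optarg );
		oldpw.bv_len = strlen( oldpw.bv_val );
		break;

	case 'A':	/* prompt for old password */
		want_oldpw++;
		break;

	case 's':	/* new password (secret) */
		newpw.bv_val = dup_and_scrub_secret( optarg );
		newpw.bv_len = strlen( newpw.bv_val );
		break;

	case 'S':	/* prompt for user password */
		want_newpw++;
		break;

	case 't':	/* file holding the old password */
		oldpwfile = optarg;
		break;

	case 'T':	/* file holding the new password */
		newpwfile = optarg;
		break;

	default:
		return 0;
	}
	return 1;
}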
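/*
 * Overwrite len bytes at buf with zeros, then free() it.  The stores go
 * through a volatile pointer so they are not discarded as dead writes ahead
 * of the free().  A NULL buf is ignored.
 */
static void
wipe_and_free( char *buf, size_t len )
{
	volatile char *p = buf;

	if( buf == NULL ) {
		return;
	}
	while( len-- > 0 ) {
		*p++ = '\0';
	}
	free( buf );
}

/*
 * Prompt for a password twice and return a heap copy when both entries
 * match.  Returns NULL when either prompt yields no result, the copy cannot
 * be allocated, or the two entries differ.  The caller owns the result.
 */
static char *
prompt_password_twice( const char *prompt, const char *again )
{
	char *typed, *copy, *check;

	typed = getpassphrase( prompt );
	/* Copy the first entry before prompting again; getpassphrase()
	 * presumably reuses its buffer (TODO confirm).  strdup() is only
	 * called on a non-NULL result. */
	copy = typed ? strdup( typed ) : NULL;
	check = getpassphrase( again );

	if( copy == NULL || check == NULL || strcmp( copy, check ) != 0 ) {
		if( copy != NULL ) {
			wipe_and_free( copy, strlen( copy ) );
		}
		return NULL;
	}
	return copy;
}

/*
 * ldappasswd entry point: collect the old/new passwords (option, file or
 * prompt), bind, send an LDAP Password Modify extended operation, and print
 * the outcome.
 *
 * Returns EXIT_SUCCESS when the server reports LDAP_SUCCESS and
 * EXIT_FAILURE on local or server errors; LDAP_SUCCESS when `dont` is set,
 * LDAP_CANCELLED when the operation was abandoned, and the negative
 * ldap_result() code when waiting for the response fails.  Every exit goes
 * through `done` so the connection is unbound and tool_destroy() runs.
 */
int
main( int argc, char *argv[] )
{
	int rc;
	char	*user = NULL;

	LDAP	*ld = NULL;
	struct berval bv = {0, NULL};
	BerElement  *ber = NULL;

	int id, code = LDAP_OTHER;
	LDAPMessage *res;
	char *matcheddn = NULL, *text = NULL, **refs = NULL;
	char	*retoid = NULL;
	struct berval *retdata = NULL;
	LDAPControl **ctrls = NULL;
	/* remembers whether a new password was supplied, so the check after
	 * the response does not look at a pointer that was already freed */
	int newpw_given = 0;

	tool_init( TOOL_PASSWD );
	prog = lutil_progname( "ldappasswd", argc, argv );

	/* LDAPv3 only */
	protocol = LDAP_VERSION3;

	tool_args( argc, argv );

	if( argc - optind > 1 ) {
		usage();
	} else if ( argc - optind == 1 ) {
		user = strdup( argv[optind] );
		if( user == NULL ) {
			/* A NULL user would silently drop the target identity
			 * from the request, leaving the server to pick whose
			 * password changes, so fail instead. */
			perror( "strdup" );
			rc = EXIT_FAILURE;
			goto done;
		}
	} else {
		user = NULL;
	}

	if( oldpwfile ) {
		rc = lutil_get_filed_password( oldpwfile, &oldpw );
		if( rc ) {
			rc = EXIT_FAILURE;
			goto done;
		}
	}

	if( want_oldpw && oldpw.bv_val == NULL ) {
		/* prompt for old password */
		oldpw.bv_val = prompt_password_twice(
			_("Old password: "), _("Re-enter old password: ") );
		if( oldpw.bv_val == NULL ) {
			fprintf( stderr, _("passwords do not match\n") );
			rc = EXIT_FAILURE;
			goto done;
		}
		oldpw.bv_len = strlen( oldpw.bv_val );
	}

	if( newpwfile ) {
		rc = lutil_get_filed_password( newpwfile, &newpw );
		if( rc ) {
			rc = EXIT_FAILURE;
			goto done;
		}
	}

	if( want_newpw && newpw.bv_val == NULL ) {
		/* prompt for new password */
		newpw.bv_val = prompt_password_twice(
			_("New password: "), _("Re-enter new password: ") );
		if( newpw.bv_val == NULL ) {
			fprintf( stderr, _("passwords do not match\n") );
			rc = EXIT_FAILURE;
			goto done;
		}
		newpw.bv_len = strlen( newpw.bv_val );
	}

	/* bind password: from a file, or from a prompt when requested */
	if ( pw_file ) {
		rc = lutil_get_filed_password( pw_file, &passwd );
		if( rc ) {
			rc = EXIT_FAILURE;
			goto done;
		}
	} else if ( want_bindpw ) {
		passwd.bv_val = getpassphrase( _("Enter LDAP Password: ") );
		passwd.bv_len = passwd.bv_val ? strlen( passwd.bv_val ) : 0;
	}

	ld = tool_conn_setup( 0, 0 );

	tool_bind( ld );

	if ( assertion || authzid || manageDSAit || noop ) {
		tool_server_controls( ld, NULL, 0 );
	}

	newpw_given = ( newpw.bv_val != NULL );

	if( user != NULL || oldpw.bv_val != NULL || newpw.bv_val != NULL ) {
		/* build the password modify request data */
		ber = ber_alloc_t( LBER_USE_DER );

		if( ber == NULL ) {
			perror( "ber_alloc_t" );
			rc = EXIT_FAILURE;
			goto done;
		}

		ber_printf( ber, "{" /*}*/ );

		if( user != NULL ) {
			ber_printf( ber, "ts",
				LDAP_TAG_EXOP_MODIFY_PASSWD_ID, user );
			free(user);
			user = NULL;
		}

		/* Once encoded, the cleartext copies are no longer needed here:
		 * zero them before releasing the memory.  The encoded request in
		 * `ber` still holds the passwords until ber_free() below. */
		if( oldpw.bv_val != NULL ) {
			ber_printf( ber, "tO",
				LDAP_TAG_EXOP_MODIFY_PASSWD_OLD, &oldpw );
			wipe_and_free( oldpw.bv_val, oldpw.bv_len );
			oldpw.bv_val = NULL;
			oldpw.bv_len = 0;
		}

		if( newpw.bv_val != NULL ) {
			ber_printf( ber, "tO",
				LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, &newpw );
			wipe_and_free( newpw.bv_val, newpw.bv_len );
			newpw.bv_val = NULL;
			newpw.bv_len = 0;
		}

		ber_printf( ber, /*{*/ "N}" );

		rc = ber_flatten2( ber, &bv, 0 );

		if( rc < 0 ) {
			perror( "ber_flatten2" );
			rc = EXIT_FAILURE;
			goto done;
		}
	}

	if ( dont ) {
		rc = LDAP_SUCCESS;
		goto done;
	}

	/* NOTE(review): controls may already have been set by the conditional
	 * call after tool_bind(); whether this second call is redundant
	 * depends on tool_server_controls(), which is not defined in this
	 * file. */
	tool_server_controls( ld, NULL, 0);

	rc = ldap_extended_operation( ld,
		LDAP_EXOP_MODIFY_PASSWD, bv.bv_val ? &bv : NULL,
		NULL, NULL, &id );

	ber_free( ber, 1 );

	if( rc != LDAP_SUCCESS ) {
		tool_perror( "ldap_extended_operation", rc, NULL, NULL, NULL, NULL );
		rc = EXIT_FAILURE;
		goto done;
	}

	/* poll for the response in 100 ms slices so an abandon request is
	 * noticed between polls */
	for ( ; ; ) {
		struct timeval	tv;

		if ( tool_check_abandon( ld, id ) ) {
			/* leave through `done` so the connection is unbound */
			rc = LDAP_CANCELLED;
			goto done;
		}

		tv.tv_sec = 0;
		tv.tv_usec = 100000;

		rc = ldap_result( ld, LDAP_RES_ANY, LDAP_MSG_ALL, &tv, &res );
		if ( rc < 0 ) {
			tool_perror( "ldap_result", rc, NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( rc != 0 ) {
			break;
		}
	}

	rc = ldap_parse_result( ld, res,
		&code, &matcheddn, &text, &refs, &ctrls, 0 );
	if( rc != LDAP_SUCCESS ) {
		tool_perror( "ldap_parse_result", rc, NULL, NULL, NULL, NULL );
		rc = EXIT_FAILURE;
		goto done;
	}

	rc = ldap_parse_extended_result( ld, res, &retoid, &retdata, 1 );
	if( rc != LDAP_SUCCESS ) {
		tool_perror( "ldap_parse_extended_result", rc, NULL, NULL, NULL, NULL );
		rc = EXIT_FAILURE;
		goto done;
	}

	if( retdata != NULL ) {
		ber_tag_t tag;
		char *s;
		ber = ber_init( retdata );

		if( ber == NULL ) {
			perror( "ber_init" );
			rc = EXIT_FAILURE;
			goto done;
		}

		/* we should check the tag */
		tag = ber_scanf( ber, "{a}", &s);

		if( tag == LBER_ERROR ) {
			perror( "ber_scanf" );
		} else {
			/* The password returned by the server goes to stdout in
			 * clear text; anything that captures or logs this
			 * tool's output has to treat it as a secret. */
			printf(_("New password: %s\n"), s);
			ber_memfree( s );
		}

		ber_free( ber, 1 );

	} else if ( code == LDAP_SUCCESS && !newpw_given ) {
		/* no new password was sent, so the response should carry one */
		tool_perror( "ldap_parse_extended_result", LDAP_DECODING_ERROR,
			" new password expected", NULL, NULL, NULL );
	}

	if( verbose || code != LDAP_SUCCESS ||
		matcheddn || text || refs || ctrls )
	{
		printf( _("Result: %s (%d)\n"), ldap_err2string( code ), code );

		if( text && *text ) {
			printf( _("Additional info: %s\n"), text );
		}

		if( matcheddn && *matcheddn ) {
			printf( _("Matched DN: %s\n"), matcheddn );
		}

		if( refs ) {
			int i;
			for( i=0; refs[i]; i++ ) {
				printf(_("Referral: %s\n"), refs[i] );
			}
		}

		if( ctrls ) {
			tool_print_ctrls( ld, ctrls );
			ldap_controls_free( ctrls );
		}
	}

	ber_memfree( text );
	ber_memfree( matcheddn );
	ber_memvfree( (void **) refs );
	ber_memfree( retoid );
	ber_bvfree( retdata );

	rc = ( code == LDAP_SUCCESS ) ? EXIT_SUCCESS : EXIT_FAILURE;

done:
	/* disconnect from server */
	if ( ld )
		tool_unbind( ld );
	tool_destroy();
	return rc;
}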