mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
Experimental Samba and Heimdal password synchronization overlay.
This commit is contained in:
parent
ad6969e6cd
commit
41e53b5a25
37
contrib/slapd-modules/smbk5pwd/Makefile
Normal file
37
contrib/slapd-modules/smbk5pwd/Makefile
Normal file
@ -0,0 +1,37 @@
|
||||
# $OpenLDAP$
|
||||
# Copyright 2004 Howard Chu, Symas Corp. All Rights Reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted only as authorized by the OpenLDAP
|
||||
# Public License.
|
||||
#
|
||||
# A copy of this license is available in the file LICENSE in the
|
||||
# top-level directory of the distribution or, alternatively, at
|
||||
# <http://www.OpenLDAP.org/license.html>.
|
||||
|
||||
LIBTOOL=../../../libtool
|
||||
OPT=-g -O2
|
||||
CC=gcc
|
||||
|
||||
# Omit DO_KRB5 or DO_SAMBA if you don't want to support it.
|
||||
DEFS=-DDO_KRB5 -DDO_SAMBA
|
||||
|
||||
HEIMDAL_INC=-I/usr/heimdal/include
|
||||
SSL_INC=
|
||||
LDAP_INC=-I../../../include -I../../../servers/slapd
|
||||
INCS=$(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
|
||||
|
||||
HEIMDAL_LIB=-L/usr/heimdal/lib -lkrb5 -lkadm5srv
|
||||
SSL_LIB=-lcrypto
|
||||
LDAP_LIB=-lldap_r -llber
|
||||
LIBS=$(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
|
||||
|
||||
all: smbk5pwd.la
|
||||
|
||||
|
||||
smbk5pwd.lo: smbk5pwd.c
|
||||
$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $?
|
||||
|
||||
smbk5pwd.la: smbk5pwd.lo
|
||||
$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \
|
||||
-rpath /usr/local/libexec/openldap -module -o $@ $? $(LIBS)
|
51
contrib/slapd-modules/smbk5pwd/README
Normal file
51
contrib/slapd-modules/smbk5pwd/README
Normal file
@ -0,0 +1,51 @@
|
||||
Copyright 2004 Howard Chu, Symas Corp. All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted only as authorized by the OpenLDAP
|
||||
Public License.
|
||||
|
||||
A copy of this license is available in the file LICENSE in the
|
||||
top-level directory of the distribution or, alternatively, at
|
||||
<http://www.OpenLDAP.org/license.html>.
|
||||
|
||||
This directory contains a slapd overlay, smbk5pwd, that extends the
|
||||
PasswordModify Extended Operation to update Kerberos keys and Samba
|
||||
password hashes for an LDAP user.
|
||||
|
||||
The Kerberos support is written for Heimdal using its hdb-ldap backend.
|
||||
If a PasswordModify is performed on an entry that has the krb5KDCEntry
|
||||
objectclass, then the krb5Key and krb5KeyVersionNumber will be updated
|
||||
using the new password in the PasswordModify request.
|
||||
|
||||
The Samba support is written using the Samba 3.0 LDAP schema. If a
|
||||
PasswordModify is performed on an entry that has the sambaSamAccount
|
||||
objectclass, then the sambaLMPassword, sambaNTPassword, and sambaPwdLastSet
|
||||
attributes will be updated accordingly.
|
||||
|
||||
To use the overlay, add:
|
||||
|
||||
include <path to>/krb5-kdc.schema
|
||||
include <path to>/samba.schema
|
||||
|
||||
moduleload <path to>smbk5pwd.so
|
||||
...
|
||||
|
||||
database bdb
|
||||
...
|
||||
overlay smbk5pwd
|
||||
|
||||
to your slapd configuration file. (You should obtain the necessary schema
|
||||
files from the Heimdal and/or Samba distributions. At this time, there
|
||||
are several known errors in these schema files that you will have to
|
||||
correct before they will load in slapd.)
|
||||
|
||||
The provided Makefile builds both Kerberos and Samba support by default.
|
||||
You must edit the Makefile to insure that the correct include and library
|
||||
paths are used. You can change the DEFS macro if you only want one or the
|
||||
other of Kerberos or Samba support.
|
||||
|
||||
This overlay is only set up to be built as a dynamically loaded module.
|
||||
If you need to build it statically, you will have to move it into the
|
||||
slapd/overlays directory and edit the Makefile and overlays.c to reference
|
||||
it. You will also have to define SLAPD_OVER_SMBK5PWD to SLAPD_MOD_STATIC,
|
||||
and add the relevant libraries to the main slapd link command.
|
401
contrib/slapd-modules/smbk5pwd/smbk5pwd.c
Normal file
401
contrib/slapd-modules/smbk5pwd/smbk5pwd.c
Normal file
@ -0,0 +1,401 @@
|
||||
/* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
|
||||
/* $OpenLDAP$ */
|
||||
/*
|
||||
* Copyright 2004 by Howard Chu, Symas Corp.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted only as authorized by the OpenLDAP
|
||||
* Public License.
|
||||
*
|
||||
* A copy of this license is available in the file LICENSE in the
|
||||
* top-level directory of the distribution or, alternatively, at
|
||||
* <http://www.OpenLDAP.org/license.html>.
|
||||
*/
|
||||
|
||||
#include <portable.h>
|
||||
|
||||
#ifndef SLAPD_OVER_SMBK5PWD
|
||||
#define SLAPD_OVER_SMBK5PWD SLAPD_MOD_DYNAMIC
|
||||
#endif
|
||||
|
||||
#ifdef SLAPD_OVER_SMBK5PWD
|
||||
|
||||
#include <slap.h>
|
||||
#include <ac/errno.h>
|
||||
|
||||
#ifdef DO_KRB5
|
||||
/* make ASN1_MALLOC_ENCODE use our allocator */
|
||||
#define malloc ch_malloc
|
||||
|
||||
#include <krb5.h>
|
||||
#include <kadm5/admin.h>
|
||||
#include <hdb.h>
|
||||
|
||||
static krb5_context context;
|
||||
static void *kadm_context;
|
||||
static kadm5_config_params conf;
|
||||
static HDB *db;
|
||||
|
||||
static AttributeDescription *ad_krb5Key;
|
||||
static AttributeDescription *ad_krb5KeyVersionNumber;
|
||||
static AttributeDescription *ad_krb5PrincipalName;
|
||||
static ObjectClass *oc_krb5KDCEntry;
|
||||
#endif
|
||||
|
||||
#ifdef DO_SAMBA
|
||||
#include <openssl/des.h>
|
||||
#include <openssl/md4.h>
|
||||
|
||||
static AttributeDescription *ad_sambaLMPassword;
|
||||
static AttributeDescription *ad_sambaNTPassword;
|
||||
static AttributeDescription *ad_sambaPwdLastSet;
|
||||
static ObjectClass *oc_sambaSamAccount;
|
||||
#endif
|
||||
|
||||
#if 0
|
||||
static void smbk5pwd_destroy() {
|
||||
kadm5_destroy(kadm_context);
|
||||
krb5_free_context(context);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef DO_SAMBA
|
||||
static const char hex[] = "0123456789abcdef";
|
||||
|
||||
/* From liblutil/passwd.c... */
|
||||
static void lmPasswd_to_key(
|
||||
const unsigned char *lmPasswd,
|
||||
des_cblock *key)
|
||||
{
|
||||
/* make room for parity bits */
|
||||
((char *)key)[0] = lmPasswd[0];
|
||||
((char *)key)[1] = ((lmPasswd[0]&0x01)<<7) | (lmPasswd[1]>>1);
|
||||
((char *)key)[2] = ((lmPasswd[1]&0x03)<<6) | (lmPasswd[2]>>2);
|
||||
((char *)key)[3] = ((lmPasswd[2]&0x07)<<5) | (lmPasswd[3]>>3);
|
||||
((char *)key)[4] = ((lmPasswd[3]&0x0F)<<4) | (lmPasswd[4]>>4);
|
||||
((char *)key)[5] = ((lmPasswd[4]&0x1F)<<3) | (lmPasswd[5]>>5);
|
||||
((char *)key)[6] = ((lmPasswd[5]&0x3F)<<2) | (lmPasswd[6]>>6);
|
||||
((char *)key)[7] = ((lmPasswd[6]&0x7F)<<1);
|
||||
|
||||
des_set_odd_parity( key );
|
||||
}
|
||||
|
||||
#define MAX_PWLEN 256
|
||||
#define HASHLEN 16
|
||||
|
||||
static void hexify(
|
||||
const char in[HASHLEN],
|
||||
struct berval *out
|
||||
)
|
||||
{
|
||||
int i;
|
||||
char *a;
|
||||
unsigned char *b;
|
||||
|
||||
out->bv_val = ch_malloc(HASHLEN*2 + 1);
|
||||
out->bv_len = HASHLEN*2;
|
||||
|
||||
a = out->bv_val;
|
||||
b = (unsigned char *)in;
|
||||
for (i=0; i<HASHLEN; i++) {
|
||||
*a++ = hex[*b >> 4];
|
||||
*a++ = hex[*b++ & 0x0f];
|
||||
}
|
||||
*a++ = '\0';
|
||||
}
|
||||
|
||||
static void lmhash(
|
||||
struct berval *passwd,
|
||||
struct berval *hash
|
||||
)
|
||||
{
|
||||
char UcasePassword[15];
|
||||
des_cblock key;
|
||||
des_key_schedule schedule;
|
||||
des_cblock StdText = "KGS!@#$%";
|
||||
des_cblock hbuf[2];
|
||||
|
||||
strncpy( UcasePassword, passwd->bv_val, 14 );
|
||||
UcasePassword[14] = '\0';
|
||||
ldap_pvt_str2upper( UcasePassword );
|
||||
|
||||
lmPasswd_to_key( UcasePassword, &key );
|
||||
des_set_key_unchecked( &key, schedule );
|
||||
des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT );
|
||||
|
||||
lmPasswd_to_key( &UcasePassword[7], &key );
|
||||
des_set_key_unchecked( &key, schedule );
|
||||
des_ecb_encrypt( &StdText, &hbuf[1], schedule , DES_ENCRYPT );
|
||||
|
||||
hexify( (char *)hbuf, hash );
|
||||
}
|
||||
|
||||
static void nthash(
|
||||
struct berval *passwd,
|
||||
struct berval *hash
|
||||
)
|
||||
{
|
||||
/* Windows currently only allows 14 character passwords, but
|
||||
* may support up to 256 in the future. We assume this means
|
||||
* 256 UCS2 characters, not 256 bytes...
|
||||
*/
|
||||
char hbuf[HASHLEN];
|
||||
int i;
|
||||
MD4_CTX ctx;
|
||||
|
||||
if (passwd->bv_len > MAX_PWLEN*2)
|
||||
passwd->bv_len = MAX_PWLEN*2;
|
||||
|
||||
MD4_Init( &ctx );
|
||||
MD4_Update( &ctx, passwd->bv_val, passwd->bv_len );
|
||||
MD4_Final( hbuf, &ctx );
|
||||
|
||||
hexify( hbuf, hash );
|
||||
}
|
||||
#endif /* DO_SAMBA */
|
||||
|
||||
int smbk5pwd_exop_passwd(
|
||||
Operation *op,
|
||||
SlapReply *rs )
|
||||
{
|
||||
int i, rc;
|
||||
req_pwdexop_s *qpw = &op->oq_pwdexop;
|
||||
Entry *e;
|
||||
Attribute *a;
|
||||
Modifications *ml;
|
||||
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
|
||||
|
||||
/* Not the operation we expected, pass it on... */
|
||||
if ( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) ) {
|
||||
return SLAP_CB_CONTINUE;
|
||||
}
|
||||
|
||||
op->o_bd->bd_info = (BackendInfo *)on->on_info;
|
||||
rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
|
||||
if ( rc != LDAP_SUCCESS ) return rc;
|
||||
|
||||
#ifdef DO_KRB5
|
||||
/* Kerberos stuff */
|
||||
do {
|
||||
krb5_error_code ret;
|
||||
hdb_entry ent;
|
||||
struct berval *keys;
|
||||
int kvno;
|
||||
|
||||
if ( !is_entry_objectclass(e, oc_krb5KDCEntry, 0 ) ) break;
|
||||
|
||||
a = attr_find( e->e_attrs, ad_krb5PrincipalName );
|
||||
if ( !a ) break;
|
||||
|
||||
memset( &ent, 0, sizeof(ent) );
|
||||
ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
|
||||
if ( ret ) break;
|
||||
|
||||
a = attr_find( e->e_attrs, ad_krb5KeyVersionNumber );
|
||||
if ( a ) {
|
||||
kvno = atoi(a->a_vals[0].bv_val);
|
||||
} else {
|
||||
/* shouldn't happen, this is a required attr */
|
||||
kvno = 0;
|
||||
}
|
||||
|
||||
ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val);
|
||||
hdb_seal_keys(context, db, &ent);
|
||||
krb5_free_principal( context, ent.principal );
|
||||
|
||||
keys = ch_malloc( (ent.keys.len + 1) * sizeof(struct berval));
|
||||
|
||||
for (i = 0; i < ent.keys.len; i++) {
|
||||
unsigned char *buf;
|
||||
size_t len;
|
||||
|
||||
ASN1_MALLOC_ENCODE(Key, buf, len, &ent.keys.val[i], &len, ret);
|
||||
if (ret != 0)
|
||||
break;
|
||||
|
||||
keys[i].bv_val = buf;
|
||||
keys[i].bv_len = len;
|
||||
}
|
||||
keys[i].bv_val = NULL;
|
||||
keys[i].bv_len = 0;
|
||||
|
||||
if ( i != ent.keys.len ) {
|
||||
ber_bvarray_free( keys );
|
||||
break;
|
||||
}
|
||||
|
||||
ml = ch_malloc(sizeof(Modifications));
|
||||
if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
|
||||
ml->sml_next = qpw->rs_mods;
|
||||
qpw->rs_mods = ml;
|
||||
|
||||
ml->sml_desc = ad_krb5Key;
|
||||
ml->sml_op = LDAP_MOD_REPLACE;
|
||||
ml->sml_values = keys;
|
||||
ml->sml_nvalues = NULL;
|
||||
|
||||
ml = ch_malloc(sizeof(Modifications));
|
||||
ml->sml_next = qpw->rs_mods;
|
||||
qpw->rs_mods = ml;
|
||||
|
||||
ml->sml_desc = ad_krb5KeyVersionNumber;
|
||||
ml->sml_op = LDAP_MOD_REPLACE;
|
||||
ml->sml_values = ch_malloc( 2 * sizeof(struct berval));
|
||||
ml->sml_values[0].bv_val = ch_malloc( 64 );
|
||||
ml->sml_values[0].bv_len = sprintf(ml->sml_values[0].bv_val,
|
||||
"%d", kvno+1 );
|
||||
ml->sml_values[1].bv_val = NULL;
|
||||
ml->sml_values[1].bv_len = 0;
|
||||
ml->sml_nvalues = NULL;
|
||||
} while(0);
|
||||
#endif /* DO_KRB5 */
|
||||
|
||||
#ifdef DO_SAMBA
|
||||
/* Samba stuff */
|
||||
if ( is_entry_objectclass(e, oc_sambaSamAccount, 0 ) ) {
|
||||
struct berval *keys;
|
||||
ber_len_t j,l;
|
||||
wchar_t *wcs, wc;
|
||||
char *c, *d;
|
||||
struct berval pwd;
|
||||
|
||||
/* Expand incoming UTF8 string to UCS4 */
|
||||
l = ldap_utf8_chars(qpw->rs_new.bv_val);
|
||||
wcs = ch_malloc((l+1) * sizeof(wchar_t));
|
||||
|
||||
ldap_x_utf8s_to_wcs( wcs, qpw->rs_new.bv_val, l );
|
||||
|
||||
/* Truncate UCS4 to UCS2 */
|
||||
c = (char *)wcs;
|
||||
for (j=0; j<l; j++) {
|
||||
wc = wcs[j];
|
||||
*c++ = wc & 0xff;
|
||||
*c++ = (wc >> 8) & 0xff;
|
||||
}
|
||||
*c++ = 0;
|
||||
pwd.bv_val = (char *)wcs;
|
||||
pwd.bv_len = l * 2;
|
||||
|
||||
ml = ch_malloc(sizeof(Modifications));
|
||||
if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
|
||||
ml->sml_next = qpw->rs_mods;
|
||||
qpw->rs_mods = ml;
|
||||
|
||||
keys = ch_malloc( 2 * sizeof(struct berval) );
|
||||
keys[1].bv_val = NULL;
|
||||
keys[1].bv_len = 0;
|
||||
nthash( &pwd, keys );
|
||||
|
||||
ml->sml_desc = ad_sambaNTPassword;
|
||||
ml->sml_op = LDAP_MOD_REPLACE;
|
||||
ml->sml_values = keys;
|
||||
ml->sml_nvalues = NULL;
|
||||
|
||||
/* Truncate UCS2 to 8-bit ASCII */
|
||||
c = pwd.bv_val+1;
|
||||
d = pwd.bv_val+2;
|
||||
for (j=1; j<l; j++) {
|
||||
*c++ = *d++;
|
||||
d++;
|
||||
}
|
||||
|
||||
ml = ch_malloc(sizeof(Modifications));
|
||||
ml->sml_next = qpw->rs_mods;
|
||||
qpw->rs_mods = ml;
|
||||
|
||||
keys = ch_malloc( 2 * sizeof(struct berval) );
|
||||
keys[1].bv_val = NULL;
|
||||
keys[1].bv_len = 0;
|
||||
lmhash( &pwd, keys );
|
||||
|
||||
ml->sml_desc = ad_sambaLMPassword;
|
||||
ml->sml_op = LDAP_MOD_REPLACE;
|
||||
ml->sml_values = keys;
|
||||
ml->sml_nvalues = NULL;
|
||||
|
||||
ch_free(wcs);
|
||||
|
||||
ml = ch_malloc(sizeof(Modifications));
|
||||
ml->sml_next = qpw->rs_mods;
|
||||
qpw->rs_mods = ml;
|
||||
|
||||
keys = ch_malloc( 2 * sizeof(struct berval) );
|
||||
keys[1].bv_val = NULL;
|
||||
keys[1].bv_len = 0;
|
||||
keys[0].bv_val = ch_malloc(16);
|
||||
keys[0].bv_len = sprintf(keys[0].bv_val, "%d",
|
||||
slap_get_time());
|
||||
|
||||
ml->sml_desc = ad_sambaPwdLastSet;
|
||||
ml->sml_op = LDAP_MOD_REPLACE;
|
||||
ml->sml_values = keys;
|
||||
ml->sml_nvalues = NULL;
|
||||
}
|
||||
#endif /* DO_SAMBA */
|
||||
be_entry_release_r( op, e );
|
||||
|
||||
return SLAP_CB_CONTINUE;
|
||||
}
|
||||
|
||||
static slap_overinst smbk5pwd;
|
||||
|
||||
int smbk5pwd_init() {
|
||||
int rc;
|
||||
const char *text;
|
||||
|
||||
#ifdef DO_KRB5
|
||||
krb5_error_code ret;
|
||||
extern HDB * _kadm5_s_get_db(void *);
|
||||
|
||||
/* Make sure all of our necessary schema items are loaded */
|
||||
oc_krb5KDCEntry = oc_find("krb5KDCEntry");
|
||||
if ( !oc_krb5KDCEntry ) return -1;
|
||||
|
||||
rc = slap_str2ad( "krb5Key", &ad_krb5Key, &text );
|
||||
if ( rc ) return rc;
|
||||
rc = slap_str2ad( "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber, &text );
|
||||
if ( rc ) return rc;
|
||||
rc = slap_str2ad( "krb5PrincipalName", &ad_krb5PrincipalName, &text );
|
||||
if ( rc ) return rc;
|
||||
|
||||
/* Initialize Kerberos context */
|
||||
ret = krb5_init_context(&context);
|
||||
if (ret) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
ret = kadm5_s_init_with_password_ctx( context,
|
||||
KADM5_ADMIN_SERVICE,
|
||||
NULL,
|
||||
KADM5_ADMIN_SERVICE,
|
||||
&conf, 0, 0, &kadm_context );
|
||||
|
||||
db = _kadm5_s_get_db(kadm_context);
|
||||
#endif /* DO_KRB5 */
|
||||
|
||||
#ifdef DO_SAMBA
|
||||
oc_sambaSamAccount = oc_find("sambaSamAccount");
|
||||
if ( !oc_sambaSamAccount ) return -1;
|
||||
|
||||
rc = slap_str2ad( "sambaLMPassword", &ad_sambaLMPassword, &text );
|
||||
if ( rc ) return rc;
|
||||
rc = slap_str2ad( "sambaNTPassword", &ad_sambaNTPassword, &text );
|
||||
if ( rc ) return rc;
|
||||
rc = slap_str2ad( "sambaPwdLastSet", &ad_sambaPwdLastSet, &text );
|
||||
if ( rc ) return rc;
|
||||
#endif /* DO_SAMBA */
|
||||
|
||||
smbk5pwd.on_bi.bi_type = "smbk5pwd";
|
||||
smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd;
|
||||
|
||||
return overlay_register( &smbk5pwd );
|
||||
}
|
||||
|
||||
#if SLAPD_OVER_SMBK5PWD == SLAPD_MOD_DYNAMIC
|
||||
int init_module(int argc, char *argv[]) {
|
||||
return smbk5pwd_init();
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif /* defined(SLAPD_OVER_SMBK5PWD) */
|
Loading…
Reference in New Issue
Block a user