IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-26 16:16:31 -06:00
Code Issues Packages Projects Releases Wiki Activity

Improve logging facilities

Browse Source 
Provide simplified logging macros that appropriately use __func__ __FILE__,
__LINE__, or the plugin name depending on the log level.
This commit is contained in:
Simo Sorce 2010-10-06 17:22:43 -04:00
parent ec33e38e9a
commit 016f889a51
5 changed files with 227 additions and 357 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

137
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
View File

@ -183,9 +183,8 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
{
if (ber_scanf(ber, "a", &dn) == LBER_ERROR) {
slapi_ch_free_string(&dn);
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"ber_scanf failed\n");
errMesg = "ber_scanf failed at userID parse.\n";
LOG_FATAL("%s", errMesg);
rc = LDAP_PROTOCOL_ERROR;
goto free_and_return;
}
@ -197,9 +196,8 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
if (tag == LDAP_EXTOP_PASSMOD_TAG_OLDPWD )
{
if (ber_scanf(ber, "a", &oldPasswd) == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"ber_scanf failed\n");
errMesg = "ber_scanf failed at oldPasswd parse.\n";
LOG_FATAL("%s", errMesg);
rc = LDAP_PROTOCOL_ERROR;
goto free_and_return;
}
@ -210,9 +208,8 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
if (tag == LDAP_EXTOP_PASSMOD_TAG_NEWPWD )
{
if (ber_scanf(ber, "a", &newPasswd) == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"ber_scanf failed\n");
errMesg = "ber_scanf failed at newPasswd parse.\n";
LOG_FATAL("%s", errMesg);
rc = LDAP_PROTOCOL_ERROR;
goto free_and_return;
}
@ -262,8 +259,8 @@ parse_req_done:
if (dn == NULL || *dn == '\0') {
/* Get the DN from the bind identity on this connection */
dn = slapi_ch_strdup(bindDN);
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
"Missing userIdentity in request, using the bind DN instead.\n");
LOG_TRACE("Missing userIdentity in request, "
"using the bind DN instead.\n");
}
slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn );
@ -325,8 +322,7 @@ parse_req_done:
/* If user is authenticated, they already gave their password
* during the bind operation (or used sasl or client cert auth
* or OS creds) */
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
"oldPasswd provided, but we will ignore it");
LOG_TRACE("oldPasswd provided, but we will ignore it");
}
memset(&pwdata, 0, sizeof(pwdata));
@ -385,7 +381,7 @@ parse_req_done:
goto free_and_return;
}
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "<= ipapwd_extop: %d\n", rc);
LOG_TRACE("<= result: %d\n", rc);
/* Free anything that we allocated above */
free_and_return:
@ -402,7 +398,7 @@ free_and_return:
if (targetEntry) slapi_entry_free(targetEntry);
if (ber) ber_free(ber, 1);
slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", errMesg ? errMesg : "success");
LOG(errMesg ? errMesg : "success");
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
@ -448,16 +444,14 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
svals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *));
if (!svals) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"memory allocation failed\n");
LOG_OOM();
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
krberr = krb5_init_context(&krbctx);
if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"krb5_init_context failed\n");
LOG_FATAL("krb5_init_context failed\n");
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
@ -513,8 +507,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* ber parse code */
rtag = ber_scanf(ber, "{a{", &serviceName);
if (rtag == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"ber_scanf failed\n");
LOG_FATAL("ber_scanf failed\n");
errMesg = "Invalid payload, failed to decode.\n";
rc = LDAP_PROTOCOL_ERROR;
goto free_and_return;
@ -524,8 +517,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
krberr = krb5_parse_name(krbctx, serviceName, &krbname);
if (krberr) {
slapi_ch_free_string(&serviceName);
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"krb5_parse_name failed\n");
LOG_FATAL("krb5_parse_name failed\n");
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
} else {
@ -535,8 +527,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
krberr = krb5_unparse_name(krbctx, krbname, &canonname);
if (krberr) {
slapi_ch_free_string(&serviceName);
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"krb5_unparse_name failed\n");
LOG_FATAL("krb5_unparse_name failed\n");
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
@ -552,8 +543,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
slapi_sdn_free(&sdn);
bsdn = slapi_be_getsuffix(be, 0);
if (bsdn == NULL) {
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
"Search for Base DN failed\n");
LOG_TRACE("Search for Base DN failed\n");
errMesg = "PrincipalName not found.\n";
rc = LDAP_NO_SUCH_OBJECT;
goto free_and_return;
@ -576,9 +566,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
ret = slapi_search_internal_pb(pbte);
slapi_pblock_get(pbte, SLAPI_PLUGIN_INTOP_RESULT, &res);
if (ret == -1 || res != LDAP_SUCCESS) {
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
"Search for Principal failed, err (%d)\n",
res?res:ret);
LOG_TRACE("Search for Principal failed, err (%d)\n",
res ? res : ret);
errMesg = "PrincipalName not found.\n";
rc = LDAP_NO_SUCH_OBJECT;
goto free_and_return;
@ -587,7 +576,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* get entries */
slapi_pblock_get(pbte, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &es);
if (!es) {
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "No entries ?!");
LOG_TRACE("No entries ?!");
errMesg = "PrincipalName not found.\n";
rc = LDAP_NO_SUCH_OBJECT;
goto free_and_return;
@ -598,8 +587,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* if there is none or more than one, freak out */
if (i != 1) {
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
"Too many entries, or entry no found (%d)", i);
LOG_TRACE("Too many entries, or entry no found (%d)", i);
errMesg = "PrincipalName not found.\n";
rc = LDAP_NO_SUCH_OBJECT;
goto free_and_return;
@ -643,7 +631,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
kset = malloc(sizeof(struct ipapwd_keyset));
if (!kset) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "malloc failed!\n");
LOG_OOM();
goto free_and_return;
}
@ -673,14 +661,14 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
newset = realloc(kset->keys, sizeof(struct ipapwd_krbkey) * (i + 1));
if (!newset) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "malloc failed!\n");
LOG_OOM();
goto free_and_return;
}
kset->keys = newset;
} else {
kset->keys = malloc(sizeof(struct ipapwd_krbkey));
if (!kset->keys) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "malloc failed!\n");
LOG_OOM();
goto free_and_return;
}
}
@ -694,7 +682,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* EncryptionKey */
rtag = ber_scanf(ber, "{t[{t[i]t[o]}]", &ttmp, &ttmp, &tint, &ttmp, &tval);
if (rtag == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed\n");
LOG_FATAL("ber_scanf failed\n");
errMesg = "Invalid payload, failed to decode.\n";
rc = LDAP_PROTOCOL_ERROR;
goto free_and_return;
@ -702,7 +690,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
kset->keys[i].ekey = calloc(1, sizeof(struct ipapwd_krbkeydata));
if (!kset->keys[i].ekey) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "malloc failed!\n");
LOG_OOM();
goto free_and_return;
}
@ -714,14 +702,14 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
krberr = krb5_c_encrypt_length(krbctx, krbcfg->kmkey->enctype, plain.length, &klen);
if (krberr) {
free(tval.bv_val);
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "krb encryption failed!\n");
LOG_FATAL("krb encryption failed!\n");
goto free_and_return;
}
kdata = malloc(2 + klen);
if (!kdata) {
free(tval.bv_val);
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "malloc failed!\n");
LOG_OOM();
goto free_and_return;
}
encode_int16(plain.length, kdata);
@ -735,7 +723,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
krberr = krb5_c_encrypt(krbctx, krbcfg->kmkey, 0, 0, &plain, &cipher);
if (krberr) {
free(tval.bv_val);
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "krb encryption failed!\n");
LOG_FATAL("krb encryption failed!\n");
goto free_and_return;
}
@ -748,7 +736,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
rtag = ber_scanf(ber, "t[{t[i]", &ttmp, &ttmp, &tint);
if (rtag == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed\n");
LOG_FATAL("ber_scanf failed\n");
errMesg = "Invalid payload, failed to decode.\n";
rc = LDAP_PROTOCOL_ERROR;
goto free_and_return;
@ -756,7 +744,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
kset->keys[i].salt = calloc(1, sizeof(struct ipapwd_krbkeydata));
if (!kset->keys[i].salt) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "malloc failed!\n");
LOG_OOM();
goto free_and_return;
}
@ -767,7 +755,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
rtag = ber_scanf(ber, "t[o]}]", &ttmp, &tval);
if (rtag == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed\n");
LOG_FATAL("ber_scanf failed\n");
errMesg = "Invalid payload, failed to decode.\n";
rc = LDAP_PROTOCOL_ERROR;
goto free_and_return;
@ -786,7 +774,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
rtag = ber_scanf(ber, "}", &ttmp);
}
if (rtag == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed\n");
LOG_FATAL("ber_scanf failed\n");
errMesg = "Invalid payload, failed to decode.\n";
rc = LDAP_PROTOCOL_ERROR;
goto free_and_return;
@ -801,15 +789,13 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* filter un-supported encodings */
ret = filter_keys(krbcfg, kset);
if (ret) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"keyset filtering failed\n");
LOG_FATAL("keyset filtering failed\n");
goto free_and_return;
}
/* check if we have any left */
if (kset->num_keys == 0) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"keyset filtering rejected all proposed keys\n");
LOG_FATAL("keyset filtering rejected all proposed keys\n");
errMesg = "All enctypes provided are unsupported";
rc = LDAP_UNWILLING_TO_PERFORM;
goto free_and_return;
@ -819,8 +805,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* change Last Password Change field with the current date */
if (!gmtime_r(&(time_now), &utctime)) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"failed to retrieve current date (buggy gmtime_r ?)\n");
LOG_FATAL("failed to retrieve current date (buggy gmtime_r ?)\n");
slapi_mods_free(&smods);
goto free_and_return;
}
@ -830,8 +815,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* FIXME: set Password Expiration date ? */
#if 0
if (!gmtime_r(&(data->expireTime), &utctime)) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"failed to convert expiration date\n");
LOG_FATAL("failed to convert expiration date\n");
slapi_ch_free_string(&randPasswd);
slapi_mods_free(&smods);
rc = LDAP_OPERATIONS_ERROR;
@ -843,16 +827,14 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
bval = encode_keys(kset);
if (!bval) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"encoding asn1 KrbSalt failed\n");
LOG_FATAL("encoding asn1 KrbSalt failed\n");
slapi_mods_free(&smods);
goto free_and_return;
}
svals[0] = slapi_value_new_berval(bval);
if (!svals[0]) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"Converting berval to Slapi_Value\n");
LOG_FATAL("Converting berval to Slapi_Value\n");
slapi_mods_free(&smods);
goto free_and_return;
}
@ -877,8 +859,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
}
if ((NULL != pw) && (NULL == krbLastPwdChange)) {
slapi_mods_add_mod_values(smods, LDAP_MOD_DELETE, "userPassword", NULL);
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
"Removing userPassword from host entry\n");
LOG_TRACE("Removing userPassword from host entry\n");
slapi_ch_free_string(&pw);
}
slapi_value_free(&objectclass);
@ -978,7 +959,7 @@ free_and_return:
if (rc == LDAP_SUCCESS)
errMesg = NULL;
slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", errMesg ? errMesg : "success");
LOG(errMesg ? errMesg : "success");
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
@ -991,7 +972,7 @@ static int ipapwd_extop(Slapi_PBlock *pb)
char *oid = NULL;
int rc, ret;
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "=> ipapwd_extop\n");
LOG_TRACE("=>\n");
rc = ipapwd_gen_checks(pb, &errMesg, &krbcfg, IPAPWD_CHECK_CONN_SECURE);
if (rc) {
@ -1005,11 +986,10 @@ static int ipapwd_extop(Slapi_PBlock *pb)
if (slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid) != 0) {
errMesg = "Could not get OID value from request.\n";
rc = LDAP_OPERATIONS_ERROR;
slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", errMesg);
LOG(errMesg);
goto free_and_return;
} else {
slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop",
"Received extended operation request with OID %s\n", oid);
LOG("Received extended operation request with OID %s\n", oid);
}
if (strcasecmp(oid, EXOP_PASSWD_OID) == 0) {
@ -1029,7 +1009,7 @@ static int ipapwd_extop(Slapi_PBlock *pb)
free_and_return:
if (krbcfg) free_ipapwd_krbcfg(&krbcfg);
slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", errMesg);
LOG(errMesg);
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
@ -1067,20 +1047,18 @@ static int ipapwd_start( Slapi_PBlock *pb )
krberr = krb5_init_context(&krbctx);
if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"krb5_init_context failed\n");
LOG_FATAL("krb5_init_context failed\n");
return LDAP_OPERATIONS_ERROR;
}
if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &config_dn) != 0) {
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", "No config DN?\n");
LOG_FATAL("No config DN?\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
if (ipapwd_getEntry(config_dn, &config_entry, NULL) != LDAP_SUCCESS) {
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"No config Entry?\n");
LOG_FATAL("No config Entry?\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
@ -1088,31 +1066,29 @@ static int ipapwd_start( Slapi_PBlock *pb )
ipa_realm_tree = slapi_entry_attr_get_charptr(config_entry,
"nsslapd-realmtree");
if (!ipa_realm_tree) {
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"Missing partition configuration entry "
"(nsslapd-realmTree)!\n");
LOG_FATAL("Missing partition configuration entry "
"(nsslapd-realmTree)!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
ret = krb5_get_default_realm(krbctx, &realm);
if (ret) {
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"Failed to get default realm?!\n");
LOG_FATAL("Failed to get default realm?!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
ipa_realm_dn = slapi_ch_smprintf("cn=%s,cn=kerberos,%s",
realm, ipa_realm_tree);
if (!ipa_realm_dn) {
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory ?\n");
LOG_OOM();
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
ipa_pwd_config_dn = slapi_ch_strdup(config_dn);
if (!ipa_pwd_config_dn) {
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory ?\n");
LOG_OOM();
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
@ -1120,7 +1096,7 @@ static int ipapwd_start( Slapi_PBlock *pb )
"kadmin/changepw@%s,%s",
realm, ipa_realm_dn);
if (!ipa_changepw_principal_dn) {
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory ?\n");
LOG_OOM();
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
@ -1128,7 +1104,7 @@ static int ipapwd_start( Slapi_PBlock *pb )
ipa_etc_config_dn = slapi_ch_smprintf("cn=ipaConfig,cn=etc,%s",
ipa_realm_tree);
if (!ipa_etc_config_dn) {
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory?\n");
LOG_OOM();
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
@ -1168,14 +1144,12 @@ int ipapwd_init( Slapi_PBlock *pb )
ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ipapwd_plugin_id);
if ((ret != 0) || (NULL == ipapwd_plugin_id)) {
slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_init",
"Could not get identity or identity was NULL\n");
LOG("Could not get identity or identity was NULL\n");
return -1;
}
if (ipapwd_ext_init() != 0) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Object Extension Operation failed\n");
LOG("Object Extension Operation failed\n");
return -1;
}
@ -1190,8 +1164,7 @@ int ipapwd_init( Slapi_PBlock *pb )
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_NAMELIST, ipapwd_name_list);
if (!ret) slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_FN, (void *)ipapwd_extop);
if (ret) {
slapi_log_error( SLAPI_LOG_PLUGIN, "ipapwd_init",
"Failed to set plug-in version, function, and OID.\n" );
LOG("Failed to set plug-in version, function, and OID.\n" );
return -1;
}

26
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
View File

@ -64,6 +64,32 @@
#define IPAPWD_FEATURE_DESC "IPA Password Manager"
#define IPAPWD_PLUGIN_DESC "IPA Password Extended Operation plugin"
#ifndef discard_const
#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
#endif
#define log_func discard_const(__func__)
#define LOG(fmt, ...) \
do { \
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME, \
fmt, ##__VA_ARGS__); \
} while (0)
#define LOG_FATAL(fmt, ...) \
do { \
slapi_log_error(SLAPI_LOG_PLUGIN, log_func, \
"[file %s, line %d]: " fmt, \
__FILE__, __LINE__, ##__VA_ARGS__); \
} while (0)
#define LOG_TRACE(fmt, ...) \
do { \
slapi_log_error(SLAPI_LOG_PLUGIN, log_func, fmt, ##__VA_ARGS__); \
} while (0)
#define LOG_OOM() LOG_FATAL("Out of Memory!\n")
#define IPAPWD_CHECK_CONN_SECURE 0x00000001
#define IPAPWD_CHECK_DN 0x00000002

201
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
View File

@ -77,8 +77,7 @@ static int new_ipapwd_encsalt(krb5_context krbctx,
for (i = 0; encsalts[i]; i++) /* count */ ;
es = calloc(i + 1, sizeof(struct ipapwd_encsalt));
if (!es) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"Out of memory!\n");
LOG_OOM();
return LDAP_OPERATIONS_ERROR;
}
@ -92,14 +91,12 @@ static int new_ipapwd_encsalt(krb5_context krbctx,
enc = strdup(encsalts[i]);
if (!enc) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Allocation error\n");
LOG_OOM();
return LDAP_OPERATIONS_ERROR;
}
salt = strchr(enc, ':');
if (!salt) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Invalid krb5 enc string\n");
LOG_FATAL("Invalid krb5 enc string\n");
free(enc);
continue;
}
@ -108,8 +105,7 @@ static int new_ipapwd_encsalt(krb5_context krbctx,
krberr = krb5_string_to_enctype(enc, &tmpenc);
if (krberr) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Invalid krb5 enctype\n");
LOG_FATAL("Invalid krb5 enctype\n");
free(enc);
continue;
}
@ -159,34 +155,32 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
config = calloc(1, sizeof(struct ipapwd_krbcfg));
if (!config) {
slapi_log_error(SLAPI_LOG_FATAL, __func__, "Out of memory!\n");
LOG_OOM();
goto free_and_error;
}
kmkey = calloc(1, sizeof(krb5_keyblock));
if (!kmkey) {
slapi_log_error(SLAPI_LOG_FATAL, __func__, "Out of memory!\n");
LOG_OOM();
goto free_and_error;
}
config->kmkey = kmkey;
krberr = krb5_init_context(&config->krbctx);
if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, __func__,
"krb5_init_context failed\n");
LOG_FATAL("krb5_init_context failed\n");
goto free_and_error;
}
ret = krb5_get_default_realm(config->krbctx, &config->realm);
if (ret) {
slapi_log_error(SLAPI_LOG_FATAL, __func__,
"Failed to get default realm?!\n");
LOG_FATAL("Failed to get default realm?!\n");
goto free_and_error;
}
/* get the Realm Container entry */
ret = ipapwd_getEntry(ipa_realm_dn, &realm_entry, NULL);
if (ret != LDAP_SUCCESS) {
slapi_log_error(SLAPI_LOG_FATAL, __func__, "No realm Entry?\n");
LOG_FATAL("No realm Entry?\n");
goto free_and_error;
}
@ -194,34 +188,32 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
ret = slapi_entry_attr_find(realm_entry, "krbMKey", &a);
if (ret == -1) {
slapi_log_error(SLAPI_LOG_FATAL, __func__, "No master key??\n");
LOG_FATAL("No master key??\n");
goto free_and_error;
}
/* there should be only one value here */
ret = slapi_attr_first_value(a, &v);
if (ret == -1) {
slapi_log_error(SLAPI_LOG_FATAL, __func__, "No master key??\n");
LOG_FATAL("No master key??\n");
goto free_and_error;
}
bval = slapi_value_get_berval(v);
if (!bval) {
slapi_log_error(SLAPI_LOG_FATAL, __func__,
"Error retrieving master key berval\n");
LOG_FATAL("Error retrieving master key berval\n");
goto free_and_error;
}
be = ber_init(bval);
if (!bval) {
slapi_log_error(SLAPI_LOG_FATAL, __func__, "ber_init() failed!\n");
LOG_FATAL("ber_init() failed!\n");
goto free_and_error;
}
tag = ber_scanf(be, "{i{iO}}", &tmp, &ttype, &mkey);
if (tag == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_TRACE, __func__,
"Bad Master key encoding ?!\n");
LOG_FATAL("Bad Master key encoding ?!\n");
goto free_and_error;
}
@ -230,7 +222,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
kmkey->length = mkey->bv_len;
kmkey->contents = malloc(mkey->bv_len);
if (!kmkey->contents) {
slapi_log_error(SLAPI_LOG_FATAL, __func__, "Out of memory!\n");
LOG_OOM();
goto free_and_error;
}
memcpy(kmkey->contents, mkey->bv_val, mkey->bv_len);
@ -250,16 +242,14 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
&config->num_supp_encsalts);
slapi_ch_array_free(encsalts);
} else {
slapi_log_error(SLAPI_LOG_TRACE, __func__,
"No configured salt types use defaults\n");
LOG("No configured salt types use defaults\n");
ret = new_ipapwd_encsalt(config->krbctx,
ipapwd_def_encsalts,
&config->supp_encsalts,
&config->num_supp_encsalts);
}
if (ret) {
slapi_log_error(SLAPI_LOG_FATAL, __func__,
"Can't get Supported EncSalt Types\n");
LOG_FATAL("Can't get Supported EncSalt Types\n");
goto free_and_error;
}
@ -274,16 +264,14 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
&config->num_pref_encsalts);
slapi_ch_array_free(encsalts);
} else {
slapi_log_error(SLAPI_LOG_TRACE, __func__,
"No configured salt types use defaults\n");
LOG("No configured salt types use defaults\n");
ret = new_ipapwd_encsalt(config->krbctx,
ipapwd_def_encsalts,
&config->pref_encsalts,
&config->num_pref_encsalts);
}
if (ret) {
slapi_log_error(SLAPI_LOG_FATAL, __func__,
"Can't get Preferred EncSalt Types\n");
LOG_FATAL("Can't get Preferred EncSalt Types\n");
goto free_and_error;
}
@ -292,8 +280,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
/* get the Realm Container entry */
ret = ipapwd_getEntry(ipa_pwd_config_dn, &config_entry, NULL);
if (ret != LDAP_SUCCESS) {
slapi_log_error(SLAPI_LOG_FATAL, __func__,
"No config Entry? Impossible!\n");
LOG_FATAL("No config Entry? Impossible!\n");
goto free_and_error;
}
config->passsync_mgrs =
@ -302,7 +289,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
tmpstr = slapi_ch_strdup("cn=Directory Manager");
slapi_ch_array_add(&config->passsync_mgrs, tmpstr);
if (config->passsync_mgrs == NULL) {
slapi_log_error(SLAPI_LOG_FATAL, __func__, "Out of memory!\n");
LOG_OOM();
goto free_and_error;
}
for (i = 0; config->passsync_mgrs[i]; i++) /* count */ ;
@ -315,7 +302,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
config->allow_nt_hash = false;
ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
if (ret != LDAP_SUCCESS) {
slapi_log_error(SLAPI_LOG_FATAL, __func__, "No config Entry?\n");
LOG_FATAL("No config Entry?\n");
} else {
tmparray = slapi_entry_attr_get_charray(config_entry,
"ipaConfigString");
@ -405,13 +392,11 @@ static int ipapwd_getPolicy(const char *dn,
Slapi_ValueSet* results = NULL;
char* actual_type_name = NULL;
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_getPolicy: Searching policy for [%s]\n", dn);
LOG_TRACE("Searching policy for [%s]\n", dn);
sdn = slapi_sdn_new_dn_byref(dn);
if (sdn == NULL) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_getPolicy: Out of memory on [%s]\n", dn);
LOG_OOM();
ret = -1;
goto done;
}
@ -424,15 +409,13 @@ static int ipapwd_getPolicy(const char *dn,
krbPwdPolicyReference = slapi_value_get_string(sv);
pdn = krbPwdPolicyReference;
scope = LDAP_SCOPE_BASE;
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_getPolicy: using policy reference: %s\n", pdn);
LOG_TRACE("using policy reference: %s\n", pdn);
} else {
/* Find ancestor base DN */
be = slapi_be_select(sdn);
psdn = slapi_be_getsuffix(be, 0);
if (psdn == NULL) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_getPolicy: Invalid DN [%s]\n", dn);
LOG_FATAL("Invalid DN [%s]\n", dn);
ret = -1;
goto done;
}
@ -456,9 +439,7 @@ static int ipapwd_getPolicy(const char *dn,
ret = slapi_search_internal_pb(pb);
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &res);
if (ret == -1 || res != LDAP_SUCCESS) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_getPolicy: Couldn't find policy, err (%d)\n",
res ? res : ret);
LOG_FATAL("Couldn't find policy, err (%d)\n", res ? res : ret);
ret = -1;
goto done;
}
@ -466,8 +447,7 @@ static int ipapwd_getPolicy(const char *dn,
/* get entries */
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &es);
if (!es) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_getPolicy: No entries ?!");
LOG_TRACE("No entries ?!");
ret = -1;
goto done;
}
@ -486,8 +466,7 @@ static int ipapwd_getPolicy(const char *dn,
/* count number of RDNs in DN */
edn = ldap_explode_dn(dn, 0);
if (!edn) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_getPolicy: ldap_explode_dn(dn) failed ?!");
LOG_TRACE("ldap_explode_dn(dn) failed ?!");
ret = -1;
goto done;
}
@ -636,24 +615,21 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
Slapi_DN *sdn;
char *dn = NULL;
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"=> ipapwd_gen_checks\n");
LOG_TRACE("=>\n");
#ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE
if (check_flags & IPAPWD_CHECK_CONN_SECURE) {
/* Allow password modify only for SSL/TLS established connections and
* connections using SASL privacy layers */
if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Could not get SASL SSF from connection\n");
LOG("Could not get SASL SSF from connection\n");
*errMesg = "Operation requires a secure connection.\n";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Could not get IS SSL from connection\n");
LOG("Could not get IS SSL from connection\n");
*errMesg = "Operation requires a secure connection.\n";
rc = LDAP_OPERATIONS_ERROR;
goto done;
@ -671,18 +647,15 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
/* check we have a valid DN in the pblock or just abort */
ret = slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
if (ret) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Tried to change password for an invalid DN "
"[%s]\n", dn ? dn : "<NULL>");
LOG("Tried to change password for an invalid DN [%s]\n",
dn ? dn : "<NULL>");
*errMesg = "Invalid DN";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
sdn = slapi_sdn_new_dn_byref(dn);
if (!sdn) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"Unable to convert dn to sdn %s",
dn ? dn : "<NULL>");
LOG_FATAL("Unable to convert dn to sdn %s", dn ? dn : "<NULL>");
*errMesg = "Internal Error";
rc = LDAP_OPERATIONS_ERROR;
goto done;
@ -701,8 +674,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
/* get the kerberos context and master key */
*config = ipapwd_getConfig();
if (NULL == *config) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Error Retrieving Master Key");
LOG_FATAL("Error Retrieving Master Key");
*errMesg = "Fatal Internal Error";
rc = LDAP_OPERATIONS_ERROR;
}
@ -749,8 +721,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
tm.tm_mon -= 1;
if (data->timeNow > timegm(&tm)) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"Account Expired");
LOG_TRACE("Account Expired");
return IPAPWD_POLICY_ERROR | LDAP_PWPOLICY_PWDMODNOTALLOWED;
}
}
@ -761,8 +732,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
/* find the entry with the password policy */
ret = ipapwd_getPolicy(data->dn, data->target, &policy);
if (ret) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"No password policy");
LOG_TRACE("No password policy");
goto no_policy;
}
@ -792,8 +762,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
cpw[0] = slapi_value_new_string(old_pw);
pw = slapi_value_new_string(data->password);
if (!pw) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"ipapwd_checkPassword: Out of Memory\n");
LOG_OOM();
slapi_entry_free(policy);
slapi_ch_free_string(&old_pw);
slapi_value_free(&cpw[0]);
@ -807,8 +776,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
slapi_value_free(&pw);
if (ret == 0) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_checkPassword: Password in history\n");
LOG_TRACE("Password in history\n");
slapi_entry_free(policy);
return IPAPWD_POLICY_ERROR | LDAP_PWPOLICY_PWDINHISTORY;
}
@ -835,8 +803,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
}
/* FIXME: *else* report an error ? */
} else {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"Warning: Last Password Change Time is not available\n");
LOG_TRACE("Warning: Last Password Change Time is not available\n");
}
/* Check min age */
@ -852,13 +819,10 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
* missing this happens only when a password is reset
* by an admin or the account is new or no expiration
* policy is set, PASS */
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_checkPolicy: Ignore krbMinPwdLife "
"Expiration, not enough info\n");
LOG_TRACE("Ignore krbMinPwdLife Expiration, not enough info\n");
} else if (data->timeNow < data->lastPwChange + krbMinPwdLife) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_checkPolicy: Too soon to change password\n");
LOG_TRACE("Too soon to change password\n");
slapi_entry_free(policy);
slapi_ch_free_string(&krbPasswordExpiration);
slapi_ch_free_string(&krbLastPwdChange);
@ -957,8 +921,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
if (max_repeated > 1) --num_categories;
if (num_categories < krbPwdMinDiffChars) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_checkPassword: Password not complex enough\n");
LOG_TRACE("Password not complex enough\n");
slapi_entry_free(policy);
return IPAPWD_POLICY_ERROR | LDAP_PWPOLICY_INVALIDPWDSYNTAX;
}
@ -980,8 +943,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
if (count > 0 && data->pwHistoryLen > 0) {
pH = calloc(count + 2, sizeof(Slapi_Value *));
if (!pH) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"ipapwd_checkPassword: Out of Memory\n");
LOG_OOM();
slapi_entry_free(policy);
return LDAP_OPERATIONS_ERROR;
}
@ -1013,8 +975,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
pw = slapi_value_new_string(data->password);
if (!pw) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"ipapwd_checkPassword: Out of Memory\n");
LOG_OOM();
slapi_entry_free(policy);
free(pH);
return LDAP_OPERATIONS_ERROR;
@ -1029,8 +990,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
free(pH);
if (ret == 0) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_checkPassword: Password in history\n");
LOG_TRACE("Password in history\n");
slapi_entry_free(policy);
return IPAPWD_POLICY_ERROR | LDAP_PWPOLICY_PWDINHISTORY;
}
@ -1051,9 +1011,8 @@ no_policy:
pwdCharLen = ldap_utf8characters(data->password);
if (pwdCharLen < krbPwdMinLength) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_checkPassword: Password too short "
"(%d < %d)\n", pwdCharLen, krbPwdMinLength);
LOG_TRACE("Password too short (%d < %d)\n",
pwdCharLen, krbPwdMinLength);
return IPAPWD_POLICY_ERROR | LDAP_PWPOLICY_PWDTOOSHORT;
}
@ -1073,21 +1032,17 @@ int ipapwd_getEntry(const char *dn, Slapi_Entry **e2, char **attrlist)
Slapi_DN *sdn;
int search_result = 0;
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"=> ipapwd_getEntry\n");
LOG_TRACE("=>\n");
sdn = slapi_sdn_new_dn_byref(dn);
search_result = slapi_search_internal_get_entry(sdn, attrlist, e2,
ipapwd_plugin_id);
if (search_result != LDAP_SUCCESS) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ipapwd_getEntry: No such entry-(%s), err (%d)\n",
dn, search_result);
LOG_TRACE("No such entry-(%s), err (%d)\n", dn, search_result);
}
slapi_sdn_free(&sdn);
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"<= ipapwd_getEntry: %d\n", search_result);
LOG_TRACE("<= result: %d\n", search_result);
return search_result;
}
@ -1117,21 +1072,18 @@ int ipapwd_get_cur_kvno(Slapi_Entry *target)
while (hint != -1) {
cbval = slapi_value_get_berval(sv);
if (!cbval) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"Error retrieving berval from Slapi_Value\n");
LOG_TRACE("Error retrieving berval from Slapi_Value\n");
goto next;
}
be = ber_init(cbval);
if (!be) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"ber_init() failed!\n");
LOG_TRACE("ber_init() failed!\n");
goto next;
}
tag = ber_scanf(be, "{xxt[i]", &tmp, &tkvno);
if (tag == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"Bad OLD key encoding ?!\n");
LOG_TRACE("Bad OLD key encoding ?!\n");
ber_free(be, 1);
goto next;
}
@ -1167,8 +1119,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
char *errMesg = NULL;
char *modtime = NULL;
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"=> ipapwd_SetPassword\n");
LOG_TRACE("=>\n");
sambaSamAccount = slapi_value_new_string("sambaSamAccount");
if (slapi_entry_attr_has_syntax_value(data->target,
@ -1193,8 +1144,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
/* change Last Password Change field with the current date */
if (!gmtime_r(&(data->timeNow), &utctime)) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"failed to retrieve current date (buggy gmtime_r ?)\n");
LOG_FATAL("failed to retrieve current date (buggy gmtime_r ?)\n");
ret = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
@ -1205,8 +1155,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
/* set Password Expiration date */
if (!gmtime_r(&(data->expireTime), &utctime)) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"failed to convert expiration date\n");
LOG_FATAL("failed to convert expiration date\n");
ret = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
@ -1236,8 +1185,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
modtime = slapi_ch_smprintf("%ld", (long)data->timeNow);
}
if (!modtime) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"failed to smprintf string!\n");
LOG_FATAL("failed to smprintf string!\n");
ret = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
@ -1265,8 +1213,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
/* commit changes */
ret = ipapwd_apply_mods(data->dn, smods);
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"<= ipapwd_SetPassword: %d\n", ret);
LOG_TRACE("<= result: %d\n", ret);
free_and_return:
if (lm) slapi_ch_free((void **)&lm);
@ -1296,16 +1243,14 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods,
}
if (!gmtime_r(&(data->timeNow), &utctime)) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"failed to retrieve current date (buggy gmtime_r ?)\n");
LOG_FATAL("failed to retrieve current date (buggy gmtime_r ?)\n");
return NULL;
}
strftime(timestr, GENERALIZED_TIME_LENGTH+1, "%Y%m%d%H%M%SZ", &utctime);
histr = slapi_ch_smprintf("%s%s", timestr, old_pw);
if (!histr) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"ipapwd_checkPassword: Out of Memory\n");
LOG_OOM();
return NULL;
}
@ -1324,8 +1269,7 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods,
if (count > 0 && data->pwHistoryLen > 0) {
pH = calloc(count + 2, sizeof(Slapi_Value *));
if (!pH) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"ipapwd_checkPassword: Out of Memory\n");
LOG_OOM();
free(histr);
return NULL;
}
@ -1363,8 +1307,7 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods,
for (i = 0; i < pc; i++) {
pH[i] = slapi_value_dup(pH[i]);
if (pH[i] == NULL) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"ipapwd_checkPassword: Out of Memory\n");
LOG_OOM();
while (i) {
i--;
slapi_value_free(&pH[i]);
@ -1380,8 +1323,7 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods,
if (pH == NULL) {
pH = calloc(2, sizeof(Slapi_Value *));
if (!pH) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"ipapwd_checkPassword: Out of Memory\n");
LOG_OOM();
free(histr);
return NULL;
}
@ -1404,8 +1346,7 @@ int ipapwd_apply_mods(const char *dn, Slapi_Mods *mods)
Slapi_PBlock *pb;
int ret;
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"=> ipapwd_apply_mods\n");
LOG_TRACE("=>\n");
if (!mods || (slapi_mods_get_num_mods(mods) == 0)) {
return -1;
@ -1421,19 +1362,15 @@ int ipapwd_apply_mods(const char *dn, Slapi_Mods *mods)
ret = slapi_modify_internal_pb(pb);
if (ret) {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"WARNING: modify error %d on entry '%s'\n", ret, dn);
LOG_TRACE("WARNING: modify error %d on entry '%s'\n", ret, dn);
} else {
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
if (ret != LDAP_SUCCESS){
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"WARNING: modify error %d on entry '%s'\n",
ret, dn);
LOG_TRACE("WARNING: modify error %d on entry '%s'\n", ret, dn);
} else {
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"<= ipapwd_apply_mods: Successful\n");
LOG_TRACE("<= Successful\n");
}
}

111
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
View File

@ -119,8 +119,7 @@ struct berval *encode_keys(struct ipapwd_keyset *kset)
be = ber_alloc_t(LBER_USE_DER);
if (!be) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"memory allocation failed\n");
LOG_OOM();
return NULL;
}
@ -135,8 +134,7 @@ struct berval *encode_keys(struct ipapwd_keyset *kset)
kset->mkvno,
(ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 4));
if (ret == -1) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"encoding asn1 vno info failed\n");
LOG_FATAL("encoding asn1 vno info failed\n");
goto done;
}
@ -144,8 +142,7 @@ struct berval *encode_keys(struct ipapwd_keyset *kset)
ret = ber_printf(be, "{");
if (ret == -1) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"encoding asn1 EncryptionKey failed\n");
LOG_FATAL("encoding asn1 EncryptionKey failed\n");
goto done;
}
@ -176,8 +173,7 @@ struct berval *encode_keys(struct ipapwd_keyset *kset)
kset->keys[i].ekey->value.bv_val,
kset->keys[i].ekey->value.bv_len);
if (ret == -1) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"encoding asn1 EncryptionKey failed\n");
LOG_FATAL("encoding asn1 EncryptionKey failed\n");
goto done;
}
@ -185,23 +181,20 @@ struct berval *encode_keys(struct ipapwd_keyset *kset)
ret = ber_printf(be, "}");
if (ret == -1) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"encoding asn1 EncryptionKey failed\n");
LOG_FATAL("encoding asn1 EncryptionKey failed\n");
goto done;
}
}
ret = ber_printf(be, "}]}");
if (ret == -1) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"encoding asn1 end of sequences failed\n");
LOG_FATAL("encoding asn1 end of sequences failed\n");
goto done;
}
ret = ber_flatten(be, &bval);
if (ret == -1) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"flattening asn1 failed\n");
LOG_FATAL("flattening asn1 failed\n");
goto done;
}
done:
@ -260,8 +253,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
svals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *));
if (!svals) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"memory allocation failed\n");
LOG_OOM();
return NULL;
}
@ -271,15 +263,14 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
"krbPrincipalName");
if (!krbPrincipalName) {
*errMesg = "no krbPrincipalName present in this entry\n";
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME, *errMesg);
LOG_FATAL("%s", *errMesg);
return NULL;
}
krberr = krb5_parse_name(krbctx, krbPrincipalName, &princ);
if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"krb5_parse_name failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
LOG_FATAL("krb5_parse_name failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
goto enc_error;
}
@ -298,8 +289,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
kset = malloc(sizeof(struct ipapwd_keyset));
if (!kset) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"malloc failed!\n");
LOG_OOM();
goto enc_error;
}
@ -315,8 +305,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
kset->num_keys = krbcfg->num_pref_encsalts;
kset->keys = calloc(kset->num_keys, sizeof(struct ipapwd_krbkey));
if (!kset->keys) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"malloc failed!\n");
LOG_OOM();
goto enc_error;
}
@ -337,15 +326,13 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
p = strchr(krbPrincipalName, '@');
if (!p) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"Invalid principal name, no realm found!\n");
LOG_FATAL("Invalid principal name, no realm found!\n");
goto enc_error;
}
p++;
salt.data = strdup(p);
if (!salt.data) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"memory allocation failed\n");
LOG_OOM();
goto enc_error;
}
salt.length = strlen(salt.data); /* final \0 omitted on purpose */
@ -355,9 +342,8 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
krberr = krb5_principal2salt_norealm(krbctx, princ, &salt);
if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"krb5_principal2salt failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
LOG_FATAL("krb5_principal2salt failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
goto enc_error;
}
break;
@ -373,24 +359,21 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
salt.length = KRB5P_SALT_SIZE;
salt.data = malloc(KRB5P_SALT_SIZE);
if (!salt.data) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"memory allocation failed\n");
LOG_OOM();
goto enc_error;
}
krberr = krb5_c_random_make_octets(krbctx, &salt);
if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"krb5_c_random_make_octets failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
goto enc_error;
}
} else {
#endif
krberr = krb5_principal2salt(krbctx, princ, &salt);
if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"krb5_principal2salt failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
LOG_FATAL("krb5_principal2salt failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
goto enc_error;
}
#if 0
@ -406,24 +389,21 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
p = strchr(krbPrincipalName, '@');
if (!p) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"Invalid principal name, no realm found!\n");
LOG_FATAL("Invalid principal name, no realm found!\n");
goto enc_error;
}
p++;
salt.data = strdup(p);
if (!salt.data) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"memory allocation failed\n");
LOG_OOM();
goto enc_error;
}
salt.length = SALT_TYPE_AFS_LENGTH; /* special value */
break;
default:
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"Invalid salt type [%d]\n",
krbcfg->pref_encsalts[i].salt_type);
LOG_FATAL("Invalid salt type [%d]\n",
krbcfg->pref_encsalts[i].salt_type);
goto enc_error;
}
@ -433,9 +413,8 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
krbcfg->pref_encsalts[i].enc_type,
&pwd, &salt, &key);
if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"krb5_c_string_to_key failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
LOG_FATAL("krb5_c_string_to_key failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
krb5_free_data_contents(krbctx, &salt);
goto enc_error;
}
@ -447,17 +426,15 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
krbcfg->kmkey->enctype,
key.length, &len);
if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"krb5_c_string_to_key failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
LOG_FATAL("krb5_c_string_to_key failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
krb5int_c_free_keyblock_contents(krbctx, &key);
krb5_free_data_contents(krbctx, &salt);
goto enc_error;
}
if ((ptr = (krb5_octet *) malloc(2 + len)) == NULL) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"memory allocation failed\n");
LOG_OOM();
krb5int_c_free_keyblock_contents(krbctx, &key);
krb5_free_data_contents(krbctx, &salt);
goto enc_error;
@ -473,9 +450,8 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
krberr = krb5_c_encrypt(krbctx, krbcfg->kmkey, 0, 0, &plain, &cipher);
if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"krb5_c_encrypt failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
LOG_FATAL("krb5_c_encrypt failed [%s]\n",
krb5_get_error_message(krbctx, krberr));
krb5int_c_free_keyblock_contents(krbctx, &key);
krb5_free_data_contents(krbctx, &salt);
free(ptr);
@ -485,8 +461,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
/* KrbSalt */
kset->keys[i].salt = malloc(sizeof(struct ipapwd_krbkeydata));
if (!kset->keys[i].salt) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"malloc failed!\n");
LOG_OOM();
krb5int_c_free_keyblock_contents(krbctx, &key);
free(ptr);
goto enc_error;
@ -502,8 +477,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
/* EncryptionKey */
kset->keys[i].ekey = malloc(sizeof(struct ipapwd_krbkeydata));
if (!kset->keys[i].ekey) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"malloc failed!\n");
LOG_OOM();
krb5int_c_free_keyblock_contents(krbctx, &key);
free(ptr);
goto enc_error;
@ -512,8 +486,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
kset->keys[i].ekey->value.bv_len = len+2;
kset->keys[i].ekey->value.bv_val = malloc(len+2);
if (!kset->keys[i].ekey->value.bv_val) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"malloc failed!\n");
LOG_OOM();
krb5int_c_free_keyblock_contents(krbctx, &key);
free(ptr);
goto enc_error;
@ -527,15 +500,13 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
bval = encode_keys(kset);
if (!bval) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"encoding asn1 KrbSalt failed\n");
LOG_FATAL("encoding asn1 KrbSalt failed\n");
goto enc_error;
}
svals[0] = slapi_value_new_berval(bval);
if (!svals[0]) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"Converting berval to Slapi_Value\n");
LOG_FATAL("Converting berval to Slapi_Value\n");
goto enc_error;
}
@ -760,8 +731,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
if (!*svals) {
/* errMesg should have been set in encrypt_encode_key() */
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"key encryption/encoding failed\n");
LOG_FATAL("key encryption/encoding failed\n");
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
@ -778,8 +748,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
&ntlm);
if (ret) {
*errMesg = "Failed to generate NT/LM hashes\n";
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
*errMesg);
LOG_FATAL("%s", *errMesg);
rc = LDAP_OPERATIONS_ERROR;
goto done;
}

109
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
View File

@ -121,15 +121,13 @@ static char *ipapwd_getIpaConfigAttr(const char *attr)
dn = slapi_ch_smprintf("cn=ipaconfig,cn=etc,%s", ipa_realm_tree);
if (!dn) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"Out of memory ?\n");
LOG_OOM();
goto done;
}
ret = ipapwd_getEntry(dn, &entry, (char **) attrs_list);
if (ret) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"failed to retrieve config entry: %s\n", dn);
LOG("failed to retrieve config entry: %s\n", dn);
goto done;
}
@ -166,12 +164,11 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
int ret;
int rc = LDAP_SUCCESS;
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME, "=> ipapwd_pre_add\n");
LOG_TRACE("=>\n");
ret = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_repl_op);
if (ret != 0) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"slapi_pblock_get failed!?\n");
LOG_FATAL("slapi_pblock_get failed!?\n");
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
@ -198,8 +195,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
if (0 == strncasecmp(userpw, "{CLEAR}", strlen("{CLEAR}"))) {
char *tmp = slapi_ch_strdup(&userpw[strlen("{CLEAR}")]);
if (NULL == tmp) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"Strdup failed, Out of memory\n");
LOG_OOM();
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
@ -228,15 +224,12 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
* generate kerberos keys */
char *enabled = ipapwd_getIpaConfigAttr("ipamigrationenabled");
if (NULL == enabled) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"no ipaMigrationEnabled in config;"
" assuming FALSE\n");
LOG("no ipaMigrationEnabled in config, assuming FALSE\n");
} else if (0 == strcmp(enabled, "TRUE")) {
return 0;
}
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"pre-hashed passwords are not valid\n");
LOG("pre-hashed passwords are not valid\n");
errMesg = "pre-hashed passwords are not valid\n";
goto done;
}
@ -265,8 +258,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
/* time to get the operation handler */
ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op);
if (ret != 0) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"slapi_pblock_get failed!?\n");
LOG_FATAL("slapi_pblock_get failed!?\n");
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
@ -331,8 +323,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
/* add/replace values in existing entry */
ret = slapi_entry_attr_replace_sv(e, "krbPrincipalKey", svals);
if (ret) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"failed to set encoded values in entry\n");
LOG_FATAL("failed to set encoded values in entry\n");
rc = LDAP_OPERATIONS_ERROR;
ipapwd_free_slapi_value_array(&svals);
goto done;
@ -406,12 +397,11 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
int is_repl_op, is_pwd_op, is_root, is_krb, is_smb;
int ret, rc;
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME, "=> ipapwd_pre_mod\n");
LOG_TRACE( "=>\n");
ret = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_repl_op);
if (ret != 0) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"slapi_pblock_get failed!?\n");
LOG_FATAL("slapi_pblock_get failed!?\n");
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
@ -511,8 +501,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
ret = slapi_search_internal_get_entry(tmp_dn, 0, &e, ipapwd_plugin_id);
slapi_sdn_free(&tmp_dn);
if (ret != LDAP_SUCCESS) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Failed tpo retrieve entry?!?\n");
LOG("Failed to retrieve entry?!\n");
rc = LDAP_NO_SUCH_OBJECT;
goto done;
}
@ -636,8 +625,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
if (0 == strncasecmp(userpw, "{CLEAR}", strlen("{CLEAR}"))) {
unhashedpw = slapi_ch_strdup(&userpw[strlen("{CLEAR}")]);
if (NULL == unhashedpw) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"Strdup failed, Out of memory\n");
LOG_OOM();
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
@ -645,8 +633,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
} else if (slapi_is_encoded(userpw)) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Pre-Encoded passwords are not valid\n");
LOG("Pre-Encoded passwords are not valid\n");
errMesg = "Pre-Encoded passwords are not valid\n";
rc = LDAP_CONSTRAINT_VIOLATION;
goto done;
@ -657,8 +644,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
/* time to get the operation handler */
ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op);
if (ret != 0) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"slapi_pblock_get failed!?\n");
LOG_FATAL("slapi_pblock_get failed!?\n");
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
@ -798,22 +784,19 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
char timestr[GENERALIZED_TIME_LENGTH+1];
int ret;
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"=> ipapwd_post_op\n");
LOG_TRACE("=>\n");
/* time to get the operation handler */
ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op);
if (ret != 0) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"slapi_pblock_get failed!?\n");
LOG_FATAL("slapi_pblock_get failed!?\n");
return 0;
}
pwdop = slapi_get_object_extension(ipapwd_op_ext_list.object_type,
op, ipapwd_op_ext_list.handle);
if (NULL == pwdop) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Internal error, couldn't find pluginextension ?!\n");
LOG_FATAL("Internal error, couldn't find pluginextension ?!\n");
return 0;
}
@ -822,8 +805,7 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
return 0;
if ( ! (pwdop->is_krb)) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Not a kerberos user, ignore krb attributes\n");
LOG("Not a kerberos user, ignore krb attributes\n");
return 0;
}
@ -832,8 +814,7 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
/* change Last Password Change field with the current date */
if (!gmtime_r(&(pwdop->pwdata.timeNow), &utctime)) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"failed to parse current date (buggy gmtime_r ?)\n");
LOG_FATAL("failed to parse current date (buggy gmtime_r ?)\n");
goto done;
}
strftime(timestr, GENERALIZED_TIME_LENGTH+1,
@ -843,8 +824,7 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
/* set Password Expiration date */
if (!gmtime_r(&(pwdop->pwdata.expireTime), &utctime)) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"failed to parse expiration date (buggy gmtime_r ?)\n");
LOG_FATAL("failed to parse expiration date (buggy gmtime_r ?)\n");
goto done;
}
strftime(timestr, GENERALIZED_TIME_LENGTH+1,
@ -862,8 +842,7 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
ipapwd_plugin_id);
slapi_sdn_free(&tmp_dn);
if (ret != LDAP_SUCCESS) {
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Failed tpo retrieve entry?!?\n");
LOG("Failed to retrieve entry?!\n");
goto done;
}
}
@ -876,8 +855,7 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
ret = ipapwd_apply_mods(pwdop->pwdata.dn, smods);
if (ret)
slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
"Failed to set additional password attributes in the post-op!\n");
LOG("Failed to set additional password attributes in the post-op!\n");
done:
if (pwdop && pwdop->pwdata.target) slapi_entry_free(pwdop->pwdata.target);
@ -909,16 +887,14 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
int method; /* authentication method */
int ret = 0;
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"=> ipapwd_pre_bind\n");
LOG_TRACE("=>\n");
/* get BIND parameters */
ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET, &dn);
ret |= slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method);
ret |= slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, &credentials);
if (ret) {
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_pre_bind",
"slapi_pblock_get failed!?\n");
LOG_FATAL("slapi_pblock_get failed!?\n");
goto done;
}
@ -935,16 +911,14 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
/* retrieve user entry */
ret = ipapwd_getEntry(dn, &entry, (char **) attrs_list);
if (ret) {
slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_pre_bind",
"failed to retrieve user entry: %s\n", dn);
LOG("failed to retrieve user entry: %s\n", dn);
goto done;
}
/* check the krbPrincipalName attribute is present */
ret = slapi_entry_attr_find(entry, "krbprincipalname", &attr);
if (ret) {
slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_pre_bind",
"no krbPrincipalName in user entry: %s\n", dn);
LOG("no krbPrincipalName in user entry: %s\n", dn);
goto done;
}
@ -959,16 +933,14 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
/* check the krbPrincipalKey attribute is NOT present */
ret = slapi_entry_attr_find(entry, "krbprincipalkey", &attr);
if (!ret) {
slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_pre_bind",
"kerberos key already present in user entry: %s\n", dn);
LOG("kerberos key already present in user entry: %s\n", dn);
goto done;
}
/* retrieve userPassword attribute */
ret = slapi_entry_attr_find(entry, SLAPI_USERPWD_ATTR, &attr);
if (ret) {
slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_pre_bind",
"no " SLAPI_USERPWD_ATTR " in user entry: %s\n", dn);
LOG("no " SLAPI_USERPWD_ATTR " in user entry: %s\n", dn);
goto done;
}
@ -978,8 +950,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
pwd_values = (Slapi_Value **) slapi_ch_malloc(ret);
if (!pwd_values) {
/* probably not required: should terminate the server anyway */
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"out of memory!?\n");
LOG_OOM();
goto done;
}
/* zero-fill the allocated memory; we need the array ending with NULL */
@ -1001,16 +972,14 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
slapi_value_free(&value);
if (ret) {
slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_pre_bind",
"invalid BIND password for user entry: %s\n", dn);
LOG("invalid BIND password for user entry: %s\n", dn);
goto done;
}
/* general checks */
ret = ipapwd_gen_checks(pb, &errMesg, &krbcfg, IPAPWD_CHECK_DN);
if (ret) {
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_pre_bind",
"ipapwd_gen_checks failed: %s", errMesg);
LOG_FATAL("Generic checks failed: %s", errMesg);
goto done;
}
@ -1020,8 +989,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
* and force a password change on next login */
ret = slapi_entry_attr_delete(entry, SLAPI_USERPWD_ATTR);
if (ret) {
slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_pre_bind",
"failed to delete " SLAPI_USERPWD_ATTR "\n");
LOG_FATAL("failed to delete " SLAPI_USERPWD_ATTR "\n");
goto done;
}
@ -1046,22 +1014,19 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
if (ret) {
/* Password fails to meet IPA password policy,
* force user to change his password next time he logs in. */
slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_pre_bind",
"password policy check failed on user entry: %s"
" (force password change on next login)\n", dn);
LOG("password policy check failed on user entry: %s"
" (force password change on next login)\n", dn);
pwdata.expireTime = time(NULL);
}
/* generate kerberos keys */
ret = ipapwd_SetPassword(krbcfg, &pwdata, 1);
if (ret) {
slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_pre_bind",
"failed to set kerberos key for user entry: %s\n", dn);
LOG("failed to set kerberos key for user entry: %s\n", dn);
goto done;
}
slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_pre_bind",
"kerberos key generated for user entry: %s\n", dn);
LOG("kerberos key generated for user entry: %s\n", dn);
done:
slapi_ch_free_string(&expire);