authorSumit Bose <sbose@redhat.com>2011-01-06 13:05:03 +0100
committerStephen Gallagher <sgallagh@redhat.com>2011-01-06 15:15:54 -0500
commit52b703a4c7cc43ae908300795569e27b64186ec8 (patch)
tree2320a1fb0841b0923f7efb388b9bc5b2e325add8
parentc5f66b8c471e472b3c6eecf87c93373ecf8d0890 (diff)
Convert obfuscated password once at startup
-rw-r--r--src/providers/ldap/ldap_common.c41
-rw-r--r--src/providers/ldap/sdap_async_connection.c14
2 files changed, 41 insertions, 14 deletions
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index f0db53f2..c98dd4ff 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -28,6 +28,7 @@
#include "providers/krb5/krb5_common.h"
#include "util/sss_krb5.h"
+#include "util/crypto/sss_crypto.h"
/* a fd the child process would log into */
int ldap_child_debug_fd = -1;
@@ -203,6 +204,9 @@ int ldap_get_options(TALLOC_CTX *memctx,
const char *ldap_deref;
int ldap_deref_val;
int o;
+ const char *authtok_type;
+ struct dp_opt_blob authtok_blob;
+ char *cleartext;
const int search_base_options[] = { SDAP_USER_SEARCH_BASE,
SDAP_GROUP_SEARCH_BASE,
SDAP_NETGROUP_SEARCH_BASE,
@@ -391,6 +395,43 @@ int ldap_get_options(TALLOC_CTX *memctx,
goto done;
}
+ authtok_type = dp_opt_get_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE);
+ if (authtok_type != NULL &&
+ strcasecmp(authtok_type,"obfuscated_password") == 0) {
+ DEBUG(9, ("Found obfuscated password, "
+ "trying to convert to cleartext.\n"));
+
+ authtok_blob = dp_opt_get_blob(opts->basic, SDAP_DEFAULT_AUTHTOK);
+ if (authtok_blob.data == NULL || authtok_blob.length == 0) {
+ DEBUG(1, ("Missing obfuscated password string.\n"));
+ return EINVAL;
+ }
+
+ ret = sss_password_decrypt(memctx, (char *) authtok_blob.data,
+ &cleartext);
+ if (ret != EOK) {
+ DEBUG(1, ("Cannot convert the obfuscated "
+ "password back to cleartext\n"));
+ return ret;
+ }
+
+ authtok_blob.data = (uint8_t *) cleartext;
+ authtok_blob.length = strlen(cleartext);
+ ret = dp_opt_set_blob(opts->basic, SDAP_DEFAULT_AUTHTOK, authtok_blob);
+ talloc_free(cleartext);
+ if (ret != EOK) {
+ DEBUG(1, ("dp_opt_set_string failed.\n"));
+ return ret;
+ }
+
+ ret = dp_opt_set_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE,
+ "password");
+ if (ret != EOK) {
+ DEBUG(1, ("dp_opt_set_string failed.\n"));
+ return ret;
+ }
+ }
+
ret = EOK;
*_opts = opts;
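Review bot: The new error paths return directly (`return EINVAL;`, `return ret;`) where the rest of ldap_get_options uses `goto done`, as the `goto done;` at the top of this hunk shows; if the `done:` label releases `opts` on failure — it lies outside the hunk, as does the rest of the function — these returns leave `opts` allocated on memctx, so `ret = EINVAL; goto done;` would keep the function's single cleanup path. The message logged after `dp_opt_set_blob` fails reads `"dp_opt_set_string failed.\n"` and should name the call that actually failed: `DEBUG(1, ("dp_opt_set_blob failed.\n"));`. The decrypted password in `cleartext` is handed to `talloc_free` without being wiped first, so it remains in freed heap memory; clearing it with a memset-style call that the compiler cannot elide before the free limits how long the secret lingers. This also assumes `dp_opt_set_blob` copies the blob data rather than storing the pointer — worth confirming, since otherwise the option would reference freed memory after the `talloc_free(cleartext)`.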
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 986a56c9..ff8fb0d8 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -24,7 +24,6 @@
#include "util/util.h"
#include "util/sss_krb5.h"
#include "providers/ldap/sdap_async_private.h"
-#include "util/crypto/sss_crypto.h"
#define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
@@ -970,25 +969,12 @@ static int sdap_auth_get_authtok(TALLOC_CTX *mem_ctx,
struct dp_opt_blob authtok,
struct berval *pw)
{
- char *cleartext;
- int ret;
-
if (!authtok_type) return EOK;
if (!pw) return EINVAL;
if (strcasecmp(authtok_type,"password") == 0) {
pw->bv_len = authtok.length;
pw->bv_val = (char *) authtok.data;
- } else if (strcasecmp(authtok_type,"obfuscated_password") == 0) {
- ret = sss_password_decrypt(mem_ctx, (char *) authtok.data, &cleartext);
- if (ret != EOK) {
- DEBUG(1, ("Cannot convert the obfuscated "
- "password back to cleartext\n"));
- return ret;
- }
-
- pw->bv_len = strlen(cleartext);
- pw->bv_val = (char *) cleartext;
} else {
DEBUG(1, ("Authentication token type [%s] is not supported\n",
authtok_type));