authorSimo Sorce <ssorce@redhat.com>2009-05-11 09:08:31 -0400
committerSimo Sorce <ssorce@redhat.com>2009-05-18 15:27:48 -0400
commit66c727e0e7b34d19cdb8dbdc0a0fae15d9d5ff25 (patch)
tree35caa2b93baa413e516c1834626a14e36c811017 /server/responder/pam
parent3594dff371450e4530bf26f3bc4b2ea195270bcd (diff)
Move actual password caching into sysdb
Convert auth modules to do the caching themselves
Diffstat (limited to 'server/responder/pam')
-rw-r--r--server/responder/pam/pam_LOCAL_domain.c2
-rw-r--r--server/responder/pam/pamsrv.h1
-rw-r--r--server/responder/pam/pamsrv_cache.c112
-rw-r--r--server/responder/pam/pamsrv_cmd.c13
4 files changed, 2 insertions, 126 deletions
diff --git a/server/responder/pam/pam_LOCAL_domain.c b/server/responder/pam/pam_LOCAL_domain.c
index 614d640e..010bd8d4 100644
--- a/server/responder/pam/pam_LOCAL_domain.c
+++ b/server/responder/pam/pam_LOCAL_domain.c
@@ -115,7 +115,7 @@ static void set_user_attr_req(struct sysdb_req *req, void *pvt)
lreq->sysdb_req = req;
- ret = sysdb_set_user_attr(req, lreq->dbctx, lreq->preq->domain,
+ ret = sysdb_set_user_attr(req, lreq->preq->domain,
lreq->preq->pd->user, lreq->mod_attrs,
set_user_attr_callback, lreq);
if (ret != EOK)
diff --git a/server/responder/pam/pamsrv.h b/server/responder/pam/pamsrv.h
index d95df169..fa688fe1 100644
--- a/server/responder/pam/pamsrv.h
+++ b/server/responder/pam/pamsrv.h
@@ -27,7 +27,6 @@ struct sss_cmd_table *register_sss_cmds(void);
int pam_dp_send_req(struct pam_auth_req *preq, int timeout);
-int pam_cache_credentials(struct pam_auth_req *preq);
int pam_cache_auth(struct pam_auth_req *preq);
int LOCAL_pam_handler(struct pam_auth_req *preq);
diff --git a/server/responder/pam/pamsrv_cache.c b/server/responder/pam/pamsrv_cache.c
index ed18f6a1..d1c34e5f 100644
--- a/server/responder/pam/pamsrv_cache.c
+++ b/server/responder/pam/pamsrv_cache.c
@@ -53,120 +53,10 @@ static int authtok2str(const void *mem_ctx,
struct set_attrs_ctx {
struct pam_auth_req *preq;
- struct sysdb_attrs *attrs;
struct sysdb_req *sysreq;
+ char *password;
};
-static void pc_set_user_attr_callback(void *pvt,
- int ldb_status,
- struct ldb_result *res)
-{
- struct set_attrs_ctx *ctx;
- int error;
-
- ctx = talloc_get_type(pvt, struct set_attrs_ctx);
- error = sysdb_error_to_errno(ldb_status);
-
- sysdb_transaction_done(ctx->sysreq, error);
-
- if (ldb_status != LDB_SUCCESS) {
- DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n",
- ctx->preq->pd->user, error, strerror(error)));
- }
-
- ctx->preq->callback(ctx->preq);
-}
-
-static void pc_set_user_attr_req(struct sysdb_req *req, void *pvt)
-{
- struct set_attrs_ctx *ctx;
- int ret;
-
- DEBUG(4, ("entering pc_set_user_attr_req\n"));
-
- ctx = talloc_get_type(pvt, struct set_attrs_ctx);
-
- ctx->sysreq = req;
-
- ret = sysdb_set_user_attr(req, ctx->preq->cctx->rctx->sysdb,
- ctx->preq->domain,
- ctx->preq->pd->user,
- ctx->attrs,
- pc_set_user_attr_callback, ctx);
- if (ret != EOK) {
- sysdb_transaction_done(ctx->sysreq, ret);
- }
-
- if (ret != EOK) {
- DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n",
- ctx->preq->pd->user, ret, strerror(ret)));
- ctx->preq->callback(ctx->preq);
- }
-}
-
-int pam_cache_credentials(struct pam_auth_req *preq)
-{
- struct set_attrs_ctx *ctx;
- struct pam_data *pd;
- char *password = NULL;
- char *comphash = NULL;
- char *salt;
- int i, ret;
-
- pd = preq->pd;
-
- ret = authtok2str(preq, pd->authtok, pd->authtok_size, &password);
- if (ret) {
- DEBUG(4, ("Invalid auth token.\n"));
- ret = EINVAL;
- goto done;
- }
-
- ret = s3crypt_gen_salt(preq, &salt);
- if (ret) {
- DEBUG(4, ("Failed to generate random salt.\n"));
- goto done;
- }
-
- ret = s3crypt_sha512(preq, password, salt, &comphash);
- if (ret) {
- DEBUG(4, ("Failed to create password hash.\n"));
- goto done;
- }
-
- ctx = talloc_zero(preq, struct set_attrs_ctx);
- if (!ctx) {
- ret = ENOMEM;
- goto done;
- }
- ctx->preq = preq;
-
- ctx->attrs = sysdb_new_attrs(ctx);
- if (!ctx->attrs) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = sysdb_attrs_add_string(ctx->attrs, SYSDB_CACHEDPWD, comphash);
- if (ret) goto done;
-
- /* FIXME: should we use a different attribute for chache passwords ?? */
- ret = sysdb_attrs_add_long(ctx->attrs, "lastCachedPasswordChange",
- (long)time(NULL));
- if (ret) goto done;
-
- ret = sysdb_transaction(ctx, preq->cctx->rctx->sysdb,
- pc_set_user_attr_req, ctx);
-
-done:
- if (password) for (i = 0; password[i]; i++) password[i] = 0;
- if (ret != EOK) {
- DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n",
- pd->user, ret, strerror(ret)));
- }
- return ret;
-}
-
static void pam_cache_auth_return(struct pam_auth_req *preq, int error)
{
preq->pd->pam_status = error;
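Review bot: The new `char *password` member added to `struct set_attrs_ctx` keeps a plaintext copy of the auth token in a talloc'd context, and nothing in this hunk wipes it before the context is released, whereas the deleted pam_cache_credentials zeroed its local copy on every exit path. The code that fills and frees this field (presumably pam_cache_auth) lies outside the hunk, so I cannot confirm whether a destructor already handles it; if not, a talloc destructor on the ctx that zeroes `ctx->password`, or an explicit wipe at the point the field is no longer needed, would restore the previous behaviour. Either way the expectation belongs on the field itself: `char *password;   /* plaintext authtok copy; must be zeroed before ctx is freed */`. pam_cache_auth_return, which begins at the end of the hunk, continues outside it.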
diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c
index 00765d47..40cccffb 100644
--- a/server/responder/pam/pamsrv_cmd.c
+++ b/server/responder/pam/pamsrv_cmd.c
@@ -263,19 +263,6 @@ static void pam_reply(struct pam_auth_req *preq)
(preq->domain->cache_credentials == true) &&
(pd->offline_auth == false)) {
- if (pd->pam_status == PAM_SUCCESS) {
- pd->offline_auth = true;
- preq->callback = pam_reply;
- ret = pam_cache_credentials(preq);
- if (ret == EOK) {
- return;
- }
- else {
- DEBUG(0, ("Failed to cache credentials"));
- /* this error is not fatal, continue */
- }
- }
-
if (pd->pam_status == PAM_AUTHINFO_UNAVAIL) {
/* do auth with offline credentials */
pd->offline_auth = true;
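Review bot: With the on-success caching block removed, the surviving `cache_credentials && !offline_auth` condition now only introduces the offline fallback on PAM_AUTHINFO_UNAVAIL, but nothing at this spot tells the reader where caching happens now; a short comment would save the next maintainer a search: `/* credential caching is done by the auth providers; here we only fall back to cached credentials when the provider is unreachable */`. The `if` condition opens before the hunk and pam_reply continues after it, so I cannot see whether `ret`, which the deleted block assigned, is still used elsewhere in the function; if it is not, the now-unused local should be dropped along with this block.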