summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile.am6
-rw-r--r--src/man/sssd-ldap.5.xml11
-rw-r--r--src/providers/ldap/sdap_async_connection.c59
3 files changed, 66 insertions, 10 deletions
diff --git a/Makefile.am b/Makefile.am
index d6aef7fd..f3f5a329 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -782,7 +782,8 @@ libsss_ldap_la_CFLAGS = \
libsss_ldap_la_LIBADD = \
$(OPENLDAP_LIBS) \
$(DHASH_LIBS) \
- $(KRB5_LIBS)
+ $(KRB5_LIBS) \
+ libsss_crypt.la
libsss_ldap_la_LDFLAGS = \
-version-info 1:0:0 \
-module
@@ -871,7 +872,8 @@ libsss_ipa_la_LIBADD = \
$(OPENLDAP_LIBS) \
$(DHASH_LIBS) \
$(KEYUTILS_LIBS) \
- $(KRB5_LIBS)
+ $(KRB5_LIBS) \
+ libsss_crypt.la
libsss_ipa_la_LDFLAGS = \
-version-info 1:0:0 \
-module
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 346faf8d..b32096dd 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -120,7 +120,16 @@
<listitem>
<para>
The type of the authentication token of the
- default bind DN. The only currently supported value is "password".
+ default bind DN.
+ </para>
+ <para>
+ The two mechanisms currently supported are:
+ </para>
+ <para>
+ password
+ </para>
+ <para>
+ obfuscated_password
</para>
</listitem>
</varlistentry>
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index d2ca356f..682d74c8 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -25,6 +25,7 @@
#include "util/sss_krb5.h"
#include "providers/ldap/sdap_async_private.h"
#include "providers/ldap/ldap_req_wrap.h"
+#include "util/crypto/sss_crypto.h"
#define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
@@ -786,6 +787,10 @@ struct sdap_auth_state {
};
static void sdap_auth_done(struct tevent_req *subreq);
+static int sdap_auth_get_authtok(TALLOC_CTX *memctx,
+ const char *authtok_type,
+ struct dp_opt_blob authtok,
+ struct berval *pw);
/* TODO: handle sasl_cred */
struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
@@ -799,18 +804,25 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
{
struct tevent_req *req, *subreq;
struct sdap_auth_state *state;
-
- if (authtok_type != NULL && strcasecmp(authtok_type,"password") != 0) {
- DEBUG(1,("Authentication token type [%s] is not supported"));
- return NULL;
- }
+ int ret;
req = tevent_req_create(memctx, &state, struct sdap_auth_state);
if (!req) return NULL;
state->user_dn = user_dn;
- state->pw.bv_val = (char *)authtok.data;
- state->pw.bv_len = authtok.length;
+
+ ret = sdap_auth_get_authtok(state, authtok_type, authtok, &state->pw);
+ if (ret != EOK) {
+ if (ret == ENOSYS) {
+ DEBUG(1, ("Getting authtok is not supported with the "
+ "crypto library compiled with, authentication "
+ "might fail!\n"));
+ } else {
+ DEBUG(1, ("Cannot parse authtok.\n"));
+ tevent_req_error(req, ret);
+ return tevent_req_post(req, ev);
+ }
+ }
if (sasl_mech) {
state->is_sasl = true;
@@ -832,6 +844,39 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
return req;
}
+static int sdap_auth_get_authtok(TALLOC_CTX *mem_ctx,
+ const char *authtok_type,
+ struct dp_opt_blob authtok,
+ struct berval *pw)
+{
+ char *cleartext;
+ int ret;
+
+ if (!authtok_type) return EOK;
+ if (!pw) return EINVAL;
+
+ if (strcasecmp(authtok_type,"password") == 0) {
+ pw->bv_len = authtok.length;
+ pw->bv_val = (char *) authtok.data;
+ } else if (strcasecmp(authtok_type,"obfuscated_password") == 0) {
+ ret = sss_password_decrypt(mem_ctx, (char *) authtok.data, &cleartext);
+ if (ret != EOK) {
+ DEBUG(1, ("Cannot convert the obfuscated "
+ "password back to cleartext\n"));
+ return ret;
+ }
+
+ pw->bv_len = strlen(cleartext);
+ pw->bv_val = (char *) cleartext;
+ } else {
+ DEBUG(1, ("Authentication token type [%s] is not supported\n",
+ authtok_type));
+ return EINVAL;
+ }
+
+ return EOK;
+}
+
static void sdap_auth_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(subreq,