Home Explore Help
Register Sign In
Apq
/
389-ds-base
mirror of https://github.com/389ds/389-ds-base.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 53839a8b27
Branches Tags
389-ds-base
/
ldap
/
servers
/
plugins
/
acctpolicy
/
acct_plugin.c

acct_plugin.c 8.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314 
  1. /******************************************************************************
    2. 

  2. Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
    3. 

  3. 

  4. This program is free software; you can redistribute it and/or
    5. 

  5. modify it under the terms of the GNU General Public License
    6. 

  6. version 2 as published by the Free Software Foundation.
    7. 

  7. 

  8. This program is distributed in the hope that it will be useful,
    9. 

  9. but WITHOUT ANY WARRANTY; without even the implied warranty of
    10. 

  10. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    11. 

  11. GNU General Public License for more details.
    12. 

  12. 

  13. You should have received a copy of the GNU General Public License
    14. 

  14. along with this program; if not, write to the Free Software
    15. 

  15. Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
    16. 

  16. 

  17. Contributors:
    18. 

  18. Hewlett-Packard Development Company, L.P.
    19. 

  19. ******************************************************************************/
    20. 

  20. 

  21. /* Account Policy plugin */
    22. 

  22. 

  23. #include <stdio.h>
    24. 

  24. #include <string.h>
    25. 

  25. #include <ctype.h>
    26. 

  26. #include <time.h>
    27. 

  27. #include "slapi-plugin.h"
    28. 

  28. #include "acctpolicy.h"
    29. 

  29. 

  30. /*
    31. 

  31.   Checks bind entry for last login state and compares current time with last
    32. 

  32.   login time plus the limit to decide whether to deny the bind.
    33. 

  33. */
    34. 

  34. static int
    35. 

  35. acct_inact_limit( Slapi_PBlock *pb, char *dn, Slapi_Entry *target_entry, acctPolicy *policy )
    36. 

  36. {
    37. 

  37. 	char *lasttimestr = NULL;
    38. 

  38. 	time_t lim_t, last_t, cur_t;
    39. 

  39. 	int rc = 0; /* Optimistic default */
    40. 

  40. 	acctPluginCfg *cfg;
    41. 

  41. 

  42. 	cfg = get_config();
    43. 

  43. 	if( ( lasttimestr = get_attr_string_val( target_entry,
    44. 

  44. 		cfg->state_attr_name ) ) != NULL ) {
    45. 

  45. 		slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
    46. 

  46. 			"\"%s\" login timestamp is %s\n", dn, lasttimestr );
    47. 

  47. 	} else if( ( lasttimestr = get_attr_string_val( target_entry,
    48. 

  48. 		cfg->alt_state_attr_name ) ) != NULL ) {
    49. 

  49. 		slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
    50. 

  50. 			"\"%s\" alternate timestamp is %s\n", dn, lasttimestr );
    51. 

  51. 	} else {
    52. 

  52. 		slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
    53. 

  53. 			"\"%s\" has no login or creation timestamp\n", dn );
    54. 

  54. 		rc = -1;
    55. 

  55. 		goto done;
    56. 

  56. 	}
    57. 

  57. 

  58. 	last_t = gentimeToEpochtime( lasttimestr );
    59. 

  59. 	cur_t = time( (time_t*)0 );
    60. 

  60. 	lim_t = policy->inactivitylimit;
    61. 

  61. 

  62. 	/* Finally do the time comparison */
    63. 

  63. 	if( cur_t > last_t + lim_t ) {
    64. 

  64. 		slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
    65. 

  65. 			"\"%s\" has exceeded inactivity limit  (%ld > (%ld + %ld))\n",
    66. 

  66. 			dn, cur_t, last_t, lim_t );
    67. 

  67. 		rc = 1;
    68. 

  68. 		goto done;
    69. 

  69. 	} else {
    70. 

  70. 		slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
    71. 

  71. 			"\"%s\" is within inactivity limit (%ld < (%ld + %ld))\n",
    72. 

  72. 			dn, cur_t, last_t, lim_t );
    73. 

  73. 	}
    74. 

  74. 

  75. done:
    76. 

  76. 	/* Deny bind; the account has exceeded the inactivity limit */
    77. 

  77. 	if( rc == 1 ) {
    78. 

  78. 		slapi_send_ldap_result( pb, LDAP_CONSTRAINT_VIOLATION, NULL,
    79. 

  79. 			"Account inactivity limit exceeded."
    80. 

  80. 			" Contact system administrator to reset.", 0, NULL );
    81. 

  81. 	}
    82. 

  82. 

  83.     slapi_ch_free_string( &lasttimestr );
    84. 

  84. 

  85. 	return( rc );
    86. 

  86. }
    87. 

  87. 

  88. /*
    89. 

  89.   This is called after binds, it updates an attribute in the account
    90. 

  90.   with the current time.
    91. 

  91. */
    92. 

  92. static int
    93. 

  93. acct_record_login( const char *dn )
    94. 

  94. {
    95. 

  95. 	int ldrc;
    96. 

  96. 	int rc = 0; /* Optimistic default */
    97. 

  97. 	LDAPMod *mods[2];
    98. 

  98. 	LDAPMod mod;
    99. 

  99. 	struct berval *vals[2];
    100. 

  100. 	struct berval val;
    101. 

  101. 	char *timestr = NULL;
    102. 

  102. 	acctPluginCfg *cfg;
    103. 

  103. 	void *plugin_id;
    104. 

  104. 	Slapi_PBlock *modpb = NULL;
    105. 

  105. 

  106. 	cfg = get_config();
    107. 

  107. 	plugin_id = get_identity();
    108. 

  108. 

  109. 	timestr = epochtimeToGentime( time( (time_t*)0 ) );
    110. 

  110. 	val.bv_val = timestr;
    111. 

  111. 	val.bv_len = strlen( val.bv_val );
    112. 

  112. 

  113. 	vals [0] = &val;
    114. 

  114. 	vals [1] = NULL;
    115. 

  115. 

  116. 	mod.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
    117. 

  117. 	mod.mod_type = cfg->state_attr_name;
    118. 

  118. 	mod.mod_bvalues = vals;
    119. 

  119. 

  120. 	mods[0] = &mod;
    121. 

  121. 	mods[1] = NULL;
    122. 

  122. 

  123. 	modpb = slapi_pblock_new();
    124. 

  124. 

  125. 	slapi_modify_internal_set_pb( modpb, dn, mods, NULL, NULL,
    126. 

  126. 	 	plugin_id, SLAPI_OP_FLAG_NO_ACCESS_CHECK |
    127. 

  127. 			SLAPI_OP_FLAG_BYPASS_REFERRALS );
    128. 

  128. 	slapi_modify_internal_pb( modpb );
    129. 

  129. 

  130. 	slapi_pblock_get( modpb, SLAPI_PLUGIN_INTOP_RESULT, &ldrc );
    131. 

  131. 

  132. 	if (ldrc != LDAP_SUCCESS) {
    133. 

  133. 		slapi_log_error( SLAPI_LOG_FATAL, POST_PLUGIN_NAME,
    134. 

  134. 			"Recording %s=%s failed on \"%s\" err=%d\n", cfg->state_attr_name,
    135. 

  135. 			timestr, dn, ldrc );
    136. 

  136. 		rc = -1;
    137. 

  137. 		goto done;
    138. 

  138. 	} else {
    139. 

  139. 		slapi_log_error( SLAPI_LOG_PLUGIN, POST_PLUGIN_NAME,
    140. 

  140. 			"Recorded %s=%s on \"%s\"\n", cfg->state_attr_name, timestr, dn );
    141. 

  141. 	}
    142. 

  142. 

  143. done:
    144. 

  144. 	slapi_pblock_destroy( modpb );
    145. 

  145. 	slapi_ch_free_string( &timestr );
    146. 

  146. 

  147. 	return( rc );
    148. 

  148. }
    149. 

  149. 

  150. /*
    151. 

  151.   Handles bind preop callbacks
    152. 

  152. */
    153. 

  153. int
    154. 

  154. acct_bind_preop( Slapi_PBlock *pb )
    155. 

  155. {
    156. 

  156. 	char *dn = NULL;
    157. 

  157. 	Slapi_DN *sdn = NULL;
    158. 

  158. 	Slapi_Entry *target_entry = NULL;
    159. 

  159. 	int rc = 0; /* Optimistic default */
    160. 

  160. 	int ldrc;
    161. 

  161. 	acctPolicy *policy = NULL;
    162. 

  162. 	void *plugin_id;
    163. 

  163. 

  164. 	slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
    165. 

  165. 		"=> acct_bind_preop\n" );
    166. 

  166. 

  167. 	plugin_id = get_identity();
    168. 

  168. 

  169. 	/* This does not give a copy, so don't free it */
    170. 

  170. 	if( slapi_pblock_get( pb, SLAPI_BIND_TARGET, &dn ) != 0 ) {
    171. 

  171. 		slapi_log_error( SLAPI_LOG_FATAL, PRE_PLUGIN_NAME,
    172. 

  172. 			"Error retrieving target DN\n" );
    173. 

  173. 		rc = -1;
    174. 

  174. 		goto done;
    175. 

  175. 	}
    176. 

  176. 

  177. 	/* The plugin wouldn't get called for anonymous binds but let's check */
    178. 

  178. 	if ( dn == NULL ) {
    179. 

  179. 		goto done;
    180. 

  180. 	}
    181. 

  181. 

  182. 	sdn = slapi_sdn_new_dn_byref( dn );
    183. 

  183. 

  184. 	ldrc = slapi_search_internal_get_entry( sdn, NULL, &target_entry,
    185. 

  185. 		plugin_id );
    186. 

  186. 

  187. 	/* There was a problem retrieving the entry */
    188. 

  188. 	if( ldrc != LDAP_SUCCESS ) {
    189. 

  189. 		if( ldrc != LDAP_NO_SUCH_OBJECT ) {
    190. 

  190. 			/* The problem is not a bad bind or virtual entry; halt bind */
    191. 

  191. 			slapi_log_error( SLAPI_LOG_FATAL, PRE_PLUGIN_NAME,
    192. 

  192. 				"Failed to retrieve entry \"%s\": %d\n", dn, ldrc );
    193. 

  193. 			rc = -1;
    194. 

  194. 		}
    195. 

  195. 		goto done;
    196. 

  196. 	}
    197. 

  197. 

  198. 	if( get_acctpolicy( pb, target_entry, plugin_id, &policy ) ) {
    199. 

  199. 		slapi_log_error( SLAPI_LOG_FATAL, PRE_PLUGIN_NAME,
    200. 

  200. 			"Account Policy object for \"%s\" is missing\n", dn );
    201. 

  201. 		rc = -1;
    202. 

  202. 		goto done;
    203. 

  203. 	}
    204. 

  204. 

  205. 	/* Null policy means target isnt's under the influence of a policy */
    206. 

  206. 	if( policy == NULL ) {
    207. 

  207. 		slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
    208. 

  208. 			"\"%s\" is not governed by an account policy\n", dn);
    209. 

  209. 		goto done;
    210. 

  210. 	}
    211. 

  211. 

  212. 	/* Check whether the account is in violation of inactivity limit */
    213. 

  213. 	rc = acct_inact_limit( pb, dn, target_entry, policy );
    214. 

  214. 

  215. 	/* ...Any additional account policy enforcement goes here... */
    216. 

  216. 

  217. done:
    218. 

  218. 	/* Internal error */
    219. 

  219. 	if( rc == -1 ) {
    220. 

  220. 		slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, NULL, 0, NULL );
    221. 

  221. 	}
    222. 

  222. 

  223. 	slapi_entry_free( target_entry );
    224. 

  224. 

  225. 	slapi_sdn_free( &sdn );
    226. 

  226. 

  227. 	free_acctpolicy( &policy );
    228. 

  228. 

  229. 	slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
    230. 

  230. 		"<= acct_bind_preop\n" );
    231. 

  231. 

  232. 	return( rc == 0 ? CALLBACK_OK : CALLBACK_ERR );
    233. 

  233. }
    234. 

  234. 

  235. /*
    236. 

  236.   This is called after binds, it updates an attribute in the entry that the
    237. 

  237.   bind DN corresponds to with the current time if it has an account policy
    238. 

  238.   specifier.
    239. 

  239. */
    240. 

  240. int
    241. 

  241. acct_bind_postop( Slapi_PBlock *pb )
    242. 

  242. {
    243. 

  243. 	char *dn = NULL;
    244. 

  244. 	int ldrc, tracklogin = 0;
    245. 

  245. 	int rc = 0; /* Optimistic default */
    246. 

  246. 	Slapi_DN *sdn = NULL;
    247. 

  247. 	Slapi_Entry *target_entry = NULL;
    248. 

  248. 	acctPluginCfg *cfg;
    249. 

  249. 	void *plugin_id;
    250. 

  250. 

  251. 	slapi_log_error( SLAPI_LOG_PLUGIN, POST_PLUGIN_NAME,
    252. 

  252. 		"=> acct_bind_postop\n" );
    253. 

  253. 

  254. 	plugin_id = get_identity();
    255. 

  255. 

  256. 	/* Retrieving SLAPI_CONN_DN from the pb gives a copy */
    257. 

  257. 	if( slapi_pblock_get( pb, SLAPI_CONN_DN, &dn ) != 0 ) {
    258. 

  258. 		slapi_log_error( SLAPI_LOG_FATAL, POST_PLUGIN_NAME,
    259. 

  259. 			"Error retrieving bind DN\n" );
    260. 

  260. 		rc = -1;
    261. 

  261. 		goto done;
    262. 

  262. 	}
    263. 

  263. 

  264. 	/* Client is anonymously bound */
    265. 

  265. 	if( dn == NULL ) {
    266. 

  266. 		goto done;
    267. 

  267. 	}
    268. 

  268. 

  269. 	cfg = get_config();
    270. 

  270. 	tracklogin = cfg->always_record_login;
    271. 

  271. 

  272. 	/* We're not always tracking logins, so check whether the entry is
    273. 

  273. 	   covered by an account policy to decide whether we should track */
    274. 

  274. 	if( tracklogin == 0 ) {
    275. 

  275. 		sdn = slapi_sdn_new_dn_byref( dn );
    276. 

  276. 		ldrc = slapi_search_internal_get_entry( sdn, NULL, &target_entry,
    277. 

  277. 			plugin_id );
    278. 

  278. 

  279. 		if( ldrc != LDAP_SUCCESS ) {
    280. 

  280. 			slapi_log_error( SLAPI_LOG_FATAL, POST_PLUGIN_NAME,
    281. 

  281. 				"Failed to retrieve entry \"%s\": %d\n", dn, ldrc );
    282. 

  282. 			rc = -1;
    283. 

  283. 			goto done;
    284. 

  284. 		} else {
    285. 

  285. 			if( target_entry && has_attr( target_entry,
    286. 

  286. 				cfg->spec_attr_name, NULL ) ) {
    287. 

  287. 				/* This account has a policy specifier */
    288. 

  288. 				tracklogin = 1;
    289. 

  289. 			}
    290. 

  290. 		}
    291. 

  291. 	}
    292. 

  292. 

  293. 	if( tracklogin ) {
    294. 

  294. 		rc = acct_record_login( dn );
    295. 

  295. 	}
    296. 

  296. 

  297. 	/* ...Any additional account policy postops go here... */
    298. 

  298. 

  299. done:
    300. 

  300. 	if( rc == -1 ) {
    301. 

  301. 		slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, NULL, 0, NULL );
    302. 

  302. 	}
    303. 

  303. 

  304. 	slapi_entry_free( target_entry );
    305. 

  305. 

  306. 	slapi_sdn_free( &sdn );
    307. 

  307. 

  308. 	slapi_ch_free_string( &dn );
    309. 

  309. 

  310. 	slapi_log_error( SLAPI_LOG_PLUGIN, POST_PLUGIN_NAME,
    311. 

  311. 		"<= acct_bind_postop\n" );
    312. 

  312. 

  313. 	return( rc == 0 ? CALLBACK_OK : CALLBACK_ERR );
    314. 

  314. }
    315.