OpenLDAP: [PATCH] slappasswd: Add support loading a dynamically loadable

openldap-2.4.31-slappasswd-moduleload.patch
From 9cb4cb040e77372ea892bba81136d2741a6707bb Mon Sep 17 00:00:00 2001
From: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Date: Thu, 31 May 2012 13:13:41 +0900
Subject: [PATCH] slappasswd: Add support loading a dynamically loadable
module
 
Add "-o module-path=<pathspec>" and "-o module-load=<filename>"
options to load a dynamically loadable password hash module
(e.g., slapd-sha2).
---
doc/man/man8/slappasswd.8 | 18 ++++++++-
servers/slapd/slappasswd.c | 89 ++++++++++++++++++++++++++++++++++++++++----
2 files changed, 99 insertions(+), 8 deletions(-)
 
diff --git a/doc/man/man8/slappasswd.8 b/doc/man/man8/slappasswd.8
index dbd28fd..6a5b761 100644
--- a/doc/man/man8/slappasswd.8
+++ b/doc/man/man8/slappasswd.8
@@ -18,7 +18,8 @@ slappasswd \- OpenLDAP password utility
.BI \-c \ salt-format\fR]
[\c
.BR \-n ]
-.B
+[\c
+.BI \-o \ option\fR[ = value\fR]]
.LP
.SH DESCRIPTION
.LP
@@ -154,6 +155,21 @@ which provides 31 characters of salt.
.BI \-n
Omit the trailing newline; useful to pipe the credentials
into a command.
+.TP
+.BI \-o \ option\fR[ = value\fR]
+Specify an
+.I option
+with a(n optional)
+.IR value .
+Possible generic options/values are:
+.LP
+.nf
+ module\-path=<pathspec> (see `\fBmodulepath\fP' in slapd.conf(5))
+ module\-load=<filename> (see `\fBmoduleload\fP' in slapd.conf(5))
+
+.in
+You can load a dynamically loadable password hash module by
+using this option.
.SH LIMITATIONS
The practice of storing hashed passwords in userPassword violates
Standard Track (RFC 4519) schema specifications and may hinder
diff --git a/servers/slapd/slappasswd.c b/servers/slapd/slappasswd.c
index cfd6981..4238f0c 100644
--- a/servers/slapd/slappasswd.c
+++ b/servers/slapd/slappasswd.c
@@ -40,6 +40,8 @@
#include "slap.h"
static int verbose = 0;
+static char *modulepath = NULL;
+static char *moduleload = NULL;
static void
usage(const char *s)
@@ -50,6 +52,9 @@ usage(const char *s)
" -g\t\tgenerate random password\n"
" -h hash\tpassword scheme\n"
" -n\t\tomit trailing newline\n"
+ " -o <opt>[=val] specify an option with a(n optional) value\n"
+ " \tmodule-path=<pathspec>\n"
+ " \tmodule-load=<filename>\n"
" -s secret\tnew password\n"
" -u\t\tgenerate RFC2307 values (default)\n"
" -v\t\tincrease verbosity\n"
@@ -59,9 +64,39 @@ usage(const char *s)
exit( EXIT_FAILURE );
}
+static int
+parse_slappasswdopt( void )
+{
+ size_t len = 0;
+ char *p;
+
+ p = strchr( optarg, '=' );
+ if ( p != NULL ) {
+ len = p - optarg;
+ p++;
+ }
+
+ if ( strncasecmp( optarg, "module-path", len ) == 0 ) {
+ if ( modulepath )
+ ch_free( modulepath );
+ modulepath = ch_strdup( p );
+
+ } else if ( strncasecmp( optarg, "module-load", len ) == 0 ) {
+ if ( moduleload )
+ ch_free( moduleload );
+ moduleload = ch_strdup( p );
+
+ } else {
+ return -1;
+ }
+
+ return 0;
+}
+
int
slappasswd( int argc, char *argv[] )
{
+ int rc = EXIT_SUCCESS;
#ifdef LUTIL_SHA1_BYTES
char *default_scheme = "{SSHA}";
#else
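Review bot: parse_slappasswdopt() accepts option names it should reject, because `len` is the length of the caller's key and is the only bound passed to strncasecmp(). With no `=` in optarg, `len` stays 0, the first comparison matches, and `ch_strdup( p )` is called with a NULL `p`; a shortened key such as `m=...` is likewise taken as module-path. Since these values decide which shared object gets loaded, the match should be exact: add `if ( p == NULL ) return -1;` after the strchr() block and put a length check in front of each test, e.g. `len == sizeof("module-path") - 1 && strncasecmp( optarg, "module-path", len ) == 0`. The hunk also carries the start of slappasswd(), whose body continues outside it.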
@@ -79,8 +114,15 @@ slappasswd( int argc, char *argv[] )
struct berval passwd = BER_BVNULL;
struct berval hash;
+#ifdef LDAP_DEBUG
+ /* tools default to "none", so that at least LDAP_DEBUG_ANY
+ * messages show up; use -d 0 to reset */
+ slap_debug = LDAP_DEBUG_NONE;
+#endif
+ ldap_syslog = 0;
+
while( (i = getopt( argc, argv,
- "c:d:gh:ns:T:vu" )) != EOF )
+ "c:d:gh:no:s:T:vu" )) != EOF )
{
switch (i) {
case 'c': /* crypt salt format */
@@ -117,6 +159,12 @@ slappasswd( int argc, char *argv[] )
newline = "";
break;
+ case 'o':
+ if ( parse_slappasswdopt() ) {
+ usage ( progname );
+ }
+ break;
+
case 's': /* new password (secret) */
if ( pwfile != NULL ) {
fprintf( stderr, "Option -s incompatible with -T\n" );
@@ -163,11 +211,29 @@ slappasswd( int argc, char *argv[] )
if( argc - optind != 0 ) {
usage( progname );
- }
+ }
+
+#ifdef SLAPD_MODULES
+ if ( module_init() != 0 ) {
+ fprintf( stderr, "%s: module_init failed\n", progname );
+ return EXIT_FAILURE;
+ }
+
+ if ( modulepath && module_path(modulepath) ) {
+ rc = EXIT_FAILURE;
+ goto destroy;
+ }
+
+ if ( moduleload && module_load(moduleload, 0, NULL) ) {
+ rc = EXIT_FAILURE;
+ goto destroy;
+ }
+#endif
if( pwfile != NULL ) {
if( lutil_get_filed_password( pwfile, &passwd )) {
- return EXIT_FAILURE;
+ rc = EXIT_FAILURE;
+ goto destroy;
}
} else if ( BER_BVISEMPTY( &passwd )) {
if( newpw == NULL ) {
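Review bot: When SLAPD_MODULES is not defined, the `-o module-path` / `-o module-load` values parsed earlier are silently dropped at this point, so the caller only notices when the scheme lookup fails later. An `#else` branch that rejects the options would make this explicit, e.g. `if ( modulepath || moduleload ) { fprintf( stderr, "%s: module support not compiled in\n", progname ); return EXIT_FAILURE; }`. Separately, module_load() runs code from a caller-chosen file, so the documentation should state that slappasswd must not be reachable through a privileged wrapper (sudo rule, setuid helper, web front end) that passes `-o` through unchecked. The slappasswd() body starts and ends outside this hunk.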
@@ -178,7 +244,8 @@ slappasswd( int argc, char *argv[] )
if( strcmp( newpw, cknewpw )) {
fprintf( stderr, "Password values do not match\n" );
- return EXIT_FAILURE;
+ rc = EXIT_FAILURE;
+ goto destroy;
}
}
@@ -194,16 +261,24 @@ slappasswd( int argc, char *argv[] )
fprintf( stderr,
"Password generation failed for scheme %s: %s\n",
scheme, text ? text : "" );
- return EXIT_FAILURE;
+ rc = EXIT_FAILURE;
+ goto destroy;
}
if( lutil_passwd( &hash, &passwd, NULL, &text ) ) {
fprintf( stderr, "Password verification failed. %s\n",
text ? text : "" );
- return EXIT_FAILURE;
+ rc = EXIT_FAILURE;
+ goto destroy;
}
print_pw:;
printf( "%s%s" , hash.bv_val, newline );
- return EXIT_SUCCESS;
+
+destroy:;
+#ifdef SLAPD_MODULES
+ module_kill();
+#endif
+
+ return rc;
}
--
1.7.10
