/*
   nslcd.h - file describing client/server protocol

   Copyright (C) 2006 West Consulting
   Copyright (C) 2006, 2007, 2009, 2010 Arthur de Jong

   This library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.

   This library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with this library; if not, write to the Free Software
   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
   02110-1301 USA
*/

#ifndef _NSLCD_H
#define _NSLCD_H 1

/*
   The protocol used between the nslcd client and server is a simple binary
   protocol. It is request/response based: the client initiates a
   connection, performs a single request and closes the connection again.
   Any mangled or not understood messages will be silently ignored by the
   server.

   A request looks like:
     INT32 NSLCD_VERSION
     INT32 NSLCD_ACTION_*
     [request parameters if any]
   A response looks like:
     INT32 NSLCD_VERSION
     INT32 NSLCD_ACTION_* (the original request type)
     [result(s)]
     INT32 NSLCD_RESULT_END
   A single result entry looks like:
     INT32 NSLCD_RESULT_BEGIN
     [result value(s)]
   If a response would return multiple values (e.g. for NSLCD_ACTION_*_ALL
   functions) each return value will be preceded by a NSLCD_RESULT_BEGIN
   value. After the last returned result the server sends
   NSLCD_RESULT_END. If some error occurs (e.g. LDAP server unavailable,
   error in the request, etc.) the server terminates the connection to
   signal an error condition (breaking the protocol).
   NOTE(review): since errors are signalled only by closing the connection,
   a client must treat EOF or a short read before NSLCD_RESULT_END as a
   failure, never as an empty or complete result.

   These are the available basic data types:
     INT32      - 32-bit integer value
     TYPE       - a typed field that is transferred using sizeof()
     STRING     - a string length (32-bit) followed by the string value (not
                  null-terminated); the string itself is assumed to be UTF-8
     STRINGLIST - a 32-bit number noting the number of strings followed by
                  the strings one at a time
   NOTE(review): the STRING, STRINGLIST and ADDRESS length/count prefixes
   come from the peer; a receiver must check each one against the buffer
   it is about to fill before allocating or copying.

   Furthermore the ADDRESS compound data type is defined as:
     INT32 type of address: e.g. AF_INET or AF_INET6
     INT32 length of address
     RAW   the address itself in network byte order
   The ADDRESSLIST uses the same construct as STRINGLIST.

   The protocol uses host byte order for all types (except in the raw
   address above). Because TYPE fields are transferred with sizeof(), both
   ends must also agree on the size of e.g. uid_t and gid_t -- presumably
   client and server are expected to be built for the same ABI; confirm
   before deploying a mixed 32/64-bit setup.
*/

/* The current version of the protocol. Note that version 1
   is experimental and this version will be used until a
   1.0 release of nss-pam-ldapd is made. */
#define NSLCD_VERSION 1

/* Email alias (/etc/aliases) NSS requests. The result values for a
   single entry are:
     STRING     alias name
     STRINGLIST alias rcpts */
#define NSLCD_ACTION_ALIAS_BYNAME 4001
#define NSLCD_ACTION_ALIAS_ALL 4002

/* Ethernet address/name mapping NSS requests. The result values for a
   single entry are:
     STRING          ether name
     TYPE(uint8_t[6]) ether address */
#define NSLCD_ACTION_ETHER_BYNAME 3001
#define NSLCD_ACTION_ETHER_BYETHER 3002
#define NSLCD_ACTION_ETHER_ALL 3005

/* Group and group membership related NSS requests. The result values
   for a single entry are:
     STRING     group name
     STRING     group password
     TYPE(gid_t) group id
     STRINGLIST members (usernames) of the group
   (note that the BYMEMBER call returns an empty members list) */
#define NSLCD_ACTION_GROUP_BYNAME 5001
#define NSLCD_ACTION_GROUP_BYGID 5002
#define NSLCD_ACTION_GROUP_BYMEMBER 5003
#define NSLCD_ACTION_GROUP_ALL 5004

/* Hostname (/etc/hosts) lookup NSS requests. The result values
   for an entry are:
     STRING      host name
     STRINGLIST  host aliases
     ADDRESSLIST host addresses */
#define NSLCD_ACTION_HOST_BYNAME 6001
#define NSLCD_ACTION_HOST_BYADDR 6002
#define NSLCD_ACTION_HOST_ALL 6005

/* A netgroup NSS request returns a number of results. Each result value
   can be either a reference to another netgroup:
     INT32  NSLCD_NETGROUP_TYPE_NETGROUP
     STRING other netgroup name
   or a netgroup triple:
     INT32  NSLCD_NETGROUP_TYPE_TRIPLE
     STRING host
     STRING user
     STRING domain
   A reader must dispatch on the INT32 tag and reject any other value. */
#define NSLCD_ACTION_NETGROUP_BYNAME 12001
#define NSLCD_NETGROUP_TYPE_NETGROUP 123
#define NSLCD_NETGROUP_TYPE_TRIPLE 456

/* Network name (/etc/networks) NSS requests. Result values for a single
   entry are:
     STRING      network name
     STRINGLIST  network aliases
     ADDRESSLIST network addresses */
#define NSLCD_ACTION_NETWORK_BYNAME 8001
#define NSLCD_ACTION_NETWORK_BYADDR 8002
#define NSLCD_ACTION_NETWORK_ALL 8005

/* User account (/etc/passwd) NSS requests. Result values are:
     STRING      user name
     STRING      user password
     TYPE(uid_t) user id
     TYPE(gid_t) group id
     STRING      gecos information
     STRING      home directory
     STRING      login shell */
#define NSLCD_ACTION_PASSWD_BYNAME 1001
#define NSLCD_ACTION_PASSWD_BYUID 1002
#define NSLCD_ACTION_PASSWD_ALL 1004

/* Protocol information requests. Result values are:
     STRING     protocol name
     STRINGLIST protocol aliases
     INT32      protocol number */
#define NSLCD_ACTION_PROTOCOL_BYNAME 9001
#define NSLCD_ACTION_PROTOCOL_BYNUMBER 9002
#define NSLCD_ACTION_PROTOCOL_ALL 9003

/* RPC information requests. Result values are:
     STRING     rpc name
     STRINGLIST rpc aliases
     INT32      rpc number */
#define NSLCD_ACTION_RPC_BYNAME 10001
#define NSLCD_ACTION_RPC_BYNUMBER 10002
#define NSLCD_ACTION_RPC_ALL 10003

/* Service (/etc/services) information requests. Result values are:
     STRING     service name
     STRINGLIST service aliases
     INT32      service (port) number
     STRING     service protocol */
#define NSLCD_ACTION_SERVICE_BYNAME 11001
#define NSLCD_ACTION_SERVICE_BYNUMBER 11002
#define NSLCD_ACTION_SERVICE_ALL 11005

/* Extended user account (/etc/shadow) information requests. Result
   values for a single entry are:
     STRING user name
     STRING user password
     INT32  last password change
     INT32  mindays
     INT32  maxdays
     INT32  warn
     INT32  inact
     INT32  expire
     INT32  flag
   NOTE(review): this result carries the password field; the protocol
   itself does not restrict who may issue SHADOW requests, so presumably
   the server does -- verify there. */
#define NSLCD_ACTION_SHADOW_BYNAME 2001
#define NSLCD_ACTION_SHADOW_ALL 2005

/* PAM-related requests. The request parameters for all these requests
   begin with:
     STRING user name
     STRING DN (if value is known already, otherwise empty)
     STRING service name
   All requests, except the SESSION requests, start the result value with:
     STRING user name (canonical name)
     STRING DN (can be used to speed up requests) */

/* PAM authentication check request. The extra request values are:
     STRING password
   and the result value ends with:
     INT32  authc NSLCD_PAM_* result code
     INT32  authz NSLCD_PAM_* result code
     STRING authorisation error message
   If the username is empty in this request an attempt is made to
   authenticate as the administrator (set using rootpwmoddn). The returned
   DN is that of the administrator.
   NOTE(review): the request carries no client identity, so the
   administrator path appears to be gated only by the supplied password;
   access to the nslcd socket is therefore itself a trust boundary --
   confirm how the server restricts it. */
#define NSLCD_ACTION_PAM_AUTHC 20001

/* PAM authorisation check request. The extra request values are:
     STRING ruser
     STRING rhost
     STRING tty
   and the result value ends with:
     INT32  authz NSLCD_PAM_* result code
     STRING authorisation error message */
#define NSLCD_ACTION_PAM_AUTHZ 20002

/* PAM session open and close requests. These requests have the following
   extra request values:
     STRING tty
     STRING rhost
     STRING ruser
     INT32  session id (ignored for SESS_O)
   and these calls only return the session ID:
     INT32  session id
   The SESS_C request must contain the ID that is returned by SESS_O to
   close the correct session. */
#define NSLCD_ACTION_PAM_SESS_O 20003
#define NSLCD_ACTION_PAM_SESS_C 20004

/* PAM password modification request. This request has the following extra
   request values:
     STRING old password
     STRING new password
   and returns these extra result values:
     INT32  authz NSLCD_PAM_* result code
     STRING authorisation error message
   In this request the DN may be set to the administrator's DN. In this
   case the old password should be the administrator's password. This
   allows the administrator to change any user's password.
   NOTE(review): as with AUTHC, nothing in the request identifies the
   caller; whether a non-administrative client may pass the
   administrator's DN is decided entirely server-side -- verify there. */
#define NSLCD_ACTION_PAM_PWMOD 20005

/* Request result codes. */
#define NSLCD_RESULT_BEGIN 0
#define NSLCD_RESULT_END 3

/* Partial list of PAM result codes. The numeric values appear to mirror
   the PAM_* codes of Linux-PAM -- confirm against the PAM headers before
   relying on that correspondence. */
#define NSLCD_PAM_SUCCESS 0 /* everything ok */
#define NSLCD_PAM_PERM_DENIED 6 /* Permission denied */
#define NSLCD_PAM_AUTH_ERR 7 /* Authc failure */
#define NSLCD_PAM_CRED_INSUFFICIENT 8 /* Cannot access authc data */
#define NSLCD_PAM_AUTHINFO_UNAVAIL 9 /* Cannot retrieve authc info */
#define NSLCD_PAM_USER_UNKNOWN 10 /* User not known */
#define NSLCD_PAM_MAXTRIES 11 /* Retry limit reached */
#define NSLCD_PAM_NEW_AUTHTOK_REQD 12 /* Password expired */
#define NSLCD_PAM_ACCT_EXPIRED 13 /* Account expired */
#define NSLCD_PAM_SESSION_ERR 14 /* Cannot make/remove session record */
#define NSLCD_PAM_AUTHTOK_DISABLE_AGING 23 /* Password aging disabled */
#define NSLCD_PAM_IGNORE 25 /* Ignore module */
#define NSLCD_PAM_ABORT 26 /* Fatal error */

#endif /* not _NSLCD_H */