1/* $OpenLDAP$ */
2/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3 *
4 * Copyright 2004-2011 The OpenLDAP Foundation.
5 * Portions Copyright 2004 Hewlett-Packard Company.
6 * Portions Copyright 2004 Howard Chu, Symas Corp.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
11 * Public License.
12 *
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
16 */
17/* ACKNOWLEDGEMENTS:
18 * This work was developed by Howard Chu for inclusion in
19 * OpenLDAP Software, based on prior work by Neil Dunbar (HP).
20 * This work was sponsored by the Hewlett-Packard Company.
21 */
22
23#include "portable.h"
24
25#include <stdio.h>
26#include <ac/stdlib.h>
27#include <ac/string.h>
28#include <ac/time.h>
29
30#include "ldap-int.h"
31
32#ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
33
34/* IMPLICIT TAGS, all context-specific */
35#define PPOLICY_WARNING 0xa0L	/* constructed + 0 */
36#define PPOLICY_ERROR 0x81L		/* primitive + 1 */
37
38#define PPOLICY_EXPIRE 0x80L	/* primitive + 0 */
39#define PPOLICY_GRACE  0x81L	/* primitive + 1 */
40
41/*---
42   ldap_create_passwordpolicy_control
43
44   Create and encode the Password Policy Request
45
46   ld        (IN)  An LDAP session handle, as obtained from a call to
47				   ldap_init().
48
49   ctrlp     (OUT) A result parameter that will be assigned the address
50				   of an LDAPControl structure that contains the
51				   passwordPolicyRequest control created by this function.
52				   The memory occupied by the LDAPControl structure
53				   SHOULD be freed when it is no longer in use by
54				   calling ldap_control_free().
55
56
57   There is no control value for a password policy request
58 ---*/
59
60int
61ldap_create_passwordpolicy_control( LDAP *ld,
62                                    LDAPControl **ctrlp )
63{
64	assert( ld != NULL );
65	assert( LDAP_VALID( ld ) );
66	assert( ctrlp != NULL );
67
68	ld->ld_errno = ldap_control_create( LDAP_CONTROL_PASSWORDPOLICYREQUEST,
69		0, NULL, 0, ctrlp );
70
71	return ld->ld_errno;
72}
73
74
75/*---
76   ldap_parse_passwordpolicy_control
77
78   Decode the passwordPolicyResponse control and return information.
79
80   ld           (IN)   An LDAP session handle.
81
82   ctrl         (IN)   The address of an
83					   LDAPControl structure, either obtained
84					   by running thorugh the list of response controls or
85					   by a call to ldap_control_find().
86
87   exptimep     (OUT)  This result parameter is filled in with the number of seconds before
88                                           the password will expire, if expiration is imminent
89                                           (imminency defined by the password policy). If expiration
90                                           is not imminent, the value is set to -1.
91
92   gracep       (OUT)  This result parameter is filled in with the number of grace logins after
93                                           the password has expired, before no further login attempts
94                                           will be allowed.
95
96   errorcodep   (OUT)  This result parameter is filled in with the error code of the password operation
97                                           If no error was detected, this error is set to PP_noError.
98
99   Ber encoding
100
101   PasswordPolicyResponseValue ::= SEQUENCE {
102       warning [0] CHOICE {
103           timeBeforeExpiration [0] INTEGER (0 .. maxInt),
104           graceLoginsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL
105       error [1] ENUMERATED {
106           passwordExpired        (0),
107           accountLocked          (1),
108           changeAfterReset       (2),
109           passwordModNotAllowed  (3),
110           mustSupplyOldPassword  (4),
111           invalidPasswordSyntax  (5),
112           passwordTooShort       (6),
113           passwordTooYoung       (7),
114           passwordInHistory      (8) } OPTIONAL }
115
116---*/
117
118int
119ldap_parse_passwordpolicy_control(
120	LDAP           *ld,
121	LDAPControl    *ctrl,
122	ber_int_t      *expirep,
123	ber_int_t      *gracep,
124	LDAPPasswordPolicyError *errorp )
125{
126	BerElement  *ber;
127	int exp = -1, grace = -1;
128	ber_tag_t tag;
129	ber_len_t berLen;
130        char *last;
131	int err = PP_noError;
132
133	assert( ld != NULL );
134	assert( LDAP_VALID( ld ) );
135	assert( ctrl != NULL );
136
137	/* Create a BerElement from the berval returned in the control. */
138	ber = ber_init(&ctrl->ldctl_value);
139
140	if (ber == NULL) {
141		ld->ld_errno = LDAP_NO_MEMORY;
142		return(ld->ld_errno);
143	}
144
145	tag = ber_peek_tag( ber, &berLen );
146	if (tag != LBER_SEQUENCE) goto exit;
147
148	for( tag = ber_first_element( ber, &berLen, &last );
149		tag != LBER_DEFAULT;
150		tag = ber_next_element( ber, &berLen, last ) )
151	{
152		switch (tag) {
153		case PPOLICY_WARNING:
154			ber_skip_tag(ber, &berLen );
155			tag = ber_peek_tag( ber, &berLen );
156			switch( tag ) {
157			case PPOLICY_EXPIRE:
158				if (ber_get_int( ber, &exp ) == LBER_DEFAULT) goto exit;
159				break;
160			case PPOLICY_GRACE:
161				if (ber_get_int( ber, &grace ) == LBER_DEFAULT) goto exit;
162				break;
163			default:
164				goto exit;
165			}
166			break;
167		case PPOLICY_ERROR:
168			if (ber_get_enum( ber, &err ) == LBER_DEFAULT) goto exit;
169			break;
170		default:
171			goto exit;
172		}
173	}
174
175	ber_free(ber, 1);
176
177	/* Return data to the caller for items that were requested. */
178	if (expirep) *expirep = exp;
179	if (gracep) *gracep = grace;
180	if (errorp) *errorp = err;
181
182	ld->ld_errno = LDAP_SUCCESS;
183	return(ld->ld_errno);
184
185  exit:
186	ber_free(ber, 1);
187	ld->ld_errno = LDAP_DECODING_ERROR;
188	return(ld->ld_errno);
189}
190
191const char *
192ldap_passwordpolicy_err2txt( LDAPPasswordPolicyError err )
193{
194	switch(err) {
195	case PP_passwordExpired: return "Password expired";
196	case PP_accountLocked: return "Account locked";
197	case PP_changeAfterReset: return "Password must be changed";
198	case PP_passwordModNotAllowed: return "Policy prevents password modification";
199	case PP_mustSupplyOldPassword: return "Policy requires old password in order to change password";
200	case PP_insufficientPasswordQuality: return "Password fails quality checks";
201	case PP_passwordTooShort: return "Password is too short for policy";
202	case PP_passwordTooYoung: return "Password has been changed too recently";
203	case PP_passwordInHistory: return "New password is in list of old passwords";
204	case PP_noError: return "No error";
205	default: return "Unknown error code";
206	}
207}
208
209#endif /* LDAP_CONTROL_PASSWORDPOLICYREQUEST */
210