nslcd.h revision 1.1.1.2
1/* $NetBSD: nslcd.h,v 1.1.1.2 2014/05/28 09:58:28 tron Exp $ */ 2 3/* 4 nslcd.h - file describing client/server protocol 5 6 Copyright (C) 2006 West Consulting 7 Copyright (C) 2006, 2007, 2009, 2010, 2011, 2012 Arthur de Jong 8 9 This library is free software; you can redistribute it and/or 10 modify it under the terms of the GNU Lesser General Public 11 License as published by the Free Software Foundation; either 12 version 2.1 of the License, or (at your option) any later version. 13 14 This library is distributed in the hope that it will be useful, 15 but WITHOUT ANY WARRANTY; without even the implied warranty of 16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 17 Lesser General Public License for more details. 18 19 You should have received a copy of the GNU Lesser General Public 20 License along with this library; if not, write to the Free Software 21 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 22 02110-1301 USA 23*/ 24 25#ifndef _NSLCD_H 26#define _NSLCD_H 1 27 28/* 29 The protocol used between the nslcd client and server is a simple binary 30 protocol. It is request/response based where the client initiates a 31 connection, does a single request and closes the connection again. Any 32 mangled or not understood messages will be silently ignored by the server. 33 34 A request looks like: 35 INT32 NSLCD_VERSION 36 INT32 NSLCD_ACTION_* 37 [request parameters if any] 38 A response looks like: 39 INT32 NSLCD_VERSION 40 INT32 NSLCD_ACTION_* (the original request type) 41 [result(s)] 42 INT32 NSLCD_RESULT_END 43 A single result entry looks like: 44 INT32 NSLCD_RESULT_BEGIN 45 [result value(s)] 46 If a response would return multiple values (e.g. for NSLCD_ACTION_*_ALL 47 functions) each return value will be preceded by a NSLCD_RESULT_BEGIN 48 value. After the last returned result the server sends 49 NSLCD_RESULT_END. If some error occurs (e.g. LDAP server unavailable, 50 error in the request, etc) the server terminates the connection to signal 51 an error condition (breaking the protocol). 52 53 These are the available basic data types: 54 INT32 - 32-bit integer value 55 TYPE - a typed field that is transferred using sizeof() 56 STRING - a string length (32bit) followed by the string value (not 57 null-terminted) the string itself is assumed to be UTF-8 58 STRINGLIST - a 32-bit number noting the number of strings followed by 59 the strings one at a time 60 61 Furthermore the ADDRESS compound data type is defined as: 62 INT32 type of address: e.g. AF_INET or AF_INET6 63 INT32 lenght of address 64 RAW the address itself in network byte order 65 With the ADDRESSLIST using the same construct as with STRINGLIST. 66 67 The protocol uses host-byte order for all types (except in the raw 68 address above). 69*/ 70 71/* The current version of the protocol. Note that version 1 72 is experimental and this version will be used until a 73 1.0 release of nss-pam-ldapd is made. */ 74#define NSLCD_VERSION 1 75 76/* Get a NSLCD configuration option. There is one request parameter: 77 INT32 NSLCD_CONFIG_* 78 the result value is: 79 STRING value, interpretation depending on request */ 80#define NSLCD_ACTION_CONFIG_GET 20006 81 82/* return the message, if any, that is presented to the user when password 83 modification through PAM is prohibited */ 84#define NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE 852 85 86/* Email alias (/etc/aliases) NSS requests. The result values for a 87 single entry are: 88 STRING alias name 89 STRINGLIST alias rcpts */ 90#define NSLCD_ACTION_ALIAS_BYNAME 4001 91#define NSLCD_ACTION_ALIAS_ALL 4002 92 93/* Ethernet address/name mapping NSS requests. The result values for a 94 single entry are: 95 STRING ether name 96 TYPE(uint8_t[6]) ether address */ 97#define NSLCD_ACTION_ETHER_BYNAME 3001 98#define NSLCD_ACTION_ETHER_BYETHER 3002 99#define NSLCD_ACTION_ETHER_ALL 3005 100 101/* Group and group membership related NSS requests. The result values 102 for a single entry are: 103 STRING group name 104 STRING group password 105 TYPE(gid_t) group id 106 STRINGLIST members (usernames) of the group 107 (not that the BYMEMER call returns an emtpy members list) */ 108#define NSLCD_ACTION_GROUP_BYNAME 5001 109#define NSLCD_ACTION_GROUP_BYGID 5002 110#define NSLCD_ACTION_GROUP_BYMEMBER 5003 111#define NSLCD_ACTION_GROUP_ALL 5004 112 113/* Hostname (/etc/hosts) lookup NSS requests. The result values 114 for an entry are: 115 STRING host name 116 STRINGLIST host aliases 117 ADDRESSLIST host addresses */ 118#define NSLCD_ACTION_HOST_BYNAME 6001 119#define NSLCD_ACTION_HOST_BYADDR 6002 120#define NSLCD_ACTION_HOST_ALL 6005 121 122/* Netgroup NSS request return a number of results. Result values 123 can be either a reference to another netgroup: 124 INT32 NSLCD_NETGROUP_TYPE_NETGROUP 125 STRING other netgroup name 126 or a netgroup triple: 127 INT32 NSLCD_NETGROUP_TYPE_TRIPLE 128 STRING host 129 STRING user 130 STRING domain */ 131#define NSLCD_ACTION_NETGROUP_BYNAME 12001 132#define NSLCD_NETGROUP_TYPE_NETGROUP 123 133#define NSLCD_NETGROUP_TYPE_TRIPLE 456 134 135/* Network name (/etc/networks) NSS requests. Result values for a single 136 entry are: 137 STRING network name 138 STRINGLIST network aliases 139 ADDRESSLIST network addresses */ 140#define NSLCD_ACTION_NETWORK_BYNAME 8001 141#define NSLCD_ACTION_NETWORK_BYADDR 8002 142#define NSLCD_ACTION_NETWORK_ALL 8005 143 144/* User account (/etc/passwd) NSS requests. Result values are: 145 STRING user name 146 STRING user password 147 TYPE(uid_t) user id 148 TYPE(gid_t) group id 149 STRING gecos information 150 STRING home directory 151 STRING login shell */ 152#define NSLCD_ACTION_PASSWD_BYNAME 1001 153#define NSLCD_ACTION_PASSWD_BYUID 1002 154#define NSLCD_ACTION_PASSWD_ALL 1004 155 156/* Protocol information requests. Result values are: 157 STRING protocol name 158 STRINGLIST protocol aliases 159 INT32 protocol number */ 160#define NSLCD_ACTION_PROTOCOL_BYNAME 9001 161#define NSLCD_ACTION_PROTOCOL_BYNUMBER 9002 162#define NSLCD_ACTION_PROTOCOL_ALL 9003 163 164/* RPC information requests. Result values are: 165 STRING rpc name 166 STRINGLIST rpc aliases 167 INT32 rpc number */ 168#define NSLCD_ACTION_RPC_BYNAME 10001 169#define NSLCD_ACTION_RPC_BYNUMBER 10002 170#define NSLCD_ACTION_RPC_ALL 10003 171 172/* Service (/etc/services) information requests. Result values are: 173 STRING service name 174 STRINGLIST service aliases 175 INT32 service (port) number 176 STRING service protocol */ 177#define NSLCD_ACTION_SERVICE_BYNAME 11001 178#define NSLCD_ACTION_SERVICE_BYNUMBER 11002 179#define NSLCD_ACTION_SERVICE_ALL 11005 180 181/* Extended user account (/etc/shadow) information requests. Result 182 values for a single entry are: 183 STRING user name 184 STRING user password 185 INT32 last password change 186 INT32 mindays 187 INT32 maxdays 188 INT32 warn 189 INT32 inact 190 INT32 expire 191 INT32 flag */ 192#define NSLCD_ACTION_SHADOW_BYNAME 2001 193#define NSLCD_ACTION_SHADOW_ALL 2005 194 195/* PAM-related requests. The request parameters for all these requests 196 begin with: 197 STRING user name 198 STRING DN (if value is known already, otherwise empty) 199 STRING service name 200 all requests, except the SESSION requests start the result value with: 201 STRING user name (cannonical name) 202 STRING DN (can be used to speed up requests) 203 Some functions may return an authorisation message. This message, if 204 supplied will be used by the PAM module instead of a message that is 205 generated by the PAM module itself. */ 206 207/* PAM authentication check request. The extra request values are: 208 STRING password 209 and the result value ends with: 210 INT32 authc NSLCD_PAM_* result code 211 INT32 authz NSLCD_PAM_* result code 212 STRING authorisation error message 213 If the username is empty in this request an attempt is made to 214 authenticate as the administrator (set using rootpwmoddn). The returned DN 215 is that of the administrator. */ 216#define NSLCD_ACTION_PAM_AUTHC 20001 217 218/* PAM authorisation check request. The extra request values are: 219 STRING ruser 220 STRING rhost 221 STRING tty 222 and the result value ends with: 223 INT32 authz NSLCD_PAM_* result code 224 STRING authorisation error message */ 225#define NSLCD_ACTION_PAM_AUTHZ 20002 226 227/* PAM session open and close requests. These requests have the following 228 extra request values: 229 STRING tty 230 STRING rhost 231 STRING ruser 232 INT32 session id (ignored for SESS_O) 233 and these calls only return the session ID: 234 INT32 session id 235 The SESS_C must contain the ID that is retured by SESS_O to close the 236 correct session. */ 237#define NSLCD_ACTION_PAM_SESS_O 20003 238#define NSLCD_ACTION_PAM_SESS_C 20004 239 240/* PAM password modification request. This requests has the following extra 241 request values: 242 STRING old password 243 STRING new password 244 and returns there extra result values: 245 INT32 authz NSLCD_PAM_* result code 246 STRING authorisation error message 247 In this request the DN may be set to the administrator's DN. In this 248 case old password should be the administrator's password. This allows 249 the administrator to change any user's password. */ 250#define NSLCD_ACTION_PAM_PWMOD 20005 251 252/* Request result codes. */ 253#define NSLCD_RESULT_BEGIN 0 254#define NSLCD_RESULT_END 3 255 256/* Partial list of PAM result codes. */ 257#define NSLCD_PAM_SUCCESS 0 /* everything ok */ 258#define NSLCD_PAM_PERM_DENIED 6 /* Permission denied */ 259#define NSLCD_PAM_AUTH_ERR 7 /* Authc failure */ 260#define NSLCD_PAM_CRED_INSUFFICIENT 8 /* Cannot access authc data */ 261#define NSLCD_PAM_AUTHINFO_UNAVAIL 9 /* Cannot retrieve authc info */ 262#define NSLCD_PAM_USER_UNKNOWN 10 /* User not known */ 263#define NSLCD_PAM_MAXTRIES 11 /* Retry limit reached */ 264#define NSLCD_PAM_NEW_AUTHTOK_REQD 12 /* Password expired */ 265#define NSLCD_PAM_ACCT_EXPIRED 13 /* Account expired */ 266#define NSLCD_PAM_SESSION_ERR 14 /* Cannot make/remove session record */ 267#define NSLCD_PAM_AUTHTOK_ERR 20 /* Authentication token manipulation error */ 268#define NSLCD_PAM_AUTHTOK_DISABLE_AGING 23 /* Password aging disabled */ 269#define NSLCD_PAM_IGNORE 25 /* Ignore module */ 270#define NSLCD_PAM_ABORT 26 /* Fatal error */ 271#define NSLCD_PAM_AUTHTOK_EXPIRED 27 /* authentication token has expired */ 272 273#endif /* not _NSLCD_H */ 274