nslcd.h revision 1.1.1.2 
1/*	$NetBSD: nslcd.h,v 1.1.1.2 2014/05/28 09:58:28 tron Exp $	*/
2
3/*
4   nslcd.h - file describing client/server protocol
5
6   Copyright (C) 2006 West Consulting
7   Copyright (C) 2006, 2007, 2009, 2010, 2011, 2012 Arthur de Jong
8
9   This library is free software; you can redistribute it and/or
10   modify it under the terms of the GNU Lesser General Public
11   License as published by the Free Software Foundation; either
12   version 2.1 of the License, or (at your option) any later version.
13
14   This library is distributed in the hope that it will be useful,
15   but WITHOUT ANY WARRANTY; without even the implied warranty of
16   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
17   Lesser General Public License for more details.
18
19   You should have received a copy of the GNU Lesser General Public
20   License along with this library; if not, write to the Free Software
21   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
22   02110-1301 USA
23*/
24
25#ifndef _NSLCD_H
26#define _NSLCD_H 1
27
28/*
29   The protocol used between the nslcd client and server is a simple binary
30   protocol. It is request/response based where the client initiates a
31   connection, does a single request and closes the connection again. Any
32   mangled or not understood messages will be silently ignored by the server.
33
34   A request looks like:
35     INT32  NSLCD_VERSION
36     INT32  NSLCD_ACTION_*
37     [request parameters if any]
38   A response looks like:
39     INT32  NSLCD_VERSION
40     INT32  NSLCD_ACTION_* (the original request type)
41     [result(s)]
42     INT32  NSLCD_RESULT_END
43   A single result entry looks like:
44     INT32  NSLCD_RESULT_BEGIN
45     [result value(s)]
46   If a response would return multiple values (e.g. for NSLCD_ACTION_*_ALL
47   functions) each return value will be preceded by a NSLCD_RESULT_BEGIN
48   value. After the last returned result the server sends
49   NSLCD_RESULT_END. If some error occurs (e.g. LDAP server unavailable,
50   error in the request, etc) the server terminates the connection to signal
51   an error condition (breaking the protocol).
52
53   These are the available basic data types:
54     INT32  - 32-bit integer value
55     TYPE   - a typed field that is transferred using sizeof()
56     STRING - a string length (32bit) followed by the string value (not
57              null-terminted) the string itself is assumed to be UTF-8
58     STRINGLIST - a 32-bit number noting the number of strings followed by
59                  the strings one at a time
60
61   Furthermore the ADDRESS compound data type is defined as:
62     INT32  type of address: e.g. AF_INET or AF_INET6
63     INT32  lenght of address
64     RAW    the address itself in network byte order
65   With the ADDRESSLIST using the same construct as with STRINGLIST.
66
67   The protocol uses host-byte order for all types (except in the raw
68   address above).
69*/
70
71/* The current version of the protocol. Note that version 1
72   is experimental and this version will be used until a
73   1.0 release of nss-pam-ldapd is made. */
74#define NSLCD_VERSION 1
75
76/* Get a NSLCD configuration option. There is one request parameter:
77    INT32   NSLCD_CONFIG_*
78  the result value is:
79    STRING  value, interpretation depending on request */
80#define NSLCD_ACTION_CONFIG_GET        20006
81
82/* return the message, if any, that is presented to the user when password
83   modification through PAM is prohibited */
84#define NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE  852
85
86/* Email alias (/etc/aliases) NSS requests. The result values for a
87   single entry are:
88     STRING      alias name
89     STRINGLIST  alias rcpts */
90#define NSLCD_ACTION_ALIAS_BYNAME       4001
91#define NSLCD_ACTION_ALIAS_ALL          4002
92
93/* Ethernet address/name mapping NSS requests. The result values for a
94   single entry are:
95     STRING            ether name
96     TYPE(uint8_t[6])  ether address */
97#define NSLCD_ACTION_ETHER_BYNAME       3001
98#define NSLCD_ACTION_ETHER_BYETHER      3002
99#define NSLCD_ACTION_ETHER_ALL          3005
100
101/* Group and group membership related NSS requests. The result values
102   for a single entry are:
103     STRING       group name
104     STRING       group password
105     TYPE(gid_t)  group id
106     STRINGLIST   members (usernames) of the group
107     (not that the BYMEMER call returns an emtpy members list) */
108#define NSLCD_ACTION_GROUP_BYNAME       5001
109#define NSLCD_ACTION_GROUP_BYGID        5002
110#define NSLCD_ACTION_GROUP_BYMEMBER     5003
111#define NSLCD_ACTION_GROUP_ALL          5004
112
113/* Hostname (/etc/hosts) lookup NSS requests. The result values
114   for an entry are:
115     STRING       host name
116     STRINGLIST   host aliases
117     ADDRESSLIST  host addresses */
118#define NSLCD_ACTION_HOST_BYNAME        6001
119#define NSLCD_ACTION_HOST_BYADDR        6002
120#define NSLCD_ACTION_HOST_ALL           6005
121
122/* Netgroup NSS request return a number of results. Result values
123   can be either a reference to another netgroup:
124     INT32   NSLCD_NETGROUP_TYPE_NETGROUP
125     STRING  other netgroup name
126   or a netgroup triple:
127     INT32   NSLCD_NETGROUP_TYPE_TRIPLE
128     STRING  host
129     STRING  user
130     STRING  domain */
131#define NSLCD_ACTION_NETGROUP_BYNAME   12001
132#define NSLCD_NETGROUP_TYPE_NETGROUP 123
133#define NSLCD_NETGROUP_TYPE_TRIPLE   456
134
135/* Network name (/etc/networks) NSS requests. Result values for a single
136   entry are:
137     STRING       network name
138     STRINGLIST   network aliases
139     ADDRESSLIST  network addresses */
140#define NSLCD_ACTION_NETWORK_BYNAME     8001
141#define NSLCD_ACTION_NETWORK_BYADDR     8002
142#define NSLCD_ACTION_NETWORK_ALL        8005
143
144/* User account (/etc/passwd) NSS requests. Result values are:
145     STRING       user name
146     STRING       user password
147     TYPE(uid_t)  user id
148     TYPE(gid_t)  group id
149     STRING       gecos information
150     STRING       home directory
151     STRING       login shell */
152#define NSLCD_ACTION_PASSWD_BYNAME      1001
153#define NSLCD_ACTION_PASSWD_BYUID       1002
154#define NSLCD_ACTION_PASSWD_ALL         1004
155
156/* Protocol information requests. Result values are:
157     STRING      protocol name
158     STRINGLIST  protocol aliases
159     INT32       protocol number */
160#define NSLCD_ACTION_PROTOCOL_BYNAME    9001
161#define NSLCD_ACTION_PROTOCOL_BYNUMBER  9002
162#define NSLCD_ACTION_PROTOCOL_ALL       9003
163
164/* RPC information requests. Result values are:
165     STRING      rpc name
166     STRINGLIST  rpc aliases
167     INT32       rpc number */
168#define NSLCD_ACTION_RPC_BYNAME        10001
169#define NSLCD_ACTION_RPC_BYNUMBER      10002
170#define NSLCD_ACTION_RPC_ALL           10003
171
172/* Service (/etc/services) information requests. Result values are:
173     STRING      service name
174     STRINGLIST  service aliases
175     INT32       service (port) number
176     STRING      service protocol */
177#define NSLCD_ACTION_SERVICE_BYNAME    11001
178#define NSLCD_ACTION_SERVICE_BYNUMBER  11002
179#define NSLCD_ACTION_SERVICE_ALL       11005
180
181/* Extended user account (/etc/shadow) information requests. Result
182   values for a single entry are:
183     STRING  user name
184     STRING  user password
185     INT32   last password change
186     INT32   mindays
187     INT32   maxdays
188     INT32   warn
189     INT32   inact
190     INT32   expire
191     INT32   flag */
192#define NSLCD_ACTION_SHADOW_BYNAME      2001
193#define NSLCD_ACTION_SHADOW_ALL         2005
194
195/* PAM-related requests. The request parameters for all these requests
196   begin with:
197     STRING  user name
198     STRING  DN (if value is known already, otherwise empty)
199     STRING  service name
200   all requests, except the SESSION requests start the result value with:
201     STRING  user name (cannonical name)
202     STRING  DN (can be used to speed up requests)
203   Some functions may return an authorisation message. This message, if
204   supplied will be used by the PAM module instead of a message that is
205   generated by the PAM module itself. */
206
207/* PAM authentication check request. The extra request values are:
208     STRING  password
209   and the result value ends with:
210     INT32   authc NSLCD_PAM_* result code
211     INT32   authz NSLCD_PAM_* result code
212     STRING  authorisation error message
213   If the username is empty in this request an attempt is made to
214   authenticate as the administrator (set using rootpwmoddn). The returned DN
215   is that of the administrator. */
216#define NSLCD_ACTION_PAM_AUTHC         20001
217
218/* PAM authorisation check request. The extra request values are:
219     STRING ruser
220     STRING rhost
221     STRING tty
222   and the result value ends with:
223     INT32   authz NSLCD_PAM_* result code
224     STRING  authorisation error message */
225#define NSLCD_ACTION_PAM_AUTHZ         20002
226
227/* PAM session open and close requests. These requests have the following
228   extra request values:
229     STRING tty
230     STRING rhost
231     STRING ruser
232     INT32 session id (ignored for SESS_O)
233   and these calls only return the session ID:
234     INT32 session id
235   The SESS_C must contain the ID that is retured by SESS_O to close the
236   correct session. */
237#define NSLCD_ACTION_PAM_SESS_O        20003
238#define NSLCD_ACTION_PAM_SESS_C        20004
239
240/* PAM password modification request. This requests has the following extra
241   request values:
242     STRING old password
243     STRING new password
244   and returns there extra result values:
245     INT32   authz NSLCD_PAM_* result code
246     STRING  authorisation error message
247   In this request the DN may be set to the administrator's DN. In this
248   case old password should be the administrator's password. This allows
249   the administrator to change any user's password. */
250#define NSLCD_ACTION_PAM_PWMOD         20005
251
252/* Request result codes. */
253#define NSLCD_RESULT_BEGIN                 0
254#define NSLCD_RESULT_END                   3
255
256/* Partial list of PAM result codes. */
257#define NSLCD_PAM_SUCCESS             0 /* everything ok */
258#define NSLCD_PAM_PERM_DENIED         6 /* Permission denied */
259#define NSLCD_PAM_AUTH_ERR            7 /* Authc failure */
260#define NSLCD_PAM_CRED_INSUFFICIENT   8 /* Cannot access authc data */
261#define NSLCD_PAM_AUTHINFO_UNAVAIL    9 /* Cannot retrieve authc info */
262#define NSLCD_PAM_USER_UNKNOWN       10 /* User not known */
263#define NSLCD_PAM_MAXTRIES           11 /* Retry limit reached */
264#define NSLCD_PAM_NEW_AUTHTOK_REQD   12 /* Password expired */
265#define NSLCD_PAM_ACCT_EXPIRED       13 /* Account expired */
266#define NSLCD_PAM_SESSION_ERR        14 /* Cannot make/remove session record */
267#define NSLCD_PAM_AUTHTOK_ERR        20 /* Authentication token manipulation error */
268#define NSLCD_PAM_AUTHTOK_DISABLE_AGING 23 /* Password aging disabled */
269#define NSLCD_PAM_IGNORE             25 /* Ignore module */
270#define NSLCD_PAM_ABORT              26 /* Fatal error */
271#define NSLCD_PAM_AUTHTOK_EXPIRED    27 /* authentication token has expired */
272
273#endif /* not _NSLCD_H */
274