#include <freeradius-devel/radiusd.h>
#include <freeradius-devel/modules.h>
+#include <freeradius-devel/rad_assert.h>
#include <ctype.h>
#include <stdlib.h>
* Check the users password against the standard UNIX
* password table.
*/
-int od_authenticate(void *instance, REQUEST *request)
+static int od_authenticate(UNUSED void *instance, REQUEST *request)
{
char *name, *passwd;
int ret;
* a User-Name attribute.
*/
if (!request->username) {
- radlog(L_AUTH, "rlm_opendirectory: Attribute \"User-Name\" is required for authentication.");
+ RDEBUG("ERROR: You set 'Auth-Type = OpenDirectory' for a request that does not contain a User-Name attribute!");
return RLM_MODULE_INVALID;
}
/*
- * If the User-Password attribute is absent, is it MS-CHAPv2?
+ * Can't do OpenDirectory if there's no password.
*/
- if (!request->password) {
- radlog(L_AUTH, "rlm_opendirectory: Attribute \"User-Password\" is required for authentication.");
- return RLM_MODULE_INVALID;
- }
-
- /*
- * Ensure that we're being passed a plain-text password,
- * and not anything else.
- */
- if (request->password->attribute != PW_PASSWORD) {
- radlog(L_AUTH, "rlm_opendirectory: Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".",
- request->password->name);
+ if (!request->password ||
+ (request->password->attribute != PW_PASSWORD)) {
+ RDEBUG("ERROR: You set 'Auth-Type = OpenDirectory' for a request that does not contain a User-Password attribute!");
return RLM_MODULE_INVALID;
}
}
if (ret != RLM_MODULE_OK) {
- radlog(L_AUTH, "rlm_opendirectory: [%s]: invalid password", name);
+ RDEBUG("[%s]: Invalid password", name);
return ret;
}
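Review bot: The `"[%s]: Invalid password"` branch now emits only an RDEBUG, so outside debug mode the reason for a rejected Access-Request no longer reaches the auth log, whereas the od_authorize hunks in this same commit record their reasons with Module-Failure-Message; for consistency the authenticate failure should do the same, `radius_pairmake(request, &request->packet->vps, "Module-Failure-Message", "Invalid password", T_OP_EQ);` before `return ret;` (I am assuming the core appends Module-Failure-Message to its own failure log line, which this file does not show). The merged check on `request->password` also reports a missing User-Password even when the request carries a different password attribute, a case the removed `Cannot use "%s"` message distinguished; including `request->password->name` in the new message when the pair exists would keep that diagnostic. The code that computes `ret` lies outside this hunk.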
/*
* member of the radius group?
*/
-int od_authorize(void *instance, REQUEST *request)
+static int od_authorize(UNUSED void *instance, REQUEST *request)
{
char *name = NULL;
struct passwd *userdata = NULL;
int err;
char host_ipaddr[128] = {0};
- if (request == NULL || request->username == NULL) {
- radlog(L_AUTH, "rlm_opendirectory: Attribute \"User-Name\" is required for authorization.");
- return RLM_MODULE_INVALID;
+ if (!request || !request->username) {
+ RDEBUG("OpenDirectory requires a User-Name attribute.");
+ return RLM_MODULE_NOOP;
}
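Review bot: Returning RLM_MODULE_NOOP for a request without User-Name changes od_authorize from rejecting such requests (the removed RLM_MODULE_INVALID) to stepping aside, yet the new message "OpenDirectory requires a User-Name attribute." still reads like an error, and nothing explains why authorize now differs from od_authenticate, which keeps RLM_MODULE_INVALID for the same condition. I would put a why-comment above the check, `/* No User-Name: nothing for this module to decide, so step aside (NOOP) instead of rejecting; od_authenticate still fails such requests. */`. Whether `request` itself can be NULL here is not something the visible code establishes, so the `!request` test is harmless but presumably dead. The rest of od_authorize continues past this hunk.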
/* resolve SACL */
}
}
else {
- radlog(L_DBG, "rlm_opendirectory: The SACL group \"%s\" does not exist on this system.", kRadiusSACLName);
+ RDEBUG("The SACL group \"%s\" does not exist on this system.", kRadiusSACLName);
}
/* resolve client access list */
#endif
{
if (rad_client == NULL) {
- radlog(L_DBG, "rlm_opendirectory: The client record could not be found for host %s.",
+ RDEBUG("The client record could not be found for host %s.",
ip_ntoh(&request->packet->src_ipaddr,
host_ipaddr, sizeof(host_ipaddr)));
}
else {
- radlog(L_DBG, "rlm_opendirectory: The host %s does not have an access group.",
+ RDEBUG("The host %s does not have an access group.",
ip_ntoh(&request->packet->src_ipaddr,
host_ipaddr, sizeof(host_ipaddr)));
}
}
if (uuid_is_null(guid_sacl) && uuid_is_null(guid_nasgroup)) {
- radlog(L_DBG, "rlm_opendirectory: no access control groups, all users allowed.");
- if (pairfind(request->config_items, PW_AUTH_TYPE, 0) == NULL) {
+ RDEBUG("no access control groups, all users allowed.");
+ if (pairfind(request->config_items, PW_AUTH_TYPE, 0) == NULL) {
pairadd(&request->config_items, pairmake("Auth-Type", kAuthType, T_OP_EQ));
- radlog(L_DBG, "rlm_opendirectory: Setting Auth-Type = %s", kAuthType);
+ RDEBUG("Setting Auth-Type = %s", kAuthType);
}
return RLM_MODULE_OK;
}
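Review bot: When neither guid_sacl nor guid_nasgroup resolves, this block returns RLM_MODULE_OK and sets Auth-Type before the user is looked up at all, so a host with no SACL group and no NAS access group admits every User-Name to authentication, and the new RDEBUG "no access control groups, all users allowed." surfaces that only in debug output. The behaviour predates this commit, but a fail-open path of this kind should be stated in a code comment rather than a debug line: `/* No SACL and no NAS access group: nothing to enforce, so accept without resolving the user; the password itself is presumably still verified by od_authenticate via Auth-Type. */`. The pairfind/pairadd/RDEBUG trio here is duplicated verbatim at the end of od_authorize and could become one small static helper. The enclosing function starts and ends outside this hunk.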
/* resolve user */
uuid_clear(uuid);
name = (char *)request->username->vp_strvalue;
- if (name != NULL) {
- userdata = getpwnam(name);
- if (userdata != NULL) {
- err = mbr_uid_to_uuid(userdata->pw_uid, uuid);
- if (err != 0)
- uuid_clear(uuid);
- }
+ rad_assert(name != NULL);
+
+ userdata = getpwnam(name);
+ if (userdata != NULL) {
+ err = mbr_uid_to_uuid(userdata->pw_uid, uuid);
+ if (err != 0)
+ uuid_clear(uuid);
}
if (uuid_is_null(uuid)) {
- radlog(L_AUTH, "rlm_opendirectory: Could not get the user's uuid.");
+ radius_pairmake(request, &request->packet->vps,
+ "Module-Failure-Message", "Could not get the user's uuid", T_OP_EQ);
return RLM_MODULE_NOTFOUND;
}
if (!uuid_is_null(guid_sacl)) {
err = mbr_check_service_membership(uuid, kRadiusServiceName, &ismember);
if (err != 0) {
- radlog(L_AUTH, "rlm_opendirectory: Failed to check group membership.");
+ radius_pairmake(request, &request->packet->vps,
+ "Module-Failure-Message", "Failed to check group membership", T_OP_EQ);
return RLM_MODULE_FAIL;
}
if (ismember == 0) {
- radlog(L_AUTH, "rlm_opendirectory: User <%s> is not authorized.", name ? name : "unknown");
+ radius_pairmake(request, &request->packet->vps,
+ "Module-Failure-Message", "User is not authorized", T_OP_EQ);
return RLM_MODULE_USERLOCK;
}
}
if (!uuid_is_null(guid_nasgroup)) {
err = mbr_check_membership_refresh(uuid, guid_nasgroup, &ismember);
if (err != 0) {
- radlog(L_AUTH, "rlm_opendirectory: Failed to check group membership.");
+ radius_pairmake(request, &request->packet->vps,
+ "Module-Failure-Message", "Failed to check group membership", T_OP_EQ);
return RLM_MODULE_FAIL;
}
if (ismember == 0) {
- radlog(L_AUTH, "rlm_opendirectory: User <%s> is not authorized.", name ? name : "unknown");
+ radius_pairmake(request, &request->packet->vps,
+ "Module-Failure-Message", "User is not authorized", T_OP_EQ);
return RLM_MODULE_USERLOCK;
}
}
- radlog(L_AUTH, "rlm_opendirectory: User <%s> is authorized.", name ? name : "unknown");
if (pairfind(request->config_items, PW_AUTH_TYPE, 0) == NULL) {
pairadd(&request->config_items, pairmake("Auth-Type", kAuthType, T_OP_EQ));
- radlog(L_DBG, "rlm_opendirectory: Setting Auth-Type = %s", kAuthType);
+ RDEBUG("Setting Auth-Type = %s", kAuthType);
}
+
return RLM_MODULE_OK;
}
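Review bot: The rewritten user lookup keeps `getpwnam(name)`, which returns a pointer into static storage, so if od_authorize can run concurrently on several worker threads (the visible code does not show the threading model — confirm) two overlapping lookups can overwrite each other's result and the uuid derived from the wrong pw_uid would then drive the SACL and NAS-group decisions for a different user. The reentrant form avoids that; the excerpt below replaces the lookup and requires the `userdata` declaration at the top of the function to change with it. Separately, the "User <%s> is authorized." record was removed with no RDEBUG replacement while every other message in this file was converted, so `RDEBUG("User <%s> is authorized.", name);` before the final Auth-Type block would keep the module's trace symmetric with its failure paths (name is non-NULL here by the rad_assert above). od_authorize's declarations begin in an earlier hunk.
```c
struct passwd pwent, *userdata = NULL;	/* replaces the existing userdata declaration */
char pwbuf[1024];			/* sized generously; sysconf(_SC_GETPW_R_SIZE_MAX) is the portable bound */
/* … unchanged: SACL and client access list resolution … */
/* resolve user */
uuid_clear(uuid);
name = (char *)request->username->vp_strvalue;
rad_assert(name != NULL);

/* getpwnam_r writes into our own buffers, so concurrent lookups cannot clobber each other */
if (getpwnam_r(name, &pwent, pwbuf, sizeof(pwbuf), &userdata) != 0) {
	userdata = NULL;
}
if (userdata != NULL) {
	err = mbr_uid_to_uuid(userdata->pw_uid, uuid);
	if (err != 0)
		uuid_clear(uuid);
}
/* … unchanged: uuid null check and group membership checks … */
```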