From d19a011c84949c323194fe389f1e84d0dcc61c70 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Mon, 10 Nov 2014 22:46:44 -0500
Subject: [PATCH] Move authentication configuration cache into libotp
This enables plugins to share authentication configuration cache code.
Additionally, update the caching mechanism to be declarative and faster.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
---
.../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c | 280 ---------------------
daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h | 82 ------
.../ipa-pwd-extop/ipa_pwd_extop.c | 21 +-
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 50 ++--
daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c | 4 +-
daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h | 4 +-
daemons/ipa-slapi-plugins/libotp/Makefile.am | 2 +-
daemons/ipa-slapi-plugins/libotp/otp_config.c | 274 ++++++++++++++++++++
daemons/ipa-slapi-plugins/libotp/otp_config.h | 65 +++++
daemons/ipa-slapi-plugins/libotp/otp_token.c | 58 ++---
daemons/ipa-slapi-plugins/libotp/otp_token.h | 11 +-
12 files changed, 395 insertions(+), 457 deletions(-)
delete mode 100644 daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c
delete mode 100644 daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h
create mode 100644 daemons/ipa-slapi-plugins/libotp/otp_config.c
create mode 100644 daemons/ipa-slapi-plugins/libotp/otp_config.h
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
index eeb352611e5b67a2f6803b59414fb31c37f39f33..1ab6c6704e401810772a5ababc7cc5eec19d2c83 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
@@ -44,7 +44,6 @@ libipa_pwd_extop_la_LIBADD = \
$(ASN1_UTIL_DIR)/libipaasn1.la \
$(NULL)
libipa_pwd_extop_la_SOURCES = \
- authcfg.c \
common.c \
encoding.c \
prepost.c \
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c
deleted file mode 100644
index 3ab5668edd7edcb9eaf247c18b964f6584c9d439..0000000000000000000000000000000000000000
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c
+++ /dev/null
@@ -1,280 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
- * Additional permission under GPLv3 section 7:
- *
- * In the following paragraph, "GPL" means the GNU General Public
- * License, version 3 or any later version, and "Non-GPL Code" means
- * code that is governed neither by the GPL nor a license
- * compatible with the GPL.
- *
- * You may link the code of this Program with Non-GPL Code and convey
- * linked combinations including the two, provided that such Non-GPL
- * Code only links to the code of this Program through those well
- * defined interfaces identified in the file named EXCEPTION found in
- * the source code files (the "Approved Interfaces"). The files of
- * Non-GPL Code may instantiate templates or use macros or inline
- * functions from the Approved Interfaces without causing the resulting
- * work to be covered by the GPL. Only the copyright holders of this
- * Program may make changes or additions to the list of Approved
- * Interfaces.
- *
- * Authors:
- * Nathaniel McCallum <npmccallum@redhat.com>
- *
- * Copyright (C) 2014 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK **/
-
-#include "authcfg.h"
-#include "ipapwd.h"
-
-#include "pratom.h"
-
-static struct config {
- struct config *next;
- Slapi_DN *suffix;
- uint32_t config;
-} *config;
-
-static uint32_t string_to_config(const char *str)
-{
- static const struct {
- const char *string;
- uint32_t config;
- } map[] = {
- { "disabled", AUTHCFG_AUTH_TYPE_DISABLED },
- { "password", AUTHCFG_AUTH_TYPE_PASSWORD },
- { "otp", AUTHCFG_AUTH_TYPE_OTP },
- { "pkinit", AUTHCFG_AUTH_TYPE_PKINIT },
- { "radius", AUTHCFG_AUTH_TYPE_RADIUS },
- {}
- };
-
- for (uint32_t i = 0; map[i].string != NULL; i++) {
- if (strcasecmp(map[i].string, str) == 0)
- return map[i].config;
- }
-
- return AUTHCFG_AUTH_TYPE_NONE;
-}
-
-static uint32_t entry_to_config(Slapi_Entry *e)
-{
- char **auth_types = NULL;
-
- if (e == NULL)
- return AUTHCFG_AUTH_TYPE_NONE;
-
- /* Fetch the auth type values from the config entry. */
- auth_types = slapi_entry_attr_get_charray(e, "ipaUserAuthType");
- if (auth_types == NULL)
- return AUTHCFG_AUTH_TYPE_NONE;
-
- uint32_t types = AUTHCFG_AUTH_TYPE_NONE;
- for (uint32_t i = 0; auth_types[i] != NULL; i++)
- types |= string_to_config(auth_types[i]);
-
- slapi_ch_array_free(auth_types);
-
- return types;
-}
-
-static Slapi_DN *suffix_to_config_dn(Slapi_DN *suffix)
-{
- Slapi_DN *sdn = NULL;
- char *dn = NULL;
-
- if (suffix == NULL)
- return NULL;
-
- dn = PR_smprintf("cn=ipaConfig,cn=etc,%s", slapi_sdn_get_dn(suffix));
- if (dn == NULL)
- return NULL;
-
- sdn = slapi_sdn_new_dn_byval(dn);
- PR_smprintf_free(dn);
- return sdn;
-}
-
-static uint32_t suffix_to_config(Slapi_DN *suffix)
-{
- static char *attrs[] = { "ipaUserAuthType", NULL };
- Slapi_Entry *entry = NULL;
- Slapi_DN *sdn = NULL;
- uint32_t types;
- int ret;
-
- sdn = suffix_to_config_dn(suffix);
- if (sdn == NULL)
- return AUTHCFG_AUTH_TYPE_NONE;
-
- ret = slapi_search_internal_get_entry(sdn, attrs, &entry,
- ipapwd_get_plugin_id());
- slapi_sdn_free(&sdn);
- if (ret != LDAP_SUCCESS)
- return AUTHCFG_AUTH_TYPE_NONE;
-
- types = entry_to_config(entry);
- slapi_entry_free(entry);
-
- return types;
-}
-
-static Slapi_DN *sdn_to_suffix(Slapi_DN *sdn)
-{
- Slapi_DN *suffix = NULL;
- void *node = NULL;
-
- if (sdn == NULL)
- return NULL;
-
- for (suffix = slapi_get_first_suffix(&node, 0); suffix != NULL;
- suffix = slapi_get_next_suffix(&node, 0)) {
- if (slapi_sdn_issuffix(sdn, suffix))
- return suffix;
- }
-
- return NULL;
-}
-
-static bool sdn_is_config(Slapi_DN *sdn)
-{
- Slapi_DN *sfx = NULL;
- Slapi_DN *cfg = NULL;
- int cmp;
-
- if (sdn == NULL)
- return false;
-
- sfx = sdn_to_suffix(sdn);
- if (sfx == NULL)
- return false;
-
- cfg = suffix_to_config_dn(sfx);
- if (cfg == NULL)
- return false;
-
- cmp = slapi_sdn_compare(cfg, sdn);
- slapi_sdn_free(&cfg);
- return cmp == 0;
-}
-
-void cache_free(struct config **cfg)
-{
- if (cfg == NULL || *cfg == NULL)
- return;
-
- cache_free(&(*cfg)->next);
- free(*cfg);
- *cfg = NULL;
-}
-
-bool authcfg_init(void)
-{
- struct config *cfg = NULL;
- Slapi_DN *sfx = NULL;
- void *node = NULL;
-
- /* If we are already initialized, return true. */
- if (config != NULL)
- return true;
-
- /* Look up the config for each suffix. */
- for (sfx = slapi_get_first_suffix(&node, 0); sfx != NULL;
- sfx = slapi_get_next_suffix(&node, 0)) {
- cfg = calloc(1, sizeof(*cfg));
- if (cfg == NULL) {
- authcfg_fini();
- return false;
- }
-
- cfg->suffix = sfx;
- cfg->config = suffix_to_config(sfx);
- cfg->next = config;
- config = cfg;
- }
-
- return true;
-}
-
-void authcfg_fini(void)
-{
- cache_free(&config);
-}
-
-uint32_t authcfg_get_auth_types(Slapi_Entry *user_entry)
-{
- uint32_t glbl = AUTHCFG_AUTH_TYPE_NONE;
- uint32_t user = AUTHCFG_AUTH_TYPE_NONE;
- Slapi_DN *sfx = NULL;
- Slapi_DN *sdn = NULL;
-
- /* Find the root suffix. */
- sdn = slapi_entry_get_sdn(user_entry);
- sfx = sdn_to_suffix(sdn);
-
- /* Find the global config. */
- if (sfx != NULL) {
- for (struct config *cfg = config; cfg && sfx; cfg = cfg->next) {
- if (slapi_sdn_compare(sfx, cfg->suffix) == 0) {
- glbl = PR_ATOMIC_ADD(&cfg->config, 0);
- break;
- }
- }
- }
-
- /* Global disabled overrides user settings. */
- if (glbl & AUTHCFG_AUTH_TYPE_DISABLED)
- return AUTHCFG_AUTH_TYPE_DISABLED;
-
- /* Get the user's config. */
- user = entry_to_config(user_entry);
-
- if (user == AUTHCFG_AUTH_TYPE_NONE) {
- if (glbl == AUTHCFG_AUTH_TYPE_NONE)
- return AUTHCFG_AUTH_TYPE_PASSWORD;
- return glbl;
- }
-
- return user & ~AUTHCFG_AUTH_TYPE_DISABLED;
-}
-
-void authcfg_reload_global_config(Slapi_DN *sdn, Slapi_Entry *config_entry)
-{
- uint32_t glbl = AUTHCFG_AUTH_TYPE_NONE;
- Slapi_DN *sfx = NULL;
- Slapi_DN *dest;
-
- /* Get the destination DN. */
- dest = config_entry == NULL ? NULL : slapi_entry_get_sdn(config_entry);
-
- /* Added, modified, moved into place. */
- if (sdn_is_config(dest)) {
- sfx = sdn_to_suffix(dest);
- glbl = entry_to_config(config_entry);
-
- /* Deleted, moved out of place. */
- } else if (sdn_is_config(sdn)) {
- sfx = sdn_to_suffix(sdn);
- }
-
- /* Reload config. */
- for (struct config *cfg = config; cfg && sfx; cfg = cfg->next) {
- if (slapi_sdn_compare(sfx, cfg->suffix) == 0) {
- PR_ATOMIC_SET(&cfg->config, glbl);
- break;
- }
- }
-}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h
deleted file mode 100644
index c2fc24605c0f915261a57967c43c35ab6e773263..0000000000000000000000000000000000000000
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
- * Additional permission under GPLv3 section 7:
- *
- * In the following paragraph, "GPL" means the GNU General Public
- * License, version 3 or any later version, and "Non-GPL Code" means
- * code that is governed neither by the GPL nor a license
- * compatible with the GPL.
- *
- * You may link the code of this Program with Non-GPL Code and convey
- * linked combinations including the two, provided that such Non-GPL
- * Code only links to the code of this Program through those well
- * defined interfaces identified in the file named EXCEPTION found in
- * the source code files (the "Approved Interfaces"). The files of
- * Non-GPL Code may instantiate templates or use macros or inline
- * functions from the Approved Interfaces without causing the resulting
- * work to be covered by the GPL. Only the copyright holders of this
- * Program may make changes or additions to the list of Approved
- * Interfaces.
- *
- * Authors:
- * Nathaniel McCallum <npmccallum@redhat.com>
- *
- * Copyright (C) 2014 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK **/
-
-
-#ifndef AUTHCFG_H_
-#define AUTHCFG_H_
-
-#include <dirsrv/slapi-plugin.h>
-#include <stdbool.h>
-
-#define AUTHCFG_AUTH_TYPE_NONE 0
-#define AUTHCFG_AUTH_TYPE_DISABLED 1
-#define AUTHCFG_AUTH_TYPE_PASSWORD 2
-#define AUTHCFG_AUTH_TYPE_OTP 4
-#define AUTHCFG_AUTH_TYPE_PKINIT 8
-#define AUTHCFG_AUTH_TYPE_RADIUS 16
-
-/* Initialize authentication configuration.
- *
- * Thread Safety: NO
- */
-bool authcfg_init(void);
-
-/* Free global authentication configuration resources.
- *
- * Thread Safety: NO
- */
-void authcfg_fini(void);
-
-/* Gets the permitted authentication types for the given user entry.
- *
- * The entry should be queried for the "ipaUserAuthType" attribute.
- *
- * Thread Safety: YES
- */
-uint32_t authcfg_get_auth_types(Slapi_Entry *user_entry);
-
-/* Reloads configuration from the specified global config entry.
- *
- * If the provided entry isn't a global config entry, this is a no-op.
- *
- * Thread Safety: YES
- */
-void authcfg_reload_global_config(Slapi_DN *sdn, Slapi_Entry *config_entry);
-
-#endif /* AUTHCFG_H_ */
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index ceea49cab50b0836c882240f210339e60d26729b..09c877f7010d3cc252c9f38e827cd33b63dea3b6 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -39,7 +39,7 @@
#include "ipapwd.h"
#include "util.h"
-#include "authcfg.h"
+#include "../libotp/otp_config.h"
#include "ipa_asn1.h"
/*
@@ -89,6 +89,8 @@ Slapi_PluginDesc ipapwd_plugin_desc = {
void *ipapwd_plugin_id;
static int usetxn = 0;
+extern struct otp_config *otp_config;
+
void *ipapwd_get_plugin_id(void)
{
return ipapwd_plugin_id;
@@ -1792,16 +1794,6 @@ static int ipapwd_start( Slapi_PBlock *pb )
Slapi_Entry *config_entry = NULL;
int ret;
- /* NOTE: We never call authcfg_fini() from a destructor. This is because
- * it may race with threaded requests at shutdown. This leak should
- * only occur when the DS is exiting, so it isn't a big deal.
- */
- if (!authcfg_init()) {
- LOG_FATAL("AuthConf initialization failed!\n");
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
krberr = krb5_init_context(&krbctx);
if (krberr) {
LOG_FATAL("krb5_init_context failed\n");
@@ -1871,11 +1863,16 @@ static int ipapwd_start( Slapi_PBlock *pb )
ret = LDAP_SUCCESS;
+ /* NOTE: We never call otp_config_fini() from a destructor. This is because
+ * it may race with threaded requests at shutdown. This leak should
+ * only occur when the DS is exiting, so it isn't a big deal.
+ */
+ otp_config = otp_config_init(ipapwd_plugin_id);
+
done:
free(realm);
krb5_free_context(krbctx);
if (config_entry) slapi_entry_free(config_entry);
- if (ret != LDAP_SUCCESS) authcfg_fini();
return ret;
}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 1dff6db1a8cfcc295ba43d1c29d8887e3cf37fec..96c55f39ba2a9dc1e9fc80d5f7d46787803ece47 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -63,7 +63,6 @@
#include "ipapwd.h"
#include "util.h"
#include "syncreq.h"
-#include "authcfg.h"
#define IPAPWD_OP_NULL 0
#define IPAPWD_OP_ADD 1
@@ -75,6 +74,8 @@ extern Slapi_PluginDesc ipapwd_plugin_desc;
extern void *ipapwd_plugin_id;
extern const char *ipa_realm_tree;
+struct otp_config *otp_config = NULL;
+
/* structure with information for each extension */
struct ipapwd_op_ext {
char *object_name; /* name of the object extended */
@@ -967,23 +968,9 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
return ret;
}
-static int ipapwd_post_authcfg(Slapi_PBlock *pb)
+static int ipapwd_post_updatecfg(Slapi_PBlock *pb)
{
- Slapi_Entry *config_entry = NULL;
- Slapi_DN *sdn = NULL;
- int oprc = 0;
-
- /* Just bail if the operation failed. */
- if (slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &oprc) != 0 || oprc != 0)
- return 0;
-
- if (slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn) != 0)
- return 0;
-
- /* Ignore the error here (delete operations). */
- slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &config_entry);
-
- authcfg_reload_global_config(sdn, config_entry);
+ otp_config_update(otp_config, pb);
return 0;
}
@@ -1003,8 +990,7 @@ static int ipapwd_post_modadd(Slapi_PBlock *pb)
LOG_TRACE("=>\n");
- /* Ignore error when parsing configuration. */
- ipapwd_post_authcfg(pb);
+ otp_config_update(otp_config, pb);
/* time to get the operation handler */
ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op);
@@ -1144,7 +1130,7 @@ static bool ipapwd_do_otp_auth(const char *dn, Slapi_Entry *bind_entry,
bool success = false;
/* Find all of the user's active tokens. */
- tokens = otp_token_find(ipapwd_plugin_id, dn, NULL, true, NULL);
+ tokens = otp_token_find(otp_config, dn, NULL, true, NULL);
if (tokens == NULL) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"%s: can't find tokens for '%s'.\n", __func__, dn);
@@ -1190,11 +1176,7 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
uint32_t auth_types;
/* Get the configured authentication types. */
- auth_types = authcfg_get_auth_types(entry);
-
- /* If global disabled flag is set, just punt. */
- if (auth_types & AUTHCFG_AUTH_TYPE_DISABLED)
- return true;
+ auth_types = otp_config_auth_types(otp_config, entry);
/*
* IMPORTANT SECTION!
@@ -1206,14 +1188,14 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
* 2. If PWD is enabled or OTP succeeded, fall through to PWD validation.
*/
- if (auth_types & AUTHCFG_AUTH_TYPE_OTP) {
+ if (auth_types & OTP_CONFIG_AUTH_TYPE_OTP) {
LOG_PLUGIN_NAME(IPAPWD_PLUGIN_NAME,
"Attempting OTP authentication for '%s'.\n", bind_dn);
if (ipapwd_do_otp_auth(bind_dn, entry, creds))
return true;
}
- return auth_types & AUTHCFG_AUTH_TYPE_PASSWORD;
+ return auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD;
}
static int ipapwd_authenticate(const char *dn, Slapi_Entry *entry,
@@ -1461,7 +1443,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
}
/* Attempt to handle a token synchronization request. */
- if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn))
+ if (syncreq && !sync_request_handle(otp_config, pb, dn))
goto invalid_creds;
/* Attempt to write out kerberos keys for the user. */
@@ -1513,9 +1495,9 @@ int ipapwd_post_init(Slapi_PBlock *pb)
ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&ipapwd_plugin_desc);
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_ADD_FN, (void *)ipapwd_post_modadd);
- if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_DELETE_FN, (void *)ipapwd_post_authcfg);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_DELETE_FN, (void *)ipapwd_post_updatecfg);
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *)ipapwd_post_modadd);
- if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODRDN_FN, (void *)ipapwd_post_authcfg);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODRDN_FN, (void *)ipapwd_post_updatecfg);
return ret;
}
@@ -1526,10 +1508,10 @@ int ipapwd_intpost_init(Slapi_PBlock *pb)
ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_03);
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&ipapwd_plugin_desc);
- if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_ADD_FN, (void *)ipapwd_post_authcfg);
- if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_DELETE_FN, (void *)ipapwd_post_authcfg);
- if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN, (void *)ipapwd_post_authcfg);
- if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN, (void *)ipapwd_post_authcfg);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_ADD_FN, (void *)ipapwd_post_updatecfg);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_DELETE_FN, (void *)ipapwd_post_updatecfg);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN, (void *)ipapwd_post_updatecfg);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN, (void *)ipapwd_post_updatecfg);
return ret;
}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c
index 10c49b724ee276d2b1fb89891a6eb4ee8eaa8fab..0aef438023e7f23d7219273e9f5efd5572e73c3f 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c
@@ -52,7 +52,7 @@ bool sync_request_present(Slapi_PBlock *pb)
return ldap_control_find(OTP_SYNC_REQUEST_OID, controls, NULL) != NULL;
}
-bool sync_request_handle(Slapi_ComponentId *plugin_id, Slapi_PBlock *pb,
+bool sync_request_handle(const struct otp_config *cfg, Slapi_PBlock *pb,
const char *user_dn)
{
struct otp_token **tokens = NULL;
@@ -90,7 +90,7 @@ bool sync_request_handle(Slapi_ComponentId *plugin_id, Slapi_PBlock *pb,
/* Process the synchronization. */
success = false;
if (ber_scanf(ber, "}") != LBER_ERROR) {
- tokens = otp_token_find(plugin_id, user_dn, token_dn, true, NULL);
+ tokens = otp_token_find(cfg, user_dn, token_dn, true, NULL);
if (tokens != NULL) {
success = otp_token_sync_berval(tokens, OTP_SYNC_MAX_STEPS, first, second);
otp_token_free_array(tokens);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h
index 34235901b7b2e49cc6e79423a92e0e4930c0b8cb..98a97c4c9f6d2e6bf74f97fc93053b3aebbc7821 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h
@@ -41,7 +41,7 @@
#ifndef SYNCREQ_H_
#define SYNCREQ_H_
-#include <dirsrv/slapi-plugin.h>
+#include "../libotp/otp_config.h"
#include <stdbool.h>
/*
@@ -57,7 +57,7 @@
bool sync_request_present(Slapi_PBlock *pb);
-bool sync_request_handle(Slapi_ComponentId *plugin_id, Slapi_PBlock *pb,
+bool sync_request_handle(const struct otp_config *cfg, Slapi_PBlock *pb,
const char *user_dn);
#endif /* SYNCREQ_H_ */
diff --git a/daemons/ipa-slapi-plugins/libotp/Makefile.am b/daemons/ipa-slapi-plugins/libotp/Makefile.am
index 012c8339199af5f63e6434b94109af2d93a38b45..4428f6bdc38a4e4ec224d1fa70744d8381f7e0b1 100644
--- a/daemons/ipa-slapi-plugins/libotp/Makefile.am
+++ b/daemons/ipa-slapi-plugins/libotp/Makefile.am
@@ -3,7 +3,7 @@ AM_CPPFLAGS = -I/usr/include/dirsrv
noinst_LTLIBRARIES = libhotp.la libotp.la
libhotp_la_SOURCES = hotp.c hotp.h
-libotp_la_SOURCES = otp_token.c otp_token.h
+libotp_la_SOURCES = otp_config.c otp_config.h otp_token.c otp_token.h
libotp_la_LIBADD = libhotp.la
check_PROGRAMS = t_hotp
diff --git a/daemons/ipa-slapi-plugins/libotp/otp_config.c b/daemons/ipa-slapi-plugins/libotp/otp_config.c
new file mode 100644
index 0000000000000000000000000000000000000000..1b7c1e658f126e3d1e8eabd129bb69dc5c4ce970
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/libotp/otp_config.c
@@ -0,0 +1,274 @@
+/** BEGIN COPYRIGHT BLOCK
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GPLv3 section 7:
+ *
+ * In the following paragraph, "GPL" means the GNU General Public
+ * License, version 3 or any later version, and "Non-GPL Code" means
+ * code that is governed neither by the GPL nor a license
+ * compatible with the GPL.
+ *
+ * You may link the code of this Program with Non-GPL Code and convey
+ * linked combinations including the two, provided that such Non-GPL
+ * Code only links to the code of this Program through those well
+ * defined interfaces identified in the file named EXCEPTION found in
+ * the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline
+ * functions from the Approved Interfaces without causing the resulting
+ * work to be covered by the GPL. Only the copyright holders of this
+ * Program may make changes or additions to the list of Approved
+ * Interfaces.
+ *
+ * Authors:
+ * Nathaniel McCallum <npmccallum@redhat.com>
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#include "otp_config.h"
+
+#include <pratom.h>
+#include <plstr.h>
+
+#define OTP_CONFIG_AUTH_TYPE_DISABLED (1 << 31)
+
+struct spec {
+ uint32_t (*func)(Slapi_Entry *, const char *attr);
+ const char *prefix;
+ const char *attr;
+ uint32_t dflt;
+};
+
+struct record {
+ struct record *next;
+ const struct spec *spec;
+ Slapi_DN *sdn;
+ uint32_t value;
+};
+
+struct otp_config {
+ Slapi_ComponentId *plugin_id;
+ struct record *records;
+};
+
+static uint32_t string_to_types(const char *str)
+{
+ static const struct {
+ const char *string;
+ uint32_t config;
+ } map[] = {
+ { "disabled", OTP_CONFIG_AUTH_TYPE_DISABLED },
+ { "password", OTP_CONFIG_AUTH_TYPE_PASSWORD },
+ { "otp", OTP_CONFIG_AUTH_TYPE_OTP },
+ { "pkinit", OTP_CONFIG_AUTH_TYPE_PKINIT },
+ { "radius", OTP_CONFIG_AUTH_TYPE_RADIUS },
+ {}
+ };
+
+ for (uint32_t i = 0; map[i].string != NULL; i++) {
+ if (strcasecmp(map[i].string, str) == 0)
+ return map[i].config;
+ }
+
+ return OTP_CONFIG_AUTH_TYPE_NONE;
+}
+
+static uint32_t entry_to_authtypes(Slapi_Entry *e, const char *attr)
+{
+ char **auth_types = NULL;
+
+ if (e == NULL)
+ return OTP_CONFIG_AUTH_TYPE_NONE;
+
+ /* Fetch the auth type values from the config entry. */
+ auth_types = slapi_entry_attr_get_charray(e, attr);
+ if (auth_types == NULL)
+ return OTP_CONFIG_AUTH_TYPE_NONE;
+
+ uint32_t types = OTP_CONFIG_AUTH_TYPE_NONE;
+ for (uint32_t i = 0; auth_types[i] != NULL; i++)
+ types |= string_to_types(auth_types[i]);
+
+ slapi_ch_array_free(auth_types);
+ return types;
+}
+
+static const struct spec authtypes = {
+ entry_to_authtypes,
+ "cn=ipaConfig,cn=etc,%s",
+ "ipaUserAuthType",
+ OTP_CONFIG_AUTH_TYPE_PASSWORD
+};
+
+static Slapi_DN *make_sdn(const char *prefix, const Slapi_DN *suffix)
+{
+ char *dn = slapi_ch_smprintf(prefix, slapi_sdn_get_dn(suffix));
+ return slapi_sdn_new_dn_passin(dn);
+}
+
+static uint32_t find_value(const struct otp_config *cfg,
+ const Slapi_DN *suffix, const struct spec *spec)
+{
+ uint32_t value = 0;
+ Slapi_DN *sdn;
+
+ sdn = make_sdn(spec->prefix, suffix);
+ for (struct record *rec = cfg->records; rec != NULL; rec = rec->next) {
+ if (rec->spec == spec) {
+ value = PR_ATOMIC_ADD(&rec->value, 0);
+ break;
+ }
+ }
+
+ slapi_sdn_free(&sdn);
+ return value;
+}
+
+static void update(const struct otp_config *cfg, Slapi_DN *src,
+ Slapi_Entry *entry)
+{
+ Slapi_DN *dst = entry == NULL ? NULL : slapi_entry_get_sdn(entry);
+
+ for (struct record *rec = cfg->records; rec != NULL; rec = rec->next) {
+ uint32_t val = rec->spec->dflt;
+
+ /* If added, modified or moved into place... */
+ if (dst != NULL && slapi_sdn_compare(rec->sdn, dst) == 0) {
+ Slapi_Attr *attr = NULL;
+ if (slapi_entry_attr_find(entry, rec->spec->attr, &attr) == 0)
+ val = rec->spec->func(entry, rec->spec->attr);
+
+ /* If NOT deleted or moved out of place... */
+ } else if (slapi_sdn_compare(rec->sdn, src) != 0)
+ continue;
+
+ PR_ATOMIC_SET(&rec->value, val);
+ }
+}
+
+struct otp_config *otp_config_init(Slapi_ComponentId *plugin_id)
+{
+ static const struct spec *specs[] = {
+ &authtypes,
+ NULL
+ };
+
+ struct otp_config *cfg = NULL;
+ void *node = NULL;
+
+ cfg = (typeof(cfg)) slapi_ch_calloc(1, sizeof(*cfg));
+ cfg->plugin_id = plugin_id;
+
+ /* Build the config table. */
+ for (Slapi_DN *sfx = slapi_get_first_suffix(&node, 0);
+ sfx != NULL;
+ sfx = slapi_get_next_suffix(&node, 0)) {
+ for (size_t i = 0; specs[i] != NULL; i++) {
+ Slapi_Entry *entry = NULL;
+ struct record *rec;
+
+ /* Create the config entry. */
+ rec = (typeof(rec)) slapi_ch_calloc(1, sizeof(*rec));
+ rec->spec = specs[i];
+ rec->sdn = make_sdn(rec->spec->prefix, sfx);
+
+ /* Add config to the list. */
+ rec->next = cfg->records;
+ cfg->records = rec;
+
+ /* Load the specified entry. */
+ slapi_search_internal_get_entry(rec->sdn, NULL, &entry, plugin_id);
+ update(cfg, rec->sdn, entry);
+ slapi_entry_free(entry);
+ }
+ }
+
+ return cfg;
+}
+
+static void record_fini(struct record **rec)
+{
+ if (rec == NULL || *rec == NULL)
+ return;
+
+ record_fini(&(*rec)->next);
+ slapi_sdn_free(&(*rec)->sdn);
+ slapi_ch_free((void **) rec);
+}
+
+void otp_config_fini(struct otp_config **cfg)
+{
+ if (cfg == NULL || *cfg == NULL)
+ return;
+
+ record_fini(&(*cfg)->records);
+ slapi_ch_free((void **) cfg);
+}
+
+void otp_config_update(struct otp_config *cfg, Slapi_PBlock *pb)
+{
+ Slapi_Entry *entry = NULL;
+ Slapi_DN *src = NULL;
+ int oprc = 0;
+
+ /* Just bail if the operation failed. */
+ if (slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &oprc) != 0 || oprc != 0)
+ return;
+
+ /* Get the source SDN. */
+ if (slapi_pblock_get(pb, SLAPI_TARGET_SDN, &src) != 0)
+ return;
+
+ /* Ignore the error here (delete operations). */
+ (void) slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &entry);
+
+ update(cfg, src, entry);
+}
+
+Slapi_ComponentId *otp_config_plugin_id(const struct otp_config *cfg)
+{
+ if (cfg == NULL)
+ return NULL;
+
+ return cfg->plugin_id;
+}
+
+uint32_t otp_config_auth_types(const struct otp_config *cfg,
+ Slapi_Entry *user_entry)
+{
+ uint32_t glbl = OTP_CONFIG_AUTH_TYPE_NONE;
+ uint32_t user = OTP_CONFIG_AUTH_TYPE_NONE;
+ const Slapi_DN *sfx;
+
+ /* Load the global value. */
+ sfx = slapi_get_suffix_by_dn(slapi_entry_get_sdn(user_entry));
+ glbl = find_value(cfg, sfx, &authtypes);
+
+ /* Load the user value if not disabled. */
+ if ((glbl & OTP_CONFIG_AUTH_TYPE_DISABLED) == 0)
+ user = entry_to_authtypes(user_entry, authtypes.attr);
+
+ /* Filter out the disabled flag. */
+ glbl &= ~OTP_CONFIG_AUTH_TYPE_DISABLED;
+ user &= ~OTP_CONFIG_AUTH_TYPE_DISABLED;
+
+ if (user != OTP_CONFIG_AUTH_TYPE_NONE)
+ return user;
+
+ if (glbl != OTP_CONFIG_AUTH_TYPE_NONE)
+ return glbl;
+
+ return OTP_CONFIG_AUTH_TYPE_PASSWORD;
+}
diff --git a/daemons/ipa-slapi-plugins/libotp/otp_config.h b/daemons/ipa-slapi-plugins/libotp/otp_config.h
new file mode 100644
index 0000000000000000000000000000000000000000..bfd514bd542b7d707e9eab4a9cdf31a4f6839ae5
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/libotp/otp_config.h
@@ -0,0 +1,65 @@
+/** BEGIN COPYRIGHT BLOCK
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GPLv3 section 7:
+ *
+ * In the following paragraph, "GPL" means the GNU General Public
+ * License, version 3 or any later version, and "Non-GPL Code" means
+ * code that is governed neither by the GPL nor a license
+ * compatible with the GPL.
+ *
+ * You may link the code of this Program with Non-GPL Code and convey
+ * linked combinations including the two, provided that such Non-GPL
+ * Code only links to the code of this Program through those well
+ * defined interfaces identified in the file named EXCEPTION found in
+ * the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline
+ * functions from the Approved Interfaces without causing the resulting
+ * work to be covered by the GPL. Only the copyright holders of this
+ * Program may make changes or additions to the list of Approved
+ * Interfaces.
+ *
+ * Authors:
+ * Nathaniel McCallum <npmccallum@redhat.com>
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#pragma once
+
+#include <dirsrv/slapi-plugin.h>
+
+#define OTP_CONFIG_AUTH_TYPE_NONE 0
+#define OTP_CONFIG_AUTH_TYPE_PASSWORD (1 << 0)
+#define OTP_CONFIG_AUTH_TYPE_OTP (1 << 1)
+#define OTP_CONFIG_AUTH_TYPE_PKINIT (1 << 2)
+#define OTP_CONFIG_AUTH_TYPE_RADIUS (1 << 3)
+
+struct otp_config;
+
+struct otp_config *otp_config_init(Slapi_ComponentId *plugin_id);
+
+void otp_config_fini(struct otp_config **cfg);
+
+void otp_config_update(struct otp_config *cfg, Slapi_PBlock *pb);
+
+Slapi_ComponentId *otp_config_plugin_id(const struct otp_config *cfg);
+
+/* Gets the permitted authentication types for the given user entry.
+ *
+ * The entry should be queried for the "ipaUserAuthType" attribute.
+ */
+uint32_t otp_config_auth_types(const struct otp_config *cfg,
+ Slapi_Entry *user_entry);
diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.c b/daemons/ipa-slapi-plugins/libotp/otp_token.c
index 7860c8aba6e12e319d633ee8e165403289a7528b..eef07268507444897d50509a54f2877866b9c07a 100644
--- a/daemons/ipa-slapi-plugins/libotp/otp_token.c
+++ b/daemons/ipa-slapi-plugins/libotp/otp_token.c
@@ -59,7 +59,7 @@ enum type {
};
struct otp_token {
- Slapi_ComponentId *plugin_id;
+ const struct otp_config *cfg;
Slapi_DN *sdn;
struct hotp_token token;
enum type type;
@@ -75,21 +75,6 @@ struct otp_token {
};
};
-static const char *get_basedn(Slapi_DN *dn)
-{
- Slapi_DN *suffix = NULL;
- void *node = NULL;
-
- for (suffix = slapi_get_first_suffix(&node, 0);
- suffix != NULL;
- suffix = slapi_get_next_suffix(&node, 0)) {
- if (slapi_sdn_issuffix(dn, suffix))
- return (char *) slapi_sdn_get_dn(suffix);
- }
-
- return NULL;
-}
-
static inline bool is_algo_valid(const char *algo)
{
static const char *valid_algos[] = { "sha1", "sha256", "sha384",
@@ -142,8 +127,8 @@ static bool writeattr(const struct otp_token *token, const char *attr,
snprintf(value, sizeof(value), "%lld", val);
pb = slapi_pblock_new();
- slapi_modify_internal_set_pb(pb, slapi_sdn_get_dn(token->sdn),
- mods, NULL, NULL, token->plugin_id, 0);
+ slapi_modify_internal_set_pb(pb, slapi_sdn_get_dn(token->sdn), mods, NULL,
+ NULL, otp_config_plugin_id(token->cfg), 0);
if (slapi_modify_internal_pb(pb) != 0)
goto error;
if (slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret) != 0)
@@ -251,7 +236,7 @@ void otp_token_free_array(struct otp_token **tokens)
free(tokens);
}
-static struct otp_token *otp_token_new(Slapi_ComponentId *id,
+static struct otp_token *otp_token_new(const struct otp_config *cfg,
Slapi_Entry *entry)
{
const struct berval *tmp;
@@ -261,7 +246,7 @@ static struct otp_token *otp_token_new(Slapi_ComponentId *id,
token = calloc(1, sizeof(struct otp_token));
if (token == NULL)
return NULL;
- token->plugin_id = id;
+ token->cfg = cfg;
/* Get the token type. */
vals = slapi_entry_attr_get_charray(entry, "objectClass");
@@ -333,16 +318,16 @@ error:
return NULL;
}
-static struct otp_token **find(Slapi_ComponentId *id, const char *user_dn,
+static struct otp_token **find(const struct otp_config *cfg, const char *user_dn,
const char *token_dn, const char *intfilter,
const char *extfilter)
{
struct otp_token **tokens = NULL;
+ const Slapi_DN *basedn = NULL;
Slapi_Entry **entries = NULL;
Slapi_PBlock *pb = NULL;
Slapi_DN *sdn = NULL;
char *filter = NULL;
- const char *basedn = NULL;
size_t count = 0;
int result = -1;
@@ -367,20 +352,19 @@ static struct otp_token **find(Slapi_ComponentId *id, const char *user_dn,
if (token_dn != NULL) {
/* Find only the token specified. */
slapi_search_internal_set_pb(pb, token_dn, LDAP_SCOPE_BASE, filter,
- NULL, 0, NULL, NULL, id, 0);
+ NULL, 0, NULL, NULL,
+ otp_config_plugin_id(cfg), 0);
} else {
sdn = slapi_sdn_new_dn_byval(user_dn);
- if (sdn == NULL)
- goto error;
-
- basedn = get_basedn(sdn);
+ basedn = slapi_get_suffix_by_dn(sdn);
+ slapi_sdn_free(&sdn);
if (basedn == NULL)
goto error;
/* Find all user tokens. */
- slapi_search_internal_set_pb(pb, basedn,
- LDAP_SCOPE_SUBTREE, filter, NULL,
- 0, NULL, NULL, id, 0);
+ slapi_search_internal_set_pb(pb, slapi_sdn_get_dn(basedn),
+ LDAP_SCOPE_SUBTREE, filter, NULL, 0,
+ NULL, NULL, otp_config_plugin_id(cfg), 0);
}
slapi_search_internal_pb(pb);
slapi_ch_free_string(&filter);
@@ -402,7 +386,7 @@ static struct otp_token **find(Slapi_ComponentId *id, const char *user_dn,
if (tokens == NULL)
goto error;
for (count = 0; entries[count] != NULL; count++) {
- tokens[count] = otp_token_new(id, entries[count]);
+ tokens[count] = otp_token_new(cfg, entries[count]);
if (tokens[count] == NULL) {
otp_token_free_array(tokens);
tokens = NULL;
@@ -411,15 +395,13 @@ static struct otp_token **find(Slapi_ComponentId *id, const char *user_dn,
}
error:
- if (sdn != NULL)
- slapi_sdn_free(&sdn);
slapi_pblock_destroy(pb);
return tokens;
}
-struct otp_token **
-otp_token_find(Slapi_ComponentId *id, const char *user_dn, const char *token_dn,
- bool active, const char *filter)
+struct otp_token **otp_token_find(const struct otp_config *cfg,
+ const char *user_dn, const char *token_dn,
+ bool active, const char *filter)
{
static const char template[] =
"(|(ipatokenNotBefore<=%04d%02d%02d%02d%02d%02dZ)(!(ipatokenNotBefore=*)))"
@@ -430,7 +412,7 @@ otp_token_find(Slapi_ComponentId *id, const char *user_dn, const char *token_dn,
time_t now;
if (!active)
- return find(id, user_dn, token_dn, NULL, filter);
+ return find(cfg, user_dn, token_dn, NULL, filter);
/* Get the current time. */
if (time(&now) == (time_t) -1)
@@ -446,7 +428,7 @@ otp_token_find(Slapi_ComponentId *id, const char *user_dn, const char *token_dn,
tm.tm_hour, tm.tm_min, tm.tm_sec) < 0)
return NULL;
- return find(id, user_dn, token_dn, actfilt, filter);
+ return find(cfg, user_dn, token_dn, actfilt, filter);
}
int otp_token_get_digits(struct otp_token *token)
diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.h b/daemons/ipa-slapi-plugins/libotp/otp_token.h
index 2f336780682b5ea2838b558079e2ae85f6e2afba..4b159077d933555d18e804174e29e22f1e8f0110 100644
--- a/daemons/ipa-slapi-plugins/libotp/otp_token.h
+++ b/daemons/ipa-slapi-plugins/libotp/otp_token.h
@@ -39,14 +39,15 @@
#pragma once
-#include <dirsrv/slapi-plugin.h>
+#include "otp_config.h"
#include <stdbool.h>
#include <stdlib.h>
struct otp_token;
/* Frees the token array. */
-void otp_token_free_array(struct otp_token **tokens);
+void
+otp_token_free_array(struct otp_token **tokens);
/* Find tokens.
*
@@ -65,9 +66,9 @@ void otp_token_free_array(struct otp_token **tokens);
* Returns NULL on error. If no tokens are found, an empty array is returned.
* The array is NULL terminated.
*/
-struct otp_token **otp_token_find(Slapi_ComponentId *id, const char *user_dn,
- const char *token_dn, bool active,
- const char *filter);
+struct otp_token **otp_token_find(const struct otp_config *cfg,
+ const char *user_dn, const char *token_dn,
+ bool active, const char *filter);
/* Get the length of the token code. */
int otp_token_get_digits(struct otp_token *token);
--
2.1.0