Index: nslcd.h
===================================================================
--- nslcd.h (revision 1715)
+++ nslcd.h (working copy)
@@ -59,17 +59,16 @@
 Furthermore the ADDRESS compound data type is defined as: INT32 type of address: e.g. AF_INET or AF_INET6 INT32 lenght of address
- RAW the address itself in network byte order
+ RAW the address itself
 With the ADDRESSLIST using the same construct as with STRINGLIST.
- The protocol uses host-byte order for all types (except in the raw
- address above).
+ The protocol uses network byte order for all types.
 */
 /* The current version of the protocol. Note that version 1 is experimental and this version will be used until a 1.0 release of nss-pam-ldapd is made. */
-#define NSLCD_VERSION 1
+#define NSLCD_VERSION 2
 /* Get a NSLCD configuration option. There is one request parameter: INT32 NSLCD_CONFIG_*
@@ -80,6 +79,9 @@
 /* return the message, if any, that is presented to the user when password modification through PAM is prohibited */
 #define NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE 852
+/* returns either "nopasswd", "userpasswd" or "rootpasswd" to specify the kind of (old) password required for changing the password */
+#define NSLCD_CONFIG_PAM_ROOTPWMOD 654
 /* Email alias (/etc/aliases) NSS requests. The result values for a single entry are:
@@ -130,6 +132,18 @@
 #define NSLCD_NETGROUP_TYPE_NETGROUP 123
 #define NSLCD_NETGROUP_TYPE_TRIPLE 456
+/* Note: I'm not very happy with the above. We should be getting back a single result entry: STRINGLIST other netgroup names NETGROUPLIST netgroup triples where each NETGROUPLIST item consists of STRING host STRING user STRING domain */
+
 /* Network name (/etc/networks) NSS requests. Result values for a single entry are: STRING network name
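Review bot: Dropping "in network byte order" from the RAW address line leaves the byte order of the address blob unspecified, because the new sentence "The protocol uses network byte order for all types" naturally reads as applying to the integer types (INT32 and friends), not to an opaque RAW value; keep `RAW    the address itself in network byte order` (or say "as stored in struct in_addr / in6_addr"). The NSLCD_VERSION bump to 2 is the right response to a wire-format change, and presumably both nslcd and the NSS/PAM modules refuse a mismatched version rather than misparse the stream; that expectation is worth stating next to the define, e.g. `/* both ends must reject a request or response with a different version */`.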
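Review bot: The comment on NSLCD_CONFIG_PAM_ROOTPWMOD lists the three string values but not the response type, and the neighbouring NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE comment does not help; state it, e.g. `STRING "nopasswd", "userpasswd" or "rootpasswd"`. It should also say that the value only tells the PAM module which old password to prompt for and that the actual check is done by nslcd when it handles the password modification request; otherwise "nopasswd" can be read as the server skipping verification, which I cannot confirm from this hunk. The value 654 also falls outside the 852 series used by the sibling option; presumably intentional, but a word on how these numbers are assigned would help the next person adding one.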
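Review bot: The added block is a first-person design note ("I'm not very happy with the above") in a public protocol header; if it is to stay, mark it as a tracked item, e.g. `/* TODO: replace NSLCD_NETGROUP_TYPE_* with a single result entry: ... */`, or move it to a TODO file. It also refers to a NETGROUPLIST type that this hunk does not define, so a reader cannot tell whether that type exists in the protocol yet; say explicitly that it is proposed.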
@@ -193,58 +207,58 @@
 /* PAM-related requests. The request parameters for all these requests begin with: STRING user name
- STRING DN (if value is known already, otherwise empty)
 STRING service name
- all requests, except the SESSION requests start the result value with:
- STRING user name (cannonical name)
- STRING DN (can be used to speed up requests)
- Some functions may return an authorisation message. This message, if
- supplied will be used by the PAM module instead of a message that is
- generated by the PAM module itself. */
+ STRING ruser
+ STRING rhost
+ STRING tty
+ If the user is not known in LDAP no result may be returned (immediately
+ return NSLCD_RESULT_END instead of a PAM error code). */
 /* PAM authentication check request. The extra request values are: STRING password
- and the result value ends with:
+ and the result value consists of:
 INT32 authc NSLCD_PAM_* result code
+ STRING user name (the cannonical user name)
 INT32 authz NSLCD_PAM_* result code STRING authorisation error message If the username is empty in this request an attempt is made to
- authenticate as the administrator (set using rootpwmoddn). The returned DN
- is that of the administrator. */
-#define NSLCD_ACTION_PAM_AUTHC 20001
+ authenticate as the administrator (set using rootpwmoddn).
+ Some authorisation checks are already done during authentication so the
+ response also includes authorisation information. */
+#define NSLCD_ACTION_PAM_AUTHC 21001
-/* PAM authorisation check request. The extra request values are:
- STRING ruser
- STRING rhost
- STRING tty
- and the result value ends with:
+/* PAM authorisation check request. The result value consists of:
 INT32 authz NSLCD_PAM_* result code
- STRING authorisation error message */
-#define NSLCD_ACTION_PAM_AUTHZ 20002
+ STRING authorisation error message
+ The authentication check may have already returned some authorisation
+ information. The authorisation error message, if supplied, will be used
+ by the PAM module instead of a message that is generated by the PAM
+ module itself. */
+#define NSLCD_ACTION_PAM_AUTHZ 21002
-/* PAM session open and close requests. These requests have the following
- extra request values:
- STRING tty
- STRING rhost
- STRING ruser
- INT32 session id (ignored for SESS_O)
- and these calls only return the session ID:
- INT32 session id
- The SESS_C must contain the ID that is retured by SESS_O to close the
- correct session. */
-#define NSLCD_ACTION_PAM_SESS_O 20003
-#define NSLCD_ACTION_PAM_SESS_C 20004
+/* PAM session open request. The result value consists of:
+ STRING session id
+ This session id may be used to close this session with. */
+#define NSLCD_ACTION_PAM_SESS_O 21003
+/* PAM session close request. This request has the following
+ extra request value:
+ STRING session id
+ and this calls only returns an empty response value. */
+#define NSLCD_ACTION_PAM_SESS_C 21004
+
+/* Note: I'm not sure whether PAM result codes are required here. */
+
 /* PAM password modification request. This requests has the following extra request values:
- STRING old password
- STRING new password
+ INT32 asroot: 0=oldpasswd is user passwd, 1=oldpasswd is root passwd
+ STRING old password
+ STRING new password
 and returns there extra result values:
- INT32 authz NSLCD_PAM_* result code
- STRING authorisation error message
- In this request the DN may be set to the administrator's DN. In this
- case old password should be the administrator's password. This allows
- the administrator to change any user's password. */
+ INT32 NSLCD_PAM_* result code
+ STRING error message */
 #define NSLCD_ACTION_PAM_PWMOD 20005
 /* Request result codes. */
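Review bot: The new `INT32 asroot` field in the PWMOD request lets the client declare that the old password is the administrator's, but the comment does not say that nslcd still verifies that password against the rootpwmoddn entry before touching another user's password; the removed text at least tied the administrator case to the administrator's password, so add `(the flag only selects which entry the old password is checked against; it grants nothing by itself)` to the asroot line, presumably matching what the server does. NSLCD_ACTION_PAM_PWMOD keeps 20005 although its request format changed and the sibling actions moved to 21001–21004; `#define NSLCD_ACTION_PAM_PWMOD 21005` keeps the series consistent and makes an old client's PWMOD fail on an unknown action rather than be parsed with the wrong layout. The added lines also carry typos: `STRING user name (the canonical user name)` and `and this call only returns an empty response value.`. In the PAM-related header, "no result may be returned" reads as permissive where a rule is meant; `no result is returned` says it.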