Blob Blame History Raw
   nslcd.h - file describing client/server protocol

   Copyright (C) 2006 West Consulting
   Copyright (C) 2006, 2007, 2009, 2010, 2011, 2012, 2013 Arthur de Jong

   This library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.

   This library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with this library; if not, write to the Free Software
   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
   02110-1301 USA

#ifndef _NSLCD_H
#define _NSLCD_H 1

   The protocol used between the nslcd client and server is a simple binary
   protocol. It is request/response based where the client initiates a
   connection, does a single request and closes the connection again. Any
   mangled or not understood messages will be silently ignored by the server.

   A request looks like:
     [request parameters if any]
   A response looks like:
     INT32  NSLCD_ACTION_* (the original request type)
   A single result entry looks like:
     [result value(s)]
   If a response would return multiple values (e.g. for NSLCD_ACTION_*_ALL
   functions) each return value will be preceded by a NSLCD_RESULT_BEGIN
   value. After the last returned result the server sends
   NSLCD_RESULT_END. If some error occurs (e.g. LDAP server unavailable,
   error in the request, etc) the server terminates the connection to signal
   an error condition (breaking the protocol).

   These are the available basic data types:
     INT32  - 32-bit integer value
     TYPE   - a typed field that is transferred using sizeof()
     STRING - a string length (32bit) followed by the string value (not
              null-terminted) the string itself is assumed to be UTF-8
     STRINGLIST - a 32-bit number noting the number of strings followed by
                  the strings one at a time

   Furthermore the ADDRESS compound data type is defined as:
     INT32  type of address: e.g. AF_INET or AF_INET6
     INT32  lenght of address
     RAW    the address itself
   With the ADDRESSLIST using the same construct as with STRINGLIST.

   The protocol uses network byte order for all types.

/* The current version of the protocol. This protocol should only be
   updated with major backwards-incompatible changes. */
#define NSLCD_VERSION 0x00000002

/* Get a NSLCD configuration option. There is one request parameter:
  the result value is:
    STRING  value, interpretation depending on request */
#define NSLCD_ACTION_CONFIG_GET        0x00010001

/* return the message, if any, that is presented to the user when password
   modification through PAM is prohibited */

/* Email alias (/etc/aliases) NSS requests. The result values for a
   single entry are:
     STRING      alias name
     STRINGLIST  alias rcpts */
#define NSLCD_ACTION_ALIAS_BYNAME      0x00020001
#define NSLCD_ACTION_ALIAS_ALL         0x00020008

/* Ethernet address/name mapping NSS requests. The result values for a
   single entry are:
     STRING            ether name
     TYPE(uint8_t[6])  ether address */
#define NSLCD_ACTION_ETHER_BYNAME      0x00030001
#define NSLCD_ACTION_ETHER_BYETHER     0x00030002
#define NSLCD_ACTION_ETHER_ALL         0x00030008

/* Group and group membership related NSS requests. The result values
   for a single entry are:
     STRING       group name
     STRING       group password
     INT32        group id
     STRINGLIST   members (usernames) of the group
     (not that the BYMEMER call returns an emtpy members list) */
#define NSLCD_ACTION_GROUP_BYNAME      0x00040001
#define NSLCD_ACTION_GROUP_BYGID       0x00040002
#define NSLCD_ACTION_GROUP_BYMEMBER    0x00040006
#define NSLCD_ACTION_GROUP_ALL         0x00040008

/* Hostname (/etc/hosts) lookup NSS requests. The result values
   for an entry are:
     STRING       host name
     STRINGLIST   host aliases
     ADDRESSLIST  host addresses */
#define NSLCD_ACTION_HOST_BYNAME       0x00050001
#define NSLCD_ACTION_HOST_BYADDR       0x00050002
#define NSLCD_ACTION_HOST_ALL          0x00050008

/* Netgroup NSS result entries contain a number of parts. A result entry
   starts with:
     STRING  netgroup name
   followed by zero or more references to other netgroups or netgroup
   triples. A reference to another netgroup looks like:
     STRING  other netgroup name
   A a netgroup triple looks like:
     STRING  host
     STRING  user
     STRING  domain
   A netgroup result entry is terminated by:
#define NSLCD_ACTION_NETGROUP_ALL      0x00060008

/* Network name (/etc/networks) NSS requests. Result values for a single
   entry are:
     STRING       network name
     STRINGLIST   network aliases
     ADDRESSLIST  network addresses */
#define NSLCD_ACTION_NETWORK_BYNAME    0x00070001
#define NSLCD_ACTION_NETWORK_BYADDR    0x00070002
#define NSLCD_ACTION_NETWORK_ALL       0x00070008

/* User account (/etc/passwd) NSS requests. Result values are:
     STRING       user name
     STRING       user password
     INT32        user id
     INT32        group id
     STRING       gecos information
     STRING       home directory
     STRING       login shell */
#define NSLCD_ACTION_PASSWD_BYNAME     0x00080001
#define NSLCD_ACTION_PASSWD_BYUID      0x00080002
#define NSLCD_ACTION_PASSWD_ALL        0x00080008

/* Protocol information requests. Result values are:
     STRING      protocol name
     STRINGLIST  protocol aliases
     INT32       protocol number */
#define NSLCD_ACTION_PROTOCOL_ALL      0x00090008

/* RPC information requests. Result values are:
     STRING      rpc name
     STRINGLIST  rpc aliases
     INT32       rpc number */
#define NSLCD_ACTION_RPC_BYNAME        0x000a0001
#define NSLCD_ACTION_RPC_BYNUMBER      0x000a0002
#define NSLCD_ACTION_RPC_ALL           0x000a0008

/* Service (/etc/services) information requests. The BYNAME and BYNUMBER
   requests contain an extra protocol string in the request which, if not
   blank, will filter the services by this protocol. Result values are:
     STRING      service name
     STRINGLIST  service aliases
     INT32       service (port) number
     STRING      service protocol */
#define NSLCD_ACTION_SERVICE_BYNAME    0x000b0001
#define NSLCD_ACTION_SERVICE_ALL       0x000b0008

/* Extended user account (/etc/shadow) information requests. Result
   values for a single entry are:
     STRING  user name
     STRING  user password
     INT32   last password change
     INT32   mindays
     INT32   maxdays
     INT32   warn
     INT32   inact
     INT32   expire
     INT32   flag */
#define NSLCD_ACTION_SHADOW_BYNAME     0x000c0001
#define NSLCD_ACTION_SHADOW_ALL        0x000c0008

/* PAM-related requests. The request parameters for all these requests
   begin with:
     STRING  user name
     STRING  service name
     STRING  ruser
     STRING  rhost
     STRING  tty
   If the user is not known in LDAP no result may be returned (immediately
   return NSLCD_RESULT_END instead of a PAM error code). */

/* PAM authentication check request. The extra request values are:
     STRING  password
   and the result value consists of:
     INT32   authc NSLCD_PAM_* result code
     STRING  user name (the cannonical user name)
     INT32   authz NSLCD_PAM_* result code
     STRING  authorisation error message
   If the username is empty in this request an attempt is made to
   authenticate as the administrator (set using rootpwmoddn).
   Some authorisation checks are already done during authentication so the
   response also includes authorisation information. */
#define NSLCD_ACTION_PAM_AUTHC         0x000d0001

/* PAM authorisation check request. The result value consists of:
     INT32   authz NSLCD_PAM_* result code
     STRING  authorisation error message
   The authentication check may have already returned some authorisation
   information. The authorisation error message, if supplied, will be used
   by the PAM module instead of a message that is generated by the PAM
   module itself. */
#define NSLCD_ACTION_PAM_AUTHZ         0x000d0002

/* PAM session open request. The result value consists of:
     STRING   session id
   This session id may be used to close this session with. */
#define NSLCD_ACTION_PAM_SESS_O        0x000d0003

/* PAM session close request. This request has the following
   extra request value:
     STRING   session id
   and this calls only returns an empty response value. */
#define NSLCD_ACTION_PAM_SESS_C        0x000d0004

/* PAM password modification request. This requests has the following extra
   request values:
     INT32   asroot: 0=oldpasswd is user passwd, 1=oldpasswd is root passwd
     STRING  old password
     STRING  new password
   and returns there extra result values:
     INT32   NSLCD_PAM_* result code
     STRING  error message */
#define NSLCD_ACTION_PAM_PWMOD         0x000d0005

/* User information change request. This request allows one to change
   their full name and other information. The request parameters for this
   request are:
     STRING  user name
     INT32   asroot: 0=passwd is user passwd, 1=passwd is root passwd
     STRING  password
   followed by one or more of the below, terminated by NSLCD_USERMOD_END
     STRING  new value
   the response consists of one or more of the entries below, terminated
     STRING  response
   (if the response is blank, the change went OK, otherwise the string
   contains an error message)
#define NSLCD_ACTION_USERMOD           0x000e0001

/* These are the possible values for the NSLCD_ACTION_USERMOD operation
   above. */
#define NSLCD_USERMOD_END        0 /* end of change values */
#define NSLCD_USERMOD_RESULT     1 /* global result value */
#define NSLCD_USERMOD_FULLNAME   2 /* full name */
#define NSLCD_USERMOD_ROOMNUMBER 3 /* room number */
#define NSLCD_USERMOD_WORKPHONE  4 /* office phone number */
#define NSLCD_USERMOD_HOMEPHONE  5 /* home phone number */
#define NSLCD_USERMOD_OTHER      6 /* other info */
#define NSLCD_USERMOD_HOMEDIR    7 /* home directory */
#define NSLCD_USERMOD_SHELL      8 /* login shell */

/* Request result codes. */
#define NSLCD_RESULT_END   2

/* Partial list of PAM result codes. */
#define NSLCD_PAM_SUCCESS             0 /* everything ok */
#define NSLCD_PAM_PERM_DENIED         6 /* Permission denied */
#define NSLCD_PAM_AUTH_ERR            7 /* Authc failure */
#define NSLCD_PAM_CRED_INSUFFICIENT   8 /* Cannot access authc data */
#define NSLCD_PAM_AUTHINFO_UNAVAIL    9 /* Cannot retrieve authc info */
#define NSLCD_PAM_USER_UNKNOWN       10 /* User not known */
#define NSLCD_PAM_MAXTRIES           11 /* Retry limit reached */
#define NSLCD_PAM_NEW_AUTHTOK_REQD   12 /* Password expired */
#define NSLCD_PAM_ACCT_EXPIRED       13 /* Account expired */
#define NSLCD_PAM_SESSION_ERR        14 /* Cannot make/remove session record */
#define NSLCD_PAM_AUTHTOK_ERR        20 /* Authentication token manipulation error */
#define NSLCD_PAM_AUTHTOK_DISABLE_AGING 23 /* Password aging disabled */
#define NSLCD_PAM_IGNORE             25 /* Ignore module */
#define NSLCD_PAM_ABORT              26 /* Fatal error */
#define NSLCD_PAM_AUTHTOK_EXPIRED    27 /* authentication token has expired */

#endif /* not _NSLCD_H */