author Arthur de Jong <arthur@arthurdejong.org> 2012-12-16 16:17:42 +0100
committer Arthur de Jong <arthur@arthurdejong.org> 2012-12-16 16:17:42 +0100
commit 6a74d8dda1ea515c59aebbc1aa0b3093df61244c
tree 4dc6c19f67fa550ddfb50a87a741d02d696df115 /nslcd.h
parent 5f55781beb8bfc84412127b3777e1d1d126459b6
change PAM protocol to be more consistent and simpler
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1865 ef36b2f9-881f-0410-afb5-c4e39611909c
Diffstat (limited to 'nslcd.h')
-rw-r--r-- nslcd.h 78
1 files changed, 39 insertions, 39 deletions
diff --git a/nslcd.h b/nslcd.h
index 4a9e49c..cf5feb2 100644
--- a/nslcd.h
+++ b/nslcd.h
@@ -191,58 +191,58 @@
/* PAM-related requests. The request parameters for all these requests
begin with:
STRING user name
- STRING DN (if value is known already, otherwise empty)
STRING service name
- all requests, except the SESSION requests start the result value with:
- STRING user name (cannonical name)
- STRING DN (can be used to speed up requests)
- Some functions may return an authorisation message. This message, if
- supplied will be used by the PAM module instead of a message that is
- generated by the PAM module itself. */
+ STRING ruser
+ STRING rhost
+ STRING tty
+ If the user is not known in LDAP no result may be returned (immediately
+ return NSLCD_RESULT_END instead of a PAM error code). */
/* PAM authentication check request. The extra request values are:
STRING password
- and the result value ends with:
+ and the result value consists of:
INT32 authc NSLCD_PAM_* result code
+ STRING user name (the cannonical user name)
INT32 authz NSLCD_PAM_* result code
STRING authorisation error message
If the username is empty in this request an attempt is made to
- authenticate as the administrator (set using rootpwmoddn). The returned DN
- is that of the administrator. */
-#define NSLCD_ACTION_PAM_AUTHC 20001
-
-/* PAM authorisation check request. The extra request values are:
- STRING ruser
- STRING rhost
- STRING tty
- and the result value ends with:
+ authenticate as the administrator (set using rootpwmoddn).
+ Some authorisation checks are already done during authentication so the
+ response also includes authorisation information. */
+#define NSLCD_ACTION_PAM_AUTHC 21001
+
+/* PAM authorisation check request. The result value consists of:
INT32 authz NSLCD_PAM_* result code
- STRING authorisation error message */
-#define NSLCD_ACTION_PAM_AUTHZ 20002
-
-/* PAM session open and close requests. These requests have the following
- extra request values:
- STRING tty
- STRING rhost
- STRING ruser
- INT32 session id (ignored for SESS_O)
- and these calls only return the session ID:
- INT32 session id
- The SESS_C must contain the ID that is retured by SESS_O to close the
- correct session. */
-#define NSLCD_ACTION_PAM_SESS_O 20003
-#define NSLCD_ACTION_PAM_SESS_C 20004
+ STRING authorisation error message
+ The authentication check may have already returned some authorisation
+ information. The authorisation error message, if supplied, will be used
+ by the PAM module instead of a message that is generated by the PAM
+ module itself. */
+#define NSLCD_ACTION_PAM_AUTHZ 21002
+
+/* PAM session open request. The result value consists of:
+ STRING session id
+ This session id may be used to close this session with. */
+#define NSLCD_ACTION_PAM_SESS_O 21003
+
+/* PAM session close request. This request has the following
+ extra request value:
+ STRING session id
+ and this calls only returns an empty response value. */
+#define NSLCD_ACTION_PAM_SESS_C 21004
+
+/*
+Note: I'm not sure whether PAM result codes are required here.
+*/
/* PAM password modification request. This requests has the following extra
request values:
- STRING old password
- STRING new password
+ INT32 asroot: 0=oldpasswd is user passwd, 1=oldpasswd is root passwd
+ STRING old password
+ STRING new password
and returns there extra result values:
- INT32 authz NSLCD_PAM_* result code
- STRING authorisation error message
- In this request the DN may be set to the administrator's DN. In this
- case old password should be the administrator's password. This allows
- the administrator to change any user's password. */
+ INT32 NSLCD_PAM_* result code
+ STRING error message */
#define NSLCD_ACTION_PAM_PWMOD 20005
/* Request result codes. */
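Review bot: NSLCD_ACTION_PAM_PWMOD stays at 20005 at the end of this hunk while AUTHC, AUTHZ, SESS_O and SESS_C all move to 2100x, even though its request layout changes as well: the common DN field is dropped, ruser/rhost/tty join the common parameters, and a new INT32 asroot now precedes the two password strings. A PAM module and an nslcd built from different sides of this commit would agree on the action code but not on the field order, so a password string could be read as a different field; renumbering it to 21005 like the other PAM actions would make a mismatch fail cleanly on the action code. The asroot comment should also say what nslcd does with asroot=1 when rootpwmoddn is not configured, and that the flag only selects which credential the old password is checked against. The placeholder comment "Note: I'm not sure whether PAM result codes are required here." should be resolved rather than committed to a protocol header, since callers need to know whether the INT32 is an NSLCD_PAM_* code. The session id changes from INT32 to STRING without stating how it is generated or its maximum length; a line on both would help the SESS_C side validate it. Minor wording in added lines: "cannonical", "this calls only returns", and the retained "returns there extra result values".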