authorSimo Sorce <ssorce@redhat.com>2011-06-23 15:02:04 -0400
committerSimo Sorce <ssorce@redhat.com>2011-08-26 08:24:49 -0400
commit49c25dbdf5b51a6cc157135a0d2f89c7eb408dd9 (patch)
treed36dc34e6ca42f728d34679ddbfe3c8282e48aad
parent0a4f7960b9cb2cc43c014a9ba5f96ddfbf5713fe (diff)
ipa-kdb: implement function to retrieve password policies
-rw-r--r--daemons/ipa-kdb/Makefile.am1
-rw-r--r--daemons/ipa-kdb/ipa_kdb.c49
-rw-r--r--daemons/ipa-kdb/ipa_kdb.h15
-rw-r--r--daemons/ipa-kdb/ipa_kdb_pwdpolicy.c187
4 files changed, 209 insertions, 43 deletions
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 37bfca403..609372612 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -30,6 +30,7 @@ ipadb_la_SOURCES = \
ipa_kdb_common.c \
ipa_kdb_mkey.c \
ipa_kdb_principals.c \
+ ipa_kdb_pwdpolicy.c \
$(KRB5_UTIL_SRCS) \
$(NULL)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 394cdb7b6..d38ce048d 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -400,43 +400,6 @@ static krb5_error_code ipadb_get_age(krb5_context kcontext,
return 0;
}
-static krb5_error_code ipadb_create_policy(krb5_context kcontext,
- osa_policy_ent_t policy)
-{
- return KRB5_PLUGIN_OP_NOTSUPP;
-}
-
-static krb5_error_code ipadb_get_policy(krb5_context kcontext, char *name,
- osa_policy_ent_t *policy)
-{
- return KRB5_PLUGIN_OP_NOTSUPP;
-}
-
-static krb5_error_code ipadb_put_policy(krb5_context kcontext,
- osa_policy_ent_t policy)
-{
- return KRB5_PLUGIN_OP_NOTSUPP;
-}
-
-static krb5_error_code ipadb_iterate_policy(krb5_context kcontext,
- char *match_entry,
- osa_adb_iter_policy_func func,
- void *data)
-{
- return KRB5_PLUGIN_OP_NOTSUPP;
-}
-
-static krb5_error_code ipadb_delete_policy(krb5_context kcontext,
- char *policy)
-{
- return KRB5_PLUGIN_OP_NOTSUPP;
-}
-
-static void ipadb_free_policy(krb5_context kcontext, osa_policy_ent_t val)
-{
- return;
-}
-
static void *ipadb_alloc(krb5_context context, void *ptr, size_t size)
{
return realloc(ptr, size);
@@ -466,12 +429,12 @@ kdb_vftabl kdb_function_table = {
ipadb_put_principal, /* put_principal */
ipadb_delete_principal, /* delete_principal */
ipadb_iterate, /* iterate */
- ipadb_create_policy, /* create_policy */
- ipadb_get_policy, /* get_policy */
- ipadb_put_policy, /* put_policy */
- ipadb_iterate_policy, /* iter_policy */
- ipadb_delete_policy, /* delete_policy */
- ipadb_free_policy, /* free_policy */
+ ipadb_create_pwd_policy, /* create_policy */
+ ipadb_get_pwd_policy, /* get_policy */
+ ipadb_put_pwd_policy, /* put_policy */
+ ipadb_iterate_pwd_policy, /* iter_policy */
+ ipadb_delete_pwd_policy, /* delete_policy */
+ ipadb_free_pwd_policy, /* free_policy */
ipadb_alloc, /* alloc */
ipadb_free, /* free */
ipadb_fetch_master_key, /* fetch_master_key */
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index b76cfdc9d..257145cb6 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -133,6 +133,21 @@ krb5_error_code ipadb_iterate(krb5_context kcontext,
int (*func)(krb5_pointer, krb5_db_entry *),
krb5_pointer func_arg);
+/* POLICY FUNCTIONS */
+krb5_error_code ipadb_create_pwd_policy(krb5_context kcontext,
+ osa_policy_ent_t policy);
+krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
+ osa_policy_ent_t *policy);
+krb5_error_code ipadb_put_pwd_policy(krb5_context kcontext,
+ osa_policy_ent_t policy);
+krb5_error_code ipadb_iterate_pwd_policy(krb5_context kcontext,
+ char *match_entry,
+ osa_adb_iter_policy_func func,
+ void *data);
+krb5_error_code ipadb_delete_pwd_policy(krb5_context kcontext,
+ char *policy);
+void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val);
+
/* MASTER KEY FUNCTIONS */
krb5_error_code ipadb_fetch_master_key(krb5_context kcontext,
krb5_principal mname,
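Review bot: The new prototypes under `/* POLICY FUNCTIONS */` say nothing about ownership of the `*policy` that `ipadb_get_pwd_policy` hands back, although the matching implementation in ipa_kdb_pwdpolicy.c allocates it (and its `name`) and `ipadb_free_pwd_policy` is the only routine that releases both. A one-line comment above the `ipadb_get_pwd_policy` declaration would make the contract visible to callers: `/* On success *policy is heap-allocated; release it with ipadb_free_pwd_policy(). */`. The other four entries only return `KRB5_PLUGIN_OP_NOTSUPP` in this commit; noting that next to the declarations (or in the header block) would save the next reader a trip into the .c file.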
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
new file mode 100644
index 000000000..3dc4c2188
--- /dev/null
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -0,0 +1,187 @@
+/*
+ * MIT Kerberos KDC database backend for FreeIPA
+ *
+ * Authors: Simo Sorce <ssorce@redhat.com>
+ *
+ * Copyright (C) 2011 Simo Sorce, Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "ipa_kdb.h"
+
+#define POLICY_SEARCH_FILTER "(&(objectClass=krbPwdPolicy)(cn=%s))"
+
+static char *std_pwdpolicy_attrs[] = {
+ "krbmaxpwdlife",
+ "krbminpwdlife",
+ "krbpwdmindiffchars",
+ "krbpwdminlength",
+ "krbpwdhistorylength",
+ "krbpwdmaxfailure",
+ "krbpwdmaxfailurecountinterval",
+ "krbpwdlockoutduration",
+
+ NULL
+};
+
+krb5_error_code ipadb_create_pwd_policy(krb5_context kcontext,
+ osa_policy_ent_t policy)
+{
+ return KRB5_PLUGIN_OP_NOTSUPP;
+}
+
+krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
+ osa_policy_ent_t *policy)
+{
+ struct ipadb_context *ipactx;
+ char *esc_name = NULL;
+ char *src_filter = NULL;
+ krb5_error_code kerr;
+ LDAPMessage *res = NULL;
+ LDAPMessage *lentry;
+ osa_policy_ent_t pentry;
+ uint32_t result;
+ int ret;
+
+ ipactx = ipadb_get_context(kcontext);
+ if (!ipactx) {
+ return KRB5_KDB_DBNOTINITED;
+ }
+
+ esc_name = ipadb_filter_escape(name, true);
+ if (!esc_name) {
+ return ENOMEM;
+ }
+
+ ret = asprintf(&src_filter, POLICY_SEARCH_FILTER, esc_name);
+ if (ret == -1) {
+ kerr = KRB5_KDB_INTERNAL_ERROR;
+ goto done;
+ }
+
+ kerr = ipadb_simple_search(ipactx,
+ ipactx->realm_base, LDAP_SCOPE_SUBTREE,
+ src_filter, std_pwdpolicy_attrs, &res);
+ if (kerr) {
+ goto done;
+ }
+
+ lentry = ldap_first_entry(ipactx->lcontext, res);
+ if (!lentry) {
+ kerr = KRB5_KDB_INTERNAL_ERROR;
+ goto done;
+ }
+
+ pentry = calloc(1, sizeof(osa_policy_ent_t));
+ if (!pentry) {
+ kerr = ENOMEM;
+ goto done;
+ }
+ pentry->version = 1;
+ pentry->name = strdup(name);
+ if (!pentry->name) {
+ kerr = ENOMEM;
+ goto done;
+ }
+
+ /* FIXME: what to do with missing attributes ? */
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbMinPwdLife", &result);
+ if (ret == 0) {
+ pentry->pw_min_life = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbMaxPwdLife", &result);
+ if (ret == 0) {
+ pentry->pw_max_life = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbPwdMinLength", &result);
+ if (ret == 0) {
+ pentry->pw_min_length = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbPwdMinDiffChars", &result);
+ if (ret == 0) {
+ pentry->pw_min_classes = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbPwdHistoryLength", &result);
+ if (ret == 0) {
+ pentry->pw_history_num = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbPwdMaxFailure", &result);
+ if (ret == 0) {
+ pentry->pw_max_fail = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbPwdFailureCountInterval", &result);
+ if (ret == 0) {
+ pentry->pw_failcnt_interval = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbPwdLockoutDuration", &result);
+ if (ret == 0) {
+ pentry->pw_lockout_duration = result;
+ }
+
+ *policy = pentry;
+
+done:
+ free(esc_name);
+ free(src_filter);
+ ldap_msgfree(res);
+
+ return kerr;
+}
+
+krb5_error_code ipadb_put_pwd_policy(krb5_context kcontext,
+ osa_policy_ent_t policy)
+{
+ return KRB5_PLUGIN_OP_NOTSUPP;
+}
+
+krb5_error_code ipadb_iterate_pwd_policy(krb5_context kcontext,
+ char *match_entry,
+ osa_adb_iter_policy_func func,
+ void *data)
+{
+ return KRB5_PLUGIN_OP_NOTSUPP;
+}
+
+krb5_error_code ipadb_delete_pwd_policy(krb5_context kcontext,
+ char *policy)
+{
+ return KRB5_PLUGIN_OP_NOTSUPP;
+}
+
+void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val)
+{
+ if (val) {
+ free(val->name);
+ free(val);
+ }
+}
+
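Review bot: `pentry = calloc(1, sizeof(osa_policy_ent_t));` in `ipadb_get_pwd_policy` allocates the size of a pointer, not of the policy record — the code itself treats `osa_policy_ent_t` as a pointer (`*policy = pentry;`, `pentry->version = 1;`) — so every later `pentry->pw_*` store writes past the end of the allocation; it should read `pentry = calloc(1, sizeof(*pentry));`. The requested-attribute table lists `"krbpwdmaxfailurecountinterval"` while the lookup below asks for `"krbPwdFailureCountInterval"`, so the search never returns that attribute and `pw_failcnt_interval` is left at its zeroed default; the two spellings should agree. When `strdup(name)` fails the function jumps to `done` without releasing `pentry`, leaking it — add `free(pentry);` on that path (or route it through `ipadb_free_pwd_policy`). Returning `KRB5_KDB_INTERNAL_ERROR` when `ldap_first_entry` finds no entry conflates "no such policy" with a backend failure; `kerr = KRB5_KDB_NOENTRY;` describes that case more precisely for callers.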