authorMartin Kosek <mkosek@redhat.com>2014-01-30 16:58:25 +0100
committerMartin Kosek <mkosek@redhat.com>2014-02-03 08:57:14 +0100
commitd85e2c9a8220e5a61c8dbc205d71693e832b668a (patch)
treedaaca502b70b4d17690e9db5c8bd330c582f696f
parentdf3fa943abf58f2ad02919ecb1b199f3ff6d510b (diff)
downloadfreeipa-d85e2c9a8220e5a61c8dbc205d71693e832b668a.zip
freeipa-d85e2c9a8220e5a61c8dbc205d71693e832b668a.tar.gz
freeipa-d85e2c9a8220e5a61c8dbc205d71693e832b668a.tar.xz
Fallback to global policy in ipa-lockout plugin
krbPwdPolicyReference is no longer filled in for default users. Instead, plugins fall back to a hardcoded global policy reference. Fix the ipa-lockout plugin to fall back to it instead of failing to apply the policy. https://fedorahosted.org/freeipa/ticket/4085
-rw-r--r--daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c34
1 files changed, 34 insertions, 0 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
index fd6602f..5a24359 100644
--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
@@ -49,6 +49,7 @@
#include <time.h>
#include "slapi-plugin.h"
#include "nspr.h"
+#include <krb5.h>
#include "util.h"
@@ -81,6 +82,8 @@ static int g_plugin_started = 0;
static struct ipa_context *global_ipactx = NULL;
+static char *ipa_global_policy = NULL;
+
#define GENERALIZED_TIME_LENGTH 15
/**
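Review bot: The new file-scope pointer `ipa_global_policy` carries no comment on what it holds or who owns it, and it is now shared by three functions in this patch. A short comment above the declaration would help, for example `/* DN of the realm's global password policy; built in ipalockout_get_global_config(), released in ipalockout_close() */`. It is also worth saying there that ipalockout_getpolicy() hands this pointer out through `*policy_dn`, so callers must treat it as borrowed.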
@@ -142,8 +145,11 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
Slapi_Attr *attr = NULL;
char *dn = NULL;
char *basedn = NULL;
+ char *realm = NULL;
Slapi_DN *sdn;
Slapi_Entry *config_entry;
+ krb5_context krbctx = NULL;
+ krb5_error_code krberr;
int ret;
/* Get cn=config so we can get the default naming context */
@@ -167,6 +173,28 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
goto done;
}
+ krberr = krb5_init_context(&krbctx);
+ if (krberr) {
+ LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ krberr = krb5_get_default_realm(krbctx, &realm);
+ if (krberr) {
+ LOG_FATAL("Failed to get default realm (%d)\n", krberr);
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
+ realm, basedn);
+ if (!ipa_global_policy) {
+ LOG_OOM();
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);
if (ret == -1) {
LOG_OOM();
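Review bot: The assignment `ipa_global_policy = slapi_ch_smprintf(...)` overwrites the global without releasing any earlier value. If ipalockout_get_global_config() can run more than once in the process lifetime (for example a plugin stop and start, which this hunk does not show), the previous string leaks. Placing `slapi_ch_free_string(&ipa_global_policy);` immediately before the assignment makes the function safe to re-run. The global is also set before the rest of the config lookup has succeeded, so a later `goto done` with an error leaves the fallback DN populated while the function reports failure; confirm that is intended. The function body starts and ends outside this hunk.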
@@ -221,6 +249,8 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
done:
if (config_entry)
slapi_entry_free(config_entry);
+ free(realm);
+ krb5_free_context(krbctx);
free(dn);
free(basedn);
return ret;
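Review bot: `free(realm)` releases memory obtained from krb5_get_default_realm() with the C library's free, whereas the krb5 API provides a matching release call. Use `krb5_free_default_realm(krbctx, realm);` ahead of `krb5_free_context(krbctx);` so the string is released by the library that allocated it. Early `goto done` paths reach this label with `krbctx` still NULL, so wrapping both calls in `if (krbctx) { ... }` avoids depending on how the library treats a NULL context. The rest of the function is outside this hunk.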
@@ -248,6 +278,8 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry, Slapi_Entry **policy_entry,
slapi_valueset_first_value(*values, &sv);
*policy_dn = slapi_value_get_string(sv);
}
+ } else {
+ *policy_dn = ipa_global_policy;
}
if (*policy_dn == NULL) {
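Review bot: The fallback `} else { *policy_dn = ipa_global_policy; }` is attached to the outer condition only, so when the outer branch is taken but the inner block assigns nothing, `*policy_dn` keeps its earlier value and the global policy is not applied. Since the next statement already tests `*policy_dn == NULL`, a single `if (*policy_dn == NULL) *policy_dn = ipa_global_policy;` placed just before that test would cover both paths. `ipa_global_policy` is itself NULL when ipalockout_get_global_config() failed, so the existing NULL branch must stay. What that branch does is outside the hunk, so it is worth confirming that it does not silently skip lockout enforcement for the entry. The conditions of both `if` statements are also outside the hunk.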
@@ -376,6 +408,8 @@ ipalockout_close(Slapi_PBlock * pb)
{
LOG_TRACE( "--in-->\n");
+ slapi_ch_free_string(&ipa_global_policy);
+
LOG_TRACE("<--out--\n");
return EOK;