authorRob Crittenden <rcritten@redhat.com>2010-06-11 16:12:29 -0400
committerRob Crittenden <rcritten@redhat.com>2010-06-24 14:24:15 -0400
commitc5bdfc71939ad5338c707cb6c6b0d2187d78b801 (patch)
tree1ac6a46c9e4dfad47a518d3871bceef96184f91d
parente036283fbbed0c2995986816124c2a561f79fbc4 (diff)
Don't try to convert a host's password into a keytab.
The migration plugin uses a pre-op function to automatically create kerberos credentials when binding using a password. The problem is that we do a simple bind when doing password-based host enrollment. This was causing krbPasswordExpiration to be set, which isn't what we want for hosts. They really shouldn't go through this code at all.
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c20
1 files changed, 15 insertions, 5 deletions
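diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index bd04e9d4d..c2d0373e6 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -2168,7 +2168,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 char timestr[GENERALIZED_TIME_LENGTH+1];
 time_t time_now = time(NULL);
 char *pw = NULL;
- char *krbPrincipalName = NULL;
+ Slapi_Value *objectclass;
 svals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *));
 if (!svals) {
@@ -2587,8 +2587,9 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 * the userPassword attribute if it exists
 */
 pw = slapi_entry_attr_get_charptr(targetEntry, "userPassword");
- krbPrincipalName = slapi_entry_attr_get_charptr(targetEntry, "krbPrincipalName");
- if ((strncmp(krbPrincipalName, "host/", 5) == 0)) {
+ objectclass = slapi_value_new_string("ipaHost");
+ if ((slapi_entry_attr_has_syntax_value(targetEntry, SLAPI_ATTR_OBJECTCLASS, objectclass)) == 1)
+ {
 char * krbLastPwdChange = slapi_entry_attr_get_charptr(targetEntry, "krbLastPwdChange");
 char * enrolledBy = slapi_entry_attr_get_charptr(targetEntry, "enrolledBy");
 if (NULL == enrolledBy) {
@@ -2604,9 +2605,9 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 "Removing userPassword from host entry\n");
 slapi_ch_free_string(&pw);
 }
- slapi_ch_free_string(&krbLastPwdChange);
+ slapi_value_free(&objectclass);
 }
- slapi_ch_free_string(&krbPrincipalName);
+ slapi_value_free(&objectclass);
 /* commit changes */
 ret = ipapwd_apply_mods(slapi_entry_get_dn_const(targetEntry), smods);
@@ -3280,6 +3281,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 char *errMesg = "Internal operations error\n"; /* error message */
 char *expire = NULL; /* passwordExpirationTime attribute value */
 char *dn = NULL; /* bind DN */
+ Slapi_Value *objectclass;
 int method; /* authentication method */
 int ret = 0;
@@ -3322,6 +3324,14 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 goto done;
 }
+ /* we aren't interested in host principals */
+ objectclass = slapi_value_new_string("ipaHost");
+ if ((slapi_entry_attr_has_syntax_value(entry, SLAPI_ATTR_OBJECTCLASS, objectclass)) == 1) {
+ slapi_value_free(&objectclass);
+ goto done;
+ }
+ slapi_value_free(&objectclass);
+
 /* check the krbPrincipalKey attribute is NOT present */
 ret = slapi_entry_attr_find(entry, "krbprincipalkey", &attr);
 if (!ret) {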
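Review bot: In the ipapwd_setkeytab hunk at old line 2604, the line `slapi_ch_free_string(&krbLastPwdChange);` is replaced by `slapi_value_free(&objectclass);`, so the string obtained from `slapi_entry_attr_get_charptr(targetEntry, "krbLastPwdChange")` inside the ipaHost block is never released, and `objectclass` is now freed once inside the block and again immediately after it. If `slapi_value_free` resets the pointer it is given to NULL (as the 389-ds slapi_ch_free family does) the second call is a no-op; if it does not, this is a double free on every host password change, which is worth confirming against the SLAPI headers in use. Either way the leak is real and accumulates in a long-running directory server, so the inner line should stay `slapi_ch_free_string(&krbLastPwdChange);` and the single `slapi_value_free(&objectclass);` after the block should remain. The equivalent allocate-check-free sequence added to ipapwd_pre_bind at new line 3324 is balanced as written; both enclosing functions continue outside the hunks shown.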