authorSimo Sorce <simo@redhat.com>2015-04-04 10:53:52 -0400
committerSimo Sorce <simo@redhat.com>2015-05-27 09:45:56 -0400
commitd5b6c8360116857623b4b67a42ed3788df2ba24a (patch)
tree2c3f7a30cc26d0f28a84c30304480804baf3546e /daemons/ipa-kdb/ipa_kdb.h
parent01fa05dd4ec7bd79abee8df0dd3642eabf138bcf (diff)
Detect default encsalts kadmin password change
When kadmin tries to change a password it will get the allowed keysalts from the password policy. Failure to provide them will result in kadmin using the defaults specified in the kdc.conf file or hardcoded defaults (the default salt is then of type NORMAL). This patch provides the supported values that have been read out of the appropriate LDAP attribute when we read the server configuration. Then at actual password change, check if kadmin is handing us back the exact list of supported encsalts we sent it, and in that case replace it with the real default encsalts. Fixes https://fedorahosted.org/freeipa/ticket/4914 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb.h')
-rw-r--r--daemons/ipa-kdb/ipa_kdb.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index ba9968bce..3c6138599 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -106,6 +106,8 @@ struct ipadb_context {
bool override_restrictions;
krb5_key_salt_tuple *supp_encs;
int n_supp_encs;
+ krb5_key_salt_tuple *def_encs;
+ int n_def_encs;
struct ipadb_mspac *mspac;
/* Don't access this directly, use ipadb_get_global_config(). */
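Review bot: The new `def_encs` / `n_def_encs` pair in `struct ipadb_context` carries no comment on who allocates and frees the array, or on the requirement that the count always matches it. Nothing in the header distinguishes it from the neighbouring `supp_encs` / `n_supp_encs` pair either. Per the commit message, the password-change path compares kadmin's list against the supported set and then substitutes the defaults, so a stale or mismatched count would be used as an array bound; I would add `/* default enc:salt tuples read from the server config; owned by this context, n_def_encs is the element count */` above the two fields. Presumably the context teardown and config-reload code frees and resets both members, but that lives outside this header and is worth confirming. The struct definition starts before and continues past this hunk.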