authorRob Crittenden <rcritten@redhat.com>2009-09-14 17:04:08 -0400
committerJason Gerard DeRose <jderose@redhat.com>2009-09-24 17:45:49 -0600
commitd0587cbdd5bc5e07a6e8519deb07adaace643740 (patch)
treeaa6b96e33337a809687ab025ec4d2a392ca757f0 /daemons/ipa-slapi-plugins/ipa-pwd-extop
parent4f4d57cd30ac7169e18a8e2e22e62d8bdda083c4 (diff)
Enrollment for a host in an IPA domain
This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab. If no Kerberos credentials are available then enrollment over LDAPS is used if a password is provided. This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...
Diffstat (limited to 'daemons/ipa-slapi-plugins/ipa-pwd-extop')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c40
1 files changed, 39 insertions, 1 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 24acc8875..744d7dd3a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -2088,6 +2088,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
Slapi_Entry *targetEntry=NULL;
struct berval *bval = NULL;
Slapi_Value **svals = NULL;
+ Slapi_Value **evals = NULL;
const char *bdn;
const Slapi_DN *bsdn;
Slapi_DN *sdn;
@@ -2095,7 +2096,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
Slapi_Entry **es = NULL;
int scope, res;
char *filter;
- char *attrlist[] = {"krbPrincipalKey", "krbLastPwdChange", NULL };
+ char *attrlist[] = {"krbPrincipalKey", "krbLastPwdChange", "userPassword", "krbPrincipalName", "enrolledBy", NULL };
krb5_context krbctx = NULL;
krb5_principal krbname = NULL;
krb5_error_code krberr;
@@ -2108,6 +2109,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
struct tm utctime;
char timestr[GENERALIZED_TIME_LENGTH+1];
time_t time_now = time(NULL);
+ char *pw = NULL;
+ char *krbPrincipalName = NULL;
svals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *));
if (!svals) {
@@ -2522,6 +2525,31 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE, "krbPrincipalKey", svals);
+ /* If we are creating a keytab for a host service attempt to remove
+ * the userPassword attribute if it exists
+ */
+ pw = slapi_entry_attr_get_charptr(targetEntry, "userPassword");
+ krbPrincipalName = slapi_entry_attr_get_charptr(targetEntry, "krbPrincipalName");
+ if ((strncmp(krbPrincipalName, "host/", 5) == 0)) {
+ char * krbLastPwdChange = slapi_entry_attr_get_charptr(targetEntry, "krbLastPwdChange");
+ char * enrolledBy = slapi_entry_attr_get_charptr(targetEntry, "enrolledBy");
+ if (NULL == enrolledBy) {
+ evals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *));
+ evals[0] = slapi_value_new_string(bindDN);
+ slapi_mods_add_mod_values(smods, LDAP_MOD_ADD, "enrolledBy", evals);
+ } else {
+ slapi_ch_free_string(&enrolledBy);
+ }
+ if ((NULL != pw) && (NULL == krbLastPwdChange)) {
+ slapi_mods_add_mod_values(smods, LDAP_MOD_DELETE, "userPassword", NULL);
+ slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
+ "Removing userPassword from host entry\n");
+ slapi_ch_free_string(&pw);
+ }
+ slapi_ch_free_string(&krbLastPwdChange);
+ }
+ slapi_ch_free_string(&krbPrincipalName);
+
/* commit changes */
ret = ipapwd_apply_mods(slapi_entry_get_dn_const(targetEntry), smods);
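Review bot: `pw` leaks on every path where the new block does not delete userPassword: it is allocated by `pw = slapi_entry_attr_get_charptr(targetEntry, "userPassword");` but freed only inside the `(NULL != pw) && (NULL == krbLastPwdChange)` branch, so a non-host principal, or a host that already has krbLastPwdChange, leaves a heap copy of the enrollment password behind for the lifetime of the slapd process. Move the free out to sit beside `slapi_ch_free_string(&krbPrincipalName);` (slapi_ch_free_string tolerates NULL), or, since the value is only tested for presence, avoid copying the secret at all with a presence check such as `slapi_entry_attr_exists(targetEntry, "userPassword")` if that helper is available in the 389-ds version in use. Two defensive checks are also missing in the same block: `strncmp(krbPrincipalName, "host/", 5)` dereferences NULL if the entry carries no krbPrincipalName (whether the search filter above guarantees the attribute is not visible here), so `if (krbPrincipalName && strncmp(krbPrincipalName, "host/", 5) == 0)`, and the `evals` calloc result is written to without the NULL check that `svals` gets earlier in the function. ipapwd_setkeytab begins and ends outside this hunk.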
@@ -2603,10 +2631,18 @@ free_and_return:
}
free(svals);
}
+ if (evals) {
+ for (i = 0; evals[i]; i++) {
+ slapi_value_free(&evals[i]);
+ }
+ free(evals);
+ }
if (krbname) krb5_free_principal(krbctx, krbname);
if (krbctx) krb5_free_context(krbctx);
+ if (rc == LDAP_SUCCESS)
+ errMesg = NULL;
slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", errMesg ? errMesg : "success");
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
@@ -2938,6 +2974,8 @@ static int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
}
sdn = slapi_sdn_new_dn_byref(dn);
if (!sdn) {
+ slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
+ "Unable to convert dn to sdn %s", dn?dn:"<NULL>");
*errMesg = "Internal Error";
rc = LDAP_OPERATIONS_ERROR;
goto done;
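Review bot: The new trace message `"Unable to convert dn to sdn %s"` has no trailing newline, unlike the other slapi_log_error call added in this commit (`"Removing userPassword from host entry\n"`), so it will run into the next log line; use `"Unable to convert dn to sdn %s\n"`. The `dn?dn:"<NULL>"` guard is welcome since the DN presumably originates from the client request and may be absent, though whether dn can actually be NULL at this point depends on code above the hunk. ipapwd_gen_checks begins and continues outside this hunk.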