authorSimo Sorce <ssorce@redhat.com>2011-02-09 23:48:28 -0500
committerRob Crittenden <rcritten@redhat.com>2011-02-14 13:36:27 -0500
commit5341a22ba2dec5099c8a14c0903c7770884ee6be (patch)
tree2e37685a181133f8a74e495649786c429066a5f9 /daemons/ipa-slapi-plugins
parent03e83f6cc8445976411751617e6b3d81a575807a (diff)
Update krbExtraData too when changing passwords.
Fixes: https://fedorahosted.org/freeipa/ticket/937
Diffstat (limited to 'daemons/ipa-slapi-plugins')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c13
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h3
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c58
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c19
4 files changed, 93 insertions, 0 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 5867f0846..7a4591f8a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -144,6 +144,7 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
char *attrlist[] = {"*", "passwordHistory", NULL };
struct ipapwd_data pwdata;
int is_krb, is_smb;
+ char *principal = NULL;
/* Get the ber value of the extended operation */
slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
@@ -384,6 +385,14 @@ parse_req_done:
LOG_TRACE("<= result: %d\n", rc);
+ if (pwdata.changetype == IPA_CHANGETYPE_NORMAL) {
+ principal = slapi_entry_attr_get_charptr(pwdata.target,
+ "krbPrincipalName");
+ } else {
+ principal = slapi_ch_smprintf("root/admin@%s", krbcfg->realm);
+ }
+ ipapwd_set_extradata(pwdata.dn, principal, pwdata.timeNow);
+
/* Free anything that we allocated above */
free_and_return:
slapi_ch_free_string(&oldPasswd);
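Review bot: `principal` can be NULL on the IPA_CHANGETYPE_NORMAL branch, because `slapi_entry_attr_get_charptr` returns NULL when the target entry has no krbPrincipalName, and `ipapwd_set_extradata` dereferences it unconditionally in `strlen(principal)`; the call needs a guard such as `if (principal == NULL || ipapwd_set_extradata(pwdata.dn, principal, pwdata.timeNow) != 0) LOG_FATAL("Failed to set krbExtraData on %s\n", pwdata.dn);`. That also addresses the second issue: the int result of `ipapwd_set_extradata` is discarded here, in the ipapwd_setkeytab hunk at line 884 of this file and in the ipapwd_post_op hunk of ipapwd_prepost.c, so a failed krbExtraData update leaves the entry's password and its change record out of step with nothing in the log. The ipapwd_post_op hunk resolves `principal` the same way and has the same NULL case. ipapwd_chpwop's body extends outside this hunk in both directions, so whether this block is reached only after a successful password change is not visible here.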
@@ -395,6 +404,7 @@ free_and_return:
slapi_ch_free_string(&dn);
slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, NULL);
slapi_ch_free_string(&authmethod);
+ slapi_ch_free_string(&principal);
if (targetEntry) slapi_entry_free(targetEntry);
if (ber) ber_free(ber, 1);
@@ -884,6 +894,9 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
}
slapi_mods_free(&smods);
+ ipapwd_set_extradata(slapi_entry_get_dn_const(targetEntry),
+ serviceName, time_now);
+
/* Format of response
*
* KeytabGetRequest ::= SEQUENCE {
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index aaaeeb717..e204bba20 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -129,6 +129,9 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods,
struct ipapwd_data *data);
int ipapwd_apply_mods(const char *dn, Slapi_Mods *mods);
+int ipapwd_set_extradata(const char *dn,
+ const char *principal,
+ time_t unixtime);
void ipapwd_free_slapi_value_array(Slapi_Value ***svals);
void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg);
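Review bot: The new `ipapwd_set_extradata` prototype has no comment, so neither the parameter contract nor the meaning of the return value can be read from the header. A short block comment would save the reader a trip to ipapwd_common.c, e.g. `/* Replace krbExtraData on dn with a master-kvno record and a type-0x0002 record holding the low 32 bits of unixtime (little endian) followed by the NUL-terminated principal. principal must not be NULL. Returns the result of ipapwd_apply_mods. */`. The truncation of time_t to 32 bits is the point most worth stating, since every caller passes a full time_t.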
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index d8a65f0e9..6f4f02e01 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -1230,6 +1230,7 @@ free_and_return:
return ret;
}
+
Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods,
struct ipapwd_data *data)
{
@@ -1383,6 +1384,63 @@ int ipapwd_apply_mods(const char *dn, Slapi_Mods *mods)
return ret;
}
+int ipapwd_set_extradata(const char *dn,
+ const char *principal,
+ time_t unixtime)
+{
+ Slapi_Mods *smods;
+ Slapi_Value *va[3] = { NULL };
+ struct berval bv;
+ char mkvno[4] = { 0x00, 0x08, 0x01, 0x00 };
+ char *xdata;
+ int xd_len;
+ int p_len;
+ int ret;
+
+ p_len = strlen(principal);
+ xd_len = 2 + 4 + p_len + 1;
+ xdata = malloc(xd_len);
+ if (!xdata) {
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ smods = slapi_mods_new();
+
+ /* always append a master key kvno of 1 for now */
+ bv.bv_val = mkvno;
+ bv.bv_len = 4;
+ va[0] = slapi_value_new_berval(&bv);
+
+ /* data type id */
+ xdata[0] = 0x00;
+ xdata[1] = 0x02;
+
+ /* unix timestamp in Little Endian */
+ xdata[2] = unixtime & 0xff;
+ xdata[3] = (unixtime & 0xff00) >> 8;
+ xdata[4] = (unixtime & 0xff0000) >> 16;
+ xdata[5] = (unixtime & 0xff000000) >> 24;
+
+ /* append the principal name */
+ strncpy(&xdata[6], principal, p_len);
+
+ xdata[xd_len -1] = 0;
+
+ bv.bv_val = xdata;
+ bv.bv_len = xd_len;
+ va[1] = slapi_value_new_berval(&bv);
+
+ slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE, "krbExtraData", va);
+
+ ret = ipapwd_apply_mods(dn, smods);
+
+ slapi_value_free(&va[1]);
+ slapi_value_free(&va[0]);
+ slapi_mods_free(&smods);
+
+ return ret;
+}
+
void ipapwd_free_slapi_value_array(Slapi_Value ***svals)
{
Slapi_Value **sv = *svals;
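Review bot: `xdata` is allocated with `malloc` at the top of ipapwd_set_extradata and is never freed on any path, so every password change, keytab set and post-op leaks `xd_len` bytes in a long-running directory server. `slapi_value_new_berval` copies the berval contents rather than taking ownership, so `free(xdata);` belongs immediately after `va[1] = slapi_value_new_berval(&bv);` (or the buffer could simply be a stack array sized from `p_len` if the plugin accepts VLAs). The `strncpy(&xdata[6], principal, p_len);` followed by the separate `xdata[xd_len -1] = 0;` is a `memcpy(&xdata[6], principal, p_len + 1);` in disguise and the latter makes the NUL handling obvious; `p_len` and `xd_len` should also be `size_t`, since `strlen` is silently narrowed into an int here. A one-line comment that the timestamp is intentionally cut to its low 32 bits (xdata[2..5]) would pre-empt the obvious question about time_t width.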
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 34045e208..60a8ca3be 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -786,6 +786,9 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
struct tm utctime;
char timestr[GENERALIZED_TIME_LENGTH+1];
int ret;
+ char *errMsg = "Internal operations error\n";
+ struct ipapwd_krbcfg *krbcfg = NULL;
+ char *principal = NULL;
LOG_TRACE("=>\n");
@@ -812,6 +815,12 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
return 0;
}
+ ret = ipapwd_gen_checks(pb, &errMsg, &krbcfg, 0);
+ if (ret != 0) {
+ LOG_FATAL("ipapwd_gen_checks failed!?\n");
+ return 0;
+ }
+
/* prepare changes that can be made only as root */
smods = slapi_mods_new();
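Review bot: The `return 0;` added after `LOG_FATAL("ipapwd_gen_checks failed!?\n");` exits ipapwd_post_op without reaching the `done:` cleanup at the end of the function, which is where `pwdop->pwdata.target` is freed; if the pwdop has already been retrieved by this point (the pre-existing `return 0;` just above suggests the pwdop checks precede it), the target entry leaks on this path. Replacing the return with `goto done;` is the cleaner fix provided `smods` is initialised to NULL before this point, which is not visible in the hunk; otherwise free the target explicitly before returning. ipapwd_post_op starts before and continues past this hunk.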
@@ -860,9 +869,19 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
if (ret)
LOG("Failed to set additional password attributes in the post-op!\n");
+ if (pwdop->pwdata.changetype == IPA_CHANGETYPE_NORMAL) {
+ principal = slapi_entry_attr_get_charptr(pwdop->pwdata.target,
+ "krbPrincipalName");
+ } else {
+ principal = slapi_ch_smprintf("root/admin@%s", krbcfg->realm);
+ }
+ ipapwd_set_extradata(pwdop->pwdata.dn, principal, pwdop->pwdata.timeNow);
+
done:
if (pwdop && pwdop->pwdata.target) slapi_entry_free(pwdop->pwdata.target);
slapi_mods_free(&smods);
+ slapi_ch_free_string(&principal);
+ free_ipapwd_krbcfg(&krbcfg);
return 0;
}