authorSimo Sorce <ssorce@redhat.com>2012-02-17 11:45:56 -0500
committerRob Crittenden <rcritten@redhat.com>2012-02-19 20:43:45 -0500
commit9942a29cab06ff99cdd3380c4daf3b41ebdf2fb8 (patch)
treee150e2563621eea350338ccb617f63e7044315b4 /daemons
parentffd39503c1e4c1b7a309953e232d4727551a58c3 (diff)
downloadfreeipa-9942a29cab06ff99cdd3380c4daf3b41ebdf2fb8.tar.gz
freeipa-9942a29cab06ff99cdd3380c4daf3b41ebdf2fb8.tar.xz
freeipa-9942a29cab06ff99cdd3380c4daf3b41ebdf2fb8.zip
policy: add function to check lockout policy
Fixes: https://fedorahosted.org/freeipa/ticket/2393
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-kdb/ipa_kdb.c2
-rw-r--r--daemons/ipa-kdb/ipa_kdb.h8
-rw-r--r--daemons/ipa-kdb/ipa_kdb_pwdpolicy.c53
3 files changed, 62 insertions, 1 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 1dae4e6c1..ed87d6fef 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -454,7 +454,7 @@ kdb_vftabl kdb_function_table = {
NULL, /* encrypt_key_data */
ipadb_sign_authdata, /* sign_authdata */
NULL, /* check_transited_realms */
- NULL, /* check_policy_as */
+ ipadb_check_policy_as, /* check_policy_as */
NULL, /* check_policy_tgs */
ipadb_audit_as_req, /* audit_as_req */
NULL, /* refresh_config */
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 22e28223c..996d8448b 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -185,6 +185,14 @@ krb5_error_code ipadb_delete_pwd_policy(krb5_context kcontext,
char *policy);
void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val);
+krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp kdc_time,
+ const char **status,
+ krb5_pa_data ***e_data);
+
/* MASTER KEY FUNCTIONS */
krb5_error_code ipadb_fetch_master_key(krb5_context kcontext,
krb5_principal mname,
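Review bot: The new `ipadb_check_policy_as` prototype is added without any comment, although it is the KDB `check_policy_as` hook and its contract is not obvious from the signature alone. A two-line comment above it would help the next reader: `/* KDB check_policy_as hook: returns 0 when the AS request may proceed, KRB5KDC_ERR_CLIENT_REVOKED (with *status = "LOCKED_OUT") when the IPA password policy locks the client out; ENOENT/EINVAL signal a missing client, context or e_data. */`. The `request` and `server` parameters are part of the vftabl signature and are not used by the implementation in ipa_kdb_pwdpolicy.c, which is also worth stating.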
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
index 03948029f..91de0342b 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -275,3 +275,56 @@ void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val)
}
}
+krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp kdc_time,
+ const char **status,
+ krb5_pa_data ***e_data)
+{
+ struct ipadb_context *ipactx;
+ struct ipadb_e_data *ied;
+ krb5_error_code kerr;
+
+ if (!client) {
+ return ENOENT;
+ }
+
+ ipactx = ipadb_get_context(kcontext);
+ if (!ipactx) {
+ return EINVAL;
+ }
+
+ ied = (struct ipadb_e_data *)client->e_data;
+ if (!ied) {
+ return EINVAL;
+ }
+
+ if (!ied->pol) {
+ kerr = ipadb_get_ipapwd_policy(ipactx, ied->pw_policy_dn, &ied->pol);
+ if (kerr != 0) {
+ return kerr;
+ }
+ }
+
+ if (client->last_failed <= ied->last_admin_unlock) {
+ /* admin unlocked the account */
+ return 0;
+ }
+
+ if (ied->pol->max_fail == 0 ||
+ client->fail_auth_count < ied->pol->max_fail) {
+ /* still within allowed failures range */
+ return 0;
+ }
+
+ if (ied->pol->lockout_duration == 0 ||
+ client->last_failed + ied->pol->lockout_duration > kdc_time) {
+ /* ok client permanently locked, or within lockout period */
+ *status = "LOCKED_OUT";
+ return KRB5KDC_ERR_CLIENT_REVOKED;
+ }
+
+ return 0;
+}
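Review bot: The lockout-window test `client->last_failed + ied->pol->lockout_duration > kdc_time` performs signed addition on a krb5_timestamp (a signed 32-bit integer in MIT krb5), so a large `lockout_duration` — if it is also a 32-bit int, which the hunk does not show — can overflow; that is undefined behaviour in C and in practice wraps negative, making the condition false and treating a locked account as unlocked. Rewriting it as `kdc_time - client->last_failed < ied->pol->lockout_duration` keeps both operands in range for any post-epoch timestamps and preserves the intended meaning. The function also lacks a header comment; it should state that 0 means the AS request may proceed, `KRB5KDC_ERR_CLIENT_REVOKED` with `*status = "LOCKED_OUT"` means the IPA password policy locks the client out, that ENOENT/EINVAL cover a missing client, context or e_data, and that `max_fail == 0` disables the counter while `lockout_duration == 0` means a permanent lockout. The unchecked cast of `client->e_data` to `struct ipadb_e_data *` assumes every entry reaching this hook was produced by this backend — presumably true for the KDB vftabl, but a one-line comment would record the assumption, as would one noting that a freshly fetched `ied->pol` is cached in the entry's e_data and therefore owned by whoever frees it.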