summaryrefslogtreecommitdiffstats
path: root/daemons
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2009-10-02 09:30:16 -0400
committerJason Gerard DeRose <jderose@redhat.com>2009-10-05 13:29:55 -0600
commitdac224c25a2ff8a1400d0a746f600f81cfad6901 (patch)
treebbdb2882717b5f47e39810b8e5d2c504f08f0e6e /daemons
parent97dfa586dea42d44ad8e1d9148547fd805abd046 (diff)
downloadfreeipa-dac224c25a2ff8a1400d0a746f600f81cfad6901.tar.gz
freeipa-dac224c25a2ff8a1400d0a746f600f81cfad6901.tar.xz
freeipa-dac224c25a2ff8a1400d0a746f600f81cfad6901.zip
Add support for per-group kerberos password policy.
Use a Class of Service template to do per-group password policy. The design calls for non-overlapping groups but with cospriority we can still make sense of things. The password policy entries stored under the REALM are keyed only on the group name because the MIT ldap plugin can't handle quotes in the DN. It also can't handle spaces between elements in the DN.
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c41
1 files changed, 38 insertions, 3 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 744d7dd3a..863687581 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -974,6 +974,30 @@ done:
return ret;
}
+/* Easier handling for virtual attributes. You must call pwd_values_free()
+ * to free memory allocated here. It must be called before
+ * slapi_free_search_results_internal(entries) or
+ * slapi_pblock_destroy(pb)
+ */
+static int
+pwd_get_values(const Slapi_Entry *ent, const char *attrname,
+ Slapi_ValueSet** results, char** actual_type_name,
+ int *buffer_flags)
+{
+ int flags=0;
+ int type_name_disposition = 0;
+
+ int ret = slapi_vattr_values_get((Slapi_Entry *)ent, (char *)attrname, results, &type_name_disposition, actual_type_name, flags, buffer_flags);
+
+ return ret;
+}
+
+static void
+pwd_values_free(Slapi_ValueSet** results, char** actual_type_name, int buffer_flags)
+{
+ slapi_vattr_values_free(results, actual_type_name, buffer_flags);
+}
+
/* searches the directory and finds the policy closest to the DN */
/* return 0 on success, -1 on error or if no policy is found */
static int ipapwd_getPolicy(const char *dn, Slapi_Entry *target, Slapi_Entry **e)
@@ -991,6 +1015,9 @@ static int ipapwd_getPolicy(const char *dn, Slapi_Entry *target, Slapi_Entry **e
char **edn;
int ret, res, dist, rdnc, scope, i;
Slapi_DN *sdn = NULL;
+ int buffer_flags=0;
+ Slapi_ValueSet* results = NULL;
+ char* actual_type_name = NULL;
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
"ipapwd_getPolicy: Searching policy for [%s]\n", dn);
@@ -1003,10 +1030,15 @@ static int ipapwd_getPolicy(const char *dn, Slapi_Entry *target, Slapi_Entry **e
goto done;
}
- krbPwdPolicyReference = slapi_entry_attr_get_charptr(target, "krbPwdPolicyReference");
- if (krbPwdPolicyReference) {
+ pwd_get_values(target, "krbPwdPolicyReference", &results, &actual_type_name, &buffer_flags);
+ if (results) {
+ Slapi_Value *sv;
+ slapi_valueset_first_value(results, &sv);
+ krbPwdPolicyReference = slapi_value_get_string(sv);
pdn = krbPwdPolicyReference;
scope = LDAP_SCOPE_BASE;
+ slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
+ "ipapwd_getPolicy: using policy reference: %s\n", pdn);
} else {
/* Find ancestor base DN */
be = slapi_be_select(sdn);
@@ -1117,6 +1149,9 @@ static int ipapwd_getPolicy(const char *dn, Slapi_Entry *target, Slapi_Entry **e
*e = slapi_entry_dup(pe);
ret = 0;
done:
+ if (results) {
+ pwd_values_free(&results, &actual_type_name, buffer_flags);
+ }
if (pb) {
slapi_free_search_results_internal(pb);
slapi_pblock_destroy(pb);
@@ -1597,7 +1632,7 @@ no_policy:
if (pwdCharLen < krbPwdMinLength) {
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
- "ipapwd_checkPassword: Password too short\n");
+ "ipapwd_checkPassword: Password too short (%d < %d)\n", pwdCharLen, krbPwdMinLength);
return IPAPWD_POLICY_ERROR | LDAP_PWPOLICY_PWDTOOSHORT;
}