diff options
| author | Tomas Babej <tbabej@redhat.com> | 2014-04-01 12:41:16 +0200 |
|---|---|---|
| committer | Alexander Bokovoy <abokovoy@redhat.com> | 2014-05-05 18:50:01 +0300 |
| commit | 5d78cdf80951748f5f954a69c41a2a2cb1b84812 (patch) | |
| tree | 7e73d71c74c082e50f863d1c50248d8ccb50d6f0 /daemons | |
| parent | c3d7e66291987149b3b9a019945179c54debfbf1 (diff) | |
| download | freeipa-5d78cdf80951748f5f954a69c41a2a2cb1b84812.tar.gz freeipa-5d78cdf80951748f5f954a69c41a2a2cb1b84812.tar.xz freeipa-5d78cdf80951748f5f954a69c41a2a2cb1b84812.zip | |
ipa-pwd-extop: Deny LDAP binds for accounts with expired principals
Adds a check for krbprincipalexpiration attribute to pre_bind operation
in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is
denied and LDAP_UNWILLING_TO_PERFORM along with the error message is
sent back to the client. Since krbprincipalexpiration attribute is not
mandatory, if there is no value set, the check is passed.
https://fedorahosted.org/freeipa/ticket/3305
Reviewed-By: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'daemons')
| -rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c index def312ca8..23c7cb18c 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c @@ -1381,7 +1381,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) static const char *attrs_list[] = { SLAPI_USERPWD_ATTR, "ipaUserAuthType", "krbprincipalkey", "uid", "krbprincipalname", "objectclass", "passwordexpirationtime", - "passwordhistory", + "passwordhistory", "krbprincipalexpiration", NULL }; struct berval *credentials = NULL; @@ -1390,6 +1390,10 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) int method = 0; bool syncreq; int ret = 0; + time_t current_time; + time_t expire_time; + char *principal_expire = NULL; + struct tm expire_tm; /* get BIND parameters */ ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET, &dn); @@ -1411,6 +1415,35 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) return 0; } + /* Check if the principal is not expired */ + principal_expire = slapi_entry_attr_get_charptr(entry, "krbPrincipalExpiration"); + + if (principal_expire) { + /* if it is set, check whether the principal has not expired */ + memset(&expire_tm, 0, sizeof (expire_tm)); + + if (strptime(principal_expire, "%Y%m%d%H%M%SZ", &expire_tm)) { + expire_time = mktime(&expire_tm); + current_time = time(NULL); + + /* mktime returns -1 if the tm struct cannot be represented as + * as calendar time (seconds since the Epoch). This might + * happen with tm structs that are ill-formated or on 32-bit + * platforms with dates that would cause overflow + * (year 2038 and later). + * In such cases, skip the expiration check. */ + + if (current_time > expire_time && expire_time > 0) { + LOG_FATAL("kerberos principal in %s is expired\n", dn); + slapi_entry_free(entry); + slapi_send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, + "Account (Kerberos principal) is expired", + 0, NULL); + return -1; + } + } + } + /* Try to do OTP first. */ syncreq = sync_request_present(pb); if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials)) { |