From 49c25dbdf5b51a6cc157135a0d2f89c7eb408dd9 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Thu, 23 Jun 2011 15:02:04 -0400
Subject: ipa-kdb: implement function to retrieve password policies

---
 daemons/ipa-kdb/Makefile.am | 1 +
 daemons/ipa-kdb/ipa_kdb.c | 49 ++--------
 daemons/ipa-kdb/ipa_kdb.h | 15 +++
 daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 187 ++++++++++++++++++++++++++++++++++++
 4 files changed, 209 insertions(+), 43 deletions(-)
 create mode 100644 daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
(limited to 'daemons/ipa-kdb')

diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 37bfca403..609372612 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -30,6 +30,7 @@ ipadb_la_SOURCES = \
 ipa_kdb_common.c \
 ipa_kdb_mkey.c \
 ipa_kdb_principals.c \
+ ipa_kdb_pwdpolicy.c \
 $(KRB5_UTIL_SRCS) \
 $(NULL)
 
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 394cdb7b6..d38ce048d 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -400,43 +400,6 @@ static krb5_error_code ipadb_get_age(krb5_context kcontext,
 return 0;
 }
 
-static krb5_error_code ipadb_create_policy(krb5_context kcontext,
- osa_policy_ent_t policy)
-{
- return KRB5_PLUGIN_OP_NOTSUPP;
-}
-
-static krb5_error_code ipadb_get_policy(krb5_context kcontext, char *name,
- osa_policy_ent_t *policy)
-{
- return KRB5_PLUGIN_OP_NOTSUPP;
-}
-
-static krb5_error_code ipadb_put_policy(krb5_context kcontext,
- osa_policy_ent_t policy)
-{
- return KRB5_PLUGIN_OP_NOTSUPP;
-}
-
-static krb5_error_code ipadb_iterate_policy(krb5_context kcontext,
- char *match_entry,
- osa_adb_iter_policy_func func,
- void *data)
-{
- return KRB5_PLUGIN_OP_NOTSUPP;
-}
-
-static krb5_error_code ipadb_delete_policy(krb5_context kcontext,
- char *policy)
-{
- return KRB5_PLUGIN_OP_NOTSUPP;
-}
-
-static void ipadb_free_policy(krb5_context kcontext, osa_policy_ent_t val)
-{
- return;
-}
-
 static void *ipadb_alloc(krb5_context context, void *ptr, size_t size)
 {
 return realloc(ptr, size);
@@ -466,12 +429,12 @@ kdb_vftabl kdb_function_table = {
 ipadb_put_principal, /* put_principal */
 ipadb_delete_principal, /* delete_principal */
 ipadb_iterate, /* iterate */
- ipadb_create_policy, /* create_policy */
- ipadb_get_policy, /* get_policy */
- ipadb_put_policy, /* put_policy */
- ipadb_iterate_policy, /* iter_policy */
- ipadb_delete_policy, /* delete_policy */
- ipadb_free_policy, /* free_policy */
+ ipadb_create_pwd_policy, /* create_policy */
+ ipadb_get_pwd_policy, /* get_policy */
+ ipadb_put_pwd_policy, /* put_policy */
+ ipadb_iterate_pwd_policy, /* iter_policy */
+ ipadb_delete_pwd_policy, /* delete_policy */
+ ipadb_free_pwd_policy, /* free_policy */
 ipadb_alloc, /* alloc */
 ipadb_free, /* free */
 ipadb_fetch_master_key, /* fetch_master_key */
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index b76cfdc9d..257145cb6 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -133,6 +133,21 @@ krb5_error_code ipadb_iterate(krb5_context kcontext,
 int (*func)(krb5_pointer, krb5_db_entry *),
 krb5_pointer func_arg);
 
+/* POLICY FUNCTIONS */
+krb5_error_code ipadb_create_pwd_policy(krb5_context kcontext,
+ osa_policy_ent_t policy);
+krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
+ osa_policy_ent_t *policy);
+krb5_error_code ipadb_put_pwd_policy(krb5_context kcontext,
+ osa_policy_ent_t policy);
+krb5_error_code ipadb_iterate_pwd_policy(krb5_context kcontext,
+ char *match_entry,
+ osa_adb_iter_policy_func func,
+ void *data);
+krb5_error_code ipadb_delete_pwd_policy(krb5_context kcontext,
+ char *policy);
+void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val);
+
 /* MASTER KEY FUNCTIONS */
 krb5_error_code ipadb_fetch_master_key(krb5_context kcontext,
 krb5_principal mname,
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
new file mode 100644
index 000000000..3dc4c2188
--- /dev/null
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
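Review bot: The new prototypes under `/* POLICY FUNCTIONS */` say nothing about who owns the entry that `ipadb_get_pwd_policy` hands back through `*policy`, which matters because the matching `ipadb_free_pwd_policy` in this patch frees both the entry and its `name`. A comment above the block such as `/* get_pwd_policy returns a heap-allocated entry owned by the caller; release it with ipadb_free_pwd_policy(). create/put/iterate/delete are not implemented and return KRB5_PLUGIN_OP_NOTSUPP. */` would record that contract next to the declarations. The non-const `char *name` and `char *policy` parameters are presumably dictated by the kdb_vftabl signatures, so they are best left as they are.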
@@ -0,0 +1,187 @@
+/*
+ * MIT Kerberos KDC database backend for FreeIPA
+ *
+ * Authors: Simo Sorce
+ *
+ * Copyright (C) 2011 Simo Sorce, Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#include "ipa_kdb.h"
+
+#define POLICY_SEARCH_FILTER "(&(objectClass=krbPwdPolicy)(cn=%s))"
+
+static char *std_pwdpolicy_attrs[] = {
+ "krbmaxpwdlife",
+ "krbminpwdlife",
+ "krbpwdmindiffchars",
+ "krbpwdminlength",
+ "krbpwdhistorylength",
+ "krbpwdmaxfailure",
+ "krbpwdmaxfailurecountinterval",
+ "krbpwdlockoutduration",
+
+ NULL
+};
+
+krb5_error_code ipadb_create_pwd_policy(krb5_context kcontext,
+ osa_policy_ent_t policy)
+{
+ return KRB5_PLUGIN_OP_NOTSUPP;
+}
+
+krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
+ osa_policy_ent_t *policy)
+{
+ struct ipadb_context *ipactx;
+ char *esc_name = NULL;
+ char *src_filter = NULL;
+ krb5_error_code kerr;
+ LDAPMessage *res = NULL;
+ LDAPMessage *lentry;
+ osa_policy_ent_t pentry;
+ uint32_t result;
+ int ret;
+
+ ipactx = ipadb_get_context(kcontext);
+ if (!ipactx) {
+ return KRB5_KDB_DBNOTINITED;
+ }
+
+ esc_name = ipadb_filter_escape(name, true);
+ if (!esc_name) {
+ return ENOMEM;
+ }
+
+ ret = asprintf(&src_filter, POLICY_SEARCH_FILTER, esc_name);
+ if (ret == -1) {
+ kerr = KRB5_KDB_INTERNAL_ERROR;
+ goto done;
+ }
+
+ kerr = ipadb_simple_search(ipactx,
+ ipactx->realm_base, LDAP_SCOPE_SUBTREE,
+ src_filter, std_pwdpolicy_attrs, &res);
+ if (kerr) {
+ goto done;
+ }
+
+ lentry = ldap_first_entry(ipactx->lcontext, res);
+ if (!lentry) {
+ kerr = KRB5_KDB_INTERNAL_ERROR;
+ goto done;
+ }
+
+ pentry = calloc(1, sizeof(osa_policy_ent_t));
+ if (!pentry) {
+ kerr = ENOMEM;
+ goto done;
+ }
+ pentry->version = 1;
+ pentry->name = strdup(name);
+ if (!pentry->name) {
+ kerr = ENOMEM;
+ goto done;
+ }
+
+ /* FIXME: what to do with missing attributes ? */
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbMinPwdLife", &result);
+ if (ret == 0) {
+ pentry->pw_min_life = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbMaxPwdLife", &result);
+ if (ret == 0) {
+ pentry->pw_max_life = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbPwdMinLength", &result);
+ if (ret == 0) {
+ pentry->pw_min_length = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbPwdMinDiffChars", &result);
+ if (ret == 0) {
+ pentry->pw_min_classes = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbPwdHistoryLength", &result);
+ if (ret == 0) {
+ pentry->pw_history_num = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbPwdMaxFailure", &result);
+ if (ret == 0) {
+ pentry->pw_max_fail = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbPwdFailureCountInterval", &result);
+ if (ret == 0) {
+ pentry->pw_failcnt_interval = result;
+ }
+
+ ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+ "krbPwdLockoutDuration", &result);
+ if (ret == 0) {
+ pentry->pw_lockout_duration = result;
+ }
+
+ *policy = pentry;
+
+done:
+ free(esc_name);
+ free(src_filter);
+ ldap_msgfree(res);
+
+ return kerr;
+}
+
+krb5_error_code ipadb_put_pwd_policy(krb5_context kcontext,
+ osa_policy_ent_t policy)
+{
+ return KRB5_PLUGIN_OP_NOTSUPP;
+}
+
+krb5_error_code ipadb_iterate_pwd_policy(krb5_context kcontext,
+ char *match_entry,
+ osa_adb_iter_policy_func func,
+ void *data)
+{
+ return KRB5_PLUGIN_OP_NOTSUPP;
+}
+
+krb5_error_code ipadb_delete_pwd_policy(krb5_context kcontext,
+ char *policy)
+{
+ return KRB5_PLUGIN_OP_NOTSUPP;
+}
+
+void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val)
+{
+ if (val) {
+ free(val->name);
+ free(val);
+ }
+}
+
-- cgit
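Review bot: `pentry = calloc(1, sizeof(osa_policy_ent_t));` in `ipadb_get_pwd_policy` allocates the size of a pointer rather than of the policy record — the patch's own `ipadb_free_pwd_policy` dereferences an `osa_policy_ent_t` as `val->name`, so the type is a pointer typedef, and every store to `pentry->version`, `pentry->name` and the `pw_*` fields then writes past the end of the allocation; use `pentry = calloc(1, sizeof(*pentry));`. Separately, `std_pwdpolicy_attrs` requests `krbpwdmaxfailurecountinterval` while the lookup below reads `krbPwdFailureCountInterval`, so that attribute is never returned by the search and `pw_failcnt_interval` silently stays zero; the list entry should read `"krbpwdfailurecountinterval",`. The `strdup(name)` failure path jumps to `done` without releasing `pentry`; initialising `pentry` to NULL and releasing it through `ipadb_free_pwd_policy` whenever `kerr` is non-zero at `done` closes that leak. A search that yields no entry is reported as `KRB5_KDB_INTERNAL_ERROR`, which callers cannot distinguish from a backend failure; `KRB5_KDB_NOENTRY` is the KDB code for a missing entry and is what the excerpt below returns there.
```c
    osa_policy_ent_t pentry = NULL;
    /* … unchanged: context lookup, filter escape/build, LDAP search … */
    lentry = ldap_first_entry(ipactx->lcontext, res);
    if (!lentry) {
        kerr = KRB5_KDB_NOENTRY;
        goto done;
    }

    pentry = calloc(1, sizeof(*pentry));
    /* … unchanged: version/name setup and the krb* attribute lookups … */
done:
    if (kerr) {
        ipadb_free_pwd_policy(kcontext, pentry);
    }
    free(esc_name);
    free(src_filter);
    ldap_msgfree(res);

    return kerr;
```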