From 5341a22ba2dec5099c8a14c0903c7770884ee6be Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 9 Feb 2011 23:48:28 -0500
Subject: Update krbExtraData too when changing passwords.
Fixes: https://fedorahosted.org/freeipa/ticket/937
---
 .../ipa-pwd-extop/ipa_pwd_extop.c | 13 +++++
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 3 ++
 .../ipa-pwd-extop/ipapwd_common.c | 58 ++++++++++++++++++++++
 .../ipa-pwd-extop/ipapwd_prepost.c | 19 +++++++
 4 files changed, 93 insertions(+)
(limited to 'daemons')
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 5867f0846..7a4591f8a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -144,6 +144,7 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 char *attrlist[] = {"*", "passwordHistory", NULL };
 struct ipapwd_data pwdata;
 int is_krb, is_smb;
+ char *principal = NULL;
 /* Get the ber value of the extended operation */
 slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
@@ -384,6 +385,14 @@ parse_req_done:
 LOG_TRACE("<= result: %d\n", rc);
+ if (pwdata.changetype == IPA_CHANGETYPE_NORMAL) {
+ principal = slapi_entry_attr_get_charptr(pwdata.target, "krbPrincipalName");
+ } else {
+ principal = slapi_ch_smprintf("root/admin@%s", krbcfg->realm);
+ }
+ ipapwd_set_extradata(pwdata.dn, principal, pwdata.timeNow);
+
 /* Free anything that we allocated above */
 free_and_return:
 slapi_ch_free_string(&oldPasswd);
@@ -395,6 +404,7 @@ free_and_return:
 slapi_ch_free_string(&dn);
 slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, NULL);
 slapi_ch_free_string(&authmethod);
+ slapi_ch_free_string(&principal);
 if (targetEntry) slapi_entry_free(targetEntry);
 if (ber) ber_free(ber, 1);
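Review bot: The return value of `ipapwd_set_extradata(pwdata.dn, principal, pwdata.timeNow);` is dropped, so a failure to write krbExtraData leaves no trace in the logs; the same applies to the calls added in ipapwd_setkeytab and ipapwd_post_op. Checking it the way the post-op already checks its password attributes, `if (ipapwd_set_extradata(pwdata.dn, principal, pwdata.timeNow) != 0) LOG("Failed to set krbExtraData\n");`, would keep the failure observable. The update also runs unconditionally after `LOG_TRACE("<= result: %d\n", rc);`, so if any error path reaches parse_req_done with a non-success rc (ipapwd_chpwop starts before this hunk, so I cannot see them), the krbExtraData timestamp would be written for a change that did not happen; guarding the call on `rc == LDAP_SUCCESS` would be safer. `principal` comes from `slapi_entry_attr_get_charptr`, which returns NULL when the target has no krbPrincipalName, and nothing here checks that before the call.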
@@ -884,6 +894,9 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 }
 slapi_mods_free(&smods);
+ ipapwd_set_extradata(slapi_entry_get_dn_const(targetEntry),
+ serviceName, time_now);
+
 /* Format of response
 *
 * KeytabGetRequest ::= SEQUENCE {
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index aaaeeb717..e204bba20 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -129,6 +129,9 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
 Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods, struct ipapwd_data *data);
 int ipapwd_apply_mods(const char *dn, Slapi_Mods *mods);
+int ipapwd_set_extradata(const char *dn,
+ const char *principal,
+ time_t unixtime);
 void ipapwd_free_slapi_value_array(Slapi_Value ***svals);
 void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index d8a65f0e9..6f4f02e01 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -1230,6 +1230,7 @@ free_and_return:
 return ret;
 }
+
 Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods, struct ipapwd_data *data) {
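Review bot: The new `ipapwd_set_extradata` declaration carries no comment, and the signature does not convey what the implementation in ipapwd_common.c does: it replaces the whole krbExtraData attribute of `dn` with a fixed master-key-kvno value plus a record of `principal` and `unixtime`, keeps only the low 32 bits of the timestamp, and returns LDAP_OPERATIONS_ERROR on allocation failure or otherwise whatever ipapwd_apply_mods returns. A short `/* ... */` above the prototype stating that, that `principal` must be non-NULL, and that the caller retains ownership of both strings would give callers the contract without reading the body.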
@@ -1383,6 +1384,63 @@ int ipapwd_apply_mods(const char *dn, Slapi_Mods *mods)
 return ret;
 }
+int ipapwd_set_extradata(const char *dn,
+ const char *principal,
+ time_t unixtime)
+{
+ Slapi_Mods *smods;
+ Slapi_Value *va[3] = { NULL };
+ struct berval bv;
+ char mkvno[4] = { 0x00, 0x08, 0x01, 0x00 };
+ char *xdata;
+ int xd_len;
+ int p_len;
+ int ret;
+
+ p_len = strlen(principal);
+ xd_len = 2 + 4 + p_len + 1;
+ xdata = malloc(xd_len);
+ if (!xdata) {
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ smods = slapi_mods_new();
+
+ /* always append a master key kvno of 1 for now */
+ bv.bv_val = mkvno;
+ bv.bv_len = 4;
+ va[0] = slapi_value_new_berval(&bv);
+
+ /* data type id */
+ xdata[0] = 0x00;
+ xdata[1] = 0x02;
+
+ /* unix timestamp in Little Endian */
+ xdata[2] = unixtime & 0xff;
+ xdata[3] = (unixtime & 0xff00) >> 8;
+ xdata[4] = (unixtime & 0xff0000) >> 16;
+ xdata[5] = (unixtime & 0xff000000) >> 24;
+
+ /* append the principal name */
+ strncpy(&xdata[6], principal, p_len);
+
+ xdata[xd_len -1] = 0;
+
+ bv.bv_val = xdata;
+ bv.bv_len = xd_len;
+ va[1] = slapi_value_new_berval(&bv);
+
+ slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE, "krbExtraData", va);
+
+ ret = ipapwd_apply_mods(dn, smods);
+
+ slapi_value_free(&va[1]);
+ slapi_value_free(&va[0]);
+ slapi_mods_free(&smods);
+
+ return ret;
+}
+
 void ipapwd_free_slapi_value_array(Slapi_Value ***svals)
 {
 Slapi_Value **sv = *svals;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 34045e208..60a8ca3be 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -786,6 +786,9 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
 struct tm utctime;
 char timestr[GENERALIZED_TIME_LENGTH+1];
 int ret;
+ char *errMsg = "Internal operations error\n";
+ struct ipapwd_krbcfg *krbcfg = NULL;
+ char *principal = NULL;
 LOG_TRACE("=>\n");
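Review bot: `xdata` is allocated by `xdata = malloc(xd_len);` but never released, because `slapi_value_new_berval` keeps its own copy of the berval and nothing in the function frees the original; add `free(xdata);` directly after `va[1] = slapi_value_new_berval(&bv);`, which covers every path that reaches the cleanup. `p_len = strlen(principal);` dereferences `principal` unchecked, although two of the callers obtain it from `slapi_entry_attr_get_charptr`, which returns NULL when the target has no krbPrincipalName, so a guard `if (principal == NULL) return LDAP_OPERATIONS_ERROR;` belongs at the top of the function. The four little-endian bytes keep only the low 32 bits of `unixtime`; if that is what the krbExtraData format requires, replacing the current comment with `/* unix timestamp, low 32 bits, Little Endian (the format fixes this field at 4 bytes) */` would say so. `strncpy(&xdata[6], principal, p_len)` copies exactly p_len bytes and relies on the explicit terminator written two lines later, which `memcpy(&xdata[6], principal, p_len);` expresses more directly.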
@@ -812,6 +815,12 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
 return 0;
 }
+ ret = ipapwd_gen_checks(pb, &errMsg, &krbcfg, 0);
+ if (ret != 0) {
+ LOG_FATAL("ipapwd_gen_checks failed!?\n");
+ return 0;
+ }
+
 /* prepare changes that can be made only as root */
 smods = slapi_mods_new();
@@ -860,9 +869,19 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
 if (ret) LOG("Failed to set additional password attributes in the post-op!\n");
+ if (pwdop->pwdata.changetype == IPA_CHANGETYPE_NORMAL) {
+ principal = slapi_entry_attr_get_charptr(pwdop->pwdata.target, "krbPrincipalName");
+ } else {
+ principal = slapi_ch_smprintf("root/admin@%s", krbcfg->realm);
+ }
+ ipapwd_set_extradata(pwdop->pwdata.dn, principal, pwdop->pwdata.timeNow);
+
 done:
 if (pwdop && pwdop->pwdata.target) slapi_entry_free(pwdop->pwdata.target);
 slapi_mods_free(&smods);
+ slapi_ch_free_string(&principal);
+ free_ipapwd_krbcfg(&krbcfg);
 return 0;
 }
-- cgit
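Review bot: When `ipapwd_gen_checks` fails, the new `return 0;` leaves the post-op before `smods = slapi_mods_new();`, so the root-only modifications that follow are skipped as well, although nothing in that part of the function depends on `krbcfg`: it is read only for `krbcfg->realm` in the non-NORMAL branch of the later hunk. Logging the failure and continuing, then skipping just the krbExtraData update when `krbcfg == NULL`, would keep the previous behaviour for the password attributes. The early return also bypasses the `done:` cleanup; ipapwd_post_op starts before this hunk, so whether `pwdop->pwdata.target` is already populated here and leaks on this path is something I cannot confirm from the hunk.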
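Review bot: For every change type other than IPA_CHANGETYPE_NORMAL the principal written into krbExtraData is the synthetic `"root/admin@%s"` built from `krbcfg->realm`, so the attribute no longer records which administrator actually changed the password; if the binding identity is available in the post-op, storing it instead would preserve that attribution for audit, and if it is not, a comment stating that the value is a placeholder would stop readers from treating it as the actor. The `krbcfg->realm` dereference is safe only because the earlier hunk returns when `ipapwd_gen_checks` fails; if that early return is ever relaxed, this branch needs its own `krbcfg != NULL` check.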