author | Simo Sorce <ssorce@redhat.com> | 2012-02-17 11:45:56 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-02-19 20:43:58 -0500 |
commit | 9fbe19adb43a758d91042289ea1c69114469e663 (patch) | |
tree | 528b99e2d73b9e33b263f2044d2d050154c963e5 /daemons | |
parent | 6c222bdd1f4783c1a8a5c2b0b247279e63bd31c6 (diff) | |
policy: add function to check lockout policy
Fixes: https://fedorahosted.org/freeipa/ticket/2393
Diffstat (limited to 'daemons')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb.c | 2 | ||||
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb.h | 8 | ||||
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 53 |
3 files changed, 62 insertions, 1 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index ebd72627..4c1fdfc0 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -455,7 +455,7 @@ kdb_vftabl kdb_function_table = {
 NULL, /* encrypt_key_data */
 NULL, /*ipadb_sign_authdata, */ /* sign_authdata */
 NULL, /* check_transited_realms */
- NULL, /* check_policy_as */
+ ipadb_check_policy_as, /* check_policy_as */
 NULL, /* check_policy_tgs */
 ipadb_audit_as_req, /* audit_as_req */
 NULL, /* refresh_config */
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 2f09272c..9330a2e0 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -185,6 +185,14 @@ krb5_error_code ipadb_delete_pwd_policy(krb5_context kcontext,
 char *policy);
 void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val);
 
+krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp kdc_time,
+ const char **status,
+ krb5_pa_data ***e_data);
+
 /* MASTER KEY FUNCTIONS */
 krb5_error_code ipadb_fetch_master_key(krb5_context kcontext,
 krb5_principal mname,
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
index 03948029..91de0342 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
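Review bot: The new ipadb_check_policy_as prototype in ipa_kdb.h carries no comment, although it is the KDB check_policy_as hook and the only place a caller learns what the lockout decision means. I would add a short block comment above it stating that it is installed in kdb_function_table as check_policy_as, that it returns 0 when the client is not locked out, and that it returns KRB5KDC_ERR_CLIENT_REVOKED with *status set to "LOCKED_OUT" when fail_auth_count has reached the policy's max_fail and the lockout is permanent (lockout_duration == 0) or still running, with a last_admin_unlock newer than last_failed clearing the lockout. It should also say that *status is left untouched on the success paths and that e_data and server are currently unused, since the prototype alone suggests otherwise.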
@@ -275,3 +275,56 @@ void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val)
 }
 }
 
+krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp kdc_time,
+ const char **status,
+ krb5_pa_data ***e_data)
+{
+ struct ipadb_context *ipactx;
+ struct ipadb_e_data *ied;
+ krb5_error_code kerr;
+
+ if (!client) {
+ return ENOENT;
+ }
+
+ ipactx = ipadb_get_context(kcontext);
+ if (!ipactx) {
+ return EINVAL;
+ }
+
+ ied = (struct ipadb_e_data *)client->e_data;
+ if (!ied) {
+ return EINVAL;
+ }
+
+ if (!ied->pol) {
+ kerr = ipadb_get_ipapwd_policy(ipactx, ied->pw_policy_dn, &ied->pol);
+ if (kerr != 0) {
+ return kerr;
+ }
+ }
+
+ if (client->last_failed <= ied->last_admin_unlock) {
+ /* admin unlocked the account */
+ return 0;
+ }
+
+ if (ied->pol->max_fail == 0 ||
+ client->fail_auth_count < ied->pol->max_fail) {
+ /* still within allowed failures range */
+ return 0;
+ }
+
+ if (ied->pol->lockout_duration == 0 ||
+ client->last_failed + ied->pol->lockout_duration > kdc_time) {
+ /* ok client permanently locked, or within lockout period */
+ *status = "LOCKED_OUT";
+ return KRB5KDC_ERR_CLIENT_REVOKED;
+ }
+
+ return 0;
+}
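Review bot: ied->pol is dereferenced unconditionally in the max_fail and lockout_duration checks, but after the lazy fetch the code only tests kerr, not the pointer; if ipadb_get_ipapwd_policy (not visible here) can return 0 without filling in ied->pol, for instance when pw_policy_dn is NULL or the policy entry is missing, the KDC dereferences NULL on every AS request for that client. Guarding the output is one line: `if (kerr != 0 || !ied->pol) { return kerr ? kerr : EINVAL; }` in place of the `if (kerr != 0)` test, so a missing policy fails the request closed rather than crashing the daemon. Separately, the lockout-window test adds last_failed and lockout_duration before comparing with kdc_time; if krb5_timestamp is a signed 32-bit type as in MIT krb5 of this era, a large lockout_duration can overflow that sum, and writing the comparison as a difference against kdc_time avoids it. A short header comment on the function describing the return values (0, KRB5KDC_ERR_CLIENT_REVOKED with *status "LOCKED_OUT", ENOENT/EINVAL for missing client or context) would also help, since the vtable slot is the only documentation today.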