author | Martin Kosek <mkosek@redhat.com> | 2014-01-30 16:58:25 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-02-03 08:57:14 +0100 |
commit | d85e2c9a8220e5a61c8dbc205d71693e832b668a (patch) | |
tree | daaca502b70b4d17690e9db5c8bd330c582f696f /daemons/ipa-slapi-plugins | |
parent | df3fa943abf58f2ad02919ecb1b199f3ff6d510b (diff) | |
Fallback to global policy in ipa-lockout plugin
krbPwdPolicyReference is no longer filled in for default users. Instead, plugins
fall back to a hardcoded global policy reference.
Fix ipa-lockout plugin to fallback to it instead of failing to apply
the policy.
https://fedorahosted.org/freeipa/ticket/4085
Diffstat (limited to 'daemons/ipa-slapi-plugins')
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c index fd6602fde..5a24359d3 100644 --- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c +++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c @@ -49,6 +49,7 @@ #include <time.h> #include "slapi-plugin.h" #include "nspr.h" +#include <krb5.h> #include "util.h" @@ -81,6 +82,8 @@ static int g_plugin_started = 0; static struct ipa_context *global_ipactx = NULL; +static char *ipa_global_policy = NULL; + #define GENERALIZED_TIME_LENGTH 15 /** @@ -142,8 +145,11 @@ ipalockout_get_global_config(struct ipa_context *ipactx) Slapi_Attr *attr = NULL; char *dn = NULL; char *basedn = NULL; + char *realm = NULL; Slapi_DN *sdn; Slapi_Entry *config_entry; + krb5_context krbctx = NULL; + krb5_error_code krberr; int ret; /* Get cn=config so we can get the default naming context */ @@ -167,6 +173,28 @@ ipalockout_get_global_config(struct ipa_context *ipactx) goto done; } + krberr = krb5_init_context(&krbctx); + if (krberr) { + LOG_FATAL("krb5_init_context failed (%d)\n", krberr); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + krberr = krb5_get_default_realm(krbctx, &realm); + if (krberr) { + LOG_FATAL("Failed to get default realm (%d)\n", krberr); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s", + realm, basedn); + if (!ipa_global_policy) { + LOG_OOM(); + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn); if (ret == -1) { LOG_OOM(); @@ -221,6 +249,8 @@ ipalockout_get_global_config(struct ipa_context *ipactx) done: if (config_entry) slapi_entry_free(config_entry); + free(realm); + krb5_free_context(krbctx); free(dn); free(basedn); return ret; 
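Review bot: The new file-scope `ipa_global_policy` (hunk at -81,6) has no comment saying who owns it, although three functions in this commit touch it. A short comment above the declaration would settle that, for example `/* DN of the fallback policy entry: built in ipalockout_get_global_config(), freed in ipalockout_close(), only borrowed by ipalockout_getpolicy(). */`. The "borrowed" part matters because the getpolicy hunk hands the pointer out through `*policy_dn`, so callers must not free it and should not keep it past plugin close.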
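Review bot: The added `ipa_global_policy = slapi_ch_smprintf(...)` (hunk at -167,6) overwrites the global without releasing an earlier value, so the previous string leaks if ipalockout_get_global_config() can run more than once before ipalockout_close(); whether it can is not visible from this hunk. Adding `slapi_ch_free_string(&ipa_global_policy);` just before the assignment makes the function safe to repeat. `realm` and `basedn` are formatted into the DN as-is; both appear to come from local configuration, so this is a robustness remark rather than an injection concern, but a value containing DN special characters would yield a DN other than the intended policy entry. The function starts and ends outside the hunk.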
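Review bot: `free(realm)` in the `done:` cleanup (hunk at -221,6) releases a string returned by krb5_get_default_realm(), which the libkrb5 API pairs with krb5_free_default_realm() rather than plain free(). I would replace the added line with `if (realm) krb5_free_default_realm(krbctx, realm);`, kept ahead of `krb5_free_context(krbctx)` as the order is now. The early `goto done` paths reach krb5_free_context() with a NULL context; MIT krb5 accepts that as far as I know, but a one-line comment saying so would help the next reader.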
@@ -248,6 +278,8 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry, Slapi_Entry **policy_entry, slapi_valueset_first_value(*values, &sv); *policy_dn = slapi_value_get_string(sv); } + } else { + *policy_dn = ipa_global_policy; } if (*policy_dn == NULL) { @@ -376,6 +408,8 @@ ipalockout_close(Slapi_PBlock * pb) { LOG_TRACE( "--in-->\n"); + slapi_ch_free_string(&ipa_global_policy); + LOG_TRACE("<--out--\n"); return EOK; |
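Review bot: The fallback in ipalockout_getpolicy() is attached only to the `else` of the outer lookup check, so when that lookup succeeds but yields no usable value (the inner block is skipped, or `slapi_value_get_string(sv)` returns NULL) `*policy_dn` stays NULL and the global policy is not used. What the following `if (*policy_dn == NULL)` branch does is outside the hunk, but if it skips policy evaluation, such entries would get no lockout enforcement. Testing the result instead of the lookup status covers both cases: drop the `else` and put `if (*policy_dn == NULL) *policy_dn = ipa_global_policy;` right after the lookup block. The function starts and ends outside the hunk.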