author | Rob Crittenden <rcritten@redhat.com> | 2010-06-11 16:12:29 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-06-24 14:24:15 -0400 |
commit | c5bdfc71939ad5338c707cb6c6b0d2187d78b801 (patch) | |
tree | 1ac6a46c9e4dfad47a518d3871bceef96184f91d | |
parent | e036283fbbed0c2995986816124c2a561f79fbc4 (diff) | |
Don't try to convert a host's password into a keytab.
The migration plugin uses a pre-op function to automatically create
kerberos credentials when binding using a password.
The problem is that we do a simple bind when doing password-based
host enrollment. This was causing krbPasswordExpiration to be set
which isn't what we want for hosts. They really shouldn't go through
this code at all.
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index bd04e9d4d..c2d0373e6 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -2168,7 +2168,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
     char timestr[GENERALIZED_TIME_LENGTH+1];
     time_t time_now = time(NULL);
     char *pw = NULL;
-    char *krbPrincipalName = NULL;
+    Slapi_Value *objectclass;
 
     svals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *));
     if (!svals) {
@@ -2587,8 +2587,9 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
      * the userPassword attribute if it exists */
     pw = slapi_entry_attr_get_charptr(targetEntry, "userPassword");
 
-    krbPrincipalName = slapi_entry_attr_get_charptr(targetEntry, "krbPrincipalName");
-    if ((strncmp(krbPrincipalName, "host/", 5) == 0)) {
+    objectclass = slapi_value_new_string("ipaHost");
+    if ((slapi_entry_attr_has_syntax_value(targetEntry, SLAPI_ATTR_OBJECTCLASS, objectclass)) == 1)
+    {
         char * krbLastPwdChange = slapi_entry_attr_get_charptr(targetEntry, "krbLastPwdChange");
         char * enrolledBy = slapi_entry_attr_get_charptr(targetEntry, "enrolledBy");
         if (NULL == enrolledBy) {
@@ -2604,9 +2605,9 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
                     "Removing userPassword from host entry\n");
             slapi_ch_free_string(&pw);
         }
-        slapi_ch_free_string(&krbLastPwdChange);
+        slapi_value_free(&objectclass);
     }
-    slapi_ch_free_string(&krbPrincipalName);
+    slapi_value_free(&objectclass);
 
     /* commit changes */
     ret = ipapwd_apply_mods(slapi_entry_get_dn_const(targetEntry), smods);
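Review bot: `Slapi_Value *objectclass;` in the first hunk is declared without an initializer while the neighbouring `char *pw = NULL;` has one, and the variable is only assigned some 400 lines later in the second hunk; if any early-exit path in the unseen part of ipapwd_setkeytab reaches a cleanup that touches it, it would see an indeterminate pointer. Declaring it `Slapi_Value *objectclass = NULL;` matches the surrounding declarations and makes slapi_value_free safe on every path. The declaration added to ipapwd_pre_bind in the later hunk has the same shape. ipapwd_setkeytab starts and ends outside these hunks.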
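Review bot: krbLastPwdChange is no longer released in the third hunk: the `slapi_ch_free_string(&krbLastPwdChange);` line that closed the ipaHost block was replaced by `slapi_value_free(&objectclass);`, so the string obtained from slapi_entry_attr_get_charptr in the previous hunk leaks on every host enrollment unless it is freed in the lines between the two hunks that are not shown. The `slapi_value_free(&objectclass);` after the closing brace already runs on both paths, and since slapi_value_free takes a double pointer and resets it, the extra call inside the block is at best redundant. Restore the inner line to `slapi_ch_free_string(&krbLastPwdChange);` and keep the single slapi_value_free after the block. The enclosing function continues outside the hunk.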
@@ -3280,6 +3281,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
     char *errMesg = "Internal operations error\n"; /* error message */
     char *expire = NULL; /* passwordExpirationTime attribute value */
     char *dn = NULL; /* bind DN */
+    Slapi_Value *objectclass;
     int method; /* authentication method */
     int ret = 0;
 
@@ -3322,6 +3324,14 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
         goto done;
     }
 
+    /* we aren't interested in host principals */
+    objectclass = slapi_value_new_string("ipaHost");
+    if ((slapi_entry_attr_has_syntax_value(entry, SLAPI_ATTR_OBJECTCLASS, objectclass)) == 1) {
+        slapi_value_free(&objectclass);
+        goto done;
+    }
+    slapi_value_free(&objectclass);
+
     /* check the krbPrincipalKey attribute is NOT present */
     ret = slapi_entry_attr_find(entry, "krbprincipalkey", &attr);
     if (!ret) {
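Review bot: The comment `/* we aren't interested in host principals */` above the new ipaHost check in ipapwd_pre_bind says who is skipped but not why, and since the test is on objectClass rather than the principal name a reader cannot tell from the code what would go wrong without it. Suggest `/* host entries (objectClass ipaHost) enroll with a simple bind; skip them so their password is not converted into a keytab and krbPasswordExpiration is not set */`, which is the rationale the commit message gives. ipapwd_pre_bind starts and ends outside this hunk.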