authorSimo Sorce <simo@redhat.com>2015-11-24 13:42:10 -0500
committerSimo Sorce <simo@redhat.com>2015-12-02 16:14:03 -0500
commitbde182421226bb32ab676c13a85bc95a2572f322 (patch)
tree616b1a991bf03dbfde0766b104e119486a29d2c3
parentc6264b4344021b368077ffd2fee70f8541c2953f (diff)
Introduce option to disable the SetKeytab exop
If DisableSetKeytab is set in the ipaConfig options then setkeytab will not be available. The default is still to allow this operation, for backwards compatibility with older clients that do not know how to use the new GetKeytab extended operation. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5485
-rw-r--r--API.txt2
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c4
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c5
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h1
-rw-r--r--ipalib/plugins/config.py1
5 files changed, 12 insertions, 1 deletions
diff --git a/API.txt b/API.txt
index 1e6942d06..bcdbe6bb6 100644
--- a/API.txt
+++ b/API.txt
@@ -766,7 +766,7 @@ args: 0,25,3
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('delattr*', cli_name='delattr', exclude='webui')
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'DisableSetKeytab', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
option: Str('ipadefaultemaildomain', attribute=True, autofill=False, cli_name='emaildomain', multivalue=False, required=False)
option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='defaultgroup', multivalue=False, required=False)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 5dc606d22..f79c0b4a6 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -232,6 +232,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
/* get the ipa etc/ipaConfig entry */
config->allow_nt_hash = false;
+ config->disable_setkeytab = false;
ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
if (ret != LDAP_SUCCESS) {
LOG_FATAL("No config Entry?\n");
@@ -243,6 +244,9 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
config->allow_nt_hash = true;
continue;
+ } else if (strcasecmp(tmparray[i], "DisableSetKeytab") == 0) {
+ config->disable_setkeytab = true;
+ continue;
}
}
if (tmparray) slapi_ch_array_free(tmparray);
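Review bot: The new default `config->disable_setkeytab = false;` in the first hunk carries no explanation of why a legacy operation stays enabled by default, which is the detail an operator hardening a deployment needs. A one-line comment such as `/* SetKeytab stays enabled unless ipaConfigString has DisableSetKeytab: older clients cannot use GetKeytab */` would record the rationale from the commit message next to the code. The `DisableSetKeytab` branch in the second hunk follows the existing `AllowNThash` pattern and needs nothing further. ipapwd_getConfig starts before the first hunk and continues past the second.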
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index dc657cc4e..aa45ed3e7 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1742,6 +1742,11 @@ static int ipapwd_extop(Slapi_PBlock *pb)
return ret;
}
if (strcasecmp(oid, KEYTAB_SET_OID) == 0) {
+ if (krbcfg->disable_setkeytab) {
+ errMesg = "Operation administratively disabled.\n";
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ goto free_and_return;
+ }
ret = ipapwd_setkeytab(pb, krbcfg);
free_ipapwd_krbcfg(&krbcfg);
return ret;
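Review bot: The new `goto free_and_return;` leaves the block without the explicit `free_ipapwd_krbcfg(&krbcfg);` that the sibling exit paths in this hunk perform before returning, so krbcfg is released only if the `free_and_return` label (outside the hunk) does it; confirm that, or release it before the jump. The same applies to whether that label logs `errMesg`: a refused SetKeytab should leave a server-side trace so an administrator can tell a disabled operation from a client bug. If the label does not log, add a line like `LOG_FATAL("SetKeytab exop refused: DisableSetKeytab is set in ipaConfig\n");` ahead of the goto. ipapwd_extop starts and ends outside this hunk.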
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 2e9d4fe86..a6a85d78d 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -109,6 +109,7 @@ struct ipapwd_krbcfg {
char **passsync_mgrs;
int num_passsync_mgrs;
bool allow_nt_hash;
+ bool disable_setkeytab;
};
int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 86b7ca863..ce7966bf5 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -201,6 +201,7 @@ class config(LDAPObject):
label=_('Password plugin features'),
doc=_('Extra hashes to generate in password plug-in'),
values=(u'AllowNThash',
+ u'DisableSetKeytab',
u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
csv=True,
),
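Review bot: The `doc=_('Extra hashes to generate in password plug-in')` string two lines above the added value no longer describes what ipaconfigstring controls, since `DisableSetKeytab` is not a hash but a switch that refuses the SetKeytab extended operation. Update it to cover the new meaning, e.g. `doc=_('Password plug-in options: extra hashes to generate and operations to disable')`, so the help text shown to administrators matches the enum. The enclosing class config continues past the hunk.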