author | Nathaniel McCallum <npmccallum@redhat.com> | 2013-04-11 13:50:42 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-05-17 09:30:51 +0200 |
commit | 5d51ae50a59466fa2d6d230d7f2879de34210f0c (patch) | |
tree | ab0e851651e14b8a44664199d2160766335cf6c4 /daemons/ipa-kdb/ipa_kdb.c | |
parent | cb689354357d5311e7ecb231a34e867c23b8a803 (diff) | |
ipa-kdb: Add OTP support
If OTP is enabled for a user, then:
1. Long-term keys are not provided to KDB
2. The user string 'otp' is defined to KDB
Since it is not secure to send RADIUS configuration information
over krb5 user strings, the string is simply set to a known default
('[]'), which enables the default configuration in the KDC.
https://fedorahosted.org/freeipa/ticket/3561
http://freeipa.org/page/V3/OTP
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb.c')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb.c | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index e5c718ea9..8464264cf 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -173,9 +173,42 @@ done:
 return base;
 }
 
+static const struct {
+ const char *name;
+ enum ipadb_user_auth flag;
+} userauth_table[] = {
+ { "disabled", IPADB_USER_AUTH_DISABLED },
+ { "password", IPADB_USER_AUTH_PASSWORD },
+ { "radius", IPADB_USER_AUTH_RADIUS },
+ { "otp", IPADB_USER_AUTH_OTP },
+ { }
+};
+
+void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le,
+ enum ipadb_user_auth *userauth)
+{
+ struct berval **vals;
+ int i, j;
+
+ *userauth = IPADB_USER_AUTH_EMPTY;
+ vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE);
+ if (!vals)
+ return;
+
+ for (i = 0; vals[i]; i++) {
+ for (j = 0; userauth_table[j].name; j++) {
+ if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) {
+ *userauth |= userauth_table[j].flag;
+ break;
+ }
+ }
+ }
+}
+
 int ipadb_get_global_configs(struct ipadb_context *ipactx)
 {
- char *attrs[] = { "ipaConfigString", IPA_KRB_AUTHZ_DATA_ATTR, NULL };
+ char *attrs[] = { "ipaConfigString", IPA_KRB_AUTHZ_DATA_ATTR,
+ IPA_USER_AUTH_TYPE, NULL };
 struct berval **vals = NULL;
 LDAPMessage *res = NULL;
 LDAPMessage *first;
@@ -203,6 +236,9 @@ int ipadb_get_global_configs(struct ipadb_context *ipactx)
 goto done;
 }
 
+ /* Check for permitted authentication types. */
+ ipadb_get_user_auth(ipactx->lcontext, res, &ipactx->user_auth);
+
 vals = ldap_get_values_len(ipactx->lcontext, first, "ipaConfigString");
 if (!vals || !vals[0]) { |
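Review bot: The `struct berval **` array returned by `ldap_get_values_len()` in the new `ipadb_get_user_auth` is never released, so every call that finds an ipaUserAuthType attribute leaks it; add `ldap_value_free_len(vals);` after the outer `for` loop, before the function returns. Values that match no entry in `userauth_table` are dropped silently, which means a misspelled attribute value leaves that bit clear and the caller sees only the remaining flags (or `IPADB_USER_AUTH_EMPTY`); if that fallback is intentional it deserves a comment such as `/* Unrecognized values are ignored; the caller treats IPADB_USER_AUTH_EMPTY as "apply the default policy". */`, and a debug log of the unknown value would make mis-configuration diagnosable. The function has external linkage but no header comment; a one-line doc stating that it resets `*userauth` to `IPADB_USER_AUTH_EMPTY` and then ORs in one flag per recognized (case-insensitive) ipaUserAuthType value of `le` would help other callers.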
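Review bot: The new call hands `res`, the whole search result, to `ipadb_get_user_auth`, while the `ldap_get_values_len` call on the very next line reads the same entry through `first`; if `first` is the entry obtained from `res` above the hunk, as the surrounding code suggests, the attribute lookup should use the same handle, `ipadb_get_user_auth(ipactx->lcontext, first, &ipactx->user_auth);`. Reading attributes from the result handle works only as long as the entry happens to be the first message in the chain, which is not worth relying on for a value that gates whether long-term keys are handed to the KDC. The body of ipadb_get_global_configs begins and ends outside this hunk.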