author | Simo Sorce <ssorce@redhat.com> | 2012-02-17 11:45:56 -0500 |
committer | Rob Crittenden <rcritten@redhat.com> | 2012-02-19 20:43:45 -0500 |
commit | 9942a29cab06ff99cdd3380c4daf3b41ebdf2fb8 (patch) | |
tree | e150e2563621eea350338ccb617f63e7044315b4 /daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | |
parent | ffd39503c1e4c1b7a309953e232d4727551a58c3 (diff) | |
policy: add function to check lockout policy
Fixes: https://fedorahosted.org/freeipa/ticket/2393
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_pwdpolicy.c')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
index 03948029f..91de0342b 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -275,3 +275,56 @@ void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val)
 }
 }
+krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp kdc_time,
+ const char **status,
+ krb5_pa_data ***e_data)
+{
+ struct ipadb_context *ipactx;
+ struct ipadb_e_data *ied;
+ krb5_error_code kerr;
+
+ if (!client) {
+ return ENOENT;
+ }
+
+ ipactx = ipadb_get_context(kcontext);
+ if (!ipactx) {
+ return EINVAL;
+ }
+
+ ied = (struct ipadb_e_data *)client->e_data;
+ if (!ied) {
+ return EINVAL;
+ }
+
+ if (!ied->pol) {
+ kerr = ipadb_get_ipapwd_policy(ipactx, ied->pw_policy_dn, &ied->pol);
+ if (kerr != 0) {
+ return kerr;
+ }
+ }
+
+ if (client->last_failed <= ied->last_admin_unlock) {
+ /* admin unlocked the account */
+ return 0;
+ }
+
+ if (ied->pol->max_fail == 0 ||
+ client->fail_auth_count < ied->pol->max_fail) {
+ /* still within allowed failures range */
+ return 0;
+ }
+
+ if (ied->pol->lockout_duration == 0 ||
+ client->last_failed + ied->pol->lockout_duration > kdc_time) {
+ /* ok client permanently locked, or within lockout period */
+ *status = "LOCKED_OUT";
+ return KRB5KDC_ERR_CLIENT_REVOKED;
+ }
+
+ return 0;
+}
|
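Review bot: The lockout-window test in the final `if` of ipadb_check_policy_as, `client->last_failed + ied->pol->lockout_duration > kdc_time`, adds a timestamp to the policy duration in signed arithmetic; if krb5_timestamp is the 32-bit krb5_int32 of this era's MIT krb5 and lockout_duration is a plain int (both declared outside this hunk), an oversized duration read from the policy entry overflows the sum — undefined behaviour that in practice wraps negative, so the lockout period looks already expired and a locked account fails open. An elapsed-time comparison keeps the same meaning without the addition: `kdc_time - client->last_failed < ied->pol->lockout_duration`. The earlier check `client->fail_auth_count < ied->pol->max_fail` similarly compares what appears to be an unsigned KDB counter with a signed max_fail, so a negative max_fail from a malformed policy would promote to a huge unsigned value and disable lockout entirely; rejecting `max_fail < 0` before the comparison, or treating it like 0, would close that. Note also that `*status` is assigned only on the LOCKED_OUT path, so the ENOENT/EINVAL/kerr returns leave it as the caller initialised it — worth a comment if that is intended.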