authorSimo Sorce <simo@redhat.com>2015-04-04 10:53:52 -0400
committerSimo Sorce <simo@redhat.com>2015-05-27 09:45:56 -0400
commitd5b6c8360116857623b4b67a42ed3788df2ba24a (patch)
tree2c3f7a30cc26d0f28a84c30304480804baf3546e /daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
parent01fa05dd4ec7bd79abee8df0dd3642eabf138bcf (diff)
Detect default encsalts kadmin password change
When kadmin tries to change a password it will get the allowed keysalts from the password policy. Failure to provide them will result in kadmin using the defaults specified in the kdc.conf file or hardcoded defaults (the default salt is then of type NORMAL). This patch provides the supported values that have been read out of the appropriate LDAP attribute when we read the server configuration. Then at actual password change, check if kadmin is handing us back the exact list of supported encsalts we sent it, and in that case replace it with the real default encsalts. Fixes https://fedorahosted.org/freeipa/ticket/4914 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_pwdpolicy.c')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_pwdpolicy.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
index 6f3992be6..076314a12 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -237,6 +237,13 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
pentry->pw_lockout_duration = result;
}
+ ret = ipa_kstuples_to_string(ipactx->supp_encs, ipactx->n_supp_encs,
+ &pentry->allowed_keysalts);
+ if (ret != 0) {
+ kerr = KRB5_KDB_INTERNAL_ERROR;
+ goto done;
+ }
+
*policy = pentry;
done:
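Review bot: The added `ipa_kstuples_to_string()` call has no comment explaining why `pentry->allowed_keysalts` is built from `ipactx->supp_encs` instead of the default encsalts, even though the commit message says the password-change path relies on kadmin handing back exactly this list. I would put `/* Deliberately the full supported list: the password-change path recognises this exact list coming back from kadmin and substitutes the real default encsalts. */` above the call so nobody later "corrects" it to the defaults and silently disables that detection. The error branch also drops `ret` and jumps to `done:`, whose cleanup is outside this hunk; since the free function in the second hunk shows the entry owns a heap `name`, it is worth confirming that path releases `pentry->name` and not only `pentry`. It would also help to check what the helper returns when `n_supp_encs` is 0, because a non-zero return there would presumably turn every policy lookup into `KRB5_KDB_INTERNAL_ERROR`.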
@@ -274,6 +281,7 @@ void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val)
{
if (val) {
free(val->name);
+ free(val->allowed_keysalts);
free(val);
}
}