From bde182421226bb32ab676c13a85bc95a2572f322 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 24 Nov 2015 13:42:10 -0500
Subject: Introduce option to disable the SetKeytab exop

If DisableSetKeytab is set in ipaConfig options then setkeytab will not be available. The default is still to allow this operation for backwards compatibility towards older clients that do not know how to use the new GetKeytab extended operation.

Signed-off-by: Simo Sorce
Ticket: https://fedorahosted.org/freeipa/ticket/5485
---
 API.txt | 2 +-
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 4 ++++
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 5 +++++
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 1 +
 ipalib/plugins/config.py | 1 +
 5 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/API.txt b/API.txt
index 1e6942d06..bcdbe6bb6 100644
--- a/API.txt
+++ b/API.txt
@@ -766,7 +766,7 @@ args: 0,25,3
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'DisableSetKeytab', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
 option: Str('ipadefaultemaildomain', attribute=True, autofill=False, cli_name='emaildomain', multivalue=False, required=False)
 option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
 option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='defaultgroup', multivalue=False, required=False)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 5dc606d22..f79c0b4a6 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -232,6 +232,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 /* get the ipa etc/ipaConfig entry */
 config->allow_nt_hash = false;
+ config->disable_setkeytab = false;
 ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
 if (ret != LDAP_SUCCESS) {
 LOG_FATAL("No config Entry?\n");
@@ -243,6 +244,9 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
 config->allow_nt_hash = true;
 continue;
+ } else if (strcasecmp(tmparray[i], "DisableSetKeytab") == 0) {
+ config->disable_setkeytab = true;
+ continue;
 }
 }
 if (tmparray) slapi_ch_array_free(tmparray);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index dc657cc4e..aa45ed3e7 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1742,6 +1742,11 @@ static int ipapwd_extop(Slapi_PBlock *pb)
 return ret;
 }
 if (strcasecmp(oid, KEYTAB_SET_OID) == 0) {
+ if (krbcfg->disable_setkeytab) {
+ errMesg = "Operation administratively disabled.\n";
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ goto free_and_return;
+ }
 ret = ipapwd_setkeytab(pb, krbcfg);
 free_ipapwd_krbcfg(&krbcfg);
 return ret;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 2e9d4fe86..a6a85d78d 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -109,6 +109,7 @@ struct ipapwd_krbcfg {
 char **passsync_mgrs;
 int num_passsync_mgrs;
 bool allow_nt_hash;
+ bool disable_setkeytab;
 };
 int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
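Review bot: The new refusal in ipapwd_extop returns LDAP_UNWILLING_TO_PERFORM without logging anything, so once an administrator sets DisableSetKeytab there is no server-side trace of which clients are still calling the legacy SetKeytab exop — and per the commit message those are exactly the old clients that still need migrating to GetKeytab. I would log before the goto, using the macro the plugin already uses for refused operations (LOG_FATAL is the one visible in the common.c hunk, or a lower level if the plugin has one for audit): `LOG_FATAL("SetKeytab exop refused: disabled by DisableSetKeytab in ipaConfig\n");`. Note also that the sibling paths in this hunk release the config explicitly with `free_ipapwd_krbcfg(&krbcfg)` before returning, whereas the new branch relies on `free_and_return` to do so; that label lies outside the hunk, so please confirm it frees krbcfg rather than leaking it on every refused call. The body of ipapwd_extop starts and ends outside the hunk.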
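Review bot: The new `disable_setkeytab` field is undocumented, and nothing in ipapwd.h ties it back to the ipaConfigString value that sets it or to the operation it gates; a one-line comment saves the next reader a trip through common.c and ipa_pwd_extop.c: `bool disable_setkeytab; /* ipaConfigString "DisableSetKeytab": refuse the legacy SetKeytab exop */`. struct ipapwd_krbcfg begins before the hunk.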
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 86b7ca863..ce7966bf5 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -201,6 +201,7 @@ class config(LDAPObject):
 label=_('Password plugin features'),
 doc=_('Extra hashes to generate in password plug-in'),
 values=(u'AllowNThash',
+ u'DisableSetKeytab',
 u'KDC:Disable Last Success',
 u'KDC:Disable Lockout'),
 csv=True, ),
-- cgit
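Review bot: The option's help text, `doc=_('Extra hashes to generate in password plug-in')`, no longer describes the value this hunk adds: DisableSetKeytab switches an extended operation off rather than generating a hash, and this string is what the CLI help shows the administrator deciding whether to set it. I would reword it along the lines of `doc=_('Password plug-in features: extra hashes to generate, or operations to disable (DisableSetKeytab turns off the legacy SetKeytab extended operation)')`. It is also worth knowing that the server side matches the value with strcasecmp (see the common.c hunk) while this StrEnum accepts only the exact spelling, so hand-edited LDAP entries with different casing will take effect but not round-trip through this option. The enclosing class config(LDAPObject) starts and ends outside the hunk.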