author | Greg Hudson <ghudson@mit.edu> | 2010-08-12 17:41:41 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2010-08-12 17:41:41 +0000 |
commit | 06bdc5c1cd257e7e85d8d29833ca54dd55b3a4f2 (patch) | |
tree | b7353e6ae8e6d93b1f58a4b31e29be204c89bd08 /src/include | |
parent | 1c0791bb201ff274dbbf8aa644bfffc200f15f08 (diff) | |
Add GIC option for password/account expiration callback
Add a new GIC option to specify a callback to receive password and
account expiration times found in an AS reply.
See also:
http://k5wiki.kerberos.org/wiki/Projects/Password_expiration_API
ticket: 6755
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24241 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/k5-int.h | 2 | ||||
-rw-r--r-- | src/include/krb5/krb5.hin | 44 |
2 files changed, 46 insertions, 0 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 19bf26b38..bb078c070 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1142,6 +1142,8 @@ typedef struct _krb5_gic_opt_private {
     char * fast_ccache_name;
     krb5_ccache out_ccache;
     krb5_flags fast_flags;
+    krb5_expire_callback_func *expire_cb;
+    void *expire_data;
 } krb5_gic_opt_private;
 
 /*
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 7d7e425a3..f49ef95e2 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -1003,6 +1003,8 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
 #define KRB5_LRQ_ONE_LAST_REQ (-5)
 #define KRB5_LRQ_ALL_PW_EXPTIME 6
 #define KRB5_LRQ_ONE_PW_EXPTIME (-6)
+#define KRB5_LRQ_ALL_ACCT_EXPTIME 7
+#define KRB5_LRQ_ONE_ACCT_EXPTIME (-7)
 
 /* PADATA types */
 #define KRB5_PADATA_NONE 0
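Review bot: `expire_cb` is a bare function pointer appended to `krb5_gic_opt_private`, so every path that creates or copies this struct must leave it NULL or the "is a callback set?" test in the AS-reply code (presumably added elsewhere in this commit) would call through an uninitialized pointer. The allocator is not in this hunk; confirm it zeroes the whole struct with calloc()/memset rather than assigning fields one by one, and that any copy path carries `expire_cb` and `expire_data` together. The type comes from the public krb5.hin, so a short field comment such as `/* Optional expiry-time callback set via krb5_get_init_creds_opt_set_expire_callback() */` would help readers of the private header. The struct definition begins before this hunk.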
@@ -2352,6 +2354,48 @@ krb5_get_init_creds_opt_get_fast_flags(krb5_context context,
 /* Fast flags*/
 #define KRB5_FAST_REQUIRED 1l<<0 /*!< Require KDC to support FAST*/
 
+typedef void
+krb5_expire_callback_func(krb5_context context, void *data,
+                          krb5_timestamp password_expiration,
+                          krb5_timestamp account_expiration,
+                          krb5_boolean is_last_req);
+
+/**
+ * Set a callback to receive password and account expiration times.
+ *
+ * This option only applies to krb5_get_init_creds_password(). @a cb will be
+ * invoked if and only if credentials are successfully acquired. The callback
+ * will receive the @a context from the krb5_get_init_creds_password() call and
+ * the @a data argument supplied with this API. The remaining arguments should
+ * be interpreted as follows:
+ *
+ * If @a is_last_req is true, then the KDC reply contained last-req entries
+ * which unambiguously indicated the password expiration, account expiration,
+ * or both. (If either value was not present, the corresponding argument will
+ * be 0.) Furthermore, a non-zero @a password_expiration should be taken as a
+ * suggestion from the KDC that a warning be displayed.
+ *
+ * If @a is_last_req is false, then @a account_expiration will be 0 and @a
+ * password_expiration will contain the expiration time of either the password
+ * or account, or 0 if no expiration time was indicated in the KDC reply. The
+ * callback should independently decide whether to display a password
+ * expiration warning.
+ *
+ * Note that @a cb may be invoked even if credentials are being acquired for
+ * the kadmin/changepw service in order to change the password. It is the
+ * caller's responsibility to avoid displaying a password expiry warning in
+ * this case.
+ *
+ * Setting an expire callback with this API will cause
+ * krb5_get_init_creds_password() not to send password expiry warnings to the
+ * prompter, as it ordinarily may.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_expire_callback(krb5_context context,
+                                            krb5_get_init_creds_opt *opt,
+                                            krb5_expire_callback_func cb,
+                                            void *data);
+
 krb5_error_code KRB5_CALLCONV
 krb5_get_init_creds_password(krb5_context context, krb5_creds *creds,
                              krb5_principal client, char *password,
|
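Review bot: The doc comment on `krb5_get_init_creds_opt_set_expire_callback` says nothing about the lifetime of `data` or about the return value; the k5-int.h side of this commit stores the pointer verbatim (`void *expire_data`), so the caller must keep it valid at least until krb5_get_init_creds_password() returns, and a wrapper that hands in a stack or temporary object would otherwise pass a dangling pointer to the callback. I would add `@param data Opaque pointer passed to @a cb; not copied, must stay valid until krb5_get_init_creds_password() returns.` and a `@retval 0 Success` line, plus whatever error is returned when @a opt was not obtained from krb5_get_init_creds_opt_alloc(), if this setter rejects such opts like the neighbouring FAST setters appear to — confirm against the implementation, which is not in this hunk. The typedef itself has no Doxygen text, so readers who land on `krb5_expire_callback_func` first get nothing; a one-line `/** Callback for krb5_get_init_creds_opt_set_expire_callback(); see that function for the argument semantics. */` would fix that. It is also worth stating that a timestamp of `0` means "not reported" rather than the epoch, since the comment relies on that sentinel in three places.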