authorGreg Hudson <ghudson@mit.edu>2009-10-25 16:55:12 +0000
committerGreg Hudson <ghudson@mit.edu>2009-10-25 16:55:12 +0000
commit8d31a9d396f5bea88def4db395ad12dca2ac2e9f (patch)
tree244f8f5b525432a2a2a280403f38d7b2fbdc0dfd /src/kadmin/server
parentb82e46df9b6cbf663512985a99c6d79f2b0cb796 (diff)
Account lockout
Merge Luke's users/lhoward/lockout2 branch to trunk. Implements account lockout policies for preauth-using principals using existing principal metadata fields and new policy fields. The kadmin API version is bumped from 2 to 3 to compatibly extend the policy_ent_rec structure. ticket: 6577 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23038 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin/server')
-rw-r--r--src/kadmin/server/ipropd_svc.c37
-rw-r--r--src/kadmin/server/ovsec_kadmd.c2
-rw-r--r--src/kadmin/server/server_stubs.c4
3 files changed, 36 insertions, 7 deletions
diff --git a/src/kadmin/server/ipropd_svc.c b/src/kadmin/server/ipropd_svc.c
index 9140bbdc4..127a5045d 100644
--- a/src/kadmin/server/ipropd_svc.c
+++ b/src/kadmin/server/ipropd_svc.c
@@ -241,8 +241,8 @@ getclhoststr(char *clprinc, char *cl, size_t len)
return (NULL);
}
-kdb_fullresync_result_t *
-iprop_full_resync_1_svc(/* LINTED */ void *argp, struct svc_req *rqstp)
+static kdb_fullresync_result_t *
+ipropx_resync(uint32_t vers, struct svc_req *rqstp)
{
static kdb_fullresync_result_t ret;
char *tmpf = 0;
@@ -255,6 +255,13 @@ iprop_full_resync_1_svc(/* LINTED */ void *argp, struct svc_req *rqstp)
char *client_name = NULL, *service_name = NULL;
char *whoami = "iprop_full_resync_1";
+ /*
+ * vers contains the highest version number the client is
+ * willing to accept. A client can always accept a lower
+ * version: the version number is indicated in the dump
+ * header.
+ */
+
/* default return code */
ret.ret = UPDATE_ERROR;
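Review bot: Log lines from this function will still be tagged `iprop_full_resync_1` (the unchanged `whoami` initialiser in this hunk) even when the request arrives through the new extended procedure, so an audit trail cannot tell the two entry points or the requested dump version apart. Since ipropx_resync now serves both wrappers added further down, consider passing the label in, e.g. `ipropx_resync(uint32_t vers, const char *whoami, struct svc_req *rqstp)`, or including `vers` in the messages it logs. The function body continues outside this hunk, so not all of the affected log calls are visible here.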
@@ -323,10 +330,12 @@ iprop_full_resync_1_svc(/* LINTED */ void *argp, struct svc_req *rqstp)
/*
* note the -i; modified version of kdb5_util dump format
- * to include sno (serial number)
+ * to include sno (serial number). This argument is now
+ * versioned (-i0 for legacy dump format, -i1 for ipropx
+ * version 1 format, etc)
*/
- if (asprintf(&ubuf, "%s dump -i %s </dev/null 2>&1",
- KPROPD_DEFAULT_KDB5_UTIL, tmpf) < 0) {
+ if (asprintf(&ubuf, "%s dump -i%d %s </dev/null 2>&1",
+ KPROPD_DEFAULT_KDB5_UTIL, vers, tmpf) < 0) {
krb5_klog_syslog(LOG_ERR,
_("%s: cannot construct kdb5 util dump string too long; out of memory"),
whoami);
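Review bot: `vers` is a `uint32_t` taken straight from the RPC argument (`*argp` in iprop_full_resync_ext_1_svc, added in a later hunk) and is formatted with `%d` into a command line that, judging by the `</dev/null 2>&1` redirections, is handed to a shell. Because it is integer-formatted it cannot carry shell metacharacters, but no range check is visible, so values above INT_MAX print as a negative number and any unsupported version is passed to kdb5_util as-is. The comment added earlier says a client always accepts a lower version, so clamping `vers` to the highest format this server produces before the asprintf, and formatting with `-i%u` and `(unsigned int)vers`, would keep the generated option well-formed. The rest of ipropx_resync, including where the command is run, lies outside this hunk.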
@@ -422,6 +431,18 @@ out:
return (&ret);
}
+kdb_fullresync_result_t *
+iprop_full_resync_1_svc(/* LINTED */ void *argp, struct svc_req *rqstp)
+{
+ return ipropx_resync(IPROPX_VERSION_0, rqstp);
+}
+
+kdb_fullresync_result_t *
+iprop_full_resync_ext_1_svc(uint32_t *argp, struct svc_req *rqstp)
+{
+ return ipropx_resync(*argp, rqstp);
+}
+
static int
check_iprop_rpcsec_auth(struct svc_req *rqstp)
{
@@ -535,6 +556,12 @@ krb5_iprop_prog_1(struct svc_req *rqstp,
local = (char *(*)()) iprop_full_resync_1_svc;
break;
+ case IPROP_FULL_RESYNC_EXT:
+ _xdr_argument = xdr_u_int32;
+ _xdr_result = xdr_kdb_fullresync_result_t;
+ local = (char *(*)()) iprop_full_resync_ext_1_svc;
+ break;
+
default:
krb5_klog_syslog(LOG_ERR,
_("RPC unknown request: %d (%s)"),
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index fb42c7bde..c01cbef73 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -306,7 +306,7 @@ int main(int argc, char *argv[])
if((ret = kadm5_init(context, "kadmind", NULL,
NULL, &params,
KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2,
+ KADM5_API_VERSION_3,
db_args,
&global_server_handle)) != KADM5_OK) {
const char *e_txt = krb5_get_error_message (context, ret);
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index dc949ff18..9449fe8c2 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -1598,12 +1598,14 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
trunc_name(&slen, &sdots);
/* okay to cast lengths to int because trunc_name limits max value */
krb5_klog_syslog(LOG_NOTICE, "Request: kadm5_init, %.*s%s, %s, "
- "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
+ "client=%.*s%s, service=%.*s%s, addr=%s, "
+ "vers=%d, flavor=%d",
(int)clen, (char *)client_name.value, cdots,
errmsg ? errmsg : "success",
(int)clen, (char *)client_name.value, cdots,
(int)slen, (char *)service_name.value, sdots,
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
+ ret.api_version & ~(KADM5_API_VERSION_MASK),
rqstp->rq_cred.oa_flavor);
if (errmsg != NULL)
krb5_free_error_message(NULL, errmsg);
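Review bot: The new `vers=%d` field reads `ret.api_version`, but this line is also emitted on failure (`errmsg ? errmsg : "success"`). If `ret.api_version` is only filled in after a successful handle check, which is not visible in this hunk, a rejected init would log a stale or zero version rather than what the client asked for. For an audit record of version-mismatch failures it is more useful to log the requested value, presumably the `arg` parameter, e.g. `(int)(*arg & ~(KADM5_API_VERSION_MASK)),`. The explicit `(int)` cast also matches the `%d` specifier, as the neighbouring length arguments already do. init_2_svc begins and ends outside the hunk.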