authorGreg Hudson <ghudson@mit.edu>2009-10-25 16:55:12 +0000
committerGreg Hudson <ghudson@mit.edu>2009-10-25 16:55:12 +0000
commit8d31a9d396f5bea88def4db395ad12dca2ac2e9f (patch)
tree244f8f5b525432a2a2a280403f38d7b2fbdc0dfd /src/lib/kdb
parentb82e46df9b6cbf663512985a99c6d79f2b0cb796 (diff)
downloadkrb5-8d31a9d396f5bea88def4db395ad12dca2ac2e9f.tar.gz
krb5-8d31a9d396f5bea88def4db395ad12dca2ac2e9f.tar.xz
krb5-8d31a9d396f5bea88def4db395ad12dca2ac2e9f.zip
Account lockout
Merge Luke's users/lhoward/lockout2 branch to trunk. Implements account lockout policies for preauth-using principals using existing principal metadata fields and new policy fields. The kadmin API version is bumped from 2 to 3 to compatibly extend the policy_ent_rec structure. ticket: 6577 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23038 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kdb')
-rw-r--r--src/lib/kdb/iprop.x6
-rw-r--r--src/lib/kdb/kdb_convert.c75
2 files changed, 51 insertions, 30 deletions
diff --git a/src/lib/kdb/iprop.x b/src/lib/kdb/iprop.x
index 840e7a2e5..82ffdfe05 100644
--- a/src/lib/kdb/iprop.x
+++ b/src/lib/kdb/iprop.x
@@ -219,5 +219,11 @@ program KRB5_IPROP_PROG {
*/
kdb_fullresync_result_t
IPROP_FULL_RESYNC(void) = 2;
+
+ /*
+ * Full resync with version marker
+ */
+ kdb_fullresync_result_t
+ IPROP_FULL_RESYNC_EXT(uint32_t) = 3;
} = 1;
} = 100423;
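Review bot: The new IPROP_FULL_RESYNC_EXT procedure takes a bare uint32_t whose meaning the comment leaves to the reader; "version marker" does not say whose version it carries or what a server should do with a value it does not recognise, and this is a wire definition that old and new KDCs must agree on. Assuming the argument is the caller's iprop protocol version (the hunk itself does not show this), the comment should say so, e.g. `/* Full resync; arg is the client's iprop protocol version, used by the server to choose the update format it returns. */`. It is also worth stating in the same comment that a client must fall back to IPROP_FULL_RESYNC when a peer on the old program version rejects procedure 3, since nothing in the .x file enforces that.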
diff --git a/src/lib/kdb/kdb_convert.c b/src/lib/kdb/kdb_convert.c
index cecf5133f..9eacac3ea 100644
--- a/src/lib/kdb/kdb_convert.c
+++ b/src/lib/kdb/kdb_convert.c
@@ -44,6 +44,7 @@ typedef enum {
*/
static void
find_changed_attrs(krb5_db_entry *current, krb5_db_entry *new,
+ krb5_boolean exclude_nra,
kdbe_attr_type_t *attrs, int *nattrs)
{
int i = 0, j = 0;
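Review bot: The new exclude_nra parameter is undocumented; the header comment ends at the `*/` just above the signature, outside this hunk, and a reader has to locate the callers to learn what "nra" stands for. Suggest adding to that comment a line such as `exclude_nra: if TRUE, changes to last_success, last_failed and fail_auth_count (the non-replicated attributes) are not reported in attrs.` The body of find_changed_attrs continues past the end of this hunk.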
@@ -65,14 +66,16 @@ find_changed_attrs(krb5_db_entry *current, krb5_db_entry *new,
if (current->pw_expiration != new->pw_expiration)
attrs[i++] = AT_PW_EXP;
- if (current->last_success != new->last_success)
- attrs[i++] = AT_LAST_SUCCESS;
+ if (!exclude_nra) {
+ if (current->last_success != new->last_success)
+ attrs[i++] = AT_LAST_SUCCESS;
- if (current->last_failed != new->last_failed)
- attrs[i++] = AT_LAST_FAILED;
+ if (current->last_failed != new->last_failed)
+ attrs[i++] = AT_LAST_FAILED;
- if (current->fail_auth_count != new->fail_auth_count)
- attrs[i++] = AT_FAIL_AUTH_COUNT;
+ if (current->fail_auth_count != new->fail_auth_count)
+ attrs[i++] = AT_FAIL_AUTH_COUNT;
+ }
if ((current->princ->type == new->princ->type) &&
(current->princ->length == new->princ->length)) {
@@ -128,7 +131,6 @@ find_changed_attrs(krb5_db_entry *current, krb5_db_entry *new,
break;
}
}
-
} else {
attrs[i++] = AT_TL_DATA;
}
@@ -307,6 +309,8 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries,
kdb_incr_update_t *upd;
krb5_db_entry *ent;
int kadm_data_yes;
+ /* always exclude non-replicated attributes, for now */
+ krb5_boolean exclude_nra = TRUE;
if ((updates == NULL) || (entries == NULL))
return (KRB5KRB_ERR_GENERIC);
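Review bot: exclude_nra is a local initialised to the constant TRUE, so every conversion through this function silently omits last_success, last_failed and fail_auth_count from the update log, and the `!exclude_nra` guards added later in this function can never be taken. If the intent is for this to become configurable, the comment should say where the value will come from, e.g. `/* TODO: make this a per-realm/KDC setting; lockout counters are currently KDC-local by design. */`; if not, the parameter plumbing through find_changed_attrs could be dropped and the three attributes left out unconditionally. Either way the operational consequence — each KDC keeps its own failure counters, so lockout is not realm-wide — deserves a sentence here so operators do not assume otherwise. ulog_conv_2logentry continues outside this hunk.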
@@ -320,6 +324,10 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries,
kadm_data_yes = 0;
attr_types = NULL;
+ /*
+ * XXX we rely on the good behaviour of the database not to
+ * exceed this limit.
+ */
if ((upd->kdb_update.kdbe_t_val = (kdbe_val_t *)
malloc(MAXENTRY_SIZE)) == NULL) {
return (ENOMEM);
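Review bot: The new comment records an unchecked bound rather than enforcing it: kdbe_t_val is a fixed MAXENTRY_SIZE-byte allocation, and the attribute values appended later in this function with `ULOG_ENTRY(upd, ++final)` (outside this hunk) are never compared against it, so an oversized principal entry from a corrupted or tampered database would write past the buffer. If MAXENTRY_SIZE bounds the number of kdbe_val_t slots — the cast suggests so but the macro is not visible here — a guard such as `if ((size_t)(final + 1) >= MAXENTRY_SIZE / sizeof(kdbe_val_t)) return KRB5KRB_ERR_GENERIC;` before each append, or sizing the allocation from nattrs once find_changed_attrs has run, would turn the XXX into a guarantee. At minimum the comment should state what unit the limit is in so the check can be written correctly.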
@@ -359,7 +367,7 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries,
nattrs++;
}
} else {
- find_changed_attrs(&curr, ent, attr_types, &nattrs);
+ find_changed_attrs(&curr, ent, exclude_nra, attr_types, &nattrs);
krb5_db_free_principal(context, &curr, nprincs);
}
@@ -413,7 +421,7 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries,
break;
case AT_LAST_SUCCESS:
- if (ent->last_success >= 0) {
+ if (!exclude_nra && ent->last_success >= 0) {
ULOG_ENTRY_TYPE(upd, ++final).av_type =
AT_LAST_SUCCESS;
ULOG_ENTRY(upd,
@@ -423,7 +431,7 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries,
break;
case AT_LAST_FAILED:
- if (ent->last_failed >= 0) {
+ if (!exclude_nra && ent->last_failed >= 0) {
ULOG_ENTRY_TYPE(upd, ++final).av_type =
AT_LAST_FAILED;
ULOG_ENTRY(upd,
@@ -433,7 +441,7 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries,
break;
case AT_FAIL_AUTH_COUNT:
- if (ent->fail_auth_count >= (krb5_kvno)0) {
+ if (!exclude_nra && ent->fail_auth_count >= (krb5_kvno)0) {
ULOG_ENTRY_TYPE(upd, ++final).av_type =
AT_FAIL_AUTH_COUNT;
ULOG_ENTRY(upd,
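Review bot: The rewritten condition keeps `ent->fail_auth_count >= (krb5_kvno)0`, which is always true if krb5_kvno is an unsigned type (as it is in krb5's own headers, though that is not shown here), so the comparison only adds a -Wtype-limits warning; `if (!exclude_nra) {` is the whole test. The same applies to the two timestamp comparisons above only if krb5_timestamp is signed, which it is in this era of the code, so those are fine. The enclosing switch continues outside this hunk.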
@@ -611,6 +619,7 @@ ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries,
int k;
krb5_db_entry *ent;
kdb_incr_update_t *upd;
+ int slave;
if ((updates == NULL) || (entries == NULL))
return (KRB5KRB_ERR_GENERIC);
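Review bot: `int slave;` holds a boolean, while the sibling function in this file uses krb5_boolean for the analogous exclude_nra flag; `krb5_boolean slave;` keeps the two consistent and signals intent at the declaration. The variable is assigned a few lines further down (next hunk) before any use, so there is no initialisation problem, but initialising at declaration would remove the need to check.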
@@ -618,6 +627,9 @@ ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries,
ent = entries;
upd = updates;
+ slave = (context->kdblog_context != NULL) &&
+ (context->kdblog_context->iproprole == IPROP_SLAVE);
+
for (k = 0; k < nentries; k++) {
krb5_principal mod_princ = NULL;
int i, j, cnt = 0, mod_time = 0, nattrs, nprincs = 0;
@@ -692,15 +704,18 @@ ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries,
break;
case AT_LAST_SUCCESS:
- ent->last_success = (krb5_timestamp) u.av_last_success;
+ if (!slave)
+ ent->last_success = (krb5_timestamp) u.av_last_success;
break;
case AT_LAST_FAILED:
- ent->last_failed = (krb5_timestamp) u.av_last_failed;
+ if (!slave)
+ ent->last_failed = (krb5_timestamp) u.av_last_failed;
break;
case AT_FAIL_AUTH_COUNT:
- ent->fail_auth_count = (krb5_kvno) u.av_fail_auth_count;
+ if (!slave)
+ ent->fail_auth_count = (krb5_kvno) u.av_fail_auth_count;
break;
case AT_PRINC:
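Review bot: Dropping AT_LAST_SUCCESS, AT_LAST_FAILED and AT_FAIL_AUTH_COUNT on a slave means the slave's lockout state is whatever it has accumulated locally, and since the master side of this commit also never emits these attributes (exclude_nra is fixed to TRUE earlier in the file), the counters are never reconciled between KDCs. If the lockout policy is enforced per KDC against fail_auth_count — which this hunk does not show — an attacker who can reach several KDCs gets roughly one lockout budget per KDC, and a re-synced slave keeps whatever stale counter it had. A comment above the three cases would make that explicit for whoever revisits it: `/* Lockout attributes are KDC-local: never overwrite a slave's own counters with the master's. */`. Note also that `slave` is derived from context->kdblog_context, so a context without one is treated as the master and accepts these values; that is presumably intended but worth a word. The enclosing switch starts and ends outside this hunk.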
@@ -765,34 +780,34 @@ ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries,
}
break;
- case AT_TL_DATA:
+ case AT_TL_DATA: {
+ int t;
+
cnt = u.av_tldata.av_tldata_len;
- newtl = malloc(cnt * sizeof (krb5_tl_data));
- (void) memset(newtl, 0, (cnt * sizeof (krb5_tl_data)));
+ newtl = calloc(cnt, sizeof (krb5_tl_data));
if (newtl == NULL)
return (ENOMEM);
- for (j = 0; j < cnt; j++) {
- newtl[j].tl_data_type = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_type;
- newtl[j].tl_data_length = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_data.tl_data_len;
- newtl[j].tl_data_contents = NULL;
- newtl[j].tl_data_contents = malloc(newtl[j].tl_data_length * sizeof (krb5_octet));
- if (newtl[j].tl_data_contents == NULL)
+ for (j = 0, t = 0; j < cnt; j++) {
+ newtl[t].tl_data_type = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_type;
+ newtl[t].tl_data_length = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_data.tl_data_len;
+ newtl[t].tl_data_contents = malloc(newtl[t].tl_data_length * sizeof (krb5_octet));
+ if (newtl[t].tl_data_contents == NULL)
/* XXX Memory leak: newtl
and previously
allocated elements. */
return (ENOMEM);
- (void) memset(newtl[j].tl_data_contents, 0, (newtl[j].tl_data_length * sizeof (krb5_octet)));
- (void) memcpy(newtl[j].tl_data_contents, u.av_tldata.av_tldata_val[j].tl_data.tl_data_val, newtl[j].tl_data_length);
- newtl[j].tl_data_next = NULL;
- if (j > 0)
- newtl[j - 1].tl_data_next = &newtl[j];
+ (void) memcpy(newtl[t].tl_data_contents, u.av_tldata.av_tldata_val[t].tl_data.tl_data_val, newtl[t].tl_data_length);
+ newtl[t].tl_data_next = NULL;
+ if (t > 0)
+ newtl[t - 1].tl_data_next = &newtl[t];
+ t++;
}
if ((ret = krb5_dbe_update_tl_data(context, ent, newtl)))
return (ret);
- for (j = 0; j < cnt; j++)
+ for (j = 0; j < t; j++)
if (newtl[j].tl_data_contents) {
free(newtl[j].tl_data_contents);
newtl[j].tl_data_contents = NULL;
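Review bot: The memcpy in the middle of the new loop reads its source from `av_tldata_val[t]` while the type and length two lines above come from `av_tldata_val[j]`; t and j never diverge in this loop, so the copy is correct today, but the separate index only earns its keep if an entry can be skipped, and then this one line would silently pair element j's length with element t's bytes. Change it to `u.av_tldata.av_tldata_val[j].tl_data.tl_data_val` so all three reads agree, or drop t and use j throughout. Two pre-existing problems survive the rewrite and merit a follow-up: a zero-length tl_data element calls `malloc(0)`, which may legitimately return NULL and is then reported as ENOMEM, and the XXX leak of newtl and already-allocated contents on allocation failure is still there. The krb5_int16 casts also truncate any tl_data_len above 32767 without notice, which matters because this data arrives over the iprop RPC.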
@@ -803,7 +818,7 @@ ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries,
}
break;
/* END CSTYLED */
-
+ }
case AT_PW_LAST_CHANGE:
if ((ret = krb5_dbe_update_last_pwd_change(context, ent,
u.av_pw_last_change)))
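Review bot: The block opened in the previous hunk with `case AT_TL_DATA: {` is closed here after the `break;` and the `/* END CSTYLED */` marker, so the brace sits between two case labels and reads like a stray token on first pass. Putting the exit outside the block — `}` then `break;` — keeps the case body and its exit visually paired, with the CSTYLED marker following. Nothing functional changes either way.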