| author | Will Fiveash <will.fiveash@oracle.com> | 2009-01-30 23:55:14 +0000 |
|---|---|---|
| committer | Will Fiveash <will.fiveash@oracle.com> | 2009-01-30 23:55:14 +0000 |
| commit | e246f7e7b2cddfca9eb744f24e50dd034247a74b (patch) | |
| tree | 97ec348048dab2eec4206fa99df1e18adab77cf1 /src/plugins/kdb/ldap/ldap_util | |
| parent | 77b1e1108ca32617fe43825748c68c575e77f010 (diff) | |
Master Key Migration Project
Commit for the Master Key Migration Project.
http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration
This commit provides the ability to add a new master key (with an
enctype differing from the current master key) to the master key
principal and stash file and then migrate the encryption of existing
principals' long-term keys to use the new master key. In addition,
deletion of master keys is provided.
ticket: 6354
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21844 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/kdb/ldap/ldap_util')
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c | 27 |
1 files changed, 19 insertions, 8 deletions
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index c13d96710..60d9e25f7 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -2379,6 +2379,8 @@ kdb_ldap_create_principal (context, princ, op, pblock)
     krb5_ldap_context *ldap_context=NULL;
     struct iterate_args iargs;
     krb5_data *pdata;
+    krb5_timestamp now;
+    krb5_actkvno_node actkvno;
 
     if ((pblock == NULL) || (context == NULL)) {
         retval = EINVAL;
@@ -2425,14 +2427,12 @@ kdb_ldap_create_principal (context, princ, op, pblock)
     entry.tl_data = tl_data;
     entry.n_tl_data += 1;
     /* Set the creator's name */
-    {
-        krb5_timestamp now;
-        if ((retval = krb5_timeofday(context, &now)))
-            goto cleanup;
-        if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry,
-                                                         now, &db_create_princ)))
-            goto cleanup;
-    }
+    if ((retval = krb5_timeofday(context, &now)))
+        goto cleanup;
+    if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry,
+                                                     now, &db_create_princ)))
+        goto cleanup;
+
     entry.attributes = pblock->flags;
     entry.max_life = pblock->max_life;
     entry.max_renewable_life = pblock->max_rlife;
@@ -2507,6 +2507,17 @@ kdb_ldap_create_principal (context, princ, op, pblock)
         if (retval) {
             goto cleanup;
         }
+        /*
+         * There should always be at least one "active" mkey so creating the
+         * KRB5_TL_ACTKVNO entry now so the initial mkey is active.
+         */
+        actkvno.next = NULL;
+        actkvno.act_kvno = kvno;
+        actkvno.act_time = now;
+        retval = krb5_dbe_update_actkvno(context, &entry, &actkvno);
+        if (retval)
+            goto cleanup;
+
 
         break;
     case NULL_KEY:
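Review bot: The comment above the new actkvno block in the third hunk is hard to parse ("so creating the ... now so the initial mkey is active") and does not say why the invariant matters; I would reword it as `/* Mark the initial mkey as active in KRB5_TL_ACTKVNO: a realm must always have at least one active mkey, and this is the only master key at realm creation. */`. `actkvno.act_time = now` reuses the timestamp taken in the "Set the creator's name" step earlier in the function rather than reading the clock again, so activation time equals realm-creation time; that looks intended, but it depends on that earlier step running on every path that reaches this switch arm, which cannot be confirmed from the hunks alone. Only realms created through this path receive an ACTKVNO entry, so a master key principal that predates this change carries none; whatever consumes KRB5_TL_ACTKVNO (not in this diff) presumably has to treat its absence as "the current kvno is active", which is worth confirming before relying on the invariant stated in the comment. kdb_ldap_create_principal begins and ends outside the hunk.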
