authorGreg Hudson <ghudson@mit.edu>2012-07-26 20:11:55 -0400
committerGreg Hudson <ghudson@mit.edu>2012-07-30 19:11:34 -0400
commit5edafa053268fcc021d4f4ec091638efbbaac700 (patch)
tree38ee1e84a46ee78d10a4b61df31d185e5f77d425 /src/plugins
parent3576bd662be9b7cc2cca97065fe467e745542b69 (diff)
Add LDAP back end support for policy extensions
ticket: 7223
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif48
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema38
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c43
3 files changed, 127 insertions, 2 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
index 695c10837..a6e9ef279 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
@@ -373,6 +373,54 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.3
SINGLE-VALUE)
+##### Policy attribute flags
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.2
+ NAME 'krbPwdAttributes'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket lifetime
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.3
+ NAME 'krbPwdMaxLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket renewable lifetime
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.4
+ NAME 'krbPwdMaxRenewableLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Allowed enctype:salttype combinations for key changes
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.5
+ NAME 'krbPwdAllowedKeysalts'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE)
+
+
##### FDN pointing to a Kerberos Password Policy object
dn: cn=schema
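Review bot: This hunk adds the four new attribute types to kerberos.ldif but, per the diffstat (48 insertions, no deletions in this file), the LDIF's `krbPwdPolicy` objectclass MAY list is not extended, whereas the kerberos.schema hunk does extend it with `krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts`. Unless the LDIF objectclass definition (outside this hunk) already permits these attributes, a directory provisioned from this LDIF should reject policy entries that carry them with an object class violation, so the new lifetime and keysalt limits would not be stored for deployments using the LDIF form of the schema. The fix is a matching `changetype: modify` / `replace: objectClasses` entry for OID 2.16.840.1.113719.1.301.6.14.1 that appends the same four names to its MAY list, keeping the two schema files in step.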
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
index f4f8aca3f..ecc7783e5 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
@@ -297,6 +297,42 @@ attributetype ( 1.3.6.1.4.1.5322.21.2.3
SINGLE-VALUE)
+##### Policy attribute flags
+
+attributetype ( 1.2.840.113554.1.4.1.6.2
+ NAME 'krbPwdAttributes'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket lifetime
+
+attributetype ( 1.2.840.113554.1.4.1.6.3
+ NAME 'krbPwdMaxLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket renewable lifetime
+
+attributetype ( 1.2.840.113554.1.4.1.6.4
+ NAME 'krbPwdMaxRenewableLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Allowed enctype:salttype combinations for key changes
+
+attributetype ( 1.2.840.113554.1.4.1.6.5
+ NAME 'krbPwdAllowedKeysalts'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE)
+
+
##### FDN pointing to a Kerberos Password Policy object
attributetype ( 2.16.840.1.113719.1.301.4.36.1
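Review bot: The new `krbPwdMaxLife` sits next to the pre-existing `krbMaxPwdLife` (visible in the MAY list of the following hunk) and the two names differ only by word order while meaning different things, a ticket lifetime versus a password lifetime; the one-line header above the definition should say so explicitly so that a schema reader does not conflate them, e.g. `##### Policy maximum ticket lifetime (not the password lifetime, see krbMaxPwdLife)`, and likewise `##### Policy maximum ticket renewable lifetime (ticket, not password)` for the next entry. The same wording applies to the identical comments in the kerberos.ldif hunk. The `krbPwdAllowedKeysalts` header could also name the value format it expects, since it is the only free-form string among the four and is the one that gates which enctypes a key change may use.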
@@ -656,7 +692,7 @@ objectclass ( 2.16.840.1.113719.1.301.6.14.1
NAME 'krbPwdPolicy'
SUP top
MUST ( cn )
- MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration ) )
+ MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
index f65f626f1..09cfb8ca0 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
@@ -41,7 +41,11 @@ static char *password_policy_attributes[] = { "cn", "krbmaxpwdlife", "krbminpwdl
"krbpwdmindiffchars", "krbpwdminlength",
"krbpwdhistorylength", "krbpwdmaxfailure",
"krbpwdfailurecountinterval",
- "krbpwdlockoutduration", NULL };
+ "krbpwdlockoutduration",
+ "krbpwdattributes",
+ "krbpwdmaxlife",
+ "krbpwdmaxrenewablelife",
+ "krbpwdallowedkeysalts", NULL };
/* Fill in mods with LDAP operations for the fields of policy, using the
* modification type op. mods must be freed by the caller on error. */
@@ -50,6 +54,7 @@ add_policy_mods(krb5_context context, LDAPMod ***mods, osa_policy_ent_t policy,
int op)
{
krb5_error_code st;
+ char *strval[2] = { NULL };
st = krb5_add_int_mem_ldap_mod(mods, "krbmaxpwdlife", op,
(int)policy->pw_max_life);
@@ -91,6 +96,34 @@ add_policy_mods(krb5_context context, LDAPMod ***mods, osa_policy_ent_t policy,
if (st)
return st;
+ st = krb5_add_int_mem_ldap_mod(mods, "krbpwdattributes", op,
+ (int)policy->attributes);
+ if (st)
+ return st;
+
+ st = krb5_add_int_mem_ldap_mod(mods, "krbpwdmaxlife", op,
+ (int)policy->max_life);
+ if (st)
+ return st;
+
+ st = krb5_add_int_mem_ldap_mod(mods, "krbpwdmaxrenewablelife", op,
+ (int)policy->max_renewable_life);
+ if (st)
+ return st;
+
+ if (policy->allowed_keysalts != NULL) {
+ strval[0] = policy->allowed_keysalts;
+ st = krb5_add_str_mem_ldap_mod(mods, "krbpwdallowedkeysalts",
+ op, strval);
+ if (st)
+ return st;
+ }
+
+ /*
+ * Each policy tl-data type we add should be explicitly marshalled here.
+ * Unlike principals, we do not marshal unrecognized policy tl-data.
+ */
+
return 0;
}
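Review bot: `krbpwdallowedkeysalts` is only emitted when `policy->allowed_keysalts` is non-NULL, unlike the three integer attributes above it which are always written; if `op` is a replace-type modification on an existing policy (the callers are outside this hunk, so this is inferred), clearing the keysalt restriction in kadmin leaves the previously stored value in the directory and the old restriction keeps governing key changes for that policy. The NULL case needs to remove the attribute on update, e.g. a delete modification for `krbpwdallowedkeysalts` with no values, guarded so that creating a policy which never had the attribute does not fail on the missing-attribute error. Also worth a short comment on the `(int)policy->attributes` line, since it is the only flag word in this run and is being stored through the same integer helper as the lifetimes: `/* attributes is a flag word; stored as its integer value. */`. add_policy_mods' signature and the `strval` declaration are in the earlier hunks; the function ends at this hunk's closing brace.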
@@ -235,7 +268,15 @@ populate_policy(krb5_context context,
krb5_ldap_get_value(ld, ent, "krbpwdmaxfailure", &(pol_entry->pw_max_fail));
krb5_ldap_get_value(ld, ent, "krbpwdfailurecountinterval", &(pol_entry->pw_failcnt_interval));
krb5_ldap_get_value(ld, ent, "krbpwdlockoutduration", &(pol_entry->pw_lockout_duration));
+ krb5_ldap_get_value(ld, ent, "krbpwdattributes", &(pol_entry->attributes));
+ krb5_ldap_get_value(ld, ent, "krbpwdmaxlife", &(pol_entry->max_life));
+ krb5_ldap_get_value(ld, ent, "krbpwdmaxrenewablelife",
+ &(pol_entry->max_renewable_life));
+ st = krb5_ldap_get_string(ld, ent, "krbpwdallowedkeysalts",
+ &(pol_entry->allowed_keysalts), NULL);
+ if (st)
+ goto cleanup;
/*
* We don't store the policy refcnt, because principals might be maintained
* outside of kadmin. Instead, we will check for principal references when
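Review bot: The three new `krb5_ldap_get_value` calls discard their return value, following the existing lines above them, while the `krb5_ldap_get_string` call right after is checked and jumps to `cleanup`, so one run of reads has two error-handling conventions and a failed integer read is indistinguishable from an absent attribute. For policies stored before this schema extension the four attributes are absent, and the fields then keep whatever value `pol_entry` held before the call, presumably zero from the caller's allocation (outside this hunk, worth confirming), which for `max_life` and `max_renewable_life` means "no policy limit"; that assumption deserves a comment such as `/* Attributes absent from older policy entries leave the fields unchanged (expected zero). */`. Either check these three results the way the string read is checked, or state in the comment why a lookup failure is deliberately tolerated here. populate_policy begins and ends outside this hunk.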