summaryrefslogtreecommitdiffstats
path: root/src/plugins/kdb/ldap
diff options
context:
space:
mode:
Diffstat (limited to 'src/plugins/kdb/ldap')
-rw-r--r--src/plugins/kdb/ldap/ldap_exp.c4
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c27
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h6
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c45
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c42
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c9
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h2
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c18
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h1
9 files changed, 137 insertions, 17 deletions
diff --git a/src/plugins/kdb/ldap/ldap_exp.c b/src/plugins/kdb/ldap/ldap_exp.c
index eaeef2a8c..dcfe93cf9 100644
--- a/src/plugins/kdb/ldap/ldap_exp.c
+++ b/src/plugins/kdb/ldap/ldap_exp.c
@@ -78,10 +78,14 @@ kdb_vftabl kdb_function_table = {
/* optional functions */
/* set_master_key */ krb5_ldap_set_mkey,
/* get_master_key */ krb5_ldap_get_mkey,
+ /* set_master_key_list */ krb5_ldap_set_mkey_list,
+ /* get_master_key_list */ krb5_ldap_get_mkey_list,
/* setup_master_key_name */ NULL,
/* store_master_key */ NULL,
/* fetch_master_key */ NULL /* krb5_ldap_fetch_mkey */,
/* verify_master_key */ NULL /* krb5_ldap_verify_master_key */,
+ /* fetch_master_key_list */ NULL,
+ /* store_master_key_list */ NULL,
/* Search enc type */ NULL,
/* Change pwd */ NULL
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index c13d96710..60d9e25f7 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -2379,6 +2379,8 @@ kdb_ldap_create_principal (context, princ, op, pblock)
krb5_ldap_context *ldap_context=NULL;
struct iterate_args iargs;
krb5_data *pdata;
+ krb5_timestamp now;
+ krb5_actkvno_node actkvno;
if ((pblock == NULL) || (context == NULL)) {
retval = EINVAL;
@@ -2425,14 +2427,12 @@ kdb_ldap_create_principal (context, princ, op, pblock)
entry.tl_data = tl_data;
entry.n_tl_data += 1;
/* Set the creator's name */
- {
- krb5_timestamp now;
- if ((retval = krb5_timeofday(context, &now)))
- goto cleanup;
- if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry,
- now, &db_create_princ)))
- goto cleanup;
- }
+ if ((retval = krb5_timeofday(context, &now)))
+ goto cleanup;
+ if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry,
+ now, &db_create_princ)))
+ goto cleanup;
+
entry.attributes = pblock->flags;
entry.max_life = pblock->max_life;
entry.max_renewable_life = pblock->max_rlife;
@@ -2507,6 +2507,17 @@ kdb_ldap_create_principal (context, princ, op, pblock)
if (retval) {
goto cleanup;
}
+ /*
+ * There should always be at least one "active" mkey so creating the
+ * KRB5_TL_ACTKVNO entry now so the initial mkey is active.
+ */
+ actkvno.next = NULL;
+ actkvno.act_kvno = kvno;
+ actkvno.act_time = now;
+ retval = krb5_dbe_update_actkvno(context, &entry, &actkvno);
+ if (retval)
+ goto cleanup;
+
break;
case NULL_KEY:
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index 74bf4b17e..802ab0fc3 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -267,6 +267,12 @@ krb5_error_code
krb5_ldap_set_mkey(krb5_context, char *, krb5_keyblock *);
krb5_error_code
+krb5_ldap_get_mkey_list (krb5_context context, krb5_keylist_node **key_list);
+
+krb5_error_code
+krb5_ldap_set_mkey_list(krb5_context, krb5_keylist_node *);
+
+krb5_error_code
krb5_ldap_create(krb5_context , char *, char **);
krb5_error_code
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c
index d4c6ac832..f8e1d4415 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c
@@ -148,6 +148,51 @@ krb5_dbe_lookup_last_pwd_change(context, entry, stamp)
return(0);
}
+#if 0 /************** Begin IFDEF'ed OUT *******************************/
+krb5_error_code
+krb5_dbe_lookup_mkvno(krb5_context context,
+ krb5_db_entry *entry,
+ krb5_kvno *mkvno)
+{
+ krb5_tl_data tl_data;
+ krb5_error_code code;
+ krb5_int16 tmp;
+
+ tl_data.tl_data_type = KRB5_TL_MKVNO;
+
+ if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data)))
+ return (code);
+
+ /* XXX need to think about this */
+ if (tl_data.tl_data_length != 2) {
+ *mkvno = 0;
+ return (0);
+ }
+
+ /* XXX this needs to be the inverse of how this is encoded */
+ krb5_kdb_decode_int16(tl_data.tl_data_contents, tmp);
+
+ *mkvno = (krb5_kvno) tmp;
+
+ return (0);
+}
+
+krb5_error_code
+krb5_dbe_update_mkvno(krb5_context context,
+ krb5_db_entry * entry,
+ krb5_kvno mkvno)
+{
+ krb5_tl_data tl_data;
+ krb5_octet buf[2]; /* this is the encoded size of an int16 */
+
+ tl_data.tl_data_type = KRB5_TL_MKVNO;
+ tl_data.tl_data_length = sizeof(buf);
+ krb5_kdb_encode_int16((krb5_int16) mkvno, buf);
+ tl_data.tl_data_contents = buf;
+
+ return (krb5_dbe_update_tl_data(context, entry, &tl_data));
+}
+#endif /**************** END IFDEF'ed OUT *******************************/
/* it seems odd that there's no function to remove a tl_data, but if
I need one, I'll add one */
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c
index 9a364192a..6da080664 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c
@@ -98,3 +98,45 @@ krb5_ldap_set_mkey (context, pwd, key)
memcpy(r_params->mkey.contents, key->contents, key->length);
return 0;
}
+
+krb5_error_code
+krb5_ldap_get_mkey_list (krb5_context context, krb5_keylist_node **key_list)
+
+{
+ kdb5_dal_handle *dal_handle=NULL;
+ krb5_ldap_context *ldap_context=NULL;
+
+ /* Clear the global error string */
+ krb5_clear_error_message(context);
+
+ dal_handle = context->dal_handle;
+ ldap_context = (krb5_ldap_context *) dal_handle->db_context;
+
+ if (ldap_context == NULL || ldap_context->lrparams == NULL)
+ return KRB5_KDB_DBNOTINITED;
+
+ *key_list = ldap_context->lrparams->mkey_list;
+ return 0;
+}
+
+krb5_error_code
+krb5_ldap_set_mkey_list(krb5_context context, krb5_keylist_node *key_list)
+{
+ kdb5_dal_handle *dal_handle=NULL;
+ krb5_ldap_context *ldap_context=NULL;
+ krb5_ldap_realm_params *r_params = NULL;
+
+ /* Clear the global error string */
+ krb5_clear_error_message(context);
+
+ dal_handle = context->dal_handle;
+ ldap_context = (krb5_ldap_context *) dal_handle->db_context;
+
+ if (ldap_context == NULL || ldap_context->lrparams == NULL)
+ return KRB5_KDB_DBNOTINITED;
+
+ r_params = ldap_context->lrparams;
+ r_params->mkey_list = key_list;
+ return 0;
+}
+
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 79ca63472..f0734deb2 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -2059,9 +2059,16 @@ populate_krb5_db_entry (krb5_context context,
/* KRBSECRETKEY */
if ((bvalues=ldap_get_values_len(ld, ent, "krbprincipalkey")) != NULL) {
+ krb5_kvno mkvno = 0;
+
mask |= KDB_SECRET_KEY_ATTR;
- if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data)) != 0)
+ if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data, &mkvno)) != 0)
goto cleanup;
+ if (mkvno != 0) {
+ /* don't add the tl data if mkvno == 0 */
+ if ((st=krb5_dbe_update_mkvno(context, entry, mkvno)) != 0)
+ goto cleanup;
+ }
}
/* LAST PASSWORD CHANGE */
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
index 18e2acc06..502e71ccd 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
@@ -112,7 +112,7 @@ krb5_ldap_parse_principal_name(char *, char **);
krb5_error_code
krb5_decode_krbsecretkey(krb5_context, krb5_db_entry *, struct berval **,
- krb5_tl_data *);
+ krb5_tl_data *, krb5_kvno *);
krb5_error_code
berval2tl_data(struct berval *in, krb5_tl_data **out);
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 561a65d99..e52a61897 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -345,7 +345,7 @@ asn1_encode_sequence_of_keys (krb5_key_data *key_data, krb5_int16 n_key_data,
static krb5_error_code
asn1_decode_sequence_of_keys (krb5_data *in, krb5_key_data **out,
- krb5_int16 *n_key_data, int *mkvno)
+ krb5_int16 *n_key_data, krb5_kvno *mkvno)
{
krb5_error_code err;
ldap_seqof_key_data *p;
@@ -371,7 +371,7 @@ asn1_decode_sequence_of_keys (krb5_data *in, krb5_key_data **out,
/* Decoding ASN.1 encoded key */
static struct berval **
-krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) {
+krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data, krb5_kvno mkvno) {
struct berval **ret = NULL;
int currkvno;
int num_versions = 1;
@@ -396,7 +396,7 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) {
if (i == n_key_data - 1 || key_data[i + 1].key_data_kvno != currkvno) {
asn1_encode_sequence_of_keys (key_data+last,
(krb5_int16) i - last + 1,
- 0, /* For now, mkvno == 0*/
+ mkvno,
&code);
ret[j] = malloc (sizeof (struct berval));
if (ret[j] == NULL) {
@@ -927,8 +927,12 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
}
if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) {
+ krb5_kvno mkvno;
+
+ if ((st=krb5_dbe_lookup_mkvno(context, entries, &mkvno)) != 0)
+ goto cleanup;
bersecretkey = krb5_encode_krbsecretkey (entries->key_data,
- entries->n_key_data);
+ entries->n_key_data, mkvno);
if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
@@ -1220,11 +1224,12 @@ cleanup:
}
krb5_error_code
-krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data)
+krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data, mkvno)
krb5_context context;
krb5_db_entry *entries;
struct berval **bvalues;
krb5_tl_data *userinfo_tl_data;
+ krb5_kvno *mkvno;
{
char *user=NULL;
int i=0, j=0, noofkeys=0;
@@ -1235,7 +1240,6 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data)
goto cleanup;
for (i=0; bvalues[i] != NULL; ++i) {
- int mkvno; /* Not used currently */
krb5_int16 n_kd;
krb5_key_data *kd;
krb5_data in;
@@ -1248,7 +1252,7 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data)
st = asn1_decode_sequence_of_keys (&in,
&kd,
&n_kd,
- &mkvno);
+ mkvno);
if (st != 0) {
const char *msg = error_message(st);
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h
index ffe6c3665..db17509ae 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h
@@ -68,6 +68,7 @@ typedef struct _krb5_ldap_realm_params {
char **passwdservers;
krb5_tl_data *tl_data;
krb5_keyblock mkey;
+ krb5_keylist_node *mkey_list; /* all master keys in use for the realm */
long mask;
} krb5_ldap_realm_params;
generated by cgit (git 2.34.1) at 2026-02-18 18:10:32 +0000