krb5 commit: Add LDAP back end support for policy extensions
Greg Hudson
ghudson at MIT.EDU
Mon Jul 30 19:11:49 EDT 2012
https://github.com/krb5/krb5/commit/5edafa053268fcc021d4f4ec091638efbbaac700
commit 5edafa053268fcc021d4f4ec091638efbbaac700
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Jul 26 20:11:55 2012 -0400
Add LDAP back end support for policy extensions
ticket: 7223
src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif | 48 ++++++++++++++++++++
src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema | 38 +++++++++++++++-
src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 43 +++++++++++++++++-
3 files changed, 127 insertions(+), 2 deletions(-)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
index 695c108..a6e9ef2 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
@@ -373,6 +373,54 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.3
SINGLE-VALUE)
+##### Policy attribute flags
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.2
+ NAME 'krbPwdAttributes'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket lifetime
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.3
+ NAME 'krbPwdMaxLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket renewable lifetime
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.4
+ NAME 'krbPwdMaxRenewableLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Allowed enctype:salttype combinations for key changes
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.5
+ NAME 'krbPwdAllowedKeysalts'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE)
+
+
##### FDN pointing to a Kerberos Password Policy object
dn: cn=schema
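Review bot: The new attribute names are easy to confuse with existing ones and the section comments do not call that out: krbPwdMaxLife (described here as the policy's maximum ticket lifetime) sits beside the pre-existing krbMaxPwdLife (password lifetime), and the same holds for krbPwdMaxRenewableLife. Suggest sharpening the comments so a directory administrator editing the entry by hand cannot mix them up, e.g. `##### Policy maximum ticket lifetime (krbPwdMaxLife; not the password lifetime krbMaxPwdLife)` and the analogous wording for krbPwdMaxRenewableLife. For krbPwdAllowedKeysalts the schema only fixes an IA5 string with case-insensitive matching, so the comment is the only place that states the value is an enctype:salttype list; it would help to say the string is parsed by the KDC and that a malformed value is rejected at policy load rather than silently widening the allowed set, if that is indeed the parser's behavior.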
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
index f4f8aca..ecc7783 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
@@ -297,6 +297,42 @@ attributetype ( 1.3.6.1.4.1.5322.21.2.3
SINGLE-VALUE)
+##### Policy attribute flags
+
+attributetype ( 1.2.840.113554.1.4.1.6.2
+ NAME 'krbPwdAttributes'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket lifetime
+
+attributetype ( 1.2.840.113554.1.4.1.6.3
+ NAME 'krbPwdMaxLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket renewable lifetime
+
+attributetype ( 1.2.840.113554.1.4.1.6.4
+ NAME 'krbPwdMaxRenewableLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Allowed enctype:salttype combinations for key changes
+
+attributetype ( 1.2.840.113554.1.4.1.6.5
+ NAME 'krbPwdAllowedKeysalts'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE)
+
+
##### FDN pointing to a Kerberos Password Policy object
attributetype ( 2.16.840.1.113719.1.301.4.36.1
@@ -656,7 +692,7 @@ objectclass ( 2.16.840.1.113719.1.301.6.14.1
NAME 'krbPwdPolicy'
SUP top
MUST ( cn )
- MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration ) )
+ MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
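Review bot: Only kerberos.schema's krbPwdPolicy objectclass gains the four new attributes in its MAY list; the diffstat shows kerberos.ldif receiving exactly the 48 attributetypes lines and no objectClasses change. If kerberos.ldif also carries a krbPwdPolicy objectClasses definition (not visible in this diff), a directory loaded from that LDIF would reject writes of krbPwdAttributes, krbPwdMaxLife, krbPwdMaxRenewableLife and krbPwdAllowedKeysalts with an objectClass violation, so the new restrictions would never be stored for those deployments. Worth confirming, and if so adding the matching MAY update to the LDIF's objectClasses entry in this same change.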
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
index f65f626..09cfb8c 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
@@ -41,7 +41,11 @@ static char *password_policy_attributes[] = { "cn", "krbmaxpwdlife", "krbminpwdl
"krbpwdmindiffchars", "krbpwdminlength",
"krbpwdhistorylength", "krbpwdmaxfailure",
"krbpwdfailurecountinterval",
- "krbpwdlockoutduration", NULL };
+ "krbpwdlockoutduration",
+ "krbpwdattributes",
+ "krbpwdmaxlife",
+ "krbpwdmaxrenewablelife",
+ "krbpwdallowedkeysalts", NULL };
/* Fill in mods with LDAP operations for the fields of policy, using the
* modification type op. mods must be freed by the caller on error. */
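Review bot: password_policy_attributes is the attribute list requested from the directory, so any policy attribute omitted from it is never returned and a restriction stored there is silently never enforced by the KDC; nothing in the code ties this list to add_policy_mods() and populate_policy(), which must add and read the same names. Suggest a comment above the array: `/* Attributes requested when reading a policy; keep in sync with add_policy_mods() and populate_policy(), or a stored policy field is silently ignored. */`. The array's declaration begins before this hunk.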
@@ -50,6 +54,7 @@ add_policy_mods(krb5_context context, LDAPMod ***mods, osa_policy_ent_t policy,
int op)
{
krb5_error_code st;
+ char *strval[2] = { NULL };
st = krb5_add_int_mem_ldap_mod(mods, "krbmaxpwdlife", op,
(int)policy->pw_max_life);
@@ -91,6 +96,34 @@ add_policy_mods(krb5_context context, LDAPMod ***mods, osa_policy_ent_t policy,
if (st)
return st;
+ st = krb5_add_int_mem_ldap_mod(mods, "krbpwdattributes", op,
+ (int)policy->attributes);
+ if (st)
+ return st;
+
+ st = krb5_add_int_mem_ldap_mod(mods, "krbpwdmaxlife", op,
+ (int)policy->max_life);
+ if (st)
+ return st;
+
+ st = krb5_add_int_mem_ldap_mod(mods, "krbpwdmaxrenewablelife", op,
+ (int)policy->max_renewable_life);
+ if (st)
+ return st;
+
+ if (policy->allowed_keysalts != NULL) {
+ strval[0] = policy->allowed_keysalts;
+ st = krb5_add_str_mem_ldap_mod(mods, "krbpwdallowedkeysalts",
+ op, strval);
+ if (st)
+ return st;
+ }
+
+ /*
+ * Each policy tl-data type we add should be explicitly marshalled here.
+ * Unlike principals, we do not marshal unrecognized policy tl-data.
+ */
+
return 0;
}
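Review bot: When policy->allowed_keysalts is NULL nothing is emitted for krbpwdallowedkeysalts, so with op == LDAP_MOD_REPLACE (a policy modification) a value previously stored in the directory is left in place; an administrator clearing the keysalt restriction would find the old restriction still enforced once the policy is re-read, whereas the three integer attributes above are always written and do not have this problem. Whether krb5_add_str_mem_ldap_mod accepts a NULL value list is not visible here (it lives in ldap_misc.c); if it does, the else branch below clears the stale value on modify while leaving creation (LDAP_MOD_ADD) untouched, and it uses a replace with no values rather than LDAP_MOD_DELETE because the latter fails with noSuchAttribute when the attribute is already absent. add_policy_mods starts before this hunk.
```c
    if (policy->allowed_keysalts != NULL) {
        /* … unchanged: add strval under op … */
    } else if (op == LDAP_MOD_REPLACE) {
        /* Clearing the restriction must also drop a stored value, or the old
         * keysalt limit keeps being enforced after the policy is re-read.
         * A replace with no values removes the attribute and, unlike
         * LDAP_MOD_DELETE, does not fail when it is already absent. */
        st = krb5_add_str_mem_ldap_mod(mods, "krbpwdallowedkeysalts", op,
                                       NULL);
        if (st)
            return st;
    }
```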
@@ -235,7 +268,15 @@ populate_policy(krb5_context context,
krb5_ldap_get_value(ld, ent, "krbpwdmaxfailure", &(pol_entry->pw_max_fail));
krb5_ldap_get_value(ld, ent, "krbpwdfailurecountinterval", &(pol_entry->pw_failcnt_interval));
krb5_ldap_get_value(ld, ent, "krbpwdlockoutduration", &(pol_entry->pw_lockout_duration));
+ krb5_ldap_get_value(ld, ent, "krbpwdattributes", &(pol_entry->attributes));
+ krb5_ldap_get_value(ld, ent, "krbpwdmaxlife", &(pol_entry->max_life));
+ krb5_ldap_get_value(ld, ent, "krbpwdmaxrenewablelife",
+ &(pol_entry->max_renewable_life));
+ st = krb5_ldap_get_string(ld, ent, "krbpwdallowedkeysalts",
+ &(pol_entry->allowed_keysalts), NULL);
+ if (st)
+ goto cleanup;
/*
* We don't store the policy refcnt, because principals might be maintained
* outside of kadmin. Instead, we will check for principal references when
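Review bot: Every policy object created before this schema extension lacks the four new attributes, so the behavior on an absent attribute decides whether old policies still load: the three new krb5_ldap_get_value calls discard their status like the existing ones above them, but krb5_ldap_get_string's status is fatal via `goto cleanup`. That helper is not visible here; if it reports an absent krbpwdallowedkeysalts as an error rather than leaving allowed_keysalts NULL, pre-existing policies would fail to load, and if it leaves the pointer untouched instead of NULL, the consumer would act on whatever pol_entry held before. Suggest pinning the intended contract in a comment next to the call: `/* Absent attribute must leave allowed_keysalts NULL (no restriction); only a real lookup failure goes to cleanup. */`. populate_policy starts before this hunk and its cleanup label is outside it.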