krb5 commit: Allow principals to refer to nonexistent policies
Greg Hudson
ghudson at MIT.EDU
Wed Jan 9 15:41:47 EST 2013
https://github.com/krb5/krb5/commit/0780e46fc13dbafa177525164997cd204cc50b51
commit 0780e46fc13dbafa177525164997cd204cc50b51
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Jan 8 15:20:45 2013 -0500
Allow principals to refer to nonexistent policies
Stop using and maintaining the policy_refcnt field, and do not try to
prevent deletion of a policy which is still referenced by principals.
Instead, allow principals to refer to policy names which do not exist
as policy objects; treat those principals as having no associated
policy.
In the kadmin client, warn if addprinc or modprinc tries to reference
a policy which doesn't exist, since the server will no longer error
out in this case.
ticket: 7385
src/include/kdb.h | 2 +-
src/kadmin/cli/kadmin.c | 49 ++-
src/kadmin/dbutil/dump.c | 29 +-
src/lib/kadm5/admin.h | 2 +-
src/lib/kadm5/srv/svr_policy.c | 11 -
src/lib/kadm5/srv/svr_principal.c | 229 ++++---------
.../kadm5/unit-test/api.current/crte-principal.exp | 4 +-
.../kadm5/unit-test/api.current/dlte-policy.exp | 5 +-
.../kadm5/unit-test/api.current/dlte-principal.exp | 76 ----
.../kadm5/unit-test/api.current/mod-principal.exp | 369 +-------------------
src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 -
src/tests/dejagnu/krb-standalone/kadmin.exp | 3 +-
src/tests/kdbtest.c | 3 +-
13 files changed, 125 insertions(+), 664 deletions(-)
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 1bfb5d0..78d78c5 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -215,7 +215,7 @@ typedef struct _osa_policy_ent_t {
krb5_ui_4 pw_min_length;
krb5_ui_4 pw_min_classes;
krb5_ui_4 pw_history_num;
- krb5_ui_4 policy_refcnt;
+ krb5_ui_4 policy_refcnt; /* no longer used */
/* Only valid if version > 1 */
krb5_ui_4 pw_max_fail; /* pwdMaxFailure */
krb5_ui_4 pw_failcnt_interval; /* pwdFailureCountInterval */
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 649bbc1..151f316 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -232,6 +232,17 @@ randkey_princ(krb5_principal princ, krb5_boolean keepold, int n_ks,
return kadm5_randkey_principal(handle, princ, NULL, NULL);
}
+static krb5_boolean
+policy_exists(const char *name)
+{
+ kadm5_policy_ent_rec pol;
+
+ if (kadm5_get_policy(handle, (char *)name, &pol) != 0)
+ return FALSE;
+ kadm5_free_policy_ent(handle, &pol);
+ return TRUE;
+}
+
char *
kadmin_startup(int argc, char *argv[])
{
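Review bot: policy_exists() reports FALSE for every nonzero return of kadm5_get_policy(), so a lookup that fails for a reason other than the policy being unknown (the caller lacking the privilege to inquire policies, an RPC failure) is indistinguishable from a missing policy; the callers added at L88, L113 and L135 then print "does not exist" for a policy that may well exist. Only KADM5_UNK_POLICY (the code get_policy() in svr_principal.c already singles out) actually establishes non-existence. A three-valued result lets the warning paths fire only on 0 and the "default" assignment in kadmin_addprinc fire only on 1, preserving its old behavior of assigning "default" solely when the lookup succeeds; the callers would then compare against 0 and 1 instead of using `!policy_exists(...)`.
```c
/* Return 1 if the policy exists, 0 if the server reports it as unknown, and
 * -1 if the lookup failed for some other reason (privilege, RPC error), in
 * which case callers should neither warn nor assume the policy exists. */
static int
policy_exists(const char *name)
{
    kadm5_policy_ent_rec pol;
    kadm5_ret_t ret;

    ret = kadm5_get_policy(handle, (char *)name, &pol);
    if (ret == KADM5_UNK_POLICY)
        return 0;
    if (ret != 0)
        return -1;
    kadm5_free_policy_ent(handle, &pol);
    return 1;
}
```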
@@ -1158,7 +1169,6 @@ void
kadmin_addprinc(int argc, char *argv[])
{
kadm5_principal_ent_rec princ;
- kadm5_policy_ent_rec defpol;
long mask;
krb5_boolean randkey = FALSE, old_style_randkey = FALSE;
int n_ks_tuple;
@@ -1184,23 +1194,24 @@ kadmin_addprinc(int argc, char *argv[])
goto cleanup;
}
- /*
- * If -policy was not specified, and -clearpolicy was not
- * specified, and the policy "default" exists, assign it. If
- * -clearpolicy was specified, then KADM5_POLICY_CLR should be
- * unset, since it is never valid for kadm5_create_principal.
- */
- if (!(mask & KADM5_POLICY) && !(mask & KADM5_POLICY_CLR)) {
- if (!kadm5_get_policy(handle, "default", &defpol)) {
+ if (mask & KADM5_POLICY) {
+ /* Warn if the specified policy does not exist. */
+ if (!policy_exists(princ.policy)) {
+ fprintf(stderr, _("WARNING: policy \"%s\" does not exist\n"),
+ princ.policy);
+ }
+ } else if (!(mask & KADM5_POLICY_CLR)) {
+ /* If the policy "default" exists, assign it. */
+ if (policy_exists("default")) {
fprintf(stderr, _("NOTICE: no policy specified for %s; "
"assigning \"default\"\n"), canon);
princ.policy = "default";
mask |= KADM5_POLICY;
- kadm5_free_policy_ent(handle, &defpol);
} else
fprintf(stderr, _("WARNING: no policy specified for %s; "
"defaulting to no policy\n"), canon);
}
+ /* Don't send KADM5_POLICY_CLR to the server. */
mask &= ~KADM5_POLICY_CLR;
if (randkey) {
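Review bot: The new warning at L89 says only that the policy does not exist, not that the principal is still created and will be treated as having no policy at all, which per the commit message and the get_policy()/passwd_check() path in svr_principal.c means no password-quality, history or lockout enforcement for it. Since the server no longer rejects the request, the stderr line is the only indication an operator gets that a typo in -policy has produced an unconstrained principal, so it should say so: `fprintf(stderr, _("WARNING: policy \"%s\" does not exist; %s will be created with no effective policy\n"), princ.policy, canon);`. The same wording applies to the modprinc warning added at L114-115.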
@@ -1312,6 +1323,13 @@ kadmin_modprinc(int argc, char *argv[])
kadmin_modprinc_usage();
goto cleanup;
}
+ if (mask & KADM5_POLICY) {
+ /* Warn if the specified policy does not exist. */
+ if (!policy_exists(princ.policy)) {
+ fprintf(stderr, _("WARNING: policy \"%s\" does not exist\n"),
+ princ.policy);
+ }
+ }
if (mask) {
/* Skip this if all we're doing is setting certhash. */
retval = kadm5_modify_principal(handle, &princ, mask);
@@ -1336,6 +1354,7 @@ kadmin_getprinc(int argc, char *argv[])
kadm5_principal_ent_rec dprinc;
krb5_principal princ = NULL;
krb5_error_code retval;
+ const char *polname, *noexist;
char *canon = NULL, *princstr = NULL, *modprincstr = NULL;
int i;
size_t j;
@@ -1422,7 +1441,10 @@ kadmin_getprinc(int argc, char *argv[])
printf(" %s", prflags[j]);
}
printf("\n");
- printf(_("Policy: %s\n"), dprinc.policy ? dprinc.policy : _("[none]"));
+ polname = (dprinc.policy != NULL) ? dprinc.policy : _("[none]");
+ noexist = (dprinc.policy != NULL && !policy_exists(dprinc.policy)) ?
+ _(" [does not exist]") : "";
+ printf(_("Policy: %s%s\n"), polname, noexist);
} else {
printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\""
"\t%d\t%d\t%d\t%d\t%d",
@@ -1699,7 +1721,6 @@ kadmin_getpol(int argc, char *argv[])
printf(_("Minimum number of password character classes: %ld\n"),
policy.pw_min_classes);
printf(_("Number of old keys kept: %ld\n"), policy.pw_history_num);
- printf(_("Reference count: %ld\n"), policy.policy_refcnt);
printf(_("Maximum password failures before lockout: %lu\n"),
(unsigned long)policy.pw_max_fail);
printf(_("Password failure count reset interval: %s\n"),
@@ -1709,11 +1730,11 @@ kadmin_getpol(int argc, char *argv[])
if (policy.allowed_keysalts != NULL)
printf(_("Allowed key/salt types: %s\n"), policy.allowed_keysalts);
} else {
+ /* Output 0 where we used to output policy_refcnt. */
printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\t%lu\t%ld\t%ld\t%s\n",
policy.policy, policy.pw_max_life, policy.pw_min_life,
policy.pw_min_length, policy.pw_min_classes,
- policy.pw_history_num, policy.policy_refcnt,
- (unsigned long)policy.pw_max_fail,
+ policy.pw_history_num, 0, (unsigned long)policy.pw_max_fail,
(long)policy.pw_failcnt_interval,
(long)policy.pw_lockout_duration,
(policy.allowed_keysalts == NULL) ? "-" :
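Review bot: The literal `0` substituted at L159 is an int, but the conversion it feeds is `%ld` (the sixth `%ld` in the format at L154), so the argument type no longer matches the format; the removed `policy.policy_refcnt` was a `long`. Use a long constant: `policy.pw_history_num, 0L, (unsigned long)policy.pw_max_fail,`. The placeholder comment at L153 is good; it could also say the column is kept so existing parsers of the terse output keep working.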
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 7b515bd..af10c9c 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -1112,8 +1112,7 @@ void dump_k5beta7_policy(void *data, osa_policy_ent_t entry)
arg = (struct dump_args *) data;
fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\n", entry->name,
entry->pw_min_life, entry->pw_max_life, entry->pw_min_length,
- entry->pw_min_classes, entry->pw_history_num,
- entry->policy_refcnt);
+ entry->pw_min_classes, entry->pw_history_num, 0);
}
void dump_r1_8_policy(void *data, osa_policy_ent_t entry)
@@ -1124,9 +1123,9 @@ void dump_r1_8_policy(void *data, osa_policy_ent_t entry)
fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\n",
entry->name,
entry->pw_min_life, entry->pw_max_life, entry->pw_min_length,
- entry->pw_min_classes, entry->pw_history_num,
- entry->policy_refcnt, entry->pw_max_fail,
- entry->pw_failcnt_interval, entry->pw_lockout_duration);
+ entry->pw_min_classes, entry->pw_history_num, 0,
+ entry->pw_max_fail, entry->pw_failcnt_interval,
+ entry->pw_lockout_duration);
}
void
@@ -1140,10 +1139,10 @@ dump_r1_11_policy(void *data, osa_policy_ent_t entry)
"%d\t%d\t%d\t%s\t%d",
entry->name,
entry->pw_min_life, entry->pw_max_life, entry->pw_min_length,
- entry->pw_min_classes, entry->pw_history_num,
- entry->policy_refcnt, entry->pw_max_fail,
- entry->pw_failcnt_interval, entry->pw_lockout_duration,
- entry->attributes, entry->max_life, entry->max_renewable_life,
+ entry->pw_min_classes, entry->pw_history_num, 0,
+ entry->pw_max_fail, entry->pw_failcnt_interval,
+ entry->pw_lockout_duration, entry->attributes, entry->max_life,
+ entry->max_renewable_life,
entry->allowed_keysalts ? entry->allowed_keysalts : "-",
entry->n_tl_data);
@@ -2301,7 +2300,7 @@ process_k5beta7_policy(fname, kcontext, filep, flags, linenop)
{
osa_policy_ent_rec rec;
char namebuf[1024];
- int nread, ret;
+ int nread, refcnt, ret;
memset(&rec, 0, sizeof(rec));
@@ -2311,7 +2310,7 @@ process_k5beta7_policy(fname, kcontext, filep, flags, linenop)
nread = fscanf(filep, "%1023s\t%d\t%d\t%d\t%d\t%d\t%d", rec.name,
&rec.pw_min_life, &rec.pw_max_life,
&rec.pw_min_length, &rec.pw_min_classes,
- &rec.pw_history_num, &rec.policy_refcnt);
+ &rec.pw_history_num, &refcnt);
if (nread == EOF)
return -1;
else if (nread != 7) {
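Review bot: `refcnt` at L214 is parsed and then never read, and nothing in the hunk says why a discarded field is still part of the fscanf() call; a reader may later "fix" it by dropping the conversion and break the `nread != 7` check on the next line. A one-line comment on the declaration at L207 would carry the intent: `int nread, refcnt, ret; /* refcnt: still in the dump format, but ignored */`. The same applies to the r1_8 and r1_11 readers (hunks ending at L233 and L250). process_k5beta7_policy's body continues outside the hunk.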
@@ -2344,7 +2343,7 @@ process_r1_8_policy(fname, kcontext, filep, flags, linenop)
{
osa_policy_ent_rec rec;
char namebuf[1024];
- int nread, ret;
+ int nread, refcnt, ret;
memset(&rec, 0, sizeof(rec));
@@ -2355,7 +2354,7 @@ process_r1_8_policy(fname, kcontext, filep, flags, linenop)
rec.name,
&rec.pw_min_life, &rec.pw_max_life,
&rec.pw_min_length, &rec.pw_min_classes,
- &rec.pw_history_num, &rec.policy_refcnt,
+ &rec.pw_history_num, &refcnt,
&rec.pw_max_fail, &rec.pw_failcnt_interval,
&rec.pw_lockout_duration);
if (nread == EOF)
@@ -2388,7 +2387,7 @@ process_r1_11_policy(char *fname, krb5_context kcontext, FILE *filep,
krb5_tl_data *tl, *tl_next;
char namebuf[1024];
char keysaltbuf[KRB5_KDB_MAX_ALLOWED_KS_LEN + 1];
- int nread;
+ int nread, refcnt;
int ret = 0;
const char *try2read = NULL;
@@ -2406,7 +2405,7 @@ process_r1_11_policy(char *fname, krb5_context kcontext, FILE *filep,
rec.name,
&rec.pw_min_life, &rec.pw_max_life,
&rec.pw_min_length, &rec.pw_min_classes,
- &rec.pw_history_num, &rec.policy_refcnt,
+ &rec.pw_history_num, &refcnt,
&rec.pw_max_fail, &rec.pw_failcnt_interval,
&rec.pw_lockout_duration,
&rec.attributes, &rec.max_life, &rec.max_renewable_life,
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
index 9260cb5..6c2efbc 100644
--- a/src/lib/kadm5/admin.h
+++ b/src/lib/kadm5/admin.h
@@ -219,7 +219,7 @@ typedef struct _kadm5_policy_ent_t {
long pw_min_length;
long pw_min_classes;
long pw_history_num;
- long policy_refcnt;
+ long policy_refcnt; /* no longer used */
/* version 3 fields */
krb5_kvno pw_max_fail;
diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c
index 0d79f86..69d2fea 100644
--- a/src/lib/kadm5/srv/svr_policy.c
+++ b/src/lib/kadm5/srv/svr_policy.c
@@ -158,10 +158,6 @@ kadm5_create_policy_internal(void *server_handle,
else
pent.pw_history_num = entry->pw_history_num;
}
- if (!(mask & KADM5_REF_COUNT))
- pent.policy_refcnt = 0;
- else
- pent.policy_refcnt = entry->policy_refcnt;
if (handle->api_version >= KADM5_API_VERSION_4) {
if (!(mask & KADM5_POLICY_ATTRIBUTES))
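Review bot: With the four lines removed at L271-274, `pent.policy_refcnt` is no longer assigned on any path before the entry is stored, so unless `pent` is zeroed earlier in kadm5_create_policy_internal (outside this hunk; I cannot see it), the field written to the database is whatever was on the stack. Since the header now documents the field as "no longer used" and dump.c emits 0 for it, the cheapest guarantee is to keep one explicit assignment here: `pent.policy_refcnt = 0;  /* field retained for compatibility, never maintained */`. If the structure is memset earlier, a comment to that effect at this spot would save the next reader the same check.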
@@ -230,10 +226,6 @@ kadm5_delete_policy(void *server_handle, kadm5_policy_t name)
else if (ret)
return ret;
- if(entry->policy_refcnt != 0) {
- krb5_db_free_policy(handle->context, entry);
- return KADM5_POLICY_REF;
- }
krb5_db_free_policy(handle->context, entry);
ret = krb5_db_delete_policy(handle->context, name);
if (ret == KRB5_KDB_POLICY_REF)
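Review bot: After the removal at L280-283, kadm5_delete_policy() succeeds even when principals still name the policy, and those principals then silently fall back to "no policy" (no password-quality, history or lockout rules) with nothing logged at the server or shown to the client. That is the intended design per the commit message, but it is a change in what a successful delete means for other objects and deserves a comment at the call site, e.g. `/* Principals may still name this policy; once it is gone they are treated as having no policy (see get_policy() in svr_principal.c). */`. The surviving `KRB5_KDB_POLICY_REF` check on the next line now only triggers if a KDB module enforces references itself; if none does after this commit (ldap_pwd_policy.c is touched but not visible here), consider noting that too.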
@@ -368,8 +360,6 @@ kadm5_modify_policy_internal(void *server_handle,
}
p->pw_history_num = entry->pw_history_num;
}
- if ((mask & KADM5_REF_COUNT))
- p->policy_refcnt = entry->policy_refcnt;
if (handle->api_version >= KADM5_API_VERSION_3) {
if ((mask & KADM5_PW_MAX_FAILURE))
p->pw_max_fail = entry->pw_max_fail;
@@ -448,7 +438,6 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name,
entry->pw_min_length = t->pw_min_length;
entry->pw_min_classes = t->pw_min_classes;
entry->pw_history_num = t->pw_history_num;
- entry->policy_refcnt = t->policy_refcnt;
if (handle->api_version >= KADM5_API_VERSION_3) {
entry->pw_max_fail = t->pw_max_fail;
entry->pw_failcnt_interval = t->pw_failcnt_interval;
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index ae36841..2000fe4 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -188,6 +188,23 @@ ks_tuple_present(int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
return FALSE;
}
+/* Fetch a policy if it exists; set *have_pol_out appropriately. Return
+ * success whether or not the policy exists. */
+static kadm5_ret_t
+get_policy(kadm5_server_handle_t handle, const char *name,
+ kadm5_policy_ent_t policy_out, krb5_boolean *have_pol_out)
+{
+ kadm5_ret_t ret;
+
+ *have_pol_out = FALSE;
+ if (name == NULL)
+ return 0;
+ ret = kadm5_get_policy(handle->lhandle, (char *)name, policy_out);
+ if (ret == 0)
+ *have_pol_out = TRUE;
+ return (ret == KADM5_UNK_POLICY) ? 0 : ret;
+}
+
/*
* Apply the -allowedkeysalts policy (see kadmin(1)'s addpol/modpol
* commands). We use the allowed key/salt tuple list as a default if
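Review bot: get_policy() drops the EINVAL-to-KADM5_BAD_POLICY mapping that every replaced caller performed (L345-346, L369-370, L473-474), so an invalid policy name now surfaces to kadm5 callers as a bare errno value instead of a KADM5_* code; only KADM5_UNK_POLICY is special-cased at L325. Keeping the mapping inside the helper preserves the API's error vocabulary for all five call sites at once: `if (ret == EINVAL) return KADM5_BAD_POLICY;` placed before `return (ret == KADM5_UNK_POLICY) ? 0 : ret;`. The header comment could also state that on a nonzero return `*policy_out` is not valid and must not be freed, which is what the `have_pol` guards in the callers rely on.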
@@ -202,6 +219,7 @@ apply_keysalt_policy(kadm5_server_handle_t handle, const char *policy,
{
kadm5_ret_t ret;
kadm5_policy_ent_rec polent;
+ krb5_boolean have_polent;
int ak_n_ks_tuple = 0;
int new_n_ks_tuple = 0;
krb5_key_salt_tuple *ak_ks_tuple = NULL;
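Review bot: `have_polent` at L335 is declared without an initializer, yet the cleanup label (hunk at L355-362) now reads it before deciding whether to call kadm5_free_policy_ent(); every other function in this commit initializes its flag at the declaration (`krb5_boolean have_pol = FALSE;` at L462, L592, L616). If any path between this declaration and the get_policy() call at L350 jumps to cleanup (the closing brace at L340 suggests a preceding conditional whose body I cannot see), the read is of an indeterminate value. `krb5_boolean have_polent = FALSE;` removes the question regardless.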
@@ -215,14 +233,9 @@ apply_keysalt_policy(kadm5_server_handle_t handle, const char *policy,
}
memset(&polent, 0, sizeof(polent));
- if (policy != NULL &&
- (ret = kadm5_get_policy(handle->lhandle, (char *)policy,
- &polent)) != KADM5_OK) {
- if (ret == EINVAL)
- ret = KADM5_BAD_POLICY;
- if (ret)
- goto cleanup;
- }
+ ret = get_policy(handle, policy, &polent, &have_polent);
+ if (ret)
+ goto cleanup;
if (polent.allowed_keysalts == NULL) {
/* Requested keysalts allowed or default to supported_enctypes. */
@@ -292,7 +305,8 @@ apply_keysalt_policy(kadm5_server_handle_t handle, const char *policy,
ret = 0;
cleanup:
- kadm5_free_policy_ent(handle->lhandle, &polent);
+ if (have_polent)
+ kadm5_free_policy_ent(handle->lhandle, &polent);
free(ak_ks_tuple);
if (new_n_kstp != NULL) {
@@ -407,14 +421,9 @@ kadm5_create_principal_3(void *server_handle,
* If we can not find the one specified return an error
*/
if ((mask & KADM5_POLICY)) {
- if ((ret = kadm5_get_policy(handle->lhandle, entry->policy,
- &polent)) != KADM5_OK) {
- if (ret == EINVAL)
- ret = KADM5_BAD_POLICY;
- if (ret)
- goto cleanup;
- }
- have_polent = TRUE;
+ ret = get_policy(handle, entry->policy, &polent, &have_polent);
+ if (ret)
+ goto cleanup;
}
if (password) {
ret = passwd_check(handle, password, have_polent ? &polent : NULL,
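Review bot: The context comment ending at L364, "If we can not find the one specified return an error", is now false: get_policy() at L375 returns success for a missing policy and leaves `have_polent` FALSE, so the principal is created with the policy name recorded (L385-389) while passwd_check() on the next line runs with a NULL policy and applies no password-quality rules. Replace that comment block with one that states the new contract, e.g. a two-line comment saying that a policy name which does not exist is accepted and stored, and that such a principal is treated as having no policy for password checking. kadm5_create_principal_3 starts outside the hunk.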
@@ -538,7 +547,7 @@ kadm5_create_principal_3(void *server_handle,
single tl_data record, */
adb.admin_history_kvno = INITIAL_HIST_KVNO;
- if (have_polent) {
+ if (mask & KADM5_POLICY) {
adb.aux_attributes = KADM5_POLICY;
/* this does *not* need to be strdup'ed, because adb is xdr */
@@ -547,37 +556,12 @@ kadm5_create_principal_3(void *server_handle,
adb.policy = entry->policy;
}
- /* increment the policy ref count, if any */
-
- if (have_polent) {
- polent.policy_refcnt++;
- if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent,
- KADM5_REF_COUNT))
- != KADM5_OK)
- goto cleanup;
- }
-
/* In all cases key and the principal data is set, let the database provider know */
kdb->mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL ;
/* store the new db entry */
ret = kdb_put_entry(handle, kdb, &adb);
-
- if (ret) {
- if (have_polent) {
- /* decrement the policy ref count */
-
- polent.policy_refcnt--;
- /*
- * if this fails, there's nothing we can do anyway. the
- * policy refcount wil be too high.
- */
- (void) kadm5_modify_policy_internal(handle->lhandle, &polent,
- KADM5_REF_COUNT);
- }
- }
-
(void) k5_kadm5_hook_create(handle->context, handle->hook_handles,
KADM5_HOOK_STAGE_POSTCOMMIT, entry, mask,
new_n_ks_tuple, new_ks_tuple, password);
@@ -595,7 +579,6 @@ kadm5_ret_t
kadm5_delete_principal(void *server_handle, krb5_principal principal)
{
unsigned int ret;
- kadm5_policy_ent_rec polent;
krb5_db_entry *kdb;
osa_princ_ent_rec adb;
kadm5_server_handle_t handle = server_handle;
@@ -616,25 +599,6 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal)
return ret;
}
- if ((adb.aux_attributes & KADM5_POLICY)) {
- if ((ret = kadm5_get_policy(handle->lhandle,
- adb.policy, &polent))
- == KADM5_OK) {
- polent.policy_refcnt--;
- if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent,
- KADM5_REF_COUNT))
- != KADM5_OK) {
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- kdb_free_entry(handle, kdb, &adb);
- return(ret);
- }
- }
- if ((ret = kadm5_free_policy_ent(handle->lhandle, &polent))) {
- kdb_free_entry(handle, kdb, &adb);
- return ret;
- }
- }
-
ret = kdb_delete_entry(handle, principal);
kdb_free_entry(handle, kdb, &adb);
@@ -652,8 +616,8 @@ kadm5_modify_principal(void *server_handle,
kadm5_principal_ent_t entry, long mask)
{
int ret, ret2, i;
- kadm5_policy_ent_rec npol, opol;
- int have_npol = 0, have_opol = 0;
+ kadm5_policy_ent_rec pol;
+ krb5_boolean have_pol = FALSE;
krb5_db_entry *kdb;
krb5_tl_data *tl_data_orig;
osa_princ_ent_rec adb;
@@ -693,99 +657,36 @@ kadm5_modify_principal(void *server_handle,
*/
if ((mask & KADM5_POLICY)) {
- /* get the new policy */
- ret = kadm5_get_policy(handle->lhandle, entry->policy, &npol);
- if (ret) {
- switch (ret) {
- case EINVAL:
- ret = KADM5_BAD_POLICY;
- break;
- case KADM5_UNK_POLICY:
- case KADM5_BAD_POLICY:
- ret = KADM5_UNK_POLICY;
- break;
- }
+ ret = get_policy(handle, entry->policy, &pol, &have_pol);
+ if (ret)
goto done;
- }
- have_npol = 1;
-
- /* if we already have a policy, get it to decrement the refcnt */
- if(adb.aux_attributes & KADM5_POLICY) {
- /* ... but not if the old and new are the same */
- if(strcmp(adb.policy, entry->policy)) {
- ret = kadm5_get_policy(handle->lhandle,
- adb.policy, &opol);
- switch(ret) {
- case EINVAL:
- case KADM5_BAD_POLICY:
- case KADM5_UNK_POLICY:
- break;
- case KADM5_OK:
- have_opol = 1;
- opol.policy_refcnt--;
- break;
- default:
- goto done;
- break;
- }
- npol.policy_refcnt++;
- }
- } else npol.policy_refcnt++;
/* set us up to use the new policy */
adb.aux_attributes |= KADM5_POLICY;
if (adb.policy)
free(adb.policy);
adb.policy = strdup(entry->policy);
-
+ }
+ if (have_pol) {
/* set pw_max_life based on new policy */
- if (npol.pw_max_life) {
+ if (pol.pw_max_life) {
ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb,
&(kdb->pw_expiration));
if (ret)
goto done;
- kdb->pw_expiration += npol.pw_max_life;
+ kdb->pw_expiration += pol.pw_max_life;
} else {
kdb->pw_expiration = 0;
}
}
- if ((mask & KADM5_POLICY_CLR) &&
- (adb.aux_attributes & KADM5_POLICY)) {
- ret = kadm5_get_policy(handle->lhandle, adb.policy, &opol);
- switch(ret) {
- case EINVAL:
- case KADM5_BAD_POLICY:
- case KADM5_UNK_POLICY:
- ret = KADM5_BAD_DB;
- goto done;
- break;
- case KADM5_OK:
- have_opol = 1;
- if (adb.policy)
- free(adb.policy);
- adb.policy = NULL;
- adb.aux_attributes &= ~KADM5_POLICY;
- kdb->pw_expiration = 0;
- opol.policy_refcnt--;
- break;
- default:
- goto done;
- break;
- }
+ if ((mask & KADM5_POLICY_CLR) && (adb.aux_attributes & KADM5_POLICY)) {
+ free(adb.policy);
+ adb.policy = NULL;
+ adb.aux_attributes &= ~KADM5_POLICY;
+ kdb->pw_expiration = 0;
}
- if (((mask & KADM5_POLICY) || (mask & KADM5_POLICY_CLR)) &&
- (((have_opol) &&
- (ret =
- kadm5_modify_policy_internal(handle->lhandle, &opol,
- KADM5_REF_COUNT))) ||
- ((have_npol) &&
- (ret =
- kadm5_modify_policy_internal(handle->lhandle, &npol,
- KADM5_REF_COUNT)))))
- goto done;
-
if ((mask & KADM5_ATTRIBUTES))
kdb->attributes = entry->attributes;
if ((mask & KADM5_MAX_LIFE))
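Review bot: When KADM5_POLICY names a policy that does not exist, `have_pol` stays FALSE and the `if (have_pol)` block at L516-529 is skipped, so `kdb->pw_expiration` keeps the value derived from the principal's previous policy's pw_max_life while the new one is recorded at L513; a principal "treated as having no policy" thus retains an expiration the now-absent policy never set. The KADM5_POLICY_CLR branch at L553-558 resets it to 0 in the analogous situation, so the asymmetry looks unintended rather than designed. If that reading is right, an else branch restores consistency: `} else if (mask & KADM5_POLICY) { kdb->pw_expiration = 0; }`. kadm5_modify_principal's body continues outside the hunk.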
@@ -847,12 +748,8 @@ kadm5_modify_principal(void *server_handle,
ret = KADM5_OK;
done:
- if (have_opol) {
- ret2 = kadm5_free_policy_ent(handle->lhandle, &opol);
- ret = ret ? ret : ret2;
- }
- if (have_npol) {
- ret2 = kadm5_free_policy_ent(handle->lhandle, &npol);
+ if (have_pol) {
+ ret2 = kadm5_free_policy_ent(handle->lhandle, &pol);
ret = ret ? ret : ret2;
}
kdb_free_entry(handle, kdb, &adb);
@@ -1480,7 +1377,7 @@ kadm5_chpass_principal_3(void *server_handle,
osa_princ_ent_rec adb;
krb5_db_entry *kdb;
int ret, ret2, last_pwd, hist_added;
- int have_pol = 0;
+ krb5_boolean have_pol = FALSE;
kadm5_server_handle_t handle = server_handle;
osa_pw_hist_ent hist;
krb5_keyblock *act_mkey, *hist_keyblocks = NULL;
@@ -1510,10 +1407,11 @@ kadm5_chpass_principal_3(void *server_handle,
goto done;
if ((adb.aux_attributes & KADM5_POLICY)) {
- if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, &pol)))
+ ret = get_policy(handle, adb.policy, &pol, &have_pol);
+ if (ret)
goto done;
- have_pol = 1;
-
+ }
+ if (have_pol) {
/* Create a password history entry before we change kdb's key_data. */
ret = kdb_get_hist_key(handle, &hist_keyblocks, &hist_kvno);
if (ret)
@@ -1693,7 +1591,8 @@ kadm5_randkey_principal_3(void *server_handle,
osa_princ_ent_rec adb;
krb5_int32 now;
kadm5_policy_ent_rec pol;
- int ret, last_pwd, have_pol = 0;
+ int ret, last_pwd;
+ krb5_boolean have_pol = FALSE;
kadm5_server_handle_t handle = server_handle;
krb5_keyblock *act_mkey;
int new_n_ks_tuple = 0;
@@ -1742,11 +1641,11 @@ kadm5_randkey_principal_3(void *server_handle,
goto done;
if ((adb.aux_attributes & KADM5_POLICY)) {
- if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
- &pol)) != KADM5_OK)
+ ret = get_policy(handle, adb.policy, &pol, &have_pol);
+ if (ret)
goto done;
- have_pol = 1;
-
+ }
+ if (have_pol) {
ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
if (ret)
goto done;
@@ -1830,7 +1729,8 @@ kadm5_setv4key_principal(void *server_handle,
krb5_int32 now;
kadm5_policy_ent_rec pol;
krb5_keysalt keysalt;
- int i, k, kvno, ret, have_pol = 0;
+ int i, k, kvno, ret;
+ krb5_boolean have_pol = FALSE;
#if 0
int last_pwd;
#endif
@@ -1915,11 +1815,11 @@ kadm5_setv4key_principal(void *server_handle,
goto done;
if ((adb.aux_attributes & KADM5_POLICY)) {
- if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
- &pol)) != KADM5_OK)
+ ret = get_policy(handle, adb.policy, &pol, &have_pol);
+ if (ret)
goto done;
- have_pol = 1;
-
+ }
+ if (have_pol) {
#if 0
/*
* The spec says this check is overridden if the caller has
@@ -2015,7 +1915,8 @@ kadm5_setkey_principal_3(void *server_handle,
kadm5_policy_ent_rec pol;
krb5_key_data *old_key_data;
int n_old_keys;
- int i, j, k, kvno, ret, have_pol = 0;
+ int i, j, k, kvno, ret;
+ krb5_boolean have_pol = FALSE;
#if 0
int last_pwd;
#endif
@@ -2178,11 +2079,11 @@ kadm5_setkey_principal_3(void *server_handle,
goto done;
if ((adb.aux_attributes & KADM5_POLICY)) {
- if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
- &pol)) != KADM5_OK)
+ ret = get_policy(handle, adb.policy, &pol, &have_pol);
+ if (ret)
goto done;
- have_pol = 1;
-
+ }
+ if (have_pol) {
#if 0
/*
* The spec says this check is overridden if the caller has
diff --git a/src/lib/kadm5/unit-test/api.current/crte-principal.exp b/src/lib/kadm5/unit-test/api.current/crte-principal.exp
index 774e204..52dda78 100644
--- a/src/lib/kadm5/unit-test/api.current/crte-principal.exp
+++ b/src/lib/kadm5/unit-test/api.current/crte-principal.exp
@@ -536,11 +536,11 @@ proc test21 {} {
perror "$test: unexpected failure in init"
return
}
- one_line_fail_test [format {
+ one_line_succeed_test [format {
kadm5_create_principal $server_handle \
[princ_w_pol "%s/a" non-existant-pol] \
{KADM5_PRINCIPAL KADM5_POLICY} NotinTheDictionary
- } $test] "UNK_POLICY"
+ } $test]
if { ! [cmd {kadm5_destroy $server_handle}]} {
perror "$test: unexpected failure in destroy"
return
diff --git a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp b/src/lib/kadm5/unit-test/api.current/dlte-policy.exp
index cecb5c3..4ba40fd 100644
--- a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp
+++ b/src/lib/kadm5/unit-test/api.current/dlte-policy.exp
@@ -181,8 +181,9 @@ proc test12 {} {
perror "$test: unexpected failure in init"
return
}
- one_line_fail_test \
- {kadm5_delete_policy $server_handle test-pol} "POLICY_REF"
+ one_line_succeed_test [format {
+ kadm5_delete_policy $server_handle "%s/a"
+ } $test]
if { ! [cmd {kadm5_destroy $server_handle}]} {
perror "$test: unexpected failure in destroy"
return
diff --git a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp b/src/lib/kadm5/unit-test/api.current/dlte-principal.exp
index f6d267f..6604685 100644
--- a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp
+++ b/src/lib/kadm5/unit-test/api.current/dlte-principal.exp
@@ -236,82 +236,6 @@ proc test11 {} {
}
test11
-test "delete-principal 12"
-proc test12 {} {
- global test
- global prompt
-
- if {! (( [principal_exists "$test/a"]) ||
- [create_principal_pol "$test/a" test-pol])} {
- error_and_restart "$test: couldn't delete principal \"$test/a\""
- return
- }
- if {! [cmd {
- kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
- $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
- server_handle
- }]} {
- perror "$test: unexpected failure in init"
- return
- }
- if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]} {
- perror "$test: unexpected failure on get policy"
- return
- }
- if { ! [cmd [format {
- kadm5_delete_principal $server_handle "%s/a"
- } $test]]} {
- fail "$test: delete failed"
- return
- }
- if { [cmd [format {
- kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK
- } $test]]} {
- fail "$test: principal still exists"
- return
- }
- if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} {
- perror "$test: unexpected failure on get policy"
- return
- }
- send "lindex \$p1 6\n"
- expect {
- -re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) }
- timeout {
- error_and_restart "$test: timeout getting principal kvno (second time)"
- return
- }
- eof {
- error_and_restart "$test: eof getting principal kvno (second time)"
- return
- }
- }
-
- send "lindex \$p2 6\n"
- expect {
- -re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) }
- timeout {
- error_and_restart "$test: timeout getting principal kvno (second time)"
- return
- }
- eof {
- error_and_restart "$test: eof getting principal kvno (second time)"
- return
- }
- }
- if { [expr "$oldref - 1"] != $newref } {
- fail "$test: policy reference count is wrong"
- return;
- }
- pass "$test"
- if { ! [cmd {kadm5_destroy $server_handle}]} {
- perror "$test: unexpected failure in destroy"
- return
- }
-}
-
-test12
-
test "delete-principal 13"
proc test13 {} {
global test
diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal.exp b/src/lib/kadm5/unit-test/api.current/mod-principal.exp
index 25fb272..44f8548 100644
--- a/src/lib/kadm5/unit-test/api.current/mod-principal.exp
+++ b/src/lib/kadm5/unit-test/api.current/mod-principal.exp
@@ -380,10 +380,10 @@ proc test17 {} {
perror "$test: unexpected failure in init"
return
}
- one_line_fail_test [format {
+ one_line_succeed_test [format {
kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
no-policy] {KADM5_POLICY}
- } $test] "UNK_POLICY"
+ } $test]
if { ! [cmd {kadm5_destroy $server_handle}]} {
perror "$test: unexpected failure in destroy"
return
@@ -391,371 +391,6 @@ proc test17 {} {
}
test17
-test "modify-principal 18"
-proc test18 {} {
- global test
- global prompt
- if {! (( ! [principal_exists "$test/a"]) ||
- [delete_principal "$test/a"])} {
- error_and_restart "$test: couldn't delete principal \"$test/a\""
- return
- }
- if { !( [create_principal "$test/a"])} {
- error_and_restart "$test: could not create principal \"$test/a\""
- return
- }
- if {! [cmd {
- kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
- $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
- server_handle
- }]} {
- perror "$test: unexpected failure in init"
- return
- }
- if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]} {
- perror "$test: unexpected failure on get policy"
- return
- }
- if {! [cmd [format {
- kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
- test-pol] {KADM5_POLICY}
- } $test]]} {
- fail "$test: modify failed"
- return
- }
- if {! [cmd [format {
- kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
- } $test]]} {
- error_and_restart "$test: could not retrieve principal"
- return
- }
- send "lindex \$principal 10\n"
- expect {
- -re "test-pol\n$prompt$" { pass "$test" }
- timeout { fail "$test" }
- }
- send "lindex \$p1 6\n"
- expect {
- -re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) }
- timeout {
- error_and_restart "$test: timeout getting principal kvno (second time)"
- return
- }
- eof {
- error_and_restart "$test: eof getting principal kvno (second time)"
- return
- }
- }
- if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} {
- perror "$test: unexpected failure on get policy"
- return
- }
-
- send "lindex \$p2 6\n"
- expect {
- -re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) }
- timeout {
- error_and_restart "$test: timeout getting principal kvno (second time)"
- return
- }
- eof {
- error_and_restart "$test: eof getting principal kvno (second time)"
- return
- }
- }
- if { [expr "$oldref + 1"] != $newref } {
- fail "$test: policy reference count is wrong"
- return;
- }
- if { ! [cmd {kadm5_destroy $server_handle}]} {
- perror "$test: unexpected failure in destroy"
- return
- }
-}
-test18
-
-test "modify-principal 19"
-proc test19 {} {
- global test
- global prompt
- if {! (( ! [principal_exists "$test/a"]) ||
- [delete_principal "$test/a"])} {
- error_and_restart "$test: couldn't delete principal \"$test/a\""
- return
- }
- if { !( [create_principal "$test/a"])} {
- error_and_restart "$test: could not create principal \"$test/a\""
- return
- }
- if {! [cmd {
- kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
- $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
- server_handle
- }]} {
- perror "$test: unexpected failure in init"
- return
- }
- if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]} {
- perror "$test: unexpected failure on get policy"
- return
- }
- if {! [cmd [format {
- kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
- test-pol] {KADM5_POLICY}
- } $test]]} {
- fail "$test: modify failed"
- return
- }
- if {! [cmd [format {
- kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
- } $test]]} {
- error_and_restart "$test: could not retrieve principal"
- return
- }
- send "lindex \$principal 10\n"
- expect {
- -re "test-pol\n$prompt$" { pass "$test" }
- timeout { fail "$test" }
- }
- send "lindex \$p1 6\n"
- expect {
- -re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) }
- timeout {
- error_and_restart "$test: timeout getting principal kvno (second time)"
- return
- }
- eof {
- error_and_restart "$test: eof getting principal kvno (second time)"
- return
- }
- }
- if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} {
- perror "$test: unexpected failure on get policy"
- return
- }
-
- send "lindex \$p2 6\n"
- expect {
- -re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) }
- timeout {
- error_and_restart "$test: timeout getting principal kvno (second time)"
- return
- }
- eof {
- error_and_restart "$test: eof getting principal kvno (second time)"
- return
- }
- }
- if { [expr "$oldref + 1"] != $newref } {
- fail "$test: policy reference count is wrong"
- return;
- }
- if { ! [cmd {kadm5_destroy $server_handle}]} {
- perror "$test: unexpected failure in destroy"
- return
- }
-}
-test19
-
-test "modify-principal 20"
-proc test20 {} {
- global test
- global prompt
- if {! (( ! [principal_exists "$test/a"]) ||
- [delete_principal "$test/a"])} {
- error_and_restart "$test: couldn't delete principal \"$test/a\""
- return
- }
- if { !( [create_principal_pol "$test/a" "test-pol"])} {
- error_and_restart "$test: could not create principal \"$test/a\""
- return
- }
- if {! [cmd {
- kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
- $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
- server_handle
- }]} {
- perror "$test: unexpected failure in init"
- return
- }
- if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]} {
- perror "$test: unexpected failure on get policy"
- return
- }
- if {! [cmd [format {
- kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
- {KADM5_POLICY_CLR}
- } $test]]} {
- perror "$test: modify failed"
- return
- }
- if {! [cmd [format {
- kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
- } $test]]} {
- error_and_restart "$test: could not retrieve principal"
- return
- }
- send "lindex \$principal 10\n"
- expect {
- -re "test-pol\n$prompt$" { fail "$test" }
- -re "null\n$prompt$" { pass "$test" }
- timeout { pass "$test" }
- }
- send "lindex \$p1 6\n"
- expect {
- -re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) }
- timeout {
- error_and_restart "$test: timeout getting principal kvno (second time)"
- return
- }
- eof {
- error_and_restart "$test: eof getting principal kvno (second time)"
- return
- }
- }
- if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} {
- perror "$test: unexpected failure on get policy"
- return
- }
-
- send "lindex \$p2 6\n"
- expect {
- -re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) }
- timeout {
- error_and_restart "$test: timeout getting principal kvno (second time)"
- return
- }
- eof {
- error_and_restart "$test: eof getting principal kvno (second time)"
- return
- }
- }
- if { [expr "$oldref - 1"] != $newref } {
- fail "$test: policy reference count is wrong"
- return;
- }
- if { ! [cmd {kadm5_destroy $server_handle}]} {
- perror "$test: unexpected failure in destroy"
- return
- }
-}
-test20
-
-test "modify-principal 21"
-proc test21 {} {
- global test
- global prompt
- if {! (( ! [principal_exists "$test/a"]) ||
- [delete_principal "$test/a"])} {
- error_and_restart "$test: couldn't delete principal \"$test/a\""
- return
- }
- if { !( [create_principal_pol "$test/a" "test-pol"])} {
- error_and_restart "$test: could not create principal \"$test/a\""
- return
- }
- if {! [cmd {
- kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
- $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
- server_handle
- }]} {
- perror "$test: unexpected failure in init"
- return
- }
- if { ! [cmd {kadm5_get_policy $server_handle test-pol old_p1}]} {
- perror "$test: unexpected failure on get policy"
- return
- }
- if { ! [cmd {kadm5_get_policy $server_handle test-pol-nopw old_p2}]} {
- perror "$test: unexpected failure on get policy"
- return
- }
- if {! [cmd [format {
- kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
- test-pol-nopw] {KADM5_POLICY}
- } $test]]} {
- fail "$test: modify failed"
- return
- }
- if {! [cmd [format {
- kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
- } $test]]} {
- error_and_restart "$test: could not retrieve principal"
- return
- }
- send "lindex \$old_p1 6\n"
- expect {
- -re "(\[0-9\]+)\n$prompt$" {set old_p1_ref $expect_out(1,string) }
- timeout {
- error_and_restart "$test: timeout getting principal kvno (second time)"
- return
- }
- eof {
- error_and_restart "$test: eof getting principal kvno (second time)"
- return
- }
- }
- send "lindex \$old_p2 6\n"
- expect {
- -re "(\[0-9\]+)\n$prompt$" {set old_p2_ref $expect_out(1,string) }
- timeout {
- error_and_restart "$test: timeout getting principal kvno (second time)"
- return
- }
- eof {
- error_and_restart "$test: eof getting principal kvno (second time)"
- return
- }
- }
-
- if { ! [cmd {kadm5_get_policy $server_handle test-pol new_p1}]} {
- perror "$test: unexpected failure on get policy"
- return
- }
- if { ! [cmd {kadm5_get_policy $server_handle test-pol-nopw new_p2}]} {
- perror "$test: unexpected failure on get policy"
- return
- }
-
- send "lindex \$new_p1 6\n"
- expect {
- -re "(\[0-9\]+)\n$prompt$" {set new_p1_ref $expect_out(1,string) }
- timeout {
- error_and_restart "$test: timeout getting principal kvno (second time)"
- return
- }
- eof {
- error_and_restart "$test: eof getting principal kvno (second time)"
- return
- }
- }
- send "lindex \$new_p2 6\n"
- expect {
- -re "(\[0-9\]+)\n$prompt$" {set new_p2_ref $expect_out(1,string) }
- timeout {
- error_and_restart "$test: timeout getting principal kvno (second time)"
- return
- }
- eof {
- error_and_restart "$test: eof getting principal kvno (second time)"
- return
- }
- }
- if { [expr "$old_p1_ref - 1"] != $new_p1_ref } {
- fail "$test: policy reference count is wrong"
- return;
- }
- if { [expr "$old_p2_ref + 1"] != $new_p2_ref } {
- fail "$test: policy reference count is wrong"
- return;
- }
- if { ! [cmd {kadm5_destroy $server_handle}]} {
- perror "$test: unexpected failure in destroy"
- return
- }
-}
-test21
-
test "modify-principal 21.5"
proc test21.5 {} {
global test
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
index e955f8e..011b2a0 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
@@ -384,13 +384,6 @@ krb5_ldap_delete_password_policy(krb5_context context, char *policy)
if (st != 0)
goto cleanup;
- st = krb5_ldap_get_reference_count(context, policy_dn,
- "krbPwdPolicyReference", &refcount, ld);
- if (st == 0 && refcount != 0)
- st = KRB5_KDB_POLICY_REF;
- if (st != 0)
- goto cleanup;
-
/* Ensure that the object is a password policy */
if ((st=checkattributevalue(ld, policy_dn, "objectclass", class, &mask)) != 0)
goto cleanup;
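Review bot: The `refcount` local that fed the removed krb5_ldap_get_reference_count() call is declared above this hunk and is presumably now unused, so the function likely builds with an unused-variable warning; that declaration should go with the call. With the check gone, deleting a policy that principals still name succeeds, and the function would benefit from a comment stating that contract at the point where the check used to be, e.g. `/* Principals may still name this policy; once it is gone they are treated as having no policy. */`. The body of krb5_ldap_delete_password_policy starts and ends outside this hunk.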
diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp
index 1822bc3..c62e183 100644
--- a/src/tests/dejagnu/krb-standalone/kadmin.exp
+++ b/src/tests/dejagnu/krb-standalone/kadmin.exp
@@ -711,7 +711,6 @@ proc kadmin_addpol { pname } {
expect "Minimum number of password character classes:" {
verbose "got min pw character classes" }
expect "Number of old keys kept:" { verbose "got num old keys kept" }
- expect "Reference count:" { verbose "got refcount" }
expect "kadmin.local: " { send "q\r" }
expect_after
@@ -924,7 +923,7 @@ proc kadmin_showpol { pname } {
}
expect -re "assword\[^\r\n\]*: *"
send "adminpass$KEY\r"
- expect -re "\r.*Policy: $pname.*Number of old keys kept: .*Reference count: .*\r"
+ expect -re "\r.*Policy: $pname.*Number of old keys kept: .*\r"
expect_after
expect eof
set k_stat [wait -i $spawn_id]
diff --git a/src/tests/kdbtest.c b/src/tests/kdbtest.c
index b569b56..93de07b 100644
--- a/src/tests/kdbtest.c
+++ b/src/tests/kdbtest.c
@@ -167,7 +167,7 @@ static osa_policy_ent_rec sample_policy = {
6, /* pw_min_length */
2, /* pw_min_classes */
3, /* pw_history_num */
- 1, /* policy_refcnt */
+ 0, /* policy_refcnt */
2, /* pw_max_fail */
60, /* pw_failcnt_interval */
120, /* pw_lockout_duration */
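Review bot: policy_refcnt is kept as a positional `0` placeholder even though this commit marks the field as no longer used in kdb.h, so every later field (pw_max_fail onward) still depends on that placeholder staying in place. Switching sample_policy to designated initializers, e.g. `.pw_history_num = 3,` followed by `.pw_max_fail = 2,`, would let the dead field be omitted and keep the initializer correct if the struct layout changes later. The initializer starts before this hunk and ends after it.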
@@ -377,7 +377,6 @@ main()
CHECK(krb5_dbe_update_tl_data(ctx, ent, &tl_no_policy));
ent->mask = KADM5_POLICY_CLR | KADM5_KEY_DATA;
CHECK(krb5_db_put_principal(ctx, ent));
- /* Deleting polname should work now that the reference is gone. */
CHECK(krb5_db_delete_policy(ctx, polname));
/* Put the modified entry again (with KDB_TL_USER_INFO tl-data for LDAP) as