A patch to support S4U2proxy in db2 module
Weijun Wang
weijun.wang at oracle.com
Tue Jul 3 05:11:26 EDT 2012
Hi All
I'm playing with MIT krb5's S4U2proxy feature, but the db2 backend does
not implement the check_allowed_to_delegate callback.
Here is a patch for it. It makes use of the "allowed_to_delegate_to"
string attribute. The value can be either "*", "s1", or "s1 s2".
I haven't written a lot of C code in the past few years, so there may
be some coding errors.
Thanks
Weijun
# HG changeset patch
# Parent a3ee99c1bcbf2ec16494bd01a1b428faeef0e063
diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c
--- a/src/plugins/kdb/db2/db2_exp.c
+++ b/src/plugins/kdb/db2/db2_exp.c
@@ -180,6 +180,13 @@
krb5_timestamp authtime, krb5_error_code error_code),
(kcontext, request, client, server, authtime, error_code));
+WRAP_K (krb5_db2_check_allowed_to_delegate,
+ (krb5_context kcontext,
+ krb5_const_principal client,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy),
+ (kcontext, client, server, proxy));
+
static krb5_error_code
hack_init (void)
{
@@ -235,5 +242,6 @@
/* check_policy_as */ wrap_krb5_db2_check_policy_as,
0,
/* audit_as_req */ wrap_krb5_db2_audit_as_req,
- 0, 0
+ 0,
+ /* check_allowed_to_delegate */ wrap_krb5_db2_check_allowed_to_delegate
};
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -1425,3 +1425,54 @@
{
(void) krb5_db2_lockout_audit(kcontext, client, authtime, error_code);
}
+
+/*
+ * Use the "allowed_to_delegate_to" string attribute to determine when
+ * S4U2proxy can be performed. The value should take the form of
+ *
+ * proxy1 proxy2...
+ *
+ * proxy1 (and proxy2...) can also be * to match all princpals. It
+ * MUST NOT include the realm name.
+ */
+krb5_error_code
+krb5_db2_check_allowed_to_delegate(krb5_context kcontext,
+ krb5_const_principal client,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy)
+{
+ char *proxy_name = NULL;
+ char *conf = NULL;
+ krb5_error_code retval;;
+
+ if (retval = krb5_unparse_name_flags(kcontext, proxy,
+ KRB5_PRINCIPAL_UNPARSE_SHORT, &proxy_name)) {
+ goto cleanup;
+ }
+
+ if (retval = krb5_dbe_get_string(kcontext, server,
+ "allowed_to_delegate_to", &conf)) {
+ goto cleanup;
+ }
+
+ retval = KRB5KDC_ERR_POLICY;
+ if (conf != NULL) {
+ char *name_r;
+ char *name = strtok_r(conf, " ", &name_r);
+ while (name != NULL) {
+ if (!strcmp(name, "*") || !strcmp(name, proxy_name)) {
+ retval = 0;
+ goto cleanup;
+ }
+ name = strtok_r(NULL, ",;", &name_r);
+ }
+ }
+
+cleanup:
+ if (conf)
+ krb5_dbe_free_string(kcontext, conf);
+ if (proxy_name)
+ krb5_free_unparsed_name(kcontext, proxy_name);
+
+ return retval;
+}
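Review bot: The two strtok_r calls split on different delimiter sets — the first call uses `" "` while the continuation inside the loop uses `",;"` — so a value such as `s1 s2 s3` tokenizes as `s1` and `s2 s3`, and the third service can never match even though the header comment documents a space-separated list; both calls should use the same string, e.g. `name = strtok_r(NULL, " ", &name_r);` (or `" ,;"` in both places if commas and semicolons are meant to be accepted). Two points of style: `krb5_error_code retval;;` carries a stray semicolon, and the assignments inside the `if` conditions would read more like the rest of this file (and avoid a -Wparentheses warning) as `retval = krb5_unparse_name_flags(...); if (retval) goto cleanup;`. The `*` token is compared before the proxy name is, so it grants delegation to any principal in any realm, not only the local one; that is worth stating explicitly in the header comment so administrators understand the attribute value makes the service's delegation effectively unconstrained. The absent-attribute case (conf == NULL) correctly falls through to KRB5KDC_ERR_POLICY, which is the right deny-by-default.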
diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h
--- a/src/plugins/kdb/db2/kdb_db2.h
+++ b/src/plugins/kdb/db2/kdb_db2.h
@@ -142,4 +142,9 @@
krb5_db_entry *client, krb5_db_entry *server,
krb5_timestamp authtime, krb5_error_code error_code);
+krb5_error_code
+krb5_db2_check_allowed_to_delegate(krb5_context kcontext,
+ krb5_const_principal client,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy);
#endif /* KRB5_KDB_DB2_H */