[krbdev.mit.edu #5889] password history doesn't work with LDAP KDB

The RT System itself via RT rt-comment at krbdev.mit.edu
Thu Feb 7 20:06:10 EST 2008 

>From krb5-bugs-incoming-bounces at PCH.MIT.EDU  Thu Feb  7 20:06:04 2008
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.12.9) with ESMTP
	id m18164HW003824; Thu, 7 Feb 2008 20:06:04 -0500 (EST)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id m1815xI2015097;
	Thu, 7 Feb 2008 20:05:59 -0500
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
	[18.7.7.76])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id m1815vtV015094
	for <krb5-bugs-incoming at PCH.mit.edu>; Thu, 7 Feb 2008 20:05:57 -0500
Received: from mit.edu (W92-130-BARRACUDA-3.MIT.EDU [18.7.21.224])
	by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id
	m1815iam028397
	for <krb5-bugs at mit.edu>; Thu, 7 Feb 2008 20:05:44 -0500 (EST)
Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22])
	by mit.edu (Spam Firewall) with ESMTP id 895F0D944BF
	for <krb5-bugs at mit.edu>; Thu,  7 Feb 2008 20:05:23 -0500 (EST)
Received: from dm-central-02.central.sun.com ([129.147.62.5])
	by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id
	m1815MRh018083 for <krb5-bugs at mit.edu>; Fri, 8 Feb 2008 01:05:22 GMT
Received: from alton.central.sun.com (alton.Central.Sun.COM [129.153.128.101])
	by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,
	v2.2) with ESMTP id m1815LWV006144
	for <krb5-bugs at mit.edu>; Thu, 7 Feb 2008 18:05:22 -0700 (MST)
Received: from alton.central.sun.com (localhost [127.0.0.1])
	by alton.central.sun.com (8.14.2+Sun/8.14.2) with ESMTP id
	m180vqjr026039
	for <krb5-bugs at mit.edu>; Thu, 7 Feb 2008 18:57:52 -0600 (CST)
Received: (from willf at localhost)
	by alton.central.sun.com (8.14.2+Sun/8.14.2/Submit) id m180vp3s026038
	for krb5-bugs at mit.edu; Thu, 7 Feb 2008 18:57:51 -0600 (CST)
X-Authentication-Warning: alton.central.sun.com: willf set sender to
	William.Fiveash at sun.com using -f
Date: Thu, 7 Feb 2008 18:57:51 -0600
From: Will Fiveash <William.Fiveash at sun.com>
To: krb5-bugs at mit.edu
Message-ID: <20080208005751.GB1209 at sun.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-send-pr-version: 3.99
User-Agent: Mutt/1.5.11
X-Spam-Score: 2.29
X-Spam-Level: ** (2.29)
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-BeenThere: krb5-bugs-incoming at mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Sender: krb5-bugs-incoming-bounces at PCH.MIT.EDU
Errors-To: krb5-bugs-incoming-bounces at PCH.MIT.EDU


>Submitter-Id:	net
>Originator:	William Fiveash
>Organization: Sun Microsystems
>Confidential:	no
>Synopsis:	password history doesn't work with LDAP KDB
>Severity:	serious 
>Priority:	medium 
>Category:	krb5-kdc
>Class:		sw-bug
>Release:	krb5-1.6.3
>Environment:
	
System: SunOS alton 5.11 snv_82 i86pc i386 i86pc
Architecture: i86pc

>Description:
The LDAP KDB plugin is not storing password/key history.  This in turn
disables the functionality of policy history (limiting reuse of a password).

>How-To-Repeat:

>Fix:

Here's the fix that works for me:

Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	(revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	(working copy)
@@ -966,9 +966,13 @@
 #ifdef SECURID
 		    || ptr->tl_data_type == KRB5_TL_DB_ARGS
 #endif
-		    || ptr->tl_data_type == KRB5_TL_KADM_DATA
 		    || ptr->tl_data_type == KDB_TL_USER_INFO)
 		    continue;
+
+		/* want to store key history */
+		if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST)
+		    continue;
+
 		count++;
 	    }
 	    if (count != 0) {
@@ -986,9 +990,13 @@
 #ifdef SECURID
 			|| ptr->tl_data_type == KRB5_TL_DB_ARGS
 #endif
-			|| ptr->tl_data_type == KRB5_TL_KADM_DATA
 			|| ptr->tl_data_type == KDB_TL_USER_INFO)
 			continue;
+
+		    /* want to store key history */
+		    if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST)
+			continue;
+
 		    if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
 			break;
 		    j++;
Index: src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c	(revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c	(working copy)
@@ -200,9 +200,10 @@
 }
 
 krb5_error_code
-krb5_update_tl_kadm_data(policy_dn, new_tl_data)
+krb5_update_tl_kadm_data(policy_dn, new_tl_data, old_tl_data)
     char	        * policy_dn;
     krb5_tl_data        * new_tl_data;
+    krb5_tl_data        * old_tl_data;
 {
     XDR xdrs;
     osa_princ_ent_t princ_entry;
@@ -211,8 +212,25 @@
 	return ENOMEM;
 
     memset(princ_entry, 0, sizeof(osa_princ_ent_rec));
-    princ_entry->admin_history_kvno = 2;
     princ_entry->aux_attributes = KADM5_POLICY;
+
+    /* adding support for key history in LDAP KDB */
+    if (old_tl_data != NULL) {
+	/* get the key history from the old tl_data */
+	xdrmem_create(&xdrs, (caddr_t)old_tl_data->tl_data_contents,
+	    old_tl_data->tl_data_length, XDR_DECODE);
+	if (! ldap_xdr_osa_princ_ent_rec(&xdrs, princ_entry)) {
+	    xdr_destroy(&xdrs);
+	    free(princ_entry);
+	    return(KADM5_XDR_FAILURE);
+	}
+	xdr_destroy(&xdrs);
+	/* will set the policy field further down, avoid mem leak */
+	free(princ_entry->policy);
+    } else {
+	princ_entry->admin_history_kvno = 2;
+    }
+
     princ_entry->policy = policy_dn;
 
     xdralloc_create(&xdrs, XDR_ENCODE);
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	(revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	(working copy)
@@ -2042,7 +2042,7 @@
 	if ((st = krb5_ldap_policydn_to_name (context, pwdpolicydn, &polname)) != 0)
 	    goto cleanup;
 
-	if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data)) != 0) {
+	if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data, entry->tl_data)) != 0) {
 	    goto cleanup;
 	}
 	krb5_dbe_update_tl_data(context, entry, &kadm_tl_data);
Index: src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h	(revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h	(working copy)
@@ -56,6 +56,6 @@
 krb5_lookup_tl_kadm_data(krb5_tl_data *tl_data, osa_princ_ent_rec *princ_entry);
 
 krb5_error_code
-krb5_update_tl_kadm_data(char *, krb5_tl_data *);
+krb5_update_tl_kadm_data(char *, krb5_tl_data *, krb5_tl_data *);
 
 #endif
Index: src/lib/kadm5/srv/svr_principal.c
===================================================================
--- src/lib/kadm5/srv/svr_principal.c	(revision 20223)
+++ src/lib/kadm5/srv/svr_principal.c	(working copy)
@@ -1442,7 +1442,10 @@
 	goto done;
 
     /* key data and attributes changed, let the database provider know */
-    kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */;
+    if (hist_added == 1)
+	kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | KADM5_KEY_HIST /* | KADM5_CPW_FUNCTION */;
+    else
+	kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */;
 
     if ((ret = kdb_put_entry(handle, &kdb, &adb)))
 	goto done;
Index: src/lib/kadm5/admin.h
===================================================================
--- src/lib/kadm5/admin.h	(revision 20223)
+++ src/lib/kadm5/admin.h	(working copy)
@@ -93,6 +93,7 @@
 #define KADM5_RANDKEY_USED      0x100000
 #endif
 #define KADM5_LOAD		0x200000
+#define KADM5_KEY_HIST		0x400000
 
 /* all but KEY_DATA and TL_DATA */
 #define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff


--Boundary_(ID_/Jq+vC5GKwdVHvvesUN+3w)--

More information about the krb5-bugs mailing list