need advice on how to deal with KADM5_POLICY attribute
Will Fiveash
William.Fiveash at Sun.COM
Sun Sep 24 20:31:00 EDT 2006
I'm close to getting the "kdb5_util load" command to work with the LDAP
KDB plugin; however, I'm having some difficulty understanding how to deal
with princ. records that have a policy reference. Note that I
have modified the dump.c:process_k5beta6_record() function to set the
dbentry.mask so the krb5_ldap_put_principal() will properly create the
princ attributes when putting the princ entry to the directory. For
example:
    if (nread == 8) {
        dbentry.attributes = (krb5_flags) t2;
        dbentry.max_life = (krb5_deltat) t3;
        dbentry.max_renewable_life = (krb5_deltat) t4;
        dbentry.expiration = (krb5_timestamp) t5;
        dbentry.pw_expiration = (krb5_timestamp) t6;
        dbentry.last_success = (krb5_timestamp) t7;
        dbentry.last_failed = (krb5_timestamp) t8;
        dbentry.fail_auth_count = (krb5_kvno) t9;
        dbentry.mask = KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
            KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_PRINC_EXPIRE_TIME |
            KADM5_LAST_SUCCESS | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT;
What I'm confused about is how to determine when the KADM5_POLICY mask
field should be set so that krb5_ldap_put_principal() will do the right
thing. I think the policy reference is in the tl_data if it exists but
I am unsure as to the best way to detect this. I'm assuming that in the
process_k5beta6_record() where it does:
    if (!error && dbentry.n_tl_data) {
        for (tl = dbentry.tl_data; tl; tl = tl->tl_data_next) {
            nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
            if (nread == 2) {
                tl->tl_data_type = (krb5_int16) t1;
                if (t1 == KRB5_TL_KADM_DATA) {
                    /*
                     * XXX How to determine when to dbentry.mask |= KADM5_POLICY?
                     */
                }
that the tl_data_type would be tested to see if it contains
KRB5_TL_KADM_DATA and the data would be checked to see if it contained a
policy but this is conjecture on my part.
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
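As an added illustration (not code from the post above or from MIT Kerberos), the check the loader would need at the XXX point: the KRB5_TL_KADM_DATA contents are the XDR-encoded osa_princ_ent_rec, whose layout is assumed here to be a version word, the policy name as an xdr_nullstring, then aux_attributes, with OSA_ADB_PRINC_VERSION_1 and KADM5_POLICY taken from the kadm5 headers. The XDR words are decoded by hand so the example runs without libkadm5, the helper names are hypothetical, and the sample records are constructed; a policy is treated as referenced, as libkadm5 does, only when aux_attributes carries KADM5_POLICY and the policy name is non-NULL.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Values as defined in the MIT Kerberos kadm5 headers. */
#define OSA_ADB_PRINC_VERSION_1 0x12345C01u
#define KADM5_POLICY            0x000800u
/* Read one 4-byte big-endian XDR integer at *pos; returns 0 on short input. */
static int xdr_get_u32(const uint8_t *b, size_t len, size_t *pos, uint32_t *out)
{
    if (len - *pos < 4) return 0;
    *out = ((uint32_t)b[*pos] << 24) | ((uint32_t)b[*pos + 1] << 16) |
           ((uint32_t)b[*pos + 2] << 8) | b[*pos + 3];
    *pos += 4;
    return 1;
}
/* Inspect the XDR-encoded osa_princ_ent_rec carried in KRB5_TL_KADM_DATA:
 * version, policy as xdr_nullstring (length 0 = NULL, otherwise strlen+1
 * NUL-terminated bytes padded to 4), then aux_attributes.  Returns 1 if a
 * policy is referenced, 0 if not, -1 if malformed; copies the name if asked. */
int kadm_data_has_policy(const uint8_t *tl, size_t tl_len, char *name, size_t name_len)
{
    size_t pos = 0, padded;
    uint32_t version, slen, aux;
    if (!xdr_get_u32(tl, tl_len, &pos, &version)) return -1;
    if (version != OSA_ADB_PRINC_VERSION_1) return -1;      /* unknown layout */
    if (!xdr_get_u32(tl, tl_len, &pos, &slen) || slen > tl_len - pos) return -1;
    padded = ((size_t)slen + 3) & ~(size_t)3;
    if (padded > tl_len - pos) return -1;                   /* pad bytes missing */
    if (slen > 0 && tl[pos + slen - 1] != '\0') return -1;  /* name not terminated */
    if (name && slen > name_len) return -1;                 /* caller buffer too small */
    if (name && slen > 0) memcpy(name, tl + pos, slen);
    else if (name && name_len) name[0] = '\0';
    pos += padded;
    if (!xdr_get_u32(tl, tl_len, &pos, &aux)) return -1;
    return (slen > 0 && (aux & KADM5_POLICY)) ? 1 : 0;
}
/* Bits the loader would OR into dbentry.mask for this record (hypothetical helper). */
uint32_t policy_mask_bits(const uint8_t *tl, size_t tl_len)
{
    return kadm_data_has_policy(tl, tl_len, NULL, 0) == 1 ? KADM5_POLICY : 0;
}
/* Constructed samples: policy "default" with KADM5_POLICY set, and a NULL policy;
 * trailing zero words are old_key_next, admin_history_kvno and an empty old_keys. */
const uint8_t SAMPLE_WITH_POLICY[] = {
    0x12, 0x34, 0x5C, 0x01, 0, 0, 0, 8, 'd', 'e', 'f', 'a', 'u', 'l', 't', 0,
    0, 0, 0x08, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t SAMPLE_NO_POLICY[] = {
    0x12, 0x34, 0x5C, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
char g_policy[64];   /* scratch buffer that receives the decoded policy name */
```

A record shorter than its declared policy string, or one with an unterminated name, is reported as malformed rather than silently loaded without its policy.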