Long overdue, fix TODOs in the code.
With this patch it is now possible to configure the password plugin so
that only certain types of NTLM hashes are created for Samba objects.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 77b22920bb962c46712c31ac1d66b757b02c7c5a Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Mon, 4 Oct 2010 14:40:37 -0400
Subject: [PATCH 4/6] Add Generic config class.

Helps when you need to add random snippets of config that really do not deserve
a full attribute, but are still something you want to put in LDAP and have
replicated.
---
 install/share/60ipaconfig.ldif |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/install/share/60ipaconfig.ldif b/install/share/60ipaconfig.ldif
index 6a22a6c..e93b55e 100644
--- a/install/share/60ipaconfig.ldif
+++ b/install/share/60ipaconfig.ldif
@@ -39,9 +39,13 @@ attributetypes: ( 2.16.840.1.113730.3.8.1.13 NAME 'ipaDefaultEmailDomain' EQUALI
 # ipaMigrationEnabled - if TRUE allow adding user entries with pre-hashed passwords
 attributeTypes: ( 2.16.840.1.113730.3.8.3.22 NAME 'ipaMigrationEnabled' DESC 'Enable adding user entries with pre-hashed passwords.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
 attributetypes: ( 2.16.840.1.113730.3.8.3.23 NAME 'ipaCertificateSubjectBase' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+## ipaConfigString - can hold any string to be used as configuration for something (it is multivalued)
+attributeTypes: (2.16.840.1.113730.3.8.3.16 NAME 'ipaConfigString' DESC 'Generic configuration stirng' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 ###############################################
 ##
 ## ObjectClasses
 ##
 ## ipaGuiConfig - GUI config parameters objectclass
 objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain $ ipaMigrationEnabled $ ipaCertificateSubjectBase) )
+## ipaConfigObject - Generic config strings object holder
+objectClasses: (2.16.840.1.113730.3.8.4.13 NAME 'ipaConfigObject' DESC 'generic config object for IPA' AUXILIARY MAY ( ipaConfigString ) X-ORIGIN 'IPA v2' )
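Review bot: The DESC of the new ipaConfigString attribute (second added line of the hunk) carries a typo, `DESC 'Generic configuration stirng'`, and should read `DESC 'Generic configuration string'`; the DESC is published as part of the server schema, so it is worth correcting before it ships and gets replicated. The objectClass DESC on the last line, `'generic config object for IPA'`, is also the only lower-case description in this block, which is cosmetic but inconsistent with the surrounding entries.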
-- 
1.7.2.3

>From 41bd5243cad87adb738b3c5dc3490475b7e6381b Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Mon, 4 Oct 2010 15:13:36 -0400
Subject: [PATCH 5/6] Add options to control NTLM hashes

By default LM hash is disabled.
Of course generation still depends on whether the SamAccount objectclass is
present in the user object.
---
 .../ipa-pwd-extop/ipa_pwd_extop.c                  |    9 ++++++
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h   |    3 ++
 .../ipa-pwd-extop/ipapwd_common.c                  |   28 ++++++++++++++++++++
 .../ipa-pwd-extop/ipapwd_encoding.c                |   26 +++++++++---------
 install/share/bootstrap-template.ldif              |    2 +
 5 files changed, 55 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index cbf5721..db55981 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -73,6 +73,7 @@ const char *ipa_realm_tree;
 /* dn of Kerberos realm entry */
 const char *ipa_realm_dn;
 const char *ipa_pwd_config_dn;
+const char *ipa_etc_config_dn;
 const char *ipa_changepw_principal_dn;
 
 Slapi_PluginDesc ipapwd_plugin_desc = {
@@ -1117,6 +1118,14 @@ static int ipapwd_start( Slapi_PBlock *pb )
         goto done;
     }
 
+    ipa_etc_config_dn = slapi_ch_smprintf("cn=ipaConfig,cn=etc,%s",
+                                          ipa_realm_tree);
+    if (!ipa_etc_config_dn) {
+        slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory?\n");
+        ret = LDAP_OPERATIONS_ERROR;
+        goto done;
+    }
+
     ret = LDAP_SUCCESS;
 
 done:
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 450e710..16e0efb 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -47,6 +47,7 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <unistd.h>
+#include <stdbool.h>
 
 #include <prio.h>
 #include <ssl.h>
@@ -110,6 +111,8 @@ struct ipapwd_krbcfg {
     struct ipapwd_encsalt *pref_encsalts;
     char **passsync_mgrs;
     int num_passsync_mgrs;
+    bool allow_lm_hash;
+    bool allow_nt_hash;
 };
 
 int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
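Review bot: The two new fields say nothing about where their values come from or what they gate, so a reader of the header has to find ipapwd_getConfig to learn that; a trailing comment on each would do, e.g. `bool allow_lm_hash; /* set from ipaConfigString: AllowLMhash, off unless configured */` and `bool allow_nt_hash; /* set from ipaConfigString: AllowNThash */`. The struct ipapwd_krbcfg definition begins before this hunk.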
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index 0e08785..42a4abe 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -48,6 +48,7 @@
 
 extern void *ipapwd_plugin_id;
 extern const char *ipa_realm_dn;
+extern const char *ipa_etc_config_dn;
 extern const char *ipa_pwd_config_dn;
 
 /* These are the default enc:salt types if nothing is defined.
@@ -152,6 +153,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
     const struct berval *bval;
     struct berval *mkey = NULL;
     char **encsalts;
+    char **tmparray;
     char *tmpstr;
     int i, ret;
 
@@ -306,6 +308,32 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
     for (i = 0; config->passsync_mgrs[i]; i++) /* count */ ;
     config->num_passsync_mgrs = i;
 
+    slapi_entry_free(config_entry);
+
+    /* get the ipa etc/ipaConfig entry */
+    config->allow_lm_hash = false;
+    config->allow_nt_hash = false;
+    ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
+    if (ret != LDAP_SUCCESS) {
+        slapi_log_error(SLAPI_LOG_FATAL, __func__, "No config Entry?\n");
+    } else {
+        tmparray = slapi_entry_attr_get_charray(config_entry,
+                                                "ipaConfigString");
+        for (i = 0; tmparray && tmparray[i]; i++) {
+            if (strcasecmp(tmparray[i], "AllowLMhash") == 0) {
+                config->allow_lm_hash = true;
+                continue;
+            }
+            if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
+                config->allow_nt_hash = true;
+                continue;
+            }
+        }
+        if (tmparray) slapi_ch_array_free(tmparray);
+    }
+
+    slapi_entry_free(config_entry);
+
     return config;
 
 free_and_error:
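Review bot: The unconditional `slapi_entry_free(config_entry)` added at the end of this block can free the first entry twice: it was already released just above the ipaConfig lookup, and if `ipapwd_getEntry` fails it is not visible here whether the out-parameter is reset, so config_entry may still hold the freed pointer. Clearing it locally is cheap and removes the dependency on the helper's failure contract: `slapi_entry_free(config_entry); config_entry = NULL;` before the lookup. The failure log also repeats the wording used for the earlier lookup ("No config Entry?"), so include the DN to tell the two apart, e.g. `slapi_log_error(SLAPI_LOG_FATAL, __func__, "No config Entry at %s?\n", ipa_etc_config_dn);`. Leaving both allow flags false when the entry cannot be read is the right fail-closed default. ipapwd_getConfig starts before and ends after this hunk.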
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index 1b1e6d9..f11efa3 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -557,8 +557,6 @@ enc_error:
 }
 
 
-#define KTF_LM_HASH 0x01
-#define KTF_NT_HASH 0x02
 #define KTF_DOS_CHARSET "CP850" /* same default as samba */
 #define KTF_UTF8 "UTF-8"
 #define KTF_UCS2 "UCS-2LE"
@@ -593,16 +591,19 @@ struct ntlm_keys {
 
 /* create the lm and nt hashes
    newPassword: the clear text utf8 password
-   flags: KTF_LM_HASH | KTF_NT_HASH
+   do_lm_hash: determine if LM hash is generated
+   do_nt_hash: determine if NT hash is generated
+   keys[out]: array with generated hashes
 */
 static int encode_ntlm_keys(char *newPasswd,
-                            unsigned int flags,
+                            bool do_lm_hash,
+                            bool do_nt_hash,
                             struct ntlm_keys *keys)
 {
     int ret = 0;
 
     /* do lanman first */
-    if (flags & KTF_LM_HASH) {
+    if (do_lm_hash) {
         iconv_t cd;
         size_t cs, il, ol;
         char *inc, *outc;
@@ -678,7 +679,7 @@ static int encode_ntlm_keys(char *newPasswd,
         memset(keys->lm, 0, 16);
     }
 
-    if (flags & KTF_NT_HASH) {
+    if (do_nt_hash) {
         iconv_t cd;
         size_t cs, il, ol, sl;
         char *inc, *outc;
@@ -770,13 +771,12 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
     if (is_smb) {
         char lm[33], nt[33];
         struct ntlm_keys ntlm;
-        int ntlm_flags = 0;
         int ret;
 
-        /* TODO: retrieve if we want to store the LM hash or not */
-        ntlm_flags = KTF_LM_HASH | KTF_NT_HASH;
-
-        ret = encode_ntlm_keys(userpw, ntlm_flags, &ntlm);
+        ret = encode_ntlm_keys(userpw,
+                               krbcfg->allow_lm_hash,
+                               krbcfg->allow_nt_hash,
+                               &ntlm);
         if (ret) {
             *errMesg = "Failed to generate NT/LM hashes\n";
             slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
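Review bot: When both `allow_lm_hash` and `allow_nt_hash` are false this branch still calls `encode_ntlm_keys` and then, in the next hunk, leaves `*lmhash` and `*nthash` untouched, so it silently relies on the caller having initialised both out-pointers to NULL; unless that is already the documented contract, skipping the work is simpler: `if (is_smb && (krbcfg->allow_lm_hash || krbcfg->allow_nt_hash)) {`. Separately, the `ntlm` struct and the `lm`/`nt` hex buffers hold password-equivalent hashes on the stack and are not cleared once the strdup copies are taken; wiping them with a secure-zero routine (explicit_bzero where available) before the block exits would be prudent, since a plain memset at scope end may be optimised away. ipapwd_gen_hashes begins and ends outside this hunk.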
@@ -784,12 +784,12 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
             rc = LDAP_OPERATIONS_ERROR;
             goto done;
         }
-        if (ntlm_flags & KTF_LM_HASH) {
+        if (krbcfg->allow_lm_hash) {
             hexbuf(lm, ntlm.lm);
             lm[32] = '\0';
             *lmhash = slapi_ch_strdup(lm);
         }
-        if (ntlm_flags & KTF_NT_HASH) {
+        if (krbcfg->allow_nt_hash) {
             hexbuf(nt, ntlm.nt);
             nt[32] = '\0';
             *nthash = slapi_ch_strdup(nt);
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 0f132e6..b77740d 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -187,6 +187,7 @@ changetype: add
 objectClass: nsContainer
 objectClass: top
 objectClass: ipaGuiConfig
+objectClass: ipaConfigObject
 ipaUserSearchFields: uid,givenname,sn,telephonenumber,ou,title
 ipaGroupSearchFields: cn,description
 ipaSearchTimeLimit: 2
@@ -213,6 +214,7 @@ ipaUserObjectClasses: radiusprofile
 ipaUserObjectClasses: ipaobject
 ipaDefaultEmailDomain: $DOMAIN
 ipaMigrationEnabled: FALSE
+ipaConfigString: AllowNThash
 
 dn: cn=account inactivation,cn=accounts,$SUFFIX
 changetype: add
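Review bot: The new `ipaConfigString: AllowNThash` line is the only place an administrator sees this switch, and nothing in the template records that `AllowLMhash` is the sibling value or that LM generation is off unless it is listed. A comment above the line, such as `# ipaConfigString: AllowNThash / AllowLMhash select which NTLM hashes the password plugin stores for Samba users`, would document the knob where it is set.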
-- 
1.7.2.3
