On Fri, 2012-07-27 at 18:54 -0400, Simo Sorce wrote:
> On Fri, 2012-07-27 at 07:15 +0300, Alexander Bokovoy wrote:
> > On Thu, 12 Jul 2012, Alexander Bokovoy wrote:
> > >On Thu, 12 Jul 2012, Simo Sorce wrote:
> > >>On Thu, 2012-07-12 at 10:48 +0300, Alexander Bokovoy wrote:
> > >>>On Wed, 11 Jul 2012, Simo Sorce wrote:
> > >>>>From 84ef09a1193ff42fc301fb71354055c5039f51a5 Mon Sep 17 00:00:00 2001
> > >>>>From: Simo Sorce <sso...@redhat.com>
> > >>>>Date: Fri, 6 Jul 2012 16:18:29 -0400
> > >>>>Subject: [PATCH] Add special modify op to regen ipaNTHash
> > >>>>
> > > >>>>The NT Hash is the same thing as the RC4-HMAC key, so we add a function to
> > > >>>>extract it from krb5 keys, if they are available, to avoid forcing a password
> > > >>>>change when configuring trust relationships.
> > >>>>---
> > >>>> .../ipa-pwd-extop/ipapwd_prepost.c                 |  147 
> > >>>> +++++++++++++++++++-
> > >>>> 1 file changed, 144 insertions(+), 3 deletions(-)
> > >>>>
> > >>>>diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c 
> > >>>>b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
> > >>>>index 
> > >>>>deae6477772f82edcc4674a1c9580661c3dae94b..24fa52eb9ac92004576ccdba4f576162c358770d
> > >>>> 100644
> > >>>>--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
> > >>>>+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
> > >>>>@@ -41,7 +41,12 @@
> > >>>> #  include <config.h>
> > >>>> #endif
> > >>>>
> > >>>>-#define _XOPEN_SOURCE /* strptime needs this */
> > >>>>+/* strptime needs _XOPEN_SOURCE and endian.h needs __USE_BSD
> > >>>>+ * _GNU_SOURCE imply both, and we use it elsewhere, so use this */
> > >>>>+#ifndef _GNU_SOURCE
> > >>>>+#define _GNU_SOURCE 1
> > >>>>+#endif
> > >>>>+
> > >>>> #include <stdio.h>
> > >>>> #include <string.h>
> > >>>> #include <strings.h>
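Review bot: The `_GNU_SOURCE` define sits after `#include <config.h>`, but a feature-test macro only takes effect if it precedes the first system header. If config.h ever pulls in a system header, strptime and the endian.h helpers would no longer be declared as intended. The `#ifndef` guard is appropriate for a config.h that already defines the macro. The comment could record the ordering requirement, e.g. `/* must stay above every system #include */`, and describe the need in terms of the feature-test macro rather than the glibc-internal `__USE_BSD`.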
> > >>>>@@ -53,6 +58,7 @@
> > >>>> #include <dirsrv/slapi-plugin.h>
> > >>>> #include <lber.h>
> > >>>> #include <time.h>
> > >>>>+#include <endian.h>
> > >>>>
> > >>>> #include "ipapwd.h"
> > >>>> #include "util.h"
> > >>>>@@ -379,6 +385,12 @@ done:
> > >>>>     return 0;
> > >>>> }
> > >>>>
> > >>>>+#define NTHASH_REGEN_VAL "MagicRegen"
> > >>>>+#define NTHASH_REGEN_LEN sizeof(NTHASH_REGEN_VAL)
> > >>>>+static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
> > >>>>+                               char *dn, struct slapi_entry *entry,
> > >>>>+                               struct ipapwd_krbcfg *krbcfg);
> > >>>>+
> > >>>> /* PRE MOD Operation:
> > >>>>  * Gets the clean text password (fail the operation if the password 
> > >>>> came
> > >>>>  * pre-hashed, unless this is a replicated operation).
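Review bot: `NTHASH_REGEN_LEN` is defined as `sizeof(NTHASH_REGEN_VAL)`, which counts the terminating NUL, so it is 11 rather than the 10 bytes a client would send as the attribute value. The code that compares it with the incoming value is outside this hunk, so whether it compensates cannot be seen here. Defining it as `#define NTHASH_REGEN_LEN (sizeof(NTHASH_REGEN_VAL) - 1)`, with its users adjusted, would make the constant match a berval length directly and remove the off-by-one risk in the comparison. Since this value turns a modify on ipaNTHash into a request to derive the hash from existing Kerberos keys, a comment above the define such as `/* writing this value to ipaNTHash asks the plugin to regenerate the hash from the entry's krb5 keys */` would help reviewers check that the path is covered by access control.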
> > >>>>@@ -407,6 +419,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
> > >>>>     int has_krb_keys = 0;
> > >>>>     int has_history = 0;
> > >>>>     int gen_krb_keys = 0;
> > >>>>+    int is_magic_regen = 0;
> > >>>>     int ret, rc;
> > >>>>
> > >>>>     LOG_TRACE( "=>\n");
> > >>>>@@ -447,6 +460,27 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
> > >>>>             default:
> > >>>>                 break;
> > >>>>             }
> > >>>>+        } else if (slapi_attr_types_equivalent(lmod->mod_type, 
> > >>>>"ipaNTHash")) {
> > >>>>+            /* check op filtering out LDAP_MOD_BVALUES */
> > >>>>+            switch (lmod->mod_op & 0x0f) {
> > >>>>+            case LDAP_MOD_REPLACE:
> > >>>This is still LDAP_MOD_REPLACE, not LDAP_MOD_ADD.
> > >>
> > > >>This is because I re-sent the old patch :(
> > >>
> > >>Hopefully the correct patch is now attached.
> > >Yes, now it is updated, thanks.
> > >
> > >I'm going to experiment a bit with these patches, adding ipasam
> > >responder to test them.
> > Here is ipasam part.
> 
> ACK the ipasam part.

Pushed all 4 patches to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
