On 01/30/2014 07:19 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> krbPwdPolicyReference is no longer filled in for default users. Instead, plugins
>> fall back to a hardcoded global policy reference.
>>
>> Fix ipa-lockout plugin to fallback to it instead of failing to apply
>> the policy.
>>
>> https://fedorahosted.org/freeipa/ticket/4085
> 
> NACK.
> 
> I think you should include the value of krberr in error messages (we aren't
> exactly consistent in this elsewhere in the code but we need to start 
> somewhere).
> 
> You check the wrong value after the krb5_get_default_realm() call.
> 
> It is probably better to use slapi_ch_free_string() than free().
> 
> At some point we'll need a common library where this sort of operation can be
> done.
> 
> rob

Good catch, sending updated patch.

Martin
From 2392ccb4ff9f0310512a6313240749900567d831 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 30 Jan 2014 16:58:25 +0100
Subject: [PATCH] Fallback to global policy in ipa-lockout plugin

krbPwdPolicyReference is no longer filled in for default users. Instead, plugins
fall back to a hardcoded global policy reference.

Fix ipa-lockout plugin to fallback to it instead of failing to apply
the policy.

https://fedorahosted.org/freeipa/ticket/4085
---
 .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c    | 34 ++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
index fd6602fdee9b2fd95c154fd512fcba4f37e56bad..5a24359d319aaea28773daa01d268d2d46583270 100644
--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
@@ -49,6 +49,7 @@
 #include <time.h>
 #include "slapi-plugin.h"
 #include "nspr.h"
+#include <krb5.h>
 
 #include "util.h"
 
@@ -81,6 +82,8 @@ static int g_plugin_started = 0;
 
 static struct ipa_context *global_ipactx = NULL;
 
+static char *ipa_global_policy = NULL;
+
 #define GENERALIZED_TIME_LENGTH 15
 
 /**
@@ -142,8 +145,11 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
     Slapi_Attr *attr = NULL;
     char *dn = NULL;
     char *basedn = NULL;
+    char *realm = NULL;
     Slapi_DN *sdn;
     Slapi_Entry *config_entry;
+    krb5_context krbctx = NULL;
+    krb5_error_code krberr;
     int ret;
 
     /* Get cn=config so we can get the default naming context */
@@ -167,6 +173,28 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
         goto done;
     }
 
+    krberr = krb5_init_context(&krbctx);
+    if (krberr) {
+        LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
+        ret = LDAP_OPERATIONS_ERROR;
+        goto done;
+    }
+
+    krberr = krb5_get_default_realm(krbctx, &realm);
+    if (krberr) {
+        LOG_FATAL("Failed to get default realm (%d)\n", krberr);
+        ret = LDAP_OPERATIONS_ERROR;
+        goto done;
+    }
+
+    ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
+                                          realm, basedn);
+    if (!ipa_global_policy) {
+        LOG_OOM();
+        ret = LDAP_OPERATIONS_ERROR;
+        goto done;
+    }
+
     ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);
     if (ret == -1) {
         LOG_OOM();
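Review bot: The realm string obtained from krb5_get_default_realm() here is released with the libc free() in the cleanup hunk (`@@ -221,6 +249,8`), but that buffer is allocated by libkrb5 and should be returned through its own deallocator, which also needs the context still alive, so the two cleanup lines should read `krb5_free_default_realm(krbctx, realm);` followed by `krb5_free_context(krbctx);` rather than the current order with free(). Passing a NULL context to krb5_free_context() on the early-exit paths appears to be tolerated by MIT krb5, but that is worth confirming since several goto done paths reach it before krb5_init_context() succeeded. Independently, ipa_global_policy is assigned without releasing any previous value, so if ipalockout_get_global_config() can run more than once (I cannot tell from the hunk) the earlier string leaks; a `slapi_ch_free_string(&ipa_global_policy);` immediately before the slapi_ch_smprintf() call avoids that. ipalockout_get_global_config() starts and ends outside this hunk.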
@@ -221,6 +249,8 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
 done:
     if (config_entry)
         slapi_entry_free(config_entry);
+    free(realm);
+    krb5_free_context(krbctx);
     free(dn);
     free(basedn);
     return ret;
@@ -248,6 +278,8 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry, Slapi_Entry **policy_entry,
             slapi_valueset_first_value(*values, &sv);
             *policy_dn = slapi_value_get_string(sv);
         }
+    } else {
+        *policy_dn = ipa_global_policy;
     }
 
     if (*policy_dn == NULL) {
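Review bot: The new else branch makes *policy_dn alias a file-scope string that ipalockout_close() frees, whereas the if branch points it into the entry's value set, so the two sources have different lifetimes and the caller must treat the pointer as borrowed in both cases; that deserves a comment at the assignment, e.g. `/* No per-entry policy reference: borrow the global policy DN built by ipalockout_get_global_config(); NULL if that failed */`. The NULL case is covered by the existing check just below, so no extra guard is needed. ipalockout_getpolicy() starts and ends outside this hunk.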
@@ -376,6 +408,8 @@ ipalockout_close(Slapi_PBlock * pb)
 {
     LOG_TRACE( "--in-->\n");
 
+    slapi_ch_free_string(&ipa_global_policy);
+
     LOG_TRACE("<--out--\n");
 
     return EOK;
-- 
1.8.5.3
