Subject says it all. Tested via kadmin.local list_policies. Ticket: 3015. Simo.
-- Simo Sorce * Red Hat, Inc * New York
From f3f6e6d1e80aa2cce042022c102d156998576545 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 7 Dec 2015 14:09:35 -0500
Subject: [PATCH] Implement pwd policy iterator

Signed-off-by: Simo Sorce <s...@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/3015
---
 daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 165 ++++++++++++++++++++++++------------
 1 file changed, 110 insertions(+), 55 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
index 076314a12840881a340763ab5693131aaccafec6..4718601463211bb1fa70efd45d981f0198832489 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -34,7 +34,7 @@ char *std_pwdpolicy_attrs[] = {
 "krbpwdmaxfailure",
 "krbpwdfailurecountinterval",
 "krbpwdlockoutduration",
-
+ "cn",
 NULL
 };
@@ -133,62 +133,40 @@ krb5_error_code ipadb_create_pwd_policy(krb5_context kcontext, return KRB5_PLUGIN_OP_NOTSUPP; } -krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name, - osa_policy_ent_t *policy) +void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val) +{ + if (val) { + free(val->name); + free(val->allowed_keysalts); + free(val); + } +} + +krb5_error_code ipadb_parse_pwd_policy_entry(struct ipadb_context *ipactx, + LDAPMessage *lentry, + osa_policy_ent_t *policy) { - struct ipadb_context *ipactx; - char *esc_name = NULL; - char *src_filter = NULL; - krb5_error_code kerr; - LDAPMessage *res = NULL; - LDAPMessage *lentry; osa_policy_ent_t pentry = NULL; + krb5_error_code kerr; uint32_t result; int ret; - ipactx = ipadb_get_context(kcontext); - if (!ipactx) { - return KRB5_KDB_DBNOTINITED; - } - - esc_name = ipadb_filter_escape(name, true); - if (!esc_name) { - return ENOMEM; - } - - ret = asprintf(&src_filter, POLICY_SEARCH_FILTER, esc_name); - if (ret == -1) { - kerr = KRB5_KDB_INTERNAL_ERROR; - goto done; - } - - kerr = ipadb_simple_search(ipactx, - ipactx->realm_base, LDAP_SCOPE_SUBTREE, - src_filter, std_pwdpolicy_attrs, &res); - if (kerr) { - goto done; - } - - lentry = ldap_first_entry(ipactx->lcontext, res); - if (!lentry) { - kerr = KRB5_KDB_INTERNAL_ERROR; - goto done; - } - pentry = calloc(1, sizeof(osa_policy_ent_rec)); if (!pentry) { kerr = ENOMEM; goto done; } pentry->version = 1; - pentry->name = strdup(name); - if (!pentry->name) { - kerr = ENOMEM; - goto done; - } /* FIXME: what to do with missing attributes ? */ + ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "cn", &pentry->name); + if (ret != 0) { + kerr = KRB5_KDB_INTERNAL_ERROR; + goto done; + } + ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry, "krbMinPwdLife", &result); if (ret == 0) { 
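Review bot: ipadb_parse_pwd_policy_entry is new and is now shared by the lookup and the iterator, but it carries no contract comment saying who owns *policy; a comment above it along the lines of `/* Build an osa_policy_ent_rec from one LDAP policy entry. On success *policy is set and the caller releases it with ipadb_free_pwd_policy(); on failure *policy is left untouched. */` would settle that for both callers. Because pentry comes from calloc, any krbPwd* attribute that ipadb_ldap_attr_to_uint32 does not find stays 0 (the attribute lookups continue past the end of this hunk), which presumably reads downstream as "no limit" — if that is the intended answer to the FIXME, the comment could say so rather than leaving the question open. The relocated ipadb_free_pwd_policy never reads its kcontext parameter, which is fine for the KDB vtable but worth a one-word comment since a later hunk passes NULL for it.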
@@ -245,15 +223,73 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name, } *policy = pentry; + kerr = 0; done: if (kerr) { - free(pentry); + ipadb_free_pwd_policy(NULL, pentry); } + + return kerr; +} + +static krb5_error_code search_pwd_policy_entry(struct ipadb_context *ipactx, + char *match_entry, bool exact, + LDAPMessage **res) +{ + char *src_filter = NULL; + char *esc_name = NULL; + krb5_error_code kerr; + int ret; + + esc_name = ipadb_filter_escape((match_entry ? match_entry : "*"), exact); + if (!esc_name) { + return ENOMEM; + } + + ret = asprintf(&src_filter, POLICY_SEARCH_FILTER, esc_name); + if (ret == -1) { + kerr = KRB5_KDB_INTERNAL_ERROR; + goto done; + } + + kerr = ipadb_simple_search(ipactx, + ipactx->realm_base, LDAP_SCOPE_SUBTREE, + src_filter, std_pwdpolicy_attrs, res); + +done: free(esc_name); free(src_filter); + + return kerr; +} + +krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name, + osa_policy_ent_t *policy) +{ + struct ipadb_context *ipactx; + krb5_error_code kerr; + LDAPMessage *res = NULL; + LDAPMessage *lentry; + + ipactx = ipadb_get_context(kcontext); + if (!ipactx) { + return KRB5_KDB_DBNOTINITED; + } + + kerr = search_pwd_policy_entry(ipactx, name, true, &res); + if (kerr) return kerr; + + lentry = ldap_first_entry(ipactx->lcontext, res); + if (!lentry) { + kerr = KRB5_KDB_INTERNAL_ERROR; + goto done; + } + + kerr = ipadb_parse_pwd_policy_entry(ipactx, lentry, policy); + +done: ldap_msgfree(res); - return kerr; } 
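Review bot: The early `if (kerr) return kerr;` in ipadb_get_pwd_policy skips ldap_msgfree(res), whereas the old code reached done: on a search failure and freed it; the same early return appears in ipadb_iterate_pwd_policy in the next hunk. If ipadb_simple_search (defined elsewhere) can hand back a result message together with a non-zero return, as OpenLDAP's ldap_search_ext_s does for some result codes, that message leaks on every failed lookup, and `if (kerr) goto done;` keeps the single exit at no cost since the old failure path already called ldap_msgfree on a NULL res. Separately, an empty search result is still mapped to KRB5_KDB_INTERNAL_ERROR, carried over from the old code; returning KRB5_KDB_NOENTRY there would, as far as I can tell from libkadm5's handling, let kadmin report an unknown policy instead of an internal error.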
@@ -268,7 +304,35 @@ krb5_error_code ipadb_iterate_pwd_policy(krb5_context kcontext, osa_adb_iter_policy_func func, void *data) { - return KRB5_PLUGIN_OP_NOTSUPP; + struct ipadb_context *ipactx; + krb5_error_code kerr; + LDAPMessage *res = NULL; + LDAPMessage *lentry; + osa_policy_ent_t policy; + + ipactx = ipadb_get_context(kcontext); + if (!ipactx) { + return KRB5_KDB_DBNOTINITED; + } + + kerr = search_pwd_policy_entry(ipactx, match_entry, false, &res); + if (kerr) return kerr; + + lentry = ldap_first_entry(ipactx->lcontext, res); + while (lentry) { + policy = NULL; + + kerr = ipadb_parse_pwd_policy_entry(ipactx, lentry, &policy); + if (kerr == 0) { + func(data, policy); + } + ipadb_free_pwd_policy(kcontext, policy); + + lentry = ldap_next_entry(ipactx->lcontext, lentry); + } + + ldap_msgfree(res); + return kerr; } krb5_error_code ipadb_delete_pwd_policy(krb5_context kcontext, @@ -277,15 +341,6 @@ krb5_error_code ipadb_delete_pwd_policy(krb5_context kcontext, return KRB5_PLUGIN_OP_NOTSUPP; } -void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val) -{ - if (val) { - free(val->name); - free(val->allowed_keysalts); - free(val); - } -} - krb5_error_code ipadb_check_policy_as(krb5_context kcontext, krb5_kdc_req *request, krb5_db_entry *client, -- 2.5.0
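Review bot: In the loop in ipadb_iterate_pwd_policy a failure from ipadb_parse_pwd_policy_entry is overwritten by the next iteration, so the function returns the status of whichever entry happened to be last: an error on a middle entry is silently dropped after func() was skipped for it, and an error on the last entry fails the whole iteration after func() has already consumed the others. Stopping at the first failure keeps the return value truthful: `kerr = ipadb_parse_pwd_policy_entry(ipactx, lentry, &policy);` / `if (kerr != 0) break;` / `func(data, policy);`, with ipadb_free_pwd_policy(kcontext, policy) then only on the success path. match_entry reaches ipadb_filter_escape with exact set to false, which — if that flag is what keeps `*` unescaped, as the naming suggests — is deliberate so that kadmin globs become LDAP wildcards; a one-line comment saying so would stop the next reader from taking it for a missing escape. The function's signature starts just above the hunk.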