From 2392ccb4ff9f0310512a6313240749900567d831 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Thu, 30 Jan 2014 16:58:25 +0100
Subject: [PATCH] Fallback to global policy in ipa-lockout plugin
krbPwdPolicyReference is no longer filled in for default users. Instead,
plugins fall back to a hardcoded global policy reference.
Fix the ipa-lockout plugin to fall back to it as well, instead of failing
to apply the policy.
https://fedorahosted.org/freeipa/ticket/4085
---
.../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 34 ++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
index fd6602fdee9b2fd95c154fd512fcba4f37e56bad..5a24359d319aaea28773daa01d268d2d46583270 100644
--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
@@ -49,6 +49,7 @@
#include <time.h>
#include "slapi-plugin.h"
#include "nspr.h"
+#include <krb5.h>
#include "util.h"
@@ -81,6 +82,8 @@ static int g_plugin_started = 0;
static struct ipa_context *global_ipactx = NULL;
+static char *ipa_global_policy = NULL;
+
#define GENERALIZED_TIME_LENGTH 15
/**
@@ -142,8 +145,11 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
Slapi_Attr *attr = NULL;
char *dn = NULL;
char *basedn = NULL;
+ char *realm = NULL;
Slapi_DN *sdn;
Slapi_Entry *config_entry;
+ krb5_context krbctx = NULL;
+ krb5_error_code krberr;
int ret;
/* Get cn=config so we can get the default naming context */
@@ -167,6 +173,28 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
goto done;
}
+ krberr = krb5_init_context(&krbctx);
+ if (krberr) {
+ LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ krberr = krb5_get_default_realm(krbctx, &realm);
+ if (krberr) {
+ LOG_FATAL("Failed to get default realm (%d)\n", krberr);
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
+ realm, basedn);
+ if (!ipa_global_policy) {
+ LOG_OOM();
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);
if (ret == -1) {
LOG_OOM();
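Review bot: The realm returned by `krb5_get_default_realm()` is formatted directly into the DN in `slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s", realm, basedn)` with no DN escaping or validation. The value comes from the host's Kerberos configuration, so this is a robustness point rather than an exposure. Still, a realm containing `,`, `+` or `=` would produce a DN that fails to parse or names a different entry, and the fallback policy lookup would then miss. Separately, `ipa_global_policy` is assigned without releasing a previous value, which is safe only if this function runs once per plugin start (presumably guarded by `g_plugin_started`, not visible here); `slapi_ch_free_string(&ipa_global_policy);` just before the assignment would remove that assumption. The function body starts and ends outside this hunk.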
@@ -221,6 +249,8 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
done:
if (config_entry)
slapi_entry_free(config_entry);
+ free(realm);
+ krb5_free_context(krbctx);
free(dn);
free(basedn);
return ret;
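Review bot: `free(realm)` releases a string obtained from `krb5_get_default_realm()` with the libc allocator, whereas the krb5 API pairs that call with `krb5_free_default_realm()`. The cleanup should read `krb5_free_default_realm(krbctx, realm);` and stay ahead of `krb5_free_context(krbctx);`, since the release needs the context. Plain `free()` probably works with the MIT implementation, but it relies on the library's allocator matching the plugin's. The rest of the function is outside this hunk.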
@@ -248,6 +278,8 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry, Slapi_Entry **policy_entry,
slapi_valueset_first_value(*values, &sv);
*policy_dn = slapi_value_get_string(sv);
}
+ } else {
+ *policy_dn = ipa_global_policy;
}
if (*policy_dn == NULL) {
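Review bot: The new `else` branch stores the plugin-owned global `ipa_global_policy` in `*policy_dn`, so callers now receive a pointer with a different owner and lifetime than the `slapi_value_get_string(sv)` result from the other branch. It must not be freed by the caller, and `ipalockout_close()` releases it, so a comment on the assignment such as `/* borrowed: owned by the plugin, freed in ipalockout_close() */` would make that explicit. The fallback also appears to cover only the case where the outer condition is false: if a policy reference is present but the inner branch yields no string, `*policy_dn` stays NULL and the global policy is not applied. If such accounts should still be subject to lockout, `if (*policy_dn == NULL) *policy_dn = ipa_global_policy;` placed after the block would cover both cases. Only part of `ipalockout_getpolicy` is visible in this hunk, so the exact nesting should be confirmed against the full file.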
@@ -376,6 +408,8 @@ ipalockout_close(Slapi_PBlock * pb)
{
LOG_TRACE( "--in-->\n");
+ slapi_ch_free_string(&ipa_global_policy);
+
LOG_TRACE("<--out--\n");
return EOK;
--
1.8.5.3