From 2392ccb4ff9f0310512a6313240749900567d831 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Thu, 30 Jan 2014 16:58:25 +0100
Subject: [PATCH] Fallback to global policy in ipa-lockout plugin
krbPwdPolicyReference is no longer filled for default users. Instead, plugins
fallback to hardcoded global policy reference.
Fix ipa-lockout plugin to fallback to it instead of failing to apply
the policy.
https://fedorahosted.org/freeipa/ticket/4085
---
.../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 34 ++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
index fd6602fdee9b2fd95c154fd512fcba4f37e56bad..5a24359d319aaea28773daa01d268d2d46583270 100644
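--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
@@ -49,6 +49,7 @@
 #include <time.h>
 #include "slapi-plugin.h"
 #include "nspr.h"
+#include <krb5.h>
 
 #include "util.h"
 
@@ -81,6 +82,8 @@ static int g_plugin_started = 0;
 
 static struct ipa_context *global_ipactx = NULL;
 
+static char *ipa_global_policy = NULL;
+
 #define GENERALIZED_TIME_LENGTH 15
 
 /**
@@ -142,8 +145,11 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
 Slapi_Attr *attr = NULL;
 char *dn = NULL;
 char *basedn = NULL;
+ char *realm = NULL;
 Slapi_DN *sdn;
 Slapi_Entry *config_entry;
+ krb5_context krbctx = NULL;
+ krb5_error_code krberr;
 int ret;
 
 /* Get cn=config so we can get the default naming context */
@@ -167,6 +173,28 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
 goto done;
 }
 
+ krberr = krb5_init_context(&krbctx);
+ if (krberr) {
+ LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ krberr = krb5_get_default_realm(krbctx, &realm;;
+ if (krberr) {
+ LOG_FATAL("Failed to get default realm (%d)\n", krberr);
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
+ realm, basedn);
+ if (!ipa_global_policy) {
+ LOG_OOM();
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
 ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);
 if (ret == -1) {
 LOG_OOM();
@@ -221,6 +249,8 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
 done:
 if (config_entry)
 slapi_entry_free(config_entry);
+ free(realm);
+ krb5_free_context(krbctx);
 free(dn);
 free(basedn);
 return ret;
@@ -248,6 +278,8 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry, Slapi_Entry **policy_entry,
 slapi_valueset_first_value(*values, &sv;;
 *policy_dn = slapi_value_get_string(sv);
 }
+ } else {
+ *policy_dn = ipa_global_policy;
 }
 
 if (*policy_dn == NULL) {
@@ -376,6 +408,8 @@ ipalockout_close(Slapi_PBlock * pb)
 {
 LOG_TRACE( "--in-->\n");
 
+ slapi_ch_free_string(&ipa_global_policy);
+
 LOG_TRACE("<--out--\n");
 
 return EOK;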
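Review bot: In the `done:` cleanup of ipalockout_get_global_config, `realm` comes from `krb5_get_default_realm()` but is released with plain `free(realm)`; the krb5 API pairs that call with `krb5_free_default_realm(krbctx, realm);`, which has to stay ahead of `krb5_free_context(krbctx);`. Both cleanup lines are also reached with `krbctx` still NULL when an earlier step jumps to `done:`, so it is worth confirming that the krb5 library in use tolerates a NULL context there. In ipalockout_getpolicy the new `else` branch makes `*policy_dn` borrow the plugin-global `ipa_global_policy`, which is NULL until the global config has loaded and again after ipalockout_close frees it; a comment such as `/* no krbPwdPolicyReference: borrow the global policy DN (plugin-owned, do not free) */` would make that ownership explicit. All three functions extend beyond the hunks shown.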
--
1.8.5.3