From 2392ccb4ff9f0310512a6313240749900567d831 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Thu, 30 Jan 2014 16:58:25 +0100
Subject: [PATCH] Fallback to global policy in ipa-lockout plugin
krbPwdPolicyReference is no longer filled default users. Instead, plugins fallback to hardcoded global policy reference. Fix ipa-lockout plugin to fallback to it instead of failing to apply the policy.
https://fedorahosted.org/freeipa/ticket/4085
---
 .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 34 ++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
index fd6602fdee9b2fd95c154fd512fcba4f37e56bad..5a24359d319aaea28773daa01d268d2d46583270 100644
--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
@@ -49,6 +49,7 @@
 #include
 #include "slapi-plugin.h"
 #include "nspr.h"
+#include
 #include "util.h"
@@ -81,6 +82,8 @@ static int g_plugin_started = 0;
 static struct ipa_context *global_ipactx = NULL;
+static char *ipa_global_policy = NULL;
+
 #define GENERALIZED_TIME_LENGTH 15
 /**
@@ -142,8 +145,11 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
 Slapi_Attr *attr = NULL;
 char *dn = NULL;
 char *basedn = NULL;
+ char *realm = NULL;
 Slapi_DN *sdn;
 Slapi_Entry *config_entry;
+ krb5_context krbctx = NULL;
+ krb5_error_code krberr;
 int ret;
 /* Get cn=config so we can get the default naming context */
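Review bot: `ipa_global_policy` is introduced in the `@@ -81,6 +82,8 @@` hunk as a file-scope pointer with no comment on who owns it or when it is valid. From the other hunks it is built in ipalockout_get_global_config(), read in ipalockout_getpolicy() and released in ipalockout_close(), so a comment above the declaration such as `/* DN of the realm-wide password policy used when an entry has no krbPwdPolicyReference; set at config load, freed in ipalockout_close() */` would record that. Whether an operation can still read the pointer while close is running is not visible in this patch and is worth confirming.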
@@ -167,6 +173,28 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
 goto done;
 }
+ krberr = krb5_init_context(&krbctx);
+ if (krberr) {
+ LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ krberr = krb5_get_default_realm(krbctx, &realm);
+ if (krberr) {
+ LOG_FATAL("Failed to get default realm (%d)\n", krberr);
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
+ realm, basedn);
+ if (!ipa_global_policy) {
+ LOG_OOM();
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
 ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);
 if (ret == -1) {
 LOG_OOM();
@@ -221,6 +249,8 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
 done:
 if (config_entry) slapi_entry_free(config_entry);
+ free(realm);
+ krb5_free_context(krbctx);
 free(dn);
 free(basedn);
 return ret;
@@ -248,6 +278,8 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry, Slapi_Entry **policy_entry,
 slapi_valueset_first_value(*values, &sv);
 *policy_dn = slapi_value_get_string(sv);
 }
+ } else {
+ *policy_dn = ipa_global_policy;
 }
 if (*policy_dn == NULL) {
@@ -376,6 +408,8 @@ ipalockout_close(Slapi_PBlock * pb)
 {
 LOG_TRACE( "--in-->\n");
+ slapi_ch_free_string(&ipa_global_policy);
+
 LOG_TRACE("<--out--\n");
 return EOK;
--
1.8.5.3
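Review bot: In the `@@ -167,6 +173,28 @@` hunk `ipa_global_policy` is assigned without releasing any earlier value. If ipalockout_get_global_config() can run more than once before ipalockout_close() (not visible here), the previous DN string leaks; calling `slapi_ch_free_string(&ipa_global_policy);` just before the `slapi_ch_smprintf` call makes the assignment safe to repeat. The realm is also formatted into `cn=%s` unescaped. It comes from the local Kerberos configuration, so this is a robustness point rather than an injection path, but a comment stating that the realm is assumed to contain no DN special characters would help. The function body starts and ends outside the hunk.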
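Review bot: In the `@@ -221,6 +249,8 @@` hunk the string returned by krb5_get_default_realm() is released with plain `free(realm)` instead of the matching library call, and `krb5_free_context(krbctx)` is reached with `krbctx == NULL` on every `goto done` taken before krb5_init_context(). Both depend on how the linked krb5 library behaves. Using `if (krbctx) { krb5_free_default_realm(krbctx, realm); krb5_free_context(krbctx); }` removes that dependency and keeps the realm release ahead of the context teardown. The `done:` label belongs to a function whose start is outside this hunk.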
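Review bot: In the `@@ -248,6 +278,8 @@` hunk the fallback is attached only to the `else` of the outer condition. The path where that condition holds but the inner block does not set `*policy_dn` therefore still reaches `if (*policy_dn == NULL)` without a policy; both conditions are outside the hunk, so this is inferred from the brace structure. If every entry without a krbPwdPolicyReference should get the global lockout policy, dropping the `else` and adding `if (*policy_dn == NULL) *policy_dn = ipa_global_policy;` ahead of the existing NULL check covers both paths. `*policy_dn` can now alias the plugin-owned global instead of a value owned by `*values`, so a comment saying callers must not free or modify it is worth adding.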