mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 23:50:03 -06:00
Allow admins to disable preauth for SPNs.
Some legacy softare is not able to properly cope with preauthentication, allow the admins to disable the requirement to use preauthentication for all Service Principal Names if they so desire. IPA Users are excluded, for users, which use password of lessere entrpy, preauthentication is always required by default. This setting does NOT override explicit policies set on service principals or in the global policy, it only affects the default. Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/3860 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
parent
de63e16922
commit
3e45c9be0a
2
API.txt
2
API.txt
@ -766,7 +766,7 @@ args: 0,25,3
|
||||
option: Str('addattr*', cli_name='addattr', exclude='webui')
|
||||
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
|
||||
option: Str('delattr*', cli_name='delattr', exclude='webui')
|
||||
option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
|
||||
option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs'))
|
||||
option: Str('ipadefaultemaildomain', attribute=True, autofill=False, cli_name='emaildomain', multivalue=False, required=False)
|
||||
option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
|
||||
option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='defaultgroup', multivalue=False, required=False)
|
||||
|
4
VERSION
4
VERSION
@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
|
||||
# #
|
||||
########################################################
|
||||
IPA_API_VERSION_MAJOR=2
|
||||
IPA_API_VERSION_MINOR=163
|
||||
# Last change: jcholast - replica install: add remote connection check over API
|
||||
IPA_API_VERSION_MINOR=164
|
||||
# Last change: simo - add optional string to disable preauth for SPNs
|
||||
|
@ -261,12 +261,13 @@ static int ipadb_load_global_config(struct ipadb_context *ipactx)
|
||||
vals[i]->bv_val, vals[i]->bv_len) == 0) {
|
||||
ipactx->config.disable_last_success = true;
|
||||
continue;
|
||||
}
|
||||
|
||||
if (strncasecmp("KDC:Disable Lockout",
|
||||
vals[i]->bv_val, vals[i]->bv_len) == 0) {
|
||||
} else if (strncasecmp("KDC:Disable Lockout",
|
||||
vals[i]->bv_val, vals[i]->bv_len) == 0) {
|
||||
ipactx->config.disable_lockout = true;
|
||||
continue;
|
||||
} else if (strncasecmp("KDC:Disable Default Preauth for SPNs",
|
||||
vals[i]->bv_val, vals[i]->bv_len) == 0) {
|
||||
ipactx->config.disable_preauth_for_spns = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -93,6 +93,7 @@ struct ipadb_global_config {
|
||||
bool disable_lockout;
|
||||
char **authz_data;
|
||||
enum ipadb_user_auth user_auth;
|
||||
bool disable_preauth_for_spns;
|
||||
};
|
||||
|
||||
struct ipadb_context {
|
||||
|
@ -921,6 +921,25 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
|
||||
krb5_db_entry *entry)
|
||||
{
|
||||
const struct ipadb_global_config *config;
|
||||
struct ipadb_e_data *ied;
|
||||
|
||||
config = ipadb_get_global_config(ipactx);
|
||||
if (config->disable_preauth_for_spns) {
|
||||
ied = (struct ipadb_e_data *)entry->e_data;
|
||||
if (ied && ied->ipa_user != true) {
|
||||
/* not a user, assume SPN */
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* By default require preauth for all principals */
|
||||
return KRB5_KDB_REQUIRES_PRE_AUTH;
|
||||
}
|
||||
|
||||
static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
|
||||
LDAPMessage *lentry,
|
||||
krb5_db_entry *entry,
|
||||
@ -991,7 +1010,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
|
||||
if (ret == 0) {
|
||||
entry->attributes |= result;
|
||||
} else {
|
||||
entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
|
||||
entry->attributes |= maybe_require_preauth(ipactx, entry);
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1007,7 +1026,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
|
||||
entry->max_renewable_life = 604800;
|
||||
}
|
||||
if (polmask & TKTFLAGS_BIT) {
|
||||
entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
|
||||
entry->attributes |= maybe_require_preauth(ipactx, entry);
|
||||
}
|
||||
|
||||
kerr = 0;
|
||||
|
@ -205,7 +205,8 @@ class config(LDAPObject):
|
||||
label=_('Password plugin features'),
|
||||
doc=_('Extra hashes to generate in password plug-in'),
|
||||
values=(u'AllowNThash',
|
||||
u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
|
||||
u'KDC:Disable Last Success', u'KDC:Disable Lockout',
|
||||
u'KDC:Disable Default Preauth for SPNs'),
|
||||
csv=True,
|
||||
),
|
||||
Str('ipaselinuxusermaporder',
|
||||
|
Loading…
Reference in New Issue
Block a user