Update krbExtraData too when changing passwords.

Fixes: https://fedorahosted.org/freeipa/ticket/937

daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

@@ -144,6 +144,7 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 	char *attrlist[] = {"*", "passwordHistory", NULL };
 	struct ipapwd_data pwdata;
 	int is_krb, is_smb;
+    char *principal = NULL;
 
 	/* Get the ber value of the extended operation */
 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
@@ -384,6 +385,14 @@ parse_req_done:
 
 	LOG_TRACE("<= result: %d\n", rc);
 
+    if (pwdata.changetype == IPA_CHANGETYPE_NORMAL) {
+        principal = slapi_entry_attr_get_charptr(pwdata.target,
+                                                 "krbPrincipalName");
+    } else {
+        principal = slapi_ch_smprintf("root/admin@%s", krbcfg->realm);
+    }
+    ipapwd_set_extradata(pwdata.dn, principal, pwdata.timeNow);
+
 	/* Free anything that we allocated above */
 free_and_return:
 	slapi_ch_free_string(&oldPasswd);
@@ -395,6 +404,7 @@ free_and_return:
 	slapi_ch_free_string(&dn);
 	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, NULL);
 	slapi_ch_free_string(&authmethod);
+    slapi_ch_free_string(&principal);
 
 	if (targetEntry) slapi_entry_free(targetEntry);
 	if (ber) ber_free(ber, 1);
@@ -884,6 +894,9 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 	}
 	slapi_mods_free(&smods);
 
+    ipapwd_set_extradata(slapi_entry_get_dn_const(targetEntry),
+                         serviceName, time_now);
+
 	/* Format of response
 	 *
 	 * KeytabGetRequest ::= SEQUENCE {

daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h

@@ -129,6 +129,9 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
 Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods,
                                         struct ipapwd_data *data);
 int ipapwd_apply_mods(const char *dn, Slapi_Mods *mods);
+int ipapwd_set_extradata(const char *dn,
+                         const char *principal,
+                         time_t unixtime);
 void ipapwd_free_slapi_value_array(Slapi_Value ***svals);
 void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg);
 

daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c

@@ -1230,6 +1230,7 @@ free_and_return:
     return ret;
 }
 
+
 Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods,
                                         struct ipapwd_data *data)
 {
@@ -1383,6 +1384,63 @@ int ipapwd_apply_mods(const char *dn, Slapi_Mods *mods)
     return ret;
 }
 
+int ipapwd_set_extradata(const char *dn,
+                         const char *principal,
+                         time_t unixtime)
+{
+    Slapi_Mods *smods;
+    Slapi_Value *va[3] = { NULL };
+    struct berval bv;
+    char mkvno[4] = { 0x00, 0x08, 0x01, 0x00 };
+    char *xdata;
+    int xd_len;
+    int p_len;
+    int ret;
+
+    p_len = strlen(principal);
+    xd_len = 2 + 4 + p_len + 1;
+    xdata = malloc(xd_len);
+    if (!xdata) {
+        return LDAP_OPERATIONS_ERROR;
+    }
+
+    smods = slapi_mods_new();
+
+    /* always append a master key kvno of 1 for now */
+    bv.bv_val = mkvno;
+    bv.bv_len = 4;
+    va[0] = slapi_value_new_berval(&bv);
+
+    /* data type id */
+    xdata[0] = 0x00;
+    xdata[1] = 0x02;
+
+    /* unix timestamp in Little Endian */
+    xdata[2] = unixtime & 0xff;
+    xdata[3] = (unixtime & 0xff00) >> 8;
+    xdata[4] = (unixtime & 0xff0000) >> 16;
+    xdata[5] = (unixtime & 0xff000000) >> 24;
+
+    /* append the principal name */
+    strncpy(&xdata[6], principal, p_len);
+
+    xdata[xd_len -1] = 0;
+
+    bv.bv_val = xdata;
+    bv.bv_len = xd_len;
+    va[1] = slapi_value_new_berval(&bv);
+
+    slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE, "krbExtraData", va);
+
+    ret = ipapwd_apply_mods(dn, smods);
+
+    slapi_value_free(&va[1]);
+    slapi_value_free(&va[0]);
+    slapi_mods_free(&smods);
+
+    return ret;
+}
+
 void ipapwd_free_slapi_value_array(Slapi_Value ***svals)
 {
     Slapi_Value **sv = *svals;

daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c

@@ -786,6 +786,9 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
     struct tm utctime;
     char timestr[GENERALIZED_TIME_LENGTH+1];
     int ret;
+    char *errMsg = "Internal operations error\n";
+    struct ipapwd_krbcfg *krbcfg = NULL;
+    char *principal = NULL;
 
     LOG_TRACE("=>\n");
 
@@ -812,6 +815,12 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
         return 0;
     }
 
+    ret = ipapwd_gen_checks(pb, &errMsg, &krbcfg, 0);
+    if (ret != 0) {
+        LOG_FATAL("ipapwd_gen_checks failed!?\n");
+        return 0;
+    }
+
     /* prepare changes that can be made only as root */
     smods = slapi_mods_new();
 
@@ -860,9 +869,19 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
     if (ret)
         LOG("Failed to set additional password attributes in the post-op!\n");
 
+    if (pwdop->pwdata.changetype == IPA_CHANGETYPE_NORMAL) {
+        principal = slapi_entry_attr_get_charptr(pwdop->pwdata.target,
+                                                 "krbPrincipalName");
+    } else {
+        principal = slapi_ch_smprintf("root/admin@%s", krbcfg->realm);
+    }
+    ipapwd_set_extradata(pwdop->pwdata.dn, principal, pwdop->pwdata.timeNow);
+
 done:
     if (pwdop && pwdop->pwdata.target) slapi_entry_free(pwdop->pwdata.target);
     slapi_mods_free(&smods);
+    slapi_ch_free_string(&principal);
+    free_ipapwd_krbcfg(&krbcfg);
     return 0;
 }