Pass the user to the password policy check in the kdb driver

If the entry contains a uid then pass that into the policy checker for the usercheck policy check. https://pagure.io/freeipa/issue/6964 https://pagure.io/freeipa/issue/5948 https://pagure.io/freeipa/issue/2445 https://pagure.io/freeipa/issue/298 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-09-24 22:39:36 -04:00 · 2020-09-24 22:39:36 -04:00 · 6da070e655
commit 6da070e655
parent 46d0096218
4 changed files with 64 additions and 1 deletions
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@ -149,6 +149,7 @@ struct ipadb_e_data {
    bool ipa_user;
    char *entry_dn;
    char *passwd;
+    char *user;
    time_t last_pwd_change;
    char *pw_policy_dn;
    char **pw_history;
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@ -53,6 +53,25 @@ static krb5_error_code ipapwd_error_to_kerr(krb5_context context,
        kerr = KADM5_PASS_Q_CLASS;
        krb5_set_error_message(context, kerr, "Password is too simple");
        break;
+    case IPAPWD_POLICY_PWD_CONSECUTIVE:
+        kerr = KADM5_PASS_Q_GENERIC;
+        krb5_set_error_message(context, kerr, "Password has repeating characters");
+        break;
+    case IPAPWD_POLICY_PWD_SEQUENCE:
+        kerr = KADM5_PASS_Q_GENERIC;
+        krb5_set_error_message(context, kerr, "Password contains a monotonic sequence");
+    case IPAPWD_POLICY_PWD_PALINDROME:
+        kerr = KADM5_PASS_Q_GENERIC;
+        krb5_set_error_message(context, kerr, "Password is a palindrome");
+        break;
+    case IPAPWD_POLICY_PWD_USER:
+        kerr = KADM5_PASS_Q_GENERIC;
+        krb5_set_error_message(context, kerr, "Password contains the user name");
+        break;
+    case IPAPWD_POLICY_PWD_DICT_WORD:
+        kerr = KADM5_PASS_Q_DICT;
+        krb5_set_error_message(context, kerr, "Password contains dictionary words");
+        break;
    default:
        kerr = KADM5_PASS_Q_GENERIC;
        break;
@ -95,7 +114,7 @@ static krb5_error_code ipadb_check_pw_policy(krb5_context context,
    if (kerr != 0) {
        return kerr;
    }
-    ret = ipapwd_check_policy(ied->pol, passwd, time(NULL),
+    ret = ipapwd_check_policy(ied->pol, passwd, ied->user, time(NULL),
                              db_entry->expiration,
                              db_entry->pw_expiration,
                              ied->last_pwd_change,
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@ -74,6 +74,7 @@ static char *std_principal_attrs[] = {
    "krbMaxRenewableAge",

    /* IPA SPECIFIC ATTRIBUTES */
+    "uid",
    "nsaccountlock",
    "passwordHistory",
    IPA_KRB_AUTHZ_DATA_ATTR,
@ -589,6 +590,7 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
    krb5_kvno mkvno = 0;
    char **restrlist;
    char *restring;
+    char *uidstring;
    char **authz_data_list;
    krb5_timestamp restime;
    bool resbool;
@ -839,6 +841,13 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
    }
    if (ret == 0) {
        ied->ipa_user = true;
+        ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+                                     "uid", &uidstring);
+        if (ret != 0 && ret != ENOENT) {
+            kerr = ret;
+            goto done;
+        }
+        ied->user = uidstring;
    }

    /* check if it has the krbTicketPolicyAux objectclass */
@ -1551,6 +1560,7 @@ void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
    if (ied->magic == IPA_E_DATA_MAGIC) {
 	ldap_memfree(ied->entry_dn);
 	free(ied->passwd);
+	free(ied->user);
 	free(ied->pw_policy_dn);
 	for (i = 0; ied->pw_history && ied->pw_history[i]; i++) {
 	    free(ied->pw_history[i]);
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@ -34,6 +34,10 @@ char *std_pwdpolicy_attrs[] = {
    "krbpwdmaxfailure",
    "krbpwdfailurecountinterval",
    "krbpwdlockoutduration",
+    "ipapwdmaxrepeat",
+    "ipapwdmaxsequence",
+    "ipapwddictcheck",
+    "ipapwdusercheck",

    NULL
 };
@ -47,6 +51,7 @@ krb5_error_code ipadb_get_ipapwd_policy(struct ipadb_context *ipactx,
    LDAPMessage *res = NULL;
    LDAPMessage *lentry;
    uint32_t result;
+    bool resbool;
    int ret;

    pol = calloc(1, sizeof(struct ipapwd_policy));
@ -117,6 +122,34 @@ krb5_error_code ipadb_get_ipapwd_policy(struct ipadb_context *ipactx,
        pol->lockout_duration = result;
    }

+    ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+                                    "ipaPwdMaxRepeat", &result);
+    if (ret == 0) {
+        pol->max_repeat = result;
+    }
+
+    ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
+                                    "ipaPwdMaxSequence", &result);
+    if (ret == 0) {
+        pol->max_sequence = result;
+    }
+
+    ret = ipadb_ldap_attr_to_bool(ipactx->lcontext, lentry,
+                                  "ipaPwdDictCheck", &resbool);
+    if (ret == 0 && resbool == true) {
+        pol->dictcheck = 1;
+    }
+
+    ret = ipadb_ldap_attr_to_bool(ipactx->lcontext, lentry,
+                                  "ipaPwdUserCheck", &resbool);
+    if (ret == 0 && resbool == true) {
+        pol->usercheck = 1;
+    }
+
+    if (ret == 0) {
+        pol->max_sequence = result;
+    }
+
    *_pol = pol;

 done: