IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Pass the user to the password policy check in the kdb driver

Browse Source 
If the entry contains a uid then pass that into the policy checker
for the usercheck policy check.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
Rob Crittenden 2020-09-24 22:39:36 -04:00
parent 46d0096218
commit 6da070e655
4 changed files with 64 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
daemons/ipa-kdb/ipa_kdb.h
View File

@ -149,6 +149,7 @@ struct ipadb_e_data {
bool ipa_user; bool ipa_user;
char *entry_dn; char *entry_dn;
char *passwd; char *passwd;
char *user;
time_t last_pwd_change; time_t last_pwd_change;
char *pw_policy_dn; char *pw_policy_dn;
char **pw_history; char **pw_history;

21
daemons/ipa-kdb/ipa_kdb_passwords.c
View File

@ -53,6 +53,25 @@ static krb5_error_code ipapwd_error_to_kerr(krb5_context context,
kerr = KADM5_PASS_Q_CLASS; kerr = KADM5_PASS_Q_CLASS;
krb5_set_error_message(context, kerr, "Password is too simple"); krb5_set_error_message(context, kerr, "Password is too simple");
break; break;
case IPAPWD_POLICY_PWD_CONSECUTIVE:
kerr = KADM5_PASS_Q_GENERIC;
krb5_set_error_message(context, kerr, "Password has repeating characters");
break;
case IPAPWD_POLICY_PWD_SEQUENCE:
kerr = KADM5_PASS_Q_GENERIC;
krb5_set_error_message(context, kerr, "Password contains a monotonic sequence");
case IPAPWD_POLICY_PWD_PALINDROME:
kerr = KADM5_PASS_Q_GENERIC;
krb5_set_error_message(context, kerr, "Password is a palindrome");
break;
case IPAPWD_POLICY_PWD_USER:
kerr = KADM5_PASS_Q_GENERIC;
krb5_set_error_message(context, kerr, "Password contains the user name");
break;
case IPAPWD_POLICY_PWD_DICT_WORD:
kerr = KADM5_PASS_Q_DICT;
krb5_set_error_message(context, kerr, "Password contains dictionary words");
break;
default: default:
kerr = KADM5_PASS_Q_GENERIC; kerr = KADM5_PASS_Q_GENERIC;
break; break;
@ -95,7 +114,7 @@ static krb5_error_code ipadb_check_pw_policy(krb5_context context,
if (kerr != 0) { if (kerr != 0) {
return kerr; return kerr;
} }
ret = ipapwd_check_policy(ied->pol, passwd, time(NULL), ret = ipapwd_check_policy(ied->pol, passwd, ied->user, time(NULL),
db_entry->expiration, db_entry->expiration,
db_entry->pw_expiration, db_entry->pw_expiration,
ied->last_pwd_change, ied->last_pwd_change,

10
daemons/ipa-kdb/ipa_kdb_principals.c
View File

@ -74,6 +74,7 @@ static char *std_principal_attrs[] = {
"krbMaxRenewableAge", "krbMaxRenewableAge",
/* IPA SPECIFIC ATTRIBUTES */ /* IPA SPECIFIC ATTRIBUTES */
"uid",
"nsaccountlock", "nsaccountlock",
"passwordHistory", "passwordHistory",
IPA_KRB_AUTHZ_DATA_ATTR, IPA_KRB_AUTHZ_DATA_ATTR,
@ -589,6 +590,7 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
krb5_kvno mkvno = 0; krb5_kvno mkvno = 0;
char **restrlist; char **restrlist;
char *restring; char *restring;
char *uidstring;
char **authz_data_list; char **authz_data_list;
krb5_timestamp restime; krb5_timestamp restime;
bool resbool; bool resbool;
@ -839,6 +841,13 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
} }
if (ret == 0) { if (ret == 0) {
ied->ipa_user = true; ied->ipa_user = true;
ret = ipadb_ldap_attr_to_str(lcontext, lentry,
"uid", &uidstring);
if (ret != 0 && ret != ENOENT) {
kerr = ret;
goto done;
}
ied->user = uidstring;
} }
/* check if it has the krbTicketPolicyAux objectclass */ /* check if it has the krbTicketPolicyAux objectclass */
@ -1551,6 +1560,7 @@ void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
if (ied->magic == IPA_E_DATA_MAGIC) { if (ied->magic == IPA_E_DATA_MAGIC) {
ldap_memfree(ied->entry_dn); ldap_memfree(ied->entry_dn);
free(ied->passwd); free(ied->passwd);
free(ied->user);
free(ied->pw_policy_dn); free(ied->pw_policy_dn);
for (i = 0; ied->pw_history && ied->pw_history[i]; i++) { for (i = 0; ied->pw_history && ied->pw_history[i]; i++) {
free(ied->pw_history[i]); free(ied->pw_history[i]);

33
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
View File

@ -34,6 +34,10 @@ char *std_pwdpolicy_attrs[] = {
"krbpwdmaxfailure", "krbpwdmaxfailure",
"krbpwdfailurecountinterval", "krbpwdfailurecountinterval",
"krbpwdlockoutduration", "krbpwdlockoutduration",
"ipapwdmaxrepeat",
"ipapwdmaxsequence",
"ipapwddictcheck",
"ipapwdusercheck",
NULL NULL
}; };
@ -47,6 +51,7 @@ krb5_error_code ipadb_get_ipapwd_policy(struct ipadb_context *ipactx,
LDAPMessage *res = NULL; LDAPMessage *res = NULL;
LDAPMessage *lentry; LDAPMessage *lentry;
uint32_t result; uint32_t result;
bool resbool;
int ret; int ret;
pol = calloc(1, sizeof(struct ipapwd_policy)); pol = calloc(1, sizeof(struct ipapwd_policy));
@ -117,6 +122,34 @@ krb5_error_code ipadb_get_ipapwd_policy(struct ipadb_context *ipactx,
pol->lockout_duration = result; pol->lockout_duration = result;
} }
ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
"ipaPwdMaxRepeat", &result);
if (ret == 0) {
pol->max_repeat = result;
}
ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
"ipaPwdMaxSequence", &result);
if (ret == 0) {
pol->max_sequence = result;
}
ret = ipadb_ldap_attr_to_bool(ipactx->lcontext, lentry,
"ipaPwdDictCheck", &resbool);
if (ret == 0 && resbool == true) {
pol->dictcheck = 1;
}
ret = ipadb_ldap_attr_to_bool(ipactx->lcontext, lentry,
"ipaPwdUserCheck", &resbool);
if (ret == 0 && resbool == true) {
pol->usercheck = 1;
}
if (ret == 0) {
pol->max_sequence = result;
}
*_pol = pol; *_pol = pol;
done: done: