policy: add function to check lockout policy

Fixes: https://fedorahosted.org/freeipa/ticket/2393
2025-02-25 18:55:28 -06:00 · 2012-02-17 11:45:56 -05:00 · 2012-02-17 11:45:56 -05:00 · 9942a29cab
commit 9942a29cab
parent ffd39503c1
3 changed files with 62 additions and 1 deletions
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@ -454,7 +454,7 @@ kdb_vftabl kdb_function_table = {
    NULL,                               /* encrypt_key_data */
    ipadb_sign_authdata,                /* sign_authdata */
    NULL,                               /* check_transited_realms */
-    NULL,                               /* check_policy_as */
+    ipadb_check_policy_as,              /* check_policy_as */
    NULL,                               /* check_policy_tgs */
    ipadb_audit_as_req,                 /* audit_as_req */
    NULL,                               /* refresh_config */
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@ -185,6 +185,14 @@ krb5_error_code ipadb_delete_pwd_policy(krb5_context kcontext,
                                        char *policy);
 void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val);
 krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
                                      krb5_kdc_req *request,
                                      krb5_db_entry *client,
                                      krb5_db_entry *server,
                                      krb5_timestamp kdc_time,
                                      const char **status,
                                      krb5_pa_data ***e_data);
 /* MASTER KEY FUNCTIONS */
 krb5_error_code ipadb_fetch_master_key(krb5_context kcontext,
                                       krb5_principal mname,
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@ -275,3 +275,56 @@ void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val)
    }
 }
 krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
                                      krb5_kdc_req *request,
                                      krb5_db_entry *client,
                                      krb5_db_entry *server,
                                      krb5_timestamp kdc_time,
                                      const char **status,
                                      krb5_pa_data ***e_data)
 {
    struct ipadb_context *ipactx;
    struct ipadb_e_data *ied;
    krb5_error_code kerr;
    if (!client) {
        return ENOENT;
    }
    ipactx = ipadb_get_context(kcontext);
    if (!ipactx) {
        return EINVAL;
    }
    ied = (struct ipadb_e_data *)client->e_data;
    if (!ied) {
        return EINVAL;
    }
    if (!ied->pol) {
        kerr = ipadb_get_ipapwd_policy(ipactx, ied->pw_policy_dn, &ied->pol);
        if (kerr != 0) {
            return kerr;
        }
    }
    if (client->last_failed <= ied->last_admin_unlock) {
        /* admin unlocked the account */
        return 0;
    }
    if (ied->pol->max_fail == 0 ||
        client->fail_auth_count < ied->pol->max_fail) {
        /* still within allowed failures range */
        return 0;
    }
    if (ied->pol->lockout_duration == 0 ||
        client->last_failed + ied->pol->lockout_duration > kdc_time) {
        /* ok client permanently locked, or within lockout period */
        *status = "LOCKED_OUT";
        return KRB5KDC_ERR_CLIENT_REVOKED;
    }
    return 0;
 }