IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Don't set krbLastPwdChange when setting a host OTP password.

Browse Source 
We have no visibility into whether an entry has a keytab or not so
krbLastPwdChange is used as a rough guide.

If this value exists during enrollment then it fails because the host
is considered already joined. This was getting set when a OTP was
added to a host that had already been enrolled (e.g. you enroll a host,
unenroll it, set a OTP, then try to re-enroll). The second enrollment
was failing because the enrollment plugin thought it was still
enrolled becaused krbLastPwdChange was set.

https://fedorahosted.org/freeipa/ticket/1357
This commit is contained in:
Rob Crittenden 2011-06-28 13:09:18 -04:00
parent e5a5c781f9
commit a00b03831b
3 changed files with 70 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
View File

@ -141,6 +141,7 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
struct berval *extop_value = NULL;
BerElement *ber = NULL;
Slapi_Entry *targetEntry=NULL;
Slapi_Value *objectclass=NULL;
char *attrlist[] = {"*", "passwordHistory", NULL };
struct ipapwd_data pwdata;
int is_krb, is_smb;
@ -288,6 +289,14 @@ parse_req_done:
goto free_and_return;
}
/* When setting the password for host principals do not set kerberos
* keys */
objectclass = slapi_value_new_string("ipaHost");
if ((slapi_entry_attr_has_syntax_value(targetEntry, SLAPI_ATTR_OBJECTCLASS, objectclass)) == 1) {
is_krb = 0;
}
slapi_value_free(&objectclass);
/* First thing to do is to ask access control if the bound identity has
* rights to modify the userpassword attribute on this entry. If not,
* then we fail immediately with insufficient access. This means that

14
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
View File

@ -1120,7 +1120,9 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
char *lm = NULL;
char *nt = NULL;
int is_smb = 0;
int is_host = 0;
Slapi_Value *sambaSamAccount;
Slapi_Value *ipaHost;
char *errMesg = NULL;
char *modtime = NULL;
@ -1133,6 +1135,13 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
}
slapi_value_free(&sambaSamAccount);
ipaHost = slapi_value_new_string("ipaHost");
if (slapi_entry_attr_has_syntax_value(data->target,
"objectClass", ipaHost)) {
is_host = 1;
}
slapi_value_free(&ipaHost);
ret = ipapwd_gen_hashes(krbcfg, data,
data->password,
is_krb, is_smb,
@ -1147,6 +1156,10 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE,
"krbPrincipalKey", svals);
/* krbLastPwdChange is used to tell whether a host entry has a
* keytab so don't set it on hosts.
*/
if (!is_host) {
/* change Last Password Change field with the current date */
if (!gmtime_r(&(data->timeNow), &utctime)) {
LOG_FATAL("failed to retrieve current date (buggy gmtime_r ?)\n");
@ -1169,6 +1182,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"krbPasswordExpiration", timestr);
}
}
if (lm) {
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,

50
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
View File

@ -793,6 +793,7 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
char *errMsg = "Internal operations error\n";
struct ipapwd_krbcfg *krbcfg = NULL;
char *principal = NULL;
Slapi_Value *ipahost;
LOG_TRACE("=>\n");
@ -828,26 +829,6 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
/* prepare changes that can be made only as root */
smods = slapi_mods_new();
/* change Last Password Change field with the current date */
if (!gmtime_r(&(pwdop->pwdata.timeNow), &utctime)) {
LOG_FATAL("failed to parse current date (buggy gmtime_r ?)\n");
goto done;
}
strftime(timestr, GENERALIZED_TIME_LENGTH+1,
"%Y%m%d%H%M%SZ", &utctime);
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"krbLastPwdChange", timestr);
/* set Password Expiration date */
if (!gmtime_r(&(pwdop->pwdata.expireTime), &utctime)) {
LOG_FATAL("failed to parse expiration date (buggy gmtime_r ?)\n");
goto done;
}
strftime(timestr, GENERALIZED_TIME_LENGTH+1,
"%Y%m%d%H%M%SZ", &utctime);
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"krbPasswordExpiration", timestr);
/* This was a mod operation on an existing entry, make sure we also update
* the password history based on the entry we saved from the pre-op */
if (IPAPWD_OP_MOD == pwdop->pwd_op) {
@ -869,6 +850,35 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
}
}
/* set Password Expiration date */
if (!gmtime_r(&(pwdop->pwdata.expireTime), &utctime)) {
LOG_FATAL("failed to parse expiration date (buggy gmtime_r ?)\n");
goto done;
}
strftime(timestr, GENERALIZED_TIME_LENGTH+1,
"%Y%m%d%H%M%SZ", &utctime);
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"krbPasswordExpiration", timestr);
/* Don't set a last password change password on host passwords. This
* attribute is used to tell whether we have a valid keytab. If we
* set it on userPassword it confuses enrollment.
*/
ipahost = slapi_value_new_string("ipaHost");
if (!pwdop->pwdata.target || (slapi_entry_attr_has_syntax_value(pwdop->pwdata.target, SLAPI_ATTR_OBJECTCLASS, ipahost)) == 0) {
/* change Last Password Change field with the current date */
if (!gmtime_r(&(pwdop->pwdata.timeNow), &utctime)) {
LOG_FATAL("failed to parse current date (buggy gmtime_r ?)\n");
slapi_value_free(&ipahost);
goto done;
}
strftime(timestr, GENERALIZED_TIME_LENGTH+1,
"%Y%m%d%H%M%SZ", &utctime);
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"krbLastPwdChange", timestr);
}
slapi_value_free(&ipahost);
ret = ipapwd_apply_mods(pwdop->pwdata.dn, smods);
if (ret)
LOG("Failed to set additional password attributes in the post-op!\n");