IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Don't try to convert a host's password into a keytab.

Browse Source 
The migration plugin uses a pre-op function to automatically create
kerberos credentials when binding using a password.

The problem is that we do a simple bind when doing password-base
host enrollment. This was causing krbPasswordExpiration to be set
which isn't what we want for hosts. They really shouldn't go through
this code at all.
This commit is contained in:
Rob Crittenden 2010-06-11 16:12:29 -04:00
parent e036283fbb
commit c5bdfc7193
1 changed files with 15 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
View File

@ -2168,7 +2168,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
char timestr[GENERALIZED_TIME_LENGTH+1];
time_t time_now = time(NULL);
char *pw = NULL;
char *krbPrincipalName = NULL;
Slapi_Value *objectclass;
svals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *));
if (!svals) {
@ -2587,8 +2587,9 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
* the userPassword attribute if it exists
*/
pw = slapi_entry_attr_get_charptr(targetEntry, "userPassword");
krbPrincipalName = slapi_entry_attr_get_charptr(targetEntry, "krbPrincipalName");
if ((strncmp(krbPrincipalName, "host/", 5) == 0)) {
objectclass = slapi_value_new_string("ipaHost");
if ((slapi_entry_attr_has_syntax_value(targetEntry, SLAPI_ATTR_OBJECTCLASS, objectclass)) == 1)
{
char * krbLastPwdChange = slapi_entry_attr_get_charptr(targetEntry, "krbLastPwdChange");
char * enrolledBy = slapi_entry_attr_get_charptr(targetEntry, "enrolledBy");
if (NULL == enrolledBy) {
@ -2604,9 +2605,9 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
"Removing userPassword from host entry\n");
slapi_ch_free_string(&pw);
}
slapi_ch_free_string(&krbLastPwdChange);
slapi_value_free(&objectclass);
}
slapi_ch_free_string(&krbPrincipalName);
slapi_value_free(&objectclass);
/* commit changes */
ret = ipapwd_apply_mods(slapi_entry_get_dn_const(targetEntry), smods);
@ -3280,6 +3281,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
char *errMesg = "Internal operations error\n"; /* error message */
char *expire = NULL; /* passwordExpirationTime attribute value */
char *dn = NULL; /* bind DN */
Slapi_Value *objectclass;
int method; /* authentication method */
int ret = 0;
@ -3322,6 +3324,14 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
goto done;
}
/* we aren't interested in host principals */
objectclass = slapi_value_new_string("ipaHost");
if ((slapi_entry_attr_has_syntax_value(entry, SLAPI_ATTR_OBJECTCLASS, objectclass)) == 1) {
slapi_value_free(&objectclass);
goto done;
}
slapi_value_free(&objectclass);
/* check the krbPrincipalKey attribute is NOT present */
ret = slapi_entry_attr_find(entry, "krbprincipalkey", &attr);
if (!ret) {