From krb5-bugs-incoming-bounces@PCH.MIT.EDU Thu Feb 7 20:06:04 2008
Date: Thu, 7 Feb 2008 18:57:51 -0600
From: Will Fiveash To: krb5-bugs@mit.edu Message-ID: <20080208005751.GB1209@sun.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-send-pr-version: 3.99 User-Agent: Mutt/1.5.11 X-Spam-Score: 2.29 X-Spam-Level: ** (2.29) X-Spam-Flag: NO X-Scanned-By: MIMEDefang 2.42 X-BeenThere: krb5-bugs-incoming@mailman.mit.edu X-Mailman-Version: 2.1.6 Precedence: list Sender: krb5-bugs-incoming-bounces@PCH.MIT.EDU Errors-To: krb5-bugs-incoming-bounces@PCH.MIT.EDU >Submitter-Id: net >Originator: William Fiveash >Organization: Sun Microsystems >Confidential: no >Synopsis: password history doesn't work with LDAP KDB >Severity: serious >Priority: medium >Category: krb5-kdc >Class: sw-bug >Release: krb5-1.6.3 >Environment: System: SunOS alton 5.11 snv_82 i86pc i386 i86pc Architecture: i86pc >Description: The LDAP KDB plugin is not storing password/key history. This in turn disables the functionality of policy history (limiting reuse of a password). >How-To-Repeat: >Fix: Here's the fix that works for me: Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c =================================================================== --- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c (revision 20223) +++ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c (working copy) @@ -966,9 +966,13 @@ #ifdef SECURID || ptr->tl_data_type == KRB5_TL_DB_ARGS #endif - || ptr->tl_data_type == KRB5_TL_KADM_DATA || ptr->tl_data_type == KDB_TL_USER_INFO) continue; + + /* want to store key history */ + if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST) + continue; + count++; } if (count != 0) { 
@@ -986,9 +990,13 @@ #ifdef SECURID || ptr->tl_data_type == KRB5_TL_DB_ARGS #endif - || ptr->tl_data_type == KRB5_TL_KADM_DATA || ptr->tl_data_type == KDB_TL_USER_INFO) continue; + + /* want to store key history */ + if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST) + continue; + if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0) break; j++; Index: src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c =================================================================== --- src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c (revision 20223) +++ src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c (working copy) @@ -200,9 +200,10 @@ } krb5_error_code -krb5_update_tl_kadm_data(policy_dn, new_tl_data) +krb5_update_tl_kadm_data(policy_dn, new_tl_data, old_tl_data) char * policy_dn; krb5_tl_data * new_tl_data; + krb5_tl_data * old_tl_data; { XDR xdrs; osa_princ_ent_t princ_entry; @@ -211,8 +212,25 @@ return ENOMEM; memset(princ_entry, 0, sizeof(osa_princ_ent_rec)); - princ_entry->admin_history_kvno = 2; princ_entry->aux_attributes = KADM5_POLICY; + + /* adding support for key history in LDAP KDB */ + if (old_tl_data != NULL) { + /* get the key history from the old tl_data */ + xdrmem_create(&xdrs, (caddr_t)old_tl_data->tl_data_contents, + old_tl_data->tl_data_length, XDR_DECODE); + if (! ldap_xdr_osa_princ_ent_rec(&xdrs, princ_entry)) { + xdr_destroy(&xdrs); + free(princ_entry); + return(KADM5_XDR_FAILURE); + } + xdr_destroy(&xdrs); + /* will set the policy field further down, avoid mem leak */ + free(princ_entry->policy); + } else { + princ_entry->admin_history_kvno = 2; + } + princ_entry->policy = policy_dn; xdralloc_create(&xdrs, XDR_ENCODE); Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c =================================================================== --- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (revision 20223) +++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (working copy) 
@@ -2042,7 +2042,7 @@ if ((st = krb5_ldap_policydn_to_name (context, pwdpolicydn, &polname)) != 0) goto cleanup; - if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data)) != 0) { + if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data, entry->tl_data)) != 0) { goto cleanup; } krb5_dbe_update_tl_data(context, entry, &kadm_tl_data); Index: src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h =================================================================== --- src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h (revision 20223) +++ src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h (working copy) @@ -56,6 +56,6 @@ krb5_lookup_tl_kadm_data(krb5_tl_data *tl_data, osa_princ_ent_rec *princ_entry); krb5_error_code -krb5_update_tl_kadm_data(char *, krb5_tl_data *); +krb5_update_tl_kadm_data(char *, krb5_tl_data *, krb5_tl_data *); #endif Index: src/lib/kadm5/srv/svr_principal.c =================================================================== --- src/lib/kadm5/srv/svr_principal.c (revision 20223) +++ src/lib/kadm5/srv/svr_principal.c (working copy) @@ -1442,7 +1442,10 @@ goto done; /* key data and attributes changed, let the database provider know */ - kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */; + if (hist_added == 1) + kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | KADM5_KEY_HIST /* | KADM5_CPW_FUNCTION */; + else + kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */; if ((ret = kdb_put_entry(handle, &kdb, &adb))) goto done; Index: src/lib/kadm5/admin.h =================================================================== --- src/lib/kadm5/admin.h (revision 20223) +++ src/lib/kadm5/admin.h (working copy) @@ -93,6 +93,7 @@ #define KADM5_RANDKEY_USED 0x100000 #endif #define KADM5_LOAD 0x200000 +#define KADM5_KEY_HIST 0x400000 /* all but KEY_DATA and TL_DATA */ #define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff --Boundary_(ID_/Jq+vC5GKwdVHvvesUN+3w)--
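Review bot: in the ldap_principal2.c @@ -966 hunk, `! entries->mask & KADM5_KEY_HIST` does not test the bit. `!` binds tighter than `&`, so the expression evaluates as `(!entries->mask) & 0x400000`, which is 0 for every mask value, and the `continue` never fires. The KRB5_TL_KADM_DATA record is therefore counted on every put regardless of the caller's mask, which is also why the patch appears to work. Write `!(entries->mask & KADM5_KEY_HIST)`.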
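Review bot: the ldap_principal2.c @@ -986 hunk repeats the predicate from the counting loop, including the same `! entries->mask & KADM5_KEY_HIST` precedence error. The two loops must agree exactly, since this one writes `ber_tl_data[j]` into storage that the `if (count != 0)` block presumably sizes from `count`; any divergence between the two predicates becomes a write past the end of that array. Pull the type test into one static helper (say, `tl_data_is_stored(entries, ptr)`), call it from both loops, and fix the parenthesization there once. It is also worth asking whether the caller's mask is the right gate at all: a put whose mask lacks KADM5_KEY_HIST (a plain modify of the principal, for instance) rebuilds this attribute without the existing history record, so if the attribute is written back as a replacement the history is lost on the next non-password change. Gating on the presence of a KRB5_TL_KADM_DATA record in the entry, independent of the mask, avoids that.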
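Review bot: the new `old_tl_data` parameter in the princ_xdr.c @@ -200 hunk needs its contract stated in a comment. The body decodes `old_tl_data->tl_data_contents` directly as an osa_princ_ent_rec, so the caller must pass the entry's existing KRB5_TL_KADM_DATA record (or NULL), not an arbitrary tl_data node and not the head of the list. Naming it `old_kadm_tl_data` and rejecting anything whose `tl_data_type != KRB5_TL_KADM_DATA` up front would make a misuse fail cleanly instead of producing a garbage history record.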
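Review bot: in the princ_xdr.c @@ -211 hunk, `princ_entry->aux_attributes = KADM5_POLICY` is assigned before the decode and then overwritten by `ldap_xdr_osa_princ_ent_rec`, which fills every field of princ_entry from the old record. If the stored record was written without KADM5_POLICY in aux_attributes, the policy_dn attached a few lines later belongs to an entry whose attributes say it has no policy, and the password policy is silently skipped. Move the assignment after the if/else as `princ_entry->aux_attributes |= KADM5_POLICY;`. Two smaller points on the same path: on decode failure, whatever the XDR routine already allocated (pw_history, policy) is leaked by the bare `free(princ_entry)`, so release it with the same XDR routine in XDR_FREE mode first; and the decode trusts `old_tl_data` without checking that its type is KRB5_TL_KADM_DATA.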
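Review bot: the ldap_misc.c @@ -2042 hunk passes `entry->tl_data`, the head of the entry's tl_data list, where `krb5_update_tl_kadm_data` expects the existing KRB5_TL_KADM_DATA record. The first node in that list can be any type that came out of krbExtraData (last password change, mod-princ, and so on), and its contents would then be XDR-decoded as an osa_princ_ent_rec, failing with KADM5_XDR_FAILURE at best and yielding a bogus history at worst. Look the record up by type first, for example `krb5_tl_data tl; tl.tl_data_type = KRB5_TL_KADM_DATA; krb5_dbe_lookup_tl_data(context, entry, &tl);` and pass `&tl` only when it was found (`tl.tl_data_length != 0`), otherwise NULL. The unchecked return of `krb5_dbe_update_tl_data` on the following line is pre-existing but worth picking up while here.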
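Review bot: in the svr_principal.c @@ -1442 hunk, the mask assignment is duplicated across the two branches; set `kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES;` once and follow it with `if (hist_added) kdb.mask |= KADM5_KEY_HIST;`. More importantly, the flag is raised only on this one put, where a history entry was just added, yet with the backend change in ldap_principal2.c the flag is what decides whether the KRB5_TL_KADM_DATA record is written at all. Every other kdb_put_entry of an entry that already carries history (modify, randkey, lockout bookkeeping, wherever those paths set kdb.mask) would need it too, or the LDAP store drops the history on the next unrelated update.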
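Review bot: the new `KADM5_KEY_HIST` bit in the admin.h hunk lands in a public header beside the principal-field masks with no comment. Since it is neither a field that API callers can set nor part of KADM5_PRINCIPAL_NORMAL_MASK, document it as a server-to-KDB-backend hint ("tl_data carries a key history record that must be persisted"), and confirm that 0x400000 does not collide with a mask bit defined elsewhere in the file, since only the neighbouring values are visible in this hunk.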