From krb5-bugs-incoming-bounces@PCH.MIT.EDU Thu Feb 7 20:06:04 2008
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.12.9) with ESMTP
id m18164HW003824; Thu, 7 Feb 2008 20:06:04 -0500 (EST)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id m1815xI2015097;
Thu, 7 Feb 2008 20:05:59 -0500
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
[18.7.7.76])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id m1815vtV015094
for <krb5-bugs-incoming@PCH.mit.edu>; Thu, 7 Feb 2008 20:05:57 -0500
Received: from mit.edu (W92-130-BARRACUDA-3.MIT.EDU [18.7.21.224])
by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id
m1815iam028397
for <krb5-bugs@mit.edu>; Thu, 7 Feb 2008 20:05:44 -0500 (EST)
Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22])
by mit.edu (Spam Firewall) with ESMTP id 895F0D944BF
for <krb5-bugs@mit.edu>; Thu, 7 Feb 2008 20:05:23 -0500 (EST)
Received: from dm-central-02.central.sun.com ([129.147.62.5])
by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id
m1815MRh018083 for <krb5-bugs@mit.edu>; Fri, 8 Feb 2008 01:05:22 GMT
Received: from alton.central.sun.com (alton.Central.Sun.COM [129.153.128.101])
by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,
v2.2) with ESMTP id m1815LWV006144
for <krb5-bugs@mit.edu>; Thu, 7 Feb 2008 18:05:22 -0700 (MST)
Received: from alton.central.sun.com (localhost [127.0.0.1])
by alton.central.sun.com (8.14.2+Sun/8.14.2) with ESMTP id
m180vqjr026039
for <krb5-bugs@mit.edu>; Thu, 7 Feb 2008 18:57:52 -0600 (CST)
Received: (from willf@localhost)
by alton.central.sun.com (8.14.2+Sun/8.14.2/Submit) id m180vp3s026038
for krb5-bugs@mit.edu; Thu, 7 Feb 2008 18:57:51 -0600 (CST)
X-Authentication-Warning: alton.central.sun.com: willf set sender to
William.Fiveash@sun.com using -f
Date: Thu, 7 Feb 2008 18:57:51 -0600
From: Will Fiveash <William.Fiveash@sun.com>
To: krb5-bugs@mit.edu
Message-ID: <20080208005751.GB1209@sun.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-send-pr-version: 3.99
User-Agent: Mutt/1.5.11
X-Spam-Score: 2.29
X-Spam-Level: ** (2.29)
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Sender: krb5-bugs-incoming-bounces@PCH.MIT.EDU
Errors-To: krb5-bugs-incoming-bounces@PCH.MIT.EDU
System: SunOS alton 5.11 snv_82 i86pc i386 i86pc
Architecture: i86pc
disables the functionality of policy history (limiting reuse of a password).
Here's the fix that works for me:
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c (revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c (working copy)
@@ -966,9 +966,13 @@
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
- || ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO)
continue;
+
+ /* want to store key history */
+ if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST)
+ continue;
+
count++;
}
if (count != 0) {
@@ -986,9 +990,13 @@
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
- || ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO)
continue;
+
+ /* want to store key history */
+ if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST)
+ continue;
+
if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
break;
j++;
Index: src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c (revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c (working copy)
@@ -200,9 +200,10 @@
}
krb5_error_code
-krb5_update_tl_kadm_data(policy_dn, new_tl_data)
+krb5_update_tl_kadm_data(policy_dn, new_tl_data, old_tl_data)
char * policy_dn;
krb5_tl_data * new_tl_data;
+ krb5_tl_data * old_tl_data;
{
XDR xdrs;
osa_princ_ent_t princ_entry;
@@ -211,8 +212,25 @@
return ENOMEM;
memset(princ_entry, 0, sizeof(osa_princ_ent_rec));
- princ_entry->admin_history_kvno = 2;
princ_entry->aux_attributes = KADM5_POLICY;
+
+ /* adding support for key history in LDAP KDB */
+ if (old_tl_data != NULL) {
+ /* get the key history from the old tl_data */
+ xdrmem_create(&xdrs, (caddr_t)old_tl_data->tl_data_contents,
+ old_tl_data->tl_data_length, XDR_DECODE);
+ if (! ldap_xdr_osa_princ_ent_rec(&xdrs, princ_entry)) {
+ xdr_destroy(&xdrs);
+ free(princ_entry);
+ return(KADM5_XDR_FAILURE);
+ }
+ xdr_destroy(&xdrs);
+ /* will set the policy field further down, avoid mem leak */
+ free(princ_entry->policy);
+ } else {
+ princ_entry->admin_history_kvno = 2;
+ }
+
princ_entry->policy = policy_dn;
xdralloc_create(&xdrs, XDR_ENCODE);
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (working copy)
@@ -2042,7 +2042,7 @@
if ((st = krb5_ldap_policydn_to_name (context, pwdpolicydn, &polname)) != 0)
goto cleanup;
- if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data)) != 0) {
+ if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data, entry->tl_data)) != 0) {
goto cleanup;
}
krb5_dbe_update_tl_data(context, entry, &kadm_tl_data);
Index: src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h (revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h (working copy)
@@ -56,6 +56,6 @@
krb5_lookup_tl_kadm_data(krb5_tl_data *tl_data, osa_princ_ent_rec *princ_entry);
krb5_error_code
-krb5_update_tl_kadm_data(char *, krb5_tl_data *);
+krb5_update_tl_kadm_data(char *, krb5_tl_data *, krb5_tl_data *);
#endif
Index: src/lib/kadm5/srv/svr_principal.c
===================================================================
--- src/lib/kadm5/srv/svr_principal.c (revision 20223)
+++ src/lib/kadm5/srv/svr_principal.c (working copy)
@@ -1442,7 +1442,10 @@
goto done;
/* key data and attributes changed, let the database provider know */
- kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */;
+ if (hist_added == 1)
+ kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | KADM5_KEY_HIST /* | KADM5_CPW_FUNCTION */;
+ else
+ kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */;
if ((ret = kdb_put_entry(handle, &kdb, &adb)))
goto done;
Index: src/lib/kadm5/admin.h
===================================================================
--- src/lib/kadm5/admin.h (revision 20223)
+++ src/lib/kadm5/admin.h (working copy)
@@ -93,6 +93,7 @@
#define KADM5_RANDKEY_USED 0x100000
#endif
#define KADM5_LOAD 0x200000
+#define KADM5_KEY_HIST 0x400000
/* all but KEY_DATA and TL_DATA */
#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
--Boundary_(ID_/Jq+vC5GKwdVHvvesUN+3w)--
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.12.9) with ESMTP
id m18164HW003824; Thu, 7 Feb 2008 20:06:04 -0500 (EST)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id m1815xI2015097;
Thu, 7 Feb 2008 20:05:59 -0500
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
[18.7.7.76])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id m1815vtV015094
for <krb5-bugs-incoming@PCH.mit.edu>; Thu, 7 Feb 2008 20:05:57 -0500
Received: from mit.edu (W92-130-BARRACUDA-3.MIT.EDU [18.7.21.224])
by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id
m1815iam028397
for <krb5-bugs@mit.edu>; Thu, 7 Feb 2008 20:05:44 -0500 (EST)
Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22])
by mit.edu (Spam Firewall) with ESMTP id 895F0D944BF
for <krb5-bugs@mit.edu>; Thu, 7 Feb 2008 20:05:23 -0500 (EST)
Received: from dm-central-02.central.sun.com ([129.147.62.5])
by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id
m1815MRh018083 for <krb5-bugs@mit.edu>; Fri, 8 Feb 2008 01:05:22 GMT
Received: from alton.central.sun.com (alton.Central.Sun.COM [129.153.128.101])
by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,
v2.2) with ESMTP id m1815LWV006144
for <krb5-bugs@mit.edu>; Thu, 7 Feb 2008 18:05:22 -0700 (MST)
Received: from alton.central.sun.com (localhost [127.0.0.1])
by alton.central.sun.com (8.14.2+Sun/8.14.2) with ESMTP id
m180vqjr026039
for <krb5-bugs@mit.edu>; Thu, 7 Feb 2008 18:57:52 -0600 (CST)
Received: (from willf@localhost)
by alton.central.sun.com (8.14.2+Sun/8.14.2/Submit) id m180vp3s026038
for krb5-bugs@mit.edu; Thu, 7 Feb 2008 18:57:51 -0600 (CST)
X-Authentication-Warning: alton.central.sun.com: willf set sender to
William.Fiveash@sun.com using -f
Date: Thu, 7 Feb 2008 18:57:51 -0600
From: Will Fiveash <William.Fiveash@sun.com>
To: krb5-bugs@mit.edu
Message-ID: <20080208005751.GB1209@sun.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-send-pr-version: 3.99
User-Agent: Mutt/1.5.11
X-Spam-Score: 2.29
X-Spam-Level: ** (2.29)
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Sender: krb5-bugs-incoming-bounces@PCH.MIT.EDU
Errors-To: krb5-bugs-incoming-bounces@PCH.MIT.EDU
Show quoted text
>Submitter-Id: net
>Originator: William Fiveash
>Organization: Sun Microsystems
>Confidential: no
>Synopsis: password history doesn't work with LDAP KDB
>Severity: serious
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-1.6.3
>Environment:
>Originator: William Fiveash
>Organization: Sun Microsystems
>Confidential: no
>Synopsis: password history doesn't work with LDAP KDB
>Severity: serious
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-1.6.3
>Environment:
System: SunOS alton 5.11 snv_82 i86pc i386 i86pc
Architecture: i86pc
Show quoted text
>Description:
The LDAP KDB plugin is not storing password/key history. This in turndisables the functionality of policy history (limiting reuse of a password).
Show quoted text
>How-To-Repeat:
Show quoted text
>Fix:
Here's the fix that works for me:
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c (revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c (working copy)
@@ -966,9 +966,13 @@
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
- || ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO)
continue;
+
+ /* want to store key history */
+ if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST)
+ continue;
+
count++;
}
if (count != 0) {
@@ -986,9 +990,13 @@
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
- || ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO)
continue;
+
+ /* want to store key history */
+ if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST)
+ continue;
+
if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
break;
j++;
Index: src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c (revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c (working copy)
@@ -200,9 +200,10 @@
}
krb5_error_code
-krb5_update_tl_kadm_data(policy_dn, new_tl_data)
+krb5_update_tl_kadm_data(policy_dn, new_tl_data, old_tl_data)
char * policy_dn;
krb5_tl_data * new_tl_data;
+ krb5_tl_data * old_tl_data;
{
XDR xdrs;
osa_princ_ent_t princ_entry;
@@ -211,8 +212,25 @@
return ENOMEM;
memset(princ_entry, 0, sizeof(osa_princ_ent_rec));
- princ_entry->admin_history_kvno = 2;
princ_entry->aux_attributes = KADM5_POLICY;
+
+ /* adding support for key history in LDAP KDB */
+ if (old_tl_data != NULL) {
+ /* get the key history from the old tl_data */
+ xdrmem_create(&xdrs, (caddr_t)old_tl_data->tl_data_contents,
+ old_tl_data->tl_data_length, XDR_DECODE);
+ if (! ldap_xdr_osa_princ_ent_rec(&xdrs, princ_entry)) {
+ xdr_destroy(&xdrs);
+ free(princ_entry);
+ return(KADM5_XDR_FAILURE);
+ }
+ xdr_destroy(&xdrs);
+ /* will set the policy field further down, avoid mem leak */
+ free(princ_entry->policy);
+ } else {
+ princ_entry->admin_history_kvno = 2;
+ }
+
princ_entry->policy = policy_dn;
xdralloc_create(&xdrs, XDR_ENCODE);
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (working copy)
@@ -2042,7 +2042,7 @@
if ((st = krb5_ldap_policydn_to_name (context, pwdpolicydn, &polname)) != 0)
goto cleanup;
- if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data)) != 0) {
+ if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data, entry->tl_data)) != 0) {
goto cleanup;
}
krb5_dbe_update_tl_data(context, entry, &kadm_tl_data);
Index: src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h (revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h (working copy)
@@ -56,6 +56,6 @@
krb5_lookup_tl_kadm_data(krb5_tl_data *tl_data, osa_princ_ent_rec *princ_entry);
krb5_error_code
-krb5_update_tl_kadm_data(char *, krb5_tl_data *);
+krb5_update_tl_kadm_data(char *, krb5_tl_data *, krb5_tl_data *);
#endif
Index: src/lib/kadm5/srv/svr_principal.c
===================================================================
--- src/lib/kadm5/srv/svr_principal.c (revision 20223)
+++ src/lib/kadm5/srv/svr_principal.c (working copy)
@@ -1442,7 +1442,10 @@
goto done;
/* key data and attributes changed, let the database provider know */
- kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */;
+ if (hist_added == 1)
+ kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | KADM5_KEY_HIST /* | KADM5_CPW_FUNCTION */;
+ else
+ kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */;
if ((ret = kdb_put_entry(handle, &kdb, &adb)))
goto done;
Index: src/lib/kadm5/admin.h
===================================================================
--- src/lib/kadm5/admin.h (revision 20223)
+++ src/lib/kadm5/admin.h (working copy)
@@ -93,6 +93,7 @@
#define KADM5_RANDKEY_USED 0x100000
#endif
#define KADM5_LOAD 0x200000
+#define KADM5_KEY_HIST 0x400000
/* all but KEY_DATA and TL_DATA */
#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
--Boundary_(ID_/Jq+vC5GKwdVHvvesUN+3w)--