From krb5-bugs-incoming-bounces@PCH.MIT.EDU Thu Feb 7 20:06:04 2008
Date: Thu, 7 Feb 2008 18:57:51 -0600
From: Will Fiveash <William.Fiveash@sun.com>
To: krb5-bugs@mit.edu
Message-ID: <20080208005751.GB1209@sun.com>


>Submitter-Id: net
>Originator: William Fiveash
>Organization: Sun Microsystems
>Confidential: no
>Synopsis: password history doesn't work with LDAP KDB
>Severity: serious
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-1.6.3
>Environment:

System: SunOS alton 5.11 snv_82 i86pc i386 i86pc
Architecture: i86pc

>Description:
The LDAP KDB plugin is not storing password/key history. This in turn
disables the functionality of policy history (limiting reuse of a password).

>How-To-Repeat:

>Fix:

Here's the fix that works for me:

Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c (revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c (working copy)
@@ -966,9 +966,13 @@
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
- || ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO)
continue;
+
+ /* want to store key history */
+ if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST)
+ continue;
+
count++;
}
if (count != 0) {
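Review bot: the new guard `if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST)` has an operator-precedence defect: `!` binds tighter than `&`, so it evaluates as `(!entries->mask) & KADM5_KEY_HIST`, which is 0 for every mask value (0 or 1 ANDed with 0x400000), and the `continue` never fires. The intent is `!(entries->mask & KADM5_KEY_HIST)`, i.e. skip the KRB5_TL_KADM_DATA entry unless the caller flagged that history was added; as written, the count now includes KRB5_TL_KADM_DATA unconditionally, the opposite of the old `|| ptr->tl_data_type == KRB5_TL_KADM_DATA` exclusion that this hunk removes.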
@@ -986,9 +990,13 @@
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
- || ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO)
continue;
+
+ /* want to store key history */
+ if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST)
+ continue;
+
if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
break;
j++;
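Review bot: the same precedence error is repeated in this copy of the guard, so the KRB5_TL_KADM_DATA entry is always converted with `tl_data2berval` regardless of KADM5_KEY_HIST. Since this loop must agree exactly with the counting loop above (the berval array is sized from `count`), factor the "should this tl_data be stored" test into one static helper or macro and use it in both places, so a fix to one cannot drift from the other.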
Index: src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c (revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c (working copy)
@@ -200,9 +200,10 @@
}

krb5_error_code
-krb5_update_tl_kadm_data(policy_dn, new_tl_data)
+krb5_update_tl_kadm_data(policy_dn, new_tl_data, old_tl_data)
char * policy_dn;
krb5_tl_data * new_tl_data;
+ krb5_tl_data * old_tl_data;
{
XDR xdrs;
osa_princ_ent_t princ_entry;
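Review bot: the new `old_tl_data` parameter is undocumented; a comment on the definition should state what the caller is expected to pass (the principal's existing KRB5_TL_KADM_DATA entry, or NULL when the principal has none) and that it is only read, not consumed, since the K&R-style declaration gives the reader no other hint about its contract.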
@@ -211,8 +212,25 @@
return ENOMEM;

memset(princ_entry, 0, sizeof(osa_princ_ent_rec));
- princ_entry->admin_history_kvno = 2;
princ_entry->aux_attributes = KADM5_POLICY;
+
+ /* adding support for key history in LDAP KDB */
+ if (old_tl_data != NULL) {
+ /* get the key history from the old tl_data */
+ xdrmem_create(&xdrs, (caddr_t)old_tl_data->tl_data_contents,
+ old_tl_data->tl_data_length, XDR_DECODE);
+ if (! ldap_xdr_osa_princ_ent_rec(&xdrs, princ_entry)) {
+ xdr_destroy(&xdrs);
+ free(princ_entry);
+ return(KADM5_XDR_FAILURE);
+ }
+ xdr_destroy(&xdrs);
+ /* will set the policy field further down, avoid mem leak */
+ free(princ_entry->policy);
+ } else {
+ princ_entry->admin_history_kvno = 2;
+ }
+
princ_entry->policy = policy_dn;

xdralloc_create(&xdrs, XDR_ENCODE);
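Review bot: the decode path trusts `old_tl_data` without checking `old_tl_data->tl_data_type == KRB5_TL_KADM_DATA`, so any other tl_data type handed in is XDR-decoded as an `osa_princ_ent_rec`, yielding either KADM5_XDR_FAILURE or a silently wrong record; add the type check (the module already declares `krb5_lookup_tl_kadm_data(krb5_tl_data *, osa_princ_ent_rec *)` in princ_xdr.h for exactly this lookup-and-decode). On the failure branch, `free(princ_entry)` discards a partially decoded record, so any members the decoder allocated before failing (this patch itself frees `princ_entry->policy` on the success path for that reason) leak; release them with the matching XDR free routine before returning.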
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (working copy)
@@ -2042,7 +2042,7 @@
if ((st = krb5_ldap_policydn_to_name (context, pwdpolicydn, &polname)) != 0)
goto cleanup;

- if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data)) != 0) {
+ if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data, entry->tl_data)) != 0) {
goto cleanup;
}
krb5_dbe_update_tl_data(context, entry, &kadm_tl_data);
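Review bot: `entry->tl_data` is the head of the principal's tl_data list, not the KRB5_TL_KADM_DATA node, so unless that node happens to be first the callee decodes the wrong record. Locate the KRB5_TL_KADM_DATA entry by walking the list (or via `krb5_lookup_tl_kadm_data`) before the call, and pass NULL when it is absent, which the callee already handles.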
Index: src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h (revision 20223)
+++ src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h (working copy)
@@ -56,6 +56,6 @@
krb5_lookup_tl_kadm_data(krb5_tl_data *tl_data, osa_princ_ent_rec *princ_entry);

krb5_error_code
-krb5_update_tl_kadm_data(char *, krb5_tl_data *);
+krb5_update_tl_kadm_data(char *, krb5_tl_data *, krb5_tl_data *);

#endif
Index: src/lib/kadm5/srv/svr_principal.c
===================================================================
--- src/lib/kadm5/srv/svr_principal.c (revision 20223)
+++ src/lib/kadm5/srv/svr_principal.c (working copy)
@@ -1442,7 +1442,10 @@
goto done;

/* key data and attributes changed, let the database provider know */
- kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */;
+ if (hist_added == 1)
+ kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | KADM5_KEY_HIST /* | KADM5_CPW_FUNCTION */;
+ else
+ kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */;

if ((ret = kdb_put_entry(handle, &kdb, &adb)))
goto done;
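Review bot: `hist_added` is not introduced in this hunk, so it must be an existing local; the branch duplicates the full mask expression and the `/* | KADM5_CPW_FUNCTION */` comment, which invites the two to drift. The same effect is clearer as `kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES; if (hist_added) kdb.mask |= KADM5_KEY_HIST;`, and `if (hist_added)` is preferable to `== 1` unless the variable is a counter whose other values matter.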
Index: src/lib/kadm5/admin.h
===================================================================
--- src/lib/kadm5/admin.h (revision 20223)
+++ src/lib/kadm5/admin.h (working copy)
@@ -93,6 +93,7 @@
#define KADM5_RANDKEY_USED 0x100000
#endif
#define KADM5_LOAD 0x200000
+#define KADM5_KEY_HIST 0x400000

/* all but KEY_DATA and TL_DATA */
#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
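Review bot: KADM5_KEY_HIST is added to the public kadm5 mask namespace in admin.h without a comment. Since this bit is set by the server to tell the KDB module that key history changed rather than being a client-settable principal field, a one-line comment saying so, and confirming that 0x400000 is not used by any mask bit defined above this hunk, would help readers of the header; it is correctly outside KADM5_PRINCIPAL_NORMAL_MASK (0x01ffff).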


Subject: Password history in LDAP KDB plugin
Allow using password history in policies with LDAP KDB plugin, as
submitted in this pull request:

https://github.com/krb5/krb5/pull/132#issuecomment-52522419
From: ghudson@mit.edu
Subject: git commit

Implement password history in LDAP KDB module

The password history is stored in the kerberos LDAP schema attribute
'krbPwdHistory', with one history entry per attribute. When the
history is decoded, the history entries are sorted by kvno with the
next replacement key set to the end of the list. Based on a patch
from Tomas Kuthan.

https://github.com/krb5/krb5/commit/b46cce2ea8c0841f7f93db73eefcd180c87a3eae
Author: Sarah Day <sarahday@mit.edu>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: b46cce2ea8c0841f7f93db73eefcd180c87a3eae
Branch: master
src/lib/kadm5/admin.h | 2 +-
src/lib/kadm5/srv/svr_principal.c | 3 +
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 39 ++-
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c | 46 ++-
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h | 13 +-
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 403 ++++++++++++++++----
src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c | 10 +-
src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h | 2 +-
src/tests/kdbtest.c | 2 +-
src/tests/t_kdb.py | 25 ++
10 files changed, 438 insertions(+), 107 deletions(-)
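The history handling the commit message above describes (unordered krbPwdHistory values sorted by kvno, next-replacement slot set to the end of the list) together with the reuse check the original report says was disabled, as an added C example that is not krb5 code: entries are constructed (kvno, key) pairs rather than XDR-encoded records, and a plain string compare stands in for the real encrypted-key comparison.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model (added here, not krb5 code) of what the commit message
 * describes: LDAP returns the multi-valued krbPwdHistory attribute in no
 * defined order, so the decoder sorts entries by kvno and points the next-
 * replacement slot past the end. Real values are XDR-encoded records; each
 * entry here is a constructed (kvno, key) pair with a plain-text key. */
#define MAX_HIST 16

struct hist_ent { unsigned int kvno; char key[32]; };
struct princ_hist {
    size_t n;                 /* entries currently held */
    size_t next;              /* index of the slot the next key replaces */
    struct hist_ent ent[MAX_HIST];
};

static int cmp_kvno(const void *a, const void *b) {
    unsigned int ka = ((const struct hist_ent *)a)->kvno;
    unsigned int kb = ((const struct hist_ent *)b)->kvno;
    return (ka > kb) - (ka < kb);
}

/* Decode: take the unordered attribute values, sort by kvno, set next slot. */
int decode_history(const struct hist_ent *vals, size_t n, struct princ_hist *out) {
    if (n > MAX_HIST) return -1;
    memcpy(out->ent, vals, n * sizeof(*vals));
    qsort(out->ent, n, sizeof(*vals), cmp_kvno);
    out->n = n;
    out->next = n;            /* next replacement goes at the end of the list */
    return 0;
}

/* Policy check: a candidate key is rejected if it matches any retained entry. */
int key_in_history(const struct princ_hist *h, const char *key) {
    for (size_t i = 0; i < h->n; i++)
        if (strcmp(h->ent[i].key, key) == 0)
            return 1;
    return 0;
}

/* Record a key change: fill free slots first, then overwrite the oldest entry
 * (lowest kvno, since the list is sorted) in ring-buffer fashion. */
void add_history(struct princ_hist *h, unsigned int kvno, const char *key, size_t keep) {
    size_t idx = h->next % keep;
    h->ent[idx].kvno = kvno;
    strncpy(h->ent[idx].key, key, sizeof(h->ent[idx].key) - 1);
    h->ent[idx].key[sizeof(h->ent[idx].key) - 1] = '\0';
    if (h->n < keep) h->n++;
    h->next = idx + 1;
}
```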
From: ghudson@mit.edu
Subject: git commit

Fix populate_krb5_db_entry() princ_ent init

The most recent commit introduced a new variable princ_ent in
populate_krb5_db_entry(). princ_ent is cleaned up by the function's
cleanup label, so it must be initialized before any "goto cleanup"
statements.

https://github.com/krb5/krb5/commit/9526953f36b39323ec07448a5f218d27c6f1c76f
Author: Greg Hudson <ghudson@mit.edu>
Commit: 9526953f36b39323ec07448a5f218d27c6f1c76f
Branch: master
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)