diff options
Diffstat (limited to 'src/plugins/kdb/db2')
| -rw-r--r-- | src/plugins/kdb/db2/Makefile.in | 12 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/db2_exp.c | 10 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/kdb_db2.c | 241 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/kdb_db2.h | 22 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/kdb_ext.c | 99 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/lockout.c | 196 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/pol_xdr.c | 26 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/policy_db.h | 1 |
8 files changed, 564 insertions, 43 deletions
diff --git a/src/plugins/kdb/db2/Makefile.in b/src/plugins/kdb/db2/Makefile.in index dd3045c..b2532a4 100644 --- a/src/plugins/kdb/db2/Makefile.in +++ b/src/plugins/kdb/db2/Makefile.in @@ -25,7 +25,7 @@ DB_DEPS-redirect = $(BUILDTOP)/include/db.h DB_LIB = @DB_LIB@ KDB5_DB_LIB = @KDB5_DB_LIB@ DB_DEPLIB = $(DB_DEPLIB-@DB_VERSION@) -DB_DEPLIB-k5 = $(TOPLIBD)/libdb$(DEPLIBEXT) +DB_DEPLIB-k5 = $(TOPLIBD)/libdb$(DEPLIBEXT) $(KADMSRV_DEPLIBS) DB_DEPLIB-sys = LIBBASE=db2 @@ -39,7 +39,7 @@ SHLIB_EXPDEPS = \ $(GSSRPC_DEPLIBS) \ $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ $(TOPLIBD)/libkrb5$(SHLIBEXT) -SHLIB_EXPLIBS= $(GSSRPC_LIBS) -lkrb5 -lcom_err -lk5crypto $(KDB5_DB_LIB) $(SUPPORT_LIB) $(LIBS) @DB_EXTRA_LIBS@ +SHLIB_EXPLIBS= $(GSSRPC_LIBS) -lkrb5 -lcom_err -lk5crypto $(KDB5_DB_LIB) $(KADMSRV_LIBS) $(SUPPORT_LIB) $(LIBS) @DB_EXTRA_LIBS@ SHLIB_DIRS=-L$(TOPLIBD) SHLIB_RDIRS=$(KRB5_LIBDIR) @@ -56,8 +56,10 @@ SRCS= \ $(srcdir)/adb_openclose.c \ $(srcdir)/adb_policy.c \ $(srcdir)/kdb_db2.c \ + $(srcdir)/kdb_ext.c \ $(srcdir)/pol_xdr.c \ - $(srcdir)/db2_exp.c + $(srcdir)/db2_exp.c \ + $(srcdir)/lockout.c STOBJLISTS=OBJS.ST $(DBOBJLISTS) STLIBOBJS= \ @@ -65,8 +67,10 @@ STLIBOBJS= \ adb_openclose.o \ adb_policy.o \ kdb_db2.o \ + kdb_ext.o \ pol_xdr.o \ - db2_exp.o + db2_exp.o \ + lockout.o all-unix:: all-liblinks install-unix:: install-libs diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c index 85864ac..2e1f3b5 100644 --- a/src/plugins/kdb/db2/db2_exp.c +++ b/src/plugins/kdb/db2/db2_exp.c @@ -197,6 +197,13 @@ WRAP_K (krb5_db2_promote_db, ( krb5_context kcontext, char *conf_section, char **db_args ), (kcontext, conf_section, db_args)); +WRAP_K (krb5_db2_invoke, + (krb5_context kcontext, + unsigned int method, + const krb5_data *request, + krb5_data *response), + (kcontext, method, request, response)); + static krb5_error_code hack_init () { @@ -256,5 +263,6 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_db2, kdb_function_table) = { /* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list, /* blah blah blah */ 0,0,0,0,0,0,0,0, /* promote_db */ wrap_krb5_db2_promote_db, - 0,0,0, + 0, 0, + /* invoke */ wrap_krb5_db2_invoke }; diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c index a947f2b..b987039 100644 --- a/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c @@ -1,7 +1,7 @@ /* * lib/kdb/kdb_db2.c * - * Copyright 1997,2006,2007,2008 by the Massachusetts Institute of Technology. + * Copyright 1997,2006,2007-2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -68,8 +68,6 @@ #define KDB_DB2_DATABASE_NAME "database_name" -#include "kdb_db2.h" - static char *gen_dbsuffix(char *, char *); static krb5_error_code krb5_db2_db_start_update(krb5_context); @@ -774,7 +772,7 @@ destroy_file_suffix(char *dbname, char *suffix) char *filename; struct stat statb; int nb, fd; - unsigned int j; + int j; off_t pos; char buf[BUFSIZ]; char zbuf[BUFSIZ]; @@ -1315,6 +1313,9 @@ krb5_db2_open(krb5_context kcontext, else if (!opt && !strcmp(val, "temporary") ) { tempdb = 1; } + else if (!opt && !strcmp(val, "merge_nra")) { + ; + } /* ignore hash argument. Might have been passed from create */ else if (!opt || strcmp(opt, "hash")) { krb5_set_error_message(kcontext, EINVAL, @@ -1394,8 +1395,9 @@ krb5_db2_create(krb5_context kcontext, char *conf_section, char **db_args) } else if (!opt && !strcmp(val, "temporary")) { tempdb = 1; - } - else if (opt && !strcmp(opt, "hash")) { + } else if (!opt && !strcmp(val, "merge_nra")) { + ; + } else if (opt && !strcmp(opt, "hash")) { flags = KRB5_KDB_CREATE_HASH; } else { krb5_set_error_message(kcontext, EINVAL, @@ -1563,7 +1565,7 @@ krb5_db2_db_set_option(krb5_context kcontext, int option, void *value) krb5_db2_context *db_ctx; kdb5_dal_handle *dal_handle; - if (!k5db2_inited(kcontext)) + if (!k5db2_inited(kcontext)) return KRB5_KDB_DBNOTINITED; dal_handle = kcontext->dal_handle; @@ -1679,6 +1681,8 @@ krb5_db2_promote_db(krb5_context kcontext, char *conf_section, char **db_args) krb5_error_code status = 0; char *db_name = NULL; char *temp_db_name = NULL; + char **db_argp; + int merge_nra = 0; krb5_clear_error_message (kcontext); @@ -1699,7 +1703,14 @@ krb5_db2_promote_db(krb5_context kcontext, char *conf_section, char **db_args) goto clean_n_exit; } - status = krb5_db2_db_rename (kcontext, temp_db_name, db_name); + for (db_argp = db_args; *db_argp; db_argp++) { + if (!strcmp(*db_argp, "merge_nra")) { + merge_nra++; + break; + } + } + + status = krb5_db2_db_rename (kcontext, temp_db_name, db_name, merge_nra); if (status) goto clean_n_exit; @@ -1711,6 +1722,154 @@ clean_n_exit: return status; } +/* + * Merge non-replicated attributes from src into dst, setting + * changed to non-zero if dst was changed. + * + * Non-replicated attributes are: last_success, last_failed, + * fail_auth_count, and any negative TL data values. + */ +static krb5_error_code +krb5_db2_merge_principal(krb5_context kcontext, + krb5_db_entry *src, + krb5_db_entry *dst, + int *changed) +{ + *changed = 0; + + if (dst->last_success != src->last_success) { + dst->last_success = src->last_success; + (*changed)++; + } + + if (dst->last_failed != src->last_failed) { + dst->last_failed = src->last_failed; + (*changed)++; + } + + if (dst->fail_auth_count != src->fail_auth_count) { + dst->fail_auth_count = src->fail_auth_count; + (*changed)++; + } + + return 0; +} + +struct nra_context { + krb5_context kcontext; + krb5_db2_context *db_context; +}; + +/* + * Iteration callback merges non-replicated attributes from + * old database. + */ +static krb5_error_code +krb5_db2_merge_nra_iterator(krb5_pointer ptr, krb5_db_entry *entry) +{ + struct nra_context *nra = (struct nra_context *)ptr; + kdb5_dal_handle *dal_handle = nra->kcontext->dal_handle; + krb5_error_code retval; + int n_entries = 0, changed; + krb5_db_entry s_entry; + krb5_boolean more; + krb5_db2_context *dst_db; + + memset(&s_entry, 0, sizeof(s_entry)); + + dst_db = dal_handle->db_context; + dal_handle->db_context = nra->db_context; + + /* look up the new principal in the old DB */ + retval = krb5_db2_db_get_principal(nra->kcontext, + entry->princ, + &s_entry, + &n_entries, + &more); + if (retval != 0 || n_entries == 0) { + /* principal may be newly created, so ignore */ + dal_handle->db_context = dst_db; + return 0; + } + + /* merge non-replicated attributes from the old entry in */ + krb5_db2_merge_principal(nra->kcontext, &s_entry, entry, &changed); + + dal_handle->db_context = dst_db; + + /* if necessary, commit the modified new entry to the new DB */ + if (changed) { + retval = krb5_db2_db_put_principal(nra->kcontext, + entry, + &n_entries, + NULL); + } else { + retval = 0; + } + + return retval; +} + +/* + * Merge non-replicated attributes (that is, lockout-related + * attributes and negative TL data types) from the old database + * into the new one. + * + * Note: src_db is locked on success. + */ +static krb5_error_code +krb5_db2_begin_nra_merge(krb5_context kcontext, + krb5_db2_context *src_db, + krb5_db2_context *dst_db) +{ + krb5_error_code retval; + kdb5_dal_handle *dal_handle = kcontext->dal_handle; + struct nra_context nra; + + nra.kcontext = kcontext; + nra.db_context = dst_db; + + assert(dal_handle->db_context == dst_db); + dal_handle->db_context = src_db; + + retval = krb5_db2_db_lock(kcontext, KRB5_LOCKMODE_EXCLUSIVE); + if (retval) { + dal_handle->db_context = dst_db; + return retval; + } + + retval = krb5_db2_db_iterate_ext(kcontext, + krb5_db2_merge_nra_iterator, + &nra, + 0, + 0); + if (retval != 0) + (void) krb5_db2_db_unlock(kcontext); + + dal_handle->db_context = dst_db; + + return retval; +} + +/* + * Finish merge of non-replicated attributes by unlocking + * src_db. + */ +static krb5_error_code +krb5_db2_end_nra_merge(krb5_context kcontext, + krb5_db2_context *src_db, + krb5_db2_context *dst_db) +{ + krb5_error_code retval; + kdb5_dal_handle *dal_handle = kcontext->dal_handle; + + dal_handle->db_context = src_db; + retval = krb5_db2_db_unlock(kcontext); + dal_handle->db_context = dst_db; + + return retval; +} + /* Retrieved from pre-DAL code base. */ /* * "Atomically" rename the database in a way that locks out read @@ -1723,12 +1882,12 @@ clean_n_exit: * have to go through the same stuff that we went through up in db_destroy. */ krb5_error_code -krb5_db2_db_rename(context, from, to) +krb5_db2_db_rename(context, from, to, merge_nra) krb5_context context; char *from; char *to; + int merge_nra; { - DB *db; char *fromok; krb5_error_code retval; krb5_db2_context *s_context, *db_ctx; @@ -1745,13 +1904,10 @@ krb5_db2_db_rename(context, from, to) * files must exist because krb5_db2_db_lock, called below, * will fail otherwise. */ - db = k5db2_dbopen(db_ctx, to, O_RDWR|O_CREAT, 0600, 0); - if (db == NULL) { - retval = errno; + retval = krb5_db2_db_create(context, to, 0); + if (retval != 0 && retval != EEXIST) goto errout; - } - else - (*db->close)(db); + /* * Set the database to the target, so that other processes sharing * the target will stop their activity, and notice the new database. @@ -1764,25 +1920,6 @@ krb5_db2_db_rename(context, from, to) if (retval) goto errout; - { - /* Ugly brute force hack. - - Should be going through nice friendly helper routines for - this, but it's a mess of jumbled so-called interfaces right - now. */ - char policy[2048], new_policy[2048]; - assert (strlen(db_ctx->db_name) < 2000); - snprintf(policy, sizeof(policy), "%s.kadm5", db_ctx->db_name); - snprintf(new_policy, sizeof(new_policy), - "%s~.kadm5", db_ctx->db_name); - if (0 != rename(new_policy, policy)) { - retval = errno; - goto errout; - } - strlcat(new_policy, ".lock",sizeof(new_policy)); - (void) unlink(new_policy); - } - db_ctx->db_lf_name = gen_dbsuffix(db_ctx->db_name, KDB2_LOCK_EXT); if (db_ctx->db_lf_name == NULL) { retval = ENOMEM; @@ -1813,6 +1950,11 @@ krb5_db2_db_rename(context, from, to) if ((retval = krb5_db2_db_start_update(context))) goto errfromok; + if (merge_nra) { + if ((retval = krb5_db2_begin_nra_merge(context, s_context, db_ctx))) + goto errfromok; + } + if (rename(from, to)) { retval = errno; goto errfromok; @@ -1821,7 +1963,35 @@ krb5_db2_db_rename(context, from, to) retval = errno; goto errfromok; } + + if (merge_nra) { + krb5_db2_end_nra_merge(context, s_context, db_ctx); + } + retval = krb5_db2_db_end_update(context); + if (retval) + goto errfromok; + + { + /* XXX moved so that NRA merge works */ + /* Ugly brute force hack. + + Should be going through nice friendly helper routines for + this, but it's a mess of jumbled so-called interfaces right + now. */ + char policy[2048], new_policy[2048]; + assert (strlen(db_ctx->db_name) < 2000); + snprintf(policy, sizeof(policy), "%s.kadm5", db_ctx->db_name); + snprintf(new_policy, sizeof(new_policy), + "%s~.kadm5", db_ctx->db_name); + if (0 != rename(new_policy, policy)) { + retval = errno; + goto errfromok; + } + strlcat(new_policy, ".lock",sizeof(new_policy)); + (void) unlink(new_policy); + } + errfromok: free_dbsuffix(fromok); errout: @@ -1839,3 +2009,4 @@ errout: return retval; } + diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h index 640c4d6..cef7b64 100644 --- a/src/plugins/kdb/db2/kdb_db2.h +++ b/src/plugins/kdb/db2/kdb_db2.h @@ -71,7 +71,8 @@ krb5_error_code krb5_db2_db_destroy krb5_error_code krb5_db2_db_rename (krb5_context, char *, - char * ); + char *, + int ); krb5_error_code krb5_db2_db_get_principal (krb5_context, krb5_const_principal, @@ -219,4 +220,23 @@ void krb5_db2_free_policy( krb5_context kcontext, /* Thread-safety wrapper slapped on top of original implementation. */ extern k5_mutex_t *krb5_db2_mutex; +/* lockout */ +krb5_error_code +krb5_db2_lockout_check_policy(krb5_context context, + krb5_db_entry *entry, + krb5_timestamp stamp); + +krb5_error_code +krb5_db2_lockout_audit(krb5_context context, + krb5_db_entry *entry, + krb5_timestamp stamp, + krb5_error_code status); + +/* methods */ +krb5_error_code +krb5_db2_invoke(krb5_context context, + unsigned int method, + const krb5_data *req, + krb5_data *rep); + #endif /* KRB5_KDB_DB2_H */ diff --git a/src/plugins/kdb/db2/kdb_ext.c b/src/plugins/kdb/db2/kdb_ext.c new file mode 100644 index 0000000..9d73966 --- /dev/null +++ b/src/plugins/kdb/db2/kdb_ext.c @@ -0,0 +1,99 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* + * plugins/kdb/db2/kdb_ext.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * + */ + +#include "k5-int.h" +#include "kdb.h" +#include <stdio.h> +#include <errno.h> +#include <kdb_ext.h> +#include "kdb_db2.h" + +static krb5_error_code +krb5_db2_check_policy_as(krb5_context context, + unsigned int method, + const krb5_data *request, + krb5_data *response) +{ + const kdb_check_policy_as_req *req; + kdb_check_policy_as_rep *rep; + krb5_error_code code; + + req = (const kdb_check_policy_as_req *)request->data; + rep = (kdb_check_policy_as_rep *)response->data; + + rep->status = NULL; + + code = krb5_db2_lockout_check_policy(context, req->client, + req->kdc_time); + if (code == KRB5KDC_ERR_CLIENT_REVOKED) + rep->status = "LOCKED_OUT"; + + return code; +} + +static krb5_error_code +krb5_db2_audit_as(krb5_context context, + unsigned int method, + const krb5_data *request, + krb5_data *response) +{ + const kdb_audit_as_req *req; + krb5_error_code code; + + req = (const kdb_audit_as_req *)request->data; + + code = krb5_db2_lockout_audit(context, req->client, + req->authtime, req->error_code); + + return code; +} + +krb5_error_code +krb5_db2_invoke(krb5_context context, + unsigned int method, + const krb5_data *req, + krb5_data *rep) +{ + krb5_error_code code = KRB5_KDB_DBTYPE_NOSUP; + + switch (method) { + case KRB5_KDB_METHOD_CHECK_POLICY_AS: + code = krb5_db2_check_policy_as(context, method, req, rep); + break; + case KRB5_KDB_METHOD_AUDIT_AS: + code = krb5_db2_audit_as(context, method, req, rep); + break; + default: + break; + } + + return code; +} + diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c new file mode 100644 index 0000000..1e6602d --- /dev/null +++ b/src/plugins/kdb/db2/lockout.c @@ -0,0 +1,196 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* + * plugins/kdb/db2/lockout.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * + */ + +#include "k5-int.h" +#include "kdb.h" +#include <stdio.h> +#include <errno.h> +#include <kadm5/server_internal.h> +#include "kdb_db2.h" + +/* + * Helper routines for databases that wish to use the default + * principal lockout functionality. + */ + +static krb5_error_code +lookup_lockout_policy(krb5_context context, + krb5_db_entry *entry, + krb5_kvno *pw_max_fail, + krb5_deltat *pw_failcnt_interval, + krb5_deltat *pw_lockout_duration) +{ + krb5_tl_data tl_data; + krb5_error_code code; + osa_princ_ent_rec adb; + XDR xdrs; + + *pw_max_fail = 0; + *pw_failcnt_interval = 0; + *pw_lockout_duration = 0; + + tl_data.tl_data_type = KRB5_TL_KADM_DATA; + + code = krb5_dbe_lookup_tl_data(context, entry, &tl_data); + if (code != 0 || tl_data.tl_data_length == 0) + return code; + + memset(&adb, 0, sizeof(adb)); + xdrmem_create(&xdrs, (char *)tl_data.tl_data_contents, + tl_data.tl_data_length, XDR_DECODE); + if (!xdr_osa_princ_ent_rec(&xdrs, &adb)) { + xdr_destroy(&xdrs); + return KADM5_XDR_FAILURE; + } + + if (adb.policy != NULL) { + osa_policy_ent_t policy = NULL; + int count = 0; + + code = krb5_db2_get_policy(context, adb.policy, + &policy, &count); + if (code == 0 && count == 1) { + *pw_max_fail = policy->pw_max_fail; + *pw_failcnt_interval = policy->pw_failcnt_interval; + *pw_lockout_duration = policy->pw_lockout_duration; + } + if (policy != NULL) + krb5_db2_free_policy(context, policy); + } + + xdr_destroy(&xdrs); + + xdrmem_create(&xdrs, NULL, 0, XDR_FREE); + xdr_osa_princ_ent_rec(&xdrs, &adb); + xdr_destroy(&xdrs); + + return 0; +} + +/* draft-behera-ldap-password-policy-10.txt 7.1 */ +static krb5_boolean +locked_check_p(krb5_context context, + krb5_timestamp stamp, + krb5_kvno max_fail, + krb5_timestamp lockout_duration, + krb5_db_entry *entry) +{ + if (max_fail == 0 || entry->fail_auth_count < max_fail) + return FALSE; + + if (lockout_duration == 0) + return TRUE; /* principal permanently locked */ + + return (stamp < entry->last_failed + lockout_duration); +} + +krb5_error_code +krb5_db2_lockout_check_policy(krb5_context context, + krb5_db_entry *entry, + krb5_timestamp stamp) +{ + krb5_error_code code; + krb5_kvno max_fail = 0; + krb5_deltat failcnt_interval = 0; + krb5_deltat lockout_duration = 0; + + code = lookup_lockout_policy(context, entry, &max_fail, + &failcnt_interval, + &lockout_duration); + if (code != 0) + return code; + + if (locked_check_p(context, stamp, max_fail, lockout_duration, entry)) + return KRB5KDC_ERR_CLIENT_REVOKED; + + return 0; +} + +krb5_error_code +krb5_db2_lockout_audit(krb5_context context, + krb5_db_entry *entry, + krb5_timestamp stamp, + krb5_error_code status) +{ + krb5_error_code code; + krb5_kvno max_fail = 0; + krb5_deltat failcnt_interval = 0; + krb5_deltat lockout_duration = 0; + int nentries = 1; + + switch (status) { + case 0: + case KRB5KDC_ERR_PREAUTH_FAILED: + case KRB5KRB_AP_ERR_BAD_INTEGRITY: + break; +#if 0 + case KRB5KDC_ERR_CLIENT_REVOKED: + break; +#endif + default: + return 0; + } + + code = lookup_lockout_policy(context, entry, &max_fail, + &failcnt_interval, + &lockout_duration); + if (code != 0) + return code; + + assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry)); + + if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) { + /* + * Only mark the authentication as successful if the entry + * required preauthentication, otherwise we have no idea. + */ + entry->fail_auth_count = 0; + entry->last_success = stamp; + } else if (status == KRB5KDC_ERR_PREAUTH_FAILED || + status == KRB5KRB_AP_ERR_BAD_INTEGRITY) { + if (failcnt_interval != 0 && + stamp > entry->last_failed + failcnt_interval) { + /* Reset fail_auth_count after failcnt_interval */ + entry->fail_auth_count = 0; + } + + entry->last_failed = stamp; + entry->fail_auth_count++; + } else + return 0; /* nothing to do */ + + code = krb5_db2_db_put_principal(context, entry, + &nentries, NULL); + if (code != 0) + return code; + + return 0; +} + diff --git a/src/plugins/kdb/db2/pol_xdr.c b/src/plugins/kdb/db2/pol_xdr.c index 82e29b8..31856fb 100644 --- a/src/plugins/kdb/db2/pol_xdr.c +++ b/src/plugins/kdb/db2/pol_xdr.c @@ -51,14 +51,27 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp) return FALSE; } +static int +osa_policy_min_vers(osa_policy_ent_t objp) +{ + int vers; + + if (objp->pw_max_fail || + objp->pw_failcnt_interval || + objp->pw_lockout_duration) + vers = OSA_ADB_POLICY_VERSION_2; + else + vers = OSA_ADB_POLICY_VERSION_1; + return vers; +} bool_t xdr_osa_policy_ent_rec(XDR *xdrs, osa_policy_ent_t objp) { switch (xdrs->x_op) { case XDR_ENCODE: - objp->version = OSA_ADB_POLICY_VERSION_1; + objp->version = osa_policy_min_vers(objp); /* fall through */ case XDR_FREE: if (!xdr_int(xdrs, &objp->version)) @@ -67,7 +80,8 @@ xdr_osa_policy_ent_rec(XDR *xdrs, osa_policy_ent_t objp) case XDR_DECODE: if (!xdr_int(xdrs, &objp->version)) return FALSE; - if (objp->version != OSA_ADB_POLICY_VERSION_1) + if (objp->version != OSA_ADB_POLICY_VERSION_1 && + objp->version != OSA_ADB_POLICY_VERSION_2) return FALSE; break; } @@ -86,5 +100,13 @@ xdr_osa_policy_ent_rec(XDR *xdrs, osa_policy_ent_t objp) return (FALSE); if (!xdr_u_int32(xdrs, &objp->policy_refcnt)) return (FALSE); + if (objp->version > OSA_ADB_POLICY_VERSION_1) { + if (!xdr_u_int32(xdrs, &objp->pw_max_fail)) + return (FALSE); + if (!xdr_u_int32(xdrs, &objp->pw_failcnt_interval)) + return (FALSE); + if (!xdr_u_int32(xdrs, &objp->pw_lockout_duration)) + return (FALSE); + } return (TRUE); } diff --git a/src/plugins/kdb/db2/policy_db.h b/src/plugins/kdb/db2/policy_db.h index 11fece3..d841d73 100644 --- a/src/plugins/kdb/db2/policy_db.h +++ b/src/plugins/kdb/db2/policy_db.h @@ -39,6 +39,7 @@ typedef long osa_adb_ret_t; #define OSA_ADB_POLICY_VERSION_MASK 0x12345D00 #define OSA_ADB_POLICY_VERSION_1 0x12345D01 +#define OSA_ADB_POLICY_VERSION_2 0x12345D02 |