Updates for LDAP-backed Kerberos

Principals are now created implicitly when the LDAP entry for a user is added. We add the keys by "changing" the password from nonexistent to existent.
14 years ago · 778efc71aa
parent 1c8e247732
commit 778efc71aa
4 changed files with 33 additions and 14 deletions
--- a/src/kadm.c
+++ b/src/kadm.c
@ -32,22 +32,22 @@ void ceo_kadm_cleanup() {

 int ceo_add_princ(char *user, char *password) {
    krb5_error_code retval;
-    kadm5_principal_ent_rec princ;
+    krb5_principal princ;
    memset((void *) &princ, 0, sizeof(princ));

    debug("kadmin: adding principal %s", user);

-    if ((retval = krb5_parse_name(context, user, &princ.principal))) {
+    if ((retval = krb5_parse_name(context, user, &princ))) {
        com_err(prog, retval, "while parsing principal name");
        return retval;
    }

-    if ((retval = kadm5_create_principal(handle, &princ, KADM5_PRINCIPAL, password))) {
+    if ((retval = kadm5_chpass_principal(handle, princ, password))) {
        com_err(prog, retval, "while creating principal");
        return retval;
    }

-    krb5_free_principal(context, princ.principal);
+    krb5_free_principal(context, princ);
    return 0;
 }

--- a/src/ldap.c
+++ b/src/ldap.c
@ -170,7 +170,7 @@ int ceo_add_group_sudo(char *group, char *basedn) {
    return ret;
 }

-int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home, char *shell, int no, ...) {
+int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home, char *principal, char *shell, int no, ...) {
    va_list args;

    if (!uid || !basedn || !cn || !home || !shell)
@ -179,13 +179,19 @@ int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home,
    LDAPMod *mods[16];
    int i = -1;
    int ret = 0;
+    int classes = 4;

    mods[++i] = xmalloc(sizeof(LDAPMod));
    mods[i]->mod_op = LDAP_MOD_ADD;
    mods[i]->mod_type = "objectClass";
-    char *objectClasses[] = { "top", "account", "posixAccount", "shadowAccount", NULL, NULL };
+    char *objectClasses[] = { "top", "account", "posixAccount", "shadowAccount", NULL, NULL, NULL, NULL };
    if (objclass != NULL)
-        objectClasses[4] = objclass;
+        objectClasses[classes++] = objclass;
+    if (principal) {
+        objectClasses[classes++] = "krbPrincipalAux";
+        objectClasses[classes++] = "krbTicketPolicyAux";
+
+    }
    mods[i]->mod_values = objectClasses;

    mods[++i] = xmalloc(sizeof(LDAPMod));
@ -225,6 +231,14 @@ int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home,
    char *homeDirectory[] = { home, NULL };
    mods[i]->mod_values = homeDirectory;

+    if (principal) {
+        mods[++i] = xmalloc(sizeof(LDAPMod));
+        mods[i]->mod_op = LDAP_MOD_ADD;
+        mods[i]->mod_type = "krbPrincipalName";
+        char *krbPrincipalName[] = { principal, NULL };
+        mods[i]->mod_values = krbPrincipalName;
+    }
+
    va_start(args, no);
    char *attr;
    while ((attr = va_arg(args, char *))) {
--- a/src/ldap.h
+++ b/src/ldap.h
@ -1,6 +1,6 @@
 #define LDAP_DEFAULT_PROTOCOL LDAP_VERSION3

-int ceo_add_user(char *, char *, char *, char *, char *, char *, int, ...);
+int ceo_add_user(char *, char *, char *, char *, char *, char *, char *, int, ...);
 int ceo_add_group(char *, char *, int);
 int ceo_add_group_sudo(char *, char *);
 int ceo_new_uid(int, int);
--- a/src/op-adduser.c
+++ b/src/op-adduser.c
@ -137,9 +137,14 @@ static void adduser_spam(Ceo__AddUser *in, Ceo__AddUserResponse *out, char *clie

 static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
    char homedir[1024];
+    char principal[1024];
    int user_stat, group_stat, krb_stat, home_stat;
    int id;

+    if (snprintf(principal, sizeof(principal), "%s@%s",
+                in->username, krb5_realm) >= sizeof(principal))
+        fatal("principal overflow");
+
    if (snprintf(homedir, sizeof(homedir), "%s/%s",
                 member_home, in->username) >= sizeof(homedir))
        fatal("homedir overflow");
@ -150,17 +155,17 @@ static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
    if ((krb_stat = ceo_del_princ(in->username)))
        return response_message(out, EEXIST, "unable to overwrite orphaned kerberos principal %s", in->username);

-    if ((krb_stat = ceo_add_princ(in->username, in->password)))
-        return response_message(out, EKERB, "unable to create kerberos principal %s", in->username);
-    response_message(out, 0, "successfully created principal");
-
-    if ((user_stat = ceo_add_user(in->username, ldap_users_base, "member", in->realname, homedir,
+    if ((user_stat = ceo_add_user(in->username, ldap_users_base, "member", in->realname, homedir, principal,
            member_shell, id, "program", in->program, NULL)))
        return response_message(out, ELDAP, "unable to create ldap account %s", in->username);
    response_message(out, 0, "successfully created ldap account");

    /* errors that occur after this point are not fatal  */

+    if ((krb_stat = ceo_add_princ(in->username, in->password)))
+        return response_message(out, EKERB, "unable to create kerberos principal %s", in->username);
+    response_message(out, 0, "successfully created principal");
+
    if ((group_stat = ceo_add_group(in->username, ldap_groups_base, id)))
        response_message(out, ELDAP, "unable to create ldap group %s", in->username);
    else
@ -191,7 +196,7 @@ static int32_t addclub(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
        return response_message(out, EKERB, "unable to clear principal %s", in->username);

    if ((user_stat = ceo_add_user(in->username, ldap_users_base, "club", in->realname, homedir,
-            club_shell, id, NULL)))
+            NULL, club_shell, id, NULL)))
        return response_message(out, ELDAP, "unable to create ldap account %s", in->username);
    response_message(out, 0, "successfully created ldap account");