Updates for LDAP-backed Kerberos

Principals are now created implicitly when the LDAP entry for a user
is added. We add the keys by "changing" the password from nonexistent
to existent.

src/kadm.c

@@ -32,22 +32,22 @@ void ceo_kadm_cleanup() {
 
 int ceo_add_princ(char *user, char *password) {
     krb5_error_code retval;
-    kadm5_principal_ent_rec princ;
+    krb5_principal princ;
     memset((void *) &princ, 0, sizeof(princ));
 
     debug("kadmin: adding principal %s", user);
 
-    if ((retval = krb5_parse_name(context, user, &princ.principal))) {
+    if ((retval = krb5_parse_name(context, user, &princ))) {
         com_err(prog, retval, "while parsing principal name");
         return retval;
     }
 
-    if ((retval = kadm5_create_principal(handle, &princ, KADM5_PRINCIPAL, password))) {
+    if ((retval = kadm5_chpass_principal(handle, princ, password))) {
         com_err(prog, retval, "while creating principal");
         return retval;
     }
 
-    krb5_free_principal(context, princ.principal);
+    krb5_free_principal(context, princ);
     return 0;
 }
 

src/ldap.c

@@ -170,7 +170,7 @@ int ceo_add_group_sudo(char *group, char *basedn) {
     return ret;
 }
 
-int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home, char *shell, int no, ...) {
+int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home, char *principal, char *shell, int no, ...) {
     va_list args;
 
     if (!uid || !basedn || !cn || !home || !shell)
@@ -179,13 +179,19 @@ int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home,
     LDAPMod *mods[16];
     int i = -1;
     int ret = 0;
+    int classes = 4;
 
     mods[++i] = xmalloc(sizeof(LDAPMod));
     mods[i]->mod_op = LDAP_MOD_ADD;
     mods[i]->mod_type = "objectClass";
-    char *objectClasses[] = { "top", "account", "posixAccount", "shadowAccount", NULL, NULL };
+    char *objectClasses[] = { "top", "account", "posixAccount", "shadowAccount", NULL, NULL, NULL, NULL };
     if (objclass != NULL)
-        objectClasses[4] = objclass;
+        objectClasses[classes++] = objclass;
+    if (principal) {
+        objectClasses[classes++] = "krbPrincipalAux";
+        objectClasses[classes++] = "krbTicketPolicyAux";
+
+    }
     mods[i]->mod_values = objectClasses;
 
     mods[++i] = xmalloc(sizeof(LDAPMod));
@@ -225,6 +231,14 @@ int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home,
     char *homeDirectory[] = { home, NULL };
     mods[i]->mod_values = homeDirectory;
 
+    if (principal) {
+        mods[++i] = xmalloc(sizeof(LDAPMod));
+        mods[i]->mod_op = LDAP_MOD_ADD;
+        mods[i]->mod_type = "krbPrincipalName";
+        char *krbPrincipalName[] = { principal, NULL };
+        mods[i]->mod_values = krbPrincipalName;
+    }
+
     va_start(args, no);
     char *attr;
     while ((attr = va_arg(args, char *))) {

src/ldap.h

@@ -1,6 +1,6 @@
 #define LDAP_DEFAULT_PROTOCOL LDAP_VERSION3
 
-int ceo_add_user(char *, char *, char *, char *, char *, char *, int, ...);
+int ceo_add_user(char *, char *, char *, char *, char *, char *, char *, int, ...);
 int ceo_add_group(char *, char *, int);
 int ceo_add_group_sudo(char *, char *);
 int ceo_new_uid(int, int);

src/op-adduser.c

@@ -137,9 +137,14 @@ static void adduser_spam(Ceo__AddUser *in, Ceo__AddUserResponse *out, char *clie
 
 static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
     char homedir[1024];
+    char principal[1024];
     int user_stat, group_stat, krb_stat, home_stat;
     int id;
 
+    if (snprintf(principal, sizeof(principal), "%s@%s",
+                in->username, krb5_realm) >= sizeof(principal))
+        fatal("principal overflow");
+
     if (snprintf(homedir, sizeof(homedir), "%s/%s",
                  member_home, in->username) >= sizeof(homedir))
         fatal("homedir overflow");
@@ -150,17 +155,17 @@ static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
     if ((krb_stat = ceo_del_princ(in->username)))
         return response_message(out, EEXIST, "unable to overwrite orphaned kerberos principal %s", in->username);
 
-    if ((krb_stat = ceo_add_princ(in->username, in->password)))
+    if ((user_stat = ceo_add_user(in->username, ldap_users_base, "member", in->realname, homedir, principal,
-        return response_message(out, EKERB, "unable to create kerberos principal %s", in->username);
-    response_message(out, 0, "successfully created principal");
-
-    if ((user_stat = ceo_add_user(in->username, ldap_users_base, "member", in->realname, homedir,
             member_shell, id, "program", in->program, NULL)))
         return response_message(out, ELDAP, "unable to create ldap account %s", in->username);
     response_message(out, 0, "successfully created ldap account");
 
     /* errors that occur after this point are not fatal  */
 
+    if ((krb_stat = ceo_add_princ(in->username, in->password)))
+        return response_message(out, EKERB, "unable to create kerberos principal %s", in->username);
+    response_message(out, 0, "successfully created principal");
+
     if ((group_stat = ceo_add_group(in->username, ldap_groups_base, id)))
         response_message(out, ELDAP, "unable to create ldap group %s", in->username);
     else
@@ -191,7 +196,7 @@ static int32_t addclub(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
         return response_message(out, EKERB, "unable to clear principal %s", in->username);
 
     if ((user_stat = ceo_add_user(in->username, ldap_users_base, "club", in->realname, homedir,
-            club_shell, id, NULL)))
+            NULL, club_shell, id, NULL)))
         return response_message(out, ELDAP, "unable to create ldap account %s", in->username);
     response_message(out, 0, "successfully created ldap account");