Updates for LDAP-backed Kerberos

Principals are now created implicitly when the LDAP entry for a user
is added. We add the keys by "changing" the password from nonexistent
to existent.
This commit is contained in:
Michael Spang 2009-07-29 16:42:56 -04:00
parent 1c8e247732
commit 778efc71aa
4 changed files with 33 additions and 14 deletions

View File

@ -32,22 +32,22 @@ void ceo_kadm_cleanup() {
int ceo_add_princ(char *user, char *password) {
krb5_error_code retval;
kadm5_principal_ent_rec princ;
krb5_principal princ;
memset((void *) &princ, 0, sizeof(princ));
debug("kadmin: adding principal %s", user);
if ((retval = krb5_parse_name(context, user, &princ.principal))) {
if ((retval = krb5_parse_name(context, user, &princ))) {
com_err(prog, retval, "while parsing principal name");
return retval;
}
if ((retval = kadm5_create_principal(handle, &princ, KADM5_PRINCIPAL, password))) {
if ((retval = kadm5_chpass_principal(handle, princ, password))) {
com_err(prog, retval, "while creating principal");
return retval;
}
krb5_free_principal(context, princ.principal);
krb5_free_principal(context, princ);
return 0;
}

View File

@ -170,7 +170,7 @@ int ceo_add_group_sudo(char *group, char *basedn) {
return ret;
}
int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home, char *shell, int no, ...) {
int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home, char *principal, char *shell, int no, ...) {
va_list args;
if (!uid || !basedn || !cn || !home || !shell)
@ -179,13 +179,19 @@ int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home,
LDAPMod *mods[16];
int i = -1;
int ret = 0;
int classes = 4;
mods[++i] = xmalloc(sizeof(LDAPMod));
mods[i]->mod_op = LDAP_MOD_ADD;
mods[i]->mod_type = "objectClass";
char *objectClasses[] = { "top", "account", "posixAccount", "shadowAccount", NULL, NULL };
char *objectClasses[] = { "top", "account", "posixAccount", "shadowAccount", NULL, NULL, NULL, NULL };
if (objclass != NULL)
objectClasses[4] = objclass;
objectClasses[classes++] = objclass;
if (principal) {
objectClasses[classes++] = "krbPrincipalAux";
objectClasses[classes++] = "krbTicketPolicyAux";
}
mods[i]->mod_values = objectClasses;
mods[++i] = xmalloc(sizeof(LDAPMod));
@ -225,6 +231,14 @@ int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home,
char *homeDirectory[] = { home, NULL };
mods[i]->mod_values = homeDirectory;
if (principal) {
mods[++i] = xmalloc(sizeof(LDAPMod));
mods[i]->mod_op = LDAP_MOD_ADD;
mods[i]->mod_type = "krbPrincipalName";
char *krbPrincipalName[] = { principal, NULL };
mods[i]->mod_values = krbPrincipalName;
}
va_start(args, no);
char *attr;
while ((attr = va_arg(args, char *))) {

View File

@ -1,6 +1,6 @@
#define LDAP_DEFAULT_PROTOCOL LDAP_VERSION3
int ceo_add_user(char *, char *, char *, char *, char *, char *, int, ...);
int ceo_add_user(char *, char *, char *, char *, char *, char *, char *, int, ...);
int ceo_add_group(char *, char *, int);
int ceo_add_group_sudo(char *, char *);
int ceo_new_uid(int, int);

View File

@ -137,9 +137,14 @@ static void adduser_spam(Ceo__AddUser *in, Ceo__AddUserResponse *out, char *clie
static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
char homedir[1024];
char principal[1024];
int user_stat, group_stat, krb_stat, home_stat;
int id;
if (snprintf(principal, sizeof(principal), "%s@%s",
in->username, krb5_realm) >= sizeof(principal))
fatal("principal overflow");
if (snprintf(homedir, sizeof(homedir), "%s/%s",
member_home, in->username) >= sizeof(homedir))
fatal("homedir overflow");
@ -150,17 +155,17 @@ static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
if ((krb_stat = ceo_del_princ(in->username)))
return response_message(out, EEXIST, "unable to overwrite orphaned kerberos principal %s", in->username);
if ((krb_stat = ceo_add_princ(in->username, in->password)))
return response_message(out, EKERB, "unable to create kerberos principal %s", in->username);
response_message(out, 0, "successfully created principal");
if ((user_stat = ceo_add_user(in->username, ldap_users_base, "member", in->realname, homedir,
if ((user_stat = ceo_add_user(in->username, ldap_users_base, "member", in->realname, homedir, principal,
member_shell, id, "program", in->program, NULL)))
return response_message(out, ELDAP, "unable to create ldap account %s", in->username);
response_message(out, 0, "successfully created ldap account");
/* errors that occur after this point are not fatal */
if ((krb_stat = ceo_add_princ(in->username, in->password)))
return response_message(out, EKERB, "unable to create kerberos principal %s", in->username);
response_message(out, 0, "successfully created principal");
if ((group_stat = ceo_add_group(in->username, ldap_groups_base, id)))
response_message(out, ELDAP, "unable to create ldap group %s", in->username);
else
@ -191,7 +196,7 @@ static int32_t addclub(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
return response_message(out, EKERB, "unable to clear principal %s", in->username);
if ((user_stat = ceo_add_user(in->username, ldap_users_base, "club", in->realname, homedir,
club_shell, id, NULL)))
NULL, club_shell, id, NULL)))
return response_message(out, ELDAP, "unable to create ldap account %s", in->username);
response_message(out, 0, "successfully created ldap account");