Updates for LDAP-backed Kerberos
Principals are now created implicitly when the LDAP entry for a user is added. We add the keys by "changing" the password from nonexistent to existent.
This commit is contained in:
parent
1c8e247732
commit
778efc71aa
|
@ -32,22 +32,22 @@ void ceo_kadm_cleanup() {
|
|||
|
||||
int ceo_add_princ(char *user, char *password) {
|
||||
krb5_error_code retval;
|
||||
kadm5_principal_ent_rec princ;
|
||||
krb5_principal princ;
|
||||
memset((void *) &princ, 0, sizeof(princ));
|
||||
|
||||
debug("kadmin: adding principal %s", user);
|
||||
|
||||
if ((retval = krb5_parse_name(context, user, &princ.principal))) {
|
||||
if ((retval = krb5_parse_name(context, user, &princ))) {
|
||||
com_err(prog, retval, "while parsing principal name");
|
||||
return retval;
|
||||
}
|
||||
|
||||
if ((retval = kadm5_create_principal(handle, &princ, KADM5_PRINCIPAL, password))) {
|
||||
if ((retval = kadm5_chpass_principal(handle, princ, password))) {
|
||||
com_err(prog, retval, "while creating principal");
|
||||
return retval;
|
||||
}
|
||||
|
||||
krb5_free_principal(context, princ.principal);
|
||||
krb5_free_principal(context, princ);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
20
src/ldap.c
20
src/ldap.c
|
@ -170,7 +170,7 @@ int ceo_add_group_sudo(char *group, char *basedn) {
|
|||
return ret;
|
||||
}
|
||||
|
||||
int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home, char *shell, int no, ...) {
|
||||
int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home, char *principal, char *shell, int no, ...) {
|
||||
va_list args;
|
||||
|
||||
if (!uid || !basedn || !cn || !home || !shell)
|
||||
|
@ -179,13 +179,19 @@ int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home,
|
|||
LDAPMod *mods[16];
|
||||
int i = -1;
|
||||
int ret = 0;
|
||||
int classes = 4;
|
||||
|
||||
mods[++i] = xmalloc(sizeof(LDAPMod));
|
||||
mods[i]->mod_op = LDAP_MOD_ADD;
|
||||
mods[i]->mod_type = "objectClass";
|
||||
char *objectClasses[] = { "top", "account", "posixAccount", "shadowAccount", NULL, NULL };
|
||||
char *objectClasses[] = { "top", "account", "posixAccount", "shadowAccount", NULL, NULL, NULL, NULL };
|
||||
if (objclass != NULL)
|
||||
objectClasses[4] = objclass;
|
||||
objectClasses[classes++] = objclass;
|
||||
if (principal) {
|
||||
objectClasses[classes++] = "krbPrincipalAux";
|
||||
objectClasses[classes++] = "krbTicketPolicyAux";
|
||||
|
||||
}
|
||||
mods[i]->mod_values = objectClasses;
|
||||
|
||||
mods[++i] = xmalloc(sizeof(LDAPMod));
|
||||
|
@ -225,6 +231,14 @@ int ceo_add_user(char *uid, char *basedn, char *objclass, char *cn, char *home,
|
|||
char *homeDirectory[] = { home, NULL };
|
||||
mods[i]->mod_values = homeDirectory;
|
||||
|
||||
if (principal) {
|
||||
mods[++i] = xmalloc(sizeof(LDAPMod));
|
||||
mods[i]->mod_op = LDAP_MOD_ADD;
|
||||
mods[i]->mod_type = "krbPrincipalName";
|
||||
char *krbPrincipalName[] = { principal, NULL };
|
||||
mods[i]->mod_values = krbPrincipalName;
|
||||
}
|
||||
|
||||
va_start(args, no);
|
||||
char *attr;
|
||||
while ((attr = va_arg(args, char *))) {
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#define LDAP_DEFAULT_PROTOCOL LDAP_VERSION3
|
||||
|
||||
int ceo_add_user(char *, char *, char *, char *, char *, char *, int, ...);
|
||||
int ceo_add_user(char *, char *, char *, char *, char *, char *, char *, int, ...);
|
||||
int ceo_add_group(char *, char *, int);
|
||||
int ceo_add_group_sudo(char *, char *);
|
||||
int ceo_new_uid(int, int);
|
||||
|
|
|
@ -137,9 +137,14 @@ static void adduser_spam(Ceo__AddUser *in, Ceo__AddUserResponse *out, char *clie
|
|||
|
||||
static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
|
||||
char homedir[1024];
|
||||
char principal[1024];
|
||||
int user_stat, group_stat, krb_stat, home_stat;
|
||||
int id;
|
||||
|
||||
if (snprintf(principal, sizeof(principal), "%s@%s",
|
||||
in->username, krb5_realm) >= sizeof(principal))
|
||||
fatal("principal overflow");
|
||||
|
||||
if (snprintf(homedir, sizeof(homedir), "%s/%s",
|
||||
member_home, in->username) >= sizeof(homedir))
|
||||
fatal("homedir overflow");
|
||||
|
@ -150,17 +155,17 @@ static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
|
|||
if ((krb_stat = ceo_del_princ(in->username)))
|
||||
return response_message(out, EEXIST, "unable to overwrite orphaned kerberos principal %s", in->username);
|
||||
|
||||
if ((krb_stat = ceo_add_princ(in->username, in->password)))
|
||||
return response_message(out, EKERB, "unable to create kerberos principal %s", in->username);
|
||||
response_message(out, 0, "successfully created principal");
|
||||
|
||||
if ((user_stat = ceo_add_user(in->username, ldap_users_base, "member", in->realname, homedir,
|
||||
if ((user_stat = ceo_add_user(in->username, ldap_users_base, "member", in->realname, homedir, principal,
|
||||
member_shell, id, "program", in->program, NULL)))
|
||||
return response_message(out, ELDAP, "unable to create ldap account %s", in->username);
|
||||
response_message(out, 0, "successfully created ldap account");
|
||||
|
||||
/* errors that occur after this point are not fatal */
|
||||
|
||||
if ((krb_stat = ceo_add_princ(in->username, in->password)))
|
||||
return response_message(out, EKERB, "unable to create kerberos principal %s", in->username);
|
||||
response_message(out, 0, "successfully created principal");
|
||||
|
||||
if ((group_stat = ceo_add_group(in->username, ldap_groups_base, id)))
|
||||
response_message(out, ELDAP, "unable to create ldap group %s", in->username);
|
||||
else
|
||||
|
@ -191,7 +196,7 @@ static int32_t addclub(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
|
|||
return response_message(out, EKERB, "unable to clear principal %s", in->username);
|
||||
|
||||
if ((user_stat = ceo_add_user(in->username, ldap_users_base, "club", in->realname, homedir,
|
||||
club_shell, id, NULL)))
|
||||
NULL, club_shell, id, NULL)))
|
||||
return response_message(out, ELDAP, "unable to create ldap account %s", in->username);
|
||||
response_message(out, 0, "successfully created ldap account");
|
||||
|
||||
|
|
Loading…
Reference in New Issue