
Patch al pacchetto debian di openldap - Simone Piccardi, 08/31/2011 02:58 PM


contrib/slapd-modules/README 2010-04-13 22:22:25.000000000 +0200 → contrib/slapd-modules/README 2011-08-30 16:17:52.000000000 +0200
49 49
	Proxy Authorization compatibility with obsolete internet-draft.
50 50

  
51 51
smbk5pwd (overlay)
52
	Make the PasswordModify Extended Operation update Kerberos
53
	keys and Samba password hashes as well as userPassword.
52
	Make the PasswordModify Extended Operation update Kerberos keys,
53
	Samba password hashes, and shadowLastChange, as well as userPassword.
54 54

  
55 55
trace (overlay)
56 56
	Trace overlay invocation.
contrib/slapd-modules/smbk5pwd/Makefile 2011-08-30 16:10:25.000000000 +0200 → contrib/slapd-modules/smbk5pwd/Makefile 2011-08-30 16:18:10.000000000 +0200
16 16
OPT=-g -O2
17 17
CC=gcc
18 18

  
19
# Omit DO_KRB5 or DO_SAMBA if you don't want to support it.
20
DEFS=-DDO_KRB5 -DDO_SAMBA
19
# Omit DO_KRB5, DO_SAMBA, or DO_SHADOW if you don't want to support it.
20
DEFS=-DDO_KRB5 -DDO_SAMBA -DDO_SHADOW
21 21

  
22 22
HEIMDAL_INC=-I/usr/include
23 23
SSL_INC=
contrib/slapd-modules/smbk5pwd/README 2010-04-13 22:22:30.000000000 +0200 → contrib/slapd-modules/smbk5pwd/README 2011-08-30 16:18:37.000000000 +0200
1 1
This directory contains a slapd overlay, smbk5pwd, that extends the
2
PasswordModify Extended Operation to update Kerberos keys and Samba
3
password hashes for an LDAP user.
2
PasswordModify Extended Operation to update Kerberos keys, Samba
3
password hashes, and the shadowLastChange attribute for an LDAP user.
4 4

  
5 5
The Kerberos support is written for Heimdal using its hdb-ldap backend.
6 6
If a PasswordModify is performed on an entry that has the krb5KDCEntry
......
17 17
objectclass, then the sambaLMPassword, sambaNTPassword, and sambaPwdLastSet
18 18
attributes will be updated accordingly.
19 19

  
20
The Shadow support updates the shadowLastChange attribute to the current
21
date if a PasswordModify is performed on an entry that has the
22
shadowAccount objectclass.
23

  
20 24
To use the overlay, add:
21 25

  
22 26
	include <path to>/krb5-kdc.schema
......
40 44
	smbk5pwd-enable		<module>
41 45

  
42 46
can be used to enable only the desired one(s); legal values for <module>
43
are "krb5" and "samba", if they are respectively enabled by defining
44
DO_KRB5 and DO_SAMBA.
47
are "krb5", "samba", and "shadow", if they are respectively enabled by defining
48
DO_KRB5, DO_SAMBA, and DO_SHADOW.
45 49

  
46 50
The samba module also supports the
47 51

  
......
60 64
	olcOverlay: {0}smbk5pwd
61 65
	olcSmbK5PwdEnable: krb5
62 66
	olcSmbK5PwdEnable: samba
67
	olcSmbK5PwdEnable: shadow
63 68
	olcSmbK5PwdMustChange: 2592000
64 69

  
65
which enables both krb5 and samba modules with a password expiry time
66
of 30 days.
70
which enables all the krb5, samba, and shadow modules with a password
71
expiry time of 30 days.
67 72

  
68
The provided Makefile builds both Kerberos and Samba support by default.
69
You must edit the Makefile to insure that the correct include and library
70
paths are used. You can change the DEFS macro if you only want one or the
71
other of Kerberos or Samba support.
73
The provided Makefile builds all of Kerberos, Samba, and Shadow support by
74
default. You must edit the Makefile to insure that the correct include and
75
library paths are used. You can change the DEFS macro if you only want partial
76
support.
72 77

  
73 78
This overlay is only set up to be built as a dynamically loaded module.
74 79
On most platforms, in order for the module to be usable, all of the 
contrib/slapd-modules/smbk5pwd/smbk5pwd.c 2010-04-13 22:22:30.000000000 +0200 → contrib/slapd-modules/smbk5pwd/smbk5pwd.c 2011-08-30 16:18:20.000000000 +0200
17 17
/* ACKNOWLEDGEMENTS:
18 18
 * Support for table-driven configuration added by Pierangelo Masarati.
19 19
 * Support for sambaPwdMustChange and sambaPwdCanChange added by Marco D'Ettorre.
20
 * Support for shadowLastChange added by Mark A. Ziesemer <www.ziesemer.com>.
20 21
 */
21 22

  
22 23
#include <portable.h>
......
81 82
static ObjectClass *oc_sambaSamAccount;
82 83
#endif
83 84

  
85
#ifdef DO_SAMBA
86
static AttributeDescription *ad_shadowLastChange;
87
static ObjectClass *oc_shadowAccount;
88
#endif
89

  
84 90
/* Per-instance configuration information */
85 91
typedef struct smbk5pwd_t {
86 92
	unsigned	mode;
87 93
#define	SMBK5PWD_F_KRB5		(0x1U)
88 94
#define	SMBK5PWD_F_SAMBA	(0x2U)
95
#define SMBK5PWD_F_SHADOW	(0x4U)
89 96

  
90 97
#define SMBK5PWD_DO_KRB5(pi)	((pi)->mode & SMBK5PWD_F_KRB5)
91 98
#define SMBK5PWD_DO_SAMBA(pi)	((pi)->mode & SMBK5PWD_F_SAMBA)
99
#define SMBK5PWD_DO_SHADOW(pi)	((pi)->mode & SMBK5PWD_F_SHADOW)
92 100

  
93 101
#ifdef DO_KRB5
94 102
	/* nothing yet */
......
100 108
	/* How many seconds after allowing a password change? */
101 109
	time_t  smb_can_change;
102 110
#endif
111

  
112
#ifdef DO_SHADOW
113
	/* nothing yet */
114
#endif
103 115
} smbk5pwd_t;
104 116

  
105 117
static const unsigned SMBK5PWD_F_ALL	=
......
110 122
#ifdef DO_SAMBA
111 123
	| SMBK5PWD_F_SAMBA
112 124
#endif
125
#ifdef DO_SHADOW
126
	| SMBK5PWD_F_SHADOW
127
#endif
113 128
;
114 129

  
115 130
static int smbk5pwd_modules_init( smbk5pwd_t *pi );
......
653 668
		}
654 669
	}
655 670
#endif /* DO_SAMBA */
671

  
672
#ifdef DO_SHADOW
673
	/* Shadow stuff */
674
	if ( SMBK5PWD_DO_SHADOW( pi ) && is_entry_objectclass(e, oc_shadowAccount, 0 ) ) {
675
		struct berval *keys;
676
	
677
		ml = ch_malloc(sizeof(Modifications));
678
		ml->sml_next = qpw->rs_mods;
679
		qpw->rs_mods = ml;
680

  
681
		keys = ch_malloc( 2 * sizeof(struct berval) );
682
		keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
683
		keys[0].bv_len = snprintf(keys[0].bv_val,
684
			LDAP_PVT_INTTYPE_CHARS(long),
685
			"%ld", slap_get_time() / 60 / 60 / 24 );
686
		BER_BVZERO( &keys[1] );
687

  
688
		ml->sml_desc = ad_shadowLastChange;
689
		ml->sml_op = LDAP_MOD_REPLACE;
690
#ifdef SLAP_MOD_INTERNAL
691
		ml->sml_flags = SLAP_MOD_INTERNAL;
692
#endif
693
		ml->sml_numvals = 1;
694
		ml->sml_values = keys;
695
		ml->sml_nvalues = NULL;
696
	}
697
#endif /* DO_SHADOW */
698

  
656 699
	be_entry_release_r( op, e );
657 700
	qpw->rs_new.bv_val[qpw->rs_new.bv_len] = term;
658 701

  
......
715 758
static slap_verbmasks smbk5pwd_modules[] = {
716 759
	{ BER_BVC( "krb5" ),		SMBK5PWD_F_KRB5	},
717 760
	{ BER_BVC( "samba" ),		SMBK5PWD_F_SAMBA },
761
	{ BER_BVC( "shadow" ),		SMBK5PWD_F_SHADOW },
718 762
	{ BER_BVNULL,			-1 }
719 763
};
720 764

  
......
860 904
		}
861 905
#endif /* ! DO_SAMBA */
862 906

  
907
#ifndef DO_SHADOW
908
		if ( SMBK5PWD_DO_SHADOW( pi ) ) {
909
			Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
910
			"<%s> module \"%s\" only allowed when compiled with -DDO_SHADOW.\n",
911
			c->log, c->argv[ 0 ], c->argv[ rc ] );
912
			pi->mode = mode;
913
			return 1;
914
		}
915
#endif /* ! DO_SHADOW */
916

  
863 917
		{
864 918
			BackendDB	db = *c->be;
865 919

  
......
882 936
	return rc;
883 937
}
884 938

  
939
typedef struct smbk5pwd_verify_schema_t {
940
	const char  *name;
941
	AttributeDescription **adp;
942
} smbk5pwd_verify_schema_t;
943

  
885 944
static int
886
smbk5pwd_modules_init( smbk5pwd_t *pi )
945
smbk5pwd_modules_verify_schema(const char *ocName, ObjectClass **oc, smbk5pwd_verify_schema_t *ad)
887 946
{
888
	static struct {
889
		const char		*name;
890
		AttributeDescription	**adp;
947
	int i, rc;
948

  
949

  
950
	*oc = oc_find( ocName );
951
	if ( !*oc ) {
952
		Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
953
			"unable to find \"%s\" objectClass.\n",
954
			ocName, 0, 0 );
955
		return -1;
956
	}
957

  
958
	for ( i = 0; ad[ i ].name != NULL; i++ ) {
959
		const char *text;
960

  
961
		*(ad[ i ].adp) = NULL;
962

  
963
		rc = slap_str2ad( ad[ i ].name, ad[ i ].adp, &text );
964
		if ( rc != LDAP_SUCCESS ) {
965
			Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
966
				"unable to find \"%s\" attributeType: %s (%d).\n",
967
				ad[ i ].name, text, rc );
968
			*oc = NULL;
969
			return rc;
970
		}
891 971
	}
972
}
973

  
974
static int
975
smbk5pwd_modules_init( smbk5pwd_t *pi )
976
{
977

  
892 978
#ifdef DO_KRB5
893
	krb5_ad[] = {
979
	smbk5pwd_verify_schema_t krb5_ad[] = {
894 980
		{ "krb5Key",			&ad_krb5Key },
895 981
		{ "krb5KeyVersionNumber",	&ad_krb5KeyVersionNumber },
896 982
		{ "krb5PrincipalName",		&ad_krb5PrincipalName },
897 983
		{ "krb5ValidEnd",		&ad_krb5ValidEnd },
898 984
		{ NULL }
899
	},
985
	};
900 986
#endif /* DO_KRB5 */
901 987
#ifdef DO_SAMBA
902
	samba_ad[] = {
988
	smbk5pwd_verify_schema_t samba_ad[] = {
903 989
		{ "sambaLMPassword",		&ad_sambaLMPassword },
904 990
		{ "sambaNTPassword",		&ad_sambaNTPassword },
905 991
		{ "sambaPwdLastSet",		&ad_sambaPwdLastSet },
906 992
		{ "sambaPwdMustChange",		&ad_sambaPwdMustChange },
907 993
		{ "sambaPwdCanChange",		&ad_sambaPwdCanChange },
908 994
		{ NULL }
909
	},
995
	};
910 996
#endif /* DO_SAMBA */
911
	dummy_ad;
912 997

  
913
	/* this is to silence the unused var warning */
914
	dummy_ad.name = NULL;
998
#ifdef DO_SHADOW
999
	smbk5pwd_verify_schema_t shadow_ad[] = {
1000
		{ "shadowLastChange",  &ad_shadowLastChange },
1001
		{ NULL }
1002
	};
1003
#endif /* DO_SHADOW */
915 1004

  
916 1005
#ifdef DO_KRB5
917 1006
	if ( SMBK5PWD_DO_KRB5( pi ) && oc_krb5KDCEntry == NULL ) {
918 1007
		krb5_error_code	ret;
919 1008
		extern HDB 	*_kadm5_s_get_db(void *);
920 1009

  
921
		int		i, rc;
922

  
923
		/* Make sure all of our necessary schema items are loaded */
924
		oc_krb5KDCEntry = oc_find( "krb5KDCEntry" );
925
		if ( !oc_krb5KDCEntry ) {
926
			Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
927
				"unable to find \"krb5KDCEntry\" objectClass.\n",
928
				0, 0, 0 );
929
			return -1;
930
		}
931

  
932
		for ( i = 0; krb5_ad[ i ].name != NULL; i++ ) {
933
			const char	*text;
934

  
935
			*(krb5_ad[ i ].adp) = NULL;
936

  
937
			rc = slap_str2ad( krb5_ad[ i ].name, krb5_ad[ i ].adp, &text );
938
			if ( rc != LDAP_SUCCESS ) {
939
				Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
940
					"unable to find \"%s\" attributeType: %s (%d).\n",
941
					krb5_ad[ i ].name, text, rc );
942
				oc_krb5KDCEntry = NULL;
943
				return rc;
944
			}
1010
		int rc = smbk5pwd_modules_verify_schema("krb5KDCEntry", &oc_krb5KDCEntry, krb5_ad);
1011
		if ( rc != LDAP_SUCCESS ) {
1012
			return rc;
945 1013
		}
946 1014

  
947 1015
		/* Initialize Kerberos context */
......
980 1048

  
981 1049
#ifdef DO_SAMBA
982 1050
	if ( SMBK5PWD_DO_SAMBA( pi ) && oc_sambaSamAccount == NULL ) {
983
		int		i, rc;
984

  
985
		oc_sambaSamAccount = oc_find( "sambaSamAccount" );
986
		if ( !oc_sambaSamAccount ) {
987
			Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
988
				"unable to find \"sambaSamAccount\" objectClass.\n",
989
				0, 0, 0 );
990
			return -1;
1051
		int rc = smbk5pwd_modules_verify_schema("sambaSamAccount", &oc_sambaSamAccount, samba_ad);
1052
		if ( rc != LDAP_SUCCESS ) {
1053
			return rc;
991 1054
		}
1055
	}
1056
#endif /* DO_SAMBA */
992 1057

  
993
		for ( i = 0; samba_ad[ i ].name != NULL; i++ ) {
994
			const char	*text;
995

  
996
			*(samba_ad[ i ].adp) = NULL;
997

  
998
			rc = slap_str2ad( samba_ad[ i ].name, samba_ad[ i ].adp, &text );
999
			if ( rc != LDAP_SUCCESS ) {
1000
				Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
1001
					"unable to find \"%s\" attributeType: %s (%d).\n",
1002
					samba_ad[ i ].name, text, rc );
1003
				oc_sambaSamAccount = NULL;
1004
				return rc;
1005
			}
1058
#ifdef DO_SHADOW
1059
	if ( SMBK5PWD_DO_SHADOW( pi ) && oc_shadowAccount == NULL ) {
1060
		int rc = smbk5pwd_modules_verify_schema("shadowAccount", &oc_shadowAccount, shadow_ad);
1061
		if ( rc != LDAP_SUCCESS ) {
1062
			return rc;
1006 1063
		}
1007 1064
	}
1008
#endif /* DO_SAMBA */
1065
#endif /* DO_SHADOW */
1009 1066

  
1010 1067
	return 0;
1011 1068
}
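Review bot: The new `smbk5pwd_modules_verify_schema` (declared `static int`) has no return on its success path — after the `for` loop over `ad[ i ]` the function simply reaches its closing brace, so the `if ( rc != LDAP_SUCCESS )` checks at the three new call sites read an indeterminate value, which is undefined behaviour in C and may make schema verification spuriously fail or pass. Add `return LDAP_SUCCESS;` after the loop, just before the function's closing brace, so the helper mirrors the original inline code it replaces. Separately, the new file-scope declarations of `ad_shadowLastChange` and `oc_shadowAccount` are wrapped in `#ifdef DO_SAMBA`, whereas every other shadow addition uses `DO_SHADOW`; this looks like a copy-paste slip that would break a build with `-DDO_SHADOW` but without `-DDO_SAMBA` (undeclared identifiers in the passwd-modify path and in `smbk5pwd_modules_init`), so that guard should read `#ifdef DO_SHADOW`.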