From c5bdfc71939ad5338c707cb6c6b0d2187d78b801 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Jun 24 2010 18:24:15 +0000 Subject: Don't try to convert a host's password into a keytab. The migration plugin uses a pre-op function to automatically create kerberos credentials when binding using a password. The problem is that we do a simple bind when doing password-base host enrollment. This was causing krbPasswordExpiration to be set which isn't what we want for hosts. They really shouldn't go through this code at all. --- diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index bd04e9d..c2d0373 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -2168,7 +2168,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) char timestr[GENERALIZED_TIME_LENGTH+1]; time_t time_now = time(NULL); char *pw = NULL; - char *krbPrincipalName = NULL; + Slapi_Value *objectclass; svals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *)); if (!svals) { @@ -2587,8 +2587,9 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) * the userPassword attribute if it exists */ pw = slapi_entry_attr_get_charptr(targetEntry, "userPassword"); - krbPrincipalName = slapi_entry_attr_get_charptr(targetEntry, "krbPrincipalName"); - if ((strncmp(krbPrincipalName, "host/", 5) == 0)) { + objectclass = slapi_value_new_string("ipaHost"); + if ((slapi_entry_attr_has_syntax_value(targetEntry, SLAPI_ATTR_OBJECTCLASS, objectclass)) == 1) + { char * krbLastPwdChange = slapi_entry_attr_get_charptr(targetEntry, "krbLastPwdChange"); char * enrolledBy = slapi_entry_attr_get_charptr(targetEntry, "enrolledBy"); if (NULL == enrolledBy) { 
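Review bot: The new host test in this hunk keys on the ipaHost objectclass instead of the `host/` principal prefix, so an entry that carries a `host/` principal but not the ipaHost objectclass (a service-style principal, or a host created by older tooling — if such entries exist here) would no longer have its userPassword stripped after the keytab is set; that narrowing is presumably intended but deserves a comment since the old check and the new one are not equivalent. The change also removes the unguarded `strncmp(krbPrincipalName, ...)`, which dereferenced the attribute without a NULL check. I would document the intent above the check: `/* only ipaHost entries use a one-time enrollment password that must be cleared once the keytab exists; matching is by objectclass, not principal prefix */`. The `krbLastPwdChange` string allocated inside the block is owned by this function and must be released on every path out of the block; ipapwd_setkeytab continues outside the hunk.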
@@ -2604,9 +2605,9 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) "Removing userPassword from host entry\n"); slapi_ch_free_string(&pw); } - slapi_ch_free_string(&krbLastPwdChange); + slapi_value_free(&objectclass); } - slapi_ch_free_string(&krbPrincipalName); + slapi_value_free(&objectclass); /* commit changes */ ret = ipapwd_apply_mods(slapi_entry_get_dn_const(targetEntry), smods); @@ -3280,6 +3281,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) char *errMesg = "Internal operations error\n"; /* error message */ char *expire = NULL; /* passwordExpirationTime attribute value */ char *dn = NULL; /* bind DN */ + Slapi_Value *objectclass; int method; /* authentication method */ int ret = 0; @@ -3322,6 +3324,14 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) goto done; } + /* we aren't interested in host principals */ + objectclass = slapi_value_new_string("ipaHost"); + if ((slapi_entry_attr_has_syntax_value(entry, SLAPI_ATTR_OBJECTCLASS, objectclass)) == 1) { + slapi_value_free(&objectclass); + goto done; + } + slapi_value_free(&objectclass); + /* check the krbPrincipalKey attribute is NOT present */ ret = slapi_entry_attr_find(entry, "krbprincipalkey", &attr); if (!ret) {
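Review bot: In the -2604 hunk the `slapi_ch_free_string(&krbLastPwdChange);` inside the host block was replaced by `slapi_value_free(&objectclass);` rather than kept alongside it, so `krbLastPwdChange` (allocated with slapi_entry_attr_get_charptr in the preceding hunk) now leaks on every host keytab set unless it is freed somewhere not shown. The inner `slapi_value_free(&objectclass);` is also redundant with the one right after the closing brace; calling it twice is only harmless because slapi_value_free is expected to NULL the pointer, which is a brittle thing to rely on for a call that does no work. I would put the string free back and drop the duplicate: inside the block `slapi_ch_free_string(&krbLastPwdChange);`, and keep the single `slapi_value_free(&objectclass);` after the block. The enclosing function starts and ends outside this hunk.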
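Review bot: The ipaHost early-out added in the -3322 hunk says only that we "aren't interested in host principals", but the security-relevant fact is what happens to the bind: `goto done` lets the simple bind proceed as-is, with no Kerberos keys derived from the password and no krbPasswordExpiration written, which is the behaviour the commit message wants for password-based host enrollment. That should be stated where the next maintainer will read it, e.g. `/* ipaHost entries bind with a one-time enrollment password and get keys via the keytab extop; let the bind proceed without minting Kerberos keys or setting krbPasswordExpiration */`. Note that the skip is decided purely by objectclass, so it should be placed before any state is written to the entry — here it precedes the krbPrincipalKey check, which looks right, but whatever `done:` does with `ret` is outside the hunk and should be confirmed to return success on this path. ipapwd_pre_bind continues beyond the end of the hunk.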