Commit Graph

717 Commits

Author SHA1 Message Date
Nicolas Williams
fbc87e46fd Fix sqlite HDB backend init bug 2016-02-26 00:55:31 -06:00
Nicolas Williams
76965a2a14 Add missing initialization of mandatory 2016-02-16 20:49:32 -06:00
Timothy Pearson
f5f76ee72c Add ability to store extended principal attributes in LDAP
A careful code review was undertaken, and it was determined
that the best way to store the extended attributes was in a
native ASN1 encoded field.  LDAP does not understand the
SEQUENCE of SEQUENCE structures used extensively throughout
the extended attributes structure, and there was already a
precedent set for storing the krb5Key data in a native ASN1
encoded field.
2015-09-27 16:36:24 -05:00
Stefan Metzmacher
078e6f5dd2 kdc: add support for HDB_ERR_WRONG_REALM
A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ
for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.

entry_ex->entry.principal->realm needs to return the real realm of the principal
(or at least a the realm of the next cross-realm trust hop).

This is needed to route enterprise principals between AD domain trusts.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2015-07-31 17:30:23 +12:00
Nicolas Williams
528b6d093c coverity 1164092 2015-04-18 23:19:25 -05:00
Jeffrey Altman
902aa4ee02 tests on Windows
Modify the NTMakefile rules for tests so that a failed test does
not prevent subsequent tests from being executed.

Change-Id: I9595ad4a1527feae7c402241bf06ab21a0b76d4a
2015-03-21 15:44:48 -04:00
Nicolas Williams
95e56fa3ae hdb: fix hdb_unseal_keys_kvno return when no history
Prior to this change hdb_unseal_keys_kvno() could return successfully (0)
if the choice_HDB_extension_data_hist_keys extension was found but the
hist_keys list was empty.  As a side effect callers would believe that the
provide hdb_entry keys were unsealed when they weren't.  This could cause
the KDC or kadmin to report invalid key size errors.

If the extension is present and the history list is empty attempt to
unseal the provided hdb_entry using hdb_unseal_keys_mkey().

Change-Id: I9218b02bccdbcf22133a9464a677374db53ade85
2015-03-14 16:08:22 -04:00
Love Hörnquist Åstrand
24c8bac3b8 In all_etypes prefer des3-cbc-sha1 over arcfour-hmac-md5 2014-09-09 18:15:08 +02:00
Love Hörnquist Åstrand
37afa01be3 rename roken base64, fixes #107 2014-08-22 20:57:24 -07:00
Jelmer Vernooij
70e43e9808 Fix some typos. 2014-04-25 02:42:17 +02:00
Ken Dreyer
10519ce50d remove hdb ldap create declarations
The hdb_ldap_create and hdb_ldapi_create prototypes use the "static"
keyword, but the functions themselves are not implemented as static.

Heimdal's buildsystem dynamically adds function declarations to
hdb-protos.h based on the actual function implementations. Those
declarations in hdb-protos.h are not declared as static.

Since the build system generates the declarations dynamically, just
remove them from hdb-ldap.c.
2014-03-27 12:11:29 -06:00
Love Hörnquist Åstrand
4fa77ebb03 clean files 2014-02-16 11:51:56 -08:00
Love Hörnquist Åstrand
4d39bae8bb use noinst_HEADERS for hdb-private.h 2014-02-16 09:15:53 -08:00
Love Hörnquist Åstrand
f2e69c9c62 make hdb plugin test pass 2014-02-14 19:36:36 -08:00
Jeffrey Clark
cc1faff15f Simple hdb plugin test
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2014-01-31 08:49:55 +01:00
Jeffrey Clark
c1c7da7f79 Fix compiling hdb ldap as a module
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2014-01-31 08:49:51 +01:00
Love Hörnquist Åstrand
d8d0e659ce make sure h is set at when we find a match, from [GITHUB #54] 2014-01-31 08:45:29 +01:00
Nicolas Williams
2c16b0da30 Be verbose about MIT dump entry parsing failures 2013-11-20 01:07:54 -06:00
Nicolas Williams
e9d21aeffc Fix bug in loading MIT dumps 2013-11-20 01:07:54 -06:00
Love Hornquist Astrand
10f3c8b56e add possible to set rules on what enctypes to use based on glob matching on principal 2013-10-18 10:01:55 +02:00
Love Hornquist Astrand
1d84562886 add HDBGET: that only supports get, iteration doesnt really make sense for the HDB keytab except when dumping 2013-10-15 12:40:39 +02:00
Jeffrey Altman
50381859a0 hdb: fix parsing of mkey db string
The use of the wrong value for the length of ":mkey=" was identified
by Brian May and reported via github:

  https://github.com/heimdal/heimdal/issues/40

Change-Id: I0aed86a5bb0359b7a266369076fde5e62f23b5fe
2013-10-13 19:59:48 -04:00
Jeffrey Altman
3c3e2ad5e6 Windows: ktutil.exe requires libkadmsrv and libhdb
Include libkadmsrv.dll and libhdb.dll in the assembly which are
required for ktutil.exe to load.

Change-Id: Ic72d51e72daac71683a7f7000fe084197ee3c94a
2013-09-13 22:17:43 -04:00
Nicolas Williams
ccb148eedb lib/hdb/db3.c:DB_open() needs to DB_close() more
Without this the KDC can trip the assert in DB_open().
2013-09-12 12:14:39 -05:00
Nicolas Williams
075a0d32ee Add UPN support to sqlite HDB backend 2013-08-06 20:54:23 -05:00
Love Hornquist Astrand
82d71b063b support db6 too, based on patch from Lars Wendler <wendler@fasihi.net> 2013-07-18 14:58:54 +02:00
Nicolas Williams
a53f3a49e2 Fix unused variable warnings 2013-06-02 15:52:41 -05:00
Landon Fuller
6fb9bc86b7 Add a configuration option to enable LDAP Start TLS.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2013-04-24 16:21:15 -07:00
Landon Fuller
96e9025675 Add support for specifying bind DN and password.
This uses a seperate hdb-ldap-secret-file configuration value, which
specifies an external file that may be used to supply the LDAP bind dn
and password. This allows that specific file to be configured with more
restrictive permissions than the global krb5.conf.

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2013-04-24 16:21:15 -07:00
Landon Fuller
8cb8a8932e Remove unnecessary strdup() (and resulting leak)
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2013-04-24 16:21:15 -07:00
Landon Fuller
e58308e2a6 Add support for specifying an LDAP URL.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2013-04-24 16:21:14 -07:00
Love Hornquist Astrand
9b6cae5408 remove unused code that I meant to drop 2013-03-05 20:06:15 -08:00
Nicolas Williams
d9764a5399 Make lib/hdb/hdb.c build (but hdb plugins broken) 2013-03-05 21:47:21 -06:00
Love Hornquist Astrand
3cba540a5f fix prototypes 2013-03-04 10:24:35 -08:00
Love Hornquist Astrand
1eb4e2516e unify hdb_so_method and hdb_method 2013-03-04 10:18:16 -08:00
Tollef Fog Heen
4787ea76a9 Update hdb's use of the plugin interface
The various _krb5_plugin_* functions are gone, replace this with the new world order.

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2013-03-04 10:00:41 -08:00
Arvid Requate
3cf3708950 honour krb5PasswordEnd also if sambaPwdLastSet
Commit 9f696b11c2 changed the
behaviour of key expiry for principals that have an sambaPwdLastSet
attribute in LDAP. The change was twofold:

* if "password_lifetime" is not set in kdc.conf a default lifetime
  of 1 year is enforced

* krb5PasswordEnd is not honoured.

This patch causes pw_end to be modified only if sambaPwdLastSet
*and* "password_lifetime" is defined in kdc.conf.

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2013-03-04 09:47:46 -08:00
Howard Chu
9f95207933 Add support for OpenLDAP libmdb 2012-10-07 16:47:45 -07:00
Love Hornquist Astrand
216bfa564d rename mdb to mitdb 2012-10-06 15:38:56 -07:00
Love Hornquist Astrand
d9aa1ff496 use configuration for db-dir 2012-10-01 09:50:46 -07:00
Roland C. Dowdeswell
be5afdbf7f Make concurrent builds work.
To stop the errors when building concurrently, we make a number of
changes:

        1.  stop including generated files in *_SOURCES,

        2.  make *-protos.h and *-private.h depend on the *_SOURCES,

        3.  make all objects depend on *-{protos,private}.h,

        4.  in a few places change dir/header.h to $(srcdir)/dir/header.h,

This appears to work for me with make -j16 on a 4-way box.
2012-08-08 00:04:04 +01:00
Roland C. Dowdeswell
7de08cd5d0 hdb.h uses FILE * and so should #include <stdio.h>. 2012-06-27 01:58:19 +01:00
Jeffrey Altman
aed7a3b948 Windows: missing exports on Windows
synchronize the export lists on Windows and UNIX.
When new functions are exported on UNIX or Windows,
the "test" build target on Windows will verify if
the export lists are in sync.

Change-Id: I9df3607983b03ee8dc6fa7cd22f85b07a6cee784
2012-06-12 18:48:37 -04:00
Jeffrey Altman
b8e7f977f8 Windows: link libhdb against heimbase
heim_abort and heim_assert are not exported from heimdal.dll.
must link against heimbase to use them.

Change-Id: I57a29b90360f9036723c114f03a95684a4802529
2012-06-12 18:48:33 -04:00
Viktor Dukhovni
1614c49354 DB_CURSOR_BULK requires DB 4.8 or later 2012-05-29 18:56:44 +01:00
Roland C. Dowdeswell
2a27d50fa1 Formatting: unnecessary lines and trailing whitespace. 2012-05-22 23:08:18 +01:00
Viktor Dukhovni
e41ff9c0f5 Open cursor for bulk retrieval 2012-05-22 22:33:25 +01:00
Roland C. Dowdeswell
2656659fc2 Fix a typo in a comment. 2012-05-21 17:12:16 +01:00
Roland C. Dowdeswell
ac18aa10dc Eliminate unused variable warning. 2012-05-21 13:33:42 +01:00
Nicolas Williams
a3947acb38 Fix segfault in MIT dump entry parsing code 2012-05-19 21:57:53 -05:00