      1 /*
      2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
      3  * Use is subject to license terms.
      4  */
      5 
      6 #ifndef	__KADM5_ADMIN_H__
      7 #define	__KADM5_ADMIN_H__
      8 
      9 
     10 #ifdef __cplusplus
     11 extern "C" {
     12 #endif
     13 
     14 /*
     15  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
     16  *
     17  *	Openvision retains the copyright to derivative works of
     18  *	this source code.  Do *NOT* create a derivative of this
     19  *	source code before consulting with your legal department.
     20  *	Do *NOT* integrate *ANY* of this source code into another
     21  *	product before consulting with your legal department.
     22  *
     23  *	For further information, read the top-level Openvision
     24  *	copyright which is contained in the top-level MIT Kerberos
     25  *	copyright.
     26  *
     27  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
     28  *
     29  */
     30 /*
     31  * lib/kadm5/admin.h
     32  *
     33  * Copyright 2001 by the Massachusetts Institute of Technology.
     34  * All Rights Reserved.
     35  *
     36  * Export of this software from the United States of America may
     37  *   require a specific license from the United States Government.
     38  *   It is the responsibility of any person or organization contemplating
     39  *   export to obtain such a license before exporting.
     40  *
     41  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
     42  * distribute this software and its documentation for any purpose and
     43  * without fee is hereby granted, provided that the above copyright
     44  * notice appear in all copies and that both that copyright notice and
     45  * this permission notice appear in supporting documentation, and that
     46  * the name of M.I.T. not be used in advertising or publicity pertaining
     47  * to distribution of the software without specific, written prior
     48  * permission.  Furthermore if you modify this software you must label
     49  * your software as modified software and not distribute it in such a
     50  * fashion that it might be confused with the original M.I.T. software.
     51  * M.I.T. makes no representations about the suitability of
     52  * this software for any purpose.  It is provided "as is" without express
     53  * or implied warranty.
     54  *
     55  */
     56 /*
     57  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
     58  *
     59  * $Header$
     60  */
     61 
     62 #include	<sys/types.h>
     63 #include	<rpc/types.h>
     64 #include	<rpc/rpc.h>
     65 #include	<k5-int.h>
     66 #include	<krb5.h>
     67 #include	<krb5/kdb.h>
     68 #include	<com_err.h>
     69 #include	<kadm5/kadm_err.h>
     70 #include	<kadm5/chpass_util_strings.h>
     71 
/*
 * Well-known principal and service name strings used by the kadm5 library.
 * The *_P forms spell the name with an '@' separator, the others with '/';
 * which form a given code path consumes is not visible from this header.
 * The *_HOST_SERVICE forms are bare service components, presumably combined
 * with a host name by kadm5_get_adm_host_srv_name() /
 * kadm5_get_cpw_host_srv_name() declared below (the Solaris note explains
 * why host-based names are needed).
 */
#define KADM5_ADMIN_SERVICE_P	"kadmin@admin"
/*
 * Solaris Kerberos:
 * The kadmin/admin principal is unused on Solaris. This principal is used
 * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
 * be used with host-based principals.
 *
 */
/* #define KADM5_ADMIN_SERVICE	"kadmin/admin" */
#define KADM5_CHANGEPW_SERVICE_P	"kadmin@changepw"
#define KADM5_CHANGEPW_SERVICE	"kadmin/changepw"
/* Principal whose keys hold the password-history encryption key (name only;
 * its use is defined by the implementation, not here). */
#define KADM5_HIST_PRINCIPAL	"kadmin/history"
#define KADM5_ADMIN_HOST_SERVICE "kadmin"
#define KADM5_CHANGEPW_HOST_SERVICE "changepw"
#define KADM5_KIPROP_HOST_SERVICE "kiprop"
     87 
/* Basic kadm5 type aliases. */
typedef krb5_principal	kadm5_princ_t;
/* A policy is identified by its name string. */
typedef	char		*kadm5_policy_t;
/* Return type of every kadm5_* call below: KADM5_OK (0) on success, otherwise
 * presumably one of the com_err codes from <kadm5/kadm_err.h> included above. */
typedef long		kadm5_ret_t;
/* NOTE(review): these names promise a 32-bit width but are defined as plain
 * int, which C does not guarantee to be 32 bits; <stdint.h>/krb5_int32 would
 * be exact. Left as-is because the width is part of the RPC ABI. */
typedef int rpc_int32;
typedef unsigned int rpc_u_int32;

/* Prompt strings for interactive password changes, resolved through
 * error_message() from the CHPASS_UTIL_* message table (see the
 * <kadm5/chpass_util_strings.h> include above). */
#define KADM5_PW_FIRST_PROMPT \
	(error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define KADM5_PW_SECOND_PROMPT \
	(error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
     98 
     99 /*
    100  * Successful return code
    101  */
    102 #define KADM5_OK	0
    103 
    104 /*
    105  * Field masks
    106  */
    107 
    108 /* kadm5_principal_ent_t */
    109 #define KADM5_PRINCIPAL		0x000001
    110 #define KADM5_PRINC_EXPIRE_TIME	0x000002
    111 #define KADM5_PW_EXPIRATION	0x000004
    112 #define KADM5_LAST_PWD_CHANGE	0x000008
    113 #define KADM5_ATTRIBUTES	0x000010
    114 #define KADM5_MAX_LIFE		0x000020
    115 #define KADM5_MOD_TIME		0x000040
    116 #define KADM5_MOD_NAME		0x000080
    117 #define KADM5_KVNO		0x000100
    118 #define KADM5_MKVNO		0x000200
    119 #define KADM5_AUX_ATTRIBUTES	0x000400
    120 #define KADM5_POLICY		0x000800
    121 #define KADM5_POLICY_CLR	0x001000
    122 /* version 2 masks */
    123 #define KADM5_MAX_RLIFE		0x002000
    124 #define KADM5_LAST_SUCCESS	0x004000
    125 #define KADM5_LAST_FAILED	0x008000
    126 #define KADM5_FAIL_AUTH_COUNT	0x010000
    127 #define KADM5_KEY_DATA		0x020000
    128 #define KADM5_TL_DATA		0x040000
    129 #ifdef notyet /* Novell */
    130 #define KADM5_CPW_FUNCTION      0x080000
    131 #define KADM5_RANDKEY_USED      0x100000
    132 #endif
    133 #define KADM5_LOAD		0x200000
    134 /* Solaris Kerberos: adding support for key history in LDAP KDB */
    135 #define KADM5_KEY_HIST		0x400000
    136 
    137 /* all but KEY_DATA and TL_DATA */
    138 #define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
    139 
    140 
/* kadm5_policy_ent_t */
/* Mask bits for the policy calls (kadm5_create_policy, kadm5_modify_policy,
 * kadm5_get_policy).  Note the values overlap the principal masks above
 * (KADM5_PW_MAX_LIFE == KADM5_LAST_SUCCESS); they are only meaningful
 * together with a kadm5_policy_ent_t. */
#define KADM5_PW_MAX_LIFE	0x004000
#define KADM5_PW_MIN_LIFE	0x008000
#define KADM5_PW_MIN_LENGTH	0x010000
#define KADM5_PW_MIN_CLASSES	0x020000
#define KADM5_PW_HISTORY_NUM	0x040000
#define KADM5_REF_COUNT		0x080000
    148 
/* kadm5_config_params */
/* Bits of kadm5_config_params.mask (a `long`, see the struct below); each
 * bit names the like-named member.  The masks go up to bit 24, so `mask`
 * must stay at least 32 bits wide. */
#define KADM5_CONFIG_REALM		0x0000001
#define KADM5_CONFIG_DBNAME		0x0000002
#define KADM5_CONFIG_MKEY_NAME		0x0000004
#define KADM5_CONFIG_MAX_LIFE		0x0000008
#define KADM5_CONFIG_MAX_RLIFE		0x0000010
#define KADM5_CONFIG_EXPIRATION		0x0000020
#define KADM5_CONFIG_FLAGS		0x0000040
#define KADM5_CONFIG_ADMIN_KEYTAB	0x0000080
#define KADM5_CONFIG_STASH_FILE		0x0000100
#define KADM5_CONFIG_ENCTYPE		0x0000200
#define KADM5_CONFIG_ADBNAME		0x0000400
#define KADM5_CONFIG_ADB_LOCKFILE	0x0000800
#define KADM5_CONFIG_PROFILE		0x0001000
#define KADM5_CONFIG_ACL_FILE		0x0002000
#define KADM5_CONFIG_KADMIND_PORT	0x0004000
#define KADM5_CONFIG_ENCTYPES		0x0008000
#define KADM5_CONFIG_ADMIN_SERVER	0x0010000
#define KADM5_CONFIG_DICT_FILE		0x0020000
#define KADM5_CONFIG_MKEY_FROM_KBD	0x0040000
#define KADM5_CONFIG_KPASSWD_PORT	0x0080000
#define KADM5_CONFIG_KPASSWD_SERVER	0x0100000
/* Solaris additions: kpasswd protocol selection and incremental propagation
 * (iprop) settings. */
#define	KADM5_CONFIG_KPASSWD_PROTOCOL	0x0200000
#define	KADM5_CONFIG_IPROP_ENABLED	0x0400000
#define	KADM5_CONFIG_ULOG_SIZE		0x0800000
#define	KADM5_CONFIG_POLL_TIME		0x1000000
    175 
/* password change constants */
/* Numeric result codes for a password-change request.  The names of 0..7
 * match the status codes of the kpasswd change-password protocol; 8..10
 * appear to be local extensions.  kadm5_chpass_principal_v2() below returns
 * a server response code through `srvr_rsp_code`, presumably one of these. */
#define	KRB5_KPASSWD_SUCCESS		0
#define	KRB5_KPASSWD_MALFORMED		1
#define	KRB5_KPASSWD_HARDERROR		2
#define	KRB5_KPASSWD_AUTHERROR		3
#define	KRB5_KPASSWD_SOFTERROR		4
#define	KRB5_KPASSWD_ACCESSDENIED	5
#define	KRB5_KPASSWD_BAD_VERSION	6
#define	KRB5_KPASSWD_INITIAL_FLAG_NEEDED	7
#define	KRB5_KPASSWD_POLICY_REJECT	8
#define	KRB5_KPASSWD_BAD_PRINCIPAL	9
#define	KRB5_KPASSWD_ETYPE_NOSUPP	10
    188 
    189 /*
    190  * permission bits
    191  */
    192 #define KADM5_PRIV_GET		0x01
    193 #define KADM5_PRIV_ADD		0x02
    194 #define KADM5_PRIV_MODIFY	0x04
    195 #define KADM5_PRIV_DELETE	0x08
    196 
    197 /*
    198  * API versioning constants
    199  */
    200 #define KADM5_MASK_BITS		0xffffff00
    201 
    202 #define KADM5_STRUCT_VERSION_MASK	0x12345600
    203 #define KADM5_STRUCT_VERSION_1	(KADM5_STRUCT_VERSION_MASK|0x01)
    204 #define KADM5_STRUCT_VERSION	KADM5_STRUCT_VERSION_1
    205 
    206 #define KADM5_API_VERSION_MASK	0x12345700
    207 #define KADM5_API_VERSION_1	(KADM5_API_VERSION_MASK|0x01)
    208 #define KADM5_API_VERSION_2	(KADM5_API_VERSION_MASK|0x02)
    209 
    210 #ifdef KRB5_DNS_LOOKUP
    211 /*
    212  * Name length constants for DNS lookups
    213  */
    214 #define	MAX_HOST_NAMELEN 256
    215 #define	MAX_DNS_NAMELEN (15*(MAX_HOST_NAMELEN + 1)+1)
    216 #endif /* KRB5_DNS_LOOKUP */
    217 
/*
 * Principal entry, API version 2 layout.
 *
 * Which members are valid/requested is governed by the KADM5_* principal
 * masks above; mask names mirror the member names (KADM5_MAX_RLIFE <->
 * max_renewable_life, etc.).  The first twelve members are identical to the
 * version 1 layout below, so a v1 record is a prefix of a v2 record.
 * Do not reorder members: the layout is an ABI shared with the RPC encoding.
 *
 * Ownership: entries filled in by the library are presumably released with
 * kadm5_free_principal_ent(); key_data alone can be released with
 * kadm5_free_key_data() (both declared below) — confirm against the
 * implementation before relying on either.
 */
typedef struct _kadm5_principal_ent_t_v2 {
	krb5_principal	principal;
	krb5_timestamp	princ_expire_time;
	krb5_timestamp	last_pwd_change;
	krb5_timestamp	pw_expiration;
	krb5_deltat	max_life;
	krb5_principal	mod_name;	/* who last modified the entry */
	krb5_timestamp	mod_date;
	krb5_flags	attributes;
	krb5_kvno	kvno;
	krb5_kvno	mkvno;		/* master key version, see KADM5_MKVNO */
	char		*policy;	/* policy name, or presumably NULL if none */
	long		aux_attributes;

	/* version 2 fields */
	krb5_deltat max_renewable_life;
        krb5_timestamp last_success;
        krb5_timestamp last_failed;
        krb5_kvno fail_auth_count;
	/* Counts for the two arrays below; both are krb5_int16, matching the
	 * n_key_data parameter type of kadm5_free_key_data(). */
	krb5_int16 n_key_data;
	krb5_int16 n_tl_data;
        krb5_tl_data *tl_data;
	/* Key material.  Only present when KADM5_KEY_DATA is requested;
	 * treat as secret and release promptly. */
	krb5_key_data *key_data;
} kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;
    242 
/*
 * Principal entry, API version 1 layout: the leading twelve members of the
 * version 2 structure, with no key/tl_data fields.  Kept for source
 * compatibility with USE_KADM5_API_VERSION == 1 builds.
 */
typedef struct _kadm5_principal_ent_t_v1 {
	krb5_principal	principal;
	krb5_timestamp	princ_expire_time;
	krb5_timestamp	last_pwd_change;
	krb5_timestamp	pw_expiration;
	krb5_deltat	max_life;
	krb5_principal	mod_name;
	krb5_timestamp	mod_date;
	krb5_flags	attributes;
	krb5_kvno	kvno;
	krb5_kvno	mkvno;
	char		*policy;
	long		aux_attributes;
} kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;

/*
 * Select which layout the unversioned kadm5_principal_ent_t names.
 * When USE_KADM5_API_VERSION is not defined at all, `#if` evaluates it as 0,
 * so the default is the version 2 layout.
 */
#if USE_KADM5_API_VERSION == 1
typedef struct _kadm5_principal_ent_t_v1
     kadm5_principal_ent_rec, *kadm5_principal_ent_t;
#else
typedef struct _kadm5_principal_ent_t_v2
     kadm5_principal_ent_rec, *kadm5_principal_ent_t;
#endif
    265 
/*
 * Password policy entry.  Members correspond to the KADM5_PW_* /
 * KADM5_REF_COUNT policy masks above.  The pw_* members are, by name,
 * password-quality and lifetime limits; their units (seconds, characters,
 * character classes, number of old keys kept) are set by the
 * implementation and not fixed here.  Released with kadm5_free_policy_ent().
 */
typedef struct _kadm5_policy_ent_t {
	char		*policy;	/* policy name */
	long		pw_min_life;
	long		pw_max_life;
	long		pw_min_length;
	long		pw_min_classes;
	long		pw_history_num;
	long		policy_refcnt;	/* number of principals referencing it (KADM5_REF_COUNT) */
} kadm5_policy_ent_rec, *kadm5_policy_ent_t;
    275 
    276 /*
    277  * New types to indicate which protocol to use when sending
    278  * password change requests
    279  */
    280 typedef enum {
    281 	KRB5_CHGPWD_RPCSEC,
    282 	KRB5_CHGPWD_CHANGEPW_V2
    283 } krb5_chgpwd_prot;
    284 
    285 /*
    286  * Data structure returned by kadm5_get_config_params()
    287  */
    288 typedef struct _kadm5_config_params {
    289      long		mask;
    290      char *		realm;
    291      int		kadmind_port;
    292      int		kpasswd_port;
    293 
    294      char *		admin_server;
    295 #ifdef notyet /* Novell */ /* ABI change? */
    296      char *		kpasswd_server;
    297 #endif
    298 
    299      char *		dbname;
    300      char *		admin_dbname;
    301      char *		admin_lockfile;
    302      char *		admin_keytab;
    303      char *		acl_file;
    304      char *		dict_file;
    305 
    306      int		mkey_from_kbd;
    307      char *		stash_file;
    308      char *		mkey_name;
    309      krb5_enctype	enctype;
    310      krb5_deltat	max_life;
    311      krb5_deltat	max_rlife;
    312      krb5_timestamp	expiration;
    313      krb5_flags		flags;
    314      krb5_key_salt_tuple *keysalts;
    315      krb5_int32		num_keysalts;
    316      char 			*kpasswd_server;
    317 
    318      krb5_chgpwd_prot	kpasswd_protocol;
    319      bool_t			iprop_enabled;
    320      int			iprop_ulogsize;
    321      char			*iprop_polltime;
    322 } kadm5_config_params;
    323 
    324 /***********************************************************************
    325  * This is the old krb5_realm_read_params, which I mutated into
    326  * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
    327  * still uses.
    328  ***********************************************************************/
    329 
    330 /*
    331  * Data structure returned by krb5_read_realm_params()
    332  */
    333 typedef struct __krb5_realm_params {
    334     char *		realm_profile;
    335     char *		realm_dbname;
    336     char *		realm_mkey_name;
    337     char *		realm_stash_file;
    338     char *		realm_kdc_ports;
    339     char *		realm_kdc_tcp_ports;
    340     char *		realm_acl_file;
    341     krb5_int32		realm_kadmind_port;
    342     krb5_enctype	realm_enctype;
    343     krb5_deltat		realm_max_life;
    344     krb5_deltat		realm_max_rlife;
    345     krb5_timestamp	realm_expiration;
    346     krb5_flags		realm_flags;
    347     krb5_key_salt_tuple	*realm_keysalts;
    348     unsigned int	realm_reject_bad_transit:1;
    349     unsigned int	realm_kadmind_port_valid:1;
    350     unsigned int	realm_enctype_valid:1;
    351     unsigned int	realm_max_life_valid:1;
    352     unsigned int	realm_max_rlife_valid:1;
    353     unsigned int	realm_expiration_valid:1;
    354     unsigned int	realm_flags_valid:1;
    355     unsigned int	realm_reject_bad_transit_valid:1;
    356     krb5_int32		realm_num_keysalts;
    357 } krb5_realm_params;
    358 
    359 /*
    360  * functions
    361  */
    362 
/*
 * Build the host-based admin / changepw service principal name for `realm`
 * (Solaris uses host-based names because RPCSEC_GSS requires them; see the
 * note at KADM5_ADMIN_SERVICE_P).  The result is returned through
 * *host_service_name; it is presumably heap-allocated and owned by the
 * caller — confirm the free function against the implementation.
 */
kadm5_ret_t
kadm5_get_adm_host_srv_name(krb5_context context,
                           const char *realm, char **host_service_name);

kadm5_ret_t
kadm5_get_cpw_host_srv_name(krb5_context context,
                           const char *realm, char **host_service_name);
    370 
#if USE_KADM5_API_VERSION > 1
/*
 * Configuration access (API version 2 only).
 *
 * kadm5_get_config_params: fill *params_out from configuration, taking any
 * values already present in *params_in (selected by params_in->mask) as
 * overrides, presumably; `use_kdc_config` is a flag whose exact meaning is
 * defined by the implementation.  Release the result with
 * kadm5_free_config_params().  Note these return krb5_error_code, not
 * kadm5_ret_t, unlike most of this API.
 */
krb5_error_code kadm5_get_config_params(krb5_context context,
					int use_kdc_config,
					kadm5_config_params *params_in,
					kadm5_config_params *params_out);

krb5_error_code kadm5_free_config_params(krb5_context context,
					 kadm5_config_params *params);

/* Takes kadm5_config_params despite its name; see krb5_realm_params above. */
krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
					kadm5_config_params *params);

/* Parameters are unnamed here: (context, realm?, output buffer, buffer size)
 * — the size_t argument suggests the char * before it is a caller-supplied
 * buffer of that capacity; confirm before use. */
krb5_error_code kadm5_get_admin_service_name(krb5_context, char *,
					     char *, size_t);
#endif
    386 
/*
 * Session setup.  Each variant authenticates `client_name` to the admin
 * service `service_name` and returns an opaque handle in *server_handle
 * that every other call takes as its first argument; release it with
 * kadm5_destroy().
 *
 *   kadm5_init / kadm5_init_with_password: `pass` is a cleartext password
 *     string.  Whether the library zeroizes or retains it is not visible
 *     here; callers own its lifetime and should clear their copy when done.
 *   kadm5_init_with_skey: `keytab` is a keytab path (NULL presumably selects
 *     the default keytab — confirm).
 *   kadm5_init_with_creds (version 2 only): authenticate with an existing
 *     credential cache `cc`.
 *
 * struct_version / api_version take the KADM5_STRUCT_VERSION /
 * KADM5_API_VERSION_* constants above.  The realm/params argument differs by
 * API version: version 1 passes a realm name, version 2 a
 * kadm5_config_params whose mask says which members are set.  The format of
 * `db_args` (presumably a NULL-terminated vector of backend options) is not
 * visible here.
 */
kadm5_ret_t    kadm5_init(char *client_name, char *pass,
			  char *service_name,
#if USE_KADM5_API_VERSION == 1
			  char *realm,
#else
			  kadm5_config_params *params,
#endif
			  krb5_ui_4 struct_version,
			  krb5_ui_4 api_version,
			  char **db_args,
			  void **server_handle);
kadm5_ret_t    kadm5_init_with_password(char *client_name,
					char *pass,
					char *service_name,
#if USE_KADM5_API_VERSION == 1
					char *realm,
#else
					kadm5_config_params *params,
#endif
					krb5_ui_4 struct_version,
					krb5_ui_4 api_version,
					char **db_args,
					void **server_handle);
kadm5_ret_t    kadm5_init_with_skey(char *client_name,
				    char *keytab,
				    char *service_name,
#if USE_KADM5_API_VERSION == 1
				    char *realm,
#else
				    kadm5_config_params *params,
#endif
				    krb5_ui_4 struct_version,
				    krb5_ui_4 api_version,
				    char **db_args,
				    void **server_handle);
#if USE_KADM5_API_VERSION > 1
kadm5_ret_t    kadm5_init_with_creds(char *client_name,
				     krb5_ccache cc,
				     char *service_name,
				     kadm5_config_params *params,
				     krb5_ui_4 struct_version,
				     krb5_ui_4 api_version,
				     char **db_args,
				     void **server_handle);
#endif
/*
 * Handle lifecycle.  lock/unlock/flush operate on the database behind the
 * handle (their exact semantics are implementation-defined); destroy
 * releases the handle obtained from kadm5_init*.
 */
kadm5_ret_t    kadm5_lock(void *server_handle);
kadm5_ret_t    kadm5_unlock(void *server_handle);
kadm5_ret_t    kadm5_flush(void *server_handle);
kadm5_ret_t    kadm5_destroy(void *server_handle);

/*
 * Principal CRUD.  `mask` is a bitwise OR of the kadm5_principal_ent_t
 * KADM5_* masks naming which members of `ent` are to be used.  `pass` is a
 * cleartext password for the new principal; the _3 variant additionally
 * takes an explicit key/salt type list (n_ks_tuple entries in ks_tuple).
 */
kadm5_ret_t    kadm5_create_principal(void *server_handle,
				      kadm5_principal_ent_t ent,
				      long mask, char *pass);
kadm5_ret_t    kadm5_create_principal_3(void *server_handle,
					kadm5_principal_ent_t ent,
					long mask,
					int n_ks_tuple,
					krb5_key_salt_tuple *ks_tuple,
					char *pass);
kadm5_ret_t    kadm5_delete_principal(void *server_handle,
				      krb5_principal principal);
kadm5_ret_t    kadm5_modify_principal(void *server_handle,
				      kadm5_principal_ent_t ent,
				      long mask);
/* (source, target) by position; the parameters are unnamed in this header. */
kadm5_ret_t    kadm5_rename_principal(void *server_handle,
				      krb5_principal,krb5_principal);
/*
 * Look up a principal.  Version 1 allocates the record and returns a
 * pointer to it through *ent; version 2 fills a caller-provided record and
 * takes a `mask` selecting which members to fetch (including KADM5_KEY_DATA,
 * which brings back key material).  Either way the record's contents are
 * released with kadm5_free_principal_ent().
 */
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t    kadm5_get_principal(void *server_handle,
				   krb5_principal principal,
				   kadm5_principal_ent_t *ent);
#else
kadm5_ret_t    kadm5_get_principal(void *server_handle,
				   krb5_principal principal,
				   kadm5_principal_ent_t ent,
				   long mask);
#endif
/*
 * Key changes.  `pass` is the new cleartext password.  `keepold`, when true,
 * presumably retains the previous keys (older kvnos) alongside the new ones;
 * the _3 variants take an explicit key/salt type list (n_ks_tuple entries in
 * ks_tuple).
 */
kadm5_ret_t    kadm5_chpass_principal(void *server_handle,
				      krb5_principal principal,
				      char *pass);
kadm5_ret_t    kadm5_chpass_principal_3(void *server_handle,
					krb5_principal principal,
					krb5_boolean keepold,
					int n_ks_tuple,
					krb5_key_salt_tuple *ks_tuple,
					char *pass);
/*
 * Random-key the principal.  The new keys are returned to the caller as
 * keyblocks (version 1: a single **keyblock; version 2: *keyblocks with
 * *n_keys entries).  This is raw key material: the caller must free it
 * (the matching free routine is not declared in this header — confirm) and
 * should clear it from memory first.
 */
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
				       krb5_principal principal,
				       krb5_keyblock **keyblock);
#else

/*
 * Solaris Kerberos:
 * this routine is only implemented in the client library.
 */
kadm5_ret_t    kadm5_randkey_principal_old(void *server_handle,
				    krb5_principal principal,
				    krb5_keyblock **keyblocks,
				    int *n_keys);

kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
				       krb5_principal principal,
				       krb5_keyblock **keyblocks,
				       int *n_keys);
kadm5_ret_t    kadm5_randkey_principal_3(void *server_handle,
					 krb5_principal principal,
					 krb5_boolean keepold,
					 int n_ks_tuple,
					 krb5_key_salt_tuple *ks_tuple,
					 krb5_keyblock **keyblocks,
					 int *n_keys);
#endif
/*
 * Set explicit keys.  The caller supplies the key material (a single
 * Kerberos-4-style keyblock for setv4key; n_keys keyblocks for setkey*).
 * These bypass password-based key derivation, so the keyblocks must be
 * generated and transported with the same care as any long-term key.
 */
kadm5_ret_t    kadm5_setv4key_principal(void *server_handle,
					krb5_principal principal,
					krb5_keyblock *keyblock);

kadm5_ret_t    kadm5_setkey_principal(void *server_handle,
				      krb5_principal principal,
				      krb5_keyblock *keyblocks,
				      int n_keys);

kadm5_ret_t    kadm5_setkey_principal_3(void *server_handle,
					krb5_principal principal,
					krb5_boolean keepold,
					int n_ks_tuple,
					krb5_key_salt_tuple *ks_tuple,
					krb5_keyblock *keyblocks,
					int n_keys);

/*
 * Decrypt one key of `entry` (selected by key type `ktype`, salt type
 * `stype` and `kvno`) into *keyblock, with its salt in *keysalt and the
 * actual kvno found in *kvnop.  The output keyblock is cleartext key
 * material owned by the caller; which selector values act as wildcards is
 * not visible here.  The odd line breaks below are original.
 */
kadm5_ret_t    kadm5_decrypt_key(void *server_handle,
				 kadm5_principal_ent_t entry, krb5_int32
				 ktype, krb5_int32 stype, krb5_int32
				 kvno, krb5_keyblock *keyblock,
				 krb5_keysalt *keysalt, int *kvnop);
    520 
/*
 * Policy CRUD.  `mask` is a bitwise OR of the KADM5_PW_* / KADM5_REF_COUNT
 * policy masks naming which members of `ent` are used.
 */
kadm5_ret_t    kadm5_create_policy(void *server_handle,
				   kadm5_policy_ent_t ent,
				   long mask);
/*
 * kadm5_create_policy_internal is not part of the supported,
 * exposed API.  It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_create_policy.
 */
kadm5_ret_t    kadm5_create_policy_internal(void *server_handle,
					    kadm5_policy_ent_t
					    entry, long mask);
kadm5_ret_t    kadm5_delete_policy(void *server_handle,
				   kadm5_policy_t policy);
kadm5_ret_t    kadm5_modify_policy(void *server_handle,
				   kadm5_policy_ent_t ent,
				   long mask);
/*
 * kadm5_modify_policy_internal is not part of the supported,
 * exposed API.  It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_modify_policy.
 */
kadm5_ret_t    kadm5_modify_policy_internal(void *server_handle,
					    kadm5_policy_ent_t
					    entry, long mask);
/*
 * Look up a policy by name.  Version 1 allocates the record and returns it
 * through *ent; version 2 fills a caller-provided record.  Release the
 * contents with kadm5_free_policy_ent().
 */
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t    kadm5_get_policy(void *server_handle,
				kadm5_policy_t policy,
				kadm5_policy_ent_t *ent);
#else
kadm5_ret_t    kadm5_get_policy(void *server_handle,
				kadm5_policy_t policy,
				kadm5_policy_ent_t ent);
#endif
/* Report the caller's permissions as a bitwise OR of KADM5_PRIV_* in *privs. */
kadm5_ret_t    kadm5_get_privs(void *server_handle,
			       long *privs);
    558 
/*
 * Convenience password change: changes `princ`'s password to `new_pw`
 * (prompting via KADM5_PW_FIRST_PROMPT / KADM5_PW_SECOND_PROMPT when NULL,
 * presumably — confirm) and stores a human-readable status in `msg_ret`.
 * `msg_len` is the capacity of `msg_ret`; unlike the ovsec_kadm variant of
 * this call, the buffer size is explicit here, so pass the real size.
 * What *ret_pw receives, and who frees it, is not visible in this header.
 */
kadm5_ret_t    kadm5_chpass_principal_util(void *server_handle,
					   krb5_principal princ,
					   char *new_pw,
					   char **ret_pw,
					   char *msg_ret,
					   unsigned int msg_len);

/*
 * Release the contents of records filled in by kadm5_get_principal /
 * kadm5_get_policy.  For principal entries this covers the key_data
 * member, i.e. it is the normal way to dispose of returned key material.
 */
kadm5_ret_t    kadm5_free_principal_ent(void *server_handle,
					kadm5_principal_ent_t
					ent);
kadm5_ret_t    kadm5_free_policy_ent(void *server_handle,
				     kadm5_policy_ent_t ent);

/*
 * Enumerate principal / policy names matching `exp` (presumably a glob-style
 * pattern; its syntax is defined by the implementation).  *princs / *pols
 * receive a vector of *count name strings, to be released with
 * kadm5_free_name_list(..., names, count).
 */
kadm5_ret_t    kadm5_get_principals(void *server_handle,
				    char *exp, char ***princs,
				    int *count);

kadm5_ret_t    kadm5_get_policies(void *server_handle,
				  char *exp, char ***pols,
				  int *count);

#if USE_KADM5_API_VERSION > 1
/* Release a key_data array (e.g. kadm5_principal_ent_t.key_data); the
 * parameter types match the n_key_data / key_data members of the v2 entry. */
kadm5_ret_t    kadm5_free_key_data(void *server_handle,
				   krb5_int16 *n_key_data,
				   krb5_key_data *key_data);
#endif

kadm5_ret_t    kadm5_free_name_list(void *server_handle, char **names,
				    int count);

/* Create a krb5_context configured for kadm5 use (returns krb5_error_code). */
krb5_error_code kadm5_init_krb5_context (krb5_context *);
    590 
    591 #if USE_KADM5_API_VERSION == 1
    592 /*
    593  * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time
    594  * compatible with KADM5_API_VERSION_2.  Basically, this means we have
    595  * to continue to provide all the old ovsec_kadm function and symbol
    596  * names.
    597  */
    598 
/*
 * OpenVision-era names, only visible for USE_KADM5_API_VERSION == 1 builds.
 * They mirror the KADM5_* definitions above one-for-one (same numeric values
 * and the same field-mask overlap caveat) so old ovsec_kadm_* code compiles.
 */

/* Default absolute paths for the ACL and password dictionary files. */
#define OVSEC_KADM_ACLFILE		"/krb5/ovsec_adm.acl"
#define	OVSEC_KADM_WORDFILE		"/krb5/ovsec_adm.dict"

#define OVSEC_KADM_ADMIN_SERVICE	"ovsec_adm/admin"
#define OVSEC_KADM_CHANGEPW_SERVICE	"ovsec_adm/changepw"
#define OVSEC_KADM_HIST_PRINCIPAL	"ovsec_adm/history"

typedef krb5_principal	ovsec_kadm_princ_t;
typedef krb5_keyblock	ovsec_kadm_keyblock;
typedef	char		*ovsec_kadm_policy_t;
typedef long		ovsec_kadm_ret_t;

/* Legacy salt-type selectors; values follow declaration order from 0. */
enum	ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL };
enum	ovsec_kadm_saltmod  { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL };

/* As KADM5_PW_*_PROMPT, but cast to non-const char * for old callers. */
#define OVSEC_KADM_PW_FIRST_PROMPT \
	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define OVSEC_KADM_PW_SECOND_PROMPT \
	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))

/*
 * Successful return code
 */
#define OVSEC_KADM_OK	0

/*
 * Create/Modify masks
 */
/* principal */
#define OVSEC_KADM_PRINCIPAL		0x000001
#define OVSEC_KADM_PRINC_EXPIRE_TIME	0x000002
#define OVSEC_KADM_PW_EXPIRATION	0x000004
#define OVSEC_KADM_LAST_PWD_CHANGE	0x000008
#define OVSEC_KADM_ATTRIBUTES		0x000010
#define OVSEC_KADM_MAX_LIFE		0x000020
#define OVSEC_KADM_MOD_TIME		0x000040
#define OVSEC_KADM_MOD_NAME		0x000080
#define OVSEC_KADM_KVNO			0x000100
#define OVSEC_KADM_MKVNO		0x000200
#define OVSEC_KADM_AUX_ATTRIBUTES	0x000400
#define OVSEC_KADM_POLICY		0x000800
#define OVSEC_KADM_POLICY_CLR		0x001000
/* policy */
#define OVSEC_KADM_PW_MAX_LIFE		0x004000
#define OVSEC_KADM_PW_MIN_LIFE		0x008000
#define OVSEC_KADM_PW_MIN_LENGTH	0x010000
#define OVSEC_KADM_PW_MIN_CLASSES	0x020000
#define OVSEC_KADM_PW_HISTORY_NUM	0x040000
#define OVSEC_KADM_REF_COUNT		0x080000

/*
 * permission bits
 */
#define OVSEC_KADM_PRIV_GET	0x01
#define OVSEC_KADM_PRIV_ADD	0x02
#define OVSEC_KADM_PRIV_MODIFY	0x04
#define OVSEC_KADM_PRIV_DELETE	0x08

/*
 * API versioning constants
 */
#define OVSEC_KADM_MASK_BITS		0xffffff00

#define OVSEC_KADM_STRUCT_VERSION_MASK	0x12345600
#define OVSEC_KADM_STRUCT_VERSION_1	(OVSEC_KADM_STRUCT_VERSION_MASK|0x01)
#define OVSEC_KADM_STRUCT_VERSION	OVSEC_KADM_STRUCT_VERSION_1

#define OVSEC_KADM_API_VERSION_MASK	0x12345700
#define OVSEC_KADM_API_VERSION_1	(OVSEC_KADM_API_VERSION_MASK|0x01)
    668 
    669 
/* Legacy principal entry: member-for-member the same layout as
 * kadm5_principal_ent_rec_v1 above. */
typedef struct _ovsec_kadm_principal_ent_t {
	krb5_principal	principal;
	krb5_timestamp	princ_expire_time;
	krb5_timestamp	last_pwd_change;
	krb5_timestamp	pw_expiration;
	krb5_deltat	max_life;
	krb5_principal	mod_name;
	krb5_timestamp	mod_date;
	krb5_flags	attributes;
	krb5_kvno	kvno;
	krb5_kvno	mkvno;
	char		*policy;
	long		aux_attributes;
} ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t;
    684 
/* Legacy policy entry: same layout as kadm5_policy_ent_rec above. */
typedef struct _ovsec_kadm_policy_ent_t {
	char		*policy;
	long		pw_min_life;
	long		pw_max_life;
	long		pw_min_length;
	long		pw_min_classes;
	long		pw_history_num;
	long		policy_refcnt;
} ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t;
    694 
    695 /*
    696  * functions
    697  */
    698 ovsec_kadm_ret_t    ovsec_kadm_init(char *client_name, char *pass,
    699 				    char *service_name, char *realm,
    700 				    krb5_ui_4 struct_version,
    701 				    krb5_ui_4 api_version,
    702 				    char **db_args,
    703 				    void **server_handle);
    704 ovsec_kadm_ret_t    ovsec_kadm_init_with_password(char *client_name,
    705 						  char *pass,
    706 						  char *service_name,
    707 						  char *realm,
    708 						  krb5_ui_4 struct_version,
    709 						  krb5_ui_4 api_version,
    710 						  char ** db_args,
    711 						  void **server_handle);
    712 ovsec_kadm_ret_t    ovsec_kadm_init_with_skey(char *client_name,
    713 					      char *keytab,
    714 					      char *service_name,
    715 					      char *realm,
    716 					      krb5_ui_4 struct_version,
    717 					      krb5_ui_4 api_version,
    718 					      char **db_args,
    719 					      void **server_handle);
    720 ovsec_kadm_ret_t    ovsec_kadm_flush(void *server_handle);
    721 ovsec_kadm_ret_t    ovsec_kadm_destroy(void *server_handle);
    722 ovsec_kadm_ret_t    ovsec_kadm_create_principal(void *server_handle,
    723 						ovsec_kadm_principal_ent_t ent,
    724 						long mask, char *pass);
    725 ovsec_kadm_ret_t    ovsec_kadm_delete_principal(void *server_handle,
    726 						krb5_principal principal);
    727 ovsec_kadm_ret_t    ovsec_kadm_modify_principal(void *server_handle,
    728 						ovsec_kadm_principal_ent_t ent,
    729 						long mask);
    730 ovsec_kadm_ret_t    ovsec_kadm_rename_principal(void *server_handle,
    731 						krb5_principal,krb5_principal);
    732 ovsec_kadm_ret_t    ovsec_kadm_get_principal(void *server_handle,
    733 					     krb5_principal principal,
    734 					     ovsec_kadm_principal_ent_t *ent);
    735 ovsec_kadm_ret_t    ovsec_kadm_chpass_principal(void *server_handle,
    736 						krb5_principal principal,
    737 						char *pass);
    738 ovsec_kadm_ret_t    ovsec_kadm_randkey_principal(void *server_handle,
    739 						 krb5_principal principal,
    740 						 krb5_keyblock **keyblock);
    741 ovsec_kadm_ret_t    ovsec_kadm_create_policy(void *server_handle,
    742 					     ovsec_kadm_policy_ent_t ent,
    743 					     long mask);
    744 /*
    745  * ovsec_kadm_create_policy_internal is not part of the supported,
    746  * exposed API.  It is available only in the server library, and you
    747  * shouldn't use it unless you know why it's there and how it's
    748  * different from ovsec_kadm_create_policy.
    749  */
    750 ovsec_kadm_ret_t    ovsec_kadm_create_policy_internal(void *server_handle,
    751 						      ovsec_kadm_policy_ent_t
    752 						      entry, long mask);
    753 ovsec_kadm_ret_t    ovsec_kadm_delete_policy(void *server_handle,
    754 					     ovsec_kadm_policy_t policy);
    755 ovsec_kadm_ret_t    ovsec_kadm_modify_policy(void *server_handle,
    756 					     ovsec_kadm_policy_ent_t ent,
    757 					     long mask);
    758 /*
    759  * ovsec_kadm_modify_policy_internal is not part of the supported,
    760  * exposed API.  It is available only in the server library, and you
    761  * shouldn't use it unless you know why it's there and how it's
    762  * different from ovsec_kadm_modify_policy.
    763  */
    764 ovsec_kadm_ret_t    ovsec_kadm_modify_policy_internal(void *server_handle,
    765 						      ovsec_kadm_policy_ent_t
    766 						      entry, long mask);
    767 ovsec_kadm_ret_t    ovsec_kadm_get_policy(void *server_handle,
    768 					  ovsec_kadm_policy_t policy,
    769 					  ovsec_kadm_policy_ent_t *ent);
    770 ovsec_kadm_ret_t    ovsec_kadm_get_privs(void *server_handle,
    771 					 long *privs);
    772 
    773 ovsec_kadm_ret_t    ovsec_kadm_chpass_principal_util(void *server_handle,
    774 						     krb5_principal princ,
    775 						     char *new_pw,
    776 						     char **ret_pw,
    777 						     char *msg_ret);
    778 
    779 ovsec_kadm_ret_t    ovsec_kadm_free_principal_ent(void *server_handle,
    780 						  ovsec_kadm_principal_ent_t
    781 						  ent);
    782 ovsec_kadm_ret_t    ovsec_kadm_free_policy_ent(void *server_handle,
    783 					       ovsec_kadm_policy_ent_t ent);
    784 
    785 ovsec_kadm_ret_t ovsec_kadm_free_name_list(void *server_handle,
    786 					   char **names, int count);
    787 
    788 ovsec_kadm_ret_t    ovsec_kadm_get_principals(void *server_handle,
    789 					      char *exp, char ***princs,
    790 					      int *count);
    791 
    792 ovsec_kadm_ret_t    ovsec_kadm_get_policies(void *server_handle,
    793 					    char *exp, char ***pols,
    794 					    int *count);
    795 
/* Legacy error-code names, aliased to the KADM5_* codes from
 * <kadm5/kadm_err.h>.  Both spellings compare equal, so either may be used
 * when checking a kadm5_ret_t / ovsec_kadm_ret_t. */
#define OVSEC_KADM_FAILURE KADM5_FAILURE
#define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET
#define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD
#define OVSEC_KADM_AUTH_MODIFY KADM5_AUTH_MODIFY
#define OVSEC_KADM_AUTH_DELETE KADM5_AUTH_DELETE
#define OVSEC_KADM_AUTH_INSUFFICIENT KADM5_AUTH_INSUFFICIENT
#define OVSEC_KADM_BAD_DB KADM5_BAD_DB
#define OVSEC_KADM_DUP KADM5_DUP
#define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR
#define OVSEC_KADM_NO_SRV KADM5_NO_SRV
#define OVSEC_KADM_BAD_HIST_KEY KADM5_BAD_HIST_KEY
#define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT
#define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC
#define OVSEC_KADM_UNK_POLICY KADM5_UNK_POLICY
#define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK
#define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS
#define OVSEC_KADM_BAD_LENGTH KADM5_BAD_LENGTH
#define OVSEC_KADM_BAD_POLICY KADM5_BAD_POLICY
#define OVSEC_KADM_BAD_PRINCIPAL KADM5_BAD_PRINCIPAL
#define OVSEC_KADM_BAD_AUX_ATTR KADM5_BAD_AUX_ATTR
#define OVSEC_KADM_BAD_HISTORY KADM5_BAD_HISTORY
#define OVSEC_KADM_BAD_MIN_PASS_LIFE KADM5_BAD_MIN_PASS_LIFE
/* Password-quality rejections (too short, too few classes, dictionary word,
 * reuse, changed too soon). */
#define OVSEC_KADM_PASS_Q_TOOSHORT KADM5_PASS_Q_TOOSHORT
#define OVSEC_KADM_PASS_Q_CLASS KADM5_PASS_Q_CLASS
#define OVSEC_KADM_PASS_Q_DICT KADM5_PASS_Q_DICT
#define OVSEC_KADM_PASS_REUSE KADM5_PASS_REUSE
#define OVSEC_KADM_PASS_TOOSOON KADM5_PASS_TOOSOON
#define OVSEC_KADM_POLICY_REF KADM5_POLICY_REF
#define OVSEC_KADM_INIT KADM5_INIT
#define OVSEC_KADM_BAD_PASSWORD KADM5_BAD_PASSWORD
#define OVSEC_KADM_PROTECT_PRINCIPAL KADM5_PROTECT_PRINCIPAL
#define OVSEC_KADM_BAD_SERVER_HANDLE KADM5_BAD_SERVER_HANDLE
/* Struct / API version negotiation failures (see the *_VERSION constants). */
#define OVSEC_KADM_BAD_STRUCT_VERSION KADM5_BAD_STRUCT_VERSION
#define OVSEC_KADM_OLD_STRUCT_VERSION KADM5_OLD_STRUCT_VERSION
#define OVSEC_KADM_NEW_STRUCT_VERSION KADM5_NEW_STRUCT_VERSION
#define OVSEC_KADM_BAD_API_VERSION KADM5_BAD_API_VERSION
#define OVSEC_KADM_OLD_LIB_API_VERSION KADM5_OLD_LIB_API_VERSION
#define OVSEC_KADM_OLD_SERVER_API_VERSION KADM5_OLD_SERVER_API_VERSION
#define OVSEC_KADM_NEW_LIB_API_VERSION KADM5_NEW_LIB_API_VERSION
#define OVSEC_KADM_NEW_SERVER_API_VERSION KADM5_NEW_SERVER_API_VERSION
#define OVSEC_KADM_SECURE_PRINC_MISSING KADM5_SECURE_PRINC_MISSING
#define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT
    837 #define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT
    838 
    839 #endif /* USE_KADM5_API_VERSION == 1 */
    840 
/*
 * Solaris-specific additions, declared outside the API-version guards.
 */

/* Display-length limit for principal names used by trunc_name(); the value
 * 125 is a local choice and is not a Kerberos protocol limit. */
#define MAXPRINCLEN 125

/* Shorten a name for display: *len is the current length and is presumably
 * clamped to MAXPRINCLEN, with *dots pointing at an ellipsis string when
 * truncation happened — confirm the exact contract in the implementation. */
void trunc_name(size_t *len, char **dots);

/* Report which password-change transport the handle is configured for
 * (kadm5_config_params.kpasswd_protocol).  NOTE(review): the leading
 * underscore makes this a reserved identifier at file scope; it is kept for
 * ABI compatibility. */
krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle);
/*
 * Change a password over the kpasswd (KRB5_CHGPWD_CHANGEPW_V2) transport.
 * On return *srvr_rsp_code holds the server's numeric status (presumably a
 * KRB5_KPASSWD_* value) and *srvr_msg the server's message; the message
 * comes from the network and must be treated as untrusted data when
 * displayed or logged.
 */
kadm5_ret_t	kadm5_chpass_principal_v2(void *server_handle,
					krb5_principal princ,
					char *new_password,
					kadm5_ret_t *srvr_rsp_code,
					krb5_data *srvr_msg);

/* Server side of the above: service one change-password request arriving on
 * descriptor `s` (presumably a socket) using the given handle and config. */
void handle_chpw(krb5_context context, int s, void *serverhandle,
			kadm5_config_params *params);
    854 
    855 #ifdef __cplusplus
    856 }
    857 #endif
    858 
    859 #endif	/* __KADM5_ADMIN_H__ */