/*
* Copyright 2004 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef __KADM5_ADMIN_H__
#define __KADM5_ADMIN_H__
#pragma ident "%Z%%M% %I% %E% SMI"
#ifdef __cplusplus
extern "C" {
#endif
/*
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
*
* Openvision retains the copyright to derivative works of
* this source code. Do *NOT* create a derivative of this
* source code before consulting with your legal department.
* Do *NOT* integrate *ANY* of this source code into another
* product before consulting with your legal department.
*
* For further information, read the top-level Openvision
* copyright which is contained in the top-level MIT Kerberos
* copyright.
*
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
*
*/
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
* $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin.h,v 1.43.2.1 2000/05/19 22:24:14 raeburn Exp $
*/
#include <sys/types.h>
#include <rpc/types.h>
#include <rpc/rpc.h>
#include <krb5.h>
#include <k5-int.h>
#include <com_err.h>
#include <kadm5/kadm_err.h>
#include <kadm5/adb_err.h>
#include <kadm5/chpass_util_strings.h>
#define KADM5_ADMIN_SERVICE_P "kadmin@admin"
#define KADM5_ADMIN_SERVICE "kadmin/admin"
#define KADM5_CHANGEPW_SERVICE_P "kadmin@changepw"
#define KADM5_CHANGEPW_SERVICE "kadmin/changepw"
#define KADM5_HIST_PRINCIPAL "kadmin/history"
#define KADM5_ADMIN_HOST_SERVICE "kadmin"
#define KADM5_CHANGEPW_HOST_SERVICE "changepw"
#define KADM5_KIPROP_HOST_SERVICE "kiprop"
typedef krb5_principal kadm5_princ_t;
typedef char *kadm5_policy_t;
typedef long kadm5_ret_t;
typedef int rpc_int32;
typedef unsigned int rpc_u_int32;
#define KADM5_PW_FIRST_PROMPT \
((char *)error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define KADM5_PW_SECOND_PROMPT \
((char *)error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
/*
* Succsessfull return code
*/
#define KADM5_OK 0
/*
* Field masks
*/
/* kadm5_principal_ent_t */
#define KADM5_PRINCIPAL 0x000001
#define KADM5_PRINC_EXPIRE_TIME 0x000002
#define KADM5_PW_EXPIRATION 0x000004
#define KADM5_LAST_PWD_CHANGE 0x000008
#define KADM5_ATTRIBUTES 0x000010
#define KADM5_MAX_LIFE 0x000020
#define KADM5_MOD_TIME 0x000040
#define KADM5_MOD_NAME 0x000080
#define KADM5_KVNO 0x000100
#define KADM5_MKVNO 0x000200
#define KADM5_AUX_ATTRIBUTES 0x000400
#define KADM5_POLICY 0x000800
#define KADM5_POLICY_CLR 0x001000
/* version 2 masks */
#define KADM5_MAX_RLIFE 0x002000
#define KADM5_LAST_SUCCESS 0x004000
#define KADM5_LAST_FAILED 0x008000
#define KADM5_FAIL_AUTH_COUNT 0x010000
#define KADM5_KEY_DATA 0x020000
#define KADM5_TL_DATA 0x040000
/* all but KEY_DATA and TL_DATA */
#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
/* kadm5_policy_ent_t */
#define KADM5_PW_MAX_LIFE 0x004000
#define KADM5_PW_MIN_LIFE 0x008000
#define KADM5_PW_MIN_LENGTH 0x010000
#define KADM5_PW_MIN_CLASSES 0x020000
#define KADM5_PW_HISTORY_NUM 0x040000
#define KADM5_REF_COUNT 0x080000
/* kadm5_config_params */
#define KADM5_CONFIG_REALM 0x0000001
#define KADM5_CONFIG_DBNAME 0x0000002
#define KADM5_CONFIG_MKEY_NAME 0x0000004
#define KADM5_CONFIG_MAX_LIFE 0x0000008
#define KADM5_CONFIG_MAX_RLIFE 0x0000010
#define KADM5_CONFIG_EXPIRATION 0x0000020
#define KADM5_CONFIG_FLAGS 0x0000040
#define KADM5_CONFIG_ADMIN_KEYTAB 0x0000080
#define KADM5_CONFIG_STASH_FILE 0x0000100
#define KADM5_CONFIG_ENCTYPE 0x0000200
#define KADM5_CONFIG_ADBNAME 0x0000400
#define KADM5_CONFIG_ADB_LOCKFILE 0x0000800
#define KADM5_CONFIG_PROFILE 0x0001000
#define KADM5_CONFIG_ACL_FILE 0x0002000
#define KADM5_CONFIG_KADMIND_PORT 0x0004000
#define KADM5_CONFIG_ENCTYPES 0x0008000
#define KADM5_CONFIG_ADMIN_SERVER 0x0010000
#define KADM5_CONFIG_DICT_FILE 0x0020000
#define KADM5_CONFIG_MKEY_FROM_KBD 0x0040000
#define KADM5_CONFIG_KPASSWD_PORT 0x0080000
#define KADM5_CONFIG_KPASSWD_SERVER 0x0100000
#define KADM5_CONFIG_KPASSWD_PROTOCOL 0x0200000
#define KADM5_CONFIG_IPROP_ENABLED 0x0400000
#define KADM5_CONFIG_ULOG_SIZE 0x0800000
#define KADM5_CONFIG_POLL_TIME 0x1000000
/* password change constants */
#define KRB5_KPASSWD_SUCCESS 0
#define KRB5_KPASSWD_MALFORMED 1
#define KRB5_KPASSWD_HARDERROR 2
#define KRB5_KPASSWD_AUTHERROR 3
#define KRB5_KPASSWD_SOFTERROR 4
#define KRB5_KPASSWD_ACCESSDENIED 5
#define KRB5_KPASSWD_BAD_VERSION 6
#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
#define KRB5_KPASSWD_POLICY_REJECT 8
#define KRB5_KPASSWD_BAD_PRINCIPAL 9
#define KRB5_KPASSWD_ETYPE_NOSUPP 10
/*
* permission bits
*/
#define KADM5_PRIV_GET 0x01
#define KADM5_PRIV_ADD 0x02
#define KADM5_PRIV_MODIFY 0x04
#define KADM5_PRIV_DELETE 0x08
/*
* API versioning constants
*/
#define KADM5_MASK_BITS 0xffffff00
#define KADM5_STRUCT_VERSION_MASK 0x12345600
#define KADM5_STRUCT_VERSION_1 (KADM5_STRUCT_VERSION_MASK|0x01)
#define KADM5_STRUCT_VERSION KADM5_STRUCT_VERSION_1
#define KADM5_API_VERSION_MASK 0x12345700
#define KADM5_API_VERSION_1 (KADM5_API_VERSION_MASK|0x01)
#define KADM5_API_VERSION_2 (KADM5_API_VERSION_MASK|0x02)
#ifdef KRB5_DNS_LOOKUP
/*
* Name length constants for DNS lookups
*/
#define MAX_HOST_NAMELEN 256
#define MAX_DNS_NAMELEN (15*(MAX_HOST_NAMELEN + 1)+1)
#endif /* KRB5_DNS_LOOKUP */
typedef struct _kadm5_principal_ent_t_v2 {
krb5_principal principal;
krb5_timestamp princ_expire_time;
krb5_timestamp last_pwd_change;
krb5_timestamp pw_expiration;
krb5_deltat max_life;
krb5_principal mod_name;
krb5_timestamp mod_date;
krb5_flags attributes;
krb5_kvno kvno;
krb5_kvno mkvno;
char *policy;
long aux_attributes;
/* version 2 fields */
krb5_deltat max_renewable_life;
krb5_timestamp last_success;
krb5_timestamp last_failed;
krb5_kvno fail_auth_count;
krb5_int16 n_key_data;
krb5_int16 n_tl_data;
krb5_tl_data *tl_data;
krb5_key_data *key_data;
} kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;
typedef struct _kadm5_principal_ent_t_v1 {
krb5_principal principal;
krb5_timestamp princ_expire_time;
krb5_timestamp last_pwd_change;
krb5_timestamp pw_expiration;
krb5_deltat max_life;
krb5_principal mod_name;
krb5_timestamp mod_date;
krb5_flags attributes;
krb5_kvno kvno;
krb5_kvno mkvno;
char *policy;
long aux_attributes;
} kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;
typedef struct _kadm5_principal_ent_t_v2
kadm5_principal_ent_rec, *kadm5_principal_ent_t;
typedef struct _kadm5_policy_ent_t {
char *policy;
long pw_min_life;
long pw_max_life;
long pw_min_length;
long pw_min_classes;
long pw_history_num;
long policy_refcnt;
} kadm5_policy_ent_rec, *kadm5_policy_ent_t;
typedef struct __krb5_key_salt_tuple {
krb5_enctype ks_enctype;
krb5_int32 ks_salttype;
} krb5_key_salt_tuple;
/*
* New types to indicate which protocol to use when sending
* password change requests
*/
typedef enum {
KRB5_CHGPWD_RPCSEC,
KRB5_CHGPWD_CHANGEPW_V2
} krb5_chgpwd_prot;
/*
* Data structure returned by kadm5_get_config_params()
*/
typedef struct _kadm5_config_params {
long mask;
char *realm;
char *profile;
int kadmind_port;
char *admin_server;
char *dbname;
char *admin_dbname;
char *admin_lockfile;
char *admin_keytab;
char *acl_file;
char *dict_file;
int mkey_from_kbd;
char *stash_file;
char *mkey_name;
krb5_enctype enctype;
krb5_deltat max_life;
krb5_deltat max_rlife;
krb5_timestamp expiration;
krb5_flags flags;
krb5_key_salt_tuple *keysalts;
krb5_int32 num_keysalts;
char *kpasswd_server;
int kpasswd_port;
krb5_chgpwd_prot kpasswd_protocol;
bool_t iprop_enabled;
int iprop_ulogsize;
char *iprop_polltime;
} kadm5_config_params;
/***********************************************************************
* This is the old krb5_realm_read_params, which I mutated into
* kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
* still uses.
***********************************************************************/
/*
* Data structure returned by krb5_read_realm_params()
*/
typedef struct __krb5_realm_params {
char *realm_profile;
char *realm_dbname;
char *realm_mkey_name;
char *realm_stash_file;
char *realm_kdc_ports;
char *realm_kdc_tcp_ports;
char *realm_acl_file;
krb5_int32 realm_kadmind_port;
krb5_enctype realm_enctype;
krb5_deltat realm_max_life;
krb5_deltat realm_max_rlife;
krb5_timestamp realm_expiration;
krb5_flags realm_flags;
krb5_key_salt_tuple *realm_keysalts;
unsigned int realm_kadmind_port_valid:1;
unsigned int realm_enctype_valid:1;
unsigned int realm_max_life_valid:1;
unsigned int realm_max_rlife_valid:1;
unsigned int realm_expiration_valid:1;
unsigned int realm_flags_valid:1;
unsigned int realm_filler:7;
krb5_int32 realm_num_keysalts;
} krb5_realm_params;
/*
* functions
*/
kadm5_ret_t
kadm5_get_master(krb5_context context, const char *realm, char **master);
kadm5_ret_t
kadm5_get_adm_host_srv_name(krb5_context context,
const char *realm, char **host_service_name);
kadm5_ret_t
kadm5_get_cpw_host_srv_name(krb5_context context,
const char *realm, char **host_service_name);
krb5_error_code kadm5_get_config_params(krb5_context context,
char *kdcprofile, char *kdcenv,
kadm5_config_params *params_in,
kadm5_config_params *params_out);
/* SUNWresync121 XXX */
krb5_error_code kadm5_free_config_params(krb5_context context,
kadm5_config_params *params);
krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
kadm5_config_params *params);
kadm5_ret_t kadm5_init(char *client_name, char *pass,
char *service_name,
kadm5_config_params *params,
krb5_ui_4 struct_version,
krb5_ui_4 api_version,
void **server_handle);
kadm5_ret_t kadm5_init_with_password(char *client_name,
char *pass,
char *service_name,
kadm5_config_params *params,
krb5_ui_4 struct_version,
krb5_ui_4 api_version,
void **server_handle);
kadm5_ret_t kadm5_init_with_skey(char *client_name,
char *keytab,
char *service_name,
kadm5_config_params *params,
krb5_ui_4 struct_version,
krb5_ui_4 api_version,
void **server_handle);
kadm5_ret_t kadm5_init_with_creds(char *client_name,
krb5_ccache cc,
char *service_name,
kadm5_config_params *params,
krb5_ui_4 struct_version,
krb5_ui_4 api_version,
void **server_handle);
kadm5_ret_t kadm5_flush(void *server_handle);
kadm5_ret_t kadm5_destroy(void *server_handle);
kadm5_ret_t kadm5_create_principal(void *server_handle,
kadm5_principal_ent_t ent,
long mask, char *pass);
kadm5_ret_t kadm5_create_principal_3(void *server_handle,
kadm5_principal_ent_t ent,
long mask,
int n_ks_tuple,
krb5_key_salt_tuple *ks_tuple,
char *pass);
kadm5_ret_t kadm5_delete_principal(void *server_handle,
krb5_principal principal);
kadm5_ret_t kadm5_modify_principal(void *server_handle,
kadm5_principal_ent_t ent,
long mask);
kadm5_ret_t kadm5_rename_principal(void *server_handle,
krb5_principal, krb5_principal);
kadm5_ret_t kadm5_get_principal(void *server_handle,
krb5_principal principal,
kadm5_principal_ent_t ent,
long mask);
kadm5_ret_t kadm5_chpass_principal(void *server_handle,
krb5_principal principal,
char *pass);
kadm5_ret_t kadm5_chpass_principal_3(void *server_handle,
krb5_principal principal,
krb5_boolean keepold,
int n_ks_tuple,
krb5_key_salt_tuple *ks_tuple,
char *pass);
/*
* Solaris Kerberos:
* this routine is only implemented in the client library.
*/
kadm5_ret_t kadm5_randkey_principal_old(void *server_handle,
krb5_principal principal,
krb5_keyblock **keyblocks,
int *n_keys);
kadm5_ret_t kadm5_randkey_principal(void *server_handle,
krb5_principal principal,
krb5_keyblock **keyblocks,
int *n_keys);
kadm5_ret_t kadm5_randkey_principal_3(void *server_handle,
krb5_principal principal,
krb5_boolean keepold,
int n_ks_tuple,
krb5_key_salt_tuple *ks_tuple,
krb5_keyblock **keyblocks,
int *n_keys);
kadm5_ret_t kadm5_setv4key_principal(void *server_handle,
krb5_principal principal,
krb5_keyblock *keyblock);
kadm5_ret_t kadm5_setkey_principal(void *server_handle,
krb5_principal principal,
krb5_keyblock *keyblocks,
int n_keys);
kadm5_ret_t kadm5_setkey_principal_3(void *server_handle,
krb5_principal principal,
krb5_boolean keepold,
int n_ks_tuple,
krb5_key_salt_tuple *ks_tuple,
krb5_keyblock *keyblocks,
int n_keys);
kadm5_ret_t kadm5_create_policy(void *server_handle,
kadm5_policy_ent_t ent,
long mask);
/*
* kadm5_create_policy_internal is not part of the supported,
* exposed API. It is available only in the server library, and you
* shouldn't use it unless you know why it's there and how it's
* different from kadm5_create_policy.
*/
kadm5_ret_t kadm5_create_policy_internal(void *server_handle,
kadm5_policy_ent_t
entry, long mask);
kadm5_ret_t kadm5_delete_policy(void *server_handle,
kadm5_policy_t policy);
kadm5_ret_t kadm5_modify_policy(void *server_handle,
kadm5_policy_ent_t ent,
long mask);
/*
* kadm5_modify_policy_internal is not part of the supported,
* exposed API. It is available only in the server library, and you
* shouldn't use it unless you know why it's there and how it's
* different from kadm5_modify_policy.
*/
kadm5_ret_t kadm5_modify_policy_internal(void *server_handle,
kadm5_policy_ent_t
entry, long mask);
kadm5_ret_t kadm5_get_policy(void *server_handle,
kadm5_policy_t policy,
kadm5_policy_ent_t ent);
kadm5_ret_t kadm5_get_privs(void *server_handle,
long *privs);
kadm5_ret_t kadm5_chpass_principal_util(void *server_handle,
krb5_principal princ,
char *new_pw,
char **ret_pw,
char *msg_ret,
int msg_len);
kadm5_ret_t kadm5_free_principal_ent(void *server_handle,
kadm5_principal_ent_t
ent);
kadm5_ret_t kadm5_free_policy_ent(void *server_handle,
kadm5_policy_ent_t ent);
kadm5_ret_t kadm5_get_principals(void *server_handle,
char *exp, char ***princs,
int *count);
kadm5_ret_t kadm5_get_policies(void *server_handle,
char *exp, char ***pols,
int *count);
kadm5_ret_t kadm5_free_key_data(void *server_handle,
krb5_int16 *n_key_data,
krb5_key_data *key_data);
kadm5_ret_t kadm5_free_name_list(void *server_handle,
char **names, int count);
krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle);
kadm5_ret_t kadm5_chpass_principal_v2(void *server_handle,
krb5_principal princ,
char *new_password,
kadm5_ret_t *srvr_rsp_code,
krb5_data *srvr_msg);
void handle_chpw(krb5_context context, int s, void *serverhandle,
kadm5_config_params *params);
#ifdef __cplusplus
}
#endif
#endif /* __KADM5_ADMIN_H__ */