/*
 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * Public interface of the kadm5 Kerberos administration library
 * (Solaris Kerberos variant of lib/kadm5/admin.h).  Everything a
 * caller needs to open an admin session, read and modify principal and
 * policy entries, and read realm/kadmind configuration is declared here.
 *
 * NOTE(review): the guard name below starts with a double underscore,
 * which C reserves for the implementation.  It is kept as-is because
 * other code may test it; do not introduce new identifiers of that form.
 */
#ifndef __KADM5_ADMIN_H__
#define __KADM5_ADMIN_H__


#ifdef __cplusplus
extern "C" {
#endif

/*
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 * Openvision retains the copyright to derivative works of
 * this source code. Do *NOT* create a derivative of this
 * source code before consulting with your legal department.
 * Do *NOT* integrate *ANY* of this source code into another
 * product before consulting with your legal department.
 *
 * For further information, read the top-level Openvision
 * copyright which is contained in the top-level MIT Kerberos
 * copyright.
 *
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 */
/*
 * lib/kadm5/admin.h
 *
 * Copyright 2001 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 *
 */
/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
 *
 * $Header$
 */

#include <sys/types.h>
#include <rpc/types.h>
#include <rpc/rpc.h>
/* k5-int.h is krb5's private header; this public header depends on it. */
#include <k5-int.h>
#include <krb5.h>
#include <krb5/kdb.h>
#include <com_err.h>
#include <kadm5/kadm_err.h>
#include <kadm5/chpass_util_strings.h>

/*
 * Service principal names used by the kadmin client and server.  The
 * "_P" spellings use the "service@name" form, the others the
 * "service/instance" form.
 */
#define KADM5_ADMIN_SERVICE_P "kadmin@admin"
/*
 * Solaris Kerberos:
 * The kadmin/admin principal is unused on Solaris. This principal is used
 * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
 * be used with host-based principals.
 *
 */
/* #define KADM5_ADMIN_SERVICE "kadmin/admin" */
#define KADM5_CHANGEPW_SERVICE_P "kadmin@changepw"
#define KADM5_CHANGEPW_SERVICE "kadmin/changepw"
#define KADM5_HIST_PRINCIPAL "kadmin/history"
/* Host-based service name components (the host part is supplied at runtime). */
#define KADM5_ADMIN_HOST_SERVICE "kadmin"
#define KADM5_CHANGEPW_HOST_SERVICE "changepw"
#define KADM5_KIPROP_HOST_SERVICE "kiprop"

typedef krb5_principal kadm5_princ_t;
/* A policy is identified by its name. */
typedef char *kadm5_policy_t;
/*
 * Return type of every kadm5_* entry point: KADM5_OK on success,
 * otherwise an error code (presumably the KADM5_* codes from
 * <kadm5/kadm_err.h>, which the OVSEC aliases at the end of this
 * file refer to).
 */
typedef long kadm5_ret_t;
/* Fixed-width names used by the RPC layer — presumably; confirm against the .x file. */
typedef int rpc_int32;
typedef unsigned int rpc_u_int32;

/* Localized prompt strings for the password-change utility routines. */
#define KADM5_PW_FIRST_PROMPT \
    (error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define KADM5_PW_SECOND_PROMPT \
    (error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))

/*
 * Successful return code
 */
#define KADM5_OK 0

/*
 * Field masks
 *
 * Each entry type has its own mask namespace: the principal, policy and
 * config masks below reuse the same numeric bit values (e.g. 0x004000 is
 * both KADM5_LAST_SUCCESS and KADM5_PW_MAX_LIFE), so a mask built for
 * one entry type must never be passed to a call that takes another.
 */

/* kadm5_principal_ent_t */
#define KADM5_PRINCIPAL 0x000001
#define KADM5_PRINC_EXPIRE_TIME 0x000002
#define KADM5_PW_EXPIRATION 0x000004
#define KADM5_LAST_PWD_CHANGE 0x000008
#define KADM5_ATTRIBUTES 0x000010
#define KADM5_MAX_LIFE 0x000020
#define KADM5_MOD_TIME 0x000040
#define KADM5_MOD_NAME 0x000080
#define KADM5_KVNO 0x000100
#define KADM5_MKVNO 0x000200
#define KADM5_AUX_ATTRIBUTES 0x000400
#define KADM5_POLICY 0x000800
#define KADM5_POLICY_CLR 0x001000
/* version 2 masks */
#define KADM5_MAX_RLIFE 0x002000
#define KADM5_LAST_SUCCESS 0x004000
#define KADM5_LAST_FAILED 0x008000
#define KADM5_FAIL_AUTH_COUNT 0x010000
#define KADM5_KEY_DATA 0x020000
#define KADM5_TL_DATA 0x040000
#ifdef notyet /* Novell */
#define KADM5_CPW_FUNCTION 0x080000
#define KADM5_RANDKEY_USED 0x100000
#endif
#define KADM5_LOAD 0x200000
/* Solaris Kerberos: adding support for key history in LDAP KDB */
#define KADM5_KEY_HIST 0x400000

/*
 * all but KEY_DATA and TL_DATA
 *
 * Numerically 0x01ffff covers KADM5_PRINCIPAL .. KADM5_FAIL_AUTH_COUNT
 * only, so it also leaves out KADM5_LOAD and KADM5_KEY_HIST (and the
 * "notyet" Novell bits); callers needing those must OR them in.
 */
#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff


/* kadm5_policy_ent_t */
#define KADM5_PW_MAX_LIFE 0x004000
#define KADM5_PW_MIN_LIFE 0x008000
#define KADM5_PW_MIN_LENGTH 0x010000
#define KADM5_PW_MIN_CLASSES 0x020000
#define KADM5_PW_HISTORY_NUM 0x040000
#define KADM5_REF_COUNT 0x080000

/* kadm5_config_params — one bit per member of the struct, matched by name. */
#define KADM5_CONFIG_REALM 0x0000001
#define KADM5_CONFIG_DBNAME 0x0000002
#define KADM5_CONFIG_MKEY_NAME 0x0000004
#define KADM5_CONFIG_MAX_LIFE 0x0000008
#define KADM5_CONFIG_MAX_RLIFE 0x0000010
#define KADM5_CONFIG_EXPIRATION 0x0000020
#define KADM5_CONFIG_FLAGS 0x0000040
#define KADM5_CONFIG_ADMIN_KEYTAB 0x0000080
#define KADM5_CONFIG_STASH_FILE 0x0000100
#define KADM5_CONFIG_ENCTYPE 0x0000200
#define KADM5_CONFIG_ADBNAME 0x0000400
#define KADM5_CONFIG_ADB_LOCKFILE 0x0000800
#define KADM5_CONFIG_PROFILE 0x0001000
#define KADM5_CONFIG_ACL_FILE 0x0002000
#define KADM5_CONFIG_KADMIND_PORT 0x0004000
#define KADM5_CONFIG_ENCTYPES 0x0008000
#define KADM5_CONFIG_ADMIN_SERVER 0x0010000
#define KADM5_CONFIG_DICT_FILE 0x0020000
#define KADM5_CONFIG_MKEY_FROM_KBD 0x0040000
#define KADM5_CONFIG_KPASSWD_PORT 0x0080000
#define KADM5_CONFIG_KPASSWD_SERVER 0x0100000
#define KADM5_CONFIG_KPASSWD_PROTOCOL 0x0200000
#define KADM5_CONFIG_IPROP_ENABLED 0x0400000
#define KADM5_CONFIG_ULOG_SIZE 0x0800000
#define KADM5_CONFIG_POLL_TIME 0x1000000

/*
 * password change constants
 *
 * Result codes carried in a change-password protocol reply.  Only
 * KRB5_KPASSWD_SUCCESS means the password was changed; everything else
 * is a failure the caller must surface to the user rather than retry
 * blindly (SOFTERROR and POLICY_REJECT indicate the request itself was
 * not acceptable, not a transient fault — presumably; confirm against
 * the client code).
 */
#define KRB5_KPASSWD_SUCCESS 0
#define KRB5_KPASSWD_MALFORMED 1
#define KRB5_KPASSWD_HARDERROR 2
#define KRB5_KPASSWD_AUTHERROR 3
#define KRB5_KPASSWD_SOFTERROR 4
#define KRB5_KPASSWD_ACCESSDENIED 5
#define KRB5_KPASSWD_BAD_VERSION 6
#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
#define KRB5_KPASSWD_POLICY_REJECT 8
#define KRB5_KPASSWD_BAD_PRINCIPAL 9
#define KRB5_KPASSWD_ETYPE_NOSUPP 10

/*
 * permission bits
 *
 * Bit flags describing what an admin session may do; see
 * kadm5_get_privs().
 */
#define KADM5_PRIV_GET 0x01
#define KADM5_PRIV_ADD 0x02
#define KADM5_PRIV_MODIFY 0x04
#define KADM5_PRIV_DELETE 0x08

/*
 * API versioning constants
 *
 * A version word is a fixed "magic" value in the upper 24 bits
 * (selected by KADM5_MASK_BITS) with the version number in the low
 * byte.  Callers pass KADM5_STRUCT_VERSION and one of the
 * KADM5_API_VERSION_* values to the kadm5_init* functions.
 */
#define KADM5_MASK_BITS 0xffffff00

#define KADM5_STRUCT_VERSION_MASK 0x12345600
#define KADM5_STRUCT_VERSION_1 (KADM5_STRUCT_VERSION_MASK|0x01)
#define KADM5_STRUCT_VERSION KADM5_STRUCT_VERSION_1

#define KADM5_API_VERSION_MASK 0x12345700
#define KADM5_API_VERSION_1 (KADM5_API_VERSION_MASK|0x01)
#define KADM5_API_VERSION_2 (KADM5_API_VERSION_MASK|0x02)

#ifdef KRB5_DNS_LOOKUP
/*
 * Name length constants for DNS lookups
 */
#define MAX_HOST_NAMELEN 256
#define MAX_DNS_NAMELEN (15*(MAX_HOST_NAMELEN + 1)+1)
#endif /* KRB5_DNS_LOOKUP */

/*
 * Principal entry, API version 2.  The first twelve members are laid
 * out identically to _kadm5_principal_ent_t_v1; the members after the
 * "version 2 fields" marker are the v2 additions.  Each member has a
 * corresponding KADM5_* field-mask bit above.
 */
typedef struct _kadm5_principal_ent_t_v2 {
    krb5_principal principal;
    krb5_timestamp princ_expire_time;
    krb5_timestamp last_pwd_change;
    krb5_timestamp pw_expiration;
    krb5_deltat max_life;
    krb5_principal mod_name;      /* who last modified the entry */
    krb5_timestamp mod_date;      /* when it was last modified */
    krb5_flags attributes;
    krb5_kvno kvno;
    krb5_kvno mkvno;              /* master key version the keys are under */
    char *policy;                 /* policy name, or presumably NULL if none */
    long aux_attributes;

    /* version 2 fields */
    krb5_deltat max_renewable_life;
    krb5_timestamp last_success;
    krb5_timestamp last_failed;
    krb5_kvno fail_auth_count;
    krb5_int16 n_key_data;        /* number of entries in key_data */
    krb5_int16 n_tl_data;         /* number of entries in tl_data */
    krb5_tl_data *tl_data;
    krb5_key_data *key_data;      /* key entries: sensitive material, handle with care */
} kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;

/* Principal entry, API version 1: the v2 layout without the v2 fields. */
typedef struct _kadm5_principal_ent_t_v1 {
    krb5_principal principal;
    krb5_timestamp princ_expire_time;
    krb5_timestamp last_pwd_change;
    krb5_timestamp pw_expiration;
    krb5_deltat max_life;
    krb5_principal mod_name;
    krb5_timestamp mod_date;
    krb5_flags attributes;
    krb5_kvno kvno;
    krb5_kvno mkvno;
    char *policy;
    long aux_attributes;
} kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;

/*
 * Select the principal-entry type by USE_KADM5_API_VERSION.  An
 * undefined macro evaluates to 0 in #if, so a translation unit that does
 * not define it gets the v2 struct here but NOT the prototypes guarded
 * by "USE_KADM5_API_VERSION > 1" further down — define the macro
 * explicitly.
 */
#if USE_KADM5_API_VERSION == 1
typedef struct _kadm5_principal_ent_t_v1
    kadm5_principal_ent_rec, *kadm5_principal_ent_t;
#else
typedef struct _kadm5_principal_ent_t_v2
    kadm5_principal_ent_rec, *kadm5_principal_ent_t;
#endif

/* Password policy entry; each member has a KADM5_PW_* / KADM5_REF_COUNT mask bit. */
typedef struct _kadm5_policy_ent_t {
    char *policy;
    long pw_min_life;
    long pw_max_life;
    long pw_min_length;
    long pw_min_classes;
    long pw_history_num;
    long policy_refcnt;           /* number of principals referencing the policy — per name; confirm */
} kadm5_policy_ent_rec, *kadm5_policy_ent_t;

/*
 * New types to indicate which protocol to use when sending
 * password change requests
 */
typedef enum {
    KRB5_CHGPWD_RPCSEC,
    KRB5_CHGPWD_CHANGEPW_V2
} krb5_chgpwd_prot;

/*
 * Data structure returned by kadm5_get_config_params()
 *
 * mask is a bitwise OR of the KADM5_CONFIG_* values naming which of the
 * remaining members hold a value.  Release with kadm5_free_config_params().
 *
 * NOTE(review): kpasswd_server is declared twice — once under
 * "#ifdef notyet" and again unconditionally below — so enabling the
 * Novell block as written would produce a duplicate-member error.
 */
typedef struct _kadm5_config_params {
    long mask;
    char *realm;
    int kadmind_port;
    int kpasswd_port;

    char *admin_server;
#ifdef notyet /* Novell */ /* ABI change? */
    char *kpasswd_server;
#endif

    char *dbname;
    char *admin_dbname;
    char *admin_lockfile;
    char *admin_keytab;
    char *acl_file;
    char *dict_file;

    int mkey_from_kbd;
    char *stash_file;
    char *mkey_name;
    krb5_enctype enctype;
    krb5_deltat max_life;
    krb5_deltat max_rlife;
    krb5_timestamp expiration;
    krb5_flags flags;
    krb5_key_salt_tuple *keysalts;
    krb5_int32 num_keysalts;      /* number of entries in keysalts */
    char *kpasswd_server;

    krb5_chgpwd_prot kpasswd_protocol;
    bool_t iprop_enabled;         /* bool_t from <rpc/types.h> */
    int iprop_ulogsize;
    char *iprop_polltime;
} kadm5_config_params;

/***********************************************************************
 * This is the old krb5_realm_read_params, which I mutated into
 * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
 * still uses.
 ***********************************************************************/

/*
 * Data structure returned by krb5_read_realm_params()
 *
 * The realm_*_valid bitfields record which of the correspondingly named
 * scalar members were actually read from configuration (per naming;
 * confirm against krb5_read_realm_params).
 */
typedef struct __krb5_realm_params {
    char *realm_profile;
    char *realm_dbname;
    char *realm_mkey_name;
    char *realm_stash_file;
    char *realm_kdc_ports;
    char *realm_kdc_tcp_ports;
    char *realm_acl_file;
    krb5_int32 realm_kadmind_port;
    krb5_enctype realm_enctype;
    krb5_deltat realm_max_life;
    krb5_deltat realm_max_rlife;
    krb5_timestamp realm_expiration;
    krb5_flags realm_flags;
    krb5_key_salt_tuple *realm_keysalts;
    unsigned int realm_reject_bad_transit:1;
    unsigned int realm_kadmind_port_valid:1;
    unsigned int realm_enctype_valid:1;
    unsigned int realm_max_life_valid:1;
    unsigned int realm_max_rlife_valid:1;
    unsigned int realm_expiration_valid:1;
    unsigned int realm_flags_valid:1;
    unsigned int realm_reject_bad_transit_valid:1;
    krb5_int32 realm_num_keysalts;
} krb5_realm_params;

/*
 * functions
 *
 * Unless noted, every function returns KADM5_OK on success.  The
 * server_handle parameter is the value produced by one of the
 * kadm5_init* functions and released by kadm5_destroy().
 */

/*
 * Build the host-based admin service name ("kadmin/<host>") for realm,
 * returned through host_service_name.  Ownership of the returned string
 * (who frees it) is not stated here — confirm against the implementation.
 */
kadm5_ret_t
kadm5_get_adm_host_srv_name(krb5_context context,
    const char *realm, char **host_service_name);

/* As kadm5_get_adm_host_srv_name, for the "changepw" host service. */
kadm5_ret_t
kadm5_get_cpw_host_srv_name(krb5_context context,
    const char *realm, char **host_service_name);

#if USE_KADM5_API_VERSION > 1
/*
 * Fill params_out from configuration; params_in presumably supplies
 * values that override the configured ones (confirm).  use_kdc_config
 * selects the KDC rather than the kadmind view of the config, per name.
 * Free the result with kadm5_free_config_params().
 */
krb5_error_code kadm5_get_config_params(krb5_context context,
                                        int use_kdc_config,
                                        kadm5_config_params *params_in,
                                        kadm5_config_params *params_out);

krb5_error_code kadm5_free_config_params(krb5_context context,
                                         kadm5_config_params *params);

/* Despite the name this takes a kadm5_config_params, not a krb5_realm_params. */
krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
                                        kadm5_config_params *params);

/*
 * Parameter names are omitted in this prototype; the size_t presumably
 * bounds the char * output buffer before it — confirm before use.
 */
krb5_error_code kadm5_get_admin_service_name(krb5_context, char *,
                                             char *, size_t);
#endif

/*
 * Open an admin session as client_name using the password pass for
 * service_name; the handle is returned through server_handle.
 * struct_version / api_version are the KADM5_STRUCT_VERSION and
 * KADM5_API_VERSION_* constants above.  With API version 1 the realm is
 * given directly, otherwise through params.
 *
 * pass is a plaintext secret in caller-owned memory; whether the library
 * clears it after use is not visible here, so callers holding it should
 * clear their own copy when done.
 */
kadm5_ret_t kadm5_init(char *client_name, char *pass,
                       char *service_name,
#if USE_KADM5_API_VERSION == 1
                       char *realm,
#else
                       kadm5_config_params *params,
#endif
                       krb5_ui_4 struct_version,
                       krb5_ui_4 api_version,
                       char **db_args,
                       void **server_handle);
/* Same contract as kadm5_init (password authentication). */
kadm5_ret_t kadm5_init_with_password(char *client_name,
                                     char *pass,
                                     char *service_name,
#if USE_KADM5_API_VERSION == 1
                                     char *realm,
#else
                                     kadm5_config_params *params,
#endif
                                     krb5_ui_4 struct_version,
                                     krb5_ui_4 api_version,
                                     char **db_args,
                                     void **server_handle);
/* As kadm5_init, but authenticating with the key found in keytab. */
kadm5_ret_t kadm5_init_with_skey(char *client_name,
                                 char *keytab,
                                 char *service_name,
#if USE_KADM5_API_VERSION == 1
                                 char *realm,
#else
                                 kadm5_config_params *params,
#endif
                                 krb5_ui_4 struct_version,
                                 krb5_ui_4 api_version,
                                 char **db_args,
                                 void **server_handle);
#if USE_KADM5_API_VERSION > 1
/* As kadm5_init, but authenticating with existing credentials in cc. */
kadm5_ret_t kadm5_init_with_creds(char *client_name,
                                  krb5_ccache cc,
                                  char *service_name,
                                  kadm5_config_params *params,
                                  krb5_ui_4 struct_version,
                                  krb5_ui_4 api_version,
                                  char **db_args,
                                  void **server_handle);
#endif
/* Take / release the database lock for the session (per name; confirm scope). */
kadm5_ret_t kadm5_lock(void *server_handle);
kadm5_ret_t kadm5_unlock(void *server_handle);
kadm5_ret_t kadm5_flush(void *server_handle);
/* Close the session opened by kadm5_init*; server_handle is invalid afterwards. */
kadm5_ret_t kadm5_destroy(void *server_handle);
/*
 * Check whether principal's password may be changed yet under its policy's
 * minimum lifetime.  On rejection a message is written into msg_ret, which
 * holds msg_len bytes — the caller sizes the buffer.
 */
kadm5_ret_t kadm5_check_min_life(void *server_handle, /* Solaris Kerberos */
                                 krb5_principal principal,
                                 char *msg_ret,
                                 unsigned int msg_len);
/*
 * Create the principal described by ent; mask (KADM5_* principal bits)
 * says which members of ent are meaningful.  pass is the initial
 * plaintext password (see the note on kadm5_init about clearing it).
 */
kadm5_ret_t kadm5_create_principal(void *server_handle,
                                   kadm5_principal_ent_t ent,
                                   long mask, char *pass);
/* As kadm5_create_principal, with an explicit list of n_ks_tuple key/salt types. */
kadm5_ret_t kadm5_create_principal_3(void *server_handle,
                                     kadm5_principal_ent_t ent,
                                     long mask,
                                     int n_ks_tuple,
                                     krb5_key_salt_tuple *ks_tuple,
                                     char *pass);
kadm5_ret_t kadm5_delete_principal(void *server_handle,
                                   krb5_principal principal);
/* Update the members of ent selected by mask. */
kadm5_ret_t kadm5_modify_principal(void *server_handle,
                                   kadm5_principal_ent_t ent,
                                   long mask);
/* Parameters are unnamed here; which is source and which is target is not stated. */
kadm5_ret_t kadm5_rename_principal(void *server_handle,
                                   krb5_principal,krb5_principal);
#if USE_KADM5_API_VERSION == 1
/* v1: the entry is returned through *ent (presumably library-allocated; free with kadm5_free_principal_ent). */
kadm5_ret_t kadm5_get_principal(void *server_handle,
                                krb5_principal principal,
                                kadm5_principal_ent_t *ent);
#else
/*
 * v2: fill the caller-provided ent with the members selected by mask.
 * Release the contents with kadm5_free_principal_ent().
 */
kadm5_ret_t kadm5_get_principal(void *server_handle,
                                krb5_principal principal,
                                kadm5_principal_ent_t ent,
                                long mask);
#endif
/* Set principal's password to the plaintext pass. */
kadm5_ret_t kadm5_chpass_principal(void *server_handle,
                                   krb5_principal principal,
                                   char *pass);
/* As kadm5_chpass_principal; keepold retains the previous keys, ks_tuple selects key/salt types. */
kadm5_ret_t kadm5_chpass_principal_3(void *server_handle,
                                     krb5_principal principal,
                                     krb5_boolean keepold,
                                     int n_ks_tuple,
                                     krb5_key_salt_tuple *ks_tuple,
                                     char *pass);
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t kadm5_randkey_principal(void *server_handle,
                                    krb5_principal principal,
                                    krb5_keyblock **keyblock);
#else

/*
 * Solaris Kerberos:
 * this routine is only implemented in the client library.
 */
kadm5_ret_t kadm5_randkey_principal_old(void *server_handle,
                                        krb5_principal principal,
                                        krb5_keyblock **keyblocks,
                                        int *n_keys);

/*
 * Replace principal's keys with random ones.  The new keys are returned
 * through keyblocks (n_keys entries): this is live key material, so the
 * caller must release it promptly — the matching free routine is not
 * declared in this header; confirm against the implementation.
 */
kadm5_ret_t kadm5_randkey_principal(void *server_handle,
                                    krb5_principal principal,
                                    krb5_keyblock **keyblocks,
                                    int *n_keys);
kadm5_ret_t kadm5_randkey_principal_3(void *server_handle,
                                      krb5_principal principal,
                                      krb5_boolean keepold,
                                      int n_ks_tuple,
                                      krb5_key_salt_tuple *ks_tuple,
                                      krb5_keyblock **keyblocks,
                                      int *n_keys);
#endif
/* Install a single Kerberos v4 key — legacy interface. */
kadm5_ret_t kadm5_setv4key_principal(void *server_handle,
                                     krb5_principal principal,
                                     krb5_keyblock *keyblock);

/* Install the n_keys caller-supplied keys in keyblocks for principal. */
kadm5_ret_t kadm5_setkey_principal(void *server_handle,
                                   krb5_principal principal,
                                   krb5_keyblock *keyblocks,
                                   int n_keys);

kadm5_ret_t kadm5_setkey_principal_3(void *server_handle,
                                     krb5_principal principal,
                                     krb5_boolean keepold,
                                     int n_ks_tuple,
                                     krb5_key_salt_tuple *ks_tuple,
                                     krb5_keyblock *keyblocks,
                                     int n_keys);

/*
 * Decrypt one key of entry selected by ktype/stype/kvno into keyblock
 * (and keysalt / *kvnop).  The output is a plaintext key.
 */
kadm5_ret_t kadm5_decrypt_key(void *server_handle,
                              kadm5_principal_ent_t entry, krb5_int32
                              ktype, krb5_int32 stype, krb5_int32
                              kvno, krb5_keyblock *keyblock,
                              krb5_keysalt *keysalt, int *kvnop);

/* Create the policy described by ent; mask uses the KADM5_PW_* policy bits. */
kadm5_ret_t kadm5_create_policy(void *server_handle,
                                kadm5_policy_ent_t ent,
                                long mask);
/*
 * kadm5_create_policy_internal is not part of the supported,
 * exposed API. It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_create_policy.
 */
kadm5_ret_t kadm5_create_policy_internal(void *server_handle,
                                         kadm5_policy_ent_t
                                         entry, long mask);
kadm5_ret_t kadm5_delete_policy(void *server_handle,
                                kadm5_policy_t policy);
kadm5_ret_t kadm5_modify_policy(void *server_handle,
                                kadm5_policy_ent_t ent,
                                long mask);
/*
 * kadm5_modify_policy_internal is not part of the supported,
 * exposed API. It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_modify_policy.
 */
kadm5_ret_t kadm5_modify_policy_internal(void *server_handle,
                                         kadm5_policy_ent_t
                                         entry, long mask);
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t kadm5_get_policy(void *server_handle,
                             kadm5_policy_t policy,
                             kadm5_policy_ent_t *ent);
#else
/* Fill the caller-provided ent for the named policy; release with kadm5_free_policy_ent(). */
kadm5_ret_t kadm5_get_policy(void *server_handle,
                             kadm5_policy_t policy,
                             kadm5_policy_ent_t ent);
#endif
/* Report the session's permissions in *privs, presumably as KADM5_PRIV_* bits. */
kadm5_ret_t kadm5_get_privs(void *server_handle,
                            long *privs);

/*
 * Change princ's password.  new_pw may carry the new password; how
 * ret_pw is used (e.g. to hand back a prompted-for password) is not
 * visible here — confirm against the implementation.  Status text goes
 * to msg_ret, a caller-supplied buffer of msg_len bytes.
 */
kadm5_ret_t kadm5_chpass_principal_util(void *server_handle,
                                        krb5_principal princ,
                                        char *new_pw,
                                        char **ret_pw,
                                        char *msg_ret,
                                        unsigned int msg_len);

/* Release what kadm5_get_principal() / kadm5_get_policy() filled in. */
kadm5_ret_t kadm5_free_principal_ent(void *server_handle,
                                     kadm5_principal_ent_t
                                     ent);
kadm5_ret_t kadm5_free_policy_ent(void *server_handle,
                                  kadm5_policy_ent_t ent);

/*
 * List principal names matching exp (a pattern, per name) into *princs
 * with *count entries.  Release the list with kadm5_free_name_list().
 */
kadm5_ret_t kadm5_get_principals(void *server_handle,
                                 char *exp, char ***princs,
                                 int *count);

/* As kadm5_get_principals, for policy names. */
kadm5_ret_t kadm5_get_policies(void *server_handle,
                               char *exp, char ***pols,
                               int *count);

#if USE_KADM5_API_VERSION > 1
/* Release a key_data array of *n_key_data entries (key material). */
kadm5_ret_t kadm5_free_key_data(void *server_handle,
                                krb5_int16 *n_key_data,
                                krb5_key_data *key_data);
#endif

kadm5_ret_t kadm5_free_name_list(void *server_handle, char **names,
                                 int count);

/* Create a krb5_context configured for kadm5 use (per name; confirm). */
krb5_error_code kadm5_init_krb5_context (krb5_context *);

#if USE_KADM5_API_VERSION == 1
/*
 * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time
 * compatible with KADM5_API_VERSION_2. Basically, this means we have
 * to continue to provide all the old ovsec_kadm function and symbol
 * names.
 *
 * Everything in this block is the legacy OpenVision (ovsec_kadm_*)
 * spelling of the kadm5 API above: same constants, same structure
 * layouts, same function contracts.  New code should use the kadm5_*
 * names.
 */

#define OVSEC_KADM_ACLFILE "/krb5/ovsec_adm.acl"
#define OVSEC_KADM_WORDFILE "/krb5/ovsec_adm.dict"

#define OVSEC_KADM_ADMIN_SERVICE "ovsec_adm/admin"
#define OVSEC_KADM_CHANGEPW_SERVICE "ovsec_adm/changepw"
#define OVSEC_KADM_HIST_PRINCIPAL "ovsec_adm/history"

typedef krb5_principal ovsec_kadm_princ_t;
typedef krb5_keyblock ovsec_kadm_keyblock;
typedef char *ovsec_kadm_policy_t;
typedef long ovsec_kadm_ret_t;

enum ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL };
enum ovsec_kadm_saltmod { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL };

/*
 * Unlike KADM5_PW_*_PROMPT these cast away the const on the string
 * error_message() returns; the text must still be treated as read-only,
 * writing through it would be undefined behavior.
 */
#define OVSEC_KADM_PW_FIRST_PROMPT \
    ((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define OVSEC_KADM_PW_SECOND_PROMPT \
    ((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))

/*
 * Successful return code
 */
#define OVSEC_KADM_OK 0

/*
 * Create/Modify masks
 */
/* principal */
#define OVSEC_KADM_PRINCIPAL 0x000001
#define OVSEC_KADM_PRINC_EXPIRE_TIME 0x000002
#define OVSEC_KADM_PW_EXPIRATION 0x000004
#define OVSEC_KADM_LAST_PWD_CHANGE 0x000008
#define OVSEC_KADM_ATTRIBUTES 0x000010
#define OVSEC_KADM_MAX_LIFE 0x000020
#define OVSEC_KADM_MOD_TIME 0x000040
#define OVSEC_KADM_MOD_NAME 0x000080
#define OVSEC_KADM_KVNO 0x000100
#define OVSEC_KADM_MKVNO 0x000200
#define OVSEC_KADM_AUX_ATTRIBUTES 0x000400
#define OVSEC_KADM_POLICY 0x000800
#define OVSEC_KADM_POLICY_CLR 0x001000
/* policy */
#define OVSEC_KADM_PW_MAX_LIFE 0x004000
#define OVSEC_KADM_PW_MIN_LIFE 0x008000
#define OVSEC_KADM_PW_MIN_LENGTH 0x010000
#define OVSEC_KADM_PW_MIN_CLASSES 0x020000
#define OVSEC_KADM_PW_HISTORY_NUM 0x040000
#define OVSEC_KADM_REF_COUNT 0x080000

/*
 * permission bits
 */
#define OVSEC_KADM_PRIV_GET 0x01
#define OVSEC_KADM_PRIV_ADD 0x02
#define OVSEC_KADM_PRIV_MODIFY 0x04
#define OVSEC_KADM_PRIV_DELETE 0x08

/*
 * API versioning constants
 */
#define OVSEC_KADM_MASK_BITS 0xffffff00

#define OVSEC_KADM_STRUCT_VERSION_MASK 0x12345600
#define OVSEC_KADM_STRUCT_VERSION_1 (OVSEC_KADM_STRUCT_VERSION_MASK|0x01)
#define OVSEC_KADM_STRUCT_VERSION OVSEC_KADM_STRUCT_VERSION_1

#define OVSEC_KADM_API_VERSION_MASK 0x12345700
#define OVSEC_KADM_API_VERSION_1 (OVSEC_KADM_API_VERSION_MASK|0x01)


/* Same layout as _kadm5_principal_ent_t_v1. */
typedef struct _ovsec_kadm_principal_ent_t {
    krb5_principal principal;
    krb5_timestamp princ_expire_time;
    krb5_timestamp last_pwd_change;
    krb5_timestamp pw_expiration;
    krb5_deltat max_life;
    krb5_principal mod_name;
    krb5_timestamp mod_date;
    krb5_flags attributes;
    krb5_kvno kvno;
    krb5_kvno mkvno;
    char *policy;
    long aux_attributes;
} ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t;

/* Same layout as _kadm5_policy_ent_t. */
typedef struct _ovsec_kadm_policy_ent_t {
    char *policy;
    long pw_min_life;
    long pw_max_life;
    long pw_min_length;
    long pw_min_classes;
    long pw_history_num;
    long policy_refcnt;
} ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t;

/*
 * functions
 *
 * Each ovsec_kadm_* function mirrors the kadm5_* function of the same
 * suffix (version 1 form); see the comments on those for the contracts.
 */
ovsec_kadm_ret_t ovsec_kadm_init(char *client_name, char *pass,
                                 char *service_name, char *realm,
                                 krb5_ui_4 struct_version,
                                 krb5_ui_4 api_version,
                                 char **db_args,
                                 void **server_handle);
ovsec_kadm_ret_t ovsec_kadm_init_with_password(char *client_name,
                                               char *pass,
                                               char *service_name,
                                               char *realm,
                                               krb5_ui_4 struct_version,
                                               krb5_ui_4 api_version,
                                               char **db_args,
                                               void **server_handle);
ovsec_kadm_ret_t ovsec_kadm_init_with_skey(char *client_name,
                                           char *keytab,
                                           char *service_name,
                                           char *realm,
                                           krb5_ui_4 struct_version,
                                           krb5_ui_4 api_version,
                                           char **db_args,
                                           void **server_handle);
ovsec_kadm_ret_t ovsec_kadm_flush(void *server_handle);
ovsec_kadm_ret_t ovsec_kadm_destroy(void *server_handle);
ovsec_kadm_ret_t ovsec_kadm_create_principal(void *server_handle,
                                             ovsec_kadm_principal_ent_t ent,
                                             long mask, char *pass);
ovsec_kadm_ret_t ovsec_kadm_delete_principal(void *server_handle,
                                             krb5_principal principal);
ovsec_kadm_ret_t ovsec_kadm_modify_principal(void *server_handle,
                                             ovsec_kadm_principal_ent_t ent,
                                             long mask);
ovsec_kadm_ret_t ovsec_kadm_rename_principal(void *server_handle,
                                             krb5_principal,krb5_principal);
ovsec_kadm_ret_t ovsec_kadm_get_principal(void *server_handle,
                                          krb5_principal principal,
                                          ovsec_kadm_principal_ent_t *ent);
ovsec_kadm_ret_t ovsec_kadm_chpass_principal(void *server_handle,
                                             krb5_principal principal,
                                             char *pass);
ovsec_kadm_ret_t ovsec_kadm_randkey_principal(void *server_handle,
                                              krb5_principal principal,
                                              krb5_keyblock **keyblock);
ovsec_kadm_ret_t ovsec_kadm_create_policy(void *server_handle,
                                          ovsec_kadm_policy_ent_t ent,
                                          long mask);
/*
 * ovsec_kadm_create_policy_internal is not part of the supported,
 * exposed API. It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from ovsec_kadm_create_policy.
 */
ovsec_kadm_ret_t ovsec_kadm_create_policy_internal(void *server_handle,
                                                   ovsec_kadm_policy_ent_t
                                                   entry, long mask);
ovsec_kadm_ret_t ovsec_kadm_delete_policy(void *server_handle,
                                          ovsec_kadm_policy_t policy);
ovsec_kadm_ret_t ovsec_kadm_modify_policy(void *server_handle,
                                          ovsec_kadm_policy_ent_t ent,
                                          long mask);
/*
 * ovsec_kadm_modify_policy_internal is not part of the supported,
 * exposed API. It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from ovsec_kadm_modify_policy.
 */
ovsec_kadm_ret_t ovsec_kadm_modify_policy_internal(void *server_handle,
                                                   ovsec_kadm_policy_ent_t
                                                   entry, long mask);
ovsec_kadm_ret_t ovsec_kadm_get_policy(void *server_handle,
                                       ovsec_kadm_policy_t policy,
                                       ovsec_kadm_policy_ent_t *ent);
ovsec_kadm_ret_t ovsec_kadm_get_privs(void *server_handle,
                                      long *privs);

/*
 * NOTE(review): unlike kadm5_chpass_principal_util this legacy form
 * takes no msg_len, so the callee cannot know how large msg_ret is;
 * callers must size msg_ret by whatever convention the implementation
 * assumes — confirm before relying on it.
 */
ovsec_kadm_ret_t ovsec_kadm_chpass_principal_util(void *server_handle,
                                                  krb5_principal princ,
                                                  char *new_pw,
                                                  char **ret_pw,
                                                  char *msg_ret);

ovsec_kadm_ret_t ovsec_kadm_free_principal_ent(void *server_handle,
                                               ovsec_kadm_principal_ent_t
                                               ent);
ovsec_kadm_ret_t ovsec_kadm_free_policy_ent(void *server_handle,
                                            ovsec_kadm_policy_ent_t ent);

ovsec_kadm_ret_t ovsec_kadm_free_name_list(void *server_handle,
                                           char **names, int count);

ovsec_kadm_ret_t ovsec_kadm_get_principals(void *server_handle,
                                           char *exp, char ***princs,
                                           int *count);

ovsec_kadm_ret_t ovsec_kadm_get_policies(void *server_handle,
                                         char *exp, char ***pols,
                                         int *count);

/* Legacy error-code names, aliased to the KADM5_* codes. */
#define OVSEC_KADM_FAILURE KADM5_FAILURE
#define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET
#define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD
#define OVSEC_KADM_AUTH_MODIFY KADM5_AUTH_MODIFY
#define OVSEC_KADM_AUTH_DELETE KADM5_AUTH_DELETE
#define OVSEC_KADM_AUTH_INSUFFICIENT KADM5_AUTH_INSUFFICIENT
#define OVSEC_KADM_BAD_DB KADM5_BAD_DB
#define OVSEC_KADM_DUP KADM5_DUP
#define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR
#define OVSEC_KADM_NO_SRV KADM5_NO_SRV
#define OVSEC_KADM_BAD_HIST_KEY KADM5_BAD_HIST_KEY
#define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT
#define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC
#define OVSEC_KADM_UNK_POLICY KADM5_UNK_POLICY
#define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK
#define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS
#define OVSEC_KADM_BAD_LENGTH KADM5_BAD_LENGTH
#define OVSEC_KADM_BAD_POLICY KADM5_BAD_POLICY
#define OVSEC_KADM_BAD_PRINCIPAL KADM5_BAD_PRINCIPAL
#define OVSEC_KADM_BAD_AUX_ATTR KADM5_BAD_AUX_ATTR
#define OVSEC_KADM_BAD_HISTORY KADM5_BAD_HISTORY
#define OVSEC_KADM_BAD_MIN_PASS_LIFE KADM5_BAD_MIN_PASS_LIFE
#define OVSEC_KADM_PASS_Q_TOOSHORT KADM5_PASS_Q_TOOSHORT
#define OVSEC_KADM_PASS_Q_CLASS KADM5_PASS_Q_CLASS
#define OVSEC_KADM_PASS_Q_DICT KADM5_PASS_Q_DICT
#define OVSEC_KADM_PASS_REUSE KADM5_PASS_REUSE
#define OVSEC_KADM_PASS_TOOSOON KADM5_PASS_TOOSOON
#define OVSEC_KADM_POLICY_REF KADM5_POLICY_REF
#define OVSEC_KADM_INIT KADM5_INIT
#define OVSEC_KADM_BAD_PASSWORD KADM5_BAD_PASSWORD
#define OVSEC_KADM_PROTECT_PRINCIPAL KADM5_PROTECT_PRINCIPAL
#define OVSEC_KADM_BAD_SERVER_HANDLE KADM5_BAD_SERVER_HANDLE
#define OVSEC_KADM_BAD_STRUCT_VERSION KADM5_BAD_STRUCT_VERSION
#define OVSEC_KADM_OLD_STRUCT_VERSION KADM5_OLD_STRUCT_VERSION
#define OVSEC_KADM_NEW_STRUCT_VERSION KADM5_NEW_STRUCT_VERSION
#define OVSEC_KADM_BAD_API_VERSION KADM5_BAD_API_VERSION
#define OVSEC_KADM_OLD_LIB_API_VERSION KADM5_OLD_LIB_API_VERSION
#define OVSEC_KADM_OLD_SERVER_API_VERSION KADM5_OLD_SERVER_API_VERSION
#define OVSEC_KADM_NEW_LIB_API_VERSION KADM5_NEW_LIB_API_VERSION
#define OVSEC_KADM_NEW_SERVER_API_VERSION KADM5_NEW_SERVER_API_VERSION
#define OVSEC_KADM_SECURE_PRINC_MISSING KADM5_SECURE_PRINC_MISSING
#define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT

#endif /* USE_KADM5_API_VERSION == 1 */

/*
 * The declarations below are unconditional and look like internal
 * helpers rather than part of the versioned API; treat them as
 * implementation detail unless the library documents them otherwise.
 */

/* Maximum principal-name length used by trunc_name() — per name; confirm. */
#define MAXPRINCLEN 125

/* Shorten a name to fit: *len is the length in/out, *dots presumably receives the ellipsis marker — confirm. */
void trunc_name(size_t *len, char **dots);

/* Leading-underscore file-scope name: reserved by C, kept for ABI compatibility. */
krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle);
/*
 * Change princ's password via the change-password v2 protocol.  The
 * server's result code (presumably a KRB5_KPASSWD_* value) is returned
 * through srvr_rsp_code and its message through srvr_msg.
 */
kadm5_ret_t kadm5_chpass_principal_v2(void *server_handle,
                                      krb5_principal princ,
                                      char *new_password,
                                      kadm5_ret_t *srvr_rsp_code,
                                      krb5_data *srvr_msg);

/*
 * Server-side handler for one change-password request; s is presumably
 * the socket the request arrived on — confirm against the server code.
 */
void handle_chpw(krb5_context context, int s, void *serverhandle,
                 kadm5_config_params *params);

#ifdef __cplusplus
}
#endif

#endif /* __KADM5_ADMIN_H__ */