/*
 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Include guard. Note that __KADM5_ADMIN_H__ (and the __krb5_* struct tags
 * further down) are identifiers C reserves for the implementation
 * (C11 7.1.3); they keep their historical names because they are part of
 * the installed interface.
 */
#ifndef __KADM5_ADMIN_H__
#define __KADM5_ADMIN_H__

#pragma ident "%Z%%M% %I% %E% SMI"

#ifdef __cplusplus
extern "C" {
#endif

/*
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 * Openvision retains the copyright to derivative works of
 * this source code. Do *NOT* create a derivative of this
 * source code before consulting with your legal department.
 * Do *NOT* integrate *ANY* of this source code into another
 * product before consulting with your legal department.
 *
 * For further information, read the top-level Openvision
 * copyright which is contained in the top-level MIT Kerberos
 * copyright.
 *
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 */
/*
 * lib/kadm5/admin.h
 *
 * Copyright 2001 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 *
 */
/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
 *
 * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin.h,v 1.54 2004/08/21 02:31:09 tlyu Exp $
 */

#include <sys/types.h>
#include <rpc/types.h>
#include <rpc/rpc.h>
#include <krb5.h>
/*
 * k5-int.h is the krb5 internal header; pulling it into this public header
 * exposes private krb5 declarations to every consumer of the kadm5 API.
 */
#include <k5-int.h>
#include <com_err.h>
#include <kadm5/kadm_err.h>
#include <kadm5/adb_err.h>
#include <kadm5/chpass_util_strings.h>

/*
 * Principal names of the administration and password-change services.
 * The *_P spellings use '@' as the component separator, the others '/'.
 * KADM5_HIST_PRINCIPAL names the principal whose key protects the
 * password history.
 */
#define KADM5_ADMIN_SERVICE_P		"kadmin@admin"
#define KADM5_ADMIN_SERVICE		"kadmin/admin"
#define KADM5_CHANGEPW_SERVICE_P	"kadmin@changepw"
#define KADM5_CHANGEPW_SERVICE		"kadmin/changepw"
#define KADM5_HIST_PRINCIPAL		"kadmin/history"
#define KADM5_ADMIN_HOST_SERVICE	"kadmin"
#define KADM5_CHANGEPW_HOST_SERVICE	"changepw"
#define KADM5_KIPROP_HOST_SERVICE	"kiprop"

typedef krb5_principal	kadm5_princ_t;
typedef char		*kadm5_policy_t;	/* policy name */
typedef long		kadm5_ret_t;		/* KADM5_OK or an error code */
typedef int		rpc_int32;
typedef unsigned int	rpc_u_int32;

/*
 * Password prompts, looked up through com_err's error_message() each time
 * the macro is evaluated.
 */
#define KADM5_PW_FIRST_PROMPT \
	(error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define KADM5_PW_SECOND_PROMPT \
	(error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))

/*
 * Successful return code
 */
#define KADM5_OK	0

/*
 * Field masks
 *
 * Each group below is a separate bit namespace; a mask word is only
 * meaningful together with the structure it was built for.
 */

/* kadm5_principal_ent_t */
#define KADM5_PRINCIPAL		0x000001
#define KADM5_PRINC_EXPIRE_TIME	0x000002
#define KADM5_PW_EXPIRATION	0x000004
#define KADM5_LAST_PWD_CHANGE	0x000008
#define KADM5_ATTRIBUTES	0x000010
#define KADM5_MAX_LIFE		0x000020
#define KADM5_MOD_TIME		0x000040
#define KADM5_MOD_NAME		0x000080
#define KADM5_KVNO		0x000100
#define KADM5_MKVNO		0x000200
#define KADM5_AUX_ATTRIBUTES	0x000400
#define KADM5_POLICY		0x000800
#define KADM5_POLICY_CLR	0x001000
/* version 2 masks */
#define KADM5_MAX_RLIFE		0x002000
#define KADM5_LAST_SUCCESS	0x004000
#define KADM5_LAST_FAILED	0x008000
#define KADM5_FAIL_AUTH_COUNT	0x010000
#define KADM5_KEY_DATA		0x020000
#define KADM5_TL_DATA		0x040000
/* all but KEY_DATA and TL_DATA */
/* 0x01ffff: every bit from KADM5_PRINCIPAL through KADM5_FAIL_AUTH_COUNT */
#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff

/*
 * kadm5_policy_ent_t
 *
 * These values overlap the version-2 principal masks (e.g. KADM5_PW_MAX_LIFE
 * and KADM5_LAST_SUCCESS are both 0x004000); never combine principal and
 * policy masks in one word.
 */
#define KADM5_PW_MAX_LIFE	0x004000
#define KADM5_PW_MIN_LIFE	0x008000
#define KADM5_PW_MIN_LENGTH	0x010000
#define KADM5_PW_MIN_CLASSES	0x020000
#define KADM5_PW_HISTORY_NUM	0x040000
#define KADM5_REF_COUNT		0x080000

/* kadm5_config_params */
#define KADM5_CONFIG_REALM		0x0000001
#define KADM5_CONFIG_DBNAME		0x0000002
#define KADM5_CONFIG_MKEY_NAME		0x0000004
#define KADM5_CONFIG_MAX_LIFE		0x0000008
#define KADM5_CONFIG_MAX_RLIFE		0x0000010
#define KADM5_CONFIG_EXPIRATION		0x0000020
#define KADM5_CONFIG_FLAGS		0x0000040
#define KADM5_CONFIG_ADMIN_KEYTAB	0x0000080
#define KADM5_CONFIG_STASH_FILE		0x0000100
#define KADM5_CONFIG_ENCTYPE		0x0000200
#define KADM5_CONFIG_ADBNAME		0x0000400
#define KADM5_CONFIG_ADB_LOCKFILE	0x0000800
#define KADM5_CONFIG_PROFILE		0x0001000
#define KADM5_CONFIG_ACL_FILE		0x0002000
#define KADM5_CONFIG_KADMIND_PORT	0x0004000
#define KADM5_CONFIG_ENCTYPES		0x0008000
#define KADM5_CONFIG_ADMIN_SERVER	0x0010000
#define KADM5_CONFIG_DICT_FILE		0x0020000
#define KADM5_CONFIG_MKEY_FROM_KBD	0x0040000
#define KADM5_CONFIG_KPASSWD_PORT	0x0080000
#define KADM5_CONFIG_KPASSWD_SERVER	0x0100000
#define KADM5_CONFIG_KPASSWD_PROTOCOL	0x0200000
#define KADM5_CONFIG_IPROP_ENABLED	0x0400000
#define KADM5_CONFIG_ULOG_SIZE		0x0800000
#define KADM5_CONFIG_POLL_TIME		0x1000000

/* password change constants */
/* Status codes of the password-change protocol; 0 is the only success value. */
#define KRB5_KPASSWD_SUCCESS		0
#define KRB5_KPASSWD_MALFORMED		1
#define KRB5_KPASSWD_HARDERROR		2
#define KRB5_KPASSWD_AUTHERROR		3
#define KRB5_KPASSWD_SOFTERROR		4
#define KRB5_KPASSWD_ACCESSDENIED	5
#define KRB5_KPASSWD_BAD_VERSION	6
#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
#define KRB5_KPASSWD_POLICY_REJECT	8
#define KRB5_KPASSWD_BAD_PRINCIPAL	9
#define KRB5_KPASSWD_ETYPE_NOSUPP	10

/*
 * permission bits
 *
 * Privilege bits reported by kadm5_get_privs(); one bit per operation class.
 */
#define KADM5_PRIV_GET		0x01
#define KADM5_PRIV_ADD		0x02
#define KADM5_PRIV_MODIFY	0x04
#define KADM5_PRIV_DELETE	0x08

/*
 * API versioning constants
 *
 * The high 24 bits (KADM5_MASK_BITS) identify the kind of version number,
 * the low byte carries the version itself.
 */
#define KADM5_MASK_BITS		0xffffff00

#define KADM5_STRUCT_VERSION_MASK	0x12345600
#define KADM5_STRUCT_VERSION_1	(KADM5_STRUCT_VERSION_MASK|0x01)
#define KADM5_STRUCT_VERSION	KADM5_STRUCT_VERSION_1

#define KADM5_API_VERSION_MASK	0x12345700
#define KADM5_API_VERSION_1	(KADM5_API_VERSION_MASK|0x01)
#define KADM5_API_VERSION_2	(KADM5_API_VERSION_MASK|0x02)

#ifdef KRB5_DNS_LOOKUP
/*
 * Name length constants for DNS lookups
 *
 * MAX_DNS_NAMELEN allows fifteen host names of MAX_HOST_NAMELEN plus a
 * separator each, plus a terminating NUL.
 */
#define MAX_HOST_NAMELEN 256
#define MAX_DNS_NAMELEN (15*(MAX_HOST_NAMELEN + 1)+1)
#endif /* KRB5_DNS_LOOKUP */

/*
 * Principal entry, API version 2. Which members are valid on input or
 * output is governed by the KADM5_* principal field masks above.
 */
typedef struct _kadm5_principal_ent_t_v2 {
	krb5_principal	principal;
	krb5_timestamp	princ_expire_time;
	krb5_timestamp	last_pwd_change;
	krb5_timestamp	pw_expiration;
	krb5_deltat	max_life;
	krb5_principal	mod_name;
	krb5_timestamp	mod_date;
	krb5_flags	attributes;
	krb5_kvno	kvno;
	krb5_kvno	mkvno;
	char		*policy;
	long		aux_attributes;

	/* version 2 fields */
	krb5_deltat	max_renewable_life;
	krb5_timestamp	last_success;
	krb5_timestamp	last_failed;
	krb5_kvno	fail_auth_count;
	krb5_int16	n_key_data;	/* element count of key_data */
	krb5_int16	n_tl_data;	/* element count of tl_data */
	krb5_tl_data	*tl_data;
	/* Per-key records; treat as sensitive (see kadm5_free_key_data). */
	krb5_key_data	*key_data;
} kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;

/* Principal entry, API version 1: the version-2 layout without the trailing fields. */
typedef struct _kadm5_principal_ent_t_v1 {
	krb5_principal	principal;
	krb5_timestamp	princ_expire_time;
	krb5_timestamp	last_pwd_change;
	krb5_timestamp	pw_expiration;
	krb5_deltat	max_life;
	krb5_principal	mod_name;
	krb5_timestamp	mod_date;
	krb5_flags	attributes;
	krb5_kvno	kvno;
	krb5_kvno	mkvno;
	char		*policy;
	long		aux_attributes;
} kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;

/*
 * kadm5_principal_ent_t resolves to the v1 or v2 layout depending on the
 * USE_KADM5_API_VERSION the including translation unit was built with;
 * mixing objects compiled with different values is an ABI mismatch.
 */
#if USE_KADM5_API_VERSION == 1
typedef struct _kadm5_principal_ent_t_v1
	kadm5_principal_ent_rec, *kadm5_principal_ent_t;
#else
typedef struct _kadm5_principal_ent_t_v2
	kadm5_principal_ent_rec, *kadm5_principal_ent_t;
#endif

/* Password policy entry; members are selected by the KADM5_PW_* / KADM5_REF_COUNT masks. */
typedef struct _kadm5_policy_ent_t {
	char		*policy;
	long		pw_min_life;
	long		pw_max_life;
	long		pw_min_length;
	long		pw_min_classes;
	long		pw_history_num;
	long		policy_refcnt;	/* number of principals referencing the policy */
} kadm5_policy_ent_rec, *kadm5_policy_ent_t;

/* Enctype / salt-type pair used to describe which keys a principal gets. */
typedef struct __krb5_key_salt_tuple {
	krb5_enctype	ks_enctype;
	krb5_int32	ks_salttype;
} krb5_key_salt_tuple;

/*
 * New types to indicate which protocol to use when sending
 * password change requests
 */
typedef enum {
	KRB5_CHGPWD_RPCSEC,
	KRB5_CHGPWD_CHANGEPW_V2
} krb5_chgpwd_prot;

/*
 * Data structure returned by kadm5_get_config_params()
 *
 * mask holds KADM5_CONFIG_* bits saying which members are set. Several
 * members name files the server opens (dbname, admin_keytab, acl_file,
 * dict_file, stash_file); their provenance is the configuration, so
 * treat the permissions on those paths as part of the security boundary.
 */
typedef struct _kadm5_config_params {
	long		mask;
	char		*realm;
	char		*profile;
	int		kadmind_port;
	int		kpasswd_port;

	char		*admin_server;

	char		*dbname;
	char		*admin_dbname;
	char		*admin_lockfile;
	char		*admin_keytab;
	char		*acl_file;
	char		*dict_file;

	int		mkey_from_kbd;	/* non-zero: read the master key from the keyboard rather than stash_file */
	char		*stash_file;
	char		*mkey_name;
	krb5_enctype	enctype;
	krb5_deltat	max_life;
	krb5_deltat	max_rlife;
	krb5_timestamp	expiration;
	krb5_flags	flags;
	krb5_key_salt_tuple *keysalts;
	krb5_int32	num_keysalts;	/* element count of keysalts */
	char		*kpasswd_server;

	krb5_chgpwd_prot kpasswd_protocol;	/* which password-change protocol to speak */
	bool_t		iprop_enabled;		/* bool_t comes from <rpc/types.h> */
	int		iprop_ulogsize;
	char		*iprop_polltime;
} kadm5_config_params;

/***********************************************************************
 * This is the old krb5_realm_read_params, which I mutated into
 * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
 * still uses.
 ***********************************************************************/

/*
 * Data structure returned by krb5_read_realm_params()
 *
 * The *_valid bit-fields record which of the scalar members were actually
 * set; a member whose *_valid bit is clear holds no meaningful value.
 */
typedef struct __krb5_realm_params {
	char		*realm_profile;
	char		*realm_dbname;
	char		*realm_mkey_name;
	char		*realm_stash_file;
	char		*realm_kdc_ports;
	char		*realm_kdc_tcp_ports;
	char		*realm_acl_file;
	krb5_int32	realm_kadmind_port;
	krb5_enctype	realm_enctype;
	krb5_deltat	realm_max_life;
	krb5_deltat	realm_max_rlife;
	krb5_timestamp	realm_expiration;
	krb5_flags	realm_flags;
	krb5_key_salt_tuple *realm_keysalts;
	unsigned int	realm_reject_bad_transit:1;
	unsigned int	realm_kadmind_port_valid:1;
	unsigned int	realm_enctype_valid:1;
	unsigned int	realm_max_life_valid:1;
	unsigned int	realm_max_rlife_valid:1;
	unsigned int	realm_expiration_valid:1;
	unsigned int	realm_flags_valid:1;
	unsigned int	realm_reject_bad_transit_valid:1;
	krb5_int32	realm_num_keysalts;	/* element count of realm_keysalts */
} krb5_realm_params;

/*
 * functions
 */

/*
 * Resolve the admin (kadmin) host-based service name for realm into
 * *host_service_name. NOTE(review): the page does not show who owns the
 * returned string; confirm the matching free routine before use.
 */
kadm5_ret_t
kadm5_get_adm_host_srv_name(krb5_context context,
			    const char *realm, char **host_service_name);

/* Same as above for the changepw host-based service. */
kadm5_ret_t
kadm5_get_cpw_host_srv_name(krb5_context context,
			    const char *realm, char **host_service_name);

#if USE_KADM5_API_VERSION > 1
/*
 * Fill *params_out from the profile/environment named by kdcprofile and
 * kdcenv, taking overrides from *params_in; params_out->mask reports which
 * KADM5_CONFIG_* members were populated. Release with
 * kadm5_free_config_params().
 */
krb5_error_code kadm5_get_config_params(krb5_context context,
					char *kdcprofile, char *kdcenv,
					kadm5_config_params *params_in,
					kadm5_config_params *params_out);

krb5_error_code kadm5_free_config_params(krb5_context context,
					 kadm5_config_params *params);

/* Despite the name this takes a kadm5_config_params, not a krb5_realm_params. */
krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
					kadm5_config_params *params);

/*
 * Build the admin service name into the caller's buffer; the size_t is the
 * buffer length, so the callee can bound its write.
 */
krb5_error_code kadm5_get_admin_service_name(krb5_context, char *,
					     char *, size_t);
#endif
/*
 * Session establishment.
 *
 * client_name  -- principal acting as the administrator
 * pass         -- cleartext password (kadm5_init, kadm5_init_with_password);
 *                 the caller owns that buffer and should clear it once the
 *                 handle is established
 * keytab       -- keytab path (kadm5_init_with_skey)
 * cc           -- credential cache (kadm5_init_with_creds)
 * service_name -- service principal to authenticate to
 * realm/params -- realm name (API v1) or configuration (API v2+)
 * struct_version, api_version -- must match KADM5_STRUCT_VERSION /
 *                 KADM5_API_VERSION_* the caller was compiled against
 * *server_handle receives the opaque handle passed to every other call;
 *                 release it with kadm5_destroy().
 */
kadm5_ret_t    kadm5_init(char *client_name, char *pass,
			  char *service_name,
#if USE_KADM5_API_VERSION == 1
			  char *realm,
#else
			  kadm5_config_params *params,
#endif
			  krb5_ui_4 struct_version,
			  krb5_ui_4 api_version,
			  void **server_handle);
kadm5_ret_t    kadm5_init_with_password(char *client_name,
					char *pass,
					char *service_name,
#if USE_KADM5_API_VERSION == 1
					char *realm,
#else
					kadm5_config_params *params,
#endif
					krb5_ui_4 struct_version,
					krb5_ui_4 api_version,
					void **server_handle);
kadm5_ret_t    kadm5_init_with_skey(char *client_name,
				    char *keytab,
				    char *service_name,
#if USE_KADM5_API_VERSION == 1
				    char *realm,
#else
				    kadm5_config_params *params,
#endif
				    krb5_ui_4 struct_version,
				    krb5_ui_4 api_version,
				    void **server_handle);
#if USE_KADM5_API_VERSION > 1
kadm5_ret_t    kadm5_init_with_creds(char *client_name,
				     krb5_ccache cc,
				     char *service_name,
				     kadm5_config_params *params,
				     krb5_ui_4 struct_version,
				     krb5_ui_4 api_version,
				     void **server_handle);
#endif
/* Handle-level operations; server_handle is the value filled in by kadm5_init*. */
kadm5_ret_t    kadm5_lock(void *server_handle);
kadm5_ret_t    kadm5_unlock(void *server_handle);
kadm5_ret_t    kadm5_flush(void *server_handle);
kadm5_ret_t    kadm5_destroy(void *server_handle);

/*
 * Principal operations. mask is a combination of the KADM5_* principal
 * field masks naming the members of ent that are valid. pass, where
 * present, is a cleartext password owned by the caller.
 */
kadm5_ret_t    kadm5_create_principal(void *server_handle,
				      kadm5_principal_ent_t ent,
				      long mask, char *pass);
/* As kadm5_create_principal, with explicit key/salt tuples (n_ks_tuple entries). */
kadm5_ret_t    kadm5_create_principal_3(void *server_handle,
					kadm5_principal_ent_t ent,
					long mask,
					int n_ks_tuple,
					krb5_key_salt_tuple *ks_tuple,
					char *pass);
kadm5_ret_t    kadm5_delete_principal(void *server_handle,
				      krb5_principal principal);
kadm5_ret_t    kadm5_modify_principal(void *server_handle,
				      kadm5_principal_ent_t ent,
				      long mask);
kadm5_ret_t    kadm5_rename_principal(void *server_handle,
				      krb5_principal,krb5_principal);
/*
 * Look up a principal. In API v1 the library allocates *ent; in v2+ the
 * caller supplies ent and mask selects which members to fill. Either way
 * release the contents with kadm5_free_principal_ent().
 */
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t    kadm5_get_principal(void *server_handle,
				   krb5_principal principal,
				   kadm5_principal_ent_t *ent);
#else
kadm5_ret_t    kadm5_get_principal(void *server_handle,
				   krb5_principal principal,
				   kadm5_principal_ent_t ent,
				   long mask);
#endif
kadm5_ret_t    kadm5_chpass_principal(void *server_handle,
				      krb5_principal principal,
				      char *pass);
/* keepold: keep the previous keys alongside the new ones. */
kadm5_ret_t    kadm5_chpass_principal_3(void *server_handle,
					krb5_principal principal,
					krb5_boolean keepold,
					int n_ks_tuple,
					krb5_key_salt_tuple *ks_tuple,
					char *pass);
/*
 * Randomize a principal's keys. The new keys are returned to the caller in
 * *keyblocks (n_keys entries in v2+), so the caller holds live key material
 * and must clear and release it. NOTE(review): the page shows no dedicated
 * free routine for keyblocks; confirm which one the library expects.
 */
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
				       krb5_principal principal,
				       krb5_keyblock **keyblock);
#else

/*
 * Solaris Kerberos:
 * this routine is only implemented in the client library.
 */
kadm5_ret_t    kadm5_randkey_principal_old(void *server_handle,
					   krb5_principal principal,
					   krb5_keyblock **keyblocks,
					   int *n_keys);

kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
				       krb5_principal principal,
				       krb5_keyblock **keyblocks,
				       int *n_keys);
kadm5_ret_t    kadm5_randkey_principal_3(void *server_handle,
					 krb5_principal principal,
					 krb5_boolean keepold,
					 int n_ks_tuple,
					 krb5_key_salt_tuple *ks_tuple,
					 krb5_keyblock **keyblocks,
					 int *n_keys);
#endif
/* Set explicit keys. keyblocks is caller-supplied key material (n_keys entries). */
kadm5_ret_t    kadm5_setv4key_principal(void *server_handle,
					krb5_principal principal,
					krb5_keyblock *keyblock);

kadm5_ret_t    kadm5_setkey_principal(void *server_handle,
				      krb5_principal principal,
				      krb5_keyblock *keyblocks,
				      int n_keys);

kadm5_ret_t    kadm5_setkey_principal_3(void *server_handle,
					krb5_principal principal,
					krb5_boolean keepold,
					int n_ks_tuple,
					krb5_key_salt_tuple *ks_tuple,
					krb5_keyblock *keyblocks,
					int n_keys);

/*
 * Decrypt one of entry's keys, selected by enctype ktype, salt type stype
 * and kvno, into *keyblock (with *keysalt and *kvnop describing it).
 * *keyblock holds plaintext key material on return; clear it before release.
 */
kadm5_ret_t    kadm5_decrypt_key(void *server_handle,
				 kadm5_principal_ent_t entry, krb5_int32
				 ktype, krb5_int32 stype, krb5_int32
				 kvno, krb5_keyblock *keyblock,
				 krb5_keysalt *keysalt, int *kvnop);

/* Policy operations; mask is a combination of the KADM5_PW_* / KADM5_REF_COUNT masks. */
kadm5_ret_t    kadm5_create_policy(void *server_handle,
				   kadm5_policy_ent_t ent,
				   long mask);
/*
 * kadm5_create_policy_internal is not part of the supported,
 * exposed API. It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_create_policy.
 */
kadm5_ret_t    kadm5_create_policy_internal(void *server_handle,
					    kadm5_policy_ent_t
					    entry, long mask);
kadm5_ret_t    kadm5_delete_policy(void *server_handle,
				   kadm5_policy_t policy);
kadm5_ret_t    kadm5_modify_policy(void *server_handle,
				   kadm5_policy_ent_t ent,
				   long mask);
/*
 * kadm5_modify_policy_internal is not part of the supported,
 * exposed API. It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_modify_policy.
 */
kadm5_ret_t    kadm5_modify_policy_internal(void *server_handle,
					    kadm5_policy_ent_t
					    entry, long mask);
/* As with kadm5_get_principal: v1 allocates *ent, v2+ fills a caller-supplied ent. */
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t    kadm5_get_policy(void *server_handle,
				kadm5_policy_t policy,
				kadm5_policy_ent_t *ent);
#else
kadm5_ret_t    kadm5_get_policy(void *server_handle,
				kadm5_policy_t policy,
				kadm5_policy_ent_t ent);
#endif
/* *privs receives the caller's KADM5_PRIV_* permission bits. */
kadm5_ret_t    kadm5_get_privs(void *server_handle,
			       long *privs);

/*
 * Change princ's password to new_pw (prompting when new_pw is NULL is
 * implied by KADM5_PW_*_PROMPT above but not shown here -- confirm).
 * Any message is written into msg_ret, bounded by msg_len; contrast the
 * legacy ovsec_kadm_chpass_principal_util below, which has no length.
 */
kadm5_ret_t    kadm5_chpass_principal_util(void *server_handle,
					   krb5_principal princ,
					   char *new_pw,
					   char **ret_pw,
					   char *msg_ret,
					   unsigned int msg_len);

/* Release the contents of an entry filled by kadm5_get_principal / kadm5_get_policy. */
kadm5_ret_t    kadm5_free_principal_ent(void *server_handle,
					kadm5_principal_ent_t
					ent);
kadm5_ret_t    kadm5_free_policy_ent(void *server_handle,
				     kadm5_policy_ent_t ent);

/*
 * List principals / policies matching the pattern exp; *princs (*pols)
 * receives an array of *count names. Release with kadm5_free_name_list().
 */
kadm5_ret_t    kadm5_get_principals(void *server_handle,
				    char *exp, char ***princs,
				    int *count);

kadm5_ret_t    kadm5_get_policies(void *server_handle,
				  char *exp, char ***pols,
				  int *count);

#if USE_KADM5_API_VERSION > 1
/* Release key_data (*n_key_data records) obtained via KADM5_KEY_DATA; it holds key material. */
kadm5_ret_t    kadm5_free_key_data(void *server_handle,
				   krb5_int16 *n_key_data,
				   krb5_key_data *key_data);
#endif

kadm5_ret_t    kadm5_free_name_list(void *server_handle, char **names,
				    int count);

#if USE_KADM5_API_VERSION == 1
/*
 * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time
 * compatible with KADM5_API_VERSION_2. Basically, this means we have
 * to continue to provide all the old ovsec_kadm function and symbol
 * names.
 */

/* Absolute paths of the legacy ACL and dictionary files. */
#define OVSEC_KADM_ACLFILE	"/krb5/ovsec_adm.acl"
#define OVSEC_KADM_WORDFILE	"/krb5/ovsec_adm.dict"

#define OVSEC_KADM_ADMIN_SERVICE	"ovsec_adm/admin"
#define OVSEC_KADM_CHANGEPW_SERVICE	"ovsec_adm/changepw"
#define OVSEC_KADM_HIST_PRINCIPAL	"ovsec_adm/history"

typedef krb5_principal	ovsec_kadm_princ_t;
typedef krb5_keyblock	ovsec_kadm_keyblock;
typedef char		*ovsec_kadm_policy_t;
typedef long		ovsec_kadm_ret_t;

enum ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL };
enum ovsec_kadm_saltmod { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL };

/*
 * Legacy prompts. The (char *) cast discards the const of error_message()'s
 * result; the string must still be treated as read-only.
 */
#define OVSEC_KADM_PW_FIRST_PROMPT \
	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define OVSEC_KADM_PW_SECOND_PROMPT \
	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))

/*
 * Successful return code
 */
#define OVSEC_KADM_OK	0

/*
 * Create/Modify masks
 *
 * Same values and the same separate-namespace caveat as the KADM5_* masks.
 */
/* principal */
#define OVSEC_KADM_PRINCIPAL		0x000001
#define OVSEC_KADM_PRINC_EXPIRE_TIME	0x000002
#define OVSEC_KADM_PW_EXPIRATION	0x000004
#define OVSEC_KADM_LAST_PWD_CHANGE	0x000008
#define OVSEC_KADM_ATTRIBUTES		0x000010
#define OVSEC_KADM_MAX_LIFE		0x000020
#define OVSEC_KADM_MOD_TIME		0x000040
#define OVSEC_KADM_MOD_NAME		0x000080
#define OVSEC_KADM_KVNO			0x000100
#define OVSEC_KADM_MKVNO		0x000200
#define OVSEC_KADM_AUX_ATTRIBUTES	0x000400
#define OVSEC_KADM_POLICY		0x000800
#define OVSEC_KADM_POLICY_CLR		0x001000
/* policy */
#define OVSEC_KADM_PW_MAX_LIFE		0x004000
#define OVSEC_KADM_PW_MIN_LIFE		0x008000
#define OVSEC_KADM_PW_MIN_LENGTH	0x010000
#define OVSEC_KADM_PW_MIN_CLASSES	0x020000
#define OVSEC_KADM_PW_HISTORY_NUM	0x040000
#define OVSEC_KADM_REF_COUNT		0x080000

/*
 * permission bits
 */
#define OVSEC_KADM_PRIV_GET	0x01
#define OVSEC_KADM_PRIV_ADD	0x02
#define OVSEC_KADM_PRIV_MODIFY	0x04
#define OVSEC_KADM_PRIV_DELETE	0x08

/*
 * API versioning constants
 */
#define OVSEC_KADM_MASK_BITS		0xffffff00

#define OVSEC_KADM_STRUCT_VERSION_MASK	0x12345600
#define OVSEC_KADM_STRUCT_VERSION_1	(OVSEC_KADM_STRUCT_VERSION_MASK|0x01)
#define OVSEC_KADM_STRUCT_VERSION	OVSEC_KADM_STRUCT_VERSION_1

#define OVSEC_KADM_API_VERSION_MASK	0x12345700
#define OVSEC_KADM_API_VERSION_1	(OVSEC_KADM_API_VERSION_MASK|0x01)


/* Legacy principal entry; member-for-member the same as kadm5_principal_ent_rec_v1. */
typedef struct _ovsec_kadm_principal_ent_t {
	krb5_principal	principal;
	krb5_timestamp	princ_expire_time;
	krb5_timestamp	last_pwd_change;
	krb5_timestamp	pw_expiration;
	krb5_deltat	max_life;
	krb5_principal	mod_name;
	krb5_timestamp	mod_date;
	krb5_flags	attributes;
	krb5_kvno	kvno;
	krb5_kvno	mkvno;
	char		*policy;
	long		aux_attributes;
} ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t;

/* Legacy policy entry; member-for-member the same as kadm5_policy_ent_rec. */
typedef struct _ovsec_kadm_policy_ent_t {
	char		*policy;
	long		pw_min_life;
	long		pw_max_life;
	long		pw_min_length;
	long		pw_min_classes;
	long		pw_history_num;
	long		policy_refcnt;
} ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t;

/*
 * functions
 *
 * Legacy API-version-1 entry points; semantics as for the kadm5_* function
 * of the same name, with a realm string in place of kadm5_config_params.
 */
ovsec_kadm_ret_t    ovsec_kadm_init(char *client_name, char *pass,
				    char *service_name, char *realm,
				    krb5_ui_4 struct_version,
				    krb5_ui_4 api_version,
				    void **server_handle);
ovsec_kadm_ret_t    ovsec_kadm_init_with_password(char *client_name,
						  char *pass,
						  char *service_name,
						  char *realm,
						  krb5_ui_4 struct_version,
						  krb5_ui_4 api_version,
						  void **server_handle);
ovsec_kadm_ret_t    ovsec_kadm_init_with_skey(char *client_name,
					      char *keytab,
					      char *service_name,
					      char *realm,
					      krb5_ui_4 struct_version,
					      krb5_ui_4 api_version,
					      void **server_handle);
ovsec_kadm_ret_t    ovsec_kadm_flush(void *server_handle);
ovsec_kadm_ret_t    ovsec_kadm_destroy(void *server_handle);
ovsec_kadm_ret_t    ovsec_kadm_create_principal(void *server_handle,
						ovsec_kadm_principal_ent_t ent,
						long mask, char *pass);
ovsec_kadm_ret_t    ovsec_kadm_delete_principal(void *server_handle,
						krb5_principal principal);
ovsec_kadm_ret_t    ovsec_kadm_modify_principal(void *server_handle,
						ovsec_kadm_principal_ent_t ent,
						long mask);
ovsec_kadm_ret_t    ovsec_kadm_rename_principal(void *server_handle,
						krb5_principal,krb5_principal);
ovsec_kadm_ret_t    ovsec_kadm_get_principal(void *server_handle,
					     krb5_principal principal,
					     ovsec_kadm_principal_ent_t *ent);
ovsec_kadm_ret_t    ovsec_kadm_chpass_principal(void *server_handle,
						krb5_principal principal,
						char *pass);
/* *keyblock receives the new key; clear and release it when done. */
ovsec_kadm_ret_t    ovsec_kadm_randkey_principal(void *server_handle,
						 krb5_principal principal,
						 krb5_keyblock **keyblock);
ovsec_kadm_ret_t    ovsec_kadm_create_policy(void *server_handle,
					     ovsec_kadm_policy_ent_t ent,
					     long mask);
/*
 * ovsec_kadm_create_policy_internal is not part of the supported,
 * exposed API. It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from ovsec_kadm_create_policy.
 */
ovsec_kadm_ret_t    ovsec_kadm_create_policy_internal(void *server_handle,
						      ovsec_kadm_policy_ent_t
						      entry, long mask);
ovsec_kadm_ret_t    ovsec_kadm_delete_policy(void *server_handle,
					     ovsec_kadm_policy_t policy);
ovsec_kadm_ret_t    ovsec_kadm_modify_policy(void *server_handle,
					     ovsec_kadm_policy_ent_t ent,
					     long mask);
/*
 * ovsec_kadm_modify_policy_internal is not part of the supported,
 * exposed API. It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from ovsec_kadm_modify_policy.
 */
ovsec_kadm_ret_t    ovsec_kadm_modify_policy_internal(void *server_handle,
						      ovsec_kadm_policy_ent_t
						      entry, long mask);
ovsec_kadm_ret_t    ovsec_kadm_get_policy(void *server_handle,
					  ovsec_kadm_policy_t policy,
					  ovsec_kadm_policy_ent_t *ent);
ovsec_kadm_ret_t    ovsec_kadm_get_privs(void *server_handle,
					 long *privs);

/*
 * Legacy password-change helper. Unlike kadm5_chpass_principal_util there
 * is no msg_len parameter, so the callee cannot bound what it writes into
 * msg_ret; callers must provide a buffer large enough for the longest
 * message the library can produce.
 */
ovsec_kadm_ret_t    ovsec_kadm_chpass_principal_util(void *server_handle,
						     krb5_principal princ,
						     char *new_pw,
						     char **ret_pw,
						     char *msg_ret);

ovsec_kadm_ret_t    ovsec_kadm_free_principal_ent(void *server_handle,
						  ovsec_kadm_principal_ent_t
						  ent);
ovsec_kadm_ret_t    ovsec_kadm_free_policy_ent(void *server_handle,
					       ovsec_kadm_policy_ent_t ent);

ovsec_kadm_ret_t    ovsec_kadm_free_name_list(void *server_handle,
					      char **names, int count);

ovsec_kadm_ret_t    ovsec_kadm_get_principals(void *server_handle,
					      char *exp, char ***princs,
					      int *count);

ovsec_kadm_ret_t    ovsec_kadm_get_policies(void *server_handle,
					    char *exp, char ***pols,
					    int *count);

/*
 * Legacy error-code names mapped onto the KADM5_* codes (presumably from
 * <kadm5/kadm_err.h>, included above).
 */
#define OVSEC_KADM_FAILURE			KADM5_FAILURE
#define OVSEC_KADM_AUTH_GET			KADM5_AUTH_GET
#define OVSEC_KADM_AUTH_ADD			KADM5_AUTH_ADD
#define OVSEC_KADM_AUTH_MODIFY			KADM5_AUTH_MODIFY
#define OVSEC_KADM_AUTH_DELETE			KADM5_AUTH_DELETE
#define OVSEC_KADM_AUTH_INSUFFICIENT		KADM5_AUTH_INSUFFICIENT
#define OVSEC_KADM_BAD_DB			KADM5_BAD_DB
#define OVSEC_KADM_DUP				KADM5_DUP
#define OVSEC_KADM_RPC_ERROR			KADM5_RPC_ERROR
#define OVSEC_KADM_NO_SRV			KADM5_NO_SRV
#define OVSEC_KADM_BAD_HIST_KEY			KADM5_BAD_HIST_KEY
#define OVSEC_KADM_NOT_INIT			KADM5_NOT_INIT
#define OVSEC_KADM_UNK_PRINC			KADM5_UNK_PRINC
#define OVSEC_KADM_UNK_POLICY			KADM5_UNK_POLICY
#define OVSEC_KADM_BAD_MASK			KADM5_BAD_MASK
#define OVSEC_KADM_BAD_CLASS			KADM5_BAD_CLASS
#define OVSEC_KADM_BAD_LENGTH			KADM5_BAD_LENGTH
#define OVSEC_KADM_BAD_POLICY			KADM5_BAD_POLICY
#define OVSEC_KADM_BAD_PRINCIPAL		KADM5_BAD_PRINCIPAL
#define OVSEC_KADM_BAD_AUX_ATTR			KADM5_BAD_AUX_ATTR
#define OVSEC_KADM_BAD_HISTORY			KADM5_BAD_HISTORY
#define OVSEC_KADM_BAD_MIN_PASS_LIFE		KADM5_BAD_MIN_PASS_LIFE
/* Password-quality rejections: too short, too few character classes, dictionary word, reuse, too soon. */
#define OVSEC_KADM_PASS_Q_TOOSHORT		KADM5_PASS_Q_TOOSHORT
#define OVSEC_KADM_PASS_Q_CLASS			KADM5_PASS_Q_CLASS
#define OVSEC_KADM_PASS_Q_DICT			KADM5_PASS_Q_DICT
#define OVSEC_KADM_PASS_REUSE			KADM5_PASS_REUSE
#define OVSEC_KADM_PASS_TOOSOON			KADM5_PASS_TOOSOON
#define OVSEC_KADM_POLICY_REF			KADM5_POLICY_REF
#define OVSEC_KADM_INIT				KADM5_INIT
#define OVSEC_KADM_BAD_PASSWORD			KADM5_BAD_PASSWORD
#define OVSEC_KADM_PROTECT_PRINCIPAL		KADM5_PROTECT_PRINCIPAL
#define OVSEC_KADM_BAD_SERVER_HANDLE		KADM5_BAD_SERVER_HANDLE
/* Struct/API version negotiation failures (see the *_VERSION constants above). */
#define OVSEC_KADM_BAD_STRUCT_VERSION		KADM5_BAD_STRUCT_VERSION
#define OVSEC_KADM_OLD_STRUCT_VERSION		KADM5_OLD_STRUCT_VERSION
#define OVSEC_KADM_NEW_STRUCT_VERSION		KADM5_NEW_STRUCT_VERSION
#define OVSEC_KADM_BAD_API_VERSION		KADM5_BAD_API_VERSION
#define OVSEC_KADM_OLD_LIB_API_VERSION		KADM5_OLD_LIB_API_VERSION
#define OVSEC_KADM_OLD_SERVER_API_VERSION	KADM5_OLD_SERVER_API_VERSION
#define OVSEC_KADM_NEW_LIB_API_VERSION		KADM5_NEW_LIB_API_VERSION
#define OVSEC_KADM_NEW_SERVER_API_VERSION	KADM5_NEW_SERVER_API_VERSION
#define OVSEC_KADM_SECURE_PRINC_MISSING		KADM5_SECURE_PRINC_MISSING
#define OVSEC_KADM_NO_RENAME_SALT		KADM5_NO_RENAME_SALT

#endif /* USE_KADM5_API_VERSION == 1 */

/*
 * Report which password-change protocol (krb5_chgpwd_prot) the handle is
 * configured to use. The leading underscore marks it as a library-private
 * entry point rather than part of the supported API.
 */
krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle);

/*
 * Change princ's password to new_password over the v2 changepw protocol.
 * *srvr_rsp_code receives the server's status code and *srvr_msg any
 * accompanying message. NOTE(review): srvr_msg presumably carries text
 * returned by the remote server; callers that display it should treat it as
 * data (never as a format string) and respect srvr_msg->length -- confirm.
 */
kadm5_ret_t kadm5_chpass_principal_v2(void *server_handle,
				      krb5_principal princ,
				      char *new_password,
				      kadm5_ret_t *srvr_rsp_code,
				      krb5_data *srvr_msg);

/*
 * Server-side handler for one password-change request.
 * NOTE(review): s appears to be a socket descriptor and params the server
 * configuration; the request read from s is network input and must be
 * validated by the implementation -- confirm against the definition.
 */
void handle_chpw(krb5_context context, int s, void *serverhandle,
		 kadm5_config_params *params);

#ifdef __cplusplus
}
#endif

#endif /* __KADM5_ADMIN_H__ */