xref: /titanic_50/usr/src/lib/krb5/kadm5/admin.h (revision 84f7a9b9dca4f23b5f50edef0e59d7eb44301114)
1 /*
2  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #ifndef	__KADM5_ADMIN_H__
7 #define	__KADM5_ADMIN_H__
8 
9 #pragma ident	"%Z%%M%	%I%	%E% SMI"
10 
11 #ifdef __cplusplus
12 extern "C" {
13 #endif
14 
15 /*
16  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
17  *
18  *	Openvision retains the copyright to derivative works of
19  *	this source code.  Do *NOT* create a derivative of this
20  *	source code before consulting with your legal department.
21  *	Do *NOT* integrate *ANY* of this source code into another
22  *	product before consulting with your legal department.
23  *
24  *	For further information, read the top-level Openvision
25  *	copyright which is contained in the top-level MIT Kerberos
26  *	copyright.
27  *
28  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
29  *
30  */
31 /*
32  * lib/kadm5/admin.h
33  *
34  * Copyright 2001 by the Massachusetts Institute of Technology.
35  * All Rights Reserved.
36  *
37  * Export of this software from the United States of America may
38  *   require a specific license from the United States Government.
39  *   It is the responsibility of any person or organization contemplating
40  *   export to obtain such a license before exporting.
41  *
42  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43  * distribute this software and its documentation for any purpose and
44  * without fee is hereby granted, provided that the above copyright
45  * notice appear in all copies and that both that copyright notice and
46  * this permission notice appear in supporting documentation, and that
47  * the name of M.I.T. not be used in advertising or publicity pertaining
48  * to distribution of the software without specific, written prior
49  * permission.  Furthermore if you modify this software you must label
50  * your software as modified software and not distribute it in such a
51  * fashion that it might be confused with the original M.I.T. software.
52  * M.I.T. makes no representations about the suitability of
53  * this software for any purpose.  It is provided "as is" without express
54  * or implied warranty.
55  *
56  */
57 /*
58  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
59  *
60  * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin.h,v 1.54 2004/08/21 02:31:09 tlyu Exp $
61  */
62 
63 #include	<sys/types.h>
64 #include	<rpc/types.h>
65 #include	<rpc/rpc.h>
66 #include	<krb5.h>
67 #include	<k5-int.h>
68 #include	<com_err.h>
69 #include	<kadm5/kadm_err.h>
70 #include	<kadm5/adb_err.h>
71 #include	<kadm5/chpass_util_strings.h>
72 
73 #define KADM5_ADMIN_SERVICE_P	"kadmin@admin"
74 #define KADM5_ADMIN_SERVICE	"kadmin/admin"
75 #define KADM5_CHANGEPW_SERVICE_P	"kadmin@changepw"
76 #define KADM5_CHANGEPW_SERVICE	"kadmin/changepw"
77 #define KADM5_HIST_PRINCIPAL	"kadmin/history"
78 #define KADM5_ADMIN_HOST_SERVICE "kadmin"
79 #define KADM5_CHANGEPW_HOST_SERVICE "changepw"
80 #define KADM5_KIPROP_HOST_SERVICE "kiprop"
81 
82 typedef krb5_principal	kadm5_princ_t;
83 typedef	char		*kadm5_policy_t;
84 typedef long		kadm5_ret_t;
85 typedef int rpc_int32;
86 typedef unsigned int rpc_u_int32;
87 
88 #define KADM5_PW_FIRST_PROMPT \
89 	(error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
90 #define KADM5_PW_SECOND_PROMPT \
91 	(error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
92 
93 /*
94  * Successful return code
95  */
96 #define KADM5_OK	0
97 
98 /*
99  * Field masks
100  */
101 
102 /* kadm5_principal_ent_t */
103 #define KADM5_PRINCIPAL		0x000001
104 #define KADM5_PRINC_EXPIRE_TIME	0x000002
105 #define KADM5_PW_EXPIRATION	0x000004
106 #define KADM5_LAST_PWD_CHANGE	0x000008
107 #define KADM5_ATTRIBUTES	0x000010
108 #define KADM5_MAX_LIFE		0x000020
109 #define KADM5_MOD_TIME		0x000040
110 #define KADM5_MOD_NAME		0x000080
111 #define KADM5_KVNO		0x000100
112 #define KADM5_MKVNO		0x000200
113 #define KADM5_AUX_ATTRIBUTES	0x000400
114 #define KADM5_POLICY		0x000800
115 #define KADM5_POLICY_CLR	0x001000
116 /* version 2 masks */
117 #define KADM5_MAX_RLIFE		0x002000
118 #define KADM5_LAST_SUCCESS	0x004000
119 #define KADM5_LAST_FAILED	0x008000
120 #define KADM5_FAIL_AUTH_COUNT	0x010000
121 #define KADM5_KEY_DATA		0x020000
122 #define KADM5_TL_DATA		0x040000
123 /* all but KEY_DATA and TL_DATA */
124 #define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
125 
126 /* kadm5_policy_ent_t */
127 #define KADM5_PW_MAX_LIFE	0x004000
128 #define KADM5_PW_MIN_LIFE	0x008000
129 #define KADM5_PW_MIN_LENGTH	0x010000
130 #define KADM5_PW_MIN_CLASSES	0x020000
131 #define KADM5_PW_HISTORY_NUM	0x040000
132 #define KADM5_REF_COUNT		0x080000
133 
134 /* kadm5_config_params */
135 #define KADM5_CONFIG_REALM		0x0000001
136 #define KADM5_CONFIG_DBNAME		0x0000002
137 #define KADM5_CONFIG_MKEY_NAME		0x0000004
138 #define KADM5_CONFIG_MAX_LIFE		0x0000008
139 #define KADM5_CONFIG_MAX_RLIFE		0x0000010
140 #define KADM5_CONFIG_EXPIRATION		0x0000020
141 #define KADM5_CONFIG_FLAGS		0x0000040
142 #define KADM5_CONFIG_ADMIN_KEYTAB	0x0000080
143 #define KADM5_CONFIG_STASH_FILE		0x0000100
144 #define KADM5_CONFIG_ENCTYPE		0x0000200
145 #define KADM5_CONFIG_ADBNAME		0x0000400
146 #define KADM5_CONFIG_ADB_LOCKFILE	0x0000800
147 #define KADM5_CONFIG_PROFILE		0x0001000
148 #define KADM5_CONFIG_ACL_FILE		0x0002000
149 #define KADM5_CONFIG_KADMIND_PORT	0x0004000
150 #define KADM5_CONFIG_ENCTYPES		0x0008000
151 #define KADM5_CONFIG_ADMIN_SERVER	0x0010000
152 #define KADM5_CONFIG_DICT_FILE		0x0020000
153 #define KADM5_CONFIG_MKEY_FROM_KBD	0x0040000
154 #define KADM5_CONFIG_KPASSWD_PORT	0x0080000
155 #define KADM5_CONFIG_KPASSWD_SERVER	0x0100000
156 #define	KADM5_CONFIG_KPASSWD_PROTOCOL	0x0200000
157 #define	KADM5_CONFIG_IPROP_ENABLED	0x0400000
158 #define	KADM5_CONFIG_ULOG_SIZE		0x0800000
159 #define	KADM5_CONFIG_POLL_TIME		0x1000000
160 
161 /* password change constants */
162 #define	KRB5_KPASSWD_SUCCESS		0
163 #define	KRB5_KPASSWD_MALFORMED		1
164 #define	KRB5_KPASSWD_HARDERROR		2
165 #define	KRB5_KPASSWD_AUTHERROR		3
166 #define	KRB5_KPASSWD_SOFTERROR		4
167 #define	KRB5_KPASSWD_ACCESSDENIED	5
168 #define	KRB5_KPASSWD_BAD_VERSION	6
169 #define	KRB5_KPASSWD_INITIAL_FLAG_NEEDED	7
170 #define	KRB5_KPASSWD_POLICY_REJECT	8
171 #define	KRB5_KPASSWD_BAD_PRINCIPAL	9
172 #define	KRB5_KPASSWD_ETYPE_NOSUPP	10
173 
174 /*
175  * permission bits
176  */
177 #define KADM5_PRIV_GET		0x01
178 #define KADM5_PRIV_ADD		0x02
179 #define KADM5_PRIV_MODIFY	0x04
180 #define KADM5_PRIV_DELETE	0x08
181 
182 /*
183  * API versioning constants
184  */
185 #define KADM5_MASK_BITS		0xffffff00
186 
187 #define KADM5_STRUCT_VERSION_MASK	0x12345600
188 #define KADM5_STRUCT_VERSION_1	(KADM5_STRUCT_VERSION_MASK|0x01)
189 #define KADM5_STRUCT_VERSION	KADM5_STRUCT_VERSION_1
190 
191 #define KADM5_API_VERSION_MASK	0x12345700
192 #define KADM5_API_VERSION_1	(KADM5_API_VERSION_MASK|0x01)
193 #define KADM5_API_VERSION_2	(KADM5_API_VERSION_MASK|0x02)
194 
195 #ifdef KRB5_DNS_LOOKUP
196 /*
197  * Name length constants for DNS lookups
198  */
199 #define	MAX_HOST_NAMELEN 256
200 #define	MAX_DNS_NAMELEN (15*(MAX_HOST_NAMELEN + 1)+1)
201 #endif /* KRB5_DNS_LOOKUP */
202 
203 typedef struct _kadm5_principal_ent_t_v2 {
204 	krb5_principal	principal;
205 	krb5_timestamp	princ_expire_time;
206 	krb5_timestamp	last_pwd_change;
207 	krb5_timestamp	pw_expiration;
208 	krb5_deltat	max_life;
209 	krb5_principal	mod_name;
210 	krb5_timestamp	mod_date;
211 	krb5_flags	attributes;
212 	krb5_kvno	kvno;
213 	krb5_kvno	mkvno;
214 	char		*policy;
215 	long		aux_attributes;
216 
217 	/* version 2 fields */
218 	krb5_deltat max_renewable_life;
219         krb5_timestamp last_success;
220         krb5_timestamp last_failed;
221         krb5_kvno fail_auth_count;
222 	krb5_int16 n_key_data;
223 	krb5_int16 n_tl_data;
224         krb5_tl_data *tl_data;
225 	krb5_key_data *key_data;
226 } kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;
227 
228 typedef struct _kadm5_principal_ent_t_v1 {
229 	krb5_principal	principal;
230 	krb5_timestamp	princ_expire_time;
231 	krb5_timestamp	last_pwd_change;
232 	krb5_timestamp	pw_expiration;
233 	krb5_deltat	max_life;
234 	krb5_principal	mod_name;
235 	krb5_timestamp	mod_date;
236 	krb5_flags	attributes;
237 	krb5_kvno	kvno;
238 	krb5_kvno	mkvno;
239 	char		*policy;
240 	long		aux_attributes;
241 } kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;
242 
243 #if USE_KADM5_API_VERSION == 1
244 typedef struct _kadm5_principal_ent_t_v1
245      kadm5_principal_ent_rec, *kadm5_principal_ent_t;
246 #else
247 typedef struct _kadm5_principal_ent_t_v2
248      kadm5_principal_ent_rec, *kadm5_principal_ent_t;
249 #endif
250 
251 typedef struct _kadm5_policy_ent_t {
252 	char		*policy;
253 	long		pw_min_life;
254 	long		pw_max_life;
255 	long		pw_min_length;
256 	long		pw_min_classes;
257 	long		pw_history_num;
258 	long		policy_refcnt;
259 } kadm5_policy_ent_rec, *kadm5_policy_ent_t;
260 
261 typedef struct __krb5_key_salt_tuple {
262      krb5_enctype	ks_enctype;
263      krb5_int32		ks_salttype;
264 } krb5_key_salt_tuple;
265 
266 /*
267  * New types to indicate which protocol to use when sending
268  * password change requests
269  */
270 typedef enum {
271 	KRB5_CHGPWD_RPCSEC,
272 	KRB5_CHGPWD_CHANGEPW_V2
273 } krb5_chgpwd_prot;
274 
275 /*
276  * Data structure returned by kadm5_get_config_params()
277  */
278 typedef struct _kadm5_config_params {
279      long		mask;
280      char *		realm;
281      char *		profile;
282      int		kadmind_port;
283      int		kpasswd_port;
284 
285      char *		admin_server;
286 
287      char *		dbname;
288      char *		admin_dbname;
289      char *		admin_lockfile;
290      char *		admin_keytab;
291      char *		acl_file;
292      char *		dict_file;
293 
294      int		mkey_from_kbd;
295      char *		stash_file;
296      char *		mkey_name;
297      krb5_enctype	enctype;
298      krb5_deltat	max_life;
299      krb5_deltat	max_rlife;
300      krb5_timestamp	expiration;
301      krb5_flags		flags;
302      krb5_key_salt_tuple *keysalts;
303      krb5_int32		num_keysalts;
304      char 			*kpasswd_server;
305 
306      krb5_chgpwd_prot	kpasswd_protocol;
307      bool_t			iprop_enabled;
308      int			iprop_ulogsize;
309      char			*iprop_polltime;
310 } kadm5_config_params;
311 
312 /***********************************************************************
313  * This is the old krb5_realm_read_params, which I mutated into
314  * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
315  * still uses.
316  ***********************************************************************/
317 
318 /*
319  * Data structure returned by krb5_read_realm_params()
320  */
321 typedef struct __krb5_realm_params {
322     char *		realm_profile;
323     char *		realm_dbname;
324     char *		realm_mkey_name;
325     char *		realm_stash_file;
326     char *		realm_kdc_ports;
327     char *		realm_kdc_tcp_ports;
328     char *		realm_acl_file;
329     krb5_int32		realm_kadmind_port;
330     krb5_enctype	realm_enctype;
331     krb5_deltat		realm_max_life;
332     krb5_deltat		realm_max_rlife;
333     krb5_timestamp	realm_expiration;
334     krb5_flags		realm_flags;
335     krb5_key_salt_tuple	*realm_keysalts;
336     unsigned int	realm_reject_bad_transit:1;
337     unsigned int	realm_kadmind_port_valid:1;
338     unsigned int	realm_enctype_valid:1;
339     unsigned int	realm_max_life_valid:1;
340     unsigned int	realm_max_rlife_valid:1;
341     unsigned int	realm_expiration_valid:1;
342     unsigned int	realm_flags_valid:1;
343     unsigned int	realm_reject_bad_transit_valid:1;
344     krb5_int32		realm_num_keysalts;
345 } krb5_realm_params;
346 
347 /*
348  * functions
349  */
350 
351 kadm5_ret_t
352 kadm5_get_adm_host_srv_name(krb5_context context,
353                            const char *realm, char **host_service_name);
354 
355 kadm5_ret_t
356 kadm5_get_cpw_host_srv_name(krb5_context context,
357                            const char *realm, char **host_service_name);
358 
359 #if USE_KADM5_API_VERSION > 1
360 krb5_error_code kadm5_get_config_params(krb5_context context,
361 					char *kdcprofile, char *kdcenv,
362 					kadm5_config_params *params_in,
363 					kadm5_config_params *params_out);
364 
365 krb5_error_code kadm5_free_config_params(krb5_context context,
366 					 kadm5_config_params *params);
367 
368 krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
369 					kadm5_config_params *params);
370 
371 krb5_error_code kadm5_get_admin_service_name(krb5_context, char *,
372 					     char *, size_t);
373 #endif
374 
375 kadm5_ret_t    kadm5_init(char *client_name, char *pass,
376 			  char *service_name,
377 #if USE_KADM5_API_VERSION == 1
378 			  char *realm,
379 #else
380 			  kadm5_config_params *params,
381 #endif
382 			  krb5_ui_4 struct_version,
383 			  krb5_ui_4 api_version,
384 			  void **server_handle);
385 kadm5_ret_t    kadm5_init_with_password(char *client_name,
386 					char *pass,
387 					char *service_name,
388 #if USE_KADM5_API_VERSION == 1
389 					char *realm,
390 #else
391 					kadm5_config_params *params,
392 #endif
393 					krb5_ui_4 struct_version,
394 					krb5_ui_4 api_version,
395 					void **server_handle);
396 kadm5_ret_t    kadm5_init_with_skey(char *client_name,
397 				    char *keytab,
398 				    char *service_name,
399 #if USE_KADM5_API_VERSION == 1
400 				    char *realm,
401 #else
402 				    kadm5_config_params *params,
403 #endif
404 				    krb5_ui_4 struct_version,
405 				    krb5_ui_4 api_version,
406 				    void **server_handle);
407 #if USE_KADM5_API_VERSION > 1
408 kadm5_ret_t    kadm5_init_with_creds(char *client_name,
409 				     krb5_ccache cc,
410 				     char *service_name,
411 				     kadm5_config_params *params,
412 				     krb5_ui_4 struct_version,
413 				     krb5_ui_4 api_version,
414 				     void **server_handle);
415 #endif
416 kadm5_ret_t    kadm5_lock(void *server_handle);
417 kadm5_ret_t    kadm5_unlock(void *server_handle);
418 kadm5_ret_t    kadm5_flush(void *server_handle);
419 kadm5_ret_t    kadm5_destroy(void *server_handle);
420 kadm5_ret_t    kadm5_create_principal(void *server_handle,
421 				      kadm5_principal_ent_t ent,
422 				      long mask, char *pass);
423 kadm5_ret_t    kadm5_create_principal_3(void *server_handle,
424 					kadm5_principal_ent_t ent,
425 					long mask,
426 					int n_ks_tuple,
427 					krb5_key_salt_tuple *ks_tuple,
428 					char *pass);
429 kadm5_ret_t    kadm5_delete_principal(void *server_handle,
430 				      krb5_principal principal);
431 kadm5_ret_t    kadm5_modify_principal(void *server_handle,
432 				      kadm5_principal_ent_t ent,
433 				      long mask);
434 kadm5_ret_t    kadm5_rename_principal(void *server_handle,
435 				      krb5_principal,krb5_principal);
436 #if USE_KADM5_API_VERSION == 1
437 kadm5_ret_t    kadm5_get_principal(void *server_handle,
438 				   krb5_principal principal,
439 				   kadm5_principal_ent_t *ent);
440 #else
441 kadm5_ret_t    kadm5_get_principal(void *server_handle,
442 				   krb5_principal principal,
443 				   kadm5_principal_ent_t ent,
444 				   long mask);
445 #endif
446 kadm5_ret_t    kadm5_chpass_principal(void *server_handle,
447 				      krb5_principal principal,
448 				      char *pass);
449 kadm5_ret_t    kadm5_chpass_principal_3(void *server_handle,
450 					krb5_principal principal,
451 					krb5_boolean keepold,
452 					int n_ks_tuple,
453 					krb5_key_salt_tuple *ks_tuple,
454 					char *pass);
455 #if USE_KADM5_API_VERSION == 1
456 kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
457 				       krb5_principal principal,
458 				       krb5_keyblock **keyblock);
459 #else
460 
461 /*
462  * Solaris Kerberos:
463  * this routine is only implemented in the client library.
464  */
465 kadm5_ret_t    kadm5_randkey_principal_old(void *server_handle,
466 				    krb5_principal principal,
467 				    krb5_keyblock **keyblocks,
468 				    int *n_keys);
469 
470 kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
471 				       krb5_principal principal,
472 				       krb5_keyblock **keyblocks,
473 				       int *n_keys);
474 kadm5_ret_t    kadm5_randkey_principal_3(void *server_handle,
475 					 krb5_principal principal,
476 					 krb5_boolean keepold,
477 					 int n_ks_tuple,
478 					 krb5_key_salt_tuple *ks_tuple,
479 					 krb5_keyblock **keyblocks,
480 					 int *n_keys);
481 #endif
482 kadm5_ret_t    kadm5_setv4key_principal(void *server_handle,
483 					krb5_principal principal,
484 					krb5_keyblock *keyblock);
485 
486 kadm5_ret_t    kadm5_setkey_principal(void *server_handle,
487 				      krb5_principal principal,
488 				      krb5_keyblock *keyblocks,
489 				      int n_keys);
490 
491 kadm5_ret_t    kadm5_setkey_principal_3(void *server_handle,
492 					krb5_principal principal,
493 					krb5_boolean keepold,
494 					int n_ks_tuple,
495 					krb5_key_salt_tuple *ks_tuple,
496 					krb5_keyblock *keyblocks,
497 					int n_keys);
498 
499 kadm5_ret_t    kadm5_decrypt_key(void *server_handle,
500 				 kadm5_principal_ent_t entry, krb5_int32
501 				 ktype, krb5_int32 stype, krb5_int32
502 				 kvno, krb5_keyblock *keyblock,
503 				 krb5_keysalt *keysalt, int *kvnop);
504 
505 kadm5_ret_t    kadm5_create_policy(void *server_handle,
506 				   kadm5_policy_ent_t ent,
507 				   long mask);
508 /*
509  * kadm5_create_policy_internal is not part of the supported,
510  * exposed API.  It is available only in the server library, and you
511  * shouldn't use it unless you know why it's there and how it's
512  * different from kadm5_create_policy.
513  */
514 kadm5_ret_t    kadm5_create_policy_internal(void *server_handle,
515 					    kadm5_policy_ent_t
516 					    entry, long mask);
517 kadm5_ret_t    kadm5_delete_policy(void *server_handle,
518 				   kadm5_policy_t policy);
519 kadm5_ret_t    kadm5_modify_policy(void *server_handle,
520 				   kadm5_policy_ent_t ent,
521 				   long mask);
522 /*
523  * kadm5_modify_policy_internal is not part of the supported,
524  * exposed API.  It is available only in the server library, and you
525  * shouldn't use it unless you know why it's there and how it's
526  * different from kadm5_modify_policy.
527  */
528 kadm5_ret_t    kadm5_modify_policy_internal(void *server_handle,
529 					    kadm5_policy_ent_t
530 					    entry, long mask);
531 #if USE_KADM5_API_VERSION == 1
532 kadm5_ret_t    kadm5_get_policy(void *server_handle,
533 				kadm5_policy_t policy,
534 				kadm5_policy_ent_t *ent);
535 #else
536 kadm5_ret_t    kadm5_get_policy(void *server_handle,
537 				kadm5_policy_t policy,
538 				kadm5_policy_ent_t ent);
539 #endif
540 kadm5_ret_t    kadm5_get_privs(void *server_handle,
541 			       long *privs);
542 
543 kadm5_ret_t    kadm5_chpass_principal_util(void *server_handle,
544 					   krb5_principal princ,
545 					   char *new_pw,
546 					   char **ret_pw,
547 					   char *msg_ret,
548 					   unsigned int msg_len);
549 
550 kadm5_ret_t    kadm5_free_principal_ent(void *server_handle,
551 					kadm5_principal_ent_t
552 					ent);
553 kadm5_ret_t    kadm5_free_policy_ent(void *server_handle,
554 				     kadm5_policy_ent_t ent);
555 
556 kadm5_ret_t    kadm5_get_principals(void *server_handle,
557 				    char *exp, char ***princs,
558 				    int *count);
559 
560 kadm5_ret_t    kadm5_get_policies(void *server_handle,
561 				  char *exp, char ***pols,
562 				  int *count);
563 
564 #if USE_KADM5_API_VERSION > 1
565 kadm5_ret_t    kadm5_free_key_data(void *server_handle,
566 				   krb5_int16 *n_key_data,
567 				   krb5_key_data *key_data);
568 #endif
569 
570 kadm5_ret_t    kadm5_free_name_list(void *server_handle, char **names,
571 				    int count);
572 
573 #if USE_KADM5_API_VERSION == 1
574 /*
575  * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time
576  * compatible with KADM5_API_VERSION_2.  Basically, this means we have
577  * to continue to provide all the old ovsec_kadm function and symbol
578  * names.
579  */
580 
581 #define OVSEC_KADM_ACLFILE		"/krb5/ovsec_adm.acl"
582 #define	OVSEC_KADM_WORDFILE		"/krb5/ovsec_adm.dict"
583 
584 #define OVSEC_KADM_ADMIN_SERVICE	"ovsec_adm/admin"
585 #define OVSEC_KADM_CHANGEPW_SERVICE	"ovsec_adm/changepw"
586 #define OVSEC_KADM_HIST_PRINCIPAL	"ovsec_adm/history"
587 
588 typedef krb5_principal	ovsec_kadm_princ_t;
589 typedef krb5_keyblock	ovsec_kadm_keyblock;
590 typedef	char		*ovsec_kadm_policy_t;
591 typedef long		ovsec_kadm_ret_t;
592 
593 enum	ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL };
594 enum	ovsec_kadm_saltmod  { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL };
595 
596 #define OVSEC_KADM_PW_FIRST_PROMPT \
597 	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
598 #define OVSEC_KADM_PW_SECOND_PROMPT \
599 	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
600 
601 /*
602  * Successful return code
603  */
604 #define OVSEC_KADM_OK	0
605 
606 /*
607  * Create/Modify masks
608  */
609 /* principal */
610 #define OVSEC_KADM_PRINCIPAL		0x000001
611 #define OVSEC_KADM_PRINC_EXPIRE_TIME	0x000002
612 #define OVSEC_KADM_PW_EXPIRATION	0x000004
613 #define OVSEC_KADM_LAST_PWD_CHANGE	0x000008
614 #define OVSEC_KADM_ATTRIBUTES		0x000010
615 #define OVSEC_KADM_MAX_LIFE		0x000020
616 #define OVSEC_KADM_MOD_TIME		0x000040
617 #define OVSEC_KADM_MOD_NAME		0x000080
618 #define OVSEC_KADM_KVNO			0x000100
619 #define OVSEC_KADM_MKVNO		0x000200
620 #define OVSEC_KADM_AUX_ATTRIBUTES	0x000400
621 #define OVSEC_KADM_POLICY		0x000800
622 #define OVSEC_KADM_POLICY_CLR		0x001000
623 /* policy */
624 #define OVSEC_KADM_PW_MAX_LIFE		0x004000
625 #define OVSEC_KADM_PW_MIN_LIFE		0x008000
626 #define OVSEC_KADM_PW_MIN_LENGTH	0x010000
627 #define OVSEC_KADM_PW_MIN_CLASSES	0x020000
628 #define OVSEC_KADM_PW_HISTORY_NUM	0x040000
629 #define OVSEC_KADM_REF_COUNT		0x080000
630 
631 /*
632  * permission bits
633  */
634 #define OVSEC_KADM_PRIV_GET	0x01
635 #define OVSEC_KADM_PRIV_ADD	0x02
636 #define OVSEC_KADM_PRIV_MODIFY	0x04
637 #define OVSEC_KADM_PRIV_DELETE	0x08
638 
639 /*
640  * API versioning constants
641  */
642 #define OVSEC_KADM_MASK_BITS		0xffffff00
643 
644 #define OVSEC_KADM_STRUCT_VERSION_MASK	0x12345600
645 #define OVSEC_KADM_STRUCT_VERSION_1	(OVSEC_KADM_STRUCT_VERSION_MASK|0x01)
646 #define OVSEC_KADM_STRUCT_VERSION	OVSEC_KADM_STRUCT_VERSION_1
647 
648 #define OVSEC_KADM_API_VERSION_MASK	0x12345700
649 #define OVSEC_KADM_API_VERSION_1	(OVSEC_KADM_API_VERSION_MASK|0x01)
650 
651 
652 typedef struct _ovsec_kadm_principal_ent_t {
653 	krb5_principal	principal;
654 	krb5_timestamp	princ_expire_time;
655 	krb5_timestamp	last_pwd_change;
656 	krb5_timestamp	pw_expiration;
657 	krb5_deltat	max_life;
658 	krb5_principal	mod_name;
659 	krb5_timestamp	mod_date;
660 	krb5_flags	attributes;
661 	krb5_kvno	kvno;
662 	krb5_kvno	mkvno;
663 	char		*policy;
664 	long		aux_attributes;
665 } ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t;
666 
667 typedef struct _ovsec_kadm_policy_ent_t {
668 	char		*policy;
669 	long		pw_min_life;
670 	long		pw_max_life;
671 	long		pw_min_length;
672 	long		pw_min_classes;
673 	long		pw_history_num;
674 	long		policy_refcnt;
675 } ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t;
676 
677 /*
678  * functions
679  */
680 ovsec_kadm_ret_t    ovsec_kadm_init(char *client_name, char *pass,
681 				    char *service_name, char *realm,
682 				    krb5_ui_4 struct_version,
683 				    krb5_ui_4 api_version,
684 				    void **server_handle);
685 ovsec_kadm_ret_t    ovsec_kadm_init_with_password(char *client_name,
686 						  char *pass,
687 						  char *service_name,
688 						  char *realm,
689 						  krb5_ui_4 struct_version,
690 						  krb5_ui_4 api_version,
691 						  void **server_handle);
692 ovsec_kadm_ret_t    ovsec_kadm_init_with_skey(char *client_name,
693 					      char *keytab,
694 					      char *service_name,
695 					      char *realm,
696 					      krb5_ui_4 struct_version,
697 					      krb5_ui_4 api_version,
698 					      void **server_handle);
699 ovsec_kadm_ret_t    ovsec_kadm_flush(void *server_handle);
700 ovsec_kadm_ret_t    ovsec_kadm_destroy(void *server_handle);
701 ovsec_kadm_ret_t    ovsec_kadm_create_principal(void *server_handle,
702 						ovsec_kadm_principal_ent_t ent,
703 						long mask, char *pass);
704 ovsec_kadm_ret_t    ovsec_kadm_delete_principal(void *server_handle,
705 						krb5_principal principal);
706 ovsec_kadm_ret_t    ovsec_kadm_modify_principal(void *server_handle,
707 						ovsec_kadm_principal_ent_t ent,
708 						long mask);
709 ovsec_kadm_ret_t    ovsec_kadm_rename_principal(void *server_handle,
710 						krb5_principal,krb5_principal);
711 ovsec_kadm_ret_t    ovsec_kadm_get_principal(void *server_handle,
712 					     krb5_principal principal,
713 					     ovsec_kadm_principal_ent_t *ent);
714 ovsec_kadm_ret_t    ovsec_kadm_chpass_principal(void *server_handle,
715 						krb5_principal principal,
716 						char *pass);
717 ovsec_kadm_ret_t    ovsec_kadm_randkey_principal(void *server_handle,
718 						 krb5_principal principal,
719 						 krb5_keyblock **keyblock);
720 ovsec_kadm_ret_t    ovsec_kadm_create_policy(void *server_handle,
721 					     ovsec_kadm_policy_ent_t ent,
722 					     long mask);
723 /*
724  * ovsec_kadm_create_policy_internal is not part of the supported,
725  * exposed API.  It is available only in the server library, and you
726  * shouldn't use it unless you know why it's there and how it's
727  * different from ovsec_kadm_create_policy.
728  */
729 ovsec_kadm_ret_t    ovsec_kadm_create_policy_internal(void *server_handle,
730 						      ovsec_kadm_policy_ent_t
731 						      entry, long mask);
732 ovsec_kadm_ret_t    ovsec_kadm_delete_policy(void *server_handle,
733 					     ovsec_kadm_policy_t policy);
734 ovsec_kadm_ret_t    ovsec_kadm_modify_policy(void *server_handle,
735 					     ovsec_kadm_policy_ent_t ent,
736 					     long mask);
737 /*
738  * ovsec_kadm_modify_policy_internal is not part of the supported,
739  * exposed API.  It is available only in the server library, and you
740  * shouldn't use it unless you know why it's there and how it's
741  * different from ovsec_kadm_modify_policy.
742  */
743 ovsec_kadm_ret_t    ovsec_kadm_modify_policy_internal(void *server_handle,
744 						      ovsec_kadm_policy_ent_t
745 						      entry, long mask);
746 ovsec_kadm_ret_t    ovsec_kadm_get_policy(void *server_handle,
747 					  ovsec_kadm_policy_t policy,
748 					  ovsec_kadm_policy_ent_t *ent);
749 ovsec_kadm_ret_t    ovsec_kadm_get_privs(void *server_handle,
750 					 long *privs);
751 
752 ovsec_kadm_ret_t    ovsec_kadm_chpass_principal_util(void *server_handle,
753 						     krb5_principal princ,
754 						     char *new_pw,
755 						     char **ret_pw,
756 						     char *msg_ret);
757 
758 ovsec_kadm_ret_t    ovsec_kadm_free_principal_ent(void *server_handle,
759 						  ovsec_kadm_principal_ent_t
760 						  ent);
761 ovsec_kadm_ret_t    ovsec_kadm_free_policy_ent(void *server_handle,
762 					       ovsec_kadm_policy_ent_t ent);
763 
764 ovsec_kadm_ret_t ovsec_kadm_free_name_list(void *server_handle,
765 					   char **names, int count);
766 
767 ovsec_kadm_ret_t    ovsec_kadm_get_principals(void *server_handle,
768 					      char *exp, char ***princs,
769 					      int *count);
770 
771 ovsec_kadm_ret_t    ovsec_kadm_get_policies(void *server_handle,
772 					    char *exp, char ***pols,
773 					    int *count);
774 
775 #define OVSEC_KADM_FAILURE KADM5_FAILURE
776 #define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET
777 #define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD
778 #define OVSEC_KADM_AUTH_MODIFY KADM5_AUTH_MODIFY
779 #define OVSEC_KADM_AUTH_DELETE KADM5_AUTH_DELETE
780 #define OVSEC_KADM_AUTH_INSUFFICIENT KADM5_AUTH_INSUFFICIENT
781 #define OVSEC_KADM_BAD_DB KADM5_BAD_DB
782 #define OVSEC_KADM_DUP KADM5_DUP
783 #define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR
784 #define OVSEC_KADM_NO_SRV KADM5_NO_SRV
785 #define OVSEC_KADM_BAD_HIST_KEY KADM5_BAD_HIST_KEY
786 #define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT
787 #define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC
788 #define OVSEC_KADM_UNK_POLICY KADM5_UNK_POLICY
789 #define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK
790 #define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS
791 #define OVSEC_KADM_BAD_LENGTH KADM5_BAD_LENGTH
792 #define OVSEC_KADM_BAD_POLICY KADM5_BAD_POLICY
793 #define OVSEC_KADM_BAD_PRINCIPAL KADM5_BAD_PRINCIPAL
794 #define OVSEC_KADM_BAD_AUX_ATTR KADM5_BAD_AUX_ATTR
795 #define OVSEC_KADM_BAD_HISTORY KADM5_BAD_HISTORY
796 #define OVSEC_KADM_BAD_MIN_PASS_LIFE KADM5_BAD_MIN_PASS_LIFE
797 #define OVSEC_KADM_PASS_Q_TOOSHORT KADM5_PASS_Q_TOOSHORT
798 #define OVSEC_KADM_PASS_Q_CLASS KADM5_PASS_Q_CLASS
799 #define OVSEC_KADM_PASS_Q_DICT KADM5_PASS_Q_DICT
800 #define OVSEC_KADM_PASS_REUSE KADM5_PASS_REUSE
801 #define OVSEC_KADM_PASS_TOOSOON KADM5_PASS_TOOSOON
802 #define OVSEC_KADM_POLICY_REF KADM5_POLICY_REF
803 #define OVSEC_KADM_INIT KADM5_INIT
804 #define OVSEC_KADM_BAD_PASSWORD KADM5_BAD_PASSWORD
805 #define OVSEC_KADM_PROTECT_PRINCIPAL KADM5_PROTECT_PRINCIPAL
806 #define OVSEC_KADM_BAD_SERVER_HANDLE KADM5_BAD_SERVER_HANDLE
807 #define OVSEC_KADM_BAD_STRUCT_VERSION KADM5_BAD_STRUCT_VERSION
808 #define OVSEC_KADM_OLD_STRUCT_VERSION KADM5_OLD_STRUCT_VERSION
809 #define OVSEC_KADM_NEW_STRUCT_VERSION KADM5_NEW_STRUCT_VERSION
810 #define OVSEC_KADM_BAD_API_VERSION KADM5_BAD_API_VERSION
811 #define OVSEC_KADM_OLD_LIB_API_VERSION KADM5_OLD_LIB_API_VERSION
812 #define OVSEC_KADM_OLD_SERVER_API_VERSION KADM5_OLD_SERVER_API_VERSION
813 #define OVSEC_KADM_NEW_LIB_API_VERSION KADM5_NEW_LIB_API_VERSION
814 #define OVSEC_KADM_NEW_SERVER_API_VERSION KADM5_NEW_SERVER_API_VERSION
815 #define OVSEC_KADM_SECURE_PRINC_MISSING KADM5_SECURE_PRINC_MISSING
816 #define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT
817 
818 #endif /* USE_KADM5_API_VERSION == 1 */
819 
820 #define MAXPRINCLEN 125
821 
822 void trunc_name(size_t *len, char **dots);
823 
824 krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle);
825 kadm5_ret_t	kadm5_chpass_principal_v2(void *server_handle,
826 					krb5_principal princ,
827 					char *new_password,
828 					kadm5_ret_t *srvr_rsp_code,
829 					krb5_data *srvr_msg);
830 
831 void handle_chpw(krb5_context context, int s, void *serverhandle,
832 			kadm5_config_params *params);
833 
834 #ifdef __cplusplus
835 }
836 #endif
837 
838 #endif	/* __KADM5_ADMIN_H__ */
839