xref: /titanic_51/usr/src/lib/krb5/kadm5/admin.h (revision fcf3ce441efd61da9bb2884968af01cb7c1452cc)
1 /*
2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #ifndef	__KADM5_ADMIN_H__
7 #define	__KADM5_ADMIN_H__
8 
9 #pragma ident	"%Z%%M%	%I%	%E% SMI"
10 
11 #ifdef __cplusplus
12 extern "C" {
13 #endif
14 
15 /*
16  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
17  *
18  *	Openvision retains the copyright to derivative works of
19  *	this source code.  Do *NOT* create a derivative of this
20  *	source code before consulting with your legal department.
21  *	Do *NOT* integrate *ANY* of this source code into another
22  *	product before consulting with your legal department.
23  *
24  *	For further information, read the top-level Openvision
25  *	copyright which is contained in the top-level MIT Kerberos
26  *	copyright.
27  *
28  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
29  *
30  */
31 /*
32  * lib/kadm5/admin.h
33  *
34  * Copyright 2001 by the Massachusetts Institute of Technology.
35  * All Rights Reserved.
36  *
37  * Export of this software from the United States of America may
38  *   require a specific license from the United States Government.
39  *   It is the responsibility of any person or organization contemplating
40  *   export to obtain such a license before exporting.
41  *
42  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43  * distribute this software and its documentation for any purpose and
44  * without fee is hereby granted, provided that the above copyright
45  * notice appear in all copies and that both that copyright notice and
46  * this permission notice appear in supporting documentation, and that
47  * the name of M.I.T. not be used in advertising or publicity pertaining
48  * to distribution of the software without specific, written prior
49  * permission.  Furthermore if you modify this software you must label
50  * your software as modified software and not distribute it in such a
51  * fashion that it might be confused with the original M.I.T. software.
52  * M.I.T. makes no representations about the suitability of
53  * this software for any purpose.  It is provided "as is" without express
54  * or implied warranty.
55  *
56  */
57 /*
58  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
59  *
60  * $Header$
61  */
62 
63 #include	<sys/types.h>
64 #include	<rpc/types.h>
65 #include	<rpc/rpc.h>
66 #include	<krb5.h>
67 #include	<k5-int.h>
68 #include	<krb5/kdb.h>
69 #include	<com_err.h>
70 #include	<kadm5/kadm_err.h>
71 #include	<kadm5/chpass_util_strings.h>
72 
73 #define KADM5_ADMIN_SERVICE_P	"kadmin@admin"
74 /*
75  * Solaris Kerberos:
76  * The kadmin/admin principal is unused on Solaris. This principal is used
77  * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
78  * be used with host-based principals.
79  *
80  */
81 /* #define KADM5_ADMIN_SERVICE	"kadmin/admin" */
82 #define KADM5_CHANGEPW_SERVICE_P	"kadmin@changepw"
83 #define KADM5_CHANGEPW_SERVICE	"kadmin/changepw"
84 #define KADM5_HIST_PRINCIPAL	"kadmin/history"
85 #define KADM5_ADMIN_HOST_SERVICE "kadmin"
86 #define KADM5_CHANGEPW_HOST_SERVICE "changepw"
87 #define KADM5_KIPROP_HOST_SERVICE "kiprop"
88 
89 typedef krb5_principal	kadm5_princ_t;
90 typedef	char		*kadm5_policy_t;
91 typedef long		kadm5_ret_t;
92 typedef int rpc_int32;
93 typedef unsigned int rpc_u_int32;
94 
95 #define KADM5_PW_FIRST_PROMPT \
96 	(error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
97 #define KADM5_PW_SECOND_PROMPT \
98 	(error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
99 
100 /*
101  * Successful return code
102  */
103 #define KADM5_OK	0
104 
105 /*
106  * Field masks
107  */
108 
109 /* kadm5_principal_ent_t */
110 #define KADM5_PRINCIPAL		0x000001
111 #define KADM5_PRINC_EXPIRE_TIME	0x000002
112 #define KADM5_PW_EXPIRATION	0x000004
113 #define KADM5_LAST_PWD_CHANGE	0x000008
114 #define KADM5_ATTRIBUTES	0x000010
115 #define KADM5_MAX_LIFE		0x000020
116 #define KADM5_MOD_TIME		0x000040
117 #define KADM5_MOD_NAME		0x000080
118 #define KADM5_KVNO		0x000100
119 #define KADM5_MKVNO		0x000200
120 #define KADM5_AUX_ATTRIBUTES	0x000400
121 #define KADM5_POLICY		0x000800
122 #define KADM5_POLICY_CLR	0x001000
123 /* version 2 masks */
124 #define KADM5_MAX_RLIFE		0x002000
125 #define KADM5_LAST_SUCCESS	0x004000
126 #define KADM5_LAST_FAILED	0x008000
127 #define KADM5_FAIL_AUTH_COUNT	0x010000
128 #define KADM5_KEY_DATA		0x020000
129 #define KADM5_TL_DATA		0x040000
130 #ifdef notyet /* Novell */
131 #define KADM5_CPW_FUNCTION      0x080000
132 #define KADM5_RANDKEY_USED      0x100000
133 #endif
134 #define KADM5_LOAD		0x200000
135 /* Solaris Kerberos: adding support for key history in LDAP KDB */
136 #define KADM5_KEY_HIST		0x400000
137 
138 /* all but KEY_DATA and TL_DATA */
139 #define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
140 
141 
142 /* kadm5_policy_ent_t */
143 #define KADM5_PW_MAX_LIFE	0x004000
144 #define KADM5_PW_MIN_LIFE	0x008000
145 #define KADM5_PW_MIN_LENGTH	0x010000
146 #define KADM5_PW_MIN_CLASSES	0x020000
147 #define KADM5_PW_HISTORY_NUM	0x040000
148 #define KADM5_REF_COUNT		0x080000
149 
150 /* kadm5_config_params */
151 #define KADM5_CONFIG_REALM		0x0000001
152 #define KADM5_CONFIG_DBNAME		0x0000002
153 #define KADM5_CONFIG_MKEY_NAME		0x0000004
154 #define KADM5_CONFIG_MAX_LIFE		0x0000008
155 #define KADM5_CONFIG_MAX_RLIFE		0x0000010
156 #define KADM5_CONFIG_EXPIRATION		0x0000020
157 #define KADM5_CONFIG_FLAGS		0x0000040
158 #define KADM5_CONFIG_ADMIN_KEYTAB	0x0000080
159 #define KADM5_CONFIG_STASH_FILE		0x0000100
160 #define KADM5_CONFIG_ENCTYPE		0x0000200
161 #define KADM5_CONFIG_ADBNAME		0x0000400
162 #define KADM5_CONFIG_ADB_LOCKFILE	0x0000800
163 #define KADM5_CONFIG_PROFILE		0x0001000
164 #define KADM5_CONFIG_ACL_FILE		0x0002000
165 #define KADM5_CONFIG_KADMIND_PORT	0x0004000
166 #define KADM5_CONFIG_ENCTYPES		0x0008000
167 #define KADM5_CONFIG_ADMIN_SERVER	0x0010000
168 #define KADM5_CONFIG_DICT_FILE		0x0020000
169 #define KADM5_CONFIG_MKEY_FROM_KBD	0x0040000
170 #define KADM5_CONFIG_KPASSWD_PORT	0x0080000
171 #define KADM5_CONFIG_KPASSWD_SERVER	0x0100000
172 #define	KADM5_CONFIG_KPASSWD_PROTOCOL	0x0200000
173 #define	KADM5_CONFIG_IPROP_ENABLED	0x0400000
174 #define	KADM5_CONFIG_ULOG_SIZE		0x0800000
175 #define	KADM5_CONFIG_POLL_TIME		0x1000000
176 
177 /* password change constants */
178 #define	KRB5_KPASSWD_SUCCESS		0
179 #define	KRB5_KPASSWD_MALFORMED		1
180 #define	KRB5_KPASSWD_HARDERROR		2
181 #define	KRB5_KPASSWD_AUTHERROR		3
182 #define	KRB5_KPASSWD_SOFTERROR		4
183 #define	KRB5_KPASSWD_ACCESSDENIED	5
184 #define	KRB5_KPASSWD_BAD_VERSION	6
185 #define	KRB5_KPASSWD_INITIAL_FLAG_NEEDED	7
186 #define	KRB5_KPASSWD_POLICY_REJECT	8
187 #define	KRB5_KPASSWD_BAD_PRINCIPAL	9
188 #define	KRB5_KPASSWD_ETYPE_NOSUPP	10
189 
190 /*
191  * permission bits
192  */
193 #define KADM5_PRIV_GET		0x01
194 #define KADM5_PRIV_ADD		0x02
195 #define KADM5_PRIV_MODIFY	0x04
196 #define KADM5_PRIV_DELETE	0x08
197 
198 /*
199  * API versioning constants
200  */
201 #define KADM5_MASK_BITS		0xffffff00
202 
203 #define KADM5_STRUCT_VERSION_MASK	0x12345600
204 #define KADM5_STRUCT_VERSION_1	(KADM5_STRUCT_VERSION_MASK|0x01)
205 #define KADM5_STRUCT_VERSION	KADM5_STRUCT_VERSION_1
206 
207 #define KADM5_API_VERSION_MASK	0x12345700
208 #define KADM5_API_VERSION_1	(KADM5_API_VERSION_MASK|0x01)
209 #define KADM5_API_VERSION_2	(KADM5_API_VERSION_MASK|0x02)
210 
211 #ifdef KRB5_DNS_LOOKUP
212 /*
213  * Name length constants for DNS lookups
214  */
215 #define	MAX_HOST_NAMELEN 256
216 #define	MAX_DNS_NAMELEN (15*(MAX_HOST_NAMELEN + 1)+1)
217 #endif /* KRB5_DNS_LOOKUP */
218 
219 typedef struct _kadm5_principal_ent_t_v2 {
220 	krb5_principal	principal;
221 	krb5_timestamp	princ_expire_time;
222 	krb5_timestamp	last_pwd_change;
223 	krb5_timestamp	pw_expiration;
224 	krb5_deltat	max_life;
225 	krb5_principal	mod_name;
226 	krb5_timestamp	mod_date;
227 	krb5_flags	attributes;
228 	krb5_kvno	kvno;
229 	krb5_kvno	mkvno;
230 	char		*policy;
231 	long		aux_attributes;
232 
233 	/* version 2 fields */
234 	krb5_deltat max_renewable_life;
235         krb5_timestamp last_success;
236         krb5_timestamp last_failed;
237         krb5_kvno fail_auth_count;
238 	krb5_int16 n_key_data;
239 	krb5_int16 n_tl_data;
240         krb5_tl_data *tl_data;
241 	krb5_key_data *key_data;
242 } kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;
243 
244 typedef struct _kadm5_principal_ent_t_v1 {
245 	krb5_principal	principal;
246 	krb5_timestamp	princ_expire_time;
247 	krb5_timestamp	last_pwd_change;
248 	krb5_timestamp	pw_expiration;
249 	krb5_deltat	max_life;
250 	krb5_principal	mod_name;
251 	krb5_timestamp	mod_date;
252 	krb5_flags	attributes;
253 	krb5_kvno	kvno;
254 	krb5_kvno	mkvno;
255 	char		*policy;
256 	long		aux_attributes;
257 } kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;
258 
259 #if USE_KADM5_API_VERSION == 1
260 typedef struct _kadm5_principal_ent_t_v1
261      kadm5_principal_ent_rec, *kadm5_principal_ent_t;
262 #else
263 typedef struct _kadm5_principal_ent_t_v2
264      kadm5_principal_ent_rec, *kadm5_principal_ent_t;
265 #endif
266 
267 typedef struct _kadm5_policy_ent_t {
268 	char		*policy;
269 	long		pw_min_life;
270 	long		pw_max_life;
271 	long		pw_min_length;
272 	long		pw_min_classes;
273 	long		pw_history_num;
274 	long		policy_refcnt;
275 } kadm5_policy_ent_rec, *kadm5_policy_ent_t;
276 
277 #if 0 /************** Begin IFDEF'ed OUT *******************************/
278 typedef struct __krb5_key_salt_tuple {
279      krb5_enctype	ks_enctype;
280      krb5_int32		ks_salttype;
281 } krb5_key_salt_tuple;
282 #endif /**************** END IFDEF'ed OUT *******************************/
283 
284 /*
285  * New types to indicate which protocol to use when sending
286  * password change requests
287  */
288 typedef enum {
289 	KRB5_CHGPWD_RPCSEC,
290 	KRB5_CHGPWD_CHANGEPW_V2
291 } krb5_chgpwd_prot;
292 
293 /*
294  * Data structure returned by kadm5_get_config_params()
295  */
296 typedef struct _kadm5_config_params {
297      long		mask;
298      char *		realm;
299      char *		profile;
300      int		kadmind_port;
301      int		kpasswd_port;
302 
303      char *		admin_server;
304 #ifdef notyet /* Novell */ /* ABI change? */
305      char *		kpasswd_server;
306 #endif
307 
308      char *		dbname;
309      char *		admin_dbname;
310      char *		admin_lockfile;
311      char *		admin_keytab;
312      char *		acl_file;
313      char *		dict_file;
314 
315      int		mkey_from_kbd;
316      char *		stash_file;
317      char *		mkey_name;
318      krb5_enctype	enctype;
319      krb5_deltat	max_life;
320      krb5_deltat	max_rlife;
321      krb5_timestamp	expiration;
322      krb5_flags		flags;
323      krb5_key_salt_tuple *keysalts;
324      krb5_int32		num_keysalts;
325      char 			*kpasswd_server;
326 
327      krb5_chgpwd_prot	kpasswd_protocol;
328      bool_t			iprop_enabled;
329      int			iprop_ulogsize;
330      char			*iprop_polltime;
331 } kadm5_config_params;
332 
333 /***********************************************************************
334  * This is the old krb5_realm_read_params, which I mutated into
335  * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
336  * still uses.
337  ***********************************************************************/
338 
339 /*
340  * Data structure returned by krb5_read_realm_params()
341  */
342 typedef struct __krb5_realm_params {
343     char *		realm_profile;
344     char *		realm_dbname;
345     char *		realm_mkey_name;
346     char *		realm_stash_file;
347     char *		realm_kdc_ports;
348     char *		realm_kdc_tcp_ports;
349     char *		realm_acl_file;
350     krb5_int32		realm_kadmind_port;
351     krb5_enctype	realm_enctype;
352     krb5_deltat		realm_max_life;
353     krb5_deltat		realm_max_rlife;
354     krb5_timestamp	realm_expiration;
355     krb5_flags		realm_flags;
356     krb5_key_salt_tuple	*realm_keysalts;
357     unsigned int	realm_reject_bad_transit:1;
358     unsigned int	realm_kadmind_port_valid:1;
359     unsigned int	realm_enctype_valid:1;
360     unsigned int	realm_max_life_valid:1;
361     unsigned int	realm_max_rlife_valid:1;
362     unsigned int	realm_expiration_valid:1;
363     unsigned int	realm_flags_valid:1;
364     unsigned int	realm_reject_bad_transit_valid:1;
365     krb5_int32		realm_num_keysalts;
366 } krb5_realm_params;
367 
368 /*
369  * functions
370  */
371 
372 kadm5_ret_t
373 kadm5_get_adm_host_srv_name(krb5_context context,
374                            const char *realm, char **host_service_name);
375 
376 kadm5_ret_t
377 kadm5_get_cpw_host_srv_name(krb5_context context,
378                            const char *realm, char **host_service_name);
379 
380 #if USE_KADM5_API_VERSION > 1
381 krb5_error_code kadm5_get_config_params(krb5_context context,
382 					char *kdcprofile, char *kdcenv,
383 					kadm5_config_params *params_in,
384 					kadm5_config_params *params_out);
385 
386 krb5_error_code kadm5_free_config_params(krb5_context context,
387 					 kadm5_config_params *params);
388 
389 krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
390 					kadm5_config_params *params);
391 
392 krb5_error_code kadm5_get_admin_service_name(krb5_context, char *,
393 					     char *, size_t);
394 #endif
395 
396 kadm5_ret_t    kadm5_init(char *client_name, char *pass,
397 			  char *service_name,
398 #if USE_KADM5_API_VERSION == 1
399 			  char *realm,
400 #else
401 			  kadm5_config_params *params,
402 #endif
403 			  krb5_ui_4 struct_version,
404 			  krb5_ui_4 api_version,
405 			  char **db_args,
406 			  void **server_handle);
407 
408 kadm5_ret_t    kadm5_init_with_password(char *client_name,
409 					char *pass,
410 					char *service_name,
411 #if USE_KADM5_API_VERSION == 1
412 					char *realm,
413 #else
414 					kadm5_config_params *params,
415 #endif
416 					krb5_ui_4 struct_version,
417 					krb5_ui_4 api_version,
418 					char **db_args,
419 					void **server_handle);
420 kadm5_ret_t    kadm5_init_with_skey(char *client_name,
421 				    char *keytab,
422 				    char *service_name,
423 #if USE_KADM5_API_VERSION == 1
424 				    char *realm,
425 #else
426 				    kadm5_config_params *params,
427 #endif
428 				    krb5_ui_4 struct_version,
429 				    krb5_ui_4 api_version,
430 				    char **db_args,
431 				    void **server_handle);
432 #if USE_KADM5_API_VERSION > 1
433 kadm5_ret_t    kadm5_init_with_creds(char *client_name,
434 				     krb5_ccache cc,
435 				     char *service_name,
436 				     kadm5_config_params *params,
437 				     krb5_ui_4 struct_version,
438 				     krb5_ui_4 api_version,
439 				     char **db_args,
440 				     void **server_handle);
441 #endif
442 kadm5_ret_t    kadm5_lock(void *server_handle);
443 kadm5_ret_t    kadm5_unlock(void *server_handle);
444 kadm5_ret_t    kadm5_flush(void *server_handle);
445 kadm5_ret_t    kadm5_destroy(void *server_handle);
446 kadm5_ret_t    kadm5_create_principal(void *server_handle,
447 				      kadm5_principal_ent_t ent,
448 				      long mask, char *pass);
449 kadm5_ret_t    kadm5_create_principal_3(void *server_handle,
450 					kadm5_principal_ent_t ent,
451 					long mask,
452 					int n_ks_tuple,
453 					krb5_key_salt_tuple *ks_tuple,
454 					char *pass);
455 kadm5_ret_t    kadm5_delete_principal(void *server_handle,
456 				      krb5_principal principal);
457 kadm5_ret_t    kadm5_modify_principal(void *server_handle,
458 				      kadm5_principal_ent_t ent,
459 				      long mask);
460 kadm5_ret_t    kadm5_rename_principal(void *server_handle,
461 				      krb5_principal,krb5_principal);
462 #if USE_KADM5_API_VERSION == 1
463 kadm5_ret_t    kadm5_get_principal(void *server_handle,
464 				   krb5_principal principal,
465 				   kadm5_principal_ent_t *ent);
466 #else
467 kadm5_ret_t    kadm5_get_principal(void *server_handle,
468 				   krb5_principal principal,
469 				   kadm5_principal_ent_t ent,
470 				   long mask);
471 #endif
472 kadm5_ret_t    kadm5_chpass_principal(void *server_handle,
473 				      krb5_principal principal,
474 				      char *pass);
475 kadm5_ret_t    kadm5_chpass_principal_3(void *server_handle,
476 					krb5_principal principal,
477 					krb5_boolean keepold,
478 					int n_ks_tuple,
479 					krb5_key_salt_tuple *ks_tuple,
480 					char *pass);
481 #if USE_KADM5_API_VERSION == 1
482 kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
483 				       krb5_principal principal,
484 				       krb5_keyblock **keyblock);
485 #else
486 
487 /*
488  * Solaris Kerberos:
489  * this routine is only implemented in the client library.
490  */
491 kadm5_ret_t    kadm5_randkey_principal_old(void *server_handle,
492 				    krb5_principal principal,
493 				    krb5_keyblock **keyblocks,
494 				    int *n_keys);
495 
496 kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
497 				       krb5_principal principal,
498 				       krb5_keyblock **keyblocks,
499 				       int *n_keys);
500 kadm5_ret_t    kadm5_randkey_principal_3(void *server_handle,
501 					 krb5_principal principal,
502 					 krb5_boolean keepold,
503 					 int n_ks_tuple,
504 					 krb5_key_salt_tuple *ks_tuple,
505 					 krb5_keyblock **keyblocks,
506 					 int *n_keys);
507 #endif
508 kadm5_ret_t    kadm5_setv4key_principal(void *server_handle,
509 					krb5_principal principal,
510 					krb5_keyblock *keyblock);
511 
512 kadm5_ret_t    kadm5_setkey_principal(void *server_handle,
513 				      krb5_principal principal,
514 				      krb5_keyblock *keyblocks,
515 				      int n_keys);
516 
517 kadm5_ret_t    kadm5_setkey_principal_3(void *server_handle,
518 					krb5_principal principal,
519 					krb5_boolean keepold,
520 					int n_ks_tuple,
521 					krb5_key_salt_tuple *ks_tuple,
522 					krb5_keyblock *keyblocks,
523 					int n_keys);
524 
525 kadm5_ret_t    kadm5_decrypt_key(void *server_handle,
526 				 kadm5_principal_ent_t entry, krb5_int32
527 				 ktype, krb5_int32 stype, krb5_int32
528 				 kvno, krb5_keyblock *keyblock,
529 				 krb5_keysalt *keysalt, int *kvnop);
530 
531 kadm5_ret_t    kadm5_create_policy(void *server_handle,
532 				   kadm5_policy_ent_t ent,
533 				   long mask);
534 /*
535  * kadm5_create_policy_internal is not part of the supported,
536  * exposed API.  It is available only in the server library, and you
537  * shouldn't use it unless you know why it's there and how it's
538  * different from kadm5_create_policy.
539  */
540 kadm5_ret_t    kadm5_create_policy_internal(void *server_handle,
541 					    kadm5_policy_ent_t
542 					    entry, long mask);
543 kadm5_ret_t    kadm5_delete_policy(void *server_handle,
544 				   kadm5_policy_t policy);
545 kadm5_ret_t    kadm5_modify_policy(void *server_handle,
546 				   kadm5_policy_ent_t ent,
547 				   long mask);
548 /*
549  * kadm5_modify_policy_internal is not part of the supported,
550  * exposed API.  It is available only in the server library, and you
551  * shouldn't use it unless you know why it's there and how it's
552  * different from kadm5_modify_policy.
553  */
554 kadm5_ret_t    kadm5_modify_policy_internal(void *server_handle,
555 					    kadm5_policy_ent_t
556 					    entry, long mask);
557 #if USE_KADM5_API_VERSION == 1
558 kadm5_ret_t    kadm5_get_policy(void *server_handle,
559 				kadm5_policy_t policy,
560 				kadm5_policy_ent_t *ent);
561 #else
562 kadm5_ret_t    kadm5_get_policy(void *server_handle,
563 				kadm5_policy_t policy,
564 				kadm5_policy_ent_t ent);
565 #endif
566 kadm5_ret_t    kadm5_get_privs(void *server_handle,
567 			       long *privs);
568 
569 kadm5_ret_t    kadm5_chpass_principal_util(void *server_handle,
570 					   krb5_principal princ,
571 					   char *new_pw,
572 					   char **ret_pw,
573 					   char *msg_ret,
574 					   unsigned int msg_len);
575 
576 kadm5_ret_t    kadm5_free_principal_ent(void *server_handle,
577 					kadm5_principal_ent_t
578 					ent);
579 kadm5_ret_t    kadm5_free_policy_ent(void *server_handle,
580 				     kadm5_policy_ent_t ent);
581 
582 kadm5_ret_t    kadm5_get_principals(void *server_handle,
583 				    char *exp, char ***princs,
584 				    int *count);
585 
586 kadm5_ret_t    kadm5_get_policies(void *server_handle,
587 				  char *exp, char ***pols,
588 				  int *count);
589 
590 #if USE_KADM5_API_VERSION > 1
591 kadm5_ret_t    kadm5_free_key_data(void *server_handle,
592 				   krb5_int16 *n_key_data,
593 				   krb5_key_data *key_data);
594 #endif
595 
596 kadm5_ret_t    kadm5_free_name_list(void *server_handle, char **names,
597 				    int count);
598 
599 krb5_error_code kadm5_init_krb5_context (krb5_context *);
600 
601 #if USE_KADM5_API_VERSION == 1
602 /*
603  * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time
604  * compatible with KADM5_API_VERSION_2.  Basically, this means we have
605  * to continue to provide all the old ovsec_kadm function and symbol
606  * names.
607  */
608 
609 #define OVSEC_KADM_ACLFILE		"/krb5/ovsec_adm.acl"
610 #define	OVSEC_KADM_WORDFILE		"/krb5/ovsec_adm.dict"
611 
612 #define OVSEC_KADM_ADMIN_SERVICE	"ovsec_adm/admin"
613 #define OVSEC_KADM_CHANGEPW_SERVICE	"ovsec_adm/changepw"
614 #define OVSEC_KADM_HIST_PRINCIPAL	"ovsec_adm/history"
615 
616 typedef krb5_principal	ovsec_kadm_princ_t;
617 typedef krb5_keyblock	ovsec_kadm_keyblock;
618 typedef	char		*ovsec_kadm_policy_t;
619 typedef long		ovsec_kadm_ret_t;
620 
621 enum	ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL };
622 enum	ovsec_kadm_saltmod  { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL };
623 
624 #define OVSEC_KADM_PW_FIRST_PROMPT \
625 	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
626 #define OVSEC_KADM_PW_SECOND_PROMPT \
627 	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
628 
629 /*
630  * Successful return code
631  */
632 #define OVSEC_KADM_OK	0
633 
634 /*
635  * Create/Modify masks
636  */
637 /* principal */
638 #define OVSEC_KADM_PRINCIPAL		0x000001
639 #define OVSEC_KADM_PRINC_EXPIRE_TIME	0x000002
640 #define OVSEC_KADM_PW_EXPIRATION	0x000004
641 #define OVSEC_KADM_LAST_PWD_CHANGE	0x000008
642 #define OVSEC_KADM_ATTRIBUTES		0x000010
643 #define OVSEC_KADM_MAX_LIFE		0x000020
644 #define OVSEC_KADM_MOD_TIME		0x000040
645 #define OVSEC_KADM_MOD_NAME		0x000080
646 #define OVSEC_KADM_KVNO			0x000100
647 #define OVSEC_KADM_MKVNO		0x000200
648 #define OVSEC_KADM_AUX_ATTRIBUTES	0x000400
649 #define OVSEC_KADM_POLICY		0x000800
650 #define OVSEC_KADM_POLICY_CLR		0x001000
651 /* policy */
652 #define OVSEC_KADM_PW_MAX_LIFE		0x004000
653 #define OVSEC_KADM_PW_MIN_LIFE		0x008000
654 #define OVSEC_KADM_PW_MIN_LENGTH	0x010000
655 #define OVSEC_KADM_PW_MIN_CLASSES	0x020000
656 #define OVSEC_KADM_PW_HISTORY_NUM	0x040000
657 #define OVSEC_KADM_REF_COUNT		0x080000
658 
659 /*
660  * permission bits
661  */
662 #define OVSEC_KADM_PRIV_GET	0x01
663 #define OVSEC_KADM_PRIV_ADD	0x02
664 #define OVSEC_KADM_PRIV_MODIFY	0x04
665 #define OVSEC_KADM_PRIV_DELETE	0x08
666 
667 /*
668  * API versioning constants
669  */
670 #define OVSEC_KADM_MASK_BITS		0xffffff00
671 
672 #define OVSEC_KADM_STRUCT_VERSION_MASK	0x12345600
673 #define OVSEC_KADM_STRUCT_VERSION_1	(OVSEC_KADM_STRUCT_VERSION_MASK|0x01)
674 #define OVSEC_KADM_STRUCT_VERSION	OVSEC_KADM_STRUCT_VERSION_1
675 
676 #define OVSEC_KADM_API_VERSION_MASK	0x12345700
677 #define OVSEC_KADM_API_VERSION_1	(OVSEC_KADM_API_VERSION_MASK|0x01)
678 
679 
680 typedef struct _ovsec_kadm_principal_ent_t {
681 	krb5_principal	principal;
682 	krb5_timestamp	princ_expire_time;
683 	krb5_timestamp	last_pwd_change;
684 	krb5_timestamp	pw_expiration;
685 	krb5_deltat	max_life;
686 	krb5_principal	mod_name;
687 	krb5_timestamp	mod_date;
688 	krb5_flags	attributes;
689 	krb5_kvno	kvno;
690 	krb5_kvno	mkvno;
691 	char		*policy;
692 	long		aux_attributes;
693 } ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t;
694 
695 typedef struct _ovsec_kadm_policy_ent_t {
696 	char		*policy;
697 	long		pw_min_life;
698 	long		pw_max_life;
699 	long		pw_min_length;
700 	long		pw_min_classes;
701 	long		pw_history_num;
702 	long		policy_refcnt;
703 } ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t;
704 
705 /*
706  * functions
707  */
708 ovsec_kadm_ret_t    ovsec_kadm_init(char *client_name, char *pass,
709 				    char *service_name, char *realm,
710 				    krb5_ui_4 struct_version,
711 				    krb5_ui_4 api_version,
712 				    char **db_args,
713 				    void **server_handle);
714 ovsec_kadm_ret_t    ovsec_kadm_init_with_password(char *client_name,
715 						  char *pass,
716 						  char *service_name,
717 						  char *realm,
718 						  krb5_ui_4 struct_version,
719 						  krb5_ui_4 api_version,
720 						  char ** db_args,
721 						  void **server_handle);
722 ovsec_kadm_ret_t    ovsec_kadm_init_with_skey(char *client_name,
723 					      char *keytab,
724 					      char *service_name,
725 					      char *realm,
726 					      krb5_ui_4 struct_version,
727 					      krb5_ui_4 api_version,
728 					      char **db_args,
729 					      void **server_handle);
730 ovsec_kadm_ret_t    ovsec_kadm_flush(void *server_handle);
731 ovsec_kadm_ret_t    ovsec_kadm_destroy(void *server_handle);
732 ovsec_kadm_ret_t    ovsec_kadm_create_principal(void *server_handle,
733 						ovsec_kadm_principal_ent_t ent,
734 						long mask, char *pass);
735 ovsec_kadm_ret_t    ovsec_kadm_delete_principal(void *server_handle,
736 						krb5_principal principal);
737 ovsec_kadm_ret_t    ovsec_kadm_modify_principal(void *server_handle,
738 						ovsec_kadm_principal_ent_t ent,
739 						long mask);
740 ovsec_kadm_ret_t    ovsec_kadm_rename_principal(void *server_handle,
741 						krb5_principal,krb5_principal);
742 ovsec_kadm_ret_t    ovsec_kadm_get_principal(void *server_handle,
743 					     krb5_principal principal,
744 					     ovsec_kadm_principal_ent_t *ent);
745 ovsec_kadm_ret_t    ovsec_kadm_chpass_principal(void *server_handle,
746 						krb5_principal principal,
747 						char *pass);
748 ovsec_kadm_ret_t    ovsec_kadm_randkey_principal(void *server_handle,
749 						 krb5_principal principal,
750 						 krb5_keyblock **keyblock);
751 ovsec_kadm_ret_t    ovsec_kadm_create_policy(void *server_handle,
752 					     ovsec_kadm_policy_ent_t ent,
753 					     long mask);
754 /*
755  * ovsec_kadm_create_policy_internal is not part of the supported,
756  * exposed API.  It is available only in the server library, and you
757  * shouldn't use it unless you know why it's there and how it's
758  * different from ovsec_kadm_create_policy.
759  */
760 ovsec_kadm_ret_t    ovsec_kadm_create_policy_internal(void *server_handle,
761 						      ovsec_kadm_policy_ent_t
762 						      entry, long mask);
763 ovsec_kadm_ret_t    ovsec_kadm_delete_policy(void *server_handle,
764 					     ovsec_kadm_policy_t policy);
765 ovsec_kadm_ret_t    ovsec_kadm_modify_policy(void *server_handle,
766 					     ovsec_kadm_policy_ent_t ent,
767 					     long mask);
768 /*
769  * ovsec_kadm_modify_policy_internal is not part of the supported,
770  * exposed API.  It is available only in the server library, and you
771  * shouldn't use it unless you know why it's there and how it's
772  * different from ovsec_kadm_modify_policy.
773  */
774 ovsec_kadm_ret_t    ovsec_kadm_modify_policy_internal(void *server_handle,
775 						      ovsec_kadm_policy_ent_t
776 						      entry, long mask);
777 ovsec_kadm_ret_t    ovsec_kadm_get_policy(void *server_handle,
778 					  ovsec_kadm_policy_t policy,
779 					  ovsec_kadm_policy_ent_t *ent);
780 ovsec_kadm_ret_t    ovsec_kadm_get_privs(void *server_handle,
781 					 long *privs);
782 
783 ovsec_kadm_ret_t    ovsec_kadm_chpass_principal_util(void *server_handle,
784 						     krb5_principal princ,
785 						     char *new_pw,
786 						     char **ret_pw,
787 						     char *msg_ret);
788 
789 ovsec_kadm_ret_t    ovsec_kadm_free_principal_ent(void *server_handle,
790 						  ovsec_kadm_principal_ent_t
791 						  ent);
792 ovsec_kadm_ret_t    ovsec_kadm_free_policy_ent(void *server_handle,
793 					       ovsec_kadm_policy_ent_t ent);
794 
795 ovsec_kadm_ret_t ovsec_kadm_free_name_list(void *server_handle,
796 					   char **names, int count);
797 
798 ovsec_kadm_ret_t    ovsec_kadm_get_principals(void *server_handle,
799 					      char *exp, char ***princs,
800 					      int *count);
801 
802 ovsec_kadm_ret_t    ovsec_kadm_get_policies(void *server_handle,
803 					    char *exp, char ***pols,
804 					    int *count);
805 
806 #define OVSEC_KADM_FAILURE KADM5_FAILURE
807 #define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET
808 #define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD
809 #define OVSEC_KADM_AUTH_MODIFY KADM5_AUTH_MODIFY
810 #define OVSEC_KADM_AUTH_DELETE KADM5_AUTH_DELETE
811 #define OVSEC_KADM_AUTH_INSUFFICIENT KADM5_AUTH_INSUFFICIENT
812 #define OVSEC_KADM_BAD_DB KADM5_BAD_DB
813 #define OVSEC_KADM_DUP KADM5_DUP
814 #define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR
815 #define OVSEC_KADM_NO_SRV KADM5_NO_SRV
816 #define OVSEC_KADM_BAD_HIST_KEY KADM5_BAD_HIST_KEY
817 #define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT
818 #define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC
819 #define OVSEC_KADM_UNK_POLICY KADM5_UNK_POLICY
820 #define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK
821 #define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS
822 #define OVSEC_KADM_BAD_LENGTH KADM5_BAD_LENGTH
823 #define OVSEC_KADM_BAD_POLICY KADM5_BAD_POLICY
824 #define OVSEC_KADM_BAD_PRINCIPAL KADM5_BAD_PRINCIPAL
825 #define OVSEC_KADM_BAD_AUX_ATTR KADM5_BAD_AUX_ATTR
826 #define OVSEC_KADM_BAD_HISTORY KADM5_BAD_HISTORY
827 #define OVSEC_KADM_BAD_MIN_PASS_LIFE KADM5_BAD_MIN_PASS_LIFE
828 #define OVSEC_KADM_PASS_Q_TOOSHORT KADM5_PASS_Q_TOOSHORT
829 #define OVSEC_KADM_PASS_Q_CLASS KADM5_PASS_Q_CLASS
830 #define OVSEC_KADM_PASS_Q_DICT KADM5_PASS_Q_DICT
831 #define OVSEC_KADM_PASS_REUSE KADM5_PASS_REUSE
832 #define OVSEC_KADM_PASS_TOOSOON KADM5_PASS_TOOSOON
833 #define OVSEC_KADM_POLICY_REF KADM5_POLICY_REF
834 #define OVSEC_KADM_INIT KADM5_INIT
835 #define OVSEC_KADM_BAD_PASSWORD KADM5_BAD_PASSWORD
836 #define OVSEC_KADM_PROTECT_PRINCIPAL KADM5_PROTECT_PRINCIPAL
837 #define OVSEC_KADM_BAD_SERVER_HANDLE KADM5_BAD_SERVER_HANDLE
838 #define OVSEC_KADM_BAD_STRUCT_VERSION KADM5_BAD_STRUCT_VERSION
839 #define OVSEC_KADM_OLD_STRUCT_VERSION KADM5_OLD_STRUCT_VERSION
840 #define OVSEC_KADM_NEW_STRUCT_VERSION KADM5_NEW_STRUCT_VERSION
841 #define OVSEC_KADM_BAD_API_VERSION KADM5_BAD_API_VERSION
842 #define OVSEC_KADM_OLD_LIB_API_VERSION KADM5_OLD_LIB_API_VERSION
843 #define OVSEC_KADM_OLD_SERVER_API_VERSION KADM5_OLD_SERVER_API_VERSION
844 #define OVSEC_KADM_NEW_LIB_API_VERSION KADM5_NEW_LIB_API_VERSION
845 #define OVSEC_KADM_NEW_SERVER_API_VERSION KADM5_NEW_SERVER_API_VERSION
846 #define OVSEC_KADM_SECURE_PRINC_MISSING KADM5_SECURE_PRINC_MISSING
847 #define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT
848 
849 #endif /* USE_KADM5_API_VERSION == 1 */
850 
851 #define MAXPRINCLEN 125
852 
853 void trunc_name(size_t *len, char **dots);
854 
855 krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle);
856 kadm5_ret_t	kadm5_chpass_principal_v2(void *server_handle,
857 					krb5_principal princ,
858 					char *new_password,
859 					kadm5_ret_t *srvr_rsp_code,
860 					krb5_data *srvr_msg);
861 
862 void handle_chpw(krb5_context context, int s, void *serverhandle,
863 			kadm5_config_params *params);
864 
865 #ifdef __cplusplus
866 }
867 #endif
868 
869 #endif	/* __KADM5_ADMIN_H__ */
870