search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dmake: do not set MAKEFLAGS=k
[unleashed/tickless.git] / usr / src / lib / krb5 / kadm5 / admin.h
blob63c2129bdb924939ce6601e1e58d69000829121c
1 /*
2 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
3 */
4
5 #ifndef __KADM5_ADMIN_H__
6 #define __KADM5_ADMIN_H__
7
8
9 #ifdef __cplusplus
10 extern "C" {
11 #endif
12
13 /*
14 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
15 *
16 * Openvision retains the copyright to derivative works of
17 * this source code. Do *NOT* create a derivative of this
18 * source code before consulting with your legal department.
19 * Do *NOT* integrate *ANY* of this source code into another
20 * product before consulting with your legal department.
21 *
22 * For further information, read the top-level Openvision
23 * copyright which is contained in the top-level MIT Kerberos
24 * copyright.
25 *
26 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
27 *
28 */
29 /*
30 * lib/kadm5/admin.h
31 *
32 * Copyright 2001 by the Massachusetts Institute of Technology.
33 * All Rights Reserved.
34 *
35 * Export of this software from the United States of America may
36 * require a specific license from the United States Government.
37 * It is the responsibility of any person or organization contemplating
38 * export to obtain such a license before exporting.
39 *
40 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
41 * distribute this software and its documentation for any purpose and
42 * without fee is hereby granted, provided that the above copyright
43 * notice appear in all copies and that both that copyright notice and
44 * this permission notice appear in supporting documentation, and that
45 * the name of M.I.T. not be used in advertising or publicity pertaining
46 * to distribution of the software without specific, written prior
47 * permission. Furthermore if you modify this software you must label
48 * your software as modified software and not distribute it in such a
49 * fashion that it might be confused with the original M.I.T. software.
50 * M.I.T. makes no representations about the suitability of
51 * this software for any purpose. It is provided "as is" without express
52 * or implied warranty.
53 *
54 */
55 /*
56 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
57 *
58 * $Header$
59 */
60
61 #include <sys/types.h>
62 #include <rpc/types.h>
63 #include <rpc/rpc.h>
64 #include <k5-int.h>
65 #include <krb5.h>
66 #include <krb5/kdb.h>
67 #include <com_err.h>
68 #include <kadm5/kadm_err.h>
69 #include <kadm5/chpass_util_strings.h>
70
71 #define KADM5_ADMIN_SERVICE_P "kadmin@admin"
72 /*
73 * Solaris Kerberos:
74 * The kadmin/admin principal is unused on Solaris. This principal is used
75 * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
76 * be used with host-based principals.
77 *
78 */
79 /* #define KADM5_ADMIN_SERVICE "kadmin/admin" */
80 #define KADM5_CHANGEPW_SERVICE_P "kadmin@changepw"
81 #define KADM5_CHANGEPW_SERVICE "kadmin/changepw"
82 #define KADM5_HIST_PRINCIPAL "kadmin/history"
83 #define KADM5_ADMIN_HOST_SERVICE "kadmin"
84 #define KADM5_CHANGEPW_HOST_SERVICE "changepw"
85 #define KADM5_KIPROP_HOST_SERVICE "kiprop"
86
87 typedef krb5_principal kadm5_princ_t;
88 typedef char *kadm5_policy_t;
89 typedef long kadm5_ret_t;
90 typedef int rpc_int32;
91 typedef unsigned int rpc_u_int32;
92
93 #define KADM5_PW_FIRST_PROMPT \
94 (error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
95 #define KADM5_PW_SECOND_PROMPT \
96 (error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
97
98 /*
99 * Successful return code
100 */
101 #define KADM5_OK 0
102
103 /*
104 * Field masks
105 */
106
107 /* kadm5_principal_ent_t */
108 #define KADM5_PRINCIPAL 0x000001
109 #define KADM5_PRINC_EXPIRE_TIME 0x000002
110 #define KADM5_PW_EXPIRATION 0x000004
111 #define KADM5_LAST_PWD_CHANGE 0x000008
112 #define KADM5_ATTRIBUTES 0x000010
113 #define KADM5_MAX_LIFE 0x000020
114 #define KADM5_MOD_TIME 0x000040
115 #define KADM5_MOD_NAME 0x000080
116 #define KADM5_KVNO 0x000100
117 #define KADM5_MKVNO 0x000200
118 #define KADM5_AUX_ATTRIBUTES 0x000400
119 #define KADM5_POLICY 0x000800
120 #define KADM5_POLICY_CLR 0x001000
121 /* version 2 masks */
122 #define KADM5_MAX_RLIFE 0x002000
123 #define KADM5_LAST_SUCCESS 0x004000
124 #define KADM5_LAST_FAILED 0x008000
125 #define KADM5_FAIL_AUTH_COUNT 0x010000
126 #define KADM5_KEY_DATA 0x020000
127 #define KADM5_TL_DATA 0x040000
128 #ifdef notyet /* Novell */
129 #define KADM5_CPW_FUNCTION 0x080000
130 #define KADM5_RANDKEY_USED 0x100000
131 #endif
132 #define KADM5_LOAD 0x200000
133 /* Solaris Kerberos: adding support for key history in LDAP KDB */
134 #define KADM5_KEY_HIST 0x400000
135
136 /* all but KEY_DATA and TL_DATA */
137 #define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
138
139
140 /* kadm5_policy_ent_t */
141 #define KADM5_PW_MAX_LIFE 0x004000
142 #define KADM5_PW_MIN_LIFE 0x008000
143 #define KADM5_PW_MIN_LENGTH 0x010000
144 #define KADM5_PW_MIN_CLASSES 0x020000
145 #define KADM5_PW_HISTORY_NUM 0x040000
146 #define KADM5_REF_COUNT 0x080000
147
148 /* kadm5_config_params */
149 #define KADM5_CONFIG_REALM 0x0000001
150 #define KADM5_CONFIG_DBNAME 0x0000002
151 #define KADM5_CONFIG_MKEY_NAME 0x0000004
152 #define KADM5_CONFIG_MAX_LIFE 0x0000008
153 #define KADM5_CONFIG_MAX_RLIFE 0x0000010
154 #define KADM5_CONFIG_EXPIRATION 0x0000020
155 #define KADM5_CONFIG_FLAGS 0x0000040
156 #define KADM5_CONFIG_ADMIN_KEYTAB 0x0000080
157 #define KADM5_CONFIG_STASH_FILE 0x0000100
158 #define KADM5_CONFIG_ENCTYPE 0x0000200
159 #define KADM5_CONFIG_ADBNAME 0x0000400
160 #define KADM5_CONFIG_ADB_LOCKFILE 0x0000800
161 #define KADM5_CONFIG_PROFILE 0x0001000
162 #define KADM5_CONFIG_ACL_FILE 0x0002000
163 #define KADM5_CONFIG_KADMIND_PORT 0x0004000
164 #define KADM5_CONFIG_ENCTYPES 0x0008000
165 #define KADM5_CONFIG_ADMIN_SERVER 0x0010000
166 #define KADM5_CONFIG_DICT_FILE 0x0020000
167 #define KADM5_CONFIG_MKEY_FROM_KBD 0x0040000
168 #define KADM5_CONFIG_KPASSWD_PORT 0x0080000
169 #define KADM5_CONFIG_KPASSWD_SERVER 0x0100000
170 #define KADM5_CONFIG_KPASSWD_PROTOCOL 0x0200000
171 #define KADM5_CONFIG_IPROP_ENABLED 0x0400000
172 #define KADM5_CONFIG_ULOG_SIZE 0x0800000
173 #define KADM5_CONFIG_POLL_TIME 0x1000000
174
175 /* password change constants */
176 #define KRB5_KPASSWD_SUCCESS 0
177 #define KRB5_KPASSWD_MALFORMED 1
178 #define KRB5_KPASSWD_HARDERROR 2
179 #define KRB5_KPASSWD_AUTHERROR 3
180 #define KRB5_KPASSWD_SOFTERROR 4
181 #define KRB5_KPASSWD_ACCESSDENIED 5
182 #define KRB5_KPASSWD_BAD_VERSION 6
183 #define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
184 #define KRB5_KPASSWD_POLICY_REJECT 8
185 #define KRB5_KPASSWD_BAD_PRINCIPAL 9
186 #define KRB5_KPASSWD_ETYPE_NOSUPP 10
187
188 /*
189 * permission bits
190 */
191 #define KADM5_PRIV_GET 0x01
192 #define KADM5_PRIV_ADD 0x02
193 #define KADM5_PRIV_MODIFY 0x04
194 #define KADM5_PRIV_DELETE 0x08
195
196 /*
197 * API versioning constants
198 */
199 #define KADM5_MASK_BITS 0xffffff00
200
201 #define KADM5_STRUCT_VERSION_MASK 0x12345600
202 #define KADM5_STRUCT_VERSION_1 (KADM5_STRUCT_VERSION_MASK|0x01)
203 #define KADM5_STRUCT_VERSION KADM5_STRUCT_VERSION_1
204
205 #define KADM5_API_VERSION_MASK 0x12345700
206 #define KADM5_API_VERSION_1 (KADM5_API_VERSION_MASK|0x01)
207 #define KADM5_API_VERSION_2 (KADM5_API_VERSION_MASK|0x02)
208
209 #ifdef KRB5_DNS_LOOKUP
210 /*
211 * Name length constants for DNS lookups
212 */
213 #define MAX_HOST_NAMELEN 256
214 #define MAX_DNS_NAMELEN (15*(MAX_HOST_NAMELEN + 1)+1)
215 #endif /* KRB5_DNS_LOOKUP */
216
217 typedef struct _kadm5_principal_ent_t_v2 {
218 krb5_principal principal;
219 krb5_timestamp princ_expire_time;
220 krb5_timestamp last_pwd_change;
221 krb5_timestamp pw_expiration;
222 krb5_deltat max_life;
223 krb5_principal mod_name;
224 krb5_timestamp mod_date;
225 krb5_flags attributes;
226 krb5_kvno kvno;
227 krb5_kvno mkvno;
228 char *policy;
229 long aux_attributes;
230
231 /* version 2 fields */
232 krb5_deltat max_renewable_life;
233 krb5_timestamp last_success;
234 krb5_timestamp last_failed;
235 krb5_kvno fail_auth_count;
236 krb5_int16 n_key_data;
237 krb5_int16 n_tl_data;
238 krb5_tl_data *tl_data;
239 krb5_key_data *key_data;
240 } kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;
241
242 typedef struct _kadm5_principal_ent_t_v1 {
243 krb5_principal principal;
244 krb5_timestamp princ_expire_time;
245 krb5_timestamp last_pwd_change;
246 krb5_timestamp pw_expiration;
247 krb5_deltat max_life;
248 krb5_principal mod_name;
249 krb5_timestamp mod_date;
250 krb5_flags attributes;
251 krb5_kvno kvno;
252 krb5_kvno mkvno;
253 char *policy;
254 long aux_attributes;
255 } kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;
256
257 #if USE_KADM5_API_VERSION == 1
258 typedef struct _kadm5_principal_ent_t_v1
259 kadm5_principal_ent_rec, *kadm5_principal_ent_t;
260 #else
261 typedef struct _kadm5_principal_ent_t_v2
262 kadm5_principal_ent_rec, *kadm5_principal_ent_t;
263 #endif
264
265 typedef struct _kadm5_policy_ent_t {
266 char *policy;
267 long pw_min_life;
268 long pw_max_life;
269 long pw_min_length;
270 long pw_min_classes;
271 long pw_history_num;
272 long policy_refcnt;
273 } kadm5_policy_ent_rec, *kadm5_policy_ent_t;
274
275 /*
276 * New types to indicate which protocol to use when sending
277 * password change requests
278 */
279 typedef enum {
280 KRB5_CHGPWD_RPCSEC,
281 KRB5_CHGPWD_CHANGEPW_V2
282 } krb5_chgpwd_prot;
283
284 /*
285 * Data structure returned by kadm5_get_config_params()
286 */
287 typedef struct _kadm5_config_params {
288 long mask;
289 char * realm;
290 int kadmind_port;
291 int kpasswd_port;
292
293 char * admin_server;
294 #ifdef notyet /* Novell */ /* ABI change? */
295 char * kpasswd_server;
296 #endif
297
298 char * dbname;
299 char * admin_dbname;
300 char * admin_lockfile;
301 char * admin_keytab;
302 char * acl_file;
303 char * dict_file;
304
305 int mkey_from_kbd;
306 char * stash_file;
307 char * mkey_name;
308 krb5_enctype enctype;
309 krb5_deltat max_life;
310 krb5_deltat max_rlife;
311 krb5_timestamp expiration;
312 krb5_flags flags;
313 krb5_key_salt_tuple *keysalts;
314 krb5_int32 num_keysalts;
315 char *kpasswd_server;
316
317 krb5_chgpwd_prot kpasswd_protocol;
318 bool_t iprop_enabled;
319 int iprop_ulogsize;
320 char *iprop_polltime;
321 } kadm5_config_params;
322
323 /***********************************************************************
324 * This is the old krb5_realm_read_params, which I mutated into
325 * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
326 * still uses.
327 ***********************************************************************/
328
329 /*
330 * Data structure returned by krb5_read_realm_params()
331 */
332 typedef struct __krb5_realm_params {
333 char * realm_profile;
334 char * realm_dbname;
335 char * realm_mkey_name;
336 char * realm_stash_file;
337 char * realm_kdc_ports;
338 char * realm_kdc_tcp_ports;
339 char * realm_acl_file;
340 krb5_int32 realm_kadmind_port;
341 krb5_enctype realm_enctype;
342 krb5_deltat realm_max_life;
343 krb5_deltat realm_max_rlife;
344 krb5_timestamp realm_expiration;
345 krb5_flags realm_flags;
346 krb5_key_salt_tuple *realm_keysalts;
347 unsigned int realm_reject_bad_transit:1;
348 unsigned int realm_kadmind_port_valid:1;
349 unsigned int realm_enctype_valid:1;
350 unsigned int realm_max_life_valid:1;
351 unsigned int realm_max_rlife_valid:1;
352 unsigned int realm_expiration_valid:1;
353 unsigned int realm_flags_valid:1;
354 unsigned int realm_reject_bad_transit_valid:1;
355 krb5_int32 realm_num_keysalts;
356 } krb5_realm_params;
357
358 /*
359 * functions
360 */
361
362 kadm5_ret_t
363 kadm5_get_adm_host_srv_name(krb5_context context,
364 const char *realm, char **host_service_name);
365
366 kadm5_ret_t
367 kadm5_get_cpw_host_srv_name(krb5_context context,
368 const char *realm, char **host_service_name);
369
370 #if USE_KADM5_API_VERSION > 1
371 krb5_error_code kadm5_get_config_params(krb5_context context,
372 int use_kdc_config,
373 kadm5_config_params *params_in,
374 kadm5_config_params *params_out);
375
376 krb5_error_code kadm5_free_config_params(krb5_context context,
377 kadm5_config_params *params);
378
379 krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
380 kadm5_config_params *params);
381
382 krb5_error_code kadm5_get_admin_service_name(krb5_context, char *,
383 char *, size_t);
384 #endif
385
386 kadm5_ret_t kadm5_init(char *client_name, char *pass,
387 char *service_name,
388 #if USE_KADM5_API_VERSION == 1
389 char *realm,
390 #else
391 kadm5_config_params *params,
392 #endif
393 krb5_ui_4 struct_version,
394 krb5_ui_4 api_version,
395 char **db_args,
396 void **server_handle);
397 kadm5_ret_t kadm5_init_with_password(char *client_name,
398 char *pass,
399 char *service_name,
400 #if USE_KADM5_API_VERSION == 1
401 char *realm,
402 #else
403 kadm5_config_params *params,
404 #endif
405 krb5_ui_4 struct_version,
406 krb5_ui_4 api_version,
407 char **db_args,
408 void **server_handle);
409 kadm5_ret_t kadm5_init_with_skey(char *client_name,
410 char *keytab,
411 char *service_name,
412 #if USE_KADM5_API_VERSION == 1
413 char *realm,
414 #else
415 kadm5_config_params *params,
416 #endif
417 krb5_ui_4 struct_version,
418 krb5_ui_4 api_version,
419 char **db_args,
420 void **server_handle);
421 #if USE_KADM5_API_VERSION > 1
422 kadm5_ret_t kadm5_init_with_creds(char *client_name,
423 krb5_ccache cc,
424 char *service_name,
425 kadm5_config_params *params,
426 krb5_ui_4 struct_version,
427 krb5_ui_4 api_version,
428 char **db_args,
429 void **server_handle);
430 #endif
431 kadm5_ret_t kadm5_lock(void *server_handle);
432 kadm5_ret_t kadm5_unlock(void *server_handle);
433 kadm5_ret_t kadm5_flush(void *server_handle);
434 kadm5_ret_t kadm5_destroy(void *server_handle);
435 kadm5_ret_t kadm5_check_min_life(void *server_handle, /* Solaris Kerberos */
436 krb5_principal principal,
437 char *msg_ret,
438 unsigned int msg_len);
439 kadm5_ret_t kadm5_create_principal(void *server_handle,
440 kadm5_principal_ent_t ent,
441 long mask, char *pass);
442 kadm5_ret_t kadm5_create_principal_3(void *server_handle,
443 kadm5_principal_ent_t ent,
444 long mask,
445 int n_ks_tuple,
446 krb5_key_salt_tuple *ks_tuple,
447 char *pass);
448 kadm5_ret_t kadm5_delete_principal(void *server_handle,
449 krb5_principal principal);
450 kadm5_ret_t kadm5_modify_principal(void *server_handle,
451 kadm5_principal_ent_t ent,
452 long mask);
453 kadm5_ret_t kadm5_rename_principal(void *server_handle,
454 krb5_principal,krb5_principal);
455 #if USE_KADM5_API_VERSION == 1
456 kadm5_ret_t kadm5_get_principal(void *server_handle,
457 krb5_principal principal,
458 kadm5_principal_ent_t *ent);
459 #else
460 kadm5_ret_t kadm5_get_principal(void *server_handle,
461 krb5_principal principal,
462 kadm5_principal_ent_t ent,
463 long mask);
464 #endif
465 kadm5_ret_t kadm5_chpass_principal(void *server_handle,
466 krb5_principal principal,
467 char *pass);
468 kadm5_ret_t kadm5_chpass_principal_3(void *server_handle,
469 krb5_principal principal,
470 krb5_boolean keepold,
471 int n_ks_tuple,
472 krb5_key_salt_tuple *ks_tuple,
473 char *pass);
474 #if USE_KADM5_API_VERSION == 1
475 kadm5_ret_t kadm5_randkey_principal(void *server_handle,
476 krb5_principal principal,
477 krb5_keyblock **keyblock);
478 #else
479
480 /*
481 * Solaris Kerberos:
482 * this routine is only implemented in the client library.
483 */
484 kadm5_ret_t kadm5_randkey_principal_old(void *server_handle,
485 krb5_principal principal,
486 krb5_keyblock **keyblocks,
487 int *n_keys);
488
489 kadm5_ret_t kadm5_randkey_principal(void *server_handle,
490 krb5_principal principal,
491 krb5_keyblock **keyblocks,
492 int *n_keys);
493 kadm5_ret_t kadm5_randkey_principal_3(void *server_handle,
494 krb5_principal principal,
495 krb5_boolean keepold,
496 int n_ks_tuple,
497 krb5_key_salt_tuple *ks_tuple,
498 krb5_keyblock **keyblocks,
499 int *n_keys);
500 #endif
501 kadm5_ret_t kadm5_setv4key_principal(void *server_handle,
502 krb5_principal principal,
503 krb5_keyblock *keyblock);
504
505 kadm5_ret_t kadm5_setkey_principal(void *server_handle,
506 krb5_principal principal,
507 krb5_keyblock *keyblocks,
508 int n_keys);
509
510 kadm5_ret_t kadm5_setkey_principal_3(void *server_handle,
511 krb5_principal principal,
512 krb5_boolean keepold,
513 int n_ks_tuple,
514 krb5_key_salt_tuple *ks_tuple,
515 krb5_keyblock *keyblocks,
516 int n_keys);
517
518 kadm5_ret_t kadm5_decrypt_key(void *server_handle,
519 kadm5_principal_ent_t entry, krb5_int32
520 ktype, krb5_int32 stype, krb5_int32
521 kvno, krb5_keyblock *keyblock,
522 krb5_keysalt *keysalt, int *kvnop);
523
524 kadm5_ret_t kadm5_create_policy(void *server_handle,
525 kadm5_policy_ent_t ent,
526 long mask);
527 /*
528 * kadm5_create_policy_internal is not part of the supported,
529 * exposed API. It is available only in the server library, and you
530 * shouldn't use it unless you know why it's there and how it's
531 * different from kadm5_create_policy.
532 */
533 kadm5_ret_t kadm5_create_policy_internal(void *server_handle,
534 kadm5_policy_ent_t
535 entry, long mask);
536 kadm5_ret_t kadm5_delete_policy(void *server_handle,
537 kadm5_policy_t policy);
538 kadm5_ret_t kadm5_modify_policy(void *server_handle,
539 kadm5_policy_ent_t ent,
540 long mask);
541 /*
542 * kadm5_modify_policy_internal is not part of the supported,
543 * exposed API. It is available only in the server library, and you
544 * shouldn't use it unless you know why it's there and how it's
545 * different from kadm5_modify_policy.
546 */
547 kadm5_ret_t kadm5_modify_policy_internal(void *server_handle,
548 kadm5_policy_ent_t
549 entry, long mask);
550 #if USE_KADM5_API_VERSION == 1
551 kadm5_ret_t kadm5_get_policy(void *server_handle,
552 kadm5_policy_t policy,
553 kadm5_policy_ent_t *ent);
554 #else
555 kadm5_ret_t kadm5_get_policy(void *server_handle,
556 kadm5_policy_t policy,
557 kadm5_policy_ent_t ent);
558 #endif
559 kadm5_ret_t kadm5_get_privs(void *server_handle,
560 long *privs);
561
562 kadm5_ret_t kadm5_chpass_principal_util(void *server_handle,
563 krb5_principal princ,
564 char *new_pw,
565 char **ret_pw,
566 char *msg_ret,
567 unsigned int msg_len);
568
569 kadm5_ret_t kadm5_free_principal_ent(void *server_handle,
570 kadm5_principal_ent_t
571 ent);
572 kadm5_ret_t kadm5_free_policy_ent(void *server_handle,
573 kadm5_policy_ent_t ent);
574
575 kadm5_ret_t kadm5_get_principals(void *server_handle,
576 char *exp, char ***princs,
577 int *count);
578
579 kadm5_ret_t kadm5_get_policies(void *server_handle,
580 char *exp, char ***pols,
581 int *count);
582
583 #if USE_KADM5_API_VERSION > 1
584 kadm5_ret_t kadm5_free_key_data(void *server_handle,
585 krb5_int16 *n_key_data,
586 krb5_key_data *key_data);
587 #endif
588
589 kadm5_ret_t kadm5_free_name_list(void *server_handle, char **names,
590 int count);
591
592 krb5_error_code kadm5_init_krb5_context (krb5_context *);
593
594 #if USE_KADM5_API_VERSION == 1
595 /*
596 * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time
597 * compatible with KADM5_API_VERSION_2. Basically, this means we have
598 * to continue to provide all the old ovsec_kadm function and symbol
599 * names.
600 */
601
602 #define OVSEC_KADM_ACLFILE "/krb5/ovsec_adm.acl"
603 #define OVSEC_KADM_WORDFILE "/krb5/ovsec_adm.dict"
604
605 #define OVSEC_KADM_ADMIN_SERVICE "ovsec_adm/admin"
606 #define OVSEC_KADM_CHANGEPW_SERVICE "ovsec_adm/changepw"
607 #define OVSEC_KADM_HIST_PRINCIPAL "ovsec_adm/history"
608
609 typedef krb5_principal ovsec_kadm_princ_t;
610 typedef krb5_keyblock ovsec_kadm_keyblock;
611 typedef char *ovsec_kadm_policy_t;
612 typedef long ovsec_kadm_ret_t;
613
614 enum ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL };
615 enum ovsec_kadm_saltmod { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL };
616
617 #define OVSEC_KADM_PW_FIRST_PROMPT \
618 ((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
619 #define OVSEC_KADM_PW_SECOND_PROMPT \
620 ((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
621
622 /*
623 * Successful return code
624 */
625 #define OVSEC_KADM_OK 0
626
627 /*
628 * Create/Modify masks
629 */
630 /* principal */
631 #define OVSEC_KADM_PRINCIPAL 0x000001
632 #define OVSEC_KADM_PRINC_EXPIRE_TIME 0x000002
633 #define OVSEC_KADM_PW_EXPIRATION 0x000004
634 #define OVSEC_KADM_LAST_PWD_CHANGE 0x000008
635 #define OVSEC_KADM_ATTRIBUTES 0x000010
636 #define OVSEC_KADM_MAX_LIFE 0x000020
637 #define OVSEC_KADM_MOD_TIME 0x000040
638 #define OVSEC_KADM_MOD_NAME 0x000080
639 #define OVSEC_KADM_KVNO 0x000100
640 #define OVSEC_KADM_MKVNO 0x000200
641 #define OVSEC_KADM_AUX_ATTRIBUTES 0x000400
642 #define OVSEC_KADM_POLICY 0x000800
643 #define OVSEC_KADM_POLICY_CLR 0x001000
644 /* policy */
645 #define OVSEC_KADM_PW_MAX_LIFE 0x004000
646 #define OVSEC_KADM_PW_MIN_LIFE 0x008000
647 #define OVSEC_KADM_PW_MIN_LENGTH 0x010000
648 #define OVSEC_KADM_PW_MIN_CLASSES 0x020000
649 #define OVSEC_KADM_PW_HISTORY_NUM 0x040000
650 #define OVSEC_KADM_REF_COUNT 0x080000
651
652 /*
653 * permission bits
654 */
655 #define OVSEC_KADM_PRIV_GET 0x01
656 #define OVSEC_KADM_PRIV_ADD 0x02
657 #define OVSEC_KADM_PRIV_MODIFY 0x04
658 #define OVSEC_KADM_PRIV_DELETE 0x08
659
660 /*
661 * API versioning constants
662 */
663 #define OVSEC_KADM_MASK_BITS 0xffffff00
664
665 #define OVSEC_KADM_STRUCT_VERSION_MASK 0x12345600
666 #define OVSEC_KADM_STRUCT_VERSION_1 (OVSEC_KADM_STRUCT_VERSION_MASK|0x01)
667 #define OVSEC_KADM_STRUCT_VERSION OVSEC_KADM_STRUCT_VERSION_1
668
669 #define OVSEC_KADM_API_VERSION_MASK 0x12345700
670 #define OVSEC_KADM_API_VERSION_1 (OVSEC_KADM_API_VERSION_MASK|0x01)
671
672
673 typedef struct _ovsec_kadm_principal_ent_t {
674 krb5_principal principal;
675 krb5_timestamp princ_expire_time;
676 krb5_timestamp last_pwd_change;
677 krb5_timestamp pw_expiration;
678 krb5_deltat max_life;
679 krb5_principal mod_name;
680 krb5_timestamp mod_date;
681 krb5_flags attributes;
682 krb5_kvno kvno;
683 krb5_kvno mkvno;
684 char *policy;
685 long aux_attributes;
686 } ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t;
687
688 typedef struct _ovsec_kadm_policy_ent_t {
689 char *policy;
690 long pw_min_life;
691 long pw_max_life;
692 long pw_min_length;
693 long pw_min_classes;
694 long pw_history_num;
695 long policy_refcnt;
696 } ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t;
697
698 /*
699 * functions
700 */
701 ovsec_kadm_ret_t ovsec_kadm_init(char *client_name, char *pass,
702 char *service_name, char *realm,
703 krb5_ui_4 struct_version,
704 krb5_ui_4 api_version,
705 char **db_args,
706 void **server_handle);
707 ovsec_kadm_ret_t ovsec_kadm_init_with_password(char *client_name,
708 char *pass,
709 char *service_name,
710 char *realm,
711 krb5_ui_4 struct_version,
712 krb5_ui_4 api_version,
713 char ** db_args,
714 void **server_handle);
715 ovsec_kadm_ret_t ovsec_kadm_init_with_skey(char *client_name,
716 char *keytab,
717 char *service_name,
718 char *realm,
719 krb5_ui_4 struct_version,
720 krb5_ui_4 api_version,
721 char **db_args,
722 void **server_handle);
723 ovsec_kadm_ret_t ovsec_kadm_flush(void *server_handle);
724 ovsec_kadm_ret_t ovsec_kadm_destroy(void *server_handle);
725 ovsec_kadm_ret_t ovsec_kadm_create_principal(void *server_handle,
726 ovsec_kadm_principal_ent_t ent,
727 long mask, char *pass);
728 ovsec_kadm_ret_t ovsec_kadm_delete_principal(void *server_handle,
729 krb5_principal principal);
730 ovsec_kadm_ret_t ovsec_kadm_modify_principal(void *server_handle,
731 ovsec_kadm_principal_ent_t ent,
732 long mask);
733 ovsec_kadm_ret_t ovsec_kadm_rename_principal(void *server_handle,
734 krb5_principal,krb5_principal);
735 ovsec_kadm_ret_t ovsec_kadm_get_principal(void *server_handle,
736 krb5_principal principal,
737 ovsec_kadm_principal_ent_t *ent);
738 ovsec_kadm_ret_t ovsec_kadm_chpass_principal(void *server_handle,
739 krb5_principal principal,
740 char *pass);
741 ovsec_kadm_ret_t ovsec_kadm_randkey_principal(void *server_handle,
742 krb5_principal principal,
743 krb5_keyblock **keyblock);
744 ovsec_kadm_ret_t ovsec_kadm_create_policy(void *server_handle,
745 ovsec_kadm_policy_ent_t ent,
746 long mask);
747 /*
748 * ovsec_kadm_create_policy_internal is not part of the supported,
749 * exposed API. It is available only in the server library, and you
750 * shouldn't use it unless you know why it's there and how it's
751 * different from ovsec_kadm_create_policy.
752 */
753 ovsec_kadm_ret_t ovsec_kadm_create_policy_internal(void *server_handle,
754 ovsec_kadm_policy_ent_t
755 entry, long mask);
756 ovsec_kadm_ret_t ovsec_kadm_delete_policy(void *server_handle,
757 ovsec_kadm_policy_t policy);
758 ovsec_kadm_ret_t ovsec_kadm_modify_policy(void *server_handle,
759 ovsec_kadm_policy_ent_t ent,
760 long mask);
761 /*
762 * ovsec_kadm_modify_policy_internal is not part of the supported,
763 * exposed API. It is available only in the server library, and you
764 * shouldn't use it unless you know why it's there and how it's
765 * different from ovsec_kadm_modify_policy.
766 */
767 ovsec_kadm_ret_t ovsec_kadm_modify_policy_internal(void *server_handle,
768 ovsec_kadm_policy_ent_t
769 entry, long mask);
770 ovsec_kadm_ret_t ovsec_kadm_get_policy(void *server_handle,
771 ovsec_kadm_policy_t policy,
772 ovsec_kadm_policy_ent_t *ent);
773 ovsec_kadm_ret_t ovsec_kadm_get_privs(void *server_handle,
774 long *privs);
775
776 ovsec_kadm_ret_t ovsec_kadm_chpass_principal_util(void *server_handle,
777 krb5_principal princ,
778 char *new_pw,
779 char **ret_pw,
780 char *msg_ret);
781
782 ovsec_kadm_ret_t ovsec_kadm_free_principal_ent(void *server_handle,
783 ovsec_kadm_principal_ent_t
784 ent);
785 ovsec_kadm_ret_t ovsec_kadm_free_policy_ent(void *server_handle,
786 ovsec_kadm_policy_ent_t ent);
787
788 ovsec_kadm_ret_t ovsec_kadm_free_name_list(void *server_handle,
789 char **names, int count);
790
791 ovsec_kadm_ret_t ovsec_kadm_get_principals(void *server_handle,
792 char *exp, char ***princs,
793 int *count);
794
795 ovsec_kadm_ret_t ovsec_kadm_get_policies(void *server_handle,
796 char *exp, char ***pols,
797 int *count);
798
799 #define OVSEC_KADM_FAILURE KADM5_FAILURE
800 #define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET
801 #define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD
802 #define OVSEC_KADM_AUTH_MODIFY KADM5_AUTH_MODIFY
803 #define OVSEC_KADM_AUTH_DELETE KADM5_AUTH_DELETE
804 #define OVSEC_KADM_AUTH_INSUFFICIENT KADM5_AUTH_INSUFFICIENT
805 #define OVSEC_KADM_BAD_DB KADM5_BAD_DB
806 #define OVSEC_KADM_DUP KADM5_DUP
807 #define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR
808 #define OVSEC_KADM_NO_SRV KADM5_NO_SRV
809 #define OVSEC_KADM_BAD_HIST_KEY KADM5_BAD_HIST_KEY
810 #define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT
811 #define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC
812 #define OVSEC_KADM_UNK_POLICY KADM5_UNK_POLICY
813 #define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK
814 #define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS
815 #define OVSEC_KADM_BAD_LENGTH KADM5_BAD_LENGTH
816 #define OVSEC_KADM_BAD_POLICY KADM5_BAD_POLICY
817 #define OVSEC_KADM_BAD_PRINCIPAL KADM5_BAD_PRINCIPAL
818 #define OVSEC_KADM_BAD_AUX_ATTR KADM5_BAD_AUX_ATTR
819 #define OVSEC_KADM_BAD_HISTORY KADM5_BAD_HISTORY
820 #define OVSEC_KADM_BAD_MIN_PASS_LIFE KADM5_BAD_MIN_PASS_LIFE
821 #define OVSEC_KADM_PASS_Q_TOOSHORT KADM5_PASS_Q_TOOSHORT
822 #define OVSEC_KADM_PASS_Q_CLASS KADM5_PASS_Q_CLASS
823 #define OVSEC_KADM_PASS_Q_DICT KADM5_PASS_Q_DICT
824 #define OVSEC_KADM_PASS_REUSE KADM5_PASS_REUSE
825 #define OVSEC_KADM_PASS_TOOSOON KADM5_PASS_TOOSOON
826 #define OVSEC_KADM_POLICY_REF KADM5_POLICY_REF
827 #define OVSEC_KADM_INIT KADM5_INIT
828 #define OVSEC_KADM_BAD_PASSWORD KADM5_BAD_PASSWORD
829 #define OVSEC_KADM_PROTECT_PRINCIPAL KADM5_PROTECT_PRINCIPAL
830 #define OVSEC_KADM_BAD_SERVER_HANDLE KADM5_BAD_SERVER_HANDLE
831 #define OVSEC_KADM_BAD_STRUCT_VERSION KADM5_BAD_STRUCT_VERSION
832 #define OVSEC_KADM_OLD_STRUCT_VERSION KADM5_OLD_STRUCT_VERSION
833 #define OVSEC_KADM_NEW_STRUCT_VERSION KADM5_NEW_STRUCT_VERSION
834 #define OVSEC_KADM_BAD_API_VERSION KADM5_BAD_API_VERSION
835 #define OVSEC_KADM_OLD_LIB_API_VERSION KADM5_OLD_LIB_API_VERSION
836 #define OVSEC_KADM_OLD_SERVER_API_VERSION KADM5_OLD_SERVER_API_VERSION
837 #define OVSEC_KADM_NEW_LIB_API_VERSION KADM5_NEW_LIB_API_VERSION
838 #define OVSEC_KADM_NEW_SERVER_API_VERSION KADM5_NEW_SERVER_API_VERSION
839 #define OVSEC_KADM_SECURE_PRINC_MISSING KADM5_SECURE_PRINC_MISSING
840 #define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT
841
842 #endif /* USE_KADM5_API_VERSION == 1 */
843
844 #define MAXPRINCLEN 125
845
846 void trunc_name(size_t *len, char **dots);
847
848 krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle);
849 kadm5_ret_t kadm5_chpass_principal_v2(void *server_handle,
850 krb5_principal princ,
851 char *new_password,
852 kadm5_ret_t *srvr_rsp_code,
853 krb5_data *srvr_msg);
854
855 void handle_chpw(krb5_context context, int s, void *serverhandle,
856 kadm5_config_params *params);
857
858 #ifdef __cplusplus
859 }
860 #endif
861
862 #endif /* __KADM5_ADMIN_H__ */
unleashed repo fork