* initial credentials. Returns a Kerberos status code.
*/
static krb5_error_code
-get_creds(struct plugin_config *config, krb5_context ctx, krb5_ccache *cc)
+get_creds(kadm5_hook_modinfo *config, krb5_context ctx, krb5_ccache *cc)
{
krb5_error_code code;
krb5_keytab kt = NULL;
* and always involves changing the realm. Returns a Kerberos error code.
*/
static krb5_error_code
-get_ad_principal(struct plugin_config *config, krb5_context ctx,
+get_ad_principal(kadm5_hook_modinfo *config, krb5_context ctx,
krb5_const_principal principal, krb5_principal *ad_principal)
{
krb5_error_code code;
* length. Returns a Kerberos error code.
*/
krb5_error_code
-pwupdate_ad_change(struct plugin_config *config, krb5_context ctx,
+pwupdate_ad_change(kadm5_hook_modinfo *config, krb5_context ctx,
krb5_principal principal, const char *password,
int pwlen UNUSED)
{
* length.
*/
krb5_error_code
-pwupdate_ad_status(struct plugin_config *config, krb5_context ctx,
+pwupdate_ad_status(kadm5_hook_modinfo *config, krb5_context ctx,
krb5_principal principal, int enabled)
{
krb5_ccache ccache;
* This function returns failure only if it could not allocate memory.
*/
krb5_error_code
-pwupdate_init(struct plugin_config **result, krb5_context ctx)
+pwupdate_init(kadm5_hook_modinfo **result, krb5_context ctx)
{
- struct plugin_config *config;
+ kadm5_hook_modinfo *config;
/* Allocate our internal data. */
- config = calloc(1, sizeof(struct plugin_config));
+ config = calloc(1, sizeof(*config));
if (config == NULL)
return sync_error_system(ctx, "cannot allocate memory");
* since we don't store any other local state.
*/
void
-pwupdate_close(struct plugin_config *config)
+pwupdate_close(kadm5_hook_modinfo *config)
{
if (config->ad_keytab != NULL)
free(config->ad_keytab);
* proceed, logs a debug-level message to syslog.
*/
static int
-principal_allowed(struct plugin_config *config, krb5_context ctx,
+principal_allowed(kadm5_hook_modinfo *config, krb5_context ctx,
krb5_principal principal, int pwchange)
{
char *display;
* Currently, we can't do anything in that case, so just skip it.
*/
krb5_error_code
-pwupdate_precommit_password(struct plugin_config *config, krb5_context ctx,
+pwupdate_precommit_password(kadm5_hook_modinfo *config, krb5_context ctx,
krb5_principal principal,
const char *password, int pwlen)
{
* Currently, there are none.
*/
krb5_error_code
-pwupdate_postcommit_password(struct plugin_config *config UNUSED,
+pwupdate_postcommit_password(kadm5_hook_modinfo *config UNUSED,
krb5_context ctx UNUSED,
krb5_principal principal UNUSED,
const char *password UNUSED, int pwlen UNUSED)
* queue it for later processing.
*/
krb5_error_code
-pwupdate_postcommit_status(struct plugin_config *config, krb5_context ctx,
+pwupdate_postcommit_status(kadm5_hook_modinfo *config, krb5_context ctx,
krb5_principal principal, int enabled)
{
krb5_error_code code;
static krb5_error_code
init(krb5_context ctx, void **data)
{
- return pwupdate_init((struct plugin_config **) data, ctx);
+ return pwupdate_init((kadm5_hook_modinfo **) data, ctx);
}
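Review bot: The Heimdal `init` above still stores the module pointer through `(kadm5_hook_modinfo **) data`, i.e. it writes a `kadm5_hook_modinfo *` into an object the caller declared as `void *`, while the MIT `init` in this same change dropped its cast because its parameter is already typed. Writing through a `T **` view of a `void *` object is technically an aliasing violation, harmless on every mainstream ABI but exactly the kind of cast the commit is otherwise removing. A cast-free form keeps the interface: `kadm5_hook_modinfo *config = NULL; krb5_error_code code = pwupdate_init(&config, ctx);` followed by `*data = config; return code;`. Whether `pwupdate_init` leaves `*result` untouched on failure is not visible here, so initialising `config` to NULL keeps `*data` deterministic either way.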
* or on any other error.
*/
int
-pwupdate_instance_exists(struct plugin_config *config UNUSED,
+pwupdate_instance_exists(kadm5_hook_modinfo *config UNUSED,
krb5_context ctx, krb5_principal base,
const char *instance)
{
#include <config.h>
#include <portable/krb5.h>
#include <portable/macros.h>
+#include <portable/stdbool.h>
-#include <sys/types.h>
+#ifdef HAVE_KRB5_KADM5_HOOK_PLUGIN
+# include <krb5/kadm5_hook_plugin.h>
+#else
+typedef struct kadm5_hook_modinfo_st kadm5_hook_modinfo;
+#endif
/*
* Local configuration information for the module. This contains all the
* parameters that are read from the krb5-sync sub-section of the appdefaults
- * section when the module is initialized. This structure is passed as an
- * opaque pointer back to the caller, which is then expected to pass it in as
- * the first argument to the other calls.
+ * section when the module is initialized.
+ *
+ * MIT Kerberos uses this type as an abstract data type for any data that a
+ * kadmin hook needs to carry. Reuse it since then we get type checking for
+ * at least the MIT plugin.
*/
-struct plugin_config {
- char *ad_keytab;
- char *ad_principal;
- char *ad_realm;
+struct kadm5_hook_modinfo_st {
char *ad_admin_server;
- char *ad_ldap_base;
char *ad_base_instance;
char *ad_instances;
+ char *ad_keytab;
+ char *ad_ldap_base;
+ char *ad_principal;
bool ad_queue_only;
+ char *ad_realm;
char *queue_dir;
};
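Review bot: The new comment on `struct kadm5_hook_modinfo_st` says MIT uses the type as an abstract data type but not what that implies for this definition, which is what a maintainer touching the fields needs to know: MIT's header declares only the tag, so this is the sole complete definition, only this plugin dereferences it, and that is why the members can be reordered (as this hunk does, alphabetically) with no ABI concern toward kadmind; on builds without `HAVE_KRB5_KADM5_HOOK_PLUGIN` the name exists only through the fallback typedef earlier in this header. I would append to the existing paragraph: ` * MIT only declares the struct tag, so this is its sole definition; kadmind` / ` * passes the pointer back opaquely and never looks inside it.` The string members are presumably all heap-owned and released in `pwupdate_close` (only `ad_keytab` is visible being freed in this diff), which is worth stating on the struct as well.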
#pragma GCC visibility push(hidden)
/* General public API. */
-krb5_error_code pwupdate_init(struct plugin_config **, krb5_context);
-void pwupdate_close(struct plugin_config *);
-krb5_error_code pwupdate_precommit_password(struct plugin_config *,
+krb5_error_code pwupdate_init(kadm5_hook_modinfo **, krb5_context);
+void pwupdate_close(kadm5_hook_modinfo *);
+krb5_error_code pwupdate_precommit_password(kadm5_hook_modinfo *,
krb5_context, krb5_principal,
const char *password,
int pwlen);
-krb5_error_code pwupdate_postcommit_password(struct plugin_config *,
+krb5_error_code pwupdate_postcommit_password(kadm5_hook_modinfo *,
krb5_context, krb5_principal,
const char *password,
int pwlen);
-krb5_error_code pwupdate_postcommit_status(struct plugin_config *,
+krb5_error_code pwupdate_postcommit_status(kadm5_hook_modinfo *,
krb5_context, krb5_principal,
int enabled);
/* Password changing. */
-krb5_error_code pwupdate_ad_change(struct plugin_config *, krb5_context,
+krb5_error_code pwupdate_ad_change(kadm5_hook_modinfo *, krb5_context,
krb5_principal, const char *password,
int pwlen);
/* Account status update. */
-krb5_error_code pwupdate_ad_status(struct plugin_config *, krb5_context,
+krb5_error_code pwupdate_ad_status(kadm5_hook_modinfo *, krb5_context,
krb5_principal, int enabled);
/* Instance lookups. */
-int pwupdate_instance_exists(struct plugin_config *, krb5_context,
+int pwupdate_instance_exists(kadm5_hook_modinfo *, krb5_context,
krb5_principal, const char *instance);
/* Queuing. */
-int pwupdate_queue_conflict(struct plugin_config *, krb5_context,
+int pwupdate_queue_conflict(kadm5_hook_modinfo *, krb5_context,
krb5_principal, const char *domain,
const char *operation);
-krb5_error_code pwupdate_queue_write(struct plugin_config *, krb5_context,
+krb5_error_code pwupdate_queue_write(kadm5_hook_modinfo *, krb5_context,
krb5_principal, const char *domain,
const char *operation,
const char *password);
static kadm5_ret_t
init(krb5_context ctx, kadm5_hook_modinfo **data)
{
- return pwupdate_init((struct plugin_config **) data, ctx);
+ return pwupdate_init(data, ctx);
}
static void
fini(krb5_context ctx UNUSED, kadm5_hook_modinfo *data)
{
- pwupdate_close((struct plugin_config *) data);
+ pwupdate_close(data);
}
/* Dispatch to the appropriate function. */
length = strlen(password);
if (stage == KADM5_HOOK_STAGE_PRECOMMIT)
- code = pwupdate_precommit_password((struct plugin_config *) data,
- ctx, princ, password, length);
+ code = pwupdate_precommit_password(data, ctx, princ, password, length);
else if (stage == KADM5_HOOK_STAGE_POSTCOMMIT)
- code = pwupdate_postcommit_password((struct plugin_config *) data,
- ctx, princ, password, length);
+ code = pwupdate_postcommit_password(data, ctx, princ, password,
+ length);
return code;
}
if (mask & KADM5_ATTRIBUTES && stage == KADM5_HOOK_STAGE_POSTCOMMIT) {
enabled = !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX);
- return pwupdate_postcommit_status((struct plugin_config *) data,
- ctx, entry->principal, enabled);
+ return pwupdate_postcommit_status(data, ctx, entry->principal,
+ enabled);
}
return 0;
}
* script. Perl makes it very annoying to use fcntl locking on Linux.
*/
static int
-lock_queue(struct plugin_config *config)
+lock_queue(kadm5_hook_modinfo *config)
{
char *lockpath = NULL;
int fd = -1;
* On failure, return -1 (still true but distinguished).
*/
int
-pwupdate_queue_conflict(struct plugin_config *config, krb5_context ctx,
+pwupdate_queue_conflict(kadm5_hook_modinfo *config, krb5_context ctx,
krb5_principal principal, const char *domain,
const char *operation)
{
* enable and disable). Returns a Kerberos error code.
*/
krb5_error_code
-pwupdate_queue_write(struct plugin_config *config, krb5_context ctx,
+pwupdate_queue_write(kadm5_hook_modinfo *config, krb5_context ctx,
krb5_principal principal, const char *domain,
const char *operation, const char *password)
{
krb5_context ctx;
krb5_principal princ;
void *handle = NULL;
- void *data = NULL;
+ void *config = NULL;
struct kadm5_hook *hook = NULL;
kadm5_principal_ent_rec entity;
const char *message;
if (hook == NULL)
ok_block(8, false, "No symbol in plugin");
else {
- is_int(0, hook->init(ctx, &data), "init");
- ok(data != NULL, "...and data is not NULL");
- code = hook->chpass(ctx, data, KADM5_HOOK_STAGE_PRECOMMIT, princ,
+ is_int(0, hook->init(ctx, &config), "init");
+ ok(config != NULL, "...and config is not NULL");
+ code = hook->chpass(ctx, config, KADM5_HOOK_STAGE_PRECOMMIT, princ,
"test");
is_int(ENOENT, code, "chpass");
message = krb5_get_error_message(ctx, code);
krb5_free_error_message(ctx, message);
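Review bot: The test still declares the module handle as `void *config` (renamed from `data` in the preceding hunk), so `hook->init(ctx, &config)` on the first changed line here passes a `void **` where a `kadm5_hook_modinfo **` is expected, forfeiting the type checking this commit introduces the typedef for; depending on how `struct kadm5_hook` is declared in the test this is at best an incompatible-pointer-type warning. Declaring it as `kadm5_hook_modinfo *config = NULL;` lets the init, chpass, create, modify and fini calls type-check against the real signatures without any other change. The enclosing test body continues past this hunk.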
/* Test chpass with a NULL password. */
- code = hook->chpass(ctx, data, KADM5_HOOK_STAGE_PRECOMMIT, princ,
+ code = hook->chpass(ctx, config, KADM5_HOOK_STAGE_PRECOMMIT, princ,
NULL);
is_int(0, code, "chpass with NULL password");
memset(&entity, 0, sizeof(entity));
entity.principal = princ;
entity.attributes = KRB5_KDB_DISALLOW_ALL_TIX;
- code = hook->create(ctx, data, KADM5_HOOK_STAGE_PRECOMMIT, &entity,
+ code = hook->create(ctx, config, KADM5_HOOK_STAGE_PRECOMMIT, &entity,
0, "test");
is_int(ENOENT, code, "create");
message = krb5_get_error_message(ctx, code);
strlen("cannot lock queue")),
0, "...with correct error message");
krb5_free_error_message(ctx, message);
- code = hook->modify(ctx, data, KADM5_HOOK_STAGE_POSTCOMMIT, &entity,
+ code = hook->modify(ctx, config, KADM5_HOOK_STAGE_POSTCOMMIT, &entity,
KADM5_ATTRIBUTES);
is_int(ENOENT, code, "modify");
message = krb5_get_error_message(ctx, code);
krb5_free_error_message(ctx, message);
/* Test create with a NULL password. */
- code = hook->create(ctx, data, KADM5_HOOK_STAGE_PRECOMMIT, &entity,
+ code = hook->create(ctx, config, KADM5_HOOK_STAGE_PRECOMMIT, &entity,
0, NULL);
is_int(0, code, "create with NULL password");
/* Close down the module. */
- hook->fini(ctx, data);
+ hook->fini(ctx, config);
}
/* Clean up. */
krb5_context ctx;
krb5_principal princ;
krb5_error_code code;
- struct plugin_config *config;
+ kadm5_hook_modinfo *config;
char buffer[BUFSIZ];
time_t now, try;
struct tm *date;
krb5_context ctx;
krb5_principal princ;
krb5_error_code code;
- struct plugin_config *data;
+ kadm5_hook_modinfo *data;
int fd;
char buffer[BUFSIZ];
time_t now, try;
* successful, and exit with an error message if we weren't.
*/
static void
-ad_password(struct plugin_config *data, krb5_context ctx,
+ad_password(kadm5_hook_modinfo *config, krb5_context ctx,
krb5_principal principal, char *password, const char *user)
{
krb5_error_code code;
- code = pwupdate_ad_change(data, ctx, principal, password,
+ code = pwupdate_ad_change(config, ctx, principal, password,
strlen(password));
if (code != 0)
die_krb5(ctx, code, "AD password change for %s failed", user);
* we were successful, and exit with an error message if we weren't.
*/
static void
-ad_status(struct plugin_config *data, krb5_context ctx,
+ad_status(kadm5_hook_modinfo *config, krb5_context ctx,
krb5_principal principal, bool enable, const char *user)
{
krb5_error_code code;
- code = pwupdate_ad_status(data, ctx, principal, enable);
+ code = pwupdate_ad_status(config, ctx, principal, enable);
if (code != 0)
die_krb5(ctx, code, "AD status change for %s failed", user);
notice("AD status change for %s succeeded", user);
* supported for AFS.
*/
static void
-process_queue_file(struct plugin_config *data, krb5_context ctx,
+process_queue_file(kadm5_hook_modinfo *config, krb5_context ctx,
const char *filename)
{
FILE *queue;
if (password) {
read_line(queue, filename, buffer, sizeof(buffer));
if (ad)
- ad_password(data, ctx, principal, buffer, user);
+ ad_password(config, ctx, principal, buffer, user);
} else if (enable || disable) {
- ad_status(data, ctx, principal, enable, user);
+ ad_status(config, ctx, principal, enable, user);
}
/* If we got here, we were successful. Close the file and delete it. */
char *password = NULL;
char *filename = NULL;
char *user;
- struct plugin_config *config;
+ kadm5_hook_modinfo *config;
krb5_context ctx;
krb5_error_code code;
krb5_principal principal;