1
/** BEGIN COPYRIGHT BLOCK
2
* This program is free software; you can redistribute it and/or modify
3
* it under the terms of the GNU General Public License as published by
4
* the Free Software Foundation, either version 3 of the License, or
5
* (at your option) any later version.
7
* This program is distributed in the hope that it will be useful,
8
* but WITHOUT ANY WARRANTY; without even the implied warranty of
9
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10
* GNU General Public License for more details.
12
* You should have received a copy of the GNU General Public License
13
* along with this program. If not, see <http://www.gnu.org/licenses/>.
15
* Additional permission under GPLv3 section 7:
17
* In the following paragraph, "GPL" means the GNU General Public
18
* License, version 3 or any later version, and "Non-GPL Code" means
19
* code that is governed neither by the GPL nor a license
20
* compatible with the GPL.
22
* You may link the code of this Program with Non-GPL Code and convey
23
* linked combinations including the two, provided that such Non-GPL
24
* Code only links to the code of this Program through those well
25
* defined interfaces identified in the file named EXCEPTION found in
26
* the source code files (the "Approved Interfaces"). The files of
27
* Non-GPL Code may instantiate templates or use macros or inline
28
* functions from the Approved Interfaces without causing the resulting
29
* work to be covered by the GPL. Only the copyright holders of this
30
* Program may make changes or additions to the list of Approved
33
* Copyright (C) 2005 Red Hat, Inc.
34
* All rights reserved.
35
* END COPYRIGHT BLOCK **/
42
* Enroll a host into the IPA domain.
48
#include <dirsrv/slapi-plugin.h>
53
#define IPA_PLUGIN_NAME "ipa-enrollment"
55
/* OID of the extended operation handled by this plug-in */
56
#define JOIN_OID "2.16.840.1.113730.3.8.10.3"
58
Slapi_PluginDesc pdesc = {
62
"IPA Enrollment Extended Operation plugin"
65
static char *ipaenrollment_oid_list[] = {
70
static char *ipaenrollment_name_list[] = {
71
"Enrollment Extended Operation",
75
static void *ipaenrollment_plugin_id;
78
static const char *ipa_realm_dn;
81
ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
84
int rc = LDAP_SUCCESS;
86
LOG_TRACE("=> ipaenrollment_secure\n");
88
/* Allow enrollment on all connections with a Security Strength
89
* Factor (SSF) higher than 1 */
90
if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
91
LOG_TRACE("Could not get SSF from connection\n");
92
*errMesg = "Operation requires a secure connection.\n";
93
rc = LDAP_OPERATIONS_ERROR;
98
*errMesg = "Kerberos realm is not set.\n";
99
LOG_FATAL("%s", errMesg);
100
rc = LDAP_OPERATIONS_ERROR;
105
*errMesg = "Operation requires a secure connection.\n";
106
rc = LDAP_CONFIDENTIALITY_REQUIRED;
111
LOG_TRACE("<= ipaenrollment_secure\n");
116
/* The extop call passes in the FQDN of the host to enroll.
117
* We take that and set the krbPrincipalName and add the appropriate
118
* objectclasses, then return krbPrincipalName. The caller should take
119
* this and pass it to ipa-getkeytab to generate the keytab.
121
* The password for the entry is removed by ipa-getkeytab.
124
ipa_join(Slapi_PBlock *pb)
127
char *errMesg = NULL;
128
struct berval *extop_value = NULL;
129
Slapi_PBlock *pbte = NULL;
130
Slapi_PBlock *pbtm = NULL;
131
Slapi_Entry *targetEntry=NULL;
134
Slapi_Entry **es = NULL;
135
int rc=0, ret=0, res, i;
137
char *krbLastPwdChange = NULL;
140
char *attrlist[] = {"fqdn", "krbPrincipalKey", "krbLastPwdChange", "krbPrincipalName", NULL };
143
int scope = LDAP_SCOPE_SUBTREE;
144
char *principal = NULL;
145
struct berval retbval;
148
errMesg = "Kerberos realm is not set.\n";
149
LOG_FATAL("%s", errMesg);
150
rc = LDAP_OPERATIONS_ERROR;
151
goto free_and_return;
155
slapi_pblock_get(pb, SLAPI_CONN_DN, &bindDN);
157
/* If the connection is bound anonymously we must refuse to process
160
if (bindDN == NULL || *bindDN == '\0') {
161
/* Refuse the operation because they're bound anonymously */
162
errMesg = "Anonymous Binds are not allowed.\n";
163
rc = LDAP_INSUFFICIENT_ACCESS;
164
goto free_and_return;
167
/* Get the ber value of the extended operation */
168
slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
170
/* We are passed in the FQDN of the host to enroll. Do an internal
171
* search and pull that entry.
173
filter = slapi_ch_smprintf("(fqdn=%s)", extop_value->bv_val);
174
pbte = slapi_pblock_new();
175
slapi_search_internal_set_pb(pbte,
176
ipa_realm_dn, scope, filter, attrlist, 0,
179
ipaenrollment_plugin_id,
182
/* do search the tree */
183
ret = slapi_search_internal_pb(pbte);
184
slapi_pblock_get(pbte, SLAPI_PLUGIN_INTOP_RESULT, &res);
185
if (ret == -1 || res != LDAP_SUCCESS) {
186
LOG_TRACE("Search for host failed, err (%d)\n", res?res:ret);
187
errMesg = "Host not found.\n";
188
rc = LDAP_NO_SUCH_OBJECT;
189
goto free_and_return;
193
slapi_pblock_get(pbte, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &es);
195
LOG_TRACE("No entries ?!");
196
errMesg = "Host not found.\n";
197
rc = LDAP_NO_SUCH_OBJECT;
198
goto free_and_return;
202
for (i = 0; es[i]; i++) /* count */ ;
204
/* if there is none or more than one, freak out */
206
LOG_TRACE("Too many entries, or entry no found (%d)", i);
207
errMesg = "Host not found.\n";
208
rc = LDAP_NO_SUCH_OBJECT;
209
goto free_and_return;
213
/* Is this host already enrolled? */
214
krbLastPwdChange = slapi_entry_attr_get_charptr(targetEntry, "krbLastPwdChange");
215
if (NULL != krbLastPwdChange) {
216
LOG_TRACE("Host already enrolled");
217
errMesg = "Host already enrolled.\n";
218
rc = LDAP_OPERATIONS_ERROR;
219
goto free_and_return;
222
/* First thing to do is to ask access control if the bound identity has
223
* rights to modify the userpassword attribute on this entry. If not,
224
* then we fail immediately with insufficient access. This means that
225
* we don't leak any useful information to the client such as current
226
* password wrong, etc.
229
is_root = slapi_dn_isroot(bindDN);
230
if (slapi_pblock_set(pb, SLAPI_REQUESTOR_ISROOT, &is_root)) {
231
LOG_FATAL("slapi_pblock_set failed!\n");
232
rc = LDAP_OPERATIONS_ERROR;
233
goto free_and_return;
236
/* In order to perform the access control check,
237
* we need to select a backend (even though
238
* we don't actually need it otherwise).
240
sdn = slapi_sdn_new_dn_byval(bindDN);
241
be = slapi_be_select(sdn);
242
if (slapi_pblock_set(pb, SLAPI_BACKEND, be)) {
243
LOG_FATAL("slapi_pblock_set failed!\n");
244
rc = LDAP_OPERATIONS_ERROR;
245
goto free_and_return;
249
* If the user has WRITE-ONLY access, a new keytab is set on the entry.
252
ret = slapi_access_allowed(pb, targetEntry, "krbPrincipalKey", NULL, SLAPI_ACL_WRITE);
253
if (ret != LDAP_SUCCESS) {
254
errMesg = "Insufficient access rights\n";
255
rc = LDAP_INSUFFICIENT_ACCESS;
256
goto free_and_return;
259
/* If a principal is already set return the name */
260
principal = slapi_entry_attr_get_charptr(targetEntry, "krbPrincipalName");
261
if (NULL != principal)
264
/* Add the elements needed for enrollment */
265
smods = slapi_mods_new();
266
fqdn = slapi_entry_attr_get_charptr(targetEntry, "fqdn");
267
principal = slapi_ch_smprintf("host/%s@%s", fqdn, realm);
268
slapi_mods_add_string(smods, LDAP_MOD_ADD, "krbPrincipalName", principal);
269
slapi_mods_add_string(smods, LDAP_MOD_ADD, "objectClass", "krbPrincipalAux");
271
pbtm = slapi_pblock_new();
272
slapi_modify_internal_set_pb (pbtm, slapi_entry_get_dn_const(targetEntry),
273
slapi_mods_get_ldapmods_byref(smods),
276
ipaenrollment_plugin_id, /* PluginID */
279
rc = slapi_modify_internal_pb (pbtm);
281
LOG_TRACE("WARNING: modify error %d on entry '%s'\n",
282
rc, slapi_entry_get_dn_const(targetEntry));
284
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
286
if (rc != LDAP_SUCCESS){
287
LOG_TRACE("WARNING: modify error %d on entry '%s'\n",
288
rc, slapi_entry_get_dn_const(targetEntry));
290
LOG_TRACE("<= apply mods: Successful\n");
295
/* Return the krbprincipalname */
296
retbval.bv_val = principal;
297
retbval.bv_len = strlen(principal);
299
ret = slapi_pblock_set(pb, SLAPI_EXT_OP_RET_OID, JOIN_OID);
300
if (!ret) ret = slapi_pblock_set(pb, SLAPI_EXT_OP_RET_VALUE, &retbval);
302
errMesg = "Could not set return values";
303
LOG("%s\n", errMesg);
304
rc = SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
307
/* Free anything that we allocated above */
311
slapi_free_search_results_internal(pbte);
312
slapi_pblock_destroy(pbte);
315
slapi_pblock_destroy(pbtm);
318
if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange);
320
LOG(errMesg ? errMesg : "success\n");
321
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
325
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
328
/* Extended operation plug-in */
330
ipaenrollment_extop(Slapi_PBlock *pb)
333
char *errMesg = NULL;
336
LOG_TRACE("=> ipaenrollment_extop\n");
338
rc = ipaenrollement_secure(pb, &errMesg);
340
goto free_and_return;
343
/* Get the OID and the value included in the request */
344
if (slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid ) != 0) {
345
errMesg = "Could not get OID and value from request.\n";
346
rc = LDAP_OPERATIONS_ERROR;
348
goto free_and_return;
351
if (strcasecmp(oid, JOIN_OID) == 0) {
356
errMesg = "Request OID does not match supported OIDs.\n";
357
rc = LDAP_OPERATIONS_ERROR;
361
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
363
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
367
ipaenrollment_start(Slapi_PBlock *pb)
369
krb5_error_code krberr;
371
char *config_dn = NULL;
372
char *partition_dn = NULL;
373
Slapi_Entry *config_entry = NULL;
374
int ret = LDAP_SUCCESS;
378
krberr = krb5_init_context(&krbctx);
380
LOG_FATAL("krb5_init_context failed\n");
381
/* Yes, we failed, but it is because /etc/krb5.conf doesn't exist
382
* or is misconfigured. Start up in a degraded mode.
387
krberr = krb5_get_default_realm(krbctx, &realm);
390
LOG_FATAL("Failed to get default realm?!\n");
394
if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &config_dn) != 0) {
395
LOG_FATAL("No config DN?\n");
398
sdn = slapi_sdn_new_dn_byref(config_dn);
399
if ((rc = slapi_search_internal_get_entry(sdn, NULL, &config_entry,
400
ipaenrollment_plugin_id)) != LDAP_SUCCESS ){
401
LOG_TRACE("ipaenrollment_start: No such entry-(%s), err (%d)\n",
404
slapi_sdn_free(&sdn);
406
partition_dn = slapi_entry_attr_get_charptr(config_entry, "nsslapd-realmtree");
408
LOG_FATAL("Missing partition configuration entry (nsslapd-realmTree)!\n");
409
ret = LDAP_OPERATIONS_ERROR;
413
ipa_realm_dn = slapi_ch_smprintf("cn=computers,cn=accounts,%s", partition_dn);
414
slapi_ch_free_string(&partition_dn);
416
LOG_FATAL("Out of memory ?\n");
417
ret = LDAP_OPERATIONS_ERROR;
422
if (krbctx) krb5_free_context(krbctx);
423
if (config_entry) slapi_entry_free(config_entry);
429
ipaenrollment_init(Slapi_PBlock *pb)
433
/* Get the arguments appended to the plugin extendedop directive
434
* in the plugin entry. The first argument
435
* (after the standard arguments for the directive) should
436
* contain the OID of the extended op.
439
ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ipaenrollment_plugin_id);
440
if ((ret != 0) || (NULL == ipaenrollment_plugin_id)) {
441
LOG("Could not get identity or identity was NULL\n");
445
LOG("Registering plug-in for extended op.\n");
447
/* Register the plug-in function as an extended operation
449
ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);
450
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, (void *)ipaenrollment_start);
451
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&pdesc);
452
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_OIDLIST, ipaenrollment_oid_list);
453
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_NAMELIST, ipaenrollment_name_list);
454
if (!ret) slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_FN, (void *)ipaenrollment_extop);
457
LOG("Failed to set plug-in version, function, and OID.\n");