admin.h revision 46736d35df047bb400483364f76bfcb08cdcbb25
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef __KADM5_ADMIN_H__
#define __KADM5_ADMIN_H__
#pragma ident "%Z%%M% %I% %E% SMI"
#ifdef __cplusplus
extern "C" {
#endif
/*
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
*
* Openvision retains the copyright to derivative works of
* this source code. Do *NOT* create a derivative of this
* source code before consulting with your legal department.
* Do *NOT* integrate *ANY* of this source code into another
* product before consulting with your legal department.
*
* For further information, read the top-level Openvision
* copyright which is contained in the top-level MIT Kerberos
* copyright.
*
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
*
*/
/*
*
* Copyright 2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
*/
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
*/
#include <krb5.h>
#include <k5-int.h>
#include <com_err.h>
#include <kadm5/kadm_err.h>
#include <kadm5/chpass_util_strings.h>
/*
 * Well-known service principal names.  Each service has two spellings:
 * the "_P" form separates the components with '@', the plain form with
 * '/'.  The *_HOST_SERVICE names are the first component only
 * (presumably completed with a host name by the caller -- confirm).
 */
#define KADM5_ADMIN_SERVICE_P "kadmin@admin"
#define KADM5_ADMIN_SERVICE "kadmin/admin"
#define KADM5_CHANGEPW_SERVICE_P "kadmin@changepw"
#define KADM5_CHANGEPW_SERVICE "kadmin/changepw"
/* History principal; its role is not shown in this file. */
#define KADM5_HIST_PRINCIPAL "kadmin/history"
#define KADM5_ADMIN_HOST_SERVICE "kadmin"
#define KADM5_CHANGEPW_HOST_SERVICE "changepw"
#define KADM5_KIPROP_HOST_SERVICE "kiprop"
/* Principal handle: the same representation as the krb5 library principal. */
typedef krb5_principal kadm5_princ_t;
/* Policy reference, held as a C string (presumably the policy name -- confirm). */
typedef char *kadm5_policy_t;
/* Return-code type of the kadm5 API; KADM5_OK (0) is the success value. */
typedef long kadm5_ret_t;
/*
 * Integer types used by the RPC layer.  NOTE(review): these are only
 * 32 bits wide if `int' is 32 bits on the target -- no check is made here.
 */
typedef int rpc_int32;
typedef unsigned int rpc_u_int32;
#define KADM5_PW_FIRST_PROMPT \
#define KADM5_PW_SECOND_PROMPT \
/*
 * Successful return code.  Any other kadm5_ret_t value is an error
 * (presumably one of the codes from kadm_err.h, included above -- confirm).
 */
#define KADM5_OK 0
/*
* Field masks
*/
/*
 * kadm5_principal_ent_t
 *
 * Presumably ORed into the `long mask' parameters of the entry functions
 * declared below to say which fields of an entry are meaningful -- confirm
 * against the implementation.
 *
 * NOTE(review): the principal-entry and policy-entry mask spaces overlap
 * numerically (KADM5_PW_MAX_LIFE == KADM5_LAST_SUCCESS == 0x004000, and so
 * on up to 0x040000), so a mask value only means something together with
 * the kind of entry it is applied to.
 */
#define KADM5_PRINCIPAL 0x000001
#define KADM5_PRINC_EXPIRE_TIME 0x000002
#define KADM5_PW_EXPIRATION 0x000004
#define KADM5_LAST_PWD_CHANGE 0x000008
#define KADM5_ATTRIBUTES 0x000010
#define KADM5_MAX_LIFE 0x000020
#define KADM5_MOD_TIME 0x000040
#define KADM5_MOD_NAME 0x000080
#define KADM5_KVNO 0x000100
#define KADM5_MKVNO 0x000200
#define KADM5_AUX_ATTRIBUTES 0x000400
#define KADM5_POLICY 0x000800
#define KADM5_POLICY_CLR 0x001000
/* version 2 masks */
#define KADM5_MAX_RLIFE 0x002000
#define KADM5_LAST_SUCCESS 0x004000
#define KADM5_LAST_FAILED 0x008000
#define KADM5_FAIL_AUTH_COUNT 0x010000
#define KADM5_KEY_DATA 0x020000
#define KADM5_TL_DATA 0x040000
/*
 * all but KEY_DATA and TL_DATA: bits 0x000001..0x010000, i.e. KADM5_PRINCIPAL
 * through KADM5_FAIL_AUTH_COUNT; 0x020000 and 0x040000 are left out.
 */
#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
/* kadm5_policy_ent_t -- note these reuse the bit values of the v2 principal masks above */
#define KADM5_PW_MAX_LIFE 0x004000
#define KADM5_PW_MIN_LIFE 0x008000
#define KADM5_PW_MIN_LENGTH 0x010000
#define KADM5_PW_MIN_CLASSES 0x020000
#define KADM5_PW_HISTORY_NUM 0x040000
#define KADM5_REF_COUNT 0x080000
/*
 * kadm5_config_params
 *
 * Bits of the `mask' member of struct _kadm5_config_params (declared
 * below); presumably each bit records that the correspondingly named
 * field was set -- confirm.  These values coincide numerically with the
 * principal/policy masks above but belong to a separate name space.
 */
#define KADM5_CONFIG_REALM 0x0000001
#define KADM5_CONFIG_DBNAME 0x0000002
#define KADM5_CONFIG_MKEY_NAME 0x0000004
#define KADM5_CONFIG_MAX_LIFE 0x0000008
#define KADM5_CONFIG_MAX_RLIFE 0x0000010
#define KADM5_CONFIG_EXPIRATION 0x0000020
#define KADM5_CONFIG_FLAGS 0x0000040
#define KADM5_CONFIG_ADMIN_KEYTAB 0x0000080
#define KADM5_CONFIG_STASH_FILE 0x0000100
#define KADM5_CONFIG_ENCTYPE 0x0000200
#define KADM5_CONFIG_ADBNAME 0x0000400
#define KADM5_CONFIG_ADB_LOCKFILE 0x0000800
#define KADM5_CONFIG_PROFILE 0x0001000
#define KADM5_CONFIG_ACL_FILE 0x0002000
#define KADM5_CONFIG_KADMIND_PORT 0x0004000
#define KADM5_CONFIG_ENCTYPES 0x0008000
#define KADM5_CONFIG_ADMIN_SERVER 0x0010000
#define KADM5_CONFIG_DICT_FILE 0x0020000
#define KADM5_CONFIG_MKEY_FROM_KBD 0x0040000
#define KADM5_CONFIG_KPASSWD_PORT 0x0080000
#define KADM5_CONFIG_KPASSWD_SERVER 0x0100000
#define KADM5_CONFIG_KPASSWD_PROTOCOL 0x0200000
/* incremental propagation (iprop) settings */
#define KADM5_CONFIG_IPROP_ENABLED 0x0400000
#define KADM5_CONFIG_ULOG_SIZE 0x0800000
#define KADM5_CONFIG_POLL_TIME 0x1000000
/*
 * password change constants: result codes of a password-change request.
 * 0 is success, everything else is a failure reason.  NOTE(review): these
 * look like the status values of the change-password reply, so their
 * numeric values are presumably fixed by the protocol -- confirm before
 * renumbering.
 */
#define KRB5_KPASSWD_SUCCESS 0
#define KRB5_KPASSWD_MALFORMED 1
#define KRB5_KPASSWD_HARDERROR 2
#define KRB5_KPASSWD_AUTHERROR 3
#define KRB5_KPASSWD_SOFTERROR 4
#define KRB5_KPASSWD_ACCESSDENIED 5
#define KRB5_KPASSWD_BAD_VERSION 6
#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
#define KRB5_KPASSWD_POLICY_REJECT 8
#define KRB5_KPASSWD_BAD_PRINCIPAL 9
#define KRB5_KPASSWD_ETYPE_NOSUPP 10
/*
 * permission bits: flags describing what an administrator is allowed to
 * do.  Presumably the value delivered through the `long *privs'
 * out-parameter declared below -- confirm.
 */
#define KADM5_PRIV_GET 0x01
#define KADM5_PRIV_ADD 0x02
#define KADM5_PRIV_MODIFY 0x04
#define KADM5_PRIV_DELETE 0x08
/*
 * API versioning constants.  KADM5_MASK_BITS selects the upper 24 bits of
 * a version word; those bits equal KADM5_STRUCT_VERSION_MASK for a
 * structure version and KADM5_API_VERSION_MASK for an API version.
 * The unmasked low byte presumably carries the version number -- confirm.
 */
#define KADM5_MASK_BITS 0xffffff00
#define KADM5_STRUCT_VERSION_MASK 0x12345600
#define KADM5_API_VERSION_MASK 0x12345700
#ifdef KRB5_DNS_LOOKUP
/*
 * Name length constants for DNS lookups.  Only defined when DNS lookup
 * support is compiled in; a bound for host-name buffers.
 */
#define MAX_HOST_NAMELEN 256
#endif /* KRB5_DNS_LOOKUP */
typedef struct _kadm5_principal_ent_t_v2 {
char *policy;
long aux_attributes;
/* version 2 fields */
typedef struct _kadm5_principal_ent_t_v1 {
char *policy;
long aux_attributes;
#if USE_KADM5_API_VERSION == 1
typedef struct _kadm5_principal_ent_t_v1
#else
typedef struct _kadm5_principal_ent_t_v2
#endif
typedef struct _kadm5_policy_ent_t {
char *policy;
long pw_min_life;
long pw_max_life;
long pw_min_length;
long pw_min_classes;
long pw_history_num;
long policy_refcnt;
typedef struct __krb5_key_salt_tuple {
/*
* New types to indicate which protocol to use when sending
* password change requests
*/
typedef enum {
/*
* Data structure returned by kadm5_get_config_params()
*/
typedef struct _kadm5_config_params {
long mask;
char * realm;
char * profile;
int kadmind_port;
int kpasswd_port;
char * admin_server;
char * dbname;
char * admin_dbname;
char * admin_lockfile;
char * admin_keytab;
char * acl_file;
char * dict_file;
int mkey_from_kbd;
char * stash_file;
char * mkey_name;
char *kpasswd_server;
int iprop_ulogsize;
char *iprop_polltime;
/***********************************************************************
* This is the old krb5_realm_read_params, which I mutated into
* kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
* still uses.
***********************************************************************/
/*
* Data structure returned by krb5_read_realm_params()
*/
typedef struct __krb5_realm_params {
char * realm_profile;
char * realm_dbname;
char * realm_mkey_name;
char * realm_stash_file;
char * realm_kdc_ports;
char * realm_kdc_tcp_ports;
char * realm_acl_file;
unsigned int realm_reject_bad_transit:1;
unsigned int realm_kadmind_port_valid:1;
unsigned int realm_enctype_valid:1;
unsigned int realm_max_life_valid:1;
unsigned int realm_max_rlife_valid:1;
unsigned int realm_expiration_valid:1;
unsigned int realm_flags_valid:1;
unsigned int realm_reject_bad_transit_valid:1;
/*
* functions
*/
const char *realm, char **host_service_name);
const char *realm, char **host_service_name);
#if USE_KADM5_API_VERSION > 1
char *kdcprofile, char *kdcenv,
char *, size_t);
#endif
char *service_name,
#if USE_KADM5_API_VERSION == 1
char *realm,
#else
#endif
void **server_handle);
char *pass,
char *service_name,
#if USE_KADM5_API_VERSION == 1
char *realm,
#else
#endif
void **server_handle);
char *keytab,
char *service_name,
#if USE_KADM5_API_VERSION == 1
char *realm,
#else
#endif
void **server_handle);
#if USE_KADM5_API_VERSION > 1
char *service_name,
void **server_handle);
#endif
long mask,
int n_ks_tuple,
char *pass);
long mask);
#if USE_KADM5_API_VERSION == 1
#else
long mask);
#endif
char *pass);
int n_ks_tuple,
char *pass);
#if USE_KADM5_API_VERSION == 1
#else
/*
* Solaris Kerberos:
* this routine is only implemented in the client library.
*/
int *n_keys);
int *n_keys);
int n_ks_tuple,
int *n_keys);
#endif
int n_keys);
int n_ks_tuple,
int n_keys);
long mask);
/*
* kadm5_create_policy_internal is not part of the supported,
* exposed API. It is available only in the server library, and you
* shouldn't use it unless you know why it's there and how it's
* different from kadm5_create_policy.
*/
long mask);
/*
* kadm5_modify_policy_internal is not part of the supported,
* exposed API. It is available only in the server library, and you
* shouldn't use it unless you know why it's there and how it's
* different from kadm5_modify_policy.
*/
#if USE_KADM5_API_VERSION == 1
#else
#endif
long *privs);
char *new_pw,
char **ret_pw,
char *msg_ret,
unsigned int msg_len);
ent);
int *count);
int *count);
#if USE_KADM5_API_VERSION > 1
#endif
int count);
#if USE_KADM5_API_VERSION == 1
/*
* OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time
* compatible with KADM5_API_VERSION_2. Basically, this means we have
* to continue to provide all the old ovsec_kadm function and symbol
* names.
*/
/*
 * Compatibility names for the OVSEC_KADM (API version 1) interface.  Note
 * that the v1 ACL and dictionary files live under /krb5, and the service
 * principals are "ovsec_adm/...", distinct from the "kadmin/..." names
 * defined earlier in this header.
 */
#define OVSEC_KADM_ACLFILE "/krb5/ovsec_adm.acl"
#define OVSEC_KADM_WORDFILE "/krb5/ovsec_adm.dict"
#define OVSEC_KADM_ADMIN_SERVICE "ovsec_adm/admin"
#define OVSEC_KADM_CHANGEPW_SERVICE "ovsec_adm/changepw"
#define OVSEC_KADM_HIST_PRINCIPAL "ovsec_adm/history"
/* v1 spellings of the kadm5 handle/return types. */
typedef krb5_principal ovsec_kadm_princ_t;
typedef krb5_keyblock ovsec_kadm_keyblock;
typedef char *ovsec_kadm_policy_t;
typedef long ovsec_kadm_ret_t;
/*
 * Password prompts, fetched through error_message() from the chpass_util
 * string table (chpass_util_strings.h, included above).
 */
#define OVSEC_KADM_PW_FIRST_PROMPT \
((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define OVSEC_KADM_PW_SECOND_PROMPT \
((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
/*
 * Successful return code (same value as KADM5_OK).
 */
#define OVSEC_KADM_OK 0
/*
 * Field masks (v1 names).  Numerically identical to the KADM5_* masks of
 * the same name defined earlier in this header, so the same caution
 * applies: principal and policy mask values overlap.
 */
/* principal */
#define OVSEC_KADM_PRINCIPAL 0x000001
#define OVSEC_KADM_PRINC_EXPIRE_TIME 0x000002
#define OVSEC_KADM_PW_EXPIRATION 0x000004
#define OVSEC_KADM_LAST_PWD_CHANGE 0x000008
#define OVSEC_KADM_ATTRIBUTES 0x000010
#define OVSEC_KADM_MAX_LIFE 0x000020
#define OVSEC_KADM_MOD_TIME 0x000040
#define OVSEC_KADM_MOD_NAME 0x000080
#define OVSEC_KADM_KVNO 0x000100
#define OVSEC_KADM_MKVNO 0x000200
#define OVSEC_KADM_AUX_ATTRIBUTES 0x000400
#define OVSEC_KADM_POLICY 0x000800
#define OVSEC_KADM_POLICY_CLR 0x001000
/* policy */
#define OVSEC_KADM_PW_MAX_LIFE 0x004000
#define OVSEC_KADM_PW_MIN_LIFE 0x008000
#define OVSEC_KADM_PW_MIN_LENGTH 0x010000
#define OVSEC_KADM_PW_MIN_CLASSES 0x020000
#define OVSEC_KADM_PW_HISTORY_NUM 0x040000
#define OVSEC_KADM_REF_COUNT 0x080000
/*
 * permission bits (v1 names, same values as KADM5_PRIV_*).
 */
#define OVSEC_KADM_PRIV_GET 0x01
#define OVSEC_KADM_PRIV_ADD 0x02
#define OVSEC_KADM_PRIV_MODIFY 0x04
#define OVSEC_KADM_PRIV_DELETE 0x08
/*
 * API versioning constants (v1 names, same values as the KADM5_* ones).
 */
#define OVSEC_KADM_MASK_BITS 0xffffff00
#define OVSEC_KADM_STRUCT_VERSION_MASK 0x12345600
#define OVSEC_KADM_API_VERSION_MASK 0x12345700
typedef struct _ovsec_kadm_principal_ent_t {
char *policy;
long aux_attributes;
typedef struct _ovsec_kadm_policy_ent_t {
char *policy;
long pw_min_life;
long pw_max_life;
long pw_min_length;
long pw_min_classes;
long pw_history_num;
long policy_refcnt;
/*
* functions
*/
char *service_name, char *realm,
void **server_handle);
char *pass,
char *service_name,
char *realm,
void **server_handle);
char *keytab,
char *service_name,
char *realm,
void **server_handle);
long mask);
char *pass);
long mask);
/*
* ovsec_kadm_create_policy_internal is not part of the supported,
* exposed API. It is available only in the server library, and you
* shouldn't use it unless you know why it's there and how it's
* different from ovsec_kadm_create_policy.
*/
long mask);
/*
* ovsec_kadm_modify_policy_internal is not part of the supported,
* exposed API. It is available only in the server library, and you
* shouldn't use it unless you know why it's there and how it's
* different from ovsec_kadm_modify_policy.
*/
long *privs);
char *new_pw,
char **ret_pw,
char *msg_ret);
ent);
int *count);
int *count);
/*
 * v1 aliases for the kadm5 error codes.  The KADM5_* codes are not
 * defined in this header; presumably they come from kadm_err.h, included
 * above -- confirm.
 */
#define OVSEC_KADM_FAILURE KADM5_FAILURE
#define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET
#define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD
#define OVSEC_KADM_BAD_DB KADM5_BAD_DB
#define OVSEC_KADM_DUP KADM5_DUP
#define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR
#define OVSEC_KADM_NO_SRV KADM5_NO_SRV
#define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT
#define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC
#define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK
#define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS
#define OVSEC_KADM_INIT KADM5_INIT
#endif /* USE_KADM5_API_VERSION == 1 */
/*
 * NOTE(review): presumably an upper bound on principal-name buffers;
 * callers sizing a buffer with it should still bound their writes
 * (snprintf rather than strcpy) -- confirm against the users of this value.
 */
#define MAXPRINCLEN 125
char *new_password,
#ifdef __cplusplus
}
#endif
#endif /* __KADM5_ADMIN_H__ */