/*
* Iteration callback merges non-replicated attributes from
* old database.
*/
static krb5_error_code
krb5_db2_merge_nra_iterator(krb5_pointer ptr, krb5_db_entry *entry)
{
struct nra_context *nra = (struct nra_context *)ptr;
kdb5_dal_handle *dal_handle = nra->kcontext->dal_handle;
krb5_error_code retval;
int changed;
krb5_db_entry *s_entry;
krb5_db2_context *dst_db;
memset(&s_entry, 0, sizeof(s_entry));
dst_db = dal_handle->db_context;
dal_handle->db_context = nra->db_context;
/* look up the new principal in the old DB */
retval = krb5_db2_get_principal(nra->kcontext, entry->princ, 0, &s_entry);
if (retval != 0) {
/* principal may be newly created, so ignore */
dal_handle->db_context = dst_db;
return 0;
}
/* merge non-replicated attributes from the old entry in */
krb5_db2_merge_principal(nra->kcontext, s_entry, entry, &changed);
dal_handle->db_context = dst_db;
/* if necessary, commit the modified new entry to the new DB */
if (changed) {
retval = krb5_db2_put_principal(nra->kcontext, entry, NULL);
} else {
retval = 0;
}
krb5_db_free_principal(nra->kcontext, s_entry);
return retval;
}
krb5_error_code
krb5_db2_lockout_audit(krb5_context context,
krb5_db_entry *entry,
krb5_timestamp stamp,
krb5_error_code status)
{
krb5_error_code code;
krb5_kvno max_fail = 0;
krb5_deltat failcnt_interval = 0;
krb5_deltat lockout_duration = 0;
krb5_db2_context *db_ctx = context->dal_handle->db_context;
krb5_boolean need_update = FALSE;
krb5_timestamp unlock_time;
switch (status) {
case 0:
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
break;
#if 0
case KRB5KDC_ERR_CLIENT_REVOKED:
break;
#endif
default:
return 0;
}
if (!db_ctx->disable_lockout) {
code = lookup_lockout_policy(context, entry, &max_fail,
&failcnt_interval, &lockout_duration);
if (code != 0)
return code;
}
/* Only mark the authentication as successful if the entry
* required preauthentication, otherwise we have no idea. */
if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
if (!db_ctx->disable_lockout && entry->fail_auth_count != 0) {
entry->fail_auth_count = 0;
need_update = TRUE;
}
if (!db_ctx->disable_last_success) {
entry->last_success = stamp;
need_update = TRUE;
}
} else if (!db_ctx->disable_lockout &&
(status == KRB5KDC_ERR_PREAUTH_FAILED ||
status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) {
if (krb5_dbe_lookup_last_admin_unlock(context, entry,
&unlock_time) == 0 &&
entry->last_failed <= unlock_time) {
/* Reset fail_auth_count after administrative unlock. */
entry->fail_auth_count = 0;
}
if (failcnt_interval != 0 &&
stamp > entry->last_failed + failcnt_interval) {
/* Reset fail_auth_count after failcnt_interval. */
entry->fail_auth_count = 0;
}
entry->last_failed = stamp;
entry->fail_auth_count++;
need_update = TRUE;
}
if (need_update) {
code = krb5_db2_put_principal(context, entry, NULL);
if (code != 0)
return code;
}
return 0;
}
