/* * Iteration callback merges non-replicated attributes from * old database. */ static krb5_error_code krb5_db2_merge_nra_iterator(krb5_pointer ptr, krb5_db_entry *entry) { struct nra_context *nra = (struct nra_context *)ptr; kdb5_dal_handle *dal_handle = nra->kcontext->dal_handle; krb5_error_code retval; int changed; krb5_db_entry *s_entry; krb5_db2_context *dst_db; memset(&s_entry, 0, sizeof(s_entry)); dst_db = dal_handle->db_context; dal_handle->db_context = nra->db_context; /* look up the new principal in the old DB */ retval = krb5_db2_get_principal(nra->kcontext, entry->princ, 0, &s_entry); if (retval != 0) { /* principal may be newly created, so ignore */ dal_handle->db_context = dst_db; return 0; } /* merge non-replicated attributes from the old entry in */ krb5_db2_merge_principal(nra->kcontext, s_entry, entry, &changed); dal_handle->db_context = dst_db; /* if necessary, commit the modified new entry to the new DB */ if (changed) { retval = krb5_db2_put_principal(nra->kcontext, entry, NULL); } else { retval = 0; } krb5_db_free_principal(nra->kcontext, s_entry); return retval; }
krb5_error_code krb5_db2_lockout_audit(krb5_context context, krb5_db_entry *entry, krb5_timestamp stamp, krb5_error_code status) { krb5_error_code code; krb5_kvno max_fail = 0; krb5_deltat failcnt_interval = 0; krb5_deltat lockout_duration = 0; krb5_db2_context *db_ctx = context->dal_handle->db_context; krb5_boolean need_update = FALSE; krb5_timestamp unlock_time; switch (status) { case 0: case KRB5KDC_ERR_PREAUTH_FAILED: case KRB5KRB_AP_ERR_BAD_INTEGRITY: break; #if 0 case KRB5KDC_ERR_CLIENT_REVOKED: break; #endif default: return 0; } if (!db_ctx->disable_lockout) { code = lookup_lockout_policy(context, entry, &max_fail, &failcnt_interval, &lockout_duration); if (code != 0) return code; } /* Only mark the authentication as successful if the entry * required preauthentication, otherwise we have no idea. */ if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) { if (!db_ctx->disable_lockout && entry->fail_auth_count != 0) { entry->fail_auth_count = 0; need_update = TRUE; } if (!db_ctx->disable_last_success) { entry->last_success = stamp; need_update = TRUE; } } else if (!db_ctx->disable_lockout && (status == KRB5KDC_ERR_PREAUTH_FAILED || status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) { if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 && entry->last_failed <= unlock_time) { /* Reset fail_auth_count after administrative unlock. */ entry->fail_auth_count = 0; } if (failcnt_interval != 0 && stamp > entry->last_failed + failcnt_interval) { /* Reset fail_auth_count after failcnt_interval. */ entry->fail_auth_count = 0; } entry->last_failed = stamp; entry->fail_auth_count++; need_update = TRUE; } if (need_update) { code = krb5_db2_put_principal(context, entry, NULL); if (code != 0) return code; } return 0; }