Exemplo n.º 1
0
krb5_error_code
kdb_delete_entry(kadm5_server_handle_t handle, krb5_principal name)
{
    int one = 1;
    krb5_error_code ret;
    
    ret = krb5_db_delete_principal(handle->context, name, &one);

    return ret;
}
Exemplo n.º 2
0
krb5_error_code
kdb_delete_entry(kadm5_server_handle_t handle, krb5_principal name)
{
    krb5_error_code ret;

    ret = krb5_db_delete_principal(handle->context, name);
    if (ret == KRB5_KDB_NOENTRY)
        ret = 0;
    return ret;
}
Exemplo n.º 3
0
Arquivo: kdbtest.c Projeto: WeiY/krb5
int
main()
{
    krb5_db_entry *ent;
    osa_policy_ent_t pol;
    krb5_pa_data **e_data;
    const char *status;
    char *defrealm;
    int count;

    CHECK(krb5_init_context_profile(NULL, KRB5_INIT_CONTEXT_KDC, &ctx));

    /* Currently necessary for krb5_db_open to work. */
    CHECK(krb5_get_default_realm(ctx, &defrealm));

    /* If we can, revert to requiring all entries match sample_princ in
     * iter_princ_handler */
    CHECK_COND(krb5_db_inited(ctx) != 0);
    CHECK(krb5_db_create(ctx, NULL));
    CHECK(krb5_db_inited(ctx));
    CHECK(krb5_db_fini(ctx));
    CHECK_COND(krb5_db_inited(ctx) != 0);

    CHECK_COND(krb5_db_inited(ctx) != 0);
    CHECK(krb5_db_open(ctx, NULL, KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN));
    CHECK(krb5_db_inited(ctx));

    /* Manipulate a policy, leaving it in place at the end. */
    CHECK_COND(krb5_db_put_policy(ctx, &sample_policy) != 0);
    CHECK_COND(krb5_db_delete_policy(ctx, polname) != 0);
    CHECK_COND(krb5_db_get_policy(ctx, polname, &pol) == KRB5_KDB_NOENTRY);
    CHECK(krb5_db_create_policy(ctx, &sample_policy));
    CHECK_COND(krb5_db_create_policy(ctx, &sample_policy) != 0);
    CHECK(krb5_db_get_policy(ctx, polname, &pol));
    check_policy(pol);
    pol->pw_min_length--;
    CHECK(krb5_db_put_policy(ctx, pol));
    krb5_db_free_policy(ctx, pol);
    CHECK(krb5_db_get_policy(ctx, polname, &pol));
    CHECK_COND(pol->pw_min_length == sample_policy.pw_min_length - 1);
    krb5_db_free_policy(ctx, pol);
    CHECK(krb5_db_delete_policy(ctx, polname));
    CHECK_COND(krb5_db_put_policy(ctx, &sample_policy) != 0);
    CHECK_COND(krb5_db_delete_policy(ctx, polname) != 0);
    CHECK_COND(krb5_db_get_policy(ctx, polname, &pol) == KRB5_KDB_NOENTRY);
    CHECK(krb5_db_create_policy(ctx, &sample_policy));
    count = 0;
    CHECK(krb5_db_iter_policy(ctx, NULL, iter_pol_handler, &count));
    CHECK_COND(count == 1);

    /* Create a principal. */
    CHECK_COND(krb5_db_delete_principal(ctx, &sample_princ) ==
               KRB5_KDB_NOENTRY);
    CHECK_COND(krb5_db_get_principal(ctx, &xrealm_princ, 0, &ent) ==
               KRB5_KDB_NOENTRY);
    CHECK(krb5_db_put_principal(ctx, &sample_entry));
    /* Putting again will fail with LDAP (due to KADM5_PRINCIPAL in mask)
     * but succeed with DB2, so don't check the result. */
    (void)krb5_db_put_principal(ctx, &sample_entry);
    /* But it should succeed in both back ends with KADM5_LOAD in mask. */
    sample_entry.mask |= KADM5_LOAD;
    CHECK(krb5_db_put_principal(ctx, &sample_entry));
    sample_entry.mask &= ~KADM5_LOAD;
    /* Fetch and compare the added principal. */
    CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, &ent));
    check_entry(ent);

    /* We can't set up a successful allowed-to-delegate check through existing
     * APIs yet, but we can make a failed check. */
    CHECK_COND(krb5_db_check_allowed_to_delegate(ctx, &sample_princ, ent,
                                                 &sample_princ) != 0);

    /* Exercise lockout code. */
    /* Policy params: max_fail 2, failcnt_interval 60, lockout_duration 120 */
    /* Initial state: last_success 1, last_failed 5, fail_auth_count 2,
     * last admin unlock 6 */
    /* Check succeeds due to last admin unlock. */
    CHECK(krb5_db_check_policy_as(ctx, NULL, ent, ent, 7, &status, &e_data));
    /* Failure count resets to 1 due to last admin unlock. */
    sim_preauth(8, FALSE, &ent);
    CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 8);
    /* Failure count resets to 1 due to failcnt_interval */
    sim_preauth(70, FALSE, &ent);
    CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 70);
    /* Failure count resets to 0 due to successful preauth. */
    sim_preauth(75, TRUE, &ent);
    CHECK_COND(ent->fail_auth_count == 0 && ent->last_success == 75);
    /* Failure count increments to 2 and stops incrementing. */
    sim_preauth(80, FALSE, &ent);
    CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 80);
    sim_preauth(100, FALSE, &ent);
    CHECK_COND(ent->fail_auth_count == 2 && ent->last_failed == 100);
    sim_preauth(110, FALSE, &ent);
    CHECK_COND(ent->fail_auth_count == 2 && ent->last_failed == 100);
    /* Check fails due to reaching maximum failure count. */
    CHECK_COND(krb5_db_check_policy_as(ctx, NULL, ent, ent, 170, &status,
                                       &e_data) == KRB5KDC_ERR_CLIENT_REVOKED);
    /* Check succeeds after lockout_duration has passed. */
    CHECK(krb5_db_check_policy_as(ctx, NULL, ent, ent, 230, &status, &e_data));
    /* Failure count resets to 1 on next failure. */
    sim_preauth(240, FALSE, &ent);
    CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 240);

    /* Exercise LDAP code to clear a policy reference and to set the key
     * data on an existing principal. */
    CHECK(krb5_dbe_update_tl_data(ctx, ent, &tl_no_policy));
    ent->mask = KADM5_POLICY_CLR | KADM5_KEY_DATA;
    CHECK(krb5_db_put_principal(ctx, ent));
    CHECK(krb5_db_delete_policy(ctx, polname));

    /* Put the modified entry again (with KDB_TL_USER_INFO tl-data for LDAP) as
     * from a load operation. */
    ent->mask = (sample_entry.mask & ~KADM5_POLICY) | KADM5_LOAD;
    CHECK(krb5_db_put_principal(ctx, ent));

    /* Exercise LDAP code to create a new principal at a DN from
     * KDB_TL_USER_INFO tl-data. */
    CHECK(krb5_db_delete_principal(ctx, &sample_princ));
    CHECK(krb5_db_put_principal(ctx, ent));
    krb5_db_free_principal(ctx, ent);

    /* Exercise principal iteration code. */
    count = 0;
    CHECK(krb5_db_iterate(ctx, "xy*", iter_princ_handler, &count));
    CHECK_COND(count == 1);

    CHECK(krb5_db_fini(ctx));
    CHECK_COND(krb5_db_inited(ctx) != 0);

    /* It might be nice to exercise krb5_db_destroy here, but the LDAP module
     * doesn't support it. */

    krb5_free_default_realm(ctx, defrealm);
    krb5_free_context(ctx);
    return 0;
}