[Heimdal-source-changes] [heimdal/heimdal] a951e4: lib/kadm5: kadmin hook_libraries plugin interface

GitHub noreply at github.com
Wed Sep 26 21:52:17 CEST 2018


  Branch: refs/heads/jaltman/krb5-sync
  Home:   https://github.com/heimdal/heimdal
  Commit: a951e48e123dab1583ae711bb26ee612ba4409ad
      https://github.com/heimdal/heimdal/commit/a951e48e123dab1583ae711bb26ee612ba4409ad
  Author: Jeffrey Altman <jaltman at secure-endpoints.com>
  Date:   2018-09-26 (Wed, 26 Sep 2018)

  Changed paths:
    A lib/kadm5/kadm5-hook.h
    A lib/kadm5/server_hooks.c

  Log Message:
  -----------
  lib/kadm5: kadmin hook_libraries plugin interface

This change adds plugin support to the kadmin libraries for performing
actions before and after a password change is committed to the KDC database
and after a change is made to the attributes of a principal (specifically,
a change to DISALLOW_ALL_TIX).

This change adds a hook_libraries configuration option to the [kadmin]
section of krb5.conf (or kdc.conf if you use that file) that must be set
to load the module.  That configuration option is in the form:

    [kadmin]
      hook_libraries = /usr/local/lib/krb5/plugins/kadm5_hook/krb5_sync.so

where the value is the full path to the plugin that you want to load.  If
this option is not present, kadmind will not load a plugin and the changes
from the patch will be inactive.  If this option is given and the plugin
cannot be loaded, kadmind startup will abort with a (hopefully useful)
error message in syslog.

Any plugin used with this patch must expose a public struct named
kadm5_hook.  That struct must contain the following:

    typedef struct kadm5_hook {
        const char *name;
        int version;
        const char *vendor;
        krb5_error_code (*init)(krb5_context, void **);
        void (*fini)(krb5_context, void *);
        krb5_error_code (*chpass)(krb5_context, void *, enum kadm5_hook_stage,
                                  krb5_principal, const char *);
        krb5_error_code (*create)(krb5_context, void *, enum kadm5_hook_stage,
                                  kadm5_principal_ent_t, uint32_t mask,
                                  const char *password);
        krb5_error_code (*modify)(krb5_context, void *, enum kadm5_hook_stage,
                                  kadm5_principal_ent_t, uint32_t mask);
    } kadm5_hook;

where enum kadm5_hook_stage is:

    enum kadm5_hook_stage {
        KADM5_HOOK_STAGE_PRECOMMIT,
        KADM5_HOOK_STAGE_POSTCOMMIT
    };

init creates a hook context that is passed into all subsequent calls.
chpass is called for password changes, create is called for principal
creation (with the newly-created principal in the kadm5_principal_ent_t
argument), and modify is called when a principal is modified.

These functions should follow the normal Kerberos calling convention of
returning 0 on success and a Kerberos error code on failure, setting the
Kerberos error message in the provided context.

This change is submitted under the following license:

  Copyright 2012, 2013
    The Board of Trustees of the Leland Stanford Junior University

  Copying and distribution of this file, with or without modification, are
  permitted in any medium without royalty provided the copyright notice and
  this notice are preserved.  This file is offered as-is, without any
  warranty.

Change-Id: Iebf2c0ac5767f79fe72cc4a1c74521f3cb790d12
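As an added illustration of the interface described in the commit message above (this is example code, not part of the commit or of the krb5-sync plugin), the following is a minimal kadm5_hook plugin: at KADM5_HOOK_STAGE_PRECOMMIT it vetoes password changes that fail a length policy (so nothing reaches the KDC database), at KADM5_HOOK_STAGE_POSTCOMMIT it records the durable change (where a real plugin would propagate it), and in the modify hook it notices when a principal gains DISALLOW_ALL_TIX. The krb5/kadm5 type declarations marked "stand-in" are assumptions that only mimic the real headers closely enough to compile offline; a real plugin includes <krb5.h> and <kadm5/kadm5-hook.h> instead. The version value 0, the policy length, the error code HOOK_ERR_PASS_POLICY and the accessor functions hook_propagated/hook_lockouts are also mine, not the page's.

```c
/* Added example of a kadm5_hook plugin; not the commit's own code. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* ---- stand-in declarations (ASSUMED; replace with the real Heimdal headers) ---- */
typedef int32_t krb5_error_code;
typedef struct krb5_context_data *krb5_context;              /* opaque here */
struct krb5_principal_data { const char *name; const char *realm; };
typedef struct krb5_principal_data *krb5_principal;
struct kadm5_principal_ent_stub { krb5_principal principal; uint32_t attributes; };
typedef struct kadm5_principal_ent_stub *kadm5_principal_ent_t;
#define KADM5_ATTRIBUTES          0x000010   /* mask bit: attributes field changed */
#define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040 /* attribute bit: no tickets issued */
#define HOOK_ERR_PASS_POLICY      1          /* placeholder; a real plugin returns a
                                                kadm5 password-quality error code */

/* ---- the interface from the commit message ---- */
enum kadm5_hook_stage { KADM5_HOOK_STAGE_PRECOMMIT, KADM5_HOOK_STAGE_POSTCOMMIT };
struct kadm5_hook {
    const char *name;
    int version;
    const char *vendor;
    krb5_error_code (*init)(krb5_context, void **);
    void (*fini)(krb5_context, void *);
    krb5_error_code (*chpass)(krb5_context, void *, enum kadm5_hook_stage,
                              krb5_principal, const char *);
    krb5_error_code (*create)(krb5_context, void *, enum kadm5_hook_stage,
                              kadm5_principal_ent_t, uint32_t mask, const char *password);
    krb5_error_code (*modify)(krb5_context, void *, enum kadm5_hook_stage,
                              kadm5_principal_ent_t, uint32_t mask);
};

/* Hook context created by init() and passed into every later call. */
struct hook_ctx {
    size_t min_password_len;
    unsigned long propagated;   /* password changes seen at POSTCOMMIT */
    unsigned long lockouts;     /* principals that gained DISALLOW_ALL_TIX */
};

static krb5_error_code hook_init(krb5_context context, void **data)
{
    struct hook_ctx *c = calloc(1, sizeof(*c));
    (void)context;
    if (c == NULL)
        return ENOMEM;
    c->min_password_len = 12;   /* constructed policy value */
    *data = c;
    return 0;
}

static void hook_fini(krb5_context context, void *data)
{
    (void)context;
    free(data);
}

/* 0 = acceptable; HOOK_ERR_PASS_POLICY = veto the change. */
static krb5_error_code check_password(const struct hook_ctx *c, const char *password)
{
    if (password == NULL || strlen(password) < c->min_password_len)
        return HOOK_ERR_PASS_POLICY;
    return 0;
}

static krb5_error_code hook_chpass(krb5_context context, void *data,
                                   enum kadm5_hook_stage stage,
                                   krb5_principal princ, const char *password)
{
    struct hook_ctx *c = data;
    (void)context; (void)princ;
    /* PRECOMMIT: a non-zero return stops the change before the database is
     * touched; a real plugin would also call krb5_set_error_message(). */
    if (stage == KADM5_HOOK_STAGE_PRECOMMIT)
        return check_password(c, password);
    /* POSTCOMMIT: the change is durable, so propagation belongs here. */
    c->propagated++;
    return 0;
}

static krb5_error_code hook_create(krb5_context context, void *data,
                                   enum kadm5_hook_stage stage,
                                   kadm5_principal_ent_t ent, uint32_t mask,
                                   const char *password)
{
    (void)context; (void)ent; (void)mask;
    return stage == KADM5_HOOK_STAGE_PRECOMMIT ? check_password(data, password) : 0;
}

static krb5_error_code hook_modify(krb5_context context, void *data,
                                   enum kadm5_hook_stage stage,
                                   kadm5_principal_ent_t ent, uint32_t mask)
{
    struct hook_ctx *c = data;
    (void)context;
    /* Only count a lockout once it is actually committed. */
    if (stage == KADM5_HOOK_STAGE_POSTCOMMIT && (mask & KADM5_ATTRIBUTES) &&
        (ent->attributes & KRB5_KDB_DISALLOW_ALL_TIX))
        c->lockouts++;
    return 0;
}

/* Accessors (added for inspection; not part of the interface). */
unsigned long hook_propagated(void *data) { return ((struct hook_ctx *)data)->propagated; }
unsigned long hook_lockouts(void *data)   { return ((struct hook_ctx *)data)->lockouts; }

/* The public symbol kadmind resolves after dlopen()ing the hook library.
 * version 0 is an assumption; the commit message names no version constant. */
struct kadm5_hook kadm5_hook = {
    "example-hook", 0, "example vendor (added example)",
    hook_init, hook_fini, hook_chpass, hook_create, hook_modify
};
```

Loading this would follow the commit message exactly: build it as a shared object and point `hook_libraries` in the `[kadmin]` section at its full path. The split between the two stages is the security-relevant design point: anything that can refuse a change (policy, quality checks) must run at PRECOMMIT, while anything with external side effects (propagation to another directory) must wait for POSTCOMMIT so a later database failure cannot leave the two systems disagreeing.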
