SINGLE-VALUE)
+##### Policy attribute flags
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.2
+ NAME 'krbPwdAttributes'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket lifetime
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.3
+ NAME 'krbPwdMaxLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket renewable lifetime
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.4
+ NAME 'krbPwdMaxRenewableLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Allowed enctype:salttype combinations for key changes
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.2.840.113554.1.4.1.6.5
+ NAME 'krbPwdAllowedKeysalts'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE)
+
+
##### FDN pointing to a Kerberos Password Policy object
dn: cn=schema
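Review bot: The ldif side of this change adds the four new attribute types but, within this hunk, does not extend the `krbPwdPolicy` objectclass to allow them, whereas the companion kerberos.schema change does (its MAY list gains `krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts`). If the objectclass update is not in a later hunk of kerberos.ldif, a directory loaded from the ldif will reject policy entries carrying these attributes with an objectClassViolation, so the new policy fields would silently fail to store on that server type; please confirm the objectclass modify is present. I would also add, above the `krbPwdMaxLife` definition, `##### Maximum ticket lifetime for principals under this policy (not the password lifetime; see krbMaxPwdLife)` since the two names differ only by word order and mean different things.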
SINGLE-VALUE)
+##### Policy attribute flags
+
+attributetype ( 1.2.840.113554.1.4.1.6.2
+ NAME 'krbPwdAttributes'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket lifetime
+
+attributetype ( 1.2.840.113554.1.4.1.6.3
+ NAME 'krbPwdMaxLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket renewable lifetime
+
+attributetype ( 1.2.840.113554.1.4.1.6.4
+ NAME 'krbPwdMaxRenewableLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Allowed enctype:salttype combinations for key changes
+
+attributetype ( 1.2.840.113554.1.4.1.6.5
+ NAME 'krbPwdAllowedKeysalts'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE)
+
+
##### FDN pointing to a Kerberos Password Policy object
attributetype ( 2.16.840.1.113719.1.301.4.36.1
NAME 'krbPwdPolicy'
SUP top
MUST ( cn )
- MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration ) )
+ MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
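Review bot: The new attribute `krbPwdMaxLife` (and `krbPwdMaxRenewableLife`) sits in the same MAY list as the existing `krbMaxPwdLife`, and the two names are close enough that an administrator editing policy entries by hand can easily confuse a password-expiry interval with a ticket-lifetime cap; the one-line comments `##### Policy maximum ticket lifetime` do not call this out. I would reword those comments to `##### Maximum ticket lifetime applied to principals under this policy (ticket limit, not password expiry: see krbMaxPwdLife)` and likewise for the renewable-lifetime entry. For `krbPwdAllowedKeysalts`, the `caseIgnoreIA5Match` rule is presumably chosen because enctype and salttype names are matched case-insensitively by the parser; a short comment saying so (`##### ... compared case-insensitively, as krb5 parses enctype/salttype names`) would make that choice auditable rather than looking accidental.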
"krbpwdmindiffchars", "krbpwdminlength",
"krbpwdhistorylength", "krbpwdmaxfailure",
"krbpwdfailurecountinterval",
- "krbpwdlockoutduration", NULL };
+ "krbpwdlockoutduration",
+ "krbpwdattributes",
+ "krbpwdmaxlife",
+ "krbpwdmaxrenewablelife",
+ "krbpwdallowedkeysalts", NULL };
/* Fill in mods with LDAP operations for the fields of policy, using the
* modification type op. mods must be freed by the caller on error. */
int op)
{
krb5_error_code st;
+ char *strval[2] = { NULL };
st = krb5_add_int_mem_ldap_mod(mods, "krbmaxpwdlife", op,
(int)policy->pw_max_life);
if (st)
return st;
+ st = krb5_add_int_mem_ldap_mod(mods, "krbpwdattributes", op,
+ (int)policy->attributes);
+ if (st)
+ return st;
+
+ st = krb5_add_int_mem_ldap_mod(mods, "krbpwdmaxlife", op,
+ (int)policy->max_life);
+ if (st)
+ return st;
+
+ st = krb5_add_int_mem_ldap_mod(mods, "krbpwdmaxrenewablelife", op,
+ (int)policy->max_renewable_life);
+ if (st)
+ return st;
+
+ if (policy->allowed_keysalts != NULL) {
+ strval[0] = policy->allowed_keysalts;
+ st = krb5_add_str_mem_ldap_mod(mods, "krbpwdallowedkeysalts",
+ op, strval);
+ if (st)
+ return st;
+ }
+
+ /*
+ * Each policy tl-data type we add should be explicitly marshalled here.
+ * Unlike principals, we do not marshal unrecognized policy tl-data.
+ */
+
return 0;
}
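Review bot: When `policy->allowed_keysalts` is NULL the function emits no mod at all for `krbpwdallowedkeysalts`, so on the modify path a value previously stored in the directory entry survives and clearing the keysalt restriction from kadmin would not take effect in the LDAP backend; the three integer fields, by contrast, are always written and so do overwrite. The callers' `op` values are not visible here (the function's signature is above this hunk), so confirm which path uses a replace-type op; on that path an else branch should delete the attribute, e.g. `else if (op == LDAP_MOD_REPLACE) st = krb5_add_str_mem_ldap_mod(mods, "krbpwdallowedkeysalts", LDAP_MOD_DELETE, NULL);`, guarding against a noSuchAttribute result for entries that never had the attribute if the helper does not already tolerate it. A brief comment on the `strval[2] = { NULL }` declaration noting that the trailing NULL terminates the value list expected by `krb5_add_str_mem_ldap_mod` would also help the next reader.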
krb5_ldap_get_value(ld, ent, "krbpwdmaxfailure", &(pol_entry->pw_max_fail));
krb5_ldap_get_value(ld, ent, "krbpwdfailurecountinterval", &(pol_entry->pw_failcnt_interval));
krb5_ldap_get_value(ld, ent, "krbpwdlockoutduration", &(pol_entry->pw_lockout_duration));
+ krb5_ldap_get_value(ld, ent, "krbpwdattributes", &(pol_entry->attributes));
+ krb5_ldap_get_value(ld, ent, "krbpwdmaxlife", &(pol_entry->max_life));
+ krb5_ldap_get_value(ld, ent, "krbpwdmaxrenewablelife",
+ &(pol_entry->max_renewable_life));
+ st = krb5_ldap_get_string(ld, ent, "krbpwdallowedkeysalts",
+ &(pol_entry->allowed_keysalts), NULL);
+ if (st)
+ goto cleanup;
/*
* We don't store the policy refcnt, because principals might be maintained
* outside of kadmin. Instead, we will check for principal references when
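Review bot: The three new `krb5_ldap_get_value` calls, like the existing ones above them, discard their return status, so when an attribute is absent from the entry `attributes`, `max_life` and `max_renewable_life` are left at whatever the caller initialised them to; that is only correct if the entry is zero-filled before this point, which is outside the hunk (the function begins above it). I would state that contract where the entry is allocated, or add `/* Absent attributes leave the zero-initialised fields untouched. */` above the first new call. The `allowed_keysalts` string is copied straight out of the directory without being parsed here; since LDAP-backed policy data can be edited by directory administrators outside kadmin, a note on whether the consumer validates it (presumably via the keysalt-string parser at use time, to be confirmed) would make the trust boundary explicit.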