1/*
2 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
3 * Use is subject to license terms.
4 */
5
6#ifndef	__KADM5_ADMIN_H__
7#define	__KADM5_ADMIN_H__
8
9#pragma ident	"%Z%%M%	%I%	%E% SMI"
10
11#ifdef __cplusplus
12extern "C" {
13#endif
14
15/*
16 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
17 *
18 *	Openvision retains the copyright to derivative works of
19 *	this source code.  Do *NOT* create a derivative of this
20 *	source code before consulting with your legal department.
21 *	Do *NOT* integrate *ANY* of this source code into another
22 *	product before consulting with your legal department.
23 *
24 *	For further information, read the top-level Openvision
25 *	copyright which is contained in the top-level MIT Kerberos
26 *	copyright.
27 *
28 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
29 *
30 */
31/*
32 * lib/kadm5/admin.h
33 *
34 * Copyright 2001 by the Massachusetts Institute of Technology.
35 * All Rights Reserved.
36 *
37 * Export of this software from the United States of America may
38 *   require a specific license from the United States Government.
39 *   It is the responsibility of any person or organization contemplating
40 *   export to obtain such a license before exporting.
41 *
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission.  Furthermore if you modify this software you must label
50 * your software as modified software and not distribute it in such a
51 * fashion that it might be confused with the original M.I.T. software.
52 * M.I.T. makes no representations about the suitability of
53 * this software for any purpose.  It is provided "as is" without express
54 * or implied warranty.
55 *
56 */
57/*
58 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
59 *
60 * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin.h,v 1.54 2004/08/21 02:31:09 tlyu Exp $
61 */
62
63#include	<sys/types.h>
64#include	<rpc/types.h>
65#include	<rpc/rpc.h>
66#include	<krb5.h>
67#include	<k5-int.h>
68#include	<com_err.h>
69#include	<kadm5/kadm_err.h>
70#include	<kadm5/adb_err.h>
71#include	<kadm5/chpass_util_strings.h>
72
/*
 * Service principal names for the kadmin protocols.  The *_P variants
 * spell the same service with an '@' separator instead of '/'; which
 * syntax a given code path expects is not visible from this header, so
 * check the caller before substituting one form for the other.  The
 * *_HOST_SERVICE names are bare service components (no instance) and are
 * consumed by the kadm5_get_*_host_srv_name() helpers declared below.
 *
 * Least-privilege note (inferred from the names; verify against the
 * server's ACL handling): a client that only needs to change passwords
 * should authenticate to the changepw service rather than the admin
 * service, so a stolen client credential cannot be reused against the
 * full administrative interface.
 */
#define KADM5_ADMIN_SERVICE_P	"kadmin@admin"
#define KADM5_ADMIN_SERVICE	"kadmin/admin"
#define KADM5_CHANGEPW_SERVICE_P	"kadmin@changepw"
#define KADM5_CHANGEPW_SERVICE	"kadmin/changepw"
/* Presumably the principal whose key protects stored password history -- verify. */
#define KADM5_HIST_PRINCIPAL	"kadmin/history"
#define KADM5_ADMIN_HOST_SERVICE "kadmin"
#define KADM5_CHANGEPW_HOST_SERVICE "changepw"
#define KADM5_KIPROP_HOST_SERVICE "kiprop"
81
/* Basic handle and return types used throughout the kadm5 API. */
typedef krb5_principal	kadm5_princ_t;		/* plain alias; carries no ownership of its own */
typedef	char		*kadm5_policy_t;	/* policy name, NUL-terminated string */
typedef long		kadm5_ret_t;		/* KADM5_OK, or a com_err code from kadm_err.h / adb_err.h */
/*
 * NOTE(review): the C standard does not guarantee that int / unsigned int
 * are 32 bits wide; these typedefs rely on the platform ABI.  krb5_int32
 * (from <k5-int.h>, already included) is the portable spelling if this
 * is ever revisited.
 */
typedef int rpc_int32;
typedef unsigned int rpc_u_int32;

/*
 * Prompt strings for interactive password changes.  They are looked up
 * through com_err's error_message() from the chpass_util message table
 * (chpass_util_strings.h) rather than being hard-coded here.
 */
#define KADM5_PW_FIRST_PROMPT \
	(error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define KADM5_PW_SECOND_PROMPT \
	(error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))

/*
 * Successful return code: the zero kadm5_ret_t value callers compare
 * against.  Anything non-zero is an error code.
 */
#define KADM5_OK	0
97
98/*
99 * Field masks
100 */
101
/*
 * kadm5_principal_ent_t field masks.  Each bit names one member of
 * kadm5_principal_ent_rec; a caller ORs together the bits for the
 * members it has filled in (create/modify) or wants returned (get).
 */
#define KADM5_PRINCIPAL		0x000001
#define KADM5_PRINC_EXPIRE_TIME	0x000002
#define KADM5_PW_EXPIRATION	0x000004
#define KADM5_LAST_PWD_CHANGE	0x000008
#define KADM5_ATTRIBUTES	0x000010
#define KADM5_MAX_LIFE		0x000020
#define KADM5_MOD_TIME		0x000040
#define KADM5_MOD_NAME		0x000080
#define KADM5_KVNO		0x000100
#define KADM5_MKVNO		0x000200
#define KADM5_AUX_ATTRIBUTES	0x000400
#define KADM5_POLICY		0x000800
#define KADM5_POLICY_CLR	0x001000
/* version 2 masks -- only meaningful with the version-2 struct layout */
#define KADM5_MAX_RLIFE		0x002000
#define KADM5_LAST_SUCCESS	0x004000
#define KADM5_LAST_FAILED	0x008000
#define KADM5_FAIL_AUTH_COUNT	0x010000
#define KADM5_KEY_DATA		0x020000
#define KADM5_TL_DATA		0x040000
/*
 * All but KEY_DATA and TL_DATA: 0x01ffff is every bit from KADM5_PRINCIPAL
 * (0x000001) through KADM5_FAIL_AUTH_COUNT (0x010000) inclusive.  Prefer
 * this for ordinary lookups so that key material (KADM5_KEY_DATA) is not
 * handed to callers that have no need for it.
 */
#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff

/*
 * kadm5_policy_ent_t field masks.  These reuse the numeric values of the
 * principal masks above (KADM5_PW_MAX_LIFE == KADM5_LAST_SUCCESS ==
 * 0x004000, KADM5_PW_MIN_CLASSES == KADM5_KEY_DATA == 0x020000, ...), so
 * a mask value is only meaningful together with the struct it
 * accompanies.  Never pass a policy mask to a principal routine or
 * vice versa; the bits will silently mean something else.
 */
#define KADM5_PW_MAX_LIFE	0x004000
#define KADM5_PW_MIN_LIFE	0x008000
#define KADM5_PW_MIN_LENGTH	0x010000
#define KADM5_PW_MIN_CLASSES	0x020000
#define KADM5_PW_HISTORY_NUM	0x040000
#define KADM5_REF_COUNT		0x080000
133
/*
 * kadm5_config_params.mask bits.  Each bit marks one member of
 * kadm5_config_params (declared below) as set; member names follow the
 * macro names (e.g. KADM5_CONFIG_ADBNAME -> admin_dbname,
 * KADM5_CONFIG_ADB_LOCKFILE -> admin_lockfile, KADM5_CONFIG_ENCTYPES ->
 * presumably keysalts/num_keysalts).  The mask member is a long; the 25
 * bits used here fit wherever long is at least 32 bits wide.
 */
#define KADM5_CONFIG_REALM		0x0000001
#define KADM5_CONFIG_DBNAME		0x0000002
#define KADM5_CONFIG_MKEY_NAME		0x0000004
#define KADM5_CONFIG_MAX_LIFE		0x0000008
#define KADM5_CONFIG_MAX_RLIFE		0x0000010
#define KADM5_CONFIG_EXPIRATION		0x0000020
#define KADM5_CONFIG_FLAGS		0x0000040
#define KADM5_CONFIG_ADMIN_KEYTAB	0x0000080
#define KADM5_CONFIG_STASH_FILE		0x0000100
#define KADM5_CONFIG_ENCTYPE		0x0000200
#define KADM5_CONFIG_ADBNAME		0x0000400
#define KADM5_CONFIG_ADB_LOCKFILE	0x0000800
#define KADM5_CONFIG_PROFILE		0x0001000
#define KADM5_CONFIG_ACL_FILE		0x0002000
#define KADM5_CONFIG_KADMIND_PORT	0x0004000
#define KADM5_CONFIG_ENCTYPES		0x0008000
#define KADM5_CONFIG_ADMIN_SERVER	0x0010000
#define KADM5_CONFIG_DICT_FILE		0x0020000
#define KADM5_CONFIG_MKEY_FROM_KBD	0x0040000
#define KADM5_CONFIG_KPASSWD_PORT	0x0080000
#define KADM5_CONFIG_KPASSWD_SERVER	0x0100000
#define	KADM5_CONFIG_KPASSWD_PROTOCOL	0x0200000
/* incremental-propagation (iprop) settings; see the iprop_* members */
#define	KADM5_CONFIG_IPROP_ENABLED	0x0400000
#define	KADM5_CONFIG_ULOG_SIZE		0x0800000
#define	KADM5_CONFIG_POLL_TIME		0x1000000
160
/*
 * Password change result codes.  Values 0-7 match the result codes of
 * the kpasswd/changepw protocol (RFC 3244); 8-10 look like local
 * extensions -- confirm against the wire encoder before relying on them
 * with non-MIT peers.  On the client side these values arrive from the
 * network: handle them with a default case and treat anything unknown
 * as a failure, never as success.
 */
#define	KRB5_KPASSWD_SUCCESS		0
#define	KRB5_KPASSWD_MALFORMED		1
#define	KRB5_KPASSWD_HARDERROR		2
#define	KRB5_KPASSWD_AUTHERROR		3
#define	KRB5_KPASSWD_SOFTERROR		4
#define	KRB5_KPASSWD_ACCESSDENIED	5
#define	KRB5_KPASSWD_BAD_VERSION	6
#define	KRB5_KPASSWD_INITIAL_FLAG_NEEDED	7
#define	KRB5_KPASSWD_POLICY_REJECT	8
#define	KRB5_KPASSWD_BAD_PRINCIPAL	9
#define	KRB5_KPASSWD_ETYPE_NOSUPP	10
173
/*
 * permission bits, as reported through kadm5_get_privs().  They describe
 * the rights the *caller* holds on the server and are not a field mask;
 * do not mix them with the KADM5_* struct masks above.
 */
#define KADM5_PRIV_GET		0x01
#define KADM5_PRIV_ADD		0x02
#define KADM5_PRIV_MODIFY	0x04
#define KADM5_PRIV_DELETE	0x08

/*
 * API versioning constants.  struct_version and api_version are passed
 * to the kadm5_init*() family as krb5_ui_4.  The high 24 bits
 * (KADM5_MASK_BITS) hold a fixed magic and the low byte the version
 * number, so an arbitrary value is unlikely to be mistaken for a valid
 * version (inferred from the layout; verify the check in the init
 * routines).
 */
#define KADM5_MASK_BITS		0xffffff00

#define KADM5_STRUCT_VERSION_MASK	0x12345600
#define KADM5_STRUCT_VERSION_1	(KADM5_STRUCT_VERSION_MASK|0x01)
#define KADM5_STRUCT_VERSION	KADM5_STRUCT_VERSION_1

#define KADM5_API_VERSION_MASK	0x12345700
#define KADM5_API_VERSION_1	(KADM5_API_VERSION_MASK|0x01)
#define KADM5_API_VERSION_2	(KADM5_API_VERSION_MASK|0x02)

#ifdef KRB5_DNS_LOOKUP
/*
 * Name length constants for DNS lookups.  MAX_DNS_NAMELEN evaluates to
 * 15*257+1 = 3856.  These only size buffers; every write into such a
 * buffer still needs its own explicit bound.
 */
#define	MAX_HOST_NAMELEN 256
#define	MAX_DNS_NAMELEN (15*(MAX_HOST_NAMELEN + 1)+1)
#endif /* KRB5_DNS_LOOKUP */
202
/*
 * Principal entry, API version 2 layout.  The first twelve members are
 * laid out identically to the version-1 struct below; the version-2
 * members follow them.  Which members hold valid data is given by the
 * companion mask (KADM5_* bits).  Release with kadm5_free_principal_ent().
 */
typedef struct _kadm5_principal_ent_t_v2 {
	krb5_principal	principal;		/* KADM5_PRINCIPAL */
	krb5_timestamp	princ_expire_time;	/* KADM5_PRINC_EXPIRE_TIME */
	krb5_timestamp	last_pwd_change;	/* KADM5_LAST_PWD_CHANGE */
	krb5_timestamp	pw_expiration;		/* KADM5_PW_EXPIRATION */
	krb5_deltat	max_life;		/* KADM5_MAX_LIFE */
	krb5_principal	mod_name;		/* KADM5_MOD_NAME (by name: last modifier) */
	krb5_timestamp	mod_date;		/* KADM5_MOD_TIME */
	krb5_flags	attributes;		/* KADM5_ATTRIBUTES */
	krb5_kvno	kvno;			/* KADM5_KVNO */
	krb5_kvno	mkvno;			/* KADM5_MKVNO */
	char		*policy;		/* KADM5_POLICY: policy name string */
	long		aux_attributes;		/* KADM5_AUX_ATTRIBUTES */

	/* version 2 fields */
	krb5_deltat max_renewable_life;		/* KADM5_MAX_RLIFE */
        krb5_timestamp last_success;		/* KADM5_LAST_SUCCESS */
        krb5_timestamp last_failed;		/* KADM5_LAST_FAILED */
        krb5_kvno fail_auth_count;		/* KADM5_FAIL_AUTH_COUNT (typed as a kvno, not a plain counter) */
	/*
	 * Element counts are 16-bit.  Code that fills them from external
	 * data (RPC, database) must range-check before narrowing.
	 */
	krb5_int16 n_key_data;
	krb5_int16 n_tl_data;
        krb5_tl_data *tl_data;			/* KADM5_TL_DATA: presumably n_tl_data entries */
	/*
	 * KADM5_KEY_DATA: presumably n_key_data entries of key material.
	 * Request it only when needed and release it promptly
	 * (see kadm5_free_key_data()).
	 */
	krb5_key_data *key_data;
} kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;
227
/*
 * Principal entry, API version 1 layout.  This is exactly the leading
 * twelve members of the version-2 struct above, so a v1 record is a
 * prefix of a v2 record; the version-2 members (renewable life, auth
 * history, key and tl data) are not available through this layout.
 */
typedef struct _kadm5_principal_ent_t_v1 {
	krb5_principal	principal;
	krb5_timestamp	princ_expire_time;
	krb5_timestamp	last_pwd_change;
	krb5_timestamp	pw_expiration;
	krb5_deltat	max_life;
	krb5_principal	mod_name;
	krb5_timestamp	mod_date;
	krb5_flags	attributes;
	krb5_kvno	kvno;
	krb5_kvno	mkvno;
	char		*policy;
	long		aux_attributes;
} kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;

/*
 * Select the layout behind the generic kadm5_principal_ent_t name.  If
 * USE_KADM5_API_VERSION is not defined at all, the preprocessor evaluates
 * it as 0 in #if, so the version-2 layout is the default.  The value must
 * match the api_version passed to kadm5_init*(); a mismatch changes the
 * struct size and the meaning of kadm5_get_principal()'s third argument.
 */
#if USE_KADM5_API_VERSION == 1
typedef struct _kadm5_principal_ent_t_v1
     kadm5_principal_ent_rec, *kadm5_principal_ent_t;
#else
typedef struct _kadm5_principal_ent_t_v2
     kadm5_principal_ent_rec, *kadm5_principal_ent_t;
#endif
250
/*
 * Password policy entry.  Valid members are selected by the KADM5_PW_*
 * / KADM5_REF_COUNT mask bits.  Release with kadm5_free_policy_ent().
 */
typedef struct _kadm5_policy_ent_t {
	char		*policy;		/* policy name */
	long		pw_min_life;		/* KADM5_PW_MIN_LIFE */
	long		pw_max_life;		/* KADM5_PW_MAX_LIFE */
	long		pw_min_length;		/* KADM5_PW_MIN_LENGTH */
	long		pw_min_classes;		/* KADM5_PW_MIN_CLASSES */
	long		pw_history_num;		/* KADM5_PW_HISTORY_NUM */
	long		policy_refcnt;		/* KADM5_REF_COUNT: principals referencing this policy (by name) */
} kadm5_policy_ent_rec, *kadm5_policy_ent_t;

/*
 * Encryption-type / salt-type pair.  Arrays of these (with an explicit
 * count) tell the *_3 key routines which key types to generate.
 */
typedef struct __krb5_key_salt_tuple {
     krb5_enctype	ks_enctype;
     krb5_int32		ks_salttype;
} krb5_key_salt_tuple;

/*
 * New types to indicate which protocol to use when sending
 * password change requests.  Selected through
 * kadm5_config_params.kpasswd_protocol (KADM5_CONFIG_KPASSWD_PROTOCOL).
 */
typedef enum {
	KRB5_CHGPWD_RPCSEC,
	KRB5_CHGPWD_CHANGEPW_V2
} krb5_chgpwd_prot;
274
/*
 * Data structure returned by kadm5_get_config_params().  `mask' holds the
 * KADM5_CONFIG_* bits for the members that are set; read only members
 * whose bit is present.  Several members are paths to sensitive files
 * (master-key stash, admin keytab, ACL file, dictionary); the library
 * opens them as the calling process, so their permissions matter.
 * Release with kadm5_free_config_params().
 */
typedef struct _kadm5_config_params {
     long		mask;		/* KADM5_CONFIG_* bits */
     char *		realm;		/* KADM5_CONFIG_REALM */
     char *		profile;	/* KADM5_CONFIG_PROFILE */
     int		kadmind_port;	/* KADM5_CONFIG_KADMIND_PORT */
     int		kpasswd_port;	/* KADM5_CONFIG_KPASSWD_PORT */

     char *		admin_server;	/* KADM5_CONFIG_ADMIN_SERVER */

     char *		dbname;		/* KADM5_CONFIG_DBNAME */
     char *		admin_dbname;	/* KADM5_CONFIG_ADBNAME */
     char *		admin_lockfile;	/* KADM5_CONFIG_ADB_LOCKFILE */
     char *		admin_keytab;	/* KADM5_CONFIG_ADMIN_KEYTAB: holds service keys */
     char *		acl_file;	/* KADM5_CONFIG_ACL_FILE: authorization data */
     char *		dict_file;	/* KADM5_CONFIG_DICT_FILE */

     int		mkey_from_kbd;	/* KADM5_CONFIG_MKEY_FROM_KBD (flag, by name) */
     char *		stash_file;	/* KADM5_CONFIG_STASH_FILE: presumably the master key stash -- protect tightly */
     char *		mkey_name;	/* KADM5_CONFIG_MKEY_NAME */
     krb5_enctype	enctype;	/* KADM5_CONFIG_ENCTYPE */
     krb5_deltat	max_life;	/* KADM5_CONFIG_MAX_LIFE */
     krb5_deltat	max_rlife;	/* KADM5_CONFIG_MAX_RLIFE */
     krb5_timestamp	expiration;	/* KADM5_CONFIG_EXPIRATION */
     krb5_flags		flags;		/* KADM5_CONFIG_FLAGS */
     krb5_key_salt_tuple *keysalts;	/* KADM5_CONFIG_ENCTYPES (presumed): num_keysalts entries */
     krb5_int32		num_keysalts;
     char 			*kpasswd_server;	/* KADM5_CONFIG_KPASSWD_SERVER */

     krb5_chgpwd_prot	kpasswd_protocol;	/* KADM5_CONFIG_KPASSWD_PROTOCOL */
     bool_t			iprop_enabled;	/* KADM5_CONFIG_IPROP_ENABLED (bool_t from <rpc/types.h>) */
     int			iprop_ulogsize;	/* KADM5_CONFIG_ULOG_SIZE */
     char			*iprop_polltime;	/* KADM5_CONFIG_POLL_TIME: note this is a string, not a number */
} kadm5_config_params;
311
/***********************************************************************
 * This is the old krb5_realm_read_params, which I mutated into
 * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
 * still uses.
 ***********************************************************************/

/*
 * Data structure returned by krb5_read_realm_params().  Unlike
 * kadm5_config_params there is no mask member; instead each scalar that
 * has no natural "unset" value carries its own *_valid bit-field below.
 * String members are simply NULL when absent (inferred; verify in the
 * reader).  Note that realm_kdc_ports / realm_kdc_tcp_ports are kept as
 * strings, not parsed port numbers.
 */
typedef struct __krb5_realm_params {
    char *		realm_profile;
    char *		realm_dbname;
    char *		realm_mkey_name;
    char *		realm_stash_file;	/* presumably the master key stash -- sensitive path */
    char *		realm_kdc_ports;
    char *		realm_kdc_tcp_ports;
    char *		realm_acl_file;
    krb5_int32		realm_kadmind_port;	/* valid iff realm_kadmind_port_valid */
    krb5_enctype	realm_enctype;		/* valid iff realm_enctype_valid */
    krb5_deltat		realm_max_life;		/* valid iff realm_max_life_valid */
    krb5_deltat		realm_max_rlife;	/* valid iff realm_max_rlife_valid */
    krb5_timestamp	realm_expiration;	/* valid iff realm_expiration_valid */
    krb5_flags		realm_flags;		/* valid iff realm_flags_valid */
    krb5_key_salt_tuple	*realm_keysalts;	/* realm_num_keysalts entries */
    unsigned int	realm_reject_bad_transit:1;	/* itself a flag; valid iff the *_valid bit below */
    unsigned int	realm_kadmind_port_valid:1;
    unsigned int	realm_enctype_valid:1;
    unsigned int	realm_max_life_valid:1;
    unsigned int	realm_max_rlife_valid:1;
    unsigned int	realm_expiration_valid:1;
    unsigned int	realm_flags_valid:1;
    unsigned int	realm_reject_bad_transit_valid:1;
    krb5_int32		realm_num_keysalts;
} krb5_realm_params;
346
/*
 * functions
 */

/*
 * Build the host-based admin / changepw service name for `realm' into
 * *host_service_name.  The result is allocated by the library (it is
 * returned through a char **); who frees it is not visible here --
 * confirm with the implementation before assuming free().
 */
kadm5_ret_t
kadm5_get_adm_host_srv_name(krb5_context context,
                           const char *realm, char **host_service_name);

kadm5_ret_t
kadm5_get_cpw_host_srv_name(krb5_context context,
                           const char *realm, char **host_service_name);

#if USE_KADM5_API_VERSION > 1
/*
 * Read configuration into *params_out, starting from the values the
 * caller already set in *params_in (by name; which of the two takes
 * precedence is decided in the implementation).  kdcprofile / kdcenv
 * name the profile file and environment variable to consult.
 */
krb5_error_code kadm5_get_config_params(krb5_context context,
					char *kdcprofile, char *kdcenv,
					kadm5_config_params *params_in,
					kadm5_config_params *params_out);

/* Release everything kadm5_get_config_params() allocated in *params. */
krb5_error_code kadm5_free_config_params(krb5_context context,
					 kadm5_config_params *params);

/*
 * Despite the name this takes a kadm5_config_params, not a
 * krb5_realm_params; the realm_params struct has no free routine
 * declared in this header.
 */
krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
					kadm5_config_params *params);

/*
 * Parameters are unnamed in this prototype.  From the types: a context,
 * two strings and a size_t -- the size_t is presumably the capacity of
 * the output buffer; verify against the definition before calling.
 */
krb5_error_code kadm5_get_admin_service_name(krb5_context, char *,
					     char *, size_t);
#endif
374
/*
 * Open an administrative session as `client_name' to `service_name'
 * (KADM5_ADMIN_SERVICE or KADM5_CHANGEPW_SERVICE above) and return an
 * opaque handle in *server_handle; close it with kadm5_destroy().
 * struct_version / api_version take the KADM5_STRUCT_VERSION /
 * KADM5_API_VERSION_* constants and must agree with the layout this
 * translation unit was compiled against (USE_KADM5_API_VERSION).
 *
 * `pass' is a cleartext password.  The library does not take ownership
 * of it; callers should scrub their copy (explicit_bzero or equivalent)
 * once the call returns, whether or not it succeeded.
 */
kadm5_ret_t    kadm5_init(char *client_name, char *pass,
			  char *service_name,
#if USE_KADM5_API_VERSION == 1
			  char *realm,
#else
			  kadm5_config_params *params,
#endif
			  krb5_ui_4 struct_version,
			  krb5_ui_4 api_version,
			  void **server_handle);
/* Same as kadm5_init(); the password variant under an explicit name. */
kadm5_ret_t    kadm5_init_with_password(char *client_name,
					char *pass,
					char *service_name,
#if USE_KADM5_API_VERSION == 1
					char *realm,
#else
					kadm5_config_params *params,
#endif
					krb5_ui_4 struct_version,
					krb5_ui_4 api_version,
					void **server_handle);
/*
 * Authenticate with a key from `keytab' (a keytab name/path, not key
 * bytes) instead of a password.
 */
kadm5_ret_t    kadm5_init_with_skey(char *client_name,
				    char *keytab,
				    char *service_name,
#if USE_KADM5_API_VERSION == 1
				    char *realm,
#else
				    kadm5_config_params *params,
#endif
				    krb5_ui_4 struct_version,
				    krb5_ui_4 api_version,
				    void **server_handle);
#if USE_KADM5_API_VERSION > 1
/* Authenticate with credentials already present in the ccache `cc'. */
kadm5_ret_t    kadm5_init_with_creds(char *client_name,
				     krb5_ccache cc,
				     char *service_name,
				     kadm5_config_params *params,
				     krb5_ui_4 struct_version,
				     krb5_ui_4 api_version,
				     void **server_handle);
#endif
/* Session-level operations on a handle obtained from kadm5_init*(). */
kadm5_ret_t    kadm5_lock(void *server_handle);
kadm5_ret_t    kadm5_unlock(void *server_handle);
kadm5_ret_t    kadm5_flush(void *server_handle);
/* Tear down the session; the handle must not be used afterwards. */
kadm5_ret_t    kadm5_destroy(void *server_handle);
/*
 * Create `ent' with the members selected by `mask' and the cleartext
 * password `pass'.  Scrub the caller's copy of `pass' afterwards.
 */
kadm5_ret_t    kadm5_create_principal(void *server_handle,
				      kadm5_principal_ent_t ent,
				      long mask, char *pass);
/*
 * As kadm5_create_principal(), but generating exactly the n_ks_tuple
 * enctype/salt combinations listed in ks_tuple instead of a default set.
 */
kadm5_ret_t    kadm5_create_principal_3(void *server_handle,
					kadm5_principal_ent_t ent,
					long mask,
					int n_ks_tuple,
					krb5_key_salt_tuple *ks_tuple,
					char *pass);
kadm5_ret_t    kadm5_delete_principal(void *server_handle,
				      krb5_principal principal);
/* Update the members of `ent' selected by `mask'. */
kadm5_ret_t    kadm5_modify_principal(void *server_handle,
				      kadm5_principal_ent_t ent,
				      long mask);
/* Parameters are unnamed here: (handle, old name, new name) by position. */
kadm5_ret_t    kadm5_rename_principal(void *server_handle,
				      krb5_principal,krb5_principal);
#if USE_KADM5_API_VERSION == 1
/* v1: the library allocates the entry and returns it through *ent. */
kadm5_ret_t    kadm5_get_principal(void *server_handle,
				   krb5_principal principal,
				   kadm5_principal_ent_t *ent);
#else
/*
 * v2: the caller supplies the entry and `mask' selects which members to
 * fill.  Use KADM5_PRINCIPAL_NORMAL_MASK unless KADM5_KEY_DATA /
 * KADM5_TL_DATA are genuinely required.
 */
kadm5_ret_t    kadm5_get_principal(void *server_handle,
				   krb5_principal principal,
				   kadm5_principal_ent_t ent,
				   long mask);
#endif
/*
 * Set a new cleartext password for `principal'.  Scrub the caller's copy
 * of `pass' after the call.
 */
kadm5_ret_t    kadm5_chpass_principal(void *server_handle,
				      krb5_principal principal,
				      char *pass);
/*
 * As above with explicit enctype/salt selection; `keepold' requests that
 * the previous keys be retained alongside the new ones (by name).
 */
kadm5_ret_t    kadm5_chpass_principal_3(void *server_handle,
					krb5_principal principal,
					krb5_boolean keepold,
					int n_ks_tuple,
					krb5_key_salt_tuple *ks_tuple,
					char *pass);
#if USE_KADM5_API_VERSION == 1
/*
 * v1: assign a random key and return it through *keyblock.  The returned
 * keyblock is live key material: release it with the krb5 keyblock free
 * routine and do not let it linger in memory.
 */
kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
				       krb5_principal principal,
				       krb5_keyblock **keyblock);
#else

/*
 * Solaris Kerberos:
 * this routine is only implemented in the client library.
 */
kadm5_ret_t    kadm5_randkey_principal_old(void *server_handle,
				    krb5_principal principal,
				    krb5_keyblock **keyblocks,
				    int *n_keys);

/*
 * v2: assign random keys and return the *n_keys new keyblocks through
 * *keyblocks.  As with v1, the result is key material; free and scrub it
 * as soon as it has been used.
 */
kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
				       krb5_principal principal,
				       krb5_keyblock **keyblocks,
				       int *n_keys);
kadm5_ret_t    kadm5_randkey_principal_3(void *server_handle,
					 krb5_principal principal,
					 krb5_boolean keepold,
					 int n_ks_tuple,
					 krb5_key_salt_tuple *ks_tuple,
					 krb5_keyblock **keyblocks,
					 int *n_keys);
#endif
/*
 * Install a caller-supplied key.  The "v4" in the name suggests a
 * Kerberos 4 style single key -- treat as legacy; verify before use.
 */
kadm5_ret_t    kadm5_setv4key_principal(void *server_handle,
					krb5_principal principal,
					krb5_keyblock *keyblock);

/* Install n_keys caller-supplied keyblocks as the principal's keys. */
kadm5_ret_t    kadm5_setkey_principal(void *server_handle,
				      krb5_principal principal,
				      krb5_keyblock *keyblocks,
				      int n_keys);

kadm5_ret_t    kadm5_setkey_principal_3(void *server_handle,
					krb5_principal principal,
					krb5_boolean keepold,
					int n_ks_tuple,
					krb5_key_salt_tuple *ks_tuple,
					krb5_keyblock *keyblocks,
					int n_keys);

/*
 * Decrypt one of `entry's stored keys (selected by enctype `ktype', salt
 * type `stype' and `kvno') into *keyblock, with its salt in *keysalt and
 * the matched kvno in *kvnop.  The output is a cleartext key: scrub it
 * when done.  Requires that `entry' was fetched with KADM5_KEY_DATA.
 */
kadm5_ret_t    kadm5_decrypt_key(void *server_handle,
				 kadm5_principal_ent_t entry, krb5_int32
				 ktype, krb5_int32 stype, krb5_int32
				 kvno, krb5_keyblock *keyblock,
				 krb5_keysalt *keysalt, int *kvnop);
504
/* Create the policy described by `ent', members selected by `mask'. */
kadm5_ret_t    kadm5_create_policy(void *server_handle,
				   kadm5_policy_ent_t ent,
				   long mask);
/*
 * kadm5_create_policy_internal is not part of the supported,
 * exposed API.  It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_create_policy.
 */
kadm5_ret_t    kadm5_create_policy_internal(void *server_handle,
					    kadm5_policy_ent_t
					    entry, long mask);
kadm5_ret_t    kadm5_delete_policy(void *server_handle,
				   kadm5_policy_t policy);
kadm5_ret_t    kadm5_modify_policy(void *server_handle,
				   kadm5_policy_ent_t ent,
				   long mask);
/*
 * kadm5_modify_policy_internal is not part of the supported,
 * exposed API.  It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_modify_policy.
 */
kadm5_ret_t    kadm5_modify_policy_internal(void *server_handle,
					    kadm5_policy_ent_t
					    entry, long mask);
#if USE_KADM5_API_VERSION == 1
/* v1: the library allocates the entry and returns it through *ent. */
kadm5_ret_t    kadm5_get_policy(void *server_handle,
				kadm5_policy_t policy,
				kadm5_policy_ent_t *ent);
#else
/* v2: the caller supplies the entry to fill. */
kadm5_ret_t    kadm5_get_policy(void *server_handle,
				kadm5_policy_t policy,
				kadm5_policy_ent_t ent);
#endif
/* Report the caller's rights on the server as KADM5_PRIV_* bits in *privs. */
kadm5_ret_t    kadm5_get_privs(void *server_handle,
			       long *privs);

/*
 * Convenience password change.  Supply `new_pw' or NULL (by name: the
 * routine may prompt and hand back the password through *ret_pw --
 * verify).  Any status text is written into msg_ret, bounded by
 * msg_len; always pass the true capacity of msg_ret.
 */
kadm5_ret_t    kadm5_chpass_principal_util(void *server_handle,
					   krb5_principal princ,
					   char *new_pw,
					   char **ret_pw,
					   char *msg_ret,
					   unsigned int msg_len);
549
/*
 * Release routines.  Entries, key data and name lists handed out by the
 * library must be returned through these, not free()d directly, since
 * the allocation scheme is internal to the library.
 */
kadm5_ret_t    kadm5_free_principal_ent(void *server_handle,
					kadm5_principal_ent_t
					ent);
kadm5_ret_t    kadm5_free_policy_ent(void *server_handle,
				     kadm5_policy_ent_t ent);

/*
 * List principal names matching `exp' (presumably a glob-style pattern;
 * the syntax is not defined here).  *princs receives *count strings;
 * release with kadm5_free_name_list().
 */
kadm5_ret_t    kadm5_get_principals(void *server_handle,
				    char *exp, char ***princs,
				    int *count);

kadm5_ret_t    kadm5_get_policies(void *server_handle,
				  char *exp, char ***pols,
				  int *count);

#if USE_KADM5_API_VERSION > 1
/*
 * Release *n_key_data entries of key material obtained with
 * KADM5_KEY_DATA.  Key bytes should not outlive their use.
 */
kadm5_ret_t    kadm5_free_key_data(void *server_handle,
				   krb5_int16 *n_key_data,
				   krb5_key_data *key_data);
#endif

kadm5_ret_t    kadm5_free_name_list(void *server_handle, char **names,
				    int count);
572
573#if USE_KADM5_API_VERSION == 1
574/*
575 * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time
576 * compatible with KADM5_API_VERSION_2.  Basically, this means we have
577 * to continue to provide all the old ovsec_kadm function and symbol
578 * names.
579 */
580
581#define OVSEC_KADM_ACLFILE		"/krb5/ovsec_adm.acl"
582#define	OVSEC_KADM_WORDFILE		"/krb5/ovsec_adm.dict"
583
584#define OVSEC_KADM_ADMIN_SERVICE	"ovsec_adm/admin"
585#define OVSEC_KADM_CHANGEPW_SERVICE	"ovsec_adm/changepw"
586#define OVSEC_KADM_HIST_PRINCIPAL	"ovsec_adm/history"
587
588typedef krb5_principal	ovsec_kadm_princ_t;
589typedef krb5_keyblock	ovsec_kadm_keyblock;
590typedef	char		*ovsec_kadm_policy_t;
591typedef long		ovsec_kadm_ret_t;
592
593enum	ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL };
594enum	ovsec_kadm_saltmod  { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL };
595
596#define OVSEC_KADM_PW_FIRST_PROMPT \
597	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
598#define OVSEC_KADM_PW_SECOND_PROMPT \
599	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
600
601/*
602 * Successful return code
603 */
604#define OVSEC_KADM_OK	0
605
606/*
607 * Create/Modify masks
608 */
609/* principal */
610#define OVSEC_KADM_PRINCIPAL		0x000001
611#define OVSEC_KADM_PRINC_EXPIRE_TIME	0x000002
612#define OVSEC_KADM_PW_EXPIRATION	0x000004
613#define OVSEC_KADM_LAST_PWD_CHANGE	0x000008
614#define OVSEC_KADM_ATTRIBUTES		0x000010
615#define OVSEC_KADM_MAX_LIFE		0x000020
616#define OVSEC_KADM_MOD_TIME		0x000040
617#define OVSEC_KADM_MOD_NAME		0x000080
618#define OVSEC_KADM_KVNO			0x000100
619#define OVSEC_KADM_MKVNO		0x000200
620#define OVSEC_KADM_AUX_ATTRIBUTES	0x000400
621#define OVSEC_KADM_POLICY		0x000800
622#define OVSEC_KADM_POLICY_CLR		0x001000
623/* policy */
624#define OVSEC_KADM_PW_MAX_LIFE		0x004000
625#define OVSEC_KADM_PW_MIN_LIFE		0x008000
626#define OVSEC_KADM_PW_MIN_LENGTH	0x010000
627#define OVSEC_KADM_PW_MIN_CLASSES	0x020000
628#define OVSEC_KADM_PW_HISTORY_NUM	0x040000
629#define OVSEC_KADM_REF_COUNT		0x080000
630
631/*
632 * permission bits
633 */
634#define OVSEC_KADM_PRIV_GET	0x01
635#define OVSEC_KADM_PRIV_ADD	0x02
636#define OVSEC_KADM_PRIV_MODIFY	0x04
637#define OVSEC_KADM_PRIV_DELETE	0x08
638
639/*
640 * API versioning constants
641 */
642#define OVSEC_KADM_MASK_BITS		0xffffff00
643
644#define OVSEC_KADM_STRUCT_VERSION_MASK	0x12345600
645#define OVSEC_KADM_STRUCT_VERSION_1	(OVSEC_KADM_STRUCT_VERSION_MASK|0x01)
646#define OVSEC_KADM_STRUCT_VERSION	OVSEC_KADM_STRUCT_VERSION_1
647
648#define OVSEC_KADM_API_VERSION_MASK	0x12345700
649#define OVSEC_KADM_API_VERSION_1	(OVSEC_KADM_API_VERSION_MASK|0x01)
650
651
/*
 * Legacy principal entry.  Member-for-member identical to the
 * version-1 kadm5 layout (_kadm5_principal_ent_t_v1); it has no key or
 * tl data members.
 */
typedef struct _ovsec_kadm_principal_ent_t {
	krb5_principal	principal;
	krb5_timestamp	princ_expire_time;
	krb5_timestamp	last_pwd_change;
	krb5_timestamp	pw_expiration;
	krb5_deltat	max_life;
	krb5_principal	mod_name;
	krb5_timestamp	mod_date;
	krb5_flags	attributes;
	krb5_kvno	kvno;
	krb5_kvno	mkvno;
	char		*policy;
	long		aux_attributes;
} ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t;

/* Legacy policy entry; same layout as kadm5_policy_ent_rec. */
typedef struct _ovsec_kadm_policy_ent_t {
	char		*policy;
	long		pw_min_life;
	long		pw_max_life;
	long		pw_min_length;
	long		pw_min_classes;
	long		pw_history_num;
	long		policy_refcnt;
} ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t;
676
/*
 * functions -- legacy API.  These mirror the version-1 kadm5_* routines
 * (same argument conventions: `pass' is cleartext and should be scrubbed
 * by the caller; out-parameters of the form `T **' are allocated by the
 * library and returned through the matching ovsec_kadm_free_* routine).
 */
ovsec_kadm_ret_t    ovsec_kadm_init(char *client_name, char *pass,
				    char *service_name, char *realm,
				    krb5_ui_4 struct_version,
				    krb5_ui_4 api_version,
				    void **server_handle);
ovsec_kadm_ret_t    ovsec_kadm_init_with_password(char *client_name,
						  char *pass,
						  char *service_name,
						  char *realm,
						  krb5_ui_4 struct_version,
						  krb5_ui_4 api_version,
						  void **server_handle);
ovsec_kadm_ret_t    ovsec_kadm_init_with_skey(char *client_name,
					      char *keytab,
					      char *service_name,
					      char *realm,
					      krb5_ui_4 struct_version,
					      krb5_ui_4 api_version,
					      void **server_handle);
ovsec_kadm_ret_t    ovsec_kadm_flush(void *server_handle);
ovsec_kadm_ret_t    ovsec_kadm_destroy(void *server_handle);
ovsec_kadm_ret_t    ovsec_kadm_create_principal(void *server_handle,
						ovsec_kadm_principal_ent_t ent,
						long mask, char *pass);
ovsec_kadm_ret_t    ovsec_kadm_delete_principal(void *server_handle,
						krb5_principal principal);
ovsec_kadm_ret_t    ovsec_kadm_modify_principal(void *server_handle,
						ovsec_kadm_principal_ent_t ent,
						long mask);
/* Unnamed parameters: (handle, old name, new name) by position. */
ovsec_kadm_ret_t    ovsec_kadm_rename_principal(void *server_handle,
						krb5_principal,
						krb5_principal);
ovsec_kadm_ret_t    ovsec_kadm_get_principal(void *server_handle,
					     krb5_principal principal,
					     ovsec_kadm_principal_ent_t *ent);
ovsec_kadm_ret_t    ovsec_kadm_chpass_principal(void *server_handle,
						krb5_principal principal,
						char *pass);
/* Returns freshly generated key material through *keyblock; free and scrub it. */
ovsec_kadm_ret_t    ovsec_kadm_randkey_principal(void *server_handle,
						 krb5_principal principal,
						 krb5_keyblock **keyblock);
ovsec_kadm_ret_t    ovsec_kadm_create_policy(void *server_handle,
					     ovsec_kadm_policy_ent_t ent,
					     long mask);
/*
 * ovsec_kadm_create_policy_internal is not part of the supported,
 * exposed API.  It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from ovsec_kadm_create_policy.
 */
ovsec_kadm_ret_t    ovsec_kadm_create_policy_internal(void *server_handle,
						      ovsec_kadm_policy_ent_t
						      entry, long mask);
ovsec_kadm_ret_t    ovsec_kadm_delete_policy(void *server_handle,
					     ovsec_kadm_policy_t policy);
ovsec_kadm_ret_t    ovsec_kadm_modify_policy(void *server_handle,
					     ovsec_kadm_policy_ent_t ent,
					     long mask);
/*
 * ovsec_kadm_modify_policy_internal is not part of the supported,
 * exposed API.  It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from ovsec_kadm_modify_policy.
 */
ovsec_kadm_ret_t    ovsec_kadm_modify_policy_internal(void *server_handle,
						      ovsec_kadm_policy_ent_t
						      entry, long mask);
ovsec_kadm_ret_t    ovsec_kadm_get_policy(void *server_handle,
					  ovsec_kadm_policy_t policy,
					  ovsec_kadm_policy_ent_t *ent);
ovsec_kadm_ret_t    ovsec_kadm_get_privs(void *server_handle,
					 long *privs);

/*
 * SECURITY NOTE: unlike kadm5_chpass_principal_util(), this legacy
 * variant takes `msg_ret' with NO length argument, so the callee cannot
 * bound what it writes.  The required capacity is not stated in this
 * header; callers must size msg_ret to whatever the implementation
 * assumes (check it) or, better, use kadm5_chpass_principal_util() with
 * an explicit msg_len.
 */
ovsec_kadm_ret_t    ovsec_kadm_chpass_principal_util(void *server_handle,
						     krb5_principal princ,
						     char *new_pw,
						     char **ret_pw,
						     char *msg_ret);

ovsec_kadm_ret_t    ovsec_kadm_free_principal_ent(void *server_handle,
						  ovsec_kadm_principal_ent_t
						  ent);
ovsec_kadm_ret_t    ovsec_kadm_free_policy_ent(void *server_handle,
					       ovsec_kadm_policy_ent_t ent);

ovsec_kadm_ret_t ovsec_kadm_free_name_list(void *server_handle,
					   char **names, int count);

/* `exp' is presumably a name pattern; *count strings returned in *princs / *pols. */
ovsec_kadm_ret_t    ovsec_kadm_get_principals(void *server_handle,
					      char *exp, char ***princs,
					      int *count);

ovsec_kadm_ret_t    ovsec_kadm_get_policies(void *server_handle,
					    char *exp, char ***pols,
					    int *count);
774
/*
 * Legacy error-code names, each an alias for the corresponding KADM5_*
 * code from kadm_err.h.  Because they are plain aliases, comparing a
 * kadm5_ret_t against either spelling is equivalent.
 */
#define OVSEC_KADM_FAILURE KADM5_FAILURE
#define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET
#define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD
#define OVSEC_KADM_AUTH_MODIFY KADM5_AUTH_MODIFY
#define OVSEC_KADM_AUTH_DELETE KADM5_AUTH_DELETE
#define OVSEC_KADM_AUTH_INSUFFICIENT KADM5_AUTH_INSUFFICIENT
#define OVSEC_KADM_BAD_DB KADM5_BAD_DB
#define OVSEC_KADM_DUP KADM5_DUP
#define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR
#define OVSEC_KADM_NO_SRV KADM5_NO_SRV
#define OVSEC_KADM_BAD_HIST_KEY KADM5_BAD_HIST_KEY
#define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT
#define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC
#define OVSEC_KADM_UNK_POLICY KADM5_UNK_POLICY
#define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK
#define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS
#define OVSEC_KADM_BAD_LENGTH KADM5_BAD_LENGTH
#define OVSEC_KADM_BAD_POLICY KADM5_BAD_POLICY
#define OVSEC_KADM_BAD_PRINCIPAL KADM5_BAD_PRINCIPAL
#define OVSEC_KADM_BAD_AUX_ATTR KADM5_BAD_AUX_ATTR
#define OVSEC_KADM_BAD_HISTORY KADM5_BAD_HISTORY
#define OVSEC_KADM_BAD_MIN_PASS_LIFE KADM5_BAD_MIN_PASS_LIFE
#define OVSEC_KADM_PASS_Q_TOOSHORT KADM5_PASS_Q_TOOSHORT
#define OVSEC_KADM_PASS_Q_CLASS KADM5_PASS_Q_CLASS
#define OVSEC_KADM_PASS_Q_DICT KADM5_PASS_Q_DICT
#define OVSEC_KADM_PASS_REUSE KADM5_PASS_REUSE
#define OVSEC_KADM_PASS_TOOSOON KADM5_PASS_TOOSOON
#define OVSEC_KADM_POLICY_REF KADM5_POLICY_REF
#define OVSEC_KADM_INIT KADM5_INIT
#define OVSEC_KADM_BAD_PASSWORD KADM5_BAD_PASSWORD
#define OVSEC_KADM_PROTECT_PRINCIPAL KADM5_PROTECT_PRINCIPAL
#define OVSEC_KADM_BAD_SERVER_HANDLE KADM5_BAD_SERVER_HANDLE
#define OVSEC_KADM_BAD_STRUCT_VERSION KADM5_BAD_STRUCT_VERSION
#define OVSEC_KADM_OLD_STRUCT_VERSION KADM5_OLD_STRUCT_VERSION
#define OVSEC_KADM_NEW_STRUCT_VERSION KADM5_NEW_STRUCT_VERSION
#define OVSEC_KADM_BAD_API_VERSION KADM5_BAD_API_VERSION
#define OVSEC_KADM_OLD_LIB_API_VERSION KADM5_OLD_LIB_API_VERSION
#define OVSEC_KADM_OLD_SERVER_API_VERSION KADM5_OLD_SERVER_API_VERSION
#define OVSEC_KADM_NEW_LIB_API_VERSION KADM5_NEW_LIB_API_VERSION
#define OVSEC_KADM_NEW_SERVER_API_VERSION KADM5_NEW_SERVER_API_VERSION
#define OVSEC_KADM_SECURE_PRINC_MISSING KADM5_SECURE_PRINC_MISSING
#define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT
817
818#endif /* USE_KADM5_API_VERSION == 1 */
819
/*
 * Solaris additions, declared outside the API-version conditionals.
 */

/* Display/truncation limit for principal names; see trunc_name(). */
#define MAXPRINCLEN 125

/*
 * Truncate a name for display: *len is clamped and *dots set to point at
 * a marker string (by name; the exact contract lives in the definition).
 * This is a presentation helper, not a bounds check for buffers.
 */
void trunc_name(size_t *len, char **dots);

/*
 * NOTE(review): a file-scope identifier beginning with an underscore is
 * reserved by the C standard (7.1.3); this one is kept for existing
 * callers.  Returns the protocol selected in the handle's config
 * (see krb5_chgpwd_prot).
 */
krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle);
/*
 * Password change over the changepw v2 protocol.  The server's result
 * code (KRB5_KPASSWD_*) is returned in *srvr_rsp_code and any server
 * message in *srvr_msg.  Both come from the network and must be treated
 * as untrusted: check srvr_rsp_code against the known constants and do
 * not print srvr_msg as a format string.
 */
kadm5_ret_t	kadm5_chpass_principal_v2(void *server_handle,
					krb5_principal princ,
					char *new_password,
					kadm5_ret_t *srvr_rsp_code,
					krb5_data *srvr_msg);

/*
 * Server-side handler for one password-change request.  `s' is an int
 * and, given the kpasswd_port configuration it sits next to, presumably
 * a connected socket descriptor -- verify.  Everything read from it is
 * attacker-controlled input.
 */
void handle_chpw(krb5_context context, int s, void *serverhandle,
			kadm5_config_params *params);
833
834#ifdef __cplusplus
835}
836#endif
837
838#endif	/* __KADM5_ADMIN_H__ */
839