/*
 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * NOTE(review): identifiers that begin with a double underscore are reserved
 * for the implementation; the include guard below is kept unchanged here, but
 * a name such as KADM5_ADMIN_H_INCLUDED would avoid the reserved namespace.
 * The same applies to the struct tag __krb5_realm_params further down.
 */
#ifndef __KADM5_ADMIN_H__
#define __KADM5_ADMIN_H__


#ifdef __cplusplus
extern "C" {
#endif

/*
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 * Openvision retains the copyright to derivative works of
 * this source code. Do *NOT* create a derivative of this
 * source code before consulting with your legal department.
 * Do *NOT* integrate *ANY* of this source code into another
 * product before consulting with your legal department.
 *
 * For further information, read the top-level Openvision
 * copyright which is contained in the top-level MIT Kerberos
 * copyright.
 *
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 */
/*
 * lib/kadm5/admin.h
 *
 * Copyright 2001 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 *
 */
/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
 *
 * $Header$
 */

/*
 * Public interface of the kadm5 administration library: service principal
 * names, field-mask bits, the principal/policy/config entry structures and
 * the prototypes of the client and server entry points.
 */

#include <sys/types.h>
#include <rpc/types.h>
#include <rpc/rpc.h>
#include <k5-int.h>
#include <krb5.h>
#include <krb5/kdb.h>
#include <com_err.h>
#include <kadm5/kadm_err.h>
#include <kadm5/chpass_util_strings.h>

/*
 * Well-known principal / service names used by the administration and
 * password-change protocols. The "_P" forms are the name@instance spelling,
 * the others the name/instance spelling.
 */
#define KADM5_ADMIN_SERVICE_P "kadmin@admin"
/*
 * Solaris Kerberos:
 * The kadmin/admin principal is unused on Solaris. This principal is used
 * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
 * be used with host-based principals.
 *
 */
/* #define KADM5_ADMIN_SERVICE "kadmin/admin" */
#define KADM5_CHANGEPW_SERVICE_P "kadmin@changepw"
#define KADM5_CHANGEPW_SERVICE "kadmin/changepw"
#define KADM5_HIST_PRINCIPAL "kadmin/history"
/* Host-based service name components (the host part is supplied at runtime). */
#define KADM5_ADMIN_HOST_SERVICE "kadmin"
#define KADM5_CHANGEPW_HOST_SERVICE "changepw"
#define KADM5_KIPROP_HOST_SERVICE "kiprop"

/* Library-level type aliases. kadm5_ret_t is a plain long; KADM5_OK (0) is success. */
typedef krb5_principal kadm5_princ_t;
typedef char *kadm5_policy_t;
typedef long kadm5_ret_t;
typedef int rpc_int32;
typedef unsigned int rpc_u_int32;

/* Prompt strings for interactive password entry, looked up via com_err. */
#define KADM5_PW_FIRST_PROMPT \
	(error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define KADM5_PW_SECOND_PROMPT \
	(error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))

/*
 * Successful return code
 */
#define KADM5_OK 0

/*
 * Field masks
 *
 * Each group below is a set of single-bit flags for the "mask" argument of
 * the create/modify/get calls on the corresponding entry type. The groups
 * reuse the same bit positions (e.g. KADM5_PW_MAX_LIFE and KADM5_LAST_SUCCESS
 * are both 0x004000), so a mask built for one entry type must never be
 * applied to another.
 */

/* kadm5_principal_ent_t */
#define KADM5_PRINCIPAL 0x000001
#define KADM5_PRINC_EXPIRE_TIME 0x000002
#define KADM5_PW_EXPIRATION 0x000004
#define KADM5_LAST_PWD_CHANGE 0x000008
#define KADM5_ATTRIBUTES 0x000010
#define KADM5_MAX_LIFE 0x000020
#define KADM5_MOD_TIME 0x000040
#define KADM5_MOD_NAME 0x000080
#define KADM5_KVNO 0x000100
#define KADM5_MKVNO 0x000200
#define KADM5_AUX_ATTRIBUTES 0x000400
#define KADM5_POLICY 0x000800
#define KADM5_POLICY_CLR 0x001000
/* version 2 masks */
#define KADM5_MAX_RLIFE 0x002000
#define KADM5_LAST_SUCCESS 0x004000
#define KADM5_LAST_FAILED 0x008000
#define KADM5_FAIL_AUTH_COUNT 0x010000
#define KADM5_KEY_DATA 0x020000
#define KADM5_TL_DATA 0x040000
#ifdef notyet /* Novell */
#define KADM5_CPW_FUNCTION 0x080000
#define KADM5_RANDKEY_USED 0x100000
#endif
#define KADM5_LOAD 0x200000
/* Solaris Kerberos: adding support for key history in LDAP KDB */
#define KADM5_KEY_HIST 0x400000

/*
 * all but KEY_DATA and TL_DATA
 *
 * Note that 0x01ffff covers only the bits up to KADM5_FAIL_AUTH_COUNT, so the
 * later KADM5_LOAD and KADM5_KEY_HIST bits (and the "notyet" Novell bits)
 * are excluded from the "normal" mask as well.
 */
#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff


/* kadm5_policy_ent_t */
#define KADM5_PW_MAX_LIFE 0x004000
#define KADM5_PW_MIN_LIFE 0x008000
#define KADM5_PW_MIN_LENGTH 0x010000
#define KADM5_PW_MIN_CLASSES 0x020000
#define KADM5_PW_HISTORY_NUM 0x040000
#define KADM5_REF_COUNT 0x080000

/* kadm5_config_params (bits for the "mask" member of that structure) */
#define KADM5_CONFIG_REALM 0x0000001
#define KADM5_CONFIG_DBNAME 0x0000002
#define KADM5_CONFIG_MKEY_NAME 0x0000004
#define KADM5_CONFIG_MAX_LIFE 0x0000008
#define KADM5_CONFIG_MAX_RLIFE 0x0000010
#define KADM5_CONFIG_EXPIRATION 0x0000020
#define KADM5_CONFIG_FLAGS 0x0000040
#define KADM5_CONFIG_ADMIN_KEYTAB 0x0000080
#define KADM5_CONFIG_STASH_FILE 0x0000100
#define KADM5_CONFIG_ENCTYPE 0x0000200
#define KADM5_CONFIG_ADBNAME 0x0000400
#define KADM5_CONFIG_ADB_LOCKFILE 0x0000800
#define KADM5_CONFIG_PROFILE 0x0001000
#define KADM5_CONFIG_ACL_FILE 0x0002000
#define KADM5_CONFIG_KADMIND_PORT 0x0004000
#define KADM5_CONFIG_ENCTYPES 0x0008000
#define KADM5_CONFIG_ADMIN_SERVER 0x0010000
#define KADM5_CONFIG_DICT_FILE 0x0020000
#define KADM5_CONFIG_MKEY_FROM_KBD 0x0040000
#define KADM5_CONFIG_KPASSWD_PORT 0x0080000
#define KADM5_CONFIG_KPASSWD_SERVER 0x0100000
#define KADM5_CONFIG_KPASSWD_PROTOCOL 0x0200000
#define KADM5_CONFIG_IPROP_ENABLED 0x0400000
#define KADM5_CONFIG_ULOG_SIZE 0x0800000
#define KADM5_CONFIG_POLL_TIME 0x1000000

/* password change constants (result codes of the password-change protocol) */
#define KRB5_KPASSWD_SUCCESS 0
#define KRB5_KPASSWD_MALFORMED 1
#define KRB5_KPASSWD_HARDERROR 2
#define KRB5_KPASSWD_AUTHERROR 3
#define KRB5_KPASSWD_SOFTERROR 4
#define KRB5_KPASSWD_ACCESSDENIED 5
#define KRB5_KPASSWD_BAD_VERSION 6
#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
#define KRB5_KPASSWD_POLICY_REJECT 8
#define KRB5_KPASSWD_BAD_PRINCIPAL 9
#define KRB5_KPASSWD_ETYPE_NOSUPP 10

/*
 * permission bits
 *
 * Presumably the bits reported through kadm5_get_privs(); confirm against the
 * ACL code before relying on that.
 */
#define KADM5_PRIV_GET 0x01
#define KADM5_PRIV_ADD 0x02
#define KADM5_PRIV_MODIFY 0x04
#define KADM5_PRIV_DELETE 0x08

/*
 * API versioning constants
 *
 * A version value is a 24-bit family tag (selected by KADM5_MASK_BITS) OR'd
 * with a one-byte version number in the low byte.
 */
#define KADM5_MASK_BITS 0xffffff00

#define KADM5_STRUCT_VERSION_MASK 0x12345600
#define KADM5_STRUCT_VERSION_1 (KADM5_STRUCT_VERSION_MASK|0x01)
#define KADM5_STRUCT_VERSION KADM5_STRUCT_VERSION_1

#define KADM5_API_VERSION_MASK 0x12345700
#define KADM5_API_VERSION_1 (KADM5_API_VERSION_MASK|0x01)
#define KADM5_API_VERSION_2 (KADM5_API_VERSION_MASK|0x02)

#ifdef KRB5_DNS_LOOKUP
/*
 * Name length constants for DNS lookups
 *
 * MAX_DNS_NAMELEN appears sized for 15 host names of MAX_HOST_NAMELEN each,
 * one separator per name and a terminating NUL.
 */
#define MAX_HOST_NAMELEN 256
#define MAX_DNS_NAMELEN (15*(MAX_HOST_NAMELEN + 1)+1)
#endif /* KRB5_DNS_LOOKUP */

/*
 * Principal entry, API version 2. The first members match the version-1
 * layout exactly; the "version 2 fields" are appended after them.
 */
typedef struct _kadm5_principal_ent_t_v2 {
	krb5_principal principal;		/* the principal itself */
	krb5_timestamp princ_expire_time;	/* when the principal expires */
	krb5_timestamp last_pwd_change;		/* time of the last password change */
	krb5_timestamp pw_expiration;		/* when the current password expires */
	krb5_deltat max_life;			/* maximum ticket lifetime */
	krb5_principal mod_name;		/* principal that last modified the entry */
	krb5_timestamp mod_date;		/* time of that last modification */
	krb5_flags attributes;			/* KDB attribute flags */
	krb5_kvno kvno;				/* key version number */
	krb5_kvno mkvno;			/* master key version number */
	char *policy;				/* name of the governing policy, or NULL */
	long aux_attributes;

	/* version 2 fields */
	krb5_deltat max_renewable_life;		/* maximum renewable ticket lifetime */
	krb5_timestamp last_success;		/* last successful authentication */
	krb5_timestamp last_failed;		/* last failed authentication */
	krb5_kvno fail_auth_count;		/* consecutive failed authentications */
	krb5_int16 n_key_data;			/* number of elements in key_data */
	krb5_int16 n_tl_data;			/* number of elements in the tl_data list */
	krb5_tl_data *tl_data;			/* tagged-list data attached to the entry */
	krb5_key_data *key_data;		/* key data; only filled when KADM5_KEY_DATA is in the mask (presumably) */
} kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;

/* Principal entry, API version 1: the version-2 layout without the trailing fields. */
typedef struct _kadm5_principal_ent_t_v1 {
	krb5_principal principal;
	krb5_timestamp princ_expire_time;
	krb5_timestamp last_pwd_change;
	krb5_timestamp pw_expiration;
	krb5_deltat max_life;
	krb5_principal mod_name;
	krb5_timestamp mod_date;
	krb5_flags attributes;
	krb5_kvno kvno;
	krb5_kvno mkvno;
	char *policy;
	long aux_attributes;
} kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;

/* The unversioned names resolve to whichever layout USE_KADM5_API_VERSION selects. */
#if USE_KADM5_API_VERSION == 1
typedef struct _kadm5_principal_ent_t_v1
	kadm5_principal_ent_rec, *kadm5_principal_ent_t;
#else
typedef struct _kadm5_principal_ent_t_v2
	kadm5_principal_ent_rec, *kadm5_principal_ent_t;
#endif

/* Password policy entry; the KADM5_PW_* / KADM5_REF_COUNT bits select its fields. */
typedef struct _kadm5_policy_ent_t {
	char *policy;		/* policy name */
	long pw_min_life;	/* minimum password lifetime */
	long pw_max_life;	/* maximum password lifetime */
	long pw_min_length;	/* minimum password length */
	long pw_min_classes;	/* minimum number of character classes */
	long pw_history_num;	/* number of old passwords kept for reuse checks */
	long policy_refcnt;	/* number of principals referencing this policy */
} kadm5_policy_ent_rec, *kadm5_policy_ent_t;

/*
 * New types to indicate which protocol to use when sending
 * password change requests
 */
typedef enum {
	KRB5_CHGPWD_RPCSEC,		/* RPCSEC_GSS-protected kadmin RPC */
	KRB5_CHGPWD_CHANGEPW_V2		/* the changepw (kpasswd) protocol */
} krb5_chgpwd_prot;

/*
 * Data structure returned by kadm5_get_config_params()
 *
 * "mask" is a set of KADM5_CONFIG_* bits naming the members that carry a
 * value. String members are presumably heap-allocated and released by
 * kadm5_free_config_params(); confirm before freeing them individually.
 */
typedef struct _kadm5_config_params {
	long mask;
	char * realm;
	int kadmind_port;
	int kpasswd_port;

	char * admin_server;
/*
 * NOTE(review): if "notyet" were ever defined, this member would collide with
 * the unconditional kpasswd_server member declared further down in the same
 * struct and the translation unit would fail to compile.
 */
#ifdef notyet /* Novell */ /* ABI change? */
	char * kpasswd_server;
#endif

	char * dbname;
	char * admin_dbname;
	char * admin_lockfile;
	char * admin_keytab;
	char * acl_file;
	char * dict_file;

	int mkey_from_kbd;
	char * stash_file;
	char * mkey_name;
	krb5_enctype enctype;
	krb5_deltat max_life;
	krb5_deltat max_rlife;
	krb5_timestamp expiration;
	krb5_flags flags;
	krb5_key_salt_tuple *keysalts;	/* num_keysalts entries */
	krb5_int32 num_keysalts;
	char *kpasswd_server;

	krb5_chgpwd_prot kpasswd_protocol;
	bool_t iprop_enabled;		/* incremental propagation on/off */
	int iprop_ulogsize;		/* update-log size for iprop */
	char *iprop_polltime;		/* iprop poll interval, kept as a string */
} kadm5_config_params;

/***********************************************************************
 * This is the old krb5_realm_read_params, which I mutated into
 * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
 * still uses.
 ***********************************************************************/

/*
 * Data structure returned by krb5_read_realm_params()
 *
 * The one-bit *_valid members presumably record which of the non-string
 * fields were actually present in the profile; confirm against the reader.
 */
typedef struct __krb5_realm_params {
	char * realm_profile;
	char * realm_dbname;
	char * realm_mkey_name;
	char * realm_stash_file;
	char * realm_kdc_ports;
	char * realm_kdc_tcp_ports;
	char * realm_acl_file;
	krb5_int32 realm_kadmind_port;
	krb5_enctype realm_enctype;
	krb5_deltat realm_max_life;
	krb5_deltat realm_max_rlife;
	krb5_timestamp realm_expiration;
	krb5_flags realm_flags;
	krb5_key_salt_tuple *realm_keysalts;	/* realm_num_keysalts entries */
	unsigned int realm_reject_bad_transit:1;
	unsigned int realm_kadmind_port_valid:1;
	unsigned int realm_enctype_valid:1;
	unsigned int realm_max_life_valid:1;
	unsigned int realm_max_rlife_valid:1;
	unsigned int realm_expiration_valid:1;
	unsigned int realm_flags_valid:1;
	unsigned int realm_reject_bad_transit_valid:1;
	krb5_int32 realm_num_keysalts;
} krb5_realm_params;

/*
 * functions
 *
 * Unless stated otherwise every call returns KADM5_OK (0) on success and a
 * kadm5/krb5 error code otherwise. server_handle is the opaque handle
 * produced by one of the kadm5_init* calls and released by kadm5_destroy().
 */

/*
 * Build the host-based admin service name for realm into *host_service_name.
 * The result is presumably allocated and owned by the caller; confirm.
 */
kadm5_ret_t
kadm5_get_adm_host_srv_name(krb5_context context,
	const char *realm, char **host_service_name);

/* Same as above for the password-change (changepw) host-based service. */
kadm5_ret_t
kadm5_get_cpw_host_srv_name(krb5_context context,
	const char *realm, char **host_service_name);

#if USE_KADM5_API_VERSION > 1
/*
 * Fill params_out from the profile, using params_in as overrides.
 * use_kdc_config selects the KDC configuration section (presumably).
 */
krb5_error_code kadm5_get_config_params(krb5_context context,
	int use_kdc_config,
	kadm5_config_params *params_in,
	kadm5_config_params *params_out);

/* Release the members of a kadm5_config_params filled by kadm5_get_config_params(). */
krb5_error_code kadm5_free_config_params(krb5_context context,
	kadm5_config_params *params);

krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
	kadm5_config_params *params);

/*
 * Parameters are unnamed in the prototype; from the types they are presumably
 * the realm, an output buffer and that buffer's size. Confirm before use.
 */
krb5_error_code kadm5_get_admin_service_name(krb5_context, char *,
	char *, size_t);
#endif

/*
 * Session setup. client_name authenticates with pass (a plaintext password;
 * this header does not say whether the library clears the caller's buffer,
 * so callers should assume they must do so themselves), service_name is the
 * admin service to contact, and struct_version / api_version are expected to
 * be KADM5_STRUCT_VERSION and one of the KADM5_API_VERSION_* values. On
 * success *server_handle receives the handle used by all other calls.
 */
kadm5_ret_t kadm5_init(char *client_name, char *pass,
	char *service_name,
#if USE_KADM5_API_VERSION == 1
	char *realm,
#else
	kadm5_config_params *params,
#endif
	krb5_ui_4 struct_version,
	krb5_ui_4 api_version,
	char **db_args,
	void **server_handle);
kadm5_ret_t kadm5_init_with_password(char *client_name,
	char *pass,
	char *service_name,
#if USE_KADM5_API_VERSION == 1
	char *realm,
#else
	kadm5_config_params *params,
#endif
	krb5_ui_4 struct_version,
	krb5_ui_4 api_version,
	char **db_args,
	void **server_handle);
/* As kadm5_init, but authenticating with a key from the named keytab. */
kadm5_ret_t kadm5_init_with_skey(char *client_name,
	char *keytab,
	char *service_name,
#if USE_KADM5_API_VERSION == 1
	char *realm,
#else
	kadm5_config_params *params,
#endif
	krb5_ui_4 struct_version,
	krb5_ui_4 api_version,
	char **db_args,
	void **server_handle);
#if USE_KADM5_API_VERSION > 1
/* As kadm5_init, but authenticating with the credentials already in cc. */
kadm5_ret_t kadm5_init_with_creds(char *client_name,
	krb5_ccache cc,
	char *service_name,
	kadm5_config_params *params,
	krb5_ui_4 struct_version,
	krb5_ui_4 api_version,
	char **db_args,
	void **server_handle);
#endif
kadm5_ret_t kadm5_lock(void *server_handle);
kadm5_ret_t kadm5_unlock(void *server_handle);
kadm5_ret_t kadm5_flush(void *server_handle);
/* Tear down the session and invalidate server_handle. */
kadm5_ret_t kadm5_destroy(void *server_handle);
/*
 * Check whether principal's policy still forbids a password change.
 * msg_ret/msg_len are presumably a caller-supplied buffer and its size for
 * a human-readable explanation; confirm against the implementation.
 */
kadm5_ret_t kadm5_check_min_life(void *server_handle, /* Solaris Kerberos */
	krb5_principal principal,
	char *msg_ret,
	unsigned int msg_len);
/* Create the principal described by ent (fields selected by mask) with password pass. */
kadm5_ret_t kadm5_create_principal(void *server_handle,
	kadm5_principal_ent_t ent,
	long mask, char *pass);
/* As kadm5_create_principal, with an explicit list of n_ks_tuple key/salt types. */
kadm5_ret_t kadm5_create_principal_3(void *server_handle,
	kadm5_principal_ent_t ent,
	long mask,
	int n_ks_tuple,
	krb5_key_salt_tuple *ks_tuple,
	char *pass);
kadm5_ret_t kadm5_delete_principal(void *server_handle,
	krb5_principal principal);
/* Update the fields of ent selected by mask. */
kadm5_ret_t kadm5_modify_principal(void *server_handle,
	kadm5_principal_ent_t ent,
	long mask);
/* Rename the first principal to the second. */
kadm5_ret_t kadm5_rename_principal(void *server_handle,
	krb5_principal, krb5_principal);
/*
 * Fetch principal. Version 1 allocates a new entry into *ent; version 2 fills
 * the caller's entry, returning only the fields selected by mask.
 */
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t kadm5_get_principal(void *server_handle,
	krb5_principal principal,
	kadm5_principal_ent_t *ent);
#else
kadm5_ret_t kadm5_get_principal(void *server_handle,
	krb5_principal principal,
	kadm5_principal_ent_t ent,
	long mask);
#endif
/* Change principal's password to pass (plaintext; see the note on kadm5_init). */
kadm5_ret_t kadm5_chpass_principal(void *server_handle,
	krb5_principal principal,
	char *pass);
/* As kadm5_chpass_principal; keepold retains the previous keys, ks_tuple selects key/salt types. */
kadm5_ret_t kadm5_chpass_principal_3(void *server_handle,
	krb5_principal principal,
	krb5_boolean keepold,
	int n_ks_tuple,
	krb5_key_salt_tuple *ks_tuple,
	char *pass);
/*
 * Replace principal's keys with random ones. The version-2 forms return the
 * new keys to the caller via *keyblocks / *n_keys; how that array must be
 * released is not stated in this header, so check the implementation and
 * clear the key material when done with it.
 */
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t kadm5_randkey_principal(void *server_handle,
	krb5_principal principal,
	krb5_keyblock **keyblock);
#else

/*
 * Solaris Kerberos:
 * this routine is only implemented in the client library.
 */
kadm5_ret_t kadm5_randkey_principal_old(void *server_handle,
	krb5_principal principal,
	krb5_keyblock **keyblocks,
	int *n_keys);

kadm5_ret_t kadm5_randkey_principal(void *server_handle,
	krb5_principal principal,
	krb5_keyblock **keyblocks,
	int *n_keys);
kadm5_ret_t kadm5_randkey_principal_3(void *server_handle,
	krb5_principal principal,
	krb5_boolean keepold,
	int n_ks_tuple,
	krb5_key_salt_tuple *ks_tuple,
	krb5_keyblock **keyblocks,
	int *n_keys);
#endif
/* Set a single (Kerberos 4 style) key on principal. */
kadm5_ret_t kadm5_setv4key_principal(void *server_handle,
	krb5_principal principal,
	krb5_keyblock *keyblock);

/* Set principal's keys explicitly from the n_keys keyblocks supplied. */
kadm5_ret_t kadm5_setkey_principal(void *server_handle,
	krb5_principal principal,
	krb5_keyblock *keyblocks,
	int n_keys);

kadm5_ret_t kadm5_setkey_principal_3(void *server_handle,
	krb5_principal principal,
	krb5_boolean keepold,
	int n_ks_tuple,
	krb5_key_salt_tuple *ks_tuple,
	krb5_keyblock *keyblocks,
	int n_keys);

/*
 * Appears to decrypt the key of entry matching ktype/stype/kvno into
 * *keyblock (and its salt into *keysalt, the kvno found into *kvnop).
 * The output is raw key material; callers should clear it after use.
 */
kadm5_ret_t kadm5_decrypt_key(void *server_handle,
	kadm5_principal_ent_t entry, krb5_int32
	ktype, krb5_int32 stype, krb5_int32
	kvno, krb5_keyblock *keyblock,
	krb5_keysalt *keysalt, int *kvnop);

/* Create the policy described by ent (fields selected by mask). */
kadm5_ret_t kadm5_create_policy(void *server_handle,
	kadm5_policy_ent_t ent,
	long mask);
/*
 * kadm5_create_policy_internal is not part of the supported,
 * exposed API. It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_create_policy.
 */
kadm5_ret_t kadm5_create_policy_internal(void *server_handle,
	kadm5_policy_ent_t
	entry, long mask);
kadm5_ret_t kadm5_delete_policy(void *server_handle,
	kadm5_policy_t policy);
kadm5_ret_t kadm5_modify_policy(void *server_handle,
	kadm5_policy_ent_t ent,
	long mask);
/*
 * kadm5_modify_policy_internal is not part of the supported,
 * exposed API. It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_modify_policy.
 */
kadm5_ret_t kadm5_modify_policy_internal(void *server_handle,
	kadm5_policy_ent_t
	entry, long mask);
/* Fetch policy by name; version 1 allocates into *ent, version 2 fills the caller's entry. */
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t kadm5_get_policy(void *server_handle,
	kadm5_policy_t policy,
	kadm5_policy_ent_t *ent);
#else
kadm5_ret_t kadm5_get_policy(void *server_handle,
	kadm5_policy_t policy,
	kadm5_policy_ent_t ent);
#endif
/* Report the caller's privileges in *privs (presumably KADM5_PRIV_* bits). */
kadm5_ret_t kadm5_get_privs(void *server_handle,
	long *privs);

/*
 * Convenience password change for princ. new_pw may be the new password;
 * *ret_pw and msg_ret/msg_len presumably return the password used and a
 * message buffer of msg_len bytes. Confirm the exact contract in the
 * implementation before relying on it.
 */
kadm5_ret_t kadm5_chpass_principal_util(void *server_handle,
	krb5_principal princ,
	char *new_pw,
	char **ret_pw,
	char *msg_ret,
	unsigned int msg_len);

/* Release the contents of an entry filled by kadm5_get_principal(). */
kadm5_ret_t kadm5_free_principal_ent(void *server_handle,
	kadm5_principal_ent_t
	ent);
/* Release the contents of an entry filled by kadm5_get_policy(). */
kadm5_ret_t kadm5_free_policy_ent(void *server_handle,
	kadm5_policy_ent_t ent);

/*
 * List principals (resp. policies) whose names match exp (presumably a
 * glob-style expression) into a *count-element array at *princs / *pols.
 * Release the array with kadm5_free_name_list().
 */
kadm5_ret_t kadm5_get_principals(void *server_handle,
	char *exp, char ***princs,
	int *count);

kadm5_ret_t kadm5_get_policies(void *server_handle,
	char *exp, char ***pols,
	int *count);

#if USE_KADM5_API_VERSION > 1
/* Release key_data (n_key_data elements) as returned in a principal entry. */
kadm5_ret_t kadm5_free_key_data(void *server_handle,
	krb5_int16 *n_key_data,
	krb5_key_data *key_data);
#endif

kadm5_ret_t kadm5_free_name_list(void *server_handle, char **names,
	int count);

krb5_error_code kadm5_init_krb5_context (krb5_context *);

#if USE_KADM5_API_VERSION == 1
/*
 * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time
 * compatible with KADM5_API_VERSION_2. Basically, this means we have
 * to continue to provide all the old ovsec_kadm function and symbol
 * names.
 *
 * Everything below mirrors the KADM5_* definitions above under the legacy
 * OVSEC_KADM_* names, with identical values.
 */

#define OVSEC_KADM_ACLFILE "/krb5/ovsec_adm.acl"
#define OVSEC_KADM_WORDFILE "/krb5/ovsec_adm.dict"

#define OVSEC_KADM_ADMIN_SERVICE "ovsec_adm/admin"
#define OVSEC_KADM_CHANGEPW_SERVICE "ovsec_adm/changepw"
#define OVSEC_KADM_HIST_PRINCIPAL "ovsec_adm/history"

typedef krb5_principal ovsec_kadm_princ_t;
typedef krb5_keyblock ovsec_kadm_keyblock;
typedef char *ovsec_kadm_policy_t;
typedef long ovsec_kadm_ret_t;

enum ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL };
enum ovsec_kadm_saltmod { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL };

#define OVSEC_KADM_PW_FIRST_PROMPT \
	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define OVSEC_KADM_PW_SECOND_PROMPT \
	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))

/*
 * Successful return code
 */
#define OVSEC_KADM_OK 0

/*
 * Create/Modify masks
 */
/* principal */
#define OVSEC_KADM_PRINCIPAL 0x000001
#define OVSEC_KADM_PRINC_EXPIRE_TIME 0x000002
#define OVSEC_KADM_PW_EXPIRATION 0x000004
#define OVSEC_KADM_LAST_PWD_CHANGE 0x000008
#define OVSEC_KADM_ATTRIBUTES 0x000010
#define OVSEC_KADM_MAX_LIFE 0x000020
#define OVSEC_KADM_MOD_TIME 0x000040
#define OVSEC_KADM_MOD_NAME 0x000080
#define OVSEC_KADM_KVNO 0x000100
#define OVSEC_KADM_MKVNO 0x000200
#define OVSEC_KADM_AUX_ATTRIBUTES 0x000400
#define OVSEC_KADM_POLICY 0x000800
#define OVSEC_KADM_POLICY_CLR 0x001000
/* policy */
#define OVSEC_KADM_PW_MAX_LIFE 0x004000
#define OVSEC_KADM_PW_MIN_LIFE 0x008000
#define OVSEC_KADM_PW_MIN_LENGTH 0x010000
#define OVSEC_KADM_PW_MIN_CLASSES 0x020000
#define OVSEC_KADM_PW_HISTORY_NUM 0x040000
#define OVSEC_KADM_REF_COUNT 0x080000

/*
 * permission bits
 */
#define OVSEC_KADM_PRIV_GET 0x01
#define OVSEC_KADM_PRIV_ADD 0x02
#define OVSEC_KADM_PRIV_MODIFY 0x04
#define OVSEC_KADM_PRIV_DELETE 0x08

/*
 * API versioning constants
 */
#define OVSEC_KADM_MASK_BITS 0xffffff00

#define OVSEC_KADM_STRUCT_VERSION_MASK 0x12345600
#define OVSEC_KADM_STRUCT_VERSION_1 (OVSEC_KADM_STRUCT_VERSION_MASK|0x01)
#define OVSEC_KADM_STRUCT_VERSION OVSEC_KADM_STRUCT_VERSION_1

#define OVSEC_KADM_API_VERSION_MASK 0x12345700
#define OVSEC_KADM_API_VERSION_1 (OVSEC_KADM_API_VERSION_MASK|0x01)


/* Legacy principal entry; same layout as _kadm5_principal_ent_t_v1. */
typedef struct _ovsec_kadm_principal_ent_t {
	krb5_principal principal;
	krb5_timestamp princ_expire_time;
	krb5_timestamp last_pwd_change;
	krb5_timestamp pw_expiration;
	krb5_deltat max_life;
	krb5_principal mod_name;
	krb5_timestamp mod_date;
	krb5_flags attributes;
	krb5_kvno kvno;
	krb5_kvno mkvno;
	char *policy;
	long aux_attributes;
} ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t;

/* Legacy policy entry; same layout as _kadm5_policy_ent_t. */
typedef struct _ovsec_kadm_policy_ent_t {
	char *policy;
	long pw_min_life;
	long pw_max_life;
	long pw_min_length;
	long pw_min_classes;
	long pw_history_num;
	long policy_refcnt;
} ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t;

/*
 * functions
 *
 * Legacy counterparts of the kadm5_init* family; see the notes on
 * kadm5_init above for the meaning of the arguments.
 */
ovsec_kadm_ret_t ovsec_kadm_init(char *client_name, char *pass,
	char *service_name, char *realm,
	krb5_ui_4 struct_version,
	krb5_ui_4 api_version,
	char **db_args,
	void **server_handle);
ovsec_kadm_ret_t ovsec_kadm_init_with_password(char *client_name,
	char *pass,
	char *service_name,
	char *realm,
	krb5_ui_4 struct_version,
	krb5_ui_4 api_version,
	char ** db_args,
	void **server_handle);
ovsec_kadm_ret_t ovsec_kadm_init_with_skey(char *client_name,
	char *keytab,
	char *service_name,
	char *realm,
	krb5_ui_4 struct_version,
	krb5_ui_4 api_version,
72154925bf6Swillf char **db_args, 72256a424ccSmp void **server_handle); 72356a424ccSmp ovsec_kadm_ret_t ovsec_kadm_flush(void *server_handle); 72456a424ccSmp ovsec_kadm_ret_t ovsec_kadm_destroy(void *server_handle); 72556a424ccSmp ovsec_kadm_ret_t ovsec_kadm_create_principal(void *server_handle, 72656a424ccSmp ovsec_kadm_principal_ent_t ent, 72756a424ccSmp long mask, char *pass); 72856a424ccSmp ovsec_kadm_ret_t ovsec_kadm_delete_principal(void *server_handle, 72956a424ccSmp krb5_principal principal); 73056a424ccSmp ovsec_kadm_ret_t ovsec_kadm_modify_principal(void *server_handle, 73156a424ccSmp ovsec_kadm_principal_ent_t ent, 73256a424ccSmp long mask); 73356a424ccSmp ovsec_kadm_ret_t ovsec_kadm_rename_principal(void *server_handle, 73456a424ccSmp krb5_principal,krb5_principal); 73556a424ccSmp ovsec_kadm_ret_t ovsec_kadm_get_principal(void *server_handle, 73656a424ccSmp krb5_principal principal, 73756a424ccSmp ovsec_kadm_principal_ent_t *ent); 73856a424ccSmp ovsec_kadm_ret_t ovsec_kadm_chpass_principal(void *server_handle, 73956a424ccSmp krb5_principal principal, 74056a424ccSmp char *pass); 74156a424ccSmp ovsec_kadm_ret_t ovsec_kadm_randkey_principal(void *server_handle, 74256a424ccSmp krb5_principal principal, 74356a424ccSmp krb5_keyblock **keyblock); 74456a424ccSmp ovsec_kadm_ret_t ovsec_kadm_create_policy(void *server_handle, 74556a424ccSmp ovsec_kadm_policy_ent_t ent, 74656a424ccSmp long mask); 74756a424ccSmp /* 74856a424ccSmp * ovsec_kadm_create_policy_internal is not part of the supported, 74956a424ccSmp * exposed API. It is available only in the server library, and you 75056a424ccSmp * shouldn't use it unless you know why it's there and how it's 75156a424ccSmp * different from ovsec_kadm_create_policy. 
75256a424ccSmp */ 75356a424ccSmp ovsec_kadm_ret_t ovsec_kadm_create_policy_internal(void *server_handle, 75456a424ccSmp ovsec_kadm_policy_ent_t 75556a424ccSmp entry, long mask); 75656a424ccSmp ovsec_kadm_ret_t ovsec_kadm_delete_policy(void *server_handle, 75756a424ccSmp ovsec_kadm_policy_t policy); 75856a424ccSmp ovsec_kadm_ret_t ovsec_kadm_modify_policy(void *server_handle, 75956a424ccSmp ovsec_kadm_policy_ent_t ent, 76056a424ccSmp long mask); 76156a424ccSmp /* 76256a424ccSmp * ovsec_kadm_modify_policy_internal is not part of the supported, 76356a424ccSmp * exposed API. It is available only in the server library, and you 76456a424ccSmp * shouldn't use it unless you know why it's there and how it's 76556a424ccSmp * different from ovsec_kadm_modify_policy. 76656a424ccSmp */ 76756a424ccSmp ovsec_kadm_ret_t ovsec_kadm_modify_policy_internal(void *server_handle, 76856a424ccSmp ovsec_kadm_policy_ent_t 76956a424ccSmp entry, long mask); 77056a424ccSmp ovsec_kadm_ret_t ovsec_kadm_get_policy(void *server_handle, 77156a424ccSmp ovsec_kadm_policy_t policy, 77256a424ccSmp ovsec_kadm_policy_ent_t *ent); 77356a424ccSmp ovsec_kadm_ret_t ovsec_kadm_get_privs(void *server_handle, 77456a424ccSmp long *privs); 77556a424ccSmp 77656a424ccSmp ovsec_kadm_ret_t ovsec_kadm_chpass_principal_util(void *server_handle, 77756a424ccSmp krb5_principal princ, 778*55fea89dSDan Cross char *new_pw, 77956a424ccSmp char **ret_pw, 78056a424ccSmp char *msg_ret); 78156a424ccSmp 78256a424ccSmp ovsec_kadm_ret_t ovsec_kadm_free_principal_ent(void *server_handle, 78356a424ccSmp ovsec_kadm_principal_ent_t 78456a424ccSmp ent); 78556a424ccSmp ovsec_kadm_ret_t ovsec_kadm_free_policy_ent(void *server_handle, 78656a424ccSmp ovsec_kadm_policy_ent_t ent); 78756a424ccSmp 78856a424ccSmp ovsec_kadm_ret_t ovsec_kadm_free_name_list(void *server_handle, 78956a424ccSmp char **names, int count); 79056a424ccSmp 79156a424ccSmp ovsec_kadm_ret_t ovsec_kadm_get_principals(void *server_handle, 79256a424ccSmp char *exp, char 
***princs, 79356a424ccSmp int *count); 79456a424ccSmp 79556a424ccSmp ovsec_kadm_ret_t ovsec_kadm_get_policies(void *server_handle, 79656a424ccSmp char *exp, char ***pols, 79756a424ccSmp int *count); 79856a424ccSmp 79956a424ccSmp #define OVSEC_KADM_FAILURE KADM5_FAILURE 80056a424ccSmp #define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET 80156a424ccSmp #define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD 80256a424ccSmp #define OVSEC_KADM_AUTH_MODIFY KADM5_AUTH_MODIFY 80356a424ccSmp #define OVSEC_KADM_AUTH_DELETE KADM5_AUTH_DELETE 80456a424ccSmp #define OVSEC_KADM_AUTH_INSUFFICIENT KADM5_AUTH_INSUFFICIENT 80556a424ccSmp #define OVSEC_KADM_BAD_DB KADM5_BAD_DB 80656a424ccSmp #define OVSEC_KADM_DUP KADM5_DUP 80756a424ccSmp #define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR 80856a424ccSmp #define OVSEC_KADM_NO_SRV KADM5_NO_SRV 80956a424ccSmp #define OVSEC_KADM_BAD_HIST_KEY KADM5_BAD_HIST_KEY 81056a424ccSmp #define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT 81156a424ccSmp #define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC 81256a424ccSmp #define OVSEC_KADM_UNK_POLICY KADM5_UNK_POLICY 81356a424ccSmp #define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK 81456a424ccSmp #define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS 81556a424ccSmp #define OVSEC_KADM_BAD_LENGTH KADM5_BAD_LENGTH 81656a424ccSmp #define OVSEC_KADM_BAD_POLICY KADM5_BAD_POLICY 81756a424ccSmp #define OVSEC_KADM_BAD_PRINCIPAL KADM5_BAD_PRINCIPAL 81856a424ccSmp #define OVSEC_KADM_BAD_AUX_ATTR KADM5_BAD_AUX_ATTR 81956a424ccSmp #define OVSEC_KADM_BAD_HISTORY KADM5_BAD_HISTORY 82056a424ccSmp #define OVSEC_KADM_BAD_MIN_PASS_LIFE KADM5_BAD_MIN_PASS_LIFE 82156a424ccSmp #define OVSEC_KADM_PASS_Q_TOOSHORT KADM5_PASS_Q_TOOSHORT 82256a424ccSmp #define OVSEC_KADM_PASS_Q_CLASS KADM5_PASS_Q_CLASS 82356a424ccSmp #define OVSEC_KADM_PASS_Q_DICT KADM5_PASS_Q_DICT 82456a424ccSmp #define OVSEC_KADM_PASS_REUSE KADM5_PASS_REUSE 82556a424ccSmp #define OVSEC_KADM_PASS_TOOSOON KADM5_PASS_TOOSOON 82656a424ccSmp #define OVSEC_KADM_POLICY_REF KADM5_POLICY_REF 82756a424ccSmp #define OVSEC_KADM_INIT 
KADM5_INIT 82856a424ccSmp #define OVSEC_KADM_BAD_PASSWORD KADM5_BAD_PASSWORD 82956a424ccSmp #define OVSEC_KADM_PROTECT_PRINCIPAL KADM5_PROTECT_PRINCIPAL 83056a424ccSmp #define OVSEC_KADM_BAD_SERVER_HANDLE KADM5_BAD_SERVER_HANDLE 83156a424ccSmp #define OVSEC_KADM_BAD_STRUCT_VERSION KADM5_BAD_STRUCT_VERSION 83256a424ccSmp #define OVSEC_KADM_OLD_STRUCT_VERSION KADM5_OLD_STRUCT_VERSION 83356a424ccSmp #define OVSEC_KADM_NEW_STRUCT_VERSION KADM5_NEW_STRUCT_VERSION 83456a424ccSmp #define OVSEC_KADM_BAD_API_VERSION KADM5_BAD_API_VERSION 83556a424ccSmp #define OVSEC_KADM_OLD_LIB_API_VERSION KADM5_OLD_LIB_API_VERSION 83656a424ccSmp #define OVSEC_KADM_OLD_SERVER_API_VERSION KADM5_OLD_SERVER_API_VERSION 83756a424ccSmp #define OVSEC_KADM_NEW_LIB_API_VERSION KADM5_NEW_LIB_API_VERSION 83856a424ccSmp #define OVSEC_KADM_NEW_SERVER_API_VERSION KADM5_NEW_SERVER_API_VERSION 83956a424ccSmp #define OVSEC_KADM_SECURE_PRINC_MISSING KADM5_SECURE_PRINC_MISSING 84056a424ccSmp #define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT 84156a424ccSmp 84256a424ccSmp #endif /* USE_KADM5_API_VERSION == 1 */ 8437c478bd9Sstevel@tonic-gate 84446736d35Ssemery #define MAXPRINCLEN 125 84546736d35Ssemery 84646736d35Ssemery void trunc_name(size_t *len, char **dots); 84746736d35Ssemery 8487c478bd9Sstevel@tonic-gate krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle); 8497c478bd9Sstevel@tonic-gate kadm5_ret_t kadm5_chpass_principal_v2(void *server_handle, 8507c478bd9Sstevel@tonic-gate krb5_principal princ, 8517c478bd9Sstevel@tonic-gate char *new_password, 8527c478bd9Sstevel@tonic-gate kadm5_ret_t *srvr_rsp_code, 8537c478bd9Sstevel@tonic-gate krb5_data *srvr_msg); 8547c478bd9Sstevel@tonic-gate 8557c478bd9Sstevel@tonic-gate void handle_chpw(krb5_context context, int s, void *serverhandle, 8567c478bd9Sstevel@tonic-gate kadm5_config_params *params); 8577c478bd9Sstevel@tonic-gate 8587c478bd9Sstevel@tonic-gate #ifdef __cplusplus 8597c478bd9Sstevel@tonic-gate } 8607c478bd9Sstevel@tonic-gate #endif 
8617c478bd9Sstevel@tonic-gate 8627c478bd9Sstevel@tonic-gate #endif /* __KADM5_ADMIN_H__ */ 863