1 /*
2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #ifndef	__KADM5_ADMIN_H__
7 #define	__KADM5_ADMIN_H__
8 
9 
10 #ifdef __cplusplus
11 extern "C" {
12 #endif
13 
14 /*
15  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
16  *
17  *	Openvision retains the copyright to derivative works of
18  *	this source code.  Do *NOT* create a derivative of this
19  *	source code before consulting with your legal department.
20  *	Do *NOT* integrate *ANY* of this source code into another
21  *	product before consulting with your legal department.
22  *
23  *	For further information, read the top-level Openvision
24  *	copyright which is contained in the top-level MIT Kerberos
25  *	copyright.
26  *
27  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
28  *
29  */
30 /*
31  * lib/kadm5/admin.h
32  *
33  * Copyright 2001 by the Massachusetts Institute of Technology.
34  * All Rights Reserved.
35  *
36  * Export of this software from the United States of America may
37  *   require a specific license from the United States Government.
38  *   It is the responsibility of any person or organization contemplating
39  *   export to obtain such a license before exporting.
40  *
41  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
42  * distribute this software and its documentation for any purpose and
43  * without fee is hereby granted, provided that the above copyright
44  * notice appear in all copies and that both that copyright notice and
45  * this permission notice appear in supporting documentation, and that
46  * the name of M.I.T. not be used in advertising or publicity pertaining
47  * to distribution of the software without specific, written prior
48  * permission.  Furthermore if you modify this software you must label
49  * your software as modified software and not distribute it in such a
50  * fashion that it might be confused with the original M.I.T. software.
51  * M.I.T. makes no representations about the suitability of
52  * this software for any purpose.  It is provided "as is" without express
53  * or implied warranty.
54  *
55  */
56 /*
57  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
58  *
59  * $Header$
60  */
61 
62 #include	<sys/types.h>
63 #include	<rpc/types.h>
64 #include	<rpc/rpc.h>
65 #include	<k5-int.h>
66 #include	<krb5.h>
67 #include	<krb5/kdb.h>
68 #include	<com_err.h>
69 #include	<kadm5/kadm_err.h>
70 #include	<kadm5/chpass_util_strings.h>
71 
/*
 * Service principal names.  The "_P" forms are "service@instance"
 * spellings; see the Solaris note below for which forms RPCSEC_GSS can
 * actually authenticate against.
 */
#define KADM5_ADMIN_SERVICE_P	"kadmin@admin"
/*
 * Solaris Kerberos:
 * The kadmin/admin principal is unused on Solaris. This principal is used
 * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
 * be used with host-based principals.
 *
 */
/* #define KADM5_ADMIN_SERVICE	"kadmin/admin" */
#define KADM5_CHANGEPW_SERVICE_P	"kadmin@changepw"
#define KADM5_CHANGEPW_SERVICE	"kadmin/changepw"
#define KADM5_HIST_PRINCIPAL	"kadmin/history"
/* host-based service names; see the Solaris note above (RPCSEC_GSS needs host-based principals) */
#define KADM5_ADMIN_HOST_SERVICE "kadmin"
#define KADM5_CHANGEPW_HOST_SERVICE "changepw"
#define KADM5_KIPROP_HOST_SERVICE "kiprop"

typedef krb5_principal	kadm5_princ_t;
typedef	char		*kadm5_policy_t;	/* policy name */
typedef long		kadm5_ret_t;		/* KADM5_OK, or an error code (kadm_err.h / krb5) */
typedef int rpc_int32;
typedef unsigned int rpc_u_int32;

/* Prompt text is resolved through error_message() at run time, not at compile time */
#define KADM5_PW_FIRST_PROMPT \
	(error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define KADM5_PW_SECOND_PROMPT \
	(error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))

/*
 * Successful return code
 */
#define KADM5_OK	0
103 
/*
 * Field masks
 *
 * Each bit names one member of the matching structure.  Callers OR
 * them into the "mask" argument of the create/modify/get calls to say
 * which members are set (or, for get, wanted).
 */

/* kadm5_principal_ent_t */
#define KADM5_PRINCIPAL		0x000001
#define KADM5_PRINC_EXPIRE_TIME	0x000002
#define KADM5_PW_EXPIRATION	0x000004
#define KADM5_LAST_PWD_CHANGE	0x000008
#define KADM5_ATTRIBUTES	0x000010
#define KADM5_MAX_LIFE		0x000020
#define KADM5_MOD_TIME		0x000040
#define KADM5_MOD_NAME		0x000080
#define KADM5_KVNO		0x000100
#define KADM5_MKVNO		0x000200
#define KADM5_AUX_ATTRIBUTES	0x000400
#define KADM5_POLICY		0x000800
#define KADM5_POLICY_CLR	0x001000
/* version 2 masks */
#define KADM5_MAX_RLIFE		0x002000
#define KADM5_LAST_SUCCESS	0x004000
#define KADM5_LAST_FAILED	0x008000
#define KADM5_FAIL_AUTH_COUNT	0x010000
#define KADM5_KEY_DATA		0x020000
#define KADM5_TL_DATA		0x040000
#ifdef notyet /* Novell */
#define KADM5_CPW_FUNCTION      0x080000
#define KADM5_RANDKEY_USED      0x100000
#endif
#define KADM5_LOAD		0x200000
/* Solaris Kerberos: adding support for key history in LDAP KDB */
#define KADM5_KEY_HIST		0x400000

/*
 * Bits 0-16, i.e. KADM5_PRINCIPAL through KADM5_FAIL_AUTH_COUNT.  That
 * leaves out KEY_DATA and TL_DATA, and also the higher bits (LOAD,
 * KEY_HIST and the "notyet" Novell bits); those have to be requested
 * explicitly.
 */
#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
139 
140 
/*
 * kadm5_policy_ent_t
 *
 * These values reuse the numeric range of the principal masks above
 * (0x004000 .. 0x080000).  A mask is only meaningful together with the
 * structure it was built for; never mix principal and policy masks.
 */
#define KADM5_PW_MAX_LIFE	0x004000
#define KADM5_PW_MIN_LIFE	0x008000
#define KADM5_PW_MIN_LENGTH	0x010000
#define KADM5_PW_MIN_CLASSES	0x020000
#define KADM5_PW_HISTORY_NUM	0x040000
#define KADM5_REF_COUNT		0x080000
148 
/* kadm5_config_params: bits of the "mask" member, one per settable field */
#define KADM5_CONFIG_REALM		0x0000001
#define KADM5_CONFIG_DBNAME		0x0000002
#define KADM5_CONFIG_MKEY_NAME		0x0000004
#define KADM5_CONFIG_MAX_LIFE		0x0000008
#define KADM5_CONFIG_MAX_RLIFE		0x0000010
#define KADM5_CONFIG_EXPIRATION		0x0000020
#define KADM5_CONFIG_FLAGS		0x0000040
#define KADM5_CONFIG_ADMIN_KEYTAB	0x0000080
#define KADM5_CONFIG_STASH_FILE		0x0000100
#define KADM5_CONFIG_ENCTYPE		0x0000200
#define KADM5_CONFIG_ADBNAME		0x0000400
#define KADM5_CONFIG_ADB_LOCKFILE	0x0000800
#define KADM5_CONFIG_PROFILE		0x0001000
#define KADM5_CONFIG_ACL_FILE		0x0002000
#define KADM5_CONFIG_KADMIND_PORT	0x0004000
#define KADM5_CONFIG_ENCTYPES		0x0008000
#define KADM5_CONFIG_ADMIN_SERVER	0x0010000
#define KADM5_CONFIG_DICT_FILE		0x0020000
#define KADM5_CONFIG_MKEY_FROM_KBD	0x0040000
#define KADM5_CONFIG_KPASSWD_PORT	0x0080000
#define KADM5_CONFIG_KPASSWD_SERVER	0x0100000
/* Solaris additions: kpasswd protocol selection and incremental propagation */
#define	KADM5_CONFIG_KPASSWD_PROTOCOL	0x0200000
#define	KADM5_CONFIG_IPROP_ENABLED	0x0400000
#define	KADM5_CONFIG_ULOG_SIZE		0x0800000
#define	KADM5_CONFIG_POLL_TIME		0x1000000
175 
/*
 * password change constants
 *
 * Result codes of the change-password protocol, as carried in the
 * server's reply.  0 is success; everything else is a failure the
 * client should report (see kadm5_chpass_principal_v2's srvr_rsp_code).
 */
#define	KRB5_KPASSWD_SUCCESS		0
#define	KRB5_KPASSWD_MALFORMED		1
#define	KRB5_KPASSWD_HARDERROR		2
#define	KRB5_KPASSWD_AUTHERROR		3
#define	KRB5_KPASSWD_SOFTERROR		4
#define	KRB5_KPASSWD_ACCESSDENIED	5
#define	KRB5_KPASSWD_BAD_VERSION	6
#define	KRB5_KPASSWD_INITIAL_FLAG_NEEDED	7
#define	KRB5_KPASSWD_POLICY_REJECT	8
#define	KRB5_KPASSWD_BAD_PRINCIPAL	9
#define	KRB5_KPASSWD_ETYPE_NOSUPP	10
188 
/*
 * permission bits
 *
 * Returned in *privs by kadm5_get_privs(); each bit grants one class of
 * operation to the authenticated client.
 */
#define KADM5_PRIV_GET		0x01
#define KADM5_PRIV_ADD		0x02
#define KADM5_PRIV_MODIFY	0x04
#define KADM5_PRIV_DELETE	0x08

/*
 * API versioning constants
 *
 * A version value is a 24-bit family tag (selected by KADM5_MASK_BITS)
 * OR'ed with a version number in the low byte.  Struct and API versions
 * use different family tags so one can never be mistaken for the other.
 */
#define KADM5_MASK_BITS		0xffffff00

#define KADM5_STRUCT_VERSION_MASK	0x12345600
#define KADM5_STRUCT_VERSION_1	(KADM5_STRUCT_VERSION_MASK|0x01)
#define KADM5_STRUCT_VERSION	KADM5_STRUCT_VERSION_1

#define KADM5_API_VERSION_MASK	0x12345700
#define KADM5_API_VERSION_1	(KADM5_API_VERSION_MASK|0x01)
#define KADM5_API_VERSION_2	(KADM5_API_VERSION_MASK|0x02)

#ifdef KRB5_DNS_LOOKUP
/*
 * Name length constants for DNS lookups
 */
#define	MAX_HOST_NAMELEN 256
/* room for 15 host names of MAX_HOST_NAMELEN plus separators and a terminator */
#define	MAX_DNS_NAMELEN (15*(MAX_HOST_NAMELEN + 1)+1)
#endif /* KRB5_DNS_LOOKUP */
217 
/*
 * Principal entry, API version 2.  Which members are valid is governed
 * by the KADM5_* principal field mask passed alongside the record.
 */
typedef struct _kadm5_principal_ent_t_v2 {
	krb5_principal	principal;
	krb5_timestamp	princ_expire_time;
	krb5_timestamp	last_pwd_change;
	krb5_timestamp	pw_expiration;
	krb5_deltat	max_life;
	krb5_principal	mod_name;	/* principal that last modified the entry */
	krb5_timestamp	mod_date;
	krb5_flags	attributes;
	krb5_kvno	kvno;
	krb5_kvno	mkvno;		/* master key version - TODO confirm */
	char		*policy;	/* policy name */
	long		aux_attributes;

	/* version 2 fields */
	krb5_deltat max_renewable_life;
        krb5_timestamp last_success;
        krb5_timestamp last_failed;
        krb5_kvno fail_auth_count;	/* a counter, despite the krb5_kvno type */
	krb5_int16 n_key_data;		/* number of key_data entries */
	krb5_int16 n_tl_data;		/* number of tl_data entries */
        krb5_tl_data *tl_data;
	krb5_key_data *key_data;	/* key material; see kadm5_free_key_data() */
} kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;
242 
/*
 * Principal entry, API version 1.  Identical to the first part of the
 * v2 layout; it has no key/tl data and no auth-failure bookkeeping.
 */
typedef struct _kadm5_principal_ent_t_v1 {
	krb5_principal	principal;
	krb5_timestamp	princ_expire_time;
	krb5_timestamp	last_pwd_change;
	krb5_timestamp	pw_expiration;
	krb5_deltat	max_life;
	krb5_principal	mod_name;	/* principal that last modified the entry */
	krb5_timestamp	mod_date;
	krb5_flags	attributes;
	krb5_kvno	kvno;
	krb5_kvno	mkvno;
	char		*policy;	/* policy name */
	long		aux_attributes;
} kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;
257 
/*
 * Select the layout behind kadm5_principal_ent_t.  If
 * USE_KADM5_API_VERSION is not defined at all it evaluates to 0 in
 * #if, so the version 2 layout is the default.
 */
#if USE_KADM5_API_VERSION == 1
typedef struct _kadm5_principal_ent_t_v1
     kadm5_principal_ent_rec, *kadm5_principal_ent_t;
#else
typedef struct _kadm5_principal_ent_t_v2
     kadm5_principal_ent_rec, *kadm5_principal_ent_t;
#endif
265 
/*
 * Password policy entry.  Which members are valid is governed by the
 * KADM5_PW_* / KADM5_REF_COUNT policy mask passed alongside the record.
 */
typedef struct _kadm5_policy_ent_t {
	char		*policy;	/* policy name */
	long		pw_min_life;
	long		pw_max_life;
	long		pw_min_length;
	long		pw_min_classes;	/* distinct character classes required - TODO confirm */
	long		pw_history_num;	/* number of old keys kept for reuse checks - TODO confirm */
	long		policy_refcnt;	/* presumably the number of principals using the policy */
} kadm5_policy_ent_rec, *kadm5_policy_ent_t;
275 
/*
 * New types to indicate which protocol to use when sending
 * password change requests: over the kadmin RPC (RPCSEC_GSS) or over
 * the stand-alone change-password protocol, version 2.
 */
typedef enum {
	KRB5_CHGPWD_RPCSEC,
	KRB5_CHGPWD_CHANGEPW_V2
} krb5_chgpwd_prot;
284 
/*
 * Data structure returned by kadm5_get_config_params()
 *
 * "mask" is built from the KADM5_CONFIG_* bits and says which of the
 * remaining members carry a value.  String members are owned by the
 * structure; release them with kadm5_free_config_params().
 */
typedef struct _kadm5_config_params {
     long		mask;
     char *		realm;
     int		kadmind_port;
     int		kpasswd_port;

     char *		admin_server;
#ifdef notyet /* Novell */ /* ABI change? */
     /* NOTE: same name as the unconditional member further down; enabling
      * "notyet" would make this struct invalid. */
     char *		kpasswd_server;
#endif

     char *		dbname;
     char *		admin_dbname;
     char *		admin_lockfile;
     char *		admin_keytab;
     char *		acl_file;
     char *		dict_file;

     int		mkey_from_kbd;	/* nonzero: prompt for the master key */
     char *		stash_file;
     char *		mkey_name;
     krb5_enctype	enctype;
     krb5_deltat	max_life;
     krb5_deltat	max_rlife;
     krb5_timestamp	expiration;
     krb5_flags		flags;
     krb5_key_salt_tuple *keysalts;	/* num_keysalts entries */
     krb5_int32		num_keysalts;
     char 			*kpasswd_server;

     /* Solaris additions (KADM5_CONFIG_KPASSWD_PROTOCOL .. _POLL_TIME) */
     krb5_chgpwd_prot	kpasswd_protocol;
     bool_t			iprop_enabled;
     int			iprop_ulogsize;
     char			*iprop_polltime;
} kadm5_config_params;
323 
324 /***********************************************************************
325  * This is the old krb5_realm_read_params, which I mutated into
326  * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
327  * still uses.
328  ***********************************************************************/
329 
/*
 * Data structure returned by krb5_read_realm_params()
 *
 * Unlike kadm5_config_params there is no mask: each optional scalar
 * has a matching "_valid" bit that says whether it was set.
 */
typedef struct __krb5_realm_params {
    char *		realm_profile;
    char *		realm_dbname;
    char *		realm_mkey_name;
    char *		realm_stash_file;
    char *		realm_kdc_ports;
    char *		realm_kdc_tcp_ports;
    char *		realm_acl_file;
    krb5_int32		realm_kadmind_port;
    krb5_enctype	realm_enctype;
    krb5_deltat		realm_max_life;
    krb5_deltat		realm_max_rlife;
    krb5_timestamp	realm_expiration;
    krb5_flags		realm_flags;
    krb5_key_salt_tuple	*realm_keysalts;	/* realm_num_keysalts entries */
    unsigned int	realm_reject_bad_transit:1;
    /* validity bits for the scalars above */
    unsigned int	realm_kadmind_port_valid:1;
    unsigned int	realm_enctype_valid:1;
    unsigned int	realm_max_life_valid:1;
    unsigned int	realm_max_rlife_valid:1;
    unsigned int	realm_expiration_valid:1;
    unsigned int	realm_flags_valid:1;
    unsigned int	realm_reject_bad_transit_valid:1;
    krb5_int32		realm_num_keysalts;
} krb5_realm_params;
358 
359 /*
360  * functions
361  */
362 
/*
 * Build the host-based admin / changepw service names for "realm".
 * *host_service_name receives the result; presumably allocated for the
 * caller to free - confirm against the implementation.
 */
kadm5_ret_t
kadm5_get_adm_host_srv_name(krb5_context context,
                           const char *realm, char **host_service_name);

kadm5_ret_t
kadm5_get_cpw_host_srv_name(krb5_context context,
                           const char *realm, char **host_service_name);

#if USE_KADM5_API_VERSION > 1
/*
 * Fill *params_out from the profile (and the KDC config when
 * use_kdc_config is nonzero), taking any values already set in
 * *params_in as overrides - TODO confirm precedence.  Release with
 * kadm5_free_config_params().
 */
krb5_error_code kadm5_get_config_params(krb5_context context,
					int use_kdc_config,
					kadm5_config_params *params_in,
					kadm5_config_params *params_out);

krb5_error_code kadm5_free_config_params(krb5_context context,
					 kadm5_config_params *params);

krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
					kadm5_config_params *params);

/*
 * Parameters are unnamed here; the trailing size_t is presumably the
 * size of the output buffer - confirm against the definition.
 */
krb5_error_code kadm5_get_admin_service_name(krb5_context, char *,
					     char *, size_t);
#endif
386 
/*
 * Open an administration session.  "pass" is the client's password in
 * the clear; NOTE(review): nothing here says whether the library
 * clears it - the caller should assume it must.  struct_version /
 * api_version are the KADM5_*_VERSION constants.  On success
 * *server_handle is the opaque handle every other call takes; release
 * it with kadm5_destroy().
 */
kadm5_ret_t    kadm5_init(char *client_name, char *pass,
			  char *service_name,
#if USE_KADM5_API_VERSION == 1
			  char *realm,
#else
			  kadm5_config_params *params,
#endif
			  krb5_ui_4 struct_version,
			  krb5_ui_4 api_version,
			  char **db_args,
			  void **server_handle);
kadm5_ret_t    kadm5_init_with_password(char *client_name,
					char *pass,
					char *service_name,
#if USE_KADM5_API_VERSION == 1
					char *realm,
#else
					kadm5_config_params *params,
#endif
					krb5_ui_4 struct_version,
					krb5_ui_4 api_version,
					char **db_args,
					void **server_handle);
/* As above, but authenticate with the key found in "keytab" */
kadm5_ret_t    kadm5_init_with_skey(char *client_name,
				    char *keytab,
				    char *service_name,
#if USE_KADM5_API_VERSION == 1
				    char *realm,
#else
				    kadm5_config_params *params,
#endif
				    krb5_ui_4 struct_version,
				    krb5_ui_4 api_version,
				    char **db_args,
				    void **server_handle);
#if USE_KADM5_API_VERSION > 1
/* As above, but authenticate with existing credentials from "cc" */
kadm5_ret_t    kadm5_init_with_creds(char *client_name,
				     krb5_ccache cc,
				     char *service_name,
				     kadm5_config_params *params,
				     krb5_ui_4 struct_version,
				     krb5_ui_4 api_version,
				     char **db_args,
				     void **server_handle);
#endif
kadm5_ret_t    kadm5_lock(void *server_handle);
kadm5_ret_t    kadm5_unlock(void *server_handle);
kadm5_ret_t    kadm5_flush(void *server_handle);
/* Close the session and release *server_handle */
kadm5_ret_t    kadm5_destroy(void *server_handle);
/*
 * Principal operations.  "mask" is built from the KADM5_* principal
 * field masks above and says which members of "ent" are meaningful.
 * "pass", where present, is the new password in the clear.
 */
kadm5_ret_t    kadm5_create_principal(void *server_handle,
				      kadm5_principal_ent_t ent,
				      long mask, char *pass);
/* "_3" variants add explicit key/salt selection: ks_tuple[n_ks_tuple] */
kadm5_ret_t    kadm5_create_principal_3(void *server_handle,
					kadm5_principal_ent_t ent,
					long mask,
					int n_ks_tuple,
					krb5_key_salt_tuple *ks_tuple,
					char *pass);
kadm5_ret_t    kadm5_delete_principal(void *server_handle,
				      krb5_principal principal);
kadm5_ret_t    kadm5_modify_principal(void *server_handle,
				      kadm5_principal_ent_t ent,
				      long mask);
kadm5_ret_t    kadm5_rename_principal(void *server_handle,
				      krb5_principal,krb5_principal);
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t    kadm5_get_principal(void *server_handle,
				   krb5_principal principal,
				   kadm5_principal_ent_t *ent);
#else
/* v2: the caller supplies the record and "mask" selects what to fill in */
kadm5_ret_t    kadm5_get_principal(void *server_handle,
				   krb5_principal principal,
				   kadm5_principal_ent_t ent,
				   long mask);
#endif
kadm5_ret_t    kadm5_chpass_principal(void *server_handle,
				      krb5_principal principal,
				      char *pass);
/* keepold: presumably retain the previous keys instead of replacing them - confirm */
kadm5_ret_t    kadm5_chpass_principal_3(void *server_handle,
					krb5_principal principal,
					krb5_boolean keepold,
					int n_ks_tuple,
					krb5_key_salt_tuple *ks_tuple,
					char *pass);
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
				       krb5_principal principal,
				       krb5_keyblock **keyblock);
#else

/*
 * Solaris Kerberos:
 * this routine is only implemented in the client library.
 */
kadm5_ret_t    kadm5_randkey_principal_old(void *server_handle,
				    krb5_principal principal,
				    krb5_keyblock **keyblocks,
				    int *n_keys);

/*
 * Replace the principal's keys with random ones.  The new keys are
 * returned to the caller as *keyblocks (an array of *n_keys entries);
 * they are secret material, and the caller is responsible for
 * releasing them - TODO confirm the expected free routine.
 */
kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
				       krb5_principal principal,
				       krb5_keyblock **keyblocks,
				       int *n_keys);
kadm5_ret_t    kadm5_randkey_principal_3(void *server_handle,
					 krb5_principal principal,
					 krb5_boolean keepold,
					 int n_ks_tuple,
					 krb5_key_salt_tuple *ks_tuple,
					 krb5_keyblock **keyblocks,
					 int *n_keys);
#endif
/* Install caller-supplied keys (instead of random ones or a password) */
kadm5_ret_t    kadm5_setv4key_principal(void *server_handle,
					krb5_principal principal,
					krb5_keyblock *keyblock);

kadm5_ret_t    kadm5_setkey_principal(void *server_handle,
				      krb5_principal principal,
				      krb5_keyblock *keyblocks,
				      int n_keys);

kadm5_ret_t    kadm5_setkey_principal_3(void *server_handle,
					krb5_principal principal,
					krb5_boolean keepold,
					int n_ks_tuple,
					krb5_key_salt_tuple *ks_tuple,
					krb5_keyblock *keyblocks,
					int n_keys);

/*
 * Decrypt the key_data entry of "entry" selected by ktype/stype/kvno
 * into *keyblock (and *keysalt); *kvnop receives the kvno actually
 * used - TODO confirm.  The output is cleartext key material.
 */
kadm5_ret_t    kadm5_decrypt_key(void *server_handle,
				 kadm5_principal_ent_t entry, krb5_int32
				 ktype, krb5_int32 stype, krb5_int32
				 kvno, krb5_keyblock *keyblock,
				 krb5_keysalt *keysalt, int *kvnop);
520 
/*
 * Policy operations.  "mask" is built from the KADM5_PW_* /
 * KADM5_REF_COUNT policy masks and says which members of "ent" apply.
 */
kadm5_ret_t    kadm5_create_policy(void *server_handle,
				   kadm5_policy_ent_t ent,
				   long mask);
/*
 * kadm5_create_policy_internal is not part of the supported,
 * exposed API.  It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_create_policy.
 */
kadm5_ret_t    kadm5_create_policy_internal(void *server_handle,
					    kadm5_policy_ent_t
					    entry, long mask);
kadm5_ret_t    kadm5_delete_policy(void *server_handle,
				   kadm5_policy_t policy);
kadm5_ret_t    kadm5_modify_policy(void *server_handle,
				   kadm5_policy_ent_t ent,
				   long mask);
/*
 * kadm5_modify_policy_internal is not part of the supported,
 * exposed API.  It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_modify_policy.
 */
kadm5_ret_t    kadm5_modify_policy_internal(void *server_handle,
					    kadm5_policy_ent_t
					    entry, long mask);
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t    kadm5_get_policy(void *server_handle,
				kadm5_policy_t policy,
				kadm5_policy_ent_t *ent);
#else
/* v2: the caller supplies the record to fill in */
kadm5_ret_t    kadm5_get_policy(void *server_handle,
				kadm5_policy_t policy,
				kadm5_policy_ent_t ent);
#endif
/* *privs receives the caller's KADM5_PRIV_* bits */
kadm5_ret_t    kadm5_get_privs(void *server_handle,
			       long *privs);

/*
 * Change a password with prompting and quality feedback.  msg_ret is a
 * caller-supplied buffer of msg_len bytes for the status text (the
 * ovsec_kadm_ variant of this call has no length argument).
 */
kadm5_ret_t    kadm5_chpass_principal_util(void *server_handle,
					   krb5_principal princ,
					   char *new_pw,
					   char **ret_pw,
					   char *msg_ret,
					   unsigned int msg_len);

/* Release records filled in by kadm5_get_principal / kadm5_get_policy */
kadm5_ret_t    kadm5_free_principal_ent(void *server_handle,
					kadm5_principal_ent_t
					ent);
kadm5_ret_t    kadm5_free_policy_ent(void *server_handle,
				     kadm5_policy_ent_t ent);

/*
 * List principals / policies matching the glob "exp"; *princs / *pols
 * receive *count names.  Release with kadm5_free_name_list().
 */
kadm5_ret_t    kadm5_get_principals(void *server_handle,
				    char *exp, char ***princs,
				    int *count);

kadm5_ret_t    kadm5_get_policies(void *server_handle,
				  char *exp, char ***pols,
				  int *count);

#if USE_KADM5_API_VERSION > 1
/* Release the key_data array of a principal record (count passed by pointer) */
kadm5_ret_t    kadm5_free_key_data(void *server_handle,
				   krb5_int16 *n_key_data,
				   krb5_key_data *key_data);
#endif

kadm5_ret_t    kadm5_free_name_list(void *server_handle, char **names,
				    int count);

krb5_error_code kadm5_init_krb5_context (krb5_context *);
590 
#if USE_KADM5_API_VERSION == 1
/*
 * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time
 * compatible with KADM5_API_VERSION_2.  Basically, this means we have
 * to continue to provide all the old ovsec_kadm function and symbol
 * names.
 *
 * Everything in this block is the legacy OpenVision spelling of the
 * kadm5 definitions above; the values are kept identical on purpose.
 */

#define OVSEC_KADM_ACLFILE		"/krb5/ovsec_adm.acl"
#define	OVSEC_KADM_WORDFILE		"/krb5/ovsec_adm.dict"

#define OVSEC_KADM_ADMIN_SERVICE	"ovsec_adm/admin"
#define OVSEC_KADM_CHANGEPW_SERVICE	"ovsec_adm/changepw"
#define OVSEC_KADM_HIST_PRINCIPAL	"ovsec_adm/history"

typedef krb5_principal	ovsec_kadm_princ_t;
typedef krb5_keyblock	ovsec_kadm_keyblock;
typedef	char		*ovsec_kadm_policy_t;
typedef long		ovsec_kadm_ret_t;

enum	ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL };
enum	ovsec_kadm_saltmod  { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL };

/*
 * Unlike KADM5_PW_*_PROMPT these cast away the const of the
 * error_message() result; the text must still not be written to.
 */
#define OVSEC_KADM_PW_FIRST_PROMPT \
	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define OVSEC_KADM_PW_SECOND_PROMPT \
	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))

/*
 * Successful return code
 */
#define OVSEC_KADM_OK	0

/*
 * Create/Modify masks (same values as the KADM5_* masks above)
 */
/* principal */
#define OVSEC_KADM_PRINCIPAL		0x000001
#define OVSEC_KADM_PRINC_EXPIRE_TIME	0x000002
#define OVSEC_KADM_PW_EXPIRATION	0x000004
#define OVSEC_KADM_LAST_PWD_CHANGE	0x000008
#define OVSEC_KADM_ATTRIBUTES		0x000010
#define OVSEC_KADM_MAX_LIFE		0x000020
#define OVSEC_KADM_MOD_TIME		0x000040
#define OVSEC_KADM_MOD_NAME		0x000080
#define OVSEC_KADM_KVNO			0x000100
#define OVSEC_KADM_MKVNO		0x000200
#define OVSEC_KADM_AUX_ATTRIBUTES	0x000400
#define OVSEC_KADM_POLICY		0x000800
#define OVSEC_KADM_POLICY_CLR		0x001000
/* policy */
#define OVSEC_KADM_PW_MAX_LIFE		0x004000
#define OVSEC_KADM_PW_MIN_LIFE		0x008000
#define OVSEC_KADM_PW_MIN_LENGTH	0x010000
#define OVSEC_KADM_PW_MIN_CLASSES	0x020000
#define OVSEC_KADM_PW_HISTORY_NUM	0x040000
#define OVSEC_KADM_REF_COUNT		0x080000

/*
 * permission bits
 */
#define OVSEC_KADM_PRIV_GET	0x01
#define OVSEC_KADM_PRIV_ADD	0x02
#define OVSEC_KADM_PRIV_MODIFY	0x04
#define OVSEC_KADM_PRIV_DELETE	0x08

/*
 * API versioning constants
 */
#define OVSEC_KADM_MASK_BITS		0xffffff00

#define OVSEC_KADM_STRUCT_VERSION_MASK	0x12345600
#define OVSEC_KADM_STRUCT_VERSION_1	(OVSEC_KADM_STRUCT_VERSION_MASK|0x01)
#define OVSEC_KADM_STRUCT_VERSION	OVSEC_KADM_STRUCT_VERSION_1

#define OVSEC_KADM_API_VERSION_MASK	0x12345700
#define OVSEC_KADM_API_VERSION_1	(OVSEC_KADM_API_VERSION_MASK|0x01)


/* Same layout as _kadm5_principal_ent_t_v1 */
typedef struct _ovsec_kadm_principal_ent_t {
	krb5_principal	principal;
	krb5_timestamp	princ_expire_time;
	krb5_timestamp	last_pwd_change;
	krb5_timestamp	pw_expiration;
	krb5_deltat	max_life;
	krb5_principal	mod_name;
	krb5_timestamp	mod_date;
	krb5_flags	attributes;
	krb5_kvno	kvno;
	krb5_kvno	mkvno;
	char		*policy;
	long		aux_attributes;
} ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t;

/* Same layout as _kadm5_policy_ent_t */
typedef struct _ovsec_kadm_policy_ent_t {
	char		*policy;
	long		pw_min_life;
	long		pw_max_life;
	long		pw_min_length;
	long		pw_min_classes;
	long		pw_history_num;
	long		policy_refcnt;
} ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t;

/*
 * functions
 *
 * These mirror the kadm5_* calls above with the v1 signatures (a realm
 * string instead of kadm5_config_params, get calls that allocate the
 * record).  See the kadm5_* comments for argument meanings.
 */
ovsec_kadm_ret_t    ovsec_kadm_init(char *client_name, char *pass,
				    char *service_name, char *realm,
				    krb5_ui_4 struct_version,
				    krb5_ui_4 api_version,
				    char **db_args,
				    void **server_handle);
ovsec_kadm_ret_t    ovsec_kadm_init_with_password(char *client_name,
						  char *pass,
						  char *service_name,
						  char *realm,
						  krb5_ui_4 struct_version,
						  krb5_ui_4 api_version,
						  char ** db_args,
						  void **server_handle);
ovsec_kadm_ret_t    ovsec_kadm_init_with_skey(char *client_name,
					      char *keytab,
					      char *service_name,
					      char *realm,
					      krb5_ui_4 struct_version,
					      krb5_ui_4 api_version,
					      char **db_args,
					      void **server_handle);
ovsec_kadm_ret_t    ovsec_kadm_flush(void *server_handle);
ovsec_kadm_ret_t    ovsec_kadm_destroy(void *server_handle);
ovsec_kadm_ret_t    ovsec_kadm_create_principal(void *server_handle,
						ovsec_kadm_principal_ent_t ent,
						long mask, char *pass);
ovsec_kadm_ret_t    ovsec_kadm_delete_principal(void *server_handle,
						krb5_principal principal);
ovsec_kadm_ret_t    ovsec_kadm_modify_principal(void *server_handle,
						ovsec_kadm_principal_ent_t ent,
						long mask);
ovsec_kadm_ret_t    ovsec_kadm_rename_principal(void *server_handle,
						krb5_principal,krb5_principal);
ovsec_kadm_ret_t    ovsec_kadm_get_principal(void *server_handle,
					     krb5_principal principal,
					     ovsec_kadm_principal_ent_t *ent);
ovsec_kadm_ret_t    ovsec_kadm_chpass_principal(void *server_handle,
						krb5_principal principal,
						char *pass);
/* *keyblock receives the new key: secret material the caller must release */
ovsec_kadm_ret_t    ovsec_kadm_randkey_principal(void *server_handle,
						 krb5_principal principal,
						 krb5_keyblock **keyblock);
ovsec_kadm_ret_t    ovsec_kadm_create_policy(void *server_handle,
					     ovsec_kadm_policy_ent_t ent,
					     long mask);
/*
 * ovsec_kadm_create_policy_internal is not part of the supported,
 * exposed API.  It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from ovsec_kadm_create_policy.
 */
ovsec_kadm_ret_t    ovsec_kadm_create_policy_internal(void *server_handle,
						      ovsec_kadm_policy_ent_t
						      entry, long mask);
ovsec_kadm_ret_t    ovsec_kadm_delete_policy(void *server_handle,
					     ovsec_kadm_policy_t policy);
ovsec_kadm_ret_t    ovsec_kadm_modify_policy(void *server_handle,
					     ovsec_kadm_policy_ent_t ent,
					     long mask);
/*
 * ovsec_kadm_modify_policy_internal is not part of the supported,
 * exposed API.  It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from ovsec_kadm_modify_policy.
 */
ovsec_kadm_ret_t    ovsec_kadm_modify_policy_internal(void *server_handle,
						      ovsec_kadm_policy_ent_t
						      entry, long mask);
ovsec_kadm_ret_t    ovsec_kadm_get_policy(void *server_handle,
					  ovsec_kadm_policy_t policy,
					  ovsec_kadm_policy_ent_t *ent);
ovsec_kadm_ret_t    ovsec_kadm_get_privs(void *server_handle,
					 long *privs);

/*
 * NOTE: unlike kadm5_chpass_principal_util there is no length argument
 * for msg_ret, so the caller cannot tell the callee how large the
 * buffer is; the required size is a convention between the two.
 */
ovsec_kadm_ret_t    ovsec_kadm_chpass_principal_util(void *server_handle,
						     krb5_principal princ,
						     char *new_pw,
						     char **ret_pw,
						     char *msg_ret);

ovsec_kadm_ret_t    ovsec_kadm_free_principal_ent(void *server_handle,
						  ovsec_kadm_principal_ent_t
						  ent);
ovsec_kadm_ret_t    ovsec_kadm_free_policy_ent(void *server_handle,
					       ovsec_kadm_policy_ent_t ent);

ovsec_kadm_ret_t ovsec_kadm_free_name_list(void *server_handle,
					   char **names, int count);

ovsec_kadm_ret_t    ovsec_kadm_get_principals(void *server_handle,
					      char *exp, char ***princs,
					      int *count);

ovsec_kadm_ret_t    ovsec_kadm_get_policies(void *server_handle,
					    char *exp, char ***pols,
					    int *count);

/* Error code aliases: each OVSEC_KADM_* name is the matching KADM5_* code from kadm_err.h */
#define OVSEC_KADM_FAILURE KADM5_FAILURE
#define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET
#define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD
#define OVSEC_KADM_AUTH_MODIFY KADM5_AUTH_MODIFY
#define OVSEC_KADM_AUTH_DELETE KADM5_AUTH_DELETE
#define OVSEC_KADM_AUTH_INSUFFICIENT KADM5_AUTH_INSUFFICIENT
#define OVSEC_KADM_BAD_DB KADM5_BAD_DB
#define OVSEC_KADM_DUP KADM5_DUP
#define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR
#define OVSEC_KADM_NO_SRV KADM5_NO_SRV
#define OVSEC_KADM_BAD_HIST_KEY KADM5_BAD_HIST_KEY
#define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT
#define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC
#define OVSEC_KADM_UNK_POLICY KADM5_UNK_POLICY
#define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK
#define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS
#define OVSEC_KADM_BAD_LENGTH KADM5_BAD_LENGTH
#define OVSEC_KADM_BAD_POLICY KADM5_BAD_POLICY
#define OVSEC_KADM_BAD_PRINCIPAL KADM5_BAD_PRINCIPAL
#define OVSEC_KADM_BAD_AUX_ATTR KADM5_BAD_AUX_ATTR
#define OVSEC_KADM_BAD_HISTORY KADM5_BAD_HISTORY
#define OVSEC_KADM_BAD_MIN_PASS_LIFE KADM5_BAD_MIN_PASS_LIFE
#define OVSEC_KADM_PASS_Q_TOOSHORT KADM5_PASS_Q_TOOSHORT
#define OVSEC_KADM_PASS_Q_CLASS KADM5_PASS_Q_CLASS
#define OVSEC_KADM_PASS_Q_DICT KADM5_PASS_Q_DICT
#define OVSEC_KADM_PASS_REUSE KADM5_PASS_REUSE
#define OVSEC_KADM_PASS_TOOSOON KADM5_PASS_TOOSOON
#define OVSEC_KADM_POLICY_REF KADM5_POLICY_REF
#define OVSEC_KADM_INIT KADM5_INIT
#define OVSEC_KADM_BAD_PASSWORD KADM5_BAD_PASSWORD
#define OVSEC_KADM_PROTECT_PRINCIPAL KADM5_PROTECT_PRINCIPAL
#define OVSEC_KADM_BAD_SERVER_HANDLE KADM5_BAD_SERVER_HANDLE
#define OVSEC_KADM_BAD_STRUCT_VERSION KADM5_BAD_STRUCT_VERSION
#define OVSEC_KADM_OLD_STRUCT_VERSION KADM5_OLD_STRUCT_VERSION
#define OVSEC_KADM_NEW_STRUCT_VERSION KADM5_NEW_STRUCT_VERSION
#define OVSEC_KADM_BAD_API_VERSION KADM5_BAD_API_VERSION
#define OVSEC_KADM_OLD_LIB_API_VERSION KADM5_OLD_LIB_API_VERSION
#define OVSEC_KADM_OLD_SERVER_API_VERSION KADM5_OLD_SERVER_API_VERSION
#define OVSEC_KADM_NEW_LIB_API_VERSION KADM5_NEW_LIB_API_VERSION
#define OVSEC_KADM_NEW_SERVER_API_VERSION KADM5_NEW_SERVER_API_VERSION
#define OVSEC_KADM_SECURE_PRINC_MISSING KADM5_SECURE_PRINC_MISSING
#define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT

#endif /* USE_KADM5_API_VERSION == 1 */
840 
/* Longest principal name shown before trunc_name() shortens it - TODO confirm */
#define MAXPRINCLEN 125

/*
 * Display helper: presumably caps *len at MAXPRINCLEN and points *dots
 * at an ellipsis when truncation happened - confirm against the
 * definition.
 */
void trunc_name(size_t *len, char **dots);

/* Which password-change transport the session is configured for (leading
 * underscore marks it as library-private) */
krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle);
/*
 * Change a password over the changepw v2 protocol.  *srvr_rsp_code
 * receives the server's KRB5_KPASSWD_* result and *srvr_msg its
 * message text.
 */
kadm5_ret_t	kadm5_chpass_principal_v2(void *server_handle,
					krb5_principal princ,
					char *new_password,
					kadm5_ret_t *srvr_rsp_code,
					krb5_data *srvr_msg);

/*
 * Server side of the change-password protocol.  "s" is presumably the
 * socket the request arrived on - confirm against the definition.
 * The request is untrusted network input.
 */
void handle_chpw(krb5_context context, int s, void *serverhandle,
			kadm5_config_params *params);
854 
855 #ifdef __cplusplus
856 }
857 #endif
858 
859 #endif	/* __KADM5_ADMIN_H__ */