xref: /illumos-gate/usr/src/lib/krb5/kadm5/admin.h (revision 54925bf60766fbb4f1f2d7c843721406a7b7a3fb)
1 /*
2  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #ifndef	__KADM5_ADMIN_H__
7 #define	__KADM5_ADMIN_H__
8 
9 #pragma ident	"%Z%%M%	%I%	%E% SMI"
10 
11 #ifdef __cplusplus
12 extern "C" {
13 #endif
14 
15 /*
16  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
17  *
18  *	Openvision retains the copyright to derivative works of
19  *	this source code.  Do *NOT* create a derivative of this
20  *	source code before consulting with your legal department.
21  *	Do *NOT* integrate *ANY* of this source code into another
22  *	product before consulting with your legal department.
23  *
24  *	For further information, read the top-level Openvision
25  *	copyright which is contained in the top-level MIT Kerberos
26  *	copyright.
27  *
28  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
29  *
30  */
31 /*
32  * lib/kadm5/admin.h
33  *
34  * Copyright 2001 by the Massachusetts Institute of Technology.
35  * All Rights Reserved.
36  *
37  * Export of this software from the United States of America may
38  *   require a specific license from the United States Government.
39  *   It is the responsibility of any person or organization contemplating
40  *   export to obtain such a license before exporting.
41  *
42  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43  * distribute this software and its documentation for any purpose and
44  * without fee is hereby granted, provided that the above copyright
45  * notice appear in all copies and that both that copyright notice and
46  * this permission notice appear in supporting documentation, and that
47  * the name of M.I.T. not be used in advertising or publicity pertaining
48  * to distribution of the software without specific, written prior
49  * permission.  Furthermore if you modify this software you must label
50  * your software as modified software and not distribute it in such a
51  * fashion that it might be confused with the original M.I.T. software.
52  * M.I.T. makes no representations about the suitability of
53  * this software for any purpose.  It is provided "as is" without express
54  * or implied warranty.
55  *
56  */
57 /*
58  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
59  *
60  * $Header$
61  */
62 
63 #include	<sys/types.h>
64 #include	<rpc/types.h>
65 #include	<rpc/rpc.h>
66 #include	<krb5.h>
67 #include	<k5-int.h>
68 #include	<krb5/kdb.h>
69 #include	<com_err.h>
70 #include	<kadm5/kadm_err.h>
71 #include	<kadm5/chpass_util_strings.h>
72 
73 #define KADM5_ADMIN_SERVICE_P	"kadmin@admin"
74 /*
75  * Solaris Kerberos:
76  * The kadmin/admin principal is unused on Solaris. This principal is used
77  * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
78  * be used with host-based principals.
79  *
80  */
81 /* #define KADM5_ADMIN_SERVICE	"kadmin/admin" */
82 #define KADM5_CHANGEPW_SERVICE_P	"kadmin@changepw"
83 #define KADM5_CHANGEPW_SERVICE	"kadmin/changepw"
84 #define KADM5_HIST_PRINCIPAL	"kadmin/history"
85 #define KADM5_ADMIN_HOST_SERVICE "kadmin"
86 #define KADM5_CHANGEPW_HOST_SERVICE "changepw"
87 #define KADM5_KIPROP_HOST_SERVICE "kiprop"
88 
89 typedef krb5_principal	kadm5_princ_t;
90 typedef	char		*kadm5_policy_t;
91 typedef long		kadm5_ret_t;
92 typedef int rpc_int32;
93 typedef unsigned int rpc_u_int32;
94 
95 #define KADM5_PW_FIRST_PROMPT \
96 	(error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
97 #define KADM5_PW_SECOND_PROMPT \
98 	(error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
99 
100 /*
101  * Successful return code
102  */
103 #define KADM5_OK	0
104 
105 /*
106  * Field masks
107  */
108 
109 /* kadm5_principal_ent_t */
110 #define KADM5_PRINCIPAL		0x000001
111 #define KADM5_PRINC_EXPIRE_TIME	0x000002
112 #define KADM5_PW_EXPIRATION	0x000004
113 #define KADM5_LAST_PWD_CHANGE	0x000008
114 #define KADM5_ATTRIBUTES	0x000010
115 #define KADM5_MAX_LIFE		0x000020
116 #define KADM5_MOD_TIME		0x000040
117 #define KADM5_MOD_NAME		0x000080
118 #define KADM5_KVNO		0x000100
119 #define KADM5_MKVNO		0x000200
120 #define KADM5_AUX_ATTRIBUTES	0x000400
121 #define KADM5_POLICY		0x000800
122 #define KADM5_POLICY_CLR	0x001000
123 /* version 2 masks */
124 #define KADM5_MAX_RLIFE		0x002000
125 #define KADM5_LAST_SUCCESS	0x004000
126 #define KADM5_LAST_FAILED	0x008000
127 #define KADM5_FAIL_AUTH_COUNT	0x010000
128 #define KADM5_KEY_DATA		0x020000
129 #define KADM5_TL_DATA		0x040000
130 #ifdef notyet /* Novell */
131 #define KADM5_CPW_FUNCTION      0x080000
132 #define KADM5_RANDKEY_USED      0x100000
133 #endif
134 #define KADM5_LOAD		0x200000
135 
136 /* all but KEY_DATA and TL_DATA */
137 #define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
138 
139 
140 /* kadm5_policy_ent_t */
141 #define KADM5_PW_MAX_LIFE	0x004000
142 #define KADM5_PW_MIN_LIFE	0x008000
143 #define KADM5_PW_MIN_LENGTH	0x010000
144 #define KADM5_PW_MIN_CLASSES	0x020000
145 #define KADM5_PW_HISTORY_NUM	0x040000
146 #define KADM5_REF_COUNT		0x080000
147 
148 /* kadm5_config_params */
149 #define KADM5_CONFIG_REALM		0x0000001
150 #define KADM5_CONFIG_DBNAME		0x0000002
151 #define KADM5_CONFIG_MKEY_NAME		0x0000004
152 #define KADM5_CONFIG_MAX_LIFE		0x0000008
153 #define KADM5_CONFIG_MAX_RLIFE		0x0000010
154 #define KADM5_CONFIG_EXPIRATION		0x0000020
155 #define KADM5_CONFIG_FLAGS		0x0000040
156 #define KADM5_CONFIG_ADMIN_KEYTAB	0x0000080
157 #define KADM5_CONFIG_STASH_FILE		0x0000100
158 #define KADM5_CONFIG_ENCTYPE		0x0000200
159 #define KADM5_CONFIG_ADBNAME		0x0000400
160 #define KADM5_CONFIG_ADB_LOCKFILE	0x0000800
161 #define KADM5_CONFIG_PROFILE		0x0001000
162 #define KADM5_CONFIG_ACL_FILE		0x0002000
163 #define KADM5_CONFIG_KADMIND_PORT	0x0004000
164 #define KADM5_CONFIG_ENCTYPES		0x0008000
165 #define KADM5_CONFIG_ADMIN_SERVER	0x0010000
166 #define KADM5_CONFIG_DICT_FILE		0x0020000
167 #define KADM5_CONFIG_MKEY_FROM_KBD	0x0040000
168 #define KADM5_CONFIG_KPASSWD_PORT	0x0080000
169 #define KADM5_CONFIG_KPASSWD_SERVER	0x0100000
170 #define	KADM5_CONFIG_KPASSWD_PROTOCOL	0x0200000
171 #define	KADM5_CONFIG_IPROP_ENABLED	0x0400000
172 #define	KADM5_CONFIG_ULOG_SIZE		0x0800000
173 #define	KADM5_CONFIG_POLL_TIME		0x1000000
174 
175 /* password change constants */
176 #define	KRB5_KPASSWD_SUCCESS		0
177 #define	KRB5_KPASSWD_MALFORMED		1
178 #define	KRB5_KPASSWD_HARDERROR		2
179 #define	KRB5_KPASSWD_AUTHERROR		3
180 #define	KRB5_KPASSWD_SOFTERROR		4
181 #define	KRB5_KPASSWD_ACCESSDENIED	5
182 #define	KRB5_KPASSWD_BAD_VERSION	6
183 #define	KRB5_KPASSWD_INITIAL_FLAG_NEEDED	7
184 #define	KRB5_KPASSWD_POLICY_REJECT	8
185 #define	KRB5_KPASSWD_BAD_PRINCIPAL	9
186 #define	KRB5_KPASSWD_ETYPE_NOSUPP	10
187 
188 /*
189  * permission bits
190  */
191 #define KADM5_PRIV_GET		0x01
192 #define KADM5_PRIV_ADD		0x02
193 #define KADM5_PRIV_MODIFY	0x04
194 #define KADM5_PRIV_DELETE	0x08
195 
196 /*
197  * API versioning constants
198  */
199 #define KADM5_MASK_BITS		0xffffff00
200 
201 #define KADM5_STRUCT_VERSION_MASK	0x12345600
202 #define KADM5_STRUCT_VERSION_1	(KADM5_STRUCT_VERSION_MASK|0x01)
203 #define KADM5_STRUCT_VERSION	KADM5_STRUCT_VERSION_1
204 
205 #define KADM5_API_VERSION_MASK	0x12345700
206 #define KADM5_API_VERSION_1	(KADM5_API_VERSION_MASK|0x01)
207 #define KADM5_API_VERSION_2	(KADM5_API_VERSION_MASK|0x02)
208 
209 #ifdef KRB5_DNS_LOOKUP
210 /*
211  * Name length constants for DNS lookups
212  */
213 #define	MAX_HOST_NAMELEN 256
214 #define	MAX_DNS_NAMELEN (15*(MAX_HOST_NAMELEN + 1)+1)
215 #endif /* KRB5_DNS_LOOKUP */
216 
217 typedef struct _kadm5_principal_ent_t_v2 {
218 	krb5_principal	principal;
219 	krb5_timestamp	princ_expire_time;
220 	krb5_timestamp	last_pwd_change;
221 	krb5_timestamp	pw_expiration;
222 	krb5_deltat	max_life;
223 	krb5_principal	mod_name;
224 	krb5_timestamp	mod_date;
225 	krb5_flags	attributes;
226 	krb5_kvno	kvno;
227 	krb5_kvno	mkvno;
228 	char		*policy;
229 	long		aux_attributes;
230 
231 	/* version 2 fields */
232 	krb5_deltat max_renewable_life;
233         krb5_timestamp last_success;
234         krb5_timestamp last_failed;
235         krb5_kvno fail_auth_count;
236 	krb5_int16 n_key_data;
237 	krb5_int16 n_tl_data;
238         krb5_tl_data *tl_data;
239 	krb5_key_data *key_data;
240 } kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;
241 
242 typedef struct _kadm5_principal_ent_t_v1 {
243 	krb5_principal	principal;
244 	krb5_timestamp	princ_expire_time;
245 	krb5_timestamp	last_pwd_change;
246 	krb5_timestamp	pw_expiration;
247 	krb5_deltat	max_life;
248 	krb5_principal	mod_name;
249 	krb5_timestamp	mod_date;
250 	krb5_flags	attributes;
251 	krb5_kvno	kvno;
252 	krb5_kvno	mkvno;
253 	char		*policy;
254 	long		aux_attributes;
255 } kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;
256 
257 #if USE_KADM5_API_VERSION == 1
258 typedef struct _kadm5_principal_ent_t_v1
259      kadm5_principal_ent_rec, *kadm5_principal_ent_t;
260 #else
261 typedef struct _kadm5_principal_ent_t_v2
262      kadm5_principal_ent_rec, *kadm5_principal_ent_t;
263 #endif
264 
265 typedef struct _kadm5_policy_ent_t {
266 	char		*policy;
267 	long		pw_min_life;
268 	long		pw_max_life;
269 	long		pw_min_length;
270 	long		pw_min_classes;
271 	long		pw_history_num;
272 	long		policy_refcnt;
273 } kadm5_policy_ent_rec, *kadm5_policy_ent_t;
274 
275 #if 0 /************** Begin IFDEF'ed OUT *******************************/
276 typedef struct __krb5_key_salt_tuple {
277      krb5_enctype	ks_enctype;
278      krb5_int32		ks_salttype;
279 } krb5_key_salt_tuple;
280 #endif /**************** END IFDEF'ed OUT *******************************/
281 
282 /*
283  * New types to indicate which protocol to use when sending
284  * password change requests
285  */
286 typedef enum {
287 	KRB5_CHGPWD_RPCSEC,
288 	KRB5_CHGPWD_CHANGEPW_V2
289 } krb5_chgpwd_prot;
290 
291 /*
292  * Data structure returned by kadm5_get_config_params()
293  */
294 typedef struct _kadm5_config_params {
295      long		mask;
296      char *		realm;
297      char *		profile;
298      int		kadmind_port;
299      int		kpasswd_port;
300 
301      char *		admin_server;
302 #ifdef notyet /* Novell */ /* ABI change? */
303      char *		kpasswd_server;
304 #endif
305 
306      char *		dbname;
307      char *		admin_dbname;
308      char *		admin_lockfile;
309      char *		admin_keytab;
310      char *		acl_file;
311      char *		dict_file;
312 
313      int		mkey_from_kbd;
314      char *		stash_file;
315      char *		mkey_name;
316      krb5_enctype	enctype;
317      krb5_deltat	max_life;
318      krb5_deltat	max_rlife;
319      krb5_timestamp	expiration;
320      krb5_flags		flags;
321      krb5_key_salt_tuple *keysalts;
322      krb5_int32		num_keysalts;
323      char 			*kpasswd_server;
324 
325      krb5_chgpwd_prot	kpasswd_protocol;
326      bool_t			iprop_enabled;
327      int			iprop_ulogsize;
328      char			*iprop_polltime;
329 } kadm5_config_params;
330 
331 /***********************************************************************
332  * This is the old krb5_realm_read_params, which I mutated into
333  * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
334  * still uses.
335  ***********************************************************************/
336 
337 /*
338  * Data structure returned by krb5_read_realm_params()
339  */
340 typedef struct __krb5_realm_params {
341     char *		realm_profile;
342     char *		realm_dbname;
343     char *		realm_mkey_name;
344     char *		realm_stash_file;
345     char *		realm_kdc_ports;
346     char *		realm_kdc_tcp_ports;
347     char *		realm_acl_file;
348     krb5_int32		realm_kadmind_port;
349     krb5_enctype	realm_enctype;
350     krb5_deltat		realm_max_life;
351     krb5_deltat		realm_max_rlife;
352     krb5_timestamp	realm_expiration;
353     krb5_flags		realm_flags;
354     krb5_key_salt_tuple	*realm_keysalts;
355     unsigned int	realm_reject_bad_transit:1;
356     unsigned int	realm_kadmind_port_valid:1;
357     unsigned int	realm_enctype_valid:1;
358     unsigned int	realm_max_life_valid:1;
359     unsigned int	realm_max_rlife_valid:1;
360     unsigned int	realm_expiration_valid:1;
361     unsigned int	realm_flags_valid:1;
362     unsigned int	realm_reject_bad_transit_valid:1;
363     krb5_int32		realm_num_keysalts;
364 } krb5_realm_params;
365 
366 /*
367  * functions
368  */
369 
370 kadm5_ret_t
371 kadm5_get_adm_host_srv_name(krb5_context context,
372                            const char *realm, char **host_service_name);
373 
374 kadm5_ret_t
375 kadm5_get_cpw_host_srv_name(krb5_context context,
376                            const char *realm, char **host_service_name);
377 
378 #if USE_KADM5_API_VERSION > 1
379 krb5_error_code kadm5_get_config_params(krb5_context context,
380 					char *kdcprofile, char *kdcenv,
381 					kadm5_config_params *params_in,
382 					kadm5_config_params *params_out);
383 
384 krb5_error_code kadm5_free_config_params(krb5_context context,
385 					 kadm5_config_params *params);
386 
387 krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
388 					kadm5_config_params *params);
389 
390 krb5_error_code kadm5_get_admin_service_name(krb5_context, char *,
391 					     char *, size_t);
392 #endif
393 
394 kadm5_ret_t    kadm5_init(char *client_name, char *pass,
395 			  char *service_name,
396 #if USE_KADM5_API_VERSION == 1
397 			  char *realm,
398 #else
399 			  kadm5_config_params *params,
400 #endif
401 			  krb5_ui_4 struct_version,
402 			  krb5_ui_4 api_version,
403 			  char **db_args,
404 			  void **server_handle);
405 
406 kadm5_ret_t    kadm5_init_with_password(char *client_name,
407 					char *pass,
408 					char *service_name,
409 #if USE_KADM5_API_VERSION == 1
410 					char *realm,
411 #else
412 					kadm5_config_params *params,
413 #endif
414 					krb5_ui_4 struct_version,
415 					krb5_ui_4 api_version,
416 					char **db_args,
417 					void **server_handle);
418 kadm5_ret_t    kadm5_init_with_skey(char *client_name,
419 				    char *keytab,
420 				    char *service_name,
421 #if USE_KADM5_API_VERSION == 1
422 				    char *realm,
423 #else
424 				    kadm5_config_params *params,
425 #endif
426 				    krb5_ui_4 struct_version,
427 				    krb5_ui_4 api_version,
428 				    char **db_args,
429 				    void **server_handle);
430 #if USE_KADM5_API_VERSION > 1
431 kadm5_ret_t    kadm5_init_with_creds(char *client_name,
432 				     krb5_ccache cc,
433 				     char *service_name,
434 				     kadm5_config_params *params,
435 				     krb5_ui_4 struct_version,
436 				     krb5_ui_4 api_version,
437 				     char **db_args,
438 				     void **server_handle);
439 #endif
440 kadm5_ret_t    kadm5_lock(void *server_handle);
441 kadm5_ret_t    kadm5_unlock(void *server_handle);
442 kadm5_ret_t    kadm5_flush(void *server_handle);
443 kadm5_ret_t    kadm5_destroy(void *server_handle);
444 kadm5_ret_t    kadm5_create_principal(void *server_handle,
445 				      kadm5_principal_ent_t ent,
446 				      long mask, char *pass);
447 kadm5_ret_t    kadm5_create_principal_3(void *server_handle,
448 					kadm5_principal_ent_t ent,
449 					long mask,
450 					int n_ks_tuple,
451 					krb5_key_salt_tuple *ks_tuple,
452 					char *pass);
453 kadm5_ret_t    kadm5_delete_principal(void *server_handle,
454 				      krb5_principal principal);
455 kadm5_ret_t    kadm5_modify_principal(void *server_handle,
456 				      kadm5_principal_ent_t ent,
457 				      long mask);
458 kadm5_ret_t    kadm5_rename_principal(void *server_handle,
459 				      krb5_principal,krb5_principal);
460 #if USE_KADM5_API_VERSION == 1
461 kadm5_ret_t    kadm5_get_principal(void *server_handle,
462 				   krb5_principal principal,
463 				   kadm5_principal_ent_t *ent);
464 #else
465 kadm5_ret_t    kadm5_get_principal(void *server_handle,
466 				   krb5_principal principal,
467 				   kadm5_principal_ent_t ent,
468 				   long mask);
469 #endif
470 kadm5_ret_t    kadm5_chpass_principal(void *server_handle,
471 				      krb5_principal principal,
472 				      char *pass);
473 kadm5_ret_t    kadm5_chpass_principal_3(void *server_handle,
474 					krb5_principal principal,
475 					krb5_boolean keepold,
476 					int n_ks_tuple,
477 					krb5_key_salt_tuple *ks_tuple,
478 					char *pass);
479 #if USE_KADM5_API_VERSION == 1
480 kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
481 				       krb5_principal principal,
482 				       krb5_keyblock **keyblock);
483 #else
484 
485 /*
486  * Solaris Kerberos:
487  * this routine is only implemented in the client library.
488  */
489 kadm5_ret_t    kadm5_randkey_principal_old(void *server_handle,
490 				    krb5_principal principal,
491 				    krb5_keyblock **keyblocks,
492 				    int *n_keys);
493 
494 kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
495 				       krb5_principal principal,
496 				       krb5_keyblock **keyblocks,
497 				       int *n_keys);
498 kadm5_ret_t    kadm5_randkey_principal_3(void *server_handle,
499 					 krb5_principal principal,
500 					 krb5_boolean keepold,
501 					 int n_ks_tuple,
502 					 krb5_key_salt_tuple *ks_tuple,
503 					 krb5_keyblock **keyblocks,
504 					 int *n_keys);
505 #endif
506 kadm5_ret_t    kadm5_setv4key_principal(void *server_handle,
507 					krb5_principal principal,
508 					krb5_keyblock *keyblock);
509 
510 kadm5_ret_t    kadm5_setkey_principal(void *server_handle,
511 				      krb5_principal principal,
512 				      krb5_keyblock *keyblocks,
513 				      int n_keys);
514 
515 kadm5_ret_t    kadm5_setkey_principal_3(void *server_handle,
516 					krb5_principal principal,
517 					krb5_boolean keepold,
518 					int n_ks_tuple,
519 					krb5_key_salt_tuple *ks_tuple,
520 					krb5_keyblock *keyblocks,
521 					int n_keys);
522 
523 kadm5_ret_t    kadm5_decrypt_key(void *server_handle,
524 				 kadm5_principal_ent_t entry, krb5_int32
525 				 ktype, krb5_int32 stype, krb5_int32
526 				 kvno, krb5_keyblock *keyblock,
527 				 krb5_keysalt *keysalt, int *kvnop);
528 
529 kadm5_ret_t    kadm5_create_policy(void *server_handle,
530 				   kadm5_policy_ent_t ent,
531 				   long mask);
532 /*
533  * kadm5_create_policy_internal is not part of the supported,
534  * exposed API.  It is available only in the server library, and you
535  * shouldn't use it unless you know why it's there and how it's
536  * different from kadm5_create_policy.
537  */
538 kadm5_ret_t    kadm5_create_policy_internal(void *server_handle,
539 					    kadm5_policy_ent_t
540 					    entry, long mask);
541 kadm5_ret_t    kadm5_delete_policy(void *server_handle,
542 				   kadm5_policy_t policy);
543 kadm5_ret_t    kadm5_modify_policy(void *server_handle,
544 				   kadm5_policy_ent_t ent,
545 				   long mask);
546 /*
547  * kadm5_modify_policy_internal is not part of the supported,
548  * exposed API.  It is available only in the server library, and you
549  * shouldn't use it unless you know why it's there and how it's
550  * different from kadm5_modify_policy.
551  */
552 kadm5_ret_t    kadm5_modify_policy_internal(void *server_handle,
553 					    kadm5_policy_ent_t
554 					    entry, long mask);
555 #if USE_KADM5_API_VERSION == 1
556 kadm5_ret_t    kadm5_get_policy(void *server_handle,
557 				kadm5_policy_t policy,
558 				kadm5_policy_ent_t *ent);
559 #else
560 kadm5_ret_t    kadm5_get_policy(void *server_handle,
561 				kadm5_policy_t policy,
562 				kadm5_policy_ent_t ent);
563 #endif
564 kadm5_ret_t    kadm5_get_privs(void *server_handle,
565 			       long *privs);
566 
567 kadm5_ret_t    kadm5_chpass_principal_util(void *server_handle,
568 					   krb5_principal princ,
569 					   char *new_pw,
570 					   char **ret_pw,
571 					   char *msg_ret,
572 					   unsigned int msg_len);
573 
574 kadm5_ret_t    kadm5_free_principal_ent(void *server_handle,
575 					kadm5_principal_ent_t
576 					ent);
577 kadm5_ret_t    kadm5_free_policy_ent(void *server_handle,
578 				     kadm5_policy_ent_t ent);
579 
580 kadm5_ret_t    kadm5_get_principals(void *server_handle,
581 				    char *exp, char ***princs,
582 				    int *count);
583 
584 kadm5_ret_t    kadm5_get_policies(void *server_handle,
585 				  char *exp, char ***pols,
586 				  int *count);
587 
588 #if USE_KADM5_API_VERSION > 1
589 kadm5_ret_t    kadm5_free_key_data(void *server_handle,
590 				   krb5_int16 *n_key_data,
591 				   krb5_key_data *key_data);
592 #endif
593 
594 kadm5_ret_t    kadm5_free_name_list(void *server_handle, char **names,
595 				    int count);
596 
597 krb5_error_code kadm5_init_krb5_context (krb5_context *);
598 
599 #if USE_KADM5_API_VERSION == 1
600 /*
601  * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time
602  * compatible with KADM5_API_VERSION_2.  Basically, this means we have
603  * to continue to provide all the old ovsec_kadm function and symbol
604  * names.
605  */
606 
607 #define OVSEC_KADM_ACLFILE		"/krb5/ovsec_adm.acl"
608 #define	OVSEC_KADM_WORDFILE		"/krb5/ovsec_adm.dict"
609 
610 #define OVSEC_KADM_ADMIN_SERVICE	"ovsec_adm/admin"
611 #define OVSEC_KADM_CHANGEPW_SERVICE	"ovsec_adm/changepw"
612 #define OVSEC_KADM_HIST_PRINCIPAL	"ovsec_adm/history"
613 
614 typedef krb5_principal	ovsec_kadm_princ_t;
615 typedef krb5_keyblock	ovsec_kadm_keyblock;
616 typedef	char		*ovsec_kadm_policy_t;
617 typedef long		ovsec_kadm_ret_t;
618 
619 enum	ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL };
620 enum	ovsec_kadm_saltmod  { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL };
621 
622 #define OVSEC_KADM_PW_FIRST_PROMPT \
623 	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
624 #define OVSEC_KADM_PW_SECOND_PROMPT \
625 	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
626 
627 /*
628  * Successful return code
629  */
630 #define OVSEC_KADM_OK	0
631 
632 /*
633  * Create/Modify masks
634  */
635 /* principal */
636 #define OVSEC_KADM_PRINCIPAL		0x000001
637 #define OVSEC_KADM_PRINC_EXPIRE_TIME	0x000002
638 #define OVSEC_KADM_PW_EXPIRATION	0x000004
639 #define OVSEC_KADM_LAST_PWD_CHANGE	0x000008
640 #define OVSEC_KADM_ATTRIBUTES		0x000010
641 #define OVSEC_KADM_MAX_LIFE		0x000020
642 #define OVSEC_KADM_MOD_TIME		0x000040
643 #define OVSEC_KADM_MOD_NAME		0x000080
644 #define OVSEC_KADM_KVNO			0x000100
645 #define OVSEC_KADM_MKVNO		0x000200
646 #define OVSEC_KADM_AUX_ATTRIBUTES	0x000400
647 #define OVSEC_KADM_POLICY		0x000800
648 #define OVSEC_KADM_POLICY_CLR		0x001000
649 /* policy */
650 #define OVSEC_KADM_PW_MAX_LIFE		0x004000
651 #define OVSEC_KADM_PW_MIN_LIFE		0x008000
652 #define OVSEC_KADM_PW_MIN_LENGTH	0x010000
653 #define OVSEC_KADM_PW_MIN_CLASSES	0x020000
654 #define OVSEC_KADM_PW_HISTORY_NUM	0x040000
655 #define OVSEC_KADM_REF_COUNT		0x080000
656 
657 /*
658  * permission bits
659  */
660 #define OVSEC_KADM_PRIV_GET	0x01
661 #define OVSEC_KADM_PRIV_ADD	0x02
662 #define OVSEC_KADM_PRIV_MODIFY	0x04
663 #define OVSEC_KADM_PRIV_DELETE	0x08
664 
665 /*
666  * API versioning constants
667  */
668 #define OVSEC_KADM_MASK_BITS		0xffffff00
669 
670 #define OVSEC_KADM_STRUCT_VERSION_MASK	0x12345600
671 #define OVSEC_KADM_STRUCT_VERSION_1	(OVSEC_KADM_STRUCT_VERSION_MASK|0x01)
672 #define OVSEC_KADM_STRUCT_VERSION	OVSEC_KADM_STRUCT_VERSION_1
673 
674 #define OVSEC_KADM_API_VERSION_MASK	0x12345700
675 #define OVSEC_KADM_API_VERSION_1	(OVSEC_KADM_API_VERSION_MASK|0x01)
676 
677 
678 typedef struct _ovsec_kadm_principal_ent_t {
679 	krb5_principal	principal;
680 	krb5_timestamp	princ_expire_time;
681 	krb5_timestamp	last_pwd_change;
682 	krb5_timestamp	pw_expiration;
683 	krb5_deltat	max_life;
684 	krb5_principal	mod_name;
685 	krb5_timestamp	mod_date;
686 	krb5_flags	attributes;
687 	krb5_kvno	kvno;
688 	krb5_kvno	mkvno;
689 	char		*policy;
690 	long		aux_attributes;
691 } ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t;
692 
693 typedef struct _ovsec_kadm_policy_ent_t {
694 	char		*policy;
695 	long		pw_min_life;
696 	long		pw_max_life;
697 	long		pw_min_length;
698 	long		pw_min_classes;
699 	long		pw_history_num;
700 	long		policy_refcnt;
701 } ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t;
702 
703 /*
704  * functions
705  */
706 ovsec_kadm_ret_t    ovsec_kadm_init(char *client_name, char *pass,
707 				    char *service_name, char *realm,
708 				    krb5_ui_4 struct_version,
709 				    krb5_ui_4 api_version,
710 				    char **db_args,
711 				    void **server_handle);
712 ovsec_kadm_ret_t    ovsec_kadm_init_with_password(char *client_name,
713 						  char *pass,
714 						  char *service_name,
715 						  char *realm,
716 						  krb5_ui_4 struct_version,
717 						  krb5_ui_4 api_version,
718 						  char ** db_args,
719 						  void **server_handle);
720 ovsec_kadm_ret_t    ovsec_kadm_init_with_skey(char *client_name,
721 					      char *keytab,
722 					      char *service_name,
723 					      char *realm,
724 					      krb5_ui_4 struct_version,
725 					      krb5_ui_4 api_version,
726 					      char **db_args,
727 					      void **server_handle);
728 ovsec_kadm_ret_t    ovsec_kadm_flush(void *server_handle);
729 ovsec_kadm_ret_t    ovsec_kadm_destroy(void *server_handle);
730 ovsec_kadm_ret_t    ovsec_kadm_create_principal(void *server_handle,
731 						ovsec_kadm_principal_ent_t ent,
732 						long mask, char *pass);
733 ovsec_kadm_ret_t    ovsec_kadm_delete_principal(void *server_handle,
734 						krb5_principal principal);
735 ovsec_kadm_ret_t    ovsec_kadm_modify_principal(void *server_handle,
736 						ovsec_kadm_principal_ent_t ent,
737 						long mask);
738 ovsec_kadm_ret_t    ovsec_kadm_rename_principal(void *server_handle,
739 						krb5_principal,krb5_principal);
740 ovsec_kadm_ret_t    ovsec_kadm_get_principal(void *server_handle,
741 					     krb5_principal principal,
742 					     ovsec_kadm_principal_ent_t *ent);
743 ovsec_kadm_ret_t    ovsec_kadm_chpass_principal(void *server_handle,
744 						krb5_principal principal,
745 						char *pass);
746 ovsec_kadm_ret_t    ovsec_kadm_randkey_principal(void *server_handle,
747 						 krb5_principal principal,
748 						 krb5_keyblock **keyblock);
749 ovsec_kadm_ret_t    ovsec_kadm_create_policy(void *server_handle,
750 					     ovsec_kadm_policy_ent_t ent,
751 					     long mask);
752 /*
753  * ovsec_kadm_create_policy_internal is not part of the supported,
754  * exposed API.  It is available only in the server library, and you
755  * shouldn't use it unless you know why it's there and how it's
756  * different from ovsec_kadm_create_policy.
757  */
758 ovsec_kadm_ret_t    ovsec_kadm_create_policy_internal(void *server_handle,
759 						      ovsec_kadm_policy_ent_t
760 						      entry, long mask);
761 ovsec_kadm_ret_t    ovsec_kadm_delete_policy(void *server_handle,
762 					     ovsec_kadm_policy_t policy);
763 ovsec_kadm_ret_t    ovsec_kadm_modify_policy(void *server_handle,
764 					     ovsec_kadm_policy_ent_t ent,
765 					     long mask);
766 /*
767  * ovsec_kadm_modify_policy_internal is not part of the supported,
768  * exposed API.  It is available only in the server library, and you
769  * shouldn't use it unless you know why it's there and how it's
770  * different from ovsec_kadm_modify_policy.
771  */
772 ovsec_kadm_ret_t    ovsec_kadm_modify_policy_internal(void *server_handle,
773 						      ovsec_kadm_policy_ent_t
774 						      entry, long mask);
775 ovsec_kadm_ret_t    ovsec_kadm_get_policy(void *server_handle,
776 					  ovsec_kadm_policy_t policy,
777 					  ovsec_kadm_policy_ent_t *ent);
778 ovsec_kadm_ret_t    ovsec_kadm_get_privs(void *server_handle,
779 					 long *privs);
780 
781 ovsec_kadm_ret_t    ovsec_kadm_chpass_principal_util(void *server_handle,
782 						     krb5_principal princ,
783 						     char *new_pw,
784 						     char **ret_pw,
785 						     char *msg_ret);
786 
787 ovsec_kadm_ret_t    ovsec_kadm_free_principal_ent(void *server_handle,
788 						  ovsec_kadm_principal_ent_t
789 						  ent);
790 ovsec_kadm_ret_t    ovsec_kadm_free_policy_ent(void *server_handle,
791 					       ovsec_kadm_policy_ent_t ent);
792 
793 ovsec_kadm_ret_t ovsec_kadm_free_name_list(void *server_handle,
794 					   char **names, int count);
795 
796 ovsec_kadm_ret_t    ovsec_kadm_get_principals(void *server_handle,
797 					      char *exp, char ***princs,
798 					      int *count);
799 
800 ovsec_kadm_ret_t    ovsec_kadm_get_policies(void *server_handle,
801 					    char *exp, char ***pols,
802 					    int *count);
803 
804 #define OVSEC_KADM_FAILURE KADM5_FAILURE
805 #define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET
806 #define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD
807 #define OVSEC_KADM_AUTH_MODIFY KADM5_AUTH_MODIFY
808 #define OVSEC_KADM_AUTH_DELETE KADM5_AUTH_DELETE
809 #define OVSEC_KADM_AUTH_INSUFFICIENT KADM5_AUTH_INSUFFICIENT
810 #define OVSEC_KADM_BAD_DB KADM5_BAD_DB
811 #define OVSEC_KADM_DUP KADM5_DUP
812 #define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR
813 #define OVSEC_KADM_NO_SRV KADM5_NO_SRV
814 #define OVSEC_KADM_BAD_HIST_KEY KADM5_BAD_HIST_KEY
815 #define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT
816 #define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC
817 #define OVSEC_KADM_UNK_POLICY KADM5_UNK_POLICY
818 #define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK
819 #define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS
820 #define OVSEC_KADM_BAD_LENGTH KADM5_BAD_LENGTH
821 #define OVSEC_KADM_BAD_POLICY KADM5_BAD_POLICY
822 #define OVSEC_KADM_BAD_PRINCIPAL KADM5_BAD_PRINCIPAL
823 #define OVSEC_KADM_BAD_AUX_ATTR KADM5_BAD_AUX_ATTR
824 #define OVSEC_KADM_BAD_HISTORY KADM5_BAD_HISTORY
825 #define OVSEC_KADM_BAD_MIN_PASS_LIFE KADM5_BAD_MIN_PASS_LIFE
826 #define OVSEC_KADM_PASS_Q_TOOSHORT KADM5_PASS_Q_TOOSHORT
827 #define OVSEC_KADM_PASS_Q_CLASS KADM5_PASS_Q_CLASS
828 #define OVSEC_KADM_PASS_Q_DICT KADM5_PASS_Q_DICT
829 #define OVSEC_KADM_PASS_REUSE KADM5_PASS_REUSE
830 #define OVSEC_KADM_PASS_TOOSOON KADM5_PASS_TOOSOON
831 #define OVSEC_KADM_POLICY_REF KADM5_POLICY_REF
832 #define OVSEC_KADM_INIT KADM5_INIT
833 #define OVSEC_KADM_BAD_PASSWORD KADM5_BAD_PASSWORD
834 #define OVSEC_KADM_PROTECT_PRINCIPAL KADM5_PROTECT_PRINCIPAL
835 #define OVSEC_KADM_BAD_SERVER_HANDLE KADM5_BAD_SERVER_HANDLE
836 #define OVSEC_KADM_BAD_STRUCT_VERSION KADM5_BAD_STRUCT_VERSION
837 #define OVSEC_KADM_OLD_STRUCT_VERSION KADM5_OLD_STRUCT_VERSION
838 #define OVSEC_KADM_NEW_STRUCT_VERSION KADM5_NEW_STRUCT_VERSION
839 #define OVSEC_KADM_BAD_API_VERSION KADM5_BAD_API_VERSION
840 #define OVSEC_KADM_OLD_LIB_API_VERSION KADM5_OLD_LIB_API_VERSION
841 #define OVSEC_KADM_OLD_SERVER_API_VERSION KADM5_OLD_SERVER_API_VERSION
842 #define OVSEC_KADM_NEW_LIB_API_VERSION KADM5_NEW_LIB_API_VERSION
843 #define OVSEC_KADM_NEW_SERVER_API_VERSION KADM5_NEW_SERVER_API_VERSION
844 #define OVSEC_KADM_SECURE_PRINC_MISSING KADM5_SECURE_PRINC_MISSING
845 #define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT
846 
847 #endif /* USE_KADM5_API_VERSION == 1 */
848 
849 #define MAXPRINCLEN 125
850 
851 void trunc_name(size_t *len, char **dots);
852 
853 krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle);
854 kadm5_ret_t	kadm5_chpass_principal_v2(void *server_handle,
855 					krb5_principal princ,
856 					char *new_password,
857 					kadm5_ret_t *srvr_rsp_code,
858 					krb5_data *srvr_msg);
859 
860 void handle_chpw(krb5_context context, int s, void *serverhandle,
861 			kadm5_config_params *params);
862 
863 #ifdef __cplusplus
864 }
865 #endif
866 
867 #endif	/* __KADM5_ADMIN_H__ */
868