#define KRB5_CONF_ADMIN_SERVER "admin_server"
#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
#define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
+#define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
+#define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
+#define KRB5_CONF_CANONICALIZE "canonicalize"
#define KRB5_CONF_CCACHE_TYPE "ccache_type"
#define KRB5_CONF_CLOCKSKEW "clockskew"
#define KRB5_CONF_DATABASE_NAME "database_name"
#define KRB5_CONF_DB_MODULES "db_modules"
#define KRB5_CONF_DOMAIN_REALM "domain_realm"
#define KRB5_CONF_DEFAULT_REALM "default_realm"
+#define KRB5_CONF_DEFAULT_DOMAIN "default_domain"
#define KRB5_CONF_DEFAULT_TKT_ENCTYPES "default_tkt_enctypes"
#define KRB5_CONF_DEFAULT_TGS_ENCTYPES "default_tgs_enctypes"
#define KRB5_CONF_DEFAULT_KEYTAB_NAME "default_keytab_name"
#define KRB5_CONF_DNS_LOOKUP_REALM "dns_lookup_realm"
#define KRB5_CONF_DNS_FALLBACK "dns_fallback"
#define KRB5_CONF_EXTRA_ADDRESSES "extra_addresses"
+#define KRB5_CONF_FORWARDABLE "forwardable"
#define KRB5_CONF_HOST_BASED_SERVICES "host_based_services"
#define KRB5_CONF_IPROP_ENABLE "iprop_enable"
#define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize"
#define KRB5_CONF_KDC "kdc"
#define KRB5_CONF_KDCDEFAULTS "kdcdefaults"
#define KRB5_CONF_KDC_PORTS "kdc_ports"
-#define KRB5_CONF_TCP_PORTS "kdc_tcp_ports"
+#define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
#define KRB5_CONF_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size"
#define KRB5_CONF_KDC_DEFAULT_OPTIONS "kdc_default_options"
#define KRB5_CONF_KDC_TIMESYNC "kdc_timesync"
#define KRB5_CONF_LDAP_KDC_DN "ldap_kdc_dn"
#define KRB5_CONF_LDAP_KADMIN_DN "ldap_kadmind_dn"
#define KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE "ldap_service_password_file"
+#define KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE "ldap_root_certificate_file"
#define KRB5_CONF_LDAP_SERVERS "ldap_servers"
#define KRB5_CONF_LDAP_CONNS_PER_SERVER "ldap_conns_per_server"
#define KRB5_CONF_NO_HOST_REFERRAL "no_host_referral"
#define KRB5_CONF_MASTER_KDC "master_kdc"
#define KRB5_CONF_MAX_LIFE "max_life"
#define KRB5_CONF_MAX_RENEWABLE_LIFE "max_renewable_life"
-#define KRB5_CONF_NOADDRESS "noaddresses"
+#define KRB5_CONF_NOADDRESSES "noaddresses"
#define KRB5_CONF_PERMITTED_ENCTYPES "permitted_enctypes"
+#define KRB5_CONF_PKINIT_ALLOW_UPN "pkinit_allow_upn"
#define KRB5_CONF_PKINIT_ANCHORS "pkinit_anchors"
+#define KRB5_CONF_PKINIT_CERT_MATCH "pkinit_cert_match"
+#define KRB5_CONF_PKINIT_DH_MIN_BITS "pkinit_dh_min_bits"
+#define KRB5_CONF_PKINIT_EKU_CHECKING "pkinit_eku_checking"
#define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity"
+#define KRB5_CONF_PKINIT_IDENTITIES "pkinit_identities"
+#define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname"
#define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp"
+#define KRB5_CONF_PKINIT_LONGHORN "pkinit_longhorn"
+#define KRB5_CONF_PKINIT_MAPPING_FILE "pkinit_mappings_file"
#define KRB5_CONF_PKINIT_POOL "pkinit_pool"
#define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke"
-#define KRB5_CONF_PKINIT_MAPPING_FILE "pkinit_mappings_file"
-#define KRB5_CONF_PKINIT_DH_MIN_BITS "pkinit_dh_min_bits"
-#define KRB5_CONF_PKINIT_ALLOW_UPN "pkinit_allow_upn"
#define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking"
-#define KRB5_CONF_PKINIT_EKU_CHECKING "pkinit_eku_checking"
+#define KRB5_CONF_PKINIT_WIN2K "pkinit_win2k"
+#define KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING "pkinit_win2k_require_binding"
+#define KRB5_CONF_PREFERRED_PREAUTH_TYPES "preferred_preauth_types"
+#define KRB5_CONF_PROXIABLE "proxiable"
#define KRB5_CONF_RDNS "rdns"
#define KRB5_CONF_REALMS "realms"
#define KRB5_CONF_REALM_TRY_DOMAINS "realm_try_domains"
#define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit"
+#define KRB5_CONF_RENEW_LIFETIME "renew_lifetime"
#define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type"
#define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes"
+#define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime"
#define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit"
+#define KRB5_CONF_VERIFY_AP_REQ_NOFAIL "verify_ap_req_nofail"
#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
#define KRB5_CONF_V4_REALM "v4_realm"
#define KRB5_CONF_ASTERISK "*"
(krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN &&
kdc_active_realm->realm_host_based_services != NULL &&
(krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, comp1_str) == TRUE ||
- krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, "*") == TRUE))) &&
+ krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, KRB5_CONF_ASTERISK) == TRUE))) &&
(kdc_active_realm->realm_no_host_referral == NULL ||
- (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, "*") == FALSE &&
+ (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, KRB5_CONF_ASTERISK) == FALSE &&
krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, comp1_str) == FALSE))) {
if (memchr(comp2->data, '.', comp2->length) == NULL)
{
krb5_error_code retval = 0;
- if (no_refrls && krb5_match_config_pattern(no_refrls, "*") == TRUE) {
- rdp->realm_no_host_referral = strdup("*");
+ if (no_refrls && krb5_match_config_pattern(no_refrls, KRB5_CONF_ASTERISK) == TRUE) {
+ rdp->realm_no_host_referral = strdup(KRB5_CONF_ASTERISK);
if (!rdp->realm_no_host_referral)
retval = ENOMEM;
} else {
if (rparams && rparams->realm_no_host_referral) {
- if (krb5_match_config_pattern(rparams->realm_no_host_referral, "*") == TRUE) {
- rdp->realm_no_host_referral = strdup("*");
+ if (krb5_match_config_pattern(rparams->realm_no_host_referral, KRB5_CONF_ASTERISK) == TRUE) {
+ rdp->realm_no_host_referral = strdup(KRB5_CONF_ASTERISK);
if (!rdp->realm_no_host_referral)
retval = ENOMEM;
} else if (no_refrls && (asprintf(&(rdp->realm_no_host_referral), "%s%s%s%s%s",
rdp->realm_no_host_referral = NULL;
}
- if (rdp->realm_no_host_referral && krb5_match_config_pattern(rdp->realm_no_host_referral, "*") == TRUE) {
+ if (rdp->realm_no_host_referral && krb5_match_config_pattern(rdp->realm_no_host_referral, KRB5_CONF_ASTERISK) == TRUE) {
rdp->realm_host_based_services = NULL;
return 0;
}
- if (host_based_srvcs && (krb5_match_config_pattern(host_based_srvcs, "*") == TRUE)) {
- rdp->realm_host_based_services = strdup("*");
+ if (host_based_srvcs && (krb5_match_config_pattern(host_based_srvcs, KRB5_CONF_ASTERISK) == TRUE)) {
+ rdp->realm_host_based_services = strdup(KRB5_CONF_ASTERISK);
if (!rdp->realm_host_based_services)
retval = ENOMEM;
} else {
if (rparams && rparams->realm_host_based_services) {
- if (krb5_match_config_pattern(rparams->realm_host_based_services, "*") == TRUE) {
- rdp->realm_host_based_services = strdup("*");
+ if (krb5_match_config_pattern(rparams->realm_host_based_services, KRB5_CONF_ASTERISK) == TRUE) {
+ rdp->realm_host_based_services = strdup(KRB5_CONF_ASTERISK);
if (!rdp->realm_host_based_services)
retval = ENOMEM;
} else if (host_based_srvcs && asprintf(&(rdp->realm_host_based_services), "%s%s%s%s%s",
extern char *optarg;
if (!krb5_aprof_init(DEFAULT_KDC_PROFILE, KDC_PROFILE_ENV, &aprof)) {
- hierarchy[0] = "kdcdefaults";
- hierarchy[1] = "kdc_ports";
+ hierarchy[0] = KRB5_CONF_KDCDEFAULTS;
+ hierarchy[1] = KRB5_CONF_KDC_PORTS;
hierarchy[2] = (char *) NULL;
if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_udp_ports))
default_udp_ports = 0;
- hierarchy[1] = "kdc_tcp_ports";
+ hierarchy[1] = KRB5_CONF_KDC_TCP_PORTS;
if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_tcp_ports))
default_tcp_ports = 0;
- hierarchy[1] = "kdc_max_dgram_reply_size";
+ hierarchy[1] = KRB5_CONF_MAX_DGRAM_REPLY_SIZE;
if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size))
max_dgram_reply_size = MAX_DGRAM_SIZE;
- hierarchy[1] = "no_host_referral";
+ hierarchy[1] = KRB5_CONF_NO_HOST_REFERRAL;
if (krb5_aprof_get_string_all(aprof, hierarchy, &no_refrls))
no_refrls = 0;
- if (!no_refrls || krb5_match_config_pattern(no_refrls, "*") == FALSE) {
- hierarchy[1] = "host_based_services";
+ if (!no_refrls || krb5_match_config_pattern(no_refrls, KRB5_CONF_ASTERISK) == FALSE) {
+ hierarchy[1] = KRB5_CONF_HOST_BASED_SERVICES;
if (krb5_aprof_get_string_all(aprof, hierarchy, &host_based_srvcs))
host_based_srvcs = 0;
}
goto cleanup;
/* Initialize realm parameters */
- hierarchy[0] = "realms";
+ hierarchy[0] = KRB5_CONF_REALMS;
hierarchy[1] = lrealm;
hierarchy[3] = (char *) NULL;
aprofile, hierarchy, CONFTAG, DEFAULT)
/* Get the value for the admin server */
- GET_STRING_PARAM(admin_server, KADM5_CONFIG_ADMIN_SERVER, "admin_server",
+ GET_STRING_PARAM(admin_server, KADM5_CONFIG_ADMIN_SERVER, KRB5_CONF_ADMIN_SERVER,
NULL);
if (params.mask & KADM5_CONFIG_ADMIN_SERVER) {
}
/* Get the value for the database */
- GET_STRING_PARAM(dbname, KADM5_CONFIG_DBNAME, "database_name",
+ GET_STRING_PARAM(dbname, KADM5_CONFIG_DBNAME, KRB5_CONF_DATABASE_NAME,
DEFAULT_KDB_FILE);
params.admin_dbname_was_here = NULL;
/* Get the value for the admin (policy) database lock file*/
if (!GET_STRING_PARAM(admin_keytab, KADM5_CONFIG_ADMIN_KEYTAB,
- "admin_keytab", NULL)) {
+ KRB5_CONF_ADMIN_KEYTAB, NULL)) {
const char *s = getenv("KRB5_KTNAME");
if (s == NULL)
s = DEFAULT_KADM5_KEYTAB;
}
/* Get the name of the acl file */
- GET_STRING_PARAM(acl_file, KADM5_CONFIG_ACL_FILE, "acl_file",
+ GET_STRING_PARAM(acl_file, KADM5_CONFIG_ACL_FILE, KRB5_CONF_ACL_FILE,
DEFAULT_KADM5_ACL_FILE);
/* Get the name of the dict file */
- GET_STRING_PARAM(dict_file, KADM5_CONFIG_DICT_FILE, "dict_file", NULL);
+ GET_STRING_PARAM(dict_file, KADM5_CONFIG_DICT_FILE, KRB5_CONF_DICT_FILE, NULL);
#define GET_PORT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \
get_port_param(¶ms.FIELD, params_in->FIELD, \
aprofile, hierarchy, CONFTAG, DEFAULT)
/* Get the value for the kadmind port */
GET_PORT_PARAM(kadmind_port, KADM5_CONFIG_KADMIND_PORT,
- "kadmind_port", DEFAULT_KADM5_PORT);
+ KRB5_CONF_KADMIND_PORT, DEFAULT_KADM5_PORT);
/* Get the value for the kpasswd port */
GET_PORT_PARAM(kpasswd_port, KADM5_CONFIG_KPASSWD_PORT,
- "kpasswd_port", DEFAULT_KPASSWD_PORT);
+ KRB5_CONF_KPASSWD_PORT, DEFAULT_KPASSWD_PORT);
/* Get the value for the master key name */
GET_STRING_PARAM(mkey_name, KADM5_CONFIG_MKEY_NAME,
- "master_key_name", NULL);
+ KRB5_CONF_MASTER_KEY_NAME, NULL);
/* Get the value for the master key type */
- hierarchy[2] = "master_key_type";
+ hierarchy[2] = KRB5_CONF_MASTER_KEY_TYPE;
if (params_in->mask & KADM5_CONFIG_ENCTYPE) {
params.mask |= KADM5_CONFIG_ENCTYPE;
params.enctype = params_in->enctype;
/* Get the value for the stashfile */
GET_STRING_PARAM(stash_file, KADM5_CONFIG_STASH_FILE,
- "key_stash_file", NULL);
+ KRB5_CONF_KEY_STASH_FILE, NULL);
/* Get the value for maximum ticket lifetime. */
#define GET_DELTAT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \
¶ms.mask, params_in->mask, BIT, \
aprofile, hierarchy, CONFTAG, DEFAULT)
- GET_DELTAT_PARAM(max_life, KADM5_CONFIG_MAX_LIFE, "max_life",
+ GET_DELTAT_PARAM(max_life, KADM5_CONFIG_MAX_LIFE, KRB5_CONF_MAX_LIFE,
24 * 60 * 60); /* 1 day */
/* Get the value for maximum renewable ticket lifetime. */
- GET_DELTAT_PARAM(max_rlife, KADM5_CONFIG_MAX_RLIFE, "max_renewable_life",
+ GET_DELTAT_PARAM(max_rlife, KADM5_CONFIG_MAX_RLIFE, KRB5_CONF_MAX_RENEWABLE_LIFE,
0);
/* Get the value for the default principal expiration */
- hierarchy[2] = "default_principal_expiration";
+ hierarchy[2] = KRB5_CONF_DEFAULT_PRINCIPAL_EXPIRATION;
if (params_in->mask & KADM5_CONFIG_EXPIRATION) {
params.mask |= KADM5_CONFIG_EXPIRATION;
params.expiration = params_in->expiration;
}
/* Get the value for the default principal flags */
- hierarchy[2] = "default_principal_flags";
+ hierarchy[2] = KRB5_CONF_DEFAULT_PRINCIPAL_FLAGS;
if (params_in->mask & KADM5_CONFIG_FLAGS) {
params.mask |= KADM5_CONFIG_FLAGS;
params.flags = params_in->flags;
}
/* Get the value for the supported enctype/salttype matrix */
- hierarchy[2] = "supported_enctypes";
+ hierarchy[2] = KRB5_CONF_SUPPORTED_ENCTYPES;
if (params_in->mask & KADM5_CONFIG_ENCTYPES) {
/* The following scenario is when the input keysalts are !NULL */
if(params_in->keysalts) {
free(svalue);
}
- hierarchy[2] = "iprop_enable";
+ hierarchy[2] = KRB5_CONF_IPROP_ENABLE;
params.iprop_enabled = FALSE;
params.mask |= KADM5_CONFIG_IPROP_ENABLED;
}
if (!GET_STRING_PARAM(iprop_logfile, KADM5_CONFIG_IPROP_LOGFILE,
- "iprop_logfile", NULL)) {
+ KRB5_CONF_IPROP_LOGFILE, NULL)) {
if (params.mask & KADM5_CONFIG_DBNAME) {
if (asprintf(¶ms.iprop_logfile, "%s.ulog", params.dbname) >= 0) {
params.mask |= KADM5_CONFIG_IPROP_LOGFILE;
}
GET_PORT_PARAM(iprop_port, KADM5_CONFIG_IPROP_PORT,
- "iprop_port", 0);
+ KRB5_CONF_IPROP_PORT, 0);
- hierarchy[2] = "iprop_master_ulogsize";
+ hierarchy[2] = KRB5_CONF_IPROP_MASTER_ULOGSIZE;
params.iprop_ulogsize = DEF_ULOGENTRIES;
params.mask |= KADM5_CONFIG_ULOG_SIZE;
}
GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME,
- "iprop_slave_poll", 2 * 60); /* 2m */
+ KRB5_CONF_IPROP_SLAVE_POLL, 2 * 60); /* 2m */
*params_out = params;
memset(rparams, 0, sizeof(krb5_realm_params));
/* Get the value for the database */
- hierarchy[0] = "realms";
+ hierarchy[0] = KRB5_CONF_REALMS;
hierarchy[1] = lrealm;
- hierarchy[2] = "database_name";
+ hierarchy[2] = KRB5_CONF_DATABASE_NAME;
hierarchy[3] = (char *) NULL;
if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
rparams->realm_dbname = svalue;
/* Get the value for the KDC port list */
- hierarchy[2] = "kdc_ports";
+ hierarchy[2] = KRB5_CONF_KDC_PORTS;
if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
rparams->realm_kdc_ports = svalue;
- hierarchy[2] = "kdc_tcp_ports";
+ hierarchy[2] = KRB5_CONF_KDC_TCP_PORTS;
if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
rparams->realm_kdc_tcp_ports = svalue;
/* Get the name of the acl file */
- hierarchy[2] = "acl_file";
+ hierarchy[2] = KRB5_CONF_ACL_FILE;
if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
rparams->realm_acl_file = svalue;
/* Get the value for the kadmind port */
- hierarchy[2] = "kadmind_port";
+ hierarchy[2] = KRB5_CONF_KADMIND_PORT;
if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) {
rparams->realm_kadmind_port = ivalue;
rparams->realm_kadmind_port_valid = 1;
}
/* Get the value for the master key name */
- hierarchy[2] = "master_key_name";
+ hierarchy[2] = KRB5_CONF_MASTER_KEY_NAME;
if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
rparams->realm_mkey_name = svalue;
/* Get the value for the master key type */
- hierarchy[2] = "master_key_type";
+ hierarchy[2] = KRB5_CONF_MASTER_KEY_TYPE;
if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
if (!krb5_string_to_enctype(svalue, &rparams->realm_enctype))
rparams->realm_enctype_valid = 1;
}
/* Get the value for the stashfile */
- hierarchy[2] = "key_stash_file";
+ hierarchy[2] = KRB5_CONF_KEY_STASH_FILE;
if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
rparams->realm_stash_file = svalue;
/* Get the value for maximum ticket lifetime. */
- hierarchy[2] = "max_life";
+ hierarchy[2] = KRB5_CONF_MAX_LIFE;
if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) {
rparams->realm_max_life = dtvalue;
rparams->realm_max_life_valid = 1;
}
/* Get the value for maximum renewable ticket lifetime. */
- hierarchy[2] = "max_renewable_life";
+ hierarchy[2] = KRB5_CONF_MAX_RENEWABLE_LIFE;
if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) {
rparams->realm_max_rlife = dtvalue;
rparams->realm_max_rlife_valid = 1;
}
/* Get the value for the default principal expiration */
- hierarchy[2] = "default_principal_expiration";
+ hierarchy[2] = KRB5_CONF_DEFAULT_PRINCIPAL_EXPIRATION;
if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
if (!krb5_string_to_timestamp(svalue,
&rparams->realm_expiration))
free(svalue);
}
- hierarchy[2] = "reject_bad_transit";
+ hierarchy[2] = KRB5_CONF_REJECT_BAD_TRANSIT;
if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) {
rparams->realm_reject_bad_transit = bvalue;
rparams->realm_reject_bad_transit_valid = 1;
}
- hierarchy[2] = "no_host_referral";
+ hierarchy[2] = KRB5_CONF_NO_HOST_REFERRAL;
if (!krb5_aprof_get_string_all(aprofile, hierarchy, &no_refrls))
rparams->realm_no_host_referral = no_refrls;
else
no_refrls = 0;
- if (!no_refrls || krb5_match_config_pattern(no_refrls, "*") == FALSE) {
- hierarchy[2] = "host_based_services";
+ if (!no_refrls || krb5_match_config_pattern(no_refrls, KRB5_CONF_ASTERISK) == FALSE) {
+ hierarchy[2] = KRB5_CONF_HOST_BASED_SERVICES;
if (!krb5_aprof_get_string_all(aprofile, hierarchy, &host_based_srvcs))
rparams->realm_host_based_services = host_based_srvcs;
else
}
/* Get the value for the default principal flags */
- hierarchy[2] = "default_principal_flags";
+ hierarchy[2] = KRB5_CONF_DEFAULT_PRINCIPAL_FLAGS;
if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
char *sp, *ep, *tp;
When it's static, it goes into ".picdata", which is
read-write. */
static const char *const dbpath_names[] = {
- KDB_MODULE_SECTION, "db_module_dir", NULL,
+ KDB_MODULE_SECTION, KRB5_CONF_DB_MODULE_DIR, NULL,
};
const char *filebases[2];
char **profpath = NULL;
if (context->profile == 0)
return KRB5_CONFIG_CANTOPEN;
- retval = profile_get_string(context->profile, "realms",
- tmp_prealm, "v4_realm", 0,
+ retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
+ tmp_prealm, KRB5_CONF_V4_REALM, 0,
&tmp_realm);
free(tmp_prealm);
if (retval) {
/* First, convert the realm, since the v4 realm is not necessarily the same as the v5 realm
To do that, iterate over all the realms in the config file, looking for a matching
v4_realm line */
- names2 [0] = "realms";
+ names2 [0] = KRB5_CONF_REALMS;
names2 [1] = NULL;
retval = profile_iterator_create (context -> profile, names2, PROFILE_ITER_LIST_SECTION | PROFILE_ITER_SECTIONS_ONLY, &iterator);
while (retval == 0) {
retval = profile_iterator (&iterator, &realm_name, &dummy_value);
if ((retval == 0) && (realm_name != NULL)) {
- names [0] = "realms";
+ names [0] = KRB5_CONF_REALMS;
names [1] = realm_name;
- names [2] = "v4_realm";
+ names [2] = KRB5_CONF_V4_REALM;
names [3] = NULL;
retval = profile_get_values (context -> profile, names, &v4realms);
}
name = p->v5_str;
if ((p->flags & DO_REALM_CONVERSION) && !strchr(instance, '.')) {
- names[0] = "realms";
+ names[0] = KRB5_CONF_REALMS;
names[1] = realm;
- names[2] = "v4_instance_convert";
+ names[2] = KRB5_CONF_V4_INSTANCE_CONVERT;
names[3] = instance;
names[4] = 0;
retval = profile_get_values(context->profile, names, &full_name);
profile = context->profile;
- names[0] = "libdefaults";
+ names[0] = KRB5_CONF_LIBDEFAULTS;
/*
* Try number one:
return 0;
}
- ret = krb5_libdefault_string(context, realm, "preferred_preauth_types",
+ ret = krb5_libdefault_string(context, realm, KRB5_CONF_PREFERRED_PREAUTH_TYPES,
&preauth_types);
if ((ret != 0) || (preauth_types == NULL)) {
/* Try to use PKINIT first. */
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE))
tempint = options->forwardable;
else if ((ret = krb5_libdefault_boolean(context, &client->realm,
- "forwardable", &tempint)) == 0)
+ KRB5_CONF_FORWARDABLE, &tempint)) == 0)
;
else
tempint = 0;
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE))
tempint = options->proxiable;
else if ((ret = krb5_libdefault_boolean(context, &client->realm,
- "proxiable", &tempint)) == 0)
+ KRB5_CONF_PROXIABLE, &tempint)) == 0)
;
else
tempint = 0;
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_CANONICALIZE))
tempint = 1;
else if ((ret = krb5_libdefault_boolean(context, &client->realm,
- "canonicalize", &tempint)) == 0)
+ KRB5_CONF_CANONICALIZE, &tempint)) == 0)
;
else
tempint = 0;
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) {
tkt_life = options->tkt_life;
} else if ((ret = krb5_libdefault_string(context, &client->realm,
- "ticket_lifetime", &tempstr))
+ KRB5_CONF_TICKET_LIFETIME, &tempstr))
== 0) {
ret = krb5_string_to_deltat(tempstr, &tkt_life);
free(tempstr);
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)) {
renew_life = options->renew_life;
} else if ((ret = krb5_libdefault_string(context, &client->realm,
- "renew_lifetime", &tempstr))
+ KRB5_CONF_RENEW_LIFETIME, &tempstr))
== 0) {
ret = krb5_string_to_deltat(tempstr, &renew_life);
free(tempstr);
/* it would be nice if this parsed out an address list, but
that would be work. */
else if (((ret = krb5_libdefault_boolean(context, &client->realm,
- "noaddresses", &tempint)) != 0)
+ KRB5_CONF_NOADDRESSES, &tempint)) != 0)
|| (tempint == 1)) {
;
} else {
/*
* lib/krb5/krb/init_ctx.c
*
- * Copyright 1994,1999,2000, 2002, 2003, 2007, 2008 by the Massachusetts Institute of Technology.
+ * Copyright 1994,1999,2000, 2002, 2003, 2007, 2008, 2009 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
if ((retval = krb5_os_init_context(ctx, kdc)))
goto cleanup;
- retval = profile_get_boolean(ctx->profile, "libdefaults",
- "allow_weak_crypto", NULL, 1, &tmp);
+ retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 1, &tmp);
if (retval)
goto cleanup;
ctx->allow_weak_crypto = tmp;
goto cleanup;
ctx->default_realm = 0;
- profile_get_integer(ctx->profile, "libdefaults", "clockskew",
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CLOCKSKEW,
0, 5 * 60, &tmp);
ctx->clockskew = tmp;
#if 0
/* Default ticket lifetime is currently not supported */
- profile_get_integer(ctx->profile, "libdefaults", "tkt_lifetime",
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, "tkt_lifetime",
0, 10 * 60 * 60, &tmp);
ctx->tkt_lifetime = tmp;
#endif
/* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */
/* DCE add kdc_req_checksum_type = 2 to krb5.conf */
- profile_get_integer(ctx->profile, "libdefaults",
- "kdc_req_checksum_type", 0, CKSUMTYPE_RSA_MD5,
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5,
&tmp);
ctx->kdc_req_sumtype = tmp;
- profile_get_integer(ctx->profile, "libdefaults",
- "ap_req_checksum_type", 0, CKSUMTYPE_RSA_MD5,
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5,
&tmp);
ctx->default_ap_req_sumtype = tmp;
- profile_get_integer(ctx->profile, "libdefaults",
- "safe_checksum_type", 0,
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_SAFE_CHECKSUM_TYPE, 0,
CKSUMTYPE_RSA_MD5_DES, &tmp);
ctx->default_safe_sumtype = tmp;
- profile_get_integer(ctx->profile, "libdefaults",
- "kdc_default_options", 0,
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_KDC_DEFAULT_OPTIONS, 0,
KDC_OPT_RENEWABLE_OK, &tmp);
ctx->kdc_default_options = tmp;
#define DEFAULT_KDC_TIMESYNC 1
- profile_get_integer(ctx->profile, "libdefaults",
- "kdc_timesync", 0, DEFAULT_KDC_TIMESYNC,
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_KDC_TIMESYNC, 0, DEFAULT_KDC_TIMESYNC,
&tmp);
ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
* DCE 1.1 supports a cache type of 2.
*/
#define DEFAULT_CCACHE_TYPE 4
- profile_get_integer(ctx->profile, "libdefaults", "ccache_type",
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CCACHE_TYPE,
0, DEFAULT_CCACHE_TYPE, &tmp);
ctx->fcc_default_format = tmp + 0x0500;
ctx->prompt_types = 0;
session key types.
*/
- char *retval;
- char *sp, *ep;
+ char *retval = NULL;
+ char *sp = NULL, *ep = NULL;
int i, j, count;
krb5_error_code code;
- code = profile_get_string(context->profile, "libdefaults", profstr,
+ code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS, profstr,
NULL, DEFAULT_ETYPE_LIST, &retval);
if (code)
return code;
krb5_error_code
krb5_get_default_in_tkt_ktypes(krb5_context context, krb5_enctype **ktypes)
{
- return(get_profile_etype_list(context, ktypes, "default_tkt_enctypes",
+ return(get_profile_etype_list(context, ktypes, KRB5_CONF_DEFAULT_TKT_ENCTYPES,
context->in_tkt_ktype_count,
context->in_tkt_ktypes));
}
if (context->use_conf_ktypes)
/* This one is set *only* by reading the config file; it's not
set by the application. */
- return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
+ return(get_profile_etype_list(context, ktypes, KRB5_CONF_DEFAULT_TKT_ENCTYPES,
0, NULL));
else
- return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
+ return(get_profile_etype_list(context, ktypes, KRB5_CONF_DEFAULT_TGS_ENCTYPES,
context->tgs_ktype_count,
context->tgs_ktypes));
}
krb5_error_code KRB5_CALLCONV
krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes)
{
- return(get_profile_etype_list(context, ktypes, "permitted_enctypes",
+ return(get_profile_etype_list(context, ktypes, KRB5_CONF_PERMITTED_ENCTYPES,
context->tgs_ktype_count,
context->tgs_ktypes));
}
goto cleanup;
} else if (krb5_libdefault_boolean(context,
&creds->client->realm,
- "verify_ap_req_nofail",
+ KRB5_CONF_VERIFY_AP_REQ_NOFAIL,
&nofail)
== 0) {
if (nofail)
*
* [realms]->realm->"auth_to_local_names"->mapping_name
*/
- hierarchy[0] = "realms";
+ hierarchy[0] = KRB5_CONF_REALMS;
hierarchy[1] = realm;
- hierarchy[2] = "auth_to_local_names";
+ hierarchy[2] = KRB5_CONF_AUTH_TO_LOCAL_NAMES;
hierarchy[3] = mname;
hierarchy[4] = (char *) NULL;
if (!(kret = profile_get_values(context->profile,
* DEFAULT - Use default rule.
* The first rule to find a match is used.
*/
- hierarchy[0] = "realms";
+ hierarchy[0] = KRB5_CONF_REALMS;
hierarchy[1] = realm;
- hierarchy[2] = "auth_to_local";
+ hierarchy[2] = KRB5_CONF_AUTH_TO_LOCAL;
hierarchy[3] = (char *) NULL;
if (!(kret = profile_get_values(context->profile,
hierarchy,
*/
context->default_realm = 0;
if (context->profile != 0) {
- retval = profile_get_string(context->profile, "libdefaults",
- "default_realm", 0, 0,
+ retval = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_DEFAULT_REALM, 0, 0,
&realm);
if (!retval && realm) {
realm = (char *)NULL;
temp_realm = 0;
while (cp ) {
- retval = profile_get_string(context->profile, "domain_realm", cp,
+ retval = profile_get_string(context->profile, KRB5_CONF_DOMAIN_REALM, cp,
0, (char *)NULL, &temp_realm);
if (retval)
return retval;
rethosts = 0;
- realm_kdc_names[0] = "realms";
+ realm_kdc_names[0] = KRB5_CONF_REALMS;
realm_kdc_names[1] = realm->data;
- realm_kdc_names[2] = "kdc";
+ realm_kdc_names[2] = KRB5_CONF_KDC;
realm_kdc_names[3] = 0;
if (context->profile == 0)
#ifdef DEBUG_REFERRALS
printf(" trying to look up %s in the domain_realm map\n",cp);
#endif
- retval = profile_get_string(context->profile, "domain_realm", cp,
+ retval = profile_get_string(context->profile, KRB5_CONF_DOMAIN_REALM, cp,
0, (char *)NULL, &temp_realm);
if (retval)
return retval;
int limit;
errcode_t code;
- code = profile_get_integer(context->profile, "libdefaults",
- "realm_try_domains", 0, -1, &limit);
+ code = profile_get_integer(context->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_REALM_TRY_DOMAINS, 0, -1, &limit);
if (code == 0) {
retval = domain_heuristic(context, local_host, &realm, limit);
if (retval)
if (strlcpy(name, cp, namesize) >= namesize)
return KRB5_CONFIG_NOTENUFSPACE;
} else if ((profile_get_string(context->profile,
- "libdefaults",
- "default_keytab_name", NULL,
+ KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_DEFAULT_KEYTAB_NAME, NULL,
NULL, &retval) == 0) &&
retval) {
if (strlcpy(name, retval, namesize) >= namesize)
{
krb5_error_code err;
static const char *const profile_name[] = {
- "libdefaults", "extra_addresses", 0
+ KRB5_CONF_LIBDEFAULTS, KRB5_CONF_EXTRA_ADDRESSES, 0
};
char **values;
char **iter;
char * value = NULL;
int use_dns = 0;
- code = profile_get_string(context->profile, "libdefaults",
+ code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
name, 0, 0, &value);
if (value == 0 && code == 0)
- code = profile_get_string(context->profile, "libdefaults",
- "dns_fallback", 0, 0, &value);
+ code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_DNS_FALLBACK, 0, 0, &value);
if (code)
return defalt;
int
_krb5_use_dns_kdc(krb5_context context)
{
- return maybe_use_dns (context, "dns_lookup_kdc", DEFAULT_LOOKUP_KDC);
+ return maybe_use_dns (context, KRB5_CONF_DNS_LOOKUP_KDC, DEFAULT_LOOKUP_KDC);
}
int
_krb5_use_dns_realm(krb5_context context)
{
- return maybe_use_dns (context, "dns_lookup_realm", DEFAULT_LOOKUP_REALM);
+ return maybe_use_dns (context, KRB5_CONF_DNS_LOOKUP_REALM, DEFAULT_LOOKUP_REALM);
}
#endif /* KRB5_DNS_LOOKUP */
masterlist = NULL;
- realm_srv_names[0] = "realms";
+ realm_srv_names[0] = KRB5_CONF_REALMS;
realm_srv_names[1] = host;
realm_srv_names[2] = name;
realm_srv_names[3] = 0;
}
if (get_masters) {
- realm_srv_names[0] = "realms";
+ realm_srv_names[0] = KRB5_CONF_REALMS;
realm_srv_names[1] = host;
- realm_srv_names[2] = "admin_server";
+ realm_srv_names[2] = KRB5_CONF_ADMIN_SERVER;
realm_srv_names[3] = 0;
code = profile_get_values(context->profile, realm_srv_names,
switch (svc) {
case locate_service_kdc:
- profname = "kdc";
+ profname = KRB5_CONF_KDC;
/* We used to use /etc/services for these, but enough systems
have old, crufty, wrong settings that this is probably
better. */
dflport2 = htons(KRB5_DEFAULT_SEC_PORT);
break;
case locate_service_master_kdc:
- profname = "master_kdc";
+ profname = KRB5_CONF_MASTER_KDC;
goto kdc_ports;
case locate_service_kadmin:
- profname = "admin_server";
+ profname = KRB5_CONF_ADMIN_SERVER;
dflport1 = htons(DEFAULT_KADM5_PORT);
break;
case locate_service_krb524:
- profname = "krb524_server";
+ profname = KRB5_CONF_KRB524_SERVER;
serv = getservbyname(KRB524_SERVICE, "udp");
dflport1 = serv ? serv->s_port : htons (KRB524_PORT);
break;
case locate_service_kpasswd:
- profname = "kpasswd_server";
+ profname = KRB5_CONF_KPASSWD_SERVER;
dflport1 = htons(DEFAULT_KPASSWD_PORT);
break;
default:
krb5_error_code retval;
char *temp_domain = 0;
- retval = profile_get_string(context->profile, "realms", realm,
- "default_domain", realm, &temp_domain);
+ retval = profile_get_string(context->profile, KRB5_CONF_REALMS, realm,
+ KRB5_CONF_DEFAULT_DOMAIN, realm, &temp_domain);
if (!retval && temp_domain)
{
*domain = strdup(temp_domain);
if (!tcp_only && context->udp_pref_limit < 0) {
int tmp;
retval = profile_get_integer(context->profile,
- "libdefaults", "udp_preference_limit", 0,
+ KRB5_CONF_LIBDEFAULTS, KRB5_CONF_UDP_PREFERENCE_LIMIT, 0,
DEFAULT_UDP_PREF_LIMIT, &tmp);
if (retval)
return retval;
char * value = NULL;
int use_rdns = 0;
- code = profile_get_string(context->profile, "libdefaults",
- "rdns", 0, 0, &value);
+ code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_RDNS, 0, 0, &value);
if (code)
return defalt;
*/
if (ldap_context->max_server_conns == 0) {
st = prof_get_integer_def (context, conf_section,
- "ldap_conns_per_server",
+ KRB5_CONF_LDAP_CONNS_PER_SERVER,
DEFAULT_CONNS_PER_SERVER,
&ldap_context->max_server_conns);
if (st)
if (ldap_context->bind_dn == NULL) {
char *name = 0;
if (srv_type == KRB5_KDB_SRV_TYPE_KDC)
- name = "ldap_kdc_dn";
+ name = KRB5_CONF_LDAP_KDC_DN;
else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN)
- name = "ldap_kadmind_dn";
+ name = KRB5_CONF_LDAP_KADMIN_DN;
else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD)
name = "ldap_kpasswdd_dn";
*/
if (ldap_context->service_password_file == NULL) {
st = prof_get_string_def (context, conf_section,
- "ldap_service_password_file",
+ KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE,
&ldap_context->service_password_file);
if (st)
goto cleanup;
*/
if (ldap_context->root_certificate_file == NULL) {
st = prof_get_string_def (context, conf_section,
- "ldap_root_certificate_file",
+ KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE,
&ldap_context->root_certificate_file);
if (st)
goto cleanup;
}
if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
- "ldap_servers", NULL, &tempval)) != 0) {
+ KRB5_CONF_LDAP_SERVERS, NULL, &tempval)) != 0) {
krb5_set_error_message (context, st, "Error reading 'ldap_servers' attribute");
goto cleanup;
}
retval = pkinit_libdefault_strings(context,
krb5_princ_realm(context, kdcprinc),
- "pkinit_kdc_hostname",
+ KRB5_CONF_PKINIT_KDC_HOSTNAME,
&cfghosts);
if (retval || cfghosts == NULL) {
pkiDebug("%s: No pkinit_kdc_hostname values found in config file\n",
context, plgctx, reqctx, request);
pkinit_libdefault_boolean(context, &request->server->realm,
- "pkinit_win2k",
+ KRB5_CONF_PKINIT_WIN2K,
reqctx->opts->win2k_target,
&reqctx->opts->win2k_target);
pkinit_libdefault_boolean(context, &request->server->realm,
- "pkinit_win2k_require_binding",
+ KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING,
reqctx->opts->win2k_require_cksum,
&reqctx->opts->win2k_require_cksum);
pkinit_libdefault_boolean(context, &request->server->realm,
- "pkinit_require_crl_checking",
+ KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING,
reqctx->opts->require_crl_checking,
&reqctx->opts->require_crl_checking);
pkinit_libdefault_integer(context, &request->server->realm,
- "pkinit_dh_min_bits",
+ KRB5_CONF_PKINIT_DH_MIN_BITS,
reqctx->opts->dh_size,
&reqctx->opts->dh_size);
if (reqctx->opts->dh_size != 1024 && reqctx->opts->dh_size != 2048
reqctx->opts->dh_size = PKINIT_DEFAULT_DH_MIN_BITS;
}
pkinit_libdefault_string(context, &request->server->realm,
- "pkinit_eku_checking",
+ KRB5_CONF_PKINIT_EKU_CHECKING,
&eku_string);
if (eku_string != NULL) {
if (strcasecmp(eku_string, "kpKDC") == 0) {
#ifdef LONGHORN_BETA_COMPAT
/* Temporarily just set global flag from config file */
pkinit_libdefault_boolean(context, &request->server->realm,
- "pkinit_longhorn",
+ KRB5_CONF_PKINIT_LONGHORN,
0,
&longhorn);
#endif
/* Only process anchors here if they were not specified on command line */
if (reqctx->idopts->anchors == NULL)
pkinit_libdefault_strings(context, &request->server->realm,
- "pkinit_anchors",
+ KRB5_CONF_PKINIT_ANCHORS,
&reqctx->idopts->anchors);
pkinit_libdefault_strings(context, &request->server->realm,
- "pkinit_pool",
+ KRB5_CONF_PKINIT_POOL,
&reqctx->idopts->intermediates);
pkinit_libdefault_strings(context, &request->server->realm,
- "pkinit_revoke",
+ KRB5_CONF_PKINIT_REVOKE,
&reqctx->idopts->crls);
pkinit_libdefault_strings(context, &request->server->realm,
- "pkinit_identities",
+ KRB5_CONF_PKINIT_IDENTITIES,
&reqctx->idopts->identity_alt);
}
/* If no matching rules, select the default cert and we're done */
pkinit_libdefault_strings(context, krb5_princ_realm(context, princ),
- "pkinit_cert_match", &rules);
+ KRB5_CONF_PKINIT_CERT_MATCH, &rules);
if (rules == NULL) {
pkiDebug("%s: no matching rules found in config file\n", __FUNCTION__);
retval = crypto_cert_select_default(context, plg_cryptoctx,
* }
*/
- names[0] = "realms";
+ names[0] = KRB5_CONF_REALMS;
names[1] = realmname;
names[2] = option;
names[3] = 0;
* option = <value>
*/
- names[0] = "kdcdefaults";
+ names[0] = KRB5_CONF_KDCDEFAULTS;
names[1] = option;
names[2] = 0;
retval = profile_get_values(profile, names, &values);
* }
*/
- names[0] = "libdefaults";
+ names[0] = KRB5_CONF_LIBDEFAULTS;
names[1] = realmstr;
names[2] = option;
names[3] = 0;
* }
*/
- names[0] = "realms";
+ names[0] = KRB5_CONF_REALMS;
names[1] = realmstr;
names[2] = option;
names[3] = 0;
* option = <value>
*/
- names[0] = "libdefaults";
+ names[0] = KRB5_CONF_LIBDEFAULTS;
names[1] = option;
names[2] = 0;
retval = profile_get_values(profile, names, &values);
pkiDebug("%s: entered for realm %s\n", __FUNCTION__, plgctx->realmname);
retval = pkinit_kdcdefault_string(context, plgctx->realmname,
- "pkinit_identity",
+ KRB5_CONF_PKINIT_IDENTITY,
&plgctx->idopts->identity);
if (retval != 0 || NULL == plgctx->idopts->identity) {
retval = EINVAL;
}
retval = pkinit_kdcdefault_strings(context, plgctx->realmname,
- "pkinit_anchors",
+ KRB5_CONF_PKINIT_ANCHORS,
&plgctx->idopts->anchors);
if (retval != 0 || NULL == plgctx->idopts->anchors) {
retval = EINVAL;
}
pkinit_kdcdefault_strings(context, plgctx->realmname,
- "pkinit_pool",
+ KRB5_CONF_PKINIT_POOL,
&plgctx->idopts->intermediates);
pkinit_kdcdefault_strings(context, plgctx->realmname,
- "pkinit_revoke",
+ KRB5_CONF_PKINIT_REVOKE,
&plgctx->idopts->crls);
pkinit_kdcdefault_string(context, plgctx->realmname,
- "pkinit_kdc_ocsp",
+ KRB5_CONF_PKINIT_KDC_OCSP,
&plgctx->idopts->ocsp);
pkinit_kdcdefault_string(context, plgctx->realmname,
- "pkinit_mappings_file",
+ KRB5_CONF_PKINIT_MAPPING_FILE,
&plgctx->idopts->dn_mapping_file);
pkinit_kdcdefault_integer(context, plgctx->realmname,
- "pkinit_dh_min_bits",
+ KRB5_CONF_PKINIT_DH_MIN_BITS,
PKINIT_DEFAULT_DH_MIN_BITS,
&plgctx->opts->dh_min_bits);
- if (plgctx->opts->dh_min_bits < 1024) {
+ if (plgctx->opts->dh_min_bits < PKINIT_DEFAULT_DH_MIN_BITS) {
pkiDebug("%s: invalid value (%d) for pkinit_dh_min_bits, "
"using default value (%d) instead\n", __FUNCTION__,
plgctx->opts->dh_min_bits, PKINIT_DEFAULT_DH_MIN_BITS);
}
pkinit_kdcdefault_boolean(context, plgctx->realmname,
- "pkinit_allow_upn",
+ KRB5_CONF_PKINIT_ALLOW_UPN,
0, &plgctx->opts->allow_upn);
pkinit_kdcdefault_boolean(context, plgctx->realmname,
- "pkinit_require_crl_checking",
+ KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING,
0, &plgctx->opts->require_crl_checking);
pkinit_kdcdefault_string(context, plgctx->realmname,
- "pkinit_eku_checking",
+ KRB5_CONF_PKINIT_EKU_CHECKING,
&eku_string);
if (eku_string != NULL) {
if (strcasecmp(eku_string, "kpClientAuth") == 0) {