1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* plugins/kdb/ldap/libkdb_ldap/lockout.c */
4 * Copyright (C) 2009 by the Massachusetts Institute of Technology.
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
31 #include <kadm5/admin.h>
35 #include "princ_xdr.h"
36 #include "ldap_principal.h"
37 #include "ldap_pwd_policy.h"
38 #include "ldap_tkt_policy.h"
40 static krb5_error_code
41 lookup_lockout_policy(krb5_context context,
43 krb5_kvno *pw_max_fail,
44 krb5_deltat *pw_failcnt_interval,
45 krb5_deltat *pw_lockout_duration)
49 osa_princ_ent_rec adb;
53 *pw_failcnt_interval = 0;
54 *pw_lockout_duration = 0;
56 tl_data.tl_data_type = KRB5_TL_KADM_DATA;
58 code = krb5_dbe_lookup_tl_data(context, entry, &tl_data);
59 if (code != 0 || tl_data.tl_data_length == 0)
62 memset(&adb, 0, sizeof(adb));
64 code = krb5_lookup_tl_kadm_data(&tl_data, &adb);
68 if (adb.policy != NULL) {
69 osa_policy_ent_t policy = NULL;
71 code = krb5_ldap_get_password_policy(context, adb.policy, &policy);
73 *pw_max_fail = policy->pw_max_fail;
74 *pw_failcnt_interval = policy->pw_failcnt_interval;
75 *pw_lockout_duration = policy->pw_lockout_duration;
77 krb5_ldap_free_password_policy(context, policy);
80 xdrmem_create(&xdrs, NULL, 0, XDR_FREE);
81 ldap_xdr_osa_princ_ent_rec(&xdrs, &adb);
87 /* draft-behera-ldap-password-policy-10.txt 7.1 */
89 locked_check_p(krb5_context context,
92 krb5_timestamp lockout_duration,
95 krb5_timestamp unlock_time;
97 /* If the entry was unlocked since the last failure, it's not locked. */
98 if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 &&
99 entry->last_failed <= unlock_time)
102 if (max_fail == 0 || entry->fail_auth_count < max_fail)
105 if (lockout_duration == 0)
106 return TRUE; /* principal permanently locked */
108 return (stamp < entry->last_failed + lockout_duration);
112 krb5_ldap_lockout_check_policy(krb5_context context,
113 krb5_db_entry *entry,
114 krb5_timestamp stamp)
116 krb5_error_code code;
117 kdb5_dal_handle *dal_handle;
118 krb5_ldap_context *ldap_context;
119 krb5_kvno max_fail = 0;
120 krb5_deltat failcnt_interval = 0;
121 krb5_deltat lockout_duration = 0;
124 if (ldap_context->disable_lockout)
127 code = lookup_lockout_policy(context, entry, &max_fail,
130 if (code != 0 || failcnt_interval == 0)
133 if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
134 return KRB5KDC_ERR_CLIENT_REVOKED;
140 krb5_ldap_lockout_audit(krb5_context context,
141 krb5_db_entry *entry,
142 krb5_timestamp stamp,
143 krb5_error_code status)
145 krb5_error_code code;
146 kdb5_dal_handle *dal_handle;
147 krb5_ldap_context *ldap_context;
148 krb5_kvno max_fail = 0;
149 krb5_deltat failcnt_interval = 0;
150 krb5_deltat lockout_duration = 0;
151 krb5_timestamp unlock_time;
157 case KRB5KDC_ERR_PREAUTH_FAILED:
158 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
167 if (!ldap_context->disable_lockout) {
168 code = lookup_lockout_policy(context, entry, &max_fail,
176 * Don't continue to modify the DB for an already locked account.
177 * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
178 * this check is unneeded, but in rare cases, we can fail with an
179 * integrity error or preauth failure before a policy check.)
181 if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
186 /* Only mark the authentication as successful if the entry
187 * required preauthentication, otherwise we have no idea. */
188 if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
189 if (!ldap_context->disable_lockout && entry->fail_auth_count != 0) {
190 entry->fail_auth_count = 0;
191 entry->mask |= KADM5_FAIL_AUTH_COUNT;
193 if (!ldap_context->disable_last_success) {
194 entry->last_success = stamp;
195 entry->mask |= KADM5_LAST_SUCCESS;
197 } else if (!ldap_context->disable_lockout &&
198 (status == KRB5KDC_ERR_PREAUTH_FAILED ||
199 status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) {
200 if (krb5_dbe_lookup_last_admin_unlock(context, entry,
201 &unlock_time) == 0 &&
202 entry->last_failed <= unlock_time) {
203 /* Reset fail_auth_count after administrative unlock. */
204 entry->fail_auth_count = 0;
205 entry->mask |= KADM5_FAIL_AUTH_COUNT;
208 if (failcnt_interval != 0 &&
209 stamp > entry->last_failed + failcnt_interval) {
210 /* Reset fail_auth_count after failcnt_interval */
211 entry->fail_auth_count = 0;
212 entry->mask |= KADM5_FAIL_AUTH_COUNT;
215 entry->last_failed = stamp;
216 entry->mask |= KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT_INCREMENT;
220 code = krb5_ldap_put_principal(context, entry, NULL);