summaryrefslogtreecommitdiff
path: root/src/providers/ldap/ldap_child.c
diff options
context:
space:
mode:
authoreindenbom <eindenbom@gmail.com>2010-07-02 18:38:48 +0400
committerStephen Gallagher <sgallagh@redhat.com>2010-07-09 11:44:06 -0400
commita2cabe1873c4d01c18ef6617b6b1f10a0ce3560e (patch)
treedf627427a5f2755612e96bedfcfb72edc4ae73fd /src/providers/ldap/ldap_child.c
parent780ffc9f6d5e1fcd4df3d390b56cb98878223cc0 (diff)
downloadsssd-a2cabe1873c4d01c18ef6617b6b1f10a0ce3560e.tar.gz
sssd-a2cabe1873c4d01c18ef6617b6b1f10a0ce3560e.tar.bz2
sssd-a2cabe1873c4d01c18ef6617b6b1f10a0ce3560e.zip
GSSAPI ticket expiry time is returned from ldap_child and stored in sdap_handle for future reference.
Diffstat (limited to 'src/providers/ldap/ldap_child.c')
-rw-r--r--src/providers/ldap/ldap_child.c35
1 files changed, 28 insertions, 7 deletions
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 3369d709..19162e92 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -94,13 +94,13 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
return EOK;
}
-static int pack_buffer(struct response *r, int result, const char *msg)
+static int pack_buffer(struct response *r, int result, const char *msg, time_t expire_time)
{
int len;
size_t p = 0;
len = strlen(msg);
- r->size = 2 * sizeof(uint32_t) + len;
+ r->size = 2 * sizeof(uint32_t) + len + sizeof(time_t);
r->buf = talloc_array(r, uint8_t, r->size);
if(!r->buf) {
@@ -116,6 +116,9 @@ static int pack_buffer(struct response *r, int result, const char *msg)
/* message itself */
safealign_memcpy(&r->buf[p], msg, len, &p);
+ /* ticket expiration time */
+ safealign_memcpy(&r->buf[p], &expire_time, sizeof(expire_time), &p);
+
return EOK;
}
@@ -124,7 +127,8 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
const char *princ_str,
const char *keytab_name,
const krb5_deltat lifetime,
- const char **ccname_out)
+ const char **ccname_out,
+ time_t *expire_time_out)
{
char *ccname;
char *realm_name = NULL;
@@ -136,6 +140,8 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
krb5_creds my_creds;
krb5_get_init_creds_opt options;
krb5_error_code krberr;
+ krb5_timestamp kdc_time_offset;
+ int kdc_time_offset_usec;
int ret;
krberr = krb5_init_context(&context);
@@ -254,8 +260,20 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
goto done;
}
+ krberr = krb5_get_time_offsets(context, &kdc_time_offset, &kdc_time_offset_usec);
+ if (krberr) {
+ DEBUG(2, ("Failed to get KDC time offset: %s\n",
+ sss_krb5_get_error_message(context, krberr)));
+ kdc_time_offset = 0;
+ } else {
+ if (kdc_time_offset_usec > 0) {
+ kdc_time_offset++;
+ }
+ }
+
ret = EOK;
*ccname_out = ccname;
+ *expire_time_out = my_creds.times.endtime - kdc_time_offset;
done:
if (keytab) krb5_kt_close(context, keytab);
@@ -265,6 +283,7 @@ done:
static int prepare_response(TALLOC_CTX *mem_ctx,
const char *ccname,
+ time_t expire_time,
krb5_error_code kerr,
struct response **rsp)
{
@@ -279,7 +298,7 @@ static int prepare_response(TALLOC_CTX *mem_ctx,
r->size = 0;
if (kerr == 0) {
- ret = pack_buffer(r, EOK, ccname);
+ ret = pack_buffer(r, EOK, ccname, expire_time);
} else {
krb5_msg = sss_krb5_get_error_message(krb5_error_ctx, kerr);
if (krb5_msg == NULL) {
@@ -287,7 +306,7 @@ static int prepare_response(TALLOC_CTX *mem_ctx,
return ENOMEM;
}
- ret = pack_buffer(r, EFAULT, krb5_msg);
+ ret = pack_buffer(r, EFAULT, krb5_msg, 0);
sss_krb5_free_error_message(krb5_error_ctx, krb5_msg);
}
@@ -311,6 +330,7 @@ int main(int argc, const char *argv[])
uint8_t *buf = NULL;
ssize_t len = 0;
const char *ccname = NULL;
+ time_t expire_time = 0;
struct input_buffer *ibuf = NULL;
struct response *resp = NULL;
size_t written;
@@ -397,13 +417,14 @@ int main(int argc, const char *argv[])
kerr = ldap_child_get_tgt_sync(main_ctx,
ibuf->realm_str, ibuf->princ_str,
- ibuf->keytab_name, ibuf->lifetime, &ccname);
+ ibuf->keytab_name, ibuf->lifetime,
+ &ccname, &expire_time);
if (kerr != EOK) {
DEBUG(1, ("ldap_child_get_tgt_sync failed.\n"));
/* Do not return, must report failure */
}
- ret = prepare_response(main_ctx, ccname, kerr, &resp);
+ ret = prepare_response(main_ctx, ccname, expire_time, kerr, &resp);
if (ret != EOK) {
DEBUG(1, ("prepare_response failed. [%d][%s].\n", ret, strerror(ret)));
return ENOMEM;