2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the Institute nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 #include <parse_bytes.h>
42 krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
44 krb5_kdc_configuration *c;
46 c = calloc(1, sizeof(*c));
48 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
52 c->require_preauth = TRUE;
53 c->kdc_warn_pwexpire = 0;
54 c->encode_as_rep_as_tgs_rep = FALSE;
55 c->check_ticket_addresses = TRUE;
56 c->allow_null_ticket_addresses = TRUE;
57 c->allow_anonymous = FALSE;
58 c->trpolicy = TRPOLICY_ALWAYS_CHECK;
60 c->enable_kaserver = FALSE;
61 c->enable_524 = FALSE;
62 c->enable_v4_cross_realm = FALSE;
63 c->enable_pkinit = FALSE;
64 c->pkinit_princ_in_cert = TRUE;
65 c->pkinit_require_binding = TRUE;
71 krb5_config_get_bool_default(context, NULL,
73 "kdc", "require-preauth", NULL);
75 krb5_config_get_bool_default(context, NULL,
77 "kdc", "enable-kerberos4", NULL);
78 c->enable_v4_cross_realm =
79 krb5_config_get_bool_default(context, NULL,
80 c->enable_v4_cross_realm,
82 "enable-kerberos4-cross-realm", NULL);
84 krb5_config_get_bool_default(context, NULL,
86 "kdc", "enable-524", NULL);
88 krb5_config_get_bool_default(context, NULL,
90 "kdc", "enable-digest", NULL);
95 digests = krb5_config_get_string(context, NULL,
97 "digests_allowed", NULL);
100 c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
101 if (c->digests_allowed == -1) {
102 kdc_log(context, c, 0,
103 "unparsable digest units (%s), turning off digest",
105 c->enable_digest = 0;
106 } else if (c->digests_allowed == 0) {
107 kdc_log(context, c, 0,
108 "no digest enable, turning digest off",
110 c->enable_digest = 0;
115 krb5_config_get_bool_default(context, NULL,
117 "kdc", "enable-kx509", NULL);
119 if (c->enable_kx509) {
121 krb5_config_get_string(context, NULL,
122 "kdc", "kx509_template", NULL);
124 krb5_config_get_string(context, NULL,
125 "kdc", "kx509_ca", NULL);
126 if (c->kx509_ca == NULL || c->kx509_template == NULL) {
127 kdc_log(context, c, 0,
128 "missing kx509 configuration, turning off");
129 c->enable_kx509 = FALSE;
133 c->check_ticket_addresses =
134 krb5_config_get_bool_default(context, NULL,
135 c->check_ticket_addresses,
137 "check-ticket-addresses", NULL);
138 c->allow_null_ticket_addresses =
139 krb5_config_get_bool_default(context, NULL,
140 c->allow_null_ticket_addresses,
142 "allow-null-ticket-addresses", NULL);
145 krb5_config_get_bool_default(context, NULL,
148 "allow-anonymous", NULL);
150 c->max_datagram_reply_length =
151 krb5_config_get_int_default(context,
155 "max-kdc-datagram-reply-length",
159 const char *trpolicy_str;
162 krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
163 "transited-policy", NULL);
164 if(strcasecmp(trpolicy_str, "always-check") == 0) {
165 c->trpolicy = TRPOLICY_ALWAYS_CHECK;
166 } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
167 c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
168 } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
169 c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
170 } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
173 kdc_log(context, c, 0,
174 "unknown transited-policy: %s, "
175 "reverting to default (always-check)",
182 p = krb5_config_get_string (context, NULL,
187 c->v4_realm = strdup(p);
188 if (c->v4_realm == NULL)
189 krb5_errx(context, 1, "out of memory");
196 krb5_config_get_bool_default(context,
199 "kdc", "enable-kaserver", NULL);
202 c->encode_as_rep_as_tgs_rep =
203 krb5_config_get_bool_default(context, NULL,
204 c->encode_as_rep_as_tgs_rep,
206 "encode_as_rep_as_tgs_rep", NULL);
208 c->kdc_warn_pwexpire =
209 krb5_config_get_time_default (context, NULL,
210 c->kdc_warn_pwexpire,
211 "kdc", "kdc_warn_pwexpire", NULL);
216 krb5_config_get_bool_default(context,
222 if (c->enable_pkinit) {
223 const char *user_id, *anchors, *ocsp_file;
224 char **pool_list, **revoke_list;
227 krb5_config_get_string(context, NULL,
228 "kdc", "pkinit_identity", NULL);
230 krb5_errx(context, 1, "pkinit enabled but no identity");
232 anchors = krb5_config_get_string(context, NULL,
233 "kdc", "pkinit_anchors", NULL);
235 krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
238 krb5_config_get_strings(context, NULL,
239 "kdc", "pkinit_pool", NULL);
242 krb5_config_get_strings(context, NULL,
243 "kdc", "pkinit_revoke", NULL);
246 krb5_config_get_string(context, NULL,
247 "kdc", "pkinit_kdc_ocsp", NULL);
249 c->pkinit_kdc_ocsp_file = strdup(ocsp_file);
250 if (c->pkinit_kdc_ocsp_file == NULL)
251 krb5_errx(context, 1, "out of memory");
254 _kdc_pk_initialize(context, c, user_id, anchors,
255 pool_list, revoke_list);
257 krb5_config_free_strings(pool_list);
258 krb5_config_free_strings(revoke_list);
260 c->pkinit_princ_in_cert =
261 krb5_config_get_bool_default(context, NULL,
262 c->pkinit_princ_in_cert,
264 "pkinit_principal_in_certificate",
267 c->pkinit_require_binding =
268 krb5_config_get_bool_default(context, NULL,
269 c->pkinit_require_binding,
271 "pkinit_win2k_require_binding",
275 c->pkinit_dh_min_bits =
276 krb5_config_get_int_default(context, NULL,
278 "kdc", "pkinit_dh_min_bits", NULL);
git.samba.org / kai / samba.git / blob