1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
3 * lib/kdb/kdb_ldap/ldap_create.c
5 * Copyright (c) 2004-2005, Novell, Inc.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions are met:
11 * * Redistributions of source code must retain the above copyright notice,
12 * this list of conditions and the following disclaimer.
13 * * Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * * The copyright holder's name is not used to endorse or promote products
17 * derived from this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
23 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
33 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
34 * Use is subject to license terms.
37 #include "ldap_main.h"
38 #include "ldap_realm.h"
39 #include "ldap_principal.h"
40 #include "ldap_krbcontainer.h"
44 * ******************************************************************************
46 * ******************************************************************************
50 * This function will create a krbcontainer and realm on the LDAP Server, with
51 * the specified attributes.
54 krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
56 krb5_error_code status = 0;
57 char **t_ptr = db_args;
58 krb5_ldap_realm_params *rparams = NULL;
59 kdb5_dal_handle *dal_handle = NULL;
60 krb5_ldap_context *ldap_context=NULL;
61 krb5_boolean realm_obj_created = FALSE;
62 krb5_boolean krbcontainer_obj_created = FALSE;
63 krb5_ldap_krbcontainer_params kparams = {0};
66 #ifdef HAVE_EDIRECTORY
67 int i = 0, rightsmask = 0;
70 /* Clear the global error string */
71 krb5_clear_error_message(context);
73 ldap_context = malloc(sizeof(krb5_ldap_context));
74 if (ldap_context == NULL) {
78 memset(ldap_context, 0, sizeof(*ldap_context));
80 ldap_context->kcontext = context;
82 /* populate ldap_context with ldap specific options */
83 while (t_ptr && *t_ptr) {
84 char *opt = NULL, *val = NULL;
86 if ((status = krb5_ldap_get_db_opt(*t_ptr, &opt, &val)) != 0) {
89 if (opt && !strcmp(opt, "binddn")) {
90 if (ldap_context->bind_dn) {
94 krb5_set_error_message (context, status, "'binddn' missing");
99 krb5_set_error_message (context, status, "'binddn' value missing");
103 ldap_context->bind_dn = strdup(val);
104 if (ldap_context->bind_dn == NULL) {
110 } else if (opt && !strcmp(opt, "nconns")) {
111 if (ldap_context->max_server_conns) {
115 krb5_set_error_message (context, status, "'nconns' missing");
120 krb5_set_error_message (context, status, "'nconns' value missing");
124 ldap_context->max_server_conns = atoi(val) ? atoi(val) : DEFAULT_CONNS_PER_SERVER;
125 } else if (opt && !strcmp(opt, "bindpwd")) {
126 if (ldap_context->bind_pwd) {
130 krb5_set_error_message (context, status, "'bindpwd' missing");
135 krb5_set_error_message (context, status, "'bindpwd' value missing");
139 ldap_context->bind_pwd = strdup(val);
140 if (ldap_context->bind_pwd == NULL) {
146 } else if (opt && !strcmp(opt, "host")) {
149 krb5_set_error_message (context, status, "'host' value missing");
153 if (ldap_context->server_info_list == NULL)
154 ldap_context->server_info_list =
155 (krb5_ldap_server_info **) calloc(SERV_COUNT+1, sizeof(krb5_ldap_server_info *));
157 if (ldap_context->server_info_list == NULL) {
164 ldap_context->server_info_list[srv_cnt] =
165 (krb5_ldap_server_info *) calloc(1, sizeof(krb5_ldap_server_info));
166 if (ldap_context->server_info_list[srv_cnt] == NULL) {
173 ldap_context->server_info_list[srv_cnt]->server_status = NOTSET;
175 ldap_context->server_info_list[srv_cnt]->server_name = strdup(val);
176 if (ldap_context->server_info_list[srv_cnt]->server_name == NULL) {
184 #ifdef HAVE_EDIRECTORY
185 } else if (opt && !strcmp(opt, "cert")) {
188 krb5_set_error_message (context, status, "'cert' value missing");
193 if (ldap_context->root_certificate_file == NULL) {
194 ldap_context->root_certificate_file = strdup(val);
195 if (ldap_context->root_certificate_file == NULL) {
204 if (asprintf(&newstr, "%s %s",
205 ldap_context->root_certificate_file, val) < 0) {
211 ldap_context->root_certificate_file = newstr;
215 /* ignore hash argument. Might have been passed from create */
217 if (opt && !strcmp(opt, "temporary")) {
219 * temporary is passed in when kdb5_util load without -update is done.
220 * This is unsupported by the LDAP plugin.
222 krb5_set_error_message (context, status,
223 "creation of LDAP entries aborted, plugin requires -update argument");
225 krb5_set_error_message (context, status, "unknown option \'%s\'",
238 dal_handle = context->dal_handle;
239 dal_handle->db_context = (kdb5_dal_handle *) ldap_context;
241 status = krb5_ldap_read_server_params(context, conf_section, KRB5_KDB_SRV_TYPE_ADMIN);
243 dal_handle->db_context = NULL;
244 prepend_err_str (context, "Error reading LDAP server params: ", status, status);
247 status = krb5_ldap_db_init(context, ldap_context);
252 /* read the kerberos container */
253 if ((status = krb5_ldap_read_krbcontainer_params(context,
254 &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) {
256 /* Read the kerberos container location from configuration file */
257 if (ldap_context->conf_section) {
258 if ((status = profile_get_string(context->profile,
259 KDB_MODULE_SECTION, ldap_context->conf_section,
260 "ldap_kerberos_container_dn", NULL,
261 &kparams.DN)) != 0) {
265 if (kparams.DN == NULL) {
266 if ((status = profile_get_string(context->profile,
267 KDB_MODULE_DEF_SECTION,
268 "ldap_kerberos_container_dn", NULL,
269 NULL, &kparams.DN)) != 0) {
274 /* create the kerberos container */
275 status = krb5_ldap_create_krbcontainer(context,
276 ((kparams.DN != NULL) ? &kparams : NULL));
280 krbcontainer_obj_created = TRUE;
282 status = krb5_ldap_read_krbcontainer_params(context,
283 &(ldap_context->krbcontainer));
291 rparams = (krb5_ldap_realm_params *) malloc(sizeof(krb5_ldap_realm_params));
292 if (rparams == NULL) {
296 memset(rparams, 0, sizeof(*rparams));
297 rparams->realm_name = strdup(context->default_realm);
298 if (rparams->realm_name == NULL) {
303 if ((status = krb5_ldap_create_realm(context, rparams, mask)))
306 /* We just created the Realm container. Here starts our transaction tracking */
307 realm_obj_created = TRUE;
309 /* verify realm object */
310 if ((status = krb5_ldap_read_realm_params(context,
312 &(ldap_context->lrparams),
316 #ifdef HAVE_EDIRECTORY
317 if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
318 (mask & LDAP_REALM_PASSWDSERVERS)) {
321 rightsmask |= LDAP_REALM_RIGHTS;
322 rightsmask |= LDAP_SUBTREE_RIGHTS;
323 if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
324 for (i=0; (rparams->kdcservers[i] != NULL); i++) {
325 if ((status=krb5_ldap_add_service_rights(context,
326 LDAP_KDC_SERVICE, rparams->kdcservers[i],
327 rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
334 rightsmask |= LDAP_REALM_RIGHTS;
335 rightsmask |= LDAP_SUBTREE_RIGHTS;
336 if ((rparams != NULL) && (rparams->adminservers != NULL)) {
337 for (i=0; (rparams->adminservers[i] != NULL); i++) {
338 if ((status=krb5_ldap_add_service_rights(context,
339 LDAP_ADMIN_SERVICE, rparams->adminservers[i],
340 rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
347 rightsmask |= LDAP_REALM_RIGHTS;
348 rightsmask |= LDAP_SUBTREE_RIGHTS;
349 if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
350 for (i=0; (rparams->passwdservers[i] != NULL); i++) {
351 if ((status=krb5_ldap_add_service_rights(context,
352 LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
353 rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
363 /* If the krbcontainer/realm creation is not complete, do the roll-back here */
364 if ((krbcontainer_obj_created) && (!realm_obj_created)) {
366 rc = krb5_ldap_delete_krbcontainer(context,
367 ((kparams.DN != NULL) ? &kparams : NULL));
368 krb5_set_error_message(context, rc,
369 "could not complete roll-back, error deleting Kerberos Container");
372 /* should call krb5_ldap_free_krbcontainer_params() but can't */
373 if (kparams.DN != NULL)
374 krb5_xfree(kparams.DN);
377 krb5_ldap_free_realm_params(rparams);