lib/kadm5 \
lib/kdb \
lib/krb5 \
+ plugins \
prototype \
slave
include/k5-platform.h \
include/gssrpc \
lib/krb5/krb/deltat.c \
- lib/krb5/unicode
+ lib/krb5/unicode \
+ plugins/kdb/db2/libdb2 \
+ plugins/kdb/db2/pol_xdr.c \
+ plugins/kdb/hdb/hdb.h \
+ plugins/kdb/hdb/hdb_asn1.h \
+ plugins/kdb/hdb/hdb_err.h \
+ plugins/kdb/hdb/windc_plugin.h \
+ plugins/kdb/ldap/libkdb_ldap/princ_xdr.c \
+ plugins/kdb/ldap/libkdb_ldap/princ_xdr.h \
+ plugins/preauth/pkinit
EXCLUDES = `for i in $(BSDFILES) $(OTHEREXCLUDES); do echo $$i; done | $(AWK) '{ print "-path", $$1, "-o" }'` -path /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* plugins/authdata/greet/
*
static krb5_error_code
greet_authdata(krb5_context ctx, krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part * enc_tkt_reply)
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part * enc_tkt_reply)
{
#define GREET_SIZE (20)
a = calloc(1, sizeof(*a));
if (p == NULL || a == NULL) {
- free(p);
- free(a);
- return ENOMEM;
+ free(p);
+ free(a);
+ return ENOMEM;
}
strncpy(p, "hello there", GREET_SIZE-1);
a->magic = KV5M_AUTHDATA;
a->length = GREET_SIZE;
a->contents = (unsigned char *)p;
if (enc_tkt_reply->authorization_data == 0) {
- count = 0;
+ count = 0;
} else {
- for (count = 0; enc_tkt_reply->authorization_data[count] != 0; count++)
- ;
+ for (count = 0; enc_tkt_reply->authorization_data[count] != 0; count++)
+ ;
}
new_ad = realloc(enc_tkt_reply->authorization_data,
- (count+2) * sizeof(krb5_authdata *));
+ (count+2) * sizeof(krb5_authdata *));
if (new_ad == NULL) {
- free(p);
- free(a);
- return ENOMEM;
+ free(p);
+ free(a);
+ return ENOMEM;
}
enc_tkt_reply->authorization_data = new_ad;
new_ad[count] = a;
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* plugins/authdata/greet_client/
*
static krb5_error_code
greet_delete_attribute(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- const krb5_data *attribute)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ const krb5_data *attribute)
{
struct greet_context *greet = (struct greet_context *)request_context;
struct greet_context *greet = (struct greet_context *)request_context;
*sizep += sizeof(krb5_int32) +
- greet->greeting.length +
- sizeof(krb5_int32);
+ greet->greeting.length +
+ sizeof(krb5_int32);
return 0;
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* plugins/authdata/greet_server/
*
krb5_data *greeting = NULL;
if (request->msg_type != KRB5_TGS_REQ)
- return 0;
+ return 0;
code = greet_hello(context, &greeting);
if (code != 0)
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
static char *rcsid = "$Header$";
#endif
-#include <sys/file.h>
-#include <fcntl.h>
-#include <unistd.h>
+#include <sys/file.h>
+#include <fcntl.h>
+#include <unistd.h>
#include <k5-int.h>
-#include "policy_db.h"
-#include <stdlib.h>
+#include "policy_db.h"
+#include <stdlib.h>
#include <db.h>
#define MAX_LOCK_TRIES 5
struct _locklist {
- osa_adb_lock_ent lockinfo;
- struct _locklist *next;
+ osa_adb_lock_ent lockinfo;
+ struct _locklist *next;
};
-krb5_error_code osa_adb_create_db(char *filename, char *lockfilename,
- int magic)
+krb5_error_code
+osa_adb_create_db(char *filename, char *lockfilename, int magic)
{
- int lf;
- DB *db;
- BTREEINFO btinfo;
-
- memset(&btinfo, 0, sizeof(btinfo));
- btinfo.flags = 0;
- btinfo.cachesize = 0;
- btinfo.psize = 4096;
- btinfo.lorder = 0;
- btinfo.minkeypage = 0;
- btinfo.compare = NULL;
- btinfo.prefix = NULL;
- db = dbopen(filename, O_RDWR | O_CREAT | O_EXCL, 0600, DB_BTREE, &btinfo);
- if (db == NULL)
- return errno;
- if (db->close(db) < 0)
- return errno;
-
- /* only create the lock file if we successfully created the db */
- lf = THREEPARAMOPEN(lockfilename, O_RDWR | O_CREAT | O_EXCL, 0600);
- if (lf == -1)
- return errno;
- (void) close(lf);
-
- return OSA_ADB_OK;
+ int lf;
+ DB *db;
+ BTREEINFO btinfo;
+
+ memset(&btinfo, 0, sizeof(btinfo));
+ btinfo.flags = 0;
+ btinfo.cachesize = 0;
+ btinfo.psize = 4096;
+ btinfo.lorder = 0;
+ btinfo.minkeypage = 0;
+ btinfo.compare = NULL;
+ btinfo.prefix = NULL;
+ db = dbopen(filename, O_RDWR | O_CREAT | O_EXCL, 0600, DB_BTREE, &btinfo);
+ if (db == NULL)
+ return errno;
+ if (db->close(db) < 0)
+ return errno;
+
+ /* only create the lock file if we successfully created the db */
+ lf = THREEPARAMOPEN(lockfilename, O_RDWR | O_CREAT | O_EXCL, 0600);
+ if (lf == -1)
+ return errno;
+ (void) close(lf);
+
+ return OSA_ADB_OK;
}
-krb5_error_code osa_adb_destroy_db(char *filename, char *lockfilename,
- int magic)
+krb5_error_code
+osa_adb_destroy_db(char *filename, char *lockfilename, int magic)
{
- /* the admin databases do not contain security-critical data */
- if (unlink(filename) < 0 ||
- unlink(lockfilename) < 0)
- return errno;
- return OSA_ADB_OK;
+ /* the admin databases do not contain security-critical data */
+ if (unlink(filename) < 0 ||
+ unlink(lockfilename) < 0)
+ return errno;
+ return OSA_ADB_OK;
}
-krb5_error_code osa_adb_rename_db(char *filefrom, char *lockfrom,
- char *fileto, char *lockto, int magic)
+krb5_error_code
+osa_adb_rename_db(char *filefrom, char *lockfrom, char *fileto, char *lockto,
+ int magic)
{
- osa_adb_db_t fromdb, todb;
- krb5_error_code ret;
-
- /* make sure todb exists */
- if ((ret = osa_adb_create_db(fileto, lockto, magic)) &&
- ret != EEXIST)
- return ret;
-
- if ((ret = osa_adb_init_db(&fromdb, filefrom, lockfrom, magic)))
- return ret;
- if ((ret = osa_adb_init_db(&todb, fileto, lockto, magic))) {
- (void) osa_adb_fini_db(fromdb, magic);
- return ret;
- }
- if ((ret = osa_adb_get_lock(fromdb, KRB5_DB_LOCKMODE_PERMANENT))) {
- (void) osa_adb_fini_db(fromdb, magic);
- (void) osa_adb_fini_db(todb, magic);
- return ret;
- }
- if ((ret = osa_adb_get_lock(todb, KRB5_DB_LOCKMODE_PERMANENT))) {
- (void) osa_adb_fini_db(fromdb, magic);
- (void) osa_adb_fini_db(todb, magic);
- return ret;
- }
- if ((rename(filefrom, fileto) < 0)) {
- (void) osa_adb_fini_db(fromdb, magic);
- (void) osa_adb_fini_db(todb, magic);
- return errno;
- }
- /*
- * Do not release the lock on fromdb because it is being renamed
- * out of existence; no one can ever use it again.
- */
- if ((ret = osa_adb_release_lock(todb))) {
- (void) osa_adb_fini_db(fromdb, magic);
- (void) osa_adb_fini_db(todb, magic);
- return ret;
- }
-
- (void) osa_adb_fini_db(fromdb, magic);
- (void) osa_adb_fini_db(todb, magic);
- return 0;
+ osa_adb_db_t fromdb, todb;
+ krb5_error_code ret;
+
+ /* make sure todb exists */
+ if ((ret = osa_adb_create_db(fileto, lockto, magic)) &&
+ ret != EEXIST)
+ return ret;
+
+ if ((ret = osa_adb_init_db(&fromdb, filefrom, lockfrom, magic)))
+ return ret;
+ if ((ret = osa_adb_init_db(&todb, fileto, lockto, magic))) {
+ (void) osa_adb_fini_db(fromdb, magic);
+ return ret;
+ }
+ if ((ret = osa_adb_get_lock(fromdb, KRB5_DB_LOCKMODE_PERMANENT))) {
+ (void) osa_adb_fini_db(fromdb, magic);
+ (void) osa_adb_fini_db(todb, magic);
+ return ret;
+ }
+ if ((ret = osa_adb_get_lock(todb, KRB5_DB_LOCKMODE_PERMANENT))) {
+ (void) osa_adb_fini_db(fromdb, magic);
+ (void) osa_adb_fini_db(todb, magic);
+ return ret;
+ }
+ if ((rename(filefrom, fileto) < 0)) {
+ (void) osa_adb_fini_db(fromdb, magic);
+ (void) osa_adb_fini_db(todb, magic);
+ return errno;
+ }
+ /*
+ * Do not release the lock on fromdb because it is being renamed
+ * out of existence; no one can ever use it again.
+ */
+ if ((ret = osa_adb_release_lock(todb))) {
+ (void) osa_adb_fini_db(fromdb, magic);
+ (void) osa_adb_fini_db(todb, magic);
+ return ret;
+ }
+
+ (void) osa_adb_fini_db(fromdb, magic);
+ (void) osa_adb_fini_db(todb, magic);
+ return 0;
}
-krb5_error_code osa_adb_init_db(osa_adb_db_t *dbp, char *filename,
- char *lockfilename, int magic)
+krb5_error_code
+osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
+ int magic)
{
- osa_adb_db_t db;
- static struct _locklist *locklist = NULL;
- struct _locklist *lockp;
- krb5_error_code code;
-
- if (dbp == NULL || filename == NULL)
- return EINVAL;
-
- db = (osa_adb_princ_t) malloc(sizeof(osa_adb_db_ent));
- if (db == NULL)
- return ENOMEM;
-
- memset(db, 0, sizeof(*db));
- db->info.hash = NULL;
- db->info.bsize = 256;
- db->info.ffactor = 8;
- db->info.nelem = 25000;
- db->info.lorder = 0;
-
- db->btinfo.flags = 0;
- db->btinfo.cachesize = 0;
- db->btinfo.psize = 4096;
- db->btinfo.lorder = 0;
- db->btinfo.minkeypage = 0;
- db->btinfo.compare = NULL;
- db->btinfo.prefix = NULL;
- /*
- * A process is allowed to open the same database multiple times
- * and access it via different handles. If the handles use
- * distinct lockinfo structures, things get confused: lock(A),
- * lock(B), release(B) will result in the kernel unlocking the
- * lock file but handle A will still think the file is locked.
- * Therefore, all handles using the same lock file must share a
- * single lockinfo structure.
- *
- * It is not sufficient to have a single lockinfo structure,
- * however, because a single process may also wish to open
- * multiple different databases simultaneously, with different
- * lock files. This code used to use a single static lockinfo
- * structure, which means that the second database opened used
- * the first database's lock file. This was Bad.
- *
- * We now maintain a linked list of lockinfo structures, keyed by
- * lockfilename. An entry is added when this function is called
- * with a new lockfilename, and all subsequent calls with that
- * lockfilename use the existing entry, updating the refcnt.
- * When the database is closed with fini_db(), the refcnt is
- * decremented, and when it is zero the lockinfo structure is
- * freed and reset. The entry in the linked list, however, is
- * never removed; it will just be reinitialized the next time
- * init_db is called with the right lockfilename.
- */
-
- /* find or create the lockinfo structure for lockfilename */
- lockp = locklist;
- while (lockp) {
- if (strcmp(lockp->lockinfo.filename, lockfilename) == 0)
- break;
- else
- lockp = lockp->next;
- }
- if (lockp == NULL) {
- /* doesn't exist, create it, add to list */
- lockp = (struct _locklist *) malloc(sizeof(*lockp));
- if (lockp == NULL) {
- free(db);
- return ENOMEM;
- }
- memset(lockp, 0, sizeof(*lockp));
- lockp->next = locklist;
- locklist = lockp;
- }
-
- /* now initialize lockp->lockinfo if necessary */
- if (lockp->lockinfo.lockfile == NULL) {
- if ((code = krb5int_init_context_kdc(&lockp->lockinfo.context))) {
- free(db);
- return((krb5_error_code) code);
- }
-
- /*
- * needs be open read/write so that write locking can work with
- * POSIX systems
- */
- lockp->lockinfo.filename = strdup(lockfilename);
- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
- /*
- * maybe someone took away write permission so we could only
- * get shared locks?
- */
- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r"))
- == NULL) {
- free(db);
- return OSA_ADB_NOLOCKFILE;
- }
- }
- set_cloexec_file(lockp->lockinfo.lockfile);
- lockp->lockinfo.lockmode = lockp->lockinfo.lockcnt = 0;
- }
-
- /* lockp is set, lockinfo is initialized, update the reference count */
- db->lock = &lockp->lockinfo;
- db->lock->refcnt++;
-
- db->opencnt = 0;
- db->filename = strdup(filename);
- db->magic = magic;
-
- *dbp = db;
-
- return OSA_ADB_OK;
+ osa_adb_db_t db;
+ static struct _locklist *locklist = NULL;
+ struct _locklist *lockp;
+ krb5_error_code code;
+
+ if (dbp == NULL || filename == NULL)
+ return EINVAL;
+
+ db = (osa_adb_princ_t) malloc(sizeof(osa_adb_db_ent));
+ if (db == NULL)
+ return ENOMEM;
+
+ memset(db, 0, sizeof(*db));
+ db->info.hash = NULL;
+ db->info.bsize = 256;
+ db->info.ffactor = 8;
+ db->info.nelem = 25000;
+ db->info.lorder = 0;
+
+ db->btinfo.flags = 0;
+ db->btinfo.cachesize = 0;
+ db->btinfo.psize = 4096;
+ db->btinfo.lorder = 0;
+ db->btinfo.minkeypage = 0;
+ db->btinfo.compare = NULL;
+ db->btinfo.prefix = NULL;
+ /*
+ * A process is allowed to open the same database multiple times
+ * and access it via different handles. If the handles use
+ * distinct lockinfo structures, things get confused: lock(A),
+ * lock(B), release(B) will result in the kernel unlocking the
+ * lock file but handle A will still think the file is locked.
+ * Therefore, all handles using the same lock file must share a
+ * single lockinfo structure.
+ *
+ * It is not sufficient to have a single lockinfo structure,
+ * however, because a single process may also wish to open
+ * multiple different databases simultaneously, with different
+ * lock files. This code used to use a single static lockinfo
+ * structure, which means that the second database opened used
+ * the first database's lock file. This was Bad.
+ *
+ * We now maintain a linked list of lockinfo structures, keyed by
+ * lockfilename. An entry is added when this function is called
+ * with a new lockfilename, and all subsequent calls with that
+ * lockfilename use the existing entry, updating the refcnt.
+ * When the database is closed with fini_db(), the refcnt is
+ * decremented, and when it is zero the lockinfo structure is
+ * freed and reset. The entry in the linked list, however, is
+ * never removed; it will just be reinitialized the next time
+ * init_db is called with the right lockfilename.
+ */
+
+ /* find or create the lockinfo structure for lockfilename */
+ lockp = locklist;
+ while (lockp) {
+ if (strcmp(lockp->lockinfo.filename, lockfilename) == 0)
+ break;
+ else
+ lockp = lockp->next;
+ }
+ if (lockp == NULL) {
+ /* doesn't exist, create it, add to list */
+ lockp = (struct _locklist *) malloc(sizeof(*lockp));
+ if (lockp == NULL) {
+ free(db);
+ return ENOMEM;
+ }
+ memset(lockp, 0, sizeof(*lockp));
+ lockp->next = locklist;
+ locklist = lockp;
+ }
+
+ /* now initialize lockp->lockinfo if necessary */
+ if (lockp->lockinfo.lockfile == NULL) {
+ if ((code = krb5int_init_context_kdc(&lockp->lockinfo.context))) {
+ free(db);
+ return((krb5_error_code) code);
+ }
+
+ /*
+ * needs be open read/write so that write locking can work with
+ * POSIX systems
+ */
+ lockp->lockinfo.filename = strdup(lockfilename);
+ if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
+ /*
+ * maybe someone took away write permission so we could only
+ * get shared locks?
+ */
+ if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r"))
+ == NULL) {
+ free(db);
+ return OSA_ADB_NOLOCKFILE;
+ }
+ }
+ set_cloexec_file(lockp->lockinfo.lockfile);
+ lockp->lockinfo.lockmode = lockp->lockinfo.lockcnt = 0;
+ }
+
+ /* lockp is set, lockinfo is initialized, update the reference count */
+ db->lock = &lockp->lockinfo;
+ db->lock->refcnt++;
+
+ db->opencnt = 0;
+ db->filename = strdup(filename);
+ db->magic = magic;
+
+ *dbp = db;
+
+ return OSA_ADB_OK;
}
-krb5_error_code osa_adb_fini_db(osa_adb_db_t db, int magic)
+krb5_error_code
+osa_adb_fini_db(osa_adb_db_t db, int magic)
{
- if (db->magic != magic)
- return EINVAL;
- if (db->lock->refcnt == 0) {
- /* barry says this can't happen */
- return OSA_ADB_FAILURE;
- } else {
- db->lock->refcnt--;
- }
-
- if (db->lock->refcnt == 0) {
- /*
- * Don't free db->lock->filename, it is used as a key to
- * find the lockinfo entry in the linked list. If the
- * lockfile doesn't exist, we must be closing the database
- * after trashing it. This has to be allowed, so don't
- * generate an error.
- */
- if (db->lock->lockmode != KRB5_DB_LOCKMODE_PERMANENT)
- (void) fclose(db->lock->lockfile);
- db->lock->lockfile = NULL;
- krb5_free_context(db->lock->context);
- }
-
- db->magic = 0;
- free(db->filename);
- free(db);
- return OSA_ADB_OK;
+ if (db->magic != magic)
+ return EINVAL;
+ if (db->lock->refcnt == 0) {
+ /* barry says this can't happen */
+ return OSA_ADB_FAILURE;
+ } else {
+ db->lock->refcnt--;
+ }
+
+ if (db->lock->refcnt == 0) {
+ /*
+ * Don't free db->lock->filename, it is used as a key to
+ * find the lockinfo entry in the linked list. If the
+ * lockfile doesn't exist, we must be closing the database
+ * after trashing it. This has to be allowed, so don't
+ * generate an error.
+ */
+ if (db->lock->lockmode != KRB5_DB_LOCKMODE_PERMANENT)
+ (void) fclose(db->lock->lockfile);
+ db->lock->lockfile = NULL;
+ krb5_free_context(db->lock->context);
+ }
+
+ db->magic = 0;
+ free(db->filename);
+ free(db);
+ return OSA_ADB_OK;
}
-krb5_error_code osa_adb_get_lock(osa_adb_db_t db, int mode)
+krb5_error_code
+osa_adb_get_lock(osa_adb_db_t db, int mode)
{
- int tries, gotlock, perm, krb5_mode, ret = 0;
-
- if (db->lock->lockmode >= mode) {
- /* No need to upgrade lock, just incr refcnt and return */
- db->lock->lockcnt++;
- return(OSA_ADB_OK);
- }
-
- perm = 0;
- switch (mode) {
- case KRB5_DB_LOCKMODE_PERMANENT:
- perm = 1;
- case KRB5_DB_LOCKMODE_EXCLUSIVE:
- krb5_mode = KRB5_LOCKMODE_EXCLUSIVE;
- break;
- case KRB5_DB_LOCKMODE_SHARED:
- krb5_mode = KRB5_LOCKMODE_SHARED;
- break;
- default:
- return(EINVAL);
- }
-
- for (gotlock = tries = 0; tries < MAX_LOCK_TRIES; tries++) {
- if ((ret = krb5_lock_file(db->lock->context,
- fileno(db->lock->lockfile),
- krb5_mode|KRB5_LOCKMODE_DONTBLOCK)) == 0) {
- gotlock++;
- break;
- } else if (ret == EBADF && mode == KRB5_DB_LOCKMODE_EXCLUSIVE)
- /* tried to exclusive-lock something we don't have */
- /* write access to */
- return OSA_ADB_NOEXCL_PERM;
-
- sleep(1);
- }
-
- /* test for all the likely "can't get lock" error codes */
- if (ret == EACCES || ret == EAGAIN || ret == EWOULDBLOCK)
- return OSA_ADB_CANTLOCK_DB;
- else if (ret != 0)
- return ret;
-
- /*
- * If the file no longer exists, someone acquired a permanent
- * lock. If that process terminates its exclusive lock is lost,
- * but if we already had the file open we can (probably) lock it
- * even though it has been unlinked. So we need to insist that
- * it exist.
- */
- if (access(db->lock->filename, F_OK) < 0) {
- (void) krb5_lock_file(db->lock->context,
- fileno(db->lock->lockfile),
- KRB5_LOCKMODE_UNLOCK);
- return OSA_ADB_NOLOCKFILE;
- }
-
- /* we have the shared/exclusive lock */
-
- if (perm) {
- if (unlink(db->lock->filename) < 0) {
- /* somehow we can't delete the file, but we already */
- /* have the lock, so release it and return */
-
- ret = errno;
- (void) krb5_lock_file(db->lock->context,
- fileno(db->lock->lockfile),
- KRB5_LOCKMODE_UNLOCK);
-
- /* maybe we should return CANTLOCK_DB.. but that would */
- /* look just like the db was already locked */
- return ret;
- }
-
- /* this releases our exclusive lock.. which is okay because */
- /* now no one else can get one either */
- (void) fclose(db->lock->lockfile);
- }
-
- db->lock->lockmode = mode;
- db->lock->lockcnt++;
- return OSA_ADB_OK;
+ int tries, gotlock, perm, krb5_mode, ret = 0;
+
+ if (db->lock->lockmode >= mode) {
+ /* No need to upgrade lock, just incr refcnt and return */
+ db->lock->lockcnt++;
+ return(OSA_ADB_OK);
+ }
+
+ perm = 0;
+ switch (mode) {
+ case KRB5_DB_LOCKMODE_PERMANENT:
+ perm = 1;
+ case KRB5_DB_LOCKMODE_EXCLUSIVE:
+ krb5_mode = KRB5_LOCKMODE_EXCLUSIVE;
+ break;
+ case KRB5_DB_LOCKMODE_SHARED:
+ krb5_mode = KRB5_LOCKMODE_SHARED;
+ break;
+ default:
+ return(EINVAL);
+ }
+
+ for (gotlock = tries = 0; tries < MAX_LOCK_TRIES; tries++) {
+ if ((ret = krb5_lock_file(db->lock->context,
+ fileno(db->lock->lockfile),
+ krb5_mode|KRB5_LOCKMODE_DONTBLOCK)) == 0) {
+ gotlock++;
+ break;
+ } else if (ret == EBADF && mode == KRB5_DB_LOCKMODE_EXCLUSIVE)
+ /* tried to exclusive-lock something we don't have */
+ /* write access to */
+ return OSA_ADB_NOEXCL_PERM;
+
+ sleep(1);
+ }
+
+ /* test for all the likely "can't get lock" error codes */
+ if (ret == EACCES || ret == EAGAIN || ret == EWOULDBLOCK)
+ return OSA_ADB_CANTLOCK_DB;
+ else if (ret != 0)
+ return ret;
+
+ /*
+ * If the file no longer exists, someone acquired a permanent
+ * lock. If that process terminates its exclusive lock is lost,
+ * but if we already had the file open we can (probably) lock it
+ * even though it has been unlinked. So we need to insist that
+ * it exist.
+ */
+ if (access(db->lock->filename, F_OK) < 0) {
+ (void) krb5_lock_file(db->lock->context,
+ fileno(db->lock->lockfile),
+ KRB5_LOCKMODE_UNLOCK);
+ return OSA_ADB_NOLOCKFILE;
+ }
+
+ /* we have the shared/exclusive lock */
+
+ if (perm) {
+ if (unlink(db->lock->filename) < 0) {
+ /* somehow we can't delete the file, but we already */
+ /* have the lock, so release it and return */
+
+ ret = errno;
+ (void) krb5_lock_file(db->lock->context,
+ fileno(db->lock->lockfile),
+ KRB5_LOCKMODE_UNLOCK);
+
+ /* maybe we should return CANTLOCK_DB.. but that would */
+ /* look just like the db was already locked */
+ return ret;
+ }
+
+ /* this releases our exclusive lock.. which is okay because */
+ /* now no one else can get one either */
+ (void) fclose(db->lock->lockfile);
+ }
+
+ db->lock->lockmode = mode;
+ db->lock->lockcnt++;
+ return OSA_ADB_OK;
}
-krb5_error_code osa_adb_release_lock(osa_adb_db_t db)
+krb5_error_code
+osa_adb_release_lock(osa_adb_db_t db)
{
- int ret, fd;
-
- if (!db->lock->lockcnt) /* lock already unlocked */
- return OSA_ADB_NOTLOCKED;
-
- if (--db->lock->lockcnt == 0) {
- if (db->lock->lockmode == KRB5_DB_LOCKMODE_PERMANENT) {
- /* now we need to create the file since it does not exist */
- fd = THREEPARAMOPEN(db->lock->filename,O_RDWR | O_CREAT | O_EXCL,
- 0600);
- if (fd < 0)
- return OSA_ADB_NOLOCKFILE;
- set_cloexec_fd(fd);
- if ((db->lock->lockfile = fdopen(fd, "w+")) == NULL)
- return OSA_ADB_NOLOCKFILE;
- } else if ((ret = krb5_lock_file(db->lock->context,
- fileno(db->lock->lockfile),
- KRB5_LOCKMODE_UNLOCK)))
- return ret;
-
- db->lock->lockmode = 0;
- }
- return OSA_ADB_OK;
+ int ret, fd;
+
+ if (!db->lock->lockcnt) /* lock already unlocked */
+ return OSA_ADB_NOTLOCKED;
+
+ if (--db->lock->lockcnt == 0) {
+ if (db->lock->lockmode == KRB5_DB_LOCKMODE_PERMANENT) {
+ /* now we need to create the file since it does not exist */
+ fd = THREEPARAMOPEN(db->lock->filename,O_RDWR | O_CREAT | O_EXCL,
+ 0600);
+ if (fd < 0)
+ return OSA_ADB_NOLOCKFILE;
+ set_cloexec_fd(fd);
+ if ((db->lock->lockfile = fdopen(fd, "w+")) == NULL)
+ return OSA_ADB_NOLOCKFILE;
+ } else if ((ret = krb5_lock_file(db->lock->context,
+ fileno(db->lock->lockfile),
+ KRB5_LOCKMODE_UNLOCK)))
+ return ret;
+
+ db->lock->lockmode = 0;
+ }
+ return OSA_ADB_OK;
}
-krb5_error_code osa_adb_open_and_lock(osa_adb_princ_t db, int locktype)
+krb5_error_code
+osa_adb_open_and_lock(osa_adb_princ_t db, int locktype)
{
- int ret;
-
- ret = osa_adb_get_lock(db, locktype);
- if (ret != OSA_ADB_OK)
- return ret;
- if (db->opencnt)
- goto open_ok;
-
- db->db = dbopen(db->filename, O_RDWR, 0600, DB_BTREE, &db->btinfo);
- if (db->db != NULL)
- goto open_ok;
- switch (errno) {
+ int ret;
+
+ ret = osa_adb_get_lock(db, locktype);
+ if (ret != OSA_ADB_OK)
+ return ret;
+ if (db->opencnt)
+ goto open_ok;
+
+ db->db = dbopen(db->filename, O_RDWR, 0600, DB_BTREE, &db->btinfo);
+ if (db->db != NULL)
+ goto open_ok;
+ switch (errno) {
#ifdef EFTYPE
- case EFTYPE:
+ case EFTYPE:
#endif
- case EINVAL:
- db->db = dbopen(db->filename, O_RDWR, 0600, DB_HASH, &db->info);
- if (db->db != NULL)
- goto open_ok;
- default:
- (void) osa_adb_release_lock(db);
- if (errno == EINVAL)
- return OSA_ADB_BAD_DB;
- return errno;
- }
+ case EINVAL:
+ db->db = dbopen(db->filename, O_RDWR, 0600, DB_HASH, &db->info);
+ if (db->db != NULL)
+ goto open_ok;
+ default:
+ (void) osa_adb_release_lock(db);
+ if (errno == EINVAL)
+ return OSA_ADB_BAD_DB;
+ return errno;
+ }
open_ok:
- db->opencnt++;
- return OSA_ADB_OK;
+ db->opencnt++;
+ return OSA_ADB_OK;
}
-krb5_error_code osa_adb_close_and_unlock(osa_adb_princ_t db)
+krb5_error_code
+osa_adb_close_and_unlock(osa_adb_princ_t db)
{
- if (--db->opencnt)
- return osa_adb_release_lock(db);
- if(db->db != NULL && db->db->close(db->db) == -1) {
- (void) osa_adb_release_lock(db);
- return OSA_ADB_FAILURE;
- }
+ if (--db->opencnt)
+ return osa_adb_release_lock(db);
+ if(db->db != NULL && db->db->close(db->db) == -1) {
+ (void) osa_adb_release_lock(db);
+ return OSA_ADB_FAILURE;
+ }
- db->db = NULL;
+ db->db = NULL;
- return(osa_adb_release_lock(db));
+ return(osa_adb_release_lock(db));
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
static char *rcsid = "$Header$";
#endif
-#include <sys/file.h>
-#include <fcntl.h>
-#include "policy_db.h"
-#include <stdlib.h>
-#include <string.h>
+#include <sys/file.h>
+#include <fcntl.h>
+#include "policy_db.h"
+#include <stdlib.h>
+#include <string.h>
#include <errno.h>
-#define OPENLOCK(db, mode) \
-{ \
- int olret; \
- if (db == NULL) \
- return EINVAL; \
- else if (db->magic != OSA_ADB_POLICY_DB_MAGIC) \
- return OSA_ADB_DBINIT; \
- else if ((olret = osa_adb_open_and_lock(db, mode)) != OSA_ADB_OK) \
- return olret; \
- }
-
-#define CLOSELOCK(db) \
-{ \
- int cl_ret; \
- if ((cl_ret = osa_adb_close_and_unlock(db)) != OSA_ADB_OK) \
- return cl_ret; \
-}
+#define OPENLOCK(db, mode) \
+ { \
+ int olret; \
+ if (db == NULL) \
+ return EINVAL; \
+ else if (db->magic != OSA_ADB_POLICY_DB_MAGIC) \
+ return OSA_ADB_DBINIT; \
+ else if ((olret = osa_adb_open_and_lock(db, mode)) != OSA_ADB_OK) \
+ return olret; \
+ }
+
+#define CLOSELOCK(db) \
+ { \
+ int cl_ret; \
+ if ((cl_ret = osa_adb_close_and_unlock(db)) != OSA_ADB_OK) \
+ return cl_ret; \
+ }
/*
* Purpose: create a policy entry in the policy db.
*
* Arguments:
- * entry (input) pointer to the entry to be added
- * <return value> OSA_ADB_OK on success, else error code.
+ * entry (input) pointer to the entry to be added
+ * <return value> OSA_ADB_OK on success, else error code.
*
* Requires:
- * entry have a valid name.
+ * entry have a valid name.
*
* Effects:
- * creates the entry in the db
+ * creates the entry in the db
*
* Modifies:
- * the policy db.
+ * the policy db.
*
*/
krb5_error_code
osa_adb_create_policy(osa_adb_policy_t db, osa_policy_ent_t entry)
{
- DBT dbkey;
- DBT dbdata;
- XDR xdrs;
- int ret;
+ DBT dbkey;
+ DBT dbdata;
+ XDR xdrs;
+ int ret;
OPENLOCK(db, KRB5_DB_LOCKMODE_EXCLUSIVE);
if(entry->name == NULL) {
- ret = EINVAL;
- goto error;
+ ret = EINVAL;
+ goto error;
}
dbkey.data = entry->name;
dbkey.size = (strlen(entry->name) + 1);
switch(db->db->get(db->db, &dbkey, &dbdata, 0)) {
case 0:
- ret = OSA_ADB_DUP;
- goto error;
+ ret = OSA_ADB_DUP;
+ goto error;
case 1:
- break;
+ break;
default:
- ret = errno;
- goto error;
+ ret = errno;
+ goto error;
}
xdralloc_create(&xdrs, XDR_ENCODE);
if(!xdr_osa_policy_ent_rec(&xdrs, entry)) {
- xdr_destroy(&xdrs);
- ret = OSA_ADB_XDR_FAILURE;
- goto error;
+ xdr_destroy(&xdrs);
+ ret = OSA_ADB_XDR_FAILURE;
+ goto error;
}
dbdata.data = xdralloc_getdata(&xdrs);
dbdata.size = xdr_getpos(&xdrs);
switch(db->db->put(db->db, &dbkey, &dbdata, R_NOOVERWRITE)) {
case 0:
- if((db->db->sync(db->db, 0)) == -1)
- ret = OSA_ADB_FAILURE;
- ret = OSA_ADB_OK;
- break;
+ if((db->db->sync(db->db, 0)) == -1)
+ ret = OSA_ADB_FAILURE;
+ ret = OSA_ADB_OK;
+ break;
case 1:
- ret = OSA_ADB_DUP;
- break;
+ ret = OSA_ADB_DUP;
+ break;
default:
- ret = OSA_ADB_FAILURE;
- break;
+ ret = OSA_ADB_FAILURE;
+ break;
}
xdr_destroy(&xdrs);
* Purpose: destroy a policy entry
*
* Arguments:
- * db (input) database handle
- * name (input) name of policy
- * <return value> OSA_ADB_OK on success, or error code.
+ * db (input) database handle
+ * name (input) name of policy
+ * <return value> OSA_ADB_OK on success, or error code.
*
* Requires:
- * db being valid.
- * name being non-null.
+ * db being valid.
+ * name being non-null.
* Effects:
- * deletes policy from db.
+ * deletes policy from db.
*
* Modifies:
- * policy db.
+ * policy db.
*
*/
krb5_error_code
osa_adb_destroy_policy(osa_adb_policy_t db, char *name)
{
- DBT dbkey;
- int status, ret;
+ DBT dbkey;
+ int status, ret;
OPENLOCK(db, KRB5_DB_LOCKMODE_EXCLUSIVE);
if(name == NULL) {
- ret = EINVAL;
- goto error;
+ ret = EINVAL;
+ goto error;
}
dbkey.data = name;
dbkey.size = (strlen(name) + 1);
status = db->db->del(db->db, &dbkey, 0);
switch(status) {
case 1:
- ret = OSA_ADB_NOENT;
- goto error;
+ ret = OSA_ADB_NOENT;
+ goto error;
case 0:
- if ((db->db->sync(db->db, 0)) == -1) {
- ret = OSA_ADB_FAILURE;
- goto error;
- }
- ret = OSA_ADB_OK;
- break;
+ if ((db->db->sync(db->db, 0)) == -1) {
+ ret = OSA_ADB_FAILURE;
+ goto error;
+ }
+ ret = OSA_ADB_OK;
+ break;
default:
- ret = OSA_ADB_FAILURE;
- goto error;
+ ret = OSA_ADB_FAILURE;
+ goto error;
}
error:
* Purpose: retrieve policy
*
* Arguments:
- * db (input) db handle
- * name (input) name of policy
- * entry (output) policy entry
+ * db (input) db handle
+ * name (input) name of policy
+ * entry (output) policy entry
* cnt (inout) Number of entries
- * <return value> 0 on success, error code on failure.
+ * <return value> 0 on success, error code on failure.
*
* Requires:
* Effects:
*/
krb5_error_code
osa_adb_get_policy(osa_adb_policy_t db, char *name,
- osa_policy_ent_t *entry, int *cnt)
+ osa_policy_ent_t *entry, int *cnt)
{
- DBT dbkey;
- DBT dbdata;
- XDR xdrs;
- int ret;
- char *aligned_data;
+ DBT dbkey;
+ DBT dbdata;
+ XDR xdrs;
+ int ret;
+ char *aligned_data;
OPENLOCK(db, KRB5_DB_LOCKMODE_SHARED);
*cnt = 1;
if(name == NULL) {
- ret = EINVAL;
- goto error;
+ ret = EINVAL;
+ goto error;
}
dbkey.data = name;
dbkey.size = (strlen(dbkey.data) + 1);
dbdata.size = 0;
switch((db->db->get(db->db, &dbkey, &dbdata, 0))) {
case 1:
- ret = 0;
- *cnt = 0;
- goto error;
+ ret = 0;
+ *cnt = 0;
+ goto error;
case 0:
- break;
+ break;
default:
- ret = OSA_ADB_FAILURE;
- goto error;
+ ret = OSA_ADB_FAILURE;
+ goto error;
}
if (!(*(entry) = (osa_policy_ent_t)malloc(sizeof(osa_policy_ent_rec)))) {
- ret = ENOMEM;
- goto error;
+ ret = ENOMEM;
+ goto error;
}
if (!(aligned_data = (char *) malloc(dbdata.size))) {
- ret = ENOMEM;
- goto error;
+ ret = ENOMEM;
+ goto error;
}
memcpy(aligned_data, dbdata.data, dbdata.size);
memset(*entry, 0, sizeof(osa_policy_ent_rec));
xdrmem_create(&xdrs, aligned_data, dbdata.size, XDR_DECODE);
if (!xdr_osa_policy_ent_rec(&xdrs, *entry))
- ret = OSA_ADB_FAILURE;
+ ret = OSA_ADB_FAILURE;
else ret = OSA_ADB_OK;
xdr_destroy(&xdrs);
free(aligned_data);
* Purpose: update a policy in the dababase
*
* Arguments:
- * db (input) db handle
- * entry (input) policy entry
- * <return value> 0 on success error code on failure.
+ * db (input) db handle
+ * entry (input) policy entry
+ * <return value> 0 on success error code on failure.
*
* Requires:
- * [requires]
+ * [requires]
*
* Effects:
- * [effects]
+ * [effects]
*
* Modifies:
- * [modifies]
+ * [modifies]
*
*/
krb5_error_code
osa_adb_put_policy(osa_adb_policy_t db, osa_policy_ent_t entry)
{
- DBT dbkey;
- DBT dbdata;
- DBT tmpdb;
- XDR xdrs;
- int ret;
+ DBT dbkey;
+ DBT dbdata;
+ DBT tmpdb;
+ XDR xdrs;
+ int ret;
OPENLOCK(db, KRB5_DB_LOCKMODE_EXCLUSIVE);
if(entry->name == NULL) {
- ret = EINVAL;
- goto error;
+ ret = EINVAL;
+ goto error;
}
dbkey.data = entry->name;
dbkey.size = (strlen(entry->name) + 1);
switch(db->db->get(db->db, &dbkey, &tmpdb, 0)) {
case 0:
- break;
+ break;
case 1:
- ret = OSA_ADB_NOENT;
- goto error;
+ ret = OSA_ADB_NOENT;
+ goto error;
default:
- ret = OSA_ADB_FAILURE;
- goto error;
+ ret = OSA_ADB_FAILURE;
+ goto error;
}
xdralloc_create(&xdrs, XDR_ENCODE);
if(!xdr_osa_policy_ent_rec(&xdrs, entry)) {
- xdr_destroy(&xdrs);
- ret = OSA_ADB_XDR_FAILURE;
- goto error;
+ xdr_destroy(&xdrs);
+ ret = OSA_ADB_XDR_FAILURE;
+ goto error;
}
dbdata.data = xdralloc_getdata(&xdrs);
dbdata.size = xdr_getpos(&xdrs);
switch(db->db->put(db->db, &dbkey, &dbdata, 0)) {
case 0:
- if((db->db->sync(db->db, 0)) == -1)
- ret = OSA_ADB_FAILURE;
- ret = OSA_ADB_OK;
- break;
+ if((db->db->sync(db->db, 0)) == -1)
+ ret = OSA_ADB_FAILURE;
+ ret = OSA_ADB_OK;
+ break;
default:
- ret = OSA_ADB_FAILURE;
- break;
+ ret = OSA_ADB_FAILURE;
+ break;
}
xdr_destroy(&xdrs);
* Purpose: iterate over the policy database.
*
* Arguments:
- * db (input) db handle
- * func (input) fucntion pointer to call
- * data opaque data type
- * <return value> 0 on success error code on failure
+ * db (input) db handle
+ * func (input) fucntion pointer to call
+ * data opaque data type
+ * <return value> 0 on success error code on failure
*
* Requires:
* Effects:
*/
krb5_error_code
osa_adb_iter_policy(osa_adb_policy_t db, osa_adb_iter_policy_func func,
- void *data)
+ void *data)
{
- DBT dbkey,
- dbdata;
- XDR xdrs;
- int ret;
- osa_policy_ent_t entry;
- char *aligned_data;
+ DBT dbkey,
+ dbdata;
+ XDR xdrs;
+ int ret;
+ osa_policy_ent_t entry;
+ char *aligned_data;
OPENLOCK(db, KRB5_DB_LOCKMODE_EXCLUSIVE); /* hmmm */
if((ret = db->db->seq(db->db, &dbkey, &dbdata, R_FIRST)) == -1) {
- ret = errno;
- goto error;
+ ret = errno;
+ goto error;
}
while (ret == 0) {
- if (!(entry = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec)))) {
- ret = ENOMEM;
- goto error;
- }
-
- if(!(aligned_data = (char *) malloc(dbdata.size))) {
- ret = ENOMEM;
- goto error;
- }
- memcpy(aligned_data, dbdata.data, dbdata.size);
-
- memset(entry, 0, sizeof(osa_policy_ent_rec));
- xdrmem_create(&xdrs, aligned_data, dbdata.size, XDR_DECODE);
- if(!xdr_osa_policy_ent_rec(&xdrs, entry)) {
- xdr_destroy(&xdrs);
- free(aligned_data);
- osa_free_policy_ent(entry);
- ret = OSA_ADB_FAILURE;
- goto error;
- }
- (*func)(data, entry);
- xdr_destroy(&xdrs);
- free(aligned_data);
- osa_free_policy_ent(entry);
- ret = db->db->seq(db->db, &dbkey, &dbdata, R_NEXT);
+ if (!(entry = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec)))) {
+ ret = ENOMEM;
+ goto error;
+ }
+
+ if(!(aligned_data = (char *) malloc(dbdata.size))) {
+ ret = ENOMEM;
+ goto error;
+ }
+ memcpy(aligned_data, dbdata.data, dbdata.size);
+
+ memset(entry, 0, sizeof(osa_policy_ent_rec));
+ xdrmem_create(&xdrs, aligned_data, dbdata.size, XDR_DECODE);
+ if(!xdr_osa_policy_ent_rec(&xdrs, entry)) {
+ xdr_destroy(&xdrs);
+ free(aligned_data);
+ osa_free_policy_ent(entry);
+ ret = OSA_ADB_FAILURE;
+ goto error;
+ }
+ (*func)(data, entry);
+ xdr_destroy(&xdrs);
+ free(aligned_data);
+ osa_free_policy_ent(entry);
+ ret = db->db->seq(db->db, &dbkey, &dbdata, R_NEXT);
}
if(ret == -1)
- ret = errno;
+ ret = errno;
else ret = OSA_ADB_OK;
error:
void
osa_free_policy_ent(osa_policy_ent_t val)
{
- XDR xdrs;
+ XDR xdrs;
- xdrmem_create(&xdrs, NULL, 0, XDR_FREE);
+ xdrmem_create(&xdrs, NULL, 0, XDR_FREE);
- xdr_osa_policy_ent_rec(&xdrs, val);
+ xdr_osa_policy_ent_rec(&xdrs, val);
- free(val);
+ free(val);
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 2006 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*/
/**********************************************************************
-*
-* C %name: db2_exp.c %
-* Instance: idc_sec_2
-* Description:
-* %created_by: spradeep %
-* %date_created: Tue Apr 5 11:44:00 2005 %
-*
-**********************************************************************/
+ *
+ * C %name: db2_exp.c %
+ * Instance: idc_sec_2
+ * Description:
+ * %created_by: spradeep %
+ * %date_created: Tue Apr 5 11:44:00 2005 %
+ *
+ **********************************************************************/
#ifndef lint
static char *_csrc = "@(#) %filespec: db2_exp.c~5 % (%full_filespec: db2_exp.c~5:csrc:idc_sec#2 %)";
#endif
k5_mutex_t *krb5_db2_mutex;
-#define WRAP(NAME,TYPE,ARGLIST,ARGNAMES,ERROR_RESULT) \
- static TYPE wrap_##NAME ARGLIST \
- { \
- TYPE result; \
- int code = k5_mutex_lock (krb5_db2_mutex); \
- if (code) { return ERROR_RESULT; } \
- result = NAME ARGNAMES; \
- k5_mutex_unlock (krb5_db2_mutex); \
- return result; \
- } \
- /* hack: decl to allow a following ";" */ \
- static TYPE wrap_##NAME ()
+#define WRAP(NAME,TYPE,ARGLIST,ARGNAMES,ERROR_RESULT) \
+ static TYPE wrap_##NAME ARGLIST \
+ { \
+ TYPE result; \
+ int code = k5_mutex_lock (krb5_db2_mutex); \
+ if (code) { return ERROR_RESULT; } \
+ result = NAME ARGNAMES; \
+ k5_mutex_unlock (krb5_db2_mutex); \
+ return result; \
+ } \
+ /* hack: decl to allow a following ";" */ \
+ static TYPE wrap_##NAME ()
/* Two special cases: void (can't assign result), and krb5_error_code
(return error from locking code). */
-#define WRAP_VOID(NAME,ARGLIST,ARGNAMES) \
- static void wrap_##NAME ARGLIST \
- { \
- int code = k5_mutex_lock (krb5_db2_mutex); \
- if (code) { return; } \
- NAME ARGNAMES; \
- k5_mutex_unlock (krb5_db2_mutex); \
- } \
- /* hack: decl to allow a following ";" */ \
- static void wrap_##NAME ()
+#define WRAP_VOID(NAME,ARGLIST,ARGNAMES) \
+ static void wrap_##NAME ARGLIST \
+ { \
+ int code = k5_mutex_lock (krb5_db2_mutex); \
+ if (code) { return; } \
+ NAME ARGNAMES; \
+ k5_mutex_unlock (krb5_db2_mutex); \
+ } \
+ /* hack: decl to allow a following ";" */ \
+ static void wrap_##NAME ()
-#define WRAP_K(NAME,ARGLIST,ARGNAMES) \
- WRAP(NAME,krb5_error_code,ARGLIST,ARGNAMES,code)
+#define WRAP_K(NAME,ARGLIST,ARGNAMES) \
+ WRAP(NAME,krb5_error_code,ARGLIST,ARGNAMES,code)
WRAP_K (krb5_db2_open,
- ( krb5_context kcontext,
- char *conf_section,
- char **db_args,
- int mode ),
- (kcontext, conf_section, db_args, mode));
+ ( krb5_context kcontext,
+ char *conf_section,
+ char **db_args,
+ int mode ),
+ (kcontext, conf_section, db_args, mode));
WRAP_K (krb5_db2_db_fini, (krb5_context ctx), (ctx));
WRAP_K (krb5_db2_create,
- ( krb5_context kcontext, char *conf_section, char **db_args ),
- (kcontext, conf_section, db_args));
+ ( krb5_context kcontext, char *conf_section, char **db_args ),
+ (kcontext, conf_section, db_args));
WRAP_K (krb5_db2_destroy,
- ( krb5_context kcontext, char *conf_section, char **db_args ),
- (kcontext, conf_section, db_args));
+ ( krb5_context kcontext, char *conf_section, char **db_args ),
+ (kcontext, conf_section, db_args));
WRAP_K (krb5_db2_db_get_age,
- (krb5_context ctx,
- char *s,
- time_t *t),
- (ctx, s, t));
+ (krb5_context ctx,
+ char *s,
+ time_t *t),
+ (ctx, s, t));
WRAP_K (krb5_db2_db_set_option,
- ( krb5_context kcontext,
- int option,
- void *value ),
- (kcontext, option, value));
+ ( krb5_context kcontext,
+ int option,
+ void *value ),
+ (kcontext, option, value));
WRAP_K (krb5_db2_db_lock,
- ( krb5_context context,
- int in_mode),
- (context, in_mode));
+ ( krb5_context context,
+ int in_mode),
+ (context, in_mode));
WRAP_K (krb5_db2_db_unlock, (krb5_context ctx), (ctx));
WRAP_K (krb5_db2_db_get_principal,
- (krb5_context ctx,
- krb5_const_principal p,
- unsigned int flags,
- krb5_db_entry *d,
- int * i,
- krb5_boolean *b),
- (ctx, p, d, i, b));
+ (krb5_context ctx,
+ krb5_const_principal p,
+ unsigned int flags,
+ krb5_db_entry *d,
+ int * i,
+ krb5_boolean *b),
+ (ctx, p, d, i, b));
WRAP_K (krb5_db2_db_free_principal,
- (krb5_context ctx,
- krb5_db_entry *d,
- int i),
- (ctx, d, i));
+ (krb5_context ctx,
+ krb5_db_entry *d,
+ int i),
+ (ctx, d, i));
WRAP_K (krb5_db2_db_put_principal,
- (krb5_context ctx,
- krb5_db_entry *d,
- int *i,
- char **db_args),
- (ctx, d, i, db_args));
+ (krb5_context ctx,
+ krb5_db_entry *d,
+ int *i,
+ char **db_args),
+ (ctx, d, i, db_args));
WRAP_K (krb5_db2_db_delete_principal,
- (krb5_context context,
- krb5_const_principal searchfor,
- int *nentries),
- (context, searchfor, nentries));
+ (krb5_context context,
+ krb5_const_principal searchfor,
+ int *nentries),
+ (context, searchfor, nentries));
WRAP_K (krb5_db2_db_iterate,
- (krb5_context ctx, char *s,
- krb5_error_code (*f) (krb5_pointer,
- krb5_db_entry *),
- krb5_pointer p),
- (ctx, s, f, p));
+ (krb5_context ctx, char *s,
+ krb5_error_code (*f) (krb5_pointer,
+ krb5_db_entry *),
+ krb5_pointer p),
+ (ctx, s, f, p));
WRAP_K (krb5_db2_create_policy,
- (krb5_context context, osa_policy_ent_t entry),
- (context, entry));
+ (krb5_context context, osa_policy_ent_t entry),
+ (context, entry));
WRAP_K (krb5_db2_get_policy,
- ( krb5_context kcontext,
- char *name,
- osa_policy_ent_t *policy,
- int *cnt),
- (kcontext, name, policy, cnt));
+ ( krb5_context kcontext,
+ char *name,
+ osa_policy_ent_t *policy,
+ int *cnt),
+ (kcontext, name, policy, cnt));
WRAP_K (krb5_db2_put_policy,
- ( krb5_context kcontext, osa_policy_ent_t policy ),
- (kcontext, policy));
+ ( krb5_context kcontext, osa_policy_ent_t policy ),
+ (kcontext, policy));
WRAP_K (krb5_db2_iter_policy,
- ( krb5_context kcontext,
- char *match_entry,
- osa_adb_iter_policy_func func,
- void *data ),
- (kcontext, match_entry, func, data));
+ ( krb5_context kcontext,
+ char *match_entry,
+ osa_adb_iter_policy_func func,
+ void *data ),
+ (kcontext, match_entry, func, data));
WRAP_K (krb5_db2_delete_policy,
- ( krb5_context kcontext, char *policy ),
- (kcontext, policy));
+ ( krb5_context kcontext, char *policy ),
+ (kcontext, policy));
WRAP_VOID (krb5_db2_free_policy,
- ( krb5_context kcontext, osa_policy_ent_t entry ),
- (kcontext, entry));
+ ( krb5_context kcontext, osa_policy_ent_t entry ),
+ (kcontext, entry));
WRAP_K (krb5_db2_set_master_key_ext,
- ( krb5_context kcontext, char *pwd, krb5_keyblock *key),
- (kcontext, pwd, key));
+ ( krb5_context kcontext, char *pwd, krb5_keyblock *key),
+ (kcontext, pwd, key));
WRAP_K (krb5_db2_db_get_mkey,
- ( krb5_context context, krb5_keyblock **key),
- (context, key));
+ ( krb5_context context, krb5_keyblock **key),
+ (context, key));
WRAP_K (krb5_db2_db_set_mkey_list,
- ( krb5_context kcontext, krb5_keylist_node *keylist),
- (kcontext, keylist));
+ ( krb5_context kcontext, krb5_keylist_node *keylist),
+ (kcontext, keylist));
WRAP_K (krb5_db2_db_get_mkey_list,
- ( krb5_context context, krb5_keylist_node **keylist),
- (context, keylist));
+ ( krb5_context context, krb5_keylist_node **keylist),
+ (context, keylist));
WRAP_K (krb5_db2_promote_db,
- ( krb5_context kcontext, char *conf_section, char **db_args ),
- (kcontext, conf_section, db_args));
+ ( krb5_context kcontext, char *conf_section, char **db_args ),
+ (kcontext, conf_section, db_args));
WRAP_K (krb5_db2_invoke,
- (krb5_context kcontext,
- unsigned int method,
- const krb5_data *request,
- krb5_data *response),
- (kcontext, method, request, response));
+ (krb5_context kcontext,
+ unsigned int method,
+ const krb5_data *request,
+ krb5_data *response),
+ (kcontext, method, request, response));
static krb5_error_code
hack_init ()
krb5_error_code c;
c = krb5int_mutex_alloc (&krb5_db2_mutex);
if (c)
- return c;
+ return c;
return krb5_db2_lib_init ();
}
*/
kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_db2, kdb_function_table) = {
- 1, /* major version number 1 */
- 0, /* minor version number 0 */
- /* init_library */ hack_init,
- /* fini_library */ hack_cleanup,
- /* init_module */ wrap_krb5_db2_open,
- /* fini_module */ wrap_krb5_db2_db_fini,
- /* db_create */ wrap_krb5_db2_create,
- /* db_destroy */ wrap_krb5_db2_destroy,
- /* db_get_age */ wrap_krb5_db2_db_get_age,
- /* db_set_option */ wrap_krb5_db2_db_set_option,
- /* db_lock */ wrap_krb5_db2_db_lock,
- /* db_unlock */ wrap_krb5_db2_db_unlock,
- /* db_get_principal */ wrap_krb5_db2_db_get_principal,
- /* db_free_principal */ wrap_krb5_db2_db_free_principal,
- /* db_put_principal */ wrap_krb5_db2_db_put_principal,
- /* db_delete_principal */ wrap_krb5_db2_db_delete_principal,
- /* db_iterate */ wrap_krb5_db2_db_iterate,
- /* db_create_policy */ wrap_krb5_db2_create_policy,
- /* db_get_policy */ wrap_krb5_db2_get_policy,
- /* db_put_policy */ wrap_krb5_db2_put_policy,
- /* db_iter_policy */ wrap_krb5_db2_iter_policy,
- /* db_delete_policy */ wrap_krb5_db2_delete_policy,
- /* db_free_policy */ wrap_krb5_db2_free_policy,
- /* db_supported_realms */ NULL,
- /* db_free_supported_realms */ NULL,
- /* errcode_2_string */ NULL,
- /* release_errcode_string */ NULL,
- /* db_alloc */ krb5_db2_alloc,
- /* db_free */ krb5_db2_free,
- /* set_master_key */ wrap_krb5_db2_set_master_key_ext,
- /* get_master_key */ wrap_krb5_db2_db_get_mkey,
- /* set_master_key_list */ wrap_krb5_db2_db_set_mkey_list,
- /* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list,
- /* blah blah blah */ 0,0,0,0,0,0,0,0,
- /* promote_db */ wrap_krb5_db2_promote_db,
- 0, 0,
- /* invoke */ wrap_krb5_db2_invoke
+ 1, /* major version number 1 */
+ 0, /* minor version number 0 */
+ /* init_library */ hack_init,
+ /* fini_library */ hack_cleanup,
+ /* init_module */ wrap_krb5_db2_open,
+ /* fini_module */ wrap_krb5_db2_db_fini,
+ /* db_create */ wrap_krb5_db2_create,
+ /* db_destroy */ wrap_krb5_db2_destroy,
+ /* db_get_age */ wrap_krb5_db2_db_get_age,
+ /* db_set_option */ wrap_krb5_db2_db_set_option,
+ /* db_lock */ wrap_krb5_db2_db_lock,
+ /* db_unlock */ wrap_krb5_db2_db_unlock,
+ /* db_get_principal */ wrap_krb5_db2_db_get_principal,
+ /* db_free_principal */ wrap_krb5_db2_db_free_principal,
+ /* db_put_principal */ wrap_krb5_db2_db_put_principal,
+ /* db_delete_principal */ wrap_krb5_db2_db_delete_principal,
+ /* db_iterate */ wrap_krb5_db2_db_iterate,
+ /* db_create_policy */ wrap_krb5_db2_create_policy,
+ /* db_get_policy */ wrap_krb5_db2_get_policy,
+ /* db_put_policy */ wrap_krb5_db2_put_policy,
+ /* db_iter_policy */ wrap_krb5_db2_iter_policy,
+ /* db_delete_policy */ wrap_krb5_db2_delete_policy,
+ /* db_free_policy */ wrap_krb5_db2_free_policy,
+ /* db_supported_realms */ NULL,
+ /* db_free_supported_realms */ NULL,
+ /* errcode_2_string */ NULL,
+ /* release_errcode_string */ NULL,
+ /* db_alloc */ krb5_db2_alloc,
+ /* db_free */ krb5_db2_free,
+ /* set_master_key */ wrap_krb5_db2_set_master_key_ext,
+ /* get_master_key */ wrap_krb5_db2_db_get_mkey,
+ /* set_master_key_list */ wrap_krb5_db2_db_set_mkey_list,
+ /* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list,
+ /* blah blah blah */ 0,0,0,0,0,0,0,0,
+ /* promote_db */ wrap_krb5_db2_promote_db,
+ 0, 0,
+ /* invoke */ wrap_krb5_db2_invoke
};
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_db2.c
*
/*
* Routines to deal with context.
*/
-#define k5db2_inited(c) (c && c->dal_handle \
- && c->dal_handle->db_context \
+#define k5db2_inited(c) (c && c->dal_handle \
+ && c->dal_handle->db_context \
&& ((krb5_db2_context *) c->dal_handle->db_context)->db_inited)
static krb5_error_code
{
char *pos = strchr(input, '=');
if (pos == NULL) {
- *opt = NULL;
- *val = strdup(input);
- if (*val == NULL) {
- return ENOMEM;
- }
+ *opt = NULL;
+ *val = strdup(input);
+ if (*val == NULL) {
+ return ENOMEM;
+ }
} else {
- *opt = malloc((pos - input) + 1);
- *val = strdup(pos + 1);
- if (!*opt || !*val) {
- free(*opt);
- *opt = NULL;
- free(*val);
- *val = NULL;
- return ENOMEM;
- }
- memcpy(*opt, input, pos - input);
- (*opt)[pos - input] = '\0';
+ *opt = malloc((pos - input) + 1);
+ *val = strdup(pos + 1);
+ if (!*opt || !*val) {
+ free(*opt);
+ *opt = NULL;
+ free(*val);
+ *val = NULL;
+ return ENOMEM;
+ }
+ memcpy(*opt, input, pos - input);
+ (*opt)[pos - input] = '\0';
}
return (0);
* are the caller's problem.
*/
if (dbctx->db_lf_name)
- free(dbctx->db_lf_name);
+ free(dbctx->db_lf_name);
if (dbctx->db_name && (dbctx->db_name != default_db_name))
- free(dbctx->db_name);
+ free(dbctx->db_name);
/*
* Clear the structure and reset the defaults.
*/
dal_handle = context->dal_handle;
if (dal_handle->db_context == NULL) {
- db_ctx = (krb5_db2_context *) malloc(sizeof(krb5_db2_context));
- if (db_ctx == NULL)
- return ENOMEM;
- else {
- memset(db_ctx, 0, sizeof(krb5_db2_context));
- k5db2_clear_context((krb5_db2_context *) db_ctx);
- dal_handle->db_context = (void *) db_ctx;
- }
+ db_ctx = (krb5_db2_context *) malloc(sizeof(krb5_db2_context));
+ if (db_ctx == NULL)
+ return ENOMEM;
+ else {
+ memset(db_ctx, 0, sizeof(krb5_db2_context));
+ k5db2_clear_context((krb5_db2_context *) db_ctx);
+ dal_handle->db_context = (void *) db_ctx;
+ }
}
return (0);
}
char *dbsuffix;
if (sfx == NULL)
- return ((char *) NULL);
+ return ((char *) NULL);
if (asprintf(&dbsuffix, "%s%s", db_name, sfx) < 0)
- return (0);
+ return (0);
return dbsuffix;
}
bti.prefix = NULL;
if (tempdb) {
- fname = gen_dbsuffix(fname, "~");
+ fname = gen_dbsuffix(fname, "~");
} else {
- fname = strdup(fname);
+ fname = strdup(fname);
}
if (fname == NULL)
{
- errno = ENOMEM;
- return NULL;
+ errno = ENOMEM;
+ return NULL;
}
hashi.nelem = 1;
db = dbopen(fname, flags, mode,
- dbc->hashfirst ? DB_HASH : DB_BTREE,
- dbc->hashfirst ? (void *) &hashi : (void *) &bti);
+ dbc->hashfirst ? DB_HASH : DB_BTREE,
+ dbc->hashfirst ? (void *) &hashi : (void *) &bti);
if (db != NULL) {
- free(fname);
- return db;
+ free(fname);
+ return db;
}
switch (errno) {
#ifdef EFTYPE
case EFTYPE:
#endif
case EINVAL:
- db = dbopen(fname, flags, mode,
- dbc->hashfirst ? DB_BTREE : DB_HASH,
- dbc->hashfirst ? (void *) &bti : (void *) &hashi);
- if (db != NULL)
- dbc->hashfirst = !dbc->hashfirst;
+ db = dbopen(fname, flags, mode,
+ dbc->hashfirst ? DB_BTREE : DB_HASH,
+ dbc->hashfirst ? (void *) &bti : (void *) &hashi);
+ if (db != NULL)
+ dbc->hashfirst = !dbc->hashfirst;
default:
- free(fname);
- return db;
+ free(fname);
+ return db;
}
}
kdb5_dal_handle *dal_handle;
if (k5db2_inited(context))
- return KRB5_KDB_DBNOTINITED;
+ return KRB5_KDB_DBNOTINITED;
dal_handle = context->dal_handle;
dbc = (krb5_db2_context *) dal_handle->db_context;
dbc->hashfirst = hashfirst;
char policy_db_name[1024], policy_lock_name[1024];
if (k5db2_inited(context))
- return 0;
+ return 0;
/* Check for presence of our context, if not present, allocate one. */
if ((retval = k5db2_init_context(context)))
- return (retval);
+ return (retval);
dal_handle = context->dal_handle;
db_ctx = dal_handle->db_context;
db_ctx->db = NULL;
if (!(filename = gen_dbsuffix(db_ctx->db_name, db_ctx->tempdb
- ?KDB2_TEMP_LOCK_EXT:KDB2_LOCK_EXT)))
- return ENOMEM;
- db_ctx->db_lf_name = filename; /* so it gets freed by clear_context */
+ ?KDB2_TEMP_LOCK_EXT:KDB2_LOCK_EXT)))
+ return ENOMEM;
+ db_ctx->db_lf_name = filename; /* so it gets freed by clear_context */
/*
* should be opened read/write so that write locking can work with
* POSIX systems
*/
if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) {
- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) {
- retval = errno;
- goto err_out;
- }
+ if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) {
+ retval = errno;
+ goto err_out;
+ }
}
set_cloexec_fd(db_ctx->db_lf_file);
db_ctx->db_inited++;
if ((retval = krb5_db2_db_get_age(context, NULL, &db_ctx->db_lf_time)))
- goto err_out;
+ goto err_out;
snprintf(policy_db_name, sizeof(policy_db_name),
- db_ctx->tempdb ? "%s~.kadm5" : "%s.kadm5",
- db_ctx->db_name);
+ db_ctx->tempdb ? "%s~.kadm5" : "%s.kadm5",
+ db_ctx->db_name);
snprintf(policy_lock_name, sizeof(policy_lock_name),
- "%s.lock", policy_db_name);
+ "%s.lock", policy_db_name);
if ((retval = osa_adb_init_db(&db_ctx->policy_db, policy_db_name,
- policy_lock_name, OSA_ADB_POLICY_DB_MAGIC)))
+ policy_lock_name, OSA_ADB_POLICY_DB_MAGIC)))
{
- goto err_out;
+ goto err_out;
}
return 0;
- err_out:
+err_out:
db_ctx->db = NULL;
k5db2_clear_context(db_ctx);
return (retval);
dal_handle = context->dal_handle;
if (dal_handle == NULL) {
- return 0;
+ return 0;
}
db_ctx = (krb5_db2_context *) dal_handle->db_context;
if (k5db2_inited(context)) {
- if (close(db_ctx->db_lf_file))
- retval = errno;
- else
- retval = 0;
+ if (close(db_ctx->db_lf_file))
+ retval = errno;
+ else
+ retval = 0;
}
if (db_ctx) {
- if (db_ctx->policy_db) {
- retval =
- osa_adb_fini_db(db_ctx->policy_db, OSA_ADB_POLICY_DB_MAGIC);
- if (retval)
- return retval;
- }
+ if (db_ctx->policy_db) {
+ retval =
+ osa_adb_fini_db(db_ctx->policy_db, OSA_ADB_POLICY_DB_MAGIC);
+ if (retval)
+ return retval;
+ }
- k5db2_clear_context(db_ctx);
- /* free(dal_handle->db_context); */
- dal_handle->db_context = NULL;
+ k5db2_clear_context(db_ctx);
+ /* free(dal_handle->db_context); */
+ dal_handle->db_context = NULL;
}
return retval;
}
kdb5_dal_handle *dal_handle;
if (!k5db2_inited(context))
- return (KRB5_KDB_DBNOTINITED);
+ return (KRB5_KDB_DBNOTINITED);
dal_handle = context->dal_handle;
db_ctx = dal_handle->db_context;
kdb5_dal_handle *dal_handle;
if (!k5db2_inited(context))
- return (KRB5_KDB_DBNOTINITED);
+ return (KRB5_KDB_DBNOTINITED);
dal_handle = context->dal_handle;
db_ctx = dal_handle->db_context;
kdb5_dal_handle *dal_handle;
if (!k5db2_inited(context))
- return (KRB5_KDB_DBNOTINITED);
+ return (KRB5_KDB_DBNOTINITED);
dal_handle = context->dal_handle;
db_ctx = dal_handle->db_context;
kdb5_dal_handle *dal_handle;
if (!k5db2_inited(context))
- return (KRB5_KDB_DBNOTINITED);
+ return (KRB5_KDB_DBNOTINITED);
dal_handle = context->dal_handle;
db_ctx = dal_handle->db_context;
kdb5_dal_handle *dal_handle;
if (k5db2_inited(context))
- return KRB5_KDB_DBINITED;
+ return KRB5_KDB_DBINITED;
/* Check for presence of our context, if not present, allocate one. */
if ((kret = k5db2_init_context(context)))
- return (kret);
+ return (kret);
if (name == NULL)
- name = default_db_name;
+ name = default_db_name;
dal_handle = context->dal_handle;
db_ctx = dal_handle->db_context;
db_ctx->tempdb = tempdb;
db = k5db2_dbopen(db_ctx, name, O_RDONLY, 0, tempdb);
if (db == NULL)
- return errno;
+ return errno;
db_ctx->db_name = strdup(name);
(*db->close) (db);
struct stat st;
if (!k5db2_inited(context))
- return (KRB5_KDB_DBNOTINITED);
+ return (KRB5_KDB_DBNOTINITED);
dal_handle = context->dal_handle;
db_ctx = (krb5_db2_context *) dal_handle->db_context;
if (fstat(db_ctx->db_lf_file, &st) < 0)
- *age = -1;
+ *age = -1;
else
- *age = st.st_mtime;
+ *age = st.st_mtime;
return 0;
}
struct utimbuf utbuf;
if (!k5db2_inited(context))
- return (KRB5_KDB_DBNOTINITED);
+ return (KRB5_KDB_DBNOTINITED);
retval = 0;
dal_handle = context->dal_handle;
db_ctx = dal_handle->db_context;
now = time((time_t *) NULL);
if (fstat(db_ctx->db_lf_file, &st) == 0) {
- if (st.st_mtime >= now) {
- utbuf.actime = st.st_mtime + 1;
- utbuf.modtime = st.st_mtime + 1;
- if (utime(db_ctx->db_lf_name, &utbuf))
- retval = errno;
- } else {
- if (utime(db_ctx->db_lf_name, (struct utimbuf *) NULL))
- retval = errno;
- }
+ if (st.st_mtime >= now) {
+ utbuf.actime = st.st_mtime + 1;
+ utbuf.modtime = st.st_mtime + 1;
+ if (utime(db_ctx->db_lf_name, &utbuf))
+ retval = errno;
+ } else {
+ if (utime(db_ctx->db_lf_name, (struct utimbuf *) NULL))
+ retval = errno;
+ }
} else
- retval = errno;
+ retval = errno;
if (!retval) {
- if (fstat(db_ctx->db_lf_file, &st) == 0)
- db_ctx->db_lf_time = st.st_mtime;
- else
- retval = errno;
+ if (fstat(db_ctx->db_lf_file, &st) == 0)
+ db_ctx->db_lf_time = st.st_mtime;
+ else
+ retval = errno;
}
return (retval);
}
switch (in_mode) {
case KRB5_DB_LOCKMODE_PERMANENT:
- mode = KRB5_DB_LOCKMODE_EXCLUSIVE;
- break;
+ mode = KRB5_DB_LOCKMODE_EXCLUSIVE;
+ break;
case KRB5_DB_LOCKMODE_EXCLUSIVE:
- mode = KRB5_LOCKMODE_EXCLUSIVE;
- break;
+ mode = KRB5_LOCKMODE_EXCLUSIVE;
+ break;
case KRB5_DB_LOCKMODE_SHARED:
- mode = KRB5_LOCKMODE_SHARED;
- break;
+ mode = KRB5_LOCKMODE_SHARED;
+ break;
default:
- return EINVAL;
+ return EINVAL;
}
if (!k5db2_inited(context))
- return KRB5_KDB_DBNOTINITED;
+ return KRB5_KDB_DBNOTINITED;
dal_handle = context->dal_handle;
db_ctx = (krb5_db2_context *) dal_handle->db_context;
if (db_ctx->db_locks_held && (db_ctx->db_lock_mode >= mode)) {
- /* No need to upgrade lock, just return */
- db_ctx->db_locks_held++;
- goto policy_lock;
+ /* No need to upgrade lock, just return */
+ db_ctx->db_locks_held++;
+ goto policy_lock;
}
if ((mode != KRB5_LOCKMODE_SHARED) && (mode != KRB5_LOCKMODE_EXCLUSIVE))
- return KRB5_KDB_BADLOCKMODE;
+ return KRB5_KDB_BADLOCKMODE;
krb5_lock_mode = mode | KRB5_LOCKMODE_DONTBLOCK;
for (gotlock = tries = 0; tries < MAX_LOCK_TRIES; tries++) {
- retval = krb5_lock_file(context, db_ctx->db_lf_file, krb5_lock_mode);
- if (retval == 0) {
- gotlock++;
- break;
- } else if (retval == EBADF && mode == KRB5_DB_LOCKMODE_EXCLUSIVE)
- /* tried to exclusive-lock something we don't have */
- /* write access to */
- return KRB5_KDB_CANTLOCK_DB;
- sleep(1);
+ retval = krb5_lock_file(context, db_ctx->db_lf_file, krb5_lock_mode);
+ if (retval == 0) {
+ gotlock++;
+ break;
+ } else if (retval == EBADF && mode == KRB5_DB_LOCKMODE_EXCLUSIVE)
+ /* tried to exclusive-lock something we don't have */
+ /* write access to */
+ return KRB5_KDB_CANTLOCK_DB;
+ sleep(1);
}
if (retval == EACCES)
- return KRB5_KDB_CANTLOCK_DB;
+ return KRB5_KDB_CANTLOCK_DB;
else if (retval == EAGAIN || retval == EWOULDBLOCK)
- return OSA_ADB_CANTLOCK_DB;
+ return OSA_ADB_CANTLOCK_DB;
else if (retval != 0)
- return retval;
+ return retval;
if ((retval = krb5_db2_db_get_age(context, NULL, &mod_time)))
- goto lock_error;
+ goto lock_error;
db = k5db2_dbopen(db_ctx, db_ctx->db_name,
- mode == KRB5_LOCKMODE_SHARED ? O_RDONLY : O_RDWR, 0600, db_ctx->tempdb);
+ mode == KRB5_LOCKMODE_SHARED ? O_RDONLY : O_RDWR, 0600, db_ctx->tempdb);
if (db) {
- db_ctx->db_lf_time = mod_time;
- db_ctx->db = db;
+ db_ctx->db_lf_time = mod_time;
+ db_ctx->db = db;
} else {
- retval = errno;
- db_ctx->db = NULL;
- goto lock_error;
+ retval = errno;
+ db_ctx->db = NULL;
+ goto lock_error;
}
db_ctx->db_lock_mode = mode;
db_ctx->db_locks_held++;
- policy_lock:
+policy_lock:
if ((retval = osa_adb_get_lock(db_ctx->policy_db, in_mode))) {
- krb5_db2_db_unlock(context);
+ krb5_db2_db_unlock(context);
}
return retval;
- lock_error:;
+lock_error:;
db_ctx->db_lock_mode = 0;
db_ctx->db_locks_held = 0;
krb5_db2_db_unlock(context);
krb5_error_code retval;
if (!k5db2_inited(context))
- return KRB5_KDB_DBNOTINITED;
+ return KRB5_KDB_DBNOTINITED;
dal_handle = context->dal_handle;
db_ctx = (krb5_db2_context *) dal_handle->db_context;
if ((retval = osa_adb_release_lock(db_ctx->policy_db))) {
- return retval;
+ return retval;
}
- if (!db_ctx->db_locks_held) /* lock already unlocked */
- return KRB5_KDB_NOTLOCKED;
+ if (!db_ctx->db_locks_held) /* lock already unlocked */
+ return KRB5_KDB_NOTLOCKED;
db = db_ctx->db;
if (--(db_ctx->db_locks_held) == 0) {
- (*db->close) (db);
- db_ctx->db = NULL;
+ (*db->close) (db);
+ db_ctx->db = NULL;
- retval = krb5_lock_file(context, db_ctx->db_lf_file,
- KRB5_LOCKMODE_UNLOCK);
- db_ctx->db_lock_mode = 0;
- return (retval);
+ retval = krb5_lock_file(context, db_ctx->db_lf_file,
+ KRB5_LOCKMODE_UNLOCK);
+ db_ctx->db_lock_mode = 0;
+ return (retval);
}
return 0;
}
char policy_db_name[1024], policy_lock_name[1024];
if ((retval = k5db2_init_context(context)))
- return (retval);
+ return (retval);
dal_handle = context->dal_handle;
db_ctx = (krb5_db2_context *) dal_handle->db_context;
switch (flags) {
case KRB5_KDB_CREATE_HASH:
- if ((retval = krb5_db2_db_set_hashfirst(context, TRUE)))
- return retval;
- break;
+ if ((retval = krb5_db2_db_set_hashfirst(context, TRUE)))
+ return retval;
+ break;
case KRB5_KDB_CREATE_BTREE:
case 0:
- if ((retval = krb5_db2_db_set_hashfirst(context, FALSE)))
- return retval;
- break;
+ if ((retval = krb5_db2_db_set_hashfirst(context, FALSE)))
+ return retval;
+ break;
default:
- return KRB5_KDB_BAD_CREATEFLAGS;
+ return KRB5_KDB_BAD_CREATEFLAGS;
}
db = k5db2_dbopen(db_ctx, db_name, O_RDWR | O_CREAT | O_EXCL, 0600, db_ctx->tempdb);
if (db == NULL)
- return errno;
+ return errno;
(*db->close) (db);
db_name2 = db_ctx->tempdb ? gen_dbsuffix(db_name, "~") : strdup(db_name);
if (db_name2 == NULL)
- return ENOMEM;
+ return ENOMEM;
okname = gen_dbsuffix(db_name2, KDB2_LOCK_EXT);
if (!okname)
- retval = ENOMEM;
+ retval = ENOMEM;
else {
- fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
- if (fd < 0)
- retval = errno;
- else
- close(fd);
- free_dbsuffix(okname);
+ fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
+ if (fd < 0)
+ retval = errno;
+ else
+ close(fd);
+ free_dbsuffix(okname);
}
snprintf(policy_db_name, sizeof(policy_db_name), "%s.kadm5", db_name2);
snprintf(policy_lock_name, sizeof(policy_lock_name),
- "%s.lock", policy_db_name);
+ "%s.lock", policy_db_name);
retval = osa_adb_create_db(policy_db_name,
- policy_lock_name, OSA_ADB_POLICY_DB_MAGIC);
+ policy_lock_name, OSA_ADB_POLICY_DB_MAGIC);
free(db_name2);
return retval;
}
char *filename;
struct stat statb;
int nb, fd;
- int j;
+ int j;
off_t pos;
char buf[BUFSIZ];
char zbuf[BUFSIZ];
filename = gen_dbsuffix(dbname, suffix);
if (filename == 0)
- return ENOMEM;
+ return ENOMEM;
if ((fd = open(filename, O_RDWR, 0)) < 0) {
- free(filename);
- return errno;
+ free(filename);
+ return errno;
}
set_cloexec_fd(fd);
/* fstat() will probably not fail unless using a remote filesystem
* (which is inappropriate for the kerberos database) so this check
* is mostly paranoia. */
if (fstat(fd, &statb) == -1) {
- int retval = errno;
- free(filename);
- return retval;
+ int retval = errno;
+ free(filename);
+ return retval;
}
/*
* Stroll through the file, reading in BUFSIZ chunks. If everything
memset(zbuf, 0, BUFSIZ);
pos = 0;
while (pos < statb.st_size) {
- dowrite = 0;
- nb = read(fd, buf, BUFSIZ);
- if (nb < 0) {
- int retval = errno;
- free(filename);
- return retval;
- }
- for (j = 0; j < nb; j++) {
- if (buf[j] != '\0') {
- dowrite = 1;
- break;
- }
- }
- /* For signedness */
- j = nb;
- if (dowrite) {
- lseek(fd, pos, SEEK_SET);
- nb = write(fd, zbuf, j);
- if (nb < 0) {
- int retval = errno;
- free(filename);
- return retval;
- }
- }
- pos += nb;
+ dowrite = 0;
+ nb = read(fd, buf, BUFSIZ);
+ if (nb < 0) {
+ int retval = errno;
+ free(filename);
+ return retval;
+ }
+ for (j = 0; j < nb; j++) {
+ if (buf[j] != '\0') {
+ dowrite = 1;
+ break;
+ }
+ }
+ /* For signedness */
+ j = nb;
+ if (dowrite) {
+ lseek(fd, pos, SEEK_SET);
+ nb = write(fd, zbuf, j);
+ if (nb < 0) {
+ int retval = errno;
+ free(filename);
+ return retval;
+ }
+ }
+ pos += nb;
}
/* ??? Is fsync really needed? I don't know of any non-networked
* filesystem which will discard queued writes to disk if a file
close(fd);
if (unlink(filename)) {
- free(filename);
- return (errno);
+ free(filename);
+ return (errno);
}
free(filename);
return (0);
tmpcontext = 0;
if (!context->dal_handle
- || !context->dal_handle->db_context) {
- tmpcontext = 1;
- if ((retval1 = k5db2_init_context(context)))
- return (retval1);
+ || !context->dal_handle->db_context) {
+ tmpcontext = 1;
+ if ((retval1 = k5db2_init_context(context)))
+ return (retval1);
}
retval1 = retval2 = 0;
retval2 = destroy_file_suffix(dbname, KDB2_LOCK_EXT);
if (tmpcontext) {
- k5db2_clear_context((krb5_db2_context *) context->dal_handle->db_context);
- free(context->dal_handle->db_context);
- context->dal_handle->db_context = NULL;
+ k5db2_clear_context((krb5_db2_context *) context->dal_handle->db_context);
+ free(context->dal_handle->db_context);
+ context->dal_handle->db_context = NULL;
}
if (retval1 || retval2)
- return (retval1 ? retval1 : retval2);
+ return (retval1 ? retval1 : retval2);
snprintf(policy_db_name, sizeof(policy_db_name), "%s.kadm5", dbname);
snprintf(policy_lock_name, sizeof(policy_lock_name),
- "%s.lock", policy_db_name);
+ "%s.lock", policy_db_name);
retval1 = osa_adb_destroy_db(policy_db_name,
- policy_lock_name, OSA_ADB_POLICY_DB_MAGIC);
+ policy_lock_name, OSA_ADB_POLICY_DB_MAGIC);
return retval1;
}
krb5_error_code
krb5_db2_db_get_principal(krb5_context context,
- krb5_const_principal searchfor,
- krb5_db_entry *entries, /* filled in */
- int *nentries, /* how much room/how many found */
- krb5_boolean *more) /* are there more? */
+ krb5_const_principal searchfor,
+ krb5_db_entry *entries, /* filled in */
+ int *nentries, /* how much room/how many found */
+ krb5_boolean *more) /* are there more? */
{
krb5_db2_context *db_ctx;
krb5_error_code retval;
*nentries = 0;
if (!k5db2_inited(context))
- return KRB5_KDB_DBNOTINITED;
+ return KRB5_KDB_DBNOTINITED;
dal_handle = context->dal_handle;
db_ctx = (krb5_db2_context *) dal_handle->db_context;
for (trynum = 0; trynum < KRB5_DB2_MAX_RETRY; trynum++) {
- if ((retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_SHARED))) {
- if (db_ctx->db_nb_locks)
- return (retval);
- sleep(1);
- continue;
- }
- break;
+ if ((retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_SHARED))) {
+ if (db_ctx->db_nb_locks)
+ return (retval);
+ sleep(1);
+ continue;
+ }
+ break;
}
if (trynum == KRB5_DB2_MAX_RETRY)
- return KRB5_KDB_DB_INUSE;
+ return KRB5_KDB_DB_INUSE;
/* XXX deal with wildcard lookups */
retval = krb5_encode_princ_dbkey(context, &keydata, searchfor);
if (retval)
- goto cleanup;
+ goto cleanup;
key.data = keydata.data;
key.size = keydata.length;
krb5_free_data_contents(context, &keydata);
switch (dbret) {
case 1:
- retval = 0;
+ retval = 0;
case -1:
default:
- *nentries = 0;
- goto cleanup;
+ *nentries = 0;
+ goto cleanup;
case 0:
- contdata.data = contents.data;
- contdata.length = contents.size;
- retval = krb5_decode_princ_contents(context, &contdata, entries);
- if (!retval)
- *nentries = 1;
- break;
+ contdata.data = contents.data;
+ contdata.length = contents.size;
+ retval = krb5_decode_princ_contents(context, &contdata, entries);
+ if (!retval)
+ *nentries = 1;
+ break;
}
- cleanup:
- (void) krb5_db2_db_unlock(context); /* unlock read lock */
+cleanup:
+ (void) krb5_db2_db_unlock(context); /* unlock read lock */
return retval;
}
/*
Free stuff returned by krb5_db2_db_get_principal.
- */
+*/
krb5_error_code
krb5_db2_db_free_principal(krb5_context context, krb5_db_entry *entries,
- int nentries)
+ int nentries)
{
register int i;
for (i = 0; i < nentries; i++)
- krb5_dbe_free_contents(context, &entries[i]);
+ krb5_dbe_free_contents(context, &entries[i]);
return 0;
}
acutally stored; the first *"nstored" records will have been stored in the
database (even if an error occurs).
- */
+*/
krb5_error_code
krb5_db2_db_put_principal(krb5_context context,
- krb5_db_entry *entries,
- int *nentries, /* number of entry structs to update */
- char **db_args)
+ krb5_db_entry *entries,
+ int *nentries, /* number of entry structs to update */
+ char **db_args)
{
int i, n, dbret;
DB *db;
krb5_clear_error_message (context);
if (db_args) {
- /* DB2 does not support db_args DB arguments for principal */
- krb5_set_error_message(context, EINVAL,
- "Unsupported argument \"%s\" for db2",
- db_args[0]);
- return EINVAL;
+ /* DB2 does not support db_args DB arguments for principal */
+ krb5_set_error_message(context, EINVAL,
+ "Unsupported argument \"%s\" for db2",
+ db_args[0]);
+ return EINVAL;
}
n = *nentries;
*nentries = 0;
if (!k5db2_inited(context))
- return KRB5_KDB_DBNOTINITED;
+ return KRB5_KDB_DBNOTINITED;
dal_handle = context->dal_handle;
db_ctx = (krb5_db2_context *) dal_handle->db_context;
if ((retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_EXCLUSIVE)))
- return retval;
+ return retval;
db = db_ctx->db;
if ((retval = krb5_db2_db_start_update(context))) {
- (void) krb5_db2_db_unlock(context);
- return retval;
+ (void) krb5_db2_db_unlock(context);
+ return retval;
}
/* for each one, stuff temps, and do replace/append */
for (i = 0; i < n; i++) {
- retval = krb5_encode_princ_contents(context, &contdata, entries);
- if (retval)
- break;
- contents.data = contdata.data;
- contents.size = contdata.length;
- retval = krb5_encode_princ_dbkey(context, &keydata, entries->princ);
- if (retval) {
- krb5_free_data_contents(context, &contdata);
- break;
- }
-
- key.data = keydata.data;
- key.size = keydata.length;
- dbret = (*db->put) (db, &key, &contents, 0);
- retval = dbret ? errno : 0;
- krb5_free_data_contents(context, &keydata);
- krb5_free_data_contents(context, &contdata);
- if (retval)
- break;
- entries++; /* bump to next struct */
+ retval = krb5_encode_princ_contents(context, &contdata, entries);
+ if (retval)
+ break;
+ contents.data = contdata.data;
+ contents.size = contdata.length;
+ retval = krb5_encode_princ_dbkey(context, &keydata, entries->princ);
+ if (retval) {
+ krb5_free_data_contents(context, &contdata);
+ break;
+ }
+
+ key.data = keydata.data;
+ key.size = keydata.length;
+ dbret = (*db->put) (db, &key, &contents, 0);
+ retval = dbret ? errno : 0;
+ krb5_free_data_contents(context, &keydata);
+ krb5_free_data_contents(context, &contdata);
+ if (retval)
+ break;
+ entries++; /* bump to next struct */
}
(void) krb5_db2_db_end_update(context);
- (void) krb5_db2_db_unlock(context); /* unlock database */
+ (void) krb5_db2_db_unlock(context); /* unlock database */
*nentries = i;
return (retval);
}
krb5_error_code
krb5_db2_db_delete_principal(krb5_context context,
- krb5_const_principal searchfor,
- int *nentries) /* how many found & deleted */
+ krb5_const_principal searchfor,
+ int *nentries) /* how many found & deleted */
{
krb5_error_code retval;
krb5_db_entry entry;
kdb5_dal_handle *dal_handle;
if (!k5db2_inited(context))
- return KRB5_KDB_DBNOTINITED;
+ return KRB5_KDB_DBNOTINITED;
dal_handle = context->dal_handle;
db_ctx = (krb5_db2_context *) dal_handle->db_context;
if ((retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_EXCLUSIVE)))
- return (retval);
+ return (retval);
if ((retval = krb5_db2_db_start_update(context))) {
- (void) krb5_db2_db_unlock(context); /* unlock write lock */
- return (retval);
+ (void) krb5_db2_db_unlock(context); /* unlock write lock */
+ return (retval);
}
if ((retval = krb5_encode_princ_dbkey(context, &keydata, searchfor)))
- goto cleanup;
+ goto cleanup;
key.data = keydata.data;
key.size = keydata.length;
retval = errno;
switch (dbret) {
case 1:
- retval = KRB5_KDB_NOENTRY;
+ retval = KRB5_KDB_NOENTRY;
case -1:
default:
- *nentries = 0;
- goto cleankey;
+ *nentries = 0;
+ goto cleankey;
case 0:
- ;
+ ;
}
memset(&entry, 0, sizeof(entry));
contdata.data = contents.data;
contdata.length = contents.size;
retval = krb5_decode_princ_contents(context, &contdata, &entry);
if (retval)
- goto cleankey;
+ goto cleankey;
*nentries = 1;
/* Clear encrypted key contents */
for (i = 0; i < entry.n_key_data; i++) {
- if (entry.key_data[i].key_data_length[0]) {
- memset(entry.key_data[i].key_data_contents[0], 0,
- (unsigned) entry.key_data[i].key_data_length[0]);
- }
+ if (entry.key_data[i].key_data_length[0]) {
+ memset(entry.key_data[i].key_data_contents[0], 0,
+ (unsigned) entry.key_data[i].key_data_length[0]);
+ }
}
retval = krb5_encode_princ_contents(context, &contdata, &entry);
krb5_dbe_free_contents(context, &entry);
if (retval)
- goto cleankey;
+ goto cleankey;
contents.data = contdata.data;
contents.size = contdata.length;
retval = dbret ? errno : 0;
krb5_free_data_contents(context, &contdata);
if (retval)
- goto cleankey;
+ goto cleankey;
dbret = (*db->del) (db, &key, 0);
retval = dbret ? errno : 0;
- cleankey:
+cleankey:
krb5_free_data_contents(context, &keydata);
- cleanup:
+cleanup:
(void) krb5_db2_db_end_update(context);
- (void) krb5_db2_db_unlock(context); /* unlock write lock */
+ (void) krb5_db2_db_unlock(context); /* unlock write lock */
return retval;
}
krb5_error_code
krb5_db2_db_iterate_ext(krb5_context context,
- krb5_error_code(*func) (krb5_pointer, krb5_db_entry *),
- krb5_pointer func_arg,
- int backwards, int recursive)
+ krb5_error_code(*func) (krb5_pointer, krb5_db_entry *),
+ krb5_pointer func_arg,
+ int backwards, int recursive)
{
krb5_db2_context *db_ctx;
DB *db;
cookie = NULL;
if (!k5db2_inited(context))
- return KRB5_KDB_DBNOTINITED;
+ return KRB5_KDB_DBNOTINITED;
dal_handle = context->dal_handle;
db_ctx = (krb5_db2_context *) dal_handle->db_context;
retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_SHARED);
if (retval)
- return retval;
+ return retval;
db = db_ctx->db;
if (recursive && db->type != DB_BTREE) {
- (void) krb5_db2_db_unlock(context);
- return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */
+ (void) krb5_db2_db_unlock(context);
+ return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */
}
if (!recursive) {
- dbret = (*db->seq) (db, &key, &contents, backwards ? R_LAST : R_FIRST);
+ dbret = (*db->seq) (db, &key, &contents, backwards ? R_LAST : R_FIRST);
} else {
#ifdef HAVE_BT_RSEQ
- dbret = bt_rseq(db, &key, &contents, &cookie,
- backwards ? R_LAST : R_FIRST);
+ dbret = bt_rseq(db, &key, &contents, &cookie,
+ backwards ? R_LAST : R_FIRST);
#else
- (void) krb5_db2_db_unlock(context);
- return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */
+ (void) krb5_db2_db_unlock(context);
+ return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */
#endif
}
while (dbret == 0) {
- krb5_error_code retval2;
-
- contdata.data = contents.data;
- contdata.length = contents.size;
- retval = krb5_decode_princ_contents(context, &contdata, &entries);
- if (retval)
- break;
- retval = k5_mutex_unlock(krb5_db2_mutex);
- if (retval)
- break;
- retval = (*func) (func_arg, &entries);
- krb5_dbe_free_contents(context, &entries);
- retval2 = k5_mutex_lock(krb5_db2_mutex);
- /* Note: If re-locking fails, the wrapper in db2_exp.c will
- still try to unlock it again. That would be a bug. Fix
- when integrating the locking better. */
- if (retval)
- break;
- if (retval2) {
- retval = retval2;
- break;
- }
- if (!recursive) {
- dbret = (*db->seq) (db, &key, &contents,
- backwards ? R_PREV : R_NEXT);
- } else {
+ krb5_error_code retval2;
+
+ contdata.data = contents.data;
+ contdata.length = contents.size;
+ retval = krb5_decode_princ_contents(context, &contdata, &entries);
+ if (retval)
+ break;
+ retval = k5_mutex_unlock(krb5_db2_mutex);
+ if (retval)
+ break;
+ retval = (*func) (func_arg, &entries);
+ krb5_dbe_free_contents(context, &entries);
+ retval2 = k5_mutex_lock(krb5_db2_mutex);
+ /* Note: If re-locking fails, the wrapper in db2_exp.c will
+ still try to unlock it again. That would be a bug. Fix
+ when integrating the locking better. */
+ if (retval)
+ break;
+ if (retval2) {
+ retval = retval2;
+ break;
+ }
+ if (!recursive) {
+ dbret = (*db->seq) (db, &key, &contents,
+ backwards ? R_PREV : R_NEXT);
+ } else {
#ifdef HAVE_BT_RSEQ
- dbret = bt_rseq(db, &key, &contents, &cookie,
- backwards ? R_PREV : R_NEXT);
+ dbret = bt_rseq(db, &key, &contents, &cookie,
+ backwards ? R_PREV : R_NEXT);
#else
- (void) krb5_db2_db_unlock(context);
- return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */
+ (void) krb5_db2_db_unlock(context);
+ return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */
#endif
- }
+ }
}
switch (dbret) {
case 1:
case 0:
- break;
+ break;
case -1:
default:
- retval = errno;
+ retval = errno;
}
(void) krb5_db2_db_unlock(context);
return retval;
krb5_error_code
krb5_db2_db_iterate(krb5_context context,
- char *match_expr,
- krb5_error_code(*func) (krb5_pointer, krb5_db_entry *),
- krb5_pointer func_arg)
+ char *match_expr,
+ krb5_error_code(*func) (krb5_pointer, krb5_db_entry *),
+ krb5_pointer func_arg)
{
return krb5_db2_db_iterate_ext(context, func, func_arg, 0, 0);
}
dal_handle = context->dal_handle;
old = mode;
if (dal_handle && (db_ctx = (krb5_db2_context *) dal_handle->db_context)) {
- old = db_ctx->db_nb_locks;
- db_ctx->db_nb_locks = mode;
+ old = db_ctx->db_nb_locks;
+ db_ctx->db_nb_locks = mode;
}
return old;
}
krb5_error_code
krb5_db2_open(krb5_context kcontext,
- char *conf_section, char **db_args, int mode)
+ char *conf_section, char **db_args, int mode)
{
krb5_error_code status = 0;
char **t_ptr = db_args;
krb5_clear_error_message (kcontext);
if (k5db2_inited(kcontext))
- return 0;
+ return 0;
while (t_ptr && *t_ptr) {
- char *opt = NULL, *val = NULL;
-
- krb5_db2_get_db_opt(*t_ptr, &opt, &val);
- if (opt && !strcmp(opt, "dbname")) {
- if (dbname) free(dbname);
- dbname = strdup(val);
- if (dbname == NULL) {
- free(opt);
- free(val);
- return ENOMEM;
- }
- }
- else if (!opt && !strcmp(val, "temporary") ) {
- tempdb = 1;
- }
- else if (!opt && !strcmp(val, "merge_nra")) {
- ;
- }
- /* ignore hash argument. Might have been passed from create */
- else if (!opt || strcmp(opt, "hash")) {
- krb5_set_error_message(kcontext, EINVAL,
- "Unsupported argument \"%s\" for db2",
- opt ? opt : val);
- free(opt);
- free(val);
- return EINVAL;
- }
-
- free(opt);
- free(val);
- t_ptr++;
+ char *opt = NULL, *val = NULL;
+
+ krb5_db2_get_db_opt(*t_ptr, &opt, &val);
+ if (opt && !strcmp(opt, "dbname")) {
+ if (dbname) free(dbname);
+ dbname = strdup(val);
+ if (dbname == NULL) {
+ free(opt);
+ free(val);
+ return ENOMEM;
+ }
+ }
+ else if (!opt && !strcmp(val, "temporary") ) {
+ tempdb = 1;
+ }
+ else if (!opt && !strcmp(val, "merge_nra")) {
+ ;
+ }
+ /* ignore hash argument. Might have been passed from create */
+ else if (!opt || strcmp(opt, "hash")) {
+ krb5_set_error_message(kcontext, EINVAL,
+ "Unsupported argument \"%s\" for db2",
+ opt ? opt : val);
+ free(opt);
+ free(val);
+ return EINVAL;
+ }
+
+ free(opt);
+ free(val);
+ t_ptr++;
}
if(dbname) {
- status = krb5_db2_db_set_name(kcontext, dbname, tempdb);
- free(dbname);
- if (status) {
- goto clean_n_exit;
- }
- db_name_set = 1;
+ status = krb5_db2_db_set_name(kcontext, dbname, tempdb);
+ free(dbname);
+ if (status) {
+ goto clean_n_exit;
+ }
+ db_name_set = 1;
}
if (!db_name_set) {
- char *value = NULL;
- status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_MODULE_SECTION, conf_section, KDB_DB2_DATABASE_NAME, /* under given conf section */
- NULL, &value);
+ char *value = NULL;
+ status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_MODULE_SECTION, conf_section, KDB_DB2_DATABASE_NAME, /* under given conf section */
+ NULL, &value);
- if (value == NULL) {
- /* special case for db2. We might actually be looking at old type config file where database is specified as part of realm */
- status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_REALM_SECTION, KRB5_DB_GET_REALM(kcontext), KDB_DB2_DATABASE_NAME, /* under given realm */
- default_db_name, &value);
- if (status) {
- goto clean_n_exit;
- }
- }
+ if (value == NULL) {
+ /* special case for db2. We might actually be looking at old type config file where database is specified as part of realm */
+ status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_REALM_SECTION, KRB5_DB_GET_REALM(kcontext), KDB_DB2_DATABASE_NAME, /* under given realm */
+ default_db_name, &value);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
- status = krb5_db2_db_set_name(kcontext, value, tempdb);
- profile_release_string(value);
- if (status) {
- goto clean_n_exit;
- }
+ status = krb5_db2_db_set_name(kcontext, value, tempdb);
+ profile_release_string(value);
+ if (status) {
+ goto clean_n_exit;
+ }
}
status = krb5_db2_db_init(kcontext);
- clean_n_exit:
+clean_n_exit:
return status;
}
krb5_clear_error_message (kcontext);
if (k5db2_inited(kcontext))
- return 0;
+ return 0;
while (t_ptr && *t_ptr) {
- char *opt = NULL, *val = NULL;
-
- krb5_db2_get_db_opt(*t_ptr, &opt, &val);
- if (opt && !strcmp(opt, "dbname")) {
- db_name = strdup(val);
- if (db_name == NULL) {
- free(opt);
- free(val);
- return ENOMEM;
- }
- }
- else if (!opt && !strcmp(val, "temporary")) {
- tempdb = 1;
- } else if (!opt && !strcmp(val, "merge_nra")) {
- ;
- } else if (opt && !strcmp(opt, "hash")) {
- flags = KRB5_KDB_CREATE_HASH;
- } else {
- krb5_set_error_message(kcontext, EINVAL,
- "Unsupported argument \"%s\" for db2",
- opt ? opt : val);
- free(opt);
- free(val);
- return EINVAL;
- }
-
- free(opt);
- free(val);
- t_ptr++;
+ char *opt = NULL, *val = NULL;
+
+ krb5_db2_get_db_opt(*t_ptr, &opt, &val);
+ if (opt && !strcmp(opt, "dbname")) {
+ db_name = strdup(val);
+ if (db_name == NULL) {
+ free(opt);
+ free(val);
+ return ENOMEM;
+ }
+ }
+ else if (!opt && !strcmp(val, "temporary")) {
+ tempdb = 1;
+ } else if (!opt && !strcmp(val, "merge_nra")) {
+ ;
+ } else if (opt && !strcmp(opt, "hash")) {
+ flags = KRB5_KDB_CREATE_HASH;
+ } else {
+ krb5_set_error_message(kcontext, EINVAL,
+ "Unsupported argument \"%s\" for db2",
+ opt ? opt : val);
+ free(opt);
+ free(val);
+ return EINVAL;
+ }
+
+ free(opt);
+ free(val);
+ t_ptr++;
}
if (db_name) {
- status = krb5_db2_db_set_name(kcontext, db_name, tempdb);
- if (!status) {
- status = EEXIST;
- goto clean_n_exit;
- }
- db_name_set = 1;
+ status = krb5_db2_db_set_name(kcontext, db_name, tempdb);
+ if (!status) {
+ status = EEXIST;
+ goto clean_n_exit;
+ }
+ db_name_set = 1;
}
if (!db_name_set) {
- char *value = NULL;
- status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext),
- KDB_MODULE_SECTION, conf_section,
- /* under given conf section */
- KDB_DB2_DATABASE_NAME, NULL, &value);
-
- if (value == NULL) {
- /* Special case for db2. We might actually be looking at
- * old type config file where database is specified as
- * part of realm. */
- status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext),
- KDB_REALM_SECTION,
- KRB5_DB_GET_REALM(kcontext),
- /* under given realm */
- KDB_DB2_DATABASE_NAME,
- default_db_name, &value);
- if (status) {
- goto clean_n_exit;
- }
- }
-
- db_name = strdup(value);
- if (db_name == NULL) {
- status = ENOMEM;
- profile_release_string(value);
- goto clean_n_exit;
- }
- status = krb5_db2_db_set_name(kcontext, value, tempdb);
- profile_release_string(value);
- if (!status) {
- status = EEXIST;
- goto clean_n_exit;
- }
+ char *value = NULL;
+ status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext),
+ KDB_MODULE_SECTION, conf_section,
+ /* under given conf section */
+ KDB_DB2_DATABASE_NAME, NULL, &value);
+
+ if (value == NULL) {
+ /* Special case for db2. We might actually be looking at
+ * old type config file where database is specified as
+ * part of realm. */
+ status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext),
+ KDB_REALM_SECTION,
+ KRB5_DB_GET_REALM(kcontext),
+ /* under given realm */
+ KDB_DB2_DATABASE_NAME,
+ default_db_name, &value);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
+
+ db_name = strdup(value);
+ if (db_name == NULL) {
+ status = ENOMEM;
+ profile_release_string(value);
+ goto clean_n_exit;
+ }
+ status = krb5_db2_db_set_name(kcontext, value, tempdb);
+ profile_release_string(value);
+ if (!status) {
+ status = EEXIST;
+ goto clean_n_exit;
+ }
}
status = krb5_db2_db_create(kcontext, db_name, flags);
if (status)
- goto clean_n_exit;
+ goto clean_n_exit;
/* db2 has a problem of needing to close and open the database again. This removes that need */
status = krb5_db2_db_fini(kcontext);
if (status)
- goto clean_n_exit;
+ goto clean_n_exit;
status = krb5_db2_open(kcontext, conf_section, db_args, KRB5_KDB_OPEN_RW);
- clean_n_exit:
+clean_n_exit:
if (db_name)
- free(db_name);
+ free(db_name);
return status;
}
char *db_name = NULL;
while (t_ptr && *t_ptr) {
- char *opt = NULL, *val = NULL;
-
- krb5_db2_get_db_opt(*t_ptr, &opt, &val);
- if (opt && !strcmp(opt, "dbname")) {
- db_name = strdup(val);
- if (db_name == NULL) {
- free(opt);
- free(val);
- return ENOMEM;
- }
- }
- else if (!opt && !strcmp(val, "temporary")) {
- tempdb = 1;
- }
- /* ignore hash argument. Might have been passed from create */
- else if (!opt || strcmp(opt, "hash")) {
- free(opt);
- free(val);
- return EINVAL;
- }
-
- free(opt);
- free(val);
- t_ptr++;
+ char *opt = NULL, *val = NULL;
+
+ krb5_db2_get_db_opt(*t_ptr, &opt, &val);
+ if (opt && !strcmp(opt, "dbname")) {
+ db_name = strdup(val);
+ if (db_name == NULL) {
+ free(opt);
+ free(val);
+ return ENOMEM;
+ }
+ }
+ else if (!opt && !strcmp(val, "temporary")) {
+ tempdb = 1;
+ }
+ /* ignore hash argument. Might have been passed from create */
+ else if (!opt || strcmp(opt, "hash")) {
+ free(opt);
+ free(val);
+ return EINVAL;
+ }
+
+ free(opt);
+ free(val);
+ t_ptr++;
}
if (db_name) {
- status = krb5_db2_db_set_name(kcontext, db_name, tempdb);
- if (status) {
- goto clean_n_exit;
- }
- db_name_set = 1;
+ status = krb5_db2_db_set_name(kcontext, db_name, tempdb);
+ if (status) {
+ goto clean_n_exit;
+ }
+ db_name_set = 1;
}
if (!db_name_set) {
- char *value = NULL;
- status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_MODULE_SECTION, conf_section, KDB_DB2_DATABASE_NAME, /* under given conf section */
- NULL, &value);
-
- if (value == NULL) {
- /* special case for db2. We might actually be looking at old type config file where database is specified as part of realm */
- status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_REALM_SECTION, KRB5_DB_GET_REALM(kcontext), KDB_DB2_DATABASE_NAME, /* under given realm */
- default_db_name, &value);
- if (status) {
- goto clean_n_exit;
- }
- }
-
- db_name = strdup(value);
- if (db_name == NULL) {
- status = ENOMEM;
- goto clean_n_exit;
- }
- status = krb5_db2_db_set_name(kcontext, value, tempdb);
- profile_release_string(value);
- if (status) {
- goto clean_n_exit;
- }
+ char *value = NULL;
+ status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_MODULE_SECTION, conf_section, KDB_DB2_DATABASE_NAME, /* under given conf section */
+ NULL, &value);
+
+ if (value == NULL) {
+ /* special case for db2. We might actually be looking at old type config file where database is specified as part of realm */
+ status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_REALM_SECTION, KRB5_DB_GET_REALM(kcontext), KDB_DB2_DATABASE_NAME, /* under given realm */
+ default_db_name, &value);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
+
+ db_name = strdup(value);
+ if (db_name == NULL) {
+ status = ENOMEM;
+ goto clean_n_exit;
+ }
+ status = krb5_db2_db_set_name(kcontext, value, tempdb);
+ profile_release_string(value);
+ if (status) {
+ goto clean_n_exit;
+ }
}
status = krb5_db2_db_destroy(kcontext, db_name);
- clean_n_exit:
+clean_n_exit:
if (db_name)
- free(db_name);
+ free(db_name);
return status;
}
krb5_error_code
krb5_db2_set_master_key_ext(krb5_context kcontext,
- char *pwd, krb5_keyblock * key)
+ char *pwd, krb5_keyblock * key)
{
return krb5_db2_db_set_mkey(kcontext, key);
}
kdb5_dal_handle *dal_handle;
if (!k5db2_inited(kcontext))
- return KRB5_KDB_DBNOTINITED;
+ return KRB5_KDB_DBNOTINITED;
dal_handle = kcontext->dal_handle;
db_ctx = (krb5_db2_context *) dal_handle->db_context;
switch (option) {
case KRB5_KDB_OPT_SET_DB_NAME:
- status = krb5_db2_db_set_name(kcontext, (char *) value, db_ctx->tempdb);
- break;
+ status = krb5_db2_db_set_name(kcontext, (char *) value, db_ctx->tempdb);
+ break;
case KRB5_KDB_OPT_SET_LOCK_MODE:
- oldval = krb5_db2_db_set_lockmode(kcontext, *((krb5_boolean *) value));
- *((krb5_boolean *) value) = oldval;
- break;
+ oldval = krb5_db2_db_set_lockmode(kcontext, *((krb5_boolean *) value));
+ *((krb5_boolean *) value) = oldval;
+ break;
default:
- status = -1; /* TBD */
- break;
+ status = -1; /* TBD */
+ break;
}
return status;
krb5_error_code
krb5_db2_get_policy(krb5_context kcontext,
- char *name, osa_policy_ent_t * policy, int *cnt)
+ char *name, osa_policy_ent_t * policy, int *cnt)
{
kdb5_dal_handle *dal_handle;
krb5_db2_context *dbc;
krb5_error_code
krb5_db2_iter_policy(krb5_context kcontext,
- char *match_entry,
- osa_adb_iter_policy_func func, void *data)
+ char *match_entry,
+ osa_adb_iter_policy_func func, void *data)
{
kdb5_dal_handle *dal_handle;
krb5_db2_context *dbc;
krb5_clear_error_message (kcontext);
{
- kdb5_dal_handle *dal_handle = kcontext->dal_handle;
- krb5_db2_context *db_ctx = dal_handle->db_context;
- db_name = strdup(db_ctx->db_name);
- if (db_name == NULL) {
- status = ENOMEM;
- goto clean_n_exit;
- }
+ kdb5_dal_handle *dal_handle = kcontext->dal_handle;
+ krb5_db2_context *db_ctx = dal_handle->db_context;
+ db_name = strdup(db_ctx->db_name);
+ if (db_name == NULL) {
+ status = ENOMEM;
+ goto clean_n_exit;
+ }
}
assert(kcontext->dal_handle != NULL);
temp_db_name = gen_dbsuffix(db_name, "~");
if (temp_db_name == NULL) {
- status = ENOMEM;
- goto clean_n_exit;
+ status = ENOMEM;
+ goto clean_n_exit;
}
for (db_argp = db_args; *db_argp; db_argp++) {
- if (!strcmp(*db_argp, "merge_nra")) {
- merge_nra++;
- break;
- }
+ if (!strcmp(*db_argp, "merge_nra")) {
+ merge_nra++;
+ break;
+ }
}
status = krb5_db2_db_rename (kcontext, temp_db_name, db_name, merge_nra);
if (status)
- goto clean_n_exit;
+ goto clean_n_exit;
clean_n_exit:
if (db_name)
- free(db_name);
+ free(db_name);
if (temp_db_name)
- free(temp_db_name);
+ free(temp_db_name);
return status;
}
*/
static krb5_error_code
krb5_db2_merge_principal(krb5_context kcontext,
- krb5_db_entry *src,
- krb5_db_entry *dst,
- int *changed)
+ krb5_db_entry *src,
+ krb5_db_entry *dst,
+ int *changed)
{
*changed = 0;
if (dst->last_success != src->last_success) {
- dst->last_success = src->last_success;
- (*changed)++;
+ dst->last_success = src->last_success;
+ (*changed)++;
}
if (dst->last_failed != src->last_failed) {
- dst->last_failed = src->last_failed;
- (*changed)++;
+ dst->last_failed = src->last_failed;
+ (*changed)++;
}
if (dst->fail_auth_count != src->fail_auth_count) {
- dst->fail_auth_count = src->fail_auth_count;
- (*changed)++;
+ dst->fail_auth_count = src->fail_auth_count;
+ (*changed)++;
}
return 0;
/* look up the new principal in the old DB */
retval = krb5_db2_db_get_principal(nra->kcontext,
- entry->princ,
- &s_entry,
- &n_entries,
- &more);
+ entry->princ,
+ &s_entry,
+ &n_entries,
+ &more);
if (retval != 0 || n_entries == 0) {
- /* principal may be newly created, so ignore */
- dal_handle->db_context = dst_db;
- return 0;
+ /* principal may be newly created, so ignore */
+ dal_handle->db_context = dst_db;
+ return 0;
}
/* merge non-replicated attributes from the old entry in */
/* if necessary, commit the modified new entry to the new DB */
if (changed) {
- retval = krb5_db2_db_put_principal(nra->kcontext,
- entry,
- &n_entries,
- NULL);
+ retval = krb5_db2_db_put_principal(nra->kcontext,
+ entry,
+ &n_entries,
+ NULL);
} else {
- retval = 0;
+ retval = 0;
}
return retval;
*/
static krb5_error_code
krb5_db2_begin_nra_merge(krb5_context kcontext,
- krb5_db2_context *src_db,
- krb5_db2_context *dst_db)
+ krb5_db2_context *src_db,
+ krb5_db2_context *dst_db)
{
krb5_error_code retval;
kdb5_dal_handle *dal_handle = kcontext->dal_handle;
retval = krb5_db2_db_lock(kcontext, KRB5_LOCKMODE_EXCLUSIVE);
if (retval) {
- dal_handle->db_context = dst_db;
- return retval;
+ dal_handle->db_context = dst_db;
+ return retval;
}
retval = krb5_db2_db_iterate_ext(kcontext,
- krb5_db2_merge_nra_iterator,
- &nra,
- 0,
- 0);
+ krb5_db2_merge_nra_iterator,
+ &nra,
+ 0,
+ 0);
if (retval != 0)
- (void) krb5_db2_db_unlock(kcontext);
+ (void) krb5_db2_db_unlock(kcontext);
dal_handle->db_context = dst_db;
*/
static krb5_error_code
krb5_db2_end_nra_merge(krb5_context kcontext,
- krb5_db2_context *src_db,
- krb5_db2_context *dst_db)
+ krb5_db2_context *src_db,
+ krb5_db2_context *dst_db)
{
krb5_error_code retval;
kdb5_dal_handle *dal_handle = kcontext->dal_handle;
s_context = dal_handle->db_context;
dal_handle->db_context = NULL;
if ((retval = k5db2_init_context(context)))
- return retval;
+ return retval;
db_ctx = (krb5_db2_context *) dal_handle->db_context;
/*
*/
retval = krb5_db2_db_create(context, to, 0);
if (retval != 0 && retval != EEXIST)
- goto errout;
+ goto errout;
/*
* Set the database to the target, so that other processes sharing
*/
retval = krb5_db2_db_set_name(context, to, 0);
if (retval)
- goto errout;
+ goto errout;
retval = krb5_db2_db_init(context);
if (retval)
- goto errout;
+ goto errout;
db_ctx->db_lf_name = gen_dbsuffix(db_ctx->db_name, KDB2_LOCK_EXT);
if (db_ctx->db_lf_name == NULL) {
- retval = ENOMEM;
- goto errout;
+ retval = ENOMEM;
+ goto errout;
}
db_ctx->db_lf_file = open(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600);
if (db_ctx->db_lf_file < 0) {
- retval = errno;
- goto errout;
+ retval = errno;
+ goto errout;
}
set_cloexec_fd(db_ctx->db_lf_file);
retval = krb5_db2_db_get_age(context, NULL, &db_ctx->db_lf_time);
if (retval)
- goto errout;
+ goto errout;
fromok = gen_dbsuffix(from, KDB2_LOCK_EXT);
if (fromok == NULL) {
- retval = ENOMEM;
- goto errout;
+ retval = ENOMEM;
+ goto errout;
}
if ((retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_EXCLUSIVE)))
- goto errfromok;
+ goto errfromok;
if ((retval = krb5_db2_db_start_update(context)))
- goto errfromok;
+ goto errfromok;
if (merge_nra) {
- if ((retval = krb5_db2_begin_nra_merge(context, s_context, db_ctx)))
- goto errfromok;
+ if ((retval = krb5_db2_begin_nra_merge(context, s_context, db_ctx)))
+ goto errfromok;
}
if (rename(from, to)) {
- retval = errno;
- goto errfromok;
+ retval = errno;
+ goto errfromok;
}
if (unlink(fromok)) {
- retval = errno;
- goto errfromok;
+ retval = errno;
+ goto errfromok;
}
if (merge_nra) {
- krb5_db2_end_nra_merge(context, s_context, db_ctx);
+ krb5_db2_end_nra_merge(context, s_context, db_ctx);
}
retval = krb5_db2_db_end_update(context);
if (retval)
- goto errfromok;
+ goto errfromok;
{
- /* XXX moved so that NRA merge works */
- /* Ugly brute force hack.
-
- Should be going through nice friendly helper routines for
- this, but it's a mess of jumbled so-called interfaces right
- now. */
- char policy[2048], new_policy[2048];
- assert (strlen(db_ctx->db_name) < 2000);
- snprintf(policy, sizeof(policy), "%s.kadm5", db_ctx->db_name);
- snprintf(new_policy, sizeof(new_policy),
- "%s~.kadm5", db_ctx->db_name);
- if (0 != rename(new_policy, policy)) {
- retval = errno;
- goto errfromok;
- }
- strlcat(new_policy, ".lock",sizeof(new_policy));
- (void) unlink(new_policy);
+ /* XXX moved so that NRA merge works */
+ /* Ugly brute force hack.
+
+ Should be going through nice friendly helper routines for
+ this, but it's a mess of jumbled so-called interfaces right
+ now. */
+ char policy[2048], new_policy[2048];
+ assert (strlen(db_ctx->db_name) < 2000);
+ snprintf(policy, sizeof(policy), "%s.kadm5", db_ctx->db_name);
+ snprintf(new_policy, sizeof(new_policy),
+ "%s~.kadm5", db_ctx->db_name);
+ if (0 != rename(new_policy, policy)) {
+ retval = errno;
+ goto errfromok;
+ }
+ strlcat(new_policy, ".lock",sizeof(new_policy));
+ (void) unlink(new_policy);
}
errfromok:
free_dbsuffix(fromok);
errout:
if (dal_handle->db_context) {
- if (db_ctx->db_lf_file >= 0) {
- krb5_db2_db_unlock(context);
- close(db_ctx->db_lf_file);
- }
- k5db2_clear_context((krb5_db2_context *) dal_handle->db_context);
- free(dal_handle->db_context);
+ if (db_ctx->db_lf_file >= 0) {
+ krb5_db2_db_unlock(context);
+ close(db_ctx->db_lf_file);
+ }
+ k5db2_clear_context((krb5_db2_context *) dal_handle->db_context);
+ free(dal_handle->db_context);
}
dal_handle->db_context = s_context;
- (void) krb5_db2_db_unlock(context); /* unlock saved context db */
+ (void) krb5_db2_db_unlock(context); /* unlock saved context db */
return retval;
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_db2.h
*
typedef struct _krb5_db2_context {
krb5_boolean db_inited; /* Context initialized */
char * db_name; /* Name of database */
- DB * db; /* DB handle */
- krb5_boolean hashfirst; /* Try hash database type first */
+ DB * db; /* DB handle */
+ krb5_boolean hashfirst; /* Try hash database type first */
char * db_lf_name; /* Name of lock file */
int db_lf_file; /* File descriptor of lock file */
time_t db_lf_time; /* Time last updated */
#define KDB2_LOCK_EXT ".ok"
#define KDB2_TEMP_LOCK_EXT "~.ok"
-krb5_error_code krb5_db2_db_init
- (krb5_context);
-krb5_error_code krb5_db2_db_fini
- (krb5_context);
-krb5_error_code krb5_db2_db_get_age
- (krb5_context,
- char *,
- time_t * );
-krb5_error_code krb5_db2_db_create
- (krb5_context,
- char *,
- krb5_int32);
-krb5_error_code krb5_db2_db_destroy
- (krb5_context,
- char * );
-krb5_error_code krb5_db2_db_rename
- (krb5_context,
- char *,
- char *,
- int );
-krb5_error_code krb5_db2_db_get_principal
- (krb5_context,
- krb5_const_principal,
- krb5_db_entry *,
- int *,
- krb5_boolean * );
-krb5_error_code krb5_db2_db_free_principal
- (krb5_context,
- krb5_db_entry *,
- int );
-krb5_error_code krb5_db2_db_put_principal
- (krb5_context,
- krb5_db_entry *,
- int *,
- char **db_args
- );
-krb5_error_code krb5_db2_db_iterate_ext
- (krb5_context,
- krb5_error_code (*) (krb5_pointer,
- krb5_db_entry *),
- krb5_pointer, int, int );
-krb5_error_code krb5_db2_db_iterate
-(krb5_context,char *,
- krb5_error_code (*) (krb5_pointer,
- krb5_db_entry *),
- krb5_pointer );
-krb5_error_code krb5_db2_db_set_nonblocking
- (krb5_context,
- krb5_boolean,
- krb5_boolean * );
-krb5_boolean krb5_db2_db_set_lockmode
- (krb5_context,
- krb5_boolean );
-krb5_error_code krb5_db2_db_open_database
- (krb5_context);
-krb5_error_code krb5_db2_db_close_database
- (krb5_context);
+krb5_error_code krb5_db2_db_init(krb5_context);
+krb5_error_code krb5_db2_db_fini(krb5_context);
+krb5_error_code krb5_db2_db_get_age(krb5_context, char *, time_t *);
+krb5_error_code krb5_db2_db_create(krb5_context, char *, krb5_int32);
+krb5_error_code krb5_db2_db_destroy(krb5_context, char *);
+krb5_error_code krb5_db2_db_rename(krb5_context, char *, char *, int );
+krb5_error_code krb5_db2_db_get_principal(krb5_context, krb5_const_principal,
+ krb5_db_entry *, int *,
+ krb5_boolean *);
+krb5_error_code krb5_db2_db_free_principal(krb5_context, krb5_db_entry *, int);
+krb5_error_code krb5_db2_db_put_principal(krb5_context, krb5_db_entry *,
+ int *, char **db_args);
+krb5_error_code krb5_db2_db_iterate_ext(krb5_context,
+ krb5_error_code (*)(krb5_pointer,
+ krb5_db_entry *),
+ krb5_pointer, int, int);
+krb5_error_code krb5_db2_db_iterate(krb5_context, char *,
+ krb5_error_code (*)(krb5_pointer,
+ krb5_db_entry *),
+ krb5_pointer);
+krb5_error_code krb5_db2_db_set_nonblocking(krb5_context, krb5_boolean,
+ krb5_boolean *);
+krb5_boolean krb5_db2_db_set_lockmode(krb5_context, krb5_boolean);
+krb5_error_code krb5_db2_db_open_database(krb5_context);
+krb5_error_code krb5_db2_db_close_database(krb5_context);
krb5_error_code
-krb5_db2_set_master_key_ext ( krb5_context kcontext,
- char *pwd,
- krb5_keyblock *key);
+krb5_db2_set_master_key_ext(krb5_context kcontext, char *pwd,
+ krb5_keyblock *key);
krb5_error_code
-krb5_db2_db_set_mkey( krb5_context context,
- krb5_keyblock *key);
+krb5_db2_db_set_mkey(krb5_context context, krb5_keyblock *key);
krb5_error_code
-krb5_db2_db_get_mkey( krb5_context context,
- krb5_keyblock **key);
+krb5_db2_db_get_mkey(krb5_context context, krb5_keyblock **key);
+
krb5_error_code
-krb5_db2_db_set_mkey_list( krb5_context context,
- krb5_keylist_node *keylist);
+krb5_db2_db_set_mkey_list(krb5_context context, krb5_keylist_node *keylist);
krb5_error_code
-krb5_db2_db_get_mkey_list( krb5_context context,
- krb5_keylist_node **keylist);
+krb5_db2_db_get_mkey_list(krb5_context context, krb5_keylist_node **keylist);
krb5_error_code
-krb5_db2_db_put_principal( krb5_context context,
- krb5_db_entry *entries,
- register int *nentries,
- char **db_args);
+krb5_db2_db_put_principal(krb5_context context, krb5_db_entry *entries,
+ register int *nentries, char **db_args);
krb5_error_code
krb5_db2_db_delete_principal(krb5_context context,
- krb5_const_principal searchfor,
- int *nentries);
+ krb5_const_principal searchfor, int *nentries);
krb5_error_code krb5_db2_lib_init(void);
-
krb5_error_code krb5_db2_lib_cleanup(void);
+krb5_error_code krb5_db2_db_unlock(krb5_context);
krb5_error_code
-krb5_db2_db_unlock(krb5_context);
+krb5_db2_promote_db(krb5_context kcontext, char *conf_section, char **db_args);
krb5_error_code
-krb5_db2_promote_db(krb5_context kcontext,
- char *conf_section,
- char **db_args);
+krb5_db2_db_set_option(krb5_context kcontext, int option, void *value );
krb5_error_code
-krb5_db2_db_set_option ( krb5_context kcontext,
- int option,
- void *value );
-
-krb5_error_code
-krb5_db2_db_lock( krb5_context context,
- int in_mode);
-
+krb5_db2_db_lock(krb5_context context, int in_mode);
krb5_error_code
-krb5_db2_open( krb5_context kcontext,
- char *conf_section,
- char **db_args,
- int mode );
-
-krb5_error_code krb5_db2_create( krb5_context kcontext,
- char *conf_section,
- char **db_args );
-
-krb5_error_code krb5_db2_destroy( krb5_context kcontext,
- char *conf_section,
- char **db_args );
-
-const char * krb5_db2_err2str( krb5_context kcontext,
- long err_code );
-
-void *
-krb5_db2_alloc( krb5_context kcontext,
- void *ptr,
- size_t size );
-
-void
-krb5_db2_free( krb5_context kcontext,
- void *ptr );
+krb5_db2_open(krb5_context kcontext, char *conf_section, char **db_args,
+ int mode);
+krb5_error_code krb5_db2_create(krb5_context kcontext, char *conf_section,
+ char **db_args);
+krb5_error_code krb5_db2_destroy(krb5_context kcontext, char *conf_section,
+ char **db_args);
+const char *krb5_db2_err2str(krb5_context kcontext, long err_code);
+void *krb5_db2_alloc(krb5_context kcontext, void *ptr, size_t size);
+void krb5_db2_free(krb5_context kcontext, void *ptr);
/* policy management functions */
krb5_error_code
krb5_db2_create_policy(krb5_context context, osa_policy_ent_t entry);
-krb5_error_code krb5_db2_get_policy ( krb5_context kcontext,
- char *name,
- osa_policy_ent_t *policy,
- int *cnt);
+krb5_error_code krb5_db2_get_policy(krb5_context kcontext,
+ char *name, osa_policy_ent_t *policy,
+ int *cnt);
-krb5_error_code krb5_db2_put_policy ( krb5_context kcontext,
- osa_policy_ent_t policy );
+krb5_error_code krb5_db2_put_policy(krb5_context kcontext,
+ osa_policy_ent_t policy);
-krb5_error_code krb5_db2_iter_policy ( krb5_context kcontext,
- char *match_entry,
- osa_adb_iter_policy_func func,
- void *data );
+krb5_error_code krb5_db2_iter_policy(krb5_context kcontext, char *match_entry,
+ osa_adb_iter_policy_func func,
+ void *data);
-krb5_error_code krb5_db2_delete_policy ( krb5_context kcontext,
- char *policy );
+krb5_error_code krb5_db2_delete_policy(krb5_context kcontext, char *policy);
-void krb5_db2_free_policy( krb5_context kcontext,
- osa_policy_ent_t entry );
+void krb5_db2_free_policy(krb5_context kcontext, osa_policy_ent_t entry);
/* Thread-safety wrapper slapped on top of original implementation. */
extern k5_mutex_t *krb5_db2_mutex;
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* plugins/kdb/db2/kdb_ext.c
*
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_xdr.c
*
#include "kdb_xdr.h"
krb5_error_code
-krb5_encode_princ_dbkey(context, key, principal)
- krb5_context context;
- krb5_data *key;
- krb5_const_principal principal;
+krb5_encode_princ_dbkey(krb5_context context, krb5_data *key,
+ krb5_const_principal principal)
{
char *princ_name;
krb5_error_code retval;
}
void
-krb5_free_princ_dbkey(context, key)
- krb5_context context;
- krb5_data *key;
+krb5_free_princ_dbkey(krb5_context context, krb5_data *key)
{
(void) krb5_free_data_contents(context, key);
}
krb5_error_code
-krb5_encode_princ_contents(context, content, entry)
- krb5_context context;
- krb5_data * content;
- krb5_db_entry * entry;
+krb5_encode_princ_contents(krb5_context context, krb5_data *content,
+ krb5_db_entry *entry)
{
- int i, j;
- unsigned int unparse_princ_size;
- char * unparse_princ;
- unsigned char * nextloc;
- krb5_tl_data * tl_data;
- krb5_error_code retval;
- krb5_int16 psize16;
+ int i, j;
+ unsigned int unparse_princ_size;
+ char * unparse_princ;
+ unsigned char * nextloc;
+ krb5_tl_data * tl_data;
+ krb5_error_code retval;
+ krb5_int16 psize16;
/*
* Generate one lump of data from the krb5_db_entry.
* Need 2 bytes for the length of the base structure
* then 36 [ 8 * 4 + 2 * 2] bytes for the base information
* [ attributes, max_life, max_renewable_life, expiration,
- * pw_expiration, last_success, last_failed, fail_auth_count ]
+ * pw_expiration, last_success, last_failed, fail_auth_count ]
* [ n_key_data, n_tl_data ]
* then XX bytes [ e_length ] for the extra data [ e_data ]
* then XX bytes [ 2 for length + length for string ] for the principal,
content->length = entry->len + entry->e_length;
if ((retval = krb5_unparse_name(context, entry->princ, &unparse_princ)))
- return(retval);
+ return(retval);
unparse_princ_size = strlen(unparse_princ) + 1;
content->length += unparse_princ_size;
i = 0;
/* tl_data is a linked list */
for (tl_data = entry->tl_data; tl_data; tl_data = tl_data->tl_data_next) {
- content->length += tl_data->tl_data_length;
- content->length += 4; /* type, length */
- i++;
+ content->length += tl_data->tl_data_length;
+ content->length += 4; /* type, length */
+ i++;
}
if (i != entry->n_tl_data) {
- retval = KRB5_KDB_TRUNCATED_RECORD;
- goto epc_error;
+ retval = KRB5_KDB_TRUNCATED_RECORD;
+ goto epc_error;
}
/* key_data is an array */
for (i = 0; i < entry->n_key_data; i++) {
- content->length += 4; /* Version, KVNO */
- for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
- content->length += entry->key_data[i].key_data_length[j];
- content->length += 4; /* type + length */
- }
+ content->length += 4; /* Version, KVNO */
+ for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
+ content->length += entry->key_data[i].key_data_length[j];
+ content->length += 4; /* type + length */
+ }
}
if ((content->data = malloc(content->length)) == NULL) {
- retval = ENOMEM;
- goto epc_error;
+ retval = ENOMEM;
+ goto epc_error;
}
/*
*/
nextloc = (unsigned char *)content->data;
- /* Base Length */
+ /* Base Length */
krb5_kdb_encode_int16(entry->len, nextloc);
nextloc += 2;
- /* Attributes */
+ /* Attributes */
krb5_kdb_encode_int32(entry->attributes, nextloc);
nextloc += 4;
- /* Max Life */
+ /* Max Life */
krb5_kdb_encode_int32(entry->max_life, nextloc);
nextloc += 4;
- /* Max Renewable Life */
+ /* Max Renewable Life */
krb5_kdb_encode_int32(entry->max_renewable_life, nextloc);
nextloc += 4;
- /* When the client expires */
+ /* When the client expires */
krb5_kdb_encode_int32(entry->expiration, nextloc);
nextloc += 4;
- /* When its passwd expires */
+ /* When its passwd expires */
krb5_kdb_encode_int32(entry->pw_expiration, nextloc);
nextloc += 4;
- /* Last successful passwd */
+ /* Last successful passwd */
krb5_kdb_encode_int32(entry->last_success, nextloc);
nextloc += 4;
- /* Last failed passwd attempt */
+ /* Last failed passwd attempt */
krb5_kdb_encode_int32(entry->last_failed, nextloc);
nextloc += 4;
- /* # of failed passwd attempt */
+ /* # of failed passwd attempt */
krb5_kdb_encode_int32(entry->fail_auth_count, nextloc);
nextloc += 4;
- /* # tl_data strutures */
+ /* # tl_data strutures */
krb5_kdb_encode_int16(entry->n_tl_data, nextloc);
nextloc += 2;
- /* # key_data strutures */
+ /* # key_data strutures */
krb5_kdb_encode_int16(entry->n_key_data, nextloc);
nextloc += 2;
- /* Put extended fields here */
+ /* Put extended fields here */
if (entry->len != KRB5_KDB_V1_BASE_LENGTH)
- abort();
+ abort();
- /* Any extra data that this version doesn't understand. */
+ /* Any extra data that this version doesn't understand. */
if (entry->e_length) {
- memcpy(nextloc, entry->e_data, entry->e_length);
- nextloc += entry->e_length;
+ memcpy(nextloc, entry->e_data, entry->e_length);
+ nextloc += entry->e_length;
}
- /*
- * Now we get to the principal.
- * To squeze a few extra bytes out it is always assumed to come
- * after the base type.
- */
+ /*
+ * Now we get to the principal.
+ * To squeze a few extra bytes out it is always assumed to come
+ * after the base type.
+ */
psize16 = (krb5_int16) unparse_princ_size;
krb5_kdb_encode_int16(psize16, nextloc);
nextloc += 2;
(void) memcpy(nextloc, unparse_princ, unparse_princ_size);
nextloc += unparse_princ_size;
- /* tl_data is a linked list, of type, legth, contents */
+ /* tl_data is a linked list, of type, legth, contents */
for (tl_data = entry->tl_data; tl_data; tl_data = tl_data->tl_data_next) {
- krb5_kdb_encode_int16(tl_data->tl_data_type, nextloc);
- nextloc += 2;
- krb5_kdb_encode_int16(tl_data->tl_data_length, nextloc);
- nextloc += 2;
+ krb5_kdb_encode_int16(tl_data->tl_data_type, nextloc);
+ nextloc += 2;
+ krb5_kdb_encode_int16(tl_data->tl_data_length, nextloc);
+ nextloc += 2;
- memcpy(nextloc, tl_data->tl_data_contents, tl_data->tl_data_length);
- nextloc += tl_data->tl_data_length;
+ memcpy(nextloc, tl_data->tl_data_contents, tl_data->tl_data_length);
+ nextloc += tl_data->tl_data_length;
}
- /* key_data is an array */
+ /* key_data is an array */
for (i = 0; i < entry->n_key_data; i++) {
- krb5_kdb_encode_int16(entry->key_data[i].key_data_ver, nextloc);
- nextloc += 2;
- krb5_kdb_encode_int16(entry->key_data[i].key_data_kvno, nextloc);
- nextloc += 2;
-
- for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
- krb5_int16 type = entry->key_data[i].key_data_type[j];
- krb5_ui_2 length = entry->key_data[i].key_data_length[j];
-
- krb5_kdb_encode_int16(type, nextloc);
- nextloc += 2;
- krb5_kdb_encode_int16(length, nextloc);
- nextloc += 2;
-
- if (length) {
- memcpy(nextloc, entry->key_data[i].key_data_contents[j],length);
- nextloc += length;
- }
- }
+ krb5_kdb_encode_int16(entry->key_data[i].key_data_ver, nextloc);
+ nextloc += 2;
+ krb5_kdb_encode_int16(entry->key_data[i].key_data_kvno, nextloc);
+ nextloc += 2;
+
+ for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
+ krb5_int16 type = entry->key_data[i].key_data_type[j];
+ krb5_ui_2 length = entry->key_data[i].key_data_length[j];
+
+ krb5_kdb_encode_int16(type, nextloc);
+ nextloc += 2;
+ krb5_kdb_encode_int16(length, nextloc);
+ nextloc += 2;
+
+ if (length) {
+ memcpy(nextloc, entry->key_data[i].key_data_contents[j],length);
+ nextloc += length;
+ }
+ }
}
epc_error:;
}
void
-krb5_free_princ_contents(context, contents)
- krb5_context context;
- krb5_data *contents;
+krb5_free_princ_contents(krb5_context context, krb5_data *contents)
{
krb5_free_data_contents(context, contents);
return;
}
krb5_error_code
-krb5_decode_princ_contents(context, content, entry)
- krb5_context context;
- krb5_data * content;
- krb5_db_entry * entry;
+krb5_decode_princ_contents(krb5_context context, krb5_data *content,
+ krb5_db_entry *entry)
{
- int sizeleft, i;
- unsigned char * nextloc;
+ int sizeleft, i;
+ unsigned char * nextloc;
krb5_tl_data ** tl_data;
- krb5_int16 i16;
+ krb5_int16 i16;
krb5_error_code retval;
nextloc = (unsigned char *)content->data;
sizeleft = content->length;
if ((sizeleft -= KRB5_KDB_V1_BASE_LENGTH) < 0)
- return KRB5_KDB_TRUNCATED_RECORD;
+ return KRB5_KDB_TRUNCATED_RECORD;
- /* Base Length */
+ /* Base Length */
krb5_kdb_decode_int16(nextloc, entry->len);
nextloc += 2;
- /* Attributes */
+ /* Attributes */
krb5_kdb_decode_int32(nextloc, entry->attributes);
nextloc += 4;
- /* Max Life */
+ /* Max Life */
krb5_kdb_decode_int32(nextloc, entry->max_life);
nextloc += 4;
- /* Max Renewable Life */
+ /* Max Renewable Life */
krb5_kdb_decode_int32(nextloc, entry->max_renewable_life);
nextloc += 4;
- /* When the client expires */
+ /* When the client expires */
krb5_kdb_decode_int32(nextloc, entry->expiration);
nextloc += 4;
- /* When its passwd expires */
+ /* When its passwd expires */
krb5_kdb_decode_int32(nextloc, entry->pw_expiration);
nextloc += 4;
- /* Last successful passwd */
+ /* Last successful passwd */
krb5_kdb_decode_int32(nextloc, entry->last_success);
nextloc += 4;
- /* Last failed passwd attempt */
+ /* Last failed passwd attempt */
krb5_kdb_decode_int32(nextloc, entry->last_failed);
nextloc += 4;
- /* # of failed passwd attempt */
+ /* # of failed passwd attempt */
krb5_kdb_decode_int32(nextloc, entry->fail_auth_count);
nextloc += 4;
- /* # tl_data strutures */
+ /* # tl_data strutures */
krb5_kdb_decode_int16(nextloc, entry->n_tl_data);
nextloc += 2;
if (entry->n_tl_data < 0)
- return KRB5_KDB_TRUNCATED_RECORD;
+ return KRB5_KDB_TRUNCATED_RECORD;
- /* # key_data strutures */
+ /* # key_data strutures */
krb5_kdb_decode_int16(nextloc, entry->n_key_data);
nextloc += 2;
if (entry->n_key_data < 0)
- return KRB5_KDB_TRUNCATED_RECORD;
+ return KRB5_KDB_TRUNCATED_RECORD;
- /* Check for extra data */
+ /* Check for extra data */
if (entry->len > KRB5_KDB_V1_BASE_LENGTH) {
- entry->e_length = entry->len - KRB5_KDB_V1_BASE_LENGTH;
- if ((entry->e_data = (krb5_octet *)malloc(entry->e_length))) {
- memcpy(entry->e_data, nextloc, entry->e_length);
- nextloc += entry->e_length;
- } else {
- return ENOMEM;
- }
+ entry->e_length = entry->len - KRB5_KDB_V1_BASE_LENGTH;
+ if ((entry->e_data = (krb5_octet *)malloc(entry->e_length))) {
+ memcpy(entry->e_data, nextloc, entry->e_length);
+ nextloc += entry->e_length;
+ } else {
+ return ENOMEM;
+ }
}
/*
* (stored as a string which gets unparsed.)
*/
if ((sizeleft -= 2) < 0) {
- retval = KRB5_KDB_TRUNCATED_RECORD;
- goto error_out;
+ retval = KRB5_KDB_TRUNCATED_RECORD;
+ goto error_out;
}
i = 0;
nextloc += 2;
if ((retval = krb5_parse_name(context, (char *)nextloc, &(entry->princ))))
- goto error_out;
+ goto error_out;
if (((size_t) i != (strlen((char *)nextloc) + 1)) || (sizeleft < i)) {
- retval = KRB5_KDB_TRUNCATED_RECORD;
- goto error_out;
+ retval = KRB5_KDB_TRUNCATED_RECORD;
+ goto error_out;
}
sizeleft -= i;
nextloc += i;
- /* tl_data is a linked list */
+ /* tl_data is a linked list */
tl_data = &entry->tl_data;
for (i = 0; i < entry->n_tl_data; i++) {
- if ((sizeleft -= 4) < 0) {
- retval = KRB5_KDB_TRUNCATED_RECORD;
- goto error_out;
- }
- if ((*tl_data = (krb5_tl_data *)
- malloc(sizeof(krb5_tl_data))) == NULL) {
- retval = ENOMEM;
- goto error_out;
- }
- (*tl_data)->tl_data_next = NULL;
- (*tl_data)->tl_data_contents = NULL;
- krb5_kdb_decode_int16(nextloc, (*tl_data)->tl_data_type);
- nextloc += 2;
- krb5_kdb_decode_int16(nextloc, (*tl_data)->tl_data_length);
- nextloc += 2;
-
- if ((sizeleft -= (*tl_data)->tl_data_length) < 0) {
- retval = KRB5_KDB_TRUNCATED_RECORD;
- goto error_out;
- }
- if (((*tl_data)->tl_data_contents = (krb5_octet *)
- malloc((*tl_data)->tl_data_length)) == NULL) {
- retval = ENOMEM;
- goto error_out;
- }
- memcpy((*tl_data)->tl_data_contents,nextloc,(*tl_data)->tl_data_length);
- nextloc += (*tl_data)->tl_data_length;
- tl_data = &((*tl_data)->tl_data_next);
+ if ((sizeleft -= 4) < 0) {
+ retval = KRB5_KDB_TRUNCATED_RECORD;
+ goto error_out;
+ }
+ if ((*tl_data = (krb5_tl_data *)
+ malloc(sizeof(krb5_tl_data))) == NULL) {
+ retval = ENOMEM;
+ goto error_out;
+ }
+ (*tl_data)->tl_data_next = NULL;
+ (*tl_data)->tl_data_contents = NULL;
+ krb5_kdb_decode_int16(nextloc, (*tl_data)->tl_data_type);
+ nextloc += 2;
+ krb5_kdb_decode_int16(nextloc, (*tl_data)->tl_data_length);
+ nextloc += 2;
+
+ if ((sizeleft -= (*tl_data)->tl_data_length) < 0) {
+ retval = KRB5_KDB_TRUNCATED_RECORD;
+ goto error_out;
+ }
+ if (((*tl_data)->tl_data_contents = (krb5_octet *)
+ malloc((*tl_data)->tl_data_length)) == NULL) {
+ retval = ENOMEM;
+ goto error_out;
+ }
+ memcpy((*tl_data)->tl_data_contents,nextloc,(*tl_data)->tl_data_length);
+ nextloc += (*tl_data)->tl_data_length;
+ tl_data = &((*tl_data)->tl_data_next);
}
- /* key_data is an array */
+ /* key_data is an array */
if (entry->n_key_data && ((entry->key_data = (krb5_key_data *)
- malloc(sizeof(krb5_key_data) * entry->n_key_data)) == NULL)) {
+ malloc(sizeof(krb5_key_data) * entry->n_key_data)) == NULL)) {
retval = ENOMEM;
- goto error_out;
+ goto error_out;
}
for (i = 0; i < entry->n_key_data; i++) {
- krb5_key_data * key_data;
+ krb5_key_data * key_data;
int j;
- if ((sizeleft -= 4) < 0) {
- retval = KRB5_KDB_TRUNCATED_RECORD;
- goto error_out;
- }
- key_data = entry->key_data + i;
- memset(key_data, 0, sizeof(krb5_key_data));
- krb5_kdb_decode_int16(nextloc, key_data->key_data_ver);
- nextloc += 2;
- krb5_kdb_decode_int16(nextloc, key_data->key_data_kvno);
- nextloc += 2;
-
- /* key_data_ver determins number of elements and how to unparse them. */
- if (key_data->key_data_ver <= KRB5_KDB_V1_KEY_DATA_ARRAY) {
- for (j = 0; j < key_data->key_data_ver; j++) {
- if ((sizeleft -= 4) < 0) {
- retval = KRB5_KDB_TRUNCATED_RECORD;
- goto error_out;
- }
- krb5_kdb_decode_int16(nextloc, key_data->key_data_type[j]);
- nextloc += 2;
- krb5_kdb_decode_int16(nextloc, key_data->key_data_length[j]);
- nextloc += 2;
-
- if ((sizeleft -= key_data->key_data_length[j]) < 0) {
- retval = KRB5_KDB_TRUNCATED_RECORD;
- goto error_out;
- }
- if (key_data->key_data_length[j]) {
- if ((key_data->key_data_contents[j] = (krb5_octet *)
- malloc(key_data->key_data_length[j])) == NULL) {
- retval = ENOMEM;
- goto error_out;
- }
- memcpy(key_data->key_data_contents[j], nextloc,
- key_data->key_data_length[j]);
- nextloc += key_data->key_data_length[j];
- }
- }
- } else {
- /* This isn't right. I'll fix it later */
- abort();
- }
+ if ((sizeleft -= 4) < 0) {
+ retval = KRB5_KDB_TRUNCATED_RECORD;
+ goto error_out;
+ }
+ key_data = entry->key_data + i;
+ memset(key_data, 0, sizeof(krb5_key_data));
+ krb5_kdb_decode_int16(nextloc, key_data->key_data_ver);
+ nextloc += 2;
+ krb5_kdb_decode_int16(nextloc, key_data->key_data_kvno);
+ nextloc += 2;
+
+ /* key_data_ver determins number of elements and how to unparse them. */
+ if (key_data->key_data_ver <= KRB5_KDB_V1_KEY_DATA_ARRAY) {
+ for (j = 0; j < key_data->key_data_ver; j++) {
+ if ((sizeleft -= 4) < 0) {
+ retval = KRB5_KDB_TRUNCATED_RECORD;
+ goto error_out;
+ }
+ krb5_kdb_decode_int16(nextloc, key_data->key_data_type[j]);
+ nextloc += 2;
+ krb5_kdb_decode_int16(nextloc, key_data->key_data_length[j]);
+ nextloc += 2;
+
+ if ((sizeleft -= key_data->key_data_length[j]) < 0) {
+ retval = KRB5_KDB_TRUNCATED_RECORD;
+ goto error_out;
+ }
+ if (key_data->key_data_length[j]) {
+ if ((key_data->key_data_contents[j] = (krb5_octet *)
+ malloc(key_data->key_data_length[j])) == NULL) {
+ retval = ENOMEM;
+ goto error_out;
+ }
+ memcpy(key_data->key_data_contents[j], nextloc,
+ key_data->key_data_length[j]);
+ nextloc += key_data->key_data_length[j];
+ }
+ }
+ } else {
+ /* This isn't right. I'll fix it later */
+ abort();
+ }
}
return 0;
}
void
-krb5_dbe_free_contents(context, entry)
- krb5_context context;
- krb5_db_entry * entry;
+krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry)
{
- krb5_tl_data * tl_data_next;
- krb5_tl_data * tl_data;
+ krb5_tl_data * tl_data_next;
+ krb5_tl_data * tl_data;
int i, j;
if (entry->e_data)
- free(entry->e_data);
+ free(entry->e_data);
if (entry->princ)
- krb5_free_principal(context, entry->princ);
+ krb5_free_principal(context, entry->princ);
for (tl_data = entry->tl_data; tl_data; tl_data = tl_data_next) {
- tl_data_next = tl_data->tl_data_next;
- if (tl_data->tl_data_contents)
- free(tl_data->tl_data_contents);
- free(tl_data);
+ tl_data_next = tl_data->tl_data_next;
+ if (tl_data->tl_data_contents)
+ free(tl_data->tl_data_contents);
+ free(tl_data);
}
if (entry->key_data) {
- for (i = 0; i < entry->n_key_data; i++) {
- for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
- if (entry->key_data[i].key_data_length[j]) {
- if (entry->key_data[i].key_data_contents[j]) {
- memset(entry->key_data[i].key_data_contents[j],
- 0,
- (unsigned) entry->key_data[i].key_data_length[j]);
- free (entry->key_data[i].key_data_contents[j]);
- }
- }
- entry->key_data[i].key_data_contents[j] = NULL;
- entry->key_data[i].key_data_length[j] = 0;
- entry->key_data[i].key_data_type[j] = 0;
- }
- }
- free(entry->key_data);
+ for (i = 0; i < entry->n_key_data; i++) {
+ for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
+ if (entry->key_data[i].key_data_length[j]) {
+ if (entry->key_data[i].key_data_contents[j]) {
+ memset(entry->key_data[i].key_data_contents[j],
+ 0,
+ (unsigned) entry->key_data[i].key_data_length[j]);
+ free (entry->key_data[i].key_data_contents[j]);
+ }
+ }
+ entry->key_data[i].key_data_contents[j] = NULL;
+ entry->key_data[i].key_data_length[j] = 0;
+ entry->key_data[i].key_data_type[j] = 0;
+ }
+ }
+ free(entry->key_data);
}
memset(entry, 0, sizeof(*entry));
return;
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#ifndef _KDB2_XDR_H
#define _KDB2_XDR_H
#include "kdb.h"
krb5_error_code
-krb5_encode_princ_dbkey( krb5_context context,
- krb5_data *key,
- krb5_const_principal principal);
+krb5_encode_princ_dbkey(krb5_context context, krb5_data *key,
+ krb5_const_principal principal);
krb5_error_code
-krb5_decode_princ_contents( krb5_context context,
- krb5_data * content,
- krb5_db_entry * entry);
+krb5_decode_princ_contents(krb5_context context, krb5_data *content,
+ krb5_db_entry *entry);
void
-krb5_dbe_free_contents( krb5_context context,
- krb5_db_entry * entry);
+krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry);
krb5_error_code
-krb5_encode_princ_contents( krb5_context context,
- krb5_data * content,
- krb5_db_entry * entry);
-
+krb5_encode_princ_contents(krb5_context context, krb5_data *content,
+ krb5_db_entry *entry);
void
-krb5_free_princ_dbkey( krb5_context context,
- krb5_data *key);
+krb5_free_princ_dbkey(krb5_context context, krb5_data *key);
void
-krb5_free_princ_contents( krb5_context context,
- krb5_data *contents);
+krb5_free_princ_contents(krb5_context context, krb5_data *contents);
#endif
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* plugins/kdb/db2/lockout.c
*
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Data Types for policy and principal information that
* exists in the respective databases.
#include "adb_err.h"
#include <com_err.h>
-typedef long osa_adb_ret_t;
+typedef long osa_adb_ret_t;
-#define OSA_ADB_POLICY_DB_MAGIC 0x12345A00
+#define OSA_ADB_POLICY_DB_MAGIC 0x12345A00
-#define OSA_ADB_POLICY_VERSION_MASK 0x12345D00
-#define OSA_ADB_POLICY_VERSION_1 0x12345D01
-#define OSA_ADB_POLICY_VERSION_2 0x12345D02
+#define OSA_ADB_POLICY_VERSION_MASK 0x12345D00
+#define OSA_ADB_POLICY_VERSION_1 0x12345D01
+#define OSA_ADB_POLICY_VERSION_2 0x12345D02
typedef struct _osa_adb_db_lock_ent_t {
- FILE *lockfile;
- char *filename;
- int refcnt, lockmode, lockcnt;
- krb5_context context;
+ FILE *lockfile;
+ char *filename;
+ int refcnt, lockmode, lockcnt;
+ krb5_context context;
} osa_adb_lock_ent, *osa_adb_lock_t;
typedef struct _osa_adb_db_ent_t {
- int magic;
- DB *db;
- HASHINFO info;
- BTREEINFO btinfo;
- char *filename;
- osa_adb_lock_t lock;
- int opencnt;
+ int magic;
+ DB *db;
+ HASHINFO info;
+ BTREEINFO btinfo;
+ char *filename;
+ osa_adb_lock_t lock;
+ int opencnt;
} osa_adb_db_ent, *osa_adb_db_t, *osa_adb_princ_t, *osa_adb_policy_t;
/*
* Return Code (the rest are in adb_err.h)
*/
-#define OSA_ADB_OK 0
+#define OSA_ADB_OK 0
/*
* Functions
*/
-krb5_error_code osa_adb_create_db(char *filename, char *lockfile, int magic);
-krb5_error_code osa_adb_destroy_db(char *filename, char *lockfile, int magic);
-krb5_error_code osa_adb_rename_db(char *filefrom, char *lockfrom,
- char *fileto, char *lockto, int magic);
-krb5_error_code osa_adb_init_db(osa_adb_db_t *dbp, char *filename,
- char *lockfile, int magic);
-krb5_error_code osa_adb_fini_db(osa_adb_db_t db, int magic);
-krb5_error_code osa_adb_get_lock(osa_adb_db_t db, int mode);
-krb5_error_code osa_adb_release_lock(osa_adb_db_t db);
+krb5_error_code osa_adb_create_db(char *filename, char *lockfile, int magic);
+krb5_error_code osa_adb_destroy_db(char *filename, char *lockfile, int magic);
+krb5_error_code osa_adb_rename_db(char *filefrom, char *lockfrom,
+ char *fileto, char *lockto, int magic);
+krb5_error_code osa_adb_init_db(osa_adb_db_t *dbp, char *filename,
+ char *lockfile, int magic);
+krb5_error_code osa_adb_fini_db(osa_adb_db_t db, int magic);
+krb5_error_code osa_adb_get_lock(osa_adb_db_t db, int mode);
+krb5_error_code osa_adb_release_lock(osa_adb_db_t db);
krb5_error_code osa_adb_open_and_lock(osa_adb_princ_t db, int locktype);
krb5_error_code osa_adb_close_and_unlock(osa_adb_princ_t db);
-krb5_error_code osa_adb_close_policy(osa_adb_policy_t db);
-krb5_error_code osa_adb_create_policy(osa_adb_policy_t db,
- osa_policy_ent_t entry);
-krb5_error_code osa_adb_destroy_policy(osa_adb_policy_t db,
- char * name);
-krb5_error_code osa_adb_get_policy(osa_adb_policy_t db,
- char * name,
- osa_policy_ent_t *entry,
- int *cnt);
-krb5_error_code osa_adb_put_policy(osa_adb_policy_t db,
- osa_policy_ent_t entry);
-krb5_error_code osa_adb_iter_policy(osa_adb_policy_t db,
- osa_adb_iter_policy_func func,
- void * data);
-void osa_free_policy_ent(osa_policy_ent_t val);
-
-bool_t xdr_osa_policy_ent_rec(XDR *xdrs, osa_policy_ent_t objp);
+krb5_error_code osa_adb_close_policy(osa_adb_policy_t db);
+krb5_error_code osa_adb_create_policy(osa_adb_policy_t db,
+ osa_policy_ent_t entry);
+krb5_error_code osa_adb_destroy_policy(osa_adb_policy_t db,
+ char * name);
+krb5_error_code osa_adb_get_policy(osa_adb_policy_t db,
+ char * name,
+ osa_policy_ent_t *entry,
+ int *cnt);
+krb5_error_code osa_adb_put_policy(osa_adb_policy_t db,
+ osa_policy_ent_t entry);
+krb5_error_code osa_adb_iter_policy(osa_adb_policy_t db,
+ osa_adb_iter_policy_func func,
+ void * data);
+void osa_free_policy_ent(osa_policy_ent_t val);
+
+bool_t xdr_osa_policy_ent_rec(XDR *xdrs, osa_policy_ent_t objp);
#endif /* __ADB_H__ */
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* plugins/kdb/hdb/kdb_hdb.c
*
goto cleanup;
}
-#define GET_PLUGIN_FUNC(_lib, _sym, _member) do { \
- code = krb5int_get_plugin_func(kh->_lib, _sym, \
- (void (**)())&kh->_member, &errinfo); \
- if (code != 0) \
- goto cleanup; \
+#define GET_PLUGIN_FUNC(_lib, _sym, _member) do { \
+ code = krb5int_get_plugin_func(kh->_lib, _sym, \
+ (void (**)())&kh->_member, &errinfo); \
+ if (code != 0) \
+ goto cleanup; \
} while (0)
/* libkrb5 */
static krb5_error_code
kh_db_set_option(krb5_context context,
- int option,
- void *value)
+ int option,
+ void *value)
{
return KRB5_KDB_DBTYPE_NOSUP;
}
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* plugins/kdb/hdb/kdb_hdb.c
*
void *windc_ctx;
} kh_db_context;
-#define KH_DB_CONTEXT(_context) \
+#define KH_DB_CONTEXT(_context) \
((kh_db_context *)(_context)->dal_handle->db_context)
-#define KH_DB_ENTRY(_entry) \
+#define KH_DB_ENTRY(_entry) \
((hdb_entry_ex *)(_entry)->e_data)
/* kdb_hdb.c */
/* kdb_marshal.c */
-#define KH_MARSHAL_KEY(_kkey, _hkey) do { \
- (_hkey)->keytype = (_kkey)->enctype; \
- (_hkey)->keyvalue.data = (_kkey)->contents; \
- (_hkey)->keyvalue.length = (_kkey)->length; \
+#define KH_MARSHAL_KEY(_kkey, _hkey) do { \
+ (_hkey)->keytype = (_kkey)->enctype; \
+ (_hkey)->keyvalue.data = (_kkey)->contents; \
+ (_hkey)->keyvalue.length = (_kkey)->length; \
} while (0)
krb5_error_code
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* plugins/kdb/hdb/kdb_marshal.c
*
#if 0
static krb5_error_code
kh_marshal_octet_string(krb5_context context,
- const krb5_data *in_data,
- heim_octet_string *out_data)
+ const krb5_data *in_data,
+ heim_octet_string *out_data)
{
out_data->data = malloc(in_data->length);
if (out_data->data == NULL)
}
for (i = 0; i < kprinc->length; i++) {
code = kh_marshal_general_string(context, &kprinc->data[i],
- &hprinc->name.name_string.val[i]);
+ &hprinc->name.name_string.val[i]);
if (code != 0) {
kh_free_Principal(context, hprinc);
return code;
code = kh_unmarshal_Event(context,
hentry->modified_by ? hentry->modified_by :
- &hentry->created_by,
+ &hentry->created_by,
kentry);
if (code != 0)
goto cleanup;
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* plugins/kdb/hdb/kdb_windc.c
*
code = kh_windc_pac_verify(context, kh, client_hprinc,
req->client ?
- KH_DB_ENTRY(req->client) : NULL,
+ KH_DB_ENTRY(req->client) : NULL,
KH_DB_ENTRY(req->server),
&hpac);
if (code != 0)
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_exp.c
*
*/
kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_ldap, kdb_function_table) = {
- 1, /* major version number 1 */
- 0, /* minor version number 0 */
- /* init_library */ krb5_ldap_lib_init,
- /* fini_library */ krb5_ldap_lib_cleanup,
- /* init_module */ krb5_ldap_open,
- /* fini_module */ krb5_ldap_close,
- /* db_create */ krb5_ldap_create,
- /* db_destroy */ krb5_ldap_delete_realm_1,
- /* db_get_age */ krb5_ldap_db_get_age,
- /* db_set_option */ krb5_ldap_set_option,
- /* db_lock */ krb5_ldap_lock,
- /* db_unlock */ krb5_ldap_unlock,
- /* db_get_principal */ krb5_ldap_get_principal,
- /* db_free_principal */ krb5_ldap_free_principal,
- /* db_put_principal */ krb5_ldap_put_principal,
- /* db_delete_principal */ krb5_ldap_delete_principal,
- /* db_iterate */ krb5_ldap_iterate,
- /* db_create_policy */ krb5_ldap_create_password_policy,
- /* db_get_policy */ krb5_ldap_get_password_policy,
- /* db_put_policy */ krb5_ldap_put_password_policy,
- /* db_iter_policy */ krb5_ldap_iterate_password_policy,
- /* db_delete_policy */ krb5_ldap_delete_password_policy,
- /* db_free_policy */ krb5_ldap_free_password_policy,
- /* db_supported_realms */ krb5_ldap_supported_realms,
- /* db_free_supported_realms */ krb5_ldap_free_supported_realms,
- /* errcode_2_string */ krb5_ldap_errcode_2_string,
- /* release_errcode_string */ krb5_ldap_release_errcode_string,
- /* db_alloc */ krb5_ldap_alloc,
- /* db_free */ krb5_ldap_free,
- /* optional functions */
- /* set_master_key */ krb5_ldap_set_mkey,
- /* get_master_key */ krb5_ldap_get_mkey,
- /* set_master_key_list */ krb5_ldap_set_mkey_list,
- /* get_master_key_list */ krb5_ldap_get_mkey_list,
- /* setup_master_key_name */ NULL,
- /* store_master_key */ NULL,
- /* fetch_master_key */ NULL /* krb5_ldap_fetch_mkey */,
- /* verify_master_key */ NULL /* krb5_ldap_verify_master_key */,
- /* fetch_master_key_list */ NULL,
- /* store_master_key_list */ NULL,
- /* Search enc type */ NULL,
- /* Change pwd */ NULL,
- /* promote_db */ NULL,
- /* dbekd_decrypt_key_data */ NULL,
- /* dbekd_encrypt_key_data */ NULL,
- /* db_invoke */ krb5_ldap_invoke,
+ 1, /* major version number 1 */
+ 0, /* minor version number 0 */
+ /* init_library */ krb5_ldap_lib_init,
+ /* fini_library */ krb5_ldap_lib_cleanup,
+ /* init_module */ krb5_ldap_open,
+ /* fini_module */ krb5_ldap_close,
+ /* db_create */ krb5_ldap_create,
+ /* db_destroy */ krb5_ldap_delete_realm_1,
+ /* db_get_age */ krb5_ldap_db_get_age,
+ /* db_set_option */ krb5_ldap_set_option,
+ /* db_lock */ krb5_ldap_lock,
+ /* db_unlock */ krb5_ldap_unlock,
+ /* db_get_principal */ krb5_ldap_get_principal,
+ /* db_free_principal */ krb5_ldap_free_principal,
+ /* db_put_principal */ krb5_ldap_put_principal,
+ /* db_delete_principal */ krb5_ldap_delete_principal,
+ /* db_iterate */ krb5_ldap_iterate,
+ /* db_create_policy */ krb5_ldap_create_password_policy,
+ /* db_get_policy */ krb5_ldap_get_password_policy,
+ /* db_put_policy */ krb5_ldap_put_password_policy,
+ /* db_iter_policy */ krb5_ldap_iterate_password_policy,
+ /* db_delete_policy */ krb5_ldap_delete_password_policy,
+ /* db_free_policy */ krb5_ldap_free_password_policy,
+ /* db_supported_realms */ krb5_ldap_supported_realms,
+ /* db_free_supported_realms */ krb5_ldap_free_supported_realms,
+ /* errcode_2_string */ krb5_ldap_errcode_2_string,
+ /* release_errcode_string */ krb5_ldap_release_errcode_string,
+ /* db_alloc */ krb5_ldap_alloc,
+ /* db_free */ krb5_ldap_free,
+ /* optional functions */
+ /* set_master_key */ krb5_ldap_set_mkey,
+ /* get_master_key */ krb5_ldap_get_mkey,
+ /* set_master_key_list */ krb5_ldap_set_mkey_list,
+ /* get_master_key_list */ krb5_ldap_get_mkey_list,
+ /* setup_master_key_name */ NULL,
+ /* store_master_key */ NULL,
+ /* fetch_master_key */ NULL /* krb5_ldap_fetch_mkey */,
+ /* verify_master_key */ NULL /* krb5_ldap_verify_master_key */,
+ /* fetch_master_key_list */ NULL,
+ /* store_master_key_list */ NULL,
+ /* Search enc type */ NULL,
+ /* Change pwd */ NULL,
+ /* promote_db */ NULL,
+ /* dbekd_decrypt_key_data */ NULL,
+ /* dbekd_encrypt_key_data */ NULL,
+ /* db_invoke */ krb5_ldap_invoke,
};
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* kadmin/ldap_util/kdb5_ldap_list.c
*/
/*
* Counts the number of entries in the given array of strings
*/
-int list_count_str_array(char **list)
+int
+list_count_str_array(char **list)
{
int i = 0;
if (list == NULL)
- return 0;
+ return 0;
for (i = 0; *list != NULL; list++) {
- i++;
+ i++;
}
return i;
/*
* Counts the number of entries in the given array of integers
*/
-int list_count_int_array(int *list)
+int
+list_count_int_array(int *list)
{
int i = 0;
if (list == NULL)
- return 0;
+ return 0;
for (i = 0; *list != END_OF_LIST; list++) {
- i++;
+ i++;
}
return i;
/*
* Frees the entries in a given list and not the list pointer
*/
-void krb5_free_list_entries(list)
- char **list;
+void
+krb5_free_list_entries(char **list)
{
if (list == NULL)
- return;
+ return;
for (; *list != NULL; list++) {
- free(*list);
- *list = NULL;
+ free(*list);
+ *list = NULL;
}
return;
* and return the result as a list
*/
krb5_error_code
-krb5_parse_list(buffer, delimiter, list)
- char *buffer;
- char *delimiter;
- char **list;
+krb5_parse_list(char *buffer, char *delimiter, char **list)
{
char *str = NULL;
char *token = NULL;
int count = 0;
if ((buffer == NULL) || (list == NULL) || (delimiter == NULL)) {
- return EINVAL;
+ return EINVAL;
}
str = strdup(buffer);
if (str == NULL)
- return ENOMEM;
+ return ENOMEM;
token = strtok_r(str, delimiter, &ptrptr);
for (count = 1; ((token != NULL) && (count < MAX_LIST_ENTRIES));
- plist++, count++) {
- *plist = strdup(token);
- if (*plist == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- token = strtok_r(NULL, delimiter, &ptrptr);
+ plist++, count++) {
+ *plist = strdup(token);
+ if (*plist == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ token = strtok_r(NULL, delimiter, &ptrptr);
}
*plist = NULL;
cleanup:
if (str) {
- free(str);
- str = NULL;
+ free(str);
+ str = NULL;
}
if (retval)
- krb5_free_list_entries(list);
+ krb5_free_list_entries(list);
return retval;
}
-int compare_int(m1, m2)
- const void *m1;
- const void *m2;
+int
+compare_int(const void *m1, const void *m2)
{
int mi1 = *(const int *)m1;
int mi2 = *(const int *)m2;
* entries present in the source list, depending on the mode
* (ADD or DELETE).
*/
-void list_modify_str_array(destlist, sourcelist, mode)
- char ***destlist;
- const char **sourcelist;
- int mode;
+void
+list_modify_str_array(char ***destlist, const char **sourcelist, int mode)
{
char **dlist = NULL, **tmplist = NULL;
const char **slist = NULL;
int found = 0;
if ((destlist == NULL) || (*destlist == NULL) || (sourcelist == NULL))
- return;
+ return;
/* We need to add every entry present in the source list to
* the destination list */
if (mode == LIST_MODE_ADD) {
- /* Traverse throught the end of destlist for appending */
- for (dlist = *destlist, dcount = 0; *dlist != NULL;
- dlist++, dcount++) {
- ; /* NULL statement */
- }
- /* Count the number of entries in the source list */
- for (slist = sourcelist, scount = 0; *slist != NULL;
- slist++, scount++) {
- ; /* NULL statement */
- }
- /* Reset the slist pointer to the start of source list */
- slist = sourcelist;
-
- /* Now append the source list to the existing destlist */
- if ((dcount + scount) < MAX_LIST_ENTRIES)
- copycount = scount;
- else
- /* Leave the last entry for list terminator(=NULL) */
- copycount = (MAX_LIST_ENTRIES -1) - dcount;
-
- memcpy(dlist, slist, (sizeof(char *) * copycount));
- dlist += copycount;
- *dlist = NULL;
+ /* Traverse throught the end of destlist for appending */
+ for (dlist = *destlist, dcount = 0; *dlist != NULL;
+ dlist++, dcount++) {
+ ; /* NULL statement */
+ }
+ /* Count the number of entries in the source list */
+ for (slist = sourcelist, scount = 0; *slist != NULL;
+ slist++, scount++) {
+ ; /* NULL statement */
+ }
+ /* Reset the slist pointer to the start of source list */
+ slist = sourcelist;
+
+ /* Now append the source list to the existing destlist */
+ if ((dcount + scount) < MAX_LIST_ENTRIES)
+ copycount = scount;
+ else
+ /* Leave the last entry for list terminator(=NULL) */
+ copycount = (MAX_LIST_ENTRIES -1) - dcount;
+
+ memcpy(dlist, slist, (sizeof(char *) * copycount));
+ dlist += copycount;
+ *dlist = NULL;
} else if (mode == LIST_MODE_DELETE) {
- /* We need to delete every entry present in the source list
- * from the destination list */
- for (slist = sourcelist; *slist != NULL; slist++) {
- for (dlist = *destlist; *dlist != NULL; dlist++) {
- found = 0; /* value not found */
- /* DN is case insensitive string */
- if (strcasecmp(*dlist, *slist) == 0) {
- found = 1;
- free(*dlist);
- /* Advance the rest of the entries by one */
- for (tmplist = dlist; *tmplist != NULL; tmplist++) {
- *tmplist = *(tmplist+1);
- }
- break;
- }
- }
- }
+ /* We need to delete every entry present in the source list
+ * from the destination list */
+ for (slist = sourcelist; *slist != NULL; slist++) {
+ for (dlist = *destlist; *dlist != NULL; dlist++) {
+ found = 0; /* value not found */
+ /* DN is case insensitive string */
+ if (strcasecmp(*dlist, *slist) == 0) {
+ found = 1;
+ free(*dlist);
+ /* Advance the rest of the entries by one */
+ for (tmplist = dlist; *tmplist != NULL; tmplist++) {
+ *tmplist = *(tmplist+1);
+ }
+ break;
+ }
+ }
+ }
}
return;
* entries present in the source list, depending on the mode
* (ADD or DELETE). where the list is array of integers.
*/
-int list_modify_int_array(destlist, sourcelist, mode)
- int *destlist;
- const int *sourcelist;
- int mode;
+int
+list_modify_int_array(int *destlist, const int *sourcelist, int mode)
{
int *dlist = NULL, *tmplist = NULL;
const int *slist = NULL;
int tcount = 0;
if ((destlist == NULL) || (sourcelist == NULL))
- return 0;
+ return 0;
/* We need to add every entry present in the source list to the
* destination list */
if (mode == LIST_MODE_ADD) {
- /* Traverse throught the end of destlist for appending */
- for (dlist = destlist, dcount = 0; *dlist != END_OF_LIST;
- dlist++, dcount++)
- ; /* NULL statement */
-
- /* Count the number of entries in the source list */
- for (slist = sourcelist, scount = 0; *slist != END_OF_LIST;
- slist++, scount++)
- ; /* NULL statement */
-
- /* Reset the slist pointer to the start of source list */
- slist = sourcelist;
-
- /* Now append the source list to the existing destlist */
- if ((dcount + scount) < MAX_LIST_ENTRIES)
- copycount = scount;
- else
- /* Leave the last entry for list terminator(=NULL) */
- copycount = (MAX_LIST_ENTRIES -1) - dcount;
-
- memcpy(dlist, slist, (sizeof(int) * copycount));
- dlist += copycount;
- *dlist = END_OF_LIST;
- tcount = dcount + copycount;
+ /* Traverse throught the end of destlist for appending */
+ for (dlist = destlist, dcount = 0; *dlist != END_OF_LIST;
+ dlist++, dcount++)
+ ; /* NULL statement */
+
+ /* Count the number of entries in the source list */
+ for (slist = sourcelist, scount = 0; *slist != END_OF_LIST;
+ slist++, scount++)
+ ; /* NULL statement */
+
+ /* Reset the slist pointer to the start of source list */
+ slist = sourcelist;
+
+ /* Now append the source list to the existing destlist */
+ if ((dcount + scount) < MAX_LIST_ENTRIES)
+ copycount = scount;
+ else
+ /* Leave the last entry for list terminator(=NULL) */
+ copycount = (MAX_LIST_ENTRIES -1) - dcount;
+
+ memcpy(dlist, slist, (sizeof(int) * copycount));
+ dlist += copycount;
+ *dlist = END_OF_LIST;
+ tcount = dcount + copycount;
} else if (mode == LIST_MODE_DELETE) {
- /* We need to delete every entry present in the source list from
- * the destination list */
- for (slist = sourcelist; *slist != END_OF_LIST; slist++) {
- for (dlist = destlist; *dlist != END_OF_LIST; dlist++) {
- if (*dlist == *slist) {
- /* Advance the rest of the entries by one */
- for (tmplist = dlist; *tmplist != END_OF_LIST; tmplist++) {
- *tmplist = *(tmplist+1);
- }
- break;
- }
- }
- }
- /* count the number of entries */
- for (dlist = destlist, tcount = 0; *dlist != END_OF_LIST; dlist++) {
- tcount++;
- }
+ /* We need to delete every entry present in the source list from
+ * the destination list */
+ for (slist = sourcelist; *slist != END_OF_LIST; slist++) {
+ for (dlist = destlist; *dlist != END_OF_LIST; dlist++) {
+ if (*dlist == *slist) {
+ /* Advance the rest of the entries by one */
+ for (tmplist = dlist; *tmplist != END_OF_LIST; tmplist++) {
+ *tmplist = *(tmplist+1);
+ }
+ break;
+ }
+ }
+ }
+ /* count the number of entries */
+ for (dlist = destlist, tcount = 0; *dlist != END_OF_LIST; dlist++) {
+ tcount++;
+ }
}
return tcount;
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* kadmin/ldap_util/kdb5_ldap_list.h
*/
*/
-#define MAX_LIST_ENTRIES 64
-#define END_OF_LIST -1 /* End of List */
-#define LIST_DELIMITER ":" /* List entry separator */
-#define LIST_MODE_ADD 0x701 /* Add to the List */
-#define LIST_MODE_DELETE 0x702 /* Delete from the list */
-#define MAX_LEN_LIST_ENTRY 512 /* Max len of an entry */
+#define MAX_LIST_ENTRIES 64
+#define END_OF_LIST -1 /* End of List */
+#define LIST_DELIMITER ":" /* List entry separator */
+#define LIST_MODE_ADD 0x701 /* Add to the List */
+#define LIST_MODE_DELETE 0x702 /* Delete from the list */
+#define MAX_LEN_LIST_ENTRY 512 /* Max len of an entry */
extern krb5_error_code krb5_parse_list(char *buffer, char *delimiter, char **list);
extern void krb5_free_list_entries(char **list);
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* kadmin/ldap_util/kdb5_ldap_policy.c
*/
extern char *yes;
extern kadm5_config_params global_params;
-static krb5_error_code init_ldap_realm (int argc, char *argv[]) {
+static krb5_error_code
+init_ldap_realm(int argc, char *argv[])
+{
/* This operation is being performed in the context of a realm. So,
* initialize the realm */
int mask = 0;
if (ldap_context->krbcontainer == NULL) {
retval = krb5_ldap_read_krbcontainer_params (util_context,
- &(ldap_context->krbcontainer));
+ &(ldap_context->krbcontainer));
if (retval != 0) {
com_err(progname, retval, "while reading kerberos container information");
goto cleanup;
if (ldap_context->lrparams == NULL) {
retval = krb5_ldap_read_realm_params(util_context,
- global_params.realm,
- &(ldap_context->lrparams),
- &mask);
+ global_params.realm,
+ &(ldap_context->lrparams),
+ &mask);
if (retval != 0) {
goto cleanup;
* specified attributes.
*/
void
-kdb5_ldap_create_policy(argc, argv)
- int argc;
- char *argv[];
+kdb5_ldap_create_policy(int argc, char *argv[])
{
char *me = progname;
krb5_error_code retval = 0;
/* Check for number of arguments */
if ((argc < 2) || (argc > 16)) {
- goto err_usage;
+ goto err_usage;
}
/* Allocate memory for policy parameters structure */
policyparams = (krb5_ldap_policy_params*) calloc(1, sizeof(krb5_ldap_policy_params));
if (policyparams == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
/* Get current time */
/* Parse all arguments */
for (i = 1; i < argc; i++) {
- if (!strcmp(argv[i], "-maxtktlife")) {
- if (++i > argc - 1)
- goto err_usage;
-
- date = get_date(argv[i]);
- if (date == (time_t)(-1)) {
- retval = EINVAL;
- com_err (me, retval, "while providing time specification");
- goto err_nomsg;
- }
-
- policyparams->maxtktlife = date - now;
-
- mask |= LDAP_POLICY_MAXTKTLIFE;
- } else if (!strcmp(argv[i], "-maxrenewlife")) {
- if (++i > argc - 1)
- goto err_usage;
-
- date = get_date(argv[i]);
- if (date == (time_t)(-1)) {
- retval = EINVAL;
- com_err (me, retval, "while providing time specification");
- goto err_nomsg;
- }
-
- policyparams->maxrenewlife = date - now;
-
- mask |= LDAP_POLICY_MAXRENEWLIFE;
- } else if (!strcmp((argv[i] + 1), "allow_postdated")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
- else
- goto err_usage;
-
- mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_forwardable")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
- else
- goto err_usage;
-
- mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_renewable")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
- else
- goto err_usage;
-
- mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_proxiable")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
- else
- goto err_usage;
-
- mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
- else
- goto err_usage;
-
- mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "requires_preauth")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
- else if (*(argv[i]) == '-')
- policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
- else
- goto err_usage;
-
- mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "requires_hwauth")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
- else if (*(argv[i]) == '-')
- policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
- else
- goto err_usage;
-
- mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_svr")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
- else
- goto err_usage;
-
- mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
- else
- goto err_usage;
-
- mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_tix")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
- else
- goto err_usage;
-
- mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "needchange")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
- else if (*(argv[i]) == '-')
- policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
- else
- goto err_usage;
-
- mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "password_changing_service")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
- else if (*(argv[i]) == '-')
- policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
- else
- goto err_usage;
-
- mask |= LDAP_POLICY_TKTFLAGS;
- } else { /* Any other argument must be policy DN */
- /* First check if policy DN is already provided --
- if so, there's a usage error */
+ if (!strcmp(argv[i], "-maxtktlife")) {
+ if (++i > argc - 1)
+ goto err_usage;
+
+ date = get_date(argv[i]);
+ if (date == (time_t)(-1)) {
+ retval = EINVAL;
+ com_err (me, retval, "while providing time specification");
+ goto err_nomsg;
+ }
+
+ policyparams->maxtktlife = date - now;
+
+ mask |= LDAP_POLICY_MAXTKTLIFE;
+ } else if (!strcmp(argv[i], "-maxrenewlife")) {
+ if (++i > argc - 1)
+ goto err_usage;
+
+ date = get_date(argv[i]);
+ if (date == (time_t)(-1)) {
+ retval = EINVAL;
+ com_err (me, retval, "while providing time specification");
+ goto err_nomsg;
+ }
+
+ policyparams->maxrenewlife = date - now;
+
+ mask |= LDAP_POLICY_MAXRENEWLIFE;
+ } else if (!strcmp((argv[i] + 1), "allow_postdated")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
+ else
+ goto err_usage;
+
+ mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_forwardable")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
+ else
+ goto err_usage;
+
+ mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_renewable")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
+ else
+ goto err_usage;
+
+ mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_proxiable")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
+ else
+ goto err_usage;
+
+ mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
+ else
+ goto err_usage;
+
+ mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "requires_preauth")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
+ else
+ goto err_usage;
+
+ mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "requires_hwauth")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
+ else
+ goto err_usage;
+
+ mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_svr")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
+ else
+ goto err_usage;
+
+ mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
+ else
+ goto err_usage;
+
+ mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_tix")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
+ else
+ goto err_usage;
+
+ mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "needchange")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
+ else
+ goto err_usage;
+
+ mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "password_changing_service")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
+ else
+ goto err_usage;
+
+ mask |= LDAP_POLICY_TKTFLAGS;
+ } else { /* Any other argument must be policy DN */
+ /* First check if policy DN is already provided --
+ if so, there's a usage error */
if (policyparams->policy != NULL)
- goto err_usage;
+ goto err_usage;
- /* If not present already, fill up policy DN */
+ /* If not present already, fill up policy DN */
policyparams->policy = strdup(argv[i]);
if (policyparams->policy == NULL) {
- retval = ENOMEM;
- com_err(me, retval, "while creating policy object");
- goto err_nomsg;
- }
- }
+ retval = ENOMEM;
+ com_err(me, retval, "while creating policy object");
+ goto err_nomsg;
+ }
+ }
}
/* policy DN is a mandatory argument. If not provided, print usage */
if (policyparams->policy == NULL)
- goto err_usage;
+ goto err_usage;
if ((retval = init_ldap_realm (argc, argv))) {
com_err(me, retval, "while reading realm information");
/* Create object with all attributes provided */
if ((retval = krb5_ldap_create_policy(util_context, policyparams, mask)) != 0)
- goto cleanup;
+ goto cleanup;
goto cleanup;
krb5_ldap_free_policy (util_context, policyparams);
if (print_usage)
- db_usage(CREATE_POLICY);
+ db_usage(CREATE_POLICY);
if (retval) {
- if (!no_msg)
- com_err(me, retval, "while creating policy object");
+ if (!no_msg)
+ com_err(me, retval, "while creating policy object");
- exit_status++;
+ exit_status++;
}
return;
* object interactively, unless forced through an option.
*/
void
-kdb5_ldap_destroy_policy(argc, argv)
- int argc;
- char *argv[];
+kdb5_ldap_destroy_policy(int argc, char *argv[])
{
char *me = progname;
krb5_error_code retval = 0;
int i = 0;
if ((argc < 2) || (argc > 3)) {
- goto err_usage;
+ goto err_usage;
}
for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "-force") == 0) {
- force++;
- } else { /* Any other argument must be policy DN */
- /* First check if policy DN is already provided --
- if so, there's a usage error */
+ if (strcmp(argv[i], "-force") == 0) {
+ force++;
+ } else { /* Any other argument must be policy DN */
+ /* First check if policy DN is already provided --
+ if so, there's a usage error */
if (policy != NULL)
- goto err_usage;
+ goto err_usage;
- /* If not present already, fill up policy DN */
+ /* If not present already, fill up policy DN */
policy = strdup(argv[i]);
if (policy == NULL) {
- retval = ENOMEM;
- com_err(me, retval, "while destroying policy object");
- goto err_nomsg;
- }
- }
+ retval = ENOMEM;
+ com_err(me, retval, "while destroying policy object");
+ goto err_nomsg;
+ }
+ }
}
if (policy == NULL)
- goto err_usage;
+ goto err_usage;
if (!force) {
printf("This will delete the policy object '%s', are you sure?\n", policy);
- printf("(type 'yes' to confirm)? ");
+ printf("(type 'yes' to confirm)? ");
- if (fgets(buf, sizeof(buf), stdin) == NULL) {
- retval = EINVAL;
- goto cleanup;
- }
+ if (fgets(buf, sizeof(buf), stdin) == NULL) {
+ retval = EINVAL;
+ goto cleanup;
+ }
- if (strcmp(buf, yes)) {
- exit_status++;
- goto cleanup;
- }
+ if (strcmp(buf, yes)) {
+ exit_status++;
+ goto cleanup;
+ }
}
if ((retval = init_ldap_realm (argc, argv)))
goto err_nomsg;
if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask)))
- goto cleanup;
+ goto cleanup;
if ((retval = krb5_ldap_delete_policy(util_context, policy)))
- goto cleanup;
+ goto cleanup;
printf("** policy object '%s' deleted.\n", policy);
goto cleanup;
krb5_ldap_free_policy (util_context, policyparams);
if (policy) {
- free (policy);
+ free (policy);
}
if (print_usage) {
- db_usage(DESTROY_POLICY);
+ db_usage(DESTROY_POLICY);
}
if (retval) {
- if (!no_msg)
- com_err(me, retval, "while destroying policy object");
+ if (!no_msg)
+ com_err(me, retval, "while destroying policy object");
- exit_status++;
+ exit_status++;
}
return;
* policy object.
*/
void
-kdb5_ldap_modify_policy(argc, argv)
- int argc;
- char *argv[];
+kdb5_ldap_modify_policy(int argc, char *argv[])
{
char *me = progname;
krb5_error_code retval = 0;
since atleast one parameter should be given in
addition to 'modify_policy' and policy DN */
if ((argc < 3) || (argc > 16)) {
- goto err_usage;
+ goto err_usage;
}
/* Parse all arguments, only to pick up policy DN (Pass 1) */
for (i = 1; i < argc; i++) {
- /* Skip arguments next to 'maxtktlife'
- and 'maxrenewlife' arguments */
- if (!strcmp(argv[i], "-maxtktlife")) {
- ++i;
- } else if (!strcmp(argv[i], "-maxrenewlife")) {
- ++i;
- }
- /* Do nothing for ticket flag arguments */
- else if (!strcmp((argv[i] + 1), "allow_postdated") ||
- !strcmp((argv[i] + 1), "allow_forwardable") ||
- !strcmp((argv[i] + 1), "allow_renewable") ||
- !strcmp((argv[i] + 1), "allow_proxiable") ||
- !strcmp((argv[i] + 1), "allow_dup_skey") ||
- !strcmp((argv[i] + 1), "requires_preauth") ||
- !strcmp((argv[i] + 1), "requires_hwauth") ||
- !strcmp((argv[i] + 1), "allow_svr") ||
- !strcmp((argv[i] + 1), "allow_tgs_req") ||
- !strcmp((argv[i] + 1), "allow_tix") ||
- !strcmp((argv[i] + 1), "needchange") ||
- !strcmp((argv[i] + 1), "password_changing_service")) {
- } else { /* Any other argument must be policy DN */
- /* First check if policy DN is already provided --
- if so, there's a usage error */
+ /* Skip arguments next to 'maxtktlife'
+ and 'maxrenewlife' arguments */
+ if (!strcmp(argv[i], "-maxtktlife")) {
+ ++i;
+ } else if (!strcmp(argv[i], "-maxrenewlife")) {
+ ++i;
+ }
+ /* Do nothing for ticket flag arguments */
+ else if (!strcmp((argv[i] + 1), "allow_postdated") ||
+ !strcmp((argv[i] + 1), "allow_forwardable") ||
+ !strcmp((argv[i] + 1), "allow_renewable") ||
+ !strcmp((argv[i] + 1), "allow_proxiable") ||
+ !strcmp((argv[i] + 1), "allow_dup_skey") ||
+ !strcmp((argv[i] + 1), "requires_preauth") ||
+ !strcmp((argv[i] + 1), "requires_hwauth") ||
+ !strcmp((argv[i] + 1), "allow_svr") ||
+ !strcmp((argv[i] + 1), "allow_tgs_req") ||
+ !strcmp((argv[i] + 1), "allow_tix") ||
+ !strcmp((argv[i] + 1), "needchange") ||
+ !strcmp((argv[i] + 1), "password_changing_service")) {
+ } else { /* Any other argument must be policy DN */
+ /* First check if policy DN is already provided --
+ if so, there's a usage error */
if (policy != NULL)
- goto err_usage;
+ goto err_usage;
- /* If not present already, fill up policy DN */
+ /* If not present already, fill up policy DN */
policy = strdup(argv[i]);
if (policy == NULL) {
- retval = ENOMEM;
- com_err(me, retval, "while modifying policy object");
- goto err_nomsg;
- }
- }
+ retval = ENOMEM;
+ com_err(me, retval, "while modifying policy object");
+ goto err_nomsg;
+ }
+ }
}
if (policy == NULL)
- goto err_usage;
+ goto err_usage;
if ((retval = init_ldap_realm (argc, argv)))
- goto cleanup;
+ goto cleanup;
retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &in_mask);
if (retval) {
com_err(me, retval, "while reading information of policy '%s'", policy);
- goto err_nomsg;
+ goto err_nomsg;
}
/* Get current time */
/* Parse all arguments, but skip policy DN (Pass 2) */
for (i = 1; i < argc; i++) {
- if (!strcmp(argv[i], "-maxtktlife")) {
- if (++i > argc - 1)
- goto err_usage;
-
- date = get_date(argv[i]);
- if (date == (time_t)(-1)) {
- retval = EINVAL;
- com_err (me, retval, "while providing time specification");
- goto err_nomsg;
- }
-
- policyparams->maxtktlife = date - now;
-
- out_mask |= LDAP_POLICY_MAXTKTLIFE;
- } else if (!strcmp(argv[i], "-maxrenewlife")) {
- if (++i > argc - 1)
- goto err_usage;
-
- date = get_date(argv[i]);
- if (date == (time_t)(-1)) {
- retval = EINVAL;
- com_err (me, retval, "while providing time specification");
- goto err_nomsg;
- }
-
- policyparams->maxrenewlife = date - now;
-
- out_mask |= LDAP_POLICY_MAXRENEWLIFE;
- } else if (!strcmp((argv[i] + 1), "allow_postdated")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
- else
- goto err_usage;
-
- out_mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_forwardable")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
- else
- goto err_usage;
-
- out_mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_renewable")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
- else
- goto err_usage;
-
- out_mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_proxiable")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
- else
- goto err_usage;
-
- out_mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
- else
- goto err_usage;
-
- out_mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "requires_preauth")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
- else if (*(argv[i]) == '-')
- policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
- else
- goto err_usage;
-
- out_mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "requires_hwauth")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
- else if (*(argv[i]) == '-')
- policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
- else
- goto err_usage;
-
- out_mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_svr")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
- else
- goto err_usage;
-
- out_mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
- else
- goto err_usage;
-
- out_mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "allow_tix")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
- else if (*(argv[i]) == '-')
- policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
- else
- goto err_usage;
-
- out_mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "needchange")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
- else if (*(argv[i]) == '-')
- policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
- else
- goto err_usage;
-
- out_mask |= LDAP_POLICY_TKTFLAGS;
- } else if (!strcmp((argv[i] + 1), "password_changing_service")) {
- if (*(argv[i]) == '+')
- policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
- else if (*(argv[i]) == '-')
- policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
- else
- goto err_usage;
-
- out_mask |= LDAP_POLICY_TKTFLAGS;
- } else {
- /* Any other argument must be policy DN
- -- skip it */
- }
+ if (!strcmp(argv[i], "-maxtktlife")) {
+ if (++i > argc - 1)
+ goto err_usage;
+
+ date = get_date(argv[i]);
+ if (date == (time_t)(-1)) {
+ retval = EINVAL;
+ com_err (me, retval, "while providing time specification");
+ goto err_nomsg;
+ }
+
+ policyparams->maxtktlife = date - now;
+
+ out_mask |= LDAP_POLICY_MAXTKTLIFE;
+ } else if (!strcmp(argv[i], "-maxrenewlife")) {
+ if (++i > argc - 1)
+ goto err_usage;
+
+ date = get_date(argv[i]);
+ if (date == (time_t)(-1)) {
+ retval = EINVAL;
+ com_err (me, retval, "while providing time specification");
+ goto err_nomsg;
+ }
+
+ policyparams->maxrenewlife = date - now;
+
+ out_mask |= LDAP_POLICY_MAXRENEWLIFE;
+ } else if (!strcmp((argv[i] + 1), "allow_postdated")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
+ else
+ goto err_usage;
+
+ out_mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_forwardable")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
+ else
+ goto err_usage;
+
+ out_mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_renewable")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
+ else
+ goto err_usage;
+
+ out_mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_proxiable")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
+ else
+ goto err_usage;
+
+ out_mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
+ else
+ goto err_usage;
+
+ out_mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "requires_preauth")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
+ else
+ goto err_usage;
+
+ out_mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "requires_hwauth")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
+ else
+ goto err_usage;
+
+ out_mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_svr")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
+ else
+ goto err_usage;
+
+ out_mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
+ else
+ goto err_usage;
+
+ out_mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "allow_tix")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
+ else
+ goto err_usage;
+
+ out_mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "needchange")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
+ else
+ goto err_usage;
+
+ out_mask |= LDAP_POLICY_TKTFLAGS;
+ } else if (!strcmp((argv[i] + 1), "password_changing_service")) {
+ if (*(argv[i]) == '+')
+ policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
+ else if (*(argv[i]) == '-')
+ policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
+ else
+ goto err_usage;
+
+ out_mask |= LDAP_POLICY_TKTFLAGS;
+ } else {
+ /* Any other argument must be policy DN
+ -- skip it */
+ }
}
/* Modify attributes of object */
if ((retval = krb5_ldap_modify_policy(util_context, policyparams, out_mask)))
- goto cleanup;
+ goto cleanup;
goto cleanup;
free (policy);
if (print_usage)
- db_usage(MODIFY_POLICY);
+ db_usage(MODIFY_POLICY);
if (retval) {
- if (!no_msg)
- com_err(me, retval, "while modifying policy object");
+ if (!no_msg)
+ com_err(me, retval, "while modifying policy object");
- exit_status++;
+ exit_status++;
}
return;
* fetching the information from the LDAP Server.
*/
void
-kdb5_ldap_view_policy(argc, argv)
- int argc;
- char *argv[];
+kdb5_ldap_view_policy(int argc, char *argv[])
{
char *me = progname;
krb5_ldap_policy_params *policyparams = NULL;
int mask = 0;
if (argc != 2) {
- goto err_usage;
+ goto err_usage;
}
policy = strdup(argv[1]);
if (policy == NULL) {
- com_err(me, ENOMEM, "while viewing policy");
- exit_status++;
- goto cleanup;
+ com_err(me, ENOMEM, "while viewing policy");
+ exit_status++;
+ goto cleanup;
}
if ((retval = init_ldap_realm (argc, argv)))
goto cleanup;
if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask))) {
- com_err(me, retval, "while viewing policy '%s'", policy);
- exit_status++;
- goto cleanup;
+ com_err(me, retval, "while viewing policy '%s'", policy);
+ exit_status++;
+ goto cleanup;
}
print_policy_params (policyparams, mask);
krb5_ldap_free_policy (util_context, policyparams);
if (policy)
- free (policy);
+ free (policy);
if (print_usage) {
- db_usage(VIEW_POLICY);
+ db_usage(VIEW_POLICY);
}
return;
* standard output.
*/
static void
-print_policy_params(policyparams, mask)
- krb5_ldap_policy_params *policyparams;
- int mask;
+print_policy_params(krb5_ldap_policy_params *policyparams, int mask)
{
/* Print the policy DN */
printf("%25s: %s\n", "Ticket policy", policyparams->policy);
/* Print max. ticket life and max. renewable life, if present */
if (mask & LDAP_POLICY_MAXTKTLIFE)
- printf("%25s: %s\n", "Maximum ticket life", strdur(policyparams->maxtktlife));
+ printf("%25s: %s\n", "Maximum ticket life", strdur(policyparams->maxtktlife));
if (mask & LDAP_POLICY_MAXRENEWLIFE)
- printf("%25s: %s\n", "Maximum renewable life", strdur(policyparams->maxrenewlife));
+ printf("%25s: %s\n", "Maximum renewable life", strdur(policyparams->maxrenewlife));
/* Service flags are printed */
printf("%25s: ", "Ticket flags");
if (mask & LDAP_POLICY_TKTFLAGS) {
- int ticketflags = policyparams->tktflags;
+ int ticketflags = policyparams->tktflags;
- if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
- printf("%s ","DISALLOW_POSTDATED");
+ if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
+ printf("%s ","DISALLOW_POSTDATED");
- if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE)
- printf("%s ","DISALLOW_FORWARDABLE");
+ if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE)
+ printf("%s ","DISALLOW_FORWARDABLE");
- if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE)
- printf("%s ","DISALLOW_RENEWABLE");
+ if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE)
+ printf("%s ","DISALLOW_RENEWABLE");
- if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE)
- printf("%s ","DISALLOW_PROXIABLE");
+ if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE)
+ printf("%s ","DISALLOW_PROXIABLE");
- if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY)
- printf("%s ","DISALLOW_DUP_SKEY");
+ if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY)
+ printf("%s ","DISALLOW_DUP_SKEY");
- if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH)
- printf("%s ","REQUIRES_PRE_AUTH");
+ if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH)
+ printf("%s ","REQUIRES_PRE_AUTH");
- if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH)
- printf("%s ","REQUIRES_HW_AUTH");
+ if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH)
+ printf("%s ","REQUIRES_HW_AUTH");
- if (ticketflags & KRB5_KDB_DISALLOW_SVR)
- printf("%s ","DISALLOW_SVR");
+ if (ticketflags & KRB5_KDB_DISALLOW_SVR)
+ printf("%s ","DISALLOW_SVR");
- if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED)
- printf("%s ","DISALLOW_TGT_BASED");
+ if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED)
+ printf("%s ","DISALLOW_TGT_BASED");
- if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX)
- printf("%s ","DISALLOW_ALL_TIX");
+ if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX)
+ printf("%s ","DISALLOW_ALL_TIX");
- if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE)
- printf("%s ","REQUIRES_PWCHANGE");
+ if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE)
+ printf("%s ","REQUIRES_PWCHANGE");
- if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
- printf("%s ","PWCHANGE_SERVICE");
+ if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
+ printf("%s ","PWCHANGE_SERVICE");
}
printf("\n");
* This function will list the DNs of policy objects under a specific
* sub-tree (entire tree by default)
*/
-void kdb5_ldap_list_policies(argc, argv)
- int argc;
- char *argv[];
+void
+kdb5_ldap_list_policies(int argc, char *argv[])
{
char *me = progname;
krb5_error_code retval = 0;
/* Check for number of arguments */
if ((argc != 1) && (argc != 3)) {
- goto err_usage;
+ goto err_usage;
}
if ((retval = init_ldap_realm (argc, argv)))
- goto cleanup;
+ goto cleanup;
retval = krb5_ldap_list_policy(util_context, basedn, &list);
if ((retval != 0) || (list == NULL))
- goto cleanup;
+ goto cleanup;
for (plist = list; *plist != NULL; plist++) {
- printf("%s\n", *plist);
+ printf("%s\n", *plist);
}
goto cleanup;
cleanup:
if (list != NULL) {
- krb5_free_list_entries (list);
- free (list);
+ krb5_free_list_entries (list);
+ free (list);
}
if (basedn)
- free (basedn);
+ free (basedn);
if (print_usage) {
- db_usage(LIST_POLICY);
+ db_usage(LIST_POLICY);
}
if (retval) {
- com_err(me, retval, "while listing policy objects");
- exit_status++;
+ com_err(me, retval, "while listing policy objects");
+ exit_status++;
}
return;
/* Reproduced from kadmin.c, instead of linking
the entire kadmin.o */
-static char *strdur(duration)
- time_t duration;
+static char *
+strdur(time_t duration)
{
static char out[50];
int neg, days, hours, minutes, seconds;
if (duration < 0) {
- duration *= -1;
- neg = 1;
+ duration *= -1;
+ neg = 1;
} else
- neg = 0;
+ neg = 0;
days = duration / (24 * 3600);
duration %= 24 * 3600;
hours = duration / 3600;
duration %= 60;
seconds = duration;
snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
- days, days == 1 ? "day" : "days", hours, minutes, seconds);
+ days, days == 1 ? "day" : "days", hours, minutes, seconds);
return out;
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* kadmin/ldap_util/kdb5_ldap_policy.h
*/
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* kadmin/ldap_util/kdb5_ldap_realm.c
*
static krb5_principal_data db_create_princ = {
- 0, /* magic number */
- {0, 0, 0}, /* krb5_data realm */
- db_creator_entries, /* krb5_data *data */
- 1, /* int length */
- KRB5_NT_SRV_INST /* int type */
+ 0, /* magic number */
+ {0, 0, 0}, /* krb5_data realm */
+ db_creator_entries, /* krb5_data *data */
+ 1, /* int length */
+ KRB5_NT_SRV_INST /* int type */
};
extern char *mkey_password;
static void print_realm_params(krb5_ldap_realm_params *rparams, int mask);
static int kdb_ldap_create_principal (krb5_context context, krb5_principal
- princ, enum ap_op op, struct realm_info *pblock);
+ princ, enum ap_op op, struct realm_info *pblock);
static char *strdur(time_t duration);
#define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
#ifdef HAVE_EDIRECTORY
-#define FREE_DN_LIST(dnlist) if (dnlist != NULL) { \
- for (idx=0; dnlist[idx] != NULL; idx++) \
- free(dnlist[idx]); \
- free(dnlist); \
- }
+#define FREE_DN_LIST(dnlist) if (dnlist != NULL) { \
+ for (idx=0; dnlist[idx] != NULL; idx++) \
+ free(dnlist[idx]); \
+ free(dnlist); \
+ }
#endif
-static int get_ticket_policy(rparams,i,argv,argc)
- krb5_ldap_realm_params *rparams;
- int *i;
- char *argv[];
- int argc;
+static int
+get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[],
+ int argc)
{
time_t date;
time_t now;
time(&now);
if (!strcmp(argv[*i], "-maxtktlife")) {
- if (++(*i) > argc-1)
- goto err_usage;
- date = get_date(argv[*i]);
- if (date == (time_t)(-1)) {
- retval = EINVAL;
- com_err (me, retval, "while providing time specification");
- goto err_nomsg;
- }
- rparams->max_life = date-now;
- mask |= LDAP_REALM_MAXTICKETLIFE;
+ if (++(*i) > argc-1)
+ goto err_usage;
+ date = get_date(argv[*i]);
+ if (date == (time_t)(-1)) {
+ retval = EINVAL;
+ com_err (me, retval, "while providing time specification");
+ goto err_nomsg;
+ }
+ rparams->max_life = date-now;
+ mask |= LDAP_REALM_MAXTICKETLIFE;
}
else if (!strcmp(argv[*i], "-maxrenewlife")) {
- if (++(*i) > argc-1)
- goto err_usage;
-
- date = get_date(argv[*i]);
- if (date == (time_t)(-1)) {
- retval = EINVAL;
- com_err (me, retval, "while providing time specification");
- goto err_nomsg;
- }
- rparams->max_renewable_life = date-now;
- mask |= LDAP_REALM_MAXRENEWLIFE;
+ if (++(*i) > argc-1)
+ goto err_usage;
+
+ date = get_date(argv[*i]);
+ if (date == (time_t)(-1)) {
+ retval = EINVAL;
+ com_err (me, retval, "while providing time specification");
+ goto err_nomsg;
+ }
+ rparams->max_renewable_life = date-now;
+ mask |= LDAP_REALM_MAXRENEWLIFE;
} else if (!strcmp((argv[*i] + 1), "allow_postdated")) {
- if (*(argv[*i]) == '+')
- rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
- else if (*(argv[*i]) == '-')
- rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
- else
- goto err_usage;
-
- mask |= LDAP_REALM_KRBTICKETFLAGS;
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
} else if (!strcmp((argv[*i] + 1), "allow_forwardable")) {
- if (*(argv[*i]) == '+')
- rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
- else if (*(argv[*i]) == '-')
- rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
- else
- goto err_usage;
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
+ else
+ goto err_usage;
- mask |= LDAP_REALM_KRBTICKETFLAGS;
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
} else if (!strcmp((argv[*i] + 1), "allow_renewable")) {
- if (*(argv[*i]) == '+')
- rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
- else if (*(argv[*i]) == '-')
- rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
- else
- goto err_usage;
-
- mask |= LDAP_REALM_KRBTICKETFLAGS;
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
} else if (!strcmp((argv[*i] + 1), "allow_proxiable")) {
- if (*(argv[*i]) == '+')
- rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
- else if (*(argv[*i]) == '-')
- rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
- else
- goto err_usage;
-
- mask |= LDAP_REALM_KRBTICKETFLAGS;
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
} else if (!strcmp((argv[*i] + 1), "allow_dup_skey")) {
- if (*(argv[*i]) == '+')
- rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
- else if (*(argv[*i]) == '-')
- rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
- else
- goto err_usage;
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
+ else
+ goto err_usage;
- mask |= LDAP_REALM_KRBTICKETFLAGS;
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
}
else if (!strcmp((argv[*i] + 1), "requires_preauth")) {
- if (*(argv[*i]) == '+')
- rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
- else if (*(argv[*i]) == '-')
- rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
- else
- goto err_usage;
-
- mask |= LDAP_REALM_KRBTICKETFLAGS;
+ if (*(argv[*i]) == '+')
+ rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
} else if (!strcmp((argv[*i] + 1), "requires_hwauth")) {
- if (*(argv[*i]) == '+')
- rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
- else if (*(argv[*i]) == '-')
- rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
- else
- goto err_usage;
-
- mask |= LDAP_REALM_KRBTICKETFLAGS;
+ if (*(argv[*i]) == '+')
+ rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
} else if (!strcmp((argv[*i] + 1), "allow_svr")) {
- if (*(argv[*i]) == '+')
- rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
- else if (*(argv[*i]) == '-')
- rparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
- else
- goto err_usage;
-
- mask |= LDAP_REALM_KRBTICKETFLAGS;
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
} else if (!strcmp((argv[*i] + 1), "allow_tgs_req")) {
- if (*(argv[*i]) == '+')
- rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
- else if (*(argv[*i]) == '-')
- rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
- else
- goto err_usage;
-
- mask |= LDAP_REALM_KRBTICKETFLAGS;
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
} else if (!strcmp((argv[*i] + 1), "allow_tix")) {
- if (*(argv[*i]) == '+')
- rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
- else if (*(argv[*i]) == '-')
- rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
- else
- goto err_usage;
-
- mask |= LDAP_REALM_KRBTICKETFLAGS;
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
} else if (!strcmp((argv[*i] + 1), "needchange")) {
- if (*(argv[*i]) == '+')
- rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
- else if (*(argv[*i]) == '-')
- rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
- else
- goto err_usage;
-
- mask |= LDAP_REALM_KRBTICKETFLAGS;
+ if (*(argv[*i]) == '+')
+ rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
} else if (!strcmp((argv[*i] + 1), "password_changing_service")) {
- if (*(argv[*i]) == '+')
- rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
- else if (*(argv[*i]) == '-')
- rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
- else
- goto err_usage;
+ if (*(argv[*i]) == '+')
+ rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
+ else
+ goto err_usage;
- mask |=LDAP_REALM_KRBTICKETFLAGS;
+ mask |=LDAP_REALM_KRBTICKETFLAGS;
}
err_usage:
print_usage = TRUE;
* This function will create a realm on the LDAP Server, with
* the specified attributes.
*/
-void kdb5_ldap_create(argc, argv)
- int argc;
- char *argv[];
+void
+kdb5_ldap_create(int argc, char *argv[])
{
krb5_error_code retval = 0;
krb5_keyblock master_keyblock;
memset(&master_keyblock, 0, sizeof(master_keyblock));
rparams = (krb5_ldap_realm_params *)malloc(
- sizeof(krb5_ldap_realm_params));
+ sizeof(krb5_ldap_realm_params));
if (rparams == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
memset(rparams, 0, sizeof(krb5_ldap_realm_params));
/* Parse the arguments */
for (i = 1; i < argc; i++) {
- if (!strcmp(argv[i], "-subtrees")) {
- if (++i > argc-1)
- goto err_usage;
-
- if (strncmp(argv[i], "", strlen(argv[i]))!=0) {
- list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
- if (list == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
- free(list);
- list = NULL;
- goto cleanup;
- }
-
- rparams->subtreecount=0;
- while (list[rparams->subtreecount]!=NULL)
- (rparams->subtreecount)++;
- rparams->subtree = list;
- } else if (strncmp(argv[i], "", strlen(argv[i]))==0) {
- /* dont allow subtree value to be set at the root(NULL, "") of the tree */
- com_err(progname, EINVAL,
- "for subtree while creating realm '%s'",
- global_params.realm);
- goto err_nomsg;
- }
- rparams->subtree[rparams->subtreecount] = NULL;
- mask |= LDAP_REALM_SUBTREE;
- } else if (!strcmp(argv[i], "-containerref")) {
- if (++i > argc-1)
- goto err_usage;
- if (strncmp(argv[i], "", strlen(argv[i]))==0) {
- /* dont allow containerref value to be set at the root(NULL, "") of the tree */
- com_err(progname, EINVAL,
- "for container reference while creating realm '%s'",
- global_params.realm);
- goto err_nomsg;
- }
- rparams->containerref = strdup(argv[i]);
- if (rparams->containerref == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- mask |= LDAP_REALM_CONTREF;
- } else if (!strcmp(argv[i], "-sscope")) {
- if (++i > argc-1)
- goto err_usage;
- /* Possible values for search scope are
- * one (or 1) and sub (or 2)
- */
- if (!strcasecmp(argv[i], "one")) {
- rparams->search_scope = 1;
- } else if (!strcasecmp(argv[i], "sub")) {
- rparams->search_scope = 2;
- } else {
- rparams->search_scope = atoi(argv[i]);
- if ((rparams->search_scope != 1) &&
- (rparams->search_scope != 2)) {
- com_err(progname, EINVAL,
- "invalid search scope while creating realm '%s'",
- global_params.realm);
- goto err_nomsg;
- }
- }
- mask |= LDAP_REALM_SEARCHSCOPE;
- }
+ if (!strcmp(argv[i], "-subtrees")) {
+ if (++i > argc-1)
+ goto err_usage;
+
+ if (strncmp(argv[i], "", strlen(argv[i]))!=0) {
+ list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
+ if (list == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
+ free(list);
+ list = NULL;
+ goto cleanup;
+ }
+
+ rparams->subtreecount=0;
+ while (list[rparams->subtreecount]!=NULL)
+ (rparams->subtreecount)++;
+ rparams->subtree = list;
+ } else if (strncmp(argv[i], "", strlen(argv[i]))==0) {
+ /* dont allow subtree value to be set at the root(NULL, "") of the tree */
+ com_err(progname, EINVAL,
+ "for subtree while creating realm '%s'",
+ global_params.realm);
+ goto err_nomsg;
+ }
+ rparams->subtree[rparams->subtreecount] = NULL;
+ mask |= LDAP_REALM_SUBTREE;
+ } else if (!strcmp(argv[i], "-containerref")) {
+ if (++i > argc-1)
+ goto err_usage;
+ if (strncmp(argv[i], "", strlen(argv[i]))==0) {
+ /* dont allow containerref value to be set at the root(NULL, "") of the tree */
+ com_err(progname, EINVAL,
+ "for container reference while creating realm '%s'",
+ global_params.realm);
+ goto err_nomsg;
+ }
+ rparams->containerref = strdup(argv[i]);
+ if (rparams->containerref == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ mask |= LDAP_REALM_CONTREF;
+ } else if (!strcmp(argv[i], "-sscope")) {
+ if (++i > argc-1)
+ goto err_usage;
+ /* Possible values for search scope are
+ * one (or 1) and sub (or 2)
+ */
+ if (!strcasecmp(argv[i], "one")) {
+ rparams->search_scope = 1;
+ } else if (!strcasecmp(argv[i], "sub")) {
+ rparams->search_scope = 2;
+ } else {
+ rparams->search_scope = atoi(argv[i]);
+ if ((rparams->search_scope != 1) &&
+ (rparams->search_scope != 2)) {
+ com_err(progname, EINVAL,
+ "invalid search scope while creating realm '%s'",
+ global_params.realm);
+ goto err_nomsg;
+ }
+ }
+ mask |= LDAP_REALM_SEARCHSCOPE;
+ }
#ifdef HAVE_EDIRECTORY
- else if (!strcmp(argv[i], "-kdcdn")) {
- if (++i > argc-1)
- goto err_usage;
- rparams->kdcservers = (char **)malloc(
- sizeof(char *) * MAX_LIST_ENTRIES);
- if (rparams->kdcservers == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
- rparams->kdcservers))) {
- goto cleanup;
- }
- mask |= LDAP_REALM_KDCSERVERS;
- } else if (!strcmp(argv[i], "-admindn")) {
- if (++i > argc-1)
- goto err_usage;
- rparams->adminservers = (char **)malloc(
- sizeof(char *) * MAX_LIST_ENTRIES);
- if (rparams->adminservers == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
- rparams->adminservers))) {
- goto cleanup;
- }
- mask |= LDAP_REALM_ADMINSERVERS;
- } else if (!strcmp(argv[i], "-pwddn")) {
- if (++i > argc-1)
- goto err_usage;
- rparams->passwdservers = (char **)malloc(
- sizeof(char *) * MAX_LIST_ENTRIES);
- if (rparams->passwdservers == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
- rparams->passwdservers))) {
- goto cleanup;
- }
- mask |= LDAP_REALM_PASSWDSERVERS;
- }
+ else if (!strcmp(argv[i], "-kdcdn")) {
+ if (++i > argc-1)
+ goto err_usage;
+ rparams->kdcservers = (char **)malloc(
+ sizeof(char *) * MAX_LIST_ENTRIES);
+ if (rparams->kdcservers == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
+ rparams->kdcservers))) {
+ goto cleanup;
+ }
+ mask |= LDAP_REALM_KDCSERVERS;
+ } else if (!strcmp(argv[i], "-admindn")) {
+ if (++i > argc-1)
+ goto err_usage;
+ rparams->adminservers = (char **)malloc(
+ sizeof(char *) * MAX_LIST_ENTRIES);
+ if (rparams->adminservers == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
+ rparams->adminservers))) {
+ goto cleanup;
+ }
+ mask |= LDAP_REALM_ADMINSERVERS;
+ } else if (!strcmp(argv[i], "-pwddn")) {
+ if (++i > argc-1)
+ goto err_usage;
+ rparams->passwdservers = (char **)malloc(
+ sizeof(char *) * MAX_LIST_ENTRIES);
+ if (rparams->passwdservers == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
+ rparams->passwdservers))) {
+ goto cleanup;
+ }
+ mask |= LDAP_REALM_PASSWDSERVERS;
+ }
#endif
- else if (!strcmp(argv[i], "-s")) {
- do_stash = 1;
- } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
- mask|=ret_mask;
- }
+ else if (!strcmp(argv[i], "-s")) {
+ do_stash = 1;
+ } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
+ mask|=ret_mask;
+ }
- else {
- printf("'%s' is an invalid option\n", argv[i]);
- goto err_usage;
- }
+ else {
+ printf("'%s' is an invalid option\n", argv[i]);
+ goto err_usage;
+ }
}
/* If the default enctype/salttype is not provided, use the
printf("Initializing database for realm '%s'\n", global_params.realm);
if (!mkey_password) {
- unsigned int pw_size;
- printf("You will be prompted for the database Master Password.\n");
- printf("It is important that you NOT FORGET this password.\n");
- fflush(stdout);
-
- pw_size = sizeof (pw_str);
- memset(pw_str, 0, pw_size);
-
- retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2,
- pw_str, &pw_size);
- if (retval) {
- com_err(progname, retval, "while reading master key from keyboard");
- goto err_nomsg;
- }
- mkey_password = pw_str;
+ unsigned int pw_size;
+ printf("You will be prompted for the database Master Password.\n");
+ printf("It is important that you NOT FORGET this password.\n");
+ fflush(stdout);
+
+ pw_size = sizeof (pw_str);
+ memset(pw_str, 0, pw_size);
+
+ retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2,
+ pw_str, &pw_size);
+ if (retval) {
+ com_err(progname, retval, "while reading master key from keyboard");
+ goto err_nomsg;
+ }
+ mkey_password = pw_str;
}
rparams->mkey.enctype = global_params.enctype;
rparams->mkey.length = strlen(mkey_password) + 1;
rparams->mkey.contents = (krb5_octet *)strdup(mkey_password);
if (rparams->mkey.contents == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
rparams->realm_name = strdup(global_params.realm);
if (rparams->realm_name == NULL) {
- retval = ENOMEM;
- com_err(progname, ENOMEM, "while creating realm '%s'",
- global_params.realm);
- goto err_nomsg;
+ retval = ENOMEM;
+ com_err(progname, ENOMEM, "while creating realm '%s'",
+ global_params.realm);
+ goto err_nomsg;
}
dal_handle = util_context->dal_handle;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
if (!ldap_context) {
- retval = EINVAL;
- goto cleanup;
+ retval = EINVAL;
+ goto cleanup;
}
/* read the kerberos container */
if ((retval=krb5_ldap_read_krbcontainer_params (util_context,
- &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) {
- /* Prompt the user for entering the DN of Kerberos container */
- char krb_location[MAX_KRB_CONTAINER_LEN];
- krb5_ldap_krbcontainer_params kparams;
- int krb_location_len = 0;
- memset(&kparams, 0, sizeof(kparams));
-
- /* Read the kerberos container location from configuration file */
- if (ldap_context->conf_section) {
- if ((retval=profile_get_string(util_context->profile,
- KDB_MODULE_SECTION, ldap_context->conf_section,
- "ldap_kerberos_container_dn", NULL,
- &kparams.DN)) != 0) {
- goto cleanup;
- }
- }
- if (kparams.DN == NULL) {
- if ((retval=profile_get_string(util_context->profile,
- KDB_MODULE_DEF_SECTION,
- "ldap_kerberos_container_dn", NULL,
- NULL, &kparams.DN)) != 0) {
- goto cleanup;
- }
- }
-
- printf("\nKerberos container is missing. Creating now...\n");
- if (kparams.DN == NULL) {
+ &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) {
+ /* Prompt the user for entering the DN of Kerberos container */
+ char krb_location[MAX_KRB_CONTAINER_LEN];
+ krb5_ldap_krbcontainer_params kparams;
+ int krb_location_len = 0;
+ memset(&kparams, 0, sizeof(kparams));
+
+ /* Read the kerberos container location from configuration file */
+ if (ldap_context->conf_section) {
+ if ((retval=profile_get_string(util_context->profile,
+ KDB_MODULE_SECTION, ldap_context->conf_section,
+ "ldap_kerberos_container_dn", NULL,
+ &kparams.DN)) != 0) {
+ goto cleanup;
+ }
+ }
+ if (kparams.DN == NULL) {
+ if ((retval=profile_get_string(util_context->profile,
+ KDB_MODULE_DEF_SECTION,
+ "ldap_kerberos_container_dn", NULL,
+ NULL, &kparams.DN)) != 0) {
+ goto cleanup;
+ }
+ }
+
+ printf("\nKerberos container is missing. Creating now...\n");
+ if (kparams.DN == NULL) {
#ifdef HAVE_EDIRECTORY
- printf("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: ");
+ printf("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: ");
#else
- printf("Enter DN of Kerberos container: ");
+ printf("Enter DN of Kerberos container: ");
#endif
- if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) {
- /* Remove the newline character at the end */
- krb_location_len = strlen(krb_location);
- if ((krb_location[krb_location_len - 1] == '\n') ||
- (krb_location[krb_location_len - 1] == '\r')) {
- krb_location[krb_location_len - 1] = '\0';
- krb_location_len--;
- }
- /* If the user has not given any input, take the default location */
- else if (krb_location[0] == '\0')
- kparams.DN = NULL;
- else
- kparams.DN = krb_location;
- } else
- kparams.DN = NULL;
- }
-
- /* create the kerberos container */
- retval = krb5_ldap_create_krbcontainer(util_context,
- ((kparams.DN != NULL) ? &kparams : NULL));
- if (retval)
- goto cleanup;
-
- retval = krb5_ldap_read_krbcontainer_params(util_context,
- &(ldap_context->krbcontainer));
- if (retval) {
- com_err(progname, retval, "while reading kerberos container information");
- goto cleanup;
- }
+ if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) {
+ /* Remove the newline character at the end */
+ krb_location_len = strlen(krb_location);
+ if ((krb_location[krb_location_len - 1] == '\n') ||
+ (krb_location[krb_location_len - 1] == '\r')) {
+ krb_location[krb_location_len - 1] = '\0';
+ krb_location_len--;
+ }
+ /* If the user has not given any input, take the default location */
+ else if (krb_location[0] == '\0')
+ kparams.DN = NULL;
+ else
+ kparams.DN = krb_location;
+ } else
+ kparams.DN = NULL;
+ }
+
+ /* create the kerberos container */
+ retval = krb5_ldap_create_krbcontainer(util_context,
+ ((kparams.DN != NULL) ? &kparams : NULL));
+ if (retval)
+ goto cleanup;
+
+ retval = krb5_ldap_read_krbcontainer_params(util_context,
+ &(ldap_context->krbcontainer));
+ if (retval) {
+ com_err(progname, retval, "while reading kerberos container information");
+ goto cleanup;
+ }
} else if (retval) {
- com_err(progname, retval, "while reading kerberos container information");
- goto cleanup;
+ com_err(progname, retval, "while reading kerberos container information");
+ goto cleanup;
}
if ((retval = krb5_ldap_create_realm(util_context,
- /* global_params.realm, */ rparams, mask))) {
- goto cleanup;
+ /* global_params.realm, */ rparams, mask))) {
+ goto cleanup;
}
/* We just created the Realm container. Here starts our transaction tracking */
realm_obj_created = TRUE;
if ((retval = krb5_ldap_read_realm_params(util_context,
- global_params.realm,
- &(ldap_context->lrparams),
- &mask))) {
- com_err(progname, retval, "while reading information of realm '%s'",
- global_params.realm);
- goto err_nomsg;
+ global_params.realm,
+ &(ldap_context->lrparams),
+ &mask))) {
+ com_err(progname, retval, "while reading information of realm '%s'",
+ global_params.realm);
+ goto err_nomsg;
}
ldap_context->lrparams->realm_name = strdup(global_params.realm);
if (ldap_context->lrparams->realm_name == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
/* assemble & parse the master key name */
if ((retval = krb5_db_setup_mkey_name(util_context,
- global_params.mkey_name,
- global_params.realm,
- 0, &master_princ))) {
- com_err(progname, retval, "while setting up master key name");
- goto err_nomsg;
+ global_params.mkey_name,
+ global_params.realm,
+ 0, &master_princ))) {
+ com_err(progname, retval, "while setting up master key name");
+ goto err_nomsg;
}
/* Obtain master key from master password */
{
- krb5_data master_salt, pwd;
-
- pwd.data = mkey_password;
- pwd.length = strlen(mkey_password);
- retval = krb5_principal2salt(util_context, master_princ, &master_salt);
- if (retval) {
- com_err(progname, retval, "while calculating master key salt");
- goto err_nomsg;
- }
+ krb5_data master_salt, pwd;
+
+ pwd.data = mkey_password;
+ pwd.length = strlen(mkey_password);
+ retval = krb5_principal2salt(util_context, master_princ, &master_salt);
+ if (retval) {
+ com_err(progname, retval, "while calculating master key salt");
+ goto err_nomsg;
+ }
- retval = krb5_c_string_to_key(util_context, rparams->mkey.enctype,
- &pwd, &master_salt, &master_keyblock);
+ retval = krb5_c_string_to_key(util_context, rparams->mkey.enctype,
+ &pwd, &master_salt, &master_keyblock);
- if (master_salt.data)
- free(master_salt.data);
+ if (master_salt.data)
+ free(master_salt.data);
- if (retval) {
- com_err(progname, retval, "while transforming master key from password");
- goto err_nomsg;
- }
+ if (retval) {
+ com_err(progname, retval, "while transforming master key from password");
+ goto err_nomsg;
+ }
}
rblock.key = &master_keyblock;
ldap_context->lrparams->mkey = master_keyblock;
ldap_context->lrparams->mkey.contents = (krb5_octet *) malloc
- (master_keyblock.length);
+ (master_keyblock.length);
if (ldap_context->lrparams->mkey.contents == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
memcpy (ldap_context->lrparams->mkey.contents, master_keyblock.contents,
- master_keyblock.length);
+ master_keyblock.length);
/* Create special principals inside the realm subtree */
{
- char princ_name[MAX_PRINC_SIZE];
- krb5_principal_data tgt_princ = {
- 0, /* magic number */
- {0, 0, 0}, /* krb5_data realm */
- tgt_princ_entries, /* krb5_data *data */
- 2, /* int length */
- KRB5_NT_SRV_INST /* int type */
- };
- krb5_principal p, temp_p=NULL;
-
- krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm);
- krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm));
- krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm;
- krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm);
- /* The container reference value is set to NULL, to avoid service principals
- * getting created within the container reference at realm creation */
- if (ldap_context->lrparams->containerref != NULL) {
- oldcontainerref = ldap_context->lrparams->containerref;
- ldap_context->lrparams->containerref = NULL;
- }
-
- /* Create 'K/M' ... */
- rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX;
- if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) {
- com_err(progname, retval, "while adding entries to the database");
- goto err_nomsg;
- }
-
- /* Create 'krbtgt' ... */
- rblock.flags = 0; /* reset the flags */
- if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) {
- com_err(progname, retval, "while adding entries to the database");
- goto err_nomsg;
- }
-
- /* Create 'kadmin/admin' ... */
- snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm);
- if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
- com_err(progname, retval, "while adding entries to the database");
- goto err_nomsg;
- }
- rblock.max_life = ADMIN_LIFETIME;
- rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
- if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
- krb5_free_principal(util_context, p);
- com_err(progname, retval, "while adding entries to the database");
- goto err_nomsg;
- }
- krb5_free_principal(util_context, p);
-
- /* Create 'kadmin/changepw' ... */
- snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm);
- if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
- com_err(progname, retval, "while adding entries to the database");
- goto err_nomsg;
- }
- rblock.max_life = CHANGEPW_LIFETIME;
- rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED |
- KRB5_KDB_PWCHANGE_SERVICE;
- if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
- krb5_free_principal(util_context, p);
- com_err(progname, retval, "while adding entries to the database");
- goto err_nomsg;
- }
- krb5_free_principal(util_context, p);
-
- /* Create 'kadmin/history' ... */
- snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm);
- if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
- com_err(progname, retval, "while adding entries to the database");
- goto err_nomsg;
- }
- rblock.max_life = global_params.max_life;
- rblock.flags = 0;
- if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
- krb5_free_principal(util_context, p);
- com_err(progname, retval, "while adding entries to the database");
- goto err_nomsg;
- }
- krb5_free_principal(util_context, p);
-
- /* Create 'kadmin/<hostname>' ... */
- if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) {
- com_err(progname, retval, "krb5_sname_to_principal, while adding entries to the database");
- goto err_nomsg;
- }
-
- if ((retval=krb5_copy_principal(util_context, p, &temp_p))) {
- com_err(progname, retval, "krb5_copy_principal, while adding entries to the database");
- goto err_nomsg;
- }
-
- /* change the realm portion to the default realm */
- free(temp_p->realm.data);
- temp_p->realm.length = strlen(util_context->default_realm);
- temp_p->realm.data = strdup(util_context->default_realm);
- if (temp_p->realm.data == NULL) {
- com_err(progname, ENOMEM, "while adding entries to the database");
- goto err_nomsg;
- }
-
- rblock.max_life = ADMIN_LIFETIME;
- rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
- if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
- krb5_free_principal(util_context, p);
- com_err(progname, retval, "while adding entries to the database");
- goto err_nomsg;
- }
- krb5_free_principal(util_context, temp_p);
- krb5_free_principal(util_context, p);
-
- if (oldcontainerref != NULL) {
- ldap_context->lrparams->containerref = oldcontainerref;
- oldcontainerref=NULL;
- }
+ char princ_name[MAX_PRINC_SIZE];
+ krb5_principal_data tgt_princ = {
+ 0, /* magic number */
+ {0, 0, 0}, /* krb5_data realm */
+ tgt_princ_entries, /* krb5_data *data */
+ 2, /* int length */
+ KRB5_NT_SRV_INST /* int type */
+ };
+ krb5_principal p, temp_p=NULL;
+
+ krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm);
+ krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm));
+ krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm;
+ krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm);
+ /* The container reference value is set to NULL, to avoid service principals
+ * getting created within the container reference at realm creation */
+ if (ldap_context->lrparams->containerref != NULL) {
+ oldcontainerref = ldap_context->lrparams->containerref;
+ ldap_context->lrparams->containerref = NULL;
+ }
+
+ /* Create 'K/M' ... */
+ rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX;
+ if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) {
+ com_err(progname, retval, "while adding entries to the database");
+ goto err_nomsg;
+ }
+
+ /* Create 'krbtgt' ... */
+ rblock.flags = 0; /* reset the flags */
+ if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) {
+ com_err(progname, retval, "while adding entries to the database");
+ goto err_nomsg;
+ }
+
+ /* Create 'kadmin/admin' ... */
+ snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm);
+ if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
+ com_err(progname, retval, "while adding entries to the database");
+ goto err_nomsg;
+ }
+ rblock.max_life = ADMIN_LIFETIME;
+ rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
+ if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
+ krb5_free_principal(util_context, p);
+ com_err(progname, retval, "while adding entries to the database");
+ goto err_nomsg;
+ }
+ krb5_free_principal(util_context, p);
+
+ /* Create 'kadmin/changepw' ... */
+ snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm);
+ if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
+ com_err(progname, retval, "while adding entries to the database");
+ goto err_nomsg;
+ }
+ rblock.max_life = CHANGEPW_LIFETIME;
+ rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED |
+ KRB5_KDB_PWCHANGE_SERVICE;
+ if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
+ krb5_free_principal(util_context, p);
+ com_err(progname, retval, "while adding entries to the database");
+ goto err_nomsg;
+ }
+ krb5_free_principal(util_context, p);
+
+ /* Create 'kadmin/history' ... */
+ snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm);
+ if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
+ com_err(progname, retval, "while adding entries to the database");
+ goto err_nomsg;
+ }
+ rblock.max_life = global_params.max_life;
+ rblock.flags = 0;
+ if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
+ krb5_free_principal(util_context, p);
+ com_err(progname, retval, "while adding entries to the database");
+ goto err_nomsg;
+ }
+ krb5_free_principal(util_context, p);
+
+ /* Create 'kadmin/<hostname>' ... */
+ if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) {
+ com_err(progname, retval, "krb5_sname_to_principal, while adding entries to the database");
+ goto err_nomsg;
+ }
+
+ if ((retval=krb5_copy_principal(util_context, p, &temp_p))) {
+ com_err(progname, retval, "krb5_copy_principal, while adding entries to the database");
+ goto err_nomsg;
+ }
+
+ /* change the realm portion to the default realm */
+ free(temp_p->realm.data);
+ temp_p->realm.length = strlen(util_context->default_realm);
+ temp_p->realm.data = strdup(util_context->default_realm);
+ if (temp_p->realm.data == NULL) {
+ com_err(progname, ENOMEM, "while adding entries to the database");
+ goto err_nomsg;
+ }
+
+ rblock.max_life = ADMIN_LIFETIME;
+ rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
+ if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
+ krb5_free_principal(util_context, p);
+ com_err(progname, retval, "while adding entries to the database");
+ goto err_nomsg;
+ }
+ krb5_free_principal(util_context, temp_p);
+ krb5_free_principal(util_context, p);
+
+ if (oldcontainerref != NULL) {
+ ldap_context->lrparams->containerref = oldcontainerref;
+ oldcontainerref=NULL;
+ }
}
#ifdef HAVE_EDIRECTORY
if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
- (mask & LDAP_REALM_PASSWDSERVERS)) {
-
- printf("Changing rights for the service object. Please wait ... ");
- fflush(stdout);
-
- rightsmask =0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
- for (i=0; (rparams->kdcservers[i] != NULL); i++) {
- if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_KDC_SERVICE, rparams->kdcservers[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights to '%s'",
- rparams->realm_name);
- goto err_nomsg;
- }
- }
- }
-
- rightsmask = 0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- if ((rparams != NULL) && (rparams->adminservers != NULL)) {
- for (i=0; (rparams->adminservers[i] != NULL); i++) {
- if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_ADMIN_SERVICE, rparams->adminservers[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights to '%s'",
- rparams->realm_name);
- goto err_nomsg;
- }
- }
- }
-
- rightsmask = 0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
- for (i=0; (rparams->passwdservers[i] != NULL); i++) {
- if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights to '%s'",
- rparams->realm_name);
- goto err_nomsg;
- }
- }
- }
-
- printf("done\n");
+ (mask & LDAP_REALM_PASSWDSERVERS)) {
+
+ printf("Changing rights for the service object. Please wait ... ");
+ fflush(stdout);
+
+ rightsmask =0;
+ rightsmask |= LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
+ for (i=0; (rparams->kdcservers[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_KDC_SERVICE, rparams->kdcservers[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights to '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
+
+ rightsmask = 0;
+ rightsmask |= LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if ((rparams != NULL) && (rparams->adminservers != NULL)) {
+ for (i=0; (rparams->adminservers[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_ADMIN_SERVICE, rparams->adminservers[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights to '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
+
+ rightsmask = 0;
+ rightsmask |= LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
+ for (i=0; (rparams->passwdservers[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights to '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
+
+ printf("done\n");
}
#endif
/* The Realm creation is completed. Here is the end of transaction */
else
mkey_kvno = 1; /* Default */
- retval = krb5_def_store_mkey(util_context,
- global_params.stash_file,
- master_princ,
+ retval = krb5_def_store_mkey(util_context,
+ global_params.stash_file,
+ master_princ,
mkey_kvno,
- &master_keyblock, NULL);
- if (retval) {
- com_err(progname, errno, "while storing key");
- printf("Warning: couldn't stash master key.\n");
- }
+ &master_keyblock, NULL);
+ if (retval) {
+ com_err(progname, errno, "while storing key");
+ printf("Warning: couldn't stash master key.\n");
+ }
}
goto cleanup;
cleanup:
/* If the Realm creation is not complete, do the roll-back here */
if ((realm_obj_created) && (!create_complete))
- krb5_ldap_delete_realm(util_context, global_params.realm);
+ krb5_ldap_delete_realm(util_context, global_params.realm);
if (rparams)
- krb5_ldap_free_realm_params(rparams);
+ krb5_ldap_free_realm_params(rparams);
memset (pw_str, 0, sizeof (pw_str));
if (print_usage)
- db_usage(CREATE_REALM);
+ db_usage(CREATE_REALM);
if (retval) {
- if (!no_msg) {
- com_err(progname, retval, "while creating realm '%s'",
- global_params.realm);
- }
- exit_status++;
+ if (!no_msg) {
+ com_err(progname, retval, "while creating realm '%s'",
+ global_params.realm);
+ }
+ exit_status++;
}
return;
/*
* This function will modify the attributes of a given realm object
*/
-void kdb5_ldap_modify(argc, argv)
- int argc;
- char *argv[];
+void
+kdb5_ldap_modify(int argc, char *argv[])
{
krb5_error_code retval = 0;
krb5_ldap_realm_params *rparams = NULL;
dal_handle = util_context->dal_handle;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
if (!(ldap_context)) {
- retval = EINVAL;
- goto cleanup;
+ retval = EINVAL;
+ goto cleanup;
}
if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
- &(ldap_context->krbcontainer)))) {
- com_err(progname, retval, "while reading Kerberos container information");
- goto err_nomsg;
+ &(ldap_context->krbcontainer)))) {
+ com_err(progname, retval, "while reading Kerberos container information");
+ goto err_nomsg;
}
retval = krb5_ldap_read_realm_params(util_context,
- global_params.realm, &rparams, &rmask);
+ global_params.realm, &rparams, &rmask);
if (retval)
- goto cleanup;
+ goto cleanup;
/* Parse the arguments */
for (i = 1; i < argc; i++) {
- int k = 0;
- if (!strcmp(argv[i], "-subtrees")) {
- if (++i > argc-1)
- goto err_usage;
+ int k = 0;
+ if (!strcmp(argv[i], "-subtrees")) {
+ if (++i > argc-1)
+ goto err_usage;
- if (rmask & LDAP_REALM_SUBTREE) {
- if (rparams->subtree) {
+ if (rmask & LDAP_REALM_SUBTREE) {
+ if (rparams->subtree) {
#ifdef HAVE_EDIRECTORY
- oldsubtrees = (char **) calloc(rparams->subtreecount+1, sizeof(char *));
- if (oldsubtrees == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- for (k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) {
- oldsubtrees[k] = strdup(rparams->subtree[k]);
- if (oldsubtrees[k] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
+ oldsubtrees = (char **) calloc(rparams->subtreecount+1, sizeof(char *));
+ if (oldsubtrees == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ for (k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) {
+ oldsubtrees[k] = strdup(rparams->subtree[k]);
+ if (oldsubtrees[k] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
#endif
- for (k=0; k<rparams->subtreecount && rparams->subtree[k]; k++)
- free(rparams->subtree[k]);
- rparams->subtreecount=0;
- }
- }
- if (strncmp(argv[i] ,"", strlen(argv[i]))!=0) {
- slist = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
- if (slist == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) {
- free(slist);
- slist = NULL;
- goto cleanup;
- }
-
- rparams->subtreecount=0;
- while (slist[rparams->subtreecount]!=NULL)
- (rparams->subtreecount)++;
- rparams->subtree = slist;
- } else if (strncmp(argv[i], "", strlen(argv[i]))==0) {
- /* dont allow subtree value to be set at the root(NULL, "") of the tree */
- com_err(progname, EINVAL,
- "for subtree while modifying realm '%s'",
- global_params.realm);
- goto err_nomsg;
- }
- rparams->subtree[rparams->subtreecount] = NULL;
- mask |= LDAP_REALM_SUBTREE;
- } else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) {
- if (++i > argc-1)
- goto err_usage;
- if (strncmp(argv[i], "", strlen(argv[i]))==0) {
- /* dont allow containerref value to be set at the root(NULL, "") of the tree */
- com_err(progname, EINVAL,
- "for container reference while modifying realm '%s'",
- global_params.realm);
- goto err_nomsg;
- }
+ for (k=0; k<rparams->subtreecount && rparams->subtree[k]; k++)
+ free(rparams->subtree[k]);
+ rparams->subtreecount=0;
+ }
+ }
+ if (strncmp(argv[i] ,"", strlen(argv[i]))!=0) {
+ slist = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
+ if (slist == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) {
+ free(slist);
+ slist = NULL;
+ goto cleanup;
+ }
+
+ rparams->subtreecount=0;
+ while (slist[rparams->subtreecount]!=NULL)
+ (rparams->subtreecount)++;
+ rparams->subtree = slist;
+ } else if (strncmp(argv[i], "", strlen(argv[i]))==0) {
+ /* dont allow subtree value to be set at the root(NULL, "") of the tree */
+ com_err(progname, EINVAL,
+ "for subtree while modifying realm '%s'",
+ global_params.realm);
+ goto err_nomsg;
+ }
+ rparams->subtree[rparams->subtreecount] = NULL;
+ mask |= LDAP_REALM_SUBTREE;
+ } else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) {
+ if (++i > argc-1)
+ goto err_usage;
+ if (strncmp(argv[i], "", strlen(argv[i]))==0) {
+ /* dont allow containerref value to be set at the root(NULL, "") of the tree */
+ com_err(progname, EINVAL,
+ "for container reference while modifying realm '%s'",
+ global_params.realm);
+ goto err_nomsg;
+ }
#ifdef HAVE_EDIRECTORY
if (rparams->containerref != NULL) {
oldcontainerref = rparams->containerref;
}
#endif
- rparams->containerref = strdup(argv[i]);
- if (rparams->containerref == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- mask |= LDAP_REALM_CONTREF;
- } else if (!strcmp(argv[i], "-sscope")) {
- if (++i > argc-1)
- goto err_usage;
- /* Possible values for search scope are
- * one (or 1) and sub (or 2)
- */
- if (strcasecmp(argv[i], "one") == 0) {
- rparams->search_scope = 1;
- } else if (strcasecmp(argv[i], "sub") == 0) {
- rparams->search_scope = 2;
- } else {
- rparams->search_scope = atoi(argv[i]);
- if ((rparams->search_scope != 1) &&
- (rparams->search_scope != 2)) {
- retval = EINVAL;
- com_err(progname, retval,
- "specified for search scope while modifying information of realm '%s'",
- global_params.realm);
- goto err_nomsg;
- }
- }
- mask |= LDAP_REALM_SEARCHSCOPE;
- }
+ rparams->containerref = strdup(argv[i]);
+ if (rparams->containerref == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ mask |= LDAP_REALM_CONTREF;
+ } else if (!strcmp(argv[i], "-sscope")) {
+ if (++i > argc-1)
+ goto err_usage;
+ /* Possible values for search scope are
+ * one (or 1) and sub (or 2)
+ */
+ if (strcasecmp(argv[i], "one") == 0) {
+ rparams->search_scope = 1;
+ } else if (strcasecmp(argv[i], "sub") == 0) {
+ rparams->search_scope = 2;
+ } else {
+ rparams->search_scope = atoi(argv[i]);
+ if ((rparams->search_scope != 1) &&
+ (rparams->search_scope != 2)) {
+ retval = EINVAL;
+ com_err(progname, retval,
+ "specified for search scope while modifying information of realm '%s'",
+ global_params.realm);
+ goto err_nomsg;
+ }
+ }
+ mask |= LDAP_REALM_SEARCHSCOPE;
+ }
#ifdef HAVE_EDIRECTORY
- else if (!strcmp(argv[i], "-kdcdn")) {
- if (++i > argc-1)
- goto err_usage;
-
- if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
- if (!oldkdcdns) {
- /* Store the old kdc dns list for removing rights */
- oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldkdcdns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- for (j=0; rparams->kdcservers[j] != NULL; j++) {
- oldkdcdns[j] = strdup(rparams->kdcservers[j]);
- if (oldkdcdns[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- oldkdcdns[j] = NULL;
- }
-
- krb5_free_list_entries(rparams->kdcservers);
- free(rparams->kdcservers);
- }
-
- rparams->kdcservers = (char **)malloc(
- sizeof(char *) * MAX_LIST_ENTRIES);
- if (rparams->kdcservers == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
- rparams->kdcservers))) {
- goto cleanup;
- }
- mask |= LDAP_REALM_KDCSERVERS;
- /* Going to replace the existing value by this new value. Hence
- * setting flag indicating that add or clear options will be ignored
- */
- newkdcdn = 1;
- } else if (!strcmp(argv[i], "-clearkdcdn")) {
- if (++i > argc-1)
- goto err_usage;
- if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
- if (!oldkdcdns) {
- /* Store the old kdc dns list for removing rights */
- oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldkdcdns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- for (j=0; rparams->kdcservers[j] != NULL; j++) {
- oldkdcdns[j] = strdup(rparams->kdcservers[j]);
- if (oldkdcdns[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- oldkdcdns[j] = NULL;
- }
-
- memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
- goto cleanup;
- }
- list_modify_str_array(&rparams->kdcservers, (const char **)list,
- LIST_MODE_DELETE);
- mask |= LDAP_REALM_KDCSERVERS;
- krb5_free_list_entries(list);
- }
- } else if (!strcmp(argv[i], "-addkdcdn")) {
- if (++i > argc-1)
- goto err_usage;
- if (!newkdcdn) {
- if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) {
- /* Store the old kdc dns list for removing rights */
- oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldkdcdns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- for (j = 0; rparams->kdcservers[j] != NULL; j++) {
- oldkdcdns[j] = strdup(rparams->kdcservers[j]);
- if (oldkdcdns[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- oldkdcdns[j] = NULL;
- }
-
- memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
- goto cleanup;
- }
- existing_entries = list_count_str_array(rparams->kdcservers);
- list_entries = list_count_str_array(list);
- if (rmask & LDAP_REALM_KDCSERVERS) {
- tempstr = (char **)realloc(
- rparams->kdcservers,
- sizeof(char *) * (existing_entries+list_entries+1));
- if (tempstr == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- rparams->kdcservers = tempstr;
- } else {
- rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1));
- if (rparams->kdcservers == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1));
- }
- list_modify_str_array(&rparams->kdcservers, (const char **)list,
- LIST_MODE_ADD);
- mask |= LDAP_REALM_KDCSERVERS;
- }
- } else if (!strcmp(argv[i], "-admindn")) {
- if (++i > argc-1)
- goto err_usage;
-
- if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
- if (!oldadmindns) {
- /* Store the old admin dns list for removing rights */
- oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldadmindns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- for (j=0; rparams->adminservers[j] != NULL; j++) {
- oldadmindns[j] = strdup(rparams->adminservers[j]);
- if (oldadmindns[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- oldadmindns[j] = NULL;
- }
-
- krb5_free_list_entries(rparams->adminservers);
- free(rparams->adminservers);
- }
-
- rparams->adminservers = (char **)malloc(
- sizeof(char *) * MAX_LIST_ENTRIES);
- if (rparams->adminservers == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
- rparams->adminservers))) {
- goto cleanup;
- }
- mask |= LDAP_REALM_ADMINSERVERS;
- /* Going to replace the existing value by this new value. Hence
- * setting flag indicating that add or clear options will be ignored
- */
- newadmindn = 1;
- } else if (!strcmp(argv[i], "-clearadmindn")) {
- if (++i > argc-1)
- goto err_usage;
-
- if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
- if (!oldadmindns) {
- /* Store the old admin dns list for removing rights */
- oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldadmindns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- for (j=0; rparams->adminservers[j] != NULL; j++) {
- oldadmindns[j] = strdup(rparams->adminservers[j]);
- if (oldadmindns[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- oldadmindns[j] = NULL;
- }
-
- memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
- goto cleanup;
- }
- list_modify_str_array(&rparams->adminservers, (const char **)list,
- LIST_MODE_DELETE);
- mask |= LDAP_REALM_ADMINSERVERS;
- krb5_free_list_entries(list);
- }
- } else if (!strcmp(argv[i], "-addadmindn")) {
- if (++i > argc-1)
- goto err_usage;
- if (!newadmindn) {
- if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) {
- /* Store the old admin dns list for removing rights */
- oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldadmindns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- for (j=0; rparams->adminservers[j] != NULL; j++) {
- oldadmindns[j] = strdup(rparams->adminservers[j]);
- if (oldadmindns[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- oldadmindns[j] = NULL;
- }
-
- memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
- goto cleanup;
- }
- existing_entries = list_count_str_array(rparams->adminservers);
- list_entries = list_count_str_array(list);
- if (rmask & LDAP_REALM_ADMINSERVERS) {
- tempstr = (char **)realloc(
- rparams->adminservers,
- sizeof(char *) * (existing_entries+list_entries+1));
- if (tempstr == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- rparams->adminservers = tempstr;
- } else {
- rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1));
- if (rparams->adminservers == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1));
- }
- list_modify_str_array(&rparams->adminservers, (const char **)list,
- LIST_MODE_ADD);
- mask |= LDAP_REALM_ADMINSERVERS;
- }
- } else if (!strcmp(argv[i], "-pwddn")) {
- if (++i > argc-1)
- goto err_usage;
-
- if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
- if (!oldpwddns) {
- /* Store the old pwd dns list for removing rights */
- oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldpwddns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- for (j=0; rparams->passwdservers[j] != NULL; j++) {
- oldpwddns[j] = strdup(rparams->passwdservers[j]);
- if (oldpwddns[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- oldpwddns[j] = NULL;
- }
-
- krb5_free_list_entries(rparams->passwdservers);
- free(rparams->passwdservers);
- }
-
- rparams->passwdservers = (char **)malloc(
- sizeof(char *) * MAX_LIST_ENTRIES);
- if (rparams->passwdservers == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
- rparams->passwdservers))) {
- goto cleanup;
- }
- mask |= LDAP_REALM_PASSWDSERVERS;
- /* Going to replace the existing value by this new value. Hence
- * setting flag indicating that add or clear options will be ignored
- */
- newpwddn = 1;
- } else if (!strcmp(argv[i], "-clearpwddn")) {
- if (++i > argc-1)
- goto err_usage;
-
- if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
- if (!oldpwddns) {
- /* Store the old pwd dns list for removing rights */
- oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldpwddns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- for (j=0; rparams->passwdservers[j] != NULL; j++) {
- oldpwddns[j] = strdup(rparams->passwdservers[j]);
- if (oldpwddns[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- oldpwddns[j] = NULL;
- }
-
- memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
- goto cleanup;
- }
- list_modify_str_array(&rparams->passwdservers, (const char**)list,
- LIST_MODE_DELETE);
- mask |= LDAP_REALM_PASSWDSERVERS;
- krb5_free_list_entries(list);
- }
- } else if (!strcmp(argv[i], "-addpwddn")) {
- if (++i > argc-1)
- goto err_usage;
- if (!newpwddn) {
- if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) {
- /* Store the old pwd dns list for removing rights */
- oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldpwddns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- for (j=0; rparams->passwdservers[j] != NULL; j++) {
- oldpwddns[j] = strdup(rparams->passwdservers[j]);
- if (oldpwddns[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- oldpwddns[j] = NULL;
- }
-
- memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
- goto cleanup;
- }
- existing_entries = list_count_str_array(rparams->passwdservers);
- list_entries = list_count_str_array(list);
- if (rmask & LDAP_REALM_PASSWDSERVERS) {
- tempstr = (char **)realloc(
- rparams->passwdservers,
- sizeof(char *) * (existing_entries+list_entries+1));
- if (tempstr == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- rparams->passwdservers = tempstr;
- } else {
- rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1));
- if (rparams->passwdservers == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1));
- }
- list_modify_str_array(&rparams->passwdservers, (const char**)list,
- LIST_MODE_ADD);
- mask |= LDAP_REALM_PASSWDSERVERS;
- }
- }
+ else if (!strcmp(argv[i], "-kdcdn")) {
+ if (++i > argc-1)
+ goto err_usage;
+
+ if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
+ if (!oldkdcdns) {
+ /* Store the old kdc dns list for removing rights */
+ oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (oldkdcdns == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ for (j=0; rparams->kdcservers[j] != NULL; j++) {
+ oldkdcdns[j] = strdup(rparams->kdcservers[j]);
+ if (oldkdcdns[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
+ oldkdcdns[j] = NULL;
+ }
+
+ krb5_free_list_entries(rparams->kdcservers);
+ free(rparams->kdcservers);
+ }
+
+ rparams->kdcservers = (char **)malloc(
+ sizeof(char *) * MAX_LIST_ENTRIES);
+ if (rparams->kdcservers == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
+ rparams->kdcservers))) {
+ goto cleanup;
+ }
+ mask |= LDAP_REALM_KDCSERVERS;
+ /* Going to replace the existing value by this new value. Hence
+ * setting flag indicating that add or clear options will be ignored
+ */
+ newkdcdn = 1;
+ } else if (!strcmp(argv[i], "-clearkdcdn")) {
+ if (++i > argc-1)
+ goto err_usage;
+ if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
+ if (!oldkdcdns) {
+ /* Store the old kdc dns list for removing rights */
+ oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (oldkdcdns == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ for (j=0; rparams->kdcservers[j] != NULL; j++) {
+ oldkdcdns[j] = strdup(rparams->kdcservers[j]);
+ if (oldkdcdns[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
+ oldkdcdns[j] = NULL;
+ }
+
+ memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
+ goto cleanup;
+ }
+ list_modify_str_array(&rparams->kdcservers, (const char **)list,
+ LIST_MODE_DELETE);
+ mask |= LDAP_REALM_KDCSERVERS;
+ krb5_free_list_entries(list);
+ }
+ } else if (!strcmp(argv[i], "-addkdcdn")) {
+ if (++i > argc-1)
+ goto err_usage;
+ if (!newkdcdn) {
+ if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) {
+ /* Store the old kdc dns list for removing rights */
+ oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (oldkdcdns == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ for (j = 0; rparams->kdcservers[j] != NULL; j++) {
+ oldkdcdns[j] = strdup(rparams->kdcservers[j]);
+ if (oldkdcdns[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
+ oldkdcdns[j] = NULL;
+ }
+
+ memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
+ goto cleanup;
+ }
+ existing_entries = list_count_str_array(rparams->kdcservers);
+ list_entries = list_count_str_array(list);
+ if (rmask & LDAP_REALM_KDCSERVERS) {
+ tempstr = (char **)realloc(
+ rparams->kdcservers,
+ sizeof(char *) * (existing_entries+list_entries+1));
+ if (tempstr == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ rparams->kdcservers = tempstr;
+ } else {
+ rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1));
+ if (rparams->kdcservers == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1));
+ }
+ list_modify_str_array(&rparams->kdcservers, (const char **)list,
+ LIST_MODE_ADD);
+ mask |= LDAP_REALM_KDCSERVERS;
+ }
+ } else if (!strcmp(argv[i], "-admindn")) {
+ if (++i > argc-1)
+ goto err_usage;
+
+ if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
+ if (!oldadmindns) {
+ /* Store the old admin dns list for removing rights */
+ oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (oldadmindns == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ for (j=0; rparams->adminservers[j] != NULL; j++) {
+ oldadmindns[j] = strdup(rparams->adminservers[j]);
+ if (oldadmindns[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
+ oldadmindns[j] = NULL;
+ }
+
+ krb5_free_list_entries(rparams->adminservers);
+ free(rparams->adminservers);
+ }
+
+ rparams->adminservers = (char **)malloc(
+ sizeof(char *) * MAX_LIST_ENTRIES);
+ if (rparams->adminservers == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
+ rparams->adminservers))) {
+ goto cleanup;
+ }
+ mask |= LDAP_REALM_ADMINSERVERS;
+ /* Going to replace the existing value by this new value. Hence
+ * setting flag indicating that add or clear options will be ignored
+ */
+ newadmindn = 1;
+ } else if (!strcmp(argv[i], "-clearadmindn")) {
+ if (++i > argc-1)
+ goto err_usage;
+
+ if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
+ if (!oldadmindns) {
+ /* Store the old admin dns list for removing rights */
+ oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (oldadmindns == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ for (j=0; rparams->adminservers[j] != NULL; j++) {
+ oldadmindns[j] = strdup(rparams->adminservers[j]);
+ if (oldadmindns[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
+ oldadmindns[j] = NULL;
+ }
+
+ memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
+ goto cleanup;
+ }
+ list_modify_str_array(&rparams->adminservers, (const char **)list,
+ LIST_MODE_DELETE);
+ mask |= LDAP_REALM_ADMINSERVERS;
+ krb5_free_list_entries(list);
+ }
+ } else if (!strcmp(argv[i], "-addadmindn")) {
+ if (++i > argc-1)
+ goto err_usage;
+ if (!newadmindn) {
+ if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) {
+ /* Store the old admin dns list for removing rights */
+ oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (oldadmindns == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ for (j=0; rparams->adminservers[j] != NULL; j++) {
+ oldadmindns[j] = strdup(rparams->adminservers[j]);
+ if (oldadmindns[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
+ oldadmindns[j] = NULL;
+ }
+
+ memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
+ goto cleanup;
+ }
+ existing_entries = list_count_str_array(rparams->adminservers);
+ list_entries = list_count_str_array(list);
+ if (rmask & LDAP_REALM_ADMINSERVERS) {
+ tempstr = (char **)realloc(
+ rparams->adminservers,
+ sizeof(char *) * (existing_entries+list_entries+1));
+ if (tempstr == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ rparams->adminservers = tempstr;
+ } else {
+ rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1));
+ if (rparams->adminservers == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1));
+ }
+ list_modify_str_array(&rparams->adminservers, (const char **)list,
+ LIST_MODE_ADD);
+ mask |= LDAP_REALM_ADMINSERVERS;
+ }
+ } else if (!strcmp(argv[i], "-pwddn")) {
+ if (++i > argc-1)
+ goto err_usage;
+
+ if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
+ if (!oldpwddns) {
+ /* Store the old pwd dns list for removing rights */
+ oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (oldpwddns == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ for (j=0; rparams->passwdservers[j] != NULL; j++) {
+ oldpwddns[j] = strdup(rparams->passwdservers[j]);
+ if (oldpwddns[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
+ oldpwddns[j] = NULL;
+ }
+
+ krb5_free_list_entries(rparams->passwdservers);
+ free(rparams->passwdservers);
+ }
+
+ rparams->passwdservers = (char **)malloc(
+ sizeof(char *) * MAX_LIST_ENTRIES);
+ if (rparams->passwdservers == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
+ rparams->passwdservers))) {
+ goto cleanup;
+ }
+ mask |= LDAP_REALM_PASSWDSERVERS;
+ /* Going to replace the existing value by this new value. Hence
+ * setting flag indicating that add or clear options will be ignored
+ */
+ newpwddn = 1;
+ } else if (!strcmp(argv[i], "-clearpwddn")) {
+ if (++i > argc-1)
+ goto err_usage;
+
+ if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
+ if (!oldpwddns) {
+ /* Store the old pwd dns list for removing rights */
+ oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (oldpwddns == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ for (j=0; rparams->passwdservers[j] != NULL; j++) {
+ oldpwddns[j] = strdup(rparams->passwdservers[j]);
+ if (oldpwddns[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
+ oldpwddns[j] = NULL;
+ }
+
+ memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
+ goto cleanup;
+ }
+ list_modify_str_array(&rparams->passwdservers, (const char**)list,
+ LIST_MODE_DELETE);
+ mask |= LDAP_REALM_PASSWDSERVERS;
+ krb5_free_list_entries(list);
+ }
+ } else if (!strcmp(argv[i], "-addpwddn")) {
+ if (++i > argc-1)
+ goto err_usage;
+ if (!newpwddn) {
+ if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) {
+ /* Store the old pwd dns list for removing rights */
+ oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (oldpwddns == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ for (j=0; rparams->passwdservers[j] != NULL; j++) {
+ oldpwddns[j] = strdup(rparams->passwdservers[j]);
+ if (oldpwddns[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
+ oldpwddns[j] = NULL;
+ }
+
+ memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
+ goto cleanup;
+ }
+ existing_entries = list_count_str_array(rparams->passwdservers);
+ list_entries = list_count_str_array(list);
+ if (rmask & LDAP_REALM_PASSWDSERVERS) {
+ tempstr = (char **)realloc(
+ rparams->passwdservers,
+ sizeof(char *) * (existing_entries+list_entries+1));
+ if (tempstr == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ rparams->passwdservers = tempstr;
+ } else {
+ rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1));
+ if (rparams->passwdservers == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1));
+ }
+ list_modify_str_array(&rparams->passwdservers, (const char**)list,
+ LIST_MODE_ADD);
+ mask |= LDAP_REALM_PASSWDSERVERS;
+ }
+ }
#endif
- else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
- mask|=ret_mask;
- } else {
- printf("'%s' is an invalid option\n", argv[i]);
- goto err_usage;
- }
+ else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
+ mask|=ret_mask;
+ } else {
+ printf("'%s' is an invalid option\n", argv[i]);
+ goto err_usage;
+ }
}
if ((retval = krb5_ldap_modify_realm(util_context,
- /* global_params.realm, */ rparams, mask))) {
- goto cleanup;
+ /* global_params.realm, */ rparams, mask))) {
+ goto cleanup;
}
#ifdef HAVE_EDIRECTORY
if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF) || (mask & LDAP_REALM_KDCSERVERS) ||
- (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) {
+ (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) {
- printf("Changing rights for the service object. Please wait ... ");
- fflush(stdout);
+ printf("Changing rights for the service object. Please wait ... ");
+ fflush(stdout);
if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF)) {
subtree_changed = 1;
- }
+ }
if ((subtree_changed) || (mask & LDAP_REALM_KDCSERVERS)) {
/* Remove the rights on the old subtrees */
for (i=0; (kdcdns[i] != NULL); i++) {
if ((retval=krb5_ldap_delete_service_rights(util_context,
- LDAP_KDC_SERVICE, kdcdns[i],
- rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+ LDAP_KDC_SERVICE, kdcdns[i],
+ rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
goto err_nomsg;
- }
- }
- }
+ }
+ }
+ }
for (i=0; (kdcdns[i] != NULL); i++) {
if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_KDC_SERVICE, kdcdns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ LDAP_KDC_SERVICE, kdcdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
goto err_nomsg;
- }
- }
- }
- }
+ }
+ }
+ }
+ }
if (!subtree_changed) {
char **newdns = NULL;
if (oldkdcdns != NULL) {
newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
if (newdns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
+ retval = ENOMEM;
+ goto cleanup;
+ }
- if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
- for (j=0; rparams->kdcservers[j]!= NULL; j++) {
+ if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
+ for (j=0; rparams->kdcservers[j]!= NULL; j++) {
newdns[j] = strdup(rparams->kdcservers[j]);
if (newdns[j] == NULL) {
FREE_DN_LIST(newdns);
- retval = ENOMEM;
- goto cleanup;
- }
- }
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
newdns[j] = NULL;
- }
+ }
disjoint_members(oldkdcdns, newdns);
for (i=0; (oldkdcdns[i] != NULL); i++) {
if ((retval=krb5_ldap_delete_service_rights(util_context,
- LDAP_KDC_SERVICE, oldkdcdns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ LDAP_KDC_SERVICE, oldkdcdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
FREE_DN_LIST(newdns);
goto err_nomsg;
- }
- }
+ }
+ }
for (i=0; (newdns[i] != NULL); i++) {
if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_KDC_SERVICE, newdns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ LDAP_KDC_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
FREE_DN_LIST(newdns);
goto err_nomsg;
- }
+ }
}
for (i=0; (newdns[i] != NULL); i++) {
free(newdns[i]);
newdns = rparams->kdcservers;
for (i=0; (newdns[i] != NULL); i++) {
if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_KDC_SERVICE, newdns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ LDAP_KDC_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
goto err_nomsg;
- }
- }
- }
+ }
+ }
+ }
}
if (subtree_changed && (mask & LDAP_REALM_KDCSERVERS)) {
char **newdns = rparams->kdcservers;
- rightsmask =0;
+ rightsmask =0;
rightsmask = LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
if (oldkdcdns != NULL) {
- for (i=0; (oldkdcdns[i] != NULL); i++) {
- if ((retval=krb5_ldap_delete_service_rights(util_context,
- LDAP_KDC_SERVICE, oldkdcdns[i],
- rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
- goto err_nomsg;
- }
- }
- }
+ for (i=0; (oldkdcdns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_delete_service_rights(util_context,
+ LDAP_KDC_SERVICE, oldkdcdns[i],
+ rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
for (i=0; (newdns[i] != NULL); i++) {
if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_KDC_SERVICE, newdns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ LDAP_KDC_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
goto err_nomsg;
}
}
if (rparams->adminservers != NULL) {
char **admindns = rparams->adminservers;
/* Only subtree and/or container ref has changed */
- rightsmask =0;
+ rightsmask =0;
/* KADMINSERVERS have not changed. Realm rights need not be changed */;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) {
/* Remove the rights on the old subtrees */
for (i=0; (admindns[i] != NULL); i++) {
if ((retval=krb5_ldap_delete_service_rights(util_context,
- LDAP_ADMIN_SERVICE, admindns[i],
- rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+ LDAP_ADMIN_SERVICE, admindns[i],
+ rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
goto err_nomsg;
}
}
}
for (i=0; (admindns[i] != NULL); i++) {
- if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_ADMIN_SERVICE, admindns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- printf("failed\n");
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_ADMIN_SERVICE, admindns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
- goto err_nomsg;
- }
- }
- }
- }
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
+ }
if (!subtree_changed) {
char **newdns = NULL;
if (oldadmindns != NULL) {
newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
if (newdns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
+ retval = ENOMEM;
+ goto cleanup;
+ }
- if ((rparams != NULL) && (rparams->adminservers != NULL)) {
- for (j=0; rparams->adminservers[j]!= NULL; j++) {
+ if ((rparams != NULL) && (rparams->adminservers != NULL)) {
+ for (j=0; rparams->adminservers[j]!= NULL; j++) {
newdns[j] = strdup(rparams->adminservers[j]);
if (newdns[j] == NULL) {
FREE_DN_LIST(newdns);
- retval = ENOMEM;
- goto cleanup;
- }
- }
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
newdns[j] = NULL;
- }
+ }
disjoint_members(oldadmindns, newdns);
for (i=0; (oldadmindns[i] != NULL); i++) {
if ((retval=krb5_ldap_delete_service_rights(util_context,
- LDAP_ADMIN_SERVICE, oldadmindns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ LDAP_ADMIN_SERVICE, oldadmindns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
FREE_DN_LIST(newdns);
goto err_nomsg;
- }
+ }
}
for (i=0; (newdns[i] != NULL); i++) {
if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_ADMIN_SERVICE, newdns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ LDAP_ADMIN_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
FREE_DN_LIST(newdns);
goto err_nomsg;
- }
- }
+ }
+ }
for (i=0; (newdns[i] != NULL); i++) {
free(newdns[i]);
}
newdns = rparams->adminservers;
for (i=0; (newdns[i] != NULL); i++) {
if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_ADMIN_SERVICE, newdns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ LDAP_ADMIN_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
goto err_nomsg;
- }
- }
- }
+ }
+ }
+ }
}
if (subtree_changed && (mask & LDAP_REALM_ADMINSERVERS)) {
char **newdns = rparams->adminservers;
- rightsmask = 0;
+ rightsmask = 0;
rightsmask = LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
if (oldadmindns != NULL) {
- for (i=0; (oldadmindns[i] != NULL); i++) {
- if ((retval=krb5_ldap_delete_service_rights(util_context,
- LDAP_ADMIN_SERVICE, oldadmindns[i],
- rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
- goto err_nomsg;
- }
- }
- }
+ for (i=0; (oldadmindns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_delete_service_rights(util_context,
+ LDAP_ADMIN_SERVICE, oldadmindns[i],
+ rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
for (i=0; (newdns[i] != NULL); i++) {
if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_ADMIN_SERVICE, newdns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ LDAP_ADMIN_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
goto err_nomsg;
}
}
if (rparams->passwdservers != NULL) {
char **passwddns = rparams->passwdservers;
/* Only subtree and/or container ref has changed */
- rightsmask = 0;
+ rightsmask = 0;
/* KPASSWDSERVERS have not changed. Realm rights need not be changed */;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) {
/* Remove the rights on the old subtrees */
for (i=0; (passwddns[i] != NULL); i++) {
if ((retval=krb5_ldap_delete_service_rights(util_context,
- LDAP_PASSWD_SERVICE, passwddns[i],
- rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+ LDAP_PASSWD_SERVICE, passwddns[i],
+ rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
goto err_nomsg;
}
}
}
for (i=0; (passwddns[i] != NULL); i++) {
- if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_PASSWD_SERVICE, passwddns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- printf("failed\n");
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_PASSWD_SERVICE, passwddns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
- goto err_nomsg;
- }
- }
- }
- }
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
+ }
if (!subtree_changed) {
char **newdns = NULL;
if (oldpwddns != NULL) {
newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
if (newdns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
+ retval = ENOMEM;
+ goto cleanup;
+ }
- if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
- for (j=0; rparams->passwdservers[j]!= NULL; j++) {
+ if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
+ for (j=0; rparams->passwdservers[j]!= NULL; j++) {
newdns[j] = strdup(rparams->passwdservers[j]);
if (newdns[j] == NULL) {
FREE_DN_LIST(newdns);
- retval = ENOMEM;
- goto cleanup;
- }
- }
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
newdns[j] = NULL;
- }
+ }
disjoint_members(oldpwddns, newdns);
for (i=0; (oldpwddns[i] != NULL); i++) {
if ((retval=krb5_ldap_delete_service_rights(util_context,
- LDAP_PASSWD_SERVICE, oldpwddns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ LDAP_PASSWD_SERVICE, oldpwddns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
FREE_DN_LIST(newdns);
goto err_nomsg;
- }
- }
+ }
+ }
for (i=0; (newdns[i] != NULL); i++) {
if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_PASSWD_SERVICE, newdns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ LDAP_PASSWD_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
FREE_DN_LIST(newdns);
goto err_nomsg;
- }
+ }
}
for (i=0; (newdns[i] != NULL); i++) {
free(newdns[i]);
newdns = rparams->passwdservers;
for (i=0; (newdns[i] != NULL); i++) {
if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_PASSWD_SERVICE, newdns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ LDAP_PASSWD_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
+ rparams->realm_name);
goto err_nomsg;
- }
- }
- }
+ }
+ }
+ }
}
if (subtree_changed && (mask & LDAP_REALM_PASSWDSERVERS)) {
char **newdns = rparams->passwdservers;
- rightsmask =0;
+ rightsmask =0;
rightsmask = LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
if (oldpwddns != NULL) {
- for (i=0; (oldpwddns[i] != NULL); i++) {
- if ((retval = krb5_ldap_delete_service_rights(util_context,
- LDAP_PASSWD_SERVICE, oldpwddns[i],
- rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
- goto err_nomsg;
- }
- }
- }
+ for (i=0; (oldpwddns[i] != NULL); i++) {
+ if ((retval = krb5_ldap_delete_service_rights(util_context,
+ LDAP_PASSWD_SERVICE, oldpwddns[i],
+ rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
for (i=0; (newdns[i] != NULL); i++) {
- if ((retval = krb5_ldap_add_service_rights(util_context,
- LDAP_PASSWD_SERVICE, newdns[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- printf("failed\n");
+ if ((retval = krb5_ldap_add_service_rights(util_context,
+ LDAP_PASSWD_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
- goto err_nomsg;
- }
- }
- }
- }
- printf("done\n");
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
+ }
+ printf("done\n");
}
#endif
#ifdef HAVE_EDIRECTORY
if (oldkdcdns) {
- for (i=0; oldkdcdns[i] != NULL; i++)
- free(oldkdcdns[i]);
- free(oldkdcdns);
+ for (i=0; oldkdcdns[i] != NULL; i++)
+ free(oldkdcdns[i]);
+ free(oldkdcdns);
}
if (oldpwddns) {
- for (i=0; oldpwddns[i] != NULL; i++)
- free(oldpwddns[i]);
- free(oldpwddns);
+ for (i=0; oldpwddns[i] != NULL; i++)
+ free(oldpwddns[i]);
+ free(oldpwddns);
}
if (oldadmindns) {
- for (i=0; oldadmindns[i] != NULL; i++)
- free(oldadmindns[i]);
- free(oldadmindns);
+ for (i=0; oldadmindns[i] != NULL; i++)
+ free(oldadmindns[i]);
+ free(oldadmindns);
}
if (newkdcdns) {
- for (i=0; newkdcdns[i] != NULL; i++)
- free(newkdcdns[i]);
- free(newkdcdns);
+ for (i=0; newkdcdns[i] != NULL; i++)
+ free(newkdcdns[i]);
+ free(newkdcdns);
}
if (newpwddns) {
- for (i=0; newpwddns[i] != NULL; i++)
- free(newpwddns[i]);
- free(newpwddns);
+ for (i=0; newpwddns[i] != NULL; i++)
+ free(newpwddns[i]);
+ free(newpwddns);
}
if (newadmindns) {
- for (i=0; newadmindns[i] != NULL; i++)
- free(newadmindns[i]);
- free(newadmindns);
+ for (i=0; newadmindns[i] != NULL; i++)
+ free(newadmindns[i]);
+ free(newadmindns);
}
if (oldsubtrees) {
- for (i=0;oldsubtrees[i]!=NULL; i++)
- free(oldsubtrees[i]);
- free(oldsubtrees);
+ for (i=0;oldsubtrees[i]!=NULL; i++)
+ free(oldsubtrees[i]);
+ free(oldsubtrees);
}
if (newsubtrees) {
- for (i=0;newsubtrees[i]!=NULL; i++)
- free(newsubtrees[i]);
- free(oldsubtrees);
+ for (i=0;newsubtrees[i]!=NULL; i++)
+ free(newsubtrees[i]);
+ free(oldsubtrees);
}
#endif
if (print_usage) {
- db_usage(MODIFY_REALM);
+ db_usage(MODIFY_REALM);
}
if (retval) {
- if (!no_msg)
- com_err(progname, retval, "while modifying information of realm '%s'",
- global_params.realm);
- exit_status++;
+ if (!no_msg)
+ com_err(progname, retval, "while modifying information of realm '%s'",
+ global_params.realm);
+ exit_status++;
}
return;
/*
* This function displays the attributes of a Realm
*/
-void kdb5_ldap_view(argc, argv)
- int argc;
- char *argv[];
+void
+kdb5_ldap_view(int argc, char *argv[])
{
krb5_ldap_realm_params *rparams = NULL;
krb5_error_code retval = 0;
dal_handle = util_context->dal_handle;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
if (!(ldap_context)) {
- retval = EINVAL;
- com_err(progname, retval, "while initializing database");
- exit_status++;
- return;
+ retval = EINVAL;
+ com_err(progname, retval, "while initializing database");
+ exit_status++;
+ return;
}
/* Read the kerberos container information */
if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
- &(ldap_context->krbcontainer))) != 0) {
- com_err(progname, retval, "while reading kerberos container information");
- exit_status++;
- return;
+ &(ldap_context->krbcontainer))) != 0) {
+ com_err(progname, retval, "while reading kerberos container information");
+ exit_status++;
+ return;
}
if ((retval = krb5_ldap_read_realm_params(util_context,
- global_params.realm, &rparams, &mask)) || (!rparams)) {
- com_err(progname, retval, "while reading information of realm '%s'",
- global_params.realm);
- exit_status++;
- return;
+ global_params.realm, &rparams, &mask)) || (!rparams)) {
+ com_err(progname, retval, "while reading information of realm '%s'",
+ global_params.realm);
+ exit_status++;
+ return;
}
print_realm_params(rparams, mask);
krb5_ldap_free_realm_params(rparams);
return;
}
-static char *strdur(duration)
- time_t duration;
+static char *
+strdur(time_t duration)
{
static char out[50];
int neg, days, hours, minutes, seconds;
if (duration < 0) {
- duration *= -1;
- neg = 1;
+ duration *= -1;
+ neg = 1;
} else
- neg = 0;
+ neg = 0;
days = duration / (24 * 3600);
duration %= 24 * 3600;
hours = duration / 3600;
duration %= 60;
seconds = duration;
snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
- days, days == 1 ? "day" : "days",
- hours, minutes, seconds);
+ days, days == 1 ? "day" : "days",
+ hours, minutes, seconds);
return out;
}
* This function prints the attributes of a given realm to the
* standard output.
*/
-static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
+static void
+print_realm_params(krb5_ldap_realm_params *rparams, int mask)
{
char **slist = NULL;
unsigned int num_entry_printed = 0, i = 0;
/* Print the Realm Attributes on the standard output */
printf("%25s: %-50s\n", "Realm Name", global_params.realm);
if (mask & LDAP_REALM_SUBTREE) {
- for (i=0; rparams->subtree[i]!=NULL; i++)
- printf("%25s: %-50s\n", "Subtree", rparams->subtree[i]);
+ for (i=0; rparams->subtree[i]!=NULL; i++)
+ printf("%25s: %-50s\n", "Subtree", rparams->subtree[i]);
}
if (mask & LDAP_REALM_CONTREF)
- printf("%25s: %-50s\n", "Principal Container Reference", rparams->containerref);
+ printf("%25s: %-50s\n", "Principal Container Reference", rparams->containerref);
if (mask & LDAP_REALM_SEARCHSCOPE) {
- if ((rparams->search_scope != 1) &&
- (rparams->search_scope != 2)) {
- printf("%25s: %-50s\n", "SearchScope", "Invalid !");
- } else {
- printf("%25s: %-50s\n", "SearchScope",
- (rparams->search_scope == 1) ? "ONE" : "SUB");
- }
+ if ((rparams->search_scope != 1) &&
+ (rparams->search_scope != 2)) {
+ printf("%25s: %-50s\n", "SearchScope", "Invalid !");
+ } else {
+ printf("%25s: %-50s\n", "SearchScope",
+ (rparams->search_scope == 1) ? "ONE" : "SUB");
+ }
}
if (mask & LDAP_REALM_KDCSERVERS) {
- printf("%25s:", "KDC Services");
- if (rparams->kdcservers != NULL) {
- num_entry_printed = 0;
- for (slist = rparams->kdcservers; *slist != NULL; slist++) {
- if (num_entry_printed)
- printf(" %25s %-50s\n", " ", *slist);
- else
- printf(" %-50s\n", *slist);
- num_entry_printed++;
- }
- }
- if (num_entry_printed == 0)
- printf("\n");
+ printf("%25s:", "KDC Services");
+ if (rparams->kdcservers != NULL) {
+ num_entry_printed = 0;
+ for (slist = rparams->kdcservers; *slist != NULL; slist++) {
+ if (num_entry_printed)
+ printf(" %25s %-50s\n", " ", *slist);
+ else
+ printf(" %-50s\n", *slist);
+ num_entry_printed++;
+ }
+ }
+ if (num_entry_printed == 0)
+ printf("\n");
}
if (mask & LDAP_REALM_ADMINSERVERS) {
- printf("%25s:", "Admin Services");
- if (rparams->adminservers != NULL) {
- num_entry_printed = 0;
- for (slist = rparams->adminservers; *slist != NULL; slist++) {
- if (num_entry_printed)
- printf(" %25s %-50s\n", " ", *slist);
- else
- printf(" %-50s\n", *slist);
- num_entry_printed++;
- }
- }
- if (num_entry_printed == 0)
- printf("\n");
+ printf("%25s:", "Admin Services");
+ if (rparams->adminservers != NULL) {
+ num_entry_printed = 0;
+ for (slist = rparams->adminservers; *slist != NULL; slist++) {
+ if (num_entry_printed)
+ printf(" %25s %-50s\n", " ", *slist);
+ else
+ printf(" %-50s\n", *slist);
+ num_entry_printed++;
+ }
+ }
+ if (num_entry_printed == 0)
+ printf("\n");
}
if (mask & LDAP_REALM_PASSWDSERVERS) {
- printf("%25s:", "Passwd Services");
- if (rparams->passwdservers != NULL) {
- num_entry_printed = 0;
- for (slist = rparams->passwdservers; *slist != NULL; slist++) {
- if (num_entry_printed)
- printf(" %25s %-50s\n", " ", *slist);
- else
- printf(" %-50s\n", *slist);
- num_entry_printed++;
- }
- }
- if (num_entry_printed == 0)
- printf("\n");
+ printf("%25s:", "Passwd Services");
+ if (rparams->passwdservers != NULL) {
+ num_entry_printed = 0;
+ for (slist = rparams->passwdservers; *slist != NULL; slist++) {
+ if (num_entry_printed)
+ printf(" %25s %-50s\n", " ", *slist);
+ else
+ printf(" %-50s\n", *slist);
+ num_entry_printed++;
+ }
+ }
+ if (num_entry_printed == 0)
+ printf("\n");
}
if (mask & LDAP_REALM_MAXTICKETLIFE) {
- printf("%25s:", "Maximum Ticket Life");
- printf(" %s \n", strdur(rparams->max_life));
+ printf("%25s:", "Maximum Ticket Life");
+ printf(" %s \n", strdur(rparams->max_life));
}
if (mask & LDAP_REALM_MAXRENEWLIFE) {
- printf("%25s:", "Maximum Renewable Life");
- printf(" %s \n", strdur(rparams->max_renewable_life));
+ printf("%25s:", "Maximum Renewable Life");
+ printf(" %s \n", strdur(rparams->max_renewable_life));
}
if (mask & LDAP_REALM_KRBTICKETFLAGS) {
- int ticketflags = rparams->tktflags;
+ int ticketflags = rparams->tktflags;
- printf("%25s: ", "Ticket flags");
- if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
- printf("%s ","DISALLOW_POSTDATED");
+ printf("%25s: ", "Ticket flags");
+ if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
+ printf("%s ","DISALLOW_POSTDATED");
- if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE)
- printf("%s ","DISALLOW_FORWARDABLE");
+ if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE)
+ printf("%s ","DISALLOW_FORWARDABLE");
- if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE)
- printf("%s ","DISALLOW_RENEWABLE");
+ if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE)
+ printf("%s ","DISALLOW_RENEWABLE");
- if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE)
- printf("%s ","DISALLOW_PROXIABLE");
+ if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE)
+ printf("%s ","DISALLOW_PROXIABLE");
- if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY)
- printf("%s ","DISALLOW_DUP_SKEY");
+ if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY)
+ printf("%s ","DISALLOW_DUP_SKEY");
- if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH)
- printf("%s ","REQUIRES_PRE_AUTH");
+ if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH)
+ printf("%s ","REQUIRES_PRE_AUTH");
- if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH)
- printf("%s ","REQUIRES_HW_AUTH");
+ if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH)
+ printf("%s ","REQUIRES_HW_AUTH");
- if (ticketflags & KRB5_KDB_DISALLOW_SVR)
- printf("%s ","DISALLOW_SVR");
+ if (ticketflags & KRB5_KDB_DISALLOW_SVR)
+ printf("%s ","DISALLOW_SVR");
- if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED)
- printf("%s ","DISALLOW_TGT_BASED");
+ if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED)
+ printf("%s ","DISALLOW_TGT_BASED");
- if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX)
- printf("%s ","DISALLOW_ALL_TIX");
+ if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX)
+ printf("%s ","DISALLOW_ALL_TIX");
- if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE)
- printf("%s ","REQUIRES_PWCHANGE");
+ if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE)
+ printf("%s ","REQUIRES_PWCHANGE");
- if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
- printf("%s ","PWCHANGE_SERVICE");
+ if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
+ printf("%s ","PWCHANGE_SERVICE");
- printf("\n");
+ printf("\n");
}
* This function lists the Realm(s) present under the Kerberos container
* on the LDAP Server.
*/
-void kdb5_ldap_list(argc, argv)
- int argc;
- char *argv[];
+void
+kdb5_ldap_list(int argc, char *argv[])
{
char **list = NULL;
char **plist = NULL;
dal_handle = util_context->dal_handle;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
if (!(ldap_context)) {
- retval = EINVAL;
- exit_status++;
- return;
+ retval = EINVAL;
+ exit_status++;
+ return;
}
/* Read the kerberos container information */
if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
- &(ldap_context->krbcontainer))) != 0) {
- com_err(progname, retval, "while reading kerberos container information");
- exit_status++;
- return;
+ &(ldap_context->krbcontainer))) != 0) {
+ com_err(progname, retval, "while reading kerberos container information");
+ exit_status++;
+ return;
}
retval = krb5_ldap_list_realm(util_context, &list);
if (retval != 0) {
- krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
- ldap_context->krbcontainer = NULL;
- com_err (progname, retval, "while listing realms");
- exit_status++;
- return;
+ krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
+ ldap_context->krbcontainer = NULL;
+ com_err (progname, retval, "while listing realms");
+ exit_status++;
+ return;
}
/* This is to handle the case of realm not present */
if (list == NULL) {
- krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
- ldap_context->krbcontainer = NULL;
- return;
+ krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
+ ldap_context->krbcontainer = NULL;
+ return;
}
for (plist = list; *plist != NULL; plist++) {
- printf("%s\n", *plist);
+ printf("%s\n", *plist);
}
krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
ldap_context->krbcontainer = NULL;
/* Start duplicate code ... */
static krb5_error_code
-krb5_dbe_update_tl_data_new(context, entry, new_tl_data)
- krb5_context context;
- krb5_db_entry *entry;
- krb5_tl_data *new_tl_data;
+krb5_dbe_update_tl_data_new(krb5_context context, krb5_db_entry *entry,
+ krb5_tl_data *new_tl_data)
{
krb5_tl_data *tl_data = NULL;
krb5_octet *tmp;
/* copy the new data first, so we can fail cleanly if malloc()
* fails */
/*
- if ((tmp =
- (krb5_octet *) krb5_db_alloc(context, NULL,
- new_tl_data->tl_data_length)) == NULL)
+ if ((tmp =
+ (krb5_octet *) krb5_db_alloc(context, NULL,
+ new_tl_data->tl_data_length)) == NULL)
*/
if ((tmp = (krb5_octet *) malloc (new_tl_data->tl_data_length)) == NULL)
- return (ENOMEM);
+ return (ENOMEM);
/* Find an existing entry of the specified type and point at
* it, or NULL if not found */
- if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) { /* db_args can be multiple */
- for (tl_data = entry->tl_data; tl_data;
- tl_data = tl_data->tl_data_next)
- if (tl_data->tl_data_type == new_tl_data->tl_data_type)
- break;
+ if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) { /* db_args can be multiple */
+ for (tl_data = entry->tl_data; tl_data;
+ tl_data = tl_data->tl_data_next)
+ if (tl_data->tl_data_type == new_tl_data->tl_data_type)
+ break;
}
/* if necessary, chain a new record in the beginning and point at it */
if (!tl_data) {
/*
- if ((tl_data =
- (krb5_tl_data *) krb5_db_alloc(context, NULL,
- sizeof(krb5_tl_data)))
- == NULL) {
+ if ((tl_data =
+ (krb5_tl_data *) krb5_db_alloc(context, NULL,
+ sizeof(krb5_tl_data)))
+ == NULL) {
*/
- if ((tl_data = (krb5_tl_data *) malloc (sizeof(krb5_tl_data))) == NULL) {
- free(tmp);
- return (ENOMEM);
- }
- memset(tl_data, 0, sizeof(krb5_tl_data));
- tl_data->tl_data_next = entry->tl_data;
- entry->tl_data = tl_data;
- entry->n_tl_data++;
+ if ((tl_data = (krb5_tl_data *) malloc (sizeof(krb5_tl_data))) == NULL) {
+ free(tmp);
+ return (ENOMEM);
+ }
+ memset(tl_data, 0, sizeof(krb5_tl_data));
+ tl_data->tl_data_next = entry->tl_data;
+ entry->tl_data = tl_data;
+ entry->n_tl_data++;
}
/* fill in the record */
if (tl_data->tl_data_contents)
- krb5_db_free(context, tl_data->tl_data_contents);
+ krb5_db_free(context, tl_data->tl_data_contents);
tl_data->tl_data_type = new_tl_data->tl_data_type;
tl_data->tl_data_length = new_tl_data->tl_data_length;
}
static krb5_error_code
-krb5_dbe_update_mod_princ_data_new(context, entry, mod_date, mod_princ)
- krb5_context context;
- krb5_db_entry * entry;
- krb5_timestamp mod_date;
- krb5_const_principal mod_princ;
+krb5_dbe_update_mod_princ_data_new(krb5_context context, krb5_db_entry *entry,
+ krb5_timestamp mod_date,
+ krb5_const_principal mod_princ)
{
krb5_tl_data tl_data;
- krb5_error_code retval = 0;
- krb5_octet * nextloc = 0;
- char * unparse_mod_princ = 0;
- unsigned int unparse_mod_princ_size;
+ krb5_error_code retval = 0;
+ krb5_octet * nextloc = 0;
+ char * unparse_mod_princ = 0;
+ unsigned int unparse_mod_princ_size;
if ((retval = krb5_unparse_name(context, mod_princ,
- &unparse_mod_princ)))
- return(retval);
+ &unparse_mod_princ)))
+ return(retval);
unparse_mod_princ_size = strlen(unparse_mod_princ) + 1;
if ((nextloc = (krb5_octet *) malloc(unparse_mod_princ_size + 4))
- == NULL) {
- free(unparse_mod_princ);
- return(ENOMEM);
+ == NULL) {
+ free(unparse_mod_princ);
+ return(ENOMEM);
}
tl_data.tl_data_type = KRB5_TL_MOD_PRINC;
}
static krb5_error_code
-kdb_ldap_tgt_keysalt_iterate(ksent, ptr)
- krb5_key_salt_tuple *ksent;
- krb5_pointer ptr;
+kdb_ldap_tgt_keysalt_iterate(krb5_key_salt_tuple *ksent, krb5_pointer ptr)
{
krb5_context context;
krb5_error_code kret;
pwd.length = strlen(mkey_password);
kret = krb5_c_random_seed(context, &pwd);
if (kret)
- return kret;
+ return kret;
/*if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {*/
if ((entry->key_data =
- (krb5_key_data *) realloc(entry->key_data,
- (sizeof(krb5_key_data) *
- (entry->n_key_data + 1)))) == NULL)
- return (ENOMEM);
+ (krb5_key_data *) realloc(entry->key_data,
+ (sizeof(krb5_key_data) *
+ (entry->n_key_data + 1)))) == NULL)
+ return (ENOMEM);
memset(entry->key_data + entry->n_key_data, 0, sizeof(krb5_key_data));
ind = entry->n_key_data++;
if (!(kret = krb5_c_make_random_key(context, ksent->ks_enctype,
- &key))) {
- kret = krb5_dbekd_encrypt_key_data(context,
- iargs->rblock->key,
- &key,
- NULL,
- 1,
- &entry->key_data[ind]);
- krb5_free_keyblock_contents(context, &key);
+ &key))) {
+ kret = krb5_dbekd_encrypt_key_data(context,
+ iargs->rblock->key,
+ &key,
+ NULL,
+ 1,
+ &entry->key_data[ind]);
+ krb5_free_keyblock_contents(context, &key);
}
/*}*/
* creating the realm object.
*/
static int
-kdb_ldap_create_principal (context, princ, op, pblock)
- krb5_context context;
- krb5_principal princ;
- enum ap_op op;
- struct realm_info *pblock;
+kdb_ldap_create_principal(krb5_context context, krb5_principal princ,
+ enum ap_op op, struct realm_info *pblock)
{
int retval=0, currlen=0, princtype = 2 /* Service Principal */;
unsigned char *curr=NULL;
krb5_actkvno_node actkvno;
if ((pblock == NULL) || (context == NULL)) {
- retval = EINVAL;
- goto cleanup;
+ retval = EINVAL;
+ goto cleanup;
}
dal_handle = context->dal_handle;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
if (!(ldap_context)) {
- retval = EINVAL;
- goto cleanup;
+ retval = EINVAL;
+ goto cleanup;
}
memset(&entry, 0, sizeof(entry));
tl_data = malloc(sizeof(*tl_data));
if (tl_data == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
memset(tl_data, 0, sizeof(*tl_data));
tl_data->tl_data_length = 1 + 2 + 2 + 1 + 2 + 4;
tl_data->tl_data_type = 7; /* KDB_TL_USER_INFO */
curr = tl_data->tl_data_contents = malloc(tl_data->tl_data_length);
if (tl_data->tl_data_contents == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
memset(curr, 1, 1); /* Passing the mask as principal type */
entry.expiration = pblock->expiration;
entry.mask = mask;
if ((retval = krb5_copy_principal(context, princ, &entry.princ)))
- goto cleanup;
+ goto cleanup;
switch (op) {
case TGT_KEY:
- if ((pdata = krb5_princ_component(context, princ, 1)) &&
- pdata->length == strlen("history") &&
- !memcmp(pdata->data, "history", strlen("history"))) {
-
- /* Allocate memory for storing the key */
- if ((entry.key_data = (krb5_key_data *) malloc(
- sizeof(krb5_key_data))) == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- memset(entry.key_data, 0, sizeof(krb5_key_data));
- entry.n_key_data++;
-
- retval = krb5_c_make_random_key(context, global_params.enctype, &key);
- if (retval) {
- goto cleanup;
- }
- kvno = 1; /* New key is getting set */
- retval = krb5_dbekd_encrypt_key_data(context,
- &ldap_context->lrparams->mkey,
- &key, NULL, kvno,
- &entry.key_data[entry.n_key_data - 1]);
- krb5_free_keyblock_contents(context, &key);
- if (retval) {
- goto cleanup;
- }
- } else {
- /*retval = krb5_c_make_random_key(context, 16, &key) ;*/
- iargs.ctx = context;
- iargs.rblock = pblock;
- iargs.dbentp = &entry;
-
- /*
- * Iterate through the key/salt list, ignoring salt types.
- */
- if ((retval = krb5_keysalt_iterate(pblock->kslist,
- pblock->nkslist,
- 1,
- kdb_ldap_tgt_keysalt_iterate,
- (krb5_pointer) &iargs)))
- return retval;
- }
- break;
+ if ((pdata = krb5_princ_component(context, princ, 1)) &&
+ pdata->length == strlen("history") &&
+ !memcmp(pdata->data, "history", strlen("history"))) {
+
+ /* Allocate memory for storing the key */
+ if ((entry.key_data = (krb5_key_data *) malloc(
+ sizeof(krb5_key_data))) == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ memset(entry.key_data, 0, sizeof(krb5_key_data));
+ entry.n_key_data++;
+
+ retval = krb5_c_make_random_key(context, global_params.enctype, &key);
+ if (retval) {
+ goto cleanup;
+ }
+ kvno = 1; /* New key is getting set */
+ retval = krb5_dbekd_encrypt_key_data(context,
+ &ldap_context->lrparams->mkey,
+ &key, NULL, kvno,
+ &entry.key_data[entry.n_key_data - 1]);
+ krb5_free_keyblock_contents(context, &key);
+ if (retval) {
+ goto cleanup;
+ }
+ } else {
+ /*retval = krb5_c_make_random_key(context, 16, &key) ;*/
+ iargs.ctx = context;
+ iargs.rblock = pblock;
+ iargs.dbentp = &entry;
+
+ /*
+ * Iterate through the key/salt list, ignoring salt types.
+ */
+ if ((retval = krb5_keysalt_iterate(pblock->kslist,
+ pblock->nkslist,
+ 1,
+ kdb_ldap_tgt_keysalt_iterate,
+ (krb5_pointer) &iargs)))
+ return retval;
+ }
+ break;
case MASTER_KEY:
- /* Allocate memory for storing the key */
- if ((entry.key_data = (krb5_key_data *) malloc(
- sizeof(krb5_key_data))) == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- memset(entry.key_data, 0, sizeof(krb5_key_data));
- entry.n_key_data++;
- kvno = 1; /* New key is getting set */
- retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
- &ldap_context->lrparams->mkey,
- NULL, kvno,
- &entry.key_data[entry.n_key_data - 1]);
- if (retval) {
- goto cleanup;
- }
+ /* Allocate memory for storing the key */
+ if ((entry.key_data = (krb5_key_data *) malloc(
+ sizeof(krb5_key_data))) == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ memset(entry.key_data, 0, sizeof(krb5_key_data));
+ entry.n_key_data++;
+ kvno = 1; /* New key is getting set */
+ retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
+ &ldap_context->lrparams->mkey,
+ NULL, kvno,
+ &entry.key_data[entry.n_key_data - 1]);
+ if (retval) {
+ goto cleanup;
+ }
/*
* There should always be at least one "active" mkey so creating the
* KRB5_TL_ACTKVNO entry now so the initial mkey is active.
actkvno.act_kvno = kvno;
actkvno.act_time = now;
retval = krb5_dbe_update_actkvno(context, &entry, &actkvno);
- if (retval)
- goto cleanup;
+ if (retval)
+ goto cleanup;
- break;
+ break;
case NULL_KEY:
default:
- break;
+ break;
} /* end of switch */
retval = krb5_ldap_put_principal(context, &entry, &nentry, NULL);
if (retval) {
- com_err(NULL, retval, "while adding entries to database");
- goto cleanup;
+ com_err(NULL, retval, "while adding entries to database");
+ goto cleanup;
}
cleanup:
* This function destroys the realm object and the associated principals
*/
void
-kdb5_ldap_destroy(argc, argv)
- int argc;
- char *argv[];
+kdb5_ldap_destroy(int argc, char *argv[])
{
extern char *optarg;
extern int optind;
optind = 1;
while ((optchar = getopt(argc, argv, "f")) != -1) {
- switch (optchar) {
- case 'f':
- force++;
- break;
- case '?':
- default:
- db_usage(DESTROY_REALM);
- return;
- /*NOTREACHED*/
- }
+ switch (optchar) {
+ case 'f':
+ force++;
+ break;
+ case '?':
+ default:
+ db_usage(DESTROY_REALM);
+ return;
+ /*NOTREACHED*/
+ }
}
if (!force) {
- printf("Deleting KDC database of '%s', are you sure?\n", global_params.realm);
- printf("(type 'yes' to confirm)? ");
- if (fgets(buf, sizeof(buf), stdin) == NULL) {
- exit_status++;
- return;
- }
- if (strcmp(buf, yes)) {
- exit_status++;
- return;
- }
- printf("OK, deleting database of '%s'...\n", global_params.realm);
+ printf("Deleting KDC database of '%s', are you sure?\n", global_params.realm);
+ printf("(type 'yes' to confirm)? ");
+ if (fgets(buf, sizeof(buf), stdin) == NULL) {
+ exit_status++;
+ return;
+ }
+ if (strcmp(buf, yes)) {
+ exit_status++;
+ return;
+ }
+ printf("OK, deleting database of '%s'...\n", global_params.realm);
}
dal_handle = util_context->dal_handle;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
if (!(ldap_context)) {
- com_err(progname, EINVAL, "while initializing database");
- exit_status++;
- return;
+ com_err(progname, EINVAL, "while initializing database");
+ exit_status++;
+ return;
}
/* Read the kerberos container from the LDAP Server */
if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
- &(ldap_context->krbcontainer))) != 0) {
- com_err(progname, retval, "while reading kerberos container information");
- exit_status++;
- return;
+ &(ldap_context->krbcontainer))) != 0) {
+ com_err(progname, retval, "while reading kerberos container information");
+ exit_status++;
+ return;
}
/* Read the Realm information from the LDAP Server */
if ((retval = krb5_ldap_read_realm_params(util_context, global_params.realm,
- &(ldap_context->lrparams), &mask)) != 0) {
- com_err(progname, retval, "while reading realm information");
- exit_status++;
- return;
+ &(ldap_context->lrparams), &mask)) != 0) {
+ com_err(progname, retval, "while reading realm information");
+ exit_status++;
+ return;
}
#ifdef HAVE_EDIRECTORY
if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
- (mask & LDAP_REALM_PASSWDSERVERS)) {
-
- printf("Changing rights for the service object. Please wait ... ");
- fflush(stdout);
-
- rparams = ldap_context->lrparams;
- rightsmask = 0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
- for (i=0; (rparams->kdcservers[i] != NULL); i++) {
- if ((retval = krb5_ldap_delete_service_rights(util_context,
- LDAP_KDC_SERVICE, rparams->kdcservers[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights to '%s'",
- rparams->realm_name);
- return;
- }
- }
- }
- rightsmask = 0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- if ((rparams != NULL) && (rparams->adminservers != NULL)) {
- for (i=0; (rparams->adminservers[i] != NULL); i++) {
- if ((retval = krb5_ldap_delete_service_rights(util_context,
- LDAP_ADMIN_SERVICE, rparams->adminservers[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights to '%s'",
- rparams->realm_name);
- return;
- }
- }
- }
- rightsmask = 0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
- for (i=0; (rparams->passwdservers[i] != NULL); i++) {
- if ((retval = krb5_ldap_delete_service_rights(util_context,
- LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights to '%s'",
- rparams->realm_name);
- return;
- }
- }
- }
- printf("done\n");
+ (mask & LDAP_REALM_PASSWDSERVERS)) {
+
+ printf("Changing rights for the service object. Please wait ... ");
+ fflush(stdout);
+
+ rparams = ldap_context->lrparams;
+ rightsmask = 0;
+ rightsmask |= LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
+ for (i=0; (rparams->kdcservers[i] != NULL); i++) {
+ if ((retval = krb5_ldap_delete_service_rights(util_context,
+ LDAP_KDC_SERVICE, rparams->kdcservers[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights to '%s'",
+ rparams->realm_name);
+ return;
+ }
+ }
+ }
+ rightsmask = 0;
+ rightsmask |= LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if ((rparams != NULL) && (rparams->adminservers != NULL)) {
+ for (i=0; (rparams->adminservers[i] != NULL); i++) {
+ if ((retval = krb5_ldap_delete_service_rights(util_context,
+ LDAP_ADMIN_SERVICE, rparams->adminservers[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights to '%s'",
+ rparams->realm_name);
+ return;
+ }
+ }
+ }
+ rightsmask = 0;
+ rightsmask |= LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
+ for (i=0; (rparams->passwdservers[i] != NULL); i++) {
+ if ((retval = krb5_ldap_delete_service_rights(util_context,
+ LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights to '%s'",
+ rparams->realm_name);
+ return;
+ }
+ }
+ }
+ printf("done\n");
}
#endif
/* Delete the realm container and all the associated principals */
retval = krb5_ldap_delete_realm(util_context, global_params.realm);
if (retval) {
- com_err(progname, retval, "deleting database of '%s'", global_params.realm);
- exit_status++;
- return;
+ com_err(progname, retval, "deleting database of '%s'", global_params.realm);
+ exit_status++;
+ return;
}
printf("** Database of '%s' destroyed.\n", global_params.realm);
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* kadmin/ldap_util/kdb5_ldap_realm.h
*/
* POSSIBILITY OF SUCH DAMAGE.
*/
-#define BUFF_LEN 64 /* Max len of enctype string */
-#define MAX_PRINC_SIZE 256
+#define BUFF_LEN 64 /* Max len of enctype string */
+#define MAX_PRINC_SIZE 256
enum ap_op {
- NULL_KEY, /* setup null keys */
- MASTER_KEY, /* use master key as new key */
- TGT_KEY /* special handling for tgt key */
+ NULL_KEY, /* setup null keys */
+ MASTER_KEY, /* use master key as new key */
+ TGT_KEY /* special handling for tgt key */
};
struct realm_info {
};
struct iterate_args {
- krb5_context ctx;
- struct realm_info *rblock;
- krb5_db_entry *dbentp;
+ krb5_context ctx;
+ struct realm_info *rblock;
+ krb5_db_entry *dbentp;
};
-extern void kdb5_ldap_create (int argc, char **argv);
-extern void kdb5_ldap_destroy (int argc, char **argv);
-extern void kdb5_ldap_modify (int argc, char **argv);
-extern void kdb5_ldap_view (int argc, char **argv);
-extern void kdb5_ldap_list (int argc, char **argv);
+extern void kdb5_ldap_create(int argc, char **argv);
+extern void kdb5_ldap_destroy(int argc, char **argv);
+extern void kdb5_ldap_modify(int argc, char **argv);
+extern void kdb5_ldap_view(int argc, char **argv);
+extern void kdb5_ldap_list(int argc, char **argv);
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* kadmin/ldap_util/kdb5_ldap_services.c
*/
static krb5_error_code
rem_service_entry_from_file(int argc,
- char *argv[],
- char *file_name,
- char *service_object);
+ char *argv[],
+ char *file_name,
+ char *service_object);
static void
print_service_params(krb5_ldap_service_params *lserparams, int mask);
extern char *yes;
extern krb5_boolean db_inited;
-static int process_host_list(char **host_list, int servicetype)
+static int
+process_host_list(char **host_list, int servicetype)
{
krb5_error_code retval = 0;
char *pchr = NULL;
/* Protocol and port number processing */
for (j = 0; host_list[j]; j++) {
- /* Look for one hash */
- if ((pchr = strchr(host_list[j], HOST_INFO_DELIMITER))) {
- unsigned int hostname_len = pchr - host_list[j];
-
- /* Check input for buffer overflow */
- if (hostname_len >= MAX_LEN_LIST_ENTRY) {
- retval = EINVAL;
- goto cleanup;
- }
-
- /* First copy off the host name portion */
- strncpy (host_str, host_list[j], hostname_len);
-
- /* Parse for the protocol string and translate to number */
- strncpy (proto_str, pchr + 1, PROTOCOL_STR_LEN);
- if (!strcmp(proto_str, "udp"))
- snprintf (proto_str, sizeof(proto_str), "%d",
- PROTOCOL_NUM_UDP);
- else if (!strcmp(proto_str, "tcp"))
- snprintf (proto_str, sizeof(proto_str), "%d",
- PROTOCOL_NUM_TCP);
- else
- proto_str[0] = '\0'; /* Make the string null if invalid */
-
- /* Look for one more hash */
- if ((pchr = strchr(pchr + 1, HOST_INFO_DELIMITER))) {
- /* Parse for the port string and check if it is numeric */
- strncpy (port_str, pchr + 1, PORT_STR_LEN);
- if (!strtol(port_str, NULL, 10)) /* Not a valid number */
- port_str[0] = '\0';
- } else
- port_str[0] = '\0';
- } else { /* We have only host name */
- strncpy (host_str, host_list[j], MAX_LEN_LIST_ENTRY - 1);
- proto_str[0] = '\0';
- port_str[0] = '\0';
- }
-
- /* Now, based on service type, fill in suitable protocol
- and port values if they are absent or not matching */
- if (servicetype == LDAP_KDC_SERVICE) {
- if (proto_str[0] == '\0')
- snprintf (proto_str, sizeof(proto_str), "%d",
- PROTOCOL_DEFAULT_KDC);
-
- if (port_str[0] == '\0')
- snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_KDC);
- } else if (servicetype == LDAP_ADMIN_SERVICE) {
- if (proto_str[0] == '\0')
- snprintf (proto_str, sizeof(proto_str), "%d",
- PROTOCOL_DEFAULT_ADM);
- else if (strcmp(proto_str, "1")) {
- snprintf (proto_str, sizeof(proto_str), "%d",
- PROTOCOL_DEFAULT_ADM);
-
- /* Print warning message */
- printf ("Admin Server supports only TCP protocol, hence setting that\n");
- }
-
- if (port_str[0] == '\0')
- snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_ADM);
- } else if (servicetype == LDAP_PASSWD_SERVICE) {
- if (proto_str[0] == '\0')
- snprintf (proto_str, sizeof(proto_str), "%d",
- PROTOCOL_DEFAULT_PWD);
- else if (strcmp(proto_str, "0")) {
- snprintf (proto_str, sizeof(proto_str), "%d",
- PROTOCOL_DEFAULT_PWD);
-
- /* Print warning message */
- printf ("Password Server supports only UDP protocol, hence setting that\n");
- }
-
- if (port_str[0] == '\0')
- sprintf (port_str, "%d", PORT_DEFAULT_PWD);
- }
-
- /* Finally form back the string */
- free (host_list[j]);
- host_list[j] = (char*) malloc(sizeof(char) *
- (strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1));
- if (host_list[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- snprintf (host_list[j], strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1,
- "%s#%s#%s", host_str, proto_str, port_str);
+ /* Look for one hash */
+ if ((pchr = strchr(host_list[j], HOST_INFO_DELIMITER))) {
+ unsigned int hostname_len = pchr - host_list[j];
+
+ /* Check input for buffer overflow */
+ if (hostname_len >= MAX_LEN_LIST_ENTRY) {
+ retval = EINVAL;
+ goto cleanup;
+ }
+
+ /* First copy off the host name portion */
+ strncpy (host_str, host_list[j], hostname_len);
+
+ /* Parse for the protocol string and translate to number */
+ strncpy (proto_str, pchr + 1, PROTOCOL_STR_LEN);
+ if (!strcmp(proto_str, "udp"))
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_NUM_UDP);
+ else if (!strcmp(proto_str, "tcp"))
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_NUM_TCP);
+ else
+ proto_str[0] = '\0'; /* Make the string null if invalid */
+
+ /* Look for one more hash */
+ if ((pchr = strchr(pchr + 1, HOST_INFO_DELIMITER))) {
+ /* Parse for the port string and check if it is numeric */
+ strncpy (port_str, pchr + 1, PORT_STR_LEN);
+ if (!strtol(port_str, NULL, 10)) /* Not a valid number */
+ port_str[0] = '\0';
+ } else
+ port_str[0] = '\0';
+ } else { /* We have only host name */
+ strncpy (host_str, host_list[j], MAX_LEN_LIST_ENTRY - 1);
+ proto_str[0] = '\0';
+ port_str[0] = '\0';
+ }
+
+ /* Now, based on service type, fill in suitable protocol
+ and port values if they are absent or not matching */
+ if (servicetype == LDAP_KDC_SERVICE) {
+ if (proto_str[0] == '\0')
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_DEFAULT_KDC);
+
+ if (port_str[0] == '\0')
+ snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_KDC);
+ } else if (servicetype == LDAP_ADMIN_SERVICE) {
+ if (proto_str[0] == '\0')
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_DEFAULT_ADM);
+ else if (strcmp(proto_str, "1")) {
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_DEFAULT_ADM);
+
+ /* Print warning message */
+ printf ("Admin Server supports only TCP protocol, hence setting that\n");
+ }
+
+ if (port_str[0] == '\0')
+ snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_ADM);
+ } else if (servicetype == LDAP_PASSWD_SERVICE) {
+ if (proto_str[0] == '\0')
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_DEFAULT_PWD);
+ else if (strcmp(proto_str, "0")) {
+ snprintf (proto_str, sizeof(proto_str), "%d",
+ PROTOCOL_DEFAULT_PWD);
+
+ /* Print warning message */
+ printf ("Password Server supports only UDP protocol, hence setting that\n");
+ }
+
+ if (port_str[0] == '\0')
+ sprintf (port_str, "%d", PORT_DEFAULT_PWD);
+ }
+
+ /* Finally form back the string */
+ free (host_list[j]);
+ host_list[j] = (char*) malloc(sizeof(char) *
+ (strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1));
+ if (host_list[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ snprintf (host_list[j], strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1,
+ "%s#%s#%s", host_str, proto_str, port_str);
}
cleanup:
* Kerberos container location.
*/
static krb5_error_code
-convert_realm_name2dn_list(list, krbcontainer_loc)
- char **list;
- const char *krbcontainer_loc;
+convert_realm_name2dn_list(char **list, const char *krbcontainer_loc)
{
krb5_error_code retval = 0;
char temp_str[MAX_DN_CHARS] = "\0";
int i = 0;
if (list == NULL) {
- return EINVAL;
+ return EINVAL;
}
for (i = 0; (list[i] != NULL) && (i < MAX_LIST_ENTRIES); i++) {
- /* Restrict copying to max. length to avoid buffer overflow */
- snprintf (temp_str, MAX_DN_CHARS, "cn=%s,%s", list[i], krbcontainer_loc);
+ /* Restrict copying to max. length to avoid buffer overflow */
+ snprintf (temp_str, MAX_DN_CHARS, "cn=%s,%s", list[i], krbcontainer_loc);
- /* Make copy of string to temporary node */
- temp_node = strdup(temp_str);
- if (list[i] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
+ /* Make copy of string to temporary node */
+ temp_node = strdup(temp_str);
+ if (list[i] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
- /* On success, free list node and attach new one */
- free (list[i]);
- list[i] = temp_node;
- temp_node = NULL;
+ /* On success, free list node and attach new one */
+ free (list[i]);
+ list[i] = temp_node;
+ temp_node = NULL;
}
cleanup:
* This function will create a service object on the LDAP Server, with the
* specified attributes.
*/
-void kdb5_ldap_create_service(argc, argv)
- int argc;
- char *argv[];
+void
+kdb5_ldap_create_service(int argc, char *argv[])
{
char *me = progname;
krb5_error_code retval = 0;
/* Check for number of arguments */
if ((argc < 3) || (argc > 10)) {
- exit_status++;
- goto err_usage;
+ exit_status++;
+ goto err_usage;
}
/* Allocate memory for service parameters structure */
srvparams = (krb5_ldap_service_params*) calloc(1, sizeof(krb5_ldap_service_params));
if (srvparams == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
dal_handle = util_context->dal_handle;
of arguments */
extra_argv = (char **) calloc((unsigned int)argc, sizeof(char*));
if (extra_argv == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
/* Set first of the extra arguments as the program name */
* and for assigning rights
*/
if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
- &(ldap_context->krbcontainer)))) {
- com_err(me, retval, "while reading Kerberos container information");
- goto cleanup;
+ &(ldap_context->krbcontainer)))) {
+ com_err(me, retval, "while reading Kerberos container information");
+ goto cleanup;
}
/* Parse all arguments */
for (i = 1; i < argc; i++) {
- if (!strcmp(argv[i], "-kdc")) {
- srvparams->servicetype = LDAP_KDC_SERVICE;
- } else if (!strcmp(argv[i], "-admin")) {
- srvparams->servicetype = LDAP_ADMIN_SERVICE;
- } else if (!strcmp(argv[i], "-pwd")) {
- srvparams->servicetype = LDAP_PASSWD_SERVICE;
- } else if (!strcmp(argv[i], "-servicehost")) {
- if (++i > argc - 1)
- goto err_usage;
-
- srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES,
- sizeof(char *));
- if (srvparams->krbhostservers == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
- srvparams->krbhostservers))) {
- goto cleanup;
- }
-
- if ((retval = process_host_list (srvparams->krbhostservers,
- srvparams->servicetype))) {
- goto cleanup;
- }
-
- mask |= LDAP_SERVICE_HOSTSERVER;
- } else if (!strcmp(argv[i], "-realm")) {
- if (++i > argc - 1)
- goto err_usage;
-
- srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES,
- sizeof(char *));
- if (srvparams->krbrealmreferences == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
- srvparams->krbrealmreferences))) {
- goto cleanup;
- }
-
- /* Convert realm names to realm DNs */
- if ((retval = convert_realm_name2dn_list(
- srvparams->krbrealmreferences,
- ldap_context->krbcontainer->DN))) {
- goto cleanup;
- }
-
- mask |= LDAP_SERVICE_REALMREFERENCE;
- }
- /* If argument is none of the above and beginning with '-',
- * it must be related to password -- collect it
- * to pass onto kdb5_ldap_set_service_password()
- */
- else if (*(argv[i]) == '-') {
- /* Checking for options of setting the password for the
- * service (by using 'setsrvpw') is not modular. --need to
- * have a common function that can be shared with 'setsrvpw'
- */
- if (!strcmp(argv[i], "-randpw")) {
- extra_argv[extra_argc] = argv[i];
- extra_argc++;
- } else if (!strcmp(argv[i], "-fileonly")) {
- extra_argv[extra_argc] = argv[i];
- extra_argc++;
- }
- /* For '-f' option alone, pick up the following argument too */
- else if (!strcmp(argv[i], "-f")) {
- extra_argv[extra_argc] = argv[i];
- extra_argc++;
-
- if (++i > argc - 1)
- goto err_usage;
-
- extra_argv[extra_argc] = argv[i];
- extra_argc++;
- } else { /* Any other option is invalid */
- exit_status++;
- goto err_usage;
- }
- } else { /* Any other argument must be service DN */
- /* First check if service DN is already provided --
- * if so, there's a usage error
- */
- if (srvparams->servicedn != NULL) {
- com_err(me, EINVAL, "while creating service object");
- goto err_usage;
- }
-
- /* If not present already, fill up service DN */
- srvparams->servicedn = strdup(argv[i]);
- if (srvparams->servicedn == NULL) {
- com_err(me, ENOMEM, "while creating service object");
- goto err_nomsg;
- }
- }
+ if (!strcmp(argv[i], "-kdc")) {
+ srvparams->servicetype = LDAP_KDC_SERVICE;
+ } else if (!strcmp(argv[i], "-admin")) {
+ srvparams->servicetype = LDAP_ADMIN_SERVICE;
+ } else if (!strcmp(argv[i], "-pwd")) {
+ srvparams->servicetype = LDAP_PASSWD_SERVICE;
+ } else if (!strcmp(argv[i], "-servicehost")) {
+ if (++i > argc - 1)
+ goto err_usage;
+
+ srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES,
+ sizeof(char *));
+ if (srvparams->krbhostservers == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
+ srvparams->krbhostservers))) {
+ goto cleanup;
+ }
+
+ if ((retval = process_host_list (srvparams->krbhostservers,
+ srvparams->servicetype))) {
+ goto cleanup;
+ }
+
+ mask |= LDAP_SERVICE_HOSTSERVER;
+ } else if (!strcmp(argv[i], "-realm")) {
+ if (++i > argc - 1)
+ goto err_usage;
+
+ srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES,
+ sizeof(char *));
+ if (srvparams->krbrealmreferences == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
+ srvparams->krbrealmreferences))) {
+ goto cleanup;
+ }
+
+ /* Convert realm names to realm DNs */
+ if ((retval = convert_realm_name2dn_list(
+ srvparams->krbrealmreferences,
+ ldap_context->krbcontainer->DN))) {
+ goto cleanup;
+ }
+
+ mask |= LDAP_SERVICE_REALMREFERENCE;
+ }
+ /* If argument is none of the above and beginning with '-',
+ * it must be related to password -- collect it
+ * to pass onto kdb5_ldap_set_service_password()
+ */
+ else if (*(argv[i]) == '-') {
+ /* Checking for options of setting the password for the
+ * service (by using 'setsrvpw') is not modular. --need to
+ * have a common function that can be shared with 'setsrvpw'
+ */
+ if (!strcmp(argv[i], "-randpw")) {
+ extra_argv[extra_argc] = argv[i];
+ extra_argc++;
+ } else if (!strcmp(argv[i], "-fileonly")) {
+ extra_argv[extra_argc] = argv[i];
+ extra_argc++;
+ }
+ /* For '-f' option alone, pick up the following argument too */
+ else if (!strcmp(argv[i], "-f")) {
+ extra_argv[extra_argc] = argv[i];
+ extra_argc++;
+
+ if (++i > argc - 1)
+ goto err_usage;
+
+ extra_argv[extra_argc] = argv[i];
+ extra_argc++;
+ } else { /* Any other option is invalid */
+ exit_status++;
+ goto err_usage;
+ }
+ } else { /* Any other argument must be service DN */
+ /* First check if service DN is already provided --
+ * if so, there's a usage error
+ */
+ if (srvparams->servicedn != NULL) {
+ com_err(me, EINVAL, "while creating service object");
+ goto err_usage;
+ }
+
+ /* If not present already, fill up service DN */
+ srvparams->servicedn = strdup(argv[i]);
+ if (srvparams->servicedn == NULL) {
+ com_err(me, ENOMEM, "while creating service object");
+ goto err_nomsg;
+ }
+ }
}
/* No point in proceeding further if service DN value is not available */
if (srvparams->servicedn == NULL) {
- com_err(me, EINVAL, "while creating service object");
- goto err_usage;
+ com_err(me, EINVAL, "while creating service object");
+ goto err_usage;
}
if (srvparams->servicetype == 0) { /* Not provided and hence not set */
- com_err(me, EINVAL, "while creating service object");
- goto err_usage;
+ com_err(me, EINVAL, "while creating service object");
+ goto err_usage;
}
/* Create object with all attributes provided */
if ((retval = krb5_ldap_create_service(util_context, srvparams, mask)))
- goto cleanup;
+ goto cleanup;
service_obj_created = TRUE;
/* Set password too */
if (extra_argc >= 1) {
- /* Set service DN as the last argument */
- extra_argv[extra_argc] = strdup(srvparams->servicedn);
- if (extra_argv[extra_argc] == NULL) {
+ /* Set service DN as the last argument */
+ extra_argv[extra_argc] = strdup(srvparams->servicedn);
+ if (extra_argv[extra_argc] == NULL) {
retval = ENOMEM;
goto cleanup;
}
- extra_argc++;
+ extra_argc++;
- if ((retval = kdb5_ldap_set_service_password(extra_argc, extra_argv)) != 0) {
- goto err_nomsg;
- }
+ if ((retval = kdb5_ldap_set_service_password(extra_argc, extra_argv)) != 0) {
+ goto err_nomsg;
+ }
}
/* Rights assignment */
if (mask & LDAP_SERVICE_REALMREFERENCE) {
- printf("%s","Changing rights for the service object. Please wait ... ");
- fflush(stdout);
-
- rightsmask =0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
-
- if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) {
- for (i=0; (srvparams->krbrealmreferences[i] != NULL); i++) {
-
- /* Get the realm name, not the dn */
- temprdns = ldap_explode_dn(srvparams->krbrealmreferences[i], 1);
-
- if (temprdns[0] == NULL) {
- retval = EINVAL;
- goto cleanup;
- }
-
- realmName = strdup(temprdns[0]);
- if (realmName == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((retval = krb5_ldap_read_realm_params(util_context,
- realmName, &rparams, &rmask))) {
- com_err(me, retval, "while reading information of realm '%s'",
- realmName);
- goto cleanup;
- }
-
- if ((retval = krb5_ldap_add_service_rights(util_context,
- srvparams->servicetype, srvparams->servicedn,
- realmName, rparams->subtree, rparams->containerref, rightsmask))) {
- printf("failed\n");
- com_err(me, retval, "while assigning rights '%s'",
- srvparams->servicedn);
- goto cleanup;
- }
-
- if (rparams)
- krb5_ldap_free_realm_params(rparams);
- }
- }
- printf("done\n");
+ printf("%s","Changing rights for the service object. Please wait ... ");
+ fflush(stdout);
+
+ rightsmask =0;
+ rightsmask |= LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+
+ if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) {
+ for (i=0; (srvparams->krbrealmreferences[i] != NULL); i++) {
+
+ /* Get the realm name, not the dn */
+ temprdns = ldap_explode_dn(srvparams->krbrealmreferences[i], 1);
+
+ if (temprdns[0] == NULL) {
+ retval = EINVAL;
+ goto cleanup;
+ }
+
+ realmName = strdup(temprdns[0]);
+ if (realmName == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ if ((retval = krb5_ldap_read_realm_params(util_context,
+ realmName, &rparams, &rmask))) {
+ com_err(me, retval, "while reading information of realm '%s'",
+ realmName);
+ goto cleanup;
+ }
+
+ if ((retval = krb5_ldap_add_service_rights(util_context,
+ srvparams->servicetype, srvparams->servicedn,
+ realmName, rparams->subtree, rparams->containerref, rightsmask))) {
+ printf("failed\n");
+ com_err(me, retval, "while assigning rights '%s'",
+ srvparams->servicedn);
+ goto cleanup;
+ }
+
+ if (rparams)
+ krb5_ldap_free_realm_params(rparams);
+ }
+ }
+ printf("done\n");
}
goto cleanup;
cleanup:
if ((retval != 0) && (service_obj_created == TRUE)) {
- /* This is for deleting the service object if something goes
- * wrong in creating the service object
- */
+ /* This is for deleting the service object if something goes
+ * wrong in creating the service object
+ */
- /* srvparams is populated from the user input and should be correct as
- * we were successful in creating a service object. Reusing the same
- */
- krb5_ldap_delete_service(util_context, srvparams, srvparams->servicedn);
+ /* srvparams is populated from the user input and should be correct as
+ * we were successful in creating a service object. Reusing the same
+ */
+ krb5_ldap_delete_service(util_context, srvparams, srvparams->servicedn);
}
/* Clean-up structure */
krb5_ldap_free_service (util_context, srvparams);
if (extra_argv) {
- free (extra_argv);
- extra_argv = NULL;
+ free (extra_argv);
+ extra_argv = NULL;
}
if (realmName) {
- free(realmName);
- realmName = NULL;
+ free(realmName);
+ realmName = NULL;
}
if (print_usage)
- db_usage (CREATE_SERVICE);
+ db_usage (CREATE_SERVICE);
if (retval) {
- if (!no_msg)
- com_err(me, retval, "while creating service object");
+ if (!no_msg)
+ com_err(me, retval, "while creating service object");
- exit_status++;
+ exit_status++;
}
return;
* This function will modify the attributes of a given service
* object on the LDAP Server
*/
-void kdb5_ldap_modify_service(argc, argv)
- int argc;
- char *argv[];
+void
+kdb5_ldap_modify_service(int argc, char *argv[])
{
char *me = progname;
krb5_error_code retval = 0;
/* Check for number of arguments */
if ((argc < 3) || (argc > 10)) {
- exit_status++;
- goto err_usage;
+ exit_status++;
+ goto err_usage;
}
dal_handle = util_context->dal_handle;
/* Parse all arguments, only to pick up service DN (Pass 1) */
for (i = 1; i < argc; i++) {
- /* Skip arguments next to 'servicehost'
- and 'realmdn' arguments */
- if (!strcmp(argv[i], "-servicehost")) {
- ++i;
- } else if (!strcmp(argv[i], "-clearservicehost")) {
- ++i;
- } else if (!strcmp(argv[i], "-addservicehost")) {
- ++i;
- } else if (!strcmp(argv[i], "-realm")) {
- ++i;
- } else if (!strcmp(argv[i], "-clearrealm")) {
- ++i;
- } else if (!strcmp(argv[i], "-addrealm")) {
- ++i;
- } else { /* Any other argument must be service DN */
- /* First check if service DN is already provided --
- if so, there's a usage error */
- if (servicedn != NULL) {
- com_err(me, EINVAL, "while modifying service object");
- goto err_usage;
- }
-
- /* If not present already, fill up service DN */
- servicedn = strdup(argv[i]);
- if (servicedn == NULL) {
- com_err(me, ENOMEM, "while modifying service object");
- goto err_nomsg;
- }
- }
+ /* Skip arguments next to 'servicehost'
+ and 'realmdn' arguments */
+ if (!strcmp(argv[i], "-servicehost")) {
+ ++i;
+ } else if (!strcmp(argv[i], "-clearservicehost")) {
+ ++i;
+ } else if (!strcmp(argv[i], "-addservicehost")) {
+ ++i;
+ } else if (!strcmp(argv[i], "-realm")) {
+ ++i;
+ } else if (!strcmp(argv[i], "-clearrealm")) {
+ ++i;
+ } else if (!strcmp(argv[i], "-addrealm")) {
+ ++i;
+ } else { /* Any other argument must be service DN */
+ /* First check if service DN is already provided --
+ if so, there's a usage error */
+ if (servicedn != NULL) {
+ com_err(me, EINVAL, "while modifying service object");
+ goto err_usage;
+ }
+
+ /* If not present already, fill up service DN */
+ servicedn = strdup(argv[i]);
+ if (servicedn == NULL) {
+ com_err(me, ENOMEM, "while modifying service object");
+ goto err_nomsg;
+ }
+ }
}
/* No point in proceeding further if service DN value is not available */
if (servicedn == NULL) {
- com_err(me, EINVAL, "while modifying service object");
- goto err_usage;
+ com_err(me, EINVAL, "while modifying service object");
+ goto err_usage;
}
retval = krb5_ldap_read_service(util_context, servicedn, &srvparams, &in_mask);
if (retval) {
- com_err(me, retval, "while reading information of service '%s'",
- servicedn);
- goto err_nomsg;
+ com_err(me, retval, "while reading information of service '%s'",
+ servicedn);
+ goto err_nomsg;
}
/* Read Kerberos container info, to construct realm DN from name
* and for assigning rights
*/
if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
- &(ldap_context->krbcontainer)))) {
- com_err(me, retval, "while reading Kerberos container information");
- goto cleanup;
+ &(ldap_context->krbcontainer)))) {
+ com_err(me, retval, "while reading Kerberos container information");
+ goto cleanup;
}
/* Parse all arguments, but skip the service DN (Pass 2) */
for (i = 1; i < argc; i++) {
- if (!strcmp(argv[i], "-servicehost")) {
- if (++i > argc - 1)
- goto err_usage;
-
- /* Free the old list if available */
- if (srvparams->krbhostservers) {
- krb5_free_list_entries (srvparams->krbhostservers);
- free (srvparams->krbhostservers);
- }
-
- srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES,
- sizeof(char *));
- if (srvparams->krbhostservers == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
- srvparams->krbhostservers))) {
- goto cleanup;
- }
-
- if ((retval = process_host_list (srvparams->krbhostservers,
- srvparams->servicetype))) {
- goto cleanup;
- }
-
- out_mask |= LDAP_SERVICE_HOSTSERVER;
-
- /* Set flag to ignore 'add' and 'clear' */
- srvhost_flag = 1;
- } else if (!strcmp(argv[i], "-clearservicehost")) {
- if (++i > argc - 1)
- goto err_usage;
-
- if (!srvhost_flag) {
- /* If attribute doesn't exist, don't permit 'clear' option */
- if ((in_mask & LDAP_SERVICE_HOSTSERVER) == 0) {
- /* Send out some proper error message here */
- com_err(me, EINVAL, "service host list is empty\n");
- goto err_nomsg;
- }
-
- /* Allocate list for processing */
- list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (list == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- if ((retval = process_host_list (list, srvparams->servicetype))) {
- goto cleanup;
- }
-
- list_modify_str_array(&(srvparams->krbhostservers),
- (const char**)list, LIST_MODE_DELETE);
-
- out_mask |= LDAP_SERVICE_HOSTSERVER;
-
- /* Clean up */
- free (list);
- list = NULL;
- }
- } else if (!strcmp(argv[i], "-addservicehost")) {
- if (++i > argc - 1)
- goto err_usage;
-
- if (!srvhost_flag) {
- /* Allocate list for processing */
- list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (list == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- if ((retval = process_host_list (list, srvparams->servicetype))) {
- goto cleanup;
- }
-
- /* Call list_modify_str_array() only if host server attribute
- * exists already --Actually, it's better to handle this
- * within list_modify_str_array()
- */
- if (in_mask & LDAP_SERVICE_HOSTSERVER) {
- /* Re-size existing list */
- existing_entries = list_count_str_array(srvparams->krbhostservers);
- new_entries = list_count_str_array(list);
- temp_ptr = (char **) realloc(srvparams->krbhostservers,
- sizeof(char *) * (existing_entries + new_entries + 1));
- if (temp_ptr == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- srvparams->krbhostservers = temp_ptr;
-
- list_modify_str_array(&(srvparams->krbhostservers),
- (const char**)list, LIST_MODE_ADD);
-
- /* Clean up */
- free (list);
- list = NULL;
- } else
- srvparams->krbhostservers = list;
-
- out_mask |= LDAP_SERVICE_HOSTSERVER;
- }
- } else if (!strcmp(argv[i], "-realm")) {
- if (++i > argc - 1)
- goto err_usage;
-
- if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences)) {
- if (!oldrealmrefs) {
- /* Store the old realm list for removing rights */
- oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldrealmrefs == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
- oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
- if (oldrealmrefs[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- oldrealmrefs[j] = NULL;
- }
-
- /* Free the old list if available */
- krb5_free_list_entries (srvparams->krbrealmreferences);
- free (srvparams->krbrealmreferences);
- }
-
- srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES,
- sizeof(char *));
- if (srvparams->krbrealmreferences == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
- srvparams->krbrealmreferences))) {
- goto cleanup;
- }
-
- /* Convert realm names to realm DNs */
- if ((retval = convert_realm_name2dn_list(
- srvparams->krbrealmreferences,
- ldap_context->krbcontainer->DN))) {
- goto cleanup;
- }
-
- out_mask |= LDAP_SERVICE_REALMREFERENCE;
-
- /* Set flag to ignore 'add' and 'clear' */
- realmdn_flag = 1;
- } else if (!strcmp(argv[i], "-clearrealm")) {
- if (++i > argc - 1)
- goto err_usage;
-
- if (!realmdn_flag) {
- /* If attribute doesn't exist, don't permit 'clear' option */
- if (((in_mask & LDAP_SERVICE_REALMREFERENCE) == 0) || (srvparams->krbrealmreferences == NULL)) {
- /* Send out some proper error message here */
- goto err_nomsg;
- }
-
- if (!oldrealmrefs) {
- /* Store the old realm list for removing rights */
- oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldrealmrefs == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
- oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
- if (oldrealmrefs[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- oldrealmrefs[j] = NULL;
- }
-
- /* Allocate list for processing */
- list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (list == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- /* Convert realm names to realm DNs */
- if ((retval = convert_realm_name2dn_list(list,
- ldap_context->krbcontainer->DN))) {
- goto cleanup;
- }
-
- list_modify_str_array(&(srvparams->krbrealmreferences),
- (const char**)list, LIST_MODE_DELETE);
-
- out_mask |= LDAP_SERVICE_REALMREFERENCE;
-
- /* Clean up */
- free (list);
- list = NULL;
- }
- } else if (!strcmp(argv[i], "-addrealm")) {
- if (++i > argc - 1)
- goto err_usage;
-
- if (!realmdn_flag) {
- /* Allocate list for processing */
- list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (list == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- /* Convert realm names to realm DNs */
- if ((retval = convert_realm_name2dn_list(list,
- ldap_context->krbcontainer->DN))) {
- goto cleanup;
- }
-
- if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences) && (!oldrealmrefs)) {
- /* Store the old realm list for removing rights */
- oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldrealmrefs == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
- oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
- if (oldrealmrefs[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- oldrealmrefs[j] = NULL;
- }
-
- /* Call list_modify_str_array() only if realm DN attribute
- * exists already -- Actually, it's better to handle this
- * within list_modify_str_array() */
- if (in_mask & LDAP_SERVICE_REALMREFERENCE) {
- /* Re-size existing list */
- existing_entries = list_count_str_array(
- srvparams->krbrealmreferences);
- new_entries = list_count_str_array(list);
- temp_ptr = (char **) realloc(srvparams->krbrealmreferences,
- sizeof(char *) * (existing_entries + new_entries + 1));
- if (temp_ptr == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- srvparams->krbrealmreferences = temp_ptr;
-
- list_modify_str_array(&(srvparams->krbrealmreferences),
- (const char**)list, LIST_MODE_ADD);
-
- /* Clean up */
- free (list);
- list = NULL;
- } else
- srvparams->krbrealmreferences = list;
-
- out_mask |= LDAP_SERVICE_REALMREFERENCE;
- }
- } else {
- /* Any other argument must be service DN
- -- skip it */
- }
+ if (!strcmp(argv[i], "-servicehost")) {
+ if (++i > argc - 1)
+ goto err_usage;
+
+ /* Free the old list if available */
+ if (srvparams->krbhostservers) {
+ krb5_free_list_entries (srvparams->krbhostservers);
+ free (srvparams->krbhostservers);
+ }
+
+ srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES,
+ sizeof(char *));
+ if (srvparams->krbhostservers == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
+ srvparams->krbhostservers))) {
+ goto cleanup;
+ }
+
+ if ((retval = process_host_list (srvparams->krbhostservers,
+ srvparams->servicetype))) {
+ goto cleanup;
+ }
+
+ out_mask |= LDAP_SERVICE_HOSTSERVER;
+
+ /* Set flag to ignore 'add' and 'clear' */
+ srvhost_flag = 1;
+ } else if (!strcmp(argv[i], "-clearservicehost")) {
+ if (++i > argc - 1)
+ goto err_usage;
+
+ if (!srvhost_flag) {
+ /* If attribute doesn't exist, don't permit 'clear' option */
+ if ((in_mask & LDAP_SERVICE_HOSTSERVER) == 0) {
+ /* Send out some proper error message here */
+ com_err(me, EINVAL, "service host list is empty\n");
+ goto err_nomsg;
+ }
+
+ /* Allocate list for processing */
+ list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (list == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
+ goto cleanup;
+
+ if ((retval = process_host_list (list, srvparams->servicetype))) {
+ goto cleanup;
+ }
+
+ list_modify_str_array(&(srvparams->krbhostservers),
+ (const char**)list, LIST_MODE_DELETE);
+
+ out_mask |= LDAP_SERVICE_HOSTSERVER;
+
+ /* Clean up */
+ free (list);
+ list = NULL;
+ }
+ } else if (!strcmp(argv[i], "-addservicehost")) {
+ if (++i > argc - 1)
+ goto err_usage;
+
+ if (!srvhost_flag) {
+ /* Allocate list for processing */
+ list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (list == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
+ goto cleanup;
+
+ if ((retval = process_host_list (list, srvparams->servicetype))) {
+ goto cleanup;
+ }
+
+ /* Call list_modify_str_array() only if host server attribute
+ * exists already --Actually, it's better to handle this
+ * within list_modify_str_array()
+ */
+ if (in_mask & LDAP_SERVICE_HOSTSERVER) {
+ /* Re-size existing list */
+ existing_entries = list_count_str_array(srvparams->krbhostservers);
+ new_entries = list_count_str_array(list);
+ temp_ptr = (char **) realloc(srvparams->krbhostservers,
+ sizeof(char *) * (existing_entries + new_entries + 1));
+ if (temp_ptr == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ srvparams->krbhostservers = temp_ptr;
+
+ list_modify_str_array(&(srvparams->krbhostservers),
+ (const char**)list, LIST_MODE_ADD);
+
+ /* Clean up */
+ free (list);
+ list = NULL;
+ } else
+ srvparams->krbhostservers = list;
+
+ out_mask |= LDAP_SERVICE_HOSTSERVER;
+ }
+ } else if (!strcmp(argv[i], "-realm")) {
+ if (++i > argc - 1)
+ goto err_usage;
+
+ if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences)) {
+ if (!oldrealmrefs) {
+ /* Store the old realm list for removing rights */
+ oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (oldrealmrefs == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
+ oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
+ if (oldrealmrefs[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
+ oldrealmrefs[j] = NULL;
+ }
+
+ /* Free the old list if available */
+ krb5_free_list_entries (srvparams->krbrealmreferences);
+ free (srvparams->krbrealmreferences);
+ }
+
+ srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES,
+ sizeof(char *));
+ if (srvparams->krbrealmreferences == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
+ srvparams->krbrealmreferences))) {
+ goto cleanup;
+ }
+
+ /* Convert realm names to realm DNs */
+ if ((retval = convert_realm_name2dn_list(
+ srvparams->krbrealmreferences,
+ ldap_context->krbcontainer->DN))) {
+ goto cleanup;
+ }
+
+ out_mask |= LDAP_SERVICE_REALMREFERENCE;
+
+ /* Set flag to ignore 'add' and 'clear' */
+ realmdn_flag = 1;
+ } else if (!strcmp(argv[i], "-clearrealm")) {
+ if (++i > argc - 1)
+ goto err_usage;
+
+ if (!realmdn_flag) {
+ /* If attribute doesn't exist, don't permit 'clear' option */
+ if (((in_mask & LDAP_SERVICE_REALMREFERENCE) == 0) || (srvparams->krbrealmreferences == NULL)) {
+ /* Send out some proper error message here */
+ goto err_nomsg;
+ }
+
+ if (!oldrealmrefs) {
+ /* Store the old realm list for removing rights */
+ oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (oldrealmrefs == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
+ oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
+ if (oldrealmrefs[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
+ oldrealmrefs[j] = NULL;
+ }
+
+ /* Allocate list for processing */
+ list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (list == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
+ goto cleanup;
+
+ /* Convert realm names to realm DNs */
+ if ((retval = convert_realm_name2dn_list(list,
+ ldap_context->krbcontainer->DN))) {
+ goto cleanup;
+ }
+
+ list_modify_str_array(&(srvparams->krbrealmreferences),
+ (const char**)list, LIST_MODE_DELETE);
+
+ out_mask |= LDAP_SERVICE_REALMREFERENCE;
+
+ /* Clean up */
+ free (list);
+ list = NULL;
+ }
+ } else if (!strcmp(argv[i], "-addrealm")) {
+ if (++i > argc - 1)
+ goto err_usage;
+
+ if (!realmdn_flag) {
+ /* Allocate list for processing */
+ list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (list == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
+ goto cleanup;
+
+ /* Convert realm names to realm DNs */
+ if ((retval = convert_realm_name2dn_list(list,
+ ldap_context->krbcontainer->DN))) {
+ goto cleanup;
+ }
+
+ if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences) && (!oldrealmrefs)) {
+ /* Store the old realm list for removing rights */
+ oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (oldrealmrefs == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
+ oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
+ if (oldrealmrefs[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
+ oldrealmrefs[j] = NULL;
+ }
+
+ /* Call list_modify_str_array() only if realm DN attribute
+ * exists already -- Actually, it's better to handle this
+ * within list_modify_str_array() */
+ if (in_mask & LDAP_SERVICE_REALMREFERENCE) {
+ /* Re-size existing list */
+ existing_entries = list_count_str_array(
+ srvparams->krbrealmreferences);
+ new_entries = list_count_str_array(list);
+ temp_ptr = (char **) realloc(srvparams->krbrealmreferences,
+ sizeof(char *) * (existing_entries + new_entries + 1));
+ if (temp_ptr == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ srvparams->krbrealmreferences = temp_ptr;
+
+ list_modify_str_array(&(srvparams->krbrealmreferences),
+ (const char**)list, LIST_MODE_ADD);
+
+ /* Clean up */
+ free (list);
+ list = NULL;
+ } else
+ srvparams->krbrealmreferences = list;
+
+ out_mask |= LDAP_SERVICE_REALMREFERENCE;
+ }
+ } else {
+ /* Any other argument must be service DN
+ -- skip it */
+ }
}
/* Modify attributes of object */
if ((retval = krb5_ldap_modify_service(util_context, srvparams, out_mask)))
- goto cleanup;
+ goto cleanup;
/* Service rights modification code */
if (out_mask & LDAP_SERVICE_REALMREFERENCE) {
- printf("%s","Changing rights for the service object. Please wait ... ");
- fflush(stdout);
-
- newrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (newrealmrefs == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) {
- for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
- newrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
- if (newrealmrefs[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- newrealmrefs[j] = NULL;
- }
- disjoint_members(oldrealmrefs, newrealmrefs);
-
- /* Delete the rights for the given service, on each of the realm
- * container & subtree in the old realm reference list.
- */
- if (oldrealmrefs) {
- rightsmask = 0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
-
- for (i = 0; (oldrealmrefs[i] != NULL); i++) {
- /* Get the realm name, not the dn */
- temprdns = ldap_explode_dn(oldrealmrefs[i], 1);
-
- if (temprdns[0] == NULL) {
- retval = EINVAL;
- goto cleanup;
- }
-
- realmName = strdup(temprdns[0]);
- if (realmName == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((retval = krb5_ldap_read_realm_params(util_context,
- realmName, &rparams, &rmask))) {
- com_err(me, retval, "while reading information of realm '%s'",
- realmName);
- goto err_nomsg;
- }
-
- if ((retval = krb5_ldap_delete_service_rights(util_context,
- srvparams->servicetype, srvparams->servicedn,
- realmName, rparams->subtree, rparams->containerref, rightsmask))) {
- printf("failed\n");
- com_err(me, retval, "while assigning rights '%s'",
- srvparams->servicedn);
- goto err_nomsg;
- }
-
- if (rparams)
- krb5_ldap_free_realm_params(rparams);
- }
- }
-
- /* Add the rights for the given service, on each of the realm
- * container & subtree in the new realm reference list.
- */
- if (newrealmrefs) {
- rightsmask = 0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
-
- for (i = 0; (newrealmrefs[i] != NULL); i++) {
- /* Get the realm name, not the dn */
- temprdns = ldap_explode_dn(newrealmrefs[i], 1);
-
- if (temprdns[0] == NULL) {
- retval = EINVAL;
- goto cleanup;
- }
-
- realmName = strdup(temprdns[0]);
- if (realmName == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
- &(ldap_context->krbcontainer)))) {
- com_err(me, retval,
- "while reading Kerberos container information");
- goto cleanup;
- }
-
- if ((retval = krb5_ldap_read_realm_params(util_context,
- realmName, &rparams, &rmask))) {
- com_err(me, retval, "while reading information of realm '%s'",
- realmName);
- goto err_nomsg;
- }
-
- if ((retval = krb5_ldap_add_service_rights(util_context,
- srvparams->servicetype, srvparams->servicedn,
- realmName, rparams->subtree, rparams->containerref, rightsmask))) {
- printf("failed\n");
- com_err(me, retval, "while assigning rights '%s'",
- srvparams->servicedn);
- goto err_nomsg;
- }
-
- if (rparams) {
- krb5_ldap_free_realm_params(rparams);
- rparams = NULL;
- }
- }
- printf("done\n");
- }
+ printf("%s","Changing rights for the service object. Please wait ... ");
+ fflush(stdout);
+
+ newrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (newrealmrefs == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) {
+ for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
+ newrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
+ if (newrealmrefs[j] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ }
+ newrealmrefs[j] = NULL;
+ }
+ disjoint_members(oldrealmrefs, newrealmrefs);
+
+ /* Delete the rights for the given service, on each of the realm
+ * container & subtree in the old realm reference list.
+ */
+ if (oldrealmrefs) {
+ rightsmask = 0;
+ rightsmask |= LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+
+ for (i = 0; (oldrealmrefs[i] != NULL); i++) {
+ /* Get the realm name, not the dn */
+ temprdns = ldap_explode_dn(oldrealmrefs[i], 1);
+
+ if (temprdns[0] == NULL) {
+ retval = EINVAL;
+ goto cleanup;
+ }
+
+ realmName = strdup(temprdns[0]);
+ if (realmName == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ if ((retval = krb5_ldap_read_realm_params(util_context,
+ realmName, &rparams, &rmask))) {
+ com_err(me, retval, "while reading information of realm '%s'",
+ realmName);
+ goto err_nomsg;
+ }
+
+ if ((retval = krb5_ldap_delete_service_rights(util_context,
+ srvparams->servicetype, srvparams->servicedn,
+ realmName, rparams->subtree, rparams->containerref, rightsmask))) {
+ printf("failed\n");
+ com_err(me, retval, "while assigning rights '%s'",
+ srvparams->servicedn);
+ goto err_nomsg;
+ }
+
+ if (rparams)
+ krb5_ldap_free_realm_params(rparams);
+ }
+ }
+
+ /* Add the rights for the given service, on each of the realm
+ * container & subtree in the new realm reference list.
+ */
+ if (newrealmrefs) {
+ rightsmask = 0;
+ rightsmask |= LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+
+ for (i = 0; (newrealmrefs[i] != NULL); i++) {
+ /* Get the realm name, not the dn */
+ temprdns = ldap_explode_dn(newrealmrefs[i], 1);
+
+ if (temprdns[0] == NULL) {
+ retval = EINVAL;
+ goto cleanup;
+ }
+
+ realmName = strdup(temprdns[0]);
+ if (realmName == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+
+ if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
+ &(ldap_context->krbcontainer)))) {
+ com_err(me, retval,
+ "while reading Kerberos container information");
+ goto cleanup;
+ }
+
+ if ((retval = krb5_ldap_read_realm_params(util_context,
+ realmName, &rparams, &rmask))) {
+ com_err(me, retval, "while reading information of realm '%s'",
+ realmName);
+ goto err_nomsg;
+ }
+
+ if ((retval = krb5_ldap_add_service_rights(util_context,
+ srvparams->servicetype, srvparams->servicedn,
+ realmName, rparams->subtree, rparams->containerref, rightsmask))) {
+ printf("failed\n");
+ com_err(me, retval, "while assigning rights '%s'",
+ srvparams->servicedn);
+ goto err_nomsg;
+ }
+
+ if (rparams) {
+ krb5_ldap_free_realm_params(rparams);
+ rparams = NULL;
+ }
+ }
+ printf("done\n");
+ }
}
goto cleanup;
krb5_ldap_free_service(util_context, srvparams);
if (servicedn)
- free(servicedn);
+ free(servicedn);
if (list) {
- free(list);
- list = NULL;
+ free(list);
+ list = NULL;
}
if (oldrealmrefs) {
- for (i = 0; oldrealmrefs[i] != NULL; i++)
- free(oldrealmrefs[i]);
- free(oldrealmrefs);
+ for (i = 0; oldrealmrefs[i] != NULL; i++)
+ free(oldrealmrefs[i]);
+ free(oldrealmrefs);
}
if (newrealmrefs) {
- for (i = 0; newrealmrefs[i] != NULL; i++)
- free(newrealmrefs[i]);
- free(newrealmrefs);
+ for (i = 0; newrealmrefs[i] != NULL; i++)
+ free(newrealmrefs[i]);
+ free(newrealmrefs);
}
if (realmName) {
- free(realmName);
- realmName = NULL;
+ free(realmName);
+ realmName = NULL;
}
if (print_usage)
- db_usage(MODIFY_SERVICE);
+ db_usage(MODIFY_SERVICE);
if (retval) {
- if (!no_msg)
- com_err(me, retval, "while modifying service object");
- exit_status++;
+ if (!no_msg)
+ com_err(me, retval, "while modifying service object");
+ exit_status++;
}
return;
* from the service password file.
*/
static krb5_error_code
-rem_service_entry_from_file(argc, argv, file_name, service_object)
- int argc;
- char *argv[];
- char *file_name;
- char *service_object;
+rem_service_entry_from_file(int argc, char *argv[], char *file_name,
+ char *service_object)
{
int st = EINVAL;
char *me = progname;
/* Check for permissions on the password file */
if (access(file_name, W_OK) == -1) {
- /* If the specified file itself is not there, no need to show error */
- if (errno == ENOENT) {
- st=0;
- goto cleanup;
- } else {
- com_err(me, errno, "while deleting entry from file %s", file_name);
- goto cleanup;
- }
+ /* If the specified file itself is not there, no need to show error */
+ if (errno == ENOENT) {
+ st=0;
+ goto cleanup;
+ } else {
+ com_err(me, errno, "while deleting entry from file %s", file_name);
+ goto cleanup;
+ }
}
/* Create a temporary file which contains all the entries except the
entry for the given service dn */
pfile = fopen(file_name, "r+");
if (pfile == NULL) {
- com_err(me, errno, "while deleting entry from file %s", file_name);
- goto cleanup;
+ com_err(me, errno, "while deleting entry from file %s", file_name);
+ goto cleanup;
}
set_cloexec_file(pfile);
/* Create a new file with the extension .tmp */
tmp_file = (char *)malloc(strlen(file_name) + 4 + 1);
if (tmp_file == NULL) {
- com_err(me, ENOMEM, "while deleting entry from file");
- fclose(pfile);
- goto cleanup;
+ com_err(me, ENOMEM, "while deleting entry from file");
+ fclose(pfile);
+ goto cleanup;
}
snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR);
umask(omask);
if (tmpfd == -1) {
- com_err(me, errno, "while deleting entry from file\n");
- fclose(pfile);
- goto cleanup;
+ com_err(me, errno, "while deleting entry from file\n");
+ fclose(pfile);
+ goto cleanup;
}
/* Copy only those lines which donot have the specified service dn */
while (fgets(line, MAX_LEN, pfile) != NULL) {
- if ((strstr(line, service_object) != NULL) &&
- (line[strlen(service_object)] == '#')) {
- continue;
- } else {
- len = strlen(line);
- if (write(tmpfd, line, len) != len) {
- com_err(me, errno, "while deleting entry from file\n");
- close(tmpfd);
- unlink(tmp_file);
- fclose(pfile);
- goto cleanup;
- }
- }
+ if ((strstr(line, service_object) != NULL) &&
+ (line[strlen(service_object)] == '#')) {
+ continue;
+ } else {
+ len = strlen(line);
+ if (write(tmpfd, line, len) != len) {
+ com_err(me, errno, "while deleting entry from file\n");
+ close(tmpfd);
+ unlink(tmp_file);
+ fclose(pfile);
+ goto cleanup;
+ }
+ }
}
fclose(pfile);
if (unlink(file_name) == 0) {
- link(tmp_file, file_name);
+ link(tmp_file, file_name);
} else {
- com_err(me, errno, "while deleting entry from file\n");
+ com_err(me, errno, "while deleting entry from file\n");
}
unlink(tmp_file);
cleanup:
if (tmp_file)
- free(tmp_file);
+ free(tmp_file);
return st;
}
* and unlink the references to the Realm objects (if any)
*/
void
-kdb5_ldap_destroy_service(argc, argv)
- int argc;
- char *argv[];
+kdb5_ldap_destroy_service(int argc, char *argv[])
{
int i = 0;
char buf[5] = {0};
krb5_boolean print_usage = FALSE;
if ((argc < 2) || (argc > 5)) {
- exit_status++;
- goto err_usage;
+ exit_status++;
+ goto err_usage;
}
for (i=1; i < argc; i++) {
- if (strcmp(argv[i],"-force")==0) {
- force++;
- } else if (strcmp(argv[i],"-f")==0) {
- if (argv[i+1]) {
- stashfilename=strdup(argv[i+1]);
- if (stashfilename == NULL) {
- com_err(progname, ENOMEM, "while destroying service");
- exit_status++;
- goto cleanup;
- }
- i++;
- } else {
- exit_status++;
- goto err_usage;
- }
- } else {
- if ((argv[i]) && (servicedn == NULL)) {
- servicedn=strdup(argv[i]);
- if (servicedn == NULL) {
- com_err(progname, ENOMEM, "while destroying service");
- exit_status++;
- goto cleanup;
- }
- } else {
- exit_status++;
- goto err_usage;
- }
- }
+ if (strcmp(argv[i],"-force")==0) {
+ force++;
+ } else if (strcmp(argv[i],"-f")==0) {
+ if (argv[i+1]) {
+ stashfilename=strdup(argv[i+1]);
+ if (stashfilename == NULL) {
+ com_err(progname, ENOMEM, "while destroying service");
+ exit_status++;
+ goto cleanup;
+ }
+ i++;
+ } else {
+ exit_status++;
+ goto err_usage;
+ }
+ } else {
+ if ((argv[i]) && (servicedn == NULL)) {
+ servicedn=strdup(argv[i]);
+ if (servicedn == NULL) {
+ com_err(progname, ENOMEM, "while destroying service");
+ exit_status++;
+ goto cleanup;
+ }
+ } else {
+ exit_status++;
+ goto err_usage;
+ }
+ }
}
if (!servicedn) {
- exit_status++;
- goto err_usage;
+ exit_status++;
+ goto err_usage;
}
if (!force) {
- printf("This will delete the service object '%s', are you sure?\n", servicedn);
- printf("(type 'yes' to confirm)? ");
- if (fgets(buf, sizeof(buf), stdin) == NULL) {
- exit_status++;
- goto cleanup;;
- }
- if (strcmp(buf, yes)) {
- exit_status++;
- goto cleanup;
- }
+ printf("This will delete the service object '%s', are you sure?\n", servicedn);
+ printf("(type 'yes' to confirm)? ");
+ if (fgets(buf, sizeof(buf), stdin) == NULL) {
+ exit_status++;
+ goto cleanup;;
+ }
+ if (strcmp(buf, yes)) {
+ exit_status++;
+ goto cleanup;
+ }
}
if ((retval = krb5_ldap_read_service(util_context, servicedn,
- &lserparams, &mask))) {
- com_err(progname, retval, "while destroying service '%s'",servicedn);
- exit_status++;
- goto cleanup;
+ &lserparams, &mask))) {
+ com_err(progname, retval, "while destroying service '%s'",servicedn);
+ exit_status++;
+ goto cleanup;
}
retval = krb5_ldap_delete_service(util_context, lserparams, servicedn);
if (retval) {
- com_err(progname, retval, "while destroying service '%s'", servicedn);
- exit_status++;
- goto cleanup;
+ com_err(progname, retval, "while destroying service '%s'", servicedn);
+ exit_status++;
+ goto cleanup;
}
if (stashfilename == NULL) {
- stashfilename = strdup(DEF_SERVICE_PASSWD_FILE);
- if (stashfilename == NULL) {
- com_err(progname, ENOMEM, "while destroying service");
- exit_status++;
- goto cleanup;
- }
+ stashfilename = strdup(DEF_SERVICE_PASSWD_FILE);
+ if (stashfilename == NULL) {
+ com_err(progname, ENOMEM, "while destroying service");
+ exit_status++;
+ goto cleanup;
+ }
}
printf("** service object '%s' deleted.\n", servicedn);
retval = rem_service_entry_from_file(argc, argv, stashfilename, servicedn);
if (retval)
- printf("** error removing service object entry '%s' from password file.\n",
- servicedn);
+ printf("** error removing service object entry '%s' from password file.\n",
+ servicedn);
goto cleanup;
cleanup:
if (lserparams) {
- krb5_ldap_free_service(util_context, lserparams);
+ krb5_ldap_free_service(util_context, lserparams);
}
if (servicedn) {
- free(servicedn);
+ free(servicedn);
}
if (stashfilename) {
- free(stashfilename);
+ free(stashfilename);
}
if (print_usage) {
- db_usage(DESTROY_SERVICE);
+ db_usage(DESTROY_SERVICE);
}
return;
/*
* This function will display information about the given service object
*/
-void kdb5_ldap_view_service(argc, argv)
- int argc;
- char *argv[];
+void
+kdb5_ldap_view_service(int argc, char *argv[])
{
krb5_ldap_service_params *lserparams = NULL;
krb5_error_code retval = 0;
krb5_boolean print_usage = FALSE;
if (!(argc == 2)) {
- exit_status++;
- goto err_usage;
+ exit_status++;
+ goto err_usage;
}
servicedn=strdup(argv[1]);
if (servicedn == NULL) {
- com_err(progname, ENOMEM, "while viewing service");
- exit_status++;
- goto cleanup;
+ com_err(progname, ENOMEM, "while viewing service");
+ exit_status++;
+ goto cleanup;
}
if ((retval = krb5_ldap_read_service(util_context, servicedn, &lserparams, &mask))) {
- com_err(progname, retval, "while viewing service '%s'",servicedn);
- exit_status++;
- goto cleanup;
+ com_err(progname, retval, "while viewing service '%s'",servicedn);
+ exit_status++;
+ goto cleanup;
}
print_service_params(lserparams, mask);
cleanup:
if (lserparams) {
- krb5_ldap_free_service(util_context, lserparams);
+ krb5_ldap_free_service(util_context, lserparams);
}
if (servicedn)
- free(servicedn);
+ free(servicedn);
if (print_usage) {
- db_usage(VIEW_SERVICE);
+ db_usage(VIEW_SERVICE);
}
return;
* This function will list the DNs of kerberos services present on
* the LDAP Server under a specific sub-tree (entire tree by default)
*/
-void kdb5_ldap_list_services(argc, argv)
- int argc;
- char *argv[];
+void
+kdb5_ldap_list_services(int argc, char *argv[])
{
char *me = progname;
krb5_error_code retval = 0;
/* Check for number of arguments */
if ((argc != 1) && (argc != 3)) {
- exit_status++;
- goto err_usage;
+ exit_status++;
+ goto err_usage;
}
/* Parse base DN argument if present */
if (argc == 3) {
- if (strcmp(argv[1], "-basedn")) {
- retval = EINVAL;
- goto err_usage;
- }
+ if (strcmp(argv[1], "-basedn")) {
+ retval = EINVAL;
+ goto err_usage;
+ }
- basedn = strdup(argv[2]);
- if (basedn == NULL) {
- com_err(me, ENOMEM, "while listing services");
- exit_status++;
- goto cleanup;
- }
+ basedn = strdup(argv[2]);
+ if (basedn == NULL) {
+ com_err(me, ENOMEM, "while listing services");
+ exit_status++;
+ goto cleanup;
+ }
}
retval = krb5_ldap_list_services(util_context, basedn, &list);
if ((retval != 0) || (list == NULL)) {
- exit_status++;
- goto cleanup;
+ exit_status++;
+ goto cleanup;
}
for (plist = list; *plist != NULL; plist++) {
- printf("%s\n", *plist);
+ printf("%s\n", *plist);
}
goto cleanup;
cleanup:
if (list != NULL) {
- krb5_free_list_entries (list);
- free (list);
+ krb5_free_list_entries (list);
+ free (list);
}
if (basedn)
- free (basedn);
+ free (basedn);
if (print_usage) {
- db_usage(LIST_SERVICE);
+ db_usage(LIST_SERVICE);
}
if (retval) {
- com_err(me, retval, "while listing policy objects");
- exit_status++;
+ com_err(me, retval, "while listing policy objects");
+ exit_status++;
}
return;
* to the standard output
*/
static void
-print_service_params(lserparams, mask)
- krb5_ldap_service_params *lserparams;
- int mask;
+print_service_params(krb5_ldap_service_params *lserparams, int mask)
{
int i=0;
/* Print the service type of the object to be read */
if (lserparams->servicetype == LDAP_KDC_SERVICE) {
- printf("%20s%-20s\n","Service type: ","kdc");
+ printf("%20s%-20s\n","Service type: ","kdc");
} else if (lserparams->servicetype == LDAP_ADMIN_SERVICE) {
- printf("%20s%-20s\n","Service type: ","admin");
+ printf("%20s%-20s\n","Service type: ","admin");
} else if (lserparams->servicetype == LDAP_PASSWD_SERVICE) {
- printf("%20s%-20s\n","Service type: ","pwd");
+ printf("%20s%-20s\n","Service type: ","pwd");
}
/* Print the host server values */
printf("%20s\n","Service host list: ");
if (mask & LDAP_SERVICE_HOSTSERVER) {
- for (i=0; lserparams->krbhostservers[i] != NULL; ++i) {
- printf("%20s%-50s\n","",lserparams->krbhostservers[i]);
- }
+ for (i=0; lserparams->krbhostservers[i] != NULL; ++i) {
+ printf("%20s%-50s\n","",lserparams->krbhostservers[i]);
+ }
}
/* Print the realm reference dn values */
printf("%20s\n","Realm DN list: ");
if (mask & LDAP_SERVICE_REALMREFERENCE) {
- for (i=0; lserparams && lserparams->krbrealmreferences && lserparams->krbrealmreferences[i] != NULL; ++i) {
- printf("%20s%-50s\n","",lserparams->krbrealmreferences[i]);
- }
+ for (i=0; lserparams && lserparams->krbrealmreferences && lserparams->krbrealmreferences[i] != NULL; ++i) {
+ printf("%20s%-50s\n","",lserparams->krbrealmreferences[i]);
+ }
}
return;
* OUTPUT:
* RANDOM_PASSWD_LEN length random password
*/
-static int generate_random_password(krb5_context ctxt, char **randpwd, unsigned int *passlen)
+static int
+generate_random_password(krb5_context ctxt, char **randpwd,
+ unsigned int *passlen)
{
char *random_pwd = NULL;
int ret = 0;
data.length = RANDOM_PASSWD_LEN;
random_pwd = (char *)malloc(data.length + 1);
if (random_pwd == NULL) {
- com_err("setsrvpw", ENOMEM, "while generating random password");
- return ENOMEM;
+ com_err("setsrvpw", ENOMEM, "while generating random password");
+ return ENOMEM;
}
memset(random_pwd, 0, data.length + 1);
data.data = random_pwd;
ret = krb5_c_random_make_octets(ctxt, &data);
if (ret) {
- com_err("setsrvpw", ret, "Error generating random password");
- free(random_pwd);
- return ret;
+ com_err("setsrvpw", ret, "Error generating random password");
+ free(random_pwd);
+ return ret;
}
for (i=0; i<data.length; i++) {
- /* restricting to ascii chars. Need to change this when 8.8 supports */
- if ((unsigned char)random_pwd[i] > 127) {
- random_pwd[i] = (unsigned char)random_pwd[i] % 128;
- } else if (random_pwd[i] == 0) {
- random_pwd[i] = (rand()/(RAND_MAX/127 + 1))+1;
- }
+ /* restricting to ascii chars. Need to change this when 8.8 supports */
+ if ((unsigned char)random_pwd[i] > 127) {
+ random_pwd[i] = (unsigned char)random_pwd[i] % 128;
+ } else if (random_pwd[i] == 0) {
+ random_pwd[i] = (rand()/(RAND_MAX/127 + 1))+1;
+ }
}
*randpwd = random_pwd;
* void
*/
int
-kdb5_ldap_set_service_password(argc, argv)
- int argc;
- char **argv;
+kdb5_ldap_set_service_password(int argc, char **argv)
{
krb5_ldap_context *lparams = NULL;
char *file_name = NULL;
/* The arguments for setsrv password should contain the service object DN
* and options to specify whether the password should be updated in file only
* or both file and directory. So the possible combination of arguments are:
- * setsrvpw servicedn wherein argc is 2
- * setsrvpw -fileonly servicedn wherein argc is 3
- * setsrvpw -randpw servicedn wherein argc is 3
- * setsrvpw -f filename servicedn wherein argc is 4
- * setsrvpw -fileonly -f filename servicedn wherein argc is 5
- * setsrvpw -randpw -f filename servicedn wherein argc is 5
+ * setsrvpw servicedn wherein argc is 2
+ * setsrvpw -fileonly servicedn wherein argc is 3
+ * setsrvpw -randpw servicedn wherein argc is 3
+ * setsrvpw -f filename servicedn wherein argc is 4
+ * setsrvpw -fileonly -f filename servicedn wherein argc is 5
+ * setsrvpw -randpw -f filename servicedn wherein argc is 5
*/
if ((argc < 2) || (argc > 5)) {
- print_usage = TRUE;
- goto cleanup;
+ print_usage = TRUE;
+ goto cleanup;
}
dal_handle = util_context->dal_handle;
lparams = (krb5_ldap_context *) dal_handle->db_context;
if (lparams == NULL) {
- printf("%s: Invalid LDAP handle\n", me);
- goto cleanup;
+ printf("%s: Invalid LDAP handle\n", me);
+ goto cleanup;
}
/* Parse the arguments */
for (i = 1; i < argc -1 ; i++) {
- if (strcmp(argv[i], "-randpw") == 0) {
- random_passwd = 1;
- } else if (strcmp(argv[i], "-fileonly") == 0) {
- set_dir_pwd = 0;
- } else if (strcmp(argv[i], "-f") == 0) {
- if (argv[++i] == NULL) {
- print_usage = TRUE;
- goto cleanup;
- }
-
- file_name = strdup(argv[i]);
- if (file_name == NULL) {
- com_err(me, ENOMEM, "while setting service object password");
- goto cleanup;
- }
- /* Verify if the file location has the proper file name
- * for eg, if the file location is a directory like /home/temp/,
- * we reject it.
- */
- filelen = strlen(file_name);
- if ((filelen == 0) || (file_name[filelen-1] == '/')) {
- printf("%s: Filename not specified for setting service object password\n", me);
- print_usage = TRUE;
- goto cleanup;
- }
- } else {
- printf("%s: Invalid option specified for \"setsrvpw\" command\n", me);
- print_usage = TRUE;
- goto cleanup;
- }
+ if (strcmp(argv[i], "-randpw") == 0) {
+ random_passwd = 1;
+ } else if (strcmp(argv[i], "-fileonly") == 0) {
+ set_dir_pwd = 0;
+ } else if (strcmp(argv[i], "-f") == 0) {
+ if (argv[++i] == NULL) {
+ print_usage = TRUE;
+ goto cleanup;
+ }
+
+ file_name = strdup(argv[i]);
+ if (file_name == NULL) {
+ com_err(me, ENOMEM, "while setting service object password");
+ goto cleanup;
+ }
+ /* Verify if the file location has the proper file name
+ * for eg, if the file location is a directory like /home/temp/,
+ * we reject it.
+ */
+ filelen = strlen(file_name);
+ if ((filelen == 0) || (file_name[filelen-1] == '/')) {
+ printf("%s: Filename not specified for setting service object password\n", me);
+ print_usage = TRUE;
+ goto cleanup;
+ }
+ } else {
+ printf("%s: Invalid option specified for \"setsrvpw\" command\n", me);
+ print_usage = TRUE;
+ goto cleanup;
+ }
}
if (i != argc-1) {
- print_usage = TRUE;
- goto cleanup;
+ print_usage = TRUE;
+ goto cleanup;
}
service_object = strdup(argv[i]);
if (service_object == NULL) {
- com_err(me, ENOMEM, "while setting service object password");
- goto cleanup;
+ com_err(me, ENOMEM, "while setting service object password");
+ goto cleanup;
}
if (strlen(service_object) == 0) {
- printf("%s: Service object not specified for \"setsrvpw\" command\n", me);
- print_usage = TRUE;
- goto cleanup;
+ printf("%s: Service object not specified for \"setsrvpw\" command\n", me);
+ print_usage = TRUE;
+ goto cleanup;
}
if (service_object[0] == '-') {
- print_usage = TRUE;
- goto cleanup;
+ print_usage = TRUE;
+ goto cleanup;
}
if (file_name == NULL) {
- file_name = strdup(DEF_SERVICE_PASSWD_FILE);
- if (file_name == NULL) {
- com_err(me, ENOMEM, "while setting service object password");
- goto cleanup;
- }
+ file_name = strdup(DEF_SERVICE_PASSWD_FILE);
+ if (file_name == NULL) {
+ com_err(me, ENOMEM, "while setting service object password");
+ goto cleanup;
+ }
}
if (set_dir_pwd) {
- if (db_inited == FALSE) {
- if ((errcode = krb5_ldap_db_init(util_context, lparams))) {
- com_err(me, errcode, "while initializing database");
- goto cleanup;
- }
- db_init_local = TRUE;
- }
+ if (db_inited == FALSE) {
+ if ((errcode = krb5_ldap_db_init(util_context, lparams))) {
+ com_err(me, errcode, "while initializing database");
+ goto cleanup;
+ }
+ db_init_local = TRUE;
+ }
}
if (random_passwd) {
- if (!set_dir_pwd) {
- printf("%s: Invalid option specified for \"setsrvpw\" command\n", me);
- print_usage = TRUE;
- goto cleanup;
- } else {
- /* Generate random password */
-
- if ((errcode = generate_random_password(util_context, &passwd, &passwd_len))) {
- printf("%s: Failed to set service object password\n", me);
- goto cleanup;
- }
- passwd_len = strlen(passwd);
- }
+ if (!set_dir_pwd) {
+ printf("%s: Invalid option specified for \"setsrvpw\" command\n", me);
+ print_usage = TRUE;
+ goto cleanup;
+ } else {
+ /* Generate random password */
+
+ if ((errcode = generate_random_password(util_context, &passwd, &passwd_len))) {
+ printf("%s: Failed to set service object password\n", me);
+ goto cleanup;
+ }
+ passwd_len = strlen(passwd);
+ }
} else {
- /* Get the service object password from the terminal */
- passwd = (char *)malloc(MAX_SERVICE_PASSWD_LEN + 1);
- if (passwd == NULL) {
- com_err(me, ENOMEM, "while setting service object password");
- goto cleanup;
- }
- memset(passwd, 0, MAX_SERVICE_PASSWD_LEN + 1);
- passwd_len = MAX_SERVICE_PASSWD_LEN;
-
- if (asprintf(&prompt1, "Password for \"%s\"", service_object) < 0) {
- com_err(me, ENOMEM, "while setting service object password");
- goto cleanup;
- }
-
- if (asprintf(&prompt2, "Re-enter password for \"%s\"",
- service_object) < 0) {
- com_err(me, ENOMEM, "while setting service object password");
- free(prompt1);
- goto cleanup;
- }
-
- retval = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len);
- free(prompt1);
- free(prompt2);
- if (retval) {
- com_err(me, retval, "while setting service object password");
- memset(passwd, 0, MAX_SERVICE_PASSWD_LEN);
- goto cleanup;
- }
- if (passwd_len == 0) {
- printf("%s: Invalid password\n", me);
- memset(passwd, 0, MAX_SERVICE_PASSWD_LEN);
- goto cleanup;
- }
- passwd_len = strlen(passwd);
+ /* Get the service object password from the terminal */
+ passwd = (char *)malloc(MAX_SERVICE_PASSWD_LEN + 1);
+ if (passwd == NULL) {
+ com_err(me, ENOMEM, "while setting service object password");
+ goto cleanup;
+ }
+ memset(passwd, 0, MAX_SERVICE_PASSWD_LEN + 1);
+ passwd_len = MAX_SERVICE_PASSWD_LEN;
+
+ if (asprintf(&prompt1, "Password for \"%s\"", service_object) < 0) {
+ com_err(me, ENOMEM, "while setting service object password");
+ goto cleanup;
+ }
+
+ if (asprintf(&prompt2, "Re-enter password for \"%s\"",
+ service_object) < 0) {
+ com_err(me, ENOMEM, "while setting service object password");
+ free(prompt1);
+ goto cleanup;
+ }
+
+ retval = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len);
+ free(prompt1);
+ free(prompt2);
+ if (retval) {
+ com_err(me, retval, "while setting service object password");
+ memset(passwd, 0, MAX_SERVICE_PASSWD_LEN);
+ goto cleanup;
+ }
+ if (passwd_len == 0) {
+ printf("%s: Invalid password\n", me);
+ memset(passwd, 0, MAX_SERVICE_PASSWD_LEN);
+ goto cleanup;
+ }
+ passwd_len = strlen(passwd);
}
/* Hex the password */
{
- krb5_data pwd, hex;
- pwd.length = passwd_len;
- pwd.data = passwd;
-
- errcode = tohex(pwd, &hex);
- if (errcode != 0) {
- if (hex.length != 0) {
- memset(hex.data, 0, hex.length);
- free(hex.data);
- }
- com_err(me, errcode, "Failed to convert the password to hex");
- memset(passwd, 0, passwd_len);
- goto cleanup;
- }
- /* Password = {HEX}<encrypted password>:<encrypted key> */
- if (asprintf(&str, "%s#{HEX}%s\n", service_object, hex.data) < 0) {
- com_err(me, ENOMEM, "while setting service object password");
- memset(passwd, 0, passwd_len);
- memset(hex.data, 0, hex.length);
- free(hex.data);
- goto cleanup;
- }
- encrypted_passwd.value = (unsigned char *)str;
- encrypted_passwd.len = strlen(str);
- memset(hex.data, 0, hex.length);
- free(hex.data);
+ krb5_data pwd, hex;
+ pwd.length = passwd_len;
+ pwd.data = passwd;
+
+ errcode = tohex(pwd, &hex);
+ if (errcode != 0) {
+ if (hex.length != 0) {
+ memset(hex.data, 0, hex.length);
+ free(hex.data);
+ }
+ com_err(me, errcode, "Failed to convert the password to hex");
+ memset(passwd, 0, passwd_len);
+ goto cleanup;
+ }
+ /* Password = {HEX}<encrypted password>:<encrypted key> */
+ if (asprintf(&str, "%s#{HEX}%s\n", service_object, hex.data) < 0) {
+ com_err(me, ENOMEM, "while setting service object password");
+ memset(passwd, 0, passwd_len);
+ memset(hex.data, 0, hex.length);
+ free(hex.data);
+ goto cleanup;
+ }
+ encrypted_passwd.value = (unsigned char *)str;
+ encrypted_passwd.len = strlen(str);
+ memset(hex.data, 0, hex.length);
+ free(hex.data);
}
/* We should check if the file exists and we have permission to write into that file */
if (access(file_name, W_OK) == -1) {
- if (errno == ENOENT) {
- mode_t omask;
- int fd = -1;
-
- printf("File does not exist. Creating the file %s...\n", file_name);
- omask = umask(077);
- fd = creat(file_name, S_IRUSR|S_IWUSR);
- umask(omask);
- if (fd == -1) {
- com_err(me, errno, "Error creating file %s", file_name);
- memset(passwd, 0, passwd_len);
- goto cleanup;
- }
- close(fd);
- } else {
- com_err(me, errno, "Unable to access the file %s", file_name);
- memset(passwd, 0, passwd_len);
- goto cleanup;
- }
+ if (errno == ENOENT) {
+ mode_t omask;
+ int fd = -1;
+
+ printf("File does not exist. Creating the file %s...\n", file_name);
+ omask = umask(077);
+ fd = creat(file_name, S_IRUSR|S_IWUSR);
+ umask(omask);
+ if (fd == -1) {
+ com_err(me, errno, "Error creating file %s", file_name);
+ memset(passwd, 0, passwd_len);
+ goto cleanup;
+ }
+ close(fd);
+ } else {
+ com_err(me, errno, "Unable to access the file %s", file_name);
+ memset(passwd, 0, passwd_len);
+ goto cleanup;
+ }
}
if (set_dir_pwd) {
- if ((errcode = krb5_ldap_set_service_passwd(util_context, service_object, passwd)) != 0) {
- com_err(me, errcode, "Failed to set password for service object %s", service_object);
- memset(passwd, 0, passwd_len);
- goto cleanup;
- }
+ if ((errcode = krb5_ldap_set_service_passwd(util_context, service_object, passwd)) != 0) {
+ com_err(me, errcode, "Failed to set password for service object %s", service_object);
+ memset(passwd, 0, passwd_len);
+ goto cleanup;
+ }
}
memset(passwd, 0, passwd_len);
/* set password in the file */
pfile = fopen(file_name, "r+");
if (pfile == NULL) {
- com_err(me, errno, "Failed to open file %s", file_name);
- goto cleanup;
+ com_err(me, errno, "Failed to open file %s", file_name);
+ goto cleanup;
}
set_cloexec_file(pfile);
while (fgets(line, MAX_LEN, pfile) != NULL) {
- if ((str = strstr(line, service_object)) != NULL) {
- if (line[strlen(service_object)] == '#') {
- break;
- }
- str = NULL;
- }
+ if ((str = strstr(line, service_object)) != NULL) {
+ if (line[strlen(service_object)] == '#') {
+ break;
+ }
+ str = NULL;
+ }
}
if (str == NULL) {
- if (feof(pfile)) {
- /* If the service object dn is not present in the service password file */
- if (fwrite(encrypted_passwd.value, (unsigned int)encrypted_passwd.len, 1, pfile) != 1) {
- com_err(me, errno, "Failed to write service object password to file");
- goto cleanup;
- }
- } else {
- com_err(me, errno, "Error reading service object password file");
- goto cleanup;
- }
- fclose(pfile);
- pfile = NULL;
+ if (feof(pfile)) {
+ /* If the service object dn is not present in the service password file */
+ if (fwrite(encrypted_passwd.value, (unsigned int)encrypted_passwd.len, 1, pfile) != 1) {
+ com_err(me, errno, "Failed to write service object password to file");
+ goto cleanup;
+ }
+ } else {
+ com_err(me, errno, "Error reading service object password file");
+ goto cleanup;
+ }
+ fclose(pfile);
+ pfile = NULL;
} else {
- /* Password entry for the service object is already present in the file */
- /* Delete the existing entry and add the new entry */
- FILE *newfile = NULL;
- mode_t omask;
-
- /* Create a new file with the extension .tmp */
- if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) {
- com_err(me, ENOMEM, "while setting service object password");
- goto cleanup;
- }
-
- omask = umask(077);
- newfile = fopen(tmp_file, "w+");
- umask(omask);
- if (newfile == NULL) {
- com_err(me, errno, "Error creating file %s", tmp_file);
- goto cleanup;
- }
- set_cloexec_file(newfile);
-
- fseek(pfile, 0, SEEK_SET);
- while (fgets(line, MAX_LEN, pfile) != NULL) {
- if (((str = strstr(line, service_object)) != NULL) && (line[strlen(service_object)] == '#')) {
- if (fprintf(newfile, "%s", encrypted_passwd.value) < 0) {
- com_err(me, errno, "Failed to write service object password to file");
- fclose(newfile);
- unlink(tmp_file);
- goto cleanup;
- }
- } else {
- if (fprintf(newfile, "%s", line) < 0) {
- com_err(me, errno, "Failed to write service object password to file");
- fclose(newfile);
- unlink(tmp_file);
- goto cleanup;
- }
- }
- }
-
- if (!feof(pfile)) {
- com_err(me, errno, "Error reading service object password file");
- fclose(newfile);
- unlink(tmp_file);
- goto cleanup;
- }
-
- /* TODO: file lock for the service password file */
- fclose(pfile);
- pfile = NULL;
-
- fclose(newfile);
- newfile = NULL;
-
- if (unlink(file_name) == 0) {
- link(tmp_file, file_name);
- } else {
- com_err(me, errno, "Failed to write service object password to file");
- unlink(tmp_file);
- goto cleanup;
- }
- unlink(tmp_file);
+ /* Password entry for the service object is already present in the file */
+ /* Delete the existing entry and add the new entry */
+ FILE *newfile = NULL;
+ mode_t omask;
+
+ /* Create a new file with the extension .tmp */
+ if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) {
+ com_err(me, ENOMEM, "while setting service object password");
+ goto cleanup;
+ }
+
+ omask = umask(077);
+ newfile = fopen(tmp_file, "w+");
+ umask(omask);
+ if (newfile == NULL) {
+ com_err(me, errno, "Error creating file %s", tmp_file);
+ goto cleanup;
+ }
+ set_cloexec_file(newfile);
+
+ fseek(pfile, 0, SEEK_SET);
+ while (fgets(line, MAX_LEN, pfile) != NULL) {
+ if (((str = strstr(line, service_object)) != NULL) && (line[strlen(service_object)] == '#')) {
+ if (fprintf(newfile, "%s", encrypted_passwd.value) < 0) {
+ com_err(me, errno, "Failed to write service object password to file");
+ fclose(newfile);
+ unlink(tmp_file);
+ goto cleanup;
+ }
+ } else {
+ if (fprintf(newfile, "%s", line) < 0) {
+ com_err(me, errno, "Failed to write service object password to file");
+ fclose(newfile);
+ unlink(tmp_file);
+ goto cleanup;
+ }
+ }
+ }
+
+ if (!feof(pfile)) {
+ com_err(me, errno, "Error reading service object password file");
+ fclose(newfile);
+ unlink(tmp_file);
+ goto cleanup;
+ }
+
+ /* TODO: file lock for the service password file */
+ fclose(pfile);
+ pfile = NULL;
+
+ fclose(newfile);
+ newfile = NULL;
+
+ if (unlink(file_name) == 0) {
+ link(tmp_file, file_name);
+ } else {
+ com_err(me, errno, "Failed to write service object password to file");
+ unlink(tmp_file);
+ goto cleanup;
+ }
+ unlink(tmp_file);
}
errcode = 0;
cleanup:
if (db_init_local)
- krb5_ldap_close(util_context);
+ krb5_ldap_close(util_context);
if (service_object)
- free(service_object);
+ free(service_object);
if (file_name)
- free(file_name);
+ free(file_name);
if (passwd)
- free(passwd);
+ free(passwd);
if (encrypted_passwd.value) {
- memset(encrypted_passwd.value, 0, encrypted_passwd.len);
- free(encrypted_passwd.value);
+ memset(encrypted_passwd.value, 0, encrypted_passwd.len);
+ free(encrypted_passwd.value);
}
if (pfile)
- fclose(pfile);
+ fclose(pfile);
if (tmp_file)
- free(tmp_file);
+ free(tmp_file);
if (print_usage)
- db_usage(SET_SRV_PW);
+ db_usage(SET_SRV_PW);
return errcode;
}
* little more secure than storing plain password in the file ...
*/
void
-kdb5_ldap_stash_service_password(argc, argv)
- int argc;
- char **argv;
+kdb5_ldap_stash_service_password(int argc, char **argv)
{
int ret = 0;
unsigned int passwd_len = 0;
* 'filename' is the path of the stash file
*/
if (argc != 2 && argc != 4) {
- print_usage = TRUE;
- goto cleanup;
+ print_usage = TRUE;
+ goto cleanup;
}
if (argc == 4) {
- /* Find the stash file name */
- if (strcmp (argv[1], "-f") == 0) {
- if (((file_name = strdup (argv[2])) == NULL) ||
- ((service_object = strdup (argv[3])) == NULL)) {
- com_err(me, ENOMEM, "while setting service object password");
- goto cleanup;
- }
- } else if (strcmp (argv[2], "-f") == 0) {
- if (((file_name = strdup (argv[3])) == NULL) ||
- ((service_object = strdup (argv[1])) == NULL)) {
- com_err(me, ENOMEM, "while setting service object password");
- goto cleanup;
- }
- } else {
- print_usage = TRUE;
- goto cleanup;
- }
- if (file_name == NULL) {
- com_err(me, ENOMEM, "while setting service object password");
- goto cleanup;
- }
+ /* Find the stash file name */
+ if (strcmp (argv[1], "-f") == 0) {
+ if (((file_name = strdup (argv[2])) == NULL) ||
+ ((service_object = strdup (argv[3])) == NULL)) {
+ com_err(me, ENOMEM, "while setting service object password");
+ goto cleanup;
+ }
+ } else if (strcmp (argv[2], "-f") == 0) {
+ if (((file_name = strdup (argv[3])) == NULL) ||
+ ((service_object = strdup (argv[1])) == NULL)) {
+ com_err(me, ENOMEM, "while setting service object password");
+ goto cleanup;
+ }
+ } else {
+ print_usage = TRUE;
+ goto cleanup;
+ }
+ if (file_name == NULL) {
+ com_err(me, ENOMEM, "while setting service object password");
+ goto cleanup;
+ }
} else { /* argc == 2 */
- char *section;
-
- service_object = strdup (argv[1]);
- if (service_object == NULL) {
- com_err(me, ENOMEM, "while setting service object password");
- goto cleanup;
- }
-
- /* Pick up the stash-file name from krb5.conf */
- profile_get_string(util_context->profile, KDB_REALM_SECTION,
- util_context->default_realm, KDB_MODULE_POINTER, NULL, §ion);
-
- if (section == NULL) {
- profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION,
- KDB_MODULE_POINTER, NULL, NULL, §ion);
- if (section == NULL) {
- /* Stash file path neither in krb5.conf nor on command line */
- file_name = strdup(DEF_SERVICE_PASSWD_FILE);
- if (file_name == NULL) {
- com_err(me, ENOMEM, "while setting service object password");
- goto cleanup;
- }
- goto done;
- }
- }
-
- profile_get_string (util_context->profile, KDB_MODULE_SECTION, section,
- "ldap_service_password_file", NULL, &file_name);
+ char *section;
+
+ service_object = strdup (argv[1]);
+ if (service_object == NULL) {
+ com_err(me, ENOMEM, "while setting service object password");
+ goto cleanup;
+ }
+
+ /* Pick up the stash-file name from krb5.conf */
+ profile_get_string(util_context->profile, KDB_REALM_SECTION,
+ util_context->default_realm, KDB_MODULE_POINTER, NULL, §ion);
+
+ if (section == NULL) {
+ profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION,
+ KDB_MODULE_POINTER, NULL, NULL, §ion);
+ if (section == NULL) {
+ /* Stash file path neither in krb5.conf nor on command line */
+ file_name = strdup(DEF_SERVICE_PASSWD_FILE);
+ if (file_name == NULL) {
+ com_err(me, ENOMEM, "while setting service object password");
+ goto cleanup;
+ }
+ goto done;
+ }
+ }
+
+ profile_get_string (util_context->profile, KDB_MODULE_SECTION, section,
+ "ldap_service_password_file", NULL, &file_name);
}
done:
/* Get password from user */
{
- char prompt1[256], prompt2[256];
-
- /* Get the service object password from the terminal */
- memset(passwd, 0, sizeof (passwd));
- passwd_len = sizeof (passwd);
-
- /* size of prompt = strlen of servicedn + strlen("Password for \" \"") */
- assert (sizeof (prompt1) > (strlen (service_object)
- + sizeof ("Password for \" \"")));
- snprintf(prompt1, sizeof(prompt1), "Password for \"%s\"", service_object);
-
- /* size of prompt = strlen of servicedn + strlen("Re-enter Password for \" \"") */
- assert (sizeof (prompt2) > (strlen (service_object)
- + sizeof ("Re-enter Password for \" \"")));
- snprintf(prompt2, sizeof(prompt2), "Re-enter password for \"%s\"", service_object);
-
- ret = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len);
- if (ret != 0) {
- com_err(me, ret, "while setting service object password");
- memset(passwd, 0, sizeof (passwd));
- goto cleanup;
- }
+ char prompt1[256], prompt2[256];
+
+ /* Get the service object password from the terminal */
+ memset(passwd, 0, sizeof (passwd));
+ passwd_len = sizeof (passwd);
+
+ /* size of prompt = strlen of servicedn + strlen("Password for \" \"") */
+ assert (sizeof (prompt1) > (strlen (service_object)
+ + sizeof ("Password for \" \"")));
+ snprintf(prompt1, sizeof(prompt1), "Password for \"%s\"", service_object);
+
+ /* size of prompt = strlen of servicedn + strlen("Re-enter Password for \" \"") */
+ assert (sizeof (prompt2) > (strlen (service_object)
+ + sizeof ("Re-enter Password for \" \"")));
+ snprintf(prompt2, sizeof(prompt2), "Re-enter password for \"%s\"", service_object);
+
+ ret = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len);
+ if (ret != 0) {
+ com_err(me, ret, "while setting service object password");
+ memset(passwd, 0, sizeof (passwd));
+ goto cleanup;
+ }
- if (passwd_len == 0) {
- printf("%s: Invalid password\n", me);
- memset(passwd, 0, MAX_SERVICE_PASSWD_LEN);
- goto cleanup;
- }
+ if (passwd_len == 0) {
+ printf("%s: Invalid password\n", me);
+ memset(passwd, 0, MAX_SERVICE_PASSWD_LEN);
+ goto cleanup;
+ }
}
/* Convert the password to hexadecimal */
{
- krb5_data pwd;
+ krb5_data pwd;
- pwd.length = passwd_len;
- pwd.data = passwd;
+ pwd.length = passwd_len;
+ pwd.data = passwd;
- ret = tohex(pwd, &hexpasswd);
- if (ret != 0) {
- com_err(me, ret, "Failed to convert the password to hexadecimal");
- memset(passwd, 0, passwd_len);
- goto cleanup;
- }
+ ret = tohex(pwd, &hexpasswd);
+ if (ret != 0) {
+ com_err(me, ret, "Failed to convert the password to hexadecimal");
+ memset(passwd, 0, passwd_len);
+ goto cleanup;
+ }
}
memset(passwd, 0, passwd_len);
old_mode = umask(0177);
pfile = fopen(file_name, "a+");
if (pfile == NULL) {
- com_err(me, errno, "Failed to open file %s: %s", file_name,
- strerror (errno));
- goto cleanup;
+ com_err(me, errno, "Failed to open file %s: %s", file_name,
+ strerror (errno));
+ goto cleanup;
}
set_cloexec_file(pfile);
rewind (pfile);
umask(old_mode);
while (fgets (line, MAX_LEN, pfile) != NULL) {
- if ((str = strstr (line, service_object)) != NULL) {
- /* White spaces not allowed */
- if (line [strlen (service_object)] == '#')
- break;
- str = NULL;
- }
+ if ((str = strstr (line, service_object)) != NULL) {
+ /* White spaces not allowed */
+ if (line [strlen (service_object)] == '#')
+ break;
+ str = NULL;
+ }
}
if (str == NULL) {
- if (feof(pfile)) {
- /* If the service object dn is not present in the service password file */
- if (fprintf(pfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) {
- com_err(me, errno, "Failed to write service object password to file");
- fclose(pfile);
- goto cleanup;
- }
- } else {
- com_err(me, errno, "Error reading service object password file");
- fclose(pfile);
- goto cleanup;
- }
- fclose(pfile);
+ if (feof(pfile)) {
+ /* If the service object dn is not present in the service password file */
+ if (fprintf(pfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) {
+ com_err(me, errno, "Failed to write service object password to file");
+ fclose(pfile);
+ goto cleanup;
+ }
+ } else {
+ com_err(me, errno, "Error reading service object password file");
+ fclose(pfile);
+ goto cleanup;
+ }
+ fclose(pfile);
} else {
- /*
- * Password entry for the service object is already present in the file
- * Delete the existing entry and add the new entry
- */
- FILE *newfile;
-
- mode_t omask;
-
- /* Create a new file with the extension .tmp */
- if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) {
- com_err(me, ENOMEM, "while setting service object password");
- fclose(pfile);
- goto cleanup;
- }
-
- omask = umask(077);
- newfile = fopen(tmp_file, "w");
- umask (omask);
- if (newfile == NULL) {
- com_err(me, errno, "Error creating file %s", tmp_file);
- fclose(pfile);
- goto cleanup;
- }
- set_cloexec_file(newfile);
-
- fseek(pfile, 0, SEEK_SET);
- while (fgets(line, MAX_LEN, pfile) != NULL) {
- if (((str = strstr(line, service_object)) != NULL) &&
- (line[strlen(service_object)] == '#')) {
- if (fprintf(newfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) {
- com_err(me, errno, "Failed to write service object password to file");
- fclose(newfile);
- unlink(tmp_file);
- fclose(pfile);
- goto cleanup;
- }
- } else {
- if (fprintf (newfile, "%s", line) < 0) {
- com_err(me, errno, "Failed to write service object password to file");
- fclose(newfile);
- unlink(tmp_file);
- fclose(pfile);
- goto cleanup;
- }
- }
- }
-
- if (!feof(pfile)) {
- com_err(me, errno, "Error reading service object password file");
- fclose(newfile);
- unlink(tmp_file);
- fclose(pfile);
- goto cleanup;
- }
-
- /* TODO: file lock for the service passowrd file */
-
- fclose(pfile);
- fclose(newfile);
-
- ret = rename(tmp_file, file_name);
- if (ret != 0) {
- com_err(me, errno, "Failed to write service object password to "
- "file");
- goto cleanup;
- }
+ /*
+ * Password entry for the service object is already present in the file
+ * Delete the existing entry and add the new entry
+ */
+ FILE *newfile;
+
+ mode_t omask;
+
+ /* Create a new file with the extension .tmp */
+ if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) {
+ com_err(me, ENOMEM, "while setting service object password");
+ fclose(pfile);
+ goto cleanup;
+ }
+
+ omask = umask(077);
+ newfile = fopen(tmp_file, "w");
+ umask (omask);
+ if (newfile == NULL) {
+ com_err(me, errno, "Error creating file %s", tmp_file);
+ fclose(pfile);
+ goto cleanup;
+ }
+ set_cloexec_file(newfile);
+
+ fseek(pfile, 0, SEEK_SET);
+ while (fgets(line, MAX_LEN, pfile) != NULL) {
+ if (((str = strstr(line, service_object)) != NULL) &&
+ (line[strlen(service_object)] == '#')) {
+ if (fprintf(newfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) {
+ com_err(me, errno, "Failed to write service object password to file");
+ fclose(newfile);
+ unlink(tmp_file);
+ fclose(pfile);
+ goto cleanup;
+ }
+ } else {
+ if (fprintf (newfile, "%s", line) < 0) {
+ com_err(me, errno, "Failed to write service object password to file");
+ fclose(newfile);
+ unlink(tmp_file);
+ fclose(pfile);
+ goto cleanup;
+ }
+ }
+ }
+
+ if (!feof(pfile)) {
+ com_err(me, errno, "Error reading service object password file");
+ fclose(newfile);
+ unlink(tmp_file);
+ fclose(pfile);
+ goto cleanup;
+ }
+
+ /* TODO: file lock for the service passowrd file */
+
+ fclose(pfile);
+ fclose(newfile);
+
+ ret = rename(tmp_file, file_name);
+ if (ret != 0) {
+ com_err(me, errno, "Failed to write service object password to "
+ "file");
+ goto cleanup;
+ }
}
ret = 0;
cleanup:
if (hexpasswd.length != 0) {
- memset(hexpasswd.data, 0, hexpasswd.length);
- free(hexpasswd.data);
+ memset(hexpasswd.data, 0, hexpasswd.length);
+ free(hexpasswd.data);
}
if (service_object)
- free(service_object);
+ free(service_object);
if (file_name)
- free(file_name);
+ free(file_name);
if (tmp_file)
- free(tmp_file);
+ free(tmp_file);
if (print_usage)
- usage();
-/* db_usage(STASH_SRV_PW); */
+ usage();
+/* db_usage(STASH_SRV_PW); */
if (ret)
- exit_status++;
+ exit_status++;
}
#endif /* #ifdef HAVE_EDIRECTORY */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* kadmin/ldap_util/kdb5_services.h
*/
#include "ldap_misc.h"
-#define MAX_DN_CHARS 256
-#define HOST_INFO_DELIMITER '#'
-#define PROTOCOL_STR_LEN 3
-#define PROTOCOL_NUM_UDP 0
-#define PROTOCOL_NUM_TCP 1
-#define PROTOCOL_DEFAULT_KDC PROTOCOL_NUM_UDP
-#define PROTOCOL_DEFAULT_ADM PROTOCOL_NUM_TCP
-#define PROTOCOL_DEFAULT_PWD PROTOCOL_NUM_UDP
-#define PORT_STR_LEN 5
-#define PORT_DEFAULT_KDC 88
-#define PORT_DEFAULT_ADM 749
-#define PORT_DEFAULT_PWD 464
+#define MAX_DN_CHARS 256
+#define HOST_INFO_DELIMITER '#'
+#define PROTOCOL_STR_LEN 3
+#define PROTOCOL_NUM_UDP 0
+#define PROTOCOL_NUM_TCP 1
+#define PROTOCOL_DEFAULT_KDC PROTOCOL_NUM_UDP
+#define PROTOCOL_DEFAULT_ADM PROTOCOL_NUM_TCP
+#define PROTOCOL_DEFAULT_PWD PROTOCOL_NUM_UDP
+#define PORT_STR_LEN 5
+#define PORT_DEFAULT_KDC 88
+#define PORT_DEFAULT_ADM 749
+#define PORT_DEFAULT_PWD 464
-#define MAX_LEN 1024
-#define MAX_SERVICE_PASSWD_LEN 256
-#define RANDOM_PASSWD_LEN 128
+#define MAX_LEN 1024
+#define MAX_SERVICE_PASSWD_LEN 256
+#define RANDOM_PASSWD_LEN 128
#define DEF_SERVICE_PASSWD_FILE "/usr/local/var/service_passwd"
extern int enc_password(struct data pwd, struct data *enc_key, struct data *enc_pass);
extern int tohex(krb5_data, krb5_data *);
-extern void kdb5_ldap_create_service (int argc, char **argv);
-extern void kdb5_ldap_modify_service (int argc, char **argv);
+extern void kdb5_ldap_create_service(int argc, char **argv);
+extern void kdb5_ldap_modify_service(int argc, char **argv);
extern void kdb5_ldap_destroy_service(int argc, char **argv);
extern void kdb5_ldap_list_services(int argc, char **argv);
extern void kdb5_ldap_view_service(int argc, char **argv);
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* kadmin/ldap_util/kdb5_ldap_util.c
*
* This function prints the usage of kdb5_ldap_util, which is
* the LDAP configuration utility.
*/
-void usage(void)
+void
+usage(void)
{
fprintf(stderr, "Usage: "
-"kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n"
-"\tcmd [cmd_options]\n"
+ "kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n"
+ "\tcmd [cmd_options]\n"
/* Create realm */
-"create [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]\n"
+ "create [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]\n"
#ifdef HAVE_EDIRECTORY
-"\t\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n"
-"\t\t[-pwddn passwd_service_list]\n"
+ "\t\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n"
+ "\t\t[-pwddn passwd_service_list]\n"
#endif
-"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n"
-"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
-"\t\t[ticket_flags] [-r realm]\n"
+ "\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n"
+ "\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
+ "\t\t[ticket_flags] [-r realm]\n"
/* modify realm */
-"modify [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]\n"
+ "modify [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]\n"
#ifdef HAVE_EDIRECTORY
-"\t\t[-kdcdn kdc_service_list |\n"
-"\t\t[-clearkdcdn kdc_service_list] [-addkdcdn kdc_service_list]]\n"
-"\t\t[-admindn admin_service_list | [-clearadmindn admin_service_list]\n"
-"\t\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n"
-"\t\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n"
+ "\t\t[-kdcdn kdc_service_list |\n"
+ "\t\t[-clearkdcdn kdc_service_list] [-addkdcdn kdc_service_list]]\n"
+ "\t\t[-admindn admin_service_list | [-clearadmindn admin_service_list]\n"
+ "\t\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n"
+ "\t\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n"
#endif
-"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
-"\t\t[ticket_flags] [-r realm]\n"
+ "\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
+ "\t\t[ticket_flags] [-r realm]\n"
/* View realm */
-"view [-r realm]\n"
+ "view [-r realm]\n"
/* Destroy realm */
-"destroy [-f] [-r realm]\n"
+ "destroy [-f] [-r realm]\n"
/* List realms */
-"list\n"
+ "list\n"
#ifdef HAVE_EDIRECTORY
/* Create Service */
-"create_service {-kdc|-admin|-pwd} [-servicehost service_host_list]\n"
-"\t\t[-realm realm_list] \n"
-"\t\t[-randpw|-fileonly] [-f filename] service_dn\n"
+ "create_service {-kdc|-admin|-pwd} [-servicehost service_host_list]\n"
+ "\t\t[-realm realm_list] \n"
+ "\t\t[-randpw|-fileonly] [-f filename] service_dn\n"
/* Modify service */
-"modify_service [-servicehost service_host_list |\n"
-"\t\t[-clearservicehost service_host_list]\n"
-"\t\t[-addservicehost service_host_list]]\n"
-"\t\t[-realm realm_list | [-clearrealm realm_list]\n"
-"\t\t[-addrealm realm_list]] service_dn\n"
+ "modify_service [-servicehost service_host_list |\n"
+ "\t\t[-clearservicehost service_host_list]\n"
+ "\t\t[-addservicehost service_host_list]]\n"
+ "\t\t[-realm realm_list | [-clearrealm realm_list]\n"
+ "\t\t[-addrealm realm_list]] service_dn\n"
/* View Service */
-"view_service service_dn\n"
+ "view_service service_dn\n"
/* Destroy Service */
-"destroy_service [-force] [-f stashfilename] service_dn\n"
+ "destroy_service [-force] [-f stashfilename] service_dn\n"
/* List services */
-"list_service [-basedn base_dn]\n"
+ "list_service [-basedn base_dn]\n"
/* Set Service password */
-"setsrvpw [-randpw|-fileonly] [-f filename] service_dn\n"
+ "setsrvpw [-randpw|-fileonly] [-f filename] service_dn\n"
#else
/* Stash the service password */
-"stashsrvpw [-f filename] service_dn\n"
+ "stashsrvpw [-f filename] service_dn\n"
#endif
/* Create policy */
-"create_policy [-r realm] [-maxtktlife max_ticket_life]\n"
-"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n"
+ "create_policy [-r realm] [-maxtktlife max_ticket_life]\n"
+ "\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n"
/* Modify policy */
-"modify_policy [-r realm] [-maxtktlife max_ticket_life]\n"
-"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n"
+ "modify_policy [-r realm] [-maxtktlife max_ticket_life]\n"
+ "\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n"
/* View policy */
-"view_policy [-r realm] policy\n"
+ "view_policy [-r realm] policy\n"
/* Destroy policy */
-"destroy_policy [-r realm] [-force] policy\n"
+ "destroy_policy [-r realm] [-force] policy\n"
/* List policies */
-"list_policy [-r realm]\n"
+ "list_policy [-r realm]\n"
- );
+ );
}
-void db_usage (int type) {
+void
+db_usage(int type)
+{
/*
* This should print usage of 'type' command. For now, we will print usage
* of all commands.
int i;
for (i = 0; cmd_table[i].name != NULL; i++)
- if (strcmp(cmd_table[i].name, name) == 0)
- return &cmd_table[i];
+ if (strcmp(cmd_table[i].name, name) == 0)
+ return &cmd_table[i];
return NULL;
}
* in the command table, which can be used to get the corresponding
* help from the help message table.
*/
-int cmd_index(name)
- char *name;
+int
+cmd_index(char *name)
{
int i;
if (name == NULL)
- return -1;
+ return -1;
for (i = 0; cmd_table[i].name != NULL; i++)
- if (strcmp(cmd_table[i].name, name) == 0)
- return i;
+ if (strcmp(cmd_table[i].name, name) == 0)
+ return i;
return -1;
}
-static void extended_com_err_fn (const char *myprog, errcode_t code,
- const char *fmt, va_list args)
+static void
+extended_com_err_fn(const char *myprog, errcode_t code, const char *fmt,
+ va_list args)
{
const char *emsg;
emsg = krb5_get_error_message (util_context, code);
fprintf (stderr, "\n");
}
-int main(argc, argv)
- int argc;
- char *argv[];
+int
+main(int argc, char *argv[])
{
struct _cmd_table *cmd = NULL;
char *koptarg = NULL, **cmd_argv = NULL;
retval = krb5_init_context(&util_context);
set_com_err_hook(extended_com_err_fn);
if (retval) {
- com_err (progname, retval, "while initializing Kerberos code");
- exit_status++;
- goto cleanup;
+ com_err (progname, retval, "while initializing Kerberos code");
+ exit_status++;
+ goto cleanup;
}
cmd_argv = (char **) malloc(sizeof(char *)*argc);
if (cmd_argv == NULL) {
- com_err(progname, ENOMEM, "while creating sub-command arguments");
- exit_status++;
- goto cleanup;
+ com_err(progname, ENOMEM, "while creating sub-command arguments");
+ exit_status++;
+ goto cleanup;
}
memset(cmd_argv, 0, sizeof(char *)*argc);
cmd_argc = 1;
argv++; argc--;
while (*argv) {
- if (strcmp(*argv, "--help") == 0) {
- print_help_message = TRUE;
- }
- if (strcmp(*argv, "-P") == 0 && ARG_VAL) {
- mkey_password = koptarg;
- manual_mkey = TRUE;
- } else if (strcmp(*argv, "-r") == 0 && ARG_VAL) {
- global_params.realm = koptarg;
- global_params.mask |= KADM5_CONFIG_REALM;
- /* not sure this is really necessary */
- if ((retval = krb5_set_default_realm(util_context,
- global_params.realm))) {
- com_err(progname, retval, "while setting default realm name");
- exit_status++;
- goto cleanup;
- }
- } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) {
- if (krb5_string_to_enctype(koptarg, &global_params.enctype)) {
- com_err(progname, EINVAL, ": %s is an invalid enctype", koptarg);
- exit_status++;
- goto cleanup;
+ if (strcmp(*argv, "--help") == 0) {
+ print_help_message = TRUE;
+ }
+ if (strcmp(*argv, "-P") == 0 && ARG_VAL) {
+ mkey_password = koptarg;
+ manual_mkey = TRUE;
+ } else if (strcmp(*argv, "-r") == 0 && ARG_VAL) {
+ global_params.realm = koptarg;
+ global_params.mask |= KADM5_CONFIG_REALM;
+ /* not sure this is really necessary */
+ if ((retval = krb5_set_default_realm(util_context,
+ global_params.realm))) {
+ com_err(progname, retval, "while setting default realm name");
+ exit_status++;
+ goto cleanup;
+ }
+ } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) {
+ if (krb5_string_to_enctype(koptarg, &global_params.enctype)) {
+ com_err(progname, EINVAL, ": %s is an invalid enctype", koptarg);
+ exit_status++;
+ goto cleanup;
} else
- global_params.mask |= KADM5_CONFIG_ENCTYPE;
- } else if (strcmp(*argv, "-kv") == 0 && ARG_VAL) {
- global_params.kvno = (krb5_kvno) atoi(koptarg);
+ global_params.mask |= KADM5_CONFIG_ENCTYPE;
+ } else if (strcmp(*argv, "-kv") == 0 && ARG_VAL) {
+ global_params.kvno = (krb5_kvno) atoi(koptarg);
if (global_params.kvno == IGNORE_VNO) {
com_err(progname, EINVAL, ": %s is an invalid mkeyVNO", koptarg);
- exit_status++;
- goto cleanup;
+ exit_status++;
+ goto cleanup;
} else
global_params.mask |= KADM5_CONFIG_KVNO;
- } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) {
- global_params.mkey_name = koptarg;
- global_params.mask |= KADM5_CONFIG_MKEY_NAME;
- } else if (strcmp(*argv, "-sf") == 0 && ARG_VAL) {
- global_params.stash_file = koptarg;
- global_params.mask |= KADM5_CONFIG_STASH_FILE;
- } else if (strcmp(*argv, "-m") == 0) {
- manual_mkey = TRUE;
- global_params.mkey_from_kbd = 1;
- global_params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
- } else if (strcmp(*argv, "-D") == 0 && ARG_VAL) {
- bind_dn = koptarg;
- if (bind_dn == NULL) {
- com_err(progname, ENOMEM, "while reading ldap parameters");
- exit_status++;
- goto cleanup;
- }
- ldapmask |= CMD_LDAP_D;
- } else if (strcmp(*argv, "-w") == 0 && ARG_VAL) {
- passwd = strdup(koptarg);
- if (passwd == NULL) {
- com_err(progname, ENOMEM, "while reading ldap parameters");
- exit_status++;
- goto cleanup;
- }
- ldapmask |= CMD_LDAP_W;
- } else if (strcmp(*argv, "-H") == 0 && ARG_VAL) {
- ldap_server = koptarg;
- if (ldap_server == NULL) {
- com_err(progname, ENOMEM, "while reading ldap parameters");
- exit_status++;
- goto cleanup;
- }
- ldapmask |= CMD_LDAP_H;
- } else if (cmd_lookup(*argv) != NULL) {
- if (cmd_argv[0] == NULL)
- cmd_argv[0] = *argv;
- else {
- free(cmd_argv);
- cmd_argv = NULL;
- usage();
- goto cleanup;
- }
- } else {
- cmd_argv[cmd_argc++] = *argv;
- }
- argv++; argc--;
+ } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) {
+ global_params.mkey_name = koptarg;
+ global_params.mask |= KADM5_CONFIG_MKEY_NAME;
+ } else if (strcmp(*argv, "-sf") == 0 && ARG_VAL) {
+ global_params.stash_file = koptarg;
+ global_params.mask |= KADM5_CONFIG_STASH_FILE;
+ } else if (strcmp(*argv, "-m") == 0) {
+ manual_mkey = TRUE;
+ global_params.mkey_from_kbd = 1;
+ global_params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
+ } else if (strcmp(*argv, "-D") == 0 && ARG_VAL) {
+ bind_dn = koptarg;
+ if (bind_dn == NULL) {
+ com_err(progname, ENOMEM, "while reading ldap parameters");
+ exit_status++;
+ goto cleanup;
+ }
+ ldapmask |= CMD_LDAP_D;
+ } else if (strcmp(*argv, "-w") == 0 && ARG_VAL) {
+ passwd = strdup(koptarg);
+ if (passwd == NULL) {
+ com_err(progname, ENOMEM, "while reading ldap parameters");
+ exit_status++;
+ goto cleanup;
+ }
+ ldapmask |= CMD_LDAP_W;
+ } else if (strcmp(*argv, "-H") == 0 && ARG_VAL) {
+ ldap_server = koptarg;
+ if (ldap_server == NULL) {
+ com_err(progname, ENOMEM, "while reading ldap parameters");
+ exit_status++;
+ goto cleanup;
+ }
+ ldapmask |= CMD_LDAP_H;
+ } else if (cmd_lookup(*argv) != NULL) {
+ if (cmd_argv[0] == NULL)
+ cmd_argv[0] = *argv;
+ else {
+ free(cmd_argv);
+ cmd_argv = NULL;
+ usage();
+ goto cleanup;
+ }
+ } else {
+ cmd_argv[cmd_argc++] = *argv;
+ }
+ argv++; argc--;
}
if (cmd_argv[0] == NULL) {
- free(cmd_argv);
- cmd_argv = NULL;
- usage();
- goto cleanup;
+ free(cmd_argv);
+ cmd_argv = NULL;
+ usage();
+ goto cleanup;
}
/* if we need to print the help message (because of --help option)
* we will print the help corresponding to the sub-command.
*/
if (print_help_message) {
- free(cmd_argv);
- cmd_argv = NULL;
- usage();
- goto cleanup;
+ free(cmd_argv);
+ cmd_argv = NULL;
+ usage();
+ goto cleanup;
}
/* We need to check for the presence of default realm name only in
}
if (!util_context->default_realm) {
- char *temp = NULL;
- retval = krb5_get_default_realm(util_context, &temp);
- if (retval) {
- if (realm_name_required) {
- com_err (progname, retval, "while getting default realm");
- exit_status++;
- goto cleanup;
- }
- } else
- util_context->default_realm = temp;
+ char *temp = NULL;
+ retval = krb5_get_default_realm(util_context, &temp);
+ if (retval) {
+ if (realm_name_required) {
+ com_err (progname, retval, "while getting default realm");
+ exit_status++;
+ goto cleanup;
+ }
+ } else
+ util_context->default_realm = temp;
}
/* If we have the realm name, we can safely say that
* realm_name is required so that we don't neglect any information.
*/
else
- realm_name_required = TRUE;
+ realm_name_required = TRUE;
retval = profile_get_string(util_context->profile, KDB_REALM_SECTION,
- util_context->default_realm, KDB_MODULE_POINTER,
- NULL,
- &value);
+ util_context->default_realm, KDB_MODULE_POINTER,
+ NULL,
+ &value);
if (!(value)) {
- retval = profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION,
- KDB_MODULE_POINTER, NULL,
- NULL,
- &value);
- if (!(value)) {
- if (util_context->default_realm)
- conf_section = strdup(util_context->default_realm);
- } else {
- conf_section = strdup(value);
- free(value);
- }
+ retval = profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION,
+ KDB_MODULE_POINTER, NULL,
+ NULL,
+ &value);
+ if (!(value)) {
+ if (util_context->default_realm)
+ conf_section = strdup(util_context->default_realm);
+ } else {
+ conf_section = strdup(value);
+ free(value);
+ }
} else {
- conf_section = strdup(value);
- free(value);
+ conf_section = strdup(value);
+ free(value);
}
if (realm_name_required) {
- retval = kadm5_get_config_params(util_context, 1,
- &global_params, &global_params);
- if (retval) {
- com_err(progname, retval, "while retreiving configuration parameters");
- exit_status++;
- goto cleanup;
- }
- gp_is_static = 0;
+ retval = kadm5_get_config_params(util_context, 1,
+ &global_params, &global_params);
+ if (retval) {
+ com_err(progname, retval, "while retreiving configuration parameters");
+ exit_status++;
+ goto cleanup;
+ }
+ gp_is_static = 0;
}
if ((retval = krb5_ldap_lib_init()) != 0) {
- com_err(progname, retval, "while initializing error handling");
- exit_status++;
- goto cleanup;
+ com_err(progname, retval, "while initializing error handling");
+ exit_status++;
+ goto cleanup;
}
/* Initialize the ldap context */
ldap_context = calloc(sizeof(krb5_ldap_context), 1);
if (ldap_context == NULL) {
- com_err(progname, ENOMEM, "while initializing ldap handle");
- exit_status++;
- goto cleanup;
+ com_err(progname, ENOMEM, "while initializing ldap handle");
+ exit_status++;
+ goto cleanup;
}
ldap_context->kcontext = util_context;
/* If LDAP parameters are specified, replace them with the values from config */
if (ldapmask & CMD_LDAP_D) {
- /* If password is not specified, prompt for it */
- if (passwd == NULL) {
- passwd = (char *)malloc(MAX_PASSWD_LEN);
- if (passwd == NULL) {
- com_err(progname, ENOMEM, "while retrieving ldap configuration");
- exit_status++;
- goto cleanup;
- }
- prompt = (char *)malloc(MAX_PASSWD_PROMPT_LEN);
- if (prompt == NULL) {
- free(passwd);
- passwd = NULL;
- com_err(progname, ENOMEM, "while retrieving ldap configuration");
- exit_status++;
- goto cleanup;
- }
- memset(passwd, 0, MAX_PASSWD_LEN);
- passwd_len = MAX_PASSWD_LEN - 1;
- snprintf(prompt, MAX_PASSWD_PROMPT_LEN, "Password for \"%s\"", bind_dn);
-
- db_retval = krb5_read_password(util_context, prompt, NULL, passwd, &passwd_len);
-
- if ((db_retval) || (passwd_len == 0)) {
- com_err(progname, ENOMEM, "while retrieving ldap configuration");
- free(passwd);
- passwd = NULL;
- exit_status++;
- goto cleanup;
- }
- }
-
- ldap_context->bind_pwd = passwd;
- passwd = NULL;
+ /* If password is not specified, prompt for it */
+ if (passwd == NULL) {
+ passwd = (char *)malloc(MAX_PASSWD_LEN);
+ if (passwd == NULL) {
+ com_err(progname, ENOMEM, "while retrieving ldap configuration");
+ exit_status++;
+ goto cleanup;
+ }
+ prompt = (char *)malloc(MAX_PASSWD_PROMPT_LEN);
+ if (prompt == NULL) {
+ free(passwd);
+ passwd = NULL;
+ com_err(progname, ENOMEM, "while retrieving ldap configuration");
+ exit_status++;
+ goto cleanup;
+ }
+ memset(passwd, 0, MAX_PASSWD_LEN);
+ passwd_len = MAX_PASSWD_LEN - 1;
+ snprintf(prompt, MAX_PASSWD_PROMPT_LEN, "Password for \"%s\"", bind_dn);
+
+ db_retval = krb5_read_password(util_context, prompt, NULL, passwd, &passwd_len);
+
+ if ((db_retval) || (passwd_len == 0)) {
+ com_err(progname, ENOMEM, "while retrieving ldap configuration");
+ free(passwd);
+ passwd = NULL;
+ exit_status++;
+ goto cleanup;
+ }
+ }
+
+ ldap_context->bind_pwd = passwd;
+ passwd = NULL;
}
/* If ldaphost is specified, release entry filled by configuration & use this */
if (ldapmask & CMD_LDAP_H) {
- ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (2, sizeof (krb5_ldap_server_info *)) ;
- if (ldap_context->server_info_list == NULL) {
- com_err(progname, ENOMEM, "while initializing server list");
- exit_status++;
- goto cleanup;
- }
-
- ldap_context->server_info_list[0] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info));
- if (ldap_context->server_info_list[0] == NULL) {
- com_err(progname, ENOMEM, "while initializing server list");
- exit_status++;
- goto cleanup;
- }
-
- ldap_context->server_info_list[0]->server_status = NOTSET;
-
- ldap_context->server_info_list[0]->server_name = strdup(ldap_server);
- if (ldap_context->server_info_list[0]->server_name == NULL) {
- com_err(progname, ENOMEM, "while initializing server list");
- exit_status++;
- goto cleanup;
- }
+ ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (2, sizeof (krb5_ldap_server_info *)) ;
+ if (ldap_context->server_info_list == NULL) {
+ com_err(progname, ENOMEM, "while initializing server list");
+ exit_status++;
+ goto cleanup;
+ }
+
+ ldap_context->server_info_list[0] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info));
+ if (ldap_context->server_info_list[0] == NULL) {
+ com_err(progname, ENOMEM, "while initializing server list");
+ exit_status++;
+ goto cleanup;
+ }
+
+ ldap_context->server_info_list[0]->server_status = NOTSET;
+
+ ldap_context->server_info_list[0]->server_name = strdup(ldap_server);
+ if (ldap_context->server_info_list[0]->server_name == NULL) {
+ com_err(progname, ENOMEM, "while initializing server list");
+ exit_status++;
+ goto cleanup;
+ }
}
if (bind_dn) {
- ldap_context->bind_dn = strdup(bind_dn);
- if (ldap_context->bind_dn == NULL) {
- com_err(progname, ENOMEM, "while retrieving ldap configuration");
- exit_status++;
- goto cleanup;
- }
+ ldap_context->bind_dn = strdup(bind_dn);
+ if (ldap_context->bind_dn == NULL) {
+ com_err(progname, ENOMEM, "while retrieving ldap configuration");
+ exit_status++;
+ goto cleanup;
+ }
} else
- ldap_context->bind_dn = NULL;
+ ldap_context->bind_dn = NULL;
ldap_context->service_type = SERVICE_DN_TYPE_CLIENT;
if (realm_name_required) {
- if ((global_params.enctype != ENCTYPE_UNKNOWN) &&
- (!krb5_c_valid_enctype(global_params.enctype))) {
- com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP,
- "while setting up enctype %d", global_params.enctype);
- }
+ if ((global_params.enctype != ENCTYPE_UNKNOWN) &&
+ (!krb5_c_valid_enctype(global_params.enctype))) {
+ com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP,
+ "while setting up enctype %d", global_params.enctype);
+ }
}
cmd = cmd_lookup(cmd_argv[0]);
/* Setup DAL handle to access the database */
db_retval = krb5_db_setup_lib_handle(util_context);
if (db_retval) {
- com_err(progname, db_retval, "while setting up lib handle");
- exit_status++;
- goto cleanup;
+ com_err(progname, db_retval, "while setting up lib handle");
+ exit_status++;
+ goto cleanup;
}
util_context->dal_handle->db_context = ldap_context;
ldap_context = NULL;
db_retval = krb5_ldap_read_server_params(util_context, conf_section, KRB5_KDB_SRV_TYPE_OTHER);
if (db_retval) {
- com_err(progname, db_retval, "while reading ldap configuration");
- exit_status++;
- goto cleanup;
+ com_err(progname, db_retval, "while reading ldap configuration");
+ exit_status++;
+ goto cleanup;
}
if (cmd->opendb) {
- db_retval = krb5_ldap_db_init(util_context, (krb5_ldap_context *)util_context->dal_handle->db_context);
- if (db_retval) {
- com_err(progname, db_retval, "while initializing database");
- exit_status++;
- goto cleanup;
- }
- db_inited = TRUE;
+ db_retval = krb5_ldap_db_init(util_context, (krb5_ldap_context *)util_context->dal_handle->db_context);
+ if (db_retval) {
+ com_err(progname, db_retval, "while initializing database");
+ exit_status++;
+ goto cleanup;
+ }
+ db_inited = TRUE;
}
(*cmd->func)(cmd_argc, cmd_argv);
cleanup:
if (passwd) {
- memset(passwd, 0, strlen(passwd));
- free(passwd);
+ memset(passwd, 0, strlen(passwd));
+ free(passwd);
}
if (ldap_context) {
- krb5_ldap_free_server_context_params(ldap_context);
- free(ldap_context);
+ krb5_ldap_free_server_context_params(ldap_context);
+ free(ldap_context);
}
if (util_context) {
- if (gp_is_static == 0)
- kadm5_free_config_params(util_context, &global_params);
- krb5_ldap_close(util_context);
- krb5_free_context(util_context);
+ if (gp_is_static == 0)
+ kadm5_free_config_params(util_context, &global_params);
+ krb5_ldap_close(util_context);
+ krb5_free_context(util_context);
}
if (cmd_argv)
- free(cmd_argv);
+ free(cmd_argv);
if (prompt)
- free(prompt);
+ free(prompt);
if (conf_section)
- free(conf_section);
+ free(conf_section);
if (usage_print) {
- usage();
+ usage();
}
return exit_status;
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* kadmin/ldap_util/kdb5_ldap_util.h
*/
/* Following are the bitmaps that indicate which of the options among -D, -w, -h, -p & -t
* were specified on the command line.
*/
-#define CMD_LDAP_D 0x1 /* set if -D option is specified */
-#define CMD_LDAP_W 0x2 /* set if -w option is specified */
-#define CMD_LDAP_H 0x4 /* set if -h option is specified */
-#define CMD_LDAP_P 0x8 /* set if -p option is specified */
+#define CMD_LDAP_D 0x1 /* set if -D option is specified */
+#define CMD_LDAP_W 0x2 /* set if -w option is specified */
+#define CMD_LDAP_H 0x4 /* set if -h option is specified */
+#define CMD_LDAP_P 0x8 /* set if -p option is specified */
#define MAX_PASSWD_LEN 1024
#define MAX_PASSWD_PROMPT_LEN 276 /* max_dn_size(=256) + strlen("Password for \" \"")=20 */
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* plugins/kdb/ldap/kdb_ext.c
*
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/kdb_ldap.c
*
*val = NULL;
if (pos == NULL) {
- *opt = strdup(input);
- if (*opt == NULL) {
- return ENOMEM;
- }
+ *opt = strdup(input);
+ if (*opt == NULL) {
+ return ENOMEM;
+ }
} else {
- int len = pos - input;
- *opt = malloc((unsigned) len + 1);
- if (!*opt) {
- return ENOMEM;
- }
- memcpy(*opt, input, (unsigned) len);
- /* ignore trailing blanks */
- while (isblank((*opt)[len-1]))
- --len;
- (*opt)[len] = '\0';
-
- pos += 1; /* move past '=' */
- while (isblank(*pos)) /* ignore leading blanks */
- pos += 1;
- if (*pos != '\0') {
- *val = strdup (pos);
- if (!*val) {
- free (*opt);
- return ENOMEM;
- }
- }
+ int len = pos - input;
+ *opt = malloc((unsigned) len + 1);
+ if (!*opt) {
+ return ENOMEM;
+ }
+ memcpy(*opt, input, (unsigned) len);
+ /* ignore trailing blanks */
+ while (isblank((*opt)[len-1]))
+ --len;
+ (*opt)[len] = '\0';
+
+ pos += 1; /* move past '=' */
+ while (isblank(*pos)) /* ignore leading blanks */
+ pos += 1;
+ if (*pos != '\0') {
+ *val = strdup (pos);
+ if (!*val) {
+ free (*opt);
+ return ENOMEM;
+ }
+ }
}
return (0);
SETUP_CONTEXT();
if ((retval=krb5_ldap_read_krbcontainer_params(context, &(ldap_context->krbcontainer)))) {
- prepend_err_str (context, "Unable to read Kerberos container", retval, retval);
- goto cleanup;
+ prepend_err_str (context, "Unable to read Kerberos container", retval, retval);
+ goto cleanup;
}
if ((retval=krb5_ldap_read_realm_params(context, context->default_realm, &(ldap_context->lrparams), &mask))) {
- prepend_err_str (context, "Unable to read Realm", retval, retval);
- goto cleanup;
+ prepend_err_str (context, "Unable to read Realm", retval, retval);
+ goto cleanup;
}
if (((mask & LDAP_REALM_MAXTICKETLIFE) == 0) || ((mask & LDAP_REALM_MAXRENEWLIFE) == 0)
- || ((mask & LDAP_REALM_KRBTICKETFLAGS) == 0)) {
+ || ((mask & LDAP_REALM_KRBTICKETFLAGS) == 0)) {
kadm5_config_params params_in, params_out;
memset(¶ms_in, 0, sizeof(params_in));
* value assertion.
*/
static int
-has_rootdse_ava(context, ldap_server, attribute, value)
- krb5_context context;
- char *ldap_server;
- char *attribute;
- char *value;
+has_rootdse_ava(krb5_context context, char *ldap_server, char *attribute,
+ char *value)
{
int i=0, flag=0, ret=0, retval=0;
char *attrs[2], **values=NULL;
retval = ldap_initialize(&ld, ldap_server);
if (retval != LDAP_SUCCESS) {
- ret = 2; /* Don't know */
- goto cleanup;
+ ret = 2; /* Don't know */
+ goto cleanup;
}
cred.bv_val = "";
/* Anonymous bind */
retval = ldap_sasl_bind_s(ld, "", NULL, &cred, NULL, NULL, NULL);
if (retval != LDAP_SUCCESS) {
- ret = 2; /* Don't know */
- goto cleanup;
+ ret = 2; /* Don't know */
+ goto cleanup;
}
retval = ldap_search_ext_s(ld, "", LDAP_SCOPE_BASE, NULL, attrs, 0, NULL, NULL, NULL, 0, &res);
if (retval != LDAP_SUCCESS) {
- ret = 2; /* Don't know */
- goto cleanup;
+ ret = 2; /* Don't know */
+ goto cleanup;
}
msg = ldap_first_message(ld, res);
if (msg == NULL) {
- ret = 2; /* Don't know */
- goto cleanup;
+ ret = 2; /* Don't know */
+ goto cleanup;
}
values = ldap_get_values(ld, msg, attribute);
if (values == NULL) {
- ret = 1; /* Not supported */
- goto cleanup;
+ ret = 1; /* Not supported */
+ goto cleanup;
}
for (i = 0; values[i] != NULL; i++) {
- if (strcmp(values[i], value) == 0) {
- flag = 1;
- break;
- }
+ if (strcmp(values[i], value) == 0) {
+ flag = 1;
+ break;
+ }
}
if (flag != 1) {
- ret = 1; /* Not supported */
- goto cleanup;
+ ret = 1; /* Not supported */
+ goto cleanup;
}
cleanup:
if (values != NULL)
- ldap_value_free(values);
+ ldap_value_free(values);
if (res != NULL)
- ldap_msgfree(res);
+ ldap_msgfree(res);
if (ld != NULL)
- ldap_unbind_ext_s(ld, NULL, NULL);
+ ldap_unbind_ext_s(ld, NULL, NULL);
return ret;
}
* 2 => don't know
*/
int
-has_sasl_external_mech(context, ldap_server)
- krb5_context context;
- char *ldap_server;
+has_sasl_external_mech(krb5_context context, char *ldap_server)
{
int ret;
ret = has_rootdse_ava(context, ldap_server,
- "supportedSASLMechanisms", "EXTERNAL");
+ "supportedSASLMechanisms", "EXTERNAL");
switch (ret) {
case 1: /* not supported */
- krb5_set_error_message(context, 1, "%s", ERR_MSG2);
- break;
+ krb5_set_error_message(context, 1, "%s", ERR_MSG2);
+ break;
case 2: /* don't know */
- krb5_set_error_message(context, 1, "%s", ERR_MSG1);
- break;
+ krb5_set_error_message(context, 1, "%s", ERR_MSG1);
+ break;
default:
- break;
+ break;
}
return ret;
char *ldap_server;
{
return has_rootdse_ava(context, ldap_server,
- "supportedFeatures", "1.3.6.1.1.14");
+ "supportedFeatures", "1.3.6.1.1.14");
}
-void * krb5_ldap_alloc(krb5_context context, void *ptr, size_t size)
+void *
+krb5_ldap_alloc(krb5_context context, void *ptr, size_t size)
{
return realloc(ptr, size);
}
-void krb5_ldap_free(krb5_context context, void *ptr)
-
+void
+krb5_ldap_free(krb5_context context, void *ptr)
{
free(ptr);
}
-krb5_error_code krb5_ldap_open(krb5_context context,
- char *conf_section,
- char **db_args,
- int mode)
+krb5_error_code
+krb5_ldap_open(krb5_context context, char *conf_section, char **db_args,
+ int mode)
{
krb5_error_code status = 0;
char **t_ptr = db_args;
ldap_context = calloc(1, sizeof(krb5_ldap_context));
if (ldap_context == NULL) {
- status = ENOMEM;
- goto clean_n_exit;
+ status = ENOMEM;
+ goto clean_n_exit;
}
ldap_context->kcontext = context;
while (t_ptr && *t_ptr) {
- char *opt = NULL, *val = NULL;
-
- if ((status = krb5_ldap_get_db_opt(*t_ptr, &opt, &val)) != 0) {
- goto clean_n_exit;
- }
- if (opt && !strcmp(opt, "binddn")) {
- if (ldap_context->bind_dn) {
- free (opt);
- free (val);
- status = EINVAL;
- krb5_set_error_message (context, status, "'binddn' missing");
- goto clean_n_exit;
- }
- if (val == NULL) {
- status = EINVAL;
- krb5_set_error_message (context, status, "'binddn' value missing");
- free(opt);
- goto clean_n_exit;
- }
- ldap_context->bind_dn = strdup(val);
- if (ldap_context->bind_dn == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto clean_n_exit;
- }
- } else if (opt && !strcmp(opt, "nconns")) {
- if (ldap_context->max_server_conns) {
- free (opt);
- free (val);
- status = EINVAL;
- krb5_set_error_message (context, status, "'nconns' missing");
- goto clean_n_exit;
- }
- if (val == NULL) {
- status = EINVAL;
- krb5_set_error_message (context, status, "'nconns' value missing");
- free(opt);
- goto clean_n_exit;
- }
- ldap_context->max_server_conns = atoi(val) ? atoi(val) : DEFAULT_CONNS_PER_SERVER;
- } else if (opt && !strcmp(opt, "bindpwd")) {
- if (ldap_context->bind_pwd) {
- free (opt);
- free (val);
- status = EINVAL;
- krb5_set_error_message (context, status, "'bindpwd' missing");
- goto clean_n_exit;
- }
- if (val == NULL) {
- status = EINVAL;
- krb5_set_error_message (context, status, "'bindpwd' value missing");
- free(opt);
- goto clean_n_exit;
- }
- ldap_context->bind_pwd = strdup(val);
- if (ldap_context->bind_pwd == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto clean_n_exit;
- }
- } else if (opt && !strcmp(opt, "host")) {
- if (val == NULL) {
- status = EINVAL;
- krb5_set_error_message (context, status, "'host' value missing");
- free(opt);
- goto clean_n_exit;
- }
- if (ldap_context->server_info_list == NULL)
- ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (SERV_COUNT+1, sizeof (krb5_ldap_server_info *)) ;
-
- if (ldap_context->server_info_list == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto clean_n_exit;
- }
-
- ldap_context->server_info_list[srv_cnt] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info));
- if (ldap_context->server_info_list[srv_cnt] == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto clean_n_exit;
- }
-
- ldap_context->server_info_list[srv_cnt]->server_status = NOTSET;
-
- ldap_context->server_info_list[srv_cnt]->server_name = strdup(val);
- if (ldap_context->server_info_list[srv_cnt]->server_name == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto clean_n_exit;
- }
-
- srv_cnt++;
+ char *opt = NULL, *val = NULL;
+
+ if ((status = krb5_ldap_get_db_opt(*t_ptr, &opt, &val)) != 0) {
+ goto clean_n_exit;
+ }
+ if (opt && !strcmp(opt, "binddn")) {
+ if (ldap_context->bind_dn) {
+ free (opt);
+ free (val);
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'binddn' missing");
+ goto clean_n_exit;
+ }
+ if (val == NULL) {
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'binddn' value missing");
+ free(opt);
+ goto clean_n_exit;
+ }
+ ldap_context->bind_dn = strdup(val);
+ if (ldap_context->bind_dn == NULL) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto clean_n_exit;
+ }
+ } else if (opt && !strcmp(opt, "nconns")) {
+ if (ldap_context->max_server_conns) {
+ free (opt);
+ free (val);
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'nconns' missing");
+ goto clean_n_exit;
+ }
+ if (val == NULL) {
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'nconns' value missing");
+ free(opt);
+ goto clean_n_exit;
+ }
+ ldap_context->max_server_conns = atoi(val) ? atoi(val) : DEFAULT_CONNS_PER_SERVER;
+ } else if (opt && !strcmp(opt, "bindpwd")) {
+ if (ldap_context->bind_pwd) {
+ free (opt);
+ free (val);
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'bindpwd' missing");
+ goto clean_n_exit;
+ }
+ if (val == NULL) {
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'bindpwd' value missing");
+ free(opt);
+ goto clean_n_exit;
+ }
+ ldap_context->bind_pwd = strdup(val);
+ if (ldap_context->bind_pwd == NULL) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto clean_n_exit;
+ }
+ } else if (opt && !strcmp(opt, "host")) {
+ if (val == NULL) {
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'host' value missing");
+ free(opt);
+ goto clean_n_exit;
+ }
+ if (ldap_context->server_info_list == NULL)
+ ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (SERV_COUNT+1, sizeof (krb5_ldap_server_info *)) ;
+
+ if (ldap_context->server_info_list == NULL) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto clean_n_exit;
+ }
+
+ ldap_context->server_info_list[srv_cnt] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info));
+ if (ldap_context->server_info_list[srv_cnt] == NULL) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto clean_n_exit;
+ }
+
+ ldap_context->server_info_list[srv_cnt]->server_status = NOTSET;
+
+ ldap_context->server_info_list[srv_cnt]->server_name = strdup(val);
+ if (ldap_context->server_info_list[srv_cnt]->server_name == NULL) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto clean_n_exit;
+ }
+
+ srv_cnt++;
#ifdef HAVE_EDIRECTORY
- } else if (opt && !strcmp(opt, "cert")) {
- if (val == NULL) {
- status = EINVAL;
- krb5_set_error_message (context, status, "'cert' value missing");
- free(opt);
- goto clean_n_exit;
- }
-
- if (ldap_context->root_certificate_file == NULL) {
- ldap_context->root_certificate_file = strdup(val);
- if (ldap_context->root_certificate_file == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto clean_n_exit;
- }
- } else {
- char *newstr;
-
- if (asprintf(&newstr, "%s %s",
- ldap_context->root_certificate_file, val) < 0) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto clean_n_exit;
- }
- free(ldap_context->root_certificate_file);
- ldap_context->root_certificate_file = newstr;
- }
+ } else if (opt && !strcmp(opt, "cert")) {
+ if (val == NULL) {
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'cert' value missing");
+ free(opt);
+ goto clean_n_exit;
+ }
+
+ if (ldap_context->root_certificate_file == NULL) {
+ ldap_context->root_certificate_file = strdup(val);
+ if (ldap_context->root_certificate_file == NULL) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto clean_n_exit;
+ }
+ } else {
+ char *newstr;
+
+ if (asprintf(&newstr, "%s %s",
+ ldap_context->root_certificate_file, val) < 0) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto clean_n_exit;
+ }
+ free(ldap_context->root_certificate_file);
+ ldap_context->root_certificate_file = newstr;
+ }
#endif
- } else {
- /* ignore hash argument. Might have been passed from create */
- status = EINVAL;
- if (opt && !strcmp(opt, "temporary")) {
- /*
- * temporary is passed in when kdb5_util load without -update is done.
- * This is unsupported by the LDAP plugin.
- */
- krb5_set_error_message (context, status,
- "open of LDAP directory aborted, plugin requires -update argument");
- } else {
- krb5_set_error_message (context, status, "unknown option \'%s\'",
- opt?opt:val);
- }
- free(opt);
- free(val);
- goto clean_n_exit;
- }
-
- free(opt);
- free(val);
- t_ptr++;
+ } else {
+ /* ignore hash argument. Might have been passed from create */
+ status = EINVAL;
+ if (opt && !strcmp(opt, "temporary")) {
+ /*
+ * temporary is passed in when kdb5_util load without -update is done.
+ * This is unsupported by the LDAP plugin.
+ */
+ krb5_set_error_message (context, status,
+ "open of LDAP directory aborted, plugin requires -update argument");
+ } else {
+ krb5_set_error_message (context, status, "unknown option \'%s\'",
+ opt?opt:val);
+ }
+ free(opt);
+ free(val);
+ goto clean_n_exit;
+ }
+
+ free(opt);
+ free(val);
+ t_ptr++;
}
dal_handle = context->dal_handle;
dal_handle->db_context = ldap_context;
status = krb5_ldap_read_server_params(context, conf_section, mode & 0x0300);
if (status) {
- if (ldap_context)
- krb5_ldap_free_ldap_context(ldap_context);
- ldap_context = NULL;
- dal_handle->db_context = NULL;
- prepend_err_str (context, "Error reading LDAP server params: ", status, status);
- goto clean_n_exit;
+ if (ldap_context)
+ krb5_ldap_free_ldap_context(ldap_context);
+ ldap_context = NULL;
+ dal_handle->db_context = NULL;
+ prepend_err_str (context, "Error reading LDAP server params: ", status, status);
+ goto clean_n_exit;
}
if ((status=krb5_ldap_db_init(context, ldap_context)) != 0) {
- goto clean_n_exit;
+ goto clean_n_exit;
}
if ((status=krb5_ldap_read_startup_information(context)) != 0) {
- goto clean_n_exit;
+ goto clean_n_exit;
}
clean_n_exit:
/* may be clearing up is not required db_fini might do it for us, check out */
if (status) {
- krb5_ldap_close(context);
+ krb5_ldap_close(context);
}
return status;
}
#include "ldap_err.h"
int
-set_ldap_error (krb5_context ctx, int st, int op)
+set_ldap_error(krb5_context ctx, int st, int op)
{
int translated_st = translate_ldap_error(st, op);
krb5_set_error_message(ctx, translated_st, "%s", ldap_err2string(st));
}
void
-prepend_err_str (krb5_context ctx, const char *str, krb5_error_code err,
- krb5_error_code oerr)
+prepend_err_str(krb5_context ctx, const char *str, krb5_error_code err,
+ krb5_error_code oerr)
{
const char *omsg;
if (oerr == 0) oerr = err;
extern krb5int_access accessor;
MAKE_INIT_FUNCTION(kldap_init_fn);
-int kldap_init_fn(void)
+int
+kldap_init_fn(void)
{
/* Global (per-module) initialization. */
return krb5int_accessor (&accessor, KRB5INT_ACCESS_VERSION);
}
-int kldap_ensure_initialized(void)
+int
+kldap_ensure_initialized(void)
{
return CALL_INIT_FUNCTION (kldap_init_fn);
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/kdb_ldap.h
*
#define CHECK_STATUS 1
#define SETUP_CONTEXT() if (context == NULL || context->dal_handle == NULL \
- || context->dal_handle->db_context == NULL) { \
- return EINVAL; \
- } \
- dal_handle = context->dal_handle; \
- ldap_context = (krb5_ldap_context *) dal_handle->db_context; \
+ || context->dal_handle->db_context == NULL) { \
+ return EINVAL; \
+ } \
+ dal_handle = context->dal_handle; \
+ ldap_context = (krb5_ldap_context *) dal_handle->db_context; \
if (ldap_context == NULL || ldap_context->server_info_list == NULL) \
return KRB5_KDB_DBNOTINITED;
-#define GET_HANDLE() ld = NULL; \
+#define GET_HANDLE() ld = NULL; \
st = krb5_ldap_request_handle_from_pool(ldap_context, &ldap_server_handle); \
- if (st != 0) { \
+ if (st != 0) { \
prepend_err_str(context, "LDAP handle unavailable: ", KRB5_KDB_ACCESS_ERROR, st); \
- st = KRB5_KDB_ACCESS_ERROR; \
- goto cleanup; \
- } \
+ st = KRB5_KDB_ACCESS_ERROR; \
+ goto cleanup; \
+ } \
ld = ldap_server_handle->ldap_handle;
extern int set_ldap_error (krb5_context ctx, int st, int op);
#define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
-#define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \
- do { \
- st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
- if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
- tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
- if (ldap_server_handle) \
- ld = ldap_server_handle->ldap_handle; \
- } \
- }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
- \
- if (status_check != IGNORE_STATUS) { \
- if (tempst != 0) { \
+#define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \
+ do { \
+ st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
+ if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
+ tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
+ if (ldap_server_handle) \
+ ld = ldap_server_handle->ldap_handle; \
+ } \
+ }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
+ \
+ if (status_check != IGNORE_STATUS) { \
+ if (tempst != 0) { \
prepend_err_str(context, "LDAP handle unavailable: ", KRB5_KDB_ACCESS_ERROR, st); \
- st = KRB5_KDB_ACCESS_ERROR; \
- goto cleanup; \
- } \
- if (st != LDAP_SUCCESS) { \
- st = set_ldap_error(context, st, OP_SEARCH); \
- goto cleanup; \
- } \
- }
-
-
-#define CHECK_CLASS_VALIDITY(st, mask, str) \
- if (st != 0 || mask == 0) { \
- if (st == 0 && mask == 0) { \
- st = set_ldap_error(context, LDAP_OBJECT_CLASS_VIOLATION, OP_SEARCH); \
- } \
- prepend_err_str(context, str, st, st); \
- goto cleanup; \
- }
-
-#define CHECK_NULL(ptr) if (ptr == NULL) { \
- st = ENOMEM; \
- goto cleanup; \
- }
-
-#define STORE16_INT(ptr, val) store_16_be(val, ptr)
+ st = KRB5_KDB_ACCESS_ERROR; \
+ goto cleanup; \
+ } \
+ if (st != LDAP_SUCCESS) { \
+ st = set_ldap_error(context, st, OP_SEARCH); \
+ goto cleanup; \
+ } \
+ }
+
+
+#define CHECK_CLASS_VALIDITY(st, mask, str) \
+ if (st != 0 || mask == 0) { \
+ if (st == 0 && mask == 0) { \
+ st = set_ldap_error(context, LDAP_OBJECT_CLASS_VIOLATION, OP_SEARCH); \
+ } \
+ prepend_err_str(context, str, st, st); \
+ goto cleanup; \
+ }
+
+#define CHECK_NULL(ptr) if (ptr == NULL) { \
+ st = ENOMEM; \
+ goto cleanup; \
+ }
+
+#define STORE16_INT(ptr, val) store_16_be(val, ptr)
#define STORE32_INT(ptr, val) store_32_be(val, ptr)
#define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr))
#define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr))
#define KDB_TL_LINKDN 0x07
-#define CHECK_LDAP_HANDLE(lcontext) if (!(ldap_context \
- && ldap_context->server_info_list)) { \
- return KRB5_KDB_DBNOTINITED; \
- }
+#define CHECK_LDAP_HANDLE(lcontext) if (!(ldap_context \
+ && ldap_context->server_info_list)) { \
+ return KRB5_KDB_DBNOTINITED; \
+ }
#define HNDL_LOCK(lcontext) k5_mutex_lock(&lcontext->hndl_lock)
#define HNDL_UNLOCK(lcontext) k5_mutex_unlock(&lcontext->hndl_lock)
} krb5_ldap_server_handle;
struct _krb5_ldap_server_info {
- krb5_ldap_server_type server_type;
+ krb5_ldap_server_type server_type;
krb5_ldap_server_status server_status;
krb5_ui_4 num_conns;
krb5_ldap_server_handle *ldap_server_handles;
time_t downtime;
- char *server_name;
+ char *server_name;
#ifdef HAVE_EDIRECTORY
- char *root_certificate_file;
+ char *root_certificate_file;
#endif
- int modify_increment;
+ int modify_increment;
struct _krb5_ldap_server_info *next;
};
typedef enum {SERVICE_DN_TYPE_SERVER, SERVICE_DN_TYPE_CLIENT} krb5_ldap_servicetype;
typedef struct _krb5_ldap_context {
- krb5_ldap_servicetype service_type;
- krb5_ldap_server_info **server_info_list;
- krb5_ui_4 max_server_conns;
- char *conf_section;
- char *bind_dn;
- char *bind_pwd;
- char *service_password_file;
- char *root_certificate_file;
- char *service_cert_path;
- char *service_cert_pass;
- krb5_ldap_certificates **certificates;
- krb5_ui_4 cert_count; /* certificate count */
- k5_mutex_t hndl_lock;
- krb5_ldap_krbcontainer_params *krbcontainer;
- krb5_ldap_realm_params *lrparams;
- krb5_context kcontext; /* to set the error code and message */
+ krb5_ldap_servicetype service_type;
+ krb5_ldap_server_info **server_info_list;
+ krb5_ui_4 max_server_conns;
+ char *conf_section;
+ char *bind_dn;
+ char *bind_pwd;
+ char *service_password_file;
+ char *root_certificate_file;
+ char *service_cert_path;
+ char *service_cert_pass;
+ krb5_ldap_certificates **certificates;
+ krb5_ui_4 cert_count; /* certificate count */
+ k5_mutex_t hndl_lock;
+ krb5_ldap_krbcontainer_params *krbcontainer;
+ krb5_ldap_realm_params *lrparams;
+ krb5_context kcontext; /* to set the error code and message */
} krb5_ldap_context;
typedef struct {
- int nkey;
- struct berval **keys;
+ int nkey;
+ struct berval **keys;
}KEY;
-#define k5ldap_inited(c) (c && c->db_context \
- && ((kdb5_dal_handle*)c->db_context)->db_context \
- && ((krb5_ldap_context *) ((kdb5_dal_handle*)c->db_context)->db_context))
+#define k5ldap_inited(c) (c && c->db_context \
+ && ((kdb5_dal_handle*)c->db_context)->db_context \
+ && ((krb5_ldap_context *) ((kdb5_dal_handle*)c->db_context)->db_context))
/* misc functions */
krb5_error_code
krb5_ldap_open( krb5_context , char *,
- char **db_args,
- int mode );
+ char **db_args,
+ int mode );
krb5_error_code
krb5_ldap_close( krb5_context );
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/kdb_ldap_conn.c
*
#include <kdb5.h>
static krb5_error_code
-krb5_validate_ldap_context(krb5_context context, krb5_ldap_context *ldap_context)
+krb5_validate_ldap_context(krb5_context context,
+ krb5_ldap_context *ldap_context)
{
krb5_error_code st=0;
unsigned char *password=NULL;
if (ldap_context->bind_dn == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st, "LDAP bind dn value missing ");
- goto err_out;
+ st = EINVAL;
+ krb5_set_error_message(context, st, "LDAP bind dn value missing ");
+ goto err_out;
}
if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st, "LDAP bind password value missing ");
- goto err_out;
+ st = EINVAL;
+ krb5_set_error_message(context, st, "LDAP bind password value missing ");
+ goto err_out;
}
if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file !=
- NULL && ldap_context->service_cert_path == NULL) {
- if ((st=krb5_ldap_readpassword(context, ldap_context, &password)) != 0) {
- prepend_err_str(context, "Error reading password from stash: ", st, st);
- goto err_out;
- }
-
- /* Check if the returned 'password' is actually the path of a certificate */
- if (!strncmp("{FILE}", (char *)password, 6)) {
- /* 'password' format: <path>\0<password> */
- ldap_context->service_cert_path = strdup((char *)password + strlen("{FILE}"));
- if (password[strlen((char *)password) + 1] == '\0')
- ldap_context->service_cert_pass = NULL;
- else
- ldap_context->service_cert_pass = strdup((char *)password +
- strlen((char *)password) + 1);
- free(password);
- } else {
- ldap_context->bind_pwd = (char *)password;
- if (ldap_context->bind_pwd == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st, "Error reading password from stash");
- goto err_out;
- }
- }
+ NULL && ldap_context->service_cert_path == NULL) {
+ if ((st=krb5_ldap_readpassword(context, ldap_context, &password)) != 0) {
+ prepend_err_str(context, "Error reading password from stash: ", st, st);
+ goto err_out;
+ }
+
+ /* Check if the returned 'password' is actually the path of a certificate */
+ if (!strncmp("{FILE}", (char *)password, 6)) {
+ /* 'password' format: <path>\0<password> */
+ ldap_context->service_cert_path = strdup((char *)password + strlen("{FILE}"));
+ if (password[strlen((char *)password) + 1] == '\0')
+ ldap_context->service_cert_pass = NULL;
+ else
+ ldap_context->service_cert_pass = strdup((char *)password +
+ strlen((char *)password) + 1);
+ free(password);
+ } else {
+ ldap_context->bind_pwd = (char *)password;
+ if (ldap_context->bind_pwd == NULL) {
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Error reading password from stash");
+ goto err_out;
+ }
+ }
}
/* NULL password not allowed */
if (ldap_context->bind_pwd != NULL && strlen(ldap_context->bind_pwd) == 0) {
- st = EINVAL;
- krb5_set_error_message(context, st, "Service password length is zero");
- goto err_out;
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Service password length is zero");
+ goto err_out;
}
err_out:
*/
static krb5_error_code
-krb5_ldap_bind(ldap_context, ldap_server_handle)
- krb5_ldap_context *ldap_context;
- krb5_ldap_server_handle *ldap_server_handle;
+krb5_ldap_bind(krb5_ldap_context *ldap_context,
+ krb5_ldap_server_handle *ldap_server_handle)
{
krb5_error_code st=0;
struct berval bv={0, NULL}, *servercreds=NULL;
if (ldap_context->service_cert_path != NULL) {
- /* Certificate based bind (SASL EXTERNAL mechanism) */
-
- st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
- NULL, /* Authenticating dn */
- "EXTERNAL", /* Method used for authentication */
- &bv,
- NULL,
- NULL,
- &servercreds);
-
- if (st == LDAP_SASL_BIND_IN_PROGRESS) {
- st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
- NULL,
- "EXTERNAL",
- servercreds,
- NULL,
- NULL,
- &servercreds);
- }
+ /* Certificate based bind (SASL EXTERNAL mechanism) */
+
+ st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
+ NULL, /* Authenticating dn */
+ "EXTERNAL", /* Method used for authentication */
+ &bv,
+ NULL,
+ NULL,
+ &servercreds);
+
+ if (st == LDAP_SASL_BIND_IN_PROGRESS) {
+ st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
+ NULL,
+ "EXTERNAL",
+ servercreds,
+ NULL,
+ NULL,
+ &servercreds);
+ }
} else {
- /* password based simple bind */
+ /* password based simple bind */
bv.bv_val = ldap_context->bind_pwd;
bv.bv_len = strlen(ldap_context->bind_pwd);
st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
- ldap_context->bind_dn,
- NULL, &bv, NULL,
- NULL, NULL);
+ ldap_context->bind_dn,
+ NULL, &bv, NULL,
+ NULL, NULL);
}
return st;
}
static krb5_error_code
-krb5_ldap_initialize(ldap_context, server_info)
- krb5_ldap_context *ldap_context;
- krb5_ldap_server_info *server_info;
+krb5_ldap_initialize(krb5_ldap_context *ldap_context,
+ krb5_ldap_server_info *server_info)
{
krb5_error_code st=0;
krb5_ldap_server_handle *ldap_server_handle=NULL;
ldap_server_handle = calloc(1, sizeof(krb5_ldap_server_handle));
if (ldap_server_handle == NULL) {
- st = ENOMEM;
- goto err_out;
+ st = ENOMEM;
+ goto err_out;
}
/* ldap init */
if ((st = ldap_initialize(&ldap_server_handle->ldap_handle, server_info->server_name)) != 0) {
- if (ldap_context->kcontext)
- krb5_set_error_message (ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR, "%s",
- ldap_err2string(st));
- st = KRB5_KDB_ACCESS_ERROR;
- goto err_out;
+ if (ldap_context->kcontext)
+ krb5_set_error_message (ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR, "%s",
+ ldap_err2string(st));
+ st = KRB5_KDB_ACCESS_ERROR;
+ goto err_out;
}
if ((st=krb5_ldap_bind(ldap_context, ldap_server_handle)) == 0) {
- ldap_server_handle->server_info_update_pending = FALSE;
- server_info->server_status = ON;
- krb5_update_ldap_handle(ldap_server_handle, server_info);
+ ldap_server_handle->server_info_update_pending = FALSE;
+ server_info->server_status = ON;
+ krb5_update_ldap_handle(ldap_server_handle, server_info);
} else {
- if (ldap_context->kcontext)
- krb5_set_error_message (ldap_context->kcontext,
- KRB5_KDB_ACCESS_ERROR, "%s",
- ldap_err2string(st));
- st = KRB5_KDB_ACCESS_ERROR;
- server_info->server_status = OFF;
- time(&server_info->downtime);
- /* ldap_unbind_s(ldap_server_handle->ldap_handle); */
- free(ldap_server_handle);
+ if (ldap_context->kcontext)
+ krb5_set_error_message (ldap_context->kcontext,
+ KRB5_KDB_ACCESS_ERROR, "%s",
+ ldap_err2string(st));
+ st = KRB5_KDB_ACCESS_ERROR;
+ server_info->server_status = OFF;
+ time(&server_info->downtime);
+ /* ldap_unbind_s(ldap_server_handle->ldap_handle); */
+ free(ldap_server_handle);
}
err_out:
struct timeval local_timelimit = {10,0};
if ((st=krb5_validate_ldap_context(context, ldap_context)) != 0)
- goto err_out;
+ goto err_out;
ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
#ifdef LDAP_OPT_NETWORK_TIMEOUT
st = HNDL_LOCK(ldap_context);
if (st)
- return st;
+ return st;
while (ldap_context->server_info_list[cnt] != NULL) {
- krb5_ldap_server_info *server_info=NULL;
+ krb5_ldap_server_info *server_info=NULL;
- server_info = ldap_context->server_info_list[cnt];
+ server_info = ldap_context->server_info_list[cnt];
- if (server_info->server_status == NOTSET) {
- unsigned int conns=0;
+ if (server_info->server_status == NOTSET) {
+ unsigned int conns=0;
- /*
- * Check if the server has to perform certificate-based authentication
- */
- if (ldap_context->service_cert_path != NULL) {
- /* Find out if the server supports SASL EXTERNAL mechanism */
- if (has_sasl_external_mech(context, server_info->server_name) == 1) {
- cnt++;
- sasl_mech_supported = FALSE;
- continue; /* Check the next LDAP server */
- }
- sasl_mech_supported = TRUE;
- }
+ /*
+ * Check if the server has to perform certificate-based authentication
+ */
+ if (ldap_context->service_cert_path != NULL) {
+ /* Find out if the server supports SASL EXTERNAL mechanism */
+ if (has_sasl_external_mech(context, server_info->server_name) == 1) {
+ cnt++;
+ sasl_mech_supported = FALSE;
+ continue; /* Check the next LDAP server */
+ }
+ sasl_mech_supported = TRUE;
+ }
- krb5_clear_error_message(context);
+ krb5_clear_error_message(context);
#ifdef LDAP_MOD_INCREMENT
- server_info->modify_increment =
- (has_modify_increment(context, server_info->server_name) == 0);
+ server_info->modify_increment =
+ (has_modify_increment(context, server_info->server_name) == 0);
#else
- server_info->modify_increment = 0;
+ server_info->modify_increment = 0;
#endif /* LDAP_MOD_INCREMENT */
- for (conns=0; conns < ldap_context->max_server_conns; ++conns) {
- if ((st=krb5_ldap_initialize(ldap_context, server_info)) != 0)
- break;
- } /* for (conn= ... */
+ for (conns=0; conns < ldap_context->max_server_conns; ++conns) {
+ if ((st=krb5_ldap_initialize(ldap_context, server_info)) != 0)
+ break;
+ } /* for (conn= ... */
- if (server_info->server_status == ON)
- break; /* server init successful, so break */
- }
- ++cnt;
+ if (server_info->server_status == ON)
+ break; /* server init successful, so break */
+ }
+ ++cnt;
}
HNDL_UNLOCK(ldap_context);
err_out:
if (sasl_mech_supported == FALSE) {
- st = KRB5_KDB_ACCESS_ERROR;
- krb5_set_error_message (context, st,
- "Certificate based authentication requested but "
- "not supported by LDAP servers");
+ st = KRB5_KDB_ACCESS_ERROR;
+ krb5_set_error_message (context, st,
+ "Certificate based authentication requested but "
+ "not supported by LDAP servers");
}
return (st);
}
krb5_ldap_server_info *server_info=NULL;
while (ldap_context->server_info_list[cnt] != NULL) {
- server_info = ldap_context->server_info_list[cnt];
- if ((server_info->server_status == NOTSET || server_info->server_status == ON)) {
- if (server_info->num_conns < ldap_context->max_server_conns-1) {
- st = krb5_ldap_initialize(ldap_context, server_info);
- if (st == LDAP_SUCCESS)
- goto cleanup;
- }
- }
- ++cnt;
+ server_info = ldap_context->server_info_list[cnt];
+ if ((server_info->server_status == NOTSET || server_info->server_status == ON)) {
+ if (server_info->num_conns < ldap_context->max_server_conns-1) {
+ st = krb5_ldap_initialize(ldap_context, server_info);
+ if (st == LDAP_SUCCESS)
+ goto cleanup;
+ }
+ }
+ ++cnt;
}
/* If we are here, try to connect to all the servers */
cnt = 0;
while (ldap_context->server_info_list[cnt] != NULL) {
- server_info = ldap_context->server_info_list[cnt];
- st = krb5_ldap_initialize(ldap_context, server_info);
- if (st == LDAP_SUCCESS)
- goto cleanup;
- ++cnt;
+ server_info = ldap_context->server_info_list[cnt];
+ st = krb5_ldap_initialize(ldap_context, server_info);
+ if (st == LDAP_SUCCESS)
+ goto cleanup;
+ ++cnt;
}
cleanup:
return (st);
}
krb5_error_code
-krb5_ldap_rebind(ldap_context, ldap_server_handle)
- krb5_ldap_context *ldap_context;
- krb5_ldap_server_handle **ldap_server_handle;
+krb5_ldap_rebind(krb5_ldap_context *ldap_context,
+ krb5_ldap_server_handle **ldap_server_handle)
{
krb5_ldap_server_handle *handle = *ldap_server_handle;
if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
- || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
- return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
+ || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
+ return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
return LDAP_SUCCESS;
}
/*
* DAL API functions
*/
-krb5_error_code krb5_ldap_lib_init()
+krb5_error_code
+krb5_ldap_lib_init()
{
return 0;
}
-krb5_error_code krb5_ldap_lib_cleanup()
+krb5_error_code
+krb5_ldap_lib_cleanup()
{
/* right now, no cleanup required */
return 0;
krb5_ldap_free_ldap_context(krb5_ldap_context *ldap_context)
{
if (ldap_context == NULL)
- return 0;
+ return 0;
krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
ldap_context->krbcontainer = NULL;
krb5_ldap_context *ldap_context=NULL;
if (context == NULL ||
- context->dal_handle == NULL ||
- context->dal_handle->db_context == NULL)
- return 0;
+ context->dal_handle == NULL ||
+ context->dal_handle->db_context == NULL)
+ return 0;
dal_handle = context->dal_handle;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/kdb_xdr.c
*
#define safe_realloc(p,n) ((p)?(realloc(p,n)):(malloc(n)))
krb5_error_code
-krb5_dbe_update_tl_data(context, entry, new_tl_data)
- krb5_context context;
- krb5_db_entry * entry;
- krb5_tl_data * new_tl_data;
+krb5_dbe_update_tl_data(krb5_context context, krb5_db_entry *entry,
+ krb5_tl_data *new_tl_data)
{
krb5_tl_data * tl_data;
krb5_octet * tmp;
fails */
if ((tmp = (krb5_octet *) malloc(new_tl_data->tl_data_length)) == NULL)
- return(ENOMEM);
+ return(ENOMEM);
/* Find an existing entry of the specified type and point at
it, or NULL if not found */
for (tl_data = entry->tl_data; tl_data; tl_data = tl_data->tl_data_next)
- if (tl_data->tl_data_type == new_tl_data->tl_data_type)
- break;
+ if (tl_data->tl_data_type == new_tl_data->tl_data_type)
+ break;
/* if necessary, chain a new record in the beginning and point at it */
if (!tl_data) {
- if ((tl_data = (krb5_tl_data *) calloc(1, sizeof(krb5_tl_data)))
- == NULL) {
- free(tmp);
- return(ENOMEM);
- }
- tl_data->tl_data_next = entry->tl_data;
- entry->tl_data = tl_data;
- entry->n_tl_data++;
+ if ((tl_data = (krb5_tl_data *) calloc(1, sizeof(krb5_tl_data)))
+ == NULL) {
+ free(tmp);
+ return(ENOMEM);
+ }
+ tl_data->tl_data_next = entry->tl_data;
+ entry->tl_data = tl_data;
+ entry->n_tl_data++;
}
/* fill in the record */
if (tl_data->tl_data_contents)
- free(tl_data->tl_data_contents);
+ free(tl_data->tl_data_contents);
tl_data->tl_data_type = new_tl_data->tl_data_type;
tl_data->tl_data_length = new_tl_data->tl_data_length;
}
krb5_error_code
-krb5_dbe_lookup_tl_data(context, entry, ret_tl_data)
- krb5_context context;
- krb5_db_entry * entry;
- krb5_tl_data * ret_tl_data;
+krb5_dbe_lookup_tl_data(krb5_context context, krb5_db_entry *entry,
+ krb5_tl_data *ret_tl_data)
{
krb5_tl_data *tl_data;
for (tl_data = entry->tl_data; tl_data; tl_data = tl_data->tl_data_next) {
- if (tl_data->tl_data_type == ret_tl_data->tl_data_type) {
- *ret_tl_data = *tl_data;
- return(0);
- }
+ if (tl_data->tl_data_type == ret_tl_data->tl_data_type) {
+ *ret_tl_data = *tl_data;
+ return(0);
+ }
}
/* if the requested record isn't found, return zero bytes.
}
krb5_error_code
-krb5_dbe_update_last_pwd_change(context, entry, stamp)
- krb5_context context;
- krb5_db_entry * entry;
- krb5_timestamp stamp;
+krb5_dbe_update_last_pwd_change(krb5_context context, krb5_db_entry *entry,
+ krb5_timestamp stamp)
{
krb5_tl_data tl_data;
krb5_octet buf[4]; /* this is the encoded size of an int32 */
}
krb5_error_code
-krb5_dbe_lookup_last_pwd_change(context, entry, stamp)
- krb5_context context;
- krb5_db_entry * entry;
- krb5_timestamp * stamp;
+krb5_dbe_lookup_last_pwd_change(krb5_context context, krb5_db_entry *entry,
+ krb5_timestamp *stamp)
{
krb5_tl_data tl_data;
- krb5_error_code code;
- krb5_int32 tmp;
+ krb5_error_code code;
+ krb5_int32 tmp;
tl_data.tl_data_type = KRB5_TL_LAST_PWD_CHANGE;
if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data)))
- return(code);
+ return(code);
if (tl_data.tl_data_length != 4) {
- *stamp = 0;
- return(0);
+ *stamp = 0;
+ return(0);
}
krb5_kdb_decode_int32(tl_data.tl_data_contents, tmp);
I need one, I'll add one */
krb5_error_code
-krb5_dbe_update_mod_princ_data(context, entry, mod_date, mod_princ)
- krb5_context context;
- krb5_db_entry * entry;
- krb5_timestamp mod_date;
- krb5_const_principal mod_princ;
+krb5_dbe_update_mod_princ_data(krb5_context context, krb5_db_entry *entry,
+ krb5_timestamp mod_date,
+ krb5_const_principal mod_princ)
{
krb5_tl_data tl_data;
- krb5_error_code retval = 0;
- krb5_octet * nextloc = 0;
- char * unparse_mod_princ = 0;
- unsigned int unparse_mod_princ_size;
+ krb5_error_code retval = 0;
+ krb5_octet * nextloc = 0;
+ char * unparse_mod_princ = 0;
+ unsigned int unparse_mod_princ_size;
if ((retval = krb5_unparse_name(context, mod_princ,
- &unparse_mod_princ)))
- return(retval);
+ &unparse_mod_princ)))
+ return(retval);
unparse_mod_princ_size = strlen(unparse_mod_princ) + 1;
if ((nextloc = (krb5_octet *) malloc(unparse_mod_princ_size + 4))
- == NULL) {
- free(unparse_mod_princ);
- return(ENOMEM);
+ == NULL) {
+ free(unparse_mod_princ);
+ return(ENOMEM);
}
tl_data.tl_data_type = KRB5_TL_MOD_PRINC;
}
krb5_error_code
-krb5_dbe_lookup_mod_princ_data(context, entry, mod_time, mod_princ)
- krb5_context context;
- krb5_db_entry * entry;
- krb5_timestamp * mod_time;
- krb5_principal * mod_princ;
+krb5_dbe_lookup_mod_princ_data(krb5_context context, krb5_db_entry *entry,
+ krb5_timestamp *mod_time,
+ krb5_principal *mod_princ)
{
krb5_tl_data tl_data;
- krb5_error_code code;
+ krb5_error_code code;
tl_data.tl_data_type = KRB5_TL_MOD_PRINC;
if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data)))
- return(code);
+ return(code);
if ((tl_data.tl_data_length < 5) ||
- (tl_data.tl_data_contents[tl_data.tl_data_length-1] != '\0'))
- return(KRB5_KDB_TRUNCATED_RECORD);
+ (tl_data.tl_data_contents[tl_data.tl_data_length-1] != '\0'))
+ return(KRB5_KDB_TRUNCATED_RECORD);
/* Mod Date */
krb5_kdb_decode_int32(tl_data.tl_data_contents, *mod_time);
/* Mod Princ */
if ((code = krb5_parse_name(context,
- (const char *) (tl_data.tl_data_contents+4),
- mod_princ)))
- return(code);
+ (const char *) (tl_data.tl_data_contents+4),
+ mod_princ)))
+ return(code);
return(0);
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#ifndef _KDB2_XDR_H
#define _KDB2_XDR_H
#include "kdb.h"
krb5_error_code
-krb5_encode_princ_dbkey( krb5_context context,
- krb5_data *key,
- krb5_const_principal principal);
+krb5_encode_princ_dbkey(krb5_context context,
+ krb5_data *key,
+ krb5_const_principal principal);
krb5_error_code
-krb5_decode_princ_contents( krb5_context context,
- krb5_data * content,
- krb5_db_entry * entry);
+krb5_decode_princ_contents(krb5_context context,
+ krb5_data *content,
+ krb5_db_entry *entry);
void
-krb5_dbe_free_contents( krb5_context context,
- krb5_db_entry * entry);
+krb5_dbe_free_contents(krb5_context context,
+ krb5_db_entry *entry);
krb5_error_code
-krb5_encode_princ_contents( krb5_context context,
- krb5_data * content,
- krb5_db_entry * entry);
+krb5_encode_princ_contents(krb5_context context,
+ krb5_data *content,
+ krb5_db_entry *entry);
void
-krb5_free_princ_dbkey( krb5_context context,
- krb5_data *key);
+krb5_free_princ_dbkey(krb5_context context,
+ krb5_data *key);
void
-krb5_free_princ_contents( krb5_context context,
- krb5_data *contents);
+krb5_free_princ_contents(krb5_context context,
+ krb5_data *contents);
#endif
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_create.c
*
* the specified attributes.
*/
krb5_error_code
-krb5_ldap_create (krb5_context context, char *conf_section, char **db_args)
+krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
{
krb5_error_code status = 0;
char **t_ptr = db_args;
ldap_context = malloc(sizeof(krb5_ldap_context));
if (ldap_context == NULL) {
- status = ENOMEM;
- goto cleanup;
+ status = ENOMEM;
+ goto cleanup;
}
memset(ldap_context, 0, sizeof(*ldap_context));
/* populate ldap_context with ldap specific options */
while (t_ptr && *t_ptr) {
- char *opt = NULL, *val = NULL;
-
- if ((status = krb5_ldap_get_db_opt(*t_ptr, &opt, &val)) != 0) {
- goto cleanup;
- }
- if (opt && !strcmp(opt, "binddn")) {
- if (ldap_context->bind_dn) {
- free (opt);
- free (val);
- status = EINVAL;
- krb5_set_error_message (context, status, "'binddn' missing");
- goto cleanup;
- }
- if (val == NULL) {
- status = EINVAL;
- krb5_set_error_message (context, status, "'binddn' value missing");
- free(opt);
- goto cleanup;
- }
- ldap_context->bind_dn = strdup(val);
- if (ldap_context->bind_dn == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto cleanup;
- }
- } else if (opt && !strcmp(opt, "nconns")) {
- if (ldap_context->max_server_conns) {
- free (opt);
- free (val);
- status = EINVAL;
- krb5_set_error_message (context, status, "'nconns' missing");
- goto cleanup;
- }
- if (val == NULL) {
- status = EINVAL;
- krb5_set_error_message (context, status, "'nconns' value missing");
- free(opt);
- goto cleanup;
- }
- ldap_context->max_server_conns = atoi(val) ? atoi(val) : DEFAULT_CONNS_PER_SERVER;
- } else if (opt && !strcmp(opt, "bindpwd")) {
- if (ldap_context->bind_pwd) {
- free (opt);
- free (val);
- status = EINVAL;
- krb5_set_error_message (context, status, "'bindpwd' missing");
- goto cleanup;
- }
- if (val == NULL) {
- status = EINVAL;
- krb5_set_error_message (context, status, "'bindpwd' value missing");
- free(opt);
- goto cleanup;
- }
- ldap_context->bind_pwd = strdup(val);
- if (ldap_context->bind_pwd == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto cleanup;
- }
- } else if (opt && !strcmp(opt, "host")) {
- if (val == NULL) {
- status = EINVAL;
- krb5_set_error_message (context, status, "'host' value missing");
- free(opt);
- goto cleanup;
- }
- if (ldap_context->server_info_list == NULL)
- ldap_context->server_info_list =
- (krb5_ldap_server_info **) calloc(SERV_COUNT+1, sizeof(krb5_ldap_server_info *));
-
- if (ldap_context->server_info_list == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto cleanup;
- }
-
- ldap_context->server_info_list[srv_cnt] =
- (krb5_ldap_server_info *) calloc(1, sizeof(krb5_ldap_server_info));
- if (ldap_context->server_info_list[srv_cnt] == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto cleanup;
- }
-
- ldap_context->server_info_list[srv_cnt]->server_status = NOTSET;
-
- ldap_context->server_info_list[srv_cnt]->server_name = strdup(val);
- if (ldap_context->server_info_list[srv_cnt]->server_name == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto cleanup;
- }
-
- srv_cnt++;
+ char *opt = NULL, *val = NULL;
+
+ if ((status = krb5_ldap_get_db_opt(*t_ptr, &opt, &val)) != 0) {
+ goto cleanup;
+ }
+ if (opt && !strcmp(opt, "binddn")) {
+ if (ldap_context->bind_dn) {
+ free (opt);
+ free (val);
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'binddn' missing");
+ goto cleanup;
+ }
+ if (val == NULL) {
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'binddn' value missing");
+ free(opt);
+ goto cleanup;
+ }
+ ldap_context->bind_dn = strdup(val);
+ if (ldap_context->bind_dn == NULL) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto cleanup;
+ }
+ } else if (opt && !strcmp(opt, "nconns")) {
+ if (ldap_context->max_server_conns) {
+ free (opt);
+ free (val);
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'nconns' missing");
+ goto cleanup;
+ }
+ if (val == NULL) {
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'nconns' value missing");
+ free(opt);
+ goto cleanup;
+ }
+ ldap_context->max_server_conns = atoi(val) ? atoi(val) : DEFAULT_CONNS_PER_SERVER;
+ } else if (opt && !strcmp(opt, "bindpwd")) {
+ if (ldap_context->bind_pwd) {
+ free (opt);
+ free (val);
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'bindpwd' missing");
+ goto cleanup;
+ }
+ if (val == NULL) {
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'bindpwd' value missing");
+ free(opt);
+ goto cleanup;
+ }
+ ldap_context->bind_pwd = strdup(val);
+ if (ldap_context->bind_pwd == NULL) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto cleanup;
+ }
+ } else if (opt && !strcmp(opt, "host")) {
+ if (val == NULL) {
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'host' value missing");
+ free(opt);
+ goto cleanup;
+ }
+ if (ldap_context->server_info_list == NULL)
+ ldap_context->server_info_list =
+ (krb5_ldap_server_info **) calloc(SERV_COUNT+1, sizeof(krb5_ldap_server_info *));
+
+ if (ldap_context->server_info_list == NULL) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto cleanup;
+ }
+
+ ldap_context->server_info_list[srv_cnt] =
+ (krb5_ldap_server_info *) calloc(1, sizeof(krb5_ldap_server_info));
+ if (ldap_context->server_info_list[srv_cnt] == NULL) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto cleanup;
+ }
+
+ ldap_context->server_info_list[srv_cnt]->server_status = NOTSET;
+
+ ldap_context->server_info_list[srv_cnt]->server_name = strdup(val);
+ if (ldap_context->server_info_list[srv_cnt]->server_name == NULL) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto cleanup;
+ }
+
+ srv_cnt++;
#ifdef HAVE_EDIRECTORY
- } else if (opt && !strcmp(opt, "cert")) {
- if (val == NULL) {
- status = EINVAL;
- krb5_set_error_message (context, status, "'cert' value missing");
- free(opt);
- goto cleanup;
- }
-
- if (ldap_context->root_certificate_file == NULL) {
- ldap_context->root_certificate_file = strdup(val);
- if (ldap_context->root_certificate_file == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto cleanup;
- }
- } else {
- char *newstr;
-
- if (asprintf(&newstr, "%s %s",
- ldap_context->root_certificate_file, val) < 0) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto cleanup;
- }
- ldap_context->root_certificate_file = newstr;
- }
+ } else if (opt && !strcmp(opt, "cert")) {
+ if (val == NULL) {
+ status = EINVAL;
+ krb5_set_error_message (context, status, "'cert' value missing");
+ free(opt);
+ goto cleanup;
+ }
+
+ if (ldap_context->root_certificate_file == NULL) {
+ ldap_context->root_certificate_file = strdup(val);
+ if (ldap_context->root_certificate_file == NULL) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto cleanup;
+ }
+ } else {
+ char *newstr;
+
+ if (asprintf(&newstr, "%s %s",
+ ldap_context->root_certificate_file, val) < 0) {
+ free (opt);
+ free (val);
+ status = ENOMEM;
+ goto cleanup;
+ }
+ ldap_context->root_certificate_file = newstr;
+ }
#endif
- } else {
- /* ignore hash argument. Might have been passed from create */
- status = EINVAL;
- if (opt && !strcmp(opt, "temporary")) {
- /*
- * temporary is passed in when kdb5_util load without -update is done.
- * This is unsupported by the LDAP plugin.
- */
- krb5_set_error_message (context, status,
- "creation of LDAP entries aborted, plugin requires -update argument");
- } else {
- krb5_set_error_message (context, status, "unknown option \'%s\'",
- opt?opt:val);
- }
- free(opt);
- free(val);
- goto cleanup;
- }
-
- free(opt);
- free(val);
- t_ptr++;
+ } else {
+ /* ignore hash argument. Might have been passed from create */
+ status = EINVAL;
+ if (opt && !strcmp(opt, "temporary")) {
+ /*
+ * temporary is passed in when kdb5_util load without -update is done.
+ * This is unsupported by the LDAP plugin.
+ */
+ krb5_set_error_message (context, status,
+ "creation of LDAP entries aborted, plugin requires -update argument");
+ } else {
+ krb5_set_error_message (context, status, "unknown option \'%s\'",
+ opt?opt:val);
+ }
+ free(opt);
+ free(val);
+ goto cleanup;
+ }
+
+ free(opt);
+ free(val);
+ t_ptr++;
}
dal_handle = context->dal_handle;
status = krb5_ldap_read_server_params(context, conf_section, KRB5_KDB_SRV_TYPE_ADMIN);
if (status) {
- dal_handle->db_context = NULL;
- prepend_err_str (context, "Error reading LDAP server params: ", status, status);
- goto cleanup;
+ dal_handle->db_context = NULL;
+ prepend_err_str (context, "Error reading LDAP server params: ", status, status);
+ goto cleanup;
}
status = krb5_ldap_db_init(context, ldap_context);
if (status) {
- goto cleanup;
+ goto cleanup;
}
/* read the kerberos container */
if ((status = krb5_ldap_read_krbcontainer_params(context,
- &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) {
-
- /* Read the kerberos container location from configuration file */
- if (ldap_context->conf_section) {
- if ((status = profile_get_string(context->profile,
- KDB_MODULE_SECTION, ldap_context->conf_section,
- "ldap_kerberos_container_dn", NULL,
- &kparams.DN)) != 0) {
- goto cleanup;
- }
- }
- if (kparams.DN == NULL) {
- if ((status = profile_get_string(context->profile,
- KDB_MODULE_DEF_SECTION,
- "ldap_kerberos_container_dn", NULL,
- NULL, &kparams.DN)) != 0) {
- goto cleanup;
- }
- }
-
- /* create the kerberos container */
- status = krb5_ldap_create_krbcontainer(context,
- ((kparams.DN != NULL) ? &kparams : NULL));
- if (status)
- goto cleanup;
-
- krbcontainer_obj_created = TRUE;
-
- status = krb5_ldap_read_krbcontainer_params(context,
- &(ldap_context->krbcontainer));
- if (status)
- goto cleanup;
+ &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) {
+
+ /* Read the kerberos container location from configuration file */
+ if (ldap_context->conf_section) {
+ if ((status = profile_get_string(context->profile,
+ KDB_MODULE_SECTION, ldap_context->conf_section,
+ "ldap_kerberos_container_dn", NULL,
+ &kparams.DN)) != 0) {
+ goto cleanup;
+ }
+ }
+ if (kparams.DN == NULL) {
+ if ((status = profile_get_string(context->profile,
+ KDB_MODULE_DEF_SECTION,
+ "ldap_kerberos_container_dn", NULL,
+ NULL, &kparams.DN)) != 0) {
+ goto cleanup;
+ }
+ }
+
+ /* create the kerberos container */
+ status = krb5_ldap_create_krbcontainer(context,
+ ((kparams.DN != NULL) ? &kparams : NULL));
+ if (status)
+ goto cleanup;
+
+ krbcontainer_obj_created = TRUE;
+
+ status = krb5_ldap_read_krbcontainer_params(context,
+ &(ldap_context->krbcontainer));
+ if (status)
+ goto cleanup;
} else if (status) {
- goto cleanup;
+ goto cleanup;
}
rparams = (krb5_ldap_realm_params *) malloc(sizeof(krb5_ldap_realm_params));
if (rparams == NULL) {
- status = ENOMEM;
- goto cleanup;
+ status = ENOMEM;
+ goto cleanup;
}
memset(rparams, 0, sizeof(*rparams));
rparams->realm_name = strdup(context->default_realm);
if (rparams->realm_name == NULL) {
- status = ENOMEM;
- goto cleanup;
+ status = ENOMEM;
+ goto cleanup;
}
if ((status = krb5_ldap_create_realm(context, rparams, mask)))
- goto cleanup;
+ goto cleanup;
/* We just created the Realm container. Here starts our transaction tracking */
realm_obj_created = TRUE;
/* verify realm object */
if ((status = krb5_ldap_read_realm_params(context,
- rparams->realm_name,
- &(ldap_context->lrparams),
- &mask)))
- goto cleanup;
+ rparams->realm_name,
+ &(ldap_context->lrparams),
+ &mask)))
+ goto cleanup;
#ifdef HAVE_EDIRECTORY
if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
- (mask & LDAP_REALM_PASSWDSERVERS)) {
-
- rightsmask =0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
- for (i=0; (rparams->kdcservers[i] != NULL); i++) {
- if ((status=krb5_ldap_add_service_rights(context,
- LDAP_KDC_SERVICE, rparams->kdcservers[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- goto cleanup;
- }
- }
- }
-
- rightsmask = 0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- if ((rparams != NULL) && (rparams->adminservers != NULL)) {
- for (i=0; (rparams->adminservers[i] != NULL); i++) {
- if ((status=krb5_ldap_add_service_rights(context,
- LDAP_ADMIN_SERVICE, rparams->adminservers[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- goto cleanup;
- }
- }
- }
-
- rightsmask = 0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
- for (i=0; (rparams->passwdservers[i] != NULL); i++) {
- if ((status=krb5_ldap_add_service_rights(context,
- LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- goto cleanup;
- }
- }
- }
+ (mask & LDAP_REALM_PASSWDSERVERS)) {
+
+ rightsmask =0;
+ rightsmask |= LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
+ for (i=0; (rparams->kdcservers[i] != NULL); i++) {
+ if ((status=krb5_ldap_add_service_rights(context,
+ LDAP_KDC_SERVICE, rparams->kdcservers[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ goto cleanup;
+ }
+ }
+ }
+
+ rightsmask = 0;
+ rightsmask |= LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if ((rparams != NULL) && (rparams->adminservers != NULL)) {
+ for (i=0; (rparams->adminservers[i] != NULL); i++) {
+ if ((status=krb5_ldap_add_service_rights(context,
+ LDAP_ADMIN_SERVICE, rparams->adminservers[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ goto cleanup;
+ }
+ }
+ }
+
+ rightsmask = 0;
+ rightsmask |= LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
+ for (i=0; (rparams->passwdservers[i] != NULL); i++) {
+ if ((status=krb5_ldap_add_service_rights(context,
+ LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ goto cleanup;
+ }
+ }
+ }
}
#endif
/* If the krbcontainer/realm creation is not complete, do the roll-back here */
if ((krbcontainer_obj_created) && (!realm_obj_created)) {
- int rc;
- rc = krb5_ldap_delete_krbcontainer(context,
- ((kparams.DN != NULL) ? &kparams : NULL));
- krb5_set_error_message(context, rc,
- "could not complete roll-back, error deleting Kerberos Container");
+ int rc;
+ rc = krb5_ldap_delete_krbcontainer(context,
+ ((kparams.DN != NULL) ? &kparams : NULL));
+ krb5_set_error_message(context, rc,
+ "could not complete roll-back, error deleting Kerberos Container");
}
/* should call krb5_ldap_free_krbcontainer_params() but can't */
if (kparams.DN != NULL)
- krb5_xfree(kparams.DN);
+ krb5_xfree(kparams.DN);
if (rparams)
- krb5_ldap_free_realm_params(rparams);
+ krb5_ldap_free_realm_params(rparams);
return(status);
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include <ldap.h>
#include <errno.h>
#include <krb5.h>
* OP_ABANDON => ldap_abandon
*/
-int translate_ldap_error(int err, int op) {
+int
+translate_ldap_error(int err, int op) {
switch (err) {
case LDAP_SUCCESS:
- return 0;
+ return 0;
case LDAP_OPERATIONS_ERROR:
- /* LDAP_OPERATIONS_ERROR: Indicates an internal error. The server is
- * unable to respond with a more specific error and is also unable
- * to properly respond to a request */
+ /* LDAP_OPERATIONS_ERROR: Indicates an internal error. The server is
+ * unable to respond with a more specific error and is also unable
+ * to properly respond to a request */
case LDAP_UNAVAILABLE_CRITICAL_EXTENSION:
- /* LDAP server was unable to satisfy a request because one or more
- * critical extensions were not available */
- /* This might mean that the schema was not extended ... */
+ /* LDAP server was unable to satisfy a request because one or more
+ * critical extensions were not available */
+ /* This might mean that the schema was not extended ... */
case LDAP_UNDEFINED_TYPE:
- /* The attribute specified in the modify or add operation does not
- * exist in the LDAP server's schema. */
- return KRB5_KDB_INTERNAL_ERROR;
+ /* The attribute specified in the modify or add operation does not
+ * exist in the LDAP server's schema. */
+ return KRB5_KDB_INTERNAL_ERROR;
case LDAP_INAPPROPRIATE_MATCHING:
- /* The matching rule specified in the search filter does not match a
- * rule defined for the attribute's syntax */
- return KRB5_KDB_UK_RERROR;
+ /* The matching rule specified in the search filter does not match a
+ * rule defined for the attribute's syntax */
+ return KRB5_KDB_UK_RERROR;
case LDAP_CONSTRAINT_VIOLATION:
- /* The attribute value specified in a modify, add, or modify DN
- * operation violates constraints placed on the attribute */
+ /* The attribute value specified in a modify, add, or modify DN
+ * operation violates constraints placed on the attribute */
case LDAP_TYPE_OR_VALUE_EXISTS:
- /* The attribute value specified in a modify or add operation
- * already exists as a value for that attribute */
- return KRB5_KDB_UK_SERROR;
+ /* The attribute value specified in a modify or add operation
+ * already exists as a value for that attribute */
+ return KRB5_KDB_UK_SERROR;
case LDAP_INVALID_SYNTAX:
- /* The attribute value specified in an add, compare, or modify
- * operation is an unrecognized or invalid syntax for the attribute */
- if (op == OP_ADD || op == OP_MOD)
- return KRB5_KDB_UK_SERROR;
- else /* OP_CMP */
- return KRB5_KDB_UK_RERROR;
-
- /* Ensure that the following don't occur in the DAL-LDAP code.
- * Don't rely on the LDAP server to catch it */
+ /* The attribute value specified in an add, compare, or modify
+ * operation is an unrecognized or invalid syntax for the attribute */
+ if (op == OP_ADD || op == OP_MOD)
+ return KRB5_KDB_UK_SERROR;
+ else /* OP_CMP */
+ return KRB5_KDB_UK_RERROR;
+
+ /* Ensure that the following don't occur in the DAL-LDAP code.
+ * Don't rely on the LDAP server to catch it */
case LDAP_SASL_BIND_IN_PROGRESS:
- /* This is not an error. So, this function should not be called */
+ /* This is not an error. So, this function should not be called */
case LDAP_COMPARE_FALSE:
case LDAP_COMPARE_TRUE:
- /* LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE are not errors. This
- * function should not be invoked for them */
+ /* LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE are not errors. This
+ * function should not be invoked for them */
case LDAP_RESULTS_TOO_LARGE: /* CLDAP */
case LDAP_TIMELIMIT_EXCEEDED:
case LDAP_SIZELIMIT_EXCEEDED:
- return KRB5_KDB_SERVER_INTERNAL_ERR;
+ return KRB5_KDB_SERVER_INTERNAL_ERR;
case LDAP_INVALID_DN_SYNTAX:
- /* The syntax of the DN is incorrect */
- return EINVAL;
+ /* The syntax of the DN is incorrect */
+ return EINVAL;
case LDAP_PROTOCOL_ERROR:
- /* LDAP_PROTOCOL_ERROR: Indicates that the server has received an
- * invalid or malformed request from the client */
+ /* LDAP_PROTOCOL_ERROR: Indicates that the server has received an
+ * invalid or malformed request from the client */
case LDAP_CONFIDENTIALITY_REQUIRED:
- /* Bind problems ... */
+ /* Bind problems ... */
case LDAP_AUTH_METHOD_NOT_SUPPORTED:
-/* case LDAP_STRONG_AUTH_NOT_SUPPORTED: // Is this a bind error ? */
+/* case LDAP_STRONG_AUTH_NOT_SUPPORTED: // Is this a bind error ? */
case LDAP_INAPPROPRIATE_AUTH:
case LDAP_INVALID_CREDENTIALS:
case LDAP_UNAVAILABLE:
- return KRB5_KDB_ACCESS_ERROR;
+ return KRB5_KDB_ACCESS_ERROR;
case LDAP_STRONG_AUTH_REQUIRED:
- if (op == OP_BIND) /* the LDAP server accepts only strong authentication. */
- return KRB5_KDB_ACCESS_ERROR;
- else /* Client requested an operation such that requires strong authentication */
- return KRB5_KDB_CONSTRAINT_VIOLATION;
+ if (op == OP_BIND) /* the LDAP server accepts only strong authentication. */
+ return KRB5_KDB_ACCESS_ERROR;
+ else /* Client requested an operation such that requires strong authentication */
+ return KRB5_KDB_CONSTRAINT_VIOLATION;
case LDAP_REFERRAL:
- return KRB5_KDB_NOENTRY;
+ return KRB5_KDB_NOENTRY;
case LDAP_ADMINLIMIT_EXCEEDED:
- /* An LDAP server limit set by an administrative authority has been
- * exceeded */
- return KRB5_KDB_CONSTRAINT_VIOLATION;
+ /* An LDAP server limit set by an administrative authority has been
+ * exceeded */
+ return KRB5_KDB_CONSTRAINT_VIOLATION;
case LDAP_UNWILLING_TO_PERFORM:
- /* The LDAP server cannot process the request because of
- * server-defined restrictions */
- return KRB5_KDB_CONSTRAINT_VIOLATION;
+ /* The LDAP server cannot process the request because of
+ * server-defined restrictions */
+ return KRB5_KDB_CONSTRAINT_VIOLATION;
case LDAP_NO_SUCH_ATTRIBUTE:
- /* Indicates that the attribute specified in the modify or compare
- * operation does not exist in the entry */
- if (op == OP_MOD)
- return KRB5_KDB_UK_SERROR;
- else /* OP_CMP */
- return KRB5_KDB_TRUNCATED_RECORD;
+ /* Indicates that the attribute specified in the modify or compare
+ * operation does not exist in the entry */
+ if (op == OP_MOD)
+ return KRB5_KDB_UK_SERROR;
+ else /* OP_CMP */
+ return KRB5_KDB_TRUNCATED_RECORD;
case LDAP_ALIAS_DEREF_PROBLEM:
- /* Either the client does not have access rights to read the aliased
- * object's name or dereferencing is not allowed */
+ /* Either the client does not have access rights to read the aliased
+ * object's name or dereferencing is not allowed */
#ifdef LDAP_PROXY_AUTHZ_FAILURE
case LDAP_PROXY_AUTHZ_FAILURE: // Is this correct ?
#endif
case LDAP_INSUFFICIENT_ACCESS:
- /* Caller does not have sufficient rights to perform the requested
- * operation */
- return KRB5_KDB_UNAUTH;
+ /* Caller does not have sufficient rights to perform the requested
+ * operation */
+ return KRB5_KDB_UNAUTH;
case LDAP_LOOP_DETECT:
- /* Client discovered an alias or referral loop */
- return KRB5_KDB_DB_CORRUPT;
+ /* Client discovered an alias or referral loop */
+ return KRB5_KDB_DB_CORRUPT;
default:
- if (LDAP_NAME_ERROR (err))
- return KRB5_KDB_NOENTRY;
+ if (LDAP_NAME_ERROR (err))
+ return KRB5_KDB_NOENTRY;
- if (LDAP_SECURITY_ERROR (err))
- return KRB5_KDB_UNAUTH;
+ if (LDAP_SECURITY_ERROR (err))
+ return KRB5_KDB_UNAUTH;
- if (LDAP_SERVICE_ERROR (err) || LDAP_API_ERROR (err) || LDAP_X_ERROR (err))
- return KRB5_KDB_ACCESS_ERROR;
+ if (LDAP_SERVICE_ERROR (err) || LDAP_API_ERROR (err) || LDAP_X_ERROR (err))
+ return KRB5_KDB_ACCESS_ERROR;
- if (LDAP_UPDATE_ERROR(err))
- return KRB5_KDB_UK_SERROR;
+ if (LDAP_UPDATE_ERROR(err))
+ return KRB5_KDB_UK_SERROR;
- /* LDAP_OTHER */
- return KRB5_KDB_SERVER_INTERNAL_ERR;
+ /* LDAP_OTHER */
+ return KRB5_KDB_SERVER_INTERNAL_ERR;
}
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#define OP_INIT 1
#define OP_BIND 2
#define OP_UNBIND 3
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_fetch_mkey.c
*
*/
krb5_error_code
-krb5_ldap_get_mkey (context, key)
- krb5_context context;
- krb5_keyblock **key;
-
+krb5_ldap_get_mkey(krb5_context context, krb5_keyblock **key)
{
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
if (ldap_context == NULL || ldap_context->lrparams == NULL)
- return KRB5_KDB_DBNOTINITED;
+ return KRB5_KDB_DBNOTINITED;
*key = &ldap_context->lrparams->mkey;
return 0;
*/
krb5_error_code
-krb5_ldap_set_mkey (context, pwd, key)
- krb5_context context;
- char *pwd;
- krb5_keyblock *key;
+krb5_ldap_set_mkey(krb5_context context, char *pwd, krb5_keyblock *key)
{
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
if (ldap_context == NULL || ldap_context->lrparams == NULL)
- return KRB5_KDB_DBNOTINITED;
+ return KRB5_KDB_DBNOTINITED;
r_params = ldap_context->lrparams;
if (r_params->mkey.contents) {
- free (r_params->mkey.contents);
- r_params->mkey.contents=NULL;
+ free (r_params->mkey.contents);
+ r_params->mkey.contents=NULL;
}
r_params->mkey.magic = key->magic;
r_params->mkey.length = key->length;
r_params->mkey.contents = malloc(key->length);
if (r_params->mkey.contents == NULL)
- return ENOMEM;
+ return ENOMEM;
memcpy(r_params->mkey.contents, key->contents, key->length);
return 0;
}
krb5_error_code
-krb5_ldap_get_mkey_list (krb5_context context, krb5_keylist_node **key_list)
-
+krb5_ldap_get_mkey_list(krb5_context context, krb5_keylist_node **key_list)
{
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
if (ldap_context == NULL || ldap_context->lrparams == NULL)
- return KRB5_KDB_DBNOTINITED;
+ return KRB5_KDB_DBNOTINITED;
*key_list = ldap_context->lrparams->mkey_list;
return 0;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
if (ldap_context == NULL || ldap_context->lrparams == NULL)
- return KRB5_KDB_DBNOTINITED;
+ return KRB5_KDB_DBNOTINITED;
r_params = ldap_context->lrparams;
r_params->mkey_list = key_list;
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_handle.c
*
*/
static krb5_error_code
-krb5_update_server_info(ldap_server_handle, server_info)
- krb5_ldap_server_handle *ldap_server_handle;
- krb5_ldap_server_info *server_info;
+krb5_update_server_info(krb5_ldap_server_handle *ldap_server_handle,
+ krb5_ldap_server_info *server_info)
{
krb5_error_code st=0;
struct timeval ztime={0, 0};
LDAPMessage *result=NULL;
if (ldap_server_handle == NULL || server_info == NULL)
- return -1;
+ return -1;
while (st == 0) {
- st = ldap_result(ldap_server_handle->ldap_handle, ldap_server_handle->msgid,
- LDAP_MSG_ALL, &ztime, &result);
- switch (st) {
- case -1:
- server_info->server_status = OFF;
- time(&server_info->downtime);
- break;
-
- case 0:
- continue;
- break;
-
- case LDAP_RES_BIND:
- if ((st=ldap_result2error(ldap_server_handle->ldap_handle, result, 1)) == LDAP_SUCCESS) {
- server_info->server_status = ON;
- } else {
- /* ?? */ krb5_set_error_message(0, 0, "%s", ldap_err2string(st));
- server_info->server_status = OFF;
- time(&server_info->downtime);
- }
- ldap_msgfree(result);
- break;
- default:
- ldap_msgfree(result);
- continue;
- break;
- }
+ st = ldap_result(ldap_server_handle->ldap_handle, ldap_server_handle->msgid,
+ LDAP_MSG_ALL, &ztime, &result);
+ switch (st) {
+ case -1:
+ server_info->server_status = OFF;
+ time(&server_info->downtime);
+ break;
+
+ case 0:
+ continue;
+ break;
+
+ case LDAP_RES_BIND:
+ if ((st=ldap_result2error(ldap_server_handle->ldap_handle, result, 1)) == LDAP_SUCCESS) {
+ server_info->server_status = ON;
+ } else {
+ /* ?? */ krb5_set_error_message(0, 0, "%s", ldap_err2string(st));
+ server_info->server_status = OFF;
+ time(&server_info->downtime);
+ }
+ ldap_msgfree(result);
+ break;
+ default:
+ ldap_msgfree(result);
+ continue;
+ break;
+ }
}
ldap_server_handle->server_info_update_pending = FALSE;
return 0;
*/
static krb5_ldap_server_handle *
-krb5_get_ldap_handle(ldap_context)
- krb5_ldap_context *ldap_context;
+krb5_get_ldap_handle(krb5_ldap_context *ldap_context)
{
krb5_ldap_server_handle *ldap_server_handle=NULL;
krb5_ldap_server_info *ldap_server_info=NULL;
int cnt=0;
while (ldap_context->server_info_list[cnt] != NULL) {
- ldap_server_info = ldap_context->server_info_list[cnt];
- if (ldap_server_info->server_status != OFF) {
- if (ldap_server_info->ldap_server_handles != NULL) {
- ldap_server_handle = ldap_server_info->ldap_server_handles;
- ldap_server_info->ldap_server_handles = ldap_server_handle->next;
- break;
+ ldap_server_info = ldap_context->server_info_list[cnt];
+ if (ldap_server_info->server_status != OFF) {
+ if (ldap_server_info->ldap_server_handles != NULL) {
+ ldap_server_handle = ldap_server_info->ldap_server_handles;
+ ldap_server_info->ldap_server_handles = ldap_server_handle->next;
+ break;
#ifdef ASYNC_BIND
- if (ldap_server_handle->server_info_update_pending == TRUE) {
- krb5_update_server_info(context, ldap_server_handle,
- ldap_server_info);
- }
-
- if (ldap_server_info->server_status == ON) {
- ldap_server_info->ldap_server_handles = ldap_server_handle->next;
- break;
- } else
- ldap_server_handle = NULL;
+ if (ldap_server_handle->server_info_update_pending == TRUE) {
+ krb5_update_server_info(context, ldap_server_handle,
+ ldap_server_info);
+ }
+
+ if (ldap_server_info->server_status == ON) {
+ ldap_server_info->ldap_server_handles = ldap_server_handle->next;
+ break;
+ } else
+ ldap_server_handle = NULL;
#endif
- }
- }
- ++cnt;
+ }
+ }
+ ++cnt;
}
return ldap_server_handle;
}
*/
static krb5_ldap_server_handle *
-krb5_retry_get_ldap_handle(ldap_context, st)
- krb5_ldap_context *ldap_context;
- krb5_error_code *st;
+krb5_retry_get_ldap_handle(krb5_ldap_context *ldap_context,
+ krb5_error_code *st)
{
krb5_ldap_server_handle *ldap_server_handle=NULL;
if ((*st=krb5_ldap_db_single_init(ldap_context)) != 0)
- return NULL;
+ return NULL;
ldap_server_handle = krb5_get_ldap_handle(ldap_context);
return ldap_server_handle;
*/
static krb5_error_code
-krb5_put_ldap_handle(ldap_server_handle)
- krb5_ldap_server_handle *ldap_server_handle;
+krb5_put_ldap_handle(krb5_ldap_server_handle *ldap_server_handle)
{
if (ldap_server_handle == NULL)
- return 0;
+ return 0;
ldap_server_handle->next = ldap_server_handle->server_info->ldap_server_handles;
ldap_server_handle->server_info->ldap_server_handles = ldap_server_handle;
*/
krb5_error_code
-krb5_update_ldap_handle(ldap_server_handle, server_info)
- krb5_ldap_server_handle *ldap_server_handle;
- krb5_ldap_server_info *server_info;
+krb5_update_ldap_handle(krb5_ldap_server_handle *ldap_server_handle,
+ krb5_ldap_server_info *server_info)
{
if (ldap_server_handle == NULL || server_info == NULL)
- return 0;
+ return 0;
ldap_server_handle->next = server_info->ldap_server_handles;
server_info->ldap_server_handles = ldap_server_handle;
*/
static krb5_error_code
-krb5_ldap_cleanup_handles(ldap_server_info)
- krb5_ldap_server_info *ldap_server_info;
+krb5_ldap_cleanup_handles(krb5_ldap_server_info *ldap_server_info)
{
krb5_ldap_server_handle *ldap_server_handle = NULL;
while (ldap_server_info->ldap_server_handles != NULL) {
- ldap_server_handle = ldap_server_info->ldap_server_handles;
- ldap_server_info->ldap_server_handles = ldap_server_handle->next;
- /* ldap_unbind_s(ldap_server_handle); */
- free (ldap_server_handle);
- ldap_server_handle = NULL;
+ ldap_server_handle = ldap_server_info->ldap_server_handles;
+ ldap_server_info->ldap_server_handles = ldap_server_handle->next;
+ /* ldap_unbind_s(ldap_server_handle); */
+ free (ldap_server_handle);
+ ldap_server_handle = NULL;
}
return 0;
}
*/
krb5_error_code
-krb5_ldap_request_handle_from_pool(ldap_context, ldap_server_handle)
- krb5_ldap_context *ldap_context;
- krb5_ldap_server_handle **ldap_server_handle;
+krb5_ldap_request_handle_from_pool(krb5_ldap_context *ldap_context,
+ krb5_ldap_server_handle **
+ ldap_server_handle)
{
krb5_error_code st=0;
st = HNDL_LOCK(ldap_context);
if (st)
- return st;
+ return st;
if (((*ldap_server_handle)=krb5_get_ldap_handle(ldap_context)) == NULL)
- (*ldap_server_handle)=krb5_retry_get_ldap_handle(ldap_context, &st);
+ (*ldap_server_handle)=krb5_retry_get_ldap_handle(ldap_context, &st);
HNDL_UNLOCK(ldap_context);
return st;
}
*/
krb5_error_code
-krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle)
- krb5_ldap_context *ldap_context;
- krb5_ldap_server_handle **ldap_server_handle;
+krb5_ldap_request_next_handle_from_pool(krb5_ldap_context *ldap_context,
+ krb5_ldap_server_handle **
+ ldap_server_handle)
{
krb5_error_code st=0;
st = HNDL_LOCK(ldap_context);
if (st)
- return st;
+ return st;
(*ldap_server_handle)->server_info->server_status = OFF;
time(&(*ldap_server_handle)->server_info->downtime);
krb5_put_ldap_handle(*ldap_server_handle);
krb5_ldap_cleanup_handles((*ldap_server_handle)->server_info);
if (((*ldap_server_handle)=krb5_get_ldap_handle(ldap_context)) == NULL)
- (*ldap_server_handle)=krb5_retry_get_ldap_handle(ldap_context, &st);
+ (*ldap_server_handle)=krb5_retry_get_ldap_handle(ldap_context, &st);
HNDL_UNLOCK(ldap_context);
return st;
}
*/
void
-krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle)
- krb5_ldap_context *ldap_context;
- krb5_ldap_server_handle *ldap_server_handle;
+krb5_ldap_put_handle_to_pool(krb5_ldap_context *ldap_context,
+ krb5_ldap_server_handle *ldap_server_handle)
{
if (ldap_server_handle != NULL) {
- if (HNDL_LOCK(ldap_context) == 0) {
- krb5_put_ldap_handle(ldap_server_handle);
- HNDL_UNLOCK(ldap_context);
- }
+ if (HNDL_LOCK(ldap_context) == 0) {
+ krb5_put_ldap_handle(ldap_server_handle);
+ HNDL_UNLOCK(ldap_context);
+ }
}
return;
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_handle.h
*
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_krbcontainer.c
*
krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *cparams)
{
if (cparams == NULL)
- return;
+ return;
if (cparams->policyreference)
- krb5_xfree(cparams->policyreference);
+ krb5_xfree(cparams->policyreference);
if (cparams->parent)
- krb5_xfree(cparams->parent);
+ krb5_xfree(cparams->parent);
if (cparams->DN)
- krb5_xfree(cparams->DN);
+ krb5_xfree(cparams->DN);
krb5_xfree(cparams);
*/
krb5_error_code
-krb5_ldap_read_krbcontainer_params(krb5_context context,
- krb5_ldap_krbcontainer_params **cparamp)
+krb5_ldap_read_krbcontainer_params(krb5_context context,
+ krb5_ldap_krbcontainer_params **cparamp)
{
krb5_error_code st=0, tempst=0;
/* read kerberos containter location from [dbmodules] section of krb5.conf file */
if (ldap_context->conf_section) {
- if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, ldap_context->conf_section,
- "ldap_kerberos_container_dn", NULL,
- &cparams->DN)) != 0) {
- krb5_set_error_message(context, st, "Error reading kerberos container location "
- "from krb5.conf");
- goto cleanup;
- }
+ if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, ldap_context->conf_section,
+ "ldap_kerberos_container_dn", NULL,
+ &cparams->DN)) != 0) {
+ krb5_set_error_message(context, st, "Error reading kerberos container location "
+ "from krb5.conf");
+ goto cleanup;
+ }
}
/* read kerberos containter location from [dbdefaults] section of krb5.conf file */
if (cparams->DN == NULL) {
- if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
- "ldap_kerberos_container_dn", NULL,
- NULL, &cparams->DN)) != 0) {
- krb5_set_error_message(context, st, "Error reading kerberos container location "
- "from krb5.conf");
- goto cleanup;
- }
+ if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
+ "ldap_kerberos_container_dn", NULL,
+ NULL, &cparams->DN)) != 0) {
+ krb5_set_error_message(context, st, "Error reading kerberos container location "
+ "from krb5.conf");
+ goto cleanup;
+ }
}
#ifndef HAVE_EDIRECTORY
* is missing in the conf file. In openldap we will have to return an error.
*/
if (cparams->DN == NULL) {
- st = KRB5_KDB_SERVER_INTERNAL_ERR;
- krb5_set_error_message(context, st, "Kerberos container location not specified");
- goto cleanup;
+ st = KRB5_KDB_SERVER_INTERNAL_ERR;
+ krb5_set_error_message(context, st, "Kerberos container location not specified");
+ goto cleanup;
}
#endif
if (cparams->DN != NULL) {
- /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is
- * not read
- */
- LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
- st = set_ldap_error(context, st, OP_SEARCH);
- goto cleanup;
- }
-
- if (st == LDAP_NO_SUCH_OBJECT) {
- st = KRB5_KDB_NOENTRY;
- goto cleanup;
- }
+ /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is
+ * not read
+ */
+ LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS);
+ if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
+ st = set_ldap_error(context, st, OP_SEARCH);
+ goto cleanup;
+ }
+
+ if (st == LDAP_NO_SUCH_OBJECT) {
+ st = KRB5_KDB_NOENTRY;
+ goto cleanup;
+ }
}
#ifdef HAVE_EDIRECTORY
* then fall back to the default value
*/
if ((cparams->DN == NULL) || (st == LDAP_NO_SUCH_OBJECT)) {
- /*
- * kerberos container can be anywhere. locate it by reading the security
- * container to find the location.
- */
- LDAP_SEARCH(SECURITY_CONTAINER, LDAP_SCOPE_BASE, NULL, krbcontainerrefattr);
- if ((ent = ldap_first_entry(ld, result)) != NULL) {
- if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference",
- &(cparams->DN), NULL)) != 0)
- goto cleanup;
- if (cparams->DN == NULL) {
- cparams->DN = strdup(KERBEROS_CONTAINER);
- CHECK_NULL(cparams->DN);
- }
- }
- ldap_msgfree(result);
-
- /* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on
- * Kerberos Container is not read
- */
- LDAP_SEARCH(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute);
+ /*
+ * kerberos container can be anywhere. locate it by reading the security
+ * container to find the location.
+ */
+ LDAP_SEARCH(SECURITY_CONTAINER, LDAP_SCOPE_BASE, NULL, krbcontainerrefattr);
+ if ((ent = ldap_first_entry(ld, result)) != NULL) {
+ if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference",
+ &(cparams->DN), NULL)) != 0)
+ goto cleanup;
+ if (cparams->DN == NULL) {
+ cparams->DN = strdup(KERBEROS_CONTAINER);
+ CHECK_NULL(cparams->DN);
+ }
+ }
+ ldap_msgfree(result);
+
+ /* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on
+ * Kerberos Container is not read
+ */
+ LDAP_SEARCH(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute);
}
#endif
if ((ent = ldap_first_entry(ld, result))) {
- if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference",
- &(cparams->policyreference), NULL)) != 0)
- goto cleanup;
+ if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference",
+ &(cparams->policyreference), NULL)) != 0)
+ goto cleanup;
}
ldap_msgfree(result);
if (cparams->policyreference != NULL) {
- LDAP_SEARCH_1(cparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS);
- if (st != LDAP_SUCCESS && st!= LDAP_NO_SUCH_OBJECT) {
- st = set_ldap_error(context, st, OP_SEARCH);
- goto cleanup;
- }
- st = LDAP_SUCCESS; /* reset the return status in case it is LDAP_NO_SUCH_OBJECT */
-
- ent=ldap_first_entry(ld, result);
- if (ent != NULL) {
- krb5_ldap_get_value(ld, ent, "krbmaxtktlife", &(cparams->max_life));
- krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &(cparams->max_renewable_life));
- krb5_ldap_get_value(ld, ent, "krbticketflags", &(cparams->tktflags));
- }
- ldap_msgfree(result);
+ LDAP_SEARCH_1(cparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS);
+ if (st != LDAP_SUCCESS && st!= LDAP_NO_SUCH_OBJECT) {
+ st = set_ldap_error(context, st, OP_SEARCH);
+ goto cleanup;
+ }
+ st = LDAP_SUCCESS; /* reset the return status in case it is LDAP_NO_SUCH_OBJECT */
+
+ ent=ldap_first_entry(ld, result);
+ if (ent != NULL) {
+ krb5_ldap_get_value(ld, ent, "krbmaxtktlife", &(cparams->max_life));
+ krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &(cparams->max_renewable_life));
+ krb5_ldap_get_value(ld, ent, "krbticketflags", &(cparams->tktflags));
+ }
+ ldap_msgfree(result);
}
*cparamp=cparams;
cleanup:
if (st != 0) {
- krb5_ldap_free_krbcontainer_params(cparams);
- *cparamp=NULL;
+ krb5_ldap_free_krbcontainer_params(cparams);
+ *cparamp=NULL;
}
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_krbcontainer.h
*
#ifndef _LDAP_KRBCONTAINER_H_
#define _LDAP_KRBCONTAINER_H_ 1
-#define MAX_KRB_CONTAINER_LEN 256
+#define MAX_KRB_CONTAINER_LEN 256
/* kerberos container structure */
typedef struct _krb5_ldap_krbcontainer_params {
- char *parent;
- char *DN;
- char *policyreference;
- krb5_int32 max_life;
- krb5_int32 max_renewable_life;
- krb5_int32 tktflags;
+ char *parent;
+ char *DN;
+ char *policyreference;
+ krb5_int32 max_life;
+ krb5_int32 max_renewable_life;
+ krb5_int32 tktflags;
} krb5_ldap_krbcontainer_params;
void
krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *);
krb5_error_code
-krb5_ldap_read_krbcontainer_params(krb5_context , krb5_ldap_krbcontainer_params **);
+krb5_ldap_read_krbcontainer_params(krb5_context,
+ krb5_ldap_krbcontainer_params **);
krb5_error_code
-krb5_ldap_create_krbcontainer(krb5_context, const krb5_ldap_krbcontainer_params *);
+krb5_ldap_create_krbcontainer(krb5_context,
+ const krb5_ldap_krbcontainer_params *);
krb5_error_code
krb5_ldap_delete_krbcontainer(krb5_context,
- const krb5_ldap_krbcontainer_params *);
+ const krb5_ldap_krbcontainer_params *);
#endif
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_main.h
*
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_misc.c
*
static krb5_error_code
remove_overlapping_subtrees(char **listin, char **listop, int *subtcount,
- int sscope);
+ int sscope);
/* Linux (GNU Libc) provides a length-limited variant of strdup.
But all the world's not Linux. */
#undef strndup
#define strndup my_strndup
#ifdef HAVE_LDAP_STR2DN
-static char *my_strndup (const char *input, size_t limit)
+static char *
+my_strndup(const char *input, size_t limit)
{
size_t len = strlen(input);
char *result;
if (len > limit) {
- result = malloc(1 + limit);
- if (result != NULL) {
- memcpy(result, input, limit);
- result[limit] = 0;
- }
- return result;
+ result = malloc(1 + limit);
+ if (result != NULL) {
+ memcpy(result, input, limit);
+ result[limit] = 0;
+ }
+ return result;
} else
- return strdup(input);
+ return strdup(input);
}
#endif
to the default section, then to hard-coded values. */
static errcode_t
prof_get_integer_def(krb5_context ctx, const char *conf_section,
- const char *name, int dfl, krb5_ui_4 *out)
+ const char *name, int dfl, krb5_ui_4 *out)
{
errcode_t err;
int out_temp = 0;
err = profile_get_integer (ctx->profile,
- KDB_MODULE_SECTION, conf_section, name,
- 0, &out_temp);
+ KDB_MODULE_SECTION, conf_section, name,
+ 0, &out_temp);
if (err) {
- krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s",
- name, error_message(err));
- return err;
+ krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s",
+ name, error_message(err));
+ return err;
}
if (out_temp != 0) {
- *out = out_temp;
- return 0;
+ *out = out_temp;
+ return 0;
}
err = profile_get_integer (ctx->profile,
- KDB_MODULE_DEF_SECTION, name, 0,
- dfl, &out_temp);
+ KDB_MODULE_DEF_SECTION, name, 0,
+ dfl, &out_temp);
if (err) {
- krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s",
- name, error_message(err));
- return err;
+ krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s",
+ name, error_message(err));
+ return err;
}
*out = out_temp;
return 0;
bother with the extra argument. */
static errcode_t
prof_get_string_def(krb5_context ctx, const char *conf_section,
- const char *name, char **out)
+ const char *name, char **out)
{
errcode_t err;
err = profile_get_string (ctx->profile,
- KDB_MODULE_SECTION, conf_section, name,
- 0, out);
+ KDB_MODULE_SECTION, conf_section, name,
+ 0, out);
if (err) {
- krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s",
- name, error_message(err));
- return err;
+ krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s",
+ name, error_message(err));
+ return err;
}
if (*out != 0)
- return 0;
+ return 0;
err = profile_get_string (ctx->profile,
- KDB_MODULE_DEF_SECTION, name, 0,
- 0, out);
+ KDB_MODULE_DEF_SECTION, name, 0,
+ 0, out);
if (err) {
- krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s",
- name, error_message(err));
- return err;
+ krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s",
+ name, error_message(err));
+ return err;
}
return 0;
}
* these are ldap_server ....
*/
krb5_error_code
-krb5_ldap_read_server_params(context, conf_section, srv_type)
- krb5_context context;
- char *conf_section;
- int srv_type;
+krb5_ldap_read_server_params(krb5_context context, char *conf_section,
+ int srv_type)
{
char *tempval=NULL, *save_ptr=NULL;
const char *delims="\t\n\f\v\r ,";
/* copy the conf_section into ldap_context for later use */
if (conf_section) {
- ldap_context->conf_section = strdup (conf_section);
- if (ldap_context->conf_section == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
+ ldap_context->conf_section = strdup (conf_section);
+ if (ldap_context->conf_section == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
}
/* initialize the mutexs and condition variable */
/* this mutex is used in ldap reconnection pool */
if (k5_mutex_init(&(ldap_context->hndl_lock)) != 0) {
- st = KRB5_KDB_SERVER_INTERNAL_ERR;
+ st = KRB5_KDB_SERVER_INTERNAL_ERR;
#if 0
- st = -1;
- krb5_ldap_dal_err_funcp(context, krb5_err_have_str, st,
- "k5_mutex_init failed");
+ st = -1;
+ krb5_ldap_dal_err_funcp(context, krb5_err_have_str, st,
+ "k5_mutex_init failed");
#endif
- goto cleanup;
+ goto cleanup;
}
/*
* connections per ldap server.
*/
if (ldap_context->max_server_conns == 0) {
- st = prof_get_integer_def (context, conf_section,
- KRB5_CONF_LDAP_CONNS_PER_SERVER,
- DEFAULT_CONNS_PER_SERVER,
- &ldap_context->max_server_conns);
- if (st)
- goto cleanup;
+ st = prof_get_integer_def (context, conf_section,
+ KRB5_CONF_LDAP_CONNS_PER_SERVER,
+ DEFAULT_CONNS_PER_SERVER,
+ &ldap_context->max_server_conns);
+ if (st)
+ goto cleanup;
}
if (ldap_context->max_server_conns < 2) {
- st = EINVAL;
- krb5_set_error_message (context, st,
- "Minimum connections required per server is 2");
- goto cleanup;
+ st = EINVAL;
+ krb5_set_error_message (context, st,
+ "Minimum connections required per server is 2");
+ goto cleanup;
}
/*
* server. The srv_type decides which dn to read.
*/
if (ldap_context->bind_dn == NULL) {
- char *name = 0;
- if (srv_type == KRB5_KDB_SRV_TYPE_KDC)
- name = KRB5_CONF_LDAP_KDC_DN;
- else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN)
- name = KRB5_CONF_LDAP_KADMIN_DN;
- else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD)
- name = "ldap_kpasswdd_dn";
-
- if (name) {
- st = prof_get_string_def (context, conf_section, name,
- &ldap_context->bind_dn);
- if (st)
- goto cleanup;
- }
+ char *name = 0;
+ if (srv_type == KRB5_KDB_SRV_TYPE_KDC)
+ name = KRB5_CONF_LDAP_KDC_DN;
+ else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN)
+ name = KRB5_CONF_LDAP_KADMIN_DN;
+ else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD)
+ name = "ldap_kpasswdd_dn";
+
+ if (name) {
+ st = prof_get_string_def (context, conf_section, name,
+ &ldap_context->bind_dn);
+ if (st)
+ goto cleanup;
+ }
}
/*
* the KDC, ADMIN and PASSWD dns.
*/
if (ldap_context->service_password_file == NULL) {
- st = prof_get_string_def (context, conf_section,
- KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE,
- &ldap_context->service_password_file);
- if (st)
- goto cleanup;
+ st = prof_get_string_def (context, conf_section,
+ KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE,
+ &ldap_context->service_password_file);
+ if (st)
+ goto cleanup;
}
#ifdef HAVE_EDIRECTORY
* certificate of the Directory.
*/
if (ldap_context->root_certificate_file == NULL) {
- st = prof_get_string_def (context, conf_section,
- KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE,
- &ldap_context->root_certificate_file);
- if (st)
- goto cleanup;
+ st = prof_get_string_def (context, conf_section,
+ KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE,
+ &ldap_context->root_certificate_file);
+ if (st)
+ goto cleanup;
}
#endif
*/
if (ldap_context->server_info_list == NULL) {
- unsigned int ele=0;
-
- server_info = &(ldap_context->server_info_list);
- *server_info = (krb5_ldap_server_info **) calloc (SERV_COUNT+1,
- sizeof (krb5_ldap_server_info *));
-
- if (*server_info == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
-
- if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
- KRB5_CONF_LDAP_SERVERS, NULL, &tempval)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_servers' attribute");
- goto cleanup;
- }
-
- if (tempval == NULL) {
-
- (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1,
- sizeof(krb5_ldap_server_info));
-
- (*server_info)[ele]->server_name = strdup("ldapi://");
- if ((*server_info)[ele]->server_name == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- (*server_info)[ele]->server_status = NOTSET;
- } else {
- char *item=NULL;
-
- item = strtok_r(tempval,delims,&save_ptr);
- while (item != NULL && ele<SERV_COUNT) {
- (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1,
- sizeof(krb5_ldap_server_info));
- if ((*server_info)[ele] == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- (*server_info)[ele]->server_name = strdup(item);
- if ((*server_info)[ele]->server_name == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
-
- (*server_info)[ele]->server_status = NOTSET;
- item = strtok_r(NULL,delims,&save_ptr);
- ++ele;
- }
- profile_release_string(tempval);
- }
+ unsigned int ele=0;
+
+ server_info = &(ldap_context->server_info_list);
+ *server_info = (krb5_ldap_server_info **) calloc (SERV_COUNT+1,
+ sizeof (krb5_ldap_server_info *));
+
+ if (*server_info == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+
+ if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
+ KRB5_CONF_LDAP_SERVERS, NULL, &tempval)) != 0) {
+ krb5_set_error_message (context, st, "Error reading 'ldap_servers' attribute");
+ goto cleanup;
+ }
+
+ if (tempval == NULL) {
+
+ (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1,
+ sizeof(krb5_ldap_server_info));
+
+ (*server_info)[ele]->server_name = strdup("ldapi://");
+ if ((*server_info)[ele]->server_name == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+ (*server_info)[ele]->server_status = NOTSET;
+ } else {
+ char *item=NULL;
+
+ item = strtok_r(tempval,delims,&save_ptr);
+ while (item != NULL && ele<SERV_COUNT) {
+ (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1,
+ sizeof(krb5_ldap_server_info));
+ if ((*server_info)[ele] == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+ (*server_info)[ele]->server_name = strdup(item);
+ if ((*server_info)[ele]->server_name == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+
+ (*server_info)[ele]->server_status = NOTSET;
+ item = strtok_r(NULL,delims,&save_ptr);
+ ++ele;
+ }
+ profile_release_string(tempval);
+ }
}
cleanup:
*/
krb5_error_code
-krb5_ldap_free_server_context_params(ldap_context)
- krb5_ldap_context *ldap_context;
+krb5_ldap_free_server_context_params(krb5_ldap_context *ldap_context)
{
int i=0;
krb5_ldap_server_handle *ldap_server_handle=NULL, *next_ldap_server_handle=NULL;
if (ldap_context == NULL)
- return 0;
+ return 0;
/* Free all ldap servers list and the ldap handles associated with
the ldap server. */
if (ldap_context->server_info_list) {
- while (ldap_context->server_info_list[i]) {
- if (ldap_context->server_info_list[i]->server_name) {
- free (ldap_context->server_info_list[i]->server_name);
- }
+ while (ldap_context->server_info_list[i]) {
+ if (ldap_context->server_info_list[i]->server_name) {
+ free (ldap_context->server_info_list[i]->server_name);
+ }
#ifdef HAVE_EDIRECTORY
- if (ldap_context->server_info_list[i]->root_certificate_file) {
- free (ldap_context->server_info_list[i]->root_certificate_file);
- }
+ if (ldap_context->server_info_list[i]->root_certificate_file) {
+ free (ldap_context->server_info_list[i]->root_certificate_file);
+ }
#endif
- if (ldap_context->server_info_list[i]->ldap_server_handles) {
- ldap_server_handle = ldap_context->server_info_list[i]->ldap_server_handles;
- while (ldap_server_handle) {
- ldap_unbind_ext_s(ldap_server_handle->ldap_handle, NULL, NULL);
- ldap_server_handle->ldap_handle = NULL;
- next_ldap_server_handle = ldap_server_handle->next;
- krb5_xfree(ldap_server_handle);
- ldap_server_handle = next_ldap_server_handle;
- }
- }
- krb5_xfree(ldap_context->server_info_list[i]);
- i++;
- }
- krb5_xfree(ldap_context->server_info_list);
+ if (ldap_context->server_info_list[i]->ldap_server_handles) {
+ ldap_server_handle = ldap_context->server_info_list[i]->ldap_server_handles;
+ while (ldap_server_handle) {
+ ldap_unbind_ext_s(ldap_server_handle->ldap_handle, NULL, NULL);
+ ldap_server_handle->ldap_handle = NULL;
+ next_ldap_server_handle = ldap_server_handle->next;
+ krb5_xfree(ldap_server_handle);
+ ldap_server_handle = next_ldap_server_handle;
+ }
+ }
+ krb5_xfree(ldap_context->server_info_list[i]);
+ i++;
+ }
+ krb5_xfree(ldap_context->server_info_list);
}
if (ldap_context->conf_section != NULL) {
- krb5_xfree(ldap_context->conf_section);
- ldap_context->conf_section = NULL;
+ krb5_xfree(ldap_context->conf_section);
+ ldap_context->conf_section = NULL;
}
if (ldap_context->bind_dn != NULL) {
- krb5_xfree(ldap_context->bind_dn);
- ldap_context->bind_dn = NULL;
+ krb5_xfree(ldap_context->bind_dn);
+ ldap_context->bind_dn = NULL;
}
if (ldap_context->bind_pwd != NULL) {
- memset(ldap_context->bind_pwd, 0, strlen(ldap_context->bind_pwd));
- krb5_xfree(ldap_context->bind_pwd);
- ldap_context->bind_pwd = NULL;
+ memset(ldap_context->bind_pwd, 0, strlen(ldap_context->bind_pwd));
+ krb5_xfree(ldap_context->bind_pwd);
+ ldap_context->bind_pwd = NULL;
}
if (ldap_context->service_password_file != NULL) {
- krb5_xfree(ldap_context->service_password_file);
- ldap_context->service_password_file = NULL;
+ krb5_xfree(ldap_context->service_password_file);
+ ldap_context->service_password_file = NULL;
}
#ifdef HAVE_EDIRECTORY
if (ldap_context->root_certificate_file != NULL) {
- krb5_xfree(ldap_context->root_certificate_file);
- ldap_context->root_certificate_file = NULL;
+ krb5_xfree(ldap_context->root_certificate_file);
+ ldap_context->root_certificate_file = NULL;
}
#endif
if (ldap_context->service_cert_path != NULL) {
- krb5_xfree(ldap_context->service_cert_path);
- ldap_context->service_cert_path = NULL;
+ krb5_xfree(ldap_context->service_cert_path);
+ ldap_context->service_cert_path = NULL;
}
if (ldap_context->service_cert_pass != NULL) {
- krb5_xfree(ldap_context->service_cert_pass);
- ldap_context->service_cert_pass = NULL;
+ krb5_xfree(ldap_context->service_cert_pass);
+ ldap_context->service_cert_pass = NULL;
}
if (ldap_context->certificates) {
- i=0;
- while (ldap_context->certificates[i] != NULL) {
- krb5_xfree(ldap_context->certificates[i]->certificate);
- krb5_xfree(ldap_context->certificates[i]);
- ++i;
- }
- krb5_xfree(ldap_context->certificates);
+ i=0;
+ while (ldap_context->certificates[i] != NULL) {
+ krb5_xfree(ldap_context->certificates[i]->certificate);
+ krb5_xfree(ldap_context->certificates[i]);
+ ++i;
+ }
+ krb5_xfree(ldap_context->certificates);
}
return(0);
}
krb5_error_code
-krb5_ldap_free_server_params(ldap_context)
- krb5_ldap_context *ldap_context;
+krb5_ldap_free_server_params(krb5_ldap_context *ldap_context)
{
if (ldap_context == NULL)
return 0;
*/
krb5_error_code
-is_principal_in_realm(ldap_context, searchfor)
- krb5_ldap_context *ldap_context;
- krb5_const_principal searchfor;
+is_principal_in_realm(krb5_ldap_context *ldap_context,
+ krb5_const_principal searchfor)
{
size_t defrealmlen=0;
char *defrealm=NULL;
* "krbtgt". All this check is done in the immediate block.
*/
if (searchfor->length == 2)
- if ((strncasecmp(searchfor->data[0].data, "krbtgt",
- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
- (strncasecmp(searchfor->data[1].data, defrealm,
- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
- return 0;
+ if ((strncasecmp(searchfor->data[0].data, "krbtgt",
+ FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
+ (strncasecmp(searchfor->data[1].data, defrealm,
+ FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
+ return 0;
/* first check the length, if they are not equal, then they are not same */
if (strlen(defrealm) != searchfor->realm.length)
- return 1;
+ return 1;
/* if the length is equal, check for the contents */
if (strncmp(defrealm, searchfor->realm.data,
- searchfor->realm.length) != 0)
- return 1;
+ searchfor->realm.length) != 0)
+ return 1;
/* if we are here, then the realm portions match, return 0 */
return 0;
}
* it is the subtree information associated with the realm.
*/
krb5_error_code
-krb5_get_subtree_info(ldap_context, subtreearr, ntree)
- krb5_ldap_context *ldap_context;
- char ***subtreearr;
- unsigned int *ntree;
+krb5_get_subtree_info(krb5_ldap_context *ldap_context, char ***subtreearr,
+ unsigned int *ntree)
{
int st=0, i=0, subtreecount=0;
- int ncount=0, search_scope=0;
+ int ncount=0, search_scope=0;
char **subtree=NULL, *realm_cont_dn=NULL;
char **subtarr=NULL;
char *containerref=NULL;
- char **newsubtree=NULL;
+ char **newsubtree=NULL;
containerref = ldap_context->lrparams->containerref;
subtree = ldap_context->lrparams->subtree;
subtarr = (char **) malloc(sizeof(char *) * (subtreecount + 1 /*realm dn*/ + 1 /*containerref*/ + 1));
if (subtarr == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
memset(subtarr, 0, (sizeof(char *) * (subtreecount+1+1+1)));
/* get the complete subtree list */
for (i=0; i<subtreecount && subtree[i]!=NULL; i++) {
- subtarr[i] = strdup(subtree[i]);
- if (subtarr[i] == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
+ subtarr[i] = strdup(subtree[i]);
+ if (subtarr[i] == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
}
subtarr[i] = strdup(realm_cont_dn);
if (subtarr[i++] == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
if (containerref != NULL) {
- subtarr[i] = strdup(containerref);
- if (subtarr[i++] == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
+ subtarr[i] = strdup(containerref);
+ if (subtarr[i++] == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
}
ncount = i;
}
memset(newsubtree, 0, (sizeof(char *) * (ncount+1)));
if ((st = remove_overlapping_subtrees(subtarr, newsubtree, &ncount,
- search_scope)) != 0) {
+ search_scope)) != 0) {
goto cleanup;
}
cleanup:
if (subtarr != NULL) {
- for (i=0; subtarr[i] != NULL; i++)
- free(subtarr[i]);
- free(subtarr);
+ for (i=0; subtarr[i] != NULL; i++)
+ free(subtarr[i]);
+ free(subtarr);
}
if (st != 0) {
if (newsubtree != NULL) {
- for (i=0; newsubtree[i] != NULL; i++)
- free(newsubtree[i]);
- free(newsubtree);
+ for (i=0; newsubtree[i] != NULL; i++)
+ free(newsubtree[i]);
+ free(newsubtree);
}
}
return st;
*/
krb5_error_code
-store_tl_data(tl_data, tl_type, value)
- krb5_tl_data *tl_data;
- int tl_type;
- void *value;
+store_tl_data(krb5_tl_data *tl_data, int tl_type, void *value)
{
unsigned int currlen=0, tldatalen=0;
unsigned char *curr=NULL;
case KDB_TL_PRINCTYPE:
case KDB_TL_MASK:
{
- int *iptr = (int *)value;
- int ivalue = *iptr;
-
- currlen = tl_data->tl_data_length;
- tl_data->tl_data_length += 1 + 2 + 2;
- /* allocate required memory */
- reallocptr = tl_data->tl_data_contents;
- tl_data->tl_data_contents = realloc(tl_data->tl_data_contents,
- tl_data->tl_data_length);
- if (tl_data->tl_data_contents == NULL) {
- if (reallocptr)
- free (reallocptr);
- return ENOMEM;
- }
- curr = (tl_data->tl_data_contents + currlen);
-
- /* store the tl_type value */
- memset(curr, tl_type, 1);
- curr += 1;
- /* store the content length */
- tldatalen = 2;
- STORE16_INT(curr, tldatalen);
- curr += 2;
- /* store the content */
- STORE16_INT(curr, ivalue);
- curr += 2;
- break;
+ int *iptr = (int *)value;
+ int ivalue = *iptr;
+
+ currlen = tl_data->tl_data_length;
+ tl_data->tl_data_length += 1 + 2 + 2;
+ /* allocate required memory */
+ reallocptr = tl_data->tl_data_contents;
+ tl_data->tl_data_contents = realloc(tl_data->tl_data_contents,
+ tl_data->tl_data_length);
+ if (tl_data->tl_data_contents == NULL) {
+ if (reallocptr)
+ free (reallocptr);
+ return ENOMEM;
+ }
+ curr = (tl_data->tl_data_contents + currlen);
+
+ /* store the tl_type value */
+ memset(curr, tl_type, 1);
+ curr += 1;
+ /* store the content length */
+ tldatalen = 2;
+ STORE16_INT(curr, tldatalen);
+ curr += 2;
+ /* store the content */
+ STORE16_INT(curr, ivalue);
+ curr += 2;
+ break;
}
case KDB_TL_USERDN:
case KDB_TL_LINKDN:
{
- char *cptr = (char *)value;
-
- currlen = tl_data->tl_data_length;
- tl_data->tl_data_length += 1 + 2 + strlen(cptr);
- /* allocate required memory */
- reallocptr = tl_data->tl_data_contents;
- tl_data->tl_data_contents = realloc(tl_data->tl_data_contents,
- tl_data->tl_data_length);
- if (tl_data->tl_data_contents == NULL) {
- if (reallocptr)
- free (reallocptr);
- return ENOMEM;
- }
- curr = (tl_data->tl_data_contents + currlen);
-
- /* store the tl_type value */
- memset(curr, tl_type, 1);
- curr += 1;
- /* store the content length */
- tldatalen = strlen(cptr);
- STORE16_INT(curr, tldatalen);
- curr += 2;
- /* store the content */
- memcpy(curr, cptr, tldatalen);
- curr += tldatalen;
- break;
+ char *cptr = (char *)value;
+
+ currlen = tl_data->tl_data_length;
+ tl_data->tl_data_length += 1 + 2 + strlen(cptr);
+ /* allocate required memory */
+ reallocptr = tl_data->tl_data_contents;
+ tl_data->tl_data_contents = realloc(tl_data->tl_data_contents,
+ tl_data->tl_data_length);
+ if (tl_data->tl_data_contents == NULL) {
+ if (reallocptr)
+ free (reallocptr);
+ return ENOMEM;
+ }
+ curr = (tl_data->tl_data_contents + currlen);
+
+ /* store the tl_type value */
+ memset(curr, tl_type, 1);
+ curr += 1;
+ /* store the content length */
+ tldatalen = strlen(cptr);
+ STORE16_INT(curr, tldatalen);
+ curr += 2;
+ /* store the content */
+ memcpy(curr, cptr, tldatalen);
+ curr += tldatalen;
+ break;
}
default:
- return 1;
+ return 1;
}
return 0;
*/
krb5_error_code
-decode_tl_data(tl_data, tl_type, data)
- krb5_tl_data *tl_data;
- int tl_type;
- void **data;
+decode_tl_data(krb5_tl_data *tl_data, int tl_type, void **data)
{
int subtype=0, i=0, limit=10;
unsigned int sublen=0;
curr = tl_data->tl_data_contents;
while (curr < (tl_data->tl_data_contents + tl_data->tl_data_length)) {
- /* get the type of the content */
- subtype = (int) curr[0];
- /* forward by 1 byte*/
- curr += 1;
-
- if (subtype == tl_type) {
- switch (subtype) {
-
- case KDB_TL_PRINCCOUNT:
- case KDB_TL_PRINCTYPE:
- case KDB_TL_MASK:
- /* get the length of the content */
- UNSTORE16_INT(curr, sublen);
- /* forward by 2 bytes */
- curr += 2;
- /* get the actual content */
- if (sublen == 2) {
- /* intptr = malloc(sublen); */
- intptr = malloc(sizeof(krb5_int32));
- if (intptr == NULL)
- return ENOMEM;
- memset(intptr, 0, sublen);
- UNSTORE16_INT(curr, (*intptr));
- *data = intptr;
- } else {
- longptr = malloc(sublen);
- if (longptr == NULL)
- return ENOMEM;
- memset(longptr, 0, sublen);
- UNSTORE32_INT(curr, (*longptr));
- *data = longptr;
- }
- curr += sublen;
- st = 0;
- return st;
- break;
-
- case KDB_TL_CONTAINERDN:
- case KDB_TL_USERDN:
- /* get the length of the content */
- UNSTORE16_INT(curr, sublen);
- /* forward by 2 bytes */
- curr += 2;
- DN = malloc (sublen + 1);
- if (DN == NULL)
- return ENOMEM;
- memcpy(DN, curr, sublen);
- DN[sublen] = 0;
- *data = DN;
- curr += sublen;
- st = 0;
- return st;
- break;
-
- case KDB_TL_LINKDN:
- if (DNarr == NULL) {
- DNarr = calloc(limit, sizeof(char *));
- if (DNarr == NULL)
- return ENOMEM;
- }
- if (i == limit-1) {
- limit *= 2;
- DNarr = realloc(DNarr, sizeof(char *) * (limit));
- if (DNarr == NULL)
- return ENOMEM;
- }
-
- /* get the length of the content */
- UNSTORE16_INT(curr, sublen);
- /* forward by 2 bytes */
- curr += 2;
- DNarr[i] = malloc (sublen + 1);
- if (DNarr[i] == NULL)
- return ENOMEM;
- memcpy(DNarr[i], curr, sublen);
- DNarr[i][sublen] = 0;
- ++i;
- curr += sublen;
- *data = DNarr;
- st=0;
- break;
- }
- } else {
- /* move to the current content block */
- UNSTORE16_INT(curr, sublen);
- curr += 2 + sublen;
- }
+ /* get the type of the content */
+ subtype = (int) curr[0];
+ /* forward by 1 byte*/
+ curr += 1;
+
+ if (subtype == tl_type) {
+ switch (subtype) {
+
+ case KDB_TL_PRINCCOUNT:
+ case KDB_TL_PRINCTYPE:
+ case KDB_TL_MASK:
+ /* get the length of the content */
+ UNSTORE16_INT(curr, sublen);
+ /* forward by 2 bytes */
+ curr += 2;
+ /* get the actual content */
+ if (sublen == 2) {
+ /* intptr = malloc(sublen); */
+ intptr = malloc(sizeof(krb5_int32));
+ if (intptr == NULL)
+ return ENOMEM;
+ memset(intptr, 0, sublen);
+ UNSTORE16_INT(curr, (*intptr));
+ *data = intptr;
+ } else {
+ longptr = malloc(sublen);
+ if (longptr == NULL)
+ return ENOMEM;
+ memset(longptr, 0, sublen);
+ UNSTORE32_INT(curr, (*longptr));
+ *data = longptr;
+ }
+ curr += sublen;
+ st = 0;
+ return st;
+ break;
+
+ case KDB_TL_CONTAINERDN:
+ case KDB_TL_USERDN:
+ /* get the length of the content */
+ UNSTORE16_INT(curr, sublen);
+ /* forward by 2 bytes */
+ curr += 2;
+ DN = malloc (sublen + 1);
+ if (DN == NULL)
+ return ENOMEM;
+ memcpy(DN, curr, sublen);
+ DN[sublen] = 0;
+ *data = DN;
+ curr += sublen;
+ st = 0;
+ return st;
+ break;
+
+ case KDB_TL_LINKDN:
+ if (DNarr == NULL) {
+ DNarr = calloc(limit, sizeof(char *));
+ if (DNarr == NULL)
+ return ENOMEM;
+ }
+ if (i == limit-1) {
+ limit *= 2;
+ DNarr = realloc(DNarr, sizeof(char *) * (limit));
+ if (DNarr == NULL)
+ return ENOMEM;
+ }
+
+ /* get the length of the content */
+ UNSTORE16_INT(curr, sublen);
+ /* forward by 2 bytes */
+ curr += 2;
+ DNarr[i] = malloc (sublen + 1);
+ if (DNarr[i] == NULL)
+ return ENOMEM;
+ memcpy(DNarr[i], curr, sublen);
+ DNarr[i][sublen] = 0;
+ ++i;
+ curr += sublen;
+ *data = DNarr;
+ st=0;
+ break;
+ }
+ } else {
+ /* move to the current content block */
+ UNSTORE16_INT(curr, sublen);
+ curr += 2 + sublen;
+ }
}
return st;
}
* wrapper routines for decode_tl_data
*/
static krb5_error_code
-krb5_get_int_from_tl_data(context, entries, type, intval)
- krb5_context context;
- krb5_db_entry *entries;
- int type;
- int *intval;
+krb5_get_int_from_tl_data(krb5_context context, krb5_db_entry *entries,
+ int type, int *intval)
{
krb5_error_code st=0;
krb5_tl_data tl_data;
tl_data.tl_data_type = KDB_TL_USER_INFO;
if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0)
- goto cleanup;
+ goto cleanup;
if (decode_tl_data(&tl_data, type, &voidptr) == 0) {
- intptr = (int *) voidptr;
- *intval = *intptr;
- free(intptr);
+ intptr = (int *) voidptr;
+ *intval = *intptr;
+ free(intptr);
}
cleanup:
* object (user, policy ...).
*/
krb5_error_code
-krb5_get_attributes_mask(context, entries, mask)
- krb5_context context;
- krb5_db_entry *entries;
- int *mask;
+krb5_get_attributes_mask(krb5_context context, krb5_db_entry *entries,
+ int *mask)
{
return krb5_get_int_from_tl_data(context, entries, KDB_TL_MASK, mask);
}
krb5_error_code
-krb5_get_princ_type(context, entries, ptype)
- krb5_context context;
- krb5_db_entry *entries;
- int *ptype;
+krb5_get_princ_type(krb5_context context, krb5_db_entry *entries, int *ptype)
{
return krb5_get_int_from_tl_data(context, entries, KDB_TL_PRINCTYPE, ptype);
}
krb5_error_code
-krb5_get_princ_count(context, entries, pcount)
- krb5_context context;
- krb5_db_entry *entries;
- int *pcount;
+krb5_get_princ_count(krb5_context context, krb5_db_entry *entries, int *pcount)
{
return krb5_get_int_from_tl_data(context, entries, KDB_TL_PRINCCOUNT, pcount);
}
krb5_error_code
-krb5_get_linkdn(context, entries, link_dn)
- krb5_context context;
- krb5_db_entry *entries;
- char ***link_dn;
+krb5_get_linkdn(krb5_context context, krb5_db_entry *entries, char ***link_dn)
{
krb5_error_code st=0;
krb5_tl_data tl_data;
*link_dn = NULL;
tl_data.tl_data_type = KDB_TL_USER_INFO;
if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0)
- goto cleanup;
+ goto cleanup;
if (decode_tl_data(&tl_data, KDB_TL_LINKDN, &voidptr) == 0) {
- *link_dn = (char **) voidptr;
+ *link_dn = (char **) voidptr;
}
cleanup:
}
static krb5_error_code
-krb5_get_str_from_tl_data(context, entries, type, strval)
- krb5_context context;
- krb5_db_entry *entries;
- int type;
- char **strval;
+krb5_get_str_from_tl_data(krb5_context context, krb5_db_entry *entries,
+ int type, char **strval)
{
krb5_error_code st=0;
krb5_tl_data tl_data;
void *voidptr=NULL;
if (type != KDB_TL_USERDN && type != KDB_TL_CONTAINERDN) {
- st = EINVAL;
- goto cleanup;
+ st = EINVAL;
+ goto cleanup;
}
tl_data.tl_data_type = KDB_TL_USER_INFO;
if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0)
- goto cleanup;
+ goto cleanup;
if (decode_tl_data(&tl_data, type, &voidptr) == 0) {
- *strval = (char *) voidptr;
+ *strval = (char *) voidptr;
}
cleanup:
}
krb5_error_code
-krb5_get_userdn(context, entries, userdn)
- krb5_context context;
- krb5_db_entry *entries;
- char **userdn;
+krb5_get_userdn(krb5_context context, krb5_db_entry *entries, char **userdn)
{
*userdn = NULL;
return krb5_get_str_from_tl_data(context, entries, KDB_TL_USERDN, userdn);
}
krb5_error_code
-krb5_get_containerdn(context, entries, containerdn)
- krb5_context context;
- krb5_db_entry *entries;
- char **containerdn;
+krb5_get_containerdn(krb5_context context, krb5_db_entry *entries,
+ char **containerdn)
{
*containerdn = NULL;
return krb5_get_str_from_tl_data(context, entries, KDB_TL_CONTAINERDN, containerdn);
*/
krb5_error_code
-checkattributevalue (ld, dn, attribute, attrvalues, mask)
- LDAP *ld;
- char *dn;
- char *attribute;
- char **attrvalues;
- int *mask;
+checkattributevalue(LDAP *ld, char *dn, char *attribute, char **attrvalues,
+ int *mask)
{
int st=0, one=1;
char **values=NULL, *attributes[2] = {NULL};
LDAPMessage *result=NULL, *entry=NULL;
if (strlen(dn) == 0) {
- st = set_ldap_error(0, LDAP_NO_SUCH_OBJECT, OP_SEARCH);
- return st;
+ st = set_ldap_error(0, LDAP_NO_SUCH_OBJECT, OP_SEARCH);
+ return st;
}
attributes[0] = attribute;
/* read the attribute values from the dn */
if ((st = ldap_search_ext_s(ld,
- dn,
- LDAP_SCOPE_BASE,
- 0,
- attributes,
- 0,
- NULL,
- NULL,
- &timelimit,
- LDAP_NO_LIMIT,
- &result)) != LDAP_SUCCESS) {
- st = set_ldap_error(0, st, OP_SEARCH);
- return st;
+ dn,
+ LDAP_SCOPE_BASE,
+ 0,
+ attributes,
+ 0,
+ NULL,
+ NULL,
+ &timelimit,
+ LDAP_NO_LIMIT,
+ &result)) != LDAP_SUCCESS) {
+ st = set_ldap_error(0, st, OP_SEARCH);
+ return st;
}
/*
* existence of the object alone.
*/
if (attribute == NULL || attrvalues == NULL)
- goto cleanup;
+ goto cleanup;
/* reset the bit mask */
*mask = 0;
if ((entry=ldap_first_entry(ld, result)) != NULL) {
- /* read the attribute values */
- if ((values=ldap_get_values(ld, entry, attribute)) != NULL) {
- int i,j;
-
- /*
- * Compare the read attribute values with the attrvalues
- * array and set the appropriate bit mask.
- */
- for (j=0; attrvalues[j]; ++j) {
- for (i=0; values[i]; ++i) {
- if (strcasecmp(values[i], attrvalues[j]) == 0) {
- *mask |= (one<<j);
- break;
- }
- }
- }
- ldap_value_free(values);
- }
+ /* read the attribute values */
+ if ((values=ldap_get_values(ld, entry, attribute)) != NULL) {
+ int i,j;
+
+ /*
+ * Compare the read attribute values with the attrvalues
+ * array and set the appropriate bit mask.
+ */
+ for (j=0; attrvalues[j]; ++j) {
+ for (i=0; values[i]; ++i) {
+ if (strcasecmp(values[i], attrvalues[j]) == 0) {
+ *mask |= (one<<j);
+ break;
+ }
+ }
+ }
+ ldap_value_free(values);
+ }
}
cleanup:
*/
krb5_error_code
-updateAttribute (ld, dn, attribute, value)
- LDAP *ld;
- char *dn;
- char *attribute;
- char *value;
+updateAttribute(LDAP *ld, char *dn, char *attribute, char *value)
{
int st=0;
LDAPMod modAttr, *mods[2]={NULL};
* LDAP_TYPE_OR_VALUE_EXISTS is for multi-valued attribute
*/
if (st == LDAP_ALREADY_EXISTS || st == LDAP_TYPE_OR_VALUE_EXISTS)
- st = 0;
+ st = 0;
if (st != 0) {
- st = set_ldap_error (0, st, OP_MOD);
+ st = set_ldap_error (0, st, OP_MOD);
}
return st;
*/
krb5_error_code
-deleteAttribute (ld, dn, attribute, value)
- LDAP *ld;
- char *dn;
- char *attribute;
- char *value;
+deleteAttribute(LDAP *ld, char *dn, char *attribute, char *value)
{
krb5_error_code st=0;
LDAPMod modAttr, *mods[2]={NULL};
/* if either the attribute or the attribute value is missing return a success */
if (st == LDAP_NO_SUCH_ATTRIBUTE || st == LDAP_UNDEFINED_TYPE)
- st = 0;
+ st = 0;
if (st != 0) {
- st = set_ldap_error (0, st, OP_MOD);
+ st = set_ldap_error (0, st, OP_MOD);
}
return st;
*/
krb5_error_code
-disjoint_members(src, dest)
- char **src;
- char **dest;
+disjoint_members(char **src, char **dest)
{
int i=0, j=0, slen=0, dlen=0;
/* validate the input parameters */
if (src == NULL || dest == NULL)
- return 0;
+ return 0;
/* compute the first array length */
for (i=0;src[i]; ++i)
- ;
+ ;
/* return if the length is 0 */
if (i==0)
- return 0;
+ return 0;
/* index of the last element and also the length of the array */
slen = i-1;
/* compute the second array length */
for (i=0;dest[i]; ++i)
- ;
+ ;
/* return if the length is 0 */
if (i==0)
- return 0;
+ return 0;
/* index of the last element and also the length of the array */
dlen = i-1;
/* check for the similar elements and delete them from both the arrays */
for (i=0; src[i]; ++i) {
- for (j=0; dest[j]; ++j) {
-
- /* if the element are same */
- if (strcasecmp(src[i], dest[j]) == 0) {
- /*
- * If the matched element is in the middle, then copy
- * the last element to the matched index.
- */
- if (i != slen) {
- free (src[i]);
- src[i] = src[slen];
- src[slen] = NULL;
- } else {
- /*
- * If the matched element is the last, free it and
- * set it to NULL.
- */
- free (src[i]);
- src[i] = NULL;
- }
- /* reduce the array length by 1 */
- slen -= 1;
-
- /* repeat the same processing for the second array too */
- if (j != dlen) {
- free(dest[j]);
- dest[j] = dest[dlen];
- dest[dlen] = NULL;
- } else {
- free(dest[j]);
- dest[j] = NULL;
- }
- dlen -=1;
-
- /*
- * The source array is reduced by 1, so reduce the
- * index variable used for source array by 1. No need
- * to adjust the second array index variable as it is
- * reset while entering the inner loop.
- */
- i -= 1;
- break;
- }
- }
+ for (j=0; dest[j]; ++j) {
+
+ /* if the element are same */
+ if (strcasecmp(src[i], dest[j]) == 0) {
+ /*
+ * If the matched element is in the middle, then copy
+ * the last element to the matched index.
+ */
+ if (i != slen) {
+ free (src[i]);
+ src[i] = src[slen];
+ src[slen] = NULL;
+ } else {
+ /*
+ * If the matched element is the last, free it and
+ * set it to NULL.
+ */
+ free (src[i]);
+ src[i] = NULL;
+ }
+ /* reduce the array length by 1 */
+ slen -= 1;
+
+ /* repeat the same processing for the second array too */
+ if (j != dlen) {
+ free(dest[j]);
+ dest[j] = dest[dlen];
+ dest[dlen] = NULL;
+ } else {
+ free(dest[j]);
+ dest[j] = NULL;
+ }
+ dlen -=1;
+
+ /*
+ * The source array is reduced by 1, so reduce the
+ * index variable used for source array by 1. No need
+ * to adjust the second array index variable as it is
+ * reset while entering the inner loop.
+ */
+ i -= 1;
+ break;
+ }
+ }
}
return 0;
}
*/
krb5_error_code
-copy_arrays(src, dest, count)
- char **src;
- char ***dest;
- int count;
+copy_arrays(char **src, char ***dest, int count)
{
krb5_error_code st=0;
int i=0;
/* validate the input parameters */
if (src == NULL || dest == NULL)
- return 0;
+ return 0;
/* allocate memory for the dest array */
*dest = (char **) calloc((unsigned) count+1, sizeof(char *));
if (*dest == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
/* copy the members from src to dest array. */
for (i=0; i < count && src[i] != NULL; ++i) {
- (*dest)[i] = strdup(src[i]);
- if ((*dest)[i] == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
+ (*dest)[i] = strdup(src[i]);
+ if ((*dest)[i] == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
}
cleanup:
/* in case of error free up everything and return */
if (st != 0) {
- if (*dest != NULL) {
- for (i=0; (*dest)[i]; ++i) {
- free ((*dest)[i]);
- (*dest)[i] = NULL;
- }
- free (*dest);
- *dest = NULL;
- }
+ if (*dest != NULL) {
+ for (i=0; (*dest)[i]; ++i) {
+ free ((*dest)[i]);
+ (*dest)[i] = NULL;
+ }
+ free (*dest);
+ *dest = NULL;
+ }
}
return st;
}
static krb5_error_code
-getepochtime(strtime, epochtime)
- char *strtime;
- krb5_timestamp *epochtime;
+getepochtime(char *strtime, krb5_timestamp *epochtime)
{
struct tm tme;
memset(&tme, 0, sizeof(tme));
if (strptime(strtime,"%Y%m%d%H%M%SZ", &tme) == NULL) {
- *epochtime = 0;
- return EINVAL;
+ *epochtime = 0;
+ return EINVAL;
}
*epochtime = krb5int_gmt_mktime(&tme);
return 0;
*/
krb5_error_code
-krb5_ldap_get_value(ld, ent, attribute, retval)
- LDAP *ld;
- LDAPMessage *ent;
- char *attribute;
- int *retval;
+krb5_ldap_get_value(LDAP *ld, LDAPMessage *ent, char *attribute, int *retval)
{
char **values=NULL;
*retval = 0;
values=ldap_get_values(ld, ent, attribute);
if (values != NULL) {
- if (values[0] != NULL)
- *retval = atoi(values[0]);
- ldap_value_free(values);
- return 0;
+ if (values[0] != NULL)
+ *retval = atoi(values[0]);
+ ldap_value_free(values);
+ return 0;
}
return 1;
}
*
*/
krb5_error_code
-krb5_ldap_get_string(ld, ent, attribute, retstr, attr_present)
- LDAP *ld;
- LDAPMessage *ent;
- char *attribute;
- char **retstr;
- krb5_boolean *attr_present;
+krb5_ldap_get_string(LDAP *ld, LDAPMessage *ent, char *attribute,
+ char **retstr, krb5_boolean *attr_present)
{
char **values=NULL;
krb5_error_code st=0;
*retstr = NULL;
if (attr_present != NULL)
- *attr_present = FALSE;
+ *attr_present = FALSE;
values=ldap_get_values(ld, ent, attribute);
if (values != NULL) {
- if (values[0] != NULL) {
- if (attr_present!= NULL)
- *attr_present = TRUE;
- *retstr = strdup(values[0]);
- if (*retstr == NULL)
- st = ENOMEM;
- }
- ldap_value_free(values);
+ if (values[0] != NULL) {
+ if (attr_present!= NULL)
+ *attr_present = TRUE;
+ *retstr = strdup(values[0]);
+ if (*retstr == NULL)
+ st = ENOMEM;
+ }
+ ldap_value_free(values);
}
return st;
}
* of the attribute.
*/
krb5_error_code
-krb5_ldap_get_strings(ld, ent, attribute, retarr, attr_present)
- LDAP *ld;
- LDAPMessage *ent;
- char *attribute;
- char ***retarr;
- krb5_boolean *attr_present;
+krb5_ldap_get_strings(LDAP *ld, LDAPMessage *ent, char *attribute,
+ char ***retarr, krb5_boolean *attr_present)
{
char **values=NULL;
krb5_error_code st=0;
*retarr = NULL;
if (attr_present != NULL)
- *attr_present = FALSE;
+ *attr_present = FALSE;
values=ldap_get_values(ld, ent, attribute);
if (values != NULL) {
- if (attr_present != NULL)
- *attr_present = TRUE;
-
- count = ldap_count_values(values);
- *retarr = (char **) calloc(count+1, sizeof(char *));
- if (*retarr == NULL) {
- st = ENOMEM;
- return st;
- }
- for (i=0; i< count; ++i) {
- (*retarr)[i] = strdup(values[i]);
- if ((*retarr)[i] == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- }
- ldap_value_free(values);
+ if (attr_present != NULL)
+ *attr_present = TRUE;
+
+ count = ldap_count_values(values);
+ *retarr = (char **) calloc(count+1, sizeof(char *));
+ if (*retarr == NULL) {
+ st = ENOMEM;
+ return st;
+ }
+ for (i=0; i< count; ++i) {
+ (*retarr)[i] = strdup(values[i]);
+ if ((*retarr)[i] == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+ }
+ ldap_value_free(values);
}
cleanup:
if (st != 0) {
- if (*retarr != NULL) {
- for (i=0; i< count; ++i)
- if ((*retarr)[i] != NULL)
- free ((*retarr)[i]);
- free (*retarr);
- }
+ if (*retarr != NULL) {
+ for (i=0; i< count; ++i)
+ if ((*retarr)[i] != NULL)
+ free ((*retarr)[i]);
+ free (*retarr);
+ }
}
return st;
}
krb5_error_code
-krb5_ldap_get_time(ld, ent, attribute, rettime, attr_present)
- LDAP *ld;
- LDAPMessage *ent;
- char *attribute;
- krb5_timestamp *rettime;
- krb5_boolean *attr_present;
+krb5_ldap_get_time(LDAP *ld, LDAPMessage *ent, char *attribute,
+ krb5_timestamp *rettime, krb5_boolean *attr_present)
{
char **values=NULL;
krb5_error_code st=0;
values=ldap_get_values(ld, ent, attribute);
if (values != NULL) {
- if (values[0] != NULL) {
- *attr_present = TRUE;
- st = getepochtime(values[0], rettime);
- }
- ldap_value_free(values);
+ if (values[0] != NULL) {
+ *attr_present = TRUE;
+ st = getepochtime(values[0], rettime);
+ }
+ ldap_value_free(values);
}
return st;
}
*/
krb5_error_code
-krb5_add_member(mods, count)
- LDAPMod ***mods;
- int *count;
+krb5_add_member(LDAPMod ***mods, int *count)
{
int i=0;
LDAPMod **lmods=NULL;
if ((*mods) != NULL) {
- for (;(*mods)[i] != NULL; ++i)
- ;
+ for (;(*mods)[i] != NULL; ++i)
+ ;
}
lmods = (LDAPMod **) realloc((*mods), (2+i) * sizeof(LDAPMod *));
if (lmods == NULL)
- return ENOMEM;
+ return ENOMEM;
*mods = lmods;
(*mods)[i+1] = NULL;
(*mods)[i] = (LDAPMod *) calloc(1, sizeof (LDAPMod));
if ((*mods)[i] == NULL)
- return ENOMEM;
+ return ENOMEM;
*count = i;
return 0;
}
krb5_error_code
-krb5_add_str_mem_ldap_mod(mods, attribute, op, values)
- LDAPMod ***mods;
- char *attribute;
- int op;
- char **values;
-
+krb5_add_str_mem_ldap_mod(LDAPMod ***mods, char *attribute, int op,
+ char **values)
{
int i=0, j=0;
krb5_error_code st=0;
if ((st=krb5_add_member(mods, &i)) != 0)
- return st;
+ return st;
(*mods)[i]->mod_type = strdup(attribute);
if ((*mods)[i]->mod_type == NULL)
- return ENOMEM;
+ return ENOMEM;
(*mods)[i]->mod_op = op;
(*mods)[i]->mod_values = NULL;
if (values != NULL) {
- for (j=0; values[j] != NULL; ++j)
- ;
- (*mods)[i]->mod_values = malloc (sizeof(char *) * (j+1));
- if ((*mods)[i]->mod_values == NULL)
- return ENOMEM;
-
- for (j=0; values[j] != NULL; ++j) {
- (*mods)[i]->mod_values[j] = strdup(values[j]);
- if ((*mods)[i]->mod_values[j] == NULL)
- return ENOMEM;
- }
- (*mods)[i]->mod_values[j] = NULL;
+ for (j=0; values[j] != NULL; ++j)
+ ;
+ (*mods)[i]->mod_values = malloc (sizeof(char *) * (j+1));
+ if ((*mods)[i]->mod_values == NULL)
+ return ENOMEM;
+
+ for (j=0; values[j] != NULL; ++j) {
+ (*mods)[i]->mod_values[j] = strdup(values[j]);
+ if ((*mods)[i]->mod_values[j] == NULL)
+ return ENOMEM;
+ }
+ (*mods)[i]->mod_values[j] = NULL;
}
return 0;
}
krb5_error_code
-krb5_add_ber_mem_ldap_mod(mods, attribute, op, ber_values)
- LDAPMod ***mods;
- char *attribute;
- int op;
- struct berval **ber_values;
-
+krb5_add_ber_mem_ldap_mod(LDAPMod ***mods, char *attribute, int op,
+ struct berval **ber_values)
{
int i=0, j=0;
krb5_error_code st=0;
if ((st=krb5_add_member(mods, &i)) != 0)
- return st;
+ return st;
(*mods)[i]->mod_type = strdup(attribute);
if ((*mods)[i]->mod_type == NULL)
- return ENOMEM;
+ return ENOMEM;
(*mods)[i]->mod_op = op;
for (j=0; ber_values[j] != NULL; ++j)
- ;
+ ;
(*mods)[i]->mod_bvalues = malloc (sizeof(struct berval *) * (j+1));
if ((*mods)[i]->mod_bvalues == NULL)
- return ENOMEM;
+ return ENOMEM;
for (j=0; ber_values[j] != NULL; ++j) {
- (*mods)[i]->mod_bvalues[j] = calloc(1, sizeof(struct berval));
- if ((*mods)[i]->mod_bvalues[j] == NULL)
- return ENOMEM;
+ (*mods)[i]->mod_bvalues[j] = calloc(1, sizeof(struct berval));
+ if ((*mods)[i]->mod_bvalues[j] == NULL)
+ return ENOMEM;
- (*mods)[i]->mod_bvalues[j]->bv_len = ber_values[j]->bv_len;
- (*mods)[i]->mod_bvalues[j]->bv_val = malloc((*mods)[i]->mod_bvalues[j]->bv_len);
- if ((*mods)[i]->mod_bvalues[j]->bv_val == NULL)
- return ENOMEM;
+ (*mods)[i]->mod_bvalues[j]->bv_len = ber_values[j]->bv_len;
+ (*mods)[i]->mod_bvalues[j]->bv_val = malloc((*mods)[i]->mod_bvalues[j]->bv_len);
+ if ((*mods)[i]->mod_bvalues[j]->bv_val == NULL)
+ return ENOMEM;
- memcpy((*mods)[i]->mod_bvalues[j]->bv_val, ber_values[j]->bv_val,
- ber_values[j]->bv_len);
+ memcpy((*mods)[i]->mod_bvalues[j]->bv_val, ber_values[j]->bv_val,
+ ber_values[j]->bv_len);
}
(*mods)[i]->mod_bvalues[j] = NULL;
return 0;
}
krb5_error_code
-krb5_add_int_arr_mem_ldap_mod(mods, attribute, op, value)
- LDAPMod ***mods;
- char *attribute;
- int op;
- int *value;
-
+krb5_add_int_arr_mem_ldap_mod(LDAPMod ***mods, char *attribute, int op,
+ int *value)
{
int i=0, j=0;
krb5_error_code st=0;
if ((st=krb5_add_member(mods, &i)) != 0)
- return st;
+ return st;
(*mods)[i]->mod_type = strdup(attribute);
if ((*mods)[i]->mod_type == NULL)
- return ENOMEM;
+ return ENOMEM;
(*mods)[i]->mod_op = op;
for (j=0; value[j] != -1; ++j)
- ;
+ ;
(*mods)[i]->mod_values = malloc(sizeof(char *) * (j+1));
for (j=0; value[j] != -1; ++j) {
- if (((*mods)[i]->mod_values[j] = format_d(value[j])) == NULL)
- return ENOMEM;
+ if (((*mods)[i]->mod_values[j] = format_d(value[j])) == NULL)
+ return ENOMEM;
}
(*mods)[i]->mod_values[j] = NULL;
return 0;
}
krb5_error_code
-krb5_add_int_mem_ldap_mod(mods, attribute, op, value)
- LDAPMod ***mods;
- char *attribute;
- int op;
- int value;
-
+krb5_add_int_mem_ldap_mod(LDAPMod ***mods, char *attribute, int op, int value)
{
int i=0;
krb5_error_code st=0;
if ((st=krb5_add_member(mods, &i)) != 0)
- return st;
+ return st;
(*mods)[i]->mod_type = strdup(attribute);
if ((*mods)[i]->mod_type == NULL)
- return ENOMEM;
+ return ENOMEM;
(*mods)[i]->mod_op = op;
(*mods)[i]->mod_values = calloc (2, sizeof(char *));
if (((*mods)[i]->mod_values[0] = format_d(value)) == NULL)
- return ENOMEM;
+ return ENOMEM;
return 0;
}
* are a limited number of LDAP handles.
*/
krb5_error_code
-krb5_ldap_get_reference_count (krb5_context context, char *dn, char *refattr,
- int *count, LDAP *ld)
+krb5_ldap_get_reference_count(krb5_context context, char *dn, char *refattr,
+ int *count, LDAP *ld)
{
int st = 0, tempst = 0, gothandle = 0;
- unsigned int i, ntrees;
+ unsigned int i, ntrees;
char *refcntattr[2];
char *filter = NULL;
char **subtree = NULL, *ptr = NULL;
if (dn == NULL || refattr == NULL) {
- st = EINVAL;
- goto cleanup;
+ st = EINVAL;
+ goto cleanup;
}
SETUP_CONTEXT();
if (ld == NULL) {
- GET_HANDLE();
- gothandle = 1;
+ GET_HANDLE();
+ gothandle = 1;
}
refcntattr [0] = refattr;
ptr = ldap_filter_correct (dn);
if (ptr == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
if (asprintf (&filter, "%s=%s", refattr, ptr) < 0) {
- filter = NULL;
- st = ENOMEM;
- goto cleanup;
+ filter = NULL;
+ st = ENOMEM;
+ goto cleanup;
}
if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
- goto cleanup;
+ goto cleanup;
for (i = 0, *count = 0; i < ntrees; i++) {
- int n;
-
- LDAP_SEARCH(subtree[i],
- LDAP_SCOPE_SUBTREE,
- filter,
- refcntattr);
- n = ldap_count_entries (ld, result);
- if (n == -1) {
- int ret, errcode = 0;
- ret = ldap_parse_result (ld, result, &errcode, NULL, NULL, NULL, NULL, 0);
- if (ret != LDAP_SUCCESS)
- errcode = ret;
- st = translate_ldap_error (errcode, OP_SEARCH);
- goto cleanup;
- }
+ int n;
+
+ LDAP_SEARCH(subtree[i],
+ LDAP_SCOPE_SUBTREE,
+ filter,
+ refcntattr);
+ n = ldap_count_entries (ld, result);
+ if (n == -1) {
+ int ret, errcode = 0;
+ ret = ldap_parse_result (ld, result, &errcode, NULL, NULL, NULL, NULL, 0);
+ if (ret != LDAP_SUCCESS)
+ errcode = ret;
+ st = translate_ldap_error (errcode, OP_SEARCH);
+ goto cleanup;
+ }
- ldap_msgfree(result);
- result = NULL;
+ ldap_msgfree(result);
+ result = NULL;
- *count += n;
+ *count += n;
}
cleanup:
if (filter != NULL)
- free (filter);
+ free (filter);
if (result != NULL)
- ldap_msgfree (result);
+ ldap_msgfree (result);
if (subtree != NULL) {
- for (i = 0; i < ntrees; i++)
- free (subtree[i]);
- free (subtree);
+ for (i = 0; i < ntrees; i++)
+ free (subtree[i]);
+ free (subtree);
}
if (ptr != NULL)
- free (ptr);
+ free (ptr);
if (gothandle == 1)
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
+ krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
* For now, policy objects are expected to be directly under the realm
* container.
*/
-krb5_error_code krb5_ldap_policydn_to_name (context, policy_dn, name)
- krb5_context context;
- char *policy_dn;
- char **name;
+krb5_error_code
+krb5_ldap_policydn_to_name(krb5_context context, char *policy_dn, char **name)
{
int len1, len2;
krb5_error_code st = 0;
SETUP_CONTEXT();
if (ldap_context->lrparams->realmdn == NULL) {
- st = EINVAL;
- goto cleanup;
+ st = EINVAL;
+ goto cleanup;
}
len1 = strlen (ldap_context->lrparams->realmdn);
len2 = strlen (policy_dn);
if (len1 == 0 || len2 == 0 || len1 > len2) {
- st = EINVAL;
- goto cleanup;
+ st = EINVAL;
+ goto cleanup;
}
if (strcmp (ldap_context->lrparams->realmdn, policy_dn + (len2 - len1)) != 0) {
- st = EINVAL;
- goto cleanup;
+ st = EINVAL;
+ goto cleanup;
}
#if defined HAVE_LDAP_STR2DN
{
- char *rdn;
- LDAPDN dn;
- rdn = strndup(policy_dn, len2 - len1 - 1); /* 1 character for ',' */
-
- if (ldap_str2dn (rdn, &dn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PEDANTIC) != 0) {
- st = EINVAL;
- goto cleanup;
- }
- if (dn[0] == NULL || dn[1] != NULL)
- st = EINVAL;
- else if (strcasecmp (dn[0][0]->la_attr.bv_val, "cn") != 0)
- st = EINVAL;
- else {
- *name = strndup(dn[0][0]->la_value.bv_val, dn[0][0]->la_value.bv_len);
- if (*name == NULL)
- st = EINVAL;
- }
-
- ldap_memfree (dn);
+ char *rdn;
+ LDAPDN dn;
+ rdn = strndup(policy_dn, len2 - len1 - 1); /* 1 character for ',' */
+
+ if (ldap_str2dn (rdn, &dn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PEDANTIC) != 0) {
+ st = EINVAL;
+ goto cleanup;
+ }
+ if (dn[0] == NULL || dn[1] != NULL)
+ st = EINVAL;
+ else if (strcasecmp (dn[0][0]->la_attr.bv_val, "cn") != 0)
+ st = EINVAL;
+ else {
+ *name = strndup(dn[0][0]->la_value.bv_val, dn[0][0]->la_value.bv_len);
+ if (*name == NULL)
+ st = EINVAL;
+ }
+
+ ldap_memfree (dn);
}
#elif defined HAVE_LDAP_EXPLODE_DN
{
- char **parsed_dn;
-
- /* 1 = return DN components without type prefix */
- parsed_dn = ldap_explode_dn(policy_dn, 1);
- if (parsed_dn == NULL) {
- st = EINVAL;
- } else {
- *name = strdup(parsed_dn[0]);
- if (*name == NULL)
- st = EINVAL;
-
- ldap_value_free(parsed_dn);
- }
+ char **parsed_dn;
+
+ /* 1 = return DN components without type prefix */
+ parsed_dn = ldap_explode_dn(policy_dn, 1);
+ if (parsed_dn == NULL) {
+ st = EINVAL;
+ } else {
+ *name = strdup(parsed_dn[0]);
+ if (*name == NULL)
+ st = EINVAL;
+
+ ldap_value_free(parsed_dn);
+ }
}
#else
st = EINVAL;
return st;
}
-krb5_error_code krb5_ldap_name_to_policydn (context, name, policy_dn)
- krb5_context context;
- char *name;
- char **policy_dn;
+krb5_error_code
+krb5_ldap_name_to_policydn(krb5_context context, char *name, char **policy_dn)
{
int len;
char *ptr = NULL;
/* validate the input parameters */
if (name == NULL) {
- st = EINVAL;
- goto cleanup;
+ st = EINVAL;
+ goto cleanup;
}
/* Used for removing policy reference from an object */
if (name[0] == '\0') {
- if ((*policy_dn = strdup ("")) == NULL)
- st = ENOMEM;
- goto cleanup;
+ if ((*policy_dn = strdup ("")) == NULL)
+ st = ENOMEM;
+ goto cleanup;
}
SETUP_CONTEXT();
if (ldap_context->lrparams->realmdn == NULL) {
- st = EINVAL;
- goto cleanup;
+ st = EINVAL;
+ goto cleanup;
}
len = strlen (ldap_context->lrparams->realmdn);
ptr = ldap_filter_correct (name);
if (ptr == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
len += strlen (ptr);
*policy_dn = (char *) malloc (len);
if (*policy_dn == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
sprintf (*policy_dn, "cn=%s,%s", ptr, ldap_context->lrparams->realmdn);
cleanup:
if (ptr != NULL)
- free (ptr);
+ free (ptr);
return st;
}
/* remove overlapping and repeated subtree entries from the list of subtrees */
static krb5_error_code
-remove_overlapping_subtrees(char **listin, char **listop, int *subtcount, int sscope)
+remove_overlapping_subtrees(char **listin, char **listop, int *subtcount,
+ int sscope)
{
int slen=0, k=0, j=0, lendiff=0;
int count = *subtcount;
slen = count-1;
for (k=0; k<=slen && listin[k]!=NULL ; k++) {
- for (j=k+1; j<=slen && listin[j]!=NULL ;j++) {
- lendiff = strlen(listin[k]) - strlen(listin[j]);
- if (sscope == 2) {
- if ((lendiff > 0) && (strcasecmp((listin[k])+lendiff, listin[j])==0)) {
- if (k != slen) {
- free(listin[k]);
- listin[k] = listin[slen];
- listin[slen] = NULL;
- } else {
- free(listin[k]);
- listin[k] = NULL;
- }
- slen-=1;
- k-=1;
- break;
- } else if ((lendiff < 0) && (strcasecmp((listin[j])+abs(lendiff), listin[k])==0)) {
- if (j != slen) {
- free(listin[j]);
- listin[j] = listin[slen];
- listin[slen]=NULL;
- } else {
- free(listin[j]);
- listin[j] = NULL;
- }
- slen-=1;
- j-=1;
- }
- }
- if ((lendiff == 0) && (strcasecmp(listin[j], listin[k])==0)) {
- if (j != slen) {
- free(listin[j]);
- listin[j] = listin[slen];
- listin[slen]=NULL;
- } else {
- free(listin[j]);
- listin[j] = NULL;
- }
- slen -=1;
- j-=1;
- }
- }
+ for (j=k+1; j<=slen && listin[j]!=NULL ;j++) {
+ lendiff = strlen(listin[k]) - strlen(listin[j]);
+ if (sscope == 2) {
+ if ((lendiff > 0) && (strcasecmp((listin[k])+lendiff, listin[j])==0)) {
+ if (k != slen) {
+ free(listin[k]);
+ listin[k] = listin[slen];
+ listin[slen] = NULL;
+ } else {
+ free(listin[k]);
+ listin[k] = NULL;
+ }
+ slen-=1;
+ k-=1;
+ break;
+ } else if ((lendiff < 0) && (strcasecmp((listin[j])+abs(lendiff), listin[k])==0)) {
+ if (j != slen) {
+ free(listin[j]);
+ listin[j] = listin[slen];
+ listin[slen]=NULL;
+ } else {
+ free(listin[j]);
+ listin[j] = NULL;
+ }
+ slen-=1;
+ j-=1;
+ }
+ }
+ if ((lendiff == 0) && (strcasecmp(listin[j], listin[k])==0)) {
+ if (j != slen) {
+ free(listin[j]);
+ listin[j] = listin[slen];
+ listin[slen]=NULL;
+ } else {
+ free(listin[j]);
+ listin[j] = NULL;
+ }
+ slen -=1;
+ j-=1;
+ }
+ }
}
*subtcount=slen+1;
for (k=0; k<*subtcount && listin[k]!=NULL; k++) {
- subtree[k] = strdup(listin[k]);
- if (subtree[k] == NULL) {
- return ENOMEM;
- }
+ subtree[k] = strdup(listin[k]);
+ if (subtree[k] == NULL) {
+ return ENOMEM;
+ }
}
return 0;
}
* the results of a principal search of the directory.
*/
krb5_error_code
-populate_krb5_db_entry (krb5_context context,
- krb5_ldap_context *ldap_context,
- LDAP *ld,
- LDAPMessage *ent,
- krb5_const_principal princ,
- krb5_db_entry *entry)
+populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
+ LDAP *ld, LDAPMessage *ent, krb5_const_principal princ,
+ krb5_db_entry *entry)
{
krb5_error_code st = 0;
unsigned int mask = 0;
char *DN = NULL;
if (princ == NULL) {
- /* XXX WAF probably should just extract princ from ldap result */
- st = EINVAL;
- goto cleanup;
+ /* XXX WAF probably should just extract princ from ldap result */
+ st = EINVAL;
+ goto cleanup;
} else {
- if ((st=krb5_copy_principal(context, princ, &(entry->princ))) != 0)
- goto cleanup;
+ if ((st=krb5_copy_principal(context, princ, &(entry->princ))) != 0)
+ goto cleanup;
}
/* get the associated directory user information */
if ((values = ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
- int i, pcount=0, kerberos_principal_object_type=0;
- char *user;
-
- if ((st=krb5_unparse_name(context, princ, &user)) != 0)
- goto cleanup;
-
- for (i=0; values[i] != NULL; ++i) {
- if (strcasecmp(values[i], user) == 0) {
- pcount = ldap_count_values(values);
- break;
- }
- }
- ldap_value_free(values);
- free(user);
-
- if ((DN = ldap_get_dn(ld, ent)) == NULL) {
- ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &st);
- st = set_ldap_error(context, st, 0);
- goto cleanup;
- }
-
- if ((values=ldap_get_values(ld, ent, "objectclass")) != NULL) {
- for (i=0; values[i] != NULL; ++i)
- if (strcasecmp(values[i], "krbprincipal") == 0) {
- kerberos_principal_object_type = KDB_STANDALONE_PRINCIPAL_OBJECT;
- if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCTYPE,
- &kerberos_principal_object_type)) != 0)
- goto cleanup;
- break;
- }
- ldap_value_free(values);
- }
-
- /* add principalcount, DN and principaltype user information to tl_data */
- if (((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCCOUNT, &pcount)) != 0) ||
- ((st=store_tl_data(&userinfo_tl_data, KDB_TL_USERDN, DN)) != 0))
- goto cleanup;
+ int i, pcount=0, kerberos_principal_object_type=0;
+ char *user;
+
+ if ((st=krb5_unparse_name(context, princ, &user)) != 0)
+ goto cleanup;
+
+ for (i=0; values[i] != NULL; ++i) {
+ if (strcasecmp(values[i], user) == 0) {
+ pcount = ldap_count_values(values);
+ break;
+ }
+ }
+ ldap_value_free(values);
+ free(user);
+
+ if ((DN = ldap_get_dn(ld, ent)) == NULL) {
+ ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &st);
+ st = set_ldap_error(context, st, 0);
+ goto cleanup;
+ }
+
+ if ((values=ldap_get_values(ld, ent, "objectclass")) != NULL) {
+ for (i=0; values[i] != NULL; ++i)
+ if (strcasecmp(values[i], "krbprincipal") == 0) {
+ kerberos_principal_object_type = KDB_STANDALONE_PRINCIPAL_OBJECT;
+ if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCTYPE,
+ &kerberos_principal_object_type)) != 0)
+ goto cleanup;
+ break;
+ }
+ ldap_value_free(values);
+ }
+
+ /* add principalcount, DN and principaltype user information to tl_data */
+ if (((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCCOUNT, &pcount)) != 0) ||
+ ((st=store_tl_data(&userinfo_tl_data, KDB_TL_USERDN, DN)) != 0))
+ goto cleanup;
}
/* read all the kerberos attributes */
/* KRBLASTSUCCESSFULAUTH */
if ((st=krb5_ldap_get_time(ld, ent, "krbLastSuccessfulAuth",
- &(entry->last_success), &attr_present)) != 0)
- goto cleanup;
+ &(entry->last_success), &attr_present)) != 0)
+ goto cleanup;
if (attr_present == TRUE)
- mask |= KDB_LAST_SUCCESS_ATTR;
+ mask |= KDB_LAST_SUCCESS_ATTR;
/* KRBLASTFAILEDAUTH */
if ((st=krb5_ldap_get_time(ld, ent, "krbLastFailedAuth",
- &(entry->last_failed), &attr_present)) != 0)
- goto cleanup;
+ &(entry->last_failed), &attr_present)) != 0)
+ goto cleanup;
if (attr_present == TRUE)
- mask |= KDB_LAST_FAILED_ATTR;
+ mask |= KDB_LAST_FAILED_ATTR;
/* KRBLOGINFAILEDCOUNT */
if (krb5_ldap_get_value(ld, ent, "krbLoginFailedCount",
- &(entry->fail_auth_count)) == 0)
- mask |= KDB_FAIL_AUTH_COUNT_ATTR;
+ &(entry->fail_auth_count)) == 0)
+ mask |= KDB_FAIL_AUTH_COUNT_ATTR;
/* KRBMAXTICKETLIFE */
if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", &(entry->max_life)) == 0)
- mask |= KDB_MAX_LIFE_ATTR;
+ mask |= KDB_MAX_LIFE_ATTR;
/* KRBMAXRENEWABLEAGE */
if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage",
- &(entry->max_renewable_life)) == 0)
- mask |= KDB_MAX_RLIFE_ATTR;
+ &(entry->max_renewable_life)) == 0)
+ mask |= KDB_MAX_RLIFE_ATTR;
/* KRBTICKETFLAGS */
if (krb5_ldap_get_value(ld, ent, "krbticketflags", &(entry->attributes)) == 0)
- mask |= KDB_TKT_FLAGS_ATTR;
+ mask |= KDB_TKT_FLAGS_ATTR;
/* PRINCIPAL EXPIRATION TIME */
if ((st=krb5_ldap_get_time(ld, ent, "krbprincipalexpiration", &(entry->expiration),
- &attr_present)) != 0)
- goto cleanup;
+ &attr_present)) != 0)
+ goto cleanup;
if (attr_present == TRUE)
- mask |= KDB_PRINC_EXPIRE_TIME_ATTR;
+ mask |= KDB_PRINC_EXPIRE_TIME_ATTR;
/* PASSWORD EXPIRATION TIME */
if ((st=krb5_ldap_get_time(ld, ent, "krbpasswordexpiration", &(entry->pw_expiration),
- &attr_present)) != 0)
- goto cleanup;
+ &attr_present)) != 0)
+ goto cleanup;
if (attr_present == TRUE)
- mask |= KDB_PWD_EXPIRE_TIME_ATTR;
+ mask |= KDB_PWD_EXPIRE_TIME_ATTR;
/* KRBPOLICYREFERENCE */
if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference", &policydn,
- &attr_present)) != 0)
- goto cleanup;
+ &attr_present)) != 0)
+ goto cleanup;
if (attr_present == TRUE) {
- mask |= KDB_POL_REF_ATTR;
- /* Ensure that the policy is inside the realm container */
- if ((st = krb5_ldap_policydn_to_name (context, policydn, &tktpolname)) != 0)
- goto cleanup;
+ mask |= KDB_POL_REF_ATTR;
+ /* Ensure that the policy is inside the realm container */
+ if ((st = krb5_ldap_policydn_to_name (context, policydn, &tktpolname)) != 0)
+ goto cleanup;
}
/* KRBPWDPOLICYREFERENCE */
if ((st=krb5_ldap_get_string(ld, ent, "krbpwdpolicyreference", &pwdpolicydn,
- &attr_present)) != 0)
- goto cleanup;
+ &attr_present)) != 0)
+ goto cleanup;
if (attr_present == TRUE) {
- krb5_tl_data kadm_tl_data;
+ krb5_tl_data kadm_tl_data;
- mask |= KDB_PWD_POL_REF_ATTR;
+ mask |= KDB_PWD_POL_REF_ATTR;
- /* Ensure that the policy is inside the realm container */
- if ((st = krb5_ldap_policydn_to_name (context, pwdpolicydn, &polname)) != 0)
- goto cleanup;
+ /* Ensure that the policy is inside the realm container */
+ if ((st = krb5_ldap_policydn_to_name (context, pwdpolicydn, &polname)) != 0)
+ goto cleanup;
- if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data)) != 0) {
- goto cleanup;
- }
- krb5_dbe_update_tl_data(context, entry, &kadm_tl_data);
+ if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data)) != 0) {
+ goto cleanup;
+ }
+ krb5_dbe_update_tl_data(context, entry, &kadm_tl_data);
}
/* KRBSECRETKEY */
if ((bvalues=ldap_get_values_len(ld, ent, "krbprincipalkey")) != NULL) {
krb5_kvno mkvno = 0;
- mask |= KDB_SECRET_KEY_ATTR;
- if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data, &mkvno)) != 0)
- goto cleanup;
+ mask |= KDB_SECRET_KEY_ATTR;
+ if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data, &mkvno)) != 0)
+ goto cleanup;
if (mkvno != 0) {
/* don't add the tl data if mkvno == 0 */
if ((st=krb5_dbe_update_mkvno(context, entry, mkvno)) != 0)
/* LAST PASSWORD CHANGE */
{
- krb5_timestamp lstpwdchng=0;
- if ((st=krb5_ldap_get_time(ld, ent, "krbLastPwdChange",
- &lstpwdchng, &attr_present)) != 0)
- goto cleanup;
- if (attr_present == TRUE) {
- if ((st=krb5_dbe_update_last_pwd_change(context, entry,
- lstpwdchng)))
- goto cleanup;
- mask |= KDB_LAST_PWD_CHANGE_ATTR;
- }
+ krb5_timestamp lstpwdchng=0;
+ if ((st=krb5_ldap_get_time(ld, ent, "krbLastPwdChange",
+ &lstpwdchng, &attr_present)) != 0)
+ goto cleanup;
+ if (attr_present == TRUE) {
+ if ((st=krb5_dbe_update_last_pwd_change(context, entry,
+ lstpwdchng)))
+ goto cleanup;
+ mask |= KDB_LAST_PWD_CHANGE_ATTR;
+ }
}
/* ALLOWED TO DELEGATE TO */
{
- char **a2d2 = NULL;
- int i;
- krb5_tl_data **tlp;
-
- st = krb5_ldap_get_strings(ld, ent, "krbAllowedToDelegateTo",
- &a2d2, &attr_present);
- if (st != 0)
- goto cleanup;
-
- if (attr_present == TRUE) {
- for (tlp = &entry->tl_data; *tlp; tlp = &(*tlp)->tl_data_next)
- ;
- for (i = 0; a2d2[i] != NULL; i++) {
- krb5_tl_data *tl = k5alloc(sizeof(*tl), &st);
- if (st != 0) {
- ldap_value_free(a2d2);
- goto cleanup;
- }
- tl->tl_data_type = KRB5_TL_CONSTRAINED_DELEGATION_ACL;
- tl->tl_data_length = strlen(a2d2[i]);
- tl->tl_data_contents = (krb5_octet *)strdup(a2d2[i]);
- if (tl->tl_data_contents == NULL) {
- st = ENOMEM;
- ldap_value_free(a2d2);
- free(tl);
- goto cleanup;
- }
- tl->tl_data_next = NULL;
- *tlp = tl;
- tlp = &tl->tl_data_next;
- }
- ldap_value_free(a2d2);
- }
+ char **a2d2 = NULL;
+ int i;
+ krb5_tl_data **tlp;
+
+ st = krb5_ldap_get_strings(ld, ent, "krbAllowedToDelegateTo",
+ &a2d2, &attr_present);
+ if (st != 0)
+ goto cleanup;
+
+ if (attr_present == TRUE) {
+ for (tlp = &entry->tl_data; *tlp; tlp = &(*tlp)->tl_data_next)
+ ;
+ for (i = 0; a2d2[i] != NULL; i++) {
+ krb5_tl_data *tl = k5alloc(sizeof(*tl), &st);
+ if (st != 0) {
+ ldap_value_free(a2d2);
+ goto cleanup;
+ }
+ tl->tl_data_type = KRB5_TL_CONSTRAINED_DELEGATION_ACL;
+ tl->tl_data_length = strlen(a2d2[i]);
+ tl->tl_data_contents = (krb5_octet *)strdup(a2d2[i]);
+ if (tl->tl_data_contents == NULL) {
+ st = ENOMEM;
+ ldap_value_free(a2d2);
+ free(tl);
+ goto cleanup;
+ }
+ tl->tl_data_next = NULL;
+ *tlp = tl;
+ tlp = &tl->tl_data_next;
+ }
+ ldap_value_free(a2d2);
+ }
}
/* KRBOBJECTREFERENCES */
{
- int i=0;
-
- if ((st = krb5_ldap_get_strings(ld, ent, "krbobjectreferences",
- &link_references, &attr_present)) != 0)
- goto cleanup;
- if (link_references != NULL) {
- for (i=0; link_references[i] != NULL; ++i) {
- if ((st = store_tl_data(&userinfo_tl_data, KDB_TL_LINKDN,
- link_references[i])) != 0)
- goto cleanup;
- }
- }
+ int i=0;
+
+ if ((st = krb5_ldap_get_strings(ld, ent, "krbobjectreferences",
+ &link_references, &attr_present)) != 0)
+ goto cleanup;
+ if (link_references != NULL) {
+ for (i=0; link_references[i] != NULL; ++i) {
+ if ((st = store_tl_data(&userinfo_tl_data, KDB_TL_LINKDN,
+ link_references[i])) != 0)
+ goto cleanup;
+ }
+ }
}
/* Set tl_data */
{
- int i;
- struct berval **ber_tl_data = NULL;
- krb5_tl_data *ptr = NULL;
-
- if ((ber_tl_data = ldap_get_values_len (ld, ent, "krbExtraData")) != NULL) {
- for (i = 0; ber_tl_data[i] != NULL; i++) {
- if ((st = berval2tl_data (ber_tl_data[i] , &ptr)) != 0)
- break;
- if ((st = krb5_dbe_update_tl_data(context, entry, ptr)) != 0)
- break;
- }
- ldap_value_free_len (ber_tl_data);
- if (st != 0)
- goto cleanup;
- mask |= KDB_EXTRA_DATA_ATTR;
- }
+ int i;
+ struct berval **ber_tl_data = NULL;
+ krb5_tl_data *ptr = NULL;
+
+ if ((ber_tl_data = ldap_get_values_len (ld, ent, "krbExtraData")) != NULL) {
+ for (i = 0; ber_tl_data[i] != NULL; i++) {
+ if ((st = berval2tl_data (ber_tl_data[i] , &ptr)) != 0)
+ break;
+ if ((st = krb5_dbe_update_tl_data(context, entry, ptr)) != 0)
+ break;
+ }
+ ldap_value_free_len (ber_tl_data);
+ if (st != 0)
+ goto cleanup;
+ mask |= KDB_EXTRA_DATA_ATTR;
+ }
}
/* update the mask of attributes present on the directory object to the tl_data */
if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_MASK, &mask)) != 0)
- goto cleanup;
+ goto cleanup;
if ((st=krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data)) != 0)
- goto cleanup;
+ goto cleanup;
#ifdef HAVE_EDIRECTORY
{
- krb5_timestamp expiretime=0;
- char *is_login_disabled=NULL;
-
- /* LOGIN EXPIRATION TIME */
- if ((st=krb5_ldap_get_time(ld, ent, "loginexpirationtime", &expiretime,
- &attr_present)) != 0)
- goto cleanup;
-
- if (attr_present == TRUE) {
- if ((mask & KDB_PRINC_EXPIRE_TIME_ATTR) == 1) {
- if (expiretime < entry->expiration)
- entry->expiration = expiretime;
- } else {
- entry->expiration = expiretime;
- }
- }
-
- /* LOGIN DISABLED */
- if ((st=krb5_ldap_get_string(ld, ent, "logindisabled", &is_login_disabled,
- &attr_present)) != 0)
- goto cleanup;
- if (attr_present == TRUE) {
- if (strcasecmp(is_login_disabled, "TRUE")== 0)
- entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
- free (is_login_disabled);
- }
+ krb5_timestamp expiretime=0;
+ char *is_login_disabled=NULL;
+
+ /* LOGIN EXPIRATION TIME */
+ if ((st=krb5_ldap_get_time(ld, ent, "loginexpirationtime", &expiretime,
+ &attr_present)) != 0)
+ goto cleanup;
+
+ if (attr_present == TRUE) {
+ if ((mask & KDB_PRINC_EXPIRE_TIME_ATTR) == 1) {
+ if (expiretime < entry->expiration)
+ entry->expiration = expiretime;
+ } else {
+ entry->expiration = expiretime;
+ }
+ }
+
+ /* LOGIN DISABLED */
+ if ((st=krb5_ldap_get_string(ld, ent, "logindisabled", &is_login_disabled,
+ &attr_present)) != 0)
+ goto cleanup;
+ if (attr_present == TRUE) {
+ if (strcasecmp(is_login_disabled, "TRUE")== 0)
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ free (is_login_disabled);
+ }
}
#endif
if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
- goto cleanup;
+ goto cleanup;
/* We already know that the policy is inside the realm container. */
if (polname) {
- osa_policy_ent_t pwdpol;
- int cnt=0;
- krb5_timestamp last_pw_changed;
- krb5_ui_4 pw_max_life;
+ osa_policy_ent_t pwdpol;
+ int cnt=0;
+ krb5_timestamp last_pw_changed;
+ krb5_ui_4 pw_max_life;
- memset(&pwdpol, 0, sizeof(pwdpol));
+ memset(&pwdpol, 0, sizeof(pwdpol));
- if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0)
- goto cleanup;
- pw_max_life = pwdpol->pw_max_life;
- free (pwdpol);
+ if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0)
+ goto cleanup;
+ pw_max_life = pwdpol->pw_max_life;
+ free (pwdpol);
- if (pw_max_life > 0) {
- if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
- goto cleanup;
+ if (pw_max_life > 0) {
+ if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
+ goto cleanup;
- if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
- if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
- entry->pw_expiration = last_pw_changed + pw_max_life;
- } else
- entry->pw_expiration = last_pw_changed + pw_max_life;
- }
+ if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
+ if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
+ entry->pw_expiration = last_pw_changed + pw_max_life;
+ } else
+ entry->pw_expiration = last_pw_changed + pw_max_life;
+ }
}
/* XXX so krb5_encode_princ_contents() will be happy */
entry->len = KRB5_KDB_V1_BASE_LENGTH;
cleanup:
if (DN != NULL)
- ldap_memfree(DN);
+ ldap_memfree(DN);
if (userinfo_tl_data.tl_data_contents != NULL)
- free(userinfo_tl_data.tl_data_contents);
+ free(userinfo_tl_data.tl_data_contents);
if (pwdpolicydn != NULL)
- free(pwdpolicydn);
+ free(pwdpolicydn);
if (polname != NULL)
- free(polname);
+ free(polname);
if (tktpolname != NULL)
- free (tktpolname);
+ free (tktpolname);
if (policydn != NULL)
- free(policydn);
+ free(policydn);
if (link_references) {
int i;
#endif
if (rc == 0) {
- ld = ldap_init(ludp->lud_host, ludp->lud_port);
- if (ld != NULL) {
- *ldp = ld;
+ ld = ldap_init(ludp->lud_host, ludp->lud_port);
+ if (ld != NULL) {
+ *ldp = ld;
#if 0
- printf("lud_host %s lud_port %d\n", ludp->lud_host,
- ludp->lud_port);
+ printf("lud_host %s lud_port %d\n", ludp->lud_host,
+ ludp->lud_port);
#endif
- }
- else
- rc = KRB5_KDB_ACCESS_ERROR;
+ }
+ else
+ rc = KRB5_KDB_ACCESS_ERROR;
- ldap_free_urldesc(ludp);
+ ldap_free_urldesc(ludp);
}
return rc;
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_misc.h
*
krb5_error_code
populate_krb5_db_entry(krb5_context context,
- krb5_ldap_context *ldap_context,
- LDAP *ld,
- LDAPMessage *ent,
- krb5_const_principal princ,
- krb5_db_entry *entry);
+ krb5_ldap_context *ldap_context,
+ LDAP *ld,
+ LDAPMessage *ent,
+ krb5_const_principal princ,
+ krb5_db_entry *entry);
int kldap_ensure_initialized (void);
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_principal.c
*
struct timeval timelimit = {300, 0}; /* 5 minutes */
char *principal_attributes[] = { "krbprincipalname",
- "krbcanonicalname",
- "objectclass",
- "krbprincipalkey",
- "krbmaxrenewableage",
- "krbmaxticketlife",
- "krbticketflags",
- "krbprincipalexpiration",
- "krbticketpolicyreference",
- "krbUpEnabled",
- "krbpwdpolicyreference",
- "krbpasswordexpiration",
+ "krbcanonicalname",
+ "objectclass",
+ "krbprincipalkey",
+ "krbmaxrenewableage",
+ "krbmaxticketlife",
+ "krbticketflags",
+ "krbprincipalexpiration",
+ "krbticketpolicyreference",
+ "krbUpEnabled",
+ "krbpwdpolicyreference",
+ "krbpasswordexpiration",
"krbLastFailedAuth",
"krbLoginFailedCount",
"krbLastSuccessfulAuth",
#ifdef HAVE_EDIRECTORY
- "loginexpirationtime",
- "logindisabled",
+ "loginexpirationtime",
+ "logindisabled",
#endif
- "krbLastPwdChange",
- "krbExtraData",
- "krbObjectReferences",
- "krbAllowedToDelegateTo",
- NULL };
+ "krbLastPwdChange",
+ "krbExtraData",
+ "krbObjectReferences",
+ "krbAllowedToDelegateTo",
+ NULL };
/* Must match KDB_*_ATTR macros in ldap_principal.h. */
static char *attributes_set[] = { "krbmaxticketlife",
- "krbmaxrenewableage",
- "krbticketflags",
- "krbprincipalexpiration",
- "krbticketpolicyreference",
- "krbUpEnabled",
- "krbpwdpolicyreference",
- "krbpasswordexpiration",
- "krbprincipalkey",
+ "krbmaxrenewableage",
+ "krbticketflags",
+ "krbprincipalexpiration",
+ "krbticketpolicyreference",
+ "krbUpEnabled",
+ "krbpwdpolicyreference",
+ "krbpasswordexpiration",
+ "krbprincipalkey",
"krblastpwdchange",
"krbextradata",
"krbLastSuccessfulAuth",
"krbLastFailedAuth",
"krbLoginFailedCount",
- NULL };
+ NULL };
void
-krb5_dbe_free_contents(context, entry)
- krb5_context context;
- krb5_db_entry *entry;
+krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry)
{
- krb5_tl_data *tl_data_next=NULL;
- krb5_tl_data *tl_data=NULL;
+ krb5_tl_data *tl_data_next=NULL;
+ krb5_tl_data *tl_data=NULL;
int i, j;
if (entry->e_data)
- free(entry->e_data);
+ free(entry->e_data);
if (entry->princ)
- krb5_free_principal(context, entry->princ);
+ krb5_free_principal(context, entry->princ);
for (tl_data = entry->tl_data; tl_data; tl_data = tl_data_next) {
- tl_data_next = tl_data->tl_data_next;
- if (tl_data->tl_data_contents)
- free(tl_data->tl_data_contents);
- free(tl_data);
+ tl_data_next = tl_data->tl_data_next;
+ if (tl_data->tl_data_contents)
+ free(tl_data->tl_data_contents);
+ free(tl_data);
}
if (entry->key_data) {
- for (i = 0; i < entry->n_key_data; i++) {
- for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
- if (entry->key_data[i].key_data_length[j]) {
- if (entry->key_data[i].key_data_contents[j]) {
- memset(entry->key_data[i].key_data_contents[j],
- 0,
- (unsigned) entry->key_data[i].key_data_length[j]);
- free (entry->key_data[i].key_data_contents[j]);
- }
- }
- entry->key_data[i].key_data_contents[j] = NULL;
- entry->key_data[i].key_data_length[j] = 0;
- entry->key_data[i].key_data_type[j] = 0;
- }
- }
- free(entry->key_data);
+ for (i = 0; i < entry->n_key_data; i++) {
+ for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
+ if (entry->key_data[i].key_data_length[j]) {
+ if (entry->key_data[i].key_data_contents[j]) {
+ memset(entry->key_data[i].key_data_contents[j],
+ 0,
+ (unsigned) entry->key_data[i].key_data_length[j]);
+ free (entry->key_data[i].key_data_contents[j]);
+ }
+ }
+ entry->key_data[i].key_data_contents[j] = NULL;
+ entry->key_data[i].key_data_length[j] = 0;
+ entry->key_data[i].key_data_type[j] = 0;
+ }
+ }
+ free(entry->key_data);
}
memset(entry, 0, sizeof(*entry));
return;
krb5_error_code
-krb5_ldap_free_principal(kcontext , entries, nentries)
- krb5_context kcontext;
- krb5_db_entry *entries;
- int nentries;
+krb5_ldap_free_principal(krb5_context kcontext, krb5_db_entry *entries,
+ int nentries)
{
register int i;
for (i = 0; i < nentries; i++)
- krb5_dbe_free_contents(kcontext, &entries[i]);
+ krb5_dbe_free_contents(kcontext, &entries[i]);
return 0;
}
krb5_error_code
-krb5_ldap_iterate(context, match_expr, func, func_arg)
- krb5_context context;
- char *match_expr;
- krb5_error_code (*func) (krb5_pointer, krb5_db_entry *);
- krb5_pointer func_arg;
+krb5_ldap_iterate(krb5_context context, char *match_expr,
+ krb5_error_code (*func)(krb5_pointer, krb5_db_entry *),
+ krb5_pointer func_arg)
{
krb5_db_entry entry;
krb5_principal principal;
realm = ldap_context->lrparams->realm_name;
if (realm == NULL) {
- realm = context->default_realm;
- if (realm == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st, "Default realm not set");
- goto cleanup;
- }
+ realm = context->default_realm;
+ if (realm == NULL) {
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Default realm not set");
+ goto cleanup;
+ }
}
/*
* If no match_expr then iterate through all krb princs like the db2 plugin
*/
if (match_expr == NULL)
- match_expr = default_match_expr;
+ match_expr = default_match_expr;
if (asprintf(&filter, FILTER"%s))", match_expr) < 0)
- filter = NULL;
+ filter = NULL;
CHECK_NULL(filter);
if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntree)) != 0)
- goto cleanup;
+ goto cleanup;
GET_HANDLE();
for (tree=0; tree < ntree; ++tree) {
- LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
- for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) {
- values=ldap_get_values(ld, ent, "krbcanonicalname");
- if (values == NULL)
- values=ldap_get_values(ld, ent, "krbprincipalname");
- if (values != NULL) {
- for (i=0; values[i] != NULL; ++i) {
- if (krb5_ldap_parse_principal_name(values[i], &princ_name) != 0)
- continue;
- if (krb5_parse_name(context, princ_name, &principal) != 0)
- continue;
- if (is_principal_in_realm(ldap_context, principal) == 0) {
- if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, principal,
- &entry)) != 0)
- goto cleanup;
- (*func)(func_arg, &entry);
- krb5_dbe_free_contents(context, &entry);
- (void) krb5_free_principal(context, principal);
- free(princ_name);
- break;
- }
- (void) krb5_free_principal(context, principal);
- free(princ_name);
- }
- ldap_value_free(values);
- }
- } /* end of for (ent= ... */
- ldap_msgfree(result);
+ LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
+ for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) {
+ values=ldap_get_values(ld, ent, "krbcanonicalname");
+ if (values == NULL)
+ values=ldap_get_values(ld, ent, "krbprincipalname");
+ if (values != NULL) {
+ for (i=0; values[i] != NULL; ++i) {
+ if (krb5_ldap_parse_principal_name(values[i], &princ_name) != 0)
+ continue;
+ if (krb5_parse_name(context, princ_name, &principal) != 0)
+ continue;
+ if (is_principal_in_realm(ldap_context, principal) == 0) {
+ if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, principal,
+ &entry)) != 0)
+ goto cleanup;
+ (*func)(func_arg, &entry);
+ krb5_dbe_free_contents(context, &entry);
+ (void) krb5_free_principal(context, principal);
+ free(princ_name);
+ break;
+ }
+ (void) krb5_free_principal(context, principal);
+ free(princ_name);
+ }
+ ldap_value_free(values);
+ }
+ } /* end of for (ent= ... */
+ ldap_msgfree(result);
} /* end of for (tree= ... */
cleanup:
if (filter)
- free (filter);
+ free (filter);
for (;ntree; --ntree)
- if (subtree[ntree-1])
- free (subtree[ntree-1]);
+ if (subtree[ntree-1])
+ free (subtree[ntree-1]);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
* delete a principal from the directory.
*/
krb5_error_code
-krb5_ldap_delete_principal(context, searchfor, nentries)
- krb5_context context;
- krb5_const_principal searchfor;
- int *nentries; /* how many found & deleted */
+krb5_ldap_delete_principal(krb5_context context,
+ krb5_const_principal searchfor, int *nentries)
{
char *user=NULL, *DN=NULL, *strval[10] = {NULL};
LDAPMod **mods=NULL;
LDAP *ld=NULL;
- int j=0, ptype=0, pcount=0, attrsetmask=0;
+ int j=0, ptype=0, pcount=0, attrsetmask=0;
krb5_error_code st=0;
krb5_boolean singleentry=FALSE;
KEY *secretkey=NULL;
SETUP_CONTEXT();
/* get the principal info */
if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entries, nentries, &more)) != 0 || *nentries == 0)
- goto cleanup;
+ goto cleanup;
if (((st=krb5_get_princ_type(context, &entries, &(ptype))) != 0) ||
- ((st=krb5_get_attributes_mask(context, &entries, &(attrsetmask))) != 0) ||
- ((st=krb5_get_princ_count(context, &entries, &(pcount))) != 0) ||
- ((st=krb5_get_userdn(context, &entries, &(DN))) != 0))
- goto cleanup;
+ ((st=krb5_get_attributes_mask(context, &entries, &(attrsetmask))) != 0) ||
+ ((st=krb5_get_princ_count(context, &entries, &(pcount))) != 0) ||
+ ((st=krb5_get_userdn(context, &entries, &(DN))) != 0))
+ goto cleanup;
if (DN == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st, "DN information missing");
- goto cleanup;
+ st = EINVAL;
+ krb5_set_error_message(context, st, "DN information missing");
+ goto cleanup;
}
GET_HANDLE();
goto cleanup;
}
} else {
- if (((st=krb5_unparse_name(context, searchfor, &user)) != 0)
- || ((st=krb5_ldap_unparse_principal_name(user)) != 0))
- goto cleanup;
-
- memset(strval, 0, sizeof(strval));
- strval[0] = user;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_DELETE,
- strval)) != 0)
- goto cleanup;
-
- singleentry = (pcount == 1) ? TRUE: FALSE;
- if (singleentry == FALSE) {
- if (secretkey != NULL) {
- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", LDAP_MOD_DELETE | LDAP_MOD_BVALUES,
- secretkey->keys)) != 0)
- goto cleanup;
- }
- } else {
- /*
- * If the Kerberos user principal to be deleted happens to be the last one associated
- * with the directory user object, then it is time to delete the other kerberos
- * specific attributes like krbmaxticketlife, i.e, unkerberize the directory user.
- * From the attrsetmask value, identify the attributes set on the directory user
- * object and delete them.
- * NOTE: krbsecretkey attribute has per principal entries. There can be chances that the
- * other principals' keys are exisiting/left-over. So delete all the values.
- */
- while (attrsetmask) {
- if (attrsetmask & 1) {
- if ((st=krb5_add_str_mem_ldap_mod(&mods, attributes_set[j], LDAP_MOD_DELETE,
- NULL)) != 0)
- goto cleanup;
- }
- attrsetmask >>= 1;
- ++j;
- }
-
- /* the same should be done with the objectclass attributes */
- {
- char *attrvalues[] = {"krbticketpolicyaux", "krbprincipalaux", NULL};
-/* char *attrvalues[] = {"krbpwdpolicyrefaux", "krbticketpolicyaux", "krbprincipalaux", NULL}; */
- int p, q, r=0, amask=0;
-
- if ((st=checkattributevalue(ld, DN, "objectclass", attrvalues, &amask)) != 0)
- goto cleanup;
- memset(strval, 0, sizeof(strval));
- for (p=1, q=0; p<=4; p<<=1, ++q)
- if (p & amask)
- strval[r++] = attrvalues[q];
- strval[r] = NULL;
- if (r > 0) {
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_DELETE,
- strval)) != 0)
- goto cleanup;
- }
- }
- }
- st=ldap_modify_ext_s(ld, DN, mods, NULL, NULL);
- if (st != LDAP_SUCCESS) {
- st = set_ldap_error(context, st, OP_MOD);
- goto cleanup;
- }
+ if (((st=krb5_unparse_name(context, searchfor, &user)) != 0)
+ || ((st=krb5_ldap_unparse_principal_name(user)) != 0))
+ goto cleanup;
+
+ memset(strval, 0, sizeof(strval));
+ strval[0] = user;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_DELETE,
+ strval)) != 0)
+ goto cleanup;
+
+ singleentry = (pcount == 1) ? TRUE: FALSE;
+ if (singleentry == FALSE) {
+ if (secretkey != NULL) {
+ if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", LDAP_MOD_DELETE | LDAP_MOD_BVALUES,
+ secretkey->keys)) != 0)
+ goto cleanup;
+ }
+ } else {
+ /*
+ * If the Kerberos user principal to be deleted happens to be the last one associated
+ * with the directory user object, then it is time to delete the other kerberos
+ * specific attributes like krbmaxticketlife, i.e, unkerberize the directory user.
+ * From the attrsetmask value, identify the attributes set on the directory user
+ * object and delete them.
+ * NOTE: krbsecretkey attribute has per principal entries. There can be chances that the
+ * other principals' keys are exisiting/left-over. So delete all the values.
+ */
+ while (attrsetmask) {
+ if (attrsetmask & 1) {
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, attributes_set[j], LDAP_MOD_DELETE,
+ NULL)) != 0)
+ goto cleanup;
+ }
+ attrsetmask >>= 1;
+ ++j;
+ }
+
+ /* the same should be done with the objectclass attributes */
+ {
+ char *attrvalues[] = {"krbticketpolicyaux", "krbprincipalaux", NULL};
+/* char *attrvalues[] = {"krbpwdpolicyrefaux", "krbticketpolicyaux", "krbprincipalaux", NULL}; */
+ int p, q, r=0, amask=0;
+
+ if ((st=checkattributevalue(ld, DN, "objectclass", attrvalues, &amask)) != 0)
+ goto cleanup;
+ memset(strval, 0, sizeof(strval));
+ for (p=1, q=0; p<=4; p<<=1, ++q)
+ if (p & amask)
+ strval[r++] = attrvalues[q];
+ strval[r] = NULL;
+ if (r > 0) {
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_DELETE,
+ strval)) != 0)
+ goto cleanup;
+ }
+ }
+ }
+ st=ldap_modify_ext_s(ld, DN, mods, NULL, NULL);
+ if (st != LDAP_SUCCESS) {
+ st = set_ldap_error(context, st, OP_MOD);
+ goto cleanup;
+ }
}
cleanup:
if (user)
- free (user);
+ free (user);
if (DN)
- free (DN);
+ free (DN);
if (secretkey != NULL) {
- int i=0;
- while (i < secretkey->nkey) {
- free (secretkey->keys[i]->bv_val);
- free (secretkey->keys[i]);
- ++i;
- }
- free (secretkey->keys);
- free (secretkey);
+ int i=0;
+ while (i < secretkey->nkey) {
+ free (secretkey->keys[i]->bv_val);
+ free (secretkey->keys[i]);
+ ++i;
+ }
+ free (secretkey->keys);
+ free (secretkey);
}
if (st == 0)
- krb5_ldap_free_principal(context, &entries, *nentries);
+ krb5_ldap_free_principal(context, &entries, *nentries);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
out = user_name;
for (in = user_name; *in; in++) {
- if (*in == '\\' && *(in + 1) == '@')
- continue;
- *out++ = *in;
+ if (*in == '\\' && *(in + 1) == '@')
+ continue;
+ *out++ = *in;
}
*out = '\0';
*/
krb5_error_code
-krb5_ldap_parse_principal_name(i_princ_name, o_princ_name)
- char *i_princ_name;
- char **o_princ_name;
+krb5_ldap_parse_principal_name(char *i_princ_name, char **o_princ_name)
{
const char *at_rlm_name, *p;
struct k5buf buf;
at_rlm_name = strrchr(i_princ_name, '@');
if (!at_rlm_name) {
- *o_princ_name = strdup(i_princ_name);
- if (!o_princ_name)
- return ENOMEM;
+ *o_princ_name = strdup(i_princ_name);
+ if (!o_princ_name)
+ return ENOMEM;
} else {
- krb5int_buf_init_dynamic(&buf);
- for (p = i_princ_name; p < at_rlm_name; p++) {
- if (*p == '@')
- krb5int_buf_add(&buf, "\\");
- krb5int_buf_add_len(&buf, p, 1);
- }
- krb5int_buf_add(&buf, at_rlm_name);
- *o_princ_name = krb5int_buf_data(&buf);
- if (!*o_princ_name)
- return ENOMEM;
+ krb5int_buf_init_dynamic(&buf);
+ for (p = i_princ_name; p < at_rlm_name; p++) {
+ if (*p == '@')
+ krb5int_buf_add(&buf, "\\");
+ krb5int_buf_add_len(&buf, p, 1);
+ }
+ krb5int_buf_add(&buf, at_rlm_name);
+ *o_princ_name = krb5int_buf_data(&buf);
+ if (!*o_princ_name)
+ return ENOMEM;
}
return 0;
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_principal.h
*
#define KEYHEADER 12
-#define NOOFKEYS(ptr) ((ptr[10]<<8) | ptr[11])
+#define NOOFKEYS(ptr) ((ptr[10]<<8) | ptr[11])
-#define PRINCIPALLEN(ptr) ((ptr[0]<<8) | ptr[1])
-#define PRINCIPALNAME(ptr) (ptr + KEYHEADER + (NOOFKEYS(ptr) *8))
+#define PRINCIPALLEN(ptr) ((ptr[0]<<8) | ptr[1])
+#define PRINCIPALNAME(ptr) (ptr + KEYHEADER + (NOOFKEYS(ptr) *8))
-#define KEYBODY(ptr) PRINCIPALNAME(ptr) + PRINCIPALLEN(ptr)
+#define KEYBODY(ptr) PRINCIPALNAME(ptr) + PRINCIPALLEN(ptr)
-#define PKEYVER(ptr) ((ptr[2]<<8) | ptr[3])
-#define MKEYVER(ptr) ((ptr[4]<<8) | ptr[5])
+#define PKEYVER(ptr) ((ptr[2]<<8) | ptr[3])
+#define MKEYVER(ptr) ((ptr[4]<<8) | ptr[5])
-#define KEYTYPE(ptr,j) ((ptr[KEYHEADER+(j*8)]<<8) | ptr[KEYHEADER+1+(j*8)])
-#define KEYLENGTH(ptr,j) ((ptr[KEYHEADER+2+(j*8)]<<8) | ptr[KEYHEADER+3+(j*8)])
-#define SALTTYPE(ptr,j) ((ptr[KEYHEADER+4+(j*8)]<<8) | ptr[KEYHEADER+5+(j*8)])
-#define SALTLENGTH(ptr,j) ((ptr[KEYHEADER+6+(j*8)]<<8) | ptr[KEYHEADER+7+(j*8)])
+#define KEYTYPE(ptr,j) ((ptr[KEYHEADER+(j*8)]<<8) | ptr[KEYHEADER+1+(j*8)])
+#define KEYLENGTH(ptr,j) ((ptr[KEYHEADER+2+(j*8)]<<8) | ptr[KEYHEADER+3+(j*8)])
+#define SALTTYPE(ptr,j) ((ptr[KEYHEADER+4+(j*8)]<<8) | ptr[KEYHEADER+5+(j*8)])
+#define SALTLENGTH(ptr,j) ((ptr[KEYHEADER+6+(j*8)]<<8) | ptr[KEYHEADER+7+(j*8)])
#define MAX_KEY_LENGTH 1024
#define CONTAINERDN_ARG "containerdn"
#define LINKDN_ARG "linkdn"
/* #define FILTER "(&(objectclass=krbprincipalaux)(krbprincipalname=" */
- #define FILTER "(&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal))(krbprincipalname="
+#define FILTER "(&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal))(krbprincipalname="
#define KDB_USER_PRINCIPAL 0x01
#define KDB_SERVICE_PRINCIPAL 0x02
* and krb5_ldap_put_principal(). If present, it means that the
* krbPwdMaxFailure attribute should be incremented by one.
*/
-#define KADM5_FAIL_AUTH_COUNT_INCREMENT 0x080000 /* KADM5_CPW_FUNCTION */
+#define KADM5_FAIL_AUTH_COUNT_INCREMENT 0x080000 /* KADM5_CPW_FUNCTION */
extern struct timeval timeout;
extern char *policyclass[];
krb5_error_code
krb5_ldap_get_principal(krb5_context , krb5_const_principal ,
- unsigned int, krb5_db_entry *,int *, krb5_boolean *);
+ unsigned int, krb5_db_entry *, int *, krb5_boolean *);
krb5_error_code
krb5_ldap_delete_principal(krb5_context, krb5_const_principal, int *);
krb5_ldap_free_principal(krb5_context, krb5_db_entry *, int );
krb5_error_code
-krb5_ldap_iterate(krb5_context, char *, krb5_error_code (*) (krb5_pointer, krb5_db_entry *),
+krb5_ldap_iterate(krb5_context, char *,
+ krb5_error_code (*)(krb5_pointer, krb5_db_entry *),
krb5_pointer/*, int */);
void
krb5_error_code
krb5_decode_krbsecretkey(krb5_context, krb5_db_entry *, struct berval **,
- krb5_tl_data *, krb5_kvno *);
+ krb5_tl_data *, krb5_kvno *);
krb5_error_code
berval2tl_data(struct berval *in, krb5_tl_data **out);
krb5_error_code
-krb5_read_tkt_policy (krb5_context, krb5_ldap_context *, krb5_db_entry *, char *);
+krb5_read_tkt_policy(krb5_context, krb5_ldap_context *, krb5_db_entry *,
+ char *);
#endif
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_principal2.c
*
{
*out = (krb5_tl_data *) malloc (sizeof (krb5_tl_data));
if (*out == NULL)
- return ENOMEM;
+ return ENOMEM;
(*out)->tl_data_length = in->bv_len - 2;
(*out)->tl_data_contents = (krb5_octet *) malloc
- ((*out)->tl_data_length * sizeof (krb5_octet));
+ ((*out)->tl_data_length * sizeof (krb5_octet));
if ((*out)->tl_data_contents == NULL) {
- free (*out);
- return ENOMEM;
+ free (*out);
+ return ENOMEM;
}
UNSTORE16_INT (in->bv_val, (*out)->tl_data_type);
* okay.
*/
if (!(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY))
- return TRUE;
+ return TRUE;
if (flags & KRB5_KDB_FLAG_CANONICALIZE)
- return TRUE;
+ return TRUE;
return FALSE;
}
*/
krb5_error_code
-krb5_ldap_get_principal(context, searchfor, flags, entries, nentries, more)
- krb5_context context;
- krb5_const_principal searchfor;
- unsigned int flags;
- krb5_db_entry *entries; /* filled in */
- int *nentries; /* how much room/how many found */
- krb5_boolean *more; /* are there more? */
+krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
+ unsigned int flags, krb5_db_entry *entries,
+ int *nentries, krb5_boolean *more)
{
char *user=NULL, *filter=NULL, **subtree=NULL;
unsigned int tree=0, ntrees=1, princlen=0;
- krb5_error_code tempst=0, st=0;
+ krb5_error_code tempst=0, st=0;
char **values=NULL, *cname=NULL;
- LDAP *ld=NULL;
- LDAPMessage *result=NULL, *ent=NULL;
+ LDAP *ld=NULL;
+ LDAPMessage *result=NULL, *ent=NULL;
krb5_ldap_context *ldap_context=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
- krb5_principal cprinc=NULL;
+ krb5_principal cprinc=NULL;
/* Clear the global error string */
krb5_clear_error_message(context);
memset(entries, 0, sizeof(*entries));
if (searchfor == NULL)
- return EINVAL;
+ return EINVAL;
dal_handle = context->dal_handle;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
CHECK_LDAP_HANDLE(ldap_context);
if (is_principal_in_realm(ldap_context, searchfor) != 0) {
- *more = 0;
- krb5_set_error_message (context, st, "Principal does not belong to realm");
- goto cleanup;
+ *more = 0;
+ krb5_set_error_message (context, st, "Principal does not belong to realm");
+ goto cleanup;
}
if ((st=krb5_unparse_name(context, searchfor, &user)) != 0)
- goto cleanup;
+ goto cleanup;
if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
- goto cleanup;
+ goto cleanup;
princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
if ((filter = malloc(princlen)) == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
snprintf(filter, princlen, FILTER"%s))", user);
if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
- goto cleanup;
+ goto cleanup;
GET_HANDLE();
for (tree=0; tree < ntrees && *nentries == 0; ++tree) {
- LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
- for (ent=ldap_first_entry(ld, result); ent != NULL && *nentries == 0; ent=ldap_next_entry(ld, ent)) {
-
- /* get the associated directory user information */
- if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
- int i;
-
- /* a wild-card in a principal name can return a list of kerberos principals.
- * Make sure that the correct principal is returned.
- * NOTE: a principalname k* in ldap server will return all the principals starting with a k
- */
- for (i=0; values[i] != NULL; ++i) {
- if (strcmp(values[i], user) == 0) {
- *nentries = 1;
- break;
- }
- }
- ldap_value_free(values);
-
- if (*nentries == 0) /* no matching principal found */
- continue;
- }
-
- if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
- if (values[0] && strcmp(values[0], user) != 0) {
- /* We matched an alias, not the canonical name. */
- if (aliases_ok(flags)) {
- st = krb5_ldap_parse_principal_name(values[0], &cname);
- if (st != 0)
- goto cleanup;
- st = krb5_parse_name(context, cname, &cprinc);
- if (st != 0)
- goto cleanup;
- } else /* No canonicalization, so don't return aliases. */
- *nentries = 0;
- }
- ldap_value_free(values);
- if (*nentries == 0)
- continue;
- }
-
- if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent,
- cprinc ? cprinc : searchfor,
- entries)) != 0)
- goto cleanup;
- }
- ldap_msgfree(result);
- result = NULL;
+ LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
+ for (ent=ldap_first_entry(ld, result); ent != NULL && *nentries == 0; ent=ldap_next_entry(ld, ent)) {
+
+ /* get the associated directory user information */
+ if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
+ int i;
+
+ /* a wild-card in a principal name can return a list of kerberos principals.
+ * Make sure that the correct principal is returned.
+ * NOTE: a principalname k* in ldap server will return all the principals starting with a k
+ */
+ for (i=0; values[i] != NULL; ++i) {
+ if (strcmp(values[i], user) == 0) {
+ *nentries = 1;
+ break;
+ }
+ }
+ ldap_value_free(values);
+
+ if (*nentries == 0) /* no matching principal found */
+ continue;
+ }
+
+ if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
+ if (values[0] && strcmp(values[0], user) != 0) {
+ /* We matched an alias, not the canonical name. */
+ if (aliases_ok(flags)) {
+ st = krb5_ldap_parse_principal_name(values[0], &cname);
+ if (st != 0)
+ goto cleanup;
+ st = krb5_parse_name(context, cname, &cprinc);
+ if (st != 0)
+ goto cleanup;
+ } else /* No canonicalization, so don't return aliases. */
+ *nentries = 0;
+ }
+ ldap_value_free(values);
+ if (*nentries == 0)
+ continue;
+ }
+
+ if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent,
+ cprinc ? cprinc : searchfor,
+ entries)) != 0)
+ goto cleanup;
+ }
+ ldap_msgfree(result);
+ result = NULL;
} /* for (tree=0 ... */
/* once done, put back the ldap handle */
ldap_msgfree(result);
if (*nentries == 0 || st != 0)
- krb5_dbe_free_contents(context, entries);
+ krb5_dbe_free_contents(context, entries);
if (filter)
- free (filter);
+ free (filter);
if (subtree) {
- for (; ntrees; --ntrees)
- if (subtree[ntrees-1])
- free (subtree[ntrees-1]);
- free (subtree);
+ for (; ntrees; --ntrees)
+ if (subtree[ntrees-1])
+ free (subtree[ntrees-1]);
+ free (subtree);
}
if (ldap_server_handle)
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
+ krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
if (user)
- free(user);
+ free(user);
if (cname)
- free(cname);
+ free(cname);
if (cprinc)
- krb5_free_principal(context, cprinc);
+ krb5_free_principal(context, cprinc);
return st;
}
}xargs_t;
static void
-free_xargs(xargs)
- xargs_t xargs;
+free_xargs(xargs_t xargs)
{
if (xargs.dn)
- free (xargs.dn);
+ free (xargs.dn);
if (xargs.linkdn)
- free(xargs.linkdn);
+ free(xargs.linkdn);
if (xargs.containerdn)
- free (xargs.containerdn);
+ free (xargs.containerdn);
if (xargs.tktpolicydn)
- free (xargs.tktpolicydn);
+ free (xargs.tktpolicydn);
}
static krb5_error_code
-process_db_args(context, db_args, xargs, optype)
- krb5_context context;
- char **db_args;
- xargs_t *xargs;
- OPERATION optype;
+process_db_args(krb5_context context, char **db_args, xargs_t *xargs,
+ OPERATION optype)
{
int i=0;
krb5_error_code st=0;
unsigned int arg_val_len=0;
if (db_args) {
- for (i=0; db_args[i]; ++i) {
- arg = strtok_r(db_args[i], "=", &arg_val);
- if (strcmp(arg, TKTPOLICY_ARG) == 0) {
- dptr = &xargs->tktpolicydn;
- } else {
- if (strcmp(arg, USERDN_ARG) == 0) {
- if (optype == MODIFY_PRINCIPAL ||
- xargs->dn != NULL || xargs->containerdn != NULL ||
- xargs->linkdn != NULL) {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf),
- "%s option not supported", arg);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
- dptr = &xargs->dn;
- } else if (strcmp(arg, CONTAINERDN_ARG) == 0) {
- if (optype == MODIFY_PRINCIPAL ||
- xargs->dn != NULL || xargs->containerdn != NULL) {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf),
- "%s option not supported", arg);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
- dptr = &xargs->containerdn;
- } else if (strcmp(arg, LINKDN_ARG) == 0) {
- if (xargs->dn != NULL || xargs->linkdn != NULL) {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf),
- "%s option not supported", arg);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
- dptr = &xargs->linkdn;
- } else {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf), "unknown option: %s", arg);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
-
- xargs->dn_from_kbd = TRUE;
- if (arg_val == NULL || strlen(arg_val) == 0) {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf),
- "%s option value missing", arg);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
- }
-
- if (arg_val == NULL) {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf),
- "%s option value missing", arg);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
- arg_val_len = strlen(arg_val) + 1;
-
- if (strcmp(arg, TKTPOLICY_ARG) == 0) {
- if ((st = krb5_ldap_name_to_policydn (context,
- arg_val,
- dptr)) != 0)
- goto cleanup;
- } else {
- *dptr = calloc (1, arg_val_len);
- if (*dptr == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- memcpy(*dptr, arg_val, arg_val_len);
- }
- }
+ for (i=0; db_args[i]; ++i) {
+ arg = strtok_r(db_args[i], "=", &arg_val);
+ if (strcmp(arg, TKTPOLICY_ARG) == 0) {
+ dptr = &xargs->tktpolicydn;
+ } else {
+ if (strcmp(arg, USERDN_ARG) == 0) {
+ if (optype == MODIFY_PRINCIPAL ||
+ xargs->dn != NULL || xargs->containerdn != NULL ||
+ xargs->linkdn != NULL) {
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf),
+ "%s option not supported", arg);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
+ dptr = &xargs->dn;
+ } else if (strcmp(arg, CONTAINERDN_ARG) == 0) {
+ if (optype == MODIFY_PRINCIPAL ||
+ xargs->dn != NULL || xargs->containerdn != NULL) {
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf),
+ "%s option not supported", arg);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
+ dptr = &xargs->containerdn;
+ } else if (strcmp(arg, LINKDN_ARG) == 0) {
+ if (xargs->dn != NULL || xargs->linkdn != NULL) {
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf),
+ "%s option not supported", arg);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
+ dptr = &xargs->linkdn;
+ } else {
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf), "unknown option: %s", arg);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
+
+ xargs->dn_from_kbd = TRUE;
+ if (arg_val == NULL || strlen(arg_val) == 0) {
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf),
+ "%s option value missing", arg);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
+ }
+
+ if (arg_val == NULL) {
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf),
+ "%s option value missing", arg);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
+ arg_val_len = strlen(arg_val) + 1;
+
+ if (strcmp(arg, TKTPOLICY_ARG) == 0) {
+ if ((st = krb5_ldap_name_to_policydn (context,
+ arg_val,
+ dptr)) != 0)
+ goto cleanup;
+ } else {
+ *dptr = calloc (1, arg_val_len);
+ if (*dptr == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+ memcpy(*dptr, arg_val, arg_val_len);
+ }
+ }
}
cleanup:
krb5int_access accessor;
static krb5_error_code
-asn1_encode_sequence_of_keys (krb5_key_data *key_data, krb5_int16 n_key_data,
- krb5_int32 mkvno, krb5_data **code)
+asn1_encode_sequence_of_keys(krb5_key_data *key_data, krb5_int16 n_key_data,
+ krb5_int32 mkvno, krb5_data **code)
{
krb5_error_code err;
ldap_seqof_key_data val;
*/
err = kldap_ensure_initialized ();
if (err)
- return err;
+ return err;
val.key_data = key_data;
val.n_key_data = n_key_data;
}
static krb5_error_code
-asn1_decode_sequence_of_keys (krb5_data *in, krb5_key_data **out,
- krb5_int16 *n_key_data, krb5_kvno *mkvno)
+asn1_decode_sequence_of_keys(krb5_data *in, krb5_key_data **out,
+ krb5_int16 *n_key_data, krb5_kvno *mkvno)
{
krb5_error_code err;
ldap_seqof_key_data *p;
*/
err = kldap_ensure_initialized ();
if (err)
- return err;
+ return err;
err = accessor.asn1_ldap_decode_sequence_of_keys(in, &p);
if (err)
- return err;
+ return err;
*out = p->key_data;
*n_key_data = p->n_key_data;
*mkvno = p->mkvno;
/* Decoding ASN.1 encoded key */
static struct berval **
-krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data, krb5_kvno mkvno) {
+krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data,
+ krb5_kvno mkvno) {
struct berval **ret = NULL;
int currkvno;
int num_versions = 1;
krb5_error_code err = 0;
if (n_key_data <= 0)
- return NULL;
+ return NULL;
/* Find the number of key versions */
for (i = 0; i < n_key_data - 1; i++)
- if (key_data[i].key_data_kvno != key_data[i + 1].key_data_kvno)
- num_versions++;
+ if (key_data[i].key_data_kvno != key_data[i + 1].key_data_kvno)
+ num_versions++;
ret = (struct berval **) calloc (num_versions + 1, sizeof (struct berval *));
if (ret == NULL) {
- err = ENOMEM;
- goto cleanup;
+ err = ENOMEM;
+ goto cleanup;
}
for (i = 0, last = 0, j = 0, currkvno = key_data[0].key_data_kvno; i < n_key_data; i++) {
- krb5_data *code;
- if (i == n_key_data - 1 || key_data[i + 1].key_data_kvno != currkvno) {
- asn1_encode_sequence_of_keys (key_data+last,
- (krb5_int16) i - last + 1,
- mkvno,
- &code);
- ret[j] = malloc (sizeof (struct berval));
- if (ret[j] == NULL) {
- err = ENOMEM;
- goto cleanup;
- }
- /*CHECK_NULL(ret[j]); */
- ret[j]->bv_len = code->length;
- ret[j]->bv_val = code->data;
- j++;
- last = i + 1;
-
- currkvno = key_data[i].key_data_kvno;
- }
+ krb5_data *code;
+ if (i == n_key_data - 1 || key_data[i + 1].key_data_kvno != currkvno) {
+ asn1_encode_sequence_of_keys (key_data+last,
+ (krb5_int16) i - last + 1,
+ mkvno,
+ &code);
+ ret[j] = malloc (sizeof (struct berval));
+ if (ret[j] == NULL) {
+ err = ENOMEM;
+ goto cleanup;
+ }
+ /*CHECK_NULL(ret[j]); */
+ ret[j]->bv_len = code->length;
+ ret[j]->bv_val = code->data;
+ j++;
+ last = i + 1;
+
+ currkvno = key_data[i].key_data_kvno;
+ }
}
ret[num_versions] = NULL;
cleanup:
if (err != 0) {
- if (ret != NULL) {
- for (i = 0; i <= num_versions; i++)
- if (ret[i] != NULL)
- free (ret[i]);
- free (ret);
- ret = NULL;
- }
+ if (ret != NULL) {
+ for (i = 0; i <= num_versions; i++)
+ if (ret[i] != NULL)
+ free (ret[i]);
+ free (ret);
+ ret = NULL;
+ }
}
return ret;
}
-static krb5_error_code tl_data2berval (krb5_tl_data *in, struct berval **out) {
+static krb5_error_code
+tl_data2berval (krb5_tl_data *in, struct berval **out)
+{
*out = (struct berval *) malloc (sizeof (struct berval));
if (*out == NULL)
- return ENOMEM;
+ return ENOMEM;
(*out)->bv_len = in->tl_data_length + 2;
(*out)->bv_val = (char *) malloc ((*out)->bv_len);
if ((*out)->bv_val == NULL) {
- free (*out);
- return ENOMEM;
+ free (*out);
+ return ENOMEM;
}
STORE16_INT((*out)->bv_val, in->tl_data_type);
}
krb5_error_code
-krb5_ldap_put_principal(context, entries, nentries, db_args)
- krb5_context context;
- krb5_db_entry *entries;
- register int *nentries; /* number of entry structs to update */
- char **db_args;
+krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entries,
+ int *nentries, char **db_args)
{
- int i=0, l=0, kerberos_principal_object_type=0;
- krb5_error_code st=0, tempst=0;
- LDAP *ld=NULL;
+ int i=0, l=0, kerberos_principal_object_type=0;
+ krb5_error_code st=0, tempst=0;
+ LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
char *user=NULL, *subtree=NULL, *principal_dn=NULL;
char **values=NULL, *strval[10]={NULL}, errbuf[1024];
- struct berval **bersecretkey=NULL;
- LDAPMod **mods=NULL;
+ struct berval **bersecretkey=NULL;
+ LDAPMod **mods=NULL;
krb5_boolean create_standalone_prinicipal=FALSE;
krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE;
char *standalone_principal_dn=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
- osa_princ_ent_rec princ_ent;
+ osa_princ_ent_rec princ_ent;
xargs_t xargs = {0};
char *polname = NULL;
OPERATION optype;
- krb5_boolean found_entry = FALSE;
+ krb5_boolean found_entry = FALSE;
/* Clear the global error string */
krb5_clear_error_message(context);
SETUP_CONTEXT();
if (ldap_context->lrparams == NULL || ldap_context->krbcontainer == NULL)
- return EINVAL;
+ return EINVAL;
/* get ldap handle */
GET_HANDLE();
for (i=0; i < *nentries; ++i, ++entries) {
- if (is_principal_in_realm(ldap_context, entries->princ) != 0) {
- st = EINVAL;
- krb5_set_error_message(context, st, "Principal does not belong to the default realm");
- goto cleanup;
- }
-
- /* get the principal information to act on */
- if (entries->princ) {
- if (((st=krb5_unparse_name(context, entries->princ, &user)) != 0) ||
- ((st=krb5_ldap_unparse_principal_name(user)) != 0))
- goto cleanup;
- }
-
- /* Identity the type of operation, it can be
- * add principal or modify principal.
- * hack if the entries->mask has KRB_PRINCIPAL flag set
- * then it is a add operation
- */
- if (entries->mask & KADM5_PRINCIPAL)
- optype = ADD_PRINCIPAL;
- else
- optype = MODIFY_PRINCIPAL;
-
- if (((st=krb5_get_princ_type(context, entries, &kerberos_principal_object_type)) != 0) ||
- ((st=krb5_get_userdn(context, entries, &principal_dn)) != 0))
- goto cleanup;
-
- if ((st=process_db_args(context, db_args, &xargs, optype)) != 0)
- goto cleanup;
-
- if (entries->mask & KADM5_LOAD) {
- int tree = 0, ntrees = 0, princlen = 0, numlentries = 0;
- char **subtreelist = NULL, *filter = NULL;
-
- /* A load operation is special, will do a mix-in (add krbprinc
- * attrs to a non-krb object entry) if an object exists with a
- * matching krbprincipalname attribute so try to find existing
- * object and set principal_dn. This assumes that the
- * krbprincipalname attribute is unique (only one object entry has
- * a particular krbprincipalname attribute).
- */
- if (user == NULL) {
- /* must have principal name for search */
- st = EINVAL;
- krb5_set_error_message(context, st, "operation can not continue, principal name not found");
- goto cleanup;
- }
- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
- if ((filter = malloc(princlen)) == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- snprintf(filter, princlen, FILTER"%s))", user);
-
- /* get the current subtree list */
- if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
- goto cleanup;
-
- found_entry = FALSE;
- /* search for entry with matching krbprincipalname attribute */
- for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) {
- result = NULL;
- if (principal_dn == NULL) {
- LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS);
- } else {
- /* just look for entry with principal_dn */
- LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS);
- }
- if (st == LDAP_SUCCESS) {
- numlentries = ldap_count_entries(ld, result);
- if (numlentries > 1) {
- ldap_msgfree(result);
- free(filter);
- st = EINVAL;
- krb5_set_error_message(context, st,
- "operation can not continue, more than one entry with principal name \"%s\" found",
- user);
- goto cleanup;
- } else if (numlentries == 1) {
- found_entry = TRUE;
- if (principal_dn == NULL) {
- ent = ldap_first_entry(ld, result);
- if (ent != NULL) {
- /* setting principal_dn will cause that entry to be modified further down */
- if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) {
- ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st);
- st = set_ldap_error (context, st, 0);
- ldap_msgfree(result);
- free(filter);
- goto cleanup;
- }
- }
- }
- }
- if (result)
- ldap_msgfree(result);
- } else if (st != LDAP_NO_SUCH_OBJECT) {
- /* could not perform search, return with failure */
- st = set_ldap_error (context, st, 0);
- free(filter);
- goto cleanup;
- }
- /*
- * If it isn't found then assume a standalone princ entry is to
- * be created.
- */
- } /* end for (tree = 0; principal_dn == ... */
-
- free(filter);
-
- if (found_entry == FALSE && principal_dn != NULL) {
- /*
- * if principal_dn is null then there is code further down to
- * deal with setting standalone_principal_dn. Also note that
- * this will set create_standalone_prinicipal true for
- * non-mix-in entries which is okay if loading from a dump.
- */
- create_standalone_prinicipal = TRUE;
- standalone_principal_dn = strdup(principal_dn);
- CHECK_NULL(standalone_principal_dn);
- }
- } /* end if (entries->mask & KADM5_LOAD */
-
- /* time to generate the DN information with the help of
- * containerdn, principalcontainerreference or
- * realmcontainerdn information
- */
- if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */
- /* get the subtree information */
- if (entries->princ->length == 2 && entries->princ->data[0].length == strlen("krbtgt") &&
- strncmp(entries->princ->data[0].data, "krbtgt", entries->princ->data[0].length) == 0) {
- /* if the principal is a inter-realm principal, always created in the realm container */
- subtree = strdup(ldap_context->lrparams->realmdn);
- } else if (xargs.containerdn) {
- if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) {
- if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
- int ost = st;
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf), "'%s' not found: ",
- xargs.containerdn);
- prepend_err_str(context, errbuf, st, ost);
- }
- goto cleanup;
- }
- subtree = strdup(xargs.containerdn);
- } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) {
- /*
- * Here the subtree should be changed with
- * principalcontainerreference attribute value
- */
- subtree = strdup(ldap_context->lrparams->containerref);
- } else {
- subtree = strdup(ldap_context->lrparams->realmdn);
- }
- CHECK_NULL(subtree);
-
- if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s",
- user, subtree) < 0)
- standalone_principal_dn = NULL;
- CHECK_NULL(standalone_principal_dn);
- /*
- * free subtree when you are done using the subtree
- * set the boolean create_standalone_prinicipal to TRUE
- */
- create_standalone_prinicipal = TRUE;
- free(subtree);
- subtree = NULL;
- }
-
- /*
- * If the DN information is presented by the user, time to
- * validate the input to ensure that the DN falls under
- * any of the subtrees
- */
- if (xargs.dn_from_kbd == TRUE) {
- /* make sure the DN falls in the subtree */
- int tre=0, dnlen=0, subtreelen=0, ntrees=0;
- char **subtreelist=NULL;
- char *dn=NULL;
- krb5_boolean outofsubtree=TRUE;
-
- if (xargs.dn != NULL) {
- dn = xargs.dn;
- } else if (xargs.linkdn != NULL) {
- dn = xargs.linkdn;
- } else if (standalone_principal_dn != NULL) {
- /*
- * Even though the standalone_principal_dn is constructed
- * within this function, there is the containerdn input
- * from the user that can become part of the it.
- */
- dn = standalone_principal_dn;
- }
-
- /* get the current subtree list */
- if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
- goto cleanup;
-
- for (tre=0; tre<ntrees; ++tre) {
- if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
- outofsubtree = FALSE;
- break;
- } else {
- dnlen = strlen (dn);
- subtreelen = strlen(subtreelist[tre]);
- if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
- outofsubtree = FALSE;
- break;
- }
- }
- }
-
- for (tre=0; tre < ntrees; ++tre) {
- free(subtreelist[tre]);
- }
-
- if (outofsubtree == TRUE) {
- st = EINVAL;
- krb5_set_error_message(context, st, "DN is out of the realm subtree");
- goto cleanup;
- }
-
- /*
- * dn value will be set either by dn, linkdn or the standalone_principal_dn
- * In the first 2 cases, the dn should be existing and in the last case we
- * are supposed to create the ldap object. so the below should not be
- * executed for the last case.
- */
-
- if (standalone_principal_dn == NULL) {
- /*
- * If the ldap object is missing, this results in an error.
- */
-
- /*
- * Search for krbprincipalname attribute here.
- * This is to find if a kerberos identity is already present
- * on the ldap object, in which case adding a kerberos identity
- * on the ldap object should result in an error.
- */
- char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
-
- LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
- if (st == LDAP_SUCCESS) {
- ent = ldap_first_entry(ld, result);
- if (ent != NULL) {
- if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
- krb_identity_exists = TRUE;
- ldap_value_free(values);
- }
- }
- ldap_msgfree(result);
- } else {
- st = set_ldap_error(context, st, OP_SEARCH);
- goto cleanup;
- }
- }
- }
-
- /*
- * If xargs.dn is set then the request is to add a
- * kerberos principal on a ldap object, but if
- * there is one already on the ldap object this
- * should result in an error.
- */
-
- if (xargs.dn != NULL && krb_identity_exists == TRUE) {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf), "ldap object is already kerberized");
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
-
- if (xargs.linkdn != NULL) {
- /*
- * link information can be changed using modprinc.
- * However, link information can be changed only on the
- * standalone kerberos principal objects. A standalone
- * kerberos principal object is of type krbprincipal
- * structural objectclass.
- *
- * NOTE: kerberos principals on an ldap object can't be
- * linked to other ldap objects.
- */
- if (optype == MODIFY_PRINCIPAL &&
- kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf),
- "link information can not be set/updated as the kerberos principal belongs to an ldap object");
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
+ if (is_principal_in_realm(ldap_context, entries->princ) != 0) {
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Principal does not belong to the default realm");
+ goto cleanup;
+ }
+
+ /* get the principal information to act on */
+ if (entries->princ) {
+ if (((st=krb5_unparse_name(context, entries->princ, &user)) != 0) ||
+ ((st=krb5_ldap_unparse_principal_name(user)) != 0))
+ goto cleanup;
+ }
+
+ /* Identity the type of operation, it can be
+ * add principal or modify principal.
+ * hack if the entries->mask has KRB_PRINCIPAL flag set
+ * then it is a add operation
+ */
+ if (entries->mask & KADM5_PRINCIPAL)
+ optype = ADD_PRINCIPAL;
+ else
+ optype = MODIFY_PRINCIPAL;
+
+ if (((st=krb5_get_princ_type(context, entries, &kerberos_principal_object_type)) != 0) ||
+ ((st=krb5_get_userdn(context, entries, &principal_dn)) != 0))
+ goto cleanup;
+
+ if ((st=process_db_args(context, db_args, &xargs, optype)) != 0)
+ goto cleanup;
+
+ if (entries->mask & KADM5_LOAD) {
+ int tree = 0, ntrees = 0, princlen = 0, numlentries = 0;
+ char **subtreelist = NULL, *filter = NULL;
+
+ /* A load operation is special, will do a mix-in (add krbprinc
+ * attrs to a non-krb object entry) if an object exists with a
+ * matching krbprincipalname attribute so try to find existing
+ * object and set principal_dn. This assumes that the
+ * krbprincipalname attribute is unique (only one object entry has
+ * a particular krbprincipalname attribute).
+ */
+ if (user == NULL) {
+ /* must have principal name for search */
+ st = EINVAL;
+ krb5_set_error_message(context, st, "operation can not continue, principal name not found");
+ goto cleanup;
+ }
+ princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
+ if ((filter = malloc(princlen)) == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+ snprintf(filter, princlen, FILTER"%s))", user);
+
+ /* get the current subtree list */
+ if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
+ goto cleanup;
+
+ found_entry = FALSE;
+ /* search for entry with matching krbprincipalname attribute */
+ for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) {
+ result = NULL;
+ if (principal_dn == NULL) {
+ LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS);
+ } else {
+ /* just look for entry with principal_dn */
+ LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS);
+ }
+ if (st == LDAP_SUCCESS) {
+ numlentries = ldap_count_entries(ld, result);
+ if (numlentries > 1) {
+ ldap_msgfree(result);
+ free(filter);
+ st = EINVAL;
+ krb5_set_error_message(context, st,
+ "operation can not continue, more than one entry with principal name \"%s\" found",
+ user);
+ goto cleanup;
+ } else if (numlentries == 1) {
+ found_entry = TRUE;
+ if (principal_dn == NULL) {
+ ent = ldap_first_entry(ld, result);
+ if (ent != NULL) {
+ /* setting principal_dn will cause that entry to be modified further down */
+ if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) {
+ ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st);
+ st = set_ldap_error (context, st, 0);
+ ldap_msgfree(result);
+ free(filter);
+ goto cleanup;
+ }
+ }
+ }
+ }
+ if (result)
+ ldap_msgfree(result);
+ } else if (st != LDAP_NO_SUCH_OBJECT) {
+ /* could not perform search, return with failure */
+ st = set_ldap_error (context, st, 0);
+ free(filter);
+ goto cleanup;
+ }
+ /*
+ * If it isn't found then assume a standalone princ entry is to
+ * be created.
+ */
+ } /* end for (tree = 0; principal_dn == ... */
+
+ free(filter);
+
+ if (found_entry == FALSE && principal_dn != NULL) {
+ /*
+ * if principal_dn is null then there is code further down to
+ * deal with setting standalone_principal_dn. Also note that
+ * this will set create_standalone_prinicipal true for
+ * non-mix-in entries which is okay if loading from a dump.
+ */
+ create_standalone_prinicipal = TRUE;
+ standalone_principal_dn = strdup(principal_dn);
+ CHECK_NULL(standalone_principal_dn);
+ }
+ } /* end if (entries->mask & KADM5_LOAD */
+
+ /* time to generate the DN information with the help of
+ * containerdn, principalcontainerreference or
+ * realmcontainerdn information
+ */
+ if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */
+ /* get the subtree information */
+ if (entries->princ->length == 2 && entries->princ->data[0].length == strlen("krbtgt") &&
+ strncmp(entries->princ->data[0].data, "krbtgt", entries->princ->data[0].length) == 0) {
+ /* if the principal is a inter-realm principal, always created in the realm container */
+ subtree = strdup(ldap_context->lrparams->realmdn);
+ } else if (xargs.containerdn) {
+ if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) {
+ if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
+ int ost = st;
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf), "'%s' not found: ",
+ xargs.containerdn);
+ prepend_err_str(context, errbuf, st, ost);
+ }
+ goto cleanup;
+ }
+ subtree = strdup(xargs.containerdn);
+ } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) {
+ /*
+ * Here the subtree should be changed with
+ * principalcontainerreference attribute value
+ */
+ subtree = strdup(ldap_context->lrparams->containerref);
+ } else {
+ subtree = strdup(ldap_context->lrparams->realmdn);
+ }
+ CHECK_NULL(subtree);
+
+ if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s",
+ user, subtree) < 0)
+ standalone_principal_dn = NULL;
+ CHECK_NULL(standalone_principal_dn);
+ /*
+ * free subtree when you are done using the subtree
+ * set the boolean create_standalone_prinicipal to TRUE
+ */
+ create_standalone_prinicipal = TRUE;
+ free(subtree);
+ subtree = NULL;
+ }
+
+ /*
+ * If the DN information is presented by the user, time to
+ * validate the input to ensure that the DN falls under
+ * any of the subtrees
+ */
+ if (xargs.dn_from_kbd == TRUE) {
+ /* make sure the DN falls in the subtree */
+ int tre=0, dnlen=0, subtreelen=0, ntrees=0;
+ char **subtreelist=NULL;
+ char *dn=NULL;
+ krb5_boolean outofsubtree=TRUE;
+
+ if (xargs.dn != NULL) {
+ dn = xargs.dn;
+ } else if (xargs.linkdn != NULL) {
+ dn = xargs.linkdn;
+ } else if (standalone_principal_dn != NULL) {
+ /*
+ * Even though the standalone_principal_dn is constructed
+ * within this function, there is the containerdn input
+ * from the user that can become part of the it.
+ */
+ dn = standalone_principal_dn;
+ }
+
+ /* get the current subtree list */
+ if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
+ goto cleanup;
+
+ for (tre=0; tre<ntrees; ++tre) {
+ if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
+ outofsubtree = FALSE;
+ break;
+ } else {
+ dnlen = strlen (dn);
+ subtreelen = strlen(subtreelist[tre]);
+ if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
+ outofsubtree = FALSE;
+ break;
+ }
+ }
+ }
+
+ for (tre=0; tre < ntrees; ++tre) {
+ free(subtreelist[tre]);
+ }
+
+ if (outofsubtree == TRUE) {
+ st = EINVAL;
+ krb5_set_error_message(context, st, "DN is out of the realm subtree");
+ goto cleanup;
+ }
+
+ /*
+ * dn value will be set either by dn, linkdn or the standalone_principal_dn
+ * In the first 2 cases, the dn should be existing and in the last case we
+ * are supposed to create the ldap object. so the below should not be
+ * executed for the last case.
+ */
+
+ if (standalone_principal_dn == NULL) {
+ /*
+ * If the ldap object is missing, this results in an error.
+ */
+
+ /*
+ * Search for krbprincipalname attribute here.
+ * This is to find if a kerberos identity is already present
+ * on the ldap object, in which case adding a kerberos identity
+ * on the ldap object should result in an error.
+ */
+ char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
+
+ LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
+ if (st == LDAP_SUCCESS) {
+ ent = ldap_first_entry(ld, result);
+ if (ent != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
+ ldap_value_free(values);
+ }
+
+ if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
+ krb_identity_exists = TRUE;
+ ldap_value_free(values);
+ }
+ }
+ ldap_msgfree(result);
+ } else {
+ st = set_ldap_error(context, st, OP_SEARCH);
+ goto cleanup;
+ }
+ }
+ }
+
+ /*
+ * If xargs.dn is set then the request is to add a
+ * kerberos principal on a ldap object, but if
+ * there is one already on the ldap object this
+ * should result in an error.
+ */
+
+ if (xargs.dn != NULL && krb_identity_exists == TRUE) {
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf), "ldap object is already kerberized");
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
+
+ if (xargs.linkdn != NULL) {
+ /*
+ * link information can be changed using modprinc.
+ * However, link information can be changed only on the
+ * standalone kerberos principal objects. A standalone
+ * kerberos principal object is of type krbprincipal
+ * structural objectclass.
+ *
+ * NOTE: kerberos principals on an ldap object can't be
+ * linked to other ldap objects.
+ */
+ if (optype == MODIFY_PRINCIPAL &&
+ kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) {
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf),
+ "link information can not be set/updated as the kerberos principal belongs to an ldap object");
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
/*
* Check the link information. If there is already a link
* existing then this operation is not allowed.
}
}
- establish_links = TRUE;
- }
-
- if (entries->mask & KADM5_LAST_SUCCESS) {
- memset(strval, 0, sizeof(strval));
- if ((strval[0]=getstringtime(entries->last_success)) == NULL)
- goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
- free (strval[0]);
- }
-
- if (entries->mask & KADM5_LAST_FAILED) {
- memset(strval, 0, sizeof(strval));
- if ((strval[0]=getstringtime(entries->last_failed)) == NULL)
- goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
- free(strval[0]);
- }
-
- if (entries->mask & KADM5_FAIL_AUTH_COUNT) {
- krb5_kvno fail_auth_count;
-
- fail_auth_count = entries->fail_auth_count;
- if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
- fail_auth_count++;
-
- st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
- LDAP_MOD_REPLACE,
- fail_auth_count);
- if (st != 0)
- goto cleanup;
- } else if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) {
- /*
- * If the client library and server supports RFC 4525,
- * then use it to increment by one the value of the
- * krbLoginFailedCount attribute. Otherwise, assert the
- * (provided) old value by deleting it before adding.
- */
+ establish_links = TRUE;
+ }
+
+ if (entries->mask & KADM5_LAST_SUCCESS) {
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0]=getstringtime(entries->last_success)) == NULL)
+ goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) {
+ free (strval[0]);
+ goto cleanup;
+ }
+ free (strval[0]);
+ }
+
+ if (entries->mask & KADM5_LAST_FAILED) {
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0]=getstringtime(entries->last_failed)) == NULL)
+ goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) {
+ free (strval[0]);
+ goto cleanup;
+ }
+ free(strval[0]);
+ }
+
+ if (entries->mask & KADM5_FAIL_AUTH_COUNT) {
+ krb5_kvno fail_auth_count;
+
+ fail_auth_count = entries->fail_auth_count;
+ if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
+ fail_auth_count++;
+
+ st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
+ LDAP_MOD_REPLACE,
+ fail_auth_count);
+ if (st != 0)
+ goto cleanup;
+ } else if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) {
+ /*
+ * If the client library and server supports RFC 4525,
+ * then use it to increment by one the value of the
+ * krbLoginFailedCount attribute. Otherwise, assert the
+ * (provided) old value by deleting it before adding.
+ */
#ifdef LDAP_MOD_INCREMENT
- if (ldap_server_handle->server_info->modify_increment) {
- st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
- LDAP_MOD_INCREMENT, 1);
- if (st != 0)
- goto cleanup;
- } else
+ if (ldap_server_handle->server_info->modify_increment) {
+ st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
+ LDAP_MOD_INCREMENT, 1);
+ if (st != 0)
+ goto cleanup;
+ } else
#endif /* LDAP_MOD_INCREMENT */
- if (entries->fail_auth_count == 0) {
- /*
- * Unfortunately we have no way of distinguishing between
- * an absent and a zero-valued attribute by the time we are
- * called here. So, although this creates a race condition,
- * it appears impossible to assert the old value as that
- * would fail were the attribute absent.
- */
- st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
- LDAP_MOD_REPLACE, 1);
- if (st != 0)
- goto cleanup;
- } else {
- st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
- LDAP_MOD_DELETE,
- entries->fail_auth_count);
- if (st != 0)
- goto cleanup;
-
- st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
- LDAP_MOD_ADD,
- entries->fail_auth_count + 1);
- if (st != 0)
- goto cleanup;
- }
- }
-
- if (entries->mask & KADM5_MAX_LIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entries->max_life)) != 0)
- goto cleanup;
- }
-
- if (entries->mask & KADM5_MAX_RLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
- entries->max_renewable_life)) != 0)
- goto cleanup;
- }
-
- if (entries->mask & KADM5_ATTRIBUTES) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
- entries->attributes)) != 0)
- goto cleanup;
- }
-
- if (entries->mask & KADM5_PRINCIPAL) {
- memset(strval, 0, sizeof(strval));
- strval[0] = user;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0)
- goto cleanup;
- }
-
- if (entries->mask & KADM5_PRINC_EXPIRE_TIME) {
- memset(strval, 0, sizeof(strval));
- if ((strval[0]=getstringtime(entries->expiration)) == NULL)
- goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
- free (strval[0]);
- }
-
- if (entries->mask & KADM5_PW_EXPIRATION) {
- memset(strval, 0, sizeof(strval));
- if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
- goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration",
- LDAP_MOD_REPLACE,
- strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
- free (strval[0]);
- }
-
- if (entries->mask & KADM5_POLICY) {
- memset(&princ_ent, 0, sizeof(princ_ent));
- for (tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) {
- if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) {
- /* FIX ME: I guess the princ_ent should be freed after this call */
- if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) {
- goto cleanup;
- }
- }
- }
-
- if (princ_ent.aux_attributes & KADM5_POLICY) {
- memset(strval, 0, sizeof(strval));
- if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0)
- goto cleanup;
- strval[0] = polname;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
- goto cleanup;
- } else {
- st = EINVAL;
- krb5_set_error_message(context, st, "Password policy value null");
- goto cleanup;
- }
- } else if (entries->mask & KADM5_LOAD && found_entry == TRUE) {
- /*
- * a load is special in that existing entries must have attrs that
- * removed.
- */
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0)
- goto cleanup;
- }
-
- if (entries->mask & KADM5_POLICY_CLR) {
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
- goto cleanup;
- }
-
- if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) {
+ if (entries->fail_auth_count == 0) {
+ /*
+ * Unfortunately we have no way of distinguishing between
+ * an absent and a zero-valued attribute by the time we are
+ * called here. So, although this creates a race condition,
+ * it appears impossible to assert the old value as that
+ * would fail were the attribute absent.
+ */
+ st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
+ LDAP_MOD_REPLACE, 1);
+ if (st != 0)
+ goto cleanup;
+ } else {
+ st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
+ LDAP_MOD_DELETE,
+ entries->fail_auth_count);
+ if (st != 0)
+ goto cleanup;
+
+ st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
+ LDAP_MOD_ADD,
+ entries->fail_auth_count + 1);
+ if (st != 0)
+ goto cleanup;
+ }
+ }
+
+ if (entries->mask & KADM5_MAX_LIFE) {
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entries->max_life)) != 0)
+ goto cleanup;
+ }
+
+ if (entries->mask & KADM5_MAX_RLIFE) {
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
+ entries->max_renewable_life)) != 0)
+ goto cleanup;
+ }
+
+ if (entries->mask & KADM5_ATTRIBUTES) {
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
+ entries->attributes)) != 0)
+ goto cleanup;
+ }
+
+ if (entries->mask & KADM5_PRINCIPAL) {
+ memset(strval, 0, sizeof(strval));
+ strval[0] = user;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0)
+ goto cleanup;
+ }
+
+ if (entries->mask & KADM5_PRINC_EXPIRE_TIME) {
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0]=getstringtime(entries->expiration)) == NULL)
+ goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) {
+ free (strval[0]);
+ goto cleanup;
+ }
+ free (strval[0]);
+ }
+
+ if (entries->mask & KADM5_PW_EXPIRATION) {
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
+ goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration",
+ LDAP_MOD_REPLACE,
+ strval)) != 0) {
+ free (strval[0]);
+ goto cleanup;
+ }
+ free (strval[0]);
+ }
+
+ if (entries->mask & KADM5_POLICY) {
+ memset(&princ_ent, 0, sizeof(princ_ent));
+ for (tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) {
+ if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) {
+ /* FIX ME: I guess the princ_ent should be freed after this call */
+ if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) {
+ goto cleanup;
+ }
+ }
+ }
+
+ if (princ_ent.aux_attributes & KADM5_POLICY) {
+ memset(strval, 0, sizeof(strval));
+ if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0)
+ goto cleanup;
+ strval[0] = polname;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
+ goto cleanup;
+ } else {
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Password policy value null");
+ goto cleanup;
+ }
+ } else if (entries->mask & KADM5_LOAD && found_entry == TRUE) {
+ /*
+ * a load is special in that existing entries must have attrs that
+ * removed.
+ */
+
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0)
+ goto cleanup;
+ }
+
+ if (entries->mask & KADM5_POLICY_CLR) {
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
+ goto cleanup;
+ }
+
+ if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) {
krb5_kvno mkvno;
if ((st=krb5_dbe_lookup_mkvno(context, entries, &mkvno)) != 0)
goto cleanup;
- bersecretkey = krb5_encode_krbsecretkey (entries->key_data,
- entries->n_key_data, mkvno);
-
- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
- LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
- goto cleanup;
-
- if (!(entries->mask & KADM5_PRINCIPAL)) {
- memset(strval, 0, sizeof(strval));
- if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
- goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods,
- "krbpasswordexpiration",
- LDAP_MOD_REPLACE, strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
- free (strval[0]);
- }
-
- /* Update last password change whenever a new key is set */
- {
- krb5_timestamp last_pw_changed;
- if ((st=krb5_dbe_lookup_last_pwd_change(context, entries,
- &last_pw_changed)) != 0)
- goto cleanup;
-
- memset(strval, 0, sizeof(strval));
- if ((strval[0] = getstringtime(last_pw_changed)) == NULL)
- goto cleanup;
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange",
- LDAP_MOD_REPLACE, strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
- free (strval[0]);
- }
-
- } /* Modify Key data ends here */
-
- /* Set tl_data */
- if (entries->tl_data != NULL) {
- int count = 0;
- struct berval **ber_tl_data = NULL;
- krb5_tl_data *ptr;
- for (ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
- if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
+ bersecretkey = krb5_encode_krbsecretkey (entries->key_data,
+ entries->n_key_data, mkvno);
+
+ if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
+ LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
+ goto cleanup;
+
+ if (!(entries->mask & KADM5_PRINCIPAL)) {
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
+ goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods,
+ "krbpasswordexpiration",
+ LDAP_MOD_REPLACE, strval)) != 0) {
+ free (strval[0]);
+ goto cleanup;
+ }
+ free (strval[0]);
+ }
+
+ /* Update last password change whenever a new key is set */
+ {
+ krb5_timestamp last_pw_changed;
+ if ((st=krb5_dbe_lookup_last_pwd_change(context, entries,
+ &last_pw_changed)) != 0)
+ goto cleanup;
+
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0] = getstringtime(last_pw_changed)) == NULL)
+ goto cleanup;
+
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange",
+ LDAP_MOD_REPLACE, strval)) != 0) {
+ free (strval[0]);
+ goto cleanup;
+ }
+ free (strval[0]);
+ }
+
+ } /* Modify Key data ends here */
+
+ /* Set tl_data */
+ if (entries->tl_data != NULL) {
+ int count = 0;
+ struct berval **ber_tl_data = NULL;
+ krb5_tl_data *ptr;
+ for (ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
+ if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
#ifdef SECURID
- || ptr->tl_data_type == KRB5_TL_DB_ARGS
+ || ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
- || ptr->tl_data_type == KRB5_TL_KADM_DATA
- || ptr->tl_data_type == KDB_TL_USER_INFO
- || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL)
- continue;
- count++;
- }
- if (count != 0) {
- int j;
- ber_tl_data = (struct berval **) calloc (count + 1,
- sizeof (struct berval*));
- if (ber_tl_data == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- for (j = 0, ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
- /* Ignore tl_data that are stored in separate directory
- * attributes */
- if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
+ || ptr->tl_data_type == KRB5_TL_KADM_DATA
+ || ptr->tl_data_type == KDB_TL_USER_INFO
+ || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL)
+ continue;
+ count++;
+ }
+ if (count != 0) {
+ int j;
+ ber_tl_data = (struct berval **) calloc (count + 1,
+ sizeof (struct berval*));
+ if (ber_tl_data == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+ for (j = 0, ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
+ /* Ignore tl_data that are stored in separate directory
+ * attributes */
+ if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
#ifdef SECURID
- || ptr->tl_data_type == KRB5_TL_DB_ARGS
+ || ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
- || ptr->tl_data_type == KRB5_TL_KADM_DATA
- || ptr->tl_data_type == KDB_TL_USER_INFO
- || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL)
- continue;
- if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
- break;
- j++;
- }
- if (st != 0) {
- for (j = 0; ber_tl_data[j] != NULL; j++) {
- free (ber_tl_data[j]->bv_val);
- free (ber_tl_data[j]);
- }
- free (ber_tl_data);
- goto cleanup;
- }
- ber_tl_data[count] = NULL;
- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData",
- LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
- ber_tl_data)) != 0)
- goto cleanup;
- }
- }
-
- /* Directory specific attribute */
- if (xargs.tktpolicydn != NULL) {
- int tmask=0;
-
- if (strlen(xargs.tktpolicydn) != 0) {
- st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
- CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: ");
-
- strval[0] = xargs.tktpolicydn;
- strval[1] = NULL;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
- goto cleanup;
-
- } else {
- /* if xargs.tktpolicydn is a empty string, then delete
- * already existing krbticketpolicyreference attr */
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
- goto cleanup;
- }
-
- }
-
- if (establish_links == TRUE) {
- memset(strval, 0, sizeof(strval));
- strval[0] = xargs.linkdn;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0)
- goto cleanup;
- }
-
- /*
- * in case mods is NULL then return
- * not sure but can happen in a modprinc
- * so no need to return an error
- * addprinc will at least have the principal name
- * and the keys passed in
- */
- if (mods == NULL)
- goto cleanup;
-
- if (create_standalone_prinicipal == TRUE) {
- memset(strval, 0, sizeof(strval));
- strval[0] = "krbprincipal";
- strval[1] = "krbprincipalaux";
- strval[2] = "krbTicketPolicyAux";
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
-
- st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
- if (st == LDAP_ALREADY_EXISTS && entries->mask & KADM5_LOAD) {
- /* a load operation must replace an existing entry */
- st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL);
- if (st != LDAP_SUCCESS) {
- snprintf(errbuf, sizeof(errbuf), "Principal delete failed (trying to replace entry): %s",
- ldap_err2string(st));
- st = translate_ldap_error (st, OP_ADD);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- } else {
- st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
- }
- }
- if (st != LDAP_SUCCESS) {
- snprintf(errbuf, sizeof(errbuf), "Principal add failed: %s", ldap_err2string(st));
- st = translate_ldap_error (st, OP_ADD);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
- } else {
- /*
- * Here existing ldap object is modified and can be related
- * to any attribute, so always ensure that the ldap
- * object is extended with all the kerberos related
- * objectclasses so that there are no constraint
- * violations.
- */
- {
- char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL};
- int p, q, r=0, amask=0;
-
- if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn,
- "objectclass", attrvalues, &amask)) != 0)
- goto cleanup;
-
- memset(strval, 0, sizeof(strval));
- for (p=1, q=0; p<=2; p<<=1, ++q) {
- if ((p & amask) == 0)
- strval[r++] = attrvalues[q];
- }
- if (r != 0) {
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
- }
- }
- if (xargs.dn != NULL)
- st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL);
- else
- st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL);
-
- if (st != LDAP_SUCCESS) {
- snprintf(errbuf, sizeof(errbuf), "User modification failed: %s", ldap_err2string(st));
- st = translate_ldap_error (st, OP_MOD);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
-
- if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
- entries->fail_auth_count++;
- }
+ || ptr->tl_data_type == KRB5_TL_KADM_DATA
+ || ptr->tl_data_type == KDB_TL_USER_INFO
+ || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL)
+ continue;
+ if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
+ break;
+ j++;
+ }
+ if (st != 0) {
+ for (j = 0; ber_tl_data[j] != NULL; j++) {
+ free (ber_tl_data[j]->bv_val);
+ free (ber_tl_data[j]);
+ }
+ free (ber_tl_data);
+ goto cleanup;
+ }
+ ber_tl_data[count] = NULL;
+ if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData",
+ LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
+ ber_tl_data)) != 0)
+ goto cleanup;
+ }
+ }
+
+ /* Directory specific attribute */
+ if (xargs.tktpolicydn != NULL) {
+ int tmask=0;
+
+ if (strlen(xargs.tktpolicydn) != 0) {
+ st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
+ CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: ");
+
+ strval[0] = xargs.tktpolicydn;
+ strval[1] = NULL;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
+ goto cleanup;
+
+ } else {
+ /* if xargs.tktpolicydn is a empty string, then delete
+ * already existing krbticketpolicyreference attr */
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
+ goto cleanup;
+ }
+
+ }
+
+ if (establish_links == TRUE) {
+ memset(strval, 0, sizeof(strval));
+ strval[0] = xargs.linkdn;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0)
+ goto cleanup;
+ }
+
+ /*
+ * in case mods is NULL then return
+ * not sure but can happen in a modprinc
+ * so no need to return an error
+ * addprinc will at least have the principal name
+ * and the keys passed in
+ */
+ if (mods == NULL)
+ goto cleanup;
+
+ if (create_standalone_prinicipal == TRUE) {
+ memset(strval, 0, sizeof(strval));
+ strval[0] = "krbprincipal";
+ strval[1] = "krbprincipalaux";
+ strval[2] = "krbTicketPolicyAux";
+
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
+ goto cleanup;
+
+ st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
+ if (st == LDAP_ALREADY_EXISTS && entries->mask & KADM5_LOAD) {
+ /* a load operation must replace an existing entry */
+ st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL);
+ if (st != LDAP_SUCCESS) {
+ snprintf(errbuf, sizeof(errbuf), "Principal delete failed (trying to replace entry): %s",
+ ldap_err2string(st));
+ st = translate_ldap_error (st, OP_ADD);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ } else {
+ st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
+ }
+ }
+ if (st != LDAP_SUCCESS) {
+ snprintf(errbuf, sizeof(errbuf), "Principal add failed: %s", ldap_err2string(st));
+ st = translate_ldap_error (st, OP_ADD);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
+ } else {
+ /*
+ * Here existing ldap object is modified and can be related
+ * to any attribute, so always ensure that the ldap
+ * object is extended with all the kerberos related
+ * objectclasses so that there are no constraint
+ * violations.
+ */
+ {
+ char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL};
+ int p, q, r=0, amask=0;
+
+ if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn,
+ "objectclass", attrvalues, &amask)) != 0)
+ goto cleanup;
+
+ memset(strval, 0, sizeof(strval));
+ for (p=1, q=0; p<=2; p<<=1, ++q) {
+ if ((p & amask) == 0)
+ strval[r++] = attrvalues[q];
+ }
+ if (r != 0) {
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
+ goto cleanup;
+ }
+ }
+ if (xargs.dn != NULL)
+ st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL);
+ else
+ st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL);
+
+ if (st != LDAP_SUCCESS) {
+ snprintf(errbuf, sizeof(errbuf), "User modification failed: %s", ldap_err2string(st));
+ st = translate_ldap_error (st, OP_MOD);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
+
+ if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
+ entries->fail_auth_count++;
+ }
}
cleanup:
if (user)
- free(user);
+ free(user);
free_xargs(xargs);
if (standalone_principal_dn)
- free(standalone_principal_dn);
+ free(standalone_principal_dn);
if (principal_dn)
- free (principal_dn);
+ free (principal_dn);
if (polname != NULL)
- free(polname);
+ free(polname);
if (subtree)
- free (subtree);
+ free (subtree);
if (bersecretkey) {
- for (l=0; bersecretkey[l]; ++l) {
- if (bersecretkey[l]->bv_val)
- free (bersecretkey[l]->bv_val);
- free (bersecretkey[l]);
- }
- free (bersecretkey);
+ for (l=0; bersecretkey[l]; ++l) {
+ if (bersecretkey[l]->bv_val)
+ free (bersecretkey[l]->bv_val);
+ free (bersecretkey[l]);
+ }
+ free (bersecretkey);
}
if (keys)
- free (keys);
+ free (keys);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
}
krb5_error_code
-krb5_read_tkt_policy (context, ldap_context, entries, policy)
- krb5_context context;
- krb5_ldap_context *ldap_context;
- krb5_db_entry *entries;
- char *policy;
+krb5_read_tkt_policy(krb5_context context, krb5_ldap_context *ldap_context,
+ krb5_db_entry *entries, char *policy)
{
krb5_error_code st=0;
unsigned int mask=0, omask=0;
krb5_ldap_policy_params *tktpoldnparam=NULL;
if ((st=krb5_get_attributes_mask(context, entries, &mask)) != 0)
- goto cleanup;
+ goto cleanup;
if ((mask & tkt_mask) == tkt_mask)
- goto cleanup;
+ goto cleanup;
if (policy != NULL) {
- st = krb5_ldap_read_policy(context, policy, &tktpoldnparam, &omask);
- if (st && st != KRB5_KDB_NOENTRY) {
- prepend_err_str(context, "Error reading ticket policy. ", st, st);
- goto cleanup;
- }
+ st = krb5_ldap_read_policy(context, policy, &tktpoldnparam, &omask);
+ if (st && st != KRB5_KDB_NOENTRY) {
+ prepend_err_str(context, "Error reading ticket policy. ", st, st);
+ goto cleanup;
+ }
- st = 0; /* reset the return status */
+ st = 0; /* reset the return status */
}
if ((mask & KDB_MAX_LIFE_ATTR) == 0) {
- if ((omask & KDB_MAX_LIFE_ATTR) == KDB_MAX_LIFE_ATTR)
- entries->max_life = tktpoldnparam->maxtktlife;
- else if (ldap_context->lrparams->max_life)
- entries->max_life = ldap_context->lrparams->max_life;
+ if ((omask & KDB_MAX_LIFE_ATTR) == KDB_MAX_LIFE_ATTR)
+ entries->max_life = tktpoldnparam->maxtktlife;
+ else if (ldap_context->lrparams->max_life)
+ entries->max_life = ldap_context->lrparams->max_life;
}
if ((mask & KDB_MAX_RLIFE_ATTR) == 0) {
- if ((omask & KDB_MAX_RLIFE_ATTR) == KDB_MAX_RLIFE_ATTR)
- entries->max_renewable_life = tktpoldnparam->maxrenewlife;
- else if (ldap_context->lrparams->max_renewable_life)
- entries->max_renewable_life = ldap_context->lrparams->max_renewable_life;
+ if ((omask & KDB_MAX_RLIFE_ATTR) == KDB_MAX_RLIFE_ATTR)
+ entries->max_renewable_life = tktpoldnparam->maxrenewlife;
+ else if (ldap_context->lrparams->max_renewable_life)
+ entries->max_renewable_life = ldap_context->lrparams->max_renewable_life;
}
if ((mask & KDB_TKT_FLAGS_ATTR) == 0) {
- if ((omask & KDB_TKT_FLAGS_ATTR) == KDB_TKT_FLAGS_ATTR)
- entries->attributes = tktpoldnparam->tktflags;
- else if (ldap_context->lrparams->tktflags)
- entries->attributes |= ldap_context->lrparams->tktflags;
+ if ((omask & KDB_TKT_FLAGS_ATTR) == KDB_TKT_FLAGS_ATTR)
+ entries->attributes = tktpoldnparam->tktflags;
+ else if (ldap_context->lrparams->tktflags)
+ entries->attributes |= ldap_context->lrparams->tktflags;
}
krb5_ldap_free_policy(context, tktpoldnparam);
}
krb5_error_code
-krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data, mkvno)
- krb5_context context;
- krb5_db_entry *entries;
- struct berval **bvalues;
- krb5_tl_data *userinfo_tl_data;
- krb5_kvno *mkvno;
+krb5_decode_krbsecretkey(krb5_context context, krb5_db_entry *entries,
+ struct berval **bvalues,
+ krb5_tl_data *userinfo_tl_data, krb5_kvno *mkvno)
{
char *user=NULL;
int i=0, j=0, noofkeys=0;
krb5_error_code st=0;
if ((st=krb5_unparse_name(context, entries->princ, &user)) != 0)
- goto cleanup;
+ goto cleanup;
for (i=0; bvalues[i] != NULL; ++i) {
- krb5_int16 n_kd;
- krb5_key_data *kd;
- krb5_data in;
-
- if (bvalues[i]->bv_len == 0)
- continue;
- in.length = bvalues[i]->bv_len;
- in.data = bvalues[i]->bv_val;
-
- st = asn1_decode_sequence_of_keys (&in,
- &kd,
- &n_kd,
- mkvno);
-
- if (st != 0) {
- const char *msg = error_message(st);
- st = -1; /* Something more appropriate ? */
- krb5_set_error_message (context, st,
- "unable to decode stored principal key data (%s)", msg);
- goto cleanup;
- }
- noofkeys += n_kd;
- tmp = key_data;
- key_data = realloc (key_data, noofkeys * sizeof (krb5_key_data));
- if (key_data == NULL) {
- key_data = tmp;
- st = ENOMEM;
- goto cleanup;
- }
- for (j = 0; j < n_kd; j++)
- key_data[noofkeys - n_kd + j] = kd[j];
- free (kd);
+ krb5_int16 n_kd;
+ krb5_key_data *kd;
+ krb5_data in;
+
+ if (bvalues[i]->bv_len == 0)
+ continue;
+ in.length = bvalues[i]->bv_len;
+ in.data = bvalues[i]->bv_val;
+
+ st = asn1_decode_sequence_of_keys (&in,
+ &kd,
+ &n_kd,
+ mkvno);
+
+ if (st != 0) {
+ const char *msg = error_message(st);
+ st = -1; /* Something more appropriate ? */
+ krb5_set_error_message (context, st,
+ "unable to decode stored principal key data (%s)", msg);
+ goto cleanup;
+ }
+ noofkeys += n_kd;
+ tmp = key_data;
+ key_data = realloc (key_data, noofkeys * sizeof (krb5_key_data));
+ if (key_data == NULL) {
+ key_data = tmp;
+ st = ENOMEM;
+ goto cleanup;
+ }
+ for (j = 0; j < n_kd; j++)
+ key_data[noofkeys - n_kd + j] = kd[j];
+ free (kd);
}
entries->n_key_data = noofkeys;
}
static char *
-getstringtime(epochtime)
- krb5_timestamp epochtime;
+getstringtime(krb5_timestamp epochtime)
{
struct tm tme;
char *strtime=NULL;
- time_t posixtime = epochtime;
+ time_t posixtime = epochtime;
strtime = calloc (50, 1);
if (strtime == NULL)
- return NULL;
+ return NULL;
if (gmtime_r(&posixtime, &tme) == NULL)
- return NULL;
+ return NULL;
strftime(strtime, 50, "%Y%m%d%H%M%SZ", &tme);
return strtime;
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_pwd_policy.c
*
#include "ldap_err.h"
static char *password_policy_attributes[] = { "cn", "krbmaxpwdlife", "krbminpwdlife",
- "krbpwdmindiffchars", "krbpwdminlength",
- "krbpwdhistorylength", "krbpwdmaxfailure",
- "krbpwdfailurecountinterval",
- "krbpwdlockoutduration", NULL };
+ "krbpwdmindiffchars", "krbpwdminlength",
+ "krbpwdhistorylength", "krbpwdmaxfailure",
+ "krbpwdfailurecountinterval",
+ "krbpwdlockoutduration", NULL };
/*
* Function to create password policy object.
*/
krb5_error_code
-krb5_ldap_create_password_policy (context, policy)
- krb5_context context;
- osa_policy_ent_t policy;
+krb5_ldap_create_password_policy(krb5_context context, osa_policy_ent_t policy)
{
- krb5_error_code st=0;
- LDAP *ld=NULL;
- LDAPMod **mods={NULL};
+ krb5_error_code st=0;
+ LDAP *ld=NULL;
+ LDAPMod **mods={NULL};
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
/* validate the input parameters */
if (policy == NULL || policy->name == NULL)
- return EINVAL;
+ return EINVAL;
SETUP_CONTEXT();
GET_HANDLE();
st = krb5_ldap_name_to_policydn (context, policy->name, &policy_dn);
if (st != 0)
- goto cleanup;
+ goto cleanup;
/* get the first component of the dn to set the cn attribute */
rdns = ldap_explode_dn(policy_dn, 1);
if (rdns == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st, "Invalid password policy DN syntax");
- goto cleanup;
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Invalid password policy DN syntax");
+ goto cleanup;
}
strval[0] = rdns[0];
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ goto cleanup;
strval[0] = "krbPwdPolicy";
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ goto cleanup;
if (((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxpwdlife", LDAP_MOD_ADD,
- (signed) policy->pw_max_life)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbminpwdlife", LDAP_MOD_ADD,
- (signed) policy->pw_min_life)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmindiffchars", LDAP_MOD_ADD,
- (signed) policy->pw_min_classes)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdminlength", LDAP_MOD_ADD,
- (signed) policy->pw_min_length)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdhistorylength", LDAP_MOD_ADD,
- (signed) policy->pw_history_num)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmaxfailure", LDAP_MOD_ADD,
- (signed) policy->pw_max_fail)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdfailurecountinterval", LDAP_MOD_ADD,
- (signed) policy->pw_failcnt_interval)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdlockoutduration", LDAP_MOD_ADD,
- (signed) policy->pw_lockout_duration)) != 0))
- goto cleanup;
+ (signed) policy->pw_max_life)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbminpwdlife", LDAP_MOD_ADD,
+ (signed) policy->pw_min_life)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmindiffchars", LDAP_MOD_ADD,
+ (signed) policy->pw_min_classes)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdminlength", LDAP_MOD_ADD,
+ (signed) policy->pw_min_length)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdhistorylength", LDAP_MOD_ADD,
+ (signed) policy->pw_history_num)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmaxfailure", LDAP_MOD_ADD,
+ (signed) policy->pw_max_fail)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdfailurecountinterval", LDAP_MOD_ADD,
+ (signed) policy->pw_failcnt_interval)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdlockoutduration", LDAP_MOD_ADD,
+ (signed) policy->pw_lockout_duration)) != 0))
+ goto cleanup;
/* password policy object creation */
if ((st=ldap_add_ext_s(ld, policy_dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_ADD);
- goto cleanup;
+ st = set_ldap_error (context, st, OP_ADD);
+ goto cleanup;
}
cleanup:
if (rdns)
- ldap_value_free(rdns);
+ ldap_value_free(rdns);
if (policy_dn != NULL)
- free (policy_dn);
+ free (policy_dn);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return(st);
*/
krb5_error_code
-krb5_ldap_put_password_policy (context, policy)
- krb5_context context;
- osa_policy_ent_t policy;
+krb5_ldap_put_password_policy(krb5_context context, osa_policy_ent_t policy)
{
char *policy_dn;
- krb5_error_code st=0;
- LDAP *ld=NULL;
- LDAPMod **mods=NULL;
+ krb5_error_code st=0;
+ LDAP *ld=NULL;
+ LDAPMod **mods=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
/* validate the input parameters */
if (policy == NULL || policy->name == NULL)
- return EINVAL;
+ return EINVAL;
SETUP_CONTEXT();
GET_HANDLE();
st = krb5_ldap_name_to_policydn (context, policy->name, &policy_dn);
if (st != 0)
- goto cleanup;
+ goto cleanup;
if (((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxpwdlife", LDAP_MOD_REPLACE,
- (signed) policy->pw_max_life)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbminpwdlife", LDAP_MOD_REPLACE,
- (signed) policy->pw_min_life)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmindiffchars", LDAP_MOD_REPLACE,
- (signed) policy->pw_min_classes)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdminlength", LDAP_MOD_REPLACE,
- (signed) policy->pw_min_length)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdhistorylength", LDAP_MOD_REPLACE,
- (signed) policy->pw_history_num)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmaxfailure", LDAP_MOD_REPLACE,
- (signed) policy->pw_max_fail)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdfailurecountinterval", LDAP_MOD_REPLACE,
- (signed) policy->pw_failcnt_interval)) != 0)
- || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdlockoutduration", LDAP_MOD_REPLACE,
- (signed) policy->pw_lockout_duration)) != 0))
- goto cleanup;
+ (signed) policy->pw_max_life)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbminpwdlife", LDAP_MOD_REPLACE,
+ (signed) policy->pw_min_life)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmindiffchars", LDAP_MOD_REPLACE,
+ (signed) policy->pw_min_classes)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdminlength", LDAP_MOD_REPLACE,
+ (signed) policy->pw_min_length)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdhistorylength", LDAP_MOD_REPLACE,
+ (signed) policy->pw_history_num)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmaxfailure", LDAP_MOD_REPLACE,
+ (signed) policy->pw_max_fail)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdfailurecountinterval", LDAP_MOD_REPLACE,
+ (signed) policy->pw_failcnt_interval)) != 0)
+ || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdlockoutduration", LDAP_MOD_REPLACE,
+ (signed) policy->pw_lockout_duration)) != 0))
+ goto cleanup;
/* modify the password policy object. */
/*
* management of only such policy objects.
*/
if ((st=ldap_modify_ext_s(ld, policy_dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
}
cleanup:
if (policy_dn != NULL)
- free (policy_dn);
+ free (policy_dn);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return(st);
static krb5_error_code
populate_policy(krb5_context context,
- LDAP *ld,
- LDAPMessage *ent,
- char *pol_name,
- osa_policy_ent_t pol_entry)
+ LDAP *ld,
+ LDAPMessage *ent,
+ char *pol_name,
+ osa_policy_ent_t pol_entry)
{
int st = 0;
char *pol_dn;
/* Get the reference count */
pol_dn = ldap_get_dn(ld, ent);
st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
- &(pol_entry->policy_refcnt), ld);
+ &(pol_entry->policy_refcnt), ld);
ldap_memfree(pol_dn);
cleanup:
}
static krb5_error_code
-krb5_ldap_get_password_policy_from_dn (krb5_context context,
- char *pol_name,
- char *pol_dn,
- osa_policy_ent_t *policy,
- int *cnt)
+krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
+ char *pol_dn, osa_policy_ent_t *policy,
+ int *cnt)
{
krb5_error_code st=0, tempst=0;
- LDAP *ld=NULL;
+ LDAP *ld=NULL;
LDAPMessage *result=NULL,*ent=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
/* validate the input parameters */
if (pol_dn == NULL)
- return EINVAL;
+ return EINVAL;
*policy = NULL;
SETUP_CONTEXT();
*cnt = 0;
*(policy) = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec));
if (*policy == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
memset(*policy, 0, sizeof(osa_policy_ent_rec));
ent=ldap_first_entry(ld, result);
if (ent != NULL) {
- if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)
- goto cleanup;
+ if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)
+ goto cleanup;
#if 0 /************** Begin IFDEF'ed OUT *******************************/
- krb5_ldap_get_value(ld, ent, "krbmaxpwdlife", &((*policy)->pw_max_life));
- krb5_ldap_get_value(ld, ent, "krbminpwdlife", &((*policy)->pw_min_life));
- krb5_ldap_get_value(ld, ent, "krbpwdmindiffchars", &((*policy)->pw_min_classes));
- krb5_ldap_get_value(ld, ent, "krbpwdminlength", &((*policy)->pw_min_length));
- krb5_ldap_get_value(ld, ent, "krbpwdhistorylength", &((*policy)->pw_history_num));
-
- /* Get the reference count */
- st = krb5_ldap_get_reference_count (context,
- name,
- "krbPwdPolicyReference",
- &(*policy)->policy_refcnt,
- ld);
+ krb5_ldap_get_value(ld, ent, "krbmaxpwdlife", &((*policy)->pw_max_life));
+ krb5_ldap_get_value(ld, ent, "krbminpwdlife", &((*policy)->pw_min_life));
+ krb5_ldap_get_value(ld, ent, "krbpwdmindiffchars", &((*policy)->pw_min_classes));
+ krb5_ldap_get_value(ld, ent, "krbpwdminlength", &((*policy)->pw_min_length));
+ krb5_ldap_get_value(ld, ent, "krbpwdhistorylength", &((*policy)->pw_history_num));
+
+ /* Get the reference count */
+ st = krb5_ldap_get_reference_count (context,
+ name,
+ "krbPwdPolicyReference",
+ &(*policy)->policy_refcnt,
+ ld);
#endif /**************** END IFDEF'ed OUT *******************************/
}
cleanup:
ldap_msgfree(result);
if (st != 0) {
- if (*policy != NULL) {
- krb5_ldap_free_password_policy(context, *policy);
- *policy = NULL;
- }
+ if (*policy != NULL) {
+ krb5_ldap_free_password_policy(context, *policy);
+ *policy = NULL;
+ }
}
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
* 'krb5_ldap_get_password_policy_from_dn'
*/
krb5_error_code
-krb5_ldap_get_password_policy (context, name, policy, cnt)
- krb5_context context;
- char *name;
- osa_policy_ent_t *policy;
- int *cnt;
+krb5_ldap_get_password_policy(krb5_context context, char *name,
+ osa_policy_ent_t *policy, int *cnt)
{
krb5_error_code st = 0;
char *policy_dn = NULL;
/* validate the input parameters */
if (name == NULL) {
- st = EINVAL;
- goto cleanup;
+ st = EINVAL;
+ goto cleanup;
}
st = krb5_ldap_name_to_policydn(context, name, &policy_dn);
if (st != 0)
- goto cleanup;
+ goto cleanup;
st = krb5_ldap_get_password_policy_from_dn(context, name, policy_dn, policy, cnt);
cleanup:
if (policy_dn != NULL)
- free (policy_dn);
+ free (policy_dn);
return st;
}
krb5_error_code
-krb5_ldap_delete_password_policy (context, policy)
- krb5_context context;
- char *policy;
+krb5_ldap_delete_password_policy(krb5_context context, char *policy)
{
int mask = 0;
char *policy_dn = NULL, *class[] = {"krbpwdpolicy", NULL};
/* validate the input parameters */
if (policy == NULL)
- return EINVAL;
+ return EINVAL;
SETUP_CONTEXT();
GET_HANDLE();
st = krb5_ldap_name_to_policydn (context, policy, &policy_dn);
if (st != 0)
- goto cleanup;
+ goto cleanup;
/* Ensure that the object is a password policy */
if ((st=checkattributevalue(ld, policy_dn, "objectclass", class, &mask)) != 0)
- goto cleanup;
+ goto cleanup;
if (mask == 0) {
- st = KRB5_KDB_NOENTRY;
- goto cleanup;
+ st = KRB5_KDB_NOENTRY;
+ goto cleanup;
}
if ((st=ldap_delete_ext_s(ld, policy_dn, NULL, NULL)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_DEL);
- goto cleanup;
+ st = set_ldap_error (context, st, OP_DEL);
+ goto cleanup;
}
cleanup:
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
if (policy_dn != NULL)
- free (policy_dn);
+ free (policy_dn);
return st;
}
krb5_error_code
-krb5_ldap_iterate_password_policy(context, match_expr, func, func_arg)
- krb5_context context;
- char *match_expr;
- void (*func) (krb5_pointer, osa_policy_ent_t);
- krb5_pointer func_arg;
+krb5_ldap_iterate_password_policy(krb5_context context, char *match_expr,
+ void (*func)(krb5_pointer, osa_policy_ent_t),
+ krb5_pointer func_arg)
{
osa_policy_ent_rec *entry=NULL;
- char *policy=NULL;
+ char *policy=NULL;
krb5_error_code st=0, tempst=0;
- LDAP *ld=NULL;
- LDAPMessage *result=NULL, *ent=NULL;
+ LDAP *ld=NULL;
+ LDAPMessage *result=NULL, *ent=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
GET_HANDLE();
if (ldap_context->lrparams->realmdn == NULL) {
- st = EINVAL;
- goto cleanup;
+ st = EINVAL;
+ goto cleanup;
}
LDAP_SEARCH(ldap_context->lrparams->realmdn, LDAP_SCOPE_ONELEVEL, "(objectclass=krbpwdpolicy)", password_policy_attributes);
for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) {
- krb5_boolean attr_present;
-
- st = krb5_ldap_get_string(ld, ent, "cn", &policy, &attr_present);
- if (st != 0)
- goto cleanup;
- if (attr_present == FALSE)
- continue;
-
- entry = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec));
- CHECK_NULL(entry);
- memset(entry, 0, sizeof(osa_policy_ent_rec));
- if ((st = populate_policy(context, ld, ent, policy, entry)) != 0)
- goto cleanup;
+ krb5_boolean attr_present;
+
+ st = krb5_ldap_get_string(ld, ent, "cn", &policy, &attr_present);
+ if (st != 0)
+ goto cleanup;
+ if (attr_present == FALSE)
+ continue;
+
+ entry = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec));
+ CHECK_NULL(entry);
+ memset(entry, 0, sizeof(osa_policy_ent_rec));
+ if ((st = populate_policy(context, ld, ent, policy, entry)) != 0)
+ goto cleanup;
#if 0 /************** Begin IFDEF'ed OUT *******************************/
- entry->name = policy;
- entry->version = 1;
-
- krb5_ldap_get_value(ld, ent, "krbmaxpwdlife", &(entry->pw_max_life));
- krb5_ldap_get_value(ld, ent, "krbminpwdlife", &(entry->pw_min_life));
- krb5_ldap_get_value(ld, ent, "krbpwdmindiffchars", &(entry->pw_min_classes));
- krb5_ldap_get_value(ld, ent, "krbpwdminlength", &(entry->pw_min_length));
- krb5_ldap_get_value(ld, ent, "krbpwdhistorylength", &(entry->pw_history_num));
-
- /* Get the reference count */
- st = krb5_ldap_get_reference_count (context,
- policy,
- "krbPwdPolicyReference",
- &(entry->policy_refcnt),
- ld);
+ entry->name = policy;
+ entry->version = 1;
+
+ krb5_ldap_get_value(ld, ent, "krbmaxpwdlife", &(entry->pw_max_life));
+ krb5_ldap_get_value(ld, ent, "krbminpwdlife", &(entry->pw_min_life));
+ krb5_ldap_get_value(ld, ent, "krbpwdmindiffchars", &(entry->pw_min_classes));
+ krb5_ldap_get_value(ld, ent, "krbpwdminlength", &(entry->pw_min_length));
+ krb5_ldap_get_value(ld, ent, "krbpwdhistorylength", &(entry->pw_history_num));
+
+ /* Get the reference count */
+ st = krb5_ldap_get_reference_count (context,
+ policy,
+ "krbPwdPolicyReference",
+ &(entry->policy_refcnt),
+ ld);
#endif /**************** END IFDEF'ed OUT *******************************/
- (*func)(func_arg, entry);
- /* XXX this will free policy so don't free it */
- krb5_ldap_free_password_policy(context, entry);
- entry = NULL;
+ (*func)(func_arg, entry);
+ /* XXX this will free policy so don't free it */
+ krb5_ldap_free_password_policy(context, entry);
+ entry = NULL;
}
ldap_msgfree(result);
cleanup:
if (entry)
- free (entry);
+ free (entry);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
osa_policy_ent_t entry;
{
if (entry) {
- if (entry->name)
- free(entry->name);
- free(entry);
+ if (entry->name)
+ free(entry->name);
+ free(entry);
}
return;
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_pwd_policy.h
*
#define _LDAP_KRBPWDPOLICY_H_
krb5_error_code
-krb5_ldap_get_password_policy (krb5_context , char *, osa_policy_ent_t *, int *);
+krb5_ldap_get_password_policy(krb5_context, char *, osa_policy_ent_t *, int *);
krb5_error_code
-krb5_ldap_create_password_policy (krb5_context , osa_policy_ent_t );
+krb5_ldap_create_password_policy(krb5_context, osa_policy_ent_t);
krb5_error_code
-krb5_ldap_put_password_policy ( krb5_context kcontext, osa_policy_ent_t policy );
+krb5_ldap_put_password_policy(krb5_context kcontext, osa_policy_ent_t policy);
krb5_error_code
-krb5_ldap_delete_password_policy ( krb5_context kcontext, char *policy );
+krb5_ldap_delete_password_policy (krb5_context kcontext, char *policy);
krb5_error_code
krb5_ldap_iterate_password_policy(krb5_context, char *,
- void (*) (krb5_pointer, osa_policy_ent_t ),
- krb5_pointer);
+ void (*)(krb5_pointer, osa_policy_ent_t),
+ krb5_pointer);
void
-krb5_ldap_free_password_policy( krb5_context kcontext, osa_policy_ent_t entry );
+krb5_ldap_free_password_policy(krb5_context kcontext, osa_policy_ent_t entry);
#endif
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_realm.c
*
#define END_OF_LIST -1
char *realm_attributes[] = {"krbSearchScope","krbSubTrees", "krbPrincContainerRef",
- "krbMaxTicketLife", "krbMaxRenewableAge",
- "krbTicketFlags", "krbUpEnabled",
- "krbTicketPolicyReference",
- "krbLdapServers",
- "krbKdcServers", "krbAdmServers",
- "krbPwdServers", NULL};
+ "krbMaxTicketLife", "krbMaxRenewableAge",
+ "krbTicketFlags", "krbUpEnabled",
+ "krbTicketPolicyReference",
+ "krbLdapServers",
+ "krbKdcServers", "krbAdmServers",
+ "krbPwdServers", NULL};
char *policy_attributes[] = { "krbMaxTicketLife",
- "krbMaxRenewableAge",
- "krbTicketFlags",
- NULL };
+ "krbMaxRenewableAge",
+ "krbTicketFlags",
+ NULL };
* Function to remove all special characters from a string (rfc2254).
* Use whenever exact matching is to be done ...
*/
-char *ldap_filter_correct (char *in)
+char *
+ldap_filter_correct (char *in)
{
size_t i, count;
char *out, *ptr;
size_t len = strlen(in);
for (i = 0, count = 0; i < len; i++)
- switch (in[i]) {
- case '*':
- case '(':
- case ')':
- case '\\':
- case '\0':
- count ++;
- }
+ switch (in[i]) {
+ case '*':
+ case '(':
+ case ')':
+ case '\\':
+ case '\0':
+ count ++;
+ }
out = (char *)malloc((len + (count * 2) + 1) * sizeof (char));
assert (out != NULL);
memset(out, 0, len + (count * 2) + 1);
for (i = 0, ptr = out; i < len; i++)
- switch (in[i]) {
- case '*':
- ptr[0] = '\\';
- ptr[1] = '2';
- ptr[2] = 'a';
- ptr += 3;
- break;
- case '(':
- ptr[0] = '\\';
- ptr[1] = '2';
- ptr[2] = '8';
- ptr += 3;
- break;
- case ')':
- ptr[0] = '\\';
- ptr[1] = '2';
- ptr[2] = '9';
- ptr += 3;
- break;
- case '\\':
- ptr[0] = '\\';
- ptr[1] = '5';
- ptr[2] = 'c';
- ptr += 3;
- break;
- case '\0':
- ptr[0] = '\\';
- ptr[1] = '0';
- ptr[2] = '0';
- ptr += 3;
- break;
- default:
- ptr[0] = in[i];
- ptr += 1;
- break;
- }
+ switch (in[i]) {
+ case '*':
+ ptr[0] = '\\';
+ ptr[1] = '2';
+ ptr[2] = 'a';
+ ptr += 3;
+ break;
+ case '(':
+ ptr[0] = '\\';
+ ptr[1] = '2';
+ ptr[2] = '8';
+ ptr += 3;
+ break;
+ case ')':
+ ptr[0] = '\\';
+ ptr[1] = '2';
+ ptr[2] = '9';
+ ptr += 3;
+ break;
+ case '\\':
+ ptr[0] = '\\';
+ ptr[1] = '5';
+ ptr[2] = 'c';
+ ptr += 3;
+ break;
+ case '\0':
+ ptr[0] = '\\';
+ ptr[1] = '0';
+ ptr[2] = '0';
+ ptr += 3;
+ break;
+ default:
+ ptr[0] = in[i];
+ ptr += 1;
+ break;
+ }
/* ptr[count - 1] = '\0'; */
return out;
}
-static int principal_in_realm_2(krb5_principal principal, char *realm) {
+static int
+principal_in_realm_2(krb5_principal principal, char *realm) {
/* Cross realm trust ... */
if (principal->length == 2 &&
- principal->data[0].length == sizeof ("krbtgt") &&
- strncasecmp (principal->data[0].data, "krbtgt", sizeof ("krbtgt")) &&
- principal->data[1].length == strlen (realm) &&
- strncasecmp (principal->data[1].data, realm, strlen (realm)))
- return 0;
+ principal->data[0].length == sizeof ("krbtgt") &&
+ strncasecmp (principal->data[0].data, "krbtgt", sizeof ("krbtgt")) &&
+ principal->data[1].length == strlen (realm) &&
+ strncasecmp (principal->data[1].data, realm, strlen (realm)))
+ return 0;
if (strlen(realm) != principal->realm.length)
- return 1;
+ return 1;
if (strncasecmp(realm, principal->realm.data, principal->realm.length) != 0)
- return 1;
+ return 1;
return 0;
}
*/
krb5_error_code
-krb5_ldap_list_realm(context, realms)
- krb5_context context;
- char ***realms;
+krb5_ldap_list_realm(krb5_context context, char ***realms)
{
char **values = NULL;
unsigned int i = 0;
- int count = 0;
+ int count = 0;
krb5_error_code st = 0, tempst = 0;
LDAP *ld = NULL;
LDAPMessage *result = NULL, *ent = NULL;
/* get the kerberos container DN information */
if (ldap_context->krbcontainer == NULL) {
- if ((st = krb5_ldap_read_krbcontainer_params(context,
- &(ldap_context->krbcontainer))) != 0)
- goto cleanup;
+ if ((st = krb5_ldap_read_krbcontainer_params(context,
+ &(ldap_context->krbcontainer))) != 0)
+ goto cleanup;
}
/* get ldap handle */
GET_HANDLE ();
{
- char *cn[] = {"cn", NULL};
- LDAP_SEARCH(ldap_context->krbcontainer->DN,
- LDAP_SCOPE_ONELEVEL,
- "(objectclass=krbRealmContainer)",
- cn);
+ char *cn[] = {"cn", NULL};
+ LDAP_SEARCH(ldap_context->krbcontainer->DN,
+ LDAP_SCOPE_ONELEVEL,
+ "(objectclass=krbRealmContainer)",
+ cn);
}
*realms = NULL;
count = ldap_count_entries (ld, result);
if (count == -1) {
- ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &st);
- st = set_ldap_error (context, st, OP_SEARCH);
- goto cleanup;
+ ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &st);
+ st = set_ldap_error (context, st, OP_SEARCH);
+ goto cleanup;
}
*realms = calloc((unsigned int) count+1, sizeof (char *));
CHECK_NULL(*realms);
for (ent = ldap_first_entry(ld, result), count = 0; ent != NULL;
- ent = ldap_next_entry(ld, ent)) {
+ ent = ldap_next_entry(ld, ent)) {
- if ((values = ldap_get_values (ld, ent, "cn")) != NULL) {
+ if ((values = ldap_get_values (ld, ent, "cn")) != NULL) {
- (*realms)[count] = strdup(values[0]);
- CHECK_NULL((*realms)[count]);
- count += 1;
+ (*realms)[count] = strdup(values[0]);
+ CHECK_NULL((*realms)[count]);
+ count += 1;
- ldap_value_free(values);
- }
+ ldap_value_free(values);
+ }
} /* for (ent= ... */
ldap_msgfree(result);
/* some error, free up all the memory */
if (st != 0) {
- if (*realms) {
- for (i=0; (*realms)[i] != NULL; ++i) {
- free ((*realms)[i]);
- }
- free (*realms);
- *realms = NULL;
- }
+ if (*realms) {
+ for (i=0; (*realms)[i] != NULL; ++i) {
+ free ((*realms)[i]);
+ }
+ free (*realms);
+ *realms = NULL;
+ }
}
/* If there are no elements, still return a NULL terminated array */
}
krb5_error_code
-krb5_ldap_delete_realm (context, lrealm)
- krb5_context context;
- char *lrealm;
+krb5_ldap_delete_realm (krb5_context context, char *lrealm)
{
LDAP *ld = NULL;
krb5_error_code st = 0, tempst=0;
SETUP_CONTEXT ();
if (lrealm == NULL) {
- st = EINVAL;
- krb5_set_error_message (context, st, "Realm information not available");
- goto cleanup;
+ st = EINVAL;
+ krb5_set_error_message (context, st, "Realm information not available");
+ goto cleanup;
}
if ((st=krb5_ldap_read_realm_params(context, lrealm, &rparam, &mask)) != 0)
- goto cleanup;
+ goto cleanup;
/* get ldap handle */
GET_HANDLE ();
/* delete all the principals belonging to the realm in the tree */
{
- char *attr[] = {"krbprincipalname", NULL}, *realm=NULL, filter[256];
- krb5_ldap_context lcontext;
+ char *attr[] = {"krbprincipalname", NULL}, *realm=NULL, filter[256];
+ krb5_ldap_context lcontext;
- realm = ldap_filter_correct (lrealm);
- assert (sizeof (filter) >= sizeof ("(krbprincipalname=)") +
- strlen (realm) + 2 /* "*@" */ + 1);
+ realm = ldap_filter_correct (lrealm);
+ assert (sizeof (filter) >= sizeof ("(krbprincipalname=)") +
+ strlen (realm) + 2 /* "*@" */ + 1);
- snprintf (filter, sizeof(filter), "(krbprincipalname=*@%s)", realm);
- free (realm);
+ snprintf (filter, sizeof(filter), "(krbprincipalname=*@%s)", realm);
+ free (realm);
- /* LDAP_SEARCH(NULL, LDAP_SCOPE_SUBTREE, filter, attr); */
- memset(&lcontext, 0, sizeof(krb5_ldap_context));
- lcontext.lrparams = rparam;
- if ((st=krb5_get_subtree_info(&lcontext, &subtrees, &ntree)) != 0)
- goto cleanup;
+ /* LDAP_SEARCH(NULL, LDAP_SCOPE_SUBTREE, filter, attr); */
+ memset(&lcontext, 0, sizeof(krb5_ldap_context));
+ lcontext.lrparams = rparam;
+ if ((st=krb5_get_subtree_info(&lcontext, &subtrees, &ntree)) != 0)
+ goto cleanup;
result_arr = (LDAPMessage **) calloc((unsigned int)ntree+1,
- sizeof(LDAPMessage *));
+ sizeof(LDAPMessage *));
if (result_arr == NULL) {
st = ENOMEM;
goto cleanup;
}
- for (l=0; l < ntree; ++l) {
- LDAP_SEARCH(subtrees[l], rparam->search_scope, filter, attr);
- result_arr[l] = result;
- }
+ for (l=0; l < ntree; ++l) {
+ LDAP_SEARCH(subtrees[l], rparam->search_scope, filter, attr);
+ result_arr[l] = result;
+ }
}
/* NOTE: Here all the principals should be cached and the ldap handle should be freed,
* thread-safe this should suffice.
*/
for (j=0; (result=result_arr[j]) != NULL; ++j) {
- for (ent = ldap_first_entry (ld, result); ent != NULL;
- ent = ldap_next_entry (ld, ent)) {
- if ((values = ldap_get_values(ld, ent, "krbPrincipalName")) != NULL) {
- for (i = 0; values[i] != NULL; ++i) {
- krb5_parse_name(context, values[i], &principal);
- if (principal_in_realm_2(principal, lrealm) == 0) {
- int nent = 0;
- if ((st=krb5_ldap_delete_principal(context, principal,
- &nent)) != LDAP_SUCCESS)
- goto cleanup;
- }
- krb5_free_principal(context, principal);
- }
- ldap_value_free(values);
- }
- }
- ldap_msgfree(result);
+ for (ent = ldap_first_entry (ld, result); ent != NULL;
+ ent = ldap_next_entry (ld, ent)) {
+ if ((values = ldap_get_values(ld, ent, "krbPrincipalName")) != NULL) {
+ for (i = 0; values[i] != NULL; ++i) {
+ krb5_parse_name(context, values[i], &principal);
+ if (principal_in_realm_2(principal, lrealm) == 0) {
+ int nent = 0;
+ if ((st=krb5_ldap_delete_principal(context, principal,
+ &nent)) != LDAP_SUCCESS)
+ goto cleanup;
+ }
+ krb5_free_principal(context, principal);
+ }
+ ldap_value_free(values);
+ }
+ }
+ ldap_msgfree(result);
}
/* Delete all password policies */
/* Delete all ticket policies */
{
- if ((st = krb5_ldap_list_policy (context, ldap_context->lrparams->realmdn, &policy)) != 0) {
- prepend_err_str (context, "Error reading ticket policy: ", st, st);
- goto cleanup;
- }
+ if ((st = krb5_ldap_list_policy (context, ldap_context->lrparams->realmdn, &policy)) != 0) {
+ prepend_err_str (context, "Error reading ticket policy: ", st, st);
+ goto cleanup;
+ }
- for (i = 0; policy [i] != NULL; i++)
- krb5_ldap_delete_policy(context, policy[i]);
+ for (i = 0; policy [i] != NULL; i++)
+ krb5_ldap_delete_policy(context, policy[i]);
}
/* Delete the realm object */
if ((st=ldap_delete_ext_s(ld, ldap_context->lrparams->realmdn, NULL, NULL)) != LDAP_SUCCESS) {
- int ost = st;
- st = translate_ldap_error (st, OP_DEL);
- krb5_set_error_message (context, st, "Realm Delete FAILED: %s",
- ldap_err2string(ost));
+ int ost = st;
+ st = translate_ldap_error (st, OP_DEL);
+ krb5_set_error_message (context, st, "Realm Delete FAILED: %s",
+ ldap_err2string(ost));
}
cleanup:
if (subtrees) {
- for (l=0; l < ntree; ++l) {
- if (subtrees[l])
- free (subtrees[l]);
+ for (l=0; l < ntree; ++l) {
+ if (subtrees[l])
+ free (subtrees[l]);
}
- free (subtrees);
+ free (subtrees);
}
if (policy != NULL) {
- for (i = 0; policy[i] != NULL; i++)
- free (policy[i]);
- free (policy);
+ for (i = 0; policy[i] != NULL; i++)
+ free (policy[i]);
+ free (policy);
}
krb5_ldap_free_realm_params(rparam);
*/
krb5_error_code
-krb5_ldap_modify_realm(context, rparams, mask)
- krb5_context context;
- krb5_ldap_realm_params *rparams;
- int mask;
+krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams,
+ int mask)
{
LDAP *ld=NULL;
krb5_error_code st=0;
krb5_ldap_server_handle *ldap_server_handle=NULL;
if (mask == 0)
- return 0;
+ return 0;
if (rparams == NULL) {
- st = EINVAL;
- return st;
+ st = EINVAL;
+ return st;
}
SETUP_CONTEXT ();
/* Check validity of arguments */
if (ldap_context->krbcontainer == NULL ||
- rparams->tl_data == NULL ||
- rparams->tl_data->tl_data_contents == NULL ||
- ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) ||
- ((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) ||
+ rparams->tl_data == NULL ||
+ rparams->tl_data->tl_data_contents == NULL ||
+ ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) ||
+ ((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) ||
#ifdef HAVE_EDIRECTORY
- ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) ||
- ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) ||
- ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) ||
+ ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) ||
+ ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) ||
+ ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) ||
#endif
- 0) {
- st = EINVAL;
- goto cleanup;
+ 0) {
+ st = EINVAL;
+ goto cleanup;
}
/* get ldap handle */
/* get the oldmask obtained from the krb5_ldap_read_realm_params */
{
- void *voidptr=NULL;
-
- if ((st=decode_tl_data(rparams->tl_data, KDB_TL_MASK, &voidptr)) == 0) {
- oldmask = *((int *) voidptr);
- free (voidptr);
- } else {
- st = EINVAL;
- krb5_set_error_message (context, st, "tl_data not available");
- return st;
- }
+ void *voidptr=NULL;
+
+ if ((st=decode_tl_data(rparams->tl_data, KDB_TL_MASK, &voidptr)) == 0) {
+ oldmask = *((int *) voidptr);
+ free (voidptr);
+ } else {
+ st = EINVAL;
+ krb5_set_error_message (context, st, "tl_data not available");
+ return st;
+ }
}
if ( rparams->subtree!=NULL) {
/*replace the subtrees with the present if the subtrees are present*/
for(k=0;k<rparams->subtreecount && rparams->subtree[k]!=NULL;k++) {
- if (strlen(rparams->subtree[k]) != 0) {
- st = checkattributevalue(ld, rparams->subtree[k], "Objectclass", subtreeclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, "subtree value: ");
- }
+ if (strlen(rparams->subtree[k]) != 0) {
+ st = checkattributevalue(ld, rparams->subtree[k], "Objectclass", subtreeclass,
+ &objectmask);
+ CHECK_CLASS_VALIDITY(st, objectmask, "subtree value: ");
+ }
+ }
+ strval = rparams->subtree;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtrees", LDAP_MOD_REPLACE,
+ strval)) != 0) {
+ goto cleanup;
}
- strval = rparams->subtree;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtrees", LDAP_MOD_REPLACE,
- strval)) != 0) {
- goto cleanup;
- }
}
}
if (mask & LDAP_REALM_CONTREF) {
if (strlen(rparams->containerref) != 0 ) {
st = checkattributevalue(ld, rparams->containerref, "Objectclass", subtreeclass,
- &objectmask);
+ &objectmask);
CHECK_CLASS_VALIDITY(st, objectmask, "container reference value: ");
strvalprc[0] = rparams->containerref;
strvalprc[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbPrincContainerRef", LDAP_MOD_REPLACE,
- strvalprc)) != 0)
+ strvalprc)) != 0)
goto cleanup;
}
}
/* SEARCHSCOPE ATTRIBUTE */
if (mask & LDAP_REALM_SEARCHSCOPE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_REPLACE,
- (rparams->search_scope == LDAP_SCOPE_ONELEVEL
- || rparams->search_scope == LDAP_SCOPE_SUBTREE) ?
- rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_REPLACE,
+ (rparams->search_scope == LDAP_SCOPE_ONELEVEL
+ || rparams->search_scope == LDAP_SCOPE_SUBTREE) ?
+ rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0)
+ goto cleanup;
}
if (mask & LDAP_REALM_MAXRENEWLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_REPLACE,
- rparams->max_renewable_life)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_REPLACE,
+ rparams->max_renewable_life)) != 0)
+ goto cleanup;
}
/* krbMaxTicketLife ATTRIBUTE */
if (mask & LDAP_REALM_MAXTICKETLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_REPLACE,
- rparams->max_life)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_REPLACE,
+ rparams->max_life)) != 0)
+ goto cleanup;
}
/* krbTicketFlags ATTRIBUTE */
if (mask & LDAP_REALM_KRBTICKETFLAGS) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_REPLACE,
- rparams->tktflags)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_REPLACE,
+ rparams->tktflags)) != 0)
+ goto cleanup;
}
/* KDCSERVERS ATTRIBUTE */
if (mask & LDAP_REALM_KDCSERVERS) {
- /* validate the server list */
- for (i=0; rparams->kdcservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, "kdc service object value: ");
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_REPLACE,
- rparams->kdcservers)) != 0)
- goto cleanup;
+ /* validate the server list */
+ for (i=0; rparams->kdcservers[i] != NULL; ++i) {
+ st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass,
+ &objectmask);
+ CHECK_CLASS_VALIDITY(st, objectmask, "kdc service object value: ");
+ }
+
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_REPLACE,
+ rparams->kdcservers)) != 0)
+ goto cleanup;
}
/* ADMINSERVERS ATTRIBUTE */
if (mask & LDAP_REALM_ADMINSERVERS) {
- /* validate the server list */
- for (i=0; rparams->adminservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, "admin service object value: ");
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_REPLACE,
- rparams->adminservers)) != 0)
- goto cleanup;
+ /* validate the server list */
+ for (i=0; rparams->adminservers[i] != NULL; ++i) {
+ st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass,
+ &objectmask);
+ CHECK_CLASS_VALIDITY(st, objectmask, "admin service object value: ");
+ }
+
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_REPLACE,
+ rparams->adminservers)) != 0)
+ goto cleanup;
}
/* PASSWDSERVERS ATTRIBUTE */
if (mask & LDAP_REALM_PASSWDSERVERS) {
- /* validate the server list */
- for (i=0; rparams->passwdservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, "password service object value: ");
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_REPLACE,
- rparams->passwdservers)) != 0)
- goto cleanup;
+ /* validate the server list */
+ for (i=0; rparams->passwdservers[i] != NULL; ++i) {
+ st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass,
+ &objectmask);
+ CHECK_CLASS_VALIDITY(st, objectmask, "password service object value: ");
+ }
+
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_REPLACE,
+ rparams->passwdservers)) != 0)
+ goto cleanup;
}
/*
* deletions/additions to the list.
*/
if (mask & LDAP_REALM_KDCSERVERS || mask & LDAP_REALM_ADMINSERVERS ||
- mask & LDAP_REALM_PASSWDSERVERS) {
- char *servers[] = {"krbKdcServers", "krbAdmServers", "krbPwdServers", NULL};
-
- if ((st= ldap_search_ext_s(ld,
- rparams->realmdn,
- LDAP_SCOPE_BASE,
- 0,
- servers,
- 0,
- NULL,
- NULL,
- NULL,
- 0,
- &result)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_SEARCH);
- goto cleanup;
- }
-
- ent = ldap_first_entry(ld, result);
- if (ent) {
- if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &oldkdcservers, count)) != 0)
- goto cleanup;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &oldadminservers, count)) != 0)
- goto cleanup;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &oldpasswdservers, count)) != 0)
- goto cleanup;
- ldap_value_free(values);
- }
- }
- ldap_msgfree(result);
+ mask & LDAP_REALM_PASSWDSERVERS) {
+ char *servers[] = {"krbKdcServers", "krbAdmServers", "krbPwdServers", NULL};
+
+ if ((st= ldap_search_ext_s(ld,
+ rparams->realmdn,
+ LDAP_SCOPE_BASE,
+ 0,
+ servers,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ &result)) != LDAP_SUCCESS) {
+ st = set_ldap_error (context, st, OP_SEARCH);
+ goto cleanup;
+ }
+
+ ent = ldap_first_entry(ld, result);
+ if (ent) {
+ if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
+ count = ldap_count_values(values);
+ if ((st=copy_arrays(values, &oldkdcservers, count)) != 0)
+ goto cleanup;
+ ldap_value_free(values);
+ }
+
+ if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) {
+ count = ldap_count_values(values);
+ if ((st=copy_arrays(values, &oldadminservers, count)) != 0)
+ goto cleanup;
+ ldap_value_free(values);
+ }
+
+ if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) {
+ count = ldap_count_values(values);
+ if ((st=copy_arrays(values, &oldpasswdservers, count)) != 0)
+ goto cleanup;
+ ldap_value_free(values);
+ }
+ }
+ ldap_msgfree(result);
}
#endif
/* Realm modify opearation */
if (mods != NULL) {
if ((st=ldap_modify_ext_s(ld, rparams->realmdn, mods, NULL, NULL)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
}
}
* to the 4 servers' list.
*/
if (mask & LDAP_REALM_KDCSERVERS) {
- char **newkdcservers=NULL;
-
- count = ldap_count_values(rparams->kdcservers);
- if ((st=copy_arrays(rparams->kdcservers, &newkdcservers, count)) != 0)
- goto cleanup;
-
- /* find the deletions and additions to the server list */
- if (oldkdcservers && newkdcservers)
- disjoint_members(oldkdcservers, newkdcservers);
-
- /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
- if (oldkdcservers)
- for (i=0; oldkdcservers[i]; ++i)
- if ((st=deleteAttribute(ld, oldkdcservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf (errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from %s: ",
- oldkdcservers[i]);
- prepend_err_str (context, errbuf, st, st);
- goto cleanup;
- }
-
- /* add the krbRealmReferences attribute from the servers that are associated. */
- if (newkdcservers)
- for (i=0; newkdcservers[i]; ++i)
- if ((st=updateAttribute(ld, newkdcservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf (errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
- newkdcservers[i]);
- prepend_err_str (context, errbuf, st, st);
- goto cleanup;
- }
-
- if (newkdcservers)
- ldap_value_free(newkdcservers);
+ char **newkdcservers=NULL;
+
+ count = ldap_count_values(rparams->kdcservers);
+ if ((st=copy_arrays(rparams->kdcservers, &newkdcservers, count)) != 0)
+ goto cleanup;
+
+ /* find the deletions and additions to the server list */
+ if (oldkdcservers && newkdcservers)
+ disjoint_members(oldkdcservers, newkdcservers);
+
+ /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
+ if (oldkdcservers)
+ for (i=0; oldkdcservers[i]; ++i)
+ if ((st=deleteAttribute(ld, oldkdcservers[i], "krbRealmReferences",
+ rparams->realmdn)) != 0) {
+ snprintf (errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from %s: ",
+ oldkdcservers[i]);
+ prepend_err_str (context, errbuf, st, st);
+ goto cleanup;
+ }
+
+ /* add the krbRealmReferences attribute from the servers that are associated. */
+ if (newkdcservers)
+ for (i=0; newkdcservers[i]; ++i)
+ if ((st=updateAttribute(ld, newkdcservers[i], "krbRealmReferences",
+ rparams->realmdn)) != 0) {
+ snprintf (errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
+ newkdcservers[i]);
+ prepend_err_str (context, errbuf, st, st);
+ goto cleanup;
+ }
+
+ if (newkdcservers)
+ ldap_value_free(newkdcservers);
}
if (mask & LDAP_REALM_ADMINSERVERS) {
- char **newadminservers=NULL;
-
- count = ldap_count_values(rparams->adminservers);
- if ((st=copy_arrays(rparams->adminservers, &newadminservers, count)) != 0)
- goto cleanup;
-
- /* find the deletions and additions to the server list */
- if (oldadminservers && newadminservers)
- disjoint_members(oldadminservers, newadminservers);
-
- /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
- if (oldadminservers)
- for (i=0; oldadminservers[i]; ++i)
- if ((st=deleteAttribute(ld, oldadminservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from "
- "%s: ", oldadminservers[i]);
- prepend_err_str (context, errbuf, st, st);
- goto cleanup;
- }
-
- /* add the krbRealmReferences attribute from the servers that are associated. */
- if (newadminservers)
- for (i=0; newadminservers[i]; ++i)
- if ((st=updateAttribute(ld, newadminservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
- newadminservers[i]);
- prepend_err_str (context, errbuf, st, st);
- goto cleanup;
- }
- if (newadminservers)
- ldap_value_free(newadminservers);
+ char **newadminservers=NULL;
+
+ count = ldap_count_values(rparams->adminservers);
+ if ((st=copy_arrays(rparams->adminservers, &newadminservers, count)) != 0)
+ goto cleanup;
+
+ /* find the deletions and additions to the server list */
+ if (oldadminservers && newadminservers)
+ disjoint_members(oldadminservers, newadminservers);
+
+ /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
+ if (oldadminservers)
+ for (i=0; oldadminservers[i]; ++i)
+ if ((st=deleteAttribute(ld, oldadminservers[i], "krbRealmReferences",
+ rparams->realmdn)) != 0) {
+ snprintf(errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from "
+ "%s: ", oldadminservers[i]);
+ prepend_err_str (context, errbuf, st, st);
+ goto cleanup;
+ }
+
+ /* add the krbRealmReferences attribute from the servers that are associated. */
+ if (newadminservers)
+ for (i=0; newadminservers[i]; ++i)
+ if ((st=updateAttribute(ld, newadminservers[i], "krbRealmReferences",
+ rparams->realmdn)) != 0) {
+ snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
+ newadminservers[i]);
+ prepend_err_str (context, errbuf, st, st);
+ goto cleanup;
+ }
+ if (newadminservers)
+ ldap_value_free(newadminservers);
}
if (mask & LDAP_REALM_PASSWDSERVERS) {
- char **newpasswdservers=NULL;
-
- count = ldap_count_values(rparams->passwdservers);
- if ((st=copy_arrays(rparams->passwdservers, &newpasswdservers, count)) != 0)
- goto cleanup;
-
- /* find the deletions and additions to the server list */
- if (oldpasswdservers && newpasswdservers)
- disjoint_members(oldpasswdservers, newpasswdservers);
-
- /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
- if (oldpasswdservers)
- for (i=0; oldpasswdservers[i]; ++i)
- if ((st=deleteAttribute(ld, oldpasswdservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from "
- "%s: ", oldpasswdservers[i]);
- prepend_err_str (context, errbuf, st, st);
- goto cleanup;
- }
-
- /* add the krbRealmReferences attribute from the servers that are associated. */
- if (newpasswdservers)
- for (i=0; newpasswdservers[i]; ++i)
- if ((st=updateAttribute(ld, newpasswdservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
- newpasswdservers[i]);
- prepend_err_str (context, errbuf, st, st);
- goto cleanup;
- }
- if (newpasswdservers)
- ldap_value_free(newpasswdservers);
+ char **newpasswdservers=NULL;
+
+ count = ldap_count_values(rparams->passwdservers);
+ if ((st=copy_arrays(rparams->passwdservers, &newpasswdservers, count)) != 0)
+ goto cleanup;
+
+ /* find the deletions and additions to the server list */
+ if (oldpasswdservers && newpasswdservers)
+ disjoint_members(oldpasswdservers, newpasswdservers);
+
+ /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
+ if (oldpasswdservers)
+ for (i=0; oldpasswdservers[i]; ++i)
+ if ((st=deleteAttribute(ld, oldpasswdservers[i], "krbRealmReferences",
+ rparams->realmdn)) != 0) {
+ snprintf(errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from "
+ "%s: ", oldpasswdservers[i]);
+ prepend_err_str (context, errbuf, st, st);
+ goto cleanup;
+ }
+
+ /* add the krbRealmReferences attribute from the servers that are associated. */
+ if (newpasswdservers)
+ for (i=0; newpasswdservers[i]; ++i)
+ if ((st=updateAttribute(ld, newpasswdservers[i], "krbRealmReferences",
+ rparams->realmdn)) != 0) {
+ snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
+ newpasswdservers[i]);
+ prepend_err_str (context, errbuf, st, st);
+ goto cleanup;
+ }
+ if (newpasswdservers)
+ ldap_value_free(newpasswdservers);
}
#endif
#ifdef HAVE_EDIRECTORY
if (oldkdcservers) {
- for (i=0; oldkdcservers[i]; ++i)
- free(oldkdcservers[i]);
- free(oldkdcservers);
+ for (i=0; oldkdcservers[i]; ++i)
+ free(oldkdcservers[i]);
+ free(oldkdcservers);
}
if (oldadminservers) {
- for (i=0; oldadminservers[i]; ++i)
- free(oldadminservers[i]);
- free(oldadminservers);
+ for (i=0; oldadminservers[i]; ++i)
+ free(oldadminservers[i]);
+ free(oldadminservers);
}
if (oldpasswdservers) {
- for (i=0; oldpasswdservers[i]; ++i)
- free(oldpasswdservers[i]);
- free(oldpasswdservers);
+ for (i=0; oldpasswdservers[i]; ++i)
+ free(oldpasswdservers[i]);
+ free(oldpasswdservers);
}
#endif
*/
krb5_error_code
-krb5_ldap_create_krbcontainer(context, krbcontparams)
- krb5_context context;
- const krb5_ldap_krbcontainer_params *krbcontparams;
+krb5_ldap_create_krbcontainer(krb5_context context,
+ const
+ krb5_ldap_krbcontainer_params *krbcontparams)
{
LDAP *ld=NULL;
char *strval[2]={NULL}, *kerberoscontdn=NULL, **rdns=NULL;
GET_HANDLE ();
if (krbcontparams != NULL && krbcontparams->DN != NULL) {
- kerberoscontdn = krbcontparams->DN;
+ kerberoscontdn = krbcontparams->DN;
} else {
- /* If the user has not given, use the default cn=Kerberos,cn=Security */
+ /* If the user has not given, use the default cn=Kerberos,cn=Security */
#ifdef HAVE_EDIRECTORY
- kerberoscontdn = KERBEROS_CONTAINER;
+ kerberoscontdn = KERBEROS_CONTAINER;
#else
- st = EINVAL;
- krb5_set_error_message (context, st, "Kerberos Container information is missing");
- goto cleanup;
+ st = EINVAL;
+ krb5_set_error_message (context, st, "Kerberos Container information is missing");
+ goto cleanup;
#endif
}
strval[0] = "krbContainer";
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ goto cleanup;
rdns = ldap_explode_dn(kerberoscontdn, 1);
if (rdns == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st, "Invalid Kerberos container DN");
- goto cleanup;
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Invalid Kerberos container DN");
+ goto cleanup;
}
strval[0] = rdns[0];
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ goto cleanup;
/* check if the policy reference value exists and is of krbticketpolicyreference object class */
if (krbcontparams && krbcontparams->policyreference) {
- st = checkattributevalue(ld, krbcontparams->policyreference, "objectclass", policyclass,
- &pmask);
- CHECK_CLASS_VALIDITY(st, pmask, "ticket policy object value: ");
-
- strval[0] = krbcontparams->policyreference;
- strval[1] = NULL;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_ADD,
- strval)) != 0)
- goto cleanup;
+ st = checkattributevalue(ld, krbcontparams->policyreference, "objectclass", policyclass,
+ &pmask);
+ CHECK_CLASS_VALIDITY(st, pmask, "ticket policy object value: ");
+
+ strval[0] = krbcontparams->policyreference;
+ strval[1] = NULL;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_ADD,
+ strval)) != 0)
+ goto cleanup;
}
/* create the kerberos container */
if ((st = ldap_add_ext_s(ld, kerberoscontdn, mods, NULL, NULL)) != LDAP_SUCCESS) {
- int ost = st;
- st = translate_ldap_error (st, OP_ADD);
- krb5_set_error_message (context, st, "Kerberos Container create FAILED: %s", ldap_err2string(ost));
- goto cleanup;
+ int ost = st;
+ st = translate_ldap_error (st, OP_ADD);
+ krb5_set_error_message (context, st, "Kerberos Container create FAILED: %s", ldap_err2string(ost));
+ goto cleanup;
}
#ifdef HAVE_EDIRECTORY
/* check whether the security container is bound to krbcontainerrefaux object class */
if ((st=checkattributevalue(ld, SECURITY_CONTAINER, "objectClass",
- krbContainerRefclass, &crmask)) != 0) {
- prepend_err_str (context, "Security Container read FAILED: ", st, st);
- /* delete Kerberos Container, status ignored intentionally */
- ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL);
- goto cleanup;
+ krbContainerRefclass, &crmask)) != 0) {
+ prepend_err_str (context, "Security Container read FAILED: ", st, st);
+ /* delete Kerberos Container, status ignored intentionally */
+ ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL);
+ goto cleanup;
}
if (crmask == 0) {
- /* Security Container is extended with krbcontainerrefaux object class */
- strval[0] = "krbContainerRefAux";
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ /* Security Container is extended with krbcontainerrefaux object class */
+ strval[0] = "krbContainerRefAux";
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
+ goto cleanup;
}
strval[0] = kerberoscontdn;
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbcontainerreference", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ goto cleanup;
/* update the security container with krbContainerReference attribute */
if ((st=ldap_modify_ext_s(ld, SECURITY_CONTAINER, mods, NULL, NULL)) != LDAP_SUCCESS) {
- int ost = st;
- st = translate_ldap_error (st, OP_MOD);
- krb5_set_error_message (context, st, "Security Container update FAILED: %s", ldap_err2string(ost));
- /* delete Kerberos Container, status ignored intentionally */
- ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL);
- goto cleanup;
+ int ost = st;
+ st = translate_ldap_error (st, OP_MOD);
+ krb5_set_error_message (context, st, "Security Container update FAILED: %s", ldap_err2string(ost));
+ /* delete Kerberos Container, status ignored intentionally */
+ ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL);
+ goto cleanup;
}
#endif
cleanup:
if (rdns)
- ldap_value_free (rdns);
+ ldap_value_free (rdns);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
krb5_error_code
krb5_ldap_delete_krbcontainer(krb5_context context,
- const krb5_ldap_krbcontainer_params *krbcontparams)
+ const
+ krb5_ldap_krbcontainer_params *krbcontparams)
{
LDAP *ld=NULL;
char *kerberoscontdn=NULL;
GET_HANDLE ();
if (krbcontparams != NULL && krbcontparams->DN != NULL) {
- kerberoscontdn = krbcontparams->DN;
+ kerberoscontdn = krbcontparams->DN;
} else {
- /* If the user has not given, use the default cn=Kerberos,cn=Security */
+ /* If the user has not given, use the default cn=Kerberos,cn=Security */
#ifdef HAVE_EDIRECTORY
- kerberoscontdn = KERBEROS_CONTAINER;
+ kerberoscontdn = KERBEROS_CONTAINER;
#else
- st = EINVAL;
- krb5_set_error_message (context, st, "Kerberos Container information is missing");
- goto cleanup;
+ st = EINVAL;
+ krb5_set_error_message (context, st, "Kerberos Container information is missing");
+ goto cleanup;
#endif
}
/* delete the kerberos container */
if ((st = ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL)) != LDAP_SUCCESS) {
- int ost = st;
- st = translate_ldap_error (st, OP_ADD);
- krb5_set_error_message (context, st, "Kerberos Container delete FAILED: %s", ldap_err2string(ost));
- goto cleanup;
+ int ost = st;
+ st = translate_ldap_error (st, OP_ADD);
+ krb5_set_error_message (context, st, "Kerberos Container delete FAILED: %s", ldap_err2string(ost));
+ goto cleanup;
}
cleanup:
*/
krb5_error_code
-krb5_ldap_create_realm(context, rparams, mask)
- krb5_context context;
- krb5_ldap_realm_params *rparams;
- int mask;
+krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams,
+ int mask)
{
LDAP *ld=NULL;
krb5_error_code st=0;
char *dn=NULL;
char *strval[4]={NULL};
- char *contref[2]={NULL};
+ char *contref[2]={NULL};
LDAPMod **mods = NULL;
int i=0, objectmask=0, subtreecount=0;
kdb5_dal_handle *dal_handle=NULL;
/* Check input validity ... */
if (ldap_context->krbcontainer == NULL ||
- ldap_context->krbcontainer->DN == NULL ||
- rparams == NULL ||
- rparams->realm_name == NULL ||
- ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) ||
- ((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) ||
- ((mask & LDAP_REALM_POLICYREFERENCE) && rparams->policyreference == NULL) ||
+ ldap_context->krbcontainer->DN == NULL ||
+ rparams == NULL ||
+ rparams->realm_name == NULL ||
+ ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) ||
+ ((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) ||
+ ((mask & LDAP_REALM_POLICYREFERENCE) && rparams->policyreference == NULL) ||
#ifdef HAVE_EDIRECTORY
- ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) ||
- ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) ||
- ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) ||
+ ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) ||
+ ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) ||
+ ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) ||
#endif
- 0) {
- st = EINVAL;
- return st;
+ 0) {
+ st = EINVAL;
+ return st;
}
if (ldap_context->krbcontainer == NULL) {
- if ((st = krb5_ldap_read_krbcontainer_params(context,
- &(ldap_context->krbcontainer))) != 0)
- goto cleanup;
+ if ((st = krb5_ldap_read_krbcontainer_params(context,
+ &(ldap_context->krbcontainer))) != 0)
+ goto cleanup;
}
/* get ldap handle */
realm_name = rparams->realm_name;
if (asprintf(&dn, "cn=%s,%s", realm_name,
- ldap_context->krbcontainer->DN) < 0)
- dn = NULL;
+ ldap_context->krbcontainer->DN) < 0)
+ dn = NULL;
CHECK_NULL(dn);
strval[0] = realm_name;
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ goto cleanup;
strval[0] = "top";
strval[1] = "krbrealmcontainer";
strval[3] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ goto cleanup;
/* SUBTREE ATTRIBUTE */
if (mask & LDAP_REALM_SUBTREE) {
if ( rparams->subtree!=NULL) {
- subtreecount = rparams->subtreecount;
- for (i=0; rparams->subtree[i]!=NULL && i<subtreecount; i++) {
- if (strlen(rparams->subtree[i]) != 0) {
- st = checkattributevalue(ld, rparams->subtree[i], "Objectclass", subtreeclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, "realm object value: ");
- }
- }
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtrees", LDAP_MOD_ADD,
- rparams->subtree)) != 0) {
- goto cleanup;
- }
- }
+ subtreecount = rparams->subtreecount;
+ for (i=0; rparams->subtree[i]!=NULL && i<subtreecount; i++) {
+ if (strlen(rparams->subtree[i]) != 0) {
+ st = checkattributevalue(ld, rparams->subtree[i], "Objectclass", subtreeclass,
+ &objectmask);
+ CHECK_CLASS_VALIDITY(st, objectmask, "realm object value: ");
+ }
+ }
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtrees", LDAP_MOD_ADD,
+ rparams->subtree)) != 0) {
+ goto cleanup;
+ }
+ }
}
/* CONTAINER REFERENCE ATTRIBUTE */
if (mask & LDAP_REALM_CONTREF) {
if (strlen(rparams->containerref) != 0 ) {
st = checkattributevalue(ld, rparams->containerref, "Objectclass", subtreeclass,
- &objectmask);
+ &objectmask);
CHECK_CLASS_VALIDITY(st, objectmask, "realm object value: ");
contref[0] = rparams->containerref;
contref[1] = NULL;
/* SEARCHSCOPE ATTRIBUTE */
if (mask & LDAP_REALM_SEARCHSCOPE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_ADD,
- (rparams->search_scope == LDAP_SCOPE_ONELEVEL
- || rparams->search_scope == LDAP_SCOPE_SUBTREE) ?
- rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_ADD,
+ (rparams->search_scope == LDAP_SCOPE_ONELEVEL
+ || rparams->search_scope == LDAP_SCOPE_SUBTREE) ?
+ rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0)
+ goto cleanup;
}
if (mask & LDAP_REALM_MAXRENEWLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_ADD,
- rparams->max_renewable_life)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_ADD,
+ rparams->max_renewable_life)) != 0)
+ goto cleanup;
}
/* krbMaxTicketLife ATTRIBUTE */
if (mask & LDAP_REALM_MAXTICKETLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_ADD,
- rparams->max_life)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_ADD,
+ rparams->max_life)) != 0)
+ goto cleanup;
}
/* krbTicketFlags ATTRIBUTE */
if (mask & LDAP_REALM_KRBTICKETFLAGS) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_ADD,
- rparams->tktflags)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_ADD,
+ rparams->tktflags)) != 0)
+ goto cleanup;
}
/* KDCSERVERS ATTRIBUTE */
if (mask & LDAP_REALM_KDCSERVERS) {
- /* validate the server list */
- for (i=0; rparams->kdcservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, "kdc service object value: ");
+ /* validate the server list */
+ for (i=0; rparams->kdcservers[i] != NULL; ++i) {
+ st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass,
+ &objectmask);
+ CHECK_CLASS_VALIDITY(st, objectmask, "kdc service object value: ");
- }
+ }
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_ADD,
- rparams->kdcservers)) != 0)
- goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_ADD,
+ rparams->kdcservers)) != 0)
+ goto cleanup;
}
/* ADMINSERVERS ATTRIBUTE */
if (mask & LDAP_REALM_ADMINSERVERS) {
- /* validate the server list */
- for (i=0; rparams->adminservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, "admin service object value: ");
+ /* validate the server list */
+ for (i=0; rparams->adminservers[i] != NULL; ++i) {
+ st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass,
+ &objectmask);
+ CHECK_CLASS_VALIDITY(st, objectmask, "admin service object value: ");
- }
+ }
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_ADD,
- rparams->adminservers)) != 0)
- goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_ADD,
+ rparams->adminservers)) != 0)
+ goto cleanup;
}
/* PASSWDSERVERS ATTRIBUTE */
if (mask & LDAP_REALM_PASSWDSERVERS) {
- /* validate the server list */
- for (i=0; rparams->passwdservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, "password service object value: ");
+ /* validate the server list */
+ for (i=0; rparams->passwdservers[i] != NULL; ++i) {
+ st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass,
+ &objectmask);
+ CHECK_CLASS_VALIDITY(st, objectmask, "password service object value: ");
- }
+ }
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_ADD,
- rparams->passwdservers)) != 0)
- goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_ADD,
+ rparams->passwdservers)) != 0)
+ goto cleanup;
}
#endif
/* realm creation operation */
if ((st=ldap_add_ext_s(ld, dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_ADD);
- goto cleanup;
+ st = set_ldap_error (context, st, OP_ADD);
+ goto cleanup;
}
#ifdef HAVE_EDIRECTORY
if (mask & LDAP_REALM_KDCSERVERS)
- for (i=0; rparams->kdcservers[i]; ++i)
- if ((st=updateAttribute(ld, rparams->kdcservers[i], "krbRealmReferences", dn)) != 0) {
- snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
- rparams->kdcservers[i]);
- prepend_err_str (context, errbuf, st, st);
- /* delete Realm, status ignored intentionally */
- ldap_delete_ext_s(ld, dn, NULL, NULL);
- goto cleanup;
- }
+ for (i=0; rparams->kdcservers[i]; ++i)
+ if ((st=updateAttribute(ld, rparams->kdcservers[i], "krbRealmReferences", dn)) != 0) {
+ snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
+ rparams->kdcservers[i]);
+ prepend_err_str (context, errbuf, st, st);
+ /* delete Realm, status ignored intentionally */
+ ldap_delete_ext_s(ld, dn, NULL, NULL);
+ goto cleanup;
+ }
if (mask & LDAP_REALM_ADMINSERVERS)
- for (i=0; rparams->adminservers[i]; ++i)
- if ((st=updateAttribute(ld, rparams->adminservers[i], "krbRealmReferences", dn)) != 0) {
- snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
- rparams->adminservers[i]);
- prepend_err_str (context, errbuf, st, st);
- /* delete Realm, status ignored intentionally */
- ldap_delete_ext_s(ld, dn, NULL, NULL);
- goto cleanup;
- }
+ for (i=0; rparams->adminservers[i]; ++i)
+ if ((st=updateAttribute(ld, rparams->adminservers[i], "krbRealmReferences", dn)) != 0) {
+ snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
+ rparams->adminservers[i]);
+ prepend_err_str (context, errbuf, st, st);
+ /* delete Realm, status ignored intentionally */
+ ldap_delete_ext_s(ld, dn, NULL, NULL);
+ goto cleanup;
+ }
if (mask & LDAP_REALM_PASSWDSERVERS)
- for (i=0; rparams->passwdservers[i]; ++i)
- if ((st=updateAttribute(ld, rparams->passwdservers[i], "krbRealmReferences", dn)) != 0) {
- snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
- rparams->passwdservers[i]);
- prepend_err_str (context, errbuf, st, st);
- /* delete Realm, status ignored intentionally */
- ldap_delete_ext_s(ld, dn, NULL, NULL);
- goto cleanup;
- }
+ for (i=0; rparams->passwdservers[i]; ++i)
+ if ((st=updateAttribute(ld, rparams->passwdservers[i], "krbRealmReferences", dn)) != 0) {
+ snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ",
+ rparams->passwdservers[i]);
+ prepend_err_str (context, errbuf, st, st);
+ /* delete Realm, status ignored intentionally */
+ ldap_delete_ext_s(ld, dn, NULL, NULL);
+ goto cleanup;
+ }
#endif
cleanup:
if (dn)
- free(dn);
+ free(dn);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
*/
krb5_error_code
-krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask)
- krb5_context context;
- char *lrealm;
- krb5_ldap_realm_params **rlparamp;
- int *mask;
+krb5_ldap_read_realm_params(krb5_context context, char *lrealm,
+ krb5_ldap_realm_params **rlparamp, int *mask)
{
char **values=NULL, *krbcontDN=NULL /*, *curr=NULL */;
#ifdef HAVE_EDIRECTORY
/* validate the input parameter */
if (lrealm == NULL ||
- ldap_context->krbcontainer == NULL ||
- ldap_context->krbcontainer->DN == NULL) {
- st = EINVAL;
- goto cleanup;
+ ldap_context->krbcontainer == NULL ||
+ ldap_context->krbcontainer->DN == NULL) {
+ st = EINVAL;
+ goto cleanup;
}
/* read kerberos container, if not read already */
if (ldap_context->krbcontainer == NULL) {
- if ((st = krb5_ldap_read_krbcontainer_params(context,
- &(ldap_context->krbcontainer))) != 0)
- goto cleanup;
+ if ((st = krb5_ldap_read_krbcontainer_params(context,
+ &(ldap_context->krbcontainer))) != 0)
+ goto cleanup;
}
/* get ldap handle */
GET_HANDLE ();
/* allocate tl_data structure to store MASK information */
rlparams->tl_data = malloc (sizeof(krb5_tl_data));
if (rlparams->tl_data == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
memset(rlparams->tl_data, 0, sizeof(krb5_tl_data));
rlparams->tl_data->tl_data_type = KDB_TL_USER_INFO;
krbcontDN = ldap_context->krbcontainer->DN;
if (asprintf(&rlparams->realmdn, "cn=%s,%s", lrealm, krbcontDN) < 0) {
- rlparams->realmdn = NULL;
- st = ENOMEM;
- goto cleanup;
+ rlparams->realmdn = NULL;
+ st = ENOMEM;
+ goto cleanup;
}
/* populate the realm name in the structure */
ent = ldap_first_entry (ld, result);
if (ent == NULL) {
- ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, (void *) &st);
+ ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, (void *) &st);
#if 0
- st = translate_ldap_error(st, OP_SEARCH);
+ st = translate_ldap_error(st, OP_SEARCH);
#endif
- goto cleanup;
+ goto cleanup;
}
/* Read the attributes */
{
- if ((values=ldap_get_values(ld, ent, "krbSubTrees")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbSubTrees")) != NULL) {
rlparams->subtreecount = ldap_count_values(values);
rlparams->subtree = (char **) malloc(sizeof(char *) * (rlparams->subtreecount + 1));
- if (rlparams->subtree == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
+ if (rlparams->subtree == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
for (x=0; x<rlparams->subtreecount; x++) {
rlparams->subtree[x] = strdup(values[x]);
- if (rlparams->subtree[x] == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
+ if (rlparams->subtree[x] == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
}
rlparams->subtree[rlparams->subtreecount] = NULL;
- *mask |= LDAP_REALM_SUBTREE;
- ldap_value_free(values);
- }
+ *mask |= LDAP_REALM_SUBTREE;
+ ldap_value_free(values);
+ }
if((values=ldap_get_values(ld, ent, "krbPrincContainerRef")) != NULL) {
rlparams->containerref = strdup(values[0]);
ldap_value_free(values);
}
- if ((values=ldap_get_values(ld, ent, "krbSearchScope")) != NULL) {
- rlparams->search_scope=atoi(values[0]);
- /* searchscope can be ONE-LEVEL or SUBTREE, else default to SUBTREE */
- if (!(rlparams->search_scope==1 || rlparams->search_scope==2))
- rlparams->search_scope = LDAP_SCOPE_SUBTREE;
- *mask |= LDAP_REALM_SEARCHSCOPE;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbMaxTicketLife")) != NULL) {
- rlparams->max_life = atoi(values[0]);
- *mask |= LDAP_REALM_MAXTICKETLIFE;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbMaxRenewableAge")) != NULL) {
- rlparams->max_renewable_life = atoi(values[0]);
- *mask |= LDAP_REALM_MAXRENEWLIFE;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbTicketFlags")) != NULL) {
- rlparams->tktflags = atoi(values[0]);
- *mask |= LDAP_REALM_KRBTICKETFLAGS;
- ldap_value_free(values);
- }
+ if ((values=ldap_get_values(ld, ent, "krbSearchScope")) != NULL) {
+ rlparams->search_scope=atoi(values[0]);
+ /* searchscope can be ONE-LEVEL or SUBTREE, else default to SUBTREE */
+ if (!(rlparams->search_scope==1 || rlparams->search_scope==2))
+ rlparams->search_scope = LDAP_SCOPE_SUBTREE;
+ *mask |= LDAP_REALM_SEARCHSCOPE;
+ ldap_value_free(values);
+ }
+
+ if ((values=ldap_get_values(ld, ent, "krbMaxTicketLife")) != NULL) {
+ rlparams->max_life = atoi(values[0]);
+ *mask |= LDAP_REALM_MAXTICKETLIFE;
+ ldap_value_free(values);
+ }
+
+ if ((values=ldap_get_values(ld, ent, "krbMaxRenewableAge")) != NULL) {
+ rlparams->max_renewable_life = atoi(values[0]);
+ *mask |= LDAP_REALM_MAXRENEWLIFE;
+ ldap_value_free(values);
+ }
+
+ if ((values=ldap_get_values(ld, ent, "krbTicketFlags")) != NULL) {
+ rlparams->tktflags = atoi(values[0]);
+ *mask |= LDAP_REALM_KRBTICKETFLAGS;
+ ldap_value_free(values);
+ }
#ifdef HAVE_EDIRECTORY
- if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(rlparams->kdcservers), (int) count)) != 0)
- goto cleanup;
- *mask |= LDAP_REALM_KDCSERVERS;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(rlparams->adminservers), (int) count)) != 0)
- goto cleanup;
- *mask |= LDAP_REALM_ADMINSERVERS;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(rlparams->passwdservers), (int) count)) != 0)
- goto cleanup;
- *mask |= LDAP_REALM_PASSWDSERVERS;
- ldap_value_free(values);
- }
+ if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
+ count = ldap_count_values(values);
+ if ((st=copy_arrays(values, &(rlparams->kdcservers), (int) count)) != 0)
+ goto cleanup;
+ *mask |= LDAP_REALM_KDCSERVERS;
+ ldap_value_free(values);
+ }
+
+ if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) {
+ count = ldap_count_values(values);
+ if ((st=copy_arrays(values, &(rlparams->adminservers), (int) count)) != 0)
+ goto cleanup;
+ *mask |= LDAP_REALM_ADMINSERVERS;
+ ldap_value_free(values);
+ }
+
+ if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) {
+ count = ldap_count_values(values);
+ if ((st=copy_arrays(values, &(rlparams->passwdservers), (int) count)) != 0)
+ goto cleanup;
+ *mask |= LDAP_REALM_PASSWDSERVERS;
+ ldap_value_free(values);
+ }
#endif
}
ldap_msgfree(result);
*/
if ((!(*mask & LDAP_REALM_MAXTICKETLIFE && *mask & LDAP_REALM_MAXRENEWLIFE &&
- *mask & LDAP_REALM_KRBTICKETFLAGS)) && rlparams->policyreference) {
-
- LDAP_SEARCH_1(rlparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
- int ost = st;
- st = translate_ldap_error (st, OP_SEARCH);
- krb5_set_error_message (context, st, "Policy object read failed: %s", ldap_err2string(ost));
- goto cleanup;
- }
- ent = ldap_first_entry (ld, result);
- if (ent != NULL) {
- if ((*mask & LDAP_REALM_MAXTICKETLIFE) == 0) {
- if ((values=ldap_get_values(ld, ent, "krbmaxticketlife")) != NULL) {
- rlparams->max_life = atoi(values[0]);
- *mask |= LDAP_REALM_MAXTICKETLIFE;
- ldap_value_free(values);
- }
- }
-
- if ((*mask & LDAP_REALM_MAXRENEWLIFE) == 0) {
- if ((values=ldap_get_values(ld, ent, "krbmaxrenewableage")) != NULL) {
- rlparams->max_renewable_life = atoi(values[0]);
- *mask |= LDAP_REALM_MAXRENEWLIFE;
- ldap_value_free(values);
- }
- }
-
- if ((*mask & LDAP_REALM_KRBTICKETFLAGS) == 0) {
- if ((values=ldap_get_values(ld, ent, "krbticketflags")) != NULL) {
- rlparams->tktflags = atoi(values[0]);
- *mask |= LDAP_REALM_KRBTICKETFLAGS;
- ldap_value_free(values);
- }
- }
- }
- ldap_msgfree(result);
+ *mask & LDAP_REALM_KRBTICKETFLAGS)) && rlparams->policyreference) {
+
+ LDAP_SEARCH_1(rlparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS);
+ if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
+ int ost = st;
+ st = translate_ldap_error (st, OP_SEARCH);
+ krb5_set_error_message (context, st, "Policy object read failed: %s", ldap_err2string(ost));
+ goto cleanup;
+ }
+ ent = ldap_first_entry (ld, result);
+ if (ent != NULL) {
+ if ((*mask & LDAP_REALM_MAXTICKETLIFE) == 0) {
+ if ((values=ldap_get_values(ld, ent, "krbmaxticketlife")) != NULL) {
+ rlparams->max_life = atoi(values[0]);
+ *mask |= LDAP_REALM_MAXTICKETLIFE;
+ ldap_value_free(values);
+ }
+ }
+
+ if ((*mask & LDAP_REALM_MAXRENEWLIFE) == 0) {
+ if ((values=ldap_get_values(ld, ent, "krbmaxrenewableage")) != NULL) {
+ rlparams->max_renewable_life = atoi(values[0]);
+ *mask |= LDAP_REALM_MAXRENEWLIFE;
+ ldap_value_free(values);
+ }
+ }
+
+ if ((*mask & LDAP_REALM_KRBTICKETFLAGS) == 0) {
+ if ((values=ldap_get_values(ld, ent, "krbticketflags")) != NULL) {
+ rlparams->tktflags = atoi(values[0]);
+ *mask |= LDAP_REALM_KRBTICKETFLAGS;
+ ldap_value_free(values);
+ }
+ }
+ }
+ ldap_msgfree(result);
}
rlparams->mask = *mask;
/* if there is an error, free allocated structures */
if (st != 0) {
- krb5_ldap_free_realm_params(rlparams);
- *rlparamp=NULL;
+ krb5_ldap_free_realm_params(rlparams);
+ *rlparamp=NULL;
}
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
Free the krb5_ldap_realm_params.
*/
void
-krb5_ldap_free_realm_params(rparams)
- krb5_ldap_realm_params *rparams;
+krb5_ldap_free_realm_params(krb5_ldap_realm_params *rparams)
{
int i=0;
if (rparams) {
- if (rparams->realmdn)
- free(rparams->realmdn);
+ if (rparams->realmdn)
+ free(rparams->realmdn);
- if (rparams->realm_name)
- krb5_xfree(rparams->realm_name);
+ if (rparams->realm_name)
+ krb5_xfree(rparams->realm_name);
+
+ if (rparams->subtree) {
+ for (i=0; i<rparams->subtreecount && rparams->subtree[i] ; i++)
+ krb5_xfree(rparams->subtree[i]);
+ krb5_xfree(rparams->subtree);
+ }
+
+ if (rparams->kdcservers) {
+ for (i=0; rparams->kdcservers[i]; ++i)
+ krb5_xfree(rparams->kdcservers[i]);
+ krb5_xfree(rparams->kdcservers);
+ }
+
+ if (rparams->adminservers) {
+ for (i=0; rparams->adminservers[i]; ++i)
+ krb5_xfree(rparams->adminservers[i]);
+ krb5_xfree(rparams->adminservers);
+ }
+
+ if (rparams->passwdservers) {
+ for (i=0; rparams->passwdservers[i]; ++i)
+ krb5_xfree(rparams->passwdservers[i]);
+ krb5_xfree(rparams->passwdservers);
+ }
+
+ if (rparams->tl_data) {
+ if (rparams->tl_data->tl_data_contents)
+ krb5_xfree(rparams->tl_data->tl_data_contents);
+ krb5_xfree(rparams->tl_data);
+ }
- if (rparams->subtree) {
- for (i=0; i<rparams->subtreecount && rparams->subtree[i] ; i++)
- krb5_xfree(rparams->subtree[i]);
- krb5_xfree(rparams->subtree);
+ if (rparams->mkey.contents) {
+ memset(rparams->mkey.contents, 0, rparams->mkey.length);
+ krb5_xfree(rparams->mkey.contents);
}
- if (rparams->kdcservers) {
- for (i=0; rparams->kdcservers[i]; ++i)
- krb5_xfree(rparams->kdcservers[i]);
- krb5_xfree(rparams->kdcservers);
- }
-
- if (rparams->adminservers) {
- for (i=0; rparams->adminservers[i]; ++i)
- krb5_xfree(rparams->adminservers[i]);
- krb5_xfree(rparams->adminservers);
- }
-
- if (rparams->passwdservers) {
- for (i=0; rparams->passwdservers[i]; ++i)
- krb5_xfree(rparams->passwdservers[i]);
- krb5_xfree(rparams->passwdservers);
- }
-
- if (rparams->tl_data) {
- if (rparams->tl_data->tl_data_contents)
- krb5_xfree(rparams->tl_data->tl_data_contents);
- krb5_xfree(rparams->tl_data);
- }
-
- if (rparams->mkey.contents) {
- memset(rparams->mkey.contents, 0, rparams->mkey.length);
- krb5_xfree(rparams->mkey.contents);
- }
-
- krb5_xfree(rparams);
+ krb5_xfree(rparams);
}
return;
}
*/
krb5_error_code
-krb5_ldap_delete_realm_1(krb5_context kcontext, char *conf_section, char **db_args)
+krb5_ldap_delete_realm_1(krb5_context kcontext, char *conf_section,
+ char **db_args)
{
krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP;
krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_realm.h
*
#define LDAP_REALM_MAXTICKETLIFE 0x0100
#define LDAP_REALM_MAXRENEWLIFE 0x0200
#define LDAP_REALM_KRBTICKETFLAGS 0x0400
-#define LDAP_REALM_CONTREF 0x0800
+#define LDAP_REALM_CONTREF 0x0800
extern char *policy_attributes[];
/* realm container structure */
typedef struct _krb5_ldap_realm_params {
- char *realmdn;
- char *realm_name;
- char **subtree;
- char *containerref;
- char *policyreference;
- int search_scope;
- int upenabled;
- int subtreecount;
- krb5_int32 max_life;
- krb5_int32 max_renewable_life;
- krb5_int32 tktflags;
- char **kdcservers;
- char **adminservers;
- char **passwdservers;
- krb5_tl_data *tl_data;
- krb5_keyblock mkey;
- krb5_keylist_node *mkey_list; /* all master keys in use for the realm */
- long mask;
+ char *realmdn;
+ char *realm_name;
+ char **subtree;
+ char *containerref;
+ char *policyreference;
+ int search_scope;
+ int upenabled;
+ int subtreecount;
+ krb5_int32 max_life;
+ krb5_int32 max_renewable_life;
+ krb5_int32 tktflags;
+ char **kdcservers;
+ char **adminservers;
+ char **passwdservers;
+ krb5_tl_data *tl_data;
+ krb5_keyblock mkey;
+ krb5_keylist_node *mkey_list; /* all master keys in use for the realm */
+ long mask;
} krb5_ldap_realm_params;
krb5_ldap_create_realm(krb5_context, krb5_ldap_realm_params *, int);
krb5_error_code
-krb5_ldap_read_realm_params(krb5_context , char *, krb5_ldap_realm_params **, int *);
+krb5_ldap_read_realm_params(krb5_context, char *, krb5_ldap_realm_params **,
+ int *);
void
krb5_ldap_free_realm_params(krb5_ldap_realm_params *);
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_service_rights.c
*
*/
krb5_error_code
-krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, contref, mask)
- krb5_context context;
- int servicetype;
- char *serviceobjdn;
- char *realmname;
- char **subtreeparam;
- char *contref;
- int mask;
+krb5_ldap_add_service_rights(krb5_context context, int servicetype,
+ char *serviceobjdn, char *realmname,
+ char **subtreeparam, char *contref, int mask)
{
int st=0,i=0,j=0;
GET_HANDLE();
if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
- || (ldap_context->krbcontainer->DN == NULL)) {
- st=-1;
- goto cleanup;
+ || (ldap_context->krbcontainer->DN == NULL)) {
+ st=-1;
+ goto cleanup;
}
if (subtreeparam != NULL) {
memset(subtree, 0, sizeof(char *) * (subtreecount + 1));
if (subtreeparam != NULL) {
for(i=0; subtreeparam[i]!=NULL; i++) {
- subtree[i] = strdup(subtreeparam[i]);
- if(subtree[i] == NULL) {
- st = ENOMEM;
- goto cleanup;
+ subtree[i] = strdup(subtreeparam[i]);
+ if(subtree[i] == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
}
}
- }
if (contref != NULL) {
subtree[i] = strdup(contref);
}
/* Set the rights for the realm */
if (mask & LDAP_REALM_RIGHTS) {
- /* Set the rights for the service object on the security container */
- seccontclass.mod_op = LDAP_MOD_ADD;
- seccontclass.mod_type = "ACL";
-
- for (i=0; strcmp(security_container[i][0], "") != 0; i++) {
-
- asprintf(&seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn,
- security_container[i][1]);
- seccontclass.mod_values = seccontacls;
-
- seccontarr[0] = &seccontclass;
-
- st = ldap_modify_ext_s(ld,
- SECURITY_CONTAINER,
- seccontarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(seccontacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(seccontacls[0]);
- }
+ /* Set the rights for the service object on the security container */
+ seccontclass.mod_op = LDAP_MOD_ADD;
+ seccontclass.mod_type = "ACL";
+ for (i=0; strcmp(security_container[i][0], "") != 0; i++) {
- /* Set the rights for the service object on the kerberos container */
- krbcontclass.mod_op = LDAP_MOD_ADD;
- krbcontclass.mod_type = "ACL";
-
- for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) {
- asprintf(&krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn,
- kerberos_container[i][1]);
- krbcontclass.mod_values = krbcontacls;
-
- krbcontarr[0] = &krbcontclass;
-
- st = ldap_modify_ext_s(ld,
- ldap_context->krbcontainer->DN,
- krbcontarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(krbcontacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(krbcontacls[0]);
- }
+ asprintf(&seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn,
+ security_container[i][1]);
+ seccontclass.mod_values = seccontacls;
+
+ seccontarr[0] = &seccontclass;
+
+ st = ldap_modify_ext_s(ld,
+ SECURITY_CONTAINER,
+ seccontarr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
+ free(seccontacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
+ free(seccontacls[0]);
+ }
+
+
+ /* Set the rights for the service object on the kerberos container */
+ krbcontclass.mod_op = LDAP_MOD_ADD;
+ krbcontclass.mod_type = "ACL";
+
+ for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) {
+ asprintf(&krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn,
+ kerberos_container[i][1]);
+ krbcontclass.mod_values = krbcontacls;
+
+ krbcontarr[0] = &krbcontclass;
- /* Construct the realm dn from realm name */
- asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
-
- realmclass.mod_op = LDAP_MOD_ADD;
- realmclass.mod_type = "ACL";
-
- if (servicetype == LDAP_KDC_SERVICE) {
- for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
- asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
- kdcrights_realmcontainer[i][1]);
- realmclass.mod_values = realmacls;
-
- realmarr[0] = &realmclass;
-
- st = ldap_modify_ext_s(ld,
- realmdn,
- realmarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(realmacls[0]);
- }
- } else if (servicetype == LDAP_ADMIN_SERVICE) {
- for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
- asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
- adminrights_realmcontainer[i][1]);
- realmclass.mod_values = realmacls;
-
- realmarr[0] = &realmclass;
-
- st = ldap_modify_ext_s(ld,
- realmdn,
- realmarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(realmacls[0]);
- }
- } else if (servicetype == LDAP_PASSWD_SERVICE) {
- for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) {
- asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
- pwdrights_realmcontainer[i][1]);
- realmclass.mod_values = realmacls;
-
- realmarr[0] = &realmclass;
-
-
- st = ldap_modify_ext_s(ld,
- realmdn,
- realmarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(realmacls[0]);
- }
- }
+ st = ldap_modify_ext_s(ld,
+ ldap_context->krbcontainer->DN,
+ krbcontarr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
+ free(krbcontacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
+ free(krbcontacls[0]);
+ }
+
+ /* Construct the realm dn from realm name */
+ asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
+
+ realmclass.mod_op = LDAP_MOD_ADD;
+ realmclass.mod_type = "ACL";
+
+ if (servicetype == LDAP_KDC_SERVICE) {
+ for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
+ asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
+ kdcrights_realmcontainer[i][1]);
+ realmclass.mod_values = realmacls;
+
+ realmarr[0] = &realmclass;
+
+ st = ldap_modify_ext_s(ld,
+ realmdn,
+ realmarr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
+ free(realmacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
+ free(realmacls[0]);
+ }
+ } else if (servicetype == LDAP_ADMIN_SERVICE) {
+ for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
+ asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
+ adminrights_realmcontainer[i][1]);
+ realmclass.mod_values = realmacls;
+
+ realmarr[0] = &realmclass;
+
+ st = ldap_modify_ext_s(ld,
+ realmdn,
+ realmarr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
+ free(realmacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
+ free(realmacls[0]);
+ }
+ } else if (servicetype == LDAP_PASSWD_SERVICE) {
+ for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) {
+ asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
+ pwdrights_realmcontainer[i][1]);
+ realmclass.mod_values = realmacls;
+
+ realmarr[0] = &realmclass;
+
+
+ st = ldap_modify_ext_s(ld,
+ realmdn,
+ realmarr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
+ free(realmacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
+ free(realmacls[0]);
+ }
+ }
} /* Realm rights settings ends here */
/* Subtree rights to be set */
if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) {
- /* Populate the acl data to be added to the subtree */
- subtreeclass.mod_op = LDAP_MOD_ADD;
- subtreeclass.mod_type = "ACL";
+ /* Populate the acl data to be added to the subtree */
+ subtreeclass.mod_op = LDAP_MOD_ADD;
+ subtreeclass.mod_type = "ACL";
- if (servicetype == LDAP_KDC_SERVICE) {
- for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
- asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
- kdcrights_subtree[i][1]);
- subtreeclass.mod_values = subtreeacls;
+ if (servicetype == LDAP_KDC_SERVICE) {
+ for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
+ asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
+ kdcrights_subtree[i][1]);
+ subtreeclass.mod_values = subtreeacls;
- subtreearr[0] = &subtreeclass;
+ subtreearr[0] = &subtreeclass;
/* set rights to a list of subtrees */
for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
- st = ldap_modify_ext_s(ld,
- subtree[j],
- subtreearr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
+ st = ldap_modify_ext_s(ld,
+ subtree[j],
+ subtreearr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
+ free(subtreeacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
}
- free(subtreeacls[0]);
- }
- } else if (servicetype == LDAP_ADMIN_SERVICE) {
- for (i=0; strcmp(adminrights_subtree[i][0], "")!=0; i++) {
- asprintf(&subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
- adminrights_subtree[i][1]);
- subtreeclass.mod_values = subtreeacls;
+ free(subtreeacls[0]);
+ }
+ } else if (servicetype == LDAP_ADMIN_SERVICE) {
+ for (i=0; strcmp(adminrights_subtree[i][0], "")!=0; i++) {
+ asprintf(&subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
+ adminrights_subtree[i][1]);
+ subtreeclass.mod_values = subtreeacls;
- subtreearr[0] = &subtreeclass;
+ subtreearr[0] = &subtreeclass;
/* set rights to a list of subtrees */
for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
- st = ldap_modify_ext_s(ld,
- subtree[j],
- subtreearr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st !=LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
+ st = ldap_modify_ext_s(ld,
+ subtree[j],
+ subtreearr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st !=LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
+ free(subtreeacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
}
- free(subtreeacls[0]);
- }
- } else if (servicetype == LDAP_PASSWD_SERVICE) {
- for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
- asprintf(&subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
- pwdrights_subtree[i][1]);
- subtreeclass.mod_values = subtreeacls;
+ free(subtreeacls[0]);
+ }
+ } else if (servicetype == LDAP_PASSWD_SERVICE) {
+ for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
+ asprintf(&subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
+ pwdrights_subtree[i][1]);
+ subtreeclass.mod_values = subtreeacls;
- subtreearr[0] = &subtreeclass;
+ subtreearr[0] = &subtreeclass;
/* set rights to a list of subtrees */
for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
- st = ldap_modify_ext_s(ld,
- subtree[j],
- subtreearr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
+ st = ldap_modify_ext_s(ld,
+ subtree[j],
+ subtreearr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
+ free(subtreeacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
}
- free(subtreeacls[0]);
- }
- }
+ free(subtreeacls[0]);
+ }
+ }
} /* Subtree rights settings ends here */
st = 0;
cleanup:
if (realmdn)
- free(realmdn);
+ free(realmdn);
if (subtree)
- free(subtree);
+ free(subtree);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
*/
krb5_error_code
-krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, contref, mask)
- krb5_context context;
- int servicetype;
- char *serviceobjdn;
- char *realmname;
- char **subtreeparam;
- char *contref;
- int mask;
+krb5_ldap_delete_service_rights(krb5_context context, int servicetype,
+ char *serviceobjdn, char *realmname,
+ char **subtreeparam, char *contref, int mask)
{
int st=0,i=0,j=0;
GET_HANDLE();
if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
- || (ldap_context->krbcontainer->DN == NULL)) {
- st = -1;
- goto cleanup;
+ || (ldap_context->krbcontainer->DN == NULL)) {
+ st = -1;
+ goto cleanup;
}
if (subtreeparam != NULL) {
- while(subtreeparam[subtreecount])
- subtreecount++;
+ while(subtreeparam[subtreecount])
+ subtreecount++;
}
if (contref != NULL) {
subtreecount++;
memset(subtree, 0, sizeof(char *) * (subtreecount + 1));
if (subtreeparam != NULL) {
for(i=0; subtreeparam[i]!=NULL; i++) {
- subtree[i] = strdup(subtreeparam[i]);
- if(subtree[i] == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- }
+ subtree[i] = strdup(subtreeparam[i]);
+ if(subtree[i] == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+ }
}
if (contref != NULL) {
subtree[i] = strdup(contref);
/* Set the rights for the realm */
if (mask & LDAP_REALM_RIGHTS) {
- asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
-
- realmclass.mod_op=LDAP_MOD_DELETE;
- realmclass.mod_type="ACL";
-
- if (servicetype == LDAP_KDC_SERVICE) {
- for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
- asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
- kdcrights_realmcontainer[i][1]);
- realmclass.mod_values= realmacls;
-
- realmarr[0]=&realmclass;
-
- st = ldap_modify_ext_s(ld,
- realmdn,
- realmarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
- free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(realmacls[0]);
- }
- } else if (servicetype == LDAP_ADMIN_SERVICE) {
- for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
- asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
- adminrights_realmcontainer[i][1]);
- realmclass.mod_values= realmacls;
-
- realmarr[0]=&realmclass;
-
- st = ldap_modify_ext_s(ld,
- realmdn,
- realmarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
- free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(realmacls[0]);
- }
- } else if (servicetype == LDAP_PASSWD_SERVICE) {
- for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) {
- asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
- pwdrights_realmcontainer[i][1]);
- realmclass.mod_values= realmacls;
-
- realmarr[0]=&realmclass;
-
- st = ldap_modify_ext_s(ld,
- realmdn,
- realmarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
- free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(realmacls[0]);
- }
- }
+ asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
+
+ realmclass.mod_op=LDAP_MOD_DELETE;
+ realmclass.mod_type="ACL";
+
+ if (servicetype == LDAP_KDC_SERVICE) {
+ for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
+ asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
+ kdcrights_realmcontainer[i][1]);
+ realmclass.mod_values= realmacls;
+
+ realmarr[0]=&realmclass;
+
+ st = ldap_modify_ext_s(ld,
+ realmdn,
+ realmarr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
+ free(realmacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
+ free(realmacls[0]);
+ }
+ } else if (servicetype == LDAP_ADMIN_SERVICE) {
+ for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
+ asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
+ adminrights_realmcontainer[i][1]);
+ realmclass.mod_values= realmacls;
+
+ realmarr[0]=&realmclass;
+
+ st = ldap_modify_ext_s(ld,
+ realmdn,
+ realmarr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
+ free(realmacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
+ free(realmacls[0]);
+ }
+ } else if (servicetype == LDAP_PASSWD_SERVICE) {
+ for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) {
+ asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
+ pwdrights_realmcontainer[i][1]);
+ realmclass.mod_values= realmacls;
+
+ realmarr[0]=&realmclass;
+
+ st = ldap_modify_ext_s(ld,
+ realmdn,
+ realmarr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
+ free(realmacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
+ free(realmacls[0]);
+ }
+ }
} /* Realm rights setting ends here */
/* Set the rights for the subtree */
if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) {
- /* Populate the acl data to be added to the subtree */
- subtreeclass.mod_op=LDAP_MOD_DELETE;
- subtreeclass.mod_type="ACL";
+ /* Populate the acl data to be added to the subtree */
+ subtreeclass.mod_op=LDAP_MOD_DELETE;
+ subtreeclass.mod_type="ACL";
- if (servicetype == LDAP_KDC_SERVICE) {
- for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
- asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
- kdcrights_subtree[i][1]);
- subtreeclass.mod_values= subtreeacls;
+ if (servicetype == LDAP_KDC_SERVICE) {
+ for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
+ asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
+ kdcrights_subtree[i][1]);
+ subtreeclass.mod_values= subtreeacls;
- subtreearr[0]=&subtreeclass;
+ subtreearr[0]=&subtreeclass;
for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
- st = ldap_modify_ext_s(ld,
- subtree[j],
- subtreearr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
- free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
+ st = ldap_modify_ext_s(ld,
+ subtree[j],
+ subtreearr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
+ free(subtreeacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
}
- free(subtreeacls[0]);
- }
- } else if (servicetype == LDAP_ADMIN_SERVICE) {
- for (i=0; strcmp(adminrights_subtree[i][0], "") != 0; i++) {
- asprintf(&subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
- adminrights_subtree[i][1]);
- subtreeclass.mod_values= subtreeacls;
+ free(subtreeacls[0]);
+ }
+ } else if (servicetype == LDAP_ADMIN_SERVICE) {
+ for (i=0; strcmp(adminrights_subtree[i][0], "") != 0; i++) {
+ asprintf(&subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
+ adminrights_subtree[i][1]);
+ subtreeclass.mod_values= subtreeacls;
- subtreearr[0]=&subtreeclass;
+ subtreearr[0]=&subtreeclass;
for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
- st = ldap_modify_ext_s(ld,
- subtree[j],
- subtreearr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
- free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
+ st = ldap_modify_ext_s(ld,
+ subtree[j],
+ subtreearr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
+ free(subtreeacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
}
- free(subtreeacls[0]);
- }
- } else if (servicetype == LDAP_PASSWD_SERVICE) {
- for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
- asprintf(&subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
- pwdrights_subtree[i][1]);
- subtreeclass.mod_values= subtreeacls;
+ free(subtreeacls[0]);
+ }
+ } else if (servicetype == LDAP_PASSWD_SERVICE) {
+ for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
+ asprintf(&subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
+ pwdrights_subtree[i][1]);
+ subtreeclass.mod_values= subtreeacls;
- subtreearr[0]=&subtreeclass;
+ subtreearr[0]=&subtreeclass;
for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
- st = ldap_modify_ext_s(ld,
- subtree[j],
- subtreearr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
- free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
+ st = ldap_modify_ext_s(ld,
+ subtree[j],
+ subtreearr,
+ NULL,
+ NULL);
+ if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
+ free(subtreeacls[0]);
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
+ }
}
- free(subtreeacls[0]);
- }
- }
+ free(subtreeacls[0]);
+ }
+ }
} /* Subtree rights setting ends here */
st = 0;
cleanup:
if (realmdn)
- free(realmdn);
+ free(realmdn);
if (subtree)
- free(subtree);
+ free(subtree);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_service_stash.c
*
#include "ldap_service_stash.h"
krb5_error_code
-krb5_ldap_readpassword(context, ldap_context, password)
- krb5_context context;
- krb5_ldap_context *ldap_context;
- unsigned char **password;
+krb5_ldap_readpassword(krb5_context context, krb5_ldap_context *ldap_context,
+ unsigned char **password)
{
int entryfound=0;
krb5_error_code st=0;
*password = NULL;
if (ldap_context->service_password_file)
- file = ldap_context->service_password_file;
+ file = ldap_context->service_password_file;
#ifndef HAVE_STRERROR_R
# undef strerror_r
/* check whether file exists */
if (access(file, F_OK) < 0) {
- st = errno;
- strerror_r(errno, errbuf, sizeof(errbuf));
- krb5_set_error_message (context, st, "%s", errbuf);
- goto rp_exit;
+ st = errno;
+ strerror_r(errno, errbuf, sizeof(errbuf));
+ krb5_set_error_message (context, st, "%s", errbuf);
+ goto rp_exit;
}
/* check read access */
if (access(file, R_OK) < 0) {
- st = errno;
- strerror_r(errno, errbuf, sizeof(errbuf));
- krb5_set_error_message (context, st, "%s", errbuf);
- goto rp_exit;
+ st = errno;
+ strerror_r(errno, errbuf, sizeof(errbuf));
+ krb5_set_error_message (context, st, "%s", errbuf);
+ goto rp_exit;
}
if ((fptr=fopen(file, "r")) == NULL) {
- st = errno;
- strerror_r(errno, errbuf, sizeof(errbuf));
- krb5_set_error_message (context, st, "%s", errbuf);
- goto rp_exit;
+ st = errno;
+ strerror_r(errno, errbuf, sizeof(errbuf));
+ krb5_set_error_message (context, st, "%s", errbuf);
+ goto rp_exit;
}
set_cloexec_file(fptr);
/* get the record from the file */
while (fgets(line, RECORDLEN, fptr)!= NULL) {
- char tmp[RECORDLEN];
-
- tmp[0] = '\0';
- /* Handle leading white-spaces */
- for (start = line; isspace(*start); ++start);
-
- /* Handle comment lines */
- if (*start == '!' || *start == '#')
- continue;
- sscanf(line, "%*[ \t]%[^#]", tmp);
- if (tmp[0] == '\0')
- sscanf(line, "%[^#]", tmp);
- if (strcasecmp(tmp, ldap_context->bind_dn) == 0) {
- entryfound = 1; /* service_dn record found !!! */
- break;
- }
+ char tmp[RECORDLEN];
+
+ tmp[0] = '\0';
+ /* Handle leading white-spaces */
+ for (start = line; isspace(*start); ++start);
+
+ /* Handle comment lines */
+ if (*start == '!' || *start == '#')
+ continue;
+ sscanf(line, "%*[ \t]%[^#]", tmp);
+ if (tmp[0] == '\0')
+ sscanf(line, "%[^#]", tmp);
+ if (strcasecmp(tmp, ldap_context->bind_dn) == 0) {
+ entryfound = 1; /* service_dn record found !!! */
+ break;
+ }
}
fclose (fptr);
if (entryfound == 0) {
- st = KRB5_KDB_SERVER_INTERNAL_ERR;
- krb5_set_error_message (context, st, "Bind DN entry missing in stash file");
- goto rp_exit;
+ st = KRB5_KDB_SERVER_INTERNAL_ERR;
+ krb5_set_error_message (context, st, "Bind DN entry missing in stash file");
+ goto rp_exit;
}
/* replace the \n with \0 */
start = strchr(line, '\n');
if (start)
- *start = '\0';
+ *start = '\0';
start = strchr(line, '#');
if (start == NULL) {
- /* password field missing */
- st = KRB5_KDB_SERVER_INTERNAL_ERR;
- krb5_set_error_message (context, st, "Stash file entry corrupt");
- goto rp_exit;
+ /* password field missing */
+ st = KRB5_KDB_SERVER_INTERNAL_ERR;
+ krb5_set_error_message (context, st, "Stash file entry corrupt");
+ goto rp_exit;
}
++ start;
/* Extract the plain password / certificate file information */
{
- struct data PT, CT;
-
- /* Check if the entry has the path of a certificate */
- if (!strncmp(start, "{FILE}", strlen("{FILE}"))) {
- /* Set *password = {FILE}<path to cert>\0<cert password> */
- size_t len = strlen(start);
-
- *password = (unsigned char *)malloc(len + 2);
- if (*password == NULL) {
- st = ENOMEM;
- goto rp_exit;
- }
- memcpy(*password, start, len);
- (*password)[len] = '\0';
- (*password)[len + 1] = '\0';
- goto got_password;
- } else {
- CT.value = (unsigned char *)start;
- CT.len = strlen((char *)CT.value);
- st = dec_password(CT, &PT);
- if (st != 0) {
- switch (st) {
- case ERR_NO_MEM:
- st = ENOMEM;
- break;
- case ERR_PWD_ZERO:
- st = EINVAL;
- krb5_set_error_message(context, st, "Password has zero length");
- break;
- case ERR_PWD_BAD:
- st = EINVAL;
- krb5_set_error_message(context, st, "Password corrupted");
- break;
- case ERR_PWD_NOT_HEX:
- st = EINVAL;
- krb5_set_error_message(context, st, "Not a hexadecimal password");
- break;
- default:
- st = KRB5_KDB_SERVER_INTERNAL_ERR;
- break;
- }
- goto rp_exit;
- }
- *password = PT.value;
- }
+ struct data PT, CT;
+
+ /* Check if the entry has the path of a certificate */
+ if (!strncmp(start, "{FILE}", strlen("{FILE}"))) {
+ /* Set *password = {FILE}<path to cert>\0<cert password> */
+ size_t len = strlen(start);
+
+ *password = (unsigned char *)malloc(len + 2);
+ if (*password == NULL) {
+ st = ENOMEM;
+ goto rp_exit;
+ }
+ memcpy(*password, start, len);
+ (*password)[len] = '\0';
+ (*password)[len + 1] = '\0';
+ goto got_password;
+ } else {
+ CT.value = (unsigned char *)start;
+ CT.len = strlen((char *)CT.value);
+ st = dec_password(CT, &PT);
+ if (st != 0) {
+ switch (st) {
+ case ERR_NO_MEM:
+ st = ENOMEM;
+ break;
+ case ERR_PWD_ZERO:
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Password has zero length");
+ break;
+ case ERR_PWD_BAD:
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Password corrupted");
+ break;
+ case ERR_PWD_NOT_HEX:
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Not a hexadecimal password");
+ break;
+ default:
+ st = KRB5_KDB_SERVER_INTERNAL_ERR;
+ break;
+ }
+ goto rp_exit;
+ }
+ *password = PT.value;
+ }
}
got_password:
rp_exit:
if (st) {
- if (*password)
- free (*password);
- *password = NULL;
+ if (*password)
+ free (*password);
+ *password = NULL;
}
return st;
}
/* Encodes a sequence of bytes in hexadecimal */
int
-tohex(in, ret)
- krb5_data in;
- krb5_data *ret;
+tohex(krb5_data in, krb5_data *ret)
{
int i=0, err = 0;
ret->data = malloc((unsigned int)in.length * 2 + 1 /*Null termination */);
if (ret->data == NULL) {
- err = ENOMEM;
- goto cleanup;
+ err = ENOMEM;
+ goto cleanup;
}
ret->length = in.length * 2;
ret->data[ret->length] = 0;
for (i = 0; i < in.length; i++)
- snprintf(ret->data + 2 * i, 3, "%02x", in.data[i] & 0xff);
+ snprintf(ret->data + 2 * i, 3, "%02x", in.data[i] & 0xff);
cleanup:
if (ret->length == 0) {
- free(ret->data);
- ret->data = NULL;
+ free(ret->data);
+ ret->data = NULL;
}
return err;
* ERR_PWD_NOT_HEX - Not a hexadecimal password
*/
-int dec_password(struct data pwd, struct data *ret) {
+int
+dec_password(struct data pwd, struct data *ret)
+{
int err=0;
int i=0, j=0;
ret->value = NULL;
if (pwd.len == 0) {
- err = ERR_PWD_ZERO;
- ret->len = 0;
- goto cleanup;
+ err = ERR_PWD_ZERO;
+ ret->len = 0;
+ goto cleanup;
}
/* Check if it is a hexadecimal encoded password */
if (pwd.len >= strlen("{HEX}") &&
- strncmp((char *)pwd.value, "{HEX}", strlen("{HEX}")) == 0) {
-
- if ((pwd.len - strlen("{HEX}")) % 2 != 0) {
- /* A hexadecimal encoded password should have even length */
- err = ERR_PWD_BAD;
- ret->len = 0;
- goto cleanup;
- }
- ret->value = (unsigned char *)malloc((pwd.len - strlen("{HEX}")) / 2 + 1);
- if (ret->value == NULL) {
- err = ERR_NO_MEM;
- ret->len = 0;
- goto cleanup;
- }
- ret->len = (pwd.len - strlen("{HEX}")) / 2;
- ret->value[ret->len] = '\0';
- for (i = strlen("{HEX}"), j = 0; i < pwd.len; i += 2, j++) {
- unsigned int k;
- /* Check if it is a hexadecimal number */
- if (isxdigit(pwd.value[i]) == 0 || isxdigit(pwd.value[i + 1]) == 0) {
- err = ERR_PWD_NOT_HEX;
- ret->len = 0;
- goto cleanup;
- }
- sscanf((char *)pwd.value + i, "%2x", &k);
- ret->value[j] = k;
- }
- goto cleanup;
+ strncmp((char *)pwd.value, "{HEX}", strlen("{HEX}")) == 0) {
+
+ if ((pwd.len - strlen("{HEX}")) % 2 != 0) {
+ /* A hexadecimal encoded password should have even length */
+ err = ERR_PWD_BAD;
+ ret->len = 0;
+ goto cleanup;
+ }
+ ret->value = (unsigned char *)malloc((pwd.len - strlen("{HEX}")) / 2 + 1);
+ if (ret->value == NULL) {
+ err = ERR_NO_MEM;
+ ret->len = 0;
+ goto cleanup;
+ }
+ ret->len = (pwd.len - strlen("{HEX}")) / 2;
+ ret->value[ret->len] = '\0';
+ for (i = strlen("{HEX}"), j = 0; i < pwd.len; i += 2, j++) {
+ unsigned int k;
+ /* Check if it is a hexadecimal number */
+ if (isxdigit(pwd.value[i]) == 0 || isxdigit(pwd.value[i + 1]) == 0) {
+ err = ERR_PWD_NOT_HEX;
+ ret->len = 0;
+ goto cleanup;
+ }
+ sscanf((char *)pwd.value + i, "%2x", &k);
+ ret->value[j] = k;
+ }
+ goto cleanup;
} else {
- err = ERR_PWD_NOT_HEX;
- ret->len = 0;
- goto cleanup;
+ err = ERR_PWD_NOT_HEX;
+ ret->len = 0;
+ goto cleanup;
}
cleanup:
if (ret->len == 0) {
- free(ret->value);
- ret->value = NULL;
+ free(ret->value);
+ ret->value = NULL;
}
return(err);
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_service_stash.h
*
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_services.c
*
*/
krb5_error_code
-krb5_ldap_create_service(context, service, mask)
- krb5_context context;
- krb5_ldap_service_params *service;
- int mask;
+krb5_ldap_create_service(krb5_context context,
+ krb5_ldap_service_params *service, int mask)
{
int i=0, j=0;
krb5_error_code st=0;
/* validate the input parameter */
if (service == NULL || service->servicedn == NULL) {
- st = EINVAL;
- krb5_set_error_message (context, st, "Service DN NULL");
- goto cleanup;
+ st = EINVAL;
+ krb5_set_error_message (context, st, "Service DN NULL");
+ goto cleanup;
}
SETUP_CONTEXT();
memset(strval, 0, sizeof(strval));
strval[0] = "krbService";
if (service->servicetype == LDAP_KDC_SERVICE) {
- strval[1] = "krbKdcService";
- realmattr = "krbKdcServers";
+ strval[1] = "krbKdcService";
+ realmattr = "krbKdcServers";
} else if (service->servicetype == LDAP_ADMIN_SERVICE) {
- strval[1] = "krbAdmService";
- realmattr = "krbAdmServers";
+ strval[1] = "krbAdmService";
+ realmattr = "krbAdmServers";
} else if (service->servicetype == LDAP_PASSWD_SERVICE) {
- strval[1] = "krbPwdService";
- realmattr = "krbPwdServers";
+ strval[1] = "krbPwdService";
+ realmattr = "krbPwdServers";
} else {
- strval[1] = "krbKdcService";
- realmattr = "krbKdcServers";
+ strval[1] = "krbKdcService";
+ realmattr = "krbKdcServers";
}
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ goto cleanup;
rdns = ldap_explode_dn(service->servicedn, 1);
if (rdns == NULL) {
- st = LDAP_INVALID_DN_SYNTAX;
- goto cleanup;
+ st = LDAP_INVALID_DN_SYNTAX;
+ goto cleanup;
}
memset(strval, 0, sizeof(strval));
strval[0] = rdns[0];
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ goto cleanup;
if (mask & LDAP_SERVICE_SERVICEFLAG) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_ADD,
- service->krbserviceflags)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_ADD,
+ service->krbserviceflags)) != 0)
+ goto cleanup;
}
if (mask & LDAP_SERVICE_HOSTSERVER) {
- if (service->krbhostservers != NULL) {
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_ADD,
- service->krbhostservers)) != 0)
- goto cleanup;
- } else {
- st = EINVAL;
- krb5_set_error_message (context, st, "'krbhostserver' argument invalid");
- goto cleanup;
- }
+ if (service->krbhostservers != NULL) {
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_ADD,
+ service->krbhostservers)) != 0)
+ goto cleanup;
+ } else {
+ st = EINVAL;
+ krb5_set_error_message (context, st, "'krbhostserver' argument invalid");
+ goto cleanup;
+ }
}
if (mask & LDAP_SERVICE_REALMREFERENCE) {
- if (service->krbrealmreferences != NULL) {
- unsigned int realmmask=0;
-
- /* check for the validity of the values */
- for (j=0; service->krbrealmreferences[j] != NULL; ++j) {
- st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass",
- realmcontclass, &realmmask);
- CHECK_CLASS_VALIDITY(st, realmmask, "realm object value: ");
- }
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_ADD,
- service->krbrealmreferences)) != 0)
- goto cleanup;
- } else {
- st = EINVAL;
- krb5_set_error_message (context, st, "Server has no 'krbrealmreferences'");
- goto cleanup;
- }
+ if (service->krbrealmreferences != NULL) {
+ unsigned int realmmask=0;
+
+ /* check for the validity of the values */
+ for (j=0; service->krbrealmreferences[j] != NULL; ++j) {
+ st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass",
+ realmcontclass, &realmmask);
+ CHECK_CLASS_VALIDITY(st, realmmask, "realm object value: ");
+ }
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_ADD,
+ service->krbrealmreferences)) != 0)
+ goto cleanup;
+ } else {
+ st = EINVAL;
+ krb5_set_error_message (context, st, "Server has no 'krbrealmreferences'");
+ goto cleanup;
+ }
}
/* ldap add operation */
if ((st=ldap_add_ext_s(ld, service->servicedn, mods, NULL, NULL)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_ADD);
- goto cleanup;
+ st = set_ldap_error (context, st, OP_ADD);
+ goto cleanup;
}
/*
* to have a reference to the service object just created.
*/
if (mask & LDAP_SERVICE_REALMREFERENCE) {
- for (i=0; service->krbrealmreferences[i]; ++i) {
- if ((st=updateAttribute(ld, service->krbrealmreferences[i], realmattr,
- service->servicedn)) != 0) {
- snprintf (errbuf, sizeof(errbuf),
- "Error adding 'krbRealmReferences' to %s: ",
- service->krbrealmreferences[i]);
- prepend_err_str (context, errbuf, st, st);
- /* delete service object, status ignored intentionally */
- ldap_delete_ext_s(ld, service->servicedn, NULL, NULL);
- goto cleanup;
- }
- }
+ for (i=0; service->krbrealmreferences[i]; ++i) {
+ if ((st=updateAttribute(ld, service->krbrealmreferences[i], realmattr,
+ service->servicedn)) != 0) {
+ snprintf (errbuf, sizeof(errbuf),
+ "Error adding 'krbRealmReferences' to %s: ",
+ service->krbrealmreferences[i]);
+ prepend_err_str (context, errbuf, st, st);
+ /* delete service object, status ignored intentionally */
+ ldap_delete_ext_s(ld, service->servicedn, NULL, NULL);
+ goto cleanup;
+ }
+ }
}
cleanup:
if (rdns)
- ldap_value_free (rdns);
+ ldap_value_free (rdns);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
*/
krb5_error_code
-krb5_ldap_modify_service(context, service, mask)
- krb5_context context;
- krb5_ldap_service_params *service;
- int mask;
+krb5_ldap_modify_service(krb5_context context,
+ krb5_ldap_service_params *service, int mask)
{
int i=0, j=0, count=0;
krb5_error_code st=0;
/* validate the input parameter */
if (service == NULL || service->servicedn == NULL) {
- st = EINVAL;
- krb5_set_error_message (context, st, "Service DN is NULL");
- goto cleanup;
+ st = EINVAL;
+ krb5_set_error_message (context, st, "Service DN is NULL");
+ goto cleanup;
}
SETUP_CONTEXT();
GET_HANDLE();
if (mask & LDAP_SERVICE_SERVICEFLAG) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_REPLACE,
- service->krbserviceflags)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_REPLACE,
+ service->krbserviceflags)) != 0)
+ goto cleanup;
}
if (mask & LDAP_SERVICE_HOSTSERVER) {
- if (service->krbhostservers != NULL) {
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_REPLACE,
- service->krbhostservers)) != 0)
- goto cleanup;
- } else {
- st = EINVAL;
- krb5_set_error_message (context, st, "'krbhostserver' value invalid");
- goto cleanup;
- }
+ if (service->krbhostservers != NULL) {
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_REPLACE,
+ service->krbhostservers)) != 0)
+ goto cleanup;
+ } else {
+ st = EINVAL;
+ krb5_set_error_message (context, st, "'krbhostserver' value invalid");
+ goto cleanup;
+ }
}
if (mask & LDAP_SERVICE_REALMREFERENCE) {
- if (service->krbrealmreferences != NULL) {
- unsigned int realmmask=0;
-
- /* check for the validity of the values */
- for (j=0; service->krbrealmreferences[j]; ++j) {
- st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass",
- realmcontclass, &realmmask);
- CHECK_CLASS_VALIDITY(st, realmmask, "realm object value: ");
- }
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_REPLACE,
- service->krbrealmreferences)) != 0)
- goto cleanup;
-
-
- /* get the attribute of the realm to be set */
- if (service->servicetype == LDAP_KDC_SERVICE)
- realmattr = "krbKdcServers";
- else if (service->servicetype == LDAP_ADMIN_SERVICE)
- realmattr = "krbAdmservers";
- else if (service->servicetype == LDAP_PASSWD_SERVICE)
- realmattr = "krbPwdServers";
- else
- realmattr = "krbKdcServers";
-
- /* read the existing list of krbRealmreferences. this will needed */
- if ((st = ldap_search_ext_s (ld,
- service->servicedn,
- LDAP_SCOPE_BASE,
- 0,
- attr,
- 0,
- NULL,
- NULL,
- NULL,
- 0,
- &result)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_SEARCH);
- goto cleanup;
- }
-
- ent = ldap_first_entry(ld, result);
- if (ent) {
- if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &oldrealmrefs, count)) != 0)
- goto cleanup;
- ldap_value_free(values);
- }
- }
- ldap_msgfree(result);
- } else {
- st = EINVAL;
- krb5_set_error_message (context, st, "'krbRealmReferences' value invalid");
- goto cleanup;
- }
+ if (service->krbrealmreferences != NULL) {
+ unsigned int realmmask=0;
+
+ /* check for the validity of the values */
+ for (j=0; service->krbrealmreferences[j]; ++j) {
+ st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass",
+ realmcontclass, &realmmask);
+ CHECK_CLASS_VALIDITY(st, realmmask, "realm object value: ");
+ }
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_REPLACE,
+ service->krbrealmreferences)) != 0)
+ goto cleanup;
+
+
+ /* get the attribute of the realm to be set */
+ if (service->servicetype == LDAP_KDC_SERVICE)
+ realmattr = "krbKdcServers";
+ else if (service->servicetype == LDAP_ADMIN_SERVICE)
+ realmattr = "krbAdmservers";
+ else if (service->servicetype == LDAP_PASSWD_SERVICE)
+ realmattr = "krbPwdServers";
+ else
+ realmattr = "krbKdcServers";
+
+ /* read the existing list of krbRealmreferences. this will needed */
+ if ((st = ldap_search_ext_s (ld,
+ service->servicedn,
+ LDAP_SCOPE_BASE,
+ 0,
+ attr,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ &result)) != LDAP_SUCCESS) {
+ st = set_ldap_error (context, st, OP_SEARCH);
+ goto cleanup;
+ }
+
+ ent = ldap_first_entry(ld, result);
+ if (ent) {
+ if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) {
+ count = ldap_count_values(values);
+ if ((st=copy_arrays(values, &oldrealmrefs, count)) != 0)
+ goto cleanup;
+ ldap_value_free(values);
+ }
+ }
+ ldap_msgfree(result);
+ } else {
+ st = EINVAL;
+ krb5_set_error_message (context, st, "'krbRealmReferences' value invalid");
+ goto cleanup;
+ }
}
/* ldap modify operation */
if ((st=ldap_modify_ext_s(ld, service->servicedn, mods, NULL, NULL)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
}
/*
*/
if (mask & LDAP_SERVICE_REALMREFERENCE) {
- /* get the count of the new list of krbrealmreferences */
- for (i=0; service->krbrealmreferences[i]; ++i)
- ;
-
- /* make a new copy of the krbrealmreferences */
- if ((st=copy_arrays(service->krbrealmreferences, &newrealmrefs, i)) != 0)
- goto cleanup;
-
- /* find the deletions/additions to the list of krbrealmreferences */
- if (disjoint_members(oldrealmrefs, newrealmrefs) != 0)
- goto cleanup;
-
- /* see if some of the attributes have to be deleted */
- if (oldrealmrefs) {
-
- /* update the dn represented by the attribute that is to be deleted */
- for (i=0; oldrealmrefs[i]; ++i)
- if ((st=deleteAttribute(ld, oldrealmrefs[i], realmattr, service->servicedn)) != 0) {
- prepend_err_str (context, "Error deleting realm attribute:", st, st);
- goto cleanup;
- }
- }
-
- /* see if some of the attributes have to be added */
- for (i=0; newrealmrefs[i]; ++i)
- if ((st=updateAttribute(ld, newrealmrefs[i], realmattr, service->servicedn)) != 0) {
- prepend_err_str (context, "Error updating realm attribute: ", st, st);
- goto cleanup;
- }
+ /* get the count of the new list of krbrealmreferences */
+ for (i=0; service->krbrealmreferences[i]; ++i)
+ ;
+
+ /* make a new copy of the krbrealmreferences */
+ if ((st=copy_arrays(service->krbrealmreferences, &newrealmrefs, i)) != 0)
+ goto cleanup;
+
+ /* find the deletions/additions to the list of krbrealmreferences */
+ if (disjoint_members(oldrealmrefs, newrealmrefs) != 0)
+ goto cleanup;
+
+ /* see if some of the attributes have to be deleted */
+ if (oldrealmrefs) {
+
+ /* update the dn represented by the attribute that is to be deleted */
+ for (i=0; oldrealmrefs[i]; ++i)
+ if ((st=deleteAttribute(ld, oldrealmrefs[i], realmattr, service->servicedn)) != 0) {
+ prepend_err_str (context, "Error deleting realm attribute:", st, st);
+ goto cleanup;
+ }
+ }
+
+ /* see if some of the attributes have to be added */
+ for (i=0; newrealmrefs[i]; ++i)
+ if ((st=updateAttribute(ld, newrealmrefs[i], realmattr, service->servicedn)) != 0) {
+ prepend_err_str (context, "Error updating realm attribute: ", st, st);
+ goto cleanup;
+ }
}
cleanup:
if (oldrealmrefs) {
- for (i=0; oldrealmrefs[i]; ++i)
- free (oldrealmrefs[i]);
- free (oldrealmrefs);
+ for (i=0; oldrealmrefs[i]; ++i)
+ free (oldrealmrefs[i]);
+ free (oldrealmrefs);
}
if (newrealmrefs) {
- for (i=0; newrealmrefs[i]; ++i)
- free (newrealmrefs[i]);
- free (newrealmrefs);
+ for (i=0; newrealmrefs[i]; ++i)
+ free (newrealmrefs[i]);
+ free (newrealmrefs);
}
ldap_mods_free(mods, 1);
krb5_error_code
-krb5_ldap_delete_service(context, service, servicedn)
- krb5_context context;
- krb5_ldap_service_params *service;
- char *servicedn;
+krb5_ldap_delete_service(krb5_context context,
+ krb5_ldap_service_params *service, char *servicedn)
{
krb5_error_code st = 0;
LDAP *ld=NULL;
st = ldap_delete_ext_s(ld, servicedn, NULL, NULL);
if (st != 0) {
- st = set_ldap_error (context, st, OP_DEL);
+ st = set_ldap_error (context, st, OP_DEL);
}
/* NOTE: This should be removed now as the backlinks are going off in OpenLDAP */
/* time to delete krbrealmreferences. This is only for OpenLDAP */
#ifndef HAVE_EDIRECTORY
{
- int i=0;
- char *attr=NULL;
-
- if (service) {
- if (service->krbrealmreferences) {
- if (service->servicetype == LDAP_KDC_SERVICE)
- attr = "krbkdcservers";
- else if (service->servicetype == LDAP_ADMIN_SERVICE)
- attr = "krbadmservers";
- else if (service->servicetype == LDAP_PASSWD_SERVICE)
- attr = "krbpwdservers";
-
- for (i=0; service->krbrealmreferences[i]; ++i) {
- deleteAttribute(ld, service->krbrealmreferences[i], attr, servicedn);
- }
- }
- }
+ int i=0;
+ char *attr=NULL;
+
+ if (service) {
+ if (service->krbrealmreferences) {
+ if (service->servicetype == LDAP_KDC_SERVICE)
+ attr = "krbkdcservers";
+ else if (service->servicetype == LDAP_ADMIN_SERVICE)
+ attr = "krbadmservers";
+ else if (service->servicetype == LDAP_PASSWD_SERVICE)
+ attr = "krbpwdservers";
+
+ for (i=0; service->krbrealmreferences[i]; ++i) {
+ deleteAttribute(ld, service->krbrealmreferences[i], attr, servicedn);
+ }
+ }
+ }
}
#endif
*/
krb5_error_code
-krb5_ldap_list_services(context, containerdn, services)
- krb5_context context;
- char *containerdn;
- char ***services;
+krb5_ldap_list_services(krb5_context context, char *containerdn,
+ char ***services)
{
return (krb5_ldap_list(context, services, "krbService", containerdn));
}
* This function reads the service object from Directory
*/
krb5_error_code
-krb5_ldap_read_service(context, servicedn, service, omask)
- krb5_context context;
- char *servicedn;
- krb5_ldap_service_params **service;
- int *omask;
+krb5_ldap_read_service(krb5_context context, char *servicedn,
+ krb5_ldap_service_params **service, int *omask)
{
char **values=NULL;
int i=0, count=0, objectmask=0;
krb5_error_code st=0, tempst=0;
LDAPMessage *result=NULL,*ent=NULL;
char *attributes[] = {"krbHostServer", "krbServiceflags",
- "krbRealmReferences", "objectclass", NULL};
+ "krbRealmReferences", "objectclass", NULL};
char *attrvalues[] = {"krbService", NULL};
krb5_ldap_service_params *lservice=NULL;
krb5_ldap_context *ldap_context=NULL;
/* validate the input parameter */
if (servicedn == NULL) {
- st = EINVAL;
- krb5_set_error_message (context, st, "Service DN NULL");
- goto cleanup;
+ st = EINVAL;
+ krb5_set_error_message (context, st, "Service DN NULL");
+ goto cleanup;
}
SETUP_CONTEXT();
/* Initialize service structure */
lservice =(krb5_ldap_service_params *) calloc(1, sizeof(krb5_ldap_service_params));
if (lservice == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
/* allocate tl_data structure to store MASK information */
lservice->tl_data = calloc (1, sizeof(*lservice->tl_data));
if (lservice->tl_data == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
lservice->tl_data->tl_data_type = KDB_TL_USER_INFO;
ent=ldap_first_entry(ld, result);
if (ent != NULL) {
- if ((values=ldap_get_values(ld, ent, "krbServiceFlags")) != NULL) {
- lservice->krbserviceflags = atoi(values[0]);
- *omask |= LDAP_SERVICE_SERVICEFLAG;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbHostServer")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(lservice->krbhostservers), count)) != 0)
- goto cleanup;
- *omask |= LDAP_SERVICE_HOSTSERVER;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(lservice->krbrealmreferences), count)) != 0)
- goto cleanup;
- *omask |= LDAP_SERVICE_REALMREFERENCE;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "objectClass")) != NULL) {
- for (i=0; values[i]; ++i) {
- if (strcasecmp(values[i], "krbKdcService") == 0) {
- lservice->servicetype = LDAP_KDC_SERVICE;
- break;
- }
-
- if (strcasecmp(values[i], "krbAdmService") == 0) {
- lservice->servicetype = LDAP_ADMIN_SERVICE;
- break;
- }
-
- if (strcasecmp(values[i], "krbPwdService") == 0) {
- lservice->servicetype = LDAP_PASSWD_SERVICE;
- break;
- }
- }
- ldap_value_free(values);
- }
+ if ((values=ldap_get_values(ld, ent, "krbServiceFlags")) != NULL) {
+ lservice->krbserviceflags = atoi(values[0]);
+ *omask |= LDAP_SERVICE_SERVICEFLAG;
+ ldap_value_free(values);
+ }
+
+ if ((values=ldap_get_values(ld, ent, "krbHostServer")) != NULL) {
+ count = ldap_count_values(values);
+ if ((st=copy_arrays(values, &(lservice->krbhostservers), count)) != 0)
+ goto cleanup;
+ *omask |= LDAP_SERVICE_HOSTSERVER;
+ ldap_value_free(values);
+ }
+
+ if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) {
+ count = ldap_count_values(values);
+ if ((st=copy_arrays(values, &(lservice->krbrealmreferences), count)) != 0)
+ goto cleanup;
+ *omask |= LDAP_SERVICE_REALMREFERENCE;
+ ldap_value_free(values);
+ }
+
+ if ((values=ldap_get_values(ld, ent, "objectClass")) != NULL) {
+ for (i=0; values[i]; ++i) {
+ if (strcasecmp(values[i], "krbKdcService") == 0) {
+ lservice->servicetype = LDAP_KDC_SERVICE;
+ break;
+ }
+
+ if (strcasecmp(values[i], "krbAdmService") == 0) {
+ lservice->servicetype = LDAP_ADMIN_SERVICE;
+ break;
+ }
+
+ if (strcasecmp(values[i], "krbPwdService") == 0) {
+ lservice->servicetype = LDAP_PASSWD_SERVICE;
+ break;
+ }
+ }
+ ldap_value_free(values);
+ }
}
ldap_msgfree(result);
cleanup:
if (st != 0) {
- krb5_ldap_free_service(context, lservice);
- *service = NULL;
+ krb5_ldap_free_service(context, lservice);
+ *service = NULL;
} else {
- store_tl_data(lservice->tl_data, KDB_TL_MASK, omask);
- *service = lservice;
+ store_tl_data(lservice->tl_data, KDB_TL_MASK, omask);
+ *service = lservice;
}
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
*/
krb5_error_code
-krb5_ldap_free_service(context, service)
- krb5_context context;
- krb5_ldap_service_params *service;
+krb5_ldap_free_service(krb5_context context, krb5_ldap_service_params *service)
{
int i=0;
if (service == NULL)
- return 0;
+ return 0;
if (service->servicedn)
- free (service->servicedn);
+ free (service->servicedn);
if (service->krbrealmreferences) {
- for (i=0; service->krbrealmreferences[i]; ++i)
- free (service->krbrealmreferences[i]);
- free (service->krbrealmreferences);
+ for (i=0; service->krbrealmreferences[i]; ++i)
+ free (service->krbrealmreferences[i]);
+ free (service->krbrealmreferences);
}
if (service->krbhostservers) {
- for (i=0; service->krbhostservers[i]; ++i)
- free (service->krbhostservers[i]);
- free (service->krbhostservers);
+ for (i=0; service->krbhostservers[i]; ++i)
+ free (service->krbhostservers[i]);
+ free (service->krbhostservers);
}
if (service->tl_data) {
- if (service->tl_data->tl_data_contents)
- free (service->tl_data->tl_data_contents);
- free (service->tl_data);
+ if (service->tl_data->tl_data_contents)
+ free (service->tl_data->tl_data_contents);
+ free (service->tl_data);
}
free (service);
}
krb5_error_code
-krb5_ldap_set_service_passwd(context, service, passwd)
- krb5_context context;
- char *service;
- char *passwd;
+krb5_ldap_set_service_passwd(krb5_context context, char *service, char *passwd)
{
krb5_error_code st=0;
LDAPMod **mods=NULL;
GET_HANDLE();
if ((st=krb5_add_str_mem_ldap_mod(&mods, "userPassword", LDAP_MOD_REPLACE, password)) != 0)
- goto cleanup;
+ goto cleanup;
st = ldap_modify_ext_s(ld, service, mods, NULL, NULL);
if (st) {
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
}
cleanup:
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_services.h
*
#define SERVICE_PROTOCOL_TYPE_TCP "1"
typedef struct _krb5_ldap_service_params {
- char *servicedn;
- int servicetype;
- int krbserviceflags;
- char **krbhostservers;
- char **krbrealmreferences;
- krb5_tl_data *tl_data;
+ char *servicedn;
+ int servicetype;
+ int krbserviceflags;
+ char **krbhostservers;
+ char **krbrealmreferences;
+ krb5_tl_data *tl_data;
} krb5_ldap_service_params;
#ifdef HAVE_EDIRECTORY
krb5_error_code
-krb5_ldap_read_service( krb5_context, char *, krb5_ldap_service_params **, int *);
+krb5_ldap_read_service(krb5_context, char *, krb5_ldap_service_params **,
+ int *);
krb5_error_code
-krb5_ldap_create_service( krb5_context, krb5_ldap_service_params *,int);
+krb5_ldap_create_service(krb5_context, krb5_ldap_service_params *, int);
krb5_error_code
-krb5_ldap_modify_service( krb5_context, krb5_ldap_service_params *, int);
+krb5_ldap_modify_service(krb5_context, krb5_ldap_service_params *, int);
krb5_error_code
-krb5_ldap_delete_service( krb5_context, krb5_ldap_service_params *, char *);
+krb5_ldap_delete_service(krb5_context, krb5_ldap_service_params *, char *);
krb5_error_code
-krb5_ldap_list_services( krb5_context, char *, char ***);
+krb5_ldap_list_services(krb5_context, char *, char ***);
krb5_error_code
-krb5_ldap_free_service( krb5_context, krb5_ldap_service_params *);
+krb5_ldap_free_service(krb5_context, krb5_ldap_service_params *);
krb5_error_code
-krb5_ldap_set_service_passwd( krb5_context, char *, char *);
+krb5_ldap_set_service_passwd(krb5_context, char *, char *);
krb5_error_code
-krb5_ldap_add_service_rights( krb5_context, int, char *, char *, char **, char *, int);
+krb5_ldap_add_service_rights(krb5_context, int, char *, char *, char **,
+ char *, int);
krb5_error_code
-krb5_ldap_delete_service_rights( krb5_context, int, char *, char *, char **, char *, int);
+krb5_ldap_delete_service_rights(krb5_context, int, char *, char *, char **,
+ char *, int);
#endif
#endif
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_tkt_policy.c
*
* create the Ticket policy object in Directory.
*/
krb5_error_code
-krb5_ldap_create_policy(context, policy, mask)
- krb5_context context;
- krb5_ldap_policy_params *policy;
- int mask;
+krb5_ldap_create_policy(krb5_context context, krb5_ldap_policy_params *policy,
+ int mask)
{
krb5_error_code st=0;
LDAP *ld=NULL;
/* validate the input parameters */
if (policy == NULL || policy->policy == NULL) {
- st = EINVAL;
- krb5_set_error_message (context, st, "Ticket Policy Name missing");
- goto cleanup;
+ st = EINVAL;
+ krb5_set_error_message (context, st, "Ticket Policy Name missing");
+ goto cleanup;
}
SETUP_CONTEXT();
GET_HANDLE();
if ((st = krb5_ldap_name_to_policydn (context, policy->policy, &policy_dn)) != 0)
- goto cleanup;
+ goto cleanup;
memset(strval, 0, sizeof(strval));
strval[0] = policy->policy;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ goto cleanup;
memset(strval, 0, sizeof(strval));
strval[0] = "krbTicketPolicy";
strval[1] = "krbTicketPolicyaux";
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ goto cleanup;
if (mask & LDAP_POLICY_MAXTKTLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_ADD,
- policy->maxtktlife)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_ADD,
+ policy->maxtktlife)) != 0)
+ goto cleanup;
}
if (mask & LDAP_POLICY_MAXRENEWLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_ADD,
- policy->maxrenewlife)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_ADD,
+ policy->maxrenewlife)) != 0)
+ goto cleanup;
}
if (mask & LDAP_POLICY_TKTFLAGS) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_ADD,
- policy->tktflags)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_ADD,
+ policy->tktflags)) != 0)
+ goto cleanup;
}
/* ldap add operation */
if ((st=ldap_add_ext_s(ld, policy_dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_ADD);
- goto cleanup;
+ st = set_ldap_error (context, st, OP_ADD);
+ goto cleanup;
}
cleanup:
if (policy_dn != NULL)
- free(policy_dn);
+ free(policy_dn);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
*/
krb5_error_code
-krb5_ldap_modify_policy(context, policy, mask)
- krb5_context context;
- krb5_ldap_policy_params *policy;
- int mask;
+krb5_ldap_modify_policy(krb5_context context, krb5_ldap_policy_params *policy,
+ int mask)
{
int objectmask=0;
krb5_error_code st=0;
/* validate the input parameters */
if (policy == NULL || policy->policy==NULL) {
- st = EINVAL;
- krb5_set_error_message (context, st, "Ticket Policy Name missing");
- goto cleanup;
+ st = EINVAL;
+ krb5_set_error_message (context, st, "Ticket Policy Name missing");
+ goto cleanup;
}
SETUP_CONTEXT();
GET_HANDLE();
if ((st = krb5_ldap_name_to_policydn (context, policy->policy, &policy_dn)) != 0)
- goto cleanup;
+ goto cleanup;
/* the policydn object should be of the krbTicketPolicy object class */
st = checkattributevalue(ld, policy_dn, "objectClass", attrvalues, &objectmask);
CHECK_CLASS_VALIDITY(st, objectmask, "ticket policy object: ");
if ((objectmask & 0x02) == 0) { /* add krbticketpolicyaux to the object class list */
- memset(strval, 0, sizeof(strval));
- strval[0] = "krbTicketPolicyAux";
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ memset(strval, 0, sizeof(strval));
+ strval[0] = "krbTicketPolicyAux";
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
+ goto cleanup;
}
if (mask & LDAP_POLICY_MAXTKTLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE,
- policy->maxtktlife)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE,
+ policy->maxtktlife)) != 0)
+ goto cleanup;
}
if (mask & LDAP_POLICY_MAXRENEWLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
- policy->maxrenewlife)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
+ policy->maxrenewlife)) != 0)
+ goto cleanup;
}
if (mask & LDAP_POLICY_TKTFLAGS) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
- policy->tktflags)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
+ policy->tktflags)) != 0)
+ goto cleanup;
}
if ((st=ldap_modify_ext_s(ld, policy_dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
+ st = set_ldap_error (context, st, OP_MOD);
+ goto cleanup;
}
cleanup:
*/
krb5_error_code
-krb5_ldap_read_policy(context, policyname, policy, omask)
- krb5_context context;
- char *policyname;
- krb5_ldap_policy_params **policy;
- int *omask;
+krb5_ldap_read_policy(krb5_context context, char *policyname,
+ krb5_ldap_policy_params **policy, int *omask)
{
krb5_error_code st=0, tempst=0;
int objectmask=0;
/* validate the input parameters */
if (policyname == NULL || policy == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st, "Ticket Policy Object information missing");
- goto cleanup;
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Ticket Policy Object information missing");
+ goto cleanup;
}
SETUP_CONTEXT();
GET_HANDLE();
if ((st = krb5_ldap_name_to_policydn (context, policyname, &policy_dn)) != 0)
- goto cleanup;
+ goto cleanup;
/* the policydn object should be of the krbTicketPolicy object class */
st = checkattributevalue(ld, policy_dn, "objectClass", attrvalues, &objectmask);
memset(lpolicy, 0, sizeof(krb5_ldap_policy_params));
if ((lpolicy->policy = strdup (policyname)) == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
lpolicy->tl_data = calloc (1, sizeof(*lpolicy->tl_data));
ent=ldap_first_entry(ld, result);
if (ent != NULL) {
- if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", (int *) &(lpolicy->maxtktlife)) == 0)
- *omask |= LDAP_POLICY_MAXTKTLIFE;
+ if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", (int *) &(lpolicy->maxtktlife)) == 0)
+ *omask |= LDAP_POLICY_MAXTKTLIFE;
- if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", (int *) &(lpolicy->maxrenewlife)) == 0)
- *omask |= LDAP_POLICY_MAXRENEWLIFE;
+ if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", (int *) &(lpolicy->maxrenewlife)) == 0)
+ *omask |= LDAP_POLICY_MAXRENEWLIFE;
- if (krb5_ldap_get_value(ld, ent, "krbticketflags", (int *) &(lpolicy->tktflags)) == 0)
- *omask |= LDAP_POLICY_TKTFLAGS;
+ if (krb5_ldap_get_value(ld, ent, "krbticketflags", (int *) &(lpolicy->tktflags)) == 0)
+ *omask |= LDAP_POLICY_TKTFLAGS;
}
ldap_msgfree(result);
cleanup:
if (st != 0) {
- krb5_ldap_free_policy(context, lpolicy);
- *policy = NULL;
+ krb5_ldap_free_policy(context, lpolicy);
+ *policy = NULL;
}
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
*/
krb5_error_code
-krb5_ldap_delete_policy(context, policyname)
- krb5_context context;
- char *policyname;
+krb5_ldap_delete_policy(krb5_context context, char *policyname)
{
- int refcount = 0;
- char *policy_dn = NULL;
+ int refcount = 0;
+ char *policy_dn = NULL;
krb5_error_code st = 0;
LDAP *ld = NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
- if (policyname == NULL) {
- st = EINVAL;
- prepend_err_str (context,"Ticket Policy Object DN missing",st,st);
- goto cleanup;
+ if (policyname == NULL) {
+ st = EINVAL;
+ prepend_err_str (context,"Ticket Policy Object DN missing",st,st);
+ goto cleanup;
}
* it is greater than 0. */
if ((st = krb5_ldap_get_reference_count (context, policy_dn,
- "krbTicketPolicyReference", &refcount, ld)) != 0)
+ "krbTicketPolicyReference", &refcount, ld)) != 0)
goto cleanup;
if (refcount == 0) {
- if ((st=ldap_delete_ext_s(ld, policy_dn, NULL, NULL)) != 0) {
- prepend_err_str (context,ldap_err2string(st),st,st);
+ if ((st=ldap_delete_ext_s(ld, policy_dn, NULL, NULL)) != 0) {
+ prepend_err_str (context,ldap_err2string(st),st,st);
- goto cleanup;
- }
+ goto cleanup;
+ }
} else {
- st = EINVAL;
- prepend_err_str (context,"Delete Failed: One or more Principals associated with the Ticket Policy",st,st);
- goto cleanup;
+ st = EINVAL;
+ prepend_err_str (context,"Delete Failed: One or more Principals associated with the Ticket Policy",st,st);
+ goto cleanup;
}
cleanup:
*/
krb5_error_code
-krb5_ldap_list_policy(context, containerdn, policy)
- krb5_context context;
- char *containerdn;
- char ***policy;
+krb5_ldap_list_policy(krb5_context context, char *containerdn, char ***policy)
{
int i, j, count;
char **list = NULL;
}
if ((st = krb5_ldap_list(context, &list, "krbTicketPolicy", policycontainerdn)) != 0)
- goto cleanup;
+ goto cleanup;
for (i = 0; list[i] != NULL; i++);
*policy = (char **) calloc ((unsigned) count + 1, sizeof(char *));
if (*policy == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
for (i = 0, j = 0; list[i] != NULL; i++, j++) {
- int ret;
- ret = krb5_ldap_policydn_to_name (context, list[i], &(*policy)[i]);
- if (ret != 0)
- j--;
+ int ret;
+ ret = krb5_ldap_policydn_to_name (context, list[i], &(*policy)[i]);
+ if (ret != 0)
+ j--;
}
cleanup:
*/
krb5_error_code
-krb5_ldap_free_policy(context, policy)
- krb5_context context;
- krb5_ldap_policy_params *policy;
+krb5_ldap_free_policy(krb5_context context, krb5_ldap_policy_params *policy)
{
krb5_error_code st=0;
if (policy == NULL)
- return st;
+ return st;
if (policy->policy)
- free (policy->policy);
+ free (policy->policy);
if (policy->tl_data) {
- if (policy->tl_data->tl_data_contents)
- free (policy->tl_data->tl_data_contents);
- free (policy->tl_data);
+ if (policy->tl_data->tl_data_contents)
+ free (policy->tl_data->tl_data_contents);
+ free (policy->tl_data);
}
free (policy);
*/
krb5_error_code
-krb5_ldap_list(context, list, objectclass, containerdn)
- krb5_context context;
- char ***list;
- char *objectclass;
- char *containerdn;
+krb5_ldap_list(krb5_context context, char ***list, char *objectclass,
+ char *containerdn)
{
char *filter=NULL, *dn=NULL;
krb5_error_code st=0, tempst=0;
/* check if the containerdn exists */
if (containerdn) {
- if ((st=checkattributevalue(ld, containerdn, NULL, NULL, NULL)) != 0) {
- prepend_err_str (context, "Error reading container object: ", st, st);
- goto cleanup;
- }
+ if ((st=checkattributevalue(ld, containerdn, NULL, NULL, NULL)) != 0) {
+ prepend_err_str (context, "Error reading container object: ", st, st);
+ goto cleanup;
+ }
}
/* set the filter for the search operation */
filterlen = strlen("(objectclass=") + strlen(objectclass) + 1 + 1;
filter = malloc ((unsigned) filterlen);
if (filter == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
snprintf(filter, (unsigned) filterlen,"(objectclass=%s)",objectclass);
count = ldap_count_entries(ld, result);
if (count == -1) {
- ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &st);
- st = set_ldap_error(context, st, OP_SEARCH);
- goto cleanup;
+ ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &st);
+ st = set_ldap_error(context, st, OP_SEARCH);
+ goto cleanup;
}
*list = (char **) calloc ((unsigned) count+1, sizeof(char *));
if (*list == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
for (ent=ldap_first_entry(ld, result), count=0; ent != NULL; ent=ldap_next_entry(ld, ent), ++count) {
- if ((dn=ldap_get_dn(ld, ent)) == NULL)
- continue;
- if (((*list)[count] = strdup(dn)) == NULL) {
- ldap_memfree (dn);
- st = ENOMEM;
- goto cleanup;
- }
- ldap_memfree(dn);
+ if ((dn=ldap_get_dn(ld, ent)) == NULL)
+ continue;
+ if (((*list)[count] = strdup(dn)) == NULL) {
+ ldap_memfree (dn);
+ st = ENOMEM;
+ goto cleanup;
+ }
+ ldap_memfree(dn);
}
ldap_msgfree(result);
cleanup:
if (filter)
- free (filter);
+ free (filter);
/* some error, free up all the memory */
if (st != 0) {
- if (*list) {
- for (i=0; (*list)[i]; ++i)
- free ((*list)[i]);
- free (*list);
- *list = NULL;
- }
+ if (*list) {
+ for (i=0; (*list)[i]; ++i)
+ free ((*list)[i]);
+ free (*list);
+ *list = NULL;
+ }
}
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kdb/kdb_ldap/ldap_tkt_policy.h
*
/* policy object structure */
typedef struct _krb5_ldap_policy_params {
- char *policy;
- long mask;
- long maxtktlife;
- long maxrenewlife;
- long tktflags;
- krb5_tl_data *tl_data;
+ char *policy;
+ long mask;
+ long maxtktlife;
+ long maxrenewlife;
+ long tktflags;
+ krb5_tl_data *tl_data;
}krb5_ldap_policy_params;
krb5_error_code
krb5_ldap_free_policy(krb5_context, krb5_ldap_policy_params *);
krb5_error_code
-krb5_ldap_change_count(krb5_context ,char * , int);
+krb5_ldap_change_count(krb5_context, char *, int);
#endif
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* plugins/kdb/ldap/lockout.c
*
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* plugins/locate/python/py-locate.c
*
#error "Where's the Python header file?"
#endif
#include <errno.h>
-#include "k5-platform.h" /* for init/fini macros */
+#include "k5-platform.h" /* for init/fini macros */
#include "fake-addrinfo.h"
#include <krb5/locate_plugin.h>
-#define LIBDIR "/tmp" /* should be imported from configure */
-#define SCRIPT_PATH LIBDIR "/krb5/locate-service.py"
-#define LOOKUP_FUNC_NAME "locate"
+#define LIBDIR "/tmp" /* should be imported from configure */
+#define SCRIPT_PATH LIBDIR "/krb5/locate-service.py"
+#define LOOKUP_FUNC_NAME "locate"
static PyObject *locatefn;
MAKE_INIT_FUNCTION(my_init);
MAKE_FINI_FUNCTION(my_fini);
-#define F (strchr(__FILE__, '/') ? 1 + strrchr(__FILE__, '/') : __FILE__)
+#define F (strchr(__FILE__, '/') ? 1 + strrchr(__FILE__, '/') : __FILE__)
-static krb5_context sctx; /* XXX ugly hack! */
+static krb5_context sctx; /* XXX ugly hack! */
int
-my_init (void)
+my_init(void)
{
PyObject *mainmodule;
FILE *f;
// fprintf(stderr, "trying to load %s\n", SCRIPT_PATH);
f = fopen(SCRIPT_PATH, "r");
if (f == NULL) {
- if (sctx)
- krb5_set_error_message(sctx, -1,
- "couldn't open Python script %s (%s)",
- SCRIPT_PATH, strerror(errno));
- return -1;
+ if (sctx)
+ krb5_set_error_message(sctx, -1,
+ "couldn't open Python script %s (%s)",
+ SCRIPT_PATH, strerror(errno));
+ return -1;
}
set_cloexec_file(f);
PyRun_SimpleFile (f, SCRIPT_PATH);
if (PyErr_Occurred()) { fprintf(stderr,"%s:%d: python error\n", F, __LINE__); PyErr_Print(); return -1; }
/* Don't DECREF mainmodule, it's sometimes causing crashes. */
if (locatefn == 0)
- return -1;
+ return -1;
if (!PyCallable_Check (locatefn)) {
- Py_DECREF (locatefn);
- locatefn = 0;
- return -1;
+ Py_DECREF (locatefn);
+ locatefn = 0;
+ return -1;
}
if (PyErr_Occurred()) { fprintf(stderr,"%s:%d: python error\n", F, __LINE__); PyErr_Print(); return -1; }
return 0;
}
void
-my_fini (void)
+my_fini(void)
{
// fprintf(stderr, "%s:%d: Python module finalization\n", F, __LINE__);
if (! INITIALIZER_RAN (my_init))
- return;
+ return;
Py_DECREF (locatefn);
locatefn = 0;
Py_Finalize ();
}
static krb5_error_code
-ctxinit (krb5_context ctx, void **blobptr)
+ctxinit(krb5_context ctx, void **blobptr)
{
/* If we wanted to create a separate Python interpreter instance,
look up the pathname of the script in the config file used for
}
static void
-ctxfini (void *blob)
+ctxfini(void *blob)
{
}
isn't going to be very useful to the caller.) */
static krb5_error_code
-lookup (void *blob, enum locate_service_type svc, const char *realm,
- int socktype, int family,
- int (*cbfunc)(void *, int, struct sockaddr *), void *cbdata)
+lookup(void *blob, enum locate_service_type svc, const char *realm,
+ int socktype, int family,
+ int (*cbfunc)(void *, int, struct sockaddr *), void *cbdata)
{
PyObject *py_result, *svcarg, *realmarg, *arglist;
int listsize, i, x;
int thissocktype;
// fprintf(stderr, "%s:%d: lookup(%d,%s,%d,%d)\n", F, __LINE__,
-// svc, realm, socktype, family);
- sctx = blob; /* XXX: Not thread safe! */
+// svc, realm, socktype, family);
+ sctx = blob; /* XXX: Not thread safe! */
i = CALL_INIT_FUNCTION (my_init);
if (i) {
#if 0
- fprintf(stderr, "%s:%d: module initialization failed\n", F, __LINE__);
+ fprintf(stderr, "%s:%d: module initialization failed\n", F, __LINE__);
#endif
- return i;
+ return i;
}
if (locatefn == 0)
- return KRB5_PLUGIN_NO_HANDLE;
+ return KRB5_PLUGIN_NO_HANDLE;
svcarg = PyInt_FromLong (svc);
/* error? */
realmarg = PyString_FromString ((char *) realm);
py_result = PyObject_CallObject (locatefn, arglist);
Py_DECREF (arglist);
if (PyErr_Occurred()) {
- fprintf(stderr,"%s:%d: python error\n", F, __LINE__);
- PyErr_Print();
- krb5_set_error_message(blob, -1,
- "Python evaluation error, see stderr");
- return -1;
+ fprintf(stderr,"%s:%d: python error\n", F, __LINE__);
+ PyErr_Print();
+ krb5_set_error_message(blob, -1,
+ "Python evaluation error, see stderr");
+ return -1;
}
if (py_result == 0) {
- fprintf(stderr, "%s:%d: returned null object\n", F, __LINE__);
- return -1;
+ fprintf(stderr, "%s:%d: returned null object\n", F, __LINE__);
+ return -1;
}
if (py_result == Py_False)
- return KRB5_PLUGIN_NO_HANDLE;
+ return KRB5_PLUGIN_NO_HANDLE;
if (! PyList_Check (py_result)) {
- Py_DECREF (py_result);
- fprintf(stderr, "%s:%d: returned non-list, non-False\n", F, __LINE__);
- krb5_set_error_message(blob, -1,
- "Python script error -- returned non-list, non-False result");
- return -1;
+ Py_DECREF (py_result);
+ fprintf(stderr, "%s:%d: returned non-list, non-False\n", F, __LINE__);
+ krb5_set_error_message(blob, -1,
+ "Python script error -- returned non-list, non-False result");
+ return -1;
}
listsize = PyList_Size (py_result);
/* allocate */
aihints.ai_flags = AI_NUMERICHOST;
aihints.ai_family = family;
for (i = 0; i < listsize; i++) {
- PyObject *answer, *field;
- char *hoststr, *portstr, portbuf[3*sizeof(long) + 4];
- int cbret;
+ PyObject *answer, *field;
+ char *hoststr, *portstr, portbuf[3*sizeof(long) + 4];
+ int cbret;
- answer = PyList_GetItem (py_result, i);
- if (! PyTuple_Check (answer)) {
- krb5_set_error_message(blob, -1,
- "Python script error -- returned item %d not a tuple", i);
- /* leak? */
- return -1;
- }
- if (PyTuple_Size (answer) != 3) {
- krb5_set_error_message(blob, -1,
- "Python script error -- returned tuple %d size %d should be 3",
- i, PyTuple_Size (answer));
- /* leak? */
- return -1;
- }
- field = PyTuple_GetItem (answer, 0);
- if (! PyString_Check (field)) {
- /* leak? */
- krb5_set_error_message(blob, -1,
- "Python script error -- first component of tuple %d is not a string",
- i);
- return -1;
- }
- hoststr = PyString_AsString (field);
- field = PyTuple_GetItem (answer, 1);
- if (PyString_Check (field)) {
- portstr = PyString_AsString (field);
- } else if (PyInt_Check (field)) {
- snprintf(portbuf, sizeof(portbuf), "%ld", PyInt_AsLong (field));
- portstr = portbuf;
- } else {
- krb5_set_error_message(blob, -1,
- "Python script error -- second component of tuple %d neither a string nor an integer",
- i);
- /* leak? */
- return -1;
- }
- field = PyTuple_GetItem (answer, 2);
- if (! PyInt_Check (field)) {
- krb5_set_error_message(blob, -1,
- "Python script error -- third component of tuple %d not an integer",
- i);
- /* leak? */
- return -1;
- }
- thissocktype = PyInt_AsLong (field);
- switch (thissocktype) {
- case SOCK_STREAM:
- case SOCK_DGRAM:
- /* okay */
- if (socktype != 0 && socktype != thissocktype) {
- krb5_set_error_message(blob, -1,
- "Python script error -- tuple %d has socket type %d, should only have %d",
- i, thissocktype, socktype);
- /* leak? */
- return -1;
- }
- break;
- default:
- /* 0 is not acceptable */
- krb5_set_error_message(blob, -1,
- "Python script error -- tuple %d has invalid socket type %d",
- i, thissocktype);
- /* leak? */
- return -1;
- }
- aihints.ai_socktype = thissocktype;
- x = getaddrinfo (hoststr, portstr, &aihints, &airesult);
- if (x != 0)
- continue;
- cbret = cbfunc(cbdata, airesult->ai_socktype, airesult->ai_addr);
- freeaddrinfo(airesult);
- if (cbret != 0)
- break;
+ answer = PyList_GetItem (py_result, i);
+ if (! PyTuple_Check (answer)) {
+ krb5_set_error_message(blob, -1,
+ "Python script error -- returned item %d not a tuple", i);
+ /* leak? */
+ return -1;
+ }
+ if (PyTuple_Size (answer) != 3) {
+ krb5_set_error_message(blob, -1,
+ "Python script error -- returned tuple %d size %d should be 3",
+ i, PyTuple_Size (answer));
+ /* leak? */
+ return -1;
+ }
+ field = PyTuple_GetItem (answer, 0);
+ if (! PyString_Check (field)) {
+ /* leak? */
+ krb5_set_error_message(blob, -1,
+ "Python script error -- first component of tuple %d is not a string",
+ i);
+ return -1;
+ }
+ hoststr = PyString_AsString (field);
+ field = PyTuple_GetItem (answer, 1);
+ if (PyString_Check (field)) {
+ portstr = PyString_AsString (field);
+ } else if (PyInt_Check (field)) {
+ snprintf(portbuf, sizeof(portbuf), "%ld", PyInt_AsLong (field));
+ portstr = portbuf;
+ } else {
+ krb5_set_error_message(blob, -1,
+ "Python script error -- second component of tuple %d neither a string nor an integer",
+ i);
+ /* leak? */
+ return -1;
+ }
+ field = PyTuple_GetItem (answer, 2);
+ if (! PyInt_Check (field)) {
+ krb5_set_error_message(blob, -1,
+ "Python script error -- third component of tuple %d not an integer",
+ i);
+ /* leak? */
+ return -1;
+ }
+ thissocktype = PyInt_AsLong (field);
+ switch (thissocktype) {
+ case SOCK_STREAM:
+ case SOCK_DGRAM:
+ /* okay */
+ if (socktype != 0 && socktype != thissocktype) {
+ krb5_set_error_message(blob, -1,
+ "Python script error -- tuple %d has socket type %d, should only have %d",
+ i, thissocktype, socktype);
+ /* leak? */
+ return -1;
+ }
+ break;
+ default:
+ /* 0 is not acceptable */
+ krb5_set_error_message(blob, -1,
+ "Python script error -- tuple %d has invalid socket type %d",
+ i, thissocktype);
+ /* leak? */
+ return -1;
+ }
+ aihints.ai_socktype = thissocktype;
+ x = getaddrinfo (hoststr, portstr, &aihints, &airesult);
+ if (x != 0)
+ continue;
+ cbret = cbfunc(cbdata, airesult->ai_socktype, airesult->ai_addr);
+ freeaddrinfo(airesult);
+ if (cbret != 0)
+ break;
}
Py_DECREF (py_result);
return 0;
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 2006 Red Hat, Inc.
* All rights reserved.
static krb5_error_code
client_process(krb5_context kcontext,
- void *client_plugin_context,
- void *client_request_context,
- krb5_get_init_creds_opt *opt,
- preauth_get_client_data_proc client_get_data_proc,
- struct _krb5_preauth_client_rock *rock,
- krb5_kdc_req *request,
- krb5_data *encoded_request_body,
- krb5_data *encoded_previous_request,
- krb5_pa_data *pa_data,
- krb5_prompter_fct prompter,
- void *prompter_data,
- preauth_get_as_key_proc gak_fct,
- void *gak_data,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_keyblock *as_key,
- krb5_pa_data ***out_pa_data)
+ void *client_plugin_context,
+ void *client_request_context,
+ krb5_get_init_creds_opt *opt,
+ preauth_get_client_data_proc client_get_data_proc,
+ struct _krb5_preauth_client_rock *rock,
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data *pa_data,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ preauth_get_as_key_proc gak_fct,
+ void *gak_data,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_keyblock *as_key,
+ krb5_pa_data ***out_pa_data)
{
krb5_pa_data **send_pa;
krb5_checksum checksum;
krb5_gic_opt_pa_data *gic_info;
status = krb5_get_init_creds_opt_get_pa(kcontext, opt,
- &num_gic_info, &gic_info);
+ &num_gic_info, &gic_info);
if (status && status != ENOENT) {
#ifdef DEBUG
- fprintf(stderr, "Error from krb5_get_init_creds_opt_get_pa: %s\n",
- error_message(status));
+ fprintf(stderr, "Error from krb5_get_init_creds_opt_get_pa: %s\n",
+ error_message(status));
#endif
- return status;
+ return status;
}
#ifdef DEBUG
fprintf(stderr, "(cksum_body) Got the following gic options:\n");
#endif
for (i = 0; i < num_gic_info; i++) {
#ifdef DEBUG
- fprintf(stderr, " '%s' = '%s'\n", gic_info[i].attr, gic_info[i].value);
+ fprintf(stderr, " '%s' = '%s'\n", gic_info[i].attr, gic_info[i].value);
#endif
}
krb5_get_init_creds_opt_free_pa(kcontext, num_gic_info, gic_info);
/* Get the user's long-term key if we haven't asked for it yet. Try
* all of the encryption types which the server supports. */
if (as_key->length == 0) {
- if ((pa_data != NULL) && (pa_data->length >= 4)) {
+ if ((pa_data != NULL) && (pa_data->length >= 4)) {
#ifdef DEBUG
- fprintf(stderr, "%d bytes of preauth data.\n", pa_data->length);
+ fprintf(stderr, "%d bytes of preauth data.\n", pa_data->length);
#endif
- n_enctypes = pa_data->length / 4;
- enctypes = (krb5_int32*) pa_data->contents;
- } else {
- n_enctypes = request->nktypes;
- }
- for (i = 0; i < n_enctypes; i++) {
- if ((pa_data != NULL) && (pa_data->length >= 4)) {
- memcpy(&enctype, pa_data->contents + 4 * i, 4);
- enctype = ntohl(enctype);
- } else {
- enctype = request->ktype[i];
- }
+ n_enctypes = pa_data->length / 4;
+ enctypes = (krb5_int32*) pa_data->contents;
+ } else {
+ n_enctypes = request->nktypes;
+ }
+ for (i = 0; i < n_enctypes; i++) {
+ if ((pa_data != NULL) && (pa_data->length >= 4)) {
+ memcpy(&enctype, pa_data->contents + 4 * i, 4);
+ enctype = ntohl(enctype);
+ } else {
+ enctype = request->ktype[i];
+ }
#ifdef DEBUG
- fprintf(stderr, "Asking for AS key (type = %d).\n", enctype);
+ fprintf(stderr, "Asking for AS key (type = %d).\n", enctype);
#endif
- status = (*gak_fct)(kcontext, request->client, enctype,
- prompter, prompter_data,
- salt, s2kparams, as_key, gak_data);
- if (status == 0)
- break;
- }
- if (status != 0)
- return status;
+ status = (*gak_fct)(kcontext, request->client, enctype,
+ prompter, prompter_data,
+ salt, s2kparams, as_key, gak_data);
+ if (status == 0)
+ break;
+ }
+ if (status != 0)
+ return status;
}
#ifdef DEBUG
fprintf(stderr, "Got AS key (type = %d).\n", as_key->enctype);
cksumtype_count = 0;
cksumtypes = NULL;
status = krb5_c_keyed_checksum_types(kcontext, as_key->enctype,
- &cksumtype_count, &cksumtypes);
+ &cksumtype_count, &cksumtypes);
if (status != 0)
- return status;
+ return status;
/* Generate the checksum. */
for (i = 0; i < cksumtype_count; i++) {
- status = krb5_c_make_checksum(kcontext, cksumtypes[i], as_key,
- KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
- encoded_request_body,
- &checksum);
- if (status == 0) {
+ status = krb5_c_make_checksum(kcontext, cksumtypes[i], as_key,
+ KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
+ encoded_request_body,
+ &checksum);
+ if (status == 0) {
#ifdef DEBUG
- fprintf(stderr, "Made checksum (type = %d, %d bytes).\n",
- checksum.checksum_type, encoded_request_body->length);
+ fprintf(stderr, "Made checksum (type = %d, %d bytes).\n",
+ checksum.checksum_type, encoded_request_body->length);
#endif
- break;
- }
+ break;
+ }
}
cksumtype = htonl(cksumtypes[i]);
krb5_free_cksumtypes(kcontext, cksumtypes);
if (status != 0) {
- if (checksum.length > 0)
- krb5_free_checksum_contents(kcontext, &checksum);
- return status;
+ if (checksum.length > 0)
+ krb5_free_checksum_contents(kcontext, &checksum);
+ return status;
}
/* Allocate the preauth data structure. */
send_pa = malloc(2 * sizeof(krb5_pa_data *));
if (send_pa == NULL) {
- krb5_free_checksum_contents(kcontext, &checksum);
- return ENOMEM;
+ krb5_free_checksum_contents(kcontext, &checksum);
+ return ENOMEM;
}
- send_pa[1] = NULL; /* Terminate list */
+ send_pa[1] = NULL; /* Terminate list */
send_pa[0] = malloc(sizeof(krb5_pa_data));
if (send_pa[0] == NULL) {
- krb5_free_checksum_contents(kcontext, &checksum);
- free(send_pa);
- return ENOMEM;
+ krb5_free_checksum_contents(kcontext, &checksum);
+ free(send_pa);
+ return ENOMEM;
}
send_pa[0]->pa_type = KRB5_PADATA_CKSUM_BODY_REQ;
send_pa[0]->length = 4 + checksum.length;
send_pa[0]->contents = malloc(4 + checksum.length);
if (send_pa[0]->contents == NULL) {
- krb5_free_checksum_contents(kcontext, &checksum);
- free(send_pa[0]);
- free(send_pa);
- return ENOMEM;
+ krb5_free_checksum_contents(kcontext, &checksum);
+ free(send_pa[0]);
+ free(send_pa);
+ return ENOMEM;
}
/* Store the checksum. */
static krb5_error_code
client_gic_opt(krb5_context kcontext,
- void *plugin_context,
- krb5_get_init_creds_opt *opt,
- const char *attr,
- const char *value)
+ void *plugin_context,
+ krb5_get_init_creds_opt *opt,
+ const char *attr,
+ const char *value)
{
#ifdef DEBUG
fprintf(stderr, "(cksum_body) client_gic_opt: received '%s' = '%s'\n",
- attr, value);
+ attr, value);
#endif
return 0;
}
struct server_stats *stats;
stats = malloc(sizeof(struct server_stats));
if (stats == NULL)
- return ENOMEM;
+ return ENOMEM;
stats->successes = 0;
stats->failures = 0;
*module_context = stats;
stats = module_context;
if (stats != NULL) {
#ifdef DEBUG
- fprintf(stderr, "Total: %d clients failed, %d succeeded.\n",
- stats->failures, stats->successes);
+ fprintf(stderr, "Total: %d clients failed, %d succeeded.\n",
+ stats->failures, stats->successes);
#endif
- free(stats);
+ free(stats);
}
}
* client) which matches type data->pa_type. */
static krb5_error_code
server_get_edata(krb5_context kcontext,
- krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
- krb5_pa_data *data)
+ krb5_kdc_req *request,
+ struct _krb5_db_entry_new *client,
+ struct _krb5_db_entry_new *server,
+ preauth_get_entry_data_proc server_get_entry_data,
+ void *pa_module_context,
+ krb5_pa_data *data)
{
krb5_data *key_data;
krb5_keyblock *keys, *key;
/* Retrieve the client's keys. */
key_data = NULL;
if ((*server_get_entry_data)(kcontext, request, client,
- krb5plugin_preauth_keys, &key_data) != 0) {
+ krb5plugin_preauth_keys, &key_data) != 0) {
#ifdef DEBUG
- fprintf(stderr, "Error retrieving client keys.\n");
+ fprintf(stderr, "Error retrieving client keys.\n");
#endif
- return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
}
/* Count which types of keys we've got, freeing the contents, which we
keys = (krb5_keyblock *) key_data->data;
key = NULL;
for (i = 0; keys[i].enctype != 0; i++)
- krb5_free_keyblock_contents(kcontext, &keys[i]);
+ krb5_free_keyblock_contents(kcontext, &keys[i]);
/* Return the list of encryption types. */
enctypes = malloc((unsigned)i * 4);
if (enctypes == NULL) {
- krb5_free_data(kcontext, key_data);
- return ENOMEM;
+ krb5_free_data(kcontext, key_data);
+ return ENOMEM;
}
#ifdef DEBUG
fprintf(stderr, "Supported enctypes = {");
#endif
for (i = 0; keys[i].enctype != 0; i++) {
#ifdef DEBUG
- fprintf(stderr, "%s%d", (i > 0) ? ", " : "", keys[i].enctype);
+ fprintf(stderr, "%s%d", (i > 0) ? ", " : "", keys[i].enctype);
#endif
- enctype = htonl(keys[i].enctype);
- memcpy(&enctypes[i], &enctype, 4);
+ enctype = htonl(keys[i].enctype);
+ memcpy(&enctypes[i], &enctype, 4);
}
#ifdef DEBUG
fprintf(stderr, "}.\n");
/* Verify a request from a client. */
static krb5_error_code
server_verify(krb5_context kcontext,
- struct _krb5_db_entry_new *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
- void **pa_request_context,
- krb5_data **e_data,
- krb5_authdata ***authz_data)
+ struct _krb5_db_entry_new *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *data,
+ preauth_get_entry_data_proc server_get_entry_data,
+ void *pa_module_context,
+ void **pa_request_context,
+ krb5_data **e_data,
+ krb5_authdata ***authz_data)
{
krb5_int32 cksumtype;
krb5_checksum checksum;
#endif
/* Verify the preauth data. Start with the checksum type. */
if (data->length < 4) {
- stats->failures++;
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ stats->failures++;
+ return KRB5KDC_ERR_PREAUTH_FAILED;
}
memcpy(&cksumtype, data->contents, 4);
memset(&checksum, 0, sizeof(checksum));
/* Verify that the amount of data we have left is what we expect. */
if (krb5_c_checksum_length(kcontext, checksum.checksum_type,
- &length) != 0) {
+ &length) != 0) {
#ifdef DEBUG
- fprintf(stderr, "Error determining checksum size (type = %d). "
- "Is it supported?\n", checksum.checksum_type);
+ fprintf(stderr, "Error determining checksum size (type = %d). "
+ "Is it supported?\n", checksum.checksum_type);
#endif
- stats->failures++;
- return KRB5KDC_ERR_SUMTYPE_NOSUPP;
+ stats->failures++;
+ return KRB5KDC_ERR_SUMTYPE_NOSUPP;
}
if (data->length - 4 != length) {
#ifdef DEBUG
- fprintf(stderr, "Checksum size doesn't match client packet size.\n");
+ fprintf(stderr, "Checksum size doesn't match client packet size.\n");
#endif
- stats->failures++;
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ stats->failures++;
+ return KRB5KDC_ERR_PREAUTH_FAILED;
}
checksum.length = length;
/* Pull up the client's keys. */
key_data = NULL;
if ((*server_get_entry_data)(kcontext, request, client,
- krb5plugin_preauth_keys, &key_data) != 0) {
+ krb5plugin_preauth_keys, &key_data) != 0) {
#ifdef DEBUG
- fprintf(stderr, "Error retrieving client keys.\n");
+ fprintf(stderr, "Error retrieving client keys.\n");
#endif
- stats->failures++;
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ stats->failures++;
+ return KRB5KDC_ERR_PREAUTH_FAILED;
}
/* Find the key which would have been used to generate the checksum. */
keys = (krb5_keyblock *) key_data->data;
key = NULL;
for (i = 0; keys[i].enctype != 0; i++) {
- key = &keys[i];
- cksumtypes_count = 0;
- cksumtypes = NULL;
- if (krb5_c_keyed_checksum_types(kcontext, key->enctype,
- &cksumtypes_count, &cksumtypes) != 0)
- continue;
- for (j = 0; j < cksumtypes_count; j++) {
- if (cksumtypes[j] == checksum.checksum_type)
- break;
- }
- if (cksumtypes != NULL)
- krb5_free_cksumtypes(kcontext, cksumtypes);
- if (j < cksumtypes_count) {
+ key = &keys[i];
+ cksumtypes_count = 0;
+ cksumtypes = NULL;
+ if (krb5_c_keyed_checksum_types(kcontext, key->enctype,
+ &cksumtypes_count, &cksumtypes) != 0)
+ continue;
+ for (j = 0; j < cksumtypes_count; j++) {
+ if (cksumtypes[j] == checksum.checksum_type)
+ break;
+ }
+ if (cksumtypes != NULL)
+ krb5_free_cksumtypes(kcontext, cksumtypes);
+ if (j < cksumtypes_count) {
#ifdef DEBUG
- fprintf(stderr, "Found checksum key.\n");
+ fprintf(stderr, "Found checksum key.\n");
#endif
- break;
- }
+ break;
+ }
}
if ((key == NULL) || (key->enctype == 0)) {
- for (i = 0; keys[i].enctype != 0; i++)
- krb5_free_keyblock_contents(kcontext, &keys[i]);
- krb5_free_data(kcontext, key_data);
- stats->failures++;
- return KRB5KDC_ERR_SUMTYPE_NOSUPP;
+ for (i = 0; keys[i].enctype != 0; i++)
+ krb5_free_keyblock_contents(kcontext, &keys[i]);
+ krb5_free_data(kcontext, key_data);
+ stats->failures++;
+ return KRB5KDC_ERR_SUMTYPE_NOSUPP;
}
/* Save a copy of the key. */
if (krb5_copy_keyblock(kcontext, &keys[i], &key) != 0) {
- for (i = 0; keys[i].enctype != 0; i++)
- krb5_free_keyblock_contents(kcontext, &keys[i]);
- krb5_free_data(kcontext, key_data);
- stats->failures++;
- return KRB5KDC_ERR_SUMTYPE_NOSUPP;
+ for (i = 0; keys[i].enctype != 0; i++)
+ krb5_free_keyblock_contents(kcontext, &keys[i]);
+ krb5_free_data(kcontext, key_data);
+ stats->failures++;
+ return KRB5KDC_ERR_SUMTYPE_NOSUPP;
}
for (i = 0; keys[i].enctype != 0; i++)
- krb5_free_keyblock_contents(kcontext, &keys[i]);
+ krb5_free_keyblock_contents(kcontext, &keys[i]);
krb5_free_data(kcontext, key_data);
/* Rebuild a copy of the client's request-body. If we were serious
* will probably work if it's us on both ends, though. */
req_body = NULL;
if ((*server_get_entry_data)(kcontext, request, client,
- krb5plugin_preauth_request_body,
- &req_body) != 0) {
- krb5_free_keyblock(kcontext, key);
- stats->failures++;
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ krb5plugin_preauth_request_body,
+ &req_body) != 0) {
+ krb5_free_keyblock(kcontext, key);
+ stats->failures++;
+ return KRB5KDC_ERR_PREAUTH_FAILED;
}
#ifdef DEBUG
fprintf(stderr, "AS key type %d, checksum type %d, %d bytes.\n",
- key->enctype, checksum.checksum_type, req_body->length);
+ key->enctype, checksum.checksum_type, req_body->length);
#endif
/* Verify the checksum itself. */
checksum.contents = data->contents + 4;
valid = FALSE;
status = krb5_c_verify_checksum(kcontext, key,
- KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
- req_body, &checksum, &valid);
+ KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
+ req_body, &checksum, &valid);
/* Clean up. */
krb5_free_data(kcontext, req_body);
/* Evaluate our results. */
if ((status != 0) || (!valid)) {
#ifdef DEBUG
- if (status != 0) {
- fprintf(stderr, "Error in checksum verification.\n");
- } else {
- fprintf(stderr, "Checksum mismatch.\n");
- }
+ if (status != 0) {
+ fprintf(stderr, "Error in checksum verification.\n");
+ } else {
+ fprintf(stderr, "Checksum mismatch.\n");
+ }
#endif
- /* Return edata to exercise code that handles edata... */
- test_edata = malloc(sizeof(*test_edata));
- if (test_edata != NULL) {
- test_edata->data = malloc(20);
- if (test_edata->data == NULL) {
- free(test_edata);
- } else {
- test_edata->length = 20;
- memset(test_edata->data, 'F', 20); /* fill it with junk */
- *e_data = test_edata;
- }
- }
- stats->failures++;
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ /* Return edata to exercise code that handles edata... */
+ test_edata = malloc(sizeof(*test_edata));
+ if (test_edata != NULL) {
+ test_edata->data = malloc(20);
+ if (test_edata->data == NULL) {
+ free(test_edata);
+ } else {
+ test_edata->length = 20;
+ memset(test_edata->data, 'F', 20); /* fill it with junk */
+ *e_data = test_edata;
+ }
+ }
+ stats->failures++;
+ return KRB5KDC_ERR_PREAUTH_FAILED;
}
/*
#endif
my_authz_data = malloc(2 * sizeof(*my_authz_data));
if (my_authz_data != NULL) {
- my_authz_data[1] = NULL;
- my_authz_data[0] = malloc(sizeof(krb5_authdata));
- if (my_authz_data[0] == NULL) {
- free(my_authz_data);
- return ENOMEM;
- }
- my_authz_data[0]->contents = malloc(AD_ALLOC_SIZE);
- if (my_authz_data[0]->contents == NULL) {
- free(my_authz_data[0]);
- free(my_authz_data);
- return ENOMEM;
- }
- memset(my_authz_data[0]->contents, '\0', AD_ALLOC_SIZE);
- my_authz_data[0]->magic = KV5M_AUTHDATA;
- my_authz_data[0]->ad_type = 1;
- my_authz_data[0]->length = AD_ALLOC_SIZE;
- memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header));
- snprintf(my_authz_data[0]->contents + sizeof(ad_header),
- AD_ALLOC_SIZE - sizeof(ad_header),
- "cksum authorization data: %d bytes worth!\n", AD_ALLOC_SIZE);
- *authz_data = my_authz_data;
+ my_authz_data[1] = NULL;
+ my_authz_data[0] = malloc(sizeof(krb5_authdata));
+ if (my_authz_data[0] == NULL) {
+ free(my_authz_data);
+ return ENOMEM;
+ }
+ my_authz_data[0]->contents = malloc(AD_ALLOC_SIZE);
+ if (my_authz_data[0]->contents == NULL) {
+ free(my_authz_data[0]);
+ free(my_authz_data);
+ return ENOMEM;
+ }
+ memset(my_authz_data[0]->contents, '\0', AD_ALLOC_SIZE);
+ my_authz_data[0]->magic = KV5M_AUTHDATA;
+ my_authz_data[0]->ad_type = 1;
+ my_authz_data[0]->length = AD_ALLOC_SIZE;
+ memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header));
+ snprintf(my_authz_data[0]->contents + sizeof(ad_header),
+ AD_ALLOC_SIZE - sizeof(ad_header),
+ "cksum authorization data: %d bytes worth!\n", AD_ALLOC_SIZE);
+ *authz_data = my_authz_data;
#ifdef DEBUG
- fprintf(stderr, "Returning %d bytes of authorization data\n",
- AD_ALLOC_SIZE);
+ fprintf(stderr, "Returning %d bytes of authorization data\n",
+ AD_ALLOC_SIZE);
#endif
}
/* Return edata to exercise code that handles edata... */
test_edata = malloc(sizeof(*test_edata));
if (test_edata != NULL) {
- test_edata->data = malloc(20);
- if (test_edata->data == NULL) {
- free(test_edata);
- } else {
- test_edata->length = 20;
- memset(test_edata->data, 'S', 20); /* fill it with junk */
- *e_data = test_edata;
- }
+ test_edata->data = malloc(20);
+ if (test_edata->data == NULL) {
+ free(test_edata);
+ } else {
+ test_edata->length = 20;
+ memset(test_edata->data, 'S', 20); /* fill it with junk */
+ *e_data = test_edata;
+ }
}
/* Return a request context to exercise code that handles it */
svr_req_ctx = malloc(sizeof(*svr_req_ctx));
if (svr_req_ctx != NULL) {
- svr_req_ctx->value1 = 111111;
- svr_req_ctx->value2 = 222222;
+ svr_req_ctx->value1 = 111111;
+ svr_req_ctx->value2 = 222222;
#ifdef DEBUG
- fprintf(stderr, "server_verify: returning context at %p\n",
- svr_req_ctx);
+ fprintf(stderr, "server_verify: returning context at %p\n",
+ svr_req_ctx);
#endif
}
*pa_request_context = svr_req_ctx;
/* Create the response for a client. */
static krb5_error_code
server_return(krb5_context kcontext,
- krb5_pa_data *padata,
- struct _krb5_db_entry_new *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_kdc_rep *reply,
- struct _krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
- void **pa_request_context)
+ krb5_pa_data *padata,
+ struct _krb5_db_entry_new *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *reply,
+ struct _krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa,
+ preauth_get_entry_data_proc server_get_entry_data,
+ void *pa_module_context,
+ void **pa_request_context)
{
/* We don't need to send data back on the return trip. */
*send_pa = NULL;
/* Test server request context freeing */
static krb5_error_code
server_free_reqctx(krb5_context kcontext,
- void *pa_module_context,
- void **pa_request_context)
+ void *pa_module_context,
+ void **pa_request_context)
{
test_svr_req_ctx *svr_req_ctx;
#ifdef DEBUG
fprintf(stderr, "server_free_reqctx: entered!\n");
#endif
if (pa_request_context == NULL)
- return 0;
+ return 0;
svr_req_ctx = *pa_request_context;
if (svr_req_ctx == NULL)
- return 0;
+ return 0;
if (svr_req_ctx->value1 != 111111 || svr_req_ctx->value2 != 222222) {
- fprintf(stderr, "server_free_reqctx: got invalid req context "
- "at %p with values %d and %d\n",
- svr_req_ctx, svr_req_ctx->value1, svr_req_ctx->value2);
- return EINVAL;
+ fprintf(stderr, "server_free_reqctx: got invalid req context "
+ "at %p with values %d and %d\n",
+ svr_req_ctx, svr_req_ctx->value1, svr_req_ctx->value2);
+ return EINVAL;
}
#ifdef DEBUG
fprintf(stderr, "server_free_reqctx: freeing context at %p\n", svr_req_ctx);
};
struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = {
- "cksum_body", /* name */
- &supported_client_pa_types[0], /* pa_type_list */
- NULL, /* enctype_list */
- NULL, /* plugin init function */
- NULL, /* plugin fini function */
- client_get_flags, /* get flags function */
- NULL, /* request init function */
- NULL, /* request fini function */
- client_process, /* process function */
- NULL, /* try_again function */
- client_gic_opt /* get init creds opt function */
+ "cksum_body", /* name */
+ &supported_client_pa_types[0], /* pa_type_list */
+ NULL, /* enctype_list */
+ NULL, /* plugin init function */
+ NULL, /* plugin fini function */
+ client_get_flags, /* get flags function */
+ NULL, /* request init function */
+ NULL, /* request fini function */
+ client_process, /* process function */
+ NULL, /* try_again function */
+ client_gic_opt /* get init creds opt function */
};
struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = {
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* plugins/preauth/encrypted_challenge/encrypted_challenge.c
*
* or implied warranty.
*
*
- *
- * Implement EncryptedChallenge fast factor from draft-ietf-krb-wg-preauth-framework
+ * Implement Encrypted Challenge fast factor from
+ * draft-ietf-krb-wg-preauth-framework
*/
#include <k5-int.h>
#include <krb5/preauth_plugin.h>
-static int preauth_flags
-(krb5_context context, krb5_preauthtype pa_type)
+static int
+preauth_flags(krb5_context context, krb5_preauthtype pa_type)
{
return PA_REAL;
}
-static krb5_error_code process_preauth
-(krb5_context context,
- void *plugin_context,
- void *request_context,
- krb5_get_init_creds_opt *opt,
- preauth_get_client_data_proc get_data_proc,
- struct _krb5_preauth_client_rock *rock,
- krb5_kdc_req *request,
- krb5_data *encoded_request_body,
- krb5_data *encoded_previous_request,
- krb5_pa_data *padata,
- krb5_prompter_fct prompter,
- void *prompter_data,
- preauth_get_as_key_proc gak_fct,
- void *gak_data,
- krb5_data *salt,
- krb5_data *s2kparams,
- krb5_keyblock *as_key,
- krb5_pa_data ***out_padata)
+static krb5_error_code
+process_preauth(krb5_context context, void *plugin_context,
+ void *request_context, krb5_get_init_creds_opt *opt,
+ preauth_get_client_data_proc get_data_proc,
+ struct _krb5_preauth_client_rock *rock, krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request, krb5_pa_data *padata,
+ krb5_prompter_fct prompter, void *prompter_data,
+ preauth_get_as_key_proc gak_fct, void *gak_data,
+ krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key,
+ krb5_pa_data ***out_padata)
{
krb5_error_code retval = 0;
krb5_enctype enctype = 0;
if (retval == 0)
retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor",
as_key, "challengelongterm", &challenge_key);
- if (retval == 0)
- retval =kaccess.decode_enc_data(&scratch, &enc);
- scratch.data = NULL;
- if (retval == 0) {
- scratch.data = malloc(enc->ciphertext.length);
- scratch.length = enc->ciphertext.length;
- if (scratch.data == NULL)
- retval = ENOMEM;
- }
- if (retval == 0)
- retval = krb5_c_decrypt(context, challenge_key,
- KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL,
- enc, &scratch);
-/*Per draft 11 of the preauth framework, the client MAY but
- * is not required to actually check the timestamp from the KDC other than
- * to confirm it decrypts. This code does not perform that check.
- */
- if (scratch.data)
- krb5_free_data_contents(context, &scratch);
- if (retval == 0)
- fast_set_kdc_verified(context, get_data_proc, rock);
- if (enc)
- kaccess.free_enc_data(context, enc);
+ if (retval == 0)
+ retval =kaccess.decode_enc_data(&scratch, &enc);
+ scratch.data = NULL;
+ if (retval == 0) {
+ scratch.data = malloc(enc->ciphertext.length);
+ scratch.length = enc->ciphertext.length;
+ if (scratch.data == NULL)
+ retval = ENOMEM;
+ }
+ if (retval == 0)
+ retval = krb5_c_decrypt(context, challenge_key,
+ KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL,
+ enc, &scratch);
+ /*
+ * Per draft 11 of the preauth framework, the client MAY but is not
+ * required to actually check the timestamp from the KDC other than to
+ * confirm it decrypts. This code does not perform that check.
+ */
+ if (scratch.data)
+ krb5_free_data_contents(context, &scratch);
+ if (retval == 0)
+ fast_set_kdc_verified(context, get_data_proc, rock);
+ if (enc)
+ kaccess.free_enc_data(context, enc);
} else { /*No padata; we send*/
krb5_enc_data enc;
krb5_pa_data *pa = NULL;
if (retval == 0) {
retval = kaccess.encode_enc_data(&enc, &encoded_ts);
krb5_free_data_contents(context, &enc.ciphertext);
- }
- if (retval == 0) {
- pa = calloc(1, sizeof(krb5_pa_data));
- if (pa == NULL)
- retval = ENOMEM;
- }
- if (retval == 0) {
- pa_array = calloc(2, sizeof(krb5_pa_data *));
- if (pa_array == NULL)
- retval = ENOMEM;
- }
- if (retval == 0) {
- pa->length = encoded_ts->length;
- pa->contents = (unsigned char *) encoded_ts->data;
- pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE;
- free(encoded_ts);
- encoded_ts = NULL;
- pa_array[0] = pa;
- pa = NULL;
- *out_padata = pa_array;
- pa_array = NULL;
- }
- if (pa)
- free(pa);
- if (encoded_ts)
- krb5_free_data(context, encoded_ts);
- if (pa_array)
- free(pa_array);
+ }
+ if (retval == 0) {
+ pa = calloc(1, sizeof(krb5_pa_data));
+ if (pa == NULL)
+ retval = ENOMEM;
+ }
+ if (retval == 0) {
+ pa_array = calloc(2, sizeof(krb5_pa_data *));
+ if (pa_array == NULL)
+ retval = ENOMEM;
+ }
+ if (retval == 0) {
+ pa->length = encoded_ts->length;
+ pa->contents = (unsigned char *) encoded_ts->data;
+ pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE;
+ free(encoded_ts);
+ encoded_ts = NULL;
+ pa_array[0] = pa;
+ pa = NULL;
+ *out_padata = pa_array;
+ pa_array = NULL;
+ }
+ if (pa)
+ free(pa);
+ if (encoded_ts)
+ krb5_free_data(context, encoded_ts);
+ if (pa_array)
+ free(pa_array);
}
if (challenge_key)
krb5_free_keyblock(context, challenge_key);
}
-
-
-static krb5_error_code kdc_include_padata
-(krb5_context context,
- krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- preauth_get_entry_data_proc get_entry_proc,
- void *pa_module_context,
- krb5_pa_data *data)
+static krb5_error_code
+kdc_include_padata(krb5_context context, krb5_kdc_req *request,
+ struct _krb5_db_entry_new *client,
+ struct _krb5_db_entry_new *server,
+ preauth_get_entry_data_proc get_entry_proc,
+ void *pa_module_context, krb5_pa_data *data)
{
krb5_error_code retval = 0;
krb5_keyblock *armor_key = NULL;
return 0;
}
-static krb5_error_code kdc_verify_preauth
-(krb5_context context,
- struct _krb5_db_entry_new *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data,
- preauth_get_entry_data_proc get_entry_proc,
- void *pa_module_context,
- void **pa_request_context,
- krb5_data **e_data,
- krb5_authdata ***authz_data)
+static krb5_error_code
+kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data,
+ preauth_get_entry_data_proc get_entry_proc,
+ void *pa_module_context, void **pa_request_context,
+ krb5_data **e_data, krb5_authdata ***authz_data)
{
krb5_error_code retval = 0;
krb5_timestamp now;
retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key);
if (retval == 0 &&armor_key == NULL) {
retval = ENOENT;
- krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel");
+ krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel");
}
scratch.data = (char *) data->contents;
scratch.length = data->length;
armor_key, "clientchallengearmor",
&client_keys[i], "challengelongterm",
&challenge_key);
- if (retval == 0)
- retval = krb5_c_decrypt(context, challenge_key,
- KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT,
- NULL, enc, &plain);
- if (challenge_key)
- krb5_free_keyblock(context, challenge_key);
- challenge_key = NULL;
- if (retval == 0)
- break;
- /*We failed to decrypt. Try next key*/
- retval = 0;
- krb5_free_keyblock_contents(context, &client_keys[i]);
- }
- if (client_keys[i].enctype == 0) {
- retval = KRB5KDC_ERR_PREAUTH_FAILED;
- krb5_set_error_message(context, retval, "Incorrect password in encrypted challenge");
- } else { /*not run out of keys*/
- int j;
- assert (retval == 0);
- for (j = i+1; client_keys[j].enctype; j++)
- krb5_free_keyblock_contents(context, &client_keys[j]);
- }
+ if (retval == 0)
+ retval = krb5_c_decrypt(context, challenge_key,
+ KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT,
+ NULL, enc, &plain);
+ if (challenge_key)
+ krb5_free_keyblock(context, challenge_key);
+ challenge_key = NULL;
+ if (retval == 0)
+ break;
+ /*We failed to decrypt. Try next key*/
+ retval = 0;
+ krb5_free_keyblock_contents(context, &client_keys[i]);
+ }
+ if (client_keys[i].enctype == 0) {
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
+ krb5_set_error_message(context, retval, "Incorrect password in encrypted challenge");
+ } else { /*not run out of keys*/
+ int j;
+ assert (retval == 0);
+ for (j = i+1; client_keys[j].enctype; j++)
+ krb5_free_keyblock_contents(context, &client_keys[j]);
+ }
}
if (retval == 0)
if (retval == 0) {
if (labs(now-ts->patimestamp) < context->clockskew) {
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
- /*If this fails, we won't generate a reply to the client. That may
- * cause the client to fail, but at this point the KDC has considered
- * this a success, so the return value is ignored. */
+ /*
+ * If this fails, we won't generate a reply to the client. That
+ * may cause the client to fail, but at this point the KDC has
+ * considered this a success, so the return value is ignored.
+ */
fast_kdc_replace_reply_key(context, get_entry_proc, request);
krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
- &client_keys[i], "challengelongterm",
- (krb5_keyblock **) pa_request_context);
+ &client_keys[i], "challengelongterm",
+ (krb5_keyblock **) pa_request_context);
} else { /*skew*/
retval = KRB5KRB_AP_ERR_SKEW;
}
return retval;
}
-static krb5_error_code kdc_return_preauth
-(krb5_context context,
- krb5_pa_data * padata,
- struct _krb5_db_entry_new *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_kdc_rep *reply,
- struct _krb5_key_data *client_keys,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- preauth_get_entry_data_proc get_entry_proc,
- void *pa_module_context,
- void **pa_request_context)
+static krb5_error_code
+kdc_return_preauth(krb5_context context, krb5_pa_data *padata,
+ struct _krb5_db_entry_new *client, krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ struct _krb5_key_data *client_keys,
+ krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
+ preauth_get_entry_data_proc get_entry_proc,
+ void *pa_module_context, void **pa_request_context)
{
krb5_error_code retval = 0;
krb5_keyblock *challenge_key = *pa_request_context;
if (challenge_key == NULL)
return 0;
* pa_request_context = NULL; /*this function will free the
- * challenge key*/
+ * challenge key*/
enc.ciphertext.data = NULL; /* In case of error pass through */
retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec);
retval = kaccess.encode_enc_data(&enc, &encoded);
if (retval == 0) {
pa = calloc(1, sizeof(krb5_pa_data));
- if (pa == NULL)
- retval = ENOMEM;
+ if (pa == NULL)
+ retval = ENOMEM;
}
if (retval == 0) {
pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE;
return retval;
}
-static int kdc_preauth_flags
-(krb5_context context, krb5_preauthtype patype)
+static int
+kdc_preauth_flags(krb5_context context, krb5_preauthtype patype)
{
return 0;
}
-/*Returns success with a null armor_key if FAST is available but not in use.
-Returns failure if the client library does not support FAST
-*/
-static krb5_error_code fast_get_armor_key
-(krb5_context context, preauth_get_client_data_proc get_data,
- struct _krb5_preauth_client_rock *rock,
- krb5_keyblock **armor_key)
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+
+/*
+ * Returns success with a null armor_key if FAST is available but not in use.
+ * Returns failure if the client library does not support FAST.
+ */
+static krb5_error_code
+fast_get_armor_key(krb5_context context, preauth_get_client_data_proc get_data,
+ struct _krb5_preauth_client_rock *rock,
+ krb5_keyblock **armor_key)
{
krb5_error_code retval = 0;
krb5_data *data;
retval = get_data(context, rock, krb5plugin_preauth_client_fast_armor, &data);
if (retval == 0) {
- *armor_key = (krb5_keyblock *) data->data;
- data->data = NULL;
- get_data(context, rock, krb5plugin_preauth_client_free_fast_armor,
- &data);
+ *armor_key = (krb5_keyblock *) data->data;
+ data->data = NULL;
+ get_data(context, rock, krb5plugin_preauth_client_free_fast_armor,
+ &data);
}
return retval;
}
-static krb5_error_code fast_kdc_get_armor_key
-(krb5_context context, preauth_get_entry_data_proc get_entry,
- krb5_kdc_req *request,struct _krb5_db_entry_new *client,
- krb5_keyblock **armor_key)
+static krb5_error_code
+fast_kdc_get_armor_key(krb5_context context,
+ preauth_get_entry_data_proc get_entry,
+ krb5_kdc_req *request,
+ struct _krb5_db_entry_new *client,
+ krb5_keyblock **armor_key)
{
krb5_error_code retval;
krb5_data *data;
- retval = get_entry(context, request, client, krb5plugin_preauth_fast_armor,
- &data);
- if (retval == 0) {
- *armor_key = (krb5_keyblock *) data->data;
- data->data = NULL;
- get_entry(context, request, client,
- krb5plugin_preauth_free_fast_armor, &data);
- }
- return retval;
- }
+ retval = get_entry(context, request, client, krb5plugin_preauth_fast_armor,
+ &data);
+ if (retval == 0) {
+ *armor_key = (krb5_keyblock *) data->data;
+ data->data = NULL;
+ get_entry(context, request, client,
+ krb5plugin_preauth_free_fast_armor, &data);
+ }
+ return retval;
+}
- static krb5_error_code fast_kdc_replace_reply_key
- (krb5_context context, preauth_get_entry_data_proc get_data,
- krb5_kdc_req *request)
- {
- return 0;
- }
+static krb5_error_code
+fast_kdc_replace_reply_key(krb5_context context,
+ preauth_get_entry_data_proc get_data,
+ krb5_kdc_req *request)
+{
+ return 0;
+}
-static krb5_error_code fast_set_kdc_verified
-(krb5_context context, preauth_get_client_data_proc get_data,
- struct _krb5_preauth_client_rock *rock)
+static krb5_error_code
+fast_set_kdc_verified(krb5_context context,
+ preauth_get_client_data_proc get_data,
+ struct _krb5_preauth_client_rock *rock)
{
return 0;
}
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 2006 Red Hat, Inc.
* All rights reserved.
pctx = malloc(sizeof(int));
if (pctx == NULL)
- return ENOMEM;
+ return ENOMEM;
*pctx = 0;
*ctx = pctx;
return 0;
static krb5_error_code
client_process(krb5_context kcontext,
- void *plugin_context,
- void *request_context,
- krb5_get_init_creds_opt *opt,
- preauth_get_client_data_proc client_get_data_proc,
- struct _krb5_preauth_client_rock *rock,
- krb5_kdc_req *request,
- krb5_data *encoded_request_body,
- krb5_data *encoded_previous_request,
- krb5_pa_data *pa_data,
- krb5_prompter_fct prompter,
- void *prompter_data,
- preauth_get_as_key_proc gak_fct,
- void *gak_data,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_keyblock *as_key,
- krb5_pa_data ***out_pa_data)
+ void *plugin_context,
+ void *request_context,
+ krb5_get_init_creds_opt *opt,
+ preauth_get_client_data_proc client_get_data_proc,
+ struct _krb5_preauth_client_rock *rock,
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data *pa_data,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ preauth_get_as_key_proc gak_fct,
+ void *gak_data,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_keyblock *as_key,
+ krb5_pa_data ***out_pa_data)
{
krb5_pa_data **send_pa;
krb5_int32 nnonce, enctype;
#ifdef DEBUG
fprintf(stderr, "%d bytes of preauthentication data (type %d)\n",
- pa_data->length, pa_data->pa_type);
+ pa_data->length, pa_data->pa_type);
#endif
pctx = plugin_context;
if (pctx) {
- (*pctx)++;
+ (*pctx)++;
}
if (pa_data->length == 0) {
- /* Create preauth data. */
- send_pa = malloc(2 * sizeof(krb5_pa_data *));
- if (send_pa == NULL)
- return ENOMEM;
- send_pa[1] = NULL; /* Terminate list */
- send_pa[0] = malloc(sizeof(krb5_pa_data));
- if (send_pa[0] == NULL) {
- free(send_pa);
- return ENOMEM;
- }
- send_pa[0]->pa_type = KRB5_PADATA_WPSE_REQ;
- send_pa[0]->length = 4;
- send_pa[0]->contents = malloc(4);
- if (send_pa[0]->contents == NULL) {
- free(send_pa[0]);
- free(send_pa);
- return ENOMEM;
- }
- /* Store the preauth data. */
- nnonce = htonl(request->nonce);
- memcpy(send_pa[0]->contents, &nnonce, 4);
- *out_pa_data = send_pa;
+ /* Create preauth data. */
+ send_pa = malloc(2 * sizeof(krb5_pa_data *));
+ if (send_pa == NULL)
+ return ENOMEM;
+ send_pa[1] = NULL; /* Terminate list */
+ send_pa[0] = malloc(sizeof(krb5_pa_data));
+ if (send_pa[0] == NULL) {
+ free(send_pa);
+ return ENOMEM;
+ }
+ send_pa[0]->pa_type = KRB5_PADATA_WPSE_REQ;
+ send_pa[0]->length = 4;
+ send_pa[0]->contents = malloc(4);
+ if (send_pa[0]->contents == NULL) {
+ free(send_pa[0]);
+ free(send_pa);
+ return ENOMEM;
+ }
+ /* Store the preauth data. */
+ nnonce = htonl(request->nonce);
+ memcpy(send_pa[0]->contents, &nnonce, 4);
+ *out_pa_data = send_pa;
} else {
- /* A reply from the KDC. Conventionally this would be
- * indicated by a different preauthentication type, but this
- * mechanism/implementation doesn't do that. */
- if (pa_data->length > 4) {
- memcpy(&enctype, pa_data->contents, 4);
- kb = NULL;
- status = krb5_init_keyblock(kcontext, ntohl(enctype),
- pa_data->length - 4, &kb);
- if (status != 0)
- return status;
- memcpy(kb->contents, pa_data->contents + 4, pa_data->length - 4);
+ /* A reply from the KDC. Conventionally this would be
+ * indicated by a different preauthentication type, but this
+ * mechanism/implementation doesn't do that. */
+ if (pa_data->length > 4) {
+ memcpy(&enctype, pa_data->contents, 4);
+ kb = NULL;
+ status = krb5_init_keyblock(kcontext, ntohl(enctype),
+ pa_data->length - 4, &kb);
+ if (status != 0)
+ return status;
+ memcpy(kb->contents, pa_data->contents + 4, pa_data->length - 4);
#ifdef DEBUG
- fprintf(stderr, "Recovered key type=%d, length=%d.\n",
- kb->enctype, kb->length);
+ fprintf(stderr, "Recovered key type=%d, length=%d.\n",
+ kb->enctype, kb->length);
#endif
- status = krb5_copy_keyblock_contents(kcontext, kb, as_key);
- krb5_free_keyblock(kcontext, kb);
- return status;
- }
- return KRB5KRB_ERR_GENERIC;
+ status = krb5_copy_keyblock_contents(kcontext, kb, as_key);
+ krb5_free_keyblock(kcontext, kb);
+ return status;
+ }
+ return KRB5KRB_ERR_GENERIC;
}
return 0;
}
* do per-request cleanup. */
ctx = (wpse_req_ctx *) malloc(sizeof(*ctx));
if (ctx == NULL)
- return;
+ return;
ctx->magic = WPSE_MAGIC;
ctx->value = 0xc0dec0de;
if (ctx) {
#ifdef DEBUG
- fprintf(stderr, "client_req_cleanup: req_ctx at %p has magic %x and value %x\n",
- ctx, ctx->magic, ctx->value);
+ fprintf(stderr, "client_req_cleanup: req_ctx at %p has magic %x and value %x\n",
+ ctx, ctx->magic, ctx->value);
#endif
- if (ctx->magic != WPSE_MAGIC) {
+ if (ctx->magic != WPSE_MAGIC) {
#ifdef DEBUG
- fprintf(stderr, "client_req_cleanup: req_context at %p has bad magic value %x\n",
- ctx, ctx->magic);
+ fprintf(stderr, "client_req_cleanup: req_context at %p has bad magic value %x\n",
+ ctx, ctx->magic);
#endif
- return;
- }
- free(ctx);
+ return;
+ }
+ free(ctx);
}
return;
}
static krb5_error_code
client_gic_opt(krb5_context kcontext,
- void *plugin_context,
- krb5_get_init_creds_opt *opt,
- const char *attr,
- const char *value)
+ void *plugin_context,
+ krb5_get_init_creds_opt *opt,
+ const char *attr,
+ const char *value)
{
#ifdef DEBUG
fprintf(stderr, "(wpse) client_gic_opt: received '%s' = '%s'\n",
- attr, value);
+ attr, value);
#endif
return 0;
}
/* Free state. */
static krb5_error_code
server_free_pa_request_context(krb5_context kcontext, void *plugin_context,
- void **request_context)
+ void **request_context)
{
if (*request_context != NULL) {
- free(*request_context);
- *request_context = NULL;
+ free(*request_context);
+ *request_context = NULL;
}
return 0;
}
* client) which matches type data->pa_type. */
static krb5_error_code
server_get_edata(krb5_context kcontext,
- krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
- krb5_pa_data *data)
+ krb5_kdc_req *request,
+ struct _krb5_db_entry_new *client,
+ struct _krb5_db_entry_new *server,
+ preauth_get_entry_data_proc server_get_entry_data,
+ void *pa_module_context,
+ krb5_pa_data *data)
{
/* Return zero bytes of data. */
data->length = 0;
/* Verify a request from a client. */
static krb5_error_code
server_verify(krb5_context kcontext,
- struct _krb5_db_entry_new *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
- void **pa_request_context,
- krb5_data **e_data,
- krb5_authdata ***authz_data)
+ struct _krb5_db_entry_new *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *data,
+ preauth_get_entry_data_proc server_get_entry_data,
+ void *pa_module_context,
+ void **pa_request_context,
+ krb5_data **e_data,
+ krb5_authdata ***authz_data)
{
krb5_int32 nnonce;
krb5_data *test_edata;
#endif
/* Verify the preauth data. */
if (data->length != 4)
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ return KRB5KDC_ERR_PREAUTH_FAILED;
memcpy(&nnonce, data->contents, 4);
nnonce = ntohl(nnonce);
if (memcmp(&nnonce, &request->nonce, 4) != 0)
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ return KRB5KDC_ERR_PREAUTH_FAILED;
/* Note that preauthentication succeeded. */
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
enc_tkt_reply->flags |= TKT_FLG_HW_AUTH;
/* Allocate a context. Useful for verifying that we do in fact do
* per-request cleanup. */
if (*pa_request_context == NULL)
- *pa_request_context = malloc(4);
+ *pa_request_context = malloc(4);
/*
* Return some junk authorization data just to exercise the
my_authz_data[0]->length = AD_ALLOC_SIZE;
memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header));
snprintf(my_authz_data[0]->contents + sizeof(ad_header),
- AD_ALLOC_SIZE - sizeof(ad_header),
- "wpse authorization data: %d bytes worth!\n", AD_ALLOC_SIZE);
+ AD_ALLOC_SIZE - sizeof(ad_header),
+ "wpse authorization data: %d bytes worth!\n", AD_ALLOC_SIZE);
*authz_data = my_authz_data;
#ifdef DEBUG
fprintf(stderr, "Returning %d bytes of authorization data\n",
/* Return edata to exercise code that handles edata... */
test_edata = malloc(sizeof(*test_edata));
if (test_edata != NULL) {
- test_edata->data = malloc(20);
- if (test_edata->data == NULL) {
- free(test_edata);
- } else {
- test_edata->length = 20;
- memset(test_edata->data, '#', 20); /* fill it with junk */
- *e_data = test_edata;
- }
+ test_edata->data = malloc(20);
+ if (test_edata->data == NULL) {
+ free(test_edata);
+ } else {
+ test_edata->length = 20;
+ memset(test_edata->data, '#', 20); /* fill it with junk */
+ *e_data = test_edata;
+ }
}
return 0;
}
/* Create the response for a client. */
static krb5_error_code
server_return(krb5_context kcontext,
- krb5_pa_data *padata,
- struct _krb5_db_entry_new *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_kdc_rep *reply,
- struct _krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
- void **pa_request_context)
+ krb5_pa_data *padata,
+ struct _krb5_db_entry_new *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *reply,
+ struct _krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa,
+ preauth_get_entry_data_proc server_get_entry_data,
+ void *pa_module_context,
+ void **pa_request_context)
{
/* This module does a couple of dumb things. It tags its reply with
* the same type as the initial challenge (expecting the client to sort
/* We'll want a key with the first supported enctype. */
for (i = 0; i < request->nktypes; i++) {
- kb = NULL;
- if (krb5_init_keyblock(kcontext, request->ktype[i], 0, &kb) == 0) {
- break;
- }
+ kb = NULL;
+ if (krb5_init_keyblock(kcontext, request->ktype[i], 0, &kb) == 0) {
+ break;
+ }
}
if (i >= request->nktypes) {
- /* No matching cipher type found. */
- return 0;
+ /* No matching cipher type found. */
+ return 0;
}
/* Randomize a key and save it for the client. */
if (krb5_c_make_random_key(kcontext, request->ktype[i], kb) != 0) {
- krb5_free_keyblock(kcontext, kb);
- return 0;
+ krb5_free_keyblock(kcontext, kb);
+ return 0;
}
#ifdef DEBUG
fprintf(stderr, "Generated random key, type=%d, length=%d.\n",
- kb->enctype, kb->length);
+ kb->enctype, kb->length);
#endif
*send_pa = malloc(sizeof(krb5_pa_data));
if (*send_pa == NULL) {
- krb5_free_keyblock(kcontext, kb);
- return ENOMEM;
+ krb5_free_keyblock(kcontext, kb);
+ return ENOMEM;
}
(*send_pa)->pa_type = KRB5_PADATA_WPSE_REQ;
(*send_pa)->length = 4 + kb->length;
(*send_pa)->contents = malloc(4 + kb->length);
if ((*send_pa)->contents == NULL) {
- free(*send_pa);
- *send_pa = NULL;
- krb5_free_keyblock(kcontext, kb);
- return ENOMEM;
+ free(*send_pa);
+ *send_pa = NULL;
+ krb5_free_keyblock(kcontext, kb);
+ return ENOMEM;
}
/* Store the preauth data. */
static krb5_preauthtype supported_server_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0};
struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = {
- "wpse", /* name */
- &supported_client_pa_types[0], /* pa_type_list */
- NULL, /* enctype_list */
- client_init, /* plugin init function */
- client_fini, /* plugin fini function */
- client_get_flags, /* get flags function */
- client_req_init, /* request init function */
- client_req_cleanup, /* request fini function */
- client_process, /* process function */
- NULL, /* try_again function */
- client_gic_opt /* get init creds opts function */
+ "wpse", /* name */
+ &supported_client_pa_types[0], /* pa_type_list */
+ NULL, /* enctype_list */
+ client_init, /* plugin init function */
+ client_fini, /* plugin fini function */
+ client_get_flags, /* get flags function */
+ client_req_init, /* request init function */
+ client_req_cleanup, /* request fini function */
+ client_process, /* process function */
+ NULL, /* try_again function */
+ client_gic_opt /* get init creds opts function */
};
struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = {