more Novell ldap patches from Nov 6 and Fix for wrong password policy reference count
authorWill Fiveash <will.fiveash@oracle.com>
Mon, 13 Nov 2006 20:25:08 +0000 (20:25 +0000)
committerWill Fiveash <will.fiveash@oracle.com>
Mon, 13 Nov 2006 20:25:08 +0000 (20:25 +0000)
This commit is to update the code with the following Novell patches from
Nov 6, 2006:

patch-ldap-kadm5-macro.diff
patch-ldap-fixes.diff
patch-ldap-key-seq-salt.diff
patch-ldap-misc.diff

And this patch from Nov 8:
patch-ldap-pwd-policy.c

ticket: new
Target_Version: krb5-1.6
Tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18799 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/asn.1/ldap_key_seq.c
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c

index c25d7afe67a9b281ac89e6017e16f6bc4ea8afb1..1fe9a548fed9ef83cd028b1e341390976b63b22a 100644 (file)
@@ -338,8 +338,10 @@ static asn1_error_code asn1_decode_key(asn1buf *buf, krb5_key_data *key)
        key->key_data_type[1] = keytype; /* XXX range check?? */
        checkerr;
 
-       ret = decode_tagged_octetstring (&slt, 1, &keylen,
-                                        &key->key_data_contents[1]); checkerr;
+       if (asn1buf_remains(&slt, 0) != 0) { /* Salt value is optional */
+           ret = decode_tagged_octetstring (&slt, 1, &keylen,
+                   &key->key_data_contents[1]); checkerr;
+       }
        safe_syncbuf (&subbuf, &slt);
        key->key_data_length[1] = keylen; /* XXX range check?? */
 
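Review bot: When the salt is absent, the new `if` skips `decode_tagged_octetstring`, yet `key->key_data_length[1] = keylen;` two lines later still runs with whatever `keylen` held before, and `key_data_contents[1]` is left untouched. If `keylen` still carries the length of the previously decoded field (its earlier assignments are outside this hunk), the entry advertises a salt length with no matching buffer, which later copy or free code could trust. Adding `else keylen = 0;` to the new branch, and making sure `key_data_contents[1]` is NULL in that case, keeps length and pointer consistent. asn1_decode_key starts and ends outside the hunk.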
@@ -433,7 +435,7 @@ krb5_error_code asn1_decode_sequence_of_keys (krb5_data *in,
 
     /* Sequence of keys */
     {
-       int i, ret1, buflen;
+       int i, buflen;
        asn1buf keyseq;
        if (t.tagnum != 4)
            cleanup (ASN1_MISSING_FIELD);
@@ -447,7 +449,7 @@ krb5_error_code asn1_decode_sequence_of_keys (krb5_data *in,
                cleanup (ENOMEM);
            *out = tmp;
            (*out)[i - 1].key_data_kvno = kvno;
-           ret1 = asn1_decode_key(&keyseq, &(*out)[i - 1]); checkerr;
+           ret = asn1_decode_key(&keyseq, &(*out)[i - 1]); checkerr;
            (*n_key_data)++;
            if (asn1buf_remains(&keyseq, 0) == 0)
                break; /* Not freeing the last key structure */
index 7e2c71e62ef7a331b909c556254bde19e800291d..77b7e822c7f4f20fd12d7e7d3496d46b1d994e8e 100644 (file)
@@ -2206,12 +2206,12 @@ kdb_ldap_create_principal (context, princ, op, pblock)
     STORE16_INT(curr, princtype);
     curr += currlen;
 
-    mask |= KDB_PRINCIPAL;
-    mask |= KDB_ATTRIBUTES ;
-    mask |= KDB_MAX_LIFE ;
-    mask |= KDB_MAX_RLIFE ;
-    mask |= KDB_PRINC_EXPIRE_TIME ;
-    mask |= KDB_KEY_DATA;
+    mask |= KADM5_PRINCIPAL;
+    mask |= KADM5_ATTRIBUTES ;
+    mask |= KADM5_MAX_LIFE ;
+    mask |= KADM5_MAX_RLIFE ;
+    mask |= KADM5_PRINC_EXPIRE_TIME ;
+    mask |= KADM5_KEY_DATA;
 
     entry.tl_data = tl_data;
     entry.n_tl_data += 1;
index d6b479aa0bcf1c9772289099c115217860dc92a3..efcb73ee7bff3b413476e1b5d6605f86afa2ef1a 100644 (file)
@@ -1847,7 +1847,7 @@ remove_overlapping_subtrees(char **listin, char **listop, int *subtcount, int ss
                    slen-=1;
                    k-=1;
                    break;
-               } else if ((lendiff < 0) && (strcasecmp((listin[j])+lendiff, listin[k])==0)) {
+               } else if ((lendiff < 0) && (strcasecmp((listin[j])+abs(lendiff), listin[k])==0)) {
                    if (j != slen) {
                        free(listin[j]);
                        listin[j] = listin[slen];
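Review bot: The suffix test `strcasecmp((listin[j])+abs(lendiff), listin[k])` compares raw string tails, so it also matches when the tail begins in the middle of an RDN: a constructed tail `c=example` matches the end of `ou=x,dc=example`, and the longer DN is then freed as an overlapping subtree although it is not under the shorter one. Requiring a separator before the tail, e.g. `&& listin[j][abs(lendiff)-1] == ','`, would restrict the match to whole components. The offset is only in bounds if `lendiff` is the difference of the two string lengths, which is computed outside this hunk. The mirrored `lendiff > 0` branch presumably needs the same boundary check.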
@@ -1963,19 +1963,19 @@ populate_krb5_db_entry (krb5_context context,
                &(entry->last_success), &attr_present)) != 0)
        goto cleanup;
     if (attr_present == TRUE)
-       mask |= KDB_LAST_SUCCESS;
+       mask |= KDB_LAST_SUCCESS_ATTR;
 
     /* KRBLASTFAILEDAUTH */
     if ((st=krb5_ldap_get_time(ld, ent, "krbLastFailedAuth",
                &(entry->last_failed), &attr_present)) != 0)
        goto cleanup;
     if (attr_present == TRUE)
-       mask |= KDB_LAST_FAILED;
+       mask |= KDB_LAST_FAILED_ATTR;
 
     /* KRBLOGINFAILEDCOUNT */
     if (krb5_ldap_get_value(ld, ent, "krbLoginFailedCount",
            &(entry->fail_auth_count)) == 0)
-       mask |= KDB_FAIL_AUTH_COUNT;
+       mask |= KDB_FAIL_AUTH_COUNT_ATTR;
 
     /* KRBMAXTICKETLIFE */
     if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", &(entry->max_life)) == 0)
@@ -2010,6 +2010,7 @@ populate_krb5_db_entry (krb5_context context,
                &attr_present)) != 0)
        goto cleanup;
     if (attr_present == TRUE) {
+       mask |= KDB_POL_REF_ATTR;
        /* Ensure that the policy is inside the realm container */
        if ((st = krb5_ldap_policydn_to_name (context, policydn, &tktpolname)) != 0)
            goto cleanup;
@@ -2036,7 +2037,7 @@ populate_krb5_db_entry (krb5_context context,
 
     /* KRBSECRETKEY */
     if ((bvalues=ldap_get_values_len(ld, ent, "krbprincipalkey")) != NULL) {
-       mask |= KDB_SECRET_KEY;
+       mask |= KDB_SECRET_KEY_ATTR;
        if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data)) != 0)
            goto cleanup;
     }
@@ -2087,7 +2088,7 @@ populate_krb5_db_entry (krb5_context context,
            ldap_value_free_len (ber_tl_data);
            if (st != 0)
                goto cleanup;
-           mask |= KDB_EXTRA_DATA;
+           mask |= KDB_EXTRA_DATA_ATTR;
        }
     }
 
index 28507a9f77e0ce4402f5aafbacc7dfad2299bb28..83ba05d4ac909768b59d88a41cb7089a32e0ef1c 100644 (file)
@@ -50,11 +50,9 @@ char     *principal_attributes[] = { "krbprincipalname",
                                     "krbUpEnabled",
                                     "krbpwdpolicyreference",
                                     "krbpasswordexpiration",
-#ifdef  KRBCONF_KDC_MODIFIES_KDB
                                      "krbLastFailedAuth",
                                      "krbLoginFailedCount",
                                      "krbLastSuccessfulAuth",
-#endif
 #ifdef HAVE_EDIRECTORY
                                     "loginexpirationtime",
                                     "logindisabled",
@@ -78,6 +76,9 @@ static char *attributes_set[] = { "krbmaxrenewableage",
                                  "krbprincipalkey",
                                   "krblastpwdchange",
                                   "krbextradata",
+                                  "krbLastSuccessfulAuth",
+                                  "krbLastFailedAuth",
+                                  "krbLoginFailedCount",
                                  NULL };
 
 void
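Review bot: The three names appended to `attributes_set` follow the same order as the new `KDB_LAST_SUCCESS_ATTR`, `KDB_LAST_FAILED_ATTR` and `KDB_FAIL_AUTH_COUNT_ATTR` bits in ldap_principal.h, which suggests the array index is tied to the mask bit position, but nothing at the array says so. A comment above it such as `/* Order must match the KDB_*_ATTR bit positions in ldap_principal.h */` would stop a later insertion in the middle from silently shifting which attribute a bit refers to. The coupling is inferred from the two lists; the code that consumes `attributes_set` is not in this hunk.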
index 7d3734bd43d2713b1ff0d89226c15871ef222a89..e932e253e7675b85136ba33065e6b78d103bbb9a 100644 (file)
 #define  KDB_SERVICE_PRINCIPAL 0x02
 #define KDB_STANDALONE_PRINCIPAL_OBJECT 0x01
 
-/* krb5_db_entry */
-#define KDB_PRINCIPAL         0x000001
-#define KDB_PRINC_EXPIRE_TIME 0x000002
-#define KDB_PW_EXPIRATION     0x000004
-#define KDB_LAST_PWD_CHANGE   0x000008
-#define KDB_ATTRIBUTES        0x000010
-#define KDB_MAX_LIFE          0x000020
-#define KDB_MOD_TIME          0x000040
-#define KDB_MOD_NAME          0x000080
-#define KDB_KVNO              0x000100
-#define KDB_MKVNO             0x000200
-#define KDB_AUX_ATTRIBUTES    0x000400
-#define KDB_POLICY            0x000800
-#define KDB_POLICY_CLR        0x001000
-#define KDB_MAX_RLIFE         0x002000
-#define KDB_LAST_SUCCESS      0x004000
-#define KDB_LAST_FAILED       0x008000
-#define KDB_FAIL_AUTH_COUNT   0x010000
-#define KDB_KEY_DATA          0x020000
-#define KDB_TL_DATA           0x040000
-#define KDB_CPW_FUNCTION      0x080000
-#define KDB_RANDKEY_USED      0x100000
-
 /* these will be consumed only by krb5_ldap_delete_principal*/
 /* these will be set by krb5_ldap_get_principal and fed into the tl_data */
 
 #define KDB_UP_FLAG_ATTR                     0x000020
 #define KDB_PWD_POL_REF_ATTR                 0x000040
 #define KDB_PWD_EXPIRE_TIME_ATTR             0x000080
-#define KDB_SECRET_KEY                       0x000100
+#define KDB_SECRET_KEY_ATTR                  0x000100
 #define KDB_LAST_PWD_CHANGE_ATTR             0x000200
-#define KDB_EXTRA_DATA                       0x000400
+#define KDB_EXTRA_DATA_ATTR                  0x000400
+#define KDB_LAST_SUCCESS_ATTR                0x000800
+#define KDB_LAST_FAILED_ATTR                 0x001000
+#define KDB_FAIL_AUTH_COUNT_ATTR             0x002000
 extern struct timeval timeout;
 extern char *policyclass[];
 
index 71200eb9ea99de271adaec19403ccf3ded0ba673..9bfef1510a1badbe6dec9d91b868ee7bf15cfd53 100644 (file)
@@ -243,22 +243,34 @@ process_db_args(context, db_args, xargs, optype)
                dptr = &xargs->tktpolicydn;
            } else {
                if (strcmp(arg, USERDN_ARG) == 0) {
-                   if (optype == MODIFY_PRINCIPAL) {
+                   if (optype == MODIFY_PRINCIPAL || 
+                       xargs->dn != NULL || xargs->containerdn != NULL || 
+                       xargs->linkdn != NULL) {
                        st = EINVAL;
-                       snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg);
+                       snprintf(errbuf, sizeof(errbuf), 
+                                "%s option not supported", arg);
                        krb5_set_error_message(context, st, "%s", errbuf);
                        goto cleanup;
                    }
                    dptr = &xargs->dn;
                } else if (strcmp(arg, CONTAINERDN_ARG) == 0) {
-                   if (optype == MODIFY_PRINCIPAL) {
+                   if (optype == MODIFY_PRINCIPAL ||
+                       xargs->dn != NULL || xargs->containerdn != NULL) {
                        st = EINVAL;
-                       snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg);
+                       snprintf(errbuf, sizeof(errbuf), 
+                                "%s option not supported", arg);
                        krb5_set_error_message(context, st, "%s", errbuf);
                        goto cleanup;
                    }
                    dptr = &xargs->containerdn;
                } else if (strcmp(arg, LINKDN_ARG) == 0) {
+                   if (xargs->dn != NULL || xargs->linkdn != NULL) {
+                       st = EINVAL;
+                       snprintf(errbuf, sizeof(errbuf), 
+                                "%s option not supported", arg);
+                       krb5_set_error_message(context, st, "%s", errbuf);
+                       goto cleanup;
+                   }
                    dptr = &xargs->linkdn;
                } else {
                    st = EINVAL;
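Review bot: The duplicate-option checks folded into the `USERDN_ARG`, `CONTAINERDN_ARG` and `LINKDN_ARG` branches reuse the message `"%s option not supported"`, which is accurate for `optype == MODIFY_PRINCIPAL` but misleading when the real cause is that a DN option was already given. Splitting the condition so the conflict case reports something like `"%s option conflicts with an earlier DN option"` gives the administrator an actionable error. The same error block now appears three times in this hunk; a small static helper taking `arg` and the message would keep the copies from drifting apart. process_db_args starts and ends outside the hunk.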
@@ -266,17 +278,12 @@ process_db_args(context, db_args, xargs, optype)
                    krb5_set_error_message(context, st, "%s", errbuf);
                    goto cleanup;
                }
-
+               
                xargs->dn_from_kbd = TRUE;
-               if (xargs->dn != NULL || xargs->containerdn != NULL || xargs->linkdn != NULL) {
-                   st = EINVAL;
-                   snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg);
-                   krb5_set_error_message(context, st, "%s", errbuf);
-                   goto cleanup;
-               }
                if (arg_val == NULL || strlen(arg_val) == 0) {
                    st = EINVAL;
-                   snprintf(errbuf, sizeof(errbuf), "%s option value missing", arg);
+                   snprintf(errbuf, sizeof(errbuf), 
+                            "%s option value missing", arg);
                    krb5_set_error_message(context, st, "%s", errbuf);
                    goto cleanup;
                }
@@ -284,14 +291,17 @@ process_db_args(context, db_args, xargs, optype)
 
            if (arg_val == NULL) {
                st = EINVAL;
-               snprintf(errbuf, sizeof(errbuf), "%s option value missing", arg);
+               snprintf(errbuf, sizeof(errbuf), 
+                        "%s option value missing", arg);
                krb5_set_error_message(context, st, "%s", errbuf);
                goto cleanup;
            }
            arg_val_len = strlen(arg_val) + 1;
 
            if (strcmp(arg, TKTPOLICY_ARG) == 0) {
-               if ((st = krb5_ldap_name_to_policydn (context, arg_val, dptr)) != 0)
+               if ((st = krb5_ldap_name_to_policydn (context, 
+                                                     arg_val, 
+                                                     dptr)) != 0)
                    goto cleanup;
            } else {
                *dptr = calloc (1, arg_val_len);
@@ -355,6 +365,7 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) {
     int currkvno;
     int num_versions = 1;
     int i, j, last;
+    krb5_error_code err = 0;
 
     if (n_key_data <= 0)
        return NULL;
@@ -364,7 +375,11 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) {
        if (key_data[i].key_data_kvno != key_data[i + 1].key_data_kvno)
            num_versions++;
 
-    ret = (struct berval **) malloc ((num_versions + 1) * sizeof (struct berval *));
+    ret = (struct berval **) calloc (num_versions + 1, sizeof (struct berval *));
+    if (ret == NULL) {
+       err = ENOMEM;
+       goto cleanup;
+    }
     for (i = 0, last = 0, j = 0, currkvno = key_data[0].key_data_kvno; i < n_key_data; i++) {
        krb5_data *code;
        if (i == n_key_data - 1 || key_data[i + 1].key_data_kvno != currkvno) {
@@ -373,6 +388,10 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) {
                                          0, /* For now, mkvno == 0*/
                                          &code);
            ret[j] = malloc (sizeof (struct berval));
+           if (ret[j] == NULL) {
+               err = ENOMEM;
+               goto cleanup;
+           }
            /*CHECK_NULL(ret[j]); */
            ret[j]->bv_len = code->length;
            ret[j]->bv_val = code->data;
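Review bot: `code` is dereferenced at `ret[j]->bv_len = code->length;` without the outcome of the encode call that fills it being tested; only the tail of that call (`&code);`) is visible here, but nothing checks a result between it and the `malloc`. If the encoder fails and leaves `code` unset, this reads through an invalid pointer. On the new `ret[j] == NULL` path the already encoded `code`, which holds key material, is also never released. Capturing the encoder's return value in `err` and jumping to `cleanup` on failure, and freeing `code` and its data before the ENOMEM `goto`, would close both gaps.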
@@ -384,6 +403,18 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) {
     }
     ret[num_versions] = NULL;
 
+cleanup:
+
+    if (err != 0) {
+       if (ret != NULL) {
+           for (i = 0; i <= num_versions; i++)
+               if (ret[i] != NULL)
+                   free (ret[i]);
+           free (ret);
+           ret = NULL;
+       }
+    }
+
     return ret;
 }
 
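Review bot: The error path frees each `ret[i]` but not `ret[i]->bv_val`, which the loop set to `code->data`, so every encoded key blob produced before the failure is leaked. Since those buffers contain encoded key material, the cleanup loop should release them as well, `if (ret[i] != NULL) { free (ret[i]->bv_val); free (ret[i]); }`, ideally after zeroizing `bv_len` bytes with a wipe the compiler cannot drop. The function still reports failure only as a NULL return, so `err` never reaches the caller.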
@@ -462,7 +493,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
         * hack if the entries->mask has KRB_PRINCIPAL flag set
         * then it is a add operation
         */
-       if (entries->mask & KDB_PRINCIPAL)
+       if (entries->mask & KADM5_PRINCIPAL)
            optype = ADD_PRINCIPAL;
        else
            optype = MODIFY_PRINCIPAL;
@@ -734,7 +765,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
             {
                 char **linkdns=NULL;
                 int  j=0;
-                                                                                                                             
+
                 if ((st=krb5_get_linkdn(context, entries, &linkdns)) != 0) {
                     snprintf(errbuf, sizeof(errbuf),
                              "Failed getting object references");
@@ -784,31 +815,31 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
                goto cleanup;
        }
 
-       if (entries->mask & KDB_MAX_LIFE) {
+       if (entries->mask & KADM5_MAX_LIFE) {
            if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entries->max_life)) != 0)
                goto cleanup;
        }
 
-       if (entries->mask & KDB_MAX_RLIFE) {
+       if (entries->mask & KADM5_MAX_RLIFE) {
            if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
                                              entries->max_renewable_life)) != 0)
                goto cleanup;
        }
 
-       if (entries->mask & KDB_ATTRIBUTES) {
+       if (entries->mask & KADM5_ATTRIBUTES) {
            if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
                                              entries->attributes)) != 0)
                goto cleanup;
        }
 
-       if (entries->mask & KDB_PRINCIPAL) {
+       if (entries->mask & KADM5_PRINCIPAL) {
            memset(strval, 0, sizeof(strval));
            strval[0] = user;
            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0)
                goto cleanup;
        }
 
-       if (entries->mask & KDB_PRINC_EXPIRE_TIME) {
+       if (entries->mask & KADM5_PRINC_EXPIRE_TIME) {
            memset(strval, 0, sizeof(strval));
            if ((strval[0]=getstringtime(entries->expiration)) == NULL)
                goto cleanup;
@@ -819,7 +850,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
            free (strval[0]);
        }
 
-       if (entries->mask & KDB_PW_EXPIRATION) {
+       if (entries->mask & KADM5_PW_EXPIRATION) {
            memset(strval, 0, sizeof(strval));
            if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
                goto cleanup;
@@ -832,7 +863,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
            free (strval[0]);
        }
 
-       if (entries->mask & KDB_POLICY) {
+       if (entries->mask & KADM5_POLICY) {
            memset(&princ_ent, 0, sizeof(princ_ent));
            for (tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) {
                if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) {
@@ -843,7 +874,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
                }
            }
 
-           if (princ_ent.aux_attributes & KDB_POLICY) {
+           if (princ_ent.aux_attributes & KADM5_POLICY) {
                memset(strval, 0, sizeof(strval));
                if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0)
                    goto cleanup;
@@ -864,12 +895,12 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
                goto cleanup;
        }
 
-       if (entries->mask & KDB_POLICY_CLR) {
+       if (entries->mask & KADM5_POLICY_CLR) {
            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
                goto cleanup;
        }
 
-       if (entries->mask & KDB_KEY_DATA || entries->mask & KDB_KVNO) {
+       if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) {
            bersecretkey = krb5_encode_krbsecretkey (entries->key_data,
                                                     entries->n_key_data);
 
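Review bot: `krb5_encode_krbsecretkey` now returns NULL on allocation failure (as it already did for `n_key_data <= 0`), but `bersecretkey` is passed on unchecked to the `LDAP_MOD_REPLACE | LDAP_MOD_BVALUES` modification visible in the next hunk. Depending on how that mod helper treats a NULL value list, the result is either a crash or a replace with no values, which in LDAP removes the attribute and with it the principal's stored keys. A guard directly after the call, `if (bersecretkey == NULL) { st = ENOMEM; goto cleanup; }`, avoids both for the allocation case; the empty-key-list case needs its own decision. The helper's NULL handling is not visible on this page.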
@@ -877,7 +908,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
                                              LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
                goto cleanup;
 
-           if (!(entries->mask & KDB_PRINCIPAL)) {
+           if (!(entries->mask & KADM5_PRINCIPAL)) {
                memset(strval, 0, sizeof(strval));
                if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
                    goto cleanup;
@@ -930,6 +961,10 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
                int j;
                ber_tl_data = (struct berval **) calloc (count + 1,
                                                         sizeof (struct berval*));
+               if (ber_tl_data == NULL) {
+                   st = ENOMEM;
+                   goto cleanup;
+               }
                for (j = 0, ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
                    /* Ignore tl_data that are stored in separate directory
                     * attributes */
@@ -1172,7 +1207,7 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data)
 {
     char                        *user=NULL;
     int                         i=0, j=0, noofkeys=0;
-    krb5_key_data               *key_data=NULL;
+    krb5_key_data               *key_data=NULL, *tmp;
     krb5_error_code             st=0;
 
     if ((st=krb5_unparse_name(context, entries->princ, &user)) != 0)
@@ -1202,7 +1237,13 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data)
            goto cleanup;
        }
        noofkeys += n_kd;
+       tmp = key_data;
        key_data = realloc (key_data, noofkeys * sizeof (krb5_key_data));
+       if (key_data == NULL) {
+           key_data = tmp;
+           st = ENOMEM;
+           goto cleanup;
+       }
        for (j = 0; j < n_kd; j++)
            key_data[noofkeys - n_kd + j] = kd[j];
        free (kd);
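Review bot: On the new realloc failure path `noofkeys` has already been advanced by `n_kd` while `key_data` is restored to the old, shorter array, so any cleanup code that walks `noofkeys` entries would read past its end. `kd`, which holds the freshly decoded keys, is also skipped because `free (kd)` sits after the `goto`. Moving `noofkeys += n_kd;` below the successful realloc and releasing `kd` (and the key contents it owns) before `goto cleanup` would keep count and buffer in step. The cleanup label and the declaration of `kd` are outside this hunk, so whether cleanup already handles either is not visible.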
index ba77b8f23753f20a83171986a0f00aea370840bc..3c229c05529503b927bf1dc2ed21c4a998c3ca8f 100644 (file)
@@ -187,6 +187,7 @@ populate_policy(krb5_context context,
     osa_policy_ent_t pol_entry)
 {
     int st = 0;
+    char *pol_dn;
 
     pol_entry->name = strdup(pol_name);
     CHECK_NULL(pol_entry->name);
@@ -199,8 +200,10 @@ populate_policy(krb5_context context,
     krb5_ldap_get_value(ld, ent, "krbpwdhistorylength", &(pol_entry->pw_history_num));
 
     /* Get the reference count */
-    st = krb5_ldap_get_reference_count (context, pol_name, "krbPwdPolicyReference",
+    pol_dn = ldap_get_dn(ld, ent);
+    st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
            &(pol_entry->policy_refcnt), ld);
+    ldap_memfree(pol_dn);
 
 cleanup:
     return st;
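Review bot: `ldap_get_dn` returns NULL on failure, and `pol_dn` is handed to `krb5_ldap_get_reference_count` without a check. A guard before the call, for example `if (pol_dn == NULL) { st = ENOMEM; goto cleanup; }` (or the mapped LDAP error if the file has a helper for that), avoids running the reference-count lookup with a NULL DN. `ldap_memfree(pol_dn)` can stay where it is. populate_policy begins outside the hunk.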
index 7c9dbad1b00fbe0a454f374834b0e0346b218191..0deacd9a4f0b5a41f02439ef67fbbcf0ee4b9fd0 100644 (file)
@@ -127,6 +127,10 @@ krb5_ldap_readpassword(context, ldap_context, password)
            /*ptr = strchr(start, ':');
              if (ptr == NULL) { */
            *password = (unsigned char *)malloc(strlen(start) + 2);
+           if (*password == NULL) {
+               st = ENOMEM;
+               goto rp_exit;
+           }
            (*password)[strlen(start) + 1] = '\0';
            (*password)[strlen(start)] = '\0';
            strcpy((char *)(*password), start);
index 3aa520aa2b3770c31bd4706dacca544d16c30d78..501d263b13ab0bc68fa0dd995513d2921111ca7b 100644 (file)
@@ -1,6 +1,7 @@
 #include "kdb_ldap.h"
 #include "ldap_principal.h"
 #include "princ_xdr.h"
+#include <kadm5/admin.h>
 
 bool_t
 ldap_xdr_krb5_ui_2(XDR *xdrs, krb5_ui_2 *objp)
@@ -211,7 +212,7 @@ krb5_update_tl_kadm_data(policy_dn, new_tl_data)
 
     memset(princ_entry, 0, sizeof(osa_princ_ent_rec));
     princ_entry->admin_history_kvno = 2;
-    princ_entry->aux_attributes = KDB_POLICY;
+    princ_entry->aux_attributes = KADM5_POLICY;
     princ_entry->policy = policy_dn;
 
     xdralloc_create(&xdrs, XDR_ENCODE);