objects used for starting the Kerberos servers. This value is used if no
service password file is mentioned in the configuration section under dbmodules.
-.IP ldap_ssl_port
-This LDAP specific tag indicates the value of the SSL port for the LDAP server.
-This value is used if no SSL port is mentioned in the configuration section under dbmodules.
-
.IP ldap_server
This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
-is whitespace-separated. The port value can be specified with the server separated by
-a colon. This value is used if no LDAP servers are mentioned in the configuration
+is whitespace-separated. The LDAP server is specified by a LDAP URI.
+This value is used if no LDAP servers are mentioned in the configuration
section under dbmodules.
.IP ldap_conns_per_server
This LDAP specific tag indicates the file containing the stashed passwords for the
objects used for starting the Kerberos servers.
-.IP ldap_ssl_port
-This LDAP specific tag indicates the value of the SSL port for the LDAP server.
-
.IP ldap_server
This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
-is whitespace-separated. The port value can be specified with the server separated by a colon.
+is whitespace-separated. The LDAP server is specified by a LDAP URI.
.IP ldap_conns_per_server
This LDAP specific tag indicates the number of connections to be maintained per
\-x nconns=<number_of_connections>
specifies the number of connections to be maintained per LDAP server.
-\-x port=<port_number>
-specifies the secure port number where the LDAP server is listening.
-
-\-x host=<hostname>
-specifies the host on which the LDAP server is running.
-The <hostname> should be the same as the host name set in the LDAP server certificate.
+\-x host=<ldapuri>
+specifies the LDAP server to connect to by a LDAP URI.
\-x binddn=<binddn>
specifies the DN of the object used by the administration server to bind to the LDAP server.
\-x nconns=<number_of_connections>
specifies the number of connections to be maintained per LDAP server.
-\-x port=<port_number>
-specifies the secure port number where the LDAP server is listening.
-
-\-x host=<hostname>
-specifies the host on which the LDAP server is running.
-The <hostname> should be the same as the host name set in the LDAP server certificate.
+\-x host=<ldapuri>
+specifies the LDAP server to connect to by a LDAP URI.
\-x binddn=<binddn>
specifies the DN of the object used by the KDC server to bind to the LDAP server.
.SH SYNOPSIS
.B kdb5_ldap_util
[\fB\-D\fP\ \fIuser_dn\fP [\fB\-w\fP\ \fIpasswd\fP]]
-[\fB\-h\fP\ \fIldap_server\fP] [\fB\-p\fP\ \fIldap_port\fP]
+[\fB\-H\fP\ \fIldapuri\fP]
.I command
.I [command_options]
.SH DESCRIPTION
.IR user_dn .
This option is not recommended.
.TP
-\fB\-h\fP\ \fIldap_server\fP
-Specifies the hostname or IP address of the server hosting the LDAP service for
-a Kerberos realm.
-.TP
-\fB\-p\fP\ \fIldap_port\fP
-Specifies the SSL port number of the LDAP server.
+\fB\-H\fP\ \fIldapuri\fP
+Specifies the URI of the LDAP server.
.SH COMMANDS
.TP
\fBcreate\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-m\fP|\fB\-P\fP\ \fIpassword\fP|\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP] [\fB\-admindn\fP\ \fIadmin_service_list\fP] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
void usage()
{
fprintf(stderr, "Usage: "
-"kdb5_ldap_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]\n"
+"kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n"
"\tcmd [cmd_options]\n"
/* Create realm */
"\t\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n"
"\t\t[-pwddn passwd_service_list]\n"
#endif
-"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype]\n"
+"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-s]\n"
"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
"\t\t[ticket_flags] [-r realm]\n"
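Review bot: The `[-s]` option added to the create usage string is not explained anywhere in this diff; the man page's create synopsis shown earlier in the same patch (`\fBcreate\fP [\fB\-subtree\fP ...]`) still does not list it, and no `-s` handling is visible in the option-parsing hunks. If `-s` is a real flag, add `[\fB\-s\fP]` to that synopsis together with a `.TP` entry saying what it does; if it slipped in by accident, drop it from the usage text so the help output does not advertise an option that does nothing. usage() begins at the top of this hunk but its body continues past the end of it.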
goto cleanup;
}
ldapmask |= CMD_LDAP_W;
- } else if (strcmp(*argv, "-h") == 0 && ARG_VAL) {
+ } else if (strcmp(*argv, "-H") == 0 && ARG_VAL) {
ldap_server = koptarg;
if (ldap_server == NULL) {
com_err(progname, ENOMEM, "while reading ldap parameters");
goto cleanup;
}
ldapmask |= CMD_LDAP_H;
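Review bot: The `-H` value is stored in ldap_server without any check that it is an LDAP URI, so the old `host` or `host:port` forms that `-h`/`-p` accepted now pass straight through to ldap_initialize() and only fail later with a generic message. A cheap check at option-parsing time, `if (!ldap_is_ldap_url(ldap_server)) { com_err(progname, EINVAL, "-H argument is not an LDAP URI"); exit_status++; goto cleanup; }`, tells the operator exactly what is wrong (assuming <ldap.h> is in scope here, which the libldap calls elsewhere in this file suggest). The ENOMEM report for a NULL koptarg is pre-existing and unchanged. The enclosing option loop starts before this hunk.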
- } else if (strcmp(*argv, "-p") == 0 && ARG_VAL) {
- ldap_port = koptarg;
- if (ldap_port == NULL) {
- com_err(progname, ENOMEM, "while reading ldap parameters");
- exit_status++;
- goto cleanup;
- }
- ldapmask |= CMD_LDAP_P;
} else if (cmd_lookup(*argv) != NULL) {
if (cmd_argv[0] == NULL)
cmd_argv[0] = *argv;
goto cleanup;
}
}
- /* If ldapport is specified, release entry filled by configuration & use this*/
- if (ldapmask & CMD_LDAP_P) {
- ldap_context->port = atoi(ldap_port);
- }
if (bind_dn) {
ldap_context->bind_dn = strdup(bind_dn);
if (ldap_context->bind_dn == NULL) {
LDAP *ld=NULL;
LDAPMessage *msg=NULL, *res=NULL;
- ld = ldap_open(ldap_server, 389); /* Should the port number be configurable ? */
- if (ld == NULL) {
+ retval = ldap_initialize(&ld, ldap_server);
+ if (retval != LDAP_SUCCESS) {
krb5_set_error_message(context, 2, "%s", ERR_MSG1);
ret = 2; /* Don't know */
goto cleanup;
}
/* Anonymous bind */
- retval = ldap_simple_bind_s(ld, NULL, NULL);
+ retval = ldap_sasl_bind_s(ld, NULL, NULL, NULL, NULL, NULL, NULL);
if (retval != LDAP_SUCCESS) {
krb5_set_error_message(context, 2, "%s", ERR_MSG1);
ret = 2; /* Don't know */
goto cleanup;
}
- retval = ldap_search_s(ld, "", LDAP_SCOPE_BASE, NULL, attrs, 0, &res);
+ retval = ldap_search_ext_s(ld, "", LDAP_SCOPE_BASE, NULL, attrs, 0, NULL, NULL, NULL, 0, &res);
if (retval != LDAP_SUCCESS) {
krb5_set_error_message(context, 2, "%s", ERR_MSG1);
ret = 2; /* Don't know */
ldap_msgfree(res);
if (ld != NULL)
- ldap_unbind_s(ld);
+ ldap_unbind_ext_s(ld, NULL, NULL);
return ret;
}
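Review bot: After ldap_initialize() the handle goes straight into the anonymous ldap_sasl_bind_s() without the protocol version being set; unlike the ldap_open() it replaces, ldap_initialize() does not contact the server, and libldap historically defaults to LDAPv2 unless ldap.conf overrides it, so servers that disable v2 will reject this bind and the check degrades to the "Don't know" result. Set it explicitly before the bind, `int version = LDAP_VERSION3; ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);`, matching the `version=LDAP_VERSION3` local that krb5_ldap_db_init carries elsewhere in this diff. It would also help to include `ldap_err2string(retval)` in the message instead of the fixed ERR_MSG1, since ldap_initialize() now reports a distinct error for a malformed URI. This function starts before the hunk.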
goto clean_n_exit;
}
} else if (opt && !strcmp(opt, "host")) {
- char *port = NULL;
-
if (val == NULL) {
status = EINVAL;
krb5_set_error_message (context, status, "'host' value missing");
ldap_context->server_info_list[srv_cnt]->server_status = NOTSET;
- val = strtok_r(val, ":", &port);
ldap_context->server_info_list[srv_cnt]->server_name = strdup(val);
if (ldap_context->server_info_list[srv_cnt]->server_name == NULL) {
free (opt);
goto clean_n_exit;
}
- if (port) {
- ldap_context->server_info_list[srv_cnt]->port = atoi(port);
- }
srv_cnt++;
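Review bot: With the `:` split gone, a `host=` value is stored verbatim and nothing checks that it is actually an LDAP URI; the `host:port` form that the removed `-x host=<hostname>` documentation described is now handed to ldap_initialize() unchanged and fails only at connect time. Validate here, where a clear error is cheap, mirroring the existing `'host' value missing` branch and the free pattern of the removed `port` branch: `if (!ldap_is_ldap_url(val)) { free(opt); free(val); status = EINVAL; krb5_set_error_message(context, status, "'host' value is not an LDAP URI"); goto clean_n_exit; }`. The enclosing option loop starts before this hunk.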
- } else if (opt && !strcmp(opt, "port")) {
- if (ldap_context->port) {
- free (opt);
- free (val);
- status = EINVAL;
- krb5_set_error_message (context, status, "'port' missing");
- goto clean_n_exit;
- }
- if (val == NULL) {
- status = EINVAL;
- krb5_set_error_message (context, status, "'port' value missing");
- free(opt);
- goto clean_n_exit;
- }
- ldap_context->port = atoi(val);
} else if (opt && !strcmp(opt, "cert")) {
if (val == NULL) {
status = EINVAL;
}
} else {
/* password based simple bind */
- st = ldap_simple_bind_s(ldap_server_handle->ldap_handle,
- ldap_context->bind_dn,
- ldap_context->bind_pwd);
+ bv.bv_val = ldap_context->bind_pwd;
+ bv.bv_len = strlen(ldap_context->bind_pwd);
+ st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
+ ldap_context->bind_dn,
+ NULL, &bv, NULL,
+ NULL, NULL);
}
return st;
}
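Review bot: `strlen(ldap_context->bind_pwd)` is undefined behaviour if bind_pwd is NULL, which the replaced ldap_simple_bind_s() tolerated (libldap treats a NULL password as an empty credential); if any caller can reach this branch without a stashed password, a previously failing bind becomes a crash. Guard it, `bv.bv_val = ldap_context->bind_pwd ? ldap_context->bind_pwd : ""; bv.bv_len = strlen(bv.bv_val);`, or better, fail earlier with an explicit "no bind password" error so an empty-credential bind is never attempted. Note also that this simple bind carries bind_pwd in clear text unless the server URI is ldaps://, which the rest of this diff no longer forces. krb5_ldap_bind's signature and SASL branch lie before this hunk.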
krb5_ldap_context *ldap_context;
krb5_ldap_server_info *server_info;
{
- int port=0;
krb5_error_code st=0;
krb5_ldap_server_handle *ldap_server_handle=NULL;
- if (server_info->port)
- port = server_info->port;
- else if (ldap_context->port)
- port = ldap_context->port;
- else
- port = LDAPS_PORT;
-
ldap_server_handle = calloc(1, sizeof(krb5_ldap_server_handle));
if (ldap_server_handle == NULL) {
}
/* ldap init */
- if ((ldap_server_handle->ldap_handle=ldap_init(server_info->server_name,
- port)) == NULL) {
- st = KRB5_KDB_ACCESS_ERROR;
+ if ((st = ldap_initialize(&ldap_server_handle->ldap_handle, server_info->server_name)) != 0) {
if (ldap_context->kcontext)
- krb5_set_error_message (ldap_context->kcontext, st, "%s",
- strerror(errno));
+ krb5_set_error_message (ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR, "%s",
+ ldap_err2string(st));
+ st = KRB5_KDB_ACCESS_ERROR;
goto err_out;
}
krb5_boolean sasl_mech_supported=TRUE;
int cnt=0, version=LDAP_VERSION3;
struct timeval local_timelimit = {10,0};
-#ifdef LDAP_OPT_X_TLS_HARD
- int tlsoption=LDAP_OPT_X_TLS_HARD;
-#endif
if ((st=krb5_validate_ldap_context(context, ldap_context)) != 0)
goto err_out;
#elif defined LDAP_X_OPT_CONNECT_TIMEOUT
ldap_set_option(NULL, LDAP_X_OPT_CONNECT_TIMEOUT, &local_timelimit);
#endif
-#ifdef LDAP_OPT_X_TLS_HARD
- ldap_set_option(NULL, LDAP_OPT_X_TLS, &tlsoption);
-#endif
HNDL_LOCK(ldap_context);
while (ldap_context->server_info_list[cnt] != NULL) {
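Review bot: Dropping the global `LDAP_OPT_X_TLS_HARD` setting removes the only thing that forced TLS for every connection; with ldap_initialize() the transport is decided solely by the URI scheme, so a `ldap://` entry in krb5.conf or `-x host=` silently turns the password-based simple bind in krb5_ldap_bind into a cleartext bind, where before the default was LDAPS_PORT with TLS required. Either reject non-ldaps URIs when a password bind is configured, e.g. when each server_name is taken from configuration, `if (!ldap_is_ldaps_url(name)) { st = EINVAL; krb5_set_error_message(context, st, "LDAP server URI must use ldaps:// for password bind"); goto err_out; }` (placed before HNDL_LOCK so no unlock is needed), or at minimum make the man-page text for ldap_server and `-H` state plainly that only ldaps:// protects the bind credentials. krb5_ldap_db_init begins before this hunk and continues after it.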
krb5_ldap_server_handle **ldap_server_handle;
{
krb5_ldap_server_handle *handle = *ldap_server_handle;
- int port=0;
-
- if (handle->server_info->port)
- port = handle->server_info->port;
- else if (ldap_context->port)
- port = ldap_context->port;
- else
- port = LDAPS_PORT;
- if ((handle->ldap_handle=ldap_init(handle->server_info->server_name, port)) == NULL
- || krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS)
+ if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
+ || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
return LDAP_SUCCESS;
}
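Review bot: When ldap_initialize() succeeds but krb5_ldap_bind() fails, the LDAP handle just created in handle->ldap_handle is never released before the function recurses to the next pool entry, and ldap_initialize() also overwrites whatever handle->ldap_handle held before; this was equally true of the ldap_init() it replaces, but the rewrite is the moment to fix it. Unbind on the failure path before recursing, `ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL); handle->ldap_handle = NULL;`, unless a caller outside this hunk already does so. The function's parameter list is shown but its body begins before this hunk.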
/*
* This function reads the parameters from the krb5.conf file. The
* parameters read here are DAL-LDAP specific attributes. Some of
- * these are ldap_port, ldap_server ....
+ * these are ldap_server ....
*/
krb5_error_code
krb5_ldap_read_server_params(context, conf_section, srv_type)
goto cleanup;
}
- /* If ldap port is not set read it from database module section of
- conf file. */
- if (ldap_context->port == 0) {
- st = prof_get_integer_def (context, conf_section,
- "ldap_ssl_port",
- LDAPS_PORT, &ldap_context->port);
- if (st)
- goto cleanup;
- }
-
/*
* If the bind dn is not set read it from the database module
* section of conf file this paramter is populated by one of the
/*
* If the ldap server parameter is not set read the list of ldap
- * servers:port from the database module section of the conf file.
+ * servers from the database module section of the conf file.
*/
if (ldap_context->server_info_list == NULL) {
}
(*server_info)[ele]->server_status = NOTSET;
} else {
- char *port=NULL, *server=NULL, *item=NULL;
+ char *server=NULL, *item=NULL;
item = strtok_r(tempval,delims,&save_ptr);
while (item != NULL && ele<SERV_COUNT) {
st = ENOMEM;
goto cleanup;
}
- server=strtok_r(item, ":", &port);
-
- (*server_info)[ele]->server_name = strdup(server);
+ (*server_info)[ele]->server_name = strdup(item);
if ((*server_info)[ele]->server_name == NULL) {
st = ENOMEM;
goto cleanup;
}
- if (port) {
- (*server_info)[ele]->port = atoi(port);
- }
(*server_info)[ele]->server_status = NOTSET;
item = strtok_r(NULL,delims,&save_ptr);
++ele;
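Review bot: Each whitespace-separated item from the server list is now stored as server_name without any check that it is an LDAP URI, so a stale `host:port` entry (the form this loop used to split) is accepted at configuration time and only fails when ldap_initialize() runs. Add `if (!ldap_is_ldap_url(item)) { st = EINVAL; goto cleanup; }` before the strdup (with a krb5_set_error_message naming the bad entry if a context is available in this function) so the error points at the offending value. The enclosing function starts before this hunk.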
if (ldap_context->server_info_list[i]->ldap_server_handles) {
ldap_server_handle = ldap_context->server_info_list[i]->ldap_server_handles;
while (ldap_server_handle) {
- ldap_unbind_s(ldap_server_handle->ldap_handle);
+ ldap_unbind_ext_s(ldap_server_handle->ldap_handle, NULL, NULL);
ldap_server_handle->ldap_handle = NULL;
next_ldap_server_handle = ldap_server_handle->next;
krb5_xfree(ldap_server_handle);
mods[0] = &modAttr;
/* ldap modify operation */
- st = ldap_modify_s(ld, dn, mods);
+ st = ldap_modify_ext_s(ld, dn, mods, NULL, NULL);
/* if the {attr,attrval} combination is already present return a success
* LDAP_ALREADY_EXISTS is for single-valued attribute
mods[0] = &modAttr;
/* ldap modify operation */
- st = ldap_modify_s(ld, dn, mods);
+ st = ldap_modify_ext_s(ld, dn, mods, NULL, NULL);
/* if either the attribute or the attribute value is missing return a success */
if (st == LDAP_NO_SUCH_ATTRIBUTE || st == LDAP_UNDEFINED_TYPE)
}
}
}
- st=ldap_modify_s(ld, DN, mods);
+ st=ldap_modify_ext_s(ld, DN, mods, NULL, NULL);
if (st != LDAP_SUCCESS) {
st = set_ldap_error(context, st, OP_MOD);
goto cleanup;
}
} else if (ptype == KDB_SERVICE_PRINCIPAL) {
- st = ldap_delete_s(ld, DN);
+ st = ldap_delete_ext_s(ld, DN, NULL, NULL);
if (st != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_DEL);
goto cleanup;
if (mods == NULL) {
goto cleanup;
}
- st=ldap_modify_s(ld, xargs.dn, mods);
+ st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL);
if (st != LDAP_SUCCESS) {
sprintf(errbuf, "User modification failed: %s", ldap_err2string(st));
st = translate_ldap_error (st, OP_MOD);
goto cleanup;
}
} else {
- st=ldap_add_s(ld, xargs.dn, mods);
+ st=ldap_add_ext_s(ld, xargs.dn, mods, NULL, NULL);
if (st != LDAP_SUCCESS) {
sprintf(errbuf, "Principal add failed: %s", ldap_err2string(st));
st = translate_ldap_error (st, OP_ADD);
goto cleanup;
/* password policy object creation */
- if ((st=ldap_add_s(ld, policy->name, mods)) != LDAP_SUCCESS) {
+ if ((st=ldap_add_ext_s(ld, policy->name, mods, NULL, NULL)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_ADD);
goto cleanup;
}
goto cleanup;
/* modify the password policy object. */
- if ((st=ldap_modify_s(ld, policy->name, mods)) != LDAP_SUCCESS) {
+ if ((st=ldap_modify_ext_s(ld, policy->name, mods, NULL, NULL)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
SETUP_CONTEXT();
GET_HANDLE();
- if ((st=ldap_delete_s(ld, policy)) != LDAP_SUCCESS) {
+ if ((st=ldap_delete_ext_s(ld, policy, NULL, NULL)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_DEL);
goto cleanup;
}
}
/* Delete the realm object */
- if ((st=ldap_delete_s(ld, ldap_context->lrparams->realmdn)) != LDAP_SUCCESS) {
+ if ((st=ldap_delete_ext_s(ld, ldap_context->lrparams->realmdn, NULL, NULL)) != LDAP_SUCCESS) {
int ost = st;
st = translate_ldap_error (st, OP_DEL);
krb5_set_error_message (context, st, "Realm Delete FAILED: %s",
mask & LDAP_REALM_PASSWDSERVERS) {
char *servers[] = {"krbKdcServers", "krbAdmServers", "krbPwdServers", NULL};
- if ((st= ldap_search_s(ld,
+ if ((st= ldap_search_ext_s(ld,
rparams->realmdn,
LDAP_SCOPE_BASE,
0,
servers,
0,
+ NULL,
+ NULL,
+ NULL,
+ 0,
&result)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_SEARCH);
goto cleanup;
#endif
/* Realm modify opearation */
- if ((st=ldap_modify_s(ld, rparams->realmdn, mods)) != LDAP_SUCCESS) {
+ if ((st=ldap_modify_ext_s(ld, rparams->realmdn, mods, NULL, NULL)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
}
/* create the kerberos container */
- if ((st = ldap_add_s(ld, kerberoscontdn, mods)) != LDAP_SUCCESS) {
+ if ((st = ldap_add_ext_s(ld, kerberoscontdn, mods, NULL, NULL)) != LDAP_SUCCESS) {
int ost = st;
st = translate_ldap_error (st, OP_ADD);
krb5_set_error_message (context, st, "Kerberos Container create FAILED: %s", ldap_err2string(ost));
krbContainerRefclass, &crmask)) != 0) {
prepend_err_str (context, "Security Container read FAILED: ", st, st);
/* delete Kerberos Container, status ignored intentionally */
- ldap_delete_s(ld, kerberoscontdn);
+ ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL);
goto cleanup;
}
goto cleanup;
/* update the security container with krbContainerReference attribute */
- if ((st=ldap_modify_s(ld, SECURITY_CONTAINER, mods)) != LDAP_SUCCESS) {
+ if ((st=ldap_modify_ext_s(ld, SECURITY_CONTAINER, mods, NULL, NULL)) != LDAP_SUCCESS) {
int ost = st;
st = translate_ldap_error (st, OP_MOD);
krb5_set_error_message (context, st, "Security Container update FAILED: %s", ldap_err2string(ost));
/* delete Kerberos Container, status ignored intentionally */
- ldap_delete_s(ld, kerberoscontdn);
+ ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL);
goto cleanup;
}
#endif
#endif
/* realm creation operation */
- if ((st=ldap_add_s(ld, dn, mods)) != LDAP_SUCCESS) {
+ if ((st=ldap_add_ext_s(ld, dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_ADD);
goto cleanup;
}
rparams->kdcservers[i]);
prepend_err_str (context, errbuf, st, st);
/* delete Realm, status ignored intentionally */
- ldap_delete_s(ld, dn);
+ ldap_delete_ext_s(ld, dn, NULL, NULL);
goto cleanup;
}
rparams->adminservers[i]);
prepend_err_str (context, errbuf, st, st);
/* delete Realm, status ignored intentionally */
- ldap_delete_s(ld, dn);
+ ldap_delete_ext_s(ld, dn, NULL, NULL);
goto cleanup;
}
rparams->passwdservers[i]);
prepend_err_str (context, errbuf, st, st);
/* delete Realm, status ignored intentionally */
- ldap_delete_s(ld, dn);
+ ldap_delete_ext_s(ld, dn, NULL, NULL);
goto cleanup;
}
#endif
}
/* ldap add operation */
- if ((st=ldap_add_s(ld, service->servicedn, mods)) != LDAP_SUCCESS) {
+ if ((st=ldap_add_ext_s(ld, service->servicedn, mods, NULL, NULL)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_ADD);
goto cleanup;
}
service->krbrealmreferences[i]);
prepend_err_str (context, errbuf, st, st);
/* delete service object, status ignored intentionally */
- ldap_delete_s(ld, service->servicedn);
+ ldap_delete_ext_s(ld, service->servicedn, NULL, NULL);
goto cleanup;
}
}
realmattr = "krbKdcServers";
/* read the existing list of krbRealmreferences. this will needed */
- if ((st = ldap_search_s (ld,
+ if ((st = ldap_search_ext_s (ld,
service->servicedn,
LDAP_SCOPE_BASE,
0,
attr,
0,
+ NULL,
+ NULL,
+ NULL,
+ 0,
&result)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_SEARCH);
goto cleanup;
}
/* ldap modify operation */
- if ((st=ldap_modify_s(ld, service->servicedn, mods)) != LDAP_SUCCESS) {
+ if ((st=ldap_modify_ext_s(ld, service->servicedn, mods, NULL, NULL)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
SETUP_CONTEXT();
GET_HANDLE();
- st = ldap_delete_s(ld, servicedn);
+ st = ldap_delete_ext_s(ld, servicedn, NULL, NULL);
if (st != 0) {
st = set_ldap_error (context, st, OP_DEL);
}
if ((st=krb5_add_str_mem_ldap_mod(&mods, "userPassword", LDAP_MOD_REPLACE, password)) != 0)
goto cleanup;
- st = ldap_modify_s(ld, service, mods);
+ st = ldap_modify_ext_s(ld, service, mods, NULL, NULL);
if (st) {
st = set_ldap_error (context, st, OP_MOD);
}
goto cleanup;
/* ldap add operation */
- if ((st=ldap_add_s(ld, policy->policydn, mods)) != LDAP_SUCCESS) {
+ if ((st=ldap_add_ext_s(ld, policy->policydn, mods, NULL, NULL)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_ADD);
goto cleanup;
}
policy->polrefcount)) != 0)
goto cleanup;
}
- if ((st=ldap_modify_s(ld, policy->policydn, mods)) != LDAP_SUCCESS) {
+ if ((st=ldap_modify_ext_s(ld, policy->policydn, mods, NULL, NULL)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
if (policy->polrefcount == 0) {
- if ((st=ldap_delete_s(ld, policydn)) != 0) {
+ if ((st=ldap_delete_ext_s(ld, policydn, NULL, NULL)) != 0) {
prepend_err_str (context,ldap_err2string(st),st,st);
goto cleanup;