Remove count parameters from get_principal, put_principal,
authorGreg Hudson <ghudson@mit.edu>
Tue, 6 Jul 2010 21:53:23 +0000 (21:53 +0000)
committerGreg Hudson <ghudson@mit.edu>
Tue, 6 Jul 2010 21:53:23 +0000 (21:53 +0000)
free_principal, delete_principal, and get_policy.  Make get_principal
allocate the DB entry container.  Fold krb5_db_get_principal_ext into
krb5_db_get_principal.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24175 dc483132-0cff-0310-8789-dd5450dbe970

45 files changed:
src/include/kdb.h
src/include/kdb_log.h
src/kadmin/dbutil/dump.c
src/kadmin/dbutil/kdb5_create.c
src/kadmin/dbutil/kdb5_mkey.c
src/kadmin/dbutil/kdb5_util.c
src/kadmin/dbutil/ovload.c
src/kdc/do_as_req.c
src/kdc/do_tgs_req.c
src/kdc/kdc_preauth.c
src/kdc/kdc_util.c
src/kdc/kdc_util.h
src/lib/kadm5/server_internal.h
src/lib/kadm5/srv/libkadm5srv_mit.exports
src/lib/kadm5/srv/server_kdb.c
src/lib/kadm5/srv/svr_policy.c
src/lib/kadm5/srv/svr_principal.c
src/lib/kadm5/unit-test/lock-test.c
src/lib/kdb/kdb5.c
src/lib/kdb/kdb5int.h
src/lib/kdb/kdb_convert.c
src/lib/kdb/kdb_cpw.c
src/lib/kdb/kdb_default.c
src/lib/kdb/kdb_log.c
src/lib/kdb/keytab.c
src/lib/kdb/libkdb5.exports
src/plugins/kdb/db2/adb_policy.c
src/plugins/kdb/db2/db2_exp.c
src/plugins/kdb/db2/kdb_db2.c
src/plugins/kdb/db2/kdb_db2.h
src/plugins/kdb/db2/kdb_xdr.c
src/plugins/kdb/db2/kdb_xdr.h
src/plugins/kdb/db2/lockout.c
src/plugins/kdb/db2/policy_db.h
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h
src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
src/plugins/kdb/ldap/libkdb_ldap/lockout.c
src/tests/create/kdb5_mkdums.c
src/tests/verify/kdb5_verify.c

index a576eb9e3183ffff1a3f81e13fb1cb68aeb0667e..a03361e7adf9971c5bc1c9f84cced351a14c3830 100644 (file)
@@ -425,23 +425,13 @@ krb5_error_code krb5_db_lock ( krb5_context kcontext, int lock_mode );
 krb5_error_code krb5_db_unlock ( krb5_context kcontext );
 krb5_error_code krb5_db_get_principal ( krb5_context kcontext,
                                         krb5_const_principal search_for,
-                                        krb5_db_entry *entries,
-                                        int *nentries,
-                                        krb5_boolean *more );
-krb5_error_code krb5_db_get_principal_ext ( krb5_context kcontext,
-                                            krb5_const_principal search_for,
-                                            unsigned int flags,
-                                            krb5_db_entry *entries,
-                                            int *nentries,
-                                            krb5_boolean *more );
-void krb5_db_free_principal ( krb5_context kcontext, krb5_db_entry *entry,
-                              int count );
+                                        unsigned int flags,
+                                        krb5_db_entry **entry );
+void krb5_db_free_principal ( krb5_context kcontext, krb5_db_entry *entry );
 krb5_error_code krb5_db_put_principal ( krb5_context kcontext,
-                                        krb5_db_entry *entries,
-                                        int *nentries);
+                                        krb5_db_entry *entry );
 krb5_error_code krb5_db_delete_principal ( krb5_context kcontext,
-                                           krb5_principal search_for,
-                                           int *nentries );
+                                           krb5_principal search_for );
 krb5_error_code krb5_db_iterate ( krb5_context kcontext,
                                   char *match_entry,
                                   int (*func) (krb5_pointer, krb5_db_entry *),
@@ -740,8 +730,7 @@ krb5_db_create_policy( krb5_context kcontext,
 krb5_error_code
 krb5_db_get_policy ( krb5_context kcontext,
                      char *name,
-                     osa_policy_ent_t *policy,
-                     int *nentries);
+                     osa_policy_ent_t *policy );
 
 krb5_error_code
 krb5_db_put_policy( krb5_context kcontext,
@@ -916,16 +905,8 @@ typedef struct _kdb_vftabl {
     krb5_error_code (*unlock)(krb5_context kcontext);
 
     /*
-     * Mandatory: Fill in *entries with the entry for the principal search_for.
-     * The module must allocate each entry field separately, as callers may
-     * free individual fields using db_free.  If the principal is not found,
-     * set *nentries to 0 and return success.
-     *
-     * The nentries and more arguments appear to be intended to account for
-     * multiple entries for a principal, but this functionality is neither
-     * implemented nor used.  *nentries is set to 1 by all callers and should
-     * be set to 0 or 1 on return; *more sould be set to FALSE on return.
-     * Callers will typically error out if modules behave otherwise.
+     * Mandatory: Set *entry to an allocated entry for the principal
+     * search_for.  If the principal is not found, return KRB5_KDB_NOENTRY.
      *
      * The meaning of flags are as follows (some of these may be processed by
      * db_invoke methods such as KRB5_KDB_METHOD_SIGN_AUTH_DATA rather than by
@@ -980,23 +961,19 @@ typedef struct _kdb_vftabl {
     krb5_error_code (*get_principal)(krb5_context kcontext,
                                      krb5_const_principal search_for,
                                      unsigned int flags,
-                                     krb5_db_entry *entries, int *nentries,
-                                     krb5_boolean *more);
+                                     krb5_db_entry **entry);
 
     /*
-     * Mandatory: Free the memory associated with principal entries.  Do not
-     * free entry itself.  All callers ignore the return value.  Entries may
-     * have been constructed by the caller (using the db_alloc function to
-     * allocate associated memory); thus, a plugin must allocate each field
-     * of a principal entry separately.
+     * Mandatory: Free a database entry.  The entry may have been constructed
+     * by the caller (using the db_alloc function to allocate associated
+     * memory); thus, a plugin must allocate each field of a principal entry
+     * separately.
      */
-    void (*free_principal)(krb5_context kcontext, krb5_db_entry *entry,
-                           int count);
+    void (*free_principal)(krb5_context kcontext, krb5_db_entry *entry);
 
     /*
-     * Optional: Create or modify one or more principal entries.  All callers
-     * operate on a single entry.  db_args communicates command-line arguments
-     * for module-specific flags.
+     * Optional: Create or modify a principal entry.  db_args communicates
+     * command-line arguments for module-specific flags.
      *
      * The mask field of an entry indicates the changed fields.  Mask values
      * are defined in kadmin's admin.h header.  If KADM5_PRINCIPAL is set in
@@ -1006,17 +983,14 @@ typedef struct _kdb_vftabl {
      * ignore the mask and update the entire entry.
      */
     krb5_error_code (*put_principal)(krb5_context kcontext,
-                                     krb5_db_entry *entries, int *nentries,
-                                     char **db_args);
+                                     krb5_db_entry *entry, char **db_args);
 
     /*
      * Optional: Delete the entry for the principal search_for.  If the
-     * principal does not exist, set *nentries to 0 and return success; if it
-     * did exist, set *nentries to 1.
+     * principal did not exist, return KRB5_KDB_NOENTRY.
      */
     krb5_error_code (*delete_principal)(krb5_context kcontext,
-                                        krb5_const_principal search_for,
-                                        int *nentries);
+                                        krb5_const_principal search_for);
 
     /*
      * Optional: For each principal entry in the database, invoke func with the
@@ -1037,14 +1011,11 @@ typedef struct _kdb_vftabl {
                                      osa_policy_ent_t policy);
 
     /*
-     * Optional: If a password policy entry exists with the name name, allocate
-     * a policy entry in *policy, fill it in with the policy information, and
-     * set *cnt to 1.  If the entry does not exist, set *cnt to 0 and return
-     * success, or return an error (existing module implementations are not
-     * consistent).
+     * Optional: Set *policy to the policy entry of the specified name.  If the
+     * entry does not exist, return KRB5_KDB_NOENTRY.
      */
     krb5_error_code (*get_policy)(krb5_context kcontext, char *name,
-                                  osa_policy_ent_t *policy, int *cnt);
+                                  osa_policy_ent_t *policy);
 
     /*
      * Optional: Modify an existing password policy entry to match the values
index 620d90c906119446af09aeccbf76935c677644d7..51648c7e843e32d014349af90d168ebc7b8c5b1c 100644 (file)
@@ -84,12 +84,12 @@ extern krb5_error_code
 ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args);
 
 extern krb5_error_code
-ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries,
-                    kdb_incr_update_t *updates, int nentries);
+ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry,
+                    kdb_incr_update_t *update);
 
 extern krb5_error_code
-ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries,
-                   kdb_incr_update_t *updates, int nentries);
+ulog_conv_2dbentry(krb5_context context, krb5_db_entry **entry,
+                   kdb_incr_update_t *update);
 
 extern void ulog_free_entries(kdb_incr_update_t *updates, int no_of_updates);
 extern krb5_error_code ulog_set_role(krb5_context ctx, iprop_role role);
index baebf4c6e1c72b034926d1d9c0ad14c62319c781..caff137a40d92ca7812508168089002511895549 100644 (file)
@@ -205,7 +205,7 @@ extern krb5_boolean     dbactive;
 extern int              exit_status;
 extern krb5_context     util_context;
 extern kadm5_config_params global_params;
-extern krb5_db_entry      master_entry;
+extern krb5_db_entry      *master_entry;
 
 /* Strings */
 
@@ -1235,7 +1235,7 @@ dump_db(argc, argv)
          * get new master key vno that will be used to protect princs, used
          * later on.
          */
-        new_mkvno = get_next_kvno(util_context, &master_entry);
+        new_mkvno = get_next_kvno(util_context, master_entry);
     }
 
     kret = 0;
@@ -1517,7 +1517,7 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop)
 {
     int                 nmatched;
     int                 retval;
-    krb5_db_entry       dbent;
+    krb5_db_entry       *dbent;
     int                 name_len, mod_name_len, key_len;
     int                 alt_key_len, salt_len, alt_salt_len;
     char                *name;
@@ -1534,16 +1534,19 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop)
     try2read = (char *) NULL;
     (*linenop)++;
     retval = 1;
-    memset(&dbent, 0, sizeof(dbent));
+    dbent = krb5_db_alloc(kcontext, NULL, sizeof(*dbent));
+    if (dbent == NULL)
+        return(1);
+    memset(dbent, 0, sizeof(*dbent));
 
     /* Make sure we've got key_data entries */
-    if (krb5_dbe_create_key_data(kcontext, &dbent) ||
-        krb5_dbe_create_key_data(kcontext, &dbent)) {
-        krb5_db_free_principal(kcontext, &dbent, 1);
+    if (krb5_dbe_create_key_data(kcontext, dbent) ||
+        krb5_dbe_create_key_data(kcontext, dbent)) {
+        krb5_db_free_principal(kcontext, dbent);
         return(1);
     }
-    pkey = &dbent.key_data[0];
-    akey = &dbent.key_data[1];
+    pkey = &dbent->key_data[0];
+    akey = &dbent->key_data[1];
 
     /*
      * Match the sizes.  6 tokens to match.
@@ -1618,17 +1621,17 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop)
             /* Read principal attributes */
             if (!error && (fscanf(filep,
                                   "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t",
-                                  &tmpint1, &dbent.max_life,
-                                  &dbent.max_renewable_life,
-                                  &tmpint2, &dbent.expiration,
-                                  &dbent.pw_expiration, &last_pwd_change,
-                                  &dbent.last_success, &dbent.last_failed,
+                                  &tmpint1, &dbent->max_life,
+                                  &dbent->max_renewable_life,
+                                  &tmpint2, &dbent->expiration,
+                                  &dbent->pw_expiration, &last_pwd_change,
+                                  &dbent->last_success, &dbent->last_failed,
                                   &tmpint3) != 10)) {
                 try2read = read_pr_data1;
                 error++;
             }
             pkey->key_data_kvno = tmpint1;
-            dbent.fail_auth_count = tmpint3;
+            dbent->fail_auth_count = tmpint3;
             /* Read modifier name */
             if (!error && read_string(filep,
                                       mod_name,
@@ -1639,7 +1642,7 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop)
             }
             /* Read second set of attributes */
             if (!error && (fscanf(filep, "\t%u\t%u\t%u\t",
-                                  &mod_date, &dbent.attributes,
+                                  &mod_date, &dbent->attributes,
                                   &tmpint1) != 3)) {
                 try2read = read_pr_data2;
                 error++;
@@ -1718,22 +1721,20 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop)
             if (!error) {
                 if (!(kret = krb5_parse_name(kcontext,
                                              name,
-                                             &dbent.princ))) {
+                                             &dbent->princ))) {
                     if (!(kret = krb5_parse_name(kcontext,
                                                  mod_name,
                                                  &mod_princ))) {
                         if (!(kret =
                               krb5_dbe_update_mod_princ_data(kcontext,
-                                                             &dbent,
+                                                             dbent,
                                                              mod_date,
                                                              mod_princ)) &&
                             !(kret =
                               krb5_dbe_update_last_pwd_change(kcontext,
-                                                              &dbent,
+                                                              dbent,
                                                               last_pwd_change))) {
-                            int one = 1;
-
-                            dbent.len = KRB5_KDB_V1_BASE_LENGTH;
+                            dbent->len = KRB5_KDB_V1_BASE_LENGTH;
                             pkey->key_data_ver = (pkey->key_data_type[1] || pkey->key_data_length[1]) ?
                                 2 : 1;
                             akey->key_data_ver = (akey->key_data_type[1] || akey->key_data_length[1]) ?
@@ -1742,22 +1743,20 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop)
                                  akey->key_data_type[0]) &&
                                 (pkey->key_data_type[1] ==
                                  akey->key_data_type[1]))
-                                dbent.n_key_data--;
+                                dbent->n_key_data--;
                             else if ((akey->key_data_type[0] == 0)
                                      && (akey->key_data_length[0] == 0)
                                      && (akey->key_data_type[1] == 0)
                                      && (akey->key_data_length[1] == 0))
-                                dbent.n_key_data--;
+                                dbent->n_key_data--;
 
-                            dbent.mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
+                            dbent->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
                                 KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_KEY_DATA |
                                 KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS |
                                 KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT;
 
                             if ((kret = krb5_db_put_principal(kcontext,
-                                                              &dbent,
-                                                              &one)) ||
-                                (one != 1)) {
+                                                              dbent))) {
                                 fprintf(stderr, store_err_fmt,
                                         fname, *linenop, name,
                                         error_message(kret));
@@ -1768,7 +1767,7 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop)
                                     fprintf(stderr, add_princ_fmt, name);
                                 retval = 0;
                             }
-                            dbent.n_key_data = 2;
+                            dbent->n_key_data = 2;
                         }
                         krb5_free_principal(kcontext, mod_princ);
                     }
@@ -1793,7 +1792,7 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop)
             fprintf(stderr, no_mem_fmt, fname, *linenop);
         }
 
-        krb5_db_free_principal(kcontext, &dbent, 1);
+        krb5_db_free_principal(kcontext, dbent);
         if (mod_name)
             free(mod_name);
         if (name)
@@ -1822,11 +1821,11 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop)
     int                 *linenop;
 {
     int                 retval;
-    krb5_db_entry       dbentry;
+    krb5_db_entry       *dbentry;
     krb5_int32          t1, t2, t3, t4, t5, t6, t7, t8, t9;
     int                 nread;
     int                 error;
-    int                 i, j, one;
+    int                 i, j;
     char                *name;
     krb5_key_data       *kp, *kdatap;
     krb5_tl_data        **tlp, *tl;
@@ -1835,7 +1834,10 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop)
     const char          *try2read;
 
     try2read = (char *) NULL;
-    memset(&dbentry, 0, sizeof(dbentry));
+    dbentry = krb5_db_alloc(kcontext, NULL, sizeof(*dbentry));
+    if (dbentry == NULL)
+        return(1);
+    memset(dbentry, 0, sizeof(*dbentry));
     (*linenop)++;
     retval = 1;
     name = (char *) NULL;
@@ -1850,12 +1852,12 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop)
             error++;
 
         /* Get memory for and form tagged data linked list */
-        tlp = &dbentry.tl_data;
+        tlp = &dbentry->tl_data;
         for (i=0; i<t3; i++) {
             if ((*tlp = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)))) {
                 memset(*tlp, 0, sizeof(krb5_tl_data));
                 tlp = &((*tlp)->tl_data_next);
-                dbentry.n_tl_data++;
+                dbentry->n_tl_data++;
             }
             else {
                 error++;
@@ -1873,37 +1875,37 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop)
             error++;
 
         if (!error) {
-            dbentry.len = t1;
-            dbentry.n_key_data = t4;
-            dbentry.e_length = t5;
+            dbentry->len = t1;
+            dbentry->n_key_data = t4;
+            dbentry->e_length = t5;
             if (kp) {
                 memset(kp, 0, (size_t) (t4*sizeof(krb5_key_data)));
-                dbentry.key_data = kp;
+                dbentry->key_data = kp;
                 kp = (krb5_key_data *) NULL;
             }
             if (op) {
                 memset(op, 0, (size_t) t5);
-                dbentry.e_data = op;
+                dbentry->e_data = op;
                 op = (krb5_octet *) NULL;
             }
 
             /* Read in and parse the principal name */
             if (!read_string(filep, name, t2, linenop) &&
-                !(kret = krb5_parse_name(kcontext, name, &dbentry.princ))) {
+                !(kret = krb5_parse_name(kcontext, name, &dbentry->princ))) {
 
                 /* Get the fixed principal attributes */
                 nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t",
                                &t2, &t3, &t4, &t5, &t6, &t7, &t8, &t9);
                 if (nread == 8) {
-                    dbentry.attributes = (krb5_flags) t2;
-                    dbentry.max_life = (krb5_deltat) t3;
-                    dbentry.max_renewable_life = (krb5_deltat) t4;
-                    dbentry.expiration = (krb5_timestamp) t5;
-                    dbentry.pw_expiration = (krb5_timestamp) t6;
-                    dbentry.last_success = (krb5_timestamp) t7;
-                    dbentry.last_failed = (krb5_timestamp) t8;
-                    dbentry.fail_auth_count = (krb5_kvno) t9;
-                    dbentry.mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
+                    dbentry->attributes = (krb5_flags) t2;
+                    dbentry->max_life = (krb5_deltat) t3;
+                    dbentry->max_renewable_life = (krb5_deltat) t4;
+                    dbentry->expiration = (krb5_timestamp) t5;
+                    dbentry->pw_expiration = (krb5_timestamp) t6;
+                    dbentry->last_success = (krb5_timestamp) t7;
+                    dbentry->last_failed = (krb5_timestamp) t8;
+                    dbentry->fail_auth_count = (krb5_kvno) t9;
+                    dbentry->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
                         KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
                         KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS |
                         KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT;
@@ -1922,8 +1924,8 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop)
                  * it at dump time has almost as good an effect, so
                  * that's what I did.  [krb5-admin/89]
                  */
-                if (!error && dbentry.n_tl_data) {
-                    for (tl = dbentry.tl_data; tl; tl = tl->tl_data_next) {
+                if (!error && dbentry->n_tl_data) {
+                    for (tl = dbentry->tl_data; tl; tl = tl->tl_data_next) {
                         nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
                         if (nread == 2) {
                             tl->tl_data_type = (krb5_int16) t1;
@@ -1947,7 +1949,7 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop)
                                      * Assuming aux_attributes will always be
                                      * there
                                      */
-                                    dbentry.mask |= KADM5_AUX_ATTRIBUTES;
+                                    dbentry->mask |= KADM5_AUX_ATTRIBUTES;
 
                                     /* test for an actual policy reference */
                                     memset(&osa_princ_ent, 0, sizeof(osa_princ_ent));
@@ -1957,7 +1959,7 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop)
                                         (osa_princ_ent.aux_attributes & KADM5_POLICY) &&
                                         osa_princ_ent.policy != NULL) {
 
-                                        dbentry.mask |= KADM5_POLICY;
+                                        dbentry->mask |= KADM5_POLICY;
                                         kdb_free_entry(NULL, NULL, &osa_princ_ent);
                                     }
                                     xdr_destroy(&xdrs);
@@ -1980,13 +1982,13 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop)
                         }
                     }
                     if (!error)
-                        dbentry.mask |= KADM5_TL_DATA;
+                        dbentry->mask |= KADM5_TL_DATA;
                 }
 
                 /* Get the key data */
-                if (!error && dbentry.n_key_data) {
-                    for (i=0; !error && (i<dbentry.n_key_data); i++) {
-                        kdatap = &dbentry.key_data[i];
+                if (!error && dbentry->n_key_data) {
+                    for (i=0; !error && (i<dbentry->n_key_data); i++) {
+                        kdatap = &dbentry->key_data[i];
                         nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
                         if (nread == 2) {
                             kdatap->key_data_ver = (krb5_int16) t1;
@@ -2028,14 +2030,14 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop)
                         }
                     }
                     if (!error)
-                        dbentry.mask |= KADM5_KEY_DATA;
+                        dbentry->mask |= KADM5_KEY_DATA;
                 }
 
                 /* Get the extra data */
-                if (!error && dbentry.e_length) {
+                if (!error && dbentry->e_length) {
                     if (read_octet_string(filep,
-                                          dbentry.e_data,
-                                          (int) dbentry.e_length)) {
+                                          dbentry->e_data,
+                                          (int) dbentry->e_length)) {
                         try2read = read_econtents;
                         error++;
                     }
@@ -2056,10 +2058,7 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop)
                  * We have either read in all the data or choked.
                  */
                 if (!error) {
-                    one = 1;
-                    if ((kret = krb5_db_put_principal(kcontext,
-                                                      &dbentry,
-                                                      &one))) {
+                    if ((kret = krb5_db_put_principal(kcontext, dbentry))) {
                         fprintf(stderr, store_err_fmt,
                                 fname, *linenop,
                                 name, error_message(kret));
@@ -2092,7 +2091,7 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop)
             free(kp);
         if (name)
             free(name);
-        krb5_db_free_principal(kcontext, &dbentry, 1);
+        krb5_db_free_principal(kcontext, dbentry);
     }
     else {
         if (nread == EOF)
index cf2f2a7f2f5a27eeda0fb3a2b8e471efebe9efc0..087c3dc712a5e8c1ece925bb289bba7139de692b 100644 (file)
@@ -421,47 +421,49 @@ add_principal(context, princ, op, pblock)
     struct realm_info *pblock;
 {
     krb5_error_code       retval;
-    krb5_db_entry         entry;
+    krb5_db_entry         *entry;
     krb5_kvno             mkey_kvno;
     krb5_timestamp        now;
     struct iterate_args   iargs;
-    int                   nentries = 1;
     krb5_actkvno_node     actkvno;
 
-    memset(&entry, 0, sizeof(entry));
+    entry = krb5_db_alloc(context, NULL, sizeof(*entry));
+    if (entry == NULL)
+        return ENOMEM;
+    memset(entry, 0, sizeof(*entry));
 
-    entry.len = KRB5_KDB_V1_BASE_LENGTH;
-    entry.attributes = pblock->flags;
-    entry.max_life = pblock->max_life;
-    entry.max_renewable_life = pblock->max_rlife;
-    entry.expiration = pblock->expiration;
+    entry->len = KRB5_KDB_V1_BASE_LENGTH;
+    entry->attributes = pblock->flags;
+    entry->max_life = pblock->max_life;
+    entry->max_renewable_life = pblock->max_rlife;
+    entry->expiration = pblock->expiration;
 
-    if ((retval = krb5_copy_principal(context, princ, &entry.princ)))
+    if ((retval = krb5_copy_principal(context, princ, &entry->princ)))
         goto error_out;
 
     if ((retval = krb5_timeofday(context, &now)))
         goto error_out;
 
-    if ((retval = krb5_dbe_update_mod_princ_data(context, &entry,
+    if ((retval = krb5_dbe_update_mod_princ_data(context, entry,
                                                  now, &db_create_princ)))
         goto error_out;
 
     switch (op) {
     case MASTER_KEY:
-        if ((entry.key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data)))
+        if ((entry->key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data)))
             == NULL)
             goto error_out;
-        memset(entry.key_data, 0, sizeof(krb5_key_data));
-        entry.n_key_data = 1;
+        memset(entry->key_data, 0, sizeof(krb5_key_data));
+        entry->n_key_data = 1;
 
         if (global_params.mask & KADM5_CONFIG_KVNO)
             mkey_kvno = global_params.kvno; /* user specified */
         else
             mkey_kvno = 1;  /* Default */
-        entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+        entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
         if ((retval = krb5_dbe_encrypt_key_data(context, pblock->key,
                                                 &master_keyblock, NULL,
-                                                mkey_kvno, entry.key_data)))
+                                                mkey_kvno, entry->key_data)))
             return retval;
         /*
          * There should always be at least one "active" mkey so creating the
@@ -471,18 +473,18 @@ add_principal(context, princ, op, pblock)
         actkvno.act_kvno = mkey_kvno;
         /* earliest possible time in case system clock is set back */
         actkvno.act_time = 0;
-        if ((retval = krb5_dbe_update_actkvno(context, &entry, &actkvno)))
+        if ((retval = krb5_dbe_update_actkvno(context, entry, &actkvno)))
             return retval;
 
         /* so getprinc shows the right kvno */
-        if ((retval = krb5_dbe_update_mkvno(context, &entry, mkey_kvno)))
+        if ((retval = krb5_dbe_update_mkvno(context, entry, mkey_kvno)))
             return retval;
 
         break;
     case TGT_KEY:
         iargs.ctx = context;
         iargs.rblock = pblock;
-        iargs.dbentp = &entry;
+        iargs.dbentp = entry;
         /*
          * Iterate through the key/salt list, ignoring salt types.
          */
@@ -499,13 +501,13 @@ add_principal(context, princ, op, pblock)
         break;
     }
 
-    entry.mask = (KADM5_KEY_DATA | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
-                  KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_TL_DATA |
-                  KADM5_PRINC_EXPIRE_TIME);
+    entry->mask = (KADM5_KEY_DATA | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
+                   KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_TL_DATA |
+                   KADM5_PRINC_EXPIRE_TIME);
 
-    retval = krb5_db_put_principal(context, &entry, &nentries);
+    retval = krb5_db_put_principal(context, entry);
 
-error_out:;
-    krb5_db_free_principal(context, &entry, 1);
+error_out:
+    krb5_db_free_principal(context, entry);
     return retval;
 }
index 9c397b6ab1097901c5efd21835632528a9e75095..4bd72e50ef3602c1b719434707a2e05d57e06cf8 100644 (file)
@@ -196,14 +196,13 @@ kdb5_add_mkey(int argc, char *argv[])
     char *mkey_fullname;
     char *pw_str = 0;
     unsigned int pw_size = 0;
-    int do_stash = 0, nentries = 0;
-    krb5_boolean more = 0;
+    int do_stash = 0;
     krb5_data pwd;
     krb5_kvno new_mkey_kvno;
     krb5_keyblock new_mkeyblock;
     krb5_enctype new_master_enctype = ENCTYPE_UNKNOWN;
     char *new_mkey_password;
-    krb5_db_entry master_entry;
+    krb5_db_entry *master_entry;
     krb5_timestamp now;
 
     /*
@@ -247,26 +246,14 @@ kdb5_add_mkey(int argc, char *argv[])
         return;
     }
 
-    retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
-                                   &nentries, &more);
+    retval = krb5_db_get_principal(util_context, master_princ, 0,
+                                   &master_entry);
     if (retval != 0) {
         com_err(progname, retval,
                 "while getting master key principal %s",
                 mkey_fullname);
         exit_status++;
         goto cleanup_return;
-    } else if (nentries == 0) {
-        com_err(progname, KRB5_KDB_NOENTRY,
-                "principal %s not found in Kerberos database",
-                mkey_fullname);
-        exit_status++;
-        goto cleanup_return;
-    } else if (nentries > 1) {
-        com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
-                "principal %s has multiple entries in Kerberos database",
-                mkey_fullname);
-        exit_status++;
-        goto cleanup_return;
     }
 
     printf("Creating new master key for master key principal '%s'\n",
@@ -310,7 +297,7 @@ kdb5_add_mkey(int argc, char *argv[])
         goto cleanup_return;
     }
 
-    retval = add_new_mkey(util_context, &master_entry, &new_mkeyblock, 0);
+    retval = add_new_mkey(util_context, master_entry, &new_mkeyblock, 0);
     if (retval) {
         com_err(progname, retval, "adding new master key to master principal");
         exit_status++;
@@ -323,14 +310,14 @@ kdb5_add_mkey(int argc, char *argv[])
         goto cleanup_return;
     }
 
-    if ((retval = krb5_dbe_update_mod_princ_data(util_context, &master_entry,
+    if ((retval = krb5_dbe_update_mod_princ_data(util_context, master_entry,
                                                  now, master_princ))) {
         com_err(progname, retval, "while updating the master key principal modification time");
         exit_status++;
         goto cleanup_return;
     }
 
-    if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) {
+    if ((retval = krb5_db_put_principal(util_context, master_entry))) {
         (void) krb5_db_fini(util_context);
         com_err(progname, retval, "while adding master key entry to the database");
         exit_status++;
@@ -375,9 +362,7 @@ kdb5_use_mkey(int argc, char *argv[])
     krb5_timestamp now, start_time;
     krb5_actkvno_node *actkvno_list = NULL, *new_actkvno = NULL,
         *prev_actkvno, *cur_actkvno;
-    krb5_db_entry master_entry;
-    int nentries = 0;
-    krb5_boolean more = FALSE;
+    krb5_db_entry *master_entry;
     krb5_keylist_node *keylist_node;
     krb5_boolean inserted = FALSE;
 
@@ -446,29 +431,17 @@ kdb5_use_mkey(int argc, char *argv[])
         goto cleanup_return;
     }
 
-    retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
-                                   &nentries, &more);
+    retval = krb5_db_get_principal(util_context, master_princ, 0,
+                                   &master_entry);
     if (retval != 0) {
         com_err(progname, retval,
                 "while getting master key principal %s",
                 mkey_fullname);
         exit_status++;
         goto cleanup_return;
-    } else if (nentries == 0) {
-        com_err(progname, KRB5_KDB_NOENTRY,
-                "principal %s not found in Kerberos database",
-                mkey_fullname);
-        exit_status++;
-        goto cleanup_return;
-    } else if (nentries > 1) {
-        com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
-                "principal %s has multiple entries in Kerberos database",
-                mkey_fullname);
-        exit_status++;
-        goto cleanup_return;
     }
 
-    retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list);
+    retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
     if (retval != 0) {
         com_err(progname, retval,
                 "while looking up active version of master key");
@@ -552,21 +525,21 @@ kdb5_use_mkey(int argc, char *argv[])
         goto cleanup_return;
     }
 
-    if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry,
+    if ((retval = krb5_dbe_update_actkvno(util_context, master_entry,
                                           actkvno_list))) {
         com_err(progname, retval, "while updating actkvno data for master principal entry");
         exit_status++;
         goto cleanup_return;
     }
 
-    if ((retval = krb5_dbe_update_mod_princ_data(util_context, &master_entry,
+    if ((retval = krb5_dbe_update_mod_princ_data(util_context, master_entry,
                                                  now, master_princ))) {
         com_err(progname, retval, "while updating the master key principal modification time");
         exit_status++;
         goto cleanup_return;
     }
 
-    if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) {
+    if ((retval = krb5_db_put_principal(util_context, master_entry))) {
         (void) krb5_db_fini(util_context);
         com_err(progname, retval, "while adding master key entry to the database");
         exit_status++;
@@ -590,9 +563,7 @@ kdb5_list_mkeys(int argc, char *argv[])
     krb5_kvno  act_kvno;
     krb5_timestamp act_time;
     krb5_actkvno_node *actkvno_list = NULL, *cur_actkvno;
-    krb5_db_entry master_entry;
-    int   nentries = 0;
-    krb5_boolean more = FALSE;
+    krb5_db_entry *master_entry;
     krb5_keylist_node  *cur_kb_node;
     krb5_keyblock *act_mkey;
 
@@ -612,29 +583,17 @@ kdb5_list_mkeys(int argc, char *argv[])
         return;
     }
 
-    retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
-                                   &nentries, &more);
+    retval = krb5_db_get_principal(util_context, master_princ, 0,
+                                   &master_entry);
     if (retval != 0) {
         com_err(progname, retval,
                 "while getting master key principal %s",
                 mkey_fullname);
         exit_status++;
         goto cleanup_return;
-    } else if (nentries == 0) {
-        com_err(progname, KRB5_KDB_NOENTRY,
-                "principal %s not found in Kerberos database",
-                mkey_fullname);
-        exit_status++;
-        goto cleanup_return;
-    } else if (nentries > 1) {
-        com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
-                "principal %s has multiple entries in Kerberos database",
-                mkey_fullname);
-        exit_status++;
-        goto cleanup_return;
     }
 
-    retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list);
+    retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
     if (retval != 0) {
         com_err(progname, retval, "while looking up active kvno list");
         exit_status++;
@@ -642,7 +601,7 @@ kdb5_list_mkeys(int argc, char *argv[])
     }
 
     if (actkvno_list == NULL) {
-        act_kvno = master_entry.key_data[0].key_data_kvno;
+        act_kvno = master_entry->key_data[0].key_data_kvno;
     } else {
         retval = krb5_dbe_find_act_mkey(util_context, master_keylist,
                                         actkvno_list, &act_kvno, &act_mkey);
@@ -834,7 +793,6 @@ update_princ_encryption_1(void *cb, krb5_db_entry *ent)
     krb5_error_code retval;
     int match;
     krb5_timestamp now;
-    int nentries = 1;
     int result;
     krb5_kvno old_mkvno;
 
@@ -905,7 +863,7 @@ update_princ_encryption_1(void *cb, krb5_db_entry *ent)
 
     ent->mask |= KADM5_KEY_DATA;
 
-    if ((retval = krb5_db_put_principal(util_context, ent, &nentries))) {
+    if ((retval = krb5_db_put_principal(util_context, ent))) {
         com_err(progname, retval,
                 "while updating principal '%s' key data in the database",
                 pname);
@@ -957,9 +915,7 @@ kdb5_update_princ_encryption(int argc, char *argv[])
     int optchar;
     krb5_error_code retval;
     krb5_actkvno_node *actkvno_list = 0;
-    krb5_db_entry master_entry;
-    int nentries = 1;
-    krb5_boolean more = FALSE;
+    krb5_db_entry *master_entry;
     char *mkey_fullname = 0;
 #ifdef BSD_REGEXPS
     char *msg;
@@ -1032,23 +988,16 @@ kdb5_update_princ_encryption(int argc, char *argv[])
         goto cleanup;
     }
 
-    retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
-                                   &nentries, &more);
+    retval = krb5_db_get_principal(util_context, master_princ, 0,
+                                   &master_entry);
     if (retval != 0) {
         com_err(progname, retval, "while getting master key principal %s",
                 mkey_fullname);
         exit_status++;
         goto cleanup;
     }
-    if (nentries != 1) {
-        com_err(progname, 0,
-                "cannot find master key principal %s in database!",
-                mkey_fullname);
-        exit_status++;
-        goto cleanup;
-    }
 
-    retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list);
+    retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
     if (retval != 0) {
         com_err(progname, retval, "while looking up active kvno list");
         exit_status++;
@@ -1058,11 +1007,11 @@ kdb5_update_princ_encryption(int argc, char *argv[])
     /* Master key is always stored encrypted in the latest version of
        itself.  */
     new_mkvno = krb5_db_get_key_data_kvno(util_context,
-                                          master_entry.n_key_data,
-                                          master_entry.key_data);
+                                          master_entry->n_key_data,
+                                          master_entry->key_data);
 
     retval = krb5_dbe_find_mkey(util_context, master_keylist,
-                                &master_entry, &tmp_keyblock);
+                                master_entry, &tmp_keyblock);
     if (retval) {
         com_err(progname, retval, "retrieving the most recent master key");
         exit_status++;
@@ -1154,9 +1103,7 @@ kdb5_purge_mkeys(int argc, char *argv[])
     krb5_error_code retval;
     char  *mkey_fullname = NULL;
     krb5_timestamp now;
-    krb5_db_entry master_entry;
-    int   nentries = 0;
-    krb5_boolean more = FALSE;
+    krb5_db_entry *master_entry;
     krb5_boolean force = FALSE, dry_run = FALSE, verbose = FALSE;
     struct purge_args args;
     char buf[5];
@@ -1205,26 +1152,14 @@ kdb5_purge_mkeys(int argc, char *argv[])
         return;
     }
 
-    retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
-                                   &nentries, &more);
+    retval = krb5_db_get_principal(util_context, master_princ, 0,
+                                   &master_entry);
     if (retval != 0) {
         com_err(progname, retval,
                 "while getting master key principal %s",
                 mkey_fullname);
         exit_status++;
         goto cleanup_return;
-    } else if (nentries == 0) {
-        com_err(progname, KRB5_KDB_NOENTRY,
-                "principal %s not found in Kerberos database",
-                mkey_fullname);
-        exit_status++;
-        goto cleanup_return;
-    } else if (nentries > 1) {
-        com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
-                "principal %s has multiple entries in Kerberos database",
-                mkey_fullname);
-        exit_status++;
-        goto cleanup_return;
     }
 
     if (!force) {
@@ -1243,13 +1178,13 @@ kdb5_purge_mkeys(int argc, char *argv[])
     }
 
     /* save the old keydata */
-    old_key_data_count = master_entry.n_key_data;
+    old_key_data_count = master_entry->n_key_data;
     if (old_key_data_count == 1) {
         if (verbose)
             printf("There is only one master key which can not be purged.\n");
         goto cleanup_return;
     }
-    old_key_data = master_entry.key_data;
+    old_key_data = master_entry->key_data;
 
     args.kvnos = (struct kvnos_in_use *) malloc(sizeof(struct kvnos_in_use) * old_key_data_count);
     if (args.kvnos == NULL) {
@@ -1264,7 +1199,7 @@ kdb5_purge_mkeys(int argc, char *argv[])
 
     /* populate the kvnos array with all the current mkvnos */
     for (i = 0; i < old_key_data_count; i++)
-        args.kvnos[i].kvno =  master_entry.key_data[i].key_data_kvno;
+        args.kvnos[i].kvno =  master_entry->key_data[i].key_data_kvno;
 
     if ((retval = krb5_db_iterate(util_context,
                                   NULL,
@@ -1310,29 +1245,29 @@ kdb5_purge_mkeys(int argc, char *argv[])
         goto cleanup_return;
     }
 
-    retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list);
+    retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
     if (retval != 0) {
         com_err(progname, retval, "while looking up active kvno list");
         exit_status++;
         goto cleanup_return;
     }
 
-    retval = krb5_dbe_lookup_mkey_aux(util_context, &master_entry, &mkey_aux_list);
+    retval = krb5_dbe_lookup_mkey_aux(util_context, master_entry, &mkey_aux_list);
     if (retval != 0) {
         com_err(progname, retval, "while looking up mkey aux data list");
         exit_status++;
         goto cleanup_return;
     }
 
-    master_entry.key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) * num_kvnos_inuse);
-    if (master_entry.key_data == NULL) {
+    master_entry->key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) * num_kvnos_inuse);
+    if (master_entry->key_data == NULL) {
         retval = ENOMEM;
         com_err(progname, ENOMEM, "while allocating key_data");
         exit_status++;
         goto cleanup_return;
     }
-    memset(master_entry.key_data, 0, sizeof(krb5_key_data) * num_kvnos_inuse);
-    master_entry.n_key_data = num_kvnos_inuse; /* there's only 1 mkey per kvno */
+    memset(master_entry->key_data, 0, sizeof(krb5_key_data) * num_kvnos_inuse);
+    master_entry->n_key_data = num_kvnos_inuse; /* there's only 1 mkey per kvno */
 
     /*
      * Assuming that the latest mkey will not be purged because it will always
@@ -1342,7 +1277,7 @@ kdb5_purge_mkeys(int argc, char *argv[])
         for (j = 0; j < args.num_kvnos; j++) {
             if (args.kvnos[j].kvno == (krb5_kvno) old_key_data[i].key_data_kvno) {
                 if (args.kvnos[j].use_count != 0) {
-                    master_entry.key_data[k++] = old_key_data[i];
+                    master_entry->key_data[k++] = old_key_data[i];
                     break;
                 } else {
                     /* remove unused mkey */
@@ -1397,7 +1332,7 @@ kdb5_purge_mkeys(int argc, char *argv[])
     }
     assert(k == num_kvnos_inuse);
 
-    if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry,
+    if ((retval = krb5_dbe_update_actkvno(util_context, master_entry,
                                           actkvno_list))) {
         com_err(progname, retval,
                 "while updating actkvno data for master principal entry");
@@ -1405,7 +1340,7 @@ kdb5_purge_mkeys(int argc, char *argv[])
         goto cleanup_return;
     }
 
-    if ((retval = krb5_dbe_update_mkey_aux(util_context, &master_entry,
+    if ((retval = krb5_dbe_update_mkey_aux(util_context, master_entry,
                                            mkey_aux_list))) {
         com_err(progname, retval,
                 "while updating mkey_aux data for master principal entry");
@@ -1419,7 +1354,7 @@ kdb5_purge_mkeys(int argc, char *argv[])
         goto cleanup_return;
     }
 
-    if ((retval = krb5_dbe_update_mod_princ_data(util_context, &master_entry,
+    if ((retval = krb5_dbe_update_mod_princ_data(util_context, master_entry,
                                                  now, master_princ))) {
         com_err(progname, retval,
                 "while updating the master key principal modification time");
@@ -1427,9 +1362,9 @@ kdb5_purge_mkeys(int argc, char *argv[])
         goto cleanup_return;
     }
 
-    master_entry.mask |= KADM5_KEY_DATA;
+    master_entry->mask |= KADM5_KEY_DATA;
 
-    if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) {
+    if ((retval = krb5_db_put_principal(util_context, master_entry))) {
         (void) krb5_db_fini(util_context);
         com_err(progname, retval, "while adding master key entry to the database");
         exit_status++;
index 09b0d0704cd434d4159a741d00657172bf9f0ff4..6c8e364c611ba6ae3bbbbc25c4b2624d4438242d 100644 (file)
@@ -110,7 +110,7 @@ krb5_keyblock master_keyblock;
 krb5_kvno   master_kvno; /* fetched */
 extern krb5_keylist_node *master_keylist;
 extern krb5_principal master_princ;
-krb5_db_entry master_entry;
+krb5_db_entry *master_entry = NULL;
 int     valid_master_key = 0;
 
 char *progname;
@@ -397,8 +397,6 @@ void set_dbname(argc, argv)
 static int open_db_and_mkey()
 {
     krb5_error_code retval;
-    int nentries;
-    krb5_boolean more;
     krb5_data scratch, pwd, seed;
 
     dbactive = FALSE;
@@ -421,24 +419,12 @@ static int open_db_and_mkey()
         exit_status++;
         return(1);
     }
-    nentries = 1;
-    if ((retval = krb5_db_get_principal(util_context, master_princ,
-                                        &master_entry, &nentries, &more))) {
+    if ((retval = krb5_db_get_principal(util_context, master_princ, 0,
+                                        &master_entry))) {
         com_err(progname, retval, "while retrieving master entry");
         exit_status++;
         (void) krb5_db_fini(util_context);
         return(1);
-    } else if (more) {
-        com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
-                "while retrieving master entry");
-        exit_status++;
-        (void) krb5_db_fini(util_context);
-        return(1);
-    } else if (!nentries) {
-        com_err(progname, KRB5_KDB_NOENTRY, "while retrieving master entry");
-        exit_status++;
-        (void) krb5_db_fini(util_context);
-        return(1);
     }
 
     if (global_params.mask & KADM5_CONFIG_KVNO)
@@ -549,9 +535,7 @@ add_random_key(argc, argv)
 {
     krb5_error_code ret;
     krb5_principal princ;
-    krb5_db_entry dbent;
-    int n;
-    krb5_boolean more;
+    krb5_db_entry *dbent;
     krb5_timestamp now;
 
     krb5_key_salt_tuple *keysalts = NULL;
@@ -582,25 +566,12 @@ add_random_key(argc, argv)
         exit_status++;
         return;
     }
-    n = 1;
-    ret = krb5_db_get_principal(util_context, princ, &dbent,
-                                &n, &more);
+    ret = krb5_db_get_principal(util_context, princ, 0, &dbent);
     if (ret) {
         com_err(me, ret, "while fetching principal %s", pr_str);
         exit_status++;
         return;
     }
-    if (n != 1) {
-        fprintf(stderr, "principal %s not found\n", pr_str);
-        exit_status++;
-        return;
-    }
-    if (more) {
-        fprintf(stderr, "principal %s not unique\n", pr_str);
-        krb5_db_free_principal(util_context, &dbent, 1);
-        exit_status++;
-        return;
-    }
     ret = krb5_string_to_keysalts(ks_str,
                                   ", \t", ":.-", 0,
                                   &keysalts,
@@ -618,41 +589,40 @@ add_random_key(argc, argv)
         free_keysalts = 1;
 
     /* Find the mkey used to protect the existing keys */
-    ret = krb5_dbe_find_mkey(util_context, master_keylist, &dbent, &tmp_mkey);
+    ret = krb5_dbe_find_mkey(util_context, master_keylist, dbent, &tmp_mkey);
     if (ret) {
         com_err(me, ret, "while finding mkey");
+        krb5_db_free_principal(util_context, dbent);
         exit_status++;
         return;
     }
 
-    ret = krb5_dbe_ark(util_context, tmp_mkey,
-                       keysalts, num_keysalts,
-                       &dbent);
+    ret = krb5_dbe_ark(util_context, tmp_mkey, keysalts, num_keysalts, dbent);
     if (free_keysalts)
         free(keysalts);
     if (ret) {
         com_err(me, ret, "while randomizing principal %s", pr_str);
-        krb5_db_free_principal(util_context, &dbent, 1);
+        krb5_db_free_principal(util_context, dbent);
         exit_status++;
         return;
     }
-    dbent.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+    dbent->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
     ret = krb5_timeofday(util_context, &now);
     if (ret) {
         com_err(me, ret, "while getting time");
-        krb5_db_free_principal(util_context, &dbent, 1);
+        krb5_db_free_principal(util_context, dbent);
         exit_status++;
         return;
     }
-    ret = krb5_dbe_update_last_pwd_change(util_context, &dbent, now);
+    ret = krb5_dbe_update_last_pwd_change(util_context, dbent, now);
     if (ret) {
         com_err(me, ret, "while setting changetime");
-        krb5_db_free_principal(util_context, &dbent, 1);
+        krb5_db_free_principal(util_context, dbent);
         exit_status++;
         return;
     }
-    ret = krb5_db_put_principal(util_context, &dbent, &n);
-    krb5_db_free_principal(util_context, &dbent, 1);
+    ret = krb5_db_put_principal(util_context, dbent);
+    krb5_db_free_principal(util_context, dbent);
     if (ret) {
         com_err(me, ret, "while saving principal %s", pr_str);
         exit_status++;
index e2afd58447725a7f7ca29a1b0d81721550a5bd0a..de677a25b8a5225ab1e87c8de7236b1678b99d26 100644 (file)
@@ -108,11 +108,10 @@ int process_ov_principal(fname, kcontext, filep, verbose, linenop)
     krb5_error_code         ret;
     krb5_tl_data            tl_data;
     krb5_principal          princ;
-    krb5_db_entry           kdb;
+    krb5_db_entry           *kdb = NULL;
     char                    *current = 0;
     char                    *cp;
-    int                     x, one;
-    krb5_boolean            more;
+    int                     x;
     char                    line[LINESIZE];
 
     if (fgets(line, LINESIZE, filep) == (char *) NULL) {
@@ -187,16 +186,15 @@ int process_ov_principal(fname, kcontext, filep, verbose, linenop)
     tl_data.tl_data_length = xdr_getpos(&xdrs);
     tl_data.tl_data_contents = (krb5_octet *) xdralloc_getdata(&xdrs);
 
-    one = 1;
-    ret = krb5_db_get_principal(kcontext, princ, &kdb, &one, &more);
+    ret = krb5_db_get_principal(kcontext, princ, 0, &kdb);
     if (ret)
         goto done;
 
-    ret = krb5_dbe_update_tl_data(kcontext, &kdb, &tl_data);
+    ret = krb5_dbe_update_tl_data(kcontext, kdb, &tl_data);
     if (ret)
         goto done;
 
-    ret = krb5_db_put_principal(kcontext, &kdb, &one);
+    ret = krb5_db_put_principal(kcontext, kdb);
     if (ret)
         goto done;
 
@@ -208,5 +206,6 @@ done:
     free(current);
     krb5_free_principal(kcontext, princ);
     osa_free_princ_ent(rec);
+    krb5_db_free_principal(kcontext, kdb);
     return ret;
 }
index 18ce37f2799cf72598de1ebd4da37727027c4a13..57070f517d42953a50acb90ff2aeb7bd0171ae0e 100644 (file)
@@ -93,14 +93,12 @@ krb5_error_code
 process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
                const krb5_fulladdr *from, krb5_data **response)
 {
-    krb5_db_entry client, server;
+    krb5_db_entry *client = NULL, *server = NULL;
     krb5_kdc_rep reply;
     krb5_enc_kdc_rep_part reply_encpart;
     krb5_ticket ticket_reply;
     krb5_enc_tkt_part enc_tkt_reply;
     krb5_error_code errcode;
-    int c_nprincs = 0, s_nprincs = 0;
-    krb5_boolean more;
     krb5_timestamp kdc_time, authtime = 0;
     krb5_keyblock session_key;
     const char *status;
@@ -201,33 +199,25 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     if (include_pac_p(kdc_context, request)) {
         setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
     }
-    c_nprincs = 1;
-    if ((errcode = krb5_db_get_principal_ext(kdc_context, request->client,
-                                             c_flags, &client, &c_nprincs,
-                                             &more))) {
-        status = "LOOKING_UP_CLIENT";
-        c_nprincs = 0;
-        goto errout;
-    }
-
-    if (more) {
-        status = "NON-UNIQUE_CLIENT";
-        errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
-        goto errout;
-    } else if (c_nprincs != 1) {
+    errcode = krb5_db_get_principal(kdc_context, request->client,
+                                    c_flags, &client);
+    if (errcode == KRB5_KDB_NOENTRY) {
         status = "CLIENT_NOT_FOUND";
         if (vague_errors)
             errcode = KRB5KRB_ERR_GENERIC;
         else
             errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
         goto errout;
+    } else if (errcode) {
+        status = "LOOKING_UP_CLIENT";
+        goto errout;
     }
 
     /*
      * If the backend returned a principal that is not in the local
      * realm, then we need to refer the client to that realm.
      */
-    if (!is_local_principal(client.princ)) {
+    if (!is_local_principal(client->princ)) {
         /* Entry is a referral to another realm */
         status = "REFERRAL";
         errcode = KRB5KDC_ERR_WRONG_REALM;
@@ -239,7 +229,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
      * Turn off canonicalization if client is marked DES only
      * (unless enterprise principal name was requested)
      */
-    if (isflagset(client.attributes, KRB5_KDB_NON_MS_PRINCIPAL) &&
+    if (isflagset(client->attributes, KRB5_KDB_NON_MS_PRINCIPAL) &&
         krb5_princ_type(kdc_context,
                         request->client) != KRB5_NT_ENTERPRISE_PRINCIPAL) {
         clear(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
@@ -250,21 +240,15 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
         setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
     }
-    s_nprincs = 1;
-    if ((errcode = krb5_db_get_principal_ext(kdc_context, request->server,
-                                             s_flags, &server,
-                                             &s_nprincs, &more))) {
-        status = "LOOKING_UP_SERVER";
-        goto errout;
-    }
-    if (more) {
-        status = "NON-UNIQUE_SERVER";
-        errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
-        goto errout;
-    } else if (s_nprincs != 1) {
+    errcode = krb5_db_get_principal(kdc_context, request->server,
+                                    s_flags, &server);
+    if (errcode == KRB5_KDB_NOENTRY) {
         status = "SERVER_NOT_FOUND";
         errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
         goto errout;
+    } else if (errcode) {
+        status = "LOOKING_UP_SERVER";
+        goto errout;
     }
 
     if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
@@ -273,7 +257,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     }
     authtime = kdc_time; /* for audit_as_request() */
 
-    if ((errcode = validate_as_request(request, client, server,
+    if ((errcode = validate_as_request(request, *client, *server,
                                        kdc_time, &status, &e_data))) {
         if (!status)
             status = "UNKNOWN_REASON";
@@ -284,7 +268,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     /*
      * Select the keytype for the ticket session key.
      */
-    if ((useenctype = select_session_keytype(kdc_context, &server,
+    if ((useenctype = select_session_keytype(kdc_context, server,
                                              request->nktypes,
                                              request->ktype)) == 0) {
         /* unsupported ktype */
@@ -306,8 +290,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
      */
     if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) &&
         krb5_is_tgs_principal(request->server) &&
-        krb5_is_tgs_principal(server.princ)) {
-        ticket_reply.server = server.princ;
+        krb5_is_tgs_principal(server->princ)) {
+        ticket_reply.server = server->princ;
     } else {
         ticket_reply.server = request->server;
     }
@@ -335,11 +319,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 
     enc_tkt_reply.session = &session_key;
     if (isflagset(c_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
-        client_princ = *(client.princ);
+        client_princ = *(client->princ);
     } else {
         client_princ = *(request->client);
         /* The realm is always canonicalized */
-        client_princ.realm = *(krb5_princ_realm(context, client.princ));
+        client_princ.realm = *(krb5_princ_realm(context, client->princ));
     }
     enc_tkt_reply.client = &client_princ;
     enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
@@ -356,12 +340,12 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
                            enc_tkt_reply.times.starttime,
                            kdc_infinity,
                            request->till,
-                           &client,
-                           &server,
+                           client,
+                           server,
                            &enc_tkt_reply.times.endtime);
 
     if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
-        !isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) &&
+        !isflagset(client->attributes, KRB5_KDB_DISALLOW_RENEWABLE) &&
         (enc_tkt_reply.times.endtime < request->till)) {
 
         /* we set the RENEWABLE option for later processing */
@@ -379,8 +363,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
         enc_tkt_reply.times.renew_till =
             min(rtime, enc_tkt_reply.times.starttime +
-                min(client.max_renewable_life,
-                    min(server.max_renewable_life,
+                min(client->max_renewable_life,
+                    min(server->max_renewable_life,
                         max_renewable_life_for_realm)));
     } else
         enc_tkt_reply.times.renew_till = 0; /* XXX */
@@ -413,17 +397,17 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
             goto errout;
         }
         enc_tkt_reply.client = request->client;
-        setflag(client.attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
+        setflag(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
     }
     /*
      * Check the preauthentication if it is there.
      */
     if (request->padata) {
-        errcode = check_padata(kdc_context, &client, req_pkt, request,
+        errcode = check_padata(kdc_context, client, req_pkt, request,
                                &enc_tkt_reply, &pa_context, &e_data);
         if (errcode) {
             if (errcode == KRB5KDC_ERR_PREAUTH_FAILED)
-                get_preauth_hint_list(request, &client, &server, &e_data);
+                get_preauth_hint_list(request, client, server, &e_data);
 
             status = "PREAUTH_FAILED";
             if (vague_errors)
@@ -437,14 +421,14 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
      * preauthentication, verify that the proper kind of
      * preauthentication was carried out.
      */
-    status = missing_required_preauth(&client, &server, &enc_tkt_reply);
+    status = missing_required_preauth(client, server, &enc_tkt_reply);
     if (status) {
         errcode = KRB5KDC_ERR_PREAUTH_REQUIRED;
-        get_preauth_hint_list(request, &client, &server, &e_data);
+        get_preauth_hint_list(request, client, server, &e_data);
         goto errout;
     }
 
-    if ((errcode = validate_forwardable(request, client, server,
+    if ((errcode = validate_forwardable(request, *client, *server,
                                         kdc_time, &status))) {
         errcode += ERROR_TABLE_BASE_krb5;
         goto errout;
@@ -455,7 +439,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     /*
      * Find the server key
      */
-    if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
+    if ((errcode = krb5_dbe_find_enctype(kdc_context, server,
                                          -1, /* ignore keytype   */
                                          -1, /* Ignore salttype  */
                                          0,  /* Get highest kvno */
@@ -464,7 +448,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         goto errout;
     }
 
-    if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server,
+    if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, server,
                                       &mkey_ptr))) {
         /* try refreshing master key list */
         /* XXX it would nice if we had the mkvno here for optimization */
@@ -473,7 +457,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
             krb5_dbe_free_key_list(kdc_context, master_keylist);
             master_keylist = tmp_mkey_list;
             if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
-                                              &server, &mkey_ptr))) {
+                                              server, &mkey_ptr))) {
                 status = "FINDING_MASTER_KEY";
                 goto errout;
             }
@@ -484,7 +468,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     }
 
     /*
-     * Convert server.key into a real key
+     * Convert server->key into a real key
      * (it may be encrypted in the database)
      *
      *  server_keyblock is later used to generate auth data signatures
@@ -506,7 +490,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         if (!krb5_c_valid_enctype(useenctype))
             continue;
 
-        if (!krb5_dbe_find_enctype(kdc_context, &client, useenctype, -1,
+        if (!krb5_dbe_find_enctype(kdc_context, client, useenctype, -1,
                                    0, &client_key))
             break;
     }
@@ -517,7 +501,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         goto errout;
     }
 
-    if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &client,
+    if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, client,
                                       &mkey_ptr))) {
         /* try refreshing master key list */
         /* XXX it would nice if we had the mkvno here for optimization */
@@ -526,7 +510,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
             krb5_dbe_free_key_list(kdc_context, master_keylist);
             master_keylist = tmp_mkey_list;
             if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
-                                              &client, &mkey_ptr))) {
+                                              client, &mkey_ptr))) {
                 status = "FINDING_MASTER_KEY";
                 goto errout;
             }
@@ -550,12 +534,12 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     reply.client = enc_tkt_reply.client; /* post canonicalization */
     reply.ticket = &ticket_reply;
     reply_encpart.session = &session_key;
-    if ((errcode = fetch_last_req_info(&client, &reply_encpart.last_req))) {
+    if ((errcode = fetch_last_req_info(client, &reply_encpart.last_req))) {
         status = "FETCH_LAST_REQ";
         goto errout;
     }
     reply_encpart.nonce = request->nonce;
-    reply_encpart.key_exp = client.expiration;
+    reply_encpart.key_exp = client->expiration;
     reply_encpart.flags = enc_tkt_reply.flags;
     reply_encpart.server = ticket_reply.server;
 
@@ -571,7 +555,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     /* Fetch the padata info to be returned (do this before
      *  authdata to handle possible replacement of reply key
      */
-    errcode = return_padata(kdc_context, &client, req_pkt, request,
+    errcode = return_padata(kdc_context, client, req_pkt, request,
                             &reply, client_key, &client_keyblock, &pa_context);
     if (errcode) {
         status = "KDC_RETURN_PADATA";
@@ -587,9 +571,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 
     errcode = handle_authdata(kdc_context,
                               c_flags,
-                              &client,
-                              &server,
-                              &server,
+                              client,
+                              server,
+                              server,
                               &client_keyblock,
                               &server_keyblock,
                               &server_keyblock,
@@ -629,7 +613,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         goto errout;
     }
     errcode = return_enc_padata(kdc_context, req_pkt, request,
-                                as_encrypting_key, &server, &reply_encpart,
+                                as_encrypting_key, server, &reply_encpart,
                                 FALSE);
     if (errcode) {
         status = "KDC_RETURN_ENC_PADATA";
@@ -649,7 +633,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
     free(reply.enc_part.ciphertext.data);
 
-    log_as_req(from, request, &reply, &client, cname, &server, sname,
+    log_as_req(from, request, &reply, client, cname, server, sname,
                authtime, 0, 0, 0);
     did_log = 1;
 
@@ -668,7 +652,7 @@ egress:
         emsg = krb5_get_error_message(kdc_context, errcode);
 
     if (status) {
-        log_as_req(from, request, &reply, &client, cname, &server, sname,
+        log_as_req(from, request, &reply, client, cname, server, sname,
                    authtime, status, errcode, emsg);
         did_log = 1;
     }
@@ -681,7 +665,7 @@ egress:
             errcode = KRB_ERR_GENERIC;
 
         errcode = prepare_error_as(state, request, errcode, &e_data,
-                                   c_nprincs ? client.princ : NULL,
+                                   (client != NULL) ? client->princ : NULL,
                                    response, status);
         status = 0;
     }
@@ -703,10 +687,8 @@ egress:
         free(cname);
     if (sname != NULL)
         free(sname);
-    if (c_nprincs)
-        krb5_db_free_principal(kdc_context, &client, c_nprincs);
-    if (s_nprincs)
-        krb5_db_free_principal(kdc_context, &server, s_nprincs);
+    krb5_db_free_principal(kdc_context, client);
+    krb5_db_free_principal(kdc_context, server);
     if (session_key.contents != NULL)
         krb5_free_keyblock_contents(kdc_context, &session_key);
     if (ticket_reply.enc_part.ciphertext.data != NULL) {
index 827f65cb309954180969673c18987a6e45213dec..eeafa071c10ae91f2311d196b9e5ab06092d552f 100644 (file)
@@ -72,9 +72,8 @@
 #include "adm_proto.h"
 #include <ctype.h>
 
-static void
-find_alternate_tgs(krb5_kdc_req *,krb5_db_entry *,
-                   krb5_boolean *,int *);
+static krb5_error_code
+find_alternate_tgs(krb5_kdc_req *,krb5_db_entry **);
 
 static krb5_error_code
 prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int,
@@ -91,7 +90,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
     krb5_keyblock * subkey = 0;
     krb5_keyblock * tgskey = 0;
     krb5_kdc_req *request = 0;
-    krb5_db_entry server;
+    krb5_db_entry *server = NULL;
     krb5_kdc_rep reply;
     krb5_enc_kdc_rep_part reply_encpart;
     krb5_ticket ticket_reply, *header_ticket = 0;
@@ -101,8 +100,6 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
     int newtransited = 0;
     krb5_error_code retval = 0;
     krb5_keyblock encrypting_key;
-    int nprincs = 0;
-    krb5_boolean more;
     krb5_timestamp kdc_time, authtime = 0;
     krb5_keyblock session_key;
     krb5_timestamp rtime;
@@ -118,8 +115,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
     const char        *status = 0;
     krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */
     krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */
-    krb5_db_entry client, krbtgt;
-    int c_nprincs = 0, k_nprincs = 0;
+    krb5_db_entry *client = NULL, *krbtgt = NULL;
     krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */
     krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
     unsigned int c_flags = 0, s_flags = 0;       /* client/server KDB flags */
@@ -157,8 +153,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
         return retval;
     }
     errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket,
-                                  &krbtgt, &k_nprincs, &tgskey,
-                                  &subkey, &pa_tgs_req);
+                                  &krbtgt, &tgskey, &subkey, &pa_tgs_req);
     if (header_ticket && header_ticket->enc_part2 &&
         (errcode2 = krb5_unparse_name(kdc_context,
                                       header_ticket->enc_part2->client,
@@ -217,30 +212,20 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
 
     db_ref_done = FALSE;
 ref_tgt_again:
-    nprincs = 1;
     if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
         status = "UNPARSING SERVER";
         goto cleanup;
     }
     limit_string(sname);
 
-    errcode = krb5_db_get_principal_ext(kdc_context,
-                                        request->server,
-                                        s_flags,
-                                        &server,
-                                        &nprincs,
-                                        &more);
-    if (errcode) {
+    errcode = krb5_db_get_principal(kdc_context, request->server,
+                                    s_flags, &server);
+    if (errcode && errcode != KRB5_KDB_NOENTRY) {
         status = "LOOKING_UP_SERVER";
-        nprincs = 0;
         goto cleanup;
     }
 tgt_again:
-    if (more) {
-        status = "NON_UNIQUE_PRINCIPAL";
-        errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
-        goto cleanup;
-    } else if (nprincs != 1) {
+    if (errcode == KRB5_KDB_NOENTRY) {
         /*
          * might be a request for a TGT for some other realm; we
          * should do our best to find such a TGS in this db
@@ -256,13 +241,11 @@ tgt_again:
                     tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1);
 
                     if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
-                        krb5_db_free_principal(kdc_context, &server, nprincs);
-                        find_alternate_tgs(request, &server, &more, &nprincs);
+                        errcode = find_alternate_tgs(request, &server);
                         firstpass = 0;
                         goto tgt_again;
                     }
                 }
-                krb5_db_free_principal(kdc_context, &server, nprincs);
                 status = "UNKNOWN_SERVER";
                 errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
                 goto cleanup;
@@ -283,7 +266,6 @@ tgt_again:
             }
         }
 
-        krb5_db_free_principal(kdc_context, &server, nprincs);
         status = "UNKNOWN_SERVER";
         errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
         goto cleanup;
@@ -294,7 +276,7 @@ tgt_again:
         goto cleanup;
     }
 
-    if ((retval = validate_tgs_request(request, server, header_ticket,
+    if ((retval = validate_tgs_request(request, *server, header_ticket,
                                        kdc_time, &status, &e_data))) {
         if (!status)
             status = "UNKNOWN_REASON";
@@ -305,20 +287,19 @@ tgt_again:
     if (!is_local_principal(header_enc_tkt->client))
         setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
 
-    is_referral = krb5_is_tgs_principal(server.princ) &&
-        !krb5_principal_compare(kdc_context, tgs_server, server.princ);
+    is_referral = krb5_is_tgs_principal(server->princ) &&
+        !krb5_principal_compare(kdc_context, tgs_server, server->princ);
 
     /* Check for protocol transition */
     errcode = kdc_process_s4u2self_req(kdc_context,
                                        request,
                                        header_enc_tkt->client,
-                                       &server,
+                                       server,
                                        subkey,
                                        header_enc_tkt->session,
                                        kdc_time,
                                        &s4u_x509_user,
                                        &client,
-                                       &c_nprincs,
                                        &status);
     if (errcode)
         goto cleanup;
@@ -342,8 +323,7 @@ tgt_again:
         krb5_keyblock  * st_sealing_key;
         krb5_kvno        st_srv_kvno;
         krb5_enctype     etype;
-        krb5_db_entry    st_client;
-        int              st_nprincs = 0;
+        krb5_db_entry    *st_client;
 
         /*
          * Get the key for the second ticket, and decrypt it.
@@ -352,7 +332,6 @@ tgt_again:
                                           c_flags,
                                           TRUE, /* match_enctype */
                                           &st_client,
-                                          &st_nprincs,
                                           &st_sealing_key,
                                           &st_srv_kvno))) {
             status = "2ND_TKT_SERVER";
@@ -363,7 +342,7 @@ tgt_again:
         krb5_free_keyblock(kdc_context, st_sealing_key);
         if (errcode) {
             status = "2ND_TKT_DECRYPT";
-            krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
+            krb5_db_free_principal(kdc_context, st_client);
             goto cleanup;
         }
 
@@ -371,7 +350,7 @@ tgt_again:
         if (!krb5_c_valid_enctype(etype)) {
             status = "BAD_ETYPE_IN_2ND_TKT";
             errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
-            krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
+            krb5_db_free_principal(kdc_context, st_client);
             goto cleanup;
         }
 
@@ -387,7 +366,7 @@ tgt_again:
             errcode = kdc_process_s4u2proxy_req(kdc_context,
                                                 request,
                                                 request->second_ticket[st_idx]->enc_part2,
-                                                &st_client,
+                                                st_client,
                                                 header_ticket->enc_part2->client,
                                                 request->server,
                                                 &status);
@@ -398,13 +377,11 @@ tgt_again:
 
             assert(krb5_is_tgs_principal(header_ticket->server));
 
-            assert(c_nprincs == 0); /* assured by kdc_process_s4u2self_req() */
-
+            assert(client == NULL); /* assured by kdc_process_s4u2self_req() */
             client = st_client;
-            c_nprincs = st_nprincs;
         } else {
             /* "client" is not used for user2user */
-            krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
+            krb5_db_free_principal(kdc_context, st_client);
         }
     }
 
@@ -412,7 +389,7 @@ tgt_again:
      * Select the keytype for the ticket session key.
      */
     if ((useenctype == 0) &&
-        (useenctype = select_session_keytype(kdc_context, &server,
+        (useenctype = select_session_keytype(kdc_context, server,
                                              request->nktypes,
                                              request->ktype)) == 0) {
         /* unsupported ktype */
@@ -443,14 +420,14 @@ tgt_again:
     authtime = subject_tkt->times.authtime;
 
     if (is_referral)
-        ticket_reply.server = server.princ;
+        ticket_reply.server = server->princ;
     else
         ticket_reply.server = request->server; /* XXX careful for realm... */
 
     enc_tkt_reply.flags = 0;
     enc_tkt_reply.times.starttime = 0;
 
-    if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE))
+    if (isflagset(server->attributes, KRB5_KDB_OK_AS_DELEGATE))
         setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
 
     /*
@@ -487,8 +464,8 @@ tgt_again:
              * Consider this block the S4U2Self equivalent to
              * validate_forwardable().
              */
-            if (c_nprincs &&
-                isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
+            if (client != NULL &&
+                isflagset(client->attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
                 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
             /*
              * Forwardable flag is propagated along referral path.
@@ -500,7 +477,7 @@ tgt_again:
              * S4U2Self in order for forwardable tickets to be returned.
              */
             else if (!is_referral &&
-                     !isflagset(server.attributes,
+                     !isflagset(server->attributes,
                                 KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
                 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
         }
@@ -569,13 +546,9 @@ tgt_again:
         /* not a renew request */
         enc_tkt_reply.times.starttime = kdc_time;
 
-        kdc_get_ticket_endtime(kdc_context,
-                               enc_tkt_reply.times.starttime,
-                               header_enc_tkt->times.endtime,
-                               request->till,
-                               &client,
-                               &server,
-                               &enc_tkt_reply.times.endtime);
+        kdc_get_ticket_endtime(kdc_context, enc_tkt_reply.times.starttime,
+                               header_enc_tkt->times.endtime, request->till,
+                               client, server, &enc_tkt_reply.times.endtime);
 
         if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
             (enc_tkt_reply.times.endtime < request->till) &&
@@ -595,7 +568,7 @@ tgt_again:
             min(rtime,
                 min(header_enc_tkt->times.renew_till,
                     enc_tkt_reply.times.starttime +
-                    min(server.max_renewable_life,
+                    min(server->max_renewable_life,
                         max_renewable_life_for_realm)));
     } else {
         enc_tkt_reply.times.renew_till = 0;
@@ -642,7 +615,7 @@ tgt_again:
         /*
          * Find the server key
          */
-        if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
+        if ((errcode = krb5_dbe_find_enctype(kdc_context, server,
                                              -1, /* ignore keytype */
                                              -1, /* Ignore salttype */
                                              0,  /* Get highest kvno */
@@ -651,7 +624,7 @@ tgt_again:
             goto cleanup;
         }
 
-        if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server,
+        if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, server,
                                           &mkey_ptr))) {
             krb5_keylist_node *tmp_mkey_list;
             /* try refreshing master key list */
@@ -661,7 +634,7 @@ tgt_again:
                 krb5_dbe_free_key_list(kdc_context, master_keylist);
                 master_keylist = tmp_mkey_list;
                 if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
-                                                  &server, &mkey_ptr))) {
+                                                  server, &mkey_ptr))) {
                     status = "FINDING_MASTER_KEY";
                     goto cleanup;
                 }
@@ -689,9 +662,9 @@ tgt_again:
          * delegation is requested. We don't want to deny the server
          * the ability to validate that delegation was used.
          */
-        clear(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED);
+        clear(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED);
     }
-    if (isflagset(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) {
+    if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) {
         /*
          * If we are not doing protocol transition/constrained delegation
          * try to lookup the client principal so plugins can add additional
@@ -706,27 +679,10 @@ tgt_again:
             /* Map principals from foreign (possibly non-AD) realms */
             setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS);
 
-            assert(c_nprincs == 0); /* should not have been looked up already */
+            assert(client == NULL); /* should not have been set already */
 
-            c_nprincs = 1;
-            errcode = krb5_db_get_principal_ext(kdc_context,
-                                                subject_tkt->client,
-                                                c_flags,
-                                                &client,
-                                                &c_nprincs,
-                                                &more);
-            /*
-             * We can ignore errors because the principal may be a
-             * valid cross-realm principal for which we have no local
-             * mapping. But we do want to check that at most one entry
-             * was returned.
-             */
-            if (errcode == 0 && (more || c_nprincs > 1)) {
-                errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
-                goto cleanup;
-            } else if (errcode) {
-                c_nprincs = 0;
-            }
+            errcode = krb5_db_get_principal(kdc_context, subject_tkt->client,
+                                            c_flags, &client);
         }
     }
 
@@ -740,11 +696,7 @@ tgt_again:
     enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
     enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
 
-    errcode = handle_authdata(kdc_context,
-                              c_flags,
-                              (c_nprincs != 0) ? &client : NULL,
-                              &server,
-                              (k_nprincs != 0) ? &krbtgt : NULL,
+    errcode = handle_authdata(kdc_context, c_flags, client, server, krbtgt,
                               subkey != NULL ? subkey :
                               header_ticket->enc_part2->session,
                               &encrypting_key, /* U2U or server key */
@@ -802,8 +754,7 @@ tgt_again:
     }
     if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
         errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
-                                        &server,
-                                        (k_nprincs != 0) ? &krbtgt : NULL);
+                                        server, krbtgt);
         if (errcode) {
             status = "NON_TRANSITIVE";
             goto cleanup;
@@ -953,7 +904,7 @@ tgt_again:
         goto cleanup;
     }
     errcode = return_enc_padata(kdc_context, pkt, request,
-                                reply_key, &server, &reply_encpart,
+                                reply_key, server, &reply_encpart,
                                 is_referral &&
                                 isflagset(s_flags,
                                           KRB5_KDB_FLAG_CANONICALIZE));
@@ -1005,7 +956,7 @@ cleanup:
             errcode = KRB_ERR_GENERIC;
 
         retval = prepare_error_tgs(state, request, header_ticket, errcode,
-                                   nprincs ? server.princ : NULL,
+                                   (server != NULL) ? server->princ : NULL,
                                    response, status, &e_data);
         if (got_err) {
             krb5_free_error_message (kdc_context, status);
@@ -1023,16 +974,13 @@ cleanup:
         free(cname);
     if (sname != NULL)
         free(sname);
-    if (nprincs != 0)
-        krb5_db_free_principal(kdc_context, &server, 1);
+    krb5_db_free_principal(kdc_context, server);
+    krb5_db_free_principal(kdc_context, krbtgt);
+    krb5_db_free_principal(kdc_context, client);
     if (session_key.contents != NULL)
         krb5_free_keyblock_contents(kdc_context, &session_key);
     if (newtransited)
         free(enc_tkt_reply.transited.tr_contents.data);
-    if (k_nprincs)
-        krb5_db_free_principal(kdc_context, &krbtgt, k_nprincs);
-    if (c_nprincs)
-        krb5_db_free_principal(kdc_context, &client, c_nprincs);
     if (s4u_x509_user != NULL)
         krb5_free_pa_s4u_x509_user(kdc_context, s4u_x509_user);
     if (kdc_issued_auth_data != NULL)
@@ -1108,16 +1056,15 @@ prepare_error_tgs (struct kdc_request_state *state,
  * but we don't have a ticket for the final TGS.  Try to give the requestor
  * some intermediate realm.
  */
-static void
-find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server,
-                   krb5_boolean *more, int *nprincs)
+static krb5_error_code
+find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry **server_ptr)
 {
     krb5_error_code retval;
-    krb5_principal *plist, *pl2;
+    krb5_principal *plist = NULL, *pl2, tmpprinc;
     krb5_data tmp;
+    krb5_db_entry *server = NULL;
 
-    *nprincs = 0;
-    *more = FALSE;
+    *server_ptr = NULL;
 
     /*
      * Call to krb5_princ_component is normally not safe but is so
@@ -1129,7 +1076,7 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server,
                                        krb5_princ_realm(kdc_context, request->server),
                                        krb5_princ_component(kdc_context, request->server, 1),
                                        &plist, KRB5_REALM_BRANCH_CHAR)))
-        return;
+        return retval;
 
     /* move to the end */
     for (pl2 = plist; *pl2; pl2++);
@@ -1137,49 +1084,38 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server,
     /* the first entry in this array is for krbtgt/local@local, so we
        ignore it */
     while (--pl2 > plist) {
-        *nprincs = 1;
         tmp = *krb5_princ_realm(kdc_context, *pl2);
         krb5_princ_set_realm(kdc_context, *pl2,
                              krb5_princ_realm(kdc_context, tgs_server));
-        retval = get_principal(kdc_context, *pl2, server, nprincs, more);
+        retval = krb5_db_get_principal(kdc_context, *pl2, 0, &server);
         krb5_princ_set_realm(kdc_context, *pl2, &tmp);
-        if (retval) {
-            *nprincs = 0;
-            *more = FALSE;
-            krb5_free_realm_tree(kdc_context, plist);
-            return;
-        }
-        if (*more) {
-            krb5_db_free_principal(kdc_context, server, *nprincs);
+        if (retval == KRB5_KDB_NOENTRY)
             continue;
-        } else if (*nprincs == 1) {
-            /* Found it! */
-            krb5_principal tmpprinc;
-
-            tmp = *krb5_princ_realm(kdc_context, *pl2);
-            krb5_princ_set_realm(kdc_context, *pl2,
-                                 krb5_princ_realm(kdc_context, tgs_server));
-            if ((retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc))) {
-                krb5_db_free_principal(kdc_context, server, *nprincs);
-                krb5_princ_set_realm(kdc_context, *pl2, &tmp);
-                continue;
-            }
-            krb5_princ_set_realm(kdc_context, *pl2, &tmp);
+        else if (retval)
+            goto cleanup;
 
-            krb5_free_principal(kdc_context, request->server);
-            request->server = tmpprinc;
-            log_tgs_alt_tgt(request->server);
-            krb5_free_realm_tree(kdc_context, plist);
-            return;
-        }
-        krb5_db_free_principal(kdc_context, server, *nprincs);
-        continue;
+        /* Found it. */
+        tmp = *krb5_princ_realm(kdc_context, *pl2);
+        krb5_princ_set_realm(kdc_context, *pl2,
+                             krb5_princ_realm(kdc_context, tgs_server));
+        retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc);
+        if (retval)
+            goto cleanup;
+        krb5_princ_set_realm(kdc_context, *pl2, &tmp);
+
+        krb5_free_principal(kdc_context, request->server);
+        request->server = tmpprinc;
+        log_tgs_alt_tgt(request->server);
+        *server_ptr = server;
+        server = NULL;
+        goto cleanup;
     }
+    retval = KRB5_KDB_NOENTRY;
 
-    *nprincs = 0;
-    *more = FALSE;
+cleanup:
     krb5_free_realm_tree(kdc_context, plist);
-    return;
+    krb5_db_free_principal(kdc_context, server);
+    return retval;
 }
 
 static krb5_int32
index d754edcf41679692a4c612db97664a3ffd3e994a..4c413d07e82f045a53a21d3dad57b3f4a90cc08c 100644 (file)
@@ -2081,9 +2081,7 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request,
      */
 
     {
-        int npr = 1;
-        krb5_boolean more;
-        krb5_db_entry assoc;
+        krb5_db_entry *assoc;
         krb5_key_data  *assoc_key;
         krb5_principal newp;
         int probeslot;
@@ -2105,9 +2103,8 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request,
             krb5_princ_component(kdc_context,newp,probeslot)->data = sam_ptr->name;
             krb5_princ_component(kdc_context,newp,probeslot)->length =
                 strlen(sam_ptr->name);
-            npr = 1;
-            retval = get_principal(kdc_context, newp, &assoc, &npr, &more);
-            if(!retval && npr) {
+            retval = krb5_db_get_principal(kdc_context, newp, 0, &assoc);
+            if(retval == 0) {
                 sc.sam_type = sam_ptr->sam_type;
                 break;
             }
@@ -2123,8 +2120,8 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request,
         if (sc.sam_type) {
             /* so use assoc to get the key out! */
             {
-                if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc,
-                                                 &mkey_ptr))) {
+                if ((retval = krb5_dbe_find_mkey(context, master_keylist,
+                                                 assoc, &mkey_ptr))) {
                     krb5_keylist_node *tmp_mkey_list;
                     /* try refreshing the mkey list in case it's been updated */
                     if (krb5_db_fetch_mkey_list(context, master_princ,
@@ -2133,7 +2130,7 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request,
                         krb5_dbe_free_key_list(context, master_keylist);
                         master_keylist = tmp_mkey_list;
                         if ((retval = krb5_dbe_find_mkey(context, master_keylist,
-                                                         &assoc, &mkey_ptr))) {
+                                                         assoc, &mkey_ptr))) {
                             return (retval);
                         }
                     } else {
@@ -2142,7 +2139,7 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request,
                 }
 
                 /* here's what do_tgs_req does */
-                retval = krb5_dbe_find_enctype(kdc_context, &assoc,
+                retval = krb5_dbe_find_enctype(kdc_context, assoc,
                                                ENCTYPE_DES_CBC_RAW,
                                                KRB5_KDB_SALTTYPE_NORMAL,
                                                0,    /* Get highest kvno */
index 61fd9b345c07e46046f35f5b07002bca1dc18ee9..3d03ca3eda89a8bf5c814550569d46a6192d7beb 100644 (file)
@@ -243,7 +243,7 @@ find_pa_data(krb5_pa_data **padata, krb5_preauthtype pa_type)
 krb5_error_code
 kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
                     krb5_data *pkt, krb5_ticket **ticket,
-                    krb5_db_entry *krbtgt, int *nprincs,
+                    krb5_db_entry **krbtgt_ptr,
                     krb5_keyblock **tgskey,
                     krb5_keyblock **subkey,
                     krb5_pa_data **pa_tgs_req)
@@ -259,8 +259,9 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
     krb5_authenticator  * authenticator = NULL;
     krb5_checksum       * his_cksum = NULL;
     krb5_kvno             kvno = 0;
+    krb5_db_entry       * krbtgt = NULL;
 
-    *nprincs = 0;
+    *krbtgt_ptr = NULL;
     *tgskey = NULL;
 
     tmppa = find_pa_data(request->padata, KRB5_PADATA_AP_REQ);
@@ -304,7 +305,7 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
 #endif
 
     if ((retval = kdc_get_server_key(apreq->ticket, 0, foreign_server,
-                                     krbtgt, nprincs, tgskey, &kvno)))
+                                     &krbtgt, tgskey, &kvno)))
         goto cleanup_auth_context;
     /*
      * We do not use the KDB keytab because other parts of the TGS need the TGT key.
@@ -409,11 +410,15 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
             if (!(retval = encode_krb5_kdc_req_body(request, &scratch)))
                 retval = comp_cksum(kdc_context, scratch, *ticket, his_cksum);
             krb5_free_data(kdc_context, scratch);
+            if (retval)
+                goto cleanup_authenticator;
         }
     }
 
-    if (retval == 0)
-        *pa_tgs_req = tmppa;
+    *pa_tgs_req = tmppa;
+    *krbtgt_ptr = krbtgt;
+    krbtgt = NULL;
+
 cleanup_authenticator:
     krb5_free_authenticator(kdc_context, authenticator);
 
@@ -430,6 +435,7 @@ cleanup:
         *tgskey = NULL;
     }
     krb5_free_ap_req(kdc_context, apreq);
+    krb5_db_free_principal(kdc_context, krbtgt);
     return retval;
 }
 
@@ -442,38 +448,30 @@ cleanup:
  */
 krb5_error_code
 kdc_get_server_key(krb5_ticket *ticket, unsigned int flags,
-                   krb5_boolean match_enctype, krb5_db_entry *server,
-                   int *nprincs, krb5_keyblock **key, krb5_kvno *kvno)
+                   krb5_boolean match_enctype, krb5_db_entry **server_ptr,
+                   krb5_keyblock **key, krb5_kvno *kvno)
 {
     krb5_error_code       retval;
-    krb5_boolean          more, similar;
+    krb5_boolean          similar;
     krb5_key_data       * server_key;
     krb5_keyblock       * mkey_ptr;
+    krb5_db_entry       * server = NULL;
 
-    *nprincs = 1;
+    *server_ptr = NULL;
 
-    retval = krb5_db_get_principal_ext(kdc_context,
-                                       ticket->server,
-                                       flags,
-                                       server,
-                                       nprincs,
-                                       &more);
-    if (retval) {
-        return(retval);
-    }
-    if (more) {
-        return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
-    } else if (*nprincs != 1) {
+    retval = krb5_db_get_principal(kdc_context, ticket->server, flags,
+                                   &server);
+    if (retval == KRB5_KDB_NOENTRY) {
         char *sname;
-
         if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
             limit_string(sname);
             krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
                              sname);
             free(sname);
         }
-        return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN);
-    }
+        return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+    } else if (retval)
+        return retval;
     if (server->attributes & KRB5_KDB_DISALLOW_SVR ||
         server->attributes & KRB5_KDB_DISALLOW_ALL_TIX) {
         retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
@@ -526,12 +524,10 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags,
     }
     (*key)->enctype = ticket->enc_part.enctype;
     *kvno = server_key->key_data_kvno;
+    *server_ptr = server;
+    server = NULL;
 errout:
-    if (retval != 0) {
-        krb5_db_free_principal(kdc_context, server, *nprincs);
-        *nprincs = 0;
-    }
-
+    krb5_db_free_principal(kdc_context, server);
     return retval;
 }
 
@@ -1724,28 +1720,6 @@ rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep)
     return;
 }
 
-krb5_error_code
-get_principal_locked (krb5_context kcontext,
-                      krb5_const_principal search_for,
-                      krb5_db_entry *entries, int *nentries,
-                      krb5_boolean *more)
-{
-    return krb5_db_get_principal (kcontext, search_for, entries, nentries,
-                                  more);
-}
-
-krb5_error_code
-get_principal (krb5_context kcontext,
-               krb5_const_principal search_for,
-               krb5_db_entry *entries, int *nentries, krb5_boolean *more)
-{
-    /* Eventually this will be used to manage locking while looking up
-       principals in the database.  */
-    return get_principal_locked (kcontext, search_for, entries, nentries,
-                                 more);
-}
-
-
 krb5_error_code
 sign_db_authdata (krb5_context context,
                   unsigned int flags,
@@ -2122,17 +2096,15 @@ kdc_process_s4u2self_req(krb5_context context,
                          krb5_keyblock *tgs_session,
                          krb5_timestamp kdc_time,
                          krb5_pa_s4u_x509_user **s4u_x509_user,
-                         krb5_db_entry *princ,
-                         int *nprincs,
+                         krb5_db_entry **princ_ptr,
                          const char **status)
 {
     krb5_error_code             code;
     krb5_pa_data                *pa_data;
-    krb5_boolean                more;
     int                         flags;
+    krb5_db_entry               *princ;
 
-    *nprincs = 0;
-    memset(princ, 0, sizeof(*princ));
+    *princ_ptr = NULL;
 
     pa_data = find_pa_data(request->padata, KRB5_PADATA_S4U_X509_USER);
     if (pa_data != NULL) {
@@ -2227,23 +2199,14 @@ kdc_process_s4u2self_req(krb5_context context,
         krb5_data e_data;
 
         e_data.data = NULL;
-        *nprincs = 1;
-        code = krb5_db_get_principal_ext(context,
-                                         (*s4u_x509_user)->user_id.user,
-                                         KRB5_KDB_FLAG_INCLUDE_PAC,
-                                         princ, nprincs, &more);
-        if (code) {
-            *status = "LOOKING_UP_S4U2SELF_PRINCIPAL";
-            *nprincs = 0;
-            return code; /* caller can free for_user */
-        }
-
-        if (more) {
-            *status = "NON_UNIQUE_S4U2SELF_PRINCIPAL";
-            return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
-        } else if (*nprincs != 1) {
+        code = krb5_db_get_principal(context, (*s4u_x509_user)->user_id.user,
+                                     KRB5_KDB_FLAG_INCLUDE_PAC, &princ);
+        if (code == KRB5_KDB_NOENTRY) {
             *status = "UNKNOWN_S4U2SELF_PRINCIPAL";
             return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+        } else if (code) {
+            *status = "LOOKING_UP_S4U2SELF_PRINCIPAL";
+            return code; /* caller can free for_user */
         }
 
         memset(&no_server, 0, sizeof(no_server));
@@ -2251,9 +2214,12 @@ kdc_process_s4u2self_req(krb5_context context,
         code = validate_as_request(request, *princ,
                                    no_server, kdc_time, status, &e_data);
         if (code) {
+            krb5_db_free_principal(context, princ);
             krb5_free_data_contents(context, &e_data);
             return code;
         }
+
+        *princ_ptr = princ;
     }
 
     return 0;
@@ -2654,7 +2620,7 @@ kdc_get_ticket_endtime(krb5_context context,
 
     life = until - starttime;
 
-    if (client->max_life != 0)
+    if (client != NULL && client->max_life != 0)
         life = min(life, client->max_life);
     if (server->max_life != 0)
         life = min(life, server->max_life);
index d6a2d720c9f36c1b6590f6d88f5af46adc4be11b..a1bde886c1b948249d0847a23281857d1a08b402 100644 (file)
@@ -63,16 +63,14 @@ kdc_process_tgs_req (krb5_kdc_req *,
                      const krb5_fulladdr *,
                      krb5_data *,
                      krb5_ticket **,
-                     krb5_db_entry *krbtgt,
-                     int *nprincs,
+                     krb5_db_entry **krbtgt_ptr,
                      krb5_keyblock **, krb5_keyblock **,
                      krb5_pa_data **pa_tgs_req);
 
 krb5_error_code
 kdc_get_server_key (krb5_ticket *, unsigned int,
                     krb5_boolean match_enctype,
-                    krb5_db_entry *, int *,
-                    krb5_keyblock **, krb5_kvno *);
+                    krb5_db_entry **, krb5_keyblock **, krb5_kvno *);
 
 int
 validate_as_request (krb5_kdc_req *, krb5_db_entry,
@@ -236,16 +234,6 @@ void kdc_free_lookaside(krb5_context);
 /* kdc_util.c */
 void reset_for_hangup(void);
 
-krb5_error_code
-get_principal_locked (krb5_context kcontext,
-                      krb5_const_principal search_for,
-                      krb5_db_entry *entries, int *nentries,
-                      krb5_boolean *more);
-krb5_error_code
-get_principal (krb5_context kcontext,
-               krb5_const_principal search_for,
-               krb5_db_entry *entries, int *nentries, krb5_boolean *more);
-
 krb5_boolean
 include_pac_p(krb5_context context, krb5_kdc_req *request);
 
@@ -281,8 +269,7 @@ kdc_process_s4u2self_req (krb5_context context,
                           krb5_keyblock *tgs_session,
                           krb5_timestamp kdc_time,
                           krb5_pa_s4u_x509_user **s4u2self_req,
-                          krb5_db_entry *princ,
-                          int *nprincs,
+                          krb5_db_entry **princ_ptr,
                           const char **status);
 
 krb5_error_code
index 3276b2727ee82cc26fa924e2f3ca3239aff134a2..cc589fad23dcd6dcba7d11f4154ce396e79ed3f2 100644 (file)
@@ -77,8 +77,8 @@ krb5_error_code     kdb_get_hist_key(kadm5_server_handle_t handle,
                                      krb5_keyblock *hist_keyblock,
                                      krb5_kvno *hist_kvno);
 krb5_error_code     kdb_get_entry(kadm5_server_handle_t handle,
-                                  krb5_principal principal, krb5_db_entry *kdb,
-                                  osa_princ_ent_rec *adb);
+                                  krb5_principal principal,
+                                  krb5_db_entry **kdb, osa_princ_ent_rec *adb);
 krb5_error_code     kdb_free_entry(kadm5_server_handle_t handle,
                                    krb5_db_entry *kdb, osa_princ_ent_rec *adb);
 krb5_error_code     kdb_put_entry(kadm5_server_handle_t handle,
index fa8d69c51c265ec08b36d7b82db2dbf17542ae9c..6da95bd7cebdc2e9b2b3e3e26317bea06aa7dce8 100644 (file)
@@ -55,7 +55,6 @@ kadm5_setv4key_principal
 kadm5_unlock
 kdb_delete_entry
 kdb_free_entry
-kdb_get_entry
 kdb_init_hist
 kdb_init_master
 kdb_iter_entry
index d986b626e631fffa9930bad120037a5f9849773d..cb60971c05fafa791ec0b2a63bbf353f8d6a75a9 100644 (file)
@@ -175,7 +175,7 @@ kdb_get_hist_key(kadm5_server_handle_t handle, krb5_keyblock *hist_keyblock,
                  krb5_kvno *hist_kvno)
 {
     krb5_error_code ret;
-    krb5_db_entry kdb;
+    krb5_db_entry *kdb;
     krb5_keyblock *mkey;
 
     /* Fetch the history principal, creating it if necessary. */
@@ -189,27 +189,26 @@ kdb_get_hist_key(kadm5_server_handle_t handle, krb5_keyblock *hist_keyblock,
     if (ret)
         return ret;
 
-    if (kdb.n_key_data <= 0) {
+    if (kdb->n_key_data <= 0) {
         ret = KRB5_KDB_NO_MATCHING_KEY;
         krb5_set_error_message(handle->context, ret,
                                "History entry contains no key data");
         goto done;
     }
 
-    ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb,
-                             &mkey);
+    ret = krb5_dbe_find_mkey(handle->context, master_keylist, kdb, &mkey);
     if (ret)
         goto done;
 
-    ret = krb5_dbe_decrypt_key_data(handle->context, mkey, &kdb.key_data[0],
+    ret = krb5_dbe_decrypt_key_data(handle->context, mkey, &kdb->key_data[0],
                                     hist_keyblock, NULL);
     if (ret)
         goto done;
 
-    *hist_kvno = kdb.key_data[0].key_data_kvno;
+    *hist_kvno = kdb->key_data[0].key_data_kvno;
 
 done:
-    kdb_free_entry(handle, &kdb, NULL);
+    kdb_free_entry(handle, kdb, NULL);
     return ret;
 }
 
@@ -223,7 +222,7 @@ done:
  *
  *              handle          (r) the server_handle
  *              principal       (r) the principal to get
- *              kdb             (w) krb5_db_entry to fill in
+ *              kdb             (w) krb5_db_entry to create
  *              adb             (w) osa_princ_ent_rec to fill in
  *
  * when the caller is done with kdb and adb, kdb_free_entry must be
@@ -233,27 +232,21 @@ done:
  */
 krb5_error_code
 kdb_get_entry(kadm5_server_handle_t handle,
-              krb5_principal principal, krb5_db_entry *kdb,
+              krb5_principal principal, krb5_db_entry **kdb_ptr,
               osa_princ_ent_rec *adb)
 {
     krb5_error_code ret;
-    int nprincs;
-    krb5_boolean more;
     krb5_tl_data tl_data;
     XDR xdrs;
+    krb5_db_entry *kdb;
 
-    ret = krb5_db_get_principal(handle->context, principal, kdb, &nprincs,
-                                &more);
-    if (ret)
-        return(ret);
+    *kdb_ptr = NULL;
 
-    if (more) {
-        krb5_db_free_principal(handle->context, kdb, nprincs);
-        return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
-    } else if (nprincs != 1) {
-        krb5_db_free_principal(handle->context, kdb, nprincs);
+    ret = krb5_db_get_principal(handle->context, principal, 0, &kdb);
+    if (ret == KRB5_KDB_NOENTRY)
         return(KADM5_UNK_PRINC);
-    }
+    if (ret)
+        return(ret);
 
     if (adb) {
         memset(adb, 0, sizeof(*adb));
@@ -274,7 +267,7 @@ kdb_get_entry(kadm5_server_handle_t handle,
                data will get stored correctly. */
 
             adb->admin_history_kvno = INITIAL_HIST_KVNO;
-
+            *kdb_ptr = kdb;
             return(ret);
         }
 
@@ -282,12 +275,13 @@ kdb_get_entry(kadm5_server_handle_t handle,
                       tl_data.tl_data_length, XDR_DECODE);
         if (! xdr_osa_princ_ent_rec(&xdrs, adb)) {
             xdr_destroy(&xdrs);
-            krb5_db_free_principal(handle->context, kdb, 1);
+            krb5_db_free_principal(handle->context, kdb);
             return(KADM5_XDR_FAILURE);
         }
         xdr_destroy(&xdrs);
     }
 
+    *kdb_ptr = kdb;
     return(0);
 }
 
@@ -314,7 +308,7 @@ kdb_free_entry(kadm5_server_handle_t handle,
 
 
     if (kdb)
-        krb5_db_free_principal(handle->context, kdb, 1);
+        krb5_db_free_principal(handle->context, kdb);
 
     if (adb) {
         xdrmem_create(&xdrs, NULL, 0, XDR_FREE);
@@ -351,7 +345,6 @@ kdb_put_entry(kadm5_server_handle_t handle,
     krb5_int32 now;
     XDR xdrs;
     krb5_tl_data tl_data;
-    int one;
 
     ret = krb5_timeofday(handle->context, &now);
     if (ret)
@@ -378,12 +371,10 @@ kdb_put_entry(kadm5_server_handle_t handle,
     if (ret)
         return(ret);
 
-    one = 1;
-
     /* we are always updating TL data */
     kdb->mask |= KADM5_TL_DATA;
 
-    ret = krb5_db_put_principal(handle->context, kdb, &one);
+    ret = krb5_db_put_principal(handle->context, kdb);
     if (ret)
         return(ret);
 
@@ -393,11 +384,11 @@ kdb_put_entry(kadm5_server_handle_t handle,
 krb5_error_code
 kdb_delete_entry(kadm5_server_handle_t handle, krb5_principal name)
 {
-    int one = 1;
     krb5_error_code ret;
 
-    ret = krb5_db_delete_principal(handle->context, name, &one);
-
+    ret = krb5_db_delete_principal(handle->context, name);
+    if (ret == KRB5_KDB_NOENTRY)
+        ret = 0;
     return ret;
 }
 
index 1d3ccbc666dc2e11412b5c176b6eeb17f13d04f7..65f5db1644720d0e1812b5a8e54e3968418db4f4 100644 (file)
@@ -173,7 +173,6 @@ kadm5_delete_policy(void *server_handle, kadm5_policy_t name)
     kadm5_server_handle_t handle = server_handle;
     osa_policy_ent_t            entry;
     int                         ret;
-    int                         cnt=1;
 
     CHECK_HANDLE(server_handle);
 
@@ -183,10 +182,11 @@ kadm5_delete_policy(void *server_handle, kadm5_policy_t name)
         return EINVAL;
     if(strlen(name) == 0)
         return KADM5_BAD_POLICY;
-    if((ret = krb5_db_get_policy(handle->context, name, &entry,&cnt)))
-        return ret;
-    if( cnt != 1 )
+    ret = krb5_db_get_policy(handle->context, name, &entry);
+    if (ret == KRB5_KDB_NOENTRY)
         return KADM5_UNK_POLICY;
+    else if (ret)
+        return ret;
 
     if(entry->policy_refcnt != 0) {
         krb5_db_free_policy(handle->context, entry);
@@ -220,7 +220,6 @@ kadm5_modify_policy_internal(void *server_handle,
     kadm5_server_handle_t handle = server_handle;
     osa_policy_ent_t    p;
     int                 ret;
-    int                 cnt=1;
 
     CHECK_HANDLE(server_handle);
 
@@ -231,10 +230,11 @@ kadm5_modify_policy_internal(void *server_handle,
     if((mask & KADM5_POLICY))
         return KADM5_BAD_MASK;
 
-    if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
-        return ret;
-    if (cnt != 1)
+    ret = krb5_db_get_policy(handle->context, entry->policy, &p);
+    if (ret == KRB5_KDB_NOENTRY)
         return KADM5_UNK_POLICY;
+    else if (ret)
+        return ret;
 
     if ((mask & KADM5_PW_MAX_LIFE))
         p->pw_max_life = entry->pw_max_life;
@@ -289,7 +289,6 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name,
     osa_policy_ent_t            t;
     int                         ret;
     kadm5_server_handle_t handle = server_handle;
-    int                         cnt=1;
 
     CHECK_HANDLE(server_handle);
 
@@ -299,11 +298,11 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name,
         return EINVAL;
     if(strlen(name) == 0)
         return KADM5_BAD_POLICY;
-    if((ret = krb5_db_get_policy(handle->context, name, &t, &cnt)))
-        return ret;
-
-    if( cnt != 1 )
+    ret = krb5_db_get_policy(handle->context, name, &t);
+    if (ret == KRB5_KDB_NOENTRY)
         return KADM5_UNK_POLICY;
+    else if (ret)
+        return ret;
 
     if ((entry->policy = strdup(t->name)) == NULL) {
         krb5_db_free_policy(handle->context, t);
index 451e4ff020e792387959252d23b3198538df13a0..6b14d3ba6bd212e7f3dd7a7ab6cde93a4e861540 100644 (file)
@@ -224,9 +224,10 @@ kadm5_create_principal_3(void *server_handle,
                          int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
                          char *password)
 {
-    krb5_db_entry               kdb;
+    krb5_db_entry               *kdb;
     osa_princ_ent_rec           adb;
     kadm5_policy_ent_rec        polent;
+    krb5_boolean                have_polent = FALSE;
     krb5_int32                  now;
     krb5_tl_data                *tl_data_orig, *tl_data_tail;
     unsigned int                ret;
@@ -264,13 +265,16 @@ kadm5_create_principal_3(void *server_handle,
     case KADM5_UNK_PRINC:
         break;
     case 0:
-        kdb_free_entry(handle, &kdb, &adb);
+        kdb_free_entry(handle, kdb, &adb);
         return KADM5_DUP;
     default:
         return ret;
     }
 
-    memset(&kdb, 0, sizeof(krb5_db_entry));
+    kdb = krb5_db_alloc(handle->context, NULL, sizeof(*kdb));
+    if (kdb == NULL)
+        return ENOMEM;
+    memset(kdb, 0, sizeof(*kdb));
     memset(&adb, 0, sizeof(osa_princ_ent_rec));
 
     /*
@@ -280,101 +284,84 @@ kadm5_create_principal_3(void *server_handle,
     if ((mask & KADM5_POLICY)) {
         if ((ret = kadm5_get_policy(handle->lhandle, entry->policy,
                                     &polent)) != KADM5_OK) {
-            if(ret == EINVAL)
-                return KADM5_BAD_POLICY;
-            else
-                return ret;
+            if (ret == EINVAL)
+                ret = KADM5_BAD_POLICY;
+            if (ret)
+                goto cleanup;
         }
+        have_polent = TRUE;
     }
     if (password) {
-        ret = passwd_check(handle, password, (mask & KADM5_POLICY),
-                           &polent, entry->principal);
-        if (ret) {
-            if (mask & KADM5_POLICY)
-                (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-            return ret;
-        }
+        ret = passwd_check(handle, password, have_polent, &polent,
+                           entry->principal);
+        if (ret)
+            goto cleanup;
     }
     /*
      * Start populating the various DB fields, using the
      * "defaults" for fields that were not specified by the
      * mask.
      */
-    if ((ret = krb5_timeofday(handle->context, &now))) {
-        if (mask & KADM5_POLICY)
-            (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-        return ret;
-    }
+    if ((ret = krb5_timeofday(handle->context, &now)))
+        goto cleanup;
 
-    kdb.magic = KRB5_KDB_MAGIC_NUMBER;
-    kdb.len = KRB5_KDB_V1_BASE_LENGTH; /* gag me with a chainsaw */
+    kdb->magic = KRB5_KDB_MAGIC_NUMBER;
+    kdb->len = KRB5_KDB_V1_BASE_LENGTH; /* gag me with a chainsaw */
 
     if ((mask & KADM5_ATTRIBUTES))
-        kdb.attributes = entry->attributes;
+        kdb->attributes = entry->attributes;
     else
-        kdb.attributes = handle->params.flags;
+        kdb->attributes = handle->params.flags;
 
     if ((mask & KADM5_MAX_LIFE))
-        kdb.max_life = entry->max_life;
+        kdb->max_life = entry->max_life;
     else
-        kdb.max_life = handle->params.max_life;
+        kdb->max_life = handle->params.max_life;
 
     if (mask & KADM5_MAX_RLIFE)
-        kdb.max_renewable_life = entry->max_renewable_life;
+        kdb->max_renewable_life = entry->max_renewable_life;
     else
-        kdb.max_renewable_life = handle->params.max_rlife;
+        kdb->max_renewable_life = handle->params.max_rlife;
 
     if ((mask & KADM5_PRINC_EXPIRE_TIME))
-        kdb.expiration = entry->princ_expire_time;
+        kdb->expiration = entry->princ_expire_time;
     else
-        kdb.expiration = handle->params.expiration;
+        kdb->expiration = handle->params.expiration;
 
-    kdb.pw_expiration = 0;
-    if ((mask & KADM5_POLICY)) {
+    kdb->pw_expiration = 0;
+    if (have_polent) {
         if(polent.pw_max_life)
-            kdb.pw_expiration = now + polent.pw_max_life;
+            kdb->pw_expiration = now + polent.pw_max_life;
         else
-            kdb.pw_expiration = 0;
+            kdb->pw_expiration = 0;
     }
     if ((mask & KADM5_PW_EXPIRATION))
-        kdb.pw_expiration = entry->pw_expiration;
+        kdb->pw_expiration = entry->pw_expiration;
 
-    kdb.last_success = 0;
-    kdb.last_failed = 0;
-    kdb.fail_auth_count = 0;
+    kdb->last_success = 0;
+    kdb->last_failed = 0;
+    kdb->fail_auth_count = 0;
 
     /* this is kind of gross, but in order to free the tl data, I need
        to free the entire kdb entry, and that will try to free the
        principal. */
 
     if ((ret = kadm5_copy_principal(handle->context,
-                                    entry->principal, &(kdb.princ)))) {
-        if (mask & KADM5_POLICY)
-            (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-        return(ret);
-    }
+                                    entry->principal, &(kdb->princ))))
+        goto cleanup;
 
-    if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))) {
-        krb5_db_free_principal(handle->context, &kdb, 1);
-        if (mask & KADM5_POLICY)
-            (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-        return(ret);
-    }
+    if ((ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now)))
+        goto cleanup;
 
     if (mask & KADM5_TL_DATA) {
-        /* splice entry->tl_data onto the front of kdb.tl_data */
-        tl_data_orig = kdb.tl_data;
+        /* splice entry->tl_data onto the front of kdb->tl_data */
+        tl_data_orig = kdb->tl_data;
         for (tl_data_tail = entry->tl_data; tl_data_tail;
              tl_data_tail = tl_data_tail->tl_data_next)
         {
-            ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl_data_tail);
+            ret = krb5_dbe_update_tl_data(handle->context, kdb, tl_data_tail);
             if( ret )
-            {
-                krb5_db_free_principal(handle->context, &kdb, 1);
-                if (mask & KADM5_POLICY)
-                    (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-                return ret;
-            }
+                goto cleanup;
         }
     }
 
@@ -382,42 +369,29 @@ kadm5_create_principal_3(void *server_handle,
 
     ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
                                  active_mkey_list, &act_kvno, &act_mkey);
-    if (ret) {
-        krb5_db_free_principal(handle->context, &kdb, 1);
-        if (mask & KADM5_POLICY)
-            (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-        return (ret);
-    }
+    if (ret)
+        goto cleanup;
 
     if (password) {
         ret = krb5_dbe_cpw(handle->context, act_mkey,
                            n_ks_tuple?ks_tuple:handle->params.keysalts,
                            n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
                            password, (mask & KADM5_KVNO)?entry->kvno:1,
-                           FALSE, &kdb);
+                           FALSE, kdb);
     } else {
         /* Null password means create with random key (new in 1.8). */
         ret = krb5_dbe_crk(handle->context, &master_keyblock,
                            n_ks_tuple?ks_tuple:handle->params.keysalts,
                            n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
-                           FALSE, &kdb);
-    }
-    if (ret) {
-        krb5_db_free_principal(handle->context, &kdb, 1);
-        if (mask & KADM5_POLICY)
-            (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-        return(ret);
+                           FALSE, kdb);
     }
+    if (ret)
+        goto cleanup;
 
     /* Record the master key VNO used to encrypt this entry's keys */
-    ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno);
+    ret = krb5_dbe_update_mkvno(handle->context, kdb, act_kvno);
     if (ret)
-    {
-        krb5_db_free_principal(handle->context, &kdb, 1);
-        if (mask & KADM5_POLICY)
-            (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-        return ret;
-    }
+        goto cleanup;
 
     /* populate the admin-server-specific fields.  In the OV server,
        this used to be in a separate database.  Since there's already
@@ -426,7 +400,7 @@ kadm5_create_principal_3(void *server_handle,
        single tl_data record, */
 
     adb.admin_history_kvno = INITIAL_HIST_KVNO;
-    if ((mask & KADM5_POLICY)) {
+    if (have_polent) {
         adb.aux_attributes = KADM5_POLICY;
 
         /* this does *not* need to be strdup'ed, because adb is xdr */
@@ -437,28 +411,23 @@ kadm5_create_principal_3(void *server_handle,
 
     /* increment the policy ref count, if any */
 
-    if ((mask & KADM5_POLICY)) {
+    if (have_polent) {
         polent.policy_refcnt++;
         if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent,
                                                 KADM5_REF_COUNT))
-            != KADM5_OK) {
-            krb5_db_free_principal(handle->context, &kdb, 1);
-            if (mask & KADM5_POLICY)
-                (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-            return(ret);
-        }
+            != KADM5_OK)
+            goto cleanup;
     }
 
     /* In all cases key and the principal data is set, let the database provider know */
-    kdb.mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL ;
+    kdb->mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL ;
 
     /* store the new db entry */
-    ret = kdb_put_entry(handle, &kdb, &adb);
+    ret = kdb_put_entry(handle, kdb, &adb);
 
-    krb5_db_free_principal(handle->context, &kdb, 1);
 
     if (ret) {
-        if ((mask & KADM5_POLICY)) {
+        if (have_polent) {
             /* decrement the policy ref count */
 
             polent.policy_refcnt--;
@@ -469,16 +438,13 @@ kadm5_create_principal_3(void *server_handle,
             (void) kadm5_modify_policy_internal(handle->lhandle, &polent,
                                                 KADM5_REF_COUNT);
         }
-
-        if (mask & KADM5_POLICY)
-            (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-        return(ret);
     }
 
-    if (mask & KADM5_POLICY)
+cleanup:
+    krb5_db_free_principal(handle->context, kdb);
+    if (have_polent)
         (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-
-    return KADM5_OK;
+    return ret;
 }
 
 
@@ -487,7 +453,7 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal)
 {
     unsigned int                ret;
     kadm5_policy_ent_rec        polent;
-    krb5_db_entry               kdb;
+    krb5_db_entry               *kdb;
     osa_princ_ent_rec           adb;
     kadm5_server_handle_t handle = server_handle;
 
@@ -510,19 +476,19 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal)
                                                     KADM5_REF_COUNT))
                 != KADM5_OK) {
                 (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-                kdb_free_entry(handle, &kdb, &adb);
+                kdb_free_entry(handle, kdb, &adb);
                 return(ret);
             }
         }
         if ((ret = kadm5_free_policy_ent(handle->lhandle, &polent))) {
-            kdb_free_entry(handle, &kdb, &adb);
+            kdb_free_entry(handle, kdb, &adb);
             return ret;
         }
     }
 
     ret = kdb_delete_entry(handle, principal);
 
-    kdb_free_entry(handle, &kdb, &adb);
+    kdb_free_entry(handle, kdb, &adb);
 
     return ret;
 }
@@ -534,7 +500,7 @@ kadm5_modify_principal(void *server_handle,
     int                     ret, ret2, i;
     kadm5_policy_ent_rec    npol, opol;
     int                     have_npol = 0, have_opol = 0;
-    krb5_db_entry           kdb;
+    krb5_db_entry           *kdb;
     krb5_tl_data            *tl_data_orig;
     osa_princ_ent_rec       adb;
     kadm5_server_handle_t handle = server_handle;
@@ -620,13 +586,13 @@ kadm5_modify_principal(void *server_handle,
 
         /* set pw_max_life based on new policy */
         if (npol.pw_max_life) {
-            ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb,
-                                                  &(kdb.pw_expiration));
+            ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb,
+                                                  &(kdb->pw_expiration));
             if (ret)
                 goto done;
-            kdb.pw_expiration += npol.pw_max_life;
+            kdb->pw_expiration += npol.pw_max_life;
         } else {
-            kdb.pw_expiration = 0;
+            kdb->pw_expiration = 0;
         }
     }
 
@@ -646,7 +612,7 @@ kadm5_modify_principal(void *server_handle,
                 free(adb.policy);
             adb.policy = NULL;
             adb.aux_attributes &= ~KADM5_POLICY;
-            kdb.pw_expiration = 0;
+            kdb->pw_expiration = 0;
             opol.policy_refcnt--;
             break;
         default:
@@ -667,19 +633,19 @@ kadm5_modify_principal(void *server_handle,
         goto done;
 
     if ((mask & KADM5_ATTRIBUTES))
-        kdb.attributes = entry->attributes;
+        kdb->attributes = entry->attributes;
     if ((mask & KADM5_MAX_LIFE))
-        kdb.max_life = entry->max_life;
+        kdb->max_life = entry->max_life;
     if ((mask & KADM5_PRINC_EXPIRE_TIME))
-        kdb.expiration = entry->princ_expire_time;
+        kdb->expiration = entry->princ_expire_time;
     if (mask & KADM5_PW_EXPIRATION)
-        kdb.pw_expiration = entry->pw_expiration;
+        kdb->pw_expiration = entry->pw_expiration;
     if (mask & KADM5_MAX_RLIFE)
-        kdb.max_renewable_life = entry->max_renewable_life;
+        kdb->max_renewable_life = entry->max_renewable_life;
 
     if((mask & KADM5_KVNO)) {
-        for (i = 0; i < kdb.n_key_data; i++)
-            kdb.key_data[i].key_data_kvno = entry->kvno;
+        for (i = 0; i < kdb->n_key_data; i++)
+            kdb->key_data[i].key_data_kvno = entry->kvno;
     }
 
     if (mask & KADM5_TL_DATA) {
@@ -690,7 +656,7 @@ kadm5_modify_principal(void *server_handle,
         for (tl = entry->tl_data; tl;
              tl = tl->tl_data_next)
         {
-            ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl);
+            ret = krb5_dbe_update_tl_data(handle->context, kdb, tl);
             if( ret )
             {
                 goto done;
@@ -709,13 +675,13 @@ kadm5_modify_principal(void *server_handle,
             goto done;
         }
 
-        kdb.fail_auth_count = 0;
+        kdb->fail_auth_count = 0;
     }
 
     /* let the mask propagate to the database provider */
-    kdb.mask = mask;
+    kdb->mask = mask;
 
-    ret = kdb_put_entry(handle, &kdb, &adb);
+    ret = kdb_put_entry(handle, kdb, &adb);
     if (ret) goto done;
 
     ret = KADM5_OK;
@@ -728,7 +694,7 @@ done:
         ret2 = kadm5_free_policy_ent(handle->lhandle, &npol);
         ret = ret ? ret : ret2;
     }
-    kdb_free_entry(handle, &kdb, &adb);
+    kdb_free_entry(handle, kdb, &adb);
     return ret;
 }
 
@@ -736,7 +702,7 @@ kadm5_ret_t
 kadm5_rename_principal(void *server_handle,
                        krb5_principal source, krb5_principal target)
 {
-    krb5_db_entry       kdb;
+    krb5_db_entry       *kdb;
     osa_princ_ent_rec   adb;
     int                 ret, i;
     kadm5_server_handle_t handle = server_handle;
@@ -749,7 +715,7 @@ kadm5_rename_principal(void *server_handle,
         return EINVAL;
 
     if ((ret = kdb_get_entry(handle, target, &kdb, &adb)) == 0) {
-        kdb_free_entry(handle, &kdb, &adb);
+        kdb_free_entry(handle, kdb, &adb);
         return(KADM5_DUP);
     }
 
@@ -758,28 +724,28 @@ kadm5_rename_principal(void *server_handle,
 
     /* this is kinda gross, but unavoidable */
 
-    for (i=0; i<kdb.n_key_data; i++) {
-        if ((kdb.key_data[i].key_data_ver == 1) ||
-            (kdb.key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)) {
+    for (i=0; i<kdb->n_key_data; i++) {
+        if ((kdb->key_data[i].key_data_ver == 1) ||
+            (kdb->key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)) {
             ret = KADM5_NO_RENAME_SALT;
             goto done;
         }
     }
 
-    kadm5_free_principal(handle->context, kdb.princ);
-    ret = kadm5_copy_principal(handle->context, target, &kdb.princ);
+    kadm5_free_principal(handle->context, kdb->princ);
+    ret = kadm5_copy_principal(handle->context, target, &kdb->princ);
     if (ret) {
-        kdb.princ = NULL; /* so freeing the dbe doesn't lose */
+        kdb->princ = NULL; /* so freeing the dbe doesn't lose */
         goto done;
     }
 
-    if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+    if ((ret = kdb_put_entry(handle, kdb, &adb)))
         goto done;
 
     ret = kdb_delete_entry(handle, source);
 
 done:
-    kdb_free_entry(handle, &kdb, &adb);
+    kdb_free_entry(handle, kdb, &adb);
     return ret;
 }
 
@@ -788,7 +754,7 @@ kadm5_get_principal(void *server_handle, krb5_principal principal,
                     kadm5_principal_ent_t entry,
                     long in_mask)
 {
-    krb5_db_entry               kdb;
+    krb5_db_entry               *kdb;
     osa_princ_ent_rec           adb;
     krb5_error_code             ret = 0;
     long                        mask;
@@ -826,29 +792,29 @@ kadm5_get_principal(void *server_handle, krb5_principal principal,
         entry->aux_attributes = adb.aux_attributes;
 
     if ((mask & KADM5_PRINCIPAL) &&
-        (ret = krb5_copy_principal(handle->context, kdb.princ,
+        (ret = krb5_copy_principal(handle->context, kdb->princ,
                                    &entry->principal))) {
         goto done;
     }
 
     if (mask & KADM5_PRINC_EXPIRE_TIME)
-        entry->princ_expire_time = kdb.expiration;
+        entry->princ_expire_time = kdb->expiration;
 
     if ((mask & KADM5_LAST_PWD_CHANGE) &&
-        (ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb,
+        (ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb,
                                                &(entry->last_pwd_change)))) {
         goto done;
     }
 
     if (mask & KADM5_PW_EXPIRATION)
-        entry->pw_expiration = kdb.pw_expiration;
+        entry->pw_expiration = kdb->pw_expiration;
     if (mask & KADM5_MAX_LIFE)
-        entry->max_life = kdb.max_life;
+        entry->max_life = kdb->max_life;
 
     /* this is a little non-sensical because the function returns two */
     /* values that must be checked separately against the mask */
     if ((mask & KADM5_MOD_NAME) || (mask & KADM5_MOD_TIME)) {
-        ret = krb5_dbe_lookup_mod_princ_data(handle->context, &kdb,
+        ret = krb5_dbe_lookup_mod_princ_data(handle->context, kdb,
                                              &(entry->mod_date),
                                              &(entry->mod_name));
         if (ret) {
@@ -864,34 +830,34 @@ kadm5_get_principal(void *server_handle, krb5_principal principal,
     }
 
     if (mask & KADM5_ATTRIBUTES)
-        entry->attributes = kdb.attributes;
+        entry->attributes = kdb->attributes;
 
     if (mask & KADM5_KVNO)
-        for (entry->kvno = 0, i=0; i<kdb.n_key_data; i++)
-            if (kdb.key_data[i].key_data_kvno > entry->kvno)
-                entry->kvno = kdb.key_data[i].key_data_kvno;
+        for (entry->kvno = 0, i=0; i<kdb->n_key_data; i++)
+            if (kdb->key_data[i].key_data_kvno > entry->kvno)
+                entry->kvno = kdb->key_data[i].key_data_kvno;
 
     if (mask & KADM5_MKVNO) {
-        ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist,
+        ret = krb5_dbe_get_mkvno(handle->context, kdb, master_keylist,
                                  &entry->mkvno);
         if (ret)
             goto done;
     }
 
     if (mask & KADM5_MAX_RLIFE)
-        entry->max_renewable_life = kdb.max_renewable_life;
+        entry->max_renewable_life = kdb->max_renewable_life;
     if (mask & KADM5_LAST_SUCCESS)
-        entry->last_success = kdb.last_success;
+        entry->last_success = kdb->last_success;
     if (mask & KADM5_LAST_FAILED)
-        entry->last_failed = kdb.last_failed;
+        entry->last_failed = kdb->last_failed;
     if (mask & KADM5_FAIL_AUTH_COUNT)
-        entry->fail_auth_count = kdb.fail_auth_count;
+        entry->fail_auth_count = kdb->fail_auth_count;
     if (mask & KADM5_TL_DATA) {
         krb5_tl_data *tl, *tl2;
 
         entry->tl_data = NULL;
 
-        tl = kdb.tl_data;
+        tl = kdb->tl_data;
         while (tl) {
             if (tl->tl_data_type > 255) {
                 if ((tl2 = dup_tl_data(tl)) == NULL) {
@@ -907,7 +873,7 @@ kadm5_get_principal(void *server_handle, krb5_principal principal,
         }
     }
     if (mask & KADM5_KEY_DATA) {
-        entry->n_key_data = kdb.n_key_data;
+        entry->n_key_data = kdb->n_key_data;
         if(entry->n_key_data) {
             entry->key_data = malloc(entry->n_key_data*sizeof(krb5_key_data));
             if (entry->key_data == NULL) {
@@ -919,7 +885,7 @@ kadm5_get_principal(void *server_handle, krb5_principal principal,
 
         for (i = 0; i < entry->n_key_data; i++)
             ret = krb5_copy_key_data_contents(handle->context,
-                                              &kdb.key_data[i],
+                                              &kdb->key_data[i],
                                               &entry->key_data[i]);
         if (ret)
             goto done;
@@ -932,7 +898,7 @@ done:
         krb5_free_principal(handle->context, entry->principal);
         entry->principal = NULL;
     }
-    kdb_free_entry(handle, &kdb, &adb);
+    kdb_free_entry(handle, kdb, &adb);
 
     return ret;
 }
@@ -1338,7 +1304,7 @@ kadm5_chpass_principal_3(void *server_handle,
     krb5_int32                  now;
     kadm5_policy_ent_rec        pol;
     osa_princ_ent_rec           adb;
-    krb5_db_entry               kdb, kdb_save;
+    krb5_db_entry               *kdb, *kdb_save;
     int                         ret, ret2, last_pwd, hist_added;
     int                         have_pol = 0;
     kadm5_server_handle_t       handle = server_handle;
@@ -1365,7 +1331,7 @@ kadm5_chpass_principal_3(void *server_handle,
 
     /* we are going to need the current keys after the new keys are set */
     if ((ret = kdb_get_entry(handle, principal, &kdb_save, NULL))) {
-        kdb_free_entry(handle, &kdb, &adb);
+        kdb_free_entry(handle, kdb, &adb);
         return(ret);
     }
 
@@ -1388,15 +1354,15 @@ kadm5_chpass_principal_3(void *server_handle,
                        n_ks_tuple?ks_tuple:handle->params.keysalts,
                        n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
                        password, 0 /* increment kvno */,
-                       keepold, &kdb);
+                       keepold, kdb);
     if (ret)
         goto done;
 
-    ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno);
+    ret = krb5_dbe_update_mkvno(handle->context, kdb, act_kvno);
     if (ret)
         goto done;
 
-    kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+    kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
 
     ret = krb5_timeofday(handle->context, &now);
     if (ret)
@@ -1405,8 +1371,7 @@ kadm5_chpass_principal_3(void *server_handle,
     if ((adb.aux_attributes & KADM5_POLICY)) {
         /* the policy was loaded before */
 
-        ret = krb5_dbe_lookup_last_pwd_change(handle->context,
-                                              &kdb, &last_pwd);
+        ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
         if (ret)
             goto done;
 
@@ -1418,7 +1383,7 @@ kadm5_chpass_principal_3(void *server_handle,
          * local caller implicitly has all authorization bits.
          */
         if ((now - last_pwd) < pol.pw_min_life &&
-            !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+            !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
             ret = KADM5_PASS_TOOSOON;
             goto done;
         }
@@ -1430,13 +1395,13 @@ kadm5_chpass_principal_3(void *server_handle,
 
         ret = create_history_entry(handle->context,
                                    act_mkey, &hist_keyblock,
-                                   kdb_save.n_key_data,
-                                   kdb_save.key_data, &hist);
+                                   kdb_save->n_key_data,
+                                   kdb_save->key_data, &hist);
         if (ret)
             goto done;
 
         ret = check_pw_reuse(handle->context, act_mkey, &hist_keyblock,
-                             kdb.n_key_data, kdb.key_data,
+                             kdb->n_key_data, kdb->key_data,
                              1, &hist);
         if (ret)
             goto done;
@@ -1446,7 +1411,7 @@ kadm5_chpass_principal_3(void *server_handle,
              * can't check the history. */
             if (adb.admin_history_kvno == hist_kvno) {
                 ret = check_pw_reuse(handle->context, act_mkey, &hist_keyblock,
-                                     kdb.n_key_data, kdb.key_data,
+                                     kdb->n_key_data, kdb->key_data,
                                      adb.old_key_len, adb.old_keys);
                 if (ret)
                     goto done;
@@ -1460,11 +1425,11 @@ kadm5_chpass_principal_3(void *server_handle,
         }
 
         if (pol.pw_max_life)
-            kdb.pw_expiration = now + pol.pw_max_life;
+            kdb->pw_expiration = now + pol.pw_max_life;
         else
-            kdb.pw_expiration = 0;
+            kdb->pw_expiration = 0;
     } else {
-        kdb.pw_expiration = 0;
+        kdb->pw_expiration = 0;
     }
 
 #ifdef USE_PASSWORD_SERVER
@@ -1496,28 +1461,27 @@ kadm5_chpass_principal_3(void *server_handle,
     }
 #endif
 
-    ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
+    ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
     if (ret)
         goto done;
 
     /* unlock principal on this KDC */
-    kdb.fail_auth_count = 0;
+    kdb->fail_auth_count = 0;
 
     /* key data and attributes changed, let the database provider know */
-    kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES |
+    kdb->mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES |
         KADM5_FAIL_AUTH_COUNT;
     /* | KADM5_CPW_FUNCTION */
 
-    if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+    if ((ret = kdb_put_entry(handle, kdb, &adb)))
         goto done;
 
     ret = KADM5_OK;
 done:
     if (!hist_added && hist.key_data)
         free_history_entry(handle->context, &hist);
-    kdb_free_entry(handle, &kdb, &adb);
-    kdb_free_entry(handle, &kdb_save, NULL);
-    krb5_db_free_principal(handle->context, &kdb, 1);
+    kdb_free_entry(handle, kdb, &adb);
+    kdb_free_entry(handle, kdb_save, NULL);
     krb5_free_keyblock_contents(handle->context, &hist_keyblock);
 
     if (have_pol && (ret2 = kadm5_free_policy_ent(handle->lhandle, &pol))
@@ -1546,7 +1510,7 @@ kadm5_randkey_principal_3(void *server_handle,
                           krb5_keyblock **keyblocks,
                           int *n_keys)
 {
-    krb5_db_entry               kdb;
+    krb5_db_entry               *kdb;
     osa_princ_ent_rec           adb;
     krb5_int32                  now;
     kadm5_policy_ent_rec        pol;
@@ -1584,11 +1548,11 @@ kadm5_randkey_principal_3(void *server_handle,
                        n_ks_tuple?ks_tuple:handle->params.keysalts,
                        n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
                        keepold,
-                       &kdb);
+                       kdb);
     if (ret)
         goto done;
 
-    kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+    kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
 
     ret = krb5_timeofday(handle->context, &now);
     if (ret)
@@ -1600,8 +1564,7 @@ kadm5_randkey_principal_3(void *server_handle,
             goto done;
         have_pol = 1;
 
-        ret = krb5_dbe_lookup_last_pwd_change(handle->context,
-                                              &kdb, &last_pwd);
+        ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
         if (ret)
             goto done;
 
@@ -1613,45 +1576,45 @@ kadm5_randkey_principal_3(void *server_handle,
          * local caller implicitly has all authorization bits.
          */
         if((now - last_pwd) < pol.pw_min_life &&
-           !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+           !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
             ret = KADM5_PASS_TOOSOON;
             goto done;
         }
 #endif
 
         if (pol.pw_max_life)
-            kdb.pw_expiration = now + pol.pw_max_life;
+            kdb->pw_expiration = now + pol.pw_max_life;
         else
-            kdb.pw_expiration = 0;
+            kdb->pw_expiration = 0;
     } else {
-        kdb.pw_expiration = 0;
+        kdb->pw_expiration = 0;
     }
 
-    ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
+    ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
     if (ret)
         goto done;
 
     /* unlock principal on this KDC */
-    kdb.fail_auth_count = 0;
+    kdb->fail_auth_count = 0;
 
     if (keyblocks) {
         ret = decrypt_key_data(handle->context, act_mkey,
-                               kdb.n_key_data, kdb.key_data,
+                               kdb->n_key_data, kdb->key_data,
                                keyblocks, n_keys);
         if (ret)
             goto done;
     }
 
     /* key data changed, let the database provider know */
-    kdb.mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
+    kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
     /* | KADM5_RANDKEY_USED */;
 
-    if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+    if ((ret = kdb_put_entry(handle, kdb, &adb)))
         goto done;
 
     ret = KADM5_OK;
 done:
-    kdb_free_entry(handle, &kdb, &adb);
+    kdb_free_entry(handle, kdb, &adb);
     if (have_pol)
         kadm5_free_policy_ent(handle->lhandle, &pol);
 
@@ -1670,7 +1633,7 @@ kadm5_setv4key_principal(void *server_handle,
                          krb5_principal principal,
                          krb5_keyblock *keyblock)
 {
-    krb5_db_entry               kdb;
+    krb5_db_entry               *kdb;
     osa_princ_ent_rec           adb;
     krb5_int32                  now;
     kadm5_policy_ent_rec        pol;
@@ -1702,18 +1665,18 @@ kadm5_setv4key_principal(void *server_handle,
     if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
         return(ret);
 
-    for (kvno = 0, i=0; i<kdb.n_key_data; i++)
-        if (kdb.key_data[i].key_data_kvno > kvno)
-            kvno = kdb.key_data[i].key_data_kvno;
+    for (kvno = 0, i=0; i<kdb->n_key_data; i++)
+        if (kdb->key_data[i].key_data_kvno > kvno)
+            kvno = kdb->key_data[i].key_data_kvno;
 
-    if (kdb.key_data != NULL)
-        cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
+    if (kdb->key_data != NULL)
+        cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data);
 
-    kdb.key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, sizeof(krb5_key_data));
-    if (kdb.key_data == NULL)
+    kdb->key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, sizeof(krb5_key_data));
+    if (kdb->key_data == NULL)
         return ENOMEM;
-    memset(kdb.key_data, 0, sizeof(krb5_key_data));
-    kdb.n_key_data = 1;
+    memset(kdb->key_data, 0, sizeof(krb5_key_data));
+    kdb->n_key_data = 1;
     keysalt.type = KRB5_KDB_SALTTYPE_V4;
     /* XXX data.magic? */
     keysalt.data.length = 0;
@@ -1732,18 +1695,18 @@ kadm5_setv4key_principal(void *server_handle,
     }
 
     for (k = 0; k < tmp_key_data.key_data_ver; k++) {
-        kdb.key_data->key_data_type[k] = tmp_key_data.key_data_type[k];
-        kdb.key_data->key_data_length[k] = tmp_key_data.key_data_length[k];
+        kdb->key_data->key_data_type[k] = tmp_key_data.key_data_type[k];
+        kdb->key_data->key_data_length[k] = tmp_key_data.key_data_length[k];
         if (tmp_key_data.key_data_contents[k]) {
-            kdb.key_data->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]);
-            if (kdb.key_data->key_data_contents[k] == NULL) {
-                cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
-                kdb.key_data = NULL;
-                kdb.n_key_data = 0;
+            kdb->key_data->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]);
+            if (kdb->key_data->key_data_contents[k] == NULL) {
+                cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data);
+                kdb->key_data = NULL;
+                kdb->n_key_data = 0;
                 ret = ENOMEM;
                 goto done;
             }
-            memcpy (kdb.key_data->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]);
+            memcpy (kdb->key_data->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]);
 
             memset (tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]);
             free (tmp_key_data.key_data_contents[k]);
@@ -1753,7 +1716,7 @@ kadm5_setv4key_principal(void *server_handle,
 
 
 
-    kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+    kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
 
     ret = krb5_timeofday(handle->context, &now);
     if (ret)
@@ -1773,31 +1736,31 @@ kadm5_setv4key_principal(void *server_handle,
          * local caller implicitly has all authorization bits.
          */
         if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
-                                                  &kdb, &last_pwd))
+                                                  kdb, &last_pwd))
             goto done;
         if((now - last_pwd) < pol.pw_min_life &&
-           !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+           !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
             ret = KADM5_PASS_TOOSOON;
             goto done;
         }
 #endif
 
         if (pol.pw_max_life)
-            kdb.pw_expiration = now + pol.pw_max_life;
+            kdb->pw_expiration = now + pol.pw_max_life;
         else
-            kdb.pw_expiration = 0;
+            kdb->pw_expiration = 0;
     } else {
-        kdb.pw_expiration = 0;
+        kdb->pw_expiration = 0;
     }
 
-    ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
+    ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
     if (ret)
         goto done;
 
     /* unlock principal on this KDC */
-    kdb.fail_auth_count = 0;
+    kdb->fail_auth_count = 0;
 
-    if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+    if ((ret = kdb_put_entry(handle, kdb, &adb)))
         goto done;
 
     ret = KADM5_OK;
@@ -1809,7 +1772,7 @@ done:
         }
     }
 
-    kdb_free_entry(handle, &kdb, &adb);
+    kdb_free_entry(handle, kdb, &adb);
     if (have_pol)
         kadm5_free_policy_ent(handle->lhandle, &pol);
 
@@ -1836,7 +1799,7 @@ kadm5_setkey_principal_3(void *server_handle,
                          krb5_keyblock *keyblocks,
                          int n_keys)
 {
-    krb5_db_entry               kdb;
+    krb5_db_entry               *kdb;
     osa_princ_ent_rec           adb;
     krb5_int32                  now;
     kadm5_policy_ent_rec        pol;
@@ -1887,29 +1850,29 @@ kadm5_setkey_principal_3(void *server_handle,
     if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
         return(ret);
 
-    for (kvno = 0, i=0; i<kdb.n_key_data; i++)
-        if (kdb.key_data[i].key_data_kvno > kvno)
-            kvno = kdb.key_data[i].key_data_kvno;
+    for (kvno = 0, i=0; i<kdb->n_key_data; i++)
+        if (kdb->key_data[i].key_data_kvno > kvno)
+            kvno = kdb->key_data[i].key_data_kvno;
 
     if (keepold) {
-        old_key_data = kdb.key_data;
-        n_old_keys = kdb.n_key_data;
+        old_key_data = kdb->key_data;
+        n_old_keys = kdb->n_key_data;
     } else {
-        if (kdb.key_data != NULL)
-            cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
+        if (kdb->key_data != NULL)
+            cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data);
         n_old_keys = 0;
         old_key_data = NULL;
     }
 
-    kdb.key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, (n_keys+n_old_keys)
-                                                 *sizeof(krb5_key_data));
-    if (kdb.key_data == NULL) {
+    kdb->key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, (n_keys+n_old_keys)
+                                                  *sizeof(krb5_key_data));
+    if (kdb->key_data == NULL) {
         ret = ENOMEM;
         goto done;
     }
 
-    memset(kdb.key_data, 0, (n_keys+n_old_keys)*sizeof(krb5_key_data));
-    kdb.n_key_data = 0;
+    memset(kdb->key_data, 0, (n_keys+n_old_keys)*sizeof(krb5_key_data));
+    kdb->n_key_data = 0;
 
     for (i = 0; i < n_keys; i++) {
         if (n_ks_tuple) {
@@ -1935,7 +1898,7 @@ kadm5_setkey_principal_3(void *server_handle,
         if (ret)
             goto done;
 
-        tptr = &kdb.key_data[i];
+        tptr = &kdb->key_data[i];
         tptr->key_data_ver = tmp_key_data.key_data_ver;
         tptr->key_data_kvno = tmp_key_data.key_data_kvno;
         for (k = 0; k < tmp_key_data.key_data_ver; k++) {
@@ -1962,21 +1925,21 @@ kadm5_setkey_principal_3(void *server_handle,
                 tmp_key_data.key_data_contents[k] = NULL;
             }
         }
-        kdb.n_key_data++;
+        kdb->n_key_data++;
     }
 
     /* copy old key data if necessary */
     for (i = 0; i < n_old_keys; i++) {
-        kdb.key_data[i+n_keys] = old_key_data[i];
+        kdb->key_data[i+n_keys] = old_key_data[i];
         memset(&old_key_data[i], 0, sizeof (krb5_key_data));
-        kdb.n_key_data++;
+        kdb->n_key_data++;
     }
 
     if (old_key_data)
         krb5_db_free(handle->context, old_key_data);
 
-    /* assert(kdb.n_key_data == n_keys + n_old_keys) */
-    kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+    /* assert(kdb->n_key_data == n_keys + n_old_keys) */
+    kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
 
     if ((ret = krb5_timeofday(handle->context, &now)))
         goto done;
@@ -1995,35 +1958,35 @@ kadm5_setkey_principal_3(void *server_handle,
          * local caller implicitly has all authorization bits.
          */
         if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
-                                                  &kdb, &last_pwd))
+                                                  kdb, &last_pwd))
             goto done;
         if((now - last_pwd) < pol.pw_min_life &&
-           !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+           !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
             ret = KADM5_PASS_TOOSOON;
             goto done;
         }
 #endif
 
         if (pol.pw_max_life)
-            kdb.pw_expiration = now + pol.pw_max_life;
+            kdb->pw_expiration = now + pol.pw_max_life;
         else
-            kdb.pw_expiration = 0;
+            kdb->pw_expiration = 0;
     } else {
-        kdb.pw_expiration = 0;
+        kdb->pw_expiration = 0;
     }
 
-    if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)))
+    if ((ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now)))
         goto done;
 
     /* unlock principal on this KDC */
-    kdb.fail_auth_count = 0;
+    kdb->fail_auth_count = 0;
 
-    if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+    if ((ret = kdb_put_entry(handle, kdb, &adb)))
         goto done;
 
     ret = KADM5_OK;
 done:
-    kdb_free_entry(handle, &kdb, &adb);
+    kdb_free_entry(handle, kdb, &adb);
     if (have_pol)
         kadm5_free_policy_ent(handle->lhandle, &pol);
 
@@ -2040,7 +2003,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */,
                          krb5_keyblock **keyblocks /* OUT */,
                          int *n_keys /* OUT */)
 {
-    krb5_db_entry               kdb;
+    krb5_db_entry               *kdb;
     osa_princ_ent_rec           adb;
     kadm5_ret_t                 ret;
     kadm5_server_handle_t       handle = server_handle;
@@ -2058,7 +2021,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */,
         return(ret);
 
     if (keyblocks) {
-        if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb,
+        if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, kdb,
                                       &mkey_ptr))) {
             krb5_keylist_node *tmp_mkey_list;
             /* try refreshing master key list */
@@ -2069,7 +2032,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */,
                 krb5_dbe_free_key_list(handle->context, master_keylist);
                 master_keylist = tmp_mkey_list;
                 if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist,
-                                              &kdb, &mkey_ptr))) {
+                                              kdb, &mkey_ptr))) {
                     goto done;
                 }
             } else {
@@ -2078,7 +2041,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */,
         }
 
         ret = decrypt_key_data(handle->context, mkey_ptr,
-                               kdb.n_key_data, kdb.key_data,
+                               kdb->n_key_data, kdb->key_data,
                                keyblocks, n_keys);
         if (ret)
             goto done;
@@ -2086,7 +2049,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */,
 
     ret = KADM5_OK;
 done:
-    kdb_free_entry(handle, &kdb, &adb);
+    kdb_free_entry(handle, kdb, &adb);
 
     return ret;
 }
index 5a0501b277eb18f8e707286e22c496ea59246c41..59f9d2609a08cdd722a97649ca1b6de22ab983fe 100644 (file)
@@ -76,11 +76,9 @@ int main(int argc, char **argv)
             else
                 printf("released\n");
         } else if (strcmp(*argv, "get") == 0) {
-            int cnt = 1;
             argc--; argv++;
             if (!argc) usage();
-            if ((ret = krb5_db_get_policy(context, *argv,
-                                          &entry, &cnt)) ) {
+            if ((ret = krb5_db_get_policy(context, *argv, &entry))) {
                 com_err(whoami, ret, "while getting policy");
             } else {
                 printf("retrieved\n");
index 493647d017310a0df962abc2a1a3aef3cb0093bd..af81d37bf4e821bfe650e4e1d251cb424d594387 100644 (file)
@@ -698,43 +698,23 @@ krb5_db_unlock(krb5_context kcontext)
 }
 
 krb5_error_code
-krb5_db_get_principal(krb5_context kcontext,
-                      krb5_const_principal search_for,
-                      krb5_db_entry * entries,
-                      int *nentries, krb5_boolean * more)
+krb5_db_get_principal(krb5_context kcontext, krb5_const_principal search_for,
+                      unsigned int flags, krb5_db_entry **entry)
 {
     krb5_error_code status = 0;
     kdb_vftabl *v;
 
+    *entry = NULL;
     status = get_vftabl(kcontext, &v);
     if (status)
         return status;
     if (v->get_principal == NULL)
         return KRB5_PLUGIN_OP_NOTSUPP;
-    return v->get_principal(kcontext, search_for, 0, entries, nentries, more);
-}
-
-krb5_error_code
-krb5_db_get_principal_ext(krb5_context kcontext,
-                          krb5_const_principal search_for,
-                          unsigned int flags,
-                          krb5_db_entry * entries,
-                          int *nentries, krb5_boolean * more)
-{
-    krb5_error_code status = 0;
-    kdb_vftabl *v;
-
-    status = get_vftabl(kcontext, &v);
-    if (status)
-        return status;
-    if (v->get_principal == NULL)
-        return KRB5_PLUGIN_OP_NOTSUPP;
-    return v->get_principal(kcontext, search_for, flags, entries, nentries,
-                            more);
+    return v->get_principal(kcontext, search_for, flags, entry);
 }
 
 void
-krb5_db_free_principal(krb5_context kcontext, krb5_db_entry * entry, int count)
+krb5_db_free_principal(krb5_context kcontext, krb5_db_entry *entry)
 {
     krb5_error_code status = 0;
     kdb_vftabl *v;
@@ -742,7 +722,7 @@ krb5_db_free_principal(krb5_context kcontext, krb5_db_entry * entry, int count)
     status = get_vftabl(kcontext, &v);
     if (status)
         return;
-    v->free_principal(kcontext, entry, count);
+    v->free_principal(kcontext, entry);
 }
 
 static void
@@ -826,8 +806,7 @@ clean_n_exit:
 }
 
 krb5_error_code
-krb5int_put_principal_no_log(krb5_context kcontext,
-                             krb5_db_entry *entries, int *nentries)
+krb5int_put_principal_no_log(krb5_context kcontext, krb5_db_entry *entry)
 {
     kdb_vftabl *v;
     krb5_error_code status;
@@ -838,53 +817,47 @@ krb5int_put_principal_no_log(krb5_context kcontext,
         return status;
     if (v->put_principal == NULL)
         return KRB5_PLUGIN_OP_NOTSUPP;
-    status = extract_db_args_from_tl_data(kcontext, &entries->tl_data,
-                                          &entries->n_tl_data,
+    status = extract_db_args_from_tl_data(kcontext, &entry->tl_data,
+                                          &entry->n_tl_data,
                                           &db_args);
     if (status)
         return status;
-    status = v->put_principal(kcontext, entries, nentries, db_args);
+    status = v->put_principal(kcontext, entry, db_args);
     free_db_args(kcontext, db_args);
     return status;
 }
 
 krb5_error_code
-krb5_db_put_principal(krb5_context kcontext,
-                      krb5_db_entry * entries, int *nentries)
+krb5_db_put_principal(krb5_context kcontext, krb5_db_entry *entry)
 {
     krb5_error_code status = 0;
     kdb_vftabl *v;
     char  **db_args = NULL;
-    kdb_incr_update_t *upd, *fupd = 0;
+    kdb_incr_update_t *upd = NULL;
     char *princ_name = NULL;
     kdb_log_context *log_ctx;
-    int i;
     int ulog_locked = 0;
 
     log_ctx = kcontext->kdblog_context;
 
     status = get_vftabl(kcontext, &v);
     if (status)
-        goto clean_n_exit;
+        return status;
+    if (v->put_principal == NULL)
+        return KRB5_PLUGIN_OP_NOTSUPP;
 
-    status = extract_db_args_from_tl_data(kcontext, &entries->tl_data,
-                                          &entries->n_tl_data,
+    status = extract_db_args_from_tl_data(kcontext, &entry->tl_data,
+                                          &entry->n_tl_data,
                                           &db_args);
     if (status)
         goto clean_n_exit;
 
     if (log_ctx && (log_ctx->iproprole == IPROP_MASTER)) {
-        if (!(upd = (kdb_incr_update_t *)
-              malloc(sizeof (kdb_incr_update_t)* *nentries))) {
-            status = errno;
-            goto err_lock;
-        }
-        fupd = upd;
-
-        (void) memset(upd, 0, sizeof(kdb_incr_update_t)* *nentries);
-
-        if ((status = ulog_conv_2logentry(kcontext, entries, upd, *nentries)))
-            goto err_lock;
+        upd = k5alloc(sizeof(*upd), &status);
+        if (upd == NULL)
+            goto clean_n_exit;
+        if ((status = ulog_conv_2logentry(kcontext, entry, upd)))
+            goto clean_n_exit;
     }
 
     status = ulog_lock(kcontext, KRB5_LOCKMODE_EXCLUSIVE);
@@ -892,51 +865,35 @@ krb5_db_put_principal(krb5_context kcontext,
         goto err_lock;
     ulog_locked = 1;
 
-    for (i = 0; i < *nentries; i++) {
-        if (fupd) {
-            if ((status = krb5_unparse_name(kcontext, entries->princ,
-                                            &princ_name)))
-                goto err_lock;
+    if (upd != NULL) {
+        status = krb5_unparse_name(kcontext, entry->princ, &princ_name);
+        if (status != 0)
+            goto err_lock;
 
-            upd->kdb_princ_name.utf8str_t_val = princ_name;
-            upd->kdb_princ_name.utf8str_t_len = strlen(princ_name);
+        upd->kdb_princ_name.utf8str_t_val = princ_name;
+        upd->kdb_princ_name.utf8str_t_len = strlen(princ_name);
 
-            if ((status = ulog_add_update(kcontext, upd)) != 0)
-                goto err_lock;
-            upd++;
-        }
+        if ((status = ulog_add_update(kcontext, upd)) != 0)
+            goto err_lock;
     }
 
-    if (v->put_principal == NULL) {
-        status = KRB5_PLUGIN_OP_NOTSUPP;
-        goto err_lock;
-    }
+    status = v->put_principal(kcontext, entry, db_args);
+    if (status == 0 && upd != NULL)
+        (void) ulog_finish_update(kcontext, upd);
 
-    status = v->put_principal(kcontext, entries, nentries, db_args);
-    if (status == 0 && fupd) {
-        upd = fupd;
-        for (i = 0; i < *nentries; i++) {
-            (void) ulog_finish_update(kcontext, upd);
-            upd++;
-        }
-    }
 err_lock:
     if (ulog_locked)
         ulog_lock(kcontext, KRB5_LOCKMODE_UNLOCK);
 
 clean_n_exit:
     free_db_args(kcontext, db_args);
-
-    if (log_ctx && (log_ctx->iproprole == IPROP_MASTER))
-        ulog_free_entries(fupd, *nentries);
-
+    ulog_free_entries(upd, 1);
     return status;
 }
 
 krb5_error_code
 krb5int_delete_principal_no_log(krb5_context kcontext,
-                                krb5_principal search_for,
-                                int *nentries)
+                                krb5_principal search_for)
 {
     kdb_vftabl *v;
     krb5_error_code status;
@@ -946,12 +903,12 @@ krb5int_delete_principal_no_log(krb5_context kcontext,
         return status;
     if (v->delete_principal == NULL)
         return KRB5_PLUGIN_OP_NOTSUPP;
-    return v->delete_principal(kcontext, search_for, nentries);
+    return v->delete_principal(kcontext, search_for);
 }
 
 krb5_error_code
 krb5_db_delete_principal(krb5_context kcontext,
-                         krb5_principal search_for, int *nentries)
+                         krb5_principal search_for)
 {
     krb5_error_code status = 0;
     kdb_vftabl *v;
@@ -994,7 +951,7 @@ krb5_db_delete_principal(krb5_context kcontext,
     if (v->delete_principal == NULL)
         return KRB5_PLUGIN_OP_NOTSUPP;
 
-    status = v->delete_principal(kcontext, search_for, nentries);
+    status = v->delete_principal(kcontext, search_for);
 
     /*
      * We need to commit our update upon success
@@ -1168,21 +1125,15 @@ krb5_db_fetch_mkey(krb5_context    context,
          * princ.
          */
         if (kvno != NULL && *kvno == IGNORE_VNO) {
-            int nentries = 1;
-            krb5_boolean more;
             krb5_error_code rc;
-            krb5_db_entry master_entry;
-
-            rc = krb5_db_get_principal(context, mname,
-                                       &master_entry, &nentries, &more);
+            krb5_db_entry *master_entry;
 
-            if (rc == 0 && nentries == 1 && more == FALSE)
-                *kvno = (krb5_kvno) master_entry.key_data->key_data_kvno;
-            else
+            rc = krb5_db_get_principal(context, mname, 0, &master_entry);
+            if (rc == 0) {
+                *kvno = (krb5_kvno) master_entry->key_data->key_data_kvno;
+                krb5_db_free_principal(context, master_entry);
+            } else
                 *kvno = 1;
-
-            if (rc == 0 && nentries)
-                krb5_db_free_principal(context, &master_entry, nentries);
         }
 
         if (!salt)
@@ -1233,32 +1184,18 @@ krb5_dbe_fetch_act_key_list(krb5_context         context,
                             krb5_actkvno_node  **act_key_list)
 {
     krb5_error_code retval = 0;
-    krb5_db_entry entry;
-    int nprinc;
-    krb5_boolean more;
+    krb5_db_entry *entry;
 
     if (act_key_list == NULL)
         return (EINVAL);
 
-    nprinc = 1;
-    if ((retval = krb5_db_get_principal(context, princ, &entry,
-                                        &nprinc, &more))) {
-        return (retval);
-    }
-
-    if (nprinc != 1) {
-        if (nprinc) {
-            krb5_db_free_principal(context, &entry, nprinc);
-            return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
-        } else {
-            return(KRB5_KDB_NOMASTERKEY);
-        }
-    } else if (more) {
-        krb5_db_free_principal(context, &entry, nprinc);
-        return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
-    }
+    retval = krb5_db_get_principal(context, princ, 0, &entry);
+    if (retval == KRB5_KDB_NOENTRY)
+        return KRB5_KDB_NOMASTERKEY;
+    else if (retval)
+        return retval;
 
-    retval = krb5_dbe_lookup_actkvno(context, &entry, act_key_list);
+    retval = krb5_dbe_lookup_actkvno(context, entry, act_key_list);
 
     if (*act_key_list == NULL) {
         krb5_actkvno_node *tmp_actkvno;
@@ -1267,17 +1204,19 @@ krb5_dbe_fetch_act_key_list(krb5_context         context,
          */
 
         tmp_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node));
-        if (tmp_actkvno == NULL)
-            return (ENOMEM);
+        if (tmp_actkvno == NULL) {
+            krb5_db_free_principal(context, entry);
+            return ENOMEM;
+        }
 
         memset(tmp_actkvno, 0, sizeof(krb5_actkvno_node));
         tmp_actkvno->act_time = 0; /* earliest time possible */
         /* use most current key */
-        tmp_actkvno->act_kvno = entry.key_data[0].key_data_kvno;
+        tmp_actkvno->act_kvno = entry->key_data[0].key_data_kvno;
         *act_key_list = tmp_actkvno;
     }
 
-    krb5_db_free_principal(context, &entry, nprinc);
+    krb5_db_free_principal(context, entry);
     return retval;
 }
 
@@ -2144,8 +2083,7 @@ krb5_db_create_policy(krb5_context kcontext, osa_policy_ent_t policy)
 }
 
 krb5_error_code
-krb5_db_get_policy(krb5_context kcontext, char *name,
-                   osa_policy_ent_t * policy, int *cnt)
+krb5_db_get_policy(krb5_context kcontext, char *name, osa_policy_ent_t *policy)
 {
     krb5_error_code status = 0;
     kdb_vftabl *v;
@@ -2155,7 +2093,7 @@ krb5_db_get_policy(krb5_context kcontext, char *name,
         return status;
     if (v->get_policy == NULL)
         return KRB5_PLUGIN_OP_NOTSUPP;
-    return v->get_policy(kcontext, name, policy, cnt);
+    return v->get_policy(kcontext, name, policy);
 }
 
 krb5_error_code
index 994f1f9317a3bcf8fc80e6f98fc676734b9af7a5..9d63ca86c177ca812d4382ba11d8a3074c1a67bb 100644 (file)
 
 krb5_error_code
 krb5int_put_principal_no_log(krb5_context kcontext,
-                             krb5_db_entry *entries, int *nentries);
+                             krb5_db_entry *entries);
 
 krb5_error_code
 krb5int_delete_principal_no_log(krb5_context kcontext,
-                                krb5_principal search_for,
-                                int *nentries);
+                                krb5_principal search_for);
 
 #endif /* __KDB5INT_H__ */
index df3019d6d16099cbf07f8c5ec7bd4ee6e2172906..20bcc31e89b6f0fa0bc205d02f1698929729a0fe 100644 (file)
@@ -291,581 +291,525 @@ error:
 
 
 /*
- * This routine converts one or more krb5 db2 records into update
- * log (ulog) entry format. Space for the update log entries should
- * be allocated prior to invocation of this routine.
+ * This routine converts a krb5 DB record into update log (ulog) entry format.
+ * Space for the update log entry should be allocated prior to invocation of
+ * this routine.
  */
 krb5_error_code
-ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries,
-                    kdb_incr_update_t *updates,
-                    int nentries)
+ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry,
+                    kdb_incr_update_t *update)
 {
-    int i, j, k, cnt, final, nattrs, tmpint, nprincs;
-    unsigned int more;
+    int i, j, cnt, final, nattrs, tmpint;
     krb5_principal tmpprinc;
     krb5_tl_data *newtl;
-    krb5_db_entry curr;
+    krb5_db_entry *curr;
     krb5_error_code ret;
     kdbe_attr_type_t *attr_types;
-    kdb_incr_update_t *upd;
-    krb5_db_entry *ent;
     int kadm_data_yes;
     /* always exclude non-replicated attributes, for now */
     krb5_boolean exclude_nra = TRUE;
 
-    if ((updates == NULL) || (entries == NULL))
-        return (KRB5KRB_ERR_GENERIC);
+    nattrs = tmpint = 0;
+    final = -1;
+    kadm_data_yes = 0;
+    attr_types = NULL;
 
-    upd = updates;
-    ent = entries;
+    /*
+     * XXX we rely on the good behaviour of the database not to
+     * exceed this limit.
+     */
+    if ((update->kdb_update.kdbe_t_val = (kdbe_val_t *)
+         malloc(MAXENTRY_SIZE)) == NULL) {
+        return (ENOMEM);
+    }
 
-    for (k = 0; k < nentries; k++) {
-        nprincs = nattrs = tmpint = 0;
-        final = -1;
-        kadm_data_yes = 0;
-        attr_types = NULL;
+    /*
+     * Find out which attrs have been modified
+     */
+    if ((attr_types = (kdbe_attr_type_t *)malloc(
+             sizeof (kdbe_attr_type_t) * MAXATTRS_SIZE))
+        == NULL) {
+        return (ENOMEM);
+    }
 
-        /*
-         * XXX we rely on the good behaviour of the database not to
-         * exceed this limit.
-         */
-        if ((upd->kdb_update.kdbe_t_val = (kdbe_val_t *)
-             malloc(MAXENTRY_SIZE)) == NULL) {
-            return (ENOMEM);
-        }
+    ret = krb5_db_get_principal(context, entry->princ, 0, &curr);
+    if (ret && ret != KRB5_KDB_NOENTRY) {
+        free(attr_types);
+        return (ret);
+    }
 
+    if (ret == KRB5_KDB_NOENTRY) {
         /*
-         * Find out which attrs have been modified
+         * This is a new entry to the database, hence will
+         * include all the attribute-value pairs
+         *
+         * We leave out the TL_DATA types which we model as
+         * attrs in kdbe_attr_type_t, since listing AT_TL_DATA
+         * encompasses these other types-turned-attributes
+         *
+         * So, we do *NOT* consider AT_MOD_PRINC, AT_MOD_TIME,
+         * AT_MOD_WHERE, AT_PW_LAST_CHANGE, AT_PW_POLICY,
+         * AT_PW_POLICY_SWITCH, AT_PW_HIST_KVNO and AT_PW_HIST,
+         * totalling 8 attrs.
          */
-        if ((attr_types = (kdbe_attr_type_t *)malloc(
-                 sizeof (kdbe_attr_type_t) * MAXATTRS_SIZE))
-            == NULL) {
-            return (ENOMEM);
-        }
-
-        if ((ret = krb5_db_get_principal(context, ent->princ, &curr,
-                                         &nprincs, &more))) {
-            free(attr_types);
-            return (ret);
+        while (nattrs < MAXATTRS_SIZE - 8) {
+            attr_types[nattrs] = nattrs;
+            nattrs++;
         }
+    } else {
+        find_changed_attrs(curr, entry, exclude_nra, attr_types, &nattrs);
+        krb5_db_free_principal(context, curr);
+    }
 
-        if (nprincs == 0) {
-            /*
-             * This is a new entry to the database, hence will
-             * include all the attribute-value pairs
-             *
-             * We leave out the TL_DATA types which we model as
-             * attrs in kdbe_attr_type_t, since listing AT_TL_DATA
-             * encompasses these other types-turned-attributes
-             *
-             * So, we do *NOT* consider AT_MOD_PRINC, AT_MOD_TIME,
-             * AT_MOD_WHERE, AT_PW_LAST_CHANGE, AT_PW_POLICY,
-             * AT_PW_POLICY_SWITCH, AT_PW_HIST_KVNO and AT_PW_HIST,
-             * totalling 8 attrs.
-             */
-            while (nattrs < MAXATTRS_SIZE - 8) {
-                attr_types[nattrs] = nattrs;
-                nattrs++;
+    for (i = 0; i < nattrs; i++) {
+        switch (attr_types[i]) {
+        case AT_ATTRFLAGS:
+            if (entry->attributes >= 0) {
+                ULOG_ENTRY_TYPE(update, ++final).av_type =
+                    AT_ATTRFLAGS;
+                ULOG_ENTRY(update, final).av_attrflags =
+                    (uint32_t)entry->attributes;
             }
-        } else {
-            find_changed_attrs(&curr, ent, exclude_nra, attr_types, &nattrs);
+            break;
 
-            krb5_db_free_principal(context, &curr, nprincs);
-        }
+        case AT_MAX_LIFE:
+            if (entry->max_life >= 0) {
+                ULOG_ENTRY_TYPE(update, ++final).av_type = AT_MAX_LIFE;
+                ULOG_ENTRY(update, final).av_max_life =
+                    (uint32_t)entry->max_life;
+            }
+            break;
 
-        for (i = 0; i < nattrs; i++) {
-            switch (attr_types[i]) {
-            case AT_ATTRFLAGS:
-                if (ent->attributes >= 0) {
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_ATTRFLAGS;
-                    ULOG_ENTRY(upd, final).av_attrflags =
-                        (uint32_t)ent->attributes;
-                }
-                break;
+        case AT_MAX_RENEW_LIFE:
+            if (entry->max_renewable_life >= 0) {
+                ULOG_ENTRY_TYPE(update, ++final).av_type = AT_MAX_RENEW_LIFE;
+                ULOG_ENTRY(update, final).av_max_renew_life =
+                    (uint32_t)entry->max_renewable_life;
+            }
+            break;
 
-            case AT_MAX_LIFE:
-                if (ent->max_life >= 0) {
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_MAX_LIFE;
-                    ULOG_ENTRY(upd, final).av_max_life =
-                        (uint32_t)ent->max_life;
-                }
-                break;
+        case AT_EXP:
+            if (entry->expiration >= 0) {
+                ULOG_ENTRY_TYPE(update, ++final).av_type = AT_EXP;
+                ULOG_ENTRY(update, final).av_exp = (uint32_t)entry->expiration;
+            }
+            break;
 
-            case AT_MAX_RENEW_LIFE:
-                if (ent->max_renewable_life >= 0) {
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_MAX_RENEW_LIFE;
-                    ULOG_ENTRY(upd,
-                               final).av_max_renew_life =
-                        (uint32_t)ent->max_renewable_life;
-                }
-                break;
+        case AT_PW_EXP:
+            if (entry->pw_expiration >= 0) {
+                ULOG_ENTRY_TYPE(update, ++final).av_type = AT_PW_EXP;
+                ULOG_ENTRY(update, final).av_pw_exp =
+                    (uint32_t)entry->pw_expiration;
+            }
+            break;
 
-            case AT_EXP:
-                if (ent->expiration >= 0) {
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_EXP;
-                    ULOG_ENTRY(upd, final).av_exp =
-                        (uint32_t)ent->expiration;
-                }
-                break;
+        case AT_LAST_SUCCESS:
+            if (!exclude_nra && entry->last_success >= 0) {
+                ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LAST_SUCCESS;
+                ULOG_ENTRY(update, final).av_last_success =
+                    (uint32_t)entry->last_success;
+            }
+            break;
 
-            case AT_PW_EXP:
-                if (ent->pw_expiration >= 0) {
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_PW_EXP;
-                    ULOG_ENTRY(upd, final).av_pw_exp =
-                        (uint32_t)ent->pw_expiration;
+        case AT_LAST_FAILED:
+            if (!exclude_nra && entry->last_failed >= 0) {
+                ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LAST_FAILED;
+                ULOG_ENTRY(update, final).av_last_failed =
+                    (uint32_t)entry->last_failed;
+            }
+            break;
+
+        case AT_FAIL_AUTH_COUNT:
+            if (!exclude_nra && entry->fail_auth_count >= (krb5_kvno)0) {
+                ULOG_ENTRY_TYPE(update, ++final).av_type =
+                    AT_FAIL_AUTH_COUNT;
+                ULOG_ENTRY(update, final).av_fail_auth_count =
+                    (uint32_t)entry->fail_auth_count;
+            }
+            break;
+
+        case AT_PRINC:
+            if (entry->princ->length > 0) {
+                ULOG_ENTRY_TYPE(update, ++final).av_type = AT_PRINC;
+                if ((ret = conv_princ_2ulog(entry->princ,
+                                            update, final, REG_PRINC))) {
+                    free(attr_types);
+                    return (ret);
                 }
-                break;
+            }
+            break;
 
-            case AT_LAST_SUCCESS:
-                if (!exclude_nra && ent->last_success >= 0) {
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_LAST_SUCCESS;
-                    ULOG_ENTRY(upd,
-                               final).av_last_success =
-                        (uint32_t)ent->last_success;
+        case AT_KEYDATA:
+/* BEGIN CSTYLED */
+            if (entry->n_key_data >= 0) {
+                ULOG_ENTRY_TYPE(update, ++final).av_type = AT_KEYDATA;
+                ULOG_ENTRY(update, final).av_keydata.av_keydata_len =
+                    entry->n_key_data;
+                ULOG_ENTRY(update, final).av_keydata.av_keydata_val =
+                    malloc(entry->n_key_data * sizeof (kdbe_key_t));
+                if (ULOG_ENTRY(update, final).av_keydata.av_keydata_val ==
+                    NULL) {
+                    free(attr_types);
+                    return (ENOMEM);
                 }
-                break;
 
-            case AT_LAST_FAILED:
-                if (!exclude_nra && ent->last_failed >= 0) {
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_LAST_FAILED;
-                    ULOG_ENTRY(upd,
-                               final).av_last_failed =
-                        (uint32_t)ent->last_failed;
-                }
-                break;
+                for (j = 0; j < entry->n_key_data; j++) {
+                    ULOG_ENTRY_KEYVAL(update, final, j).k_ver =
+                        entry->key_data[j].key_data_ver;
+                    ULOG_ENTRY_KEYVAL(update, final, j).k_kvno =
+                        entry->key_data[j].key_data_kvno;
+                    ULOG_ENTRY_KEYVAL(update, final, j).k_enctype.k_enctype_len = entry->key_data[j].key_data_ver;
+                    ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_len = entry->key_data[j].key_data_ver;
 
-            case AT_FAIL_AUTH_COUNT:
-                if (!exclude_nra && ent->fail_auth_count >= (krb5_kvno)0) {
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_FAIL_AUTH_COUNT;
-                    ULOG_ENTRY(upd,
-                               final).av_fail_auth_count =
-                        (uint32_t)ent->fail_auth_count;
-                }
-                break;
-
-            case AT_PRINC:
-                if (ent->princ->length > 0) {
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_PRINC;
-                    if ((ret = conv_princ_2ulog(ent->princ,
-                                                upd, final, REG_PRINC))) {
+                    ULOG_ENTRY_KEYVAL(update, final, j).k_enctype.k_enctype_val = malloc(entry->key_data[j].key_data_ver * sizeof(int32_t));
+                    if (ULOG_ENTRY_KEYVAL(update, final, j).k_enctype.k_enctype_val == NULL) {
                         free(attr_types);
-                        return (ret);
+                        return (ENOMEM);
                     }
-                }
-                break;
 
-            case AT_KEYDATA:
-/* BEGIN CSTYLED */
-                if (ent->n_key_data >= 0) {
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_KEYDATA;
-                    ULOG_ENTRY(upd, final).av_keydata.av_keydata_len = ent->n_key_data;
-
-                    ULOG_ENTRY(upd, final).av_keydata.av_keydata_val = malloc(ent->n_key_data * sizeof (kdbe_key_t));
-                    if (ULOG_ENTRY(upd, final).av_keydata.av_keydata_val == NULL) {
+                    ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val = malloc(entry->key_data[j].key_data_ver * sizeof(utf8str_t));
+                    if (ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val == NULL) {
                         free(attr_types);
                         return (ENOMEM);
                     }
 
-                    for (j = 0; j < ent->n_key_data; j++) {
-                        ULOG_ENTRY_KEYVAL(upd, final, j).k_ver = ent->key_data[j].key_data_ver;
-                        ULOG_ENTRY_KEYVAL(upd, final, j).k_kvno = ent->key_data[j].key_data_kvno;
-                        ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_len = ent->key_data[j].key_data_ver;
-                        ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_len = ent->key_data[j].key_data_ver;
-
-                        ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val = malloc(ent->key_data[j].key_data_ver * sizeof(int32_t));
-                        if (ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val == NULL) {
-                            free(attr_types);
-                            return (ENOMEM);
-                        }
-
-                        ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val = malloc(ent->key_data[j].key_data_ver * sizeof(utf8str_t));
-                        if (ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val == NULL) {
+                    for (cnt = 0; cnt < entry->key_data[j].key_data_ver;
+                         cnt++) {
+                        ULOG_ENTRY_KEYVAL(update, final, j).k_enctype.k_enctype_val[cnt] = entry->key_data[j].key_data_type[cnt];
+                        ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val[cnt].utf8str_t_len = entry->key_data[j].key_data_length[cnt];
+                        ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val[cnt].utf8str_t_val = malloc(entry->key_data[j].key_data_length[cnt] * sizeof (char));
+                        if (ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val[cnt].utf8str_t_val == NULL) {
                             free(attr_types);
                             return (ENOMEM);
                         }
-
-                        for (cnt = 0; cnt < ent->key_data[j].key_data_ver; cnt++) {
-                            ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val[cnt] = ent->key_data[j].key_data_type[cnt];
-                            ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_len = ent->key_data[j].key_data_length[cnt];
-                            ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val = malloc(ent->key_data[j].key_data_length[cnt] * sizeof (char));
-                            if (ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val == NULL) {
-                                free(attr_types);
-                                return (ENOMEM);
-                            }
-                            (void) memcpy(ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val, ent->key_data[j].key_data_contents[cnt], ent->key_data[j].key_data_length[cnt]);
-                        }
+                        (void) memcpy(ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val[cnt].utf8str_t_val, entry->key_data[j].key_data_contents[cnt], entry->key_data[j].key_data_length[cnt]);
                     }
                 }
-                break;
+            }
+            break;
 
-            case AT_TL_DATA:
-                ret = krb5_dbe_lookup_last_pwd_change(context,
-                                                      ent, &tmpint);
-                if (ret == 0) {
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_PW_LAST_CHANGE;
-                    ULOG_ENTRY(upd, final).av_pw_last_change = tmpint;
-                }
-                tmpint = 0;
+        case AT_TL_DATA:
+            ret = krb5_dbe_lookup_last_pwd_change(context, entry, &tmpint);
+            if (ret == 0) {
+                ULOG_ENTRY_TYPE(update, ++final).av_type = AT_PW_LAST_CHANGE;
+                ULOG_ENTRY(update, final).av_pw_last_change = tmpint;
+            }
+            tmpint = 0;
 
-                if(!(ret = krb5_dbe_lookup_mod_princ_data(
-                         context, ent, &tmpint, &tmpprinc))) {
+            if(!(ret = krb5_dbe_lookup_mod_princ_data(context, entry, &tmpint,
+                                                      &tmpprinc))) {
 
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_MOD_PRINC;
+                ULOG_ENTRY_TYPE(update, ++final).av_type = AT_MOD_PRINC;
 
-                    ret = conv_princ_2ulog(tmpprinc,
-                                           upd, final, MOD_PRINC);
-                    krb5_free_principal(context, tmpprinc);
-                    if (ret) {
-                        free(attr_types);
-                        return (ret);
-                    }
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_MOD_TIME;
-                    ULOG_ENTRY(upd, final).av_mod_time =
-                        tmpint;
+                ret = conv_princ_2ulog(tmpprinc, update, final, MOD_PRINC);
+                krb5_free_principal(context, tmpprinc);
+                if (ret) {
+                    free(attr_types);
+                    return (ret);
                 }
+                ULOG_ENTRY_TYPE(update, ++final).av_type = AT_MOD_TIME;
+                ULOG_ENTRY(update, final).av_mod_time =
+                    tmpint;
+            }
 
-                newtl = ent->tl_data;
-                while (newtl) {
-                    switch (newtl->tl_data_type) {
-                    case KRB5_TL_LAST_PWD_CHANGE:
-                    case KRB5_TL_MOD_PRINC:
-                        break;
-
-                    case KRB5_TL_KADM_DATA:
-                    default:
-                        if (kadm_data_yes == 0) {
-                            ULOG_ENTRY_TYPE(upd, ++final).av_type = AT_TL_DATA;
-                            ULOG_ENTRY(upd, final).av_tldata.av_tldata_len = 0;
-                            ULOG_ENTRY(upd, final).av_tldata.av_tldata_val = malloc(ent->n_tl_data * sizeof(kdbe_tl_t));
-
-                            if (ULOG_ENTRY(upd, final).av_tldata.av_tldata_val == NULL) {
-                                free(attr_types);
-                                return (ENOMEM);
-                            }
-                            kadm_data_yes = 1;
-                        }
+            newtl = entry->tl_data;
+            while (newtl) {
+                switch (newtl->tl_data_type) {
+                case KRB5_TL_LAST_PWD_CHANGE:
+                case KRB5_TL_MOD_PRINC:
+                    break;
 
-                        tmpint = ULOG_ENTRY(upd, final).av_tldata.av_tldata_len;
-                        ULOG_ENTRY(upd, final).av_tldata.av_tldata_len++;
-                        ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_type = newtl->tl_data_type;
-                        ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_len = newtl->tl_data_length;
-                        ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val = malloc(newtl->tl_data_length * sizeof (char));
-                        if (ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val == NULL) {
+                case KRB5_TL_KADM_DATA:
+                default:
+                    if (kadm_data_yes == 0) {
+                        ULOG_ENTRY_TYPE(update, ++final).av_type = AT_TL_DATA;
+                        ULOG_ENTRY(update, final).av_tldata.av_tldata_len = 0;
+                        ULOG_ENTRY(update, final).av_tldata.av_tldata_val =
+                            malloc(entry->n_tl_data * sizeof(kdbe_tl_t));
+
+                        if (ULOG_ENTRY(update, final).av_tldata.av_tldata_val
+                            == NULL) {
                             free(attr_types);
                             return (ENOMEM);
                         }
-                        (void) memcpy(ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val, newtl->tl_data_contents, newtl->tl_data_length);
-                        break;
+                        kadm_data_yes = 1;
                     }
-                    newtl = newtl->tl_data_next;
-                }
-                break;
-/* END CSTYLED */
 
-            case AT_LEN:
-                if (ent->len >= 0) {
-                    ULOG_ENTRY_TYPE(upd, ++final).av_type =
-                        AT_LEN;
-                    ULOG_ENTRY(upd, final).av_len =
-                        (int16_t)ent->len;
+                    tmpint = ULOG_ENTRY(update, final).av_tldata.av_tldata_len;
+                    ULOG_ENTRY(update, final).av_tldata.av_tldata_len++;
+                    ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_type = newtl->tl_data_type;
+                    ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_len = newtl->tl_data_length;
+                    ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val = malloc(newtl->tl_data_length * sizeof (char));
+                    if (ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val == NULL) {
+                        free(attr_types);
+                        return (ENOMEM);
+                    }
+                    (void) memcpy(ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val, newtl->tl_data_contents, newtl->tl_data_length);
+                    break;
                 }
-                break;
+                newtl = newtl->tl_data_next;
+            }
+            break;
+/* END CSTYLED */
 
-            default:
-                break;
+        case AT_LEN:
+            if (entry->len >= 0) {
+                ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LEN;
+                ULOG_ENTRY(update, final).av_len = (int16_t)entry->len;
             }
+            break;
 
+        default:
+            break;
         }
 
-        free(attr_types);
+    }
 
-        /*
-         * Update len field in kdb_update
-         */
-        upd->kdb_update.kdbe_t_len = ++final;
+    free(attr_types);
 
-        /*
-         * Bump up to next struct
-         */
-        upd++;
-        ent++;
-    }
+    /*
+     * Update len field in kdb_update
+     */
+    update->kdb_update.kdbe_t_len = ++final;
     return (0);
 }
 
-/*
- * This routine converts one or more update log (ulog) entries into
- * kerberos db2 records. Required memory should be allocated
- * for the db2 records (pointed to by krb5_db_entry *ent), prior
- * to calling this routine.
- */
+/* Convert an update log (ulog) entry into a kerberos record. */
 krb5_error_code
-ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries,
-                   kdb_incr_update_t *updates,
-                   int nentries)
+ulog_conv_2dbentry(krb5_context context, krb5_db_entry **entry,
+                   kdb_incr_update_t *update)
 {
-    int k;
     krb5_db_entry *ent;
-    kdb_incr_update_t *upd;
     int slave;
+    krb5_principal mod_princ = NULL;
+    int i, j, cnt = 0, mod_time = 0, nattrs;
+    krb5_principal dbprinc;
+    char *dbprincstr = NULL;
+    krb5_tl_data *newtl = NULL;
+    krb5_error_code ret;
+    unsigned int prev_n_keys = 0;
+    krb5_boolean is_add;
 
-    if ((updates == NULL) || (entries == NULL))
-        return (KRB5KRB_ERR_GENERIC);
-
-    ent = entries;
-    upd = updates;
+    *entry = NULL;
 
     slave = (context->kdblog_context != NULL) &&
         (context->kdblog_context->iproprole == IPROP_SLAVE);
 
-    for (k = 0; k < nentries; k++) {
-        krb5_principal mod_princ = NULL;
-        int i, j, cnt = 0, mod_time = 0, nattrs, nprincs = 0;
-        krb5_principal dbprinc;
-        char *dbprincstr = NULL;
-
-        krb5_tl_data *newtl = NULL;
-        krb5_error_code ret;
-        unsigned int more;
-        unsigned int prev_n_keys = 0;
-
-        /*
-         * If the ulog entry represents a DELETE update,
-         * just skip to the next entry.
-         */
-        if (upd->kdb_deleted == TRUE)
-            goto next;
-
-        /*
-         * Store the no. of changed attributes in nattrs
-         */
-        nattrs = upd->kdb_update.kdbe_t_len;
+    /*
+     * Store the no. of changed attributes in nattrs
+     */
+    nattrs = update->kdb_update.kdbe_t_len;
+
+    dbprincstr = malloc((update->kdb_princ_name.utf8str_t_len + 1)
+                        * sizeof (char));
+    if (dbprincstr == NULL)
+        return (ENOMEM);
+    strncpy(dbprincstr, (char *)update->kdb_princ_name.utf8str_t_val,
+            update->kdb_princ_name.utf8str_t_len);
+    dbprincstr[update->kdb_princ_name.utf8str_t_len] = 0;
+
+    ret = krb5_parse_name(context, dbprincstr, &dbprinc);
+    free(dbprincstr);
+    if (ret)
+        return (ret);
+
+    ret = krb5_db_get_principal(context, dbprinc, 0, &ent);
+    krb5_free_principal(context, dbprinc);
+    if (ret && ret != KRB5_KDB_NOENTRY)
+        return (ret);
+    is_add = (ret == KRB5_KDB_NOENTRY);
 
-        dbprincstr = malloc((upd->kdb_princ_name.utf8str_t_len + 1)
-                            * sizeof (char));
-        if (dbprincstr == NULL)
+    /*
+     * Set ent->n_tl_data = 0 initially, if this is an ADD update
+     */
+    if (is_add) {
+        ent = krb5_db_alloc(context, NULL, sizeof(*ent));
+        if (ent == NULL)
             return (ENOMEM);
-        strncpy(dbprincstr, (char *)upd->kdb_princ_name.utf8str_t_val,
-                upd->kdb_princ_name.utf8str_t_len);
-        dbprincstr[upd->kdb_princ_name.utf8str_t_len] = 0;
-
-        ret = krb5_parse_name(context, dbprincstr, &dbprinc);
-        free(dbprincstr);
-        if (ret)
-            return (ret);
-
-        ret = krb5_db_get_principal(context, dbprinc, ent, &nprincs,
-                                    &more);
-        krb5_free_principal(context, dbprinc);
-        if (ret)
-            return (ret);
-
-        /*
-         * Set ent->n_tl_data = 0 initially, if this is an ADD update
-         */
-        if (nprincs == 0)
-            ent->n_tl_data = 0;
-
-        for (i = 0; i < nattrs; i++) {
-            krb5_principal tmpprinc = NULL;
-
-#define u (ULOG_ENTRY(upd, i))
-            switch (ULOG_ENTRY_TYPE(upd, i).av_type) {
-            case AT_ATTRFLAGS:
-                ent->attributes = (krb5_flags) u.av_attrflags;
-                break;
-
-            case AT_MAX_LIFE:
-                ent->max_life = (krb5_deltat) u.av_max_life;
-                break;
-
-            case AT_MAX_RENEW_LIFE:
-                ent->max_renewable_life = (krb5_deltat) u.av_max_renew_life;
-                break;
-
-            case AT_EXP:
-                ent->expiration = (krb5_timestamp) u.av_exp;
-                break;
-
-            case AT_PW_EXP:
-                ent->pw_expiration = (krb5_timestamp) u.av_pw_exp;
-                break;
-
-            case AT_LAST_SUCCESS:
-                if (!slave)
-                    ent->last_success = (krb5_timestamp) u.av_last_success;
-                break;
-
-            case AT_LAST_FAILED:
-                if (!slave)
-                    ent->last_failed = (krb5_timestamp) u.av_last_failed;
-                break;
-
-            case AT_FAIL_AUTH_COUNT:
-                if (!slave)
-                    ent->fail_auth_count = (krb5_kvno) u.av_fail_auth_count;
-                break;
-
-            case AT_PRINC:
-                tmpprinc = conv_princ_2db(context, &u.av_princ);
-                if (tmpprinc == NULL)
-                    return ENOMEM;
-                if (nprincs)
-                    krb5_free_principal(context, ent->princ);
-                ent->princ = tmpprinc;
-                break;
+        memset(ent, 0, sizeof(*ent));
+        ent->n_tl_data = 0;
+    }
 
-            case AT_KEYDATA:
-                if (nprincs != 0)
-                    prev_n_keys = ent->n_key_data;
-                else
-                    prev_n_keys = 0;
-                ent->n_key_data = (krb5_int16)u.av_keydata.av_keydata_len;
-                if (nprincs == 0)
-                    ent->key_data = NULL;
-
-                ent->key_data = (krb5_key_data *)realloc(ent->key_data,
-                                                         (ent->n_key_data *
-                                                          sizeof (krb5_key_data)));
-                /* XXX Memory leak: Old key data in
-                   records eliminated by resizing to
-                   smaller size.  */
-                if (ent->key_data == NULL)
-                    /* XXX Memory leak: old storage.  */
-                    return (ENOMEM);
+    for (i = 0; i < nattrs; i++) {
+        krb5_principal tmpprinc = NULL;
+
+#define u (ULOG_ENTRY(update, i))
+        switch (ULOG_ENTRY_TYPE(update, i).av_type) {
+        case AT_ATTRFLAGS:
+            ent->attributes = (krb5_flags) u.av_attrflags;
+            break;
+
+        case AT_MAX_LIFE:
+            ent->max_life = (krb5_deltat) u.av_max_life;
+            break;
+
+        case AT_MAX_RENEW_LIFE:
+            ent->max_renewable_life = (krb5_deltat) u.av_max_renew_life;
+            break;
+
+        case AT_EXP:
+            ent->expiration = (krb5_timestamp) u.av_exp;
+            break;
+
+        case AT_PW_EXP:
+            ent->pw_expiration = (krb5_timestamp) u.av_pw_exp;
+            break;
+
+        case AT_LAST_SUCCESS:
+            if (!slave)
+                ent->last_success = (krb5_timestamp) u.av_last_success;
+            break;
+
+        case AT_LAST_FAILED:
+            if (!slave)
+                ent->last_failed = (krb5_timestamp) u.av_last_failed;
+            break;
+
+        case AT_FAIL_AUTH_COUNT:
+            if (!slave)
+                ent->fail_auth_count = (krb5_kvno) u.av_fail_auth_count;
+            break;
+
+        case AT_PRINC:
+            tmpprinc = conv_princ_2db(context, &u.av_princ);
+            if (tmpprinc == NULL)
+                return ENOMEM;
+            krb5_free_principal(context, ent->princ);
+            ent->princ = tmpprinc;
+            break;
+
+        case AT_KEYDATA:
+            if (!is_add)
+                prev_n_keys = ent->n_key_data;
+            else
+                prev_n_keys = 0;
+            ent->n_key_data = (krb5_int16)u.av_keydata.av_keydata_len;
+            if (is_add)
+                ent->key_data = NULL;
+
+            ent->key_data = (krb5_key_data *)realloc(ent->key_data,
+                                                     (ent->n_key_data *
+                                                      sizeof (krb5_key_data)));
+            /* XXX Memory leak: Old key data in
+               records eliminated by resizing to
+               smaller size.  */
+            if (ent->key_data == NULL)
+                /* XXX Memory leak: old storage.  */
+                return (ENOMEM);
 
 /* BEGIN CSTYLED */
-                for (j = prev_n_keys; j < ent->n_key_data; j++) {
-                    for (cnt = 0; cnt < 2; cnt++) {
-                        ent->key_data[j].key_data_contents[cnt] = NULL;
-                    }
+            for (j = prev_n_keys; j < ent->n_key_data; j++) {
+                for (cnt = 0; cnt < 2; cnt++) {
+                    ent->key_data[j].key_data_contents[cnt] = NULL;
                 }
-                for (j = 0; j < ent->n_key_data; j++) {
-                    krb5_key_data *kp = &ent->key_data[j];
-                    kdbe_key_t *kv = &ULOG_ENTRY_KEYVAL(upd, i, j);
-                    kp->key_data_ver = (krb5_int16)kv->k_ver;
-                    kp->key_data_kvno = (krb5_int16)kv->k_kvno;
-                    if (kp->key_data_ver > 2) {
-                        return EINVAL; /* XXX ? */
-                    }
-
-                    for (cnt = 0; cnt < kp->key_data_ver; cnt++) {
-                        void *newptr;
-                        kp->key_data_type[cnt] =  (krb5_int16)kv->k_enctype.k_enctype_val[cnt];
-                        kp->key_data_length[cnt] = (krb5_int16)kv->k_contents.k_contents_val[cnt].utf8str_t_len;
-                        newptr = realloc(kp->key_data_contents[cnt],
-                                         kp->key_data_length[cnt]);
-                        if (newptr == NULL)
-                            return ENOMEM;
-                        kp->key_data_contents[cnt] = newptr;
-
-                        (void) memset(kp->key_data_contents[cnt], 0,
-                                      kp->key_data_length[cnt]);
-                        (void) memcpy(kp->key_data_contents[cnt],
-                                      kv->k_contents.k_contents_val[cnt].utf8str_t_val,
-                                      kp->key_data_length[cnt]);
-                    }
+            }
+            for (j = 0; j < ent->n_key_data; j++) {
+                krb5_key_data *kp = &ent->key_data[j];
+                kdbe_key_t *kv = &ULOG_ENTRY_KEYVAL(update, i, j);
+                kp->key_data_ver = (krb5_int16)kv->k_ver;
+                kp->key_data_kvno = (krb5_int16)kv->k_kvno;
+                if (kp->key_data_ver > 2) {
+                    return EINVAL; /* XXX ? */
                 }
-                break;
-
-            case AT_TL_DATA: {
-                int t;
 
-                cnt = u.av_tldata.av_tldata_len;
-                newtl = calloc(cnt, sizeof (krb5_tl_data));
-                if (newtl == NULL)
+                for (cnt = 0; cnt < kp->key_data_ver; cnt++) {
+                    void *newptr;
+                    kp->key_data_type[cnt] =  (krb5_int16)kv->k_enctype.k_enctype_val[cnt];
+                    kp->key_data_length[cnt] = (krb5_int16)kv->k_contents.k_contents_val[cnt].utf8str_t_len;
+                    newptr = realloc(kp->key_data_contents[cnt],
+                                     kp->key_data_length[cnt]);
+                    if (newptr == NULL)
+                        return ENOMEM;
+                    kp->key_data_contents[cnt] = newptr;
+
+                    (void) memset(kp->key_data_contents[cnt], 0,
+                                  kp->key_data_length[cnt]);
+                    (void) memcpy(kp->key_data_contents[cnt],
+                                  kv->k_contents.k_contents_val[cnt].utf8str_t_val,
+                                  kp->key_data_length[cnt]);
+                }
+            }
+            break;
+
+        case AT_TL_DATA: {
+            int t;
+
+            cnt = u.av_tldata.av_tldata_len;
+            newtl = calloc(cnt, sizeof (krb5_tl_data));
+            if (newtl == NULL)
+                return (ENOMEM);
+
+            for (j = 0, t = 0; j < cnt; j++) {
+                newtl[t].tl_data_type = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_type;
+                newtl[t].tl_data_length = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_data.tl_data_len;
+                newtl[t].tl_data_contents = malloc(newtl[t].tl_data_length * sizeof (krb5_octet));
+                if (newtl[t].tl_data_contents == NULL)
+                    /* XXX Memory leak: newtl
+                       and previously
+                       allocated elements.  */
                     return (ENOMEM);
 
-                for (j = 0, t = 0; j < cnt; j++) {
-                    newtl[t].tl_data_type = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_type;
-                    newtl[t].tl_data_length = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_data.tl_data_len;
-                    newtl[t].tl_data_contents = malloc(newtl[t].tl_data_length * sizeof (krb5_octet));
-                    if (newtl[t].tl_data_contents == NULL)
-                        /* XXX Memory leak: newtl
-                           and previously
-                           allocated elements.  */
-                        return (ENOMEM);
-
-                    (void) memcpy(newtl[t].tl_data_contents, u.av_tldata.av_tldata_val[t].tl_data.tl_data_val, newtl[t].tl_data_length);
-                    newtl[t].tl_data_next = NULL;
-                    if (t > 0)
-                        newtl[t - 1].tl_data_next = &newtl[t];
-                    t++;
-                }
+                (void) memcpy(newtl[t].tl_data_contents, u.av_tldata.av_tldata_val[t].tl_data.tl_data_val, newtl[t].tl_data_length);
+                newtl[t].tl_data_next = NULL;
+                if (t > 0)
+                    newtl[t - 1].tl_data_next = &newtl[t];
+                t++;
+            }
 
-                if ((ret = krb5_dbe_update_tl_data(context, ent, newtl)))
-                    return (ret);
-                for (j = 0; j < t; j++)
-                    if (newtl[j].tl_data_contents) {
-                        free(newtl[j].tl_data_contents);
-                        newtl[j].tl_data_contents = NULL;
-                    }
-                if (newtl) {
-                    free(newtl);
-                    newtl = NULL;
+            if ((ret = krb5_dbe_update_tl_data(context, ent, newtl)))
+                return (ret);
+            for (j = 0; j < t; j++)
+                if (newtl[j].tl_data_contents) {
+                    free(newtl[j].tl_data_contents);
+                    newtl[j].tl_data_contents = NULL;
                 }
-                break;
-/* END CSTYLED */
+            if (newtl) {
+                free(newtl);
+                newtl = NULL;
             }
-            case AT_PW_LAST_CHANGE:
-                if ((ret = krb5_dbe_update_last_pwd_change(context, ent,
-                                                           u.av_pw_last_change)))
-                    return (ret);
-                break;
-
-            case AT_MOD_PRINC:
-                tmpprinc = conv_princ_2db(context, &u.av_mod_princ);
-                if (tmpprinc == NULL)
-                    return ENOMEM;
-                mod_princ = tmpprinc;
-                break;
+            break;
+/* END CSTYLED */
+        }
+        case AT_PW_LAST_CHANGE:
+            if ((ret = krb5_dbe_update_last_pwd_change(context, ent,
+                                                       u.av_pw_last_change)))
+                return (ret);
+            break;
 
-            case AT_MOD_TIME:
-                mod_time = u.av_mod_time;
-                break;
+        case AT_MOD_PRINC:
+            tmpprinc = conv_princ_2db(context, &u.av_mod_princ);
+            if (tmpprinc == NULL)
+                return ENOMEM;
+            mod_princ = tmpprinc;
+            break;
 
-            case AT_LEN:
-                ent->len = (krb5_int16) u.av_len;
-                break;
+        case AT_MOD_TIME:
+            mod_time = u.av_mod_time;
+            break;
 
-            default:
-                break;
-            }
-#undef u
-        }
+        case AT_LEN:
+            ent->len = (krb5_int16) u.av_len;
+            break;
 
-        /*
-         * process mod_princ_data request
-         */
-        if (mod_time && mod_princ) {
-            ret = krb5_dbe_update_mod_princ_data(context, ent,
-                                                 mod_time, mod_princ);
-            krb5_free_principal(context, mod_princ);
-            mod_princ = NULL;
-            if (ret)
-                return (ret);
+        default:
+            break;
         }
+#undef u
+    }
 
-    next:
-        /*
-         * Bump up to next struct
-         */
-        upd++;
-        ent++;
+    /*
+     * process mod_princ_data request
+     */
+    if (mod_time && mod_princ) {
+        ret = krb5_dbe_update_mod_princ_data(context, ent,
+                                             mod_time, mod_princ);
+        krb5_free_principal(context, mod_princ);
+        mod_princ = NULL;
+        if (ret)
+            return (ret);
     }
+
+    *entry = ent;
     return (0);
 }
 
index dcf00ab05a1e798a619acb955fc74cce8ee1e5a6..a2dff2ef954030bcdaa4e657f4ef1377d330d5dc 100644 (file)
@@ -105,9 +105,8 @@ add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno)
 {
     krb5_principal        krbtgt_princ;
     krb5_keyblock         key;
-    krb5_db_entry         krbtgt_entry;
-    krb5_boolean          more;
-    int                   max_kvno, one, i, j, k;
+    krb5_db_entry         *krbtgt_entry;
+    int                   max_kvno, i, j, k;
     krb5_error_code       retval;
     krb5_key_data         tmp_key_data;
     krb5_key_data        *tptr;
@@ -127,22 +126,15 @@ add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno)
         return retval;
 
     /* Get tgt from database */
-    retval = krb5_db_get_principal(context, krbtgt_princ, &krbtgt_entry,
-                                   &one, &more);
+    retval = krb5_db_get_principal(context, krbtgt_princ, 0, &krbtgt_entry);
     krb5_free_principal(context, krbtgt_princ); /* don't need it anymore */
     if (retval)
         return(retval);
-    if ((one > 1) || (more)) {
-        krb5_db_free_principal(context, &krbtgt_entry, one);
-        return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
-    }
-    if (!one)
-        return KRB5_KDB_NOENTRY;
 
     /* Get max kvno */
-    for (max_kvno = j = 0; j < krbtgt_entry.n_key_data; j++) {
-        if (max_kvno < krbtgt_entry.key_data[j].key_data_kvno) {
-            max_kvno = krbtgt_entry.key_data[j].key_data_kvno;
+    for (max_kvno = j = 0; j < krbtgt_entry->n_key_data; j++) {
+        if (max_kvno < krbtgt_entry->key_data[j].key_data_kvno) {
+            max_kvno = krbtgt_entry->key_data[j].key_data_kvno;
         }
     }
 
@@ -224,7 +216,7 @@ add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno)
     }
 
 add_key_rnd_err:
-    krb5_db_free_principal(context, &krbtgt_entry, one);
+    krb5_db_free_principal(context, krbtgt_entry);
 
     for( i = 0; i < tmp_key_data.key_data_ver; i++ )
     {
index 5f8d504a0256562846daad9bb0b8a53ce2ca4ad5..5ca749e6116944d601f20c28df53c6e1caefeffd 100644 (file)
@@ -425,9 +425,8 @@ krb5_def_fetch_mkey_list(krb5_context        context,
                          krb5_keylist_node  **mkeys_list)
 {
     krb5_error_code retval;
-    krb5_db_entry master_entry;
-    int nprinc;
-    krb5_boolean more, found_key = FALSE;
+    krb5_db_entry *master_entry;
+    krb5_boolean found_key = FALSE;
     krb5_keyblock cur_mkey;
     krb5_keylist_node *mkey_list_head = NULL, **mkey_list_node;
     krb5_key_data *key_data;
@@ -438,36 +437,28 @@ krb5_def_fetch_mkey_list(krb5_context        context,
         return (EINVAL);
 
     memset(&cur_mkey, 0, sizeof(cur_mkey));
-    memset(&master_entry, 0, sizeof(master_entry));
 
-    nprinc = 1;
-    if ((retval = krb5_db_get_principal(context, mprinc,
-                                        &master_entry, &nprinc, &more)))
+    retval = krb5_db_get_principal(context, mprinc, 0, &master_entry);
+    if (retval == KRB5_KDB_NOENTRY)
+        return (KRB5_KDB_NOMASTERKEY);
+    if (retval)
         return (retval);
 
-    if (nprinc != 1) {
-        if (nprinc)
-            krb5_db_free_principal(context, &master_entry, nprinc);
-        return(KRB5_KDB_NOMASTERKEY);
-    } else if (more) {
-        krb5_db_free_principal(context, &master_entry, nprinc);
-        return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
-    }
-
     /*
      * Check if the input mkey is the latest key and if it isn't then find the
      * latest mkey.
      */
 
-    if (mkey->enctype == master_entry.key_data[0].key_data_type[0]) {
-        if (krb5_dbe_decrypt_key_data(context, mkey, &master_entry.key_data[0],
+    if (mkey->enctype == master_entry->key_data[0].key_data_type[0]) {
+        if (krb5_dbe_decrypt_key_data(context, mkey,
+                                      &master_entry->key_data[0],
                                       &cur_mkey, NULL) == 0) {
             found_key = TRUE;
         }
     }
 
     if (!found_key) {
-        if ((retval = krb5_dbe_lookup_mkey_aux(context, &master_entry,
+        if ((retval = krb5_dbe_lookup_mkey_aux(context, master_entry,
                                                &mkey_aux_data_list)))
             goto clean_n_exit;
 
@@ -504,13 +495,13 @@ krb5_def_fetch_mkey_list(krb5_context        context,
 
     /* Set mkey_list_head to the current mkey as an optimization. */
     /* mkvno may not be latest so ... */
-    mkey_list_head->kvno = master_entry.key_data[0].key_data_kvno;
+    mkey_list_head->kvno = master_entry->key_data[0].key_data_kvno;
     /* this is the latest clear mkey (avoids a redundant decrypt) */
     mkey_list_head->keyblock = cur_mkey;
 
     /* loop through any other master keys creating a list of krb5_keylist_nodes */
     mkey_list_node = &mkey_list_head->next;
-    for (i = 1; i < master_entry.n_key_data; i++) {
+    for (i = 1; i < master_entry->n_key_data; i++) {
         if (*mkey_list_node == NULL) {
             /* *mkey_list_node points to next field of previous node */
             *mkey_list_node = (krb5_keylist_node *) malloc(sizeof(krb5_keylist_node));
@@ -520,7 +511,7 @@ krb5_def_fetch_mkey_list(krb5_context        context,
             }
             memset(*mkey_list_node, 0, sizeof(krb5_keylist_node));
         }
-        key_data = &master_entry.key_data[i];
+        key_data = &master_entry->key_data[i];
         retval = krb5_dbe_decrypt_key_data(context, &cur_mkey, key_data,
                                            &((*mkey_list_node)->keyblock),
                                            NULL);
@@ -534,7 +525,7 @@ krb5_def_fetch_mkey_list(krb5_context        context,
     *mkeys_list = mkey_list_head;
 
 clean_n_exit:
-    krb5_db_free_principal(context, &master_entry, nprinc);
+    krb5_db_free_principal(context, master_entry);
     krb5_dbe_free_mkey_aux_list(context, mkey_aux_data_list);
     if (retval != 0)
         krb5_dbe_free_key_list(context, mkey_list_head);
index fe128535cffa7a062a73f9271abafadf33fd5291..0842439a38ab586de15125eacade4cfa7fce5b9c 100644 (file)
@@ -353,8 +353,6 @@ ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args)
         goto cleanup;
 
     for (i = 0; i < no_of_updates; i++) {
-        int nentry = 1;
-
         if (!upd->kdb_commit)
             continue;
 
@@ -379,9 +377,7 @@ ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args)
 
             free(dbprincstr);
 
-            retval = krb5int_delete_principal_no_log(context,
-                                                     dbprinc,
-                                                     &nentry);
+            retval = krb5int_delete_principal_no_log(context, dbprinc);
 
             if (dbprinc) {
                 krb5_free_principal(context, dbprinc);
@@ -400,15 +396,13 @@ ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args)
 
             (void) memset(entry, 0, sizeof (krb5_db_entry));
 
-            if ((retval = ulog_conv_2dbentry(context, entry, upd, 1)))
+            if ((retval = ulog_conv_2dbentry(context, &entry, upd)))
                 goto cleanup;
 
-            retval = krb5int_put_principal_no_log(context, entry,
-                                                  &nentry);
+            retval = krb5int_put_principal_no_log(context, entry);
 
             if (entry) {
-                krb5_db_free_principal(context, entry, nentry);
-                free(entry);
+                krb5_db_free_principal(context, entry);
                 entry = NULL;
             }
             if (retval)
index ae02e918f507cfb6910cd5de6d4343b0e44d1817..4d56915b999fdda74c4806e6e9ce2710b837e81f 100644 (file)
@@ -128,9 +128,7 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry)
     krb5_keyblock       * master_key;
     krb5_error_code       kerror = 0;
     krb5_key_data       * key_data;
-    krb5_db_entry         db_entry;
-    krb5_boolean          more = 0;
-    int                   n = 0;
+    krb5_db_entry       * db_entry;
     int xrealm_tgt;
     krb5_boolean similar;
 
@@ -146,19 +144,14 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry)
         return(kerror);
 
     /* get_principal */
-    kerror = krb5_db_get_principal(context, principal, &
-                                   db_entry, &n, &more);
-    if (kerror) {
-        /*        krb5_db_close_database(context); */
+    kerror = krb5_db_get_principal(context, principal, 0, &db_entry);
+    if (kerror == KRB5_KDB_NOENTRY)
+        return(KRB5_KT_NOTFOUND);
+    if (kerror)
         return(kerror);
-    }
-    if (n != 1) {
-        /* krb5_db_close_database(context); */
-        return KRB5_KT_NOTFOUND;
-    }
 
-    if (db_entry.attributes & KRB5_KDB_DISALLOW_SVR
-        || db_entry.attributes & KRB5_KDB_DISALLOW_ALL_TIX) {
+    if (db_entry->attributes & KRB5_KDB_DISALLOW_SVR
+        || db_entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX) {
         kerror = KRB5_KT_NOTFOUND;
         goto error;
     }
@@ -168,7 +161,7 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry)
     if (kerror)
         goto error;
 
-    kerror = krb5_dbe_find_mkey(context, master_keylist, &db_entry, &master_key);
+    kerror = krb5_dbe_find_mkey(context, master_keylist, db_entry, &master_key);
     if (kerror)
         goto error;
 
@@ -176,7 +169,7 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry)
      * for other principals, we only match the first enctype that is
      * found.  Since the TGS and AS code do the same thing, then we
      * will only successfully decrypt  tickets we have issued.*/
-    kerror = krb5_dbe_find_enctype(context, &db_entry,
+    kerror = krb5_dbe_find_enctype(context, db_entry,
                                    xrealm_tgt?enctype:-1,
                                    -1, kvno, &key_data);
     if (kerror == KRB5_KDB_NO_MATCHING_KEY)
@@ -213,7 +206,7 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry)
 
     /* Close database */
 error:
-    krb5_db_free_principal(context, &db_entry, 1);
+    krb5_db_free_principal(context, db_entry);
     /*    krb5_db_close_database(context); */
     return(kerror);
 }
index 4a2576a3007fb22d9f403355c05e5e75540050ed..4719a6431b9f6c8dad6ff1d7c5f9c53c9e47aea0 100644 (file)
@@ -16,7 +16,6 @@ krb5_db_get_key_data_kvno
 krb5_db_get_mkey_list
 krb5_db_get_context
 krb5_db_get_principal
-krb5_db_get_principal_ext
 krb5_db_invoke
 krb5_db_iterate
 krb5_db_lock
index 2b6c1214f093d682573e32629058773e323e5d91..057f1826ffa0a06b922ae0073a2580508ca0b398 100644 (file)
@@ -184,7 +184,7 @@ error:
  */
 krb5_error_code
 osa_adb_get_policy(osa_adb_policy_t db, char *name,
-                   osa_policy_ent_t *entry, int *cnt)
+                   osa_policy_ent_t *entry)
 {
     DBT                 dbkey;
     DBT                 dbdata;
@@ -194,8 +194,6 @@ osa_adb_get_policy(osa_adb_policy_t db, char *name,
 
     OPENLOCK(db, KRB5_DB_LOCKMODE_SHARED);
 
-    *cnt = 1;
-
     if(name == NULL) {
         ret = EINVAL;
         goto error;
@@ -206,8 +204,7 @@ osa_adb_get_policy(osa_adb_policy_t db, char *name,
     dbdata.size = 0;
     switch((db->db->get(db->db, &dbkey, &dbdata, 0))) {
     case 1:
-        ret = 0;
-        *cnt = 0;
+        ret = KRB5_KDB_NOENTRY;
         goto error;
     case 0:
         break;
index a78bc75109d6c9b285059127cb7de1bf677ac6e9..fe4f6e96df7df27bc51558cb98fcc707cb0ae023 100644 (file)
@@ -120,27 +120,22 @@ WRAP_K (krb5_db2_unlock, (krb5_context ctx), (ctx));
 WRAP_K (krb5_db2_get_principal,
         (krb5_context ctx,
          krb5_const_principal p,
-         unsigned int flags,
-         krb5_db_entry *d,
-         int * i,
-         krb5_boolean *b),
-        (ctx, p, d, i, b));
+         unsigned int f,
+         krb5_db_entry **d),
+        (ctx, p, f, d));
 WRAP_VOID (krb5_db2_free_principal,
            (krb5_context ctx,
-            krb5_db_entry *d,
-            int i),
-           (ctx, d, i));
+            krb5_db_entry *d),
+           (ctx, d));
 WRAP_K (krb5_db2_put_principal,
         (krb5_context ctx,
          krb5_db_entry *d,
-         int *i,
          char **db_args),
-        (ctx, d, i, db_args));
+        (ctx, d, db_args));
 WRAP_K (krb5_db2_delete_principal,
         (krb5_context context,
-         krb5_const_principal searchfor,
-         int *nentries),
-        (context, searchfor, nentries));
+         krb5_const_principal searchfor),
+        (context, searchfor));
 
 WRAP_K (krb5_db2_iterate,
         (krb5_context ctx, char *s,
@@ -155,9 +150,8 @@ WRAP_K (krb5_db2_create_policy,
 WRAP_K (krb5_db2_get_policy,
         ( krb5_context kcontext,
           char *name,
-          osa_policy_ent_t *policy,
-          int *cnt),
-        (kcontext, name, policy, cnt));
+          osa_policy_ent_t *policy),
+        (kcontext, name, policy));
 WRAP_K (krb5_db2_put_policy,
         ( krb5_context kcontext, osa_policy_ent_t policy ),
         (kcontext, policy));
index c23b8133538846dd76b0e71d2615691b34d94cd3..707bf842b6413f105d726f120c0793514f169bf5 100644 (file)
@@ -850,18 +850,9 @@ destroy_db(krb5_context context, char *dbname)
     return retval1;
 }
 
-/*
- * look up a principal in the data base.
- * returns number of entries found, and whether there were
- * more than requested.
- */
-
 krb5_error_code
-krb5_db2_get_principal(krb5_context context,
-                       krb5_const_principal searchfor,
-                       krb5_db_entry *entries, /* filled in */
-                       int *nentries, /* how much room/how many found */
-                       krb5_boolean *more) /* are there more? */
+krb5_db2_get_principal(krb5_context context, krb5_const_principal searchfor,
+                       unsigned int flags, krb5_db_entry **entry)
 {
     krb5_db2_context *db_ctx;
     krb5_error_code retval;
@@ -870,9 +861,7 @@ krb5_db2_get_principal(krb5_context context,
     krb5_data keydata, contdata;
     int     trynum, dbret;
 
-    *more = FALSE;
-    *nentries = 0;
-
+    *entry = NULL;
     if (!k5db2_inited(context))
         return KRB5_KDB_DBNOTINITED;
 
@@ -898,22 +887,20 @@ krb5_db2_get_principal(krb5_context context,
     key.size = keydata.length;
 
     db = db_ctx->db;
-    dbret = (*db->get) (db, &key, &contents, 0);
+    dbret = (*db->get)(db, &key, &contents, 0);
     retval = errno;
     krb5_free_data_contents(context, &keydata);
     switch (dbret) {
     case 1:
-        retval = 0;
+        retval = KRB5_KDB_NOENTRY;
+        /* Fall through. */
     case -1:
     default:
-        *nentries = 0;
         goto cleanup;
     case 0:
         contdata.data = contents.data;
         contdata.length = contents.size;
-        retval = krb5_decode_princ_contents(context, &contdata, entries);
-        if (!retval)
-            *nentries = 1;
+        retval = krb5_decode_princ_entry(context, &contdata, entry);
         break;
     }
 
@@ -922,34 +909,18 @@ cleanup:
     return retval;
 }
 
-/*
-  Free stuff returned by krb5_db2_get_principal.
-*/
+/* Free an entry returned by krb5_db2_get_principal. */
 void
-krb5_db2_free_principal(krb5_context context, krb5_db_entry *entries,
-                        int nentries)
+krb5_db2_free_principal(krb5_context context, krb5_db_entry *entry)
 {
-    register int i;
-    for (i = 0; i < nentries; i++)
-        krb5_dbe_free_contents(context, &entries[i]);
+    krb5_dbe_free(context, entry);
 }
 
-/*
-  Stores the *"nentries" entry structures pointed to by "entries" in the
-  database.
-
-  *"nentries" is updated upon return to reflect the number of records
-  acutally stored; the first *"nstored" records will have been stored in the
-  database (even if an error occurs).
-
-*/
-
 krb5_error_code
-krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries,
-                       int *nentries, /* number of entry structs to update */
+krb5_db2_put_principal(krb5_context context, krb5_db_entry *entry,
                        char **db_args)
 {
-    int     i, n, dbret;
+    int     dbret;
     DB     *db;
     DBT     key, contents;
     krb5_data contdata, keydata;
@@ -965,8 +936,6 @@ krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries,
         return EINVAL;
     }
 
-    n = *nentries;
-    *nentries = 0;
     if (!k5db2_inited(context))
         return KRB5_KDB_DBNOTINITED;
 
@@ -980,47 +949,35 @@ krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries,
         return retval;
     }
 
-    /* for each one, stuff temps, and do replace/append */
-    for (i = 0; i < n; i++) {
-        retval = krb5_encode_princ_contents(context, &contdata, entries);
-        if (retval)
-            break;
-        contents.data = contdata.data;
-        contents.size = contdata.length;
-        retval = krb5_encode_princ_dbkey(context, &keydata, entries->princ);
-        if (retval) {
-            krb5_free_data_contents(context, &contdata);
-            break;
-        }
-
-        key.data = keydata.data;
-        key.size = keydata.length;
-        dbret = (*db->put) (db, &key, &contents, 0);
-        retval = dbret ? errno : 0;
-        krb5_free_data_contents(context, &keydata);
+    retval = krb5_encode_princ_entry(context, &contdata, entry);
+    if (retval)
+        goto cleanup;
+    contents.data = contdata.data;
+    contents.size = contdata.length;
+    retval = krb5_encode_princ_dbkey(context, &keydata, entry->princ);
+    if (retval) {
         krb5_free_data_contents(context, &contdata);
-        if (retval)
-            break;
-        entries++;              /* bump to next struct */
+        goto cleanup;
     }
 
+    key.data = keydata.data;
+    key.size = keydata.length;
+    dbret = (*db->put)(db, &key, &contents, 0);
+    retval = dbret ? errno : 0;
+    krb5_free_data_contents(context, &keydata);
+    krb5_free_data_contents(context, &contdata);
+
+cleanup:
     (void) krb5_db2_end_update(context);
     (void) krb5_db2_unlock(context); /* unlock database */
-    *nentries = i;
     return (retval);
 }
 
-/*
- * delete a principal from the data base.
- * returns number of entries removed
- */
-
 krb5_error_code
-krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor,
-                          int *nentries) /* how many found & deleted */
+krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor)
 {
     krb5_error_code retval;
-    krb5_db_entry entry;
+    krb5_db_entry *entry;
     krb5_db2_context *db_ctx;
     DB     *db;
     DBT     key, contents;
@@ -1050,31 +1007,29 @@ krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor,
     switch (dbret) {
     case 1:
         retval = KRB5_KDB_NOENTRY;
+        /* Fall through. */
     case -1:
     default:
-        *nentries = 0;
         goto cleankey;
     case 0:
         ;
     }
-    memset(&entry, 0, sizeof(entry));
     contdata.data = contents.data;
     contdata.length = contents.size;
-    retval = krb5_decode_princ_contents(context, &contdata, &entry);
+    retval = krb5_decode_princ_entry(context, &contdata, &entry);
     if (retval)
         goto cleankey;
-    *nentries = 1;
 
     /* Clear encrypted key contents */
-    for (i = 0; i < entry.n_key_data; i++) {
-        if (entry.key_data[i].key_data_length[0]) {
-            memset(entry.key_data[i].key_data_contents[0], 0,
-                   (unsigned) entry.key_data[i].key_data_length[0]);
+    for (i = 0; i < entry->n_key_data; i++) {
+        if (entry->key_data[i].key_data_length[0]) {
+            memset(entry->key_data[i].key_data_contents[0], 0,
+                   (unsigned) entry->key_data[i].key_data_length[0]);
         }
     }
 
-    retval = krb5_encode_princ_contents(context, &contdata, &entry);
-    krb5_dbe_free_contents(context, &entry);
+    retval = krb5_encode_princ_entry(context, &contdata, entry);
+    krb5_dbe_free(context, entry);
     if (retval)
         goto cleankey;
 
@@ -1105,7 +1060,7 @@ krb5_db2_iterate_ext(krb5_context context,
     DB     *db;
     DBT     key, contents;
     krb5_data contdata;
-    krb5_db_entry entries;
+    krb5_db_entry *entry;
     krb5_error_code retval;
     int     dbret;
     void   *cookie;
@@ -1142,14 +1097,14 @@ krb5_db2_iterate_ext(krb5_context context,
 
         contdata.data = contents.data;
         contdata.length = contents.size;
-        retval = krb5_decode_princ_contents(context, &contdata, &entries);
+        retval = krb5_decode_princ_entry(context, &contdata, &entry);
         if (retval)
             break;
         retval = k5_mutex_unlock(krb5_db2_mutex);
         if (retval)
             break;
-        retval = (*func) (func_arg, &entries);
-        krb5_dbe_free_contents(context, &entries);
+        retval = (*func)(func_arg, entry);
+        krb5_dbe_free(context, entry);
         retval2 = k5_mutex_lock(krb5_db2_mutex);
         /* Note: If re-locking fails, the wrapper in db2_exp.c will
            still try to unlock it again.  That would be a bug.  Fix
@@ -1319,11 +1274,11 @@ krb5_db2_create_policy(krb5_context context, osa_policy_ent_t policy)
 
 krb5_error_code
 krb5_db2_get_policy(krb5_context context,
-                    char *name, osa_policy_ent_t * policy, int *cnt)
+                    char *name, osa_policy_ent_t *policy)
 {
     krb5_db2_context *dbc = context->dal_handle->db_context;
 
-    return osa_adb_get_policy(dbc->policy_db, name, policy, cnt);
+    return osa_adb_get_policy(dbc->policy_db, name, policy);
 }
 
 krb5_error_code
@@ -1450,9 +1405,8 @@ krb5_db2_merge_nra_iterator(krb5_pointer ptr, krb5_db_entry *entry)
     struct nra_context *nra = (struct nra_context *)ptr;
     kdb5_dal_handle *dal_handle = nra->kcontext->dal_handle;
     krb5_error_code retval;
-    int n_entries = 0, changed;
-    krb5_db_entry s_entry;
-    krb5_boolean more;
+    int changed;
+    krb5_db_entry *s_entry;
     krb5_db2_context *dst_db;
 
     memset(&s_entry, 0, sizeof(s_entry));
@@ -1461,23 +1415,21 @@ krb5_db2_merge_nra_iterator(krb5_pointer ptr, krb5_db_entry *entry)
     dal_handle->db_context = nra->db_context;
 
     /* look up the new principal in the old DB */
-    retval = krb5_db2_get_principal(nra->kcontext, entry->princ, &s_entry,
-                                    &n_entries, &more);
-    if (retval != 0 || n_entries == 0) {
+    retval = krb5_db2_get_principal(nra->kcontext, entry->princ, 0, &s_entry);
+    if (retval != 0) {
         /* principal may be newly created, so ignore */
         dal_handle->db_context = dst_db;
         return 0;
     }
 
     /* merge non-replicated attributes from the old entry in */
-    krb5_db2_merge_principal(nra->kcontext, &s_entry, entry, &changed);
+    krb5_db2_merge_principal(nra->kcontext, s_entry, entry, &changed);
 
     dal_handle->db_context = dst_db;
 
     /* if necessary, commit the modified new entry to the new DB */
     if (changed) {
-        retval = krb5_db2_put_principal(nra->kcontext, entry, &n_entries,
-                                        NULL);
+        retval = krb5_db2_put_principal(nra->kcontext, entry, NULL);
     } else {
         retval = 0;
     }
index d7ac7a4cb2e4e9db5f6483d36e0c1dedb038e9f6..6096dc4b1bb4f8e4349ff659b45a99766369dd55 100644 (file)
@@ -60,9 +60,9 @@ krb5_error_code krb5_db2_fini(krb5_context);
 krb5_error_code krb5_db2_get_age(krb5_context, char *, time_t *);
 krb5_error_code krb5_db2_rename(krb5_context, char *, char *, int );
 krb5_error_code krb5_db2_get_principal(krb5_context, krb5_const_principal,
-                                       krb5_db_entry *, int *, krb5_boolean *);
-void krb5_db2_free_principal(krb5_context, krb5_db_entry *, int);
-krb5_error_code krb5_db2_put_principal(krb5_context, krb5_db_entry *, int *,
+                                       unsigned int, krb5_db_entry **);
+void krb5_db2_free_principal(krb5_context, krb5_db_entry *);
+krb5_error_code krb5_db2_put_principal(krb5_context, krb5_db_entry *,
                                        char **db_args);
 krb5_error_code krb5_db2_iterate_ext(krb5_context,
                                      krb5_error_code (*)(krb5_pointer,
@@ -85,12 +85,8 @@ krb5_error_code
 krb5_db2_get_mkey_list(krb5_context context, krb5_keylist_node **keylist);
 
 krb5_error_code
-krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries,
-                       register int *nentries, char **db_args);
-
-krb5_error_code
-krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor,
-                          int *nentries);
+krb5_db2_delete_principal(krb5_context context,
+                          krb5_const_principal searchfor);
 
 krb5_error_code krb5_db2_lib_init(void);
 krb5_error_code krb5_db2_lib_cleanup(void);
@@ -122,8 +118,7 @@ krb5_error_code
 krb5_db2_create_policy(krb5_context context, osa_policy_ent_t entry);
 
 krb5_error_code krb5_db2_get_policy(krb5_context kcontext,
-                                    char *name, osa_policy_ent_t *policy,
-                                    int *cnt);
+                                    char *name, osa_policy_ent_t *policy);
 
 krb5_error_code krb5_db2_put_policy(krb5_context kcontext,
                                     osa_policy_ent_t policy);
index 81a3cc42619458923f9cc5053214a5187e8a689b..14b63fa045114ad04d891d47565bdaaf9a72b820 100644 (file)
@@ -47,15 +47,9 @@ krb5_encode_princ_dbkey(krb5_context context, krb5_data *key,
     return(retval);
 }
 
-void
-krb5_free_princ_dbkey(krb5_context context, krb5_data *key)
-{
-    (void) krb5_free_data_contents(context, key);
-}
-
 krb5_error_code
-krb5_encode_princ_contents(krb5_context context, krb5_data *content,
-                           krb5_db_entry *entry)
+krb5_encode_princ_entry(krb5_context context, krb5_data *content,
+                        krb5_db_entry *entry)
 {
     int                   i, j;
     unsigned int          unparse_princ_size;
@@ -229,29 +223,23 @@ epc_error:;
     return retval;
 }
 
-void
-krb5_free_princ_contents(krb5_context context, krb5_data *contents)
-{
-    krb5_free_data_contents(context, contents);
-    return;
-}
-
 krb5_error_code
-krb5_decode_princ_contents(krb5_context context, krb5_data *content,
-                           krb5_db_entry *entry)
+krb5_decode_princ_entry(krb5_context context, krb5_data *content,
+                        krb5_db_entry **entry_ptr)
 {
     int                   sizeleft, i;
     unsigned char       * nextloc;
     krb5_tl_data       ** tl_data;
     krb5_int16            i16;
-
+    krb5_db_entry       * entry;
     krb5_error_code retval;
 
-    /* Zero out entry and NULL pointers */
-    memset(entry, 0, sizeof(krb5_db_entry));
+    entry = k5alloc(sizeof(*entry), &retval);
+    if (entry == NULL)
+        return retval;
 
     /*
-     * undo the effects of encode_princ_contents.
+     * Reverse the encoding of encode_princ_entry.
      *
      * The first part is decoding the base type. If the base type is
      * bigger than the original base type then the additional fields
@@ -262,8 +250,10 @@ krb5_decode_princ_contents(krb5_context context, krb5_data *content,
     /* First do the easy stuff */
     nextloc = (unsigned char *)content->data;
     sizeleft = content->length;
-    if ((sizeleft -= KRB5_KDB_V1_BASE_LENGTH) < 0)
-        return KRB5_KDB_TRUNCATED_RECORD;
+    if ((sizeleft -= KRB5_KDB_V1_BASE_LENGTH) < 0) {
+        retval = KRB5_KDB_TRUNCATED_RECORD;
+        goto error_out;
+    }
 
     /* Base Length */
     krb5_kdb_decode_int16(nextloc, entry->len);
@@ -305,25 +295,28 @@ krb5_decode_princ_contents(krb5_context context, krb5_data *content,
     krb5_kdb_decode_int16(nextloc, entry->n_tl_data);
     nextloc += 2;
 
-    if (entry->n_tl_data < 0)
-        return KRB5_KDB_TRUNCATED_RECORD;
+    if (entry->n_tl_data < 0) {
+        retval = KRB5_KDB_TRUNCATED_RECORD;
+        goto error_out;
+    }
 
     /* # key_data strutures */
     krb5_kdb_decode_int16(nextloc, entry->n_key_data);
     nextloc += 2;
 
-    if (entry->n_key_data < 0)
-        return KRB5_KDB_TRUNCATED_RECORD;
+    if (entry->n_key_data < 0) {
+        retval = KRB5_KDB_TRUNCATED_RECORD;
+        goto error_out;
+    }
 
     /* Check for extra data */
     if (entry->len > KRB5_KDB_V1_BASE_LENGTH) {
         entry->e_length = entry->len - KRB5_KDB_V1_BASE_LENGTH;
-        if ((entry->e_data = (krb5_octet *)malloc(entry->e_length))) {
-            memcpy(entry->e_data, nextloc, entry->e_length);
-            nextloc += entry->e_length;
-        } else {
-            return ENOMEM;
-        }
+        entry->e_data = k5alloc(entry->e_length, &retval);
+        if (entry->e_data == NULL)
+            goto error_out;
+        memcpy(entry->e_data, nextloc, entry->e_length);
+        nextloc += entry->e_length;
     }
 
     /*
@@ -435,40 +428,36 @@ krb5_decode_princ_contents(krb5_context context, krb5_data *content,
             abort();
         }
     }
+    *entry_ptr = entry;
     return 0;
 
-error_out:;
-    krb5_dbe_free_contents(context, entry);
+error_out:
+    krb5_dbe_free(context, entry);
     return retval;
 }
 
 void
-krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry)
+krb5_dbe_free(krb5_context context, krb5_db_entry *entry)
 {
     krb5_tl_data        * tl_data_next;
     krb5_tl_data        * tl_data;
     int i, j;
 
-    if (entry->e_data)
-        free(entry->e_data);
-    if (entry->princ)
-        krb5_free_principal(context, entry->princ);
+    if (entry == NULL)
+        return;
+    free(entry->e_data);
+    krb5_free_principal(context, entry->princ);
     for (tl_data = entry->tl_data; tl_data; tl_data = tl_data_next) {
         tl_data_next = tl_data->tl_data_next;
-        if (tl_data->tl_data_contents)
-            free(tl_data->tl_data_contents);
+        free(tl_data->tl_data_contents);
         free(tl_data);
     }
     if (entry->key_data) {
         for (i = 0; i < entry->n_key_data; i++) {
             for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
                 if (entry->key_data[i].key_data_length[j]) {
-                    if (entry->key_data[i].key_data_contents[j]) {
-                        memset(entry->key_data[i].key_data_contents[j],
-                               0,
-                               (unsigned) entry->key_data[i].key_data_length[j]);
-                        free (entry->key_data[i].key_data_contents[j]);
-                    }
+                    zapfree(entry->key_data[i].key_data_contents[j],
+                            entry->key_data[i].key_data_length[j]);
                 }
                 entry->key_data[i].key_data_contents[j] = NULL;
                 entry->key_data[i].key_data_length[j] = 0;
@@ -477,6 +466,5 @@ krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry)
         }
         free(entry->key_data);
     }
-    memset(entry, 0, sizeof(*entry));
-    return;
+    free(entry);
 }
index e4a202b37549fcb8cfb4da9851c388b23aeaac51..122605f76803c4a2cddad513ef92faaf6242e531 100644 (file)
@@ -9,20 +9,14 @@ krb5_encode_princ_dbkey(krb5_context context, krb5_data *key,
                         krb5_const_principal principal);
 
 krb5_error_code
-krb5_decode_princ_contents(krb5_context context, krb5_data *content,
-                           krb5_db_entry *entry);
+krb5_decode_princ_entry(krb5_context context, krb5_data *content,
+                        krb5_db_entry **entry);
 
 void
-krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry);
+krb5_dbe_free(krb5_context context, krb5_db_entry *entry);
 
 krb5_error_code
-krb5_encode_princ_contents(krb5_context context, krb5_data *content,
-                           krb5_db_entry *entry);
-
-void
-krb5_free_princ_dbkey(krb5_context context, krb5_data *key);
-
-void
-krb5_free_princ_contents(krb5_context context, krb5_data *contents);
+krb5_encode_princ_entry(krb5_context context, krb5_data *content,
+                        krb5_db_entry *entry);
 
 #endif
index 1e9cc11d9551d1389fd4f6157cd7119c2f0faaf2..3ba53d214c96294f900d2702c5bbbe966065b195 100644 (file)
@@ -73,17 +73,14 @@ lookup_lockout_policy(krb5_context context,
 
     if (adb.policy != NULL) {
         osa_policy_ent_t policy = NULL;
-        int count = 0;
 
-        code = krb5_db2_get_policy(context, adb.policy,
-                                   &policy, &count);
-        if (code == 0 && count == 1) {
+        code = krb5_db2_get_policy(context, adb.policy, &policy);
+        if (code == 0) {
             *pw_max_fail = policy->pw_max_fail;
             *pw_failcnt_interval = policy->pw_failcnt_interval;
             *pw_lockout_duration = policy->pw_lockout_duration;
-        }
-        if (policy != NULL)
             krb5_db2_free_policy(context, policy);
+        }
     }
 
     xdr_destroy(&xdrs);
@@ -148,7 +145,6 @@ krb5_db2_lockout_audit(krb5_context context,
     krb5_kvno max_fail = 0;
     krb5_deltat failcnt_interval = 0;
     krb5_deltat lockout_duration = 0;
-    int nentries = 1;
     krb5_db2_context *db_ctx = context->dal_handle->db_context;
     krb5_boolean need_update = FALSE;
 
@@ -198,7 +194,7 @@ krb5_db2_lockout_audit(krb5_context context,
     }
 
     if (need_update) {
-        code = krb5_db2_put_principal(context, entry, &nentries, NULL);
+        code = krb5_db2_put_principal(context, entry, NULL);
         if (code != 0)
             return code;
     }
index f2842e9560529889baff8663d4178efc5d4d5782..6c920bc44fefc0a0b3812fb8d81963398a37f060 100644 (file)
@@ -87,10 +87,8 @@ krb5_error_code osa_adb_create_policy(osa_adb_policy_t db,
                                       osa_policy_ent_t entry);
 krb5_error_code osa_adb_destroy_policy(osa_adb_policy_t db,
                                        char * name);
-krb5_error_code osa_adb_get_policy(osa_adb_policy_t db,
-                                   char * name,
-                                   osa_policy_ent_t *entry,
-                                   int *cnt);
+krb5_error_code osa_adb_get_policy(osa_adb_policy_t db, char *name,
+                                   osa_policy_ent_t *entry);
 krb5_error_code osa_adb_put_policy(osa_adb_policy_t db,
                                    osa_policy_ent_t entry);
 krb5_error_code osa_adb_iter_policy(osa_adb_policy_t db,
index 0ee57d118e23ca4a859dfef17db05ecd466bb264..97710aef8b9f9b097a8e7729b77fbb37d50d4416 100644 (file)
@@ -2345,7 +2345,6 @@ kdb_ldap_create_principal(krb5_context context, krb5_principal princ,
     unsigned char    *curr=NULL;
     krb5_tl_data     *tl_data=NULL;
     krb5_db_entry    entry;
-    int              nentry=1;
     long             mask = 0;
     krb5_keyblock    key;
     int              kvno = 0;
@@ -2497,7 +2496,7 @@ kdb_ldap_create_principal(krb5_context context, krb5_principal princ,
         break;
     } /* end of switch */
 
-    retval = krb5_ldap_put_principal(context, &entry, &nentry, NULL);
+    retval = krb5_ldap_put_principal(context, &entry, NULL);
     if (retval) {
         com_err(NULL, retval, "while adding entries to database");
         goto cleanup;
index 85c70761f3a7fe213ed0e32569a7aa382914b4da..1f3e60e926e475975a88c56a4327bf6a7f2ad230 100644 (file)
@@ -2113,13 +2113,12 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
     /* We already know that the policy is inside the realm container. */
     if (polname) {
         osa_policy_ent_t   pwdpol;
-        int                cnt=0;
         krb5_timestamp     last_pw_changed;
         krb5_ui_4          pw_max_life;
 
         memset(&pwdpol, 0, sizeof(pwdpol));
 
-        if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0)
+        if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol)) != 0)
             goto cleanup;
         pw_max_life = pwdpol->pw_max_life;
         free (pwdpol);
index 9128fd5d7ea3f67d22c38d8fd916ce5ae4ad410b..68b08c51224f9f9ca782514605ce40713641ffc5 100644 (file)
@@ -123,13 +123,12 @@ krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry)
 
 
 void
-krb5_ldap_free_principal(krb5_context kcontext, krb5_db_entry *entries,
-                         int nentries)
+krb5_ldap_free_principal(krb5_context kcontext, krb5_db_entry *entry)
 {
-    register int i;
-    for (i = 0; i < nentries; i++)
-        krb5_dbe_free_contents(kcontext, &entries[i]);
-    return 0;
+    if (entry == NULL)
+        return;
+    krb5_dbe_free_contents(kcontext, entry);
+    free(entry);
 }
 
 krb5_error_code
@@ -230,7 +229,7 @@ cleanup:
  */
 krb5_error_code
 krb5_ldap_delete_principal(krb5_context context,
-                           krb5_const_principal searchfor, int *nentries)
+                           krb5_const_principal searchfor)
 {
     char                      *user=NULL, *DN=NULL, *strval[10] = {NULL};
     LDAPMod                   **mods=NULL;
@@ -242,21 +241,20 @@ krb5_ldap_delete_principal(krb5_context context,
     kdb5_dal_handle           *dal_handle=NULL;
     krb5_ldap_context         *ldap_context=NULL;
     krb5_ldap_server_handle   *ldap_server_handle=NULL;
-    krb5_db_entry             entries;
-    krb5_boolean              more=0;
+    krb5_db_entry             *entry = NULL;
 
     /* Clear the global error string */
     krb5_clear_error_message(context);
 
     SETUP_CONTEXT();
     /* get the principal info */
-    if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entries, nentries, &more)) != 0 || *nentries == 0)
+    if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entry)))
         goto cleanup;
 
-    if (((st=krb5_get_princ_type(context, &entries, &(ptype))) != 0) ||
-        ((st=krb5_get_attributes_mask(context, &entries, &(attrsetmask))) != 0) ||
-        ((st=krb5_get_princ_count(context, &entries, &(pcount))) != 0) ||
-        ((st=krb5_get_userdn(context, &entries, &(DN))) != 0))
+    if (((st=krb5_get_princ_type(context, entry, &(ptype))) != 0) ||
+        ((st=krb5_get_attributes_mask(context, entry, &(attrsetmask))) != 0) ||
+        ((st=krb5_get_princ_count(context, entry, &(pcount))) != 0) ||
+        ((st=krb5_get_userdn(context, entry, &(DN))) != 0))
         goto cleanup;
 
     if (DN == NULL) {
@@ -356,8 +354,7 @@ cleanup:
         free (secretkey);
     }
 
-    if (st == 0)
-        krb5_ldap_free_principal(context, &entries, *nentries);
+    krb5_ldap_free_principal(context, entry);
 
     ldap_mods_free(mods, 1);
     krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
index 805462d36edb6062e0e331740204d88fcf18e289..3942e3f4208f531159001d048b257c3111446d63 100644 (file)
@@ -95,17 +95,17 @@ extern struct timeval timeout;
 extern char *policyclass[];
 
 krb5_error_code
-krb5_ldap_put_principal(krb5_context, krb5_db_entry *, int *, char **);
+krb5_ldap_put_principal(krb5_context, krb5_db_entry *, char **);
 
 krb5_error_code
 krb5_ldap_get_principal(krb5_context , krb5_const_principal ,
-                        unsigned int, krb5_db_entry *, int *, krb5_boolean *);
+                        unsigned int, krb5_db_entry **);
 
 krb5_error_code
-krb5_ldap_delete_principal(krb5_context, krb5_const_principal, int *);
+krb5_ldap_delete_principal(krb5_context, krb5_const_principal);
 
 void
-krb5_ldap_free_principal(krb5_context, krb5_db_entry *, int );
+krb5_ldap_free_principal(krb5_context, krb5_db_entry *);
 
 krb5_error_code
 krb5_ldap_iterate(krb5_context, char *,
index 7ad31da8373794d8aefec2f246061fc5cef9a050..9b50eda72b1aafd71f6be32e25db1bfef3f05378 100644 (file)
@@ -100,8 +100,7 @@ aliases_ok(unsigned int flags)
 
 krb5_error_code
 krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
-                        unsigned int flags, krb5_db_entry *entries,
-                        int *nentries, krb5_boolean *more)
+                        unsigned int flags, krb5_db_entry **entry_ptr)
 {
     char                        *user=NULL, *filter=NULL, **subtree=NULL;
     unsigned int                tree=0, ntrees=1, princlen=0;
@@ -113,15 +112,14 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
     kdb5_dal_handle             *dal_handle=NULL;
     krb5_ldap_server_handle     *ldap_server_handle=NULL;
     krb5_principal              cprinc=NULL;
+    krb5_boolean                found=FALSE;
+    krb5_db_entry               *entry = NULL;
+
+    *entry_ptr = NULL;
 
     /* Clear the global error string */
     krb5_clear_error_message(context);
 
-    /* set initial values */
-    *nentries = 0;
-    *more = 0;
-    memset(entries, 0, sizeof(*entries));
-
     if (searchfor == NULL)
         return EINVAL;
 
@@ -131,7 +129,6 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
     CHECK_LDAP_HANDLE(ldap_context);
 
     if (is_principal_in_realm(ldap_context, searchfor) != 0) {
-        *more = 0;
         krb5_set_error_message (context, st, "Principal does not belong to realm");
         goto cleanup;
     }
@@ -153,10 +150,10 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
         goto cleanup;
 
     GET_HANDLE();
-    for (tree=0; tree < ntrees && *nentries == 0; ++tree) {
+    for (tree=0; tree < ntrees && !found; ++tree) {
 
         LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
-        for (ent=ldap_first_entry(ld, result); ent != NULL && *nentries == 0; ent=ldap_next_entry(ld, ent)) {
+        for (ent=ldap_first_entry(ld, result); ent != NULL && !found; ent=ldap_next_entry(ld, ent)) {
 
             /* get the associated directory user information */
             if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
@@ -168,13 +165,13 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
                  */
                 for (i=0; values[i] != NULL; ++i) {
                     if (strcmp(values[i], user) == 0) {
-                        *nentries = 1;
+                        found = TRUE;
                         break;
                     }
                 }
                 ldap_value_free(values);
 
-                if (*nentries == 0) /* no matching principal found */
+                if (!found) /* no matching principal found */
                     continue;
             }
 
@@ -189,31 +186,34 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
                         if (st != 0)
                             goto cleanup;
                     } else /* No canonicalization, so don't return aliases. */
-                        *nentries = 0;
+                        found = FALSE;
                 }
                 ldap_value_free(values);
-                if (*nentries == 0)
+                if (!found)
                     continue;
             }
 
+            entry = k5alloc(sizeof(*entry), &st);
+            if (entry == NULL)
+                goto cleanup;
             if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent,
                                              cprinc ? cprinc : searchfor,
-                                             entries)) != 0)
+                                             entry)) != 0)
                 goto cleanup;
         }
         ldap_msgfree(result);
         result = NULL;
     } /* for (tree=0 ... */
 
-    /* once done, put back the ldap handle */
-    krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
-    ldap_server_handle = NULL;
+    if (found) {
+        *entry_ptr = entry;
+        entry = NULL;
+    } else
+        st = KRB5_KDB_NOENTRY;
 
 cleanup:
     ldap_msgfree(result);
-
-    if (*nentries == 0 || st != 0)
-        krb5_dbe_free_contents(context, entries);
+    krb5_ldap_free_principal(context, entry);
 
     if (filter)
         free (filter);
@@ -494,10 +494,10 @@ tl_data2berval (krb5_tl_data *in, struct berval **out)
 }
 
 krb5_error_code
-krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entries,
-                        int *nentries, char **db_args)
+krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+                        char **db_args)
 {
-    int                         i=0, l=0, kerberos_principal_object_type=0;
+    int                         l=0, kerberos_principal_object_type=0;
     krb5_error_code             st=0, tempst=0;
     LDAP                        *ld=NULL;
     LDAPMessage                 *result=NULL, *ent=NULL;
@@ -529,554 +529,574 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entries,
     /* get ldap handle */
     GET_HANDLE();
 
-    for (i=0; i < *nentries; ++i, ++entries) {
-        if (is_principal_in_realm(ldap_context, entries->princ) != 0) {
-            st = EINVAL;
-            krb5_set_error_message(context, st, "Principal does not belong to the default realm");
+    if (is_principal_in_realm(ldap_context, entry->princ) != 0) {
+        st = EINVAL;
+        krb5_set_error_message(context, st, "Principal does not belong to the default realm");
+        goto cleanup;
+    }
+
+    /* get the principal information to act on */
+    if (entry->princ) {
+        if (((st=krb5_unparse_name(context, entry->princ, &user)) != 0) ||
+            ((st=krb5_ldap_unparse_principal_name(user)) != 0))
             goto cleanup;
-        }
+    }
 
-        /* get the principal information to act on */
-        if (entries->princ) {
-            if (((st=krb5_unparse_name(context, entries->princ, &user)) != 0) ||
-                ((st=krb5_ldap_unparse_principal_name(user)) != 0))
-                goto cleanup;
-        }
+    /* Identity the type of operation, it can be
+     * add principal or modify principal.
+     * hack if the entry->mask has KRB_PRINCIPAL flag set
+     * then it is a add operation
+     */
+    if (entry->mask & KADM5_PRINCIPAL)
+        optype = ADD_PRINCIPAL;
+    else
+        optype = MODIFY_PRINCIPAL;
 
-        /* Identity the type of operation, it can be
-         * add principal or modify principal.
-         * hack if the entries->mask has KRB_PRINCIPAL flag set
-         * then it is a add operation
-         */
-        if (entries->mask & KADM5_PRINCIPAL)
-            optype = ADD_PRINCIPAL;
-        else
-            optype = MODIFY_PRINCIPAL;
+    if (((st=krb5_get_princ_type(context, entry, &kerberos_principal_object_type)) != 0) ||
+        ((st=krb5_get_userdn(context, entry, &principal_dn)) != 0))
+        goto cleanup;
 
-        if (((st=krb5_get_princ_type(context, entries, &kerberos_principal_object_type)) != 0) ||
-            ((st=krb5_get_userdn(context, entries, &principal_dn)) != 0))
-            goto cleanup;
+    if ((st=process_db_args(context, db_args, &xargs, optype)) != 0)
+        goto cleanup;
+
+    if (entry->mask & KADM5_LOAD) {
+        int              tree = 0, ntrees = 0, princlen = 0, numlentries = 0;
+        char             **subtreelist = NULL, *filter = NULL;
 
-        if ((st=process_db_args(context, db_args, &xargs, optype)) != 0)
+        /*  A load operation is special, will do a mix-in (add krbprinc
+         *  attrs to a non-krb object entry) if an object exists with a
+         *  matching krbprincipalname attribute so try to find existing
+         *  object and set principal_dn.  This assumes that the
+         *  krbprincipalname attribute is unique (only one object entry has
+         *  a particular krbprincipalname attribute).
+         */
+        if (user == NULL) {
+            /* must have principal name for search */
+            st = EINVAL;
+            krb5_set_error_message(context, st, "operation can not continue, principal name not found");
             goto cleanup;
+        }
+        princlen = strlen(FILTER) + strlen(user) + 2 + 1;      /* 2 for closing brackets */
+        if ((filter = malloc(princlen)) == NULL) {
+            st = ENOMEM;
+            goto cleanup;
+        }
+        snprintf(filter, princlen, FILTER"%s))", user);
 
-        if (entries->mask & KADM5_LOAD) {
-            int              tree = 0, ntrees = 0, princlen = 0, numlentries = 0;
-            char             **subtreelist = NULL, *filter = NULL;
+        /* get the current subtree list */
+        if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
+            goto cleanup;
 
-            /*  A load operation is special, will do a mix-in (add krbprinc
-             *  attrs to a non-krb object entry) if an object exists with a
-             *  matching krbprincipalname attribute so try to find existing
-             *  object and set principal_dn.  This assumes that the
-             *  krbprincipalname attribute is unique (only one object entry has
-             *  a particular krbprincipalname attribute).
-             */
-            if (user == NULL) {
-                /* must have principal name for search */
-                st = EINVAL;
-                krb5_set_error_message(context, st, "operation can not continue, principal name not found");
-                goto cleanup;
-            }
-            princlen = strlen(FILTER) + strlen(user) + 2 + 1;      /* 2 for closing brackets */
-            if ((filter = malloc(princlen)) == NULL) {
-                st = ENOMEM;
-                goto cleanup;
+        found_entry = FALSE;
+        /* search for entry with matching krbprincipalname attribute */
+        for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) {
+            result = NULL;
+            if (principal_dn == NULL) {
+                LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS);
+            } else {
+                /* just look for entry with principal_dn */
+                LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS);
             }
-            snprintf(filter, princlen, FILTER"%s))", user);
-
-            /* get the current subtree list */
-            if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
-                goto cleanup;
-
-            found_entry = FALSE;
-            /* search for entry with matching krbprincipalname attribute */
-            for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) {
-                result = NULL;
-                if (principal_dn == NULL) {
-                    LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS);
-                } else {
-                    /* just look for entry with principal_dn */
-                    LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS);
-                }
-                if (st == LDAP_SUCCESS) {
-                    numlentries = ldap_count_entries(ld, result);
-                    if (numlentries > 1) {
-                        ldap_msgfree(result);
-                        free(filter);
-                        st = EINVAL;
-                        krb5_set_error_message(context, st,
-                                               "operation can not continue, more than one entry with principal name \"%s\" found",
-                                               user);
-                        goto cleanup;
-                    } else if (numlentries == 1) {
-                        found_entry = TRUE;
-                        if (principal_dn == NULL) {
-                            ent = ldap_first_entry(ld, result);
-                            if (ent != NULL) {
-                                /* setting principal_dn will cause that entry to be modified further down */
-                                if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) {
-                                    ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st);
-                                    st = set_ldap_error (context, st, 0);
-                                    ldap_msgfree(result);
-                                    free(filter);
-                                    goto cleanup;
-                                }
+            if (st == LDAP_SUCCESS) {
+                numlentries = ldap_count_entries(ld, result);
+                if (numlentries > 1) {
+                    ldap_msgfree(result);
+                    free(filter);
+                    st = EINVAL;
+                    krb5_set_error_message(context, st,
+                                           "operation can not continue, more than one entry with principal name \"%s\" found",
+                                           user);
+                    goto cleanup;
+                } else if (numlentries == 1) {
+                    found_entry = TRUE;
+                    if (principal_dn == NULL) {
+                        ent = ldap_first_entry(ld, result);
+                        if (ent != NULL) {
+                            /* setting principal_dn will cause that entry to be modified further down */
+                            if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) {
+                                ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st);
+                                st = set_ldap_error (context, st, 0);
+                                ldap_msgfree(result);
+                                free(filter);
+                                goto cleanup;
                             }
                         }
                     }
-                    if (result)
-                        ldap_msgfree(result);
-                } else if (st != LDAP_NO_SUCH_OBJECT) {
-                    /* could not perform search, return with failure */
-                    st = set_ldap_error (context, st, 0);
-                    free(filter);
-                    goto cleanup;
                 }
-                /*
-                 * If it isn't found then assume a standalone princ entry is to
-                 * be created.
-                 */
-            } /* end for (tree = 0; principal_dn == ... */
+                if (result)
+                    ldap_msgfree(result);
+            } else if (st != LDAP_NO_SUCH_OBJECT) {
+                /* could not perform search, return with failure */
+                st = set_ldap_error (context, st, 0);
+                free(filter);
+                goto cleanup;
+            }
+            /*
+             * If it isn't found then assume a standalone princ entry is to
+             * be created.
+             */
+        } /* end for (tree = 0; principal_dn == ... */
 
-            free(filter);
+        free(filter);
 
-            if (found_entry == FALSE && principal_dn != NULL) {
-                /*
-                 * if principal_dn is null then there is code further down to
-                 * deal with setting standalone_principal_dn.  Also note that
-                 * this will set create_standalone_prinicipal true for
-                 * non-mix-in entries which is okay if loading from a dump.
-                 */
-                create_standalone_prinicipal = TRUE;
-                standalone_principal_dn = strdup(principal_dn);
-                CHECK_NULL(standalone_principal_dn);
-            }
-        } /* end if (entries->mask & KADM5_LOAD */
+        if (found_entry == FALSE && principal_dn != NULL) {
+            /*
+             * if principal_dn is null then there is code further down to
+             * deal with setting standalone_principal_dn.  Also note that
+             * this will set create_standalone_prinicipal true for
+             * non-mix-in entries which is okay if loading from a dump.
+             */
+            create_standalone_prinicipal = TRUE;
+            standalone_principal_dn = strdup(principal_dn);
+            CHECK_NULL(standalone_principal_dn);
+        }
+    } /* end if (entry->mask & KADM5_LOAD */
 
-        /* time to generate the DN information with the help of
-         * containerdn, principalcontainerreference or
-         * realmcontainerdn information
-         */
-        if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */
-            /* get the subtree information */
-            if (entries->princ->length == 2 && entries->princ->data[0].length == strlen("krbtgt") &&
-                strncmp(entries->princ->data[0].data, "krbtgt", entries->princ->data[0].length) == 0) {
-                /* if the principal is a inter-realm principal, always created in the realm container */
-                subtree = strdup(ldap_context->lrparams->realmdn);
-            } else if (xargs.containerdn) {
-                if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) {
-                    if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
-                        int ost = st;
-                        st = EINVAL;
-                        snprintf(errbuf, sizeof(errbuf), "'%s' not found: ",
-                                 xargs.containerdn);
-                        prepend_err_str(context, errbuf, st, ost);
-                    }
-                    goto cleanup;
+    /* time to generate the DN information with the help of
+     * containerdn, principalcontainerreference or
+     * realmcontainerdn information
+     */
+    if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */
+        /* get the subtree information */
+        if (entry->princ->length == 2 && entry->princ->data[0].length == strlen("krbtgt") &&
+            strncmp(entry->princ->data[0].data, "krbtgt", entry->princ->data[0].length) == 0) {
+            /* if the principal is a inter-realm principal, always created in the realm container */
+            subtree = strdup(ldap_context->lrparams->realmdn);
+        } else if (xargs.containerdn) {
+            if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) {
+                if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
+                    int ost = st;
+                    st = EINVAL;
+                    snprintf(errbuf, sizeof(errbuf), "'%s' not found: ",
+                             xargs.containerdn);
+                    prepend_err_str(context, errbuf, st, ost);
                 }
-                subtree = strdup(xargs.containerdn);
-            } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) {
-                /*
-                 * Here the subtree should be changed with
-                 * principalcontainerreference attribute value
-                 */
-                subtree = strdup(ldap_context->lrparams->containerref);
-            } else {
-                subtree = strdup(ldap_context->lrparams->realmdn);
+                goto cleanup;
             }
-            CHECK_NULL(subtree);
-
-            if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s",
-                         user, subtree) < 0)
-                standalone_principal_dn = NULL;
-            CHECK_NULL(standalone_principal_dn);
+            subtree = strdup(xargs.containerdn);
+        } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) {
             /*
-             * free subtree when you are done using the subtree
-             * set the boolean create_standalone_prinicipal to TRUE
+             * Here the subtree should be changed with
+             * principalcontainerreference attribute value
              */
-            create_standalone_prinicipal = TRUE;
-            free(subtree);
-            subtree = NULL;
+            subtree = strdup(ldap_context->lrparams->containerref);
+        } else {
+            subtree = strdup(ldap_context->lrparams->realmdn);
         }
+        CHECK_NULL(subtree);
 
+        if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s",
+                     user, subtree) < 0)
+            standalone_principal_dn = NULL;
+        CHECK_NULL(standalone_principal_dn);
         /*
-         * If the DN information is presented by the user, time to
-         * validate the input to ensure that the DN falls under
-         * any of the subtrees
+         * free subtree when you are done using the subtree
+         * set the boolean create_standalone_prinicipal to TRUE
          */
-        if (xargs.dn_from_kbd == TRUE) {
-            /* make sure the DN falls in the subtree */
-            int              tre=0, dnlen=0, subtreelen=0, ntrees=0;
-            char             **subtreelist=NULL;
-            char             *dn=NULL;
-            krb5_boolean     outofsubtree=TRUE;
-
-            if (xargs.dn != NULL) {
-                dn = xargs.dn;
-            } else if (xargs.linkdn != NULL) {
-                dn = xargs.linkdn;
-            } else if (standalone_principal_dn != NULL) {
-                /*
-                 * Even though the standalone_principal_dn is constructed
-                 * within this function, there is the containerdn input
-                 * from the user that can become part of the it.
-                 */
-                dn = standalone_principal_dn;
-            }
+        create_standalone_prinicipal = TRUE;
+        free(subtree);
+        subtree = NULL;
+    }
 
-            /* get the current subtree list */
-            if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
-                goto cleanup;
+    /*
+     * If the DN information is presented by the user, time to
+     * validate the input to ensure that the DN falls under
+     * any of the subtrees
+     */
+    if (xargs.dn_from_kbd == TRUE) {
+        /* make sure the DN falls in the subtree */
+        int              tre=0, dnlen=0, subtreelen=0, ntrees=0;
+        char             **subtreelist=NULL;
+        char             *dn=NULL;
+        krb5_boolean     outofsubtree=TRUE;
+
+        if (xargs.dn != NULL) {
+            dn = xargs.dn;
+        } else if (xargs.linkdn != NULL) {
+            dn = xargs.linkdn;
+        } else if (standalone_principal_dn != NULL) {
+            /*
+             * Even though the standalone_principal_dn is constructed
+             * within this function, there is the containerdn input
+             * from the user that can become part of the it.
+             */
+            dn = standalone_principal_dn;
+        }
 
-            for (tre=0; tre<ntrees; ++tre) {
-                if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
+        /* get the current subtree list */
+        if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
+            goto cleanup;
+
+        for (tre=0; tre<ntrees; ++tre) {
+            if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
+                outofsubtree = FALSE;
+                break;
+            } else {
+                dnlen = strlen (dn);
+                subtreelen = strlen(subtreelist[tre]);
+                if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
                     outofsubtree = FALSE;
                     break;
-                } else {
-                    dnlen = strlen (dn);
-                    subtreelen = strlen(subtreelist[tre]);
-                    if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
-                        outofsubtree = FALSE;
-                        break;
-                    }
                 }
             }
+        }
 
-            for (tre=0; tre < ntrees; ++tre) {
-                free(subtreelist[tre]);
-            }
+        for (tre=0; tre < ntrees; ++tre) {
+            free(subtreelist[tre]);
+        }
 
-            if (outofsubtree == TRUE) {
-                st = EINVAL;
-                krb5_set_error_message(context, st, "DN is out of the realm subtree");
-                goto cleanup;
-            }
+        if (outofsubtree == TRUE) {
+            st = EINVAL;
+            krb5_set_error_message(context, st, "DN is out of the realm subtree");
+            goto cleanup;
+        }
+
+        /*
+         * dn value will be set either by dn, linkdn or the standalone_principal_dn
+         * In the first 2 cases, the dn should be existing and in the last case we
+         * are supposed to create the ldap object. so the below should not be
+         * executed for the last case.
+         */
 
+        if (standalone_principal_dn == NULL) {
             /*
-             * dn value will be set either by dn, linkdn or the standalone_principal_dn
-             * In the first 2 cases, the dn should be existing and in the last case we
-             * are supposed to create the ldap object. so the below should not be
-             * executed for the last case.
+             * If the ldap object is missing, this results in an error.
              */
 
-            if (standalone_principal_dn == NULL) {
-                /*
-                 * If the ldap object is missing, this results in an error.
-                 */
-
-                /*
-                 * Search for krbprincipalname attribute here.
-                 * This is to find if a kerberos identity is already present
-                 * on the ldap object, in which case adding a kerberos identity
-                 * on the ldap object should result in an error.
-                 */
-                char  *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
-
-                LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
-                if (st == LDAP_SUCCESS) {
-                    ent = ldap_first_entry(ld, result);
-                    if (ent != NULL) {
-                        if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
-                            ldap_value_free(values);
-                        }
+            /*
+             * Search for krbprincipalname attribute here.
+             * This is to find if a kerberos identity is already present
+             * on the ldap object, in which case adding a kerberos identity
+             * on the ldap object should result in an error.
+             */
+            char  *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
+
+            LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
+            if (st == LDAP_SUCCESS) {
+                ent = ldap_first_entry(ld, result);
+                if (ent != NULL) {
+                    if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
+                        ldap_value_free(values);
+                    }
 
-                        if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
-                            krb_identity_exists = TRUE;
-                            ldap_value_free(values);
-                        }
+                    if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
+                        krb_identity_exists = TRUE;
+                        ldap_value_free(values);
                     }
-                    ldap_msgfree(result);
-                } else {
-                    st = set_ldap_error(context, st, OP_SEARCH);
-                    goto cleanup;
                 }
+                ldap_msgfree(result);
+            } else {
+                st = set_ldap_error(context, st, OP_SEARCH);
+                goto cleanup;
             }
         }
+    }
 
+    /*
+     * If xargs.dn is set then the request is to add a
+     * kerberos principal on a ldap object, but if
+     * there is one already on the ldap object this
+     * should result in an error.
+     */
+
+    if (xargs.dn != NULL && krb_identity_exists == TRUE) {
+        st = EINVAL;
+        snprintf(errbuf, sizeof(errbuf), "ldap object is already kerberized");
+        krb5_set_error_message(context, st, "%s", errbuf);
+        goto cleanup;
+    }
+
+    if (xargs.linkdn != NULL) {
         /*
-         * If xargs.dn is set then the request is to add a
-         * kerberos principal on a ldap object, but if
-         * there is one already on the ldap object this
-         * should result in an error.
+         * link information can be changed using modprinc.
+         * However, link information can be changed only on the
+         * standalone kerberos principal objects. A standalone
+         * kerberos principal object is of type krbprincipal
+         * structural objectclass.
+         *
+         * NOTE: kerberos principals on an ldap object can't be
+         * linked to other ldap objects.
          */
-
-        if (xargs.dn != NULL && krb_identity_exists == TRUE) {
+        if (optype == MODIFY_PRINCIPAL &&
+            kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) {
             st = EINVAL;
-            snprintf(errbuf, sizeof(errbuf), "ldap object is already kerberized");
+            snprintf(errbuf, sizeof(errbuf),
+                     "link information can not be set/updated as the kerberos principal belongs to an ldap object");
             krb5_set_error_message(context, st, "%s", errbuf);
             goto cleanup;
         }
+        /*
+         * Check the link information. If there is already a link
+         * existing then this operation is not allowed.
+         */
+        {
+            char **linkdns=NULL;
+            int  j=0;
 
-        if (xargs.linkdn != NULL) {
-            /*
-             * link information can be changed using modprinc.
-             * However, link information can be changed only on the
-             * standalone kerberos principal objects. A standalone
-             * kerberos principal object is of type krbprincipal
-             * structural objectclass.
-             *
-             * NOTE: kerberos principals on an ldap object can't be
-             * linked to other ldap objects.
-             */
-            if (optype == MODIFY_PRINCIPAL &&
-                kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) {
+            if ((st=krb5_get_linkdn(context, entry, &linkdns)) != 0) {
+                snprintf(errbuf, sizeof(errbuf),
+                         "Failed getting object references");
+                krb5_set_error_message(context, st, "%s", errbuf);
+                goto cleanup;
+            }
+            if (linkdns != NULL) {
                 st = EINVAL;
                 snprintf(errbuf, sizeof(errbuf),
-                         "link information can not be set/updated as the kerberos principal belongs to an ldap object");
+                         "kerberos principal is already linked "
+                         "to a ldap object");
                 krb5_set_error_message(context, st, "%s", errbuf);
+                for (j=0; linkdns[j] != NULL; ++j)
+                    free (linkdns[j]);
+                free (linkdns);
                 goto cleanup;
             }
-            /*
-             * Check the link information. If there is already a link
-             * existing then this operation is not allowed.
-             */
-            {
-                char **linkdns=NULL;
-                int  j=0;
+        }
 
-                if ((st=krb5_get_linkdn(context, entries, &linkdns)) != 0) {
-                    snprintf(errbuf, sizeof(errbuf),
-                             "Failed getting object references");
-                    krb5_set_error_message(context, st, "%s", errbuf);
-                    goto cleanup;
-                }
-                if (linkdns != NULL) {
-                    st = EINVAL;
-                    snprintf(errbuf, sizeof(errbuf),
-                             "kerberos principal is already linked "
-                             "to a ldap object");
-                    krb5_set_error_message(context, st, "%s", errbuf);
-                    for (j=0; linkdns[j] != NULL; ++j)
-                        free (linkdns[j]);
-                    free (linkdns);
-                    goto cleanup;
-                }
-            }
+        establish_links = TRUE;
+    }
 
-            establish_links = TRUE;
+    if (entry->mask & KADM5_LAST_SUCCESS) {
+        memset(strval, 0, sizeof(strval));
+        if ((strval[0]=getstringtime(entry->last_success)) == NULL)
+            goto cleanup;
+        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) {
+            free (strval[0]);
+            goto cleanup;
         }
+        free (strval[0]);
+    }
 
-        if (entries->mask & KADM5_LAST_SUCCESS) {
-            memset(strval, 0, sizeof(strval));
-            if ((strval[0]=getstringtime(entries->last_success)) == NULL)
-                goto cleanup;
-            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) {
-                free (strval[0]);
-                goto cleanup;
-            }
+    if (entry->mask & KADM5_LAST_FAILED) {
+        memset(strval, 0, sizeof(strval));
+        if ((strval[0]=getstringtime(entry->last_failed)) == NULL)
+            goto cleanup;
+        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) {
             free (strval[0]);
+            goto cleanup;
         }
+        free(strval[0]);
+    }
 
-        if (entries->mask & KADM5_LAST_FAILED) {
-            memset(strval, 0, sizeof(strval));
-            if ((strval[0]=getstringtime(entries->last_failed)) == NULL)
-                goto cleanup;
-            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) {
-                free (strval[0]);
-                goto cleanup;
-            }
-            free(strval[0]);
-        }
+    if (entry->mask & KADM5_FAIL_AUTH_COUNT) {
+        krb5_kvno fail_auth_count;
 
-        if (entries->mask & KADM5_FAIL_AUTH_COUNT) {
-            krb5_kvno fail_auth_count;
+        fail_auth_count = entry->fail_auth_count;
+        if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
+            fail_auth_count++;
 
-            fail_auth_count = entries->fail_auth_count;
-            if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
-                fail_auth_count++;
+        st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
+                                       LDAP_MOD_REPLACE,
+                                       fail_auth_count);
+        if (st != 0)
+            goto cleanup;
+    } else if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) {
+        int attr_mask = 0;
+        krb5_boolean has_fail_count;
+
+        /* Check if the krbLoginFailedCount attribute exists.  (Through
+         * krb5 1.8.1, it wasn't set in new entries.) */
+        st = krb5_get_attributes_mask(context, entry, &attr_mask);
+        if (st != 0)
+            goto cleanup;
+        has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0);
 
+        /*
+         * If the client library and server supports RFC 4525,
+         * then use it to increment by one the value of the
+         * krbLoginFailedCount attribute. Otherwise, assert the
+         * (provided) old value by deleting it before adding.
+         */
+#ifdef LDAP_MOD_INCREMENT
+        if (ldap_server_handle->server_info->modify_increment &&
+            has_fail_count) {
             st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
-                                           LDAP_MOD_REPLACE,
-                                           fail_auth_count);
+                                           LDAP_MOD_INCREMENT, 1);
             if (st != 0)
                 goto cleanup;
-        } else if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) {
-            int attr_mask = 0;
-            krb5_boolean has_fail_count;
-
-            /* Check if the krbLoginFailedCount attribute exists.  (Through
-             * krb5 1.8.1, it wasn't set in new entries.) */
-            st = krb5_get_attributes_mask(context, entries, &attr_mask);
-            if (st != 0)
-                goto cleanup;
-            has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0);
-
-            /*
-             * If the client library and server supports RFC 4525,
-             * then use it to increment by one the value of the
-             * krbLoginFailedCount attribute. Otherwise, assert the
-             * (provided) old value by deleting it before adding.
-             */
-#ifdef LDAP_MOD_INCREMENT
-            if (ldap_server_handle->server_info->modify_increment &&
-                has_fail_count) {
-                st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
-                                               LDAP_MOD_INCREMENT, 1);
-                if (st != 0)
-                    goto cleanup;
-            } else {
+        } else {
 #endif /* LDAP_MOD_INCREMENT */
-                if (has_fail_count) {
-                    st = krb5_add_int_mem_ldap_mod(&mods,
-                                                   "krbLoginFailedCount",
-                                                   LDAP_MOD_DELETE,
-                                                   entries->fail_auth_count);
-                    if (st != 0)
-                        goto cleanup;
-                }
-                st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
-                                               LDAP_MOD_ADD,
-                                               entries->fail_auth_count + 1);
+            if (has_fail_count) {
+                st = krb5_add_int_mem_ldap_mod(&mods,
+                                               "krbLoginFailedCount",
+                                               LDAP_MOD_DELETE,
+                                               entry->fail_auth_count);
                 if (st != 0)
                     goto cleanup;
-#ifdef LDAP_MOD_INCREMENT
             }
-#endif
-        } else if (optype == ADD_PRINCIPAL) {
-            /* Initialize krbLoginFailedCount in new entries to help avoid a
-             * race during the first failed login. */
             st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
-                                           LDAP_MOD_ADD, 0);
-        }
-
-        if (entries->mask & KADM5_MAX_LIFE) {
-            if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entries->max_life)) != 0)
+                                           LDAP_MOD_ADD,
+                                           entry->fail_auth_count + 1);
+            if (st != 0)
                 goto cleanup;
+#ifdef LDAP_MOD_INCREMENT
         }
+#endif
+    } else if (optype == ADD_PRINCIPAL) {
+        /* Initialize krbLoginFailedCount in new entries to help avoid a
+         * race during the first failed login. */
+        st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
+                                       LDAP_MOD_ADD, 0);
+    }
 
-        if (entries->mask & KADM5_MAX_RLIFE) {
-            if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
-                                              entries->max_renewable_life)) != 0)
-                goto cleanup;
-        }
+    if (entry->mask & KADM5_MAX_LIFE) {
+        if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entry->max_life)) != 0)
+            goto cleanup;
+    }
 
-        if (entries->mask & KADM5_ATTRIBUTES) {
-            if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
-                                              entries->attributes)) != 0)
-                goto cleanup;
-        }
+    if (entry->mask & KADM5_MAX_RLIFE) {
+        if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
+                                          entry->max_renewable_life)) != 0)
+            goto cleanup;
+    }
 
-        if (entries->mask & KADM5_PRINCIPAL) {
-            memset(strval, 0, sizeof(strval));
-            strval[0] = user;
-            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0)
-                goto cleanup;
-        }
+    if (entry->mask & KADM5_ATTRIBUTES) {
+        if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
+                                          entry->attributes)) != 0)
+            goto cleanup;
+    }
 
-        if (entries->mask & KADM5_PRINC_EXPIRE_TIME) {
-            memset(strval, 0, sizeof(strval));
-            if ((strval[0]=getstringtime(entries->expiration)) == NULL)
-                goto cleanup;
-            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) {
-                free (strval[0]);
-                goto cleanup;
-            }
+    if (entry->mask & KADM5_PRINCIPAL) {
+        memset(strval, 0, sizeof(strval));
+        strval[0] = user;
+        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0)
+            goto cleanup;
+    }
+
+    if (entry->mask & KADM5_PRINC_EXPIRE_TIME) {
+        memset(strval, 0, sizeof(strval));
+        if ((strval[0]=getstringtime(entry->expiration)) == NULL)
+            goto cleanup;
+        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) {
             free (strval[0]);
+            goto cleanup;
         }
+        free (strval[0]);
+    }
 
-        if (entries->mask & KADM5_PW_EXPIRATION) {
-            memset(strval, 0, sizeof(strval));
-            if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
-                goto cleanup;
-            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration",
-                                              LDAP_MOD_REPLACE,
-                                              strval)) != 0) {
-                free (strval[0]);
-                goto cleanup;
-            }
+    if (entry->mask & KADM5_PW_EXPIRATION) {
+        memset(strval, 0, sizeof(strval));
+        if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL)
+            goto cleanup;
+        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration",
+                                          LDAP_MOD_REPLACE,
+                                          strval)) != 0) {
             free (strval[0]);
+            goto cleanup;
         }
+        free (strval[0]);
+    }
 
-        if (entries->mask & KADM5_POLICY) {
-            memset(&princ_ent, 0, sizeof(princ_ent));
-            for (tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) {
-                if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) {
-                    /* FIX ME: I guess the princ_ent should be freed after this call */
-                    if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) {
-                        goto cleanup;
-                    }
+    if (entry->mask & KADM5_POLICY) {
+        memset(&princ_ent, 0, sizeof(princ_ent));
+        for (tl_data=entry->tl_data; tl_data; tl_data=tl_data->tl_data_next) {
+            if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) {
+                /* FIX ME: I guess the princ_ent should be freed after this call */
+                if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) {
+                    goto cleanup;
                 }
             }
+        }
 
-            if (princ_ent.aux_attributes & KADM5_POLICY) {
-                memset(strval, 0, sizeof(strval));
-                if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0)
-                    goto cleanup;
-                strval[0] = polname;
-                if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
-                    goto cleanup;
-            } else {
-                st = EINVAL;
-                krb5_set_error_message(context, st, "Password policy value null");
+        if (princ_ent.aux_attributes & KADM5_POLICY) {
+            memset(strval, 0, sizeof(strval));
+            if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0)
                 goto cleanup;
-            }
-        } else if (entries->mask & KADM5_LOAD && found_entry == TRUE) {
-            /*
-             * a load is special in that existing entries must have attrs that
-             * removed.
-             */
-
-            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0)
+            strval[0] = polname;
+            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
                 goto cleanup;
+        } else {
+            st = EINVAL;
+            krb5_set_error_message(context, st, "Password policy value null");
+            goto cleanup;
         }
+    } else if (entry->mask & KADM5_LOAD && found_entry == TRUE) {
+        /*
+         * a load is special in that existing entries must have attrs that
+         * removed.
+         */
 
-        if (entries->mask & KADM5_POLICY_CLR) {
-            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
-                goto cleanup;
-        }
+        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0)
+            goto cleanup;
+    }
 
-        if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) {
-            krb5_kvno mkvno;
+    if (entry->mask & KADM5_POLICY_CLR) {
+        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
+            goto cleanup;
+    }
 
-            if ((st=krb5_dbe_lookup_mkvno(context, entries, &mkvno)) != 0)
-                goto cleanup;
-            bersecretkey = krb5_encode_krbsecretkey (entries->key_data,
-                                                     entries->n_key_data, mkvno);
+    if (entry->mask & KADM5_KEY_DATA || entry->mask & KADM5_KVNO) {
+        krb5_kvno mkvno;
 
-            if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
-                                              LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
-                goto cleanup;
+        if ((st=krb5_dbe_lookup_mkvno(context, entry, &mkvno)) != 0)
+            goto cleanup;
+        bersecretkey = krb5_encode_krbsecretkey (entry->key_data,
+                                                 entry->n_key_data, mkvno);
 
-            if (!(entries->mask & KADM5_PRINCIPAL)) {
-                memset(strval, 0, sizeof(strval));
-                if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
-                    goto cleanup;
-                if ((st=krb5_add_str_mem_ldap_mod(&mods,
-                                                  "krbpasswordexpiration",
-                                                  LDAP_MOD_REPLACE, strval)) != 0) {
-                    free (strval[0]);
-                    goto cleanup;
-                }
+        if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
+                                          LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
+            goto cleanup;
+
+        if (!(entry->mask & KADM5_PRINCIPAL)) {
+            memset(strval, 0, sizeof(strval));
+            if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL)
+                goto cleanup;
+            if ((st=krb5_add_str_mem_ldap_mod(&mods,
+                                              "krbpasswordexpiration",
+                                              LDAP_MOD_REPLACE, strval)) != 0) {
                 free (strval[0]);
+                goto cleanup;
             }
+            free (strval[0]);
+        }
 
-            /* Update last password change whenever a new key is set */
-            {
-                krb5_timestamp last_pw_changed;
-                if ((st=krb5_dbe_lookup_last_pwd_change(context, entries,
-                                                        &last_pw_changed)) != 0)
-                    goto cleanup;
+        /* Update last password change whenever a new key is set */
+        {
+            krb5_timestamp last_pw_changed;
+            if ((st=krb5_dbe_lookup_last_pwd_change(context, entry,
+                                                    &last_pw_changed)) != 0)
+                goto cleanup;
 
-                memset(strval, 0, sizeof(strval));
-                if ((strval[0] = getstringtime(last_pw_changed)) == NULL)
-                    goto cleanup;
+            memset(strval, 0, sizeof(strval));
+            if ((strval[0] = getstringtime(last_pw_changed)) == NULL)
+                goto cleanup;
 
-                if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange",
-                                                  LDAP_MOD_REPLACE, strval)) != 0) {
-                    free (strval[0]);
-                    goto cleanup;
-                }
+            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange",
+                                              LDAP_MOD_REPLACE, strval)) != 0) {
                 free (strval[0]);
+                goto cleanup;
             }
+            free (strval[0]);
+        }
 
-        } /* Modify Key data ends here */
+    } /* Modify Key data ends here */
 
-        /* Set tl_data */
-        if (entries->tl_data != NULL) {
-            int count = 0;
-            struct berval **ber_tl_data = NULL;
-            krb5_tl_data *ptr;
-            for (ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
+    /* Set tl_data */
+    if (entry->tl_data != NULL) {
+        int count = 0;
+        struct berval **ber_tl_data = NULL;
+        krb5_tl_data *ptr;
+        for (ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
+            if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
+#ifdef SECURID
+                || ptr->tl_data_type == KRB5_TL_DB_ARGS
+#endif
+                || ptr->tl_data_type == KRB5_TL_KADM_DATA
+                || ptr->tl_data_type == KDB_TL_USER_INFO
+                || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL)
+                continue;
+            count++;
+        }
+        if (count != 0) {
+            int j;
+            ber_tl_data = (struct berval **) calloc (count + 1,
+                                                     sizeof (struct berval*));
+            if (ber_tl_data == NULL) {
+                st = ENOMEM;
+                goto cleanup;
+            }
+            for (j = 0, ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
+                /* Ignore tl_data that are stored in separate directory
+                 * attributes */
                 if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
 #ifdef SECURID
                     || ptr->tl_data_type == KRB5_TL_DB_ARGS
@@ -1085,156 +1105,134 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entries,
                     || ptr->tl_data_type == KDB_TL_USER_INFO
                     || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL)
                     continue;
-                count++;
+                if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
+                    break;
+                j++;
             }
-            if (count != 0) {
-                int j;
-                ber_tl_data = (struct berval **) calloc (count + 1,
-                                                         sizeof (struct berval*));
-                if (ber_tl_data == NULL) {
-                    st = ENOMEM;
-                    goto cleanup;
-                }
-                for (j = 0, ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
-                    /* Ignore tl_data that are stored in separate directory
-                     * attributes */
-                    if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
-#ifdef SECURID
-                        || ptr->tl_data_type == KRB5_TL_DB_ARGS
-#endif
-                        || ptr->tl_data_type == KRB5_TL_KADM_DATA
-                        || ptr->tl_data_type == KDB_TL_USER_INFO
-                        || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL)
-                        continue;
-                    if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
-                        break;
-                    j++;
-                }
-                if (st != 0) {
-                    for (j = 0; ber_tl_data[j] != NULL; j++) {
-                        free (ber_tl_data[j]->bv_val);
-                        free (ber_tl_data[j]);
-                    }
-                    free (ber_tl_data);
-                    goto cleanup;
+            if (st != 0) {
+                for (j = 0; ber_tl_data[j] != NULL; j++) {
+                    free (ber_tl_data[j]->bv_val);
+                    free (ber_tl_data[j]);
                 }
-                ber_tl_data[count] = NULL;
-                if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData",
-                                                  LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
-                                                  ber_tl_data)) != 0)
-                    goto cleanup;
+                free (ber_tl_data);
+                goto cleanup;
             }
+            ber_tl_data[count] = NULL;
+            if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData",
+                                              LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
+                                              ber_tl_data)) != 0)
+                goto cleanup;
         }
+    }
 
-        /* Directory specific attribute */
-        if (xargs.tktpolicydn != NULL) {
-            int tmask=0;
-
-            if (strlen(xargs.tktpolicydn) != 0) {
-                st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
-                CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: ");
-
-                strval[0] = xargs.tktpolicydn;
-                strval[1] = NULL;
-                if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
-                    goto cleanup;
+    /* Directory specific attribute */
+    if (xargs.tktpolicydn != NULL) {
+        int tmask=0;
 
-            } else {
-                /* if xargs.tktpolicydn is a empty string, then delete
-                 * already existing krbticketpolicyreference attr */
-                if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
-                    goto cleanup;
-            }
+        if (strlen(xargs.tktpolicydn) != 0) {
+            st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
+            CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: ");
 
-        }
+            strval[0] = xargs.tktpolicydn;
+            strval[1] = NULL;
+            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
+                goto cleanup;
 
-        if (establish_links == TRUE) {
-            memset(strval, 0, sizeof(strval));
-            strval[0] = xargs.linkdn;
-            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0)
+        } else {
+            /* if xargs.tktpolicydn is a empty string, then delete
+             * already existing krbticketpolicyreference attr */
+            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
                 goto cleanup;
         }
 
-        /*
-         * in case mods is NULL then return
-         * not sure but can happen in a modprinc
-         * so no need to return an error
-         * addprinc will at least have the principal name
-         * and the keys passed in
-         */
-        if (mods == NULL)
+    }
+
+    if (establish_links == TRUE) {
+        memset(strval, 0, sizeof(strval));
+        strval[0] = xargs.linkdn;
+        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0)
             goto cleanup;
+    }
 
-        if (create_standalone_prinicipal == TRUE) {
-            memset(strval, 0, sizeof(strval));
-            strval[0] = "krbprincipal";
-            strval[1] = "krbprincipalaux";
-            strval[2] = "krbTicketPolicyAux";
+    /*
+     * in case mods is NULL then return
+     * not sure but can happen in a modprinc
+     * so no need to return an error
+     * addprinc will at least have the principal name
+     * and the keys passed in
+     */
+    if (mods == NULL)
+        goto cleanup;
 
-            if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
-                goto cleanup;
+    if (create_standalone_prinicipal == TRUE) {
+        memset(strval, 0, sizeof(strval));
+        strval[0] = "krbprincipal";
+        strval[1] = "krbprincipalaux";
+        strval[2] = "krbTicketPolicyAux";
 
-            st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
-            if (st == LDAP_ALREADY_EXISTS && entries->mask & KADM5_LOAD) {
-                /* a load operation must replace an existing entry */
-                st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL);
-                if (st != LDAP_SUCCESS) {
-                    snprintf(errbuf, sizeof(errbuf), "Principal delete failed (trying to replace entry): %s",
-                             ldap_err2string(st));
-                    st = translate_ldap_error (st, OP_ADD);
-                    krb5_set_error_message(context, st, "%s", errbuf);
-                    goto cleanup;
-                } else {
-                    st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
-                }
-            }
+        if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
+            goto cleanup;
+
+        st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
+        if (st == LDAP_ALREADY_EXISTS && entry->mask & KADM5_LOAD) {
+            /* a load operation must replace an existing entry */
+            st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL);
             if (st != LDAP_SUCCESS) {
-                snprintf(errbuf, sizeof(errbuf), "Principal add failed: %s", ldap_err2string(st));
+                snprintf(errbuf, sizeof(errbuf), "Principal delete failed (trying to replace entry): %s",
+                         ldap_err2string(st));
                 st = translate_ldap_error (st, OP_ADD);
                 krb5_set_error_message(context, st, "%s", errbuf);
                 goto cleanup;
+            } else {
+                st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
             }
-        } else {
-            /*
-             * Here existing ldap object is modified and can be related
-             * to any attribute, so always ensure that the ldap
-             * object is extended with all the kerberos related
-             * objectclasses so that there are no constraint
-             * violations.
-             */
-            {
-                char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL};
-                int p, q, r=0, amask=0;
+        }
+        if (st != LDAP_SUCCESS) {
+            snprintf(errbuf, sizeof(errbuf), "Principal add failed: %s", ldap_err2string(st));
+            st = translate_ldap_error (st, OP_ADD);
+            krb5_set_error_message(context, st, "%s", errbuf);
+            goto cleanup;
+        }
+    } else {
+        /*
+         * Here existing ldap object is modified and can be related
+         * to any attribute, so always ensure that the ldap
+         * object is extended with all the kerberos related
+         * objectclasses so that there are no constraint
+         * violations.
+         */
+        {
+            char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL};
+            int p, q, r=0, amask=0;
 
-                if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn,
-                                            "objectclass", attrvalues, &amask)) != 0)
-                    goto cleanup;
+            if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn,
+                                        "objectclass", attrvalues, &amask)) != 0)
+                goto cleanup;
 
-                memset(strval, 0, sizeof(strval));
-                for (p=1, q=0; p<=2; p<<=1, ++q) {
-                    if ((p & amask) == 0)
-                        strval[r++] = attrvalues[q];
-                }
-                if (r != 0) {
-                    if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
-                        goto cleanup;
-                }
+            memset(strval, 0, sizeof(strval));
+            for (p=1, q=0; p<=2; p<<=1, ++q) {
+                if ((p & amask) == 0)
+                    strval[r++] = attrvalues[q];
             }
-            if (xargs.dn != NULL)
-                st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL);
-            else
-                st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL);
-
-            if (st != LDAP_SUCCESS) {
-                snprintf(errbuf, sizeof(errbuf), "User modification failed: %s", ldap_err2string(st));
-                st = translate_ldap_error (st, OP_MOD);
-                krb5_set_error_message(context, st, "%s", errbuf);
-                goto cleanup;
+            if (r != 0) {
+                if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
+                    goto cleanup;
             }
+        }
+        if (xargs.dn != NULL)
+            st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL);
+        else
+            st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL);
 
-            if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
-                entries->fail_auth_count++;
+        if (st != LDAP_SUCCESS) {
+            snprintf(errbuf, sizeof(errbuf), "User modification failed: %s", ldap_err2string(st));
+            st = translate_ldap_error (st, OP_MOD);
+            krb5_set_error_message(context, st, "%s", errbuf);
+            goto cleanup;
         }
+
+        if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
+            entry->fail_auth_count++;
     }
 
 cleanup:
@@ -1269,7 +1267,6 @@ cleanup:
 
     ldap_mods_free(mods, 1);
     krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
-    *nentries = i;
     return(st);
 }
 
index 6d25ca1d8c3783f80913a2c3ef7d408726fd5598..d58fbe965761b815ae22762311d7c58af2d5998d 100644 (file)
@@ -226,8 +226,7 @@ cleanup:
 
 static krb5_error_code
 krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
-                                      char *pol_dn, osa_policy_ent_t *policy,
-                                      int *cnt)
+                                      char *pol_dn, osa_policy_ent_t *policy)
 {
     krb5_error_code             st=0, tempst=0;
     LDAP                        *ld=NULL;
@@ -247,7 +246,6 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
     SETUP_CONTEXT();
     GET_HANDLE();
 
-    *cnt = 0;
     *(policy) = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec));
     if (*policy == NULL) {
         st = ENOMEM;
@@ -256,7 +254,6 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
     memset(*policy, 0, sizeof(osa_policy_ent_rec));
 
     LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);
-    *cnt = 1;
 #if 0 /************** Begin IFDEF'ed OUT *******************************/
     (*policy)->name = strdup(name);
     CHECK_NULL((*policy)->name);
@@ -302,7 +299,7 @@ cleanup:
  */
 krb5_error_code
 krb5_ldap_get_password_policy(krb5_context context, char *name,
-                              osa_policy_ent_t *policy, int *cnt)
+                              osa_policy_ent_t *policy)
 {
     krb5_error_code             st = 0;
     char                        *policy_dn = NULL;
@@ -320,7 +317,8 @@ krb5_ldap_get_password_policy(krb5_context context, char *name,
     if (st != 0)
         goto cleanup;
 
-    st = krb5_ldap_get_password_policy_from_dn(context, name, policy_dn, policy, cnt);
+    st = krb5_ldap_get_password_policy_from_dn(context, name, policy_dn,
+                                               policy);
 
 cleanup:
     if (policy_dn != NULL)
index 12396ac122d3d8a6df123179bbd06649061b90ee..1011195537da5ef7a8ef46368788e407b98449a9 100644 (file)
@@ -33,7 +33,7 @@
 #define _LDAP_KRBPWDPOLICY_H_
 
 krb5_error_code
-krb5_ldap_get_password_policy(krb5_context, char *, osa_policy_ent_t *, int *);
+krb5_ldap_get_password_policy(krb5_context, char *, osa_policy_ent_t *);
 
 krb5_error_code
 krb5_ldap_create_password_policy(krb5_context, osa_policy_ent_t);
index 81df6292cd444ae5e20645303d227c3ff9a10b21..11ca9cdce9b5a314f02ff597a804c57a70711ec1 100644 (file)
@@ -322,9 +322,8 @@ krb5_ldap_delete_realm (krb5_context context, char *lrealm)
                 for (i = 0; values[i] != NULL; ++i) {
                     krb5_parse_name(context, values[i], &principal);
                     if (principal_in_realm_2(principal, lrealm) == 0) {
-                        int nent = 0;
-                        if ((st=krb5_ldap_delete_principal(context, principal,
-                                                           &nent)) != LDAP_SUCCESS)
+                        st=krb5_ldap_delete_principal(context, principal);
+                        if (st && st != KRB5_KDB_NOENTRY)
                             goto cleanup;
                     }
                     krb5_free_principal(context, principal);
index 323963e8dd01bfa0944a34e3e5d9c96343680153..c1a4d7ebe8db1a3c51db1b1f664d8010d5f96804 100644 (file)
@@ -71,11 +71,9 @@ lookup_lockout_policy(krb5_context context,
 
     if (adb.policy != NULL) {
         osa_policy_ent_t policy = NULL;
-        int count = 0;
 
-        code = krb5_ldap_get_password_policy(context, adb.policy,
-                                             &policy, &count);
-        if (code == 0 && count == 1) {
+        code = krb5_ldap_get_password_policy(context, adb.policy, &policy);
+        if (code == 0) {
             *pw_max_fail = policy->pw_max_fail;
             *pw_failcnt_interval = policy->pw_failcnt_interval;
             *pw_lockout_duration = policy->pw_lockout_duration;
@@ -147,7 +145,6 @@ krb5_ldap_lockout_audit(krb5_context context,
     krb5_kvno max_fail = 0;
     krb5_deltat failcnt_interval = 0;
     krb5_deltat lockout_duration = 0;
-    int nentries = 1;
 
     SETUP_CONTEXT();
 
@@ -198,7 +195,7 @@ krb5_ldap_lockout_audit(krb5_context context,
     }
 
     if (entry->mask) {
-        code = krb5_ldap_put_principal(context, entry, &nentries, NULL);
+        code = krb5_ldap_put_principal(context, entry, NULL);
         if (code != 0)
             return code;
     }
index 0d860b909117877311d08531c36600e215f83d86..f451307d714291e26d2efd4445f49477b3dca19d 100644 (file)
@@ -70,7 +70,6 @@ usage(who, status)
 int master_princ_set = 0;
 krb5_keyblock master_keyblock;
 krb5_principal master_princ;
-krb5_db_entry master_entry;
 krb5_pointer master_random;
 krb5_context test_context;
 
@@ -202,9 +201,8 @@ main(argc, argv)
         com_err(progname, retval, "while closing database");
         exit(1);
     }
-    if (master_princ_set) {
+    if (master_princ_set)
         krb5_free_principal(test_context, master_princ);
-    }
     krb5_free_context(test_context);
     exit(0);
 }
@@ -216,10 +214,15 @@ add_princ(context, str_newprinc)
 {
     krb5_error_code       retval;
     krb5_principal        newprinc;
-    krb5_db_entry         newentry;
+    krb5_db_entry         *newentry;
     char                  princ_name[4096];
 
-    memset(&newentry, 0, sizeof(newentry));
+    newentry = krb5_db_alloc(context, NULL, sizeof(*newentry));
+    if (newentry == NULL) {
+        com_err(progname, ENOMEM, "while allocating DB entry");
+        return;
+    }
+    memset(newentry, 0, sizeof(*newentry));
     snprintf(princ_name, sizeof(princ_name), "%s@%s", str_newprinc, cur_realm);
     if ((retval = krb5_parse_name(context, princ_name, &newprinc))) {
         com_err(progname, retval, "while parsing '%s'", princ_name);
@@ -227,15 +230,15 @@ add_princ(context, str_newprinc)
     }
 
     /* Add basic data */
-    newentry.len = KRB5_KDB_V1_BASE_LENGTH;
-    newentry.attributes = mblock.flags;
-    newentry.max_life = mblock.max_life;
-    newentry.max_renewable_life = mblock.max_rlife;
-    newentry.expiration = mblock.expiration;
-    newentry.pw_expiration = mblock.expiration;
+    newentry->len = KRB5_KDB_V1_BASE_LENGTH;
+    newentry->attributes = mblock.flags;
+    newentry->max_life = mblock.max_life;
+    newentry->max_renewable_life = mblock.max_rlife;
+    newentry->expiration = mblock.expiration;
+    newentry->pw_expiration = mblock.expiration;
 
     /* Add princ to db entry */
-    if ((retval = krb5_copy_principal(context, newprinc, &newentry.princ))) {
+    if ((retval = krb5_copy_principal(context, newprinc, &newentry->princ))) {
         com_err(progname, retval, "while encoding princ to db entry for '%s'",
                 princ_name);
         krb5_free_principal(context, newprinc);
@@ -252,7 +255,7 @@ add_princ(context, str_newprinc)
             krb5_free_principal(context, newprinc);
             goto error;
         }
-        retval = krb5_dbe_update_mod_princ_data(context, &newentry, now,
+        retval = krb5_dbe_update_mod_princ_data(context, newentry, now,
                                                 master_princ);
         if (retval) {
             com_err(progname, retval, "while encoding mod_princ data");
@@ -285,7 +288,7 @@ add_princ(context, str_newprinc)
         }
         krb5_free_data_contents(context, &salt);
 
-        if ((retval = krb5_dbe_create_key_data(context, &newentry))) {
+        if ((retval = krb5_dbe_create_key_data(context, newentry))) {
             com_err(progname, retval, "while creating key_data for '%s'",
                     princ_name);
             free(key.contents);
@@ -294,7 +297,7 @@ add_princ(context, str_newprinc)
 
         if ((retval = krb5_dbe_encrypt_key_data(context, &master_keyblock,
                                                 &key, NULL, 1,
-                                                newentry.key_data))) {
+                                                newentry->key_data))) {
             com_err(progname, retval, "while encrypting key for '%s'",
                     princ_name);
             free(key.contents);
@@ -303,26 +306,15 @@ add_princ(context, str_newprinc)
         free(key.contents);
     }
 
-    {
-        int one = 1;
-
-        if ((retval = krb5_db_put_principal(context, &newentry, &one))) {
-            com_err(progname, retval, "while storing principal date");
-            goto error;
-        }
-        if (one != 1) {
-            com_err(progname,0,"entry not stored in database (unknown failure)");
-            goto error;
-        }
+    if ((retval = krb5_db_put_principal(context, newentry))) {
+        com_err(progname, retval, "while storing principal date");
+        goto error;
     }
 
     fprintf(stdout, "Added %s to database\n", princ_name);
 
 error: /* Do cleanup of newentry regardless of error */
-#if 0
-    krb5_dbe_free_contents(context, &newentry);
-#endif
-    krb5_db_free_principal(context, &newentry, 1);
+    krb5_db_free_principal(context, newentry);
     return;
 }
 
@@ -332,11 +324,10 @@ set_dbname_help(pname, dbname)
     char *dbname;
 {
     krb5_error_code retval;
-    int nentries;
-    krb5_boolean more;
     krb5_data pwd, scratch;
     char *args[2];
     krb5_keylist_node *mkeys;
+    krb5_db_entry *master_entry;
 
     /* assemble & parse the master key name */
 
@@ -401,30 +392,20 @@ set_dbname_help(pname, dbname)
         return(1);
     }
     krb5_db_free_mkey_list(test_context, mkeys);
-    nentries = 1;
-    if ((retval = krb5_db_get_principal(test_context, master_princ,
-                                        &master_entry, &nentries, &more))) {
+    if ((retval = krb5_db_get_principal(test_context, master_princ, 0,
+                                        &master_entry))) {
         com_err(pname, retval, "while retrieving master entry");
         (void) krb5_db_fini(test_context);
         return(1);
-    } else if (more) {
-        com_err(pname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
-                "while retrieving master entry");
-        (void) krb5_db_fini(test_context);
-        return(1);
-    } else if (!nentries) {
-        com_err(pname, KRB5_KDB_NOENTRY, "while retrieving master entry");
-        (void) krb5_db_fini(test_context);
-        return(1);
     }
 
-    mblock.max_life = master_entry.max_life;
-    mblock.max_rlife = master_entry.max_renewable_life;
-    mblock.expiration = master_entry.expiration;
+    mblock.max_life = master_entry->max_life;
+    mblock.max_rlife = master_entry->max_renewable_life;
+    mblock.expiration = master_entry->expiration;
 
     /* don't set flags, master has some extra restrictions */
-    mblock.mkvno = master_entry.key_data[0].key_data_kvno;
+    mblock.mkvno = master_entry->key_data[0].key_data_kvno;
 
-    krb5_db_free_principal(test_context, &master_entry, nentries);
+    krb5_db_free_principal(test_context, master_entry);
     return 0;
 }
index 5fdab77c03b56760722c172866afb35ba09eb9d7..dade5cc90d45d013bfd53663441a434c5cceae12 100644 (file)
@@ -68,7 +68,6 @@ usage(who, status)
 
 krb5_keyblock master_keyblock;
 krb5_principal master_princ;
-krb5_db_entry master_entry;
 krb5_encrypt_block master_encblock;
 krb5_pointer master_random;
 char *str_master_princ;
@@ -230,12 +229,10 @@ check_princ(context, str_princ)
     char * str_princ;
 {
     krb5_error_code retval;
-    krb5_db_entry kdbe;
+    krb5_db_entry *kdbe = NULL;
     krb5_keyblock pwd_key, db_key;
     krb5_data pwd, salt;
     krb5_principal princ;
-    krb5_boolean more;
-    int nprincs = 1;
     /* char *str_mod_name; */
     char princ_name[4096];
 
@@ -267,22 +264,15 @@ check_princ(context, str_princ)
     }
     krb5_free_data_contents(context, &salt);
 
-    if ((retval = krb5_db_get_principal(context, princ, &kdbe,
-                                        &nprincs, &more))) {
+    if ((retval = krb5_db_get_principal(context, princ, 0, &kdbe))) {
         com_err(progname, retval, "while attempting to verify principal's existence");
         krb5_free_principal(context, princ);
         goto out;
     }
     krb5_free_principal(context, princ);
 
-    if (nprincs != 1) {
-        com_err(progname, 0, "Found %d entries db entry for %s.\n", nprincs,
-                princ_name);
-        goto errout;
-    }
-
     if ((retval = krb5_dbe_decrypt_key_data(context, &master_keyblock,
-                                            kdbe.key_data, &db_key, NULL))) {
+                                            kdbe->key_data, &db_key, NULL))) {
         com_err(progname, retval, "while decrypting key for '%s'", princ_name);
         goto errout;
     }
@@ -292,7 +282,7 @@ check_princ(context, str_princ)
         fprintf (stderr, "\tKey types do not agree (%d expected, %d from db)\n",
                  pwd_key.enctype, db_key.enctype);
     errout:
-        krb5_db_free_principal(context, &kdbe, nprincs);
+        krb5_db_free_principal(context, kdbe);
         return(-1);
     }
     else {
@@ -307,25 +297,25 @@ check_princ(context, str_princ)
     free(pwd_key.contents);
     free(db_key.contents);
 
-    if (kdbe.key_data[0].key_data_kvno != 1) {
+    if (kdbe->key_data[0].key_data_kvno != 1) {
         fprintf(stderr,"\tkvno did not match stored value for %s.\n", princ_name);
         goto errout;
     }
 
-    if (kdbe.max_life != mblock.max_life) {
+    if (kdbe->max_life != mblock.max_life) {
         fprintf(stderr, "\tmax life did not match stored value for %s.\n",
                 princ_name);
         goto errout;
     }
 
-    if (kdbe.max_renewable_life != mblock.max_rlife) {
+    if (kdbe->max_renewable_life != mblock.max_rlife) {
         fprintf(stderr,
                 "\tmax renewable life did not match stored value for %s.\n",
                 princ_name);
         goto errout;
     }
 
-    if (kdbe.expiration != mblock.expiration) {
+    if (kdbe->expiration != mblock.expiration) {
         fprintf(stderr, "\texpiration time did not match stored value for %s.\n",
                 princ_name);
         goto errout;
@@ -345,14 +335,14 @@ check_princ(context, str_princ)
   }
 */
 
-    if (kdbe.attributes != mblock.flags) {
+    if (kdbe->attributes != mblock.flags) {
         fprintf(stderr, "\tAttributes did not match stored value for %s.\n",
                 princ_name);
         goto errout;
     }
 
 out:
-    krb5_db_free_principal(context, &kdbe, nprincs);
+    krb5_db_free_principal(context, kdbe);
 
     return(0);
 }
@@ -364,11 +354,10 @@ set_dbname_help(context, pname, dbname)
     char *dbname;
 {
     krb5_error_code retval;
-    int nentries;
-    krb5_boolean more;
     krb5_data pwd, scratch;
     char *args[2];
     krb5_keylist_node *mkeys;
+    krb5_db_entry *master_entry;
 
     /* assemble & parse the master key name */
 
@@ -428,21 +417,11 @@ set_dbname_help(context, pname, dbname)
         return(1);
     }
     krb5_db_free_mkey_list(context, mkeys);
-    nentries = 1;
-    if ((retval = krb5_db_get_principal(context, master_princ, &master_entry,
-                                        &nentries, &more))) {
+    if ((retval = krb5_db_get_principal(context, master_princ, 0,
+                                        &master_entry))) {
         com_err(pname, retval, "while retrieving master entry");
         (void) krb5_db_fini(context);
         return(1);
-    } else if (more) {
-        com_err(pname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
-                "while retrieving master entry");
-        (void) krb5_db_fini(context);
-        return(1);
-    } else if (!nentries) {
-        com_err(pname, KRB5_KDB_NOENTRY, "while retrieving master entry");
-        (void) krb5_db_fini(context);
-        return(1);
     }
 
     if ((retval = krb5_unparse_name(context, master_princ,
@@ -466,12 +445,12 @@ set_dbname_help(context, pname, dbname)
         (void) krb5_db_fini(context);
         return(1);
     }
-    mblock.max_life = master_entry.max_life;
-    mblock.max_rlife = master_entry.max_renewable_life;
-    mblock.expiration = master_entry.expiration;
+    mblock.max_life = master_entry->max_life;
+    mblock.max_rlife = master_entry->max_renewable_life;
+    mblock.expiration = master_entry->expiration;
     /* don't set flags, master has some extra restrictions */
-    mblock.mkvno = master_entry.key_data[0].key_data_kvno;
+    mblock.mkvno = master_entry->key_data[0].key_data_kvno;
 
-    krb5_db_free_principal(context, &master_entry, nentries);
+    krb5_db_free_principal(context, master_entry);
     return 0;
 }