Patch from Savitha R:
authorKen Raeburn <raeburn@mit.edu>
Tue, 29 Aug 2006 19:52:38 +0000 (19:52 +0000)
committerKen Raeburn <raeburn@mit.edu>
Tue, 29 Aug 2006 19:52:38 +0000 (19:52 +0000)
    ldap_util
    1. Kdb5_ldap_util interface
    Removed supp enctypes, suppsalttypes from create realm and modify
    realm since they are currently not used
    2. memset passwd strings to zero when not used any more
    3. Using krb5_sname_to_principal in place of gethostbyname while
    creating the kadmin principal with hostname.

    libkdb_ldap
    1. Added mandatory functions which were missing in the LDAP plug-in
    2. Error handling changes - Setting the error message in the
    kerberos context when decryption of the service passwd fails or
    connection to the LDAP server fails during initialization.

Additional changes:

libkdb_ldap: Link against com_err library, to provide error_message().

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18548 dc483132-0cff-0310-8789-dd5450dbe970

17 files changed:
src/lib/krb5/error_tables/kdb5_err.et
src/plugins/kdb/ldap/ldap_exp.c
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h
src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h
src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports

index d6014acec2e4f530db4796943d927fa767c79ecb..953fff328a9f3404492dabf8115cd239223d5cc0 100644 (file)
@@ -75,6 +75,7 @@ ec KRB5_KDB_SERVER_INTERNAL_ERR,   "Server error"
 ec KRB5_KDB_ACCESS_ERROR,       "Unable to access Kerberos database"
 ec KRB5_KDB_INTERNAL_ERROR,     "Kerberos database internal error"
 ec KRB5_KDB_CONSTRAINT_VIOLATION,  "Kerberos database constraints violated"
+ec KRB5_KDB_PLUGIN_OP_NOTSUPP,  "Plugin does not support the operaton"
 
 
 end
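Review bot: The message text added at line 50 misspells "operation" as "operaton"; this string is what error_message() hands to users and what log searches will match on, so fix it before it ships: `ec KRB5_KDB_PLUGIN_OP_NOTSUPP,  "Plugin does not support the operation"`. Once compile_et has generated the table into the library the wording becomes part of its visible output, so it is cheapest to correct now.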
index 15aea0a609ed9ca89ffdf5295606b93a470092d1..6c5a370779129864049c33516c8b852eeef0002c 100644 (file)
@@ -40,6 +40,7 @@
 #include "ldap_principal.h"
 #include "ldap_pwd_policy.h"
 
+
 /*
  *      Exposed API
  */
@@ -51,12 +52,12 @@ kdb_vftabl kdb_function_table = {
   /* fini_library */                          krb5_ldap_lib_cleanup,
   /* init_module */                           krb5_ldap_open,
   /* fini_module */                           krb5_ldap_close,
-  /* db_create */                             NULL,
-  /* db_destroy */                            NULL,
+  /* db_create */                             krb5_ldap_create_realm_1,
+  /* db_destroy */                            krb5_ldap_delete_realm_1,
   /* db_get_age */                             krb5_ldap_db_get_age,
-  /* db_set_option */                         NULL,
-  /* db_lock */                                       NULL,
-  /* db_unlock */                             NULL,
+  /* db_set_option */                         krb5_ldap_set_option,
+  /* db_lock */                                       krb5_ldap_lock,
+  /* db_unlock */                             krb5_ldap_unlock,
   /* db_get_principal */                      krb5_ldap_get_principal,
   /* db_free_principal */                     krb5_ldap_free_principal,
   /* db_put_principal */                      krb5_ldap_put_principal,
@@ -68,11 +69,12 @@ kdb_vftabl kdb_function_table = {
   /* db_iter_policy */                         krb5_ldap_iterate_password_policy,
   /* db_delete_policy */                       krb5_ldap_delete_password_policy,
   /* db_free_policy */                         krb5_ldap_free_password_policy,
-  /* db_supported_realms */                   NULL,
-  /* db_free_supported_realms */              NULL,
-  /* errcode_2_string */                       NULL,
+  /* db_supported_realms */                   krb5_ldap_supported_realms,
+  /* db_free_supported_realms */              krb5_ldap_free_supported_realms,
+  /* errcode_2_string */                       krb5_ldap_errcode_2_string,
   /* db_alloc */                               krb5_ldap_alloc,
   /* db_free */                                krb5_ldap_free,
+            /* optional functions */
   /* set_master_key */                        krb5_ldap_set_mkey,
   /* get_master_key */                        krb5_ldap_get_mkey,
   /* setup_master_key_name */                 NULL,
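Review bot: The `/* optional functions */` heading added at line 93 is indented to a column no other entry in the table uses, so it reads as a stray continuation of the `db_free` slot rather than a divider between the mandatory and optional entries; align it with the slot comments and set it off with a blank line, `  /* optional functions */`. Each slot this hunk and the one above now fill with a krb5_ldap_* function would benefit from a note on whether it is a real implementation or a stub; the `KRB5_KDB_PLUGIN_OP_NOTSUPP` code added to kdb5_err.et in this commit suggests at least some return "not supported", but that is not visible here. kdb_function_table continues outside the hunk.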
index 2c62522af3907a7a1be871c22b0e7fb7f25b1aa7..55b0690ecae1d70ca80f39767a9e9cb9d6d2d733 100644 (file)
@@ -427,91 +427,6 @@ void kdb5_ldap_create(argc, argv)
             mask |= LDAP_REALM_PASSWDSERVERS;
         }
 #endif
-        else if (!strcmp(argv[i], "-enctypes")) {
-            char *tlist[MAX_LIST_ENTRIES] = {NULL};
-
-            if (++i > argc-1)
-                goto err_usage;
-            rparams->suppenctypes = (krb5_enctype *)malloc(
-                            sizeof(krb5_enctype) * MAX_LIST_ENTRIES);
-            if (rparams->suppenctypes == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-            memset(rparams->suppenctypes, 0, sizeof(krb5_enctype) * MAX_LIST_ENTRIES);
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, tlist)) != 0) {
-                goto cleanup;
-            }
-            for(j = 0; tlist[j] != NULL; j++) {
-                if ((retval = krb5_string_to_enctype(tlist[j],
-                            &rparams->suppenctypes[j]))) {
-                   com_err(argv[0], retval, "Invalid encryption type '%s'",
-                           tlist[j]);
-                    krb5_free_list_entries(tlist);
-                    goto err_nomsg;
-                }
-            }
-            rparams->suppenctypes[j] = END_OF_LIST;
-            qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype),
-                             compare_int);
-            mask |= LDAP_REALM_SUPPENCTYPE;
-            krb5_free_list_entries(tlist);
-        }
-        else if (!strcmp(argv[i], "-defenctype")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if ((retval = krb5_string_to_enctype(argv[i], 
-                            &rparams->defenctype))) {
-                com_err(argv[0], retval, "'%s' specified for defenctype, "
-                            "while creating realm '%s'", 
-                            argv[i], global_params.realm);
-                goto err_nomsg;
-            }
-            mask |= LDAP_REALM_DEFENCTYPE;
-        }
-        else if (!strcmp(argv[i], "-salttypes")) {
-            char *tlist[MAX_LIST_ENTRIES] = {NULL};
-
-            if (++i > argc-1)
-                goto err_usage;
-            rparams->suppsalttypes = (krb5_int32 *)malloc(
-                            sizeof(krb5_int32) * MAX_LIST_ENTRIES);
-            if (rparams->suppsalttypes == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-            memset(rparams->suppsalttypes, 0, sizeof(krb5_int32) * MAX_LIST_ENTRIES);
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, tlist))) {
-                goto cleanup;
-            }
-            for(j = 0; tlist[j] != NULL; j++) {
-                if ((retval = krb5_string_to_salttype(tlist[j],
-                            &rparams->suppsalttypes[j]))) {
-                    com_err(argv[0], retval, "'%s' specified for salttypes, "
-                            "while creating realm '%s'", 
-                            tlist[j], global_params.realm);
-                    krb5_free_list_entries(tlist);
-                    goto err_nomsg;
-                }
-            }
-            rparams->suppsalttypes[j] = END_OF_LIST;
-            qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32), 
-                            compare_int);
-            mask |= LDAP_REALM_SUPPSALTTYPE;
-            krb5_free_list_entries(tlist);
-        }
-        else if (!strcmp(argv[i], "-defsalttype")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if ((retval = krb5_string_to_salttype(argv[i], 
-                            &rparams->defsalttype))) {
-                com_err(argv[0], retval, "'%s' specified for defsalttype, "
-                            "while creating realm '%s'", 
-                            argv[i], global_params.realm);
-                goto err_nomsg;
-            }
-            mask |= LDAP_REALM_DEFSALTTYPE;
-        }
         else if (!strcmp(argv[i], "-s")) {
             do_stash = 1;
         }
@@ -530,43 +445,6 @@ void kdb5_ldap_create(argc, argv)
      * default values and also add to the list of supported
      * enctypes/salttype
      */
-    if ( !(mask & LDAP_REALM_DEFENCTYPE) && (rparams != NULL)) {
-       rparams->defenctype = ENCTYPE_DES3_CBC_SHA1;
-       mask |= LDAP_REALM_DEFENCTYPE;
-       printf("Default enctype not specified: \"des3-cbc-sha1\" "
-               "will be added as the default enctype and to the "
-               "list of supported enctypes.\n");
-       
-       /* Now, add this to the list of supported enctypes. The 
-        * duplicate values will be removed in DAL-LDAP
-        */
-       if (mask & LDAP_REALM_SUPPENCTYPE) {
-           for (i=0; rparams->suppenctypes[i] != END_OF_LIST; i++)
-                ;
-           assert (i < END_OF_LIST - 1);
-           rparams->suppenctypes[i] = ENCTYPE_DES3_CBC_SHA1;
-           rparams->suppenctypes[i + 1] = END_OF_LIST;
-       }
-    }
-
-    if ( !(mask & LDAP_REALM_DEFSALTTYPE) && (rparams != NULL)) {
-       rparams->defsalttype = KRB5_KDB_SALTTYPE_NORMAL;
-       mask |= LDAP_REALM_DEFSALTTYPE;
-       printf("Default salttype not specified: \"normal\" will be "
-               "added as the default salttype and to the list of "
-               "supported salttypes.\n");
-       
-       /* Now, add this to the list of supported salttypes. The 
-        * duplicate values will be removed in DAL-LDAP
-        */
-       if (mask & LDAP_REALM_SUPPSALTTYPE) {
-           for (i=0; rparams->suppsalttypes[i] != END_OF_LIST; i++)
-               ;
-           assert (i < END_OF_LIST - 1);
-           rparams->suppsalttypes[i] = KRB5_KDB_SALTTYPE_NORMAL;
-           rparams->suppsalttypes[i + 1] = END_OF_LIST;
-       }
-    }
 
     rblock.max_life = global_params.max_life;
     rblock.max_rlife = global_params.max_rlife;
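Review bot: The comment ending at line 193 ("default values and also add to the list of supported enctypes/salttype") now describes code this hunk deletes; nothing after it fills in a default enctype or salttype any more, and the next statements only copy lifetimes from global_params into rblock. Remove the comment block or reword it to what survives, e.g. `/* Copy the ticket lifetimes from the global parameters into rblock */`. The comment starts before the hunk and kdb5_ldap_create continues outside it.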
@@ -761,7 +639,7 @@ void kdb5_ldap_create(argc, argv)
 
     /* Create special principals inside the realm subtree */
     {
-       char princ_name[MAX_PRINC_SIZE], localname[MAXHOSTNAMELEN];
+        char princ_name[MAX_PRINC_SIZE];
        struct hostent *hp = NULL;
        krb5_principal_data tgt_princ = {
            0,                                  /* magic number */
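Review bot: `struct hostent *hp = NULL;` at line 240 survives the change, but its only assignment, the gethostbyname call, is removed by the hunk at @@ -842,31 +720,32 @@, so hp is now a dead variable and should go the way of `localname`. Whether `princ_name` is still used by the earlier principal creations in this block is not visible here, so leave it unless the compiler reports it unused. kdb5_ldap_create continues outside the hunk.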
@@ -770,7 +648,7 @@ void kdb5_ldap_create(argc, argv)
            2,                                  /* int length */
            KRB5_NT_SRV_INST                    /* int type */
        };
-       krb5_principal p;
+       krb5_principal p, temp_p=NULL;
 
        krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm);
        krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm));
@@ -842,31 +720,32 @@ void kdb5_ldap_create(argc, argv)
        krb5_free_principal(util_context, p);
 
        /* Create 'kadmin/<hostname>' ... */
-       if (gethostname(localname, sizeof(localname))) {
-           retval = errno;
-           com_err(argv[0], retval, "gethostname, while adding entries to the database");
-           goto err_nomsg;
+       if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) {
+            com_err(argv[0], retval, "krb5_sname_to_principal, while adding entries to the database");
+            goto err_nomsg;
        }
-       hp = gethostbyname(localname);
-       if (hp == NULL) {
-           retval = errno;
-           com_err(argv[0], retval, "gethostbyname, while adding entries to the database");
-           goto err_nomsg;
+
+       if((retval=krb5_copy_principal(util_context, p, &temp_p))) {
+            com_err(argv[0], retval, "krb5_copy_principal, while adding entries to the database");
+            goto err_nomsg;
        }
-       assert (sizeof(princ_name) >= strlen(hp->h_name) + strlen(global_params.realm) + 9);
-       /* snprintf(princ_name, MAXHOSTNAMELEN + 8, "kadmin/%s", hp->h_name); */
-       snprintf(princ_name, sizeof(princ_name), "kadmin/%s@%s", hp->h_name, global_params.realm);      
-       if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
-           com_err(argv[0], retval, "while adding entries to the database");
-           goto err_nomsg;
+       
+       /* change the realm portion to the default realm */
+       free( temp_p->realm.data );
+       temp_p->realm.length = strlen( util_context->default_realm );
+       temp_p->realm.data = strdup( util_context->default_realm );
+       if( temp_p->realm.data == NULL ) {
+            com_err(argv[0], ENOMEM, "while adding entries to the database");
+            goto err_nomsg;
        }
 
        rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
-       if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
+       if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
            krb5_free_principal(util_context, p);
            com_err(argv[0], retval, "while adding entries to the database");
            goto err_nomsg;
        }
+       krb5_free_principal(util_context, temp_p);
        krb5_free_principal(util_context, p);
 
        if (ldap_context->lrparams->subtree != NULL)
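Review bot: The kadmin/<host> principal is placed in `util_context->default_realm` (lines 282-284) while the realm being created is `global_params.realm`, which the tgt_princ setup above and the removed snprintf both use, so a run with -r for a realm other than the default files the principal under the wrong realm, and an unset default_realm makes `strlen()` dereference NULL. The detour through `temp_p` also leaks: `p` is not freed when krb5_copy_principal or strdup fails (lines 270-287), and `temp_p` is not freed when kdb_ldap_create_principal fails (lines 292-295). Setting the realm on `p` in place with krb5_set_principal_realm(util_context, p, global_params.realm) removes the manual realm surgery, the `temp_p` declaration added in the previous hunk, and one of the two frees. If main() is known to force default_realm to global_params.realm the wrong-realm case cannot occur, but the NULL case and the leaks remain. kdb5_ldap_create continues outside the hunk.
```c
       /* Create 'kadmin/<hostname>' ... */
       if ((retval = krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) {
           /* … unchanged: com_err + goto err_nomsg … */
       }
       /* krb5_sname_to_principal fills in the host's realm; the entry must
        * live in the realm being created, so overwrite it with global_params.realm. */
       if ((retval = krb5_set_principal_realm(util_context, p, global_params.realm))) {
           krb5_free_principal(util_context, p);
           com_err(argv[0], retval, "while adding entries to the database");
           goto err_nomsg;
       }

       rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
       if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
           krb5_free_principal(util_context, p);
           com_err(argv[0], retval, "while adding entries to the database");
           goto err_nomsg;
       }
       krb5_free_principal(util_context, p);
```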
@@ -1472,220 +1351,6 @@ void kdb5_ldap_modify(argc, argv)
             }
         }
 #endif
-        else if (!strcmp(argv[i], "-enctypes")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if (rmask & LDAP_REALM_SUPPENCTYPE)
-                free(rparams->suppenctypes);
-            rparams->suppenctypes = (krb5_enctype *)malloc(
-                            sizeof(krb5_enctype) * MAX_LIST_ENTRIES);
-            if (rparams->suppenctypes == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
-                goto cleanup;
-
-            for(j = 0; list[j] != NULL; j++) {
-                if ((retval = krb5_string_to_enctype(list[j], 
-                            &rparams->suppenctypes[j]))) {
-                    com_err(argv[0], retval, "'%s' specified for enctypes, "
-                            "while modifying information of realm '%s'", 
-                            list[j], global_params.realm);
-                    goto err_nomsg;
-                }
-            }
-            rparams->suppenctypes[j] = END_OF_LIST;
-            qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype),
-                            compare_int);
-            mask |= LDAP_REALM_SUPPENCTYPE;
-            /* Going to replace the existing value by this new value. Hence
-             * setting flag indicating that add or clear options will be ignored
-             */
-            newenctypes = 1;
-            krb5_free_list_entries(list);
-        }
-        else if (!strcmp(argv[i], "-clearenctypes")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if ((!newenctypes) && (rparams->suppenctypes != NULL)) {
-
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
-                    goto cleanup;
-
-                memset(tlist, END_OF_LIST, sizeof(int) * MAX_LIST_ENTRIES);
-                for(j = 0; list[j] != NULL; j++) {
-                    if ((retval = krb5_string_to_enctype(list[j], &tlist[j]))) {
-                        com_err(argv[0], retval, "'%s' specified for clearenctypes, "
-                            "while modifying information of realm '%s'", 
-                            list[j], global_params.realm);
-                        goto err_nomsg;
-                    }
-                }
-                tlist[j] = END_OF_LIST;
-                j = list_modify_int_array(rparams->suppenctypes, (const int*)tlist,
-                    LIST_MODE_DELETE);
-                qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype),
-                            compare_int);
-                mask |= LDAP_REALM_SUPPENCTYPE;
-                krb5_free_list_entries(list);
-            }
-        }
-        else if (!strcmp(argv[i], "-addenctypes")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if (!newenctypes) {
-               int *tmp;
-
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
-                    goto cleanup;
-
-                existing_entries = list_count_int_array(rparams->suppenctypes);
-                list_entries = list_count_str_array(list);
-
-               tmp = (krb5_enctype *) realloc (rparams->suppenctypes, 
-                       sizeof(krb5_enctype) * (existing_entries+list_entries+1));
-               if (tmp == NULL) {
-                   retval = ENOMEM;
-                   goto cleanup;
-               }
-               rparams->suppenctypes = tmp;
-
-                for(j = 0; list[j] != NULL; j++) {
-                    if ((retval = krb5_string_to_enctype(list[j], &tlist[j]))) {
-                        com_err(argv[0], retval, "'%s' specified for addenctypes, "
-                            "while modifying information of realm '%s'", 
-                            list[j], global_params.realm);
-                        goto err_nomsg;
-                    }
-                }
-                tlist[j] = END_OF_LIST;
-
-                j = list_modify_int_array(rparams->suppenctypes, (const int*)tlist,
-                    LIST_MODE_ADD);
-                qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype),
-                            compare_int);
-                mask |= LDAP_REALM_SUPPENCTYPE;
-                krb5_free_list_entries(list);
-            }
-        }
-        else if (!strcmp(argv[i], "-defenctype")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if ((retval = krb5_string_to_enctype(argv[i], 
-                            &rparams->defenctype))) {
-                com_err(argv[0], retval, "'%s' specified for defenctype, "
-                            "while modifying information of realm '%s'", 
-                            argv[i], global_params.realm);
-                goto err_nomsg;
-            }
-            mask |= LDAP_REALM_DEFENCTYPE;
-        }
-        else if (!strcmp(argv[i], "-salttypes")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if (rmask & LDAP_REALM_SUPPSALTTYPE)
-                free(rparams->suppsalttypes);
-            rparams->suppsalttypes = (krb5_int32 *)malloc(
-                            sizeof(krb5_int32) * MAX_LIST_ENTRIES);
-            if (rparams->suppsalttypes == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
-                goto cleanup;
-
-            for(j = 0; list[j] != NULL; j++) {
-                if ((retval = krb5_string_to_salttype(list[j], 
-                            &rparams->suppsalttypes[j]))) {
-                    com_err(argv[0], retval, "'%s' specified for salttypes, "
-                            "while modifying information of realm '%s'", 
-                            list[j], global_params.realm);
-                    goto err_nomsg;
-                }
-            }
-            rparams->suppsalttypes[j] = END_OF_LIST;
-            qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32),
-                            compare_int);
-            mask |= LDAP_REALM_SUPPSALTTYPE;
-            /* Going to replace the existing value by this new value. Hence
-             * setting flag indicating that add or clear options will be ignored
-             */
-            newsalttypes = 1;
-            krb5_free_list_entries(list);
-        }
-        else if (!strcmp(argv[i], "-clearsalttypes")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if ((!newsalttypes) && (rparams->suppsalttypes != NULL)) {
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
-                    goto cleanup;
-
-                for(j = 0; list[j] != NULL; j++) {
-                    if ((retval = krb5_string_to_salttype(list[j], &tlist[j]))) {
-                        com_err(argv[0], retval, "'%s' specified for clearsalttypes, "
-                            "while modifying information of realm '%s'", 
-                            list[j], global_params.realm);
-                        goto err_nomsg;
-                    }
-                }
-                tlist[j] = END_OF_LIST;
-                j = list_modify_int_array(rparams->suppsalttypes, (const int*)tlist,
-                    LIST_MODE_DELETE);
-                qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32),
-                            compare_int);
-                mask |= LDAP_REALM_SUPPSALTTYPE;
-                krb5_free_list_entries(list);
-            }
-        }
-        else if (!strcmp(argv[i], "-addsalttypes")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if (!newsalttypes) {
-               int *tmp;
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
-                    goto cleanup;
-
-                existing_entries = list_count_int_array(rparams->suppsalttypes);
-                list_entries = list_count_str_array(list);
-
-               tmp = (krb5_int32 *) realloc (rparams->suppsalttypes,
-                       sizeof(krb5_int32) * (existing_entries+list_entries+1));
-               if (tmp == NULL) {
-                   retval = ENOMEM;
-                   goto cleanup;
-               }
-               rparams->suppsalttypes = tmp;
-
-                for(j = 0; list[j] != NULL; j++) {
-                    if ((retval = krb5_string_to_salttype(list[j], &tlist[j]))) {
-                        com_err(argv[0], retval, "'%s' specified for addsalttypes, "
-                            "while modifying information of realm '%s'",
-                            list[j], global_params.realm);
-                        goto err_nomsg;
-                    }
-                }
-                tlist[j] = END_OF_LIST;
-                j = list_modify_int_array(rparams->suppsalttypes, (const int*)tlist,
-                    LIST_MODE_ADD);
-                qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32),
-                            compare_int);
-                mask |= LDAP_REALM_SUPPSALTTYPE;
-                krb5_free_list_entries(list);
-            }
-        }
-        else if (!strcmp(argv[i], "-defsalttype")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if ((retval = krb5_string_to_salttype(argv[i], 
-                            &rparams->defsalttype))) {
-                com_err(argv[0], retval, "'%s' specified for defsalttype, "
-                            "while modifying information of realm '%s'", 
-                            argv[i], global_params.realm);
-                goto err_nomsg;
-            }
-            mask |= LDAP_REALM_DEFSALTTYPE;
-        }
        else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0)
        {
                mask|=ret_mask;
@@ -2169,50 +1834,6 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
         if (num_entry_printed == 0)
             printf("\n");
     }
-    if (mask & LDAP_REALM_SUPPENCTYPE) {
-        printf("%25s:", "Supported Enc Types");
-        if (rparams->suppenctypes != NULL) {
-            num_entry_printed = 0;
-            for(tmplist = rparams->suppenctypes; *tmplist != END_OF_LIST;
-                 tmplist++) {
-                retval = krb5_enctype_to_string(*tmplist, buff, BUFF_LEN);
-                if (retval == 0) {
-                    if (num_entry_printed)
-                        printf(" %25s %-50s\n", " ", buff);
-                    else
-                        printf(" %-50s\n", buff);
-                    num_entry_printed++;
-                }
-            }
-        }
-        if (num_entry_printed == 0)
-            printf("\n");
-    }
-    if (mask & LDAP_REALM_DEFENCTYPE) {
-        retval = krb5_enctype_to_string(rparams->defenctype, buff, BUFF_LEN);
-        if (retval == 0) {
-            printf("%25s: %-50s\n", "Default Enc Type", buff);
-        }
-    }
-    if (mask & LDAP_REALM_SUPPSALTTYPE) {
-        printf("%25s:", "Supported Salt Types");
-        if (rparams->suppsalttypes != NULL) {
-            num_entry_printed = 0;
-            for(tmplist = rparams->suppsalttypes; *tmplist != END_OF_LIST;
-                 tmplist++) {
-                retval = krb5_salttype_to_string(*tmplist, buff, BUFF_LEN);
-                if (retval == 0) {
-                    if (num_entry_printed)
-                        printf(" %25s %-50s\n", " ", buff);
-                    else
-                        printf(" %-50s\n", buff);
-                    num_entry_printed++;
-                }
-            }
-        }
-        if (num_entry_printed == 0)
-            printf("\n");
-    }
     if (mask & LDAP_REALM_MAXTICKETLIFE) {
            printf("%25s:", "Maximum Ticket Life");
            printf(" %s \n", strdur(rparams->max_life));
@@ -2222,10 +1843,11 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
            printf("%25s:", "Maximum Renewable Life");
            printf(" %s \n", strdur(rparams->max_renewable_life));
     }
-    printf("%25s: ", "Ticket flags");
-    if (mask & LDAP_POLICY_TKTFLAGS) {
+
+    if (mask & LDAP_REALM_KRBTICKETFLAGS) {
         int ticketflags = rparams->tktflags;
 
+        printf("%25s: ", "Ticket flags");
         if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
             printf("%s ","DISALLOW_POSTDATED");
 
@@ -2261,16 +1883,9 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
 
         if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
             printf("%s ","PWCHANGE_SERVICE");
-    }
 
-    if (mask & LDAP_REALM_DEFSALTTYPE) {
-           retval = krb5_salttype_to_string(rparams->defsalttype, buff, BUFF_LEN);
-           if (retval == 0) {
-                   printf("\n%25s: %-50s\n", "Default Salt Type", buff);
-           }
+        printf("\n");
     }
-    /* if (mask & LDAP_REALM_POLICYREFERENCE)
-        printf("%25s: %-50s\n", "Policy Reference", rparams->policyreference);*/
 
 
     return;
index 69e3b7694dc111e3fbcd817991580be2085427d1..1ce08feb28e8e8c9a7982257bfde178d84bd9378 100644 (file)
@@ -1743,9 +1743,12 @@ kdb5_ldap_set_service_password(argc, argv)
 
         errcode = tohex(pwd, &hex);
         if (errcode != 0) {
-            if(hex.length != 0)
+            if(hex.length != 0) {
+                memset(hex.data, 0, hex.length);
                 free(hex.data);
+            }
             com_err(me, errcode, "Failed to convert the password to hex");
+            memset(passwd, 0, passwd_len);
             goto cleanup;
         }
         /* Password = {CRYPT}<encrypted password>:<encrypted key> */
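Review bot: Clearing `passwd` before each `goto cleanup` (line 616 here, line 623 in the next hunk) leaves the job to every individual error path, while the `cleanup:` label at @@ -1912,8 +1918,10 @@ still does `if (passwd) free(passwd);` without clearing it, so any path that reaches cleanup without one of the inline memsets — including the normal path, unless it clears elsewhere — frees the plaintext intact. Moving the clear into cleanup, `if (passwd) { memset(passwd, 0, passwd_len); free(passwd); }`, covers every exit once and lets the scattered copies go. Note also that a plain memset immediately followed by free is a dead store the optimizer is allowed to drop; a volatile-based clearing helper is the usual remedy, if the project has one. kdb5_ldap_set_service_password continues outside the hunk.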
@@ -1754,6 +1757,7 @@ kdb5_ldap_set_service_password(argc, argv)
         if (encrypted_passwd.value == NULL) {
             com_err(me, ENOMEM, "while setting service object password");
             memset(passwd, 0, passwd_len);
+            memset(hex.data, 0, hex.length);
             free(hex.data);
             goto cleanup;
         }
@@ -1761,6 +1765,8 @@ kdb5_ldap_set_service_password(argc, argv)
                               1 + 5 + hex.length + 1] = '\0';
         sprintf((char *)encrypted_passwd.value, "%s#{HEX}%s\n", service_object, hex.data);
         encrypted_passwd.len = strlen((char *)encrypted_passwd.value);
+        memset(hex.data, 0, hex.length);
+        free(hex.data);
     }
 
     /* We should check if the file exists and we have permission to write into that file */
@@ -1912,8 +1918,10 @@ cleanup:
     if (passwd)
         free(passwd);
 
-    if (encrypted_passwd.value)
+    if (encrypted_passwd.value) {
+        memset(encrypted_passwd.value, 0, encrypted_passwd.len);
         free(encrypted_passwd.value);
+    }
 
     if (pfile)
         fclose(pfile);
@@ -1949,6 +1957,7 @@ kdb5_ldap_stash_service_password(argc, argv)
     FILE *pfile = NULL;
     krb5_boolean print_usage = FALSE;
     krb5_data hexpasswd = {0, 0, NULL};
+    mode_t old_mode = 0;
 
     /*
      * Format:
@@ -2047,16 +2056,17 @@ done:
 
        ret = tohex(pwd, &hexpasswd);
        if(ret != 0){
-           if(hexpasswd.length != 0)
-               free(hexpasswd.data);
            com_err(me, ret, "Failed to convert the password to hexadecimal");
+            memset(passwd, 0, passwd_len);
            goto cleanup;
        }
     }
+    memset(passwd, 0, passwd_len);
 
     /* TODO: file lock for the service passowrd file */
 
     /* set password in the file */
+    old_mode = umask(0177);
     pfile = fopen(file_name, "a+");
     if (pfile == NULL) {
        com_err(me, errno, "Failed to open file %s: %s", file_name,
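Review bot: `umask(0177)` at line 673 is only undone at line 681 of the next hunk (@@ -2064,6 +2074,7 @@), after the `pfile == NULL` branch that jumps to cleanup, so a failed fopen leaves the process running with the tightened umask. Restore it unconditionally right after the call: `pfile = fopen(file_name, "a+");` / `umask(old_mode);` / `if (pfile == NULL) {`. The umask only governs a file this fopen creates; an existing stash file opened with "a+" keeps whatever mode it already has, which deserves a comment or an explicit fchmod. `mode_t` and `umask` need `<sys/stat.h>`, and the include list is outside this hunk. kdb5_ldap_stash_service_password continues outside the hunk.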
@@ -2064,6 +2074,7 @@ done:
        goto cleanup;
     }
     rewind (pfile);
+    umask(old_mode);
 
     while (fgets (line, MAX_LEN, pfile) != NULL) {
        if ((str = strstr (line, service_object)) != NULL) {
@@ -2162,6 +2173,11 @@ done:
 
 cleanup:
 
+    if(hexpasswd.length != 0) {
+        memset(hexpasswd.data, 0, hexpasswd.length);
+       free(hexpasswd.data);
+    }
+
     if (service_object)
        free(service_object);
 
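Review bot: Line 691 is indented with a tab while lines 689, 690 and 692 use spaces, and `if(hexpasswd.length != 0) {` drops the space that most of the surrounding code puts after `if`; use `    if (hexpasswd.length != 0) {` and space-indent the `free` so the block reads as one unit. The cleanup label and the rest of the function continue outside the hunk.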
index 20dc3e72661c25f768da183229c22989c22d8928..5ff7615f126fd41cd6348d73e32e72ce52f44b44 100644 (file)
@@ -29,7 +29,7 @@ a Kerberos realm.
 Specifies the SSL port number of the LDAP server.
 .SH COMMANDS
 .TP
-\fBcreate\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-enctypes\fP\ \fIsupported_enc_types\fP] [\fB\-defenctype\fP\ \fIdefault_enc_type\fP] [\fB\-salttypes\fP\ \fIsupported_salt_types\fP] [\fB\-defsalttype\fP\ \fIdefault_salt_type\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-m\fP|\fB\-P\fP\ \fIpassword\fP|\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP] [\fB\-admindn\fP\ \fIadmin_service_list\fP] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
+\fBcreate\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-m\fP|\fB\-P\fP\ \fIpassword\fP|\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP] [\fB\-admindn\fP\ \fIadmin_service_list\fP] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
 Creates realm in directory. Options:
 .RS
 .TP
@@ -41,18 +41,6 @@ Specifies the scope for searching the principals under the
 .IR subtree .
 The possible values are 1 or one (one level), 2 or sub (subtree).
 .TP
-\fB\-enctypes\fP\ \fIsupported_enc_types\fP
-Specifies the encryption types supported by the realm. This is a colon-separated list.
-.TP
-\fB\-defenctype\fP\ \fIdefault_enc_type\fP
-Specifies the default encryption type for the realm. This is also a part of supported enctypes list.
-.TP
-\fB\-salttypes\fP\ \fIsupported_salt_types\fP
-Specifies the salt types supported by the realm. This is a colon-separated list.
-.TP
-\fB\-defsalttype\fP\ \fIdefault_salt_type\fP
-Specifies the default salt types for the realm.
-.TP
 \fB\-k\fP\ \fImkeytype\fP
 Specifies the key type of the master key in the database; the default is
 that given in
@@ -235,7 +223,7 @@ Re-enter KDC database master key to verify:
 .RE
 
 .TP
-\fBmodify\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-enctypes\fP\ \fIsupported_enc_types\fP | [\fB\-clearenctypes\fP\ \fIenc_type_list\fP] [\fB\-addenctypes\fP\ \fIenc_type_list\fP]] [\fB\-defenctype\fP\ \fIdefault_enc_type\fP] [\fB\-salttypes\fP\ \fIsupported_salt_types\fP | [\fB\-clearsalttypes\fP\ \fIsalt_type_list\fP] [\fB\-addsalttypes\fP\ \fIsalt_type_list\fP]] [\fB\-defsalttype\fP\ \fIdefault_salt_type\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP] [\fB\-addkdcdn\fP\ \fIkdc_service_list\fP]] [\fB\-admindn\fP\ \fIadmin_service_list\fP | [\fB\-clearadmindn\fP\ \fIadmin_service_list\fP] [\fB\-addadmindn\fP\ \fIadmin_service_list\fP]] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP | [\fB\-clearpwddn\fP\ \fIpasswd_service_list\fP] [\fB\-addpwddn\fP\ \fIpasswd_service_list\fP]] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
+\fBmodify\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP] [\fB\-addkdcdn\fP\ \fIkdc_service_list\fP]] [\fB\-admindn\fP\ \fIadmin_service_list\fP | [\fB\-clearadmindn\fP\ \fIadmin_service_list\fP] [\fB\-addadmindn\fP\ \fIadmin_service_list\fP]] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP | [\fB\-clearpwddn\fP\ \fIpasswd_service_list\fP] [\fB\-addpwddn\fP\ \fIpasswd_service_list\fP]] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
 
 Modifies the attributes of a realm. Options:
 .RS
@@ -248,34 +236,6 @@ Specifies the scope for searching the principals under the
 .IR subtree .
 The possible values are 1 or one (one level), 2 or sub (subtree).
 .TP
-\fB\-enctypes\fP\ \fIsupported_enc_types\fP
-Specifies the encryption types supported by the realm. This is a colon-separated list.
-.TP
-\fB\-clearenctypes\fP\ \fIenc_type_list\fP
-Specifies the encryption types that need to be removed from the supported encryption types 
-of the realm. This is a colon-separated list.
-.TP
-\fB\-addenctypes\fP\ \fIenc_type_list\fP
-Specifies the encryption types that need to be added to the supported encryption types of the
-realm. This is a colon-separated list.
-.TP
-\fB\-defenctype\fP\ \fIdefault_enc_type\fP
-Specifies the default encryption type for the realm.
-.TP
-\fB\-salttypes\fP\ \fIsupported_salt_types\fP
-Specifies the salt types supported by the realm. This is a colon-separated list.
-.TP
-\fB\-clearsalttypes\fP\ \fIsalt_type_list\fP
-Specifies the salt types that need to be removed from the supported salt types of the realm.
-This is a colon-separated list.
-.TP
-\fB\-addsalttypes\fP\ \fIsalt_type_list\fP
-Specifies the salt types that need to be added to the supported salt types of the realm. This
-is a colon-separated list.
-.TP
-\fB\-defsalttype\fP\ \fIdefault_salt_type\fP
-Specifies the default salt type for the realm.
-.TP
 \fB\-maxtktlife\fP\ \fImax_ticket_life\fP
 Specifies maximum ticket life for principals in this realm.
 .TP
@@ -476,14 +436,6 @@ Password for "cn=admin,o=org":
                Realm Name: ATHENA.MIT.EDU
                   Subtree: ou=users,o=org
               SearchScope: ONE
-      Supported Enc Types: DES cbc mode with RSA-MD5
-                           Triple DES cbc mode with HMAC/sha1
-         Default Enc Type: Triple DES cbc mode with HMAC/sha1
-     Supported Salt Types: Version 5
-                           Version 4
-                           Special
-                           AFS version 3
-        Default Salt Type: Version 5
       Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
              Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
index 889151531d9880755848756706f390b20d373630..4b07b27546a1b741a9e7069706aef51d5dedccf6 100644 (file)
@@ -107,7 +107,7 @@ krb5_boolean manual_mkey = FALSE;
 void usage()
 {
      fprintf(stderr, "Usage: "
-"kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]\n"
+"kdb5_ldap_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]\n"
 "\tcmd [cmd_options]\n"
 
 /* Create realm */
@@ -116,8 +116,6 @@ void usage()
 "\t\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n"
 "\t\t[-pwddn passwd_service_list]\n"
 #endif
-"\t\t[-enctypes supported_enc_types] [-defenctype default_enc_type]\n"
-"\t\t[-salttypes supported_salt_types] [-defsalttype default_salt_type]\n"
 "\t\t[-m|-P password|-sf stashfilename] [-k mkeytype]\n"
 "\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
 "\t\t[ticket_flags] [-r realm]\n"
@@ -131,10 +129,6 @@ void usage()
 "\t\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n"
 "\t\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n"
 #endif
-"\t\t[-enctypes supported_enc_types | [-clearenctypes enc_type_list]\n"
-"\t\t[-addenctypes enc_type_list]] [-defenctype default_enc_type]\n"
-"\t\t[-salttypes supported_salt_types | [-clearsalttypes salt_type_list]\n"
-"\t\t[-addsalttypes salt_type_list]] [-defsalttype default_salt_type]\n"
 "\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
 "\t\t[ticket_flags] [-r realm]\n"
 /* View realm */
@@ -508,6 +502,8 @@ int main(argc, argv)
        goto cleanup;
     }
 
+    ldap_context->kcontext = util_context;
+
     /* If LDAP parameters are specified, replace them with the values from config */
     if (ldapmask & CMD_LDAP_D) {
         /* If password is not specified, prompt for it */
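Review bot: The new `ldap_context->kcontext = util_context;` has no comment saying why the utility sets the field itself when krb5_ldap_open also sets it (in the kdb_ldap.c hunk of this commit); presumably the utility builds ldap_context directly instead of going through krb5_ldap_open, so the context used for error reporting would otherwise stay NULL and the new guards in kdb_ldap_conn.c would drop every message. A one-line comment would save the next reader that search: `/* kdb5_ldap_util creates ldap_context itself, so the context used by krb5_set_error_message has to be set here rather than in krb5_ldap_open */`. main's body continues on both sides of the hunk.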
index 1b650c53012209a3ca5c29df48b9a6b22ba446bd..c6cec5752495ae379f9eb3982d16ee6dd9b331f4 100644 (file)
@@ -31,7 +31,7 @@ SHLIB_EXPDEPS = \
        $(TOPLIBD)/libk5crypto$(SHLIBEXT) \
        $(SUPPORT_DEPLIB) \
        $(TOPLIBD)/libkrb5$(SHLIBEXT)
-SHLIB_EXPLIBS= $(GSSRPC_LIBS) -lkrb5 -lk5crypto $(SUPPORT_LIB) -lldap -llber $(LIBS)
+SHLIB_EXPLIBS= $(GSSRPC_LIBS) -lkrb5 -lk5crypto $(COM_ERR_LIB) $(SUPPORT_LIB) -lldap -llber $(LIBS)
 SHLIB_DIRS=-L$(TOPLIBD)
 SHLIB_RDIRS=$(KRB5_LIBDIR)
 
index 358bf152fc8ccdf289df7206773ee7eda746a1a5..7c3622425950c7c0a878295e9670601c51dc7d39 100644 (file)
@@ -236,6 +236,7 @@ krb5_error_code krb5_ldap_open( krb5_context context,
        goto clean_n_exit;
     }
     
+    ldap_context->kcontext = context;
 
     while ( t_ptr && *t_ptr )
     {
index 888fed0c51fc7d22765dd748fcb687c6d426e620..2bb3b8574fa831d177b98b9a19276812630d6a5a 100644 (file)
@@ -201,6 +201,7 @@ typedef struct _krb5_ldap_context {
   k5_mutex_t                    hndl_lock;
   krb5_ldap_krbcontainer_params *krbcontainer;
   krb5_ldap_realm_params        *lrparams;
+  krb5_context                  kcontext;   /* to set the error code and message */
 } krb5_ldap_context;
 
 
@@ -259,4 +260,24 @@ krb5_ldap_read_startup_information(krb5_context );
 int
 has_sasl_external_mech(krb5_context, char *);
 
+/* DAL functions */
+
+krb5_error_code
+krb5_ldap_set_option( krb5_context, int, void * );
+
+krb5_error_code
+krb5_ldap_lock( krb5_context, int );
+
+krb5_error_code
+krb5_ldap_unlock( krb5_context );
+
+krb5_error_code
+krb5_ldap_supported_realms( krb5_context, char ** );
+
+krb5_error_code
+krb5_ldap_free_supported_realms( krb5_context, char ** );
+
+krb5_error_code
+krb5_ldap_errcode_2_string( krb5_context, long );
+
 #endif
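Review bot: The new prototypes put spaces inside the parentheses, `krb5_ldap_set_option( krb5_context, int, void * );`, while the neighbouring declarations such as `has_sasl_external_mech(krb5_context, char *);` do not; matching the file's style, `krb5_ldap_set_option(krb5_context, int, void *);`, keeps the header consistent, and naming the parameters (`krb5_context kcontext, int option, void *value`) would document them since the definitions in ldap_misc.c carry no comments. In the struct hunk above, the `kcontext` member's comment says what it is for but not its ownership; as krb5_ldap_open stores the caller's context into an ldap_context that the context itself presumably reaches, it is a back-reference that must not be freed or used after the context is gone. Suggest `krb5_context kcontext; /* non-owning back-pointer to the context that opened this ldap_context; used only for krb5_set_error_message, may be NULL */`.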
index b0902d23cade83f593dfccdae742273c7d9e910e..5832554ad1b26fdcc61bbd71a3b21b014c398853 100644 (file)
@@ -161,7 +161,8 @@ krb5_ldap_initialize(ldap_context, server_info)
     if((ldap_server_handle->ldap_handle=ldap_init(server_info->server_name, 
                                                  port)) == NULL) {
         st = KRB5_KDB_ACCESS_ERROR;
-        krb5_set_error_message (0, st, "%s", strerror(errno));
+        if (ldap_context->kcontext)
+            krb5_set_error_message (ldap_context->kcontext, st, "%s", strerror(errno));
        goto err_out;
     }
     
@@ -170,7 +171,8 @@ krb5_ldap_initialize(ldap_context, server_info)
        server_info->server_status = ON;
        krb5_update_ldap_handle(ldap_server_handle, server_info);
     } else {
-        krb5_set_error_message (0, KRB5_KDB_ACCESS_ERROR, "%s",
+        if (ldap_context->kcontext)
+            krb5_set_error_message (ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR, "%s",
                                ldap_err2string(st));
         st = KRB5_KDB_ACCESS_ERROR;
        server_info->server_status = OFF;
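Review bot: When ldap_context->kcontext is NULL the new guard drops the ldap_err2string detail silently, so a caller that built the handle without setting kcontext gets a bare KRB5_KDB_ACCESS_ERROR with no indication which server or bind step failed; the guard in the previous hunk does the same with the strerror text. In that previous hunk, ldap_init() is not documented to set errno on every failure path, so `strerror(errno)` may describe an earlier, unrelated error — if a libldap error code is available at that point it is the more reliable source. A short comment above each guard, `/* kcontext is NULL when the handle was created outside krb5_ldap_open; the detail is then unavailable to the caller */`, would make the omission deliberate rather than accidental. krb5_ldap_initialize's body continues outside both hunks.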
index 153a3c63e674128dea9b6e10c5f59e09b6773431..af061640bf1d4c7e58d1d4f52d2c6c811b951347 100644 (file)
@@ -1469,3 +1469,52 @@ krb5_add_int_mem_ldap_mod(mods, attribute, op, value)
        return ENOMEM;
     return 0;
 }
+
+krb5_error_code
+krb5_ldap_set_option( krb5_context kcontext, int option, void *value )
+{
+    krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+    krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+    return status;
+}
+
+krb5_error_code
+krb5_ldap_lock( krb5_context kcontext, int mode )
+{
+    krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+    krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+    return status;
+}
+
+krb5_error_code
+krb5_ldap_unlock( krb5_context kcontext )
+{
+    krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+    krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+    return status;
+}
+
+krb5_error_code
+krb5_ldap_supported_realms( krb5_context kcontext, char **realms )
+{
+    krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+    krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+    return status;
+}
+
+krb5_error_code
+krb5_ldap_free_supported_realms( krb5_context kcontext, char **realms )
+{
+    krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+    krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+    return status;
+}
+
+krb5_error_code
+krb5_ldap_errcode_2_string( krb5_context kcontext, long err_code )
+{
+    krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+    krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+    return status;
+}
+
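Review bot: The six new entry points here (and krb5_ldap_create_realm_1/krb5_ldap_delete_realm_1 in the ldap_realm.c hunk) repeat the same three-line body, and none of them uses its parameters, which `-Wextra` will report; a single helper that records the message and returns KRB5_KDB_PLUGIN_OP_NOTSUPP, with `(void)` casts for the unused arguments, removes the duplication. error_message(status) yields the table text only if the kdb5 error table has been registered by the time these stubs run; otherwise the message degrades to an unknown-code string, which is worth a comment on the helper. If the DAL layer does not treat KRB5_KDB_PLUGIN_OP_NOTSUPP from krb5_ldap_lock/krb5_ldap_unlock as a no-op, every operation bracketed by them fails against this back end — the caller is not visible here, so a comment stating that expectation would help. The helper could be static in this file, or declared in kdb_ldap.h if ldap_realm.c's two stubs are to share it.
```c
/* Shared body for the DAL entry points this back end does not implement:
 * record the reason on the context and report KRB5_KDB_PLUGIN_OP_NOTSUPP.
 * error_message() gives the table text only once the kdb5 error table is loaded. */
static krb5_error_code
ldap_op_not_supported(krb5_context kcontext)
{
    krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
    krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
    return status;
}

krb5_error_code
krb5_ldap_set_option(krb5_context kcontext, int option, void *value)
{
    (void)option;
    (void)value;
    return ldap_op_not_supported(kcontext);
}

/* … unchanged pattern: krb5_ldap_lock, krb5_ldap_unlock, krb5_ldap_supported_realms,
 *   krb5_ldap_free_supported_realms and krb5_ldap_errcode_2_string likewise cast
 *   their unused parameters to void and return ldap_op_not_supported(kcontext) … */
```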
index 6509ff9e7f1053bedfad2dc5d2921c4aa7d78fcf..52c113cd5f37a37d57ac9792137ed4817d0beab7 100644 (file)
@@ -205,10 +205,7 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more)
            if(attr_present == TRUE){
                    if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_TKTPOLICYDN, policydn)) != 0)
                            goto cleanup;
-           }
-           if(!(mask & KDB_MAX_LIFE_ATTR) && !(mask & KDB_MAX_RLIFE_ATTR) && !(mask & KDB_TKT_FLAGS_ATTR)){
-                   if (attr_present == TRUE)
-                           mask |= KDB_POL_REF_ATTR;
+                   mask |= KDB_POL_REF_ATTR;
            }
 
            /* KRBPWDPOLICYREFERENCE */
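Review bot: The rewritten block now sets KDB_POL_REF_ATTR whenever a policy DN is present, and the krb5_read_tkt_policyreference hunk below changes the lookup condition from `(mask & tkt_mask) != tkt_mask` to `(mask & tkt_mask) == 0`, so the ticket policy is consulted only when none of the per-principal max-life, max-renewable-life and ticket-flag attributes is set, where before it was consulted whenever any was missing. Unless code after that hunk merges the policy per attribute (the omask variable suggests it may), a principal with just a per-principal maximum life would no longer inherit the policy's ticket flags, which is a security-relevant change that the commit description does not mention. A comment at the condition stating the intended precedence, e.g. `/* any per-principal ticket attribute takes precedence over the policy as a whole */`, would record the decision. Both enclosing functions extend outside their hunks.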
@@ -1068,7 +1065,7 @@ krb5_read_tkt_policyreference(context, ldap_context, entries, policydn)
     if ((st=krb5_get_attributes_mask(context, entries, &mask)) != 0)
        goto cleanup;
 
-    if ((mask & tkt_mask) != tkt_mask) {
+    if ((mask & tkt_mask) == 0) {
        if (policydn != NULL) {
            st = krb5_ldap_read_policy(context, policydn, &tktpoldnparam, &omask);
            if (st && st != KRB5_KDB_NOENTRY) {
index 2ac8219c1f64d4621bf821bd52d014e2ab898fcc..87f619c9d513b90f529768f530bd7f79dbd69db9 100644 (file)
@@ -1648,3 +1648,21 @@ krb5_ldap_free_realm_params(rparams)
     }
     return;
 }
+
+/* DAL functions */
+
+krb5_error_code
+krb5_ldap_create_realm_1(krb5_context kcontext, char *conf_section, char **db_args)
+{
+    krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+    krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+    return status;
+}
+
+krb5_error_code
+krb5_ldap_delete_realm_1(krb5_context kcontext, char *conf_section, char **db_args)
+{
+    krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+    krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+    return status;
+}
index fabc316ca6c4e1ec7a68c1e96a260661181fd56d..21d7d877c6384ec0790afe4813ae51a6b4d57dbb 100644 (file)
@@ -68,7 +68,6 @@ typedef struct _krb5_ldap_realm_params {
   krb5_int32    defsalttype;
   krb5_enctype  *suppenctypes;
   krb5_int32    *suppsalttypes;
-  char          **ldapservers;
   char          **kdcservers;
   char          **adminservers;
   char          **passwdservers;
@@ -96,4 +95,10 @@ krb5_ldap_read_realm_params(krb5_context , char *, krb5_ldap_realm_params **, in
 void
 krb5_ldap_free_realm_params(krb5_ldap_realm_params *);
 
+krb5_error_code
+krb5_ldap_create_realm_1(krb5_context, char *, char **);
+
+krb5_error_code
+krb5_ldap_delete_realm_1(krb5_context, char *, char **);
+
 #endif
index 865fe21a184f12b14db00f89910867a1cf9de589..702f548c503f1a3bf3b68c16d1fe13177c66faa4 100644 (file)
@@ -136,6 +136,26 @@ krb5_ldap_readpassword(context, ldap_context, password)
            CT.len = strlen((char *)CT.value);
            st = dec_password(CT, &PT);
            if(st != 0){
+                switch (st) {
+                    case ERR_NO_MEM:
+                        st = ENOMEM;
+                        break;
+                    case ERR_PWD_ZERO:
+                        st = EINVAL;
+                        krb5_set_error_message(context, st, "Password has zero length");
+                        break;
+                    case ERR_PWD_BAD:
+                        st = EINVAL;
+                        krb5_set_error_message(context, st, "Password corrupted");
+                        break;
+                    case ERR_PWD_NOT_HEX:
+                        st = EINVAL;
+                        krb5_set_error_message(context, st, "Not a hexadecimal password");
+                        break;
+                    default:
+                       st = KRB5_KDB_SERVER_INTERNAL_ERR;
+                        break;
+                }
                goto rp_exit;
            }
            *password = PT.value;
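Review bot: The `default` arm's `st = KRB5_KDB_SERVER_INTERNAL_ERR;` is indented with a tab while the other arms use spaces, so it reads as a different nesting level in the diff; aligning it with the `break;` below avoids the confusion. A one-line comment above the switch, `/* dec_password returns its own ERR_* codes; map them to errno/kdb codes before they reach the caller */`, would explain why the translation lives here rather than in dec_password. krb5_ldap_readpassword's body continues on both sides of the hunk.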
@@ -192,6 +212,11 @@ tohex(in, ret)
  *   <secret> := {HEX}<password in hexadecimal>
  *
  * <password> is the actual eDirectory password of the service
+ * Return values:
+ * ERR_NO_MEM      - No Memory
+ * ERR_PWD_ZERO    - Password has zero length
+ * ERR_PWD_BAD     - Passowrd corrupted
+ * ERR_PWD_NOT_HEX - Not a hexadecimal password
  */
 
 int dec_password(struct data pwd, struct data *ret){
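Review bot: The new return-value list has a typo, `ERR_PWD_BAD     - Passowrd corrupted`, which should read `ERR_PWD_BAD     - Password corrupted`. The list would also be clearer if it stated that the codes are the private ERR_* values from ldap_service_stash.h rather than errno values, since the caller has to translate them: `Return values: 0 on success, otherwise one of the ERR_* codes below (not errno values)`. dec_password's body continues after the hunk.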
@@ -202,8 +227,7 @@ int dec_password(struct data pwd, struct data *ret){
     ret->value = NULL;
     
     if (pwd.len == 0) {
-       err = EINVAL;
-        krb5_set_error_message (0, err, "Password has zero length");
+        err = ERR_PWD_ZERO;
         ret->len = 0;
         goto cleanup;
     }
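Review bot: dec_password now returns ERR_PWD_ZERO and the other ERR_* codes, which the ldap_service_stash.h hunk defines as 1–4 and which therefore overlap low errno values on typical systems; any caller of dec_password other than krb5_ldap_readpassword that still treats the return as errno or a krb5_error_code would print a misleading message, and the `int` return type gives no hint. If the header is the function's only advertised interface, an `enum { ERR_NO_MEM = 1, ERR_PWD_ZERO, ERR_PWD_BAD, ERR_PWD_NOT_HEX };` with a comment that these are private to the stash code would make the convention explicit; otherwise the errno-valued return should be kept and only the message moved to the caller. dec_password's body continues outside the hunk.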
@@ -214,14 +238,13 @@ int dec_password(struct data pwd, struct data *ret){
        
        if((pwd.len - strlen("{HEX}")) % 2 != 0){
            /* A hexadecimal encoded password should have even length */
-           err = EINVAL;
-           krb5_set_error_message (0, err, "Password corrupted");
+            err = ERR_PWD_BAD;
            ret->len = 0;
            goto cleanup;
        }
        ret->value = (unsigned char *)malloc((pwd.len - strlen("{HEX}")) / 2 + 1);
        if(ret->value == NULL){
-           err = ENOMEM;
+           err = ERR_NO_MEM;
            ret->len = 0;
            goto cleanup;
        }
@@ -231,8 +254,7 @@ int dec_password(struct data pwd, struct data *ret){
            int k;
            /* Check if it is a hexadecimal number */
            if (isxdigit(pwd.value[i]) == 0 || isxdigit(pwd.value[i + 1]) == 0) {
-               err = EINVAL;
-                krb5_set_error_message (0, err, "Not a hexadecimal password");
+                err = ERR_PWD_NOT_HEX;
                 ret->len = 0;
                 goto cleanup;
            }
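Review bot: On this path ret->value has already been allocated a few lines above the hunk, and the error exit sets ret->len to 0 but leaves ret->value pointing at the buffer; unless the cleanup label frees it and resets it to NULL (not visible here), the buffer leaks and the caller sees a non-NULL value with zero length. Since the buffer holds partially decoded service-password bytes, clearing it before release is also worth considering: `memset(ret->value, 0, ret_len_so_far); free(ret->value); ret->value = NULL;` before `goto cleanup`, if cleanup does not already do so. dec_password's body continues outside the hunk.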
@@ -241,8 +263,7 @@ int dec_password(struct data pwd, struct data *ret){
        }
        goto cleanup;
     } else {
-       err = EINVAL;
-        krb5_set_error_message (0, err, "Not a hexadecimal password");
+        err = ERR_PWD_NOT_HEX;
         ret->len = 0;
         goto cleanup;
     }
index c51d1a172ba2144ac445128d191ccc0e79a0ed01..bd7e3dc6364d9dac5a6cd1c6f158bd07f855aba9 100644 (file)
@@ -37,6 +37,11 @@ struct data{
     unsigned char *value;
 };
 
+#define ERR_NO_MEM      1
+#define ERR_PWD_ZERO    2
+#define ERR_PWD_BAD     3
+#define ERR_PWD_NOT_HEX 4
+
 int 
 dec_password(struct data, struct data *);
 
index 2e75b7eae8c78916dcd7c5eb554bf318876db5cc..8178271ea09e977185fad8dad18d2124656702f9 100644 (file)
@@ -39,3 +39,11 @@ krb5_ldap_free
 krb5_ldap_set_mkey
 krb5_ldap_get_mkey
 disjoint_members
+krb5_ldap_create_realm_1
+krb5_ldap_delete_realm_1
+krb5_ldap_set_option
+krb5_ldap_lock
+krb5_ldap_unlock
+krb5_ldap_supported_realms
+krb5_ldap_free_supported_realms
+krb5_ldap_errcode_2_string