Merge three patches from Novell, with some updates related to work in
authorKen Raeburn <raeburn@mit.edu>
Mon, 22 Sep 2008 18:17:38 +0000 (18:17 +0000)
committerKen Raeburn <raeburn@mit.edu>
Mon, 22 Sep 2008 18:17:38 +0000 (18:17 +0000)
our tree since they were submitted, and reindenting for one source
file that got particularly ugly in the process.

From Savitha R on 2008-02-18 (yes, it was sitting in my queue a while):

Attached patches have fixes for some issues in LDAP backend.

1. patch-mem-pwd.txt
This patch clears the password in memory, fixes some memory leaks (in
common code) and a segfault in eDirectory specific code.

2. patch-princ-attrs.txt
This patch removes some eDirectory specific attributes from the common
code

3. patch-edir-rights.txt
This patch is specific to eDirectory code and fixes some rights issue.
It adds and deletes rights to service objects as required on the kerberos
attributes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20744 dc483132-0cff-0310-8789-dd5450dbe970

src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h
src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports

index 288a5a0c6b35fe4103db13a792731e7dba816fe6..83eb162867f205e0c9470cdcbe0b699788e01e79 100644 (file)
@@ -139,6 +139,14 @@ static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_
 #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
 #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
 
+#ifdef HAVE_EDIRECTORY
+#define FREE_DN_LIST(dnlist)    if (dnlist != NULL) { \
+                                   for (idx=0; dnlist[idx] != NULL; idx++) \
+                                        free(dnlist[idx]); \
+                                   free(dnlist); \
+                                }
+#endif
+
 static int get_ticket_policy(rparams,i,argv,argc)
     krb5_ldap_realm_params *rparams;
     int *i;
@@ -346,7 +354,7 @@ void kdb5_ldap_create(argc, argv)
            if (++i > argc-1)
                goto err_usage;
 
-           if(strncmp(argv[i], "", strlen(argv[i]))!=0) {
+           if (strncmp(argv[i], "", strlen(argv[i]))!=0) {
                list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
                if (list == NULL) {
                    retval = ENOMEM;
@@ -359,27 +367,27 @@ void kdb5_ldap_create(argc, argv)
                }
 
                rparams->subtreecount=0;
-               while(list[rparams->subtreecount]!=NULL)
+               while (list[rparams->subtreecount]!=NULL)
                    (rparams->subtreecount)++;
                rparams->subtree = list;
-           } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
-                /* dont allow subtree value to be set at the root(NULL, "") of the tree */
-                com_err(progname, EINVAL,
-                         "for subtree while creating realm '%s'",
-                          global_params.realm);
-                goto err_nomsg;
+           } else if (strncmp(argv[i], "", strlen(argv[i]))==0) {
+               /* dont allow subtree value to be set at the root(NULL, "") of the tree */
+               com_err(progname, EINVAL,
+                       "for subtree while creating realm '%s'",
+                       global_params.realm);
+               goto err_nomsg;
            }
            rparams->subtree[rparams->subtreecount] = NULL;
            mask |= LDAP_REALM_SUBTREE;
        } else if (!strcmp(argv[i], "-containerref")) {
            if (++i > argc-1)
                goto err_usage;
-           if(strncmp(argv[i], "", strlen(argv[i]))==0) {
-                /* dont allow containerref value to be set at the root(NULL, "") of the tree */
-                com_err(progname, EINVAL,
-                         "for container reference while creating realm '%s'",
-                          global_params.realm);
-                goto err_nomsg;
+           if (strncmp(argv[i], "", strlen(argv[i]))==0) {
+               /* dont allow containerref value to be set at the root(NULL, "") of the tree */
+               com_err(progname, EINVAL,
+                       "for container reference while creating realm '%s'",
+                       global_params.realm);
+               goto err_nomsg;
            }
            rparams->containerref = strdup(argv[i]);
            if (rparams->containerref == NULL) {
@@ -796,7 +804,7 @@ void kdb5_ldap_create(argc, argv)
            for (i=0; (rparams->kdcservers[i] != NULL); i++) {
                if ((retval=krb5_ldap_add_service_rights(util_context,
                                                         LDAP_KDC_SERVICE, rparams->kdcservers[i],
-                                                        rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+                                                        rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
                    printf("failed\n");
                    com_err(progname, retval, "while assigning rights to '%s'",
                            rparams->realm_name);
@@ -812,7 +820,7 @@ void kdb5_ldap_create(argc, argv)
            for (i=0; (rparams->adminservers[i] != NULL); i++) {
                if ((retval=krb5_ldap_add_service_rights(util_context,
                                                         LDAP_ADMIN_SERVICE, rparams->adminservers[i],
-                                                        rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+                                                        rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
                    printf("failed\n");
                    com_err(progname, retval, "while assigning rights to '%s'",
                            rparams->realm_name);
@@ -828,7 +836,7 @@ void kdb5_ldap_create(argc, argv)
            for (i=0; (rparams->passwdservers[i] != NULL); i++) {
                if ((retval=krb5_ldap_add_service_rights(util_context,
                                                         LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
-                                                        rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+                                                        rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
                    printf("failed\n");
                    com_err(progname, retval, "while assigning rights to '%s'",
                            rparams->realm_name);
@@ -917,7 +925,7 @@ void kdb5_ldap_modify(argc, argv)
     int mask = 0, rmask = 0, ret_mask = 0;
     char **slist = {NULL};
 #ifdef HAVE_EDIRECTORY
-    int j = 0;
+    int j = 0, idx = 0;
     char *list[MAX_LIST_ENTRIES];
     int existing_entries = 0, list_entries = 0;
     int newkdcdn = 0, newadmindn = 0, newpwddn = 0;
@@ -929,7 +937,8 @@ void kdb5_ldap_modify(argc, argv)
     char **newsubtrees = NULL;
     char **newadmindns = NULL;
     char **newpwddns = NULL;
-    char **oldsubtrees = {NULL};
+    char **oldsubtrees = NULL;
+    char *oldcontainerref = NULL; 
     int rightsmask = 0;
     int subtree_changed = 0;
 #endif
@@ -966,15 +975,15 @@ void kdb5_ldap_modify(argc, argv)
                        retval = ENOMEM;
                        goto cleanup;
                    }
-                   for(k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) {
+                   for (k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) {
                        oldsubtrees[k] = strdup(rparams->subtree[k]);
-                       if( oldsubtrees[k] == NULL ) {
+                       if (oldsubtrees[k] == NULL) {
                            retval = ENOMEM;
                            goto cleanup;
                        }
                    }
 #endif
-                   for(k=0; k<rparams->subtreecount && rparams->subtree[k]; k++)
+                   for (k=0; k<rparams->subtreecount && rparams->subtree[k]; k++)
                        free(rparams->subtree[k]);
                    rparams->subtreecount=0;
                }
@@ -985,35 +994,40 @@ void kdb5_ldap_modify(argc, argv)
                    retval = ENOMEM;
                    goto cleanup;
                }
-               if (( retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) {
+               if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) {
                    free(slist);
                    slist = NULL;
                    goto cleanup;
                }
 
                rparams->subtreecount=0;
-               while(slist[rparams->subtreecount]!=NULL)
+               while (slist[rparams->subtreecount]!=NULL)
                    (rparams->subtreecount)++;
                rparams->subtree =  slist;
-           } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
-                /* dont allow subtree value to be set at the root(NULL, "") of the tree */
-                   com_err(progname, EINVAL,
-                           "for subtree while modifying realm '%s'",
-                           global_params.realm);
-                   goto err_nomsg;
+           } else if (strncmp(argv[i], "", strlen(argv[i]))==0) {
+               /* dont allow subtree value to be set at the root(NULL, "") of the tree */
+               com_err(progname, EINVAL,
+                       "for subtree while modifying realm '%s'",
+                       global_params.realm);
+               goto err_nomsg;
            }
            rparams->subtree[rparams->subtreecount] = NULL;
            mask |= LDAP_REALM_SUBTREE;
        } else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) {
            if (++i > argc-1)
                goto err_usage;
-           if(strncmp(argv[i], "", strlen(argv[i]))==0) {
-                /* dont allow containerref value to be set at the root(NULL, "") of the tree */
-                com_err(progname, EINVAL,
-                         "for container reference while modifying realm '%s'",
-                          global_params.realm);
-                goto err_nomsg;
+           if (strncmp(argv[i], "", strlen(argv[i]))==0) {
+               /* dont allow containerref value to be set at the root(NULL, "") of the tree */
+               com_err(progname, EINVAL,
+                       "for container reference while modifying realm '%s'",
+                       global_params.realm);
+               goto err_nomsg;
            }
+#ifdef HAVE_EDIRECTORY
+            if (rparams->containerref != NULL) {
+                oldcontainerref = rparams->containerref;
+            }
+#endif
            rparams->containerref = strdup(argv[i]);
            if (rparams->containerref == NULL) {
                retval = ENOMEM;
@@ -1431,299 +1445,417 @@ void kdb5_ldap_modify(argc, argv)
     }
 
 #ifdef HAVE_EDIRECTORY
-    if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS) ||
+    if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF) || (mask & LDAP_REALM_KDCSERVERS) ||
        (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) {
 
        printf("Changing rights for the service object. Please wait ... ");
        fflush(stdout);
 
-       if (!(mask & LDAP_REALM_SUBTREE)) {
-           if (rparams->subtree != NULL) {
-               for(i=0; rparams->subtree[i]!=NULL;i++) {
-                   oldsubtrees[i] = strdup(rparams->subtree[i]);
-                   if( oldsubtrees[i] == NULL ) {
-                       retval = ENOMEM;
-                       goto cleanup;
-                   }
-               }
-           }
+        if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF)) {
+            subtree_changed = 1;
        }
 
-       if ((mask & LDAP_REALM_SUBTREE)) {
-           int check_subtree = 1;
-
-           newsubtrees = (char**) calloc(rparams->subtreecount, sizeof(char*));
-
-           if (newsubtrees == NULL) {
-               retval = ENOMEM;
-               goto cleanup;
-           }
-
-           if ( (rparams != NULL) && (rparams->subtree != NULL) ) {
-               for (j=0; j<rparams->subtreecount && rparams->subtree[j]!= NULL; j++) {
-                   newsubtrees[j] = strdup(rparams->subtree[j]);
-                   if (newsubtrees[j] == NULL) {
-                       retval = ENOMEM;
-                       goto cleanup;
-                   }
-               }
-               newsubtrees[j] = NULL;
-           }
-           for(j=0;oldsubtrees[j]!=NULL;j++) {
-               check_subtree = 1;
-               for(i=0; ( (oldsubtrees[j] && !rparams->subtree[i]) ||
-                       (!oldsubtrees[j] && rparams->subtree[i])); i++) {
-                   if(strcasecmp( oldsubtrees[j], rparams->subtree[i]) == 0) {
-                       check_subtree = 0;
-                       continue;
+        if ((subtree_changed) || (mask & LDAP_REALM_KDCSERVERS)) {
+
+            if (!(mask & LDAP_REALM_KDCSERVERS)) {
+                if (rparams->kdcservers != NULL) {
+                    char **kdcdns = rparams->kdcservers;
+                    /* Only subtree and/or container ref has changed */
+                    rightsmask =0;
+                    /*  KDCSERVERS have not changed. Realm rights need not be changed */;
+                    rightsmask |= LDAP_SUBTREE_RIGHTS;
+                    if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) {
+                        /* Remove the rights on the old subtrees */
+                        for (i=0; (kdcdns[i] != NULL); i++) {
+                            if ((retval=krb5_ldap_delete_service_rights(util_context,
+                                                                       LDAP_KDC_SERVICE, kdcdns[i],
+                                                                       rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+                                printf("failed\n");
+                                com_err(progname, retval, "while assigning rights '%s'",
+                                       rparams->realm_name);
+                                goto err_nomsg;
+                           }
+                       }
                    }
-               }
-               if (check_subtree != 0) {
-                   subtree_changed=1;
-                   break;
-               }
-           }
-           /* this will return list of the disjoint members */
-           disjoint_members( oldsubtrees, newsubtrees);
-       }
-
-       if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS)) {
-
-           newkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-           if (newkdcdns == NULL) {
-               retval = ENOMEM;
-               goto cleanup;
-           }
-
-           if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
-               for (j=0;  rparams->kdcservers[j]!= NULL; j++) {
-                   newkdcdns[j] = strdup(rparams->kdcservers[j]);
-                   if (newkdcdns[j] == NULL) {
-                       retval = ENOMEM;
-                       goto cleanup;
+                    for (i=0; (kdcdns[i] != NULL); i++) {
+                        if ((retval=krb5_ldap_add_service_rights(util_context,
+                                                                LDAP_KDC_SERVICE, kdcdns[i],
+                                                                rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                            printf("failed\n");
+                            com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                            goto err_nomsg;
+                       }
                    }
                }
-               newkdcdns[j] = NULL;
            }
 
-           if (!subtree_changed) {
-               disjoint_members(oldkdcdns, newkdcdns);
-           } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
-               if (!(mask & LDAP_REALM_KDCSERVERS)) {
-
-                   oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                   if (oldkdcdns == NULL) {
+            if (!subtree_changed) {
+                char **newdns = NULL;
+                /* Only kdc servers have changed */
+                rightsmask =0;
+                rightsmask = LDAP_REALM_RIGHTS;
+                rightsmask |= LDAP_SUBTREE_RIGHTS;
+                if (oldkdcdns != NULL) {
+                    newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+                    if (newdns == NULL) {
                        retval = ENOMEM;
                        goto cleanup;
                    }
 
                    if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
                        for (j=0;  rparams->kdcservers[j]!= NULL; j++) {
-                           oldkdcdns[j] = strdup(rparams->kdcservers[j]);
-                           if (oldkdcdns[j] == NULL) {
+                            newdns[j] = strdup(rparams->kdcservers[j]);
+                            if (newdns[j] == NULL) {
+                                FREE_DN_LIST(newdns);
                                retval = ENOMEM;
                                goto cleanup;
                            }
                        }
-                       oldkdcdns[j] = NULL;
+                        newdns[j] = NULL;
                    }
-               }
-           }
 
-           rightsmask =0;
-           rightsmask |= LDAP_REALM_RIGHTS;
-           rightsmask |= LDAP_SUBTREE_RIGHTS;
-           /* Remove the rights on the old subtrees */
-           if (oldkdcdns) {
-               for (i=0; (oldkdcdns[i] != NULL); i++) {
-                   if ((retval=krb5_ldap_delete_service_rights(util_context,
-                                                               LDAP_KDC_SERVICE, oldkdcdns[i],
-                                                               rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
-                       printf("failed\n");
-                       com_err(progname, retval, "while assigning rights '%s'",
-                               rparams->realm_name);
-                       goto err_nomsg;
+                    disjoint_members(oldkdcdns, newdns);
+
+                    for (i=0; (oldkdcdns[i] != NULL); i++) {
+                        if ((retval=krb5_ldap_delete_service_rights(util_context,
+                                                                   LDAP_KDC_SERVICE, oldkdcdns[i],
+                                                                   rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                            printf("failed\n");
+                            com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                            FREE_DN_LIST(newdns);
+                            goto err_nomsg;
+                       }
+                   }
+                    for (i=0; (newdns[i] != NULL); i++) {
+                        if ((retval=krb5_ldap_add_service_rights(util_context,
+                                                                LDAP_KDC_SERVICE, newdns[i],
+                                                                rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                            printf("failed\n");
+                            com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                            FREE_DN_LIST(newdns);
+                            goto err_nomsg;
+                       }
+                    }
+                    for (i=0; (newdns[i] != NULL); i++) {
+                        free(newdns[i]);
+                    }
+                    free(newdns);
+                } else {
+                    newdns = rparams->kdcservers;
+                    for (i=0; (newdns[i] != NULL); i++) {
+                        if ((retval=krb5_ldap_add_service_rights(util_context,
+                                                                LDAP_KDC_SERVICE, newdns[i],
+                                                                rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                            printf("failed\n");
+                            com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                            goto err_nomsg;
+                       }
                    }
                }
-           }
-
-           rightsmask =0;
-           rightsmask |= LDAP_REALM_RIGHTS;
-           rightsmask |= LDAP_SUBTREE_RIGHTS;
-           if (newkdcdns) {
-               for (i=0; (newkdcdns[i] != NULL); i++) {
-
-                   if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                            LDAP_KDC_SERVICE, newkdcdns[i], rparams->realm_name,
-                                                            rparams->subtree, rightsmask)) != 0) {
-                       printf("failed\n");
-                       com_err(progname, retval, "while assigning rights to '%s'",
-                               rparams->realm_name);
-                       goto err_nomsg;
+            }
+                                                                                                                             
+            if (subtree_changed && (mask & LDAP_REALM_KDCSERVERS)) {
+                char **newdns = rparams->kdcservers;
+
+               rightsmask =0;
+                rightsmask = LDAP_REALM_RIGHTS;
+               rightsmask |= LDAP_SUBTREE_RIGHTS;
+                if (oldkdcdns != NULL) {
+                   for (i=0; (oldkdcdns[i] != NULL); i++) {
+                       if ((retval=krb5_ldap_delete_service_rights(util_context,
+                                                                   LDAP_KDC_SERVICE, oldkdcdns[i],
+                                                                   rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+                           printf("failed\n");
+                           com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                           goto err_nomsg;
+                       }
                    }
                }
-           }
-       }
-
-       if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_ADMINSERVERS)) {
-
-           newadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-           if (newadmindns == NULL) {
-               retval = ENOMEM;
-               goto cleanup;
-           }
-
-           if ((rparams != NULL) && (rparams->adminservers != NULL)) {
-               for (j=0;  rparams->adminservers[j]!= NULL; j++) {
-                   newadmindns[j] = strdup(rparams->adminservers[j]);
-                   if (newadmindns[j] == NULL) {
-                       retval = ENOMEM;
-                       goto cleanup;
+                for (i=0; (newdns[i] != NULL); i++) {
+                    if ((retval=krb5_ldap_add_service_rights(util_context,
+                                                            LDAP_KDC_SERVICE, newdns[i],
+                                                            rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                        printf("failed\n");
+                        com_err(progname, retval, "while assigning rights '%s'",
+                               rparams->realm_name);
+                        goto err_nomsg;
+                    }
+                }
+            }
+        }
+
+        if (subtree_changed || (mask & LDAP_REALM_ADMINSERVERS)) {
+                                                                                                                             
+            if (!(mask & LDAP_REALM_ADMINSERVERS)) {
+                if (rparams->adminservers != NULL) {
+                    char **admindns = rparams->adminservers;
+                    /* Only subtree and/or container ref has changed */
+                   rightsmask =0;
+                    /*  KADMINSERVERS have not changed. Realm rights need not be changed */;
+                   rightsmask |= LDAP_SUBTREE_RIGHTS;
+                    if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) {
+                        /* Remove the rights on the old subtrees */
+                        for (i=0; (admindns[i] != NULL); i++) {
+                            if ((retval=krb5_ldap_delete_service_rights(util_context,
+                                                                       LDAP_ADMIN_SERVICE, admindns[i],
+                                                                       rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+                                printf("failed\n");
+                                com_err(progname, retval, "while assigning rights '%s'",
+                                       rparams->realm_name);
+                                goto err_nomsg;
+                            }
+                        }
+                    }
+                    for (i=0; (admindns[i] != NULL); i++) {
+                       if ((retval=krb5_ldap_add_service_rights(util_context,
+                                                                LDAP_ADMIN_SERVICE, admindns[i],
+                                                                rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                           printf("failed\n");
+                            com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                           goto err_nomsg;
+                       }
                    }
                }
-               newadmindns[j] = NULL;
            }
 
-           if (!subtree_changed) {
-               disjoint_members(oldadmindns, newadmindns);
-           } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
-               if (!(mask & LDAP_REALM_ADMINSERVERS)) {
-
-                   oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                   if (oldadmindns == NULL) {
+            if (!subtree_changed) {
+                char **newdns = NULL;
+                /* Only admin servers have changed */
+                rightsmask =0;
+                rightsmask = LDAP_REALM_RIGHTS;
+                rightsmask |= LDAP_SUBTREE_RIGHTS;
+                if (oldadmindns != NULL) {
+                    newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+                    if (newdns == NULL) {
                        retval = ENOMEM;
                        goto cleanup;
                    }
 
                    if ((rparams != NULL) && (rparams->adminservers != NULL)) {
                        for (j=0;  rparams->adminservers[j]!= NULL; j++) {
-                           oldadmindns[j] = strdup(rparams->adminservers[j]);
-                           if (oldadmindns[j] == NULL) {
+                            newdns[j] = strdup(rparams->adminservers[j]);
+                            if (newdns[j] == NULL) {
+                                FREE_DN_LIST(newdns);
                                retval = ENOMEM;
                                goto cleanup;
                            }
                        }
-                       oldadmindns[j] = NULL;
+                        newdns[j] = NULL;
                    }
-               }
-           }
 
-           rightsmask = 0;
-           rightsmask |= LDAP_REALM_RIGHTS;
-           rightsmask |= LDAP_SUBTREE_RIGHTS;
-           /* Remove the rights on the old subtrees */
-           if (oldadmindns) {
-               for (i=0; (oldadmindns[i] != NULL); i++) {
-
-                   if ((retval=krb5_ldap_delete_service_rights(util_context,
-                                                               LDAP_ADMIN_SERVICE, oldadmindns[i],
-                                                               rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
-                       printf("failed\n");
-                       com_err(progname, retval, "while assigning rights '%s'",
-                               rparams->realm_name);
-                       goto err_nomsg;
+                    disjoint_members(oldadmindns, newdns);
+
+                    for (i=0; (oldadmindns[i] != NULL); i++) {
+                        if ((retval=krb5_ldap_delete_service_rights(util_context,
+                                                                   LDAP_ADMIN_SERVICE, oldadmindns[i],
+                                                                   rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                            printf("failed\n");
+                            com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                            FREE_DN_LIST(newdns);
+                            goto err_nomsg;
+                       }
+                    }
+                    for (i=0; (newdns[i] != NULL); i++) {
+                        if ((retval=krb5_ldap_add_service_rights(util_context,
+                                                                LDAP_ADMIN_SERVICE, newdns[i],
+                                                                rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                            printf("failed\n");
+                            com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                            FREE_DN_LIST(newdns);
+                            goto err_nomsg;
+                       }
+                   }
+                    for (i=0; (newdns[i] != NULL); i++) {
+                        free(newdns[i]);
+                    }
+                    free(newdns);
+                } else {
+                    newdns = rparams->adminservers;
+                    for (i=0; (newdns[i] != NULL); i++) {
+                        if ((retval=krb5_ldap_add_service_rights(util_context,
+                                                                LDAP_ADMIN_SERVICE, newdns[i],
+                                                                rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                            printf("failed\n");
+                            com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                            goto err_nomsg;
+                       }
                    }
                }
-           }
-
-           rightsmask = 0;
-           rightsmask |= LDAP_REALM_RIGHTS;
-           rightsmask |= LDAP_SUBTREE_RIGHTS;
-           /* Add rights on the new subtree for all the kdc dns */
-           if (newadmindns) {
-               for (i=0; (newadmindns[i] != NULL); i++) {
-
-                   if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                            LDAP_ADMIN_SERVICE, newadmindns[i],
-                                                            rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
-                       printf("failed\n");
-                       com_err(progname, retval, "while assigning rights to '%s'",
-                               rparams->realm_name);
-                       goto err_nomsg;
+            }
+                                                                                                                             
+            if (subtree_changed && (mask & LDAP_REALM_ADMINSERVERS)) {
+                char **newdns = rparams->adminservers;
+
+               rightsmask = 0;
+                rightsmask = LDAP_REALM_RIGHTS;
+               rightsmask |= LDAP_SUBTREE_RIGHTS;
+                if (oldadmindns != NULL) {
+                   for (i=0; (oldadmindns[i] != NULL); i++) {
+                       if ((retval=krb5_ldap_delete_service_rights(util_context,
+                                                                   LDAP_ADMIN_SERVICE, oldadmindns[i],
+                                                                   rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+                           printf("failed\n");
+                           com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                           goto err_nomsg;
+                       }
                    }
                }
-           }
-       }
-
-
-       if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_PASSWDSERVERS)) {
-
-           newpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-           if (newpwddns == NULL) {
-               retval = ENOMEM;
-               goto cleanup;
-           }
-
-           if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
-               for (j=0;  rparams->passwdservers[j]!= NULL; j++) {
-                   newpwddns[j] = strdup(rparams->passwdservers[j]);
-                   if (newpwddns[j] == NULL) {
-                       retval = ENOMEM;
-                       goto cleanup;
+                for (i=0; (newdns[i] != NULL); i++) {
+                    if ((retval=krb5_ldap_add_service_rights(util_context,
+                                                            LDAP_ADMIN_SERVICE, newdns[i],
+                                                            rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                        printf("failed\n");
+                        com_err(progname, retval, "while assigning rights '%s'",
+                               rparams->realm_name);
+                        goto err_nomsg;
+                    }
+                }
+            }
+        }
+
+        if (subtree_changed || (mask & LDAP_REALM_PASSWDSERVERS)) {
+                                                                                                                             
+            if (!(mask & LDAP_REALM_PASSWDSERVERS)) {
+                if (rparams->passwdservers != NULL) {
+                    char **passwddns = rparams->passwdservers;
+                    /* Only subtree and/or container ref has changed */
+                   rightsmask = 0;
+                    /*  KPASSWDSERVERS have not changed. Realm rights need not be changed */;
+                   rightsmask |= LDAP_SUBTREE_RIGHTS;
+                    if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) {
+                        /* Remove the rights on the old subtrees */
+                        for (i=0; (passwddns[i] != NULL); i++) {
+                            if ((retval=krb5_ldap_delete_service_rights(util_context,
+                                                                       LDAP_PASSWD_SERVICE, passwddns[i],
+                                                                       rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+                                printf("failed\n");
+                                com_err(progname, retval, "while assigning rights '%s'",
+                                       rparams->realm_name);
+                                goto err_nomsg;
+                            }
+                        }
+                    }
+                    for (i=0; (passwddns[i] != NULL); i++) {
+                       if ((retval=krb5_ldap_add_service_rights(util_context,
+                                                                LDAP_PASSWD_SERVICE, passwddns[i],
+                                                                rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                           printf("failed\n");
+                            com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                           goto err_nomsg;
+                       }
                    }
                }
-               newpwddns[j] = NULL;
            }
 
-           if (!subtree_changed) {
-               disjoint_members(oldpwddns, newpwddns);
-           } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
-               if (!(mask & LDAP_REALM_ADMINSERVERS)) {
-
-                   oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                   if (oldpwddns == NULL) {
+            if (!subtree_changed) {
+                char **newdns = NULL;
+                /* Only passwd servers have changed */
+                rightsmask =0;
+                rightsmask = LDAP_REALM_RIGHTS;
+                rightsmask |= LDAP_SUBTREE_RIGHTS;
+                if (oldpwddns != NULL) {
+                    newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+                    if (newdns == NULL) {
                        retval = ENOMEM;
                        goto cleanup;
                    }
 
                    if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
                        for (j=0;  rparams->passwdservers[j]!= NULL; j++) {
-                           oldpwddns[j] = strdup(rparams->passwdservers[j]);
-                           if (oldpwddns[j] == NULL) {
+                            newdns[j] = strdup(rparams->passwdservers[j]);
+                            if (newdns[j] == NULL) {
+                                FREE_DN_LIST(newdns);
                                retval = ENOMEM;
                                goto cleanup;
                            }
                        }
-                       oldpwddns[j] = NULL;
+                        newdns[j] = NULL;
                    }
-               }
-           }
 
-           rightsmask =0;
-           rightsmask |= LDAP_REALM_RIGHTS;
-           rightsmask |= LDAP_SUBTREE_RIGHTS;
-           /* Remove the rights on the old subtrees */
-           if (oldpwddns) {
-               for (i=0; (oldpwddns[i] != NULL); i++) {
-                   if ((retval = krb5_ldap_delete_service_rights(util_context,
-                                                                 LDAP_PASSWD_SERVICE, oldpwddns[i],
-                                                                 rparams->realm_name, oldsubtrees, rightsmask))) {
-                       printf("failed\n");
-                       com_err(progname, retval, "while assigning rights '%s'",
-                               rparams->realm_name);
-                       goto err_nomsg;
+                    disjoint_members(oldpwddns, newdns);
+
+                    for (i=0; (oldpwddns[i] != NULL); i++) {
+                        if ((retval=krb5_ldap_delete_service_rights(util_context,
+                                                                   LDAP_PASSWD_SERVICE, oldpwddns[i],
+                                                                   rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                            printf("failed\n");
+                            com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                            FREE_DN_LIST(newdns);
+                            goto err_nomsg;
+                       }
+                   }
+                    for (i=0; (newdns[i] != NULL); i++) {
+                        if ((retval=krb5_ldap_add_service_rights(util_context,
+                                                                LDAP_PASSWD_SERVICE, newdns[i],
+                                                                rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                            printf("failed\n");
+                            com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                            FREE_DN_LIST(newdns);
+                            goto err_nomsg;
+                       }
+                    }
+                    for (i=0; (newdns[i] != NULL); i++) {
+                        free(newdns[i]);
+                    }
+                    free(newdns);
+                } else {
+                    newdns = rparams->passwdservers;
+                    for (i=0; (newdns[i] != NULL); i++) {
+                        if ((retval=krb5_ldap_add_service_rights(util_context,
+                                                                LDAP_PASSWD_SERVICE, newdns[i],
+                                                                rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+                            printf("failed\n");
+                            com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                            goto err_nomsg;
+                       }
                    }
                }
-           }
-
-           rightsmask =0;
-           rightsmask |= LDAP_REALM_RIGHTS;
-           rightsmask |= LDAP_SUBTREE_RIGHTS;
-           /* Add rights on the new subtree for all the kdc dns */
-           if (newpwddns) {
-               for (i=0; (newpwddns[i] != NULL); i++) {
+            }
+                                                                                                                             
+            if (subtree_changed && (mask & LDAP_REALM_PASSWDSERVERS)) {
+                char **newdns = rparams->passwdservers;
+
+               rightsmask =0;
+                rightsmask = LDAP_REALM_RIGHTS;
+               rightsmask |= LDAP_SUBTREE_RIGHTS;
+                if (oldpwddns != NULL) {
+                   for (i=0; (oldpwddns[i] != NULL); i++) {
+                       if ((retval = krb5_ldap_delete_service_rights(util_context,
+                                                                     LDAP_PASSWD_SERVICE, oldpwddns[i],
+                                                                     rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+                           printf("failed\n");
+                           com_err(progname, retval, "while assigning rights '%s'",
+                                   rparams->realm_name);
+                           goto err_nomsg;
+                       }
+                   }
+               }
+                for (i=0; (newdns[i] != NULL); i++) {
                    if ((retval = krb5_ldap_add_service_rights(util_context,
-                                                              LDAP_PASSWD_SERVICE, newpwddns[i],
-                                                              rparams->realm_name, rparams->subtree, rightsmask))) {
+                                                              LDAP_PASSWD_SERVICE, newdns[i],
+                                                              rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
                        printf("failed\n");
-                       com_err(progname, retval, "while assigning rights to '%s'",
+                        com_err(progname, retval, "while assigning rights '%s'",
                                rparams->realm_name);
                        goto err_nomsg;
                    }
                }
            }
        }
-
        printf("done\n");
     }
 #endif
@@ -1936,6 +2068,7 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
        if (num_entry_printed == 0)
            printf("\n");
     }
+
     if (mask & LDAP_REALM_MAXTICKETLIFE) {
        printf("%25s:", "Maximum Ticket Life");
        printf(" %s \n", strdur(rparams->max_life));
@@ -2198,9 +2331,9 @@ kdb_ldap_tgt_keysalt_iterate(ksent, ptr)
 
     /*if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {*/
     if ((entry->key_data =
-            (krb5_key_data *) realloc(entry->key_data,
-                                           (sizeof(krb5_key_data) *
-                                           (entry->n_key_data + 1)))) == NULL)
+        (krb5_key_data *) realloc(entry->key_data,
+                                  (sizeof(krb5_key_data) *
+                                   (entry->n_key_data + 1)))) == NULL)
        return (ENOMEM);
 
     memset(entry->key_data + entry->n_key_data, 0, sizeof(krb5_key_data));
@@ -2296,7 +2429,7 @@ kdb_ldap_create_principal (context, princ, op, pblock)
        if ((retval = krb5_timeofday(context, &now)))
            goto cleanup;
        if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry,
-                       now, &db_create_princ)))
+                                                        now, &db_create_princ)))
            goto cleanup;
     }
     entry.attributes = pblock->flags;
@@ -2316,7 +2449,7 @@ kdb_ldap_create_principal (context, princ, op, pblock)
 
            /* Allocate memory for storing the key */
            if ((entry.key_data = (krb5_key_data *) malloc(
-                                             sizeof(krb5_key_data))) == NULL) {
+                    sizeof(krb5_key_data))) == NULL) {
                retval = ENOMEM;
                goto cleanup;
            }
@@ -2330,9 +2463,9 @@ kdb_ldap_create_principal (context, princ, op, pblock)
            }
            kvno = 1; /* New key is getting set */
            retval = krb5_dbekd_encrypt_key_data(context,
-                                       &ldap_context->lrparams->mkey,
-                                       &key, NULL, kvno,
-                                       &entry.key_data[entry.n_key_data - 1]);
+                                                &ldap_context->lrparams->mkey,
+                                                &key, NULL, kvno,
+                                                &entry.key_data[entry.n_key_data - 1]);
            krb5_free_keyblock_contents(context, &key);
            if (retval) {
                goto cleanup;
@@ -2358,7 +2491,7 @@ kdb_ldap_create_principal (context, princ, op, pblock)
     case MASTER_KEY:
        /* Allocate memory for storing the key */
        if ((entry.key_data = (krb5_key_data *) malloc(
-                                             sizeof(krb5_key_data))) == NULL) {
+                sizeof(krb5_key_data))) == NULL) {
            retval = ENOMEM;
            goto cleanup;
        }
@@ -2367,9 +2500,9 @@ kdb_ldap_create_principal (context, princ, op, pblock)
        entry.n_key_data++;
        kvno = 1; /* New key is getting set */
        retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
-                                        &ldap_context->lrparams->mkey,
-                                        NULL, kvno,
-                                        &entry.key_data[entry.n_key_data - 1]);
+                                            &ldap_context->lrparams->mkey,
+                                            NULL, kvno,
+                                            &entry.key_data[entry.n_key_data - 1]);
        if (retval) {
            goto cleanup;
        }
@@ -2481,7 +2614,7 @@ kdb5_ldap_destroy(argc, argv)
            for (i=0; (rparams->kdcservers[i] != NULL); i++) {
                if ((retval = krb5_ldap_delete_service_rights(util_context,
                                                              LDAP_KDC_SERVICE, rparams->kdcservers[i],
-                                                             rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+                                                             rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
                    printf("failed\n");
                    com_err(progname, retval, "while assigning rights to '%s'",
                            rparams->realm_name);
@@ -2496,7 +2629,7 @@ kdb5_ldap_destroy(argc, argv)
            for (i=0; (rparams->adminservers[i] != NULL); i++) {
                if ((retval = krb5_ldap_delete_service_rights(util_context,
                                                              LDAP_ADMIN_SERVICE, rparams->adminservers[i],
-                                                             rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+                                                             rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
                    printf("failed\n");
                    com_err(progname, retval, "while assigning rights to '%s'",
                            rparams->realm_name);
@@ -2511,7 +2644,7 @@ kdb5_ldap_destroy(argc, argv)
            for (i=0; (rparams->passwdservers[i] != NULL); i++) {
                if ((retval = krb5_ldap_delete_service_rights(util_context,
                                                              LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
-                                                             rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+                                                             rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
                    printf("failed\n");
                    com_err(progname, retval, "while assigning rights to '%s'",
                            rparams->realm_name);
index 34b3dc8d0a7549466272ecb13abcd77f8cdee8c7..1260131201fd5fe43a99e3d42a06d497368413a0 100644 (file)
@@ -435,7 +435,7 @@ void kdb5_ldap_create_service(argc, argv)
 
                if ((retval = krb5_ldap_add_service_rights(util_context,
                                                           srvparams->servicetype, srvparams->servicedn,
-                                                          realmName, rparams->subtree, rightsmask))) {
+                                                          realmName, rparams->subtree, rparams->containerref, rightsmask))) {
                    printf("failed\n");
                    com_err(me, retval, "while assigning rights '%s'",
                            srvparams->servicedn);
@@ -940,7 +940,7 @@ void kdb5_ldap_modify_service(argc, argv)
 
                if ((retval = krb5_ldap_delete_service_rights(util_context,
                                                              srvparams->servicetype, srvparams->servicedn,
-                                                             realmName, rparams->subtree, rightsmask))) {
+                                                             realmName, rparams->subtree, rparams->containerref, rightsmask))) {
                    printf("failed\n");
                    com_err(me, retval, "while assigning rights '%s'",
                            srvparams->servicedn);
@@ -991,7 +991,7 @@ void kdb5_ldap_modify_service(argc, argv)
 
                if ((retval = krb5_ldap_add_service_rights(util_context,
                                                           srvparams->servicetype, srvparams->servicedn,
-                                                          realmName, rparams->subtree, rightsmask))) {
+                                                          realmName, rparams->subtree, rparams->containerref, rightsmask))) {
                    printf("failed\n");
                    com_err(me, retval, "while assigning rights '%s'",
                            srvparams->servicedn);
@@ -1717,7 +1717,7 @@ kdb5_ldap_set_service_password(argc, argv)
            memset(passwd, 0, passwd_len);
            goto cleanup;
        }
-       /* Password = {CRYPT}<encrypted password>:<encrypted key> */
+       /* Password = {HEX}<encrypted password>:<encrypted key> */
        encrypted_passwd.value = (unsigned char *)malloc(strlen(service_object) +
                                                         1 + 5 + hex.length + 2);
        if (encrypted_passwd.value == NULL) {
index 1f900e67af04da3136d816439d4b006ba8ca4019..9ed1f2dee4075ebe1ba35aaa7e1764e6dacd8b2d 100644 (file)
@@ -520,7 +520,7 @@ int main(argc, argv)
                exit_status++;
                goto cleanup;
            }
-           memset(passwd, 0, sizeof(passwd));
+           memset(passwd, 0, MAX_PASSWD_LEN);
            passwd_len = MAX_PASSWD_LEN - 1;
            snprintf(prompt, MAX_PASSWD_PROMPT_LEN, "Password for \"%s\"", bind_dn);
 
@@ -536,6 +536,7 @@ int main(argc, argv)
        }
 
        ldap_context->bind_pwd = passwd;
+       passwd = NULL;
     }
 
     /* If ldaphost is specified, release entry filled by configuration & use this */
@@ -593,6 +594,7 @@ int main(argc, argv)
     }
     dal_handle->db_context = ldap_context;
     util_context->dal_handle = dal_handle;
+    ldap_context = NULL;
 
     db_retval = krb5_ldap_read_server_params(util_context, conf_section, KRB5_KDB_SRV_TYPE_OTHER);
     if (db_retval) {
@@ -602,7 +604,7 @@ int main(argc, argv)
     }
 
     if (cmd->opendb) {
-       db_retval = krb5_ldap_db_init(util_context, ldap_context);
+       db_retval = krb5_ldap_db_init(util_context, (krb5_ldap_context *)dal_handle->db_context);
        if (db_retval) {
            com_err(progname, db_retval, "while initializing database");
            exit_status++;
@@ -615,10 +617,15 @@ int main(argc, argv)
     goto cleanup;
 
 cleanup:
-    if (passwd)
-       memset(passwd, 0, sizeof(passwd));
-    if (ldap_context && ldap_context->bind_pwd)
-       memset(ldap_context->bind_pwd, 0, sizeof(ldap_context->bind_pwd));
+    if (passwd) {
+       memset(passwd, 0, strlen(passwd));
+       free(passwd);
+    }
+
+    if (ldap_context) {
+       krb5_ldap_free_server_context_params(ldap_context);
+       free(ldap_context);
+    }
 
     if (util_context) {
        if (gp_is_static == 0)
index 124396f3ff1ea88787ee8a32ab403abda0e594eb..02589b554a80980b8b3fab768b4d16b5f4614914 100644 (file)
@@ -346,7 +346,7 @@ krb5_ldap_create (krb5_context context, char *conf_section, char **db_args)
            for (i=0; (rparams->kdcservers[i] != NULL); i++) {
                if ((status=krb5_ldap_add_service_rights(context,
                                     LDAP_KDC_SERVICE, rparams->kdcservers[i],
-                                    rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+                                    rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
                    goto cleanup;
                }
            }
@@ -359,7 +359,7 @@ krb5_ldap_create (krb5_context context, char *conf_section, char **db_args)
            for (i=0; (rparams->adminservers[i] != NULL); i++) {
                if ((status=krb5_ldap_add_service_rights(context,
                                     LDAP_ADMIN_SERVICE, rparams->adminservers[i],
-                                    rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+                                    rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
                    goto cleanup;
                }
            }
@@ -372,7 +372,7 @@ krb5_ldap_create (krb5_context context, char *conf_section, char **db_args)
            for (i=0; (rparams->passwdservers[i] != NULL); i++) {
                if ((status=krb5_ldap_add_service_rights(context,
                                     LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
-                                    rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+                                    rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
                    goto cleanup;
                }
            }
index 818b2e55c9a5e71484f9c2eee0ccbcf0ef52bde0..b864f4b6d86afc830c976815f50d76be332749a8 100644 (file)
@@ -318,7 +318,7 @@ cleanup:
  */
 
 krb5_error_code
-krb5_ldap_free_server_params(ldap_context)
+krb5_ldap_free_server_context_params(ldap_context)
     krb5_ldap_context           *ldap_context;
 {
     int                         i=0;
@@ -366,6 +366,7 @@ krb5_ldap_free_server_params(ldap_context)
     }
 
     if (ldap_context->bind_pwd != NULL) {
+       memset(ldap_context->bind_pwd, 0, strlen(ldap_context->bind_pwd));
        krb5_xfree(ldap_context->bind_pwd);
        ldap_context->bind_pwd = NULL;
     }
@@ -402,13 +403,23 @@ krb5_ldap_free_server_params(ldap_context)
        krb5_xfree(ldap_context->certificates);
     }
 
-    k5_mutex_destroy(&ldap_context->hndl_lock);
+    return(0);
+}
 
+krb5_error_code
+krb5_ldap_free_server_params(ldap_context)
+    krb5_ldap_context           *ldap_context;
+{
+    if (ldap_context == NULL)
+        return 0;
+
+    krb5_ldap_free_server_context_params(ldap_context);
+
+    k5_mutex_destroy(&ldap_context->hndl_lock);
     krb5_xfree(ldap_context);
     return(0);
 }
 
-
 /*
  * check to see if the principal belongs to the default realm.
  * The default realm is present in the krb5_ldap_context structure.
index c25804b647741ffb12492b39e632fc8b3bb048ed..ef6786c68ebecebb5be013c6324c1b35680e279d 100644 (file)
@@ -57,9 +57,6 @@ char     *principal_attributes[] = { "krbprincipalname",
                                     "loginexpirationtime",
                                     "logindisabled",
 #endif
-                                    "loginexpirationtime",
-                                    "logindisabled",
-                                    "modifytimestamp",
                                     "krbLastPwdChange",
                                     "krbExtraData",
                                     "krbObjectReferences",
index b32ba91867cba1502b73d6470c37cf294bf7ab33..aed6de8c4db6503439133180ab42067c5eb26dc8 100644 (file)
 
 static char *kdcrights_subtree[][2] = {
     {"1#subtree#","#[Entry Rights]"},
-    {"2#subtree#","#CN"},
-    {"6#subtree#","#ObjectClass"},
+    {"2#subtree#","#ObjectClass"},
     {"2#subtree#","#krbTicketPolicyReference"},
     {"2#subtree#","#krbUPEnabled"},
     {"2#subtree#","#krbHostServer"},
-    {"2#subtree#","#krbServiceFlags"},
     {"2#subtree#","#krbRealmReferences"},
     {"2#subtree#","#krbTicketFlags"},
     {"2#subtree#","#krbMaxTicketLife"},
     {"2#subtree#","#krbMaxRenewableAge"},
     {"2#subtree#","#krbPrincipalName"},
-    {"6#subtree#","#krbPrincipalKey"},
+    {"2#subtree#","#krbPrincipalKey"},
     {"2#subtree#","#krbPrincipalExpiration"},
     {"2#subtree#","#krbPwdPolicyReference"},
     {"2#subtree#","#krbMaxPwdLife"},
-    {"6#subtree#","#ModifiersName"},
-    {"2#subtree#","#PasswordExpirationTime"},
-    {"2#subtree#","#PasswordExpirationInterval"},
-    {"2#subtree#","#PasswordMinimumLength"},
-    {"2#subtree#","#PasswordAllowChange"},
-    {"2#subtree#","#LoginDisabled"},
-    {"6#subtree#","#LastLoginTime"},
-    {"2#subtree#","#LoginExpirationTime"},
-    {"6#subtree#","#LoginIntruderAttempts"},
-    {"2#subtree#","#IntruderAttemptResetInterval"},
-    {"2#subtree#","#LoginIntruderLimit"},
-    {"6#subtree#","#LoginIntruderResetTime"},
-    {"2#subtree#","#DetectIntruder"},
-    {"2#subtree#","#LockoutAfterDetection"},
-    {"6#subtree#","#LockedByIntruder"},
-    {"2#subtree#","#krbPrincipalReferences"},
+    {"2#subtree#","#krbObjectReferences"},
+    {"2#subtree#","#krbLastPwdChange"},
+    {"6#subtree#","#krbExtraData"},
+    {"2#subtree#","#krbPasswordExpiration"},
+    {"6#subtree#","#krbLastFailedAuth"},
+    {"6#subtree#","#krbLoginFailedCount"},
+    {"6#subtree#","#krbLastSuccessfulAuth"},
     { "", "" }
 };
 
 static char *adminrights_subtree[][2]={
     {"15#subtree#","#[Entry Rights]"},
-    {"6#subtree#","#CN"},
     {"6#subtree#","#ObjectClass"},
     {"6#subtree#","#krbTicketPolicyReference"},
     {"6#subtree#","#krbUPEnabled"},
     {"2#subtree#","#krbHostServer"},
-    {"2#subtree#","#krbServiceFlags"},
     {"2#subtree#","#krbRealmReferences"},
     {"6#subtree#","#krbTicketFlags"},
     {"6#subtree#","#krbMaxTicketLife"},
@@ -87,41 +74,28 @@ static char *adminrights_subtree[][2]={
     {"6#subtree#","#krbPrincipalName"},
     {"6#subtree#","#krbPrincipalKey"},
     {"6#subtree#","#krbPrincipalExpiration"},
-    {"6#subtree#","#ModifiersName"},
-    {"6#subtree#","#PasswordExpirationTime"},
-    {"2#subtree#","#PasswordExpirationInterval"},
-    {"6#subtree#","#PasswordMinimumLength"},
-    {"6#subtree#","#PasswordAllowChange"},
-    {"6#subtree#","#LoginDisabled"},
-    {"2#subtree#","#LastLoginTime"},
-    {"2#subtree#","#LoginExpirationTime"},
-    {"2#subtree#","#LoginIntruderAttempts"},
-    {"6#subtree#","#IntruderAttemptResetInterval"},
-    {"6#subtree#","#LoginIntruderLimit"},
-    {"6#subtree#","#LoginIntruderResetTime"},
-    {"6#subtree#","#DetectIntruder"},
-    {"6#subtree#","#LockoutAfterDetection"},
-    {"2#subtree#","#LockedByIntruder"},
-    {"2#subtree#","#krbPrincipalReferences"},
-    {"6#subtree#","#Surname"},
-    {"4#subtree#","#passwordManagement"},
     {"6#subtree#","#krbPwdHistoryLength"},
     {"6#subtree#","#krbMinPwdLife"},
     {"6#subtree#","#krbMaxPwdLife"},
     {"6#subtree#","#krbPwdMinDiffChars"},
     {"6#subtree#","#krbPwdMinLength"},
     {"6#subtree#","#krbPwdPolicyReference"},
+    {"6#subtree#","#krbLastPwdChange"},
+    {"6#subtree#","#krbObjectReferences"},
+    {"6#subtree#","#krbExtraData"},
+    {"6#subtree#","#krbPasswordExpiration"},
+    {"2#subtree#","#krbLastFailedAuth"},
+    {"2#subtree#","#krbLoginFailedCount"},
+    {"2#subtree#","#krbLastSuccessfulAuth"},
     { "","" }
 };
 
 static char *pwdrights_subtree[][2] = {
     {"1#subtree#","#[Entry Rights]"},
-    {"2#subtree#","#CN"},
     {"2#subtree#","#ObjectClass"},
     {"2#subtree#","#krbTicketPolicyReference"},
     {"2#subtree#","#krbUPEnabled"},
     {"2#subtree#","#krbHostServer"},
-    {"2#subtree#","#krbServiceFlags"},
     {"2#subtree#","#krbRealmReferences"},
     {"6#subtree#","#krbTicketFlags"},
     {"2#subtree#","#krbMaxTicketLife"},
@@ -129,21 +103,26 @@ static char *pwdrights_subtree[][2] = {
     {"2#subtree#","#krbPrincipalName"},
     {"6#subtree#","#krbPrincipalKey"},
     {"2#subtree#","#krbPrincipalExpiration"},
-    {"4#subtree#","#passwordManagement"},
-    {"6#subtree#","#ModifiersName"},
     {"2#subtree#","#krbPwdHistoryLength"},
     {"2#subtree#","#krbMinPwdLife"},
     {"2#subtree#","#krbMaxPwdLife"},
     {"2#subtree#","#krbPwdMinDiffChars"},
     {"2#subtree#","#krbPwdMinLength"},
     {"2#subtree#","#krbPwdPolicyReference"},
+    {"6#subtree#","#krbLastPwdChange"},
+    {"2#subtree#","#krbObjectReferences"},
+    {"6#subtree#","#krbExtraData"},
+    {"6#subtree#","#krbPasswordExpiration"},
+    {"2#subtree#","#krbLastFailedAuth"},
+    {"2#subtree#","#krbLoginFailedCount"},
+    {"2#subtree#","#krbLastSuccessfulAuth"},
     { "", "" }
 };
 
 static char *kdcrights_realmcontainer[][2]={
     {"1#subtree#","#[Entry Rights]"},
     {"2#subtree#","#CN"},
-    {"6#subtree#","#ObjectClass"},
+    {"2#subtree#","#ObjectClass"},
     {"2#subtree#","#krbTicketPolicyReference"},
     {"2#subtree#","#krbMKey"},
     {"2#subtree#","#krbUPEnabled"},
@@ -151,33 +130,25 @@ static char *kdcrights_realmcontainer[][2]={
     {"2#subtree#","#krbPrincContainerRef"}, 
     {"2#subtree#","#krbSearchScope"},
     {"2#subtree#","#krbLdapServers"},
-    {"2#subtree#","#krbSupportedEncSaltTypes"},
-    {"2#subtree#","#krbDefaultEncSaltTypes"},
     {"2#subtree#","#krbKdcServers"},
+    {"2#subtree#","#krbAdmServers"},
     {"2#subtree#","#krbPwdServers"},
     {"2#subtree#","#krbTicketFlags"},
     {"2#subtree#","#krbMaxTicketLife"},
     {"2#subtree#","#krbMaxRenewableAge"},
     {"2#subtree#","#krbPrincipalName"},
-    {"6#subtree#","#krbPrincipalKey"},
+    {"2#subtree#","#krbPrincipalKey"},
     {"2#subtree#","#krbPrincipalExpiration"},
     {"2#subtree#","#krbPwdPolicyReference"},
     {"2#subtree#","#krbMaxPwdLife"},
-    {"6#subtree#","#ModifiersName"},
-    {"2#subtree#","#PasswordExpirationTime"},
-    {"2#subtree#","#PasswordExpirationInterval"},
-    {"2#subtree#","#PasswordMinimumLength"},
-    {"2#subtree#","#PasswordAllowChange"},
-    {"2#subtree#","#LoginDisabled"},
-    {"6#subtree#","#LastLoginTime"},
-    {"2#subtree#","#LoginExpirationTime"},
-    {"6#subtree#","#LoginIntruderAttempts"},
-    {"2#subtree#","#IntruderAttemptResetInterval"},
-    {"2#subtree#","#LoginIntruderLimit"},
-    {"6#subtree#","#LoginIntruderResetTime"},
-    {"2#subtree#","#DetectIntruder"},
-    {"2#subtree#","#LockoutAfterDetection"},
-    {"6#subtree#","#LockedByIntruder"},
+    {"2#subtree#","#krbObjectReferences"},
+    {"2#subtree#","#krbLastPwdChange"},
+    {"6#subtree#","#krbExtraData"},
+    {"2#subtree#","#krbPasswordExpiration"},
+    {"2#subtree#","#krbDefaultEncSaltTypes"},
+    {"6#subtree#","#krbLastFailedAuth"},
+    {"6#subtree#","#krbLoginFailedCount"},
+    {"6#subtree#","#krbLastSuccessfulAuth"},
     { "", "" }
 };
 
@@ -193,9 +164,8 @@ static char *adminrights_realmcontainer[][2]={
     {"2#subtree#","#krbPrincContainerRef"}, 
     {"2#subtree#","#krbSearchScope"},
     {"2#subtree#","#krbLdapServers"},
-    {"2#subtree#","#krbSupportedEncSaltTypes"},
-    {"2#subtree#","#krbDefaultEncSaltTypes"},
     {"2#subtree#","#krbKdcServers"},
+    {"2#subtree#","#krbAdmServers"},
     {"2#subtree#","#krbPwdServers"},
     {"6#subtree#","#krbTicketFlags"},
     {"6#subtree#","#krbMaxTicketLife"},
@@ -203,28 +173,20 @@ static char *adminrights_realmcontainer[][2]={
     {"6#subtree#","#krbPrincipalName"},
     {"6#subtree#","#krbPrincipalKey"},
     {"6#subtree#","#krbPrincipalExpiration"},
-    {"6#subtree#","#ModifiersName"},
-    {"6#subtree#","#PasswordExpirationTime"},
-    {"2#subtree#","#PasswordExpirationInterval"},
-    {"6#subtree#","#PasswordMinimumLength"},
-    {"6#subtree#","#PasswordAllowChange"},
-    {"6#subtree#","#LoginDisabled"},
-    {"2#subtree#","#LastLoginTime"},
-    {"2#subtree#","#LoginExpirationTime"},
-    {"2#subtree#","#LoginIntruderAttempts"},
-    {"6#subtree#","#IntruderAttemptResetInterval"},
-    {"6#subtree#","#LoginIntruderLimit"},
-    {"6#subtree#","#LoginIntruderResetTime"},
-    {"6#subtree#","#DetectIntruder"},
-    {"6#subtree#","#LockoutAfterDetection"},
-    {"2#subtree#","#LockedByIntruder"},
-    {"6#subtree#","#Surname"},
     {"6#subtree#","#krbPwdHistoryLength"},
     {"6#subtree#","#krbMinPwdLife"},
     {"6#subtree#","#krbMaxPwdLife"},
     {"6#subtree#","#krbPwdMinDiffChars"},
     {"6#subtree#","#krbPwdMinLength"},
     {"6#subtree#","#krbPwdPolicyReference"},
+    {"6#subtree#","#krbLastPwdChange"},
+    {"6#subtree#","#krbObjectReferences"},
+    {"6#subtree#","#krbExtraData"},
+    {"6#subtree#","#krbPasswordExpiration"},
+    {"6#subtree#","#krbDefaultEncSaltTypes"},
+    {"2#subtree#","#krbLastFailedAuth"},
+    {"2#subtree#","#krbLoginFailedCount"},
+    {"2#subtree#","#krbLastSuccessfulAuth"},
     { "","" }
 };
 
@@ -240,9 +202,8 @@ static char *pwdrights_realmcontainer[][2]={
     {"2#subtree#","#krbPrincContainerRef"}, 
     {"2#subtree#","#krbSearchScope"},
     {"2#subtree#","#krbLdapServers"},
-    {"2#subtree#","#krbSupportedEncSaltTypes"},
-    {"2#subtree#","#krbDefaultEncSaltTypes"},
     {"2#subtree#","#krbKdcServers"},
+    {"2#subtree#","#krbAdmServers"},
     {"2#subtree#","#krbPwdServers"},
     {"6#subtree#","#krbTicketFlags"},
     {"2#subtree#","#krbMaxTicketLife"},
@@ -250,13 +211,20 @@ static char *pwdrights_realmcontainer[][2]={
     {"2#subtree#","#krbPrincipalName"},
     {"6#subtree#","#krbPrincipalKey"},
     {"2#subtree#","#krbPrincipalExpiration"},
-    {"6#subtree#","#ModifiersName"},
     {"2#subtree#","#krbPwdHistoryLength"},
     {"2#subtree#","#krbMinPwdLife"},
     {"2#subtree#","#krbMaxPwdLife"},
     {"2#subtree#","#krbPwdMinDiffChars"},
     {"2#subtree#","#krbPwdMinLength"},
     {"2#subtree#","#krbPwdPolicyReference"},
+    {"2#subtree#","#krbLastPwdChange"},
+    {"2#subtree#","#krbObjectReferences"},
+    {"6#subtree#","#krbExtraData"},
+    {"6#subtree#","#krbPasswordExpiration"},
+    {"2#subtree#","#krbDefaultEncSaltTypes"},
+    {"2#subtree#","#krbLastFailedAuth"},
+    {"2#subtree#","#krbLoginFailedCount"},
+    {"2#subtree#","#krbLastSuccessfulAuth"},
     { "", "" }
 };
 
@@ -286,16 +254,17 @@ static char *kerberos_container[][2] = {
  */
 
 krb5_error_code
-krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
+krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, contref, mask)
     krb5_context       context;
     int                 servicetype;
     char                *serviceobjdn;
     char                *realmname;
     char                **subtreeparam;                         
+    char                *contref;                         
     int                 mask;
 {
 
-    int                    st=0,i=0;
+    int                    st=0,i=0,j=0;
     char                   *realmacls[2]={NULL}, *subtreeacls[2]={NULL}, *seccontacls[2]={NULL}, *krbcontacls[2]={NULL};
     LDAP                   *ld;
     LDAPMod                realmclass, subtreeclass, seccontclass, krbcontclass;
@@ -315,23 +284,23 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
        goto cleanup;
     }
 
-    subtreecount=ldap_context->lrparams->subtreecount;
-    subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
-    if(subtree == NULL) {
-        st = ENOMEM;
-        goto cleanup;
+    if (subtreeparam != NULL) {
+        while(subtreeparam[subtreecount])
+            subtreecount++;
+    }
+    if (contref != NULL) {
+        subtreecount++;
     }
 
-    /* If the subtree is null, set the value to root */
-    if(subtreeparam == NULL) {
-        subtree[0] = strdup("");
-        if(subtree[0] == NULL) {
+    if (subtreecount) {
+        subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
+        if(subtree == NULL) {
             st = ENOMEM;
             goto cleanup;
         }
-    }
-    else {
-        for (i=0; subtree[i] != NULL && i<subtreecount; i++) {
+        memset(subtree, 0, sizeof(char *) * (subtreecount + 1));
+        if (subtreeparam != NULL) {
+            for(i=0; subtreeparam[i]!=NULL; i++) {
             subtree[i] = strdup(subtreeparam[i]);
             if(subtree[i] == NULL) {
                 st = ENOMEM;
@@ -339,6 +308,13 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
             }
         }
     }
+        if (contref != NULL) {
+            subtree[i] = strdup(contref);
+        }
+    }
+
+    /* Set the rights for the realm */
+    if (mask & LDAP_REALM_RIGHTS) {
 
     /* Set the rights for the service object on the security container */
     seccontclass.mod_op = LDAP_MOD_ADD;
@@ -396,9 +372,6 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
        free(krbcontacls[0]);
     }
 
-    /* Set the rights for the realm */
-    if (mask & LDAP_REALM_RIGHTS) {
-
        /* Construct the realm dn from realm name */
        realmdn = (char *)malloc(strlen("cn=") + strlen(realmname) +
                                 strlen(ldap_context->krbcontainer->DN) + 2);
@@ -482,7 +455,7 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
 
 
     /* Subtree rights to be set */
-    if (mask & LDAP_SUBTREE_RIGHTS) {
+    if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) {
        /* Populate the acl data to be added to the subtree */
        subtreeclass.mod_op = LDAP_MOD_ADD;
        subtreeclass.mod_type = "ACL";
@@ -499,9 +472,9 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
                subtreearr[0] = &subtreeclass;
 
                 /* set rights to a list of subtrees */
-                for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
+                for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
                    st = ldap_modify_ext_s(ld,
-                                            subtree[i],
+                                            subtree[j],
                                             subtreearr,
                                             NULL,
                                             NULL);
@@ -525,9 +498,9 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
                subtreearr[0] = &subtreeclass;
 
                 /* set rights to a list of subtrees */
-                for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
+                for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
                    st = ldap_modify_ext_s(ld,
-                                            subtree[i],
+                                            subtree[j],
                                             subtreearr,
                                             NULL,
                                             NULL);
@@ -551,9 +524,9 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
                subtreearr[0] = &subtreeclass;
 
                 /* set rights to a list of subtrees */
-                for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
+                for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
                    st = ldap_modify_ext_s(ld,
-                                            subtree[i],
+                                            subtree[j],
                                             subtreearr,
                                             NULL,
                                             NULL);
@@ -595,16 +568,17 @@ cleanup:
 */
 
 krb5_error_code
-krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
+krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, contref, mask)
     krb5_context       context;
     int             servicetype;
     char            *serviceobjdn;
     char            *realmname;
     char            **subtreeparam; 
+    char            *contref;
     int             mask;
 {
 
-    int                    st=0,i=0;
+    int                    st=0,i=0,j=0;
     char                   *realmacls[2] = { NULL }, *subtreeacls[2] = { NULL };
     LDAP                   *ld;
     LDAPMod                realmclass, subtreeclass;
@@ -625,31 +599,34 @@ krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, s
        goto cleanup;
     }
 
-    subtreecount = 1;
+    if (subtreeparam != NULL) {
     while(subtreeparam[subtreecount])
         subtreecount++;
-    subtree = (char **) malloc(sizeof(char *) * subtreecount + 1);
-    if(subtree == NULL) {
-        st = ENOMEM;
-        goto cleanup;
+    }
+    if (contref != NULL) {
+        subtreecount++;
     }
 
-    /* If the subtree is null, set the value to root */
-    if(subtreeparam == NULL) {
-        subtree[0] = strdup("");
-        if(subtree[0] == NULL) {
+    if (subtreecount) {
+        subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
+        if(subtree == NULL) {
             st = ENOMEM;
             goto cleanup;
         }
-    }
-    else {
-        for(i=0; subtreeparam[i]!=NULL && i<subtreecount; i++)
+        memset(subtree, 0, sizeof(char *) * (subtreecount + 1));
+        if (subtreeparam != NULL) {
+            for(i=0; subtreeparam[i]!=NULL; i++) {
         subtree[i] = strdup(subtreeparam[i]);
         if(subtree[i] == NULL) {
             st = ENOMEM;
             goto cleanup;
         }
     }
+        }
+        if (contref != NULL) {
+            subtree[i] = strdup(contref);
+        }
+    }
 
 
     /* Set the rights for the realm */
@@ -738,7 +715,7 @@ krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, s
 
 
     /* Set the rights for the subtree */
-    if (mask & LDAP_SUBTREE_RIGHTS) {
+    if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) {
 
        /* Populate the acl data to be added to the subtree */
        subtreeclass.mod_op=LDAP_MOD_DELETE;
@@ -755,9 +732,9 @@ krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, s
 
                subtreearr[0]=&subtreeclass;
 
-                for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
+                for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
                    st = ldap_modify_ext_s(ld,
-                                            subtree[i],
+                                            subtree[j],
                                             subtreearr,
                                             NULL,
                                             NULL);
@@ -780,9 +757,9 @@ krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, s
 
                subtreearr[0]=&subtreeclass;
 
-                for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
+                for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
                    st = ldap_modify_ext_s(ld,
-                                            subtree[i],
+                                            subtree[j],
                                             subtreearr,
                                             NULL,
                                             NULL);
@@ -805,9 +782,9 @@ krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, s
 
                subtreearr[0]=&subtreeclass;
 
-                for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
+                for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
                    st = ldap_modify_ext_s(ld,
-                                            subtree[i],
+                                            subtree[j],
                                             subtreearr,
                                             NULL,
                                             NULL);
index d4bbb077de6407aa5f001757f7825e593db59794..0ad580d13ec2e6abe3254924482b51957d658168 100644 (file)
@@ -88,10 +88,10 @@ krb5_error_code
 krb5_ldap_set_service_passwd( krb5_context, char *, char *);
 
 krb5_error_code 
-krb5_ldap_add_service_rights( krb5_context, int, char *, char *, char **, int);
+krb5_ldap_add_service_rights( krb5_context, int, char *, char *, char **, char *, int);
 
 krb5_error_code
-krb5_ldap_delete_service_rights( krb5_context, int, char *, char *, char **, int);
+krb5_ldap_delete_service_rights( krb5_context, int, char *, char *, char **, char *, int);
 #endif
 
 #endif
index bd55f0a5d49bf12bb64c43acf7d30efdc877867c..2f6a26fe96ca1f3b52c4ee87e69757123f378690 100644 (file)
@@ -33,6 +33,7 @@ krb5_ldap_free_password_policy
 krb5_ldap_iterate_password_policy
 krb5_dbe_free_contents
 krb5_ldap_free_server_params
+krb5_ldap_free_server_context_params
 krb5_ldap_free_krbcontainer_params
 krb5_ldap_alloc
 krb5_ldap_free