#include <kdb5.h>
static krb5_error_code
-krb5_ldap_get_db_opt( char *input, char **opt, char **val )
+krb5_ldap_get_db_opt(char *input, char **opt, char **val)
{
char *pos = strchr(input, '=');
*val = NULL;
- if (pos == NULL)
- {
+ if (pos == NULL) {
*opt = strdup(input);
- if (*opt == NULL)
- {
+ if (*opt == NULL) {
return ENOMEM;
}
- }
- else
- {
+ } else {
int len = pos - input;
*opt = malloc((unsigned) len + 1);
- if (!*opt)
- {
+ if (!*opt) {
return ENOMEM;
}
memcpy(*opt, input, (unsigned) len);
while (isblank((*opt)[len-1]))
--len;
(*opt)[len] = '\0';
-
+
pos += 1; /* move past '=' */
while (isblank(*pos)) /* ignore leading blanks */
pos += 1;
if (*pos != '\0') {
*val = strdup (pos);
- if (!*val)
- {
+ if (!*val) {
free (*opt);
return ENOMEM;
}
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
int mask=0;
-
+
SETUP_CONTEXT();
if ((retval=krb5_ldap_read_krbcontainer_params(context, &(ldap_context->krbcontainer)))) {
- prepend_err_str (context, "Unable to read Kerberos container", retval, retval);
+ prepend_err_str (context, "Unable to read Kerberos container", retval, retval);
goto cleanup;
}
if ((retval=krb5_ldap_read_realm_params(context, context->default_realm, &(ldap_context->lrparams), &mask))) {
- prepend_err_str (context, "Unable to read Realm", retval, retval);
+ prepend_err_str (context, "Unable to read Realm", retval, retval);
goto cleanup;
}
-
- cleanup:
+
+cleanup:
return retval;
}
#define ERR_MSG1 "Unable to check if SASL EXTERNAL mechanism is supported by LDAP server. Proceeding anyway ..."
#define ERR_MSG2 "SASL EXTERNAL mechanism not supported by LDAP server. Can't perform certificate-based bind."
-int
+int
has_sasl_external_mech(context, ldap_server)
- krb5_context context;
- char *ldap_server;
+ krb5_context context;
+ char *ldap_server;
{
int i=0, flag=0, ret=0, retval=0;
char *attrs[]={"supportedSASLMechanisms", NULL}, **values=NULL;
LDAPMessage *msg=NULL, *res=NULL;
ld = ldap_open(ldap_server, 389); /* Should the port number be configurable ? */
- if(ld == NULL){
+ if (ld == NULL) {
krb5_set_error_message(context, 2, "%s", ERR_MSG1);
ret = 2; /* Don't know */
goto cleanup;
/* Anonymous bind */
retval = ldap_simple_bind_s(ld, NULL, NULL);
- if(retval != LDAP_SUCCESS){
+ if (retval != LDAP_SUCCESS) {
krb5_set_error_message(context, 2, "%s", ERR_MSG1);
ret = 2; /* Don't know */
goto cleanup;
}
retval = ldap_search_s(ld, "", LDAP_SCOPE_BASE, NULL, attrs, 0, &res);
- if(retval != LDAP_SUCCESS){
+ if (retval != LDAP_SUCCESS) {
krb5_set_error_message(context, 2, "%s", ERR_MSG1);
ret = 2; /* Don't know */
goto cleanup;
}
msg = ldap_first_message(ld, res);
- if(msg == NULL){
+ if (msg == NULL) {
krb5_set_error_message(context, 2, "%s", ERR_MSG1);
ret = 2; /* Don't know */
goto cleanup;
}
values = ldap_get_values(ld, msg, "supportedSASLMechanisms");
- if(values == NULL){
+ if (values == NULL) {
krb5_set_error_message(context, 1, "%s", ERR_MSG2);
ret = 1; /* Not supported */
goto cleanup;
}
- for(i = 0; values[i] != NULL; i++){
- if(strcmp(values[i], "EXTERNAL"))
+ for (i = 0; values[i] != NULL; i++) {
+ if (strcmp(values[i], "EXTERNAL"))
continue;
flag = 1;
}
- if(flag != 1){
+ if (flag != 1) {
krb5_set_error_message(context, 1, "%s", ERR_MSG2);
ret = 1; /* Not supported */
goto cleanup;
cleanup:
- if(values != NULL)
+ if (values != NULL)
ldap_value_free(values);
- if(res != NULL)
+ if (res != NULL)
ldap_msgfree(res);
- if(ld != NULL)
+ if (ld != NULL)
ldap_unbind_s(ld);
return ret;
}
-void * krb5_ldap_alloc( krb5_context context, void *ptr, size_t size )
+void * krb5_ldap_alloc(krb5_context context, void *ptr, size_t size)
{
return realloc(ptr, size);
}
-void krb5_ldap_free( krb5_context context, void *ptr )
+void krb5_ldap_free(krb5_context context, void *ptr)
{
free(ptr);
}
-krb5_error_code krb5_ldap_open( krb5_context context,
- char *conf_section,
- char **db_args,
- int mode )
+krb5_error_code krb5_ldap_open(krb5_context context,
+ char *conf_section,
+ char **db_args,
+ int mode)
{
krb5_error_code status = 0;
char **t_ptr = db_args;
krb5_clear_error_message(context);
ldap_context = calloc(1, sizeof(krb5_ldap_context));
- if (ldap_context == NULL)
- {
+ if (ldap_context == NULL) {
status = ENOMEM;
goto clean_n_exit;
}
-
+
ldap_context->kcontext = context;
- while ( t_ptr && *t_ptr )
- {
+ while (t_ptr && *t_ptr) {
char *opt = NULL, *val = NULL;
- if( (status = krb5_ldap_get_db_opt( *t_ptr, &opt, &val )) != 0 )
- {
+ if ((status = krb5_ldap_get_db_opt(*t_ptr, &opt, &val)) != 0) {
goto clean_n_exit;
}
- if( opt && !strcmp( opt, "binddn" ) )
- {
- if( ldap_context->bind_dn )
- {
+ if (opt && !strcmp(opt, "binddn")) {
+ if (ldap_context->bind_dn) {
free (opt);
free (val);
status = EINVAL;
- krb5_set_error_message (context, status, "'binddn' missing");
+ krb5_set_error_message (context, status, "'binddn' missing");
goto clean_n_exit;
}
- if( val == NULL )
- {
+ if (val == NULL) {
status = EINVAL;
- krb5_set_error_message (context, status, "'binddn' value missing");
+ krb5_set_error_message (context, status, "'binddn' value missing");
free(opt);
goto clean_n_exit;
}
ldap_context->bind_dn = strdup(val);
- if (ldap_context->bind_dn == NULL) {
+ if (ldap_context->bind_dn == NULL) {
free (opt);
free (val);
status = ENOMEM;
goto clean_n_exit;
}
- }
- else if( opt && !strcmp( opt, "nconns" ) )
- {
- if( ldap_context->max_server_conns )
- {
+ } else if (opt && !strcmp(opt, "nconns")) {
+ if (ldap_context->max_server_conns) {
free (opt);
free (val);
status = EINVAL;
- krb5_set_error_message (context, status, "'nconns' missing");
+ krb5_set_error_message (context, status, "'nconns' missing");
goto clean_n_exit;
}
- if( val == NULL )
- {
+ if (val == NULL) {
status = EINVAL;
- krb5_set_error_message (context, status, "'nconns' value missing");
+ krb5_set_error_message (context, status, "'nconns' value missing");
free(opt);
goto clean_n_exit;
}
ldap_context->max_server_conns = atoi(val) ? atoi(val) : DEFAULT_CONNS_PER_SERVER;
- }
- else if( opt && !strcmp( opt, "bindpwd" ) )
- {
- if( ldap_context->bind_pwd )
- {
+ } else if (opt && !strcmp(opt, "bindpwd")) {
+ if (ldap_context->bind_pwd) {
free (opt);
free (val);
status = EINVAL;
- krb5_set_error_message (context, status, "'bindpwd' missing");
+ krb5_set_error_message (context, status, "'bindpwd' missing");
goto clean_n_exit;
}
- if( val == NULL )
- {
+ if (val == NULL) {
status = EINVAL;
- krb5_set_error_message (context, status, "'bindpwd' value missing");
+ krb5_set_error_message (context, status, "'bindpwd' value missing");
free(opt);
goto clean_n_exit;
}
ldap_context->bind_pwd = strdup(val);
- if (ldap_context->bind_pwd == NULL) {
+ if (ldap_context->bind_pwd == NULL) {
free (opt);
free (val);
status = ENOMEM;
goto clean_n_exit;
}
- }
- else if( opt && !strcmp( opt, "host" ) )
- {
+ } else if (opt && !strcmp(opt, "host")) {
char *port = NULL;
- if( val == NULL )
- {
+ if (val == NULL) {
status = EINVAL;
- krb5_set_error_message (context, status, "'host' value missing");
+ krb5_set_error_message (context, status, "'host' value missing");
free(opt);
goto clean_n_exit;
}
- if (ldap_context->server_info_list == NULL)
- ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (SERV_COUNT+1, sizeof (krb5_ldap_server_info *)) ;
+ if (ldap_context->server_info_list == NULL)
+ ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (SERV_COUNT+1, sizeof (krb5_ldap_server_info *)) ;
if (ldap_context->server_info_list == NULL) {
free (opt);
status = ENOMEM;
goto clean_n_exit;
}
-
+
ldap_context->server_info_list[srv_cnt] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info));
if (ldap_context->server_info_list[srv_cnt] == NULL) {
free (opt);
}
ldap_context->server_info_list[srv_cnt]->server_status = NOTSET;
-
+
val = strtok_r(val, ":", &port);
- ldap_context->server_info_list[srv_cnt]->server_name = strdup(val);
+ ldap_context->server_info_list[srv_cnt]->server_name = strdup(val);
if (ldap_context->server_info_list[srv_cnt]->server_name == NULL) {
free (opt);
free (val);
status = ENOMEM;
goto clean_n_exit;
}
-
+
if (port) {
- ldap_context->server_info_list[srv_cnt]->port = atoi(port);
+ ldap_context->server_info_list[srv_cnt]->port = atoi(port);
}
srv_cnt++;
- }
- else if( opt && !strcmp( opt, "port" ) )
- {
- if( ldap_context->port )
- {
+ } else if (opt && !strcmp(opt, "port")) {
+ if (ldap_context->port) {
free (opt);
free (val);
status = EINVAL;
- krb5_set_error_message (context, status, "'port' missing");
+ krb5_set_error_message (context, status, "'port' missing");
goto clean_n_exit;
}
- if( val == NULL )
- {
+ if (val == NULL) {
status = EINVAL;
- krb5_set_error_message (context, status, "'port' value missing");
+ krb5_set_error_message (context, status, "'port' value missing");
free(opt);
goto clean_n_exit;
}
- ldap_context->port = atoi(val);
- }
- else if( opt && !strcmp( opt, "cert" ) )
- {
- if( val == NULL )
- {
+ ldap_context->port = atoi(val);
+ } else if (opt && !strcmp(opt, "cert")) {
+ if (val == NULL) {
status = EINVAL;
- krb5_set_error_message (context, status, "'cert' value missing");
+ krb5_set_error_message (context, status, "'cert' value missing");
free(opt);
goto clean_n_exit;
}
- if( ldap_context->root_certificate_file == NULL )
- {
+ if (ldap_context->root_certificate_file == NULL) {
ldap_context->root_certificate_file = strdup(val);
- if (ldap_context->root_certificate_file == NULL) {
+ if (ldap_context->root_certificate_file == NULL) {
free (opt);
free (val);
status = ENOMEM;
goto clean_n_exit;
}
- }
- else
- {
+ } else {
void *tmp=NULL;
char *oldstr = NULL;
unsigned int len=0;
oldstr = strdup(ldap_context->root_certificate_file);
- if (oldstr == NULL)
- {
+ if (oldstr == NULL) {
free (opt);
free (val);
status = ENOMEM;
len = strlen(ldap_context->root_certificate_file) + 2 + strlen(val);
ldap_context->root_certificate_file = realloc(ldap_context->root_certificate_file,
len);
- if (ldap_context->root_certificate_file == NULL) {
+ if (ldap_context->root_certificate_file == NULL) {
free (tmp);
free (opt);
free (val);
sprintf(ldap_context->root_certificate_file,"%s %s", oldstr, val);
free (oldstr);
}
- }
+ }
/* ignore hash argument. Might have been passed from create */
- else
- {
+ else {
status = EINVAL;
- krb5_set_error_message (context, status, "unknown option \'%s\'",
+ krb5_set_error_message (context, status, "unknown option \'%s\'",
opt?opt:val);
free(opt);
free(val);
if (status) {
ldap_context = NULL;
dal_handle->db_context = NULL;
- prepend_err_str (context, "Error reading LDAP server params: ", status, status);
+ prepend_err_str (context, "Error reading LDAP server params: ", status, status);
goto clean_n_exit;
}
- if ((status=krb5_ldap_db_init( context, ldap_context)) != 0) {
+ if ((status=krb5_ldap_db_init(context, ldap_context)) != 0) {
goto clean_n_exit;
}
goto clean_n_exit;
}
- clean_n_exit:
+clean_n_exit:
/* may be clearing up is not required db_fini might do it for us, check out */
if (status) {
krb5_ldap_close(context);
/* To be used later */
typedef struct _krb5_ldap_certificates{
- char *certificate;
- int certtype;
+ char *certificate;
+ int certtype;
}krb5_ldap_certificates;
/* ldap server info structure */
typedef struct _krb5_ldap_server_info krb5_ldap_server_info;
-typedef struct _krb5_ldap_server_handle{
- int msgid;
- LDAP *ldap_handle;
- krb5_boolean server_info_update_pending;
- krb5_ldap_server_info *server_info;
- struct _krb5_ldap_server_handle *next;
-
-}krb5_ldap_server_handle;
+typedef struct _krb5_ldap_server_handle {
+ int msgid;
+ LDAP *ldap_handle;
+ krb5_boolean server_info_update_pending;
+ krb5_ldap_server_info *server_info;
+ struct _krb5_ldap_server_handle *next;
+} krb5_ldap_server_handle;
struct _krb5_ldap_server_info {
- krb5_ldap_server_type server_type;
- krb5_ldap_server_status server_status;
- krb5_ui_4 num_conns;
- krb5_ldap_server_handle *ldap_server_handles;
- time_t downtime;
- char *server_name;
- krb5_ui_4 port;
- char *root_certificate_file;
- struct _krb5_ldap_server_info *next;
+ krb5_ldap_server_type server_type;
+ krb5_ldap_server_status server_status;
+ krb5_ui_4 num_conns;
+ krb5_ldap_server_handle *ldap_server_handles;
+ time_t downtime;
+ char *server_name;
+ krb5_ui_4 port;
+ char *root_certificate_file;
+ struct _krb5_ldap_server_info *next;
};
{
krb5_error_code st=0;
unsigned char *password=NULL;
-
+
if (ldap_context->bind_dn == NULL) {
- st = EINVAL;
+ st = EINVAL;
krb5_set_error_message(context, st, "LDAP bind dn value missing ");
goto err_out;
}
-
+
if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file == NULL) {
st = EINVAL;
krb5_set_error_message(context, st, "LDAP bind password value missing ");
}
if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file !=
- NULL && ldap_context->service_cert_path == NULL) {
+ NULL && ldap_context->service_cert_path == NULL) {
if ((st=krb5_ldap_readpassword(context, ldap_context, &password)) != 0) {
- prepend_err_str(context, "Error reading password from stash: ", st, st);
+ prepend_err_str(context, "Error reading password from stash: ", st, st);
goto err_out;
- }
-
+ }
+
/* Check if the returned 'password' is actually the path of a certificate */
if (!strncmp("{FILE}", (char *)password, 6)) {
/* 'password' format: <path>\0<password> */
if (password[strlen((char *)password) + 1] == '\0')
ldap_context->service_cert_pass = NULL;
else
- ldap_context->service_cert_pass = strdup((char *)password +
+ ldap_context->service_cert_pass = strdup((char *)password +
strlen((char *)password) + 1);
free(password);
} else {
ldap_context->bind_pwd = (char *)password;
if (ldap_context->bind_pwd == NULL) {
st = EINVAL;
- krb5_set_error_message(context, st, "Error reading password from stash");
+ krb5_set_error_message(context, st, "Error reading password from stash");
goto err_out;
}
}
/* NULL password not allowed */
if (ldap_context->bind_pwd != NULL && strlen(ldap_context->bind_pwd) == 0) {
st = EINVAL;
- krb5_set_error_message(context, st, "Service password length is zero");
+ krb5_set_error_message(context, st, "Service password length is zero");
goto err_out;
}
}
/*
- * Internal Functions called by init functions.
+ * Internal Functions called by init functions.
*/
-static krb5_error_code
+static krb5_error_code
krb5_ldap_bind(ldap_context, ldap_server_handle)
krb5_ldap_context *ldap_context;
krb5_ldap_server_handle *ldap_server_handle;
{
krb5_error_code st=0;
struct berval bv={0, NULL}, *servercreds=NULL;
-
- if(ldap_context->service_cert_path != NULL){
+
+ if (ldap_context->service_cert_path != NULL) {
/* Certificate based bind (SASL EXTERNAL mechanism) */
-
- st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
+
+ st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
NULL, /* Authenticating dn */
"EXTERNAL", /* Method used for authentication */
- &bv,
- NULL,
- NULL,
- &servercreds);
-
+ &bv,
+ NULL,
+ NULL,
+ &servercreds);
+
if (st == LDAP_SASL_BIND_IN_PROGRESS) {
- st = ldap_sasl_bind_s( ldap_server_handle->ldap_handle,
- NULL,
- "EXTERNAL",
- servercreds,
- NULL,
- NULL,
- &servercreds);
+ st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
+ NULL,
+ "EXTERNAL",
+ servercreds,
+ NULL,
+ NULL,
+ &servercreds);
}
} else {
/* password based simple bind */
- st = ldap_simple_bind_s(ldap_server_handle->ldap_handle,
- ldap_context->bind_dn,
+ st = ldap_simple_bind_s(ldap_server_handle->ldap_handle,
+ ldap_context->bind_dn,
ldap_context->bind_pwd);
}
return st;
}
-static krb5_error_code
+static krb5_error_code
krb5_ldap_initialize(ldap_context, server_info)
krb5_ldap_context *ldap_context;
krb5_ldap_server_info *server_info;
port = ldap_context->port;
else
port = LDAPS_PORT;
-
-
+
+
ldap_server_handle = calloc(1, sizeof(krb5_ldap_server_handle));
if (ldap_server_handle == NULL) {
st = ENOMEM;
goto err_out;
}
-
+
/* ldap init */
- if((ldap_server_handle->ldap_handle=ldap_init(server_info->server_name,
- port)) == NULL) {
- st = KRB5_KDB_ACCESS_ERROR;
- if (ldap_context->kcontext)
+ if ((ldap_server_handle->ldap_handle=ldap_init(server_info->server_name,
+ port)) == NULL) {
+ st = KRB5_KDB_ACCESS_ERROR;
+ if (ldap_context->kcontext)
krb5_set_error_message (ldap_context->kcontext, st, "%s",
strerror(errno));
goto err_out;
}
-
+
if ((st=krb5_ldap_bind(ldap_context, ldap_server_handle)) == 0) {
ldap_server_handle->server_info_update_pending = FALSE;
server_info->server_status = ON;
krb5_update_ldap_handle(ldap_server_handle, server_info);
} else {
- if (ldap_context->kcontext)
- krb5_set_error_message (ldap_context->kcontext,
+ if (ldap_context->kcontext)
+ krb5_set_error_message (ldap_context->kcontext,
KRB5_KDB_ACCESS_ERROR, "%s",
ldap_err2string(st));
- st = KRB5_KDB_ACCESS_ERROR;
+ st = KRB5_KDB_ACCESS_ERROR;
server_info->server_status = OFF;
time(&server_info->downtime);
/* ldap_unbind_s(ldap_server_handle->ldap_handle); */
if ((st=krb5_validate_ldap_context(context, ldap_context)) != 0)
goto err_out;
-
+
ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &local_timelimit);
ldap_set_option(NULL, LDAP_OPT_X_TLS, &tlsoption);
-
+
HNDL_LOCK(ldap_context);
while (ldap_context->server_info_list[cnt] != NULL) {
krb5_ldap_server_info *server_info=NULL;
-
+
server_info = ldap_context->server_info_list[cnt];
-
+
if (server_info->server_status == NOTSET) {
int conns=0;
-
+
/*
* Check if the server has to perform certificate-based authentication
*/
- if(ldap_context->service_cert_path != NULL){
+ if (ldap_context->service_cert_path != NULL) {
/* Find out if the server supports SASL EXTERNAL mechanism */
- if(has_sasl_external_mech(context, server_info->server_name) == 1){
+ if (has_sasl_external_mech(context, server_info->server_name) == 1) {
cnt++;
sasl_mech_supported = FALSE;
continue; /* Check the next LDAP server */
}
sasl_mech_supported = TRUE;
}
-
- krb5_clear_error_message(context);
-
+
+ krb5_clear_error_message(context);
+
for (conns=0; conns < ldap_context->max_server_conns; ++conns) {
- if ((st=krb5_ldap_initialize(ldap_context, server_info)) != 0)
- break;
+ if ((st=krb5_ldap_initialize(ldap_context, server_info)) != 0)
+ break;
} /* for (conn= ... */
- if (server_info->server_status == ON)
+ if (server_info->server_status == ON)
break; /* server init successful, so break */
}
++cnt;
}
HNDL_UNLOCK(ldap_context);
- err_out:
+err_out:
if (sasl_mech_supported == FALSE) {
- st = KRB5_KDB_ACCESS_ERROR;
- krb5_set_error_message (context, st,
- "Certificate based authentication requested but "
- "not supported by LDAP servers");
+ st = KRB5_KDB_ACCESS_ERROR;
+ krb5_set_error_message (context, st,
+ "Certificate based authentication requested but "
+ "not supported by LDAP servers");
}
return (st);
}
server_info = ldap_context->server_info_list[cnt];
if ((server_info->server_status == NOTSET || server_info->server_status == ON)) {
if (server_info->num_conns < ldap_context->max_server_conns-1) {
- st = krb5_ldap_initialize(ldap_context, server_info);
- if (st == LDAP_SUCCESS)
- goto cleanup;
+ st = krb5_ldap_initialize(ldap_context, server_info);
+ if (st == LDAP_SUCCESS)
+ goto cleanup;
}
}
++cnt;
}
/* If we are here, try to connect to all the servers */
-
+
cnt = 0;
while (ldap_context->server_info_list[cnt] != NULL) {
server_info = ldap_context->server_info_list[cnt];
st = krb5_ldap_initialize(ldap_context, server_info);
- if (st == LDAP_SUCCESS)
+ if (st == LDAP_SUCCESS)
goto cleanup;
++cnt;
}
- cleanup:
+cleanup:
return (st);
}
port = ldap_context->port;
else
port = LDAPS_PORT;
-
+
if ((handle->ldap_handle=ldap_init(handle->server_info->server_name, port)) == NULL
|| krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS)
return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
-krb5_error_code
-krb5_ldap_close( krb5_context context)
+krb5_error_code
+krb5_ldap_close(krb5_context context)
{
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
- if (context == NULL ||
- context->db_context == NULL ||
+ if (context == NULL ||
+ context->db_context == NULL ||
((kdb5_dal_handle *)context->db_context)->db_context == NULL)
- return 0;
-
+ return 0;
+
dal_handle = (kdb5_dal_handle *) context->db_context;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
dal_handle->db_context = NULL;
if (ldap_context == NULL)
return 0;
-
+
krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
ldap_context->krbcontainer = NULL;
return 0;
}
-
-
-
/*
* lib/kdb/kdb_ldap/kdb_xdr.c
*
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
#include <k5-int.h>
krb5_tl_data *tl_data;
for (tl_data = entry->tl_data; tl_data; tl_data = tl_data->tl_data_next) {
- if (tl_data->tl_data_type == ret_tl_data->tl_data_type) {
+ if (tl_data->tl_data_type == ret_tl_data->tl_data_type) {
*ret_tl_data = *tl_data;
return(0);
}
krb5_octet buf[4]; /* this is the encoded size of an int32 */
tl_data.tl_data_type = KRB5_TL_LAST_PWD_CHANGE;
- tl_data.tl_data_length = sizeof(buf);
+ tl_data.tl_data_length = sizeof(buf);
krb5_kdb_encode_int32((krb5_int32) stamp, buf);
tl_data.tl_data_contents = buf;
if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data)))
return(code);
-
+
if (tl_data.tl_data_length != 4) {
*stamp = 0;
return(0);
char * unparse_mod_princ = 0;
unsigned int unparse_mod_princ_size;
- if ((retval = krb5_unparse_name(context, mod_princ,
+ if ((retval = krb5_unparse_name(context, mod_princ,
&unparse_mod_princ)))
return(retval);
if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data)))
return(code);
-
+
if ((tl_data.tl_data_length < 5) ||
(tl_data.tl_data_contents[tl_data.tl_data_length-1] != '\0'))
return(KRB5_KDB_TRUNCATED_RECORD);
return(0);
}
-
* OP_ABANDON => ldap_abandon
*/
-int translate_ldap_error(int err, int op){
+int translate_ldap_error(int err, int op) {
switch (err) {
- case LDAP_SUCCESS:
- return 0;
-
- case LDAP_OPERATIONS_ERROR:
- /* LDAP_OPERATIONS_ERROR: Indicates an internal error. The server is
- * unable to respond with a more specific error and is also unable
- * to properly respond to a request */
- case LDAP_UNAVAILABLE_CRITICAL_EXTENSION:
- /* LDAP server was unable to satisfy a request because one or more
- * critical extensions were not available */
+ case LDAP_SUCCESS:
+ return 0;
+
+ case LDAP_OPERATIONS_ERROR:
+ /* LDAP_OPERATIONS_ERROR: Indicates an internal error. The server is
+ * unable to respond with a more specific error and is also unable
+ * to properly respond to a request */
+ case LDAP_UNAVAILABLE_CRITICAL_EXTENSION:
+ /* LDAP server was unable to satisfy a request because one or more
+ * critical extensions were not available */
/* This might mean that the schema was not extended ... */
- case LDAP_UNDEFINED_TYPE:
- /* The attribute specified in the modify or add operation does not
- * exist in the LDAP server's schema. */
- return KRB5_KDB_INTERNAL_ERROR;
-
-
- case LDAP_INAPPROPRIATE_MATCHING:
- /* The matching rule specified in the search filter does not match a
- * rule defined for the attribute's syntax */
- return KRB5_KDB_UK_RERROR;
-
- case LDAP_CONSTRAINT_VIOLATION:
- /* The attribute value specified in a modify, add, or modify DN
- * operation violates constraints placed on the attribute */
- case LDAP_TYPE_OR_VALUE_EXISTS:
- /* The attribute value specified in a modify or add operation
- * already exists as a value for that attribute */
+ case LDAP_UNDEFINED_TYPE:
+ /* The attribute specified in the modify or add operation does not
+ * exist in the LDAP server's schema. */
+ return KRB5_KDB_INTERNAL_ERROR;
+
+
+ case LDAP_INAPPROPRIATE_MATCHING:
+ /* The matching rule specified in the search filter does not match a
+ * rule defined for the attribute's syntax */
+ return KRB5_KDB_UK_RERROR;
+
+ case LDAP_CONSTRAINT_VIOLATION:
+ /* The attribute value specified in a modify, add, or modify DN
+ * operation violates constraints placed on the attribute */
+ case LDAP_TYPE_OR_VALUE_EXISTS:
+ /* The attribute value specified in a modify or add operation
+ * already exists as a value for that attribute */
+ return KRB5_KDB_UK_SERROR;
+
+ case LDAP_INVALID_SYNTAX:
+ /* The attribute value specified in an add, compare, or modify
+ * operation is an unrecognized or invalid syntax for the attribute */
+ if (op == OP_ADD || op == OP_MOD)
return KRB5_KDB_UK_SERROR;
-
- case LDAP_INVALID_SYNTAX:
- /* The attribute value specified in an add, compare, or modify
- * operation is an unrecognized or invalid syntax for the attribute */
- if (op == OP_ADD || op == OP_MOD)
- return KRB5_KDB_UK_SERROR;
- else /* OP_CMP */
- return KRB5_KDB_UK_RERROR;
+ else /* OP_CMP */
+ return KRB5_KDB_UK_RERROR;
/* Ensure that the following don't occur in the DAL-LDAP code.
* Don't rely on the LDAP server to catch it */
- case LDAP_SASL_BIND_IN_PROGRESS:
- /* This is not an error. So, this function should not be called */
- case LDAP_COMPARE_FALSE:
- case LDAP_COMPARE_TRUE:
- /* LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE are not errors. This
- * function should not be invoked for them */
- case LDAP_RESULTS_TOO_LARGE: /* CLDAP */
- case LDAP_TIMELIMIT_EXCEEDED:
- case LDAP_SIZELIMIT_EXCEEDED:
- return KRB5_KDB_SERVER_INTERNAL_ERR;
-
- case LDAP_INVALID_DN_SYNTAX:
- /* The syntax of the DN is incorrect */
- return EINVAL;
-
- case LDAP_PROTOCOL_ERROR:
- /* LDAP_PROTOCOL_ERROR: Indicates that the server has received an
- * invalid or malformed request from the client */
- case LDAP_CONFIDENTIALITY_REQUIRED:
+ case LDAP_SASL_BIND_IN_PROGRESS:
+ /* This is not an error. So, this function should not be called */
+ case LDAP_COMPARE_FALSE:
+ case LDAP_COMPARE_TRUE:
+ /* LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE are not errors. This
+ * function should not be invoked for them */
+ case LDAP_RESULTS_TOO_LARGE: /* CLDAP */
+ case LDAP_TIMELIMIT_EXCEEDED:
+ case LDAP_SIZELIMIT_EXCEEDED:
+ return KRB5_KDB_SERVER_INTERNAL_ERR;
+
+ case LDAP_INVALID_DN_SYNTAX:
+ /* The syntax of the DN is incorrect */
+ return EINVAL;
+
+ case LDAP_PROTOCOL_ERROR:
+ /* LDAP_PROTOCOL_ERROR: Indicates that the server has received an
+ * invalid or malformed request from the client */
+ case LDAP_CONFIDENTIALITY_REQUIRED:
/* Bind problems ... */
- case LDAP_AUTH_METHOD_NOT_SUPPORTED:
-// case LDAP_STRONG_AUTH_NOT_SUPPORTED: // Is this a bind error ?
- case LDAP_INAPPROPRIATE_AUTH:
- case LDAP_INVALID_CREDENTIALS:
- case LDAP_UNAVAILABLE:
+ case LDAP_AUTH_METHOD_NOT_SUPPORTED:
+/* case LDAP_STRONG_AUTH_NOT_SUPPORTED: // Is this a bind error ? */
+ case LDAP_INAPPROPRIATE_AUTH:
+ case LDAP_INVALID_CREDENTIALS:
+ case LDAP_UNAVAILABLE:
+ return KRB5_KDB_ACCESS_ERROR;
+
+ case LDAP_STRONG_AUTH_REQUIRED:
+ if (op == OP_BIND) /* the LDAP server accepts only strong authentication. */
return KRB5_KDB_ACCESS_ERROR;
+ else /* Client requested an operation such that requires strong authentication */
+ return KRB5_KDB_CONSTRAINT_VIOLATION;
- case LDAP_STRONG_AUTH_REQUIRED:
- if (op == OP_BIND) /* the LDAP server accepts only strong authentication. */
- return KRB5_KDB_ACCESS_ERROR;
- else /* Client requested an operation such that requires strong authentication */
- return KRB5_KDB_CONSTRAINT_VIOLATION;
+ case LDAP_REFERRAL:
+ return KRB5_KDB_NOENTRY;
- case LDAP_REFERRAL:
- return KRB5_KDB_NOENTRY;
-
- case LDAP_ADMINLIMIT_EXCEEDED:
- /* An LDAP server limit set by an administrative authority has been
- * exceeded */
- return KRB5_KDB_CONSTRAINT_VIOLATION;
- case LDAP_UNWILLING_TO_PERFORM:
- /* The LDAP server cannot process the request because of
- * server-defined restrictions */
- return KRB5_KDB_CONSTRAINT_VIOLATION;
+ case LDAP_ADMINLIMIT_EXCEEDED:
+ /* An LDAP server limit set by an administrative authority has been
+ * exceeded */
+ return KRB5_KDB_CONSTRAINT_VIOLATION;
+ case LDAP_UNWILLING_TO_PERFORM:
+ /* The LDAP server cannot process the request because of
+ * server-defined restrictions */
+ return KRB5_KDB_CONSTRAINT_VIOLATION;
- case LDAP_NO_SUCH_ATTRIBUTE:
- /* Indicates that the attribute specified in the modify or compare
- * operation does not exist in the entry */
- if (op == OP_MOD)
- return KRB5_KDB_UK_SERROR;
- else /* OP_CMP */
- return KRB5_KDB_TRUNCATED_RECORD;
+ case LDAP_NO_SUCH_ATTRIBUTE:
+ /* Indicates that the attribute specified in the modify or compare
+ * operation does not exist in the entry */
+ if (op == OP_MOD)
+ return KRB5_KDB_UK_SERROR;
+ else /* OP_CMP */
+ return KRB5_KDB_TRUNCATED_RECORD;
- case LDAP_ALIAS_DEREF_PROBLEM:
- /* Either the client does not have access rights to read the aliased
- * object's name or dereferencing is not allowed */
- case LDAP_PROXY_AUTHZ_FAILURE: // Is this correct ?
- case LDAP_INSUFFICIENT_ACCESS:
- /* Caller does not have sufficient rights to perform the requested
- * operation */
- return KRB5_KDB_UNAUTH;
+ case LDAP_ALIAS_DEREF_PROBLEM:
+ /* Either the client does not have access rights to read the aliased
+ * object's name or dereferencing is not allowed */
+ case LDAP_PROXY_AUTHZ_FAILURE: // Is this correct ?
+ case LDAP_INSUFFICIENT_ACCESS:
+ /* Caller does not have sufficient rights to perform the requested
+ * operation */
+ return KRB5_KDB_UNAUTH;
- case LDAP_LOOP_DETECT:
- /* Client discovered an alias or referral loop */
- return KRB5_KDB_DB_CORRUPT;
+ case LDAP_LOOP_DETECT:
+ /* Client discovered an alias or referral loop */
+ return KRB5_KDB_DB_CORRUPT;
- default:
+ default:
- if (LDAP_NAME_ERROR (err))
- return KRB5_KDB_NOENTRY;
+ if (LDAP_NAME_ERROR (err))
+ return KRB5_KDB_NOENTRY;
- if (LDAP_SECURITY_ERROR (err))
- return KRB5_KDB_UNAUTH;
+ if (LDAP_SECURITY_ERROR (err))
+ return KRB5_KDB_UNAUTH;
- if (LDAP_SERVICE_ERROR (err) || LDAP_API_ERROR (err) || LDAP_X_ERROR (err))
- return KRB5_KDB_ACCESS_ERROR;
+ if (LDAP_SERVICE_ERROR (err) || LDAP_API_ERROR (err) || LDAP_X_ERROR (err))
+ return KRB5_KDB_ACCESS_ERROR;
- if (LDAP_UPDATE_ERROR(err))
- return KRB5_KDB_UK_SERROR;
+ if (LDAP_UPDATE_ERROR(err))
+ return KRB5_KDB_UK_SERROR;
- /* LDAP_OTHER */
- return KRB5_KDB_SERVER_INTERNAL_ERR;
+ /* LDAP_OTHER */
+ return KRB5_KDB_SERVER_INTERNAL_ERR;
}
}
* get the master key from the database specific context
*/
-krb5_error_code
+krb5_error_code
krb5_ldap_get_mkey (context, key)
- krb5_context context;
- krb5_keyblock **key;
-
+ krb5_context context;
+ krb5_keyblock **key;
+
{
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
dal_handle = (kdb5_dal_handle *) context->db_context;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
-
- if ( ldap_context == NULL || ldap_context->lrparams == NULL)
+
+ if (ldap_context == NULL || ldap_context->lrparams == NULL)
return KRB5_KDB_DBNOTINITED;
*key = &ldap_context->lrparams->mkey;
* set the master key into the database specific context
*/
-krb5_error_code
+krb5_error_code
krb5_ldap_set_mkey (context, pwd, key)
krb5_context context;
char *pwd;
dal_handle = (kdb5_dal_handle *) context->db_context;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
-
- if ( ldap_context == NULL || ldap_context->lrparams == NULL)
- return KRB5_KDB_DBNOTINITED;
-
+
+ if (ldap_context == NULL || ldap_context->lrparams == NULL)
+ return KRB5_KDB_DBNOTINITED;
+
r_params = ldap_context->lrparams;
if (r_params->mkey.contents) {
r_params->mkey.enctype = key->enctype;
r_params->mkey.length = key->length;
r_params->mkey.contents = malloc(key->length);
- if (r_params->mkey.contents == NULL)
+ if (r_params->mkey.contents == NULL)
return ENOMEM;
-
+
memcpy(r_params->mkey.contents, key->contents, key->length);
return 0;
}
/*
* Update the server info structure. In case of an asynchronous bind,
- * this function is called to check the bind status. A flag
+ * this function is called to check the bind status. A flag
* server_info_upate_pending is refered before calling this function.
- * This function sets the server_status to either ON or OFF and
- * sets the server_info_udpate_pending to OFF.
- * Do not lock the mutex here. The caller should lock it
+ * This function sets the server_status to either ON or OFF and
+ * sets the server_info_udpate_pending to OFF.
+ * Do not lock the mutex here. The caller should lock it
*/
-static krb5_error_code
+static krb5_error_code
krb5_update_server_info(ldap_server_handle, server_info)
krb5_ldap_server_handle *ldap_server_handle;
krb5_ldap_server_info *server_info;
if (ldap_server_handle == NULL || server_info == NULL)
return -1;
-
+
while (st == 0) {
- st = ldap_result(ldap_server_handle->ldap_handle, ldap_server_handle->msgid,
+ st = ldap_result(ldap_server_handle->ldap_handle, ldap_server_handle->msgid,
LDAP_MSG_ALL, &ztime, &result);
switch (st) {
case -1:
case 0:
continue;
break;
-
+
case LDAP_RES_BIND:
if ((st=ldap_result2error(ldap_server_handle->ldap_handle, result, 1)) == LDAP_SUCCESS) {
server_info->server_status = ON;
} else {
-/* ?? */ krb5_set_error_message(0, 0, "%s", ldap_err2string(st));
+ /* ?? */ krb5_set_error_message(0, 0, "%s", ldap_err2string(st));
server_info->server_status = OFF;
time(&server_info->downtime);
}
ldap_msgfree(result);
break;
- default:
+ default:
ldap_msgfree(result);
continue;
break;
}
#endif
-/*
- * Return ldap server handle from the pool. If the pool is exhausted return NULL.
- * Do not lock the mutex, caller should lock it
+/*
+ * Return ldap server handle from the pool. If the pool is exhausted return NULL.
+ * Do not lock the mutex, caller should lock it
*/
static krb5_ldap_server_handle *
krb5_ldap_server_handle *ldap_server_handle=NULL;
krb5_ldap_server_info *ldap_server_info=NULL;
int cnt=0;
-
+
while (ldap_context->server_info_list[cnt] != NULL) {
ldap_server_info = ldap_context->server_info_list[cnt];
if (ldap_server_info->server_status != OFF) {
break;
#ifdef ASYNC_BIND
if (ldap_server_handle->server_info_update_pending == TRUE) {
- krb5_update_server_info(context, ldap_server_handle,
+ krb5_update_server_info(context, ldap_server_handle,
ldap_server_info);
}
return ldap_server_handle;
}
-/*
- * This is called incase krb5_get_ldap_handle returns NULL.
+/*
+ * This is called incase krb5_get_ldap_handle returns NULL.
* Try getting a single connection (handle) and return the same by
* calling krb5_get_ldap_handle function.
- * Do not lock the mutex here. The caller should lock it
+ * Do not lock the mutex here. The caller should lock it
*/
-static krb5_ldap_server_handle *
+static krb5_ldap_server_handle *
krb5_retry_get_ldap_handle(ldap_context, st)
krb5_ldap_context *ldap_context;
krb5_error_code *st;
{
- krb5_ldap_server_handle *ldap_server_handle=NULL;
+ krb5_ldap_server_handle *ldap_server_handle=NULL;
- if ((*st=krb5_ldap_db_single_init(ldap_context)) != 0)
+ if ((*st=krb5_ldap_db_single_init(ldap_context)) != 0)
return NULL;
-
+
ldap_server_handle = krb5_get_ldap_handle(ldap_context);
return ldap_server_handle;
}
/*
- * Put back the ldap server handle to the front of the list of handles of the
+ * Put back the ldap server handle to the front of the list of handles of the
* ldap server info structure.
- * Do not lock the mutex here. The caller should lock it.
+ * Do not lock the mutex here. The caller should lock it.
*/
-static krb5_error_code
+static krb5_error_code
krb5_put_ldap_handle(ldap_server_handle)
krb5_ldap_server_handle *ldap_server_handle;
{
if (ldap_server_handle == NULL)
return 0;
-
+
ldap_server_handle->next = ldap_server_handle->server_info->ldap_server_handles;
ldap_server_handle->server_info->ldap_server_handles = ldap_server_handle;
return 0;
}
-/*
+/*
* Add a new ldap server handle structure to the server info structure.
* This function name can be changed to krb5_insert_ldap_handle.
- * Do not lock the mutex here. The caller should lock it
+ * Do not lock the mutex here. The caller should lock it
*/
-krb5_error_code
+krb5_error_code
krb5_update_ldap_handle(ldap_server_handle, server_info)
krb5_ldap_server_handle *ldap_server_handle;
krb5_ldap_server_info *server_info;
{
-
+
if (ldap_server_handle == NULL || server_info == NULL)
return 0;
}
/*
- * Free up all the ldap server handles of the server info.
+ * Free up all the ldap server handles of the server info.
* This function is called when the ldap server returns LDAP_SERVER_DOWN.
*/
krb5_ldap_server_info *ldap_server_info;
{
krb5_ldap_server_handle *ldap_server_handle = NULL;
-
+
while (ldap_server_info->ldap_server_handles != NULL) {
ldap_server_handle = ldap_server_info->ldap_server_handles;
ldap_server_info->ldap_server_handles = ldap_server_handle->next;
/* ldap_unbind_s(ldap_server_handle); */
free (ldap_server_handle);
- ldap_server_handle = NULL;
+ ldap_server_handle = NULL;
}
return 0;
}
* wrapper function called from outside to get a handle.
*/
-krb5_error_code
+krb5_error_code
krb5_ldap_request_handle_from_pool(ldap_context, ldap_server_handle)
krb5_ldap_context *ldap_context;
krb5_ldap_server_handle **ldap_server_handle;
{
krb5_error_code st=0;
-
+
*ldap_server_handle = NULL;
HNDL_LOCK(ldap_context);
}
/*
- * wrapper function wrapper called to get the next ldap server handle, when the current
+ * wrapper function wrapper called to get the next ldap server handle, when the current
* ldap server handle returns LDAP_SERVER_DOWN.
*/
-krb5_error_code
+krb5_error_code
krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle)
krb5_ldap_context *ldap_context;
krb5_ldap_server_handle **ldap_server_handle;
{
krb5_error_code st=0;
-
+
HNDL_LOCK(ldap_context);
(*ldap_server_handle)->server_info->server_status = OFF;
time(&(*ldap_server_handle)->server_info->downtime);
- krb5_put_ldap_handle(*ldap_server_handle);
+ krb5_put_ldap_handle(*ldap_server_handle);
krb5_ldap_cleanup_handles((*ldap_server_handle)->server_info);
if (((*ldap_server_handle)=krb5_get_ldap_handle(ldap_context)) == NULL)
krb5_ldap_context *ldap_context;
krb5_ldap_server_handle *ldap_server_handle;
{
-
+
if (ldap_server_handle != NULL) {
HNDL_LOCK(ldap_context);
krb5_put_ldap_handle(ldap_server_handle);
* Free the krb5_ldap_krbcontainer_params
*/
-void
+void
krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *cparams)
{
- if(cparams == NULL)
+ if (cparams == NULL)
return;
-
+
if (cparams->policyreference)
krb5_xfree(cparams->policyreference);
-
+
if (cparams->parent)
krb5_xfree(cparams->parent);
-
+
if (cparams->DN)
krb5_xfree(cparams->DN);
-
+
krb5_xfree(cparams);
-
+
return;
}
/*
* Read the kerberos container. Kerberos container dn is read from the krb5.conf file.
* In case of eDirectory, if the dn is not present in the conf file, refer Security Container
- * to fetch the dn information.
- *
- * Reading kerberos container includes reading the policyreference attribute and the policy
+ * to fetch the dn information.
+ *
+ * Reading kerberos container includes reading the policyreference attribute and the policy
* object to read the attributes associated with it.
*/
krb5_error_code
-krb5_ldap_read_krbcontainer_params( krb5_context context,
- krb5_ldap_krbcontainer_params **cparamp)
-
+krb5_ldap_read_krbcontainer_params(krb5_context context,
+ krb5_ldap_krbcontainer_params **cparamp)
+
{
krb5_error_code st=0, tempst=0;
LDAP *ld=NULL;
/* read kerberos containter location from [dbmodules] section of krb5.conf file */
if (ldap_context->conf_section) {
if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, ldap_context->conf_section,
- "ldap_kerberos_container_dn", NULL,
+ "ldap_kerberos_container_dn", NULL,
&cparams->DN)) != 0) {
- krb5_set_error_message(context, st, "Error reading kerberos container location "
- "from krb5.conf");
+ krb5_set_error_message(context, st, "Error reading kerberos container location "
+ "from krb5.conf");
goto cleanup;
}
}
-
+
/* read kerberos containter location from [dbdefaults] section of krb5.conf file */
if (cparams->DN == NULL) {
- if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
- "ldap_kerberos_container_dn", NULL,
+ if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
+ "ldap_kerberos_container_dn", NULL,
NULL, &cparams->DN)) != 0) {
- krb5_set_error_message(context, st, "Error reading kerberos container location "
- "from krb5.conf");
+ krb5_set_error_message(context, st, "Error reading kerberos container location "
+ "from krb5.conf");
goto cleanup;
}
}
#ifndef HAVE_EDIRECTORY
/*
- * In case eDirectory, we can fall back to security container if the kerberos container location
+ * In case eDirectory, we can fall back to security container if the kerberos container location
* is missing in the conf file. In openldap we will have to return an error.
*/
if (cparams->DN == NULL) {
- st = KRB5_KDB_SERVER_INTERNAL_ERR;
- krb5_set_error_message(context, st, "Kerberos container location not specified");
- goto cleanup;
+ st = KRB5_KDB_SERVER_INTERNAL_ERR;
+ krb5_set_error_message(context, st, "Kerberos container location not specified");
+ goto cleanup;
}
#endif
if (cparams->DN != NULL) {
- /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is
+ /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is
* not read
*/
LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS);
if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
- st = set_ldap_error(context, st, OP_SEARCH);
+ st = set_ldap_error(context, st, OP_SEARCH);
goto cleanup;
}
-
+
if (st == LDAP_NO_SUCH_OBJECT) {
- st = KRB5_KDB_NOENTRY;
- goto cleanup;
+ st = KRB5_KDB_NOENTRY;
+ goto cleanup;
}
}
-
+
#ifdef HAVE_EDIRECTORY
/*
- * If the kerberos location in the conf file is missing or invalid, fall back to the
+ * If the kerberos location in the conf file is missing or invalid, fall back to the
* security container. If the kerberos location in the security container is also missing
* then fall back to the default value
*/
if ((cparams->DN == NULL) || (st == LDAP_NO_SUCH_OBJECT)) {
- /*
+ /*
* kerberos container can be anywhere. locate it by reading the security
* container to find the location.
*/
LDAP_SEARCH(SECURITY_CONTAINER, LDAP_SCOPE_BASE, NULL, krbcontainerrefattr);
if ((ent = ldap_first_entry(ld, result)) != NULL) {
- if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference",
+ if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference",
&(cparams->DN), NULL)) != 0)
goto cleanup;
if (cparams->DN == NULL) {
cparams->DN = strdup(KERBEROS_CONTAINER);
CHECK_NULL(cparams->DN);
}
- }
+ }
ldap_msgfree(result);
-
- /* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on
+
+ /* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on
* Kerberos Container is not read
*/
LDAP_SEARCH(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute);
}
#endif
-
- if ((ent = ldap_first_entry(ld, result))) {
- if ((st=krb5_ldap_get_string(ld, ent, "krbpolicyreference",
+
+ if ((ent = ldap_first_entry(ld, result))) {
+ if ((st=krb5_ldap_get_string(ld, ent, "krbpolicyreference",
&(cparams->policyreference), NULL)) != 0)
goto cleanup;
}
}
st = LDAP_SUCCESS; /* reset the return status in case it is LDAP_NO_SUCH_OBJECT */
- ent=ldap_first_entry(ld, result);
+ ent=ldap_first_entry(ld, result);
if (ent != NULL) {
krb5_ldap_get_value(ld, ent, "krbmaxtktlife", &(cparams->max_life));
krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &(cparams->max_renewable_life));
- krb5_ldap_get_value(ld, ent, "krbticketflags", &(cparams->tktflags));
+ krb5_ldap_get_value(ld, ent, "krbticketflags", &(cparams->tktflags));
}
ldap_msgfree(result);
}
- *cparamp=cparams;
+ *cparamp=cparams;
- cleanup:
- if(st != 0) {
+cleanup:
+ if (st != 0) {
krb5_ldap_free_krbcontainer_params(cparams);
*cparamp=NULL;
}
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
+ krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
*/
krb5_error_code
krb5_ldap_read_server_params(context, conf_section, srv_type)
- krb5_context context;
- char *conf_section;
- int srv_type;
+ krb5_context context;
+ char *conf_section;
+ int srv_type;
{
char *tempval=NULL, *save_ptr=NULL;
- const char *delims="\t\n\f\v\r ,";
+ const char *delims="\t\n\f\v\r ,";
krb5_error_code st=0;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
/* copy the conf_section into ldap_context for later use */
if (conf_section) {
- ldap_context->conf_section = strdup (conf_section);
- if (ldap_context->conf_section == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
+ ldap_context->conf_section = strdup (conf_section);
+ if (ldap_context->conf_section == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
}
/* initialize the mutexs and condition variable */
/* this portion logically doesn't fit here should be moved appropriately */
-
+
/* this mutex is used in ldap reconnection pool */
if (k5_mutex_init(&(ldap_context->hndl_lock)) != 0) {
st = KRB5_KDB_SERVER_INTERNAL_ERR;
* this parameter defines maximum ldap connections per ldap server
*/
if (ldap_context->max_server_conns == 0) {
- if ((st=profile_get_integer(context->profile, KDB_MODULE_SECTION, conf_section,
- "ldap_conns_per_server", 0,
+ if ((st=profile_get_integer(context->profile, KDB_MODULE_SECTION, conf_section,
+ "ldap_conns_per_server", 0,
(int *) &ldap_context->max_server_conns)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_conns_per_server' "
- "attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_conns_per_server' "
+ "attribute");
goto cleanup;
}
}
-
+
/* if ldap port is not set read it from database module section of conf file */
if (ldap_context->port == 0) {
- if ((st=profile_get_integer(context->profile, KDB_MODULE_SECTION, conf_section,
- "ldap_ssl_port", 0,
+ if ((st=profile_get_integer(context->profile, KDB_MODULE_SECTION, conf_section,
+ "ldap_ssl_port", 0,
(int *) &ldap_context->port)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_ssl_port' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_ssl_port' attribute");
goto cleanup;
}
}
-
- /* if the bind dn is not set read it from the database module section of conf file
- * this paramter is populated by one of the KDC, ADMIN or PASSWD dn to be used to connect
+
+ /* if the bind dn is not set read it from the database module section of conf file
+ * this paramter is populated by one of the KDC, ADMIN or PASSWD dn to be used to connect
* to LDAP server. the srv_type decides which dn to read.
*/
- if( ldap_context->bind_dn == NULL ) {
-
+ if (ldap_context->bind_dn == NULL) {
+
if (srv_type == KRB5_KDB_SRV_TYPE_KDC) {
- if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
+ if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
"ldap_kdc_dn", NULL, &ldap_context->bind_dn)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_kdc_dn' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_kdc_dn' attribute");
goto cleanup;
}
- }
- else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN) {
- if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
+ } else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN) {
+ if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
"ldap_kadmind_dn", NULL, &ldap_context->bind_dn)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_kadmind_dn' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_kadmind_dn' attribute");
goto cleanup;
}
- }
- else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD) {
- if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
+ } else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD) {
+ if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
"ldap_kpasswdd_dn", NULL, &ldap_context->bind_dn)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_kpasswdd_dn' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_kpasswdd_dn' attribute");
goto cleanup;
}
}
}
/* read service_password_file parameter from database module section of conf file
- * this file contains stashed passwords of the KDC, ADMIN and PASSWD dns.
+ * this file contains stashed passwords of the KDC, ADMIN and PASSWD dns.
*/
if (ldap_context->service_password_file == NULL) {
- if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
- "ldap_service_password_file", NULL,
+ if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
+ "ldap_service_password_file", NULL,
&ldap_context->service_password_file)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_service_password_file' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_service_password_file' attribute");
goto cleanup;
}
}
-
+
/* if root certificate file is not set read it from database module section of conf file
* this is the trusted root certificate of the Directory.
- */
+ */
if (ldap_context->root_certificate_file == NULL) {
- if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
- "ldap_root_certificate_file", NULL,
+ if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
+ "ldap_root_certificate_file", NULL,
&ldap_context->root_certificate_file)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_root_certificate_file' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_root_certificate_file' attribute");
goto cleanup;
}
}
-
- /* if the ldap server parameter is not set read the list of ldap servers:port from the
- * database module section of the conf file
+
+ /* if the ldap server parameter is not set read the list of ldap servers:port from the
+ * database module section of the conf file
*/
-
+
if (ldap_context->server_info_list == NULL) {
unsigned int ele=0;
-
+
server_info = &(ldap_context->server_info_list);
- *server_info = (krb5_ldap_server_info **) calloc (SERV_COUNT+1,
+ *server_info = (krb5_ldap_server_info **) calloc (SERV_COUNT+1,
sizeof (krb5_ldap_server_info *));
-
+
if (*server_info == NULL) {
st = ENOMEM;
goto cleanup;
}
-
- if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
+
+ if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
"ldap_servers", NULL, &tempval)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_servers' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_servers' attribute");
goto cleanup;
}
-
+
if (tempval == NULL) {
-
- (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1,
+
+ (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1,
sizeof(krb5_ldap_server_info));
-
+
(*server_info)[ele]->server_name = strdup("localhost");
if ((*server_info)[ele]->server_name == NULL) {
st = ENOMEM;
(*server_info)[ele]->server_status = NOTSET;
} else {
char *port=NULL, *server=NULL, *item=NULL;
-
+
item = strtok_r(tempval,delims,&save_ptr);
- while(item != NULL && ele<SERV_COUNT){
- (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1,
+ while (item != NULL && ele<SERV_COUNT) {
+ (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1,
sizeof(krb5_ldap_server_info));
if ((*server_info)[ele] == NULL) {
st = ENOMEM;
}
}
- /* the same set of all the above parameters can be obtained from the dbdefaults section of
+ /* the same set of all the above parameters can be obtained from the dbdefaults section of
* conf file. Here read the missing parameters from [dbdefaults] section */
if (ldap_context->max_server_conns == 0) {
- if ((st=profile_get_integer(context->profile, KDB_MODULE_DEF_SECTION,
- "ldap_conns_per_server", NULL, DEFAULT_CONNS_PER_SERVER,
+ if ((st=profile_get_integer(context->profile, KDB_MODULE_DEF_SECTION,
+ "ldap_conns_per_server", NULL, DEFAULT_CONNS_PER_SERVER,
(int *) &ldap_context->max_server_conns)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_conns_per_server' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_conns_per_server' attribute");
goto cleanup;
}
}
krb5_set_error_message (context, st, "Minimum connections required per server is 2");
goto cleanup;
}
-
+
if (ldap_context->port == 0) {
- if ((st=profile_get_integer(context->profile, KDB_MODULE_DEF_SECTION, "ldap_ssl_port",
+ if ((st=profile_get_integer(context->profile, KDB_MODULE_DEF_SECTION, "ldap_ssl_port",
NULL, LDAPS_PORT, &ldap_context->port)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_ssl_port' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_ssl_port' attribute");
goto cleanup;
}
}
- if( ldap_context->bind_dn == NULL ) {
+ if (ldap_context->bind_dn == NULL) {
if (srv_type == KRB5_KDB_SRV_TYPE_KDC) {
- if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, "ldap_kdc_dn",
+ if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, "ldap_kdc_dn",
NULL, NULL, &ldap_context->bind_dn)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_kdc_dn' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_kdc_dn' attribute");
goto cleanup;
}
- }
- else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN) {
- if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
- "ldap_kadmind_dn", NULL, NULL,
+ } else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN) {
+ if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
+ "ldap_kadmind_dn", NULL, NULL,
&ldap_context->bind_dn)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_kadmind_dn' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_kadmind_dn' attribute");
goto cleanup;
}
- }
- else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD) {
- if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
- "ldap_kpasswdd_dn", NULL, NULL,
+ } else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD) {
+ if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
+ "ldap_kpasswdd_dn", NULL, NULL,
&ldap_context->bind_dn)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_kpasswdd_dn' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_kpasswdd_dn' attribute");
goto cleanup;
}
}
/* read service_password_file value */
if (ldap_context->service_password_file == NULL) {
- if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
- "ldap_service_password_file", NULL, NULL,
+ if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
+ "ldap_service_password_file", NULL, NULL,
&ldap_context->service_password_file)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_service_passwd_file' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_service_passwd_file' attribute");
goto cleanup;
}
}
-
+
/* read root certificate file value */
if (ldap_context->root_certificate_file == NULL) {
- if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
- "ldap_root_certificate_file", NULL, NULL,
+ if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
+ "ldap_root_certificate_file", NULL, NULL,
&ldap_context->root_certificate_file)) != 0) {
- krb5_set_error_message (context, st, "Error reading 'ldap_root_certificate_file' attribute");
+ krb5_set_error_message (context, st, "Error reading 'ldap_root_certificate_file' attribute");
goto cleanup;
}
}
-
- cleanup:
+
+cleanup:
return(st);
}
if (ldap_context == NULL)
return 0;
-
+
/* free all ldap servers list and the ldap handles associated with the ldap server */
- if(ldap_context->server_info_list) {
+ if (ldap_context->server_info_list) {
while (ldap_context->server_info_list[i]) {
if (ldap_context->server_info_list[i]->server_name) {
free (ldap_context->server_info_list[i]->server_name);
}
krb5_xfree(ldap_context->server_info_list);
}
-
+
if (ldap_context->conf_section != NULL) {
krb5_xfree(ldap_context->conf_section);
ldap_context->conf_section = NULL;
krb5_error_code
is_principal_in_realm(ldap_context, searchfor)
- krb5_ldap_context *ldap_context;
- krb5_const_principal searchfor;
+ krb5_ldap_context *ldap_context;
+ krb5_const_principal searchfor;
{
int defrealmlen=0;
char *defrealm=NULL;
-
+
#define FIND_MAX(a,b) ((a) > (b) ? (a) : (b))
defrealmlen = strlen(ldap_context->lrparams->realm_name);
defrealm = ldap_context->lrparams->realm_name;
-
+
/* care should be taken for inter-realm principals as the default realm can exist in the
- * realm part of the principal name or can also exist in the second portion of the name part.
- * However, if the default realm exist in the second part of the principal portion, then the
- * first portion of the principal name SHOULD be "krbtgt". All this check is done in the
+ * realm part of the principal name or can also exist in the second portion of the name part.
+ * However, if the default realm exist in the second part of the principal portion, then the
+ * first portion of the principal name SHOULD be "krbtgt". All this check is done in the
* immediate block.
*/
- if (searchfor->length == 2)
- if ((strncasecmp(searchfor->data[0].data, "krbtgt",
- FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
- (strncasecmp(searchfor->data[1].data, defrealm,
- FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
+ if (searchfor->length == 2)
+ if ((strncasecmp(searchfor->data[0].data, "krbtgt",
+ FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
+ (strncasecmp(searchfor->data[1].data, defrealm,
+ FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
return 0;
-
+
/* first check the length, if they are not equal, then they are not same */
if (strlen(defrealm) != searchfor->realm.length)
return 1;
-
+
/* if the length is equal, check for the contents */
- if (strncmp(defrealm, searchfor->realm.data,
+ if (strncmp(defrealm, searchfor->realm.data,
searchfor->realm.length) != 0)
return 1;
/* if we are here, then the realm portions match, return 0 */
/*
- * Deduce the subtree information from the context. A realm can have atmost 2 subtrees.
- * 1. the Realm container
+ * Deduce the subtree information from the context. A realm can have atmost 2 subtrees.
+ * 1. the Realm container
* 2. the actual subtree associated with the Realm
*
* However, there are some conditions to be considered to deduce the actual subtree/s associated
* the realm has only one subtree i.e [Root], i.e. whole of the tree.
* 2. If the subtree information of the Realm is missing/absent, then the realm has only one
* i.e. the Realm container. NOTE: In call cases Realm container SHOULD be the one among the
- * subtrees or the only one subtree.
+ * subtrees or the only one subtree.
* 3. The subtree information of the realm is overlapping the realm container of the realm, then
* the realm has only one subtree and it is the subtree information associated with the realm.
*/
subtree = ldap_context->lrparams->subtree;
realm_cont_dn = ldap_context->lrparams->realmdn;
- /*
- * if subtree attribute value is [Root] of the tree which is represented by a ""
+ /*
+ * if subtree attribute value is [Root] of the tree which is represented by a ""
* (null) string, set the ntree value as 1 and do not fill the subtreearr value.
* In eDirectory the [Root] can be represented as a "" (null) string, however this
- * representation throws a "No such object" error in OpenLDAP.
+ * representation throws a "No such object" error in OpenLDAP.
* Representing [Root] of the tree as NULL pointer (i.e. no value) works in both case.
*/
if (subtree == NULL || strcasecmp(subtree, "") == 0) {
*ntree = 1;
return 0;
}
-
- /*
- * the subtree attribute value of the realm can be same as the realm container or can
- * even overlap. If the check is successful, then the subtree attribute value alone is
+
+ /*
+ * the subtree attribute value of the realm can be same as the realm container or can
+ * even overlap. If the check is successful, then the subtree attribute value alone is
* copied to the subtreearr array and the ntree value is set to 1.
*/
lendiff = strlen(realm_cont_dn) - strlen(subtree);
if (lendiff >= 0 && (strcasecmp(realm_cont_dn+lendiff, subtree)==0)) {
subtreearr[0] = strdup(subtree);
- if (subtreearr[0] == NULL)
+ if (subtreearr[0] == NULL)
return ENOMEM;
*ntree = 1;
return 0;
- }
-
+ }
+
/*
* if the subtree attribute value of the realm and the realm container are different,
* then both of the values are copied to subtreearr and ntree value is set to 2.
*/
subtreearr[0] = strdup(realm_cont_dn);
- if (subtreearr[0] == NULL)
+ if (subtreearr[0] == NULL)
return ENOMEM;
subtreearr[1] = strdup(subtree);
if (subtreearr[1] == NULL) {
/*
* This function appends the content with a type into the tl_data structure. Based on the type
- * the length of the content is either pre-defined or computed from the content.
+ * the length of the content is either pre-defined or computed from the content.
* Returns 0 in case of success and 1 if the type associated with the content is undefined.
*/
unsigned int currlen=0, tldatalen=0;
char *curr=NULL;
void *reallocptr=NULL;
-
+
tl_data->tl_data_type = KDB_TL_USER_INFO;
- switch(tl_type)
- {
+ switch (tl_type) {
case KDB_TL_PRINCCOUNT:
case KDB_TL_PRINCTYPE:
case KDB_TL_MASK:
{
- int *iptr = (int *)value;
- int ivalue = *iptr;
-
- currlen = tl_data->tl_data_length;
- tl_data->tl_data_length += 1 + 2 + 2;
+ int *iptr = (int *)value;
+ int ivalue = *iptr;
+
+ currlen = tl_data->tl_data_length;
+ tl_data->tl_data_length += 1 + 2 + 2;
/* allocate required memory */
- reallocptr = tl_data->tl_data_contents;
- tl_data->tl_data_contents = realloc(tl_data->tl_data_contents,
- tl_data->tl_data_length);
- if (tl_data->tl_data_contents == NULL) {
- if (reallocptr)
- free (reallocptr);
- return ENOMEM;
- }
- curr = (char *) (tl_data->tl_data_contents + currlen);
-
+ reallocptr = tl_data->tl_data_contents;
+ tl_data->tl_data_contents = realloc(tl_data->tl_data_contents,
+ tl_data->tl_data_length);
+ if (tl_data->tl_data_contents == NULL) {
+ if (reallocptr)
+ free (reallocptr);
+ return ENOMEM;
+ }
+ curr = (char *) (tl_data->tl_data_contents + currlen);
+
/* store the tl_type value */
- memset(curr, tl_type, 1);
- curr += 1;
+ memset(curr, tl_type, 1);
+ curr += 1;
/* store the content length */
- tldatalen = 2;
- STORE16_INT(curr, tldatalen);
- curr += 2;
+ tldatalen = 2;
+ STORE16_INT(curr, tldatalen);
+ curr += 2;
/* store the content */
- STORE16_INT(curr, ivalue);
- curr += 2;
+ STORE16_INT(curr, ivalue);
+ curr += 2;
break;
}
case KDB_TL_USERDN:
case KDB_TL_TKTPOLICYDN:
{
- char *cptr = (char *)value;
-
- currlen = tl_data->tl_data_length;
- tl_data->tl_data_length += 1 + 2 + strlen(cptr);
- /* allocate required memory */
- reallocptr = tl_data->tl_data_contents;
- tl_data->tl_data_contents = realloc(tl_data->tl_data_contents,
- tl_data->tl_data_length);
- if (tl_data->tl_data_contents == NULL) {
- if (reallocptr)
- free (reallocptr);
- return ENOMEM;
- }
- curr = (char *) (tl_data->tl_data_contents + currlen);
-
+ char *cptr = (char *)value;
+
+ currlen = tl_data->tl_data_length;
+ tl_data->tl_data_length += 1 + 2 + strlen(cptr);
+ /* allocate required memory */
+ reallocptr = tl_data->tl_data_contents;
+ tl_data->tl_data_contents = realloc(tl_data->tl_data_contents,
+ tl_data->tl_data_length);
+ if (tl_data->tl_data_contents == NULL) {
+ if (reallocptr)
+ free (reallocptr);
+ return ENOMEM;
+ }
+ curr = (char *) (tl_data->tl_data_contents + currlen);
+
/* store the tl_type value */
- memset(curr, tl_type, 1);
- curr += 1;
+ memset(curr, tl_type, 1);
+ curr += 1;
/* store the content length */
- tldatalen = strlen(cptr);
- STORE16_INT(curr, tldatalen);
- curr += 2;
+ tldatalen = strlen(cptr);
+ STORE16_INT(curr, tldatalen);
+ curr += 2;
/* store the content */
- memcpy(curr, cptr, tldatalen);
- curr += tldatalen;
- break;
+ memcpy(curr, cptr, tldatalen);
+ curr += tldatalen;
+ break;
}
case KDB_TL_KEYINFO:
{
- struct berval *key = (struct berval *)value;
-
- currlen = tl_data->tl_data_length;
- tl_data->tl_data_length += 1 + 2 + key->bv_len;
+ struct berval *key = (struct berval *)value;
+
+ currlen = tl_data->tl_data_length;
+ tl_data->tl_data_length += 1 + 2 + key->bv_len;
/* allocate required memory */
- reallocptr = tl_data->tl_data_contents;
- tl_data->tl_data_contents = realloc(tl_data->tl_data_contents,
- tl_data->tl_data_length);
- if (tl_data->tl_data_contents == NULL) {
- if (reallocptr)
- free (reallocptr);
- return ENOMEM;
- }
- curr = (char *) (tl_data->tl_data_contents + currlen);
-
+ reallocptr = tl_data->tl_data_contents;
+ tl_data->tl_data_contents = realloc(tl_data->tl_data_contents,
+ tl_data->tl_data_length);
+ if (tl_data->tl_data_contents == NULL) {
+ if (reallocptr)
+ free (reallocptr);
+ return ENOMEM;
+ }
+ curr = (char *) (tl_data->tl_data_contents + currlen);
+
/* store the tl_type value */
- memset(curr, tl_type, 1);
- curr += 1;
+ memset(curr, tl_type, 1);
+ curr += 1;
/* store the content length */
- tldatalen = key->bv_len;
- STORE16_INT(curr, tldatalen);
- curr += 2;
+ tldatalen = key->bv_len;
+ STORE16_INT(curr, tldatalen);
+ curr += 2;
/* store the content */
- memcpy(curr, key->bv_val, key->bv_len);
- curr += tldatalen;
- break;
+ memcpy(curr, key->bv_val, key->bv_len);
+ curr += tldatalen;
+ break;
}
-
+
default:
return 1;
-
+
}
return 0;
}
/*
- * This function scans the tl_data structure to get the value of a type defined by the tl_type
- * (second parameter). The tl_data structure has all the data in the tl_data_contents member.
+ * This function scans the tl_data structure to get the value of a type defined by the tl_type
+ * (second parameter). The tl_data structure has all the data in the tl_data_contents member.
* The format of the tl_data_contents is as follows.
- * The first byte defines the type of the content that follows. The next 2 bytes define the
+ * The first byte defines the type of the content that follows. The next 2 bytes define the
* size n (in terms of bytes) of the content that follows. The next n bytes define the content
* itself.
*/
unsigned char *curr=NULL;
int *intptr=NULL;
long *longptr=NULL;
- char *DN=NULL;
+ char *DN=NULL;
krb5_boolean keyfound=FALSE;
KEY *secretkey = NULL;
*data = NULL;
curr = tl_data->tl_data_contents;
- while(curr < (tl_data->tl_data_contents + tl_data->tl_data_length)) {
+ while (curr < (tl_data->tl_data_contents + tl_data->tl_data_length)) {
/* get the type of the content */
subtype = (int) curr[0];
/* forward by 1 byte*/
curr += 1;
-
+
if (subtype == tl_type) {
- switch(subtype) {
+ switch (subtype) {
case KDB_TL_PRINCCOUNT:
case KDB_TL_PRINCTYPE:
curr += 2;
/* get the actual content */
if (sublen == 2) {
- /* intptr = malloc(sublen); */
+ /* intptr = malloc(sublen); */
intptr = malloc(sizeof(krb5_int32));
- if (intptr == NULL)
+ if (intptr == NULL)
return ENOMEM;
memset(intptr, 0, sublen);
UNSTORE16_INT(curr, (*intptr));
*data = intptr;
- } else {
- longptr = malloc(sublen);
- if (longptr == NULL)
+ } else {
+ longptr = malloc(sublen);
+ if (longptr == NULL)
return ENOMEM;
memset(longptr, 0, sublen);
UNSTORE32_INT(curr, (*longptr));
return ENOMEM;
secretkey->nkey = 0;
secretkey->keys = NULL;
- secretkey->keys = realloc(secretkey->keys,
- sizeof(*(secretkey->keys)) * (limit));
+ secretkey->keys = realloc(secretkey->keys,
+ sizeof(*(secretkey->keys)) * (limit));
if (secretkey->keys == NULL)
return ENOMEM;
memset(secretkey->keys, 0, sizeof (*(secretkey->keys)) * (limit));
}
- if ( i == limit-1) {
+ if (i == limit-1) {
limit *= 2;
- secretkey->keys = realloc(secretkey->keys,
+ secretkey->keys = realloc(secretkey->keys,
sizeof(*(secretkey->keys)) * (limit));
if (secretkey->keys == NULL)
- return ENOMEM;
+ return ENOMEM;
memset(secretkey->keys+i, 0, sizeof (*(secretkey->keys)) * (limit-i));
}
if (tl_type == KDB_TL_KEYINFO) {
if (keyfound)
return 0;
- else
+ else
return EINVAL;
}
return EINVAL;
}
-/*
+/*
* wrapper routines for decode_tl_data
*/
static krb5_error_code
krb5_tl_data tl_data;
void *voidptr=NULL;
int *intptr=NULL;
-
+
tl_data.tl_data_type = KDB_TL_USER_INFO;
if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0)
goto cleanup;
-
+
if (decode_tl_data(&tl_data, type, &voidptr) == 0) {
intptr = (int *) voidptr;
*intval = *intptr;
free(intptr);
}
- cleanup:
+cleanup:
return st;
}
/*
- * get the mask representing the attributes set on the directory object (user, policy ...)
+ * get the mask representing the attributes set on the directory object (user, policy ...)
*/
krb5_error_code
krb5_get_attributes_mask(context, entries, mask)
krb5_error_code st=0;
krb5_tl_data tl_data;
void *voidptr=NULL;
-
+
tl_data.tl_data_type = KDB_TL_USER_INFO;
if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0)
goto cleanup;
-
+
if (decode_tl_data(&tl_data, KDB_TL_KEYINFO, &voidptr) == 0) {
*secretkey = (KEY *) voidptr;
}
- cleanup:
+cleanup:
return st;
}
krb5_error_code st=0;
krb5_tl_data tl_data;
void *voidptr=NULL;
-
+
if (type != KDB_TL_USERDN && type != KDB_TL_CONTAINERDN && type != KDB_TL_TKTPOLICYDN) {
st = EINVAL;
goto cleanup;
tl_data.tl_data_type = KDB_TL_USER_INFO;
if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0)
goto cleanup;
-
+
if (decode_tl_data(&tl_data, type, &voidptr) == 0) {
*strval = (char *) voidptr;
}
- cleanup:
+cleanup:
return st;
}
return krb5_get_str_from_tl_data(context, entries, KDB_TL_TKTPOLICYDN, policydn);
}
/*
- * This function reads the attribute values (if the attribute is non-null) from the dn.
+ * This function reads the attribute values (if the attribute is non-null) from the dn.
* The read attribute values is compared aganist the attrvalues passed to the function
* and a bit mask is set for all the matching attributes (attributes existing in both list).
- * The bit to be set is selected such that the index of the attribute in the attrvalues
+ * The bit to be set is selected such that the index of the attribute in the attrvalues
* parameter is the position of the bit.
* For ex: the first element in the attrvalues is present in both list shall set the LSB of the
* bit mask.
int *mask;
{
int st=0, one=1;
- char **values=NULL, *attributes[2] = {NULL};
+ char **values=NULL, *attributes[2] = {NULL};
LDAPMessage *result=NULL, *entry=NULL;
-
+
if (strlen(dn) == 0)
- return LDAP_NO_SUCH_OBJECT;
+ return LDAP_NO_SUCH_OBJECT;
attributes[0] = attribute;
/* read the attribute values from the dn */
- if((st = ldap_search_ext_s( ld,
+ if ((st = ldap_search_ext_s(ld,
dn,
LDAP_SCOPE_BASE,
0,
&timelimit,
LDAP_NO_LIMIT,
&result)) != LDAP_SUCCESS) {
- st = set_ldap_error(0, st, OP_SEARCH);
+ st = set_ldap_error(0, st, OP_SEARCH);
return st;
}
-
- /*
+
+ /*
* If the attribute/attrvalues is NULL, then check for the existence of the object alone
*/
if (attribute == NULL || attrvalues == NULL)
/* reset the bit mask */
*mask = 0;
- if((entry=ldap_first_entry(ld, result)) != NULL) {
+ if ((entry=ldap_first_entry(ld, result)) != NULL) {
/* read the attribute values */
- if((values=ldap_get_values(ld, entry, attribute)) != NULL) {
+ if ((values=ldap_get_values(ld, entry, attribute)) != NULL) {
int i,j;
-
- /* compare the read attribute values with the attrvalues array and set the
- * appropriate bit mask
+
+ /* compare the read attribute values with the attrvalues array and set the
+ * appropriate bit mask
*/
- for(j=0; attrvalues[j]; ++j) {
- for(i=0; values[i]; ++i) {
- if(strcasecmp(values[i], attrvalues[j]) == 0) {
+ for (j=0; attrvalues[j]; ++j) {
+ for (i=0; values[i]; ++i) {
+ if (strcasecmp(values[i], attrvalues[j]) == 0) {
*mask |= (one<<j);
break;
}
ldap_value_free(values);
}
}
-
- cleanup:
+
+cleanup:
ldap_msgfree(result);
return st;
}
/*
- * This function updates a single attribute with a single value of a specified dn.
+ * This function updates a single attribute with a single value of a specified dn.
* This function is mainly used to update krbRealmReferences, krbKdcServers, krbAdminServers...
* when KDC, ADMIN, PASSWD servers are associated with some realms or vice versa.
*/
-krb5_error_code
+krb5_error_code
updateAttribute (ld, dn, attribute, value)
LDAP *ld;
char *dn;
{
int st=0;
LDAPMod modAttr, *mods[2]={NULL};
- char *values[2]={NULL};
+ char *values[2]={NULL};
values[0] = value;
modAttr.mod_op = LDAP_MOD_ADD;
modAttr.mod_values = values;
mods[0] = &modAttr;
-
+
/* ldap modify operation */
st = ldap_modify_s(ld, dn, mods);
- /* if the {attr,attrval} combination is already present return a success
+ /* if the {attr,attrval} combination is already present return a success
* LDAP_ALREADY_EXISTS is for single-valued attribute
* LDAP_TYPE_OR_VALUE_EXISTS is for multi-valued attribute
*/
st = 0;
if (st != 0) {
- st = set_ldap_error (0, st, OP_MOD);
+ st = set_ldap_error (0, st, OP_MOD);
}
-
+
return st;
}
-
+
/*
- * This function deletes a single attribute with a single value of a specified dn.
+ * This function deletes a single attribute with a single value of a specified dn.
* This function is mainly used to delete krbRealmReferences, krbKdcServers, krbAdminServers...
* when KDC, ADMIN, PASSWD servers are disassociated with some realms or vice versa.
*/
-krb5_error_code
+krb5_error_code
deleteAttribute (ld, dn, attribute, value)
LDAP *ld;
char *dn;
{
krb5_error_code st=0;
LDAPMod modAttr, *mods[2]={NULL};
- char *values[2]={NULL};
+ char *values[2]={NULL};
values[0] = value;
modAttr.mod_op = LDAP_MOD_DELETE;
modAttr.mod_values = values;
mods[0] = &modAttr;
-
+
/* ldap modify operation */
st = ldap_modify_s(ld, dn, mods);
-
+
/* if either the attribute or the attribute value is missing return a success */
if (st == LDAP_NO_SUCH_ATTRIBUTE || st == LDAP_UNDEFINED_TYPE)
st = 0;
-
+
if (st != 0) {
st = set_ldap_error (0, st, OP_MOD);
}
-
+
return st;
}
/*
- * This function takes in 2 string arrays, compares them to remove the matching entries.
+ * This function takes in 2 string arrays, compares them to remove the matching entries.
* The first array is the original list and the second array is the modified list. Removing
* the matching entries will result in a reduced array, where the left over first array elements
* are the deleted entries and the left over second array elements are the added entries.
/* validate the input parameters */
if (src == NULL || dest == NULL)
return 0;
-
+
/* compute the first array length */
- for (i=0;src[i]; ++i)
+ for (i=0;src[i]; ++i)
;
-
+
/* return if the length is 0 */
- if (i==0)
+ if (i==0)
return 0;
/* index of the last element and also the length of the array */
slen = i-1;
/* compute the second array length */
- for (i=0;dest[i]; ++i)
+ for (i=0;dest[i]; ++i)
;
/* return if the length is 0 */
if (i==0)
return 0;
-
+
/* index of the last element and also the length of the array */
dlen = i-1;
-
+
/* check for the similar elements and delete them from both the arrays */
- for(i=0; src[i]; ++i) {
+ for (i=0; src[i]; ++i) {
- for(j=0; dest[j]; ++j) {
+ for (j=0; dest[j]; ++j) {
/* if the element are same */
if (strcasecmp(src[i], dest[j]) == 0) {
}
/* reduce the array length by 1 */
slen -= 1;
-
+
/* repeat the same processing for the second array too */
if (j != dlen) {
free(dest[j]);
dest[j] = dest[dlen];
dest[dlen] = NULL;
- } else {
+ } else {
free(dest[j]);
dest[j] = NULL;
}
dlen -=1;
- /* the source array is reduced by 1, so reduce the index variable used for
+ /* the source array is reduced by 1, so reduce the index variable used for
* source array by 1. No need to adjust the second array index variable as
* it is reset while entering the inner loop
*/
* for later use.
*/
-krb5_error_code
+krb5_error_code
copy_arrays(src, dest, count)
char **src;
char ***dest;
/* validate the input parameters */
if (src == NULL || dest == NULL)
- return 0;
-
+ return 0;
+
/* allocate memory for the dest array */
*dest = (char **) calloc((unsigned) count+1, sizeof(char *));
if (*dest == NULL) {
}
}
- cleanup:
+cleanup:
/* in case of error free up everything and return */
if (st != 0) {
if (*dest != NULL) {
- for(i=0; (*dest)[i]; ++i) {
+ for (i=0; (*dest)[i]; ++i) {
free ((*dest)[i]);
(*dest)[i] = NULL;
}
* The retval is 0 if the attribute is missing.
*/
-krb5_error_code
+krb5_error_code
krb5_ldap_get_value(ld, ent, attribute, retval)
LDAP *ld;
LDAPMessage *ent;
}
/*
- * krb5_ldap_get_string() - Returns the first string of the attribute. Intended to
+ * krb5_ldap_get_string() - Returns the first string of the attribute. Intended to
*
*
*/
-krb5_error_code
+krb5_error_code
krb5_ldap_get_string(ld, ent, attribute, retstr, attr_present)
LDAP *ld;
LDAPMessage *ent;
*retstr = NULL;
if (attr_present != NULL)
- *attr_present = FALSE;
+ *attr_present = FALSE;
values=ldap_get_values(ld, ent, attribute);
if (values != NULL) {
return st;
}
-krb5_error_code
+krb5_error_code
krb5_ldap_get_time(ld, ent, attribute, rettime, attr_present)
LDAP *ld;
LDAPMessage *ent;
/*
* Function to allocate, set the values of LDAPMod structure. The LDAPMod structure is then
- * added to the array at the ind
+ * added to the array at the ind
*/
-krb5_error_code
+krb5_error_code
krb5_add_member(mods, count)
- LDAPMod ***mods;
- int *count;
+ LDAPMod ***mods;
+ int *count;
{
int i=0;
LDAPMod **lmods=NULL;
-
+
if ((*mods) != NULL) {
- for (;(*mods)[i] != NULL; ++i)
- ;
- }
+ for (;(*mods)[i] != NULL; ++i)
+ ;
+ }
lmods = (LDAPMod **) realloc((*mods), (2+i) * sizeof(LDAPMod *));
if (lmods == NULL)
- return ENOMEM;
+ return ENOMEM;
*mods = lmods;
(*mods)[i+1] = NULL;
}
krb5_error_code
-krb5_add_str_mem_ldap_mod(mods, attribute, op, values)
- LDAPMod ***mods;
- char *attribute;
- int op;
- char **values;
+krb5_add_str_mem_ldap_mod(mods, attribute, op, values)
+ LDAPMod ***mods;
+ char *attribute;
+ int op;
+ char **values;
{
int i=0, j=0;
krb5_error_code st=0;
if ((st=krb5_add_member(mods, &i)) != 0)
- return st;
-
+ return st;
+
(*mods)[i]->mod_type = strdup(attribute);
if ((*mods)[i]->mod_type == NULL)
- return ENOMEM;
+ return ENOMEM;
(*mods)[i]->mod_op = op;
if (values != NULL) {
- for (j=0; values[j] != NULL; ++j)
- ;
- (*mods)[i]->mod_values = malloc (sizeof(char *) * (j+1));
- if ((*mods)[i]->mod_values == NULL)
- return ENOMEM;
-
- for (j=0; values[j] != NULL; ++j) {
- (*mods)[i]->mod_values[j] = strdup(values[j]);
- if ((*mods)[i]->mod_values[j] == NULL)
+ for (j=0; values[j] != NULL; ++j)
+ ;
+ (*mods)[i]->mod_values = malloc (sizeof(char *) * (j+1));
+ if ((*mods)[i]->mod_values == NULL)
return ENOMEM;
- }
- (*mods)[i]->mod_values[j] = NULL;
+
+ for (j=0; values[j] != NULL; ++j) {
+ (*mods)[i]->mod_values[j] = strdup(values[j]);
+ if ((*mods)[i]->mod_values[j] == NULL)
+ return ENOMEM;
+ }
+ (*mods)[i]->mod_values[j] = NULL;
}
return 0;
}
krb5_error_code
-krb5_add_ber_mem_ldap_mod(mods, attribute, op, ber_values)
- LDAPMod ***mods;
- char *attribute;
- int op;
- struct berval **ber_values;
+krb5_add_ber_mem_ldap_mod(mods, attribute, op, ber_values)
+ LDAPMod ***mods;
+ char *attribute;
+ int op;
+ struct berval **ber_values;
{
int i=0, j=0;
krb5_error_code st=0;
if ((st=krb5_add_member(mods, &i)) != 0)
- return st;
-
+ return st;
+
(*mods)[i]->mod_type = strdup(attribute);
if ((*mods)[i]->mod_type == NULL)
- return ENOMEM;
+ return ENOMEM;
(*mods)[i]->mod_op = op;
for (j=0; ber_values[j] != NULL; ++j)
- ;
- (*mods)[i]->mod_bvalues = malloc (sizeof(struct berval *) * (j+1));
+ ;
+ (*mods)[i]->mod_bvalues = malloc (sizeof(struct berval *) * (j+1));
if ((*mods)[i]->mod_bvalues == NULL)
return ENOMEM;
-
+
for (j=0; ber_values[j] != NULL; ++j) {
(*mods)[i]->mod_bvalues[j] = calloc(1, sizeof(struct berval));
if ((*mods)[i]->mod_bvalues[j] == NULL)
return ENOMEM;
- (*mods)[i]->mod_bvalues[j]->bv_len = ber_values[j]->bv_len;
+ (*mods)[i]->mod_bvalues[j]->bv_len = ber_values[j]->bv_len;
(*mods)[i]->mod_bvalues[j]->bv_val = malloc((*mods)[i]->mod_bvalues[j]->bv_len);
if ((*mods)[i]->mod_bvalues[j]->bv_val == NULL)
return ENOMEM;
- memcpy((*mods)[i]->mod_bvalues[j]->bv_val, ber_values[j]->bv_val,
+ memcpy((*mods)[i]->mod_bvalues[j]->bv_val, ber_values[j]->bv_val,
ber_values[j]->bv_len);
}
(*mods)[i]->mod_bvalues[j] = NULL;
}
krb5_error_code
-krb5_add_int_arr_mem_ldap_mod(mods, attribute, op, value)
- LDAPMod ***mods;
- char *attribute;
- int op;
- int *value;
+krb5_add_int_arr_mem_ldap_mod(mods, attribute, op, value)
+ LDAPMod ***mods;
+ char *attribute;
+ int op;
+ int *value;
{
int i=0, j=0;
krb5_error_code st=0;
if ((st=krb5_add_member(mods, &i)) != 0)
- return st;
+ return st;
(*mods)[i]->mod_type = strdup(attribute);
if ((*mods)[i]->mod_type == NULL)
- return ENOMEM;
+ return ENOMEM;
(*mods)[i]->mod_op = op;
for (j=0; value[j] != -1; ++j)
- ;
+ ;
+
+ (*mods)[i]->mod_values = malloc(sizeof(char *) * (j+1));
- (*mods)[i]->mod_values = malloc(sizeof(char *) * (j+1));
-
for (j=0; value[j] != -1; ++j) {
if (((*mods)[i]->mod_values[j] = format_d(value[j])) == NULL)
return ENOMEM;
}
krb5_error_code
-krb5_add_int_mem_ldap_mod(mods, attribute, op, value)
- LDAPMod ***mods;
- char *attribute;
- int op;
- int value;
+krb5_add_int_mem_ldap_mod(mods, attribute, op, value)
+ LDAPMod ***mods;
+ char *attribute;
+ int op;
+ int value;
{
int i=0;
krb5_error_code st=0;
if ((st=krb5_add_member(mods, &i)) != 0)
- return st;
-
+ return st;
+
(*mods)[i]->mod_type = strdup(attribute);
if ((*mods)[i]->mod_type == NULL)
- return ENOMEM;
+ return ENOMEM;
(*mods)[i]->mod_op = op;
(*mods)[i]->mod_values = calloc (2, sizeof(char *));
}
krb5_error_code
-krb5_ldap_set_option( krb5_context kcontext, int option, void *value )
+krb5_ldap_set_option(krb5_context kcontext, int option, void *value)
{
krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP;
- krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
return status;
}
krb5_error_code
-krb5_ldap_lock( krb5_context kcontext, int mode )
+krb5_ldap_lock(krb5_context kcontext, int mode)
{
krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP;
- krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
return status;
}
krb5_error_code
-krb5_ldap_unlock( krb5_context kcontext )
+krb5_ldap_unlock(krb5_context kcontext)
{
krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP;
- krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
return status;
}
krb5_error_code
-krb5_ldap_supported_realms( krb5_context kcontext, char **realms )
+krb5_ldap_supported_realms(krb5_context kcontext, char **realms)
{
krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP;
- krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
return status;
}
krb5_error_code
-krb5_ldap_free_supported_realms( krb5_context kcontext, char **realms )
+krb5_ldap_free_supported_realms(krb5_context kcontext, char **realms)
{
krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP;
- krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
return status;
}
krb5_error_code
-krb5_ldap_errcode_2_string( krb5_context kcontext, long err_code )
+krb5_ldap_errcode_2_string(krb5_context kcontext, long err_code)
{
krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP;
- krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
return status;
}
struct timeval timelimit = {300, 0}; /* 5 minutes */
char *principal_attributes[] = { "krbprincipalname",
"objectclass",
- "krbsecretkey",
- "krbmaxrenewableage",
- "krbmaxticketlife",
+ "krbsecretkey",
+ "krbmaxrenewableage",
+ "krbmaxticketlife",
"krbticketflags",
- "krbprincipalexpiration",
+ "krbprincipalexpiration",
"krbpolicyreference",
"krbUpEnabled",
"krbpwdpolicyreference",
"loginexpirationtime",
"logindisabled",
#endif
- "loginexpirationtime",
+ "loginexpirationtime",
"logindisabled",
"modifiersname",
"modifytimestamp",
NULL };
-static char *attributes_set[] = { "krbmaxrenewableage",
- "krbmaxticketlife",
+static char *attributes_set[] = { "krbmaxrenewableage",
+ "krbmaxticketlife",
"krbticketflags",
- "krbprincipalexpiration",
+ "krbprincipalexpiration",
"krbpolicyreference",
"krbUpEnabled",
"krbpwdpolicyreference",
void
krb5_dbe_free_contents(context, entry)
- krb5_context context;
+ krb5_context context;
krb5_db_entry *entry;
{
krb5_tl_data *tl_data_next=NULL;
for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
if (entry->key_data[i].key_data_length[j]) {
if (entry->key_data[i].key_data_contents[j]) {
- memset(entry->key_data[i].key_data_contents[j],
- 0,
+ memset(entry->key_data[i].key_data_contents[j],
+ 0,
(unsigned) entry->key_data[i].key_data_length[j]);
free (entry->key_data[i].key_data_contents[j]);
}
for (i = 0; i < nentries; i++)
krb5_dbe_free_contents(kcontext, &entries[i]);
return 0;
-}
+}
krb5_error_code
memset(&entry, 0, sizeof(krb5_db_entry));
SETUP_CONTEXT();
-
+
realm = ldap_context->lrparams->realm_name;
if (realm == NULL) {
realm = context->default_realm;
if (realm == NULL) {
- st = EINVAL;
+ st = EINVAL;
krb5_set_error_message(context, st, "Default realm not set");
goto cleanup;
}
GET_HANDLE();
for (tree=0; tree<ntree; ++tree) {
-
+
LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, krbprincipal_attr);
- for(ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) {
+ for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) {
if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
- for(i=0; values[i] != NULL; ++i) {
+ for (i=0; values[i] != NULL; ++i) {
if (krb5_ldap_parse_principal_name(values[i], &princ_name) != 0)
continue;
if (krb5_parse_name(context, princ_name, &principal) != 0)
(*func)(func_arg, &entry);
}
krb5_free_principal(context, principal);
- if (princ_name)
+ if (princ_name)
free(princ_name);
}
ldap_value_free(values);
}
- } /* end of for(ent= ... */
+ } /* end of for (ent= ... */
ldap_msgfree(result);
- } /* end of for(tree= ... */
-
- cleanup:
+ } /* end of for (tree= ... */
+
+cleanup:
if (filter)
free (filter);
-
- for ( ;ntree; --ntree)
+
+ for (;ntree; --ntree)
if (subtree[ntree-1])
free (subtree[ntree-1]);
-
+
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
LDAPMod **mods=NULL;
LDAP *ld=NULL;
int j=0, ptype=KDB_USER_PRINCIPAL, pcount=0, attrsetmask=0;
- krb5_error_code st=0;
+ krb5_error_code st=0;
krb5_boolean singleentry=FALSE;
KEY *secretkey=NULL;
kdb5_dal_handle *dal_handle=NULL;
((st=krb5_get_princ_count(context, &entries, &(pcount))) != 0) ||
((st=krb5_get_userdn(context, &entries, &(DN))) != 0) ||
((st=krb5_get_policydn(context, &entries, &policydn)) != 0) ||
- ((st=krb5_get_secretkeys(context, &entries, &secretkey)) != 0))
+ ((st=krb5_get_secretkeys(context, &entries, &secretkey)) != 0))
goto cleanup;
-
+
if (DN == NULL) {
st = EINVAL;
krb5_set_error_message(context, st, "DN information missing");
if (ptype == KDB_USER_PRINCIPAL) {
- if(((st=krb5_unparse_name(context, searchfor, &user)) != 0)
- || ((st=krb5_ldap_unparse_principal_name(user)) != 0))
- goto cleanup;
-
+ if (((st=krb5_unparse_name(context, searchfor, &user)) != 0)
+ || ((st=krb5_ldap_unparse_principal_name(user)) != 0))
+ goto cleanup;
+
memset(strval, 0, sizeof(strval));
strval[0] = user;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_DELETE,
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_DELETE,
strval)) != 0)
goto cleanup;
-
+
singleentry = (pcount == 1) ? TRUE: FALSE;
if (singleentry == FALSE) {
if (secretkey != NULL) {
goto cleanup;
}
} else {
- /*
+ /*
* If the Kerberos user principal to be deleted happens to be the last one associated
- * with the directory user object, then it is time to delete the other kerberos
+ * with the directory user object, then it is time to delete the other kerberos
* specific attributes like krbmaxticketlife, i.e, unkerberize the directory user.
- * From the attrsetmask value, identify the attributes set on the directory user
+ * From the attrsetmask value, identify the attributes set on the directory user
* object and delete them.
- * NOTE: krbsecretkey attribute has per principal entries. There can be chances that the
+ * NOTE: krbsecretkey attribute has per principal entries. There can be chances that the
* other principals' keys are exisiting/left-over. So delete all the values.
*/
while (attrsetmask) {
attrsetmask >>= 1;
++j;
}
- if(policydn != NULL)
- {
- if ((st = krb5_ldap_change_count(context, policydn,2 )))
- goto cleanup;
+ if (policydn != NULL) {
+ if ((st = krb5_ldap_change_count(context, policydn,2)))
+ goto cleanup;
}
if ((st=checkattributevalue(ld, DN, "objectclass", attrvalues, &amask)) != 0)
goto cleanup;
memset(strval, 0, sizeof(strval));
- for(p=1, q=0; p<=4; p<<=1, ++q)
+ for (p=1, q=0; p<=4; p<<=1, ++q)
if (p & amask)
strval[r++] = attrvalues[q];
strval[r] = NULL;
}
}
st=ldap_modify_s(ld, DN, mods);
- if (st != LDAP_SUCCESS) {
+ if (st != LDAP_SUCCESS) {
st = set_ldap_error(context, st, OP_MOD);
goto cleanup;
- }
- }
- else if (ptype == KDB_SERVICE_PRINCIPAL) {
+ }
+ } else if (ptype == KDB_SERVICE_PRINCIPAL) {
st = ldap_delete_s(ld, DN);
if (st != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_DEL);
goto cleanup;
- }
+ }
}
-
- cleanup:
+
+cleanup:
if (user)
free (user);
-
+
if (DN)
free (DN);
* in the principal name component.
*
* Arguments:
- * user_name (input/output) Principal name
- *
+ * user_name (input/output) Principal name
+ *
*/
krb5_error_code
krb5_ldap_unparse_principal_name(char *user_name)
{
char *tmp_princ_name=NULL, *princ_name=NULL, *tmp=NULL;
- int l=0;
+ int l=0;
krb5_error_code st=0;
- if(strstr(user_name, "\\@"))
- {
+ if (strstr(user_name, "\\@")) {
tmp_princ_name = strdup(user_name);
- if( !tmp_princ_name )
- {
+ if (!tmp_princ_name) {
st = ENOMEM;
goto cleanup;
}
tmp = tmp_princ_name;
princ_name = (char *) malloc (strlen(user_name));
- if( !princ_name )
- {
+ if (!princ_name) {
st = ENOMEM;
goto cleanup;
}
memset(princ_name, 0, strlen(user_name));
l = 0;
- while(*tmp_princ_name)
- {
- if((*tmp_princ_name == '\\') && (*(tmp_princ_name+1) == '@'))
- {
+ while (*tmp_princ_name) {
+ if ((*tmp_princ_name == '\\') && (*(tmp_princ_name+1) == '@')) {
tmp_princ_name += 1;
- }
- else
- {
+ } else {
*(princ_name + l) = *tmp_princ_name++;
l++;
}
sprintf(user_name, "%s", princ_name);
}
- cleanup:
+cleanup:
if (tmp) {
free(tmp);
tmp = NULL;
/*
* Function: krb5_ldap_parse_principal_name
*
- * Purpose: Inserts '\\' before every occurence of '@'
+ * Purpose: Inserts '\\' before every occurence of '@'
* in the principal name component.
*
* Arguments:
* i_princ_name (input) Principal name without '\\'
* o_princ_name (output) Principal name with '\\'
- *
+ *
* Note: The caller has to free the memory allocated for o_princ_name.
*/
at_rlm_name = strrchr(i_princ_name, '@');
- if(!at_rlm_name)
- {
+ if (!at_rlm_name) {
*o_princ_name = strdup(i_princ_name);
- if( !o_princ_name )
- {
+ if (!o_princ_name) {
st = ENOMEM;
goto cleanup;
}
- }
- else
- {
+ } else {
tmp_princ_name_len = at_rlm_name - i_princ_name;
tmp_princ_name = (char *) malloc ((unsigned) tmp_princ_name_len + 1);
- if( !tmp_princ_name )
- {
+ if (!tmp_princ_name) {
st = ENOMEM;
goto cleanup;
}
memset(tmp_princ_name, 0, (unsigned) tmp_princ_name_len + 1);
- memcpy( tmp_princ_name, i_princ_name, (unsigned) tmp_princ_name_len);
+ memcpy(tmp_princ_name, i_princ_name, (unsigned) tmp_princ_name_len);
l = 0;
- while(tmp_princ_name[l])
- {
- if(tmp_princ_name[l++] == '@')
+ while (tmp_princ_name[l]) {
+ if (tmp_princ_name[l++] == '@')
at_count++;
}
princ_name_len = strlen(i_princ_name) + at_count + 1;
princ_name = (char *) malloc ((unsigned) princ_name_len);
- if( !princ_name )
- {
+ if (!princ_name) {
st = ENOMEM;
goto cleanup;
}
l = 0;
m = 0;
- while(tmp_princ_name[l])
- {
- if(tmp_princ_name[l] == '@'){
+ while (tmp_princ_name[l]) {
+ if (tmp_princ_name[l] == '@') {
princ_name[m++]='\\';
}
princ_name[m++]=tmp_princ_name[l++];
*o_princ_name = princ_name;
}
- cleanup:
+cleanup:
if (tmp_princ_name) {
free(tmp_princ_name);
extern char* principal_attributes[];
extern char* max_pwd_life_attr[];
-#if !defined( LDAP_OPT_RESULT_CODE) && defined(LDAP_OPT_ERROR_NUMBER)
+#if !defined(LDAP_OPT_RESULT_CODE) && defined(LDAP_OPT_ERROR_NUMBER)
#define LDAP_OPT_RESULT_CODE LDAP_OPT_ERROR_NUMBER
#endif
krb5_read_tkt_policyreference(krb5_context, krb5_ldap_context *, krb5_db_entry *, char *);
static char *
-getstringtime(krb5_timestamp );
+getstringtime(krb5_timestamp);
/*
* look up a principal in the directory.
/* set initial values */
*nentries = 0;
- *more = 0;
+ *more = 0;
memset(entries, 0, sizeof(*entries));
-
- if (searchfor == NULL)
+
+ if (searchfor == NULL)
return EINVAL;
dal_handle = (kdb5_dal_handle *) context->db_context;
*more = 0;
krb5_set_error_message (context, st, "Principal does not belong to realm");
goto cleanup;
- }
-
+ }
+
if ((st=krb5_unparse_name(context, searchfor, &user)) != 0)
- goto cleanup;
+ goto cleanup;
if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
- goto cleanup;
-
+ goto cleanup;
+
princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
if ((filter=malloc(princlen)) == NULL) {
st = ENOMEM;
LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
for (ent=ldap_first_entry(ld, result); ent != NULL && *nentries == 0; ent=ldap_next_entry(ld, ent)) {
-
+
/* get the associated directory user information */
if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
int i=0, pcount=0, ptype=KDB_USER_PRINCIPAL;
-
- /* a wild-card in a principal name can return a list of kerberos principals.
+
+ /* a wild-card in a principal name can return a list of kerberos principals.
* Make sure that the correct principal is returned.
* NOTE: a principalname k* in ldap server will return all the principals starting with a k
*/
}
}
ldap_value_free(values);
-
+
if (*nentries == 0) /* no matching principal found */
continue;
if ((DN = ldap_get_dn(ld, ent)) == NULL) {
- ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st);
+ ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st);
st = set_ldap_error (context, st, 0);
goto cleanup;
}
-
- if ((values=ldap_get_values(ld, ent, "objectclass")) != NULL) {
- for(i=0; values[i] != NULL; ++i)
+
+ if ((values=ldap_get_values(ld, ent, "objectclass")) != NULL) {
+ for (i=0; values[i] != NULL; ++i)
if (strcasecmp(values[i], "krbprincipal") == 0) {
ptype = KDB_SERVICE_PRINCIPAL;
break;
}
ldap_value_free(values);
}
-
+
/* add principalcount, DN and principaltype user information to tl_data */
if (((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCCOUNT, &pcount)) != 0) ||
((st=store_tl_data(&userinfo_tl_data, KDB_TL_USERDN, DN)) != 0) ||
((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCTYPE, &ptype)) != 0))
goto cleanup;
}
-
+
/* populate entries->princ with searchfor value */
if ((st=krb5_copy_principal(context, searchfor, &(entries->princ))) != 0)
goto cleanup;
/* KRBMAXTICKETLIFE */
if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", &(entries->max_life)) == 0)
mask |= KDB_MAX_LIFE_ATTR;
-
+
/* KRBMAXRENEWABLEAGE */
if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &(entries->max_renewable_life)) == 0)
mask |= KDB_MAX_RLIFE_ATTR;
mask |= KDB_TKT_FLAGS_ATTR;
/* PRINCIPAL EXPIRATION TIME */
- if ((st=krb5_ldap_get_time(ld, ent, "krbprincipalexpiration", &(entries->expiration),
+ if ((st=krb5_ldap_get_time(ld, ent, "krbprincipalexpiration", &(entries->expiration),
&attr_present)) != 0)
goto cleanup;
if (attr_present == TRUE)
mask |= KDB_PRINC_EXPIRE_TIME_ATTR;
-
+
/* PASSWORD EXPIRATION TIME */
- if ((st=krb5_ldap_get_time(ld, ent, "krbpasswordexpiration", &(entries->pw_expiration),
+ if ((st=krb5_ldap_get_time(ld, ent, "krbpasswordexpiration", &(entries->pw_expiration),
&attr_present)) != 0)
goto cleanup;
if (attr_present == TRUE)
/* KRBPOLICYREFERENCE */
if ((st=krb5_ldap_get_string(ld, ent, "krbpolicyreference", &policydn, &attr_present)) != 0)
- goto cleanup;
+ goto cleanup;
- if(attr_present == TRUE){
- if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_TKTPOLICYDN, policydn)) != 0)
- goto cleanup;
- mask |= KDB_POL_REF_ATTR;
+ if (attr_present == TRUE) {
+ if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_TKTPOLICYDN, policydn)) != 0)
+ goto cleanup;
+ mask |= KDB_POL_REF_ATTR;
}
/* KRBPWDPOLICYREFERENCE */
krb5_tl_data kadm_tl_data;
mask |= KDB_PWD_POL_REF_ATTR;
- if((st = krb5_update_tl_kadm_data(pwdpolicydn, &kadm_tl_data)) != 0){
+ if ((st = krb5_update_tl_kadm_data(pwdpolicydn, &kadm_tl_data)) != 0) {
goto cleanup;
}
krb5_dbe_update_tl_data(context, entries, &kadm_tl_data);
}
/* KRBSECRETKEY */
- if((bvalues=ldap_get_values_len(ld, ent, "krbsecretkey")) != NULL) {
+ if ((bvalues=ldap_get_values_len(ld, ent, "krbsecretkey")) != NULL) {
mask |= KDB_SECRET_KEY;
if ((st=krb5_decode_krbsecretkey(context, entries, bvalues, &userinfo_tl_data)) != 0)
goto cleanup;
}
-
+
/* MODIFY TIMESTAMP */
if ((st=krb5_ldap_get_time(ld, ent, "modifytimestamp", &modtime, &attr_present)) != 0)
goto cleanup;
goto cleanup;
if ((st=krb5_dbe_update_tl_data(context, entries, &userinfo_tl_data)) != 0)
goto cleanup;
-
+
#ifdef HAVE_EDIRECTORY
{
krb5_timestamp expiretime=0;
char *is_login_disabled=NULL;
/* LOGIN EXPIRATION TIME */
- if ((st=krb5_ldap_get_time(ld, ent, "loginexpirationtime", &expiretime,
+ if ((st=krb5_ldap_get_time(ld, ent, "loginexpirationtime", &expiretime,
&attr_present)) != 0)
goto cleanup;
-
+
if (attr_present == TRUE) {
if ((mask & KDB_PRINC_EXPIRE_TIME_ATTR) == 1) {
if (expiretime < entries->expiration)
entries->expiration = expiretime;
}
}
-
- /* LOGIN DISABLED */
+
+ /* LOGIN DISABLED */
if ((st=krb5_ldap_get_string(ld, ent, "logindisabled", &is_login_disabled, &attr_present)) != 0)
goto cleanup;
if (attr_present == TRUE) {
if (strcasecmp(is_login_disabled,"TRUE")== 0)
- entries->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ entries->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
free (is_login_disabled);
}
}
}
ldap_msgfree(result);
result = NULL;
- } /* for(tree=0 ... */
-
+ } /* for (tree=0 ... */
+
/* once done, put back the ldap handle */
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
ldap_server_handle = NULL;
-
+
/* if principal not found */
if (*nentries == 0)
goto cleanup;
-
+
if ((st=krb5_read_tkt_policyreference(context, ldap_context, entries, policydn)) !=0)
goto cleanup;
-
+
if (pwdpolicydn) {
osa_policy_ent_t pwdpol;
int cnt=0;
krb5_timestamp last_pw_changed;
- krb5_ui_4 pw_max_life;
+ krb5_ui_4 pw_max_life;
memset(&pwdpol, 0, sizeof(pwdpol));
-
+
if ((st=krb5_ldap_get_password_policy(context, pwdpolicydn, &pwdpol, &cnt)) != 0)
goto cleanup;
pw_max_life = pwdpol->pw_max_life;
if ((st=krb5_dbe_lookup_last_pwd_change(context, entries, &last_pw_changed)) != 0)
goto cleanup;
- if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
+ if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
if ((last_pw_changed + pw_max_life) < entries->pw_expiration)
entries->pw_expiration = last_pw_changed + pw_max_life;
} else
entries->pw_expiration = last_pw_changed + pw_max_life;
}
}
-
- cleanup:
+
+cleanup:
ldap_msgfree(result);
-
+
if (*nentries == 0 || st != 0)
krb5_dbe_free_contents(context, entries);
- if (filter)
+ if (filter)
free (filter);
if (DN)
ldap_memfree (DN);
for (; ntrees; --ntrees)
- if (subtree[ntrees-1])
+ if (subtree[ntrees-1])
free (subtree[ntrees-1]);
if (userinfo_tl_data.tl_data_contents)
free(userinfo_tl_data.tl_data_contents);
-
- if (ldap_server_handle)
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
+
+ if (ldap_server_handle)
+ krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
if (user)
free(user);
-
+
if (modname)
free(modname);
-
+
if (parsed_mod_name)
krb5_free_principal(context, parsed_mod_name);
char *tktpolicydn;
}xargs_t;
-static void
+static void
free_xargs(xargs)
xargs_t xargs;
{
free (xargs.tktpolicydn);
}
-static krb5_error_code
+static krb5_error_code
process_db_args(context, db_args, xargs)
krb5_context context;
char **db_args;
char *arg=NULL, *arg_val=NULL;
unsigned int arg_val_len=0;
krb5_boolean uflag=FALSE, cflag=FALSE;
-
- if (db_args)
- {
+
+ if (db_args) {
for (i=0; db_args[i]; ++i) {
arg = strtok_r(db_args[i], "=", &arg_val);
- if(strcmp(arg, USERDN_ARG) == 0) {
+ if (strcmp(arg, USERDN_ARG) == 0) {
if (cflag == TRUE) {
st = EINVAL;
- krb5_set_error_message(context, st, "'containerdn' and 'userdn' can not both "
- "be specified");
+ krb5_set_error_message(context, st, "'containerdn' and 'userdn' can not both "
+ "be specified");
goto cleanup;
}
if (xargs->dn != NULL || xargs->containerdn != NULL) {
st = EINVAL;
- snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg);
- krb5_set_error_message(context, st, "%s", errbuf);
+ snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg);
+ krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (strcmp(arg_val, "") == 0 || arg_val == NULL) {
} else if (strcmp(arg, CONTAINERDN_ARG) == 0) {
if (uflag == TRUE) {
st = EINVAL;
- krb5_set_error_message(context, st, "'containerdn' and 'userdn' can not both "
- "be specified");
+ krb5_set_error_message(context, st, "'containerdn' and 'userdn' can not both "
+ "be specified");
goto cleanup;
}
if (xargs->dn != NULL || xargs->containerdn != NULL) {
st = EINVAL;
- snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg);
- krb5_set_error_message(context, st, "%s", errbuf);
+ snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg);
+ krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (strcmp(arg_val, "") == 0 || arg_val == NULL) {
goto cleanup;
}
memcpy(xargs->tktpolicydn, arg_val, arg_val_len);
-
+
} else {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf), "unknown option: %s", arg);
}
}
}
- cleanup:
+cleanup:
return st;
}
KEY *oldkeys=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
+ krb5_ldap_server_handle *ldap_server_handle=NULL;
osa_princ_ent_rec princ_ent;
xargs_t xargs={0};
char *oldpolicydn = NULL;
SETUP_CONTEXT();
if (ldap_context->lrparams == NULL || ldap_context->krbcontainer == NULL)
return EINVAL;
-
+
/* get ldap handle */
GET_HANDLE();
-
+
for (i=0; i < *nentries; ++i, ++entries) {
if (is_principal_in_realm(ldap_context, entries->princ) != 0) {
- st = EINVAL;
- krb5_set_error_message(context, st, "Principal does not belong to the default realm");
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Principal does not belong to the default realm");
goto cleanup;
}
-
+
/* get the principal information to act on */
if (entries->princ) {
if (((st=krb5_unparse_name(context,entries->princ, &user)) !=0) ||
xargs.ptype = KDB_SERVICE_PRINCIPAL;
if (((st=krb5_get_princ_type(context, entries, &(xargs.ptype))) != 0) ||
((st=krb5_get_userdn(context, entries, &(xargs.dn))) != 0) ||
- ((st=krb5_get_secretkeys(context, entries, &oldkeys)) != 0))
+ ((st=krb5_get_secretkeys(context, entries, &oldkeys)) != 0))
goto cleanup;
-
+
if ((st=process_db_args(context, db_args, &xargs)) != 0)
goto cleanup;
krb5_set_error_message(context, st, "User DN is missing");
goto cleanup;
}
-
- /* get the subtree information */
- if (entries->princ->length == 2 && entries->princ->data[0].length == strlen("krbtgt") &&
+
+ /* get the subtree information */
+ if (entries->princ->length == 2 && entries->princ->data[0].length == strlen("krbtgt") &&
strncmp(entries->princ->data[0].data, "krbtgt", entries->princ->data[0].length) == 0) {
/* if the principal is a inter-realm principal, always created in the realm container */
subtree = strdup(ldap_context->lrparams->realmdn);
} else if (xargs.containerdn) {
if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) {
- if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
+ if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
int ost = st;
- st = EINVAL;
- sprintf(errbuf, "'%s' not found: ", xargs.containerdn);
- prepend_err_str(context, errbuf, st, ost);
- }
+ st = EINVAL;
+ sprintf(errbuf, "'%s' not found: ", xargs.containerdn);
+ prepend_err_str(context, errbuf, st, ost);
+ }
goto cleanup;
}
subtree = strdup(xargs.containerdn);
}
CHECK_NULL(subtree);
- xargs.dn = malloc(strlen("krbprincipalname=") + strlen(user) + strlen(",") +
+ xargs.dn = malloc(strlen("krbprincipalname=") + strlen(user) + strlen(",") +
strlen(subtree) + 1);
CHECK_NULL(xargs.dn);
sprintf(xargs.dn, "krbprincipalname=%s,%s", user, subtree);
}
-
+
if (xargs.dn_from_kbd == TRUE) {
/* make sure the DN falls in the subtree */
int tre=0, dnlen=0, subtreelen=0, ntrees=0;
char *subtreelist[2]={NULL};
krb5_boolean outofsubtree=TRUE;
-
+
/* get the current subtree list */
if ((st = krb5_get_subtree_info(ldap_context, subtreelist, &ntrees)) != 0)
goto cleanup;
-
- for( tre=0; tre<ntrees; ++tre ) {
- if( subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0 ) {
+
+ for (tre=0; tre<ntrees; ++tre) {
+ if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
outofsubtree = FALSE;
break;
} else {
}
}
}
-
- for( tre=0; tre < ntrees; ++tre ) {
- free( subtreelist[tre] );
+
+ for (tre=0; tre < ntrees; ++tre) {
+ free(subtreelist[tre]);
}
-
- if( outofsubtree == TRUE ) {
+
+ if (outofsubtree == TRUE) {
st = EINVAL;
krb5_set_error_message(context, st, "DN is out of the realm subtree");
goto cleanup;
}
}
-
+
/* check if the DN exists */
{
char *attributes[]={"krbpolicyreference", NULL};
-
+
LDAP_SEARCH_1(xargs.dn, LDAP_SCOPE_BASE, 0, attributes,IGNORE_STATUS);
if (st == LDAP_NO_SUCH_OBJECT) {
dnfound = FALSE;
st = LDAP_SUCCESS;
- } else if (st == LDAP_SUCCESS) {
+ } else if (st == LDAP_SUCCESS) {
ent = ldap_first_entry(ld, result);
if (ent != NULL) {
if ((values=ldap_get_values(ld, ent, "krbpolicyreference")) != NULL) {
goto cleanup;
}
}
-
+
if (dnfound == FALSE) { /* create a new object */
if (xargs.ptype == KDB_USER_PRINCIPAL) {
memset(strval, 0, sizeof(strval));
goto cleanup;
values = ldap_explode_dn(xargs.dn, 1);
if (values == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st, "Invalid DN");
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Invalid DN");
goto cleanup;
}
memset(strval, 0, sizeof(strval));
goto cleanup;
}
ldap_value_free(values);
- } else {
+ } else {
memset(strval, 0, sizeof(strval));
strval[0] = "krbprincipal";
strval[1] = "krbprincipalaux";
} else { /* update the objectclass attribute if any of these is missing */
char *attrvalues[] = {"krbprincipalaux", "krbpolicyaux", "krbpwdpolicyrefaux", NULL};
int p, q, r=0, amask=0;
-
+
if ((st=checkattributevalue(ld, xargs.dn, "objectclass", attrvalues, &amask)) != 0) {
- st = KRB5_KDB_UK_RERROR;
+ st = KRB5_KDB_UK_RERROR;
goto cleanup;
}
memset(strval, 0, sizeof(strval));
- for(p=1, q=0; p<=4; p<<=1, ++q) {
+ for (p=1, q=0; p<=4; p<<=1, ++q) {
if ((p & amask) == 0)
strval[r++] = attrvalues[q];
}
goto cleanup;
}
}
-
- if (entries->mask & KDB_MAX_LIFE) {
+
+ if (entries->mask & KDB_MAX_LIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entries->max_life)) != 0)
goto cleanup;
}
-
+
if (entries->mask & KDB_MAX_RLIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
entries->max_renewable_life)) != 0)
goto cleanup;
}
-
+
if (entries->mask & KDB_ATTRIBUTES) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
entries->attributes)) != 0)
goto cleanup;
}
-
+
if (entries->mask & KDB_PRINCIPAL) {
memset(strval, 0, sizeof(strval));
strval[0] = user;
}
free (strval[0]);
}
-
+
if (entries->mask & KDB_PW_EXPIRATION) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration",
- LDAP_MOD_REPLACE,
+ LDAP_MOD_REPLACE,
strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
-
+
if (entries->mask & KDB_POLICY) {
- for(tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) {
+ for (tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) {
if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) {
memset(&princ_ent, 0, sizeof(princ_ent));
/* FIX ME: I guess the princ_ent should be freed after this call */
- if((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) {
+ if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) {
goto cleanup;
}
}
}
-
- if(princ_ent.aux_attributes & KDB_POLICY) {
+
+ if (princ_ent.aux_attributes & KDB_POLICY) {
memset(strval, 0, sizeof(strval));
strval[0] = princ_ent.policy;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
}
}
-
+
if (entries->mask & KDB_POLICY_CLR) {
memset(strval, 0, sizeof(strval));
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, strval)) != 0)
goto cleanup;
}
-
+
if (entries->mask & KDB_KEY_DATA || entries->mask & KDB_KVNO) {
int kcount=0, zero=0, salttype=0, totalkeys=0;
char *currpos=NULL, *krbsecretkey=NULL;
-
+
/* delete the old keys */
if (oldkeys) {
- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbsecretkey", LDAP_MOD_DELETE | LDAP_MOD_BVALUES,
+ if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbsecretkey", LDAP_MOD_DELETE | LDAP_MOD_BVALUES,
oldkeys->keys)) != 0)
goto cleanup;
}
for (kcount=0; kcount < entries->n_key_data; ++kcount)
keys[kcount] = entries->key_data+kcount;
totalkeys = entries->n_key_data;
-
+
kcount = 0;
while (totalkeys) {
int noofkeys=0, currkvno=0, currkvno_org=0, rlen=0;
memset(krbsecretkey, 0, MAX_KEY_LENGTH);
currpos = krbsecretkey;
rlen = MAX_KEY_LENGTH;
-
+
STORE16_INT(currpos, plen); /* principal len */
currpos +=2;
rlen -=2;
-
+
for (l=0; l < entries->n_key_data; ++l)
if (keys[l] != NULL) {
currkvno = keys[l]->key_data_kvno;
STORE16_INT(currpos, currkvno); /* principal key version */
currpos +=2;
rlen -=2;
-
+
memset(currpos, 0, 2); /* master key version */
currpos +=2;
rlen -=2;
-
+
if ((st=krb5_dbe_lookup_last_pwd_change(context, entries, &last_pw_changed)) != 0)
goto cleanup;
STORE32_INT(currpos, last_pw_changed); /* last pwd change */
currpos += 4;
rlen -=4;
-
+
for (noofkeys=0; l < entries->n_key_data; ++l)
if (keys[l] && keys[l]->key_data_kvno == currkvno_org)
++noofkeys;
-
+
STORE16_INT(currpos, noofkeys); /* number of keys */
currpos +=2;
rlen -=2;
-
+
/* key type, key length, salt type and salt type */
for (l=0; l<entries->n_key_data; ++l) {
- if ( keys[l] && keys[l]->key_data_kvno == currkvno_org) {
+ if (keys[l] && keys[l]->key_data_kvno == currkvno_org) {
STORE16_INT(currpos, keys[l]->key_data_type[0]);
currpos +=2;
- rlen -=2;
+ rlen -=2;
STORE16_INT(currpos, keys[l]->key_data_length[0]);
currpos +=2;
- rlen -=2;
-
- STORE16_INT(currpos, keys[l]->key_data_type[1]);
+ rlen -=2;
+
+ STORE16_INT(currpos, keys[l]->key_data_type[1]);
currpos +=2;
- rlen -=2;
+ rlen -=2;
salttype = keys[l]->key_data_type[1];
if (salttype==KRB5_KDB_SALTTYPE_NOREALM || salttype==KRB5_KDB_SALTTYPE_ONLYREALM) {
- STORE16_INT(currpos, zero);
+ STORE16_INT(currpos, zero);
} else {
STORE16_INT(currpos, keys[l]->key_data_length[1]);
}
currpos +=2;
- rlen -=2;
- }
+ rlen -=2;
+ }
+ }
+ if (plen > rlen) {
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf), "Insufficient buffer while storing the key of principal %s", user);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
}
- if (plen > rlen) {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf), "Insufficient buffer while storing the key of principal %s", user);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
memcpy(currpos, user, (unsigned int)plen); /* principal name */
currpos +=plen;
rlen -=plen;
-
+
/* key value, salt value */
- for(l=0; l<entries->n_key_data; ++l) {
+ for (l=0; l<entries->n_key_data; ++l) {
if (keys[l] && keys[l]->key_data_kvno == currkvno_org) {
if (keys[l]->key_data_length[0]) {
- if (keys[l]->key_data_length[0] > rlen) {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf), "Insufficient buffer while storing the key of principal %s", user);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
+ if (keys[l]->key_data_length[0] > rlen) {
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf), "Insufficient buffer while storing the key of principal %s", user);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
memcpy(currpos, keys[l]->key_data_contents[0], keys[l]->key_data_length[0]);
currpos += keys[l]->key_data_length[0];
- rlen -= keys[l]->key_data_length[0];
- }
-
+ rlen -= keys[l]->key_data_length[0];
+ }
+
salttype = keys[l]->key_data_type[1];
- if (keys[l]->key_data_length[1] && (!(salttype==KRB5_KDB_SALTTYPE_NOREALM
+ if (keys[l]->key_data_length[1] && (!(salttype==KRB5_KDB_SALTTYPE_NOREALM
|| salttype==KRB5_KDB_SALTTYPE_ONLYREALM))) {
- if (keys[l]->key_data_length[1] > rlen) {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf), "Insufficient buffer while storing the key of principal %s", user);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
+ if (keys[l]->key_data_length[1] > rlen) {
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf), "Insufficient buffer while storing the key of principal %s", user);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
memcpy(currpos, keys[l]->key_data_contents[1], keys[l]->key_data_length[1]);
currpos += keys[l]->key_data_length[1];
- rlen -= keys[l]->key_data_length[1];
+ rlen -= keys[l]->key_data_length[1];
}
keys[l] = NULL;
- }
+ }
}
bersecretkey[kcount] = malloc (sizeof (struct berval));
CHECK_NULL(bersecretkey[kcount]);
bersecretkey[kcount++]->bv_val = krbsecretkey;
totalkeys = totalkeys - noofkeys;
}
- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbsecretkey",
+ if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbsecretkey",
LDAP_MOD_ADD | LDAP_MOD_BVALUES, bersecretkey)) != 0)
goto cleanup;
- if (!(entries->mask & KDB_PRINCIPAL)){
- memset(strval, 0, sizeof(strval));
- if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
- goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods,
- "krbpasswordexpiration",
- LDAP_MOD_REPLACE, strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
+ if (!(entries->mask & KDB_PRINCIPAL)) {
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
+ goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods,
+ "krbpasswordexpiration",
+ LDAP_MOD_REPLACE, strval)) != 0) {
+ free (strval[0]);
+ goto cleanup;
+ }
free (strval[0]);
}
} /* Modify Key data ends here */
/* Directory specific attribute */
if (xargs.tktpolicydn != NULL) {
- int tmask=0, tkttree = 0, subtreednlen = 0, ntre = 0, tktdnlen = 0;
+ int tmask=0, tkttree = 0, subtreednlen = 0, ntre = 0, tktdnlen = 0;
- char *subtreednlist[2]={NULL};
- krb5_boolean dnoutofsubtree=TRUE;
+ char *subtreednlist[2]={NULL};
+ krb5_boolean dnoutofsubtree=TRUE;
- if ((st=krb5_get_policydn(context, entries, &oldpolicydn)) != 0)
- goto cleanup;
-
- if (strlen(xargs.tktpolicydn) != 0) {
- st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
- CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: ");
-
- memset(strval, 0, sizeof(strval));
- strval[0] = xargs.tktpolicydn;
- if ((st = krb5_get_subtree_info(ldap_context, subtreednlist, &ntre)) != 0)
- goto cleanup;
+ if ((st=krb5_get_policydn(context, entries, &oldpolicydn)) != 0)
+ goto cleanup;
- for( tkttree=0; tkttree<ntre; ++tkttree ) {
- if( subtreednlist[tkttree] == NULL || strlen(subtreednlist[tkttree]) == 0 ) {
- dnoutofsubtree = FALSE;
- break;
- } else {
- tktdnlen = strlen (xargs.tktpolicydn);
- subtreednlen = strlen(subtreednlist[tkttree]);
-
- if ((tktdnlen > subtreednlen) && (strcasecmp((xargs.tktpolicydn + tktdnlen - subtreednlen), subtreednlist[tkttree]) == 0)) {
- dnoutofsubtree = FALSE;
- break;
- }
- }
- }
- for( tkttree=0; tkttree < ntre; ++tkttree ) {
- free( subtreednlist[tkttree] );
- }
- if( dnoutofsubtree == TRUE ) {
- st = EINVAL;
- prepend_err_str(context,"Ticket Policy DN is out of the realm subtree",st,st);
- goto cleanup;
- }
+ if (strlen(xargs.tktpolicydn) != 0) {
+ st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
+ CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: ");
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
- goto cleanup;
- if(oldpolicydn != NULL){
- if(strncmp(xargs.tktpolicydn,oldpolicydn,strlen(xargs.tktpolicydn)) != 0)
- {
- if ((st = krb5_ldap_change_count(context, oldpolicydn,2 )))
- goto cleanup;
- }
+ memset(strval, 0, sizeof(strval));
+ strval[0] = xargs.tktpolicydn;
+ if ((st = krb5_get_subtree_info(ldap_context, subtreednlist, &ntre)) != 0)
+ goto cleanup;
+
+ for (tkttree=0; tkttree<ntre; ++tkttree) {
+ if (subtreednlist[tkttree] == NULL || strlen(subtreednlist[tkttree]) == 0) {
+ dnoutofsubtree = FALSE;
+ break;
+ } else {
+ tktdnlen = strlen (xargs.tktpolicydn);
+ subtreednlen = strlen(subtreednlist[tkttree]);
+
+ if ((tktdnlen > subtreednlen) && (strcasecmp((xargs.tktpolicydn + tktdnlen - subtreednlen), subtreednlist[tkttree]) == 0)) {
+ dnoutofsubtree = FALSE;
+ break;
}
+ }
+ }
+ for (tkttree=0; tkttree < ntre; ++tkttree) {
+ free(subtreednlist[tkttree]);
+ }
+ if (dnoutofsubtree == TRUE) {
+ st = EINVAL;
+ prepend_err_str(context,"Ticket Policy DN is out of the realm subtree",st,st);
+ goto cleanup;
+ }
- if ((st = krb5_ldap_change_count(context, xargs.tktpolicydn,1 )))
- goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
+ goto cleanup;
+ if (oldpolicydn != NULL) {
+ if (strncmp(xargs.tktpolicydn,oldpolicydn,strlen(xargs.tktpolicydn)) != 0) {
+ if ((st = krb5_ldap_change_count(context, oldpolicydn,2)))
+ goto cleanup;
+ }
+ }
+
+ if ((st = krb5_ldap_change_count(context, xargs.tktpolicydn,1)))
+ goto cleanup;
+ } else {
+ /* if xargs.tktpolicydn is a empty string, then delete already existing krbpolicyreference attr */
+ if (tktpolicy_set == FALSE) { /* if the attribute is not present then abort */
+ st = EINVAL;
+ prepend_err_str(context,"'ticketpolicydn' empty",st,st);
+ goto cleanup;
} else {
- /* if xargs.tktpolicydn is a empty string, then delete already existing krbpolicyreference attr */
- if (tktpolicy_set == FALSE) { /* if the attribute is not present then abort */
- st = EINVAL;
- prepend_err_str(context,"'ticketpolicydn' empty",st,st);
- goto cleanup;
- } else {
- memset(strval, 0, sizeof(strval));
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_DELETE, strval)) != 0)
- goto cleanup;
- }
+ memset(strval, 0, sizeof(strval));
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_DELETE, strval)) != 0)
+ goto cleanup;
}
-
+ }
+
}
if (dnfound == TRUE) {
- if (mods == NULL) {
- goto cleanup;
- }
+ if (mods == NULL) {
+ goto cleanup;
+ }
st=ldap_modify_s(ld, xargs.dn, mods);
- if (st != LDAP_SUCCESS) {
- sprintf(errbuf, "User modification failed: %s", ldap_err2string(st));
- st = translate_ldap_error (st, OP_MOD);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
- }
- else {
- st=ldap_add_s(ld, xargs.dn, mods);
if (st != LDAP_SUCCESS) {
- sprintf(errbuf, "Principal add failed: %s", ldap_err2string(st));
- st = translate_ldap_error (st, OP_ADD);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
+ sprintf(errbuf, "User modification failed: %s", ldap_err2string(st));
+ st = translate_ldap_error (st, OP_MOD);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
+ } else {
+ st=ldap_add_s(ld, xargs.dn, mods);
+ if (st != LDAP_SUCCESS) {
+ sprintf(errbuf, "Principal add failed: %s", ldap_err2string(st));
+ st = translate_ldap_error (st, OP_ADD);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
}
}
}
-
- cleanup:
- if (user)
+
+cleanup:
+ if (user)
free(user);
-
+
free_xargs(xargs);
if (subtree)
free (subtree);
-
+
if (bersecretkey) {
for (l=0; bersecretkey[l]; ++l) {
if (bersecretkey[l]->bv_val)
}
free (bersecretkey);
}
-
+
if (keys)
free (keys);
-
+
if (oldkeys) {
for (l=0; l < oldkeys->nkey; ++l) {
if (oldkeys->keys[l]->bv_val)
krb5_error_code st=0;
unsigned int mask=0, omask=0;
int tkt_mask=(KDB_MAX_LIFE_ATTR | KDB_MAX_RLIFE_ATTR | KDB_TKT_FLAGS_ATTR);
- krb5_ldap_policy_params *tktpoldnparam=NULL;
+ krb5_ldap_policy_params *tktpoldnparam=NULL;
if ((st=krb5_get_attributes_mask(context, entries, &mask)) != 0)
goto cleanup;
if (policydn != NULL) {
st = krb5_ldap_read_policy(context, policydn, &tktpoldnparam, &omask);
if (st && st != KRB5_KDB_NOENTRY) {
- prepend_err_str(context, "Error reading ticket policy. ", st, st);
+ prepend_err_str(context, "Error reading ticket policy. ", st, st);
goto cleanup;
- }
-
+ }
+
st = 0; /* reset the return status */
}
-
+
if ((mask & KDB_MAX_LIFE_ATTR) == 0) {
if ((omask & KDB_MAX_LIFE_ATTR) == KDB_MAX_LIFE_ATTR)
entries->max_life = tktpoldnparam->maxtktlife;
else if (ldap_context->lrparams->max_life)
entries->max_life = ldap_context->lrparams->max_life;
- else if(ldap_context->krbcontainer->max_life)
+ else if (ldap_context->krbcontainer->max_life)
entries->max_life = ldap_context->krbcontainer->max_life;
else
- entries->max_life = KRB5_KDB_MAX_LIFE;
+ entries->max_life = KRB5_KDB_MAX_LIFE;
}
-
+
if ((mask & KDB_MAX_RLIFE_ATTR) == 0) {
if ((omask & KDB_MAX_RLIFE_ATTR) == KDB_MAX_RLIFE_ATTR)
entries->max_renewable_life = tktpoldnparam->maxrenewlife;
else if (ldap_context->lrparams->max_renewable_life)
entries->max_renewable_life = ldap_context->lrparams->max_renewable_life;
- else if(ldap_context->krbcontainer->max_renewable_life)
+ else if (ldap_context->krbcontainer->max_renewable_life)
entries->max_renewable_life = ldap_context->krbcontainer->max_renewable_life;
else
entries->max_renewable_life = KRB5_KDB_MAX_RLIFE;
}
-
+
if ((mask & KDB_TKT_FLAGS_ATTR) == 0) {
if ((omask & KDB_TKT_FLAGS_ATTR) == KDB_TKT_FLAGS_ATTR)
entries->attributes = tktpoldnparam->tktflags;
else if (ldap_context->lrparams->tktflags)
entries->attributes |= ldap_context->lrparams->tktflags;
- else if(ldap_context->krbcontainer->tktflags)
+ else if (ldap_context->krbcontainer->tktflags)
entries->attributes |= ldap_context->krbcontainer->tktflags;
}
krb5_ldap_free_policy(context, tktpoldnparam);
}
-
- cleanup:
+
+cleanup:
return st;
}
krb5_key_data *key_data=NULL;
krb5_error_code st=0;
krb5_timestamp last_pw_changed=0;
-
+
if ((st=krb5_unparse_name(context, entries->princ, &user)) != 0)
- goto cleanup;
-
- for(i=0; bvalues[i] != NULL; ++i) {
+ goto cleanup;
+
+ for (i=0; bvalues[i] != NULL; ++i) {
+
+ ptr = (char *) bvalues[i]->bv_val;
- ptr = (char *) bvalues[i]->bv_val;
-
/* check the consistency of the key */
-
- if(bvalues[i]->bv_len < KEYHEADER) /* key smaller than the header size */
- continue;
-
+
+ if (bvalues[i]->bv_len < KEYHEADER) /* key smaller than the header size */
+ continue;
+
plen = PRINCIPALLEN(ptr);
if (NOOFKEYS(ptr) == 0)
continue;
-
+
keylen = KEYHEADER + (8 * NOOFKEYS(ptr));
- if (bvalues[i]->bv_len < keylen) /* key or salt header info corrupted*/
+ if (bvalues[i]->bv_len < keylen) /* key or salt header info corrupted*/
continue;
-
+
keylen += plen;
- if (bvalues[i]->bv_len < keylen) /* principal info corrupted */
+ if (bvalues[i]->bv_len < keylen) /* principal info corrupted */
continue;
-
- for(k=0; k<NOOFKEYS(ptr); ++k)
+
+ for (k=0; k<NOOFKEYS(ptr); ++k)
keylen += KEYLENGTH(ptr, k) + SALTLENGTH(ptr, k);
-
+
if (bvalues[i]->bv_len < keylen) /* key or salt values corrupted */
continue;
pname = PRINCIPALNAME(ptr); /* set pname to principalName field */
-
+
/* key doesn't belong to the principal */
if (strncmp(user, pname, (unsigned) plen) != 0)
continue;
/* Number of Principal Keys */
noofkeys += NOOFKEYS(ptr);
-
+
if ((st=store_tl_data(userinfo_tl_data, KDB_TL_KEYINFO, bvalues[i])) != 0)
goto cleanup;
-
+
pkeyver = PKEYVER(ptr); /* Principal Key Version */
mkeyver = MKEYVER(ptr); /* Master Key Version */
if (ist_pkeyver == 0 || pkeyver >= ist_pkeyver) {
ist_pkeyver = pkeyver;
- /* last password changed */
+ /* last password changed */
last_pw_changed = 0;
last_pw_changed += (ptr[6] & 0xFF) << 24;
last_pw_changed += (ptr[7] & 0xFF) << 16;
last_pw_changed += (ptr[8] & 0xFF) << 8;
last_pw_changed += (ptr[9] & 0xFF) << 0;
-
- if ((st=krb5_dbe_update_last_pwd_change(context, entries,
+
+ if ((st=krb5_dbe_update_last_pwd_change(context, entries,
last_pw_changed)) != 0)
goto cleanup;
}
currentkey = KEYBODY(ptr);
for (k=0; j<noofkeys; ++k, ++j) {
-
- key_data[j].key_data_ver = 1;
+
+ key_data[j].key_data_ver = 1;
key_data[j].key_data_kvno = pkeyver;
-
+
key_data[j].key_data_type[0] = KEYTYPE(ptr,k); /* get key type */
key_data[j].key_data_length[0] = KEYLENGTH(ptr,k); /* get key length */
key_data[j].key_data_type[1] = SALTTYPE(ptr,k); /* get salt type */
key_data[j].key_data_length[1] = SALTLENGTH(ptr,k); /* get salt length */
-
+
key_data[j].key_data_contents[0] = malloc(key_data[j].key_data_length[0]);
if (key_data[j].key_data_contents[0] == NULL) {
st = ENOMEM;
goto cleanup;
}
- memcpy(key_data[j].key_data_contents[0], currentkey,
+ memcpy(key_data[j].key_data_contents[0], currentkey,
key_data[j].key_data_length[0]);
-
+
currentsalt = currentkey + key_data[j].key_data_length[0];
if (key_data[j].key_data_length[1] != 0) {
st = ENOMEM;
goto cleanup;
}
- memcpy(key_data[j].key_data_contents[1], currentsalt,
+ memcpy(key_data[j].key_data_contents[1], currentsalt,
key_data[j].key_data_length[1]);
} else if (key_data[j].key_data_type[1] == KRB5_KDB_SALTTYPE_NOREALM ||
key_data[j].key_data_type[1] == KRB5_KDB_SALTTYPE_ONLYREALM) {
char *def_realm = NULL;
krb5_data norealmval;
-
- key_data[j].key_data_ver = 2;
- switch(key_data[j].key_data_type[1]) {
+
+ key_data[j].key_data_ver = 2;
+ switch (key_data[j].key_data_type[1]) {
case KRB5_KDB_SALTTYPE_ONLYREALM:
def_realm = entries->princ->realm.data;
key_data[j].key_data_length[1] = strlen (def_realm);
st = ENOMEM;
goto cleanup;
}
- memcpy(key_data[j].key_data_contents[1],
+ memcpy(key_data[j].key_data_contents[1],
def_realm, key_data[j].key_data_length[1]);
break;
-
+
case KRB5_KDB_SALTTYPE_NOREALM:
memset(&norealmval, 0, sizeof(krb5_data));
- if ((st = krb5_principal2salt_norealm(context, entries->princ,
+ if ((st = krb5_principal2salt_norealm(context, entries->princ,
&norealmval)) != 0) {
goto cleanup;
}
}
} else if (key_data[j].key_data_type[1] == KRB5_KDB_SALTTYPE_V4) {
key_data[j].key_data_contents[1] = NULL;
- key_data[j].key_data_ver = 2;
+ key_data[j].key_data_ver = 2;
} else {
key_data[j].key_data_contents[1] = NULL;
}
entries->key_data = key_data;
}
- cleanup:
- ldap_value_free_len(bvalues);
+cleanup:
+ ldap_value_free_len(bvalues);
free (user);
return st;
}
struct tm tme;
char *strtime=NULL;
time_t posixtime = epochtime;
-
+
strtime = calloc (50, 1);
if (strtime == NULL)
return NULL;
-
+
if (gmtime_r(&posixtime, &tme) == NULL)
return NULL;
-
+
strftime(strtime, 50, "%Y%m%d%H%M%SZ", &tme);
return strtime;
}
#include "ldap_err.h"
static char *password_policy_attributes[] = { "krbmaxpwdlife", "krbminpwdlife", "krbpwdmindiffchars",
- "krbpwdminlength", "krbpwdhistorylength", "krbpwdpolicyrefcount",
+ "krbpwdminlength", "krbpwdhistorylength", "krbpwdpolicyrefcount",
NULL };
/*
- * Function to create password policy object.
+ * Function to create password policy object.
*/
krb5_error_code
krb5_clear_error_message(context);
/* validate the input parameters */
- if (policy == NULL || policy->name == NULL)
+ if (policy == NULL || policy->name == NULL)
return EINVAL;
SETUP_CONTEXT();
/* get the first component of the dn to set the cn attribute */
rdns = ldap_explode_dn(policy->name, 1);
if (rdns == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st, "Invalid password policy DN syntax");
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Invalid password policy DN syntax");
goto cleanup;
}
-
+
strval[0] = rdns[0];
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
-
+ goto cleanup;
+
strval[0] = "krbPwdPolicy";
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
-
- if (((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxpwdlife", LDAP_MOD_ADD,
- (signed) policy->pw_max_life)) != 0)
+ goto cleanup;
+
+ if (((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxpwdlife", LDAP_MOD_ADD,
+ (signed) policy->pw_max_life)) != 0)
|| ((st=krb5_add_int_mem_ldap_mod(&mods, "krbminpwdlife", LDAP_MOD_ADD,
(signed) policy->pw_min_life)) != 0)
|| ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmindiffchars", LDAP_MOD_ADD,
/* password policy object creation */
if ((st=ldap_add_s(ld, policy->name, mods)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_ADD);
+ st = set_ldap_error (context, st, OP_ADD);
goto cleanup;
}
-
- cleanup:
+
+cleanup:
if (rdns)
ldap_value_free(rdns);
krb5_clear_error_message(context);
/* validate the input parameters */
- if (policy == NULL || policy->name == NULL)
+ if (policy == NULL || policy->name == NULL)
return EINVAL;
SETUP_CONTEXT();
|| ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdpolicyrefcount", LDAP_MOD_REPLACE,
(signed) policy->policy_refcnt)) != 0))
goto cleanup;
-
+
/* modify the password policy object. */
if ((st=ldap_modify_s(ld, policy->name, mods)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
-
- cleanup:
+
+cleanup:
ldap_mods_free(mods, 1);
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
+ krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return(st);
}
-krb5_error_code
+krb5_error_code
krb5_ldap_get_password_policy (context, name, policy, cnt)
krb5_context context;
char *name;
{
krb5_error_code st=0, tempst=0;
LDAP *ld=NULL;
- LDAPMessage *result=NULL,*ent=NULL;
+ LDAPMessage *result=NULL,*ent=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
krb5_clear_error_message(context);
/* validate the input parameters */
- if(name == NULL)
+ if (name == NULL)
return EINVAL;
-
+
SETUP_CONTEXT();
GET_HANDLE();
*cnt = 0;
*(policy) = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec));
if (*policy == NULL) {
- st = ENOMEM;
- goto cleanup;
+ st = ENOMEM;
+ goto cleanup;
}
memset(*policy, 0, sizeof(osa_policy_ent_rec));
krb5_clear_error_message(context);
/* validate the input parameters */
- if(policy == NULL)
- return EINVAL;
+ if (policy == NULL)
+ return EINVAL;
SETUP_CONTEXT();
GET_HANDLE();
- if((st=ldap_delete_s(ld, policy)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_DEL);
- goto cleanup;
+ if ((st=ldap_delete_s(ld, policy)) != LDAP_SUCCESS) {
+ st = set_ldap_error (context, st, OP_DEL);
+ goto cleanup;
}
cleanup:
}
krb5_error_code
-krb5_ldap_iterate_password_policy(context, match_expr, func, func_arg)
+krb5_ldap_iterate_password_policy(context, match_expr, func, func_arg)
krb5_context context;
char *match_expr;
- void (*func) (krb5_pointer, osa_policy_ent_t );
+ void (*func) (krb5_pointer, osa_policy_ent_t);
krb5_pointer func_arg;
{
osa_policy_ent_rec *entry=NULL;
memset(entry, 0, sizeof(osa_policy_ent_rec));
LDAP_SEARCH(NULL, LDAP_SCOPE_SUBTREE, "(objectclass=krbpwdpolicy)", attrs);
- for(ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) {
+ for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) {
if ((policy_dn=ldap_get_dn(ld, ent)) == NULL)
continue;
entry->name = policy_dn;
ldap_memfree(policy_dn);
}
ldap_msgfree(result);
-
- cleanup:
+
+cleanup:
if (entry)
free (entry);
-
+
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
-void
+void
krb5_ldap_free_password_policy (context, entry)
krb5_context context;
osa_policy_ent_t entry;
{
- if(entry)
- free(entry);
+ if (entry)
+ free(entry);
return;
}
#define END_OF_LIST -1
char *realm_attributes[] = {"krbSearchScope","krbSubTree",
"krbMaxTicketLife", "krbMaxRenewableAge",
- "krbTicketFlags", "krbDefaultEncType",
- "krbDefaultSaltType", "krbUpEnabled",
- "krbPolicyReference", "krbSupportedEncTypes",
- "krbSupportedSaltTypes", "krbLdapServers",
- "krbKdcServers", "krbAdmServers",
+ "krbTicketFlags", "krbDefaultEncType",
+ "krbDefaultSaltType", "krbUpEnabled",
+ "krbPolicyReference", "krbSupportedEncTypes",
+ "krbSupportedSaltTypes", "krbLdapServers",
+ "krbKdcServers", "krbAdmServers",
"krbPwdServers", NULL};
char *policy_attributes[] = { "krbMaxTicketLife",
- "krbMaxRenewableAge",
- "krbTicketFlags",
- NULL };
+ "krbMaxRenewableAge",
+ "krbTicketFlags",
+ NULL };
char *kdcclass[] = { "krbKdcService", NULL };
char *adminclass[] = { "krbAdmService", NULL };
char *pwdclass[] = { "krbPwdService", NULL };
-char *subtreeclass[] = { "Organization", "OrganizationalUnit", "Domain",
+char *subtreeclass[] = { "Organization", "OrganizationalUnit", "Domain",
"Country", "Locality", NULL };
int supportedenctypes[] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD4, ENCTYPE_DES_CBC_MD5,
- ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
- ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_ARCFOUR_HMAC, -1};
+ ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_ARCFOUR_HMAC, -1};
int supportedsalttypes[] = { KRB5_KDB_SALTTYPE_NORMAL, KRB5_KDB_SALTTYPE_V4,
- KRB5_KDB_SALTTYPE_NOREALM, KRB5_KDB_SALTTYPE_ONLYREALM,
- KRB5_KDB_SALTTYPE_SPECIAL, -1};
+ KRB5_KDB_SALTTYPE_NOREALM, KRB5_KDB_SALTTYPE_ONLYREALM,
+ KRB5_KDB_SALTTYPE_SPECIAL, -1};
char *krbContainerRefclass[] = { "krbContainerRefAux", NULL};
int *int_list;
{
int i=0, j=0, scount=0;
-
+
for (i=0; int_list[i] != END_OF_LIST; scount=i++)
;
-
+
for (i=0; i <= scount; ++i) {
if (i > 0 && int_list[i] == int_list[i-1]) {
for (j=i; j<=scount; ++j)
* Function to remove all special characters from a string (rfc2254).
* Use whenever exact matching is to be done ...
*/
-static char *
+static char *
ldap_filter_correct (unsigned char *in, unsigned int len)
{
int i, count;
char *out, *ptr;
-
+
for (i = 0, count = 0; i < len; i++)
switch (in[i]) {
case '*':
case '\0':
count ++;
}
-
+
out = (char *)malloc((len + (count * 2) + 1) * sizeof (char));
assert (out != NULL);
memset(out, 0, len + (count * 2) + 1);
/*
* Lists the realms in the Directory.
- */
+ */
krb5_error_code
krb5_ldap_list_realm(context, realms)
{
char **values = NULL;
unsigned int i = 0, count = 0;
- krb5_error_code st = 0, tempst = 0;
+ krb5_error_code st = 0, tempst = 0;
LDAP *ld = NULL;
- LDAPMessage *result = NULL, *ent = NULL;
+ LDAPMessage *result = NULL, *ent = NULL;
kdb5_dal_handle *dal_handle = NULL;
krb5_ldap_context *ldap_context = NULL;
krb5_ldap_server_handle *ldap_server_handle = NULL;
/* get the kerberos container DN information */
if (ldap_context->krbcontainer == NULL) {
- if ((st = krb5_ldap_read_krbcontainer_params(context,
+ if ((st = krb5_ldap_read_krbcontainer_params(context,
&(ldap_context->krbcontainer))) != 0)
goto cleanup;
}
*realms = NULL;
count = ldap_count_entries (ld, result);
- if(count == -1){
+ if (count == -1) {
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &st);
st = set_ldap_error (context, st, OP_SEARCH);
goto cleanup;
} /* for (ent= ... */
ldap_msgfree(result);
- cleanup:
+cleanup:
/* some error, free up all the memory */
if (st != 0) {
/*
* Delete the realm along with the principals belonging to the realm in the Directory.
- */
+ */
krb5_error_code
krb5_ldap_delete_realm (context, lrealm)
lcontext.lrparams = rparam;
if ((st=krb5_get_subtree_info(&lcontext, subtrees, &ntree)) != 0)
goto cleanup;
-
+
for (l=0; l < ntree; ++l) {
LDAP_SEARCH(subtrees[l], rparam->search_scope, filter, attr);
result_arr[l] = result;
}
/* NOTE: Here all the principals should be cached and the ldap handle should be freed,
- * as a DAL-LDAP interface is called right down here. Caching might be constrained by
+ * as a DAL-LDAP interface is called right down here. Caching might be constrained by
* availability of the memory. The caching is not done, however there would be limit
* on the minimum number of handles for a server and it is 2. As the DAL-LDAP is not
* thread-safe this should suffice.
*/
for (j=0; (result=result_arr[j]) != NULL; ++j) {
- for(ent = ldap_first_entry (ld, result); ent != NULL;
- ent = ldap_next_entry (ld, ent)) {
+ for (ent = ldap_first_entry (ld, result); ent != NULL;
+ ent = ldap_next_entry (ld, ent)) {
if ((values = ldap_get_values(ld, ent, "krbPrincipalName")) != NULL) {
for (i = 0; values[i] != NULL; ++i) {
krb5_parse_name(context, values[i], &principal);
if (principal_in_realm_2(principal, lrealm) == 0) {
int nent = 0;
- if ((st=krb5_ldap_delete_principal(context, principal,
+ if ((st=krb5_ldap_delete_principal(context, principal,
&nent)) != LDAP_SUCCESS)
goto cleanup;
}
/* Delete the realm object */
if ((st=ldap_delete_s(ld, ldap_context->lrparams->realmdn)) != LDAP_SUCCESS) {
int ost = st;
- st = translate_ldap_error (st, OP_DEL);
- krb5_set_error_message (context, st, "Realm Delete FAILED: %s",
+ st = translate_ldap_error (st, OP_DEL);
+ krb5_set_error_message (context, st, "Realm Delete FAILED: %s",
ldap_err2string(ost));
}
- cleanup:
+cleanup:
for (l=0; l < ntree; ++l) {
if (subtrees[l])
free (subtrees[l]);
/*
* Modify the realm attributes in the Directory.
- */
+ */
krb5_error_code
krb5_ldap_modify_realm(context, rparams, mask)
LDAP *ld=NULL;
krb5_error_code st=0;
char *strval[5]={NULL};
-#ifdef HAVE_EDIRECTORY
+#ifdef HAVE_EDIRECTORY
char **values=NULL;
char **oldkdcservers=NULL, **oldadminservers=NULL, **oldpasswdservers=NULL;
LDAPMessage *result=NULL, *ent=NULL;
if (mask == 0)
return 0;
-
+
if (rparams == NULL) {
st = EINVAL;
return st;
}
-
+
SETUP_CONTEXT ();
/* Check validity of arguments */
*/
{
if ((mask & LDAP_REALM_SUPPENCTYPE) && rparams->suppenctypes) {
- for (i = 0; rparams->suppenctypes [i] != END_OF_LIST; i++){
+ for (i = 0; rparams->suppenctypes [i] != END_OF_LIST; i++) {
}
qsort ((void *)rparams->suppenctypes, (unsigned) i, sizeof(krb5_int32), compare);
}
if ((mask & LDAP_REALM_SUPPSALTTYPE) && rparams->suppsalttypes) {
- for (i = 0; rparams->suppenctypes [i] != END_OF_LIST; i++){
+ for (i = 0; rparams->suppenctypes [i] != END_OF_LIST; i++) {
}
qsort ((void *)rparams->suppsalttypes, (unsigned) i, sizeof(krb5_int32), compare);
}
}
memset(strval, 0, sizeof(strval));
strval[0] = rparams->subtree;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtree", LDAP_MOD_REPLACE,
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtree", LDAP_MOD_REPLACE,
strval)) != 0)
goto cleanup;
}
/* SEARCHSCOPE ATTRIBUTE */
- if (mask & LDAP_REALM_SEARCHSCOPE) {
- if((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_REPLACE,
- (rparams->search_scope == LDAP_SCOPE_ONELEVEL
- || rparams->search_scope == LDAP_SCOPE_SUBTREE) ?
- rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0)
+ if (mask & LDAP_REALM_SEARCHSCOPE) {
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_REPLACE,
+ (rparams->search_scope == LDAP_SCOPE_ONELEVEL
+ || rparams->search_scope == LDAP_SCOPE_SUBTREE) ?
+ rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0)
goto cleanup;
}
-
+
if (mask & LDAP_REALM_MAXRENEWLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_REPLACE,
- rparams->max_renewable_life)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_REPLACE,
+ rparams->max_renewable_life)) != 0)
+ goto cleanup;
}
/* krbMaxTicketLife ATTRIBUTE */
if (mask & LDAP_REALM_MAXTICKETLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_REPLACE,
- rparams->max_life)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_REPLACE,
+ rparams->max_life)) != 0)
+ goto cleanup;
}
/* krbTicketFlags ATTRIBUTE */
if (mask & LDAP_REALM_KRBTICKETFLAGS) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_REPLACE,
- rparams->tktflags)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_REPLACE,
+ rparams->tktflags)) != 0)
+ goto cleanup;
}
-
+
/* DEFENCTYPE ATTRIBUTE */
if (mask & LDAP_REALM_DEFENCTYPE) {
/* check if the entered enctype is valid */
if (krb5_c_valid_enctype(rparams->defenctype)) {
/* check if the defenctype exists in the suppenctypes list */
- for(i = 0; rparams->suppenctypes[i] != END_OF_LIST; ++i)
+ for (i = 0; rparams->suppenctypes[i] != END_OF_LIST; ++i)
if (rparams->defenctype == rparams->suppenctypes[i])
break;
goto cleanup;
}
- if((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultenctype", LDAP_MOD_REPLACE,
- rparams->defenctype)) != 0)
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultenctype", LDAP_MOD_REPLACE,
+ rparams->defenctype)) != 0)
goto cleanup;
} else {
st = EINVAL;
/* DEFSALTTYPE ATTRIBUTE */
if (mask & LDAP_REALM_DEFSALTTYPE) {
/* check if the entered salttype is valid */
- if (rparams->defsalttype>=0 && rparams->defsalttype<6) {
+ if (rparams->defsalttype>=0 && rparams->defsalttype<6) {
/* check if the defsalttype exists in the suppsalttypes list */
- for(i = 0; rparams->suppsalttypes[i] != END_OF_LIST; ++i)
+ for (i = 0; rparams->suppsalttypes[i] != END_OF_LIST; ++i)
if (rparams->defsalttype == rparams->suppsalttypes[i])
break;
goto cleanup;
}
- if((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultsalttype",
- LDAP_MOD_REPLACE, rparams->defsalttype)) != 0)
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultsalttype",
+ LDAP_MOD_REPLACE, rparams->defsalttype)) != 0)
goto cleanup;
} else {
/* check if the salttypes entered is valid */
if (!(rparams->suppsalttypes[i]>=0 && rparams->suppsalttypes[i]<6)) {
st = EINVAL;
- krb5_set_error_message (context, st, "salttype %d not valid", rparams->suppsalttypes[i]);
+ krb5_set_error_message (context, st, "salttype %d not valid", rparams->suppsalttypes[i]);
goto cleanup;
}
if (flag == FALSE) { /* Default salt type is not supported */
st = EINVAL;
- krb5_set_error_message (context, st, "Default salttype not in the supported list");
+ krb5_set_error_message (context, st, "Default salttype not in the supported list");
goto cleanup;
}
ignore_duplicates(rparams->suppsalttypes);
-
- if((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedsalttypes",
- LDAP_MOD_REPLACE, rparams->suppsalttypes)) != 0)
- goto cleanup;
+
+ if ((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedsalttypes",
+ LDAP_MOD_REPLACE, rparams->suppsalttypes)) != 0)
+ goto cleanup;
}
-
+
/* SUPPENCTYPE ATTRIBUTE */
- if (mask & LDAP_REALM_SUPPENCTYPE) {
+ if (mask & LDAP_REALM_SUPPENCTYPE) {
krb5_boolean flag=FALSE;
- for(i=0; rparams->suppenctypes[i] != END_OF_LIST; ++i) {
+ for (i=0; rparams->suppenctypes[i] != END_OF_LIST; ++i) {
/* check if the enctypes entered is valid */
if (krb5_c_valid_enctype(rparams->suppenctypes[i]) == 0) {
st = EINVAL;
- krb5_set_error_message (context, st, "Enctype %d not valid", rparams->suppenctypes[i]);
+ krb5_set_error_message (context, st, "Enctype %d not valid", rparams->suppenctypes[i]);
goto cleanup;
}
/* Ensure that the default encryption type is supported */
if ((oldmask & LDAP_REALM_DEFENCTYPE ||
- mask & LDAP_REALM_DEFENCTYPE) &&
+ mask & LDAP_REALM_DEFENCTYPE) &&
rparams->defenctype == rparams->suppenctypes[i])
- flag = TRUE;
+ flag = TRUE;
}
if (flag == FALSE) { /* Default encryption type is not supported */
}
ignore_duplicates(rparams->suppenctypes);
- if((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedenctypes",
- LDAP_MOD_REPLACE, rparams->suppenctypes)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedenctypes",
+ LDAP_MOD_REPLACE, rparams->suppenctypes)) != 0)
+ goto cleanup;
}
#ifdef HAVE_EDIRECTORY
if (mask & LDAP_REALM_KDCSERVERS || mask & LDAP_REALM_ADMINSERVERS ||
mask & LDAP_REALM_PASSWDSERVERS) {
char *servers[] = {"krbKdcServers", "krbAdmServers", "krbPwdServers", NULL};
-
+
if ((st= ldap_search_s(ld,
rparams->realmdn,
LDAP_SCOPE_BASE,
servers,
0,
&result)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_SEARCH);
+ st = set_ldap_error (context, st, OP_SEARCH);
goto cleanup;
}
-
+
ent = ldap_first_entry(ld, result);
if (ent) {
if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
/* Realm modify opearation */
if ((st=ldap_modify_s(ld, rparams->realmdn, mods)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
count = ldap_count_values(rparams->kdcservers);
if ((st=copy_arrays(rparams->kdcservers, &newkdcservers, count)) != 0)
goto cleanup;
-
+
/* find the deletions and additions to the server list */
if (oldkdcservers && newkdcservers)
disjoint_members(oldkdcservers, newkdcservers);
-
+
/* delete the krbRealmReferences attribute from the servers that are dis-associated. */
if (oldkdcservers)
for (i=0; oldkdcservers[i]; ++i)
- if ((st=deleteAttribute(ld, oldkdcservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0)
- {
+ if ((st=deleteAttribute(ld, oldkdcservers[i], "krbRealmReferences",
+ rparams->realmdn)) != 0) {
sprintf (errbuf, "Error removing 'krbRealmReferences' from %s: ",
oldkdcservers[i]);
- prepend_err_str (context, errbuf, st, st);
+ prepend_err_str (context, errbuf, st, st);
goto cleanup;
}
-
+
/* add the krbRealmReferences attribute from the servers that are associated. */
if (newkdcservers)
for (i=0; newkdcservers[i]; ++i)
- if ((st=updateAttribute(ld, newkdcservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0)
- {
+ if ((st=updateAttribute(ld, newkdcservers[i], "krbRealmReferences",
+ rparams->realmdn)) != 0) {
sprintf (errbuf, "Error adding 'krbRealmReferences' to %s: ",
newkdcservers[i]);
- prepend_err_str (context, errbuf, st, st);
+ prepend_err_str (context, errbuf, st, st);
goto cleanup;
}
if (newkdcservers)
ldap_value_free(newkdcservers);
}
-
+
if (mask & LDAP_REALM_ADMINSERVERS) {
char **newadminservers=NULL;
count = ldap_count_values(rparams->adminservers);
if ((st=copy_arrays(rparams->adminservers, &newadminservers, count)) != 0)
goto cleanup;
-
- /* find the deletions and additions to the server list */
+
+ /* find the deletions and additions to the server list */
if (oldadminservers && newadminservers)
disjoint_members(oldadminservers, newadminservers);
-
- /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
+
+ /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
if (oldadminservers)
for (i=0; oldadminservers[i]; ++i)
- if ((st=deleteAttribute(ld, oldadminservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0)
- {
+ if ((st=deleteAttribute(ld, oldadminservers[i], "krbRealmReferences",
+ rparams->realmdn)) != 0) {
sprintf(errbuf, "Error removing 'krbRealmReferences' from "
- "%s: ", oldadminservers[i]);
- prepend_err_str (context, errbuf, st, st);
+ "%s: ", oldadminservers[i]);
+ prepend_err_str (context, errbuf, st, st);
goto cleanup;
}
- /* add the krbRealmReferences attribute from the servers that are associated. */
- if (newadminservers)
+ /* add the krbRealmReferences attribute from the servers that are associated. */
+ if (newadminservers)
for (i=0; newadminservers[i]; ++i)
- if ((st=updateAttribute(ld, newadminservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0)
- {
+ if ((st=updateAttribute(ld, newadminservers[i], "krbRealmReferences",
+ rparams->realmdn)) != 0) {
sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ",
- newadminservers[i]);
- prepend_err_str (context, errbuf, st, st);
+ newadminservers[i]);
+ prepend_err_str (context, errbuf, st, st);
goto cleanup;
}
if (newadminservers)
ldap_value_free(newadminservers);
}
-
+
if (mask & LDAP_REALM_PASSWDSERVERS) {
char **newpasswdservers=NULL;
-
+
count = ldap_count_values(rparams->passwdservers);
if ((st=copy_arrays(rparams->passwdservers, &newpasswdservers, count)) != 0)
goto cleanup;
- /* find the deletions and additions to the server list */
+ /* find the deletions and additions to the server list */
if (oldpasswdservers && newpasswdservers)
disjoint_members(oldpasswdservers, newpasswdservers);
- /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
+ /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
if (oldpasswdservers)
for (i=0; oldpasswdservers[i]; ++i)
- if ((st=deleteAttribute(ld, oldpasswdservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0)
- {
+ if ((st=deleteAttribute(ld, oldpasswdservers[i], "krbRealmReferences",
+ rparams->realmdn)) != 0) {
sprintf(errbuf, "Error removing 'krbRealmReferences' from "
- "%s: ", oldpasswdservers[i]);
- prepend_err_str (context, errbuf, st, st);
+ "%s: ", oldpasswdservers[i]);
+ prepend_err_str (context, errbuf, st, st);
goto cleanup;
}
- /* add the krbRealmReferences attribute from the servers that are associated. */
+ /* add the krbRealmReferences attribute from the servers that are associated. */
if (newpasswdservers)
for (i=0; newpasswdservers[i]; ++i)
- if ((st=updateAttribute(ld, newpasswdservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0)
- {
+ if ((st=updateAttribute(ld, newpasswdservers[i], "krbRealmReferences",
+ rparams->realmdn)) != 0) {
sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ",
- newpasswdservers[i]);
- prepend_err_str (context, errbuf, st, st);
+ newpasswdservers[i]);
+ prepend_err_str (context, errbuf, st, st);
goto cleanup;
}
if (newpasswdservers)
}
#endif
- cleanup:
+cleanup:
#ifdef HAVE_EDIRECTORY
if (oldkdcservers) {
- for(i=0; oldkdcservers[i]; ++i)
+ for (i=0; oldkdcservers[i]; ++i)
free(oldkdcservers[i]);
free(oldkdcservers);
}
if (oldadminservers) {
- for(i=0; oldadminservers[i]; ++i)
+ for (i=0; oldadminservers[i]; ++i)
free(oldadminservers[i]);
free(oldadminservers);
}
if (oldpasswdservers) {
- for(i=0; oldpasswdservers[i]; ++i)
+ for (i=0; oldpasswdservers[i]; ++i)
free(oldpasswdservers[i]);
free(oldpasswdservers);
}
GET_HANDLE ();
if (krbcontparams != NULL && krbcontparams->DN != NULL) {
- kerberoscontdn = krbcontparams->DN;
+ kerberoscontdn = krbcontparams->DN;
} else {
/* If the user has not given, use the default cn=Kerberos,cn=Security */
#ifdef HAVE_EDIRECTORY
- kerberoscontdn = KERBEROS_CONTAINER;
+ kerberoscontdn = KERBEROS_CONTAINER;
#else
st = EINVAL;
krb5_set_error_message (context, st, "Kerberos Container information is missing");
- goto cleanup;
+ goto cleanup;
#endif
}
rdns = ldap_explode_dn(kerberoscontdn, 1);
if (rdns == NULL) {
st = EINVAL;
- krb5_set_error_message(context, st, "Invalid Kerberos container DN");
+ krb5_set_error_message(context, st, "Invalid Kerberos container DN");
goto cleanup;
}
strval[0] = rdns[0];
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ goto cleanup;
/* check if the policy reference value exists and is of krbpolicyreference object class */
if (krbcontparams && krbcontparams->policyreference) {
- st = checkattributevalue(ld, krbcontparams->policyreference, "objectclass", policyclass,
+ st = checkattributevalue(ld, krbcontparams->policyreference, "objectclass", policyclass,
&pmask);
CHECK_CLASS_VALIDITY(st, pmask, "ticket policy object value: ");
strval[0] = krbcontparams->policyreference;
strval[1] = NULL;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_ADD,
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_ADD,
strval)) != 0)
goto cleanup;
}
/* create the kerberos container */
if ((st = ldap_add_s(ld, kerberoscontdn, mods)) != LDAP_SUCCESS) {
int ost = st;
- st = translate_ldap_error (st, OP_ADD);
- krb5_set_error_message (context, st, "Kerberos Container create FAILED: %s", ldap_err2string(ost));
+ st = translate_ldap_error (st, OP_ADD);
+ krb5_set_error_message (context, st, "Kerberos Container create FAILED: %s", ldap_err2string(ost));
goto cleanup;
- }
+ }
#ifdef HAVE_EDIRECTORY
mods=NULL;
/* check whether the security container is bound to krbcontainerrefaux object class */
- if ((st=checkattributevalue(ld, SECURITY_CONTAINER, "objectClass",
- krbContainerRefclass, &crmask)) != 0)
- {
+ if ((st=checkattributevalue(ld, SECURITY_CONTAINER, "objectClass",
+ krbContainerRefclass, &crmask)) != 0) {
prepend_err_str (context, "Security Container read FAILED: ", st, st);
/* delete Kerberos Container, status ignored intentionally */
- ldap_delete_s(ld, kerberoscontdn);
+ ldap_delete_s(ld, kerberoscontdn);
goto cleanup;
}
/* update the security container with krbContainerReference attribute */
if ((st=ldap_modify_s(ld, SECURITY_CONTAINER, mods)) != LDAP_SUCCESS) {
int ost = st;
- st = translate_ldap_error (st, OP_MOD);
+ st = translate_ldap_error (st, OP_MOD);
krb5_set_error_message (context, st, "Security Container update FAILED: %s", ldap_err2string(ost));
/* delete Kerberos Container, status ignored intentionally */
- ldap_delete_s(ld, kerberoscontdn);
+ ldap_delete_s(ld, kerberoscontdn);
goto cleanup;
}
#endif
- cleanup:
+cleanup:
if (rdns)
ldap_value_free (rdns);
/*
- * Create Realm in eDirectory. This is used by kdb5_util
+ * Create Realm in eDirectory. This is used by kdb5_util
*/
krb5_error_code
}
if (ldap_context->krbcontainer == NULL) {
- if ((st = krb5_ldap_read_krbcontainer_params(context,
+ if ((st = krb5_ldap_read_krbcontainer_params(context,
&(ldap_context->krbcontainer))) != 0)
goto cleanup;
}
dn = malloc(strlen("cn=") + strlen(realm_name) + strlen(ldap_context->krbcontainer->DN) + 2);
CHECK_NULL(dn);
sprintf(dn, "cn=%s,%s", realm_name, ldap_context->krbcontainer->DN);
-
+
strval[0] = realm_name;
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
-
+
strval[0] = "top";
strval[1] = "krbrealmcontainer";
strval[2] = "krbpolicyaux";
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
-
+
/* SUBTREE ATTRIBUTE */
if (mask & LDAP_REALM_SUBTREE) {
if (strlen(rparams->subtree) != 0) {
- st = checkattributevalue(ld, rparams->subtree, "Objectclass", subtreeclass,
+ st = checkattributevalue(ld, rparams->subtree, "Objectclass", subtreeclass,
&objectmask);
CHECK_CLASS_VALIDITY(st, objectmask, "realm object value: ");
}
strval[0] = rparams->subtree;
strval[1] = NULL;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtree", LDAP_MOD_ADD,
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtree", LDAP_MOD_ADD,
strval)) != 0)
goto cleanup;
}
/* SEARCHSCOPE ATTRIBUTE */
if (mask & LDAP_REALM_SEARCHSCOPE) {
- if((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_ADD,
- (rparams->search_scope == LDAP_SCOPE_ONELEVEL
- || rparams->search_scope == LDAP_SCOPE_SUBTREE) ?
- rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_ADD,
+ (rparams->search_scope == LDAP_SCOPE_ONELEVEL
+ || rparams->search_scope == LDAP_SCOPE_SUBTREE) ?
+ rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0)
+ goto cleanup;
}
if (mask & LDAP_REALM_MAXRENEWLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_ADD,
- rparams->max_renewable_life)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_ADD,
+ rparams->max_renewable_life)) != 0)
+ goto cleanup;
}
/* krbMaxTicketLife ATTRIBUTE */
if (mask & LDAP_REALM_MAXTICKETLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_ADD,
- rparams->max_life)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_ADD,
+ rparams->max_life)) != 0)
+ goto cleanup;
}
/* krbTicketFlags ATTRIBUTE */
if (mask & LDAP_REALM_KRBTICKETFLAGS) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_ADD,
- rparams->tktflags)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_ADD,
+ rparams->tktflags)) != 0)
+ goto cleanup;
}
/* check if the defenctype exists in the suppenctypes list */
if (mask & LDAP_REALM_SUPPENCTYPE) {
- for(i=0; rparams->suppenctypes[i] != END_OF_LIST; ++i)
+ for (i=0; rparams->suppenctypes[i] != END_OF_LIST; ++i)
if (rparams->defenctype == rparams->suppenctypes[i])
break;
-
+
if (rparams->suppenctypes[i] == END_OF_LIST) {
st = EINVAL;
krb5_set_error_message (context, st, "Default enctype not in the "
- "supported list");
+ "supported list");
goto cleanup;
}
}
- if((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultenctype", LDAP_MOD_ADD,
- rparams->defenctype)) != 0)
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultenctype", LDAP_MOD_ADD,
+ rparams->defenctype)) != 0)
goto cleanup;
} else {
st = EINVAL;
/* check if the defsalttype exists in the suppsalttypes list */
if (mask & LDAP_REALM_SUPPSALTTYPE) {
- for(i=0; rparams->suppsalttypes[i] != END_OF_LIST; ++i)
+ for (i=0; rparams->suppsalttypes[i] != END_OF_LIST; ++i)
if (rparams->defsalttype == rparams->suppsalttypes[i])
break;
-
+
if (rparams->suppsalttypes[i] == END_OF_LIST) {
st = EINVAL;
krb5_set_error_message (context, st,
- "Default salttype not in the supported list");
+ "Default salttype not in the supported list");
goto cleanup;
}
}
- if((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultsalttype", LDAP_MOD_ADD,
- rparams->defsalttype)) != 0)
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultsalttype", LDAP_MOD_ADD,
+ rparams->defsalttype)) != 0)
goto cleanup;
} else {
st = EINVAL;
/* SUPPORTEDSALTTYPE ATTRIBUTE */
if (mask & LDAP_REALM_SUPPSALTTYPE) {
- for(i=0; rparams->suppsalttypes[i] != END_OF_LIST; ++i) {
+ for (i=0; rparams->suppsalttypes[i] != END_OF_LIST; ++i) {
/* check if the salttypes entered is valid */
if (!(rparams->suppsalttypes[i]>=0 && rparams->suppsalttypes[i]<6)) {
st = EINVAL;
- krb5_set_error_message (context, st, "Salttype %d not valid",
+ krb5_set_error_message (context, st, "Salttype %d not valid",
rparams->suppsalttypes[i]);
goto cleanup;
}
}
ignore_duplicates(rparams->suppsalttypes);
- if((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedsalttypes", LDAP_MOD_ADD,
- rparams->suppsalttypes)) != 0)
+ if ((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedsalttypes", LDAP_MOD_ADD,
+ rparams->suppsalttypes)) != 0)
goto cleanup;
} else {
/* set all the salt types as the suppsalttypes */
- if((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedsalttypes", LDAP_MOD_ADD,
- supportedsalttypes)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedsalttypes", LDAP_MOD_ADD,
+ supportedsalttypes)) != 0)
+ goto cleanup;
}
/* SUPPORTEDENCTYPE ATTRIBUTE */
if (mask & LDAP_REALM_SUPPENCTYPE) {
- for(i=0; rparams->suppenctypes[i] != -1; ++i) {
+ for (i=0; rparams->suppenctypes[i] != -1; ++i) {
- /* check if the enctypes entered is valid */
+ /* check if the enctypes entered is valid */
if (krb5_c_valid_enctype(rparams->suppenctypes[i]) == 0) {
st = EINVAL;
- krb5_set_error_message (context, st, "Enctype %d not valid",
+ krb5_set_error_message (context, st, "Enctype %d not valid",
rparams->suppenctypes[i]);
goto cleanup;
}
}
ignore_duplicates(rparams->suppenctypes);
- if((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedenctypes", LDAP_MOD_ADD,
- rparams->suppenctypes)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedenctypes", LDAP_MOD_ADD,
+ rparams->suppenctypes)) != 0)
+ goto cleanup;
} else {
/* set all the enc types as the suppenctypes */
- if((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedenctypes", LDAP_MOD_ADD,
- supportedenctypes)) != 0)
- goto cleanup;
+ if ((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedenctypes", LDAP_MOD_ADD,
+ supportedenctypes)) != 0)
+ goto cleanup;
}
#ifdef HAVE_EDIRECTORY
/* realm creation operation */
if ((st=ldap_add_s(ld, dn, mods)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_ADD);
+ st = set_ldap_error (context, st, OP_ADD);
goto cleanup;
}
#ifdef HAVE_EDIRECTORY
if (mask & LDAP_REALM_KDCSERVERS)
for (i=0; rparams->kdcservers[i]; ++i)
- if ((st=updateAttribute(ld, rparams->kdcservers[i], "krbRealmReferences", dn)) != 0)
- {
+ if ((st=updateAttribute(ld, rparams->kdcservers[i], "krbRealmReferences", dn)) != 0) {
sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ",
- rparams->kdcservers[i]);
- prepend_err_str (context, errbuf, st, st);
+ rparams->kdcservers[i]);
+ prepend_err_str (context, errbuf, st, st);
/* delete Realm, status ignored intentionally */
ldap_delete_s(ld, dn);
goto cleanup;
}
-
+
if (mask & LDAP_REALM_ADMINSERVERS)
for (i=0; rparams->adminservers[i]; ++i)
- if ((st=updateAttribute(ld, rparams->adminservers[i], "krbRealmReferences", dn)) != 0)
- {
+ if ((st=updateAttribute(ld, rparams->adminservers[i], "krbRealmReferences", dn)) != 0) {
sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ",
- rparams->adminservers[i]);
+ rparams->adminservers[i]);
prepend_err_str (context, errbuf, st, st);
/* delete Realm, status ignored intentionally */
ldap_delete_s(ld, dn);
if (mask & LDAP_REALM_PASSWDSERVERS)
for (i=0; rparams->passwdservers[i]; ++i)
- if ((st=updateAttribute(ld, rparams->passwdservers[i], "krbRealmReferences", dn)) != 0)
- {
+ if ((st=updateAttribute(ld, rparams->passwdservers[i], "krbRealmReferences", dn)) != 0) {
sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ",
- rparams->passwdservers[i]);
- prepend_err_str (context, errbuf, st, st);
+ rparams->passwdservers[i]);
+ prepend_err_str (context, errbuf, st, st);
/* delete Realm, status ignored intentionally */
ldap_delete_s(ld, dn);
goto cleanup;
}
#endif
- cleanup:
+cleanup:
if (dn)
free(dn);
unsigned int i=0, /* masklen=4, */ count=0;
krb5_error_code st=0, tempst=0;
LDAP *ld=NULL;
- LDAPMessage *result=NULL,*ent=NULL;
+ LDAPMessage *result=NULL,*ent=NULL;
krb5_ldap_realm_params *rlparams=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
/* read kerberos container, if not read already */
if (ldap_context->krbcontainer == NULL) {
- if ((st = krb5_ldap_read_krbcontainer_params(context,
+ if ((st = krb5_ldap_read_krbcontainer_params(context,
&(ldap_context->krbcontainer))) != 0)
goto cleanup;
}
}
memset((char *) rlparams->tl_data, 0, sizeof(krb5_tl_data));
rlparams->tl_data->tl_data_type = KDB_TL_USER_INFO;
-
+
/* set the mask parameter to 0 */
*mask = 0;
-
+
/* set default values */
rlparams->search_scope = LDAP_SCOPE_SUBTREE;
goto cleanup;
}
sprintf(rlparams->realmdn, "cn=%s,%s", lrealm, krbcontDN);
-
+
/* populate the realm name in the structure */
rlparams->realm_name = strdup(lrealm);
CHECK_NULL(rlparams->realm_name);
/* Read the attributes */
{
- if((values=ldap_get_values(ld, ent, "krbSubTree")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbSubTree")) != NULL) {
rlparams->subtree = strdup(values[0]);
- if(rlparams->subtree==NULL) {
+ if (rlparams->subtree==NULL) {
st = ENOMEM;
goto cleanup;
}
*mask |= LDAP_REALM_SUBTREE;
ldap_value_free(values);
- }
+ }
- if((values=ldap_get_values(ld, ent, "krbSearchScope")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbSearchScope")) != NULL) {
rlparams->search_scope=atoi(values[0]);
/* searchscope can be ONE-LEVEL or SUBTREE, else default to SUBTREE */
if (!(rlparams->search_scope==1 || rlparams->search_scope==2))
rlparams->search_scope = LDAP_SCOPE_SUBTREE;
*mask |= LDAP_REALM_SEARCHSCOPE;
ldap_value_free(values);
- }
+ }
- if((values=ldap_get_values(ld, ent, "krbMaxTicketLife")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbMaxTicketLife")) != NULL) {
rlparams->max_life = atoi(values[0]);
*mask |= LDAP_REALM_MAXTICKETLIFE;
ldap_value_free(values);
- }
+ }
- if((values=ldap_get_values(ld, ent, "krbMaxRenewableAge")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbMaxRenewableAge")) != NULL) {
rlparams->max_renewable_life = atoi(values[0]);
*mask |= LDAP_REALM_MAXRENEWLIFE;
ldap_value_free(values);
- }
+ }
- if((values=ldap_get_values(ld, ent, "krbTicketFlags")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbTicketFlags")) != NULL) {
rlparams->tktflags = atoi(values[0]);
*mask |= LDAP_REALM_KRBTICKETFLAGS;
ldap_value_free(values);
}
- if((values=ldap_get_values(ld, ent, "krbDefaultEncType")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbDefaultEncType")) != NULL) {
rlparams->defenctype = atoi(values[0]);
if (krb5_c_valid_enctype(rlparams->defenctype) == 0)
rlparams->defenctype = ENCTYPE_DES3_CBC_SHA1;
ldap_value_free(values);
}
- if((values=ldap_get_values(ld, ent, "krbDefaultSaltType")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbDefaultSaltType")) != NULL) {
rlparams->defsalttype = atoi(values[0]);
if (!(rlparams->defsalttype>=0 && rlparams->defsalttype<6))
rlparams->defsalttype = KRB5_KDB_SALTTYPE_NORMAL;
*mask |= LDAP_REALM_DEFSALTTYPE;
ldap_value_free(values);
}
- if((values=ldap_get_values(ld, ent, "krbSupportedEncTypes")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbSupportedEncTypes")) != NULL) {
count = ldap_count_values(values);
- rlparams->suppenctypes = malloc (sizeof(krb5_int32) * (count + 1));
+ rlparams->suppenctypes = malloc (sizeof(krb5_int32) * (count + 1));
if (rlparams->suppenctypes == NULL) {
st = ENOMEM;
goto cleanup;
}
- for(i=0; i<count; ++i)
+ for (i=0; i<count; ++i)
rlparams->suppenctypes[i] = atoi(values[i]);
rlparams->suppenctypes[count] = -1;
*mask |= LDAP_REALM_SUPPENCTYPE;
ldap_value_free(values);
}
- if((values=ldap_get_values(ld, ent, "krbSupportedSaltTypes")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbSupportedSaltTypes")) != NULL) {
count = ldap_count_values(values);
- rlparams->suppsalttypes = malloc (sizeof(krb5_int32) * (count + 1));
+ rlparams->suppsalttypes = malloc (sizeof(krb5_int32) * (count + 1));
if (rlparams->suppsalttypes == NULL) {
st = ENOMEM;
goto cleanup;
}
- for(i=0; i<count; ++i)
+ for (i=0; i<count; ++i)
rlparams->suppsalttypes[i] = atoi(values[i]);
rlparams->suppsalttypes[count] = -1;
*mask |= LDAP_REALM_SUPPSALTTYPE;
#ifdef HAVE_EDIRECTORY
- if((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
count = ldap_count_values(values);
if ((st=copy_arrays(values, &(rlparams->kdcservers), (int) count)) != 0)
goto cleanup;
ldap_value_free(values);
}
- if((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) {
count = ldap_count_values(values);
if ((st=copy_arrays(values, &(rlparams->adminservers), (int) count)) != 0)
goto cleanup;
*mask |= LDAP_REALM_ADMINSERVERS;
ldap_value_free(values);
- }
+ }
- if((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) {
count = ldap_count_values(values);
if ((st=copy_arrays(values, &(rlparams->passwdservers), (int) count)) != 0)
goto cleanup;
/*
* If all of maxtktlife, maxrenewlife and ticketflags are not directly
* available, use the policy dn from the policy reference attribute, if
- * available, to fetch the missing.
+ * available, to fetch the missing.
*/
- if ((!(*mask & LDAP_REALM_MAXTICKETLIFE && *mask & LDAP_REALM_MAXRENEWLIFE &&
+ if ((!(*mask & LDAP_REALM_MAXTICKETLIFE && *mask & LDAP_REALM_MAXRENEWLIFE &&
*mask & LDAP_REALM_KRBTICKETFLAGS)) && rlparams->policyreference) {
LDAP_SEARCH_1(rlparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS);
if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
- int ost = st;
- st = translate_ldap_error (st, OP_SEARCH);
- krb5_set_error_message (context, st, "Policy object read failed: %s", ldap_err2string(ost));
+ int ost = st;
+ st = translate_ldap_error (st, OP_SEARCH);
+ krb5_set_error_message (context, st, "Policy object read failed: %s", ldap_err2string(ost));
goto cleanup;
}
ent = ldap_first_entry (ld, result);
if (ent != NULL) {
if ((*mask & LDAP_REALM_MAXTICKETLIFE) == 0) {
- if((values=ldap_get_values(ld, ent, "krbmaxticketlife")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbmaxticketlife")) != NULL) {
rlparams->max_life = atoi(values[0]);
- *mask |= LDAP_REALM_MAXTICKETLIFE;
+ *mask |= LDAP_REALM_MAXTICKETLIFE;
ldap_value_free(values);
}
}
-
+
if ((*mask & LDAP_REALM_MAXRENEWLIFE) == 0) {
- if((values=ldap_get_values(ld, ent, "krbmaxrenewableage")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbmaxrenewableage")) != NULL) {
rlparams->max_renewable_life = atoi(values[0]);
- *mask |= LDAP_REALM_MAXRENEWLIFE;
+ *mask |= LDAP_REALM_MAXRENEWLIFE;
ldap_value_free(values);
}
}
if ((*mask & LDAP_REALM_KRBTICKETFLAGS) == 0) {
- if((values=ldap_get_values(ld, ent, "krbticketflags")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbticketflags")) != NULL) {
rlparams->tktflags = atoi(values[0]);
- *mask |= LDAP_REALM_KRBTICKETFLAGS;
+ *mask |= LDAP_REALM_KRBTICKETFLAGS;
ldap_value_free(values);
}
}
}
ldap_msgfree(result);
}
-
+
rlparams->mask = *mask;
*rlparamp = rlparams;
st = store_tl_data(rlparams->tl_data, KDB_TL_MASK, mask);
- cleanup:
+cleanup:
/* if there is an error, free allocated structures */
- if(st != 0) {
+ if (st != 0) {
krb5_ldap_free_realm_params(rlparams);
*rlparamp=NULL;
}
/*
Free the krb5_ldap_realm_params.
*/
-void
+void
krb5_ldap_free_realm_params(rparams)
krb5_ldap_realm_params *rparams;
{
int i=0;
-
- if(rparams) {
+
+ if (rparams) {
if (rparams->realmdn)
free(rparams->realmdn);
if (rparams->subtree)
krb5_xfree(rparams->subtree);
-
+
if (rparams->suppenctypes)
- krb5_xfree(rparams->suppenctypes);
+ krb5_xfree(rparams->suppenctypes);
if (rparams->suppsalttypes)
krb5_xfree(rparams->suppsalttypes);
- if (rparams->kdcservers){
+ if (rparams->kdcservers) {
for (i=0; rparams->kdcservers[i]; ++i)
krb5_xfree(rparams->kdcservers[i]);
krb5_xfree(rparams->kdcservers);
}
- if (rparams->adminservers){
+ if (rparams->adminservers) {
for (i=0; rparams->adminservers[i]; ++i)
krb5_xfree(rparams->adminservers[i]);
krb5_xfree(rparams->adminservers);
}
- if (rparams->passwdservers){
+ if (rparams->passwdservers) {
for (i=0; rparams->passwdservers[i]; ++i)
krb5_xfree(rparams->passwdservers[i]);
krb5_xfree(rparams->passwdservers);
memset(rparams->mkey.contents, 0, rparams->mkey.length);
krb5_xfree(rparams->mkey.contents);
}
-
+
krb5_xfree(rparams);
}
return;
krb5_ldap_create_realm_1(krb5_context kcontext, char *conf_section, char **db_args)
{
krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP;
- krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
return status;
}
krb5_ldap_delete_realm_1(krb5_context kcontext, char *conf_section, char **db_args)
{
krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP;
- krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
return status;
}
{"6#subtree#","#DetectIntruder"},
{"6#subtree#","#LockoutAfterDetection"},
{"2#subtree#","#LockedByIntruder"},
- {"6#subtree#","#Surname"},
+ {"6#subtree#","#Surname"},
{"6#subtree#","#krbPwdHistoryLength"},
{"6#subtree#","#krbMinPwdLife"},
{"6#subtree#","#krbMaxPwdLife"},
};
-/*
+/*
* This will set the rights for the Kerberos service objects.
* The function will read the subtree attribute from the specified
* realm name and will the appropriate rights on both the realm
- * container and the subtree. The kerberos context passed should
+ * container and the subtree. The kerberos context passed should
* have a valid ldap handle, with appropriate rights to write acl
- * attributes.
- *
+ * attributes.
+ *
* krb5_context - IN The Kerberos context with valid ldap handle
*
*/
-krb5_error_code
-krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
+krb5_error_code
+krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
krb5_context context;
int servicetype;
char *serviceobjdn;
char *subtreeparam;
int mask;
{
-
+
int st=0,i=0;
char *realmacls[2]={NULL}, *subtreeacls[2]={NULL}, *seccontacls[2]={NULL}, *krbcontacls[2]={NULL};
LDAP *ld;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
-
+
SETUP_CONTEXT();
GET_HANDLE();
- if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
- || (ldap_context->krbcontainer->DN == NULL) ) {
+ if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
+ || (ldap_context->krbcontainer->DN == NULL)) {
st=-1;
goto cleanup;
}
-
+
/* If the subtree is null, set the value to root */
- if(subtreeparam== NULL)
+ if (subtreeparam== NULL)
subtree=strdup("");
else
subtree=strdup(subtreeparam);
-
- if( subtree == NULL ) {
+
+ if (subtree == NULL) {
st = ENOMEM;
goto cleanup;
}
-
+
/* Set the rights for the service object on the security container */
seccontclass.mod_op = LDAP_MOD_ADD;
seccontclass.mod_type = "ACL";
-
+
for (i=0; strcmp(security_container[i][0], "") != 0; i++) {
- seccontacls[0] = (char *)malloc( strlen(security_container[i][0]) +
- strlen(serviceobjdn) +
- strlen(security_container[i][1]) + 1);
+ seccontacls[0] = (char *)malloc(strlen(security_container[i][0]) +
+ strlen(serviceobjdn) +
+ strlen(security_container[i][1]) + 1);
- sprintf( seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn,
- security_container[i][1]);
+ sprintf(seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn,
+ security_container[i][1]);
seccontclass.mod_values = seccontacls;
-
+
seccontarr[0] = &seccontclass;
-
+
st = ldap_modify_ext_s(ld,
SECURITY_CONTAINER,
seccontarr,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(seccontacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(seccontacls[0]);
}
-
+
/* Set the rights for the service object on the kerberos container */
krbcontclass.mod_op = LDAP_MOD_ADD;
krbcontclass.mod_type = "ACL";
-
+
for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) {
- krbcontacls[0] = (char *)malloc( strlen(kerberos_container[i][0]) + strlen(serviceobjdn)
- + strlen(kerberos_container[i][1]) + 1);
- sprintf(krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn,
- kerberos_container[i][1]);
+ krbcontacls[0] = (char *)malloc(strlen(kerberos_container[i][0]) + strlen(serviceobjdn)
+ + strlen(kerberos_container[i][1]) + 1);
+ sprintf(krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn,
+ kerberos_container[i][1]);
krbcontclass.mod_values = krbcontacls;
-
+
krbcontarr[0] = &krbcontclass;
-
+
st = ldap_modify_ext_s(ld,
ldap_context->krbcontainer->DN,
krbcontarr,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(krbcontacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(krbcontacls[0]);
}
-
+
/* Set the rights for the realm */
if (mask & LDAP_REALM_RIGHTS) {
-
+
/* Construct the realm dn from realm name */
- realmdn = (char * )malloc(strlen("cn=") + strlen(realmname) +
- strlen(ldap_context->krbcontainer->DN) + 2);
+ realmdn = (char *)malloc(strlen("cn=") + strlen(realmname) +
+ strlen(ldap_context->krbcontainer->DN) + 2);
sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
realmclass.mod_op = LDAP_MOD_ADD;
realmclass.mod_type = "ACL";
-
+
if (servicetype == LDAP_KDC_SERVICE) {
- for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
- realmacls[0] = (char *)malloc(strlen(kdcrights_realmcontainer[i][0])
- + strlen(serviceobjdn) +
- strlen(kdcrights_realmcontainer[i][1]) + 1);
- sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
+ for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
+ realmacls[0] = (char *)malloc(strlen(kdcrights_realmcontainer[i][0])
+ + strlen(serviceobjdn) +
+ strlen(kdcrights_realmcontainer[i][1]) + 1);
+ sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
kdcrights_realmcontainer[i][1]);
realmclass.mod_values = realmacls;
-
+
realmarr[0] = &realmclass;
-
+
st = ldap_modify_ext_s(ld,
realmdn,
realmarr,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(realmacls[0]);
}
- } else if(servicetype == LDAP_ADMIN_SERVICE){
- for( i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
- realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) +
- strlen(serviceobjdn) +
- strlen(adminrights_realmcontainer[i][1]) + 1);
- sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
+ } else if (servicetype == LDAP_ADMIN_SERVICE) {
+ for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
+ realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) +
+ strlen(serviceobjdn) +
+ strlen(adminrights_realmcontainer[i][1]) + 1);
+ sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
adminrights_realmcontainer[i][1]);
realmclass.mod_values = realmacls;
-
+
realmarr[0] = &realmclass;
-
+
st = ldap_modify_ext_s(ld,
realmdn,
realmarr,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
- free(realmacls[0]);
+ free(realmacls[0]);
}
} else if (servicetype == LDAP_PASSWD_SERVICE) {
for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) {
- realmacls[0] = (char *) malloc( strlen(pwdrights_realmcontainer[i][0]) +
- strlen(serviceobjdn) +
- strlen(pwdrights_realmcontainer[i][1]) + 1);
- sprintf( realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
- pwdrights_realmcontainer[i][1]);
+ realmacls[0] = (char *) malloc(strlen(pwdrights_realmcontainer[i][0]) +
+ strlen(serviceobjdn) +
+ strlen(pwdrights_realmcontainer[i][1]) + 1);
+ sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
+ pwdrights_realmcontainer[i][1]);
realmclass.mod_values = realmacls;
-
+
realmarr[0] = &realmclass;
-
-
+
+
st = ldap_modify_ext_s(ld,
realmdn,
realmarr,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(realmacls[0]);
/* Populate the acl data to be added to the subtree */
subtreeclass.mod_op = LDAP_MOD_ADD;
subtreeclass.mod_type = "ACL";
-
+
if (servicetype == LDAP_KDC_SERVICE) {
for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
- subtreeacls[0] = (char *) malloc( strlen(kdcrights_subtree[i][0]) +
- strlen(serviceobjdn) +
- strlen(kdcrights_subtree[i][1]) + 1);
- sprintf( subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
- kdcrights_subtree[i][1]);
+ subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0]) +
+ strlen(serviceobjdn) +
+ strlen(kdcrights_subtree[i][1]) + 1);
+ sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
+ kdcrights_subtree[i][1]);
subtreeclass.mod_values = subtreeacls;
-
+
subtreearr[0] = &subtreeclass;
-
+
st = ldap_modify_ext_s(ld,
subtree,
subtreearr,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(subtreeacls[0]);
}
} else if (servicetype == LDAP_ADMIN_SERVICE) {
for (i=0; strcmp(adminrights_subtree[i][0], "")!=0; i++) {
- subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
- + strlen(serviceobjdn)
+ subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
+ + strlen(serviceobjdn)
+ strlen(adminrights_subtree[i][1]) + 1);
- sprintf( subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
- adminrights_subtree[i][1]);
+ sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
+ adminrights_subtree[i][1]);
subtreeclass.mod_values = subtreeacls;
-
+
subtreearr[0] = &subtreeclass;
-
+
st = ldap_modify_ext_s(ld,
subtree,
subtreearr,
NULL);
if (st != LDAP_SUCCESS && st !=LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(subtreeacls[0]);
}
} else if (servicetype == LDAP_PASSWD_SERVICE) {
for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
- subtreeacls[0] = (char *)malloc( strlen(pwdrights_subtree[i][0])
- + strlen(serviceobjdn)
- + strlen(pwdrights_subtree[i][1]) + 1);
- sprintf( subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
- pwdrights_subtree[i][1]);
+ subtreeacls[0] = (char *)malloc(strlen(pwdrights_subtree[i][0])
+ + strlen(serviceobjdn)
+ + strlen(pwdrights_subtree[i][1]) + 1);
+ sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
+ pwdrights_subtree[i][1]);
subtreeclass.mod_values = subtreeacls;
-
+
subtreearr[0] = &subtreeclass;
-
+
st = ldap_modify_ext_s(ld,
subtree,
subtreearr,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(subtreeacls[0]);
}
} /* Subtree rights settings ends here */
st = 0;
-
- cleanup:
-
- if(realmdn)
+
+cleanup:
+
+ if (realmdn)
free(realmdn);
- if(subtree)
+ if (subtree)
free(subtree);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
}
-/*
- This will set the rights for the Kerberos service objects.
- The function will read the subtree attribute from the specified
- realm name and will the appropriate rights on both the realm
- container and the subtree. The kerberos context passed should
- have a valid ldap handle, with appropriate rights to write acl
- attributes.
-
- krb5_context - IN The Kerberos context with valid ldap handle
+/*
+ This will set the rights for the Kerberos service objects.
+ The function will read the subtree attribute from the specified
+ realm name and will the appropriate rights on both the realm
+ container and the subtree. The kerberos context passed should
+ have a valid ldap handle, with appropriate rights to write acl
+ attributes.
+
+ krb5_context - IN The Kerberos context with valid ldap handle
*/
krb5_error_code
-krb5_ldap_delete_service_rights( context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
+krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
krb5_context context;
int servicetype;
char *serviceobjdn;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
-
+
SETUP_CONTEXT();
GET_HANDLE();
- if((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
- || (ldap_context->krbcontainer->DN == NULL) ) {
+ if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
+ || (ldap_context->krbcontainer->DN == NULL)) {
st=-1;
goto cleanup;
}
/* If the subtree is null, set the value to root */
- if(subtreeparam== NULL)
+ if (subtreeparam== NULL)
subtree=strdup("");
else
subtree=strdup(subtreeparam);
-
- if( subtree == NULL ) {
+
+ if (subtree == NULL) {
st = ENOMEM;
goto cleanup;
}
/* Set the rights for the realm */
- if( mask & LDAP_REALM_RIGHTS ) {
-
+ if (mask & LDAP_REALM_RIGHTS) {
+
/* Construct the realm dn from realm name */
- realmdn = (char *) malloc( strlen("cn=") + strlen(realmname) +
- strlen(ldap_context->krbcontainer->DN) + 2 );
+ realmdn = (char *) malloc(strlen("cn=") + strlen(realmname) +
+ strlen(ldap_context->krbcontainer->DN) + 2);
sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
realmclass.mod_op=LDAP_MOD_DELETE;
realmclass.mod_type="ACL";
-
+
if (servicetype == LDAP_KDC_SERVICE) {
for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
- realmacls[0] = (char *) malloc(strlen(kdcrights_realmcontainer[i][0])
- + strlen(serviceobjdn) +
+ realmacls[0] = (char *) malloc(strlen(kdcrights_realmcontainer[i][0])
+ + strlen(serviceobjdn) +
strlen(kdcrights_realmcontainer[i][1]) + 1);
- sprintf( realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
- kdcrights_realmcontainer[i][1]);
+ sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
+ kdcrights_realmcontainer[i][1]);
realmclass.mod_values= realmacls;
-
+
realmarr[0]=&realmclass;
-
+
st = ldap_modify_ext_s(ld,
realmdn,
realmarr,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(realmacls[0]);
}
} else if (servicetype == LDAP_ADMIN_SERVICE) {
for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
- realmacls[0] = (char *) malloc( strlen(adminrights_realmcontainer[i][0]) +
- strlen(serviceobjdn) +
- strlen(adminrights_realmcontainer[i][1]) + 1);
- sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
+ realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) +
+ strlen(serviceobjdn) +
+ strlen(adminrights_realmcontainer[i][1]) + 1);
+ sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
adminrights_realmcontainer[i][1]);
realmclass.mod_values= realmacls;
-
+
realmarr[0]=&realmclass;
-
+
st = ldap_modify_ext_s(ld,
realmdn,
realmarr,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(realmacls[0]);
}
} else if (servicetype == LDAP_PASSWD_SERVICE) {
for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) {
- realmacls[0]=(char *)malloc( strlen(pwdrights_realmcontainer[i][0])
- + strlen(serviceobjdn)
- + strlen(pwdrights_realmcontainer[i][1]) + 1);
- sprintf( realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
- pwdrights_realmcontainer[i][1]);
+ realmacls[0]=(char *)malloc(strlen(pwdrights_realmcontainer[i][0])
+ + strlen(serviceobjdn)
+ + strlen(pwdrights_realmcontainer[i][1]) + 1);
+ sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
+ pwdrights_realmcontainer[i][1]);
realmclass.mod_values= realmacls;
-
+
realmarr[0]=&realmclass;
-
+
st = ldap_modify_ext_s(ld,
realmdn,
realmarr,
free(realmacls[0]);
}
}
-
+
} /* Realm rights setting ends here */
-
+
/* Set the rights for the subtree */
if (mask & LDAP_SUBTREE_RIGHTS) {
/* Populate the acl data to be added to the subtree */
subtreeclass.mod_op=LDAP_MOD_DELETE;
subtreeclass.mod_type="ACL";
-
- if(servicetype == LDAP_KDC_SERVICE){
+
+ if (servicetype == LDAP_KDC_SERVICE) {
for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
- subtreeacls[0] = (char *) malloc( strlen(kdcrights_subtree[i][0])
- + strlen(serviceobjdn)
- + strlen(kdcrights_subtree[i][1]) + 1);
- sprintf( subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
- kdcrights_subtree[i][1]);
+ subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0])
+ + strlen(serviceobjdn)
+ + strlen(kdcrights_subtree[i][1]) + 1);
+ sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
+ kdcrights_subtree[i][1]);
subtreeclass.mod_values= subtreeacls;
-
+
subtreearr[0]=&subtreeclass;
-
+
st = ldap_modify_ext_s(ld,
subtree,
subtreearr,
}
} else if (servicetype == LDAP_ADMIN_SERVICE) {
for (i=0; strcmp(adminrights_subtree[i][0], "") != 0; i++) {
- subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
- + strlen(serviceobjdn)
- + strlen(adminrights_subtree[i][1]) + 1);
- sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
+ subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
+ + strlen(serviceobjdn)
+ + strlen(adminrights_subtree[i][1]) + 1);
+ sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
adminrights_subtree[i][1]);
subtreeclass.mod_values= subtreeacls;
-
+
subtreearr[0]=&subtreeclass;
-
+
st = ldap_modify_ext_s(ld,
subtree,
subtreearr,
NULL,
NULL);
- if ( st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
+ if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
free(subtreeacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(subtreeacls[0]);
}
- }
- else if (servicetype == LDAP_PASSWD_SERVICE) {
+ } else if (servicetype == LDAP_PASSWD_SERVICE) {
for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
- subtreeacls[0] = (char *) malloc(strlen(pwdrights_subtree[i][0])
- + strlen(serviceobjdn)
+ subtreeacls[0] = (char *) malloc(strlen(pwdrights_subtree[i][0])
+ + strlen(serviceobjdn)
+ strlen(pwdrights_subtree[i][1]) + 1);
- sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
+ sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
pwdrights_subtree[i][1]);
subtreeclass.mod_values= subtreeacls;
-
+
subtreearr[0]=&subtreeclass;
-
+
st = ldap_modify_ext_s(ld,
subtree,
subtreearr,
}
}
} /* Subtree rights setting ends here */
-
+
st = 0;
- cleanup:
-
- if(realmdn)
+cleanup:
+
+ if (realmdn)
free(realmdn);
- if(subtree)
+ if (subtree)
free(subtree);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
*password = NULL;
if (ldap_context->service_password_file)
- file = ldap_context->service_password_file;
+ file = ldap_context->service_password_file;
#ifndef HAVE_STRERROR_R
# undef strerror_r
/* check whether file exists */
if (access(file, F_OK) < 0) {
- st = errno;
+ st = errno;
strerror_r(errno, errbuf, sizeof(errbuf));
- krb5_set_error_message (context, st, "%s", errbuf);
- goto rp_exit;
+ krb5_set_error_message (context, st, "%s", errbuf);
+ goto rp_exit;
}
/* check read access */
if (access(file, R_OK) < 0) {
- st = errno;
+ st = errno;
strerror_r(errno, errbuf, sizeof(errbuf));
- krb5_set_error_message (context, st, "%s", errbuf);
- goto rp_exit;
+ krb5_set_error_message (context, st, "%s", errbuf);
+ goto rp_exit;
}
- if((fptr=fopen(file, "r")) == NULL) {
- st = errno;
+ if ((fptr=fopen(file, "r")) == NULL) {
+ st = errno;
strerror_r(errno, errbuf, sizeof(errbuf));
- krb5_set_error_message (context, st, "%s", errbuf);
- goto rp_exit;
+ krb5_set_error_message (context, st, "%s", errbuf);
+ goto rp_exit;
}
-
+
/* get the record from the file */
- while(fgets(line, RECORDLEN, fptr)!= NULL) {
- char tmp[RECORDLEN];
+ while (fgets(line, RECORDLEN, fptr)!= NULL) {
+ char tmp[RECORDLEN];
- tmp[0] = '\0';
- /* Handle leading white-spaces */
- for(start = line; isspace(*start); ++start);
+ tmp[0] = '\0';
+ /* Handle leading white-spaces */
+ for (start = line; isspace(*start); ++start);
- /* Handle comment lines */
- if (*start == '!' || *start == '#')
- continue;
- sscanf(line, "%*[ \t]%[^#]", tmp);
- if(tmp[0] == '\0')
- sscanf(line, "%[^#]", tmp);
- if(strcasecmp(tmp, ldap_context->bind_dn) == 0) {
- entryfound = 1; /* service_dn record found !!! */
- break;
- }
+ /* Handle comment lines */
+ if (*start == '!' || *start == '#')
+ continue;
+ sscanf(line, "%*[ \t]%[^#]", tmp);
+ if (tmp[0] == '\0')
+ sscanf(line, "%[^#]", tmp);
+ if (strcasecmp(tmp, ldap_context->bind_dn) == 0) {
+ entryfound = 1; /* service_dn record found !!! */
+ break;
+ }
}
fclose (fptr);
if (entryfound == 0) {
st = KRB5_KDB_SERVER_INTERNAL_ERR;
krb5_set_error_message (context, st, "Bind DN entry missing in stash file");
- goto rp_exit;
+ goto rp_exit;
}
/* replace the \n with \0 */
start = strchr(line, '\n');
if (start)
- *start = '\0';
+ *start = '\0';
start = strchr(line, '#');
- if (start == NULL ) {
- /* password field missing */
+ if (start == NULL) {
+ /* password field missing */
st = KRB5_KDB_SERVER_INTERNAL_ERR;
- krb5_set_error_message (context, st, "Stash file entry corrupt");
- goto rp_exit;
+ krb5_set_error_message (context, st, "Stash file entry corrupt");
+ goto rp_exit;
}
++ start;
/* Extract the plain password / certificate file information */
{
- struct data PT, CT;
+ struct data PT, CT;
- /* Check if the entry has the path of a certificate */
- if(!strncmp(start, "{FILE}", strlen("{FILE}"))) {
+ /* Check if the entry has the path of a certificate */
+ if (!strncmp(start, "{FILE}", strlen("{FILE}"))) {
/* Set *password = {FILE}<path to cert>\0<cert password> */
- /*ptr = strchr(start, ':');
- if(ptr == NULL){ */
+ /*ptr = strchr(start, ':');
+ if (ptr == NULL) { */
*password = (unsigned char *)malloc(strlen(start) + 2);
(*password)[strlen(start) + 1] = '\0';
(*password)[strlen(start)] = '\0';
strcpy((char *)(*password), start);
goto got_password;
- } else {
+ } else {
CT.value = (unsigned char *)start;
CT.len = strlen((char *)CT.value);
st = dec_password(CT, &PT);
- if(st != 0){
- switch (st) {
- case ERR_NO_MEM:
- st = ENOMEM;
- break;
- case ERR_PWD_ZERO:
- st = EINVAL;
- krb5_set_error_message(context, st, "Password has zero length");
- break;
- case ERR_PWD_BAD:
- st = EINVAL;
- krb5_set_error_message(context, st, "Password corrupted");
- break;
- case ERR_PWD_NOT_HEX:
- st = EINVAL;
- krb5_set_error_message(context, st, "Not a hexadecimal password");
- break;
- default:
- st = KRB5_KDB_SERVER_INTERNAL_ERR;
- break;
- }
+ if (st != 0) {
+ switch (st) {
+ case ERR_NO_MEM:
+ st = ENOMEM;
+ break;
+ case ERR_PWD_ZERO:
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Password has zero length");
+ break;
+ case ERR_PWD_BAD:
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Password corrupted");
+ break;
+ case ERR_PWD_NOT_HEX:
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Not a hexadecimal password");
+ break;
+ default:
+ st = KRB5_KDB_SERVER_INTERNAL_ERR;
+ break;
+ }
goto rp_exit;
}
*password = PT.value;
- }
+ }
}
- got_password:
+got_password:
- rp_exit:
+rp_exit:
if (st) {
- if (*password)
- free (*password);
- *password = NULL;
+ if (*password)
+ free (*password);
+ *password = NULL;
}
return st;
}
/* Encodes a sequence of bytes in hexadecimal */
-int
+int
tohex(in, ret)
- krb5_data in;
- krb5_data *ret;
+ krb5_data in;
+ krb5_data *ret;
{
int i=0, j=0, err = 0;
-
+
ret->length = 0;
ret->data = NULL;
-
+
ret->data = (unsigned char *)malloc((unsigned int)in.length * 2 + 1 /*Null termination */);
if (ret->data == NULL) {
err = ENOMEM;
}
ret->length = in.length * 2;
ret->data[ret->length] = 0;
-
+
for (i = 0, j = 0; i < in.length; i++, j += 2) {
sprintf((char *)ret->data + j, "%x", in.data[i] >> 4);
sprintf((char *)ret->data + j + 1, "%x", in.data[i] & 0xf);
}
-
- cleanup:
-
+
+cleanup:
+
if (ret->length == 0) {
free(ret->data);
ret->data = NULL;
}
-
+
return err;
}
* ERR_PWD_NOT_HEX - Not a hexadecimal password
*/
-int dec_password(struct data pwd, struct data *ret){
+int dec_password(struct data pwd, struct data *ret) {
int err=0;
int i=0, j=0;
-
+
ret->len = 0;
ret->value = NULL;
-
+
if (pwd.len == 0) {
- err = ERR_PWD_ZERO;
- ret->len = 0;
- goto cleanup;
+ err = ERR_PWD_ZERO;
+ ret->len = 0;
+ goto cleanup;
}
-
+
/* Check if it is a hexadecimal encoded password */
- if (pwd.len >= strlen("{HEX}") &&
+ if (pwd.len >= strlen("{HEX}") &&
strncmp((char *)pwd.value, "{HEX}", strlen("{HEX}")) == 0) {
-
- if((pwd.len - strlen("{HEX}")) % 2 != 0){
+
+ if ((pwd.len - strlen("{HEX}")) % 2 != 0) {
/* A hexadecimal encoded password should have even length */
- err = ERR_PWD_BAD;
+ err = ERR_PWD_BAD;
ret->len = 0;
goto cleanup;
}
ret->value = (unsigned char *)malloc((pwd.len - strlen("{HEX}")) / 2 + 1);
- if(ret->value == NULL){
+ if (ret->value == NULL) {
err = ERR_NO_MEM;
ret->len = 0;
goto cleanup;
int k;
/* Check if it is a hexadecimal number */
if (isxdigit(pwd.value[i]) == 0 || isxdigit(pwd.value[i + 1]) == 0) {
- err = ERR_PWD_NOT_HEX;
- ret->len = 0;
- goto cleanup;
+ err = ERR_PWD_NOT_HEX;
+ ret->len = 0;
+ goto cleanup;
}
sscanf((char *)pwd.value + i, "%2x", &k);
ret->value[j] = k;
}
goto cleanup;
} else {
- err = ERR_PWD_NOT_HEX;
- ret->len = 0;
- goto cleanup;
+ err = ERR_PWD_NOT_HEX;
+ ret->len = 0;
+ goto cleanup;
}
-
- cleanup:
-
- if(ret->len == 0) {
+
+cleanup:
+
+ if (ret->len == 0) {
free(ret->value);
ret->value = NULL;
}
return(err);
}
-
krb5_ldap_service_params *service;
int mask;
{
- int i=0, j=0;
+ int i=0, j=0;
krb5_error_code st=0;
LDAP *ld=NULL;
char **rdns=NULL, *realmattr=NULL, *strval[3]={NULL};
strval[1] = "krbKdcService";
realmattr = "krbKdcServers";
} else if (service->servicetype == LDAP_ADMIN_SERVICE) {
- strval[1] = "krbAdmService";
+ strval[1] = "krbAdmService";
realmattr = "krbAdmServers";
} else if (service->servicetype == LDAP_PASSWD_SERVICE) {
strval[1] = "krbPwdService";
realmattr = "krbKdcServers";
}
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
-
+ goto cleanup;
+
rdns = ldap_explode_dn(service->servicedn, 1);
if (rdns == NULL) {
- st = LDAP_INVALID_DN_SYNTAX;
- goto cleanup;
+ st = LDAP_INVALID_DN_SYNTAX;
+ goto cleanup;
}
memset(strval, 0, sizeof(strval));
strval[0] = rdns[0];
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
-
+ goto cleanup;
+
if (mask & LDAP_SERVICE_SERVICEFLAG) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_ADD,
- service->krbserviceflags)) != 0)
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_ADD,
+ service->krbserviceflags)) != 0)
goto cleanup;
}
} else {
st = EINVAL;
krb5_set_error_message (context, st, "'krbhostserver' argument invalid");
- goto cleanup;
+ goto cleanup;
}
}
-
+
if (mask & LDAP_SERVICE_REALMREFERENCE) {
if (service->krbrealmreferences != NULL) {
unsigned int realmmask=0;
-
+
/* check for the validity of the values */
for (j=0; service->krbrealmreferences[j] != NULL; ++j) {
- st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass",
+ st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass",
realmcontclass, &realmmask);
CHECK_CLASS_VALIDITY(st, realmmask, "realm object value: ");
}
service->krbrealmreferences)) != 0)
goto cleanup;
} else {
- st = EINVAL;
+ st = EINVAL;
krb5_set_error_message (context, st, "Server has no 'krbrealmreferences'");
- goto cleanup;
+ goto cleanup;
}
}
-
+
/* ldap add operation */
if ((st=ldap_add_s(ld, service->servicedn, mods)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_ADD);
+ st = set_ldap_error (context, st, OP_ADD);
goto cleanup;
}
-
- /*
+
+ /*
* If the service created has realm/s associated with it, then the realm should be updated
* to have a reference to the service object just created.
*/
if (mask & LDAP_SERVICE_REALMREFERENCE) {
for (i=0; service->krbrealmreferences[i]; ++i) {
- if((st=updateAttribute(ld, service->krbrealmreferences[i], realmattr,
- service->servicedn)) != 0) {
+ if ((st=updateAttribute(ld, service->krbrealmreferences[i], realmattr,
+ service->servicedn)) != 0) {
sprintf (errbuf, "Error adding 'krbRealmReferences' to %s: ",
service->krbrealmreferences[i]);
- prepend_err_str (context, errbuf, st, st);
+ prepend_err_str (context, errbuf, st, st);
/* delete service object, status ignored intentionally */
ldap_delete_s(ld, service->servicedn);
goto cleanup;
}
}
}
-
- cleanup:
+
+cleanup:
if (rdns)
- ldap_value_free (rdns);
+ ldap_value_free (rdns);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
/* validate the input parameter */
if (service == NULL || service->servicedn == NULL) {
- st = EINVAL;
+ st = EINVAL;
krb5_set_error_message (context, st, "Service DN is NULL");
- goto cleanup;
+ goto cleanup;
}
SETUP_CONTEXT();
GET_HANDLE();
if (mask & LDAP_SERVICE_SERVICEFLAG) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_REPLACE,
- service->krbserviceflags)) != 0)
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_REPLACE,
+ service->krbserviceflags)) != 0)
goto cleanup;
}
if (mask & LDAP_SERVICE_HOSTSERVER) {
if (service->krbhostservers != NULL) {
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_REPLACE,
- service->krbhostservers)) != 0)
- goto cleanup;
+ service->krbhostservers)) != 0)
+ goto cleanup;
} else {
- st = EINVAL;
+ st = EINVAL;
krb5_set_error_message (context, st, "'krbhostserver' value invalid");
- goto cleanup;
+ goto cleanup;
}
}
-
+
if (mask & LDAP_SERVICE_REALMREFERENCE) {
if (service->krbrealmreferences != NULL) {
unsigned int realmmask=0;
-
+
/* check for the validity of the values */
for (j=0; service->krbrealmreferences[j]; ++j) {
- st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass",
- realmcontclass, &realmmask);
+ st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass",
+ realmcontclass, &realmmask);
CHECK_CLASS_VALIDITY(st, realmmask, "realm object value: ");
}
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_REPLACE,
- service->krbrealmreferences)) != 0)
- goto cleanup;
-
-
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_REPLACE,
+ service->krbrealmreferences)) != 0)
+ goto cleanup;
+
+
/* get the attribute of the realm to be set */
if (service->servicetype == LDAP_KDC_SERVICE)
realmattr = "krbKdcServers";
else if (service->servicetype == LDAP_ADMIN_SERVICE)
- realmattr = "krbAdmservers";
+ realmattr = "krbAdmservers";
else if (service->servicetype == LDAP_PASSWD_SERVICE)
realmattr = "krbPwdServers";
else
realmattr = "krbKdcServers";
-
+
/* read the existing list of krbRealmreferences. this will needed */
- if ((st = ldap_search_s (ld,
- service->servicedn,
+ if ((st = ldap_search_s (ld,
+ service->servicedn,
LDAP_SCOPE_BASE,
0,
attr,
0,
&result)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_SEARCH);
+ st = set_ldap_error (context, st, OP_SEARCH);
goto cleanup;
}
-
+
ent = ldap_first_entry(ld, result);
if (ent) {
if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) {
}
ldap_msgfree(result);
} else {
- st = EINVAL;
+ st = EINVAL;
krb5_set_error_message (context, st, "'krbRealmReferences' value invalid");
- goto cleanup;
+ goto cleanup;
}
}
-
+
/* ldap modify operation */
if ((st=ldap_modify_s(ld, service->servicedn, mods)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
-
- /*
- * If the service modified had realm/s associations changed, then the realm should be
+
+ /*
+ * If the service modified had realm/s associations changed, then the realm should be
* updated to reflect the changes.
*/
/* get the count of the new list of krbrealmreferences */
for (i=0; service->krbrealmreferences[i]; ++i)
;
-
+
/* make a new copy of the krbrealmreferences */
if ((st=copy_arrays(service->krbrealmreferences, &newrealmrefs, i)) != 0)
goto cleanup;
-
+
/* find the deletions/additions to the list of krbrealmreferences */
if (disjoint_members(oldrealmrefs, newrealmrefs) != 0)
goto cleanup;
- /* see if some of the attributes have to be deleted */
+ /* see if some of the attributes have to be deleted */
if (oldrealmrefs) {
-
+
/* update the dn represented by the attribute that is to be deleted */
- for (i=0; oldrealmrefs[i]; ++i)
- if((st=deleteAttribute(ld, oldrealmrefs[i], realmattr, service->servicedn)) != 0)
- {
+ for (i=0; oldrealmrefs[i]; ++i)
+ if ((st=deleteAttribute(ld, oldrealmrefs[i], realmattr, service->servicedn)) != 0) {
prepend_err_str (context, "Error deleting realm attribute:", st, st);
- goto cleanup;
+ goto cleanup;
}
}
-
- /* see if some of the attributes have to be added */
- for (i=0; newrealmrefs[i]; ++i)
- if((st=updateAttribute(ld, newrealmrefs[i], realmattr, service->servicedn)) != 0)
- {
+
+ /* see if some of the attributes have to be added */
+ for (i=0; newrealmrefs[i]; ++i)
+ if ((st=updateAttribute(ld, newrealmrefs[i], realmattr, service->servicedn)) != 0) {
prepend_err_str (context, "Error updating realm attribute: ", st, st);
goto cleanup;
}
}
-
- cleanup:
+
+cleanup:
if (oldrealmrefs) {
for (i=0; oldrealmrefs[i]; ++i)
free (oldrealmrefs[i]);
free (oldrealmrefs);
}
-
+
if (newrealmrefs) {
for (i=0; newrealmrefs[i]; ++i)
free (newrealmrefs[i]);
SETUP_CONTEXT();
GET_HANDLE();
-
+
st = ldap_delete_s(ld, servicedn);
if (st != 0) {
- st = set_ldap_error (context, st, OP_DEL);
+ st = set_ldap_error (context, st, OP_DEL);
}
/* NOTE: This should be removed now as the backlinks are going off in OpenLDAP */
{
int i=0;
char *attr=NULL;
-
+
if (service) {
if (service->krbrealmreferences) {
if (service->servicetype == LDAP_KDC_SERVICE)
- attr = "krbkdcservers";
+ attr = "krbkdcservers";
else if (service->servicetype == LDAP_ADMIN_SERVICE)
attr = "krbadmservers";
else if (service->servicetype == LDAP_PASSWD_SERVICE)
attr = "krbpwdservers";
-
+
for (i=0; service->krbrealmreferences[i]; ++i) {
deleteAttribute(ld, service->krbrealmreferences[i], attr, servicedn);
}
}
#endif
- cleanup:
+cleanup:
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
char **values=NULL;
int i=0, count=0, objectmask=0;
krb5_error_code st=0, tempst=0;
- LDAPMessage *result=NULL,*ent=NULL;
- char *attributes[] = {"krbHostServer", "krbServiceflags",
+ LDAPMessage *result=NULL,*ent=NULL;
+ char *attributes[] = {"krbHostServer", "krbServiceflags",
"krbRealmReferences", "objectclass", NULL};
char *attrvalues[] = {"krbService", NULL};
krb5_ldap_service_params *lservice=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
LDAP *ld = NULL;
-
+
/* validate the input parameter */
if (servicedn == NULL) {
st = EINVAL;
krb5_set_error_message (context, st, "Service DN NULL");
goto cleanup;
}
-
+
SETUP_CONTEXT();
GET_HANDLE();
*omask = 0;
-
+
/* the policydn object should be of the krbService object class */
st = checkattributevalue(ld, servicedn, "objectClass", attrvalues, &objectmask);
CHECK_CLASS_VALIDITY(st, objectmask, "service object value: ");
-
+
/* Initialize service structure */
lservice =(krb5_ldap_service_params *) calloc(1, sizeof(krb5_ldap_service_params));
if (lservice == NULL) {
goto cleanup;
}
lservice->tl_data->tl_data_type = KDB_TL_USER_INFO;
-
+
LDAP_SEARCH(servicedn, LDAP_SCOPE_BASE, "(objectclass=krbService)", attributes);
lservice->servicedn = strdup(servicedn);
CHECK_NULL(lservice->servicedn);
- ent=ldap_first_entry(ld, result);
+ ent=ldap_first_entry(ld, result);
if (ent != NULL) {
- if((values=ldap_get_values(ld, ent, "krbServiceFlags")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbServiceFlags")) != NULL) {
lservice->krbserviceflags = atoi(values[0]);
*omask |= LDAP_SERVICE_SERVICEFLAG;
ldap_value_free(values);
- }
+ }
- if((values=ldap_get_values(ld, ent, "krbHostServer")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbHostServer")) != NULL) {
count = ldap_count_values(values);
if ((st=copy_arrays(values, &(lservice->krbhostservers), count)) != 0)
goto cleanup;
*omask |= LDAP_SERVICE_HOSTSERVER;
ldap_value_free(values);
- }
+ }
- if((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) {
count = ldap_count_values(values);
if ((st=copy_arrays(values, &(lservice->krbrealmreferences), count)) != 0)
goto cleanup;
ldap_value_free(values);
}
- if((values=ldap_get_values(ld, ent, "objectClass")) != NULL) {
- for (i=0; values[i]; ++i){
+ if ((values=ldap_get_values(ld, ent, "objectClass")) != NULL) {
+ for (i=0; values[i]; ++i) {
if (strcasecmp(values[i], "krbKdcService") == 0) {
lservice->servicetype = LDAP_KDC_SERVICE;
break;
- }
+ }
if (strcasecmp(values[i], "krbAdmService") == 0) {
lservice->servicetype = LDAP_ADMIN_SERVICE;
break;
- }
+ }
if (strcasecmp(values[i], "krbPwdService") == 0) {
lservice->servicetype = LDAP_PASSWD_SERVICE;
}
}
ldap_msgfree(result);
-
- cleanup:
- if(st != 0) {
+
+cleanup:
+ if (st != 0) {
krb5_ldap_free_service(context, lservice);
*service = NULL;
} else {
/*
* This function frees the krb5_ldap_service_params structure members.
*/
-
+
krb5_error_code
krb5_ldap_free_service(context, service)
krb5_context context;
free (service->krbhostservers[i]);
free (service->krbhostservers);
}
-
+
if (service->tl_data) {
if (service->tl_data->tl_data_contents)
free (service->tl_data->tl_data_contents);
free (service->tl_data);
}
-
+
free (service);
return 0;
}
if ((st=krb5_add_str_mem_ldap_mod(&mods, "userPassword", LDAP_MOD_REPLACE, password)) != 0)
goto cleanup;
-
+
st = ldap_modify_s(ld, service, mods);
if (st) {
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
}
- cleanup:
+cleanup:
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
/* Ticket policy object management */
-/*
-* This function changes the value of policyreference count for a particular ticket policy. if flag is 1 it will increment else it will reduce by one
-*/
+/*
+ * This function changes the value of policyreference count for a
+ * particular ticket policy. If flag is 1 it will increment else it
+ * will reduce by one.
+ */
krb5_error_code
krb5_ldap_change_count(context ,policydn ,flag)
- krb5_context context;
- char *policydn;
- int flag;
+ krb5_context context;
+ char *policydn;
+ int flag;
{
- krb5_error_code st=0;
- int objectmask=0;
- LDAP *ld=NULL;
- char *attrvalues[] = { "krbPolicy", NULL};
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_context *ldap_context=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
- krb5_ldap_policy_params *policyparams=NULL;
- int mask = 0;
-
- /* validate the input parameters */
- if (policydn == NULL) {
- st = EINVAL;
- prepend_err_str(context,"Ticket Policy Object information missing",st,st);
- goto cleanup;
- }
+ krb5_error_code st=0;
+ int objectmask=0;
+ LDAP *ld=NULL;
+ char *attrvalues[] = { "krbPolicy", NULL};
+ kdb5_dal_handle *dal_handle=NULL;
+ krb5_ldap_context *ldap_context=NULL;
+ krb5_ldap_server_handle *ldap_server_handle=NULL;
+ krb5_ldap_policy_params *policyparams=NULL;
+ int mask = 0;
+
+ /* validate the input parameters */
+ if (policydn == NULL) {
+ st = EINVAL;
+ prepend_err_str(context,"Ticket Policy Object information missing",st,st);
+ goto cleanup;
+ }
- SETUP_CONTEXT();
- GET_HANDLE();
+ SETUP_CONTEXT();
+ GET_HANDLE();
- /* the policydn object should be of the krbPolicy object class */
- st = checkattributevalue(ld, policydn, "objectClass", attrvalues, &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, "ticket policy object: ");
+ /* the policydn object should be of the krbPolicy object class */
+ st = checkattributevalue(ld, policydn, "objectClass", attrvalues, &objectmask);
+ CHECK_CLASS_VALIDITY(st, objectmask, "ticket policy object: ");
- /* Initialize ticket policy structure */
+ /* Initialize ticket policy structure */
- if ((st = krb5_ldap_read_policy(context, policydn, &policyparams, &mask)))
- goto cleanup;
- if(flag == 1){
- /*Increment*/
- policyparams->polrefcount +=1;
- }
- else{
- /*Decrement*/
- if(policyparams->polrefcount >0)
- {
- policyparams->polrefcount-=1;
- }
+ if ((st = krb5_ldap_read_policy(context, policydn, &policyparams, &mask)))
+ goto cleanup;
+ if (flag == 1) {
+ /*Increment*/
+ policyparams->polrefcount +=1;
+ } else{
+ /*Decrement*/
+ if (policyparams->polrefcount >0) {
+ policyparams->polrefcount-=1;
}
- mask |= LDAP_POLICY_COUNT;
+ }
+ mask |= LDAP_POLICY_COUNT;
- if ((st = krb5_ldap_modify_policy(context, policyparams, mask)))
- goto cleanup;
+ if ((st = krb5_ldap_modify_policy(context, policyparams, mask)))
+ goto cleanup;
cleanup:
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
+ krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
+ return st;
}
/*
/* validate the input parameters */
if (policy == NULL || policy->policydn==NULL) {
- st = EINVAL;
+ st = EINVAL;
krb5_set_error_message (context, st, "Ticket Policy Object DN missing");
goto cleanup;
}
st = LDAP_INVALID_DN_SYNTAX;
goto cleanup;
}
-
+
memset(strval, 0, sizeof(strval));
strval[0] = rdns[0];
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
-
+
memset(strval, 0, sizeof(strval));
strval[0] = "krbPolicy";
strval[1] = "krbPolicyaux";
goto cleanup;
if (mask & LDAP_POLICY_MAXTKTLIFE) {
- if((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_ADD,
- policy->maxtktlife)) != 0)
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_ADD,
+ policy->maxtktlife)) != 0)
goto cleanup;
}
if (mask & LDAP_POLICY_MAXRENEWLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_ADD,
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_ADD,
policy->maxrenewlife)) != 0)
goto cleanup;
}
-
+
if (mask & LDAP_POLICY_TKTFLAGS) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_ADD,
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_ADD,
policy->tktflags)) != 0)
goto cleanup;
}
/*ticket policy reference count attribute added with value 0 */
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbPolicyRefCount", LDAP_MOD_ADD,
- 0)) != 0)
- goto cleanup;
+ 0)) != 0)
+ goto cleanup;
/* ldap add operation */
if ((st=ldap_add_s(ld, policy->policydn, mods)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_ADD);
+ st = set_ldap_error (context, st, OP_ADD);
goto cleanup;
}
-
- cleanup:
+
+cleanup:
if (rdns)
- ldap_value_free(rdns);
+ ldap_value_free(rdns);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
*/
krb5_error_code
-krb5_ldap_modify_policy(context, policy, mask)
+krb5_ldap_modify_policy(context, policy, mask)
krb5_context context;
krb5_ldap_policy_params *policy;
int mask;
if (policy == NULL || policy->policydn==NULL) {
st = EINVAL;
krb5_set_error_message (context, st, "Ticket Policy Object DN missing");
- goto cleanup;
+ goto cleanup;
}
SETUP_CONTEXT();
/* the policydn object should be of the krbPolicy object class */
st = checkattributevalue(ld, policy->policydn, "objectClass", attrvalues, &objectmask);
CHECK_CLASS_VALIDITY(st, objectmask, "ticket policy object: ");
-
+
if ((objectmask & 0x02) == 0) { /* add krbpolicyaux to the object class list */
memset(strval, 0, sizeof(strval));
strval[0] = "krbPolicyAux";
}
if (mask & LDAP_POLICY_MAXTKTLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE,
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE,
policy->maxtktlife)) != 0)
goto cleanup;
}
if (mask & LDAP_POLICY_MAXRENEWLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
- policy->maxrenewlife)) != 0)
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
+ policy->maxrenewlife)) != 0)
goto cleanup;
}
-
+
if (mask & LDAP_POLICY_TKTFLAGS) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
policy->tktflags)) != 0)
goto cleanup;
}
if (mask & LDAP_POLICY_COUNT) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpolicyrefcount", LDAP_MOD_REPLACE,
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpolicyrefcount", LDAP_MOD_REPLACE,
policy->polrefcount)) != 0)
goto cleanup;
}
if ((st=ldap_modify_s(ld, policy->policydn, mods)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_MOD);
+ st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
-
- cleanup:
+
+cleanup:
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
/*
- * Read the policy object from the Directory and populate the krb5_ldap_policy_params
+ * Read the policy object from the Directory and populate the krb5_ldap_policy_params
* structure.
*/
krb5_error_code st=0, tempst=0;
int objectmask=0;
LDAP *ld=NULL;
- LDAPMessage *result=NULL,*ent=NULL;
+ LDAPMessage *result=NULL,*ent=NULL;
char *attributes[] = { "krbMaxTicketLife", "krbMaxRenewableAge", "krbTicketFlags", "krbPolicyRefCount", NULL};
char *attrvalues[] = { "krbPolicy", NULL};
krb5_ldap_policy_params *lpolicy=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
-
+
/* validate the input parameters */
if (policydn == NULL || policy == NULL) {
st = EINVAL;
krb5_set_error_message(context, st, "Ticket Policy Object information missing");
- goto cleanup;
+ goto cleanup;
}
SETUP_CONTEXT();
lpolicy->policydn = strdup(policydn);
CHECK_NULL(lpolicy->policydn);
- ent=ldap_first_entry(ld, result);
+ ent=ldap_first_entry(ld, result);
if (ent != NULL) {
if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", (int *) &(lpolicy->maxtktlife)) == 0)
*omask |= LDAP_POLICY_MAXTKTLIFE;
-
+
if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", (int *) &(lpolicy->maxrenewlife)) == 0)
*omask |= LDAP_POLICY_MAXRENEWLIFE;
if (krb5_ldap_get_value(ld, ent, "krbticketflags", (int *) &(lpolicy->tktflags)) == 0)
- *omask |= LDAP_POLICY_TKTFLAGS;
+ *omask |= LDAP_POLICY_TKTFLAGS;
if (krb5_ldap_get_value(ld, ent, "krbPolicyRefCount", (int *) &(lpolicy->polrefcount)) == 0)
- *omask |= LDAP_POLICY_COUNT;
+ *omask |= LDAP_POLICY_COUNT;
}
ldap_msgfree(result);
store_tl_data(lpolicy->tl_data, KDB_TL_MASK, omask);
*policy = lpolicy;
- cleanup:
+cleanup:
if (st != 0) {
krb5_ldap_free_policy(context, lpolicy);
*policy = NULL;
- }
+ }
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
-/*
- * function to delete ticket policy object from the directory. Before calling this function krb5_ldap_read_policy
- * should be called to check the existence of the object. This serves one major purpose, i.e. if the object to be
- * is anything other than the ticket policy object then the krb5_ldap_read_policy returns an error and thus is not
- * accidently deleted in this function.
+/*
+ * Function to delete ticket policy object from the directory. Before
+ * calling this function krb5_ldap_read_policy should be called to
+ * check the existence of the object. This serves one major purpose,
+ * i.e., if the object to be is anything other than the ticket policy
+ * object then the krb5_ldap_read_policy returns an error and thus is
+ * not accidently deleted in this function.
*
- * NOTE: Other kerberos objects (user/realm object) might be having references to the
- * policy object to be deleted. This situation is not handled here, instead is taken care
- * of at all the places where the deleted policy object is read, to ignore a return status
- * of LDAP_NO_SUCH_OBJECT and continue.
+ * NOTE: Other kerberos objects (user/realm object) might be having
+ * references to the policy object to be deleted. This situation is
+ * not handled here, instead is taken care of at all the places where
+ * the deleted policy object is read, to ignore a return status of
+ * LDAP_NO_SUCH_OBJECT and continue.
*/
krb5_error_code
krb5_ldap_policy_params *policy;
int mask;
{
- krb5_error_code st = 0;
- LDAP *ld = NULL;
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_context *ldap_context=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
-
- if (policy == NULL || policydn==NULL) {
- st = EINVAL;
- prepend_err_str (context,"Ticket Policy Object DN missing",st,st);
- goto cleanup;
- }
+ krb5_error_code st = 0;
+ LDAP *ld = NULL;
+ kdb5_dal_handle *dal_handle=NULL;
+ krb5_ldap_context *ldap_context=NULL;
+ krb5_ldap_server_handle *ldap_server_handle=NULL;
+ if (policy == NULL || policydn==NULL) {
+ st = EINVAL;
+ prepend_err_str (context,"Ticket Policy Object DN missing",st,st);
+ goto cleanup;
+ }
- SETUP_CONTEXT();
- GET_HANDLE();
-
- /*checking for policy count for 0 and will not permit delete if it is greater than 0*/
+ SETUP_CONTEXT();
+ GET_HANDLE();
- if(policy->polrefcount == 0){
- if ((st=ldap_delete_s(ld, policydn)) != 0)
- {
- prepend_err_str (context,ldap_err2string(st),st,st);
-
- goto cleanup;
- }
- }
- else {
- st = EINVAL;
- prepend_err_str (context,"Delete Failed: One or more Principals associated with the Ticket Policy",st,st);
- goto cleanup;
+ /* Checking for policy count for 0 and will not permit delete if
+ * it is greater than 0. */
+
+ if (policy->polrefcount == 0) {
+
+ if ((st=ldap_delete_s(ld, policydn)) != 0) {
+ prepend_err_str (context,ldap_err2string(st),st,st);
+
+ goto cleanup;
}
+ } else {
+ st = EINVAL;
+ prepend_err_str (context,"Delete Failed: One or more Principals associated with the Ticket Policy",st,st);
+ goto cleanup;
+ }
cleanup:
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
+ krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
+ return st;
}
krb5_error_code st=0;
st = krb5_ldap_list(context, policy, "krbPolicy", containerdn);
-
+
return st;
}
/*
* Function to free the ticket policy object structure.
- * Note: this function assumes that memory of the policy structure is dynamically allocated and hence the whole
+ * Note: this function assumes that memory of the policy structure is dynamically allocated and hence the whole
* structure is freed up. Care should be taken not to call this function on a static structure
- */
+ */
krb5_error_code
krb5_ldap_free_policy(context, policy)
{
krb5_error_code st=0;
-
+
if (policy == NULL)
return st;
-
+
if (policy->policydn)
free (policy->policydn);
}
/*
- * This function is general object listing routine. It is currently used for ticket policy
- * object listing.
+ * This function is general object listing routine. It is currently
+ * used for ticket policy object listing.
*/
krb5_error_code
krb5_error_code st=0, tempst=0;
int i=0, count=0, filterlen=0;
LDAP *ld=NULL;
- LDAPMessage *result=NULL,*ent=NULL;
+ LDAPMessage *result=NULL,*ent=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
goto cleanup;
}
}
-
+
/* set the filter for the search operation */
filterlen = strlen("(objectclass=") + strlen(objectclass) + 1 + 1;
filter = malloc ((unsigned) filterlen);
goto cleanup;
}
- for(ent=ldap_first_entry(ld, result), count=0; ent != NULL; ent=ldap_next_entry(ld, ent), ++count) {
+ for (ent=ldap_first_entry(ld, result), count=0; ent != NULL; ent=ldap_next_entry(ld, ent), ++count) {
if ((dn=ldap_get_dn(ld, ent)) == NULL)
continue;
if (((*list)[count] = strdup(dn)) == NULL) {
ldap_memfree(dn);
}
ldap_msgfree(result);
-
- cleanup:
+
+cleanup:
if (filter)
free (filter);
-
+
/* some error, free up all the memory */
if (st != 0) {
if (*list) {
free (*list);
*list = NULL;
}
- }
+ }
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
return(TRUE);
}
-bool_t
+bool_t
ldap_xdr_nullstring(XDR *xdrs, char **objp)
{
u_int size;
XDR xdrs;
osa_princ_ent_t princ_entry;
- if((princ_entry = (osa_princ_ent_t) malloc(sizeof(osa_princ_ent_rec))) == NULL)
+ if ((princ_entry = (osa_princ_ent_t) malloc(sizeof(osa_princ_ent_rec))) == NULL)
return ENOMEM;
memset(princ_entry, 0, sizeof(osa_princ_ent_rec));
princ_entry->policy = policy_dn;
xdralloc_create(&xdrs, XDR_ENCODE);
- if(! ldap_xdr_osa_princ_ent_rec(&xdrs, princ_entry)) {
+ if (! ldap_xdr_osa_princ_ent_rec(&xdrs, princ_entry)) {
xdr_destroy(&xdrs);
return(KADM5_XDR_FAILURE);
}
new_tl_data->tl_data_type = KRB5_TL_KADM_DATA;
new_tl_data->tl_data_length = xdr_getpos(&xdrs);
new_tl_data->tl_data_contents = (krb5_octet *)xdralloc_getdata(&xdrs);
-
+
/*
xdr_destroy(&xdrs);
ldap_osa_free_princ_ent(princ_entry);