From: Tom Yu Date: Tue, 14 Nov 2006 22:47:08 +0000 (+0000) Subject: pull up r18799 from trunk X-Git-Tag: krb5-1.6-alpha1~6 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=5d1249098274979c09dccac0dee13620773369f7;p=krb5.git pull up r18799 from trunk r18799@cathode-dark-space: wfiveash | 2006-11-13 15:25:08 -0500 ticket: new subject: more Novell ldap patches from Nov 6 and Fix for wrong password policy reference count Target_Version: krb5-1.6 Tags: pullup This commit is to update the code with the following Novell patches from Nov 6, 2006: patch-ldap-kadm5-macro.diff patch-ldap-fixes.diff patch-ldap-key-seq-salt.diff patch-ldap-misc.diff And this patch from Nov 8: patch-ldap-pwd-policy.c ticket: 4735 version_fixed: 1.6 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@18802 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/asn.1/ldap_key_seq.c b/src/lib/krb5/asn.1/ldap_key_seq.c index c25d7afe6..1fe9a548f 100644 --- a/src/lib/krb5/asn.1/ldap_key_seq.c +++ b/src/lib/krb5/asn.1/ldap_key_seq.c @@ -338,8 +338,10 @@ static asn1_error_code asn1_decode_key(asn1buf *buf, krb5_key_data *key) key->key_data_type[1] = keytype; /* XXX range check?? */ checkerr; - ret = decode_tagged_octetstring (&slt, 1, &keylen, - &key->key_data_contents[1]); checkerr; + if (asn1buf_remains(&slt, 0) != 0) { /* Salt value is optional */ + ret = decode_tagged_octetstring (&slt, 1, &keylen, + &key->key_data_contents[1]); checkerr; + } safe_syncbuf (&subbuf, &slt); key->key_data_length[1] = keylen; /* XXX range check?? */ @@ -433,7 +435,7 @@ krb5_error_code asn1_decode_sequence_of_keys (krb5_data *in, /* Sequence of keys */ { - int i, ret1, buflen; + int i, buflen; asn1buf keyseq; if (t.tagnum != 4) cleanup (ASN1_MISSING_FIELD); 
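Review bot: In asn1_decode_key (ldap_key_seq.c, hunk at -338), when the optional salt is absent the new `if` skips decode_tagged_octetstring, but the context line after it still runs `key->key_data_length[1] = keylen;`. On that path the salt length is whatever keylen held before, and `key->key_data_contents[1]` is never assigned. Unless both are initialised above the hunk (the function body starts outside it), add an else arm such as `else { keylen = 0; key->key_data_contents[1] = NULL; }` so a record without a salt decodes to a zero-length, NULL salt rather than a stale length.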
@@ -447,7 +449,7 @@ krb5_error_code asn1_decode_sequence_of_keys (krb5_data *in, cleanup (ENOMEM); *out = tmp; (*out)[i - 1].key_data_kvno = kvno; - ret1 = asn1_decode_key(&keyseq, &(*out)[i - 1]); checkerr; + ret = asn1_decode_key(&keyseq, &(*out)[i - 1]); checkerr; (*n_key_data)++; if (asn1buf_remains(&keyseq, 0) == 0) break; /* Not freeing the last key structure */ diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c index 7e2c71e62..77b7e822c 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c @@ -2206,12 +2206,12 @@ kdb_ldap_create_principal (context, princ, op, pblock) STORE16_INT(curr, princtype); curr += currlen; - mask |= KDB_PRINCIPAL; - mask |= KDB_ATTRIBUTES ; - mask |= KDB_MAX_LIFE ; - mask |= KDB_MAX_RLIFE ; - mask |= KDB_PRINC_EXPIRE_TIME ; - mask |= KDB_KEY_DATA; + mask |= KADM5_PRINCIPAL; + mask |= KADM5_ATTRIBUTES ; + mask |= KADM5_MAX_LIFE ; + mask |= KADM5_MAX_RLIFE ; + mask |= KADM5_PRINC_EXPIRE_TIME ; + mask |= KADM5_KEY_DATA; entry.tl_data = tl_data; entry.n_tl_data += 1; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index d6b479aa0..efcb73ee7 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c @@ -1847,7 +1847,7 @@ remove_overlapping_subtrees(char **listin, char **listop, int *subtcount, int ss slen-=1; k-=1; break; - } else if ((lendiff < 0) && (strcasecmp((listin[j])+lendiff, listin[k])==0)) { + } else if ((lendiff < 0) && (strcasecmp((listin[j])+abs(lendiff), listin[k])==0)) { if (j != slen) { free(listin[j]); listin[j] = listin[slen]; 
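Review bot: In asn1_decode_sequence_of_keys (hunk at -447), the error from asn1_decode_key now reaches `checkerr`, but by then slot `i - 1` is already installed in `*out` and `*n_key_data` has not been incremented. If the cleanup path (outside this hunk) releases entries by counting `*n_key_data`, any key or salt buffer that asn1_decode_key allocated before failing is left behind. The slot itself comes from a realloc and is not visibly zeroed. Consider clearing it right after `*out = tmp;`, e.g. `memset(&(*out)[i - 1], 0, sizeof (krb5_key_data));`, and having the error path free that slot's contents.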
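Review bot: In remove_overlapping_subtrees (ldap_misc.c, hunk at -1847), the corrected comparison `strcasecmp((listin[j])+abs(lendiff), listin[k])` matches any trailing substring of `listin[j]`, not only one that begins at an RDN boundary. If these entries are subtree DNs, as the function name suggests, a DN whose tail merely ends in the same characters would be treated as lying under `listin[k]` and removed from the list. The branch could also require `listin[j][abs(lendiff) - 1] == ','`. How lendiff is computed is outside the hunk, so confirm it is the length difference of the two strings; `abs` also needs `<stdlib.h>`, which the hunk does not show being included.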
@@ -1963,19 +1963,19 @@ populate_krb5_db_entry (krb5_context context, &(entry->last_success), &attr_present)) != 0) goto cleanup; if (attr_present == TRUE) - mask |= KDB_LAST_SUCCESS; + mask |= KDB_LAST_SUCCESS_ATTR; /* KRBLASTFAILEDAUTH */ if ((st=krb5_ldap_get_time(ld, ent, "krbLastFailedAuth", &(entry->last_failed), &attr_present)) != 0) goto cleanup; if (attr_present == TRUE) - mask |= KDB_LAST_FAILED; + mask |= KDB_LAST_FAILED_ATTR; /* KRBLOGINFAILEDCOUNT */ if (krb5_ldap_get_value(ld, ent, "krbLoginFailedCount", &(entry->fail_auth_count)) == 0) - mask |= KDB_FAIL_AUTH_COUNT; + mask |= KDB_FAIL_AUTH_COUNT_ATTR; /* KRBMAXTICKETLIFE */ if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", &(entry->max_life)) == 0) @@ -2010,6 +2010,7 @@ populate_krb5_db_entry (krb5_context context, &attr_present)) != 0) goto cleanup; if (attr_present == TRUE) { + mask |= KDB_POL_REF_ATTR; /* Ensure that the policy is inside the realm container */ if ((st = krb5_ldap_policydn_to_name (context, policydn, &tktpolname)) != 0) goto cleanup; @@ -2036,7 +2037,7 @@ populate_krb5_db_entry (krb5_context context, /* KRBSECRETKEY */ if ((bvalues=ldap_get_values_len(ld, ent, "krbprincipalkey")) != NULL) { - mask |= KDB_SECRET_KEY; + mask |= KDB_SECRET_KEY_ATTR; if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data)) != 0) goto cleanup; } @@ -2087,7 +2088,7 @@ populate_krb5_db_entry (krb5_context context, ldap_value_free_len (ber_tl_data); if (st != 0) goto cleanup; - mask |= KDB_EXTRA_DATA; + mask |= KDB_EXTRA_DATA_ATTR; } } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c index 28507a9f7..83ba05d4a 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 
@@ -50,11 +50,9 @@ char *principal_attributes[] = { "krbprincipalname", "krbUpEnabled", "krbpwdpolicyreference", "krbpasswordexpiration", -#ifdef KRBCONF_KDC_MODIFIES_KDB "krbLastFailedAuth", "krbLoginFailedCount", "krbLastSuccessfulAuth", -#endif #ifdef HAVE_EDIRECTORY "loginexpirationtime", "logindisabled", @@ -78,6 +76,9 @@ static char *attributes_set[] = { "krbmaxrenewableage", "krbprincipalkey", "krblastpwdchange", "krbextradata", + "krbLastSuccessfulAuth", + "krbLastFailedAuth", + "krbLoginFailedCount", NULL }; void diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h index 7d3734bd4..e932e253e 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h @@ -63,29 +63,6 @@ #define KDB_SERVICE_PRINCIPAL 0x02 #define KDB_STANDALONE_PRINCIPAL_OBJECT 0x01 -/* krb5_db_entry */ -#define KDB_PRINCIPAL 0x000001 -#define KDB_PRINC_EXPIRE_TIME 0x000002 -#define KDB_PW_EXPIRATION 0x000004 -#define KDB_LAST_PWD_CHANGE 0x000008 -#define KDB_ATTRIBUTES 0x000010 -#define KDB_MAX_LIFE 0x000020 -#define KDB_MOD_TIME 0x000040 -#define KDB_MOD_NAME 0x000080 -#define KDB_KVNO 0x000100 -#define KDB_MKVNO 0x000200 -#define KDB_AUX_ATTRIBUTES 0x000400 -#define KDB_POLICY 0x000800 -#define KDB_POLICY_CLR 0x001000 -#define KDB_MAX_RLIFE 0x002000 -#define KDB_LAST_SUCCESS 0x004000 -#define KDB_LAST_FAILED 0x008000 -#define KDB_FAIL_AUTH_COUNT 0x010000 -#define KDB_KEY_DATA 0x020000 -#define KDB_TL_DATA 0x040000 -#define KDB_CPW_FUNCTION 0x080000 -#define KDB_RANDKEY_USED 0x100000 - /* these will be consumed only by krb5_ldap_delete_principal*/ /* these will be set by krb5_ldap_get_principal and fed into the tl_data */ 
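Review bot: In ldap_principal.c (hunk at -76), nothing documents that the three names appended to `attributes_set` must stay aligned with the mask bits. They are in the same order as the `KDB_LAST_SUCCESS_ATTR` (0x000800), `KDB_LAST_FAILED_ATTR` (0x001000) and `KDB_FAIL_AUTH_COUNT_ATTR` (0x002000) bits that this commit adds to ldap_principal.h. If the array is indexed by mask bit position (its use is outside the hunk), a later insertion in either place would silently shift the mapping. A comment above the array would record the dependency, for example `/* Order must match the KDB_*_ATTR bit positions in ldap_principal.h */`.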
@@ -97,9 +74,12 @@ #define KDB_UP_FLAG_ATTR 0x000020 #define KDB_PWD_POL_REF_ATTR 0x000040 #define KDB_PWD_EXPIRE_TIME_ATTR 0x000080 -#define KDB_SECRET_KEY 0x000100 +#define KDB_SECRET_KEY_ATTR 0x000100 #define KDB_LAST_PWD_CHANGE_ATTR 0x000200 -#define KDB_EXTRA_DATA 0x000400 +#define KDB_EXTRA_DATA_ATTR 0x000400 +#define KDB_LAST_SUCCESS_ATTR 0x000800 +#define KDB_LAST_FAILED_ATTR 0x001000 +#define KDB_FAIL_AUTH_COUNT_ATTR 0x002000 extern struct timeval timeout; extern char *policyclass[]; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 71200eb9e..9bfef1510 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 
@@ -243,22 +243,34 @@ process_db_args(context, db_args, xargs, optype) dptr = &xargs->tktpolicydn; } else { if (strcmp(arg, USERDN_ARG) == 0) { - if (optype == MODIFY_PRINCIPAL) { + if (optype == MODIFY_PRINCIPAL || + xargs->dn != NULL || xargs->containerdn != NULL || + xargs->linkdn != NULL) { st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg); + snprintf(errbuf, sizeof(errbuf), + "%s option not supported", arg); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } dptr = &xargs->dn; } else if (strcmp(arg, CONTAINERDN_ARG) == 0) { - if (optype == MODIFY_PRINCIPAL) { + if (optype == MODIFY_PRINCIPAL || + xargs->dn != NULL || xargs->containerdn != NULL) { st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg); + snprintf(errbuf, sizeof(errbuf), + "%s option not supported", arg); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } dptr = &xargs->containerdn; } else if (strcmp(arg, LINKDN_ARG) == 0) { + if (xargs->dn != NULL || xargs->linkdn != NULL) { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), + "%s option not supported", arg); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } dptr = &xargs->linkdn; } else { st = EINVAL; @@ -266,17 +278,12 @@ process_db_args(context, db_args, xargs, optype) krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } - + xargs->dn_from_kbd = TRUE; - if (xargs->dn != NULL || xargs->containerdn != NULL || xargs->linkdn != NULL) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } if (arg_val == NULL || strlen(arg_val) == 0) { st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "%s option value missing", arg); + snprintf(errbuf, sizeof(errbuf), + "%s option value missing", arg); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } 
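Review bot: In process_db_args (hunk at -243), the new per-option checks report a repeated or conflicting DN option with the same text as an unsupported one, `"%s option not supported"`. An administrator who passes two DN options on an add is therefore told the second option is unsupported rather than that it conflicts with an earlier one. A distinct message for the `xargs->dn != NULL || ...` cases would make the failure diagnosable, e.g. `"%s option conflicts with a DN option given earlier"`. The same error block now appears in the USERDN, CONTAINERDN and LINKDN branches and could become one small static helper. The function starts and ends outside these hunks.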
@@ -284,14 +291,17 @@ process_db_args(context, db_args, xargs, optype) if (arg_val == NULL) { st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "%s option value missing", arg); + snprintf(errbuf, sizeof(errbuf), + "%s option value missing", arg); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } arg_val_len = strlen(arg_val) + 1; if (strcmp(arg, TKTPOLICY_ARG) == 0) { - if ((st = krb5_ldap_name_to_policydn (context, arg_val, dptr)) != 0) + if ((st = krb5_ldap_name_to_policydn (context, + arg_val, + dptr)) != 0) goto cleanup; } else { *dptr = calloc (1, arg_val_len); @@ -355,6 +365,7 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) { int currkvno; int num_versions = 1; int i, j, last; + krb5_error_code err = 0; if (n_key_data <= 0) return NULL; @@ -364,7 +375,11 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) { if (key_data[i].key_data_kvno != key_data[i + 1].key_data_kvno) num_versions++; - ret = (struct berval **) malloc ((num_versions + 1) * sizeof (struct berval *)); + ret = (struct berval **) calloc (num_versions + 1, sizeof (struct berval *)); + if (ret == NULL) { + err = ENOMEM; + goto cleanup; + } for (i = 0, last = 0, j = 0, currkvno = key_data[0].key_data_kvno; i < n_key_data; i++) { krb5_data *code; if (i == n_key_data - 1 || key_data[i + 1].key_data_kvno != currkvno) { @@ -373,6 +388,10 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) { 0, /* For now, mkvno == 0*/ &code); ret[j] = malloc (sizeof (struct berval)); + if (ret[j] == NULL) { + err = ENOMEM; + goto cleanup; + } /*CHECK_NULL(ret[j]); */ ret[j]->bv_len = code->length; ret[j]->bv_val = code->data; @@ -384,6 +403,18 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) { } ret[num_versions] = NULL; +cleanup: + + if (err != 0) { + if (ret != NULL) { + for (i = 0; i <= num_versions; i++) + if (ret[i] != NULL) + free (ret[i]); + free (ret); + ret = NULL; + } + } + return ret; } 
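Review bot: In krb5_encode_krbsecretkey (hunk at -373), the new `ret[j] == NULL` branch jumps to cleanup while `code`, which the encoder call just above filled in, is still live. Nothing on that path releases `code` or `code->data`, and that buffer holds the encoded key sequence. Release it before the jump, e.g. `free (code->data); free (code);`, ideally after clearing the data. The encoder call begins outside the hunk and its return value is not visibly checked, so `code->length` may also be read after a failed encode; confirm and add a check if so.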
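Review bot: The `err` value set in krb5_encode_krbsecretkey (hunk at -384) never leaves the function: the cleanup label only turns it into a NULL return, which is also what the `n_key_data <= 0` guard returns. The caller visible in the krb5_ldap_put_principal hunk at -877 passes `bersecretkey` straight into the `LDAP_MOD_REPLACE | LDAP_MOD_BVALUES` modification without a NULL test, so an allocation failure cannot be told apart from an empty key list. What a NULL value list then does to krbprincipalkey depends on the helper that builds the modification, which is not shown. The cleanup loop also frees each `ret[i]` but not `ret[i]->bv_val`; assuming the berval owns `code->data` after the assignment, add `free (ret[i]->bv_val);` before `free (ret[i]);` so encoded key data from earlier iterations is not leaked.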
@@ -462,7 +493,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) * hack if the entries->mask has KRB_PRINCIPAL flag set * then it is a add operation */ - if (entries->mask & KDB_PRINCIPAL) + if (entries->mask & KADM5_PRINCIPAL) optype = ADD_PRINCIPAL; else optype = MODIFY_PRINCIPAL; @@ -734,7 +765,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) { char **linkdns=NULL; int j=0; - + if ((st=krb5_get_linkdn(context, entries, &linkdns)) != 0) { snprintf(errbuf, sizeof(errbuf), "Failed getting object references"); @@ -784,31 +815,31 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) goto cleanup; } - if (entries->mask & KDB_MAX_LIFE) { + if (entries->mask & KADM5_MAX_LIFE) { if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entries->max_life)) != 0) goto cleanup; } - if (entries->mask & KDB_MAX_RLIFE) { + if (entries->mask & KADM5_MAX_RLIFE) { if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, entries->max_renewable_life)) != 0) goto cleanup; } - if (entries->mask & KDB_ATTRIBUTES) { + if (entries->mask & KADM5_ATTRIBUTES) { if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, entries->attributes)) != 0) goto cleanup; } - if (entries->mask & KDB_PRINCIPAL) { + if (entries->mask & KADM5_PRINCIPAL) { memset(strval, 0, sizeof(strval)); strval[0] = user; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; } - if (entries->mask & KDB_PRINC_EXPIRE_TIME) { + if (entries->mask & KADM5_PRINC_EXPIRE_TIME) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entries->expiration)) == NULL) goto cleanup; 
@@ -819,7 +850,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) free (strval[0]); } - if (entries->mask & KDB_PW_EXPIRATION) { + if (entries->mask & KADM5_PW_EXPIRATION) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL) goto cleanup; @@ -832,7 +863,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) free (strval[0]); } - if (entries->mask & KDB_POLICY) { + if (entries->mask & KADM5_POLICY) { memset(&princ_ent, 0, sizeof(princ_ent)); for (tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) { if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) { @@ -843,7 +874,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) } } - if (princ_ent.aux_attributes & KDB_POLICY) { + if (princ_ent.aux_attributes & KADM5_POLICY) { memset(strval, 0, sizeof(strval)); if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0) goto cleanup; @@ -864,12 +895,12 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) goto cleanup; } - if (entries->mask & KDB_POLICY_CLR) { + if (entries->mask & KADM5_POLICY_CLR) { if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) goto cleanup; } - if (entries->mask & KDB_KEY_DATA || entries->mask & KDB_KVNO) { + if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) { bersecretkey = krb5_encode_krbsecretkey (entries->key_data, entries->n_key_data); @@ -877,7 +908,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) goto cleanup; - if (!(entries->mask & KDB_PRINCIPAL)) { + if (!(entries->mask & KADM5_PRINCIPAL)) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL) goto cleanup; 
@@ -930,6 +961,10 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) int j; ber_tl_data = (struct berval **) calloc (count + 1, sizeof (struct berval*)); + if (ber_tl_data == NULL) { + st = ENOMEM; + goto cleanup; + } for (j = 0, ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { /* Ignore tl_data that are stored in separate directory * attributes */ @@ -1172,7 +1207,7 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data) { char *user=NULL; int i=0, j=0, noofkeys=0; - krb5_key_data *key_data=NULL; + krb5_key_data *key_data=NULL, *tmp; krb5_error_code st=0; if ((st=krb5_unparse_name(context, entries->princ, &user)) != 0) @@ -1202,7 +1237,13 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data) goto cleanup; } noofkeys += n_kd; + tmp = key_data; key_data = realloc (key_data, noofkeys * sizeof (krb5_key_data)); + if (key_data == NULL) { + key_data = tmp; + st = ENOMEM; + goto cleanup; + } for (j = 0; j < n_kd; j++) key_data[noofkeys - n_kd + j] = kd[j]; free (kd); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c index ba77b8f23..3c229c055 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c @@ -187,6 +187,7 @@ populate_policy(krb5_context context, osa_policy_ent_t pol_entry) { int st = 0; + char *pol_dn; pol_entry->name = strdup(pol_name); CHECK_NULL(pol_entry->name); @@ -199,8 +200,10 @@ populate_policy(krb5_context context, krb5_ldap_get_value(ld, ent, "krbpwdhistorylength", &(pol_entry->pw_history_num)); /* Get the reference count */ - st = krb5_ldap_get_reference_count (context, pol_name, "krbPwdPolicyReference", + pol_dn = ldap_get_dn(ld, ent); + st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference", &(pol_entry->policy_refcnt), ld); + ldap_memfree(pol_dn); cleanup: return st; 
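Review bot: In krb5_decode_krbsecretkey (hunk at -1202), the new realloc failure branch restores `key_data` but leaves `noofkeys` already increased by `n_kd`, and it does not release `kd`, the batch just decoded from this value. If the cleanup code (outside the hunk) walks `key_data` using `noofkeys`, it reads past the old allocation; either way the decoded keys in `kd` are leaked on this path. Undo the count and free the batch before the jump, e.g. `noofkeys -= n_kd;` plus a release of the `n_kd` entries in `kd`. The size `noofkeys * sizeof (krb5_key_data)` is built from counts that appear to come from directory data and is not range-checked in the visible lines.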
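Review bot: In populate_policy (ldap_pwd_policy.c, hunk at -199), the result of `ldap_get_dn(ld, ent)` is passed to krb5_ldap_get_reference_count without a NULL test, and ldap_get_dn returns NULL on failure. Add a guard before the call, for example `if (pol_dn == NULL) { st = ENOMEM; goto cleanup; }`, or whichever error code this file uses for LDAP failures. The function body starts outside the hunk.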
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c index 7c9dbad1b..0deacd9a4 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c @@ -127,6 +127,10 @@ krb5_ldap_readpassword(context, ldap_context, password) /*ptr = strchr(start, ':'); if (ptr == NULL) { */ *password = (unsigned char *)malloc(strlen(start) + 2); + if (*password == NULL) { + st = ENOMEM; + goto rp_exit; + } (*password)[strlen(start) + 1] = '\0'; (*password)[strlen(start)] = '\0'; strcpy((char *)(*password), start); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c b/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c index 3aa520aa2..501d263b1 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c @@ -1,6 +1,7 @@ #include "kdb_ldap.h" #include "ldap_principal.h" #include "princ_xdr.h" +#include bool_t ldap_xdr_krb5_ui_2(XDR *xdrs, krb5_ui_2 *objp) @@ -211,7 +212,7 @@ krb5_update_tl_kadm_data(policy_dn, new_tl_data) memset(princ_entry, 0, sizeof(osa_princ_ent_rec)); princ_entry->admin_history_kvno = 2; - princ_entry->aux_attributes = KDB_POLICY; + princ_entry->aux_attributes = KADM5_POLICY; princ_entry->policy = policy_dn; xdralloc_create(&xdrs, XDR_ENCODE);