From: Ken Raeburn Date: Mon, 22 Sep 2008 18:17:38 +0000 (+0000) Subject: Merge three patches from Novell, with some updates related to work in X-Git-Tag: krb5-1.7-alpha1~427 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=b0949adbc1a11eeb7123062861b236b950acaf46;p=krb5.git Merge three patches from Novell, with some updates related to work in our tree since they were submitted, and reindenting for one source file that got particularly ugly in the process. From Savitha R on 2008-02-18 (yes, it was sitting in my queue a while): Attached patches have fixes for some issues in LDAP backend. 1. patch-mem-pwd.txt This patch clears the password in memory, fixes some memory leaks (in common code) and a segfault in eDirectory specific code. 2. patch-princ-attrs.txt This patch removes some eDirectory specific attributes from the common code 3. patch-edir-rights.txt This patch is specific to eDirectory code and fixes some rights issue. It adds and deletes rights to service objects as required on the kerberos attributes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20744 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c index 288a5a0c6..83eb16286 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c @@ -139,6 +139,14 @@ static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_ #define ADMIN_LIFETIME 60*60*3 /* 3 hours */ #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */ +#ifdef HAVE_EDIRECTORY +#define FREE_DN_LIST(dnlist) if (dnlist != NULL) { \ + for (idx=0; dnlist[idx] != NULL; idx++) \ + free(dnlist[idx]); \ + free(dnlist); \ + } +#endif + static int get_ticket_policy(rparams,i,argv,argc) krb5_ldap_realm_params *rparams; int *i; @@ -346,7 +354,7 @@ void kdb5_ldap_create(argc, argv) if (++i > argc-1) goto err_usage; - if(strncmp(argv[i], "", strlen(argv[i]))!=0) { + if (strncmp(argv[i], "", strlen(argv[i]))!=0) { list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *)); if (list == NULL) { retval = ENOMEM; @@ -359,27 +367,27 @@ void kdb5_ldap_create(argc, argv) } rparams->subtreecount=0; - while(list[rparams->subtreecount]!=NULL) + while (list[rparams->subtreecount]!=NULL) (rparams->subtreecount)++; rparams->subtree = list; - } else if(strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow subtree value to be set at the root(NULL, "") of the tree */ - com_err(progname, EINVAL, - "for subtree while creating realm '%s'", - global_params.realm); - goto err_nomsg; + } else if (strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow subtree value to be set at the root(NULL, "") of the tree */ + com_err(progname, EINVAL, + "for subtree while creating realm '%s'", + global_params.realm); + goto err_nomsg; } rparams->subtree[rparams->subtreecount] = NULL; mask |= LDAP_REALM_SUBTREE; } else if (!strcmp(argv[i], "-containerref")) { if (++i > argc-1) goto err_usage; - if(strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow containerref value to be set at the root(NULL, "") of the tree */ - com_err(progname, EINVAL, - "for container reference while creating realm '%s'", - global_params.realm); - goto err_nomsg; + if (strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow containerref value to be set at the root(NULL, "") of the tree */ + com_err(progname, EINVAL, + "for container reference while creating realm '%s'", + global_params.realm); + goto err_nomsg; } rparams->containerref = strdup(argv[i]); if (rparams->containerref == NULL) { @@ -796,7 +804,7 @@ void kdb5_ldap_create(argc, argv) for (i=0; (rparams->kdcservers[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, LDAP_KDC_SERVICE, rparams->kdcservers[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); @@ -812,7 +820,7 @@ void kdb5_ldap_create(argc, argv) for (i=0; (rparams->adminservers[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, LDAP_ADMIN_SERVICE, rparams->adminservers[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); @@ -828,7 +836,7 @@ void kdb5_ldap_create(argc, argv) for (i=0; (rparams->passwdservers[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, LDAP_PASSWD_SERVICE, rparams->passwdservers[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); @@ -917,7 +925,7 @@ void kdb5_ldap_modify(argc, argv) int mask = 0, rmask = 0, ret_mask = 0; char **slist = {NULL}; #ifdef HAVE_EDIRECTORY - int j = 0; + int j = 0, idx = 0; char *list[MAX_LIST_ENTRIES]; int existing_entries = 0, list_entries = 0; int newkdcdn = 0, newadmindn = 0, newpwddn = 0; @@ -929,7 +937,8 @@ void kdb5_ldap_modify(argc, argv) char **newsubtrees = NULL; char **newadmindns = NULL; char **newpwddns = NULL; - char **oldsubtrees = {NULL}; + char **oldsubtrees = NULL; + char *oldcontainerref = NULL; int rightsmask = 0; int subtree_changed = 0; #endif @@ -966,15 +975,15 @@ void kdb5_ldap_modify(argc, argv) retval = ENOMEM; goto cleanup; } - for(k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) { + for (k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) { oldsubtrees[k] = strdup(rparams->subtree[k]); - if( oldsubtrees[k] == NULL ) { + if (oldsubtrees[k] == NULL) { retval = ENOMEM; goto cleanup; } } #endif - for(k=0; ksubtreecount && rparams->subtree[k]; k++) + for (k=0; ksubtreecount && rparams->subtree[k]; k++) free(rparams->subtree[k]); rparams->subtreecount=0; } @@ -985,35 +994,40 @@ void kdb5_ldap_modify(argc, argv) retval = ENOMEM; goto cleanup; } - if (( retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) { + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) { free(slist); slist = NULL; goto cleanup; } rparams->subtreecount=0; - while(slist[rparams->subtreecount]!=NULL) + while (slist[rparams->subtreecount]!=NULL) (rparams->subtreecount)++; rparams->subtree = slist; - } else if(strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow subtree value to be set at the root(NULL, "") of the tree */ - com_err(progname, EINVAL, - "for subtree while modifying realm '%s'", - global_params.realm); - goto err_nomsg; + } else if (strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow subtree value to be set at the root(NULL, "") of the tree */ + com_err(progname, EINVAL, + "for subtree while modifying realm '%s'", + global_params.realm); + goto err_nomsg; } rparams->subtree[rparams->subtreecount] = NULL; mask |= LDAP_REALM_SUBTREE; } else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) { if (++i > argc-1) goto err_usage; - if(strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow containerref value to be set at the root(NULL, "") of the tree */ - com_err(progname, EINVAL, - "for container reference while modifying realm '%s'", - global_params.realm); - goto err_nomsg; + if (strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow containerref value to be set at the root(NULL, "") of the tree */ + com_err(progname, EINVAL, + "for container reference while modifying realm '%s'", + global_params.realm); + goto err_nomsg; } +#ifdef HAVE_EDIRECTORY + if (rparams->containerref != NULL) { + oldcontainerref = rparams->containerref; + } +#endif rparams->containerref = strdup(argv[i]); if (rparams->containerref == NULL) { retval = ENOMEM; @@ -1431,299 +1445,417 @@ void kdb5_ldap_modify(argc, argv) } #ifdef HAVE_EDIRECTORY - if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS) || + if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF) || (mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) { printf("Changing rights for the service object. Please wait ... "); fflush(stdout); - if (!(mask & LDAP_REALM_SUBTREE)) { - if (rparams->subtree != NULL) { - for(i=0; rparams->subtree[i]!=NULL;i++) { - oldsubtrees[i] = strdup(rparams->subtree[i]); - if( oldsubtrees[i] == NULL ) { - retval = ENOMEM; - goto cleanup; - } - } - } + if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF)) { + subtree_changed = 1; } - if ((mask & LDAP_REALM_SUBTREE)) { - int check_subtree = 1; - - newsubtrees = (char**) calloc(rparams->subtreecount, sizeof(char*)); - - if (newsubtrees == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ( (rparams != NULL) && (rparams->subtree != NULL) ) { - for (j=0; jsubtreecount && rparams->subtree[j]!= NULL; j++) { - newsubtrees[j] = strdup(rparams->subtree[j]); - if (newsubtrees[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - newsubtrees[j] = NULL; - } - for(j=0;oldsubtrees[j]!=NULL;j++) { - check_subtree = 1; - for(i=0; ( (oldsubtrees[j] && !rparams->subtree[i]) || - (!oldsubtrees[j] && rparams->subtree[i])); i++) { - if(strcasecmp( oldsubtrees[j], rparams->subtree[i]) == 0) { - check_subtree = 0; - continue; + if ((subtree_changed) || (mask & LDAP_REALM_KDCSERVERS)) { + + if (!(mask & LDAP_REALM_KDCSERVERS)) { + if (rparams->kdcservers != NULL) { + char **kdcdns = rparams->kdcservers; + /* Only subtree and/or container ref has changed */ + rightsmask =0; + /* KDCSERVERS have not changed. Realm rights need not be changed */; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) { + /* Remove the rights on the old subtrees */ + for (i=0; (kdcdns[i] != NULL); i++) { + if ((retval=krb5_ldap_delete_service_rights(util_context, + LDAP_KDC_SERVICE, kdcdns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } + } } - } - if (check_subtree != 0) { - subtree_changed=1; - break; - } - } - /* this will return list of the disjoint members */ - disjoint_members( oldsubtrees, newsubtrees); - } - - if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS)) { - - newkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (newkdcdns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((rparams != NULL) && (rparams->kdcservers != NULL)) { - for (j=0; rparams->kdcservers[j]!= NULL; j++) { - newkdcdns[j] = strdup(rparams->kdcservers[j]); - if (newkdcdns[j] == NULL) { - retval = ENOMEM; - goto cleanup; + for (i=0; (kdcdns[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_KDC_SERVICE, kdcdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } } } - newkdcdns[j] = NULL; } - if (!subtree_changed) { - disjoint_members(oldkdcdns, newkdcdns); - } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */ - if (!(mask & LDAP_REALM_KDCSERVERS)) { - - oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldkdcdns == NULL) { + if (!subtree_changed) { + char **newdns = NULL; + /* Only kdc servers have changed */ + rightsmask =0; + rightsmask = LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if (oldkdcdns != NULL) { + newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (newdns == NULL) { retval = ENOMEM; goto cleanup; } if ((rparams != NULL) && (rparams->kdcservers != NULL)) { for (j=0; rparams->kdcservers[j]!= NULL; j++) { - oldkdcdns[j] = strdup(rparams->kdcservers[j]); - if (oldkdcdns[j] == NULL) { + newdns[j] = strdup(rparams->kdcservers[j]); + if (newdns[j] == NULL) { + FREE_DN_LIST(newdns); retval = ENOMEM; goto cleanup; } } - oldkdcdns[j] = NULL; + newdns[j] = NULL; } - } - } - rightsmask =0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - /* Remove the rights on the old subtrees */ - if (oldkdcdns) { - for (i=0; (oldkdcdns[i] != NULL); i++) { - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_KDC_SERVICE, oldkdcdns[i], - rparams->realm_name, oldsubtrees, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; + disjoint_members(oldkdcdns, newdns); + + for (i=0; (oldkdcdns[i] != NULL); i++) { + if ((retval=krb5_ldap_delete_service_rights(util_context, + LDAP_KDC_SERVICE, oldkdcdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + FREE_DN_LIST(newdns); + goto err_nomsg; + } + } + for (i=0; (newdns[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_KDC_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + FREE_DN_LIST(newdns); + goto err_nomsg; + } + } + for (i=0; (newdns[i] != NULL); i++) { + free(newdns[i]); + } + free(newdns); + } else { + newdns = rparams->kdcservers; + for (i=0; (newdns[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_KDC_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } } } - } - - rightsmask =0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if (newkdcdns) { - for (i=0; (newkdcdns[i] != NULL); i++) { - - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, newkdcdns[i], rparams->realm_name, - rparams->subtree, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; + } + + if (subtree_changed && (mask & LDAP_REALM_KDCSERVERS)) { + char **newdns = rparams->kdcservers; + + rightsmask =0; + rightsmask = LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if (oldkdcdns != NULL) { + for (i=0; (oldkdcdns[i] != NULL); i++) { + if ((retval=krb5_ldap_delete_service_rights(util_context, + LDAP_KDC_SERVICE, oldkdcdns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } } } - } - } - - if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_ADMINSERVERS)) { - - newadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (newadmindns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((rparams != NULL) && (rparams->adminservers != NULL)) { - for (j=0; rparams->adminservers[j]!= NULL; j++) { - newadmindns[j] = strdup(rparams->adminservers[j]); - if (newadmindns[j] == NULL) { - retval = ENOMEM; - goto cleanup; + for (i=0; (newdns[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_KDC_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } + } + + if (subtree_changed || (mask & LDAP_REALM_ADMINSERVERS)) { + + if (!(mask & LDAP_REALM_ADMINSERVERS)) { + if (rparams->adminservers != NULL) { + char **admindns = rparams->adminservers; + /* Only subtree and/or container ref has changed */ + rightsmask =0; + /* KADMINSERVERS have not changed. Realm rights need not be changed */; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) { + /* Remove the rights on the old subtrees */ + for (i=0; (admindns[i] != NULL); i++) { + if ((retval=krb5_ldap_delete_service_rights(util_context, + LDAP_ADMIN_SERVICE, admindns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } + for (i=0; (admindns[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_ADMIN_SERVICE, admindns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } } } - newadmindns[j] = NULL; } - if (!subtree_changed) { - disjoint_members(oldadmindns, newadmindns); - } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */ - if (!(mask & LDAP_REALM_ADMINSERVERS)) { - - oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldadmindns == NULL) { + if (!subtree_changed) { + char **newdns = NULL; + /* Only admin servers have changed */ + rightsmask =0; + rightsmask = LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if (oldadmindns != NULL) { + newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (newdns == NULL) { retval = ENOMEM; goto cleanup; } if ((rparams != NULL) && (rparams->adminservers != NULL)) { for (j=0; rparams->adminservers[j]!= NULL; j++) { - oldadmindns[j] = strdup(rparams->adminservers[j]); - if (oldadmindns[j] == NULL) { + newdns[j] = strdup(rparams->adminservers[j]); + if (newdns[j] == NULL) { + FREE_DN_LIST(newdns); retval = ENOMEM; goto cleanup; } } - oldadmindns[j] = NULL; + newdns[j] = NULL; } - } - } - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - /* Remove the rights on the old subtrees */ - if (oldadmindns) { - for (i=0; (oldadmindns[i] != NULL); i++) { - - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_ADMIN_SERVICE, oldadmindns[i], - rparams->realm_name, oldsubtrees, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; + disjoint_members(oldadmindns, newdns); + + for (i=0; (oldadmindns[i] != NULL); i++) { + if ((retval=krb5_ldap_delete_service_rights(util_context, + LDAP_ADMIN_SERVICE, oldadmindns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + FREE_DN_LIST(newdns); + goto err_nomsg; + } + } + for (i=0; (newdns[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_ADMIN_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + FREE_DN_LIST(newdns); + goto err_nomsg; + } + } + for (i=0; (newdns[i] != NULL); i++) { + free(newdns[i]); + } + free(newdns); + } else { + newdns = rparams->adminservers; + for (i=0; (newdns[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_ADMIN_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } } } - } - - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - /* Add rights on the new subtree for all the kdc dns */ - if (newadmindns) { - for (i=0; (newadmindns[i] != NULL); i++) { - - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, newadmindns[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; + } + + if (subtree_changed && (mask & LDAP_REALM_ADMINSERVERS)) { + char **newdns = rparams->adminservers; + + rightsmask = 0; + rightsmask = LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if (oldadmindns != NULL) { + for (i=0; (oldadmindns[i] != NULL); i++) { + if ((retval=krb5_ldap_delete_service_rights(util_context, + LDAP_ADMIN_SERVICE, oldadmindns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } } } - } - } - - - if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_PASSWDSERVERS)) { - - newpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (newpwddns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((rparams != NULL) && (rparams->passwdservers != NULL)) { - for (j=0; rparams->passwdservers[j]!= NULL; j++) { - newpwddns[j] = strdup(rparams->passwdservers[j]); - if (newpwddns[j] == NULL) { - retval = ENOMEM; - goto cleanup; + for (i=0; (newdns[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_ADMIN_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } + } + + if (subtree_changed || (mask & LDAP_REALM_PASSWDSERVERS)) { + + if (!(mask & LDAP_REALM_PASSWDSERVERS)) { + if (rparams->passwdservers != NULL) { + char **passwddns = rparams->passwdservers; + /* Only subtree and/or container ref has changed */ + rightsmask = 0; + /* KPASSWDSERVERS have not changed. Realm rights need not be changed */; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) { + /* Remove the rights on the old subtrees */ + for (i=0; (passwddns[i] != NULL); i++) { + if ((retval=krb5_ldap_delete_service_rights(util_context, + LDAP_PASSWD_SERVICE, passwddns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } + for (i=0; (passwddns[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_PASSWD_SERVICE, passwddns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } } } - newpwddns[j] = NULL; } - if (!subtree_changed) { - disjoint_members(oldpwddns, newpwddns); - } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */ - if (!(mask & LDAP_REALM_ADMINSERVERS)) { - - oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldpwddns == NULL) { + if (!subtree_changed) { + char **newdns = NULL; + /* Only passwd servers have changed */ + rightsmask =0; + rightsmask = LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if (oldpwddns != NULL) { + newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (newdns == NULL) { retval = ENOMEM; goto cleanup; } if ((rparams != NULL) && (rparams->passwdservers != NULL)) { for (j=0; rparams->passwdservers[j]!= NULL; j++) { - oldpwddns[j] = strdup(rparams->passwdservers[j]); - if (oldpwddns[j] == NULL) { + newdns[j] = strdup(rparams->passwdservers[j]); + if (newdns[j] == NULL) { + FREE_DN_LIST(newdns); retval = ENOMEM; goto cleanup; } } - oldpwddns[j] = NULL; + newdns[j] = NULL; } - } - } - rightsmask =0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - /* Remove the rights on the old subtrees */ - if (oldpwddns) { - for (i=0; (oldpwddns[i] != NULL); i++) { - if ((retval = krb5_ldap_delete_service_rights(util_context, - LDAP_PASSWD_SERVICE, oldpwddns[i], - rparams->realm_name, oldsubtrees, rightsmask))) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; + disjoint_members(oldpwddns, newdns); + + for (i=0; (oldpwddns[i] != NULL); i++) { + if ((retval=krb5_ldap_delete_service_rights(util_context, + LDAP_PASSWD_SERVICE, oldpwddns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + FREE_DN_LIST(newdns); + goto err_nomsg; + } + } + for (i=0; (newdns[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_PASSWD_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + FREE_DN_LIST(newdns); + goto err_nomsg; + } + } + for (i=0; (newdns[i] != NULL); i++) { + free(newdns[i]); + } + free(newdns); + } else { + newdns = rparams->passwdservers; + for (i=0; (newdns[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_PASSWD_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } } } - } - - rightsmask =0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - /* Add rights on the new subtree for all the kdc dns */ - if (newpwddns) { - for (i=0; (newpwddns[i] != NULL); i++) { + } + + if (subtree_changed && (mask & LDAP_REALM_PASSWDSERVERS)) { + char **newdns = rparams->passwdservers; + + rightsmask =0; + rightsmask = LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if (oldpwddns != NULL) { + for (i=0; (oldpwddns[i] != NULL); i++) { + if ((retval = krb5_ldap_delete_service_rights(util_context, + LDAP_PASSWD_SERVICE, oldpwddns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } + for (i=0; (newdns[i] != NULL); i++) { if ((retval = krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, newpwddns[i], - rparams->realm_name, rparams->subtree, rightsmask))) { + LDAP_PASSWD_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", + com_err(progname, retval, "while assigning rights '%s'", rparams->realm_name); goto err_nomsg; } } } } - printf("done\n"); } #endif @@ -1936,6 +2068,7 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) if (num_entry_printed == 0) printf("\n"); } + if (mask & LDAP_REALM_MAXTICKETLIFE) { printf("%25s:", "Maximum Ticket Life"); printf(" %s \n", strdur(rparams->max_life)); @@ -2198,9 +2331,9 @@ kdb_ldap_tgt_keysalt_iterate(ksent, ptr) /*if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {*/ if ((entry->key_data = - (krb5_key_data *) realloc(entry->key_data, - (sizeof(krb5_key_data) * - (entry->n_key_data + 1)))) == NULL) + (krb5_key_data *) realloc(entry->key_data, + (sizeof(krb5_key_data) * + (entry->n_key_data + 1)))) == NULL) return (ENOMEM); memset(entry->key_data + entry->n_key_data, 0, sizeof(krb5_key_data)); @@ -2296,7 +2429,7 @@ kdb_ldap_create_principal (context, princ, op, pblock) if ((retval = krb5_timeofday(context, &now))) goto cleanup; if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry, - now, &db_create_princ))) + now, &db_create_princ))) goto cleanup; } entry.attributes = pblock->flags; @@ -2316,7 +2449,7 @@ kdb_ldap_create_principal (context, princ, op, pblock) /* Allocate memory for storing the key */ if ((entry.key_data = (krb5_key_data *) malloc( - sizeof(krb5_key_data))) == NULL) { + sizeof(krb5_key_data))) == NULL) { retval = ENOMEM; goto cleanup; } @@ -2330,9 +2463,9 @@ kdb_ldap_create_principal (context, princ, op, pblock) } kvno = 1; /* New key is getting set */ retval = krb5_dbekd_encrypt_key_data(context, - &ldap_context->lrparams->mkey, - &key, NULL, kvno, - &entry.key_data[entry.n_key_data - 1]); + &ldap_context->lrparams->mkey, + &key, NULL, kvno, + &entry.key_data[entry.n_key_data - 1]); krb5_free_keyblock_contents(context, &key); if (retval) { goto cleanup; @@ -2358,7 +2491,7 @@ kdb_ldap_create_principal (context, princ, op, pblock) case MASTER_KEY: /* Allocate memory for storing the key */ if ((entry.key_data = (krb5_key_data *) malloc( - sizeof(krb5_key_data))) == NULL) { + sizeof(krb5_key_data))) == NULL) { retval = ENOMEM; goto cleanup; } @@ -2367,9 +2500,9 @@ kdb_ldap_create_principal (context, princ, op, pblock) entry.n_key_data++; kvno = 1; /* New key is getting set */ retval = krb5_dbekd_encrypt_key_data(context, pblock->key, - &ldap_context->lrparams->mkey, - NULL, kvno, - &entry.key_data[entry.n_key_data - 1]); + &ldap_context->lrparams->mkey, + NULL, kvno, + &entry.key_data[entry.n_key_data - 1]); if (retval) { goto cleanup; } @@ -2481,7 +2614,7 @@ kdb5_ldap_destroy(argc, argv) for (i=0; (rparams->kdcservers[i] != NULL); i++) { if ((retval = krb5_ldap_delete_service_rights(util_context, LDAP_KDC_SERVICE, rparams->kdcservers[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); @@ -2496,7 +2629,7 @@ kdb5_ldap_destroy(argc, argv) for (i=0; (rparams->adminservers[i] != NULL); i++) { if ((retval = krb5_ldap_delete_service_rights(util_context, LDAP_ADMIN_SERVICE, rparams->adminservers[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); @@ -2511,7 +2644,7 @@ kdb5_ldap_destroy(argc, argv) for (i=0; (rparams->passwdservers[i] != NULL); i++) { if ((retval = krb5_ldap_delete_service_rights(util_context, LDAP_PASSWD_SERVICE, rparams->passwdservers[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c index 34b3dc8d0..126013120 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c @@ -435,7 +435,7 @@ void kdb5_ldap_create_service(argc, argv) if ((retval = krb5_ldap_add_service_rights(util_context, srvparams->servicetype, srvparams->servicedn, - realmName, rparams->subtree, rightsmask))) { + realmName, rparams->subtree, rparams->containerref, rightsmask))) { printf("failed\n"); com_err(me, retval, "while assigning rights '%s'", srvparams->servicedn); @@ -940,7 +940,7 @@ void kdb5_ldap_modify_service(argc, argv) if ((retval = krb5_ldap_delete_service_rights(util_context, srvparams->servicetype, srvparams->servicedn, - realmName, rparams->subtree, rightsmask))) { + realmName, rparams->subtree, rparams->containerref, rightsmask))) { printf("failed\n"); com_err(me, retval, "while assigning rights '%s'", srvparams->servicedn); @@ -991,7 +991,7 @@ void kdb5_ldap_modify_service(argc, argv) if ((retval = krb5_ldap_add_service_rights(util_context, srvparams->servicetype, srvparams->servicedn, - realmName, rparams->subtree, rightsmask))) { + realmName, rparams->subtree, rparams->containerref, rightsmask))) { printf("failed\n"); com_err(me, retval, "while assigning rights '%s'", srvparams->servicedn); @@ -1717,7 +1717,7 @@ kdb5_ldap_set_service_password(argc, argv) memset(passwd, 0, passwd_len); goto cleanup; } - /* Password = {CRYPT}: */ + /* Password = {HEX}: */ encrypted_passwd.value = (unsigned char *)malloc(strlen(service_object) + 1 + 5 + hex.length + 2); if (encrypted_passwd.value == NULL) { diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c index 1f900e67a..9ed1f2dee 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c @@ -520,7 +520,7 @@ int main(argc, argv) exit_status++; goto cleanup; } - memset(passwd, 0, sizeof(passwd)); + memset(passwd, 0, MAX_PASSWD_LEN); passwd_len = MAX_PASSWD_LEN - 1; snprintf(prompt, MAX_PASSWD_PROMPT_LEN, "Password for \"%s\"", bind_dn); @@ -536,6 +536,7 @@ int main(argc, argv) } ldap_context->bind_pwd = passwd; + passwd = NULL; } /* If ldaphost is specified, release entry filled by configuration & use this */ @@ -593,6 +594,7 @@ int main(argc, argv) } dal_handle->db_context = ldap_context; util_context->dal_handle = dal_handle; + ldap_context = NULL; db_retval = krb5_ldap_read_server_params(util_context, conf_section, KRB5_KDB_SRV_TYPE_OTHER); if (db_retval) { @@ -602,7 +604,7 @@ int main(argc, argv) } if (cmd->opendb) { - db_retval = krb5_ldap_db_init(util_context, ldap_context); + db_retval = krb5_ldap_db_init(util_context, (krb5_ldap_context *)dal_handle->db_context); if (db_retval) { com_err(progname, db_retval, "while initializing database"); exit_status++; @@ -615,10 +617,15 @@ int main(argc, argv) goto cleanup; cleanup: - if (passwd) - memset(passwd, 0, sizeof(passwd)); - if (ldap_context && ldap_context->bind_pwd) - memset(ldap_context->bind_pwd, 0, sizeof(ldap_context->bind_pwd)); + if (passwd) { + memset(passwd, 0, strlen(passwd)); + free(passwd); + } + + if (ldap_context) { + krb5_ldap_free_server_context_params(ldap_context); + free(ldap_context); + } if (util_context) { if (gp_is_static == 0) diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c index 124396f3f..02589b554 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c @@ -346,7 +346,7 @@ krb5_ldap_create (krb5_context context, char *conf_section, char **db_args) for (i=0; (rparams->kdcservers[i] != NULL); i++) { if ((status=krb5_ldap_add_service_rights(context, LDAP_KDC_SERVICE, rparams->kdcservers[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { goto cleanup; } } @@ -359,7 +359,7 @@ krb5_ldap_create (krb5_context context, char *conf_section, char **db_args) for (i=0; (rparams->adminservers[i] != NULL); i++) { if ((status=krb5_ldap_add_service_rights(context, LDAP_ADMIN_SERVICE, rparams->adminservers[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { goto cleanup; } } @@ -372,7 +372,7 @@ krb5_ldap_create (krb5_context context, char *conf_section, char **db_args) for (i=0; (rparams->passwdservers[i] != NULL); i++) { if ((status=krb5_ldap_add_service_rights(context, LDAP_PASSWD_SERVICE, rparams->passwdservers[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { goto cleanup; } } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index 818b2e55c..b864f4b6d 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c @@ -318,7 +318,7 @@ cleanup: */ krb5_error_code -krb5_ldap_free_server_params(ldap_context) +krb5_ldap_free_server_context_params(ldap_context) krb5_ldap_context *ldap_context; { int i=0; @@ -366,6 +366,7 @@ krb5_ldap_free_server_params(ldap_context) } if (ldap_context->bind_pwd != NULL) { + memset(ldap_context->bind_pwd, 0, strlen(ldap_context->bind_pwd)); krb5_xfree(ldap_context->bind_pwd); ldap_context->bind_pwd = NULL; } @@ -402,13 +403,23 @@ krb5_ldap_free_server_params(ldap_context) krb5_xfree(ldap_context->certificates); } - k5_mutex_destroy(&ldap_context->hndl_lock); + return(0); +} +krb5_error_code +krb5_ldap_free_server_params(ldap_context) + krb5_ldap_context *ldap_context; +{ + if (ldap_context == NULL) + return 0; + + krb5_ldap_free_server_context_params(ldap_context); + + k5_mutex_destroy(&ldap_context->hndl_lock); krb5_xfree(ldap_context); return(0); } - /* * check to see if the principal belongs to the default realm. * The default realm is present in the krb5_ldap_context structure. diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c index c25804b64..ef6786c68 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c @@ -57,9 +57,6 @@ char *principal_attributes[] = { "krbprincipalname", "loginexpirationtime", "logindisabled", #endif - "loginexpirationtime", - "logindisabled", - "modifytimestamp", "krbLastPwdChange", "krbExtraData", "krbObjectReferences", diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c index b32ba9186..aed6de8c4 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c @@ -38,48 +38,35 @@ static char *kdcrights_subtree[][2] = { {"1#subtree#","#[Entry Rights]"}, - {"2#subtree#","#CN"}, - {"6#subtree#","#ObjectClass"}, + {"2#subtree#","#ObjectClass"}, {"2#subtree#","#krbTicketPolicyReference"}, {"2#subtree#","#krbUPEnabled"}, {"2#subtree#","#krbHostServer"}, - {"2#subtree#","#krbServiceFlags"}, {"2#subtree#","#krbRealmReferences"}, {"2#subtree#","#krbTicketFlags"}, {"2#subtree#","#krbMaxTicketLife"}, {"2#subtree#","#krbMaxRenewableAge"}, {"2#subtree#","#krbPrincipalName"}, - {"6#subtree#","#krbPrincipalKey"}, + {"2#subtree#","#krbPrincipalKey"}, {"2#subtree#","#krbPrincipalExpiration"}, {"2#subtree#","#krbPwdPolicyReference"}, {"2#subtree#","#krbMaxPwdLife"}, - {"6#subtree#","#ModifiersName"}, - {"2#subtree#","#PasswordExpirationTime"}, - {"2#subtree#","#PasswordExpirationInterval"}, - {"2#subtree#","#PasswordMinimumLength"}, - {"2#subtree#","#PasswordAllowChange"}, - {"2#subtree#","#LoginDisabled"}, - {"6#subtree#","#LastLoginTime"}, - {"2#subtree#","#LoginExpirationTime"}, - {"6#subtree#","#LoginIntruderAttempts"}, - {"2#subtree#","#IntruderAttemptResetInterval"}, - {"2#subtree#","#LoginIntruderLimit"}, - {"6#subtree#","#LoginIntruderResetTime"}, - {"2#subtree#","#DetectIntruder"}, - {"2#subtree#","#LockoutAfterDetection"}, - {"6#subtree#","#LockedByIntruder"}, - {"2#subtree#","#krbPrincipalReferences"}, + {"2#subtree#","#krbObjectReferences"}, + {"2#subtree#","#krbLastPwdChange"}, + {"6#subtree#","#krbExtraData"}, + {"2#subtree#","#krbPasswordExpiration"}, + {"6#subtree#","#krbLastFailedAuth"}, + {"6#subtree#","#krbLoginFailedCount"}, + {"6#subtree#","#krbLastSuccessfulAuth"}, { "", "" } }; static char *adminrights_subtree[][2]={ {"15#subtree#","#[Entry Rights]"}, - {"6#subtree#","#CN"}, {"6#subtree#","#ObjectClass"}, {"6#subtree#","#krbTicketPolicyReference"}, {"6#subtree#","#krbUPEnabled"}, {"2#subtree#","#krbHostServer"}, - {"2#subtree#","#krbServiceFlags"}, {"2#subtree#","#krbRealmReferences"}, {"6#subtree#","#krbTicketFlags"}, {"6#subtree#","#krbMaxTicketLife"}, @@ -87,41 +74,28 @@ static char *adminrights_subtree[][2]={ {"6#subtree#","#krbPrincipalName"}, {"6#subtree#","#krbPrincipalKey"}, {"6#subtree#","#krbPrincipalExpiration"}, - {"6#subtree#","#ModifiersName"}, - {"6#subtree#","#PasswordExpirationTime"}, - {"2#subtree#","#PasswordExpirationInterval"}, - {"6#subtree#","#PasswordMinimumLength"}, - {"6#subtree#","#PasswordAllowChange"}, - {"6#subtree#","#LoginDisabled"}, - {"2#subtree#","#LastLoginTime"}, - {"2#subtree#","#LoginExpirationTime"}, - {"2#subtree#","#LoginIntruderAttempts"}, - {"6#subtree#","#IntruderAttemptResetInterval"}, - {"6#subtree#","#LoginIntruderLimit"}, - {"6#subtree#","#LoginIntruderResetTime"}, - {"6#subtree#","#DetectIntruder"}, - {"6#subtree#","#LockoutAfterDetection"}, - {"2#subtree#","#LockedByIntruder"}, - {"2#subtree#","#krbPrincipalReferences"}, - {"6#subtree#","#Surname"}, - {"4#subtree#","#passwordManagement"}, {"6#subtree#","#krbPwdHistoryLength"}, {"6#subtree#","#krbMinPwdLife"}, {"6#subtree#","#krbMaxPwdLife"}, {"6#subtree#","#krbPwdMinDiffChars"}, {"6#subtree#","#krbPwdMinLength"}, {"6#subtree#","#krbPwdPolicyReference"}, + {"6#subtree#","#krbLastPwdChange"}, + {"6#subtree#","#krbObjectReferences"}, + {"6#subtree#","#krbExtraData"}, + {"6#subtree#","#krbPasswordExpiration"}, + {"2#subtree#","#krbLastFailedAuth"}, + {"2#subtree#","#krbLoginFailedCount"}, + {"2#subtree#","#krbLastSuccessfulAuth"}, { "","" } }; static char *pwdrights_subtree[][2] = { {"1#subtree#","#[Entry Rights]"}, - {"2#subtree#","#CN"}, {"2#subtree#","#ObjectClass"}, {"2#subtree#","#krbTicketPolicyReference"}, {"2#subtree#","#krbUPEnabled"}, {"2#subtree#","#krbHostServer"}, - {"2#subtree#","#krbServiceFlags"}, {"2#subtree#","#krbRealmReferences"}, {"6#subtree#","#krbTicketFlags"}, {"2#subtree#","#krbMaxTicketLife"}, @@ -129,21 +103,26 @@ static char *pwdrights_subtree[][2] = { {"2#subtree#","#krbPrincipalName"}, {"6#subtree#","#krbPrincipalKey"}, {"2#subtree#","#krbPrincipalExpiration"}, - {"4#subtree#","#passwordManagement"}, - {"6#subtree#","#ModifiersName"}, {"2#subtree#","#krbPwdHistoryLength"}, {"2#subtree#","#krbMinPwdLife"}, {"2#subtree#","#krbMaxPwdLife"}, {"2#subtree#","#krbPwdMinDiffChars"}, {"2#subtree#","#krbPwdMinLength"}, {"2#subtree#","#krbPwdPolicyReference"}, + {"6#subtree#","#krbLastPwdChange"}, + {"2#subtree#","#krbObjectReferences"}, + {"6#subtree#","#krbExtraData"}, + {"6#subtree#","#krbPasswordExpiration"}, + {"2#subtree#","#krbLastFailedAuth"}, + {"2#subtree#","#krbLoginFailedCount"}, + {"2#subtree#","#krbLastSuccessfulAuth"}, { "", "" } }; static char *kdcrights_realmcontainer[][2]={ {"1#subtree#","#[Entry Rights]"}, {"2#subtree#","#CN"}, - {"6#subtree#","#ObjectClass"}, + {"2#subtree#","#ObjectClass"}, {"2#subtree#","#krbTicketPolicyReference"}, {"2#subtree#","#krbMKey"}, {"2#subtree#","#krbUPEnabled"}, @@ -151,33 +130,25 @@ static char *kdcrights_realmcontainer[][2]={ {"2#subtree#","#krbPrincContainerRef"}, {"2#subtree#","#krbSearchScope"}, {"2#subtree#","#krbLdapServers"}, - {"2#subtree#","#krbSupportedEncSaltTypes"}, - {"2#subtree#","#krbDefaultEncSaltTypes"}, {"2#subtree#","#krbKdcServers"}, + {"2#subtree#","#krbAdmServers"}, {"2#subtree#","#krbPwdServers"}, {"2#subtree#","#krbTicketFlags"}, {"2#subtree#","#krbMaxTicketLife"}, {"2#subtree#","#krbMaxRenewableAge"}, {"2#subtree#","#krbPrincipalName"}, - {"6#subtree#","#krbPrincipalKey"}, + {"2#subtree#","#krbPrincipalKey"}, {"2#subtree#","#krbPrincipalExpiration"}, {"2#subtree#","#krbPwdPolicyReference"}, {"2#subtree#","#krbMaxPwdLife"}, - {"6#subtree#","#ModifiersName"}, - {"2#subtree#","#PasswordExpirationTime"}, - {"2#subtree#","#PasswordExpirationInterval"}, - {"2#subtree#","#PasswordMinimumLength"}, - {"2#subtree#","#PasswordAllowChange"}, - {"2#subtree#","#LoginDisabled"}, - {"6#subtree#","#LastLoginTime"}, - {"2#subtree#","#LoginExpirationTime"}, - {"6#subtree#","#LoginIntruderAttempts"}, - {"2#subtree#","#IntruderAttemptResetInterval"}, - {"2#subtree#","#LoginIntruderLimit"}, - {"6#subtree#","#LoginIntruderResetTime"}, - {"2#subtree#","#DetectIntruder"}, - {"2#subtree#","#LockoutAfterDetection"}, - {"6#subtree#","#LockedByIntruder"}, + {"2#subtree#","#krbObjectReferences"}, + {"2#subtree#","#krbLastPwdChange"}, + {"6#subtree#","#krbExtraData"}, + {"2#subtree#","#krbPasswordExpiration"}, + {"2#subtree#","#krbDefaultEncSaltTypes"}, + {"6#subtree#","#krbLastFailedAuth"}, + {"6#subtree#","#krbLoginFailedCount"}, + {"6#subtree#","#krbLastSuccessfulAuth"}, { "", "" } }; @@ -193,9 +164,8 @@ static char *adminrights_realmcontainer[][2]={ {"2#subtree#","#krbPrincContainerRef"}, {"2#subtree#","#krbSearchScope"}, {"2#subtree#","#krbLdapServers"}, - {"2#subtree#","#krbSupportedEncSaltTypes"}, - {"2#subtree#","#krbDefaultEncSaltTypes"}, {"2#subtree#","#krbKdcServers"}, + {"2#subtree#","#krbAdmServers"}, {"2#subtree#","#krbPwdServers"}, {"6#subtree#","#krbTicketFlags"}, {"6#subtree#","#krbMaxTicketLife"}, @@ -203,28 +173,20 @@ static char *adminrights_realmcontainer[][2]={ {"6#subtree#","#krbPrincipalName"}, {"6#subtree#","#krbPrincipalKey"}, {"6#subtree#","#krbPrincipalExpiration"}, - {"6#subtree#","#ModifiersName"}, - {"6#subtree#","#PasswordExpirationTime"}, - {"2#subtree#","#PasswordExpirationInterval"}, - {"6#subtree#","#PasswordMinimumLength"}, - {"6#subtree#","#PasswordAllowChange"}, - {"6#subtree#","#LoginDisabled"}, - {"2#subtree#","#LastLoginTime"}, - {"2#subtree#","#LoginExpirationTime"}, - {"2#subtree#","#LoginIntruderAttempts"}, - {"6#subtree#","#IntruderAttemptResetInterval"}, - {"6#subtree#","#LoginIntruderLimit"}, - {"6#subtree#","#LoginIntruderResetTime"}, - {"6#subtree#","#DetectIntruder"}, - {"6#subtree#","#LockoutAfterDetection"}, - {"2#subtree#","#LockedByIntruder"}, - {"6#subtree#","#Surname"}, {"6#subtree#","#krbPwdHistoryLength"}, {"6#subtree#","#krbMinPwdLife"}, {"6#subtree#","#krbMaxPwdLife"}, {"6#subtree#","#krbPwdMinDiffChars"}, {"6#subtree#","#krbPwdMinLength"}, {"6#subtree#","#krbPwdPolicyReference"}, + {"6#subtree#","#krbLastPwdChange"}, + {"6#subtree#","#krbObjectReferences"}, + {"6#subtree#","#krbExtraData"}, + {"6#subtree#","#krbPasswordExpiration"}, + {"6#subtree#","#krbDefaultEncSaltTypes"}, + {"2#subtree#","#krbLastFailedAuth"}, + {"2#subtree#","#krbLoginFailedCount"}, + {"2#subtree#","#krbLastSuccessfulAuth"}, { "","" } }; @@ -240,9 +202,8 @@ static char *pwdrights_realmcontainer[][2]={ {"2#subtree#","#krbPrincContainerRef"}, {"2#subtree#","#krbSearchScope"}, {"2#subtree#","#krbLdapServers"}, - {"2#subtree#","#krbSupportedEncSaltTypes"}, - {"2#subtree#","#krbDefaultEncSaltTypes"}, {"2#subtree#","#krbKdcServers"}, + {"2#subtree#","#krbAdmServers"}, {"2#subtree#","#krbPwdServers"}, {"6#subtree#","#krbTicketFlags"}, {"2#subtree#","#krbMaxTicketLife"}, @@ -250,13 +211,20 @@ static char *pwdrights_realmcontainer[][2]={ {"2#subtree#","#krbPrincipalName"}, {"6#subtree#","#krbPrincipalKey"}, {"2#subtree#","#krbPrincipalExpiration"}, - {"6#subtree#","#ModifiersName"}, {"2#subtree#","#krbPwdHistoryLength"}, {"2#subtree#","#krbMinPwdLife"}, {"2#subtree#","#krbMaxPwdLife"}, {"2#subtree#","#krbPwdMinDiffChars"}, {"2#subtree#","#krbPwdMinLength"}, {"2#subtree#","#krbPwdPolicyReference"}, + {"2#subtree#","#krbLastPwdChange"}, + {"2#subtree#","#krbObjectReferences"}, + {"6#subtree#","#krbExtraData"}, + {"6#subtree#","#krbPasswordExpiration"}, + {"2#subtree#","#krbDefaultEncSaltTypes"}, + {"2#subtree#","#krbLastFailedAuth"}, + {"2#subtree#","#krbLoginFailedCount"}, + {"2#subtree#","#krbLastSuccessfulAuth"}, { "", "" } }; @@ -286,16 +254,17 @@ static char *kerberos_container[][2] = { */ krb5_error_code -krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask) +krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, contref, mask) krb5_context context; int servicetype; char *serviceobjdn; char *realmname; char **subtreeparam; + char *contref; int mask; { - int st=0,i=0; + int st=0,i=0,j=0; char *realmacls[2]={NULL}, *subtreeacls[2]={NULL}, *seccontacls[2]={NULL}, *krbcontacls[2]={NULL}; LDAP *ld; LDAPMod realmclass, subtreeclass, seccontclass, krbcontclass; @@ -315,23 +284,23 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt goto cleanup; } - subtreecount=ldap_context->lrparams->subtreecount; - subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1)); - if(subtree == NULL) { - st = ENOMEM; - goto cleanup; + if (subtreeparam != NULL) { + while(subtreeparam[subtreecount]) + subtreecount++; + } + if (contref != NULL) { + subtreecount++; } - /* If the subtree is null, set the value to root */ - if(subtreeparam == NULL) { - subtree[0] = strdup(""); - if(subtree[0] == NULL) { + if (subtreecount) { + subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1)); + if(subtree == NULL) { st = ENOMEM; goto cleanup; } - } - else { - for (i=0; subtree[i] != NULL && i