From: Ken Raeburn Date: Tue, 29 Aug 2006 22:54:46 +0000 (+0000) Subject: Some mechanical changes (mainly whitespace) to match up better with X-Git-Tag: krb5-1.6-alpha1~158 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=deed916f6e70e827d81813846bcf3b6404a04d58;p=krb5.git Some mechanical changes (mainly whitespace) to match up better with MIT coding style. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18551 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c index 7c3622425..b2798b9f2 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c @@ -39,25 +39,20 @@ #include static krb5_error_code -krb5_ldap_get_db_opt( char *input, char **opt, char **val ) +krb5_ldap_get_db_opt(char *input, char **opt, char **val) { char *pos = strchr(input, '='); *val = NULL; - if (pos == NULL) - { + if (pos == NULL) { *opt = strdup(input); - if (*opt == NULL) - { + if (*opt == NULL) { return ENOMEM; } - } - else - { + } else { int len = pos - input; *opt = malloc((unsigned) len + 1); - if (!*opt) - { + if (!*opt) { return ENOMEM; } memcpy(*opt, input, (unsigned) len); @@ -65,14 +60,13 @@ krb5_ldap_get_db_opt( char *input, char **opt, char **val ) while (isblank((*opt)[len-1])) --len; (*opt)[len] = '\0'; - + pos += 1; /* move past '=' */ while (isblank(*pos)) /* ignore leading blanks */ pos += 1; if (*pos != '\0') { *val = strdup (pos); - if (!*val) - { + if (!*val) { free (*opt); return ENOMEM; } @@ -106,19 +100,19 @@ krb5_ldap_read_startup_information(krb5_context context) kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; int mask=0; - + SETUP_CONTEXT(); if ((retval=krb5_ldap_read_krbcontainer_params(context, &(ldap_context->krbcontainer)))) { - prepend_err_str (context, "Unable to read Kerberos container", retval, retval); + prepend_err_str (context, "Unable to read Kerberos container", retval, retval); goto cleanup; } if ((retval=krb5_ldap_read_realm_params(context, context->default_realm, &(ldap_context->lrparams), &mask))) { - prepend_err_str (context, "Unable to read Realm", retval, retval); + prepend_err_str (context, "Unable to read Realm", retval, retval); goto cleanup; } - - cleanup: + +cleanup: return retval; } @@ -132,10 +126,10 @@ krb5_ldap_read_startup_information(krb5_context context) #define ERR_MSG1 "Unable to check if SASL EXTERNAL mechanism is supported by LDAP server. Proceeding anyway ..." #define ERR_MSG2 "SASL EXTERNAL mechanism not supported by LDAP server. Can't perform certificate-based bind." -int +int has_sasl_external_mech(context, ldap_server) - krb5_context context; - char *ldap_server; + krb5_context context; + char *ldap_server; { int i=0, flag=0, ret=0, retval=0; char *attrs[]={"supportedSASLMechanisms", NULL}, **values=NULL; @@ -143,7 +137,7 @@ has_sasl_external_mech(context, ldap_server) LDAPMessage *msg=NULL, *res=NULL; ld = ldap_open(ldap_server, 389); /* Should the port number be configurable ? */ - if(ld == NULL){ + if (ld == NULL) { krb5_set_error_message(context, 2, "%s", ERR_MSG1); ret = 2; /* Don't know */ goto cleanup; @@ -151,40 +145,40 @@ has_sasl_external_mech(context, ldap_server) /* Anonymous bind */ retval = ldap_simple_bind_s(ld, NULL, NULL); - if(retval != LDAP_SUCCESS){ + if (retval != LDAP_SUCCESS) { krb5_set_error_message(context, 2, "%s", ERR_MSG1); ret = 2; /* Don't know */ goto cleanup; } retval = ldap_search_s(ld, "", LDAP_SCOPE_BASE, NULL, attrs, 0, &res); - if(retval != LDAP_SUCCESS){ + if (retval != LDAP_SUCCESS) { krb5_set_error_message(context, 2, "%s", ERR_MSG1); ret = 2; /* Don't know */ goto cleanup; } msg = ldap_first_message(ld, res); - if(msg == NULL){ + if (msg == NULL) { krb5_set_error_message(context, 2, "%s", ERR_MSG1); ret = 2; /* Don't know */ goto cleanup; } values = ldap_get_values(ld, msg, "supportedSASLMechanisms"); - if(values == NULL){ + if (values == NULL) { krb5_set_error_message(context, 1, "%s", ERR_MSG2); ret = 1; /* Not supported */ goto cleanup; } - for(i = 0; values[i] != NULL; i++){ - if(strcmp(values[i], "EXTERNAL")) + for (i = 0; values[i] != NULL; i++) { + if (strcmp(values[i], "EXTERNAL")) continue; flag = 1; } - if(flag != 1){ + if (flag != 1) { krb5_set_error_message(context, 1, "%s", ERR_MSG2); ret = 1; /* Not supported */ goto cleanup; @@ -192,33 +186,33 @@ has_sasl_external_mech(context, ldap_server) cleanup: - if(values != NULL) + if (values != NULL) ldap_value_free(values); - if(res != NULL) + if (res != NULL) ldap_msgfree(res); - if(ld != NULL) + if (ld != NULL) ldap_unbind_s(ld); return ret; } -void * krb5_ldap_alloc( krb5_context context, void *ptr, size_t size ) +void * krb5_ldap_alloc(krb5_context context, void *ptr, size_t size) { return realloc(ptr, size); } -void krb5_ldap_free( krb5_context context, void *ptr ) +void krb5_ldap_free(krb5_context context, void *ptr) { free(ptr); } -krb5_error_code krb5_ldap_open( krb5_context context, - char *conf_section, - char **db_args, - int mode ) +krb5_error_code krb5_ldap_open(krb5_context context, + char *conf_section, + char **db_args, + int mode) { krb5_error_code status = 0; char **t_ptr = db_args; @@ -230,104 +224,87 @@ krb5_error_code krb5_ldap_open( krb5_context context, krb5_clear_error_message(context); ldap_context = calloc(1, sizeof(krb5_ldap_context)); - if (ldap_context == NULL) - { + if (ldap_context == NULL) { status = ENOMEM; goto clean_n_exit; } - + ldap_context->kcontext = context; - while ( t_ptr && *t_ptr ) - { + while (t_ptr && *t_ptr) { char *opt = NULL, *val = NULL; - if( (status = krb5_ldap_get_db_opt( *t_ptr, &opt, &val )) != 0 ) - { + if ((status = krb5_ldap_get_db_opt(*t_ptr, &opt, &val)) != 0) { goto clean_n_exit; } - if( opt && !strcmp( opt, "binddn" ) ) - { - if( ldap_context->bind_dn ) - { + if (opt && !strcmp(opt, "binddn")) { + if (ldap_context->bind_dn) { free (opt); free (val); status = EINVAL; - krb5_set_error_message (context, status, "'binddn' missing"); + krb5_set_error_message (context, status, "'binddn' missing"); goto clean_n_exit; } - if( val == NULL ) - { + if (val == NULL) { status = EINVAL; - krb5_set_error_message (context, status, "'binddn' value missing"); + krb5_set_error_message (context, status, "'binddn' value missing"); free(opt); goto clean_n_exit; } ldap_context->bind_dn = strdup(val); - if (ldap_context->bind_dn == NULL) { + if (ldap_context->bind_dn == NULL) { free (opt); free (val); status = ENOMEM; goto clean_n_exit; } - } - else if( opt && !strcmp( opt, "nconns" ) ) - { - if( ldap_context->max_server_conns ) - { + } else if (opt && !strcmp(opt, "nconns")) { + if (ldap_context->max_server_conns) { free (opt); free (val); status = EINVAL; - krb5_set_error_message (context, status, "'nconns' missing"); + krb5_set_error_message (context, status, "'nconns' missing"); goto clean_n_exit; } - if( val == NULL ) - { + if (val == NULL) { status = EINVAL; - krb5_set_error_message (context, status, "'nconns' value missing"); + krb5_set_error_message (context, status, "'nconns' value missing"); free(opt); goto clean_n_exit; } ldap_context->max_server_conns = atoi(val) ? atoi(val) : DEFAULT_CONNS_PER_SERVER; - } - else if( opt && !strcmp( opt, "bindpwd" ) ) - { - if( ldap_context->bind_pwd ) - { + } else if (opt && !strcmp(opt, "bindpwd")) { + if (ldap_context->bind_pwd) { free (opt); free (val); status = EINVAL; - krb5_set_error_message (context, status, "'bindpwd' missing"); + krb5_set_error_message (context, status, "'bindpwd' missing"); goto clean_n_exit; } - if( val == NULL ) - { + if (val == NULL) { status = EINVAL; - krb5_set_error_message (context, status, "'bindpwd' value missing"); + krb5_set_error_message (context, status, "'bindpwd' value missing"); free(opt); goto clean_n_exit; } ldap_context->bind_pwd = strdup(val); - if (ldap_context->bind_pwd == NULL) { + if (ldap_context->bind_pwd == NULL) { free (opt); free (val); status = ENOMEM; goto clean_n_exit; } - } - else if( opt && !strcmp( opt, "host" ) ) - { + } else if (opt && !strcmp(opt, "host")) { char *port = NULL; - if( val == NULL ) - { + if (val == NULL) { status = EINVAL; - krb5_set_error_message (context, status, "'host' value missing"); + krb5_set_error_message (context, status, "'host' value missing"); free(opt); goto clean_n_exit; } - if (ldap_context->server_info_list == NULL) - ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (SERV_COUNT+1, sizeof (krb5_ldap_server_info *)) ; + if (ldap_context->server_info_list == NULL) + ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (SERV_COUNT+1, sizeof (krb5_ldap_server_info *)) ; if (ldap_context->server_info_list == NULL) { free (opt); @@ -335,7 +312,7 @@ krb5_error_code krb5_ldap_open( krb5_context context, status = ENOMEM; goto clean_n_exit; } - + ldap_context->server_info_list[srv_cnt] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info)); if (ldap_context->server_info_list[srv_cnt] == NULL) { free (opt); @@ -345,69 +322,58 @@ krb5_error_code krb5_ldap_open( krb5_context context, } ldap_context->server_info_list[srv_cnt]->server_status = NOTSET; - + val = strtok_r(val, ":", &port); - ldap_context->server_info_list[srv_cnt]->server_name = strdup(val); + ldap_context->server_info_list[srv_cnt]->server_name = strdup(val); if (ldap_context->server_info_list[srv_cnt]->server_name == NULL) { free (opt); free (val); status = ENOMEM; goto clean_n_exit; } - + if (port) { - ldap_context->server_info_list[srv_cnt]->port = atoi(port); + ldap_context->server_info_list[srv_cnt]->port = atoi(port); } srv_cnt++; - } - else if( opt && !strcmp( opt, "port" ) ) - { - if( ldap_context->port ) - { + } else if (opt && !strcmp(opt, "port")) { + if (ldap_context->port) { free (opt); free (val); status = EINVAL; - krb5_set_error_message (context, status, "'port' missing"); + krb5_set_error_message (context, status, "'port' missing"); goto clean_n_exit; } - if( val == NULL ) - { + if (val == NULL) { status = EINVAL; - krb5_set_error_message (context, status, "'port' value missing"); + krb5_set_error_message (context, status, "'port' value missing"); free(opt); goto clean_n_exit; } - ldap_context->port = atoi(val); - } - else if( opt && !strcmp( opt, "cert" ) ) - { - if( val == NULL ) - { + ldap_context->port = atoi(val); + } else if (opt && !strcmp(opt, "cert")) { + if (val == NULL) { status = EINVAL; - krb5_set_error_message (context, status, "'cert' value missing"); + krb5_set_error_message (context, status, "'cert' value missing"); free(opt); goto clean_n_exit; } - if( ldap_context->root_certificate_file == NULL ) - { + if (ldap_context->root_certificate_file == NULL) { ldap_context->root_certificate_file = strdup(val); - if (ldap_context->root_certificate_file == NULL) { + if (ldap_context->root_certificate_file == NULL) { free (opt); free (val); status = ENOMEM; goto clean_n_exit; } - } - else - { + } else { void *tmp=NULL; char *oldstr = NULL; unsigned int len=0; oldstr = strdup(ldap_context->root_certificate_file); - if (oldstr == NULL) - { + if (oldstr == NULL) { free (opt); free (val); status = ENOMEM; @@ -418,7 +384,7 @@ krb5_error_code krb5_ldap_open( krb5_context context, len = strlen(ldap_context->root_certificate_file) + 2 + strlen(val); ldap_context->root_certificate_file = realloc(ldap_context->root_certificate_file, len); - if (ldap_context->root_certificate_file == NULL) { + if (ldap_context->root_certificate_file == NULL) { free (tmp); free (opt); free (val); @@ -429,12 +395,11 @@ krb5_error_code krb5_ldap_open( krb5_context context, sprintf(ldap_context->root_certificate_file,"%s %s", oldstr, val); free (oldstr); } - } + } /* ignore hash argument. Might have been passed from create */ - else - { + else { status = EINVAL; - krb5_set_error_message (context, status, "unknown option \'%s\'", + krb5_set_error_message (context, status, "unknown option \'%s\'", opt?opt:val); free(opt); free(val); @@ -452,10 +417,10 @@ krb5_error_code krb5_ldap_open( krb5_context context, if (status) { ldap_context = NULL; dal_handle->db_context = NULL; - prepend_err_str (context, "Error reading LDAP server params: ", status, status); + prepend_err_str (context, "Error reading LDAP server params: ", status, status); goto clean_n_exit; } - if ((status=krb5_ldap_db_init( context, ldap_context)) != 0) { + if ((status=krb5_ldap_db_init(context, ldap_context)) != 0) { goto clean_n_exit; } @@ -463,7 +428,7 @@ krb5_error_code krb5_ldap_open( krb5_context context, goto clean_n_exit; } - clean_n_exit: +clean_n_exit: /* may be clearing up is not required db_fini might do it for us, check out */ if (status) { krb5_ldap_close(context); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h index 2bb3b8574..295ba263b 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h @@ -146,8 +146,8 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er /* To be used later */ typedef struct _krb5_ldap_certificates{ - char *certificate; - int certtype; + char *certificate; + int certtype; }krb5_ldap_certificates; /* ldap server info structure */ @@ -158,25 +158,24 @@ typedef enum _server_status {OFF, ON, NOTSET} krb5_ldap_server_status; typedef struct _krb5_ldap_server_info krb5_ldap_server_info; -typedef struct _krb5_ldap_server_handle{ - int msgid; - LDAP *ldap_handle; - krb5_boolean server_info_update_pending; - krb5_ldap_server_info *server_info; - struct _krb5_ldap_server_handle *next; - -}krb5_ldap_server_handle; +typedef struct _krb5_ldap_server_handle { + int msgid; + LDAP *ldap_handle; + krb5_boolean server_info_update_pending; + krb5_ldap_server_info *server_info; + struct _krb5_ldap_server_handle *next; +} krb5_ldap_server_handle; struct _krb5_ldap_server_info { - krb5_ldap_server_type server_type; - krb5_ldap_server_status server_status; - krb5_ui_4 num_conns; - krb5_ldap_server_handle *ldap_server_handles; - time_t downtime; - char *server_name; - krb5_ui_4 port; - char *root_certificate_file; - struct _krb5_ldap_server_info *next; + krb5_ldap_server_type server_type; + krb5_ldap_server_status server_status; + krb5_ui_4 num_conns; + krb5_ldap_server_handle *ldap_server_handles; + time_t downtime; + char *server_name; + krb5_ui_4 port; + char *root_certificate_file; + struct _krb5_ldap_server_info *next; }; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c index e808e350f..3b1dd996f 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c @@ -42,13 +42,13 @@ krb5_validate_ldap_context(krb5_context context, krb5_ldap_context *ldap_context { krb5_error_code st=0; unsigned char *password=NULL; - + if (ldap_context->bind_dn == NULL) { - st = EINVAL; + st = EINVAL; krb5_set_error_message(context, st, "LDAP bind dn value missing "); goto err_out; } - + if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file == NULL) { st = EINVAL; krb5_set_error_message(context, st, "LDAP bind password value missing "); @@ -56,12 +56,12 @@ krb5_validate_ldap_context(krb5_context context, krb5_ldap_context *ldap_context } if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file != - NULL && ldap_context->service_cert_path == NULL) { + NULL && ldap_context->service_cert_path == NULL) { if ((st=krb5_ldap_readpassword(context, ldap_context, &password)) != 0) { - prepend_err_str(context, "Error reading password from stash: ", st, st); + prepend_err_str(context, "Error reading password from stash: ", st, st); goto err_out; - } - + } + /* Check if the returned 'password' is actually the path of a certificate */ if (!strncmp("{FILE}", (char *)password, 6)) { /* 'password' format: \0 */ @@ -69,14 +69,14 @@ krb5_validate_ldap_context(krb5_context context, krb5_ldap_context *ldap_context if (password[strlen((char *)password) + 1] == '\0') ldap_context->service_cert_pass = NULL; else - ldap_context->service_cert_pass = strdup((char *)password + + ldap_context->service_cert_pass = strdup((char *)password + strlen((char *)password) + 1); free(password); } else { ldap_context->bind_pwd = (char *)password; if (ldap_context->bind_pwd == NULL) { st = EINVAL; - krb5_set_error_message(context, st, "Error reading password from stash"); + krb5_set_error_message(context, st, "Error reading password from stash"); goto err_out; } } @@ -85,7 +85,7 @@ krb5_validate_ldap_context(krb5_context context, krb5_ldap_context *ldap_context /* NULL password not allowed */ if (ldap_context->bind_pwd != NULL && strlen(ldap_context->bind_pwd) == 0) { st = EINVAL; - krb5_set_error_message(context, st, "Service password length is zero"); + krb5_set_error_message(context, st, "Service password length is zero"); goto err_out; } @@ -94,47 +94,47 @@ err_out: } /* - * Internal Functions called by init functions. + * Internal Functions called by init functions. */ -static krb5_error_code +static krb5_error_code krb5_ldap_bind(ldap_context, ldap_server_handle) krb5_ldap_context *ldap_context; krb5_ldap_server_handle *ldap_server_handle; { krb5_error_code st=0; struct berval bv={0, NULL}, *servercreds=NULL; - - if(ldap_context->service_cert_path != NULL){ + + if (ldap_context->service_cert_path != NULL) { /* Certificate based bind (SASL EXTERNAL mechanism) */ - - st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle, + + st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle, NULL, /* Authenticating dn */ "EXTERNAL", /* Method used for authentication */ - &bv, - NULL, - NULL, - &servercreds); - + &bv, + NULL, + NULL, + &servercreds); + if (st == LDAP_SASL_BIND_IN_PROGRESS) { - st = ldap_sasl_bind_s( ldap_server_handle->ldap_handle, - NULL, - "EXTERNAL", - servercreds, - NULL, - NULL, - &servercreds); + st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle, + NULL, + "EXTERNAL", + servercreds, + NULL, + NULL, + &servercreds); } } else { /* password based simple bind */ - st = ldap_simple_bind_s(ldap_server_handle->ldap_handle, - ldap_context->bind_dn, + st = ldap_simple_bind_s(ldap_server_handle->ldap_handle, + ldap_context->bind_dn, ldap_context->bind_pwd); } return st; } -static krb5_error_code +static krb5_error_code krb5_ldap_initialize(ldap_context, server_info) krb5_ldap_context *ldap_context; krb5_ldap_server_info *server_info; @@ -149,34 +149,34 @@ krb5_ldap_initialize(ldap_context, server_info) port = ldap_context->port; else port = LDAPS_PORT; - - + + ldap_server_handle = calloc(1, sizeof(krb5_ldap_server_handle)); if (ldap_server_handle == NULL) { st = ENOMEM; goto err_out; } - + /* ldap init */ - if((ldap_server_handle->ldap_handle=ldap_init(server_info->server_name, - port)) == NULL) { - st = KRB5_KDB_ACCESS_ERROR; - if (ldap_context->kcontext) + if ((ldap_server_handle->ldap_handle=ldap_init(server_info->server_name, + port)) == NULL) { + st = KRB5_KDB_ACCESS_ERROR; + if (ldap_context->kcontext) krb5_set_error_message (ldap_context->kcontext, st, "%s", strerror(errno)); goto err_out; } - + if ((st=krb5_ldap_bind(ldap_context, ldap_server_handle)) == 0) { ldap_server_handle->server_info_update_pending = FALSE; server_info->server_status = ON; krb5_update_ldap_handle(ldap_server_handle, server_info); } else { - if (ldap_context->kcontext) - krb5_set_error_message (ldap_context->kcontext, + if (ldap_context->kcontext) + krb5_set_error_message (ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR, "%s", ldap_err2string(st)); - st = KRB5_KDB_ACCESS_ERROR; + st = KRB5_KDB_ACCESS_ERROR; server_info->server_status = OFF; time(&server_info->downtime); /* ldap_unbind_s(ldap_server_handle->ldap_handle); */ @@ -201,53 +201,53 @@ krb5_ldap_db_init(krb5_context context, krb5_ldap_context *ldap_context) if ((st=krb5_validate_ldap_context(context, ldap_context)) != 0) goto err_out; - + ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version); ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &local_timelimit); ldap_set_option(NULL, LDAP_OPT_X_TLS, &tlsoption); - + HNDL_LOCK(ldap_context); while (ldap_context->server_info_list[cnt] != NULL) { krb5_ldap_server_info *server_info=NULL; - + server_info = ldap_context->server_info_list[cnt]; - + if (server_info->server_status == NOTSET) { int conns=0; - + /* * Check if the server has to perform certificate-based authentication */ - if(ldap_context->service_cert_path != NULL){ + if (ldap_context->service_cert_path != NULL) { /* Find out if the server supports SASL EXTERNAL mechanism */ - if(has_sasl_external_mech(context, server_info->server_name) == 1){ + if (has_sasl_external_mech(context, server_info->server_name) == 1) { cnt++; sasl_mech_supported = FALSE; continue; /* Check the next LDAP server */ } sasl_mech_supported = TRUE; } - - krb5_clear_error_message(context); - + + krb5_clear_error_message(context); + for (conns=0; conns < ldap_context->max_server_conns; ++conns) { - if ((st=krb5_ldap_initialize(ldap_context, server_info)) != 0) - break; + if ((st=krb5_ldap_initialize(ldap_context, server_info)) != 0) + break; } /* for (conn= ... */ - if (server_info->server_status == ON) + if (server_info->server_status == ON) break; /* server init successful, so break */ } ++cnt; } HNDL_UNLOCK(ldap_context); - err_out: +err_out: if (sasl_mech_supported == FALSE) { - st = KRB5_KDB_ACCESS_ERROR; - krb5_set_error_message (context, st, - "Certificate based authentication requested but " - "not supported by LDAP servers"); + st = KRB5_KDB_ACCESS_ERROR; + krb5_set_error_message (context, st, + "Certificate based authentication requested but " + "not supported by LDAP servers"); } return (st); } @@ -268,25 +268,25 @@ krb5_ldap_db_single_init(krb5_ldap_context *ldap_context) server_info = ldap_context->server_info_list[cnt]; if ((server_info->server_status == NOTSET || server_info->server_status == ON)) { if (server_info->num_conns < ldap_context->max_server_conns-1) { - st = krb5_ldap_initialize(ldap_context, server_info); - if (st == LDAP_SUCCESS) - goto cleanup; + st = krb5_ldap_initialize(ldap_context, server_info); + if (st == LDAP_SUCCESS) + goto cleanup; } } ++cnt; } /* If we are here, try to connect to all the servers */ - + cnt = 0; while (ldap_context->server_info_list[cnt] != NULL) { server_info = ldap_context->server_info_list[cnt]; st = krb5_ldap_initialize(ldap_context, server_info); - if (st == LDAP_SUCCESS) + if (st == LDAP_SUCCESS) goto cleanup; ++cnt; } - cleanup: +cleanup: return (st); } @@ -304,7 +304,7 @@ krb5_ldap_rebind(ldap_context, ldap_server_handle) port = ldap_context->port; else port = LDAPS_PORT; - + if ((handle->ldap_handle=ldap_init(handle->server_info->server_name, port)) == NULL || krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS) return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle); @@ -327,24 +327,24 @@ krb5_error_code krb5_ldap_lib_cleanup() -krb5_error_code -krb5_ldap_close( krb5_context context) +krb5_error_code +krb5_ldap_close(krb5_context context) { kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; - if (context == NULL || - context->db_context == NULL || + if (context == NULL || + context->db_context == NULL || ((kdb5_dal_handle *)context->db_context)->db_context == NULL) - return 0; - + return 0; + dal_handle = (kdb5_dal_handle *) context->db_context; ldap_context = (krb5_ldap_context *) dal_handle->db_context; dal_handle->db_context = NULL; if (ldap_context == NULL) return 0; - + krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); ldap_context->krbcontainer = NULL; @@ -355,6 +355,3 @@ krb5_ldap_close( krb5_context context) return 0; } - - - diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c index 1f0462967..d4c6ac832 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c @@ -1,14 +1,14 @@ /* * lib/kdb/kdb_ldap/kdb_xdr.c * - * Copyright 1995 by the Massachusetts Institute of Technology. + * Copyright 1995 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,7 +22,7 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * */ #include @@ -90,7 +90,7 @@ krb5_dbe_lookup_tl_data(context, entry, ret_tl_data) krb5_tl_data *tl_data; for (tl_data = entry->tl_data; tl_data; tl_data = tl_data->tl_data_next) { - if (tl_data->tl_data_type == ret_tl_data->tl_data_type) { + if (tl_data->tl_data_type == ret_tl_data->tl_data_type) { *ret_tl_data = *tl_data; return(0); } @@ -115,7 +115,7 @@ krb5_dbe_update_last_pwd_change(context, entry, stamp) krb5_octet buf[4]; /* this is the encoded size of an int32 */ tl_data.tl_data_type = KRB5_TL_LAST_PWD_CHANGE; - tl_data.tl_data_length = sizeof(buf); + tl_data.tl_data_length = sizeof(buf); krb5_kdb_encode_int32((krb5_int32) stamp, buf); tl_data.tl_data_contents = buf; @@ -136,7 +136,7 @@ krb5_dbe_lookup_last_pwd_change(context, entry, stamp) if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))) return(code); - + if (tl_data.tl_data_length != 4) { *stamp = 0; return(0); @@ -166,7 +166,7 @@ krb5_dbe_update_mod_princ_data(context, entry, mod_date, mod_princ) char * unparse_mod_princ = 0; unsigned int unparse_mod_princ_size; - if ((retval = krb5_unparse_name(context, mod_princ, + if ((retval = krb5_unparse_name(context, mod_princ, &unparse_mod_princ))) return(retval); @@ -210,7 +210,7 @@ krb5_dbe_lookup_mod_princ_data(context, entry, mod_time, mod_princ) if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))) return(code); - + if ((tl_data.tl_data_length < 5) || (tl_data.tl_data_contents[tl_data.tl_data_length-1] != '\0')) return(KRB5_KDB_TRUNCATED_RECORD); @@ -226,4 +226,3 @@ krb5_dbe_lookup_mod_princ_data(context, entry, mod_time, mod_princ) return(0); } - diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c index e10c5dbf0..d925c5f1a 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c @@ -36,133 +36,133 @@ * OP_ABANDON => ldap_abandon */ -int translate_ldap_error(int err, int op){ +int translate_ldap_error(int err, int op) { switch (err) { - case LDAP_SUCCESS: - return 0; - - case LDAP_OPERATIONS_ERROR: - /* LDAP_OPERATIONS_ERROR: Indicates an internal error. The server is - * unable to respond with a more specific error and is also unable - * to properly respond to a request */ - case LDAP_UNAVAILABLE_CRITICAL_EXTENSION: - /* LDAP server was unable to satisfy a request because one or more - * critical extensions were not available */ + case LDAP_SUCCESS: + return 0; + + case LDAP_OPERATIONS_ERROR: + /* LDAP_OPERATIONS_ERROR: Indicates an internal error. The server is + * unable to respond with a more specific error and is also unable + * to properly respond to a request */ + case LDAP_UNAVAILABLE_CRITICAL_EXTENSION: + /* LDAP server was unable to satisfy a request because one or more + * critical extensions were not available */ /* This might mean that the schema was not extended ... */ - case LDAP_UNDEFINED_TYPE: - /* The attribute specified in the modify or add operation does not - * exist in the LDAP server's schema. */ - return KRB5_KDB_INTERNAL_ERROR; - - - case LDAP_INAPPROPRIATE_MATCHING: - /* The matching rule specified in the search filter does not match a - * rule defined for the attribute's syntax */ - return KRB5_KDB_UK_RERROR; - - case LDAP_CONSTRAINT_VIOLATION: - /* The attribute value specified in a modify, add, or modify DN - * operation violates constraints placed on the attribute */ - case LDAP_TYPE_OR_VALUE_EXISTS: - /* The attribute value specified in a modify or add operation - * already exists as a value for that attribute */ + case LDAP_UNDEFINED_TYPE: + /* The attribute specified in the modify or add operation does not + * exist in the LDAP server's schema. */ + return KRB5_KDB_INTERNAL_ERROR; + + + case LDAP_INAPPROPRIATE_MATCHING: + /* The matching rule specified in the search filter does not match a + * rule defined for the attribute's syntax */ + return KRB5_KDB_UK_RERROR; + + case LDAP_CONSTRAINT_VIOLATION: + /* The attribute value specified in a modify, add, or modify DN + * operation violates constraints placed on the attribute */ + case LDAP_TYPE_OR_VALUE_EXISTS: + /* The attribute value specified in a modify or add operation + * already exists as a value for that attribute */ + return KRB5_KDB_UK_SERROR; + + case LDAP_INVALID_SYNTAX: + /* The attribute value specified in an add, compare, or modify + * operation is an unrecognized or invalid syntax for the attribute */ + if (op == OP_ADD || op == OP_MOD) return KRB5_KDB_UK_SERROR; - - case LDAP_INVALID_SYNTAX: - /* The attribute value specified in an add, compare, or modify - * operation is an unrecognized or invalid syntax for the attribute */ - if (op == OP_ADD || op == OP_MOD) - return KRB5_KDB_UK_SERROR; - else /* OP_CMP */ - return KRB5_KDB_UK_RERROR; + else /* OP_CMP */ + return KRB5_KDB_UK_RERROR; /* Ensure that the following don't occur in the DAL-LDAP code. * Don't rely on the LDAP server to catch it */ - case LDAP_SASL_BIND_IN_PROGRESS: - /* This is not an error. So, this function should not be called */ - case LDAP_COMPARE_FALSE: - case LDAP_COMPARE_TRUE: - /* LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE are not errors. This - * function should not be invoked for them */ - case LDAP_RESULTS_TOO_LARGE: /* CLDAP */ - case LDAP_TIMELIMIT_EXCEEDED: - case LDAP_SIZELIMIT_EXCEEDED: - return KRB5_KDB_SERVER_INTERNAL_ERR; - - case LDAP_INVALID_DN_SYNTAX: - /* The syntax of the DN is incorrect */ - return EINVAL; - - case LDAP_PROTOCOL_ERROR: - /* LDAP_PROTOCOL_ERROR: Indicates that the server has received an - * invalid or malformed request from the client */ - case LDAP_CONFIDENTIALITY_REQUIRED: + case LDAP_SASL_BIND_IN_PROGRESS: + /* This is not an error. So, this function should not be called */ + case LDAP_COMPARE_FALSE: + case LDAP_COMPARE_TRUE: + /* LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE are not errors. This + * function should not be invoked for them */ + case LDAP_RESULTS_TOO_LARGE: /* CLDAP */ + case LDAP_TIMELIMIT_EXCEEDED: + case LDAP_SIZELIMIT_EXCEEDED: + return KRB5_KDB_SERVER_INTERNAL_ERR; + + case LDAP_INVALID_DN_SYNTAX: + /* The syntax of the DN is incorrect */ + return EINVAL; + + case LDAP_PROTOCOL_ERROR: + /* LDAP_PROTOCOL_ERROR: Indicates that the server has received an + * invalid or malformed request from the client */ + case LDAP_CONFIDENTIALITY_REQUIRED: /* Bind problems ... */ - case LDAP_AUTH_METHOD_NOT_SUPPORTED: -// case LDAP_STRONG_AUTH_NOT_SUPPORTED: // Is this a bind error ? - case LDAP_INAPPROPRIATE_AUTH: - case LDAP_INVALID_CREDENTIALS: - case LDAP_UNAVAILABLE: + case LDAP_AUTH_METHOD_NOT_SUPPORTED: +/* case LDAP_STRONG_AUTH_NOT_SUPPORTED: // Is this a bind error ? */ + case LDAP_INAPPROPRIATE_AUTH: + case LDAP_INVALID_CREDENTIALS: + case LDAP_UNAVAILABLE: + return KRB5_KDB_ACCESS_ERROR; + + case LDAP_STRONG_AUTH_REQUIRED: + if (op == OP_BIND) /* the LDAP server accepts only strong authentication. */ return KRB5_KDB_ACCESS_ERROR; + else /* Client requested an operation such that requires strong authentication */ + return KRB5_KDB_CONSTRAINT_VIOLATION; - case LDAP_STRONG_AUTH_REQUIRED: - if (op == OP_BIND) /* the LDAP server accepts only strong authentication. */ - return KRB5_KDB_ACCESS_ERROR; - else /* Client requested an operation such that requires strong authentication */ - return KRB5_KDB_CONSTRAINT_VIOLATION; + case LDAP_REFERRAL: + return KRB5_KDB_NOENTRY; - case LDAP_REFERRAL: - return KRB5_KDB_NOENTRY; - - case LDAP_ADMINLIMIT_EXCEEDED: - /* An LDAP server limit set by an administrative authority has been - * exceeded */ - return KRB5_KDB_CONSTRAINT_VIOLATION; - case LDAP_UNWILLING_TO_PERFORM: - /* The LDAP server cannot process the request because of - * server-defined restrictions */ - return KRB5_KDB_CONSTRAINT_VIOLATION; + case LDAP_ADMINLIMIT_EXCEEDED: + /* An LDAP server limit set by an administrative authority has been + * exceeded */ + return KRB5_KDB_CONSTRAINT_VIOLATION; + case LDAP_UNWILLING_TO_PERFORM: + /* The LDAP server cannot process the request because of + * server-defined restrictions */ + return KRB5_KDB_CONSTRAINT_VIOLATION; - case LDAP_NO_SUCH_ATTRIBUTE: - /* Indicates that the attribute specified in the modify or compare - * operation does not exist in the entry */ - if (op == OP_MOD) - return KRB5_KDB_UK_SERROR; - else /* OP_CMP */ - return KRB5_KDB_TRUNCATED_RECORD; + case LDAP_NO_SUCH_ATTRIBUTE: + /* Indicates that the attribute specified in the modify or compare + * operation does not exist in the entry */ + if (op == OP_MOD) + return KRB5_KDB_UK_SERROR; + else /* OP_CMP */ + return KRB5_KDB_TRUNCATED_RECORD; - case LDAP_ALIAS_DEREF_PROBLEM: - /* Either the client does not have access rights to read the aliased - * object's name or dereferencing is not allowed */ - case LDAP_PROXY_AUTHZ_FAILURE: // Is this correct ? - case LDAP_INSUFFICIENT_ACCESS: - /* Caller does not have sufficient rights to perform the requested - * operation */ - return KRB5_KDB_UNAUTH; + case LDAP_ALIAS_DEREF_PROBLEM: + /* Either the client does not have access rights to read the aliased + * object's name or dereferencing is not allowed */ + case LDAP_PROXY_AUTHZ_FAILURE: // Is this correct ? + case LDAP_INSUFFICIENT_ACCESS: + /* Caller does not have sufficient rights to perform the requested + * operation */ + return KRB5_KDB_UNAUTH; - case LDAP_LOOP_DETECT: - /* Client discovered an alias or referral loop */ - return KRB5_KDB_DB_CORRUPT; + case LDAP_LOOP_DETECT: + /* Client discovered an alias or referral loop */ + return KRB5_KDB_DB_CORRUPT; - default: + default: - if (LDAP_NAME_ERROR (err)) - return KRB5_KDB_NOENTRY; + if (LDAP_NAME_ERROR (err)) + return KRB5_KDB_NOENTRY; - if (LDAP_SECURITY_ERROR (err)) - return KRB5_KDB_UNAUTH; + if (LDAP_SECURITY_ERROR (err)) + return KRB5_KDB_UNAUTH; - if (LDAP_SERVICE_ERROR (err) || LDAP_API_ERROR (err) || LDAP_X_ERROR (err)) - return KRB5_KDB_ACCESS_ERROR; + if (LDAP_SERVICE_ERROR (err) || LDAP_API_ERROR (err) || LDAP_X_ERROR (err)) + return KRB5_KDB_ACCESS_ERROR; - if (LDAP_UPDATE_ERROR(err)) - return KRB5_KDB_UK_SERROR; + if (LDAP_UPDATE_ERROR(err)) + return KRB5_KDB_UK_SERROR; - /* LDAP_OTHER */ - return KRB5_KDB_SERVER_INTERNAL_ERR; + /* LDAP_OTHER */ + return KRB5_KDB_SERVER_INTERNAL_ERR; } } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c index 795358296..c159f0014 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c @@ -35,11 +35,11 @@ * get the master key from the database specific context */ -krb5_error_code +krb5_error_code krb5_ldap_get_mkey (context, key) - krb5_context context; - krb5_keyblock **key; - + krb5_context context; + krb5_keyblock **key; + { kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; @@ -49,8 +49,8 @@ krb5_ldap_get_mkey (context, key) dal_handle = (kdb5_dal_handle *) context->db_context; ldap_context = (krb5_ldap_context *) dal_handle->db_context; - - if ( ldap_context == NULL || ldap_context->lrparams == NULL) + + if (ldap_context == NULL || ldap_context->lrparams == NULL) return KRB5_KDB_DBNOTINITED; *key = &ldap_context->lrparams->mkey; @@ -62,7 +62,7 @@ krb5_ldap_get_mkey (context, key) * set the master key into the database specific context */ -krb5_error_code +krb5_error_code krb5_ldap_set_mkey (context, pwd, key) krb5_context context; char *pwd; @@ -77,10 +77,10 @@ krb5_ldap_set_mkey (context, pwd, key) dal_handle = (kdb5_dal_handle *) context->db_context; ldap_context = (krb5_ldap_context *) dal_handle->db_context; - - if ( ldap_context == NULL || ldap_context->lrparams == NULL) - return KRB5_KDB_DBNOTINITED; - + + if (ldap_context == NULL || ldap_context->lrparams == NULL) + return KRB5_KDB_DBNOTINITED; + r_params = ldap_context->lrparams; if (r_params->mkey.contents) { @@ -92,9 +92,9 @@ krb5_ldap_set_mkey (context, pwd, key) r_params->mkey.enctype = key->enctype; r_params->mkey.length = key->length; r_params->mkey.contents = malloc(key->length); - if (r_params->mkey.contents == NULL) + if (r_params->mkey.contents == NULL) return ENOMEM; - + memcpy(r_params->mkey.contents, key->contents, key->length); return 0; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c index 4cc945f4a..6f8e73d0e 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c @@ -35,14 +35,14 @@ /* * Update the server info structure. In case of an asynchronous bind, - * this function is called to check the bind status. A flag + * this function is called to check the bind status. A flag * server_info_upate_pending is refered before calling this function. - * This function sets the server_status to either ON or OFF and - * sets the server_info_udpate_pending to OFF. - * Do not lock the mutex here. The caller should lock it + * This function sets the server_status to either ON or OFF and + * sets the server_info_udpate_pending to OFF. + * Do not lock the mutex here. The caller should lock it */ -static krb5_error_code +static krb5_error_code krb5_update_server_info(ldap_server_handle, server_info) krb5_ldap_server_handle *ldap_server_handle; krb5_ldap_server_info *server_info; @@ -53,9 +53,9 @@ krb5_update_server_info(ldap_server_handle, server_info) if (ldap_server_handle == NULL || server_info == NULL) return -1; - + while (st == 0) { - st = ldap_result(ldap_server_handle->ldap_handle, ldap_server_handle->msgid, + st = ldap_result(ldap_server_handle->ldap_handle, ldap_server_handle->msgid, LDAP_MSG_ALL, &ztime, &result); switch (st) { case -1: @@ -66,18 +66,18 @@ krb5_update_server_info(ldap_server_handle, server_info) case 0: continue; break; - + case LDAP_RES_BIND: if ((st=ldap_result2error(ldap_server_handle->ldap_handle, result, 1)) == LDAP_SUCCESS) { server_info->server_status = ON; } else { -/* ?? */ krb5_set_error_message(0, 0, "%s", ldap_err2string(st)); + /* ?? */ krb5_set_error_message(0, 0, "%s", ldap_err2string(st)); server_info->server_status = OFF; time(&server_info->downtime); } ldap_msgfree(result); break; - default: + default: ldap_msgfree(result); continue; break; @@ -88,9 +88,9 @@ krb5_update_server_info(ldap_server_handle, server_info) } #endif -/* - * Return ldap server handle from the pool. If the pool is exhausted return NULL. - * Do not lock the mutex, caller should lock it +/* + * Return ldap server handle from the pool. If the pool is exhausted return NULL. + * Do not lock the mutex, caller should lock it */ static krb5_ldap_server_handle * @@ -100,7 +100,7 @@ krb5_get_ldap_handle(ldap_context) krb5_ldap_server_handle *ldap_server_handle=NULL; krb5_ldap_server_info *ldap_server_info=NULL; int cnt=0; - + while (ldap_context->server_info_list[cnt] != NULL) { ldap_server_info = ldap_context->server_info_list[cnt]; if (ldap_server_info->server_status != OFF) { @@ -110,7 +110,7 @@ krb5_get_ldap_handle(ldap_context) break; #ifdef ASYNC_BIND if (ldap_server_handle->server_info_update_pending == TRUE) { - krb5_update_server_info(context, ldap_server_handle, + krb5_update_server_info(context, ldap_server_handle, ldap_server_info); } @@ -127,58 +127,58 @@ krb5_get_ldap_handle(ldap_context) return ldap_server_handle; } -/* - * This is called incase krb5_get_ldap_handle returns NULL. +/* + * This is called incase krb5_get_ldap_handle returns NULL. * Try getting a single connection (handle) and return the same by * calling krb5_get_ldap_handle function. - * Do not lock the mutex here. The caller should lock it + * Do not lock the mutex here. The caller should lock it */ -static krb5_ldap_server_handle * +static krb5_ldap_server_handle * krb5_retry_get_ldap_handle(ldap_context, st) krb5_ldap_context *ldap_context; krb5_error_code *st; { - krb5_ldap_server_handle *ldap_server_handle=NULL; + krb5_ldap_server_handle *ldap_server_handle=NULL; - if ((*st=krb5_ldap_db_single_init(ldap_context)) != 0) + if ((*st=krb5_ldap_db_single_init(ldap_context)) != 0) return NULL; - + ldap_server_handle = krb5_get_ldap_handle(ldap_context); return ldap_server_handle; } /* - * Put back the ldap server handle to the front of the list of handles of the + * Put back the ldap server handle to the front of the list of handles of the * ldap server info structure. - * Do not lock the mutex here. The caller should lock it. + * Do not lock the mutex here. The caller should lock it. */ -static krb5_error_code +static krb5_error_code krb5_put_ldap_handle(ldap_server_handle) krb5_ldap_server_handle *ldap_server_handle; { if (ldap_server_handle == NULL) return 0; - + ldap_server_handle->next = ldap_server_handle->server_info->ldap_server_handles; ldap_server_handle->server_info->ldap_server_handles = ldap_server_handle; return 0; } -/* +/* * Add a new ldap server handle structure to the server info structure. * This function name can be changed to krb5_insert_ldap_handle. - * Do not lock the mutex here. The caller should lock it + * Do not lock the mutex here. The caller should lock it */ -krb5_error_code +krb5_error_code krb5_update_ldap_handle(ldap_server_handle, server_info) krb5_ldap_server_handle *ldap_server_handle; krb5_ldap_server_info *server_info; { - + if (ldap_server_handle == NULL || server_info == NULL) return 0; @@ -190,7 +190,7 @@ krb5_update_ldap_handle(ldap_server_handle, server_info) } /* - * Free up all the ldap server handles of the server info. + * Free up all the ldap server handles of the server info. * This function is called when the ldap server returns LDAP_SERVER_DOWN. */ @@ -199,13 +199,13 @@ krb5_ldap_cleanup_handles(ldap_server_info) krb5_ldap_server_info *ldap_server_info; { krb5_ldap_server_handle *ldap_server_handle = NULL; - + while (ldap_server_info->ldap_server_handles != NULL) { ldap_server_handle = ldap_server_info->ldap_server_handles; ldap_server_info->ldap_server_handles = ldap_server_handle->next; /* ldap_unbind_s(ldap_server_handle); */ free (ldap_server_handle); - ldap_server_handle = NULL; + ldap_server_handle = NULL; } return 0; } @@ -214,13 +214,13 @@ krb5_ldap_cleanup_handles(ldap_server_info) * wrapper function called from outside to get a handle. */ -krb5_error_code +krb5_error_code krb5_ldap_request_handle_from_pool(ldap_context, ldap_server_handle) krb5_ldap_context *ldap_context; krb5_ldap_server_handle **ldap_server_handle; { krb5_error_code st=0; - + *ldap_server_handle = NULL; HNDL_LOCK(ldap_context); @@ -231,21 +231,21 @@ krb5_ldap_request_handle_from_pool(ldap_context, ldap_server_handle) } /* - * wrapper function wrapper called to get the next ldap server handle, when the current + * wrapper function wrapper called to get the next ldap server handle, when the current * ldap server handle returns LDAP_SERVER_DOWN. */ -krb5_error_code +krb5_error_code krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle) krb5_ldap_context *ldap_context; krb5_ldap_server_handle **ldap_server_handle; { krb5_error_code st=0; - + HNDL_LOCK(ldap_context); (*ldap_server_handle)->server_info->server_status = OFF; time(&(*ldap_server_handle)->server_info->downtime); - krb5_put_ldap_handle(*ldap_server_handle); + krb5_put_ldap_handle(*ldap_server_handle); krb5_ldap_cleanup_handles((*ldap_server_handle)->server_info); if (((*ldap_server_handle)=krb5_get_ldap_handle(ldap_context)) == NULL) @@ -263,7 +263,7 @@ krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle) krb5_ldap_context *ldap_context; krb5_ldap_server_handle *ldap_server_handle; { - + if (ldap_server_handle != NULL) { HNDL_LOCK(ldap_context); krb5_put_ldap_handle(ldap_server_handle); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c index 35e81cd4e..d784e0ff5 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c @@ -39,39 +39,39 @@ char *krbcontainerrefattr[] = {"krbContainerReference", NULL}; * Free the krb5_ldap_krbcontainer_params */ -void +void krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *cparams) { - if(cparams == NULL) + if (cparams == NULL) return; - + if (cparams->policyreference) krb5_xfree(cparams->policyreference); - + if (cparams->parent) krb5_xfree(cparams->parent); - + if (cparams->DN) krb5_xfree(cparams->DN); - + krb5_xfree(cparams); - + return; } /* * Read the kerberos container. Kerberos container dn is read from the krb5.conf file. * In case of eDirectory, if the dn is not present in the conf file, refer Security Container - * to fetch the dn information. - * - * Reading kerberos container includes reading the policyreference attribute and the policy + * to fetch the dn information. + * + * Reading kerberos container includes reading the policyreference attribute and the policy * object to read the attributes associated with it. */ krb5_error_code -krb5_ldap_read_krbcontainer_params( krb5_context context, - krb5_ldap_krbcontainer_params **cparamp) - +krb5_ldap_read_krbcontainer_params(krb5_context context, + krb5_ldap_krbcontainer_params **cparamp) + { krb5_error_code st=0, tempst=0; LDAP *ld=NULL; @@ -91,85 +91,85 @@ krb5_ldap_read_krbcontainer_params( krb5_context context, /* read kerberos containter location from [dbmodules] section of krb5.conf file */ if (ldap_context->conf_section) { if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, ldap_context->conf_section, - "ldap_kerberos_container_dn", NULL, + "ldap_kerberos_container_dn", NULL, &cparams->DN)) != 0) { - krb5_set_error_message(context, st, "Error reading kerberos container location " - "from krb5.conf"); + krb5_set_error_message(context, st, "Error reading kerberos container location " + "from krb5.conf"); goto cleanup; } } - + /* read kerberos containter location from [dbdefaults] section of krb5.conf file */ if (cparams->DN == NULL) { - if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, - "ldap_kerberos_container_dn", NULL, + if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, + "ldap_kerberos_container_dn", NULL, NULL, &cparams->DN)) != 0) { - krb5_set_error_message(context, st, "Error reading kerberos container location " - "from krb5.conf"); + krb5_set_error_message(context, st, "Error reading kerberos container location " + "from krb5.conf"); goto cleanup; } } #ifndef HAVE_EDIRECTORY /* - * In case eDirectory, we can fall back to security container if the kerberos container location + * In case eDirectory, we can fall back to security container if the kerberos container location * is missing in the conf file. In openldap we will have to return an error. */ if (cparams->DN == NULL) { - st = KRB5_KDB_SERVER_INTERNAL_ERR; - krb5_set_error_message(context, st, "Kerberos container location not specified"); - goto cleanup; + st = KRB5_KDB_SERVER_INTERNAL_ERR; + krb5_set_error_message(context, st, "Kerberos container location not specified"); + goto cleanup; } #endif if (cparams->DN != NULL) { - /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is + /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is * not read */ LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS); if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) { - st = set_ldap_error(context, st, OP_SEARCH); + st = set_ldap_error(context, st, OP_SEARCH); goto cleanup; } - + if (st == LDAP_NO_SUCH_OBJECT) { - st = KRB5_KDB_NOENTRY; - goto cleanup; + st = KRB5_KDB_NOENTRY; + goto cleanup; } } - + #ifdef HAVE_EDIRECTORY /* - * If the kerberos location in the conf file is missing or invalid, fall back to the + * If the kerberos location in the conf file is missing or invalid, fall back to the * security container. If the kerberos location in the security container is also missing * then fall back to the default value */ if ((cparams->DN == NULL) || (st == LDAP_NO_SUCH_OBJECT)) { - /* + /* * kerberos container can be anywhere. locate it by reading the security * container to find the location. */ LDAP_SEARCH(SECURITY_CONTAINER, LDAP_SCOPE_BASE, NULL, krbcontainerrefattr); if ((ent = ldap_first_entry(ld, result)) != NULL) { - if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference", + if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference", &(cparams->DN), NULL)) != 0) goto cleanup; if (cparams->DN == NULL) { cparams->DN = strdup(KERBEROS_CONTAINER); CHECK_NULL(cparams->DN); } - } + } ldap_msgfree(result); - - /* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on + + /* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on * Kerberos Container is not read */ LDAP_SEARCH(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute); } #endif - - if ((ent = ldap_first_entry(ld, result))) { - if ((st=krb5_ldap_get_string(ld, ent, "krbpolicyreference", + + if ((ent = ldap_first_entry(ld, result))) { + if ((st=krb5_ldap_get_string(ld, ent, "krbpolicyreference", &(cparams->policyreference), NULL)) != 0) goto cleanup; } @@ -183,21 +183,21 @@ krb5_ldap_read_krbcontainer_params( krb5_context context, } st = LDAP_SUCCESS; /* reset the return status in case it is LDAP_NO_SUCH_OBJECT */ - ent=ldap_first_entry(ld, result); + ent=ldap_first_entry(ld, result); if (ent != NULL) { krb5_ldap_get_value(ld, ent, "krbmaxtktlife", &(cparams->max_life)); krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &(cparams->max_renewable_life)); - krb5_ldap_get_value(ld, ent, "krbticketflags", &(cparams->tktflags)); + krb5_ldap_get_value(ld, ent, "krbticketflags", &(cparams->tktflags)); } ldap_msgfree(result); } - *cparamp=cparams; + *cparamp=cparams; - cleanup: - if(st != 0) { +cleanup: + if (st != 0) { krb5_ldap_free_krbcontainer_params(cparams); *cparamp=NULL; } - krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); + krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index a13d1c7a5..41cea5ff2 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c @@ -40,12 +40,12 @@ */ krb5_error_code krb5_ldap_read_server_params(context, conf_section, srv_type) - krb5_context context; - char *conf_section; - int srv_type; + krb5_context context; + char *conf_section; + int srv_type; { char *tempval=NULL, *save_ptr=NULL; - const char *delims="\t\n\f\v\r ,"; + const char *delims="\t\n\f\v\r ,"; krb5_error_code st=0; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; @@ -56,16 +56,16 @@ krb5_ldap_read_server_params(context, conf_section, srv_type) /* copy the conf_section into ldap_context for later use */ if (conf_section) { - ldap_context->conf_section = strdup (conf_section); - if (ldap_context->conf_section == NULL) { - st = ENOMEM; - goto cleanup; - } + ldap_context->conf_section = strdup (conf_section); + if (ldap_context->conf_section == NULL) { + st = ENOMEM; + goto cleanup; + } } /* initialize the mutexs and condition variable */ /* this portion logically doesn't fit here should be moved appropriately */ - + /* this mutex is used in ldap reconnection pool */ if (k5_mutex_init(&(ldap_context->hndl_lock)) != 0) { st = KRB5_KDB_SERVER_INTERNAL_ERR; @@ -79,105 +79,103 @@ krb5_ldap_read_server_params(context, conf_section, srv_type) * this parameter defines maximum ldap connections per ldap server */ if (ldap_context->max_server_conns == 0) { - if ((st=profile_get_integer(context->profile, KDB_MODULE_SECTION, conf_section, - "ldap_conns_per_server", 0, + if ((st=profile_get_integer(context->profile, KDB_MODULE_SECTION, conf_section, + "ldap_conns_per_server", 0, (int *) &ldap_context->max_server_conns)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_conns_per_server' " - "attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_conns_per_server' " + "attribute"); goto cleanup; } } - + /* if ldap port is not set read it from database module section of conf file */ if (ldap_context->port == 0) { - if ((st=profile_get_integer(context->profile, KDB_MODULE_SECTION, conf_section, - "ldap_ssl_port", 0, + if ((st=profile_get_integer(context->profile, KDB_MODULE_SECTION, conf_section, + "ldap_ssl_port", 0, (int *) &ldap_context->port)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_ssl_port' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_ssl_port' attribute"); goto cleanup; } } - - /* if the bind dn is not set read it from the database module section of conf file - * this paramter is populated by one of the KDC, ADMIN or PASSWD dn to be used to connect + + /* if the bind dn is not set read it from the database module section of conf file + * this paramter is populated by one of the KDC, ADMIN or PASSWD dn to be used to connect * to LDAP server. the srv_type decides which dn to read. */ - if( ldap_context->bind_dn == NULL ) { - + if (ldap_context->bind_dn == NULL) { + if (srv_type == KRB5_KDB_SRV_TYPE_KDC) { - if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, + if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, "ldap_kdc_dn", NULL, &ldap_context->bind_dn)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_kdc_dn' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_kdc_dn' attribute"); goto cleanup; } - } - else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN) { - if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, + } else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN) { + if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, "ldap_kadmind_dn", NULL, &ldap_context->bind_dn)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_kadmind_dn' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_kadmind_dn' attribute"); goto cleanup; } - } - else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD) { - if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, + } else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD) { + if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, "ldap_kpasswdd_dn", NULL, &ldap_context->bind_dn)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_kpasswdd_dn' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_kpasswdd_dn' attribute"); goto cleanup; } } } /* read service_password_file parameter from database module section of conf file - * this file contains stashed passwords of the KDC, ADMIN and PASSWD dns. + * this file contains stashed passwords of the KDC, ADMIN and PASSWD dns. */ if (ldap_context->service_password_file == NULL) { - if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, - "ldap_service_password_file", NULL, + if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, + "ldap_service_password_file", NULL, &ldap_context->service_password_file)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_service_password_file' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_service_password_file' attribute"); goto cleanup; } } - + /* if root certificate file is not set read it from database module section of conf file * this is the trusted root certificate of the Directory. - */ + */ if (ldap_context->root_certificate_file == NULL) { - if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, - "ldap_root_certificate_file", NULL, + if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, + "ldap_root_certificate_file", NULL, &ldap_context->root_certificate_file)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_root_certificate_file' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_root_certificate_file' attribute"); goto cleanup; } } - - /* if the ldap server parameter is not set read the list of ldap servers:port from the - * database module section of the conf file + + /* if the ldap server parameter is not set read the list of ldap servers:port from the + * database module section of the conf file */ - + if (ldap_context->server_info_list == NULL) { unsigned int ele=0; - + server_info = &(ldap_context->server_info_list); - *server_info = (krb5_ldap_server_info **) calloc (SERV_COUNT+1, + *server_info = (krb5_ldap_server_info **) calloc (SERV_COUNT+1, sizeof (krb5_ldap_server_info *)); - + if (*server_info == NULL) { st = ENOMEM; goto cleanup; } - - if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, + + if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, "ldap_servers", NULL, &tempval)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_servers' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_servers' attribute"); goto cleanup; } - + if (tempval == NULL) { - - (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1, + + (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1, sizeof(krb5_ldap_server_info)); - + (*server_info)[ele]->server_name = strdup("localhost"); if ((*server_info)[ele]->server_name == NULL) { st = ENOMEM; @@ -186,10 +184,10 @@ krb5_ldap_read_server_params(context, conf_section, srv_type) (*server_info)[ele]->server_status = NOTSET; } else { char *port=NULL, *server=NULL, *item=NULL; - + item = strtok_r(tempval,delims,&save_ptr); - while(item != NULL && elemax_server_conns == 0) { - if ((st=profile_get_integer(context->profile, KDB_MODULE_DEF_SECTION, - "ldap_conns_per_server", NULL, DEFAULT_CONNS_PER_SERVER, + if ((st=profile_get_integer(context->profile, KDB_MODULE_DEF_SECTION, + "ldap_conns_per_server", NULL, DEFAULT_CONNS_PER_SERVER, (int *) &ldap_context->max_server_conns)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_conns_per_server' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_conns_per_server' attribute"); goto cleanup; } } @@ -231,36 +229,34 @@ krb5_ldap_read_server_params(context, conf_section, srv_type) krb5_set_error_message (context, st, "Minimum connections required per server is 2"); goto cleanup; } - + if (ldap_context->port == 0) { - if ((st=profile_get_integer(context->profile, KDB_MODULE_DEF_SECTION, "ldap_ssl_port", + if ((st=profile_get_integer(context->profile, KDB_MODULE_DEF_SECTION, "ldap_ssl_port", NULL, LDAPS_PORT, &ldap_context->port)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_ssl_port' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_ssl_port' attribute"); goto cleanup; } } - if( ldap_context->bind_dn == NULL ) { + if (ldap_context->bind_dn == NULL) { if (srv_type == KRB5_KDB_SRV_TYPE_KDC) { - if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, "ldap_kdc_dn", + if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, "ldap_kdc_dn", NULL, NULL, &ldap_context->bind_dn)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_kdc_dn' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_kdc_dn' attribute"); goto cleanup; } - } - else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN) { - if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, - "ldap_kadmind_dn", NULL, NULL, + } else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN) { + if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, + "ldap_kadmind_dn", NULL, NULL, &ldap_context->bind_dn)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_kadmind_dn' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_kadmind_dn' attribute"); goto cleanup; } - } - else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD) { - if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, - "ldap_kpasswdd_dn", NULL, NULL, + } else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD) { + if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, + "ldap_kpasswdd_dn", NULL, NULL, &ldap_context->bind_dn)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_kpasswdd_dn' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_kpasswdd_dn' attribute"); goto cleanup; } } @@ -268,25 +264,25 @@ krb5_ldap_read_server_params(context, conf_section, srv_type) /* read service_password_file value */ if (ldap_context->service_password_file == NULL) { - if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, - "ldap_service_password_file", NULL, NULL, + if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, + "ldap_service_password_file", NULL, NULL, &ldap_context->service_password_file)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_service_passwd_file' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_service_passwd_file' attribute"); goto cleanup; } } - + /* read root certificate file value */ if (ldap_context->root_certificate_file == NULL) { - if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, - "ldap_root_certificate_file", NULL, NULL, + if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, + "ldap_root_certificate_file", NULL, NULL, &ldap_context->root_certificate_file)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_root_certificate_file' attribute"); + krb5_set_error_message (context, st, "Error reading 'ldap_root_certificate_file' attribute"); goto cleanup; } } - - cleanup: + +cleanup: return(st); } @@ -303,9 +299,9 @@ krb5_ldap_free_server_params(ldap_context) if (ldap_context == NULL) return 0; - + /* free all ldap servers list and the ldap handles associated with the ldap server */ - if(ldap_context->server_info_list) { + if (ldap_context->server_info_list) { while (ldap_context->server_info_list[i]) { if (ldap_context->server_info_list[i]->server_name) { free (ldap_context->server_info_list[i]->server_name); @@ -328,7 +324,7 @@ krb5_ldap_free_server_params(ldap_context) } krb5_xfree(ldap_context->server_info_list); } - + if (ldap_context->conf_section != NULL) { krb5_xfree(ldap_context->conf_section); ldap_context->conf_section = NULL; @@ -391,36 +387,36 @@ krb5_ldap_free_server_params(ldap_context) krb5_error_code is_principal_in_realm(ldap_context, searchfor) - krb5_ldap_context *ldap_context; - krb5_const_principal searchfor; + krb5_ldap_context *ldap_context; + krb5_const_principal searchfor; { int defrealmlen=0; char *defrealm=NULL; - + #define FIND_MAX(a,b) ((a) > (b) ? (a) : (b)) defrealmlen = strlen(ldap_context->lrparams->realm_name); defrealm = ldap_context->lrparams->realm_name; - + /* care should be taken for inter-realm principals as the default realm can exist in the - * realm part of the principal name or can also exist in the second portion of the name part. - * However, if the default realm exist in the second part of the principal portion, then the - * first portion of the principal name SHOULD be "krbtgt". All this check is done in the + * realm part of the principal name or can also exist in the second portion of the name part. + * However, if the default realm exist in the second part of the principal portion, then the + * first portion of the principal name SHOULD be "krbtgt". All this check is done in the * immediate block. */ - if (searchfor->length == 2) - if ((strncasecmp(searchfor->data[0].data, "krbtgt", - FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) && - (strncasecmp(searchfor->data[1].data, defrealm, - FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0)) + if (searchfor->length == 2) + if ((strncasecmp(searchfor->data[0].data, "krbtgt", + FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) && + (strncasecmp(searchfor->data[1].data, defrealm, + FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0)) return 0; - + /* first check the length, if they are not equal, then they are not same */ if (strlen(defrealm) != searchfor->realm.length) return 1; - + /* if the length is equal, check for the contents */ - if (strncmp(defrealm, searchfor->realm.data, + if (strncmp(defrealm, searchfor->realm.data, searchfor->realm.length) != 0) return 1; /* if we are here, then the realm portions match, return 0 */ @@ -429,8 +425,8 @@ is_principal_in_realm(ldap_context, searchfor) /* - * Deduce the subtree information from the context. A realm can have atmost 2 subtrees. - * 1. the Realm container + * Deduce the subtree information from the context. A realm can have atmost 2 subtrees. + * 1. the Realm container * 2. the actual subtree associated with the Realm * * However, there are some conditions to be considered to deduce the actual subtree/s associated @@ -439,7 +435,7 @@ is_principal_in_realm(ldap_context, searchfor) * the realm has only one subtree i.e [Root], i.e. whole of the tree. * 2. If the subtree information of the Realm is missing/absent, then the realm has only one * i.e. the Realm container. NOTE: In call cases Realm container SHOULD be the one among the - * subtrees or the only one subtree. + * subtrees or the only one subtree. * 3. The subtree information of the realm is overlapping the realm container of the realm, then * the realm has only one subtree and it is the subtree information associated with the realm. */ @@ -455,38 +451,38 @@ krb5_get_subtree_info(ldap_context, subtreearr, ntree) subtree = ldap_context->lrparams->subtree; realm_cont_dn = ldap_context->lrparams->realmdn; - /* - * if subtree attribute value is [Root] of the tree which is represented by a "" + /* + * if subtree attribute value is [Root] of the tree which is represented by a "" * (null) string, set the ntree value as 1 and do not fill the subtreearr value. * In eDirectory the [Root] can be represented as a "" (null) string, however this - * representation throws a "No such object" error in OpenLDAP. + * representation throws a "No such object" error in OpenLDAP. * Representing [Root] of the tree as NULL pointer (i.e. no value) works in both case. */ if (subtree == NULL || strcasecmp(subtree, "") == 0) { *ntree = 1; return 0; } - - /* - * the subtree attribute value of the realm can be same as the realm container or can - * even overlap. If the check is successful, then the subtree attribute value alone is + + /* + * the subtree attribute value of the realm can be same as the realm container or can + * even overlap. If the check is successful, then the subtree attribute value alone is * copied to the subtreearr array and the ntree value is set to 1. */ lendiff = strlen(realm_cont_dn) - strlen(subtree); if (lendiff >= 0 && (strcasecmp(realm_cont_dn+lendiff, subtree)==0)) { subtreearr[0] = strdup(subtree); - if (subtreearr[0] == NULL) + if (subtreearr[0] == NULL) return ENOMEM; *ntree = 1; return 0; - } - + } + /* * if the subtree attribute value of the realm and the realm container are different, * then both of the values are copied to subtreearr and ntree value is set to 2. */ subtreearr[0] = strdup(realm_cont_dn); - if (subtreearr[0] == NULL) + if (subtreearr[0] == NULL) return ENOMEM; subtreearr[1] = strdup(subtree); if (subtreearr[1] == NULL) { @@ -500,7 +496,7 @@ krb5_get_subtree_info(ldap_context, subtreearr, ntree) /* * This function appends the content with a type into the tl_data structure. Based on the type - * the length of the content is either pre-defined or computed from the content. + * the length of the content is either pre-defined or computed from the content. * Returns 0 in case of success and 1 if the type associated with the content is undefined. */ @@ -513,116 +509,115 @@ store_tl_data(tl_data, tl_type, value) unsigned int currlen=0, tldatalen=0; char *curr=NULL; void *reallocptr=NULL; - + tl_data->tl_data_type = KDB_TL_USER_INFO; - switch(tl_type) - { + switch (tl_type) { case KDB_TL_PRINCCOUNT: case KDB_TL_PRINCTYPE: case KDB_TL_MASK: { - int *iptr = (int *)value; - int ivalue = *iptr; - - currlen = tl_data->tl_data_length; - tl_data->tl_data_length += 1 + 2 + 2; + int *iptr = (int *)value; + int ivalue = *iptr; + + currlen = tl_data->tl_data_length; + tl_data->tl_data_length += 1 + 2 + 2; /* allocate required memory */ - reallocptr = tl_data->tl_data_contents; - tl_data->tl_data_contents = realloc(tl_data->tl_data_contents, - tl_data->tl_data_length); - if (tl_data->tl_data_contents == NULL) { - if (reallocptr) - free (reallocptr); - return ENOMEM; - } - curr = (char *) (tl_data->tl_data_contents + currlen); - + reallocptr = tl_data->tl_data_contents; + tl_data->tl_data_contents = realloc(tl_data->tl_data_contents, + tl_data->tl_data_length); + if (tl_data->tl_data_contents == NULL) { + if (reallocptr) + free (reallocptr); + return ENOMEM; + } + curr = (char *) (tl_data->tl_data_contents + currlen); + /* store the tl_type value */ - memset(curr, tl_type, 1); - curr += 1; + memset(curr, tl_type, 1); + curr += 1; /* store the content length */ - tldatalen = 2; - STORE16_INT(curr, tldatalen); - curr += 2; + tldatalen = 2; + STORE16_INT(curr, tldatalen); + curr += 2; /* store the content */ - STORE16_INT(curr, ivalue); - curr += 2; + STORE16_INT(curr, ivalue); + curr += 2; break; } case KDB_TL_USERDN: case KDB_TL_TKTPOLICYDN: { - char *cptr = (char *)value; - - currlen = tl_data->tl_data_length; - tl_data->tl_data_length += 1 + 2 + strlen(cptr); - /* allocate required memory */ - reallocptr = tl_data->tl_data_contents; - tl_data->tl_data_contents = realloc(tl_data->tl_data_contents, - tl_data->tl_data_length); - if (tl_data->tl_data_contents == NULL) { - if (reallocptr) - free (reallocptr); - return ENOMEM; - } - curr = (char *) (tl_data->tl_data_contents + currlen); - + char *cptr = (char *)value; + + currlen = tl_data->tl_data_length; + tl_data->tl_data_length += 1 + 2 + strlen(cptr); + /* allocate required memory */ + reallocptr = tl_data->tl_data_contents; + tl_data->tl_data_contents = realloc(tl_data->tl_data_contents, + tl_data->tl_data_length); + if (tl_data->tl_data_contents == NULL) { + if (reallocptr) + free (reallocptr); + return ENOMEM; + } + curr = (char *) (tl_data->tl_data_contents + currlen); + /* store the tl_type value */ - memset(curr, tl_type, 1); - curr += 1; + memset(curr, tl_type, 1); + curr += 1; /* store the content length */ - tldatalen = strlen(cptr); - STORE16_INT(curr, tldatalen); - curr += 2; + tldatalen = strlen(cptr); + STORE16_INT(curr, tldatalen); + curr += 2; /* store the content */ - memcpy(curr, cptr, tldatalen); - curr += tldatalen; - break; + memcpy(curr, cptr, tldatalen); + curr += tldatalen; + break; } case KDB_TL_KEYINFO: { - struct berval *key = (struct berval *)value; - - currlen = tl_data->tl_data_length; - tl_data->tl_data_length += 1 + 2 + key->bv_len; + struct berval *key = (struct berval *)value; + + currlen = tl_data->tl_data_length; + tl_data->tl_data_length += 1 + 2 + key->bv_len; /* allocate required memory */ - reallocptr = tl_data->tl_data_contents; - tl_data->tl_data_contents = realloc(tl_data->tl_data_contents, - tl_data->tl_data_length); - if (tl_data->tl_data_contents == NULL) { - if (reallocptr) - free (reallocptr); - return ENOMEM; - } - curr = (char *) (tl_data->tl_data_contents + currlen); - + reallocptr = tl_data->tl_data_contents; + tl_data->tl_data_contents = realloc(tl_data->tl_data_contents, + tl_data->tl_data_length); + if (tl_data->tl_data_contents == NULL) { + if (reallocptr) + free (reallocptr); + return ENOMEM; + } + curr = (char *) (tl_data->tl_data_contents + currlen); + /* store the tl_type value */ - memset(curr, tl_type, 1); - curr += 1; + memset(curr, tl_type, 1); + curr += 1; /* store the content length */ - tldatalen = key->bv_len; - STORE16_INT(curr, tldatalen); - curr += 2; + tldatalen = key->bv_len; + STORE16_INT(curr, tldatalen); + curr += 2; /* store the content */ - memcpy(curr, key->bv_val, key->bv_len); - curr += tldatalen; - break; + memcpy(curr, key->bv_val, key->bv_len); + curr += tldatalen; + break; } - + default: return 1; - + } return 0; } /* - * This function scans the tl_data structure to get the value of a type defined by the tl_type - * (second parameter). The tl_data structure has all the data in the tl_data_contents member. + * This function scans the tl_data structure to get the value of a type defined by the tl_type + * (second parameter). The tl_data structure has all the data in the tl_data_contents member. * The format of the tl_data_contents is as follows. - * The first byte defines the type of the content that follows. The next 2 bytes define the + * The first byte defines the type of the content that follows. The next 2 bytes define the * size n (in terms of bytes) of the content that follows. The next n bytes define the content * itself. */ @@ -638,22 +633,22 @@ decode_tl_data(tl_data, tl_type, data) unsigned char *curr=NULL; int *intptr=NULL; long *longptr=NULL; - char *DN=NULL; + char *DN=NULL; krb5_boolean keyfound=FALSE; KEY *secretkey = NULL; *data = NULL; curr = tl_data->tl_data_contents; - while(curr < (tl_data->tl_data_contents + tl_data->tl_data_length)) { + while (curr < (tl_data->tl_data_contents + tl_data->tl_data_length)) { /* get the type of the content */ subtype = (int) curr[0]; /* forward by 1 byte*/ curr += 1; - + if (subtype == tl_type) { - switch(subtype) { + switch (subtype) { case KDB_TL_PRINCCOUNT: case KDB_TL_PRINCTYPE: @@ -664,16 +659,16 @@ decode_tl_data(tl_data, tl_type, data) curr += 2; /* get the actual content */ if (sublen == 2) { - /* intptr = malloc(sublen); */ + /* intptr = malloc(sublen); */ intptr = malloc(sizeof(krb5_int32)); - if (intptr == NULL) + if (intptr == NULL) return ENOMEM; memset(intptr, 0, sublen); UNSTORE16_INT(curr, (*intptr)); *data = intptr; - } else { - longptr = malloc(sublen); - if (longptr == NULL) + } else { + longptr = malloc(sublen); + if (longptr == NULL) return ENOMEM; memset(longptr, 0, sublen); UNSTORE32_INT(curr, (*longptr)); @@ -712,18 +707,18 @@ decode_tl_data(tl_data, tl_type, data) return ENOMEM; secretkey->nkey = 0; secretkey->keys = NULL; - secretkey->keys = realloc(secretkey->keys, - sizeof(*(secretkey->keys)) * (limit)); + secretkey->keys = realloc(secretkey->keys, + sizeof(*(secretkey->keys)) * (limit)); if (secretkey->keys == NULL) return ENOMEM; memset(secretkey->keys, 0, sizeof (*(secretkey->keys)) * (limit)); } - if ( i == limit-1) { + if (i == limit-1) { limit *= 2; - secretkey->keys = realloc(secretkey->keys, + secretkey->keys = realloc(secretkey->keys, sizeof(*(secretkey->keys)) * (limit)); if (secretkey->keys == NULL) - return ENOMEM; + return ENOMEM; memset(secretkey->keys+i, 0, sizeof (*(secretkey->keys)) * (limit-i)); } @@ -751,13 +746,13 @@ decode_tl_data(tl_data, tl_type, data) if (tl_type == KDB_TL_KEYINFO) { if (keyfound) return 0; - else + else return EINVAL; } return EINVAL; } -/* +/* * wrapper routines for decode_tl_data */ static krb5_error_code @@ -771,23 +766,23 @@ krb5_get_int_from_tl_data(context, entries, type, intval) krb5_tl_data tl_data; void *voidptr=NULL; int *intptr=NULL; - + tl_data.tl_data_type = KDB_TL_USER_INFO; if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0) goto cleanup; - + if (decode_tl_data(&tl_data, type, &voidptr) == 0) { intptr = (int *) voidptr; *intval = *intptr; free(intptr); } - cleanup: +cleanup: return st; } /* - * get the mask representing the attributes set on the directory object (user, policy ...) + * get the mask representing the attributes set on the directory object (user, policy ...) */ krb5_error_code krb5_get_attributes_mask(context, entries, mask) @@ -825,16 +820,16 @@ krb5_get_secretkeys(context, entries, secretkey) krb5_error_code st=0; krb5_tl_data tl_data; void *voidptr=NULL; - + tl_data.tl_data_type = KDB_TL_USER_INFO; if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0) goto cleanup; - + if (decode_tl_data(&tl_data, KDB_TL_KEYINFO, &voidptr) == 0) { *secretkey = (KEY *) voidptr; } - cleanup: +cleanup: return st; } @@ -848,7 +843,7 @@ krb5_get_str_from_tl_data(context, entries, type, strval) krb5_error_code st=0; krb5_tl_data tl_data; void *voidptr=NULL; - + if (type != KDB_TL_USERDN && type != KDB_TL_CONTAINERDN && type != KDB_TL_TKTPOLICYDN) { st = EINVAL; goto cleanup; @@ -857,12 +852,12 @@ krb5_get_str_from_tl_data(context, entries, type, strval) tl_data.tl_data_type = KDB_TL_USER_INFO; if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0) goto cleanup; - + if (decode_tl_data(&tl_data, type, &voidptr) == 0) { *strval = (char *) voidptr; } - cleanup: +cleanup: return st; } @@ -896,10 +891,10 @@ krb5_get_policydn(context, entries, policydn) return krb5_get_str_from_tl_data(context, entries, KDB_TL_TKTPOLICYDN, policydn); } /* - * This function reads the attribute values (if the attribute is non-null) from the dn. + * This function reads the attribute values (if the attribute is non-null) from the dn. * The read attribute values is compared aganist the attrvalues passed to the function * and a bit mask is set for all the matching attributes (attributes existing in both list). - * The bit to be set is selected such that the index of the attribute in the attrvalues + * The bit to be set is selected such that the index of the attribute in the attrvalues * parameter is the position of the bit. * For ex: the first element in the attrvalues is present in both list shall set the LSB of the * bit mask. @@ -917,16 +912,16 @@ checkattributevalue (ld, dn, attribute, attrvalues, mask) int *mask; { int st=0, one=1; - char **values=NULL, *attributes[2] = {NULL}; + char **values=NULL, *attributes[2] = {NULL}; LDAPMessage *result=NULL, *entry=NULL; - + if (strlen(dn) == 0) - return LDAP_NO_SUCH_OBJECT; + return LDAP_NO_SUCH_OBJECT; attributes[0] = attribute; /* read the attribute values from the dn */ - if((st = ldap_search_ext_s( ld, + if ((st = ldap_search_ext_s(ld, dn, LDAP_SCOPE_BASE, 0, @@ -937,11 +932,11 @@ checkattributevalue (ld, dn, attribute, attrvalues, mask) &timelimit, LDAP_NO_LIMIT, &result)) != LDAP_SUCCESS) { - st = set_ldap_error(0, st, OP_SEARCH); + st = set_ldap_error(0, st, OP_SEARCH); return st; } - - /* + + /* * If the attribute/attrvalues is NULL, then check for the existence of the object alone */ if (attribute == NULL || attrvalues == NULL) @@ -950,17 +945,17 @@ checkattributevalue (ld, dn, attribute, attrvalues, mask) /* reset the bit mask */ *mask = 0; - if((entry=ldap_first_entry(ld, result)) != NULL) { + if ((entry=ldap_first_entry(ld, result)) != NULL) { /* read the attribute values */ - if((values=ldap_get_values(ld, entry, attribute)) != NULL) { + if ((values=ldap_get_values(ld, entry, attribute)) != NULL) { int i,j; - - /* compare the read attribute values with the attrvalues array and set the - * appropriate bit mask + + /* compare the read attribute values with the attrvalues array and set the + * appropriate bit mask */ - for(j=0; attrvalues[j]; ++j) { - for(i=0; values[i]; ++i) { - if(strcasecmp(values[i], attrvalues[j]) == 0) { + for (j=0; attrvalues[j]; ++j) { + for (i=0; values[i]; ++i) { + if (strcasecmp(values[i], attrvalues[j]) == 0) { *mask |= (one<mod_type = strdup(attribute); if ((*mods)[i]->mod_type == NULL) - return ENOMEM; + return ENOMEM; (*mods)[i]->mod_op = op; if (values != NULL) { - for (j=0; values[j] != NULL; ++j) - ; - (*mods)[i]->mod_values = malloc (sizeof(char *) * (j+1)); - if ((*mods)[i]->mod_values == NULL) - return ENOMEM; - - for (j=0; values[j] != NULL; ++j) { - (*mods)[i]->mod_values[j] = strdup(values[j]); - if ((*mods)[i]->mod_values[j] == NULL) + for (j=0; values[j] != NULL; ++j) + ; + (*mods)[i]->mod_values = malloc (sizeof(char *) * (j+1)); + if ((*mods)[i]->mod_values == NULL) return ENOMEM; - } - (*mods)[i]->mod_values[j] = NULL; + + for (j=0; values[j] != NULL; ++j) { + (*mods)[i]->mod_values[j] = strdup(values[j]); + if ((*mods)[i]->mod_values[j] == NULL) + return ENOMEM; + } + (*mods)[i]->mod_values[j] = NULL; } return 0; } krb5_error_code -krb5_add_ber_mem_ldap_mod(mods, attribute, op, ber_values) - LDAPMod ***mods; - char *attribute; - int op; - struct berval **ber_values; +krb5_add_ber_mem_ldap_mod(mods, attribute, op, ber_values) + LDAPMod ***mods; + char *attribute; + int op; + struct berval **ber_values; { int i=0, j=0; krb5_error_code st=0; if ((st=krb5_add_member(mods, &i)) != 0) - return st; - + return st; + (*mods)[i]->mod_type = strdup(attribute); if ((*mods)[i]->mod_type == NULL) - return ENOMEM; + return ENOMEM; (*mods)[i]->mod_op = op; for (j=0; ber_values[j] != NULL; ++j) - ; - (*mods)[i]->mod_bvalues = malloc (sizeof(struct berval *) * (j+1)); + ; + (*mods)[i]->mod_bvalues = malloc (sizeof(struct berval *) * (j+1)); if ((*mods)[i]->mod_bvalues == NULL) return ENOMEM; - + for (j=0; ber_values[j] != NULL; ++j) { (*mods)[i]->mod_bvalues[j] = calloc(1, sizeof(struct berval)); if ((*mods)[i]->mod_bvalues[j] == NULL) return ENOMEM; - (*mods)[i]->mod_bvalues[j]->bv_len = ber_values[j]->bv_len; + (*mods)[i]->mod_bvalues[j]->bv_len = ber_values[j]->bv_len; (*mods)[i]->mod_bvalues[j]->bv_val = malloc((*mods)[i]->mod_bvalues[j]->bv_len); if ((*mods)[i]->mod_bvalues[j]->bv_val == NULL) return ENOMEM; - memcpy((*mods)[i]->mod_bvalues[j]->bv_val, ber_values[j]->bv_val, + memcpy((*mods)[i]->mod_bvalues[j]->bv_val, ber_values[j]->bv_val, ber_values[j]->bv_len); } (*mods)[i]->mod_bvalues[j] = NULL; @@ -1414,29 +1409,29 @@ format_d (int val) } krb5_error_code -krb5_add_int_arr_mem_ldap_mod(mods, attribute, op, value) - LDAPMod ***mods; - char *attribute; - int op; - int *value; +krb5_add_int_arr_mem_ldap_mod(mods, attribute, op, value) + LDAPMod ***mods; + char *attribute; + int op; + int *value; { int i=0, j=0; krb5_error_code st=0; if ((st=krb5_add_member(mods, &i)) != 0) - return st; + return st; (*mods)[i]->mod_type = strdup(attribute); if ((*mods)[i]->mod_type == NULL) - return ENOMEM; + return ENOMEM; (*mods)[i]->mod_op = op; for (j=0; value[j] != -1; ++j) - ; + ; + + (*mods)[i]->mod_values = malloc(sizeof(char *) * (j+1)); - (*mods)[i]->mod_values = malloc(sizeof(char *) * (j+1)); - for (j=0; value[j] != -1; ++j) { if (((*mods)[i]->mod_values[j] = format_d(value[j])) == NULL) return ENOMEM; @@ -1446,22 +1441,22 @@ krb5_add_int_arr_mem_ldap_mod(mods, attribute, op, value) } krb5_error_code -krb5_add_int_mem_ldap_mod(mods, attribute, op, value) - LDAPMod ***mods; - char *attribute; - int op; - int value; +krb5_add_int_mem_ldap_mod(mods, attribute, op, value) + LDAPMod ***mods; + char *attribute; + int op; + int value; { int i=0; krb5_error_code st=0; if ((st=krb5_add_member(mods, &i)) != 0) - return st; - + return st; + (*mods)[i]->mod_type = strdup(attribute); if ((*mods)[i]->mod_type == NULL) - return ENOMEM; + return ENOMEM; (*mods)[i]->mod_op = op; (*mods)[i]->mod_values = calloc (2, sizeof(char *)); @@ -1471,50 +1466,50 @@ krb5_add_int_mem_ldap_mod(mods, attribute, op, value) } krb5_error_code -krb5_ldap_set_option( krb5_context kcontext, int option, void *value ) +krb5_ldap_set_option(krb5_context kcontext, int option, void *value) { krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP; - krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status)); return status; } krb5_error_code -krb5_ldap_lock( krb5_context kcontext, int mode ) +krb5_ldap_lock(krb5_context kcontext, int mode) { krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP; - krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status)); return status; } krb5_error_code -krb5_ldap_unlock( krb5_context kcontext ) +krb5_ldap_unlock(krb5_context kcontext) { krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP; - krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status)); return status; } krb5_error_code -krb5_ldap_supported_realms( krb5_context kcontext, char **realms ) +krb5_ldap_supported_realms(krb5_context kcontext, char **realms) { krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP; - krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status)); return status; } krb5_error_code -krb5_ldap_free_supported_realms( krb5_context kcontext, char **realms ) +krb5_ldap_free_supported_realms(krb5_context kcontext, char **realms) { krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP; - krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status)); return status; } krb5_error_code -krb5_ldap_errcode_2_string( krb5_context kcontext, long err_code ) +krb5_ldap_errcode_2_string(krb5_context kcontext, long err_code) { krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP; - krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status)); return status; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c index 15dcd8dc7..b646fe8e1 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c @@ -37,11 +37,11 @@ struct timeval timelimit = {300, 0}; /* 5 minutes */ char *principal_attributes[] = { "krbprincipalname", "objectclass", - "krbsecretkey", - "krbmaxrenewableage", - "krbmaxticketlife", + "krbsecretkey", + "krbmaxrenewableage", + "krbmaxticketlife", "krbticketflags", - "krbprincipalexpiration", + "krbprincipalexpiration", "krbpolicyreference", "krbUpEnabled", "krbpwdpolicyreference", @@ -50,16 +50,16 @@ char *principal_attributes[] = { "krbprincipalname", "loginexpirationtime", "logindisabled", #endif - "loginexpirationtime", + "loginexpirationtime", "logindisabled", "modifiersname", "modifytimestamp", NULL }; -static char *attributes_set[] = { "krbmaxrenewableage", - "krbmaxticketlife", +static char *attributes_set[] = { "krbmaxrenewableage", + "krbmaxticketlife", "krbticketflags", - "krbprincipalexpiration", + "krbprincipalexpiration", "krbpolicyreference", "krbUpEnabled", "krbpwdpolicyreference", @@ -69,7 +69,7 @@ static char *attributes_set[] = { "krbmaxrenewableage", void krb5_dbe_free_contents(context, entry) - krb5_context context; + krb5_context context; krb5_db_entry *entry; { krb5_tl_data *tl_data_next=NULL; @@ -91,8 +91,8 @@ krb5_dbe_free_contents(context, entry) for (j = 0; j < entry->key_data[i].key_data_ver; j++) { if (entry->key_data[i].key_data_length[j]) { if (entry->key_data[i].key_data_contents[j]) { - memset(entry->key_data[i].key_data_contents[j], - 0, + memset(entry->key_data[i].key_data_contents[j], + 0, (unsigned) entry->key_data[i].key_data_length[j]); free (entry->key_data[i].key_data_contents[j]); } @@ -119,7 +119,7 @@ krb5_ldap_free_principal(kcontext , entries, nentries) for (i = 0; i < nentries; i++) krb5_dbe_free_contents(kcontext, &entries[i]); return 0; -} +} krb5_error_code @@ -146,12 +146,12 @@ krb5_ldap_iterate(context, match_expr, func, func_arg) memset(&entry, 0, sizeof(krb5_db_entry)); SETUP_CONTEXT(); - + realm = ldap_context->lrparams->realm_name; if (realm == NULL) { realm = context->default_realm; if (realm == NULL) { - st = EINVAL; + st = EINVAL; krb5_set_error_message(context, st, "Default realm not set"); goto cleanup; } @@ -169,11 +169,11 @@ krb5_ldap_iterate(context, match_expr, func, func_arg) GET_HANDLE(); for (tree=0; treelrparams->search_scope, filter, krbprincipal_attr); - for(ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) { + for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) { if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { - for(i=0; values[i] != NULL; ++i) { + for (i=0; values[i] != NULL; ++i) { if (krb5_ldap_parse_principal_name(values[i], &princ_name) != 0) continue; if (krb5_parse_name(context, princ_name, &principal) != 0) @@ -183,23 +183,23 @@ krb5_ldap_iterate(context, match_expr, func, func_arg) (*func)(func_arg, &entry); } krb5_free_principal(context, principal); - if (princ_name) + if (princ_name) free(princ_name); } ldap_value_free(values); } - } /* end of for(ent= ... */ + } /* end of for (ent= ... */ ldap_msgfree(result); - } /* end of for(tree= ... */ - - cleanup: + } /* end of for (tree= ... */ + +cleanup: if (filter) free (filter); - - for ( ;ntree; --ntree) + + for (;ntree; --ntree) if (subtree[ntree-1]) free (subtree[ntree-1]); - + krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; } @@ -218,7 +218,7 @@ krb5_ldap_delete_principal(context, searchfor, nentries) LDAPMod **mods=NULL; LDAP *ld=NULL; int j=0, ptype=KDB_USER_PRINCIPAL, pcount=0, attrsetmask=0; - krb5_error_code st=0; + krb5_error_code st=0; krb5_boolean singleentry=FALSE; KEY *secretkey=NULL; kdb5_dal_handle *dal_handle=NULL; @@ -241,9 +241,9 @@ krb5_ldap_delete_principal(context, searchfor, nentries) ((st=krb5_get_princ_count(context, &entries, &(pcount))) != 0) || ((st=krb5_get_userdn(context, &entries, &(DN))) != 0) || ((st=krb5_get_policydn(context, &entries, &policydn)) != 0) || - ((st=krb5_get_secretkeys(context, &entries, &secretkey)) != 0)) + ((st=krb5_get_secretkeys(context, &entries, &secretkey)) != 0)) goto cleanup; - + if (DN == NULL) { st = EINVAL; krb5_set_error_message(context, st, "DN information missing"); @@ -254,16 +254,16 @@ krb5_ldap_delete_principal(context, searchfor, nentries) if (ptype == KDB_USER_PRINCIPAL) { - if(((st=krb5_unparse_name(context, searchfor, &user)) != 0) - || ((st=krb5_ldap_unparse_principal_name(user)) != 0)) - goto cleanup; - + if (((st=krb5_unparse_name(context, searchfor, &user)) != 0) + || ((st=krb5_ldap_unparse_principal_name(user)) != 0)) + goto cleanup; + memset(strval, 0, sizeof(strval)); strval[0] = user; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_DELETE, + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_DELETE, strval)) != 0) goto cleanup; - + singleentry = (pcount == 1) ? TRUE: FALSE; if (singleentry == FALSE) { if (secretkey != NULL) { @@ -272,13 +272,13 @@ krb5_ldap_delete_principal(context, searchfor, nentries) goto cleanup; } } else { - /* + /* * If the Kerberos user principal to be deleted happens to be the last one associated - * with the directory user object, then it is time to delete the other kerberos + * with the directory user object, then it is time to delete the other kerberos * specific attributes like krbmaxticketlife, i.e, unkerberize the directory user. - * From the attrsetmask value, identify the attributes set on the directory user + * From the attrsetmask value, identify the attributes set on the directory user * object and delete them. - * NOTE: krbsecretkey attribute has per principal entries. There can be chances that the + * NOTE: krbsecretkey attribute has per principal entries. There can be chances that the * other principals' keys are exisiting/left-over. So delete all the values. */ while (attrsetmask) { @@ -290,10 +290,9 @@ krb5_ldap_delete_principal(context, searchfor, nentries) attrsetmask >>= 1; ++j; } - if(policydn != NULL) - { - if ((st = krb5_ldap_change_count(context, policydn,2 ))) - goto cleanup; + if (policydn != NULL) { + if ((st = krb5_ldap_change_count(context, policydn,2))) + goto cleanup; } @@ -305,7 +304,7 @@ krb5_ldap_delete_principal(context, searchfor, nentries) if ((st=checkattributevalue(ld, DN, "objectclass", attrvalues, &amask)) != 0) goto cleanup; memset(strval, 0, sizeof(strval)); - for(p=1, q=0; p<=4; p<<=1, ++q) + for (p=1, q=0; p<=4; p<<=1, ++q) if (p & amask) strval[r++] = attrvalues[q]; strval[r] = NULL; @@ -317,23 +316,22 @@ krb5_ldap_delete_principal(context, searchfor, nentries) } } st=ldap_modify_s(ld, DN, mods); - if (st != LDAP_SUCCESS) { + if (st != LDAP_SUCCESS) { st = set_ldap_error(context, st, OP_MOD); goto cleanup; - } - } - else if (ptype == KDB_SERVICE_PRINCIPAL) { + } + } else if (ptype == KDB_SERVICE_PRINCIPAL) { st = ldap_delete_s(ld, DN); if (st != LDAP_SUCCESS) { st = set_ldap_error (context, st, OP_DEL); goto cleanup; - } + } } - - cleanup: + +cleanup: if (user) free (user); - + if (DN) free (DN); @@ -364,45 +362,38 @@ krb5_ldap_delete_principal(context, searchfor, nentries) * in the principal name component. * * Arguments: - * user_name (input/output) Principal name - * + * user_name (input/output) Principal name + * */ krb5_error_code krb5_ldap_unparse_principal_name(char *user_name) { char *tmp_princ_name=NULL, *princ_name=NULL, *tmp=NULL; - int l=0; + int l=0; krb5_error_code st=0; - if(strstr(user_name, "\\@")) - { + if (strstr(user_name, "\\@")) { tmp_princ_name = strdup(user_name); - if( !tmp_princ_name ) - { + if (!tmp_princ_name) { st = ENOMEM; goto cleanup; } tmp = tmp_princ_name; princ_name = (char *) malloc (strlen(user_name)); - if( !princ_name ) - { + if (!princ_name) { st = ENOMEM; goto cleanup; } memset(princ_name, 0, strlen(user_name)); l = 0; - while(*tmp_princ_name) - { - if((*tmp_princ_name == '\\') && (*(tmp_princ_name+1) == '@')) - { + while (*tmp_princ_name) { + if ((*tmp_princ_name == '\\') && (*(tmp_princ_name+1) == '@')) { tmp_princ_name += 1; - } - else - { + } else { *(princ_name + l) = *tmp_princ_name++; l++; } @@ -412,7 +403,7 @@ krb5_ldap_unparse_principal_name(char *user_name) sprintf(user_name, "%s", princ_name); } - cleanup: +cleanup: if (tmp) { free(tmp); tmp = NULL; @@ -430,13 +421,13 @@ krb5_ldap_unparse_principal_name(char *user_name) /* * Function: krb5_ldap_parse_principal_name * - * Purpose: Inserts '\\' before every occurence of '@' + * Purpose: Inserts '\\' before every occurence of '@' * in the principal name component. * * Arguments: * i_princ_name (input) Principal name without '\\' * o_princ_name (output) Principal name with '\\' - * + * * Note: The caller has to free the memory allocated for o_princ_name. */ @@ -451,39 +442,32 @@ krb5_ldap_parse_principal_name(i_princ_name, o_princ_name) at_rlm_name = strrchr(i_princ_name, '@'); - if(!at_rlm_name) - { + if (!at_rlm_name) { *o_princ_name = strdup(i_princ_name); - if( !o_princ_name ) - { + if (!o_princ_name) { st = ENOMEM; goto cleanup; } - } - else - { + } else { tmp_princ_name_len = at_rlm_name - i_princ_name; tmp_princ_name = (char *) malloc ((unsigned) tmp_princ_name_len + 1); - if( !tmp_princ_name ) - { + if (!tmp_princ_name) { st = ENOMEM; goto cleanup; } memset(tmp_princ_name, 0, (unsigned) tmp_princ_name_len + 1); - memcpy( tmp_princ_name, i_princ_name, (unsigned) tmp_princ_name_len); + memcpy(tmp_princ_name, i_princ_name, (unsigned) tmp_princ_name_len); l = 0; - while(tmp_princ_name[l]) - { - if(tmp_princ_name[l++] == '@') + while (tmp_princ_name[l]) { + if (tmp_princ_name[l++] == '@') at_count++; } princ_name_len = strlen(i_princ_name) + at_count + 1; princ_name = (char *) malloc ((unsigned) princ_name_len); - if( !princ_name ) - { + if (!princ_name) { st = ENOMEM; goto cleanup; } @@ -491,9 +475,8 @@ krb5_ldap_parse_principal_name(i_princ_name, o_princ_name) l = 0; m = 0; - while(tmp_princ_name[l]) - { - if(tmp_princ_name[l] == '@'){ + while (tmp_princ_name[l]) { + if (tmp_princ_name[l] == '@') { princ_name[m++]='\\'; } princ_name[m++]=tmp_princ_name[l++]; @@ -503,7 +486,7 @@ krb5_ldap_parse_principal_name(i_princ_name, o_princ_name) *o_princ_name = princ_name; } - cleanup: +cleanup: if (tmp_princ_name) { free(tmp_princ_name); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 52c113cd5..d54453cc1 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -39,7 +39,7 @@ extern char* principal_attributes[]; extern char* max_pwd_life_attr[]; -#if !defined( LDAP_OPT_RESULT_CODE) && defined(LDAP_OPT_ERROR_NUMBER) +#if !defined(LDAP_OPT_RESULT_CODE) && defined(LDAP_OPT_ERROR_NUMBER) #define LDAP_OPT_RESULT_CODE LDAP_OPT_ERROR_NUMBER #endif @@ -50,7 +50,7 @@ static krb5_error_code krb5_read_tkt_policyreference(krb5_context, krb5_ldap_context *, krb5_db_entry *, char *); static char * -getstringtime(krb5_timestamp ); +getstringtime(krb5_timestamp); /* * look up a principal in the directory. @@ -84,10 +84,10 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more) /* set initial values */ *nentries = 0; - *more = 0; + *more = 0; memset(entries, 0, sizeof(*entries)); - - if (searchfor == NULL) + + if (searchfor == NULL) return EINVAL; dal_handle = (kdb5_dal_handle *) context->db_context; @@ -99,14 +99,14 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more) *more = 0; krb5_set_error_message (context, st, "Principal does not belong to realm"); goto cleanup; - } - + } + if ((st=krb5_unparse_name(context, searchfor, &user)) != 0) - goto cleanup; + goto cleanup; if ((st=krb5_ldap_unparse_principal_name(user)) != 0) - goto cleanup; - + goto cleanup; + princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ if ((filter=malloc(princlen)) == NULL) { st = ENOMEM; @@ -122,12 +122,12 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more) LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes); for (ent=ldap_first_entry(ld, result); ent != NULL && *nentries == 0; ent=ldap_next_entry(ld, ent)) { - + /* get the associated directory user information */ if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { int i=0, pcount=0, ptype=KDB_USER_PRINCIPAL; - - /* a wild-card in a principal name can return a list of kerberos principals. + + /* a wild-card in a principal name can return a list of kerberos principals. * Make sure that the correct principal is returned. * NOTE: a principalname k* in ldap server will return all the principals starting with a k */ @@ -139,32 +139,32 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more) } } ldap_value_free(values); - + if (*nentries == 0) /* no matching principal found */ continue; if ((DN = ldap_get_dn(ld, ent)) == NULL) { - ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st); + ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st); st = set_ldap_error (context, st, 0); goto cleanup; } - - if ((values=ldap_get_values(ld, ent, "objectclass")) != NULL) { - for(i=0; values[i] != NULL; ++i) + + if ((values=ldap_get_values(ld, ent, "objectclass")) != NULL) { + for (i=0; values[i] != NULL; ++i) if (strcasecmp(values[i], "krbprincipal") == 0) { ptype = KDB_SERVICE_PRINCIPAL; break; } ldap_value_free(values); } - + /* add principalcount, DN and principaltype user information to tl_data */ if (((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCCOUNT, &pcount)) != 0) || ((st=store_tl_data(&userinfo_tl_data, KDB_TL_USERDN, DN)) != 0) || ((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCTYPE, &ptype)) != 0)) goto cleanup; } - + /* populate entries->princ with searchfor value */ if ((st=krb5_copy_principal(context, searchfor, &(entries->princ))) != 0) goto cleanup; @@ -174,7 +174,7 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more) /* KRBMAXTICKETLIFE */ if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", &(entries->max_life)) == 0) mask |= KDB_MAX_LIFE_ATTR; - + /* KRBMAXRENEWABLEAGE */ if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &(entries->max_renewable_life)) == 0) mask |= KDB_MAX_RLIFE_ATTR; @@ -184,14 +184,14 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more) mask |= KDB_TKT_FLAGS_ATTR; /* PRINCIPAL EXPIRATION TIME */ - if ((st=krb5_ldap_get_time(ld, ent, "krbprincipalexpiration", &(entries->expiration), + if ((st=krb5_ldap_get_time(ld, ent, "krbprincipalexpiration", &(entries->expiration), &attr_present)) != 0) goto cleanup; if (attr_present == TRUE) mask |= KDB_PRINC_EXPIRE_TIME_ATTR; - + /* PASSWORD EXPIRATION TIME */ - if ((st=krb5_ldap_get_time(ld, ent, "krbpasswordexpiration", &(entries->pw_expiration), + if ((st=krb5_ldap_get_time(ld, ent, "krbpasswordexpiration", &(entries->pw_expiration), &attr_present)) != 0) goto cleanup; if (attr_present == TRUE) @@ -200,12 +200,12 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more) /* KRBPOLICYREFERENCE */ if ((st=krb5_ldap_get_string(ld, ent, "krbpolicyreference", &policydn, &attr_present)) != 0) - goto cleanup; + goto cleanup; - if(attr_present == TRUE){ - if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_TKTPOLICYDN, policydn)) != 0) - goto cleanup; - mask |= KDB_POL_REF_ATTR; + if (attr_present == TRUE) { + if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_TKTPOLICYDN, policydn)) != 0) + goto cleanup; + mask |= KDB_POL_REF_ATTR; } /* KRBPWDPOLICYREFERENCE */ @@ -215,19 +215,19 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more) krb5_tl_data kadm_tl_data; mask |= KDB_PWD_POL_REF_ATTR; - if((st = krb5_update_tl_kadm_data(pwdpolicydn, &kadm_tl_data)) != 0){ + if ((st = krb5_update_tl_kadm_data(pwdpolicydn, &kadm_tl_data)) != 0) { goto cleanup; } krb5_dbe_update_tl_data(context, entries, &kadm_tl_data); } /* KRBSECRETKEY */ - if((bvalues=ldap_get_values_len(ld, ent, "krbsecretkey")) != NULL) { + if ((bvalues=ldap_get_values_len(ld, ent, "krbsecretkey")) != NULL) { mask |= KDB_SECRET_KEY; if ((st=krb5_decode_krbsecretkey(context, entries, bvalues, &userinfo_tl_data)) != 0) goto cleanup; } - + /* MODIFY TIMESTAMP */ if ((st=krb5_ldap_get_time(ld, ent, "modifytimestamp", &modtime, &attr_present)) != 0) goto cleanup; @@ -248,17 +248,17 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more) goto cleanup; if ((st=krb5_dbe_update_tl_data(context, entries, &userinfo_tl_data)) != 0) goto cleanup; - + #ifdef HAVE_EDIRECTORY { krb5_timestamp expiretime=0; char *is_login_disabled=NULL; /* LOGIN EXPIRATION TIME */ - if ((st=krb5_ldap_get_time(ld, ent, "loginexpirationtime", &expiretime, + if ((st=krb5_ldap_get_time(ld, ent, "loginexpirationtime", &expiretime, &attr_present)) != 0) goto cleanup; - + if (attr_present == TRUE) { if ((mask & KDB_PRINC_EXPIRE_TIME_ATTR) == 1) { if (expiretime < entries->expiration) @@ -267,13 +267,13 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more) entries->expiration = expiretime; } } - - /* LOGIN DISABLED */ + + /* LOGIN DISABLED */ if ((st=krb5_ldap_get_string(ld, ent, "logindisabled", &is_login_disabled, &attr_present)) != 0) goto cleanup; if (attr_present == TRUE) { if (strcasecmp(is_login_disabled,"TRUE")== 0) - entries->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; + entries->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; free (is_login_disabled); } } @@ -281,27 +281,27 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more) } ldap_msgfree(result); result = NULL; - } /* for(tree=0 ... */ - + } /* for (tree=0 ... */ + /* once done, put back the ldap handle */ krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); ldap_server_handle = NULL; - + /* if principal not found */ if (*nentries == 0) goto cleanup; - + if ((st=krb5_read_tkt_policyreference(context, ldap_context, entries, policydn)) !=0) goto cleanup; - + if (pwdpolicydn) { osa_policy_ent_t pwdpol; int cnt=0; krb5_timestamp last_pw_changed; - krb5_ui_4 pw_max_life; + krb5_ui_4 pw_max_life; memset(&pwdpol, 0, sizeof(pwdpol)); - + if ((st=krb5_ldap_get_password_policy(context, pwdpolicydn, &pwdpol, &cnt)) != 0) goto cleanup; pw_max_life = pwdpol->pw_max_life; @@ -311,42 +311,42 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more) if ((st=krb5_dbe_lookup_last_pwd_change(context, entries, &last_pw_changed)) != 0) goto cleanup; - if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) { + if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) { if ((last_pw_changed + pw_max_life) < entries->pw_expiration) entries->pw_expiration = last_pw_changed + pw_max_life; } else entries->pw_expiration = last_pw_changed + pw_max_life; } } - - cleanup: + +cleanup: ldap_msgfree(result); - + if (*nentries == 0 || st != 0) krb5_dbe_free_contents(context, entries); - if (filter) + if (filter) free (filter); if (DN) ldap_memfree (DN); for (; ntrees; --ntrees) - if (subtree[ntrees-1]) + if (subtree[ntrees-1]) free (subtree[ntrees-1]); if (userinfo_tl_data.tl_data_contents) free(userinfo_tl_data.tl_data_contents); - - if (ldap_server_handle) - krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); + + if (ldap_server_handle) + krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); if (user) free(user); - + if (modname) free(modname); - + if (parsed_mod_name) krb5_free_principal(context, parsed_mod_name); @@ -367,7 +367,7 @@ typedef struct _xargs_t { char *tktpolicydn; }xargs_t; -static void +static void free_xargs(xargs) xargs_t xargs; { @@ -379,7 +379,7 @@ free_xargs(xargs) free (xargs.tktpolicydn); } -static krb5_error_code +static krb5_error_code process_db_args(context, db_args, xargs) krb5_context context; char **db_args; @@ -391,22 +391,21 @@ process_db_args(context, db_args, xargs) char *arg=NULL, *arg_val=NULL; unsigned int arg_val_len=0; krb5_boolean uflag=FALSE, cflag=FALSE; - - if (db_args) - { + + if (db_args) { for (i=0; db_args[i]; ++i) { arg = strtok_r(db_args[i], "=", &arg_val); - if(strcmp(arg, USERDN_ARG) == 0) { + if (strcmp(arg, USERDN_ARG) == 0) { if (cflag == TRUE) { st = EINVAL; - krb5_set_error_message(context, st, "'containerdn' and 'userdn' can not both " - "be specified"); + krb5_set_error_message(context, st, "'containerdn' and 'userdn' can not both " + "be specified"); goto cleanup; } if (xargs->dn != NULL || xargs->containerdn != NULL) { st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg); - krb5_set_error_message(context, st, "%s", errbuf); + snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg); + krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } if (strcmp(arg_val, "") == 0 || arg_val == NULL) { @@ -428,14 +427,14 @@ process_db_args(context, db_args, xargs) } else if (strcmp(arg, CONTAINERDN_ARG) == 0) { if (uflag == TRUE) { st = EINVAL; - krb5_set_error_message(context, st, "'containerdn' and 'userdn' can not both " - "be specified"); + krb5_set_error_message(context, st, "'containerdn' and 'userdn' can not both " + "be specified"); goto cleanup; } if (xargs->dn != NULL || xargs->containerdn != NULL) { st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg); - krb5_set_error_message(context, st, "%s", errbuf); + snprintf(errbuf, sizeof(errbuf), "%s option not supported", arg); + krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } if (strcmp(arg_val, "") == 0 || arg_val == NULL) { @@ -468,7 +467,7 @@ process_db_args(context, db_args, xargs) goto cleanup; } memcpy(xargs->tktpolicydn, arg_val, arg_val_len); - + } else { st = EINVAL; snprintf(errbuf, sizeof(errbuf), "unknown option: %s", arg); @@ -477,7 +476,7 @@ process_db_args(context, db_args, xargs) } } } - cleanup: +cleanup: return st; } @@ -502,7 +501,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) KEY *oldkeys=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; - krb5_ldap_server_handle *ldap_server_handle=NULL; + krb5_ldap_server_handle *ldap_server_handle=NULL; osa_princ_ent_rec princ_ent; xargs_t xargs={0}; char *oldpolicydn = NULL; @@ -513,17 +512,17 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) SETUP_CONTEXT(); if (ldap_context->lrparams == NULL || ldap_context->krbcontainer == NULL) return EINVAL; - + /* get ldap handle */ GET_HANDLE(); - + for (i=0; i < *nentries; ++i, ++entries) { if (is_principal_in_realm(ldap_context, entries->princ) != 0) { - st = EINVAL; - krb5_set_error_message(context, st, "Principal does not belong to the default realm"); + st = EINVAL; + krb5_set_error_message(context, st, "Principal does not belong to the default realm"); goto cleanup; } - + /* get the principal information to act on */ if (entries->princ) { if (((st=krb5_unparse_name(context,entries->princ, &user)) !=0) || @@ -534,9 +533,9 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) xargs.ptype = KDB_SERVICE_PRINCIPAL; if (((st=krb5_get_princ_type(context, entries, &(xargs.ptype))) != 0) || ((st=krb5_get_userdn(context, entries, &(xargs.dn))) != 0) || - ((st=krb5_get_secretkeys(context, entries, &oldkeys)) != 0)) + ((st=krb5_get_secretkeys(context, entries, &oldkeys)) != 0)) goto cleanup; - + if ((st=process_db_args(context, db_args, &xargs)) != 0) goto cleanup; @@ -546,20 +545,20 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) krb5_set_error_message(context, st, "User DN is missing"); goto cleanup; } - - /* get the subtree information */ - if (entries->princ->length == 2 && entries->princ->data[0].length == strlen("krbtgt") && + + /* get the subtree information */ + if (entries->princ->length == 2 && entries->princ->data[0].length == strlen("krbtgt") && strncmp(entries->princ->data[0].data, "krbtgt", entries->princ->data[0].length) == 0) { /* if the principal is a inter-realm principal, always created in the realm container */ subtree = strdup(ldap_context->lrparams->realmdn); } else if (xargs.containerdn) { if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) { - if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) { + if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) { int ost = st; - st = EINVAL; - sprintf(errbuf, "'%s' not found: ", xargs.containerdn); - prepend_err_str(context, errbuf, st, ost); - } + st = EINVAL; + sprintf(errbuf, "'%s' not found: ", xargs.containerdn); + prepend_err_str(context, errbuf, st, ost); + } goto cleanup; } subtree = strdup(xargs.containerdn); @@ -570,25 +569,25 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) } CHECK_NULL(subtree); - xargs.dn = malloc(strlen("krbprincipalname=") + strlen(user) + strlen(",") + + xargs.dn = malloc(strlen("krbprincipalname=") + strlen(user) + strlen(",") + strlen(subtree) + 1); CHECK_NULL(xargs.dn); sprintf(xargs.dn, "krbprincipalname=%s,%s", user, subtree); } - + if (xargs.dn_from_kbd == TRUE) { /* make sure the DN falls in the subtree */ int tre=0, dnlen=0, subtreelen=0, ntrees=0; char *subtreelist[2]={NULL}; krb5_boolean outofsubtree=TRUE; - + /* get the current subtree list */ if ((st = krb5_get_subtree_info(ldap_context, subtreelist, &ntrees)) != 0) goto cleanup; - - for( tre=0; tremask & KDB_MAX_LIFE) { + + if (entries->mask & KDB_MAX_LIFE) { if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entries->max_life)) != 0) goto cleanup; } - + if (entries->mask & KDB_MAX_RLIFE) { if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, entries->max_renewable_life)) != 0) goto cleanup; } - + if (entries->mask & KDB_ATTRIBUTES) { if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, entries->attributes)) != 0) goto cleanup; } - + if (entries->mask & KDB_PRINCIPAL) { memset(strval, 0, sizeof(strval)); strval[0] = user; @@ -725,32 +724,32 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) } free (strval[0]); } - + if (entries->mask & KDB_PW_EXPIRATION) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration", - LDAP_MOD_REPLACE, + LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free (strval[0]); } - + if (entries->mask & KDB_POLICY) { - for(tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) { + for (tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) { if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) { memset(&princ_ent, 0, sizeof(princ_ent)); /* FIX ME: I guess the princ_ent should be freed after this call */ - if((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) { + if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) { goto cleanup; } } } - - if(princ_ent.aux_attributes & KDB_POLICY) { + + if (princ_ent.aux_attributes & KDB_POLICY) { memset(strval, 0, sizeof(strval)); strval[0] = princ_ent.policy; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) @@ -761,20 +760,20 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) goto cleanup; } } - + if (entries->mask & KDB_POLICY_CLR) { memset(strval, 0, sizeof(strval)); if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, strval)) != 0) goto cleanup; } - + if (entries->mask & KDB_KEY_DATA || entries->mask & KDB_KVNO) { int kcount=0, zero=0, salttype=0, totalkeys=0; char *currpos=NULL, *krbsecretkey=NULL; - + /* delete the old keys */ if (oldkeys) { - if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbsecretkey", LDAP_MOD_DELETE | LDAP_MOD_BVALUES, + if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbsecretkey", LDAP_MOD_DELETE | LDAP_MOD_BVALUES, oldkeys->keys)) != 0) goto cleanup; } @@ -789,7 +788,7 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) for (kcount=0; kcount < entries->n_key_data; ++kcount) keys[kcount] = entries->key_data+kcount; totalkeys = entries->n_key_data; - + kcount = 0; while (totalkeys) { int noofkeys=0, currkvno=0, currkvno_org=0, rlen=0; @@ -800,11 +799,11 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) memset(krbsecretkey, 0, MAX_KEY_LENGTH); currpos = krbsecretkey; rlen = MAX_KEY_LENGTH; - + STORE16_INT(currpos, plen); /* principal len */ currpos +=2; rlen -=2; - + for (l=0; l < entries->n_key_data; ++l) if (keys[l] != NULL) { currkvno = keys[l]->key_data_kvno; @@ -815,88 +814,88 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) STORE16_INT(currpos, currkvno); /* principal key version */ currpos +=2; rlen -=2; - + memset(currpos, 0, 2); /* master key version */ currpos +=2; rlen -=2; - + if ((st=krb5_dbe_lookup_last_pwd_change(context, entries, &last_pw_changed)) != 0) goto cleanup; STORE32_INT(currpos, last_pw_changed); /* last pwd change */ currpos += 4; rlen -=4; - + for (noofkeys=0; l < entries->n_key_data; ++l) if (keys[l] && keys[l]->key_data_kvno == currkvno_org) ++noofkeys; - + STORE16_INT(currpos, noofkeys); /* number of keys */ currpos +=2; rlen -=2; - + /* key type, key length, salt type and salt type */ for (l=0; ln_key_data; ++l) { - if ( keys[l] && keys[l]->key_data_kvno == currkvno_org) { + if (keys[l] && keys[l]->key_data_kvno == currkvno_org) { STORE16_INT(currpos, keys[l]->key_data_type[0]); currpos +=2; - rlen -=2; + rlen -=2; STORE16_INT(currpos, keys[l]->key_data_length[0]); currpos +=2; - rlen -=2; - - STORE16_INT(currpos, keys[l]->key_data_type[1]); + rlen -=2; + + STORE16_INT(currpos, keys[l]->key_data_type[1]); currpos +=2; - rlen -=2; + rlen -=2; salttype = keys[l]->key_data_type[1]; if (salttype==KRB5_KDB_SALTTYPE_NOREALM || salttype==KRB5_KDB_SALTTYPE_ONLYREALM) { - STORE16_INT(currpos, zero); + STORE16_INT(currpos, zero); } else { STORE16_INT(currpos, keys[l]->key_data_length[1]); } currpos +=2; - rlen -=2; - } + rlen -=2; + } + } + if (plen > rlen) { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), "Insufficient buffer while storing the key of principal %s", user); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; } - if (plen > rlen) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "Insufficient buffer while storing the key of principal %s", user); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } memcpy(currpos, user, (unsigned int)plen); /* principal name */ currpos +=plen; rlen -=plen; - + /* key value, salt value */ - for(l=0; ln_key_data; ++l) { + for (l=0; ln_key_data; ++l) { if (keys[l] && keys[l]->key_data_kvno == currkvno_org) { if (keys[l]->key_data_length[0]) { - if (keys[l]->key_data_length[0] > rlen) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "Insufficient buffer while storing the key of principal %s", user); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } + if (keys[l]->key_data_length[0] > rlen) { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), "Insufficient buffer while storing the key of principal %s", user); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } memcpy(currpos, keys[l]->key_data_contents[0], keys[l]->key_data_length[0]); currpos += keys[l]->key_data_length[0]; - rlen -= keys[l]->key_data_length[0]; - } - + rlen -= keys[l]->key_data_length[0]; + } + salttype = keys[l]->key_data_type[1]; - if (keys[l]->key_data_length[1] && (!(salttype==KRB5_KDB_SALTTYPE_NOREALM + if (keys[l]->key_data_length[1] && (!(salttype==KRB5_KDB_SALTTYPE_NOREALM || salttype==KRB5_KDB_SALTTYPE_ONLYREALM))) { - if (keys[l]->key_data_length[1] > rlen) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "Insufficient buffer while storing the key of principal %s", user); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } + if (keys[l]->key_data_length[1] > rlen) { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), "Insufficient buffer while storing the key of principal %s", user); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } memcpy(currpos, keys[l]->key_data_contents[1], keys[l]->key_data_length[1]); currpos += keys[l]->key_data_length[1]; - rlen -= keys[l]->key_data_length[1]; + rlen -= keys[l]->key_data_length[1]; } keys[l] = NULL; - } + } } bersecretkey[kcount] = malloc (sizeof (struct berval)); CHECK_NULL(bersecretkey[kcount]); @@ -904,125 +903,123 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) bersecretkey[kcount++]->bv_val = krbsecretkey; totalkeys = totalkeys - noofkeys; } - if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbsecretkey", + if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbsecretkey", LDAP_MOD_ADD | LDAP_MOD_BVALUES, bersecretkey)) != 0) goto cleanup; - if (!(entries->mask & KDB_PRINCIPAL)){ - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, - "krbpasswordexpiration", - LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } + if (!(entries->mask & KDB_PRINCIPAL)) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, + "krbpasswordexpiration", + LDAP_MOD_REPLACE, strval)) != 0) { + free (strval[0]); + goto cleanup; + } free (strval[0]); } } /* Modify Key data ends here */ /* Directory specific attribute */ if (xargs.tktpolicydn != NULL) { - int tmask=0, tkttree = 0, subtreednlen = 0, ntre = 0, tktdnlen = 0; + int tmask=0, tkttree = 0, subtreednlen = 0, ntre = 0, tktdnlen = 0; - char *subtreednlist[2]={NULL}; - krb5_boolean dnoutofsubtree=TRUE; + char *subtreednlist[2]={NULL}; + krb5_boolean dnoutofsubtree=TRUE; - if ((st=krb5_get_policydn(context, entries, &oldpolicydn)) != 0) - goto cleanup; - - if (strlen(xargs.tktpolicydn) != 0) { - st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask); - CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: "); - - memset(strval, 0, sizeof(strval)); - strval[0] = xargs.tktpolicydn; - if ((st = krb5_get_subtree_info(ldap_context, subtreednlist, &ntre)) != 0) - goto cleanup; + if ((st=krb5_get_policydn(context, entries, &oldpolicydn)) != 0) + goto cleanup; - for( tkttree=0; tkttree subtreednlen) && (strcasecmp((xargs.tktpolicydn + tktdnlen - subtreednlen), subtreednlist[tkttree]) == 0)) { - dnoutofsubtree = FALSE; - break; - } - } - } - for( tkttree=0; tkttree < ntre; ++tkttree ) { - free( subtreednlist[tkttree] ); - } - if( dnoutofsubtree == TRUE ) { - st = EINVAL; - prepend_err_str(context,"Ticket Policy DN is out of the realm subtree",st,st); - goto cleanup; - } + if (strlen(xargs.tktpolicydn) != 0) { + st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask); + CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: "); - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) - goto cleanup; - if(oldpolicydn != NULL){ - if(strncmp(xargs.tktpolicydn,oldpolicydn,strlen(xargs.tktpolicydn)) != 0) - { - if ((st = krb5_ldap_change_count(context, oldpolicydn,2 ))) - goto cleanup; - } + memset(strval, 0, sizeof(strval)); + strval[0] = xargs.tktpolicydn; + if ((st = krb5_get_subtree_info(ldap_context, subtreednlist, &ntre)) != 0) + goto cleanup; + + for (tkttree=0; tkttree subtreednlen) && (strcasecmp((xargs.tktpolicydn + tktdnlen - subtreednlen), subtreednlist[tkttree]) == 0)) { + dnoutofsubtree = FALSE; + break; } + } + } + for (tkttree=0; tkttree < ntre; ++tkttree) { + free(subtreednlist[tkttree]); + } + if (dnoutofsubtree == TRUE) { + st = EINVAL; + prepend_err_str(context,"Ticket Policy DN is out of the realm subtree",st,st); + goto cleanup; + } - if ((st = krb5_ldap_change_count(context, xargs.tktpolicydn,1 ))) - goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) + goto cleanup; + if (oldpolicydn != NULL) { + if (strncmp(xargs.tktpolicydn,oldpolicydn,strlen(xargs.tktpolicydn)) != 0) { + if ((st = krb5_ldap_change_count(context, oldpolicydn,2))) + goto cleanup; + } + } + + if ((st = krb5_ldap_change_count(context, xargs.tktpolicydn,1))) + goto cleanup; + } else { + /* if xargs.tktpolicydn is a empty string, then delete already existing krbpolicyreference attr */ + if (tktpolicy_set == FALSE) { /* if the attribute is not present then abort */ + st = EINVAL; + prepend_err_str(context,"'ticketpolicydn' empty",st,st); + goto cleanup; } else { - /* if xargs.tktpolicydn is a empty string, then delete already existing krbpolicyreference attr */ - if (tktpolicy_set == FALSE) { /* if the attribute is not present then abort */ - st = EINVAL; - prepend_err_str(context,"'ticketpolicydn' empty",st,st); - goto cleanup; - } else { - memset(strval, 0, sizeof(strval)); - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_DELETE, strval)) != 0) - goto cleanup; - } + memset(strval, 0, sizeof(strval)); + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_DELETE, strval)) != 0) + goto cleanup; } - + } + } if (dnfound == TRUE) { - if (mods == NULL) { - goto cleanup; - } + if (mods == NULL) { + goto cleanup; + } st=ldap_modify_s(ld, xargs.dn, mods); - if (st != LDAP_SUCCESS) { - sprintf(errbuf, "User modification failed: %s", ldap_err2string(st)); - st = translate_ldap_error (st, OP_MOD); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } - } - else { - st=ldap_add_s(ld, xargs.dn, mods); if (st != LDAP_SUCCESS) { - sprintf(errbuf, "Principal add failed: %s", ldap_err2string(st)); - st = translate_ldap_error (st, OP_ADD); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; + sprintf(errbuf, "User modification failed: %s", ldap_err2string(st)); + st = translate_ldap_error (st, OP_MOD); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + } else { + st=ldap_add_s(ld, xargs.dn, mods); + if (st != LDAP_SUCCESS) { + sprintf(errbuf, "Principal add failed: %s", ldap_err2string(st)); + st = translate_ldap_error (st, OP_ADD); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; } } } - - cleanup: - if (user) + +cleanup: + if (user) free(user); - + free_xargs(xargs); if (subtree) free (subtree); - + if (bersecretkey) { for (l=0; bersecretkey[l]; ++l) { if (bersecretkey[l]->bv_val) @@ -1031,10 +1028,10 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) } free (bersecretkey); } - + if (keys) free (keys); - + if (oldkeys) { for (l=0; l < oldkeys->nkey; ++l) { if (oldkeys->keys[l]->bv_val) @@ -1060,7 +1057,7 @@ krb5_read_tkt_policyreference(context, ldap_context, entries, policydn) krb5_error_code st=0; unsigned int mask=0, omask=0; int tkt_mask=(KDB_MAX_LIFE_ATTR | KDB_MAX_RLIFE_ATTR | KDB_TKT_FLAGS_ATTR); - krb5_ldap_policy_params *tktpoldnparam=NULL; + krb5_ldap_policy_params *tktpoldnparam=NULL; if ((st=krb5_get_attributes_mask(context, entries, &mask)) != 0) goto cleanup; @@ -1069,47 +1066,47 @@ krb5_read_tkt_policyreference(context, ldap_context, entries, policydn) if (policydn != NULL) { st = krb5_ldap_read_policy(context, policydn, &tktpoldnparam, &omask); if (st && st != KRB5_KDB_NOENTRY) { - prepend_err_str(context, "Error reading ticket policy. ", st, st); + prepend_err_str(context, "Error reading ticket policy. ", st, st); goto cleanup; - } - + } + st = 0; /* reset the return status */ } - + if ((mask & KDB_MAX_LIFE_ATTR) == 0) { if ((omask & KDB_MAX_LIFE_ATTR) == KDB_MAX_LIFE_ATTR) entries->max_life = tktpoldnparam->maxtktlife; else if (ldap_context->lrparams->max_life) entries->max_life = ldap_context->lrparams->max_life; - else if(ldap_context->krbcontainer->max_life) + else if (ldap_context->krbcontainer->max_life) entries->max_life = ldap_context->krbcontainer->max_life; else - entries->max_life = KRB5_KDB_MAX_LIFE; + entries->max_life = KRB5_KDB_MAX_LIFE; } - + if ((mask & KDB_MAX_RLIFE_ATTR) == 0) { if ((omask & KDB_MAX_RLIFE_ATTR) == KDB_MAX_RLIFE_ATTR) entries->max_renewable_life = tktpoldnparam->maxrenewlife; else if (ldap_context->lrparams->max_renewable_life) entries->max_renewable_life = ldap_context->lrparams->max_renewable_life; - else if(ldap_context->krbcontainer->max_renewable_life) + else if (ldap_context->krbcontainer->max_renewable_life) entries->max_renewable_life = ldap_context->krbcontainer->max_renewable_life; else entries->max_renewable_life = KRB5_KDB_MAX_RLIFE; } - + if ((mask & KDB_TKT_FLAGS_ATTR) == 0) { if ((omask & KDB_TKT_FLAGS_ATTR) == KDB_TKT_FLAGS_ATTR) entries->attributes = tktpoldnparam->tktflags; else if (ldap_context->lrparams->tktflags) entries->attributes |= ldap_context->lrparams->tktflags; - else if(ldap_context->krbcontainer->tktflags) + else if (ldap_context->krbcontainer->tktflags) entries->attributes |= ldap_context->krbcontainer->tktflags; } krb5_ldap_free_policy(context, tktpoldnparam); } - - cleanup: + +cleanup: return st; } @@ -1126,62 +1123,62 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data) krb5_key_data *key_data=NULL; krb5_error_code st=0; krb5_timestamp last_pw_changed=0; - + if ((st=krb5_unparse_name(context, entries->princ, &user)) != 0) - goto cleanup; - - for(i=0; bvalues[i] != NULL; ++i) { + goto cleanup; + + for (i=0; bvalues[i] != NULL; ++i) { + + ptr = (char *) bvalues[i]->bv_val; - ptr = (char *) bvalues[i]->bv_val; - /* check the consistency of the key */ - - if(bvalues[i]->bv_len < KEYHEADER) /* key smaller than the header size */ - continue; - + + if (bvalues[i]->bv_len < KEYHEADER) /* key smaller than the header size */ + continue; + plen = PRINCIPALLEN(ptr); if (NOOFKEYS(ptr) == 0) continue; - + keylen = KEYHEADER + (8 * NOOFKEYS(ptr)); - if (bvalues[i]->bv_len < keylen) /* key or salt header info corrupted*/ + if (bvalues[i]->bv_len < keylen) /* key or salt header info corrupted*/ continue; - + keylen += plen; - if (bvalues[i]->bv_len < keylen) /* principal info corrupted */ + if (bvalues[i]->bv_len < keylen) /* principal info corrupted */ continue; - - for(k=0; kbv_len < keylen) /* key or salt values corrupted */ continue; pname = PRINCIPALNAME(ptr); /* set pname to principalName field */ - + /* key doesn't belong to the principal */ if (strncmp(user, pname, (unsigned) plen) != 0) continue; /* Number of Principal Keys */ noofkeys += NOOFKEYS(ptr); - + if ((st=store_tl_data(userinfo_tl_data, KDB_TL_KEYINFO, bvalues[i])) != 0) goto cleanup; - + pkeyver = PKEYVER(ptr); /* Principal Key Version */ mkeyver = MKEYVER(ptr); /* Master Key Version */ if (ist_pkeyver == 0 || pkeyver >= ist_pkeyver) { ist_pkeyver = pkeyver; - /* last password changed */ + /* last password changed */ last_pw_changed = 0; last_pw_changed += (ptr[6] & 0xFF) << 24; last_pw_changed += (ptr[7] & 0xFF) << 16; last_pw_changed += (ptr[8] & 0xFF) << 8; last_pw_changed += (ptr[9] & 0xFF) << 0; - - if ((st=krb5_dbe_update_last_pwd_change(context, entries, + + if ((st=krb5_dbe_update_last_pwd_change(context, entries, last_pw_changed)) != 0) goto cleanup; } @@ -1195,23 +1192,23 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data) currentkey = KEYBODY(ptr); for (k=0; jprinc->realm.data; key_data[j].key_data_length[1] = strlen (def_realm); @@ -1239,13 +1236,13 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data) st = ENOMEM; goto cleanup; } - memcpy(key_data[j].key_data_contents[1], + memcpy(key_data[j].key_data_contents[1], def_realm, key_data[j].key_data_length[1]); break; - + case KRB5_KDB_SALTTYPE_NOREALM: memset(&norealmval, 0, sizeof(krb5_data)); - if ((st = krb5_principal2salt_norealm(context, entries->princ, + if ((st = krb5_principal2salt_norealm(context, entries->princ, &norealmval)) != 0) { goto cleanup; } @@ -1256,7 +1253,7 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data) } } else if (key_data[j].key_data_type[1] == KRB5_KDB_SALTTYPE_V4) { key_data[j].key_data_contents[1] = NULL; - key_data[j].key_data_ver = 2; + key_data[j].key_data_ver = 2; } else { key_data[j].key_data_contents[1] = NULL; } @@ -1266,8 +1263,8 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data) entries->key_data = key_data; } - cleanup: - ldap_value_free_len(bvalues); +cleanup: + ldap_value_free_len(bvalues); free (user); return st; } @@ -1279,14 +1276,14 @@ getstringtime(epochtime) struct tm tme; char *strtime=NULL; time_t posixtime = epochtime; - + strtime = calloc (50, 1); if (strtime == NULL) return NULL; - + if (gmtime_r(&posixtime, &tme) == NULL) return NULL; - + strftime(strtime, 50, "%Y%m%d%H%M%SZ", &tme); return strtime; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c index 2cbb444e7..074f24752 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c @@ -34,11 +34,11 @@ #include "ldap_err.h" static char *password_policy_attributes[] = { "krbmaxpwdlife", "krbminpwdlife", "krbpwdmindiffchars", - "krbpwdminlength", "krbpwdhistorylength", "krbpwdpolicyrefcount", + "krbpwdminlength", "krbpwdhistorylength", "krbpwdpolicyrefcount", NULL }; /* - * Function to create password policy object. + * Function to create password policy object. */ krb5_error_code @@ -58,7 +58,7 @@ krb5_ldap_create_password_policy (context, policy) krb5_clear_error_message(context); /* validate the input parameters */ - if (policy == NULL || policy->name == NULL) + if (policy == NULL || policy->name == NULL) return EINVAL; SETUP_CONTEXT(); @@ -67,21 +67,21 @@ krb5_ldap_create_password_policy (context, policy) /* get the first component of the dn to set the cn attribute */ rdns = ldap_explode_dn(policy->name, 1); if (rdns == NULL) { - st = EINVAL; - krb5_set_error_message(context, st, "Invalid password policy DN syntax"); + st = EINVAL; + krb5_set_error_message(context, st, "Invalid password policy DN syntax"); goto cleanup; } - + strval[0] = rdns[0]; if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; - + goto cleanup; + strval[0] = "krbPwdPolicy"; if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; - - if (((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxpwdlife", LDAP_MOD_ADD, - (signed) policy->pw_max_life)) != 0) + goto cleanup; + + if (((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxpwdlife", LDAP_MOD_ADD, + (signed) policy->pw_max_life)) != 0) || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbminpwdlife", LDAP_MOD_ADD, (signed) policy->pw_min_life)) != 0) || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmindiffchars", LDAP_MOD_ADD, @@ -96,11 +96,11 @@ krb5_ldap_create_password_policy (context, policy) /* password policy object creation */ if ((st=ldap_add_s(ld, policy->name, mods)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_ADD); + st = set_ldap_error (context, st, OP_ADD); goto cleanup; } - - cleanup: + +cleanup: if (rdns) ldap_value_free(rdns); @@ -129,7 +129,7 @@ krb5_ldap_put_password_policy (context, policy) krb5_clear_error_message(context); /* validate the input parameters */ - if (policy == NULL || policy->name == NULL) + if (policy == NULL || policy->name == NULL) return EINVAL; SETUP_CONTEXT(); @@ -148,20 +148,20 @@ krb5_ldap_put_password_policy (context, policy) || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdpolicyrefcount", LDAP_MOD_REPLACE, (signed) policy->policy_refcnt)) != 0)) goto cleanup; - + /* modify the password policy object. */ if ((st=ldap_modify_s(ld, policy->name, mods)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } - - cleanup: + +cleanup: ldap_mods_free(mods, 1); - krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); + krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return(st); } -krb5_error_code +krb5_error_code krb5_ldap_get_password_policy (context, name, policy, cnt) krb5_context context; char *name; @@ -170,7 +170,7 @@ krb5_ldap_get_password_policy (context, name, policy, cnt) { krb5_error_code st=0, tempst=0; LDAP *ld=NULL; - LDAPMessage *result=NULL,*ent=NULL; + LDAPMessage *result=NULL,*ent=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; @@ -179,17 +179,17 @@ krb5_ldap_get_password_policy (context, name, policy, cnt) krb5_clear_error_message(context); /* validate the input parameters */ - if(name == NULL) + if (name == NULL) return EINVAL; - + SETUP_CONTEXT(); GET_HANDLE(); *cnt = 0; *(policy) = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec)); if (*policy == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } memset(*policy, 0, sizeof(osa_policy_ent_rec)); @@ -235,15 +235,15 @@ krb5_ldap_delete_password_policy (context, policy) krb5_clear_error_message(context); /* validate the input parameters */ - if(policy == NULL) - return EINVAL; + if (policy == NULL) + return EINVAL; SETUP_CONTEXT(); GET_HANDLE(); - if((st=ldap_delete_s(ld, policy)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_DEL); - goto cleanup; + if ((st=ldap_delete_s(ld, policy)) != LDAP_SUCCESS) { + st = set_ldap_error (context, st, OP_DEL); + goto cleanup; } cleanup: @@ -252,10 +252,10 @@ cleanup: } krb5_error_code -krb5_ldap_iterate_password_policy(context, match_expr, func, func_arg) +krb5_ldap_iterate_password_policy(context, match_expr, func, func_arg) krb5_context context; char *match_expr; - void (*func) (krb5_pointer, osa_policy_ent_t ); + void (*func) (krb5_pointer, osa_policy_ent_t); krb5_pointer func_arg; { osa_policy_ent_rec *entry=NULL; @@ -279,7 +279,7 @@ krb5_ldap_iterate_password_policy(context, match_expr, func, func_arg) memset(entry, 0, sizeof(osa_policy_ent_rec)); LDAP_SEARCH(NULL, LDAP_SCOPE_SUBTREE, "(objectclass=krbpwdpolicy)", attrs); - for(ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) { + for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) { if ((policy_dn=ldap_get_dn(ld, ent)) == NULL) continue; entry->name = policy_dn; @@ -287,21 +287,21 @@ krb5_ldap_iterate_password_policy(context, match_expr, func, func_arg) ldap_memfree(policy_dn); } ldap_msgfree(result); - - cleanup: + +cleanup: if (entry) free (entry); - + krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; } -void +void krb5_ldap_free_password_policy (context, entry) krb5_context context; osa_policy_ent_t entry; { - if(entry) - free(entry); + if (entry) + free(entry); return; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c index d2ed2d9e5..438df718f 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c @@ -36,18 +36,18 @@ #define END_OF_LIST -1 char *realm_attributes[] = {"krbSearchScope","krbSubTree", "krbMaxTicketLife", "krbMaxRenewableAge", - "krbTicketFlags", "krbDefaultEncType", - "krbDefaultSaltType", "krbUpEnabled", - "krbPolicyReference", "krbSupportedEncTypes", - "krbSupportedSaltTypes", "krbLdapServers", - "krbKdcServers", "krbAdmServers", + "krbTicketFlags", "krbDefaultEncType", + "krbDefaultSaltType", "krbUpEnabled", + "krbPolicyReference", "krbSupportedEncTypes", + "krbSupportedSaltTypes", "krbLdapServers", + "krbKdcServers", "krbAdmServers", "krbPwdServers", NULL}; char *policy_attributes[] = { "krbMaxTicketLife", - "krbMaxRenewableAge", - "krbTicketFlags", - NULL }; + "krbMaxRenewableAge", + "krbTicketFlags", + NULL }; @@ -55,16 +55,16 @@ char *policyclass[] = { "krbPolicy", NULL }; char *kdcclass[] = { "krbKdcService", NULL }; char *adminclass[] = { "krbAdmService", NULL }; char *pwdclass[] = { "krbPwdService", NULL }; -char *subtreeclass[] = { "Organization", "OrganizationalUnit", "Domain", +char *subtreeclass[] = { "Organization", "OrganizationalUnit", "Domain", "Country", "Locality", NULL }; int supportedenctypes[] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD4, ENCTYPE_DES_CBC_MD5, - ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES128_CTS_HMAC_SHA1_96, - ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_ARCFOUR_HMAC, -1}; + ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_ARCFOUR_HMAC, -1}; int supportedsalttypes[] = { KRB5_KDB_SALTTYPE_NORMAL, KRB5_KDB_SALTTYPE_V4, - KRB5_KDB_SALTTYPE_NOREALM, KRB5_KDB_SALTTYPE_ONLYREALM, - KRB5_KDB_SALTTYPE_SPECIAL, -1}; + KRB5_KDB_SALTTYPE_NOREALM, KRB5_KDB_SALTTYPE_ONLYREALM, + KRB5_KDB_SALTTYPE_SPECIAL, -1}; char *krbContainerRefclass[] = { "krbContainerRefAux", NULL}; @@ -75,10 +75,10 @@ ignore_duplicates(int_list) int *int_list; { int i=0, j=0, scount=0; - + for (i=0; int_list[i] != END_OF_LIST; scount=i++) ; - + for (i=0; i <= scount; ++i) { if (i > 0 && int_list[i] == int_list[i-1]) { for (j=i; j<=scount; ++j) @@ -99,12 +99,12 @@ ignore_duplicates(int_list) * Function to remove all special characters from a string (rfc2254). * Use whenever exact matching is to be done ... */ -static char * +static char * ldap_filter_correct (unsigned char *in, unsigned int len) { int i, count; char *out, *ptr; - + for (i = 0, count = 0; i < len; i++) switch (in[i]) { case '*': @@ -114,7 +114,7 @@ ldap_filter_correct (unsigned char *in, unsigned int len) case '\0': count ++; } - + out = (char *)malloc((len + (count * 2) + 1) * sizeof (char)); assert (out != NULL); memset(out, 0, len + (count * 2) + 1); @@ -182,7 +182,7 @@ static int principal_in_realm_2(krb5_principal principal, char *realm) { /* * Lists the realms in the Directory. - */ + */ krb5_error_code krb5_ldap_list_realm(context, realms) @@ -191,9 +191,9 @@ krb5_ldap_list_realm(context, realms) { char **values = NULL; unsigned int i = 0, count = 0; - krb5_error_code st = 0, tempst = 0; + krb5_error_code st = 0, tempst = 0; LDAP *ld = NULL; - LDAPMessage *result = NULL, *ent = NULL; + LDAPMessage *result = NULL, *ent = NULL; kdb5_dal_handle *dal_handle = NULL; krb5_ldap_context *ldap_context = NULL; krb5_ldap_server_handle *ldap_server_handle = NULL; @@ -202,7 +202,7 @@ krb5_ldap_list_realm(context, realms) /* get the kerberos container DN information */ if (ldap_context->krbcontainer == NULL) { - if ((st = krb5_ldap_read_krbcontainer_params(context, + if ((st = krb5_ldap_read_krbcontainer_params(context, &(ldap_context->krbcontainer))) != 0) goto cleanup; } @@ -221,7 +221,7 @@ krb5_ldap_list_realm(context, realms) *realms = NULL; count = ldap_count_entries (ld, result); - if(count == -1){ + if (count == -1) { ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &st); st = set_ldap_error (context, st, OP_SEARCH); goto cleanup; @@ -244,7 +244,7 @@ krb5_ldap_list_realm(context, realms) } /* for (ent= ... */ ldap_msgfree(result); - cleanup: +cleanup: /* some error, free up all the memory */ if (st != 0) { @@ -266,7 +266,7 @@ krb5_ldap_list_realm(context, realms) /* * Delete the realm along with the principals belonging to the realm in the Directory. - */ + */ krb5_error_code krb5_ldap_delete_realm (context, lrealm) @@ -315,7 +315,7 @@ krb5_ldap_delete_realm (context, lrealm) lcontext.lrparams = rparam; if ((st=krb5_get_subtree_info(&lcontext, subtrees, &ntree)) != 0) goto cleanup; - + for (l=0; l < ntree; ++l) { LDAP_SEARCH(subtrees[l], rparam->search_scope, filter, attr); result_arr[l] = result; @@ -323,20 +323,20 @@ krb5_ldap_delete_realm (context, lrealm) } /* NOTE: Here all the principals should be cached and the ldap handle should be freed, - * as a DAL-LDAP interface is called right down here. Caching might be constrained by + * as a DAL-LDAP interface is called right down here. Caching might be constrained by * availability of the memory. The caching is not done, however there would be limit * on the minimum number of handles for a server and it is 2. As the DAL-LDAP is not * thread-safe this should suffice. */ for (j=0; (result=result_arr[j]) != NULL; ++j) { - for(ent = ldap_first_entry (ld, result); ent != NULL; - ent = ldap_next_entry (ld, ent)) { + for (ent = ldap_first_entry (ld, result); ent != NULL; + ent = ldap_next_entry (ld, ent)) { if ((values = ldap_get_values(ld, ent, "krbPrincipalName")) != NULL) { for (i = 0; values[i] != NULL; ++i) { krb5_parse_name(context, values[i], &principal); if (principal_in_realm_2(principal, lrealm) == 0) { int nent = 0; - if ((st=krb5_ldap_delete_principal(context, principal, + if ((st=krb5_ldap_delete_principal(context, principal, &nent)) != LDAP_SUCCESS) goto cleanup; } @@ -351,12 +351,12 @@ krb5_ldap_delete_realm (context, lrealm) /* Delete the realm object */ if ((st=ldap_delete_s(ld, ldap_context->lrparams->realmdn)) != LDAP_SUCCESS) { int ost = st; - st = translate_ldap_error (st, OP_DEL); - krb5_set_error_message (context, st, "Realm Delete FAILED: %s", + st = translate_ldap_error (st, OP_DEL); + krb5_set_error_message (context, st, "Realm Delete FAILED: %s", ldap_err2string(ost)); } - cleanup: +cleanup: for (l=0; l < ntree; ++l) { if (subtrees[l]) free (subtrees[l]); @@ -379,7 +379,7 @@ static int compare (const void *i, const void *j) { /* * Modify the realm attributes in the Directory. - */ + */ krb5_error_code krb5_ldap_modify_realm(context, rparams, mask) @@ -390,7 +390,7 @@ krb5_ldap_modify_realm(context, rparams, mask) LDAP *ld=NULL; krb5_error_code st=0; char *strval[5]={NULL}; -#ifdef HAVE_EDIRECTORY +#ifdef HAVE_EDIRECTORY char **values=NULL; char **oldkdcservers=NULL, **oldadminservers=NULL, **oldpasswdservers=NULL; LDAPMessage *result=NULL, *ent=NULL; @@ -405,12 +405,12 @@ krb5_ldap_modify_realm(context, rparams, mask) if (mask == 0) return 0; - + if (rparams == NULL) { st = EINVAL; return st; } - + SETUP_CONTEXT (); /* Check validity of arguments */ @@ -454,12 +454,12 @@ krb5_ldap_modify_realm(context, rparams, mask) */ { if ((mask & LDAP_REALM_SUPPENCTYPE) && rparams->suppenctypes) { - for (i = 0; rparams->suppenctypes [i] != END_OF_LIST; i++){ + for (i = 0; rparams->suppenctypes [i] != END_OF_LIST; i++) { } qsort ((void *)rparams->suppenctypes, (unsigned) i, sizeof(krb5_int32), compare); } if ((mask & LDAP_REALM_SUPPSALTTYPE) && rparams->suppsalttypes) { - for (i = 0; rparams->suppenctypes [i] != END_OF_LIST; i++){ + for (i = 0; rparams->suppenctypes [i] != END_OF_LIST; i++) { } qsort ((void *)rparams->suppsalttypes, (unsigned) i, sizeof(krb5_int32), compare); } @@ -474,53 +474,53 @@ krb5_ldap_modify_realm(context, rparams, mask) } memset(strval, 0, sizeof(strval)); strval[0] = rparams->subtree; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtree", LDAP_MOD_REPLACE, + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtree", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; } /* SEARCHSCOPE ATTRIBUTE */ - if (mask & LDAP_REALM_SEARCHSCOPE) { - if((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_REPLACE, - (rparams->search_scope == LDAP_SCOPE_ONELEVEL - || rparams->search_scope == LDAP_SCOPE_SUBTREE) ? - rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0) + if (mask & LDAP_REALM_SEARCHSCOPE) { + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_REPLACE, + (rparams->search_scope == LDAP_SCOPE_ONELEVEL + || rparams->search_scope == LDAP_SCOPE_SUBTREE) ? + rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0) goto cleanup; } - + if (mask & LDAP_REALM_MAXRENEWLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_REPLACE, - rparams->max_renewable_life)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_REPLACE, + rparams->max_renewable_life)) != 0) + goto cleanup; } /* krbMaxTicketLife ATTRIBUTE */ if (mask & LDAP_REALM_MAXTICKETLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_REPLACE, - rparams->max_life)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_REPLACE, + rparams->max_life)) != 0) + goto cleanup; } /* krbTicketFlags ATTRIBUTE */ if (mask & LDAP_REALM_KRBTICKETFLAGS) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_REPLACE, - rparams->tktflags)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_REPLACE, + rparams->tktflags)) != 0) + goto cleanup; } - + /* DEFENCTYPE ATTRIBUTE */ if (mask & LDAP_REALM_DEFENCTYPE) { /* check if the entered enctype is valid */ if (krb5_c_valid_enctype(rparams->defenctype)) { /* check if the defenctype exists in the suppenctypes list */ - for(i = 0; rparams->suppenctypes[i] != END_OF_LIST; ++i) + for (i = 0; rparams->suppenctypes[i] != END_OF_LIST; ++i) if (rparams->defenctype == rparams->suppenctypes[i]) break; @@ -531,8 +531,8 @@ krb5_ldap_modify_realm(context, rparams, mask) goto cleanup; } - if((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultenctype", LDAP_MOD_REPLACE, - rparams->defenctype)) != 0) + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultenctype", LDAP_MOD_REPLACE, + rparams->defenctype)) != 0) goto cleanup; } else { st = EINVAL; @@ -544,10 +544,10 @@ krb5_ldap_modify_realm(context, rparams, mask) /* DEFSALTTYPE ATTRIBUTE */ if (mask & LDAP_REALM_DEFSALTTYPE) { /* check if the entered salttype is valid */ - if (rparams->defsalttype>=0 && rparams->defsalttype<6) { + if (rparams->defsalttype>=0 && rparams->defsalttype<6) { /* check if the defsalttype exists in the suppsalttypes list */ - for(i = 0; rparams->suppsalttypes[i] != END_OF_LIST; ++i) + for (i = 0; rparams->suppsalttypes[i] != END_OF_LIST; ++i) if (rparams->defsalttype == rparams->suppsalttypes[i]) break; @@ -558,8 +558,8 @@ krb5_ldap_modify_realm(context, rparams, mask) goto cleanup; } - if((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultsalttype", - LDAP_MOD_REPLACE, rparams->defsalttype)) != 0) + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultsalttype", + LDAP_MOD_REPLACE, rparams->defsalttype)) != 0) goto cleanup; } else { @@ -577,7 +577,7 @@ krb5_ldap_modify_realm(context, rparams, mask) /* check if the salttypes entered is valid */ if (!(rparams->suppsalttypes[i]>=0 && rparams->suppsalttypes[i]<6)) { st = EINVAL; - krb5_set_error_message (context, st, "salttype %d not valid", rparams->suppsalttypes[i]); + krb5_set_error_message (context, st, "salttype %d not valid", rparams->suppsalttypes[i]); goto cleanup; } @@ -590,34 +590,34 @@ krb5_ldap_modify_realm(context, rparams, mask) if (flag == FALSE) { /* Default salt type is not supported */ st = EINVAL; - krb5_set_error_message (context, st, "Default salttype not in the supported list"); + krb5_set_error_message (context, st, "Default salttype not in the supported list"); goto cleanup; } ignore_duplicates(rparams->suppsalttypes); - - if((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedsalttypes", - LDAP_MOD_REPLACE, rparams->suppsalttypes)) != 0) - goto cleanup; + + if ((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedsalttypes", + LDAP_MOD_REPLACE, rparams->suppsalttypes)) != 0) + goto cleanup; } - + /* SUPPENCTYPE ATTRIBUTE */ - if (mask & LDAP_REALM_SUPPENCTYPE) { + if (mask & LDAP_REALM_SUPPENCTYPE) { krb5_boolean flag=FALSE; - for(i=0; rparams->suppenctypes[i] != END_OF_LIST; ++i) { + for (i=0; rparams->suppenctypes[i] != END_OF_LIST; ++i) { /* check if the enctypes entered is valid */ if (krb5_c_valid_enctype(rparams->suppenctypes[i]) == 0) { st = EINVAL; - krb5_set_error_message (context, st, "Enctype %d not valid", rparams->suppenctypes[i]); + krb5_set_error_message (context, st, "Enctype %d not valid", rparams->suppenctypes[i]); goto cleanup; } /* Ensure that the default encryption type is supported */ if ((oldmask & LDAP_REALM_DEFENCTYPE || - mask & LDAP_REALM_DEFENCTYPE) && + mask & LDAP_REALM_DEFENCTYPE) && rparams->defenctype == rparams->suppenctypes[i]) - flag = TRUE; + flag = TRUE; } if (flag == FALSE) { /* Default encryption type is not supported */ @@ -627,9 +627,9 @@ krb5_ldap_modify_realm(context, rparams, mask) } ignore_duplicates(rparams->suppenctypes); - if((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedenctypes", - LDAP_MOD_REPLACE, rparams->suppenctypes)) != 0) - goto cleanup; + if ((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedenctypes", + LDAP_MOD_REPLACE, rparams->suppenctypes)) != 0) + goto cleanup; } #ifdef HAVE_EDIRECTORY @@ -684,7 +684,7 @@ krb5_ldap_modify_realm(context, rparams, mask) if (mask & LDAP_REALM_KDCSERVERS || mask & LDAP_REALM_ADMINSERVERS || mask & LDAP_REALM_PASSWDSERVERS) { char *servers[] = {"krbKdcServers", "krbAdmServers", "krbPwdServers", NULL}; - + if ((st= ldap_search_s(ld, rparams->realmdn, LDAP_SCOPE_BASE, @@ -692,10 +692,10 @@ krb5_ldap_modify_realm(context, rparams, mask) servers, 0, &result)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_SEARCH); + st = set_ldap_error (context, st, OP_SEARCH); goto cleanup; } - + ent = ldap_first_entry(ld, result); if (ent) { if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) { @@ -725,7 +725,7 @@ krb5_ldap_modify_realm(context, rparams, mask) /* Realm modify opearation */ if ((st=ldap_modify_s(ld, rparams->realmdn, mods)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } @@ -739,109 +739,103 @@ krb5_ldap_modify_realm(context, rparams, mask) count = ldap_count_values(rparams->kdcservers); if ((st=copy_arrays(rparams->kdcservers, &newkdcservers, count)) != 0) goto cleanup; - + /* find the deletions and additions to the server list */ if (oldkdcservers && newkdcservers) disjoint_members(oldkdcservers, newkdcservers); - + /* delete the krbRealmReferences attribute from the servers that are dis-associated. */ if (oldkdcservers) for (i=0; oldkdcservers[i]; ++i) - if ((st=deleteAttribute(ld, oldkdcservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) - { + if ((st=deleteAttribute(ld, oldkdcservers[i], "krbRealmReferences", + rparams->realmdn)) != 0) { sprintf (errbuf, "Error removing 'krbRealmReferences' from %s: ", oldkdcservers[i]); - prepend_err_str (context, errbuf, st, st); + prepend_err_str (context, errbuf, st, st); goto cleanup; } - + /* add the krbRealmReferences attribute from the servers that are associated. */ if (newkdcservers) for (i=0; newkdcservers[i]; ++i) - if ((st=updateAttribute(ld, newkdcservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) - { + if ((st=updateAttribute(ld, newkdcservers[i], "krbRealmReferences", + rparams->realmdn)) != 0) { sprintf (errbuf, "Error adding 'krbRealmReferences' to %s: ", newkdcservers[i]); - prepend_err_str (context, errbuf, st, st); + prepend_err_str (context, errbuf, st, st); goto cleanup; } if (newkdcservers) ldap_value_free(newkdcservers); } - + if (mask & LDAP_REALM_ADMINSERVERS) { char **newadminservers=NULL; count = ldap_count_values(rparams->adminservers); if ((st=copy_arrays(rparams->adminservers, &newadminservers, count)) != 0) goto cleanup; - - /* find the deletions and additions to the server list */ + + /* find the deletions and additions to the server list */ if (oldadminservers && newadminservers) disjoint_members(oldadminservers, newadminservers); - - /* delete the krbRealmReferences attribute from the servers that are dis-associated. */ + + /* delete the krbRealmReferences attribute from the servers that are dis-associated. */ if (oldadminservers) for (i=0; oldadminservers[i]; ++i) - if ((st=deleteAttribute(ld, oldadminservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) - { + if ((st=deleteAttribute(ld, oldadminservers[i], "krbRealmReferences", + rparams->realmdn)) != 0) { sprintf(errbuf, "Error removing 'krbRealmReferences' from " - "%s: ", oldadminservers[i]); - prepend_err_str (context, errbuf, st, st); + "%s: ", oldadminservers[i]); + prepend_err_str (context, errbuf, st, st); goto cleanup; } - /* add the krbRealmReferences attribute from the servers that are associated. */ - if (newadminservers) + /* add the krbRealmReferences attribute from the servers that are associated. */ + if (newadminservers) for (i=0; newadminservers[i]; ++i) - if ((st=updateAttribute(ld, newadminservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) - { + if ((st=updateAttribute(ld, newadminservers[i], "krbRealmReferences", + rparams->realmdn)) != 0) { sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ", - newadminservers[i]); - prepend_err_str (context, errbuf, st, st); + newadminservers[i]); + prepend_err_str (context, errbuf, st, st); goto cleanup; } if (newadminservers) ldap_value_free(newadminservers); } - + if (mask & LDAP_REALM_PASSWDSERVERS) { char **newpasswdservers=NULL; - + count = ldap_count_values(rparams->passwdservers); if ((st=copy_arrays(rparams->passwdservers, &newpasswdservers, count)) != 0) goto cleanup; - /* find the deletions and additions to the server list */ + /* find the deletions and additions to the server list */ if (oldpasswdservers && newpasswdservers) disjoint_members(oldpasswdservers, newpasswdservers); - /* delete the krbRealmReferences attribute from the servers that are dis-associated. */ + /* delete the krbRealmReferences attribute from the servers that are dis-associated. */ if (oldpasswdservers) for (i=0; oldpasswdservers[i]; ++i) - if ((st=deleteAttribute(ld, oldpasswdservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) - { + if ((st=deleteAttribute(ld, oldpasswdservers[i], "krbRealmReferences", + rparams->realmdn)) != 0) { sprintf(errbuf, "Error removing 'krbRealmReferences' from " - "%s: ", oldpasswdservers[i]); - prepend_err_str (context, errbuf, st, st); + "%s: ", oldpasswdservers[i]); + prepend_err_str (context, errbuf, st, st); goto cleanup; } - /* add the krbRealmReferences attribute from the servers that are associated. */ + /* add the krbRealmReferences attribute from the servers that are associated. */ if (newpasswdservers) for (i=0; newpasswdservers[i]; ++i) - if ((st=updateAttribute(ld, newpasswdservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) - { + if ((st=updateAttribute(ld, newpasswdservers[i], "krbRealmReferences", + rparams->realmdn)) != 0) { sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ", - newpasswdservers[i]); - prepend_err_str (context, errbuf, st, st); + newpasswdservers[i]); + prepend_err_str (context, errbuf, st, st); goto cleanup; } if (newpasswdservers) @@ -849,23 +843,23 @@ krb5_ldap_modify_realm(context, rparams, mask) } #endif - cleanup: +cleanup: #ifdef HAVE_EDIRECTORY if (oldkdcservers) { - for(i=0; oldkdcservers[i]; ++i) + for (i=0; oldkdcservers[i]; ++i) free(oldkdcservers[i]); free(oldkdcservers); } if (oldadminservers) { - for(i=0; oldadminservers[i]; ++i) + for (i=0; oldadminservers[i]; ++i) free(oldadminservers[i]); free(oldadminservers); } if (oldpasswdservers) { - for(i=0; oldpasswdservers[i]; ++i) + for (i=0; oldpasswdservers[i]; ++i) free(oldpasswdservers[i]); free(oldpasswdservers); } @@ -905,15 +899,15 @@ krb5_ldap_create_krbcontainer(context, krbcontparams) GET_HANDLE (); if (krbcontparams != NULL && krbcontparams->DN != NULL) { - kerberoscontdn = krbcontparams->DN; + kerberoscontdn = krbcontparams->DN; } else { /* If the user has not given, use the default cn=Kerberos,cn=Security */ #ifdef HAVE_EDIRECTORY - kerberoscontdn = KERBEROS_CONTAINER; + kerberoscontdn = KERBEROS_CONTAINER; #else st = EINVAL; krb5_set_error_message (context, st, "Kerberos Container information is missing"); - goto cleanup; + goto cleanup; #endif } @@ -925,24 +919,24 @@ krb5_ldap_create_krbcontainer(context, krbcontparams) rdns = ldap_explode_dn(kerberoscontdn, 1); if (rdns == NULL) { st = EINVAL; - krb5_set_error_message(context, st, "Invalid Kerberos container DN"); + krb5_set_error_message(context, st, "Invalid Kerberos container DN"); goto cleanup; } strval[0] = rdns[0]; strval[1] = NULL; if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + goto cleanup; /* check if the policy reference value exists and is of krbpolicyreference object class */ if (krbcontparams && krbcontparams->policyreference) { - st = checkattributevalue(ld, krbcontparams->policyreference, "objectclass", policyclass, + st = checkattributevalue(ld, krbcontparams->policyreference, "objectclass", policyclass, &pmask); CHECK_CLASS_VALIDITY(st, pmask, "ticket policy object value: "); strval[0] = krbcontparams->policyreference; strval[1] = NULL; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_ADD, + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_ADD, strval)) != 0) goto cleanup; } @@ -950,10 +944,10 @@ krb5_ldap_create_krbcontainer(context, krbcontparams) /* create the kerberos container */ if ((st = ldap_add_s(ld, kerberoscontdn, mods)) != LDAP_SUCCESS) { int ost = st; - st = translate_ldap_error (st, OP_ADD); - krb5_set_error_message (context, st, "Kerberos Container create FAILED: %s", ldap_err2string(ost)); + st = translate_ldap_error (st, OP_ADD); + krb5_set_error_message (context, st, "Kerberos Container create FAILED: %s", ldap_err2string(ost)); goto cleanup; - } + } #ifdef HAVE_EDIRECTORY @@ -962,12 +956,11 @@ krb5_ldap_create_krbcontainer(context, krbcontparams) mods=NULL; /* check whether the security container is bound to krbcontainerrefaux object class */ - if ((st=checkattributevalue(ld, SECURITY_CONTAINER, "objectClass", - krbContainerRefclass, &crmask)) != 0) - { + if ((st=checkattributevalue(ld, SECURITY_CONTAINER, "objectClass", + krbContainerRefclass, &crmask)) != 0) { prepend_err_str (context, "Security Container read FAILED: ", st, st); /* delete Kerberos Container, status ignored intentionally */ - ldap_delete_s(ld, kerberoscontdn); + ldap_delete_s(ld, kerberoscontdn); goto cleanup; } @@ -986,15 +979,15 @@ krb5_ldap_create_krbcontainer(context, krbcontparams) /* update the security container with krbContainerReference attribute */ if ((st=ldap_modify_s(ld, SECURITY_CONTAINER, mods)) != LDAP_SUCCESS) { int ost = st; - st = translate_ldap_error (st, OP_MOD); + st = translate_ldap_error (st, OP_MOD); krb5_set_error_message (context, st, "Security Container update FAILED: %s", ldap_err2string(ost)); /* delete Kerberos Container, status ignored intentionally */ - ldap_delete_s(ld, kerberoscontdn); + ldap_delete_s(ld, kerberoscontdn); goto cleanup; } #endif - cleanup: +cleanup: if (rdns) ldap_value_free (rdns); @@ -1006,7 +999,7 @@ krb5_ldap_create_krbcontainer(context, krbcontparams) /* - * Create Realm in eDirectory. This is used by kdb5_util + * Create Realm in eDirectory. This is used by kdb5_util */ krb5_error_code @@ -1051,7 +1044,7 @@ krb5_ldap_create_realm(context, rparams, mask) } if (ldap_context->krbcontainer == NULL) { - if ((st = krb5_ldap_read_krbcontainer_params(context, + if ((st = krb5_ldap_read_krbcontainer_params(context, &(ldap_context->krbcontainer))) != 0) goto cleanup; } @@ -1064,12 +1057,12 @@ krb5_ldap_create_realm(context, rparams, mask) dn = malloc(strlen("cn=") + strlen(realm_name) + strlen(ldap_context->krbcontainer->DN) + 2); CHECK_NULL(dn); sprintf(dn, "cn=%s,%s", realm_name, ldap_context->krbcontainer->DN); - + strval[0] = realm_name; strval[1] = NULL; if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0) goto cleanup; - + strval[0] = "top"; strval[1] = "krbrealmcontainer"; strval[2] = "krbpolicyaux"; @@ -1077,53 +1070,53 @@ krb5_ldap_create_realm(context, rparams, mask) if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) goto cleanup; - + /* SUBTREE ATTRIBUTE */ if (mask & LDAP_REALM_SUBTREE) { if (strlen(rparams->subtree) != 0) { - st = checkattributevalue(ld, rparams->subtree, "Objectclass", subtreeclass, + st = checkattributevalue(ld, rparams->subtree, "Objectclass", subtreeclass, &objectmask); CHECK_CLASS_VALIDITY(st, objectmask, "realm object value: "); } strval[0] = rparams->subtree; strval[1] = NULL; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtree", LDAP_MOD_ADD, + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtree", LDAP_MOD_ADD, strval)) != 0) goto cleanup; } /* SEARCHSCOPE ATTRIBUTE */ if (mask & LDAP_REALM_SEARCHSCOPE) { - if((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_ADD, - (rparams->search_scope == LDAP_SCOPE_ONELEVEL - || rparams->search_scope == LDAP_SCOPE_SUBTREE) ? - rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_ADD, + (rparams->search_scope == LDAP_SCOPE_ONELEVEL + || rparams->search_scope == LDAP_SCOPE_SUBTREE) ? + rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0) + goto cleanup; } if (mask & LDAP_REALM_MAXRENEWLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_ADD, - rparams->max_renewable_life)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_ADD, + rparams->max_renewable_life)) != 0) + goto cleanup; } /* krbMaxTicketLife ATTRIBUTE */ if (mask & LDAP_REALM_MAXTICKETLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_ADD, - rparams->max_life)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_ADD, + rparams->max_life)) != 0) + goto cleanup; } /* krbTicketFlags ATTRIBUTE */ if (mask & LDAP_REALM_KRBTICKETFLAGS) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_ADD, - rparams->tktflags)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_ADD, + rparams->tktflags)) != 0) + goto cleanup; } @@ -1134,19 +1127,19 @@ krb5_ldap_create_realm(context, rparams, mask) /* check if the defenctype exists in the suppenctypes list */ if (mask & LDAP_REALM_SUPPENCTYPE) { - for(i=0; rparams->suppenctypes[i] != END_OF_LIST; ++i) + for (i=0; rparams->suppenctypes[i] != END_OF_LIST; ++i) if (rparams->defenctype == rparams->suppenctypes[i]) break; - + if (rparams->suppenctypes[i] == END_OF_LIST) { st = EINVAL; krb5_set_error_message (context, st, "Default enctype not in the " - "supported list"); + "supported list"); goto cleanup; } } - if((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultenctype", LDAP_MOD_ADD, - rparams->defenctype)) != 0) + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultenctype", LDAP_MOD_ADD, + rparams->defenctype)) != 0) goto cleanup; } else { st = EINVAL; @@ -1162,20 +1155,20 @@ krb5_ldap_create_realm(context, rparams, mask) /* check if the defsalttype exists in the suppsalttypes list */ if (mask & LDAP_REALM_SUPPSALTTYPE) { - for(i=0; rparams->suppsalttypes[i] != END_OF_LIST; ++i) + for (i=0; rparams->suppsalttypes[i] != END_OF_LIST; ++i) if (rparams->defsalttype == rparams->suppsalttypes[i]) break; - + if (rparams->suppsalttypes[i] == END_OF_LIST) { st = EINVAL; krb5_set_error_message (context, st, - "Default salttype not in the supported list"); + "Default salttype not in the supported list"); goto cleanup; } } - if((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultsalttype", LDAP_MOD_ADD, - rparams->defsalttype)) != 0) + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbdefaultsalttype", LDAP_MOD_ADD, + rparams->defsalttype)) != 0) goto cleanup; } else { st = EINVAL; @@ -1186,49 +1179,49 @@ krb5_ldap_create_realm(context, rparams, mask) /* SUPPORTEDSALTTYPE ATTRIBUTE */ if (mask & LDAP_REALM_SUPPSALTTYPE) { - for(i=0; rparams->suppsalttypes[i] != END_OF_LIST; ++i) { + for (i=0; rparams->suppsalttypes[i] != END_OF_LIST; ++i) { /* check if the salttypes entered is valid */ if (!(rparams->suppsalttypes[i]>=0 && rparams->suppsalttypes[i]<6)) { st = EINVAL; - krb5_set_error_message (context, st, "Salttype %d not valid", + krb5_set_error_message (context, st, "Salttype %d not valid", rparams->suppsalttypes[i]); goto cleanup; } } ignore_duplicates(rparams->suppsalttypes); - if((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedsalttypes", LDAP_MOD_ADD, - rparams->suppsalttypes)) != 0) + if ((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedsalttypes", LDAP_MOD_ADD, + rparams->suppsalttypes)) != 0) goto cleanup; } else { /* set all the salt types as the suppsalttypes */ - if((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedsalttypes", LDAP_MOD_ADD, - supportedsalttypes)) != 0) - goto cleanup; + if ((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedsalttypes", LDAP_MOD_ADD, + supportedsalttypes)) != 0) + goto cleanup; } /* SUPPORTEDENCTYPE ATTRIBUTE */ if (mask & LDAP_REALM_SUPPENCTYPE) { - for(i=0; rparams->suppenctypes[i] != -1; ++i) { + for (i=0; rparams->suppenctypes[i] != -1; ++i) { - /* check if the enctypes entered is valid */ + /* check if the enctypes entered is valid */ if (krb5_c_valid_enctype(rparams->suppenctypes[i]) == 0) { st = EINVAL; - krb5_set_error_message (context, st, "Enctype %d not valid", + krb5_set_error_message (context, st, "Enctype %d not valid", rparams->suppenctypes[i]); goto cleanup; } } ignore_duplicates(rparams->suppenctypes); - if((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedenctypes", LDAP_MOD_ADD, - rparams->suppenctypes)) != 0) - goto cleanup; + if ((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedenctypes", LDAP_MOD_ADD, + rparams->suppenctypes)) != 0) + goto cleanup; } else { /* set all the enc types as the suppenctypes */ - if((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedenctypes", LDAP_MOD_ADD, - supportedenctypes)) != 0) - goto cleanup; + if ((st=krb5_add_int_arr_mem_ldap_mod(&mods, "krbsupportedenctypes", LDAP_MOD_ADD, + supportedenctypes)) != 0) + goto cleanup; } #ifdef HAVE_EDIRECTORY @@ -1281,29 +1274,27 @@ krb5_ldap_create_realm(context, rparams, mask) /* realm creation operation */ if ((st=ldap_add_s(ld, dn, mods)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_ADD); + st = set_ldap_error (context, st, OP_ADD); goto cleanup; } #ifdef HAVE_EDIRECTORY if (mask & LDAP_REALM_KDCSERVERS) for (i=0; rparams->kdcservers[i]; ++i) - if ((st=updateAttribute(ld, rparams->kdcservers[i], "krbRealmReferences", dn)) != 0) - { + if ((st=updateAttribute(ld, rparams->kdcservers[i], "krbRealmReferences", dn)) != 0) { sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ", - rparams->kdcservers[i]); - prepend_err_str (context, errbuf, st, st); + rparams->kdcservers[i]); + prepend_err_str (context, errbuf, st, st); /* delete Realm, status ignored intentionally */ ldap_delete_s(ld, dn); goto cleanup; } - + if (mask & LDAP_REALM_ADMINSERVERS) for (i=0; rparams->adminservers[i]; ++i) - if ((st=updateAttribute(ld, rparams->adminservers[i], "krbRealmReferences", dn)) != 0) - { + if ((st=updateAttribute(ld, rparams->adminservers[i], "krbRealmReferences", dn)) != 0) { sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ", - rparams->adminservers[i]); + rparams->adminservers[i]); prepend_err_str (context, errbuf, st, st); /* delete Realm, status ignored intentionally */ ldap_delete_s(ld, dn); @@ -1312,18 +1303,17 @@ krb5_ldap_create_realm(context, rparams, mask) if (mask & LDAP_REALM_PASSWDSERVERS) for (i=0; rparams->passwdservers[i]; ++i) - if ((st=updateAttribute(ld, rparams->passwdservers[i], "krbRealmReferences", dn)) != 0) - { + if ((st=updateAttribute(ld, rparams->passwdservers[i], "krbRealmReferences", dn)) != 0) { sprintf(errbuf, "Error adding 'krbRealmReferences' to %s: ", - rparams->passwdservers[i]); - prepend_err_str (context, errbuf, st, st); + rparams->passwdservers[i]); + prepend_err_str (context, errbuf, st, st); /* delete Realm, status ignored intentionally */ ldap_delete_s(ld, dn); goto cleanup; } #endif - cleanup: +cleanup: if (dn) free(dn); @@ -1348,7 +1338,7 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) unsigned int i=0, /* masklen=4, */ count=0; krb5_error_code st=0, tempst=0; LDAP *ld=NULL; - LDAPMessage *result=NULL,*ent=NULL; + LDAPMessage *result=NULL,*ent=NULL; krb5_ldap_realm_params *rlparams=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; @@ -1366,7 +1356,7 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) /* read kerberos container, if not read already */ if (ldap_context->krbcontainer == NULL) { - if ((st = krb5_ldap_read_krbcontainer_params(context, + if ((st = krb5_ldap_read_krbcontainer_params(context, &(ldap_context->krbcontainer))) != 0) goto cleanup; } @@ -1386,10 +1376,10 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) } memset((char *) rlparams->tl_data, 0, sizeof(krb5_tl_data)); rlparams->tl_data->tl_data_type = KDB_TL_USER_INFO; - + /* set the mask parameter to 0 */ *mask = 0; - + /* set default values */ rlparams->search_scope = LDAP_SCOPE_SUBTREE; @@ -1401,7 +1391,7 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) goto cleanup; } sprintf(rlparams->realmdn, "cn=%s,%s", lrealm, krbcontDN); - + /* populate the realm name in the structure */ rlparams->realm_name = strdup(lrealm); CHECK_NULL(rlparams->realm_name); @@ -1420,44 +1410,44 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) /* Read the attributes */ { - if((values=ldap_get_values(ld, ent, "krbSubTree")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbSubTree")) != NULL) { rlparams->subtree = strdup(values[0]); - if(rlparams->subtree==NULL) { + if (rlparams->subtree==NULL) { st = ENOMEM; goto cleanup; } *mask |= LDAP_REALM_SUBTREE; ldap_value_free(values); - } + } - if((values=ldap_get_values(ld, ent, "krbSearchScope")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbSearchScope")) != NULL) { rlparams->search_scope=atoi(values[0]); /* searchscope can be ONE-LEVEL or SUBTREE, else default to SUBTREE */ if (!(rlparams->search_scope==1 || rlparams->search_scope==2)) rlparams->search_scope = LDAP_SCOPE_SUBTREE; *mask |= LDAP_REALM_SEARCHSCOPE; ldap_value_free(values); - } + } - if((values=ldap_get_values(ld, ent, "krbMaxTicketLife")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbMaxTicketLife")) != NULL) { rlparams->max_life = atoi(values[0]); *mask |= LDAP_REALM_MAXTICKETLIFE; ldap_value_free(values); - } + } - if((values=ldap_get_values(ld, ent, "krbMaxRenewableAge")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbMaxRenewableAge")) != NULL) { rlparams->max_renewable_life = atoi(values[0]); *mask |= LDAP_REALM_MAXRENEWLIFE; ldap_value_free(values); - } + } - if((values=ldap_get_values(ld, ent, "krbTicketFlags")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbTicketFlags")) != NULL) { rlparams->tktflags = atoi(values[0]); *mask |= LDAP_REALM_KRBTICKETFLAGS; ldap_value_free(values); } - if((values=ldap_get_values(ld, ent, "krbDefaultEncType")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbDefaultEncType")) != NULL) { rlparams->defenctype = atoi(values[0]); if (krb5_c_valid_enctype(rlparams->defenctype) == 0) rlparams->defenctype = ENCTYPE_DES3_CBC_SHA1; @@ -1465,35 +1455,35 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) ldap_value_free(values); } - if((values=ldap_get_values(ld, ent, "krbDefaultSaltType")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbDefaultSaltType")) != NULL) { rlparams->defsalttype = atoi(values[0]); if (!(rlparams->defsalttype>=0 && rlparams->defsalttype<6)) rlparams->defsalttype = KRB5_KDB_SALTTYPE_NORMAL; *mask |= LDAP_REALM_DEFSALTTYPE; ldap_value_free(values); } - if((values=ldap_get_values(ld, ent, "krbSupportedEncTypes")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbSupportedEncTypes")) != NULL) { count = ldap_count_values(values); - rlparams->suppenctypes = malloc (sizeof(krb5_int32) * (count + 1)); + rlparams->suppenctypes = malloc (sizeof(krb5_int32) * (count + 1)); if (rlparams->suppenctypes == NULL) { st = ENOMEM; goto cleanup; } - for(i=0; isuppenctypes[i] = atoi(values[i]); rlparams->suppenctypes[count] = -1; *mask |= LDAP_REALM_SUPPENCTYPE; ldap_value_free(values); } - if((values=ldap_get_values(ld, ent, "krbSupportedSaltTypes")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbSupportedSaltTypes")) != NULL) { count = ldap_count_values(values); - rlparams->suppsalttypes = malloc (sizeof(krb5_int32) * (count + 1)); + rlparams->suppsalttypes = malloc (sizeof(krb5_int32) * (count + 1)); if (rlparams->suppsalttypes == NULL) { st = ENOMEM; goto cleanup; } - for(i=0; isuppsalttypes[i] = atoi(values[i]); rlparams->suppsalttypes[count] = -1; *mask |= LDAP_REALM_SUPPSALTTYPE; @@ -1502,7 +1492,7 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) #ifdef HAVE_EDIRECTORY - if((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) { count = ldap_count_values(values); if ((st=copy_arrays(values, &(rlparams->kdcservers), (int) count)) != 0) goto cleanup; @@ -1510,15 +1500,15 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) ldap_value_free(values); } - if((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) { count = ldap_count_values(values); if ((st=copy_arrays(values, &(rlparams->adminservers), (int) count)) != 0) goto cleanup; *mask |= LDAP_REALM_ADMINSERVERS; ldap_value_free(values); - } + } - if((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) { count = ldap_count_values(values); if ((st=copy_arrays(values, &(rlparams->passwdservers), (int) count)) != 0) goto cleanup; @@ -1532,56 +1522,56 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) /* * If all of maxtktlife, maxrenewlife and ticketflags are not directly * available, use the policy dn from the policy reference attribute, if - * available, to fetch the missing. + * available, to fetch the missing. */ - if ((!(*mask & LDAP_REALM_MAXTICKETLIFE && *mask & LDAP_REALM_MAXRENEWLIFE && + if ((!(*mask & LDAP_REALM_MAXTICKETLIFE && *mask & LDAP_REALM_MAXRENEWLIFE && *mask & LDAP_REALM_KRBTICKETFLAGS)) && rlparams->policyreference) { LDAP_SEARCH_1(rlparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS); if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) { - int ost = st; - st = translate_ldap_error (st, OP_SEARCH); - krb5_set_error_message (context, st, "Policy object read failed: %s", ldap_err2string(ost)); + int ost = st; + st = translate_ldap_error (st, OP_SEARCH); + krb5_set_error_message (context, st, "Policy object read failed: %s", ldap_err2string(ost)); goto cleanup; } ent = ldap_first_entry (ld, result); if (ent != NULL) { if ((*mask & LDAP_REALM_MAXTICKETLIFE) == 0) { - if((values=ldap_get_values(ld, ent, "krbmaxticketlife")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbmaxticketlife")) != NULL) { rlparams->max_life = atoi(values[0]); - *mask |= LDAP_REALM_MAXTICKETLIFE; + *mask |= LDAP_REALM_MAXTICKETLIFE; ldap_value_free(values); } } - + if ((*mask & LDAP_REALM_MAXRENEWLIFE) == 0) { - if((values=ldap_get_values(ld, ent, "krbmaxrenewableage")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbmaxrenewableage")) != NULL) { rlparams->max_renewable_life = atoi(values[0]); - *mask |= LDAP_REALM_MAXRENEWLIFE; + *mask |= LDAP_REALM_MAXRENEWLIFE; ldap_value_free(values); } } if ((*mask & LDAP_REALM_KRBTICKETFLAGS) == 0) { - if((values=ldap_get_values(ld, ent, "krbticketflags")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbticketflags")) != NULL) { rlparams->tktflags = atoi(values[0]); - *mask |= LDAP_REALM_KRBTICKETFLAGS; + *mask |= LDAP_REALM_KRBTICKETFLAGS; ldap_value_free(values); } } } ldap_msgfree(result); } - + rlparams->mask = *mask; *rlparamp = rlparams; st = store_tl_data(rlparams->tl_data, KDB_TL_MASK, mask); - cleanup: +cleanup: /* if there is an error, free allocated structures */ - if(st != 0) { + if (st != 0) { krb5_ldap_free_realm_params(rlparams); *rlparamp=NULL; } @@ -1593,13 +1583,13 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) /* Free the krb5_ldap_realm_params. */ -void +void krb5_ldap_free_realm_params(rparams) krb5_ldap_realm_params *rparams; { int i=0; - - if(rparams) { + + if (rparams) { if (rparams->realmdn) free(rparams->realmdn); @@ -1608,26 +1598,26 @@ krb5_ldap_free_realm_params(rparams) if (rparams->subtree) krb5_xfree(rparams->subtree); - + if (rparams->suppenctypes) - krb5_xfree(rparams->suppenctypes); + krb5_xfree(rparams->suppenctypes); if (rparams->suppsalttypes) krb5_xfree(rparams->suppsalttypes); - if (rparams->kdcservers){ + if (rparams->kdcservers) { for (i=0; rparams->kdcservers[i]; ++i) krb5_xfree(rparams->kdcservers[i]); krb5_xfree(rparams->kdcservers); } - if (rparams->adminservers){ + if (rparams->adminservers) { for (i=0; rparams->adminservers[i]; ++i) krb5_xfree(rparams->adminservers[i]); krb5_xfree(rparams->adminservers); } - if (rparams->passwdservers){ + if (rparams->passwdservers) { for (i=0; rparams->passwdservers[i]; ++i) krb5_xfree(rparams->passwdservers[i]); krb5_xfree(rparams->passwdservers); @@ -1643,7 +1633,7 @@ krb5_ldap_free_realm_params(rparams) memset(rparams->mkey.contents, 0, rparams->mkey.length); krb5_xfree(rparams->mkey.contents); } - + krb5_xfree(rparams); } return; @@ -1655,7 +1645,7 @@ krb5_error_code krb5_ldap_create_realm_1(krb5_context kcontext, char *conf_section, char **db_args) { krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP; - krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status)); return status; } @@ -1663,6 +1653,6 @@ krb5_error_code krb5_ldap_delete_realm_1(krb5_context kcontext, char *conf_section, char **db_args) { krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP; - krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status)); return status; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c index 296e36d2d..01045ce32 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c @@ -222,7 +222,7 @@ static char *adminrights_realmcontainer[][2]={ {"6#subtree#","#DetectIntruder"}, {"6#subtree#","#LockoutAfterDetection"}, {"2#subtree#","#LockedByIntruder"}, - {"6#subtree#","#Surname"}, + {"6#subtree#","#Surname"}, {"6#subtree#","#krbPwdHistoryLength"}, {"6#subtree#","#krbMinPwdLife"}, {"6#subtree#","#krbMaxPwdLife"}, @@ -280,20 +280,20 @@ static char *kerberos_container[][2] = { }; -/* +/* * This will set the rights for the Kerberos service objects. * The function will read the subtree attribute from the specified * realm name and will the appropriate rights on both the realm - * container and the subtree. The kerberos context passed should + * container and the subtree. The kerberos context passed should * have a valid ldap handle, with appropriate rights to write acl - * attributes. - * + * attributes. + * * krb5_context - IN The Kerberos context with valid ldap handle * */ -krb5_error_code -krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, subtreeparam, mask) +krb5_error_code +krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask) krb5_context context; int servicetype; char *serviceobjdn; @@ -301,7 +301,7 @@ krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, sub char *subtreeparam; int mask; { - + int st=0,i=0; char *realmacls[2]={NULL}, *subtreeacls[2]={NULL}, *seccontacls[2]={NULL}, *krbcontacls[2]={NULL}; LDAP *ld; @@ -311,43 +311,43 @@ krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, sub kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; - + SETUP_CONTEXT(); GET_HANDLE(); - if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4) - || (ldap_context->krbcontainer->DN == NULL) ) { + if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4) + || (ldap_context->krbcontainer->DN == NULL)) { st=-1; goto cleanup; } - + /* If the subtree is null, set the value to root */ - if(subtreeparam== NULL) + if (subtreeparam== NULL) subtree=strdup(""); else subtree=strdup(subtreeparam); - - if( subtree == NULL ) { + + if (subtree == NULL) { st = ENOMEM; goto cleanup; } - + /* Set the rights for the service object on the security container */ seccontclass.mod_op = LDAP_MOD_ADD; seccontclass.mod_type = "ACL"; - + for (i=0; strcmp(security_container[i][0], "") != 0; i++) { - seccontacls[0] = (char *)malloc( strlen(security_container[i][0]) + - strlen(serviceobjdn) + - strlen(security_container[i][1]) + 1); + seccontacls[0] = (char *)malloc(strlen(security_container[i][0]) + + strlen(serviceobjdn) + + strlen(security_container[i][1]) + 1); - sprintf( seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn, - security_container[i][1]); + sprintf(seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn, + security_container[i][1]); seccontclass.mod_values = seccontacls; - + seccontarr[0] = &seccontclass; - + st = ldap_modify_ext_s(ld, SECURITY_CONTAINER, seccontarr, @@ -355,26 +355,26 @@ krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, sub NULL); if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { free(seccontacls[0]); - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } free(seccontacls[0]); } - + /* Set the rights for the service object on the kerberos container */ krbcontclass.mod_op = LDAP_MOD_ADD; krbcontclass.mod_type = "ACL"; - + for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) { - krbcontacls[0] = (char *)malloc( strlen(kerberos_container[i][0]) + strlen(serviceobjdn) - + strlen(kerberos_container[i][1]) + 1); - sprintf(krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn, - kerberos_container[i][1]); + krbcontacls[0] = (char *)malloc(strlen(kerberos_container[i][0]) + strlen(serviceobjdn) + + strlen(kerberos_container[i][1]) + 1); + sprintf(krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn, + kerberos_container[i][1]); krbcontclass.mod_values = krbcontacls; - + krbcontarr[0] = &krbcontclass; - + st = ldap_modify_ext_s(ld, ldap_context->krbcontainer->DN, krbcontarr, @@ -382,34 +382,34 @@ krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, sub NULL); if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { free(krbcontacls[0]); - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } free(krbcontacls[0]); } - + /* Set the rights for the realm */ if (mask & LDAP_REALM_RIGHTS) { - + /* Construct the realm dn from realm name */ - realmdn = (char * )malloc(strlen("cn=") + strlen(realmname) + - strlen(ldap_context->krbcontainer->DN) + 2); + realmdn = (char *)malloc(strlen("cn=") + strlen(realmname) + + strlen(ldap_context->krbcontainer->DN) + 2); sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN); realmclass.mod_op = LDAP_MOD_ADD; realmclass.mod_type = "ACL"; - + if (servicetype == LDAP_KDC_SERVICE) { - for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) { - realmacls[0] = (char *)malloc(strlen(kdcrights_realmcontainer[i][0]) - + strlen(serviceobjdn) + - strlen(kdcrights_realmcontainer[i][1]) + 1); - sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn, + for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) { + realmacls[0] = (char *)malloc(strlen(kdcrights_realmcontainer[i][0]) + + strlen(serviceobjdn) + + strlen(kdcrights_realmcontainer[i][1]) + 1); + sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn, kdcrights_realmcontainer[i][1]); realmclass.mod_values = realmacls; - + realmarr[0] = &realmclass; - + st = ldap_modify_ext_s(ld, realmdn, realmarr, @@ -417,22 +417,22 @@ krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, sub NULL); if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } free(realmacls[0]); } - } else if(servicetype == LDAP_ADMIN_SERVICE){ - for( i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) { - realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) + - strlen(serviceobjdn) + - strlen(adminrights_realmcontainer[i][1]) + 1); - sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn, + } else if (servicetype == LDAP_ADMIN_SERVICE) { + for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) { + realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) + + strlen(serviceobjdn) + + strlen(adminrights_realmcontainer[i][1]) + 1); + sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn, adminrights_realmcontainer[i][1]); realmclass.mod_values = realmacls; - + realmarr[0] = &realmclass; - + st = ldap_modify_ext_s(ld, realmdn, realmarr, @@ -440,23 +440,23 @@ krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, sub NULL); if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } - free(realmacls[0]); + free(realmacls[0]); } } else if (servicetype == LDAP_PASSWD_SERVICE) { for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) { - realmacls[0] = (char *) malloc( strlen(pwdrights_realmcontainer[i][0]) + - strlen(serviceobjdn) + - strlen(pwdrights_realmcontainer[i][1]) + 1); - sprintf( realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn, - pwdrights_realmcontainer[i][1]); + realmacls[0] = (char *) malloc(strlen(pwdrights_realmcontainer[i][0]) + + strlen(serviceobjdn) + + strlen(pwdrights_realmcontainer[i][1]) + 1); + sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn, + pwdrights_realmcontainer[i][1]); realmclass.mod_values = realmacls; - + realmarr[0] = &realmclass; - - + + st = ldap_modify_ext_s(ld, realmdn, realmarr, @@ -464,7 +464,7 @@ krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, sub NULL); if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } free(realmacls[0]); @@ -478,18 +478,18 @@ krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, sub /* Populate the acl data to be added to the subtree */ subtreeclass.mod_op = LDAP_MOD_ADD; subtreeclass.mod_type = "ACL"; - + if (servicetype == LDAP_KDC_SERVICE) { for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) { - subtreeacls[0] = (char *) malloc( strlen(kdcrights_subtree[i][0]) + - strlen(serviceobjdn) + - strlen(kdcrights_subtree[i][1]) + 1); - sprintf( subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn, - kdcrights_subtree[i][1]); + subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0]) + + strlen(serviceobjdn) + + strlen(kdcrights_subtree[i][1]) + 1); + sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn, + kdcrights_subtree[i][1]); subtreeclass.mod_values = subtreeacls; - + subtreearr[0] = &subtreeclass; - + st = ldap_modify_ext_s(ld, subtree, subtreearr, @@ -497,22 +497,22 @@ krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, sub NULL); if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { free(subtreeacls[0]); - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } free(subtreeacls[0]); } } else if (servicetype == LDAP_ADMIN_SERVICE) { for (i=0; strcmp(adminrights_subtree[i][0], "")!=0; i++) { - subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0]) - + strlen(serviceobjdn) + subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0]) + + strlen(serviceobjdn) + strlen(adminrights_subtree[i][1]) + 1); - sprintf( subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn, - adminrights_subtree[i][1]); + sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn, + adminrights_subtree[i][1]); subtreeclass.mod_values = subtreeacls; - + subtreearr[0] = &subtreeclass; - + st = ldap_modify_ext_s(ld, subtree, subtreearr, @@ -520,22 +520,22 @@ krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, sub NULL); if (st != LDAP_SUCCESS && st !=LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { free(subtreeacls[0]); - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } free(subtreeacls[0]); } } else if (servicetype == LDAP_PASSWD_SERVICE) { for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) { - subtreeacls[0] = (char *)malloc( strlen(pwdrights_subtree[i][0]) - + strlen(serviceobjdn) - + strlen(pwdrights_subtree[i][1]) + 1); - sprintf( subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn, - pwdrights_subtree[i][1]); + subtreeacls[0] = (char *)malloc(strlen(pwdrights_subtree[i][0]) + + strlen(serviceobjdn) + + strlen(pwdrights_subtree[i][1]) + 1); + sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn, + pwdrights_subtree[i][1]); subtreeclass.mod_values = subtreeacls; - + subtreearr[0] = &subtreeclass; - + st = ldap_modify_ext_s(ld, subtree, subtreearr, @@ -543,7 +543,7 @@ krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, sub NULL); if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { free(subtreeacls[0]); - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } free(subtreeacls[0]); @@ -551,13 +551,13 @@ krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, sub } } /* Subtree rights settings ends here */ st = 0; - - cleanup: - - if(realmdn) + +cleanup: + + if (realmdn) free(realmdn); - if(subtree) + if (subtree) free(subtree); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); @@ -565,20 +565,20 @@ krb5_ldap_add_service_rights( context, servicetype, serviceobjdn, realmname, sub } -/* - This will set the rights for the Kerberos service objects. - The function will read the subtree attribute from the specified - realm name and will the appropriate rights on both the realm - container and the subtree. The kerberos context passed should - have a valid ldap handle, with appropriate rights to write acl - attributes. - - krb5_context - IN The Kerberos context with valid ldap handle +/* + This will set the rights for the Kerberos service objects. + The function will read the subtree attribute from the specified + realm name and will the appropriate rights on both the realm + container and the subtree. The kerberos context passed should + have a valid ldap handle, with appropriate rights to write acl + attributes. + + krb5_context - IN The Kerberos context with valid ldap handle */ krb5_error_code -krb5_ldap_delete_service_rights( context, servicetype, serviceobjdn, realmname, subtreeparam, mask) +krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask) krb5_context context; int servicetype; char *serviceobjdn; @@ -597,50 +597,50 @@ krb5_ldap_delete_service_rights( context, servicetype, serviceobjdn, realmname, kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; - + SETUP_CONTEXT(); GET_HANDLE(); - if((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4) - || (ldap_context->krbcontainer->DN == NULL) ) { + if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4) + || (ldap_context->krbcontainer->DN == NULL)) { st=-1; goto cleanup; } /* If the subtree is null, set the value to root */ - if(subtreeparam== NULL) + if (subtreeparam== NULL) subtree=strdup(""); else subtree=strdup(subtreeparam); - - if( subtree == NULL ) { + + if (subtree == NULL) { st = ENOMEM; goto cleanup; } /* Set the rights for the realm */ - if( mask & LDAP_REALM_RIGHTS ) { - + if (mask & LDAP_REALM_RIGHTS) { + /* Construct the realm dn from realm name */ - realmdn = (char *) malloc( strlen("cn=") + strlen(realmname) + - strlen(ldap_context->krbcontainer->DN) + 2 ); + realmdn = (char *) malloc(strlen("cn=") + strlen(realmname) + + strlen(ldap_context->krbcontainer->DN) + 2); sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN); realmclass.mod_op=LDAP_MOD_DELETE; realmclass.mod_type="ACL"; - + if (servicetype == LDAP_KDC_SERVICE) { for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) { - realmacls[0] = (char *) malloc(strlen(kdcrights_realmcontainer[i][0]) - + strlen(serviceobjdn) + + realmacls[0] = (char *) malloc(strlen(kdcrights_realmcontainer[i][0]) + + strlen(serviceobjdn) + strlen(kdcrights_realmcontainer[i][1]) + 1); - sprintf( realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn, - kdcrights_realmcontainer[i][1]); + sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn, + kdcrights_realmcontainer[i][1]); realmclass.mod_values= realmacls; - + realmarr[0]=&realmclass; - + st = ldap_modify_ext_s(ld, realmdn, realmarr, @@ -648,22 +648,22 @@ krb5_ldap_delete_service_rights( context, servicetype, serviceobjdn, realmname, NULL); if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) { free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } free(realmacls[0]); } } else if (servicetype == LDAP_ADMIN_SERVICE) { for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) { - realmacls[0] = (char *) malloc( strlen(adminrights_realmcontainer[i][0]) + - strlen(serviceobjdn) + - strlen(adminrights_realmcontainer[i][1]) + 1); - sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn, + realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) + + strlen(serviceobjdn) + + strlen(adminrights_realmcontainer[i][1]) + 1); + sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn, adminrights_realmcontainer[i][1]); realmclass.mod_values= realmacls; - + realmarr[0]=&realmclass; - + st = ldap_modify_ext_s(ld, realmdn, realmarr, @@ -671,22 +671,22 @@ krb5_ldap_delete_service_rights( context, servicetype, serviceobjdn, realmname, NULL); if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) { free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } free(realmacls[0]); } } else if (servicetype == LDAP_PASSWD_SERVICE) { for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) { - realmacls[0]=(char *)malloc( strlen(pwdrights_realmcontainer[i][0]) - + strlen(serviceobjdn) - + strlen(pwdrights_realmcontainer[i][1]) + 1); - sprintf( realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn, - pwdrights_realmcontainer[i][1]); + realmacls[0]=(char *)malloc(strlen(pwdrights_realmcontainer[i][0]) + + strlen(serviceobjdn) + + strlen(pwdrights_realmcontainer[i][1]) + 1); + sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn, + pwdrights_realmcontainer[i][1]); realmclass.mod_values= realmacls; - + realmarr[0]=&realmclass; - + st = ldap_modify_ext_s(ld, realmdn, realmarr, @@ -700,9 +700,9 @@ krb5_ldap_delete_service_rights( context, servicetype, serviceobjdn, realmname, free(realmacls[0]); } } - + } /* Realm rights setting ends here */ - + /* Set the rights for the subtree */ if (mask & LDAP_SUBTREE_RIGHTS) { @@ -710,18 +710,18 @@ krb5_ldap_delete_service_rights( context, servicetype, serviceobjdn, realmname, /* Populate the acl data to be added to the subtree */ subtreeclass.mod_op=LDAP_MOD_DELETE; subtreeclass.mod_type="ACL"; - - if(servicetype == LDAP_KDC_SERVICE){ + + if (servicetype == LDAP_KDC_SERVICE) { for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) { - subtreeacls[0] = (char *) malloc( strlen(kdcrights_subtree[i][0]) - + strlen(serviceobjdn) - + strlen(kdcrights_subtree[i][1]) + 1); - sprintf( subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn, - kdcrights_subtree[i][1]); + subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0]) + + strlen(serviceobjdn) + + strlen(kdcrights_subtree[i][1]) + 1); + sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn, + kdcrights_subtree[i][1]); subtreeclass.mod_values= subtreeacls; - + subtreearr[0]=&subtreeclass; - + st = ldap_modify_ext_s(ld, subtree, subtreearr, @@ -736,39 +736,38 @@ krb5_ldap_delete_service_rights( context, servicetype, serviceobjdn, realmname, } } else if (servicetype == LDAP_ADMIN_SERVICE) { for (i=0; strcmp(adminrights_subtree[i][0], "") != 0; i++) { - subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0]) - + strlen(serviceobjdn) - + strlen(adminrights_subtree[i][1]) + 1); - sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn, + subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0]) + + strlen(serviceobjdn) + + strlen(adminrights_subtree[i][1]) + 1); + sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn, adminrights_subtree[i][1]); subtreeclass.mod_values= subtreeacls; - + subtreearr[0]=&subtreeclass; - + st = ldap_modify_ext_s(ld, subtree, subtreearr, NULL, NULL); - if ( st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) { + if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) { free(subtreeacls[0]); st = set_ldap_error (context, st, OP_MOD); goto cleanup; } free(subtreeacls[0]); } - } - else if (servicetype == LDAP_PASSWD_SERVICE) { + } else if (servicetype == LDAP_PASSWD_SERVICE) { for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) { - subtreeacls[0] = (char *) malloc(strlen(pwdrights_subtree[i][0]) - + strlen(serviceobjdn) + subtreeacls[0] = (char *) malloc(strlen(pwdrights_subtree[i][0]) + + strlen(serviceobjdn) + strlen(pwdrights_subtree[i][1]) + 1); - sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn, + sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn, pwdrights_subtree[i][1]); subtreeclass.mod_values= subtreeacls; - + subtreearr[0]=&subtreeclass; - + st = ldap_modify_ext_s(ld, subtree, subtreearr, @@ -783,15 +782,15 @@ krb5_ldap_delete_service_rights( context, servicetype, serviceobjdn, realmname, } } } /* Subtree rights setting ends here */ - + st = 0; - cleanup: - - if(realmdn) +cleanup: + + if (realmdn) free(realmdn); - if(subtree) + if (subtree) free(subtree); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c index 702f548c5..7c9dbad1b 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c @@ -48,7 +48,7 @@ krb5_ldap_readpassword(context, ldap_context, password) *password = NULL; if (ldap_context->service_password_file) - file = ldap_context->service_password_file; + file = ldap_context->service_password_file; #ifndef HAVE_STRERROR_R # undef strerror_r @@ -57,133 +57,133 @@ krb5_ldap_readpassword(context, ldap_context, password) /* check whether file exists */ if (access(file, F_OK) < 0) { - st = errno; + st = errno; strerror_r(errno, errbuf, sizeof(errbuf)); - krb5_set_error_message (context, st, "%s", errbuf); - goto rp_exit; + krb5_set_error_message (context, st, "%s", errbuf); + goto rp_exit; } /* check read access */ if (access(file, R_OK) < 0) { - st = errno; + st = errno; strerror_r(errno, errbuf, sizeof(errbuf)); - krb5_set_error_message (context, st, "%s", errbuf); - goto rp_exit; + krb5_set_error_message (context, st, "%s", errbuf); + goto rp_exit; } - if((fptr=fopen(file, "r")) == NULL) { - st = errno; + if ((fptr=fopen(file, "r")) == NULL) { + st = errno; strerror_r(errno, errbuf, sizeof(errbuf)); - krb5_set_error_message (context, st, "%s", errbuf); - goto rp_exit; + krb5_set_error_message (context, st, "%s", errbuf); + goto rp_exit; } - + /* get the record from the file */ - while(fgets(line, RECORDLEN, fptr)!= NULL) { - char tmp[RECORDLEN]; + while (fgets(line, RECORDLEN, fptr)!= NULL) { + char tmp[RECORDLEN]; - tmp[0] = '\0'; - /* Handle leading white-spaces */ - for(start = line; isspace(*start); ++start); + tmp[0] = '\0'; + /* Handle leading white-spaces */ + for (start = line; isspace(*start); ++start); - /* Handle comment lines */ - if (*start == '!' || *start == '#') - continue; - sscanf(line, "%*[ \t]%[^#]", tmp); - if(tmp[0] == '\0') - sscanf(line, "%[^#]", tmp); - if(strcasecmp(tmp, ldap_context->bind_dn) == 0) { - entryfound = 1; /* service_dn record found !!! */ - break; - } + /* Handle comment lines */ + if (*start == '!' || *start == '#') + continue; + sscanf(line, "%*[ \t]%[^#]", tmp); + if (tmp[0] == '\0') + sscanf(line, "%[^#]", tmp); + if (strcasecmp(tmp, ldap_context->bind_dn) == 0) { + entryfound = 1; /* service_dn record found !!! */ + break; + } } fclose (fptr); if (entryfound == 0) { st = KRB5_KDB_SERVER_INTERNAL_ERR; krb5_set_error_message (context, st, "Bind DN entry missing in stash file"); - goto rp_exit; + goto rp_exit; } /* replace the \n with \0 */ start = strchr(line, '\n'); if (start) - *start = '\0'; + *start = '\0'; start = strchr(line, '#'); - if (start == NULL ) { - /* password field missing */ + if (start == NULL) { + /* password field missing */ st = KRB5_KDB_SERVER_INTERNAL_ERR; - krb5_set_error_message (context, st, "Stash file entry corrupt"); - goto rp_exit; + krb5_set_error_message (context, st, "Stash file entry corrupt"); + goto rp_exit; } ++ start; /* Extract the plain password / certificate file information */ { - struct data PT, CT; + struct data PT, CT; - /* Check if the entry has the path of a certificate */ - if(!strncmp(start, "{FILE}", strlen("{FILE}"))) { + /* Check if the entry has the path of a certificate */ + if (!strncmp(start, "{FILE}", strlen("{FILE}"))) { /* Set *password = {FILE}\0 */ - /*ptr = strchr(start, ':'); - if(ptr == NULL){ */ + /*ptr = strchr(start, ':'); + if (ptr == NULL) { */ *password = (unsigned char *)malloc(strlen(start) + 2); (*password)[strlen(start) + 1] = '\0'; (*password)[strlen(start)] = '\0'; strcpy((char *)(*password), start); goto got_password; - } else { + } else { CT.value = (unsigned char *)start; CT.len = strlen((char *)CT.value); st = dec_password(CT, &PT); - if(st != 0){ - switch (st) { - case ERR_NO_MEM: - st = ENOMEM; - break; - case ERR_PWD_ZERO: - st = EINVAL; - krb5_set_error_message(context, st, "Password has zero length"); - break; - case ERR_PWD_BAD: - st = EINVAL; - krb5_set_error_message(context, st, "Password corrupted"); - break; - case ERR_PWD_NOT_HEX: - st = EINVAL; - krb5_set_error_message(context, st, "Not a hexadecimal password"); - break; - default: - st = KRB5_KDB_SERVER_INTERNAL_ERR; - break; - } + if (st != 0) { + switch (st) { + case ERR_NO_MEM: + st = ENOMEM; + break; + case ERR_PWD_ZERO: + st = EINVAL; + krb5_set_error_message(context, st, "Password has zero length"); + break; + case ERR_PWD_BAD: + st = EINVAL; + krb5_set_error_message(context, st, "Password corrupted"); + break; + case ERR_PWD_NOT_HEX: + st = EINVAL; + krb5_set_error_message(context, st, "Not a hexadecimal password"); + break; + default: + st = KRB5_KDB_SERVER_INTERNAL_ERR; + break; + } goto rp_exit; } *password = PT.value; - } + } } - got_password: +got_password: - rp_exit: +rp_exit: if (st) { - if (*password) - free (*password); - *password = NULL; + if (*password) + free (*password); + *password = NULL; } return st; } /* Encodes a sequence of bytes in hexadecimal */ -int +int tohex(in, ret) - krb5_data in; - krb5_data *ret; + krb5_data in; + krb5_data *ret; { int i=0, j=0, err = 0; - + ret->length = 0; ret->data = NULL; - + ret->data = (unsigned char *)malloc((unsigned int)in.length * 2 + 1 /*Null termination */); if (ret->data == NULL) { err = ENOMEM; @@ -191,19 +191,19 @@ tohex(in, ret) } ret->length = in.length * 2; ret->data[ret->length] = 0; - + for (i = 0, j = 0; i < in.length; i++, j += 2) { sprintf((char *)ret->data + j, "%x", in.data[i] >> 4); sprintf((char *)ret->data + j + 1, "%x", in.data[i] & 0xf); } - - cleanup: - + +cleanup: + if (ret->length == 0) { free(ret->data); ret->data = NULL; } - + return err; } @@ -219,31 +219,31 @@ tohex(in, ret) * ERR_PWD_NOT_HEX - Not a hexadecimal password */ -int dec_password(struct data pwd, struct data *ret){ +int dec_password(struct data pwd, struct data *ret) { int err=0; int i=0, j=0; - + ret->len = 0; ret->value = NULL; - + if (pwd.len == 0) { - err = ERR_PWD_ZERO; - ret->len = 0; - goto cleanup; + err = ERR_PWD_ZERO; + ret->len = 0; + goto cleanup; } - + /* Check if it is a hexadecimal encoded password */ - if (pwd.len >= strlen("{HEX}") && + if (pwd.len >= strlen("{HEX}") && strncmp((char *)pwd.value, "{HEX}", strlen("{HEX}")) == 0) { - - if((pwd.len - strlen("{HEX}")) % 2 != 0){ + + if ((pwd.len - strlen("{HEX}")) % 2 != 0) { /* A hexadecimal encoded password should have even length */ - err = ERR_PWD_BAD; + err = ERR_PWD_BAD; ret->len = 0; goto cleanup; } ret->value = (unsigned char *)malloc((pwd.len - strlen("{HEX}")) / 2 + 1); - if(ret->value == NULL){ + if (ret->value == NULL) { err = ERR_NO_MEM; ret->len = 0; goto cleanup; @@ -254,26 +254,25 @@ int dec_password(struct data pwd, struct data *ret){ int k; /* Check if it is a hexadecimal number */ if (isxdigit(pwd.value[i]) == 0 || isxdigit(pwd.value[i + 1]) == 0) { - err = ERR_PWD_NOT_HEX; - ret->len = 0; - goto cleanup; + err = ERR_PWD_NOT_HEX; + ret->len = 0; + goto cleanup; } sscanf((char *)pwd.value + i, "%2x", &k); ret->value[j] = k; } goto cleanup; } else { - err = ERR_PWD_NOT_HEX; - ret->len = 0; - goto cleanup; + err = ERR_PWD_NOT_HEX; + ret->len = 0; + goto cleanup; } - - cleanup: - - if(ret->len == 0) { + +cleanup: + + if (ret->len == 0) { free(ret->value); ret->value = NULL; } return(err); } - diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c index fa1bdd7b3..4fde33037 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c @@ -47,7 +47,7 @@ krb5_ldap_create_service(context, service, mask) krb5_ldap_service_params *service; int mask; { - int i=0, j=0; + int i=0, j=0; krb5_error_code st=0; LDAP *ld=NULL; char **rdns=NULL, *realmattr=NULL, *strval[3]={NULL}; @@ -74,7 +74,7 @@ krb5_ldap_create_service(context, service, mask) strval[1] = "krbKdcService"; realmattr = "krbKdcServers"; } else if (service->servicetype == LDAP_ADMIN_SERVICE) { - strval[1] = "krbAdmService"; + strval[1] = "krbAdmService"; realmattr = "krbAdmServers"; } else if (service->servicetype == LDAP_PASSWD_SERVICE) { strval[1] = "krbPwdService"; @@ -84,21 +84,21 @@ krb5_ldap_create_service(context, service, mask) realmattr = "krbKdcServers"; } if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; - + goto cleanup; + rdns = ldap_explode_dn(service->servicedn, 1); if (rdns == NULL) { - st = LDAP_INVALID_DN_SYNTAX; - goto cleanup; + st = LDAP_INVALID_DN_SYNTAX; + goto cleanup; } memset(strval, 0, sizeof(strval)); strval[0] = rdns[0]; if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; - + goto cleanup; + if (mask & LDAP_SERVICE_SERVICEFLAG) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_ADD, - service->krbserviceflags)) != 0) + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_ADD, + service->krbserviceflags)) != 0) goto cleanup; } @@ -110,17 +110,17 @@ krb5_ldap_create_service(context, service, mask) } else { st = EINVAL; krb5_set_error_message (context, st, "'krbhostserver' argument invalid"); - goto cleanup; + goto cleanup; } } - + if (mask & LDAP_SERVICE_REALMREFERENCE) { if (service->krbrealmreferences != NULL) { unsigned int realmmask=0; - + /* check for the validity of the values */ for (j=0; service->krbrealmreferences[j] != NULL; ++j) { - st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass", + st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass", realmcontclass, &realmmask); CHECK_CLASS_VALIDITY(st, realmmask, "realm object value: "); } @@ -128,40 +128,40 @@ krb5_ldap_create_service(context, service, mask) service->krbrealmreferences)) != 0) goto cleanup; } else { - st = EINVAL; + st = EINVAL; krb5_set_error_message (context, st, "Server has no 'krbrealmreferences'"); - goto cleanup; + goto cleanup; } } - + /* ldap add operation */ if ((st=ldap_add_s(ld, service->servicedn, mods)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_ADD); + st = set_ldap_error (context, st, OP_ADD); goto cleanup; } - - /* + + /* * If the service created has realm/s associated with it, then the realm should be updated * to have a reference to the service object just created. */ if (mask & LDAP_SERVICE_REALMREFERENCE) { for (i=0; service->krbrealmreferences[i]; ++i) { - if((st=updateAttribute(ld, service->krbrealmreferences[i], realmattr, - service->servicedn)) != 0) { + if ((st=updateAttribute(ld, service->krbrealmreferences[i], realmattr, + service->servicedn)) != 0) { sprintf (errbuf, "Error adding 'krbRealmReferences' to %s: ", service->krbrealmreferences[i]); - prepend_err_str (context, errbuf, st, st); + prepend_err_str (context, errbuf, st, st); /* delete service object, status ignored intentionally */ ldap_delete_s(ld, service->servicedn); goto cleanup; } } } - - cleanup: + +cleanup: if (rdns) - ldap_value_free (rdns); + ldap_value_free (rdns); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); @@ -193,69 +193,69 @@ krb5_ldap_modify_service(context, service, mask) /* validate the input parameter */ if (service == NULL || service->servicedn == NULL) { - st = EINVAL; + st = EINVAL; krb5_set_error_message (context, st, "Service DN is NULL"); - goto cleanup; + goto cleanup; } SETUP_CONTEXT(); GET_HANDLE(); if (mask & LDAP_SERVICE_SERVICEFLAG) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_REPLACE, - service->krbserviceflags)) != 0) + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_REPLACE, + service->krbserviceflags)) != 0) goto cleanup; } if (mask & LDAP_SERVICE_HOSTSERVER) { if (service->krbhostservers != NULL) { if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_REPLACE, - service->krbhostservers)) != 0) - goto cleanup; + service->krbhostservers)) != 0) + goto cleanup; } else { - st = EINVAL; + st = EINVAL; krb5_set_error_message (context, st, "'krbhostserver' value invalid"); - goto cleanup; + goto cleanup; } } - + if (mask & LDAP_SERVICE_REALMREFERENCE) { if (service->krbrealmreferences != NULL) { unsigned int realmmask=0; - + /* check for the validity of the values */ for (j=0; service->krbrealmreferences[j]; ++j) { - st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass", - realmcontclass, &realmmask); + st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass", + realmcontclass, &realmmask); CHECK_CLASS_VALIDITY(st, realmmask, "realm object value: "); } - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_REPLACE, - service->krbrealmreferences)) != 0) - goto cleanup; - - + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_REPLACE, + service->krbrealmreferences)) != 0) + goto cleanup; + + /* get the attribute of the realm to be set */ if (service->servicetype == LDAP_KDC_SERVICE) realmattr = "krbKdcServers"; else if (service->servicetype == LDAP_ADMIN_SERVICE) - realmattr = "krbAdmservers"; + realmattr = "krbAdmservers"; else if (service->servicetype == LDAP_PASSWD_SERVICE) realmattr = "krbPwdServers"; else realmattr = "krbKdcServers"; - + /* read the existing list of krbRealmreferences. this will needed */ - if ((st = ldap_search_s (ld, - service->servicedn, + if ((st = ldap_search_s (ld, + service->servicedn, LDAP_SCOPE_BASE, 0, attr, 0, &result)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_SEARCH); + st = set_ldap_error (context, st, OP_SEARCH); goto cleanup; } - + ent = ldap_first_entry(ld, result); if (ent) { if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) { @@ -267,20 +267,20 @@ krb5_ldap_modify_service(context, service, mask) } ldap_msgfree(result); } else { - st = EINVAL; + st = EINVAL; krb5_set_error_message (context, st, "'krbRealmReferences' value invalid"); - goto cleanup; + goto cleanup; } } - + /* ldap modify operation */ if ((st=ldap_modify_s(ld, service->servicedn, mods)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } - - /* - * If the service modified had realm/s associations changed, then the realm should be + + /* + * If the service modified had realm/s associations changed, then the realm should be * updated to reflect the changes. */ @@ -288,44 +288,42 @@ krb5_ldap_modify_service(context, service, mask) /* get the count of the new list of krbrealmreferences */ for (i=0; service->krbrealmreferences[i]; ++i) ; - + /* make a new copy of the krbrealmreferences */ if ((st=copy_arrays(service->krbrealmreferences, &newrealmrefs, i)) != 0) goto cleanup; - + /* find the deletions/additions to the list of krbrealmreferences */ if (disjoint_members(oldrealmrefs, newrealmrefs) != 0) goto cleanup; - /* see if some of the attributes have to be deleted */ + /* see if some of the attributes have to be deleted */ if (oldrealmrefs) { - + /* update the dn represented by the attribute that is to be deleted */ - for (i=0; oldrealmrefs[i]; ++i) - if((st=deleteAttribute(ld, oldrealmrefs[i], realmattr, service->servicedn)) != 0) - { + for (i=0; oldrealmrefs[i]; ++i) + if ((st=deleteAttribute(ld, oldrealmrefs[i], realmattr, service->servicedn)) != 0) { prepend_err_str (context, "Error deleting realm attribute:", st, st); - goto cleanup; + goto cleanup; } } - - /* see if some of the attributes have to be added */ - for (i=0; newrealmrefs[i]; ++i) - if((st=updateAttribute(ld, newrealmrefs[i], realmattr, service->servicedn)) != 0) - { + + /* see if some of the attributes have to be added */ + for (i=0; newrealmrefs[i]; ++i) + if ((st=updateAttribute(ld, newrealmrefs[i], realmattr, service->servicedn)) != 0) { prepend_err_str (context, "Error updating realm attribute: ", st, st); goto cleanup; } } - - cleanup: + +cleanup: if (oldrealmrefs) { for (i=0; oldrealmrefs[i]; ++i) free (oldrealmrefs[i]); free (oldrealmrefs); } - + if (newrealmrefs) { for (i=0; newrealmrefs[i]; ++i) free (newrealmrefs[i]); @@ -352,10 +350,10 @@ krb5_ldap_delete_service(context, service, servicedn) SETUP_CONTEXT(); GET_HANDLE(); - + st = ldap_delete_s(ld, servicedn); if (st != 0) { - st = set_ldap_error (context, st, OP_DEL); + st = set_ldap_error (context, st, OP_DEL); } /* NOTE: This should be removed now as the backlinks are going off in OpenLDAP */ @@ -364,16 +362,16 @@ krb5_ldap_delete_service(context, service, servicedn) { int i=0; char *attr=NULL; - + if (service) { if (service->krbrealmreferences) { if (service->servicetype == LDAP_KDC_SERVICE) - attr = "krbkdcservers"; + attr = "krbkdcservers"; else if (service->servicetype == LDAP_ADMIN_SERVICE) attr = "krbadmservers"; else if (service->servicetype == LDAP_PASSWD_SERVICE) attr = "krbpwdservers"; - + for (i=0; service->krbrealmreferences[i]; ++i) { deleteAttribute(ld, service->krbrealmreferences[i], attr, servicedn); } @@ -382,7 +380,7 @@ krb5_ldap_delete_service(context, service, servicedn) } #endif - cleanup: +cleanup: krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; @@ -415,8 +413,8 @@ krb5_ldap_read_service(context, servicedn, service, omask) char **values=NULL; int i=0, count=0, objectmask=0; krb5_error_code st=0, tempst=0; - LDAPMessage *result=NULL,*ent=NULL; - char *attributes[] = {"krbHostServer", "krbServiceflags", + LDAPMessage *result=NULL,*ent=NULL; + char *attributes[] = {"krbHostServer", "krbServiceflags", "krbRealmReferences", "objectclass", NULL}; char *attrvalues[] = {"krbService", NULL}; krb5_ldap_service_params *lservice=NULL; @@ -424,23 +422,23 @@ krb5_ldap_read_service(context, servicedn, service, omask) kdb5_dal_handle *dal_handle=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; LDAP *ld = NULL; - + /* validate the input parameter */ if (servicedn == NULL) { st = EINVAL; krb5_set_error_message (context, st, "Service DN NULL"); goto cleanup; } - + SETUP_CONTEXT(); GET_HANDLE(); *omask = 0; - + /* the policydn object should be of the krbService object class */ st = checkattributevalue(ld, servicedn, "objectClass", attrvalues, &objectmask); CHECK_CLASS_VALIDITY(st, objectmask, "service object value: "); - + /* Initialize service structure */ lservice =(krb5_ldap_service_params *) calloc(1, sizeof(krb5_ldap_service_params)); if (lservice == NULL) { @@ -455,30 +453,30 @@ krb5_ldap_read_service(context, servicedn, service, omask) goto cleanup; } lservice->tl_data->tl_data_type = KDB_TL_USER_INFO; - + LDAP_SEARCH(servicedn, LDAP_SCOPE_BASE, "(objectclass=krbService)", attributes); lservice->servicedn = strdup(servicedn); CHECK_NULL(lservice->servicedn); - ent=ldap_first_entry(ld, result); + ent=ldap_first_entry(ld, result); if (ent != NULL) { - if((values=ldap_get_values(ld, ent, "krbServiceFlags")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbServiceFlags")) != NULL) { lservice->krbserviceflags = atoi(values[0]); *omask |= LDAP_SERVICE_SERVICEFLAG; ldap_value_free(values); - } + } - if((values=ldap_get_values(ld, ent, "krbHostServer")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbHostServer")) != NULL) { count = ldap_count_values(values); if ((st=copy_arrays(values, &(lservice->krbhostservers), count)) != 0) goto cleanup; *omask |= LDAP_SERVICE_HOSTSERVER; ldap_value_free(values); - } + } - if((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) { count = ldap_count_values(values); if ((st=copy_arrays(values, &(lservice->krbrealmreferences), count)) != 0) goto cleanup; @@ -486,17 +484,17 @@ krb5_ldap_read_service(context, servicedn, service, omask) ldap_value_free(values); } - if((values=ldap_get_values(ld, ent, "objectClass")) != NULL) { - for (i=0; values[i]; ++i){ + if ((values=ldap_get_values(ld, ent, "objectClass")) != NULL) { + for (i=0; values[i]; ++i) { if (strcasecmp(values[i], "krbKdcService") == 0) { lservice->servicetype = LDAP_KDC_SERVICE; break; - } + } if (strcasecmp(values[i], "krbAdmService") == 0) { lservice->servicetype = LDAP_ADMIN_SERVICE; break; - } + } if (strcasecmp(values[i], "krbPwdService") == 0) { lservice->servicetype = LDAP_PASSWD_SERVICE; @@ -507,9 +505,9 @@ krb5_ldap_read_service(context, servicedn, service, omask) } } ldap_msgfree(result); - - cleanup: - if(st != 0) { + +cleanup: + if (st != 0) { krb5_ldap_free_service(context, lservice); *service = NULL; } else { @@ -524,7 +522,7 @@ krb5_ldap_read_service(context, servicedn, service, omask) /* * This function frees the krb5_ldap_service_params structure members. */ - + krb5_error_code krb5_ldap_free_service(context, service) krb5_context context; @@ -549,13 +547,13 @@ krb5_ldap_free_service(context, service) free (service->krbhostservers[i]); free (service->krbhostservers); } - + if (service->tl_data) { if (service->tl_data->tl_data_contents) free (service->tl_data->tl_data_contents); free (service->tl_data); } - + free (service); return 0; } @@ -581,13 +579,13 @@ krb5_ldap_set_service_passwd(context, service, passwd) if ((st=krb5_add_str_mem_ldap_mod(&mods, "userPassword", LDAP_MOD_REPLACE, password)) != 0) goto cleanup; - + st = ldap_modify_s(ld, service, mods); if (st) { - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); } - cleanup: +cleanup: ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c index f5948786f..78601e5b9 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c @@ -35,64 +35,64 @@ /* Ticket policy object management */ -/* -* This function changes the value of policyreference count for a particular ticket policy. if flag is 1 it will increment else it will reduce by one -*/ +/* + * This function changes the value of policyreference count for a + * particular ticket policy. If flag is 1 it will increment else it + * will reduce by one. + */ krb5_error_code krb5_ldap_change_count(context ,policydn ,flag) - krb5_context context; - char *policydn; - int flag; + krb5_context context; + char *policydn; + int flag; { - krb5_error_code st=0; - int objectmask=0; - LDAP *ld=NULL; - char *attrvalues[] = { "krbPolicy", NULL}; - kdb5_dal_handle *dal_handle=NULL; - krb5_ldap_context *ldap_context=NULL; - krb5_ldap_server_handle *ldap_server_handle=NULL; - krb5_ldap_policy_params *policyparams=NULL; - int mask = 0; - - /* validate the input parameters */ - if (policydn == NULL) { - st = EINVAL; - prepend_err_str(context,"Ticket Policy Object information missing",st,st); - goto cleanup; - } + krb5_error_code st=0; + int objectmask=0; + LDAP *ld=NULL; + char *attrvalues[] = { "krbPolicy", NULL}; + kdb5_dal_handle *dal_handle=NULL; + krb5_ldap_context *ldap_context=NULL; + krb5_ldap_server_handle *ldap_server_handle=NULL; + krb5_ldap_policy_params *policyparams=NULL; + int mask = 0; + + /* validate the input parameters */ + if (policydn == NULL) { + st = EINVAL; + prepend_err_str(context,"Ticket Policy Object information missing",st,st); + goto cleanup; + } - SETUP_CONTEXT(); - GET_HANDLE(); + SETUP_CONTEXT(); + GET_HANDLE(); - /* the policydn object should be of the krbPolicy object class */ - st = checkattributevalue(ld, policydn, "objectClass", attrvalues, &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, "ticket policy object: "); + /* the policydn object should be of the krbPolicy object class */ + st = checkattributevalue(ld, policydn, "objectClass", attrvalues, &objectmask); + CHECK_CLASS_VALIDITY(st, objectmask, "ticket policy object: "); - /* Initialize ticket policy structure */ + /* Initialize ticket policy structure */ - if ((st = krb5_ldap_read_policy(context, policydn, &policyparams, &mask))) - goto cleanup; - if(flag == 1){ - /*Increment*/ - policyparams->polrefcount +=1; - } - else{ - /*Decrement*/ - if(policyparams->polrefcount >0) - { - policyparams->polrefcount-=1; - } + if ((st = krb5_ldap_read_policy(context, policydn, &policyparams, &mask))) + goto cleanup; + if (flag == 1) { + /*Increment*/ + policyparams->polrefcount +=1; + } else{ + /*Decrement*/ + if (policyparams->polrefcount >0) { + policyparams->polrefcount-=1; } - mask |= LDAP_POLICY_COUNT; + } + mask |= LDAP_POLICY_COUNT; - if ((st = krb5_ldap_modify_policy(context, policyparams, mask))) - goto cleanup; + if ((st = krb5_ldap_modify_policy(context, policyparams, mask))) + goto cleanup; cleanup: - krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); - return st; + krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); + return st; } /* @@ -114,7 +114,7 @@ krb5_ldap_create_policy(context, policy, mask) /* validate the input parameters */ if (policy == NULL || policy->policydn==NULL) { - st = EINVAL; + st = EINVAL; krb5_set_error_message (context, st, "Ticket Policy Object DN missing"); goto cleanup; } @@ -127,12 +127,12 @@ krb5_ldap_create_policy(context, policy, mask) st = LDAP_INVALID_DN_SYNTAX; goto cleanup; } - + memset(strval, 0, sizeof(strval)); strval[0] = rdns[0]; if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0) goto cleanup; - + memset(strval, 0, sizeof(strval)); strval[0] = "krbPolicy"; strval[1] = "krbPolicyaux"; @@ -140,37 +140,37 @@ krb5_ldap_create_policy(context, policy, mask) goto cleanup; if (mask & LDAP_POLICY_MAXTKTLIFE) { - if((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_ADD, - policy->maxtktlife)) != 0) + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_ADD, + policy->maxtktlife)) != 0) goto cleanup; } if (mask & LDAP_POLICY_MAXRENEWLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_ADD, + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_ADD, policy->maxrenewlife)) != 0) goto cleanup; } - + if (mask & LDAP_POLICY_TKTFLAGS) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_ADD, + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_ADD, policy->tktflags)) != 0) goto cleanup; } /*ticket policy reference count attribute added with value 0 */ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbPolicyRefCount", LDAP_MOD_ADD, - 0)) != 0) - goto cleanup; + 0)) != 0) + goto cleanup; /* ldap add operation */ if ((st=ldap_add_s(ld, policy->policydn, mods)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_ADD); + st = set_ldap_error (context, st, OP_ADD); goto cleanup; } - - cleanup: + +cleanup: if (rdns) - ldap_value_free(rdns); + ldap_value_free(rdns); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); @@ -183,7 +183,7 @@ krb5_ldap_create_policy(context, policy, mask) */ krb5_error_code -krb5_ldap_modify_policy(context, policy, mask) +krb5_ldap_modify_policy(context, policy, mask) krb5_context context; krb5_ldap_policy_params *policy; int mask; @@ -201,7 +201,7 @@ krb5_ldap_modify_policy(context, policy, mask) if (policy == NULL || policy->policydn==NULL) { st = EINVAL; krb5_set_error_message (context, st, "Ticket Policy Object DN missing"); - goto cleanup; + goto cleanup; } SETUP_CONTEXT(); @@ -210,7 +210,7 @@ krb5_ldap_modify_policy(context, policy, mask) /* the policydn object should be of the krbPolicy object class */ st = checkattributevalue(ld, policy->policydn, "objectClass", attrvalues, &objectmask); CHECK_CLASS_VALIDITY(st, objectmask, "ticket policy object: "); - + if ((objectmask & 0x02) == 0) { /* add krbpolicyaux to the object class list */ memset(strval, 0, sizeof(strval)); strval[0] = "krbPolicyAux"; @@ -219,34 +219,34 @@ krb5_ldap_modify_policy(context, policy, mask) } if (mask & LDAP_POLICY_MAXTKTLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, policy->maxtktlife)) != 0) goto cleanup; } if (mask & LDAP_POLICY_MAXRENEWLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, - policy->maxrenewlife)) != 0) + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, + policy->maxrenewlife)) != 0) goto cleanup; } - + if (mask & LDAP_POLICY_TKTFLAGS) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, policy->tktflags)) != 0) goto cleanup; } if (mask & LDAP_POLICY_COUNT) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpolicyrefcount", LDAP_MOD_REPLACE, + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpolicyrefcount", LDAP_MOD_REPLACE, policy->polrefcount)) != 0) goto cleanup; } if ((st=ldap_modify_s(ld, policy->policydn, mods)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); goto cleanup; } - - cleanup: + +cleanup: ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; @@ -254,7 +254,7 @@ krb5_ldap_modify_policy(context, policy, mask) /* - * Read the policy object from the Directory and populate the krb5_ldap_policy_params + * Read the policy object from the Directory and populate the krb5_ldap_policy_params * structure. */ @@ -268,19 +268,19 @@ krb5_ldap_read_policy(context, policydn, policy, omask) krb5_error_code st=0, tempst=0; int objectmask=0; LDAP *ld=NULL; - LDAPMessage *result=NULL,*ent=NULL; + LDAPMessage *result=NULL,*ent=NULL; char *attributes[] = { "krbMaxTicketLife", "krbMaxRenewableAge", "krbTicketFlags", "krbPolicyRefCount", NULL}; char *attrvalues[] = { "krbPolicy", NULL}; krb5_ldap_policy_params *lpolicy=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; - + /* validate the input parameters */ if (policydn == NULL || policy == NULL) { st = EINVAL; krb5_set_error_message(context, st, "Ticket Policy Object information missing"); - goto cleanup; + goto cleanup; } SETUP_CONTEXT(); @@ -305,18 +305,18 @@ krb5_ldap_read_policy(context, policydn, policy, omask) lpolicy->policydn = strdup(policydn); CHECK_NULL(lpolicy->policydn); - ent=ldap_first_entry(ld, result); + ent=ldap_first_entry(ld, result); if (ent != NULL) { if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", (int *) &(lpolicy->maxtktlife)) == 0) *omask |= LDAP_POLICY_MAXTKTLIFE; - + if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", (int *) &(lpolicy->maxrenewlife)) == 0) *omask |= LDAP_POLICY_MAXRENEWLIFE; if (krb5_ldap_get_value(ld, ent, "krbticketflags", (int *) &(lpolicy->tktflags)) == 0) - *omask |= LDAP_POLICY_TKTFLAGS; + *omask |= LDAP_POLICY_TKTFLAGS; if (krb5_ldap_get_value(ld, ent, "krbPolicyRefCount", (int *) &(lpolicy->polrefcount)) == 0) - *omask |= LDAP_POLICY_COUNT; + *omask |= LDAP_POLICY_COUNT; } ldap_msgfree(result); @@ -325,26 +325,29 @@ krb5_ldap_read_policy(context, policydn, policy, omask) store_tl_data(lpolicy->tl_data, KDB_TL_MASK, omask); *policy = lpolicy; - cleanup: +cleanup: if (st != 0) { krb5_ldap_free_policy(context, lpolicy); *policy = NULL; - } + } krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; } -/* - * function to delete ticket policy object from the directory. Before calling this function krb5_ldap_read_policy - * should be called to check the existence of the object. This serves one major purpose, i.e. if the object to be - * is anything other than the ticket policy object then the krb5_ldap_read_policy returns an error and thus is not - * accidently deleted in this function. +/* + * Function to delete ticket policy object from the directory. Before + * calling this function krb5_ldap_read_policy should be called to + * check the existence of the object. This serves one major purpose, + * i.e., if the object to be is anything other than the ticket policy + * object then the krb5_ldap_read_policy returns an error and thus is + * not accidently deleted in this function. * - * NOTE: Other kerberos objects (user/realm object) might be having references to the - * policy object to be deleted. This situation is not handled here, instead is taken care - * of at all the places where the deleted policy object is read, to ignore a return status - * of LDAP_NO_SUCH_OBJECT and continue. + * NOTE: Other kerberos objects (user/realm object) might be having + * references to the policy object to be deleted. This situation is + * not handled here, instead is taken care of at all the places where + * the deleted policy object is read, to ignore a return status of + * LDAP_NO_SUCH_OBJECT and continue. */ krb5_error_code @@ -354,43 +357,42 @@ krb5_ldap_delete_policy(context, policydn, policy, mask) krb5_ldap_policy_params *policy; int mask; { - krb5_error_code st = 0; - LDAP *ld = NULL; - kdb5_dal_handle *dal_handle=NULL; - krb5_ldap_context *ldap_context=NULL; - krb5_ldap_server_handle *ldap_server_handle=NULL; - - if (policy == NULL || policydn==NULL) { - st = EINVAL; - prepend_err_str (context,"Ticket Policy Object DN missing",st,st); - goto cleanup; - } + krb5_error_code st = 0; + LDAP *ld = NULL; + kdb5_dal_handle *dal_handle=NULL; + krb5_ldap_context *ldap_context=NULL; + krb5_ldap_server_handle *ldap_server_handle=NULL; + if (policy == NULL || policydn==NULL) { + st = EINVAL; + prepend_err_str (context,"Ticket Policy Object DN missing",st,st); + goto cleanup; + } - SETUP_CONTEXT(); - GET_HANDLE(); - - /*checking for policy count for 0 and will not permit delete if it is greater than 0*/ + SETUP_CONTEXT(); + GET_HANDLE(); - if(policy->polrefcount == 0){ - if ((st=ldap_delete_s(ld, policydn)) != 0) - { - prepend_err_str (context,ldap_err2string(st),st,st); - - goto cleanup; - } - } - else { - st = EINVAL; - prepend_err_str (context,"Delete Failed: One or more Principals associated with the Ticket Policy",st,st); - goto cleanup; + /* Checking for policy count for 0 and will not permit delete if + * it is greater than 0. */ + + if (policy->polrefcount == 0) { + + if ((st=ldap_delete_s(ld, policydn)) != 0) { + prepend_err_str (context,ldap_err2string(st),st,st); + + goto cleanup; } + } else { + st = EINVAL; + prepend_err_str (context,"Delete Failed: One or more Principals associated with the Ticket Policy",st,st); + goto cleanup; + } cleanup: - krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); - return st; + krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); + return st; } @@ -407,15 +409,15 @@ krb5_ldap_list_policy(context, containerdn, policy) krb5_error_code st=0; st = krb5_ldap_list(context, policy, "krbPolicy", containerdn); - + return st; } /* * Function to free the ticket policy object structure. - * Note: this function assumes that memory of the policy structure is dynamically allocated and hence the whole + * Note: this function assumes that memory of the policy structure is dynamically allocated and hence the whole * structure is freed up. Care should be taken not to call this function on a static structure - */ + */ krb5_error_code krb5_ldap_free_policy(context, policy) @@ -424,10 +426,10 @@ krb5_ldap_free_policy(context, policy) { krb5_error_code st=0; - + if (policy == NULL) return st; - + if (policy->policydn) free (policy->policydn); @@ -442,8 +444,8 @@ krb5_ldap_free_policy(context, policy) } /* - * This function is general object listing routine. It is currently used for ticket policy - * object listing. + * This function is general object listing routine. It is currently + * used for ticket policy object listing. */ krb5_error_code @@ -457,7 +459,7 @@ krb5_ldap_list(context, list, objectclass, containerdn) krb5_error_code st=0, tempst=0; int i=0, count=0, filterlen=0; LDAP *ld=NULL; - LDAPMessage *result=NULL,*ent=NULL; + LDAPMessage *result=NULL,*ent=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; @@ -472,7 +474,7 @@ krb5_ldap_list(context, list, objectclass, containerdn) goto cleanup; } } - + /* set the filter for the search operation */ filterlen = strlen("(objectclass=") + strlen(objectclass) + 1 + 1; filter = malloc ((unsigned) filterlen); @@ -496,7 +498,7 @@ krb5_ldap_list(context, list, objectclass, containerdn) goto cleanup; } - for(ent=ldap_first_entry(ld, result), count=0; ent != NULL; ent=ldap_next_entry(ld, ent), ++count) { + for (ent=ldap_first_entry(ld, result), count=0; ent != NULL; ent=ldap_next_entry(ld, ent), ++count) { if ((dn=ldap_get_dn(ld, ent)) == NULL) continue; if (((*list)[count] = strdup(dn)) == NULL) { @@ -507,11 +509,11 @@ krb5_ldap_list(context, list, objectclass, containerdn) ldap_memfree(dn); } ldap_msgfree(result); - - cleanup: + +cleanup: if (filter) free (filter); - + /* some error, free up all the memory */ if (st != 0) { if (*list) { @@ -520,7 +522,7 @@ krb5_ldap_list(context, list, objectclass, containerdn) free (*list); *list = NULL; } - } + } krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c b/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c index e089c8f7d..3aa520aa2 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c @@ -30,7 +30,7 @@ ldap_xdr_krb5_int16(XDR *xdrs, krb5_int16 *objp) return(TRUE); } -bool_t +bool_t ldap_xdr_nullstring(XDR *xdrs, char **objp) { u_int size; @@ -206,7 +206,7 @@ krb5_update_tl_kadm_data(policy_dn, new_tl_data) XDR xdrs; osa_princ_ent_t princ_entry; - if((princ_entry = (osa_princ_ent_t) malloc(sizeof(osa_princ_ent_rec))) == NULL) + if ((princ_entry = (osa_princ_ent_t) malloc(sizeof(osa_princ_ent_rec))) == NULL) return ENOMEM; memset(princ_entry, 0, sizeof(osa_princ_ent_rec)); @@ -215,14 +215,14 @@ krb5_update_tl_kadm_data(policy_dn, new_tl_data) princ_entry->policy = policy_dn; xdralloc_create(&xdrs, XDR_ENCODE); - if(! ldap_xdr_osa_princ_ent_rec(&xdrs, princ_entry)) { + if (! ldap_xdr_osa_princ_ent_rec(&xdrs, princ_entry)) { xdr_destroy(&xdrs); return(KADM5_XDR_FAILURE); } new_tl_data->tl_data_type = KRB5_TL_KADM_DATA; new_tl_data->tl_data_length = xdr_getpos(&xdrs); new_tl_data->tl_data_contents = (krb5_octet *)xdralloc_getdata(&xdrs); - + /* xdr_destroy(&xdrs); ldap_osa_free_princ_ent(princ_entry);