From 1db2647c62d10cccadadabacba7224eb565ec042 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 24 Nov 2009 23:52:25 +0000 Subject: [PATCH] Mark and reindent plugins, except for pkinit, which needs a little cleanup first. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23353 dc483132-0cff-0310-8789-dd5450dbe970 --- src/Makefile.in | 12 +- src/plugins/authdata/greet/greet_auth.c | 27 +- src/plugins/authdata/greet_client/greet.c | 13 +- .../authdata/greet_server/greet_auth.c | 3 +- src/plugins/kdb/db2/adb_openclose.c | 742 ++-- src/plugins/kdb/db2/adb_policy.c | 327 +- src/plugins/kdb/db2/db2_exp.c | 297 +- src/plugins/kdb/db2/kdb_db2.c | 1261 +++---- src/plugins/kdb/db2/kdb_db2.h | 188 +- src/plugins/kdb/db2/kdb_ext.c | 2 +- src/plugins/kdb/db2/kdb_xdr.c | 427 ++- src/plugins/kdb/db2/kdb_xdr.h | 26 +- src/plugins/kdb/db2/lockout.c | 2 +- src/plugins/kdb/db2/policy_db.h | 87 +- src/plugins/kdb/hdb/kdb_hdb.c | 16 +- src/plugins/kdb/hdb/kdb_hdb.h | 14 +- src/plugins/kdb/hdb/kdb_marshal.c | 10 +- src/plugins/kdb/hdb/kdb_windc.c | 4 +- src/plugins/kdb/ldap/ldap_exp.c | 93 +- .../kdb/ldap/ldap_util/kdb5_ldap_list.c | 237 +- .../kdb/ldap/ldap_util/kdb5_ldap_list.h | 13 +- .../kdb/ldap/ldap_util/kdb5_ldap_policy.c | 870 +++-- .../kdb/ldap/ldap_util/kdb5_ldap_policy.h | 1 + .../kdb/ldap/ldap_util/kdb5_ldap_realm.c | 3177 ++++++++--------- .../kdb/ldap/ldap_util/kdb5_ldap_realm.h | 27 +- .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 2695 +++++++------- .../kdb/ldap/ldap_util/kdb5_ldap_services.h | 35 +- .../kdb/ldap/ldap_util/kdb5_ldap_util.c | 552 +-- .../kdb/ldap/ldap_util/kdb5_ldap_util.h | 9 +- src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c | 2 +- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 470 ++- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 157 +- .../kdb/ldap/libkdb_ldap/kdb_ldap_conn.c | 283 +- src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c | 115 +- src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.h | 31 +- .../kdb/ldap/libkdb_ldap/ldap_create.c | 493 +-- src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c | 148 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_err.h | 1 + .../kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c | 28 +- .../kdb/ldap/libkdb_ldap/ldap_handle.c | 168 +- .../kdb/ldap/libkdb_ldap/ldap_handle.h | 1 + .../kdb/ldap/libkdb_ldap/ldap_krbcontainer.c | 151 +- .../kdb/ldap/libkdb_ldap/ldap_krbcontainer.h | 23 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_main.h | 1 + src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 1975 +++++----- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h | 11 +- .../kdb/ldap/libkdb_ldap/ldap_principal.c | 409 ++- .../kdb/ldap/libkdb_ldap/ldap_principal.h | 35 +- .../kdb/ldap/libkdb_ldap/ldap_principal2.c | 1922 +++++----- .../kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 312 +- .../kdb/ldap/libkdb_ldap/ldap_pwd_policy.h | 15 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c | 1411 ++++---- src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h | 42 +- .../ldap/libkdb_ldap/ldap_service_rights.c | 663 ++-- .../kdb/ldap/libkdb_ldap/ldap_service_stash.c | 267 +- .../kdb/ldap/libkdb_ldap/ldap_service_stash.h | 1 + .../kdb/ldap/libkdb_ldap/ldap_services.c | 541 ++- .../kdb/ldap/libkdb_ldap/ldap_services.h | 34 +- .../kdb/ldap/libkdb_ldap/ldap_tkt_policy.c | 246 +- .../kdb/ldap/libkdb_ldap/ldap_tkt_policy.h | 15 +- src/plugins/kdb/ldap/libkdb_ldap/lockout.c | 2 +- src/plugins/locate/python/py-locate.c | 235 +- .../preauth/cksum_body/cksum_body_main.c | 471 +-- .../encrypted_challenge_main.c | 266 +- src/plugins/preauth/fast_factor.h | 75 +- src/plugins/preauth/wpse/wpse_main.c | 285 +- 66 files changed, 11100 insertions(+), 11372 deletions(-) diff --git a/src/Makefile.in b/src/Makefile.in index 9a5c4acec..05b13d974 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -667,6 +667,7 @@ INDENTDIRS = \ lib/kadm5 \ lib/kdb \ lib/krb5 \ + plugins \ prototype \ slave @@ -688,7 +689,16 @@ OTHEREXCLUDES = \ include/k5-platform.h \ include/gssrpc \ lib/krb5/krb/deltat.c \ - lib/krb5/unicode + lib/krb5/unicode \ + plugins/kdb/db2/libdb2 \ + plugins/kdb/db2/pol_xdr.c \ + plugins/kdb/hdb/hdb.h \ + plugins/kdb/hdb/hdb_asn1.h \ + plugins/kdb/hdb/hdb_err.h \ + plugins/kdb/hdb/windc_plugin.h \ + plugins/kdb/ldap/libkdb_ldap/princ_xdr.c \ + plugins/kdb/ldap/libkdb_ldap/princ_xdr.h \ + plugins/preauth/pkinit EXCLUDES = `for i in $(BSDFILES) $(OTHEREXCLUDES); do echo $$i; done | $(AWK) '{ print "-path", $$1, "-o" }'` -path /dev/null diff --git a/src/plugins/authdata/greet/greet_auth.c b/src/plugins/authdata/greet/greet_auth.c index e759128e7..1c88b2cc7 100644 --- a/src/plugins/authdata/greet/greet_auth.c +++ b/src/plugins/authdata/greet/greet_auth.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/authdata/greet/ * @@ -46,9 +47,9 @@ greet_fini(krb5_context ctx, void *blob) static krb5_error_code greet_authdata(krb5_context ctx, krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part * enc_tkt_reply) + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part * enc_tkt_reply) { #define GREET_SIZE (20) @@ -61,9 +62,9 @@ greet_authdata(krb5_context ctx, krb5_db_entry *client, a = calloc(1, sizeof(*a)); if (p == NULL || a == NULL) { - free(p); - free(a); - return ENOMEM; + free(p); + free(a); + return ENOMEM; } strncpy(p, "hello there", GREET_SIZE-1); a->magic = KV5M_AUTHDATA; @@ -71,17 +72,17 @@ greet_authdata(krb5_context ctx, krb5_db_entry *client, a->length = GREET_SIZE; a->contents = (unsigned char *)p; if (enc_tkt_reply->authorization_data == 0) { - count = 0; + count = 0; } else { - for (count = 0; enc_tkt_reply->authorization_data[count] != 0; count++) - ; + for (count = 0; enc_tkt_reply->authorization_data[count] != 0; count++) + ; } new_ad = realloc(enc_tkt_reply->authorization_data, - (count+2) * sizeof(krb5_authdata *)); + (count+2) * sizeof(krb5_authdata *)); if (new_ad == NULL) { - free(p); - free(a); - return ENOMEM; + free(p); + free(a); + return ENOMEM; } enc_tkt_reply->authorization_data = new_ad; new_ad[count] = a; diff --git a/src/plugins/authdata/greet_client/greet.c b/src/plugins/authdata/greet_client/greet.c index 4c7af82b8..8a49471b9 100644 --- a/src/plugins/authdata/greet_client/greet.c +++ b/src/plugins/authdata/greet_client/greet.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/authdata/greet_client/ * @@ -242,10 +243,10 @@ greet_set_attribute(krb5_context kcontext, static krb5_error_code greet_delete_attribute(krb5_context kcontext, - krb5_authdata_context context, - void *plugin_context, - void *request_context, - const krb5_data *attribute) + krb5_authdata_context context, + void *plugin_context, + void *request_context, + const krb5_data *attribute) { struct greet_context *greet = (struct greet_context *)request_context; @@ -265,8 +266,8 @@ greet_size(krb5_context kcontext, struct greet_context *greet = (struct greet_context *)request_context; *sizep += sizeof(krb5_int32) + - greet->greeting.length + - sizeof(krb5_int32); + greet->greeting.length + + sizeof(krb5_int32); return 0; } diff --git a/src/plugins/authdata/greet_server/greet_auth.c b/src/plugins/authdata/greet_server/greet_auth.c index fad044a55..0048af4b4 100644 --- a/src/plugins/authdata/greet_server/greet_auth.c +++ b/src/plugins/authdata/greet_server/greet_auth.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/authdata/greet_server/ * @@ -174,7 +175,7 @@ greet_authdata(krb5_context context, krb5_data *greeting = NULL; if (request->msg_type != KRB5_TGS_REQ) - return 0; + return 0; code = greet_hello(context, &greeting); if (code != 0) diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c index 58c49328c..5c09a9bb3 100644 --- a/src/plugins/kdb/db2/adb_openclose.c +++ b/src/plugins/kdb/db2/adb_openclose.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -8,409 +9,416 @@ static char *rcsid = "$Header$"; #endif -#include -#include -#include +#include +#include +#include #include -#include "policy_db.h" -#include +#include "policy_db.h" +#include #include #define MAX_LOCK_TRIES 5 struct _locklist { - osa_adb_lock_ent lockinfo; - struct _locklist *next; + osa_adb_lock_ent lockinfo; + struct _locklist *next; }; -krb5_error_code osa_adb_create_db(char *filename, char *lockfilename, - int magic) +krb5_error_code +osa_adb_create_db(char *filename, char *lockfilename, int magic) { - int lf; - DB *db; - BTREEINFO btinfo; - - memset(&btinfo, 0, sizeof(btinfo)); - btinfo.flags = 0; - btinfo.cachesize = 0; - btinfo.psize = 4096; - btinfo.lorder = 0; - btinfo.minkeypage = 0; - btinfo.compare = NULL; - btinfo.prefix = NULL; - db = dbopen(filename, O_RDWR | O_CREAT | O_EXCL, 0600, DB_BTREE, &btinfo); - if (db == NULL) - return errno; - if (db->close(db) < 0) - return errno; - - /* only create the lock file if we successfully created the db */ - lf = THREEPARAMOPEN(lockfilename, O_RDWR | O_CREAT | O_EXCL, 0600); - if (lf == -1) - return errno; - (void) close(lf); - - return OSA_ADB_OK; + int lf; + DB *db; + BTREEINFO btinfo; + + memset(&btinfo, 0, sizeof(btinfo)); + btinfo.flags = 0; + btinfo.cachesize = 0; + btinfo.psize = 4096; + btinfo.lorder = 0; + btinfo.minkeypage = 0; + btinfo.compare = NULL; + btinfo.prefix = NULL; + db = dbopen(filename, O_RDWR | O_CREAT | O_EXCL, 0600, DB_BTREE, &btinfo); + if (db == NULL) + return errno; + if (db->close(db) < 0) + return errno; + + /* only create the lock file if we successfully created the db */ + lf = THREEPARAMOPEN(lockfilename, O_RDWR | O_CREAT | O_EXCL, 0600); + if (lf == -1) + return errno; + (void) close(lf); + + return OSA_ADB_OK; } -krb5_error_code osa_adb_destroy_db(char *filename, char *lockfilename, - int magic) +krb5_error_code +osa_adb_destroy_db(char *filename, char *lockfilename, int magic) { - /* the admin databases do not contain security-critical data */ - if (unlink(filename) < 0 || - unlink(lockfilename) < 0) - return errno; - return OSA_ADB_OK; + /* the admin databases do not contain security-critical data */ + if (unlink(filename) < 0 || + unlink(lockfilename) < 0) + return errno; + return OSA_ADB_OK; } -krb5_error_code osa_adb_rename_db(char *filefrom, char *lockfrom, - char *fileto, char *lockto, int magic) +krb5_error_code +osa_adb_rename_db(char *filefrom, char *lockfrom, char *fileto, char *lockto, + int magic) { - osa_adb_db_t fromdb, todb; - krb5_error_code ret; - - /* make sure todb exists */ - if ((ret = osa_adb_create_db(fileto, lockto, magic)) && - ret != EEXIST) - return ret; - - if ((ret = osa_adb_init_db(&fromdb, filefrom, lockfrom, magic))) - return ret; - if ((ret = osa_adb_init_db(&todb, fileto, lockto, magic))) { - (void) osa_adb_fini_db(fromdb, magic); - return ret; - } - if ((ret = osa_adb_get_lock(fromdb, KRB5_DB_LOCKMODE_PERMANENT))) { - (void) osa_adb_fini_db(fromdb, magic); - (void) osa_adb_fini_db(todb, magic); - return ret; - } - if ((ret = osa_adb_get_lock(todb, KRB5_DB_LOCKMODE_PERMANENT))) { - (void) osa_adb_fini_db(fromdb, magic); - (void) osa_adb_fini_db(todb, magic); - return ret; - } - if ((rename(filefrom, fileto) < 0)) { - (void) osa_adb_fini_db(fromdb, magic); - (void) osa_adb_fini_db(todb, magic); - return errno; - } - /* - * Do not release the lock on fromdb because it is being renamed - * out of existence; no one can ever use it again. - */ - if ((ret = osa_adb_release_lock(todb))) { - (void) osa_adb_fini_db(fromdb, magic); - (void) osa_adb_fini_db(todb, magic); - return ret; - } - - (void) osa_adb_fini_db(fromdb, magic); - (void) osa_adb_fini_db(todb, magic); - return 0; + osa_adb_db_t fromdb, todb; + krb5_error_code ret; + + /* make sure todb exists */ + if ((ret = osa_adb_create_db(fileto, lockto, magic)) && + ret != EEXIST) + return ret; + + if ((ret = osa_adb_init_db(&fromdb, filefrom, lockfrom, magic))) + return ret; + if ((ret = osa_adb_init_db(&todb, fileto, lockto, magic))) { + (void) osa_adb_fini_db(fromdb, magic); + return ret; + } + if ((ret = osa_adb_get_lock(fromdb, KRB5_DB_LOCKMODE_PERMANENT))) { + (void) osa_adb_fini_db(fromdb, magic); + (void) osa_adb_fini_db(todb, magic); + return ret; + } + if ((ret = osa_adb_get_lock(todb, KRB5_DB_LOCKMODE_PERMANENT))) { + (void) osa_adb_fini_db(fromdb, magic); + (void) osa_adb_fini_db(todb, magic); + return ret; + } + if ((rename(filefrom, fileto) < 0)) { + (void) osa_adb_fini_db(fromdb, magic); + (void) osa_adb_fini_db(todb, magic); + return errno; + } + /* + * Do not release the lock on fromdb because it is being renamed + * out of existence; no one can ever use it again. + */ + if ((ret = osa_adb_release_lock(todb))) { + (void) osa_adb_fini_db(fromdb, magic); + (void) osa_adb_fini_db(todb, magic); + return ret; + } + + (void) osa_adb_fini_db(fromdb, magic); + (void) osa_adb_fini_db(todb, magic); + return 0; } -krb5_error_code osa_adb_init_db(osa_adb_db_t *dbp, char *filename, - char *lockfilename, int magic) +krb5_error_code +osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, + int magic) { - osa_adb_db_t db; - static struct _locklist *locklist = NULL; - struct _locklist *lockp; - krb5_error_code code; - - if (dbp == NULL || filename == NULL) - return EINVAL; - - db = (osa_adb_princ_t) malloc(sizeof(osa_adb_db_ent)); - if (db == NULL) - return ENOMEM; - - memset(db, 0, sizeof(*db)); - db->info.hash = NULL; - db->info.bsize = 256; - db->info.ffactor = 8; - db->info.nelem = 25000; - db->info.lorder = 0; - - db->btinfo.flags = 0; - db->btinfo.cachesize = 0; - db->btinfo.psize = 4096; - db->btinfo.lorder = 0; - db->btinfo.minkeypage = 0; - db->btinfo.compare = NULL; - db->btinfo.prefix = NULL; - /* - * A process is allowed to open the same database multiple times - * and access it via different handles. If the handles use - * distinct lockinfo structures, things get confused: lock(A), - * lock(B), release(B) will result in the kernel unlocking the - * lock file but handle A will still think the file is locked. - * Therefore, all handles using the same lock file must share a - * single lockinfo structure. - * - * It is not sufficient to have a single lockinfo structure, - * however, because a single process may also wish to open - * multiple different databases simultaneously, with different - * lock files. This code used to use a single static lockinfo - * structure, which means that the second database opened used - * the first database's lock file. This was Bad. - * - * We now maintain a linked list of lockinfo structures, keyed by - * lockfilename. An entry is added when this function is called - * with a new lockfilename, and all subsequent calls with that - * lockfilename use the existing entry, updating the refcnt. - * When the database is closed with fini_db(), the refcnt is - * decremented, and when it is zero the lockinfo structure is - * freed and reset. The entry in the linked list, however, is - * never removed; it will just be reinitialized the next time - * init_db is called with the right lockfilename. - */ - - /* find or create the lockinfo structure for lockfilename */ - lockp = locklist; - while (lockp) { - if (strcmp(lockp->lockinfo.filename, lockfilename) == 0) - break; - else - lockp = lockp->next; - } - if (lockp == NULL) { - /* doesn't exist, create it, add to list */ - lockp = (struct _locklist *) malloc(sizeof(*lockp)); - if (lockp == NULL) { - free(db); - return ENOMEM; - } - memset(lockp, 0, sizeof(*lockp)); - lockp->next = locklist; - locklist = lockp; - } - - /* now initialize lockp->lockinfo if necessary */ - if (lockp->lockinfo.lockfile == NULL) { - if ((code = krb5int_init_context_kdc(&lockp->lockinfo.context))) { - free(db); - return((krb5_error_code) code); - } - - /* - * needs be open read/write so that write locking can work with - * POSIX systems - */ - lockp->lockinfo.filename = strdup(lockfilename); - if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { - /* - * maybe someone took away write permission so we could only - * get shared locks? - */ - if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r")) - == NULL) { - free(db); - return OSA_ADB_NOLOCKFILE; - } - } - set_cloexec_file(lockp->lockinfo.lockfile); - lockp->lockinfo.lockmode = lockp->lockinfo.lockcnt = 0; - } - - /* lockp is set, lockinfo is initialized, update the reference count */ - db->lock = &lockp->lockinfo; - db->lock->refcnt++; - - db->opencnt = 0; - db->filename = strdup(filename); - db->magic = magic; - - *dbp = db; - - return OSA_ADB_OK; + osa_adb_db_t db; + static struct _locklist *locklist = NULL; + struct _locklist *lockp; + krb5_error_code code; + + if (dbp == NULL || filename == NULL) + return EINVAL; + + db = (osa_adb_princ_t) malloc(sizeof(osa_adb_db_ent)); + if (db == NULL) + return ENOMEM; + + memset(db, 0, sizeof(*db)); + db->info.hash = NULL; + db->info.bsize = 256; + db->info.ffactor = 8; + db->info.nelem = 25000; + db->info.lorder = 0; + + db->btinfo.flags = 0; + db->btinfo.cachesize = 0; + db->btinfo.psize = 4096; + db->btinfo.lorder = 0; + db->btinfo.minkeypage = 0; + db->btinfo.compare = NULL; + db->btinfo.prefix = NULL; + /* + * A process is allowed to open the same database multiple times + * and access it via different handles. If the handles use + * distinct lockinfo structures, things get confused: lock(A), + * lock(B), release(B) will result in the kernel unlocking the + * lock file but handle A will still think the file is locked. + * Therefore, all handles using the same lock file must share a + * single lockinfo structure. + * + * It is not sufficient to have a single lockinfo structure, + * however, because a single process may also wish to open + * multiple different databases simultaneously, with different + * lock files. This code used to use a single static lockinfo + * structure, which means that the second database opened used + * the first database's lock file. This was Bad. + * + * We now maintain a linked list of lockinfo structures, keyed by + * lockfilename. An entry is added when this function is called + * with a new lockfilename, and all subsequent calls with that + * lockfilename use the existing entry, updating the refcnt. + * When the database is closed with fini_db(), the refcnt is + * decremented, and when it is zero the lockinfo structure is + * freed and reset. The entry in the linked list, however, is + * never removed; it will just be reinitialized the next time + * init_db is called with the right lockfilename. + */ + + /* find or create the lockinfo structure for lockfilename */ + lockp = locklist; + while (lockp) { + if (strcmp(lockp->lockinfo.filename, lockfilename) == 0) + break; + else + lockp = lockp->next; + } + if (lockp == NULL) { + /* doesn't exist, create it, add to list */ + lockp = (struct _locklist *) malloc(sizeof(*lockp)); + if (lockp == NULL) { + free(db); + return ENOMEM; + } + memset(lockp, 0, sizeof(*lockp)); + lockp->next = locklist; + locklist = lockp; + } + + /* now initialize lockp->lockinfo if necessary */ + if (lockp->lockinfo.lockfile == NULL) { + if ((code = krb5int_init_context_kdc(&lockp->lockinfo.context))) { + free(db); + return((krb5_error_code) code); + } + + /* + * needs be open read/write so that write locking can work with + * POSIX systems + */ + lockp->lockinfo.filename = strdup(lockfilename); + if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { + /* + * maybe someone took away write permission so we could only + * get shared locks? + */ + if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r")) + == NULL) { + free(db); + return OSA_ADB_NOLOCKFILE; + } + } + set_cloexec_file(lockp->lockinfo.lockfile); + lockp->lockinfo.lockmode = lockp->lockinfo.lockcnt = 0; + } + + /* lockp is set, lockinfo is initialized, update the reference count */ + db->lock = &lockp->lockinfo; + db->lock->refcnt++; + + db->opencnt = 0; + db->filename = strdup(filename); + db->magic = magic; + + *dbp = db; + + return OSA_ADB_OK; } -krb5_error_code osa_adb_fini_db(osa_adb_db_t db, int magic) +krb5_error_code +osa_adb_fini_db(osa_adb_db_t db, int magic) { - if (db->magic != magic) - return EINVAL; - if (db->lock->refcnt == 0) { - /* barry says this can't happen */ - return OSA_ADB_FAILURE; - } else { - db->lock->refcnt--; - } - - if (db->lock->refcnt == 0) { - /* - * Don't free db->lock->filename, it is used as a key to - * find the lockinfo entry in the linked list. If the - * lockfile doesn't exist, we must be closing the database - * after trashing it. This has to be allowed, so don't - * generate an error. - */ - if (db->lock->lockmode != KRB5_DB_LOCKMODE_PERMANENT) - (void) fclose(db->lock->lockfile); - db->lock->lockfile = NULL; - krb5_free_context(db->lock->context); - } - - db->magic = 0; - free(db->filename); - free(db); - return OSA_ADB_OK; + if (db->magic != magic) + return EINVAL; + if (db->lock->refcnt == 0) { + /* barry says this can't happen */ + return OSA_ADB_FAILURE; + } else { + db->lock->refcnt--; + } + + if (db->lock->refcnt == 0) { + /* + * Don't free db->lock->filename, it is used as a key to + * find the lockinfo entry in the linked list. If the + * lockfile doesn't exist, we must be closing the database + * after trashing it. This has to be allowed, so don't + * generate an error. + */ + if (db->lock->lockmode != KRB5_DB_LOCKMODE_PERMANENT) + (void) fclose(db->lock->lockfile); + db->lock->lockfile = NULL; + krb5_free_context(db->lock->context); + } + + db->magic = 0; + free(db->filename); + free(db); + return OSA_ADB_OK; } -krb5_error_code osa_adb_get_lock(osa_adb_db_t db, int mode) +krb5_error_code +osa_adb_get_lock(osa_adb_db_t db, int mode) { - int tries, gotlock, perm, krb5_mode, ret = 0; - - if (db->lock->lockmode >= mode) { - /* No need to upgrade lock, just incr refcnt and return */ - db->lock->lockcnt++; - return(OSA_ADB_OK); - } - - perm = 0; - switch (mode) { - case KRB5_DB_LOCKMODE_PERMANENT: - perm = 1; - case KRB5_DB_LOCKMODE_EXCLUSIVE: - krb5_mode = KRB5_LOCKMODE_EXCLUSIVE; - break; - case KRB5_DB_LOCKMODE_SHARED: - krb5_mode = KRB5_LOCKMODE_SHARED; - break; - default: - return(EINVAL); - } - - for (gotlock = tries = 0; tries < MAX_LOCK_TRIES; tries++) { - if ((ret = krb5_lock_file(db->lock->context, - fileno(db->lock->lockfile), - krb5_mode|KRB5_LOCKMODE_DONTBLOCK)) == 0) { - gotlock++; - break; - } else if (ret == EBADF && mode == KRB5_DB_LOCKMODE_EXCLUSIVE) - /* tried to exclusive-lock something we don't have */ - /* write access to */ - return OSA_ADB_NOEXCL_PERM; - - sleep(1); - } - - /* test for all the likely "can't get lock" error codes */ - if (ret == EACCES || ret == EAGAIN || ret == EWOULDBLOCK) - return OSA_ADB_CANTLOCK_DB; - else if (ret != 0) - return ret; - - /* - * If the file no longer exists, someone acquired a permanent - * lock. If that process terminates its exclusive lock is lost, - * but if we already had the file open we can (probably) lock it - * even though it has been unlinked. So we need to insist that - * it exist. - */ - if (access(db->lock->filename, F_OK) < 0) { - (void) krb5_lock_file(db->lock->context, - fileno(db->lock->lockfile), - KRB5_LOCKMODE_UNLOCK); - return OSA_ADB_NOLOCKFILE; - } - - /* we have the shared/exclusive lock */ - - if (perm) { - if (unlink(db->lock->filename) < 0) { - /* somehow we can't delete the file, but we already */ - /* have the lock, so release it and return */ - - ret = errno; - (void) krb5_lock_file(db->lock->context, - fileno(db->lock->lockfile), - KRB5_LOCKMODE_UNLOCK); - - /* maybe we should return CANTLOCK_DB.. but that would */ - /* look just like the db was already locked */ - return ret; - } - - /* this releases our exclusive lock.. which is okay because */ - /* now no one else can get one either */ - (void) fclose(db->lock->lockfile); - } - - db->lock->lockmode = mode; - db->lock->lockcnt++; - return OSA_ADB_OK; + int tries, gotlock, perm, krb5_mode, ret = 0; + + if (db->lock->lockmode >= mode) { + /* No need to upgrade lock, just incr refcnt and return */ + db->lock->lockcnt++; + return(OSA_ADB_OK); + } + + perm = 0; + switch (mode) { + case KRB5_DB_LOCKMODE_PERMANENT: + perm = 1; + case KRB5_DB_LOCKMODE_EXCLUSIVE: + krb5_mode = KRB5_LOCKMODE_EXCLUSIVE; + break; + case KRB5_DB_LOCKMODE_SHARED: + krb5_mode = KRB5_LOCKMODE_SHARED; + break; + default: + return(EINVAL); + } + + for (gotlock = tries = 0; tries < MAX_LOCK_TRIES; tries++) { + if ((ret = krb5_lock_file(db->lock->context, + fileno(db->lock->lockfile), + krb5_mode|KRB5_LOCKMODE_DONTBLOCK)) == 0) { + gotlock++; + break; + } else if (ret == EBADF && mode == KRB5_DB_LOCKMODE_EXCLUSIVE) + /* tried to exclusive-lock something we don't have */ + /* write access to */ + return OSA_ADB_NOEXCL_PERM; + + sleep(1); + } + + /* test for all the likely "can't get lock" error codes */ + if (ret == EACCES || ret == EAGAIN || ret == EWOULDBLOCK) + return OSA_ADB_CANTLOCK_DB; + else if (ret != 0) + return ret; + + /* + * If the file no longer exists, someone acquired a permanent + * lock. If that process terminates its exclusive lock is lost, + * but if we already had the file open we can (probably) lock it + * even though it has been unlinked. So we need to insist that + * it exist. + */ + if (access(db->lock->filename, F_OK) < 0) { + (void) krb5_lock_file(db->lock->context, + fileno(db->lock->lockfile), + KRB5_LOCKMODE_UNLOCK); + return OSA_ADB_NOLOCKFILE; + } + + /* we have the shared/exclusive lock */ + + if (perm) { + if (unlink(db->lock->filename) < 0) { + /* somehow we can't delete the file, but we already */ + /* have the lock, so release it and return */ + + ret = errno; + (void) krb5_lock_file(db->lock->context, + fileno(db->lock->lockfile), + KRB5_LOCKMODE_UNLOCK); + + /* maybe we should return CANTLOCK_DB.. but that would */ + /* look just like the db was already locked */ + return ret; + } + + /* this releases our exclusive lock.. which is okay because */ + /* now no one else can get one either */ + (void) fclose(db->lock->lockfile); + } + + db->lock->lockmode = mode; + db->lock->lockcnt++; + return OSA_ADB_OK; } -krb5_error_code osa_adb_release_lock(osa_adb_db_t db) +krb5_error_code +osa_adb_release_lock(osa_adb_db_t db) { - int ret, fd; - - if (!db->lock->lockcnt) /* lock already unlocked */ - return OSA_ADB_NOTLOCKED; - - if (--db->lock->lockcnt == 0) { - if (db->lock->lockmode == KRB5_DB_LOCKMODE_PERMANENT) { - /* now we need to create the file since it does not exist */ - fd = THREEPARAMOPEN(db->lock->filename,O_RDWR | O_CREAT | O_EXCL, - 0600); - if (fd < 0) - return OSA_ADB_NOLOCKFILE; - set_cloexec_fd(fd); - if ((db->lock->lockfile = fdopen(fd, "w+")) == NULL) - return OSA_ADB_NOLOCKFILE; - } else if ((ret = krb5_lock_file(db->lock->context, - fileno(db->lock->lockfile), - KRB5_LOCKMODE_UNLOCK))) - return ret; - - db->lock->lockmode = 0; - } - return OSA_ADB_OK; + int ret, fd; + + if (!db->lock->lockcnt) /* lock already unlocked */ + return OSA_ADB_NOTLOCKED; + + if (--db->lock->lockcnt == 0) { + if (db->lock->lockmode == KRB5_DB_LOCKMODE_PERMANENT) { + /* now we need to create the file since it does not exist */ + fd = THREEPARAMOPEN(db->lock->filename,O_RDWR | O_CREAT | O_EXCL, + 0600); + if (fd < 0) + return OSA_ADB_NOLOCKFILE; + set_cloexec_fd(fd); + if ((db->lock->lockfile = fdopen(fd, "w+")) == NULL) + return OSA_ADB_NOLOCKFILE; + } else if ((ret = krb5_lock_file(db->lock->context, + fileno(db->lock->lockfile), + KRB5_LOCKMODE_UNLOCK))) + return ret; + + db->lock->lockmode = 0; + } + return OSA_ADB_OK; } -krb5_error_code osa_adb_open_and_lock(osa_adb_princ_t db, int locktype) +krb5_error_code +osa_adb_open_and_lock(osa_adb_princ_t db, int locktype) { - int ret; - - ret = osa_adb_get_lock(db, locktype); - if (ret != OSA_ADB_OK) - return ret; - if (db->opencnt) - goto open_ok; - - db->db = dbopen(db->filename, O_RDWR, 0600, DB_BTREE, &db->btinfo); - if (db->db != NULL) - goto open_ok; - switch (errno) { + int ret; + + ret = osa_adb_get_lock(db, locktype); + if (ret != OSA_ADB_OK) + return ret; + if (db->opencnt) + goto open_ok; + + db->db = dbopen(db->filename, O_RDWR, 0600, DB_BTREE, &db->btinfo); + if (db->db != NULL) + goto open_ok; + switch (errno) { #ifdef EFTYPE - case EFTYPE: + case EFTYPE: #endif - case EINVAL: - db->db = dbopen(db->filename, O_RDWR, 0600, DB_HASH, &db->info); - if (db->db != NULL) - goto open_ok; - default: - (void) osa_adb_release_lock(db); - if (errno == EINVAL) - return OSA_ADB_BAD_DB; - return errno; - } + case EINVAL: + db->db = dbopen(db->filename, O_RDWR, 0600, DB_HASH, &db->info); + if (db->db != NULL) + goto open_ok; + default: + (void) osa_adb_release_lock(db); + if (errno == EINVAL) + return OSA_ADB_BAD_DB; + return errno; + } open_ok: - db->opencnt++; - return OSA_ADB_OK; + db->opencnt++; + return OSA_ADB_OK; } -krb5_error_code osa_adb_close_and_unlock(osa_adb_princ_t db) +krb5_error_code +osa_adb_close_and_unlock(osa_adb_princ_t db) { - if (--db->opencnt) - return osa_adb_release_lock(db); - if(db->db != NULL && db->db->close(db->db) == -1) { - (void) osa_adb_release_lock(db); - return OSA_ADB_FAILURE; - } + if (--db->opencnt) + return osa_adb_release_lock(db); + if(db->db != NULL && db->db->close(db->db) == -1) { + (void) osa_adb_release_lock(db); + return OSA_ADB_FAILURE; + } - db->db = NULL; + db->db = NULL; - return(osa_adb_release_lock(db)); + return(osa_adb_release_lock(db)); } diff --git a/src/plugins/kdb/db2/adb_policy.c b/src/plugins/kdb/db2/adb_policy.c index d585c0852..2b6c1214f 100644 --- a/src/plugins/kdb/db2/adb_policy.c +++ b/src/plugins/kdb/db2/adb_policy.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -8,30 +9,30 @@ static char *rcsid = "$Header$"; #endif -#include -#include -#include "policy_db.h" -#include -#include +#include +#include +#include "policy_db.h" +#include +#include #include -#define OPENLOCK(db, mode) \ -{ \ - int olret; \ - if (db == NULL) \ - return EINVAL; \ - else if (db->magic != OSA_ADB_POLICY_DB_MAGIC) \ - return OSA_ADB_DBINIT; \ - else if ((olret = osa_adb_open_and_lock(db, mode)) != OSA_ADB_OK) \ - return olret; \ - } - -#define CLOSELOCK(db) \ -{ \ - int cl_ret; \ - if ((cl_ret = osa_adb_close_and_unlock(db)) != OSA_ADB_OK) \ - return cl_ret; \ -} +#define OPENLOCK(db, mode) \ + { \ + int olret; \ + if (db == NULL) \ + return EINVAL; \ + else if (db->magic != OSA_ADB_POLICY_DB_MAGIC) \ + return OSA_ADB_DBINIT; \ + else if ((olret = osa_adb_open_and_lock(db, mode)) != OSA_ADB_OK) \ + return olret; \ + } + +#define CLOSELOCK(db) \ + { \ + int cl_ret; \ + if ((cl_ret = osa_adb_close_and_unlock(db)) != OSA_ADB_OK) \ + return cl_ret; \ + } /* @@ -40,66 +41,66 @@ static char *rcsid = "$Header$"; * Purpose: create a policy entry in the policy db. * * Arguments: - * entry (input) pointer to the entry to be added - * OSA_ADB_OK on success, else error code. + * entry (input) pointer to the entry to be added + * OSA_ADB_OK on success, else error code. * * Requires: - * entry have a valid name. + * entry have a valid name. * * Effects: - * creates the entry in the db + * creates the entry in the db * * Modifies: - * the policy db. + * the policy db. * */ krb5_error_code osa_adb_create_policy(osa_adb_policy_t db, osa_policy_ent_t entry) { - DBT dbkey; - DBT dbdata; - XDR xdrs; - int ret; + DBT dbkey; + DBT dbdata; + XDR xdrs; + int ret; OPENLOCK(db, KRB5_DB_LOCKMODE_EXCLUSIVE); if(entry->name == NULL) { - ret = EINVAL; - goto error; + ret = EINVAL; + goto error; } dbkey.data = entry->name; dbkey.size = (strlen(entry->name) + 1); switch(db->db->get(db->db, &dbkey, &dbdata, 0)) { case 0: - ret = OSA_ADB_DUP; - goto error; + ret = OSA_ADB_DUP; + goto error; case 1: - break; + break; default: - ret = errno; - goto error; + ret = errno; + goto error; } xdralloc_create(&xdrs, XDR_ENCODE); if(!xdr_osa_policy_ent_rec(&xdrs, entry)) { - xdr_destroy(&xdrs); - ret = OSA_ADB_XDR_FAILURE; - goto error; + xdr_destroy(&xdrs); + ret = OSA_ADB_XDR_FAILURE; + goto error; } dbdata.data = xdralloc_getdata(&xdrs); dbdata.size = xdr_getpos(&xdrs); switch(db->db->put(db->db, &dbkey, &dbdata, R_NOOVERWRITE)) { case 0: - if((db->db->sync(db->db, 0)) == -1) - ret = OSA_ADB_FAILURE; - ret = OSA_ADB_OK; - break; + if((db->db->sync(db->db, 0)) == -1) + ret = OSA_ADB_FAILURE; + ret = OSA_ADB_OK; + break; case 1: - ret = OSA_ADB_DUP; - break; + ret = OSA_ADB_DUP; + break; default: - ret = OSA_ADB_FAILURE; - break; + ret = OSA_ADB_FAILURE; + break; } xdr_destroy(&xdrs); @@ -114,31 +115,31 @@ error: * Purpose: destroy a policy entry * * Arguments: - * db (input) database handle - * name (input) name of policy - * OSA_ADB_OK on success, or error code. + * db (input) database handle + * name (input) name of policy + * OSA_ADB_OK on success, or error code. * * Requires: - * db being valid. - * name being non-null. + * db being valid. + * name being non-null. * Effects: - * deletes policy from db. + * deletes policy from db. * * Modifies: - * policy db. + * policy db. * */ krb5_error_code osa_adb_destroy_policy(osa_adb_policy_t db, char *name) { - DBT dbkey; - int status, ret; + DBT dbkey; + int status, ret; OPENLOCK(db, KRB5_DB_LOCKMODE_EXCLUSIVE); if(name == NULL) { - ret = EINVAL; - goto error; + ret = EINVAL; + goto error; } dbkey.data = name; dbkey.size = (strlen(name) + 1); @@ -146,18 +147,18 @@ osa_adb_destroy_policy(osa_adb_policy_t db, char *name) status = db->db->del(db->db, &dbkey, 0); switch(status) { case 1: - ret = OSA_ADB_NOENT; - goto error; + ret = OSA_ADB_NOENT; + goto error; case 0: - if ((db->db->sync(db->db, 0)) == -1) { - ret = OSA_ADB_FAILURE; - goto error; - } - ret = OSA_ADB_OK; - break; + if ((db->db->sync(db->db, 0)) == -1) { + ret = OSA_ADB_FAILURE; + goto error; + } + ret = OSA_ADB_OK; + break; default: - ret = OSA_ADB_FAILURE; - goto error; + ret = OSA_ADB_FAILURE; + goto error; } error: @@ -171,11 +172,11 @@ error: * Purpose: retrieve policy * * Arguments: - * db (input) db handle - * name (input) name of policy - * entry (output) policy entry + * db (input) db handle + * name (input) name of policy + * entry (output) policy entry * cnt (inout) Number of entries - * 0 on success, error code on failure. + * 0 on success, error code on failure. * * Requires: * Effects: @@ -183,21 +184,21 @@ error: */ krb5_error_code osa_adb_get_policy(osa_adb_policy_t db, char *name, - osa_policy_ent_t *entry, int *cnt) + osa_policy_ent_t *entry, int *cnt) { - DBT dbkey; - DBT dbdata; - XDR xdrs; - int ret; - char *aligned_data; + DBT dbkey; + DBT dbdata; + XDR xdrs; + int ret; + char *aligned_data; OPENLOCK(db, KRB5_DB_LOCKMODE_SHARED); *cnt = 1; if(name == NULL) { - ret = EINVAL; - goto error; + ret = EINVAL; + goto error; } dbkey.data = name; dbkey.size = (strlen(dbkey.data) + 1); @@ -205,28 +206,28 @@ osa_adb_get_policy(osa_adb_policy_t db, char *name, dbdata.size = 0; switch((db->db->get(db->db, &dbkey, &dbdata, 0))) { case 1: - ret = 0; - *cnt = 0; - goto error; + ret = 0; + *cnt = 0; + goto error; case 0: - break; + break; default: - ret = OSA_ADB_FAILURE; - goto error; + ret = OSA_ADB_FAILURE; + goto error; } if (!(*(entry) = (osa_policy_ent_t)malloc(sizeof(osa_policy_ent_rec)))) { - ret = ENOMEM; - goto error; + ret = ENOMEM; + goto error; } if (!(aligned_data = (char *) malloc(dbdata.size))) { - ret = ENOMEM; - goto error; + ret = ENOMEM; + goto error; } memcpy(aligned_data, dbdata.data, dbdata.size); memset(*entry, 0, sizeof(osa_policy_ent_rec)); xdrmem_create(&xdrs, aligned_data, dbdata.size, XDR_DECODE); if (!xdr_osa_policy_ent_rec(&xdrs, *entry)) - ret = OSA_ADB_FAILURE; + ret = OSA_ADB_FAILURE; else ret = OSA_ADB_OK; xdr_destroy(&xdrs); free(aligned_data); @@ -242,64 +243,64 @@ error: * Purpose: update a policy in the dababase * * Arguments: - * db (input) db handle - * entry (input) policy entry - * 0 on success error code on failure. + * db (input) db handle + * entry (input) policy entry + * 0 on success error code on failure. * * Requires: - * [requires] + * [requires] * * Effects: - * [effects] + * [effects] * * Modifies: - * [modifies] + * [modifies] * */ krb5_error_code osa_adb_put_policy(osa_adb_policy_t db, osa_policy_ent_t entry) { - DBT dbkey; - DBT dbdata; - DBT tmpdb; - XDR xdrs; - int ret; + DBT dbkey; + DBT dbdata; + DBT tmpdb; + XDR xdrs; + int ret; OPENLOCK(db, KRB5_DB_LOCKMODE_EXCLUSIVE); if(entry->name == NULL) { - ret = EINVAL; - goto error; + ret = EINVAL; + goto error; } dbkey.data = entry->name; dbkey.size = (strlen(entry->name) + 1); switch(db->db->get(db->db, &dbkey, &tmpdb, 0)) { case 0: - break; + break; case 1: - ret = OSA_ADB_NOENT; - goto error; + ret = OSA_ADB_NOENT; + goto error; default: - ret = OSA_ADB_FAILURE; - goto error; + ret = OSA_ADB_FAILURE; + goto error; } xdralloc_create(&xdrs, XDR_ENCODE); if(!xdr_osa_policy_ent_rec(&xdrs, entry)) { - xdr_destroy(&xdrs); - ret = OSA_ADB_XDR_FAILURE; - goto error; + xdr_destroy(&xdrs); + ret = OSA_ADB_XDR_FAILURE; + goto error; } dbdata.data = xdralloc_getdata(&xdrs); dbdata.size = xdr_getpos(&xdrs); switch(db->db->put(db->db, &dbkey, &dbdata, 0)) { case 0: - if((db->db->sync(db->db, 0)) == -1) - ret = OSA_ADB_FAILURE; - ret = OSA_ADB_OK; - break; + if((db->db->sync(db->db, 0)) == -1) + ret = OSA_ADB_FAILURE; + ret = OSA_ADB_OK; + break; default: - ret = OSA_ADB_FAILURE; - break; + ret = OSA_ADB_FAILURE; + break; } xdr_destroy(&xdrs); @@ -314,10 +315,10 @@ error: * Purpose: iterate over the policy database. * * Arguments: - * db (input) db handle - * func (input) fucntion pointer to call - * data opaque data type - * 0 on success error code on failure + * db (input) db handle + * func (input) fucntion pointer to call + * data opaque data type + * 0 on success error code on failure * * Requires: * Effects: @@ -325,51 +326,51 @@ error: */ krb5_error_code osa_adb_iter_policy(osa_adb_policy_t db, osa_adb_iter_policy_func func, - void *data) + void *data) { - DBT dbkey, - dbdata; - XDR xdrs; - int ret; - osa_policy_ent_t entry; - char *aligned_data; + DBT dbkey, + dbdata; + XDR xdrs; + int ret; + osa_policy_ent_t entry; + char *aligned_data; OPENLOCK(db, KRB5_DB_LOCKMODE_EXCLUSIVE); /* hmmm */ if((ret = db->db->seq(db->db, &dbkey, &dbdata, R_FIRST)) == -1) { - ret = errno; - goto error; + ret = errno; + goto error; } while (ret == 0) { - if (!(entry = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec)))) { - ret = ENOMEM; - goto error; - } - - if(!(aligned_data = (char *) malloc(dbdata.size))) { - ret = ENOMEM; - goto error; - } - memcpy(aligned_data, dbdata.data, dbdata.size); - - memset(entry, 0, sizeof(osa_policy_ent_rec)); - xdrmem_create(&xdrs, aligned_data, dbdata.size, XDR_DECODE); - if(!xdr_osa_policy_ent_rec(&xdrs, entry)) { - xdr_destroy(&xdrs); - free(aligned_data); - osa_free_policy_ent(entry); - ret = OSA_ADB_FAILURE; - goto error; - } - (*func)(data, entry); - xdr_destroy(&xdrs); - free(aligned_data); - osa_free_policy_ent(entry); - ret = db->db->seq(db->db, &dbkey, &dbdata, R_NEXT); + if (!(entry = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec)))) { + ret = ENOMEM; + goto error; + } + + if(!(aligned_data = (char *) malloc(dbdata.size))) { + ret = ENOMEM; + goto error; + } + memcpy(aligned_data, dbdata.data, dbdata.size); + + memset(entry, 0, sizeof(osa_policy_ent_rec)); + xdrmem_create(&xdrs, aligned_data, dbdata.size, XDR_DECODE); + if(!xdr_osa_policy_ent_rec(&xdrs, entry)) { + xdr_destroy(&xdrs); + free(aligned_data); + osa_free_policy_ent(entry); + ret = OSA_ADB_FAILURE; + goto error; + } + (*func)(data, entry); + xdr_destroy(&xdrs); + free(aligned_data); + osa_free_policy_ent(entry); + ret = db->db->seq(db->db, &dbkey, &dbdata, R_NEXT); } if(ret == -1) - ret = errno; + ret = errno; else ret = OSA_ADB_OK; error: @@ -380,11 +381,11 @@ error: void osa_free_policy_ent(osa_policy_ent_t val) { - XDR xdrs; + XDR xdrs; - xdrmem_create(&xdrs, NULL, 0, XDR_FREE); + xdrmem_create(&xdrs, NULL, 0, XDR_FREE); - xdr_osa_policy_ent_rec(&xdrs, val); + xdr_osa_policy_ent_rec(&xdrs, val); - free(val); + free(val); } diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c index 356f6dfca..f96c1a4dd 100644 --- a/src/plugins/kdb/db2/db2_exp.c +++ b/src/plugins/kdb/db2/db2_exp.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright 2006 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -23,14 +24,14 @@ */ /********************************************************************** -* -* C %name: db2_exp.c % -* Instance: idc_sec_2 -* Description: -* %created_by: spradeep % -* %date_created: Tue Apr 5 11:44:00 2005 % -* -**********************************************************************/ + * + * C %name: db2_exp.c % + * Instance: idc_sec_2 + * Description: + * %created_by: spradeep % + * %date_created: Tue Apr 5 11:44:00 2005 % + * + **********************************************************************/ #ifndef lint static char *_csrc = "@(#) %filespec: db2_exp.c~5 % (%full_filespec: db2_exp.c~5:csrc:idc_sec#2 %)"; #endif @@ -61,148 +62,148 @@ static char *_csrc = "@(#) %filespec: db2_exp.c~5 % (%full_filespec: db2_exp.c~ k5_mutex_t *krb5_db2_mutex; -#define WRAP(NAME,TYPE,ARGLIST,ARGNAMES,ERROR_RESULT) \ - static TYPE wrap_##NAME ARGLIST \ - { \ - TYPE result; \ - int code = k5_mutex_lock (krb5_db2_mutex); \ - if (code) { return ERROR_RESULT; } \ - result = NAME ARGNAMES; \ - k5_mutex_unlock (krb5_db2_mutex); \ - return result; \ - } \ - /* hack: decl to allow a following ";" */ \ - static TYPE wrap_##NAME () +#define WRAP(NAME,TYPE,ARGLIST,ARGNAMES,ERROR_RESULT) \ + static TYPE wrap_##NAME ARGLIST \ + { \ + TYPE result; \ + int code = k5_mutex_lock (krb5_db2_mutex); \ + if (code) { return ERROR_RESULT; } \ + result = NAME ARGNAMES; \ + k5_mutex_unlock (krb5_db2_mutex); \ + return result; \ + } \ + /* hack: decl to allow a following ";" */ \ + static TYPE wrap_##NAME () /* Two special cases: void (can't assign result), and krb5_error_code (return error from locking code). */ -#define WRAP_VOID(NAME,ARGLIST,ARGNAMES) \ - static void wrap_##NAME ARGLIST \ - { \ - int code = k5_mutex_lock (krb5_db2_mutex); \ - if (code) { return; } \ - NAME ARGNAMES; \ - k5_mutex_unlock (krb5_db2_mutex); \ - } \ - /* hack: decl to allow a following ";" */ \ - static void wrap_##NAME () +#define WRAP_VOID(NAME,ARGLIST,ARGNAMES) \ + static void wrap_##NAME ARGLIST \ + { \ + int code = k5_mutex_lock (krb5_db2_mutex); \ + if (code) { return; } \ + NAME ARGNAMES; \ + k5_mutex_unlock (krb5_db2_mutex); \ + } \ + /* hack: decl to allow a following ";" */ \ + static void wrap_##NAME () -#define WRAP_K(NAME,ARGLIST,ARGNAMES) \ - WRAP(NAME,krb5_error_code,ARGLIST,ARGNAMES,code) +#define WRAP_K(NAME,ARGLIST,ARGNAMES) \ + WRAP(NAME,krb5_error_code,ARGLIST,ARGNAMES,code) WRAP_K (krb5_db2_open, - ( krb5_context kcontext, - char *conf_section, - char **db_args, - int mode ), - (kcontext, conf_section, db_args, mode)); + ( krb5_context kcontext, + char *conf_section, + char **db_args, + int mode ), + (kcontext, conf_section, db_args, mode)); WRAP_K (krb5_db2_db_fini, (krb5_context ctx), (ctx)); WRAP_K (krb5_db2_create, - ( krb5_context kcontext, char *conf_section, char **db_args ), - (kcontext, conf_section, db_args)); + ( krb5_context kcontext, char *conf_section, char **db_args ), + (kcontext, conf_section, db_args)); WRAP_K (krb5_db2_destroy, - ( krb5_context kcontext, char *conf_section, char **db_args ), - (kcontext, conf_section, db_args)); + ( krb5_context kcontext, char *conf_section, char **db_args ), + (kcontext, conf_section, db_args)); WRAP_K (krb5_db2_db_get_age, - (krb5_context ctx, - char *s, - time_t *t), - (ctx, s, t)); + (krb5_context ctx, + char *s, + time_t *t), + (ctx, s, t)); WRAP_K (krb5_db2_db_set_option, - ( krb5_context kcontext, - int option, - void *value ), - (kcontext, option, value)); + ( krb5_context kcontext, + int option, + void *value ), + (kcontext, option, value)); WRAP_K (krb5_db2_db_lock, - ( krb5_context context, - int in_mode), - (context, in_mode)); + ( krb5_context context, + int in_mode), + (context, in_mode)); WRAP_K (krb5_db2_db_unlock, (krb5_context ctx), (ctx)); WRAP_K (krb5_db2_db_get_principal, - (krb5_context ctx, - krb5_const_principal p, - unsigned int flags, - krb5_db_entry *d, - int * i, - krb5_boolean *b), - (ctx, p, d, i, b)); + (krb5_context ctx, + krb5_const_principal p, + unsigned int flags, + krb5_db_entry *d, + int * i, + krb5_boolean *b), + (ctx, p, d, i, b)); WRAP_K (krb5_db2_db_free_principal, - (krb5_context ctx, - krb5_db_entry *d, - int i), - (ctx, d, i)); + (krb5_context ctx, + krb5_db_entry *d, + int i), + (ctx, d, i)); WRAP_K (krb5_db2_db_put_principal, - (krb5_context ctx, - krb5_db_entry *d, - int *i, - char **db_args), - (ctx, d, i, db_args)); + (krb5_context ctx, + krb5_db_entry *d, + int *i, + char **db_args), + (ctx, d, i, db_args)); WRAP_K (krb5_db2_db_delete_principal, - (krb5_context context, - krb5_const_principal searchfor, - int *nentries), - (context, searchfor, nentries)); + (krb5_context context, + krb5_const_principal searchfor, + int *nentries), + (context, searchfor, nentries)); WRAP_K (krb5_db2_db_iterate, - (krb5_context ctx, char *s, - krb5_error_code (*f) (krb5_pointer, - krb5_db_entry *), - krb5_pointer p), - (ctx, s, f, p)); + (krb5_context ctx, char *s, + krb5_error_code (*f) (krb5_pointer, + krb5_db_entry *), + krb5_pointer p), + (ctx, s, f, p)); WRAP_K (krb5_db2_create_policy, - (krb5_context context, osa_policy_ent_t entry), - (context, entry)); + (krb5_context context, osa_policy_ent_t entry), + (context, entry)); WRAP_K (krb5_db2_get_policy, - ( krb5_context kcontext, - char *name, - osa_policy_ent_t *policy, - int *cnt), - (kcontext, name, policy, cnt)); + ( krb5_context kcontext, + char *name, + osa_policy_ent_t *policy, + int *cnt), + (kcontext, name, policy, cnt)); WRAP_K (krb5_db2_put_policy, - ( krb5_context kcontext, osa_policy_ent_t policy ), - (kcontext, policy)); + ( krb5_context kcontext, osa_policy_ent_t policy ), + (kcontext, policy)); WRAP_K (krb5_db2_iter_policy, - ( krb5_context kcontext, - char *match_entry, - osa_adb_iter_policy_func func, - void *data ), - (kcontext, match_entry, func, data)); + ( krb5_context kcontext, + char *match_entry, + osa_adb_iter_policy_func func, + void *data ), + (kcontext, match_entry, func, data)); WRAP_K (krb5_db2_delete_policy, - ( krb5_context kcontext, char *policy ), - (kcontext, policy)); + ( krb5_context kcontext, char *policy ), + (kcontext, policy)); WRAP_VOID (krb5_db2_free_policy, - ( krb5_context kcontext, osa_policy_ent_t entry ), - (kcontext, entry)); + ( krb5_context kcontext, osa_policy_ent_t entry ), + (kcontext, entry)); WRAP_K (krb5_db2_set_master_key_ext, - ( krb5_context kcontext, char *pwd, krb5_keyblock *key), - (kcontext, pwd, key)); + ( krb5_context kcontext, char *pwd, krb5_keyblock *key), + (kcontext, pwd, key)); WRAP_K (krb5_db2_db_get_mkey, - ( krb5_context context, krb5_keyblock **key), - (context, key)); + ( krb5_context context, krb5_keyblock **key), + (context, key)); WRAP_K (krb5_db2_db_set_mkey_list, - ( krb5_context kcontext, krb5_keylist_node *keylist), - (kcontext, keylist)); + ( krb5_context kcontext, krb5_keylist_node *keylist), + (kcontext, keylist)); WRAP_K (krb5_db2_db_get_mkey_list, - ( krb5_context context, krb5_keylist_node **keylist), - (context, keylist)); + ( krb5_context context, krb5_keylist_node **keylist), + (context, keylist)); WRAP_K (krb5_db2_promote_db, - ( krb5_context kcontext, char *conf_section, char **db_args ), - (kcontext, conf_section, db_args)); + ( krb5_context kcontext, char *conf_section, char **db_args ), + (kcontext, conf_section, db_args)); WRAP_K (krb5_db2_invoke, - (krb5_context kcontext, - unsigned int method, - const krb5_data *request, - krb5_data *response), - (kcontext, method, request, response)); + (krb5_context kcontext, + unsigned int method, + const krb5_data *request, + krb5_data *response), + (kcontext, method, request, response)); static krb5_error_code hack_init () @@ -210,7 +211,7 @@ hack_init () krb5_error_code c; c = krb5int_mutex_alloc (&krb5_db2_mutex); if (c) - return c; + return c; return krb5_db2_lib_init (); } @@ -228,41 +229,41 @@ hack_cleanup (void) */ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_db2, kdb_function_table) = { - 1, /* major version number 1 */ - 0, /* minor version number 0 */ - /* init_library */ hack_init, - /* fini_library */ hack_cleanup, - /* init_module */ wrap_krb5_db2_open, - /* fini_module */ wrap_krb5_db2_db_fini, - /* db_create */ wrap_krb5_db2_create, - /* db_destroy */ wrap_krb5_db2_destroy, - /* db_get_age */ wrap_krb5_db2_db_get_age, - /* db_set_option */ wrap_krb5_db2_db_set_option, - /* db_lock */ wrap_krb5_db2_db_lock, - /* db_unlock */ wrap_krb5_db2_db_unlock, - /* db_get_principal */ wrap_krb5_db2_db_get_principal, - /* db_free_principal */ wrap_krb5_db2_db_free_principal, - /* db_put_principal */ wrap_krb5_db2_db_put_principal, - /* db_delete_principal */ wrap_krb5_db2_db_delete_principal, - /* db_iterate */ wrap_krb5_db2_db_iterate, - /* db_create_policy */ wrap_krb5_db2_create_policy, - /* db_get_policy */ wrap_krb5_db2_get_policy, - /* db_put_policy */ wrap_krb5_db2_put_policy, - /* db_iter_policy */ wrap_krb5_db2_iter_policy, - /* db_delete_policy */ wrap_krb5_db2_delete_policy, - /* db_free_policy */ wrap_krb5_db2_free_policy, - /* db_supported_realms */ NULL, - /* db_free_supported_realms */ NULL, - /* errcode_2_string */ NULL, - /* release_errcode_string */ NULL, - /* db_alloc */ krb5_db2_alloc, - /* db_free */ krb5_db2_free, - /* set_master_key */ wrap_krb5_db2_set_master_key_ext, - /* get_master_key */ wrap_krb5_db2_db_get_mkey, - /* set_master_key_list */ wrap_krb5_db2_db_set_mkey_list, - /* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list, - /* blah blah blah */ 0,0,0,0,0,0,0,0, - /* promote_db */ wrap_krb5_db2_promote_db, - 0, 0, - /* invoke */ wrap_krb5_db2_invoke + 1, /* major version number 1 */ + 0, /* minor version number 0 */ + /* init_library */ hack_init, + /* fini_library */ hack_cleanup, + /* init_module */ wrap_krb5_db2_open, + /* fini_module */ wrap_krb5_db2_db_fini, + /* db_create */ wrap_krb5_db2_create, + /* db_destroy */ wrap_krb5_db2_destroy, + /* db_get_age */ wrap_krb5_db2_db_get_age, + /* db_set_option */ wrap_krb5_db2_db_set_option, + /* db_lock */ wrap_krb5_db2_db_lock, + /* db_unlock */ wrap_krb5_db2_db_unlock, + /* db_get_principal */ wrap_krb5_db2_db_get_principal, + /* db_free_principal */ wrap_krb5_db2_db_free_principal, + /* db_put_principal */ wrap_krb5_db2_db_put_principal, + /* db_delete_principal */ wrap_krb5_db2_db_delete_principal, + /* db_iterate */ wrap_krb5_db2_db_iterate, + /* db_create_policy */ wrap_krb5_db2_create_policy, + /* db_get_policy */ wrap_krb5_db2_get_policy, + /* db_put_policy */ wrap_krb5_db2_put_policy, + /* db_iter_policy */ wrap_krb5_db2_iter_policy, + /* db_delete_policy */ wrap_krb5_db2_delete_policy, + /* db_free_policy */ wrap_krb5_db2_free_policy, + /* db_supported_realms */ NULL, + /* db_free_supported_realms */ NULL, + /* errcode_2_string */ NULL, + /* release_errcode_string */ NULL, + /* db_alloc */ krb5_db2_alloc, + /* db_free */ krb5_db2_free, + /* set_master_key */ wrap_krb5_db2_set_master_key_ext, + /* get_master_key */ wrap_krb5_db2_db_get_mkey, + /* set_master_key_list */ wrap_krb5_db2_db_set_mkey_list, + /* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list, + /* blah blah blah */ 0,0,0,0,0,0,0,0, + /* promote_db */ wrap_krb5_db2_promote_db, + 0, 0, + /* invoke */ wrap_krb5_db2_invoke }; diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c index 363a1f3d1..042649e49 100644 --- a/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_db2.c * @@ -130,8 +131,8 @@ static char default_db_name[] = DEFAULT_KDB_FILE; /* * Routines to deal with context. */ -#define k5db2_inited(c) (c && c->dal_handle \ - && c->dal_handle->db_context \ +#define k5db2_inited(c) (c && c->dal_handle \ + && c->dal_handle->db_context \ && ((krb5_db2_context *) c->dal_handle->db_context)->db_inited) static krb5_error_code @@ -139,23 +140,23 @@ krb5_db2_get_db_opt(char *input, char **opt, char **val) { char *pos = strchr(input, '='); if (pos == NULL) { - *opt = NULL; - *val = strdup(input); - if (*val == NULL) { - return ENOMEM; - } + *opt = NULL; + *val = strdup(input); + if (*val == NULL) { + return ENOMEM; + } } else { - *opt = malloc((pos - input) + 1); - *val = strdup(pos + 1); - if (!*opt || !*val) { - free(*opt); - *opt = NULL; - free(*val); - *val = NULL; - return ENOMEM; - } - memcpy(*opt, input, pos - input); - (*opt)[pos - input] = '\0'; + *opt = malloc((pos - input) + 1); + *val = strdup(pos + 1); + if (!*opt || !*val) { + free(*opt); + *opt = NULL; + free(*val); + *val = NULL; + return ENOMEM; + } + memcpy(*opt, input, pos - input); + (*opt)[pos - input] = '\0'; } return (0); @@ -172,9 +173,9 @@ k5db2_clear_context(krb5_db2_context *dbctx) * are the caller's problem. */ if (dbctx->db_lf_name) - free(dbctx->db_lf_name); + free(dbctx->db_lf_name); if (dbctx->db_name && (dbctx->db_name != default_db_name)) - free(dbctx->db_name); + free(dbctx->db_name); /* * Clear the structure and reset the defaults. */ @@ -193,14 +194,14 @@ k5db2_init_context(krb5_context context) dal_handle = context->dal_handle; if (dal_handle->db_context == NULL) { - db_ctx = (krb5_db2_context *) malloc(sizeof(krb5_db2_context)); - if (db_ctx == NULL) - return ENOMEM; - else { - memset(db_ctx, 0, sizeof(krb5_db2_context)); - k5db2_clear_context((krb5_db2_context *) db_ctx); - dal_handle->db_context = (void *) db_ctx; - } + db_ctx = (krb5_db2_context *) malloc(sizeof(krb5_db2_context)); + if (db_ctx == NULL) + return ENOMEM; + else { + memset(db_ctx, 0, sizeof(krb5_db2_context)); + k5db2_clear_context((krb5_db2_context *) db_ctx); + dal_handle->db_context = (void *) db_ctx; + } } return (0); } @@ -215,10 +216,10 @@ gen_dbsuffix(char *db_name, char *sfx) char *dbsuffix; if (sfx == NULL) - return ((char *) NULL); + return ((char *) NULL); if (asprintf(&dbsuffix, "%s%s", db_name, sfx) < 0) - return (0); + return (0); return dbsuffix; } @@ -237,14 +238,14 @@ k5db2_dbopen(krb5_db2_context *dbc, char *fname, int flags, int mode, int tempdb bti.prefix = NULL; if (tempdb) { - fname = gen_dbsuffix(fname, "~"); + fname = gen_dbsuffix(fname, "~"); } else { - fname = strdup(fname); + fname = strdup(fname); } if (fname == NULL) { - errno = ENOMEM; - return NULL; + errno = ENOMEM; + return NULL; } @@ -256,25 +257,25 @@ k5db2_dbopen(krb5_db2_context *dbc, char *fname, int flags, int mode, int tempdb hashi.nelem = 1; db = dbopen(fname, flags, mode, - dbc->hashfirst ? DB_HASH : DB_BTREE, - dbc->hashfirst ? (void *) &hashi : (void *) &bti); + dbc->hashfirst ? DB_HASH : DB_BTREE, + dbc->hashfirst ? (void *) &hashi : (void *) &bti); if (db != NULL) { - free(fname); - return db; + free(fname); + return db; } switch (errno) { #ifdef EFTYPE case EFTYPE: #endif case EINVAL: - db = dbopen(fname, flags, mode, - dbc->hashfirst ? DB_BTREE : DB_HASH, - dbc->hashfirst ? (void *) &bti : (void *) &hashi); - if (db != NULL) - dbc->hashfirst = !dbc->hashfirst; + db = dbopen(fname, flags, mode, + dbc->hashfirst ? DB_BTREE : DB_HASH, + dbc->hashfirst ? (void *) &bti : (void *) &hashi); + if (db != NULL) + dbc->hashfirst = !dbc->hashfirst; default: - free(fname); - return db; + free(fname); + return db; } } @@ -285,7 +286,7 @@ krb5_db2_db_set_hashfirst(krb5_context context, int hashfirst) kdb5_dal_handle *dal_handle; if (k5db2_inited(context)) - return KRB5_KDB_DBNOTINITED; + return KRB5_KDB_DBNOTINITED; dal_handle = context->dal_handle; dbc = (krb5_db2_context *) dal_handle->db_context; dbc->hashfirst = hashfirst; @@ -306,51 +307,51 @@ krb5_db2_db_init(krb5_context context) char policy_db_name[1024], policy_lock_name[1024]; if (k5db2_inited(context)) - return 0; + return 0; /* Check for presence of our context, if not present, allocate one. */ if ((retval = k5db2_init_context(context))) - return (retval); + return (retval); dal_handle = context->dal_handle; db_ctx = dal_handle->db_context; db_ctx->db = NULL; if (!(filename = gen_dbsuffix(db_ctx->db_name, db_ctx->tempdb - ?KDB2_TEMP_LOCK_EXT:KDB2_LOCK_EXT))) - return ENOMEM; - db_ctx->db_lf_name = filename; /* so it gets freed by clear_context */ + ?KDB2_TEMP_LOCK_EXT:KDB2_LOCK_EXT))) + return ENOMEM; + db_ctx->db_lf_name = filename; /* so it gets freed by clear_context */ /* * should be opened read/write so that write locking can work with * POSIX systems */ if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) { - if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) { - retval = errno; - goto err_out; - } + if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) { + retval = errno; + goto err_out; + } } set_cloexec_fd(db_ctx->db_lf_file); db_ctx->db_inited++; if ((retval = krb5_db2_db_get_age(context, NULL, &db_ctx->db_lf_time))) - goto err_out; + goto err_out; snprintf(policy_db_name, sizeof(policy_db_name), - db_ctx->tempdb ? "%s~.kadm5" : "%s.kadm5", - db_ctx->db_name); + db_ctx->tempdb ? "%s~.kadm5" : "%s.kadm5", + db_ctx->db_name); snprintf(policy_lock_name, sizeof(policy_lock_name), - "%s.lock", policy_db_name); + "%s.lock", policy_db_name); if ((retval = osa_adb_init_db(&db_ctx->policy_db, policy_db_name, - policy_lock_name, OSA_ADB_POLICY_DB_MAGIC))) + policy_lock_name, OSA_ADB_POLICY_DB_MAGIC))) { - goto err_out; + goto err_out; } return 0; - err_out: +err_out: db_ctx->db = NULL; k5db2_clear_context(db_ctx); return (retval); @@ -369,28 +370,28 @@ krb5_db2_db_fini(krb5_context context) dal_handle = context->dal_handle; if (dal_handle == NULL) { - return 0; + return 0; } db_ctx = (krb5_db2_context *) dal_handle->db_context; if (k5db2_inited(context)) { - if (close(db_ctx->db_lf_file)) - retval = errno; - else - retval = 0; + if (close(db_ctx->db_lf_file)) + retval = errno; + else + retval = 0; } if (db_ctx) { - if (db_ctx->policy_db) { - retval = - osa_adb_fini_db(db_ctx->policy_db, OSA_ADB_POLICY_DB_MAGIC); - if (retval) - return retval; - } + if (db_ctx->policy_db) { + retval = + osa_adb_fini_db(db_ctx->policy_db, OSA_ADB_POLICY_DB_MAGIC); + if (retval) + return retval; + } - k5db2_clear_context(db_ctx); - /* free(dal_handle->db_context); */ - dal_handle->db_context = NULL; + k5db2_clear_context(db_ctx); + /* free(dal_handle->db_context); */ + dal_handle->db_context = NULL; } return retval; } @@ -405,7 +406,7 @@ krb5_db2_db_set_mkey(krb5_context context, krb5_keyblock *key) kdb5_dal_handle *dal_handle; if (!k5db2_inited(context)) - return (KRB5_KDB_DBNOTINITED); + return (KRB5_KDB_DBNOTINITED); dal_handle = context->dal_handle; db_ctx = dal_handle->db_context; @@ -420,7 +421,7 @@ krb5_db2_db_get_mkey(krb5_context context, krb5_keyblock **key) kdb5_dal_handle *dal_handle; if (!k5db2_inited(context)) - return (KRB5_KDB_DBNOTINITED); + return (KRB5_KDB_DBNOTINITED); dal_handle = context->dal_handle; db_ctx = dal_handle->db_context; @@ -436,7 +437,7 @@ krb5_db2_db_set_mkey_list(krb5_context context, krb5_keylist_node *key_list) kdb5_dal_handle *dal_handle; if (!k5db2_inited(context)) - return (KRB5_KDB_DBNOTINITED); + return (KRB5_KDB_DBNOTINITED); dal_handle = context->dal_handle; db_ctx = dal_handle->db_context; @@ -451,7 +452,7 @@ krb5_db2_db_get_mkey_list(krb5_context context, krb5_keylist_node **key_list) kdb5_dal_handle *dal_handle; if (!k5db2_inited(context)) - return (KRB5_KDB_DBNOTINITED); + return (KRB5_KDB_DBNOTINITED); dal_handle = context->dal_handle; db_ctx = dal_handle->db_context; @@ -478,21 +479,21 @@ krb5_db2_db_set_name(krb5_context context, char *name, int tempdb) kdb5_dal_handle *dal_handle; if (k5db2_inited(context)) - return KRB5_KDB_DBINITED; + return KRB5_KDB_DBINITED; /* Check for presence of our context, if not present, allocate one. */ if ((kret = k5db2_init_context(context))) - return (kret); + return (kret); if (name == NULL) - name = default_db_name; + name = default_db_name; dal_handle = context->dal_handle; db_ctx = dal_handle->db_context; db_ctx->tempdb = tempdb; db = k5db2_dbopen(db_ctx, name, O_RDONLY, 0, tempdb); if (db == NULL) - return errno; + return errno; db_ctx->db_name = strdup(name); (*db->close) (db); @@ -513,14 +514,14 @@ krb5_db2_db_get_age(krb5_context context, char *db_name, time_t *age) struct stat st; if (!k5db2_inited(context)) - return (KRB5_KDB_DBNOTINITED); + return (KRB5_KDB_DBNOTINITED); dal_handle = context->dal_handle; db_ctx = (krb5_db2_context *) dal_handle->db_context; if (fstat(db_ctx->db_lf_file, &st) < 0) - *age = -1; + *age = -1; else - *age = st.st_mtime; + *age = st.st_mtime; return 0; } @@ -549,29 +550,29 @@ krb5_db2_db_end_update(krb5_context context) struct utimbuf utbuf; if (!k5db2_inited(context)) - return (KRB5_KDB_DBNOTINITED); + return (KRB5_KDB_DBNOTINITED); retval = 0; dal_handle = context->dal_handle; db_ctx = dal_handle->db_context; now = time((time_t *) NULL); if (fstat(db_ctx->db_lf_file, &st) == 0) { - if (st.st_mtime >= now) { - utbuf.actime = st.st_mtime + 1; - utbuf.modtime = st.st_mtime + 1; - if (utime(db_ctx->db_lf_name, &utbuf)) - retval = errno; - } else { - if (utime(db_ctx->db_lf_name, (struct utimbuf *) NULL)) - retval = errno; - } + if (st.st_mtime >= now) { + utbuf.actime = st.st_mtime + 1; + utbuf.modtime = st.st_mtime + 1; + if (utime(db_ctx->db_lf_name, &utbuf)) + retval = errno; + } else { + if (utime(db_ctx->db_lf_name, (struct utimbuf *) NULL)) + retval = errno; + } } else - retval = errno; + retval = errno; if (!retval) { - if (fstat(db_ctx->db_lf_file, &st) == 0) - db_ctx->db_lf_time = st.st_mtime; - else - retval = errno; + if (fstat(db_ctx->db_lf_file, &st) == 0) + db_ctx->db_lf_time = st.st_mtime; + else + retval = errno; } return (retval); } @@ -591,76 +592,76 @@ krb5_db2_db_lock(krb5_context context, int in_mode) switch (in_mode) { case KRB5_DB_LOCKMODE_PERMANENT: - mode = KRB5_DB_LOCKMODE_EXCLUSIVE; - break; + mode = KRB5_DB_LOCKMODE_EXCLUSIVE; + break; case KRB5_DB_LOCKMODE_EXCLUSIVE: - mode = KRB5_LOCKMODE_EXCLUSIVE; - break; + mode = KRB5_LOCKMODE_EXCLUSIVE; + break; case KRB5_DB_LOCKMODE_SHARED: - mode = KRB5_LOCKMODE_SHARED; - break; + mode = KRB5_LOCKMODE_SHARED; + break; default: - return EINVAL; + return EINVAL; } if (!k5db2_inited(context)) - return KRB5_KDB_DBNOTINITED; + return KRB5_KDB_DBNOTINITED; dal_handle = context->dal_handle; db_ctx = (krb5_db2_context *) dal_handle->db_context; if (db_ctx->db_locks_held && (db_ctx->db_lock_mode >= mode)) { - /* No need to upgrade lock, just return */ - db_ctx->db_locks_held++; - goto policy_lock; + /* No need to upgrade lock, just return */ + db_ctx->db_locks_held++; + goto policy_lock; } if ((mode != KRB5_LOCKMODE_SHARED) && (mode != KRB5_LOCKMODE_EXCLUSIVE)) - return KRB5_KDB_BADLOCKMODE; + return KRB5_KDB_BADLOCKMODE; krb5_lock_mode = mode | KRB5_LOCKMODE_DONTBLOCK; for (gotlock = tries = 0; tries < MAX_LOCK_TRIES; tries++) { - retval = krb5_lock_file(context, db_ctx->db_lf_file, krb5_lock_mode); - if (retval == 0) { - gotlock++; - break; - } else if (retval == EBADF && mode == KRB5_DB_LOCKMODE_EXCLUSIVE) - /* tried to exclusive-lock something we don't have */ - /* write access to */ - return KRB5_KDB_CANTLOCK_DB; - sleep(1); + retval = krb5_lock_file(context, db_ctx->db_lf_file, krb5_lock_mode); + if (retval == 0) { + gotlock++; + break; + } else if (retval == EBADF && mode == KRB5_DB_LOCKMODE_EXCLUSIVE) + /* tried to exclusive-lock something we don't have */ + /* write access to */ + return KRB5_KDB_CANTLOCK_DB; + sleep(1); } if (retval == EACCES) - return KRB5_KDB_CANTLOCK_DB; + return KRB5_KDB_CANTLOCK_DB; else if (retval == EAGAIN || retval == EWOULDBLOCK) - return OSA_ADB_CANTLOCK_DB; + return OSA_ADB_CANTLOCK_DB; else if (retval != 0) - return retval; + return retval; if ((retval = krb5_db2_db_get_age(context, NULL, &mod_time))) - goto lock_error; + goto lock_error; db = k5db2_dbopen(db_ctx, db_ctx->db_name, - mode == KRB5_LOCKMODE_SHARED ? O_RDONLY : O_RDWR, 0600, db_ctx->tempdb); + mode == KRB5_LOCKMODE_SHARED ? O_RDONLY : O_RDWR, 0600, db_ctx->tempdb); if (db) { - db_ctx->db_lf_time = mod_time; - db_ctx->db = db; + db_ctx->db_lf_time = mod_time; + db_ctx->db = db; } else { - retval = errno; - db_ctx->db = NULL; - goto lock_error; + retval = errno; + db_ctx->db = NULL; + goto lock_error; } db_ctx->db_lock_mode = mode; db_ctx->db_locks_held++; - policy_lock: +policy_lock: if ((retval = osa_adb_get_lock(db_ctx->policy_db, in_mode))) { - krb5_db2_db_unlock(context); + krb5_db2_db_unlock(context); } return retval; - lock_error:; +lock_error:; db_ctx->db_lock_mode = 0; db_ctx->db_locks_held = 0; krb5_db2_db_unlock(context); @@ -676,26 +677,26 @@ krb5_db2_db_unlock(krb5_context context) krb5_error_code retval; if (!k5db2_inited(context)) - return KRB5_KDB_DBNOTINITED; + return KRB5_KDB_DBNOTINITED; dal_handle = context->dal_handle; db_ctx = (krb5_db2_context *) dal_handle->db_context; if ((retval = osa_adb_release_lock(db_ctx->policy_db))) { - return retval; + return retval; } - if (!db_ctx->db_locks_held) /* lock already unlocked */ - return KRB5_KDB_NOTLOCKED; + if (!db_ctx->db_locks_held) /* lock already unlocked */ + return KRB5_KDB_NOTLOCKED; db = db_ctx->db; if (--(db_ctx->db_locks_held) == 0) { - (*db->close) (db); - db_ctx->db = NULL; + (*db->close) (db); + db_ctx->db = NULL; - retval = krb5_lock_file(context, db_ctx->db_lf_file, - KRB5_LOCKMODE_UNLOCK); - db_ctx->db_lock_mode = 0; - return (retval); + retval = krb5_lock_file(context, db_ctx->db_lf_file, + KRB5_LOCKMODE_UNLOCK); + db_ctx->db_lock_mode = 0; + return (retval); } return 0; } @@ -716,49 +717,49 @@ krb5_db2_db_create(krb5_context context, char *db_name, krb5_int32 flags) char policy_db_name[1024], policy_lock_name[1024]; if ((retval = k5db2_init_context(context))) - return (retval); + return (retval); dal_handle = context->dal_handle; db_ctx = (krb5_db2_context *) dal_handle->db_context; switch (flags) { case KRB5_KDB_CREATE_HASH: - if ((retval = krb5_db2_db_set_hashfirst(context, TRUE))) - return retval; - break; + if ((retval = krb5_db2_db_set_hashfirst(context, TRUE))) + return retval; + break; case KRB5_KDB_CREATE_BTREE: case 0: - if ((retval = krb5_db2_db_set_hashfirst(context, FALSE))) - return retval; - break; + if ((retval = krb5_db2_db_set_hashfirst(context, FALSE))) + return retval; + break; default: - return KRB5_KDB_BAD_CREATEFLAGS; + return KRB5_KDB_BAD_CREATEFLAGS; } db = k5db2_dbopen(db_ctx, db_name, O_RDWR | O_CREAT | O_EXCL, 0600, db_ctx->tempdb); if (db == NULL) - return errno; + return errno; (*db->close) (db); db_name2 = db_ctx->tempdb ? gen_dbsuffix(db_name, "~") : strdup(db_name); if (db_name2 == NULL) - return ENOMEM; + return ENOMEM; okname = gen_dbsuffix(db_name2, KDB2_LOCK_EXT); if (!okname) - retval = ENOMEM; + retval = ENOMEM; else { - fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600); - if (fd < 0) - retval = errno; - else - close(fd); - free_dbsuffix(okname); + fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600); + if (fd < 0) + retval = errno; + else + close(fd); + free_dbsuffix(okname); } snprintf(policy_db_name, sizeof(policy_db_name), "%s.kadm5", db_name2); snprintf(policy_lock_name, sizeof(policy_lock_name), - "%s.lock", policy_db_name); + "%s.lock", policy_db_name); retval = osa_adb_create_db(policy_db_name, - policy_lock_name, OSA_ADB_POLICY_DB_MAGIC); + policy_lock_name, OSA_ADB_POLICY_DB_MAGIC); free(db_name2); return retval; } @@ -772,7 +773,7 @@ destroy_file_suffix(char *dbname, char *suffix) char *filename; struct stat statb; int nb, fd; - int j; + int j; off_t pos; char buf[BUFSIZ]; char zbuf[BUFSIZ]; @@ -780,19 +781,19 @@ destroy_file_suffix(char *dbname, char *suffix) filename = gen_dbsuffix(dbname, suffix); if (filename == 0) - return ENOMEM; + return ENOMEM; if ((fd = open(filename, O_RDWR, 0)) < 0) { - free(filename); - return errno; + free(filename); + return errno; } set_cloexec_fd(fd); /* fstat() will probably not fail unless using a remote filesystem * (which is inappropriate for the kerberos database) so this check * is mostly paranoia. */ if (fstat(fd, &statb) == -1) { - int retval = errno; - free(filename); - return retval; + int retval = errno; + free(filename); + return retval; } /* * Stroll through the file, reading in BUFSIZ chunks. If everything @@ -805,31 +806,31 @@ destroy_file_suffix(char *dbname, char *suffix) memset(zbuf, 0, BUFSIZ); pos = 0; while (pos < statb.st_size) { - dowrite = 0; - nb = read(fd, buf, BUFSIZ); - if (nb < 0) { - int retval = errno; - free(filename); - return retval; - } - for (j = 0; j < nb; j++) { - if (buf[j] != '\0') { - dowrite = 1; - break; - } - } - /* For signedness */ - j = nb; - if (dowrite) { - lseek(fd, pos, SEEK_SET); - nb = write(fd, zbuf, j); - if (nb < 0) { - int retval = errno; - free(filename); - return retval; - } - } - pos += nb; + dowrite = 0; + nb = read(fd, buf, BUFSIZ); + if (nb < 0) { + int retval = errno; + free(filename); + return retval; + } + for (j = 0; j < nb; j++) { + if (buf[j] != '\0') { + dowrite = 1; + break; + } + } + /* For signedness */ + j = nb; + if (dowrite) { + lseek(fd, pos, SEEK_SET); + nb = write(fd, zbuf, j); + if (nb < 0) { + int retval = errno; + free(filename); + return retval; + } + } + pos += nb; } /* ??? Is fsync really needed? I don't know of any non-networked * filesystem which will discard queued writes to disk if a file @@ -840,8 +841,8 @@ destroy_file_suffix(char *dbname, char *suffix) close(fd); if (unlink(filename)) { - free(filename); - return (errno); + free(filename); + return (errno); } free(filename); return (0); @@ -866,10 +867,10 @@ krb5_db2_db_destroy(krb5_context context, char *dbname) tmpcontext = 0; if (!context->dal_handle - || !context->dal_handle->db_context) { - tmpcontext = 1; - if ((retval1 = k5db2_init_context(context))) - return (retval1); + || !context->dal_handle->db_context) { + tmpcontext = 1; + if ((retval1 = k5db2_init_context(context))) + return (retval1); } retval1 = retval2 = 0; @@ -877,20 +878,20 @@ krb5_db2_db_destroy(krb5_context context, char *dbname) retval2 = destroy_file_suffix(dbname, KDB2_LOCK_EXT); if (tmpcontext) { - k5db2_clear_context((krb5_db2_context *) context->dal_handle->db_context); - free(context->dal_handle->db_context); - context->dal_handle->db_context = NULL; + k5db2_clear_context((krb5_db2_context *) context->dal_handle->db_context); + free(context->dal_handle->db_context); + context->dal_handle->db_context = NULL; } if (retval1 || retval2) - return (retval1 ? retval1 : retval2); + return (retval1 ? retval1 : retval2); snprintf(policy_db_name, sizeof(policy_db_name), "%s.kadm5", dbname); snprintf(policy_lock_name, sizeof(policy_lock_name), - "%s.lock", policy_db_name); + "%s.lock", policy_db_name); retval1 = osa_adb_destroy_db(policy_db_name, - policy_lock_name, OSA_ADB_POLICY_DB_MAGIC); + policy_lock_name, OSA_ADB_POLICY_DB_MAGIC); return retval1; } @@ -903,10 +904,10 @@ krb5_db2_db_destroy(krb5_context context, char *dbname) krb5_error_code krb5_db2_db_get_principal(krb5_context context, - krb5_const_principal searchfor, - krb5_db_entry *entries, /* filled in */ - int *nentries, /* how much room/how many found */ - krb5_boolean *more) /* are there more? */ + krb5_const_principal searchfor, + krb5_db_entry *entries, /* filled in */ + int *nentries, /* how much room/how many found */ + krb5_boolean *more) /* are there more? */ { krb5_db2_context *db_ctx; krb5_error_code retval; @@ -920,27 +921,27 @@ krb5_db2_db_get_principal(krb5_context context, *nentries = 0; if (!k5db2_inited(context)) - return KRB5_KDB_DBNOTINITED; + return KRB5_KDB_DBNOTINITED; dal_handle = context->dal_handle; db_ctx = (krb5_db2_context *) dal_handle->db_context; for (trynum = 0; trynum < KRB5_DB2_MAX_RETRY; trynum++) { - if ((retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_SHARED))) { - if (db_ctx->db_nb_locks) - return (retval); - sleep(1); - continue; - } - break; + if ((retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_SHARED))) { + if (db_ctx->db_nb_locks) + return (retval); + sleep(1); + continue; + } + break; } if (trynum == KRB5_DB2_MAX_RETRY) - return KRB5_KDB_DB_INUSE; + return KRB5_KDB_DB_INUSE; /* XXX deal with wildcard lookups */ retval = krb5_encode_princ_dbkey(context, &keydata, searchfor); if (retval) - goto cleanup; + goto cleanup; key.data = keydata.data; key.size = keydata.length; @@ -950,35 +951,35 @@ krb5_db2_db_get_principal(krb5_context context, krb5_free_data_contents(context, &keydata); switch (dbret) { case 1: - retval = 0; + retval = 0; case -1: default: - *nentries = 0; - goto cleanup; + *nentries = 0; + goto cleanup; case 0: - contdata.data = contents.data; - contdata.length = contents.size; - retval = krb5_decode_princ_contents(context, &contdata, entries); - if (!retval) - *nentries = 1; - break; + contdata.data = contents.data; + contdata.length = contents.size; + retval = krb5_decode_princ_contents(context, &contdata, entries); + if (!retval) + *nentries = 1; + break; } - cleanup: - (void) krb5_db2_db_unlock(context); /* unlock read lock */ +cleanup: + (void) krb5_db2_db_unlock(context); /* unlock read lock */ return retval; } /* Free stuff returned by krb5_db2_db_get_principal. - */ +*/ krb5_error_code krb5_db2_db_free_principal(krb5_context context, krb5_db_entry *entries, - int nentries) + int nentries) { register int i; for (i = 0; i < nentries; i++) - krb5_dbe_free_contents(context, &entries[i]); + krb5_dbe_free_contents(context, &entries[i]); return 0; } @@ -990,13 +991,13 @@ krb5_db2_db_free_principal(krb5_context context, krb5_db_entry *entries, acutally stored; the first *"nstored" records will have been stored in the database (even if an error occurs). - */ +*/ krb5_error_code krb5_db2_db_put_principal(krb5_context context, - krb5_db_entry *entries, - int *nentries, /* number of entry structs to update */ - char **db_args) + krb5_db_entry *entries, + int *nentries, /* number of entry structs to update */ + char **db_args) { int i, n, dbret; DB *db; @@ -1008,55 +1009,55 @@ krb5_db2_db_put_principal(krb5_context context, krb5_clear_error_message (context); if (db_args) { - /* DB2 does not support db_args DB arguments for principal */ - krb5_set_error_message(context, EINVAL, - "Unsupported argument \"%s\" for db2", - db_args[0]); - return EINVAL; + /* DB2 does not support db_args DB arguments for principal */ + krb5_set_error_message(context, EINVAL, + "Unsupported argument \"%s\" for db2", + db_args[0]); + return EINVAL; } n = *nentries; *nentries = 0; if (!k5db2_inited(context)) - return KRB5_KDB_DBNOTINITED; + return KRB5_KDB_DBNOTINITED; dal_handle = context->dal_handle; db_ctx = (krb5_db2_context *) dal_handle->db_context; if ((retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_EXCLUSIVE))) - return retval; + return retval; db = db_ctx->db; if ((retval = krb5_db2_db_start_update(context))) { - (void) krb5_db2_db_unlock(context); - return retval; + (void) krb5_db2_db_unlock(context); + return retval; } /* for each one, stuff temps, and do replace/append */ for (i = 0; i < n; i++) { - retval = krb5_encode_princ_contents(context, &contdata, entries); - if (retval) - break; - contents.data = contdata.data; - contents.size = contdata.length; - retval = krb5_encode_princ_dbkey(context, &keydata, entries->princ); - if (retval) { - krb5_free_data_contents(context, &contdata); - break; - } - - key.data = keydata.data; - key.size = keydata.length; - dbret = (*db->put) (db, &key, &contents, 0); - retval = dbret ? errno : 0; - krb5_free_data_contents(context, &keydata); - krb5_free_data_contents(context, &contdata); - if (retval) - break; - entries++; /* bump to next struct */ + retval = krb5_encode_princ_contents(context, &contdata, entries); + if (retval) + break; + contents.data = contdata.data; + contents.size = contdata.length; + retval = krb5_encode_princ_dbkey(context, &keydata, entries->princ); + if (retval) { + krb5_free_data_contents(context, &contdata); + break; + } + + key.data = keydata.data; + key.size = keydata.length; + dbret = (*db->put) (db, &key, &contents, 0); + retval = dbret ? errno : 0; + krb5_free_data_contents(context, &keydata); + krb5_free_data_contents(context, &contdata); + if (retval) + break; + entries++; /* bump to next struct */ } (void) krb5_db2_db_end_update(context); - (void) krb5_db2_db_unlock(context); /* unlock database */ + (void) krb5_db2_db_unlock(context); /* unlock database */ *nentries = i; return (retval); } @@ -1068,8 +1069,8 @@ krb5_db2_db_put_principal(krb5_context context, krb5_error_code krb5_db2_db_delete_principal(krb5_context context, - krb5_const_principal searchfor, - int *nentries) /* how many found & deleted */ + krb5_const_principal searchfor, + int *nentries) /* how many found & deleted */ { krb5_error_code retval; krb5_db_entry entry; @@ -1081,20 +1082,20 @@ krb5_db2_db_delete_principal(krb5_context context, kdb5_dal_handle *dal_handle; if (!k5db2_inited(context)) - return KRB5_KDB_DBNOTINITED; + return KRB5_KDB_DBNOTINITED; dal_handle = context->dal_handle; db_ctx = (krb5_db2_context *) dal_handle->db_context; if ((retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_EXCLUSIVE))) - return (retval); + return (retval); if ((retval = krb5_db2_db_start_update(context))) { - (void) krb5_db2_db_unlock(context); /* unlock write lock */ - return (retval); + (void) krb5_db2_db_unlock(context); /* unlock write lock */ + return (retval); } if ((retval = krb5_encode_princ_dbkey(context, &keydata, searchfor))) - goto cleanup; + goto cleanup; key.data = keydata.data; key.size = keydata.length; @@ -1103,34 +1104,34 @@ krb5_db2_db_delete_principal(krb5_context context, retval = errno; switch (dbret) { case 1: - retval = KRB5_KDB_NOENTRY; + retval = KRB5_KDB_NOENTRY; case -1: default: - *nentries = 0; - goto cleankey; + *nentries = 0; + goto cleankey; case 0: - ; + ; } memset(&entry, 0, sizeof(entry)); contdata.data = contents.data; contdata.length = contents.size; retval = krb5_decode_princ_contents(context, &contdata, &entry); if (retval) - goto cleankey; + goto cleankey; *nentries = 1; /* Clear encrypted key contents */ for (i = 0; i < entry.n_key_data; i++) { - if (entry.key_data[i].key_data_length[0]) { - memset(entry.key_data[i].key_data_contents[0], 0, - (unsigned) entry.key_data[i].key_data_length[0]); - } + if (entry.key_data[i].key_data_length[0]) { + memset(entry.key_data[i].key_data_contents[0], 0, + (unsigned) entry.key_data[i].key_data_length[0]); + } } retval = krb5_encode_princ_contents(context, &contdata, &entry); krb5_dbe_free_contents(context, &entry); if (retval) - goto cleankey; + goto cleankey; contents.data = contdata.data; contents.size = contdata.length; @@ -1138,23 +1139,23 @@ krb5_db2_db_delete_principal(krb5_context context, retval = dbret ? errno : 0; krb5_free_data_contents(context, &contdata); if (retval) - goto cleankey; + goto cleankey; dbret = (*db->del) (db, &key, 0); retval = dbret ? errno : 0; - cleankey: +cleankey: krb5_free_data_contents(context, &keydata); - cleanup: +cleanup: (void) krb5_db2_db_end_update(context); - (void) krb5_db2_db_unlock(context); /* unlock write lock */ + (void) krb5_db2_db_unlock(context); /* unlock write lock */ return retval; } krb5_error_code krb5_db2_db_iterate_ext(krb5_context context, - krb5_error_code(*func) (krb5_pointer, krb5_db_entry *), - krb5_pointer func_arg, - int backwards, int recursive) + krb5_error_code(*func) (krb5_pointer, krb5_db_entry *), + krb5_pointer func_arg, + int backwards, int recursive) { krb5_db2_context *db_ctx; DB *db; @@ -1168,75 +1169,75 @@ krb5_db2_db_iterate_ext(krb5_context context, cookie = NULL; if (!k5db2_inited(context)) - return KRB5_KDB_DBNOTINITED; + return KRB5_KDB_DBNOTINITED; dal_handle = context->dal_handle; db_ctx = (krb5_db2_context *) dal_handle->db_context; retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_SHARED); if (retval) - return retval; + return retval; db = db_ctx->db; if (recursive && db->type != DB_BTREE) { - (void) krb5_db2_db_unlock(context); - return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */ + (void) krb5_db2_db_unlock(context); + return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */ } if (!recursive) { - dbret = (*db->seq) (db, &key, &contents, backwards ? R_LAST : R_FIRST); + dbret = (*db->seq) (db, &key, &contents, backwards ? R_LAST : R_FIRST); } else { #ifdef HAVE_BT_RSEQ - dbret = bt_rseq(db, &key, &contents, &cookie, - backwards ? R_LAST : R_FIRST); + dbret = bt_rseq(db, &key, &contents, &cookie, + backwards ? R_LAST : R_FIRST); #else - (void) krb5_db2_db_unlock(context); - return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */ + (void) krb5_db2_db_unlock(context); + return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */ #endif } while (dbret == 0) { - krb5_error_code retval2; - - contdata.data = contents.data; - contdata.length = contents.size; - retval = krb5_decode_princ_contents(context, &contdata, &entries); - if (retval) - break; - retval = k5_mutex_unlock(krb5_db2_mutex); - if (retval) - break; - retval = (*func) (func_arg, &entries); - krb5_dbe_free_contents(context, &entries); - retval2 = k5_mutex_lock(krb5_db2_mutex); - /* Note: If re-locking fails, the wrapper in db2_exp.c will - still try to unlock it again. That would be a bug. Fix - when integrating the locking better. */ - if (retval) - break; - if (retval2) { - retval = retval2; - break; - } - if (!recursive) { - dbret = (*db->seq) (db, &key, &contents, - backwards ? R_PREV : R_NEXT); - } else { + krb5_error_code retval2; + + contdata.data = contents.data; + contdata.length = contents.size; + retval = krb5_decode_princ_contents(context, &contdata, &entries); + if (retval) + break; + retval = k5_mutex_unlock(krb5_db2_mutex); + if (retval) + break; + retval = (*func) (func_arg, &entries); + krb5_dbe_free_contents(context, &entries); + retval2 = k5_mutex_lock(krb5_db2_mutex); + /* Note: If re-locking fails, the wrapper in db2_exp.c will + still try to unlock it again. That would be a bug. Fix + when integrating the locking better. */ + if (retval) + break; + if (retval2) { + retval = retval2; + break; + } + if (!recursive) { + dbret = (*db->seq) (db, &key, &contents, + backwards ? R_PREV : R_NEXT); + } else { #ifdef HAVE_BT_RSEQ - dbret = bt_rseq(db, &key, &contents, &cookie, - backwards ? R_PREV : R_NEXT); + dbret = bt_rseq(db, &key, &contents, &cookie, + backwards ? R_PREV : R_NEXT); #else - (void) krb5_db2_db_unlock(context); - return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */ + (void) krb5_db2_db_unlock(context); + return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */ #endif - } + } } switch (dbret) { case 1: case 0: - break; + break; case -1: default: - retval = errno; + retval = errno; } (void) krb5_db2_db_unlock(context); return retval; @@ -1244,9 +1245,9 @@ krb5_db2_db_iterate_ext(krb5_context context, krb5_error_code krb5_db2_db_iterate(krb5_context context, - char *match_expr, - krb5_error_code(*func) (krb5_pointer, krb5_db_entry *), - krb5_pointer func_arg) + char *match_expr, + krb5_error_code(*func) (krb5_pointer, krb5_db_entry *), + krb5_pointer func_arg) { return krb5_db2_db_iterate_ext(context, func, func_arg, 0, 0); } @@ -1261,8 +1262,8 @@ krb5_db2_db_set_lockmode(krb5_context context, krb5_boolean mode) dal_handle = context->dal_handle; old = mode; if (dal_handle && (db_ctx = (krb5_db2_context *) dal_handle->db_context)) { - old = db_ctx->db_nb_locks; - db_ctx->db_nb_locks = mode; + old = db_ctx->db_nb_locks; + db_ctx->db_nb_locks = mode; } return old; } @@ -1285,7 +1286,7 @@ krb5_db2_lib_cleanup() krb5_error_code krb5_db2_open(krb5_context kcontext, - char *conf_section, char **db_args, int mode) + char *conf_section, char **db_args, int mode) { krb5_error_code status = 0; char **t_ptr = db_args; @@ -1295,75 +1296,75 @@ krb5_db2_open(krb5_context kcontext, krb5_clear_error_message (kcontext); if (k5db2_inited(kcontext)) - return 0; + return 0; while (t_ptr && *t_ptr) { - char *opt = NULL, *val = NULL; - - krb5_db2_get_db_opt(*t_ptr, &opt, &val); - if (opt && !strcmp(opt, "dbname")) { - if (dbname) free(dbname); - dbname = strdup(val); - if (dbname == NULL) { - free(opt); - free(val); - return ENOMEM; - } - } - else if (!opt && !strcmp(val, "temporary") ) { - tempdb = 1; - } - else if (!opt && !strcmp(val, "merge_nra")) { - ; - } - /* ignore hash argument. Might have been passed from create */ - else if (!opt || strcmp(opt, "hash")) { - krb5_set_error_message(kcontext, EINVAL, - "Unsupported argument \"%s\" for db2", - opt ? opt : val); - free(opt); - free(val); - return EINVAL; - } - - free(opt); - free(val); - t_ptr++; + char *opt = NULL, *val = NULL; + + krb5_db2_get_db_opt(*t_ptr, &opt, &val); + if (opt && !strcmp(opt, "dbname")) { + if (dbname) free(dbname); + dbname = strdup(val); + if (dbname == NULL) { + free(opt); + free(val); + return ENOMEM; + } + } + else if (!opt && !strcmp(val, "temporary") ) { + tempdb = 1; + } + else if (!opt && !strcmp(val, "merge_nra")) { + ; + } + /* ignore hash argument. Might have been passed from create */ + else if (!opt || strcmp(opt, "hash")) { + krb5_set_error_message(kcontext, EINVAL, + "Unsupported argument \"%s\" for db2", + opt ? opt : val); + free(opt); + free(val); + return EINVAL; + } + + free(opt); + free(val); + t_ptr++; } if(dbname) { - status = krb5_db2_db_set_name(kcontext, dbname, tempdb); - free(dbname); - if (status) { - goto clean_n_exit; - } - db_name_set = 1; + status = krb5_db2_db_set_name(kcontext, dbname, tempdb); + free(dbname); + if (status) { + goto clean_n_exit; + } + db_name_set = 1; } if (!db_name_set) { - char *value = NULL; - status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_MODULE_SECTION, conf_section, KDB_DB2_DATABASE_NAME, /* under given conf section */ - NULL, &value); + char *value = NULL; + status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_MODULE_SECTION, conf_section, KDB_DB2_DATABASE_NAME, /* under given conf section */ + NULL, &value); - if (value == NULL) { - /* special case for db2. We might actually be looking at old type config file where database is specified as part of realm */ - status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_REALM_SECTION, KRB5_DB_GET_REALM(kcontext), KDB_DB2_DATABASE_NAME, /* under given realm */ - default_db_name, &value); - if (status) { - goto clean_n_exit; - } - } + if (value == NULL) { + /* special case for db2. We might actually be looking at old type config file where database is specified as part of realm */ + status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_REALM_SECTION, KRB5_DB_GET_REALM(kcontext), KDB_DB2_DATABASE_NAME, /* under given realm */ + default_db_name, &value); + if (status) { + goto clean_n_exit; + } + } - status = krb5_db2_db_set_name(kcontext, value, tempdb); - profile_release_string(value); - if (status) { - goto clean_n_exit; - } + status = krb5_db2_db_set_name(kcontext, value, tempdb); + profile_release_string(value); + if (status) { + goto clean_n_exit; + } } status = krb5_db2_db_init(kcontext); - clean_n_exit: +clean_n_exit: return status; } @@ -1379,97 +1380,97 @@ krb5_db2_create(krb5_context kcontext, char *conf_section, char **db_args) krb5_clear_error_message (kcontext); if (k5db2_inited(kcontext)) - return 0; + return 0; while (t_ptr && *t_ptr) { - char *opt = NULL, *val = NULL; - - krb5_db2_get_db_opt(*t_ptr, &opt, &val); - if (opt && !strcmp(opt, "dbname")) { - db_name = strdup(val); - if (db_name == NULL) { - free(opt); - free(val); - return ENOMEM; - } - } - else if (!opt && !strcmp(val, "temporary")) { - tempdb = 1; - } else if (!opt && !strcmp(val, "merge_nra")) { - ; - } else if (opt && !strcmp(opt, "hash")) { - flags = KRB5_KDB_CREATE_HASH; - } else { - krb5_set_error_message(kcontext, EINVAL, - "Unsupported argument \"%s\" for db2", - opt ? opt : val); - free(opt); - free(val); - return EINVAL; - } - - free(opt); - free(val); - t_ptr++; + char *opt = NULL, *val = NULL; + + krb5_db2_get_db_opt(*t_ptr, &opt, &val); + if (opt && !strcmp(opt, "dbname")) { + db_name = strdup(val); + if (db_name == NULL) { + free(opt); + free(val); + return ENOMEM; + } + } + else if (!opt && !strcmp(val, "temporary")) { + tempdb = 1; + } else if (!opt && !strcmp(val, "merge_nra")) { + ; + } else if (opt && !strcmp(opt, "hash")) { + flags = KRB5_KDB_CREATE_HASH; + } else { + krb5_set_error_message(kcontext, EINVAL, + "Unsupported argument \"%s\" for db2", + opt ? opt : val); + free(opt); + free(val); + return EINVAL; + } + + free(opt); + free(val); + t_ptr++; } if (db_name) { - status = krb5_db2_db_set_name(kcontext, db_name, tempdb); - if (!status) { - status = EEXIST; - goto clean_n_exit; - } - db_name_set = 1; + status = krb5_db2_db_set_name(kcontext, db_name, tempdb); + if (!status) { + status = EEXIST; + goto clean_n_exit; + } + db_name_set = 1; } if (!db_name_set) { - char *value = NULL; - status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), - KDB_MODULE_SECTION, conf_section, - /* under given conf section */ - KDB_DB2_DATABASE_NAME, NULL, &value); - - if (value == NULL) { - /* Special case for db2. We might actually be looking at - * old type config file where database is specified as - * part of realm. */ - status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), - KDB_REALM_SECTION, - KRB5_DB_GET_REALM(kcontext), - /* under given realm */ - KDB_DB2_DATABASE_NAME, - default_db_name, &value); - if (status) { - goto clean_n_exit; - } - } - - db_name = strdup(value); - if (db_name == NULL) { - status = ENOMEM; - profile_release_string(value); - goto clean_n_exit; - } - status = krb5_db2_db_set_name(kcontext, value, tempdb); - profile_release_string(value); - if (!status) { - status = EEXIST; - goto clean_n_exit; - } + char *value = NULL; + status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), + KDB_MODULE_SECTION, conf_section, + /* under given conf section */ + KDB_DB2_DATABASE_NAME, NULL, &value); + + if (value == NULL) { + /* Special case for db2. We might actually be looking at + * old type config file where database is specified as + * part of realm. */ + status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), + KDB_REALM_SECTION, + KRB5_DB_GET_REALM(kcontext), + /* under given realm */ + KDB_DB2_DATABASE_NAME, + default_db_name, &value); + if (status) { + goto clean_n_exit; + } + } + + db_name = strdup(value); + if (db_name == NULL) { + status = ENOMEM; + profile_release_string(value); + goto clean_n_exit; + } + status = krb5_db2_db_set_name(kcontext, value, tempdb); + profile_release_string(value); + if (!status) { + status = EEXIST; + goto clean_n_exit; + } } status = krb5_db2_db_create(kcontext, db_name, flags); if (status) - goto clean_n_exit; + goto clean_n_exit; /* db2 has a problem of needing to close and open the database again. This removes that need */ status = krb5_db2_db_fini(kcontext); if (status) - goto clean_n_exit; + goto clean_n_exit; status = krb5_db2_open(kcontext, conf_section, db_args, KRB5_KDB_OPEN_RW); - clean_n_exit: +clean_n_exit: if (db_name) - free(db_name); + free(db_name); return status; } @@ -1482,77 +1483,77 @@ krb5_db2_destroy(krb5_context kcontext, char *conf_section, char **db_args) char *db_name = NULL; while (t_ptr && *t_ptr) { - char *opt = NULL, *val = NULL; - - krb5_db2_get_db_opt(*t_ptr, &opt, &val); - if (opt && !strcmp(opt, "dbname")) { - db_name = strdup(val); - if (db_name == NULL) { - free(opt); - free(val); - return ENOMEM; - } - } - else if (!opt && !strcmp(val, "temporary")) { - tempdb = 1; - } - /* ignore hash argument. Might have been passed from create */ - else if (!opt || strcmp(opt, "hash")) { - free(opt); - free(val); - return EINVAL; - } - - free(opt); - free(val); - t_ptr++; + char *opt = NULL, *val = NULL; + + krb5_db2_get_db_opt(*t_ptr, &opt, &val); + if (opt && !strcmp(opt, "dbname")) { + db_name = strdup(val); + if (db_name == NULL) { + free(opt); + free(val); + return ENOMEM; + } + } + else if (!opt && !strcmp(val, "temporary")) { + tempdb = 1; + } + /* ignore hash argument. Might have been passed from create */ + else if (!opt || strcmp(opt, "hash")) { + free(opt); + free(val); + return EINVAL; + } + + free(opt); + free(val); + t_ptr++; } if (db_name) { - status = krb5_db2_db_set_name(kcontext, db_name, tempdb); - if (status) { - goto clean_n_exit; - } - db_name_set = 1; + status = krb5_db2_db_set_name(kcontext, db_name, tempdb); + if (status) { + goto clean_n_exit; + } + db_name_set = 1; } if (!db_name_set) { - char *value = NULL; - status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_MODULE_SECTION, conf_section, KDB_DB2_DATABASE_NAME, /* under given conf section */ - NULL, &value); - - if (value == NULL) { - /* special case for db2. We might actually be looking at old type config file where database is specified as part of realm */ - status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_REALM_SECTION, KRB5_DB_GET_REALM(kcontext), KDB_DB2_DATABASE_NAME, /* under given realm */ - default_db_name, &value); - if (status) { - goto clean_n_exit; - } - } - - db_name = strdup(value); - if (db_name == NULL) { - status = ENOMEM; - goto clean_n_exit; - } - status = krb5_db2_db_set_name(kcontext, value, tempdb); - profile_release_string(value); - if (status) { - goto clean_n_exit; - } + char *value = NULL; + status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_MODULE_SECTION, conf_section, KDB_DB2_DATABASE_NAME, /* under given conf section */ + NULL, &value); + + if (value == NULL) { + /* special case for db2. We might actually be looking at old type config file where database is specified as part of realm */ + status = profile_get_string(KRB5_DB_GET_PROFILE(kcontext), KDB_REALM_SECTION, KRB5_DB_GET_REALM(kcontext), KDB_DB2_DATABASE_NAME, /* under given realm */ + default_db_name, &value); + if (status) { + goto clean_n_exit; + } + } + + db_name = strdup(value); + if (db_name == NULL) { + status = ENOMEM; + goto clean_n_exit; + } + status = krb5_db2_db_set_name(kcontext, value, tempdb); + profile_release_string(value); + if (status) { + goto clean_n_exit; + } } status = krb5_db2_db_destroy(kcontext, db_name); - clean_n_exit: +clean_n_exit: if (db_name) - free(db_name); + free(db_name); return status; } krb5_error_code krb5_db2_set_master_key_ext(krb5_context kcontext, - char *pwd, krb5_keyblock * key) + char *pwd, krb5_keyblock * key) { return krb5_db2_db_set_mkey(kcontext, key); } @@ -1566,7 +1567,7 @@ krb5_db2_db_set_option(krb5_context kcontext, int option, void *value) kdb5_dal_handle *dal_handle; if (!k5db2_inited(kcontext)) - return KRB5_KDB_DBNOTINITED; + return KRB5_KDB_DBNOTINITED; dal_handle = kcontext->dal_handle; db_ctx = (krb5_db2_context *) dal_handle->db_context; @@ -1574,17 +1575,17 @@ krb5_db2_db_set_option(krb5_context kcontext, int option, void *value) switch (option) { case KRB5_KDB_OPT_SET_DB_NAME: - status = krb5_db2_db_set_name(kcontext, (char *) value, db_ctx->tempdb); - break; + status = krb5_db2_db_set_name(kcontext, (char *) value, db_ctx->tempdb); + break; case KRB5_KDB_OPT_SET_LOCK_MODE: - oldval = krb5_db2_db_set_lockmode(kcontext, *((krb5_boolean *) value)); - *((krb5_boolean *) value) = oldval; - break; + oldval = krb5_db2_db_set_lockmode(kcontext, *((krb5_boolean *) value)); + *((krb5_boolean *) value) = oldval; + break; default: - status = -1; /* TBD */ - break; + status = -1; /* TBD */ + break; } return status; @@ -1617,7 +1618,7 @@ krb5_db2_create_policy(krb5_context kcontext, osa_policy_ent_t policy) krb5_error_code krb5_db2_get_policy(krb5_context kcontext, - char *name, osa_policy_ent_t * policy, int *cnt) + char *name, osa_policy_ent_t * policy, int *cnt) { kdb5_dal_handle *dal_handle; krb5_db2_context *dbc; @@ -1642,8 +1643,8 @@ krb5_db2_put_policy(krb5_context kcontext, osa_policy_ent_t policy) krb5_error_code krb5_db2_iter_policy(krb5_context kcontext, - char *match_entry, - osa_adb_iter_policy_func func, void *data) + char *match_entry, + osa_adb_iter_policy_func func, void *data) { kdb5_dal_handle *dal_handle; krb5_db2_context *dbc; @@ -1687,38 +1688,38 @@ krb5_db2_promote_db(krb5_context kcontext, char *conf_section, char **db_args) krb5_clear_error_message (kcontext); { - kdb5_dal_handle *dal_handle = kcontext->dal_handle; - krb5_db2_context *db_ctx = dal_handle->db_context; - db_name = strdup(db_ctx->db_name); - if (db_name == NULL) { - status = ENOMEM; - goto clean_n_exit; - } + kdb5_dal_handle *dal_handle = kcontext->dal_handle; + krb5_db2_context *db_ctx = dal_handle->db_context; + db_name = strdup(db_ctx->db_name); + if (db_name == NULL) { + status = ENOMEM; + goto clean_n_exit; + } } assert(kcontext->dal_handle != NULL); temp_db_name = gen_dbsuffix(db_name, "~"); if (temp_db_name == NULL) { - status = ENOMEM; - goto clean_n_exit; + status = ENOMEM; + goto clean_n_exit; } for (db_argp = db_args; *db_argp; db_argp++) { - if (!strcmp(*db_argp, "merge_nra")) { - merge_nra++; - break; - } + if (!strcmp(*db_argp, "merge_nra")) { + merge_nra++; + break; + } } status = krb5_db2_db_rename (kcontext, temp_db_name, db_name, merge_nra); if (status) - goto clean_n_exit; + goto clean_n_exit; clean_n_exit: if (db_name) - free(db_name); + free(db_name); if (temp_db_name) - free(temp_db_name); + free(temp_db_name); return status; } @@ -1731,25 +1732,25 @@ clean_n_exit: */ static krb5_error_code krb5_db2_merge_principal(krb5_context kcontext, - krb5_db_entry *src, - krb5_db_entry *dst, - int *changed) + krb5_db_entry *src, + krb5_db_entry *dst, + int *changed) { *changed = 0; if (dst->last_success != src->last_success) { - dst->last_success = src->last_success; - (*changed)++; + dst->last_success = src->last_success; + (*changed)++; } if (dst->last_failed != src->last_failed) { - dst->last_failed = src->last_failed; - (*changed)++; + dst->last_failed = src->last_failed; + (*changed)++; } if (dst->fail_auth_count != src->fail_auth_count) { - dst->fail_auth_count = src->fail_auth_count; - (*changed)++; + dst->fail_auth_count = src->fail_auth_count; + (*changed)++; } return 0; @@ -1782,14 +1783,14 @@ krb5_db2_merge_nra_iterator(krb5_pointer ptr, krb5_db_entry *entry) /* look up the new principal in the old DB */ retval = krb5_db2_db_get_principal(nra->kcontext, - entry->princ, - &s_entry, - &n_entries, - &more); + entry->princ, + &s_entry, + &n_entries, + &more); if (retval != 0 || n_entries == 0) { - /* principal may be newly created, so ignore */ - dal_handle->db_context = dst_db; - return 0; + /* principal may be newly created, so ignore */ + dal_handle->db_context = dst_db; + return 0; } /* merge non-replicated attributes from the old entry in */ @@ -1799,12 +1800,12 @@ krb5_db2_merge_nra_iterator(krb5_pointer ptr, krb5_db_entry *entry) /* if necessary, commit the modified new entry to the new DB */ if (changed) { - retval = krb5_db2_db_put_principal(nra->kcontext, - entry, - &n_entries, - NULL); + retval = krb5_db2_db_put_principal(nra->kcontext, + entry, + &n_entries, + NULL); } else { - retval = 0; + retval = 0; } return retval; @@ -1819,8 +1820,8 @@ krb5_db2_merge_nra_iterator(krb5_pointer ptr, krb5_db_entry *entry) */ static krb5_error_code krb5_db2_begin_nra_merge(krb5_context kcontext, - krb5_db2_context *src_db, - krb5_db2_context *dst_db) + krb5_db2_context *src_db, + krb5_db2_context *dst_db) { krb5_error_code retval; kdb5_dal_handle *dal_handle = kcontext->dal_handle; @@ -1834,17 +1835,17 @@ krb5_db2_begin_nra_merge(krb5_context kcontext, retval = krb5_db2_db_lock(kcontext, KRB5_LOCKMODE_EXCLUSIVE); if (retval) { - dal_handle->db_context = dst_db; - return retval; + dal_handle->db_context = dst_db; + return retval; } retval = krb5_db2_db_iterate_ext(kcontext, - krb5_db2_merge_nra_iterator, - &nra, - 0, - 0); + krb5_db2_merge_nra_iterator, + &nra, + 0, + 0); if (retval != 0) - (void) krb5_db2_db_unlock(kcontext); + (void) krb5_db2_db_unlock(kcontext); dal_handle->db_context = dst_db; @@ -1857,8 +1858,8 @@ krb5_db2_begin_nra_merge(krb5_context kcontext, */ static krb5_error_code krb5_db2_end_nra_merge(krb5_context kcontext, - krb5_db2_context *src_db, - krb5_db2_context *dst_db) + krb5_db2_context *src_db, + krb5_db2_context *dst_db) { krb5_error_code retval; kdb5_dal_handle *dal_handle = kcontext->dal_handle; @@ -1896,7 +1897,7 @@ krb5_db2_db_rename(context, from, to, merge_nra) s_context = dal_handle->db_context; dal_handle->db_context = NULL; if ((retval = k5db2_init_context(context))) - return retval; + return retval; db_ctx = (krb5_db2_context *) dal_handle->db_context; /* @@ -1906,7 +1907,7 @@ krb5_db2_db_rename(context, from, to, merge_nra) */ retval = krb5_db2_db_create(context, to, 0); if (retval != 0 && retval != EEXIST) - goto errout; + goto errout; /* * Set the database to the target, so that other processes sharing @@ -1914,21 +1915,21 @@ krb5_db2_db_rename(context, from, to, merge_nra) */ retval = krb5_db2_db_set_name(context, to, 0); if (retval) - goto errout; + goto errout; retval = krb5_db2_db_init(context); if (retval) - goto errout; + goto errout; db_ctx->db_lf_name = gen_dbsuffix(db_ctx->db_name, KDB2_LOCK_EXT); if (db_ctx->db_lf_name == NULL) { - retval = ENOMEM; - goto errout; + retval = ENOMEM; + goto errout; } db_ctx->db_lf_file = open(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600); if (db_ctx->db_lf_file < 0) { - retval = errno; - goto errout; + retval = errno; + goto errout; } set_cloexec_fd(db_ctx->db_lf_file); @@ -1936,76 +1937,76 @@ krb5_db2_db_rename(context, from, to, merge_nra) retval = krb5_db2_db_get_age(context, NULL, &db_ctx->db_lf_time); if (retval) - goto errout; + goto errout; fromok = gen_dbsuffix(from, KDB2_LOCK_EXT); if (fromok == NULL) { - retval = ENOMEM; - goto errout; + retval = ENOMEM; + goto errout; } if ((retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_EXCLUSIVE))) - goto errfromok; + goto errfromok; if ((retval = krb5_db2_db_start_update(context))) - goto errfromok; + goto errfromok; if (merge_nra) { - if ((retval = krb5_db2_begin_nra_merge(context, s_context, db_ctx))) - goto errfromok; + if ((retval = krb5_db2_begin_nra_merge(context, s_context, db_ctx))) + goto errfromok; } if (rename(from, to)) { - retval = errno; - goto errfromok; + retval = errno; + goto errfromok; } if (unlink(fromok)) { - retval = errno; - goto errfromok; + retval = errno; + goto errfromok; } if (merge_nra) { - krb5_db2_end_nra_merge(context, s_context, db_ctx); + krb5_db2_end_nra_merge(context, s_context, db_ctx); } retval = krb5_db2_db_end_update(context); if (retval) - goto errfromok; + goto errfromok; { - /* XXX moved so that NRA merge works */ - /* Ugly brute force hack. - - Should be going through nice friendly helper routines for - this, but it's a mess of jumbled so-called interfaces right - now. */ - char policy[2048], new_policy[2048]; - assert (strlen(db_ctx->db_name) < 2000); - snprintf(policy, sizeof(policy), "%s.kadm5", db_ctx->db_name); - snprintf(new_policy, sizeof(new_policy), - "%s~.kadm5", db_ctx->db_name); - if (0 != rename(new_policy, policy)) { - retval = errno; - goto errfromok; - } - strlcat(new_policy, ".lock",sizeof(new_policy)); - (void) unlink(new_policy); + /* XXX moved so that NRA merge works */ + /* Ugly brute force hack. + + Should be going through nice friendly helper routines for + this, but it's a mess of jumbled so-called interfaces right + now. */ + char policy[2048], new_policy[2048]; + assert (strlen(db_ctx->db_name) < 2000); + snprintf(policy, sizeof(policy), "%s.kadm5", db_ctx->db_name); + snprintf(new_policy, sizeof(new_policy), + "%s~.kadm5", db_ctx->db_name); + if (0 != rename(new_policy, policy)) { + retval = errno; + goto errfromok; + } + strlcat(new_policy, ".lock",sizeof(new_policy)); + (void) unlink(new_policy); } errfromok: free_dbsuffix(fromok); errout: if (dal_handle->db_context) { - if (db_ctx->db_lf_file >= 0) { - krb5_db2_db_unlock(context); - close(db_ctx->db_lf_file); - } - k5db2_clear_context((krb5_db2_context *) dal_handle->db_context); - free(dal_handle->db_context); + if (db_ctx->db_lf_file >= 0) { + krb5_db2_db_unlock(context); + close(db_ctx->db_lf_file); + } + k5db2_clear_context((krb5_db2_context *) dal_handle->db_context); + free(dal_handle->db_context); } dal_handle->db_context = s_context; - (void) krb5_db2_db_unlock(context); /* unlock saved context db */ + (void) krb5_db2_db_unlock(context); /* unlock saved context db */ return retval; } diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h index 9f3cbc5c9..7e6fea13d 100644 --- a/src/plugins/kdb/db2/kdb_db2.h +++ b/src/plugins/kdb/db2/kdb_db2.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_db2.h * @@ -34,8 +35,8 @@ typedef struct _krb5_db2_context { krb5_boolean db_inited; /* Context initialized */ char * db_name; /* Name of database */ - DB * db; /* DB handle */ - krb5_boolean hashfirst; /* Try hash database type first */ + DB * db; /* DB handle */ + krb5_boolean hashfirst; /* Try hash database type first */ char * db_lf_name; /* Name of lock file */ int db_lf_file; /* File descriptor of lock file */ time_t db_lf_time; /* Time last updated */ @@ -53,169 +54,102 @@ typedef struct _krb5_db2_context { #define KDB2_LOCK_EXT ".ok" #define KDB2_TEMP_LOCK_EXT "~.ok" -krb5_error_code krb5_db2_db_init - (krb5_context); -krb5_error_code krb5_db2_db_fini - (krb5_context); -krb5_error_code krb5_db2_db_get_age - (krb5_context, - char *, - time_t * ); -krb5_error_code krb5_db2_db_create - (krb5_context, - char *, - krb5_int32); -krb5_error_code krb5_db2_db_destroy - (krb5_context, - char * ); -krb5_error_code krb5_db2_db_rename - (krb5_context, - char *, - char *, - int ); -krb5_error_code krb5_db2_db_get_principal - (krb5_context, - krb5_const_principal, - krb5_db_entry *, - int *, - krb5_boolean * ); -krb5_error_code krb5_db2_db_free_principal - (krb5_context, - krb5_db_entry *, - int ); -krb5_error_code krb5_db2_db_put_principal - (krb5_context, - krb5_db_entry *, - int *, - char **db_args - ); -krb5_error_code krb5_db2_db_iterate_ext - (krb5_context, - krb5_error_code (*) (krb5_pointer, - krb5_db_entry *), - krb5_pointer, int, int ); -krb5_error_code krb5_db2_db_iterate -(krb5_context,char *, - krb5_error_code (*) (krb5_pointer, - krb5_db_entry *), - krb5_pointer ); -krb5_error_code krb5_db2_db_set_nonblocking - (krb5_context, - krb5_boolean, - krb5_boolean * ); -krb5_boolean krb5_db2_db_set_lockmode - (krb5_context, - krb5_boolean ); -krb5_error_code krb5_db2_db_open_database - (krb5_context); -krb5_error_code krb5_db2_db_close_database - (krb5_context); +krb5_error_code krb5_db2_db_init(krb5_context); +krb5_error_code krb5_db2_db_fini(krb5_context); +krb5_error_code krb5_db2_db_get_age(krb5_context, char *, time_t *); +krb5_error_code krb5_db2_db_create(krb5_context, char *, krb5_int32); +krb5_error_code krb5_db2_db_destroy(krb5_context, char *); +krb5_error_code krb5_db2_db_rename(krb5_context, char *, char *, int ); +krb5_error_code krb5_db2_db_get_principal(krb5_context, krb5_const_principal, + krb5_db_entry *, int *, + krb5_boolean *); +krb5_error_code krb5_db2_db_free_principal(krb5_context, krb5_db_entry *, int); +krb5_error_code krb5_db2_db_put_principal(krb5_context, krb5_db_entry *, + int *, char **db_args); +krb5_error_code krb5_db2_db_iterate_ext(krb5_context, + krb5_error_code (*)(krb5_pointer, + krb5_db_entry *), + krb5_pointer, int, int); +krb5_error_code krb5_db2_db_iterate(krb5_context, char *, + krb5_error_code (*)(krb5_pointer, + krb5_db_entry *), + krb5_pointer); +krb5_error_code krb5_db2_db_set_nonblocking(krb5_context, krb5_boolean, + krb5_boolean *); +krb5_boolean krb5_db2_db_set_lockmode(krb5_context, krb5_boolean); +krb5_error_code krb5_db2_db_open_database(krb5_context); +krb5_error_code krb5_db2_db_close_database(krb5_context); krb5_error_code -krb5_db2_set_master_key_ext ( krb5_context kcontext, - char *pwd, - krb5_keyblock *key); +krb5_db2_set_master_key_ext(krb5_context kcontext, char *pwd, + krb5_keyblock *key); krb5_error_code -krb5_db2_db_set_mkey( krb5_context context, - krb5_keyblock *key); +krb5_db2_db_set_mkey(krb5_context context, krb5_keyblock *key); krb5_error_code -krb5_db2_db_get_mkey( krb5_context context, - krb5_keyblock **key); +krb5_db2_db_get_mkey(krb5_context context, krb5_keyblock **key); + krb5_error_code -krb5_db2_db_set_mkey_list( krb5_context context, - krb5_keylist_node *keylist); +krb5_db2_db_set_mkey_list(krb5_context context, krb5_keylist_node *keylist); krb5_error_code -krb5_db2_db_get_mkey_list( krb5_context context, - krb5_keylist_node **keylist); +krb5_db2_db_get_mkey_list(krb5_context context, krb5_keylist_node **keylist); krb5_error_code -krb5_db2_db_put_principal( krb5_context context, - krb5_db_entry *entries, - register int *nentries, - char **db_args); +krb5_db2_db_put_principal(krb5_context context, krb5_db_entry *entries, + register int *nentries, char **db_args); krb5_error_code krb5_db2_db_delete_principal(krb5_context context, - krb5_const_principal searchfor, - int *nentries); + krb5_const_principal searchfor, int *nentries); krb5_error_code krb5_db2_lib_init(void); - krb5_error_code krb5_db2_lib_cleanup(void); +krb5_error_code krb5_db2_db_unlock(krb5_context); krb5_error_code -krb5_db2_db_unlock(krb5_context); +krb5_db2_promote_db(krb5_context kcontext, char *conf_section, char **db_args); krb5_error_code -krb5_db2_promote_db(krb5_context kcontext, - char *conf_section, - char **db_args); +krb5_db2_db_set_option(krb5_context kcontext, int option, void *value ); krb5_error_code -krb5_db2_db_set_option ( krb5_context kcontext, - int option, - void *value ); - -krb5_error_code -krb5_db2_db_lock( krb5_context context, - int in_mode); - +krb5_db2_db_lock(krb5_context context, int in_mode); krb5_error_code -krb5_db2_open( krb5_context kcontext, - char *conf_section, - char **db_args, - int mode ); - -krb5_error_code krb5_db2_create( krb5_context kcontext, - char *conf_section, - char **db_args ); - -krb5_error_code krb5_db2_destroy( krb5_context kcontext, - char *conf_section, - char **db_args ); - -const char * krb5_db2_err2str( krb5_context kcontext, - long err_code ); - -void * -krb5_db2_alloc( krb5_context kcontext, - void *ptr, - size_t size ); - -void -krb5_db2_free( krb5_context kcontext, - void *ptr ); +krb5_db2_open(krb5_context kcontext, char *conf_section, char **db_args, + int mode); +krb5_error_code krb5_db2_create(krb5_context kcontext, char *conf_section, + char **db_args); +krb5_error_code krb5_db2_destroy(krb5_context kcontext, char *conf_section, + char **db_args); +const char *krb5_db2_err2str(krb5_context kcontext, long err_code); +void *krb5_db2_alloc(krb5_context kcontext, void *ptr, size_t size); +void krb5_db2_free(krb5_context kcontext, void *ptr); /* policy management functions */ krb5_error_code krb5_db2_create_policy(krb5_context context, osa_policy_ent_t entry); -krb5_error_code krb5_db2_get_policy ( krb5_context kcontext, - char *name, - osa_policy_ent_t *policy, - int *cnt); +krb5_error_code krb5_db2_get_policy(krb5_context kcontext, + char *name, osa_policy_ent_t *policy, + int *cnt); -krb5_error_code krb5_db2_put_policy ( krb5_context kcontext, - osa_policy_ent_t policy ); +krb5_error_code krb5_db2_put_policy(krb5_context kcontext, + osa_policy_ent_t policy); -krb5_error_code krb5_db2_iter_policy ( krb5_context kcontext, - char *match_entry, - osa_adb_iter_policy_func func, - void *data ); +krb5_error_code krb5_db2_iter_policy(krb5_context kcontext, char *match_entry, + osa_adb_iter_policy_func func, + void *data); -krb5_error_code krb5_db2_delete_policy ( krb5_context kcontext, - char *policy ); +krb5_error_code krb5_db2_delete_policy(krb5_context kcontext, char *policy); -void krb5_db2_free_policy( krb5_context kcontext, - osa_policy_ent_t entry ); +void krb5_db2_free_policy(krb5_context kcontext, osa_policy_ent_t entry); /* Thread-safety wrapper slapped on top of original implementation. */ extern k5_mutex_t *krb5_db2_mutex; diff --git a/src/plugins/kdb/db2/kdb_ext.c b/src/plugins/kdb/db2/kdb_ext.c index 69c5522ac..d000e4230 100644 --- a/src/plugins/kdb/db2/kdb_ext.c +++ b/src/plugins/kdb/db2/kdb_ext.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/kdb/db2/kdb_ext.c * diff --git a/src/plugins/kdb/db2/kdb_xdr.c b/src/plugins/kdb/db2/kdb_xdr.c index 38dc658fd..81a3cc426 100644 --- a/src/plugins/kdb/db2/kdb_xdr.c +++ b/src/plugins/kdb/db2/kdb_xdr.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_xdr.c * @@ -32,10 +33,8 @@ #include "kdb_xdr.h" krb5_error_code -krb5_encode_princ_dbkey(context, key, principal) - krb5_context context; - krb5_data *key; - krb5_const_principal principal; +krb5_encode_princ_dbkey(krb5_context context, krb5_data *key, + krb5_const_principal principal) { char *princ_name; krb5_error_code retval; @@ -49,26 +48,22 @@ krb5_encode_princ_dbkey(context, key, principal) } void -krb5_free_princ_dbkey(context, key) - krb5_context context; - krb5_data *key; +krb5_free_princ_dbkey(krb5_context context, krb5_data *key) { (void) krb5_free_data_contents(context, key); } krb5_error_code -krb5_encode_princ_contents(context, content, entry) - krb5_context context; - krb5_data * content; - krb5_db_entry * entry; +krb5_encode_princ_contents(krb5_context context, krb5_data *content, + krb5_db_entry *entry) { - int i, j; - unsigned int unparse_princ_size; - char * unparse_princ; - unsigned char * nextloc; - krb5_tl_data * tl_data; - krb5_error_code retval; - krb5_int16 psize16; + int i, j; + unsigned int unparse_princ_size; + char * unparse_princ; + unsigned char * nextloc; + krb5_tl_data * tl_data; + krb5_error_code retval; + krb5_int16 psize16; /* * Generate one lump of data from the krb5_db_entry. @@ -81,7 +76,7 @@ krb5_encode_princ_contents(context, content, entry) * Need 2 bytes for the length of the base structure * then 36 [ 8 * 4 + 2 * 2] bytes for the base information * [ attributes, max_life, max_renewable_life, expiration, - * pw_expiration, last_success, last_failed, fail_auth_count ] + * pw_expiration, last_success, last_failed, fail_auth_count ] * [ n_key_data, n_tl_data ] * then XX bytes [ e_length ] for the extra data [ e_data ] * then XX bytes [ 2 for length + length for string ] for the principal, @@ -91,7 +86,7 @@ krb5_encode_princ_contents(context, content, entry) content->length = entry->len + entry->e_length; if ((retval = krb5_unparse_name(context, entry->princ, &unparse_princ))) - return(retval); + return(retval); unparse_princ_size = strlen(unparse_princ) + 1; content->length += unparse_princ_size; @@ -100,28 +95,28 @@ krb5_encode_princ_contents(context, content, entry) i = 0; /* tl_data is a linked list */ for (tl_data = entry->tl_data; tl_data; tl_data = tl_data->tl_data_next) { - content->length += tl_data->tl_data_length; - content->length += 4; /* type, length */ - i++; + content->length += tl_data->tl_data_length; + content->length += 4; /* type, length */ + i++; } if (i != entry->n_tl_data) { - retval = KRB5_KDB_TRUNCATED_RECORD; - goto epc_error; + retval = KRB5_KDB_TRUNCATED_RECORD; + goto epc_error; } /* key_data is an array */ for (i = 0; i < entry->n_key_data; i++) { - content->length += 4; /* Version, KVNO */ - for (j = 0; j < entry->key_data[i].key_data_ver; j++) { - content->length += entry->key_data[i].key_data_length[j]; - content->length += 4; /* type + length */ - } + content->length += 4; /* Version, KVNO */ + for (j = 0; j < entry->key_data[i].key_data_ver; j++) { + content->length += entry->key_data[i].key_data_length[j]; + content->length += 4; /* type + length */ + } } if ((content->data = malloc(content->length)) == NULL) { - retval = ENOMEM; - goto epc_error; + retval = ENOMEM; + goto epc_error; } /* @@ -130,103 +125,103 @@ krb5_encode_princ_contents(context, content, entry) */ nextloc = (unsigned char *)content->data; - /* Base Length */ + /* Base Length */ krb5_kdb_encode_int16(entry->len, nextloc); nextloc += 2; - /* Attributes */ + /* Attributes */ krb5_kdb_encode_int32(entry->attributes, nextloc); nextloc += 4; - /* Max Life */ + /* Max Life */ krb5_kdb_encode_int32(entry->max_life, nextloc); nextloc += 4; - /* Max Renewable Life */ + /* Max Renewable Life */ krb5_kdb_encode_int32(entry->max_renewable_life, nextloc); nextloc += 4; - /* When the client expires */ + /* When the client expires */ krb5_kdb_encode_int32(entry->expiration, nextloc); nextloc += 4; - /* When its passwd expires */ + /* When its passwd expires */ krb5_kdb_encode_int32(entry->pw_expiration, nextloc); nextloc += 4; - /* Last successful passwd */ + /* Last successful passwd */ krb5_kdb_encode_int32(entry->last_success, nextloc); nextloc += 4; - /* Last failed passwd attempt */ + /* Last failed passwd attempt */ krb5_kdb_encode_int32(entry->last_failed, nextloc); nextloc += 4; - /* # of failed passwd attempt */ + /* # of failed passwd attempt */ krb5_kdb_encode_int32(entry->fail_auth_count, nextloc); nextloc += 4; - /* # tl_data strutures */ + /* # tl_data strutures */ krb5_kdb_encode_int16(entry->n_tl_data, nextloc); nextloc += 2; - /* # key_data strutures */ + /* # key_data strutures */ krb5_kdb_encode_int16(entry->n_key_data, nextloc); nextloc += 2; - /* Put extended fields here */ + /* Put extended fields here */ if (entry->len != KRB5_KDB_V1_BASE_LENGTH) - abort(); + abort(); - /* Any extra data that this version doesn't understand. */ + /* Any extra data that this version doesn't understand. */ if (entry->e_length) { - memcpy(nextloc, entry->e_data, entry->e_length); - nextloc += entry->e_length; + memcpy(nextloc, entry->e_data, entry->e_length); + nextloc += entry->e_length; } - /* - * Now we get to the principal. - * To squeze a few extra bytes out it is always assumed to come - * after the base type. - */ + /* + * Now we get to the principal. + * To squeze a few extra bytes out it is always assumed to come + * after the base type. + */ psize16 = (krb5_int16) unparse_princ_size; krb5_kdb_encode_int16(psize16, nextloc); nextloc += 2; (void) memcpy(nextloc, unparse_princ, unparse_princ_size); nextloc += unparse_princ_size; - /* tl_data is a linked list, of type, legth, contents */ + /* tl_data is a linked list, of type, legth, contents */ for (tl_data = entry->tl_data; tl_data; tl_data = tl_data->tl_data_next) { - krb5_kdb_encode_int16(tl_data->tl_data_type, nextloc); - nextloc += 2; - krb5_kdb_encode_int16(tl_data->tl_data_length, nextloc); - nextloc += 2; + krb5_kdb_encode_int16(tl_data->tl_data_type, nextloc); + nextloc += 2; + krb5_kdb_encode_int16(tl_data->tl_data_length, nextloc); + nextloc += 2; - memcpy(nextloc, tl_data->tl_data_contents, tl_data->tl_data_length); - nextloc += tl_data->tl_data_length; + memcpy(nextloc, tl_data->tl_data_contents, tl_data->tl_data_length); + nextloc += tl_data->tl_data_length; } - /* key_data is an array */ + /* key_data is an array */ for (i = 0; i < entry->n_key_data; i++) { - krb5_kdb_encode_int16(entry->key_data[i].key_data_ver, nextloc); - nextloc += 2; - krb5_kdb_encode_int16(entry->key_data[i].key_data_kvno, nextloc); - nextloc += 2; - - for (j = 0; j < entry->key_data[i].key_data_ver; j++) { - krb5_int16 type = entry->key_data[i].key_data_type[j]; - krb5_ui_2 length = entry->key_data[i].key_data_length[j]; - - krb5_kdb_encode_int16(type, nextloc); - nextloc += 2; - krb5_kdb_encode_int16(length, nextloc); - nextloc += 2; - - if (length) { - memcpy(nextloc, entry->key_data[i].key_data_contents[j],length); - nextloc += length; - } - } + krb5_kdb_encode_int16(entry->key_data[i].key_data_ver, nextloc); + nextloc += 2; + krb5_kdb_encode_int16(entry->key_data[i].key_data_kvno, nextloc); + nextloc += 2; + + for (j = 0; j < entry->key_data[i].key_data_ver; j++) { + krb5_int16 type = entry->key_data[i].key_data_type[j]; + krb5_ui_2 length = entry->key_data[i].key_data_length[j]; + + krb5_kdb_encode_int16(type, nextloc); + nextloc += 2; + krb5_kdb_encode_int16(length, nextloc); + nextloc += 2; + + if (length) { + memcpy(nextloc, entry->key_data[i].key_data_contents[j],length); + nextloc += length; + } + } } epc_error:; @@ -235,24 +230,20 @@ epc_error:; } void -krb5_free_princ_contents(context, contents) - krb5_context context; - krb5_data *contents; +krb5_free_princ_contents(krb5_context context, krb5_data *contents) { krb5_free_data_contents(context, contents); return; } krb5_error_code -krb5_decode_princ_contents(context, content, entry) - krb5_context context; - krb5_data * content; - krb5_db_entry * entry; +krb5_decode_princ_contents(krb5_context context, krb5_data *content, + krb5_db_entry *entry) { - int sizeleft, i; - unsigned char * nextloc; + int sizeleft, i; + unsigned char * nextloc; krb5_tl_data ** tl_data; - krb5_int16 i16; + krb5_int16 i16; krb5_error_code retval; @@ -272,67 +263,67 @@ krb5_decode_princ_contents(context, content, entry) nextloc = (unsigned char *)content->data; sizeleft = content->length; if ((sizeleft -= KRB5_KDB_V1_BASE_LENGTH) < 0) - return KRB5_KDB_TRUNCATED_RECORD; + return KRB5_KDB_TRUNCATED_RECORD; - /* Base Length */ + /* Base Length */ krb5_kdb_decode_int16(nextloc, entry->len); nextloc += 2; - /* Attributes */ + /* Attributes */ krb5_kdb_decode_int32(nextloc, entry->attributes); nextloc += 4; - /* Max Life */ + /* Max Life */ krb5_kdb_decode_int32(nextloc, entry->max_life); nextloc += 4; - /* Max Renewable Life */ + /* Max Renewable Life */ krb5_kdb_decode_int32(nextloc, entry->max_renewable_life); nextloc += 4; - /* When the client expires */ + /* When the client expires */ krb5_kdb_decode_int32(nextloc, entry->expiration); nextloc += 4; - /* When its passwd expires */ + /* When its passwd expires */ krb5_kdb_decode_int32(nextloc, entry->pw_expiration); nextloc += 4; - /* Last successful passwd */ + /* Last successful passwd */ krb5_kdb_decode_int32(nextloc, entry->last_success); nextloc += 4; - /* Last failed passwd attempt */ + /* Last failed passwd attempt */ krb5_kdb_decode_int32(nextloc, entry->last_failed); nextloc += 4; - /* # of failed passwd attempt */ + /* # of failed passwd attempt */ krb5_kdb_decode_int32(nextloc, entry->fail_auth_count); nextloc += 4; - /* # tl_data strutures */ + /* # tl_data strutures */ krb5_kdb_decode_int16(nextloc, entry->n_tl_data); nextloc += 2; if (entry->n_tl_data < 0) - return KRB5_KDB_TRUNCATED_RECORD; + return KRB5_KDB_TRUNCATED_RECORD; - /* # key_data strutures */ + /* # key_data strutures */ krb5_kdb_decode_int16(nextloc, entry->n_key_data); nextloc += 2; if (entry->n_key_data < 0) - return KRB5_KDB_TRUNCATED_RECORD; + return KRB5_KDB_TRUNCATED_RECORD; - /* Check for extra data */ + /* Check for extra data */ if (entry->len > KRB5_KDB_V1_BASE_LENGTH) { - entry->e_length = entry->len - KRB5_KDB_V1_BASE_LENGTH; - if ((entry->e_data = (krb5_octet *)malloc(entry->e_length))) { - memcpy(entry->e_data, nextloc, entry->e_length); - nextloc += entry->e_length; - } else { - return ENOMEM; - } + entry->e_length = entry->len - KRB5_KDB_V1_BASE_LENGTH; + if ((entry->e_data = (krb5_octet *)malloc(entry->e_length))) { + memcpy(entry->e_data, nextloc, entry->e_length); + nextloc += entry->e_length; + } else { + return ENOMEM; + } } /* @@ -340,8 +331,8 @@ krb5_decode_princ_contents(context, content, entry) * (stored as a string which gets unparsed.) */ if ((sizeleft -= 2) < 0) { - retval = KRB5_KDB_TRUNCATED_RECORD; - goto error_out; + retval = KRB5_KDB_TRUNCATED_RECORD; + goto error_out; } i = 0; @@ -350,99 +341,99 @@ krb5_decode_princ_contents(context, content, entry) nextloc += 2; if ((retval = krb5_parse_name(context, (char *)nextloc, &(entry->princ)))) - goto error_out; + goto error_out; if (((size_t) i != (strlen((char *)nextloc) + 1)) || (sizeleft < i)) { - retval = KRB5_KDB_TRUNCATED_RECORD; - goto error_out; + retval = KRB5_KDB_TRUNCATED_RECORD; + goto error_out; } sizeleft -= i; nextloc += i; - /* tl_data is a linked list */ + /* tl_data is a linked list */ tl_data = &entry->tl_data; for (i = 0; i < entry->n_tl_data; i++) { - if ((sizeleft -= 4) < 0) { - retval = KRB5_KDB_TRUNCATED_RECORD; - goto error_out; - } - if ((*tl_data = (krb5_tl_data *) - malloc(sizeof(krb5_tl_data))) == NULL) { - retval = ENOMEM; - goto error_out; - } - (*tl_data)->tl_data_next = NULL; - (*tl_data)->tl_data_contents = NULL; - krb5_kdb_decode_int16(nextloc, (*tl_data)->tl_data_type); - nextloc += 2; - krb5_kdb_decode_int16(nextloc, (*tl_data)->tl_data_length); - nextloc += 2; - - if ((sizeleft -= (*tl_data)->tl_data_length) < 0) { - retval = KRB5_KDB_TRUNCATED_RECORD; - goto error_out; - } - if (((*tl_data)->tl_data_contents = (krb5_octet *) - malloc((*tl_data)->tl_data_length)) == NULL) { - retval = ENOMEM; - goto error_out; - } - memcpy((*tl_data)->tl_data_contents,nextloc,(*tl_data)->tl_data_length); - nextloc += (*tl_data)->tl_data_length; - tl_data = &((*tl_data)->tl_data_next); + if ((sizeleft -= 4) < 0) { + retval = KRB5_KDB_TRUNCATED_RECORD; + goto error_out; + } + if ((*tl_data = (krb5_tl_data *) + malloc(sizeof(krb5_tl_data))) == NULL) { + retval = ENOMEM; + goto error_out; + } + (*tl_data)->tl_data_next = NULL; + (*tl_data)->tl_data_contents = NULL; + krb5_kdb_decode_int16(nextloc, (*tl_data)->tl_data_type); + nextloc += 2; + krb5_kdb_decode_int16(nextloc, (*tl_data)->tl_data_length); + nextloc += 2; + + if ((sizeleft -= (*tl_data)->tl_data_length) < 0) { + retval = KRB5_KDB_TRUNCATED_RECORD; + goto error_out; + } + if (((*tl_data)->tl_data_contents = (krb5_octet *) + malloc((*tl_data)->tl_data_length)) == NULL) { + retval = ENOMEM; + goto error_out; + } + memcpy((*tl_data)->tl_data_contents,nextloc,(*tl_data)->tl_data_length); + nextloc += (*tl_data)->tl_data_length; + tl_data = &((*tl_data)->tl_data_next); } - /* key_data is an array */ + /* key_data is an array */ if (entry->n_key_data && ((entry->key_data = (krb5_key_data *) - malloc(sizeof(krb5_key_data) * entry->n_key_data)) == NULL)) { + malloc(sizeof(krb5_key_data) * entry->n_key_data)) == NULL)) { retval = ENOMEM; - goto error_out; + goto error_out; } for (i = 0; i < entry->n_key_data; i++) { - krb5_key_data * key_data; + krb5_key_data * key_data; int j; - if ((sizeleft -= 4) < 0) { - retval = KRB5_KDB_TRUNCATED_RECORD; - goto error_out; - } - key_data = entry->key_data + i; - memset(key_data, 0, sizeof(krb5_key_data)); - krb5_kdb_decode_int16(nextloc, key_data->key_data_ver); - nextloc += 2; - krb5_kdb_decode_int16(nextloc, key_data->key_data_kvno); - nextloc += 2; - - /* key_data_ver determins number of elements and how to unparse them. */ - if (key_data->key_data_ver <= KRB5_KDB_V1_KEY_DATA_ARRAY) { - for (j = 0; j < key_data->key_data_ver; j++) { - if ((sizeleft -= 4) < 0) { - retval = KRB5_KDB_TRUNCATED_RECORD; - goto error_out; - } - krb5_kdb_decode_int16(nextloc, key_data->key_data_type[j]); - nextloc += 2; - krb5_kdb_decode_int16(nextloc, key_data->key_data_length[j]); - nextloc += 2; - - if ((sizeleft -= key_data->key_data_length[j]) < 0) { - retval = KRB5_KDB_TRUNCATED_RECORD; - goto error_out; - } - if (key_data->key_data_length[j]) { - if ((key_data->key_data_contents[j] = (krb5_octet *) - malloc(key_data->key_data_length[j])) == NULL) { - retval = ENOMEM; - goto error_out; - } - memcpy(key_data->key_data_contents[j], nextloc, - key_data->key_data_length[j]); - nextloc += key_data->key_data_length[j]; - } - } - } else { - /* This isn't right. I'll fix it later */ - abort(); - } + if ((sizeleft -= 4) < 0) { + retval = KRB5_KDB_TRUNCATED_RECORD; + goto error_out; + } + key_data = entry->key_data + i; + memset(key_data, 0, sizeof(krb5_key_data)); + krb5_kdb_decode_int16(nextloc, key_data->key_data_ver); + nextloc += 2; + krb5_kdb_decode_int16(nextloc, key_data->key_data_kvno); + nextloc += 2; + + /* key_data_ver determins number of elements and how to unparse them. */ + if (key_data->key_data_ver <= KRB5_KDB_V1_KEY_DATA_ARRAY) { + for (j = 0; j < key_data->key_data_ver; j++) { + if ((sizeleft -= 4) < 0) { + retval = KRB5_KDB_TRUNCATED_RECORD; + goto error_out; + } + krb5_kdb_decode_int16(nextloc, key_data->key_data_type[j]); + nextloc += 2; + krb5_kdb_decode_int16(nextloc, key_data->key_data_length[j]); + nextloc += 2; + + if ((sizeleft -= key_data->key_data_length[j]) < 0) { + retval = KRB5_KDB_TRUNCATED_RECORD; + goto error_out; + } + if (key_data->key_data_length[j]) { + if ((key_data->key_data_contents[j] = (krb5_octet *) + malloc(key_data->key_data_length[j])) == NULL) { + retval = ENOMEM; + goto error_out; + } + memcpy(key_data->key_data_contents[j], nextloc, + key_data->key_data_length[j]); + nextloc += key_data->key_data_length[j]; + } + } + } else { + /* This isn't right. I'll fix it later */ + abort(); + } } return 0; @@ -452,41 +443,39 @@ error_out:; } void -krb5_dbe_free_contents(context, entry) - krb5_context context; - krb5_db_entry * entry; +krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry) { - krb5_tl_data * tl_data_next; - krb5_tl_data * tl_data; + krb5_tl_data * tl_data_next; + krb5_tl_data * tl_data; int i, j; if (entry->e_data) - free(entry->e_data); + free(entry->e_data); if (entry->princ) - krb5_free_principal(context, entry->princ); + krb5_free_principal(context, entry->princ); for (tl_data = entry->tl_data; tl_data; tl_data = tl_data_next) { - tl_data_next = tl_data->tl_data_next; - if (tl_data->tl_data_contents) - free(tl_data->tl_data_contents); - free(tl_data); + tl_data_next = tl_data->tl_data_next; + if (tl_data->tl_data_contents) + free(tl_data->tl_data_contents); + free(tl_data); } if (entry->key_data) { - for (i = 0; i < entry->n_key_data; i++) { - for (j = 0; j < entry->key_data[i].key_data_ver; j++) { - if (entry->key_data[i].key_data_length[j]) { - if (entry->key_data[i].key_data_contents[j]) { - memset(entry->key_data[i].key_data_contents[j], - 0, - (unsigned) entry->key_data[i].key_data_length[j]); - free (entry->key_data[i].key_data_contents[j]); - } - } - entry->key_data[i].key_data_contents[j] = NULL; - entry->key_data[i].key_data_length[j] = 0; - entry->key_data[i].key_data_type[j] = 0; - } - } - free(entry->key_data); + for (i = 0; i < entry->n_key_data; i++) { + for (j = 0; j < entry->key_data[i].key_data_ver; j++) { + if (entry->key_data[i].key_data_length[j]) { + if (entry->key_data[i].key_data_contents[j]) { + memset(entry->key_data[i].key_data_contents[j], + 0, + (unsigned) entry->key_data[i].key_data_length[j]); + free (entry->key_data[i].key_data_contents[j]); + } + } + entry->key_data[i].key_data_contents[j] = NULL; + entry->key_data[i].key_data_length[j] = 0; + entry->key_data[i].key_data_type[j] = 0; + } + } + free(entry->key_data); } memset(entry, 0, sizeof(*entry)); return; diff --git a/src/plugins/kdb/db2/kdb_xdr.h b/src/plugins/kdb/db2/kdb_xdr.h index bd01ead27..e4a202b37 100644 --- a/src/plugins/kdb/db2/kdb_xdr.h +++ b/src/plugins/kdb/db2/kdb_xdr.h @@ -1,34 +1,28 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #ifndef _KDB2_XDR_H #define _KDB2_XDR_H #include "kdb.h" krb5_error_code -krb5_encode_princ_dbkey( krb5_context context, - krb5_data *key, - krb5_const_principal principal); +krb5_encode_princ_dbkey(krb5_context context, krb5_data *key, + krb5_const_principal principal); krb5_error_code -krb5_decode_princ_contents( krb5_context context, - krb5_data * content, - krb5_db_entry * entry); +krb5_decode_princ_contents(krb5_context context, krb5_data *content, + krb5_db_entry *entry); void -krb5_dbe_free_contents( krb5_context context, - krb5_db_entry * entry); +krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry); krb5_error_code -krb5_encode_princ_contents( krb5_context context, - krb5_data * content, - krb5_db_entry * entry); - +krb5_encode_princ_contents(krb5_context context, krb5_data *content, + krb5_db_entry *entry); void -krb5_free_princ_dbkey( krb5_context context, - krb5_data *key); +krb5_free_princ_dbkey(krb5_context context, krb5_data *key); void -krb5_free_princ_contents( krb5_context context, - krb5_data *contents); +krb5_free_princ_contents(krb5_context context, krb5_data *contents); #endif diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c index e6c4b65e0..498c0dea6 100644 --- a/src/plugins/kdb/db2/lockout.c +++ b/src/plugins/kdb/db2/lockout.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/kdb/db2/lockout.c * diff --git a/src/plugins/kdb/db2/policy_db.h b/src/plugins/kdb/db2/policy_db.h index 54af70cd6..f2842e956 100644 --- a/src/plugins/kdb/db2/policy_db.h +++ b/src/plugins/kdb/db2/policy_db.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Data Types for policy and principal information that * exists in the respective databases. @@ -33,70 +34,70 @@ #include "adb_err.h" #include -typedef long osa_adb_ret_t; +typedef long osa_adb_ret_t; -#define OSA_ADB_POLICY_DB_MAGIC 0x12345A00 +#define OSA_ADB_POLICY_DB_MAGIC 0x12345A00 -#define OSA_ADB_POLICY_VERSION_MASK 0x12345D00 -#define OSA_ADB_POLICY_VERSION_1 0x12345D01 -#define OSA_ADB_POLICY_VERSION_2 0x12345D02 +#define OSA_ADB_POLICY_VERSION_MASK 0x12345D00 +#define OSA_ADB_POLICY_VERSION_1 0x12345D01 +#define OSA_ADB_POLICY_VERSION_2 0x12345D02 typedef struct _osa_adb_db_lock_ent_t { - FILE *lockfile; - char *filename; - int refcnt, lockmode, lockcnt; - krb5_context context; + FILE *lockfile; + char *filename; + int refcnt, lockmode, lockcnt; + krb5_context context; } osa_adb_lock_ent, *osa_adb_lock_t; typedef struct _osa_adb_db_ent_t { - int magic; - DB *db; - HASHINFO info; - BTREEINFO btinfo; - char *filename; - osa_adb_lock_t lock; - int opencnt; + int magic; + DB *db; + HASHINFO info; + BTREEINFO btinfo; + char *filename; + osa_adb_lock_t lock; + int opencnt; } osa_adb_db_ent, *osa_adb_db_t, *osa_adb_princ_t, *osa_adb_policy_t; /* * Return Code (the rest are in adb_err.h) */ -#define OSA_ADB_OK 0 +#define OSA_ADB_OK 0 /* * Functions */ -krb5_error_code osa_adb_create_db(char *filename, char *lockfile, int magic); -krb5_error_code osa_adb_destroy_db(char *filename, char *lockfile, int magic); -krb5_error_code osa_adb_rename_db(char *filefrom, char *lockfrom, - char *fileto, char *lockto, int magic); -krb5_error_code osa_adb_init_db(osa_adb_db_t *dbp, char *filename, - char *lockfile, int magic); -krb5_error_code osa_adb_fini_db(osa_adb_db_t db, int magic); -krb5_error_code osa_adb_get_lock(osa_adb_db_t db, int mode); -krb5_error_code osa_adb_release_lock(osa_adb_db_t db); +krb5_error_code osa_adb_create_db(char *filename, char *lockfile, int magic); +krb5_error_code osa_adb_destroy_db(char *filename, char *lockfile, int magic); +krb5_error_code osa_adb_rename_db(char *filefrom, char *lockfrom, + char *fileto, char *lockto, int magic); +krb5_error_code osa_adb_init_db(osa_adb_db_t *dbp, char *filename, + char *lockfile, int magic); +krb5_error_code osa_adb_fini_db(osa_adb_db_t db, int magic); +krb5_error_code osa_adb_get_lock(osa_adb_db_t db, int mode); +krb5_error_code osa_adb_release_lock(osa_adb_db_t db); krb5_error_code osa_adb_open_and_lock(osa_adb_princ_t db, int locktype); krb5_error_code osa_adb_close_and_unlock(osa_adb_princ_t db); -krb5_error_code osa_adb_close_policy(osa_adb_policy_t db); -krb5_error_code osa_adb_create_policy(osa_adb_policy_t db, - osa_policy_ent_t entry); -krb5_error_code osa_adb_destroy_policy(osa_adb_policy_t db, - char * name); -krb5_error_code osa_adb_get_policy(osa_adb_policy_t db, - char * name, - osa_policy_ent_t *entry, - int *cnt); -krb5_error_code osa_adb_put_policy(osa_adb_policy_t db, - osa_policy_ent_t entry); -krb5_error_code osa_adb_iter_policy(osa_adb_policy_t db, - osa_adb_iter_policy_func func, - void * data); -void osa_free_policy_ent(osa_policy_ent_t val); - -bool_t xdr_osa_policy_ent_rec(XDR *xdrs, osa_policy_ent_t objp); +krb5_error_code osa_adb_close_policy(osa_adb_policy_t db); +krb5_error_code osa_adb_create_policy(osa_adb_policy_t db, + osa_policy_ent_t entry); +krb5_error_code osa_adb_destroy_policy(osa_adb_policy_t db, + char * name); +krb5_error_code osa_adb_get_policy(osa_adb_policy_t db, + char * name, + osa_policy_ent_t *entry, + int *cnt); +krb5_error_code osa_adb_put_policy(osa_adb_policy_t db, + osa_policy_ent_t entry); +krb5_error_code osa_adb_iter_policy(osa_adb_policy_t db, + osa_adb_iter_policy_func func, + void * data); +void osa_free_policy_ent(osa_policy_ent_t val); + +bool_t xdr_osa_policy_ent_rec(XDR *xdrs, osa_policy_ent_t objp); #endif /* __ADB_H__ */ diff --git a/src/plugins/kdb/hdb/kdb_hdb.c b/src/plugins/kdb/hdb/kdb_hdb.c index e42b05586..f3668fa30 100644 --- a/src/plugins/kdb/hdb/kdb_hdb.c +++ b/src/plugins/kdb/hdb/kdb_hdb.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/kdb/hdb/kdb_hdb.c * @@ -153,11 +153,11 @@ kh_db_context_init(krb5_context context, goto cleanup; } -#define GET_PLUGIN_FUNC(_lib, _sym, _member) do { \ - code = krb5int_get_plugin_func(kh->_lib, _sym, \ - (void (**)())&kh->_member, &errinfo); \ - if (code != 0) \ - goto cleanup; \ +#define GET_PLUGIN_FUNC(_lib, _sym, _member) do { \ + code = krb5int_get_plugin_func(kh->_lib, _sym, \ + (void (**)())&kh->_member, &errinfo); \ + if (code != 0) \ + goto cleanup; \ } while (0) /* libkrb5 */ @@ -568,8 +568,8 @@ kh_db_get_age(krb5_context context, static krb5_error_code kh_db_set_option(krb5_context context, - int option, - void *value) + int option, + void *value) { return KRB5_KDB_DBTYPE_NOSUP; } diff --git a/src/plugins/kdb/hdb/kdb_hdb.h b/src/plugins/kdb/hdb/kdb_hdb.h index 6ba5fbcb5..0d04059b5 100644 --- a/src/plugins/kdb/hdb/kdb_hdb.h +++ b/src/plugins/kdb/hdb/kdb_hdb.h @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/kdb/hdb/kdb_hdb.c * @@ -74,10 +74,10 @@ typedef struct _kh_db_context { void *windc_ctx; } kh_db_context; -#define KH_DB_CONTEXT(_context) \ +#define KH_DB_CONTEXT(_context) \ ((kh_db_context *)(_context)->dal_handle->db_context) -#define KH_DB_ENTRY(_entry) \ +#define KH_DB_ENTRY(_entry) \ ((hdb_entry_ex *)(_entry)->e_data) /* kdb_hdb.c */ @@ -111,10 +111,10 @@ kh_hdb_free_entry(krb5_context context, /* kdb_marshal.c */ -#define KH_MARSHAL_KEY(_kkey, _hkey) do { \ - (_hkey)->keytype = (_kkey)->enctype; \ - (_hkey)->keyvalue.data = (_kkey)->contents; \ - (_hkey)->keyvalue.length = (_kkey)->length; \ +#define KH_MARSHAL_KEY(_kkey, _hkey) do { \ + (_hkey)->keytype = (_kkey)->enctype; \ + (_hkey)->keyvalue.data = (_kkey)->contents; \ + (_hkey)->keyvalue.length = (_kkey)->length; \ } while (0) krb5_error_code diff --git a/src/plugins/kdb/hdb/kdb_marshal.c b/src/plugins/kdb/hdb/kdb_marshal.c index d5e469347..624b17fc7 100644 --- a/src/plugins/kdb/hdb/kdb_marshal.c +++ b/src/plugins/kdb/hdb/kdb_marshal.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/kdb/hdb/kdb_marshal.c * @@ -69,8 +69,8 @@ kh_free_HostAddresses(krb5_context context, #if 0 static krb5_error_code kh_marshal_octet_string(krb5_context context, - const krb5_data *in_data, - heim_octet_string *out_data) + const krb5_data *in_data, + heim_octet_string *out_data) { out_data->data = malloc(in_data->length); if (out_data->data == NULL) @@ -198,7 +198,7 @@ kh_marshal_Principal(krb5_context context, } for (i = 0; i < kprinc->length; i++) { code = kh_marshal_general_string(context, &kprinc->data[i], - &hprinc->name.name_string.val[i]); + &hprinc->name.name_string.val[i]); if (code != 0) { kh_free_Principal(context, hprinc); return code; @@ -778,7 +778,7 @@ kh_unmarshal_hdb_entry(krb5_context context, code = kh_unmarshal_Event(context, hentry->modified_by ? hentry->modified_by : - &hentry->created_by, + &hentry->created_by, kentry); if (code != 0) goto cleanup; diff --git a/src/plugins/kdb/hdb/kdb_windc.c b/src/plugins/kdb/hdb/kdb_windc.c index 9481876c6..6c8db85ff 100644 --- a/src/plugins/kdb/hdb/kdb_windc.c +++ b/src/plugins/kdb/hdb/kdb_windc.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/kdb/hdb/kdb_windc.c * @@ -311,7 +311,7 @@ kh_db_sign_auth_data(krb5_context context, code = kh_windc_pac_verify(context, kh, client_hprinc, req->client ? - KH_DB_ENTRY(req->client) : NULL, + KH_DB_ENTRY(req->client) : NULL, KH_DB_ENTRY(req->server), &hpac); if (code != 0) diff --git a/src/plugins/kdb/ldap/ldap_exp.c b/src/plugins/kdb/ldap/ldap_exp.c index 742e3ce50..8deaf3737 100644 --- a/src/plugins/kdb/ldap/ldap_exp.c +++ b/src/plugins/kdb/ldap/ldap_exp.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_exp.c * @@ -46,51 +47,51 @@ */ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_ldap, kdb_function_table) = { - 1, /* major version number 1 */ - 0, /* minor version number 0 */ - /* init_library */ krb5_ldap_lib_init, - /* fini_library */ krb5_ldap_lib_cleanup, - /* init_module */ krb5_ldap_open, - /* fini_module */ krb5_ldap_close, - /* db_create */ krb5_ldap_create, - /* db_destroy */ krb5_ldap_delete_realm_1, - /* db_get_age */ krb5_ldap_db_get_age, - /* db_set_option */ krb5_ldap_set_option, - /* db_lock */ krb5_ldap_lock, - /* db_unlock */ krb5_ldap_unlock, - /* db_get_principal */ krb5_ldap_get_principal, - /* db_free_principal */ krb5_ldap_free_principal, - /* db_put_principal */ krb5_ldap_put_principal, - /* db_delete_principal */ krb5_ldap_delete_principal, - /* db_iterate */ krb5_ldap_iterate, - /* db_create_policy */ krb5_ldap_create_password_policy, - /* db_get_policy */ krb5_ldap_get_password_policy, - /* db_put_policy */ krb5_ldap_put_password_policy, - /* db_iter_policy */ krb5_ldap_iterate_password_policy, - /* db_delete_policy */ krb5_ldap_delete_password_policy, - /* db_free_policy */ krb5_ldap_free_password_policy, - /* db_supported_realms */ krb5_ldap_supported_realms, - /* db_free_supported_realms */ krb5_ldap_free_supported_realms, - /* errcode_2_string */ krb5_ldap_errcode_2_string, - /* release_errcode_string */ krb5_ldap_release_errcode_string, - /* db_alloc */ krb5_ldap_alloc, - /* db_free */ krb5_ldap_free, - /* optional functions */ - /* set_master_key */ krb5_ldap_set_mkey, - /* get_master_key */ krb5_ldap_get_mkey, - /* set_master_key_list */ krb5_ldap_set_mkey_list, - /* get_master_key_list */ krb5_ldap_get_mkey_list, - /* setup_master_key_name */ NULL, - /* store_master_key */ NULL, - /* fetch_master_key */ NULL /* krb5_ldap_fetch_mkey */, - /* verify_master_key */ NULL /* krb5_ldap_verify_master_key */, - /* fetch_master_key_list */ NULL, - /* store_master_key_list */ NULL, - /* Search enc type */ NULL, - /* Change pwd */ NULL, - /* promote_db */ NULL, - /* dbekd_decrypt_key_data */ NULL, - /* dbekd_encrypt_key_data */ NULL, - /* db_invoke */ krb5_ldap_invoke, + 1, /* major version number 1 */ + 0, /* minor version number 0 */ + /* init_library */ krb5_ldap_lib_init, + /* fini_library */ krb5_ldap_lib_cleanup, + /* init_module */ krb5_ldap_open, + /* fini_module */ krb5_ldap_close, + /* db_create */ krb5_ldap_create, + /* db_destroy */ krb5_ldap_delete_realm_1, + /* db_get_age */ krb5_ldap_db_get_age, + /* db_set_option */ krb5_ldap_set_option, + /* db_lock */ krb5_ldap_lock, + /* db_unlock */ krb5_ldap_unlock, + /* db_get_principal */ krb5_ldap_get_principal, + /* db_free_principal */ krb5_ldap_free_principal, + /* db_put_principal */ krb5_ldap_put_principal, + /* db_delete_principal */ krb5_ldap_delete_principal, + /* db_iterate */ krb5_ldap_iterate, + /* db_create_policy */ krb5_ldap_create_password_policy, + /* db_get_policy */ krb5_ldap_get_password_policy, + /* db_put_policy */ krb5_ldap_put_password_policy, + /* db_iter_policy */ krb5_ldap_iterate_password_policy, + /* db_delete_policy */ krb5_ldap_delete_password_policy, + /* db_free_policy */ krb5_ldap_free_password_policy, + /* db_supported_realms */ krb5_ldap_supported_realms, + /* db_free_supported_realms */ krb5_ldap_free_supported_realms, + /* errcode_2_string */ krb5_ldap_errcode_2_string, + /* release_errcode_string */ krb5_ldap_release_errcode_string, + /* db_alloc */ krb5_ldap_alloc, + /* db_free */ krb5_ldap_free, + /* optional functions */ + /* set_master_key */ krb5_ldap_set_mkey, + /* get_master_key */ krb5_ldap_get_mkey, + /* set_master_key_list */ krb5_ldap_set_mkey_list, + /* get_master_key_list */ krb5_ldap_get_mkey_list, + /* setup_master_key_name */ NULL, + /* store_master_key */ NULL, + /* fetch_master_key */ NULL /* krb5_ldap_fetch_mkey */, + /* verify_master_key */ NULL /* krb5_ldap_verify_master_key */, + /* fetch_master_key_list */ NULL, + /* store_master_key_list */ NULL, + /* Search enc type */ NULL, + /* Change pwd */ NULL, + /* promote_db */ NULL, + /* dbekd_decrypt_key_data */ NULL, + /* dbekd_encrypt_key_data */ NULL, + /* db_invoke */ krb5_ldap_invoke, }; diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.c index 09b50797d..f8dce07b3 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_list.c */ @@ -39,15 +40,16 @@ /* * Counts the number of entries in the given array of strings */ -int list_count_str_array(char **list) +int +list_count_str_array(char **list) { int i = 0; if (list == NULL) - return 0; + return 0; for (i = 0; *list != NULL; list++) { - i++; + i++; } return i; @@ -57,15 +59,16 @@ int list_count_str_array(char **list) /* * Counts the number of entries in the given array of integers */ -int list_count_int_array(int *list) +int +list_count_int_array(int *list) { int i = 0; if (list == NULL) - return 0; + return 0; for (i = 0; *list != END_OF_LIST; list++) { - i++; + i++; } return i; @@ -75,14 +78,14 @@ int list_count_int_array(int *list) /* * Frees the entries in a given list and not the list pointer */ -void krb5_free_list_entries(list) - char **list; +void +krb5_free_list_entries(char **list) { if (list == NULL) - return; + return; for (; *list != NULL; list++) { - free(*list); - *list = NULL; + free(*list); + *list = NULL; } return; @@ -94,10 +97,7 @@ void krb5_free_list_entries(list) * and return the result as a list */ krb5_error_code -krb5_parse_list(buffer, delimiter, list) - char *buffer; - char *delimiter; - char **list; +krb5_parse_list(char *buffer, char *delimiter, char **list) { char *str = NULL; char *token = NULL; @@ -107,40 +107,39 @@ krb5_parse_list(buffer, delimiter, list) int count = 0; if ((buffer == NULL) || (list == NULL) || (delimiter == NULL)) { - return EINVAL; + return EINVAL; } str = strdup(buffer); if (str == NULL) - return ENOMEM; + return ENOMEM; token = strtok_r(str, delimiter, &ptrptr); for (count = 1; ((token != NULL) && (count < MAX_LIST_ENTRIES)); - plist++, count++) { - *plist = strdup(token); - if (*plist == NULL) { - retval = ENOMEM; - goto cleanup; - } - token = strtok_r(NULL, delimiter, &ptrptr); + plist++, count++) { + *plist = strdup(token); + if (*plist == NULL) { + retval = ENOMEM; + goto cleanup; + } + token = strtok_r(NULL, delimiter, &ptrptr); } *plist = NULL; cleanup: if (str) { - free(str); - str = NULL; + free(str); + str = NULL; } if (retval) - krb5_free_list_entries(list); + krb5_free_list_entries(list); return retval; } -int compare_int(m1, m2) - const void *m1; - const void *m2; +int +compare_int(const void *m1, const void *m2) { int mi1 = *(const int *)m1; int mi2 = *(const int *)m2; @@ -154,10 +153,8 @@ int compare_int(m1, m2) * entries present in the source list, depending on the mode * (ADD or DELETE). */ -void list_modify_str_array(destlist, sourcelist, mode) - char ***destlist; - const char **sourcelist; - int mode; +void +list_modify_str_array(char ***destlist, const char **sourcelist, int mode) { char **dlist = NULL, **tmplist = NULL; const char **slist = NULL; @@ -165,52 +162,52 @@ void list_modify_str_array(destlist, sourcelist, mode) int found = 0; if ((destlist == NULL) || (*destlist == NULL) || (sourcelist == NULL)) - return; + return; /* We need to add every entry present in the source list to * the destination list */ if (mode == LIST_MODE_ADD) { - /* Traverse throught the end of destlist for appending */ - for (dlist = *destlist, dcount = 0; *dlist != NULL; - dlist++, dcount++) { - ; /* NULL statement */ - } - /* Count the number of entries in the source list */ - for (slist = sourcelist, scount = 0; *slist != NULL; - slist++, scount++) { - ; /* NULL statement */ - } - /* Reset the slist pointer to the start of source list */ - slist = sourcelist; - - /* Now append the source list to the existing destlist */ - if ((dcount + scount) < MAX_LIST_ENTRIES) - copycount = scount; - else - /* Leave the last entry for list terminator(=NULL) */ - copycount = (MAX_LIST_ENTRIES -1) - dcount; - - memcpy(dlist, slist, (sizeof(char *) * copycount)); - dlist += copycount; - *dlist = NULL; + /* Traverse throught the end of destlist for appending */ + for (dlist = *destlist, dcount = 0; *dlist != NULL; + dlist++, dcount++) { + ; /* NULL statement */ + } + /* Count the number of entries in the source list */ + for (slist = sourcelist, scount = 0; *slist != NULL; + slist++, scount++) { + ; /* NULL statement */ + } + /* Reset the slist pointer to the start of source list */ + slist = sourcelist; + + /* Now append the source list to the existing destlist */ + if ((dcount + scount) < MAX_LIST_ENTRIES) + copycount = scount; + else + /* Leave the last entry for list terminator(=NULL) */ + copycount = (MAX_LIST_ENTRIES -1) - dcount; + + memcpy(dlist, slist, (sizeof(char *) * copycount)); + dlist += copycount; + *dlist = NULL; } else if (mode == LIST_MODE_DELETE) { - /* We need to delete every entry present in the source list - * from the destination list */ - for (slist = sourcelist; *slist != NULL; slist++) { - for (dlist = *destlist; *dlist != NULL; dlist++) { - found = 0; /* value not found */ - /* DN is case insensitive string */ - if (strcasecmp(*dlist, *slist) == 0) { - found = 1; - free(*dlist); - /* Advance the rest of the entries by one */ - for (tmplist = dlist; *tmplist != NULL; tmplist++) { - *tmplist = *(tmplist+1); - } - break; - } - } - } + /* We need to delete every entry present in the source list + * from the destination list */ + for (slist = sourcelist; *slist != NULL; slist++) { + for (dlist = *destlist; *dlist != NULL; dlist++) { + found = 0; /* value not found */ + /* DN is case insensitive string */ + if (strcasecmp(*dlist, *slist) == 0) { + found = 1; + free(*dlist); + /* Advance the rest of the entries by one */ + for (tmplist = dlist; *tmplist != NULL; tmplist++) { + *tmplist = *(tmplist+1); + } + break; + } + } + } } return; @@ -222,10 +219,8 @@ void list_modify_str_array(destlist, sourcelist, mode) * entries present in the source list, depending on the mode * (ADD or DELETE). where the list is array of integers. */ -int list_modify_int_array(destlist, sourcelist, mode) - int *destlist; - const int *sourcelist; - int mode; +int +list_modify_int_array(int *destlist, const int *sourcelist, int mode) { int *dlist = NULL, *tmplist = NULL; const int *slist = NULL; @@ -233,53 +228,53 @@ int list_modify_int_array(destlist, sourcelist, mode) int tcount = 0; if ((destlist == NULL) || (sourcelist == NULL)) - return 0; + return 0; /* We need to add every entry present in the source list to the * destination list */ if (mode == LIST_MODE_ADD) { - /* Traverse throught the end of destlist for appending */ - for (dlist = destlist, dcount = 0; *dlist != END_OF_LIST; - dlist++, dcount++) - ; /* NULL statement */ - - /* Count the number of entries in the source list */ - for (slist = sourcelist, scount = 0; *slist != END_OF_LIST; - slist++, scount++) - ; /* NULL statement */ - - /* Reset the slist pointer to the start of source list */ - slist = sourcelist; - - /* Now append the source list to the existing destlist */ - if ((dcount + scount) < MAX_LIST_ENTRIES) - copycount = scount; - else - /* Leave the last entry for list terminator(=NULL) */ - copycount = (MAX_LIST_ENTRIES -1) - dcount; - - memcpy(dlist, slist, (sizeof(int) * copycount)); - dlist += copycount; - *dlist = END_OF_LIST; - tcount = dcount + copycount; + /* Traverse throught the end of destlist for appending */ + for (dlist = destlist, dcount = 0; *dlist != END_OF_LIST; + dlist++, dcount++) + ; /* NULL statement */ + + /* Count the number of entries in the source list */ + for (slist = sourcelist, scount = 0; *slist != END_OF_LIST; + slist++, scount++) + ; /* NULL statement */ + + /* Reset the slist pointer to the start of source list */ + slist = sourcelist; + + /* Now append the source list to the existing destlist */ + if ((dcount + scount) < MAX_LIST_ENTRIES) + copycount = scount; + else + /* Leave the last entry for list terminator(=NULL) */ + copycount = (MAX_LIST_ENTRIES -1) - dcount; + + memcpy(dlist, slist, (sizeof(int) * copycount)); + dlist += copycount; + *dlist = END_OF_LIST; + tcount = dcount + copycount; } else if (mode == LIST_MODE_DELETE) { - /* We need to delete every entry present in the source list from - * the destination list */ - for (slist = sourcelist; *slist != END_OF_LIST; slist++) { - for (dlist = destlist; *dlist != END_OF_LIST; dlist++) { - if (*dlist == *slist) { - /* Advance the rest of the entries by one */ - for (tmplist = dlist; *tmplist != END_OF_LIST; tmplist++) { - *tmplist = *(tmplist+1); - } - break; - } - } - } - /* count the number of entries */ - for (dlist = destlist, tcount = 0; *dlist != END_OF_LIST; dlist++) { - tcount++; - } + /* We need to delete every entry present in the source list from + * the destination list */ + for (slist = sourcelist; *slist != END_OF_LIST; slist++) { + for (dlist = destlist; *dlist != END_OF_LIST; dlist++) { + if (*dlist == *slist) { + /* Advance the rest of the entries by one */ + for (tmplist = dlist; *tmplist != END_OF_LIST; tmplist++) { + *tmplist = *(tmplist+1); + } + break; + } + } + } + /* count the number of entries */ + for (dlist = destlist, tcount = 0; *dlist != END_OF_LIST; dlist++) { + tcount++; + } } return tcount; diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.h index a251fde3f..ff6bde2f5 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.h +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_list.h */ @@ -30,12 +31,12 @@ */ -#define MAX_LIST_ENTRIES 64 -#define END_OF_LIST -1 /* End of List */ -#define LIST_DELIMITER ":" /* List entry separator */ -#define LIST_MODE_ADD 0x701 /* Add to the List */ -#define LIST_MODE_DELETE 0x702 /* Delete from the list */ -#define MAX_LEN_LIST_ENTRY 512 /* Max len of an entry */ +#define MAX_LIST_ENTRIES 64 +#define END_OF_LIST -1 /* End of List */ +#define LIST_DELIMITER ":" /* List entry separator */ +#define LIST_MODE_ADD 0x701 /* Add to the List */ +#define LIST_MODE_DELETE 0x702 /* Delete from the list */ +#define MAX_LEN_LIST_ENTRY 512 /* Max len of an entry */ extern krb5_error_code krb5_parse_list(char *buffer, char *delimiter, char **list); extern void krb5_free_list_entries(char **list); diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c index b22e63184..4cb3c46ad 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_policy.c */ @@ -48,7 +49,9 @@ static char *strdur(time_t duration); extern char *yes; extern kadm5_config_params global_params; -static krb5_error_code init_ldap_realm (int argc, char *argv[]) { +static krb5_error_code +init_ldap_realm(int argc, char *argv[]) +{ /* This operation is being performed in the context of a realm. So, * initialize the realm */ int mask = 0; @@ -65,7 +68,7 @@ static krb5_error_code init_ldap_realm (int argc, char *argv[]) { if (ldap_context->krbcontainer == NULL) { retval = krb5_ldap_read_krbcontainer_params (util_context, - &(ldap_context->krbcontainer)); + &(ldap_context->krbcontainer)); if (retval != 0) { com_err(progname, retval, "while reading kerberos container information"); goto cleanup; @@ -74,9 +77,9 @@ static krb5_error_code init_ldap_realm (int argc, char *argv[]) { if (ldap_context->lrparams == NULL) { retval = krb5_ldap_read_realm_params(util_context, - global_params.realm, - &(ldap_context->lrparams), - &mask); + global_params.realm, + &(ldap_context->lrparams), + &mask); if (retval != 0) { goto cleanup; @@ -91,9 +94,7 @@ cleanup: * specified attributes. */ void -kdb5_ldap_create_policy(argc, argv) - int argc; - char *argv[]; +kdb5_ldap_create_policy(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; @@ -107,14 +108,14 @@ kdb5_ldap_create_policy(argc, argv) /* Check for number of arguments */ if ((argc < 2) || (argc > 16)) { - goto err_usage; + goto err_usage; } /* Allocate memory for policy parameters structure */ policyparams = (krb5_ldap_policy_params*) calloc(1, sizeof(krb5_ldap_policy_params)); if (policyparams == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } /* Get current time */ @@ -122,161 +123,161 @@ kdb5_ldap_create_policy(argc, argv) /* Parse all arguments */ for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-maxtktlife")) { - if (++i > argc - 1) - goto err_usage; - - date = get_date(argv[i]); - if (date == (time_t)(-1)) { - retval = EINVAL; - com_err (me, retval, "while providing time specification"); - goto err_nomsg; - } - - policyparams->maxtktlife = date - now; - - mask |= LDAP_POLICY_MAXTKTLIFE; - } else if (!strcmp(argv[i], "-maxrenewlife")) { - if (++i > argc - 1) - goto err_usage; - - date = get_date(argv[i]); - if (date == (time_t)(-1)) { - retval = EINVAL; - com_err (me, retval, "while providing time specification"); - goto err_nomsg; - } - - policyparams->maxrenewlife = date - now; - - mask |= LDAP_POLICY_MAXRENEWLIFE; - } else if (!strcmp((argv[i] + 1), "allow_postdated")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_forwardable")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_renewable")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_proxiable")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "requires_preauth")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "requires_hwauth")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_svr")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_tix")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "needchange")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "password_changing_service")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else { /* Any other argument must be policy DN */ - /* First check if policy DN is already provided -- - if so, there's a usage error */ + if (!strcmp(argv[i], "-maxtktlife")) { + if (++i > argc - 1) + goto err_usage; + + date = get_date(argv[i]); + if (date == (time_t)(-1)) { + retval = EINVAL; + com_err (me, retval, "while providing time specification"); + goto err_nomsg; + } + + policyparams->maxtktlife = date - now; + + mask |= LDAP_POLICY_MAXTKTLIFE; + } else if (!strcmp(argv[i], "-maxrenewlife")) { + if (++i > argc - 1) + goto err_usage; + + date = get_date(argv[i]); + if (date == (time_t)(-1)) { + retval = EINVAL; + com_err (me, retval, "while providing time specification"); + goto err_nomsg; + } + + policyparams->maxrenewlife = date - now; + + mask |= LDAP_POLICY_MAXRENEWLIFE; + } else if (!strcmp((argv[i] + 1), "allow_postdated")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_forwardable")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_renewable")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_proxiable")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "requires_preauth")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "requires_hwauth")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_svr")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_tix")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "needchange")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "password_changing_service")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else { /* Any other argument must be policy DN */ + /* First check if policy DN is already provided -- + if so, there's a usage error */ if (policyparams->policy != NULL) - goto err_usage; + goto err_usage; - /* If not present already, fill up policy DN */ + /* If not present already, fill up policy DN */ policyparams->policy = strdup(argv[i]); if (policyparams->policy == NULL) { - retval = ENOMEM; - com_err(me, retval, "while creating policy object"); - goto err_nomsg; - } - } + retval = ENOMEM; + com_err(me, retval, "while creating policy object"); + goto err_nomsg; + } + } } /* policy DN is a mandatory argument. If not provided, print usage */ if (policyparams->policy == NULL) - goto err_usage; + goto err_usage; if ((retval = init_ldap_realm (argc, argv))) { com_err(me, retval, "while reading realm information"); @@ -285,7 +286,7 @@ kdb5_ldap_create_policy(argc, argv) /* Create object with all attributes provided */ if ((retval = krb5_ldap_create_policy(util_context, policyparams, mask)) != 0) - goto cleanup; + goto cleanup; goto cleanup; @@ -300,13 +301,13 @@ cleanup: krb5_ldap_free_policy (util_context, policyparams); if (print_usage) - db_usage(CREATE_POLICY); + db_usage(CREATE_POLICY); if (retval) { - if (!no_msg) - com_err(me, retval, "while creating policy object"); + if (!no_msg) + com_err(me, retval, "while creating policy object"); - exit_status++; + exit_status++; } return; @@ -318,9 +319,7 @@ cleanup: * object interactively, unless forced through an option. */ void -kdb5_ldap_destroy_policy(argc, argv) - int argc; - char *argv[]; +kdb5_ldap_destroy_policy(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; @@ -334,55 +333,55 @@ kdb5_ldap_destroy_policy(argc, argv) int i = 0; if ((argc < 2) || (argc > 3)) { - goto err_usage; + goto err_usage; } for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "-force") == 0) { - force++; - } else { /* Any other argument must be policy DN */ - /* First check if policy DN is already provided -- - if so, there's a usage error */ + if (strcmp(argv[i], "-force") == 0) { + force++; + } else { /* Any other argument must be policy DN */ + /* First check if policy DN is already provided -- + if so, there's a usage error */ if (policy != NULL) - goto err_usage; + goto err_usage; - /* If not present already, fill up policy DN */ + /* If not present already, fill up policy DN */ policy = strdup(argv[i]); if (policy == NULL) { - retval = ENOMEM; - com_err(me, retval, "while destroying policy object"); - goto err_nomsg; - } - } + retval = ENOMEM; + com_err(me, retval, "while destroying policy object"); + goto err_nomsg; + } + } } if (policy == NULL) - goto err_usage; + goto err_usage; if (!force) { printf("This will delete the policy object '%s', are you sure?\n", policy); - printf("(type 'yes' to confirm)? "); + printf("(type 'yes' to confirm)? "); - if (fgets(buf, sizeof(buf), stdin) == NULL) { - retval = EINVAL; - goto cleanup; - } + if (fgets(buf, sizeof(buf), stdin) == NULL) { + retval = EINVAL; + goto cleanup; + } - if (strcmp(buf, yes)) { - exit_status++; - goto cleanup; - } + if (strcmp(buf, yes)) { + exit_status++; + goto cleanup; + } } if ((retval = init_ldap_realm (argc, argv))) goto err_nomsg; if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask))) - goto cleanup; + goto cleanup; if ((retval = krb5_ldap_delete_policy(util_context, policy))) - goto cleanup; + goto cleanup; printf("** policy object '%s' deleted.\n", policy); goto cleanup; @@ -399,18 +398,18 @@ cleanup: krb5_ldap_free_policy (util_context, policyparams); if (policy) { - free (policy); + free (policy); } if (print_usage) { - db_usage(DESTROY_POLICY); + db_usage(DESTROY_POLICY); } if (retval) { - if (!no_msg) - com_err(me, retval, "while destroying policy object"); + if (!no_msg) + com_err(me, retval, "while destroying policy object"); - exit_status++; + exit_status++; } return; @@ -422,9 +421,7 @@ cleanup: * policy object. */ void -kdb5_ldap_modify_policy(argc, argv) - int argc; - char *argv[]; +kdb5_ldap_modify_policy(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; @@ -441,57 +438,57 @@ kdb5_ldap_modify_policy(argc, argv) since atleast one parameter should be given in addition to 'modify_policy' and policy DN */ if ((argc < 3) || (argc > 16)) { - goto err_usage; + goto err_usage; } /* Parse all arguments, only to pick up policy DN (Pass 1) */ for (i = 1; i < argc; i++) { - /* Skip arguments next to 'maxtktlife' - and 'maxrenewlife' arguments */ - if (!strcmp(argv[i], "-maxtktlife")) { - ++i; - } else if (!strcmp(argv[i], "-maxrenewlife")) { - ++i; - } - /* Do nothing for ticket flag arguments */ - else if (!strcmp((argv[i] + 1), "allow_postdated") || - !strcmp((argv[i] + 1), "allow_forwardable") || - !strcmp((argv[i] + 1), "allow_renewable") || - !strcmp((argv[i] + 1), "allow_proxiable") || - !strcmp((argv[i] + 1), "allow_dup_skey") || - !strcmp((argv[i] + 1), "requires_preauth") || - !strcmp((argv[i] + 1), "requires_hwauth") || - !strcmp((argv[i] + 1), "allow_svr") || - !strcmp((argv[i] + 1), "allow_tgs_req") || - !strcmp((argv[i] + 1), "allow_tix") || - !strcmp((argv[i] + 1), "needchange") || - !strcmp((argv[i] + 1), "password_changing_service")) { - } else { /* Any other argument must be policy DN */ - /* First check if policy DN is already provided -- - if so, there's a usage error */ + /* Skip arguments next to 'maxtktlife' + and 'maxrenewlife' arguments */ + if (!strcmp(argv[i], "-maxtktlife")) { + ++i; + } else if (!strcmp(argv[i], "-maxrenewlife")) { + ++i; + } + /* Do nothing for ticket flag arguments */ + else if (!strcmp((argv[i] + 1), "allow_postdated") || + !strcmp((argv[i] + 1), "allow_forwardable") || + !strcmp((argv[i] + 1), "allow_renewable") || + !strcmp((argv[i] + 1), "allow_proxiable") || + !strcmp((argv[i] + 1), "allow_dup_skey") || + !strcmp((argv[i] + 1), "requires_preauth") || + !strcmp((argv[i] + 1), "requires_hwauth") || + !strcmp((argv[i] + 1), "allow_svr") || + !strcmp((argv[i] + 1), "allow_tgs_req") || + !strcmp((argv[i] + 1), "allow_tix") || + !strcmp((argv[i] + 1), "needchange") || + !strcmp((argv[i] + 1), "password_changing_service")) { + } else { /* Any other argument must be policy DN */ + /* First check if policy DN is already provided -- + if so, there's a usage error */ if (policy != NULL) - goto err_usage; + goto err_usage; - /* If not present already, fill up policy DN */ + /* If not present already, fill up policy DN */ policy = strdup(argv[i]); if (policy == NULL) { - retval = ENOMEM; - com_err(me, retval, "while modifying policy object"); - goto err_nomsg; - } - } + retval = ENOMEM; + com_err(me, retval, "while modifying policy object"); + goto err_nomsg; + } + } } if (policy == NULL) - goto err_usage; + goto err_usage; if ((retval = init_ldap_realm (argc, argv))) - goto cleanup; + goto cleanup; retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &in_mask); if (retval) { com_err(me, retval, "while reading information of policy '%s'", policy); - goto err_nomsg; + goto err_nomsg; } /* Get current time */ @@ -499,151 +496,151 @@ kdb5_ldap_modify_policy(argc, argv) /* Parse all arguments, but skip policy DN (Pass 2) */ for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-maxtktlife")) { - if (++i > argc - 1) - goto err_usage; - - date = get_date(argv[i]); - if (date == (time_t)(-1)) { - retval = EINVAL; - com_err (me, retval, "while providing time specification"); - goto err_nomsg; - } - - policyparams->maxtktlife = date - now; - - out_mask |= LDAP_POLICY_MAXTKTLIFE; - } else if (!strcmp(argv[i], "-maxrenewlife")) { - if (++i > argc - 1) - goto err_usage; - - date = get_date(argv[i]); - if (date == (time_t)(-1)) { - retval = EINVAL; - com_err (me, retval, "while providing time specification"); - goto err_nomsg; - } - - policyparams->maxrenewlife = date - now; - - out_mask |= LDAP_POLICY_MAXRENEWLIFE; - } else if (!strcmp((argv[i] + 1), "allow_postdated")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_forwardable")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_renewable")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_proxiable")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "requires_preauth")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "requires_hwauth")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_svr")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_tix")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "needchange")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "password_changing_service")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else { - /* Any other argument must be policy DN - -- skip it */ - } + if (!strcmp(argv[i], "-maxtktlife")) { + if (++i > argc - 1) + goto err_usage; + + date = get_date(argv[i]); + if (date == (time_t)(-1)) { + retval = EINVAL; + com_err (me, retval, "while providing time specification"); + goto err_nomsg; + } + + policyparams->maxtktlife = date - now; + + out_mask |= LDAP_POLICY_MAXTKTLIFE; + } else if (!strcmp(argv[i], "-maxrenewlife")) { + if (++i > argc - 1) + goto err_usage; + + date = get_date(argv[i]); + if (date == (time_t)(-1)) { + retval = EINVAL; + com_err (me, retval, "while providing time specification"); + goto err_nomsg; + } + + policyparams->maxrenewlife = date - now; + + out_mask |= LDAP_POLICY_MAXRENEWLIFE; + } else if (!strcmp((argv[i] + 1), "allow_postdated")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_forwardable")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_renewable")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_proxiable")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "requires_preauth")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "requires_hwauth")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_svr")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_tix")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "needchange")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "password_changing_service")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else { + /* Any other argument must be policy DN + -- skip it */ + } } /* Modify attributes of object */ if ((retval = krb5_ldap_modify_policy(util_context, policyparams, out_mask))) - goto cleanup; + goto cleanup; goto cleanup; @@ -661,13 +658,13 @@ cleanup: free (policy); if (print_usage) - db_usage(MODIFY_POLICY); + db_usage(MODIFY_POLICY); if (retval) { - if (!no_msg) - com_err(me, retval, "while modifying policy object"); + if (!no_msg) + com_err(me, retval, "while modifying policy object"); - exit_status++; + exit_status++; } return; @@ -679,9 +676,7 @@ cleanup: * fetching the information from the LDAP Server. */ void -kdb5_ldap_view_policy(argc, argv) - int argc; - char *argv[]; +kdb5_ldap_view_policy(int argc, char *argv[]) { char *me = progname; krb5_ldap_policy_params *policyparams = NULL; @@ -691,23 +686,23 @@ kdb5_ldap_view_policy(argc, argv) int mask = 0; if (argc != 2) { - goto err_usage; + goto err_usage; } policy = strdup(argv[1]); if (policy == NULL) { - com_err(me, ENOMEM, "while viewing policy"); - exit_status++; - goto cleanup; + com_err(me, ENOMEM, "while viewing policy"); + exit_status++; + goto cleanup; } if ((retval = init_ldap_realm (argc, argv))) goto cleanup; if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask))) { - com_err(me, retval, "while viewing policy '%s'", policy); - exit_status++; - goto cleanup; + com_err(me, retval, "while viewing policy '%s'", policy); + exit_status++; + goto cleanup; } print_policy_params (policyparams, mask); @@ -721,10 +716,10 @@ cleanup: krb5_ldap_free_policy (util_context, policyparams); if (policy) - free (policy); + free (policy); if (print_usage) { - db_usage(VIEW_POLICY); + db_usage(VIEW_POLICY); } return; @@ -736,59 +731,57 @@ cleanup: * standard output. */ static void -print_policy_params(policyparams, mask) - krb5_ldap_policy_params *policyparams; - int mask; +print_policy_params(krb5_ldap_policy_params *policyparams, int mask) { /* Print the policy DN */ printf("%25s: %s\n", "Ticket policy", policyparams->policy); /* Print max. ticket life and max. renewable life, if present */ if (mask & LDAP_POLICY_MAXTKTLIFE) - printf("%25s: %s\n", "Maximum ticket life", strdur(policyparams->maxtktlife)); + printf("%25s: %s\n", "Maximum ticket life", strdur(policyparams->maxtktlife)); if (mask & LDAP_POLICY_MAXRENEWLIFE) - printf("%25s: %s\n", "Maximum renewable life", strdur(policyparams->maxrenewlife)); + printf("%25s: %s\n", "Maximum renewable life", strdur(policyparams->maxrenewlife)); /* Service flags are printed */ printf("%25s: ", "Ticket flags"); if (mask & LDAP_POLICY_TKTFLAGS) { - int ticketflags = policyparams->tktflags; + int ticketflags = policyparams->tktflags; - if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED) - printf("%s ","DISALLOW_POSTDATED"); + if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED) + printf("%s ","DISALLOW_POSTDATED"); - if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE) - printf("%s ","DISALLOW_FORWARDABLE"); + if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE) + printf("%s ","DISALLOW_FORWARDABLE"); - if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE) - printf("%s ","DISALLOW_RENEWABLE"); + if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE) + printf("%s ","DISALLOW_RENEWABLE"); - if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE) - printf("%s ","DISALLOW_PROXIABLE"); + if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE) + printf("%s ","DISALLOW_PROXIABLE"); - if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY) - printf("%s ","DISALLOW_DUP_SKEY"); + if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY) + printf("%s ","DISALLOW_DUP_SKEY"); - if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH) - printf("%s ","REQUIRES_PRE_AUTH"); + if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH) + printf("%s ","REQUIRES_PRE_AUTH"); - if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH) - printf("%s ","REQUIRES_HW_AUTH"); + if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH) + printf("%s ","REQUIRES_HW_AUTH"); - if (ticketflags & KRB5_KDB_DISALLOW_SVR) - printf("%s ","DISALLOW_SVR"); + if (ticketflags & KRB5_KDB_DISALLOW_SVR) + printf("%s ","DISALLOW_SVR"); - if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED) - printf("%s ","DISALLOW_TGT_BASED"); + if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED) + printf("%s ","DISALLOW_TGT_BASED"); - if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX) - printf("%s ","DISALLOW_ALL_TIX"); + if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX) + printf("%s ","DISALLOW_ALL_TIX"); - if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE) - printf("%s ","REQUIRES_PWCHANGE"); + if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE) + printf("%s ","REQUIRES_PWCHANGE"); - if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE) - printf("%s ","PWCHANGE_SERVICE"); + if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE) + printf("%s ","PWCHANGE_SERVICE"); } printf("\n"); @@ -800,9 +793,8 @@ print_policy_params(policyparams, mask) * This function will list the DNs of policy objects under a specific * sub-tree (entire tree by default) */ -void kdb5_ldap_list_policies(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_list_policies(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; @@ -813,18 +805,18 @@ void kdb5_ldap_list_policies(argc, argv) /* Check for number of arguments */ if ((argc != 1) && (argc != 3)) { - goto err_usage; + goto err_usage; } if ((retval = init_ldap_realm (argc, argv))) - goto cleanup; + goto cleanup; retval = krb5_ldap_list_policy(util_context, basedn, &list); if ((retval != 0) || (list == NULL)) - goto cleanup; + goto cleanup; for (plist = list; *plist != NULL; plist++) { - printf("%s\n", *plist); + printf("%s\n", *plist); } goto cleanup; @@ -834,20 +826,20 @@ err_usage: cleanup: if (list != NULL) { - krb5_free_list_entries (list); - free (list); + krb5_free_list_entries (list); + free (list); } if (basedn) - free (basedn); + free (basedn); if (print_usage) { - db_usage(LIST_POLICY); + db_usage(LIST_POLICY); } if (retval) { - com_err(me, retval, "while listing policy objects"); - exit_status++; + com_err(me, retval, "while listing policy objects"); + exit_status++; } return; @@ -856,17 +848,17 @@ cleanup: /* Reproduced from kadmin.c, instead of linking the entire kadmin.o */ -static char *strdur(duration) - time_t duration; +static char * +strdur(time_t duration) { static char out[50]; int neg, days, hours, minutes, seconds; if (duration < 0) { - duration *= -1; - neg = 1; + duration *= -1; + neg = 1; } else - neg = 0; + neg = 0; days = duration / (24 * 3600); duration %= 24 * 3600; hours = duration / 3600; @@ -875,6 +867,6 @@ static char *strdur(duration) duration %= 60; seconds = duration; snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "", - days, days == 1 ? "day" : "days", hours, minutes, seconds); + days, days == 1 ? "day" : "days", hours, minutes, seconds); return out; } diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.h index 105b0a06b..a176a9fac 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.h +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_policy.h */ diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c index 017a5cddf..d96ce0fb1 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_realm.c * @@ -116,11 +117,11 @@ krb5_data db_creator_entries[] = { static krb5_principal_data db_create_princ = { - 0, /* magic number */ - {0, 0, 0}, /* krb5_data realm */ - db_creator_entries, /* krb5_data *data */ - 1, /* int length */ - KRB5_NT_SRV_INST /* int type */ + 0, /* magic number */ + {0, 0, 0}, /* krb5_data realm */ + db_creator_entries, /* krb5_data *data */ + 1, /* int length */ + KRB5_NT_SRV_INST /* int type */ }; extern char *mkey_password; @@ -129,7 +130,7 @@ extern kadm5_config_params global_params; static void print_realm_params(krb5_ldap_realm_params *rparams, int mask); static int kdb_ldap_create_principal (krb5_context context, krb5_principal - princ, enum ap_op op, struct realm_info *pblock); + princ, enum ap_op op, struct realm_info *pblock); static char *strdur(time_t duration); @@ -141,18 +142,16 @@ static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_ #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */ #ifdef HAVE_EDIRECTORY -#define FREE_DN_LIST(dnlist) if (dnlist != NULL) { \ - for (idx=0; dnlist[idx] != NULL; idx++) \ - free(dnlist[idx]); \ - free(dnlist); \ - } +#define FREE_DN_LIST(dnlist) if (dnlist != NULL) { \ + for (idx=0; dnlist[idx] != NULL; idx++) \ + free(dnlist[idx]); \ + free(dnlist); \ + } #endif -static int get_ticket_policy(rparams,i,argv,argc) - krb5_ldap_realm_params *rparams; - int *i; - char *argv[]; - int argc; +static int +get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[], + int argc) { time_t date; time_t now; @@ -165,142 +164,142 @@ static int get_ticket_policy(rparams,i,argv,argc) time(&now); if (!strcmp(argv[*i], "-maxtktlife")) { - if (++(*i) > argc-1) - goto err_usage; - date = get_date(argv[*i]); - if (date == (time_t)(-1)) { - retval = EINVAL; - com_err (me, retval, "while providing time specification"); - goto err_nomsg; - } - rparams->max_life = date-now; - mask |= LDAP_REALM_MAXTICKETLIFE; + if (++(*i) > argc-1) + goto err_usage; + date = get_date(argv[*i]); + if (date == (time_t)(-1)) { + retval = EINVAL; + com_err (me, retval, "while providing time specification"); + goto err_nomsg; + } + rparams->max_life = date-now; + mask |= LDAP_REALM_MAXTICKETLIFE; } else if (!strcmp(argv[*i], "-maxrenewlife")) { - if (++(*i) > argc-1) - goto err_usage; - - date = get_date(argv[*i]); - if (date == (time_t)(-1)) { - retval = EINVAL; - com_err (me, retval, "while providing time specification"); - goto err_nomsg; - } - rparams->max_renewable_life = date-now; - mask |= LDAP_REALM_MAXRENEWLIFE; + if (++(*i) > argc-1) + goto err_usage; + + date = get_date(argv[*i]); + if (date == (time_t)(-1)) { + retval = EINVAL; + com_err (me, retval, "while providing time specification"); + goto err_nomsg; + } + rparams->max_renewable_life = date-now; + mask |= LDAP_REALM_MAXRENEWLIFE; } else if (!strcmp((argv[*i] + 1), "allow_postdated")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_forwardable")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; - else - goto err_usage; + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; + else + goto err_usage; - mask |= LDAP_REALM_KRBTICKETFLAGS; + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_renewable")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_proxiable")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_dup_skey")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; - else - goto err_usage; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; + else + goto err_usage; - mask |= LDAP_REALM_KRBTICKETFLAGS; + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "requires_preauth")) { - if (*(argv[*i]) == '+') - rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; - else if (*(argv[*i]) == '-') - rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; + else if (*(argv[*i]) == '-') + rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "requires_hwauth")) { - if (*(argv[*i]) == '+') - rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; - else if (*(argv[*i]) == '-') - rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; + else if (*(argv[*i]) == '-') + rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_svr")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_SVR; - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_SVR; + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_tgs_req")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_tix")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "needchange")) { - if (*(argv[*i]) == '+') - rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; - else if (*(argv[*i]) == '-') - rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; + else if (*(argv[*i]) == '-') + rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "password_changing_service")) { - if (*(argv[*i]) == '+') - rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; - else if (*(argv[*i]) == '-') - rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); - else - goto err_usage; + if (*(argv[*i]) == '+') + rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; + else if (*(argv[*i]) == '-') + rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); + else + goto err_usage; - mask |=LDAP_REALM_KRBTICKETFLAGS; + mask |=LDAP_REALM_KRBTICKETFLAGS; } err_usage: print_usage = TRUE; @@ -315,9 +314,8 @@ err_nomsg: * This function will create a realm on the LDAP Server, with * the specified attributes. */ -void kdb5_ldap_create(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_create(int argc, char *argv[]) { krb5_error_code retval = 0; krb5_keyblock master_keyblock; @@ -342,140 +340,140 @@ void kdb5_ldap_create(argc, argv) memset(&master_keyblock, 0, sizeof(master_keyblock)); rparams = (krb5_ldap_realm_params *)malloc( - sizeof(krb5_ldap_realm_params)); + sizeof(krb5_ldap_realm_params)); if (rparams == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } memset(rparams, 0, sizeof(krb5_ldap_realm_params)); /* Parse the arguments */ for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-subtrees")) { - if (++i > argc-1) - goto err_usage; - - if (strncmp(argv[i], "", strlen(argv[i]))!=0) { - list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - free(list); - list = NULL; - goto cleanup; - } - - rparams->subtreecount=0; - while (list[rparams->subtreecount]!=NULL) - (rparams->subtreecount)++; - rparams->subtree = list; - } else if (strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow subtree value to be set at the root(NULL, "") of the tree */ - com_err(progname, EINVAL, - "for subtree while creating realm '%s'", - global_params.realm); - goto err_nomsg; - } - rparams->subtree[rparams->subtreecount] = NULL; - mask |= LDAP_REALM_SUBTREE; - } else if (!strcmp(argv[i], "-containerref")) { - if (++i > argc-1) - goto err_usage; - if (strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow containerref value to be set at the root(NULL, "") of the tree */ - com_err(progname, EINVAL, - "for container reference while creating realm '%s'", - global_params.realm); - goto err_nomsg; - } - rparams->containerref = strdup(argv[i]); - if (rparams->containerref == NULL) { - retval = ENOMEM; - goto cleanup; - } - mask |= LDAP_REALM_CONTREF; - } else if (!strcmp(argv[i], "-sscope")) { - if (++i > argc-1) - goto err_usage; - /* Possible values for search scope are - * one (or 1) and sub (or 2) - */ - if (!strcasecmp(argv[i], "one")) { - rparams->search_scope = 1; - } else if (!strcasecmp(argv[i], "sub")) { - rparams->search_scope = 2; - } else { - rparams->search_scope = atoi(argv[i]); - if ((rparams->search_scope != 1) && - (rparams->search_scope != 2)) { - com_err(progname, EINVAL, - "invalid search scope while creating realm '%s'", - global_params.realm); - goto err_nomsg; - } - } - mask |= LDAP_REALM_SEARCHSCOPE; - } + if (!strcmp(argv[i], "-subtrees")) { + if (++i > argc-1) + goto err_usage; + + if (strncmp(argv[i], "", strlen(argv[i]))!=0) { + list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *)); + if (list == NULL) { + retval = ENOMEM; + goto cleanup; + } + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + free(list); + list = NULL; + goto cleanup; + } + + rparams->subtreecount=0; + while (list[rparams->subtreecount]!=NULL) + (rparams->subtreecount)++; + rparams->subtree = list; + } else if (strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow subtree value to be set at the root(NULL, "") of the tree */ + com_err(progname, EINVAL, + "for subtree while creating realm '%s'", + global_params.realm); + goto err_nomsg; + } + rparams->subtree[rparams->subtreecount] = NULL; + mask |= LDAP_REALM_SUBTREE; + } else if (!strcmp(argv[i], "-containerref")) { + if (++i > argc-1) + goto err_usage; + if (strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow containerref value to be set at the root(NULL, "") of the tree */ + com_err(progname, EINVAL, + "for container reference while creating realm '%s'", + global_params.realm); + goto err_nomsg; + } + rparams->containerref = strdup(argv[i]); + if (rparams->containerref == NULL) { + retval = ENOMEM; + goto cleanup; + } + mask |= LDAP_REALM_CONTREF; + } else if (!strcmp(argv[i], "-sscope")) { + if (++i > argc-1) + goto err_usage; + /* Possible values for search scope are + * one (or 1) and sub (or 2) + */ + if (!strcasecmp(argv[i], "one")) { + rparams->search_scope = 1; + } else if (!strcasecmp(argv[i], "sub")) { + rparams->search_scope = 2; + } else { + rparams->search_scope = atoi(argv[i]); + if ((rparams->search_scope != 1) && + (rparams->search_scope != 2)) { + com_err(progname, EINVAL, + "invalid search scope while creating realm '%s'", + global_params.realm); + goto err_nomsg; + } + } + mask |= LDAP_REALM_SEARCHSCOPE; + } #ifdef HAVE_EDIRECTORY - else if (!strcmp(argv[i], "-kdcdn")) { - if (++i > argc-1) - goto err_usage; - rparams->kdcservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->kdcservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->kdcservers))) { - goto cleanup; - } - mask |= LDAP_REALM_KDCSERVERS; - } else if (!strcmp(argv[i], "-admindn")) { - if (++i > argc-1) - goto err_usage; - rparams->adminservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->adminservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->adminservers))) { - goto cleanup; - } - mask |= LDAP_REALM_ADMINSERVERS; - } else if (!strcmp(argv[i], "-pwddn")) { - if (++i > argc-1) - goto err_usage; - rparams->passwdservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->passwdservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->passwdservers))) { - goto cleanup; - } - mask |= LDAP_REALM_PASSWDSERVERS; - } + else if (!strcmp(argv[i], "-kdcdn")) { + if (++i > argc-1) + goto err_usage; + rparams->kdcservers = (char **)malloc( + sizeof(char *) * MAX_LIST_ENTRIES); + if (rparams->kdcservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + rparams->kdcservers))) { + goto cleanup; + } + mask |= LDAP_REALM_KDCSERVERS; + } else if (!strcmp(argv[i], "-admindn")) { + if (++i > argc-1) + goto err_usage; + rparams->adminservers = (char **)malloc( + sizeof(char *) * MAX_LIST_ENTRIES); + if (rparams->adminservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + rparams->adminservers))) { + goto cleanup; + } + mask |= LDAP_REALM_ADMINSERVERS; + } else if (!strcmp(argv[i], "-pwddn")) { + if (++i > argc-1) + goto err_usage; + rparams->passwdservers = (char **)malloc( + sizeof(char *) * MAX_LIST_ENTRIES); + if (rparams->passwdservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + rparams->passwdservers))) { + goto cleanup; + } + mask |= LDAP_REALM_PASSWDSERVERS; + } #endif - else if (!strcmp(argv[i], "-s")) { - do_stash = 1; - } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { - mask|=ret_mask; - } + else if (!strcmp(argv[i], "-s")) { + do_stash = 1; + } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { + mask|=ret_mask; + } - else { - printf("'%s' is an invalid option\n", argv[i]); - goto err_usage; - } + else { + printf("'%s' is an invalid option\n", argv[i]); + goto err_usage; + } } /* If the default enctype/salttype is not provided, use the @@ -496,21 +494,21 @@ void kdb5_ldap_create(argc, argv) printf("Initializing database for realm '%s'\n", global_params.realm); if (!mkey_password) { - unsigned int pw_size; - printf("You will be prompted for the database Master Password.\n"); - printf("It is important that you NOT FORGET this password.\n"); - fflush(stdout); - - pw_size = sizeof (pw_str); - memset(pw_str, 0, pw_size); - - retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, - pw_str, &pw_size); - if (retval) { - com_err(progname, retval, "while reading master key from keyboard"); - goto err_nomsg; - } - mkey_password = pw_str; + unsigned int pw_size; + printf("You will be prompted for the database Master Password.\n"); + printf("It is important that you NOT FORGET this password.\n"); + fflush(stdout); + + pw_size = sizeof (pw_str); + memset(pw_str, 0, pw_size); + + retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, + pw_str, &pw_size); + if (retval) { + com_err(progname, retval, "while reading master key from keyboard"); + goto err_nomsg; + } + mkey_password = pw_str; } rparams->mkey.enctype = global_params.enctype; @@ -518,335 +516,335 @@ void kdb5_ldap_create(argc, argv) rparams->mkey.length = strlen(mkey_password) + 1; rparams->mkey.contents = (krb5_octet *)strdup(mkey_password); if (rparams->mkey.contents == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } rparams->realm_name = strdup(global_params.realm); if (rparams->realm_name == NULL) { - retval = ENOMEM; - com_err(progname, ENOMEM, "while creating realm '%s'", - global_params.realm); - goto err_nomsg; + retval = ENOMEM; + com_err(progname, ENOMEM, "while creating realm '%s'", + global_params.realm); + goto err_nomsg; } dal_handle = util_context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!ldap_context) { - retval = EINVAL; - goto cleanup; + retval = EINVAL; + goto cleanup; } /* read the kerberos container */ if ((retval=krb5_ldap_read_krbcontainer_params (util_context, - &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) { - /* Prompt the user for entering the DN of Kerberos container */ - char krb_location[MAX_KRB_CONTAINER_LEN]; - krb5_ldap_krbcontainer_params kparams; - int krb_location_len = 0; - memset(&kparams, 0, sizeof(kparams)); - - /* Read the kerberos container location from configuration file */ - if (ldap_context->conf_section) { - if ((retval=profile_get_string(util_context->profile, - KDB_MODULE_SECTION, ldap_context->conf_section, - "ldap_kerberos_container_dn", NULL, - &kparams.DN)) != 0) { - goto cleanup; - } - } - if (kparams.DN == NULL) { - if ((retval=profile_get_string(util_context->profile, - KDB_MODULE_DEF_SECTION, - "ldap_kerberos_container_dn", NULL, - NULL, &kparams.DN)) != 0) { - goto cleanup; - } - } - - printf("\nKerberos container is missing. Creating now...\n"); - if (kparams.DN == NULL) { + &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) { + /* Prompt the user for entering the DN of Kerberos container */ + char krb_location[MAX_KRB_CONTAINER_LEN]; + krb5_ldap_krbcontainer_params kparams; + int krb_location_len = 0; + memset(&kparams, 0, sizeof(kparams)); + + /* Read the kerberos container location from configuration file */ + if (ldap_context->conf_section) { + if ((retval=profile_get_string(util_context->profile, + KDB_MODULE_SECTION, ldap_context->conf_section, + "ldap_kerberos_container_dn", NULL, + &kparams.DN)) != 0) { + goto cleanup; + } + } + if (kparams.DN == NULL) { + if ((retval=profile_get_string(util_context->profile, + KDB_MODULE_DEF_SECTION, + "ldap_kerberos_container_dn", NULL, + NULL, &kparams.DN)) != 0) { + goto cleanup; + } + } + + printf("\nKerberos container is missing. Creating now...\n"); + if (kparams.DN == NULL) { #ifdef HAVE_EDIRECTORY - printf("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: "); + printf("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: "); #else - printf("Enter DN of Kerberos container: "); + printf("Enter DN of Kerberos container: "); #endif - if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) { - /* Remove the newline character at the end */ - krb_location_len = strlen(krb_location); - if ((krb_location[krb_location_len - 1] == '\n') || - (krb_location[krb_location_len - 1] == '\r')) { - krb_location[krb_location_len - 1] = '\0'; - krb_location_len--; - } - /* If the user has not given any input, take the default location */ - else if (krb_location[0] == '\0') - kparams.DN = NULL; - else - kparams.DN = krb_location; - } else - kparams.DN = NULL; - } - - /* create the kerberos container */ - retval = krb5_ldap_create_krbcontainer(util_context, - ((kparams.DN != NULL) ? &kparams : NULL)); - if (retval) - goto cleanup; - - retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)); - if (retval) { - com_err(progname, retval, "while reading kerberos container information"); - goto cleanup; - } + if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) { + /* Remove the newline character at the end */ + krb_location_len = strlen(krb_location); + if ((krb_location[krb_location_len - 1] == '\n') || + (krb_location[krb_location_len - 1] == '\r')) { + krb_location[krb_location_len - 1] = '\0'; + krb_location_len--; + } + /* If the user has not given any input, take the default location */ + else if (krb_location[0] == '\0') + kparams.DN = NULL; + else + kparams.DN = krb_location; + } else + kparams.DN = NULL; + } + + /* create the kerberos container */ + retval = krb5_ldap_create_krbcontainer(util_context, + ((kparams.DN != NULL) ? &kparams : NULL)); + if (retval) + goto cleanup; + + retval = krb5_ldap_read_krbcontainer_params(util_context, + &(ldap_context->krbcontainer)); + if (retval) { + com_err(progname, retval, "while reading kerberos container information"); + goto cleanup; + } } else if (retval) { - com_err(progname, retval, "while reading kerberos container information"); - goto cleanup; + com_err(progname, retval, "while reading kerberos container information"); + goto cleanup; } if ((retval = krb5_ldap_create_realm(util_context, - /* global_params.realm, */ rparams, mask))) { - goto cleanup; + /* global_params.realm, */ rparams, mask))) { + goto cleanup; } /* We just created the Realm container. Here starts our transaction tracking */ realm_obj_created = TRUE; if ((retval = krb5_ldap_read_realm_params(util_context, - global_params.realm, - &(ldap_context->lrparams), - &mask))) { - com_err(progname, retval, "while reading information of realm '%s'", - global_params.realm); - goto err_nomsg; + global_params.realm, + &(ldap_context->lrparams), + &mask))) { + com_err(progname, retval, "while reading information of realm '%s'", + global_params.realm); + goto err_nomsg; } ldap_context->lrparams->realm_name = strdup(global_params.realm); if (ldap_context->lrparams->realm_name == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } /* assemble & parse the master key name */ if ((retval = krb5_db_setup_mkey_name(util_context, - global_params.mkey_name, - global_params.realm, - 0, &master_princ))) { - com_err(progname, retval, "while setting up master key name"); - goto err_nomsg; + global_params.mkey_name, + global_params.realm, + 0, &master_princ))) { + com_err(progname, retval, "while setting up master key name"); + goto err_nomsg; } /* Obtain master key from master password */ { - krb5_data master_salt, pwd; - - pwd.data = mkey_password; - pwd.length = strlen(mkey_password); - retval = krb5_principal2salt(util_context, master_princ, &master_salt); - if (retval) { - com_err(progname, retval, "while calculating master key salt"); - goto err_nomsg; - } + krb5_data master_salt, pwd; + + pwd.data = mkey_password; + pwd.length = strlen(mkey_password); + retval = krb5_principal2salt(util_context, master_princ, &master_salt); + if (retval) { + com_err(progname, retval, "while calculating master key salt"); + goto err_nomsg; + } - retval = krb5_c_string_to_key(util_context, rparams->mkey.enctype, - &pwd, &master_salt, &master_keyblock); + retval = krb5_c_string_to_key(util_context, rparams->mkey.enctype, + &pwd, &master_salt, &master_keyblock); - if (master_salt.data) - free(master_salt.data); + if (master_salt.data) + free(master_salt.data); - if (retval) { - com_err(progname, retval, "while transforming master key from password"); - goto err_nomsg; - } + if (retval) { + com_err(progname, retval, "while transforming master key from password"); + goto err_nomsg; + } } rblock.key = &master_keyblock; ldap_context->lrparams->mkey = master_keyblock; ldap_context->lrparams->mkey.contents = (krb5_octet *) malloc - (master_keyblock.length); + (master_keyblock.length); if (ldap_context->lrparams->mkey.contents == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } memcpy (ldap_context->lrparams->mkey.contents, master_keyblock.contents, - master_keyblock.length); + master_keyblock.length); /* Create special principals inside the realm subtree */ { - char princ_name[MAX_PRINC_SIZE]; - krb5_principal_data tgt_princ = { - 0, /* magic number */ - {0, 0, 0}, /* krb5_data realm */ - tgt_princ_entries, /* krb5_data *data */ - 2, /* int length */ - KRB5_NT_SRV_INST /* int type */ - }; - krb5_principal p, temp_p=NULL; - - krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm); - krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm)); - krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm; - krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm); - /* The container reference value is set to NULL, to avoid service principals - * getting created within the container reference at realm creation */ - if (ldap_context->lrparams->containerref != NULL) { - oldcontainerref = ldap_context->lrparams->containerref; - ldap_context->lrparams->containerref = NULL; - } - - /* Create 'K/M' ... */ - rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX; - if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) { - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - - /* Create 'krbtgt' ... */ - rblock.flags = 0; /* reset the flags */ - if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) { - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - - /* Create 'kadmin/admin' ... */ - snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm); - if ((retval = krb5_parse_name(util_context, princ_name, &p))) { - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - rblock.max_life = ADMIN_LIFETIME; - rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; - if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { - krb5_free_principal(util_context, p); - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - krb5_free_principal(util_context, p); - - /* Create 'kadmin/changepw' ... */ - snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm); - if ((retval = krb5_parse_name(util_context, princ_name, &p))) { - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - rblock.max_life = CHANGEPW_LIFETIME; - rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | - KRB5_KDB_PWCHANGE_SERVICE; - if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { - krb5_free_principal(util_context, p); - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - krb5_free_principal(util_context, p); - - /* Create 'kadmin/history' ... */ - snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm); - if ((retval = krb5_parse_name(util_context, princ_name, &p))) { - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - rblock.max_life = global_params.max_life; - rblock.flags = 0; - if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { - krb5_free_principal(util_context, p); - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - krb5_free_principal(util_context, p); - - /* Create 'kadmin/' ... */ - if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) { - com_err(progname, retval, "krb5_sname_to_principal, while adding entries to the database"); - goto err_nomsg; - } - - if ((retval=krb5_copy_principal(util_context, p, &temp_p))) { - com_err(progname, retval, "krb5_copy_principal, while adding entries to the database"); - goto err_nomsg; - } - - /* change the realm portion to the default realm */ - free(temp_p->realm.data); - temp_p->realm.length = strlen(util_context->default_realm); - temp_p->realm.data = strdup(util_context->default_realm); - if (temp_p->realm.data == NULL) { - com_err(progname, ENOMEM, "while adding entries to the database"); - goto err_nomsg; - } - - rblock.max_life = ADMIN_LIFETIME; - rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; - if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) { - krb5_free_principal(util_context, p); - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - krb5_free_principal(util_context, temp_p); - krb5_free_principal(util_context, p); - - if (oldcontainerref != NULL) { - ldap_context->lrparams->containerref = oldcontainerref; - oldcontainerref=NULL; - } + char princ_name[MAX_PRINC_SIZE]; + krb5_principal_data tgt_princ = { + 0, /* magic number */ + {0, 0, 0}, /* krb5_data realm */ + tgt_princ_entries, /* krb5_data *data */ + 2, /* int length */ + KRB5_NT_SRV_INST /* int type */ + }; + krb5_principal p, temp_p=NULL; + + krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm); + krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm)); + krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm; + krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm); + /* The container reference value is set to NULL, to avoid service principals + * getting created within the container reference at realm creation */ + if (ldap_context->lrparams->containerref != NULL) { + oldcontainerref = ldap_context->lrparams->containerref; + ldap_context->lrparams->containerref = NULL; + } + + /* Create 'K/M' ... */ + rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX; + if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) { + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + + /* Create 'krbtgt' ... */ + rblock.flags = 0; /* reset the flags */ + if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) { + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + + /* Create 'kadmin/admin' ... */ + snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm); + if ((retval = krb5_parse_name(util_context, princ_name, &p))) { + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + rblock.max_life = ADMIN_LIFETIME; + rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; + if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { + krb5_free_principal(util_context, p); + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + krb5_free_principal(util_context, p); + + /* Create 'kadmin/changepw' ... */ + snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm); + if ((retval = krb5_parse_name(util_context, princ_name, &p))) { + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + rblock.max_life = CHANGEPW_LIFETIME; + rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | + KRB5_KDB_PWCHANGE_SERVICE; + if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { + krb5_free_principal(util_context, p); + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + krb5_free_principal(util_context, p); + + /* Create 'kadmin/history' ... */ + snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm); + if ((retval = krb5_parse_name(util_context, princ_name, &p))) { + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + rblock.max_life = global_params.max_life; + rblock.flags = 0; + if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { + krb5_free_principal(util_context, p); + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + krb5_free_principal(util_context, p); + + /* Create 'kadmin/' ... */ + if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) { + com_err(progname, retval, "krb5_sname_to_principal, while adding entries to the database"); + goto err_nomsg; + } + + if ((retval=krb5_copy_principal(util_context, p, &temp_p))) { + com_err(progname, retval, "krb5_copy_principal, while adding entries to the database"); + goto err_nomsg; + } + + /* change the realm portion to the default realm */ + free(temp_p->realm.data); + temp_p->realm.length = strlen(util_context->default_realm); + temp_p->realm.data = strdup(util_context->default_realm); + if (temp_p->realm.data == NULL) { + com_err(progname, ENOMEM, "while adding entries to the database"); + goto err_nomsg; + } + + rblock.max_life = ADMIN_LIFETIME; + rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; + if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) { + krb5_free_principal(util_context, p); + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + krb5_free_principal(util_context, temp_p); + krb5_free_principal(util_context, p); + + if (oldcontainerref != NULL) { + ldap_context->lrparams->containerref = oldcontainerref; + oldcontainerref=NULL; + } } #ifdef HAVE_EDIRECTORY if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) || - (mask & LDAP_REALM_PASSWDSERVERS)) { - - printf("Changing rights for the service object. Please wait ... "); - fflush(stdout); - - rightsmask =0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->kdcservers != NULL)) { - for (i=0; (rparams->kdcservers[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, rparams->kdcservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } - - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->adminservers != NULL)) { - for (i=0; (rparams->adminservers[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, rparams->adminservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } - - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->passwdservers != NULL)) { - for (i=0; (rparams->passwdservers[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, rparams->passwdservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } - - printf("done\n"); + (mask & LDAP_REALM_PASSWDSERVERS)) { + + printf("Changing rights for the service object. Please wait ... "); + fflush(stdout); + + rightsmask =0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->kdcservers != NULL)) { + for (i=0; (rparams->kdcservers[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_KDC_SERVICE, rparams->kdcservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } + + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->adminservers != NULL)) { + for (i=0; (rparams->adminservers[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_ADMIN_SERVICE, rparams->adminservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } + + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->passwdservers != NULL)) { + for (i=0; (rparams->passwdservers[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_PASSWD_SERVICE, rparams->passwdservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } + + printf("done\n"); } #endif /* The Realm creation is completed. Here is the end of transaction */ @@ -864,15 +862,15 @@ void kdb5_ldap_create(argc, argv) else mkey_kvno = 1; /* Default */ - retval = krb5_def_store_mkey(util_context, - global_params.stash_file, - master_princ, + retval = krb5_def_store_mkey(util_context, + global_params.stash_file, + master_princ, mkey_kvno, - &master_keyblock, NULL); - if (retval) { - com_err(progname, errno, "while storing key"); - printf("Warning: couldn't stash master key.\n"); - } + &master_keyblock, NULL); + if (retval) { + com_err(progname, errno, "while storing key"); + printf("Warning: couldn't stash master key.\n"); + } } goto cleanup; @@ -887,22 +885,22 @@ err_nomsg: cleanup: /* If the Realm creation is not complete, do the roll-back here */ if ((realm_obj_created) && (!create_complete)) - krb5_ldap_delete_realm(util_context, global_params.realm); + krb5_ldap_delete_realm(util_context, global_params.realm); if (rparams) - krb5_ldap_free_realm_params(rparams); + krb5_ldap_free_realm_params(rparams); memset (pw_str, 0, sizeof (pw_str)); if (print_usage) - db_usage(CREATE_REALM); + db_usage(CREATE_REALM); if (retval) { - if (!no_msg) { - com_err(progname, retval, "while creating realm '%s'", - global_params.realm); - } - exit_status++; + if (!no_msg) { + com_err(progname, retval, "while creating realm '%s'", + global_params.realm); + } + exit_status++; } return; @@ -912,9 +910,8 @@ cleanup: /* * This function will modify the attributes of a given realm object */ -void kdb5_ldap_modify(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_modify(int argc, char *argv[]) { krb5_error_code retval = 0; krb5_ldap_realm_params *rparams = NULL; @@ -947,514 +944,514 @@ void kdb5_ldap_modify(argc, argv) dal_handle = util_context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!(ldap_context)) { - retval = EINVAL; - goto cleanup; + retval = EINVAL; + goto cleanup; } if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)))) { - com_err(progname, retval, "while reading Kerberos container information"); - goto err_nomsg; + &(ldap_context->krbcontainer)))) { + com_err(progname, retval, "while reading Kerberos container information"); + goto err_nomsg; } retval = krb5_ldap_read_realm_params(util_context, - global_params.realm, &rparams, &rmask); + global_params.realm, &rparams, &rmask); if (retval) - goto cleanup; + goto cleanup; /* Parse the arguments */ for (i = 1; i < argc; i++) { - int k = 0; - if (!strcmp(argv[i], "-subtrees")) { - if (++i > argc-1) - goto err_usage; + int k = 0; + if (!strcmp(argv[i], "-subtrees")) { + if (++i > argc-1) + goto err_usage; - if (rmask & LDAP_REALM_SUBTREE) { - if (rparams->subtree) { + if (rmask & LDAP_REALM_SUBTREE) { + if (rparams->subtree) { #ifdef HAVE_EDIRECTORY - oldsubtrees = (char **) calloc(rparams->subtreecount+1, sizeof(char *)); - if (oldsubtrees == NULL) { - retval = ENOMEM; - goto cleanup; - } - for (k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) { - oldsubtrees[k] = strdup(rparams->subtree[k]); - if (oldsubtrees[k] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } + oldsubtrees = (char **) calloc(rparams->subtreecount+1, sizeof(char *)); + if (oldsubtrees == NULL) { + retval = ENOMEM; + goto cleanup; + } + for (k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) { + oldsubtrees[k] = strdup(rparams->subtree[k]); + if (oldsubtrees[k] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } #endif - for (k=0; ksubtreecount && rparams->subtree[k]; k++) - free(rparams->subtree[k]); - rparams->subtreecount=0; - } - } - if (strncmp(argv[i] ,"", strlen(argv[i]))!=0) { - slist = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *)); - if (slist == NULL) { - retval = ENOMEM; - goto cleanup; - } - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) { - free(slist); - slist = NULL; - goto cleanup; - } - - rparams->subtreecount=0; - while (slist[rparams->subtreecount]!=NULL) - (rparams->subtreecount)++; - rparams->subtree = slist; - } else if (strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow subtree value to be set at the root(NULL, "") of the tree */ - com_err(progname, EINVAL, - "for subtree while modifying realm '%s'", - global_params.realm); - goto err_nomsg; - } - rparams->subtree[rparams->subtreecount] = NULL; - mask |= LDAP_REALM_SUBTREE; - } else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) { - if (++i > argc-1) - goto err_usage; - if (strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow containerref value to be set at the root(NULL, "") of the tree */ - com_err(progname, EINVAL, - "for container reference while modifying realm '%s'", - global_params.realm); - goto err_nomsg; - } + for (k=0; ksubtreecount && rparams->subtree[k]; k++) + free(rparams->subtree[k]); + rparams->subtreecount=0; + } + } + if (strncmp(argv[i] ,"", strlen(argv[i]))!=0) { + slist = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *)); + if (slist == NULL) { + retval = ENOMEM; + goto cleanup; + } + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) { + free(slist); + slist = NULL; + goto cleanup; + } + + rparams->subtreecount=0; + while (slist[rparams->subtreecount]!=NULL) + (rparams->subtreecount)++; + rparams->subtree = slist; + } else if (strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow subtree value to be set at the root(NULL, "") of the tree */ + com_err(progname, EINVAL, + "for subtree while modifying realm '%s'", + global_params.realm); + goto err_nomsg; + } + rparams->subtree[rparams->subtreecount] = NULL; + mask |= LDAP_REALM_SUBTREE; + } else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) { + if (++i > argc-1) + goto err_usage; + if (strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow containerref value to be set at the root(NULL, "") of the tree */ + com_err(progname, EINVAL, + "for container reference while modifying realm '%s'", + global_params.realm); + goto err_nomsg; + } #ifdef HAVE_EDIRECTORY if (rparams->containerref != NULL) { oldcontainerref = rparams->containerref; } #endif - rparams->containerref = strdup(argv[i]); - if (rparams->containerref == NULL) { - retval = ENOMEM; - goto cleanup; - } - mask |= LDAP_REALM_CONTREF; - } else if (!strcmp(argv[i], "-sscope")) { - if (++i > argc-1) - goto err_usage; - /* Possible values for search scope are - * one (or 1) and sub (or 2) - */ - if (strcasecmp(argv[i], "one") == 0) { - rparams->search_scope = 1; - } else if (strcasecmp(argv[i], "sub") == 0) { - rparams->search_scope = 2; - } else { - rparams->search_scope = atoi(argv[i]); - if ((rparams->search_scope != 1) && - (rparams->search_scope != 2)) { - retval = EINVAL; - com_err(progname, retval, - "specified for search scope while modifying information of realm '%s'", - global_params.realm); - goto err_nomsg; - } - } - mask |= LDAP_REALM_SEARCHSCOPE; - } + rparams->containerref = strdup(argv[i]); + if (rparams->containerref == NULL) { + retval = ENOMEM; + goto cleanup; + } + mask |= LDAP_REALM_CONTREF; + } else if (!strcmp(argv[i], "-sscope")) { + if (++i > argc-1) + goto err_usage; + /* Possible values for search scope are + * one (or 1) and sub (or 2) + */ + if (strcasecmp(argv[i], "one") == 0) { + rparams->search_scope = 1; + } else if (strcasecmp(argv[i], "sub") == 0) { + rparams->search_scope = 2; + } else { + rparams->search_scope = atoi(argv[i]); + if ((rparams->search_scope != 1) && + (rparams->search_scope != 2)) { + retval = EINVAL; + com_err(progname, retval, + "specified for search scope while modifying information of realm '%s'", + global_params.realm); + goto err_nomsg; + } + } + mask |= LDAP_REALM_SEARCHSCOPE; + } #ifdef HAVE_EDIRECTORY - else if (!strcmp(argv[i], "-kdcdn")) { - if (++i > argc-1) - goto err_usage; - - if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) { - if (!oldkdcdns) { - /* Store the old kdc dns list for removing rights */ - oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldkdcdns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->kdcservers[j] != NULL; j++) { - oldkdcdns[j] = strdup(rparams->kdcservers[j]); - if (oldkdcdns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldkdcdns[j] = NULL; - } - - krb5_free_list_entries(rparams->kdcservers); - free(rparams->kdcservers); - } - - rparams->kdcservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->kdcservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->kdcservers))) { - goto cleanup; - } - mask |= LDAP_REALM_KDCSERVERS; - /* Going to replace the existing value by this new value. Hence - * setting flag indicating that add or clear options will be ignored - */ - newkdcdn = 1; - } else if (!strcmp(argv[i], "-clearkdcdn")) { - if (++i > argc-1) - goto err_usage; - if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) { - if (!oldkdcdns) { - /* Store the old kdc dns list for removing rights */ - oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldkdcdns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->kdcservers[j] != NULL; j++) { - oldkdcdns[j] = strdup(rparams->kdcservers[j]); - if (oldkdcdns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldkdcdns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - list_modify_str_array(&rparams->kdcservers, (const char **)list, - LIST_MODE_DELETE); - mask |= LDAP_REALM_KDCSERVERS; - krb5_free_list_entries(list); - } - } else if (!strcmp(argv[i], "-addkdcdn")) { - if (++i > argc-1) - goto err_usage; - if (!newkdcdn) { - if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) { - /* Store the old kdc dns list for removing rights */ - oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldkdcdns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j = 0; rparams->kdcservers[j] != NULL; j++) { - oldkdcdns[j] = strdup(rparams->kdcservers[j]); - if (oldkdcdns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldkdcdns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - existing_entries = list_count_str_array(rparams->kdcservers); - list_entries = list_count_str_array(list); - if (rmask & LDAP_REALM_KDCSERVERS) { - tempstr = (char **)realloc( - rparams->kdcservers, - sizeof(char *) * (existing_entries+list_entries+1)); - if (tempstr == NULL) { - retval = ENOMEM; - goto cleanup; - } - rparams->kdcservers = tempstr; - } else { - rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1)); - if (rparams->kdcservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1)); - } - list_modify_str_array(&rparams->kdcservers, (const char **)list, - LIST_MODE_ADD); - mask |= LDAP_REALM_KDCSERVERS; - } - } else if (!strcmp(argv[i], "-admindn")) { - if (++i > argc-1) - goto err_usage; - - if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) { - if (!oldadmindns) { - /* Store the old admin dns list for removing rights */ - oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldadmindns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->adminservers[j] != NULL; j++) { - oldadmindns[j] = strdup(rparams->adminservers[j]); - if (oldadmindns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldadmindns[j] = NULL; - } - - krb5_free_list_entries(rparams->adminservers); - free(rparams->adminservers); - } - - rparams->adminservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->adminservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->adminservers))) { - goto cleanup; - } - mask |= LDAP_REALM_ADMINSERVERS; - /* Going to replace the existing value by this new value. Hence - * setting flag indicating that add or clear options will be ignored - */ - newadmindn = 1; - } else if (!strcmp(argv[i], "-clearadmindn")) { - if (++i > argc-1) - goto err_usage; - - if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) { - if (!oldadmindns) { - /* Store the old admin dns list for removing rights */ - oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldadmindns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->adminservers[j] != NULL; j++) { - oldadmindns[j] = strdup(rparams->adminservers[j]); - if (oldadmindns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldadmindns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - list_modify_str_array(&rparams->adminservers, (const char **)list, - LIST_MODE_DELETE); - mask |= LDAP_REALM_ADMINSERVERS; - krb5_free_list_entries(list); - } - } else if (!strcmp(argv[i], "-addadmindn")) { - if (++i > argc-1) - goto err_usage; - if (!newadmindn) { - if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) { - /* Store the old admin dns list for removing rights */ - oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldadmindns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->adminservers[j] != NULL; j++) { - oldadmindns[j] = strdup(rparams->adminservers[j]); - if (oldadmindns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldadmindns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - existing_entries = list_count_str_array(rparams->adminservers); - list_entries = list_count_str_array(list); - if (rmask & LDAP_REALM_ADMINSERVERS) { - tempstr = (char **)realloc( - rparams->adminservers, - sizeof(char *) * (existing_entries+list_entries+1)); - if (tempstr == NULL) { - retval = ENOMEM; - goto cleanup; - } - rparams->adminservers = tempstr; - } else { - rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1)); - if (rparams->adminservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1)); - } - list_modify_str_array(&rparams->adminservers, (const char **)list, - LIST_MODE_ADD); - mask |= LDAP_REALM_ADMINSERVERS; - } - } else if (!strcmp(argv[i], "-pwddn")) { - if (++i > argc-1) - goto err_usage; - - if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) { - if (!oldpwddns) { - /* Store the old pwd dns list for removing rights */ - oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldpwddns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->passwdservers[j] != NULL; j++) { - oldpwddns[j] = strdup(rparams->passwdservers[j]); - if (oldpwddns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldpwddns[j] = NULL; - } - - krb5_free_list_entries(rparams->passwdservers); - free(rparams->passwdservers); - } - - rparams->passwdservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->passwdservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->passwdservers))) { - goto cleanup; - } - mask |= LDAP_REALM_PASSWDSERVERS; - /* Going to replace the existing value by this new value. Hence - * setting flag indicating that add or clear options will be ignored - */ - newpwddn = 1; - } else if (!strcmp(argv[i], "-clearpwddn")) { - if (++i > argc-1) - goto err_usage; - - if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) { - if (!oldpwddns) { - /* Store the old pwd dns list for removing rights */ - oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldpwddns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->passwdservers[j] != NULL; j++) { - oldpwddns[j] = strdup(rparams->passwdservers[j]); - if (oldpwddns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldpwddns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - list_modify_str_array(&rparams->passwdservers, (const char**)list, - LIST_MODE_DELETE); - mask |= LDAP_REALM_PASSWDSERVERS; - krb5_free_list_entries(list); - } - } else if (!strcmp(argv[i], "-addpwddn")) { - if (++i > argc-1) - goto err_usage; - if (!newpwddn) { - if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) { - /* Store the old pwd dns list for removing rights */ - oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldpwddns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->passwdservers[j] != NULL; j++) { - oldpwddns[j] = strdup(rparams->passwdservers[j]); - if (oldpwddns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldpwddns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - existing_entries = list_count_str_array(rparams->passwdservers); - list_entries = list_count_str_array(list); - if (rmask & LDAP_REALM_PASSWDSERVERS) { - tempstr = (char **)realloc( - rparams->passwdservers, - sizeof(char *) * (existing_entries+list_entries+1)); - if (tempstr == NULL) { - retval = ENOMEM; - goto cleanup; - } - rparams->passwdservers = tempstr; - } else { - rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1)); - if (rparams->passwdservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1)); - } - list_modify_str_array(&rparams->passwdservers, (const char**)list, - LIST_MODE_ADD); - mask |= LDAP_REALM_PASSWDSERVERS; - } - } + else if (!strcmp(argv[i], "-kdcdn")) { + if (++i > argc-1) + goto err_usage; + + if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) { + if (!oldkdcdns) { + /* Store the old kdc dns list for removing rights */ + oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldkdcdns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->kdcservers[j] != NULL; j++) { + oldkdcdns[j] = strdup(rparams->kdcservers[j]); + if (oldkdcdns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldkdcdns[j] = NULL; + } + + krb5_free_list_entries(rparams->kdcservers); + free(rparams->kdcservers); + } + + rparams->kdcservers = (char **)malloc( + sizeof(char *) * MAX_LIST_ENTRIES); + if (rparams->kdcservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + rparams->kdcservers))) { + goto cleanup; + } + mask |= LDAP_REALM_KDCSERVERS; + /* Going to replace the existing value by this new value. Hence + * setting flag indicating that add or clear options will be ignored + */ + newkdcdn = 1; + } else if (!strcmp(argv[i], "-clearkdcdn")) { + if (++i > argc-1) + goto err_usage; + if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) { + if (!oldkdcdns) { + /* Store the old kdc dns list for removing rights */ + oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldkdcdns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->kdcservers[j] != NULL; j++) { + oldkdcdns[j] = strdup(rparams->kdcservers[j]); + if (oldkdcdns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldkdcdns[j] = NULL; + } + + memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + goto cleanup; + } + list_modify_str_array(&rparams->kdcservers, (const char **)list, + LIST_MODE_DELETE); + mask |= LDAP_REALM_KDCSERVERS; + krb5_free_list_entries(list); + } + } else if (!strcmp(argv[i], "-addkdcdn")) { + if (++i > argc-1) + goto err_usage; + if (!newkdcdn) { + if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) { + /* Store the old kdc dns list for removing rights */ + oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldkdcdns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j = 0; rparams->kdcservers[j] != NULL; j++) { + oldkdcdns[j] = strdup(rparams->kdcservers[j]); + if (oldkdcdns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldkdcdns[j] = NULL; + } + + memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + goto cleanup; + } + existing_entries = list_count_str_array(rparams->kdcservers); + list_entries = list_count_str_array(list); + if (rmask & LDAP_REALM_KDCSERVERS) { + tempstr = (char **)realloc( + rparams->kdcservers, + sizeof(char *) * (existing_entries+list_entries+1)); + if (tempstr == NULL) { + retval = ENOMEM; + goto cleanup; + } + rparams->kdcservers = tempstr; + } else { + rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1)); + if (rparams->kdcservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1)); + } + list_modify_str_array(&rparams->kdcservers, (const char **)list, + LIST_MODE_ADD); + mask |= LDAP_REALM_KDCSERVERS; + } + } else if (!strcmp(argv[i], "-admindn")) { + if (++i > argc-1) + goto err_usage; + + if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) { + if (!oldadmindns) { + /* Store the old admin dns list for removing rights */ + oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldadmindns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->adminservers[j] != NULL; j++) { + oldadmindns[j] = strdup(rparams->adminservers[j]); + if (oldadmindns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldadmindns[j] = NULL; + } + + krb5_free_list_entries(rparams->adminservers); + free(rparams->adminservers); + } + + rparams->adminservers = (char **)malloc( + sizeof(char *) * MAX_LIST_ENTRIES); + if (rparams->adminservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + rparams->adminservers))) { + goto cleanup; + } + mask |= LDAP_REALM_ADMINSERVERS; + /* Going to replace the existing value by this new value. Hence + * setting flag indicating that add or clear options will be ignored + */ + newadmindn = 1; + } else if (!strcmp(argv[i], "-clearadmindn")) { + if (++i > argc-1) + goto err_usage; + + if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) { + if (!oldadmindns) { + /* Store the old admin dns list for removing rights */ + oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldadmindns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->adminservers[j] != NULL; j++) { + oldadmindns[j] = strdup(rparams->adminservers[j]); + if (oldadmindns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldadmindns[j] = NULL; + } + + memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + goto cleanup; + } + list_modify_str_array(&rparams->adminservers, (const char **)list, + LIST_MODE_DELETE); + mask |= LDAP_REALM_ADMINSERVERS; + krb5_free_list_entries(list); + } + } else if (!strcmp(argv[i], "-addadmindn")) { + if (++i > argc-1) + goto err_usage; + if (!newadmindn) { + if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) { + /* Store the old admin dns list for removing rights */ + oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldadmindns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->adminservers[j] != NULL; j++) { + oldadmindns[j] = strdup(rparams->adminservers[j]); + if (oldadmindns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldadmindns[j] = NULL; + } + + memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + goto cleanup; + } + existing_entries = list_count_str_array(rparams->adminservers); + list_entries = list_count_str_array(list); + if (rmask & LDAP_REALM_ADMINSERVERS) { + tempstr = (char **)realloc( + rparams->adminservers, + sizeof(char *) * (existing_entries+list_entries+1)); + if (tempstr == NULL) { + retval = ENOMEM; + goto cleanup; + } + rparams->adminservers = tempstr; + } else { + rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1)); + if (rparams->adminservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1)); + } + list_modify_str_array(&rparams->adminservers, (const char **)list, + LIST_MODE_ADD); + mask |= LDAP_REALM_ADMINSERVERS; + } + } else if (!strcmp(argv[i], "-pwddn")) { + if (++i > argc-1) + goto err_usage; + + if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) { + if (!oldpwddns) { + /* Store the old pwd dns list for removing rights */ + oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldpwddns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->passwdservers[j] != NULL; j++) { + oldpwddns[j] = strdup(rparams->passwdservers[j]); + if (oldpwddns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldpwddns[j] = NULL; + } + + krb5_free_list_entries(rparams->passwdservers); + free(rparams->passwdservers); + } + + rparams->passwdservers = (char **)malloc( + sizeof(char *) * MAX_LIST_ENTRIES); + if (rparams->passwdservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + rparams->passwdservers))) { + goto cleanup; + } + mask |= LDAP_REALM_PASSWDSERVERS; + /* Going to replace the existing value by this new value. Hence + * setting flag indicating that add or clear options will be ignored + */ + newpwddn = 1; + } else if (!strcmp(argv[i], "-clearpwddn")) { + if (++i > argc-1) + goto err_usage; + + if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) { + if (!oldpwddns) { + /* Store the old pwd dns list for removing rights */ + oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldpwddns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->passwdservers[j] != NULL; j++) { + oldpwddns[j] = strdup(rparams->passwdservers[j]); + if (oldpwddns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldpwddns[j] = NULL; + } + + memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + goto cleanup; + } + list_modify_str_array(&rparams->passwdservers, (const char**)list, + LIST_MODE_DELETE); + mask |= LDAP_REALM_PASSWDSERVERS; + krb5_free_list_entries(list); + } + } else if (!strcmp(argv[i], "-addpwddn")) { + if (++i > argc-1) + goto err_usage; + if (!newpwddn) { + if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) { + /* Store the old pwd dns list for removing rights */ + oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldpwddns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->passwdservers[j] != NULL; j++) { + oldpwddns[j] = strdup(rparams->passwdservers[j]); + if (oldpwddns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldpwddns[j] = NULL; + } + + memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + goto cleanup; + } + existing_entries = list_count_str_array(rparams->passwdservers); + list_entries = list_count_str_array(list); + if (rmask & LDAP_REALM_PASSWDSERVERS) { + tempstr = (char **)realloc( + rparams->passwdservers, + sizeof(char *) * (existing_entries+list_entries+1)); + if (tempstr == NULL) { + retval = ENOMEM; + goto cleanup; + } + rparams->passwdservers = tempstr; + } else { + rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1)); + if (rparams->passwdservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1)); + } + list_modify_str_array(&rparams->passwdservers, (const char**)list, + LIST_MODE_ADD); + mask |= LDAP_REALM_PASSWDSERVERS; + } + } #endif - else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { - mask|=ret_mask; - } else { - printf("'%s' is an invalid option\n", argv[i]); - goto err_usage; - } + else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { + mask|=ret_mask; + } else { + printf("'%s' is an invalid option\n", argv[i]); + goto err_usage; + } } if ((retval = krb5_ldap_modify_realm(util_context, - /* global_params.realm, */ rparams, mask))) { - goto cleanup; + /* global_params.realm, */ rparams, mask))) { + goto cleanup; } #ifdef HAVE_EDIRECTORY if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF) || (mask & LDAP_REALM_KDCSERVERS) || - (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) { + (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) { - printf("Changing rights for the service object. Please wait ... "); - fflush(stdout); + printf("Changing rights for the service object. Please wait ... "); + fflush(stdout); if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF)) { subtree_changed = 1; - } + } if ((subtree_changed) || (mask & LDAP_REALM_KDCSERVERS)) { @@ -1469,27 +1466,27 @@ void kdb5_ldap_modify(argc, argv) /* Remove the rights on the old subtrees */ for (i=0; (kdcdns[i] != NULL); i++) { if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_KDC_SERVICE, kdcdns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + LDAP_KDC_SERVICE, kdcdns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; - } - } - } + } + } + } for (i=0; (kdcdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, kdcdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_KDC_SERVICE, kdcdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; - } - } - } - } + } + } + } + } if (!subtree_changed) { char **newdns = NULL; @@ -1500,45 +1497,45 @@ void kdb5_ldap_modify(argc, argv) if (oldkdcdns != NULL) { newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); if (newdns == NULL) { - retval = ENOMEM; - goto cleanup; - } + retval = ENOMEM; + goto cleanup; + } - if ((rparams != NULL) && (rparams->kdcservers != NULL)) { - for (j=0; rparams->kdcservers[j]!= NULL; j++) { + if ((rparams != NULL) && (rparams->kdcservers != NULL)) { + for (j=0; rparams->kdcservers[j]!= NULL; j++) { newdns[j] = strdup(rparams->kdcservers[j]); if (newdns[j] == NULL) { FREE_DN_LIST(newdns); - retval = ENOMEM; - goto cleanup; - } - } + retval = ENOMEM; + goto cleanup; + } + } newdns[j] = NULL; - } + } disjoint_members(oldkdcdns, newdns); for (i=0; (oldkdcdns[i] != NULL); i++) { if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_KDC_SERVICE, oldkdcdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_KDC_SERVICE, oldkdcdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); FREE_DN_LIST(newdns); goto err_nomsg; - } - } + } + } for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_KDC_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); FREE_DN_LIST(newdns); goto err_nomsg; - } + } } for (i=0; (newdns[i] != NULL); i++) { free(newdns[i]); @@ -1548,42 +1545,42 @@ void kdb5_ldap_modify(argc, argv) newdns = rparams->kdcservers; for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_KDC_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; - } - } - } + } + } + } } if (subtree_changed && (mask & LDAP_REALM_KDCSERVERS)) { char **newdns = rparams->kdcservers; - rightsmask =0; + rightsmask =0; rightsmask = LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; if (oldkdcdns != NULL) { - for (i=0; (oldkdcdns[i] != NULL); i++) { - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_KDC_SERVICE, oldkdcdns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } + for (i=0; (oldkdcdns[i] != NULL); i++) { + if ((retval=krb5_ldap_delete_service_rights(util_context, + LDAP_KDC_SERVICE, oldkdcdns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_KDC_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; } } @@ -1596,34 +1593,34 @@ void kdb5_ldap_modify(argc, argv) if (rparams->adminservers != NULL) { char **admindns = rparams->adminservers; /* Only subtree and/or container ref has changed */ - rightsmask =0; + rightsmask =0; /* KADMINSERVERS have not changed. Realm rights need not be changed */; - rightsmask |= LDAP_SUBTREE_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) { /* Remove the rights on the old subtrees */ for (i=0; (admindns[i] != NULL); i++) { if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_ADMIN_SERVICE, admindns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + LDAP_ADMIN_SERVICE, admindns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; } } } for (i=0; (admindns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, admindns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_ADMIN_SERVICE, admindns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } - } + rparams->realm_name); + goto err_nomsg; + } + } + } + } if (!subtree_changed) { char **newdns = NULL; @@ -1634,46 +1631,46 @@ void kdb5_ldap_modify(argc, argv) if (oldadmindns != NULL) { newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); if (newdns == NULL) { - retval = ENOMEM; - goto cleanup; - } + retval = ENOMEM; + goto cleanup; + } - if ((rparams != NULL) && (rparams->adminservers != NULL)) { - for (j=0; rparams->adminservers[j]!= NULL; j++) { + if ((rparams != NULL) && (rparams->adminservers != NULL)) { + for (j=0; rparams->adminservers[j]!= NULL; j++) { newdns[j] = strdup(rparams->adminservers[j]); if (newdns[j] == NULL) { FREE_DN_LIST(newdns); - retval = ENOMEM; - goto cleanup; - } - } + retval = ENOMEM; + goto cleanup; + } + } newdns[j] = NULL; - } + } disjoint_members(oldadmindns, newdns); for (i=0; (oldadmindns[i] != NULL); i++) { if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_ADMIN_SERVICE, oldadmindns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_ADMIN_SERVICE, oldadmindns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); FREE_DN_LIST(newdns); goto err_nomsg; - } + } } for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_ADMIN_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); FREE_DN_LIST(newdns); goto err_nomsg; - } - } + } + } for (i=0; (newdns[i] != NULL); i++) { free(newdns[i]); } @@ -1682,42 +1679,42 @@ void kdb5_ldap_modify(argc, argv) newdns = rparams->adminservers; for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_ADMIN_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; - } - } - } + } + } + } } if (subtree_changed && (mask & LDAP_REALM_ADMINSERVERS)) { char **newdns = rparams->adminservers; - rightsmask = 0; + rightsmask = 0; rightsmask = LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; if (oldadmindns != NULL) { - for (i=0; (oldadmindns[i] != NULL); i++) { - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_ADMIN_SERVICE, oldadmindns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } + for (i=0; (oldadmindns[i] != NULL); i++) { + if ((retval=krb5_ldap_delete_service_rights(util_context, + LDAP_ADMIN_SERVICE, oldadmindns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_ADMIN_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; } } @@ -1730,34 +1727,34 @@ void kdb5_ldap_modify(argc, argv) if (rparams->passwdservers != NULL) { char **passwddns = rparams->passwdservers; /* Only subtree and/or container ref has changed */ - rightsmask = 0; + rightsmask = 0; /* KPASSWDSERVERS have not changed. Realm rights need not be changed */; - rightsmask |= LDAP_SUBTREE_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) { /* Remove the rights on the old subtrees */ for (i=0; (passwddns[i] != NULL); i++) { if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_PASSWD_SERVICE, passwddns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + LDAP_PASSWD_SERVICE, passwddns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; } } } for (i=0; (passwddns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, passwddns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_PASSWD_SERVICE, passwddns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } - } + rparams->realm_name); + goto err_nomsg; + } + } + } + } if (!subtree_changed) { char **newdns = NULL; @@ -1768,45 +1765,45 @@ void kdb5_ldap_modify(argc, argv) if (oldpwddns != NULL) { newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); if (newdns == NULL) { - retval = ENOMEM; - goto cleanup; - } + retval = ENOMEM; + goto cleanup; + } - if ((rparams != NULL) && (rparams->passwdservers != NULL)) { - for (j=0; rparams->passwdservers[j]!= NULL; j++) { + if ((rparams != NULL) && (rparams->passwdservers != NULL)) { + for (j=0; rparams->passwdservers[j]!= NULL; j++) { newdns[j] = strdup(rparams->passwdservers[j]); if (newdns[j] == NULL) { FREE_DN_LIST(newdns); - retval = ENOMEM; - goto cleanup; - } - } + retval = ENOMEM; + goto cleanup; + } + } newdns[j] = NULL; - } + } disjoint_members(oldpwddns, newdns); for (i=0; (oldpwddns[i] != NULL); i++) { if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_PASSWD_SERVICE, oldpwddns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_PASSWD_SERVICE, oldpwddns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); FREE_DN_LIST(newdns); goto err_nomsg; - } - } + } + } for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_PASSWD_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); FREE_DN_LIST(newdns); goto err_nomsg; - } + } } for (i=0; (newdns[i] != NULL); i++) { free(newdns[i]); @@ -1816,48 +1813,48 @@ void kdb5_ldap_modify(argc, argv) newdns = rparams->passwdservers; for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_PASSWD_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; - } - } - } + } + } + } } if (subtree_changed && (mask & LDAP_REALM_PASSWDSERVERS)) { char **newdns = rparams->passwdservers; - rightsmask =0; + rightsmask =0; rightsmask = LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; if (oldpwddns != NULL) { - for (i=0; (oldpwddns[i] != NULL); i++) { - if ((retval = krb5_ldap_delete_service_rights(util_context, - LDAP_PASSWD_SERVICE, oldpwddns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } + for (i=0; (oldpwddns[i] != NULL); i++) { + if ((retval = krb5_ldap_delete_service_rights(util_context, + LDAP_PASSWD_SERVICE, oldpwddns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } for (i=0; (newdns[i] != NULL); i++) { - if ((retval = krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); + if ((retval = krb5_ldap_add_service_rights(util_context, + LDAP_PASSWD_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } - } - printf("done\n"); + rparams->realm_name); + goto err_nomsg; + } + } + } + } + printf("done\n"); } #endif @@ -1875,55 +1872,55 @@ cleanup: #ifdef HAVE_EDIRECTORY if (oldkdcdns) { - for (i=0; oldkdcdns[i] != NULL; i++) - free(oldkdcdns[i]); - free(oldkdcdns); + for (i=0; oldkdcdns[i] != NULL; i++) + free(oldkdcdns[i]); + free(oldkdcdns); } if (oldpwddns) { - for (i=0; oldpwddns[i] != NULL; i++) - free(oldpwddns[i]); - free(oldpwddns); + for (i=0; oldpwddns[i] != NULL; i++) + free(oldpwddns[i]); + free(oldpwddns); } if (oldadmindns) { - for (i=0; oldadmindns[i] != NULL; i++) - free(oldadmindns[i]); - free(oldadmindns); + for (i=0; oldadmindns[i] != NULL; i++) + free(oldadmindns[i]); + free(oldadmindns); } if (newkdcdns) { - for (i=0; newkdcdns[i] != NULL; i++) - free(newkdcdns[i]); - free(newkdcdns); + for (i=0; newkdcdns[i] != NULL; i++) + free(newkdcdns[i]); + free(newkdcdns); } if (newpwddns) { - for (i=0; newpwddns[i] != NULL; i++) - free(newpwddns[i]); - free(newpwddns); + for (i=0; newpwddns[i] != NULL; i++) + free(newpwddns[i]); + free(newpwddns); } if (newadmindns) { - for (i=0; newadmindns[i] != NULL; i++) - free(newadmindns[i]); - free(newadmindns); + for (i=0; newadmindns[i] != NULL; i++) + free(newadmindns[i]); + free(newadmindns); } if (oldsubtrees) { - for (i=0;oldsubtrees[i]!=NULL; i++) - free(oldsubtrees[i]); - free(oldsubtrees); + for (i=0;oldsubtrees[i]!=NULL; i++) + free(oldsubtrees[i]); + free(oldsubtrees); } if (newsubtrees) { - for (i=0;newsubtrees[i]!=NULL; i++) - free(newsubtrees[i]); - free(oldsubtrees); + for (i=0;newsubtrees[i]!=NULL; i++) + free(newsubtrees[i]); + free(oldsubtrees); } #endif if (print_usage) { - db_usage(MODIFY_REALM); + db_usage(MODIFY_REALM); } if (retval) { - if (!no_msg) - com_err(progname, retval, "while modifying information of realm '%s'", - global_params.realm); - exit_status++; + if (!no_msg) + com_err(progname, retval, "while modifying information of realm '%s'", + global_params.realm); + exit_status++; } return; @@ -1934,9 +1931,8 @@ cleanup: /* * This function displays the attributes of a Realm */ -void kdb5_ldap_view(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_view(int argc, char *argv[]) { krb5_ldap_realm_params *rparams = NULL; krb5_error_code retval = 0; @@ -1947,26 +1943,26 @@ void kdb5_ldap_view(argc, argv) dal_handle = util_context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!(ldap_context)) { - retval = EINVAL; - com_err(progname, retval, "while initializing database"); - exit_status++; - return; + retval = EINVAL; + com_err(progname, retval, "while initializing database"); + exit_status++; + return; } /* Read the kerberos container information */ if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer))) != 0) { - com_err(progname, retval, "while reading kerberos container information"); - exit_status++; - return; + &(ldap_context->krbcontainer))) != 0) { + com_err(progname, retval, "while reading kerberos container information"); + exit_status++; + return; } if ((retval = krb5_ldap_read_realm_params(util_context, - global_params.realm, &rparams, &mask)) || (!rparams)) { - com_err(progname, retval, "while reading information of realm '%s'", - global_params.realm); - exit_status++; - return; + global_params.realm, &rparams, &mask)) || (!rparams)) { + com_err(progname, retval, "while reading information of realm '%s'", + global_params.realm); + exit_status++; + return; } print_realm_params(rparams, mask); krb5_ldap_free_realm_params(rparams); @@ -1974,17 +1970,17 @@ void kdb5_ldap_view(argc, argv) return; } -static char *strdur(duration) - time_t duration; +static char * +strdur(time_t duration) { static char out[50]; int neg, days, hours, minutes, seconds; if (duration < 0) { - duration *= -1; - neg = 1; + duration *= -1; + neg = 1; } else - neg = 0; + neg = 0; days = duration / (24 * 3600); duration %= 24 * 3600; hours = duration / 3600; @@ -1993,8 +1989,8 @@ static char *strdur(duration) duration %= 60; seconds = duration; snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "", - days, days == 1 ? "day" : "days", - hours, minutes, seconds); + days, days == 1 ? "day" : "days", + hours, minutes, seconds); return out; } @@ -2002,7 +1998,8 @@ static char *strdur(duration) * This function prints the attributes of a given realm to the * standard output. */ -static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) +static void +print_realm_params(krb5_ldap_realm_params *rparams, int mask) { char **slist = NULL; unsigned int num_entry_printed = 0, i = 0; @@ -2010,117 +2007,117 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) /* Print the Realm Attributes on the standard output */ printf("%25s: %-50s\n", "Realm Name", global_params.realm); if (mask & LDAP_REALM_SUBTREE) { - for (i=0; rparams->subtree[i]!=NULL; i++) - printf("%25s: %-50s\n", "Subtree", rparams->subtree[i]); + for (i=0; rparams->subtree[i]!=NULL; i++) + printf("%25s: %-50s\n", "Subtree", rparams->subtree[i]); } if (mask & LDAP_REALM_CONTREF) - printf("%25s: %-50s\n", "Principal Container Reference", rparams->containerref); + printf("%25s: %-50s\n", "Principal Container Reference", rparams->containerref); if (mask & LDAP_REALM_SEARCHSCOPE) { - if ((rparams->search_scope != 1) && - (rparams->search_scope != 2)) { - printf("%25s: %-50s\n", "SearchScope", "Invalid !"); - } else { - printf("%25s: %-50s\n", "SearchScope", - (rparams->search_scope == 1) ? "ONE" : "SUB"); - } + if ((rparams->search_scope != 1) && + (rparams->search_scope != 2)) { + printf("%25s: %-50s\n", "SearchScope", "Invalid !"); + } else { + printf("%25s: %-50s\n", "SearchScope", + (rparams->search_scope == 1) ? "ONE" : "SUB"); + } } if (mask & LDAP_REALM_KDCSERVERS) { - printf("%25s:", "KDC Services"); - if (rparams->kdcservers != NULL) { - num_entry_printed = 0; - for (slist = rparams->kdcservers; *slist != NULL; slist++) { - if (num_entry_printed) - printf(" %25s %-50s\n", " ", *slist); - else - printf(" %-50s\n", *slist); - num_entry_printed++; - } - } - if (num_entry_printed == 0) - printf("\n"); + printf("%25s:", "KDC Services"); + if (rparams->kdcservers != NULL) { + num_entry_printed = 0; + for (slist = rparams->kdcservers; *slist != NULL; slist++) { + if (num_entry_printed) + printf(" %25s %-50s\n", " ", *slist); + else + printf(" %-50s\n", *slist); + num_entry_printed++; + } + } + if (num_entry_printed == 0) + printf("\n"); } if (mask & LDAP_REALM_ADMINSERVERS) { - printf("%25s:", "Admin Services"); - if (rparams->adminservers != NULL) { - num_entry_printed = 0; - for (slist = rparams->adminservers; *slist != NULL; slist++) { - if (num_entry_printed) - printf(" %25s %-50s\n", " ", *slist); - else - printf(" %-50s\n", *slist); - num_entry_printed++; - } - } - if (num_entry_printed == 0) - printf("\n"); + printf("%25s:", "Admin Services"); + if (rparams->adminservers != NULL) { + num_entry_printed = 0; + for (slist = rparams->adminservers; *slist != NULL; slist++) { + if (num_entry_printed) + printf(" %25s %-50s\n", " ", *slist); + else + printf(" %-50s\n", *slist); + num_entry_printed++; + } + } + if (num_entry_printed == 0) + printf("\n"); } if (mask & LDAP_REALM_PASSWDSERVERS) { - printf("%25s:", "Passwd Services"); - if (rparams->passwdservers != NULL) { - num_entry_printed = 0; - for (slist = rparams->passwdservers; *slist != NULL; slist++) { - if (num_entry_printed) - printf(" %25s %-50s\n", " ", *slist); - else - printf(" %-50s\n", *slist); - num_entry_printed++; - } - } - if (num_entry_printed == 0) - printf("\n"); + printf("%25s:", "Passwd Services"); + if (rparams->passwdservers != NULL) { + num_entry_printed = 0; + for (slist = rparams->passwdservers; *slist != NULL; slist++) { + if (num_entry_printed) + printf(" %25s %-50s\n", " ", *slist); + else + printf(" %-50s\n", *slist); + num_entry_printed++; + } + } + if (num_entry_printed == 0) + printf("\n"); } if (mask & LDAP_REALM_MAXTICKETLIFE) { - printf("%25s:", "Maximum Ticket Life"); - printf(" %s \n", strdur(rparams->max_life)); + printf("%25s:", "Maximum Ticket Life"); + printf(" %s \n", strdur(rparams->max_life)); } if (mask & LDAP_REALM_MAXRENEWLIFE) { - printf("%25s:", "Maximum Renewable Life"); - printf(" %s \n", strdur(rparams->max_renewable_life)); + printf("%25s:", "Maximum Renewable Life"); + printf(" %s \n", strdur(rparams->max_renewable_life)); } if (mask & LDAP_REALM_KRBTICKETFLAGS) { - int ticketflags = rparams->tktflags; + int ticketflags = rparams->tktflags; - printf("%25s: ", "Ticket flags"); - if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED) - printf("%s ","DISALLOW_POSTDATED"); + printf("%25s: ", "Ticket flags"); + if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED) + printf("%s ","DISALLOW_POSTDATED"); - if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE) - printf("%s ","DISALLOW_FORWARDABLE"); + if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE) + printf("%s ","DISALLOW_FORWARDABLE"); - if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE) - printf("%s ","DISALLOW_RENEWABLE"); + if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE) + printf("%s ","DISALLOW_RENEWABLE"); - if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE) - printf("%s ","DISALLOW_PROXIABLE"); + if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE) + printf("%s ","DISALLOW_PROXIABLE"); - if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY) - printf("%s ","DISALLOW_DUP_SKEY"); + if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY) + printf("%s ","DISALLOW_DUP_SKEY"); - if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH) - printf("%s ","REQUIRES_PRE_AUTH"); + if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH) + printf("%s ","REQUIRES_PRE_AUTH"); - if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH) - printf("%s ","REQUIRES_HW_AUTH"); + if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH) + printf("%s ","REQUIRES_HW_AUTH"); - if (ticketflags & KRB5_KDB_DISALLOW_SVR) - printf("%s ","DISALLOW_SVR"); + if (ticketflags & KRB5_KDB_DISALLOW_SVR) + printf("%s ","DISALLOW_SVR"); - if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED) - printf("%s ","DISALLOW_TGT_BASED"); + if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED) + printf("%s ","DISALLOW_TGT_BASED"); - if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX) - printf("%s ","DISALLOW_ALL_TIX"); + if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX) + printf("%s ","DISALLOW_ALL_TIX"); - if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE) - printf("%s ","REQUIRES_PWCHANGE"); + if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE) + printf("%s ","REQUIRES_PWCHANGE"); - if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE) - printf("%s ","PWCHANGE_SERVICE"); + if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE) + printf("%s ","PWCHANGE_SERVICE"); - printf("\n"); + printf("\n"); } @@ -2133,9 +2130,8 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) * This function lists the Realm(s) present under the Kerberos container * on the LDAP Server. */ -void kdb5_ldap_list(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_list(int argc, char *argv[]) { char **list = NULL; char **plist = NULL; @@ -2146,36 +2142,36 @@ void kdb5_ldap_list(argc, argv) dal_handle = util_context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!(ldap_context)) { - retval = EINVAL; - exit_status++; - return; + retval = EINVAL; + exit_status++; + return; } /* Read the kerberos container information */ if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer))) != 0) { - com_err(progname, retval, "while reading kerberos container information"); - exit_status++; - return; + &(ldap_context->krbcontainer))) != 0) { + com_err(progname, retval, "while reading kerberos container information"); + exit_status++; + return; } retval = krb5_ldap_list_realm(util_context, &list); if (retval != 0) { - krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); - ldap_context->krbcontainer = NULL; - com_err (progname, retval, "while listing realms"); - exit_status++; - return; + krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); + ldap_context->krbcontainer = NULL; + com_err (progname, retval, "while listing realms"); + exit_status++; + return; } /* This is to handle the case of realm not present */ if (list == NULL) { - krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); - ldap_context->krbcontainer = NULL; - return; + krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); + ldap_context->krbcontainer = NULL; + return; } for (plist = list; *plist != NULL; plist++) { - printf("%s\n", *plist); + printf("%s\n", *plist); } krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); ldap_context->krbcontainer = NULL; @@ -2197,10 +2193,8 @@ void kdb5_ldap_list(argc, argv) /* Start duplicate code ... */ static krb5_error_code -krb5_dbe_update_tl_data_new(context, entry, new_tl_data) - krb5_context context; - krb5_db_entry *entry; - krb5_tl_data *new_tl_data; +krb5_dbe_update_tl_data_new(krb5_context context, krb5_db_entry *entry, + krb5_tl_data *new_tl_data) { krb5_tl_data *tl_data = NULL; krb5_octet *tmp; @@ -2208,46 +2202,46 @@ krb5_dbe_update_tl_data_new(context, entry, new_tl_data) /* copy the new data first, so we can fail cleanly if malloc() * fails */ /* - if ((tmp = - (krb5_octet *) krb5_db_alloc(context, NULL, - new_tl_data->tl_data_length)) == NULL) + if ((tmp = + (krb5_octet *) krb5_db_alloc(context, NULL, + new_tl_data->tl_data_length)) == NULL) */ if ((tmp = (krb5_octet *) malloc (new_tl_data->tl_data_length)) == NULL) - return (ENOMEM); + return (ENOMEM); /* Find an existing entry of the specified type and point at * it, or NULL if not found */ - if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) { /* db_args can be multiple */ - for (tl_data = entry->tl_data; tl_data; - tl_data = tl_data->tl_data_next) - if (tl_data->tl_data_type == new_tl_data->tl_data_type) - break; + if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) { /* db_args can be multiple */ + for (tl_data = entry->tl_data; tl_data; + tl_data = tl_data->tl_data_next) + if (tl_data->tl_data_type == new_tl_data->tl_data_type) + break; } /* if necessary, chain a new record in the beginning and point at it */ if (!tl_data) { /* - if ((tl_data = - (krb5_tl_data *) krb5_db_alloc(context, NULL, - sizeof(krb5_tl_data))) - == NULL) { + if ((tl_data = + (krb5_tl_data *) krb5_db_alloc(context, NULL, + sizeof(krb5_tl_data))) + == NULL) { */ - if ((tl_data = (krb5_tl_data *) malloc (sizeof(krb5_tl_data))) == NULL) { - free(tmp); - return (ENOMEM); - } - memset(tl_data, 0, sizeof(krb5_tl_data)); - tl_data->tl_data_next = entry->tl_data; - entry->tl_data = tl_data; - entry->n_tl_data++; + if ((tl_data = (krb5_tl_data *) malloc (sizeof(krb5_tl_data))) == NULL) { + free(tmp); + return (ENOMEM); + } + memset(tl_data, 0, sizeof(krb5_tl_data)); + tl_data->tl_data_next = entry->tl_data; + entry->tl_data = tl_data; + entry->n_tl_data++; } /* fill in the record */ if (tl_data->tl_data_contents) - krb5_db_free(context, tl_data->tl_data_contents); + krb5_db_free(context, tl_data->tl_data_contents); tl_data->tl_data_type = new_tl_data->tl_data_type; tl_data->tl_data_length = new_tl_data->tl_data_length; @@ -2258,29 +2252,27 @@ krb5_dbe_update_tl_data_new(context, entry, new_tl_data) } static krb5_error_code -krb5_dbe_update_mod_princ_data_new(context, entry, mod_date, mod_princ) - krb5_context context; - krb5_db_entry * entry; - krb5_timestamp mod_date; - krb5_const_principal mod_princ; +krb5_dbe_update_mod_princ_data_new(krb5_context context, krb5_db_entry *entry, + krb5_timestamp mod_date, + krb5_const_principal mod_princ) { krb5_tl_data tl_data; - krb5_error_code retval = 0; - krb5_octet * nextloc = 0; - char * unparse_mod_princ = 0; - unsigned int unparse_mod_princ_size; + krb5_error_code retval = 0; + krb5_octet * nextloc = 0; + char * unparse_mod_princ = 0; + unsigned int unparse_mod_princ_size; if ((retval = krb5_unparse_name(context, mod_princ, - &unparse_mod_princ))) - return(retval); + &unparse_mod_princ))) + return(retval); unparse_mod_princ_size = strlen(unparse_mod_princ) + 1; if ((nextloc = (krb5_octet *) malloc(unparse_mod_princ_size + 4)) - == NULL) { - free(unparse_mod_princ); - return(ENOMEM); + == NULL) { + free(unparse_mod_princ); + return(ENOMEM); } tl_data.tl_data_type = KRB5_TL_MOD_PRINC; @@ -2302,9 +2294,7 @@ krb5_dbe_update_mod_princ_data_new(context, entry, mod_date, mod_princ) } static krb5_error_code -kdb_ldap_tgt_keysalt_iterate(ksent, ptr) - krb5_key_salt_tuple *ksent; - krb5_pointer ptr; +kdb_ldap_tgt_keysalt_iterate(krb5_key_salt_tuple *ksent, krb5_pointer ptr) { krb5_context context; krb5_error_code kret; @@ -2328,27 +2318,27 @@ kdb_ldap_tgt_keysalt_iterate(ksent, ptr) pwd.length = strlen(mkey_password); kret = krb5_c_random_seed(context, &pwd); if (kret) - return kret; + return kret; /*if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {*/ if ((entry->key_data = - (krb5_key_data *) realloc(entry->key_data, - (sizeof(krb5_key_data) * - (entry->n_key_data + 1)))) == NULL) - return (ENOMEM); + (krb5_key_data *) realloc(entry->key_data, + (sizeof(krb5_key_data) * + (entry->n_key_data + 1)))) == NULL) + return (ENOMEM); memset(entry->key_data + entry->n_key_data, 0, sizeof(krb5_key_data)); ind = entry->n_key_data++; if (!(kret = krb5_c_make_random_key(context, ksent->ks_enctype, - &key))) { - kret = krb5_dbekd_encrypt_key_data(context, - iargs->rblock->key, - &key, - NULL, - 1, - &entry->key_data[ind]); - krb5_free_keyblock_contents(context, &key); + &key))) { + kret = krb5_dbekd_encrypt_key_data(context, + iargs->rblock->key, + &key, + NULL, + 1, + &entry->key_data[ind]); + krb5_free_keyblock_contents(context, &key); } /*}*/ @@ -2361,11 +2351,8 @@ kdb_ldap_tgt_keysalt_iterate(ksent, ptr) * creating the realm object. */ static int -kdb_ldap_create_principal (context, princ, op, pblock) - krb5_context context; - krb5_principal princ; - enum ap_op op; - struct realm_info *pblock; +kdb_ldap_create_principal(krb5_context context, krb5_principal princ, + enum ap_op op, struct realm_info *pblock) { int retval=0, currlen=0, princtype = 2 /* Service Principal */; unsigned char *curr=NULL; @@ -2383,30 +2370,30 @@ kdb_ldap_create_principal (context, princ, op, pblock) krb5_actkvno_node actkvno; if ((pblock == NULL) || (context == NULL)) { - retval = EINVAL; - goto cleanup; + retval = EINVAL; + goto cleanup; } dal_handle = context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!(ldap_context)) { - retval = EINVAL; - goto cleanup; + retval = EINVAL; + goto cleanup; } memset(&entry, 0, sizeof(entry)); tl_data = malloc(sizeof(*tl_data)); if (tl_data == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } memset(tl_data, 0, sizeof(*tl_data)); tl_data->tl_data_length = 1 + 2 + 2 + 1 + 2 + 4; tl_data->tl_data_type = 7; /* KDB_TL_USER_INFO */ curr = tl_data->tl_data_contents = malloc(tl_data->tl_data_length); if (tl_data->tl_data_contents == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } memset(curr, 1, 1); /* Passing the mask as principal type */ @@ -2439,74 +2426,74 @@ kdb_ldap_create_principal (context, princ, op, pblock) entry.expiration = pblock->expiration; entry.mask = mask; if ((retval = krb5_copy_principal(context, princ, &entry.princ))) - goto cleanup; + goto cleanup; switch (op) { case TGT_KEY: - if ((pdata = krb5_princ_component(context, princ, 1)) && - pdata->length == strlen("history") && - !memcmp(pdata->data, "history", strlen("history"))) { - - /* Allocate memory for storing the key */ - if ((entry.key_data = (krb5_key_data *) malloc( - sizeof(krb5_key_data))) == NULL) { - retval = ENOMEM; - goto cleanup; - } - - memset(entry.key_data, 0, sizeof(krb5_key_data)); - entry.n_key_data++; - - retval = krb5_c_make_random_key(context, global_params.enctype, &key); - if (retval) { - goto cleanup; - } - kvno = 1; /* New key is getting set */ - retval = krb5_dbekd_encrypt_key_data(context, - &ldap_context->lrparams->mkey, - &key, NULL, kvno, - &entry.key_data[entry.n_key_data - 1]); - krb5_free_keyblock_contents(context, &key); - if (retval) { - goto cleanup; - } - } else { - /*retval = krb5_c_make_random_key(context, 16, &key) ;*/ - iargs.ctx = context; - iargs.rblock = pblock; - iargs.dbentp = &entry; - - /* - * Iterate through the key/salt list, ignoring salt types. - */ - if ((retval = krb5_keysalt_iterate(pblock->kslist, - pblock->nkslist, - 1, - kdb_ldap_tgt_keysalt_iterate, - (krb5_pointer) &iargs))) - return retval; - } - break; + if ((pdata = krb5_princ_component(context, princ, 1)) && + pdata->length == strlen("history") && + !memcmp(pdata->data, "history", strlen("history"))) { + + /* Allocate memory for storing the key */ + if ((entry.key_data = (krb5_key_data *) malloc( + sizeof(krb5_key_data))) == NULL) { + retval = ENOMEM; + goto cleanup; + } + + memset(entry.key_data, 0, sizeof(krb5_key_data)); + entry.n_key_data++; + + retval = krb5_c_make_random_key(context, global_params.enctype, &key); + if (retval) { + goto cleanup; + } + kvno = 1; /* New key is getting set */ + retval = krb5_dbekd_encrypt_key_data(context, + &ldap_context->lrparams->mkey, + &key, NULL, kvno, + &entry.key_data[entry.n_key_data - 1]); + krb5_free_keyblock_contents(context, &key); + if (retval) { + goto cleanup; + } + } else { + /*retval = krb5_c_make_random_key(context, 16, &key) ;*/ + iargs.ctx = context; + iargs.rblock = pblock; + iargs.dbentp = &entry; + + /* + * Iterate through the key/salt list, ignoring salt types. + */ + if ((retval = krb5_keysalt_iterate(pblock->kslist, + pblock->nkslist, + 1, + kdb_ldap_tgt_keysalt_iterate, + (krb5_pointer) &iargs))) + return retval; + } + break; case MASTER_KEY: - /* Allocate memory for storing the key */ - if ((entry.key_data = (krb5_key_data *) malloc( - sizeof(krb5_key_data))) == NULL) { - retval = ENOMEM; - goto cleanup; - } - - memset(entry.key_data, 0, sizeof(krb5_key_data)); - entry.n_key_data++; - kvno = 1; /* New key is getting set */ - retval = krb5_dbekd_encrypt_key_data(context, pblock->key, - &ldap_context->lrparams->mkey, - NULL, kvno, - &entry.key_data[entry.n_key_data - 1]); - if (retval) { - goto cleanup; - } + /* Allocate memory for storing the key */ + if ((entry.key_data = (krb5_key_data *) malloc( + sizeof(krb5_key_data))) == NULL) { + retval = ENOMEM; + goto cleanup; + } + + memset(entry.key_data, 0, sizeof(krb5_key_data)); + entry.n_key_data++; + kvno = 1; /* New key is getting set */ + retval = krb5_dbekd_encrypt_key_data(context, pblock->key, + &ldap_context->lrparams->mkey, + NULL, kvno, + &entry.key_data[entry.n_key_data - 1]); + if (retval) { + goto cleanup; + } /* * There should always be at least one "active" mkey so creating the * KRB5_TL_ACTKVNO entry now so the initial mkey is active. @@ -2515,20 +2502,20 @@ kdb_ldap_create_principal (context, princ, op, pblock) actkvno.act_kvno = kvno; actkvno.act_time = now; retval = krb5_dbe_update_actkvno(context, &entry, &actkvno); - if (retval) - goto cleanup; + if (retval) + goto cleanup; - break; + break; case NULL_KEY: default: - break; + break; } /* end of switch */ retval = krb5_ldap_put_principal(context, &entry, &nentry, NULL); if (retval) { - com_err(NULL, retval, "while adding entries to database"); - goto cleanup; + com_err(NULL, retval, "while adding entries to database"); + goto cleanup; } cleanup: @@ -2541,9 +2528,7 @@ cleanup: * This function destroys the realm object and the associated principals */ void -kdb5_ldap_destroy(argc, argv) - int argc; - char *argv[]; +kdb5_ldap_destroy(int argc, char *argv[]) { extern char *optarg; extern int optind; @@ -2561,118 +2546,118 @@ kdb5_ldap_destroy(argc, argv) optind = 1; while ((optchar = getopt(argc, argv, "f")) != -1) { - switch (optchar) { - case 'f': - force++; - break; - case '?': - default: - db_usage(DESTROY_REALM); - return; - /*NOTREACHED*/ - } + switch (optchar) { + case 'f': + force++; + break; + case '?': + default: + db_usage(DESTROY_REALM); + return; + /*NOTREACHED*/ + } } if (!force) { - printf("Deleting KDC database of '%s', are you sure?\n", global_params.realm); - printf("(type 'yes' to confirm)? "); - if (fgets(buf, sizeof(buf), stdin) == NULL) { - exit_status++; - return; - } - if (strcmp(buf, yes)) { - exit_status++; - return; - } - printf("OK, deleting database of '%s'...\n", global_params.realm); + printf("Deleting KDC database of '%s', are you sure?\n", global_params.realm); + printf("(type 'yes' to confirm)? "); + if (fgets(buf, sizeof(buf), stdin) == NULL) { + exit_status++; + return; + } + if (strcmp(buf, yes)) { + exit_status++; + return; + } + printf("OK, deleting database of '%s'...\n", global_params.realm); } dal_handle = util_context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!(ldap_context)) { - com_err(progname, EINVAL, "while initializing database"); - exit_status++; - return; + com_err(progname, EINVAL, "while initializing database"); + exit_status++; + return; } /* Read the kerberos container from the LDAP Server */ if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer))) != 0) { - com_err(progname, retval, "while reading kerberos container information"); - exit_status++; - return; + &(ldap_context->krbcontainer))) != 0) { + com_err(progname, retval, "while reading kerberos container information"); + exit_status++; + return; } /* Read the Realm information from the LDAP Server */ if ((retval = krb5_ldap_read_realm_params(util_context, global_params.realm, - &(ldap_context->lrparams), &mask)) != 0) { - com_err(progname, retval, "while reading realm information"); - exit_status++; - return; + &(ldap_context->lrparams), &mask)) != 0) { + com_err(progname, retval, "while reading realm information"); + exit_status++; + return; } #ifdef HAVE_EDIRECTORY if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) || - (mask & LDAP_REALM_PASSWDSERVERS)) { - - printf("Changing rights for the service object. Please wait ... "); - fflush(stdout); - - rparams = ldap_context->lrparams; - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->kdcservers != NULL)) { - for (i=0; (rparams->kdcservers[i] != NULL); i++) { - if ((retval = krb5_ldap_delete_service_rights(util_context, - LDAP_KDC_SERVICE, rparams->kdcservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - return; - } - } - } - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->adminservers != NULL)) { - for (i=0; (rparams->adminservers[i] != NULL); i++) { - if ((retval = krb5_ldap_delete_service_rights(util_context, - LDAP_ADMIN_SERVICE, rparams->adminservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - return; - } - } - } - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->passwdservers != NULL)) { - for (i=0; (rparams->passwdservers[i] != NULL); i++) { - if ((retval = krb5_ldap_delete_service_rights(util_context, - LDAP_PASSWD_SERVICE, rparams->passwdservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - return; - } - } - } - printf("done\n"); + (mask & LDAP_REALM_PASSWDSERVERS)) { + + printf("Changing rights for the service object. Please wait ... "); + fflush(stdout); + + rparams = ldap_context->lrparams; + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->kdcservers != NULL)) { + for (i=0; (rparams->kdcservers[i] != NULL); i++) { + if ((retval = krb5_ldap_delete_service_rights(util_context, + LDAP_KDC_SERVICE, rparams->kdcservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + return; + } + } + } + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->adminservers != NULL)) { + for (i=0; (rparams->adminservers[i] != NULL); i++) { + if ((retval = krb5_ldap_delete_service_rights(util_context, + LDAP_ADMIN_SERVICE, rparams->adminservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + return; + } + } + } + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->passwdservers != NULL)) { + for (i=0; (rparams->passwdservers[i] != NULL); i++) { + if ((retval = krb5_ldap_delete_service_rights(util_context, + LDAP_PASSWD_SERVICE, rparams->passwdservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + return; + } + } + } + printf("done\n"); } #endif /* Delete the realm container and all the associated principals */ retval = krb5_ldap_delete_realm(util_context, global_params.realm); if (retval) { - com_err(progname, retval, "deleting database of '%s'", global_params.realm); - exit_status++; - return; + com_err(progname, retval, "deleting database of '%s'", global_params.realm); + exit_status++; + return; } printf("** Database of '%s' destroyed.\n", global_params.realm); diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.h index 9a2972a5a..a8225210f 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.h +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_realm.h */ @@ -29,13 +30,13 @@ * POSSIBILITY OF SUCH DAMAGE. */ -#define BUFF_LEN 64 /* Max len of enctype string */ -#define MAX_PRINC_SIZE 256 +#define BUFF_LEN 64 /* Max len of enctype string */ +#define MAX_PRINC_SIZE 256 enum ap_op { - NULL_KEY, /* setup null keys */ - MASTER_KEY, /* use master key as new key */ - TGT_KEY /* special handling for tgt key */ + NULL_KEY, /* setup null keys */ + MASTER_KEY, /* use master key as new key */ + TGT_KEY /* special handling for tgt key */ }; struct realm_info { @@ -49,13 +50,13 @@ struct realm_info { }; struct iterate_args { - krb5_context ctx; - struct realm_info *rblock; - krb5_db_entry *dbentp; + krb5_context ctx; + struct realm_info *rblock; + krb5_db_entry *dbentp; }; -extern void kdb5_ldap_create (int argc, char **argv); -extern void kdb5_ldap_destroy (int argc, char **argv); -extern void kdb5_ldap_modify (int argc, char **argv); -extern void kdb5_ldap_view (int argc, char **argv); -extern void kdb5_ldap_list (int argc, char **argv); +extern void kdb5_ldap_create(int argc, char **argv); +extern void kdb5_ldap_destroy(int argc, char **argv); +extern void kdb5_ldap_modify(int argc, char **argv); +extern void kdb5_ldap_view(int argc, char **argv); +extern void kdb5_ldap_list(int argc, char **argv); diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c index 48cbe5a88..fb384d381 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_services.c */ @@ -50,9 +51,9 @@ convert_realm_name2dn_list(char **list, const char *krbcontainer_loc); static krb5_error_code rem_service_entry_from_file(int argc, - char *argv[], - char *file_name, - char *service_object); + char *argv[], + char *file_name, + char *service_object); static void print_service_params(krb5_ldap_service_params *lserparams, int mask); @@ -60,7 +61,8 @@ print_service_params(krb5_ldap_service_params *lserparams, int mask); extern char *yes; extern krb5_boolean db_inited; -static int process_host_list(char **host_list, int servicetype) +static int +process_host_list(char **host_list, int servicetype) { krb5_error_code retval = 0; char *pchr = NULL; @@ -69,93 +71,93 @@ static int process_host_list(char **host_list, int servicetype) /* Protocol and port number processing */ for (j = 0; host_list[j]; j++) { - /* Look for one hash */ - if ((pchr = strchr(host_list[j], HOST_INFO_DELIMITER))) { - unsigned int hostname_len = pchr - host_list[j]; - - /* Check input for buffer overflow */ - if (hostname_len >= MAX_LEN_LIST_ENTRY) { - retval = EINVAL; - goto cleanup; - } - - /* First copy off the host name portion */ - strncpy (host_str, host_list[j], hostname_len); - - /* Parse for the protocol string and translate to number */ - strncpy (proto_str, pchr + 1, PROTOCOL_STR_LEN); - if (!strcmp(proto_str, "udp")) - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_NUM_UDP); - else if (!strcmp(proto_str, "tcp")) - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_NUM_TCP); - else - proto_str[0] = '\0'; /* Make the string null if invalid */ - - /* Look for one more hash */ - if ((pchr = strchr(pchr + 1, HOST_INFO_DELIMITER))) { - /* Parse for the port string and check if it is numeric */ - strncpy (port_str, pchr + 1, PORT_STR_LEN); - if (!strtol(port_str, NULL, 10)) /* Not a valid number */ - port_str[0] = '\0'; - } else - port_str[0] = '\0'; - } else { /* We have only host name */ - strncpy (host_str, host_list[j], MAX_LEN_LIST_ENTRY - 1); - proto_str[0] = '\0'; - port_str[0] = '\0'; - } - - /* Now, based on service type, fill in suitable protocol - and port values if they are absent or not matching */ - if (servicetype == LDAP_KDC_SERVICE) { - if (proto_str[0] == '\0') - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_KDC); - - if (port_str[0] == '\0') - snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_KDC); - } else if (servicetype == LDAP_ADMIN_SERVICE) { - if (proto_str[0] == '\0') - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_ADM); - else if (strcmp(proto_str, "1")) { - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_ADM); - - /* Print warning message */ - printf ("Admin Server supports only TCP protocol, hence setting that\n"); - } - - if (port_str[0] == '\0') - snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_ADM); - } else if (servicetype == LDAP_PASSWD_SERVICE) { - if (proto_str[0] == '\0') - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_PWD); - else if (strcmp(proto_str, "0")) { - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_PWD); - - /* Print warning message */ - printf ("Password Server supports only UDP protocol, hence setting that\n"); - } - - if (port_str[0] == '\0') - sprintf (port_str, "%d", PORT_DEFAULT_PWD); - } - - /* Finally form back the string */ - free (host_list[j]); - host_list[j] = (char*) malloc(sizeof(char) * - (strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1)); - if (host_list[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - snprintf (host_list[j], strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1, - "%s#%s#%s", host_str, proto_str, port_str); + /* Look for one hash */ + if ((pchr = strchr(host_list[j], HOST_INFO_DELIMITER))) { + unsigned int hostname_len = pchr - host_list[j]; + + /* Check input for buffer overflow */ + if (hostname_len >= MAX_LEN_LIST_ENTRY) { + retval = EINVAL; + goto cleanup; + } + + /* First copy off the host name portion */ + strncpy (host_str, host_list[j], hostname_len); + + /* Parse for the protocol string and translate to number */ + strncpy (proto_str, pchr + 1, PROTOCOL_STR_LEN); + if (!strcmp(proto_str, "udp")) + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_NUM_UDP); + else if (!strcmp(proto_str, "tcp")) + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_NUM_TCP); + else + proto_str[0] = '\0'; /* Make the string null if invalid */ + + /* Look for one more hash */ + if ((pchr = strchr(pchr + 1, HOST_INFO_DELIMITER))) { + /* Parse for the port string and check if it is numeric */ + strncpy (port_str, pchr + 1, PORT_STR_LEN); + if (!strtol(port_str, NULL, 10)) /* Not a valid number */ + port_str[0] = '\0'; + } else + port_str[0] = '\0'; + } else { /* We have only host name */ + strncpy (host_str, host_list[j], MAX_LEN_LIST_ENTRY - 1); + proto_str[0] = '\0'; + port_str[0] = '\0'; + } + + /* Now, based on service type, fill in suitable protocol + and port values if they are absent or not matching */ + if (servicetype == LDAP_KDC_SERVICE) { + if (proto_str[0] == '\0') + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_DEFAULT_KDC); + + if (port_str[0] == '\0') + snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_KDC); + } else if (servicetype == LDAP_ADMIN_SERVICE) { + if (proto_str[0] == '\0') + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_DEFAULT_ADM); + else if (strcmp(proto_str, "1")) { + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_DEFAULT_ADM); + + /* Print warning message */ + printf ("Admin Server supports only TCP protocol, hence setting that\n"); + } + + if (port_str[0] == '\0') + snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_ADM); + } else if (servicetype == LDAP_PASSWD_SERVICE) { + if (proto_str[0] == '\0') + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_DEFAULT_PWD); + else if (strcmp(proto_str, "0")) { + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_DEFAULT_PWD); + + /* Print warning message */ + printf ("Password Server supports only UDP protocol, hence setting that\n"); + } + + if (port_str[0] == '\0') + sprintf (port_str, "%d", PORT_DEFAULT_PWD); + } + + /* Finally form back the string */ + free (host_list[j]); + host_list[j] = (char*) malloc(sizeof(char) * + (strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1)); + if (host_list[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + snprintf (host_list[j], strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1, + "%s#%s#%s", host_str, proto_str, port_str); } cleanup: @@ -168,9 +170,7 @@ cleanup: * Kerberos container location. */ static krb5_error_code -convert_realm_name2dn_list(list, krbcontainer_loc) - char **list; - const char *krbcontainer_loc; +convert_realm_name2dn_list(char **list, const char *krbcontainer_loc) { krb5_error_code retval = 0; char temp_str[MAX_DN_CHARS] = "\0"; @@ -178,24 +178,24 @@ convert_realm_name2dn_list(list, krbcontainer_loc) int i = 0; if (list == NULL) { - return EINVAL; + return EINVAL; } for (i = 0; (list[i] != NULL) && (i < MAX_LIST_ENTRIES); i++) { - /* Restrict copying to max. length to avoid buffer overflow */ - snprintf (temp_str, MAX_DN_CHARS, "cn=%s,%s", list[i], krbcontainer_loc); + /* Restrict copying to max. length to avoid buffer overflow */ + snprintf (temp_str, MAX_DN_CHARS, "cn=%s,%s", list[i], krbcontainer_loc); - /* Make copy of string to temporary node */ - temp_node = strdup(temp_str); - if (list[i] == NULL) { - retval = ENOMEM; - goto cleanup; - } + /* Make copy of string to temporary node */ + temp_node = strdup(temp_str); + if (list[i] == NULL) { + retval = ENOMEM; + goto cleanup; + } - /* On success, free list node and attach new one */ - free (list[i]); - list[i] = temp_node; - temp_node = NULL; + /* On success, free list node and attach new one */ + free (list[i]); + list[i] = temp_node; + temp_node = NULL; } cleanup: @@ -207,9 +207,8 @@ cleanup: * This function will create a service object on the LDAP Server, with the * specified attributes. */ -void kdb5_ldap_create_service(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_create_service(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; @@ -231,15 +230,15 @@ void kdb5_ldap_create_service(argc, argv) /* Check for number of arguments */ if ((argc < 3) || (argc > 10)) { - exit_status++; - goto err_usage; + exit_status++; + goto err_usage; } /* Allocate memory for service parameters structure */ srvparams = (krb5_ldap_service_params*) calloc(1, sizeof(krb5_ldap_service_params)); if (srvparams == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } dal_handle = util_context->dal_handle; @@ -250,8 +249,8 @@ void kdb5_ldap_create_service(argc, argv) of arguments */ extra_argv = (char **) calloc((unsigned int)argc, sizeof(char*)); if (extra_argv == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } /* Set first of the extra arguments as the program name */ @@ -262,128 +261,128 @@ void kdb5_ldap_create_service(argc, argv) * and for assigning rights */ if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)))) { - com_err(me, retval, "while reading Kerberos container information"); - goto cleanup; + &(ldap_context->krbcontainer)))) { + com_err(me, retval, "while reading Kerberos container information"); + goto cleanup; } /* Parse all arguments */ for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-kdc")) { - srvparams->servicetype = LDAP_KDC_SERVICE; - } else if (!strcmp(argv[i], "-admin")) { - srvparams->servicetype = LDAP_ADMIN_SERVICE; - } else if (!strcmp(argv[i], "-pwd")) { - srvparams->servicetype = LDAP_PASSWD_SERVICE; - } else if (!strcmp(argv[i], "-servicehost")) { - if (++i > argc - 1) - goto err_usage; - - srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES, - sizeof(char *)); - if (srvparams->krbhostservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - srvparams->krbhostservers))) { - goto cleanup; - } - - if ((retval = process_host_list (srvparams->krbhostservers, - srvparams->servicetype))) { - goto cleanup; - } - - mask |= LDAP_SERVICE_HOSTSERVER; - } else if (!strcmp(argv[i], "-realm")) { - if (++i > argc - 1) - goto err_usage; - - srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES, - sizeof(char *)); - if (srvparams->krbrealmreferences == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - srvparams->krbrealmreferences))) { - goto cleanup; - } - - /* Convert realm names to realm DNs */ - if ((retval = convert_realm_name2dn_list( - srvparams->krbrealmreferences, - ldap_context->krbcontainer->DN))) { - goto cleanup; - } - - mask |= LDAP_SERVICE_REALMREFERENCE; - } - /* If argument is none of the above and beginning with '-', - * it must be related to password -- collect it - * to pass onto kdb5_ldap_set_service_password() - */ - else if (*(argv[i]) == '-') { - /* Checking for options of setting the password for the - * service (by using 'setsrvpw') is not modular. --need to - * have a common function that can be shared with 'setsrvpw' - */ - if (!strcmp(argv[i], "-randpw")) { - extra_argv[extra_argc] = argv[i]; - extra_argc++; - } else if (!strcmp(argv[i], "-fileonly")) { - extra_argv[extra_argc] = argv[i]; - extra_argc++; - } - /* For '-f' option alone, pick up the following argument too */ - else if (!strcmp(argv[i], "-f")) { - extra_argv[extra_argc] = argv[i]; - extra_argc++; - - if (++i > argc - 1) - goto err_usage; - - extra_argv[extra_argc] = argv[i]; - extra_argc++; - } else { /* Any other option is invalid */ - exit_status++; - goto err_usage; - } - } else { /* Any other argument must be service DN */ - /* First check if service DN is already provided -- - * if so, there's a usage error - */ - if (srvparams->servicedn != NULL) { - com_err(me, EINVAL, "while creating service object"); - goto err_usage; - } - - /* If not present already, fill up service DN */ - srvparams->servicedn = strdup(argv[i]); - if (srvparams->servicedn == NULL) { - com_err(me, ENOMEM, "while creating service object"); - goto err_nomsg; - } - } + if (!strcmp(argv[i], "-kdc")) { + srvparams->servicetype = LDAP_KDC_SERVICE; + } else if (!strcmp(argv[i], "-admin")) { + srvparams->servicetype = LDAP_ADMIN_SERVICE; + } else if (!strcmp(argv[i], "-pwd")) { + srvparams->servicetype = LDAP_PASSWD_SERVICE; + } else if (!strcmp(argv[i], "-servicehost")) { + if (++i > argc - 1) + goto err_usage; + + srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES, + sizeof(char *)); + if (srvparams->krbhostservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + srvparams->krbhostservers))) { + goto cleanup; + } + + if ((retval = process_host_list (srvparams->krbhostservers, + srvparams->servicetype))) { + goto cleanup; + } + + mask |= LDAP_SERVICE_HOSTSERVER; + } else if (!strcmp(argv[i], "-realm")) { + if (++i > argc - 1) + goto err_usage; + + srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES, + sizeof(char *)); + if (srvparams->krbrealmreferences == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + srvparams->krbrealmreferences))) { + goto cleanup; + } + + /* Convert realm names to realm DNs */ + if ((retval = convert_realm_name2dn_list( + srvparams->krbrealmreferences, + ldap_context->krbcontainer->DN))) { + goto cleanup; + } + + mask |= LDAP_SERVICE_REALMREFERENCE; + } + /* If argument is none of the above and beginning with '-', + * it must be related to password -- collect it + * to pass onto kdb5_ldap_set_service_password() + */ + else if (*(argv[i]) == '-') { + /* Checking for options of setting the password for the + * service (by using 'setsrvpw') is not modular. --need to + * have a common function that can be shared with 'setsrvpw' + */ + if (!strcmp(argv[i], "-randpw")) { + extra_argv[extra_argc] = argv[i]; + extra_argc++; + } else if (!strcmp(argv[i], "-fileonly")) { + extra_argv[extra_argc] = argv[i]; + extra_argc++; + } + /* For '-f' option alone, pick up the following argument too */ + else if (!strcmp(argv[i], "-f")) { + extra_argv[extra_argc] = argv[i]; + extra_argc++; + + if (++i > argc - 1) + goto err_usage; + + extra_argv[extra_argc] = argv[i]; + extra_argc++; + } else { /* Any other option is invalid */ + exit_status++; + goto err_usage; + } + } else { /* Any other argument must be service DN */ + /* First check if service DN is already provided -- + * if so, there's a usage error + */ + if (srvparams->servicedn != NULL) { + com_err(me, EINVAL, "while creating service object"); + goto err_usage; + } + + /* If not present already, fill up service DN */ + srvparams->servicedn = strdup(argv[i]); + if (srvparams->servicedn == NULL) { + com_err(me, ENOMEM, "while creating service object"); + goto err_nomsg; + } + } } /* No point in proceeding further if service DN value is not available */ if (srvparams->servicedn == NULL) { - com_err(me, EINVAL, "while creating service object"); - goto err_usage; + com_err(me, EINVAL, "while creating service object"); + goto err_usage; } if (srvparams->servicetype == 0) { /* Not provided and hence not set */ - com_err(me, EINVAL, "while creating service object"); - goto err_usage; + com_err(me, EINVAL, "while creating service object"); + goto err_usage; } /* Create object with all attributes provided */ if ((retval = krb5_ldap_create_service(util_context, srvparams, mask))) - goto cleanup; + goto cleanup; service_obj_created = TRUE; @@ -394,66 +393,66 @@ void kdb5_ldap_create_service(argc, argv) /* Set password too */ if (extra_argc >= 1) { - /* Set service DN as the last argument */ - extra_argv[extra_argc] = strdup(srvparams->servicedn); - if (extra_argv[extra_argc] == NULL) { + /* Set service DN as the last argument */ + extra_argv[extra_argc] = strdup(srvparams->servicedn); + if (extra_argv[extra_argc] == NULL) { retval = ENOMEM; goto cleanup; } - extra_argc++; + extra_argc++; - if ((retval = kdb5_ldap_set_service_password(extra_argc, extra_argv)) != 0) { - goto err_nomsg; - } + if ((retval = kdb5_ldap_set_service_password(extra_argc, extra_argv)) != 0) { + goto err_nomsg; + } } /* Rights assignment */ if (mask & LDAP_SERVICE_REALMREFERENCE) { - printf("%s","Changing rights for the service object. Please wait ... "); - fflush(stdout); - - rightsmask =0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - - if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) { - for (i=0; (srvparams->krbrealmreferences[i] != NULL); i++) { - - /* Get the realm name, not the dn */ - temprdns = ldap_explode_dn(srvparams->krbrealmreferences[i], 1); - - if (temprdns[0] == NULL) { - retval = EINVAL; - goto cleanup; - } - - realmName = strdup(temprdns[0]); - if (realmName == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_ldap_read_realm_params(util_context, - realmName, &rparams, &rmask))) { - com_err(me, retval, "while reading information of realm '%s'", - realmName); - goto cleanup; - } - - if ((retval = krb5_ldap_add_service_rights(util_context, - srvparams->servicetype, srvparams->servicedn, - realmName, rparams->subtree, rparams->containerref, rightsmask))) { - printf("failed\n"); - com_err(me, retval, "while assigning rights '%s'", - srvparams->servicedn); - goto cleanup; - } - - if (rparams) - krb5_ldap_free_realm_params(rparams); - } - } - printf("done\n"); + printf("%s","Changing rights for the service object. Please wait ... "); + fflush(stdout); + + rightsmask =0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + + if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) { + for (i=0; (srvparams->krbrealmreferences[i] != NULL); i++) { + + /* Get the realm name, not the dn */ + temprdns = ldap_explode_dn(srvparams->krbrealmreferences[i], 1); + + if (temprdns[0] == NULL) { + retval = EINVAL; + goto cleanup; + } + + realmName = strdup(temprdns[0]); + if (realmName == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_ldap_read_realm_params(util_context, + realmName, &rparams, &rmask))) { + com_err(me, retval, "while reading information of realm '%s'", + realmName); + goto cleanup; + } + + if ((retval = krb5_ldap_add_service_rights(util_context, + srvparams->servicetype, srvparams->servicedn, + realmName, rparams->subtree, rparams->containerref, rightsmask))) { + printf("failed\n"); + com_err(me, retval, "while assigning rights '%s'", + srvparams->servicedn); + goto cleanup; + } + + if (rparams) + krb5_ldap_free_realm_params(rparams); + } + } + printf("done\n"); } goto cleanup; @@ -466,35 +465,35 @@ err_nomsg: cleanup: if ((retval != 0) && (service_obj_created == TRUE)) { - /* This is for deleting the service object if something goes - * wrong in creating the service object - */ + /* This is for deleting the service object if something goes + * wrong in creating the service object + */ - /* srvparams is populated from the user input and should be correct as - * we were successful in creating a service object. Reusing the same - */ - krb5_ldap_delete_service(util_context, srvparams, srvparams->servicedn); + /* srvparams is populated from the user input and should be correct as + * we were successful in creating a service object. Reusing the same + */ + krb5_ldap_delete_service(util_context, srvparams, srvparams->servicedn); } /* Clean-up structure */ krb5_ldap_free_service (util_context, srvparams); if (extra_argv) { - free (extra_argv); - extra_argv = NULL; + free (extra_argv); + extra_argv = NULL; } if (realmName) { - free(realmName); - realmName = NULL; + free(realmName); + realmName = NULL; } if (print_usage) - db_usage (CREATE_SERVICE); + db_usage (CREATE_SERVICE); if (retval) { - if (!no_msg) - com_err(me, retval, "while creating service object"); + if (!no_msg) + com_err(me, retval, "while creating service object"); - exit_status++; + exit_status++; } return; @@ -505,9 +504,8 @@ cleanup: * This function will modify the attributes of a given service * object on the LDAP Server */ -void kdb5_ldap_modify_service(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_modify_service(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; @@ -534,8 +532,8 @@ void kdb5_ldap_modify_service(argc, argv) /* Check for number of arguments */ if ((argc < 3) || (argc > 10)) { - exit_status++; - goto err_usage; + exit_status++; + goto err_usage; } dal_handle = util_context->dal_handle; @@ -543,475 +541,475 @@ void kdb5_ldap_modify_service(argc, argv) /* Parse all arguments, only to pick up service DN (Pass 1) */ for (i = 1; i < argc; i++) { - /* Skip arguments next to 'servicehost' - and 'realmdn' arguments */ - if (!strcmp(argv[i], "-servicehost")) { - ++i; - } else if (!strcmp(argv[i], "-clearservicehost")) { - ++i; - } else if (!strcmp(argv[i], "-addservicehost")) { - ++i; - } else if (!strcmp(argv[i], "-realm")) { - ++i; - } else if (!strcmp(argv[i], "-clearrealm")) { - ++i; - } else if (!strcmp(argv[i], "-addrealm")) { - ++i; - } else { /* Any other argument must be service DN */ - /* First check if service DN is already provided -- - if so, there's a usage error */ - if (servicedn != NULL) { - com_err(me, EINVAL, "while modifying service object"); - goto err_usage; - } - - /* If not present already, fill up service DN */ - servicedn = strdup(argv[i]); - if (servicedn == NULL) { - com_err(me, ENOMEM, "while modifying service object"); - goto err_nomsg; - } - } + /* Skip arguments next to 'servicehost' + and 'realmdn' arguments */ + if (!strcmp(argv[i], "-servicehost")) { + ++i; + } else if (!strcmp(argv[i], "-clearservicehost")) { + ++i; + } else if (!strcmp(argv[i], "-addservicehost")) { + ++i; + } else if (!strcmp(argv[i], "-realm")) { + ++i; + } else if (!strcmp(argv[i], "-clearrealm")) { + ++i; + } else if (!strcmp(argv[i], "-addrealm")) { + ++i; + } else { /* Any other argument must be service DN */ + /* First check if service DN is already provided -- + if so, there's a usage error */ + if (servicedn != NULL) { + com_err(me, EINVAL, "while modifying service object"); + goto err_usage; + } + + /* If not present already, fill up service DN */ + servicedn = strdup(argv[i]); + if (servicedn == NULL) { + com_err(me, ENOMEM, "while modifying service object"); + goto err_nomsg; + } + } } /* No point in proceeding further if service DN value is not available */ if (servicedn == NULL) { - com_err(me, EINVAL, "while modifying service object"); - goto err_usage; + com_err(me, EINVAL, "while modifying service object"); + goto err_usage; } retval = krb5_ldap_read_service(util_context, servicedn, &srvparams, &in_mask); if (retval) { - com_err(me, retval, "while reading information of service '%s'", - servicedn); - goto err_nomsg; + com_err(me, retval, "while reading information of service '%s'", + servicedn); + goto err_nomsg; } /* Read Kerberos container info, to construct realm DN from name * and for assigning rights */ if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)))) { - com_err(me, retval, "while reading Kerberos container information"); - goto cleanup; + &(ldap_context->krbcontainer)))) { + com_err(me, retval, "while reading Kerberos container information"); + goto cleanup; } /* Parse all arguments, but skip the service DN (Pass 2) */ for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-servicehost")) { - if (++i > argc - 1) - goto err_usage; - - /* Free the old list if available */ - if (srvparams->krbhostservers) { - krb5_free_list_entries (srvparams->krbhostservers); - free (srvparams->krbhostservers); - } - - srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES, - sizeof(char *)); - if (srvparams->krbhostservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - srvparams->krbhostservers))) { - goto cleanup; - } - - if ((retval = process_host_list (srvparams->krbhostservers, - srvparams->servicetype))) { - goto cleanup; - } - - out_mask |= LDAP_SERVICE_HOSTSERVER; - - /* Set flag to ignore 'add' and 'clear' */ - srvhost_flag = 1; - } else if (!strcmp(argv[i], "-clearservicehost")) { - if (++i > argc - 1) - goto err_usage; - - if (!srvhost_flag) { - /* If attribute doesn't exist, don't permit 'clear' option */ - if ((in_mask & LDAP_SERVICE_HOSTSERVER) == 0) { - /* Send out some proper error message here */ - com_err(me, EINVAL, "service host list is empty\n"); - goto err_nomsg; - } - - /* Allocate list for processing */ - list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - if ((retval = process_host_list (list, srvparams->servicetype))) { - goto cleanup; - } - - list_modify_str_array(&(srvparams->krbhostservers), - (const char**)list, LIST_MODE_DELETE); - - out_mask |= LDAP_SERVICE_HOSTSERVER; - - /* Clean up */ - free (list); - list = NULL; - } - } else if (!strcmp(argv[i], "-addservicehost")) { - if (++i > argc - 1) - goto err_usage; - - if (!srvhost_flag) { - /* Allocate list for processing */ - list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - if ((retval = process_host_list (list, srvparams->servicetype))) { - goto cleanup; - } - - /* Call list_modify_str_array() only if host server attribute - * exists already --Actually, it's better to handle this - * within list_modify_str_array() - */ - if (in_mask & LDAP_SERVICE_HOSTSERVER) { - /* Re-size existing list */ - existing_entries = list_count_str_array(srvparams->krbhostservers); - new_entries = list_count_str_array(list); - temp_ptr = (char **) realloc(srvparams->krbhostservers, - sizeof(char *) * (existing_entries + new_entries + 1)); - if (temp_ptr == NULL) { - retval = ENOMEM; - goto cleanup; - } - srvparams->krbhostservers = temp_ptr; - - list_modify_str_array(&(srvparams->krbhostservers), - (const char**)list, LIST_MODE_ADD); - - /* Clean up */ - free (list); - list = NULL; - } else - srvparams->krbhostservers = list; - - out_mask |= LDAP_SERVICE_HOSTSERVER; - } - } else if (!strcmp(argv[i], "-realm")) { - if (++i > argc - 1) - goto err_usage; - - if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences)) { - if (!oldrealmrefs) { - /* Store the old realm list for removing rights */ - oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldrealmrefs == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { - oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); - if (oldrealmrefs[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldrealmrefs[j] = NULL; - } - - /* Free the old list if available */ - krb5_free_list_entries (srvparams->krbrealmreferences); - free (srvparams->krbrealmreferences); - } - - srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES, - sizeof(char *)); - if (srvparams->krbrealmreferences == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - srvparams->krbrealmreferences))) { - goto cleanup; - } - - /* Convert realm names to realm DNs */ - if ((retval = convert_realm_name2dn_list( - srvparams->krbrealmreferences, - ldap_context->krbcontainer->DN))) { - goto cleanup; - } - - out_mask |= LDAP_SERVICE_REALMREFERENCE; - - /* Set flag to ignore 'add' and 'clear' */ - realmdn_flag = 1; - } else if (!strcmp(argv[i], "-clearrealm")) { - if (++i > argc - 1) - goto err_usage; - - if (!realmdn_flag) { - /* If attribute doesn't exist, don't permit 'clear' option */ - if (((in_mask & LDAP_SERVICE_REALMREFERENCE) == 0) || (srvparams->krbrealmreferences == NULL)) { - /* Send out some proper error message here */ - goto err_nomsg; - } - - if (!oldrealmrefs) { - /* Store the old realm list for removing rights */ - oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldrealmrefs == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { - oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); - if (oldrealmrefs[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldrealmrefs[j] = NULL; - } - - /* Allocate list for processing */ - list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - /* Convert realm names to realm DNs */ - if ((retval = convert_realm_name2dn_list(list, - ldap_context->krbcontainer->DN))) { - goto cleanup; - } - - list_modify_str_array(&(srvparams->krbrealmreferences), - (const char**)list, LIST_MODE_DELETE); - - out_mask |= LDAP_SERVICE_REALMREFERENCE; - - /* Clean up */ - free (list); - list = NULL; - } - } else if (!strcmp(argv[i], "-addrealm")) { - if (++i > argc - 1) - goto err_usage; - - if (!realmdn_flag) { - /* Allocate list for processing */ - list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - /* Convert realm names to realm DNs */ - if ((retval = convert_realm_name2dn_list(list, - ldap_context->krbcontainer->DN))) { - goto cleanup; - } - - if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences) && (!oldrealmrefs)) { - /* Store the old realm list for removing rights */ - oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldrealmrefs == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { - oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); - if (oldrealmrefs[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldrealmrefs[j] = NULL; - } - - /* Call list_modify_str_array() only if realm DN attribute - * exists already -- Actually, it's better to handle this - * within list_modify_str_array() */ - if (in_mask & LDAP_SERVICE_REALMREFERENCE) { - /* Re-size existing list */ - existing_entries = list_count_str_array( - srvparams->krbrealmreferences); - new_entries = list_count_str_array(list); - temp_ptr = (char **) realloc(srvparams->krbrealmreferences, - sizeof(char *) * (existing_entries + new_entries + 1)); - if (temp_ptr == NULL) { - retval = ENOMEM; - goto cleanup; - } - srvparams->krbrealmreferences = temp_ptr; - - list_modify_str_array(&(srvparams->krbrealmreferences), - (const char**)list, LIST_MODE_ADD); - - /* Clean up */ - free (list); - list = NULL; - } else - srvparams->krbrealmreferences = list; - - out_mask |= LDAP_SERVICE_REALMREFERENCE; - } - } else { - /* Any other argument must be service DN - -- skip it */ - } + if (!strcmp(argv[i], "-servicehost")) { + if (++i > argc - 1) + goto err_usage; + + /* Free the old list if available */ + if (srvparams->krbhostservers) { + krb5_free_list_entries (srvparams->krbhostservers); + free (srvparams->krbhostservers); + } + + srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES, + sizeof(char *)); + if (srvparams->krbhostservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + srvparams->krbhostservers))) { + goto cleanup; + } + + if ((retval = process_host_list (srvparams->krbhostservers, + srvparams->servicetype))) { + goto cleanup; + } + + out_mask |= LDAP_SERVICE_HOSTSERVER; + + /* Set flag to ignore 'add' and 'clear' */ + srvhost_flag = 1; + } else if (!strcmp(argv[i], "-clearservicehost")) { + if (++i > argc - 1) + goto err_usage; + + if (!srvhost_flag) { + /* If attribute doesn't exist, don't permit 'clear' option */ + if ((in_mask & LDAP_SERVICE_HOSTSERVER) == 0) { + /* Send out some proper error message here */ + com_err(me, EINVAL, "service host list is empty\n"); + goto err_nomsg; + } + + /* Allocate list for processing */ + list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (list == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) + goto cleanup; + + if ((retval = process_host_list (list, srvparams->servicetype))) { + goto cleanup; + } + + list_modify_str_array(&(srvparams->krbhostservers), + (const char**)list, LIST_MODE_DELETE); + + out_mask |= LDAP_SERVICE_HOSTSERVER; + + /* Clean up */ + free (list); + list = NULL; + } + } else if (!strcmp(argv[i], "-addservicehost")) { + if (++i > argc - 1) + goto err_usage; + + if (!srvhost_flag) { + /* Allocate list for processing */ + list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (list == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) + goto cleanup; + + if ((retval = process_host_list (list, srvparams->servicetype))) { + goto cleanup; + } + + /* Call list_modify_str_array() only if host server attribute + * exists already --Actually, it's better to handle this + * within list_modify_str_array() + */ + if (in_mask & LDAP_SERVICE_HOSTSERVER) { + /* Re-size existing list */ + existing_entries = list_count_str_array(srvparams->krbhostservers); + new_entries = list_count_str_array(list); + temp_ptr = (char **) realloc(srvparams->krbhostservers, + sizeof(char *) * (existing_entries + new_entries + 1)); + if (temp_ptr == NULL) { + retval = ENOMEM; + goto cleanup; + } + srvparams->krbhostservers = temp_ptr; + + list_modify_str_array(&(srvparams->krbhostservers), + (const char**)list, LIST_MODE_ADD); + + /* Clean up */ + free (list); + list = NULL; + } else + srvparams->krbhostservers = list; + + out_mask |= LDAP_SERVICE_HOSTSERVER; + } + } else if (!strcmp(argv[i], "-realm")) { + if (++i > argc - 1) + goto err_usage; + + if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences)) { + if (!oldrealmrefs) { + /* Store the old realm list for removing rights */ + oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldrealmrefs == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { + oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); + if (oldrealmrefs[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldrealmrefs[j] = NULL; + } + + /* Free the old list if available */ + krb5_free_list_entries (srvparams->krbrealmreferences); + free (srvparams->krbrealmreferences); + } + + srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES, + sizeof(char *)); + if (srvparams->krbrealmreferences == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + srvparams->krbrealmreferences))) { + goto cleanup; + } + + /* Convert realm names to realm DNs */ + if ((retval = convert_realm_name2dn_list( + srvparams->krbrealmreferences, + ldap_context->krbcontainer->DN))) { + goto cleanup; + } + + out_mask |= LDAP_SERVICE_REALMREFERENCE; + + /* Set flag to ignore 'add' and 'clear' */ + realmdn_flag = 1; + } else if (!strcmp(argv[i], "-clearrealm")) { + if (++i > argc - 1) + goto err_usage; + + if (!realmdn_flag) { + /* If attribute doesn't exist, don't permit 'clear' option */ + if (((in_mask & LDAP_SERVICE_REALMREFERENCE) == 0) || (srvparams->krbrealmreferences == NULL)) { + /* Send out some proper error message here */ + goto err_nomsg; + } + + if (!oldrealmrefs) { + /* Store the old realm list for removing rights */ + oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldrealmrefs == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { + oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); + if (oldrealmrefs[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldrealmrefs[j] = NULL; + } + + /* Allocate list for processing */ + list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (list == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) + goto cleanup; + + /* Convert realm names to realm DNs */ + if ((retval = convert_realm_name2dn_list(list, + ldap_context->krbcontainer->DN))) { + goto cleanup; + } + + list_modify_str_array(&(srvparams->krbrealmreferences), + (const char**)list, LIST_MODE_DELETE); + + out_mask |= LDAP_SERVICE_REALMREFERENCE; + + /* Clean up */ + free (list); + list = NULL; + } + } else if (!strcmp(argv[i], "-addrealm")) { + if (++i > argc - 1) + goto err_usage; + + if (!realmdn_flag) { + /* Allocate list for processing */ + list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (list == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) + goto cleanup; + + /* Convert realm names to realm DNs */ + if ((retval = convert_realm_name2dn_list(list, + ldap_context->krbcontainer->DN))) { + goto cleanup; + } + + if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences) && (!oldrealmrefs)) { + /* Store the old realm list for removing rights */ + oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldrealmrefs == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { + oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); + if (oldrealmrefs[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldrealmrefs[j] = NULL; + } + + /* Call list_modify_str_array() only if realm DN attribute + * exists already -- Actually, it's better to handle this + * within list_modify_str_array() */ + if (in_mask & LDAP_SERVICE_REALMREFERENCE) { + /* Re-size existing list */ + existing_entries = list_count_str_array( + srvparams->krbrealmreferences); + new_entries = list_count_str_array(list); + temp_ptr = (char **) realloc(srvparams->krbrealmreferences, + sizeof(char *) * (existing_entries + new_entries + 1)); + if (temp_ptr == NULL) { + retval = ENOMEM; + goto cleanup; + } + srvparams->krbrealmreferences = temp_ptr; + + list_modify_str_array(&(srvparams->krbrealmreferences), + (const char**)list, LIST_MODE_ADD); + + /* Clean up */ + free (list); + list = NULL; + } else + srvparams->krbrealmreferences = list; + + out_mask |= LDAP_SERVICE_REALMREFERENCE; + } + } else { + /* Any other argument must be service DN + -- skip it */ + } } /* Modify attributes of object */ if ((retval = krb5_ldap_modify_service(util_context, srvparams, out_mask))) - goto cleanup; + goto cleanup; /* Service rights modification code */ if (out_mask & LDAP_SERVICE_REALMREFERENCE) { - printf("%s","Changing rights for the service object. Please wait ... "); - fflush(stdout); - - newrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (newrealmrefs == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) { - for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { - newrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); - if (newrealmrefs[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - newrealmrefs[j] = NULL; - } - disjoint_members(oldrealmrefs, newrealmrefs); - - /* Delete the rights for the given service, on each of the realm - * container & subtree in the old realm reference list. - */ - if (oldrealmrefs) { - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - - for (i = 0; (oldrealmrefs[i] != NULL); i++) { - /* Get the realm name, not the dn */ - temprdns = ldap_explode_dn(oldrealmrefs[i], 1); - - if (temprdns[0] == NULL) { - retval = EINVAL; - goto cleanup; - } - - realmName = strdup(temprdns[0]); - if (realmName == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_ldap_read_realm_params(util_context, - realmName, &rparams, &rmask))) { - com_err(me, retval, "while reading information of realm '%s'", - realmName); - goto err_nomsg; - } - - if ((retval = krb5_ldap_delete_service_rights(util_context, - srvparams->servicetype, srvparams->servicedn, - realmName, rparams->subtree, rparams->containerref, rightsmask))) { - printf("failed\n"); - com_err(me, retval, "while assigning rights '%s'", - srvparams->servicedn); - goto err_nomsg; - } - - if (rparams) - krb5_ldap_free_realm_params(rparams); - } - } - - /* Add the rights for the given service, on each of the realm - * container & subtree in the new realm reference list. - */ - if (newrealmrefs) { - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - - for (i = 0; (newrealmrefs[i] != NULL); i++) { - /* Get the realm name, not the dn */ - temprdns = ldap_explode_dn(newrealmrefs[i], 1); - - if (temprdns[0] == NULL) { - retval = EINVAL; - goto cleanup; - } - - realmName = strdup(temprdns[0]); - if (realmName == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)))) { - com_err(me, retval, - "while reading Kerberos container information"); - goto cleanup; - } - - if ((retval = krb5_ldap_read_realm_params(util_context, - realmName, &rparams, &rmask))) { - com_err(me, retval, "while reading information of realm '%s'", - realmName); - goto err_nomsg; - } - - if ((retval = krb5_ldap_add_service_rights(util_context, - srvparams->servicetype, srvparams->servicedn, - realmName, rparams->subtree, rparams->containerref, rightsmask))) { - printf("failed\n"); - com_err(me, retval, "while assigning rights '%s'", - srvparams->servicedn); - goto err_nomsg; - } - - if (rparams) { - krb5_ldap_free_realm_params(rparams); - rparams = NULL; - } - } - printf("done\n"); - } + printf("%s","Changing rights for the service object. Please wait ... "); + fflush(stdout); + + newrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (newrealmrefs == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) { + for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { + newrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); + if (newrealmrefs[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + newrealmrefs[j] = NULL; + } + disjoint_members(oldrealmrefs, newrealmrefs); + + /* Delete the rights for the given service, on each of the realm + * container & subtree in the old realm reference list. + */ + if (oldrealmrefs) { + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + + for (i = 0; (oldrealmrefs[i] != NULL); i++) { + /* Get the realm name, not the dn */ + temprdns = ldap_explode_dn(oldrealmrefs[i], 1); + + if (temprdns[0] == NULL) { + retval = EINVAL; + goto cleanup; + } + + realmName = strdup(temprdns[0]); + if (realmName == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_ldap_read_realm_params(util_context, + realmName, &rparams, &rmask))) { + com_err(me, retval, "while reading information of realm '%s'", + realmName); + goto err_nomsg; + } + + if ((retval = krb5_ldap_delete_service_rights(util_context, + srvparams->servicetype, srvparams->servicedn, + realmName, rparams->subtree, rparams->containerref, rightsmask))) { + printf("failed\n"); + com_err(me, retval, "while assigning rights '%s'", + srvparams->servicedn); + goto err_nomsg; + } + + if (rparams) + krb5_ldap_free_realm_params(rparams); + } + } + + /* Add the rights for the given service, on each of the realm + * container & subtree in the new realm reference list. + */ + if (newrealmrefs) { + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + + for (i = 0; (newrealmrefs[i] != NULL); i++) { + /* Get the realm name, not the dn */ + temprdns = ldap_explode_dn(newrealmrefs[i], 1); + + if (temprdns[0] == NULL) { + retval = EINVAL; + goto cleanup; + } + + realmName = strdup(temprdns[0]); + if (realmName == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_ldap_read_krbcontainer_params(util_context, + &(ldap_context->krbcontainer)))) { + com_err(me, retval, + "while reading Kerberos container information"); + goto cleanup; + } + + if ((retval = krb5_ldap_read_realm_params(util_context, + realmName, &rparams, &rmask))) { + com_err(me, retval, "while reading information of realm '%s'", + realmName); + goto err_nomsg; + } + + if ((retval = krb5_ldap_add_service_rights(util_context, + srvparams->servicetype, srvparams->servicedn, + realmName, rparams->subtree, rparams->containerref, rightsmask))) { + printf("failed\n"); + com_err(me, retval, "while assigning rights '%s'", + srvparams->servicedn); + goto err_nomsg; + } + + if (rparams) { + krb5_ldap_free_realm_params(rparams); + rparams = NULL; + } + } + printf("done\n"); + } } goto cleanup; @@ -1026,36 +1024,36 @@ cleanup: krb5_ldap_free_service(util_context, srvparams); if (servicedn) - free(servicedn); + free(servicedn); if (list) { - free(list); - list = NULL; + free(list); + list = NULL; } if (oldrealmrefs) { - for (i = 0; oldrealmrefs[i] != NULL; i++) - free(oldrealmrefs[i]); - free(oldrealmrefs); + for (i = 0; oldrealmrefs[i] != NULL; i++) + free(oldrealmrefs[i]); + free(oldrealmrefs); } if (newrealmrefs) { - for (i = 0; newrealmrefs[i] != NULL; i++) - free(newrealmrefs[i]); - free(newrealmrefs); + for (i = 0; newrealmrefs[i] != NULL; i++) + free(newrealmrefs[i]); + free(newrealmrefs); } if (realmName) { - free(realmName); - realmName = NULL; + free(realmName); + realmName = NULL; } if (print_usage) - db_usage(MODIFY_SERVICE); + db_usage(MODIFY_SERVICE); if (retval) { - if (!no_msg) - com_err(me, retval, "while modifying service object"); - exit_status++; + if (!no_msg) + com_err(me, retval, "while modifying service object"); + exit_status++; } return; @@ -1067,11 +1065,8 @@ cleanup: * from the service password file. */ static krb5_error_code -rem_service_entry_from_file(argc, argv, file_name, service_object) - int argc; - char *argv[]; - char *file_name; - char *service_object; +rem_service_entry_from_file(int argc, char *argv[], char *file_name, + char *service_object) { int st = EINVAL; char *me = progname; @@ -1084,31 +1079,31 @@ rem_service_entry_from_file(argc, argv, file_name, service_object) /* Check for permissions on the password file */ if (access(file_name, W_OK) == -1) { - /* If the specified file itself is not there, no need to show error */ - if (errno == ENOENT) { - st=0; - goto cleanup; - } else { - com_err(me, errno, "while deleting entry from file %s", file_name); - goto cleanup; - } + /* If the specified file itself is not there, no need to show error */ + if (errno == ENOENT) { + st=0; + goto cleanup; + } else { + com_err(me, errno, "while deleting entry from file %s", file_name); + goto cleanup; + } } /* Create a temporary file which contains all the entries except the entry for the given service dn */ pfile = fopen(file_name, "r+"); if (pfile == NULL) { - com_err(me, errno, "while deleting entry from file %s", file_name); - goto cleanup; + com_err(me, errno, "while deleting entry from file %s", file_name); + goto cleanup; } set_cloexec_file(pfile); /* Create a new file with the extension .tmp */ tmp_file = (char *)malloc(strlen(file_name) + 4 + 1); if (tmp_file == NULL) { - com_err(me, ENOMEM, "while deleting entry from file"); - fclose(pfile); - goto cleanup; + com_err(me, ENOMEM, "while deleting entry from file"); + fclose(pfile); + goto cleanup; } snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp"); @@ -1116,33 +1111,33 @@ rem_service_entry_from_file(argc, argv, file_name, service_object) tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR); umask(omask); if (tmpfd == -1) { - com_err(me, errno, "while deleting entry from file\n"); - fclose(pfile); - goto cleanup; + com_err(me, errno, "while deleting entry from file\n"); + fclose(pfile); + goto cleanup; } /* Copy only those lines which donot have the specified service dn */ while (fgets(line, MAX_LEN, pfile) != NULL) { - if ((strstr(line, service_object) != NULL) && - (line[strlen(service_object)] == '#')) { - continue; - } else { - len = strlen(line); - if (write(tmpfd, line, len) != len) { - com_err(me, errno, "while deleting entry from file\n"); - close(tmpfd); - unlink(tmp_file); - fclose(pfile); - goto cleanup; - } - } + if ((strstr(line, service_object) != NULL) && + (line[strlen(service_object)] == '#')) { + continue; + } else { + len = strlen(line); + if (write(tmpfd, line, len) != len) { + com_err(me, errno, "while deleting entry from file\n"); + close(tmpfd); + unlink(tmp_file); + fclose(pfile); + goto cleanup; + } + } } fclose(pfile); if (unlink(file_name) == 0) { - link(tmp_file, file_name); + link(tmp_file, file_name); } else { - com_err(me, errno, "while deleting entry from file\n"); + com_err(me, errno, "while deleting entry from file\n"); } unlink(tmp_file); @@ -1151,7 +1146,7 @@ rem_service_entry_from_file(argc, argv, file_name, service_object) cleanup: if (tmp_file) - free(tmp_file); + free(tmp_file); return st; } @@ -1162,9 +1157,7 @@ cleanup: * and unlink the references to the Realm objects (if any) */ void -kdb5_ldap_destroy_service(argc, argv) - int argc; - char *argv[]; +kdb5_ldap_destroy_service(int argc, char *argv[]) { int i = 0; char buf[5] = {0}; @@ -1177,89 +1170,89 @@ kdb5_ldap_destroy_service(argc, argv) krb5_boolean print_usage = FALSE; if ((argc < 2) || (argc > 5)) { - exit_status++; - goto err_usage; + exit_status++; + goto err_usage; } for (i=1; i < argc; i++) { - if (strcmp(argv[i],"-force")==0) { - force++; - } else if (strcmp(argv[i],"-f")==0) { - if (argv[i+1]) { - stashfilename=strdup(argv[i+1]); - if (stashfilename == NULL) { - com_err(progname, ENOMEM, "while destroying service"); - exit_status++; - goto cleanup; - } - i++; - } else { - exit_status++; - goto err_usage; - } - } else { - if ((argv[i]) && (servicedn == NULL)) { - servicedn=strdup(argv[i]); - if (servicedn == NULL) { - com_err(progname, ENOMEM, "while destroying service"); - exit_status++; - goto cleanup; - } - } else { - exit_status++; - goto err_usage; - } - } + if (strcmp(argv[i],"-force")==0) { + force++; + } else if (strcmp(argv[i],"-f")==0) { + if (argv[i+1]) { + stashfilename=strdup(argv[i+1]); + if (stashfilename == NULL) { + com_err(progname, ENOMEM, "while destroying service"); + exit_status++; + goto cleanup; + } + i++; + } else { + exit_status++; + goto err_usage; + } + } else { + if ((argv[i]) && (servicedn == NULL)) { + servicedn=strdup(argv[i]); + if (servicedn == NULL) { + com_err(progname, ENOMEM, "while destroying service"); + exit_status++; + goto cleanup; + } + } else { + exit_status++; + goto err_usage; + } + } } if (!servicedn) { - exit_status++; - goto err_usage; + exit_status++; + goto err_usage; } if (!force) { - printf("This will delete the service object '%s', are you sure?\n", servicedn); - printf("(type 'yes' to confirm)? "); - if (fgets(buf, sizeof(buf), stdin) == NULL) { - exit_status++; - goto cleanup;; - } - if (strcmp(buf, yes)) { - exit_status++; - goto cleanup; - } + printf("This will delete the service object '%s', are you sure?\n", servicedn); + printf("(type 'yes' to confirm)? "); + if (fgets(buf, sizeof(buf), stdin) == NULL) { + exit_status++; + goto cleanup;; + } + if (strcmp(buf, yes)) { + exit_status++; + goto cleanup; + } } if ((retval = krb5_ldap_read_service(util_context, servicedn, - &lserparams, &mask))) { - com_err(progname, retval, "while destroying service '%s'",servicedn); - exit_status++; - goto cleanup; + &lserparams, &mask))) { + com_err(progname, retval, "while destroying service '%s'",servicedn); + exit_status++; + goto cleanup; } retval = krb5_ldap_delete_service(util_context, lserparams, servicedn); if (retval) { - com_err(progname, retval, "while destroying service '%s'", servicedn); - exit_status++; - goto cleanup; + com_err(progname, retval, "while destroying service '%s'", servicedn); + exit_status++; + goto cleanup; } if (stashfilename == NULL) { - stashfilename = strdup(DEF_SERVICE_PASSWD_FILE); - if (stashfilename == NULL) { - com_err(progname, ENOMEM, "while destroying service"); - exit_status++; - goto cleanup; - } + stashfilename = strdup(DEF_SERVICE_PASSWD_FILE); + if (stashfilename == NULL) { + com_err(progname, ENOMEM, "while destroying service"); + exit_status++; + goto cleanup; + } } printf("** service object '%s' deleted.\n", servicedn); retval = rem_service_entry_from_file(argc, argv, stashfilename, servicedn); if (retval) - printf("** error removing service object entry '%s' from password file.\n", - servicedn); + printf("** error removing service object entry '%s' from password file.\n", + servicedn); goto cleanup; @@ -1270,19 +1263,19 @@ err_usage: cleanup: if (lserparams) { - krb5_ldap_free_service(util_context, lserparams); + krb5_ldap_free_service(util_context, lserparams); } if (servicedn) { - free(servicedn); + free(servicedn); } if (stashfilename) { - free(stashfilename); + free(stashfilename); } if (print_usage) { - db_usage(DESTROY_SERVICE); + db_usage(DESTROY_SERVICE); } return; @@ -1292,9 +1285,8 @@ cleanup: /* * This function will display information about the given service object */ -void kdb5_ldap_view_service(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_view_service(int argc, char *argv[]) { krb5_ldap_service_params *lserparams = NULL; krb5_error_code retval = 0; @@ -1303,21 +1295,21 @@ void kdb5_ldap_view_service(argc, argv) krb5_boolean print_usage = FALSE; if (!(argc == 2)) { - exit_status++; - goto err_usage; + exit_status++; + goto err_usage; } servicedn=strdup(argv[1]); if (servicedn == NULL) { - com_err(progname, ENOMEM, "while viewing service"); - exit_status++; - goto cleanup; + com_err(progname, ENOMEM, "while viewing service"); + exit_status++; + goto cleanup; } if ((retval = krb5_ldap_read_service(util_context, servicedn, &lserparams, &mask))) { - com_err(progname, retval, "while viewing service '%s'",servicedn); - exit_status++; - goto cleanup; + com_err(progname, retval, "while viewing service '%s'",servicedn); + exit_status++; + goto cleanup; } print_service_params(lserparams, mask); @@ -1330,14 +1322,14 @@ err_usage: cleanup: if (lserparams) { - krb5_ldap_free_service(util_context, lserparams); + krb5_ldap_free_service(util_context, lserparams); } if (servicedn) - free(servicedn); + free(servicedn); if (print_usage) { - db_usage(VIEW_SERVICE); + db_usage(VIEW_SERVICE); } return; @@ -1348,9 +1340,8 @@ cleanup: * This function will list the DNs of kerberos services present on * the LDAP Server under a specific sub-tree (entire tree by default) */ -void kdb5_ldap_list_services(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_list_services(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; @@ -1361,33 +1352,33 @@ void kdb5_ldap_list_services(argc, argv) /* Check for number of arguments */ if ((argc != 1) && (argc != 3)) { - exit_status++; - goto err_usage; + exit_status++; + goto err_usage; } /* Parse base DN argument if present */ if (argc == 3) { - if (strcmp(argv[1], "-basedn")) { - retval = EINVAL; - goto err_usage; - } + if (strcmp(argv[1], "-basedn")) { + retval = EINVAL; + goto err_usage; + } - basedn = strdup(argv[2]); - if (basedn == NULL) { - com_err(me, ENOMEM, "while listing services"); - exit_status++; - goto cleanup; - } + basedn = strdup(argv[2]); + if (basedn == NULL) { + com_err(me, ENOMEM, "while listing services"); + exit_status++; + goto cleanup; + } } retval = krb5_ldap_list_services(util_context, basedn, &list); if ((retval != 0) || (list == NULL)) { - exit_status++; - goto cleanup; + exit_status++; + goto cleanup; } for (plist = list; *plist != NULL; plist++) { - printf("%s\n", *plist); + printf("%s\n", *plist); } goto cleanup; @@ -1397,20 +1388,20 @@ err_usage: cleanup: if (list != NULL) { - krb5_free_list_entries (list); - free (list); + krb5_free_list_entries (list); + free (list); } if (basedn) - free (basedn); + free (basedn); if (print_usage) { - db_usage(LIST_SERVICE); + db_usage(LIST_SERVICE); } if (retval) { - com_err(me, retval, "while listing policy objects"); - exit_status++; + com_err(me, retval, "while listing policy objects"); + exit_status++; } return; @@ -1422,9 +1413,7 @@ cleanup: * to the standard output */ static void -print_service_params(lserparams, mask) - krb5_ldap_service_params *lserparams; - int mask; +print_service_params(krb5_ldap_service_params *lserparams, int mask) { int i=0; @@ -1433,27 +1422,27 @@ print_service_params(lserparams, mask) /* Print the service type of the object to be read */ if (lserparams->servicetype == LDAP_KDC_SERVICE) { - printf("%20s%-20s\n","Service type: ","kdc"); + printf("%20s%-20s\n","Service type: ","kdc"); } else if (lserparams->servicetype == LDAP_ADMIN_SERVICE) { - printf("%20s%-20s\n","Service type: ","admin"); + printf("%20s%-20s\n","Service type: ","admin"); } else if (lserparams->servicetype == LDAP_PASSWD_SERVICE) { - printf("%20s%-20s\n","Service type: ","pwd"); + printf("%20s%-20s\n","Service type: ","pwd"); } /* Print the host server values */ printf("%20s\n","Service host list: "); if (mask & LDAP_SERVICE_HOSTSERVER) { - for (i=0; lserparams->krbhostservers[i] != NULL; ++i) { - printf("%20s%-50s\n","",lserparams->krbhostservers[i]); - } + for (i=0; lserparams->krbhostservers[i] != NULL; ++i) { + printf("%20s%-50s\n","",lserparams->krbhostservers[i]); + } } /* Print the realm reference dn values */ printf("%20s\n","Realm DN list: "); if (mask & LDAP_SERVICE_REALMREFERENCE) { - for (i=0; lserparams && lserparams->krbrealmreferences && lserparams->krbrealmreferences[i] != NULL; ++i) { - printf("%20s%-50s\n","",lserparams->krbrealmreferences[i]); - } + for (i=0; lserparams && lserparams->krbrealmreferences && lserparams->krbrealmreferences[i] != NULL; ++i) { + printf("%20s%-50s\n","",lserparams->krbrealmreferences[i]); + } } return; @@ -1470,7 +1459,9 @@ print_service_params(lserparams, mask) * OUTPUT: * RANDOM_PASSWD_LEN length random password */ -static int generate_random_password(krb5_context ctxt, char **randpwd, unsigned int *passlen) +static int +generate_random_password(krb5_context ctxt, char **randpwd, + unsigned int *passlen) { char *random_pwd = NULL; int ret = 0; @@ -1484,26 +1475,26 @@ static int generate_random_password(krb5_context ctxt, char **randpwd, unsigned data.length = RANDOM_PASSWD_LEN; random_pwd = (char *)malloc(data.length + 1); if (random_pwd == NULL) { - com_err("setsrvpw", ENOMEM, "while generating random password"); - return ENOMEM; + com_err("setsrvpw", ENOMEM, "while generating random password"); + return ENOMEM; } memset(random_pwd, 0, data.length + 1); data.data = random_pwd; ret = krb5_c_random_make_octets(ctxt, &data); if (ret) { - com_err("setsrvpw", ret, "Error generating random password"); - free(random_pwd); - return ret; + com_err("setsrvpw", ret, "Error generating random password"); + free(random_pwd); + return ret; } for (i=0; i 127) { - random_pwd[i] = (unsigned char)random_pwd[i] % 128; - } else if (random_pwd[i] == 0) { - random_pwd[i] = (rand()/(RAND_MAX/127 + 1))+1; - } + /* restricting to ascii chars. Need to change this when 8.8 supports */ + if ((unsigned char)random_pwd[i] > 127) { + random_pwd[i] = (unsigned char)random_pwd[i] % 128; + } else if (random_pwd[i] == 0) { + random_pwd[i] = (rand()/(RAND_MAX/127 + 1))+1; + } } *randpwd = random_pwd; @@ -1526,9 +1517,7 @@ static int generate_random_password(krb5_context ctxt, char **randpwd, unsigned * void */ int -kdb5_ldap_set_service_password(argc, argv) - int argc; - char **argv; +kdb5_ldap_set_service_password(int argc, char **argv) { krb5_ldap_context *lparams = NULL; char *file_name = NULL; @@ -1555,211 +1544,211 @@ kdb5_ldap_set_service_password(argc, argv) /* The arguments for setsrv password should contain the service object DN * and options to specify whether the password should be updated in file only * or both file and directory. So the possible combination of arguments are: - * setsrvpw servicedn wherein argc is 2 - * setsrvpw -fileonly servicedn wherein argc is 3 - * setsrvpw -randpw servicedn wherein argc is 3 - * setsrvpw -f filename servicedn wherein argc is 4 - * setsrvpw -fileonly -f filename servicedn wherein argc is 5 - * setsrvpw -randpw -f filename servicedn wherein argc is 5 + * setsrvpw servicedn wherein argc is 2 + * setsrvpw -fileonly servicedn wherein argc is 3 + * setsrvpw -randpw servicedn wherein argc is 3 + * setsrvpw -f filename servicedn wherein argc is 4 + * setsrvpw -fileonly -f filename servicedn wherein argc is 5 + * setsrvpw -randpw -f filename servicedn wherein argc is 5 */ if ((argc < 2) || (argc > 5)) { - print_usage = TRUE; - goto cleanup; + print_usage = TRUE; + goto cleanup; } dal_handle = util_context->dal_handle; lparams = (krb5_ldap_context *) dal_handle->db_context; if (lparams == NULL) { - printf("%s: Invalid LDAP handle\n", me); - goto cleanup; + printf("%s: Invalid LDAP handle\n", me); + goto cleanup; } /* Parse the arguments */ for (i = 1; i < argc -1 ; i++) { - if (strcmp(argv[i], "-randpw") == 0) { - random_passwd = 1; - } else if (strcmp(argv[i], "-fileonly") == 0) { - set_dir_pwd = 0; - } else if (strcmp(argv[i], "-f") == 0) { - if (argv[++i] == NULL) { - print_usage = TRUE; - goto cleanup; - } - - file_name = strdup(argv[i]); - if (file_name == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - /* Verify if the file location has the proper file name - * for eg, if the file location is a directory like /home/temp/, - * we reject it. - */ - filelen = strlen(file_name); - if ((filelen == 0) || (file_name[filelen-1] == '/')) { - printf("%s: Filename not specified for setting service object password\n", me); - print_usage = TRUE; - goto cleanup; - } - } else { - printf("%s: Invalid option specified for \"setsrvpw\" command\n", me); - print_usage = TRUE; - goto cleanup; - } + if (strcmp(argv[i], "-randpw") == 0) { + random_passwd = 1; + } else if (strcmp(argv[i], "-fileonly") == 0) { + set_dir_pwd = 0; + } else if (strcmp(argv[i], "-f") == 0) { + if (argv[++i] == NULL) { + print_usage = TRUE; + goto cleanup; + } + + file_name = strdup(argv[i]); + if (file_name == NULL) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + /* Verify if the file location has the proper file name + * for eg, if the file location is a directory like /home/temp/, + * we reject it. + */ + filelen = strlen(file_name); + if ((filelen == 0) || (file_name[filelen-1] == '/')) { + printf("%s: Filename not specified for setting service object password\n", me); + print_usage = TRUE; + goto cleanup; + } + } else { + printf("%s: Invalid option specified for \"setsrvpw\" command\n", me); + print_usage = TRUE; + goto cleanup; + } } if (i != argc-1) { - print_usage = TRUE; - goto cleanup; + print_usage = TRUE; + goto cleanup; } service_object = strdup(argv[i]); if (service_object == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; } if (strlen(service_object) == 0) { - printf("%s: Service object not specified for \"setsrvpw\" command\n", me); - print_usage = TRUE; - goto cleanup; + printf("%s: Service object not specified for \"setsrvpw\" command\n", me); + print_usage = TRUE; + goto cleanup; } if (service_object[0] == '-') { - print_usage = TRUE; - goto cleanup; + print_usage = TRUE; + goto cleanup; } if (file_name == NULL) { - file_name = strdup(DEF_SERVICE_PASSWD_FILE); - if (file_name == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } + file_name = strdup(DEF_SERVICE_PASSWD_FILE); + if (file_name == NULL) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } } if (set_dir_pwd) { - if (db_inited == FALSE) { - if ((errcode = krb5_ldap_db_init(util_context, lparams))) { - com_err(me, errcode, "while initializing database"); - goto cleanup; - } - db_init_local = TRUE; - } + if (db_inited == FALSE) { + if ((errcode = krb5_ldap_db_init(util_context, lparams))) { + com_err(me, errcode, "while initializing database"); + goto cleanup; + } + db_init_local = TRUE; + } } if (random_passwd) { - if (!set_dir_pwd) { - printf("%s: Invalid option specified for \"setsrvpw\" command\n", me); - print_usage = TRUE; - goto cleanup; - } else { - /* Generate random password */ - - if ((errcode = generate_random_password(util_context, &passwd, &passwd_len))) { - printf("%s: Failed to set service object password\n", me); - goto cleanup; - } - passwd_len = strlen(passwd); - } + if (!set_dir_pwd) { + printf("%s: Invalid option specified for \"setsrvpw\" command\n", me); + print_usage = TRUE; + goto cleanup; + } else { + /* Generate random password */ + + if ((errcode = generate_random_password(util_context, &passwd, &passwd_len))) { + printf("%s: Failed to set service object password\n", me); + goto cleanup; + } + passwd_len = strlen(passwd); + } } else { - /* Get the service object password from the terminal */ - passwd = (char *)malloc(MAX_SERVICE_PASSWD_LEN + 1); - if (passwd == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - memset(passwd, 0, MAX_SERVICE_PASSWD_LEN + 1); - passwd_len = MAX_SERVICE_PASSWD_LEN; - - if (asprintf(&prompt1, "Password for \"%s\"", service_object) < 0) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - - if (asprintf(&prompt2, "Re-enter password for \"%s\"", - service_object) < 0) { - com_err(me, ENOMEM, "while setting service object password"); - free(prompt1); - goto cleanup; - } - - retval = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len); - free(prompt1); - free(prompt2); - if (retval) { - com_err(me, retval, "while setting service object password"); - memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); - goto cleanup; - } - if (passwd_len == 0) { - printf("%s: Invalid password\n", me); - memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); - goto cleanup; - } - passwd_len = strlen(passwd); + /* Get the service object password from the terminal */ + passwd = (char *)malloc(MAX_SERVICE_PASSWD_LEN + 1); + if (passwd == NULL) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + memset(passwd, 0, MAX_SERVICE_PASSWD_LEN + 1); + passwd_len = MAX_SERVICE_PASSWD_LEN; + + if (asprintf(&prompt1, "Password for \"%s\"", service_object) < 0) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + + if (asprintf(&prompt2, "Re-enter password for \"%s\"", + service_object) < 0) { + com_err(me, ENOMEM, "while setting service object password"); + free(prompt1); + goto cleanup; + } + + retval = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len); + free(prompt1); + free(prompt2); + if (retval) { + com_err(me, retval, "while setting service object password"); + memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); + goto cleanup; + } + if (passwd_len == 0) { + printf("%s: Invalid password\n", me); + memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); + goto cleanup; + } + passwd_len = strlen(passwd); } /* Hex the password */ { - krb5_data pwd, hex; - pwd.length = passwd_len; - pwd.data = passwd; - - errcode = tohex(pwd, &hex); - if (errcode != 0) { - if (hex.length != 0) { - memset(hex.data, 0, hex.length); - free(hex.data); - } - com_err(me, errcode, "Failed to convert the password to hex"); - memset(passwd, 0, passwd_len); - goto cleanup; - } - /* Password = {HEX}: */ - if (asprintf(&str, "%s#{HEX}%s\n", service_object, hex.data) < 0) { - com_err(me, ENOMEM, "while setting service object password"); - memset(passwd, 0, passwd_len); - memset(hex.data, 0, hex.length); - free(hex.data); - goto cleanup; - } - encrypted_passwd.value = (unsigned char *)str; - encrypted_passwd.len = strlen(str); - memset(hex.data, 0, hex.length); - free(hex.data); + krb5_data pwd, hex; + pwd.length = passwd_len; + pwd.data = passwd; + + errcode = tohex(pwd, &hex); + if (errcode != 0) { + if (hex.length != 0) { + memset(hex.data, 0, hex.length); + free(hex.data); + } + com_err(me, errcode, "Failed to convert the password to hex"); + memset(passwd, 0, passwd_len); + goto cleanup; + } + /* Password = {HEX}: */ + if (asprintf(&str, "%s#{HEX}%s\n", service_object, hex.data) < 0) { + com_err(me, ENOMEM, "while setting service object password"); + memset(passwd, 0, passwd_len); + memset(hex.data, 0, hex.length); + free(hex.data); + goto cleanup; + } + encrypted_passwd.value = (unsigned char *)str; + encrypted_passwd.len = strlen(str); + memset(hex.data, 0, hex.length); + free(hex.data); } /* We should check if the file exists and we have permission to write into that file */ if (access(file_name, W_OK) == -1) { - if (errno == ENOENT) { - mode_t omask; - int fd = -1; - - printf("File does not exist. Creating the file %s...\n", file_name); - omask = umask(077); - fd = creat(file_name, S_IRUSR|S_IWUSR); - umask(omask); - if (fd == -1) { - com_err(me, errno, "Error creating file %s", file_name); - memset(passwd, 0, passwd_len); - goto cleanup; - } - close(fd); - } else { - com_err(me, errno, "Unable to access the file %s", file_name); - memset(passwd, 0, passwd_len); - goto cleanup; - } + if (errno == ENOENT) { + mode_t omask; + int fd = -1; + + printf("File does not exist. Creating the file %s...\n", file_name); + omask = umask(077); + fd = creat(file_name, S_IRUSR|S_IWUSR); + umask(omask); + if (fd == -1) { + com_err(me, errno, "Error creating file %s", file_name); + memset(passwd, 0, passwd_len); + goto cleanup; + } + close(fd); + } else { + com_err(me, errno, "Unable to access the file %s", file_name); + memset(passwd, 0, passwd_len); + goto cleanup; + } } if (set_dir_pwd) { - if ((errcode = krb5_ldap_set_service_passwd(util_context, service_object, passwd)) != 0) { - com_err(me, errcode, "Failed to set password for service object %s", service_object); - memset(passwd, 0, passwd_len); - goto cleanup; - } + if ((errcode = krb5_ldap_set_service_passwd(util_context, service_object, passwd)) != 0) { + com_err(me, errcode, "Failed to set password for service object %s", service_object); + memset(passwd, 0, passwd_len); + goto cleanup; + } } memset(passwd, 0, passwd_len); @@ -1769,123 +1758,123 @@ kdb5_ldap_set_service_password(argc, argv) /* set password in the file */ pfile = fopen(file_name, "r+"); if (pfile == NULL) { - com_err(me, errno, "Failed to open file %s", file_name); - goto cleanup; + com_err(me, errno, "Failed to open file %s", file_name); + goto cleanup; } set_cloexec_file(pfile); while (fgets(line, MAX_LEN, pfile) != NULL) { - if ((str = strstr(line, service_object)) != NULL) { - if (line[strlen(service_object)] == '#') { - break; - } - str = NULL; - } + if ((str = strstr(line, service_object)) != NULL) { + if (line[strlen(service_object)] == '#') { + break; + } + str = NULL; + } } if (str == NULL) { - if (feof(pfile)) { - /* If the service object dn is not present in the service password file */ - if (fwrite(encrypted_passwd.value, (unsigned int)encrypted_passwd.len, 1, pfile) != 1) { - com_err(me, errno, "Failed to write service object password to file"); - goto cleanup; - } - } else { - com_err(me, errno, "Error reading service object password file"); - goto cleanup; - } - fclose(pfile); - pfile = NULL; + if (feof(pfile)) { + /* If the service object dn is not present in the service password file */ + if (fwrite(encrypted_passwd.value, (unsigned int)encrypted_passwd.len, 1, pfile) != 1) { + com_err(me, errno, "Failed to write service object password to file"); + goto cleanup; + } + } else { + com_err(me, errno, "Error reading service object password file"); + goto cleanup; + } + fclose(pfile); + pfile = NULL; } else { - /* Password entry for the service object is already present in the file */ - /* Delete the existing entry and add the new entry */ - FILE *newfile = NULL; - mode_t omask; - - /* Create a new file with the extension .tmp */ - if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - - omask = umask(077); - newfile = fopen(tmp_file, "w+"); - umask(omask); - if (newfile == NULL) { - com_err(me, errno, "Error creating file %s", tmp_file); - goto cleanup; - } - set_cloexec_file(newfile); - - fseek(pfile, 0, SEEK_SET); - while (fgets(line, MAX_LEN, pfile) != NULL) { - if (((str = strstr(line, service_object)) != NULL) && (line[strlen(service_object)] == '#')) { - if (fprintf(newfile, "%s", encrypted_passwd.value) < 0) { - com_err(me, errno, "Failed to write service object password to file"); - fclose(newfile); - unlink(tmp_file); - goto cleanup; - } - } else { - if (fprintf(newfile, "%s", line) < 0) { - com_err(me, errno, "Failed to write service object password to file"); - fclose(newfile); - unlink(tmp_file); - goto cleanup; - } - } - } - - if (!feof(pfile)) { - com_err(me, errno, "Error reading service object password file"); - fclose(newfile); - unlink(tmp_file); - goto cleanup; - } - - /* TODO: file lock for the service password file */ - fclose(pfile); - pfile = NULL; - - fclose(newfile); - newfile = NULL; - - if (unlink(file_name) == 0) { - link(tmp_file, file_name); - } else { - com_err(me, errno, "Failed to write service object password to file"); - unlink(tmp_file); - goto cleanup; - } - unlink(tmp_file); + /* Password entry for the service object is already present in the file */ + /* Delete the existing entry and add the new entry */ + FILE *newfile = NULL; + mode_t omask; + + /* Create a new file with the extension .tmp */ + if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + + omask = umask(077); + newfile = fopen(tmp_file, "w+"); + umask(omask); + if (newfile == NULL) { + com_err(me, errno, "Error creating file %s", tmp_file); + goto cleanup; + } + set_cloexec_file(newfile); + + fseek(pfile, 0, SEEK_SET); + while (fgets(line, MAX_LEN, pfile) != NULL) { + if (((str = strstr(line, service_object)) != NULL) && (line[strlen(service_object)] == '#')) { + if (fprintf(newfile, "%s", encrypted_passwd.value) < 0) { + com_err(me, errno, "Failed to write service object password to file"); + fclose(newfile); + unlink(tmp_file); + goto cleanup; + } + } else { + if (fprintf(newfile, "%s", line) < 0) { + com_err(me, errno, "Failed to write service object password to file"); + fclose(newfile); + unlink(tmp_file); + goto cleanup; + } + } + } + + if (!feof(pfile)) { + com_err(me, errno, "Error reading service object password file"); + fclose(newfile); + unlink(tmp_file); + goto cleanup; + } + + /* TODO: file lock for the service password file */ + fclose(pfile); + pfile = NULL; + + fclose(newfile); + newfile = NULL; + + if (unlink(file_name) == 0) { + link(tmp_file, file_name); + } else { + com_err(me, errno, "Failed to write service object password to file"); + unlink(tmp_file); + goto cleanup; + } + unlink(tmp_file); } errcode = 0; cleanup: if (db_init_local) - krb5_ldap_close(util_context); + krb5_ldap_close(util_context); if (service_object) - free(service_object); + free(service_object); if (file_name) - free(file_name); + free(file_name); if (passwd) - free(passwd); + free(passwd); if (encrypted_passwd.value) { - memset(encrypted_passwd.value, 0, encrypted_passwd.len); - free(encrypted_passwd.value); + memset(encrypted_passwd.value, 0, encrypted_passwd.len); + free(encrypted_passwd.value); } if (pfile) - fclose(pfile); + fclose(pfile); if (tmp_file) - free(tmp_file); + free(tmp_file); if (print_usage) - db_usage(SET_SRV_PW); + db_usage(SET_SRV_PW); return errcode; } @@ -1897,9 +1886,7 @@ cleanup: * little more secure than storing plain password in the file ... */ void -kdb5_ldap_stash_service_password(argc, argv) - int argc; - char **argv; +kdb5_ldap_stash_service_password(int argc, char **argv) { int ret = 0; unsigned int passwd_len = 0; @@ -1922,109 +1909,109 @@ kdb5_ldap_stash_service_password(argc, argv) * 'filename' is the path of the stash file */ if (argc != 2 && argc != 4) { - print_usage = TRUE; - goto cleanup; + print_usage = TRUE; + goto cleanup; } if (argc == 4) { - /* Find the stash file name */ - if (strcmp (argv[1], "-f") == 0) { - if (((file_name = strdup (argv[2])) == NULL) || - ((service_object = strdup (argv[3])) == NULL)) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - } else if (strcmp (argv[2], "-f") == 0) { - if (((file_name = strdup (argv[3])) == NULL) || - ((service_object = strdup (argv[1])) == NULL)) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - } else { - print_usage = TRUE; - goto cleanup; - } - if (file_name == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } + /* Find the stash file name */ + if (strcmp (argv[1], "-f") == 0) { + if (((file_name = strdup (argv[2])) == NULL) || + ((service_object = strdup (argv[3])) == NULL)) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + } else if (strcmp (argv[2], "-f") == 0) { + if (((file_name = strdup (argv[3])) == NULL) || + ((service_object = strdup (argv[1])) == NULL)) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + } else { + print_usage = TRUE; + goto cleanup; + } + if (file_name == NULL) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } } else { /* argc == 2 */ - char *section; - - service_object = strdup (argv[1]); - if (service_object == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - - /* Pick up the stash-file name from krb5.conf */ - profile_get_string(util_context->profile, KDB_REALM_SECTION, - util_context->default_realm, KDB_MODULE_POINTER, NULL, §ion); - - if (section == NULL) { - profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION, - KDB_MODULE_POINTER, NULL, NULL, §ion); - if (section == NULL) { - /* Stash file path neither in krb5.conf nor on command line */ - file_name = strdup(DEF_SERVICE_PASSWD_FILE); - if (file_name == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - goto done; - } - } - - profile_get_string (util_context->profile, KDB_MODULE_SECTION, section, - "ldap_service_password_file", NULL, &file_name); + char *section; + + service_object = strdup (argv[1]); + if (service_object == NULL) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + + /* Pick up the stash-file name from krb5.conf */ + profile_get_string(util_context->profile, KDB_REALM_SECTION, + util_context->default_realm, KDB_MODULE_POINTER, NULL, §ion); + + if (section == NULL) { + profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION, + KDB_MODULE_POINTER, NULL, NULL, §ion); + if (section == NULL) { + /* Stash file path neither in krb5.conf nor on command line */ + file_name = strdup(DEF_SERVICE_PASSWD_FILE); + if (file_name == NULL) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + goto done; + } + } + + profile_get_string (util_context->profile, KDB_MODULE_SECTION, section, + "ldap_service_password_file", NULL, &file_name); } done: /* Get password from user */ { - char prompt1[256], prompt2[256]; - - /* Get the service object password from the terminal */ - memset(passwd, 0, sizeof (passwd)); - passwd_len = sizeof (passwd); - - /* size of prompt = strlen of servicedn + strlen("Password for \" \"") */ - assert (sizeof (prompt1) > (strlen (service_object) - + sizeof ("Password for \" \""))); - snprintf(prompt1, sizeof(prompt1), "Password for \"%s\"", service_object); - - /* size of prompt = strlen of servicedn + strlen("Re-enter Password for \" \"") */ - assert (sizeof (prompt2) > (strlen (service_object) - + sizeof ("Re-enter Password for \" \""))); - snprintf(prompt2, sizeof(prompt2), "Re-enter password for \"%s\"", service_object); - - ret = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len); - if (ret != 0) { - com_err(me, ret, "while setting service object password"); - memset(passwd, 0, sizeof (passwd)); - goto cleanup; - } + char prompt1[256], prompt2[256]; + + /* Get the service object password from the terminal */ + memset(passwd, 0, sizeof (passwd)); + passwd_len = sizeof (passwd); + + /* size of prompt = strlen of servicedn + strlen("Password for \" \"") */ + assert (sizeof (prompt1) > (strlen (service_object) + + sizeof ("Password for \" \""))); + snprintf(prompt1, sizeof(prompt1), "Password for \"%s\"", service_object); + + /* size of prompt = strlen of servicedn + strlen("Re-enter Password for \" \"") */ + assert (sizeof (prompt2) > (strlen (service_object) + + sizeof ("Re-enter Password for \" \""))); + snprintf(prompt2, sizeof(prompt2), "Re-enter password for \"%s\"", service_object); + + ret = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len); + if (ret != 0) { + com_err(me, ret, "while setting service object password"); + memset(passwd, 0, sizeof (passwd)); + goto cleanup; + } - if (passwd_len == 0) { - printf("%s: Invalid password\n", me); - memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); - goto cleanup; - } + if (passwd_len == 0) { + printf("%s: Invalid password\n", me); + memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); + goto cleanup; + } } /* Convert the password to hexadecimal */ { - krb5_data pwd; + krb5_data pwd; - pwd.length = passwd_len; - pwd.data = passwd; + pwd.length = passwd_len; + pwd.data = passwd; - ret = tohex(pwd, &hexpasswd); - if (ret != 0) { - com_err(me, ret, "Failed to convert the password to hexadecimal"); - memset(passwd, 0, passwd_len); - goto cleanup; - } + ret = tohex(pwd, &hexpasswd); + if (ret != 0) { + com_err(me, ret, "Failed to convert the password to hexadecimal"); + memset(passwd, 0, passwd_len); + goto cleanup; + } } memset(passwd, 0, passwd_len); @@ -2034,129 +2021,129 @@ done: old_mode = umask(0177); pfile = fopen(file_name, "a+"); if (pfile == NULL) { - com_err(me, errno, "Failed to open file %s: %s", file_name, - strerror (errno)); - goto cleanup; + com_err(me, errno, "Failed to open file %s: %s", file_name, + strerror (errno)); + goto cleanup; } set_cloexec_file(pfile); rewind (pfile); umask(old_mode); while (fgets (line, MAX_LEN, pfile) != NULL) { - if ((str = strstr (line, service_object)) != NULL) { - /* White spaces not allowed */ - if (line [strlen (service_object)] == '#') - break; - str = NULL; - } + if ((str = strstr (line, service_object)) != NULL) { + /* White spaces not allowed */ + if (line [strlen (service_object)] == '#') + break; + str = NULL; + } } if (str == NULL) { - if (feof(pfile)) { - /* If the service object dn is not present in the service password file */ - if (fprintf(pfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) { - com_err(me, errno, "Failed to write service object password to file"); - fclose(pfile); - goto cleanup; - } - } else { - com_err(me, errno, "Error reading service object password file"); - fclose(pfile); - goto cleanup; - } - fclose(pfile); + if (feof(pfile)) { + /* If the service object dn is not present in the service password file */ + if (fprintf(pfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) { + com_err(me, errno, "Failed to write service object password to file"); + fclose(pfile); + goto cleanup; + } + } else { + com_err(me, errno, "Error reading service object password file"); + fclose(pfile); + goto cleanup; + } + fclose(pfile); } else { - /* - * Password entry for the service object is already present in the file - * Delete the existing entry and add the new entry - */ - FILE *newfile; - - mode_t omask; - - /* Create a new file with the extension .tmp */ - if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) { - com_err(me, ENOMEM, "while setting service object password"); - fclose(pfile); - goto cleanup; - } - - omask = umask(077); - newfile = fopen(tmp_file, "w"); - umask (omask); - if (newfile == NULL) { - com_err(me, errno, "Error creating file %s", tmp_file); - fclose(pfile); - goto cleanup; - } - set_cloexec_file(newfile); - - fseek(pfile, 0, SEEK_SET); - while (fgets(line, MAX_LEN, pfile) != NULL) { - if (((str = strstr(line, service_object)) != NULL) && - (line[strlen(service_object)] == '#')) { - if (fprintf(newfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) { - com_err(me, errno, "Failed to write service object password to file"); - fclose(newfile); - unlink(tmp_file); - fclose(pfile); - goto cleanup; - } - } else { - if (fprintf (newfile, "%s", line) < 0) { - com_err(me, errno, "Failed to write service object password to file"); - fclose(newfile); - unlink(tmp_file); - fclose(pfile); - goto cleanup; - } - } - } - - if (!feof(pfile)) { - com_err(me, errno, "Error reading service object password file"); - fclose(newfile); - unlink(tmp_file); - fclose(pfile); - goto cleanup; - } - - /* TODO: file lock for the service passowrd file */ - - fclose(pfile); - fclose(newfile); - - ret = rename(tmp_file, file_name); - if (ret != 0) { - com_err(me, errno, "Failed to write service object password to " - "file"); - goto cleanup; - } + /* + * Password entry for the service object is already present in the file + * Delete the existing entry and add the new entry + */ + FILE *newfile; + + mode_t omask; + + /* Create a new file with the extension .tmp */ + if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) { + com_err(me, ENOMEM, "while setting service object password"); + fclose(pfile); + goto cleanup; + } + + omask = umask(077); + newfile = fopen(tmp_file, "w"); + umask (omask); + if (newfile == NULL) { + com_err(me, errno, "Error creating file %s", tmp_file); + fclose(pfile); + goto cleanup; + } + set_cloexec_file(newfile); + + fseek(pfile, 0, SEEK_SET); + while (fgets(line, MAX_LEN, pfile) != NULL) { + if (((str = strstr(line, service_object)) != NULL) && + (line[strlen(service_object)] == '#')) { + if (fprintf(newfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) { + com_err(me, errno, "Failed to write service object password to file"); + fclose(newfile); + unlink(tmp_file); + fclose(pfile); + goto cleanup; + } + } else { + if (fprintf (newfile, "%s", line) < 0) { + com_err(me, errno, "Failed to write service object password to file"); + fclose(newfile); + unlink(tmp_file); + fclose(pfile); + goto cleanup; + } + } + } + + if (!feof(pfile)) { + com_err(me, errno, "Error reading service object password file"); + fclose(newfile); + unlink(tmp_file); + fclose(pfile); + goto cleanup; + } + + /* TODO: file lock for the service passowrd file */ + + fclose(pfile); + fclose(newfile); + + ret = rename(tmp_file, file_name); + if (ret != 0) { + com_err(me, errno, "Failed to write service object password to " + "file"); + goto cleanup; + } } ret = 0; cleanup: if (hexpasswd.length != 0) { - memset(hexpasswd.data, 0, hexpasswd.length); - free(hexpasswd.data); + memset(hexpasswd.data, 0, hexpasswd.length); + free(hexpasswd.data); } if (service_object) - free(service_object); + free(service_object); if (file_name) - free(file_name); + free(file_name); if (tmp_file) - free(tmp_file); + free(tmp_file); if (print_usage) - usage(); -/* db_usage(STASH_SRV_PW); */ + usage(); +/* db_usage(STASH_SRV_PW); */ if (ret) - exit_status++; + exit_status++; } #endif /* #ifdef HAVE_EDIRECTORY */ diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h index 0322558cc..a2816d864 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_services.h */ @@ -31,22 +32,22 @@ #include "ldap_misc.h" -#define MAX_DN_CHARS 256 -#define HOST_INFO_DELIMITER '#' -#define PROTOCOL_STR_LEN 3 -#define PROTOCOL_NUM_UDP 0 -#define PROTOCOL_NUM_TCP 1 -#define PROTOCOL_DEFAULT_KDC PROTOCOL_NUM_UDP -#define PROTOCOL_DEFAULT_ADM PROTOCOL_NUM_TCP -#define PROTOCOL_DEFAULT_PWD PROTOCOL_NUM_UDP -#define PORT_STR_LEN 5 -#define PORT_DEFAULT_KDC 88 -#define PORT_DEFAULT_ADM 749 -#define PORT_DEFAULT_PWD 464 +#define MAX_DN_CHARS 256 +#define HOST_INFO_DELIMITER '#' +#define PROTOCOL_STR_LEN 3 +#define PROTOCOL_NUM_UDP 0 +#define PROTOCOL_NUM_TCP 1 +#define PROTOCOL_DEFAULT_KDC PROTOCOL_NUM_UDP +#define PROTOCOL_DEFAULT_ADM PROTOCOL_NUM_TCP +#define PROTOCOL_DEFAULT_PWD PROTOCOL_NUM_UDP +#define PORT_STR_LEN 5 +#define PORT_DEFAULT_KDC 88 +#define PORT_DEFAULT_ADM 749 +#define PORT_DEFAULT_PWD 464 -#define MAX_LEN 1024 -#define MAX_SERVICE_PASSWD_LEN 256 -#define RANDOM_PASSWD_LEN 128 +#define MAX_LEN 1024 +#define MAX_SERVICE_PASSWD_LEN 256 +#define RANDOM_PASSWD_LEN 128 #define DEF_SERVICE_PASSWD_FILE "/usr/local/var/service_passwd" @@ -58,8 +59,8 @@ struct data{ extern int enc_password(struct data pwd, struct data *enc_key, struct data *enc_pass); extern int tohex(krb5_data, krb5_data *); -extern void kdb5_ldap_create_service (int argc, char **argv); -extern void kdb5_ldap_modify_service (int argc, char **argv); +extern void kdb5_ldap_create_service(int argc, char **argv); +extern void kdb5_ldap_modify_service(int argc, char **argv); extern void kdb5_ldap_destroy_service(int argc, char **argv); extern void kdb5_ldap_list_services(int argc, char **argv); extern void kdb5_ldap_view_service(int argc, char **argv); diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c index 0c9929562..9357cc411 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_util.c * @@ -104,95 +105,98 @@ krb5_boolean manual_mkey = FALSE; * This function prints the usage of kdb5_ldap_util, which is * the LDAP configuration utility. */ -void usage(void) +void +usage(void) { fprintf(stderr, "Usage: " -"kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n" -"\tcmd [cmd_options]\n" + "kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n" + "\tcmd [cmd_options]\n" /* Create realm */ -"create [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]\n" + "create [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]\n" #ifdef HAVE_EDIRECTORY -"\t\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n" -"\t\t[-pwddn passwd_service_list]\n" + "\t\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n" + "\t\t[-pwddn passwd_service_list]\n" #endif -"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n" -"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" -"\t\t[ticket_flags] [-r realm]\n" + "\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n" + "\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" + "\t\t[ticket_flags] [-r realm]\n" /* modify realm */ -"modify [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]\n" + "modify [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]\n" #ifdef HAVE_EDIRECTORY -"\t\t[-kdcdn kdc_service_list |\n" -"\t\t[-clearkdcdn kdc_service_list] [-addkdcdn kdc_service_list]]\n" -"\t\t[-admindn admin_service_list | [-clearadmindn admin_service_list]\n" -"\t\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n" -"\t\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n" + "\t\t[-kdcdn kdc_service_list |\n" + "\t\t[-clearkdcdn kdc_service_list] [-addkdcdn kdc_service_list]]\n" + "\t\t[-admindn admin_service_list | [-clearadmindn admin_service_list]\n" + "\t\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n" + "\t\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n" #endif -"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" -"\t\t[ticket_flags] [-r realm]\n" + "\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" + "\t\t[ticket_flags] [-r realm]\n" /* View realm */ -"view [-r realm]\n" + "view [-r realm]\n" /* Destroy realm */ -"destroy [-f] [-r realm]\n" + "destroy [-f] [-r realm]\n" /* List realms */ -"list\n" + "list\n" #ifdef HAVE_EDIRECTORY /* Create Service */ -"create_service {-kdc|-admin|-pwd} [-servicehost service_host_list]\n" -"\t\t[-realm realm_list] \n" -"\t\t[-randpw|-fileonly] [-f filename] service_dn\n" + "create_service {-kdc|-admin|-pwd} [-servicehost service_host_list]\n" + "\t\t[-realm realm_list] \n" + "\t\t[-randpw|-fileonly] [-f filename] service_dn\n" /* Modify service */ -"modify_service [-servicehost service_host_list |\n" -"\t\t[-clearservicehost service_host_list]\n" -"\t\t[-addservicehost service_host_list]]\n" -"\t\t[-realm realm_list | [-clearrealm realm_list]\n" -"\t\t[-addrealm realm_list]] service_dn\n" + "modify_service [-servicehost service_host_list |\n" + "\t\t[-clearservicehost service_host_list]\n" + "\t\t[-addservicehost service_host_list]]\n" + "\t\t[-realm realm_list | [-clearrealm realm_list]\n" + "\t\t[-addrealm realm_list]] service_dn\n" /* View Service */ -"view_service service_dn\n" + "view_service service_dn\n" /* Destroy Service */ -"destroy_service [-force] [-f stashfilename] service_dn\n" + "destroy_service [-force] [-f stashfilename] service_dn\n" /* List services */ -"list_service [-basedn base_dn]\n" + "list_service [-basedn base_dn]\n" /* Set Service password */ -"setsrvpw [-randpw|-fileonly] [-f filename] service_dn\n" + "setsrvpw [-randpw|-fileonly] [-f filename] service_dn\n" #else /* Stash the service password */ -"stashsrvpw [-f filename] service_dn\n" + "stashsrvpw [-f filename] service_dn\n" #endif /* Create policy */ -"create_policy [-r realm] [-maxtktlife max_ticket_life]\n" -"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" + "create_policy [-r realm] [-maxtktlife max_ticket_life]\n" + "\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" /* Modify policy */ -"modify_policy [-r realm] [-maxtktlife max_ticket_life]\n" -"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" + "modify_policy [-r realm] [-maxtktlife max_ticket_life]\n" + "\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" /* View policy */ -"view_policy [-r realm] policy\n" + "view_policy [-r realm] policy\n" /* Destroy policy */ -"destroy_policy [-r realm] [-force] policy\n" + "destroy_policy [-r realm] [-force] policy\n" /* List policies */ -"list_policy [-r realm]\n" + "list_policy [-r realm]\n" - ); + ); } -void db_usage (int type) { +void +db_usage(int type) +{ /* * This should print usage of 'type' command. For now, we will print usage * of all commands. @@ -242,8 +246,8 @@ static struct _cmd_table *cmd_lookup(name) int i; for (i = 0; cmd_table[i].name != NULL; i++) - if (strcmp(cmd_table[i].name, name) == 0) - return &cmd_table[i]; + if (strcmp(cmd_table[i].name, name) == 0) + return &cmd_table[i]; return NULL; } @@ -254,23 +258,24 @@ static struct _cmd_table *cmd_lookup(name) * in the command table, which can be used to get the corresponding * help from the help message table. */ -int cmd_index(name) - char *name; +int +cmd_index(char *name) { int i; if (name == NULL) - return -1; + return -1; for (i = 0; cmd_table[i].name != NULL; i++) - if (strcmp(cmd_table[i].name, name) == 0) - return i; + if (strcmp(cmd_table[i].name, name) == 0) + return i; return -1; } -static void extended_com_err_fn (const char *myprog, errcode_t code, - const char *fmt, va_list args) +static void +extended_com_err_fn(const char *myprog, errcode_t code, const char *fmt, + va_list args) { const char *emsg; emsg = krb5_get_error_message (util_context, code); @@ -280,9 +285,8 @@ static void extended_com_err_fn (const char *myprog, errcode_t code, fprintf (stderr, "\n"); } -int main(argc, argv) - int argc; - char *argv[]; +int +main(int argc, char *argv[]) { struct _cmd_table *cmd = NULL; char *koptarg = NULL, **cmd_argv = NULL; @@ -310,16 +314,16 @@ int main(argc, argv) retval = krb5_init_context(&util_context); set_com_err_hook(extended_com_err_fn); if (retval) { - com_err (progname, retval, "while initializing Kerberos code"); - exit_status++; - goto cleanup; + com_err (progname, retval, "while initializing Kerberos code"); + exit_status++; + goto cleanup; } cmd_argv = (char **) malloc(sizeof(char *)*argc); if (cmd_argv == NULL) { - com_err(progname, ENOMEM, "while creating sub-command arguments"); - exit_status++; - goto cleanup; + com_err(progname, ENOMEM, "while creating sub-command arguments"); + exit_status++; + goto cleanup; } memset(cmd_argv, 0, sizeof(char *)*argc); cmd_argc = 1; @@ -328,101 +332,101 @@ int main(argc, argv) argv++; argc--; while (*argv) { - if (strcmp(*argv, "--help") == 0) { - print_help_message = TRUE; - } - if (strcmp(*argv, "-P") == 0 && ARG_VAL) { - mkey_password = koptarg; - manual_mkey = TRUE; - } else if (strcmp(*argv, "-r") == 0 && ARG_VAL) { - global_params.realm = koptarg; - global_params.mask |= KADM5_CONFIG_REALM; - /* not sure this is really necessary */ - if ((retval = krb5_set_default_realm(util_context, - global_params.realm))) { - com_err(progname, retval, "while setting default realm name"); - exit_status++; - goto cleanup; - } - } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) { - if (krb5_string_to_enctype(koptarg, &global_params.enctype)) { - com_err(progname, EINVAL, ": %s is an invalid enctype", koptarg); - exit_status++; - goto cleanup; + if (strcmp(*argv, "--help") == 0) { + print_help_message = TRUE; + } + if (strcmp(*argv, "-P") == 0 && ARG_VAL) { + mkey_password = koptarg; + manual_mkey = TRUE; + } else if (strcmp(*argv, "-r") == 0 && ARG_VAL) { + global_params.realm = koptarg; + global_params.mask |= KADM5_CONFIG_REALM; + /* not sure this is really necessary */ + if ((retval = krb5_set_default_realm(util_context, + global_params.realm))) { + com_err(progname, retval, "while setting default realm name"); + exit_status++; + goto cleanup; + } + } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) { + if (krb5_string_to_enctype(koptarg, &global_params.enctype)) { + com_err(progname, EINVAL, ": %s is an invalid enctype", koptarg); + exit_status++; + goto cleanup; } else - global_params.mask |= KADM5_CONFIG_ENCTYPE; - } else if (strcmp(*argv, "-kv") == 0 && ARG_VAL) { - global_params.kvno = (krb5_kvno) atoi(koptarg); + global_params.mask |= KADM5_CONFIG_ENCTYPE; + } else if (strcmp(*argv, "-kv") == 0 && ARG_VAL) { + global_params.kvno = (krb5_kvno) atoi(koptarg); if (global_params.kvno == IGNORE_VNO) { com_err(progname, EINVAL, ": %s is an invalid mkeyVNO", koptarg); - exit_status++; - goto cleanup; + exit_status++; + goto cleanup; } else global_params.mask |= KADM5_CONFIG_KVNO; - } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) { - global_params.mkey_name = koptarg; - global_params.mask |= KADM5_CONFIG_MKEY_NAME; - } else if (strcmp(*argv, "-sf") == 0 && ARG_VAL) { - global_params.stash_file = koptarg; - global_params.mask |= KADM5_CONFIG_STASH_FILE; - } else if (strcmp(*argv, "-m") == 0) { - manual_mkey = TRUE; - global_params.mkey_from_kbd = 1; - global_params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; - } else if (strcmp(*argv, "-D") == 0 && ARG_VAL) { - bind_dn = koptarg; - if (bind_dn == NULL) { - com_err(progname, ENOMEM, "while reading ldap parameters"); - exit_status++; - goto cleanup; - } - ldapmask |= CMD_LDAP_D; - } else if (strcmp(*argv, "-w") == 0 && ARG_VAL) { - passwd = strdup(koptarg); - if (passwd == NULL) { - com_err(progname, ENOMEM, "while reading ldap parameters"); - exit_status++; - goto cleanup; - } - ldapmask |= CMD_LDAP_W; - } else if (strcmp(*argv, "-H") == 0 && ARG_VAL) { - ldap_server = koptarg; - if (ldap_server == NULL) { - com_err(progname, ENOMEM, "while reading ldap parameters"); - exit_status++; - goto cleanup; - } - ldapmask |= CMD_LDAP_H; - } else if (cmd_lookup(*argv) != NULL) { - if (cmd_argv[0] == NULL) - cmd_argv[0] = *argv; - else { - free(cmd_argv); - cmd_argv = NULL; - usage(); - goto cleanup; - } - } else { - cmd_argv[cmd_argc++] = *argv; - } - argv++; argc--; + } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) { + global_params.mkey_name = koptarg; + global_params.mask |= KADM5_CONFIG_MKEY_NAME; + } else if (strcmp(*argv, "-sf") == 0 && ARG_VAL) { + global_params.stash_file = koptarg; + global_params.mask |= KADM5_CONFIG_STASH_FILE; + } else if (strcmp(*argv, "-m") == 0) { + manual_mkey = TRUE; + global_params.mkey_from_kbd = 1; + global_params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; + } else if (strcmp(*argv, "-D") == 0 && ARG_VAL) { + bind_dn = koptarg; + if (bind_dn == NULL) { + com_err(progname, ENOMEM, "while reading ldap parameters"); + exit_status++; + goto cleanup; + } + ldapmask |= CMD_LDAP_D; + } else if (strcmp(*argv, "-w") == 0 && ARG_VAL) { + passwd = strdup(koptarg); + if (passwd == NULL) { + com_err(progname, ENOMEM, "while reading ldap parameters"); + exit_status++; + goto cleanup; + } + ldapmask |= CMD_LDAP_W; + } else if (strcmp(*argv, "-H") == 0 && ARG_VAL) { + ldap_server = koptarg; + if (ldap_server == NULL) { + com_err(progname, ENOMEM, "while reading ldap parameters"); + exit_status++; + goto cleanup; + } + ldapmask |= CMD_LDAP_H; + } else if (cmd_lookup(*argv) != NULL) { + if (cmd_argv[0] == NULL) + cmd_argv[0] = *argv; + else { + free(cmd_argv); + cmd_argv = NULL; + usage(); + goto cleanup; + } + } else { + cmd_argv[cmd_argc++] = *argv; + } + argv++; argc--; } if (cmd_argv[0] == NULL) { - free(cmd_argv); - cmd_argv = NULL; - usage(); - goto cleanup; + free(cmd_argv); + cmd_argv = NULL; + usage(); + goto cleanup; } /* if we need to print the help message (because of --help option) * we will print the help corresponding to the sub-command. */ if (print_help_message) { - free(cmd_argv); - cmd_argv = NULL; - usage(); - goto cleanup; + free(cmd_argv); + cmd_argv = NULL; + usage(); + goto cleanup; } /* We need to check for the presence of default realm name only in @@ -434,153 +438,153 @@ int main(argc, argv) } if (!util_context->default_realm) { - char *temp = NULL; - retval = krb5_get_default_realm(util_context, &temp); - if (retval) { - if (realm_name_required) { - com_err (progname, retval, "while getting default realm"); - exit_status++; - goto cleanup; - } - } else - util_context->default_realm = temp; + char *temp = NULL; + retval = krb5_get_default_realm(util_context, &temp); + if (retval) { + if (realm_name_required) { + com_err (progname, retval, "while getting default realm"); + exit_status++; + goto cleanup; + } + } else + util_context->default_realm = temp; } /* If we have the realm name, we can safely say that * realm_name is required so that we don't neglect any information. */ else - realm_name_required = TRUE; + realm_name_required = TRUE; retval = profile_get_string(util_context->profile, KDB_REALM_SECTION, - util_context->default_realm, KDB_MODULE_POINTER, - NULL, - &value); + util_context->default_realm, KDB_MODULE_POINTER, + NULL, + &value); if (!(value)) { - retval = profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION, - KDB_MODULE_POINTER, NULL, - NULL, - &value); - if (!(value)) { - if (util_context->default_realm) - conf_section = strdup(util_context->default_realm); - } else { - conf_section = strdup(value); - free(value); - } + retval = profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION, + KDB_MODULE_POINTER, NULL, + NULL, + &value); + if (!(value)) { + if (util_context->default_realm) + conf_section = strdup(util_context->default_realm); + } else { + conf_section = strdup(value); + free(value); + } } else { - conf_section = strdup(value); - free(value); + conf_section = strdup(value); + free(value); } if (realm_name_required) { - retval = kadm5_get_config_params(util_context, 1, - &global_params, &global_params); - if (retval) { - com_err(progname, retval, "while retreiving configuration parameters"); - exit_status++; - goto cleanup; - } - gp_is_static = 0; + retval = kadm5_get_config_params(util_context, 1, + &global_params, &global_params); + if (retval) { + com_err(progname, retval, "while retreiving configuration parameters"); + exit_status++; + goto cleanup; + } + gp_is_static = 0; } if ((retval = krb5_ldap_lib_init()) != 0) { - com_err(progname, retval, "while initializing error handling"); - exit_status++; - goto cleanup; + com_err(progname, retval, "while initializing error handling"); + exit_status++; + goto cleanup; } /* Initialize the ldap context */ ldap_context = calloc(sizeof(krb5_ldap_context), 1); if (ldap_context == NULL) { - com_err(progname, ENOMEM, "while initializing ldap handle"); - exit_status++; - goto cleanup; + com_err(progname, ENOMEM, "while initializing ldap handle"); + exit_status++; + goto cleanup; } ldap_context->kcontext = util_context; /* If LDAP parameters are specified, replace them with the values from config */ if (ldapmask & CMD_LDAP_D) { - /* If password is not specified, prompt for it */ - if (passwd == NULL) { - passwd = (char *)malloc(MAX_PASSWD_LEN); - if (passwd == NULL) { - com_err(progname, ENOMEM, "while retrieving ldap configuration"); - exit_status++; - goto cleanup; - } - prompt = (char *)malloc(MAX_PASSWD_PROMPT_LEN); - if (prompt == NULL) { - free(passwd); - passwd = NULL; - com_err(progname, ENOMEM, "while retrieving ldap configuration"); - exit_status++; - goto cleanup; - } - memset(passwd, 0, MAX_PASSWD_LEN); - passwd_len = MAX_PASSWD_LEN - 1; - snprintf(prompt, MAX_PASSWD_PROMPT_LEN, "Password for \"%s\"", bind_dn); - - db_retval = krb5_read_password(util_context, prompt, NULL, passwd, &passwd_len); - - if ((db_retval) || (passwd_len == 0)) { - com_err(progname, ENOMEM, "while retrieving ldap configuration"); - free(passwd); - passwd = NULL; - exit_status++; - goto cleanup; - } - } - - ldap_context->bind_pwd = passwd; - passwd = NULL; + /* If password is not specified, prompt for it */ + if (passwd == NULL) { + passwd = (char *)malloc(MAX_PASSWD_LEN); + if (passwd == NULL) { + com_err(progname, ENOMEM, "while retrieving ldap configuration"); + exit_status++; + goto cleanup; + } + prompt = (char *)malloc(MAX_PASSWD_PROMPT_LEN); + if (prompt == NULL) { + free(passwd); + passwd = NULL; + com_err(progname, ENOMEM, "while retrieving ldap configuration"); + exit_status++; + goto cleanup; + } + memset(passwd, 0, MAX_PASSWD_LEN); + passwd_len = MAX_PASSWD_LEN - 1; + snprintf(prompt, MAX_PASSWD_PROMPT_LEN, "Password for \"%s\"", bind_dn); + + db_retval = krb5_read_password(util_context, prompt, NULL, passwd, &passwd_len); + + if ((db_retval) || (passwd_len == 0)) { + com_err(progname, ENOMEM, "while retrieving ldap configuration"); + free(passwd); + passwd = NULL; + exit_status++; + goto cleanup; + } + } + + ldap_context->bind_pwd = passwd; + passwd = NULL; } /* If ldaphost is specified, release entry filled by configuration & use this */ if (ldapmask & CMD_LDAP_H) { - ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (2, sizeof (krb5_ldap_server_info *)) ; - if (ldap_context->server_info_list == NULL) { - com_err(progname, ENOMEM, "while initializing server list"); - exit_status++; - goto cleanup; - } - - ldap_context->server_info_list[0] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info)); - if (ldap_context->server_info_list[0] == NULL) { - com_err(progname, ENOMEM, "while initializing server list"); - exit_status++; - goto cleanup; - } - - ldap_context->server_info_list[0]->server_status = NOTSET; - - ldap_context->server_info_list[0]->server_name = strdup(ldap_server); - if (ldap_context->server_info_list[0]->server_name == NULL) { - com_err(progname, ENOMEM, "while initializing server list"); - exit_status++; - goto cleanup; - } + ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (2, sizeof (krb5_ldap_server_info *)) ; + if (ldap_context->server_info_list == NULL) { + com_err(progname, ENOMEM, "while initializing server list"); + exit_status++; + goto cleanup; + } + + ldap_context->server_info_list[0] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info)); + if (ldap_context->server_info_list[0] == NULL) { + com_err(progname, ENOMEM, "while initializing server list"); + exit_status++; + goto cleanup; + } + + ldap_context->server_info_list[0]->server_status = NOTSET; + + ldap_context->server_info_list[0]->server_name = strdup(ldap_server); + if (ldap_context->server_info_list[0]->server_name == NULL) { + com_err(progname, ENOMEM, "while initializing server list"); + exit_status++; + goto cleanup; + } } if (bind_dn) { - ldap_context->bind_dn = strdup(bind_dn); - if (ldap_context->bind_dn == NULL) { - com_err(progname, ENOMEM, "while retrieving ldap configuration"); - exit_status++; - goto cleanup; - } + ldap_context->bind_dn = strdup(bind_dn); + if (ldap_context->bind_dn == NULL) { + com_err(progname, ENOMEM, "while retrieving ldap configuration"); + exit_status++; + goto cleanup; + } } else - ldap_context->bind_dn = NULL; + ldap_context->bind_dn = NULL; ldap_context->service_type = SERVICE_DN_TYPE_CLIENT; if (realm_name_required) { - if ((global_params.enctype != ENCTYPE_UNKNOWN) && - (!krb5_c_valid_enctype(global_params.enctype))) { - com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, - "while setting up enctype %d", global_params.enctype); - } + if ((global_params.enctype != ENCTYPE_UNKNOWN) && + (!krb5_c_valid_enctype(global_params.enctype))) { + com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, + "while setting up enctype %d", global_params.enctype); + } } cmd = cmd_lookup(cmd_argv[0]); @@ -588,28 +592,28 @@ int main(argc, argv) /* Setup DAL handle to access the database */ db_retval = krb5_db_setup_lib_handle(util_context); if (db_retval) { - com_err(progname, db_retval, "while setting up lib handle"); - exit_status++; - goto cleanup; + com_err(progname, db_retval, "while setting up lib handle"); + exit_status++; + goto cleanup; } util_context->dal_handle->db_context = ldap_context; ldap_context = NULL; db_retval = krb5_ldap_read_server_params(util_context, conf_section, KRB5_KDB_SRV_TYPE_OTHER); if (db_retval) { - com_err(progname, db_retval, "while reading ldap configuration"); - exit_status++; - goto cleanup; + com_err(progname, db_retval, "while reading ldap configuration"); + exit_status++; + goto cleanup; } if (cmd->opendb) { - db_retval = krb5_ldap_db_init(util_context, (krb5_ldap_context *)util_context->dal_handle->db_context); - if (db_retval) { - com_err(progname, db_retval, "while initializing database"); - exit_status++; - goto cleanup; - } - db_inited = TRUE; + db_retval = krb5_ldap_db_init(util_context, (krb5_ldap_context *)util_context->dal_handle->db_context); + if (db_retval) { + com_err(progname, db_retval, "while initializing database"); + exit_status++; + goto cleanup; + } + db_inited = TRUE; } (*cmd->func)(cmd_argc, cmd_argv); @@ -617,31 +621,31 @@ int main(argc, argv) cleanup: if (passwd) { - memset(passwd, 0, strlen(passwd)); - free(passwd); + memset(passwd, 0, strlen(passwd)); + free(passwd); } if (ldap_context) { - krb5_ldap_free_server_context_params(ldap_context); - free(ldap_context); + krb5_ldap_free_server_context_params(ldap_context); + free(ldap_context); } if (util_context) { - if (gp_is_static == 0) - kadm5_free_config_params(util_context, &global_params); - krb5_ldap_close(util_context); - krb5_free_context(util_context); + if (gp_is_static == 0) + kadm5_free_config_params(util_context, &global_params); + krb5_ldap_close(util_context); + krb5_free_context(util_context); } if (cmd_argv) - free(cmd_argv); + free(cmd_argv); if (prompt) - free(prompt); + free(prompt); if (conf_section) - free(conf_section); + free(conf_section); if (usage_print) { - usage(); + usage(); } return exit_status; diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h index 8eb65af5d..572236bd2 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_util.h */ @@ -71,10 +72,10 @@ extern void db_usage(int); /* Following are the bitmaps that indicate which of the options among -D, -w, -h, -p & -t * were specified on the command line. */ -#define CMD_LDAP_D 0x1 /* set if -D option is specified */ -#define CMD_LDAP_W 0x2 /* set if -w option is specified */ -#define CMD_LDAP_H 0x4 /* set if -h option is specified */ -#define CMD_LDAP_P 0x8 /* set if -p option is specified */ +#define CMD_LDAP_D 0x1 /* set if -D option is specified */ +#define CMD_LDAP_W 0x2 /* set if -w option is specified */ +#define CMD_LDAP_H 0x4 /* set if -h option is specified */ +#define CMD_LDAP_P 0x8 /* set if -p option is specified */ #define MAX_PASSWD_LEN 1024 #define MAX_PASSWD_PROMPT_LEN 276 /* max_dn_size(=256) + strlen("Password for \" \"")=20 */ diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c index 27f094f82..d443f8d87 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/kdb/ldap/kdb_ext.c * diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c index 8f7e3bdd3..1966aa970 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/kdb_ldap.c * @@ -50,32 +51,32 @@ krb5_ldap_get_db_opt(char *input, char **opt, char **val) *val = NULL; if (pos == NULL) { - *opt = strdup(input); - if (*opt == NULL) { - return ENOMEM; - } + *opt = strdup(input); + if (*opt == NULL) { + return ENOMEM; + } } else { - int len = pos - input; - *opt = malloc((unsigned) len + 1); - if (!*opt) { - return ENOMEM; - } - memcpy(*opt, input, (unsigned) len); - /* ignore trailing blanks */ - while (isblank((*opt)[len-1])) - --len; - (*opt)[len] = '\0'; - - pos += 1; /* move past '=' */ - while (isblank(*pos)) /* ignore leading blanks */ - pos += 1; - if (*pos != '\0') { - *val = strdup (pos); - if (!*val) { - free (*opt); - return ENOMEM; - } - } + int len = pos - input; + *opt = malloc((unsigned) len + 1); + if (!*opt) { + return ENOMEM; + } + memcpy(*opt, input, (unsigned) len); + /* ignore trailing blanks */ + while (isblank((*opt)[len-1])) + --len; + (*opt)[len] = '\0'; + + pos += 1; /* move past '=' */ + while (isblank(*pos)) /* ignore leading blanks */ + pos += 1; + if (*pos != '\0') { + *val = strdup (pos); + if (!*val) { + free (*opt); + return ENOMEM; + } + } } return (0); @@ -108,17 +109,17 @@ krb5_ldap_read_startup_information(krb5_context context) SETUP_CONTEXT(); if ((retval=krb5_ldap_read_krbcontainer_params(context, &(ldap_context->krbcontainer)))) { - prepend_err_str (context, "Unable to read Kerberos container", retval, retval); - goto cleanup; + prepend_err_str (context, "Unable to read Kerberos container", retval, retval); + goto cleanup; } if ((retval=krb5_ldap_read_realm_params(context, context->default_realm, &(ldap_context->lrparams), &mask))) { - prepend_err_str (context, "Unable to read Realm", retval, retval); - goto cleanup; + prepend_err_str (context, "Unable to read Realm", retval, retval); + goto cleanup; } if (((mask & LDAP_REALM_MAXTICKETLIFE) == 0) || ((mask & LDAP_REALM_MAXRENEWLIFE) == 0) - || ((mask & LDAP_REALM_KRBTICKETFLAGS) == 0)) { + || ((mask & LDAP_REALM_KRBTICKETFLAGS) == 0)) { kadm5_config_params params_in, params_out; memset(¶ms_in, 0, sizeof(params_in)); @@ -167,11 +168,8 @@ cleanup: * value assertion. */ static int -has_rootdse_ava(context, ldap_server, attribute, value) - krb5_context context; - char *ldap_server; - char *attribute; - char *value; +has_rootdse_ava(krb5_context context, char *ldap_server, char *attribute, + char *value) { int i=0, flag=0, ret=0, retval=0; char *attrs[2], **values=NULL; @@ -184,8 +182,8 @@ has_rootdse_ava(context, ldap_server, attribute, value) retval = ldap_initialize(&ld, ldap_server); if (retval != LDAP_SUCCESS) { - ret = 2; /* Don't know */ - goto cleanup; + ret = 2; /* Don't know */ + goto cleanup; } cred.bv_val = ""; @@ -194,50 +192,50 @@ has_rootdse_ava(context, ldap_server, attribute, value) /* Anonymous bind */ retval = ldap_sasl_bind_s(ld, "", NULL, &cred, NULL, NULL, NULL); if (retval != LDAP_SUCCESS) { - ret = 2; /* Don't know */ - goto cleanup; + ret = 2; /* Don't know */ + goto cleanup; } retval = ldap_search_ext_s(ld, "", LDAP_SCOPE_BASE, NULL, attrs, 0, NULL, NULL, NULL, 0, &res); if (retval != LDAP_SUCCESS) { - ret = 2; /* Don't know */ - goto cleanup; + ret = 2; /* Don't know */ + goto cleanup; } msg = ldap_first_message(ld, res); if (msg == NULL) { - ret = 2; /* Don't know */ - goto cleanup; + ret = 2; /* Don't know */ + goto cleanup; } values = ldap_get_values(ld, msg, attribute); if (values == NULL) { - ret = 1; /* Not supported */ - goto cleanup; + ret = 1; /* Not supported */ + goto cleanup; } for (i = 0; values[i] != NULL; i++) { - if (strcmp(values[i], value) == 0) { - flag = 1; - break; - } + if (strcmp(values[i], value) == 0) { + flag = 1; + break; + } } if (flag != 1) { - ret = 1; /* Not supported */ - goto cleanup; + ret = 1; /* Not supported */ + goto cleanup; } cleanup: if (values != NULL) - ldap_value_free(values); + ldap_value_free(values); if (res != NULL) - ldap_msgfree(res); + ldap_msgfree(res); if (ld != NULL) - ldap_unbind_ext_s(ld, NULL, NULL); + ldap_unbind_ext_s(ld, NULL, NULL); return ret; } @@ -252,23 +250,21 @@ cleanup: * 2 => don't know */ int -has_sasl_external_mech(context, ldap_server) - krb5_context context; - char *ldap_server; +has_sasl_external_mech(krb5_context context, char *ldap_server) { int ret; ret = has_rootdse_ava(context, ldap_server, - "supportedSASLMechanisms", "EXTERNAL"); + "supportedSASLMechanisms", "EXTERNAL"); switch (ret) { case 1: /* not supported */ - krb5_set_error_message(context, 1, "%s", ERR_MSG2); - break; + krb5_set_error_message(context, 1, "%s", ERR_MSG2); + break; case 2: /* don't know */ - krb5_set_error_message(context, 1, "%s", ERR_MSG1); - break; + krb5_set_error_message(context, 1, "%s", ERR_MSG1); + break; default: - break; + break; } return ret; @@ -280,24 +276,24 @@ has_modify_increment(context, ldap_server) char *ldap_server; { return has_rootdse_ava(context, ldap_server, - "supportedFeatures", "1.3.6.1.1.14"); + "supportedFeatures", "1.3.6.1.1.14"); } -void * krb5_ldap_alloc(krb5_context context, void *ptr, size_t size) +void * +krb5_ldap_alloc(krb5_context context, void *ptr, size_t size) { return realloc(ptr, size); } -void krb5_ldap_free(krb5_context context, void *ptr) - +void +krb5_ldap_free(krb5_context context, void *ptr) { free(ptr); } -krb5_error_code krb5_ldap_open(krb5_context context, - char *conf_section, - char **db_args, - int mode) +krb5_error_code +krb5_ldap_open(krb5_context context, char *conf_section, char **db_args, + int mode) { krb5_error_code status = 0; char **t_ptr = db_args; @@ -310,196 +306,196 @@ krb5_error_code krb5_ldap_open(krb5_context context, ldap_context = calloc(1, sizeof(krb5_ldap_context)); if (ldap_context == NULL) { - status = ENOMEM; - goto clean_n_exit; + status = ENOMEM; + goto clean_n_exit; } ldap_context->kcontext = context; while (t_ptr && *t_ptr) { - char *opt = NULL, *val = NULL; - - if ((status = krb5_ldap_get_db_opt(*t_ptr, &opt, &val)) != 0) { - goto clean_n_exit; - } - if (opt && !strcmp(opt, "binddn")) { - if (ldap_context->bind_dn) { - free (opt); - free (val); - status = EINVAL; - krb5_set_error_message (context, status, "'binddn' missing"); - goto clean_n_exit; - } - if (val == NULL) { - status = EINVAL; - krb5_set_error_message (context, status, "'binddn' value missing"); - free(opt); - goto clean_n_exit; - } - ldap_context->bind_dn = strdup(val); - if (ldap_context->bind_dn == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto clean_n_exit; - } - } else if (opt && !strcmp(opt, "nconns")) { - if (ldap_context->max_server_conns) { - free (opt); - free (val); - status = EINVAL; - krb5_set_error_message (context, status, "'nconns' missing"); - goto clean_n_exit; - } - if (val == NULL) { - status = EINVAL; - krb5_set_error_message (context, status, "'nconns' value missing"); - free(opt); - goto clean_n_exit; - } - ldap_context->max_server_conns = atoi(val) ? atoi(val) : DEFAULT_CONNS_PER_SERVER; - } else if (opt && !strcmp(opt, "bindpwd")) { - if (ldap_context->bind_pwd) { - free (opt); - free (val); - status = EINVAL; - krb5_set_error_message (context, status, "'bindpwd' missing"); - goto clean_n_exit; - } - if (val == NULL) { - status = EINVAL; - krb5_set_error_message (context, status, "'bindpwd' value missing"); - free(opt); - goto clean_n_exit; - } - ldap_context->bind_pwd = strdup(val); - if (ldap_context->bind_pwd == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto clean_n_exit; - } - } else if (opt && !strcmp(opt, "host")) { - if (val == NULL) { - status = EINVAL; - krb5_set_error_message (context, status, "'host' value missing"); - free(opt); - goto clean_n_exit; - } - if (ldap_context->server_info_list == NULL) - ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (SERV_COUNT+1, sizeof (krb5_ldap_server_info *)) ; - - if (ldap_context->server_info_list == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto clean_n_exit; - } - - ldap_context->server_info_list[srv_cnt] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info)); - if (ldap_context->server_info_list[srv_cnt] == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto clean_n_exit; - } - - ldap_context->server_info_list[srv_cnt]->server_status = NOTSET; - - ldap_context->server_info_list[srv_cnt]->server_name = strdup(val); - if (ldap_context->server_info_list[srv_cnt]->server_name == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto clean_n_exit; - } - - srv_cnt++; + char *opt = NULL, *val = NULL; + + if ((status = krb5_ldap_get_db_opt(*t_ptr, &opt, &val)) != 0) { + goto clean_n_exit; + } + if (opt && !strcmp(opt, "binddn")) { + if (ldap_context->bind_dn) { + free (opt); + free (val); + status = EINVAL; + krb5_set_error_message (context, status, "'binddn' missing"); + goto clean_n_exit; + } + if (val == NULL) { + status = EINVAL; + krb5_set_error_message (context, status, "'binddn' value missing"); + free(opt); + goto clean_n_exit; + } + ldap_context->bind_dn = strdup(val); + if (ldap_context->bind_dn == NULL) { + free (opt); + free (val); + status = ENOMEM; + goto clean_n_exit; + } + } else if (opt && !strcmp(opt, "nconns")) { + if (ldap_context->max_server_conns) { + free (opt); + free (val); + status = EINVAL; + krb5_set_error_message (context, status, "'nconns' missing"); + goto clean_n_exit; + } + if (val == NULL) { + status = EINVAL; + krb5_set_error_message (context, status, "'nconns' value missing"); + free(opt); + goto clean_n_exit; + } + ldap_context->max_server_conns = atoi(val) ? atoi(val) : DEFAULT_CONNS_PER_SERVER; + } else if (opt && !strcmp(opt, "bindpwd")) { + if (ldap_context->bind_pwd) { + free (opt); + free (val); + status = EINVAL; + krb5_set_error_message (context, status, "'bindpwd' missing"); + goto clean_n_exit; + } + if (val == NULL) { + status = EINVAL; + krb5_set_error_message (context, status, "'bindpwd' value missing"); + free(opt); + goto clean_n_exit; + } + ldap_context->bind_pwd = strdup(val); + if (ldap_context->bind_pwd == NULL) { + free (opt); + free (val); + status = ENOMEM; + goto clean_n_exit; + } + } else if (opt && !strcmp(opt, "host")) { + if (val == NULL) { + status = EINVAL; + krb5_set_error_message (context, status, "'host' value missing"); + free(opt); + goto clean_n_exit; + } + if (ldap_context->server_info_list == NULL) + ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (SERV_COUNT+1, sizeof (krb5_ldap_server_info *)) ; + + if (ldap_context->server_info_list == NULL) { + free (opt); + free (val); + status = ENOMEM; + goto clean_n_exit; + } + + ldap_context->server_info_list[srv_cnt] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info)); + if (ldap_context->server_info_list[srv_cnt] == NULL) { + free (opt); + free (val); + status = ENOMEM; + goto clean_n_exit; + } + + ldap_context->server_info_list[srv_cnt]->server_status = NOTSET; + + ldap_context->server_info_list[srv_cnt]->server_name = strdup(val); + if (ldap_context->server_info_list[srv_cnt]->server_name == NULL) { + free (opt); + free (val); + status = ENOMEM; + goto clean_n_exit; + } + + srv_cnt++; #ifdef HAVE_EDIRECTORY - } else if (opt && !strcmp(opt, "cert")) { - if (val == NULL) { - status = EINVAL; - krb5_set_error_message (context, status, "'cert' value missing"); - free(opt); - goto clean_n_exit; - } - - if (ldap_context->root_certificate_file == NULL) { - ldap_context->root_certificate_file = strdup(val); - if (ldap_context->root_certificate_file == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto clean_n_exit; - } - } else { - char *newstr; - - if (asprintf(&newstr, "%s %s", - ldap_context->root_certificate_file, val) < 0) { - free (opt); - free (val); - status = ENOMEM; - goto clean_n_exit; - } - free(ldap_context->root_certificate_file); - ldap_context->root_certificate_file = newstr; - } + } else if (opt && !strcmp(opt, "cert")) { + if (val == NULL) { + status = EINVAL; + krb5_set_error_message (context, status, "'cert' value missing"); + free(opt); + goto clean_n_exit; + } + + if (ldap_context->root_certificate_file == NULL) { + ldap_context->root_certificate_file = strdup(val); + if (ldap_context->root_certificate_file == NULL) { + free (opt); + free (val); + status = ENOMEM; + goto clean_n_exit; + } + } else { + char *newstr; + + if (asprintf(&newstr, "%s %s", + ldap_context->root_certificate_file, val) < 0) { + free (opt); + free (val); + status = ENOMEM; + goto clean_n_exit; + } + free(ldap_context->root_certificate_file); + ldap_context->root_certificate_file = newstr; + } #endif - } else { - /* ignore hash argument. Might have been passed from create */ - status = EINVAL; - if (opt && !strcmp(opt, "temporary")) { - /* - * temporary is passed in when kdb5_util load without -update is done. - * This is unsupported by the LDAP plugin. - */ - krb5_set_error_message (context, status, - "open of LDAP directory aborted, plugin requires -update argument"); - } else { - krb5_set_error_message (context, status, "unknown option \'%s\'", - opt?opt:val); - } - free(opt); - free(val); - goto clean_n_exit; - } - - free(opt); - free(val); - t_ptr++; + } else { + /* ignore hash argument. Might have been passed from create */ + status = EINVAL; + if (opt && !strcmp(opt, "temporary")) { + /* + * temporary is passed in when kdb5_util load without -update is done. + * This is unsupported by the LDAP plugin. + */ + krb5_set_error_message (context, status, + "open of LDAP directory aborted, plugin requires -update argument"); + } else { + krb5_set_error_message (context, status, "unknown option \'%s\'", + opt?opt:val); + } + free(opt); + free(val); + goto clean_n_exit; + } + + free(opt); + free(val); + t_ptr++; } dal_handle = context->dal_handle; dal_handle->db_context = ldap_context; status = krb5_ldap_read_server_params(context, conf_section, mode & 0x0300); if (status) { - if (ldap_context) - krb5_ldap_free_ldap_context(ldap_context); - ldap_context = NULL; - dal_handle->db_context = NULL; - prepend_err_str (context, "Error reading LDAP server params: ", status, status); - goto clean_n_exit; + if (ldap_context) + krb5_ldap_free_ldap_context(ldap_context); + ldap_context = NULL; + dal_handle->db_context = NULL; + prepend_err_str (context, "Error reading LDAP server params: ", status, status); + goto clean_n_exit; } if ((status=krb5_ldap_db_init(context, ldap_context)) != 0) { - goto clean_n_exit; + goto clean_n_exit; } if ((status=krb5_ldap_read_startup_information(context)) != 0) { - goto clean_n_exit; + goto clean_n_exit; } clean_n_exit: /* may be clearing up is not required db_fini might do it for us, check out */ if (status) { - krb5_ldap_close(context); + krb5_ldap_close(context); } return status; } #include "ldap_err.h" int -set_ldap_error (krb5_context ctx, int st, int op) +set_ldap_error(krb5_context ctx, int st, int op) { int translated_st = translate_ldap_error(st, op); krb5_set_error_message(ctx, translated_st, "%s", ldap_err2string(st)); @@ -507,8 +503,8 @@ set_ldap_error (krb5_context ctx, int st, int op) } void -prepend_err_str (krb5_context ctx, const char *str, krb5_error_code err, - krb5_error_code oerr) +prepend_err_str(krb5_context ctx, const char *str, krb5_error_code err, + krb5_error_code oerr) { const char *omsg; if (oerr == 0) oerr = err; @@ -519,13 +515,15 @@ prepend_err_str (krb5_context ctx, const char *str, krb5_error_code err, extern krb5int_access accessor; MAKE_INIT_FUNCTION(kldap_init_fn); -int kldap_init_fn(void) +int +kldap_init_fn(void) { /* Global (per-module) initialization. */ return krb5int_accessor (&accessor, KRB5INT_ACCESS_VERSION); } -int kldap_ensure_initialized(void) +int +kldap_ensure_initialized(void) { return CALL_INIT_FUNCTION (kldap_init_fn); } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h index ea6d3706a..1ca09b499 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/kdb_ldap.h * @@ -78,21 +79,21 @@ extern struct timeval timelimit; #define CHECK_STATUS 1 #define SETUP_CONTEXT() if (context == NULL || context->dal_handle == NULL \ - || context->dal_handle->db_context == NULL) { \ - return EINVAL; \ - } \ - dal_handle = context->dal_handle; \ - ldap_context = (krb5_ldap_context *) dal_handle->db_context; \ + || context->dal_handle->db_context == NULL) { \ + return EINVAL; \ + } \ + dal_handle = context->dal_handle; \ + ldap_context = (krb5_ldap_context *) dal_handle->db_context; \ if (ldap_context == NULL || ldap_context->server_info_list == NULL) \ return KRB5_KDB_DBNOTINITED; -#define GET_HANDLE() ld = NULL; \ +#define GET_HANDLE() ld = NULL; \ st = krb5_ldap_request_handle_from_pool(ldap_context, &ldap_server_handle); \ - if (st != 0) { \ + if (st != 0) { \ prepend_err_str(context, "LDAP handle unavailable: ", KRB5_KDB_ACCESS_ERROR, st); \ - st = KRB5_KDB_ACCESS_ERROR; \ - goto cleanup; \ - } \ + st = KRB5_KDB_ACCESS_ERROR; \ + goto cleanup; \ + } \ ld = ldap_server_handle->ldap_handle; extern int set_ldap_error (krb5_context ctx, int st, int op); @@ -100,44 +101,44 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er #define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS) -#define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \ - do { \ - st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \ - if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ - tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ - if (ldap_server_handle) \ - ld = ldap_server_handle->ldap_handle; \ - } \ - }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \ - \ - if (status_check != IGNORE_STATUS) { \ - if (tempst != 0) { \ +#define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \ + do { \ + st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \ + if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ + tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ + if (ldap_server_handle) \ + ld = ldap_server_handle->ldap_handle; \ + } \ + }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \ + \ + if (status_check != IGNORE_STATUS) { \ + if (tempst != 0) { \ prepend_err_str(context, "LDAP handle unavailable: ", KRB5_KDB_ACCESS_ERROR, st); \ - st = KRB5_KDB_ACCESS_ERROR; \ - goto cleanup; \ - } \ - if (st != LDAP_SUCCESS) { \ - st = set_ldap_error(context, st, OP_SEARCH); \ - goto cleanup; \ - } \ - } - - -#define CHECK_CLASS_VALIDITY(st, mask, str) \ - if (st != 0 || mask == 0) { \ - if (st == 0 && mask == 0) { \ - st = set_ldap_error(context, LDAP_OBJECT_CLASS_VIOLATION, OP_SEARCH); \ - } \ - prepend_err_str(context, str, st, st); \ - goto cleanup; \ - } - -#define CHECK_NULL(ptr) if (ptr == NULL) { \ - st = ENOMEM; \ - goto cleanup; \ - } - -#define STORE16_INT(ptr, val) store_16_be(val, ptr) + st = KRB5_KDB_ACCESS_ERROR; \ + goto cleanup; \ + } \ + if (st != LDAP_SUCCESS) { \ + st = set_ldap_error(context, st, OP_SEARCH); \ + goto cleanup; \ + } \ + } + + +#define CHECK_CLASS_VALIDITY(st, mask, str) \ + if (st != 0 || mask == 0) { \ + if (st == 0 && mask == 0) { \ + st = set_ldap_error(context, LDAP_OBJECT_CLASS_VIOLATION, OP_SEARCH); \ + } \ + prepend_err_str(context, str, st, st); \ + goto cleanup; \ + } + +#define CHECK_NULL(ptr) if (ptr == NULL) { \ + st = ENOMEM; \ + goto cleanup; \ + } + +#define STORE16_INT(ptr, val) store_16_be(val, ptr) #define STORE32_INT(ptr, val) store_32_be(val, ptr) #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr)) #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr)) @@ -157,10 +158,10 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er #define KDB_TL_LINKDN 0x07 -#define CHECK_LDAP_HANDLE(lcontext) if (!(ldap_context \ - && ldap_context->server_info_list)) { \ - return KRB5_KDB_DBNOTINITED; \ - } +#define CHECK_LDAP_HANDLE(lcontext) if (!(ldap_context \ + && ldap_context->server_info_list)) { \ + return KRB5_KDB_DBNOTINITED; \ + } #define HNDL_LOCK(lcontext) k5_mutex_lock(&lcontext->hndl_lock) #define HNDL_UNLOCK(lcontext) k5_mutex_unlock(&lcontext->hndl_lock) @@ -188,16 +189,16 @@ typedef struct _krb5_ldap_server_handle { } krb5_ldap_server_handle; struct _krb5_ldap_server_info { - krb5_ldap_server_type server_type; + krb5_ldap_server_type server_type; krb5_ldap_server_status server_status; krb5_ui_4 num_conns; krb5_ldap_server_handle *ldap_server_handles; time_t downtime; - char *server_name; + char *server_name; #ifdef HAVE_EDIRECTORY - char *root_certificate_file; + char *root_certificate_file; #endif - int modify_increment; + int modify_increment; struct _krb5_ldap_server_info *next; }; @@ -207,33 +208,33 @@ struct _krb5_ldap_server_info { typedef enum {SERVICE_DN_TYPE_SERVER, SERVICE_DN_TYPE_CLIENT} krb5_ldap_servicetype; typedef struct _krb5_ldap_context { - krb5_ldap_servicetype service_type; - krb5_ldap_server_info **server_info_list; - krb5_ui_4 max_server_conns; - char *conf_section; - char *bind_dn; - char *bind_pwd; - char *service_password_file; - char *root_certificate_file; - char *service_cert_path; - char *service_cert_pass; - krb5_ldap_certificates **certificates; - krb5_ui_4 cert_count; /* certificate count */ - k5_mutex_t hndl_lock; - krb5_ldap_krbcontainer_params *krbcontainer; - krb5_ldap_realm_params *lrparams; - krb5_context kcontext; /* to set the error code and message */ + krb5_ldap_servicetype service_type; + krb5_ldap_server_info **server_info_list; + krb5_ui_4 max_server_conns; + char *conf_section; + char *bind_dn; + char *bind_pwd; + char *service_password_file; + char *root_certificate_file; + char *service_cert_path; + char *service_cert_pass; + krb5_ldap_certificates **certificates; + krb5_ui_4 cert_count; /* certificate count */ + k5_mutex_t hndl_lock; + krb5_ldap_krbcontainer_params *krbcontainer; + krb5_ldap_realm_params *lrparams; + krb5_context kcontext; /* to set the error code and message */ } krb5_ldap_context; typedef struct { - int nkey; - struct berval **keys; + int nkey; + struct berval **keys; }KEY; -#define k5ldap_inited(c) (c && c->db_context \ - && ((kdb5_dal_handle*)c->db_context)->db_context \ - && ((krb5_ldap_context *) ((kdb5_dal_handle*)c->db_context)->db_context)) +#define k5ldap_inited(c) (c && c->db_context \ + && ((kdb5_dal_handle*)c->db_context)->db_context \ + && ((krb5_ldap_context *) ((kdb5_dal_handle*)c->db_context)->db_context)) /* misc functions */ @@ -278,8 +279,8 @@ krb5_ldap_create(krb5_context , char *, char **); krb5_error_code krb5_ldap_open( krb5_context , char *, - char **db_args, - int mode ); + char **db_args, + int mode ); krb5_error_code krb5_ldap_close( krb5_context ); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c index d757a6ee3..82b0333cd 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/kdb_ldap_conn.c * @@ -38,55 +39,56 @@ #include static krb5_error_code -krb5_validate_ldap_context(krb5_context context, krb5_ldap_context *ldap_context) +krb5_validate_ldap_context(krb5_context context, + krb5_ldap_context *ldap_context) { krb5_error_code st=0; unsigned char *password=NULL; if (ldap_context->bind_dn == NULL) { - st = EINVAL; - krb5_set_error_message(context, st, "LDAP bind dn value missing "); - goto err_out; + st = EINVAL; + krb5_set_error_message(context, st, "LDAP bind dn value missing "); + goto err_out; } if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file == NULL) { - st = EINVAL; - krb5_set_error_message(context, st, "LDAP bind password value missing "); - goto err_out; + st = EINVAL; + krb5_set_error_message(context, st, "LDAP bind password value missing "); + goto err_out; } if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file != - NULL && ldap_context->service_cert_path == NULL) { - if ((st=krb5_ldap_readpassword(context, ldap_context, &password)) != 0) { - prepend_err_str(context, "Error reading password from stash: ", st, st); - goto err_out; - } - - /* Check if the returned 'password' is actually the path of a certificate */ - if (!strncmp("{FILE}", (char *)password, 6)) { - /* 'password' format: \0 */ - ldap_context->service_cert_path = strdup((char *)password + strlen("{FILE}")); - if (password[strlen((char *)password) + 1] == '\0') - ldap_context->service_cert_pass = NULL; - else - ldap_context->service_cert_pass = strdup((char *)password + - strlen((char *)password) + 1); - free(password); - } else { - ldap_context->bind_pwd = (char *)password; - if (ldap_context->bind_pwd == NULL) { - st = EINVAL; - krb5_set_error_message(context, st, "Error reading password from stash"); - goto err_out; - } - } + NULL && ldap_context->service_cert_path == NULL) { + if ((st=krb5_ldap_readpassword(context, ldap_context, &password)) != 0) { + prepend_err_str(context, "Error reading password from stash: ", st, st); + goto err_out; + } + + /* Check if the returned 'password' is actually the path of a certificate */ + if (!strncmp("{FILE}", (char *)password, 6)) { + /* 'password' format: \0 */ + ldap_context->service_cert_path = strdup((char *)password + strlen("{FILE}")); + if (password[strlen((char *)password) + 1] == '\0') + ldap_context->service_cert_pass = NULL; + else + ldap_context->service_cert_pass = strdup((char *)password + + strlen((char *)password) + 1); + free(password); + } else { + ldap_context->bind_pwd = (char *)password; + if (ldap_context->bind_pwd == NULL) { + st = EINVAL; + krb5_set_error_message(context, st, "Error reading password from stash"); + goto err_out; + } + } } /* NULL password not allowed */ if (ldap_context->bind_pwd != NULL && strlen(ldap_context->bind_pwd) == 0) { - st = EINVAL; - krb5_set_error_message(context, st, "Service password length is zero"); - goto err_out; + st = EINVAL; + krb5_set_error_message(context, st, "Service password length is zero"); + goto err_out; } err_out: @@ -98,49 +100,47 @@ err_out: */ static krb5_error_code -krb5_ldap_bind(ldap_context, ldap_server_handle) - krb5_ldap_context *ldap_context; - krb5_ldap_server_handle *ldap_server_handle; +krb5_ldap_bind(krb5_ldap_context *ldap_context, + krb5_ldap_server_handle *ldap_server_handle) { krb5_error_code st=0; struct berval bv={0, NULL}, *servercreds=NULL; if (ldap_context->service_cert_path != NULL) { - /* Certificate based bind (SASL EXTERNAL mechanism) */ - - st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle, - NULL, /* Authenticating dn */ - "EXTERNAL", /* Method used for authentication */ - &bv, - NULL, - NULL, - &servercreds); - - if (st == LDAP_SASL_BIND_IN_PROGRESS) { - st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle, - NULL, - "EXTERNAL", - servercreds, - NULL, - NULL, - &servercreds); - } + /* Certificate based bind (SASL EXTERNAL mechanism) */ + + st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle, + NULL, /* Authenticating dn */ + "EXTERNAL", /* Method used for authentication */ + &bv, + NULL, + NULL, + &servercreds); + + if (st == LDAP_SASL_BIND_IN_PROGRESS) { + st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle, + NULL, + "EXTERNAL", + servercreds, + NULL, + NULL, + &servercreds); + } } else { - /* password based simple bind */ + /* password based simple bind */ bv.bv_val = ldap_context->bind_pwd; bv.bv_len = strlen(ldap_context->bind_pwd); st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle, - ldap_context->bind_dn, - NULL, &bv, NULL, - NULL, NULL); + ldap_context->bind_dn, + NULL, &bv, NULL, + NULL, NULL); } return st; } static krb5_error_code -krb5_ldap_initialize(ldap_context, server_info) - krb5_ldap_context *ldap_context; - krb5_ldap_server_info *server_info; +krb5_ldap_initialize(krb5_ldap_context *ldap_context, + krb5_ldap_server_info *server_info) { krb5_error_code st=0; krb5_ldap_server_handle *ldap_server_handle=NULL; @@ -148,33 +148,33 @@ krb5_ldap_initialize(ldap_context, server_info) ldap_server_handle = calloc(1, sizeof(krb5_ldap_server_handle)); if (ldap_server_handle == NULL) { - st = ENOMEM; - goto err_out; + st = ENOMEM; + goto err_out; } /* ldap init */ if ((st = ldap_initialize(&ldap_server_handle->ldap_handle, server_info->server_name)) != 0) { - if (ldap_context->kcontext) - krb5_set_error_message (ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR, "%s", - ldap_err2string(st)); - st = KRB5_KDB_ACCESS_ERROR; - goto err_out; + if (ldap_context->kcontext) + krb5_set_error_message (ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR, "%s", + ldap_err2string(st)); + st = KRB5_KDB_ACCESS_ERROR; + goto err_out; } if ((st=krb5_ldap_bind(ldap_context, ldap_server_handle)) == 0) { - ldap_server_handle->server_info_update_pending = FALSE; - server_info->server_status = ON; - krb5_update_ldap_handle(ldap_server_handle, server_info); + ldap_server_handle->server_info_update_pending = FALSE; + server_info->server_status = ON; + krb5_update_ldap_handle(ldap_server_handle, server_info); } else { - if (ldap_context->kcontext) - krb5_set_error_message (ldap_context->kcontext, - KRB5_KDB_ACCESS_ERROR, "%s", - ldap_err2string(st)); - st = KRB5_KDB_ACCESS_ERROR; - server_info->server_status = OFF; - time(&server_info->downtime); - /* ldap_unbind_s(ldap_server_handle->ldap_handle); */ - free(ldap_server_handle); + if (ldap_context->kcontext) + krb5_set_error_message (ldap_context->kcontext, + KRB5_KDB_ACCESS_ERROR, "%s", + ldap_err2string(st)); + st = KRB5_KDB_ACCESS_ERROR; + server_info->server_status = OFF; + time(&server_info->downtime); + /* ldap_unbind_s(ldap_server_handle->ldap_handle); */ + free(ldap_server_handle); } err_out: @@ -194,7 +194,7 @@ krb5_ldap_db_init(krb5_context context, krb5_ldap_context *ldap_context) struct timeval local_timelimit = {10,0}; if ((st=krb5_validate_ldap_context(context, ldap_context)) != 0) - goto err_out; + goto err_out; ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version); #ifdef LDAP_OPT_NETWORK_TIMEOUT @@ -205,55 +205,55 @@ krb5_ldap_db_init(krb5_context context, krb5_ldap_context *ldap_context) st = HNDL_LOCK(ldap_context); if (st) - return st; + return st; while (ldap_context->server_info_list[cnt] != NULL) { - krb5_ldap_server_info *server_info=NULL; + krb5_ldap_server_info *server_info=NULL; - server_info = ldap_context->server_info_list[cnt]; + server_info = ldap_context->server_info_list[cnt]; - if (server_info->server_status == NOTSET) { - unsigned int conns=0; + if (server_info->server_status == NOTSET) { + unsigned int conns=0; - /* - * Check if the server has to perform certificate-based authentication - */ - if (ldap_context->service_cert_path != NULL) { - /* Find out if the server supports SASL EXTERNAL mechanism */ - if (has_sasl_external_mech(context, server_info->server_name) == 1) { - cnt++; - sasl_mech_supported = FALSE; - continue; /* Check the next LDAP server */ - } - sasl_mech_supported = TRUE; - } + /* + * Check if the server has to perform certificate-based authentication + */ + if (ldap_context->service_cert_path != NULL) { + /* Find out if the server supports SASL EXTERNAL mechanism */ + if (has_sasl_external_mech(context, server_info->server_name) == 1) { + cnt++; + sasl_mech_supported = FALSE; + continue; /* Check the next LDAP server */ + } + sasl_mech_supported = TRUE; + } - krb5_clear_error_message(context); + krb5_clear_error_message(context); #ifdef LDAP_MOD_INCREMENT - server_info->modify_increment = - (has_modify_increment(context, server_info->server_name) == 0); + server_info->modify_increment = + (has_modify_increment(context, server_info->server_name) == 0); #else - server_info->modify_increment = 0; + server_info->modify_increment = 0; #endif /* LDAP_MOD_INCREMENT */ - for (conns=0; conns < ldap_context->max_server_conns; ++conns) { - if ((st=krb5_ldap_initialize(ldap_context, server_info)) != 0) - break; - } /* for (conn= ... */ + for (conns=0; conns < ldap_context->max_server_conns; ++conns) { + if ((st=krb5_ldap_initialize(ldap_context, server_info)) != 0) + break; + } /* for (conn= ... */ - if (server_info->server_status == ON) - break; /* server init successful, so break */ - } - ++cnt; + if (server_info->server_status == ON) + break; /* server init successful, so break */ + } + ++cnt; } HNDL_UNLOCK(ldap_context); err_out: if (sasl_mech_supported == FALSE) { - st = KRB5_KDB_ACCESS_ERROR; - krb5_set_error_message (context, st, - "Certificate based authentication requested but " - "not supported by LDAP servers"); + st = KRB5_KDB_ACCESS_ERROR; + krb5_set_error_message (context, st, + "Certificate based authentication requested but " + "not supported by LDAP servers"); } return (st); } @@ -271,53 +271,54 @@ krb5_ldap_db_single_init(krb5_ldap_context *ldap_context) krb5_ldap_server_info *server_info=NULL; while (ldap_context->server_info_list[cnt] != NULL) { - server_info = ldap_context->server_info_list[cnt]; - if ((server_info->server_status == NOTSET || server_info->server_status == ON)) { - if (server_info->num_conns < ldap_context->max_server_conns-1) { - st = krb5_ldap_initialize(ldap_context, server_info); - if (st == LDAP_SUCCESS) - goto cleanup; - } - } - ++cnt; + server_info = ldap_context->server_info_list[cnt]; + if ((server_info->server_status == NOTSET || server_info->server_status == ON)) { + if (server_info->num_conns < ldap_context->max_server_conns-1) { + st = krb5_ldap_initialize(ldap_context, server_info); + if (st == LDAP_SUCCESS) + goto cleanup; + } + } + ++cnt; } /* If we are here, try to connect to all the servers */ cnt = 0; while (ldap_context->server_info_list[cnt] != NULL) { - server_info = ldap_context->server_info_list[cnt]; - st = krb5_ldap_initialize(ldap_context, server_info); - if (st == LDAP_SUCCESS) - goto cleanup; - ++cnt; + server_info = ldap_context->server_info_list[cnt]; + st = krb5_ldap_initialize(ldap_context, server_info); + if (st == LDAP_SUCCESS) + goto cleanup; + ++cnt; } cleanup: return (st); } krb5_error_code -krb5_ldap_rebind(ldap_context, ldap_server_handle) - krb5_ldap_context *ldap_context; - krb5_ldap_server_handle **ldap_server_handle; +krb5_ldap_rebind(krb5_ldap_context *ldap_context, + krb5_ldap_server_handle **ldap_server_handle) { krb5_ldap_server_handle *handle = *ldap_server_handle; if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS) - || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS)) - return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle); + || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS)) + return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle); return LDAP_SUCCESS; } /* * DAL API functions */ -krb5_error_code krb5_ldap_lib_init() +krb5_error_code +krb5_ldap_lib_init() { return 0; } -krb5_error_code krb5_ldap_lib_cleanup() +krb5_error_code +krb5_ldap_lib_cleanup() { /* right now, no cleanup required */ return 0; @@ -327,7 +328,7 @@ krb5_error_code krb5_ldap_free_ldap_context(krb5_ldap_context *ldap_context) { if (ldap_context == NULL) - return 0; + return 0; krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); ldap_context->krbcontainer = NULL; @@ -347,9 +348,9 @@ krb5_ldap_close(krb5_context context) krb5_ldap_context *ldap_context=NULL; if (context == NULL || - context->dal_handle == NULL || - context->dal_handle->db_context == NULL) - return 0; + context->dal_handle == NULL || + context->dal_handle->db_context == NULL) + return 0; dal_handle = context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c index d4c6ac832..6085efb6a 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/kdb_xdr.c * @@ -34,10 +35,8 @@ #define safe_realloc(p,n) ((p)?(realloc(p,n)):(malloc(n))) krb5_error_code -krb5_dbe_update_tl_data(context, entry, new_tl_data) - krb5_context context; - krb5_db_entry * entry; - krb5_tl_data * new_tl_data; +krb5_dbe_update_tl_data(krb5_context context, krb5_db_entry *entry, + krb5_tl_data *new_tl_data) { krb5_tl_data * tl_data; krb5_octet * tmp; @@ -46,32 +45,32 @@ krb5_dbe_update_tl_data(context, entry, new_tl_data) fails */ if ((tmp = (krb5_octet *) malloc(new_tl_data->tl_data_length)) == NULL) - return(ENOMEM); + return(ENOMEM); /* Find an existing entry of the specified type and point at it, or NULL if not found */ for (tl_data = entry->tl_data; tl_data; tl_data = tl_data->tl_data_next) - if (tl_data->tl_data_type == new_tl_data->tl_data_type) - break; + if (tl_data->tl_data_type == new_tl_data->tl_data_type) + break; /* if necessary, chain a new record in the beginning and point at it */ if (!tl_data) { - if ((tl_data = (krb5_tl_data *) calloc(1, sizeof(krb5_tl_data))) - == NULL) { - free(tmp); - return(ENOMEM); - } - tl_data->tl_data_next = entry->tl_data; - entry->tl_data = tl_data; - entry->n_tl_data++; + if ((tl_data = (krb5_tl_data *) calloc(1, sizeof(krb5_tl_data))) + == NULL) { + free(tmp); + return(ENOMEM); + } + tl_data->tl_data_next = entry->tl_data; + entry->tl_data = tl_data; + entry->n_tl_data++; } /* fill in the record */ if (tl_data->tl_data_contents) - free(tl_data->tl_data_contents); + free(tl_data->tl_data_contents); tl_data->tl_data_type = new_tl_data->tl_data_type; tl_data->tl_data_length = new_tl_data->tl_data_length; @@ -82,18 +81,16 @@ krb5_dbe_update_tl_data(context, entry, new_tl_data) } krb5_error_code -krb5_dbe_lookup_tl_data(context, entry, ret_tl_data) - krb5_context context; - krb5_db_entry * entry; - krb5_tl_data * ret_tl_data; +krb5_dbe_lookup_tl_data(krb5_context context, krb5_db_entry *entry, + krb5_tl_data *ret_tl_data) { krb5_tl_data *tl_data; for (tl_data = entry->tl_data; tl_data; tl_data = tl_data->tl_data_next) { - if (tl_data->tl_data_type == ret_tl_data->tl_data_type) { - *ret_tl_data = *tl_data; - return(0); - } + if (tl_data->tl_data_type == ret_tl_data->tl_data_type) { + *ret_tl_data = *tl_data; + return(0); + } } /* if the requested record isn't found, return zero bytes. @@ -106,10 +103,8 @@ krb5_dbe_lookup_tl_data(context, entry, ret_tl_data) } krb5_error_code -krb5_dbe_update_last_pwd_change(context, entry, stamp) - krb5_context context; - krb5_db_entry * entry; - krb5_timestamp stamp; +krb5_dbe_update_last_pwd_change(krb5_context context, krb5_db_entry *entry, + krb5_timestamp stamp) { krb5_tl_data tl_data; krb5_octet buf[4]; /* this is the encoded size of an int32 */ @@ -123,23 +118,21 @@ krb5_dbe_update_last_pwd_change(context, entry, stamp) } krb5_error_code -krb5_dbe_lookup_last_pwd_change(context, entry, stamp) - krb5_context context; - krb5_db_entry * entry; - krb5_timestamp * stamp; +krb5_dbe_lookup_last_pwd_change(krb5_context context, krb5_db_entry *entry, + krb5_timestamp *stamp) { krb5_tl_data tl_data; - krb5_error_code code; - krb5_int32 tmp; + krb5_error_code code; + krb5_int32 tmp; tl_data.tl_data_type = KRB5_TL_LAST_PWD_CHANGE; if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))) - return(code); + return(code); if (tl_data.tl_data_length != 4) { - *stamp = 0; - return(0); + *stamp = 0; + return(0); } krb5_kdb_decode_int32(tl_data.tl_data_contents, tmp); @@ -153,29 +146,27 @@ krb5_dbe_lookup_last_pwd_change(context, entry, stamp) I need one, I'll add one */ krb5_error_code -krb5_dbe_update_mod_princ_data(context, entry, mod_date, mod_princ) - krb5_context context; - krb5_db_entry * entry; - krb5_timestamp mod_date; - krb5_const_principal mod_princ; +krb5_dbe_update_mod_princ_data(krb5_context context, krb5_db_entry *entry, + krb5_timestamp mod_date, + krb5_const_principal mod_princ) { krb5_tl_data tl_data; - krb5_error_code retval = 0; - krb5_octet * nextloc = 0; - char * unparse_mod_princ = 0; - unsigned int unparse_mod_princ_size; + krb5_error_code retval = 0; + krb5_octet * nextloc = 0; + char * unparse_mod_princ = 0; + unsigned int unparse_mod_princ_size; if ((retval = krb5_unparse_name(context, mod_princ, - &unparse_mod_princ))) - return(retval); + &unparse_mod_princ))) + return(retval); unparse_mod_princ_size = strlen(unparse_mod_princ) + 1; if ((nextloc = (krb5_octet *) malloc(unparse_mod_princ_size + 4)) - == NULL) { - free(unparse_mod_princ); - return(ENOMEM); + == NULL) { + free(unparse_mod_princ); + return(ENOMEM); } tl_data.tl_data_type = KRB5_TL_MOD_PRINC; @@ -197,32 +188,30 @@ krb5_dbe_update_mod_princ_data(context, entry, mod_date, mod_princ) } krb5_error_code -krb5_dbe_lookup_mod_princ_data(context, entry, mod_time, mod_princ) - krb5_context context; - krb5_db_entry * entry; - krb5_timestamp * mod_time; - krb5_principal * mod_princ; +krb5_dbe_lookup_mod_princ_data(krb5_context context, krb5_db_entry *entry, + krb5_timestamp *mod_time, + krb5_principal *mod_princ) { krb5_tl_data tl_data; - krb5_error_code code; + krb5_error_code code; tl_data.tl_data_type = KRB5_TL_MOD_PRINC; if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))) - return(code); + return(code); if ((tl_data.tl_data_length < 5) || - (tl_data.tl_data_contents[tl_data.tl_data_length-1] != '\0')) - return(KRB5_KDB_TRUNCATED_RECORD); + (tl_data.tl_data_contents[tl_data.tl_data_length-1] != '\0')) + return(KRB5_KDB_TRUNCATED_RECORD); /* Mod Date */ krb5_kdb_decode_int32(tl_data.tl_data_contents, *mod_time); /* Mod Princ */ if ((code = krb5_parse_name(context, - (const char *) (tl_data.tl_data_contents+4), - mod_princ))) - return(code); + (const char *) (tl_data.tl_data_contents+4), + mod_princ))) + return(code); return(0); } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.h index bd01ead27..7e45710b8 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.h @@ -1,34 +1,35 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #ifndef _KDB2_XDR_H #define _KDB2_XDR_H #include "kdb.h" krb5_error_code -krb5_encode_princ_dbkey( krb5_context context, - krb5_data *key, - krb5_const_principal principal); +krb5_encode_princ_dbkey(krb5_context context, + krb5_data *key, + krb5_const_principal principal); krb5_error_code -krb5_decode_princ_contents( krb5_context context, - krb5_data * content, - krb5_db_entry * entry); +krb5_decode_princ_contents(krb5_context context, + krb5_data *content, + krb5_db_entry *entry); void -krb5_dbe_free_contents( krb5_context context, - krb5_db_entry * entry); +krb5_dbe_free_contents(krb5_context context, + krb5_db_entry *entry); krb5_error_code -krb5_encode_princ_contents( krb5_context context, - krb5_data * content, - krb5_db_entry * entry); +krb5_encode_princ_contents(krb5_context context, + krb5_data *content, + krb5_db_entry *entry); void -krb5_free_princ_dbkey( krb5_context context, - krb5_data *key); +krb5_free_princ_dbkey(krb5_context context, + krb5_data *key); void -krb5_free_princ_contents( krb5_context context, - krb5_data *contents); +krb5_free_princ_contents(krb5_context context, + krb5_data *contents); #endif diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c index 9974b1721..3027316e9 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_create.c * @@ -50,7 +51,7 @@ * the specified attributes. */ krb5_error_code -krb5_ldap_create (krb5_context context, char *conf_section, char **db_args) +krb5_ldap_create(krb5_context context, char *conf_section, char **db_args) { krb5_error_code status = 0; char **t_ptr = db_args; @@ -71,8 +72,8 @@ krb5_ldap_create (krb5_context context, char *conf_section, char **db_args) ldap_context = malloc(sizeof(krb5_ldap_context)); if (ldap_context == NULL) { - status = ENOMEM; - goto cleanup; + status = ENOMEM; + goto cleanup; } memset(ldap_context, 0, sizeof(*ldap_context)); @@ -80,158 +81,158 @@ krb5_ldap_create (krb5_context context, char *conf_section, char **db_args) /* populate ldap_context with ldap specific options */ while (t_ptr && *t_ptr) { - char *opt = NULL, *val = NULL; - - if ((status = krb5_ldap_get_db_opt(*t_ptr, &opt, &val)) != 0) { - goto cleanup; - } - if (opt && !strcmp(opt, "binddn")) { - if (ldap_context->bind_dn) { - free (opt); - free (val); - status = EINVAL; - krb5_set_error_message (context, status, "'binddn' missing"); - goto cleanup; - } - if (val == NULL) { - status = EINVAL; - krb5_set_error_message (context, status, "'binddn' value missing"); - free(opt); - goto cleanup; - } - ldap_context->bind_dn = strdup(val); - if (ldap_context->bind_dn == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto cleanup; - } - } else if (opt && !strcmp(opt, "nconns")) { - if (ldap_context->max_server_conns) { - free (opt); - free (val); - status = EINVAL; - krb5_set_error_message (context, status, "'nconns' missing"); - goto cleanup; - } - if (val == NULL) { - status = EINVAL; - krb5_set_error_message (context, status, "'nconns' value missing"); - free(opt); - goto cleanup; - } - ldap_context->max_server_conns = atoi(val) ? atoi(val) : DEFAULT_CONNS_PER_SERVER; - } else if (opt && !strcmp(opt, "bindpwd")) { - if (ldap_context->bind_pwd) { - free (opt); - free (val); - status = EINVAL; - krb5_set_error_message (context, status, "'bindpwd' missing"); - goto cleanup; - } - if (val == NULL) { - status = EINVAL; - krb5_set_error_message (context, status, "'bindpwd' value missing"); - free(opt); - goto cleanup; - } - ldap_context->bind_pwd = strdup(val); - if (ldap_context->bind_pwd == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto cleanup; - } - } else if (opt && !strcmp(opt, "host")) { - if (val == NULL) { - status = EINVAL; - krb5_set_error_message (context, status, "'host' value missing"); - free(opt); - goto cleanup; - } - if (ldap_context->server_info_list == NULL) - ldap_context->server_info_list = - (krb5_ldap_server_info **) calloc(SERV_COUNT+1, sizeof(krb5_ldap_server_info *)); - - if (ldap_context->server_info_list == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto cleanup; - } - - ldap_context->server_info_list[srv_cnt] = - (krb5_ldap_server_info *) calloc(1, sizeof(krb5_ldap_server_info)); - if (ldap_context->server_info_list[srv_cnt] == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto cleanup; - } - - ldap_context->server_info_list[srv_cnt]->server_status = NOTSET; - - ldap_context->server_info_list[srv_cnt]->server_name = strdup(val); - if (ldap_context->server_info_list[srv_cnt]->server_name == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto cleanup; - } - - srv_cnt++; + char *opt = NULL, *val = NULL; + + if ((status = krb5_ldap_get_db_opt(*t_ptr, &opt, &val)) != 0) { + goto cleanup; + } + if (opt && !strcmp(opt, "binddn")) { + if (ldap_context->bind_dn) { + free (opt); + free (val); + status = EINVAL; + krb5_set_error_message (context, status, "'binddn' missing"); + goto cleanup; + } + if (val == NULL) { + status = EINVAL; + krb5_set_error_message (context, status, "'binddn' value missing"); + free(opt); + goto cleanup; + } + ldap_context->bind_dn = strdup(val); + if (ldap_context->bind_dn == NULL) { + free (opt); + free (val); + status = ENOMEM; + goto cleanup; + } + } else if (opt && !strcmp(opt, "nconns")) { + if (ldap_context->max_server_conns) { + free (opt); + free (val); + status = EINVAL; + krb5_set_error_message (context, status, "'nconns' missing"); + goto cleanup; + } + if (val == NULL) { + status = EINVAL; + krb5_set_error_message (context, status, "'nconns' value missing"); + free(opt); + goto cleanup; + } + ldap_context->max_server_conns = atoi(val) ? atoi(val) : DEFAULT_CONNS_PER_SERVER; + } else if (opt && !strcmp(opt, "bindpwd")) { + if (ldap_context->bind_pwd) { + free (opt); + free (val); + status = EINVAL; + krb5_set_error_message (context, status, "'bindpwd' missing"); + goto cleanup; + } + if (val == NULL) { + status = EINVAL; + krb5_set_error_message (context, status, "'bindpwd' value missing"); + free(opt); + goto cleanup; + } + ldap_context->bind_pwd = strdup(val); + if (ldap_context->bind_pwd == NULL) { + free (opt); + free (val); + status = ENOMEM; + goto cleanup; + } + } else if (opt && !strcmp(opt, "host")) { + if (val == NULL) { + status = EINVAL; + krb5_set_error_message (context, status, "'host' value missing"); + free(opt); + goto cleanup; + } + if (ldap_context->server_info_list == NULL) + ldap_context->server_info_list = + (krb5_ldap_server_info **) calloc(SERV_COUNT+1, sizeof(krb5_ldap_server_info *)); + + if (ldap_context->server_info_list == NULL) { + free (opt); + free (val); + status = ENOMEM; + goto cleanup; + } + + ldap_context->server_info_list[srv_cnt] = + (krb5_ldap_server_info *) calloc(1, sizeof(krb5_ldap_server_info)); + if (ldap_context->server_info_list[srv_cnt] == NULL) { + free (opt); + free (val); + status = ENOMEM; + goto cleanup; + } + + ldap_context->server_info_list[srv_cnt]->server_status = NOTSET; + + ldap_context->server_info_list[srv_cnt]->server_name = strdup(val); + if (ldap_context->server_info_list[srv_cnt]->server_name == NULL) { + free (opt); + free (val); + status = ENOMEM; + goto cleanup; + } + + srv_cnt++; #ifdef HAVE_EDIRECTORY - } else if (opt && !strcmp(opt, "cert")) { - if (val == NULL) { - status = EINVAL; - krb5_set_error_message (context, status, "'cert' value missing"); - free(opt); - goto cleanup; - } - - if (ldap_context->root_certificate_file == NULL) { - ldap_context->root_certificate_file = strdup(val); - if (ldap_context->root_certificate_file == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto cleanup; - } - } else { - char *newstr; - - if (asprintf(&newstr, "%s %s", - ldap_context->root_certificate_file, val) < 0) { - free (opt); - free (val); - status = ENOMEM; - goto cleanup; - } - ldap_context->root_certificate_file = newstr; - } + } else if (opt && !strcmp(opt, "cert")) { + if (val == NULL) { + status = EINVAL; + krb5_set_error_message (context, status, "'cert' value missing"); + free(opt); + goto cleanup; + } + + if (ldap_context->root_certificate_file == NULL) { + ldap_context->root_certificate_file = strdup(val); + if (ldap_context->root_certificate_file == NULL) { + free (opt); + free (val); + status = ENOMEM; + goto cleanup; + } + } else { + char *newstr; + + if (asprintf(&newstr, "%s %s", + ldap_context->root_certificate_file, val) < 0) { + free (opt); + free (val); + status = ENOMEM; + goto cleanup; + } + ldap_context->root_certificate_file = newstr; + } #endif - } else { - /* ignore hash argument. Might have been passed from create */ - status = EINVAL; - if (opt && !strcmp(opt, "temporary")) { - /* - * temporary is passed in when kdb5_util load without -update is done. - * This is unsupported by the LDAP plugin. - */ - krb5_set_error_message (context, status, - "creation of LDAP entries aborted, plugin requires -update argument"); - } else { - krb5_set_error_message (context, status, "unknown option \'%s\'", - opt?opt:val); - } - free(opt); - free(val); - goto cleanup; - } - - free(opt); - free(val); - t_ptr++; + } else { + /* ignore hash argument. Might have been passed from create */ + status = EINVAL; + if (opt && !strcmp(opt, "temporary")) { + /* + * temporary is passed in when kdb5_util load without -update is done. + * This is unsupported by the LDAP plugin. + */ + krb5_set_error_message (context, status, + "creation of LDAP entries aborted, plugin requires -update argument"); + } else { + krb5_set_error_message (context, status, "unknown option \'%s\'", + opt?opt:val); + } + free(opt); + free(val); + goto cleanup; + } + + free(opt); + free(val); + t_ptr++; } dal_handle = context->dal_handle; @@ -239,121 +240,121 @@ krb5_ldap_create (krb5_context context, char *conf_section, char **db_args) status = krb5_ldap_read_server_params(context, conf_section, KRB5_KDB_SRV_TYPE_ADMIN); if (status) { - dal_handle->db_context = NULL; - prepend_err_str (context, "Error reading LDAP server params: ", status, status); - goto cleanup; + dal_handle->db_context = NULL; + prepend_err_str (context, "Error reading LDAP server params: ", status, status); + goto cleanup; } status = krb5_ldap_db_init(context, ldap_context); if (status) { - goto cleanup; + goto cleanup; } /* read the kerberos container */ if ((status = krb5_ldap_read_krbcontainer_params(context, - &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) { - - /* Read the kerberos container location from configuration file */ - if (ldap_context->conf_section) { - if ((status = profile_get_string(context->profile, - KDB_MODULE_SECTION, ldap_context->conf_section, - "ldap_kerberos_container_dn", NULL, - &kparams.DN)) != 0) { - goto cleanup; - } - } - if (kparams.DN == NULL) { - if ((status = profile_get_string(context->profile, - KDB_MODULE_DEF_SECTION, - "ldap_kerberos_container_dn", NULL, - NULL, &kparams.DN)) != 0) { - goto cleanup; - } - } - - /* create the kerberos container */ - status = krb5_ldap_create_krbcontainer(context, - ((kparams.DN != NULL) ? &kparams : NULL)); - if (status) - goto cleanup; - - krbcontainer_obj_created = TRUE; - - status = krb5_ldap_read_krbcontainer_params(context, - &(ldap_context->krbcontainer)); - if (status) - goto cleanup; + &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) { + + /* Read the kerberos container location from configuration file */ + if (ldap_context->conf_section) { + if ((status = profile_get_string(context->profile, + KDB_MODULE_SECTION, ldap_context->conf_section, + "ldap_kerberos_container_dn", NULL, + &kparams.DN)) != 0) { + goto cleanup; + } + } + if (kparams.DN == NULL) { + if ((status = profile_get_string(context->profile, + KDB_MODULE_DEF_SECTION, + "ldap_kerberos_container_dn", NULL, + NULL, &kparams.DN)) != 0) { + goto cleanup; + } + } + + /* create the kerberos container */ + status = krb5_ldap_create_krbcontainer(context, + ((kparams.DN != NULL) ? &kparams : NULL)); + if (status) + goto cleanup; + + krbcontainer_obj_created = TRUE; + + status = krb5_ldap_read_krbcontainer_params(context, + &(ldap_context->krbcontainer)); + if (status) + goto cleanup; } else if (status) { - goto cleanup; + goto cleanup; } rparams = (krb5_ldap_realm_params *) malloc(sizeof(krb5_ldap_realm_params)); if (rparams == NULL) { - status = ENOMEM; - goto cleanup; + status = ENOMEM; + goto cleanup; } memset(rparams, 0, sizeof(*rparams)); rparams->realm_name = strdup(context->default_realm); if (rparams->realm_name == NULL) { - status = ENOMEM; - goto cleanup; + status = ENOMEM; + goto cleanup; } if ((status = krb5_ldap_create_realm(context, rparams, mask))) - goto cleanup; + goto cleanup; /* We just created the Realm container. Here starts our transaction tracking */ realm_obj_created = TRUE; /* verify realm object */ if ((status = krb5_ldap_read_realm_params(context, - rparams->realm_name, - &(ldap_context->lrparams), - &mask))) - goto cleanup; + rparams->realm_name, + &(ldap_context->lrparams), + &mask))) + goto cleanup; #ifdef HAVE_EDIRECTORY if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) || - (mask & LDAP_REALM_PASSWDSERVERS)) { - - rightsmask =0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->kdcservers != NULL)) { - for (i=0; (rparams->kdcservers[i] != NULL); i++) { - if ((status=krb5_ldap_add_service_rights(context, - LDAP_KDC_SERVICE, rparams->kdcservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - goto cleanup; - } - } - } - - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->adminservers != NULL)) { - for (i=0; (rparams->adminservers[i] != NULL); i++) { - if ((status=krb5_ldap_add_service_rights(context, - LDAP_ADMIN_SERVICE, rparams->adminservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - goto cleanup; - } - } - } - - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->passwdservers != NULL)) { - for (i=0; (rparams->passwdservers[i] != NULL); i++) { - if ((status=krb5_ldap_add_service_rights(context, - LDAP_PASSWD_SERVICE, rparams->passwdservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - goto cleanup; - } - } - } + (mask & LDAP_REALM_PASSWDSERVERS)) { + + rightsmask =0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->kdcservers != NULL)) { + for (i=0; (rparams->kdcservers[i] != NULL); i++) { + if ((status=krb5_ldap_add_service_rights(context, + LDAP_KDC_SERVICE, rparams->kdcservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + goto cleanup; + } + } + } + + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->adminservers != NULL)) { + for (i=0; (rparams->adminservers[i] != NULL); i++) { + if ((status=krb5_ldap_add_service_rights(context, + LDAP_ADMIN_SERVICE, rparams->adminservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + goto cleanup; + } + } + } + + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->passwdservers != NULL)) { + for (i=0; (rparams->passwdservers[i] != NULL); i++) { + if ((status=krb5_ldap_add_service_rights(context, + LDAP_PASSWD_SERVICE, rparams->passwdservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + goto cleanup; + } + } + } } #endif @@ -361,19 +362,19 @@ cleanup: /* If the krbcontainer/realm creation is not complete, do the roll-back here */ if ((krbcontainer_obj_created) && (!realm_obj_created)) { - int rc; - rc = krb5_ldap_delete_krbcontainer(context, - ((kparams.DN != NULL) ? &kparams : NULL)); - krb5_set_error_message(context, rc, - "could not complete roll-back, error deleting Kerberos Container"); + int rc; + rc = krb5_ldap_delete_krbcontainer(context, + ((kparams.DN != NULL) ? &kparams : NULL)); + krb5_set_error_message(context, rc, + "could not complete roll-back, error deleting Kerberos Container"); } /* should call krb5_ldap_free_krbcontainer_params() but can't */ if (kparams.DN != NULL) - krb5_xfree(kparams.DN); + krb5_xfree(kparams.DN); if (rparams) - krb5_ldap_free_realm_params(rparams); + krb5_ldap_free_realm_params(rparams); return(status); } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c index 5bfaa7801..16f9dccd5 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include #include #include @@ -59,135 +60,136 @@ * OP_ABANDON => ldap_abandon */ -int translate_ldap_error(int err, int op) { +int +translate_ldap_error(int err, int op) { switch (err) { case LDAP_SUCCESS: - return 0; + return 0; case LDAP_OPERATIONS_ERROR: - /* LDAP_OPERATIONS_ERROR: Indicates an internal error. The server is - * unable to respond with a more specific error and is also unable - * to properly respond to a request */ + /* LDAP_OPERATIONS_ERROR: Indicates an internal error. The server is + * unable to respond with a more specific error and is also unable + * to properly respond to a request */ case LDAP_UNAVAILABLE_CRITICAL_EXTENSION: - /* LDAP server was unable to satisfy a request because one or more - * critical extensions were not available */ - /* This might mean that the schema was not extended ... */ + /* LDAP server was unable to satisfy a request because one or more + * critical extensions were not available */ + /* This might mean that the schema was not extended ... */ case LDAP_UNDEFINED_TYPE: - /* The attribute specified in the modify or add operation does not - * exist in the LDAP server's schema. */ - return KRB5_KDB_INTERNAL_ERROR; + /* The attribute specified in the modify or add operation does not + * exist in the LDAP server's schema. */ + return KRB5_KDB_INTERNAL_ERROR; case LDAP_INAPPROPRIATE_MATCHING: - /* The matching rule specified in the search filter does not match a - * rule defined for the attribute's syntax */ - return KRB5_KDB_UK_RERROR; + /* The matching rule specified in the search filter does not match a + * rule defined for the attribute's syntax */ + return KRB5_KDB_UK_RERROR; case LDAP_CONSTRAINT_VIOLATION: - /* The attribute value specified in a modify, add, or modify DN - * operation violates constraints placed on the attribute */ + /* The attribute value specified in a modify, add, or modify DN + * operation violates constraints placed on the attribute */ case LDAP_TYPE_OR_VALUE_EXISTS: - /* The attribute value specified in a modify or add operation - * already exists as a value for that attribute */ - return KRB5_KDB_UK_SERROR; + /* The attribute value specified in a modify or add operation + * already exists as a value for that attribute */ + return KRB5_KDB_UK_SERROR; case LDAP_INVALID_SYNTAX: - /* The attribute value specified in an add, compare, or modify - * operation is an unrecognized or invalid syntax for the attribute */ - if (op == OP_ADD || op == OP_MOD) - return KRB5_KDB_UK_SERROR; - else /* OP_CMP */ - return KRB5_KDB_UK_RERROR; - - /* Ensure that the following don't occur in the DAL-LDAP code. - * Don't rely on the LDAP server to catch it */ + /* The attribute value specified in an add, compare, or modify + * operation is an unrecognized or invalid syntax for the attribute */ + if (op == OP_ADD || op == OP_MOD) + return KRB5_KDB_UK_SERROR; + else /* OP_CMP */ + return KRB5_KDB_UK_RERROR; + + /* Ensure that the following don't occur in the DAL-LDAP code. + * Don't rely on the LDAP server to catch it */ case LDAP_SASL_BIND_IN_PROGRESS: - /* This is not an error. So, this function should not be called */ + /* This is not an error. So, this function should not be called */ case LDAP_COMPARE_FALSE: case LDAP_COMPARE_TRUE: - /* LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE are not errors. This - * function should not be invoked for them */ + /* LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE are not errors. This + * function should not be invoked for them */ case LDAP_RESULTS_TOO_LARGE: /* CLDAP */ case LDAP_TIMELIMIT_EXCEEDED: case LDAP_SIZELIMIT_EXCEEDED: - return KRB5_KDB_SERVER_INTERNAL_ERR; + return KRB5_KDB_SERVER_INTERNAL_ERR; case LDAP_INVALID_DN_SYNTAX: - /* The syntax of the DN is incorrect */ - return EINVAL; + /* The syntax of the DN is incorrect */ + return EINVAL; case LDAP_PROTOCOL_ERROR: - /* LDAP_PROTOCOL_ERROR: Indicates that the server has received an - * invalid or malformed request from the client */ + /* LDAP_PROTOCOL_ERROR: Indicates that the server has received an + * invalid or malformed request from the client */ case LDAP_CONFIDENTIALITY_REQUIRED: - /* Bind problems ... */ + /* Bind problems ... */ case LDAP_AUTH_METHOD_NOT_SUPPORTED: -/* case LDAP_STRONG_AUTH_NOT_SUPPORTED: // Is this a bind error ? */ +/* case LDAP_STRONG_AUTH_NOT_SUPPORTED: // Is this a bind error ? */ case LDAP_INAPPROPRIATE_AUTH: case LDAP_INVALID_CREDENTIALS: case LDAP_UNAVAILABLE: - return KRB5_KDB_ACCESS_ERROR; + return KRB5_KDB_ACCESS_ERROR; case LDAP_STRONG_AUTH_REQUIRED: - if (op == OP_BIND) /* the LDAP server accepts only strong authentication. */ - return KRB5_KDB_ACCESS_ERROR; - else /* Client requested an operation such that requires strong authentication */ - return KRB5_KDB_CONSTRAINT_VIOLATION; + if (op == OP_BIND) /* the LDAP server accepts only strong authentication. */ + return KRB5_KDB_ACCESS_ERROR; + else /* Client requested an operation such that requires strong authentication */ + return KRB5_KDB_CONSTRAINT_VIOLATION; case LDAP_REFERRAL: - return KRB5_KDB_NOENTRY; + return KRB5_KDB_NOENTRY; case LDAP_ADMINLIMIT_EXCEEDED: - /* An LDAP server limit set by an administrative authority has been - * exceeded */ - return KRB5_KDB_CONSTRAINT_VIOLATION; + /* An LDAP server limit set by an administrative authority has been + * exceeded */ + return KRB5_KDB_CONSTRAINT_VIOLATION; case LDAP_UNWILLING_TO_PERFORM: - /* The LDAP server cannot process the request because of - * server-defined restrictions */ - return KRB5_KDB_CONSTRAINT_VIOLATION; + /* The LDAP server cannot process the request because of + * server-defined restrictions */ + return KRB5_KDB_CONSTRAINT_VIOLATION; case LDAP_NO_SUCH_ATTRIBUTE: - /* Indicates that the attribute specified in the modify or compare - * operation does not exist in the entry */ - if (op == OP_MOD) - return KRB5_KDB_UK_SERROR; - else /* OP_CMP */ - return KRB5_KDB_TRUNCATED_RECORD; + /* Indicates that the attribute specified in the modify or compare + * operation does not exist in the entry */ + if (op == OP_MOD) + return KRB5_KDB_UK_SERROR; + else /* OP_CMP */ + return KRB5_KDB_TRUNCATED_RECORD; case LDAP_ALIAS_DEREF_PROBLEM: - /* Either the client does not have access rights to read the aliased - * object's name or dereferencing is not allowed */ + /* Either the client does not have access rights to read the aliased + * object's name or dereferencing is not allowed */ #ifdef LDAP_PROXY_AUTHZ_FAILURE case LDAP_PROXY_AUTHZ_FAILURE: // Is this correct ? #endif case LDAP_INSUFFICIENT_ACCESS: - /* Caller does not have sufficient rights to perform the requested - * operation */ - return KRB5_KDB_UNAUTH; + /* Caller does not have sufficient rights to perform the requested + * operation */ + return KRB5_KDB_UNAUTH; case LDAP_LOOP_DETECT: - /* Client discovered an alias or referral loop */ - return KRB5_KDB_DB_CORRUPT; + /* Client discovered an alias or referral loop */ + return KRB5_KDB_DB_CORRUPT; default: - if (LDAP_NAME_ERROR (err)) - return KRB5_KDB_NOENTRY; + if (LDAP_NAME_ERROR (err)) + return KRB5_KDB_NOENTRY; - if (LDAP_SECURITY_ERROR (err)) - return KRB5_KDB_UNAUTH; + if (LDAP_SECURITY_ERROR (err)) + return KRB5_KDB_UNAUTH; - if (LDAP_SERVICE_ERROR (err) || LDAP_API_ERROR (err) || LDAP_X_ERROR (err)) - return KRB5_KDB_ACCESS_ERROR; + if (LDAP_SERVICE_ERROR (err) || LDAP_API_ERROR (err) || LDAP_X_ERROR (err)) + return KRB5_KDB_ACCESS_ERROR; - if (LDAP_UPDATE_ERROR(err)) - return KRB5_KDB_UK_SERROR; + if (LDAP_UPDATE_ERROR(err)) + return KRB5_KDB_UK_SERROR; - /* LDAP_OTHER */ - return KRB5_KDB_SERVER_INTERNAL_ERR; + /* LDAP_OTHER */ + return KRB5_KDB_SERVER_INTERNAL_ERR; } } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.h index f83e583dd..1f8669252 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #define OP_INIT 1 #define OP_BIND 2 #define OP_UNBIND 3 diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c index ad90109da..ca4fc7de6 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_fetch_mkey.c * @@ -36,10 +37,7 @@ */ krb5_error_code -krb5_ldap_get_mkey (context, key) - krb5_context context; - krb5_keyblock **key; - +krb5_ldap_get_mkey(krb5_context context, krb5_keyblock **key) { kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; @@ -51,7 +49,7 @@ krb5_ldap_get_mkey (context, key) ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (ldap_context == NULL || ldap_context->lrparams == NULL) - return KRB5_KDB_DBNOTINITED; + return KRB5_KDB_DBNOTINITED; *key = &ldap_context->lrparams->mkey; return 0; @@ -63,10 +61,7 @@ krb5_ldap_get_mkey (context, key) */ krb5_error_code -krb5_ldap_set_mkey (context, pwd, key) - krb5_context context; - char *pwd; - krb5_keyblock *key; +krb5_ldap_set_mkey(krb5_context context, char *pwd, krb5_keyblock *key) { kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; @@ -79,13 +74,13 @@ krb5_ldap_set_mkey (context, pwd, key) ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (ldap_context == NULL || ldap_context->lrparams == NULL) - return KRB5_KDB_DBNOTINITED; + return KRB5_KDB_DBNOTINITED; r_params = ldap_context->lrparams; if (r_params->mkey.contents) { - free (r_params->mkey.contents); - r_params->mkey.contents=NULL; + free (r_params->mkey.contents); + r_params->mkey.contents=NULL; } r_params->mkey.magic = key->magic; @@ -93,15 +88,14 @@ krb5_ldap_set_mkey (context, pwd, key) r_params->mkey.length = key->length; r_params->mkey.contents = malloc(key->length); if (r_params->mkey.contents == NULL) - return ENOMEM; + return ENOMEM; memcpy(r_params->mkey.contents, key->contents, key->length); return 0; } krb5_error_code -krb5_ldap_get_mkey_list (krb5_context context, krb5_keylist_node **key_list) - +krb5_ldap_get_mkey_list(krb5_context context, krb5_keylist_node **key_list) { kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; @@ -113,7 +107,7 @@ krb5_ldap_get_mkey_list (krb5_context context, krb5_keylist_node **key_list) ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (ldap_context == NULL || ldap_context->lrparams == NULL) - return KRB5_KDB_DBNOTINITED; + return KRB5_KDB_DBNOTINITED; *key_list = ldap_context->lrparams->mkey_list; return 0; @@ -133,7 +127,7 @@ krb5_ldap_set_mkey_list(krb5_context context, krb5_keylist_node *key_list) ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (ldap_context == NULL || ldap_context->lrparams == NULL) - return KRB5_KDB_DBNOTINITED; + return KRB5_KDB_DBNOTINITED; r_params = ldap_context->lrparams; r_params->mkey_list = key_list; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c index 8187cdc02..90359493e 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_handle.c * @@ -43,45 +44,44 @@ */ static krb5_error_code -krb5_update_server_info(ldap_server_handle, server_info) - krb5_ldap_server_handle *ldap_server_handle; - krb5_ldap_server_info *server_info; +krb5_update_server_info(krb5_ldap_server_handle *ldap_server_handle, + krb5_ldap_server_info *server_info) { krb5_error_code st=0; struct timeval ztime={0, 0}; LDAPMessage *result=NULL; if (ldap_server_handle == NULL || server_info == NULL) - return -1; + return -1; while (st == 0) { - st = ldap_result(ldap_server_handle->ldap_handle, ldap_server_handle->msgid, - LDAP_MSG_ALL, &ztime, &result); - switch (st) { - case -1: - server_info->server_status = OFF; - time(&server_info->downtime); - break; - - case 0: - continue; - break; - - case LDAP_RES_BIND: - if ((st=ldap_result2error(ldap_server_handle->ldap_handle, result, 1)) == LDAP_SUCCESS) { - server_info->server_status = ON; - } else { - /* ?? */ krb5_set_error_message(0, 0, "%s", ldap_err2string(st)); - server_info->server_status = OFF; - time(&server_info->downtime); - } - ldap_msgfree(result); - break; - default: - ldap_msgfree(result); - continue; - break; - } + st = ldap_result(ldap_server_handle->ldap_handle, ldap_server_handle->msgid, + LDAP_MSG_ALL, &ztime, &result); + switch (st) { + case -1: + server_info->server_status = OFF; + time(&server_info->downtime); + break; + + case 0: + continue; + break; + + case LDAP_RES_BIND: + if ((st=ldap_result2error(ldap_server_handle->ldap_handle, result, 1)) == LDAP_SUCCESS) { + server_info->server_status = ON; + } else { + /* ?? */ krb5_set_error_message(0, 0, "%s", ldap_err2string(st)); + server_info->server_status = OFF; + time(&server_info->downtime); + } + ldap_msgfree(result); + break; + default: + ldap_msgfree(result); + continue; + break; + } } ldap_server_handle->server_info_update_pending = FALSE; return 0; @@ -94,35 +94,34 @@ krb5_update_server_info(ldap_server_handle, server_info) */ static krb5_ldap_server_handle * -krb5_get_ldap_handle(ldap_context) - krb5_ldap_context *ldap_context; +krb5_get_ldap_handle(krb5_ldap_context *ldap_context) { krb5_ldap_server_handle *ldap_server_handle=NULL; krb5_ldap_server_info *ldap_server_info=NULL; int cnt=0; while (ldap_context->server_info_list[cnt] != NULL) { - ldap_server_info = ldap_context->server_info_list[cnt]; - if (ldap_server_info->server_status != OFF) { - if (ldap_server_info->ldap_server_handles != NULL) { - ldap_server_handle = ldap_server_info->ldap_server_handles; - ldap_server_info->ldap_server_handles = ldap_server_handle->next; - break; + ldap_server_info = ldap_context->server_info_list[cnt]; + if (ldap_server_info->server_status != OFF) { + if (ldap_server_info->ldap_server_handles != NULL) { + ldap_server_handle = ldap_server_info->ldap_server_handles; + ldap_server_info->ldap_server_handles = ldap_server_handle->next; + break; #ifdef ASYNC_BIND - if (ldap_server_handle->server_info_update_pending == TRUE) { - krb5_update_server_info(context, ldap_server_handle, - ldap_server_info); - } - - if (ldap_server_info->server_status == ON) { - ldap_server_info->ldap_server_handles = ldap_server_handle->next; - break; - } else - ldap_server_handle = NULL; + if (ldap_server_handle->server_info_update_pending == TRUE) { + krb5_update_server_info(context, ldap_server_handle, + ldap_server_info); + } + + if (ldap_server_info->server_status == ON) { + ldap_server_info->ldap_server_handles = ldap_server_handle->next; + break; + } else + ldap_server_handle = NULL; #endif - } - } - ++cnt; + } + } + ++cnt; } return ldap_server_handle; } @@ -135,14 +134,13 @@ krb5_get_ldap_handle(ldap_context) */ static krb5_ldap_server_handle * -krb5_retry_get_ldap_handle(ldap_context, st) - krb5_ldap_context *ldap_context; - krb5_error_code *st; +krb5_retry_get_ldap_handle(krb5_ldap_context *ldap_context, + krb5_error_code *st) { krb5_ldap_server_handle *ldap_server_handle=NULL; if ((*st=krb5_ldap_db_single_init(ldap_context)) != 0) - return NULL; + return NULL; ldap_server_handle = krb5_get_ldap_handle(ldap_context); return ldap_server_handle; @@ -155,12 +153,11 @@ krb5_retry_get_ldap_handle(ldap_context, st) */ static krb5_error_code -krb5_put_ldap_handle(ldap_server_handle) - krb5_ldap_server_handle *ldap_server_handle; +krb5_put_ldap_handle(krb5_ldap_server_handle *ldap_server_handle) { if (ldap_server_handle == NULL) - return 0; + return 0; ldap_server_handle->next = ldap_server_handle->server_info->ldap_server_handles; ldap_server_handle->server_info->ldap_server_handles = ldap_server_handle; @@ -174,13 +171,12 @@ krb5_put_ldap_handle(ldap_server_handle) */ krb5_error_code -krb5_update_ldap_handle(ldap_server_handle, server_info) - krb5_ldap_server_handle *ldap_server_handle; - krb5_ldap_server_info *server_info; +krb5_update_ldap_handle(krb5_ldap_server_handle *ldap_server_handle, + krb5_ldap_server_info *server_info) { if (ldap_server_handle == NULL || server_info == NULL) - return 0; + return 0; ldap_server_handle->next = server_info->ldap_server_handles; server_info->ldap_server_handles = ldap_server_handle; @@ -195,17 +191,16 @@ krb5_update_ldap_handle(ldap_server_handle, server_info) */ static krb5_error_code -krb5_ldap_cleanup_handles(ldap_server_info) - krb5_ldap_server_info *ldap_server_info; +krb5_ldap_cleanup_handles(krb5_ldap_server_info *ldap_server_info) { krb5_ldap_server_handle *ldap_server_handle = NULL; while (ldap_server_info->ldap_server_handles != NULL) { - ldap_server_handle = ldap_server_info->ldap_server_handles; - ldap_server_info->ldap_server_handles = ldap_server_handle->next; - /* ldap_unbind_s(ldap_server_handle); */ - free (ldap_server_handle); - ldap_server_handle = NULL; + ldap_server_handle = ldap_server_info->ldap_server_handles; + ldap_server_info->ldap_server_handles = ldap_server_handle->next; + /* ldap_unbind_s(ldap_server_handle); */ + free (ldap_server_handle); + ldap_server_handle = NULL; } return 0; } @@ -215,9 +210,9 @@ krb5_ldap_cleanup_handles(ldap_server_info) */ krb5_error_code -krb5_ldap_request_handle_from_pool(ldap_context, ldap_server_handle) - krb5_ldap_context *ldap_context; - krb5_ldap_server_handle **ldap_server_handle; +krb5_ldap_request_handle_from_pool(krb5_ldap_context *ldap_context, + krb5_ldap_server_handle ** + ldap_server_handle) { krb5_error_code st=0; @@ -225,9 +220,9 @@ krb5_ldap_request_handle_from_pool(ldap_context, ldap_server_handle) st = HNDL_LOCK(ldap_context); if (st) - return st; + return st; if (((*ldap_server_handle)=krb5_get_ldap_handle(ldap_context)) == NULL) - (*ldap_server_handle)=krb5_retry_get_ldap_handle(ldap_context, &st); + (*ldap_server_handle)=krb5_retry_get_ldap_handle(ldap_context, &st); HNDL_UNLOCK(ldap_context); return st; } @@ -238,22 +233,22 @@ krb5_ldap_request_handle_from_pool(ldap_context, ldap_server_handle) */ krb5_error_code -krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle) - krb5_ldap_context *ldap_context; - krb5_ldap_server_handle **ldap_server_handle; +krb5_ldap_request_next_handle_from_pool(krb5_ldap_context *ldap_context, + krb5_ldap_server_handle ** + ldap_server_handle) { krb5_error_code st=0; st = HNDL_LOCK(ldap_context); if (st) - return st; + return st; (*ldap_server_handle)->server_info->server_status = OFF; time(&(*ldap_server_handle)->server_info->downtime); krb5_put_ldap_handle(*ldap_server_handle); krb5_ldap_cleanup_handles((*ldap_server_handle)->server_info); if (((*ldap_server_handle)=krb5_get_ldap_handle(ldap_context)) == NULL) - (*ldap_server_handle)=krb5_retry_get_ldap_handle(ldap_context, &st); + (*ldap_server_handle)=krb5_retry_get_ldap_handle(ldap_context, &st); HNDL_UNLOCK(ldap_context); return st; } @@ -263,15 +258,14 @@ krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle) */ void -krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle) - krb5_ldap_context *ldap_context; - krb5_ldap_server_handle *ldap_server_handle; +krb5_ldap_put_handle_to_pool(krb5_ldap_context *ldap_context, + krb5_ldap_server_handle *ldap_server_handle) { if (ldap_server_handle != NULL) { - if (HNDL_LOCK(ldap_context) == 0) { - krb5_put_ldap_handle(ldap_server_handle); - HNDL_UNLOCK(ldap_context); - } + if (HNDL_LOCK(ldap_context) == 0) { + krb5_put_ldap_handle(ldap_server_handle); + HNDL_UNLOCK(ldap_context); + } } return; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.h index c351c1fd7..4f289c84c 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_handle.h * diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c index 5b9fa5ce6..0b5f099f8 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_krbcontainer.c * @@ -43,16 +44,16 @@ void krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *cparams) { if (cparams == NULL) - return; + return; if (cparams->policyreference) - krb5_xfree(cparams->policyreference); + krb5_xfree(cparams->policyreference); if (cparams->parent) - krb5_xfree(cparams->parent); + krb5_xfree(cparams->parent); if (cparams->DN) - krb5_xfree(cparams->DN); + krb5_xfree(cparams->DN); krb5_xfree(cparams); @@ -69,8 +70,8 @@ krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *cparams) */ krb5_error_code -krb5_ldap_read_krbcontainer_params(krb5_context context, - krb5_ldap_krbcontainer_params **cparamp) +krb5_ldap_read_krbcontainer_params(krb5_context context, + krb5_ldap_krbcontainer_params **cparamp) { krb5_error_code st=0, tempst=0; @@ -90,24 +91,24 @@ krb5_ldap_read_krbcontainer_params(krb5_context context, /* read kerberos containter location from [dbmodules] section of krb5.conf file */ if (ldap_context->conf_section) { - if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, ldap_context->conf_section, - "ldap_kerberos_container_dn", NULL, - &cparams->DN)) != 0) { - krb5_set_error_message(context, st, "Error reading kerberos container location " - "from krb5.conf"); - goto cleanup; - } + if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, ldap_context->conf_section, + "ldap_kerberos_container_dn", NULL, + &cparams->DN)) != 0) { + krb5_set_error_message(context, st, "Error reading kerberos container location " + "from krb5.conf"); + goto cleanup; + } } /* read kerberos containter location from [dbdefaults] section of krb5.conf file */ if (cparams->DN == NULL) { - if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, - "ldap_kerberos_container_dn", NULL, - NULL, &cparams->DN)) != 0) { - krb5_set_error_message(context, st, "Error reading kerberos container location " - "from krb5.conf"); - goto cleanup; - } + if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, + "ldap_kerberos_container_dn", NULL, + NULL, &cparams->DN)) != 0) { + krb5_set_error_message(context, st, "Error reading kerberos container location " + "from krb5.conf"); + goto cleanup; + } } #ifndef HAVE_EDIRECTORY @@ -116,26 +117,26 @@ krb5_ldap_read_krbcontainer_params(krb5_context context, * is missing in the conf file. In openldap we will have to return an error. */ if (cparams->DN == NULL) { - st = KRB5_KDB_SERVER_INTERNAL_ERR; - krb5_set_error_message(context, st, "Kerberos container location not specified"); - goto cleanup; + st = KRB5_KDB_SERVER_INTERNAL_ERR; + krb5_set_error_message(context, st, "Kerberos container location not specified"); + goto cleanup; } #endif if (cparams->DN != NULL) { - /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is - * not read - */ - LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS); - if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) { - st = set_ldap_error(context, st, OP_SEARCH); - goto cleanup; - } - - if (st == LDAP_NO_SUCH_OBJECT) { - st = KRB5_KDB_NOENTRY; - goto cleanup; - } + /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is + * not read + */ + LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS); + if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) { + st = set_ldap_error(context, st, OP_SEARCH); + goto cleanup; + } + + if (st == LDAP_NO_SUCH_OBJECT) { + st = KRB5_KDB_NOENTRY; + goto cleanup; + } } #ifdef HAVE_EDIRECTORY @@ -145,58 +146,58 @@ krb5_ldap_read_krbcontainer_params(krb5_context context, * then fall back to the default value */ if ((cparams->DN == NULL) || (st == LDAP_NO_SUCH_OBJECT)) { - /* - * kerberos container can be anywhere. locate it by reading the security - * container to find the location. - */ - LDAP_SEARCH(SECURITY_CONTAINER, LDAP_SCOPE_BASE, NULL, krbcontainerrefattr); - if ((ent = ldap_first_entry(ld, result)) != NULL) { - if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference", - &(cparams->DN), NULL)) != 0) - goto cleanup; - if (cparams->DN == NULL) { - cparams->DN = strdup(KERBEROS_CONTAINER); - CHECK_NULL(cparams->DN); - } - } - ldap_msgfree(result); - - /* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on - * Kerberos Container is not read - */ - LDAP_SEARCH(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute); + /* + * kerberos container can be anywhere. locate it by reading the security + * container to find the location. + */ + LDAP_SEARCH(SECURITY_CONTAINER, LDAP_SCOPE_BASE, NULL, krbcontainerrefattr); + if ((ent = ldap_first_entry(ld, result)) != NULL) { + if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference", + &(cparams->DN), NULL)) != 0) + goto cleanup; + if (cparams->DN == NULL) { + cparams->DN = strdup(KERBEROS_CONTAINER); + CHECK_NULL(cparams->DN); + } + } + ldap_msgfree(result); + + /* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on + * Kerberos Container is not read + */ + LDAP_SEARCH(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute); } #endif if ((ent = ldap_first_entry(ld, result))) { - if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference", - &(cparams->policyreference), NULL)) != 0) - goto cleanup; + if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference", + &(cparams->policyreference), NULL)) != 0) + goto cleanup; } ldap_msgfree(result); if (cparams->policyreference != NULL) { - LDAP_SEARCH_1(cparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS); - if (st != LDAP_SUCCESS && st!= LDAP_NO_SUCH_OBJECT) { - st = set_ldap_error(context, st, OP_SEARCH); - goto cleanup; - } - st = LDAP_SUCCESS; /* reset the return status in case it is LDAP_NO_SUCH_OBJECT */ - - ent=ldap_first_entry(ld, result); - if (ent != NULL) { - krb5_ldap_get_value(ld, ent, "krbmaxtktlife", &(cparams->max_life)); - krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &(cparams->max_renewable_life)); - krb5_ldap_get_value(ld, ent, "krbticketflags", &(cparams->tktflags)); - } - ldap_msgfree(result); + LDAP_SEARCH_1(cparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS); + if (st != LDAP_SUCCESS && st!= LDAP_NO_SUCH_OBJECT) { + st = set_ldap_error(context, st, OP_SEARCH); + goto cleanup; + } + st = LDAP_SUCCESS; /* reset the return status in case it is LDAP_NO_SUCH_OBJECT */ + + ent=ldap_first_entry(ld, result); + if (ent != NULL) { + krb5_ldap_get_value(ld, ent, "krbmaxtktlife", &(cparams->max_life)); + krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &(cparams->max_renewable_life)); + krb5_ldap_get_value(ld, ent, "krbticketflags", &(cparams->tktflags)); + } + ldap_msgfree(result); } *cparamp=cparams; cleanup: if (st != 0) { - krb5_ldap_free_krbcontainer_params(cparams); - *cparamp=NULL; + krb5_ldap_free_krbcontainer_params(cparams); + *cparamp=NULL; } krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.h index f4510d69c..3b89aea3a 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_krbcontainer.h * @@ -31,30 +32,32 @@ #ifndef _LDAP_KRBCONTAINER_H_ #define _LDAP_KRBCONTAINER_H_ 1 -#define MAX_KRB_CONTAINER_LEN 256 +#define MAX_KRB_CONTAINER_LEN 256 /* kerberos container structure */ typedef struct _krb5_ldap_krbcontainer_params { - char *parent; - char *DN; - char *policyreference; - krb5_int32 max_life; - krb5_int32 max_renewable_life; - krb5_int32 tktflags; + char *parent; + char *DN; + char *policyreference; + krb5_int32 max_life; + krb5_int32 max_renewable_life; + krb5_int32 tktflags; } krb5_ldap_krbcontainer_params; void krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *); krb5_error_code -krb5_ldap_read_krbcontainer_params(krb5_context , krb5_ldap_krbcontainer_params **); +krb5_ldap_read_krbcontainer_params(krb5_context, + krb5_ldap_krbcontainer_params **); krb5_error_code -krb5_ldap_create_krbcontainer(krb5_context, const krb5_ldap_krbcontainer_params *); +krb5_ldap_create_krbcontainer(krb5_context, + const krb5_ldap_krbcontainer_params *); krb5_error_code krb5_ldap_delete_krbcontainer(krb5_context, - const krb5_ldap_krbcontainer_params *); + const krb5_ldap_krbcontainer_params *); #endif diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_main.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_main.h index 95a837929..878c6f360 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_main.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_main.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_main.h * diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index a5ab6598a..f549e2393 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_misc.c * @@ -47,26 +48,27 @@ extern char *strptime (const char *, const char *, struct tm *); static krb5_error_code remove_overlapping_subtrees(char **listin, char **listop, int *subtcount, - int sscope); + int sscope); /* Linux (GNU Libc) provides a length-limited variant of strdup. But all the world's not Linux. */ #undef strndup #define strndup my_strndup #ifdef HAVE_LDAP_STR2DN -static char *my_strndup (const char *input, size_t limit) +static char * +my_strndup(const char *input, size_t limit) { size_t len = strlen(input); char *result; if (len > limit) { - result = malloc(1 + limit); - if (result != NULL) { - memcpy(result, input, limit); - result[limit] = 0; - } - return result; + result = malloc(1 + limit); + if (result != NULL) { + memcpy(result, input, limit); + result[limit] = 0; + } + return result; } else - return strdup(input); + return strdup(input); } #endif @@ -74,30 +76,30 @@ static char *my_strndup (const char *input, size_t limit) to the default section, then to hard-coded values. */ static errcode_t prof_get_integer_def(krb5_context ctx, const char *conf_section, - const char *name, int dfl, krb5_ui_4 *out) + const char *name, int dfl, krb5_ui_4 *out) { errcode_t err; int out_temp = 0; err = profile_get_integer (ctx->profile, - KDB_MODULE_SECTION, conf_section, name, - 0, &out_temp); + KDB_MODULE_SECTION, conf_section, name, + 0, &out_temp); if (err) { - krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s", - name, error_message(err)); - return err; + krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s", + name, error_message(err)); + return err; } if (out_temp != 0) { - *out = out_temp; - return 0; + *out = out_temp; + return 0; } err = profile_get_integer (ctx->profile, - KDB_MODULE_DEF_SECTION, name, 0, - dfl, &out_temp); + KDB_MODULE_DEF_SECTION, name, 0, + dfl, &out_temp); if (err) { - krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s", - name, error_message(err)); - return err; + krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s", + name, error_message(err)); + return err; } *out = out_temp; return 0; @@ -107,27 +109,27 @@ prof_get_integer_def(krb5_context ctx, const char *conf_section, bother with the extra argument. */ static errcode_t prof_get_string_def(krb5_context ctx, const char *conf_section, - const char *name, char **out) + const char *name, char **out) { errcode_t err; err = profile_get_string (ctx->profile, - KDB_MODULE_SECTION, conf_section, name, - 0, out); + KDB_MODULE_SECTION, conf_section, name, + 0, out); if (err) { - krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s", - name, error_message(err)); - return err; + krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s", + name, error_message(err)); + return err; } if (*out != 0) - return 0; + return 0; err = profile_get_string (ctx->profile, - KDB_MODULE_DEF_SECTION, name, 0, - 0, out); + KDB_MODULE_DEF_SECTION, name, 0, + 0, out); if (err) { - krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s", - name, error_message(err)); - return err; + krb5_set_error_message (ctx, err, "Error reading '%s' attribute: %s", + name, error_message(err)); + return err; } return 0; } @@ -140,10 +142,8 @@ prof_get_string_def(krb5_context ctx, const char *conf_section, * these are ldap_server .... */ krb5_error_code -krb5_ldap_read_server_params(context, conf_section, srv_type) - krb5_context context; - char *conf_section; - int srv_type; +krb5_ldap_read_server_params(krb5_context context, char *conf_section, + int srv_type) { char *tempval=NULL, *save_ptr=NULL; const char *delims="\t\n\f\v\r ,"; @@ -157,11 +157,11 @@ krb5_ldap_read_server_params(context, conf_section, srv_type) /* copy the conf_section into ldap_context for later use */ if (conf_section) { - ldap_context->conf_section = strdup (conf_section); - if (ldap_context->conf_section == NULL) { - st = ENOMEM; - goto cleanup; - } + ldap_context->conf_section = strdup (conf_section); + if (ldap_context->conf_section == NULL) { + st = ENOMEM; + goto cleanup; + } } /* initialize the mutexs and condition variable */ @@ -169,13 +169,13 @@ krb5_ldap_read_server_params(context, conf_section, srv_type) /* this mutex is used in ldap reconnection pool */ if (k5_mutex_init(&(ldap_context->hndl_lock)) != 0) { - st = KRB5_KDB_SERVER_INTERNAL_ERR; + st = KRB5_KDB_SERVER_INTERNAL_ERR; #if 0 - st = -1; - krb5_ldap_dal_err_funcp(context, krb5_err_have_str, st, - "k5_mutex_init failed"); + st = -1; + krb5_ldap_dal_err_funcp(context, krb5_err_have_str, st, + "k5_mutex_init failed"); #endif - goto cleanup; + goto cleanup; } /* @@ -184,19 +184,19 @@ krb5_ldap_read_server_params(context, conf_section, srv_type) * connections per ldap server. */ if (ldap_context->max_server_conns == 0) { - st = prof_get_integer_def (context, conf_section, - KRB5_CONF_LDAP_CONNS_PER_SERVER, - DEFAULT_CONNS_PER_SERVER, - &ldap_context->max_server_conns); - if (st) - goto cleanup; + st = prof_get_integer_def (context, conf_section, + KRB5_CONF_LDAP_CONNS_PER_SERVER, + DEFAULT_CONNS_PER_SERVER, + &ldap_context->max_server_conns); + if (st) + goto cleanup; } if (ldap_context->max_server_conns < 2) { - st = EINVAL; - krb5_set_error_message (context, st, - "Minimum connections required per server is 2"); - goto cleanup; + st = EINVAL; + krb5_set_error_message (context, st, + "Minimum connections required per server is 2"); + goto cleanup; } /* @@ -206,20 +206,20 @@ krb5_ldap_read_server_params(context, conf_section, srv_type) * server. The srv_type decides which dn to read. */ if (ldap_context->bind_dn == NULL) { - char *name = 0; - if (srv_type == KRB5_KDB_SRV_TYPE_KDC) - name = KRB5_CONF_LDAP_KDC_DN; - else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN) - name = KRB5_CONF_LDAP_KADMIN_DN; - else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD) - name = "ldap_kpasswdd_dn"; - - if (name) { - st = prof_get_string_def (context, conf_section, name, - &ldap_context->bind_dn); - if (st) - goto cleanup; - } + char *name = 0; + if (srv_type == KRB5_KDB_SRV_TYPE_KDC) + name = KRB5_CONF_LDAP_KDC_DN; + else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN) + name = KRB5_CONF_LDAP_KADMIN_DN; + else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD) + name = "ldap_kpasswdd_dn"; + + if (name) { + st = prof_get_string_def (context, conf_section, name, + &ldap_context->bind_dn); + if (st) + goto cleanup; + } } /* @@ -228,11 +228,11 @@ krb5_ldap_read_server_params(context, conf_section, srv_type) * the KDC, ADMIN and PASSWD dns. */ if (ldap_context->service_password_file == NULL) { - st = prof_get_string_def (context, conf_section, - KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE, - &ldap_context->service_password_file); - if (st) - goto cleanup; + st = prof_get_string_def (context, conf_section, + KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE, + &ldap_context->service_password_file); + if (st) + goto cleanup; } #ifdef HAVE_EDIRECTORY @@ -242,11 +242,11 @@ krb5_ldap_read_server_params(context, conf_section, srv_type) * certificate of the Directory. */ if (ldap_context->root_certificate_file == NULL) { - st = prof_get_string_def (context, conf_section, - KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE, - &ldap_context->root_certificate_file); - if (st) - goto cleanup; + st = prof_get_string_def (context, conf_section, + KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE, + &ldap_context->root_certificate_file); + if (st) + goto cleanup; } #endif @@ -256,57 +256,57 @@ krb5_ldap_read_server_params(context, conf_section, srv_type) */ if (ldap_context->server_info_list == NULL) { - unsigned int ele=0; - - server_info = &(ldap_context->server_info_list); - *server_info = (krb5_ldap_server_info **) calloc (SERV_COUNT+1, - sizeof (krb5_ldap_server_info *)); - - if (*server_info == NULL) { - st = ENOMEM; - goto cleanup; - } - - if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, - KRB5_CONF_LDAP_SERVERS, NULL, &tempval)) != 0) { - krb5_set_error_message (context, st, "Error reading 'ldap_servers' attribute"); - goto cleanup; - } - - if (tempval == NULL) { - - (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1, - sizeof(krb5_ldap_server_info)); - - (*server_info)[ele]->server_name = strdup("ldapi://"); - if ((*server_info)[ele]->server_name == NULL) { - st = ENOMEM; - goto cleanup; - } - (*server_info)[ele]->server_status = NOTSET; - } else { - char *item=NULL; - - item = strtok_r(tempval,delims,&save_ptr); - while (item != NULL && eleserver_name = strdup(item); - if ((*server_info)[ele]->server_name == NULL) { - st = ENOMEM; - goto cleanup; - } - - (*server_info)[ele]->server_status = NOTSET; - item = strtok_r(NULL,delims,&save_ptr); - ++ele; - } - profile_release_string(tempval); - } + unsigned int ele=0; + + server_info = &(ldap_context->server_info_list); + *server_info = (krb5_ldap_server_info **) calloc (SERV_COUNT+1, + sizeof (krb5_ldap_server_info *)); + + if (*server_info == NULL) { + st = ENOMEM; + goto cleanup; + } + + if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section, + KRB5_CONF_LDAP_SERVERS, NULL, &tempval)) != 0) { + krb5_set_error_message (context, st, "Error reading 'ldap_servers' attribute"); + goto cleanup; + } + + if (tempval == NULL) { + + (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1, + sizeof(krb5_ldap_server_info)); + + (*server_info)[ele]->server_name = strdup("ldapi://"); + if ((*server_info)[ele]->server_name == NULL) { + st = ENOMEM; + goto cleanup; + } + (*server_info)[ele]->server_status = NOTSET; + } else { + char *item=NULL; + + item = strtok_r(tempval,delims,&save_ptr); + while (item != NULL && eleserver_name = strdup(item); + if ((*server_info)[ele]->server_name == NULL) { + st = ENOMEM; + goto cleanup; + } + + (*server_info)[ele]->server_status = NOTSET; + item = strtok_r(NULL,delims,&save_ptr); + ++ele; + } + profile_release_string(tempval); + } } cleanup: @@ -318,97 +318,95 @@ cleanup: */ krb5_error_code -krb5_ldap_free_server_context_params(ldap_context) - krb5_ldap_context *ldap_context; +krb5_ldap_free_server_context_params(krb5_ldap_context *ldap_context) { int i=0; krb5_ldap_server_handle *ldap_server_handle=NULL, *next_ldap_server_handle=NULL; if (ldap_context == NULL) - return 0; + return 0; /* Free all ldap servers list and the ldap handles associated with the ldap server. */ if (ldap_context->server_info_list) { - while (ldap_context->server_info_list[i]) { - if (ldap_context->server_info_list[i]->server_name) { - free (ldap_context->server_info_list[i]->server_name); - } + while (ldap_context->server_info_list[i]) { + if (ldap_context->server_info_list[i]->server_name) { + free (ldap_context->server_info_list[i]->server_name); + } #ifdef HAVE_EDIRECTORY - if (ldap_context->server_info_list[i]->root_certificate_file) { - free (ldap_context->server_info_list[i]->root_certificate_file); - } + if (ldap_context->server_info_list[i]->root_certificate_file) { + free (ldap_context->server_info_list[i]->root_certificate_file); + } #endif - if (ldap_context->server_info_list[i]->ldap_server_handles) { - ldap_server_handle = ldap_context->server_info_list[i]->ldap_server_handles; - while (ldap_server_handle) { - ldap_unbind_ext_s(ldap_server_handle->ldap_handle, NULL, NULL); - ldap_server_handle->ldap_handle = NULL; - next_ldap_server_handle = ldap_server_handle->next; - krb5_xfree(ldap_server_handle); - ldap_server_handle = next_ldap_server_handle; - } - } - krb5_xfree(ldap_context->server_info_list[i]); - i++; - } - krb5_xfree(ldap_context->server_info_list); + if (ldap_context->server_info_list[i]->ldap_server_handles) { + ldap_server_handle = ldap_context->server_info_list[i]->ldap_server_handles; + while (ldap_server_handle) { + ldap_unbind_ext_s(ldap_server_handle->ldap_handle, NULL, NULL); + ldap_server_handle->ldap_handle = NULL; + next_ldap_server_handle = ldap_server_handle->next; + krb5_xfree(ldap_server_handle); + ldap_server_handle = next_ldap_server_handle; + } + } + krb5_xfree(ldap_context->server_info_list[i]); + i++; + } + krb5_xfree(ldap_context->server_info_list); } if (ldap_context->conf_section != NULL) { - krb5_xfree(ldap_context->conf_section); - ldap_context->conf_section = NULL; + krb5_xfree(ldap_context->conf_section); + ldap_context->conf_section = NULL; } if (ldap_context->bind_dn != NULL) { - krb5_xfree(ldap_context->bind_dn); - ldap_context->bind_dn = NULL; + krb5_xfree(ldap_context->bind_dn); + ldap_context->bind_dn = NULL; } if (ldap_context->bind_pwd != NULL) { - memset(ldap_context->bind_pwd, 0, strlen(ldap_context->bind_pwd)); - krb5_xfree(ldap_context->bind_pwd); - ldap_context->bind_pwd = NULL; + memset(ldap_context->bind_pwd, 0, strlen(ldap_context->bind_pwd)); + krb5_xfree(ldap_context->bind_pwd); + ldap_context->bind_pwd = NULL; } if (ldap_context->service_password_file != NULL) { - krb5_xfree(ldap_context->service_password_file); - ldap_context->service_password_file = NULL; + krb5_xfree(ldap_context->service_password_file); + ldap_context->service_password_file = NULL; } #ifdef HAVE_EDIRECTORY if (ldap_context->root_certificate_file != NULL) { - krb5_xfree(ldap_context->root_certificate_file); - ldap_context->root_certificate_file = NULL; + krb5_xfree(ldap_context->root_certificate_file); + ldap_context->root_certificate_file = NULL; } #endif if (ldap_context->service_cert_path != NULL) { - krb5_xfree(ldap_context->service_cert_path); - ldap_context->service_cert_path = NULL; + krb5_xfree(ldap_context->service_cert_path); + ldap_context->service_cert_path = NULL; } if (ldap_context->service_cert_pass != NULL) { - krb5_xfree(ldap_context->service_cert_pass); - ldap_context->service_cert_pass = NULL; + krb5_xfree(ldap_context->service_cert_pass); + ldap_context->service_cert_pass = NULL; } if (ldap_context->certificates) { - i=0; - while (ldap_context->certificates[i] != NULL) { - krb5_xfree(ldap_context->certificates[i]->certificate); - krb5_xfree(ldap_context->certificates[i]); - ++i; - } - krb5_xfree(ldap_context->certificates); + i=0; + while (ldap_context->certificates[i] != NULL) { + krb5_xfree(ldap_context->certificates[i]->certificate); + krb5_xfree(ldap_context->certificates[i]); + ++i; + } + krb5_xfree(ldap_context->certificates); } return(0); } krb5_error_code -krb5_ldap_free_server_params(ldap_context) - krb5_ldap_context *ldap_context; +krb5_ldap_free_server_params(krb5_ldap_context *ldap_context) { if (ldap_context == NULL) return 0; @@ -429,9 +427,8 @@ krb5_ldap_free_server_params(ldap_context) */ krb5_error_code -is_principal_in_realm(ldap_context, searchfor) - krb5_ldap_context *ldap_context; - krb5_const_principal searchfor; +is_principal_in_realm(krb5_ldap_context *ldap_context, + krb5_const_principal searchfor) { size_t defrealmlen=0; char *defrealm=NULL; @@ -450,20 +447,20 @@ is_principal_in_realm(ldap_context, searchfor) * "krbtgt". All this check is done in the immediate block. */ if (searchfor->length == 2) - if ((strncasecmp(searchfor->data[0].data, "krbtgt", - FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) && - (strncasecmp(searchfor->data[1].data, defrealm, - FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0)) - return 0; + if ((strncasecmp(searchfor->data[0].data, "krbtgt", + FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) && + (strncasecmp(searchfor->data[1].data, defrealm, + FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0)) + return 0; /* first check the length, if they are not equal, then they are not same */ if (strlen(defrealm) != searchfor->realm.length) - return 1; + return 1; /* if the length is equal, check for the contents */ if (strncmp(defrealm, searchfor->realm.data, - searchfor->realm.length) != 0) - return 1; + searchfor->realm.length) != 0) + return 1; /* if we are here, then the realm portions match, return 0 */ return 0; } @@ -490,17 +487,15 @@ is_principal_in_realm(ldap_context, searchfor) * it is the subtree information associated with the realm. */ krb5_error_code -krb5_get_subtree_info(ldap_context, subtreearr, ntree) - krb5_ldap_context *ldap_context; - char ***subtreearr; - unsigned int *ntree; +krb5_get_subtree_info(krb5_ldap_context *ldap_context, char ***subtreearr, + unsigned int *ntree) { int st=0, i=0, subtreecount=0; - int ncount=0, search_scope=0; + int ncount=0, search_scope=0; char **subtree=NULL, *realm_cont_dn=NULL; char **subtarr=NULL; char *containerref=NULL; - char **newsubtree=NULL; + char **newsubtree=NULL; containerref = ldap_context->lrparams->containerref; subtree = ldap_context->lrparams->subtree; @@ -510,32 +505,32 @@ krb5_get_subtree_info(ldap_context, subtreearr, ntree) subtarr = (char **) malloc(sizeof(char *) * (subtreecount + 1 /*realm dn*/ + 1 /*containerref*/ + 1)); if (subtarr == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } memset(subtarr, 0, (sizeof(char *) * (subtreecount+1+1+1))); /* get the complete subtree list */ for (i=0; itl_data_length; - tl_data->tl_data_length += 1 + 2 + 2; - /* allocate required memory */ - reallocptr = tl_data->tl_data_contents; - tl_data->tl_data_contents = realloc(tl_data->tl_data_contents, - tl_data->tl_data_length); - if (tl_data->tl_data_contents == NULL) { - if (reallocptr) - free (reallocptr); - return ENOMEM; - } - curr = (tl_data->tl_data_contents + currlen); - - /* store the tl_type value */ - memset(curr, tl_type, 1); - curr += 1; - /* store the content length */ - tldatalen = 2; - STORE16_INT(curr, tldatalen); - curr += 2; - /* store the content */ - STORE16_INT(curr, ivalue); - curr += 2; - break; + int *iptr = (int *)value; + int ivalue = *iptr; + + currlen = tl_data->tl_data_length; + tl_data->tl_data_length += 1 + 2 + 2; + /* allocate required memory */ + reallocptr = tl_data->tl_data_contents; + tl_data->tl_data_contents = realloc(tl_data->tl_data_contents, + tl_data->tl_data_length); + if (tl_data->tl_data_contents == NULL) { + if (reallocptr) + free (reallocptr); + return ENOMEM; + } + curr = (tl_data->tl_data_contents + currlen); + + /* store the tl_type value */ + memset(curr, tl_type, 1); + curr += 1; + /* store the content length */ + tldatalen = 2; + STORE16_INT(curr, tldatalen); + curr += 2; + /* store the content */ + STORE16_INT(curr, ivalue); + curr += 2; + break; } case KDB_TL_USERDN: case KDB_TL_LINKDN: { - char *cptr = (char *)value; - - currlen = tl_data->tl_data_length; - tl_data->tl_data_length += 1 + 2 + strlen(cptr); - /* allocate required memory */ - reallocptr = tl_data->tl_data_contents; - tl_data->tl_data_contents = realloc(tl_data->tl_data_contents, - tl_data->tl_data_length); - if (tl_data->tl_data_contents == NULL) { - if (reallocptr) - free (reallocptr); - return ENOMEM; - } - curr = (tl_data->tl_data_contents + currlen); - - /* store the tl_type value */ - memset(curr, tl_type, 1); - curr += 1; - /* store the content length */ - tldatalen = strlen(cptr); - STORE16_INT(curr, tldatalen); - curr += 2; - /* store the content */ - memcpy(curr, cptr, tldatalen); - curr += tldatalen; - break; + char *cptr = (char *)value; + + currlen = tl_data->tl_data_length; + tl_data->tl_data_length += 1 + 2 + strlen(cptr); + /* allocate required memory */ + reallocptr = tl_data->tl_data_contents; + tl_data->tl_data_contents = realloc(tl_data->tl_data_contents, + tl_data->tl_data_length); + if (tl_data->tl_data_contents == NULL) { + if (reallocptr) + free (reallocptr); + return ENOMEM; + } + curr = (tl_data->tl_data_contents + currlen); + + /* store the tl_type value */ + memset(curr, tl_type, 1); + curr += 1; + /* store the content length */ + tldatalen = strlen(cptr); + STORE16_INT(curr, tldatalen); + curr += 2; + /* store the content */ + memcpy(curr, cptr, tldatalen); + curr += tldatalen; + break; } default: - return 1; + return 1; } return 0; @@ -671,10 +663,7 @@ store_tl_data(tl_data, tl_type, value) */ krb5_error_code -decode_tl_data(tl_data, tl_type, data) - krb5_tl_data *tl_data; - int tl_type; - void **data; +decode_tl_data(krb5_tl_data *tl_data, int tl_type, void **data) { int subtype=0, i=0, limit=10; unsigned int sublen=0; @@ -689,93 +678,93 @@ decode_tl_data(tl_data, tl_type, data) curr = tl_data->tl_data_contents; while (curr < (tl_data->tl_data_contents + tl_data->tl_data_length)) { - /* get the type of the content */ - subtype = (int) curr[0]; - /* forward by 1 byte*/ - curr += 1; - - if (subtype == tl_type) { - switch (subtype) { - - case KDB_TL_PRINCCOUNT: - case KDB_TL_PRINCTYPE: - case KDB_TL_MASK: - /* get the length of the content */ - UNSTORE16_INT(curr, sublen); - /* forward by 2 bytes */ - curr += 2; - /* get the actual content */ - if (sublen == 2) { - /* intptr = malloc(sublen); */ - intptr = malloc(sizeof(krb5_int32)); - if (intptr == NULL) - return ENOMEM; - memset(intptr, 0, sublen); - UNSTORE16_INT(curr, (*intptr)); - *data = intptr; - } else { - longptr = malloc(sublen); - if (longptr == NULL) - return ENOMEM; - memset(longptr, 0, sublen); - UNSTORE32_INT(curr, (*longptr)); - *data = longptr; - } - curr += sublen; - st = 0; - return st; - break; - - case KDB_TL_CONTAINERDN: - case KDB_TL_USERDN: - /* get the length of the content */ - UNSTORE16_INT(curr, sublen); - /* forward by 2 bytes */ - curr += 2; - DN = malloc (sublen + 1); - if (DN == NULL) - return ENOMEM; - memcpy(DN, curr, sublen); - DN[sublen] = 0; - *data = DN; - curr += sublen; - st = 0; - return st; - break; - - case KDB_TL_LINKDN: - if (DNarr == NULL) { - DNarr = calloc(limit, sizeof(char *)); - if (DNarr == NULL) - return ENOMEM; - } - if (i == limit-1) { - limit *= 2; - DNarr = realloc(DNarr, sizeof(char *) * (limit)); - if (DNarr == NULL) - return ENOMEM; - } - - /* get the length of the content */ - UNSTORE16_INT(curr, sublen); - /* forward by 2 bytes */ - curr += 2; - DNarr[i] = malloc (sublen + 1); - if (DNarr[i] == NULL) - return ENOMEM; - memcpy(DNarr[i], curr, sublen); - DNarr[i][sublen] = 0; - ++i; - curr += sublen; - *data = DNarr; - st=0; - break; - } - } else { - /* move to the current content block */ - UNSTORE16_INT(curr, sublen); - curr += 2 + sublen; - } + /* get the type of the content */ + subtype = (int) curr[0]; + /* forward by 1 byte*/ + curr += 1; + + if (subtype == tl_type) { + switch (subtype) { + + case KDB_TL_PRINCCOUNT: + case KDB_TL_PRINCTYPE: + case KDB_TL_MASK: + /* get the length of the content */ + UNSTORE16_INT(curr, sublen); + /* forward by 2 bytes */ + curr += 2; + /* get the actual content */ + if (sublen == 2) { + /* intptr = malloc(sublen); */ + intptr = malloc(sizeof(krb5_int32)); + if (intptr == NULL) + return ENOMEM; + memset(intptr, 0, sublen); + UNSTORE16_INT(curr, (*intptr)); + *data = intptr; + } else { + longptr = malloc(sublen); + if (longptr == NULL) + return ENOMEM; + memset(longptr, 0, sublen); + UNSTORE32_INT(curr, (*longptr)); + *data = longptr; + } + curr += sublen; + st = 0; + return st; + break; + + case KDB_TL_CONTAINERDN: + case KDB_TL_USERDN: + /* get the length of the content */ + UNSTORE16_INT(curr, sublen); + /* forward by 2 bytes */ + curr += 2; + DN = malloc (sublen + 1); + if (DN == NULL) + return ENOMEM; + memcpy(DN, curr, sublen); + DN[sublen] = 0; + *data = DN; + curr += sublen; + st = 0; + return st; + break; + + case KDB_TL_LINKDN: + if (DNarr == NULL) { + DNarr = calloc(limit, sizeof(char *)); + if (DNarr == NULL) + return ENOMEM; + } + if (i == limit-1) { + limit *= 2; + DNarr = realloc(DNarr, sizeof(char *) * (limit)); + if (DNarr == NULL) + return ENOMEM; + } + + /* get the length of the content */ + UNSTORE16_INT(curr, sublen); + /* forward by 2 bytes */ + curr += 2; + DNarr[i] = malloc (sublen + 1); + if (DNarr[i] == NULL) + return ENOMEM; + memcpy(DNarr[i], curr, sublen); + DNarr[i][sublen] = 0; + ++i; + curr += sublen; + *data = DNarr; + st=0; + break; + } + } else { + /* move to the current content block */ + UNSTORE16_INT(curr, sublen); + curr += 2 + sublen; + } } return st; } @@ -784,11 +773,8 @@ decode_tl_data(tl_data, tl_type, data) * wrapper routines for decode_tl_data */ static krb5_error_code -krb5_get_int_from_tl_data(context, entries, type, intval) - krb5_context context; - krb5_db_entry *entries; - int type; - int *intval; +krb5_get_int_from_tl_data(krb5_context context, krb5_db_entry *entries, + int type, int *intval) { krb5_error_code st=0; krb5_tl_data tl_data; @@ -797,12 +783,12 @@ krb5_get_int_from_tl_data(context, entries, type, intval) tl_data.tl_data_type = KDB_TL_USER_INFO; if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0) - goto cleanup; + goto cleanup; if (decode_tl_data(&tl_data, type, &voidptr) == 0) { - intptr = (int *) voidptr; - *intval = *intptr; - free(intptr); + intptr = (int *) voidptr; + *intval = *intptr; + free(intptr); } cleanup: @@ -814,37 +800,26 @@ cleanup: * object (user, policy ...). */ krb5_error_code -krb5_get_attributes_mask(context, entries, mask) - krb5_context context; - krb5_db_entry *entries; - int *mask; +krb5_get_attributes_mask(krb5_context context, krb5_db_entry *entries, + int *mask) { return krb5_get_int_from_tl_data(context, entries, KDB_TL_MASK, mask); } krb5_error_code -krb5_get_princ_type(context, entries, ptype) - krb5_context context; - krb5_db_entry *entries; - int *ptype; +krb5_get_princ_type(krb5_context context, krb5_db_entry *entries, int *ptype) { return krb5_get_int_from_tl_data(context, entries, KDB_TL_PRINCTYPE, ptype); } krb5_error_code -krb5_get_princ_count(context, entries, pcount) - krb5_context context; - krb5_db_entry *entries; - int *pcount; +krb5_get_princ_count(krb5_context context, krb5_db_entry *entries, int *pcount) { return krb5_get_int_from_tl_data(context, entries, KDB_TL_PRINCCOUNT, pcount); } krb5_error_code -krb5_get_linkdn(context, entries, link_dn) - krb5_context context; - krb5_db_entry *entries; - char ***link_dn; +krb5_get_linkdn(krb5_context context, krb5_db_entry *entries, char ***link_dn) { krb5_error_code st=0; krb5_tl_data tl_data; @@ -853,10 +828,10 @@ krb5_get_linkdn(context, entries, link_dn) *link_dn = NULL; tl_data.tl_data_type = KDB_TL_USER_INFO; if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0) - goto cleanup; + goto cleanup; if (decode_tl_data(&tl_data, KDB_TL_LINKDN, &voidptr) == 0) { - *link_dn = (char **) voidptr; + *link_dn = (char **) voidptr; } cleanup: @@ -864,27 +839,24 @@ cleanup: } static krb5_error_code -krb5_get_str_from_tl_data(context, entries, type, strval) - krb5_context context; - krb5_db_entry *entries; - int type; - char **strval; +krb5_get_str_from_tl_data(krb5_context context, krb5_db_entry *entries, + int type, char **strval) { krb5_error_code st=0; krb5_tl_data tl_data; void *voidptr=NULL; if (type != KDB_TL_USERDN && type != KDB_TL_CONTAINERDN) { - st = EINVAL; - goto cleanup; + st = EINVAL; + goto cleanup; } tl_data.tl_data_type = KDB_TL_USER_INFO; if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0) - goto cleanup; + goto cleanup; if (decode_tl_data(&tl_data, type, &voidptr) == 0) { - *strval = (char *) voidptr; + *strval = (char *) voidptr; } cleanup: @@ -892,20 +864,15 @@ cleanup: } krb5_error_code -krb5_get_userdn(context, entries, userdn) - krb5_context context; - krb5_db_entry *entries; - char **userdn; +krb5_get_userdn(krb5_context context, krb5_db_entry *entries, char **userdn) { *userdn = NULL; return krb5_get_str_from_tl_data(context, entries, KDB_TL_USERDN, userdn); } krb5_error_code -krb5_get_containerdn(context, entries, containerdn) - krb5_context context; - krb5_db_entry *entries; - char **containerdn; +krb5_get_containerdn(krb5_context context, krb5_db_entry *entries, + char **containerdn) { *containerdn = NULL; return krb5_get_str_from_tl_data(context, entries, KDB_TL_CONTAINERDN, containerdn); @@ -927,38 +894,34 @@ krb5_get_containerdn(context, entries, containerdn) */ krb5_error_code -checkattributevalue (ld, dn, attribute, attrvalues, mask) - LDAP *ld; - char *dn; - char *attribute; - char **attrvalues; - int *mask; +checkattributevalue(LDAP *ld, char *dn, char *attribute, char **attrvalues, + int *mask) { int st=0, one=1; char **values=NULL, *attributes[2] = {NULL}; LDAPMessage *result=NULL, *entry=NULL; if (strlen(dn) == 0) { - st = set_ldap_error(0, LDAP_NO_SUCH_OBJECT, OP_SEARCH); - return st; + st = set_ldap_error(0, LDAP_NO_SUCH_OBJECT, OP_SEARCH); + return st; } attributes[0] = attribute; /* read the attribute values from the dn */ if ((st = ldap_search_ext_s(ld, - dn, - LDAP_SCOPE_BASE, - 0, - attributes, - 0, - NULL, - NULL, - &timelimit, - LDAP_NO_LIMIT, - &result)) != LDAP_SUCCESS) { - st = set_ldap_error(0, st, OP_SEARCH); - return st; + dn, + LDAP_SCOPE_BASE, + 0, + attributes, + 0, + NULL, + NULL, + &timelimit, + LDAP_NO_LIMIT, + &result)) != LDAP_SUCCESS) { + st = set_ldap_error(0, st, OP_SEARCH); + return st; } /* @@ -966,30 +929,30 @@ checkattributevalue (ld, dn, attribute, attrvalues, mask) * existence of the object alone. */ if (attribute == NULL || attrvalues == NULL) - goto cleanup; + goto cleanup; /* reset the bit mask */ *mask = 0; if ((entry=ldap_first_entry(ld, result)) != NULL) { - /* read the attribute values */ - if ((values=ldap_get_values(ld, entry, attribute)) != NULL) { - int i,j; - - /* - * Compare the read attribute values with the attrvalues - * array and set the appropriate bit mask. - */ - for (j=0; attrvalues[j]; ++j) { - for (i=0; values[i]; ++i) { - if (strcasecmp(values[i], attrvalues[j]) == 0) { - *mask |= (one<mod_type = strdup(attribute); if ((*mods)[i]->mod_type == NULL) - return ENOMEM; + return ENOMEM; (*mods)[i]->mod_op = op; (*mods)[i]->mod_values = NULL; if (values != NULL) { - for (j=0; values[j] != NULL; ++j) - ; - (*mods)[i]->mod_values = malloc (sizeof(char *) * (j+1)); - if ((*mods)[i]->mod_values == NULL) - return ENOMEM; - - for (j=0; values[j] != NULL; ++j) { - (*mods)[i]->mod_values[j] = strdup(values[j]); - if ((*mods)[i]->mod_values[j] == NULL) - return ENOMEM; - } - (*mods)[i]->mod_values[j] = NULL; + for (j=0; values[j] != NULL; ++j) + ; + (*mods)[i]->mod_values = malloc (sizeof(char *) * (j+1)); + if ((*mods)[i]->mod_values == NULL) + return ENOMEM; + + for (j=0; values[j] != NULL; ++j) { + (*mods)[i]->mod_values[j] = strdup(values[j]); + if ((*mods)[i]->mod_values[j] == NULL) + return ENOMEM; + } + (*mods)[i]->mod_values[j] = NULL; } return 0; } krb5_error_code -krb5_add_ber_mem_ldap_mod(mods, attribute, op, ber_values) - LDAPMod ***mods; - char *attribute; - int op; - struct berval **ber_values; - +krb5_add_ber_mem_ldap_mod(LDAPMod ***mods, char *attribute, int op, + struct berval **ber_values) { int i=0, j=0; krb5_error_code st=0; if ((st=krb5_add_member(mods, &i)) != 0) - return st; + return st; (*mods)[i]->mod_type = strdup(attribute); if ((*mods)[i]->mod_type == NULL) - return ENOMEM; + return ENOMEM; (*mods)[i]->mod_op = op; for (j=0; ber_values[j] != NULL; ++j) - ; + ; (*mods)[i]->mod_bvalues = malloc (sizeof(struct berval *) * (j+1)); if ((*mods)[i]->mod_bvalues == NULL) - return ENOMEM; + return ENOMEM; for (j=0; ber_values[j] != NULL; ++j) { - (*mods)[i]->mod_bvalues[j] = calloc(1, sizeof(struct berval)); - if ((*mods)[i]->mod_bvalues[j] == NULL) - return ENOMEM; + (*mods)[i]->mod_bvalues[j] = calloc(1, sizeof(struct berval)); + if ((*mods)[i]->mod_bvalues[j] == NULL) + return ENOMEM; - (*mods)[i]->mod_bvalues[j]->bv_len = ber_values[j]->bv_len; - (*mods)[i]->mod_bvalues[j]->bv_val = malloc((*mods)[i]->mod_bvalues[j]->bv_len); - if ((*mods)[i]->mod_bvalues[j]->bv_val == NULL) - return ENOMEM; + (*mods)[i]->mod_bvalues[j]->bv_len = ber_values[j]->bv_len; + (*mods)[i]->mod_bvalues[j]->bv_val = malloc((*mods)[i]->mod_bvalues[j]->bv_len); + if ((*mods)[i]->mod_bvalues[j]->bv_val == NULL) + return ENOMEM; - memcpy((*mods)[i]->mod_bvalues[j]->bv_val, ber_values[j]->bv_val, - ber_values[j]->bv_len); + memcpy((*mods)[i]->mod_bvalues[j]->bv_val, ber_values[j]->bv_val, + ber_values[j]->bv_len); } (*mods)[i]->mod_bvalues[j] = NULL; return 0; @@ -1504,59 +1426,50 @@ format_d (int val) } krb5_error_code -krb5_add_int_arr_mem_ldap_mod(mods, attribute, op, value) - LDAPMod ***mods; - char *attribute; - int op; - int *value; - +krb5_add_int_arr_mem_ldap_mod(LDAPMod ***mods, char *attribute, int op, + int *value) { int i=0, j=0; krb5_error_code st=0; if ((st=krb5_add_member(mods, &i)) != 0) - return st; + return st; (*mods)[i]->mod_type = strdup(attribute); if ((*mods)[i]->mod_type == NULL) - return ENOMEM; + return ENOMEM; (*mods)[i]->mod_op = op; for (j=0; value[j] != -1; ++j) - ; + ; (*mods)[i]->mod_values = malloc(sizeof(char *) * (j+1)); for (j=0; value[j] != -1; ++j) { - if (((*mods)[i]->mod_values[j] = format_d(value[j])) == NULL) - return ENOMEM; + if (((*mods)[i]->mod_values[j] = format_d(value[j])) == NULL) + return ENOMEM; } (*mods)[i]->mod_values[j] = NULL; return 0; } krb5_error_code -krb5_add_int_mem_ldap_mod(mods, attribute, op, value) - LDAPMod ***mods; - char *attribute; - int op; - int value; - +krb5_add_int_mem_ldap_mod(LDAPMod ***mods, char *attribute, int op, int value) { int i=0; krb5_error_code st=0; if ((st=krb5_add_member(mods, &i)) != 0) - return st; + return st; (*mods)[i]->mod_type = strdup(attribute); if ((*mods)[i]->mod_type == NULL) - return ENOMEM; + return ENOMEM; (*mods)[i]->mod_op = op; (*mods)[i]->mod_values = calloc (2, sizeof(char *)); if (((*mods)[i]->mod_values[0] = format_d(value)) == NULL) - return ENOMEM; + return ENOMEM; return 0; } @@ -1621,11 +1534,11 @@ krb5_ldap_release_errcode_string(krb5_context kcontext, const char *msg) * are a limited number of LDAP handles. */ krb5_error_code -krb5_ldap_get_reference_count (krb5_context context, char *dn, char *refattr, - int *count, LDAP *ld) +krb5_ldap_get_reference_count(krb5_context context, char *dn, char *refattr, + int *count, LDAP *ld) { int st = 0, tempst = 0, gothandle = 0; - unsigned int i, ntrees; + unsigned int i, ntrees; char *refcntattr[2]; char *filter = NULL; char **subtree = NULL, *ptr = NULL; @@ -1636,14 +1549,14 @@ krb5_ldap_get_reference_count (krb5_context context, char *dn, char *refattr, if (dn == NULL || refattr == NULL) { - st = EINVAL; - goto cleanup; + st = EINVAL; + goto cleanup; } SETUP_CONTEXT(); if (ld == NULL) { - GET_HANDLE(); - gothandle = 1; + GET_HANDLE(); + gothandle = 1; } refcntattr [0] = refattr; @@ -1651,60 +1564,60 @@ krb5_ldap_get_reference_count (krb5_context context, char *dn, char *refattr, ptr = ldap_filter_correct (dn); if (ptr == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } if (asprintf (&filter, "%s=%s", refattr, ptr) < 0) { - filter = NULL; - st = ENOMEM; - goto cleanup; + filter = NULL; + st = ENOMEM; + goto cleanup; } if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0) - goto cleanup; + goto cleanup; for (i = 0, *count = 0; i < ntrees; i++) { - int n; - - LDAP_SEARCH(subtree[i], - LDAP_SCOPE_SUBTREE, - filter, - refcntattr); - n = ldap_count_entries (ld, result); - if (n == -1) { - int ret, errcode = 0; - ret = ldap_parse_result (ld, result, &errcode, NULL, NULL, NULL, NULL, 0); - if (ret != LDAP_SUCCESS) - errcode = ret; - st = translate_ldap_error (errcode, OP_SEARCH); - goto cleanup; - } + int n; + + LDAP_SEARCH(subtree[i], + LDAP_SCOPE_SUBTREE, + filter, + refcntattr); + n = ldap_count_entries (ld, result); + if (n == -1) { + int ret, errcode = 0; + ret = ldap_parse_result (ld, result, &errcode, NULL, NULL, NULL, NULL, 0); + if (ret != LDAP_SUCCESS) + errcode = ret; + st = translate_ldap_error (errcode, OP_SEARCH); + goto cleanup; + } - ldap_msgfree(result); - result = NULL; + ldap_msgfree(result); + result = NULL; - *count += n; + *count += n; } cleanup: if (filter != NULL) - free (filter); + free (filter); if (result != NULL) - ldap_msgfree (result); + ldap_msgfree (result); if (subtree != NULL) { - for (i = 0; i < ntrees; i++) - free (subtree[i]); - free (subtree); + for (i = 0; i < ntrees; i++) + free (subtree[i]); + free (subtree); } if (ptr != NULL) - free (ptr); + free (ptr); if (gothandle == 1) - krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); + krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; } @@ -1713,10 +1626,8 @@ cleanup: * For now, policy objects are expected to be directly under the realm * container. */ -krb5_error_code krb5_ldap_policydn_to_name (context, policy_dn, name) - krb5_context context; - char *policy_dn; - char **name; +krb5_error_code +krb5_ldap_policydn_to_name(krb5_context context, char *policy_dn, char **name) { int len1, len2; krb5_error_code st = 0; @@ -1726,59 +1637,59 @@ krb5_error_code krb5_ldap_policydn_to_name (context, policy_dn, name) SETUP_CONTEXT(); if (ldap_context->lrparams->realmdn == NULL) { - st = EINVAL; - goto cleanup; + st = EINVAL; + goto cleanup; } len1 = strlen (ldap_context->lrparams->realmdn); len2 = strlen (policy_dn); if (len1 == 0 || len2 == 0 || len1 > len2) { - st = EINVAL; - goto cleanup; + st = EINVAL; + goto cleanup; } if (strcmp (ldap_context->lrparams->realmdn, policy_dn + (len2 - len1)) != 0) { - st = EINVAL; - goto cleanup; + st = EINVAL; + goto cleanup; } #if defined HAVE_LDAP_STR2DN { - char *rdn; - LDAPDN dn; - rdn = strndup(policy_dn, len2 - len1 - 1); /* 1 character for ',' */ - - if (ldap_str2dn (rdn, &dn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PEDANTIC) != 0) { - st = EINVAL; - goto cleanup; - } - if (dn[0] == NULL || dn[1] != NULL) - st = EINVAL; - else if (strcasecmp (dn[0][0]->la_attr.bv_val, "cn") != 0) - st = EINVAL; - else { - *name = strndup(dn[0][0]->la_value.bv_val, dn[0][0]->la_value.bv_len); - if (*name == NULL) - st = EINVAL; - } - - ldap_memfree (dn); + char *rdn; + LDAPDN dn; + rdn = strndup(policy_dn, len2 - len1 - 1); /* 1 character for ',' */ + + if (ldap_str2dn (rdn, &dn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PEDANTIC) != 0) { + st = EINVAL; + goto cleanup; + } + if (dn[0] == NULL || dn[1] != NULL) + st = EINVAL; + else if (strcasecmp (dn[0][0]->la_attr.bv_val, "cn") != 0) + st = EINVAL; + else { + *name = strndup(dn[0][0]->la_value.bv_val, dn[0][0]->la_value.bv_len); + if (*name == NULL) + st = EINVAL; + } + + ldap_memfree (dn); } #elif defined HAVE_LDAP_EXPLODE_DN { - char **parsed_dn; - - /* 1 = return DN components without type prefix */ - parsed_dn = ldap_explode_dn(policy_dn, 1); - if (parsed_dn == NULL) { - st = EINVAL; - } else { - *name = strdup(parsed_dn[0]); - if (*name == NULL) - st = EINVAL; - - ldap_value_free(parsed_dn); - } + char **parsed_dn; + + /* 1 = return DN components without type prefix */ + parsed_dn = ldap_explode_dn(policy_dn, 1); + if (parsed_dn == NULL) { + st = EINVAL; + } else { + *name = strdup(parsed_dn[0]); + if (*name == NULL) + st = EINVAL; + + ldap_value_free(parsed_dn); + } } #else st = EINVAL; @@ -1788,10 +1699,8 @@ cleanup: return st; } -krb5_error_code krb5_ldap_name_to_policydn (context, name, policy_dn) - krb5_context context; - char *name; - char **policy_dn; +krb5_error_code +krb5_ldap_name_to_policydn(krb5_context context, char *name, char **policy_dn) { int len; char *ptr = NULL; @@ -1803,29 +1712,29 @@ krb5_error_code krb5_ldap_name_to_policydn (context, name, policy_dn) /* validate the input parameters */ if (name == NULL) { - st = EINVAL; - goto cleanup; + st = EINVAL; + goto cleanup; } /* Used for removing policy reference from an object */ if (name[0] == '\0') { - if ((*policy_dn = strdup ("")) == NULL) - st = ENOMEM; - goto cleanup; + if ((*policy_dn = strdup ("")) == NULL) + st = ENOMEM; + goto cleanup; } SETUP_CONTEXT(); if (ldap_context->lrparams->realmdn == NULL) { - st = EINVAL; - goto cleanup; + st = EINVAL; + goto cleanup; } len = strlen (ldap_context->lrparams->realmdn); ptr = ldap_filter_correct (name); if (ptr == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } len += strlen (ptr); @@ -1833,21 +1742,22 @@ krb5_error_code krb5_ldap_name_to_policydn (context, name, policy_dn) *policy_dn = (char *) malloc (len); if (*policy_dn == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } sprintf (*policy_dn, "cn=%s,%s", ptr, ldap_context->lrparams->realmdn); cleanup: if (ptr != NULL) - free (ptr); + free (ptr); return st; } /* remove overlapping and repeated subtree entries from the list of subtrees */ static krb5_error_code -remove_overlapping_subtrees(char **listin, char **listop, int *subtcount, int sscope) +remove_overlapping_subtrees(char **listin, char **listop, int *subtcount, + int sscope) { int slen=0, k=0, j=0, lendiff=0; int count = *subtcount; @@ -1855,54 +1765,54 @@ remove_overlapping_subtrees(char **listin, char **listop, int *subtcount, int ss slen = count-1; for (k=0; k<=slen && listin[k]!=NULL ; k++) { - for (j=k+1; j<=slen && listin[j]!=NULL ;j++) { - lendiff = strlen(listin[k]) - strlen(listin[j]); - if (sscope == 2) { - if ((lendiff > 0) && (strcasecmp((listin[k])+lendiff, listin[j])==0)) { - if (k != slen) { - free(listin[k]); - listin[k] = listin[slen]; - listin[slen] = NULL; - } else { - free(listin[k]); - listin[k] = NULL; - } - slen-=1; - k-=1; - break; - } else if ((lendiff < 0) && (strcasecmp((listin[j])+abs(lendiff), listin[k])==0)) { - if (j != slen) { - free(listin[j]); - listin[j] = listin[slen]; - listin[slen]=NULL; - } else { - free(listin[j]); - listin[j] = NULL; - } - slen-=1; - j-=1; - } - } - if ((lendiff == 0) && (strcasecmp(listin[j], listin[k])==0)) { - if (j != slen) { - free(listin[j]); - listin[j] = listin[slen]; - listin[slen]=NULL; - } else { - free(listin[j]); - listin[j] = NULL; - } - slen -=1; - j-=1; - } - } + for (j=k+1; j<=slen && listin[j]!=NULL ;j++) { + lendiff = strlen(listin[k]) - strlen(listin[j]); + if (sscope == 2) { + if ((lendiff > 0) && (strcasecmp((listin[k])+lendiff, listin[j])==0)) { + if (k != slen) { + free(listin[k]); + listin[k] = listin[slen]; + listin[slen] = NULL; + } else { + free(listin[k]); + listin[k] = NULL; + } + slen-=1; + k-=1; + break; + } else if ((lendiff < 0) && (strcasecmp((listin[j])+abs(lendiff), listin[k])==0)) { + if (j != slen) { + free(listin[j]); + listin[j] = listin[slen]; + listin[slen]=NULL; + } else { + free(listin[j]); + listin[j] = NULL; + } + slen-=1; + j-=1; + } + } + if ((lendiff == 0) && (strcasecmp(listin[j], listin[k])==0)) { + if (j != slen) { + free(listin[j]); + listin[j] = listin[slen]; + listin[slen]=NULL; + } else { + free(listin[j]); + listin[j] = NULL; + } + slen -=1; + j-=1; + } + } } *subtcount=slen+1; for (k=0; k<*subtcount && listin[k]!=NULL; k++) { - subtree[k] = strdup(listin[k]); - if (subtree[k] == NULL) { - return ENOMEM; - } + subtree[k] = strdup(listin[k]); + if (subtree[k] == NULL) { + return ENOMEM; + } } return 0; } @@ -1912,12 +1822,9 @@ remove_overlapping_subtrees(char **listin, char **listop, int *subtcount, int ss * the results of a principal search of the directory. */ krb5_error_code -populate_krb5_db_entry (krb5_context context, - krb5_ldap_context *ldap_context, - LDAP *ld, - LDAPMessage *ent, - krb5_const_principal princ, - krb5_db_entry *entry) +populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, + LDAP *ld, LDAPMessage *ent, krb5_const_principal princ, + krb5_db_entry *entry) { krb5_error_code st = 0; unsigned int mask = 0; @@ -1930,140 +1837,140 @@ populate_krb5_db_entry (krb5_context context, char *DN = NULL; if (princ == NULL) { - /* XXX WAF probably should just extract princ from ldap result */ - st = EINVAL; - goto cleanup; + /* XXX WAF probably should just extract princ from ldap result */ + st = EINVAL; + goto cleanup; } else { - if ((st=krb5_copy_principal(context, princ, &(entry->princ))) != 0) - goto cleanup; + if ((st=krb5_copy_principal(context, princ, &(entry->princ))) != 0) + goto cleanup; } /* get the associated directory user information */ if ((values = ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { - int i, pcount=0, kerberos_principal_object_type=0; - char *user; - - if ((st=krb5_unparse_name(context, princ, &user)) != 0) - goto cleanup; - - for (i=0; values[i] != NULL; ++i) { - if (strcasecmp(values[i], user) == 0) { - pcount = ldap_count_values(values); - break; - } - } - ldap_value_free(values); - free(user); - - if ((DN = ldap_get_dn(ld, ent)) == NULL) { - ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &st); - st = set_ldap_error(context, st, 0); - goto cleanup; - } - - if ((values=ldap_get_values(ld, ent, "objectclass")) != NULL) { - for (i=0; values[i] != NULL; ++i) - if (strcasecmp(values[i], "krbprincipal") == 0) { - kerberos_principal_object_type = KDB_STANDALONE_PRINCIPAL_OBJECT; - if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCTYPE, - &kerberos_principal_object_type)) != 0) - goto cleanup; - break; - } - ldap_value_free(values); - } - - /* add principalcount, DN and principaltype user information to tl_data */ - if (((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCCOUNT, &pcount)) != 0) || - ((st=store_tl_data(&userinfo_tl_data, KDB_TL_USERDN, DN)) != 0)) - goto cleanup; + int i, pcount=0, kerberos_principal_object_type=0; + char *user; + + if ((st=krb5_unparse_name(context, princ, &user)) != 0) + goto cleanup; + + for (i=0; values[i] != NULL; ++i) { + if (strcasecmp(values[i], user) == 0) { + pcount = ldap_count_values(values); + break; + } + } + ldap_value_free(values); + free(user); + + if ((DN = ldap_get_dn(ld, ent)) == NULL) { + ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &st); + st = set_ldap_error(context, st, 0); + goto cleanup; + } + + if ((values=ldap_get_values(ld, ent, "objectclass")) != NULL) { + for (i=0; values[i] != NULL; ++i) + if (strcasecmp(values[i], "krbprincipal") == 0) { + kerberos_principal_object_type = KDB_STANDALONE_PRINCIPAL_OBJECT; + if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCTYPE, + &kerberos_principal_object_type)) != 0) + goto cleanup; + break; + } + ldap_value_free(values); + } + + /* add principalcount, DN and principaltype user information to tl_data */ + if (((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCCOUNT, &pcount)) != 0) || + ((st=store_tl_data(&userinfo_tl_data, KDB_TL_USERDN, DN)) != 0)) + goto cleanup; } /* read all the kerberos attributes */ /* KRBLASTSUCCESSFULAUTH */ if ((st=krb5_ldap_get_time(ld, ent, "krbLastSuccessfulAuth", - &(entry->last_success), &attr_present)) != 0) - goto cleanup; + &(entry->last_success), &attr_present)) != 0) + goto cleanup; if (attr_present == TRUE) - mask |= KDB_LAST_SUCCESS_ATTR; + mask |= KDB_LAST_SUCCESS_ATTR; /* KRBLASTFAILEDAUTH */ if ((st=krb5_ldap_get_time(ld, ent, "krbLastFailedAuth", - &(entry->last_failed), &attr_present)) != 0) - goto cleanup; + &(entry->last_failed), &attr_present)) != 0) + goto cleanup; if (attr_present == TRUE) - mask |= KDB_LAST_FAILED_ATTR; + mask |= KDB_LAST_FAILED_ATTR; /* KRBLOGINFAILEDCOUNT */ if (krb5_ldap_get_value(ld, ent, "krbLoginFailedCount", - &(entry->fail_auth_count)) == 0) - mask |= KDB_FAIL_AUTH_COUNT_ATTR; + &(entry->fail_auth_count)) == 0) + mask |= KDB_FAIL_AUTH_COUNT_ATTR; /* KRBMAXTICKETLIFE */ if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", &(entry->max_life)) == 0) - mask |= KDB_MAX_LIFE_ATTR; + mask |= KDB_MAX_LIFE_ATTR; /* KRBMAXRENEWABLEAGE */ if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", - &(entry->max_renewable_life)) == 0) - mask |= KDB_MAX_RLIFE_ATTR; + &(entry->max_renewable_life)) == 0) + mask |= KDB_MAX_RLIFE_ATTR; /* KRBTICKETFLAGS */ if (krb5_ldap_get_value(ld, ent, "krbticketflags", &(entry->attributes)) == 0) - mask |= KDB_TKT_FLAGS_ATTR; + mask |= KDB_TKT_FLAGS_ATTR; /* PRINCIPAL EXPIRATION TIME */ if ((st=krb5_ldap_get_time(ld, ent, "krbprincipalexpiration", &(entry->expiration), - &attr_present)) != 0) - goto cleanup; + &attr_present)) != 0) + goto cleanup; if (attr_present == TRUE) - mask |= KDB_PRINC_EXPIRE_TIME_ATTR; + mask |= KDB_PRINC_EXPIRE_TIME_ATTR; /* PASSWORD EXPIRATION TIME */ if ((st=krb5_ldap_get_time(ld, ent, "krbpasswordexpiration", &(entry->pw_expiration), - &attr_present)) != 0) - goto cleanup; + &attr_present)) != 0) + goto cleanup; if (attr_present == TRUE) - mask |= KDB_PWD_EXPIRE_TIME_ATTR; + mask |= KDB_PWD_EXPIRE_TIME_ATTR; /* KRBPOLICYREFERENCE */ if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference", &policydn, - &attr_present)) != 0) - goto cleanup; + &attr_present)) != 0) + goto cleanup; if (attr_present == TRUE) { - mask |= KDB_POL_REF_ATTR; - /* Ensure that the policy is inside the realm container */ - if ((st = krb5_ldap_policydn_to_name (context, policydn, &tktpolname)) != 0) - goto cleanup; + mask |= KDB_POL_REF_ATTR; + /* Ensure that the policy is inside the realm container */ + if ((st = krb5_ldap_policydn_to_name (context, policydn, &tktpolname)) != 0) + goto cleanup; } /* KRBPWDPOLICYREFERENCE */ if ((st=krb5_ldap_get_string(ld, ent, "krbpwdpolicyreference", &pwdpolicydn, - &attr_present)) != 0) - goto cleanup; + &attr_present)) != 0) + goto cleanup; if (attr_present == TRUE) { - krb5_tl_data kadm_tl_data; + krb5_tl_data kadm_tl_data; - mask |= KDB_PWD_POL_REF_ATTR; + mask |= KDB_PWD_POL_REF_ATTR; - /* Ensure that the policy is inside the realm container */ - if ((st = krb5_ldap_policydn_to_name (context, pwdpolicydn, &polname)) != 0) - goto cleanup; + /* Ensure that the policy is inside the realm container */ + if ((st = krb5_ldap_policydn_to_name (context, pwdpolicydn, &polname)) != 0) + goto cleanup; - if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data)) != 0) { - goto cleanup; - } - krb5_dbe_update_tl_data(context, entry, &kadm_tl_data); + if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data)) != 0) { + goto cleanup; + } + krb5_dbe_update_tl_data(context, entry, &kadm_tl_data); } /* KRBSECRETKEY */ if ((bvalues=ldap_get_values_len(ld, ent, "krbprincipalkey")) != NULL) { krb5_kvno mkvno = 0; - mask |= KDB_SECRET_KEY_ATTR; - if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data, &mkvno)) != 0) - goto cleanup; + mask |= KDB_SECRET_KEY_ATTR; + if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data, &mkvno)) != 0) + goto cleanup; if (mkvno != 0) { /* don't add the tl data if mkvno == 0 */ if ((st=krb5_dbe_update_mkvno(context, entry, mkvno)) != 0) @@ -2073,155 +1980,155 @@ populate_krb5_db_entry (krb5_context context, /* LAST PASSWORD CHANGE */ { - krb5_timestamp lstpwdchng=0; - if ((st=krb5_ldap_get_time(ld, ent, "krbLastPwdChange", - &lstpwdchng, &attr_present)) != 0) - goto cleanup; - if (attr_present == TRUE) { - if ((st=krb5_dbe_update_last_pwd_change(context, entry, - lstpwdchng))) - goto cleanup; - mask |= KDB_LAST_PWD_CHANGE_ATTR; - } + krb5_timestamp lstpwdchng=0; + if ((st=krb5_ldap_get_time(ld, ent, "krbLastPwdChange", + &lstpwdchng, &attr_present)) != 0) + goto cleanup; + if (attr_present == TRUE) { + if ((st=krb5_dbe_update_last_pwd_change(context, entry, + lstpwdchng))) + goto cleanup; + mask |= KDB_LAST_PWD_CHANGE_ATTR; + } } /* ALLOWED TO DELEGATE TO */ { - char **a2d2 = NULL; - int i; - krb5_tl_data **tlp; - - st = krb5_ldap_get_strings(ld, ent, "krbAllowedToDelegateTo", - &a2d2, &attr_present); - if (st != 0) - goto cleanup; - - if (attr_present == TRUE) { - for (tlp = &entry->tl_data; *tlp; tlp = &(*tlp)->tl_data_next) - ; - for (i = 0; a2d2[i] != NULL; i++) { - krb5_tl_data *tl = k5alloc(sizeof(*tl), &st); - if (st != 0) { - ldap_value_free(a2d2); - goto cleanup; - } - tl->tl_data_type = KRB5_TL_CONSTRAINED_DELEGATION_ACL; - tl->tl_data_length = strlen(a2d2[i]); - tl->tl_data_contents = (krb5_octet *)strdup(a2d2[i]); - if (tl->tl_data_contents == NULL) { - st = ENOMEM; - ldap_value_free(a2d2); - free(tl); - goto cleanup; - } - tl->tl_data_next = NULL; - *tlp = tl; - tlp = &tl->tl_data_next; - } - ldap_value_free(a2d2); - } + char **a2d2 = NULL; + int i; + krb5_tl_data **tlp; + + st = krb5_ldap_get_strings(ld, ent, "krbAllowedToDelegateTo", + &a2d2, &attr_present); + if (st != 0) + goto cleanup; + + if (attr_present == TRUE) { + for (tlp = &entry->tl_data; *tlp; tlp = &(*tlp)->tl_data_next) + ; + for (i = 0; a2d2[i] != NULL; i++) { + krb5_tl_data *tl = k5alloc(sizeof(*tl), &st); + if (st != 0) { + ldap_value_free(a2d2); + goto cleanup; + } + tl->tl_data_type = KRB5_TL_CONSTRAINED_DELEGATION_ACL; + tl->tl_data_length = strlen(a2d2[i]); + tl->tl_data_contents = (krb5_octet *)strdup(a2d2[i]); + if (tl->tl_data_contents == NULL) { + st = ENOMEM; + ldap_value_free(a2d2); + free(tl); + goto cleanup; + } + tl->tl_data_next = NULL; + *tlp = tl; + tlp = &tl->tl_data_next; + } + ldap_value_free(a2d2); + } } /* KRBOBJECTREFERENCES */ { - int i=0; - - if ((st = krb5_ldap_get_strings(ld, ent, "krbobjectreferences", - &link_references, &attr_present)) != 0) - goto cleanup; - if (link_references != NULL) { - for (i=0; link_references[i] != NULL; ++i) { - if ((st = store_tl_data(&userinfo_tl_data, KDB_TL_LINKDN, - link_references[i])) != 0) - goto cleanup; - } - } + int i=0; + + if ((st = krb5_ldap_get_strings(ld, ent, "krbobjectreferences", + &link_references, &attr_present)) != 0) + goto cleanup; + if (link_references != NULL) { + for (i=0; link_references[i] != NULL; ++i) { + if ((st = store_tl_data(&userinfo_tl_data, KDB_TL_LINKDN, + link_references[i])) != 0) + goto cleanup; + } + } } /* Set tl_data */ { - int i; - struct berval **ber_tl_data = NULL; - krb5_tl_data *ptr = NULL; - - if ((ber_tl_data = ldap_get_values_len (ld, ent, "krbExtraData")) != NULL) { - for (i = 0; ber_tl_data[i] != NULL; i++) { - if ((st = berval2tl_data (ber_tl_data[i] , &ptr)) != 0) - break; - if ((st = krb5_dbe_update_tl_data(context, entry, ptr)) != 0) - break; - } - ldap_value_free_len (ber_tl_data); - if (st != 0) - goto cleanup; - mask |= KDB_EXTRA_DATA_ATTR; - } + int i; + struct berval **ber_tl_data = NULL; + krb5_tl_data *ptr = NULL; + + if ((ber_tl_data = ldap_get_values_len (ld, ent, "krbExtraData")) != NULL) { + for (i = 0; ber_tl_data[i] != NULL; i++) { + if ((st = berval2tl_data (ber_tl_data[i] , &ptr)) != 0) + break; + if ((st = krb5_dbe_update_tl_data(context, entry, ptr)) != 0) + break; + } + ldap_value_free_len (ber_tl_data); + if (st != 0) + goto cleanup; + mask |= KDB_EXTRA_DATA_ATTR; + } } /* update the mask of attributes present on the directory object to the tl_data */ if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_MASK, &mask)) != 0) - goto cleanup; + goto cleanup; if ((st=krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data)) != 0) - goto cleanup; + goto cleanup; #ifdef HAVE_EDIRECTORY { - krb5_timestamp expiretime=0; - char *is_login_disabled=NULL; - - /* LOGIN EXPIRATION TIME */ - if ((st=krb5_ldap_get_time(ld, ent, "loginexpirationtime", &expiretime, - &attr_present)) != 0) - goto cleanup; - - if (attr_present == TRUE) { - if ((mask & KDB_PRINC_EXPIRE_TIME_ATTR) == 1) { - if (expiretime < entry->expiration) - entry->expiration = expiretime; - } else { - entry->expiration = expiretime; - } - } - - /* LOGIN DISABLED */ - if ((st=krb5_ldap_get_string(ld, ent, "logindisabled", &is_login_disabled, - &attr_present)) != 0) - goto cleanup; - if (attr_present == TRUE) { - if (strcasecmp(is_login_disabled, "TRUE")== 0) - entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; - free (is_login_disabled); - } + krb5_timestamp expiretime=0; + char *is_login_disabled=NULL; + + /* LOGIN EXPIRATION TIME */ + if ((st=krb5_ldap_get_time(ld, ent, "loginexpirationtime", &expiretime, + &attr_present)) != 0) + goto cleanup; + + if (attr_present == TRUE) { + if ((mask & KDB_PRINC_EXPIRE_TIME_ATTR) == 1) { + if (expiretime < entry->expiration) + entry->expiration = expiretime; + } else { + entry->expiration = expiretime; + } + } + + /* LOGIN DISABLED */ + if ((st=krb5_ldap_get_string(ld, ent, "logindisabled", &is_login_disabled, + &attr_present)) != 0) + goto cleanup; + if (attr_present == TRUE) { + if (strcasecmp(is_login_disabled, "TRUE")== 0) + entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; + free (is_login_disabled); + } } #endif if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0) - goto cleanup; + goto cleanup; /* We already know that the policy is inside the realm container. */ if (polname) { - osa_policy_ent_t pwdpol; - int cnt=0; - krb5_timestamp last_pw_changed; - krb5_ui_4 pw_max_life; + osa_policy_ent_t pwdpol; + int cnt=0; + krb5_timestamp last_pw_changed; + krb5_ui_4 pw_max_life; - memset(&pwdpol, 0, sizeof(pwdpol)); + memset(&pwdpol, 0, sizeof(pwdpol)); - if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0) - goto cleanup; - pw_max_life = pwdpol->pw_max_life; - free (pwdpol); + if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0) + goto cleanup; + pw_max_life = pwdpol->pw_max_life; + free (pwdpol); - if (pw_max_life > 0) { - if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0) - goto cleanup; + if (pw_max_life > 0) { + if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0) + goto cleanup; - if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) { - if ((last_pw_changed + pw_max_life) < entry->pw_expiration) - entry->pw_expiration = last_pw_changed + pw_max_life; - } else - entry->pw_expiration = last_pw_changed + pw_max_life; - } + if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) { + if ((last_pw_changed + pw_max_life) < entry->pw_expiration) + entry->pw_expiration = last_pw_changed + pw_max_life; + } else + entry->pw_expiration = last_pw_changed + pw_max_life; + } } /* XXX so krb5_encode_princ_contents() will be happy */ entry->len = KRB5_KDB_V1_BASE_LENGTH; @@ -2229,22 +2136,22 @@ populate_krb5_db_entry (krb5_context context, cleanup: if (DN != NULL) - ldap_memfree(DN); + ldap_memfree(DN); if (userinfo_tl_data.tl_data_contents != NULL) - free(userinfo_tl_data.tl_data_contents); + free(userinfo_tl_data.tl_data_contents); if (pwdpolicydn != NULL) - free(pwdpolicydn); + free(pwdpolicydn); if (polname != NULL) - free(polname); + free(polname); if (tktpolname != NULL) - free (tktpolname); + free (tktpolname); if (policydn != NULL) - free(policydn); + free(policydn); if (link_references) { int i; @@ -2282,18 +2189,18 @@ ldap_initialize(LDAP **ldp, char *url) #endif if (rc == 0) { - ld = ldap_init(ludp->lud_host, ludp->lud_port); - if (ld != NULL) { - *ldp = ld; + ld = ldap_init(ludp->lud_host, ludp->lud_port); + if (ld != NULL) { + *ldp = ld; #if 0 - printf("lud_host %s lud_port %d\n", ludp->lud_host, - ludp->lud_port); + printf("lud_host %s lud_port %d\n", ludp->lud_host, + ludp->lud_port); #endif - } - else - rc = KRB5_KDB_ACCESS_ERROR; + } + else + rc = KRB5_KDB_ACCESS_ERROR; - ldap_free_urldesc(ludp); + ldap_free_urldesc(ludp); } return rc; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h index 27531a8da..a1d7edc15 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_misc.h * @@ -144,11 +145,11 @@ krb5_ldap_get_db_opt(char *, char **, char **); krb5_error_code populate_krb5_db_entry(krb5_context context, - krb5_ldap_context *ldap_context, - LDAP *ld, - LDAPMessage *ent, - krb5_const_principal princ, - krb5_db_entry *entry); + krb5_ldap_context *ldap_context, + LDAP *ld, + LDAPMessage *ent, + krb5_const_principal princ, + krb5_db_entry *entry); int kldap_ensure_initialized (void); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c index c59944406..5fcc92b68 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_principal.c * @@ -40,83 +41,81 @@ struct timeval timelimit = {300, 0}; /* 5 minutes */ char *principal_attributes[] = { "krbprincipalname", - "krbcanonicalname", - "objectclass", - "krbprincipalkey", - "krbmaxrenewableage", - "krbmaxticketlife", - "krbticketflags", - "krbprincipalexpiration", - "krbticketpolicyreference", - "krbUpEnabled", - "krbpwdpolicyreference", - "krbpasswordexpiration", + "krbcanonicalname", + "objectclass", + "krbprincipalkey", + "krbmaxrenewableage", + "krbmaxticketlife", + "krbticketflags", + "krbprincipalexpiration", + "krbticketpolicyreference", + "krbUpEnabled", + "krbpwdpolicyreference", + "krbpasswordexpiration", "krbLastFailedAuth", "krbLoginFailedCount", "krbLastSuccessfulAuth", #ifdef HAVE_EDIRECTORY - "loginexpirationtime", - "logindisabled", + "loginexpirationtime", + "logindisabled", #endif - "krbLastPwdChange", - "krbExtraData", - "krbObjectReferences", - "krbAllowedToDelegateTo", - NULL }; + "krbLastPwdChange", + "krbExtraData", + "krbObjectReferences", + "krbAllowedToDelegateTo", + NULL }; /* Must match KDB_*_ATTR macros in ldap_principal.h. */ static char *attributes_set[] = { "krbmaxticketlife", - "krbmaxrenewableage", - "krbticketflags", - "krbprincipalexpiration", - "krbticketpolicyreference", - "krbUpEnabled", - "krbpwdpolicyreference", - "krbpasswordexpiration", - "krbprincipalkey", + "krbmaxrenewableage", + "krbticketflags", + "krbprincipalexpiration", + "krbticketpolicyreference", + "krbUpEnabled", + "krbpwdpolicyreference", + "krbpasswordexpiration", + "krbprincipalkey", "krblastpwdchange", "krbextradata", "krbLastSuccessfulAuth", "krbLastFailedAuth", "krbLoginFailedCount", - NULL }; + NULL }; void -krb5_dbe_free_contents(context, entry) - krb5_context context; - krb5_db_entry *entry; +krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry) { - krb5_tl_data *tl_data_next=NULL; - krb5_tl_data *tl_data=NULL; + krb5_tl_data *tl_data_next=NULL; + krb5_tl_data *tl_data=NULL; int i, j; if (entry->e_data) - free(entry->e_data); + free(entry->e_data); if (entry->princ) - krb5_free_principal(context, entry->princ); + krb5_free_principal(context, entry->princ); for (tl_data = entry->tl_data; tl_data; tl_data = tl_data_next) { - tl_data_next = tl_data->tl_data_next; - if (tl_data->tl_data_contents) - free(tl_data->tl_data_contents); - free(tl_data); + tl_data_next = tl_data->tl_data_next; + if (tl_data->tl_data_contents) + free(tl_data->tl_data_contents); + free(tl_data); } if (entry->key_data) { - for (i = 0; i < entry->n_key_data; i++) { - for (j = 0; j < entry->key_data[i].key_data_ver; j++) { - if (entry->key_data[i].key_data_length[j]) { - if (entry->key_data[i].key_data_contents[j]) { - memset(entry->key_data[i].key_data_contents[j], - 0, - (unsigned) entry->key_data[i].key_data_length[j]); - free (entry->key_data[i].key_data_contents[j]); - } - } - entry->key_data[i].key_data_contents[j] = NULL; - entry->key_data[i].key_data_length[j] = 0; - entry->key_data[i].key_data_type[j] = 0; - } - } - free(entry->key_data); + for (i = 0; i < entry->n_key_data; i++) { + for (j = 0; j < entry->key_data[i].key_data_ver; j++) { + if (entry->key_data[i].key_data_length[j]) { + if (entry->key_data[i].key_data_contents[j]) { + memset(entry->key_data[i].key_data_contents[j], + 0, + (unsigned) entry->key_data[i].key_data_length[j]); + free (entry->key_data[i].key_data_contents[j]); + } + } + entry->key_data[i].key_data_contents[j] = NULL; + entry->key_data[i].key_data_length[j] = 0; + entry->key_data[i].key_data_type[j] = 0; + } + } + free(entry->key_data); } memset(entry, 0, sizeof(*entry)); return; @@ -124,23 +123,19 @@ krb5_dbe_free_contents(context, entry) krb5_error_code -krb5_ldap_free_principal(kcontext , entries, nentries) - krb5_context kcontext; - krb5_db_entry *entries; - int nentries; +krb5_ldap_free_principal(krb5_context kcontext, krb5_db_entry *entries, + int nentries) { register int i; for (i = 0; i < nentries; i++) - krb5_dbe_free_contents(kcontext, &entries[i]); + krb5_dbe_free_contents(kcontext, &entries[i]); return 0; } krb5_error_code -krb5_ldap_iterate(context, match_expr, func, func_arg) - krb5_context context; - char *match_expr; - krb5_error_code (*func) (krb5_pointer, krb5_db_entry *); - krb5_pointer func_arg; +krb5_ldap_iterate(krb5_context context, char *match_expr, + krb5_error_code (*func)(krb5_pointer, krb5_db_entry *), + krb5_pointer func_arg) { krb5_db_entry entry; krb5_principal principal; @@ -162,68 +157,68 @@ krb5_ldap_iterate(context, match_expr, func, func_arg) realm = ldap_context->lrparams->realm_name; if (realm == NULL) { - realm = context->default_realm; - if (realm == NULL) { - st = EINVAL; - krb5_set_error_message(context, st, "Default realm not set"); - goto cleanup; - } + realm = context->default_realm; + if (realm == NULL) { + st = EINVAL; + krb5_set_error_message(context, st, "Default realm not set"); + goto cleanup; + } } /* * If no match_expr then iterate through all krb princs like the db2 plugin */ if (match_expr == NULL) - match_expr = default_match_expr; + match_expr = default_match_expr; if (asprintf(&filter, FILTER"%s))", match_expr) < 0) - filter = NULL; + filter = NULL; CHECK_NULL(filter); if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntree)) != 0) - goto cleanup; + goto cleanup; GET_HANDLE(); for (tree=0; tree < ntree; ++tree) { - LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes); - for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) { - values=ldap_get_values(ld, ent, "krbcanonicalname"); - if (values == NULL) - values=ldap_get_values(ld, ent, "krbprincipalname"); - if (values != NULL) { - for (i=0; values[i] != NULL; ++i) { - if (krb5_ldap_parse_principal_name(values[i], &princ_name) != 0) - continue; - if (krb5_parse_name(context, princ_name, &principal) != 0) - continue; - if (is_principal_in_realm(ldap_context, principal) == 0) { - if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, principal, - &entry)) != 0) - goto cleanup; - (*func)(func_arg, &entry); - krb5_dbe_free_contents(context, &entry); - (void) krb5_free_principal(context, principal); - free(princ_name); - break; - } - (void) krb5_free_principal(context, principal); - free(princ_name); - } - ldap_value_free(values); - } - } /* end of for (ent= ... */ - ldap_msgfree(result); + LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes); + for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) { + values=ldap_get_values(ld, ent, "krbcanonicalname"); + if (values == NULL) + values=ldap_get_values(ld, ent, "krbprincipalname"); + if (values != NULL) { + for (i=0; values[i] != NULL; ++i) { + if (krb5_ldap_parse_principal_name(values[i], &princ_name) != 0) + continue; + if (krb5_parse_name(context, princ_name, &principal) != 0) + continue; + if (is_principal_in_realm(ldap_context, principal) == 0) { + if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, principal, + &entry)) != 0) + goto cleanup; + (*func)(func_arg, &entry); + krb5_dbe_free_contents(context, &entry); + (void) krb5_free_principal(context, principal); + free(princ_name); + break; + } + (void) krb5_free_principal(context, principal); + free(princ_name); + } + ldap_value_free(values); + } + } /* end of for (ent= ... */ + ldap_msgfree(result); } /* end of for (tree= ... */ cleanup: if (filter) - free (filter); + free (filter); for (;ntree; --ntree) - if (subtree[ntree-1]) - free (subtree[ntree-1]); + if (subtree[ntree-1]) + free (subtree[ntree-1]); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; @@ -234,15 +229,13 @@ cleanup: * delete a principal from the directory. */ krb5_error_code -krb5_ldap_delete_principal(context, searchfor, nentries) - krb5_context context; - krb5_const_principal searchfor; - int *nentries; /* how many found & deleted */ +krb5_ldap_delete_principal(krb5_context context, + krb5_const_principal searchfor, int *nentries) { char *user=NULL, *DN=NULL, *strval[10] = {NULL}; LDAPMod **mods=NULL; LDAP *ld=NULL; - int j=0, ptype=0, pcount=0, attrsetmask=0; + int j=0, ptype=0, pcount=0, attrsetmask=0; krb5_error_code st=0; krb5_boolean singleentry=FALSE; KEY *secretkey=NULL; @@ -258,18 +251,18 @@ krb5_ldap_delete_principal(context, searchfor, nentries) SETUP_CONTEXT(); /* get the principal info */ if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entries, nentries, &more)) != 0 || *nentries == 0) - goto cleanup; + goto cleanup; if (((st=krb5_get_princ_type(context, &entries, &(ptype))) != 0) || - ((st=krb5_get_attributes_mask(context, &entries, &(attrsetmask))) != 0) || - ((st=krb5_get_princ_count(context, &entries, &(pcount))) != 0) || - ((st=krb5_get_userdn(context, &entries, &(DN))) != 0)) - goto cleanup; + ((st=krb5_get_attributes_mask(context, &entries, &(attrsetmask))) != 0) || + ((st=krb5_get_princ_count(context, &entries, &(pcount))) != 0) || + ((st=krb5_get_userdn(context, &entries, &(DN))) != 0)) + goto cleanup; if (DN == NULL) { - st = EINVAL; - krb5_set_error_message(context, st, "DN information missing"); - goto cleanup; + st = EINVAL; + krb5_set_error_message(context, st, "DN information missing"); + goto cleanup; } GET_HANDLE(); @@ -281,90 +274,90 @@ krb5_ldap_delete_principal(context, searchfor, nentries) goto cleanup; } } else { - if (((st=krb5_unparse_name(context, searchfor, &user)) != 0) - || ((st=krb5_ldap_unparse_principal_name(user)) != 0)) - goto cleanup; - - memset(strval, 0, sizeof(strval)); - strval[0] = user; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_DELETE, - strval)) != 0) - goto cleanup; - - singleentry = (pcount == 1) ? TRUE: FALSE; - if (singleentry == FALSE) { - if (secretkey != NULL) { - if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", LDAP_MOD_DELETE | LDAP_MOD_BVALUES, - secretkey->keys)) != 0) - goto cleanup; - } - } else { - /* - * If the Kerberos user principal to be deleted happens to be the last one associated - * with the directory user object, then it is time to delete the other kerberos - * specific attributes like krbmaxticketlife, i.e, unkerberize the directory user. - * From the attrsetmask value, identify the attributes set on the directory user - * object and delete them. - * NOTE: krbsecretkey attribute has per principal entries. There can be chances that the - * other principals' keys are exisiting/left-over. So delete all the values. - */ - while (attrsetmask) { - if (attrsetmask & 1) { - if ((st=krb5_add_str_mem_ldap_mod(&mods, attributes_set[j], LDAP_MOD_DELETE, - NULL)) != 0) - goto cleanup; - } - attrsetmask >>= 1; - ++j; - } - - /* the same should be done with the objectclass attributes */ - { - char *attrvalues[] = {"krbticketpolicyaux", "krbprincipalaux", NULL}; -/* char *attrvalues[] = {"krbpwdpolicyrefaux", "krbticketpolicyaux", "krbprincipalaux", NULL}; */ - int p, q, r=0, amask=0; - - if ((st=checkattributevalue(ld, DN, "objectclass", attrvalues, &amask)) != 0) - goto cleanup; - memset(strval, 0, sizeof(strval)); - for (p=1, q=0; p<=4; p<<=1, ++q) - if (p & amask) - strval[r++] = attrvalues[q]; - strval[r] = NULL; - if (r > 0) { - if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_DELETE, - strval)) != 0) - goto cleanup; - } - } - } - st=ldap_modify_ext_s(ld, DN, mods, NULL, NULL); - if (st != LDAP_SUCCESS) { - st = set_ldap_error(context, st, OP_MOD); - goto cleanup; - } + if (((st=krb5_unparse_name(context, searchfor, &user)) != 0) + || ((st=krb5_ldap_unparse_principal_name(user)) != 0)) + goto cleanup; + + memset(strval, 0, sizeof(strval)); + strval[0] = user; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_DELETE, + strval)) != 0) + goto cleanup; + + singleentry = (pcount == 1) ? TRUE: FALSE; + if (singleentry == FALSE) { + if (secretkey != NULL) { + if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", LDAP_MOD_DELETE | LDAP_MOD_BVALUES, + secretkey->keys)) != 0) + goto cleanup; + } + } else { + /* + * If the Kerberos user principal to be deleted happens to be the last one associated + * with the directory user object, then it is time to delete the other kerberos + * specific attributes like krbmaxticketlife, i.e, unkerberize the directory user. + * From the attrsetmask value, identify the attributes set on the directory user + * object and delete them. + * NOTE: krbsecretkey attribute has per principal entries. There can be chances that the + * other principals' keys are exisiting/left-over. So delete all the values. + */ + while (attrsetmask) { + if (attrsetmask & 1) { + if ((st=krb5_add_str_mem_ldap_mod(&mods, attributes_set[j], LDAP_MOD_DELETE, + NULL)) != 0) + goto cleanup; + } + attrsetmask >>= 1; + ++j; + } + + /* the same should be done with the objectclass attributes */ + { + char *attrvalues[] = {"krbticketpolicyaux", "krbprincipalaux", NULL}; +/* char *attrvalues[] = {"krbpwdpolicyrefaux", "krbticketpolicyaux", "krbprincipalaux", NULL}; */ + int p, q, r=0, amask=0; + + if ((st=checkattributevalue(ld, DN, "objectclass", attrvalues, &amask)) != 0) + goto cleanup; + memset(strval, 0, sizeof(strval)); + for (p=1, q=0; p<=4; p<<=1, ++q) + if (p & amask) + strval[r++] = attrvalues[q]; + strval[r] = NULL; + if (r > 0) { + if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_DELETE, + strval)) != 0) + goto cleanup; + } + } + } + st=ldap_modify_ext_s(ld, DN, mods, NULL, NULL); + if (st != LDAP_SUCCESS) { + st = set_ldap_error(context, st, OP_MOD); + goto cleanup; + } } cleanup: if (user) - free (user); + free (user); if (DN) - free (DN); + free (DN); if (secretkey != NULL) { - int i=0; - while (i < secretkey->nkey) { - free (secretkey->keys[i]->bv_val); - free (secretkey->keys[i]); - ++i; - } - free (secretkey->keys); - free (secretkey); + int i=0; + while (i < secretkey->nkey) { + free (secretkey->keys[i]->bv_val); + free (secretkey->keys[i]); + ++i; + } + free (secretkey->keys); + free (secretkey); } if (st == 0) - krb5_ldap_free_principal(context, &entries, *nentries); + krb5_ldap_free_principal(context, &entries, *nentries); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); @@ -390,9 +383,9 @@ krb5_ldap_unparse_principal_name(char *user_name) out = user_name; for (in = user_name; *in; in++) { - if (*in == '\\' && *(in + 1) == '@') - continue; - *out++ = *in; + if (*in == '\\' && *(in + 1) == '@') + continue; + *out++ = *in; } *out = '\0'; @@ -414,29 +407,27 @@ krb5_ldap_unparse_principal_name(char *user_name) */ krb5_error_code -krb5_ldap_parse_principal_name(i_princ_name, o_princ_name) - char *i_princ_name; - char **o_princ_name; +krb5_ldap_parse_principal_name(char *i_princ_name, char **o_princ_name) { const char *at_rlm_name, *p; struct k5buf buf; at_rlm_name = strrchr(i_princ_name, '@'); if (!at_rlm_name) { - *o_princ_name = strdup(i_princ_name); - if (!o_princ_name) - return ENOMEM; + *o_princ_name = strdup(i_princ_name); + if (!o_princ_name) + return ENOMEM; } else { - krb5int_buf_init_dynamic(&buf); - for (p = i_princ_name; p < at_rlm_name; p++) { - if (*p == '@') - krb5int_buf_add(&buf, "\\"); - krb5int_buf_add_len(&buf, p, 1); - } - krb5int_buf_add(&buf, at_rlm_name); - *o_princ_name = krb5int_buf_data(&buf); - if (!*o_princ_name) - return ENOMEM; + krb5int_buf_init_dynamic(&buf); + for (p = i_princ_name; p < at_rlm_name; p++) { + if (*p == '@') + krb5int_buf_add(&buf, "\\"); + krb5int_buf_add_len(&buf, p, 1); + } + krb5int_buf_add(&buf, at_rlm_name); + *o_princ_name = krb5int_buf_data(&buf); + if (!*o_princ_name) + return ENOMEM; } return 0; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h index abc27f114..9969d532a 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_principal.h * @@ -35,20 +36,20 @@ #define KEYHEADER 12 -#define NOOFKEYS(ptr) ((ptr[10]<<8) | ptr[11]) +#define NOOFKEYS(ptr) ((ptr[10]<<8) | ptr[11]) -#define PRINCIPALLEN(ptr) ((ptr[0]<<8) | ptr[1]) -#define PRINCIPALNAME(ptr) (ptr + KEYHEADER + (NOOFKEYS(ptr) *8)) +#define PRINCIPALLEN(ptr) ((ptr[0]<<8) | ptr[1]) +#define PRINCIPALNAME(ptr) (ptr + KEYHEADER + (NOOFKEYS(ptr) *8)) -#define KEYBODY(ptr) PRINCIPALNAME(ptr) + PRINCIPALLEN(ptr) +#define KEYBODY(ptr) PRINCIPALNAME(ptr) + PRINCIPALLEN(ptr) -#define PKEYVER(ptr) ((ptr[2]<<8) | ptr[3]) -#define MKEYVER(ptr) ((ptr[4]<<8) | ptr[5]) +#define PKEYVER(ptr) ((ptr[2]<<8) | ptr[3]) +#define MKEYVER(ptr) ((ptr[4]<<8) | ptr[5]) -#define KEYTYPE(ptr,j) ((ptr[KEYHEADER+(j*8)]<<8) | ptr[KEYHEADER+1+(j*8)]) -#define KEYLENGTH(ptr,j) ((ptr[KEYHEADER+2+(j*8)]<<8) | ptr[KEYHEADER+3+(j*8)]) -#define SALTTYPE(ptr,j) ((ptr[KEYHEADER+4+(j*8)]<<8) | ptr[KEYHEADER+5+(j*8)]) -#define SALTLENGTH(ptr,j) ((ptr[KEYHEADER+6+(j*8)]<<8) | ptr[KEYHEADER+7+(j*8)]) +#define KEYTYPE(ptr,j) ((ptr[KEYHEADER+(j*8)]<<8) | ptr[KEYHEADER+1+(j*8)]) +#define KEYLENGTH(ptr,j) ((ptr[KEYHEADER+2+(j*8)]<<8) | ptr[KEYHEADER+3+(j*8)]) +#define SALTTYPE(ptr,j) ((ptr[KEYHEADER+4+(j*8)]<<8) | ptr[KEYHEADER+5+(j*8)]) +#define SALTLENGTH(ptr,j) ((ptr[KEYHEADER+6+(j*8)]<<8) | ptr[KEYHEADER+7+(j*8)]) #define MAX_KEY_LENGTH 1024 #define CONTAINERDN_ARG "containerdn" @@ -57,7 +58,7 @@ #define LINKDN_ARG "linkdn" /* #define FILTER "(&(objectclass=krbprincipalaux)(krbprincipalname=" */ - #define FILTER "(&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal))(krbprincipalname=" +#define FILTER "(&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal))(krbprincipalname=" #define KDB_USER_PRINCIPAL 0x01 #define KDB_SERVICE_PRINCIPAL 0x02 @@ -88,7 +89,7 @@ * and krb5_ldap_put_principal(). If present, it means that the * krbPwdMaxFailure attribute should be incremented by one. */ -#define KADM5_FAIL_AUTH_COUNT_INCREMENT 0x080000 /* KADM5_CPW_FUNCTION */ +#define KADM5_FAIL_AUTH_COUNT_INCREMENT 0x080000 /* KADM5_CPW_FUNCTION */ extern struct timeval timeout; extern char *policyclass[]; @@ -98,7 +99,7 @@ krb5_ldap_put_principal(krb5_context, krb5_db_entry *, int *, char **); krb5_error_code krb5_ldap_get_principal(krb5_context , krb5_const_principal , - unsigned int, krb5_db_entry *,int *, krb5_boolean *); + unsigned int, krb5_db_entry *, int *, krb5_boolean *); krb5_error_code krb5_ldap_delete_principal(krb5_context, krb5_const_principal, int *); @@ -107,7 +108,8 @@ krb5_error_code krb5_ldap_free_principal(krb5_context, krb5_db_entry *, int ); krb5_error_code -krb5_ldap_iterate(krb5_context, char *, krb5_error_code (*) (krb5_pointer, krb5_db_entry *), +krb5_ldap_iterate(krb5_context, char *, + krb5_error_code (*)(krb5_pointer, krb5_db_entry *), krb5_pointer/*, int */); void @@ -121,11 +123,12 @@ krb5_ldap_parse_principal_name(char *, char **); krb5_error_code krb5_decode_krbsecretkey(krb5_context, krb5_db_entry *, struct berval **, - krb5_tl_data *, krb5_kvno *); + krb5_tl_data *, krb5_kvno *); krb5_error_code berval2tl_data(struct berval *in, krb5_tl_data **out); krb5_error_code -krb5_read_tkt_policy (krb5_context, krb5_ldap_context *, krb5_db_entry *, char *); +krb5_read_tkt_policy(krb5_context, krb5_ldap_context *, krb5_db_entry *, + char *); #endif diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 3474b7cda..220602ac9 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_principal2.c * @@ -53,14 +54,14 @@ berval2tl_data(struct berval *in, krb5_tl_data **out) { *out = (krb5_tl_data *) malloc (sizeof (krb5_tl_data)); if (*out == NULL) - return ENOMEM; + return ENOMEM; (*out)->tl_data_length = in->bv_len - 2; (*out)->tl_data_contents = (krb5_octet *) malloc - ((*out)->tl_data_length * sizeof (krb5_octet)); + ((*out)->tl_data_length * sizeof (krb5_octet)); if ((*out)->tl_data_contents == NULL) { - free (*out); - return ENOMEM; + free (*out); + return ENOMEM; } UNSTORE16_INT (in->bv_val, (*out)->tl_data_type); @@ -87,9 +88,9 @@ aliases_ok(unsigned int flags) * okay. */ if (!(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY)) - return TRUE; + return TRUE; if (flags & KRB5_KDB_FLAG_CANONICALIZE) - return TRUE; + return TRUE; return FALSE; } @@ -98,24 +99,20 @@ aliases_ok(unsigned int flags) */ krb5_error_code -krb5_ldap_get_principal(context, searchfor, flags, entries, nentries, more) - krb5_context context; - krb5_const_principal searchfor; - unsigned int flags; - krb5_db_entry *entries; /* filled in */ - int *nentries; /* how much room/how many found */ - krb5_boolean *more; /* are there more? */ +krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, + unsigned int flags, krb5_db_entry *entries, + int *nentries, krb5_boolean *more) { char *user=NULL, *filter=NULL, **subtree=NULL; unsigned int tree=0, ntrees=1, princlen=0; - krb5_error_code tempst=0, st=0; + krb5_error_code tempst=0, st=0; char **values=NULL, *cname=NULL; - LDAP *ld=NULL; - LDAPMessage *result=NULL, *ent=NULL; + LDAP *ld=NULL; + LDAPMessage *result=NULL, *ent=NULL; krb5_ldap_context *ldap_context=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; - krb5_principal cprinc=NULL; + krb5_principal cprinc=NULL; /* Clear the global error string */ krb5_clear_error_message(context); @@ -126,7 +123,7 @@ krb5_ldap_get_principal(context, searchfor, flags, entries, nentries, more) memset(entries, 0, sizeof(*entries)); if (searchfor == NULL) - return EINVAL; + return EINVAL; dal_handle = context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; @@ -134,78 +131,78 @@ krb5_ldap_get_principal(context, searchfor, flags, entries, nentries, more) CHECK_LDAP_HANDLE(ldap_context); if (is_principal_in_realm(ldap_context, searchfor) != 0) { - *more = 0; - krb5_set_error_message (context, st, "Principal does not belong to realm"); - goto cleanup; + *more = 0; + krb5_set_error_message (context, st, "Principal does not belong to realm"); + goto cleanup; } if ((st=krb5_unparse_name(context, searchfor, &user)) != 0) - goto cleanup; + goto cleanup; if ((st=krb5_ldap_unparse_principal_name(user)) != 0) - goto cleanup; + goto cleanup; princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ if ((filter = malloc(princlen)) == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } snprintf(filter, princlen, FILTER"%s))", user); if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0) - goto cleanup; + goto cleanup; GET_HANDLE(); for (tree=0; tree < ntrees && *nentries == 0; ++tree) { - LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes); - for (ent=ldap_first_entry(ld, result); ent != NULL && *nentries == 0; ent=ldap_next_entry(ld, ent)) { - - /* get the associated directory user information */ - if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { - int i; - - /* a wild-card in a principal name can return a list of kerberos principals. - * Make sure that the correct principal is returned. - * NOTE: a principalname k* in ldap server will return all the principals starting with a k - */ - for (i=0; values[i] != NULL; ++i) { - if (strcmp(values[i], user) == 0) { - *nentries = 1; - break; - } - } - ldap_value_free(values); - - if (*nentries == 0) /* no matching principal found */ - continue; - } - - if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) { - if (values[0] && strcmp(values[0], user) != 0) { - /* We matched an alias, not the canonical name. */ - if (aliases_ok(flags)) { - st = krb5_ldap_parse_principal_name(values[0], &cname); - if (st != 0) - goto cleanup; - st = krb5_parse_name(context, cname, &cprinc); - if (st != 0) - goto cleanup; - } else /* No canonicalization, so don't return aliases. */ - *nentries = 0; - } - ldap_value_free(values); - if (*nentries == 0) - continue; - } - - if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, - cprinc ? cprinc : searchfor, - entries)) != 0) - goto cleanup; - } - ldap_msgfree(result); - result = NULL; + LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes); + for (ent=ldap_first_entry(ld, result); ent != NULL && *nentries == 0; ent=ldap_next_entry(ld, ent)) { + + /* get the associated directory user information */ + if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { + int i; + + /* a wild-card in a principal name can return a list of kerberos principals. + * Make sure that the correct principal is returned. + * NOTE: a principalname k* in ldap server will return all the principals starting with a k + */ + for (i=0; values[i] != NULL; ++i) { + if (strcmp(values[i], user) == 0) { + *nentries = 1; + break; + } + } + ldap_value_free(values); + + if (*nentries == 0) /* no matching principal found */ + continue; + } + + if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) { + if (values[0] && strcmp(values[0], user) != 0) { + /* We matched an alias, not the canonical name. */ + if (aliases_ok(flags)) { + st = krb5_ldap_parse_principal_name(values[0], &cname); + if (st != 0) + goto cleanup; + st = krb5_parse_name(context, cname, &cprinc); + if (st != 0) + goto cleanup; + } else /* No canonicalization, so don't return aliases. */ + *nentries = 0; + } + ldap_value_free(values); + if (*nentries == 0) + continue; + } + + if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, + cprinc ? cprinc : searchfor, + entries)) != 0) + goto cleanup; + } + ldap_msgfree(result); + result = NULL; } /* for (tree=0 ... */ /* once done, put back the ldap handle */ @@ -216,29 +213,29 @@ cleanup: ldap_msgfree(result); if (*nentries == 0 || st != 0) - krb5_dbe_free_contents(context, entries); + krb5_dbe_free_contents(context, entries); if (filter) - free (filter); + free (filter); if (subtree) { - for (; ntrees; --ntrees) - if (subtree[ntrees-1]) - free (subtree[ntrees-1]); - free (subtree); + for (; ntrees; --ntrees) + if (subtree[ntrees-1]) + free (subtree[ntrees-1]); + free (subtree); } if (ldap_server_handle) - krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); + krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); if (user) - free(user); + free(user); if (cname) - free(cname); + free(cname); if (cprinc) - krb5_free_principal(context, cprinc); + krb5_free_principal(context, cprinc); return st; } @@ -260,25 +257,21 @@ typedef struct _xargs_t { }xargs_t; static void -free_xargs(xargs) - xargs_t xargs; +free_xargs(xargs_t xargs) { if (xargs.dn) - free (xargs.dn); + free (xargs.dn); if (xargs.linkdn) - free(xargs.linkdn); + free(xargs.linkdn); if (xargs.containerdn) - free (xargs.containerdn); + free (xargs.containerdn); if (xargs.tktpolicydn) - free (xargs.tktpolicydn); + free (xargs.tktpolicydn); } static krb5_error_code -process_db_args(context, db_args, xargs, optype) - krb5_context context; - char **db_args; - xargs_t *xargs; - OPERATION optype; +process_db_args(krb5_context context, char **db_args, xargs_t *xargs, + OPERATION optype) { int i=0; krb5_error_code st=0; @@ -288,81 +281,81 @@ process_db_args(context, db_args, xargs, optype) unsigned int arg_val_len=0; if (db_args) { - for (i=0; db_args[i]; ++i) { - arg = strtok_r(db_args[i], "=", &arg_val); - if (strcmp(arg, TKTPOLICY_ARG) == 0) { - dptr = &xargs->tktpolicydn; - } else { - if (strcmp(arg, USERDN_ARG) == 0) { - if (optype == MODIFY_PRINCIPAL || - xargs->dn != NULL || xargs->containerdn != NULL || - xargs->linkdn != NULL) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), - "%s option not supported", arg); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } - dptr = &xargs->dn; - } else if (strcmp(arg, CONTAINERDN_ARG) == 0) { - if (optype == MODIFY_PRINCIPAL || - xargs->dn != NULL || xargs->containerdn != NULL) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), - "%s option not supported", arg); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } - dptr = &xargs->containerdn; - } else if (strcmp(arg, LINKDN_ARG) == 0) { - if (xargs->dn != NULL || xargs->linkdn != NULL) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), - "%s option not supported", arg); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } - dptr = &xargs->linkdn; - } else { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "unknown option: %s", arg); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } - - xargs->dn_from_kbd = TRUE; - if (arg_val == NULL || strlen(arg_val) == 0) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), - "%s option value missing", arg); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } - } - - if (arg_val == NULL) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), - "%s option value missing", arg); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } - arg_val_len = strlen(arg_val) + 1; - - if (strcmp(arg, TKTPOLICY_ARG) == 0) { - if ((st = krb5_ldap_name_to_policydn (context, - arg_val, - dptr)) != 0) - goto cleanup; - } else { - *dptr = calloc (1, arg_val_len); - if (*dptr == NULL) { - st = ENOMEM; - goto cleanup; - } - memcpy(*dptr, arg_val, arg_val_len); - } - } + for (i=0; db_args[i]; ++i) { + arg = strtok_r(db_args[i], "=", &arg_val); + if (strcmp(arg, TKTPOLICY_ARG) == 0) { + dptr = &xargs->tktpolicydn; + } else { + if (strcmp(arg, USERDN_ARG) == 0) { + if (optype == MODIFY_PRINCIPAL || + xargs->dn != NULL || xargs->containerdn != NULL || + xargs->linkdn != NULL) { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), + "%s option not supported", arg); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + dptr = &xargs->dn; + } else if (strcmp(arg, CONTAINERDN_ARG) == 0) { + if (optype == MODIFY_PRINCIPAL || + xargs->dn != NULL || xargs->containerdn != NULL) { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), + "%s option not supported", arg); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + dptr = &xargs->containerdn; + } else if (strcmp(arg, LINKDN_ARG) == 0) { + if (xargs->dn != NULL || xargs->linkdn != NULL) { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), + "%s option not supported", arg); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + dptr = &xargs->linkdn; + } else { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), "unknown option: %s", arg); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + + xargs->dn_from_kbd = TRUE; + if (arg_val == NULL || strlen(arg_val) == 0) { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), + "%s option value missing", arg); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + } + + if (arg_val == NULL) { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), + "%s option value missing", arg); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + arg_val_len = strlen(arg_val) + 1; + + if (strcmp(arg, TKTPOLICY_ARG) == 0) { + if ((st = krb5_ldap_name_to_policydn (context, + arg_val, + dptr)) != 0) + goto cleanup; + } else { + *dptr = calloc (1, arg_val_len); + if (*dptr == NULL) { + st = ENOMEM; + goto cleanup; + } + memcpy(*dptr, arg_val, arg_val_len); + } + } } cleanup: @@ -372,8 +365,8 @@ cleanup: krb5int_access accessor; static krb5_error_code -asn1_encode_sequence_of_keys (krb5_key_data *key_data, krb5_int16 n_key_data, - krb5_int32 mkvno, krb5_data **code) +asn1_encode_sequence_of_keys(krb5_key_data *key_data, krb5_int16 n_key_data, + krb5_int32 mkvno, krb5_data **code) { krb5_error_code err; ldap_seqof_key_data val; @@ -384,7 +377,7 @@ asn1_encode_sequence_of_keys (krb5_key_data *key_data, krb5_int16 n_key_data, */ err = kldap_ensure_initialized (); if (err) - return err; + return err; val.key_data = key_data; val.n_key_data = n_key_data; @@ -394,8 +387,8 @@ asn1_encode_sequence_of_keys (krb5_key_data *key_data, krb5_int16 n_key_data, } static krb5_error_code -asn1_decode_sequence_of_keys (krb5_data *in, krb5_key_data **out, - krb5_int16 *n_key_data, krb5_kvno *mkvno) +asn1_decode_sequence_of_keys(krb5_data *in, krb5_key_data **out, + krb5_int16 *n_key_data, krb5_kvno *mkvno) { krb5_error_code err; ldap_seqof_key_data *p; @@ -406,11 +399,11 @@ asn1_decode_sequence_of_keys (krb5_data *in, krb5_key_data **out, */ err = kldap_ensure_initialized (); if (err) - return err; + return err; err = accessor.asn1_ldap_decode_sequence_of_keys(in, &p); if (err) - return err; + return err; *out = p->key_data; *n_key_data = p->n_key_data; *mkvno = p->mkvno; @@ -421,7 +414,8 @@ asn1_decode_sequence_of_keys (krb5_data *in, krb5_key_data **out, /* Decoding ASN.1 encoded key */ static struct berval ** -krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data, krb5_kvno mkvno) { +krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data, + krb5_kvno mkvno) { struct berval **ret = NULL; int currkvno; int num_versions = 1; @@ -429,66 +423,68 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data, krb5_kvno mkvn krb5_error_code err = 0; if (n_key_data <= 0) - return NULL; + return NULL; /* Find the number of key versions */ for (i = 0; i < n_key_data - 1; i++) - if (key_data[i].key_data_kvno != key_data[i + 1].key_data_kvno) - num_versions++; + if (key_data[i].key_data_kvno != key_data[i + 1].key_data_kvno) + num_versions++; ret = (struct berval **) calloc (num_versions + 1, sizeof (struct berval *)); if (ret == NULL) { - err = ENOMEM; - goto cleanup; + err = ENOMEM; + goto cleanup; } for (i = 0, last = 0, j = 0, currkvno = key_data[0].key_data_kvno; i < n_key_data; i++) { - krb5_data *code; - if (i == n_key_data - 1 || key_data[i + 1].key_data_kvno != currkvno) { - asn1_encode_sequence_of_keys (key_data+last, - (krb5_int16) i - last + 1, - mkvno, - &code); - ret[j] = malloc (sizeof (struct berval)); - if (ret[j] == NULL) { - err = ENOMEM; - goto cleanup; - } - /*CHECK_NULL(ret[j]); */ - ret[j]->bv_len = code->length; - ret[j]->bv_val = code->data; - j++; - last = i + 1; - - currkvno = key_data[i].key_data_kvno; - } + krb5_data *code; + if (i == n_key_data - 1 || key_data[i + 1].key_data_kvno != currkvno) { + asn1_encode_sequence_of_keys (key_data+last, + (krb5_int16) i - last + 1, + mkvno, + &code); + ret[j] = malloc (sizeof (struct berval)); + if (ret[j] == NULL) { + err = ENOMEM; + goto cleanup; + } + /*CHECK_NULL(ret[j]); */ + ret[j]->bv_len = code->length; + ret[j]->bv_val = code->data; + j++; + last = i + 1; + + currkvno = key_data[i].key_data_kvno; + } } ret[num_versions] = NULL; cleanup: if (err != 0) { - if (ret != NULL) { - for (i = 0; i <= num_versions; i++) - if (ret[i] != NULL) - free (ret[i]); - free (ret); - ret = NULL; - } + if (ret != NULL) { + for (i = 0; i <= num_versions; i++) + if (ret[i] != NULL) + free (ret[i]); + free (ret); + ret = NULL; + } } return ret; } -static krb5_error_code tl_data2berval (krb5_tl_data *in, struct berval **out) { +static krb5_error_code +tl_data2berval (krb5_tl_data *in, struct berval **out) +{ *out = (struct berval *) malloc (sizeof (struct berval)); if (*out == NULL) - return ENOMEM; + return ENOMEM; (*out)->bv_len = in->tl_data_length + 2; (*out)->bv_val = (char *) malloc ((*out)->bv_len); if ((*out)->bv_val == NULL) { - free (*out); - return ENOMEM; + free (*out); + return ENOMEM; } STORE16_INT((*out)->bv_val, in->tl_data_type); @@ -498,20 +494,17 @@ static krb5_error_code tl_data2berval (krb5_tl_data *in, struct berval **out) { } krb5_error_code -krb5_ldap_put_principal(context, entries, nentries, db_args) - krb5_context context; - krb5_db_entry *entries; - register int *nentries; /* number of entry structs to update */ - char **db_args; +krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entries, + int *nentries, char **db_args) { - int i=0, l=0, kerberos_principal_object_type=0; - krb5_error_code st=0, tempst=0; - LDAP *ld=NULL; + int i=0, l=0, kerberos_principal_object_type=0; + krb5_error_code st=0, tempst=0; + LDAP *ld=NULL; LDAPMessage *result=NULL, *ent=NULL; char *user=NULL, *subtree=NULL, *principal_dn=NULL; char **values=NULL, *strval[10]={NULL}, errbuf[1024]; - struct berval **bersecretkey=NULL; - LDAPMod **mods=NULL; + struct berval **bersecretkey=NULL; + LDAPMod **mods=NULL; krb5_boolean create_standalone_prinicipal=FALSE; krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE; char *standalone_principal_dn=NULL; @@ -520,319 +513,319 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; - osa_princ_ent_rec princ_ent; + osa_princ_ent_rec princ_ent; xargs_t xargs = {0}; char *polname = NULL; OPERATION optype; - krb5_boolean found_entry = FALSE; + krb5_boolean found_entry = FALSE; /* Clear the global error string */ krb5_clear_error_message(context); SETUP_CONTEXT(); if (ldap_context->lrparams == NULL || ldap_context->krbcontainer == NULL) - return EINVAL; + return EINVAL; /* get ldap handle */ GET_HANDLE(); for (i=0; i < *nentries; ++i, ++entries) { - if (is_principal_in_realm(ldap_context, entries->princ) != 0) { - st = EINVAL; - krb5_set_error_message(context, st, "Principal does not belong to the default realm"); - goto cleanup; - } - - /* get the principal information to act on */ - if (entries->princ) { - if (((st=krb5_unparse_name(context, entries->princ, &user)) != 0) || - ((st=krb5_ldap_unparse_principal_name(user)) != 0)) - goto cleanup; - } - - /* Identity the type of operation, it can be - * add principal or modify principal. - * hack if the entries->mask has KRB_PRINCIPAL flag set - * then it is a add operation - */ - if (entries->mask & KADM5_PRINCIPAL) - optype = ADD_PRINCIPAL; - else - optype = MODIFY_PRINCIPAL; - - if (((st=krb5_get_princ_type(context, entries, &kerberos_principal_object_type)) != 0) || - ((st=krb5_get_userdn(context, entries, &principal_dn)) != 0)) - goto cleanup; - - if ((st=process_db_args(context, db_args, &xargs, optype)) != 0) - goto cleanup; - - if (entries->mask & KADM5_LOAD) { - int tree = 0, ntrees = 0, princlen = 0, numlentries = 0; - char **subtreelist = NULL, *filter = NULL; - - /* A load operation is special, will do a mix-in (add krbprinc - * attrs to a non-krb object entry) if an object exists with a - * matching krbprincipalname attribute so try to find existing - * object and set principal_dn. This assumes that the - * krbprincipalname attribute is unique (only one object entry has - * a particular krbprincipalname attribute). - */ - if (user == NULL) { - /* must have principal name for search */ - st = EINVAL; - krb5_set_error_message(context, st, "operation can not continue, principal name not found"); - goto cleanup; - } - princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ - if ((filter = malloc(princlen)) == NULL) { - st = ENOMEM; - goto cleanup; - } - snprintf(filter, princlen, FILTER"%s))", user); - - /* get the current subtree list */ - if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) - goto cleanup; - - found_entry = FALSE; - /* search for entry with matching krbprincipalname attribute */ - for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) { - result = NULL; - if (principal_dn == NULL) { - LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS); - } else { - /* just look for entry with principal_dn */ - LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS); - } - if (st == LDAP_SUCCESS) { - numlentries = ldap_count_entries(ld, result); - if (numlentries > 1) { - ldap_msgfree(result); - free(filter); - st = EINVAL; - krb5_set_error_message(context, st, - "operation can not continue, more than one entry with principal name \"%s\" found", - user); - goto cleanup; - } else if (numlentries == 1) { - found_entry = TRUE; - if (principal_dn == NULL) { - ent = ldap_first_entry(ld, result); - if (ent != NULL) { - /* setting principal_dn will cause that entry to be modified further down */ - if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) { - ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st); - st = set_ldap_error (context, st, 0); - ldap_msgfree(result); - free(filter); - goto cleanup; - } - } - } - } - if (result) - ldap_msgfree(result); - } else if (st != LDAP_NO_SUCH_OBJECT) { - /* could not perform search, return with failure */ - st = set_ldap_error (context, st, 0); - free(filter); - goto cleanup; - } - /* - * If it isn't found then assume a standalone princ entry is to - * be created. - */ - } /* end for (tree = 0; principal_dn == ... */ - - free(filter); - - if (found_entry == FALSE && principal_dn != NULL) { - /* - * if principal_dn is null then there is code further down to - * deal with setting standalone_principal_dn. Also note that - * this will set create_standalone_prinicipal true for - * non-mix-in entries which is okay if loading from a dump. - */ - create_standalone_prinicipal = TRUE; - standalone_principal_dn = strdup(principal_dn); - CHECK_NULL(standalone_principal_dn); - } - } /* end if (entries->mask & KADM5_LOAD */ - - /* time to generate the DN information with the help of - * containerdn, principalcontainerreference or - * realmcontainerdn information - */ - if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */ - /* get the subtree information */ - if (entries->princ->length == 2 && entries->princ->data[0].length == strlen("krbtgt") && - strncmp(entries->princ->data[0].data, "krbtgt", entries->princ->data[0].length) == 0) { - /* if the principal is a inter-realm principal, always created in the realm container */ - subtree = strdup(ldap_context->lrparams->realmdn); - } else if (xargs.containerdn) { - if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) { - if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) { - int ost = st; - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "'%s' not found: ", - xargs.containerdn); - prepend_err_str(context, errbuf, st, ost); - } - goto cleanup; - } - subtree = strdup(xargs.containerdn); - } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) { - /* - * Here the subtree should be changed with - * principalcontainerreference attribute value - */ - subtree = strdup(ldap_context->lrparams->containerref); - } else { - subtree = strdup(ldap_context->lrparams->realmdn); - } - CHECK_NULL(subtree); - - if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s", - user, subtree) < 0) - standalone_principal_dn = NULL; - CHECK_NULL(standalone_principal_dn); - /* - * free subtree when you are done using the subtree - * set the boolean create_standalone_prinicipal to TRUE - */ - create_standalone_prinicipal = TRUE; - free(subtree); - subtree = NULL; - } - - /* - * If the DN information is presented by the user, time to - * validate the input to ensure that the DN falls under - * any of the subtrees - */ - if (xargs.dn_from_kbd == TRUE) { - /* make sure the DN falls in the subtree */ - int tre=0, dnlen=0, subtreelen=0, ntrees=0; - char **subtreelist=NULL; - char *dn=NULL; - krb5_boolean outofsubtree=TRUE; - - if (xargs.dn != NULL) { - dn = xargs.dn; - } else if (xargs.linkdn != NULL) { - dn = xargs.linkdn; - } else if (standalone_principal_dn != NULL) { - /* - * Even though the standalone_principal_dn is constructed - * within this function, there is the containerdn input - * from the user that can become part of the it. - */ - dn = standalone_principal_dn; - } - - /* get the current subtree list */ - if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) - goto cleanup; - - for (tre=0; tre= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { - outofsubtree = FALSE; - break; - } - } - } - - for (tre=0; tre < ntrees; ++tre) { - free(subtreelist[tre]); - } - - if (outofsubtree == TRUE) { - st = EINVAL; - krb5_set_error_message(context, st, "DN is out of the realm subtree"); - goto cleanup; - } - - /* - * dn value will be set either by dn, linkdn or the standalone_principal_dn - * In the first 2 cases, the dn should be existing and in the last case we - * are supposed to create the ldap object. so the below should not be - * executed for the last case. - */ - - if (standalone_principal_dn == NULL) { - /* - * If the ldap object is missing, this results in an error. - */ - - /* - * Search for krbprincipalname attribute here. - * This is to find if a kerberos identity is already present - * on the ldap object, in which case adding a kerberos identity - * on the ldap object should result in an error. - */ - char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL}; - - LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); - if (st == LDAP_SUCCESS) { - ent = ldap_first_entry(ld, result); - if (ent != NULL) { - if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { - krb_identity_exists = TRUE; - ldap_value_free(values); - } - } - ldap_msgfree(result); - } else { - st = set_ldap_error(context, st, OP_SEARCH); - goto cleanup; - } - } - } - - /* - * If xargs.dn is set then the request is to add a - * kerberos principal on a ldap object, but if - * there is one already on the ldap object this - * should result in an error. - */ - - if (xargs.dn != NULL && krb_identity_exists == TRUE) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "ldap object is already kerberized"); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } - - if (xargs.linkdn != NULL) { - /* - * link information can be changed using modprinc. - * However, link information can be changed only on the - * standalone kerberos principal objects. A standalone - * kerberos principal object is of type krbprincipal - * structural objectclass. - * - * NOTE: kerberos principals on an ldap object can't be - * linked to other ldap objects. - */ - if (optype == MODIFY_PRINCIPAL && - kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), - "link information can not be set/updated as the kerberos principal belongs to an ldap object"); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } + if (is_principal_in_realm(ldap_context, entries->princ) != 0) { + st = EINVAL; + krb5_set_error_message(context, st, "Principal does not belong to the default realm"); + goto cleanup; + } + + /* get the principal information to act on */ + if (entries->princ) { + if (((st=krb5_unparse_name(context, entries->princ, &user)) != 0) || + ((st=krb5_ldap_unparse_principal_name(user)) != 0)) + goto cleanup; + } + + /* Identity the type of operation, it can be + * add principal or modify principal. + * hack if the entries->mask has KRB_PRINCIPAL flag set + * then it is a add operation + */ + if (entries->mask & KADM5_PRINCIPAL) + optype = ADD_PRINCIPAL; + else + optype = MODIFY_PRINCIPAL; + + if (((st=krb5_get_princ_type(context, entries, &kerberos_principal_object_type)) != 0) || + ((st=krb5_get_userdn(context, entries, &principal_dn)) != 0)) + goto cleanup; + + if ((st=process_db_args(context, db_args, &xargs, optype)) != 0) + goto cleanup; + + if (entries->mask & KADM5_LOAD) { + int tree = 0, ntrees = 0, princlen = 0, numlentries = 0; + char **subtreelist = NULL, *filter = NULL; + + /* A load operation is special, will do a mix-in (add krbprinc + * attrs to a non-krb object entry) if an object exists with a + * matching krbprincipalname attribute so try to find existing + * object and set principal_dn. This assumes that the + * krbprincipalname attribute is unique (only one object entry has + * a particular krbprincipalname attribute). + */ + if (user == NULL) { + /* must have principal name for search */ + st = EINVAL; + krb5_set_error_message(context, st, "operation can not continue, principal name not found"); + goto cleanup; + } + princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ + if ((filter = malloc(princlen)) == NULL) { + st = ENOMEM; + goto cleanup; + } + snprintf(filter, princlen, FILTER"%s))", user); + + /* get the current subtree list */ + if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) + goto cleanup; + + found_entry = FALSE; + /* search for entry with matching krbprincipalname attribute */ + for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) { + result = NULL; + if (principal_dn == NULL) { + LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS); + } else { + /* just look for entry with principal_dn */ + LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS); + } + if (st == LDAP_SUCCESS) { + numlentries = ldap_count_entries(ld, result); + if (numlentries > 1) { + ldap_msgfree(result); + free(filter); + st = EINVAL; + krb5_set_error_message(context, st, + "operation can not continue, more than one entry with principal name \"%s\" found", + user); + goto cleanup; + } else if (numlentries == 1) { + found_entry = TRUE; + if (principal_dn == NULL) { + ent = ldap_first_entry(ld, result); + if (ent != NULL) { + /* setting principal_dn will cause that entry to be modified further down */ + if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) { + ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st); + st = set_ldap_error (context, st, 0); + ldap_msgfree(result); + free(filter); + goto cleanup; + } + } + } + } + if (result) + ldap_msgfree(result); + } else if (st != LDAP_NO_SUCH_OBJECT) { + /* could not perform search, return with failure */ + st = set_ldap_error (context, st, 0); + free(filter); + goto cleanup; + } + /* + * If it isn't found then assume a standalone princ entry is to + * be created. + */ + } /* end for (tree = 0; principal_dn == ... */ + + free(filter); + + if (found_entry == FALSE && principal_dn != NULL) { + /* + * if principal_dn is null then there is code further down to + * deal with setting standalone_principal_dn. Also note that + * this will set create_standalone_prinicipal true for + * non-mix-in entries which is okay if loading from a dump. + */ + create_standalone_prinicipal = TRUE; + standalone_principal_dn = strdup(principal_dn); + CHECK_NULL(standalone_principal_dn); + } + } /* end if (entries->mask & KADM5_LOAD */ + + /* time to generate the DN information with the help of + * containerdn, principalcontainerreference or + * realmcontainerdn information + */ + if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */ + /* get the subtree information */ + if (entries->princ->length == 2 && entries->princ->data[0].length == strlen("krbtgt") && + strncmp(entries->princ->data[0].data, "krbtgt", entries->princ->data[0].length) == 0) { + /* if the principal is a inter-realm principal, always created in the realm container */ + subtree = strdup(ldap_context->lrparams->realmdn); + } else if (xargs.containerdn) { + if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) { + if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) { + int ost = st; + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), "'%s' not found: ", + xargs.containerdn); + prepend_err_str(context, errbuf, st, ost); + } + goto cleanup; + } + subtree = strdup(xargs.containerdn); + } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) { + /* + * Here the subtree should be changed with + * principalcontainerreference attribute value + */ + subtree = strdup(ldap_context->lrparams->containerref); + } else { + subtree = strdup(ldap_context->lrparams->realmdn); + } + CHECK_NULL(subtree); + + if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s", + user, subtree) < 0) + standalone_principal_dn = NULL; + CHECK_NULL(standalone_principal_dn); + /* + * free subtree when you are done using the subtree + * set the boolean create_standalone_prinicipal to TRUE + */ + create_standalone_prinicipal = TRUE; + free(subtree); + subtree = NULL; + } + + /* + * If the DN information is presented by the user, time to + * validate the input to ensure that the DN falls under + * any of the subtrees + */ + if (xargs.dn_from_kbd == TRUE) { + /* make sure the DN falls in the subtree */ + int tre=0, dnlen=0, subtreelen=0, ntrees=0; + char **subtreelist=NULL; + char *dn=NULL; + krb5_boolean outofsubtree=TRUE; + + if (xargs.dn != NULL) { + dn = xargs.dn; + } else if (xargs.linkdn != NULL) { + dn = xargs.linkdn; + } else if (standalone_principal_dn != NULL) { + /* + * Even though the standalone_principal_dn is constructed + * within this function, there is the containerdn input + * from the user that can become part of the it. + */ + dn = standalone_principal_dn; + } + + /* get the current subtree list */ + if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) + goto cleanup; + + for (tre=0; tre= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { + outofsubtree = FALSE; + break; + } + } + } + + for (tre=0; tre < ntrees; ++tre) { + free(subtreelist[tre]); + } + + if (outofsubtree == TRUE) { + st = EINVAL; + krb5_set_error_message(context, st, "DN is out of the realm subtree"); + goto cleanup; + } + + /* + * dn value will be set either by dn, linkdn or the standalone_principal_dn + * In the first 2 cases, the dn should be existing and in the last case we + * are supposed to create the ldap object. so the below should not be + * executed for the last case. + */ + + if (standalone_principal_dn == NULL) { + /* + * If the ldap object is missing, this results in an error. + */ + + /* + * Search for krbprincipalname attribute here. + * This is to find if a kerberos identity is already present + * on the ldap object, in which case adding a kerberos identity + * on the ldap object should result in an error. + */ + char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL}; + + LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); + if (st == LDAP_SUCCESS) { + ent = ldap_first_entry(ld, result); + if (ent != NULL) { + if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { + ldap_value_free(values); + } + + if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { + krb_identity_exists = TRUE; + ldap_value_free(values); + } + } + ldap_msgfree(result); + } else { + st = set_ldap_error(context, st, OP_SEARCH); + goto cleanup; + } + } + } + + /* + * If xargs.dn is set then the request is to add a + * kerberos principal on a ldap object, but if + * there is one already on the ldap object this + * should result in an error. + */ + + if (xargs.dn != NULL && krb_identity_exists == TRUE) { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), "ldap object is already kerberized"); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + + if (xargs.linkdn != NULL) { + /* + * link information can be changed using modprinc. + * However, link information can be changed only on the + * standalone kerberos principal objects. A standalone + * kerberos principal object is of type krbprincipal + * structural objectclass. + * + * NOTE: kerberos principals on an ldap object can't be + * linked to other ldap objects. + */ + if (optype == MODIFY_PRINCIPAL && + kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), + "link information can not be set/updated as the kerberos principal belongs to an ldap object"); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } /* * Check the link information. If there is already a link * existing then this operation is not allowed. @@ -860,412 +853,412 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) } } - establish_links = TRUE; - } - - if (entries->mask & KADM5_LAST_SUCCESS) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->last_success)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } - free (strval[0]); - } - - if (entries->mask & KADM5_LAST_FAILED) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->last_failed)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } - free(strval[0]); - } - - if (entries->mask & KADM5_FAIL_AUTH_COUNT) { - krb5_kvno fail_auth_count; - - fail_auth_count = entries->fail_auth_count; - if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) - fail_auth_count++; - - st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", - LDAP_MOD_REPLACE, - fail_auth_count); - if (st != 0) - goto cleanup; - } else if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) { - /* - * If the client library and server supports RFC 4525, - * then use it to increment by one the value of the - * krbLoginFailedCount attribute. Otherwise, assert the - * (provided) old value by deleting it before adding. - */ + establish_links = TRUE; + } + + if (entries->mask & KADM5_LAST_SUCCESS) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entries->last_success)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) { + free (strval[0]); + goto cleanup; + } + free (strval[0]); + } + + if (entries->mask & KADM5_LAST_FAILED) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entries->last_failed)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) { + free (strval[0]); + goto cleanup; + } + free(strval[0]); + } + + if (entries->mask & KADM5_FAIL_AUTH_COUNT) { + krb5_kvno fail_auth_count; + + fail_auth_count = entries->fail_auth_count; + if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) + fail_auth_count++; + + st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", + LDAP_MOD_REPLACE, + fail_auth_count); + if (st != 0) + goto cleanup; + } else if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) { + /* + * If the client library and server supports RFC 4525, + * then use it to increment by one the value of the + * krbLoginFailedCount attribute. Otherwise, assert the + * (provided) old value by deleting it before adding. + */ #ifdef LDAP_MOD_INCREMENT - if (ldap_server_handle->server_info->modify_increment) { - st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", - LDAP_MOD_INCREMENT, 1); - if (st != 0) - goto cleanup; - } else + if (ldap_server_handle->server_info->modify_increment) { + st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", + LDAP_MOD_INCREMENT, 1); + if (st != 0) + goto cleanup; + } else #endif /* LDAP_MOD_INCREMENT */ - if (entries->fail_auth_count == 0) { - /* - * Unfortunately we have no way of distinguishing between - * an absent and a zero-valued attribute by the time we are - * called here. So, although this creates a race condition, - * it appears impossible to assert the old value as that - * would fail were the attribute absent. - */ - st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", - LDAP_MOD_REPLACE, 1); - if (st != 0) - goto cleanup; - } else { - st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", - LDAP_MOD_DELETE, - entries->fail_auth_count); - if (st != 0) - goto cleanup; - - st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", - LDAP_MOD_ADD, - entries->fail_auth_count + 1); - if (st != 0) - goto cleanup; - } - } - - if (entries->mask & KADM5_MAX_LIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entries->max_life)) != 0) - goto cleanup; - } - - if (entries->mask & KADM5_MAX_RLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, - entries->max_renewable_life)) != 0) - goto cleanup; - } - - if (entries->mask & KADM5_ATTRIBUTES) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, - entries->attributes)) != 0) - goto cleanup; - } - - if (entries->mask & KADM5_PRINCIPAL) { - memset(strval, 0, sizeof(strval)); - strval[0] = user; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0) - goto cleanup; - } - - if (entries->mask & KADM5_PRINC_EXPIRE_TIME) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->expiration)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } - free (strval[0]); - } - - if (entries->mask & KADM5_PW_EXPIRATION) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration", - LDAP_MOD_REPLACE, - strval)) != 0) { - free (strval[0]); - goto cleanup; - } - free (strval[0]); - } - - if (entries->mask & KADM5_POLICY) { - memset(&princ_ent, 0, sizeof(princ_ent)); - for (tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) { - if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) { - /* FIX ME: I guess the princ_ent should be freed after this call */ - if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) { - goto cleanup; - } - } - } - - if (princ_ent.aux_attributes & KADM5_POLICY) { - memset(strval, 0, sizeof(strval)); - if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0) - goto cleanup; - strval[0] = polname; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) - goto cleanup; - } else { - st = EINVAL; - krb5_set_error_message(context, st, "Password policy value null"); - goto cleanup; - } - } else if (entries->mask & KADM5_LOAD && found_entry == TRUE) { - /* - * a load is special in that existing entries must have attrs that - * removed. - */ - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0) - goto cleanup; - } - - if (entries->mask & KADM5_POLICY_CLR) { - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) - goto cleanup; - } - - if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) { + if (entries->fail_auth_count == 0) { + /* + * Unfortunately we have no way of distinguishing between + * an absent and a zero-valued attribute by the time we are + * called here. So, although this creates a race condition, + * it appears impossible to assert the old value as that + * would fail were the attribute absent. + */ + st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", + LDAP_MOD_REPLACE, 1); + if (st != 0) + goto cleanup; + } else { + st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", + LDAP_MOD_DELETE, + entries->fail_auth_count); + if (st != 0) + goto cleanup; + + st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", + LDAP_MOD_ADD, + entries->fail_auth_count + 1); + if (st != 0) + goto cleanup; + } + } + + if (entries->mask & KADM5_MAX_LIFE) { + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entries->max_life)) != 0) + goto cleanup; + } + + if (entries->mask & KADM5_MAX_RLIFE) { + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, + entries->max_renewable_life)) != 0) + goto cleanup; + } + + if (entries->mask & KADM5_ATTRIBUTES) { + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, + entries->attributes)) != 0) + goto cleanup; + } + + if (entries->mask & KADM5_PRINCIPAL) { + memset(strval, 0, sizeof(strval)); + strval[0] = user; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0) + goto cleanup; + } + + if (entries->mask & KADM5_PRINC_EXPIRE_TIME) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entries->expiration)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) { + free (strval[0]); + goto cleanup; + } + free (strval[0]); + } + + if (entries->mask & KADM5_PW_EXPIRATION) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration", + LDAP_MOD_REPLACE, + strval)) != 0) { + free (strval[0]); + goto cleanup; + } + free (strval[0]); + } + + if (entries->mask & KADM5_POLICY) { + memset(&princ_ent, 0, sizeof(princ_ent)); + for (tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) { + if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) { + /* FIX ME: I guess the princ_ent should be freed after this call */ + if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) { + goto cleanup; + } + } + } + + if (princ_ent.aux_attributes & KADM5_POLICY) { + memset(strval, 0, sizeof(strval)); + if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0) + goto cleanup; + strval[0] = polname; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) + goto cleanup; + } else { + st = EINVAL; + krb5_set_error_message(context, st, "Password policy value null"); + goto cleanup; + } + } else if (entries->mask & KADM5_LOAD && found_entry == TRUE) { + /* + * a load is special in that existing entries must have attrs that + * removed. + */ + + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0) + goto cleanup; + } + + if (entries->mask & KADM5_POLICY_CLR) { + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) + goto cleanup; + } + + if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) { krb5_kvno mkvno; if ((st=krb5_dbe_lookup_mkvno(context, entries, &mkvno)) != 0) goto cleanup; - bersecretkey = krb5_encode_krbsecretkey (entries->key_data, - entries->n_key_data, mkvno); - - if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", - LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) - goto cleanup; - - if (!(entries->mask & KADM5_PRINCIPAL)) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, - "krbpasswordexpiration", - LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } - free (strval[0]); - } - - /* Update last password change whenever a new key is set */ - { - krb5_timestamp last_pw_changed; - if ((st=krb5_dbe_lookup_last_pwd_change(context, entries, - &last_pw_changed)) != 0) - goto cleanup; - - memset(strval, 0, sizeof(strval)); - if ((strval[0] = getstringtime(last_pw_changed)) == NULL) - goto cleanup; - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange", - LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } - free (strval[0]); - } - - } /* Modify Key data ends here */ - - /* Set tl_data */ - if (entries->tl_data != NULL) { - int count = 0; - struct berval **ber_tl_data = NULL; - krb5_tl_data *ptr; - for (ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { - if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE + bersecretkey = krb5_encode_krbsecretkey (entries->key_data, + entries->n_key_data, mkvno); + + if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", + LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) + goto cleanup; + + if (!(entries->mask & KADM5_PRINCIPAL)) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, + "krbpasswordexpiration", + LDAP_MOD_REPLACE, strval)) != 0) { + free (strval[0]); + goto cleanup; + } + free (strval[0]); + } + + /* Update last password change whenever a new key is set */ + { + krb5_timestamp last_pw_changed; + if ((st=krb5_dbe_lookup_last_pwd_change(context, entries, + &last_pw_changed)) != 0) + goto cleanup; + + memset(strval, 0, sizeof(strval)); + if ((strval[0] = getstringtime(last_pw_changed)) == NULL) + goto cleanup; + + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange", + LDAP_MOD_REPLACE, strval)) != 0) { + free (strval[0]); + goto cleanup; + } + free (strval[0]); + } + + } /* Modify Key data ends here */ + + /* Set tl_data */ + if (entries->tl_data != NULL) { + int count = 0; + struct berval **ber_tl_data = NULL; + krb5_tl_data *ptr; + for (ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { + if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE #ifdef SECURID - || ptr->tl_data_type == KRB5_TL_DB_ARGS + || ptr->tl_data_type == KRB5_TL_DB_ARGS #endif - || ptr->tl_data_type == KRB5_TL_KADM_DATA - || ptr->tl_data_type == KDB_TL_USER_INFO - || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL) - continue; - count++; - } - if (count != 0) { - int j; - ber_tl_data = (struct berval **) calloc (count + 1, - sizeof (struct berval*)); - if (ber_tl_data == NULL) { - st = ENOMEM; - goto cleanup; - } - for (j = 0, ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { - /* Ignore tl_data that are stored in separate directory - * attributes */ - if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE + || ptr->tl_data_type == KRB5_TL_KADM_DATA + || ptr->tl_data_type == KDB_TL_USER_INFO + || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL) + continue; + count++; + } + if (count != 0) { + int j; + ber_tl_data = (struct berval **) calloc (count + 1, + sizeof (struct berval*)); + if (ber_tl_data == NULL) { + st = ENOMEM; + goto cleanup; + } + for (j = 0, ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { + /* Ignore tl_data that are stored in separate directory + * attributes */ + if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE #ifdef SECURID - || ptr->tl_data_type == KRB5_TL_DB_ARGS + || ptr->tl_data_type == KRB5_TL_DB_ARGS #endif - || ptr->tl_data_type == KRB5_TL_KADM_DATA - || ptr->tl_data_type == KDB_TL_USER_INFO - || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL) - continue; - if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0) - break; - j++; - } - if (st != 0) { - for (j = 0; ber_tl_data[j] != NULL; j++) { - free (ber_tl_data[j]->bv_val); - free (ber_tl_data[j]); - } - free (ber_tl_data); - goto cleanup; - } - ber_tl_data[count] = NULL; - if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData", - LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, - ber_tl_data)) != 0) - goto cleanup; - } - } - - /* Directory specific attribute */ - if (xargs.tktpolicydn != NULL) { - int tmask=0; - - if (strlen(xargs.tktpolicydn) != 0) { - st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask); - CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: "); - - strval[0] = xargs.tktpolicydn; - strval[1] = NULL; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) - goto cleanup; - - } else { - /* if xargs.tktpolicydn is a empty string, then delete - * already existing krbticketpolicyreference attr */ - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) - goto cleanup; - } - - } - - if (establish_links == TRUE) { - memset(strval, 0, sizeof(strval)); - strval[0] = xargs.linkdn; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0) - goto cleanup; - } - - /* - * in case mods is NULL then return - * not sure but can happen in a modprinc - * so no need to return an error - * addprinc will at least have the principal name - * and the keys passed in - */ - if (mods == NULL) - goto cleanup; - - if (create_standalone_prinicipal == TRUE) { - memset(strval, 0, sizeof(strval)); - strval[0] = "krbprincipal"; - strval[1] = "krbprincipalaux"; - strval[2] = "krbTicketPolicyAux"; - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; - - st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); - if (st == LDAP_ALREADY_EXISTS && entries->mask & KADM5_LOAD) { - /* a load operation must replace an existing entry */ - st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL); - if (st != LDAP_SUCCESS) { - snprintf(errbuf, sizeof(errbuf), "Principal delete failed (trying to replace entry): %s", - ldap_err2string(st)); - st = translate_ldap_error (st, OP_ADD); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } else { - st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); - } - } - if (st != LDAP_SUCCESS) { - snprintf(errbuf, sizeof(errbuf), "Principal add failed: %s", ldap_err2string(st)); - st = translate_ldap_error (st, OP_ADD); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } - } else { - /* - * Here existing ldap object is modified and can be related - * to any attribute, so always ensure that the ldap - * object is extended with all the kerberos related - * objectclasses so that there are no constraint - * violations. - */ - { - char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL}; - int p, q, r=0, amask=0; - - if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn, - "objectclass", attrvalues, &amask)) != 0) - goto cleanup; - - memset(strval, 0, sizeof(strval)); - for (p=1, q=0; p<=2; p<<=1, ++q) { - if ((p & amask) == 0) - strval[r++] = attrvalues[q]; - } - if (r != 0) { - if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; - } - } - if (xargs.dn != NULL) - st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL); - else - st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL); - - if (st != LDAP_SUCCESS) { - snprintf(errbuf, sizeof(errbuf), "User modification failed: %s", ldap_err2string(st)); - st = translate_ldap_error (st, OP_MOD); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } - - if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) - entries->fail_auth_count++; - } + || ptr->tl_data_type == KRB5_TL_KADM_DATA + || ptr->tl_data_type == KDB_TL_USER_INFO + || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL) + continue; + if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0) + break; + j++; + } + if (st != 0) { + for (j = 0; ber_tl_data[j] != NULL; j++) { + free (ber_tl_data[j]->bv_val); + free (ber_tl_data[j]); + } + free (ber_tl_data); + goto cleanup; + } + ber_tl_data[count] = NULL; + if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData", + LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, + ber_tl_data)) != 0) + goto cleanup; + } + } + + /* Directory specific attribute */ + if (xargs.tktpolicydn != NULL) { + int tmask=0; + + if (strlen(xargs.tktpolicydn) != 0) { + st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask); + CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: "); + + strval[0] = xargs.tktpolicydn; + strval[1] = NULL; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) + goto cleanup; + + } else { + /* if xargs.tktpolicydn is a empty string, then delete + * already existing krbticketpolicyreference attr */ + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) + goto cleanup; + } + + } + + if (establish_links == TRUE) { + memset(strval, 0, sizeof(strval)); + strval[0] = xargs.linkdn; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0) + goto cleanup; + } + + /* + * in case mods is NULL then return + * not sure but can happen in a modprinc + * so no need to return an error + * addprinc will at least have the principal name + * and the keys passed in + */ + if (mods == NULL) + goto cleanup; + + if (create_standalone_prinicipal == TRUE) { + memset(strval, 0, sizeof(strval)); + strval[0] = "krbprincipal"; + strval[1] = "krbprincipalaux"; + strval[2] = "krbTicketPolicyAux"; + + if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) + goto cleanup; + + st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); + if (st == LDAP_ALREADY_EXISTS && entries->mask & KADM5_LOAD) { + /* a load operation must replace an existing entry */ + st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL); + if (st != LDAP_SUCCESS) { + snprintf(errbuf, sizeof(errbuf), "Principal delete failed (trying to replace entry): %s", + ldap_err2string(st)); + st = translate_ldap_error (st, OP_ADD); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } else { + st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); + } + } + if (st != LDAP_SUCCESS) { + snprintf(errbuf, sizeof(errbuf), "Principal add failed: %s", ldap_err2string(st)); + st = translate_ldap_error (st, OP_ADD); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + } else { + /* + * Here existing ldap object is modified and can be related + * to any attribute, so always ensure that the ldap + * object is extended with all the kerberos related + * objectclasses so that there are no constraint + * violations. + */ + { + char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL}; + int p, q, r=0, amask=0; + + if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn, + "objectclass", attrvalues, &amask)) != 0) + goto cleanup; + + memset(strval, 0, sizeof(strval)); + for (p=1, q=0; p<=2; p<<=1, ++q) { + if ((p & amask) == 0) + strval[r++] = attrvalues[q]; + } + if (r != 0) { + if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) + goto cleanup; + } + } + if (xargs.dn != NULL) + st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL); + else + st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL); + + if (st != LDAP_SUCCESS) { + snprintf(errbuf, sizeof(errbuf), "User modification failed: %s", ldap_err2string(st)); + st = translate_ldap_error (st, OP_MOD); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + + if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) + entries->fail_auth_count++; + } } cleanup: if (user) - free(user); + free(user); free_xargs(xargs); if (standalone_principal_dn) - free(standalone_principal_dn); + free(standalone_principal_dn); if (principal_dn) - free (principal_dn); + free (principal_dn); if (polname != NULL) - free(polname); + free(polname); if (subtree) - free (subtree); + free (subtree); if (bersecretkey) { - for (l=0; bersecretkey[l]; ++l) { - if (bersecretkey[l]->bv_val) - free (bersecretkey[l]->bv_val); - free (bersecretkey[l]); - } - free (bersecretkey); + for (l=0; bersecretkey[l]; ++l) { + if (bersecretkey[l]->bv_val) + free (bersecretkey[l]->bv_val); + free (bersecretkey[l]); + } + free (bersecretkey); } if (keys) - free (keys); + free (keys); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); @@ -1274,11 +1267,8 @@ cleanup: } krb5_error_code -krb5_read_tkt_policy (context, ldap_context, entries, policy) - krb5_context context; - krb5_ldap_context *ldap_context; - krb5_db_entry *entries; - char *policy; +krb5_read_tkt_policy(krb5_context context, krb5_ldap_context *ldap_context, + krb5_db_entry *entries, char *policy) { krb5_error_code st=0; unsigned int mask=0, omask=0; @@ -1286,40 +1276,40 @@ krb5_read_tkt_policy (context, ldap_context, entries, policy) krb5_ldap_policy_params *tktpoldnparam=NULL; if ((st=krb5_get_attributes_mask(context, entries, &mask)) != 0) - goto cleanup; + goto cleanup; if ((mask & tkt_mask) == tkt_mask) - goto cleanup; + goto cleanup; if (policy != NULL) { - st = krb5_ldap_read_policy(context, policy, &tktpoldnparam, &omask); - if (st && st != KRB5_KDB_NOENTRY) { - prepend_err_str(context, "Error reading ticket policy. ", st, st); - goto cleanup; - } + st = krb5_ldap_read_policy(context, policy, &tktpoldnparam, &omask); + if (st && st != KRB5_KDB_NOENTRY) { + prepend_err_str(context, "Error reading ticket policy. ", st, st); + goto cleanup; + } - st = 0; /* reset the return status */ + st = 0; /* reset the return status */ } if ((mask & KDB_MAX_LIFE_ATTR) == 0) { - if ((omask & KDB_MAX_LIFE_ATTR) == KDB_MAX_LIFE_ATTR) - entries->max_life = tktpoldnparam->maxtktlife; - else if (ldap_context->lrparams->max_life) - entries->max_life = ldap_context->lrparams->max_life; + if ((omask & KDB_MAX_LIFE_ATTR) == KDB_MAX_LIFE_ATTR) + entries->max_life = tktpoldnparam->maxtktlife; + else if (ldap_context->lrparams->max_life) + entries->max_life = ldap_context->lrparams->max_life; } if ((mask & KDB_MAX_RLIFE_ATTR) == 0) { - if ((omask & KDB_MAX_RLIFE_ATTR) == KDB_MAX_RLIFE_ATTR) - entries->max_renewable_life = tktpoldnparam->maxrenewlife; - else if (ldap_context->lrparams->max_renewable_life) - entries->max_renewable_life = ldap_context->lrparams->max_renewable_life; + if ((omask & KDB_MAX_RLIFE_ATTR) == KDB_MAX_RLIFE_ATTR) + entries->max_renewable_life = tktpoldnparam->maxrenewlife; + else if (ldap_context->lrparams->max_renewable_life) + entries->max_renewable_life = ldap_context->lrparams->max_renewable_life; } if ((mask & KDB_TKT_FLAGS_ATTR) == 0) { - if ((omask & KDB_TKT_FLAGS_ATTR) == KDB_TKT_FLAGS_ATTR) - entries->attributes = tktpoldnparam->tktflags; - else if (ldap_context->lrparams->tktflags) - entries->attributes |= ldap_context->lrparams->tktflags; + if ((omask & KDB_TKT_FLAGS_ATTR) == KDB_TKT_FLAGS_ATTR) + entries->attributes = tktpoldnparam->tktflags; + else if (ldap_context->lrparams->tktflags) + entries->attributes |= ldap_context->lrparams->tktflags; } krb5_ldap_free_policy(context, tktpoldnparam); @@ -1328,12 +1318,9 @@ cleanup: } krb5_error_code -krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data, mkvno) - krb5_context context; - krb5_db_entry *entries; - struct berval **bvalues; - krb5_tl_data *userinfo_tl_data; - krb5_kvno *mkvno; +krb5_decode_krbsecretkey(krb5_context context, krb5_db_entry *entries, + struct berval **bvalues, + krb5_tl_data *userinfo_tl_data, krb5_kvno *mkvno) { char *user=NULL; int i=0, j=0, noofkeys=0; @@ -1341,41 +1328,41 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data, mkvno) krb5_error_code st=0; if ((st=krb5_unparse_name(context, entries->princ, &user)) != 0) - goto cleanup; + goto cleanup; for (i=0; bvalues[i] != NULL; ++i) { - krb5_int16 n_kd; - krb5_key_data *kd; - krb5_data in; - - if (bvalues[i]->bv_len == 0) - continue; - in.length = bvalues[i]->bv_len; - in.data = bvalues[i]->bv_val; - - st = asn1_decode_sequence_of_keys (&in, - &kd, - &n_kd, - mkvno); - - if (st != 0) { - const char *msg = error_message(st); - st = -1; /* Something more appropriate ? */ - krb5_set_error_message (context, st, - "unable to decode stored principal key data (%s)", msg); - goto cleanup; - } - noofkeys += n_kd; - tmp = key_data; - key_data = realloc (key_data, noofkeys * sizeof (krb5_key_data)); - if (key_data == NULL) { - key_data = tmp; - st = ENOMEM; - goto cleanup; - } - for (j = 0; j < n_kd; j++) - key_data[noofkeys - n_kd + j] = kd[j]; - free (kd); + krb5_int16 n_kd; + krb5_key_data *kd; + krb5_data in; + + if (bvalues[i]->bv_len == 0) + continue; + in.length = bvalues[i]->bv_len; + in.data = bvalues[i]->bv_val; + + st = asn1_decode_sequence_of_keys (&in, + &kd, + &n_kd, + mkvno); + + if (st != 0) { + const char *msg = error_message(st); + st = -1; /* Something more appropriate ? */ + krb5_set_error_message (context, st, + "unable to decode stored principal key data (%s)", msg); + goto cleanup; + } + noofkeys += n_kd; + tmp = key_data; + key_data = realloc (key_data, noofkeys * sizeof (krb5_key_data)); + if (key_data == NULL) { + key_data = tmp; + st = ENOMEM; + goto cleanup; + } + for (j = 0; j < n_kd; j++) + key_data[noofkeys - n_kd + j] = kd[j]; + free (kd); } entries->n_key_data = noofkeys; @@ -1388,19 +1375,18 @@ cleanup: } static char * -getstringtime(epochtime) - krb5_timestamp epochtime; +getstringtime(krb5_timestamp epochtime) { struct tm tme; char *strtime=NULL; - time_t posixtime = epochtime; + time_t posixtime = epochtime; strtime = calloc (50, 1); if (strtime == NULL) - return NULL; + return NULL; if (gmtime_r(&posixtime, &tme) == NULL) - return NULL; + return NULL; strftime(strtime, 50, "%Y%m%d%H%M%SZ", &tme); return strtime; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c index ed63e0812..6d25ca1d8 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_pwd_policy.c * @@ -38,23 +39,21 @@ #include "ldap_err.h" static char *password_policy_attributes[] = { "cn", "krbmaxpwdlife", "krbminpwdlife", - "krbpwdmindiffchars", "krbpwdminlength", - "krbpwdhistorylength", "krbpwdmaxfailure", - "krbpwdfailurecountinterval", - "krbpwdlockoutduration", NULL }; + "krbpwdmindiffchars", "krbpwdminlength", + "krbpwdhistorylength", "krbpwdmaxfailure", + "krbpwdfailurecountinterval", + "krbpwdlockoutduration", NULL }; /* * Function to create password policy object. */ krb5_error_code -krb5_ldap_create_password_policy (context, policy) - krb5_context context; - osa_policy_ent_t policy; +krb5_ldap_create_password_policy(krb5_context context, osa_policy_ent_t policy) { - krb5_error_code st=0; - LDAP *ld=NULL; - LDAPMod **mods={NULL}; + krb5_error_code st=0; + LDAP *ld=NULL; + LDAPMod **mods={NULL}; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; @@ -65,61 +64,61 @@ krb5_ldap_create_password_policy (context, policy) /* validate the input parameters */ if (policy == NULL || policy->name == NULL) - return EINVAL; + return EINVAL; SETUP_CONTEXT(); GET_HANDLE(); st = krb5_ldap_name_to_policydn (context, policy->name, &policy_dn); if (st != 0) - goto cleanup; + goto cleanup; /* get the first component of the dn to set the cn attribute */ rdns = ldap_explode_dn(policy_dn, 1); if (rdns == NULL) { - st = EINVAL; - krb5_set_error_message(context, st, "Invalid password policy DN syntax"); - goto cleanup; + st = EINVAL; + krb5_set_error_message(context, st, "Invalid password policy DN syntax"); + goto cleanup; } strval[0] = rdns[0]; if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + goto cleanup; strval[0] = "krbPwdPolicy"; if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + goto cleanup; if (((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxpwdlife", LDAP_MOD_ADD, - (signed) policy->pw_max_life)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbminpwdlife", LDAP_MOD_ADD, - (signed) policy->pw_min_life)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmindiffchars", LDAP_MOD_ADD, - (signed) policy->pw_min_classes)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdminlength", LDAP_MOD_ADD, - (signed) policy->pw_min_length)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdhistorylength", LDAP_MOD_ADD, - (signed) policy->pw_history_num)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmaxfailure", LDAP_MOD_ADD, - (signed) policy->pw_max_fail)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdfailurecountinterval", LDAP_MOD_ADD, - (signed) policy->pw_failcnt_interval)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdlockoutduration", LDAP_MOD_ADD, - (signed) policy->pw_lockout_duration)) != 0)) - goto cleanup; + (signed) policy->pw_max_life)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbminpwdlife", LDAP_MOD_ADD, + (signed) policy->pw_min_life)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmindiffchars", LDAP_MOD_ADD, + (signed) policy->pw_min_classes)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdminlength", LDAP_MOD_ADD, + (signed) policy->pw_min_length)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdhistorylength", LDAP_MOD_ADD, + (signed) policy->pw_history_num)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmaxfailure", LDAP_MOD_ADD, + (signed) policy->pw_max_fail)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdfailurecountinterval", LDAP_MOD_ADD, + (signed) policy->pw_failcnt_interval)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdlockoutduration", LDAP_MOD_ADD, + (signed) policy->pw_lockout_duration)) != 0)) + goto cleanup; /* password policy object creation */ if ((st=ldap_add_ext_s(ld, policy_dn, mods, NULL, NULL)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_ADD); - goto cleanup; + st = set_ldap_error (context, st, OP_ADD); + goto cleanup; } cleanup: if (rdns) - ldap_value_free(rdns); + ldap_value_free(rdns); if (policy_dn != NULL) - free (policy_dn); + free (policy_dn); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return(st); @@ -130,14 +129,12 @@ cleanup: */ krb5_error_code -krb5_ldap_put_password_policy (context, policy) - krb5_context context; - osa_policy_ent_t policy; +krb5_ldap_put_password_policy(krb5_context context, osa_policy_ent_t policy) { char *policy_dn; - krb5_error_code st=0; - LDAP *ld=NULL; - LDAPMod **mods=NULL; + krb5_error_code st=0; + LDAP *ld=NULL; + LDAPMod **mods=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; @@ -147,32 +144,32 @@ krb5_ldap_put_password_policy (context, policy) /* validate the input parameters */ if (policy == NULL || policy->name == NULL) - return EINVAL; + return EINVAL; SETUP_CONTEXT(); GET_HANDLE(); st = krb5_ldap_name_to_policydn (context, policy->name, &policy_dn); if (st != 0) - goto cleanup; + goto cleanup; if (((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxpwdlife", LDAP_MOD_REPLACE, - (signed) policy->pw_max_life)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbminpwdlife", LDAP_MOD_REPLACE, - (signed) policy->pw_min_life)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmindiffchars", LDAP_MOD_REPLACE, - (signed) policy->pw_min_classes)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdminlength", LDAP_MOD_REPLACE, - (signed) policy->pw_min_length)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdhistorylength", LDAP_MOD_REPLACE, - (signed) policy->pw_history_num)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmaxfailure", LDAP_MOD_REPLACE, - (signed) policy->pw_max_fail)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdfailurecountinterval", LDAP_MOD_REPLACE, - (signed) policy->pw_failcnt_interval)) != 0) - || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdlockoutduration", LDAP_MOD_REPLACE, - (signed) policy->pw_lockout_duration)) != 0)) - goto cleanup; + (signed) policy->pw_max_life)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbminpwdlife", LDAP_MOD_REPLACE, + (signed) policy->pw_min_life)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmindiffchars", LDAP_MOD_REPLACE, + (signed) policy->pw_min_classes)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdminlength", LDAP_MOD_REPLACE, + (signed) policy->pw_min_length)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdhistorylength", LDAP_MOD_REPLACE, + (signed) policy->pw_history_num)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmaxfailure", LDAP_MOD_REPLACE, + (signed) policy->pw_max_fail)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdfailurecountinterval", LDAP_MOD_REPLACE, + (signed) policy->pw_failcnt_interval)) != 0) + || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdlockoutduration", LDAP_MOD_REPLACE, + (signed) policy->pw_lockout_duration)) != 0)) + goto cleanup; /* modify the password policy object. */ /* @@ -181,13 +178,13 @@ krb5_ldap_put_password_policy (context, policy) * management of only such policy objects. */ if ((st=ldap_modify_ext_s(ld, policy_dn, mods, NULL, NULL)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; + st = set_ldap_error (context, st, OP_MOD); + goto cleanup; } cleanup: if (policy_dn != NULL) - free (policy_dn); + free (policy_dn); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return(st); @@ -195,10 +192,10 @@ cleanup: static krb5_error_code populate_policy(krb5_context context, - LDAP *ld, - LDAPMessage *ent, - char *pol_name, - osa_policy_ent_t pol_entry) + LDAP *ld, + LDAPMessage *ent, + char *pol_name, + osa_policy_ent_t pol_entry) { int st = 0; char *pol_dn; @@ -220,7 +217,7 @@ populate_policy(krb5_context context, /* Get the reference count */ pol_dn = ldap_get_dn(ld, ent); st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference", - &(pol_entry->policy_refcnt), ld); + &(pol_entry->policy_refcnt), ld); ldap_memfree(pol_dn); cleanup: @@ -228,14 +225,12 @@ cleanup: } static krb5_error_code -krb5_ldap_get_password_policy_from_dn (krb5_context context, - char *pol_name, - char *pol_dn, - osa_policy_ent_t *policy, - int *cnt) +krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name, + char *pol_dn, osa_policy_ent_t *policy, + int *cnt) { krb5_error_code st=0, tempst=0; - LDAP *ld=NULL; + LDAP *ld=NULL; LDAPMessage *result=NULL,*ent=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; @@ -246,7 +241,7 @@ krb5_ldap_get_password_policy_from_dn (krb5_context context, /* validate the input parameters */ if (pol_dn == NULL) - return EINVAL; + return EINVAL; *policy = NULL; SETUP_CONTEXT(); @@ -255,8 +250,8 @@ krb5_ldap_get_password_policy_from_dn (krb5_context context, *cnt = 0; *(policy) = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec)); if (*policy == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } memset(*policy, 0, sizeof(osa_policy_ent_rec)); @@ -270,31 +265,31 @@ krb5_ldap_get_password_policy_from_dn (krb5_context context, ent=ldap_first_entry(ld, result); if (ent != NULL) { - if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0) - goto cleanup; + if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0) + goto cleanup; #if 0 /************** Begin IFDEF'ed OUT *******************************/ - krb5_ldap_get_value(ld, ent, "krbmaxpwdlife", &((*policy)->pw_max_life)); - krb5_ldap_get_value(ld, ent, "krbminpwdlife", &((*policy)->pw_min_life)); - krb5_ldap_get_value(ld, ent, "krbpwdmindiffchars", &((*policy)->pw_min_classes)); - krb5_ldap_get_value(ld, ent, "krbpwdminlength", &((*policy)->pw_min_length)); - krb5_ldap_get_value(ld, ent, "krbpwdhistorylength", &((*policy)->pw_history_num)); - - /* Get the reference count */ - st = krb5_ldap_get_reference_count (context, - name, - "krbPwdPolicyReference", - &(*policy)->policy_refcnt, - ld); + krb5_ldap_get_value(ld, ent, "krbmaxpwdlife", &((*policy)->pw_max_life)); + krb5_ldap_get_value(ld, ent, "krbminpwdlife", &((*policy)->pw_min_life)); + krb5_ldap_get_value(ld, ent, "krbpwdmindiffchars", &((*policy)->pw_min_classes)); + krb5_ldap_get_value(ld, ent, "krbpwdminlength", &((*policy)->pw_min_length)); + krb5_ldap_get_value(ld, ent, "krbpwdhistorylength", &((*policy)->pw_history_num)); + + /* Get the reference count */ + st = krb5_ldap_get_reference_count (context, + name, + "krbPwdPolicyReference", + &(*policy)->policy_refcnt, + ld); #endif /**************** END IFDEF'ed OUT *******************************/ } cleanup: ldap_msgfree(result); if (st != 0) { - if (*policy != NULL) { - krb5_ldap_free_password_policy(context, *policy); - *policy = NULL; - } + if (*policy != NULL) { + krb5_ldap_free_password_policy(context, *policy); + *policy = NULL; + } } krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); @@ -306,11 +301,8 @@ cleanup: * 'krb5_ldap_get_password_policy_from_dn' */ krb5_error_code -krb5_ldap_get_password_policy (context, name, policy, cnt) - krb5_context context; - char *name; - osa_policy_ent_t *policy; - int *cnt; +krb5_ldap_get_password_policy(krb5_context context, char *name, + osa_policy_ent_t *policy, int *cnt) { krb5_error_code st = 0; char *policy_dn = NULL; @@ -320,26 +312,24 @@ krb5_ldap_get_password_policy (context, name, policy, cnt) /* validate the input parameters */ if (name == NULL) { - st = EINVAL; - goto cleanup; + st = EINVAL; + goto cleanup; } st = krb5_ldap_name_to_policydn(context, name, &policy_dn); if (st != 0) - goto cleanup; + goto cleanup; st = krb5_ldap_get_password_policy_from_dn(context, name, policy_dn, policy, cnt); cleanup: if (policy_dn != NULL) - free (policy_dn); + free (policy_dn); return st; } krb5_error_code -krb5_ldap_delete_password_policy (context, policy) - krb5_context context; - char *policy; +krb5_ldap_delete_password_policy(krb5_context context, char *policy) { int mask = 0; char *policy_dn = NULL, *class[] = {"krbpwdpolicy", NULL}; @@ -354,49 +344,47 @@ krb5_ldap_delete_password_policy (context, policy) /* validate the input parameters */ if (policy == NULL) - return EINVAL; + return EINVAL; SETUP_CONTEXT(); GET_HANDLE(); st = krb5_ldap_name_to_policydn (context, policy, &policy_dn); if (st != 0) - goto cleanup; + goto cleanup; /* Ensure that the object is a password policy */ if ((st=checkattributevalue(ld, policy_dn, "objectclass", class, &mask)) != 0) - goto cleanup; + goto cleanup; if (mask == 0) { - st = KRB5_KDB_NOENTRY; - goto cleanup; + st = KRB5_KDB_NOENTRY; + goto cleanup; } if ((st=ldap_delete_ext_s(ld, policy_dn, NULL, NULL)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_DEL); - goto cleanup; + st = set_ldap_error (context, st, OP_DEL); + goto cleanup; } cleanup: krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); if (policy_dn != NULL) - free (policy_dn); + free (policy_dn); return st; } krb5_error_code -krb5_ldap_iterate_password_policy(context, match_expr, func, func_arg) - krb5_context context; - char *match_expr; - void (*func) (krb5_pointer, osa_policy_ent_t); - krb5_pointer func_arg; +krb5_ldap_iterate_password_policy(krb5_context context, char *match_expr, + void (*func)(krb5_pointer, osa_policy_ent_t), + krb5_pointer func_arg) { osa_policy_ent_rec *entry=NULL; - char *policy=NULL; + char *policy=NULL; krb5_error_code st=0, tempst=0; - LDAP *ld=NULL; - LDAPMessage *result=NULL, *ent=NULL; + LDAP *ld=NULL; + LDAPMessage *result=NULL, *ent=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; @@ -408,53 +396,53 @@ krb5_ldap_iterate_password_policy(context, match_expr, func, func_arg) GET_HANDLE(); if (ldap_context->lrparams->realmdn == NULL) { - st = EINVAL; - goto cleanup; + st = EINVAL; + goto cleanup; } LDAP_SEARCH(ldap_context->lrparams->realmdn, LDAP_SCOPE_ONELEVEL, "(objectclass=krbpwdpolicy)", password_policy_attributes); for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) { - krb5_boolean attr_present; - - st = krb5_ldap_get_string(ld, ent, "cn", &policy, &attr_present); - if (st != 0) - goto cleanup; - if (attr_present == FALSE) - continue; - - entry = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec)); - CHECK_NULL(entry); - memset(entry, 0, sizeof(osa_policy_ent_rec)); - if ((st = populate_policy(context, ld, ent, policy, entry)) != 0) - goto cleanup; + krb5_boolean attr_present; + + st = krb5_ldap_get_string(ld, ent, "cn", &policy, &attr_present); + if (st != 0) + goto cleanup; + if (attr_present == FALSE) + continue; + + entry = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec)); + CHECK_NULL(entry); + memset(entry, 0, sizeof(osa_policy_ent_rec)); + if ((st = populate_policy(context, ld, ent, policy, entry)) != 0) + goto cleanup; #if 0 /************** Begin IFDEF'ed OUT *******************************/ - entry->name = policy; - entry->version = 1; - - krb5_ldap_get_value(ld, ent, "krbmaxpwdlife", &(entry->pw_max_life)); - krb5_ldap_get_value(ld, ent, "krbminpwdlife", &(entry->pw_min_life)); - krb5_ldap_get_value(ld, ent, "krbpwdmindiffchars", &(entry->pw_min_classes)); - krb5_ldap_get_value(ld, ent, "krbpwdminlength", &(entry->pw_min_length)); - krb5_ldap_get_value(ld, ent, "krbpwdhistorylength", &(entry->pw_history_num)); - - /* Get the reference count */ - st = krb5_ldap_get_reference_count (context, - policy, - "krbPwdPolicyReference", - &(entry->policy_refcnt), - ld); + entry->name = policy; + entry->version = 1; + + krb5_ldap_get_value(ld, ent, "krbmaxpwdlife", &(entry->pw_max_life)); + krb5_ldap_get_value(ld, ent, "krbminpwdlife", &(entry->pw_min_life)); + krb5_ldap_get_value(ld, ent, "krbpwdmindiffchars", &(entry->pw_min_classes)); + krb5_ldap_get_value(ld, ent, "krbpwdminlength", &(entry->pw_min_length)); + krb5_ldap_get_value(ld, ent, "krbpwdhistorylength", &(entry->pw_history_num)); + + /* Get the reference count */ + st = krb5_ldap_get_reference_count (context, + policy, + "krbPwdPolicyReference", + &(entry->policy_refcnt), + ld); #endif /**************** END IFDEF'ed OUT *******************************/ - (*func)(func_arg, entry); - /* XXX this will free policy so don't free it */ - krb5_ldap_free_password_policy(context, entry); - entry = NULL; + (*func)(func_arg, entry); + /* XXX this will free policy so don't free it */ + krb5_ldap_free_password_policy(context, entry); + entry = NULL; } ldap_msgfree(result); cleanup: if (entry) - free (entry); + free (entry); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; @@ -466,9 +454,9 @@ krb5_ldap_free_password_policy (context, entry) osa_policy_ent_t entry; { if (entry) { - if (entry->name) - free(entry->name); - free(entry); + if (entry->name) + free(entry->name); + free(entry); } return; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h index 846014eb6..12396ac12 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_pwd_policy.h * @@ -32,23 +33,23 @@ #define _LDAP_KRBPWDPOLICY_H_ krb5_error_code -krb5_ldap_get_password_policy (krb5_context , char *, osa_policy_ent_t *, int *); +krb5_ldap_get_password_policy(krb5_context, char *, osa_policy_ent_t *, int *); krb5_error_code -krb5_ldap_create_password_policy (krb5_context , osa_policy_ent_t ); +krb5_ldap_create_password_policy(krb5_context, osa_policy_ent_t); krb5_error_code -krb5_ldap_put_password_policy ( krb5_context kcontext, osa_policy_ent_t policy ); +krb5_ldap_put_password_policy(krb5_context kcontext, osa_policy_ent_t policy); krb5_error_code -krb5_ldap_delete_password_policy ( krb5_context kcontext, char *policy ); +krb5_ldap_delete_password_policy (krb5_context kcontext, char *policy); krb5_error_code krb5_ldap_iterate_password_policy(krb5_context, char *, - void (*) (krb5_pointer, osa_policy_ent_t ), - krb5_pointer); + void (*)(krb5_pointer, osa_policy_ent_t), + krb5_pointer); void -krb5_ldap_free_password_policy( krb5_context kcontext, osa_policy_ent_t entry ); +krb5_ldap_free_password_policy(krb5_context kcontext, osa_policy_ent_t entry); #endif diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c index fc84019e5..7096c0b23 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_realm.c * @@ -41,18 +42,18 @@ #define END_OF_LIST -1 char *realm_attributes[] = {"krbSearchScope","krbSubTrees", "krbPrincContainerRef", - "krbMaxTicketLife", "krbMaxRenewableAge", - "krbTicketFlags", "krbUpEnabled", - "krbTicketPolicyReference", - "krbLdapServers", - "krbKdcServers", "krbAdmServers", - "krbPwdServers", NULL}; + "krbMaxTicketLife", "krbMaxRenewableAge", + "krbTicketFlags", "krbUpEnabled", + "krbTicketPolicyReference", + "krbLdapServers", + "krbKdcServers", "krbAdmServers", + "krbPwdServers", NULL}; char *policy_attributes[] = { "krbMaxTicketLife", - "krbMaxRenewableAge", - "krbTicketFlags", - NULL }; + "krbMaxRenewableAge", + "krbTicketFlags", + NULL }; @@ -74,83 +75,85 @@ char *krbContainerRefclass[] = { "krbContainerRefAux", NULL}; * Function to remove all special characters from a string (rfc2254). * Use whenever exact matching is to be done ... */ -char *ldap_filter_correct (char *in) +char * +ldap_filter_correct (char *in) { size_t i, count; char *out, *ptr; size_t len = strlen(in); for (i = 0, count = 0; i < len; i++) - switch (in[i]) { - case '*': - case '(': - case ')': - case '\\': - case '\0': - count ++; - } + switch (in[i]) { + case '*': + case '(': + case ')': + case '\\': + case '\0': + count ++; + } out = (char *)malloc((len + (count * 2) + 1) * sizeof (char)); assert (out != NULL); memset(out, 0, len + (count * 2) + 1); for (i = 0, ptr = out; i < len; i++) - switch (in[i]) { - case '*': - ptr[0] = '\\'; - ptr[1] = '2'; - ptr[2] = 'a'; - ptr += 3; - break; - case '(': - ptr[0] = '\\'; - ptr[1] = '2'; - ptr[2] = '8'; - ptr += 3; - break; - case ')': - ptr[0] = '\\'; - ptr[1] = '2'; - ptr[2] = '9'; - ptr += 3; - break; - case '\\': - ptr[0] = '\\'; - ptr[1] = '5'; - ptr[2] = 'c'; - ptr += 3; - break; - case '\0': - ptr[0] = '\\'; - ptr[1] = '0'; - ptr[2] = '0'; - ptr += 3; - break; - default: - ptr[0] = in[i]; - ptr += 1; - break; - } + switch (in[i]) { + case '*': + ptr[0] = '\\'; + ptr[1] = '2'; + ptr[2] = 'a'; + ptr += 3; + break; + case '(': + ptr[0] = '\\'; + ptr[1] = '2'; + ptr[2] = '8'; + ptr += 3; + break; + case ')': + ptr[0] = '\\'; + ptr[1] = '2'; + ptr[2] = '9'; + ptr += 3; + break; + case '\\': + ptr[0] = '\\'; + ptr[1] = '5'; + ptr[2] = 'c'; + ptr += 3; + break; + case '\0': + ptr[0] = '\\'; + ptr[1] = '0'; + ptr[2] = '0'; + ptr += 3; + break; + default: + ptr[0] = in[i]; + ptr += 1; + break; + } /* ptr[count - 1] = '\0'; */ return out; } -static int principal_in_realm_2(krb5_principal principal, char *realm) { +static int +principal_in_realm_2(krb5_principal principal, char *realm) { /* Cross realm trust ... */ if (principal->length == 2 && - principal->data[0].length == sizeof ("krbtgt") && - strncasecmp (principal->data[0].data, "krbtgt", sizeof ("krbtgt")) && - principal->data[1].length == strlen (realm) && - strncasecmp (principal->data[1].data, realm, strlen (realm))) - return 0; + principal->data[0].length == sizeof ("krbtgt") && + strncasecmp (principal->data[0].data, "krbtgt", sizeof ("krbtgt")) && + principal->data[1].length == strlen (realm) && + strncasecmp (principal->data[1].data, realm, strlen (realm))) + return 0; if (strlen(realm) != principal->realm.length) - return 1; + return 1; if (strncasecmp(realm, principal->realm.data, principal->realm.length) != 0) - return 1; + return 1; return 0; } @@ -160,13 +163,11 @@ static int principal_in_realm_2(krb5_principal principal, char *realm) { */ krb5_error_code -krb5_ldap_list_realm(context, realms) - krb5_context context; - char ***realms; +krb5_ldap_list_realm(krb5_context context, char ***realms) { char **values = NULL; unsigned int i = 0; - int count = 0; + int count = 0; krb5_error_code st = 0, tempst = 0; LDAP *ld = NULL; LDAPMessage *result = NULL, *ent = NULL; @@ -178,45 +179,45 @@ krb5_ldap_list_realm(context, realms) /* get the kerberos container DN information */ if (ldap_context->krbcontainer == NULL) { - if ((st = krb5_ldap_read_krbcontainer_params(context, - &(ldap_context->krbcontainer))) != 0) - goto cleanup; + if ((st = krb5_ldap_read_krbcontainer_params(context, + &(ldap_context->krbcontainer))) != 0) + goto cleanup; } /* get ldap handle */ GET_HANDLE (); { - char *cn[] = {"cn", NULL}; - LDAP_SEARCH(ldap_context->krbcontainer->DN, - LDAP_SCOPE_ONELEVEL, - "(objectclass=krbRealmContainer)", - cn); + char *cn[] = {"cn", NULL}; + LDAP_SEARCH(ldap_context->krbcontainer->DN, + LDAP_SCOPE_ONELEVEL, + "(objectclass=krbRealmContainer)", + cn); } *realms = NULL; count = ldap_count_entries (ld, result); if (count == -1) { - ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &st); - st = set_ldap_error (context, st, OP_SEARCH); - goto cleanup; + ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &st); + st = set_ldap_error (context, st, OP_SEARCH); + goto cleanup; } *realms = calloc((unsigned int) count+1, sizeof (char *)); CHECK_NULL(*realms); for (ent = ldap_first_entry(ld, result), count = 0; ent != NULL; - ent = ldap_next_entry(ld, ent)) { + ent = ldap_next_entry(ld, ent)) { - if ((values = ldap_get_values (ld, ent, "cn")) != NULL) { + if ((values = ldap_get_values (ld, ent, "cn")) != NULL) { - (*realms)[count] = strdup(values[0]); - CHECK_NULL((*realms)[count]); - count += 1; + (*realms)[count] = strdup(values[0]); + CHECK_NULL((*realms)[count]); + count += 1; - ldap_value_free(values); - } + ldap_value_free(values); + } } /* for (ent= ... */ ldap_msgfree(result); @@ -224,13 +225,13 @@ cleanup: /* some error, free up all the memory */ if (st != 0) { - if (*realms) { - for (i=0; (*realms)[i] != NULL; ++i) { - free ((*realms)[i]); - } - free (*realms); - *realms = NULL; - } + if (*realms) { + for (i=0; (*realms)[i] != NULL; ++i) { + free ((*realms)[i]); + } + free (*realms); + *realms = NULL; + } } /* If there are no elements, still return a NULL terminated array */ @@ -250,9 +251,7 @@ delete_password_policy (krb5_pointer ptr, osa_policy_ent_t pol) } krb5_error_code -krb5_ldap_delete_realm (context, lrealm) - krb5_context context; - char *lrealm; +krb5_ldap_delete_realm (krb5_context context, char *lrealm) { LDAP *ld = NULL; krb5_error_code st = 0, tempst=0; @@ -268,46 +267,46 @@ krb5_ldap_delete_realm (context, lrealm) SETUP_CONTEXT (); if (lrealm == NULL) { - st = EINVAL; - krb5_set_error_message (context, st, "Realm information not available"); - goto cleanup; + st = EINVAL; + krb5_set_error_message (context, st, "Realm information not available"); + goto cleanup; } if ((st=krb5_ldap_read_realm_params(context, lrealm, &rparam, &mask)) != 0) - goto cleanup; + goto cleanup; /* get ldap handle */ GET_HANDLE (); /* delete all the principals belonging to the realm in the tree */ { - char *attr[] = {"krbprincipalname", NULL}, *realm=NULL, filter[256]; - krb5_ldap_context lcontext; + char *attr[] = {"krbprincipalname", NULL}, *realm=NULL, filter[256]; + krb5_ldap_context lcontext; - realm = ldap_filter_correct (lrealm); - assert (sizeof (filter) >= sizeof ("(krbprincipalname=)") + - strlen (realm) + 2 /* "*@" */ + 1); + realm = ldap_filter_correct (lrealm); + assert (sizeof (filter) >= sizeof ("(krbprincipalname=)") + + strlen (realm) + 2 /* "*@" */ + 1); - snprintf (filter, sizeof(filter), "(krbprincipalname=*@%s)", realm); - free (realm); + snprintf (filter, sizeof(filter), "(krbprincipalname=*@%s)", realm); + free (realm); - /* LDAP_SEARCH(NULL, LDAP_SCOPE_SUBTREE, filter, attr); */ - memset(&lcontext, 0, sizeof(krb5_ldap_context)); - lcontext.lrparams = rparam; - if ((st=krb5_get_subtree_info(&lcontext, &subtrees, &ntree)) != 0) - goto cleanup; + /* LDAP_SEARCH(NULL, LDAP_SCOPE_SUBTREE, filter, attr); */ + memset(&lcontext, 0, sizeof(krb5_ldap_context)); + lcontext.lrparams = rparam; + if ((st=krb5_get_subtree_info(&lcontext, &subtrees, &ntree)) != 0) + goto cleanup; result_arr = (LDAPMessage **) calloc((unsigned int)ntree+1, - sizeof(LDAPMessage *)); + sizeof(LDAPMessage *)); if (result_arr == NULL) { st = ENOMEM; goto cleanup; } - for (l=0; l < ntree; ++l) { - LDAP_SEARCH(subtrees[l], rparam->search_scope, filter, attr); - result_arr[l] = result; - } + for (l=0; l < ntree; ++l) { + LDAP_SEARCH(subtrees[l], rparam->search_scope, filter, attr); + result_arr[l] = result; + } } /* NOTE: Here all the principals should be cached and the ldap handle should be freed, @@ -317,23 +316,23 @@ krb5_ldap_delete_realm (context, lrealm) * thread-safe this should suffice. */ for (j=0; (result=result_arr[j]) != NULL; ++j) { - for (ent = ldap_first_entry (ld, result); ent != NULL; - ent = ldap_next_entry (ld, ent)) { - if ((values = ldap_get_values(ld, ent, "krbPrincipalName")) != NULL) { - for (i = 0; values[i] != NULL; ++i) { - krb5_parse_name(context, values[i], &principal); - if (principal_in_realm_2(principal, lrealm) == 0) { - int nent = 0; - if ((st=krb5_ldap_delete_principal(context, principal, - &nent)) != LDAP_SUCCESS) - goto cleanup; - } - krb5_free_principal(context, principal); - } - ldap_value_free(values); - } - } - ldap_msgfree(result); + for (ent = ldap_first_entry (ld, result); ent != NULL; + ent = ldap_next_entry (ld, ent)) { + if ((values = ldap_get_values(ld, ent, "krbPrincipalName")) != NULL) { + for (i = 0; values[i] != NULL; ++i) { + krb5_parse_name(context, values[i], &principal); + if (principal_in_realm_2(principal, lrealm) == 0) { + int nent = 0; + if ((st=krb5_ldap_delete_principal(context, principal, + &nent)) != LDAP_SUCCESS) + goto cleanup; + } + krb5_free_principal(context, principal); + } + ldap_value_free(values); + } + } + ldap_msgfree(result); } /* Delete all password policies */ @@ -341,36 +340,36 @@ krb5_ldap_delete_realm (context, lrealm) /* Delete all ticket policies */ { - if ((st = krb5_ldap_list_policy (context, ldap_context->lrparams->realmdn, &policy)) != 0) { - prepend_err_str (context, "Error reading ticket policy: ", st, st); - goto cleanup; - } + if ((st = krb5_ldap_list_policy (context, ldap_context->lrparams->realmdn, &policy)) != 0) { + prepend_err_str (context, "Error reading ticket policy: ", st, st); + goto cleanup; + } - for (i = 0; policy [i] != NULL; i++) - krb5_ldap_delete_policy(context, policy[i]); + for (i = 0; policy [i] != NULL; i++) + krb5_ldap_delete_policy(context, policy[i]); } /* Delete the realm object */ if ((st=ldap_delete_ext_s(ld, ldap_context->lrparams->realmdn, NULL, NULL)) != LDAP_SUCCESS) { - int ost = st; - st = translate_ldap_error (st, OP_DEL); - krb5_set_error_message (context, st, "Realm Delete FAILED: %s", - ldap_err2string(ost)); + int ost = st; + st = translate_ldap_error (st, OP_DEL); + krb5_set_error_message (context, st, "Realm Delete FAILED: %s", + ldap_err2string(ost)); } cleanup: if (subtrees) { - for (l=0; l < ntree; ++l) { - if (subtrees[l]) - free (subtrees[l]); + for (l=0; l < ntree; ++l) { + if (subtrees[l]) + free (subtrees[l]); } - free (subtrees); + free (subtrees); } if (policy != NULL) { - for (i = 0; policy[i] != NULL; i++) - free (policy[i]); - free (policy); + for (i = 0; policy[i] != NULL; i++) + free (policy[i]); + free (policy); } krb5_ldap_free_realm_params(rparam); @@ -384,10 +383,8 @@ cleanup: */ krb5_error_code -krb5_ldap_modify_realm(context, rparams, mask) - krb5_context context; - krb5_ldap_realm_params *rparams; - int mask; +krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams, + int mask) { LDAP *ld=NULL; krb5_error_code st=0; @@ -409,29 +406,29 @@ krb5_ldap_modify_realm(context, rparams, mask) krb5_ldap_server_handle *ldap_server_handle=NULL; if (mask == 0) - return 0; + return 0; if (rparams == NULL) { - st = EINVAL; - return st; + st = EINVAL; + return st; } SETUP_CONTEXT (); /* Check validity of arguments */ if (ldap_context->krbcontainer == NULL || - rparams->tl_data == NULL || - rparams->tl_data->tl_data_contents == NULL || - ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) || - ((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) || + rparams->tl_data == NULL || + rparams->tl_data->tl_data_contents == NULL || + ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) || + ((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) || #ifdef HAVE_EDIRECTORY - ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) || - ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) || - ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) || + ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) || + ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) || + ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) || #endif - 0) { - st = EINVAL; - goto cleanup; + 0) { + st = EINVAL; + goto cleanup; } /* get ldap handle */ @@ -439,16 +436,16 @@ krb5_ldap_modify_realm(context, rparams, mask) /* get the oldmask obtained from the krb5_ldap_read_realm_params */ { - void *voidptr=NULL; - - if ((st=decode_tl_data(rparams->tl_data, KDB_TL_MASK, &voidptr)) == 0) { - oldmask = *((int *) voidptr); - free (voidptr); - } else { - st = EINVAL; - krb5_set_error_message (context, st, "tl_data not available"); - return st; - } + void *voidptr=NULL; + + if ((st=decode_tl_data(rparams->tl_data, KDB_TL_MASK, &voidptr)) == 0) { + oldmask = *((int *) voidptr); + free (voidptr); + } else { + st = EINVAL; + krb5_set_error_message (context, st, "tl_data not available"); + return st; + } } @@ -457,17 +454,17 @@ krb5_ldap_modify_realm(context, rparams, mask) if ( rparams->subtree!=NULL) { /*replace the subtrees with the present if the subtrees are present*/ for(k=0;ksubtreecount && rparams->subtree[k]!=NULL;k++) { - if (strlen(rparams->subtree[k]) != 0) { - st = checkattributevalue(ld, rparams->subtree[k], "Objectclass", subtreeclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, "subtree value: "); - } + if (strlen(rparams->subtree[k]) != 0) { + st = checkattributevalue(ld, rparams->subtree[k], "Objectclass", subtreeclass, + &objectmask); + CHECK_CLASS_VALIDITY(st, objectmask, "subtree value: "); + } + } + strval = rparams->subtree; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtrees", LDAP_MOD_REPLACE, + strval)) != 0) { + goto cleanup; } - strval = rparams->subtree; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtrees", LDAP_MOD_REPLACE, - strval)) != 0) { - goto cleanup; - } } } @@ -475,48 +472,48 @@ krb5_ldap_modify_realm(context, rparams, mask) if (mask & LDAP_REALM_CONTREF) { if (strlen(rparams->containerref) != 0 ) { st = checkattributevalue(ld, rparams->containerref, "Objectclass", subtreeclass, - &objectmask); + &objectmask); CHECK_CLASS_VALIDITY(st, objectmask, "container reference value: "); strvalprc[0] = rparams->containerref; strvalprc[1] = NULL; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbPrincContainerRef", LDAP_MOD_REPLACE, - strvalprc)) != 0) + strvalprc)) != 0) goto cleanup; } } /* SEARCHSCOPE ATTRIBUTE */ if (mask & LDAP_REALM_SEARCHSCOPE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_REPLACE, - (rparams->search_scope == LDAP_SCOPE_ONELEVEL - || rparams->search_scope == LDAP_SCOPE_SUBTREE) ? - rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_REPLACE, + (rparams->search_scope == LDAP_SCOPE_ONELEVEL + || rparams->search_scope == LDAP_SCOPE_SUBTREE) ? + rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0) + goto cleanup; } if (mask & LDAP_REALM_MAXRENEWLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_REPLACE, - rparams->max_renewable_life)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_REPLACE, + rparams->max_renewable_life)) != 0) + goto cleanup; } /* krbMaxTicketLife ATTRIBUTE */ if (mask & LDAP_REALM_MAXTICKETLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_REPLACE, - rparams->max_life)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_REPLACE, + rparams->max_life)) != 0) + goto cleanup; } /* krbTicketFlags ATTRIBUTE */ if (mask & LDAP_REALM_KRBTICKETFLAGS) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_REPLACE, - rparams->tktflags)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_REPLACE, + rparams->tktflags)) != 0) + goto cleanup; } @@ -524,44 +521,44 @@ krb5_ldap_modify_realm(context, rparams, mask) /* KDCSERVERS ATTRIBUTE */ if (mask & LDAP_REALM_KDCSERVERS) { - /* validate the server list */ - for (i=0; rparams->kdcservers[i] != NULL; ++i) { - st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, "kdc service object value: "); - } - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_REPLACE, - rparams->kdcservers)) != 0) - goto cleanup; + /* validate the server list */ + for (i=0; rparams->kdcservers[i] != NULL; ++i) { + st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass, + &objectmask); + CHECK_CLASS_VALIDITY(st, objectmask, "kdc service object value: "); + } + + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_REPLACE, + rparams->kdcservers)) != 0) + goto cleanup; } /* ADMINSERVERS ATTRIBUTE */ if (mask & LDAP_REALM_ADMINSERVERS) { - /* validate the server list */ - for (i=0; rparams->adminservers[i] != NULL; ++i) { - st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, "admin service object value: "); - } - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_REPLACE, - rparams->adminservers)) != 0) - goto cleanup; + /* validate the server list */ + for (i=0; rparams->adminservers[i] != NULL; ++i) { + st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass, + &objectmask); + CHECK_CLASS_VALIDITY(st, objectmask, "admin service object value: "); + } + + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_REPLACE, + rparams->adminservers)) != 0) + goto cleanup; } /* PASSWDSERVERS ATTRIBUTE */ if (mask & LDAP_REALM_PASSWDSERVERS) { - /* validate the server list */ - for (i=0; rparams->passwdservers[i] != NULL; ++i) { - st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, "password service object value: "); - } - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_REPLACE, - rparams->passwdservers)) != 0) - goto cleanup; + /* validate the server list */ + for (i=0; rparams->passwdservers[i] != NULL; ++i) { + st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass, + &objectmask); + CHECK_CLASS_VALIDITY(st, objectmask, "password service object value: "); + } + + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_REPLACE, + rparams->passwdservers)) != 0) + goto cleanup; } /* @@ -570,56 +567,56 @@ krb5_ldap_modify_realm(context, rparams, mask) * deletions/additions to the list. */ if (mask & LDAP_REALM_KDCSERVERS || mask & LDAP_REALM_ADMINSERVERS || - mask & LDAP_REALM_PASSWDSERVERS) { - char *servers[] = {"krbKdcServers", "krbAdmServers", "krbPwdServers", NULL}; - - if ((st= ldap_search_ext_s(ld, - rparams->realmdn, - LDAP_SCOPE_BASE, - 0, - servers, - 0, - NULL, - NULL, - NULL, - 0, - &result)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_SEARCH); - goto cleanup; - } - - ent = ldap_first_entry(ld, result); - if (ent) { - if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &oldkdcservers, count)) != 0) - goto cleanup; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &oldadminservers, count)) != 0) - goto cleanup; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &oldpasswdservers, count)) != 0) - goto cleanup; - ldap_value_free(values); - } - } - ldap_msgfree(result); + mask & LDAP_REALM_PASSWDSERVERS) { + char *servers[] = {"krbKdcServers", "krbAdmServers", "krbPwdServers", NULL}; + + if ((st= ldap_search_ext_s(ld, + rparams->realmdn, + LDAP_SCOPE_BASE, + 0, + servers, + 0, + NULL, + NULL, + NULL, + 0, + &result)) != LDAP_SUCCESS) { + st = set_ldap_error (context, st, OP_SEARCH); + goto cleanup; + } + + ent = ldap_first_entry(ld, result); + if (ent) { + if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) { + count = ldap_count_values(values); + if ((st=copy_arrays(values, &oldkdcservers, count)) != 0) + goto cleanup; + ldap_value_free(values); + } + + if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) { + count = ldap_count_values(values); + if ((st=copy_arrays(values, &oldadminservers, count)) != 0) + goto cleanup; + ldap_value_free(values); + } + + if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) { + count = ldap_count_values(values); + if ((st=copy_arrays(values, &oldpasswdservers, count)) != 0) + goto cleanup; + ldap_value_free(values); + } + } + ldap_msgfree(result); } #endif /* Realm modify opearation */ if (mods != NULL) { if ((st=ldap_modify_ext_s(ld, rparams->realmdn, mods, NULL, NULL)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; + st = set_ldap_error (context, st, OP_MOD); + goto cleanup; } } @@ -628,112 +625,112 @@ krb5_ldap_modify_realm(context, rparams, mask) * to the 4 servers' list. */ if (mask & LDAP_REALM_KDCSERVERS) { - char **newkdcservers=NULL; - - count = ldap_count_values(rparams->kdcservers); - if ((st=copy_arrays(rparams->kdcservers, &newkdcservers, count)) != 0) - goto cleanup; - - /* find the deletions and additions to the server list */ - if (oldkdcservers && newkdcservers) - disjoint_members(oldkdcservers, newkdcservers); - - /* delete the krbRealmReferences attribute from the servers that are dis-associated. */ - if (oldkdcservers) - for (i=0; oldkdcservers[i]; ++i) - if ((st=deleteAttribute(ld, oldkdcservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) { - snprintf (errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from %s: ", - oldkdcservers[i]); - prepend_err_str (context, errbuf, st, st); - goto cleanup; - } - - /* add the krbRealmReferences attribute from the servers that are associated. */ - if (newkdcservers) - for (i=0; newkdcservers[i]; ++i) - if ((st=updateAttribute(ld, newkdcservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) { - snprintf (errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ", - newkdcservers[i]); - prepend_err_str (context, errbuf, st, st); - goto cleanup; - } - - if (newkdcservers) - ldap_value_free(newkdcservers); + char **newkdcservers=NULL; + + count = ldap_count_values(rparams->kdcservers); + if ((st=copy_arrays(rparams->kdcservers, &newkdcservers, count)) != 0) + goto cleanup; + + /* find the deletions and additions to the server list */ + if (oldkdcservers && newkdcservers) + disjoint_members(oldkdcservers, newkdcservers); + + /* delete the krbRealmReferences attribute from the servers that are dis-associated. */ + if (oldkdcservers) + for (i=0; oldkdcservers[i]; ++i) + if ((st=deleteAttribute(ld, oldkdcservers[i], "krbRealmReferences", + rparams->realmdn)) != 0) { + snprintf (errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from %s: ", + oldkdcservers[i]); + prepend_err_str (context, errbuf, st, st); + goto cleanup; + } + + /* add the krbRealmReferences attribute from the servers that are associated. */ + if (newkdcservers) + for (i=0; newkdcservers[i]; ++i) + if ((st=updateAttribute(ld, newkdcservers[i], "krbRealmReferences", + rparams->realmdn)) != 0) { + snprintf (errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ", + newkdcservers[i]); + prepend_err_str (context, errbuf, st, st); + goto cleanup; + } + + if (newkdcservers) + ldap_value_free(newkdcservers); } if (mask & LDAP_REALM_ADMINSERVERS) { - char **newadminservers=NULL; - - count = ldap_count_values(rparams->adminservers); - if ((st=copy_arrays(rparams->adminservers, &newadminservers, count)) != 0) - goto cleanup; - - /* find the deletions and additions to the server list */ - if (oldadminservers && newadminservers) - disjoint_members(oldadminservers, newadminservers); - - /* delete the krbRealmReferences attribute from the servers that are dis-associated. */ - if (oldadminservers) - for (i=0; oldadminservers[i]; ++i) - if ((st=deleteAttribute(ld, oldadminservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) { - snprintf(errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from " - "%s: ", oldadminservers[i]); - prepend_err_str (context, errbuf, st, st); - goto cleanup; - } - - /* add the krbRealmReferences attribute from the servers that are associated. */ - if (newadminservers) - for (i=0; newadminservers[i]; ++i) - if ((st=updateAttribute(ld, newadminservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) { - snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ", - newadminservers[i]); - prepend_err_str (context, errbuf, st, st); - goto cleanup; - } - if (newadminservers) - ldap_value_free(newadminservers); + char **newadminservers=NULL; + + count = ldap_count_values(rparams->adminservers); + if ((st=copy_arrays(rparams->adminservers, &newadminservers, count)) != 0) + goto cleanup; + + /* find the deletions and additions to the server list */ + if (oldadminservers && newadminservers) + disjoint_members(oldadminservers, newadminservers); + + /* delete the krbRealmReferences attribute from the servers that are dis-associated. */ + if (oldadminservers) + for (i=0; oldadminservers[i]; ++i) + if ((st=deleteAttribute(ld, oldadminservers[i], "krbRealmReferences", + rparams->realmdn)) != 0) { + snprintf(errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from " + "%s: ", oldadminservers[i]); + prepend_err_str (context, errbuf, st, st); + goto cleanup; + } + + /* add the krbRealmReferences attribute from the servers that are associated. */ + if (newadminservers) + for (i=0; newadminservers[i]; ++i) + if ((st=updateAttribute(ld, newadminservers[i], "krbRealmReferences", + rparams->realmdn)) != 0) { + snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ", + newadminservers[i]); + prepend_err_str (context, errbuf, st, st); + goto cleanup; + } + if (newadminservers) + ldap_value_free(newadminservers); } if (mask & LDAP_REALM_PASSWDSERVERS) { - char **newpasswdservers=NULL; - - count = ldap_count_values(rparams->passwdservers); - if ((st=copy_arrays(rparams->passwdservers, &newpasswdservers, count)) != 0) - goto cleanup; - - /* find the deletions and additions to the server list */ - if (oldpasswdservers && newpasswdservers) - disjoint_members(oldpasswdservers, newpasswdservers); - - /* delete the krbRealmReferences attribute from the servers that are dis-associated. */ - if (oldpasswdservers) - for (i=0; oldpasswdservers[i]; ++i) - if ((st=deleteAttribute(ld, oldpasswdservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) { - snprintf(errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from " - "%s: ", oldpasswdservers[i]); - prepend_err_str (context, errbuf, st, st); - goto cleanup; - } - - /* add the krbRealmReferences attribute from the servers that are associated. */ - if (newpasswdservers) - for (i=0; newpasswdservers[i]; ++i) - if ((st=updateAttribute(ld, newpasswdservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) { - snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ", - newpasswdservers[i]); - prepend_err_str (context, errbuf, st, st); - goto cleanup; - } - if (newpasswdservers) - ldap_value_free(newpasswdservers); + char **newpasswdservers=NULL; + + count = ldap_count_values(rparams->passwdservers); + if ((st=copy_arrays(rparams->passwdservers, &newpasswdservers, count)) != 0) + goto cleanup; + + /* find the deletions and additions to the server list */ + if (oldpasswdservers && newpasswdservers) + disjoint_members(oldpasswdservers, newpasswdservers); + + /* delete the krbRealmReferences attribute from the servers that are dis-associated. */ + if (oldpasswdservers) + for (i=0; oldpasswdservers[i]; ++i) + if ((st=deleteAttribute(ld, oldpasswdservers[i], "krbRealmReferences", + rparams->realmdn)) != 0) { + snprintf(errbuf, sizeof(errbuf), "Error removing 'krbRealmReferences' from " + "%s: ", oldpasswdservers[i]); + prepend_err_str (context, errbuf, st, st); + goto cleanup; + } + + /* add the krbRealmReferences attribute from the servers that are associated. */ + if (newpasswdservers) + for (i=0; newpasswdservers[i]; ++i) + if ((st=updateAttribute(ld, newpasswdservers[i], "krbRealmReferences", + rparams->realmdn)) != 0) { + snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ", + newpasswdservers[i]); + prepend_err_str (context, errbuf, st, st); + goto cleanup; + } + if (newpasswdservers) + ldap_value_free(newpasswdservers); } #endif @@ -741,21 +738,21 @@ cleanup: #ifdef HAVE_EDIRECTORY if (oldkdcservers) { - for (i=0; oldkdcservers[i]; ++i) - free(oldkdcservers[i]); - free(oldkdcservers); + for (i=0; oldkdcservers[i]; ++i) + free(oldkdcservers[i]); + free(oldkdcservers); } if (oldadminservers) { - for (i=0; oldadminservers[i]; ++i) - free(oldadminservers[i]); - free(oldadminservers); + for (i=0; oldadminservers[i]; ++i) + free(oldadminservers[i]); + free(oldadminservers); } if (oldpasswdservers) { - for (i=0; oldpasswdservers[i]; ++i) - free(oldpasswdservers[i]); - free(oldpasswdservers); + for (i=0; oldpasswdservers[i]; ++i) + free(oldpasswdservers[i]); + free(oldpasswdservers); } #endif @@ -771,9 +768,9 @@ cleanup: */ krb5_error_code -krb5_ldap_create_krbcontainer(context, krbcontparams) - krb5_context context; - const krb5_ldap_krbcontainer_params *krbcontparams; +krb5_ldap_create_krbcontainer(krb5_context context, + const + krb5_ldap_krbcontainer_params *krbcontparams) { LDAP *ld=NULL; char *strval[2]={NULL}, *kerberoscontdn=NULL, **rdns=NULL; @@ -793,54 +790,54 @@ krb5_ldap_create_krbcontainer(context, krbcontparams) GET_HANDLE (); if (krbcontparams != NULL && krbcontparams->DN != NULL) { - kerberoscontdn = krbcontparams->DN; + kerberoscontdn = krbcontparams->DN; } else { - /* If the user has not given, use the default cn=Kerberos,cn=Security */ + /* If the user has not given, use the default cn=Kerberos,cn=Security */ #ifdef HAVE_EDIRECTORY - kerberoscontdn = KERBEROS_CONTAINER; + kerberoscontdn = KERBEROS_CONTAINER; #else - st = EINVAL; - krb5_set_error_message (context, st, "Kerberos Container information is missing"); - goto cleanup; + st = EINVAL; + krb5_set_error_message (context, st, "Kerberos Container information is missing"); + goto cleanup; #endif } strval[0] = "krbContainer"; strval[1] = NULL; if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + goto cleanup; rdns = ldap_explode_dn(kerberoscontdn, 1); if (rdns == NULL) { - st = EINVAL; - krb5_set_error_message(context, st, "Invalid Kerberos container DN"); - goto cleanup; + st = EINVAL; + krb5_set_error_message(context, st, "Invalid Kerberos container DN"); + goto cleanup; } strval[0] = rdns[0]; strval[1] = NULL; if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + goto cleanup; /* check if the policy reference value exists and is of krbticketpolicyreference object class */ if (krbcontparams && krbcontparams->policyreference) { - st = checkattributevalue(ld, krbcontparams->policyreference, "objectclass", policyclass, - &pmask); - CHECK_CLASS_VALIDITY(st, pmask, "ticket policy object value: "); - - strval[0] = krbcontparams->policyreference; - strval[1] = NULL; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_ADD, - strval)) != 0) - goto cleanup; + st = checkattributevalue(ld, krbcontparams->policyreference, "objectclass", policyclass, + &pmask); + CHECK_CLASS_VALIDITY(st, pmask, "ticket policy object value: "); + + strval[0] = krbcontparams->policyreference; + strval[1] = NULL; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_ADD, + strval)) != 0) + goto cleanup; } /* create the kerberos container */ if ((st = ldap_add_ext_s(ld, kerberoscontdn, mods, NULL, NULL)) != LDAP_SUCCESS) { - int ost = st; - st = translate_ldap_error (st, OP_ADD); - krb5_set_error_message (context, st, "Kerberos Container create FAILED: %s", ldap_err2string(ost)); - goto cleanup; + int ost = st; + st = translate_ldap_error (st, OP_ADD); + krb5_set_error_message (context, st, "Kerberos Container create FAILED: %s", ldap_err2string(ost)); + goto cleanup; } #ifdef HAVE_EDIRECTORY @@ -851,40 +848,40 @@ krb5_ldap_create_krbcontainer(context, krbcontparams) /* check whether the security container is bound to krbcontainerrefaux object class */ if ((st=checkattributevalue(ld, SECURITY_CONTAINER, "objectClass", - krbContainerRefclass, &crmask)) != 0) { - prepend_err_str (context, "Security Container read FAILED: ", st, st); - /* delete Kerberos Container, status ignored intentionally */ - ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL); - goto cleanup; + krbContainerRefclass, &crmask)) != 0) { + prepend_err_str (context, "Security Container read FAILED: ", st, st); + /* delete Kerberos Container, status ignored intentionally */ + ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL); + goto cleanup; } if (crmask == 0) { - /* Security Container is extended with krbcontainerrefaux object class */ - strval[0] = "krbContainerRefAux"; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + /* Security Container is extended with krbcontainerrefaux object class */ + strval[0] = "krbContainerRefAux"; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) + goto cleanup; } strval[0] = kerberoscontdn; strval[1] = NULL; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbcontainerreference", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + goto cleanup; /* update the security container with krbContainerReference attribute */ if ((st=ldap_modify_ext_s(ld, SECURITY_CONTAINER, mods, NULL, NULL)) != LDAP_SUCCESS) { - int ost = st; - st = translate_ldap_error (st, OP_MOD); - krb5_set_error_message (context, st, "Security Container update FAILED: %s", ldap_err2string(ost)); - /* delete Kerberos Container, status ignored intentionally */ - ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL); - goto cleanup; + int ost = st; + st = translate_ldap_error (st, OP_MOD); + krb5_set_error_message (context, st, "Security Container update FAILED: %s", ldap_err2string(ost)); + /* delete Kerberos Container, status ignored intentionally */ + ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL); + goto cleanup; } #endif cleanup: if (rdns) - ldap_value_free (rdns); + ldap_value_free (rdns); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); @@ -897,7 +894,8 @@ cleanup: krb5_error_code krb5_ldap_delete_krbcontainer(krb5_context context, - const krb5_ldap_krbcontainer_params *krbcontparams) + const + krb5_ldap_krbcontainer_params *krbcontparams) { LDAP *ld=NULL; char *kerberoscontdn=NULL; @@ -912,24 +910,24 @@ krb5_ldap_delete_krbcontainer(krb5_context context, GET_HANDLE (); if (krbcontparams != NULL && krbcontparams->DN != NULL) { - kerberoscontdn = krbcontparams->DN; + kerberoscontdn = krbcontparams->DN; } else { - /* If the user has not given, use the default cn=Kerberos,cn=Security */ + /* If the user has not given, use the default cn=Kerberos,cn=Security */ #ifdef HAVE_EDIRECTORY - kerberoscontdn = KERBEROS_CONTAINER; + kerberoscontdn = KERBEROS_CONTAINER; #else - st = EINVAL; - krb5_set_error_message (context, st, "Kerberos Container information is missing"); - goto cleanup; + st = EINVAL; + krb5_set_error_message (context, st, "Kerberos Container information is missing"); + goto cleanup; #endif } /* delete the kerberos container */ if ((st = ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL)) != LDAP_SUCCESS) { - int ost = st; - st = translate_ldap_error (st, OP_ADD); - krb5_set_error_message (context, st, "Kerberos Container delete FAILED: %s", ldap_err2string(ost)); - goto cleanup; + int ost = st; + st = translate_ldap_error (st, OP_ADD); + krb5_set_error_message (context, st, "Kerberos Container delete FAILED: %s", ldap_err2string(ost)); + goto cleanup; } cleanup: @@ -944,16 +942,14 @@ cleanup: */ krb5_error_code -krb5_ldap_create_realm(context, rparams, mask) - krb5_context context; - krb5_ldap_realm_params *rparams; - int mask; +krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams, + int mask) { LDAP *ld=NULL; krb5_error_code st=0; char *dn=NULL; char *strval[4]={NULL}; - char *contref[2]={NULL}; + char *contref[2]={NULL}; LDAPMod **mods = NULL; int i=0, objectmask=0, subtreecount=0; kdb5_dal_handle *dal_handle=NULL; @@ -968,26 +964,26 @@ krb5_ldap_create_realm(context, rparams, mask) /* Check input validity ... */ if (ldap_context->krbcontainer == NULL || - ldap_context->krbcontainer->DN == NULL || - rparams == NULL || - rparams->realm_name == NULL || - ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) || - ((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) || - ((mask & LDAP_REALM_POLICYREFERENCE) && rparams->policyreference == NULL) || + ldap_context->krbcontainer->DN == NULL || + rparams == NULL || + rparams->realm_name == NULL || + ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) || + ((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) || + ((mask & LDAP_REALM_POLICYREFERENCE) && rparams->policyreference == NULL) || #ifdef HAVE_EDIRECTORY - ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) || - ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) || - ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) || + ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) || + ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) || + ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) || #endif - 0) { - st = EINVAL; - return st; + 0) { + st = EINVAL; + return st; } if (ldap_context->krbcontainer == NULL) { - if ((st = krb5_ldap_read_krbcontainer_params(context, - &(ldap_context->krbcontainer))) != 0) - goto cleanup; + if ((st = krb5_ldap_read_krbcontainer_params(context, + &(ldap_context->krbcontainer))) != 0) + goto cleanup; } /* get ldap handle */ @@ -996,14 +992,14 @@ krb5_ldap_create_realm(context, rparams, mask) realm_name = rparams->realm_name; if (asprintf(&dn, "cn=%s,%s", realm_name, - ldap_context->krbcontainer->DN) < 0) - dn = NULL; + ldap_context->krbcontainer->DN) < 0) + dn = NULL; CHECK_NULL(dn); strval[0] = realm_name; strval[1] = NULL; if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + goto cleanup; strval[0] = "top"; strval[1] = "krbrealmcontainer"; @@ -1011,31 +1007,31 @@ krb5_ldap_create_realm(context, rparams, mask) strval[3] = NULL; if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + goto cleanup; /* SUBTREE ATTRIBUTE */ if (mask & LDAP_REALM_SUBTREE) { if ( rparams->subtree!=NULL) { - subtreecount = rparams->subtreecount; - for (i=0; rparams->subtree[i]!=NULL && isubtree[i]) != 0) { - st = checkattributevalue(ld, rparams->subtree[i], "Objectclass", subtreeclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, "realm object value: "); - } - } - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtrees", LDAP_MOD_ADD, - rparams->subtree)) != 0) { - goto cleanup; - } - } + subtreecount = rparams->subtreecount; + for (i=0; rparams->subtree[i]!=NULL && isubtree[i]) != 0) { + st = checkattributevalue(ld, rparams->subtree[i], "Objectclass", subtreeclass, + &objectmask); + CHECK_CLASS_VALIDITY(st, objectmask, "realm object value: "); + } + } + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtrees", LDAP_MOD_ADD, + rparams->subtree)) != 0) { + goto cleanup; + } + } } /* CONTAINER REFERENCE ATTRIBUTE */ if (mask & LDAP_REALM_CONTREF) { if (strlen(rparams->containerref) != 0 ) { st = checkattributevalue(ld, rparams->containerref, "Objectclass", subtreeclass, - &objectmask); + &objectmask); CHECK_CLASS_VALIDITY(st, objectmask, "realm object value: "); contref[0] = rparams->containerref; contref[1] = NULL; @@ -1047,35 +1043,35 @@ krb5_ldap_create_realm(context, rparams, mask) /* SEARCHSCOPE ATTRIBUTE */ if (mask & LDAP_REALM_SEARCHSCOPE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_ADD, - (rparams->search_scope == LDAP_SCOPE_ONELEVEL - || rparams->search_scope == LDAP_SCOPE_SUBTREE) ? - rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_ADD, + (rparams->search_scope == LDAP_SCOPE_ONELEVEL + || rparams->search_scope == LDAP_SCOPE_SUBTREE) ? + rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0) + goto cleanup; } if (mask & LDAP_REALM_MAXRENEWLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_ADD, - rparams->max_renewable_life)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_ADD, + rparams->max_renewable_life)) != 0) + goto cleanup; } /* krbMaxTicketLife ATTRIBUTE */ if (mask & LDAP_REALM_MAXTICKETLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_ADD, - rparams->max_life)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_ADD, + rparams->max_life)) != 0) + goto cleanup; } /* krbTicketFlags ATTRIBUTE */ if (mask & LDAP_REALM_KRBTICKETFLAGS) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_ADD, - rparams->tktflags)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_ADD, + rparams->tktflags)) != 0) + goto cleanup; } @@ -1083,95 +1079,95 @@ krb5_ldap_create_realm(context, rparams, mask) /* KDCSERVERS ATTRIBUTE */ if (mask & LDAP_REALM_KDCSERVERS) { - /* validate the server list */ - for (i=0; rparams->kdcservers[i] != NULL; ++i) { - st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, "kdc service object value: "); + /* validate the server list */ + for (i=0; rparams->kdcservers[i] != NULL; ++i) { + st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass, + &objectmask); + CHECK_CLASS_VALIDITY(st, objectmask, "kdc service object value: "); - } + } - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_ADD, - rparams->kdcservers)) != 0) - goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_ADD, + rparams->kdcservers)) != 0) + goto cleanup; } /* ADMINSERVERS ATTRIBUTE */ if (mask & LDAP_REALM_ADMINSERVERS) { - /* validate the server list */ - for (i=0; rparams->adminservers[i] != NULL; ++i) { - st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, "admin service object value: "); + /* validate the server list */ + for (i=0; rparams->adminservers[i] != NULL; ++i) { + st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass, + &objectmask); + CHECK_CLASS_VALIDITY(st, objectmask, "admin service object value: "); - } + } - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_ADD, - rparams->adminservers)) != 0) - goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_ADD, + rparams->adminservers)) != 0) + goto cleanup; } /* PASSWDSERVERS ATTRIBUTE */ if (mask & LDAP_REALM_PASSWDSERVERS) { - /* validate the server list */ - for (i=0; rparams->passwdservers[i] != NULL; ++i) { - st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, "password service object value: "); + /* validate the server list */ + for (i=0; rparams->passwdservers[i] != NULL; ++i) { + st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass, + &objectmask); + CHECK_CLASS_VALIDITY(st, objectmask, "password service object value: "); - } + } - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_ADD, - rparams->passwdservers)) != 0) - goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_ADD, + rparams->passwdservers)) != 0) + goto cleanup; } #endif /* realm creation operation */ if ((st=ldap_add_ext_s(ld, dn, mods, NULL, NULL)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_ADD); - goto cleanup; + st = set_ldap_error (context, st, OP_ADD); + goto cleanup; } #ifdef HAVE_EDIRECTORY if (mask & LDAP_REALM_KDCSERVERS) - for (i=0; rparams->kdcservers[i]; ++i) - if ((st=updateAttribute(ld, rparams->kdcservers[i], "krbRealmReferences", dn)) != 0) { - snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ", - rparams->kdcservers[i]); - prepend_err_str (context, errbuf, st, st); - /* delete Realm, status ignored intentionally */ - ldap_delete_ext_s(ld, dn, NULL, NULL); - goto cleanup; - } + for (i=0; rparams->kdcservers[i]; ++i) + if ((st=updateAttribute(ld, rparams->kdcservers[i], "krbRealmReferences", dn)) != 0) { + snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ", + rparams->kdcservers[i]); + prepend_err_str (context, errbuf, st, st); + /* delete Realm, status ignored intentionally */ + ldap_delete_ext_s(ld, dn, NULL, NULL); + goto cleanup; + } if (mask & LDAP_REALM_ADMINSERVERS) - for (i=0; rparams->adminservers[i]; ++i) - if ((st=updateAttribute(ld, rparams->adminservers[i], "krbRealmReferences", dn)) != 0) { - snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ", - rparams->adminservers[i]); - prepend_err_str (context, errbuf, st, st); - /* delete Realm, status ignored intentionally */ - ldap_delete_ext_s(ld, dn, NULL, NULL); - goto cleanup; - } + for (i=0; rparams->adminservers[i]; ++i) + if ((st=updateAttribute(ld, rparams->adminservers[i], "krbRealmReferences", dn)) != 0) { + snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ", + rparams->adminservers[i]); + prepend_err_str (context, errbuf, st, st); + /* delete Realm, status ignored intentionally */ + ldap_delete_ext_s(ld, dn, NULL, NULL); + goto cleanup; + } if (mask & LDAP_REALM_PASSWDSERVERS) - for (i=0; rparams->passwdservers[i]; ++i) - if ((st=updateAttribute(ld, rparams->passwdservers[i], "krbRealmReferences", dn)) != 0) { - snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ", - rparams->passwdservers[i]); - prepend_err_str (context, errbuf, st, st); - /* delete Realm, status ignored intentionally */ - ldap_delete_ext_s(ld, dn, NULL, NULL); - goto cleanup; - } + for (i=0; rparams->passwdservers[i]; ++i) + if ((st=updateAttribute(ld, rparams->passwdservers[i], "krbRealmReferences", dn)) != 0) { + snprintf(errbuf, sizeof(errbuf), "Error adding 'krbRealmReferences' to %s: ", + rparams->passwdservers[i]); + prepend_err_str (context, errbuf, st, st); + /* delete Realm, status ignored intentionally */ + ldap_delete_ext_s(ld, dn, NULL, NULL); + goto cleanup; + } #endif cleanup: if (dn) - free(dn); + free(dn); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); @@ -1183,11 +1179,8 @@ cleanup: */ krb5_error_code -krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) - krb5_context context; - char *lrealm; - krb5_ldap_realm_params **rlparamp; - int *mask; +krb5_ldap_read_realm_params(krb5_context context, char *lrealm, + krb5_ldap_realm_params **rlparamp, int *mask) { char **values=NULL, *krbcontDN=NULL /*, *curr=NULL */; #ifdef HAVE_EDIRECTORY @@ -1206,17 +1199,17 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) /* validate the input parameter */ if (lrealm == NULL || - ldap_context->krbcontainer == NULL || - ldap_context->krbcontainer->DN == NULL) { - st = EINVAL; - goto cleanup; + ldap_context->krbcontainer == NULL || + ldap_context->krbcontainer->DN == NULL) { + st = EINVAL; + goto cleanup; } /* read kerberos container, if not read already */ if (ldap_context->krbcontainer == NULL) { - if ((st = krb5_ldap_read_krbcontainer_params(context, - &(ldap_context->krbcontainer))) != 0) - goto cleanup; + if ((st = krb5_ldap_read_krbcontainer_params(context, + &(ldap_context->krbcontainer))) != 0) + goto cleanup; } /* get ldap handle */ GET_HANDLE (); @@ -1229,8 +1222,8 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) /* allocate tl_data structure to store MASK information */ rlparams->tl_data = malloc (sizeof(krb5_tl_data)); if (rlparams->tl_data == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } memset(rlparams->tl_data, 0, sizeof(krb5_tl_data)); rlparams->tl_data->tl_data_type = KDB_TL_USER_INFO; @@ -1244,9 +1237,9 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) krbcontDN = ldap_context->krbcontainer->DN; if (asprintf(&rlparams->realmdn, "cn=%s,%s", lrealm, krbcontDN) < 0) { - rlparams->realmdn = NULL; - st = ENOMEM; - goto cleanup; + rlparams->realmdn = NULL; + st = ENOMEM; + goto cleanup; } /* populate the realm name in the structure */ @@ -1265,33 +1258,33 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) ent = ldap_first_entry (ld, result); if (ent == NULL) { - ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, (void *) &st); + ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, (void *) &st); #if 0 - st = translate_ldap_error(st, OP_SEARCH); + st = translate_ldap_error(st, OP_SEARCH); #endif - goto cleanup; + goto cleanup; } /* Read the attributes */ { - if ((values=ldap_get_values(ld, ent, "krbSubTrees")) != NULL) { + if ((values=ldap_get_values(ld, ent, "krbSubTrees")) != NULL) { rlparams->subtreecount = ldap_count_values(values); rlparams->subtree = (char **) malloc(sizeof(char *) * (rlparams->subtreecount + 1)); - if (rlparams->subtree == NULL) { - st = ENOMEM; - goto cleanup; - } + if (rlparams->subtree == NULL) { + st = ENOMEM; + goto cleanup; + } for (x=0; xsubtreecount; x++) { rlparams->subtree[x] = strdup(values[x]); - if (rlparams->subtree[x] == NULL) { - st = ENOMEM; - goto cleanup; - } + if (rlparams->subtree[x] == NULL) { + st = ENOMEM; + goto cleanup; + } } rlparams->subtree[rlparams->subtreecount] = NULL; - *mask |= LDAP_REALM_SUBTREE; - ldap_value_free(values); - } + *mask |= LDAP_REALM_SUBTREE; + ldap_value_free(values); + } if((values=ldap_get_values(ld, ent, "krbPrincContainerRef")) != NULL) { rlparams->containerref = strdup(values[0]); @@ -1303,58 +1296,58 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) ldap_value_free(values); } - if ((values=ldap_get_values(ld, ent, "krbSearchScope")) != NULL) { - rlparams->search_scope=atoi(values[0]); - /* searchscope can be ONE-LEVEL or SUBTREE, else default to SUBTREE */ - if (!(rlparams->search_scope==1 || rlparams->search_scope==2)) - rlparams->search_scope = LDAP_SCOPE_SUBTREE; - *mask |= LDAP_REALM_SEARCHSCOPE; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbMaxTicketLife")) != NULL) { - rlparams->max_life = atoi(values[0]); - *mask |= LDAP_REALM_MAXTICKETLIFE; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbMaxRenewableAge")) != NULL) { - rlparams->max_renewable_life = atoi(values[0]); - *mask |= LDAP_REALM_MAXRENEWLIFE; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbTicketFlags")) != NULL) { - rlparams->tktflags = atoi(values[0]); - *mask |= LDAP_REALM_KRBTICKETFLAGS; - ldap_value_free(values); - } + if ((values=ldap_get_values(ld, ent, "krbSearchScope")) != NULL) { + rlparams->search_scope=atoi(values[0]); + /* searchscope can be ONE-LEVEL or SUBTREE, else default to SUBTREE */ + if (!(rlparams->search_scope==1 || rlparams->search_scope==2)) + rlparams->search_scope = LDAP_SCOPE_SUBTREE; + *mask |= LDAP_REALM_SEARCHSCOPE; + ldap_value_free(values); + } + + if ((values=ldap_get_values(ld, ent, "krbMaxTicketLife")) != NULL) { + rlparams->max_life = atoi(values[0]); + *mask |= LDAP_REALM_MAXTICKETLIFE; + ldap_value_free(values); + } + + if ((values=ldap_get_values(ld, ent, "krbMaxRenewableAge")) != NULL) { + rlparams->max_renewable_life = atoi(values[0]); + *mask |= LDAP_REALM_MAXRENEWLIFE; + ldap_value_free(values); + } + + if ((values=ldap_get_values(ld, ent, "krbTicketFlags")) != NULL) { + rlparams->tktflags = atoi(values[0]); + *mask |= LDAP_REALM_KRBTICKETFLAGS; + ldap_value_free(values); + } #ifdef HAVE_EDIRECTORY - if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &(rlparams->kdcservers), (int) count)) != 0) - goto cleanup; - *mask |= LDAP_REALM_KDCSERVERS; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &(rlparams->adminservers), (int) count)) != 0) - goto cleanup; - *mask |= LDAP_REALM_ADMINSERVERS; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &(rlparams->passwdservers), (int) count)) != 0) - goto cleanup; - *mask |= LDAP_REALM_PASSWDSERVERS; - ldap_value_free(values); - } + if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) { + count = ldap_count_values(values); + if ((st=copy_arrays(values, &(rlparams->kdcservers), (int) count)) != 0) + goto cleanup; + *mask |= LDAP_REALM_KDCSERVERS; + ldap_value_free(values); + } + + if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) { + count = ldap_count_values(values); + if ((st=copy_arrays(values, &(rlparams->adminservers), (int) count)) != 0) + goto cleanup; + *mask |= LDAP_REALM_ADMINSERVERS; + ldap_value_free(values); + } + + if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) { + count = ldap_count_values(values); + if ((st=copy_arrays(values, &(rlparams->passwdservers), (int) count)) != 0) + goto cleanup; + *mask |= LDAP_REALM_PASSWDSERVERS; + ldap_value_free(values); + } #endif } ldap_msgfree(result); @@ -1366,42 +1359,42 @@ krb5_ldap_read_realm_params(context, lrealm, rlparamp, mask) */ if ((!(*mask & LDAP_REALM_MAXTICKETLIFE && *mask & LDAP_REALM_MAXRENEWLIFE && - *mask & LDAP_REALM_KRBTICKETFLAGS)) && rlparams->policyreference) { - - LDAP_SEARCH_1(rlparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS); - if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) { - int ost = st; - st = translate_ldap_error (st, OP_SEARCH); - krb5_set_error_message (context, st, "Policy object read failed: %s", ldap_err2string(ost)); - goto cleanup; - } - ent = ldap_first_entry (ld, result); - if (ent != NULL) { - if ((*mask & LDAP_REALM_MAXTICKETLIFE) == 0) { - if ((values=ldap_get_values(ld, ent, "krbmaxticketlife")) != NULL) { - rlparams->max_life = atoi(values[0]); - *mask |= LDAP_REALM_MAXTICKETLIFE; - ldap_value_free(values); - } - } - - if ((*mask & LDAP_REALM_MAXRENEWLIFE) == 0) { - if ((values=ldap_get_values(ld, ent, "krbmaxrenewableage")) != NULL) { - rlparams->max_renewable_life = atoi(values[0]); - *mask |= LDAP_REALM_MAXRENEWLIFE; - ldap_value_free(values); - } - } - - if ((*mask & LDAP_REALM_KRBTICKETFLAGS) == 0) { - if ((values=ldap_get_values(ld, ent, "krbticketflags")) != NULL) { - rlparams->tktflags = atoi(values[0]); - *mask |= LDAP_REALM_KRBTICKETFLAGS; - ldap_value_free(values); - } - } - } - ldap_msgfree(result); + *mask & LDAP_REALM_KRBTICKETFLAGS)) && rlparams->policyreference) { + + LDAP_SEARCH_1(rlparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS); + if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) { + int ost = st; + st = translate_ldap_error (st, OP_SEARCH); + krb5_set_error_message (context, st, "Policy object read failed: %s", ldap_err2string(ost)); + goto cleanup; + } + ent = ldap_first_entry (ld, result); + if (ent != NULL) { + if ((*mask & LDAP_REALM_MAXTICKETLIFE) == 0) { + if ((values=ldap_get_values(ld, ent, "krbmaxticketlife")) != NULL) { + rlparams->max_life = atoi(values[0]); + *mask |= LDAP_REALM_MAXTICKETLIFE; + ldap_value_free(values); + } + } + + if ((*mask & LDAP_REALM_MAXRENEWLIFE) == 0) { + if ((values=ldap_get_values(ld, ent, "krbmaxrenewableage")) != NULL) { + rlparams->max_renewable_life = atoi(values[0]); + *mask |= LDAP_REALM_MAXRENEWLIFE; + ldap_value_free(values); + } + } + + if ((*mask & LDAP_REALM_KRBTICKETFLAGS) == 0) { + if ((values=ldap_get_values(ld, ent, "krbticketflags")) != NULL) { + rlparams->tktflags = atoi(values[0]); + *mask |= LDAP_REALM_KRBTICKETFLAGS; + ldap_value_free(values); + } + } + } + ldap_msgfree(result); } rlparams->mask = *mask; @@ -1412,8 +1405,8 @@ cleanup: /* if there is an error, free allocated structures */ if (st != 0) { - krb5_ldap_free_realm_params(rlparams); - *rlparamp=NULL; + krb5_ldap_free_realm_params(rlparams); + *rlparamp=NULL; } krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; @@ -1424,54 +1417,53 @@ cleanup: Free the krb5_ldap_realm_params. */ void -krb5_ldap_free_realm_params(rparams) - krb5_ldap_realm_params *rparams; +krb5_ldap_free_realm_params(krb5_ldap_realm_params *rparams) { int i=0; if (rparams) { - if (rparams->realmdn) - free(rparams->realmdn); + if (rparams->realmdn) + free(rparams->realmdn); - if (rparams->realm_name) - krb5_xfree(rparams->realm_name); + if (rparams->realm_name) + krb5_xfree(rparams->realm_name); + + if (rparams->subtree) { + for (i=0; isubtreecount && rparams->subtree[i] ; i++) + krb5_xfree(rparams->subtree[i]); + krb5_xfree(rparams->subtree); + } + + if (rparams->kdcservers) { + for (i=0; rparams->kdcservers[i]; ++i) + krb5_xfree(rparams->kdcservers[i]); + krb5_xfree(rparams->kdcservers); + } + + if (rparams->adminservers) { + for (i=0; rparams->adminservers[i]; ++i) + krb5_xfree(rparams->adminservers[i]); + krb5_xfree(rparams->adminservers); + } + + if (rparams->passwdservers) { + for (i=0; rparams->passwdservers[i]; ++i) + krb5_xfree(rparams->passwdservers[i]); + krb5_xfree(rparams->passwdservers); + } + + if (rparams->tl_data) { + if (rparams->tl_data->tl_data_contents) + krb5_xfree(rparams->tl_data->tl_data_contents); + krb5_xfree(rparams->tl_data); + } - if (rparams->subtree) { - for (i=0; isubtreecount && rparams->subtree[i] ; i++) - krb5_xfree(rparams->subtree[i]); - krb5_xfree(rparams->subtree); + if (rparams->mkey.contents) { + memset(rparams->mkey.contents, 0, rparams->mkey.length); + krb5_xfree(rparams->mkey.contents); } - if (rparams->kdcservers) { - for (i=0; rparams->kdcservers[i]; ++i) - krb5_xfree(rparams->kdcservers[i]); - krb5_xfree(rparams->kdcservers); - } - - if (rparams->adminservers) { - for (i=0; rparams->adminservers[i]; ++i) - krb5_xfree(rparams->adminservers[i]); - krb5_xfree(rparams->adminservers); - } - - if (rparams->passwdservers) { - for (i=0; rparams->passwdservers[i]; ++i) - krb5_xfree(rparams->passwdservers[i]); - krb5_xfree(rparams->passwdservers); - } - - if (rparams->tl_data) { - if (rparams->tl_data->tl_data_contents) - krb5_xfree(rparams->tl_data->tl_data_contents); - krb5_xfree(rparams->tl_data); - } - - if (rparams->mkey.contents) { - memset(rparams->mkey.contents, 0, rparams->mkey.length); - krb5_xfree(rparams->mkey.contents); - } - - krb5_xfree(rparams); + krb5_xfree(rparams); } return; } @@ -1483,7 +1475,8 @@ krb5_ldap_free_realm_params(rparams) */ krb5_error_code -krb5_ldap_delete_realm_1(krb5_context kcontext, char *conf_section, char **db_args) +krb5_ldap_delete_realm_1(krb5_context kcontext, char *conf_section, + char **db_args) { krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP; krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status)); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h index cfdf39c55..dcb3fcb3d 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_realm.h * @@ -43,7 +44,7 @@ #define LDAP_REALM_MAXTICKETLIFE 0x0100 #define LDAP_REALM_MAXRENEWLIFE 0x0200 #define LDAP_REALM_KRBTICKETFLAGS 0x0400 -#define LDAP_REALM_CONTREF 0x0800 +#define LDAP_REALM_CONTREF 0x0800 extern char *policy_attributes[]; @@ -52,24 +53,24 @@ extern char *realm_attributes[]; /* realm container structure */ typedef struct _krb5_ldap_realm_params { - char *realmdn; - char *realm_name; - char **subtree; - char *containerref; - char *policyreference; - int search_scope; - int upenabled; - int subtreecount; - krb5_int32 max_life; - krb5_int32 max_renewable_life; - krb5_int32 tktflags; - char **kdcservers; - char **adminservers; - char **passwdservers; - krb5_tl_data *tl_data; - krb5_keyblock mkey; - krb5_keylist_node *mkey_list; /* all master keys in use for the realm */ - long mask; + char *realmdn; + char *realm_name; + char **subtree; + char *containerref; + char *policyreference; + int search_scope; + int upenabled; + int subtreecount; + krb5_int32 max_life; + krb5_int32 max_renewable_life; + krb5_int32 tktflags; + char **kdcservers; + char **adminservers; + char **passwdservers; + krb5_tl_data *tl_data; + krb5_keyblock mkey; + krb5_keylist_node *mkey_list; /* all master keys in use for the realm */ + long mask; } krb5_ldap_realm_params; @@ -86,7 +87,8 @@ krb5_error_code krb5_ldap_create_realm(krb5_context, krb5_ldap_realm_params *, int); krb5_error_code -krb5_ldap_read_realm_params(krb5_context , char *, krb5_ldap_realm_params **, int *); +krb5_ldap_read_realm_params(krb5_context, char *, krb5_ldap_realm_params **, + int *); void krb5_ldap_free_realm_params(krb5_ldap_realm_params *); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c index 8d87d46ac..be01f394a 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_service_rights.c * @@ -266,14 +267,9 @@ static char *kerberos_container[][2] = { */ krb5_error_code -krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, contref, mask) - krb5_context context; - int servicetype; - char *serviceobjdn; - char *realmname; - char **subtreeparam; - char *contref; - int mask; +krb5_ldap_add_service_rights(krb5_context context, int servicetype, + char *serviceobjdn, char *realmname, + char **subtreeparam, char *contref, int mask) { int st=0,i=0,j=0; @@ -291,9 +287,9 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt GET_HANDLE(); if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4) - || (ldap_context->krbcontainer->DN == NULL)) { - st=-1; - goto cleanup; + || (ldap_context->krbcontainer->DN == NULL)) { + st=-1; + goto cleanup; } if (subtreeparam != NULL) { @@ -313,13 +309,13 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt memset(subtree, 0, sizeof(char *) * (subtreecount + 1)); if (subtreeparam != NULL) { for(i=0; subtreeparam[i]!=NULL; i++) { - subtree[i] = strdup(subtreeparam[i]); - if(subtree[i] == NULL) { - st = ENOMEM; - goto cleanup; + subtree[i] = strdup(subtreeparam[i]); + if(subtree[i] == NULL) { + st = ENOMEM; + goto cleanup; + } } } - } if (contref != NULL) { subtree[i] = strdup(contref); } @@ -328,213 +324,213 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt /* Set the rights for the realm */ if (mask & LDAP_REALM_RIGHTS) { - /* Set the rights for the service object on the security container */ - seccontclass.mod_op = LDAP_MOD_ADD; - seccontclass.mod_type = "ACL"; - - for (i=0; strcmp(security_container[i][0], "") != 0; i++) { - - asprintf(&seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn, - security_container[i][1]); - seccontclass.mod_values = seccontacls; - - seccontarr[0] = &seccontclass; - - st = ldap_modify_ext_s(ld, - SECURITY_CONTAINER, - seccontarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { - free(seccontacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(seccontacls[0]); - } + /* Set the rights for the service object on the security container */ + seccontclass.mod_op = LDAP_MOD_ADD; + seccontclass.mod_type = "ACL"; + for (i=0; strcmp(security_container[i][0], "") != 0; i++) { - /* Set the rights for the service object on the kerberos container */ - krbcontclass.mod_op = LDAP_MOD_ADD; - krbcontclass.mod_type = "ACL"; - - for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) { - asprintf(&krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn, - kerberos_container[i][1]); - krbcontclass.mod_values = krbcontacls; - - krbcontarr[0] = &krbcontclass; - - st = ldap_modify_ext_s(ld, - ldap_context->krbcontainer->DN, - krbcontarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { - free(krbcontacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(krbcontacls[0]); - } + asprintf(&seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn, + security_container[i][1]); + seccontclass.mod_values = seccontacls; + + seccontarr[0] = &seccontclass; + + st = ldap_modify_ext_s(ld, + SECURITY_CONTAINER, + seccontarr, + NULL, + NULL); + if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { + free(seccontacls[0]); + st = set_ldap_error (context, st, OP_MOD); + goto cleanup; + } + free(seccontacls[0]); + } + + + /* Set the rights for the service object on the kerberos container */ + krbcontclass.mod_op = LDAP_MOD_ADD; + krbcontclass.mod_type = "ACL"; + + for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) { + asprintf(&krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn, + kerberos_container[i][1]); + krbcontclass.mod_values = krbcontacls; + + krbcontarr[0] = &krbcontclass; - /* Construct the realm dn from realm name */ - asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN); - - realmclass.mod_op = LDAP_MOD_ADD; - realmclass.mod_type = "ACL"; - - if (servicetype == LDAP_KDC_SERVICE) { - for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) { - asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn, - kdcrights_realmcontainer[i][1]); - realmclass.mod_values = realmacls; - - realmarr[0] = &realmclass; - - st = ldap_modify_ext_s(ld, - realmdn, - realmarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { - free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(realmacls[0]); - } - } else if (servicetype == LDAP_ADMIN_SERVICE) { - for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) { - asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn, - adminrights_realmcontainer[i][1]); - realmclass.mod_values = realmacls; - - realmarr[0] = &realmclass; - - st = ldap_modify_ext_s(ld, - realmdn, - realmarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { - free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(realmacls[0]); - } - } else if (servicetype == LDAP_PASSWD_SERVICE) { - for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) { - asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn, - pwdrights_realmcontainer[i][1]); - realmclass.mod_values = realmacls; - - realmarr[0] = &realmclass; - - - st = ldap_modify_ext_s(ld, - realmdn, - realmarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { - free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(realmacls[0]); - } - } + st = ldap_modify_ext_s(ld, + ldap_context->krbcontainer->DN, + krbcontarr, + NULL, + NULL); + if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { + free(krbcontacls[0]); + st = set_ldap_error (context, st, OP_MOD); + goto cleanup; + } + free(krbcontacls[0]); + } + + /* Construct the realm dn from realm name */ + asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN); + + realmclass.mod_op = LDAP_MOD_ADD; + realmclass.mod_type = "ACL"; + + if (servicetype == LDAP_KDC_SERVICE) { + for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) { + asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn, + kdcrights_realmcontainer[i][1]); + realmclass.mod_values = realmacls; + + realmarr[0] = &realmclass; + + st = ldap_modify_ext_s(ld, + realmdn, + realmarr, + NULL, + NULL); + if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { + free(realmacls[0]); + st = set_ldap_error (context, st, OP_MOD); + goto cleanup; + } + free(realmacls[0]); + } + } else if (servicetype == LDAP_ADMIN_SERVICE) { + for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) { + asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn, + adminrights_realmcontainer[i][1]); + realmclass.mod_values = realmacls; + + realmarr[0] = &realmclass; + + st = ldap_modify_ext_s(ld, + realmdn, + realmarr, + NULL, + NULL); + if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { + free(realmacls[0]); + st = set_ldap_error (context, st, OP_MOD); + goto cleanup; + } + free(realmacls[0]); + } + } else if (servicetype == LDAP_PASSWD_SERVICE) { + for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) { + asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn, + pwdrights_realmcontainer[i][1]); + realmclass.mod_values = realmacls; + + realmarr[0] = &realmclass; + + + st = ldap_modify_ext_s(ld, + realmdn, + realmarr, + NULL, + NULL); + if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { + free(realmacls[0]); + st = set_ldap_error (context, st, OP_MOD); + goto cleanup; + } + free(realmacls[0]); + } + } } /* Realm rights settings ends here */ /* Subtree rights to be set */ if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) { - /* Populate the acl data to be added to the subtree */ - subtreeclass.mod_op = LDAP_MOD_ADD; - subtreeclass.mod_type = "ACL"; + /* Populate the acl data to be added to the subtree */ + subtreeclass.mod_op = LDAP_MOD_ADD; + subtreeclass.mod_type = "ACL"; - if (servicetype == LDAP_KDC_SERVICE) { - for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) { - asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn, - kdcrights_subtree[i][1]); - subtreeclass.mod_values = subtreeacls; + if (servicetype == LDAP_KDC_SERVICE) { + for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) { + asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn, + kdcrights_subtree[i][1]); + subtreeclass.mod_values = subtreeacls; - subtreearr[0] = &subtreeclass; + subtreearr[0] = &subtreeclass; /* set rights to a list of subtrees */ for(j=0; subtree[j]!=NULL && j 4) - || (ldap_context->krbcontainer->DN == NULL)) { - st = -1; - goto cleanup; + || (ldap_context->krbcontainer->DN == NULL)) { + st = -1; + goto cleanup; } if (subtreeparam != NULL) { - while(subtreeparam[subtreecount]) - subtreecount++; + while(subtreeparam[subtreecount]) + subtreecount++; } if (contref != NULL) { subtreecount++; @@ -602,12 +593,12 @@ krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, s memset(subtree, 0, sizeof(char *) * (subtreecount + 1)); if (subtreeparam != NULL) { for(i=0; subtreeparam[i]!=NULL; i++) { - subtree[i] = strdup(subtreeparam[i]); - if(subtree[i] == NULL) { - st = ENOMEM; - goto cleanup; - } - } + subtree[i] = strdup(subtreeparam[i]); + if(subtree[i] == NULL) { + st = ENOMEM; + goto cleanup; + } + } } if (contref != NULL) { subtree[i] = strdup(contref); @@ -618,72 +609,72 @@ krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, s /* Set the rights for the realm */ if (mask & LDAP_REALM_RIGHTS) { - asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN); - - realmclass.mod_op=LDAP_MOD_DELETE; - realmclass.mod_type="ACL"; - - if (servicetype == LDAP_KDC_SERVICE) { - for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) { - asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn, - kdcrights_realmcontainer[i][1]); - realmclass.mod_values= realmacls; - - realmarr[0]=&realmclass; - - st = ldap_modify_ext_s(ld, - realmdn, - realmarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) { - free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(realmacls[0]); - } - } else if (servicetype == LDAP_ADMIN_SERVICE) { - for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) { - asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn, - adminrights_realmcontainer[i][1]); - realmclass.mod_values= realmacls; - - realmarr[0]=&realmclass; - - st = ldap_modify_ext_s(ld, - realmdn, - realmarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) { - free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(realmacls[0]); - } - } else if (servicetype == LDAP_PASSWD_SERVICE) { - for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) { - asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn, - pwdrights_realmcontainer[i][1]); - realmclass.mod_values= realmacls; - - realmarr[0]=&realmclass; - - st = ldap_modify_ext_s(ld, - realmdn, - realmarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) { - free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(realmacls[0]); - } - } + asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN); + + realmclass.mod_op=LDAP_MOD_DELETE; + realmclass.mod_type="ACL"; + + if (servicetype == LDAP_KDC_SERVICE) { + for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) { + asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn, + kdcrights_realmcontainer[i][1]); + realmclass.mod_values= realmacls; + + realmarr[0]=&realmclass; + + st = ldap_modify_ext_s(ld, + realmdn, + realmarr, + NULL, + NULL); + if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) { + free(realmacls[0]); + st = set_ldap_error (context, st, OP_MOD); + goto cleanup; + } + free(realmacls[0]); + } + } else if (servicetype == LDAP_ADMIN_SERVICE) { + for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) { + asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn, + adminrights_realmcontainer[i][1]); + realmclass.mod_values= realmacls; + + realmarr[0]=&realmclass; + + st = ldap_modify_ext_s(ld, + realmdn, + realmarr, + NULL, + NULL); + if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) { + free(realmacls[0]); + st = set_ldap_error (context, st, OP_MOD); + goto cleanup; + } + free(realmacls[0]); + } + } else if (servicetype == LDAP_PASSWD_SERVICE) { + for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) { + asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn, + pwdrights_realmcontainer[i][1]); + realmclass.mod_values= realmacls; + + realmarr[0]=&realmclass; + + st = ldap_modify_ext_s(ld, + realmdn, + realmarr, + NULL, + NULL); + if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) { + free(realmacls[0]); + st = set_ldap_error (context, st, OP_MOD); + goto cleanup; + } + free(realmacls[0]); + } + } } /* Realm rights setting ends here */ @@ -691,77 +682,77 @@ krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, s /* Set the rights for the subtree */ if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) { - /* Populate the acl data to be added to the subtree */ - subtreeclass.mod_op=LDAP_MOD_DELETE; - subtreeclass.mod_type="ACL"; + /* Populate the acl data to be added to the subtree */ + subtreeclass.mod_op=LDAP_MOD_DELETE; + subtreeclass.mod_type="ACL"; - if (servicetype == LDAP_KDC_SERVICE) { - for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) { - asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn, - kdcrights_subtree[i][1]); - subtreeclass.mod_values= subtreeacls; + if (servicetype == LDAP_KDC_SERVICE) { + for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) { + asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn, + kdcrights_subtree[i][1]); + subtreeclass.mod_values= subtreeacls; - subtreearr[0]=&subtreeclass; + subtreearr[0]=&subtreeclass; for(j=0; subtree[j]!=NULL && jservice_password_file) - file = ldap_context->service_password_file; + file = ldap_context->service_password_file; #ifndef HAVE_STRERROR_R # undef strerror_r @@ -57,122 +56,122 @@ krb5_ldap_readpassword(context, ldap_context, password) /* check whether file exists */ if (access(file, F_OK) < 0) { - st = errno; - strerror_r(errno, errbuf, sizeof(errbuf)); - krb5_set_error_message (context, st, "%s", errbuf); - goto rp_exit; + st = errno; + strerror_r(errno, errbuf, sizeof(errbuf)); + krb5_set_error_message (context, st, "%s", errbuf); + goto rp_exit; } /* check read access */ if (access(file, R_OK) < 0) { - st = errno; - strerror_r(errno, errbuf, sizeof(errbuf)); - krb5_set_error_message (context, st, "%s", errbuf); - goto rp_exit; + st = errno; + strerror_r(errno, errbuf, sizeof(errbuf)); + krb5_set_error_message (context, st, "%s", errbuf); + goto rp_exit; } if ((fptr=fopen(file, "r")) == NULL) { - st = errno; - strerror_r(errno, errbuf, sizeof(errbuf)); - krb5_set_error_message (context, st, "%s", errbuf); - goto rp_exit; + st = errno; + strerror_r(errno, errbuf, sizeof(errbuf)); + krb5_set_error_message (context, st, "%s", errbuf); + goto rp_exit; } set_cloexec_file(fptr); /* get the record from the file */ while (fgets(line, RECORDLEN, fptr)!= NULL) { - char tmp[RECORDLEN]; - - tmp[0] = '\0'; - /* Handle leading white-spaces */ - for (start = line; isspace(*start); ++start); - - /* Handle comment lines */ - if (*start == '!' || *start == '#') - continue; - sscanf(line, "%*[ \t]%[^#]", tmp); - if (tmp[0] == '\0') - sscanf(line, "%[^#]", tmp); - if (strcasecmp(tmp, ldap_context->bind_dn) == 0) { - entryfound = 1; /* service_dn record found !!! */ - break; - } + char tmp[RECORDLEN]; + + tmp[0] = '\0'; + /* Handle leading white-spaces */ + for (start = line; isspace(*start); ++start); + + /* Handle comment lines */ + if (*start == '!' || *start == '#') + continue; + sscanf(line, "%*[ \t]%[^#]", tmp); + if (tmp[0] == '\0') + sscanf(line, "%[^#]", tmp); + if (strcasecmp(tmp, ldap_context->bind_dn) == 0) { + entryfound = 1; /* service_dn record found !!! */ + break; + } } fclose (fptr); if (entryfound == 0) { - st = KRB5_KDB_SERVER_INTERNAL_ERR; - krb5_set_error_message (context, st, "Bind DN entry missing in stash file"); - goto rp_exit; + st = KRB5_KDB_SERVER_INTERNAL_ERR; + krb5_set_error_message (context, st, "Bind DN entry missing in stash file"); + goto rp_exit; } /* replace the \n with \0 */ start = strchr(line, '\n'); if (start) - *start = '\0'; + *start = '\0'; start = strchr(line, '#'); if (start == NULL) { - /* password field missing */ - st = KRB5_KDB_SERVER_INTERNAL_ERR; - krb5_set_error_message (context, st, "Stash file entry corrupt"); - goto rp_exit; + /* password field missing */ + st = KRB5_KDB_SERVER_INTERNAL_ERR; + krb5_set_error_message (context, st, "Stash file entry corrupt"); + goto rp_exit; } ++ start; /* Extract the plain password / certificate file information */ { - struct data PT, CT; - - /* Check if the entry has the path of a certificate */ - if (!strncmp(start, "{FILE}", strlen("{FILE}"))) { - /* Set *password = {FILE}\0 */ - size_t len = strlen(start); - - *password = (unsigned char *)malloc(len + 2); - if (*password == NULL) { - st = ENOMEM; - goto rp_exit; - } - memcpy(*password, start, len); - (*password)[len] = '\0'; - (*password)[len + 1] = '\0'; - goto got_password; - } else { - CT.value = (unsigned char *)start; - CT.len = strlen((char *)CT.value); - st = dec_password(CT, &PT); - if (st != 0) { - switch (st) { - case ERR_NO_MEM: - st = ENOMEM; - break; - case ERR_PWD_ZERO: - st = EINVAL; - krb5_set_error_message(context, st, "Password has zero length"); - break; - case ERR_PWD_BAD: - st = EINVAL; - krb5_set_error_message(context, st, "Password corrupted"); - break; - case ERR_PWD_NOT_HEX: - st = EINVAL; - krb5_set_error_message(context, st, "Not a hexadecimal password"); - break; - default: - st = KRB5_KDB_SERVER_INTERNAL_ERR; - break; - } - goto rp_exit; - } - *password = PT.value; - } + struct data PT, CT; + + /* Check if the entry has the path of a certificate */ + if (!strncmp(start, "{FILE}", strlen("{FILE}"))) { + /* Set *password = {FILE}\0 */ + size_t len = strlen(start); + + *password = (unsigned char *)malloc(len + 2); + if (*password == NULL) { + st = ENOMEM; + goto rp_exit; + } + memcpy(*password, start, len); + (*password)[len] = '\0'; + (*password)[len + 1] = '\0'; + goto got_password; + } else { + CT.value = (unsigned char *)start; + CT.len = strlen((char *)CT.value); + st = dec_password(CT, &PT); + if (st != 0) { + switch (st) { + case ERR_NO_MEM: + st = ENOMEM; + break; + case ERR_PWD_ZERO: + st = EINVAL; + krb5_set_error_message(context, st, "Password has zero length"); + break; + case ERR_PWD_BAD: + st = EINVAL; + krb5_set_error_message(context, st, "Password corrupted"); + break; + case ERR_PWD_NOT_HEX: + st = EINVAL; + krb5_set_error_message(context, st, "Not a hexadecimal password"); + break; + default: + st = KRB5_KDB_SERVER_INTERNAL_ERR; + break; + } + goto rp_exit; + } + *password = PT.value; + } } got_password: rp_exit: if (st) { - if (*password) - free (*password); - *password = NULL; + if (*password) + free (*password); + *password = NULL; } return st; } @@ -180,9 +179,7 @@ rp_exit: /* Encodes a sequence of bytes in hexadecimal */ int -tohex(in, ret) - krb5_data in; - krb5_data *ret; +tohex(krb5_data in, krb5_data *ret) { int i=0, err = 0; @@ -191,20 +188,20 @@ tohex(in, ret) ret->data = malloc((unsigned int)in.length * 2 + 1 /*Null termination */); if (ret->data == NULL) { - err = ENOMEM; - goto cleanup; + err = ENOMEM; + goto cleanup; } ret->length = in.length * 2; ret->data[ret->length] = 0; for (i = 0; i < in.length; i++) - snprintf(ret->data + 2 * i, 3, "%02x", in.data[i] & 0xff); + snprintf(ret->data + 2 * i, 3, "%02x", in.data[i] & 0xff); cleanup: if (ret->length == 0) { - free(ret->data); - ret->data = NULL; + free(ret->data); + ret->data = NULL; } return err; @@ -222,7 +219,9 @@ cleanup: * ERR_PWD_NOT_HEX - Not a hexadecimal password */ -int dec_password(struct data pwd, struct data *ret) { +int +dec_password(struct data pwd, struct data *ret) +{ int err=0; int i=0, j=0; @@ -230,52 +229,52 @@ int dec_password(struct data pwd, struct data *ret) { ret->value = NULL; if (pwd.len == 0) { - err = ERR_PWD_ZERO; - ret->len = 0; - goto cleanup; + err = ERR_PWD_ZERO; + ret->len = 0; + goto cleanup; } /* Check if it is a hexadecimal encoded password */ if (pwd.len >= strlen("{HEX}") && - strncmp((char *)pwd.value, "{HEX}", strlen("{HEX}")) == 0) { - - if ((pwd.len - strlen("{HEX}")) % 2 != 0) { - /* A hexadecimal encoded password should have even length */ - err = ERR_PWD_BAD; - ret->len = 0; - goto cleanup; - } - ret->value = (unsigned char *)malloc((pwd.len - strlen("{HEX}")) / 2 + 1); - if (ret->value == NULL) { - err = ERR_NO_MEM; - ret->len = 0; - goto cleanup; - } - ret->len = (pwd.len - strlen("{HEX}")) / 2; - ret->value[ret->len] = '\0'; - for (i = strlen("{HEX}"), j = 0; i < pwd.len; i += 2, j++) { - unsigned int k; - /* Check if it is a hexadecimal number */ - if (isxdigit(pwd.value[i]) == 0 || isxdigit(pwd.value[i + 1]) == 0) { - err = ERR_PWD_NOT_HEX; - ret->len = 0; - goto cleanup; - } - sscanf((char *)pwd.value + i, "%2x", &k); - ret->value[j] = k; - } - goto cleanup; + strncmp((char *)pwd.value, "{HEX}", strlen("{HEX}")) == 0) { + + if ((pwd.len - strlen("{HEX}")) % 2 != 0) { + /* A hexadecimal encoded password should have even length */ + err = ERR_PWD_BAD; + ret->len = 0; + goto cleanup; + } + ret->value = (unsigned char *)malloc((pwd.len - strlen("{HEX}")) / 2 + 1); + if (ret->value == NULL) { + err = ERR_NO_MEM; + ret->len = 0; + goto cleanup; + } + ret->len = (pwd.len - strlen("{HEX}")) / 2; + ret->value[ret->len] = '\0'; + for (i = strlen("{HEX}"), j = 0; i < pwd.len; i += 2, j++) { + unsigned int k; + /* Check if it is a hexadecimal number */ + if (isxdigit(pwd.value[i]) == 0 || isxdigit(pwd.value[i + 1]) == 0) { + err = ERR_PWD_NOT_HEX; + ret->len = 0; + goto cleanup; + } + sscanf((char *)pwd.value + i, "%2x", &k); + ret->value[j] = k; + } + goto cleanup; } else { - err = ERR_PWD_NOT_HEX; - ret->len = 0; - goto cleanup; + err = ERR_PWD_NOT_HEX; + ret->len = 0; + goto cleanup; } cleanup: if (ret->len == 0) { - free(ret->value); - ret->value = NULL; + free(ret->value); + ret->value = NULL; } return(err); } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h index 05dd40a95..aecaa4942 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_service_stash.h * diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c index 11f78efb1..9be977246 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_services.c * @@ -42,10 +43,8 @@ static char *realmcontclass[] = {"krbRealmContainer", NULL}; */ krb5_error_code -krb5_ldap_create_service(context, service, mask) - krb5_context context; - krb5_ldap_service_params *service; - int mask; +krb5_ldap_create_service(krb5_context context, + krb5_ldap_service_params *service, int mask) { int i=0, j=0; krb5_error_code st=0; @@ -59,9 +58,9 @@ krb5_ldap_create_service(context, service, mask) /* validate the input parameter */ if (service == NULL || service->servicedn == NULL) { - st = EINVAL; - krb5_set_error_message (context, st, "Service DN NULL"); - goto cleanup; + st = EINVAL; + krb5_set_error_message (context, st, "Service DN NULL"); + goto cleanup; } SETUP_CONTEXT(); @@ -71,73 +70,73 @@ krb5_ldap_create_service(context, service, mask) memset(strval, 0, sizeof(strval)); strval[0] = "krbService"; if (service->servicetype == LDAP_KDC_SERVICE) { - strval[1] = "krbKdcService"; - realmattr = "krbKdcServers"; + strval[1] = "krbKdcService"; + realmattr = "krbKdcServers"; } else if (service->servicetype == LDAP_ADMIN_SERVICE) { - strval[1] = "krbAdmService"; - realmattr = "krbAdmServers"; + strval[1] = "krbAdmService"; + realmattr = "krbAdmServers"; } else if (service->servicetype == LDAP_PASSWD_SERVICE) { - strval[1] = "krbPwdService"; - realmattr = "krbPwdServers"; + strval[1] = "krbPwdService"; + realmattr = "krbPwdServers"; } else { - strval[1] = "krbKdcService"; - realmattr = "krbKdcServers"; + strval[1] = "krbKdcService"; + realmattr = "krbKdcServers"; } if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + goto cleanup; rdns = ldap_explode_dn(service->servicedn, 1); if (rdns == NULL) { - st = LDAP_INVALID_DN_SYNTAX; - goto cleanup; + st = LDAP_INVALID_DN_SYNTAX; + goto cleanup; } memset(strval, 0, sizeof(strval)); strval[0] = rdns[0]; if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + goto cleanup; if (mask & LDAP_SERVICE_SERVICEFLAG) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_ADD, - service->krbserviceflags)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_ADD, + service->krbserviceflags)) != 0) + goto cleanup; } if (mask & LDAP_SERVICE_HOSTSERVER) { - if (service->krbhostservers != NULL) { - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_ADD, - service->krbhostservers)) != 0) - goto cleanup; - } else { - st = EINVAL; - krb5_set_error_message (context, st, "'krbhostserver' argument invalid"); - goto cleanup; - } + if (service->krbhostservers != NULL) { + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_ADD, + service->krbhostservers)) != 0) + goto cleanup; + } else { + st = EINVAL; + krb5_set_error_message (context, st, "'krbhostserver' argument invalid"); + goto cleanup; + } } if (mask & LDAP_SERVICE_REALMREFERENCE) { - if (service->krbrealmreferences != NULL) { - unsigned int realmmask=0; - - /* check for the validity of the values */ - for (j=0; service->krbrealmreferences[j] != NULL; ++j) { - st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass", - realmcontclass, &realmmask); - CHECK_CLASS_VALIDITY(st, realmmask, "realm object value: "); - } - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_ADD, - service->krbrealmreferences)) != 0) - goto cleanup; - } else { - st = EINVAL; - krb5_set_error_message (context, st, "Server has no 'krbrealmreferences'"); - goto cleanup; - } + if (service->krbrealmreferences != NULL) { + unsigned int realmmask=0; + + /* check for the validity of the values */ + for (j=0; service->krbrealmreferences[j] != NULL; ++j) { + st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass", + realmcontclass, &realmmask); + CHECK_CLASS_VALIDITY(st, realmmask, "realm object value: "); + } + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_ADD, + service->krbrealmreferences)) != 0) + goto cleanup; + } else { + st = EINVAL; + krb5_set_error_message (context, st, "Server has no 'krbrealmreferences'"); + goto cleanup; + } } /* ldap add operation */ if ((st=ldap_add_ext_s(ld, service->servicedn, mods, NULL, NULL)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_ADD); - goto cleanup; + st = set_ldap_error (context, st, OP_ADD); + goto cleanup; } /* @@ -145,24 +144,24 @@ krb5_ldap_create_service(context, service, mask) * to have a reference to the service object just created. */ if (mask & LDAP_SERVICE_REALMREFERENCE) { - for (i=0; service->krbrealmreferences[i]; ++i) { - if ((st=updateAttribute(ld, service->krbrealmreferences[i], realmattr, - service->servicedn)) != 0) { - snprintf (errbuf, sizeof(errbuf), - "Error adding 'krbRealmReferences' to %s: ", - service->krbrealmreferences[i]); - prepend_err_str (context, errbuf, st, st); - /* delete service object, status ignored intentionally */ - ldap_delete_ext_s(ld, service->servicedn, NULL, NULL); - goto cleanup; - } - } + for (i=0; service->krbrealmreferences[i]; ++i) { + if ((st=updateAttribute(ld, service->krbrealmreferences[i], realmattr, + service->servicedn)) != 0) { + snprintf (errbuf, sizeof(errbuf), + "Error adding 'krbRealmReferences' to %s: ", + service->krbrealmreferences[i]); + prepend_err_str (context, errbuf, st, st); + /* delete service object, status ignored intentionally */ + ldap_delete_ext_s(ld, service->servicedn, NULL, NULL); + goto cleanup; + } + } } cleanup: if (rdns) - ldap_value_free (rdns); + ldap_value_free (rdns); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); @@ -175,10 +174,8 @@ cleanup: */ krb5_error_code -krb5_ldap_modify_service(context, service, mask) - krb5_context context; - krb5_ldap_service_params *service; - int mask; +krb5_ldap_modify_service(krb5_context context, + krb5_ldap_service_params *service, int mask) { int i=0, j=0, count=0; krb5_error_code st=0; @@ -194,94 +191,94 @@ krb5_ldap_modify_service(context, service, mask) /* validate the input parameter */ if (service == NULL || service->servicedn == NULL) { - st = EINVAL; - krb5_set_error_message (context, st, "Service DN is NULL"); - goto cleanup; + st = EINVAL; + krb5_set_error_message (context, st, "Service DN is NULL"); + goto cleanup; } SETUP_CONTEXT(); GET_HANDLE(); if (mask & LDAP_SERVICE_SERVICEFLAG) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_REPLACE, - service->krbserviceflags)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_REPLACE, + service->krbserviceflags)) != 0) + goto cleanup; } if (mask & LDAP_SERVICE_HOSTSERVER) { - if (service->krbhostservers != NULL) { - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_REPLACE, - service->krbhostservers)) != 0) - goto cleanup; - } else { - st = EINVAL; - krb5_set_error_message (context, st, "'krbhostserver' value invalid"); - goto cleanup; - } + if (service->krbhostservers != NULL) { + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_REPLACE, + service->krbhostservers)) != 0) + goto cleanup; + } else { + st = EINVAL; + krb5_set_error_message (context, st, "'krbhostserver' value invalid"); + goto cleanup; + } } if (mask & LDAP_SERVICE_REALMREFERENCE) { - if (service->krbrealmreferences != NULL) { - unsigned int realmmask=0; - - /* check for the validity of the values */ - for (j=0; service->krbrealmreferences[j]; ++j) { - st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass", - realmcontclass, &realmmask); - CHECK_CLASS_VALIDITY(st, realmmask, "realm object value: "); - } - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_REPLACE, - service->krbrealmreferences)) != 0) - goto cleanup; - - - /* get the attribute of the realm to be set */ - if (service->servicetype == LDAP_KDC_SERVICE) - realmattr = "krbKdcServers"; - else if (service->servicetype == LDAP_ADMIN_SERVICE) - realmattr = "krbAdmservers"; - else if (service->servicetype == LDAP_PASSWD_SERVICE) - realmattr = "krbPwdServers"; - else - realmattr = "krbKdcServers"; - - /* read the existing list of krbRealmreferences. this will needed */ - if ((st = ldap_search_ext_s (ld, - service->servicedn, - LDAP_SCOPE_BASE, - 0, - attr, - 0, - NULL, - NULL, - NULL, - 0, - &result)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_SEARCH); - goto cleanup; - } - - ent = ldap_first_entry(ld, result); - if (ent) { - if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &oldrealmrefs, count)) != 0) - goto cleanup; - ldap_value_free(values); - } - } - ldap_msgfree(result); - } else { - st = EINVAL; - krb5_set_error_message (context, st, "'krbRealmReferences' value invalid"); - goto cleanup; - } + if (service->krbrealmreferences != NULL) { + unsigned int realmmask=0; + + /* check for the validity of the values */ + for (j=0; service->krbrealmreferences[j]; ++j) { + st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass", + realmcontclass, &realmmask); + CHECK_CLASS_VALIDITY(st, realmmask, "realm object value: "); + } + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_REPLACE, + service->krbrealmreferences)) != 0) + goto cleanup; + + + /* get the attribute of the realm to be set */ + if (service->servicetype == LDAP_KDC_SERVICE) + realmattr = "krbKdcServers"; + else if (service->servicetype == LDAP_ADMIN_SERVICE) + realmattr = "krbAdmservers"; + else if (service->servicetype == LDAP_PASSWD_SERVICE) + realmattr = "krbPwdServers"; + else + realmattr = "krbKdcServers"; + + /* read the existing list of krbRealmreferences. this will needed */ + if ((st = ldap_search_ext_s (ld, + service->servicedn, + LDAP_SCOPE_BASE, + 0, + attr, + 0, + NULL, + NULL, + NULL, + 0, + &result)) != LDAP_SUCCESS) { + st = set_ldap_error (context, st, OP_SEARCH); + goto cleanup; + } + + ent = ldap_first_entry(ld, result); + if (ent) { + if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) { + count = ldap_count_values(values); + if ((st=copy_arrays(values, &oldrealmrefs, count)) != 0) + goto cleanup; + ldap_value_free(values); + } + } + ldap_msgfree(result); + } else { + st = EINVAL; + krb5_set_error_message (context, st, "'krbRealmReferences' value invalid"); + goto cleanup; + } } /* ldap modify operation */ if ((st=ldap_modify_ext_s(ld, service->servicedn, mods, NULL, NULL)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; + st = set_ldap_error (context, st, OP_MOD); + goto cleanup; } /* @@ -290,49 +287,49 @@ krb5_ldap_modify_service(context, service, mask) */ if (mask & LDAP_SERVICE_REALMREFERENCE) { - /* get the count of the new list of krbrealmreferences */ - for (i=0; service->krbrealmreferences[i]; ++i) - ; - - /* make a new copy of the krbrealmreferences */ - if ((st=copy_arrays(service->krbrealmreferences, &newrealmrefs, i)) != 0) - goto cleanup; - - /* find the deletions/additions to the list of krbrealmreferences */ - if (disjoint_members(oldrealmrefs, newrealmrefs) != 0) - goto cleanup; - - /* see if some of the attributes have to be deleted */ - if (oldrealmrefs) { - - /* update the dn represented by the attribute that is to be deleted */ - for (i=0; oldrealmrefs[i]; ++i) - if ((st=deleteAttribute(ld, oldrealmrefs[i], realmattr, service->servicedn)) != 0) { - prepend_err_str (context, "Error deleting realm attribute:", st, st); - goto cleanup; - } - } - - /* see if some of the attributes have to be added */ - for (i=0; newrealmrefs[i]; ++i) - if ((st=updateAttribute(ld, newrealmrefs[i], realmattr, service->servicedn)) != 0) { - prepend_err_str (context, "Error updating realm attribute: ", st, st); - goto cleanup; - } + /* get the count of the new list of krbrealmreferences */ + for (i=0; service->krbrealmreferences[i]; ++i) + ; + + /* make a new copy of the krbrealmreferences */ + if ((st=copy_arrays(service->krbrealmreferences, &newrealmrefs, i)) != 0) + goto cleanup; + + /* find the deletions/additions to the list of krbrealmreferences */ + if (disjoint_members(oldrealmrefs, newrealmrefs) != 0) + goto cleanup; + + /* see if some of the attributes have to be deleted */ + if (oldrealmrefs) { + + /* update the dn represented by the attribute that is to be deleted */ + for (i=0; oldrealmrefs[i]; ++i) + if ((st=deleteAttribute(ld, oldrealmrefs[i], realmattr, service->servicedn)) != 0) { + prepend_err_str (context, "Error deleting realm attribute:", st, st); + goto cleanup; + } + } + + /* see if some of the attributes have to be added */ + for (i=0; newrealmrefs[i]; ++i) + if ((st=updateAttribute(ld, newrealmrefs[i], realmattr, service->servicedn)) != 0) { + prepend_err_str (context, "Error updating realm attribute: ", st, st); + goto cleanup; + } } cleanup: if (oldrealmrefs) { - for (i=0; oldrealmrefs[i]; ++i) - free (oldrealmrefs[i]); - free (oldrealmrefs); + for (i=0; oldrealmrefs[i]; ++i) + free (oldrealmrefs[i]); + free (oldrealmrefs); } if (newrealmrefs) { - for (i=0; newrealmrefs[i]; ++i) - free (newrealmrefs[i]); - free (newrealmrefs); + for (i=0; newrealmrefs[i]; ++i) + free (newrealmrefs[i]); + free (newrealmrefs); } ldap_mods_free(mods, 1); @@ -342,10 +339,8 @@ cleanup: krb5_error_code -krb5_ldap_delete_service(context, service, servicedn) - krb5_context context; - krb5_ldap_service_params *service; - char *servicedn; +krb5_ldap_delete_service(krb5_context context, + krb5_ldap_service_params *service, char *servicedn) { krb5_error_code st = 0; LDAP *ld=NULL; @@ -358,30 +353,30 @@ krb5_ldap_delete_service(context, service, servicedn) st = ldap_delete_ext_s(ld, servicedn, NULL, NULL); if (st != 0) { - st = set_ldap_error (context, st, OP_DEL); + st = set_ldap_error (context, st, OP_DEL); } /* NOTE: This should be removed now as the backlinks are going off in OpenLDAP */ /* time to delete krbrealmreferences. This is only for OpenLDAP */ #ifndef HAVE_EDIRECTORY { - int i=0; - char *attr=NULL; - - if (service) { - if (service->krbrealmreferences) { - if (service->servicetype == LDAP_KDC_SERVICE) - attr = "krbkdcservers"; - else if (service->servicetype == LDAP_ADMIN_SERVICE) - attr = "krbadmservers"; - else if (service->servicetype == LDAP_PASSWD_SERVICE) - attr = "krbpwdservers"; - - for (i=0; service->krbrealmreferences[i]; ++i) { - deleteAttribute(ld, service->krbrealmreferences[i], attr, servicedn); - } - } - } + int i=0; + char *attr=NULL; + + if (service) { + if (service->krbrealmreferences) { + if (service->servicetype == LDAP_KDC_SERVICE) + attr = "krbkdcservers"; + else if (service->servicetype == LDAP_ADMIN_SERVICE) + attr = "krbadmservers"; + else if (service->servicetype == LDAP_PASSWD_SERVICE) + attr = "krbpwdservers"; + + for (i=0; service->krbrealmreferences[i]; ++i) { + deleteAttribute(ld, service->krbrealmreferences[i], attr, servicedn); + } + } + } } #endif @@ -397,10 +392,8 @@ cleanup: */ krb5_error_code -krb5_ldap_list_services(context, containerdn, services) - krb5_context context; - char *containerdn; - char ***services; +krb5_ldap_list_services(krb5_context context, char *containerdn, + char ***services) { return (krb5_ldap_list(context, services, "krbService", containerdn)); } @@ -409,18 +402,15 @@ krb5_ldap_list_services(context, containerdn, services) * This function reads the service object from Directory */ krb5_error_code -krb5_ldap_read_service(context, servicedn, service, omask) - krb5_context context; - char *servicedn; - krb5_ldap_service_params **service; - int *omask; +krb5_ldap_read_service(krb5_context context, char *servicedn, + krb5_ldap_service_params **service, int *omask) { char **values=NULL; int i=0, count=0, objectmask=0; krb5_error_code st=0, tempst=0; LDAPMessage *result=NULL,*ent=NULL; char *attributes[] = {"krbHostServer", "krbServiceflags", - "krbRealmReferences", "objectclass", NULL}; + "krbRealmReferences", "objectclass", NULL}; char *attrvalues[] = {"krbService", NULL}; krb5_ldap_service_params *lservice=NULL; krb5_ldap_context *ldap_context=NULL; @@ -430,9 +420,9 @@ krb5_ldap_read_service(context, servicedn, service, omask) /* validate the input parameter */ if (servicedn == NULL) { - st = EINVAL; - krb5_set_error_message (context, st, "Service DN NULL"); - goto cleanup; + st = EINVAL; + krb5_set_error_message (context, st, "Service DN NULL"); + goto cleanup; } SETUP_CONTEXT(); @@ -447,15 +437,15 @@ krb5_ldap_read_service(context, servicedn, service, omask) /* Initialize service structure */ lservice =(krb5_ldap_service_params *) calloc(1, sizeof(krb5_ldap_service_params)); if (lservice == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } /* allocate tl_data structure to store MASK information */ lservice->tl_data = calloc (1, sizeof(*lservice->tl_data)); if (lservice->tl_data == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } lservice->tl_data->tl_data_type = KDB_TL_USER_INFO; @@ -467,57 +457,57 @@ krb5_ldap_read_service(context, servicedn, service, omask) ent=ldap_first_entry(ld, result); if (ent != NULL) { - if ((values=ldap_get_values(ld, ent, "krbServiceFlags")) != NULL) { - lservice->krbserviceflags = atoi(values[0]); - *omask |= LDAP_SERVICE_SERVICEFLAG; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbHostServer")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &(lservice->krbhostservers), count)) != 0) - goto cleanup; - *omask |= LDAP_SERVICE_HOSTSERVER; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &(lservice->krbrealmreferences), count)) != 0) - goto cleanup; - *omask |= LDAP_SERVICE_REALMREFERENCE; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "objectClass")) != NULL) { - for (i=0; values[i]; ++i) { - if (strcasecmp(values[i], "krbKdcService") == 0) { - lservice->servicetype = LDAP_KDC_SERVICE; - break; - } - - if (strcasecmp(values[i], "krbAdmService") == 0) { - lservice->servicetype = LDAP_ADMIN_SERVICE; - break; - } - - if (strcasecmp(values[i], "krbPwdService") == 0) { - lservice->servicetype = LDAP_PASSWD_SERVICE; - break; - } - } - ldap_value_free(values); - } + if ((values=ldap_get_values(ld, ent, "krbServiceFlags")) != NULL) { + lservice->krbserviceflags = atoi(values[0]); + *omask |= LDAP_SERVICE_SERVICEFLAG; + ldap_value_free(values); + } + + if ((values=ldap_get_values(ld, ent, "krbHostServer")) != NULL) { + count = ldap_count_values(values); + if ((st=copy_arrays(values, &(lservice->krbhostservers), count)) != 0) + goto cleanup; + *omask |= LDAP_SERVICE_HOSTSERVER; + ldap_value_free(values); + } + + if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) { + count = ldap_count_values(values); + if ((st=copy_arrays(values, &(lservice->krbrealmreferences), count)) != 0) + goto cleanup; + *omask |= LDAP_SERVICE_REALMREFERENCE; + ldap_value_free(values); + } + + if ((values=ldap_get_values(ld, ent, "objectClass")) != NULL) { + for (i=0; values[i]; ++i) { + if (strcasecmp(values[i], "krbKdcService") == 0) { + lservice->servicetype = LDAP_KDC_SERVICE; + break; + } + + if (strcasecmp(values[i], "krbAdmService") == 0) { + lservice->servicetype = LDAP_ADMIN_SERVICE; + break; + } + + if (strcasecmp(values[i], "krbPwdService") == 0) { + lservice->servicetype = LDAP_PASSWD_SERVICE; + break; + } + } + ldap_value_free(values); + } } ldap_msgfree(result); cleanup: if (st != 0) { - krb5_ldap_free_service(context, lservice); - *service = NULL; + krb5_ldap_free_service(context, lservice); + *service = NULL; } else { - store_tl_data(lservice->tl_data, KDB_TL_MASK, omask); - *service = lservice; + store_tl_data(lservice->tl_data, KDB_TL_MASK, omask); + *service = lservice; } krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); @@ -529,34 +519,32 @@ cleanup: */ krb5_error_code -krb5_ldap_free_service(context, service) - krb5_context context; - krb5_ldap_service_params *service; +krb5_ldap_free_service(krb5_context context, krb5_ldap_service_params *service) { int i=0; if (service == NULL) - return 0; + return 0; if (service->servicedn) - free (service->servicedn); + free (service->servicedn); if (service->krbrealmreferences) { - for (i=0; service->krbrealmreferences[i]; ++i) - free (service->krbrealmreferences[i]); - free (service->krbrealmreferences); + for (i=0; service->krbrealmreferences[i]; ++i) + free (service->krbrealmreferences[i]); + free (service->krbrealmreferences); } if (service->krbhostservers) { - for (i=0; service->krbhostservers[i]; ++i) - free (service->krbhostservers[i]); - free (service->krbhostservers); + for (i=0; service->krbhostservers[i]; ++i) + free (service->krbhostservers[i]); + free (service->krbhostservers); } if (service->tl_data) { - if (service->tl_data->tl_data_contents) - free (service->tl_data->tl_data_contents); - free (service->tl_data); + if (service->tl_data->tl_data_contents) + free (service->tl_data->tl_data_contents); + free (service->tl_data); } free (service); @@ -564,10 +552,7 @@ krb5_ldap_free_service(context, service) } krb5_error_code -krb5_ldap_set_service_passwd(context, service, passwd) - krb5_context context; - char *service; - char *passwd; +krb5_ldap_set_service_passwd(krb5_context context, char *service, char *passwd) { krb5_error_code st=0; LDAPMod **mods=NULL; @@ -583,11 +568,11 @@ krb5_ldap_set_service_passwd(context, service, passwd) GET_HANDLE(); if ((st=krb5_add_str_mem_ldap_mod(&mods, "userPassword", LDAP_MOD_REPLACE, password)) != 0) - goto cleanup; + goto cleanup; st = ldap_modify_ext_s(ld, service, mods, NULL, NULL); if (st) { - st = set_ldap_error (context, st, OP_MOD); + st = set_ldap_error (context, st, OP_MOD); } cleanup: diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h index 5f0b1d7e6..5c9f524e8 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_services.h * @@ -55,43 +56,46 @@ #define SERVICE_PROTOCOL_TYPE_TCP "1" typedef struct _krb5_ldap_service_params { - char *servicedn; - int servicetype; - int krbserviceflags; - char **krbhostservers; - char **krbrealmreferences; - krb5_tl_data *tl_data; + char *servicedn; + int servicetype; + int krbserviceflags; + char **krbhostservers; + char **krbrealmreferences; + krb5_tl_data *tl_data; } krb5_ldap_service_params; #ifdef HAVE_EDIRECTORY krb5_error_code -krb5_ldap_read_service( krb5_context, char *, krb5_ldap_service_params **, int *); +krb5_ldap_read_service(krb5_context, char *, krb5_ldap_service_params **, + int *); krb5_error_code -krb5_ldap_create_service( krb5_context, krb5_ldap_service_params *,int); +krb5_ldap_create_service(krb5_context, krb5_ldap_service_params *, int); krb5_error_code -krb5_ldap_modify_service( krb5_context, krb5_ldap_service_params *, int); +krb5_ldap_modify_service(krb5_context, krb5_ldap_service_params *, int); krb5_error_code -krb5_ldap_delete_service( krb5_context, krb5_ldap_service_params *, char *); +krb5_ldap_delete_service(krb5_context, krb5_ldap_service_params *, char *); krb5_error_code -krb5_ldap_list_services( krb5_context, char *, char ***); +krb5_ldap_list_services(krb5_context, char *, char ***); krb5_error_code -krb5_ldap_free_service( krb5_context, krb5_ldap_service_params *); +krb5_ldap_free_service(krb5_context, krb5_ldap_service_params *); krb5_error_code -krb5_ldap_set_service_passwd( krb5_context, char *, char *); +krb5_ldap_set_service_passwd(krb5_context, char *, char *); krb5_error_code -krb5_ldap_add_service_rights( krb5_context, int, char *, char *, char **, char *, int); +krb5_ldap_add_service_rights(krb5_context, int, char *, char *, char **, + char *, int); krb5_error_code -krb5_ldap_delete_service_rights( krb5_context, int, char *, char *, char **, char *, int); +krb5_ldap_delete_service_rights(krb5_context, int, char *, char *, char **, + char *, int); #endif #endif diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c index face03859..e8f1c57f0 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_tkt_policy.c * @@ -39,10 +40,8 @@ * create the Ticket policy object in Directory. */ krb5_error_code -krb5_ldap_create_policy(context, policy, mask) - krb5_context context; - krb5_ldap_policy_params *policy; - int mask; +krb5_ldap_create_policy(krb5_context context, krb5_ldap_policy_params *policy, + int mask) { krb5_error_code st=0; LDAP *ld=NULL; @@ -54,55 +53,55 @@ krb5_ldap_create_policy(context, policy, mask) /* validate the input parameters */ if (policy == NULL || policy->policy == NULL) { - st = EINVAL; - krb5_set_error_message (context, st, "Ticket Policy Name missing"); - goto cleanup; + st = EINVAL; + krb5_set_error_message (context, st, "Ticket Policy Name missing"); + goto cleanup; } SETUP_CONTEXT(); GET_HANDLE(); if ((st = krb5_ldap_name_to_policydn (context, policy->policy, &policy_dn)) != 0) - goto cleanup; + goto cleanup; memset(strval, 0, sizeof(strval)); strval[0] = policy->policy; if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + goto cleanup; memset(strval, 0, sizeof(strval)); strval[0] = "krbTicketPolicy"; strval[1] = "krbTicketPolicyaux"; if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + goto cleanup; if (mask & LDAP_POLICY_MAXTKTLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_ADD, - policy->maxtktlife)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_ADD, + policy->maxtktlife)) != 0) + goto cleanup; } if (mask & LDAP_POLICY_MAXRENEWLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_ADD, - policy->maxrenewlife)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_ADD, + policy->maxrenewlife)) != 0) + goto cleanup; } if (mask & LDAP_POLICY_TKTFLAGS) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_ADD, - policy->tktflags)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_ADD, + policy->tktflags)) != 0) + goto cleanup; } /* ldap add operation */ if ((st=ldap_add_ext_s(ld, policy_dn, mods, NULL, NULL)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_ADD); - goto cleanup; + st = set_ldap_error (context, st, OP_ADD); + goto cleanup; } cleanup: if (policy_dn != NULL) - free(policy_dn); + free(policy_dn); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); @@ -115,10 +114,8 @@ cleanup: */ krb5_error_code -krb5_ldap_modify_policy(context, policy, mask) - krb5_context context; - krb5_ldap_policy_params *policy; - int mask; +krb5_ldap_modify_policy(krb5_context context, krb5_ldap_policy_params *policy, + int mask) { int objectmask=0; krb5_error_code st=0; @@ -132,49 +129,49 @@ krb5_ldap_modify_policy(context, policy, mask) /* validate the input parameters */ if (policy == NULL || policy->policy==NULL) { - st = EINVAL; - krb5_set_error_message (context, st, "Ticket Policy Name missing"); - goto cleanup; + st = EINVAL; + krb5_set_error_message (context, st, "Ticket Policy Name missing"); + goto cleanup; } SETUP_CONTEXT(); GET_HANDLE(); if ((st = krb5_ldap_name_to_policydn (context, policy->policy, &policy_dn)) != 0) - goto cleanup; + goto cleanup; /* the policydn object should be of the krbTicketPolicy object class */ st = checkattributevalue(ld, policy_dn, "objectClass", attrvalues, &objectmask); CHECK_CLASS_VALIDITY(st, objectmask, "ticket policy object: "); if ((objectmask & 0x02) == 0) { /* add krbticketpolicyaux to the object class list */ - memset(strval, 0, sizeof(strval)); - strval[0] = "krbTicketPolicyAux"; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + memset(strval, 0, sizeof(strval)); + strval[0] = "krbTicketPolicyAux"; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) + goto cleanup; } if (mask & LDAP_POLICY_MAXTKTLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, - policy->maxtktlife)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, + policy->maxtktlife)) != 0) + goto cleanup; } if (mask & LDAP_POLICY_MAXRENEWLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, - policy->maxrenewlife)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, + policy->maxrenewlife)) != 0) + goto cleanup; } if (mask & LDAP_POLICY_TKTFLAGS) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, - policy->tktflags)) != 0) - goto cleanup; + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, + policy->tktflags)) != 0) + goto cleanup; } if ((st=ldap_modify_ext_s(ld, policy_dn, mods, NULL, NULL)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; + st = set_ldap_error (context, st, OP_MOD); + goto cleanup; } cleanup: @@ -193,11 +190,8 @@ cleanup: */ krb5_error_code -krb5_ldap_read_policy(context, policyname, policy, omask) - krb5_context context; - char *policyname; - krb5_ldap_policy_params **policy; - int *omask; +krb5_ldap_read_policy(krb5_context context, char *policyname, + krb5_ldap_policy_params **policy, int *omask) { krb5_error_code st=0, tempst=0; int objectmask=0; @@ -212,16 +206,16 @@ krb5_ldap_read_policy(context, policyname, policy, omask) /* validate the input parameters */ if (policyname == NULL || policy == NULL) { - st = EINVAL; - krb5_set_error_message(context, st, "Ticket Policy Object information missing"); - goto cleanup; + st = EINVAL; + krb5_set_error_message(context, st, "Ticket Policy Object information missing"); + goto cleanup; } SETUP_CONTEXT(); GET_HANDLE(); if ((st = krb5_ldap_name_to_policydn (context, policyname, &policy_dn)) != 0) - goto cleanup; + goto cleanup; /* the policydn object should be of the krbTicketPolicy object class */ st = checkattributevalue(ld, policy_dn, "objectClass", attrvalues, &objectmask); @@ -233,8 +227,8 @@ krb5_ldap_read_policy(context, policyname, policy, omask) memset(lpolicy, 0, sizeof(krb5_ldap_policy_params)); if ((lpolicy->policy = strdup (policyname)) == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } lpolicy->tl_data = calloc (1, sizeof(*lpolicy->tl_data)); @@ -247,14 +241,14 @@ krb5_ldap_read_policy(context, policyname, policy, omask) ent=ldap_first_entry(ld, result); if (ent != NULL) { - if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", (int *) &(lpolicy->maxtktlife)) == 0) - *omask |= LDAP_POLICY_MAXTKTLIFE; + if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", (int *) &(lpolicy->maxtktlife)) == 0) + *omask |= LDAP_POLICY_MAXTKTLIFE; - if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", (int *) &(lpolicy->maxrenewlife)) == 0) - *omask |= LDAP_POLICY_MAXRENEWLIFE; + if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", (int *) &(lpolicy->maxrenewlife)) == 0) + *omask |= LDAP_POLICY_MAXRENEWLIFE; - if (krb5_ldap_get_value(ld, ent, "krbticketflags", (int *) &(lpolicy->tktflags)) == 0) - *omask |= LDAP_POLICY_TKTFLAGS; + if (krb5_ldap_get_value(ld, ent, "krbticketflags", (int *) &(lpolicy->tktflags)) == 0) + *omask |= LDAP_POLICY_TKTFLAGS; } ldap_msgfree(result); @@ -264,8 +258,8 @@ krb5_ldap_read_policy(context, policyname, policy, omask) cleanup: if (st != 0) { - krb5_ldap_free_policy(context, lpolicy); - *policy = NULL; + krb5_ldap_free_policy(context, lpolicy); + *policy = NULL; } krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; @@ -288,22 +282,20 @@ cleanup: */ krb5_error_code -krb5_ldap_delete_policy(context, policyname) - krb5_context context; - char *policyname; +krb5_ldap_delete_policy(krb5_context context, char *policyname) { - int refcount = 0; - char *policy_dn = NULL; + int refcount = 0; + char *policy_dn = NULL; krb5_error_code st = 0; LDAP *ld = NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; - if (policyname == NULL) { - st = EINVAL; - prepend_err_str (context,"Ticket Policy Object DN missing",st,st); - goto cleanup; + if (policyname == NULL) { + st = EINVAL; + prepend_err_str (context,"Ticket Policy Object DN missing",st,st); + goto cleanup; } @@ -317,19 +309,19 @@ krb5_ldap_delete_policy(context, policyname) * it is greater than 0. */ if ((st = krb5_ldap_get_reference_count (context, policy_dn, - "krbTicketPolicyReference", &refcount, ld)) != 0) + "krbTicketPolicyReference", &refcount, ld)) != 0) goto cleanup; if (refcount == 0) { - if ((st=ldap_delete_ext_s(ld, policy_dn, NULL, NULL)) != 0) { - prepend_err_str (context,ldap_err2string(st),st,st); + if ((st=ldap_delete_ext_s(ld, policy_dn, NULL, NULL)) != 0) { + prepend_err_str (context,ldap_err2string(st),st,st); - goto cleanup; - } + goto cleanup; + } } else { - st = EINVAL; - prepend_err_str (context,"Delete Failed: One or more Principals associated with the Ticket Policy",st,st); - goto cleanup; + st = EINVAL; + prepend_err_str (context,"Delete Failed: One or more Principals associated with the Ticket Policy",st,st); + goto cleanup; } cleanup: @@ -345,10 +337,7 @@ cleanup: */ krb5_error_code -krb5_ldap_list_policy(context, containerdn, policy) - krb5_context context; - char *containerdn; - char ***policy; +krb5_ldap_list_policy(krb5_context context, char *containerdn, char ***policy) { int i, j, count; char **list = NULL; @@ -363,7 +352,7 @@ krb5_ldap_list_policy(context, containerdn, policy) } if ((st = krb5_ldap_list(context, &list, "krbTicketPolicy", policycontainerdn)) != 0) - goto cleanup; + goto cleanup; for (i = 0; list[i] != NULL; i++); @@ -371,15 +360,15 @@ krb5_ldap_list_policy(context, containerdn, policy) *policy = (char **) calloc ((unsigned) count + 1, sizeof(char *)); if (*policy == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } for (i = 0, j = 0; list[i] != NULL; i++, j++) { - int ret; - ret = krb5_ldap_policydn_to_name (context, list[i], &(*policy)[i]); - if (ret != 0) - j--; + int ret; + ret = krb5_ldap_policydn_to_name (context, list[i], &(*policy)[i]); + if (ret != 0) + j--; } cleanup: @@ -393,23 +382,21 @@ cleanup: */ krb5_error_code -krb5_ldap_free_policy(context, policy) - krb5_context context; - krb5_ldap_policy_params *policy; +krb5_ldap_free_policy(krb5_context context, krb5_ldap_policy_params *policy) { krb5_error_code st=0; if (policy == NULL) - return st; + return st; if (policy->policy) - free (policy->policy); + free (policy->policy); if (policy->tl_data) { - if (policy->tl_data->tl_data_contents) - free (policy->tl_data->tl_data_contents); - free (policy->tl_data); + if (policy->tl_data->tl_data_contents) + free (policy->tl_data->tl_data_contents); + free (policy->tl_data); } free (policy); @@ -422,11 +409,8 @@ krb5_ldap_free_policy(context, policy) */ krb5_error_code -krb5_ldap_list(context, list, objectclass, containerdn) - krb5_context context; - char ***list; - char *objectclass; - char *containerdn; +krb5_ldap_list(krb5_context context, char ***list, char *objectclass, + char *containerdn) { char *filter=NULL, *dn=NULL; krb5_error_code st=0, tempst=0; @@ -442,18 +426,18 @@ krb5_ldap_list(context, list, objectclass, containerdn) /* check if the containerdn exists */ if (containerdn) { - if ((st=checkattributevalue(ld, containerdn, NULL, NULL, NULL)) != 0) { - prepend_err_str (context, "Error reading container object: ", st, st); - goto cleanup; - } + if ((st=checkattributevalue(ld, containerdn, NULL, NULL, NULL)) != 0) { + prepend_err_str (context, "Error reading container object: ", st, st); + goto cleanup; + } } /* set the filter for the search operation */ filterlen = strlen("(objectclass=") + strlen(objectclass) + 1 + 1; filter = malloc ((unsigned) filterlen); if (filter == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } snprintf(filter, (unsigned) filterlen,"(objectclass=%s)",objectclass); @@ -461,40 +445,40 @@ krb5_ldap_list(context, list, objectclass, containerdn) count = ldap_count_entries(ld, result); if (count == -1) { - ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &st); - st = set_ldap_error(context, st, OP_SEARCH); - goto cleanup; + ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &st); + st = set_ldap_error(context, st, OP_SEARCH); + goto cleanup; } *list = (char **) calloc ((unsigned) count+1, sizeof(char *)); if (*list == NULL) { - st = ENOMEM; - goto cleanup; + st = ENOMEM; + goto cleanup; } for (ent=ldap_first_entry(ld, result), count=0; ent != NULL; ent=ldap_next_entry(ld, ent), ++count) { - if ((dn=ldap_get_dn(ld, ent)) == NULL) - continue; - if (((*list)[count] = strdup(dn)) == NULL) { - ldap_memfree (dn); - st = ENOMEM; - goto cleanup; - } - ldap_memfree(dn); + if ((dn=ldap_get_dn(ld, ent)) == NULL) + continue; + if (((*list)[count] = strdup(dn)) == NULL) { + ldap_memfree (dn); + st = ENOMEM; + goto cleanup; + } + ldap_memfree(dn); } ldap_msgfree(result); cleanup: if (filter) - free (filter); + free (filter); /* some error, free up all the memory */ if (st != 0) { - if (*list) { - for (i=0; (*list)[i]; ++i) - free ((*list)[i]); - free (*list); - *list = NULL; - } + if (*list) { + for (i=0; (*list)[i]; ++i) + free ((*list)[i]); + free (*list); + *list = NULL; + } } krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.h index 9a1f2ea11..fceb83216 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/kdb/kdb_ldap/ldap_tkt_policy.h * @@ -40,12 +41,12 @@ /* policy object structure */ typedef struct _krb5_ldap_policy_params { - char *policy; - long mask; - long maxtktlife; - long maxrenewlife; - long tktflags; - krb5_tl_data *tl_data; + char *policy; + long mask; + long maxtktlife; + long maxrenewlife; + long tktflags; + krb5_tl_data *tl_data; }krb5_ldap_policy_params; krb5_error_code @@ -70,6 +71,6 @@ krb5_error_code krb5_ldap_free_policy(krb5_context, krb5_ldap_policy_params *); krb5_error_code -krb5_ldap_change_count(krb5_context ,char * , int); +krb5_ldap_change_count(krb5_context, char *, int); #endif diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c index 6b2d49e82..020c77a94 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c @@ -1,4 +1,4 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/kdb/ldap/lockout.c * diff --git a/src/plugins/locate/python/py-locate.c b/src/plugins/locate/python/py-locate.c index 6f4943a75..ca6dcba56 100644 --- a/src/plugins/locate/python/py-locate.c +++ b/src/plugins/locate/python/py-locate.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/locate/python/py-locate.c * @@ -72,26 +73,26 @@ #error "Where's the Python header file?" #endif #include -#include "k5-platform.h" /* for init/fini macros */ +#include "k5-platform.h" /* for init/fini macros */ #include "fake-addrinfo.h" #include -#define LIBDIR "/tmp" /* should be imported from configure */ -#define SCRIPT_PATH LIBDIR "/krb5/locate-service.py" -#define LOOKUP_FUNC_NAME "locate" +#define LIBDIR "/tmp" /* should be imported from configure */ +#define SCRIPT_PATH LIBDIR "/krb5/locate-service.py" +#define LOOKUP_FUNC_NAME "locate" static PyObject *locatefn; MAKE_INIT_FUNCTION(my_init); MAKE_FINI_FUNCTION(my_fini); -#define F (strchr(__FILE__, '/') ? 1 + strrchr(__FILE__, '/') : __FILE__) +#define F (strchr(__FILE__, '/') ? 1 + strrchr(__FILE__, '/') : __FILE__) -static krb5_context sctx; /* XXX ugly hack! */ +static krb5_context sctx; /* XXX ugly hack! */ int -my_init (void) +my_init(void) { PyObject *mainmodule; FILE *f; @@ -100,11 +101,11 @@ my_init (void) // fprintf(stderr, "trying to load %s\n", SCRIPT_PATH); f = fopen(SCRIPT_PATH, "r"); if (f == NULL) { - if (sctx) - krb5_set_error_message(sctx, -1, - "couldn't open Python script %s (%s)", - SCRIPT_PATH, strerror(errno)); - return -1; + if (sctx) + krb5_set_error_message(sctx, -1, + "couldn't open Python script %s (%s)", + SCRIPT_PATH, strerror(errno)); + return -1; } set_cloexec_file(f); PyRun_SimpleFile (f, SCRIPT_PATH); @@ -115,29 +116,29 @@ my_init (void) if (PyErr_Occurred()) { fprintf(stderr,"%s:%d: python error\n", F, __LINE__); PyErr_Print(); return -1; } /* Don't DECREF mainmodule, it's sometimes causing crashes. */ if (locatefn == 0) - return -1; + return -1; if (!PyCallable_Check (locatefn)) { - Py_DECREF (locatefn); - locatefn = 0; - return -1; + Py_DECREF (locatefn); + locatefn = 0; + return -1; } if (PyErr_Occurred()) { fprintf(stderr,"%s:%d: python error\n", F, __LINE__); PyErr_Print(); return -1; } return 0; } void -my_fini (void) +my_fini(void) { // fprintf(stderr, "%s:%d: Python module finalization\n", F, __LINE__); if (! INITIALIZER_RAN (my_init)) - return; + return; Py_DECREF (locatefn); locatefn = 0; Py_Finalize (); } static krb5_error_code -ctxinit (krb5_context ctx, void **blobptr) +ctxinit(krb5_context ctx, void **blobptr) { /* If we wanted to create a separate Python interpreter instance, look up the pathname of the script in the config file used for @@ -150,7 +151,7 @@ ctxinit (krb5_context ctx, void **blobptr) } static void -ctxfini (void *blob) +ctxfini(void *blob) { } @@ -170,9 +171,9 @@ ctxfini (void *blob) isn't going to be very useful to the caller.) */ static krb5_error_code -lookup (void *blob, enum locate_service_type svc, const char *realm, - int socktype, int family, - int (*cbfunc)(void *, int, struct sockaddr *), void *cbdata) +lookup(void *blob, enum locate_service_type svc, const char *realm, + int socktype, int family, + int (*cbfunc)(void *, int, struct sockaddr *), void *cbdata) { PyObject *py_result, *svcarg, *realmarg, *arglist; int listsize, i, x; @@ -180,17 +181,17 @@ lookup (void *blob, enum locate_service_type svc, const char *realm, int thissocktype; // fprintf(stderr, "%s:%d: lookup(%d,%s,%d,%d)\n", F, __LINE__, -// svc, realm, socktype, family); - sctx = blob; /* XXX: Not thread safe! */ +// svc, realm, socktype, family); + sctx = blob; /* XXX: Not thread safe! */ i = CALL_INIT_FUNCTION (my_init); if (i) { #if 0 - fprintf(stderr, "%s:%d: module initialization failed\n", F, __LINE__); + fprintf(stderr, "%s:%d: module initialization failed\n", F, __LINE__); #endif - return i; + return i; } if (locatefn == 0) - return KRB5_PLUGIN_NO_HANDLE; + return KRB5_PLUGIN_NO_HANDLE; svcarg = PyInt_FromLong (svc); /* error? */ realmarg = PyString_FromString ((char *) realm); @@ -207,24 +208,24 @@ lookup (void *blob, enum locate_service_type svc, const char *realm, py_result = PyObject_CallObject (locatefn, arglist); Py_DECREF (arglist); if (PyErr_Occurred()) { - fprintf(stderr,"%s:%d: python error\n", F, __LINE__); - PyErr_Print(); - krb5_set_error_message(blob, -1, - "Python evaluation error, see stderr"); - return -1; + fprintf(stderr,"%s:%d: python error\n", F, __LINE__); + PyErr_Print(); + krb5_set_error_message(blob, -1, + "Python evaluation error, see stderr"); + return -1; } if (py_result == 0) { - fprintf(stderr, "%s:%d: returned null object\n", F, __LINE__); - return -1; + fprintf(stderr, "%s:%d: returned null object\n", F, __LINE__); + return -1; } if (py_result == Py_False) - return KRB5_PLUGIN_NO_HANDLE; + return KRB5_PLUGIN_NO_HANDLE; if (! PyList_Check (py_result)) { - Py_DECREF (py_result); - fprintf(stderr, "%s:%d: returned non-list, non-False\n", F, __LINE__); - krb5_set_error_message(blob, -1, - "Python script error -- returned non-list, non-False result"); - return -1; + Py_DECREF (py_result); + fprintf(stderr, "%s:%d: returned non-list, non-False\n", F, __LINE__); + krb5_set_error_message(blob, -1, + "Python script error -- returned non-list, non-False result"); + return -1; } listsize = PyList_Size (py_result); /* allocate */ @@ -232,83 +233,83 @@ lookup (void *blob, enum locate_service_type svc, const char *realm, aihints.ai_flags = AI_NUMERICHOST; aihints.ai_family = family; for (i = 0; i < listsize; i++) { - PyObject *answer, *field; - char *hoststr, *portstr, portbuf[3*sizeof(long) + 4]; - int cbret; + PyObject *answer, *field; + char *hoststr, *portstr, portbuf[3*sizeof(long) + 4]; + int cbret; - answer = PyList_GetItem (py_result, i); - if (! PyTuple_Check (answer)) { - krb5_set_error_message(blob, -1, - "Python script error -- returned item %d not a tuple", i); - /* leak? */ - return -1; - } - if (PyTuple_Size (answer) != 3) { - krb5_set_error_message(blob, -1, - "Python script error -- returned tuple %d size %d should be 3", - i, PyTuple_Size (answer)); - /* leak? */ - return -1; - } - field = PyTuple_GetItem (answer, 0); - if (! PyString_Check (field)) { - /* leak? */ - krb5_set_error_message(blob, -1, - "Python script error -- first component of tuple %d is not a string", - i); - return -1; - } - hoststr = PyString_AsString (field); - field = PyTuple_GetItem (answer, 1); - if (PyString_Check (field)) { - portstr = PyString_AsString (field); - } else if (PyInt_Check (field)) { - snprintf(portbuf, sizeof(portbuf), "%ld", PyInt_AsLong (field)); - portstr = portbuf; - } else { - krb5_set_error_message(blob, -1, - "Python script error -- second component of tuple %d neither a string nor an integer", - i); - /* leak? */ - return -1; - } - field = PyTuple_GetItem (answer, 2); - if (! PyInt_Check (field)) { - krb5_set_error_message(blob, -1, - "Python script error -- third component of tuple %d not an integer", - i); - /* leak? */ - return -1; - } - thissocktype = PyInt_AsLong (field); - switch (thissocktype) { - case SOCK_STREAM: - case SOCK_DGRAM: - /* okay */ - if (socktype != 0 && socktype != thissocktype) { - krb5_set_error_message(blob, -1, - "Python script error -- tuple %d has socket type %d, should only have %d", - i, thissocktype, socktype); - /* leak? */ - return -1; - } - break; - default: - /* 0 is not acceptable */ - krb5_set_error_message(blob, -1, - "Python script error -- tuple %d has invalid socket type %d", - i, thissocktype); - /* leak? */ - return -1; - } - aihints.ai_socktype = thissocktype; - x = getaddrinfo (hoststr, portstr, &aihints, &airesult); - if (x != 0) - continue; - cbret = cbfunc(cbdata, airesult->ai_socktype, airesult->ai_addr); - freeaddrinfo(airesult); - if (cbret != 0) - break; + answer = PyList_GetItem (py_result, i); + if (! PyTuple_Check (answer)) { + krb5_set_error_message(blob, -1, + "Python script error -- returned item %d not a tuple", i); + /* leak? */ + return -1; + } + if (PyTuple_Size (answer) != 3) { + krb5_set_error_message(blob, -1, + "Python script error -- returned tuple %d size %d should be 3", + i, PyTuple_Size (answer)); + /* leak? */ + return -1; + } + field = PyTuple_GetItem (answer, 0); + if (! PyString_Check (field)) { + /* leak? */ + krb5_set_error_message(blob, -1, + "Python script error -- first component of tuple %d is not a string", + i); + return -1; + } + hoststr = PyString_AsString (field); + field = PyTuple_GetItem (answer, 1); + if (PyString_Check (field)) { + portstr = PyString_AsString (field); + } else if (PyInt_Check (field)) { + snprintf(portbuf, sizeof(portbuf), "%ld", PyInt_AsLong (field)); + portstr = portbuf; + } else { + krb5_set_error_message(blob, -1, + "Python script error -- second component of tuple %d neither a string nor an integer", + i); + /* leak? */ + return -1; + } + field = PyTuple_GetItem (answer, 2); + if (! PyInt_Check (field)) { + krb5_set_error_message(blob, -1, + "Python script error -- third component of tuple %d not an integer", + i); + /* leak? */ + return -1; + } + thissocktype = PyInt_AsLong (field); + switch (thissocktype) { + case SOCK_STREAM: + case SOCK_DGRAM: + /* okay */ + if (socktype != 0 && socktype != thissocktype) { + krb5_set_error_message(blob, -1, + "Python script error -- tuple %d has socket type %d, should only have %d", + i, thissocktype, socktype); + /* leak? */ + return -1; + } + break; + default: + /* 0 is not acceptable */ + krb5_set_error_message(blob, -1, + "Python script error -- tuple %d has invalid socket type %d", + i, thissocktype); + /* leak? */ + return -1; + } + aihints.ai_socktype = thissocktype; + x = getaddrinfo (hoststr, portstr, &aihints, &airesult); + if (x != 0) + continue; + cbret = cbfunc(cbdata, airesult->ai_socktype, airesult->ai_addr); + freeaddrinfo(airesult); + if (cbret != 0) + break; } Py_DECREF (py_result); return 0; diff --git a/src/plugins/preauth/cksum_body/cksum_body_main.c b/src/plugins/preauth/cksum_body/cksum_body_main.c index 77de0a8b6..b03a29a18 100644 --- a/src/plugins/preauth/cksum_body/cksum_body_main.c +++ b/src/plugins/preauth/cksum_body/cksum_body_main.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 2006 Red Hat, Inc. * All rights reserved. @@ -79,22 +80,22 @@ client_get_flags(krb5_context kcontext, krb5_preauthtype pa_type) static krb5_error_code client_process(krb5_context kcontext, - void *client_plugin_context, - void *client_request_context, - krb5_get_init_creds_opt *opt, - preauth_get_client_data_proc client_get_data_proc, - struct _krb5_preauth_client_rock *rock, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, - krb5_pa_data *pa_data, - krb5_prompter_fct prompter, - void *prompter_data, - preauth_get_as_key_proc gak_fct, - void *gak_data, - krb5_data *salt, krb5_data *s2kparams, - krb5_keyblock *as_key, - krb5_pa_data ***out_pa_data) + void *client_plugin_context, + void *client_request_context, + krb5_get_init_creds_opt *opt, + preauth_get_client_data_proc client_get_data_proc, + struct _krb5_preauth_client_rock *rock, + krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, + krb5_pa_data *pa_data, + krb5_prompter_fct prompter, + void *prompter_data, + preauth_get_as_key_proc gak_fct, + void *gak_data, + krb5_data *salt, krb5_data *s2kparams, + krb5_keyblock *as_key, + krb5_pa_data ***out_pa_data) { krb5_pa_data **send_pa; krb5_checksum checksum; @@ -107,20 +108,20 @@ client_process(krb5_context kcontext, krb5_gic_opt_pa_data *gic_info; status = krb5_get_init_creds_opt_get_pa(kcontext, opt, - &num_gic_info, &gic_info); + &num_gic_info, &gic_info); if (status && status != ENOENT) { #ifdef DEBUG - fprintf(stderr, "Error from krb5_get_init_creds_opt_get_pa: %s\n", - error_message(status)); + fprintf(stderr, "Error from krb5_get_init_creds_opt_get_pa: %s\n", + error_message(status)); #endif - return status; + return status; } #ifdef DEBUG fprintf(stderr, "(cksum_body) Got the following gic options:\n"); #endif for (i = 0; i < num_gic_info; i++) { #ifdef DEBUG - fprintf(stderr, " '%s' = '%s'\n", gic_info[i].attr, gic_info[i].value); + fprintf(stderr, " '%s' = '%s'\n", gic_info[i].attr, gic_info[i].value); #endif } krb5_get_init_creds_opt_free_pa(kcontext, num_gic_info, gic_info); @@ -130,33 +131,33 @@ client_process(krb5_context kcontext, /* Get the user's long-term key if we haven't asked for it yet. Try * all of the encryption types which the server supports. */ if (as_key->length == 0) { - if ((pa_data != NULL) && (pa_data->length >= 4)) { + if ((pa_data != NULL) && (pa_data->length >= 4)) { #ifdef DEBUG - fprintf(stderr, "%d bytes of preauth data.\n", pa_data->length); + fprintf(stderr, "%d bytes of preauth data.\n", pa_data->length); #endif - n_enctypes = pa_data->length / 4; - enctypes = (krb5_int32*) pa_data->contents; - } else { - n_enctypes = request->nktypes; - } - for (i = 0; i < n_enctypes; i++) { - if ((pa_data != NULL) && (pa_data->length >= 4)) { - memcpy(&enctype, pa_data->contents + 4 * i, 4); - enctype = ntohl(enctype); - } else { - enctype = request->ktype[i]; - } + n_enctypes = pa_data->length / 4; + enctypes = (krb5_int32*) pa_data->contents; + } else { + n_enctypes = request->nktypes; + } + for (i = 0; i < n_enctypes; i++) { + if ((pa_data != NULL) && (pa_data->length >= 4)) { + memcpy(&enctype, pa_data->contents + 4 * i, 4); + enctype = ntohl(enctype); + } else { + enctype = request->ktype[i]; + } #ifdef DEBUG - fprintf(stderr, "Asking for AS key (type = %d).\n", enctype); + fprintf(stderr, "Asking for AS key (type = %d).\n", enctype); #endif - status = (*gak_fct)(kcontext, request->client, enctype, - prompter, prompter_data, - salt, s2kparams, as_key, gak_data); - if (status == 0) - break; - } - if (status != 0) - return status; + status = (*gak_fct)(kcontext, request->client, enctype, + prompter, prompter_data, + salt, s2kparams, as_key, gak_data); + if (status == 0) + break; + } + if (status != 0) + return status; } #ifdef DEBUG fprintf(stderr, "Got AS key (type = %d).\n", as_key->enctype); @@ -166,53 +167,53 @@ client_process(krb5_context kcontext, cksumtype_count = 0; cksumtypes = NULL; status = krb5_c_keyed_checksum_types(kcontext, as_key->enctype, - &cksumtype_count, &cksumtypes); + &cksumtype_count, &cksumtypes); if (status != 0) - return status; + return status; /* Generate the checksum. */ for (i = 0; i < cksumtype_count; i++) { - status = krb5_c_make_checksum(kcontext, cksumtypes[i], as_key, - KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - encoded_request_body, - &checksum); - if (status == 0) { + status = krb5_c_make_checksum(kcontext, cksumtypes[i], as_key, + KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, + encoded_request_body, + &checksum); + if (status == 0) { #ifdef DEBUG - fprintf(stderr, "Made checksum (type = %d, %d bytes).\n", - checksum.checksum_type, encoded_request_body->length); + fprintf(stderr, "Made checksum (type = %d, %d bytes).\n", + checksum.checksum_type, encoded_request_body->length); #endif - break; - } + break; + } } cksumtype = htonl(cksumtypes[i]); krb5_free_cksumtypes(kcontext, cksumtypes); if (status != 0) { - if (checksum.length > 0) - krb5_free_checksum_contents(kcontext, &checksum); - return status; + if (checksum.length > 0) + krb5_free_checksum_contents(kcontext, &checksum); + return status; } /* Allocate the preauth data structure. */ send_pa = malloc(2 * sizeof(krb5_pa_data *)); if (send_pa == NULL) { - krb5_free_checksum_contents(kcontext, &checksum); - return ENOMEM; + krb5_free_checksum_contents(kcontext, &checksum); + return ENOMEM; } - send_pa[1] = NULL; /* Terminate list */ + send_pa[1] = NULL; /* Terminate list */ send_pa[0] = malloc(sizeof(krb5_pa_data)); if (send_pa[0] == NULL) { - krb5_free_checksum_contents(kcontext, &checksum); - free(send_pa); - return ENOMEM; + krb5_free_checksum_contents(kcontext, &checksum); + free(send_pa); + return ENOMEM; } send_pa[0]->pa_type = KRB5_PADATA_CKSUM_BODY_REQ; send_pa[0]->length = 4 + checksum.length; send_pa[0]->contents = malloc(4 + checksum.length); if (send_pa[0]->contents == NULL) { - krb5_free_checksum_contents(kcontext, &checksum); - free(send_pa[0]); - free(send_pa); - return ENOMEM; + krb5_free_checksum_contents(kcontext, &checksum); + free(send_pa[0]); + free(send_pa); + return ENOMEM; } /* Store the checksum. */ @@ -228,14 +229,14 @@ client_process(krb5_context kcontext, static krb5_error_code client_gic_opt(krb5_context kcontext, - void *plugin_context, - krb5_get_init_creds_opt *opt, - const char *attr, - const char *value) + void *plugin_context, + krb5_get_init_creds_opt *opt, + const char *attr, + const char *value) { #ifdef DEBUG fprintf(stderr, "(cksum_body) client_gic_opt: received '%s' = '%s'\n", - attr, value); + attr, value); #endif return 0; } @@ -247,7 +248,7 @@ server_init(krb5_context kcontext, void **module_context, const char **realmname struct server_stats *stats; stats = malloc(sizeof(struct server_stats)); if (stats == NULL) - return ENOMEM; + return ENOMEM; stats->successes = 0; stats->failures = 0; *module_context = stats; @@ -260,10 +261,10 @@ server_fini(krb5_context kcontext, void *module_context) stats = module_context; if (stats != NULL) { #ifdef DEBUG - fprintf(stderr, "Total: %d clients failed, %d succeeded.\n", - stats->failures, stats->successes); + fprintf(stderr, "Total: %d clients failed, %d succeeded.\n", + stats->failures, stats->successes); #endif - free(stats); + free(stats); } } @@ -271,12 +272,12 @@ server_fini(krb5_context kcontext, void *module_context) * client) which matches type data->pa_type. */ static krb5_error_code server_get_edata(krb5_context kcontext, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - preauth_get_entry_data_proc server_get_entry_data, - void *pa_module_context, - krb5_pa_data *data) + krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc server_get_entry_data, + void *pa_module_context, + krb5_pa_data *data) { krb5_data *key_data; krb5_keyblock *keys, *key; @@ -286,11 +287,11 @@ server_get_edata(krb5_context kcontext, /* Retrieve the client's keys. */ key_data = NULL; if ((*server_get_entry_data)(kcontext, request, client, - krb5plugin_preauth_keys, &key_data) != 0) { + krb5plugin_preauth_keys, &key_data) != 0) { #ifdef DEBUG - fprintf(stderr, "Error retrieving client keys.\n"); + fprintf(stderr, "Error retrieving client keys.\n"); #endif - return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; + return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; } /* Count which types of keys we've got, freeing the contents, which we @@ -298,23 +299,23 @@ server_get_edata(krb5_context kcontext, keys = (krb5_keyblock *) key_data->data; key = NULL; for (i = 0; keys[i].enctype != 0; i++) - krb5_free_keyblock_contents(kcontext, &keys[i]); + krb5_free_keyblock_contents(kcontext, &keys[i]); /* Return the list of encryption types. */ enctypes = malloc((unsigned)i * 4); if (enctypes == NULL) { - krb5_free_data(kcontext, key_data); - return ENOMEM; + krb5_free_data(kcontext, key_data); + return ENOMEM; } #ifdef DEBUG fprintf(stderr, "Supported enctypes = {"); #endif for (i = 0; keys[i].enctype != 0; i++) { #ifdef DEBUG - fprintf(stderr, "%s%d", (i > 0) ? ", " : "", keys[i].enctype); + fprintf(stderr, "%s%d", (i > 0) ? ", " : "", keys[i].enctype); #endif - enctype = htonl(keys[i].enctype); - memcpy(&enctypes[i], &enctype, 4); + enctype = htonl(keys[i].enctype); + memcpy(&enctypes[i], &enctype, 4); } #ifdef DEBUG fprintf(stderr, "}.\n"); @@ -329,16 +330,16 @@ server_get_edata(krb5_context kcontext, /* Verify a request from a client. */ static krb5_error_code server_verify(krb5_context kcontext, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, - krb5_pa_data *data, - preauth_get_entry_data_proc server_get_entry_data, - void *pa_module_context, - void **pa_request_context, - krb5_data **e_data, - krb5_authdata ***authz_data) + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *data, + preauth_get_entry_data_proc server_get_entry_data, + void *pa_module_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data) { krb5_int32 cksumtype; krb5_checksum checksum; @@ -362,8 +363,8 @@ server_verify(krb5_context kcontext, #endif /* Verify the preauth data. Start with the checksum type. */ if (data->length < 4) { - stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + stats->failures++; + return KRB5KDC_ERR_PREAUTH_FAILED; } memcpy(&cksumtype, data->contents, 4); memset(&checksum, 0, sizeof(checksum)); @@ -371,75 +372,75 @@ server_verify(krb5_context kcontext, /* Verify that the amount of data we have left is what we expect. */ if (krb5_c_checksum_length(kcontext, checksum.checksum_type, - &length) != 0) { + &length) != 0) { #ifdef DEBUG - fprintf(stderr, "Error determining checksum size (type = %d). " - "Is it supported?\n", checksum.checksum_type); + fprintf(stderr, "Error determining checksum size (type = %d). " + "Is it supported?\n", checksum.checksum_type); #endif - stats->failures++; - return KRB5KDC_ERR_SUMTYPE_NOSUPP; + stats->failures++; + return KRB5KDC_ERR_SUMTYPE_NOSUPP; } if (data->length - 4 != length) { #ifdef DEBUG - fprintf(stderr, "Checksum size doesn't match client packet size.\n"); + fprintf(stderr, "Checksum size doesn't match client packet size.\n"); #endif - stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + stats->failures++; + return KRB5KDC_ERR_PREAUTH_FAILED; } checksum.length = length; /* Pull up the client's keys. */ key_data = NULL; if ((*server_get_entry_data)(kcontext, request, client, - krb5plugin_preauth_keys, &key_data) != 0) { + krb5plugin_preauth_keys, &key_data) != 0) { #ifdef DEBUG - fprintf(stderr, "Error retrieving client keys.\n"); + fprintf(stderr, "Error retrieving client keys.\n"); #endif - stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + stats->failures++; + return KRB5KDC_ERR_PREAUTH_FAILED; } /* Find the key which would have been used to generate the checksum. */ keys = (krb5_keyblock *) key_data->data; key = NULL; for (i = 0; keys[i].enctype != 0; i++) { - key = &keys[i]; - cksumtypes_count = 0; - cksumtypes = NULL; - if (krb5_c_keyed_checksum_types(kcontext, key->enctype, - &cksumtypes_count, &cksumtypes) != 0) - continue; - for (j = 0; j < cksumtypes_count; j++) { - if (cksumtypes[j] == checksum.checksum_type) - break; - } - if (cksumtypes != NULL) - krb5_free_cksumtypes(kcontext, cksumtypes); - if (j < cksumtypes_count) { + key = &keys[i]; + cksumtypes_count = 0; + cksumtypes = NULL; + if (krb5_c_keyed_checksum_types(kcontext, key->enctype, + &cksumtypes_count, &cksumtypes) != 0) + continue; + for (j = 0; j < cksumtypes_count; j++) { + if (cksumtypes[j] == checksum.checksum_type) + break; + } + if (cksumtypes != NULL) + krb5_free_cksumtypes(kcontext, cksumtypes); + if (j < cksumtypes_count) { #ifdef DEBUG - fprintf(stderr, "Found checksum key.\n"); + fprintf(stderr, "Found checksum key.\n"); #endif - break; - } + break; + } } if ((key == NULL) || (key->enctype == 0)) { - for (i = 0; keys[i].enctype != 0; i++) - krb5_free_keyblock_contents(kcontext, &keys[i]); - krb5_free_data(kcontext, key_data); - stats->failures++; - return KRB5KDC_ERR_SUMTYPE_NOSUPP; + for (i = 0; keys[i].enctype != 0; i++) + krb5_free_keyblock_contents(kcontext, &keys[i]); + krb5_free_data(kcontext, key_data); + stats->failures++; + return KRB5KDC_ERR_SUMTYPE_NOSUPP; } /* Save a copy of the key. */ if (krb5_copy_keyblock(kcontext, &keys[i], &key) != 0) { - for (i = 0; keys[i].enctype != 0; i++) - krb5_free_keyblock_contents(kcontext, &keys[i]); - krb5_free_data(kcontext, key_data); - stats->failures++; - return KRB5KDC_ERR_SUMTYPE_NOSUPP; + for (i = 0; keys[i].enctype != 0; i++) + krb5_free_keyblock_contents(kcontext, &keys[i]); + krb5_free_data(kcontext, key_data); + stats->failures++; + return KRB5KDC_ERR_SUMTYPE_NOSUPP; } for (i = 0; keys[i].enctype != 0; i++) - krb5_free_keyblock_contents(kcontext, &keys[i]); + krb5_free_keyblock_contents(kcontext, &keys[i]); krb5_free_data(kcontext, key_data); /* Rebuild a copy of the client's request-body. If we were serious @@ -448,24 +449,24 @@ server_verify(krb5_context kcontext, * will probably work if it's us on both ends, though. */ req_body = NULL; if ((*server_get_entry_data)(kcontext, request, client, - krb5plugin_preauth_request_body, - &req_body) != 0) { - krb5_free_keyblock(kcontext, key); - stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + krb5plugin_preauth_request_body, + &req_body) != 0) { + krb5_free_keyblock(kcontext, key); + stats->failures++; + return KRB5KDC_ERR_PREAUTH_FAILED; } #ifdef DEBUG fprintf(stderr, "AS key type %d, checksum type %d, %d bytes.\n", - key->enctype, checksum.checksum_type, req_body->length); + key->enctype, checksum.checksum_type, req_body->length); #endif /* Verify the checksum itself. */ checksum.contents = data->contents + 4; valid = FALSE; status = krb5_c_verify_checksum(kcontext, key, - KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - req_body, &checksum, &valid); + KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, + req_body, &checksum, &valid); /* Clean up. */ krb5_free_data(kcontext, req_body); @@ -474,26 +475,26 @@ server_verify(krb5_context kcontext, /* Evaluate our results. */ if ((status != 0) || (!valid)) { #ifdef DEBUG - if (status != 0) { - fprintf(stderr, "Error in checksum verification.\n"); - } else { - fprintf(stderr, "Checksum mismatch.\n"); - } + if (status != 0) { + fprintf(stderr, "Error in checksum verification.\n"); + } else { + fprintf(stderr, "Checksum mismatch.\n"); + } #endif - /* Return edata to exercise code that handles edata... */ - test_edata = malloc(sizeof(*test_edata)); - if (test_edata != NULL) { - test_edata->data = malloc(20); - if (test_edata->data == NULL) { - free(test_edata); - } else { - test_edata->length = 20; - memset(test_edata->data, 'F', 20); /* fill it with junk */ - *e_data = test_edata; - } - } - stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + /* Return edata to exercise code that handles edata... */ + test_edata = malloc(sizeof(*test_edata)); + if (test_edata != NULL) { + test_edata->data = malloc(20); + if (test_edata->data == NULL) { + free(test_edata); + } else { + test_edata->length = 20; + memset(test_edata->data, 'F', 20); /* fill it with junk */ + *e_data = test_edata; + } + } + stats->failures++; + return KRB5KDC_ERR_PREAUTH_FAILED; } /* @@ -518,54 +519,54 @@ server_verify(krb5_context kcontext, #endif my_authz_data = malloc(2 * sizeof(*my_authz_data)); if (my_authz_data != NULL) { - my_authz_data[1] = NULL; - my_authz_data[0] = malloc(sizeof(krb5_authdata)); - if (my_authz_data[0] == NULL) { - free(my_authz_data); - return ENOMEM; - } - my_authz_data[0]->contents = malloc(AD_ALLOC_SIZE); - if (my_authz_data[0]->contents == NULL) { - free(my_authz_data[0]); - free(my_authz_data); - return ENOMEM; - } - memset(my_authz_data[0]->contents, '\0', AD_ALLOC_SIZE); - my_authz_data[0]->magic = KV5M_AUTHDATA; - my_authz_data[0]->ad_type = 1; - my_authz_data[0]->length = AD_ALLOC_SIZE; - memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header)); - snprintf(my_authz_data[0]->contents + sizeof(ad_header), - AD_ALLOC_SIZE - sizeof(ad_header), - "cksum authorization data: %d bytes worth!\n", AD_ALLOC_SIZE); - *authz_data = my_authz_data; + my_authz_data[1] = NULL; + my_authz_data[0] = malloc(sizeof(krb5_authdata)); + if (my_authz_data[0] == NULL) { + free(my_authz_data); + return ENOMEM; + } + my_authz_data[0]->contents = malloc(AD_ALLOC_SIZE); + if (my_authz_data[0]->contents == NULL) { + free(my_authz_data[0]); + free(my_authz_data); + return ENOMEM; + } + memset(my_authz_data[0]->contents, '\0', AD_ALLOC_SIZE); + my_authz_data[0]->magic = KV5M_AUTHDATA; + my_authz_data[0]->ad_type = 1; + my_authz_data[0]->length = AD_ALLOC_SIZE; + memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header)); + snprintf(my_authz_data[0]->contents + sizeof(ad_header), + AD_ALLOC_SIZE - sizeof(ad_header), + "cksum authorization data: %d bytes worth!\n", AD_ALLOC_SIZE); + *authz_data = my_authz_data; #ifdef DEBUG - fprintf(stderr, "Returning %d bytes of authorization data\n", - AD_ALLOC_SIZE); + fprintf(stderr, "Returning %d bytes of authorization data\n", + AD_ALLOC_SIZE); #endif } /* Return edata to exercise code that handles edata... */ test_edata = malloc(sizeof(*test_edata)); if (test_edata != NULL) { - test_edata->data = malloc(20); - if (test_edata->data == NULL) { - free(test_edata); - } else { - test_edata->length = 20; - memset(test_edata->data, 'S', 20); /* fill it with junk */ - *e_data = test_edata; - } + test_edata->data = malloc(20); + if (test_edata->data == NULL) { + free(test_edata); + } else { + test_edata->length = 20; + memset(test_edata->data, 'S', 20); /* fill it with junk */ + *e_data = test_edata; + } } /* Return a request context to exercise code that handles it */ svr_req_ctx = malloc(sizeof(*svr_req_ctx)); if (svr_req_ctx != NULL) { - svr_req_ctx->value1 = 111111; - svr_req_ctx->value2 = 222222; + svr_req_ctx->value1 = 111111; + svr_req_ctx->value2 = 222222; #ifdef DEBUG - fprintf(stderr, "server_verify: returning context at %p\n", - svr_req_ctx); + fprintf(stderr, "server_verify: returning context at %p\n", + svr_req_ctx); #endif } *pa_request_context = svr_req_ctx; @@ -579,17 +580,17 @@ server_verify(krb5_context kcontext, /* Create the response for a client. */ static krb5_error_code server_return(krb5_context kcontext, - krb5_pa_data *padata, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_kdc_rep *reply, - struct _krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc server_get_entry_data, - void *pa_module_context, - void **pa_request_context) + krb5_pa_data *padata, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_kdc_rep *reply, + struct _krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc server_get_entry_data, + void *pa_module_context, + void **pa_request_context) { /* We don't need to send data back on the return trip. */ *send_pa = NULL; @@ -599,25 +600,25 @@ server_return(krb5_context kcontext, /* Test server request context freeing */ static krb5_error_code server_free_reqctx(krb5_context kcontext, - void *pa_module_context, - void **pa_request_context) + void *pa_module_context, + void **pa_request_context) { test_svr_req_ctx *svr_req_ctx; #ifdef DEBUG fprintf(stderr, "server_free_reqctx: entered!\n"); #endif if (pa_request_context == NULL) - return 0; + return 0; svr_req_ctx = *pa_request_context; if (svr_req_ctx == NULL) - return 0; + return 0; if (svr_req_ctx->value1 != 111111 || svr_req_ctx->value2 != 222222) { - fprintf(stderr, "server_free_reqctx: got invalid req context " - "at %p with values %d and %d\n", - svr_req_ctx, svr_req_ctx->value1, svr_req_ctx->value2); - return EINVAL; + fprintf(stderr, "server_free_reqctx: got invalid req context " + "at %p with values %d and %d\n", + svr_req_ctx, svr_req_ctx->value1, svr_req_ctx->value2); + return EINVAL; } #ifdef DEBUG fprintf(stderr, "server_free_reqctx: freeing context at %p\n", svr_req_ctx); @@ -641,17 +642,17 @@ static krb5_preauthtype supported_server_pa_types[] = { }; struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = { - "cksum_body", /* name */ - &supported_client_pa_types[0], /* pa_type_list */ - NULL, /* enctype_list */ - NULL, /* plugin init function */ - NULL, /* plugin fini function */ - client_get_flags, /* get flags function */ - NULL, /* request init function */ - NULL, /* request fini function */ - client_process, /* process function */ - NULL, /* try_again function */ - client_gic_opt /* get init creds opt function */ + "cksum_body", /* name */ + &supported_client_pa_types[0], /* pa_type_list */ + NULL, /* enctype_list */ + NULL, /* plugin init function */ + NULL, /* plugin fini function */ + client_get_flags, /* get flags function */ + NULL, /* request init function */ + NULL, /* request fini function */ + client_process, /* process function */ + NULL, /* try_again function */ + client_gic_opt /* get init creds opt function */ }; struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = { diff --git a/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c b/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c index 45b309d8b..614ee47f2 100644 --- a/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c +++ b/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/preauth/encrypted_challenge/encrypted_challenge.c * @@ -24,8 +25,8 @@ * or implied warranty. * * - * - * Implement EncryptedChallenge fast factor from draft-ietf-krb-wg-preauth-framework + * Implement Encrypted Challenge fast factor from + * draft-ietf-krb-wg-preauth-framework */ #include @@ -33,31 +34,23 @@ #include -static int preauth_flags -(krb5_context context, krb5_preauthtype pa_type) +static int +preauth_flags(krb5_context context, krb5_preauthtype pa_type) { return PA_REAL; } -static krb5_error_code process_preauth -(krb5_context context, - void *plugin_context, - void *request_context, - krb5_get_init_creds_opt *opt, - preauth_get_client_data_proc get_data_proc, - struct _krb5_preauth_client_rock *rock, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, - krb5_pa_data *padata, - krb5_prompter_fct prompter, - void *prompter_data, - preauth_get_as_key_proc gak_fct, - void *gak_data, - krb5_data *salt, - krb5_data *s2kparams, - krb5_keyblock *as_key, - krb5_pa_data ***out_padata) +static krb5_error_code +process_preauth(krb5_context context, void *plugin_context, + void *request_context, krb5_get_init_creds_opt *opt, + preauth_get_client_data_proc get_data_proc, + struct _krb5_preauth_client_rock *rock, krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, krb5_pa_data *padata, + krb5_prompter_fct prompter, void *prompter_data, + preauth_get_as_key_proc gak_fct, void *gak_data, + krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key, + krb5_pa_data ***out_padata) { krb5_error_code retval = 0; krb5_enctype enctype = 0; @@ -87,29 +80,30 @@ static krb5_error_code process_preauth if (retval == 0) retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor", as_key, "challengelongterm", &challenge_key); - if (retval == 0) - retval =kaccess.decode_enc_data(&scratch, &enc); - scratch.data = NULL; - if (retval == 0) { - scratch.data = malloc(enc->ciphertext.length); - scratch.length = enc->ciphertext.length; - if (scratch.data == NULL) - retval = ENOMEM; - } - if (retval == 0) - retval = krb5_c_decrypt(context, challenge_key, - KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL, - enc, &scratch); -/*Per draft 11 of the preauth framework, the client MAY but - * is not required to actually check the timestamp from the KDC other than - * to confirm it decrypts. This code does not perform that check. - */ - if (scratch.data) - krb5_free_data_contents(context, &scratch); - if (retval == 0) - fast_set_kdc_verified(context, get_data_proc, rock); - if (enc) - kaccess.free_enc_data(context, enc); + if (retval == 0) + retval =kaccess.decode_enc_data(&scratch, &enc); + scratch.data = NULL; + if (retval == 0) { + scratch.data = malloc(enc->ciphertext.length); + scratch.length = enc->ciphertext.length; + if (scratch.data == NULL) + retval = ENOMEM; + } + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL, + enc, &scratch); + /* + * Per draft 11 of the preauth framework, the client MAY but is not + * required to actually check the timestamp from the KDC other than to + * confirm it decrypts. This code does not perform that check. + */ + if (scratch.data) + krb5_free_data_contents(context, &scratch); + if (retval == 0) + fast_set_kdc_verified(context, get_data_proc, rock); + if (enc) + kaccess.free_enc_data(context, enc); } else { /*No padata; we send*/ krb5_enc_data enc; krb5_pa_data *pa = NULL; @@ -136,34 +130,34 @@ static krb5_error_code process_preauth if (retval == 0) { retval = kaccess.encode_enc_data(&enc, &encoded_ts); krb5_free_data_contents(context, &enc.ciphertext); - } - if (retval == 0) { - pa = calloc(1, sizeof(krb5_pa_data)); - if (pa == NULL) - retval = ENOMEM; - } - if (retval == 0) { - pa_array = calloc(2, sizeof(krb5_pa_data *)); - if (pa_array == NULL) - retval = ENOMEM; - } - if (retval == 0) { - pa->length = encoded_ts->length; - pa->contents = (unsigned char *) encoded_ts->data; - pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; - free(encoded_ts); - encoded_ts = NULL; - pa_array[0] = pa; - pa = NULL; - *out_padata = pa_array; - pa_array = NULL; - } - if (pa) - free(pa); - if (encoded_ts) - krb5_free_data(context, encoded_ts); - if (pa_array) - free(pa_array); + } + if (retval == 0) { + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa_array = calloc(2, sizeof(krb5_pa_data *)); + if (pa_array == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa->length = encoded_ts->length; + pa->contents = (unsigned char *) encoded_ts->data; + pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; + free(encoded_ts); + encoded_ts = NULL; + pa_array[0] = pa; + pa = NULL; + *out_padata = pa_array; + pa_array = NULL; + } + if (pa) + free(pa); + if (encoded_ts) + krb5_free_data(context, encoded_ts); + if (pa_array) + free(pa_array); } if (challenge_key) krb5_free_keyblock(context, challenge_key); @@ -176,16 +170,12 @@ static krb5_error_code process_preauth } - - -static krb5_error_code kdc_include_padata -(krb5_context context, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - preauth_get_entry_data_proc get_entry_proc, - void *pa_module_context, - krb5_pa_data *data) +static krb5_error_code +kdc_include_padata(krb5_context context, krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, krb5_pa_data *data) { krb5_error_code retval = 0; krb5_keyblock *armor_key = NULL; @@ -198,18 +188,13 @@ static krb5_error_code kdc_include_padata return 0; } -static krb5_error_code kdc_verify_preauth -(krb5_context context, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, - krb5_pa_data *data, - preauth_get_entry_data_proc get_entry_proc, - void *pa_module_context, - void **pa_request_context, - krb5_data **e_data, - krb5_authdata ***authz_data) +static krb5_error_code +kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client, + krb5_data *req_pkt, krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, void **pa_request_context, + krb5_data **e_data, krb5_authdata ***authz_data) { krb5_error_code retval = 0; krb5_timestamp now; @@ -230,7 +215,7 @@ static krb5_error_code kdc_verify_preauth retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); if (retval == 0 &&armor_key == NULL) { retval = ENOENT; - krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel"); + krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel"); } scratch.data = (char *) data->contents; scratch.length = data->length; @@ -252,28 +237,28 @@ static krb5_error_code kdc_verify_preauth armor_key, "clientchallengearmor", &client_keys[i], "challengelongterm", &challenge_key); - if (retval == 0) - retval = krb5_c_decrypt(context, challenge_key, - KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, - NULL, enc, &plain); - if (challenge_key) - krb5_free_keyblock(context, challenge_key); - challenge_key = NULL; - if (retval == 0) - break; - /*We failed to decrypt. Try next key*/ - retval = 0; - krb5_free_keyblock_contents(context, &client_keys[i]); - } - if (client_keys[i].enctype == 0) { - retval = KRB5KDC_ERR_PREAUTH_FAILED; - krb5_set_error_message(context, retval, "Incorrect password in encrypted challenge"); - } else { /*not run out of keys*/ - int j; - assert (retval == 0); - for (j = i+1; client_keys[j].enctype; j++) - krb5_free_keyblock_contents(context, &client_keys[j]); - } + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, + NULL, enc, &plain); + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + challenge_key = NULL; + if (retval == 0) + break; + /*We failed to decrypt. Try next key*/ + retval = 0; + krb5_free_keyblock_contents(context, &client_keys[i]); + } + if (client_keys[i].enctype == 0) { + retval = KRB5KDC_ERR_PREAUTH_FAILED; + krb5_set_error_message(context, retval, "Incorrect password in encrypted challenge"); + } else { /*not run out of keys*/ + int j; + assert (retval == 0); + for (j = i+1; client_keys[j].enctype; j++) + krb5_free_keyblock_contents(context, &client_keys[j]); + } } if (retval == 0) @@ -283,13 +268,15 @@ static krb5_error_code kdc_verify_preauth if (retval == 0) { if (labs(now-ts->patimestamp) < context->clockskew) { enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; - /*If this fails, we won't generate a reply to the client. That may - * cause the client to fail, but at this point the KDC has considered - * this a success, so the return value is ignored. */ + /* + * If this fails, we won't generate a reply to the client. That + * may cause the client to fail, but at this point the KDC has + * considered this a success, so the return value is ignored. + */ fast_kdc_replace_reply_key(context, get_entry_proc, request); krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor", - &client_keys[i], "challengelongterm", - (krb5_keyblock **) pa_request_context); + &client_keys[i], "challengelongterm", + (krb5_keyblock **) pa_request_context); } else { /*skew*/ retval = KRB5KRB_AP_ERR_SKEW; } @@ -310,19 +297,14 @@ static krb5_error_code kdc_verify_preauth return retval; } -static krb5_error_code kdc_return_preauth -(krb5_context context, - krb5_pa_data * padata, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_kdc_rep *reply, - struct _krb5_key_data *client_keys, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc get_entry_proc, - void *pa_module_context, - void **pa_request_context) +static krb5_error_code +kdc_return_preauth(krb5_context context, krb5_pa_data *padata, + struct _krb5_db_entry_new *client, krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + struct _krb5_key_data *client_keys, + krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, void **pa_request_context) { krb5_error_code retval = 0; krb5_keyblock *challenge_key = *pa_request_context; @@ -338,7 +320,7 @@ static krb5_error_code kdc_return_preauth if (challenge_key == NULL) return 0; * pa_request_context = NULL; /*this function will free the - * challenge key*/ + * challenge key*/ enc.ciphertext.data = NULL; /* In case of error pass through */ retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); @@ -352,8 +334,8 @@ static krb5_error_code kdc_return_preauth retval = kaccess.encode_enc_data(&enc, &encoded); if (retval == 0) { pa = calloc(1, sizeof(krb5_pa_data)); - if (pa == NULL) - retval = ENOMEM; + if (pa == NULL) + retval = ENOMEM; } if (retval == 0) { pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; @@ -374,8 +356,8 @@ static krb5_error_code kdc_return_preauth return retval; } -static int kdc_preauth_flags -(krb5_context context, krb5_preauthtype patype) +static int +kdc_preauth_flags(krb5_context context, krb5_preauthtype patype) { return 0; } diff --git a/src/plugins/preauth/fast_factor.h b/src/plugins/preauth/fast_factor.h index 1e7696f02..0789c1ad1 100644 --- a/src/plugins/preauth/fast_factor.h +++ b/src/plugins/preauth/fast_factor.h @@ -1,53 +1,60 @@ -/*Returns success with a null armor_key if FAST is available but not in use. -Returns failure if the client library does not support FAST -*/ -static krb5_error_code fast_get_armor_key -(krb5_context context, preauth_get_client_data_proc get_data, - struct _krb5_preauth_client_rock *rock, - krb5_keyblock **armor_key) +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ + +/* + * Returns success with a null armor_key if FAST is available but not in use. + * Returns failure if the client library does not support FAST. + */ +static krb5_error_code +fast_get_armor_key(krb5_context context, preauth_get_client_data_proc get_data, + struct _krb5_preauth_client_rock *rock, + krb5_keyblock **armor_key) { krb5_error_code retval = 0; krb5_data *data; retval = get_data(context, rock, krb5plugin_preauth_client_fast_armor, &data); if (retval == 0) { - *armor_key = (krb5_keyblock *) data->data; - data->data = NULL; - get_data(context, rock, krb5plugin_preauth_client_free_fast_armor, - &data); + *armor_key = (krb5_keyblock *) data->data; + data->data = NULL; + get_data(context, rock, krb5plugin_preauth_client_free_fast_armor, + &data); } return retval; } -static krb5_error_code fast_kdc_get_armor_key -(krb5_context context, preauth_get_entry_data_proc get_entry, - krb5_kdc_req *request,struct _krb5_db_entry_new *client, - krb5_keyblock **armor_key) +static krb5_error_code +fast_kdc_get_armor_key(krb5_context context, + preauth_get_entry_data_proc get_entry, + krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + krb5_keyblock **armor_key) { krb5_error_code retval; krb5_data *data; - retval = get_entry(context, request, client, krb5plugin_preauth_fast_armor, - &data); - if (retval == 0) { - *armor_key = (krb5_keyblock *) data->data; - data->data = NULL; - get_entry(context, request, client, - krb5plugin_preauth_free_fast_armor, &data); - } - return retval; - } + retval = get_entry(context, request, client, krb5plugin_preauth_fast_armor, + &data); + if (retval == 0) { + *armor_key = (krb5_keyblock *) data->data; + data->data = NULL; + get_entry(context, request, client, + krb5plugin_preauth_free_fast_armor, &data); + } + return retval; +} - static krb5_error_code fast_kdc_replace_reply_key - (krb5_context context, preauth_get_entry_data_proc get_data, - krb5_kdc_req *request) - { - return 0; - } +static krb5_error_code +fast_kdc_replace_reply_key(krb5_context context, + preauth_get_entry_data_proc get_data, + krb5_kdc_req *request) +{ + return 0; +} -static krb5_error_code fast_set_kdc_verified -(krb5_context context, preauth_get_client_data_proc get_data, - struct _krb5_preauth_client_rock *rock) +static krb5_error_code +fast_set_kdc_verified(krb5_context context, + preauth_get_client_data_proc get_data, + struct _krb5_preauth_client_rock *rock) { return 0; } diff --git a/src/plugins/preauth/wpse/wpse_main.c b/src/plugins/preauth/wpse/wpse_main.c index 655f2b949..5576a0837 100644 --- a/src/plugins/preauth/wpse/wpse_main.c +++ b/src/plugins/preauth/wpse/wpse_main.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 2006 Red Hat, Inc. * All rights reserved. @@ -64,7 +65,7 @@ client_init(krb5_context kcontext, void **ctx) pctx = malloc(sizeof(int)); if (pctx == NULL) - return ENOMEM; + return ENOMEM; *pctx = 0; *ctx = pctx; return 0; @@ -86,22 +87,22 @@ client_fini(krb5_context kcontext, void *ctx) static krb5_error_code client_process(krb5_context kcontext, - void *plugin_context, - void *request_context, - krb5_get_init_creds_opt *opt, - preauth_get_client_data_proc client_get_data_proc, - struct _krb5_preauth_client_rock *rock, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, - krb5_pa_data *pa_data, - krb5_prompter_fct prompter, - void *prompter_data, - preauth_get_as_key_proc gak_fct, - void *gak_data, - krb5_data *salt, krb5_data *s2kparams, - krb5_keyblock *as_key, - krb5_pa_data ***out_pa_data) + void *plugin_context, + void *request_context, + krb5_get_init_creds_opt *opt, + preauth_get_client_data_proc client_get_data_proc, + struct _krb5_preauth_client_rock *rock, + krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, + krb5_pa_data *pa_data, + krb5_prompter_fct prompter, + void *prompter_data, + preauth_get_as_key_proc gak_fct, + void *gak_data, + krb5_data *salt, krb5_data *s2kparams, + krb5_keyblock *as_key, + krb5_pa_data ***out_pa_data) { krb5_pa_data **send_pa; krb5_int32 nnonce, enctype; @@ -111,58 +112,58 @@ client_process(krb5_context kcontext, #ifdef DEBUG fprintf(stderr, "%d bytes of preauthentication data (type %d)\n", - pa_data->length, pa_data->pa_type); + pa_data->length, pa_data->pa_type); #endif pctx = plugin_context; if (pctx) { - (*pctx)++; + (*pctx)++; } if (pa_data->length == 0) { - /* Create preauth data. */ - send_pa = malloc(2 * sizeof(krb5_pa_data *)); - if (send_pa == NULL) - return ENOMEM; - send_pa[1] = NULL; /* Terminate list */ - send_pa[0] = malloc(sizeof(krb5_pa_data)); - if (send_pa[0] == NULL) { - free(send_pa); - return ENOMEM; - } - send_pa[0]->pa_type = KRB5_PADATA_WPSE_REQ; - send_pa[0]->length = 4; - send_pa[0]->contents = malloc(4); - if (send_pa[0]->contents == NULL) { - free(send_pa[0]); - free(send_pa); - return ENOMEM; - } - /* Store the preauth data. */ - nnonce = htonl(request->nonce); - memcpy(send_pa[0]->contents, &nnonce, 4); - *out_pa_data = send_pa; + /* Create preauth data. */ + send_pa = malloc(2 * sizeof(krb5_pa_data *)); + if (send_pa == NULL) + return ENOMEM; + send_pa[1] = NULL; /* Terminate list */ + send_pa[0] = malloc(sizeof(krb5_pa_data)); + if (send_pa[0] == NULL) { + free(send_pa); + return ENOMEM; + } + send_pa[0]->pa_type = KRB5_PADATA_WPSE_REQ; + send_pa[0]->length = 4; + send_pa[0]->contents = malloc(4); + if (send_pa[0]->contents == NULL) { + free(send_pa[0]); + free(send_pa); + return ENOMEM; + } + /* Store the preauth data. */ + nnonce = htonl(request->nonce); + memcpy(send_pa[0]->contents, &nnonce, 4); + *out_pa_data = send_pa; } else { - /* A reply from the KDC. Conventionally this would be - * indicated by a different preauthentication type, but this - * mechanism/implementation doesn't do that. */ - if (pa_data->length > 4) { - memcpy(&enctype, pa_data->contents, 4); - kb = NULL; - status = krb5_init_keyblock(kcontext, ntohl(enctype), - pa_data->length - 4, &kb); - if (status != 0) - return status; - memcpy(kb->contents, pa_data->contents + 4, pa_data->length - 4); + /* A reply from the KDC. Conventionally this would be + * indicated by a different preauthentication type, but this + * mechanism/implementation doesn't do that. */ + if (pa_data->length > 4) { + memcpy(&enctype, pa_data->contents, 4); + kb = NULL; + status = krb5_init_keyblock(kcontext, ntohl(enctype), + pa_data->length - 4, &kb); + if (status != 0) + return status; + memcpy(kb->contents, pa_data->contents + 4, pa_data->length - 4); #ifdef DEBUG - fprintf(stderr, "Recovered key type=%d, length=%d.\n", - kb->enctype, kb->length); + fprintf(stderr, "Recovered key type=%d, length=%d.\n", + kb->enctype, kb->length); #endif - status = krb5_copy_keyblock_contents(kcontext, kb, as_key); - krb5_free_keyblock(kcontext, kb); - return status; - } - return KRB5KRB_ERR_GENERIC; + status = krb5_copy_keyblock_contents(kcontext, kb, as_key); + krb5_free_keyblock(kcontext, kb); + return status; + } + return KRB5KRB_ERR_GENERIC; } return 0; } @@ -185,7 +186,7 @@ client_req_init(krb5_context kcontext, void *plugin_context, void **req_context_ * do per-request cleanup. */ ctx = (wpse_req_ctx *) malloc(sizeof(*ctx)); if (ctx == NULL) - return; + return; ctx->magic = WPSE_MAGIC; ctx->value = 0xc0dec0de; @@ -199,31 +200,31 @@ client_req_cleanup(krb5_context kcontext, void *plugin_context, void *req_contex if (ctx) { #ifdef DEBUG - fprintf(stderr, "client_req_cleanup: req_ctx at %p has magic %x and value %x\n", - ctx, ctx->magic, ctx->value); + fprintf(stderr, "client_req_cleanup: req_ctx at %p has magic %x and value %x\n", + ctx, ctx->magic, ctx->value); #endif - if (ctx->magic != WPSE_MAGIC) { + if (ctx->magic != WPSE_MAGIC) { #ifdef DEBUG - fprintf(stderr, "client_req_cleanup: req_context at %p has bad magic value %x\n", - ctx, ctx->magic); + fprintf(stderr, "client_req_cleanup: req_context at %p has bad magic value %x\n", + ctx, ctx->magic); #endif - return; - } - free(ctx); + return; + } + free(ctx); } return; } static krb5_error_code client_gic_opt(krb5_context kcontext, - void *plugin_context, - krb5_get_init_creds_opt *opt, - const char *attr, - const char *value) + void *plugin_context, + krb5_get_init_creds_opt *opt, + const char *attr, + const char *value) { #ifdef DEBUG fprintf(stderr, "(wpse) client_gic_opt: received '%s' = '%s'\n", - attr, value); + attr, value); #endif return 0; } @@ -232,11 +233,11 @@ client_gic_opt(krb5_context kcontext, /* Free state. */ static krb5_error_code server_free_pa_request_context(krb5_context kcontext, void *plugin_context, - void **request_context) + void **request_context) { if (*request_context != NULL) { - free(*request_context); - *request_context = NULL; + free(*request_context); + *request_context = NULL; } return 0; } @@ -245,12 +246,12 @@ server_free_pa_request_context(krb5_context kcontext, void *plugin_context, * client) which matches type data->pa_type. */ static krb5_error_code server_get_edata(krb5_context kcontext, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - preauth_get_entry_data_proc server_get_entry_data, - void *pa_module_context, - krb5_pa_data *data) + krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc server_get_entry_data, + void *pa_module_context, + krb5_pa_data *data) { /* Return zero bytes of data. */ data->length = 0; @@ -261,16 +262,16 @@ server_get_edata(krb5_context kcontext, /* Verify a request from a client. */ static krb5_error_code server_verify(krb5_context kcontext, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, - krb5_pa_data *data, - preauth_get_entry_data_proc server_get_entry_data, - void *pa_module_context, - void **pa_request_context, - krb5_data **e_data, - krb5_authdata ***authz_data) + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *data, + preauth_get_entry_data_proc server_get_entry_data, + void *pa_module_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data) { krb5_int32 nnonce; krb5_data *test_edata; @@ -281,18 +282,18 @@ server_verify(krb5_context kcontext, #endif /* Verify the preauth data. */ if (data->length != 4) - return KRB5KDC_ERR_PREAUTH_FAILED; + return KRB5KDC_ERR_PREAUTH_FAILED; memcpy(&nnonce, data->contents, 4); nnonce = ntohl(nnonce); if (memcmp(&nnonce, &request->nonce, 4) != 0) - return KRB5KDC_ERR_PREAUTH_FAILED; + return KRB5KDC_ERR_PREAUTH_FAILED; /* Note that preauthentication succeeded. */ enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; enc_tkt_reply->flags |= TKT_FLG_HW_AUTH; /* Allocate a context. Useful for verifying that we do in fact do * per-request cleanup. */ if (*pa_request_context == NULL) - *pa_request_context = malloc(4); + *pa_request_context = malloc(4); /* * Return some junk authorization data just to exercise the @@ -334,8 +335,8 @@ server_verify(krb5_context kcontext, my_authz_data[0]->length = AD_ALLOC_SIZE; memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header)); snprintf(my_authz_data[0]->contents + sizeof(ad_header), - AD_ALLOC_SIZE - sizeof(ad_header), - "wpse authorization data: %d bytes worth!\n", AD_ALLOC_SIZE); + AD_ALLOC_SIZE - sizeof(ad_header), + "wpse authorization data: %d bytes worth!\n", AD_ALLOC_SIZE); *authz_data = my_authz_data; #ifdef DEBUG fprintf(stderr, "Returning %d bytes of authorization data\n", @@ -346,14 +347,14 @@ server_verify(krb5_context kcontext, /* Return edata to exercise code that handles edata... */ test_edata = malloc(sizeof(*test_edata)); if (test_edata != NULL) { - test_edata->data = malloc(20); - if (test_edata->data == NULL) { - free(test_edata); - } else { - test_edata->length = 20; - memset(test_edata->data, '#', 20); /* fill it with junk */ - *e_data = test_edata; - } + test_edata->data = malloc(20); + if (test_edata->data == NULL) { + free(test_edata); + } else { + test_edata->length = 20; + memset(test_edata->data, '#', 20); /* fill it with junk */ + *e_data = test_edata; + } } return 0; } @@ -361,17 +362,17 @@ server_verify(krb5_context kcontext, /* Create the response for a client. */ static krb5_error_code server_return(krb5_context kcontext, - krb5_pa_data *padata, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_kdc_rep *reply, - struct _krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc server_get_entry_data, - void *pa_module_context, - void **pa_request_context) + krb5_pa_data *padata, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_kdc_rep *reply, + struct _krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc server_get_entry_data, + void *pa_module_context, + void **pa_request_context) { /* This module does a couple of dumb things. It tags its reply with * the same type as the initial challenge (expecting the client to sort @@ -385,39 +386,39 @@ server_return(krb5_context kcontext, /* We'll want a key with the first supported enctype. */ for (i = 0; i < request->nktypes; i++) { - kb = NULL; - if (krb5_init_keyblock(kcontext, request->ktype[i], 0, &kb) == 0) { - break; - } + kb = NULL; + if (krb5_init_keyblock(kcontext, request->ktype[i], 0, &kb) == 0) { + break; + } } if (i >= request->nktypes) { - /* No matching cipher type found. */ - return 0; + /* No matching cipher type found. */ + return 0; } /* Randomize a key and save it for the client. */ if (krb5_c_make_random_key(kcontext, request->ktype[i], kb) != 0) { - krb5_free_keyblock(kcontext, kb); - return 0; + krb5_free_keyblock(kcontext, kb); + return 0; } #ifdef DEBUG fprintf(stderr, "Generated random key, type=%d, length=%d.\n", - kb->enctype, kb->length); + kb->enctype, kb->length); #endif *send_pa = malloc(sizeof(krb5_pa_data)); if (*send_pa == NULL) { - krb5_free_keyblock(kcontext, kb); - return ENOMEM; + krb5_free_keyblock(kcontext, kb); + return ENOMEM; } (*send_pa)->pa_type = KRB5_PADATA_WPSE_REQ; (*send_pa)->length = 4 + kb->length; (*send_pa)->contents = malloc(4 + kb->length); if ((*send_pa)->contents == NULL) { - free(*send_pa); - *send_pa = NULL; - krb5_free_keyblock(kcontext, kb); - return ENOMEM; + free(*send_pa); + *send_pa = NULL; + krb5_free_keyblock(kcontext, kb); + return ENOMEM; } /* Store the preauth data. */ @@ -444,17 +445,17 @@ static krb5_preauthtype supported_client_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0}; static krb5_preauthtype supported_server_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0}; struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = { - "wpse", /* name */ - &supported_client_pa_types[0], /* pa_type_list */ - NULL, /* enctype_list */ - client_init, /* plugin init function */ - client_fini, /* plugin fini function */ - client_get_flags, /* get flags function */ - client_req_init, /* request init function */ - client_req_cleanup, /* request fini function */ - client_process, /* process function */ - NULL, /* try_again function */ - client_gic_opt /* get init creds opts function */ + "wpse", /* name */ + &supported_client_pa_types[0], /* pa_type_list */ + NULL, /* enctype_list */ + client_init, /* plugin init function */ + client_fini, /* plugin fini function */ + client_get_flags, /* get flags function */ + client_req_init, /* request init function */ + client_req_cleanup, /* request fini function */ + client_process, /* process function */ + NULL, /* try_again function */ + client_gic_opt /* get init creds opts function */ }; struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = { -- 2.26.2