From 9ea7dbddd2e7bfc54650de3933fadc18bd27b6e9 Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Tue, 29 Aug 2006 19:52:38 +0000 Subject: [PATCH] Patch from Savitha R: ldap_util 1. Kdb5_ldap_util interface Removed supp enctypes, suppsalttypes from create realm and modify realm since they are currently not used 2. memset passwd strings to zero when not used any more 3. Using krb5_sname_to_principal in place of gethostbyname while creating the kadmin principal with hostname. libkdb_ldap 1. Added mandatory functions which were missing in the LDAP plug-in 2. Error handling changes - Setting the error message in the kerberos context when decryption of the service passwd fails or connection to the LDAP server fails during initialization. Additional changes: libkdb_ldap: Link against com_err library, to provide error_message(). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18548 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/error_tables/kdb5_err.et | 1 + src/plugins/kdb/ldap/ldap_exp.c | 18 +- .../kdb/ldap/ldap_util/kdb5_ldap_realm.c | 431 +----------------- .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 24 +- .../kdb/ldap/ldap_util/kdb5_ldap_util.M | 52 +-- .../kdb/ldap/ldap_util/kdb5_ldap_util.c | 10 +- src/plugins/kdb/ldap/libkdb_ldap/Makefile.in | 2 +- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 1 + src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 21 + .../kdb/ldap/libkdb_ldap/kdb_ldap_conn.c | 6 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 49 ++ .../kdb/ldap/libkdb_ldap/ldap_principal2.c | 7 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c | 18 + src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h | 7 +- .../kdb/ldap/libkdb_ldap/ldap_service_stash.c | 39 +- .../kdb/ldap/libkdb_ldap/ldap_service_stash.h | 5 + .../kdb/ldap/libkdb_ldap/libkdb_ldap.exports | 8 + 17 files changed, 204 insertions(+), 495 deletions(-) diff --git a/src/lib/krb5/error_tables/kdb5_err.et b/src/lib/krb5/error_tables/kdb5_err.et index d6014acec..953fff328 100644 
--- a/src/lib/krb5/error_tables/kdb5_err.et +++ b/src/lib/krb5/error_tables/kdb5_err.et @@ -75,6 +75,7 @@ ec KRB5_KDB_SERVER_INTERNAL_ERR, "Server error" ec KRB5_KDB_ACCESS_ERROR, "Unable to access Kerberos database" ec KRB5_KDB_INTERNAL_ERROR, "Kerberos database internal error" ec KRB5_KDB_CONSTRAINT_VIOLATION, "Kerberos database constraints violated" +ec KRB5_KDB_PLUGIN_OP_NOTSUPP, "Plugin does not support the operaton" end diff --git a/src/plugins/kdb/ldap/ldap_exp.c b/src/plugins/kdb/ldap/ldap_exp.c index 15aea0a60..6c5a37077 100644 --- a/src/plugins/kdb/ldap/ldap_exp.c +++ b/src/plugins/kdb/ldap/ldap_exp.c @@ -40,6 +40,7 @@ #include "ldap_principal.h" #include "ldap_pwd_policy.h" + /* * Exposed API */ @@ -51,12 +52,12 @@ kdb_vftabl kdb_function_table = { /* fini_library */ krb5_ldap_lib_cleanup, /* init_module */ krb5_ldap_open, /* fini_module */ krb5_ldap_close, - /* db_create */ NULL, - /* db_destroy */ NULL, + /* db_create */ krb5_ldap_create_realm_1, + /* db_destroy */ krb5_ldap_delete_realm_1, /* db_get_age */ krb5_ldap_db_get_age, - /* db_set_option */ NULL, - /* db_lock */ NULL, - /* db_unlock */ NULL, + /* db_set_option */ krb5_ldap_set_option, + /* db_lock */ krb5_ldap_lock, + /* db_unlock */ krb5_ldap_unlock, /* db_get_principal */ krb5_ldap_get_principal, /* db_free_principal */ krb5_ldap_free_principal, /* db_put_principal */ krb5_ldap_put_principal, 
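Review bot: The new message in the kdb5_err.et hunk misspells "operation": `ec KRB5_KDB_PLUGIN_OP_NOTSUPP, "Plugin does not support the operaton"`. This string is what error_message() returns for the code and what the new ldap_misc.c stubs format into krb5_set_error_message(), so the typo will surface verbatim in every kdb5_ldap_util error report and in anyone's log searches; change it to `ec KRB5_KDB_PLUGIN_OP_NOTSUPP, "Plugin does not support the operation"` before it ships and becomes a compatibility string.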
@@ -68,11 +69,12 @@ kdb_vftabl kdb_function_table = { /* db_iter_policy */ krb5_ldap_iterate_password_policy, /* db_delete_policy */ krb5_ldap_delete_password_policy, /* db_free_policy */ krb5_ldap_free_password_policy, - /* db_supported_realms */ NULL, - /* db_free_supported_realms */ NULL, - /* errcode_2_string */ NULL, + /* db_supported_realms */ krb5_ldap_supported_realms, + /* db_free_supported_realms */ krb5_ldap_free_supported_realms, + /* errcode_2_string */ krb5_ldap_errcode_2_string, /* db_alloc */ krb5_ldap_alloc, /* db_free */ krb5_ldap_free, + /* optional functions */ /* set_master_key */ krb5_ldap_set_mkey, /* get_master_key */ krb5_ldap_get_mkey, /* setup_master_key_name */ NULL, diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c index 2c62522af..55b0690ec 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c 
@@ -427,91 +427,6 @@ void kdb5_ldap_create(argc, argv) mask |= LDAP_REALM_PASSWDSERVERS; } #endif - else if (!strcmp(argv[i], "-enctypes")) { - char *tlist[MAX_LIST_ENTRIES] = {NULL}; - - if (++i > argc-1) - goto err_usage; - rparams->suppenctypes = (krb5_enctype *)malloc( - sizeof(krb5_enctype) * MAX_LIST_ENTRIES); - if (rparams->suppenctypes == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->suppenctypes, 0, sizeof(krb5_enctype) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, tlist)) != 0) { - goto cleanup; - } - for(j = 0; tlist[j] != NULL; j++) { - if ((retval = krb5_string_to_enctype(tlist[j], - &rparams->suppenctypes[j]))) { - com_err(argv[0], retval, "Invalid encryption type '%s'", - tlist[j]); - krb5_free_list_entries(tlist); - goto err_nomsg; - } - } - rparams->suppenctypes[j] = END_OF_LIST; - qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype), - compare_int); - mask |= LDAP_REALM_SUPPENCTYPE; - krb5_free_list_entries(tlist); - } - else if (!strcmp(argv[i], "-defenctype")) { - if (++i > argc-1) - goto err_usage; - if ((retval = krb5_string_to_enctype(argv[i], - &rparams->defenctype))) { - com_err(argv[0], retval, "'%s' specified for defenctype, " - "while creating realm '%s'", - argv[i], global_params.realm); - goto err_nomsg; - } - mask |= LDAP_REALM_DEFENCTYPE; - } - else if (!strcmp(argv[i], "-salttypes")) { - char *tlist[MAX_LIST_ENTRIES] = {NULL}; - - if (++i > argc-1) - goto err_usage; - rparams->suppsalttypes = (krb5_int32 *)malloc( - sizeof(krb5_int32) * MAX_LIST_ENTRIES); - if (rparams->suppsalttypes == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->suppsalttypes, 0, sizeof(krb5_int32) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, tlist))) { - goto cleanup; - } - for(j = 0; tlist[j] != NULL; j++) { - if ((retval = krb5_string_to_salttype(tlist[j], - &rparams->suppsalttypes[j]))) { - com_err(argv[0], retval, "'%s' specified for salttypes, " - 
"while creating realm '%s'", - tlist[j], global_params.realm); - krb5_free_list_entries(tlist); - goto err_nomsg; - } - } - rparams->suppsalttypes[j] = END_OF_LIST; - qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32), - compare_int); - mask |= LDAP_REALM_SUPPSALTTYPE; - krb5_free_list_entries(tlist); - } - else if (!strcmp(argv[i], "-defsalttype")) { - if (++i > argc-1) - goto err_usage; - if ((retval = krb5_string_to_salttype(argv[i], - &rparams->defsalttype))) { - com_err(argv[0], retval, "'%s' specified for defsalttype, " - "while creating realm '%s'", - argv[i], global_params.realm); - goto err_nomsg; - } - mask |= LDAP_REALM_DEFSALTTYPE; - } else if (!strcmp(argv[i], "-s")) { do_stash = 1; } 
@@ -530,43 +445,6 @@ void kdb5_ldap_create(argc, argv) * default values and also add to the list of supported * enctypes/salttype */ - if ( !(mask & LDAP_REALM_DEFENCTYPE) && (rparams != NULL)) { - rparams->defenctype = ENCTYPE_DES3_CBC_SHA1; - mask |= LDAP_REALM_DEFENCTYPE; - printf("Default enctype not specified: \"des3-cbc-sha1\" " - "will be added as the default enctype and to the " - "list of supported enctypes.\n"); - - /* Now, add this to the list of supported enctypes. The - * duplicate values will be removed in DAL-LDAP - */ - if (mask & LDAP_REALM_SUPPENCTYPE) { - for (i=0; rparams->suppenctypes[i] != END_OF_LIST; i++) - ; - assert (i < END_OF_LIST - 1); - rparams->suppenctypes[i] = ENCTYPE_DES3_CBC_SHA1; - rparams->suppenctypes[i + 1] = END_OF_LIST; - } - } - - if ( !(mask & LDAP_REALM_DEFSALTTYPE) && (rparams != NULL)) { - rparams->defsalttype = KRB5_KDB_SALTTYPE_NORMAL; - mask |= LDAP_REALM_DEFSALTTYPE; - printf("Default salttype not specified: \"normal\" will be " - "added as the default salttype and to the list of " - "supported salttypes.\n"); - - /* Now, add this to the list of supported salttypes. The - * duplicate values will be removed in DAL-LDAP - */ - if (mask & LDAP_REALM_SUPPSALTTYPE) { - for (i=0; rparams->suppsalttypes[i] != END_OF_LIST; i++) - ; - assert (i < END_OF_LIST - 1); - rparams->suppsalttypes[i] = KRB5_KDB_SALTTYPE_NORMAL; - rparams->suppsalttypes[i + 1] = END_OF_LIST; - } - } rblock.max_life = global_params.max_life; rblock.max_rlife = global_params.max_rlife; @@ -761,7 +639,7 @@ void kdb5_ldap_create(argc, argv) /* Create special principals inside the realm subtree */ { - char princ_name[MAX_PRINC_SIZE], localname[MAXHOSTNAMELEN]; + char princ_name[MAX_PRINC_SIZE]; struct hostent *hp = NULL; krb5_principal_data tgt_princ = { 0, /* magic number */ 
@@ -770,7 +648,7 @@ void kdb5_ldap_create(argc, argv) 2, /* int length */ KRB5_NT_SRV_INST /* int type */ }; - krb5_principal p; + krb5_principal p, temp_p=NULL; krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm); krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm)); 
@@ -842,31 +720,32 @@ void kdb5_ldap_create(argc, argv) krb5_free_principal(util_context, p); /* Create 'kadmin/' ... */ - if (gethostname(localname, sizeof(localname))) { - retval = errno; - com_err(argv[0], retval, "gethostname, while adding entries to the database"); - goto err_nomsg; + if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) { + com_err(argv[0], retval, "krb5_sname_to_principal, while adding entries to the database"); + goto err_nomsg; } - hp = gethostbyname(localname); - if (hp == NULL) { - retval = errno; - com_err(argv[0], retval, "gethostbyname, while adding entries to the database"); - goto err_nomsg; + + if((retval=krb5_copy_principal(util_context, p, &temp_p))) { + com_err(argv[0], retval, "krb5_copy_principal, while adding entries to the database"); + goto err_nomsg; } - assert (sizeof(princ_name) >= strlen(hp->h_name) + strlen(global_params.realm) + 9); - /* snprintf(princ_name, MAXHOSTNAMELEN + 8, "kadmin/%s", hp->h_name); */ - snprintf(princ_name, sizeof(princ_name), "kadmin/%s@%s", hp->h_name, global_params.realm); - if ((retval = krb5_parse_name(util_context, princ_name, &p))) { - com_err(argv[0], retval, "while adding entries to the database"); - goto err_nomsg; + + /* change the realm portion to the default realm */ + free( temp_p->realm.data ); + temp_p->realm.length = strlen( util_context->default_realm ); + temp_p->realm.data = strdup( util_context->default_realm ); + if( temp_p->realm.data == NULL ) { + com_err(argv[0], ENOMEM, "while adding entries to the database"); + goto err_nomsg; } rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; - if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { + if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) { krb5_free_principal(util_context, p); com_err(argv[0], retval, "while adding entries to the database"); goto err_nomsg; } + krb5_free_principal(util_context, temp_p); krb5_free_principal(util_context, 
p); if (ldap_context->lrparams->subtree != NULL) 
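Review bot: The kadmin principal's realm is now taken from `util_context->default_realm`, whereas the code being replaced built `kadmin/<host>@<global_params.realm>`; unless main() already sets the context's default realm from `-r` (not visible here), running the tool for a realm other than the default appears to create the kadmin principal in the wrong realm, and if no default realm is configured `strlen(util_context->default_realm)` dereferences NULL. If the realm rewrite is needed at all, copying `global_params.realm` instead (`temp_p->realm.length = strlen(global_params.realm); temp_p->realm.data = strdup(global_params.realm);`) keeps the previous behaviour. The new error paths also leak: `p` is never freed when krb5_copy_principal or strdup fails, `temp_p` is not freed when kdb_ldap_create_principal fails, and the strdup failure branch never stores ENOMEM into `retval`, so the existing `krb5_free_principal(util_context, p)` before the com_err should be joined by `krb5_free_principal(util_context, temp_p)` and the two earlier `goto err_nomsg` branches need the same cleanup. The now-unused `struct hostent *hp = NULL` from the @@ -761 hunk can go too, and the comment left above `rblock.max_life` at the @@ -530 hunk now describes code that was deleted. kdb5_ldap_create continues outside the hunk.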
@@ -1472,220 +1351,6 @@ void kdb5_ldap_modify(argc, argv) } } #endif - else if (!strcmp(argv[i], "-enctypes")) { - if (++i > argc-1) - goto err_usage; - if (rmask & LDAP_REALM_SUPPENCTYPE) - free(rparams->suppenctypes); - rparams->suppenctypes = (krb5_enctype *)malloc( - sizeof(krb5_enctype) * MAX_LIST_ENTRIES); - if (rparams->suppenctypes == NULL) { - retval = ENOMEM; - goto cleanup; - } - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - for(j = 0; list[j] != NULL; j++) { - if ((retval = krb5_string_to_enctype(list[j], - &rparams->suppenctypes[j]))) { - com_err(argv[0], retval, "'%s' specified for enctypes, " - "while modifying information of realm '%s'", - list[j], global_params.realm); - goto err_nomsg; - } - } - rparams->suppenctypes[j] = END_OF_LIST; - qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype), - compare_int); - mask |= LDAP_REALM_SUPPENCTYPE; - /* Going to replace the existing value by this new value. Hence - * setting flag indicating that add or clear options will be ignored - */ - newenctypes = 1; - krb5_free_list_entries(list); - } - else if (!strcmp(argv[i], "-clearenctypes")) { - if (++i > argc-1) - goto err_usage; - if ((!newenctypes) && (rparams->suppenctypes != NULL)) { - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - memset(tlist, END_OF_LIST, sizeof(int) * MAX_LIST_ENTRIES); - for(j = 0; list[j] != NULL; j++) { - if ((retval = krb5_string_to_enctype(list[j], &tlist[j]))) { - com_err(argv[0], retval, "'%s' specified for clearenctypes, " - "while modifying information of realm '%s'", - list[j], global_params.realm); - goto err_nomsg; - } - } - tlist[j] = END_OF_LIST; - j = list_modify_int_array(rparams->suppenctypes, (const int*)tlist, - LIST_MODE_DELETE); - qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype), - compare_int); - mask |= LDAP_REALM_SUPPENCTYPE; - krb5_free_list_entries(list); - } - } - else if (!strcmp(argv[i], "-addenctypes")) { - if 
(++i > argc-1) - goto err_usage; - if (!newenctypes) { - int *tmp; - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - existing_entries = list_count_int_array(rparams->suppenctypes); - list_entries = list_count_str_array(list); - - tmp = (krb5_enctype *) realloc (rparams->suppenctypes, - sizeof(krb5_enctype) * (existing_entries+list_entries+1)); - if (tmp == NULL) { - retval = ENOMEM; - goto cleanup; - } - rparams->suppenctypes = tmp; - - for(j = 0; list[j] != NULL; j++) { - if ((retval = krb5_string_to_enctype(list[j], &tlist[j]))) { - com_err(argv[0], retval, "'%s' specified for addenctypes, " - "while modifying information of realm '%s'", - list[j], global_params.realm); - goto err_nomsg; - } - } - tlist[j] = END_OF_LIST; - - j = list_modify_int_array(rparams->suppenctypes, (const int*)tlist, - LIST_MODE_ADD); - qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype), - compare_int); - mask |= LDAP_REALM_SUPPENCTYPE; - krb5_free_list_entries(list); - } - } - else if (!strcmp(argv[i], "-defenctype")) { - if (++i > argc-1) - goto err_usage; - if ((retval = krb5_string_to_enctype(argv[i], - &rparams->defenctype))) { - com_err(argv[0], retval, "'%s' specified for defenctype, " - "while modifying information of realm '%s'", - argv[i], global_params.realm); - goto err_nomsg; - } - mask |= LDAP_REALM_DEFENCTYPE; - } - else if (!strcmp(argv[i], "-salttypes")) { - if (++i > argc-1) - goto err_usage; - if (rmask & LDAP_REALM_SUPPSALTTYPE) - free(rparams->suppsalttypes); - rparams->suppsalttypes = (krb5_int32 *)malloc( - sizeof(krb5_int32) * MAX_LIST_ENTRIES); - if (rparams->suppsalttypes == NULL) { - retval = ENOMEM; - goto cleanup; - } - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - for(j = 0; list[j] != NULL; j++) { - if ((retval = krb5_string_to_salttype(list[j], - &rparams->suppsalttypes[j]))) { - com_err(argv[0], retval, "'%s' specified for salttypes, " - "while modifying information of 
realm '%s'", - list[j], global_params.realm); - goto err_nomsg; - } - } - rparams->suppsalttypes[j] = END_OF_LIST; - qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32), - compare_int); - mask |= LDAP_REALM_SUPPSALTTYPE; - /* Going to replace the existing value by this new value. Hence - * setting flag indicating that add or clear options will be ignored - */ - newsalttypes = 1; - krb5_free_list_entries(list); - } - else if (!strcmp(argv[i], "-clearsalttypes")) { - if (++i > argc-1) - goto err_usage; - if ((!newsalttypes) && (rparams->suppsalttypes != NULL)) { - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - for(j = 0; list[j] != NULL; j++) { - if ((retval = krb5_string_to_salttype(list[j], &tlist[j]))) { - com_err(argv[0], retval, "'%s' specified for clearsalttypes, " - "while modifying information of realm '%s'", - list[j], global_params.realm); - goto err_nomsg; - } - } - tlist[j] = END_OF_LIST; - j = list_modify_int_array(rparams->suppsalttypes, (const int*)tlist, - LIST_MODE_DELETE); - qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32), - compare_int); - mask |= LDAP_REALM_SUPPSALTTYPE; - krb5_free_list_entries(list); - } - } - else if (!strcmp(argv[i], "-addsalttypes")) { - if (++i > argc-1) - goto err_usage; - if (!newsalttypes) { - int *tmp; - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - existing_entries = list_count_int_array(rparams->suppsalttypes); - list_entries = list_count_str_array(list); - - tmp = (krb5_int32 *) realloc (rparams->suppsalttypes, - sizeof(krb5_int32) * (existing_entries+list_entries+1)); - if (tmp == NULL) { - retval = ENOMEM; - goto cleanup; - } - rparams->suppsalttypes = tmp; - - for(j = 0; list[j] != NULL; j++) { - if ((retval = krb5_string_to_salttype(list[j], &tlist[j]))) { - com_err(argv[0], retval, "'%s' specified for addsalttypes, " - "while modifying information of realm '%s'", - list[j], global_params.realm); - goto err_nomsg; - } - } 
- tlist[j] = END_OF_LIST; - j = list_modify_int_array(rparams->suppsalttypes, (const int*)tlist, - LIST_MODE_ADD); - qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32), - compare_int); - mask |= LDAP_REALM_SUPPSALTTYPE; - krb5_free_list_entries(list); - } - } - else if (!strcmp(argv[i], "-defsalttype")) { - if (++i > argc-1) - goto err_usage; - if ((retval = krb5_string_to_salttype(argv[i], - &rparams->defsalttype))) { - com_err(argv[0], retval, "'%s' specified for defsalttype, " - "while modifying information of realm '%s'", - argv[i], global_params.realm); - goto err_nomsg; - } - mask |= LDAP_REALM_DEFSALTTYPE; - } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { mask|=ret_mask; 
@@ -2169,50 +1834,6 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) if (num_entry_printed == 0) printf("\n"); } - if (mask & LDAP_REALM_SUPPENCTYPE) { - printf("%25s:", "Supported Enc Types"); - if (rparams->suppenctypes != NULL) { - num_entry_printed = 0; - for(tmplist = rparams->suppenctypes; *tmplist != END_OF_LIST; - tmplist++) { - retval = krb5_enctype_to_string(*tmplist, buff, BUFF_LEN); - if (retval == 0) { - if (num_entry_printed) - printf(" %25s %-50s\n", " ", buff); - else - printf(" %-50s\n", buff); - num_entry_printed++; - } - } - } - if (num_entry_printed == 0) - printf("\n"); - } - if (mask & LDAP_REALM_DEFENCTYPE) { - retval = krb5_enctype_to_string(rparams->defenctype, buff, BUFF_LEN); - if (retval == 0) { - printf("%25s: %-50s\n", "Default Enc Type", buff); - } - } - if (mask & LDAP_REALM_SUPPSALTTYPE) { - printf("%25s:", "Supported Salt Types"); - if (rparams->suppsalttypes != NULL) { - num_entry_printed = 0; - for(tmplist = rparams->suppsalttypes; *tmplist != END_OF_LIST; - tmplist++) { - retval = krb5_salttype_to_string(*tmplist, buff, BUFF_LEN); - if (retval == 0) { - if (num_entry_printed) - printf(" %25s %-50s\n", " ", buff); - else - printf(" %-50s\n", buff); - num_entry_printed++; - } - } - } - if (num_entry_printed == 0) - printf("\n"); - } if (mask & LDAP_REALM_MAXTICKETLIFE) { printf("%25s:", "Maximum Ticket Life"); printf(" %s \n", strdur(rparams->max_life)); @@ -2222,10 +1843,11 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) printf("%25s:", "Maximum Renewable Life"); printf(" %s \n", strdur(rparams->max_renewable_life)); } - printf("%25s: ", "Ticket flags"); - if (mask & LDAP_POLICY_TKTFLAGS) { + + if (mask & LDAP_REALM_KRBTICKETFLAGS) { int ticketflags = rparams->tktflags; + printf("%25s: ", "Ticket flags"); if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED) printf("%s ","DISALLOW_POSTDATED"); 
@@ -2261,16 +1883,9 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE) printf("%s ","PWCHANGE_SERVICE"); - } - if (mask & LDAP_REALM_DEFSALTTYPE) { - retval = krb5_salttype_to_string(rparams->defsalttype, buff, BUFF_LEN); - if (retval == 0) { - printf("\n%25s: %-50s\n", "Default Salt Type", buff); - } + printf("\n"); } - /* if (mask & LDAP_REALM_POLICYREFERENCE) - printf("%25s: %-50s\n", "Policy Reference", rparams->policyreference);*/ return; diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c index 69e3b7694..1ce08feb2 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c @@ -1743,9 +1743,12 @@ kdb5_ldap_set_service_password(argc, argv) errcode = tohex(pwd, &hex); if (errcode != 0) { - if(hex.length != 0) + if(hex.length != 0) { + memset(hex.data, 0, hex.length); free(hex.data); + } com_err(me, errcode, "Failed to convert the password to hex"); + memset(passwd, 0, passwd_len); goto cleanup; } /* Password = {CRYPT}: */ @@ -1754,6 +1757,7 @@ kdb5_ldap_set_service_password(argc, argv) if (encrypted_passwd.value == NULL) { com_err(me, ENOMEM, "while setting service object password"); memset(passwd, 0, passwd_len); + memset(hex.data, 0, hex.length); free(hex.data); goto cleanup; } @@ -1761,6 +1765,8 @@ kdb5_ldap_set_service_password(argc, argv) 1 + 5 + hex.length + 1] = '\0'; sprintf((char *)encrypted_passwd.value, "%s#{HEX}%s\n", service_object, hex.data); encrypted_passwd.len = strlen((char *)encrypted_passwd.value); + memset(hex.data, 0, hex.length); + free(hex.data); } /* We should check if the file exists and we have permission to write into that file */ 
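Review bot: The `memset(hex.data, 0, hex.length)` calls added before each `free(hex.data)` in the @@ -1743, @@ -1754 and @@ -1765 hunks are dead stores as far as the compiler is concerned and can be elided at -O2, so the hex-encoded service password may still be left in freed heap memory; a wipe that cannot be optimised away (a volatile function-pointer memset, or the tree's own secure-wipe helper if one exists) is needed for the intended effect, and the same applies to the `memset(passwd, 0, passwd_len)` calls. In the @@ -1765 hunk `hex.data` is freed on the success path but not reset, so if the `cleanup:` label (outside this hunk) also releases `hex.data` this becomes a double free; follow the free with `hex.data = NULL; hex.length = 0;`. kdb5_ldap_set_service_password continues outside the hunk.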
@@ -1912,8 +1918,10 @@ cleanup: if (passwd) free(passwd); - if (encrypted_passwd.value) + if (encrypted_passwd.value) { + memset(encrypted_passwd.value, 0, encrypted_passwd.len); free(encrypted_passwd.value); + } if (pfile) fclose(pfile); @@ -1949,6 +1957,7 @@ kdb5_ldap_stash_service_password(argc, argv) FILE *pfile = NULL; krb5_boolean print_usage = FALSE; krb5_data hexpasswd = {0, 0, NULL}; + mode_t old_mode = 0; /* * Format: @@ -2047,16 +2056,17 @@ done: ret = tohex(pwd, &hexpasswd); if(ret != 0){ - if(hexpasswd.length != 0) - free(hexpasswd.data); com_err(me, ret, "Failed to convert the password to hexadecimal"); + memset(passwd, 0, passwd_len); goto cleanup; } } + memset(passwd, 0, passwd_len); /* TODO: file lock for the service passowrd file */ /* set password in the file */ + old_mode = umask(0177); pfile = fopen(file_name, "a+"); if (pfile == NULL) { com_err(me, errno, "Failed to open file %s: %s", file_name, @@ -2064,6 +2074,7 @@ done: goto cleanup; } rewind (pfile); + umask(old_mode); while (fgets (line, MAX_LEN, pfile) != NULL) { if ((str = strstr (line, service_object)) != NULL) { @@ -2162,6 +2173,11 @@ done: cleanup: + if(hexpasswd.length != 0) { + memset(hexpasswd.data, 0, hexpasswd.length); + free(hexpasswd.data); + } + if (service_object) free(service_object); diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M index 20dc3e726..5ff7615f1 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M 
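Review bot: In the @@ -2047 hunk the umask is set to 0177 before `fopen(file_name, "a+")` but restored only in the @@ -2064 hunk after `rewind`, so the `if (pfile == NULL) { ... goto cleanup; }` path leaves the process umask at 0177 for the rest of the run; restore it right after the fopen, before the NULL check: `pfile = fopen(file_name, "a+"); umask(old_mode); if (pfile == NULL) {`. Note also that umask only influences a file being created: an existing stash file that is already group- or world-readable keeps its mode, so if the restriction is a requirement rather than a best effort the code should check the mode of the opened file (fstat on fileno(pfile)) or apply it explicitly. kdb5_ldap_stash_service_password continues outside the hunk.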
@@ -29,7 +29,7 @@ a Kerberos realm. Specifies the SSL port number of the LDAP server. .SH COMMANDS .TP -\fBcreate\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-enctypes\fP\ \fIsupported_enc_types\fP] [\fB\-defenctype\fP\ \fIdefault_enc_type\fP] [\fB\-salttypes\fP\ \fIsupported_salt_types\fP] [\fB\-defsalttype\fP\ \fIdefault_salt_type\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-m\fP|\fB\-P\fP\ \fIpassword\fP|\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP] [\fB\-admindn\fP\ \fIadmin_service_list\fP] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] +\fBcreate\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-m\fP|\fB\-P\fP\ \fIpassword\fP|\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP] [\fB\-admindn\fP\ \fIadmin_service_list\fP] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] Creates realm in directory. Options: .RS .TP 
@@ -41,18 +41,6 @@ Specifies the scope for searching the principals under the .IR subtree . The possible values are 1 or one (one level), 2 or sub (subtree). .TP -\fB\-enctypes\fP\ \fIsupported_enc_types\fP -Specifies the encryption types supported by the realm. This is a colon-separated list. -.TP -\fB\-defenctype\fP\ \fIdefault_enc_type\fP -Specifies the default encryption type for the realm. This is also a part of supported enctypes list. -.TP -\fB\-salttypes\fP\ \fIsupported_salt_types\fP -Specifies the salt types supported by the realm. This is a colon-separated list. -.TP -\fB\-defsalttype\fP\ \fIdefault_salt_type\fP -Specifies the default salt types for the realm. -.TP \fB\-k\fP\ \fImkeytype\fP Specifies the key type of the master key in the database; the default is that given in 
@@ -235,7 +223,7 @@ Re-enter KDC database master key to verify: .RE .TP -\fBmodify\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-enctypes\fP\ \fIsupported_enc_types\fP | [\fB\-clearenctypes\fP\ \fIenc_type_list\fP] [\fB\-addenctypes\fP\ \fIenc_type_list\fP]] [\fB\-defenctype\fP\ \fIdefault_enc_type\fP] [\fB\-salttypes\fP\ \fIsupported_salt_types\fP | [\fB\-clearsalttypes\fP\ \fIsalt_type_list\fP] [\fB\-addsalttypes\fP\ \fIsalt_type_list\fP]] [\fB\-defsalttype\fP\ \fIdefault_salt_type\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP] [\fB\-addkdcdn\fP\ \fIkdc_service_list\fP]] [\fB\-admindn\fP\ \fIadmin_service_list\fP | [\fB\-clearadmindn\fP\ \fIadmin_service_list\fP] [\fB\-addadmindn\fP\ \fIadmin_service_list\fP]] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP | [\fB\-clearpwddn\fP\ \fIpasswd_service_list\fP] [\fB\-addpwddn\fP\ \fIpasswd_service_list\fP]] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] +\fBmodify\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP] [\fB\-addkdcdn\fP\ \fIkdc_service_list\fP]] [\fB\-admindn\fP\ \fIadmin_service_list\fP | [\fB\-clearadmindn\fP\ \fIadmin_service_list\fP] [\fB\-addadmindn\fP\ \fIadmin_service_list\fP]] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP | [\fB\-clearpwddn\fP\ \fIpasswd_service_list\fP] [\fB\-addpwddn\fP\ \fIpasswd_service_list\fP]] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] Modifies the attributes of a realm. Options: .RS 
@@ -248,34 +236,6 @@ Specifies the scope for searching the principals under the .IR subtree . The possible values are 1 or one (one level), 2 or sub (subtree). .TP -\fB\-enctypes\fP\ \fIsupported_enc_types\fP -Specifies the encryption types supported by the realm. This is a colon-separated list. -.TP -\fB\-clearenctypes\fP\ \fIenc_type_list\fP -Specifies the encryption types that need to be removed from the supported encryption types -of the realm. This is a colon-separated list. -.TP -\fB\-addenctypes\fP\ \fIenc_type_list\fP -Specifies the encryption types that need to be added to the supported encryption types of the -realm. This is a colon-separated list. -.TP -\fB\-defenctype\fP\ \fIdefault_enc_type\fP -Specifies the default encryption type for the realm. -.TP -\fB\-salttypes\fP\ \fIsupported_salt_types\fP -Specifies the salt types supported by the realm. This is a colon-separated list. -.TP -\fB\-clearsalttypes\fP\ \fIsalt_type_list\fP -Specifies the salt types that need to be removed from the supported salt types of the realm. -This is a colon-separated list. -.TP -\fB\-addsalttypes\fP\ \fIsalt_type_list\fP -Specifies the salt types that need to be added to the supported salt types of the realm. This -is a colon-separated list. -.TP -\fB\-defsalttype\fP\ \fIdefault_salt_type\fP -Specifies the default salt type for the realm. -.TP \fB\-maxtktlife\fP\ \fImax_ticket_life\fP Specifies maximum ticket life for principals in this realm. .TP @@ -476,14 +436,6 @@ Password for "cn=admin,o=org": Realm Name: ATHENA.MIT.EDU Subtree: ou=users,o=org SearchScope: ONE - Supported Enc Types: DES cbc mode with RSA-MD5 - Triple DES cbc mode with HMAC/sha1 - Default Enc Type: Triple DES cbc mode with HMAC/sha1 - Supported Salt Types: Version 5 - Version 4 - Special - AFS version 3 - Default Salt Type: Version 5 Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE 
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c index 889151531..4b07b2754 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c @@ -107,7 +107,7 @@ krb5_boolean manual_mkey = FALSE; void usage() { fprintf(stderr, "Usage: " -"kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]\n" +"kdb5_ldap_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]\n" "\tcmd [cmd_options]\n" /* Create realm */ @@ -116,8 +116,6 @@ void usage() "\t\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n" "\t\t[-pwddn passwd_service_list]\n" #endif -"\t\t[-enctypes supported_enc_types] [-defenctype default_enc_type]\n" -"\t\t[-salttypes supported_salt_types] [-defsalttype default_salt_type]\n" "\t\t[-m|-P password|-sf stashfilename] [-k mkeytype]\n" "\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" "\t\t[ticket_flags] [-r realm]\n" @@ -131,10 +129,6 @@ void usage() "\t\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n" "\t\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n" #endif -"\t\t[-enctypes supported_enc_types | [-clearenctypes enc_type_list]\n" -"\t\t[-addenctypes enc_type_list]] [-defenctype default_enc_type]\n" -"\t\t[-salttypes supported_salt_types | [-clearsalttypes salt_type_list]\n" -"\t\t[-addsalttypes salt_type_list]] [-defsalttype default_salt_type]\n" "\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" "\t\t[ticket_flags] [-r realm]\n" /* View realm */ @@ -508,6 +502,8 @@ int main(argc, argv) goto cleanup; } + ldap_context->kcontext = util_context; + /* If LDAP parameters are specified, replace them with the values from config */ if (ldapmask & CMD_LDAP_D) { /* If password is not specified, prompt for it */ 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in index 1b650c530..c6cec5752 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in +++ b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in @@ -31,7 +31,7 @@ SHLIB_EXPDEPS = \ $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ $(SUPPORT_DEPLIB) \ $(TOPLIBD)/libkrb5$(SHLIBEXT) -SHLIB_EXPLIBS= $(GSSRPC_LIBS) -lkrb5 -lk5crypto $(SUPPORT_LIB) -lldap -llber $(LIBS) +SHLIB_EXPLIBS= $(GSSRPC_LIBS) -lkrb5 -lk5crypto $(COM_ERR_LIB) $(SUPPORT_LIB) -lldap -llber $(LIBS) SHLIB_DIRS=-L$(TOPLIBD) SHLIB_RDIRS=$(KRB5_LIBDIR) diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c index 358bf152f..7c3622425 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c @@ -236,6 +236,7 @@ krb5_error_code krb5_ldap_open( krb5_context context, goto clean_n_exit; } + ldap_context->kcontext = context; while ( t_ptr && *t_ptr ) { diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h index 888fed0c5..2bb3b8574 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h @@ -201,6 +201,7 @@ typedef struct _krb5_ldap_context { k5_mutex_t hndl_lock; krb5_ldap_krbcontainer_params *krbcontainer; krb5_ldap_realm_params *lrparams; + krb5_context kcontext; /* to set the error code and message */ } krb5_ldap_context; 
@@ -259,4 +260,24 @@ krb5_ldap_read_startup_information(krb5_context ); int has_sasl_external_mech(krb5_context, char *); +/* DAL functions */ + +krb5_error_code +krb5_ldap_set_option( krb5_context, int, void * ); + +krb5_error_code +krb5_ldap_lock( krb5_context, int ); + +krb5_error_code +krb5_ldap_unlock( krb5_context ); + +krb5_error_code +krb5_ldap_supported_realms( krb5_context, char ** ); + +krb5_error_code +krb5_ldap_free_supported_realms( krb5_context, char ** ); + +krb5_error_code +krb5_ldap_errcode_2_string( krb5_context, long ); + #endif diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c index b0902d23c..5832554ad 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c @@ -161,7 +161,8 @@ krb5_ldap_initialize(ldap_context, server_info) if((ldap_server_handle->ldap_handle=ldap_init(server_info->server_name, port)) == NULL) { st = KRB5_KDB_ACCESS_ERROR; - krb5_set_error_message (0, st, "%s", strerror(errno)); + if (ldap_context->kcontext) + krb5_set_error_message (ldap_context->kcontext, st, "%s", strerror(errno)); goto err_out; } @@ -170,7 +171,8 @@ krb5_ldap_initialize(ldap_context, server_info) server_info->server_status = ON; krb5_update_ldap_handle(ldap_server_handle, server_info); } else { - krb5_set_error_message (0, KRB5_KDB_ACCESS_ERROR, "%s", + if (ldap_context->kcontext) + krb5_set_error_message (ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR, "%s", ldap_err2string(st)); st = KRB5_KDB_ACCESS_ERROR; server_info->server_status = OFF; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index 153a3c63e..af061640b 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 
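Review bot: The prototype `krb5_ldap_errcode_2_string( krb5_context, long );` has no output parameter, so a caller has no way to receive the string it names; if this is intended to fill the DAL errcode_2_string slot, its signature should be checked against the kdb_vftabl declaration before it is wired in — the visible ldap_exp.c hunk does not install it, so leaving it unwired may be deliberate for now. The matching definitions in the ldap_misc.c hunk ignore every parameter, which makes a mismatch easy to miss at compile time. A one-line comment above the block, `/* placeholder prototypes: keep in step with the kdb_vftabl slots they are meant to fill */`, would flag this for the next maintainer.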
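Review bot: `strerror(errno)` in the ldap_init() failure branch of the @@ -161 hunk reports whatever errno happens to hold, and ldap_init() is not documented to set errno when it returns NULL, so the recorded message can name an unrelated error or even "Success". A fixed message that identifies the server is more reliable, e.g. `krb5_set_error_message (ldap_context->kcontext, st, "ldap_init failed for %s", server_info->server_name);`, or errno should at least be checked for non-zero before being formatted. The NULL guard on kcontext is a good addition, and the @@ -170 hunk in the same file applies the same guard correctly. krb5_ldap_initialize continues outside both hunks.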
@@ -1469,3 +1469,52 @@ krb5_add_int_mem_ldap_mod(mods, attribute, op, value) return ENOMEM; return 0; } + +krb5_error_code +krb5_ldap_set_option( krb5_context kcontext, int option, void *value ) +{ + krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP; + krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + return status; +} + +krb5_error_code +krb5_ldap_lock( krb5_context kcontext, int mode ) +{ + krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP; + krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + return status; +} + +krb5_error_code +krb5_ldap_unlock( krb5_context kcontext ) +{ + krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP; + krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + return status; +} + +krb5_error_code +krb5_ldap_supported_realms( krb5_context kcontext, char **realms ) +{ + krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP; + krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + return status; +} + +krb5_error_code +krb5_ldap_free_supported_realms( krb5_context kcontext, char **realms ) +{ + krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP; + krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + return status; +} + +krb5_error_code +krb5_ldap_errcode_2_string( krb5_context kcontext, long err_code ) +{ + krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP; + krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + return status; +} + diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 6509ff9e7..52c113cd5 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 
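Review bot: The six functions added here share a byte-identical body, and the two realm stubs in the ldap_realm.c hunk repeat it again; one `static` helper that records the message and returns the status keeps the text in a single place and reduces each stub to a one-line body, as sketched below. Separately, `krb5_ldap_lock` and `krb5_ldap_unlock` now fail with KRB5_KDB_PLUGIN_OP_NOTSUPP rather than succeeding as a no-op; if any DAL caller treats a failing db_lock as fatal before a dump or load, that path now breaks for LDAP back ends, which is worth checking before this lands. `error_message( status )` also depends on the kdb5 error table having been registered in the calling process, otherwise the text degrades to a raw code, and a comment noting that dependency would help. The unused parameters (`option`, `value`, `mode`, `realms`, `err_code`) should be cast to void so warning-clean builds stay clean.

```c
/* Common body for DAL entry points the LDAP back end does not implement:
 * records a "not supported" message on kcontext and returns the code. */
static krb5_error_code
ldap_op_not_supported( krb5_context kcontext )
{
    krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
    krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
    return status;
}

krb5_error_code
krb5_ldap_set_option( krb5_context kcontext, int option, void *value )
{
    (void)option;
    (void)value;
    return ldap_op_not_supported( kcontext );
}

/* … unchanged in shape: krb5_ldap_lock, krb5_ldap_unlock, krb5_ldap_supported_realms,
 * krb5_ldap_free_supported_realms and krb5_ldap_errcode_2_string each reduce to the same one-line call … */
```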
@@ -205,10 +205,7 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more) if(attr_present == TRUE){ if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_TKTPOLICYDN, policydn)) != 0) goto cleanup; - } - if(!(mask & KDB_MAX_LIFE_ATTR) && !(mask & KDB_MAX_RLIFE_ATTR) && !(mask & KDB_TKT_FLAGS_ATTR)){ - if (attr_present == TRUE) - mask |= KDB_POL_REF_ATTR; + mask |= KDB_POL_REF_ATTR; } /* KRBPWDPOLICYREFERENCE */ @@ -1068,7 +1065,7 @@ krb5_read_tkt_policyreference(context, ldap_context, entries, policydn) if ((st=krb5_get_attributes_mask(context, entries, &mask)) != 0) goto cleanup; - if ((mask & tkt_mask) != tkt_mask) { + if ((mask & tkt_mask) == 0) { if (policydn != NULL) { st = krb5_ldap_read_policy(context, policydn, &tktpoldnparam, &omask); if (st && st != KRB5_KDB_NOENTRY) { diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c index 2ac8219c1..87f619c9d 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c @@ -1648,3 +1648,21 @@ krb5_ldap_free_realm_params(rparams) } return; } + +/* DAL functions */ + +krb5_error_code +krb5_ldap_create_realm_1(krb5_context kcontext, char *conf_section, char **db_args) +{ + krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP; + krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + return status; +} + +krb5_error_code +krb5_ldap_delete_realm_1(krb5_context kcontext, char *conf_section, char **db_args) +{ + krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP; + krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) ); + return status; +} diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h index fabc316ca..21d7d877c 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h 
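Review bot: The condition change in the @@ -1068 hunk, from `(mask & tkt_mask) != tkt_mask` to `(mask & tkt_mask) == 0`, means the ticket policy named by policydn is consulted only when the principal carries none of the ticket attributes, whereas before it was consulted whenever any of them was missing; together with the @@ -205 hunk, which now sets KDB_POL_REF_ATTR whenever a policy reference is present, a principal with only max_life set will no longer have max_renew_life or its ticket flags filled in from the policy. If that is intended it should be stated in the commit message and in a comment at the condition, because silently skipping policy-derived flags for partially populated entries weakens what the policy was meant to enforce; if it is not intended, the old comparison should stay. How the missing attributes are defaulted afterwards is outside the hunk, so I cannot tell from here whether the resulting entries end up more or less restrictive. Both enclosing functions continue outside their hunks.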
@@ -68,7 +68,6 @@ typedef struct _krb5_ldap_realm_params { krb5_int32 defsalttype; krb5_enctype *suppenctypes; krb5_int32 *suppsalttypes; - char **ldapservers; char **kdcservers; char **adminservers; char **passwdservers; @@ -96,4 +95,10 @@ krb5_ldap_read_realm_params(krb5_context , char *, krb5_ldap_realm_params **, in void krb5_ldap_free_realm_params(krb5_ldap_realm_params *); +krb5_error_code +krb5_ldap_create_realm_1(krb5_context, char *, char **); + +krb5_error_code +krb5_ldap_delete_realm_1(krb5_context, char *, char **); + #endif diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c index 865fe21a1..702f548c5 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c @@ -136,6 +136,26 @@ krb5_ldap_readpassword(context, ldap_context, password) CT.len = strlen((char *)CT.value); st = dec_password(CT, &PT); if(st != 0){ + switch (st) { + case ERR_NO_MEM: + st = ENOMEM; + break; + case ERR_PWD_ZERO: + st = EINVAL; + krb5_set_error_message(context, st, "Password has zero length"); + break; + case ERR_PWD_BAD: + st = EINVAL; + krb5_set_error_message(context, st, "Password corrupted"); + break; + case ERR_PWD_NOT_HEX: + st = EINVAL; + krb5_set_error_message(context, st, "Not a hexadecimal password"); + break; + default: + st = KRB5_KDB_SERVER_INTERNAL_ERR; + break; + } goto rp_exit; } *password = PT.value; @@ -192,6 +212,11 @@ tohex(in, ret) * := {HEX} * * is the actual eDirectory password of the service + * Return values: + * ERR_NO_MEM - No Memory + * ERR_PWD_ZERO - Password has zero length + * ERR_PWD_BAD - Passowrd corrupted + * ERR_PWD_NOT_HEX - Not a hexadecimal password */ int dec_password(struct data pwd, struct data *ret){ 
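Review bot: The `default` branch of the new switch in the @@ -136 hunk returns KRB5_KDB_SERVER_INTERNAL_ERR without setting any message, so a code added to dec_password() later would surface as a bare internal error with the original value lost, since `st` is overwritten in every case. Capturing the original in a local before the switch and reporting it there, e.g. `krb5_set_error_message(context, st, "dec_password failed with code %d", orig_st);`, keeps that path diagnosable. The mapping itself is an improvement over the earlier calls that passed a NULL context to krb5_set_error_message. krb5_ldap_readpassword continues outside the hunk.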
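Review bot: The return-value list added to the dec_password() comment in the @@ -192 hunk has a typo, `ERR_PWD_BAD - Passowrd corrupted` should read `ERR_PWD_BAD - Password corrupted`, and it omits the success case. Adding `0 - success, ret->value holds the decoded password` would complete the contract, with a note on who frees that buffer if the caller owns it — the function body is outside this hunk, so that ownership needs confirming from the code.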
@@ -202,8 +227,7 @@ int dec_password(struct data pwd, struct data *ret){ ret->value = NULL; if (pwd.len == 0) { - err = EINVAL; - krb5_set_error_message (0, err, "Password has zero length"); + err = ERR_PWD_ZERO; ret->len = 0; goto cleanup; } @@ -214,14 +238,13 @@ int dec_password(struct data pwd, struct data *ret){ if((pwd.len - strlen("{HEX}")) % 2 != 0){ /* A hexadecimal encoded password should have even length */ - err = EINVAL; - krb5_set_error_message (0, err, "Password corrupted"); + err = ERR_PWD_BAD; ret->len = 0; goto cleanup; } ret->value = (unsigned char *)malloc((pwd.len - strlen("{HEX}")) / 2 + 1); if(ret->value == NULL){ - err = ENOMEM; + err = ERR_NO_MEM; ret->len = 0; goto cleanup; } @@ -231,8 +254,7 @@ int dec_password(struct data pwd, struct data *ret){ int k; /* Check if it is a hexadecimal number */ if (isxdigit(pwd.value[i]) == 0 || isxdigit(pwd.value[i + 1]) == 0) { - err = EINVAL; - krb5_set_error_message (0, err, "Not a hexadecimal password"); + err = ERR_PWD_NOT_HEX; ret->len = 0; goto cleanup; } @@ -241,8 +263,7 @@ int dec_password(struct data pwd, struct data *ret){ } goto cleanup; } else { - err = EINVAL; - krb5_set_error_message (0, err, "Not a hexadecimal password"); + err = ERR_PWD_NOT_HEX; ret->len = 0; goto cleanup; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h index c51d1a172..bd7e3dc63 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h @@ -37,6 +37,11 @@ struct data{ unsigned char *value; }; +#define ERR_NO_MEM 1 +#define ERR_PWD_ZERO 2 +#define ERR_PWD_BAD 3 +#define ERR_PWD_NOT_HEX 4 + int dec_password(struct data, struct data *); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports index 2e75b7eae..8178271ea 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports 
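Review bot: On the ERR_PWD_NOT_HEX path inside the decoding loop (the @@ -231 hunk), `ret->value` already holds the bytes of the service password decoded so far when the `goto cleanup` runs, and whether cleanup frees that buffer and resets `ret->value` is outside the hunk; since krb5_ldap_readpassword now maps this to EINVAL and only reads `PT.value` on success, partially decoded password material could be leaked if cleanup does not release it. Given the commit's stated goal of clearing password strings once they are no longer used, the error path should also wipe the buffer before freeing it, e.g. `memset(ret->value, 0, (pwd.len - strlen("{HEX}")) / 2 + 1); free(ret->value); ret->value = NULL;` — using the allocation size rather than `ret->len`, which is set to 0 just before the goto. A plain memset before free may be optimized away, so an explicit-zeroing helper is preferable where the tree provides one. dec_password continues outside the hunk.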
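Review bot: The new `ERR_NO_MEM` through `ERR_PWD_NOT_HEX` macros in the ldap_service_stash.h hunk use the values 1–4, which coincide with the lowest errno values (EPERM is 1 on common platforms), so any caller that passes dec_password()'s result straight up as an errno or krb5_error_code would print a misleading "Operation not permitted"; the switch in krb5_ldap_readpassword maps them correctly, but nothing prevents a future caller from skipping it. An enum with a namespaced prefix, `enum { LDAP_STASH_ERR_NO_MEM = 1, LDAP_STASH_ERR_PWD_ZERO, LDAP_STASH_ERR_PWD_BAD, LDAP_STASH_ERR_PWD_NOT_HEX };`, is visible in a debugger and avoids colliding with any `ERR_*` name a system or LDAP header might already define. The comment on dec_password() should then state that its return is one of these codes and not an errno.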
+++ b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports @@ -39,3 +39,11 @@ krb5_ldap_free krb5_ldap_set_mkey krb5_ldap_get_mkey disjoint_members +krb5_ldap_create_realm_1 +krb5_ldap_delete_realm_1 +krb5_ldap_set_option +krb5_ldap_lock +krb5_ldap_unlock +krb5_ldap_supported_realms +krb5_ldap_free_supported_realms +krb5_ldap_errcode_2_string -- 2.26.2