Remove eDirectory support code in LDAP KDB module
authorGreg Hudson <ghudson@mit.edu>
Sun, 29 Jul 2012 16:03:44 +0000 (12:03 -0400)
committerGreg Hudson <ghudson@mit.edu>
Sun, 29 Jul 2012 16:03:44 +0000 (12:03 -0400)
21 files changed:
doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst
doc/rst_source/krb_build/options2configure.rst
src/aclocal.m4
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h
src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
src/plugins/kdb/ldap/libkdb_ldap/deps
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c [deleted file]
src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c [deleted file]
src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h [deleted file]

index ce39110779a24375363509c1ab9cf077e653ccd8..e5c037db43a27c38074fc16fd0da3306748d0ff6 100644 (file)
@@ -61,8 +61,6 @@ create
     [**-m|-P** *password*\|\ **-sf** *stashfilename*]
     [**-s**]
     [**-r** *realm*]
-    [**-kdcdn** *kdc_service_list*]
-    [**-admindn** *admin_service_list*]
     [**-maxtktlife** *max_ticket_life*]
     [**-maxrenewlife** *max_renewable_ticket_life*]
     [*ticket_flags*]
@@ -149,8 +147,6 @@ modify
     [**-sscope** *search_scope*]
     [**-containerref** *container_reference_dn*]
     [**-r** *realm*]
-    [**-kdcdn** *kdc_service_list* | [**-clearkdcdn** *kdc_service_list*] [**-addkdcdn** *kdc_service_list*]]
-    [**-admindn** *admin_service_list* | [**-clearadmindn** *admin_service_list*] [**-addadmindn** *admin_service_list*]]
     [**-maxtktlife** *max_ticket_life*]
     [**-maxrenewlife** *max_renewable_ticket_life*]
     [*ticket_flags*]
index 3df2a45c709316df1aef020ad64eedaa7ae7c8dd..5c2bf1bb58a08026cb81425465065b0238a467a6 100644 (file)
@@ -317,9 +317,6 @@ Optional packages
 **--with-ldap**
     Compile OpenLDAP database backend module.
 
-**--with-edirectory**
-    Compile the eDirectory database backend module.
-
 **--with-tcl=**\ *path*
     Specifies that *path* is the location of a Tcl installation.
     Tcl is needed for some of the tests run by 'make check'; such tests
index c7aaf0c6e6419bcae0a0a041357a2558136b589e..7dbee068b6c3c88dfdc86261ba8618c09e299e91 100644 (file)
@@ -1641,15 +1641,8 @@ AC_ARG_WITH([ldap],
 [case "$withval" in
     OPENLDAP) with_ldap=yes ;;
     yes | no) ;;
-    EDIRECTORY) AC_MSG_ERROR(Option --with-ldap=EDIRECTORY is deprecated; use --with-edirectory instead.) ;;
     *)  AC_MSG_ERROR(Invalid option value --with-ldap="$withval") ;;
 esac], with_ldap=no)dnl
-AC_ARG_WITH([edirectory],
-[  --with-edirectory       compile eDirectory database backend module],
-[case "$withval" in
-    yes | no) ;;
-    *)  AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;;
-esac], with_edirectory=no)dnl
 
 if test $with_ldap = yes; then
   if test $with_edirectory = yes; then
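Review bot: The context line `if test $with_edirectory = yes; then` survives this hunk while the `AC_ARG_WITH([edirectory], ...)` that used to initialise `with_edirectory=no` is deleted, so the variable is now never assigned and the test expands to the malformed two-argument form `test = yes` (bash reports "unary operator expected") on every `--with-ldap` configure run. Its matching `fi` is the first context line of the next hunk at -1657; the body between the two hunks is not visible here, but it presumably only rejected the combination of both options, which can no longer be requested. Drop the leftover block — the `if test $with_edirectory = yes; then` line, its body and the `fi` — so that `AC_MSG_NOTICE(enabling OpenLDAP database backend module support)` and `OPENLDAP_PLUGIN=yes` sit directly under `if test $with_ldap = yes; then`. If the check is intentionally kept for now, at minimum quote it as `if test "$with_edirectory" = yes; then` so an unset variable cannot break the shell syntax.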
@@ -1657,13 +1650,6 @@ if test $with_ldap = yes; then
   fi
   AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
   OPENLDAP_PLUGIN=yes
-elif test $with_edirectory = yes; then
-  AC_MSG_NOTICE(enabling eDirectory database backend module support)
-  OPENLDAP_PLUGIN=yes
-  AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.])
-else
-  : # neither enabled
-dnl  AC_MSG_NOTICE(disabling ldap backend module support)
 fi
 ])dnl
 dnl
index 72b4f7e654fe2aeb54b91f581734e79a745c08e8..a479c6e46a2f5e78c784a6b9682730c8138a1c83 100644 (file)
@@ -139,14 +139,6 @@ static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_
 #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
 #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
 
-#ifdef HAVE_EDIRECTORY
-#define FREE_DN_LIST(dnlist)    if (dnlist != NULL) {   \
-        for (idx=0; dnlist[idx] != NULL; idx++)         \
-            free(dnlist[idx]);                          \
-        free(dnlist);                                   \
-    }
-#endif
-
 static int
 get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[],
                   int argc)
@@ -331,9 +323,6 @@ kdb5_ldap_create(int argc, char *argv[])
     int i = 0;
     int mask = 0, ret_mask = 0;
     char **list = NULL;
-#ifdef HAVE_EDIRECTORY
-    int rightsmask = 0;
-#endif
 
     memset(&master_keyblock, 0, sizeof(master_keyblock));
 
@@ -414,54 +403,6 @@ kdb5_ldap_create(int argc, char *argv[])
             }
             mask |= LDAP_REALM_SEARCHSCOPE;
         }
-#ifdef HAVE_EDIRECTORY
-        else if (!strcmp(argv[i], "-kdcdn")) {
-            if (++i > argc-1)
-                goto err_usage;
-            rparams->kdcservers = (char **)malloc(
-                sizeof(char *) * MAX_LIST_ENTRIES);
-            if (rparams->kdcservers == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-            memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
-                                          rparams->kdcservers))) {
-                goto cleanup;
-            }
-            mask |= LDAP_REALM_KDCSERVERS;
-        } else if (!strcmp(argv[i], "-admindn")) {
-            if (++i > argc-1)
-                goto err_usage;
-            rparams->adminservers = (char **)malloc(
-                sizeof(char *) * MAX_LIST_ENTRIES);
-            if (rparams->adminservers == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-            memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
-                                          rparams->adminservers))) {
-                goto cleanup;
-            }
-            mask |= LDAP_REALM_ADMINSERVERS;
-        } else if (!strcmp(argv[i], "-pwddn")) {
-            if (++i > argc-1)
-                goto err_usage;
-            rparams->passwdservers = (char **)malloc(
-                sizeof(char *) * MAX_LIST_ENTRIES);
-            if (rparams->passwdservers == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-            memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
-                                          rparams->passwdservers))) {
-                goto cleanup;
-            }
-            mask |= LDAP_REALM_PASSWDSERVERS;
-        }
-#endif
         else if (!strcmp(argv[i], "-s")) {
             do_stash = 1;
         } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
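Review bot: Removing the `#ifdef HAVE_EDIRECTORY` arm leaves the closing `}` of the `-sscope` branch and `else if (!strcmp(argv[i], "-s")) {` on separate lines, which no longer matches the cuddled `} else if (...)` style the rest of this option chain uses (see the `get_ticket_policy` line directly below). Join them as `} else if (!strcmp(argv[i], "-s")) {`. The same seam is left in kdb5_ldap_modify at the end of the -1063 hunk, where a bare `}` is now followed by `else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {` on its own line. kdb5_ldap_create's body continues outside this hunk.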
@@ -554,11 +495,7 @@ kdb5_ldap_create(int argc, char *argv[])
 
         printf(_("\nKerberos container is missing. Creating now...\n"));
         if (kparams.DN == NULL) {
-#ifdef HAVE_EDIRECTORY
-            printf("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: ");
-#else
             printf(_("Enter DN of Kerberos container: "));
-#endif
             if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) {
                 /* Remove the newline character at the end */
                 krb_location_len = strlen(krb_location);
@@ -792,67 +729,6 @@ kdb5_ldap_create(int argc, char *argv[])
         }
     }
 
-#ifdef HAVE_EDIRECTORY
-    if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
-        (mask & LDAP_REALM_PASSWDSERVERS)) {
-
-        printf(_("Changing rights for the service object. Please wait ... "));
-        fflush(stdout);
-
-        rightsmask =0;
-        rightsmask |= LDAP_REALM_RIGHTS;
-        rightsmask |= LDAP_SUBTREE_RIGHTS;
-        if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
-            for (i=0; (rparams->kdcservers[i] != NULL); i++) {
-                if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                         LDAP_KDC_SERVICE, rparams->kdcservers[i],
-                                                         rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                    printf(_("failed\n"));
-                    com_err(progname, retval,
-                            _("while assigning rights to '%s'"),
-                            rparams->realm_name);
-                    goto err_nomsg;
-                }
-            }
-        }
-
-        rightsmask = 0;
-        rightsmask |= LDAP_REALM_RIGHTS;
-        rightsmask |= LDAP_SUBTREE_RIGHTS;
-        if ((rparams != NULL) && (rparams->adminservers != NULL)) {
-            for (i=0; (rparams->adminservers[i] != NULL); i++) {
-                if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                         LDAP_ADMIN_SERVICE, rparams->adminservers[i],
-                                                         rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                    printf(_("failed\n"));
-                    com_err(progname, retval,
-                            _("while assigning rights to '%s'"),
-                            rparams->realm_name);
-                    goto err_nomsg;
-                }
-            }
-        }
-
-        rightsmask = 0;
-        rightsmask |= LDAP_REALM_RIGHTS;
-        rightsmask |= LDAP_SUBTREE_RIGHTS;
-        if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
-            for (i=0; (rparams->passwdservers[i] != NULL); i++) {
-                if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                         LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
-                                                         rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                    printf(_("failed\n"));
-                    com_err(progname, retval,
-                            _("while assigning rights to '%s'"),
-                            rparams->realm_name);
-                    goto err_nomsg;
-                }
-            }
-        }
-
-        printf(_("done\n"));
-    }
-#endif
     /* The Realm creation is completed. Here is the end of transaction */
     create_complete = TRUE;
 
@@ -928,24 +804,6 @@ kdb5_ldap_modify(int argc, char *argv[])
     int i = 0;
     int mask = 0, rmask = 0, ret_mask = 0;
     char **slist = {NULL};
-#ifdef HAVE_EDIRECTORY
-    int j = 0, idx = 0;
-    char *list[MAX_LIST_ENTRIES];
-    int existing_entries = 0, list_entries = 0;
-    int newkdcdn = 0, newadmindn = 0, newpwddn = 0;
-    char **tempstr = NULL;
-    char **oldkdcdns = NULL;
-    char **oldadmindns = NULL;
-    char **oldpwddns = NULL;
-    char **newkdcdns = NULL;
-    char **newsubtrees = NULL;
-    char **newadmindns = NULL;
-    char **newpwddns = NULL;
-    char **oldsubtrees = NULL;
-    char *oldcontainerref = NULL;
-    int rightsmask = 0;
-    int subtree_changed = 0;
-#endif
 
     dal_handle = util_context->dal_handle;
     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
@@ -974,20 +832,6 @@ kdb5_ldap_modify(int argc, char *argv[])
 
             if (rmask & LDAP_REALM_SUBTREE) {
                 if (rparams->subtree) {
-#ifdef HAVE_EDIRECTORY
-                    oldsubtrees =  (char **) calloc(rparams->subtreecount+1, sizeof(char *));
-                    if (oldsubtrees == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-                    for (k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) {
-                        oldsubtrees[k] = strdup(rparams->subtree[k]);
-                        if (oldsubtrees[k] == NULL) {
-                            retval = ENOMEM;
-                            goto cleanup;
-                        }
-                    }
-#endif
                     for (k=0; k<rparams->subtreecount && rparams->subtree[k]; k++)
                         free(rparams->subtree[k]);
                     rparams->subtreecount=0;
@@ -1028,11 +872,6 @@ kdb5_ldap_modify(int argc, char *argv[])
                         global_params.realm);
                 goto err_nomsg;
             }
-#ifdef HAVE_EDIRECTORY
-            if (rparams->containerref != NULL) {
-                oldcontainerref = rparams->containerref;
-            }
-#endif
             rparams->containerref = strdup(argv[i]);
             if (rparams->containerref == NULL) {
                 retval = ENOMEM;
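Review bot: With the `oldcontainerref = rparams->containerref` save removed, `rparams->containerref = strdup(argv[i]);` now overwrites whatever the earlier realm read placed in `containerref` without releasing it, so a pre-existing container reference leaks whenever `-containerref` is given; the old code at least kept the pointer so it could be used and freed later. The analogous `-subtree` branch in the -974 hunk frees the old entries before replacing them, so do the same here with `free(rparams->containerref);` immediately before the `strdup`. The leak is small for a one-shot utility, but it is the only remaining reference to the old DN, and `free(NULL)` makes the extra line safe when nothing was set. kdb5_ldap_modify's body continues outside this hunk.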
@@ -1063,380 +902,6 @@ kdb5_ldap_modify(int argc, char *argv[])
             }
             mask |= LDAP_REALM_SEARCHSCOPE;
         }
-#ifdef HAVE_EDIRECTORY
-        else if (!strcmp(argv[i], "-kdcdn")) {
-            if (++i > argc-1)
-                goto err_usage;
-
-            if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
-                if (!oldkdcdns) {
-                    /* Store the old kdc dns list for removing rights */
-                    oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (oldkdcdns == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    for (j=0; rparams->kdcservers[j] != NULL; j++) {
-                        oldkdcdns[j] = strdup(rparams->kdcservers[j]);
-                        if (oldkdcdns[j] == NULL) {
-                            retval = ENOMEM;
-                            goto cleanup;
-                        }
-                    }
-                    oldkdcdns[j] = NULL;
-                }
-
-                krb5_free_list_entries(rparams->kdcservers);
-                free(rparams->kdcservers);
-            }
-
-            rparams->kdcservers = (char **)malloc(
-                sizeof(char *) * MAX_LIST_ENTRIES);
-            if (rparams->kdcservers == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-            memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
-                                          rparams->kdcservers))) {
-                goto cleanup;
-            }
-            mask |= LDAP_REALM_KDCSERVERS;
-            /* Going to replace the existing value by this new value. Hence
-             * setting flag indicating that add or clear options will be ignored
-             */
-            newkdcdn = 1;
-        } else if (!strcmp(argv[i], "-clearkdcdn")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
-                if (!oldkdcdns) {
-                    /* Store the old kdc dns list for removing rights */
-                    oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (oldkdcdns == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    for (j=0; rparams->kdcservers[j] != NULL; j++) {
-                        oldkdcdns[j] = strdup(rparams->kdcservers[j]);
-                        if (oldkdcdns[j] == NULL) {
-                            retval = ENOMEM;
-                            goto cleanup;
-                        }
-                    }
-                    oldkdcdns[j] = NULL;
-                }
-
-                memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
-                    goto cleanup;
-                }
-                list_modify_str_array(&rparams->kdcservers, (const char **)list,
-                                      LIST_MODE_DELETE);
-                mask |= LDAP_REALM_KDCSERVERS;
-                krb5_free_list_entries(list);
-            }
-        } else if (!strcmp(argv[i], "-addkdcdn")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if (!newkdcdn) {
-                if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) {
-                    /* Store the old kdc dns list for removing rights */
-                    oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (oldkdcdns == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    for (j = 0; rparams->kdcservers[j] != NULL; j++) {
-                        oldkdcdns[j] = strdup(rparams->kdcservers[j]);
-                        if (oldkdcdns[j] == NULL) {
-                            retval = ENOMEM;
-                            goto cleanup;
-                        }
-                    }
-                    oldkdcdns[j] = NULL;
-                }
-
-                memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
-                    goto cleanup;
-                }
-                existing_entries = list_count_str_array(rparams->kdcservers);
-                list_entries = list_count_str_array(list);
-                if (rmask & LDAP_REALM_KDCSERVERS) {
-                    tempstr = (char **)realloc(
-                        rparams->kdcservers,
-                        sizeof(char *) * (existing_entries+list_entries+1));
-                    if (tempstr == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-                    rparams->kdcservers = tempstr;
-                } else {
-                    rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1));
-                    if (rparams->kdcservers == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-                    memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1));
-                }
-                list_modify_str_array(&rparams->kdcservers, (const char **)list,
-                                      LIST_MODE_ADD);
-                mask |= LDAP_REALM_KDCSERVERS;
-            }
-        } else if (!strcmp(argv[i], "-admindn")) {
-            if (++i > argc-1)
-                goto err_usage;
-
-            if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
-                if (!oldadmindns) {
-                    /* Store the old admin dns list for removing rights */
-                    oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (oldadmindns == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    for (j=0; rparams->adminservers[j] != NULL; j++) {
-                        oldadmindns[j] = strdup(rparams->adminservers[j]);
-                        if (oldadmindns[j] == NULL) {
-                            retval = ENOMEM;
-                            goto cleanup;
-                        }
-                    }
-                    oldadmindns[j] = NULL;
-                }
-
-                krb5_free_list_entries(rparams->adminservers);
-                free(rparams->adminservers);
-            }
-
-            rparams->adminservers = (char **)malloc(
-                sizeof(char *) * MAX_LIST_ENTRIES);
-            if (rparams->adminservers == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-            memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
-                                          rparams->adminservers))) {
-                goto cleanup;
-            }
-            mask |= LDAP_REALM_ADMINSERVERS;
-            /* Going to replace the existing value by this new value. Hence
-             * setting flag indicating that add or clear options will be ignored
-             */
-            newadmindn = 1;
-        } else if (!strcmp(argv[i], "-clearadmindn")) {
-            if (++i > argc-1)
-                goto err_usage;
-
-            if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
-                if (!oldadmindns) {
-                    /* Store the old admin dns list for removing rights */
-                    oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (oldadmindns == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    for (j=0; rparams->adminservers[j] != NULL; j++) {
-                        oldadmindns[j] = strdup(rparams->adminservers[j]);
-                        if (oldadmindns[j] == NULL) {
-                            retval = ENOMEM;
-                            goto cleanup;
-                        }
-                    }
-                    oldadmindns[j] = NULL;
-                }
-
-                memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
-                    goto cleanup;
-                }
-                list_modify_str_array(&rparams->adminservers, (const char **)list,
-                                      LIST_MODE_DELETE);
-                mask |= LDAP_REALM_ADMINSERVERS;
-                krb5_free_list_entries(list);
-            }
-        } else if (!strcmp(argv[i], "-addadmindn")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if (!newadmindn) {
-                if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) {
-                    /* Store the old admin dns list for removing rights */
-                    oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (oldadmindns == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    for (j=0; rparams->adminservers[j] != NULL; j++) {
-                        oldadmindns[j] = strdup(rparams->adminservers[j]);
-                        if (oldadmindns[j] == NULL) {
-                            retval = ENOMEM;
-                            goto cleanup;
-                        }
-                    }
-                    oldadmindns[j] = NULL;
-                }
-
-                memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
-                    goto cleanup;
-                }
-                existing_entries = list_count_str_array(rparams->adminservers);
-                list_entries = list_count_str_array(list);
-                if (rmask & LDAP_REALM_ADMINSERVERS) {
-                    tempstr = (char **)realloc(
-                        rparams->adminservers,
-                        sizeof(char *) * (existing_entries+list_entries+1));
-                    if (tempstr == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-                    rparams->adminservers = tempstr;
-                } else {
-                    rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1));
-                    if (rparams->adminservers == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-                    memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1));
-                }
-                list_modify_str_array(&rparams->adminservers, (const char **)list,
-                                      LIST_MODE_ADD);
-                mask |= LDAP_REALM_ADMINSERVERS;
-            }
-        } else if (!strcmp(argv[i], "-pwddn")) {
-            if (++i > argc-1)
-                goto err_usage;
-
-            if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
-                if (!oldpwddns) {
-                    /* Store the old pwd dns list for removing rights */
-                    oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (oldpwddns == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    for (j=0; rparams->passwdservers[j] != NULL; j++) {
-                        oldpwddns[j] = strdup(rparams->passwdservers[j]);
-                        if (oldpwddns[j] == NULL) {
-                            retval = ENOMEM;
-                            goto cleanup;
-                        }
-                    }
-                    oldpwddns[j] = NULL;
-                }
-
-                krb5_free_list_entries(rparams->passwdservers);
-                free(rparams->passwdservers);
-            }
-
-            rparams->passwdservers = (char **)malloc(
-                sizeof(char *) * MAX_LIST_ENTRIES);
-            if (rparams->passwdservers == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-            memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
-                                          rparams->passwdservers))) {
-                goto cleanup;
-            }
-            mask |= LDAP_REALM_PASSWDSERVERS;
-            /* Going to replace the existing value by this new value. Hence
-             * setting flag indicating that add or clear options will be ignored
-             */
-            newpwddn = 1;
-        } else if (!strcmp(argv[i], "-clearpwddn")) {
-            if (++i > argc-1)
-                goto err_usage;
-
-            if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
-                if (!oldpwddns) {
-                    /* Store the old pwd dns list for removing rights */
-                    oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (oldpwddns == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    for (j=0; rparams->passwdservers[j] != NULL; j++) {
-                        oldpwddns[j] = strdup(rparams->passwdservers[j]);
-                        if (oldpwddns[j] == NULL) {
-                            retval = ENOMEM;
-                            goto cleanup;
-                        }
-                    }
-                    oldpwddns[j] = NULL;
-                }
-
-                memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
-                    goto cleanup;
-                }
-                list_modify_str_array(&rparams->passwdservers, (const char**)list,
-                                      LIST_MODE_DELETE);
-                mask |= LDAP_REALM_PASSWDSERVERS;
-                krb5_free_list_entries(list);
-            }
-        } else if (!strcmp(argv[i], "-addpwddn")) {
-            if (++i > argc-1)
-                goto err_usage;
-            if (!newpwddn) {
-                if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) {
-                    /* Store the old pwd dns list for removing rights */
-                    oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (oldpwddns == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    for (j=0; rparams->passwdservers[j] != NULL; j++) {
-                        oldpwddns[j] = strdup(rparams->passwdservers[j]);
-                        if (oldpwddns[j] == NULL) {
-                            retval = ENOMEM;
-                            goto cleanup;
-                        }
-                    }
-                    oldpwddns[j] = NULL;
-                }
-
-                memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
-                    goto cleanup;
-                }
-                existing_entries = list_count_str_array(rparams->passwdservers);
-                list_entries = list_count_str_array(list);
-                if (rmask & LDAP_REALM_PASSWDSERVERS) {
-                    tempstr = (char **)realloc(
-                        rparams->passwdservers,
-                        sizeof(char *) * (existing_entries+list_entries+1));
-                    if (tempstr == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-                    rparams->passwdservers = tempstr;
-                } else {
-                    rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1));
-                    if (rparams->passwdservers == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-                    memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1));
-                }
-                list_modify_str_array(&rparams->passwdservers, (const char**)list,
-                                      LIST_MODE_ADD);
-                mask |= LDAP_REALM_PASSWDSERVERS;
-            }
-        }
-#endif
         else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
             mask|=ret_mask;
         } else {
@@ -1450,443 +915,6 @@ kdb5_ldap_modify(int argc, char *argv[])
         goto cleanup;
     }
 
-#ifdef HAVE_EDIRECTORY
-    if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF) || (mask & LDAP_REALM_KDCSERVERS) ||
-        (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) {
-
-        printf(_("Changing rights for the service object. Please wait ... "));
-        fflush(stdout);
-
-        if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF)) {
-            subtree_changed = 1;
-        }
-
-        if ((subtree_changed) || (mask & LDAP_REALM_KDCSERVERS)) {
-
-            if (!(mask & LDAP_REALM_KDCSERVERS)) {
-                if (rparams->kdcservers != NULL) {
-                    char **kdcdns = rparams->kdcservers;
-                    /* Only subtree and/or container ref has changed */
-                    rightsmask =0;
-                    /*  KDCSERVERS have not changed. Realm rights need not be changed */;
-                    rightsmask |= LDAP_SUBTREE_RIGHTS;
-                    if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) {
-                        /* Remove the rights on the old subtrees */
-                        for (i=0; (kdcdns[i] != NULL); i++) {
-                            if ((retval=krb5_ldap_delete_service_rights(util_context,
-                                                                        LDAP_KDC_SERVICE, kdcdns[i],
-                                                                        rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
-                                printf(_("failed\n"));
-                                com_err(progname, retval,
-                                        _("while assigning rights '%s'"),
-                                        rparams->realm_name);
-                                goto err_nomsg;
-                            }
-                        }
-                    }
-                    for (i=0; (kdcdns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                                 LDAP_KDC_SERVICE, kdcdns[i],
-                                                                 rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            goto err_nomsg;
-                        }
-                    }
-                }
-            }
-
-            if (!subtree_changed) {
-                char **newdns = NULL;
-                /* Only kdc servers have changed */
-                rightsmask =0;
-                rightsmask = LDAP_REALM_RIGHTS;
-                rightsmask |= LDAP_SUBTREE_RIGHTS;
-                if (oldkdcdns != NULL) {
-                    newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (newdns == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
-                        for (j=0;  rparams->kdcservers[j]!= NULL; j++) {
-                            newdns[j] = strdup(rparams->kdcservers[j]);
-                            if (newdns[j] == NULL) {
-                                FREE_DN_LIST(newdns);
-                                retval = ENOMEM;
-                                goto cleanup;
-                            }
-                        }
-                        newdns[j] = NULL;
-                    }
-
-                    disjoint_members(oldkdcdns, newdns);
-
-                    for (i=0; (oldkdcdns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_delete_service_rights(util_context,
-                                                                    LDAP_KDC_SERVICE, oldkdcdns[i],
-                                                                    rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            FREE_DN_LIST(newdns);
-                            goto err_nomsg;
-                        }
-                    }
-                    for (i=0; (newdns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                                 LDAP_KDC_SERVICE, newdns[i],
-                                                                 rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            FREE_DN_LIST(newdns);
-                            goto err_nomsg;
-                        }
-                    }
-                    for (i=0; (newdns[i] != NULL); i++) {
-                        free(newdns[i]);
-                    }
-                    free(newdns);
-                } else {
-                    newdns = rparams->kdcservers;
-                    for (i=0; (newdns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                                 LDAP_KDC_SERVICE, newdns[i],
-                                                                 rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            goto err_nomsg;
-                        }
-                    }
-                }
-            }
-
-            if (subtree_changed && (mask & LDAP_REALM_KDCSERVERS)) {
-                char **newdns = rparams->kdcservers;
-
-                rightsmask =0;
-                rightsmask = LDAP_REALM_RIGHTS;
-                rightsmask |= LDAP_SUBTREE_RIGHTS;
-                if (oldkdcdns != NULL) {
-                    for (i=0; (oldkdcdns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_delete_service_rights(util_context,
-                                                                    LDAP_KDC_SERVICE, oldkdcdns[i],
-                                                                    rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            goto err_nomsg;
-                        }
-                    }
-                }
-                for (i=0; (newdns[i] != NULL); i++) {
-                    if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                             LDAP_KDC_SERVICE, newdns[i],
-                                                             rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                        printf(_("failed\n"));
-                        com_err(progname, retval,
-                                _("while assigning rights '%s'"),
-                                rparams->realm_name);
-                        goto err_nomsg;
-                    }
-                }
-            }
-        }
-
-        if (subtree_changed || (mask & LDAP_REALM_ADMINSERVERS)) {
-
-            if (!(mask & LDAP_REALM_ADMINSERVERS)) {
-                if (rparams->adminservers != NULL) {
-                    char **admindns = rparams->adminservers;
-                    /* Only subtree and/or container ref has changed */
-                    rightsmask =0;
-                    /*  KADMINSERVERS have not changed. Realm rights need not be changed */;
-                    rightsmask |= LDAP_SUBTREE_RIGHTS;
-                    if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) {
-                        /* Remove the rights on the old subtrees */
-                        for (i=0; (admindns[i] != NULL); i++) {
-                            if ((retval=krb5_ldap_delete_service_rights(util_context,
-                                                                        LDAP_ADMIN_SERVICE, admindns[i],
-                                                                        rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
-                                printf(_("failed\n"));
-                                com_err(progname, retval,
-                                        _("while assigning rights '%s'"),
-                                        rparams->realm_name);
-                                goto err_nomsg;
-                            }
-                        }
-                    }
-                    for (i=0; (admindns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                                 LDAP_ADMIN_SERVICE, admindns[i],
-                                                                 rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            goto err_nomsg;
-                        }
-                    }
-                }
-            }
-
-            if (!subtree_changed) {
-                char **newdns = NULL;
-                /* Only admin servers have changed */
-                rightsmask =0;
-                rightsmask = LDAP_REALM_RIGHTS;
-                rightsmask |= LDAP_SUBTREE_RIGHTS;
-                if (oldadmindns != NULL) {
-                    newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (newdns == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    if ((rparams != NULL) && (rparams->adminservers != NULL)) {
-                        for (j=0;  rparams->adminservers[j]!= NULL; j++) {
-                            newdns[j] = strdup(rparams->adminservers[j]);
-                            if (newdns[j] == NULL) {
-                                FREE_DN_LIST(newdns);
-                                retval = ENOMEM;
-                                goto cleanup;
-                            }
-                        }
-                        newdns[j] = NULL;
-                    }
-
-                    disjoint_members(oldadmindns, newdns);
-
-                    for (i=0; (oldadmindns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_delete_service_rights(util_context,
-                                                                    LDAP_ADMIN_SERVICE, oldadmindns[i],
-                                                                    rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            FREE_DN_LIST(newdns);
-                            goto err_nomsg;
-                        }
-                    }
-                    for (i=0; (newdns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                                 LDAP_ADMIN_SERVICE, newdns[i],
-                                                                 rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            FREE_DN_LIST(newdns);
-                            goto err_nomsg;
-                        }
-                    }
-                    for (i=0; (newdns[i] != NULL); i++) {
-                        free(newdns[i]);
-                    }
-                    free(newdns);
-                } else {
-                    newdns = rparams->adminservers;
-                    for (i=0; (newdns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                                 LDAP_ADMIN_SERVICE, newdns[i],
-                                                                 rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            goto err_nomsg;
-                        }
-                    }
-                }
-            }
-
-            if (subtree_changed && (mask & LDAP_REALM_ADMINSERVERS)) {
-                char **newdns = rparams->adminservers;
-
-                rightsmask = 0;
-                rightsmask = LDAP_REALM_RIGHTS;
-                rightsmask |= LDAP_SUBTREE_RIGHTS;
-                if (oldadmindns != NULL) {
-                    for (i=0; (oldadmindns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_delete_service_rights(util_context,
-                                                                    LDAP_ADMIN_SERVICE, oldadmindns[i],
-                                                                    rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            goto err_nomsg;
-                        }
-                    }
-                }
-                for (i=0; (newdns[i] != NULL); i++) {
-                    if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                             LDAP_ADMIN_SERVICE, newdns[i],
-                                                             rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                        printf(_("failed\n"));
-                        com_err(progname, retval,
-                                _("while assigning rights '%s'"),
-                                rparams->realm_name);
-                        goto err_nomsg;
-                    }
-                }
-            }
-        }
-
-        if (subtree_changed || (mask & LDAP_REALM_PASSWDSERVERS)) {
-
-            if (!(mask & LDAP_REALM_PASSWDSERVERS)) {
-                if (rparams->passwdservers != NULL) {
-                    char **passwddns = rparams->passwdservers;
-                    /* Only subtree and/or container ref has changed */
-                    rightsmask = 0;
-                    /*  KPASSWDSERVERS have not changed. Realm rights need not be changed */;
-                    rightsmask |= LDAP_SUBTREE_RIGHTS;
-                    if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) {
-                        /* Remove the rights on the old subtrees */
-                        for (i=0; (passwddns[i] != NULL); i++) {
-                            if ((retval=krb5_ldap_delete_service_rights(util_context,
-                                                                        LDAP_PASSWD_SERVICE, passwddns[i],
-                                                                        rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
-                                printf(_("failed\n"));
-                                com_err(progname, retval,
-                                        _("while assigning rights '%s'"),
-                                        rparams->realm_name);
-                                goto err_nomsg;
-                            }
-                        }
-                    }
-                    for (i=0; (passwddns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                                 LDAP_PASSWD_SERVICE, passwddns[i],
-                                                                 rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            goto err_nomsg;
-                        }
-                    }
-                }
-            }
-
-            if (!subtree_changed) {
-                char **newdns = NULL;
-                /* Only passwd servers have changed */
-                rightsmask =0;
-                rightsmask = LDAP_REALM_RIGHTS;
-                rightsmask |= LDAP_SUBTREE_RIGHTS;
-                if (oldpwddns != NULL) {
-                    newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (newdns == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
-                        for (j=0;  rparams->passwdservers[j]!= NULL; j++) {
-                            newdns[j] = strdup(rparams->passwdservers[j]);
-                            if (newdns[j] == NULL) {
-                                FREE_DN_LIST(newdns);
-                                retval = ENOMEM;
-                                goto cleanup;
-                            }
-                        }
-                        newdns[j] = NULL;
-                    }
-
-                    disjoint_members(oldpwddns, newdns);
-
-                    for (i=0; (oldpwddns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_delete_service_rights(util_context,
-                                                                    LDAP_PASSWD_SERVICE, oldpwddns[i],
-                                                                    rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            FREE_DN_LIST(newdns);
-                            goto err_nomsg;
-                        }
-                    }
-                    for (i=0; (newdns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                                 LDAP_PASSWD_SERVICE, newdns[i],
-                                                                 rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            FREE_DN_LIST(newdns);
-                            goto err_nomsg;
-                        }
-                    }
-                    for (i=0; (newdns[i] != NULL); i++) {
-                        free(newdns[i]);
-                    }
-                    free(newdns);
-                } else {
-                    newdns = rparams->passwdservers;
-                    for (i=0; (newdns[i] != NULL); i++) {
-                        if ((retval=krb5_ldap_add_service_rights(util_context,
-                                                                 LDAP_PASSWD_SERVICE, newdns[i],
-                                                                 rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            goto err_nomsg;
-                        }
-                    }
-                }
-            }
-
-            if (subtree_changed && (mask & LDAP_REALM_PASSWDSERVERS)) {
-                char **newdns = rparams->passwdservers;
-
-                rightsmask =0;
-                rightsmask = LDAP_REALM_RIGHTS;
-                rightsmask |= LDAP_SUBTREE_RIGHTS;
-                if (oldpwddns != NULL) {
-                    for (i=0; (oldpwddns[i] != NULL); i++) {
-                        if ((retval = krb5_ldap_delete_service_rights(util_context,
-                                                                      LDAP_PASSWD_SERVICE, oldpwddns[i],
-                                                                      rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
-                            printf(_("failed\n"));
-                            com_err(progname, retval,
-                                    _("while assigning rights '%s'"),
-                                    rparams->realm_name);
-                            goto err_nomsg;
-                        }
-                    }
-                }
-                for (i=0; (newdns[i] != NULL); i++) {
-                    if ((retval = krb5_ldap_add_service_rights(util_context,
-                                                               LDAP_PASSWD_SERVICE, newdns[i],
-                                                               rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                        printf(_("failed\n"));
-                        com_err(progname, retval,
-                                _("while assigning rights '%s'"),
-                                rparams->realm_name);
-                        goto err_nomsg;
-                    }
-                }
-            }
-        }
-        printf(_("done\n"));
-    }
-#endif
-
     goto cleanup;
 
 err_usage:
@@ -1898,49 +926,6 @@ err_nomsg:
 cleanup:
     krb5_ldap_free_realm_params(rparams);
 
-
-#ifdef HAVE_EDIRECTORY
-    if (oldkdcdns) {
-        for (i=0; oldkdcdns[i] != NULL; i++)
-            free(oldkdcdns[i]);
-        free(oldkdcdns);
-    }
-    if (oldpwddns) {
-        for (i=0; oldpwddns[i] != NULL; i++)
-            free(oldpwddns[i]);
-        free(oldpwddns);
-    }
-    if (oldadmindns) {
-        for (i=0; oldadmindns[i] != NULL; i++)
-            free(oldadmindns[i]);
-        free(oldadmindns);
-    }
-    if (newkdcdns) {
-        for (i=0; newkdcdns[i] != NULL; i++)
-            free(newkdcdns[i]);
-        free(newkdcdns);
-    }
-    if (newpwddns) {
-        for (i=0; newpwddns[i] != NULL; i++)
-            free(newpwddns[i]);
-        free(newpwddns);
-    }
-    if (newadmindns) {
-        for (i=0; newadmindns[i] != NULL; i++)
-            free(newadmindns[i]);
-        free(newadmindns);
-    }
-    if (oldsubtrees) {
-        for (i=0;oldsubtrees[i]!=NULL; i++)
-            free(oldsubtrees[i]);
-        free(oldsubtrees);
-    }
-    if (newsubtrees) {
-        for (i=0;newsubtrees[i]!=NULL; i++)
-            free(newsubtrees[i]);
-        free(oldsubtrees);
-    }
-#endif
     if (print_usage) {
         db_usage(MODIFY_REALM);
     }
@@ -2566,10 +1551,6 @@ kdb5_ldap_destroy(int argc, char *argv[])
     int mask = 0;
     kdb5_dal_handle *dal_handle = NULL;
     krb5_ldap_context *ldap_context = NULL;
-#ifdef HAVE_EDIRECTORY
-    int i = 0, rightsmask = 0;
-    krb5_ldap_realm_params *rparams = NULL;
-#endif
 
     optind = 1;
     while ((optchar = getopt(argc, argv, "f")) != -1) {
@@ -2625,65 +1606,6 @@ kdb5_ldap_destroy(int argc, char *argv[])
         return;
     }
 
-#ifdef HAVE_EDIRECTORY
-    if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
-        (mask & LDAP_REALM_PASSWDSERVERS)) {
-
-        printf(_("Changing rights for the service object. Please wait ... "));
-        fflush(stdout);
-
-        rparams = ldap_context->lrparams;
-        rightsmask = 0;
-        rightsmask |= LDAP_REALM_RIGHTS;
-        rightsmask |= LDAP_SUBTREE_RIGHTS;
-        if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
-            for (i=0; (rparams->kdcservers[i] != NULL); i++) {
-                if ((retval = krb5_ldap_delete_service_rights(util_context,
-                                                              LDAP_KDC_SERVICE, rparams->kdcservers[i],
-                                                              rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                    printf(_("failed\n"));
-                    com_err(progname, retval,
-                            _("while assigning rights to '%s'"),
-                            rparams->realm_name);
-                    return;
-                }
-            }
-        }
-        rightsmask = 0;
-        rightsmask |= LDAP_REALM_RIGHTS;
-        rightsmask |= LDAP_SUBTREE_RIGHTS;
-        if ((rparams != NULL) && (rparams->adminservers != NULL)) {
-            for (i=0; (rparams->adminservers[i] != NULL); i++) {
-                if ((retval = krb5_ldap_delete_service_rights(util_context,
-                                                              LDAP_ADMIN_SERVICE, rparams->adminservers[i],
-                                                              rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                    printf(_("failed\n"));
-                    com_err(progname, retval,
-                            _("while assigning rights to '%s'"),
-                            rparams->realm_name);
-                    return;
-                }
-            }
-        }
-        rightsmask = 0;
-        rightsmask |= LDAP_REALM_RIGHTS;
-        rightsmask |= LDAP_SUBTREE_RIGHTS;
-        if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
-            for (i=0; (rparams->passwdservers[i] != NULL); i++) {
-                if ((retval = krb5_ldap_delete_service_rights(util_context,
-                                                              LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
-                                                              rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                    printf(_("failed\n"));
-                    com_err(progname, retval,
-                            _("while assigning rights to '%s'"),
-                            rparams->realm_name);
-                    return;
-                }
-            }
-        }
-        printf("done\n");
-    }
-#endif
     /* Delete the realm container and all the associated principals */
     retval = krb5_ldap_delete_realm(util_context, global_params.realm);
     if (retval) {
index 916a4bd577f0a10b772adc4bb1968dcd763b6013..05fac497651d5401acca089b474e1924106e1ada 100644 (file)
 #include "kdb5_ldap_util.h"
 #include "kdb5_ldap_list.h"
 
-#ifdef HAVE_EDIRECTORY
-
-static krb5_error_code
-convert_realm_name2dn_list(char **list, const char *krbcontainer_loc);
-
-static krb5_error_code
-rem_service_entry_from_file(int argc,
-                            char *argv[],
-                            char *file_name,
-                            char *service_object);
-
-static void
-print_service_params(krb5_ldap_service_params *lserparams, int mask);
-
-extern char *yes;
-extern krb5_boolean db_inited;
-
-static int
-process_host_list(char **host_list, int servicetype)
-{
-    krb5_error_code retval = 0;
-    char *pchr = NULL;
-    char host_str[MAX_LEN_LIST_ENTRY] = "", proto_str[PROTOCOL_STR_LEN + 1] = "", port_str[PORT_STR_LEN + 1] = "";
-    int j = 0;
-
-    /* Protocol and port number processing */
-    for (j = 0; host_list[j]; j++) {
-        /* Look for one hash */
-        if ((pchr = strchr(host_list[j], HOST_INFO_DELIMITER))) {
-            unsigned int hostname_len = pchr - host_list[j];
-
-            /* Check input for buffer overflow */
-            if (hostname_len >= MAX_LEN_LIST_ENTRY) {
-                retval = EINVAL;
-                goto cleanup;
-            }
-
-            /* First copy off the host name portion */
-            strncpy (host_str, host_list[j], hostname_len);
-
-            /* Parse for the protocol string and translate to number */
-            strncpy (proto_str, pchr + 1, PROTOCOL_STR_LEN);
-            if (!strcmp(proto_str, "udp"))
-                snprintf (proto_str, sizeof(proto_str), "%d",
-                          PROTOCOL_NUM_UDP);
-            else if (!strcmp(proto_str, "tcp"))
-                snprintf (proto_str, sizeof(proto_str), "%d",
-                          PROTOCOL_NUM_TCP);
-            else
-                proto_str[0] = '\0'; /* Make the string null if invalid */
-
-            /* Look for one more hash */
-            if ((pchr = strchr(pchr + 1, HOST_INFO_DELIMITER))) {
-                /* Parse for the port string and check if it is numeric */
-                strncpy (port_str, pchr + 1, PORT_STR_LEN);
-                if (!strtol(port_str, NULL, 10)) /* Not a valid number */
-                    port_str[0] = '\0';
-            } else
-                port_str[0] = '\0';
-        } else { /* We have only host name */
-            strncpy (host_str, host_list[j], MAX_LEN_LIST_ENTRY - 1);
-            proto_str[0] = '\0';
-            port_str[0] = '\0';
-        }
-
-        /* Now, based on service type, fill in suitable protocol
-           and port values if they are absent or not matching */
-        if (servicetype == LDAP_KDC_SERVICE) {
-            if (proto_str[0] == '\0')
-                snprintf (proto_str, sizeof(proto_str), "%d",
-                          PROTOCOL_DEFAULT_KDC);
-
-            if (port_str[0] == '\0')
-                snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_KDC);
-        } else if (servicetype == LDAP_ADMIN_SERVICE) {
-            if (proto_str[0] == '\0')
-                snprintf (proto_str, sizeof(proto_str), "%d",
-                          PROTOCOL_DEFAULT_ADM);
-            else if (strcmp(proto_str, "1")) {
-                snprintf (proto_str, sizeof(proto_str), "%d",
-                          PROTOCOL_DEFAULT_ADM);
-
-                /* Print warning message */
-                printf ("Admin Server supports only TCP protocol, hence setting that\n");
-            }
-
-            if (port_str[0] == '\0')
-                snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_ADM);
-        } else if (servicetype == LDAP_PASSWD_SERVICE) {
-            if (proto_str[0] == '\0')
-                snprintf (proto_str, sizeof(proto_str), "%d",
-                          PROTOCOL_DEFAULT_PWD);
-            else if (strcmp(proto_str, "0")) {
-                snprintf (proto_str, sizeof(proto_str), "%d",
-                          PROTOCOL_DEFAULT_PWD);
-
-                /* Print warning message */
-                printf ("Password Server supports only UDP protocol, hence setting that\n");
-            }
-
-            if (port_str[0] == '\0')
-                sprintf (port_str, "%d", PORT_DEFAULT_PWD);
-        }
-
-        /* Finally form back the string */
-        free (host_list[j]);
-        host_list[j] = (char*) malloc(sizeof(char) *
-                                      (strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1));
-        if (host_list[j] == NULL) {
-            retval = ENOMEM;
-            goto cleanup;
-        }
-        snprintf (host_list[j], strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1,
-                  "%s#%s#%s", host_str, proto_str, port_str);
-    }
-
-cleanup:
-    return retval;
-}
-
-
-/*
- * Given a realm name, this function will convert it to a DN by appending the
- * Kerberos container location.
- */
-static krb5_error_code
-convert_realm_name2dn_list(char **list, const char *krbcontainer_loc)
-{
-    krb5_error_code retval = 0;
-    char temp_str[MAX_DN_CHARS] = "\0";
-    char *temp_node = NULL;
-    int i = 0;
-
-    if (list == NULL) {
-        return EINVAL;
-    }
-
-    for (i = 0; (list[i] != NULL) && (i < MAX_LIST_ENTRIES); i++) {
-        /* Restrict copying to max. length to avoid buffer overflow */
-        snprintf (temp_str, MAX_DN_CHARS, "cn=%s,%s", list[i], krbcontainer_loc);
-
-        /* Make copy of string to temporary node */
-        temp_node = strdup(temp_str);
-        if (list[i] == NULL) {
-            retval = ENOMEM;
-            goto cleanup;
-        }
-
-        /* On success, free list node and attach new one */
-        free (list[i]);
-        list[i] = temp_node;
-        temp_node = NULL;
-    }
-
-cleanup:
-    return retval;
-}
-
-
-/*
- * This function will create a service object on the LDAP Server, with the
- * specified attributes.
- */
-void
-kdb5_ldap_create_service(int argc, char *argv[])
-{
-    char *me = progname;
-    krb5_error_code retval = 0;
-    krb5_ldap_service_params *srvparams = NULL;
-    krb5_boolean print_usage = FALSE;
-    krb5_boolean no_msg = FALSE;
-    int mask = 0;
-    char **extra_argv = NULL;
-    int extra_argc = 0;
-    int i = 0;
-    krb5_ldap_realm_params *rparams = NULL;
-    int rmask = 0;
-    int rightsmask =0;
-    char **temprdns = NULL;
-    char *realmName = NULL;
-    kdb5_dal_handle *dal_handle = NULL;
-    krb5_ldap_context *ldap_context=NULL;
-    krb5_boolean service_obj_created = FALSE;
-
-    /* Check for number of arguments */
-    if ((argc < 3) || (argc > 10)) {
-        exit_status++;
-        goto err_usage;
-    }
-
-    /* Allocate memory for service parameters structure */
-    srvparams = (krb5_ldap_service_params*) calloc(1, sizeof(krb5_ldap_service_params));
-    if (srvparams == NULL) {
-        retval = ENOMEM;
-        goto cleanup;
-    }
-
-    dal_handle = util_context->dal_handle;
-    ldap_context = (krb5_ldap_context *) dal_handle->db_context;
-
-    /* Allocate memory for extra arguments to be used for setting
-       password -- it's OK to allocate as much as the total number
-       of arguments */
-    extra_argv = (char **) calloc((unsigned int)argc, sizeof(char*));
-    if (extra_argv == NULL) {
-        retval = ENOMEM;
-        goto cleanup;
-    }
-
-    /* Set first of the extra arguments as the program name */
-    extra_argv[0] = me;
-    extra_argc++;
-
-    /* Read Kerberos container info, to construct realm DN from name
-     * and for assigning rights
-     */
-    if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
-                                                     &(ldap_context->krbcontainer)))) {
-        com_err(me, retval, "while reading Kerberos container information");
-        goto cleanup;
-    }
-
-    /* Parse all arguments */
-    for (i = 1; i < argc; i++) {
-        if (!strcmp(argv[i], "-kdc")) {
-            srvparams->servicetype = LDAP_KDC_SERVICE;
-        } else if (!strcmp(argv[i], "-admin")) {
-            srvparams->servicetype = LDAP_ADMIN_SERVICE;
-        } else if (!strcmp(argv[i], "-pwd")) {
-            srvparams->servicetype = LDAP_PASSWD_SERVICE;
-        } else if (!strcmp(argv[i], "-servicehost")) {
-            if (++i > argc - 1)
-                goto err_usage;
-
-            srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES,
-                                                        sizeof(char *));
-            if (srvparams->krbhostservers == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
-                                          srvparams->krbhostservers))) {
-                goto cleanup;
-            }
-
-            if ((retval = process_host_list (srvparams->krbhostservers,
-                                             srvparams->servicetype))) {
-                goto cleanup;
-            }
-
-            mask |= LDAP_SERVICE_HOSTSERVER;
-        } else if (!strcmp(argv[i], "-realm")) {
-            if (++i > argc - 1)
-                goto err_usage;
-
-            srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES,
-                                                            sizeof(char *));
-            if (srvparams->krbrealmreferences == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
-                                          srvparams->krbrealmreferences))) {
-                goto cleanup;
-            }
-
-            /* Convert realm names to realm DNs */
-            if ((retval = convert_realm_name2dn_list(
-                     srvparams->krbrealmreferences,
-                     ldap_context->krbcontainer->DN))) {
-                goto cleanup;
-            }
-
-            mask |= LDAP_SERVICE_REALMREFERENCE;
-        }
-        /* If argument is none of the above and beginning with '-',
-         * it must be related to password -- collect it
-         * to pass onto kdb5_ldap_set_service_password()
-         */
-        else if (*(argv[i]) == '-') {
-            /* Checking for options of setting the password for the
-             * service (by using 'setsrvpw') is not modular. --need to
-             * have a common function that can be shared with 'setsrvpw'
-             */
-            if (!strcmp(argv[i], "-randpw")) {
-                extra_argv[extra_argc] = argv[i];
-                extra_argc++;
-            } else if (!strcmp(argv[i], "-fileonly")) {
-                extra_argv[extra_argc] = argv[i];
-                extra_argc++;
-            }
-            /* For '-f' option alone, pick up the following argument too */
-            else if (!strcmp(argv[i], "-f")) {
-                extra_argv[extra_argc] = argv[i];
-                extra_argc++;
-
-                if (++i > argc - 1)
-                    goto err_usage;
-
-                extra_argv[extra_argc] = argv[i];
-                extra_argc++;
-            } else { /* Any other option is invalid */
-                exit_status++;
-                goto err_usage;
-            }
-        } else { /* Any other argument must be service DN */
-            /* First check if service DN is already provided --
-             * if so, there's a usage error
-             */
-            if (srvparams->servicedn != NULL) {
-                com_err(me, EINVAL, "while creating service object");
-                goto err_usage;
-            }
-
-            /* If not present already, fill up service DN */
-            srvparams->servicedn = strdup(argv[i]);
-            if (srvparams->servicedn == NULL) {
-                com_err(me, ENOMEM, "while creating service object");
-                goto err_nomsg;
-            }
-        }
-    }
-
-    /* No point in proceeding further if service DN value is not available */
-    if (srvparams->servicedn == NULL) {
-        com_err(me, EINVAL, "while creating service object");
-        goto err_usage;
-    }
-
-    if (srvparams->servicetype == 0) { /* Not provided and hence not set */
-        com_err(me, EINVAL, "while creating service object");
-        goto err_usage;
-    }
-
-    /* Create object with all attributes provided */
-    if ((retval = krb5_ldap_create_service(util_context, srvparams, mask)))
-        goto cleanup;
-
-    service_obj_created = TRUE;
-
-    /* ** NOTE ** srvparams structure should not be modified, as it is
-     * used for deletion of the service object in case of any failures
-     * from now on.
-     */
-
-    /* Set password too */
-    if (extra_argc >= 1) {
-        /* Set service DN as the last argument */
-        extra_argv[extra_argc] = strdup(srvparams->servicedn);
-        if (extra_argv[extra_argc] == NULL) {
-            retval = ENOMEM;
-            goto cleanup;
-        }
-        extra_argc++;
-
-        if ((retval = kdb5_ldap_set_service_password(extra_argc, extra_argv)) != 0) {
-            goto err_nomsg;
-        }
-    }
-    /* Rights assignment */
-    if (mask & LDAP_SERVICE_REALMREFERENCE) {
-
-        printf("%s","Changing rights for the service object. Please wait ... ");
-        fflush(stdout);
-
-        rightsmask =0;
-        rightsmask |= LDAP_REALM_RIGHTS;
-        rightsmask |= LDAP_SUBTREE_RIGHTS;
-
-        if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) {
-            for (i=0; (srvparams->krbrealmreferences[i] != NULL); i++) {
-
-                /* Get the realm name, not the dn */
-                temprdns = ldap_explode_dn(srvparams->krbrealmreferences[i], 1);
-
-                if (temprdns[0] == NULL) {
-                    retval = EINVAL;
-                    goto cleanup;
-                }
-
-                realmName = strdup(temprdns[0]);
-                if (realmName == NULL) {
-                    retval = ENOMEM;
-                    goto cleanup;
-                }
-
-                if ((retval = krb5_ldap_read_realm_params(util_context,
-                                                          realmName, &rparams, &rmask))) {
-                    com_err(me, retval, "while reading information of realm '%s'",
-                            realmName);
-                    goto cleanup;
-                }
-
-                if ((retval = krb5_ldap_add_service_rights(util_context,
-                                                           srvparams->servicetype, srvparams->servicedn,
-                                                           realmName, rparams->subtree, rparams->containerref, rightsmask))) {
-                    printf("failed\n");
-                    com_err(me, retval, "while assigning rights '%s'",
-                            srvparams->servicedn);
-                    goto cleanup;
-                }
-
-                if (rparams)
-                    krb5_ldap_free_realm_params(rparams);
-            }
-        }
-        printf("done\n");
-    }
-    goto cleanup;
-
-err_usage:
-    print_usage = TRUE;
-
-err_nomsg:
-    no_msg = TRUE;
-
-cleanup:
-
-    if ((retval != 0) && (service_obj_created == TRUE)) {
-        /* This is for deleting the service object if something goes
-         * wrong in creating the service object
-         */
-
-        /* srvparams is populated from the user input and should be correct as
-         * we were successful in creating a service object. Reusing the same
-         */
-        krb5_ldap_delete_service(util_context, srvparams, srvparams->servicedn);
-    }
-
-    /* Clean-up structure */
-    krb5_ldap_free_service (util_context, srvparams);
-
-    if (extra_argv) {
-        free (extra_argv);
-        extra_argv = NULL;
-    }
-    if (realmName) {
-        free(realmName);
-        realmName = NULL;
-    }
-    if (print_usage)
-        db_usage (CREATE_SERVICE);
-
-    if (retval) {
-        if (!no_msg)
-            com_err(me, retval, "while creating service object");
-
-        exit_status++;
-    }
-
-    return;
-}
-
-
-/*
- * This function will modify the attributes of a given service
- * object on the LDAP Server
- */
-void
-kdb5_ldap_modify_service(int argc, char *argv[])
-{
-    char *me = progname;
-    krb5_error_code retval = 0;
-    krb5_ldap_service_params *srvparams = NULL;
-    krb5_boolean print_usage = FALSE;
-    krb5_boolean no_msg = FALSE;
-    char *servicedn = NULL;
-    int i = 0;
-    int in_mask = 0, out_mask = 0;
-    int srvhost_flag = 0, realmdn_flag = 0;
-    char **list = NULL;
-    int existing_entries = 0, new_entries = 0;
-    char **temp_ptr = NULL;
-    krb5_ldap_realm_params *rparams = NULL;
-    int j = 0;
-    int rmask = 0;
-    int rightsmask =0;
-    char **oldrealmrefs = NULL;
-    char **newrealmrefs = NULL;
-    char **temprdns = NULL;
-    char *realmName = NULL;
-    kdb5_dal_handle *dal_handle = NULL;
-    krb5_ldap_context *ldap_context=NULL;
-
-    /* Check for number of arguments */
-    if ((argc < 3) || (argc > 10)) {
-        exit_status++;
-        goto err_usage;
-    }
-
-    dal_handle = util_context->dal_handle;
-    ldap_context = (krb5_ldap_context *) dal_handle->db_context;
-
-    /* Parse all arguments, only to pick up service DN (Pass 1) */
-    for (i = 1; i < argc; i++) {
-        /* Skip arguments next to 'servicehost'
-           and 'realmdn' arguments */
-        if (!strcmp(argv[i], "-servicehost")) {
-            ++i;
-        } else if (!strcmp(argv[i], "-clearservicehost")) {
-            ++i;
-        } else if (!strcmp(argv[i], "-addservicehost")) {
-            ++i;
-        } else if (!strcmp(argv[i], "-realm")) {
-            ++i;
-        } else if (!strcmp(argv[i], "-clearrealm")) {
-            ++i;
-        } else if (!strcmp(argv[i], "-addrealm")) {
-            ++i;
-        } else { /* Any other argument must be service DN */
-            /* First check if service DN is already provided --
-               if so, there's a usage error */
-            if (servicedn != NULL) {
-                com_err(me, EINVAL, "while modifying service object");
-                goto err_usage;
-            }
-
-            /* If not present already, fill up service DN */
-            servicedn = strdup(argv[i]);
-            if (servicedn == NULL) {
-                com_err(me, ENOMEM, "while modifying service object");
-                goto err_nomsg;
-            }
-        }
-    }
-
-    /* No point in proceeding further if service DN value is not available */
-    if (servicedn == NULL) {
-        com_err(me, EINVAL, "while modifying service object");
-        goto err_usage;
-    }
-
-    retval = krb5_ldap_read_service(util_context, servicedn, &srvparams, &in_mask);
-    if (retval) {
-        com_err(me, retval, "while reading information of service '%s'",
-                servicedn);
-        goto err_nomsg;
-    }
-
-    /* Read Kerberos container info, to construct realm DN from name
-     * and for assigning rights
-     */
-    if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
-                                                     &(ldap_context->krbcontainer)))) {
-        com_err(me, retval, "while reading Kerberos container information");
-        goto cleanup;
-    }
-
-    /* Parse all arguments, but skip the service DN (Pass 2) */
-    for (i = 1; i < argc; i++) {
-        if (!strcmp(argv[i], "-servicehost")) {
-            if (++i > argc - 1)
-                goto err_usage;
-
-            /* Free the old list if available */
-            if (srvparams->krbhostservers) {
-                krb5_free_list_entries (srvparams->krbhostservers);
-                free (srvparams->krbhostservers);
-            }
-
-            srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES,
-                                                        sizeof(char *));
-            if (srvparams->krbhostservers == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
-                                          srvparams->krbhostservers))) {
-                goto cleanup;
-            }
-
-            if ((retval = process_host_list (srvparams->krbhostservers,
-                                             srvparams->servicetype))) {
-                goto cleanup;
-            }
-
-            out_mask |= LDAP_SERVICE_HOSTSERVER;
-
-            /* Set flag to ignore 'add' and 'clear' */
-            srvhost_flag = 1;
-        } else if (!strcmp(argv[i], "-clearservicehost")) {
-            if (++i > argc - 1)
-                goto err_usage;
-
-            if (!srvhost_flag) {
-                /* If attribute doesn't exist, don't permit 'clear' option */
-                if ((in_mask & LDAP_SERVICE_HOSTSERVER) == 0) {
-                    /* Send out some proper error message here */
-                    com_err(me, EINVAL, "service host list is empty\n");
-                    goto err_nomsg;
-                }
-
-                /* Allocate list for processing */
-                list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                if (list == NULL) {
-                    retval = ENOMEM;
-                    goto cleanup;
-                }
-
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
-                    goto cleanup;
-
-                if ((retval = process_host_list (list, srvparams->servicetype))) {
-                    goto cleanup;
-                }
-
-                list_modify_str_array(&(srvparams->krbhostservers),
-                                      (const char**)list, LIST_MODE_DELETE);
-
-                out_mask |= LDAP_SERVICE_HOSTSERVER;
-
-                /* Clean up */
-                free (list);
-                list = NULL;
-            }
-        } else if (!strcmp(argv[i], "-addservicehost")) {
-            if (++i > argc - 1)
-                goto err_usage;
-
-            if (!srvhost_flag) {
-                /* Allocate list for processing */
-                list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                if (list == NULL) {
-                    retval = ENOMEM;
-                    goto cleanup;
-                }
-
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
-                    goto cleanup;
-
-                if ((retval = process_host_list (list, srvparams->servicetype))) {
-                    goto cleanup;
-                }
-
-                /* Call list_modify_str_array() only if host server attribute
-                 * exists already --Actually, it's better to handle this
-                 * within list_modify_str_array()
-                 */
-                if (in_mask & LDAP_SERVICE_HOSTSERVER) {
-                    /* Re-size existing list */
-                    existing_entries = list_count_str_array(srvparams->krbhostservers);
-                    new_entries = list_count_str_array(list);
-                    temp_ptr = (char **) realloc(srvparams->krbhostservers,
-                                                 sizeof(char *) * (existing_entries + new_entries + 1));
-                    if (temp_ptr == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-                    srvparams->krbhostservers = temp_ptr;
-
-                    list_modify_str_array(&(srvparams->krbhostservers),
-                                          (const char**)list, LIST_MODE_ADD);
-
-                    /* Clean up */
-                    free (list);
-                    list = NULL;
-                } else
-                    srvparams->krbhostservers = list;
-
-                out_mask |= LDAP_SERVICE_HOSTSERVER;
-            }
-        } else if (!strcmp(argv[i], "-realm")) {
-            if (++i > argc - 1)
-                goto err_usage;
-
-            if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences)) {
-                if (!oldrealmrefs) {
-                    /* Store the old realm list for removing rights */
-                    oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (oldrealmrefs == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
-                        oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
-                        if (oldrealmrefs[j] == NULL) {
-                            retval = ENOMEM;
-                            goto cleanup;
-                        }
-                    }
-                    oldrealmrefs[j] = NULL;
-                }
-
-                /* Free the old list if available */
-                krb5_free_list_entries (srvparams->krbrealmreferences);
-                free (srvparams->krbrealmreferences);
-            }
-
-            srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES,
-                                                            sizeof(char *));
-            if (srvparams->krbrealmreferences == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
-
-            if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
-                                          srvparams->krbrealmreferences))) {
-                goto cleanup;
-            }
-
-            /* Convert realm names to realm DNs */
-            if ((retval = convert_realm_name2dn_list(
-                     srvparams->krbrealmreferences,
-                     ldap_context->krbcontainer->DN))) {
-                goto cleanup;
-            }
-
-            out_mask |= LDAP_SERVICE_REALMREFERENCE;
-
-            /* Set flag to ignore 'add' and 'clear' */
-            realmdn_flag = 1;
-        } else if (!strcmp(argv[i], "-clearrealm")) {
-            if (++i > argc - 1)
-                goto err_usage;
-
-            if (!realmdn_flag) {
-                /* If attribute doesn't exist, don't permit 'clear' option */
-                if (((in_mask & LDAP_SERVICE_REALMREFERENCE) == 0) || (srvparams->krbrealmreferences == NULL)) {
-                    /* Send out some proper error message here */
-                    goto err_nomsg;
-                }
-
-                if (!oldrealmrefs) {
-                    /* Store the old realm list for removing rights */
-                    oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (oldrealmrefs == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
-                        oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
-                        if (oldrealmrefs[j] == NULL) {
-                            retval = ENOMEM;
-                            goto cleanup;
-                        }
-                    }
-                    oldrealmrefs[j] = NULL;
-                }
-
-                /* Allocate list for processing */
-                list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                if (list == NULL) {
-                    retval = ENOMEM;
-                    goto cleanup;
-                }
-
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
-                    goto cleanup;
-
-                /* Convert realm names to realm DNs */
-                if ((retval = convert_realm_name2dn_list(list,
-                                                         ldap_context->krbcontainer->DN))) {
-                    goto cleanup;
-                }
-
-                list_modify_str_array(&(srvparams->krbrealmreferences),
-                                      (const char**)list, LIST_MODE_DELETE);
-
-                out_mask |= LDAP_SERVICE_REALMREFERENCE;
-
-                /* Clean up */
-                free (list);
-                list = NULL;
-            }
-        } else if (!strcmp(argv[i], "-addrealm")) {
-            if (++i > argc - 1)
-                goto err_usage;
-
-            if (!realmdn_flag) {
-                /* Allocate list for processing */
-                list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                if (list == NULL) {
-                    retval = ENOMEM;
-                    goto cleanup;
-                }
-
-                if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
-                    goto cleanup;
-
-                /* Convert realm names to realm DNs */
-                if ((retval = convert_realm_name2dn_list(list,
-                                                         ldap_context->krbcontainer->DN))) {
-                    goto cleanup;
-                }
-
-                if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences) && (!oldrealmrefs)) {
-                    /* Store the old realm list for removing rights */
-                    oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-                    if (oldrealmrefs == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-
-                    for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
-                        oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
-                        if (oldrealmrefs[j] == NULL) {
-                            retval = ENOMEM;
-                            goto cleanup;
-                        }
-                    }
-                    oldrealmrefs[j] = NULL;
-                }
-
-                /* Call list_modify_str_array() only if realm DN attribute
-                 * exists already -- Actually, it's better to handle this
-                 * within list_modify_str_array() */
-                if (in_mask & LDAP_SERVICE_REALMREFERENCE) {
-                    /* Re-size existing list */
-                    existing_entries = list_count_str_array(
-                        srvparams->krbrealmreferences);
-                    new_entries = list_count_str_array(list);
-                    temp_ptr = (char **) realloc(srvparams->krbrealmreferences,
-                                                 sizeof(char *) * (existing_entries + new_entries + 1));
-                    if (temp_ptr == NULL) {
-                        retval = ENOMEM;
-                        goto cleanup;
-                    }
-                    srvparams->krbrealmreferences = temp_ptr;
-
-                    list_modify_str_array(&(srvparams->krbrealmreferences),
-                                          (const char**)list, LIST_MODE_ADD);
-
-                    /* Clean up */
-                    free (list);
-                    list = NULL;
-                } else
-                    srvparams->krbrealmreferences = list;
-
-                out_mask |= LDAP_SERVICE_REALMREFERENCE;
-            }
-        } else {
-            /* Any other argument must be service DN
-               -- skip it */
-        }
-    }
-
-    /* Modify attributes of object */
-    if ((retval = krb5_ldap_modify_service(util_context, srvparams, out_mask)))
-        goto cleanup;
-
-    /* Service rights modification code */
-    if (out_mask & LDAP_SERVICE_REALMREFERENCE) {
-
-        printf("%s","Changing rights for the service object. Please wait ... ");
-        fflush(stdout);
-
-        newrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
-        if (newrealmrefs == NULL) {
-            retval = ENOMEM;
-            goto cleanup;
-        }
-
-        if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) {
-            for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
-                newrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
-                if (newrealmrefs[j] == NULL) {
-                    retval = ENOMEM;
-                    goto cleanup;
-                }
-            }
-            newrealmrefs[j] = NULL;
-        }
-        disjoint_members(oldrealmrefs, newrealmrefs);
-
-        /* Delete the rights for the given service, on each of the realm
-         * container & subtree in the old realm reference list.
-         */
-        if (oldrealmrefs) {
-            rightsmask = 0;
-            rightsmask |= LDAP_REALM_RIGHTS;
-            rightsmask |= LDAP_SUBTREE_RIGHTS;
-
-            for (i = 0; (oldrealmrefs[i] != NULL); i++) {
-                /* Get the realm name, not the dn */
-                temprdns = ldap_explode_dn(oldrealmrefs[i], 1);
-
-                if (temprdns[0] == NULL) {
-                    retval = EINVAL;
-                    goto cleanup;
-                }
-
-                realmName = strdup(temprdns[0]);
-                if (realmName == NULL) {
-                    retval = ENOMEM;
-                    goto cleanup;
-                }
-
-                if ((retval = krb5_ldap_read_realm_params(util_context,
-                                                          realmName, &rparams, &rmask))) {
-                    com_err(me, retval, "while reading information of realm '%s'",
-                            realmName);
-                    goto err_nomsg;
-                }
-
-                if ((retval = krb5_ldap_delete_service_rights(util_context,
-                                                              srvparams->servicetype, srvparams->servicedn,
-                                                              realmName, rparams->subtree, rparams->containerref, rightsmask))) {
-                    printf("failed\n");
-                    com_err(me, retval, "while assigning rights '%s'",
-                            srvparams->servicedn);
-                    goto err_nomsg;
-                }
-
-                if (rparams)
-                    krb5_ldap_free_realm_params(rparams);
-            }
-        }
-
-        /* Add the rights for the given service, on each of the realm
-         * container & subtree in the new realm reference list.
-         */
-        if (newrealmrefs) {
-            rightsmask = 0;
-            rightsmask |= LDAP_REALM_RIGHTS;
-            rightsmask |= LDAP_SUBTREE_RIGHTS;
-
-            for (i = 0; (newrealmrefs[i] != NULL); i++) {
-                /* Get the realm name, not the dn */
-                temprdns = ldap_explode_dn(newrealmrefs[i], 1);
-
-                if (temprdns[0] == NULL) {
-                    retval = EINVAL;
-                    goto cleanup;
-                }
-
-                realmName = strdup(temprdns[0]);
-                if (realmName == NULL) {
-                    retval = ENOMEM;
-                    goto cleanup;
-                }
-
-                if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
-                                                                 &(ldap_context->krbcontainer)))) {
-                    com_err(me, retval,
-                            "while reading Kerberos container information");
-                    goto cleanup;
-                }
-
-                if ((retval = krb5_ldap_read_realm_params(util_context,
-                                                          realmName, &rparams, &rmask))) {
-                    com_err(me, retval, "while reading information of realm '%s'",
-                            realmName);
-                    goto err_nomsg;
-                }
-
-                if ((retval = krb5_ldap_add_service_rights(util_context,
-                                                           srvparams->servicetype, srvparams->servicedn,
-                                                           realmName, rparams->subtree, rparams->containerref, rightsmask))) {
-                    printf("failed\n");
-                    com_err(me, retval, "while assigning rights '%s'",
-                            srvparams->servicedn);
-                    goto err_nomsg;
-                }
-
-                if (rparams) {
-                    krb5_ldap_free_realm_params(rparams);
-                    rparams = NULL;
-                }
-            }
-            printf("done\n");
-        }
-    }
-    goto cleanup;
-
-err_usage:
-    print_usage = TRUE;
-
-err_nomsg:
-    no_msg = TRUE;
-
-cleanup:
-    /* Clean-up structure */
-    krb5_ldap_free_service(util_context, srvparams);
-
-    if (servicedn)
-        free(servicedn);
-
-    if (list) {
-        free(list);
-        list = NULL;
-    }
-
-    if (oldrealmrefs) {
-        for (i = 0; oldrealmrefs[i] != NULL; i++)
-            free(oldrealmrefs[i]);
-        free(oldrealmrefs);
-    }
-
-    if (newrealmrefs) {
-        for (i = 0; newrealmrefs[i] != NULL; i++)
-            free(newrealmrefs[i]);
-        free(newrealmrefs);
-    }
-    if (realmName) {
-        free(realmName);
-        realmName = NULL;
-    }
-
-    if (print_usage)
-        db_usage(MODIFY_SERVICE);
-
-    if (retval) {
-        if (!no_msg)
-            com_err(me, retval, "while modifying service object");
-        exit_status++;
-    }
-
-    return;
-}
-
-
-/*
- * This function will delete the entry corresponding to the service object
- * from the service password file.
- */
-static krb5_error_code
-rem_service_entry_from_file(int argc, char *argv[], char *file_name,
-                            char *service_object)
-{
-    int     st        = EINVAL;
-    char    *me       = progname;
-    char    *tmp_file = NULL;
-    int     tmpfd     = -1;
-    FILE    *pfile    = NULL;
-    unsigned int len  = 0;
-    char    line[MAX_LEN]={0};
-    mode_t  omask     = umask(077);
-
-    /* Check for permissions on the password file */
-    if (access(file_name, W_OK) == -1) {
-        /* If the specified file itself is not there, no need to show error */
-        if (errno == ENOENT) {
-            st=0;
-            goto cleanup;
-        } else {
-            com_err(me, errno, "while deleting entry from file %s", file_name);
-            goto cleanup;
-        }
-    }
-
-    /* Create a temporary file which contains all the entries except the
-       entry for the given service dn */
-    pfile = fopen(file_name, "r+");
-    if (pfile == NULL) {
-        com_err(me, errno, "while deleting entry from file %s", file_name);
-        goto cleanup;
-    }
-    set_cloexec_file(pfile);
-
-    /* Create a new file with the extension .tmp */
-    tmp_file = (char *)malloc(strlen(file_name) + 4 + 1);
-    if (tmp_file == NULL) {
-        com_err(me, ENOMEM, "while deleting entry from file");
-        fclose(pfile);
-        goto cleanup;
-    }
-    snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
-
-
-    tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR);
-    umask(omask);
-    if (tmpfd == -1) {
-        com_err(me, errno, "while deleting entry from file\n");
-        fclose(pfile);
-        goto cleanup;
-    }
-
-    /* Copy only those lines which donot have the specified service dn */
-    while (fgets(line, MAX_LEN, pfile) != NULL) {
-        if ((strstr(line, service_object) != NULL) &&
-            (line[strlen(service_object)] == '#')) {
-            continue;
-        } else {
-            len = strlen(line);
-            if (write(tmpfd, line, len) != len) {
-                com_err(me, errno, "while deleting entry from file\n");
-                close(tmpfd);
-                unlink(tmp_file);
-                fclose(pfile);
-                goto cleanup;
-            }
-        }
-    }
-
-    fclose(pfile);
-    if (unlink(file_name) == 0) {
-        link(tmp_file, file_name);
-    } else {
-        com_err(me, errno, "while deleting entry from file\n");
-    }
-    unlink(tmp_file);
-
-    st=0;
-
-cleanup:
-
-    if (tmp_file)
-        free(tmp_file);
-
-    return st;
-}
-
-
-/*
- * This function will delete the service object from the LDAP Server
- * and unlink the references to the Realm objects (if any)
- */
-void
-kdb5_ldap_destroy_service(int argc, char *argv[])
-{
-    int i = 0;
-    char buf[5] = {0};
-    krb5_error_code retval = EINVAL;
-    int force = 0;
-    char *servicedn = NULL;
-    char *stashfilename = NULL;
-    int mask = 0;
-    krb5_ldap_service_params *lserparams = NULL;
-    krb5_boolean print_usage = FALSE;
-
-    if ((argc < 2) || (argc > 5)) {
-        exit_status++;
-        goto err_usage;
-    }
-
-    for (i=1; i < argc; i++) {
-
-        if (strcmp(argv[i],"-force")==0) {
-            force++;
-        } else if (strcmp(argv[i],"-f")==0) {
-            if (argv[i+1]) {
-                stashfilename=strdup(argv[i+1]);
-                if (stashfilename == NULL) {
-                    com_err(progname, ENOMEM, "while destroying service");
-                    exit_status++;
-                    goto cleanup;
-                }
-                i++;
-            } else {
-                exit_status++;
-                goto err_usage;
-            }
-        } else {
-            if ((argv[i]) && (servicedn == NULL)) {
-                servicedn=strdup(argv[i]);
-                if (servicedn == NULL) {
-                    com_err(progname, ENOMEM, "while destroying service");
-                    exit_status++;
-                    goto cleanup;
-                }
-            } else {
-                exit_status++;
-                goto err_usage;
-            }
-        }
-    }
-
-    if (!servicedn) {
-        exit_status++;
-        goto err_usage;
-    }
-
-    if (!force) {
-        printf("This will delete the service object '%s', are you sure?\n", servicedn);
-        printf("(type 'yes' to confirm)? ");
-        if (fgets(buf, sizeof(buf), stdin) == NULL) {
-            exit_status++;
-            goto cleanup;;
-        }
-        if (strcmp(buf, yes)) {
-            exit_status++;
-            goto cleanup;
-        }
-    }
-
-    if ((retval = krb5_ldap_read_service(util_context, servicedn,
-                                         &lserparams, &mask))) {
-        com_err(progname, retval, "while destroying service '%s'",servicedn);
-        exit_status++;
-        goto cleanup;
-    }
-
-    retval = krb5_ldap_delete_service(util_context, lserparams, servicedn);
-
-    if (retval) {
-        com_err(progname, retval, "while destroying service '%s'", servicedn);
-        exit_status++;
-        goto cleanup;
-    }
-
-    if (stashfilename == NULL) {
-        stashfilename = strdup(DEF_SERVICE_PASSWD_FILE);
-        if (stashfilename == NULL) {
-            com_err(progname, ENOMEM, "while destroying service");
-            exit_status++;
-            goto cleanup;
-        }
-    }
-    printf("** service object '%s' deleted.\n", servicedn);
-    retval = rem_service_entry_from_file(argc, argv, stashfilename, servicedn);
-
-    if (retval)
-        printf("** error removing service object entry '%s' from password file.\n",
-               servicedn);
-
-    goto cleanup;
-
-
-err_usage:
-    print_usage = TRUE;
-
-cleanup:
-
-    if (lserparams) {
-        krb5_ldap_free_service(util_context, lserparams);
-    }
-
-    if (servicedn) {
-        free(servicedn);
-    }
-
-    if (stashfilename) {
-        free(stashfilename);
-    }
-
-    if (print_usage) {
-        db_usage(DESTROY_SERVICE);
-    }
-
-    return;
-}
-
-
-/*
- * This function will display information about the given service object
- */
-void
-kdb5_ldap_view_service(int argc, char *argv[])
-{
-    krb5_ldap_service_params *lserparams = NULL;
-    krb5_error_code retval = 0;
-    char *servicedn = NULL;
-    int mask = 0;
-    krb5_boolean print_usage = FALSE;
-
-    if (!(argc == 2)) {
-        exit_status++;
-        goto err_usage;
-    }
-
-    servicedn=strdup(argv[1]);
-    if (servicedn == NULL) {
-        com_err(progname, ENOMEM, "while viewing service");
-        exit_status++;
-        goto cleanup;
-    }
-
-    if ((retval = krb5_ldap_read_service(util_context, servicedn, &lserparams, &mask))) {
-        com_err(progname, retval, "while viewing service '%s'",servicedn);
-        exit_status++;
-        goto cleanup;
-    }
-
-    print_service_params(lserparams, mask);
-
-    goto cleanup;
-
-err_usage:
-    print_usage = TRUE;
-
-cleanup:
-
-    if (lserparams) {
-        krb5_ldap_free_service(util_context, lserparams);
-    }
-
-    if (servicedn)
-        free(servicedn);
-
-    if (print_usage) {
-        db_usage(VIEW_SERVICE);
-    }
-
-    return;
-}
-
-
-/*
- * This function will list the DNs of kerberos services present on
- * the LDAP Server under a specific sub-tree (entire tree by default)
- */
-void
-kdb5_ldap_list_services(int argc, char *argv[])
-{
-    char *me = progname;
-    krb5_error_code retval = 0;
-    char *basedn = NULL;
-    char **list = NULL;
-    char **plist = NULL;
-    krb5_boolean print_usage = FALSE;
-
-    /* Check for number of arguments */
-    if ((argc != 1) && (argc != 3)) {
-        exit_status++;
-        goto err_usage;
-    }
-
-    /* Parse base DN argument if present */
-    if (argc == 3) {
-        if (strcmp(argv[1], "-basedn")) {
-            retval = EINVAL;
-            goto err_usage;
-        }
-
-        basedn = strdup(argv[2]);
-        if (basedn == NULL) {
-            com_err(me, ENOMEM, "while listing services");
-            exit_status++;
-            goto cleanup;
-        }
-    }
-
-    retval = krb5_ldap_list_services(util_context, basedn, &list);
-    if ((retval != 0) || (list == NULL)) {
-        exit_status++;
-        goto cleanup;
-    }
-
-    for (plist = list; *plist != NULL; plist++) {
-        printf("%s\n", *plist);
-    }
-
-    goto cleanup;
-
-err_usage:
-    print_usage = TRUE;
-
-cleanup:
-    if (list != NULL) {
-        krb5_free_list_entries (list);
-        free (list);
-    }
-
-    if (basedn)
-        free (basedn);
-
-    if (print_usage) {
-        db_usage(LIST_SERVICE);
-    }
-
-    if (retval) {
-        com_err(me, retval, "while listing policy objects");
-        exit_status++;
-    }
-
-    return;
-}
-
-
-/*
- * This function will print the service object information
- * to the standard output
- */
-static void
-print_service_params(krb5_ldap_service_params *lserparams, int mask)
-{
-    int            i=0;
-
-    /* Print the service dn */
-    printf("%20s%-20s\n","Service dn: ",lserparams->servicedn);
-
-    /* Print the service type of the object to be read */
-    if (lserparams->servicetype == LDAP_KDC_SERVICE) {
-        printf("%20s%-20s\n","Service type: ","kdc");
-    } else if (lserparams->servicetype == LDAP_ADMIN_SERVICE) {
-        printf("%20s%-20s\n","Service type: ","admin");
-    } else if (lserparams->servicetype == LDAP_PASSWD_SERVICE) {
-        printf("%20s%-20s\n","Service type: ","pwd");
-    }
-
-    /* Print the host server values */
-    printf("%20s\n","Service host list: ");
-    if (mask & LDAP_SERVICE_HOSTSERVER) {
-        for (i=0; lserparams->krbhostservers[i] != NULL; ++i) {
-            printf("%20s%-50s\n","",lserparams->krbhostservers[i]);
-        }
-    }
-
-    /* Print the realm reference dn values */
-    printf("%20s\n","Realm DN list: ");
-    if (mask & LDAP_SERVICE_REALMREFERENCE) {
-        for (i=0; lserparams && lserparams->krbrealmreferences && lserparams->krbrealmreferences[i] != NULL; ++i) {
-            printf("%20s%-50s\n","",lserparams->krbrealmreferences[i]);
-        }
-    }
-
-    return;
-}
-
-
-/*
- * This function will generate random  password of length(RANDOM_PASSWD_LEN)
- *
- *
- * INPUT:
- *      ctxt - context
- *
- * OUTPUT:
- *     RANDOM_PASSWD_LEN length random password
- */
-static int
-generate_random_password(krb5_context ctxt, char **randpwd,
-                         unsigned int *passlen)
-{
-    char *random_pwd = NULL;
-    int ret = 0;
-    krb5_data data;
-    int i=0;
-    /*int len = 0;*/
-
-    /* setting random password length in the range 16-32 */
-    srand((unsigned int)(time(0) ^ getpid()));
-
-    data.length = RANDOM_PASSWD_LEN;
-    random_pwd = (char *)malloc(data.length + 1);
-    if (random_pwd == NULL) {
-        com_err("setsrvpw", ENOMEM, "while generating random password");
-        return ENOMEM;
-    }
-    memset(random_pwd, 0, data.length + 1);
-    data.data = random_pwd;
-
-    ret = krb5_c_random_make_octets(ctxt, &data);
-    if (ret) {
-        com_err("setsrvpw", ret, "Error generating random password");
-        free(random_pwd);
-        return ret;
-    }
-
-    for (i=0; i<data.length; i++) {
-        /* restricting to ascii chars. Need to change this when 8.8 supports */
-        if ((unsigned char)random_pwd[i] > 127) {
-            random_pwd[i] = (unsigned char)random_pwd[i] % 128;
-        } else if (random_pwd[i] == 0) {
-            random_pwd[i] = (rand()/(RAND_MAX/127 + 1))+1;
-        }
-    }
-
-    *randpwd = random_pwd;
-    *passlen = data.length;
-
-    return 0;
-}
-
-
-/*
- * This function will set the password of the service object in the directory
- * and/or the specified service password file.
- *
- *
- * INPUT:
- *      argc - contains the number of arguments for this sub-command
- *      argv - array of arguments for this sub-command
- *
- * OUTPUT:
- *      void
- */
-int
-kdb5_ldap_set_service_password(int argc, char **argv)
-{
-    krb5_ldap_context *lparams = NULL;
-    char *file_name = NULL;
-    char *tmp_file = NULL;
-    char *me = progname;
-    int filelen = 0;
-    int random_passwd = 0;
-    int set_dir_pwd = 1;
-    krb5_boolean db_init_local = FALSE;
-    char *service_object = NULL;
-    char *passwd = NULL;
-    char *prompt1 = NULL;
-    char *prompt2 = NULL;
-    unsigned int passwd_len = 0;
-    krb5_error_code errcode = -1;
-    int retval = 0, i = 0;
-    krb5_boolean print_usage = FALSE;
-    FILE *pfile = NULL;
-    char *str = NULL;
-    char line[MAX_LEN];
-    kdb5_dal_handle *dal_handle = NULL;
-    struct data encrypted_passwd = {0, NULL};
-
-    /* The arguments for setsrv password should contain the service object DN
-     * and options to specify whether the password should be updated in file only
-     * or both file and directory. So the possible combination of arguments are:
-     * setsrvpw servicedn                               wherein argc is 2
-     * setsrvpw -fileonly servicedn                     wherein argc is 3
-     * setsrvpw -randpw servicedn                       wherein argc is 3
-     * setsrvpw -f filename servicedn                   wherein argc is 4
-     * setsrvpw -fileonly -f filename servicedn         wherein argc is 5
-     * setsrvpw -randpw -f filename servicedn           wherein argc is 5
-     */
-    if ((argc < 2) || (argc > 5)) {
-        print_usage = TRUE;
-        goto cleanup;
-    }
-
-    dal_handle = util_context->dal_handle;
-    lparams = (krb5_ldap_context *) dal_handle->db_context;
-
-    if (lparams == NULL) {
-        printf("%s: Invalid LDAP handle\n", me);
-        goto cleanup;
-    }
-
-    /* Parse the arguments */
-    for (i = 1; i < argc -1 ; i++) {
-        if (strcmp(argv[i], "-randpw") == 0) {
-            random_passwd = 1;
-        } else if (strcmp(argv[i], "-fileonly") == 0) {
-            set_dir_pwd = 0;
-        } else if (strcmp(argv[i], "-f") == 0) {
-            if (argv[++i] == NULL) {
-                print_usage = TRUE;
-                goto cleanup;
-            }
-
-            file_name = strdup(argv[i]);
-            if (file_name == NULL) {
-                com_err(me, ENOMEM, "while setting service object password");
-                goto cleanup;
-            }
-            /* Verify if the file location has the proper file name
-             * for eg, if the file location is a directory like /home/temp/,
-             * we reject it.
-             */
-            filelen = strlen(file_name);
-            if ((filelen == 0) || (file_name[filelen-1] == '/')) {
-                printf("%s: Filename not specified for setting service object password\n", me);
-                print_usage = TRUE;
-                goto cleanup;
-            }
-        } else {
-            printf("%s: Invalid option specified for \"setsrvpw\" command\n", me);
-            print_usage = TRUE;
-            goto cleanup;
-        }
-    }
-
-    if (i != argc-1) {
-        print_usage = TRUE;
-        goto cleanup;
-    }
-
-    service_object = strdup(argv[i]);
-    if (service_object == NULL) {
-        com_err(me, ENOMEM, "while setting service object password");
-        goto cleanup;
-    }
-
-    if (strlen(service_object) == 0) {
-        printf("%s: Service object not specified for \"setsrvpw\" command\n", me);
-        print_usage = TRUE;
-        goto cleanup;
-    }
-
-    if (service_object[0] == '-') {
-        print_usage = TRUE;
-        goto cleanup;
-    }
-
-    if (file_name == NULL) {
-        file_name = strdup(DEF_SERVICE_PASSWD_FILE);
-        if (file_name == NULL) {
-            com_err(me, ENOMEM, "while setting service object password");
-            goto cleanup;
-        }
-    }
-
-    if (set_dir_pwd) {
-        if (db_inited == FALSE) {
-            if ((errcode = krb5_ldap_db_init(util_context, lparams))) {
-                com_err(me, errcode, "while initializing database");
-                goto cleanup;
-            }
-            db_init_local = TRUE;
-        }
-    }
-
-    if (random_passwd) {
-        if (!set_dir_pwd) {
-            printf("%s: Invalid option specified for \"setsrvpw\" command\n", me);
-            print_usage = TRUE;
-            goto cleanup;
-        } else {
-            /* Generate random password */
-
-            if ((errcode = generate_random_password(util_context, &passwd, &passwd_len))) {
-                printf("%s: Failed to set service object password\n", me);
-                goto cleanup;
-            }
-            passwd_len = strlen(passwd);
-        }
-    } else {
-        /* Get the service object password from the terminal */
-        passwd = (char *)malloc(MAX_SERVICE_PASSWD_LEN + 1);
-        if (passwd == NULL) {
-            com_err(me, ENOMEM, "while setting service object password");
-            goto cleanup;
-        }
-        memset(passwd, 0, MAX_SERVICE_PASSWD_LEN + 1);
-        passwd_len = MAX_SERVICE_PASSWD_LEN;
-
-        if (asprintf(&prompt1, "Password for \"%s\"", service_object) < 0) {
-            com_err(me, ENOMEM, "while setting service object password");
-            goto cleanup;
-        }
-
-        if (asprintf(&prompt2, "Re-enter password for \"%s\"",
-                     service_object) < 0) {
-            com_err(me, ENOMEM, "while setting service object password");
-            free(prompt1);
-            goto cleanup;
-        }
-
-        retval = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len);
-        free(prompt1);
-        free(prompt2);
-        if (retval) {
-            com_err(me, retval, "while setting service object password");
-            memset(passwd, 0, MAX_SERVICE_PASSWD_LEN);
-            goto cleanup;
-        }
-        if (passwd_len == 0) {
-            printf("%s: Invalid password\n", me);
-            memset(passwd, 0, MAX_SERVICE_PASSWD_LEN);
-            goto cleanup;
-        }
-        passwd_len = strlen(passwd);
-    }
-
-    /* Hex the password */
-    {
-        krb5_data pwd, hex;
-        pwd.length = passwd_len;
-        pwd.data = passwd;
-
-        errcode = tohex(pwd, &hex);
-        if (errcode != 0) {
-            if (hex.length != 0) {
-                memset(hex.data, 0, hex.length);
-                free(hex.data);
-            }
-            com_err(me, errcode, "Failed to convert the password to hex");
-            memset(passwd, 0, passwd_len);
-            goto cleanup;
-        }
-        /* Password = {HEX}<encrypted password>:<encrypted key> */
-        if (asprintf(&str, "%s#{HEX}%s\n", service_object, hex.data) < 0) {
-            com_err(me, ENOMEM, "while setting service object password");
-            memset(passwd, 0, passwd_len);
-            memset(hex.data, 0, hex.length);
-            free(hex.data);
-            goto cleanup;
-        }
-        encrypted_passwd.value = (unsigned char *)str;
-        encrypted_passwd.len = strlen(str);
-        memset(hex.data, 0, hex.length);
-        free(hex.data);
-    }
-
-    /* We should check if the file exists and we have permission to write into that file */
-    if (access(file_name, W_OK) == -1) {
-        if (errno == ENOENT) {
-            mode_t omask;
-            int fd = -1;
-
-            printf("File does not exist. Creating the file %s...\n", file_name);
-            omask = umask(077);
-            fd = creat(file_name, S_IRUSR|S_IWUSR);
-            umask(omask);
-            if (fd == -1) {
-                com_err(me, errno, "Error creating file %s", file_name);
-                memset(passwd, 0, passwd_len);
-                goto cleanup;
-            }
-            close(fd);
-        } else {
-            com_err(me, errno, "Unable to access the file %s", file_name);
-            memset(passwd, 0, passwd_len);
-            goto cleanup;
-        }
-    }
-
-    if (set_dir_pwd) {
-        if ((errcode = krb5_ldap_set_service_passwd(util_context, service_object, passwd)) != 0) {
-            com_err(me, errcode, "Failed to set password for service object %s", service_object);
-            memset(passwd, 0, passwd_len);
-            goto cleanup;
-        }
-    }
-
-    memset(passwd, 0, passwd_len);
-
-
-    /* TODO: file lock for the service password file */
-    /* set password in the file */
-    pfile = fopen(file_name, "r+");
-    if (pfile == NULL) {
-        com_err(me, errno, "Failed to open file %s", file_name);
-        goto cleanup;
-    }
-    set_cloexec_file(pfile);
-
-    while (fgets(line, MAX_LEN, pfile) != NULL) {
-        if ((str = strstr(line, service_object)) != NULL) {
-            if (line[strlen(service_object)] == '#') {
-                break;
-            }
-            str = NULL;
-        }
-    }
-    if (str == NULL) {
-        if (feof(pfile)) {
-            /* If the service object dn is not present in the service password file */
-            if (fwrite(encrypted_passwd.value, (unsigned int)encrypted_passwd.len, 1, pfile) != 1) {
-                com_err(me, errno, "Failed to write service object password to file");
-                goto cleanup;
-            }
-        } else {
-            com_err(me, errno, "Error reading service object password file");
-            goto cleanup;
-        }
-        fclose(pfile);
-        pfile = NULL;
-    } else {
-        /* Password entry for the service object is already present in the file */
-        /* Delete the existing entry and add the new entry */
-        FILE *newfile = NULL;
-        mode_t omask;
-
-        /* Create a new file with the extension .tmp */
-        if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) {
-            com_err(me, ENOMEM, "while setting service object password");
-            goto cleanup;
-        }
-
-        omask = umask(077);
-        newfile = fopen(tmp_file, "w+");
-        umask(omask);
-        if (newfile == NULL) {
-            com_err(me, errno, "Error creating file %s", tmp_file);
-            goto cleanup;
-        }
-        set_cloexec_file(newfile);
-
-        fseek(pfile, 0, SEEK_SET);
-        while (fgets(line, MAX_LEN, pfile) != NULL) {
-            if (((str = strstr(line, service_object)) != NULL) && (line[strlen(service_object)] == '#')) {
-                if (fprintf(newfile, "%s", encrypted_passwd.value) < 0) {
-                    com_err(me, errno, "Failed to write service object password to file");
-                    fclose(newfile);
-                    unlink(tmp_file);
-                    goto cleanup;
-                }
-            } else {
-                if (fprintf(newfile, "%s", line) < 0) {
-                    com_err(me, errno, "Failed to write service object password to file");
-                    fclose(newfile);
-                    unlink(tmp_file);
-                    goto cleanup;
-                }
-            }
-        }
-
-        if (!feof(pfile)) {
-            com_err(me, errno, "Error reading service object password file");
-            fclose(newfile);
-            unlink(tmp_file);
-            goto cleanup;
-        }
-
-        /* TODO: file lock for the service password file */
-        fclose(pfile);
-        pfile = NULL;
-
-        fclose(newfile);
-        newfile = NULL;
-
-        if (unlink(file_name) == 0) {
-            link(tmp_file, file_name);
-        } else {
-            com_err(me, errno, "Failed to write service object password to file");
-            unlink(tmp_file);
-            goto cleanup;
-        }
-        unlink(tmp_file);
-    }
-    errcode = 0;
-
-cleanup:
-    if (db_init_local)
-        krb5_ldap_close(util_context);
-
-    if (service_object)
-        free(service_object);
-
-    if (file_name)
-        free(file_name);
-
-    if (passwd)
-        free(passwd);
-
-    if (encrypted_passwd.value) {
-        memset(encrypted_passwd.value, 0, encrypted_passwd.len);
-        free(encrypted_passwd.value);
-    }
-
-    if (pfile)
-        fclose(pfile);
-
-    if (tmp_file)
-        free(tmp_file);
-
-    if (print_usage)
-        db_usage(SET_SRV_PW);
-
-    return errcode;
-}
-
-#else /* #ifdef HAVE_EDIRECTORY */
-
 /*
  * Convert the user supplied password into hexadecimal and stash it. Only a
  * little more secure than storing plain password in the file ...
@@ -2147,5 +310,3 @@ cleanup:
     if (ret)
         exit_status++;
 }
-
-#endif /* #ifdef HAVE_EDIRECTORY */
index d325bb71d5351f57f51b9094ca9c63f072e55f4d..0f1a1ea62525b36a739174c8e433759c7065b935 100644 (file)
 
 #include "ldap_misc.h"
 
-#define MAX_DN_CHARS            256
-#define HOST_INFO_DELIMITER     '#'
-#define PROTOCOL_STR_LEN        3
-#define PROTOCOL_NUM_UDP        0
-#define PROTOCOL_NUM_TCP        1
-#define PROTOCOL_DEFAULT_KDC    PROTOCOL_NUM_UDP
-#define PROTOCOL_DEFAULT_ADM    PROTOCOL_NUM_TCP
-#define PROTOCOL_DEFAULT_PWD    PROTOCOL_NUM_UDP
-#define PORT_STR_LEN            5
-#define PORT_DEFAULT_KDC        88
-#define PORT_DEFAULT_ADM        749
-#define PORT_DEFAULT_PWD        464
-
 #define MAX_LEN                 1024
 #define MAX_SERVICE_PASSWD_LEN  256
-#define RANDOM_PASSWD_LEN       128
 
 #define DEF_SERVICE_PASSWD_FILE "/usr/local/var/service_passwd"
 
-struct data{
-    int len;
-    unsigned char *value;
-};
-
-extern int enc_password(struct data pwd, struct data *enc_key, struct data *enc_pass);
 extern int tohex(krb5_data, krb5_data *);
 
-extern void kdb5_ldap_create_service(int argc, char **argv);
-extern void kdb5_ldap_modify_service(int argc, char **argv);
-extern void kdb5_ldap_destroy_service(int argc, char **argv);
-extern void kdb5_ldap_list_services(int argc, char **argv);
-extern void kdb5_ldap_view_service(int argc, char **argv);
-extern int  kdb5_ldap_set_service_password(int argc, char **argv);
-extern void kdb5_ldap_set_service_certificate(int argc, char **argv);
 extern void kdb5_ldap_stash_service_password(int argc, char **argv);
index c5f286315e10e1d08664145376420e490d884e40..fe1b70eaa391c715324ac49340743ce4211a1954 100644 (file)
@@ -170,16 +170,7 @@ static struct _cmd_table {
     {"view", kdb5_ldap_view, 1},
     {"destroy", kdb5_ldap_destroy, 1},
     {"list", kdb5_ldap_list, 1},
-#ifdef HAVE_EDIRECTORY
-    {"create_service", kdb5_ldap_create_service, 1},
-    {"modify_service", kdb5_ldap_modify_service, 1},
-    {"view_service", kdb5_ldap_view_service, 1},
-    {"destroy_service", kdb5_ldap_destroy_service, 1},
-    {"list_service",kdb5_ldap_list_services,1},
-    {"setsrvpw", kdb5_ldap_set_service_password, 0},
-#else
     {"stashsrvpw", kdb5_ldap_stash_service_password, 0},
-#endif
     {"create_policy", kdb5_ldap_create_policy, 1},
     {"modify_policy", kdb5_ldap_modify_policy, 1},
     {"view_policy", kdb5_ldap_view_policy, 1},
index b28bdd22a7db9576e3a69dd95b75316ae7047479..dd6263149421607261fbb33b23f7799b0dcfcadf 100644 (file)
 #define DESTROY_REALM         4
 #define LIST_REALM            5
 
-#ifdef HAVE_EDIRECTORY
-# define CREATE_SERVICE        6
-# define MODIFY_SERVICE        7
-# define VIEW_SERVICE          8
-# define DESTROY_SERVICE       9
-# define LIST_SERVICE          10
-# define SET_SRV_PW            16
-#else
-# define STASH_SRV_PW          17
-#endif
+#define STASH_SRV_PW          17
 
 #define CREATE_POLICY         11
 #define MODIFY_POLICY         12
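Review bot: `#define STASH_SRV_PW          17` now sits between LIST_REALM (5) and CREATE_POLICY (11) with nothing explaining the gap, while the removed block shows that 6-10 and 16 were the eDirectory service-command codes. These values appear to be used only as db_usage() selectors (the deleted kdb5_ldap_services.c code calls `db_usage(SET_SRV_PW)`), so either renumber contiguously or add a comment such as `/* 6-10 and 16 were the removed eDirectory service commands. */` above the define so the hole is not mistaken for a missing entry.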
index 2126df61670699f70f63f5e7eb5ab7cba4cafa83..668f77329e8ef9906ab5530efbfe074717c05d2a 100644 (file)
@@ -47,8 +47,6 @@ SRCS=         $(srcdir)/kdb_ldap.c \
        $(srcdir)/ldap_misc.c \
        $(srcdir)/ldap_handle.c \
        $(srcdir)/ldap_tkt_policy.c \
-       $(srcdir)/ldap_services.c \
-       $(srcdir)/ldap_service_rights.c \
        $(srcdir)/princ_xdr.c \
        $(srcdir)/ldap_service_stash.c \
        $(srcdir)/kdb_xdr.c \
@@ -67,8 +65,6 @@ STLIBOBJS= kdb_ldap.o \
        ldap_misc.o \
        ldap_handle.o \
        ldap_tkt_policy.o \
-       ldap_services.o \
-       ldap_service_rights.o \
        princ_xdr.o \
        ldap_service_stash.o \
        kdb_xdr.o \
index c8d2f7e42e505a6f80ab14c0a7822b4ee79f8456..37fea12b62ba8416741c2e80d38798ee26bcd14d 100644 (file)
@@ -21,7 +21,7 @@ kdb_ldap.so kdb_ldap.po $(OUTPRE)kdb_ldap.$(OBJEXT): \
   $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
   $(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \
   kdb_ldap.c kdb_ldap.h ldap_err.h ldap_krbcontainer.h \
-  ldap_misc.h ldap_realm.h ldap_services.h
+  ldap_misc.h ldap_realm.h
 kdb_ldap_conn.so kdb_ldap_conn.po $(OUTPRE)kdb_ldap_conn.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -35,7 +35,7 @@ kdb_ldap_conn.so kdb_ldap_conn.po $(OUTPRE)kdb_ldap_conn.$(OBJEXT): \
   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
   $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h kdb_ldap_conn.c \
   ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
-  ldap_realm.h ldap_service_stash.h ldap_services.h
+  ldap_realm.h ldap_service_stash.h
 ldap_realm.so ldap_realm.po $(OUTPRE)ldap_realm.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -50,7 +50,7 @@ ldap_realm.so ldap_realm.po $(OUTPRE)ldap_realm.$(OBJEXT): \
   $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \
   ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
   ldap_principal.h ldap_pwd_policy.h ldap_realm.c ldap_realm.h \
-  ldap_services.h ldap_tkt_policy.h
+  ldap_tkt_policy.h
 ldap_create.so ldap_create.po $(OUTPRE)ldap_create.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -64,8 +64,7 @@ ldap_create.so ldap_create.po $(OUTPRE)ldap_create.$(OBJEXT): \
   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
   $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_create.c \
   ldap_err.h ldap_handle.h ldap_krbcontainer.h ldap_main.h \
-  ldap_misc.h ldap_principal.h ldap_realm.h ldap_services.h \
-  ldap_tkt_policy.h
+  ldap_misc.h ldap_principal.h ldap_realm.h ldap_tkt_policy.h
 ldap_krbcontainer.so ldap_krbcontainer.po $(OUTPRE)ldap_krbcontainer.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -79,7 +78,7 @@ ldap_krbcontainer.so ldap_krbcontainer.po $(OUTPRE)ldap_krbcontainer.$(OBJEXT):
   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
   $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \
   ldap_handle.h ldap_krbcontainer.c ldap_krbcontainer.h \
-  ldap_main.h ldap_misc.h ldap_realm.h ldap_services.h
+  ldap_main.h ldap_misc.h ldap_realm.h
 ldap_principal.so ldap_principal.po $(OUTPRE)ldap_principal.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -100,7 +99,7 @@ ldap_principal.so ldap_principal.po $(OUTPRE)ldap_principal.$(OBJEXT): \
   $(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \
   kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
   ldap_main.h ldap_misc.h ldap_principal.c ldap_principal.h \
-  ldap_realm.h ldap_services.h ldap_tkt_policy.h princ_xdr.h
+  ldap_realm.h ldap_tkt_policy.h princ_xdr.h
 ldap_principal2.so ldap_principal2.po $(OUTPRE)ldap_principal2.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
@@ -122,8 +121,7 @@ ldap_principal2.so ldap_principal2.po $(OUTPRE)ldap_principal2.$(OBJEXT): \
   $(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \
   kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
   ldap_main.h ldap_misc.h ldap_principal.h ldap_principal2.c \
-  ldap_pwd_policy.h ldap_realm.h ldap_services.h ldap_tkt_policy.h \
-  princ_xdr.h
+  ldap_pwd_policy.h ldap_realm.h ldap_tkt_policy.h princ_xdr.h
 ldap_pwd_policy.so ldap_pwd_policy.po $(OUTPRE)ldap_pwd_policy.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -137,7 +135,7 @@ ldap_pwd_policy.so ldap_pwd_policy.po $(OUTPRE)ldap_pwd_policy.$(OBJEXT): \
   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
   $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \
   ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
-  ldap_pwd_policy.c ldap_pwd_policy.h ldap_realm.h ldap_services.h
+  ldap_pwd_policy.c ldap_pwd_policy.h ldap_realm.h
 ldap_misc.so ldap_misc.po $(OUTPRE)ldap_misc.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -158,7 +156,7 @@ ldap_misc.so ldap_misc.po $(OUTPRE)ldap_misc.$(OBJEXT): \
   $(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \
   kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
   ldap_misc.c ldap_misc.h ldap_principal.h ldap_pwd_policy.h \
-  ldap_realm.h ldap_services.h ldap_tkt_policy.h princ_xdr.h
+  ldap_realm.h ldap_tkt_policy.h princ_xdr.h
 ldap_handle.so ldap_handle.po $(OUTPRE)ldap_handle.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -172,7 +170,7 @@ ldap_handle.so ldap_handle.po $(OUTPRE)ldap_handle.$(OBJEXT): \
   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
   $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_handle.c \
   ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
-  ldap_realm.h ldap_services.h
+  ldap_realm.h
 ldap_tkt_policy.so ldap_tkt_policy.po $(OUTPRE)ldap_tkt_policy.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -186,35 +184,7 @@ ldap_tkt_policy.so ldap_tkt_policy.po $(OUTPRE)ldap_tkt_policy.$(OBJEXT): \
   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
   $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \
   ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
-  ldap_realm.h ldap_services.h ldap_tkt_policy.c ldap_tkt_policy.h
-ldap_services.so ldap_services.po $(OUTPRE)ldap_services.$(OBJEXT): \
-  $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
-  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \
-  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
-  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
-  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \
-  ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
-  ldap_realm.h ldap_services.c ldap_services.h
-ldap_service_rights.so ldap_service_rights.po $(OUTPRE)ldap_service_rights.$(OBJEXT): \
-  $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
-  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \
-  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
-  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
-  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \
-  ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
-  ldap_realm.h ldap_service_rights.c ldap_services.h
+  ldap_realm.h ldap_tkt_policy.c ldap_tkt_policy.h
 princ_xdr.so princ_xdr.po $(OUTPRE)princ_xdr.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
@@ -249,7 +219,7 @@ ldap_service_stash.so ldap_service_stash.po $(OUTPRE)ldap_service_stash.$(OBJEXT
   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
   $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_handle.h \
   ldap_krbcontainer.h ldap_main.h ldap_misc.h ldap_realm.h \
-  ldap_service_stash.c ldap_service_stash.h ldap_services.h
+  ldap_service_stash.c ldap_service_stash.h
 kdb_xdr.so kdb_xdr.po $(OUTPRE)kdb_xdr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
index 6115bb7e64e9157927f1530cde3ce3ac26dfecc6..b52d088ff693474113377586340f8dd88afc2ba1 100644 (file)
@@ -422,38 +422,6 @@ krb5_ldap_open(krb5_context context, char *conf_section, char **db_args,
             }
 
             srv_cnt++;
-#ifdef HAVE_EDIRECTORY
-        } else if (opt && !strcmp(opt, "cert")) {
-            if (val == NULL) {
-                status = EINVAL;
-                krb5_set_error_message(context, status,
-                                       _("'cert' value missing"));
-                free(opt);
-                goto clean_n_exit;
-            }
-
-            if (ldap_context->root_certificate_file == NULL) {
-                ldap_context->root_certificate_file = strdup(val);
-                if (ldap_context->root_certificate_file == NULL) {
-                    free (opt);
-                    free (val);
-                    status = ENOMEM;
-                    goto clean_n_exit;
-                }
-            } else {
-                char *newstr;
-
-                if (asprintf(&newstr, "%s %s",
-                             ldap_context->root_certificate_file, val) < 0) {
-                    free (opt);
-                    free (val);
-                    status = ENOMEM;
-                    goto clean_n_exit;
-                }
-                free(ldap_context->root_certificate_file);
-                ldap_context->root_certificate_file = newstr;
-            }
-#endif
         } else {
             /* ignore hash argument. Might have been passed from create */
             status = EINVAL;
index 51a6facb78c4b79b2765a1ce8b9c83680596b87e..b40600780e7a378eacbab330dcee5b348bcf0c31 100644 (file)
@@ -63,11 +63,6 @@ extern struct timeval timelimit;
 #define  DEFAULT_CONNS_PER_SERVER    5
 #define  REALM_READ_REFRESH_INTERVAL (5 * 60)
 
-#ifdef HAVE_EDIRECTORY
-#define  SECURITY_CONTAINER "cn=Security"
-#define  KERBEROS_CONTAINER "cn=Kerberos,cn=Security"
-#endif
-
 #if !defined(LDAP_OPT_RESULT_CODE) && defined(LDAP_OPT_ERROR_NUMBER)
 #define LDAP_OPT_RESULT_CODE LDAP_OPT_ERROR_NUMBER
 #endif
@@ -194,9 +189,6 @@ struct _krb5_ldap_server_info {
     krb5_ldap_server_handle      *ldap_server_handles;
     time_t                       downtime;
     char                        *server_name;
-#ifdef HAVE_EDIRECTORY
-    char                        *root_certificate_file;
-#endif
     int                          modify_increment;
     struct _krb5_ldap_server_info *next;
 };
index bfe866792b8a6ca84ada0c65e139a80edc2ae02b..1dc4afcf78e7e05dcc779b655680c3571f9034a4 100644 (file)
@@ -62,9 +62,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
     krb5_ldap_krbcontainer_params kparams = {0};
     int srv_cnt = 0;
     int mask = 0;
-#ifdef HAVE_EDIRECTORY
-    int i = 0, rightsmask = 0;
-#endif
 
     /* Clear the global error string */
     krb5_clear_error_message(context);
@@ -180,36 +177,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
             }
 
             srv_cnt++;
-#ifdef HAVE_EDIRECTORY
-        } else if (opt && !strcmp(opt, "cert")) {
-            if (val == NULL) {
-                status = EINVAL;
-                krb5_set_error_message (context, status, "'cert' value missing");
-                free(opt);
-                goto cleanup;
-            }
-
-            if (ldap_context->root_certificate_file == NULL) {
-                ldap_context->root_certificate_file = strdup(val);
-                if (ldap_context->root_certificate_file == NULL) {
-                    free (opt);
-                    free (val);
-                    status = ENOMEM;
-                    goto cleanup;
-                }
-            } else {
-                char *newstr;
-
-                if (asprintf(&newstr, "%s %s",
-                             ldap_context->root_certificate_file, val) < 0) {
-                    free (opt);
-                    free (val);
-                    status = ENOMEM;
-                    goto cleanup;
-                }
-                ldap_context->root_certificate_file = newstr;
-            }
-#endif
         } else {
             /* ignore hash argument. Might have been passed from create */
             status = EINVAL;
@@ -314,51 +281,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
                                               &mask)))
         goto cleanup;
 
-#ifdef HAVE_EDIRECTORY
-    if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
-        (mask & LDAP_REALM_PASSWDSERVERS)) {
-
-        rightsmask =0;
-        rightsmask |= LDAP_REALM_RIGHTS;
-        rightsmask |= LDAP_SUBTREE_RIGHTS;
-        if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
-            for (i=0; (rparams->kdcservers[i] != NULL); i++) {
-                if ((status=krb5_ldap_add_service_rights(context,
-                                                         LDAP_KDC_SERVICE, rparams->kdcservers[i],
-                                                         rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                    goto cleanup;
-                }
-            }
-        }
-
-        rightsmask = 0;
-        rightsmask |= LDAP_REALM_RIGHTS;
-        rightsmask |= LDAP_SUBTREE_RIGHTS;
-        if ((rparams != NULL) && (rparams->adminservers != NULL)) {
-            for (i=0; (rparams->adminservers[i] != NULL); i++) {
-                if ((status=krb5_ldap_add_service_rights(context,
-                                                         LDAP_ADMIN_SERVICE, rparams->adminservers[i],
-                                                         rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                    goto cleanup;
-                }
-            }
-        }
-
-        rightsmask = 0;
-        rightsmask |= LDAP_REALM_RIGHTS;
-        rightsmask |= LDAP_SUBTREE_RIGHTS;
-        if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
-            for (i=0; (rparams->passwdservers[i] != NULL); i++) {
-                if ((status=krb5_ldap_add_service_rights(context,
-                                                         LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
-                                                         rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
-                    goto cleanup;
-                }
-            }
-        }
-    }
-#endif
-
 cleanup:
 
     /* If the krbcontainer/realm creation is not complete, do the roll-back here */
index b52ba799b8557342663f75f4278ad765188c4a39..fabe633abb6899c513413b95bd7d9c2d13717dc4 100644 (file)
@@ -112,64 +112,26 @@ krb5_ldap_read_krbcontainer_params(krb5_context context,
         }
     }
 
-#ifndef HAVE_EDIRECTORY
-/*
- * In case eDirectory, we can fall back to security container if the kerberos container location
- * is missing in the conf file. In openldap we will have to return an error.
- */
     if (cparams->DN == NULL) {
         st = KRB5_KDB_SERVER_INTERNAL_ERR;
         krb5_set_error_message(context, st,
                                _("Kerberos container location not specified"));
         goto cleanup;
     }
-#endif
-
-    if (cparams->DN != NULL) {
-        /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is
-         * not read
-         */
-        LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS);
-        if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
-            st = set_ldap_error(context, st, OP_SEARCH);
-            goto cleanup;
-        }
-
-        if (st == LDAP_NO_SUCH_OBJECT) {
-            st = KRB5_KDB_NOENTRY;
-            goto cleanup;
-        }
-    }
 
-#ifdef HAVE_EDIRECTORY
-    /*
-     * If the kerberos location in the conf file is missing or invalid, fall back to the
-     * security container. If the kerberos location in the security container is also missing
-     * then fall back to the default value
+    /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is
+     * not read
      */
-    if ((cparams->DN == NULL) || (st == LDAP_NO_SUCH_OBJECT)) {
-        /*
-         * kerberos container can be anywhere. locate it by reading the security
-         * container to find the location.
-         */
-        LDAP_SEARCH(SECURITY_CONTAINER, LDAP_SCOPE_BASE, NULL, krbcontainerrefattr);
-        if ((ent = ldap_first_entry(ld, result)) != NULL) {
-            if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference",
-                                         &(cparams->DN), NULL)) != 0)
-                goto cleanup;
-            if (cparams->DN == NULL) {
-                cparams->DN = strdup(KERBEROS_CONTAINER);
-                CHECK_NULL(cparams->DN);
-            }
-        }
-        ldap_msgfree(result);
+    LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS);
+    if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
+        st = set_ldap_error(context, st, OP_SEARCH);
+        goto cleanup;
+    }
 
-        /* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on
-         * Kerberos Container is not read
-         */
-        LDAP_SEARCH(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute);
+    if (st == LDAP_NO_SUCH_OBJECT) {
+        st = KRB5_KDB_NOENTRY;
+        goto cleanup;
     }
-#endif
 
     if ((ent = ldap_first_entry(ld, result))) {
         if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference",
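Review bot: The two consecutive status checks after `LDAP_SEARCH_1` (`st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT`, then `st == LDAP_NO_SUCH_OBJECT`) could be a single `if`/`else if`, and the re-indented NOTE comment is ungrammatical; suggest `/* Attributes such as krbmaxtktlife and krbmaxrenewableage on the Kerberos container are not read here. */`. The deleted eDirectory comment was the only place stating why a missing container DN is fatal, so a one-line `/* The container DN must come from the configuration; there is no fallback. */` above the NULL check would keep that rationale. On the `LDAP_NO_SUCH_OBJECT` path the search result is presumably released at the cleanup label, as the removed fallback path did explicitly with `ldap_msgfree(result)` — worth confirming, since the function's cleanup code is outside the hunk.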
index 6719d403bbc77bdd5acf7cd22f37d2d915ea07d0..55a8eb57e76135414a478030005ce1a40f5be8ee 100644 (file)
@@ -265,21 +265,6 @@ krb5_ldap_read_server_params(krb5_context context, char *conf_section,
             goto cleanup;
     }
 
-#ifdef HAVE_EDIRECTORY
-    /*
-     * If root certificate file is not set read it from database
-     * module section of conf file this is the trusted root
-     * certificate of the Directory.
-     */
-    if (ldap_context->root_certificate_file == NULL) {
-        st = prof_get_string_def (context, conf_section,
-                                  KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE,
-                                  &ldap_context->root_certificate_file);
-        if (st)
-            goto cleanup;
-    }
-#endif
-
     /*
      * If the ldap server parameter is not set read the list of ldap
      * servers from the database module section of the conf file.
@@ -374,11 +359,6 @@ krb5_ldap_free_server_context_params(krb5_ldap_context *ldap_context)
             if (ldap_context->server_info_list[i]->server_name) {
                 free (ldap_context->server_info_list[i]->server_name);
             }
-#ifdef HAVE_EDIRECTORY
-            if (ldap_context->server_info_list[i]->root_certificate_file) {
-                free (ldap_context->server_info_list[i]->root_certificate_file);
-            }
-#endif
             if (ldap_context->server_info_list[i]->ldap_server_handles) {
                 ldap_server_handle = ldap_context->server_info_list[i]->ldap_server_handles;
                 while (ldap_server_handle) {
@@ -416,13 +396,6 @@ krb5_ldap_free_server_context_params(krb5_ldap_context *ldap_context)
         ldap_context->service_password_file = NULL;
     }
 
-#ifdef HAVE_EDIRECTORY
-    if (ldap_context->root_certificate_file != NULL) {
-        krb5_xfree(ldap_context->root_certificate_file);
-        ldap_context->root_certificate_file = NULL;
-    }
-#endif
-
     if (ldap_context->service_cert_path != NULL) {
         krb5_xfree(ldap_context->service_cert_path);
         ldap_context->service_cert_path = NULL;
@@ -2090,37 +2063,6 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
     if ((st=krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data)) != 0)
         goto cleanup;
 
-#ifdef HAVE_EDIRECTORY
-    {
-        krb5_timestamp              expiretime=0;
-        char                        *is_login_disabled=NULL;
-
-        /* LOGIN EXPIRATION TIME */
-        if ((st=krb5_ldap_get_time(ld, ent, "loginexpirationtime", &expiretime,
-                                   &attr_present)) != 0)
-            goto cleanup;
-
-        if (attr_present == TRUE) {
-            if (mask & KDB_PRINC_EXPIRE_TIME_ATTR) {
-                if (expiretime < entry->expiration)
-                    entry->expiration = expiretime;
-            } else {
-                entry->expiration = expiretime;
-            }
-        }
-
-        /* LOGIN DISABLED */
-        if ((st=krb5_ldap_get_string(ld, ent, "logindisabled", &is_login_disabled,
-                                     &attr_present)) != 0)
-            goto cleanup;
-        if (attr_present == TRUE) {
-            if (strcasecmp(is_login_disabled, "TRUE")== 0)
-                entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
-            free (is_login_disabled);
-        }
-    }
-#endif
-
     if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
         goto cleanup;
 
index 7166cc6a6ab037cf50fecf2c954a880f32416174..b1583d526b3441e30e34cb925e0e967281b4454b 100644 (file)
@@ -36,8 +36,6 @@
 #ifndef _HAVE_LDAP_MISC_H
 #define _HAVE_LDAP_MISC_H 1
 
-#include "ldap_services.h"
-
 /* misc functions */
 
 krb5_error_code
index 54dfbdb670e2311973809da062ef810f67b84b91..7ce50b30bc1845b7a5ab116cb94bcda58f004646 100644 (file)
@@ -54,10 +54,6 @@ char     *principal_attributes[] = { "krbprincipalname",
                                      "krbLastFailedAuth",
                                      "krbLoginFailedCount",
                                      "krbLastSuccessfulAuth",
-#ifdef HAVE_EDIRECTORY
-                                     "loginexpirationtime",
-                                     "logindisabled",
-#endif
                                      "krbLastPwdChange",
                                      "krbLastAdminUnlock",
                                      "krbExtraData",
index 9ab7a0398e1b46a2a48eedd44ae78d70cf7cdf5c..45649da02c5a713c9de3a9de297b63f4f3b0382a 100644 (file)
@@ -389,17 +389,7 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams,
     LDAP                  *ld=NULL;
     krb5_error_code       st=0;
     char                  **strval=NULL, *strvalprc[5]={NULL};
-#ifdef HAVE_EDIRECTORY
-    char                  **values=NULL;
-    char                  **oldkdcservers=NULL, **oldadminservers=NULL, **oldpasswdservers=NULL;
-    LDAPMessage           *result=NULL, *ent=NULL;
-    int                   count=0;
-    char errbuf[1024];
-#endif
     LDAPMod               **mods = NULL;
-#ifdef HAVE_EDIRECTORY
-    int                   i=0;
-#endif
     int                   oldmask=0, objectmask=0,k=0;
     kdb5_dal_handle       *dal_handle=NULL;
     krb5_ldap_context     *ldap_context=NULL;
@@ -421,11 +411,6 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams,
         rparams->tl_data->tl_data_contents == NULL ||
         ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) ||
         ((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) ||
-#ifdef HAVE_EDIRECTORY
-        ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) ||
-        ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) ||
-        ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) ||
-#endif
         0) {
         st = EINVAL;
         goto cleanup;
@@ -518,104 +503,6 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams,
     }
 
 
-#ifdef HAVE_EDIRECTORY
-
-    /* KDCSERVERS ATTRIBUTE */
-    if (mask & LDAP_REALM_KDCSERVERS) {
-        /* validate the server list */
-        for (i=0; rparams->kdcservers[i] != NULL; ++i) {
-            st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass,
-                                     &objectmask);
-            CHECK_CLASS_VALIDITY(st, objectmask,
-                                 _("kdc service object value: "));
-        }
-
-        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_REPLACE,
-                                          rparams->kdcservers)) != 0)
-            goto cleanup;
-    }
-
-    /* ADMINSERVERS ATTRIBUTE */
-    if (mask & LDAP_REALM_ADMINSERVERS) {
-        /* validate the server list */
-        for (i=0; rparams->adminservers[i] != NULL; ++i) {
-            st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass,
-                                     &objectmask);
-            CHECK_CLASS_VALIDITY(st, objectmask,
-                                 _("admin service object value: "));
-        }
-
-        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_REPLACE,
-                                          rparams->adminservers)) != 0)
-            goto cleanup;
-    }
-
-    /* PASSWDSERVERS ATTRIBUTE */
-    if (mask & LDAP_REALM_PASSWDSERVERS) {
-        /* validate the server list */
-        for (i=0; rparams->passwdservers[i] != NULL; ++i) {
-            st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass,
-                                     &objectmask);
-            CHECK_CLASS_VALIDITY(st, objectmask,
-                                 _("password service object value: "));
-        }
-
-        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_REPLACE,
-                                          rparams->passwdservers)) != 0)
-            goto cleanup;
-    }
-
-    /*
-     * Read the old values of the krbkdcservers, krbadmservers and
-     * krbpwdservers.  This information is later used to decided the
-     * deletions/additions to the list.
-     */
-    if (mask & LDAP_REALM_KDCSERVERS || mask & LDAP_REALM_ADMINSERVERS ||
-        mask & LDAP_REALM_PASSWDSERVERS) {
-        char *servers[] = {"krbKdcServers", "krbAdmServers", "krbPwdServers", NULL};
-
-        if ((st= ldap_search_ext_s(ld,
-                                   rparams->realmdn,
-                                   LDAP_SCOPE_BASE,
-                                   0,
-                                   servers,
-                                   0,
-                                   NULL,
-                                   NULL,
-                                   NULL,
-                                   0,
-                                   &result)) != LDAP_SUCCESS) {
-            st = set_ldap_error (context, st, OP_SEARCH);
-            goto cleanup;
-        }
-
-        ent = ldap_first_entry(ld, result);
-        if (ent) {
-            if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
-                count = ldap_count_values(values);
-                if ((st=copy_arrays(values, &oldkdcservers, count)) != 0)
-                    goto cleanup;
-                ldap_value_free(values);
-            }
-
-            if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) {
-                count = ldap_count_values(values);
-                if ((st=copy_arrays(values, &oldadminservers, count)) != 0)
-                    goto cleanup;
-                ldap_value_free(values);
-            }
-
-            if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) {
-                count = ldap_count_values(values);
-                if ((st=copy_arrays(values, &oldpasswdservers, count)) != 0)
-                    goto cleanup;
-                ldap_value_free(values);
-            }
-        }
-        ldap_msgfree(result);
-    }
-#endif
-
     /* Realm modify opearation */
     if (mods != NULL) {
         if ((st=ldap_modify_ext_s(ld, rparams->realmdn, mods, NULL, NULL)) != LDAP_SUCCESS) {
@@ -624,148 +511,8 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams,
         }
     }
 
-#ifdef HAVE_EDIRECTORY
-    /* krbRealmReferences attribute is updated here, depending on the additions/deletions
-     * to the 4 servers' list.
-     */
-    if (mask & LDAP_REALM_KDCSERVERS) {
-        char **newkdcservers=NULL;
-
-        count = ldap_count_values(rparams->kdcservers);
-        if ((st=copy_arrays(rparams->kdcservers, &newkdcservers, count)) != 0)
-            goto cleanup;
-
-        /* find the deletions and additions to the server list */
-        if (oldkdcservers && newkdcservers)
-            disjoint_members(oldkdcservers, newkdcservers);
-
-        /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
-        if (oldkdcservers)
-            for (i=0; oldkdcservers[i]; ++i)
-                if ((st=deleteAttribute(ld, oldkdcservers[i], "krbRealmReferences",
-                                        rparams->realmdn)) != 0) {
-                    snprintf(errbuf, sizeof(errbuf),
-                             _("Error removing 'krbRealmReferences' from "
-                               "%s: "), oldkdcservers[i]);
-                    prepend_err_str(context, errbuf, st, st);
-                    goto cleanup;
-                }
-
-        /* add the krbRealmReferences attribute from the servers that are associated. */
-        if (newkdcservers)
-            for (i=0; newkdcservers[i]; ++i)
-                if ((st=updateAttribute(ld, newkdcservers[i], "krbRealmReferences",
-                                        rparams->realmdn)) != 0) {
-                    snprintf(errbuf, sizeof(errbuf),
-                             _("Error adding 'krbRealmReferences' to %s: "),
-                             newkdcservers[i]);
-                    prepend_err_str(context, errbuf, st, st);
-                    goto cleanup;
-                }
-
-        if (newkdcservers)
-            ldap_value_free(newkdcservers);
-    }
-
-    if (mask & LDAP_REALM_ADMINSERVERS) {
-        char **newadminservers=NULL;
-
-        count = ldap_count_values(rparams->adminservers);
-        if ((st=copy_arrays(rparams->adminservers, &newadminservers, count)) != 0)
-            goto cleanup;
-
-        /* find the deletions and additions to the server list */
-        if (oldadminservers && newadminservers)
-            disjoint_members(oldadminservers, newadminservers);
-
-        /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
-        if (oldadminservers)
-            for (i=0; oldadminservers[i]; ++i)
-                if ((st=deleteAttribute(ld, oldadminservers[i], "krbRealmReferences",
-                                        rparams->realmdn)) != 0) {
-                    snprintf(errbuf, sizeof(errbuf),
-                             _("Error removing 'krbRealmReferences' from "
-                               "%s: "), oldadminservers[i]);
-                    prepend_err_str(context, errbuf, st, st);
-                    goto cleanup;
-                }
-
-        /* add the krbRealmReferences attribute from the servers that are associated. */
-        if (newadminservers)
-            for (i=0; newadminservers[i]; ++i)
-                if ((st=updateAttribute(ld, newadminservers[i], "krbRealmReferences",
-                                        rparams->realmdn)) != 0) {
-                    snprintf(errbuf, sizeof(errbuf),
-                             _("Error adding 'krbRealmReferences' to %s: "),
-                             newadminservers[i]);
-                    prepend_err_str(context, errbuf, st, st);
-                    goto cleanup;
-                }
-        if (newadminservers)
-            ldap_value_free(newadminservers);
-    }
-
-    if (mask & LDAP_REALM_PASSWDSERVERS) {
-        char **newpasswdservers=NULL;
-
-        count = ldap_count_values(rparams->passwdservers);
-        if ((st=copy_arrays(rparams->passwdservers, &newpasswdservers, count)) != 0)
-            goto cleanup;
-
-        /* find the deletions and additions to the server list */
-        if (oldpasswdservers && newpasswdservers)
-            disjoint_members(oldpasswdservers, newpasswdservers);
-
-        /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
-        if (oldpasswdservers)
-            for (i=0; oldpasswdservers[i]; ++i)
-                if ((st=deleteAttribute(ld, oldpasswdservers[i], "krbRealmReferences",
-                                        rparams->realmdn)) != 0) {
-                    snprintf(errbuf, sizeof(errbuf),
-                             _("Error removing 'krbRealmReferences' from "
-                               "%s: "), oldpasswdservers[i]);
-                    prepend_err_str(context, errbuf, st, st);
-                    goto cleanup;
-                }
-
-        /* add the krbRealmReferences attribute from the servers that are associated. */
-        if (newpasswdservers)
-            for (i=0; newpasswdservers[i]; ++i)
-                if ((st=updateAttribute(ld, newpasswdservers[i], "krbRealmReferences",
-                                        rparams->realmdn)) != 0) {
-                    snprintf(errbuf, sizeof(errbuf),
-                             _("Error adding 'krbRealmReferences' to %s: "),
-                             newpasswdservers[i]);
-                    prepend_err_str(context, errbuf, st, st);
-                    goto cleanup;
-                }
-        if (newpasswdservers)
-            ldap_value_free(newpasswdservers);
-    }
-#endif
-
 cleanup:
 
-#ifdef HAVE_EDIRECTORY
-    if (oldkdcservers) {
-        for (i=0; oldkdcservers[i]; ++i)
-            free(oldkdcservers[i]);
-        free(oldkdcservers);
-    }
-
-    if (oldadminservers) {
-        for (i=0; oldadminservers[i]; ++i)
-            free(oldadminservers[i]);
-        free(oldadminservers);
-    }
-
-    if (oldpasswdservers) {
-        for (i=0; oldpasswdservers[i]; ++i)
-            free(oldpasswdservers[i]);
-        free(oldpasswdservers);
-    }
-#endif
-
     ldap_mods_free(mods, 1);
     krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
     return st;
@@ -790,9 +537,6 @@ krb5_ldap_create_krbcontainer(krb5_context context,
     kdb5_dal_handle             *dal_handle=NULL;
     krb5_ldap_context           *ldap_context=NULL;
     krb5_ldap_server_handle     *ldap_server_handle=NULL;
-#ifdef HAVE_EDIRECTORY
-    int                         crmask=0;
-#endif
 
     SETUP_CONTEXT ();
 
@@ -802,15 +546,10 @@ krb5_ldap_create_krbcontainer(krb5_context context,
     if (krbcontparams != NULL && krbcontparams->DN != NULL) {
         kerberoscontdn = krbcontparams->DN;
     } else {
-        /* If the user has not given, use the default cn=Kerberos,cn=Security */
-#ifdef HAVE_EDIRECTORY
-        kerberoscontdn = KERBEROS_CONTAINER;
-#else
         st = EINVAL;
         krb5_set_error_message(context, st,
                                _("Kerberos Container information is missing"));
         goto cleanup;
-#endif
     }
 
     strval[0] = "krbContainer";
@@ -854,47 +593,6 @@ krb5_ldap_create_krbcontainer(krb5_context context,
         goto cleanup;
     }
 
-#ifdef HAVE_EDIRECTORY
-
-    /* free the mods array */
-    ldap_mods_free(mods, 1);
-    mods=NULL;
-
-    /* check whether the security container is bound to krbcontainerrefaux object class */
-    if ((st=checkattributevalue(ld, SECURITY_CONTAINER, "objectClass",
-                                krbContainerRefclass, &crmask)) != 0) {
-        prepend_err_str(context, _("Security Container read FAILED: "), st,
-                        st);
-        /* delete Kerberos Container, status ignored intentionally */
-        ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL);
-        goto cleanup;
-    }
-
-    if (crmask == 0) {
-        /* Security Container is extended with krbcontainerrefaux object class */
-        strval[0] = "krbContainerRefAux";
-        if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
-            goto cleanup;
-    }
-
-    strval[0] = kerberoscontdn;
-    strval[1] = NULL;
-    if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbcontainerreference", LDAP_MOD_ADD, strval)) != 0)
-        goto cleanup;
-
-    /* update the security container with krbContainerReference attribute */
-    if ((st=ldap_modify_ext_s(ld, SECURITY_CONTAINER, mods, NULL, NULL)) != LDAP_SUCCESS) {
-        int ost = st;
-        st = translate_ldap_error (st, OP_MOD);
-        krb5_set_error_message(context, st,
-                               _("Security Container update FAILED: %s"),
-                               ldap_err2string(ost));
-        /* delete Kerberos Container, status ignored intentionally */
-        ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL);
-        goto cleanup;
-    }
-#endif
-
 cleanup:
 
     if (rdns)
@@ -929,15 +627,10 @@ krb5_ldap_delete_krbcontainer(krb5_context context,
     if (krbcontparams != NULL && krbcontparams->DN != NULL) {
         kerberoscontdn = krbcontparams->DN;
     } else {
-        /* If the user has not given, use the default cn=Kerberos,cn=Security */
-#ifdef HAVE_EDIRECTORY
-        kerberoscontdn = KERBEROS_CONTAINER;
-#else
         st = EINVAL;
         krb5_set_error_message(context, st,
                                _("Kerberos Container information is missing"));
         goto cleanup;
-#endif
     }
 
     /* delete the kerberos container */
@@ -975,9 +668,6 @@ krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams,
     kdb5_dal_handle             *dal_handle=NULL;
     krb5_ldap_context           *ldap_context=NULL;
     krb5_ldap_server_handle     *ldap_server_handle=NULL;
-#ifdef HAVE_EDIRECTORY
-    char errbuf[1024];
-#endif
     char                        *realm_name;
 
     SETUP_CONTEXT ();
@@ -990,11 +680,6 @@ krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams,
         ((mask & LDAP_REALM_SUBTREE) && rparams->subtree  == NULL) ||
         ((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) ||
         ((mask & LDAP_REALM_POLICYREFERENCE) && rparams->policyreference == NULL) ||
-#ifdef HAVE_EDIRECTORY
-        ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) ||
-        ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) ||
-        ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) ||
-#endif
         0) {
         st = EINVAL;
         return st;
@@ -1096,100 +781,12 @@ krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams,
     }
 
 
-#ifdef HAVE_EDIRECTORY
-
-    /* KDCSERVERS ATTRIBUTE */
-    if (mask & LDAP_REALM_KDCSERVERS) {
-        /* validate the server list */
-        for (i=0; rparams->kdcservers[i] != NULL; ++i) {
-            st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass,
-                                     &objectmask);
-            CHECK_CLASS_VALIDITY(st, objectmask,
-                                 _("kdc service object value: "));
-
-        }
-
-        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_ADD,
-                                          rparams->kdcservers)) != 0)
-            goto cleanup;
-    }
-
-    /* ADMINSERVERS ATTRIBUTE */
-    if (mask & LDAP_REALM_ADMINSERVERS) {
-        /* validate the server list */
-        for (i=0; rparams->adminservers[i] != NULL; ++i) {
-            st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass,
-                                     &objectmask);
-            CHECK_CLASS_VALIDITY(st, objectmask,
-                                 _("admin service object value: "));
-
-        }
-
-        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_ADD,
-                                          rparams->adminservers)) != 0)
-            goto cleanup;
-    }
-
-    /* PASSWDSERVERS ATTRIBUTE */
-    if (mask & LDAP_REALM_PASSWDSERVERS) {
-        /* validate the server list */
-        for (i=0; rparams->passwdservers[i] != NULL; ++i) {
-            st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass,
-                                     &objectmask);
-            CHECK_CLASS_VALIDITY(st, objectmask, "password service object value: ");
-
-        }
-
-        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_ADD,
-                                          rparams->passwdservers)) != 0)
-            goto cleanup;
-    }
-#endif
-
     /* realm creation operation */
     if ((st=ldap_add_ext_s(ld, dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
         st = set_ldap_error (context, st, OP_ADD);
         goto cleanup;
     }
 
-#ifdef HAVE_EDIRECTORY
-    if (mask & LDAP_REALM_KDCSERVERS)
-        for (i=0; rparams->kdcservers[i]; ++i)
-            if ((st=updateAttribute(ld, rparams->kdcservers[i], "krbRealmReferences", dn)) != 0) {
-                snprintf(errbuf, sizeof(errbuf),
-                         _("Error adding 'krbRealmReferences' to %s: "),
-                         rparams->kdcservers[i]);
-                prepend_err_str (context, errbuf, st, st);
-                /* delete Realm, status ignored intentionally */
-                ldap_delete_ext_s(ld, dn, NULL, NULL);
-                goto cleanup;
-            }
-
-    if (mask & LDAP_REALM_ADMINSERVERS)
-        for (i=0; rparams->adminservers[i]; ++i)
-            if ((st=updateAttribute(ld, rparams->adminservers[i], "krbRealmReferences", dn)) != 0) {
-                snprintf(errbuf, sizeof(errbuf),
-                         _("Error adding 'krbRealmReferences' to %s: "),
-                         rparams->adminservers[i]);
-                prepend_err_str (context, errbuf, st, st);
-                /* delete Realm, status ignored intentionally */
-                ldap_delete_ext_s(ld, dn, NULL, NULL);
-                goto cleanup;
-            }
-
-    if (mask & LDAP_REALM_PASSWDSERVERS)
-        for (i=0; rparams->passwdservers[i]; ++i)
-            if ((st=updateAttribute(ld, rparams->passwdservers[i], "krbRealmReferences", dn)) != 0) {
-                snprintf(errbuf, sizeof(errbuf),
-                         _("Error adding 'krbRealmReferences' to %s: "),
-                         rparams->passwdservers[i]);
-                prepend_err_str (context, errbuf, st, st);
-                /* delete Realm, status ignored intentionally */
-                ldap_delete_ext_s(ld, dn, NULL, NULL);
-                goto cleanup;
-            }
-#endif
-
 cleanup:
 
     if (dn)
@@ -1209,9 +806,6 @@ krb5_ldap_read_realm_params(krb5_context context, char *lrealm,
                             krb5_ldap_realm_params **rlparamp, int *mask)
 {
     char                   **values=NULL, *krbcontDN=NULL /*, *curr=NULL */;
-#ifdef HAVE_EDIRECTORY
-    unsigned int           count=0;
-#endif
     krb5_error_code        st=0, tempst=0;
     LDAP                   *ld=NULL;
     LDAPMessage            *result=NULL,*ent=NULL;
@@ -1349,32 +943,6 @@ krb5_ldap_read_realm_params(krb5_context context, char *lrealm,
             ldap_value_free(values);
         }
 
-#ifdef HAVE_EDIRECTORY
-
-        if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
-            count = ldap_count_values(values);
-            if ((st=copy_arrays(values, &(rlparams->kdcservers), (int) count)) != 0)
-                goto cleanup;
-            *mask |= LDAP_REALM_KDCSERVERS;
-            ldap_value_free(values);
-        }
-
-        if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) {
-            count = ldap_count_values(values);
-            if ((st=copy_arrays(values, &(rlparams->adminservers), (int) count)) != 0)
-                goto cleanup;
-            *mask |= LDAP_REALM_ADMINSERVERS;
-            ldap_value_free(values);
-        }
-
-        if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) {
-            count = ldap_count_values(values);
-            if ((st=copy_arrays(values, &(rlparams->passwdservers), (int) count)) != 0)
-                goto cleanup;
-            *mask |= LDAP_REALM_PASSWDSERVERS;
-            ldap_value_free(values);
-        }
-#endif
     }
     ldap_msgfree(result);
 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c
deleted file mode 100644 (file)
index 4bbaa56..0000000
+++ /dev/null
@@ -1,777 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c */
-/*
- * Copyright (c) 2004-2005, Novell, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- *   * Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *   * Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *   * The copyright holder's name is not used to endorse or promote products
- *       derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "ldap_main.h"
-#include "ldap_services.h"
-#include "ldap_err.h"
-
-/* NOTE: add appropriate rights for krbpasswordexpiration attribute */
-
-#ifdef HAVE_EDIRECTORY
-
-static char *kdcrights_subtree[][2] = {
-    {"1#subtree#","#[Entry Rights]"},
-    {"2#subtree#","#ObjectClass"},
-    {"2#subtree#","#krbTicketPolicyReference"},
-    {"2#subtree#","#krbUPEnabled"},
-    {"2#subtree#","#krbHostServer"},
-    {"2#subtree#","#krbRealmReferences"},
-    {"2#subtree#","#krbTicketFlags"},
-    {"2#subtree#","#krbMaxTicketLife"},
-    {"2#subtree#","#krbMaxRenewableAge"},
-    {"2#subtree#","#krbPrincipalName"},
-    {"2#subtree#","#krbPrincipalKey"},
-    {"2#subtree#","#krbPrincipalExpiration"},
-    {"2#subtree#","#krbPwdPolicyReference"},
-    {"2#subtree#","#krbMaxPwdLife"},
-    {"2#subtree#","#krbObjectReferences"},
-    {"2#subtree#","#krbLastPwdChange"},
-    {"2#subtree#","#krbLastAdminUnlock"},
-    {"6#subtree#","#krbExtraData"},
-    {"2#subtree#","#krbPasswordExpiration"},
-    {"6#subtree#","#krbLastFailedAuth"},
-    {"6#subtree#","#krbLoginFailedCount"},
-    {"6#subtree#","#krbLastSuccessfulAuth"},
-    { "", "" }
-};
-
-static char *adminrights_subtree[][2]={
-    {"15#subtree#","#[Entry Rights]"},
-    {"6#subtree#","#ObjectClass"},
-    {"6#subtree#","#krbTicketPolicyReference"},
-    {"6#subtree#","#krbUPEnabled"},
-    {"2#subtree#","#krbHostServer"},
-    {"2#subtree#","#krbRealmReferences"},
-    {"6#subtree#","#krbTicketFlags"},
-    {"6#subtree#","#krbMaxTicketLife"},
-    {"6#subtree#","#krbMaxRenewableAge"},
-    {"6#subtree#","#krbPrincipalName"},
-    {"6#subtree#","#krbPrincipalKey"},
-    {"6#subtree#","#krbPrincipalExpiration"},
-    {"6#subtree#","#krbPwdHistoryLength"},
-    {"6#subtree#","#krbMinPwdLife"},
-    {"6#subtree#","#krbMaxPwdLife"},
-    {"6#subtree#","#krbPwdMinDiffChars"},
-    {"6#subtree#","#krbPwdMinLength"},
-    {"6#subtree#","#krbPwdPolicyReference"},
-    {"6#subtree#","#krbLastPwdChange"},
-    {"6#subtree#","#krbLastAdminUnlock"},
-    {"6#subtree#","#krbObjectReferences"},
-    {"6#subtree#","#krbExtraData"},
-    {"6#subtree#","#krbPasswordExpiration"},
-    {"2#subtree#","#krbLastFailedAuth"},
-    {"2#subtree#","#krbLoginFailedCount"},
-    {"2#subtree#","#krbLastSuccessfulAuth"},
-    {"6#subtree#","#krbPwdMaxFailure"},
-    {"6#subtree#","#krbPwdFailureCountInterval"},
-    {"6#subtree#","#krbPwdLockoutDuration"},
-    { "","" }
-};
-
-static char *pwdrights_subtree[][2] = {
-    {"1#subtree#","#[Entry Rights]"},
-    {"2#subtree#","#ObjectClass"},
-    {"2#subtree#","#krbTicketPolicyReference"},
-    {"2#subtree#","#krbUPEnabled"},
-    {"2#subtree#","#krbHostServer"},
-    {"2#subtree#","#krbRealmReferences"},
-    {"6#subtree#","#krbTicketFlags"},
-    {"2#subtree#","#krbMaxTicketLife"},
-    {"2#subtree#","#krbMaxRenewableAge"},
-    {"2#subtree#","#krbPrincipalName"},
-    {"6#subtree#","#krbPrincipalKey"},
-    {"2#subtree#","#krbPrincipalExpiration"},
-    {"2#subtree#","#krbPwdHistoryLength"},
-    {"2#subtree#","#krbMinPwdLife"},
-    {"2#subtree#","#krbMaxPwdLife"},
-    {"2#subtree#","#krbPwdMinDiffChars"},
-    {"2#subtree#","#krbPwdMinLength"},
-    {"2#subtree#","#krbPwdPolicyReference"},
-    {"6#subtree#","#krbLastPwdChange"},
-    {"6#subtree#","#krbLastAdminUnlock"},
-    {"2#subtree#","#krbObjectReferences"},
-    {"6#subtree#","#krbExtraData"},
-    {"6#subtree#","#krbPasswordExpiration"},
-    {"2#subtree#","#krbLastFailedAuth"},
-    {"2#subtree#","#krbLoginFailedCount"},
-    {"2#subtree#","#krbLastSuccessfulAuth"},
-    {"2#subtree#","#krbPwdMaxFailure"},
-    {"2#subtree#","#krbPwdFailureCountInterval"},
-    {"2#subtree#","#krbPwdLockoutDuration"},
-    { "", "" }
-};
-
-static char *kdcrights_realmcontainer[][2]={
-    {"1#subtree#","#[Entry Rights]"},
-    {"2#subtree#","#CN"},
-    {"2#subtree#","#ObjectClass"},
-    {"2#subtree#","#krbTicketPolicyReference"},
-    {"2#subtree#","#krbMKey"},
-    {"2#subtree#","#krbUPEnabled"},
-    {"2#subtree#","#krbSubTrees"},
-    {"2#subtree#","#krbPrincContainerRef"},
-    {"2#subtree#","#krbSearchScope"},
-    {"2#subtree#","#krbLdapServers"},
-    {"2#subtree#","#krbKdcServers"},
-    {"2#subtree#","#krbAdmServers"},
-    {"2#subtree#","#krbPwdServers"},
-    {"2#subtree#","#krbTicketFlags"},
-    {"2#subtree#","#krbMaxTicketLife"},
-    {"2#subtree#","#krbMaxRenewableAge"},
-    {"2#subtree#","#krbPrincipalName"},
-    {"2#subtree#","#krbPrincipalKey"},
-    {"2#subtree#","#krbPrincipalExpiration"},
-    {"2#subtree#","#krbPwdPolicyReference"},
-    {"2#subtree#","#krbMaxPwdLife"},
-    {"2#subtree#","#krbObjectReferences"},
-    {"2#subtree#","#krbLastPwdChange"},
-    {"2#subtree#","#krbLastAdminUnlock"},
-    {"6#subtree#","#krbExtraData"},
-    {"2#subtree#","#krbPasswordExpiration"},
-    {"2#subtree#","#krbDefaultEncSaltTypes"},
-    {"6#subtree#","#krbLastFailedAuth"},
-    {"6#subtree#","#krbLoginFailedCount"},
-    {"6#subtree#","#krbLastSuccessfulAuth"},
-    { "", "" }
-};
-
-
-static char *adminrights_realmcontainer[][2]={
-    {"15#subtree#","#[Entry Rights]"},
-    {"6#subtree#","#CN"},
-    {"6#subtree#","#ObjectClass"},
-    {"6#subtree#","#krbTicketPolicyReference"},
-    {"2#subtree#","#krbMKey"},
-    {"6#subtree#","#krbUPEnabled"},
-    {"2#subtree#","#krbSubTrees"},
-    {"2#subtree#","#krbPrincContainerRef"},
-    {"2#subtree#","#krbSearchScope"},
-    {"2#subtree#","#krbLdapServers"},
-    {"2#subtree#","#krbKdcServers"},
-    {"2#subtree#","#krbAdmServers"},
-    {"2#subtree#","#krbPwdServers"},
-    {"6#subtree#","#krbTicketFlags"},
-    {"6#subtree#","#krbMaxTicketLife"},
-    {"6#subtree#","#krbMaxRenewableAge"},
-    {"6#subtree#","#krbPrincipalName"},
-    {"6#subtree#","#krbPrincipalKey"},
-    {"6#subtree#","#krbPrincipalExpiration"},
-    {"6#subtree#","#krbPwdHistoryLength"},
-    {"6#subtree#","#krbMinPwdLife"},
-    {"6#subtree#","#krbMaxPwdLife"},
-    {"6#subtree#","#krbPwdMinDiffChars"},
-    {"6#subtree#","#krbPwdMinLength"},
-    {"6#subtree#","#krbPwdPolicyReference"},
-    {"6#subtree#","#krbLastPwdChange"},
-    {"6#subtree#","#krbLastAdminUnlock"},
-    {"6#subtree#","#krbObjectReferences"},
-    {"6#subtree#","#krbExtraData"},
-    {"6#subtree#","#krbPasswordExpiration"},
-    {"6#subtree#","#krbDefaultEncSaltTypes"},
-    {"2#subtree#","#krbLastFailedAuth"},
-    {"2#subtree#","#krbLoginFailedCount"},
-    {"2#subtree#","#krbLastSuccessfulAuth"},
-    {"6#subtree#","#krbPwdMaxFailure"},
-    {"6#subtree#","#krbPwdFailureCountInterval"},
-    {"6#subtree#","#krbPwdLockoutDuration"},
-    { "","" }
-};
-
-
-static char *pwdrights_realmcontainer[][2]={
-    {"1#subtree#","#[Entry Rights]"},
-    {"2#subtree#","#CN"},
-    {"2#subtree#","#ObjectClass"},
-    {"2#subtree#","#krbTicketPolicyReference"},
-    {"2#subtree#","#krbMKey"},
-    {"2#subtree#","#krbUPEnabled"},
-    {"2#subtree#","#krbSubTrees"},
-    {"2#subtree#","#krbPrincContainerRef"},
-    {"2#subtree#","#krbSearchScope"},
-    {"2#subtree#","#krbLdapServers"},
-    {"2#subtree#","#krbKdcServers"},
-    {"2#subtree#","#krbAdmServers"},
-    {"2#subtree#","#krbPwdServers"},
-    {"6#subtree#","#krbTicketFlags"},
-    {"2#subtree#","#krbMaxTicketLife"},
-    {"2#subtree#","#krbMaxRenewableAge"},
-    {"2#subtree#","#krbPrincipalName"},
-    {"6#subtree#","#krbPrincipalKey"},
-    {"2#subtree#","#krbPrincipalExpiration"},
-    {"2#subtree#","#krbPwdHistoryLength"},
-    {"2#subtree#","#krbMinPwdLife"},
-    {"2#subtree#","#krbMaxPwdLife"},
-    {"2#subtree#","#krbPwdMinDiffChars"},
-    {"2#subtree#","#krbPwdMinLength"},
-    {"2#subtree#","#krbPwdPolicyReference"},
-    {"2#subtree#","#krbLastPwdChange"},
-    {"2#subtree#","#krbLastAdminUnlock"},
-    {"2#subtree#","#krbObjectReferences"},
-    {"6#subtree#","#krbExtraData"},
-    {"6#subtree#","#krbPasswordExpiration"},
-    {"2#subtree#","#krbDefaultEncSaltTypes"},
-    {"2#subtree#","#krbLastFailedAuth"},
-    {"2#subtree#","#krbLoginFailedCount"},
-    {"2#subtree#","#krbLastSuccessfulAuth"},
-    {"2#subtree#","#krbPwdMaxFailure"},
-    {"2#subtree#","#krbPwdFailureCountInterval"},
-    {"2#subtree#","#krbPwdLockoutDuration"},
-    { "", "" }
-};
-
-static char *security_container[][2] = {
-    {"1#subtree#","#[Entry Rights]"},
-    {"2#subtree#","#krbContainerReference"},
-    { "", "" }
-};
-
-static char *kerberos_container[][2] = {
-    {"1#subtree#","#[Entry Rights]"},
-    {"2#subtree#","#krbTicketPolicyReference"},
-    { "", "" }
-};
-
-
-/*
- * This will set the rights for the Kerberos service objects.
- * The function will read the subtree attribute from the specified
- * realm name and will the appropriate rights on both the realm
- * container and the subtree. The kerberos context passed should
- * have a valid ldap handle, with appropriate rights to write acl
- * attributes.
- *
- * krb5_context - IN The Kerberos context with valid ldap handle
- *
- */
-
-krb5_error_code
-krb5_ldap_add_service_rights(krb5_context context, int servicetype,
-                             char *serviceobjdn, char *realmname,
-                             char **subtreeparam, char *contref, int mask)
-{
-
-    int                    st=0,i=0,j=0;
-    char                   *realmacls[2]={NULL}, *subtreeacls[2]={NULL}, *seccontacls[2]={NULL}, *krbcontacls[2]={NULL};
-    LDAP                   *ld;
-    LDAPMod                realmclass, subtreeclass, seccontclass, krbcontclass;
-    LDAPMod                *realmarr[3]={NULL}, *subtreearr[3]={NULL}, *seccontarr[3]={NULL}, *krbcontarr[3]={NULL};
-    char                   *realmdn=NULL, **subtree=NULL;
-    kdb5_dal_handle        *dal_handle=NULL;
-    krb5_ldap_context      *ldap_context=NULL;
-    krb5_ldap_server_handle *ldap_server_handle=NULL;
-    int                     subtreecount=0;
-
-    SETUP_CONTEXT();
-    GET_HANDLE();
-
-    if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
-        || (ldap_context->krbcontainer->DN == NULL)) {
-        st=-1;
-        goto cleanup;
-    }
-
-    if (subtreeparam != NULL) {
-        while(subtreeparam[subtreecount])
-            subtreecount++;
-    }
-    if (contref != NULL) {
-        subtreecount++;
-    }
-
-    if (subtreecount) {
-        subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
-        if(subtree == NULL) {
-            st = ENOMEM;
-            goto cleanup;
-        }
-        memset(subtree, 0, sizeof(char *) * (subtreecount + 1));
-        if (subtreeparam != NULL) {
-            for(i=0; subtreeparam[i]!=NULL; i++) {
-                subtree[i] = strdup(subtreeparam[i]);
-                if(subtree[i] == NULL) {
-                    st = ENOMEM;
-                    goto cleanup;
-                }
-            }
-        }
-        if (contref != NULL) {
-            subtree[i] = strdup(contref);
-        }
-    }
-
-    /* Set the rights for the realm */
-    if (mask & LDAP_REALM_RIGHTS) {
-
-        /* Set the rights for the service object on the security container */
-        seccontclass.mod_op = LDAP_MOD_ADD;
-        seccontclass.mod_type = "ACL";
-
-        for (i=0; strcmp(security_container[i][0], "") != 0; i++) {
-
-            asprintf(&seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn,
-                     security_container[i][1]);
-            seccontclass.mod_values = seccontacls;
-
-            seccontarr[0] = &seccontclass;
-
-            st = ldap_modify_ext_s(ld,
-                                   SECURITY_CONTAINER,
-                                   seccontarr,
-                                   NULL,
-                                   NULL);
-            if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
-                free(seccontacls[0]);
-                st = set_ldap_error (context, st, OP_MOD);
-                goto cleanup;
-            }
-            free(seccontacls[0]);
-        }
-
-
-        /* Set the rights for the service object on the kerberos container */
-        krbcontclass.mod_op = LDAP_MOD_ADD;
-        krbcontclass.mod_type = "ACL";
-
-        for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) {
-            asprintf(&krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn,
-                     kerberos_container[i][1]);
-            krbcontclass.mod_values = krbcontacls;
-
-            krbcontarr[0] = &krbcontclass;
-
-            st = ldap_modify_ext_s(ld,
-                                   ldap_context->krbcontainer->DN,
-                                   krbcontarr,
-                                   NULL,
-                                   NULL);
-            if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
-                free(krbcontacls[0]);
-                st = set_ldap_error (context, st, OP_MOD);
-                goto cleanup;
-            }
-            free(krbcontacls[0]);
-        }
-
-        /* Construct the realm dn from realm name */
-        asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
-
-        realmclass.mod_op = LDAP_MOD_ADD;
-        realmclass.mod_type = "ACL";
-
-        if (servicetype == LDAP_KDC_SERVICE) {
-            for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
-                asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
-                         kdcrights_realmcontainer[i][1]);
-                realmclass.mod_values = realmacls;
-
-                realmarr[0] = &realmclass;
-
-                st = ldap_modify_ext_s(ld,
-                                       realmdn,
-                                       realmarr,
-                                       NULL,
-                                       NULL);
-                if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
-                    free(realmacls[0]);
-                    st = set_ldap_error (context, st, OP_MOD);
-                    goto cleanup;
-                }
-                free(realmacls[0]);
-            }
-        } else if (servicetype == LDAP_ADMIN_SERVICE) {
-            for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
-                asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
-                         adminrights_realmcontainer[i][1]);
-                realmclass.mod_values = realmacls;
-
-                realmarr[0] = &realmclass;
-
-                st = ldap_modify_ext_s(ld,
-                                       realmdn,
-                                       realmarr,
-                                       NULL,
-                                       NULL);
-                if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
-                    free(realmacls[0]);
-                    st = set_ldap_error (context, st, OP_MOD);
-                    goto cleanup;
-                }
-                free(realmacls[0]);
-            }
-        } else if (servicetype == LDAP_PASSWD_SERVICE) {
-            for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) {
-                asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
-                         pwdrights_realmcontainer[i][1]);
-                realmclass.mod_values = realmacls;
-
-                realmarr[0] = &realmclass;
-
-
-                st = ldap_modify_ext_s(ld,
-                                       realmdn,
-                                       realmarr,
-                                       NULL,
-                                       NULL);
-                if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
-                    free(realmacls[0]);
-                    st = set_ldap_error (context, st, OP_MOD);
-                    goto cleanup;
-                }
-                free(realmacls[0]);
-            }
-        }
-    } /* Realm rights settings ends here */
-
-
-    /* Subtree rights to be set */
-    if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) {
-        /* Populate the acl data to be added to the subtree */
-        subtreeclass.mod_op = LDAP_MOD_ADD;
-        subtreeclass.mod_type = "ACL";
-
-        if (servicetype == LDAP_KDC_SERVICE) {
-            for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
-                asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
-                         kdcrights_subtree[i][1]);
-                subtreeclass.mod_values = subtreeacls;
-
-                subtreearr[0] = &subtreeclass;
-
-                /* set rights to a list of subtrees */
-                for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
-                    st = ldap_modify_ext_s(ld,
-                                           subtree[j],
-                                           subtreearr,
-                                           NULL,
-                                           NULL);
-                    if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
-                        free(subtreeacls[0]);
-                        st = set_ldap_error (context, st, OP_MOD);
-                        goto cleanup;
-                    }
-                }
-                free(subtreeacls[0]);
-            }
-        } else if (servicetype == LDAP_ADMIN_SERVICE) {
-            for (i=0; strcmp(adminrights_subtree[i][0], "")!=0; i++) {
-                asprintf(&subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
-                         adminrights_subtree[i][1]);
-                subtreeclass.mod_values = subtreeacls;
-
-                subtreearr[0] = &subtreeclass;
-
-                /* set rights to a list of subtrees */
-                for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
-                    st = ldap_modify_ext_s(ld,
-                                           subtree[j],
-                                           subtreearr,
-                                           NULL,
-                                           NULL);
-                    if (st != LDAP_SUCCESS && st !=LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
-                        free(subtreeacls[0]);
-                        st = set_ldap_error (context, st, OP_MOD);
-                        goto cleanup;
-                    }
-                }
-                free(subtreeacls[0]);
-            }
-        } else if (servicetype == LDAP_PASSWD_SERVICE) {
-            for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
-                asprintf(&subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
-                         pwdrights_subtree[i][1]);
-                subtreeclass.mod_values = subtreeacls;
-
-                subtreearr[0] = &subtreeclass;
-
-                /* set rights to a list of subtrees */
-                for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
-                    st = ldap_modify_ext_s(ld,
-                                           subtree[j],
-                                           subtreearr,
-                                           NULL,
-                                           NULL);
-                    if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
-                        free(subtreeacls[0]);
-                        st = set_ldap_error (context, st, OP_MOD);
-                        goto cleanup;
-                    }
-                }
-                free(subtreeacls[0]);
-            }
-        }
-    } /* Subtree rights settings ends here */
-    st = 0;
-
-cleanup:
-
-    if (realmdn)
-        free(realmdn);
-
-    if (subtree)
-        free(subtree);
-
-    krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
-    return st;
-}
-
-
-/*
-  This will set the rights for the Kerberos service objects.
-  The function will read the subtree attribute from the specified
-  realm name and will the appropriate rights on both the realm
-  container and the subtree. The kerberos context passed should
-  have a valid ldap handle, with appropriate rights to write acl
-  attributes.
-
-  krb5_context - IN The Kerberos context with valid ldap handle
-
-*/
-
-krb5_error_code
-krb5_ldap_delete_service_rights(krb5_context context, int servicetype,
-                                char *serviceobjdn, char *realmname,
-                                char **subtreeparam, char *contref, int mask)
-{
-
-    int                    st=0,i=0,j=0;
-    char                   *realmacls[2] = { NULL }, *subtreeacls[2] = { NULL };
-    LDAP                   *ld;
-    LDAPMod                realmclass, subtreeclass;
-    LDAPMod                *realmarr[3] = { NULL }, *subtreearr[3] = { NULL };
-    char                   *realmdn=NULL;
-    char                   **subtree=NULL;
-    kdb5_dal_handle        *dal_handle=NULL;
-    krb5_ldap_context      *ldap_context=NULL;
-    krb5_ldap_server_handle *ldap_server_handle=NULL;
-    int                     subtreecount = 0;
-
-    SETUP_CONTEXT();
-    GET_HANDLE();
-
-    if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
-        || (ldap_context->krbcontainer->DN == NULL)) {
-        st = -1;
-        goto cleanup;
-    }
-
-    if (subtreeparam != NULL) {
-        while(subtreeparam[subtreecount])
-            subtreecount++;
-    }
-    if (contref != NULL) {
-        subtreecount++;
-    }
-
-    if (subtreecount) {
-        subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
-        if(subtree == NULL) {
-            st = ENOMEM;
-            goto cleanup;
-        }
-        memset(subtree, 0, sizeof(char *) * (subtreecount + 1));
-        if (subtreeparam != NULL) {
-            for(i=0; subtreeparam[i]!=NULL; i++) {
-                subtree[i] = strdup(subtreeparam[i]);
-                if(subtree[i] == NULL) {
-                    st = ENOMEM;
-                    goto cleanup;
-                }
-            }
-        }
-        if (contref != NULL) {
-            subtree[i] = strdup(contref);
-        }
-    }
-
-
-    /* Set the rights for the realm */
-    if (mask & LDAP_REALM_RIGHTS) {
-
-        asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
-
-        realmclass.mod_op=LDAP_MOD_DELETE;
-        realmclass.mod_type="ACL";
-
-        if (servicetype == LDAP_KDC_SERVICE) {
-            for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
-                asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
-                         kdcrights_realmcontainer[i][1]);
-                realmclass.mod_values= realmacls;
-
-                realmarr[0]=&realmclass;
-
-                st = ldap_modify_ext_s(ld,
-                                       realmdn,
-                                       realmarr,
-                                       NULL,
-                                       NULL);
-                if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
-                    free(realmacls[0]);
-                    st = set_ldap_error (context, st, OP_MOD);
-                    goto cleanup;
-                }
-                free(realmacls[0]);
-            }
-        } else if (servicetype == LDAP_ADMIN_SERVICE) {
-            for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
-                asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
-                         adminrights_realmcontainer[i][1]);
-                realmclass.mod_values= realmacls;
-
-                realmarr[0]=&realmclass;
-
-                st = ldap_modify_ext_s(ld,
-                                       realmdn,
-                                       realmarr,
-                                       NULL,
-                                       NULL);
-                if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
-                    free(realmacls[0]);
-                    st = set_ldap_error (context, st, OP_MOD);
-                    goto cleanup;
-                }
-                free(realmacls[0]);
-            }
-        } else if (servicetype == LDAP_PASSWD_SERVICE) {
-            for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) {
-                asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
-                         pwdrights_realmcontainer[i][1]);
-                realmclass.mod_values= realmacls;
-
-                realmarr[0]=&realmclass;
-
-                st = ldap_modify_ext_s(ld,
-                                       realmdn,
-                                       realmarr,
-                                       NULL,
-                                       NULL);
-                if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
-                    free(realmacls[0]);
-                    st = set_ldap_error (context, st, OP_MOD);
-                    goto cleanup;
-                }
-                free(realmacls[0]);
-            }
-        }
-
-    } /* Realm rights setting ends here */
-
-
-    /* Set the rights for the subtree */
-    if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) {
-
-        /* Populate the acl data to be added to the subtree */
-        subtreeclass.mod_op=LDAP_MOD_DELETE;
-        subtreeclass.mod_type="ACL";
-
-        if (servicetype == LDAP_KDC_SERVICE) {
-            for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
-                asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
-                         kdcrights_subtree[i][1]);
-                subtreeclass.mod_values= subtreeacls;
-
-                subtreearr[0]=&subtreeclass;
-
-                for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
-                    st = ldap_modify_ext_s(ld,
-                                           subtree[j],
-                                           subtreearr,
-                                           NULL,
-                                           NULL);
-                    if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
-                        free(subtreeacls[0]);
-                        st = set_ldap_error (context, st, OP_MOD);
-                        goto cleanup;
-                    }
-                }
-                free(subtreeacls[0]);
-            }
-        } else if (servicetype == LDAP_ADMIN_SERVICE) {
-            for (i=0; strcmp(adminrights_subtree[i][0], "") != 0; i++) {
-                asprintf(&subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
-                         adminrights_subtree[i][1]);
-                subtreeclass.mod_values= subtreeacls;
-
-                subtreearr[0]=&subtreeclass;
-
-                for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
-                    st = ldap_modify_ext_s(ld,
-                                           subtree[j],
-                                           subtreearr,
-                                           NULL,
-                                           NULL);
-                    if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
-                        free(subtreeacls[0]);
-                        st = set_ldap_error (context, st, OP_MOD);
-                        goto cleanup;
-                    }
-                }
-                free(subtreeacls[0]);
-            }
-        } else if (servicetype == LDAP_PASSWD_SERVICE) {
-            for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
-                asprintf(&subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
-                         pwdrights_subtree[i][1]);
-                subtreeclass.mod_values= subtreeacls;
-
-                subtreearr[0]=&subtreeclass;
-
-                for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
-                    st = ldap_modify_ext_s(ld,
-                                           subtree[j],
-                                           subtreearr,
-                                           NULL,
-                                           NULL);
-                    if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
-                        free(subtreeacls[0]);
-                        st = set_ldap_error (context, st, OP_MOD);
-                        goto cleanup;
-                    }
-                }
-                free(subtreeacls[0]);
-            }
-        }
-    } /* Subtree rights setting ends here */
-
-    st = 0;
-
-cleanup:
-
-    if (realmdn)
-        free(realmdn);
-
-    if (subtree)
-        free(subtree);
-
-    krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
-    return st;
-}
-
-#endif
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c
deleted file mode 100644 (file)
index 13abd0d..0000000
+++ /dev/null
@@ -1,588 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* plugins/kdb/ldap/libkdb_ldap/ldap_services.c */
-/*
- * Copyright (c) 2004-2005, Novell, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- *   * Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *   * Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *   * The copyright holder's name is not used to endorse or promote products
- *       derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "ldap_main.h"
-#include "kdb_ldap.h"
-#include "ldap_services.h"
-#include "ldap_err.h"
-
-#if defined(HAVE_EDIRECTORY)
-
-static char *realmcontclass[] = {"krbRealmContainer", NULL};
-
-/*
- * create the service object from Directory
- */
-
-krb5_error_code
-krb5_ldap_create_service(krb5_context context,
-                         krb5_ldap_service_params *service, int mask)
-{
-    int                         i=0, j=0;
-    krb5_error_code             st=0;
-    LDAP                        *ld=NULL;
-    char                        **rdns=NULL, *realmattr=NULL, *strval[3]={NULL};
-    LDAPMod                     **mods=NULL;
-    kdb5_dal_handle             *dal_handle=NULL;
-    krb5_ldap_context           *ldap_context=NULL;
-    krb5_ldap_server_handle     *ldap_server_handle=NULL;
-    char                        errbuf[1024];
-
-    /* validate the input parameter */
-    if (service == NULL || service->servicedn == NULL) {
-        st = EINVAL;
-        krb5_set_error_message (context, st, "Service DN NULL");
-        goto cleanup;
-    }
-
-    SETUP_CONTEXT();
-    GET_HANDLE();
-
-    /* identify the class that the object should belong to. This depends on the servicetype */
-    memset(strval, 0, sizeof(strval));
-    strval[0] = "krbService";
-    if (service->servicetype == LDAP_KDC_SERVICE) {
-        strval[1] = "krbKdcService";
-        realmattr = "krbKdcServers";
-    } else if (service->servicetype == LDAP_ADMIN_SERVICE) {
-        strval[1] = "krbAdmService";
-        realmattr = "krbAdmServers";
-    } else if (service->servicetype == LDAP_PASSWD_SERVICE) {
-        strval[1] = "krbPwdService";
-        realmattr = "krbPwdServers";
-    } else {
-        strval[1] = "krbKdcService";
-        realmattr = "krbKdcServers";
-    }
-    if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
-        goto cleanup;
-
-    rdns = ldap_explode_dn(service->servicedn, 1);
-    if (rdns == NULL) {
-        st = LDAP_INVALID_DN_SYNTAX;
-        goto cleanup;
-    }
-    memset(strval, 0, sizeof(strval));
-    strval[0] = rdns[0];
-    if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
-        goto cleanup;
-
-    if (mask & LDAP_SERVICE_SERVICEFLAG) {
-        if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_ADD,
-                                          service->krbserviceflags)) != 0)
-            goto cleanup;
-    }
-
-    if (mask & LDAP_SERVICE_HOSTSERVER) {
-        if (service->krbhostservers != NULL) {
-            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_ADD,
-                                              service->krbhostservers)) != 0)
-                goto cleanup;
-        } else {
-            st = EINVAL;
-            krb5_set_error_message(context, st,
-                                   _("'krbhostserver' argument invalid"));
-            goto cleanup;
-        }
-    }
-
-    if (mask & LDAP_SERVICE_REALMREFERENCE) {
-        if (service->krbrealmreferences != NULL) {
-            unsigned int realmmask=0;
-
-            /* check for the validity of the values */
-            for (j=0; service->krbrealmreferences[j] != NULL; ++j) {
-                st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass",
-                                         realmcontclass, &realmmask);
-                CHECK_CLASS_VALIDITY(st, realmmask, _("realm object value: "));
-            }
-            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_ADD,
-                                              service->krbrealmreferences)) != 0)
-                goto cleanup;
-        } else {
-            st = EINVAL;
-            krb5_set_error_message(context, st,
-                                   _("Server has no 'krbrealmreferences'"));
-            goto cleanup;
-        }
-    }
-
-    /* ldap add operation */
-    if ((st=ldap_add_ext_s(ld, service->servicedn, mods, NULL, NULL)) != LDAP_SUCCESS) {
-        st = set_ldap_error (context, st, OP_ADD);
-        goto cleanup;
-    }
-
-    /*
-     * If the service created has realm/s associated with it, then the realm should be updated
-     * to have a reference to the service object just created.
-     */
-    if (mask & LDAP_SERVICE_REALMREFERENCE) {
-        for (i=0; service->krbrealmreferences[i]; ++i) {
-            if ((st=updateAttribute(ld, service->krbrealmreferences[i], realmattr,
-                                    service->servicedn)) != 0) {
-                snprintf(errbuf, sizeof(errbuf),
-                         _("Error adding 'krbRealmReferences' to %s: "),
-                         service->krbrealmreferences[i]);
-                prepend_err_str(context, errbuf, st, st);
-                /* delete service object, status ignored intentionally */
-                ldap_delete_ext_s(ld, service->servicedn, NULL, NULL);
-                goto cleanup;
-            }
-        }
-    }
-
-cleanup:
-
-    if (rdns)
-        ldap_value_free (rdns);
-
-    ldap_mods_free(mods, 1);
-    krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
-    return st;
-}
-
-
-/*
- * modify the service object from Directory
- */
-
-krb5_error_code
-krb5_ldap_modify_service(krb5_context context,
-                         krb5_ldap_service_params *service, int mask)
-{
-    int                         i=0, j=0, count=0;
-    krb5_error_code             st=0;
-    LDAP                        *ld=NULL;
-    char                        **values=NULL, *attr[] = { "krbRealmReferences", NULL};
-    char                        *realmattr=NULL;
-    char                        **oldrealmrefs=NULL, **newrealmrefs=NULL;
-    LDAPMod                     **mods=NULL;
-    LDAPMessage                 *result=NULL, *ent=NULL;
-    kdb5_dal_handle             *dal_handle=NULL;
-    krb5_ldap_context           *ldap_context=NULL;
-    krb5_ldap_server_handle     *ldap_server_handle=NULL;
-
-    /* validate the input parameter */
-    if (service == NULL || service->servicedn == NULL) {
-        st = EINVAL;
-        krb5_set_error_message(context, st, _("Service DN is NULL"));
-        goto cleanup;
-    }
-
-    SETUP_CONTEXT();
-    GET_HANDLE();
-
-    if (mask & LDAP_SERVICE_SERVICEFLAG) {
-        if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_REPLACE,
-                                          service->krbserviceflags)) != 0)
-            goto cleanup;
-    }
-
-    if (mask & LDAP_SERVICE_HOSTSERVER) {
-        if (service->krbhostservers != NULL) {
-            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_REPLACE,
-                                              service->krbhostservers)) != 0)
-                goto cleanup;
-        } else {
-            st = EINVAL;
-            krb5_set_error_message (context, st, "'krbhostserver' value invalid");
-            goto cleanup;
-        }
-    }
-
-    if (mask & LDAP_SERVICE_REALMREFERENCE) {
-        if (service->krbrealmreferences != NULL) {
-            unsigned int realmmask=0;
-
-            /* check for the validity of the values */
-            for (j=0; service->krbrealmreferences[j]; ++j) {
-                st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass",
-                                         realmcontclass, &realmmask);
-                CHECK_CLASS_VALIDITY(st, realmmask, _("realm object value: "));
-            }
-            if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_REPLACE,
-                                              service->krbrealmreferences)) != 0)
-                goto cleanup;
-
-
-            /* get the attribute of the realm to be set */
-            if (service->servicetype == LDAP_KDC_SERVICE)
-                realmattr = "krbKdcServers";
-            else if (service->servicetype == LDAP_ADMIN_SERVICE)
-                realmattr = "krbAdmservers";
-            else if (service->servicetype == LDAP_PASSWD_SERVICE)
-                realmattr = "krbPwdServers";
-            else
-                realmattr = "krbKdcServers";
-
-            /* read the existing list of krbRealmreferences. this will needed  */
-            if ((st = ldap_search_ext_s (ld,
-                                         service->servicedn,
-                                         LDAP_SCOPE_BASE,
-                                         0,
-                                         attr,
-                                         0,
-                                         NULL,
-                                         NULL,
-                                         NULL,
-                                         0,
-                                         &result)) != LDAP_SUCCESS) {
-                st = set_ldap_error (context, st, OP_SEARCH);
-                goto cleanup;
-            }
-
-            ent = ldap_first_entry(ld, result);
-            if (ent) {
-                if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) {
-                    count = ldap_count_values(values);
-                    if ((st=copy_arrays(values, &oldrealmrefs, count)) != 0)
-                        goto cleanup;
-                    ldap_value_free(values);
-                }
-            }
-            ldap_msgfree(result);
-        } else {
-            st = EINVAL;
-            krb5_set_error_message(context, st,
-                                   _("'krbRealmReferences' value invalid"));
-            goto cleanup;
-        }
-    }
-
-    /* ldap modify operation */
-    if ((st=ldap_modify_ext_s(ld, service->servicedn, mods, NULL, NULL)) != LDAP_SUCCESS) {
-        st = set_ldap_error (context, st, OP_MOD);
-        goto cleanup;
-    }
-
-    /*
-     * If the service modified had realm/s associations changed, then the realm should be
-     * updated to reflect the changes.
-     */
-
-    if (mask & LDAP_SERVICE_REALMREFERENCE) {
-        /* get the count of the new list of krbrealmreferences */
-        for (i=0; service->krbrealmreferences[i]; ++i)
-            ;
-
-        /* make a new copy of the krbrealmreferences */
-        if ((st=copy_arrays(service->krbrealmreferences, &newrealmrefs, i)) != 0)
-            goto cleanup;
-
-        /* find the deletions/additions to the list of krbrealmreferences */
-        if (disjoint_members(oldrealmrefs, newrealmrefs) != 0)
-            goto cleanup;
-
-        /* see if some of the attributes have to be deleted */
-        if (oldrealmrefs) {
-
-            /* update the dn represented by the attribute that is to be deleted */
-            for (i=0; oldrealmrefs[i]; ++i)
-                if ((st=deleteAttribute(ld, oldrealmrefs[i], realmattr, service->servicedn)) != 0) {
-                    prepend_err_str(context,
-                                    _("Error deleting realm attribute:"), st,
-                                    st);
-                    goto cleanup;
-                }
-        }
-
-        /* see if some of the attributes have to be added */
-        for (i=0; newrealmrefs[i]; ++i)
-            if ((st=updateAttribute(ld, newrealmrefs[i], realmattr, service->servicedn)) != 0) {
-                prepend_err_str(context, _("Error updating realm attribute: "),
-                                st, st);
-                goto cleanup;
-            }
-    }
-
-cleanup:
-
-    if (oldrealmrefs) {
-        for (i=0; oldrealmrefs[i]; ++i)
-            free (oldrealmrefs[i]);
-        free (oldrealmrefs);
-    }
-
-    if (newrealmrefs) {
-        for (i=0; newrealmrefs[i]; ++i)
-            free (newrealmrefs[i]);
-        free (newrealmrefs);
-    }
-
-    ldap_mods_free(mods, 1);
-    krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
-    return st;
-}
-
-
-krb5_error_code
-krb5_ldap_delete_service(krb5_context context,
-                         krb5_ldap_service_params *service, char *servicedn)
-{
-    krb5_error_code             st = 0;
-    LDAP                        *ld=NULL;
-    kdb5_dal_handle             *dal_handle=NULL;
-    krb5_ldap_context           *ldap_context=NULL;
-    krb5_ldap_server_handle     *ldap_server_handle=NULL;
-
-    SETUP_CONTEXT();
-    GET_HANDLE();
-
-    st = ldap_delete_ext_s(ld, servicedn, NULL, NULL);
-    if (st != 0) {
-        st = set_ldap_error (context, st, OP_DEL);
-    }
-
-    /* NOTE: This should be removed now as the backlinks are going off in OpenLDAP */
-    /* time to delete krbrealmreferences. This is only for OpenLDAP */
-#ifndef HAVE_EDIRECTORY
-    {
-        int                         i=0;
-        char                        *attr=NULL;
-
-        if (service) {
-            if (service->krbrealmreferences) {
-                if (service->servicetype == LDAP_KDC_SERVICE)
-                    attr = "krbkdcservers";
-                else if (service->servicetype == LDAP_ADMIN_SERVICE)
-                    attr = "krbadmservers";
-                else if (service->servicetype == LDAP_PASSWD_SERVICE)
-                    attr = "krbpwdservers";
-
-                for (i=0; service->krbrealmreferences[i]; ++i) {
-                    deleteAttribute(ld, service->krbrealmreferences[i], attr, servicedn);
-                }
-            }
-        }
-    }
-#endif
-
-cleanup:
-
-    krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
-    return st;
-}
-
-
-/*
- * This function lists service objects from Directory
- */
-
-krb5_error_code
-krb5_ldap_list_services(krb5_context context, char *containerdn,
-                        char ***services)
-{
-    return (krb5_ldap_list(context, services, "krbService", containerdn));
-}
-
-/*
- * This function reads the service object from Directory
- */
-krb5_error_code
-krb5_ldap_read_service(krb5_context context, char *servicedn,
-                       krb5_ldap_service_params **service, int *omask)
-{
-    char                        **values=NULL;
-    int                         i=0, count=0, objectmask=0;
-    krb5_error_code             st=0, tempst=0;
-    LDAPMessage                 *result=NULL,*ent=NULL;
-    char                        *attributes[] = {"krbHostServer", "krbServiceflags",
-                                                 "krbRealmReferences", "objectclass", NULL};
-    char                        *attrvalues[] = {"krbService", NULL};
-    krb5_ldap_service_params    *lservice=NULL;
-    krb5_ldap_context           *ldap_context=NULL;
-    kdb5_dal_handle             *dal_handle=NULL;
-    krb5_ldap_server_handle     *ldap_server_handle=NULL;
-    LDAP                        *ld = NULL;
-
-    /* validate the input parameter */
-    if (servicedn == NULL) {
-        st = EINVAL;
-        krb5_set_error_message(context, st, _("Service DN NULL"));
-        goto cleanup;
-    }
-
-    SETUP_CONTEXT();
-    GET_HANDLE();
-
-    *omask = 0;
-
-    /* the policydn object should be of the krbService object class */
-    st = checkattributevalue(ld, servicedn, "objectClass", attrvalues, &objectmask);
-    CHECK_CLASS_VALIDITY(st, objectmask, _("service object value: "));
-
-    /* Initialize service structure */
-    lservice =(krb5_ldap_service_params *) calloc(1, sizeof(krb5_ldap_service_params));
-    if (lservice == NULL) {
-        st = ENOMEM;
-        goto cleanup;
-    }
-
-    /* allocate tl_data structure to store MASK information */
-    lservice->tl_data = calloc (1, sizeof(*lservice->tl_data));
-    if (lservice->tl_data == NULL) {
-        st = ENOMEM;
-        goto cleanup;
-    }
-    lservice->tl_data->tl_data_type = KDB_TL_USER_INFO;
-
-    LDAP_SEARCH(servicedn, LDAP_SCOPE_BASE, "(objectclass=krbService)", attributes);
-
-    lservice->servicedn = strdup(servicedn);
-    CHECK_NULL(lservice->servicedn);
-
-    ent=ldap_first_entry(ld, result);
-    if (ent != NULL) {
-
-        if ((values=ldap_get_values(ld, ent, "krbServiceFlags")) != NULL) {
-            lservice->krbserviceflags = atoi(values[0]);
-            *omask |= LDAP_SERVICE_SERVICEFLAG;
-            ldap_value_free(values);
-        }
-
-        if ((values=ldap_get_values(ld, ent, "krbHostServer")) != NULL) {
-            count = ldap_count_values(values);
-            if ((st=copy_arrays(values, &(lservice->krbhostservers), count)) != 0)
-                goto cleanup;
-            *omask |= LDAP_SERVICE_HOSTSERVER;
-            ldap_value_free(values);
-        }
-
-        if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) {
-            count = ldap_count_values(values);
-            if ((st=copy_arrays(values, &(lservice->krbrealmreferences), count)) != 0)
-                goto cleanup;
-            *omask |= LDAP_SERVICE_REALMREFERENCE;
-            ldap_value_free(values);
-        }
-
-        if ((values=ldap_get_values(ld, ent, "objectClass")) != NULL) {
-            for (i=0; values[i]; ++i) {
-                if (strcasecmp(values[i], "krbKdcService") == 0) {
-                    lservice->servicetype = LDAP_KDC_SERVICE;
-                    break;
-                }
-
-                if (strcasecmp(values[i], "krbAdmService") == 0) {
-                    lservice->servicetype = LDAP_ADMIN_SERVICE;
-                    break;
-                }
-
-                if (strcasecmp(values[i], "krbPwdService") == 0) {
-                    lservice->servicetype = LDAP_PASSWD_SERVICE;
-                    break;
-                }
-            }
-            ldap_value_free(values);
-        }
-    }
-    ldap_msgfree(result);
-
-cleanup:
-    if (st != 0) {
-        krb5_ldap_free_service(context, lservice);
-        *service = NULL;
-    } else {
-        store_tl_data(lservice->tl_data, KDB_TL_MASK, omask);
-        *service = lservice;
-    }
-
-    krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
-    return st;
-}
-
-/*
- * This function frees the krb5_ldap_service_params structure members.
- */
-
-krb5_error_code
-krb5_ldap_free_service(krb5_context context, krb5_ldap_service_params *service)
-{
-    int                         i=0;
-
-    if (service == NULL)
-        return 0;
-
-    if (service->servicedn)
-        free (service->servicedn);
-
-    if (service->krbrealmreferences) {
-        for (i=0; service->krbrealmreferences[i]; ++i)
-            free (service->krbrealmreferences[i]);
-        free (service->krbrealmreferences);
-    }
-
-    if (service->krbhostservers) {
-        for (i=0; service->krbhostservers[i]; ++i)
-            free (service->krbhostservers[i]);
-        free (service->krbhostservers);
-    }
-
-    if (service->tl_data) {
-        if (service->tl_data->tl_data_contents)
-            free (service->tl_data->tl_data_contents);
-        free (service->tl_data);
-    }
-
-    free (service);
-    return 0;
-}
-
-krb5_error_code
-krb5_ldap_set_service_passwd(krb5_context context, char *service, char *passwd)
-{
-    krb5_error_code             st=0;
-    LDAPMod                     **mods=NULL;
-    char                        *password[2] = {NULL};
-    LDAP                        *ld=NULL;
-    krb5_ldap_context           *ldap_context=NULL;
-    kdb5_dal_handle             *dal_handle=NULL;
-    krb5_ldap_server_handle     *ldap_server_handle=NULL;
-
-    password[0] = passwd;
-
-    SETUP_CONTEXT();
-    GET_HANDLE();
-
-    if ((st=krb5_add_str_mem_ldap_mod(&mods, "userPassword", LDAP_MOD_REPLACE, password)) != 0)
-        goto cleanup;
-
-    st = ldap_modify_ext_s(ld, service, mods, NULL, NULL);
-    if (st) {
-        st = set_ldap_error (context, st, OP_MOD);
-    }
-
-cleanup:
-    ldap_mods_free(mods, 1);
-    krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
-    return st;
-}
-#endif
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h
deleted file mode 100644 (file)
index ea40af2..0000000
+++ /dev/null
@@ -1,100 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* plugins/kdb/ldap/libkdb_ldap/ldap_services.h */
-/*
- * Copyright (c) 2004-2005, Novell, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- *   * Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *   * Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *   * The copyright holder's name is not used to endorse or promote products
- *       derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _LDAP_SERVICE_H
-#define _LDAP_SERVICE_H 1
-
-/* service specific mask */
-#define LDAP_SERVICE_SERVICEFLAG      0x0001
-#define LDAP_SERVICE_HOSTSERVER       0x0002
-#define LDAP_SERVICE_REALMREFERENCE   0x0004
-
-/* service type mask */
-#define LDAP_KDC_SERVICE              0x0001
-#define LDAP_ADMIN_SERVICE            0x0002
-#define LDAP_PASSWD_SERVICE           0x0004
-
-/* rights mask */
-#define LDAP_SUBTREE_RIGHTS           0x0001
-#define LDAP_REALM_RIGHTS             0x0002
-
-/* Types of service flags */
-#define SERVICE_FLAGS_AUTO_RESTART          0x0001
-#define SERVICE_FLAGS_CHECK_ADDRESSES       0x0002
-#define SERVICE_FLAGS_UNIXTIME_OLD_PATYPE   0x0004
-
-/* Service protocol type */
-#define SERVICE_PROTOCOL_TYPE_UDP     "0"
-#define SERVICE_PROTOCOL_TYPE_TCP     "1"
-
-typedef struct _krb5_ldap_service_params {
-    char            *servicedn;
-    int             servicetype;
-    int             krbserviceflags;
-    char            **krbhostservers;
-    char            **krbrealmreferences;
-    krb5_tl_data    *tl_data;
-} krb5_ldap_service_params;
-
-#ifdef HAVE_EDIRECTORY
-
-krb5_error_code
-krb5_ldap_read_service(krb5_context, char *, krb5_ldap_service_params **,
-                       int *);
-
-krb5_error_code
-krb5_ldap_create_service(krb5_context, krb5_ldap_service_params *, int);
-
-krb5_error_code
-krb5_ldap_modify_service(krb5_context, krb5_ldap_service_params *, int);
-
-krb5_error_code
-krb5_ldap_delete_service(krb5_context, krb5_ldap_service_params *, char *);
-
-krb5_error_code
-krb5_ldap_list_services(krb5_context, char *, char ***);
-
-krb5_error_code
-krb5_ldap_free_service(krb5_context, krb5_ldap_service_params *);
-
-
-krb5_error_code
-krb5_ldap_set_service_passwd(krb5_context, char *, char *);
-
-krb5_error_code
-krb5_ldap_add_service_rights(krb5_context, int, char *, char *, char **,
-                             char *, int);
-
-krb5_error_code
-krb5_ldap_delete_service_rights(krb5_context, int, char *, char *, char **,
-                                char *, int);
-#endif
-
-#endif