the intermediate realms which may be used in cross-realm
authentication. It is also used by the end-service when checking the
transited field for trusted intermediate realms.
+
+.IP [dbdefaults]
+Contains default values for database specific parameters.
+
+.IP [dbmodules]
+Contains database specific parameters used by the database library.
.PP
Each of these sections will be covered in more details in the following
sections.
ATHENA.MIT.EDU = {
admin_server = KERBEROS.MIT.EDU
default_domain = MIT.EDU
+ database_module = ldapconf
v4_instance_convert = {
mit = mit.edu
lithium = lithium.lcs.mit.edu
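Review bot: the example realm now carries `database_module = ldapconf`, but no matching `[dbmodules]` subsection (for instance `ldapconf = { db_library = kldap ... }`) is added to the example, so a reader cannot see what the name resolves to; add the corresponding subsection to the example, since the DATABASE MODULE SECTION text in this same patch says `db_library` should be `kldap` for an LDAP database.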
This relation identifies the host where the administration server is
running. Typically this is the Master Kerberos server.
+.IP database_module
+This relation indicates the name of the configuration section under dbmodules
+for database specific parameters used by the loadable database library.
+
.IP default_domain
This relation identifies the default domain for which hosts in this
realm are assumed to be in. This is needed for translating V4 principal
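Review bot: the realm-level `database_module` relation is documented with wording identical to the `database_module` tag in `[dbdefaults]`, but neither place says which value wins when both are set; state the precedence (realm-specific value overriding the default, or the reverse) in one of the two entries and cross-reference the other.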
be used with Kerberized clients and servers, but versions prior to DCE
1.1 did not fill in the transited field, and should be used with
caution.
+
+.SH DATABASE DEFAULT SECTION
+
+The [dbdefaults] section indicates default values for the database specific parameters.
+It can also specify the configuration section under dbmodules for database
+specific parameters used by the loadable database library.
+
+.PP
+The following tags are used in this section:
+.IP database_module
+This relation indicates the name of the configuration section under dbmodules
+for database specific parameters used by the loadable database library.
+
+.IP ldap_kerberos_container_dn
+This LDAP specific tag indicates the DN of the container object where the realm
+objects will be located. This value is used if no object DN is mentioned in the
+configuration section under dbmodules.
+
+.IP ldap_kdc_dn
+This LDAP specific tag indicates the default bind DN for the KDC server.
+The KDC server does a login to the directory as this object. This value is used if
+no object DN is mentioned in the configuration section under dbmodules.
+
+.IP ldap_kadmind_dn
+This LDAP specific tag indicates the default bind DN for the
+Administration server. The Administration server does a login to the directory
+as this object. This value is used if no object DN is mentioned in
+the configuration section under dbmodules.
+
+.IP ldap_service_password_file
+This LDAP specific tag indicates the file containing the stashed passwords for the
+objects used for starting the Kerberos servers. This value is used if no
+service password file is mentioned in the configuration section under dbmodules.
+
+.IP ldap_ssl_port
+This LDAP specific tag indicates the value of the SSL port for the LDAP server.
+This value is used if no SSL port is mentioned in the configuration section under dbmodules.
+
+.IP ldap_server
+This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
+is whitespace-separated. The port value can be specified with the server separated by
+a colon. This value is used if no LDAP servers are mentioned in the configuration
+section under dbmodules.
+
+.IP ldap_conns_per_server
+This LDAP specific tag indicates the number of connections to be maintained per
+LDAP server. This value is used if the number of connections per LDAP server are not
+mentioned in the configuration section under dbmodules. The default value is 5.
+
+.SH DATABASE MODULE SECTION
+Each tag in the [dbmodules] section of the file names a configuration section
+for database specific parameters that can be referred to by a realm.
+The value of the tag is a subsection where the relations in that subsection
+define the database specific parameters.
+
+.PP
+For each section, the following tags may be specified in the subsection:
+
+.IP db_library
+This tag indicates the name of the loadable database library.
+The value should be db2 for db2 database and kldap for LDAP database.
+
+.IP ldap_kerberos_container_dn
+This LDAP specific tag indicates the DN of the container object where the realm
+objects will be located.
+
+.IP ldap_kdc_dn
+This LDAP specific tag indicates the bind DN for the KDC server.
+The KDC does a login to the directory as this object.
+
+.IP ldap_kadmind_dn
+This LDAP specific tag indicates the bind DN for the Administration server.
+The Administration server does a login to the directory
+as this object.
+
+.IP ldap_service_password_file
+This LDAP specific tag indicates the file containing the stashed passwords for the
+objects used for starting the Kerberos servers.
+
+.IP ldap_ssl_port
+This LDAP specific tag indicates the value of the SSL port for the LDAP server.
+
+.IP ldap_server
+This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
+is whitespace-separated. The port value can be specified with the server separated by a colon.
+
+.IP ldap_conns_per_server
+This LDAP specific tag indicates the number of connections to be maintained per
+LDAP server.
.SH FILES
/etc/krb5.conf
.SH SEE ALSO
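Review bot: `ldap_ssl_port` and the per-server `host:port` form of `ldap_server` both set a port, and the text does not say which takes effect when both are present or what the default SSL port is; document the precedence and the default. `ldap_service_password_file` is described as holding the stashed passwords the KDC and administration server bind with, so the entry should also state the ownership and mode the file is expected to have (readable only by the accounts running those servers). Lastly, the default of 5 for `ldap_conns_per_server` is given only in the `[dbdefaults]` copy and not in the `[dbmodules]` copy of the same tag.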
.B kadmin.local
[\fB\-r\fP \fIrealm\fP] [\fB\-p\fP \fIprincipal\fP] [\fB\-q\fP \fIquery\fP]
.br
-[\fB\-d\fP \fIdbname\fP] [\fB\-e \fI"enc:salt ..."\fP] [\fB-m\fP]
+[\fB\-d\fP \fIdbname\fP] [\fB\-e \fI"enc:salt ..."\fP] [\fB-m\fP] [\fB\-x\fP \fIdb_args\fP]
.ad b
.SH DESCRIPTION
.B kadmin
.B kadmin.local
provide identical functionalities; the difference is that
.B kadmin.local
-runs on the master KDC and does not use Kerberos to authenticate to the
-database. Except as explicitly noted otherwise, this man page will use
+runs on the master KDC if the database is db2 and
+does not use Kerberos to authenticate to the
+database. Except as explicitly noted otherwise,
+this man page will use
.B kadmin
to refer to both versions.
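Review bot: the rewritten sentence "runs on the master KDC if the database is db2 and does not use Kerberos to authenticate to the database" is ambiguous about whether the "if the database is db2" condition also governs the lack of Kerberos authentication; split it, e.g. "does not use Kerberos to authenticate to the database. If the database is db2, it runs on the master KDC." The new lines also break "Except as explicitly noted otherwise, this man page will use" across two short lines for no troff reason; keep the original filling.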
.B kadmin
Kerberos service ticket from the KDC, and uses that service ticket to
authenticate to KADM5.
.PP
-The local client
+If the database is db2, the local client
.BR kadmin.local ,
is intended to run directly on the master KDC without Kerberos
authentication. The local version provides all of the functionality of
.IR kdb5_util (8)
utility.
.PP
+If the database is LDAP, kadmin.local need not be run on the KDC.
.SH OPTIONS
.TP
\fB\-r\fP \fIrealm\fP
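Review bot: "If the database is LDAP, kadmin.local need not be run on the KDC" leaves open what authenticates that client, given that the preceding paragraph says the local client runs without Kerberos authentication; say here that in the LDAP case it binds to the directory as the configured bind DN (`-x binddn` or `ldap_kadmind_dn`) using the stashed service password, so possession of that stash file on any host confers the bind DN's rights on the realm subtree. Use the `.BR kadmin.local` markup the surrounding text uses instead of plain "kadmin.local".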
.TP
\fB\-d\fP \fIdbname\fP
Specifies the name of the Kerberos database.
+This option does not apply to the LDAP database.
.TP
\fB\-s\fP \fIadmin_server[:port]\fP
Specifies the admin server which kadmin should contact.
.TP
.B \-N
Prevent fallback to AUTH_GSSAPI authentication flavor.
+.TP
+\fB\-x\fP \fIdb_args\fP
+Specifies the database specific arguments.
+
+Options supported for LDAP database are:
+.sp
+.nf
+.RS 14
+\-x port=<port_number>
+specifies the secure port number where the LDAP server is listening.
+
+\-x host=<hostname>
+specifies the host on which the LDAP server is running.
+The <hostname> should be the same as the host name set in the LDAP server certificate.
+
+\-x binddn=<bind_dn>
+specifies the DN of the object used by the administration server to bind to the LDAP server.
+This object should have the read rights on the realm container and write rights on the subtree
+that is referenced by the realm.
+
+\-x bindpwd=<bind_password>
+specifies the password for the above mentioned binddn. It is recommended not to use this option.
+Instead, the password can be stashed using the stashsrvpw command of kdb5_ldap_util.
+.RE
+.fi
.SH DATE FORMAT
Various commands in kadmin can take a variety of date formats,
specifying durations or absolute times. Examples of valid formats are:
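Review bot: `-x bindpwd=` is marked "recommended not to use" without the reason; state it, namely that a password given on the command line is visible to other users through process listings and shell history, which is why stashing it with `stashsrvpw` is preferred. The `.RS 14` indent here differs from the `.RS 12` and `.RS 8` used for the same option list in kadmind and krb5kdc; pick one value. "specifies the secure port number" for `-x port=` should also say how it relates to `ldap_ssl_port` in krb5.conf (override or fallback).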
The options are:
.RS
.TP
+\fB\-x\fP \fIdb_princ_args\fP
+Denotes the database specific options. The options for LDAP database are:
+.sp
+.nf
+.RS
+\-x userdn=<user_dn>
+Specifies the user object with which the Kerberos user principal is to be associated.
+
+\-x containerdn=<container_dn>
+Specifies the container object under which the Kerberos service principal is to be created.
+
+\-x tktpolicydn=<policydn>
+Associates a ticket policy object to the Kerberos principal.
+
+.RE
+.fi
+.TP
\fB\-expire\fP \fIexpdate\fP
expiration date of the principal
.TP
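Review bot: `-x userdn=` and `-x containerdn=` are described for user and service principals respectively, but the text does not say whether they are mutually exclusive or what happens when both, or neither, are given for an LDAP realm; add that. The blank line before `.RE` in this block is absent from the otherwise identical block added to modprinc; drop it for consistency.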
Re-enter password for principal tlyu/admin@BLEEP.COM:
Principal "tlyu/admin@BLEEP.COM" created.
kadmin:
+
+kadmin: addprinc -x userdn=cn=mwm_user,o=org mwm_user
+WARNING: no policy specified for "mwm_user@BLEEP.COM";
+defaulting to no policy.
+Enter password for principal mwm_user@BLEEP.COM:
+Re-enter password for principal mwm_user@BLEEP.COM:
+Principal "mwm_user@BLEEP.COM" created.
+kadmin:
+
.TP
ERRORS:
KADM5_AUTH_ADD (requires "add" privilege)
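Review bot: the example `addprinc -x userdn=cn=mwm_user,o=org mwm_user` shows that the option value itself contains `=` and `,`, so the `db_princ_args` parser must split only at the first `=`; the man page should also note that a DN containing spaces must be quoted on the kadmin command line.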
.I delete
privilege. Aliased
to
-.BR delprinc .
+.BR delprinc.
.sp
.nf
.RS
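Review bot: changing `.BR delprinc .` to `.BR delprinc.` is a regression: `.BR` alternates bold and roman arguments, so the original renders "delprinc" in bold followed by a roman period, whereas the new form renders the period in bold as part of the name. Revert this line.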
.I modify
privilege. Aliased to
.BR modprinc .
-.sp
-.nf
.RS
.TP
+\fB\-x\fP \fIdb_princ_args\fP
+Denotes the database specific options. The options for LDAP database are:
+.sp
+.nf
+.RS
+\-x tktpolicydn=<policydn>
+Associates a ticket policy object to the Kerberos principal.
+.RE
+.fi
+.TP
ERRORS:
KADM5_AUTH_MODIFY (requires "modify" privilege)
KADM5_UNK_PRINC (principal does not exist)
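Review bot: removing the `.sp`/`.nf` before the existing `.RS` in modprinc leaves the ERRORS list in fill mode, because the `.fi` that closes the new `-x` block ends no-fill before "ERRORS:"; the two KADM5_* lines will then be joined into one paragraph, unlike delprinc above which still has `.nf` before its errors. Either re-enter no-fill after the new block's `.fi` or place the new `.RS`/`.RE` pair inside the existing no-fill region. Note also that the new `.RS` opens a second indent inside the one already open, and only the inner one is closed by the new `.RE`.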
Keeps the previous kvno's keys around. There is no
easy way to delete the old keys, and this flag is usually not
necessary except perhaps for TGS keys. Don't use this flag unless you
-know what you're doing.
+know what you're doing. This option is not supported for the LDAP database.
.nf
.TP
EXAMPLE:
sets the minimum number of character classes allowed in a password
.TP
\fB\-history\fP \fInumber\fP
-sets the number of past keys kept for a principal
+sets the number of past keys kept for a principal. This option is not supported for LDAP database
.sp
.nf
.TP
+EXAMPLES:
+kadmin: add_policy -maxlife "2 days" -minlength 5 cn=guests,o=org
+kadmin:
+.TP
ERRORS:
KADM5_AUTH_ADD (requires the add privilege)
KADM5_DUP (policy already exists)
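Review bot: "This option is not supported for LDAP database" is missing "the" and the terminating period (the equivalent sentence added for `-keepold` has both). More importantly, `-history` being unsupported means password-history enforcement is unavailable on the LDAP backend; say whether `add_policy -history` is rejected or silently ignored there, since an administrator who sets it will expect password reuse to be blocked.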
.RE
.fi
.TP
+Note: All the policy names are in the form of DN for LDAP database.
+.TP
\fBktadd\fP [\fB\-k\fP \fIkeytab\fP] [\fB\-q\fP] [\fB\-e\fP \fIkeysaltlist\fP]
.br
[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]
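Review bot: the "Note: All the policy names are in the form of DN for LDAP database." line sits directly after a `.TP`, which makes the whole sentence a tag line with an empty body followed by another `.TP`; use the `.B Note:` plus text-on-the-next-line form that the FILES note in this same patch uses, and write "in the form of a DN for the LDAP database".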
.I not
exist.
.TP
+.B Note:
+The above three files are specific to db2 database.
+.TP
kadm5.acl
file containing list of principals and their
.B kadmin
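Review bot: "specific to db2 database" needs the article ("the db2 database"), and "the above three files" should name the files or say "the database files above" so the note survives any reordering of the list; the same note is duplicated in kadmind's FILES section below and the two copies should be kept in sync.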
kadmind \- KADM5 administration server
.SH SYNOPSIS
.B kadmind
-[\fB-r\fP \fIrealm\fP] [\fB\-m\fP] [\fB\-nofork\fP] [\fB\-port\fP
+[\fB\-x\fP \fIdb_args\fP] [\fB-r\fP \fIrealm\fP] [\fB\-m\fP] [\fB\-nofork\fP] [\fB\-port\fP
\fIport-number\fP]
.SH DESCRIPTION
-This command starts the KADM5 administration server. The administration
-server runs on the master Kerberos server, which stores the KDC
-principal database and the KADM5 policy database.
+This command starts the KADM5 administration server. If the database is db2,
+the administration server runs on the master Kerberos server, which stores the KDC
+prinicpal database and the KADM5 policy database. If the database is LDAP,
+the administration server and the KDC server need not run on the same machine.
.B Kadmind
accepts remote requests to administer the information in these
databases. Remote requests are sent, for example, by
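Review bot: "prinicpal" is misspelled ("principal") in the new sentence. The statement that with LDAP the administration server and the KDC need not share a machine should add that each host then binds to the directory under its own DN (`ldap_kadmind_dn` / `ldap_kdc_dn`) and needs its own stashed service password on that host; otherwise readers will assume the db2-style single stash carries over.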
After the server begins running, it puts itself in the background and
disassociates itself from its controlling terminal.
.SH OPTIONS
+.TP
+\fB\-x\fP \fIdb_args\fP
+specifies the database specific arguments.
+
+Options supported for LDAP database are:
+.sp
+.nf
+.RS 12
+\-x nconns=<number_of_connections>
+specifies the number of connections to be maintained per LDAP server.
+
+\-x port=<port_number>
+specifies the secure port number where the LDAP server is listening.
+
+\-x host=<hostname>
+specifies the host on which the LDAP server is running.
+The <hostname> should be the same as the host name set in the LDAP server certificate.
+
+\-x binddn=<binddn>
+specifies the DN of the object used by the administration server to bind to the LDAP server.
+This object should have the read rights on the realm container and write rights on the subtree
+that is referenced by the realm.
+
+\-x bindpwd=<bind_password>
+specifies the password for the above mentioned binddn. It is recommended not to use this option.
+Instead, the password can be stashed using the stashsrvpw command of kdb5_ldap_util.
+.RE
+.fi
.TP
\fB\-r\fP \fIrealm\fP
specifies the default realm that kadmind will serve; if it is not
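Review bot: this option list uses `.RS 12` and lower-case "specifies", while the same list added to kadmin uses `.RS 14` and "Specifies"; make the three copies (kadmin, kadmind, krb5kdc) identical in indent and wording. `-x nconns=` is documented here and for krb5kdc but not for kadmin; state whether kadmin accepts it as well.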
.I not
exist.
.TP
+.B Note:
+The above three files are specific to db2 database.
+.TP
kadm5.acl
file containing list of principals and their
.B kadmin
file containing dictionary of strings explicitly disallowed as
passwords.
.SH SEE ALSO
-kpasswd(1), kadmin(8), kdb5_util(8), kadm5_export(8), kadm5_import(8)
+kpasswd(1), kadmin(8), kdb5_util(8), kadm5_export(8), kadm5_import(8),
+kdb5_ldap_util(8)
+
.SH SYNOPSIS
.B krb5kdc
[
+.B \-x
+.I db_args
+] [
.B \-d
.I dbname
] [
Center (AS/KDC).
.PP
The
+.B \-x
+.I db_args
+option specifies the database specific arguments.
+
+Options supported for LDAP database are:
+.sp
+.nf
+.RS 8
+\-x nconns=<number_of_connections>
+specifies the number of connections to be maintained per LDAP server.
+
+\-x port=<port_number>
+specifies the secure port number where the LDAP server is listening.
+
+\-x host=<hostname>
+specifies the host on which the LDAP server is running.
+The <hostname> should be the same as the host name set in the LDAP server certificate.
+
+\-x binddn=<binddn>
+specifies the DN of the object used by the KDC server to bind to the LDAP server.
+This object should have the rights to read the realm container and the subtree that is referenced
+by the realm.
+
+\-x bindpwd=<bind_password>
+specifies the password for the above mentioned binddn. It is recommended not to use this option.
+Instead, the password can be stashed using the stashsrvpw command of kdb5_ldap_util.
+.RE
+.fi
+.PP
+The
.B \-r
.I realm
option specifies the realm for which the server should provide service;
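Review bot: the KDC's `-x binddn=` correctly asks only for rights "to read the realm container and the subtree", while kadmind's asks for write rights on the subtree; make this least-privilege split explicit by saying the two servers should bind as different DNs (`ldap_kdc_dn` versus `ldap_kadmind_dn` in krb5.conf) and that the KDC's DN should not be granted write access to the realm subtree. The `.RS 8` indent is the third different value used for this same option list in the patch.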
.I dbname
option specifies the name under which the principal database can be found; by
default the database is in DEFAULT_DBM_FILE.
+This option does not apply to the LDAP database.
.PP
The
.B \-k
.I kdc.conf(5)
description for further details.
.SH SEE ALSO
-krb5(3), kdb5_util(8), kdc.conf(5)
+krb5(3), kdb5_util(8), kdc.conf(5), kdb5_ldap_util(8)
.SH BUGS
It should fork and go into the background when it finishes reading the
if ((retval = krb5_ldap_read_policy(util_context, policydn, &policyparams, &mask)))
goto cleanup;
-
- if ((retval = krb5_ldap_delete_policy(util_context, policydn)))
+
+
+ if ((retval = krb5_ldap_delete_policy(util_context, policydn, policyparams,&mask)))
goto cleanup;
printf("** policy object '%s' deleted.\n", policydn);
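Review bot: two consecutive empty lines are added before the `krb5_ldap_delete_policy` call, and `policyparams,&mask` lacks the space after the comma used elsewhere in this file. Since `policyparams` filled by `krb5_ldap_read_policy` is now handed to the delete call, confirm it is still released on the cleanup path.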
princ, enum ap_op op, struct realm_info *pblock);
+static char *strdur(time_t duration);
+static int get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[],int argc);
+
+
+static int get_ticket_policy(rparams,i,argv,argc)
+ krb5_ldap_realm_params *rparams;
+ int *i;
+ char *argv[];
+ int argc;
+{
+ time_t date;
+ time_t now;
+ time(&now);
+ int mask = 0;
+ krb5_error_code retval = 0;
+ krb5_boolean no_msg = FALSE;
+
+ krb5_boolean print_usage = FALSE;
+ char *me = argv[0];
+ if (!strcmp(argv[*i], "-maxtktlife")) {
+ if (++(*i) > argc-1)
+ goto err_usage;
+ date = get_date(argv[*i], NULL);
+ if (date == (time_t)(-1)) {
+ retval = EINVAL;
+ com_err (me, retval, "while providing time specification");
+ goto err_nomsg;
+ }
+ rparams->max_life = date-now;
+ mask |= LDAP_REALM_MAXTICKETLIFE;
+ }
+
+
+ else if (!strcmp(argv[*i], "-maxrenewlife")) {
+ if (++(*i) > argc-1)
+ goto err_usage;
+
+ date = get_date(argv[*i], NULL);
+ if (date == (time_t)(-1)) {
+ retval = EINVAL;
+ com_err (me, retval, "while providing time specification");
+ goto err_nomsg;
+ }
+ rparams->max_renewable_life = date-now;
+ mask |= LDAP_REALM_MAXRENEWLIFE;
+ }
+ else if (!strcmp((argv[*i] + 1), "allow_postdated")) {
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
+ }
+ else if (!strcmp((argv[*i] + 1), "allow_forwardable")) {
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
+
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
+ }
+ else if (!strcmp((argv[*i] + 1), "allow_renewable")) {
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
+ }
+ else if (!strcmp((argv[*i] + 1), "allow_proxiable")) {
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
+ }
+ else if (!strcmp((argv[*i] + 1), "allow_dup_skey")) {
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
+ }
+
+ else if (!strcmp((argv[*i] + 1), "requires_preauth")) {
+ if (*(argv[*i]) == '+')
+ rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
+ }
+ else if (!strcmp((argv[*i] + 1), "requires_hwauth")) {
+ if (*(argv[*i]) == '+')
+ rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
+ }
+ else if (!strcmp((argv[*i] + 1), "allow_svr")) {
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
+ }
+ else if (!strcmp((argv[*i] + 1), "allow_tgs_req")) {
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
+ }
+ else if (!strcmp((argv[*i] + 1), "allow_tix")) {
+ if (*(argv[*i]) == '+')
+ rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
+ }
+ else if (!strcmp((argv[*i] + 1), "needchange")) {
+ if (*(argv[*i]) == '+')
+ rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
+ else
+ goto err_usage;
+
+ mask |= LDAP_REALM_KRBTICKETFLAGS;
+ }
+ else if (!strcmp((argv[*i] + 1), "password_changing_service")) {
+ if (*(argv[*i]) == '+')
+ rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
+ else if (*(argv[*i]) == '-')
+ rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
+ else
+ goto err_usage;
+
+ mask |=LDAP_REALM_KRBTICKETFLAGS;
+ }
+err_usage:
+ print_usage = TRUE;
+
+err_nomsg:
+ no_msg = TRUE;
+
+ return mask;
+}
+
/*
* This function will create a realm on the LDAP Server, with
* the specified attributes.
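Review bot: get_ticket_policy has a control-flow defect: the success path falls through the `err_usage:` and `err_nomsg:` labels, so `print_usage` and `no_msg` are set to TRUE on every call and never read, and a usage error is indistinguishable from success because every path ends in `return mask;`. On the `++(*i) > argc-1` path the index is left pointing at `argv[argc]`, which is NULL, and the callers then pass it to `printf("'%s' is an invalid option\n", argv[i])`. Return an error code (the `retval` that is computed and then discarded) and hand the mask back through an out parameter, with `return` placed before the labels. Also `time(&now);` appears before the `int mask = 0;` declaration, which is not valid C89 and inconsistent with the K&R-style definition used for this function.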
char pw_str[1024];
int do_stash = 0;
int i = 0, j = 0;
- int mask = 0;
+ int mask = 0, ret_mask = 0;
+ char *me = argv[0];
#ifdef HAVE_EDIRECTORY
int rightsmask = 0;
#endif
}
mask |= LDAP_REALM_DEFSALTTYPE;
}
- else if (!strcmp(argv[i], "-policy")) {
- if (++i > argc-1)
- goto err_usage;
- rparams->policyreference = strdup(argv[i]);
- if (rparams->policyreference == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- mask |= LDAP_REALM_POLICYREFERENCE;
- }
-#ifdef NOVELL_KDC
- else if (!strcmp(argv[i], "-up")) {
- rparams->upenabled = 1;
- mask |= LDAP_REALM_UPENABLED;
- }
-#endif
else if (!strcmp(argv[i], "-s")) {
do_stash = 1;
}
+ else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0)
+ {
+ mask|=ret_mask;
+ }
+
else {
printf("'%s' is an invalid option\n", argv[i]);
goto err_usage;
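Review bot: `get_ticket_policy` returns 0 both when the argument is not a ticket-policy option and when it is one with a bad value (after com_err has already reported it), so this `else if` then falls into the "'%s' is an invalid option" branch and prints a second, misleading message; with `-maxtktlife` as the last argument, `i` has been advanced to `argc` and `argv[i]` is NULL. Have the helper return a tri-state (not mine / ok / error) and pass the mask by pointer. Style: `ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0` and the brace on its own line do not match the surrounding `else if (...) {` formatting.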
kdb5_dal_handle *dal_handle = NULL;
krb5_ldap_context *ldap_context=NULL;
int i = 0, j = 0;
- int mask = 0, rmask = 0;
+ int mask = 0, rmask = 0, ret_mask = 0;
char *list[MAX_LIST_ENTRIES];
int tlist[MAX_LIST_ENTRIES] = {0};
int newenctypes = 0, newsalttypes = 0;
int rightsmask = 0;
int subtree_changed = 0;
#endif
+ char *me = argv[0];
dal_handle = (kdb5_dal_handle *) util_context->db_context;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
}
mask |= LDAP_REALM_DEFSALTTYPE;
}
- else if (!strcmp(argv[i], "-policy")) {
- if (++i > argc-1)
- goto err_usage;
- if (rmask & LDAP_REALM_POLICYREFERENCE)
- free(rparams->policyreference);
- rparams->policyreference = strdup(argv[i]);
- if (rparams->policyreference == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- mask |= LDAP_REALM_POLICYREFERENCE;
- }
- else if (!strcmp(argv[i], "-clearpolicy")) {
- if (rmask & LDAP_REALM_POLICYREFERENCE) {
- if (rparams->policyreference)
- free(rparams->policyreference);
- rparams->policyreference = NULL;
- mask |= LDAP_REALM_POLICYREFERENCE;
- }
- }
-#ifdef NOVELL_KDC
- else if (!strcmp(argv[i], "-up")) {
- rparams->upenabled = 1;
- mask |= LDAP_REALM_UPENABLED;
- }
- else if (!strcmp(argv[i], "-clearup")) {
- rparams->upenabled = 0;
- mask |= LDAP_REALM_UPENABLED;
- }
-#endif
+ else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0)
+ {
+ mask|=ret_mask;
+ }
else {
printf("'%s' is an invalid option\n", argv[i]);
goto err_usage;
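Review bot: the same caller problem as in the create-realm hunk applies here (a 0 return from get_ticket_policy after a reported error produces a second "invalid option" message, and `argv[i]` may be NULL). Beyond that, `-policy` and `-clearpolicy` (and the NOVELL_KDC `-up`/`-clearup`) are removed from modify_realm, but no matching usage-string or kdb5_ldap_util man page change appears in this patch; confirm those are updated so the documented options match the parser.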
return;
}
+static char *strdur(duration)
+ time_t duration;
+{
+ static char out[50];
+ int neg, days, hours, minutes, seconds;
+
+ if (duration < 0) {
+ duration *= -1;
+ neg = 1;
+ } else
+ neg = 0;
+ days = duration / (24 * 3600);
+ duration %= 24 * 3600;
+ hours = duration / 3600;
+ duration %= 3600;
+ minutes = duration / 60;
+ duration %= 60;
+ seconds = duration;
+ sprintf(out, "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
+ days, days == 1 ? "day" : "days",
+ hours, minutes, seconds);
+ return out;
+}
/*
* This function prints the attributes of a given realm to the
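Review bot: strdur formats into a fixed `static char out[50]` with `sprintf`; use `snprintf(out, sizeof(out), ...)` so an unexpectedly large day count cannot overflow, and add a comment that the static buffer makes the function non-reentrant (the two calls below are in separate printf statements, which is fine, but two strdur calls in one printf would alias the same buffer).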
if (num_entry_printed == 0)
printf("\n");
}
+ if (mask & LDAP_REALM_MAXTICKETLIFE) {
+ printf("%25s:", "Maximum Ticket Life");
+ printf(" %s \n", strdur(rparams->max_life));
+ }
+
+ if (mask & LDAP_REALM_MAXRENEWLIFE) {
+ printf("%25s:", "Maximum Renewable Life");
+ printf(" %s \n", strdur(rparams->max_renewable_life));
+ }
+ printf("%25s: ", "Ticket flags");
+ if (mask & LDAP_POLICY_TKTFLAGS) {
+ int ticketflags = rparams->tktflags;
+
+ if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
+ printf("%s ","DISALLOW_POSTDATED");
+
+ if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE)
+ printf("%s ","DISALLOW_FORWARDABLE");
+
+ if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE)
+ printf("%s ","DISALLOW_RENEWABLE");
+
+ if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE)
+ printf("%s ","DISALLOW_PROXIABLE");
+
+ if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY)
+ printf("%s ","DISALLOW_DUP_SKEY");
+
+ if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH)
+ printf("%s ","REQUIRES_PRE_AUTH");
+
+ if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH)
+ printf("%s ","REQUIRES_HW_AUTH");
+
+ if (ticketflags & KRB5_KDB_DISALLOW_SVR)
+ printf("%s ","DISALLOW_SVR");
+
+ if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED)
+ printf("%s ","DISALLOW_TGT_BASED");
+
+ if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX)
+ printf("%s ","DISALLOW_ALL_TIX");
+
+ if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE)
+ printf("%s ","REQUIRES_PWCHANGE");
+
+ if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
+ printf("%s ","PWCHANGE_SERVICE");
+ }
+
if (mask & LDAP_REALM_DEFSALTTYPE) {
- retval = krb5_salttype_to_string(rparams->defsalttype, buff, BUFF_LEN);
- if (retval == 0) {
- printf("%25s: %-50s\n", "Default Salt Type", buff);
- }
+ retval = krb5_salttype_to_string(rparams->defsalttype, buff, BUFF_LEN);
+ if (retval == 0) {
+ printf("\n%25s: %-50s\n", "Default Salt Type", buff);
+ }
}
- if (mask & LDAP_REALM_POLICYREFERENCE)
- printf("%25s: %-50s\n", "Policy Reference", rparams->policyreference);
+ /* if (mask & LDAP_REALM_POLICYREFERENCE)
+ printf("%25s: %-50s\n", "Policy Reference", rparams->policyreference);*/
-#ifdef NOVELL_KDC
- if (mask & LDAP_REALM_UPENABLED)
- printf("%25s: %-50s\n", "Universal Passwd",
- (rparams->upenabled) ? "ENABLED" : "DISABLED");
-#endif
return;
}
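Review bot: the mask constant tested for ticket flags is `LDAP_POLICY_TKTFLAGS`, but every place that sets the flags in get_ticket_policy above uses `LDAP_REALM_KRBTICKETFLAGS`; unless the two macros share a value, realm ticket flags will never be printed (or an unrelated bit will trigger the output). Use `LDAP_REALM_KRBTICKETFLAGS` here. The "Ticket flags" label is also printed unconditionally with no trailing newline; the newline only arrives via the `\n` now prepended to the Default Salt Type line, so when `LDAP_REALM_DEFSALTTYPE` is not set the next line of output continues on the same line. Print the label inside the `if` and terminate it with a newline, and delete the commented-out Policy Reference block instead of leaving dead code.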
int mask = 0;
kdb5_dal_handle *dal_handle = NULL;
krb5_ldap_context *ldap_context = NULL;
-#ifdef NOVELL_KDC
+#ifdef HAVE_EDIRECTORY
int i = 0, rightsmask = 0;
krb5_ldap_realm_params *rparams = NULL;
#endif
return;
}
-#ifdef NOVELL_KDC
+#ifdef HAVE_EDIRECTORY
if( (mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
(mask & LDAP_REALM_PASSWDSERVERS) ) {
passwd_len = strlen(passwd);
}
-#ifdef NOVELL_KDC
- /* Encrypt the password */
- {
- struct data enc_pass, enc_key, password, hex1 = {0, NULL}, hex2 = {0, NULL};
-
- password.value = (unsigned char *)passwd;
- password.len = passwd_len;
-
- errcode = enc_password(password, &enc_key, &enc_pass);
- if (errcode != 0) {
- if (enc_pass.len != 0)
- free(enc_pass.value);
- if(enc_key.len != 0)
- free(enc_key.value);
- com_err(me, errcode, "Failed to set service object password");
- goto cleanup;
- }
-
- /* Encode the password in hexadecimal */
- errcode = tohex(enc_pass, &hex1);
- free(enc_pass.value);
- if (errcode == 0) {
- errcode = tohex(enc_key, &hex2);
- free(enc_key.value);
- }
- if (errcode != 0) {
- com_err(me, errcode, "Failed to set service object password");
- memset(passwd, 0, passwd_len);
- if (hex1.len != 0)
- free(hex1.value);
- if (hex2.len != 0)
- free(hex2.value);
- goto cleanup;
- }
-
- /* Password = {CRYPT}<encrypted password>:<encrypted key> */
- encrypted_passwd.value = (unsigned char *)malloc(strlen(service_object) + 1 + 7 + hex1.len + 1 + hex2.len + 2);
- if (encrypted_passwd.value == NULL) {
- com_err(me, ENOMEM, "while setting service object password");
- memset(passwd, 0, passwd_len);
- free(hex1.value);
- free(hex2.value);
- goto cleanup;
- }
- encrypted_passwd.value[strlen(service_object) + 1 + 7 + hex1.len + 1 + hex2.len + 1] = '\0';
- sprintf((char *)encrypted_passwd.value, "%s#{CRYPT}%s:%s\n", service_object, hex2.value, hex1.value);
- encrypted_passwd.len = strlen((char *)encrypted_passwd.value);
-
- free(hex1.value);
- free(hex2.value);
- }
-#else
/* Hex the password */
{
krb5_data pwd, hex;
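Review bot: dropping the NOVELL_KDC `{CRYPT}` branch leaves `{HEX}` as the only stash format, so the service bind password is stored in a trivially reversible encoding; that is acceptable only if the file is protected by permissions, and the check that follows only tests `access(file_name, W_OK)`, not ownership or mode. Create the file with mode 0600 (the removed setsrvcert code did `umask(077)` and `creat(..., S_IRUSR|S_IWUSR)`), refuse to write if the existing file is group- or world-readable, and state the required permissions in the ldap_service_password_file entry of krb5.conf(5).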
sprintf((char *)encrypted_passwd.value, "%s#{HEX}%s\n", service_object, hex.data);
encrypted_passwd.len = strlen((char *)encrypted_passwd.value);
}
-#endif /* #ifdef NOVELL_KDC */
/* We should check if the file exists and we have permission to write into that file */
if (access(file_name, W_OK) == -1) {
return errcode;
}
-/*
- * This function will set the certificate of the service object in the specified
- * service password file.
- *
- *
- * INPUT:
- * argc - contains the number of arguments for this sub-command
- * argv - array of arguments for this sub-command
- *
- * OUTPUT:
- * void
- */
-
-#ifdef NOVELL_KDC
-void kdb5_ldap_set_service_certificate(argc, argv)
- int argc;
- char **argv;
-{
- char *file_name = NULL;
- char *tmp_file = NULL;
- char *me = argv[0];
- int filelen = 0;
- char *service_object = NULL;
- char *passwd = NULL;
- char *prompt1 = NULL;
- char *prompt2 = NULL;
- char *certfile = NULL;
- unsigned int passwd_len = 0;
- krb5_error_code errcode = -1;
- int retval = 0, i = 0;
- unsigned int len = 0;
- krb5_boolean print_usage = FALSE;
- FILE *pfile = NULL;
- char *str = NULL;
- char line[MAX_LEN];
- int nopass = 0;
- struct data encrypted_passwd = {0, NULL};
-
- /*
- * The format of the command is as follows.
- *
- * setsrvcert [-nopass] [-f filename] -cert certFilename service_dn
- *
- * where
- * 'service_dn' is the FDN of the service principal
- * 'filename' is the path of the stash file.
- * 'certFilename' is the path of the file containing certificate and private
- * key of 'service_dn'.
- * '-nopass' If this argument is not present, the user will be prompted for
- * the password protecting the file 'filename'.
- */
- if((argc < 4) || (argc > 7)){
- print_usage = TRUE;
- goto cleanup;
- }
-
- /* Get the stash file name */
- for(i = 0; i < argc - 1; i++)
- if(!strcmp("-f", argv[i]))
- break;
-
- if(i < argc - 1)
- file_name = argv[i + 1];
- else if(i == argc - 1){
- com_err(me, errcode, "File name missing.");
- print_usage = TRUE;
- goto cleanup;
- }
-
- filelen = strlen(file_name);
- if ((filelen == 0) || (file_name[filelen - 1] == '/')) {
- printf("%s: Filename not specified for setting service object password\n", me);
- print_usage = TRUE;
- goto cleanup;
- }
-
- if(file_name == NULL)
- file_name = DEF_SERVICE_PASSWD_FILE;
-
- /* Check if the stash file exists and we have permission to write into it */
- if(access(file_name, W_OK) == -1){
- if(errno == ENOENT){
- mode_t omask;
- int fd = -1;
-
- printf("File does not exist. Creating the file %s...\n", file_name );
- omask = umask(077);
- fd = creat(file_name, S_IRUSR|S_IWUSR);
- umask(omask);
- if(fd == -1){
- com_err(me, errno, "Error creating file %s\n", file_name);
- goto cleanup;
- }
- close(fd);
- }else if(errno == EACCES){
- com_err(me, errno, "Unable to access the file %s: Permission denied", file_name);
- goto cleanup;
- }else{
- com_err(me, errno, "Unable to access the file %s", file_name);
- goto cleanup;
- }
- }
-
- /* Find the path of the certificate file */
- for(i = 0; i < argc - 1; i++)
- if(!strcmp(argv[i], "-cert")){
- certfile = argv[i + 1];
- break;
- }
-
- if(certfile == NULL){
- com_err(me, errno, "Path of the certificate not specified");
- goto cleanup;
- }
-
- /* Is the private key in the file protected by a password ? */
- for(i = 0; i < argc; i++)
- if(!strcmp(argv[i], "-nopass")){
- nopass = 1;
- break;
- }
-
- /* Find the FDN of the service */
- for(i = 1; i < argc; i++){
- if(!strcmp(argv[i], "-nopass"))
- continue;
- if(!strcmp(argv[i], "-f")){
- i++;
- continue;
- }
- if(!strcmp(argv[i], "-cert")){
- i++;
- continue;
- }
- service_object = argv[i];
- break;
- }
-
- if(service_object == NULL){
- com_err(me, errcode, "Service object not specified for \"setsrvcert\" command");
- print_usage = TRUE;
- goto cleanup;
- }
-
- /* Prompt for the password if "-nopass" is not specified */
- if(nopass == 0){
- /* Get the service object password from the terminal */
- passwd = (char *)malloc(MAX_SERVICE_PASSWD_LEN + 1);
- if(passwd == NULL){
- com_err(me, ENOMEM, "while setting certificate password");
- goto cleanup;
- }
- passwd[0] = 0;
- passwd_len = MAX_SERVICE_PASSWD_LEN;
-
- len = strlen(service_object);
- /* size of allocation=strlen of servicedn + strlen("Password for \" \"")=20 */
- prompt1 = (char *)malloc(len + 20);
- if(prompt1 == NULL){
- com_err(me, ENOMEM, "while setting certificate password");
- goto cleanup;
- }
- sprintf(prompt1, "Password for \"%s\"", service_object);
-
- /* size of allocation=strlen of servicedn + strlen("Re-enter Password for \" \"")=30 */
- prompt2 = (char *)malloc(len + 30);
- if(prompt2 == NULL){
- com_err(me, ENOMEM, "while setting certificate password");
- free(prompt1);
- goto cleanup;
- }
- sprintf(prompt2, "Re-enter password for \"%s\"", service_object);
-
- retval = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len);
- free(prompt1);
- free(prompt2);
- if(retval){
- com_err(me, retval, "while setting service object password");
- memset(passwd, 0, MAX_SERVICE_PASSWD_LEN);
- goto cleanup;
- }
- if(passwd_len == 0){
- com_err(me, errcode, "Invalid password");
- memset(passwd, 0, MAX_SERVICE_PASSWD_LEN);
- goto cleanup;
- }
- }
-
- /* Encrypt the password */
- if(nopass == 0 && strlen(passwd) != 0){
- struct data enc_pass, enc_key, password, hex1, hex2;
-
- password.value = (unsigned char *)passwd;
- password.len = strlen(passwd);
-
- errcode = enc_password(password, &enc_key, &enc_pass);
-
- if(errcode != 0){
- if(enc_pass.len != 0)
- free(enc_pass.value);
- if(enc_key.len != 0)
- free(enc_key.value);
- com_err(me, errcode, "Unable to encrypt the password\n");
- goto cleanup;
- }
-
- /* Encode the password in hexadecimal */
- errcode = tohex(enc_pass, &hex1);
- free(enc_pass.value);
- if(errcode == 0){
- errcode = tohex(enc_key, &hex2);
- free(enc_key.value);
- }
- if(errcode != 0){
- com_err(me, errcode, "while encoding password in hexadecimal");
- if(hex1.len != 0)
- free(hex1.value);
- if(hex2.len != 0)
- free(hex2.value);
- goto cleanup;
- }
-
- /* Password = {FILE}<certificate file>:<encrypted password>:<encrypted key> */
- encrypted_passwd.value = (unsigned char *)malloc(strlen(service_object) + 1 + sizeof("{FILE}") + strlen(certfile) + 1 + hex1.len + 1 + hex2.len + 2);
- sprintf((char *)encrypted_passwd.value, "%s#{FILE}%s:%s:%s\n", service_object, certfile, hex2.value, hex1.value);
- encrypted_passwd.len = strlen((char *)encrypted_passwd.value);
-
- free(hex1.value);
- free(hex2.value);
- }else{
- /* Password = {FILE}<certificate file> */
- encrypted_passwd.value = (unsigned char *)malloc(strlen(service_object) + 1 + sizeof("{FILE}") + strlen(certfile) + 2);
- sprintf((char *)encrypted_passwd.value, "%s#{FILE}%s\n", service_object, certfile);
- encrypted_passwd.len = strlen((char *)encrypted_passwd.value);
- }
-
- /* Write to the stash file */
- {
- pfile = fopen(file_name, "r+");
- if(pfile == NULL){
- com_err(me, errno, "Failed to open file %s", file_name);
- goto cleanup;
- }
-
- if(ftrylockfile(pfile) != 0){
- com_err(me, errno, "Unable to lock the stash file");
- fclose(pfile);
- goto cleanup;
- }
-
- while(fgets(line, MAX_LEN, pfile) != NULL){
- if((str = strstr(line, service_object)) != NULL){
- if(line[strlen(service_object)] == '#'){
- break;
- }
- str = NULL;
- }
- }
- if(str == NULL){
- if(feof(pfile)){
- /* Service object DN not present in stash file */
- if(fwrite(encrypted_passwd.value, (unsigned int)encrypted_passwd.len, 1, pfile) != 1){
- com_err(me, errno, "Error writing service object password to file\n");
- }
- }else{
- com_err(me, errno, "Error reading service object password file\n");
- }
- funlockfile(pfile);
- fclose(pfile);
- }else{
- /* Entry for the service object exists in stash file. Replace it. */
- int tmpfd = -1;
- mode_t omask;
-
- /* Create a new file with the extension '.tmp' */
- tmp_file = (char *) malloc(sizeof(char) * (strlen(file_name) + 4 + 1));
- if(tmp_file == NULL){
- com_err(me, ENOMEM, "while setting service object password");
- funlockfile(pfile);
- fclose(pfile);
- goto cleanup;
- }
- sprintf(tmp_file,"%s.%s",file_name,"tmp");
-
- omask = umask(077);
- tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR);
- umask(omask);
- if(tmpfd == -1){
- com_err(me, errno, "Error creating file %s\n", tmp_file);
- funlockfile(pfile);
- fclose(pfile);
- goto cleanup;
- }
-
- fseek(pfile, 0, SEEK_SET);
- while(fgets(line, MAX_LEN, pfile) != NULL){
- if(((str = strstr(line, service_object)) != NULL) && (line[strlen(service_object)] == '#')){
- if(write(tmpfd, encrypted_passwd.value, (unsigned int)encrypted_passwd.len) != encrypted_passwd.len){
- com_err(me, errno, "Error writing password to file\n");
- close(tmpfd);
- unlink(tmp_file);
- funlockfile(pfile);
- fclose(pfile);
- goto cleanup;
- }
- }else{
- len = strlen(line);
- if(write(tmpfd, line, len) != len){
- com_err(me, errno, "Error writing password to file\n");
- close(tmpfd);
- unlink(tmp_file);
- funlockfile(pfile);
- fclose(pfile);
- goto cleanup;
- }
- }
- }
-
- if(!feof(pfile)){
- com_err(me, errno, "Error reading service object password file\n");
- close(tmpfd);
- unlink(tmp_file);
- goto cleanup;
- }
-
- funlockfile(pfile);
- fclose(pfile);
- if(unlink(file_name) == 0){
- link(tmp_file, file_name);
- }else{
- com_err(me, errno, "Error writing password to file\n");
- }
- unlink(tmp_file);
- }
- }
-
-cleanup:
-
- if (passwd)
- free(passwd);
-
- if (encrypted_passwd.value)
- free(encrypted_passwd.value);
-
- if (tmp_file)
- free(tmp_file);
-
- if (print_usage)
- db_usage(SET_SRV_CERT);
-
- return;
-}
-#endif /* #ifdef NOVELL_KDC */
-
#else /* #ifdef HAVE_EDIRECTORY */
/*
/*
* Format:
- * stashsrvpw [-f filename] servicedn
+ * stashsrvpw [-f filename] service_dn
* where
- * 'servicedn' is the LDAP FDN of the service
+ * 'service_dn' is the DN of the service object
* 'filename' is the path of the stash file
*/
if (argc != 2 && argc != 4) {
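Review bot: The stash-file writer in the removed `setsrvcert` block (from the `/* Write to the stash file */` comment down to the `unlink(file_name)` / `link(tmp_file, file_name)` replacement) carried several defects, and the surviving `stashsrvpw` path under `#else /* #ifdef HAVE_EDIRECTORY */` should be checked for the same pattern before this lands: `ftrylockfile(pfile)` only takes the stdio stream lock inside this process and gives no protection against a second `kdb5_ldap_util` writing the same file; the lookup `strstr(line, service_object)` followed by `line[strlen(service_object)] == '#'` tests the `#` at a fixed offset from the start of `line` rather than relative to `str`, so an entry is only matched correctly when the DN is at column 0, and the DN is located by substring search instead of comparing the whole field before `#`; the `malloc()` results assigned to `encrypted_passwd.value` are passed straight to `sprintf()` without a NULL check; the comment `Password = {FILE}<certificate file>:<encrypted password>:<encrypted key>` does not match the `sprintf` that writes `hex2.value` (the key) before `hex1.value` (the password); and `unlink()` followed by `link()` leaves a window with no stash file at all, where `rename(tmp_file, file_name)` would be atomic. The `passwd` buffer is also only zeroed on the error paths, not before the `free(passwd)` in `cleanup`. Since the whole `#ifdef NOVELL_KDC` branch is deleted rather than repaired, none of this blocks the change. One follow-up: the `Format:` comment is renamed from `servicedn` to `service_dn`, but the new manual page still documents `stashsrvpw` with `\fIservicedn\fP` while `setsrvpw` and `create_service` use `\fIservice_dn\fP`; pick one spelling.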
--- /dev/null
+.TH KDB5_LDAP_UTIL 8
+.SH NAME
+kdb5_ldap_util \- Kerberos Configuration Utility
+.SH SYNOPSIS
+.B kdb5_ldap_util
+[\fB\-D\fP\ \fIuser_dn\fP [\fB\-w\fP\ \fIpasswd\fP]]
+[\fB\-h\fP\ \fIldap_server\fP] [\fB\-p\fP\ \fIldap_port\fP]
+.I command
+.I [command_options]
+.SH DESCRIPTION
+.B kdb5_ldap_util
+allows an administrator to manage realms, Kerberos services and ticket policies.
+.SH COMMAND-LINE OPTIONS
+.TP
+\fB\-D\fP\ \fIuser_dn\fP
+Specifies the Distinguished name (DN) of the user who has sufficient rights to
+perform the operation on the LDAP server.
+.TP
+\fB\-w\fP\ \fIpasswd\fP
+Specifies the password of
+.IR user_dn .
+This option is not recommended.
+.TP
+\fB\-h\fP\ \fIldap_server\fP
+Specifies the hostname or IP address of the server hosting the LDAP service for
+a Kerberos realm.
+.TP
+\fB\-p\fP\ \fIldap_port\fP
+Specifies the SSL port number of the LDAP server.
+.SH COMMANDS
+.TP
+\fBcreate\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-enctypes\fP\ \fIsupported_enc_types\fP] [\fB\-defenctype\fP\ \fIdefault_enc_type\fP] [\fB\-salttypes\fP\ \fIsupported_salt_types\fP] [\fB\-defsalttype\fP\ \fIdefault_salt_type\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-m\fP|\fB\-P\fP\ \fIpassword\fP|\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP] [\fB\-admindn\fP\ \fIadmin_service_list\fP] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
+Creates realm in directory. Options:
+.RS
+.TP
+\fB\-subtree\fP\ \fIsubtree_dn\fP
+Specifies the subtree where principals and other Kerberos objects in the realm are placed.
+.TP
+\fB\-sscope\fP\ \fIsearch_scope\fP
+Specifies the scope for searching the principals under the
+.IR subtree .
+The possible values are 1 or one (one level), 2 or sub (subtree).
+.TP
+\fB\-enctypes\fP\ \fIsupported_enc_types\fP
+Specifies the encryption types supported by the realm. This is a colon-separated list.
+.TP
+\fB\-defenctype\fP\ \fIdefault_enc_type\fP
+Specifies the default encryption type for the realm. This is also a part of supported enctypes list.
+.TP
+\fB\-salttypes\fP\ \fIsupported_salt_types\fP
+Specifies the salt types supported by the realm. This is a colon-separated list.
+.TP
+\fB\-defsalttype\fP\ \fIdefault_salt_type\fP
+Specifies the default salt types for the realm.
+.TP
+\fB\-k\fP\ \fImkeytype\fP
+Specifies the key type of the master key in the database; the default is
+that given in
+.IR kdc.conf .
+.TP
+\fB\-m\fP
+Specifies that the master database password should be read from the TTY
+rather than fetched from a file on the disk.
+.TP
+\fB\-P\fP\ \fIpassword\fP
+Specifies the master database password. This option is not recommended.
+.TP
+\fB\-sf\fP\ \fIstashfilename\fP
+Specifies the stash file of the master database password.
+.TP
+\fB\-maxtktlife\fP\ \fImax_ticket_life\fP
+Specifies maximum ticket life for principals in this realm.
+.TP
+\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP
+Specifies maximum renewable life of tickets for principals in this realm.
+.TP
+\fIticket_flags\fP
+Specifies the ticket flags. If this option is not specified, by default, none of the flags are
+set. This means all the ticket options will be allowed and no restriction will be set.
+
+The various flags are:
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_postdated\fP
+.B -allow_postdated
+prohibits principals from obtaining postdated tickets. (Sets the
+.SM KRB5_KDB_DISALLOW_POSTDATED
+flag.)
+.B +allow_postdated
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP
+.B -allow_forwardable
+prohibits principals from obtaining forwardable tickets. (Sets the
+.SM KRB5_KDB_DISALLOW_FORWARDABLE
+flag.)
+.B +allow_forwardable
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_renewable\fP
+.B -allow_renewable
+prohibits principals from obtaining renewable tickets. (Sets the
+.SM KRB5_KDB_DISALLOW_RENEWABLE
+flag.)
+.B +allow_renewable
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP
+.B -allow_proxiable
+prohibits principals from obtaining proxiable tickets. (Sets the
+.SM KRB5_KDB_DISALLOW_PROXIABLE
+flag.)
+.B +allow_proxiable
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP
+.B -allow_dup_skey
+Disables user-to-user authentication for principals by prohibiting
+principals from obtaining a session key for another user. (Sets the
+.SM KRB5_KDB_DISALLOW_DUP_SKEY
+flag.)
+.B +allow_dup_skey
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBrequires_preauth\fP
+.B +requires_preauth
+requires principals to preauthenticate before being allowed to
+kinit. (Sets the
+.SM KRB5_KDB_REQUIRES_PRE_AUTH
+flag.)
+.B -requires_preauth
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP
+.B +requires_hwauth
+requires principals to preauthenticate using a hardware device
+before being allowed to kinit. (Sets the
+.SM KRB5_KDB_REQUIRES_HW_AUTH
+flag.)
+.B -requires_hwauth
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
+.B -allow_svr
+prohibits the issuance of service tickets for principals. (Sets the
+.SM KRB5_KDB_DISALLOW_SVR
+flag.)
+.B +allow_svr
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_tgs_req\fP
+.B \-allow_tgs_req
+specifies that a Ticket-Granting Service (TGS) request for a service
+ticket for principals is not permitted. This option is useless for
+most things.
+.B +allow_tgs_req
+clears this flag. The default is
+.BR +allow_tgs_req .
+In effect,
+.B \-allow_tgs_req
+sets the
+.SM KRB5_KDB_DISALLOW_TGT_BASED
+flag on principals in the database.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_tix\fP
+.B \-allow_tix
+forbids the issuance of any tickets for principals.
+.B +allow_tix
+clears this flag. The default is
+.BR +allow_tix .
+In effect,
+.B \-allow_tix
+sets the
+.SM KRB5_KDB_DISALLOW_ALL_TIX
+flag on principals in the database.
+.TP
+{\fB\-\fP|\fB+\fP}\fBneedchange\fP
+.B +needchange
+sets a flag in attributes field to force a password change;
+.B \-needchange
+clears it. The default is
+.BR \-needchange .
+In effect,
+.B +needchange
+sets the
+.SM KRB5_KDB_REQUIRES_PWCHANGE
+flag on principals in the database.
+.TP
+{\fB\-\fP|\fB+\fP}\fBpassword_changing_service\fP
+.B +password_changing_service
+sets a flag in the attributes field marking principal as a password change
+service principal (useless for most things).
+.B \-password_changing_service
+clears the flag. This flag intentionally has a long name. The default
+is
+.BR \-password_changing_service .
+In effect,
+.B +password_changing_service
+sets the
+.SM KRB5_KDB_PWCHANGE_SERVICE
+flag on principals in the database.
+.TP
+\fB\-r\fP\ \fIrealm\fP
+Specifies the Kerberos realm of the database; by default the realm
+returned by
+.IR krb5_default_local_realm (3)
+is used.
+.TP
+.B Command Options Specific to eDirectory
+.TP
+\fB\-kdcdn\fP\ \fIkdc_service_list\fP
+Specifies the list of KDC service objects serving the realm. The list contains the DNs of the KDC
+service objects separated by colon(:).
+.TP
+\fB\-admindn\fP\ \fIadmin_service_list\fP
+Specifies the list of Administration service objects serving the realm. The list contains the DNs
+of the Administration service objects separated by colon(:).
+.TP
+\fB\-pwddn\fP\ \fIpasswd_service_list\fP
+Specifies the list of Password service objects serving the realm. The list contains the DNs of the
+Password service objects separated by colon(:).
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org -h ldap-server1.mit.edu
+create -sscope SUB -enctypes des-cbc-crc:des3-cbc-sha1
+-defenctype des3-cbc-sha1 -salttypes normal:afs3 -defsalttype normal
+-r ATHENA.MIT.EDU\fP
+.nf
+Password for "cn=admin,o=org":
+Initializing database for realm 'ATHENA.MIT.EDU'
+You will be prompted for the database Master Password.
+It is important that you NOT FORGET this password.
+Enter KDC database master key:
+Re-enter KDC database master key to verify:
+.fi
+.RE
+
+.TP
+\fBmodify\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-enctypes\fP\ \fIsupported_enc_types\fP | [\fB\-clearenctypes\fP\ \fIenc_type_list\fP] [\fB\-addenctypes\fP\ \fIenc_type_list\fP]] [\fB\-defenctype\fP\ \fIdefault_enc_type\fP] [\fB\-salttypes\fP\ \fIsupported_salt_types\fP | [\fB\-clearsalttypes\fP\ \fIsalt_type_list\fP] [\fB\-addsalttypes\fP\ \fIsalt_type_list\fP]] [\fB\-defsalttype\fP\ \fIdefault_salt_type\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP] [\fB\-addkdcdn\fP\ \fIkdc_service_list\fP]] [\fB\-admindn\fP\ \fIadmin_service_list\fP | [\fB\-clearadmindn\fP\ \fIadmin_service_list\fP] [\fB\-addadmindn\fP\ \fIadmin_service_list\fP]] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP | [\fB\-clearpwddn\fP\ \fIpasswd_service_list\fP] [\fB\-addpwddn\fP\ \fIpasswd_service_list\fP]] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
+
+Modifies the attributes of a realm. Options:
+.RS
+.TP
+\fB\-subtree\fP\ \fIsubtree_dn\fP
+Specifies the subtree containing principals and other Kerberos objects in the realm.
+.TP
+\fB\-sscope\fP\ \fIsearch_scope\fP
+Specifies the scope for searching the principals under the
+.IR subtree .
+The possible values are 1 or one (one level), 2 or sub (subtree).
+.TP
+\fB\-enctypes\fP\ \fIsupported_enc_types\fP
+Specifies the encryption types supported by the realm. This is a colon-separated list.
+.TP
+\fB\-clearenctypes\fP\ \fIenc_type_list\fP
+Specifies the encryption types that need to be removed from the supported encryption types
+of the realm. This is a colon-separated list.
+.TP
+\fB\-addenctypes\fP\ \fIenc_type_list\fP
+Specifies the encryption types that need to be added to the supported encryption types of the
+realm. This is a colon-separated list.
+.TP
+\fB\-defenctype\fP\ \fIdefault_enc_type\fP
+Specifies the default encryption type for the realm.
+.TP
+\fB\-salttypes\fP\ \fIsupported_salt_types\fP
+Specifies the salt types supported by the realm. This is a colon-separated list.
+.TP
+\fB\-clearsalttypes\fP\ \fIsalt_type_list\fP
+Specifies the salt types that need to be removed from the supported salt types of the realm.
+This is a colon-separated list.
+.TP
+\fB\-addsalttypes\fP\ \fIsalt_type_list\fP
+Specifies the salt types that need to be added to the supported salt types of the realm. This
+is a colon-separated list.
+.TP
+\fB\-defsalttype\fP\ \fIdefault_salt_type\fP
+Specifies the default salt type for the realm.
+.TP
+\fB\-maxtktlife\fP\ \fImax_ticket_life\fP
+Specifies maximum ticket life for principals in this realm.
+.TP
+\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP
+Specifies maximum renewable life of tickets for principals in this realm.
+.TP
+\fIticket_flags\fP
+Specifies the ticket flags. If this option is not specified, by default, none of the flags are
+set. This means all the ticket options will be allowed and no restriction will be set.
+
+The various flags are:
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_postdated\fP
+.B -allow_postdated
+prohibits principals from obtaining postdated tickets. (Sets the
+.SM KRB5_KDB_DISALLOW_POSTDATED
+flag.)
+.B +allow_postdated
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP
+.B -allow_forwardable
+prohibits principals from obtaining forwardable tickets. (Sets the
+.SM KRB5_KDB_DISALLOW_FORWARDABLE
+flag.)
+.B +allow_forwardable
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_renewable\fP
+.B -allow_renewable
+prohibits principals from obtaining renewable tickets. (Sets the
+.SM KRB5_KDB_DISALLOW_RENEWABLE
+flag.)
+.B +allow_renewable
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP
+.B -allow_proxiable
+prohibits principals from obtaining proxiable tickets. (Sets the
+.SM KRB5_KDB_DISALLOW_PROXIABLE
+flag.)
+.B +allow_proxiable
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP
+.B -allow_dup_skey
+Disables user-to-user authentication for principals by prohibiting
+principals from obtaining a session key for another user. (Sets the
+.SM KRB5_KDB_DISALLOW_DUP_SKEY
+flag.)
+.B +allow_dup_skey
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBrequires_preauth\fP
+.B +requires_preauth
+requires principals to preauthenticate before being allowed to
+kinit. (Sets the
+.SM KRB5_KDB_REQUIRES_PRE_AUTH
+flag.)
+.B -requires_preauth
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP
+.B +requires_hwauth
+requires principals to preauthenticate using a hardware device
+before being allowed to kinit. (Sets the
+.SM KRB5_KDB_REQUIRES_HW_AUTH
+flag.)
+.B -requires_hwauth
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
+.B -allow_svr
+prohibits the issuance of service tickets for principals. (Sets the
+.SM KRB5_KDB_DISALLOW_SVR
+flag.)
+.B +allow_svr
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_tgs_req\fP
+.B \-allow_tgs_req
+specifies that a Ticket-Granting Service (TGS) request for a service
+ticket for principals is not permitted. This option is useless for
+most things.
+.B +allow_tgs_req
+clears this flag. The default is
+.BR +allow_tgs_req .
+In effect,
+.B \-allow_tgs_req
+sets the
+.SM KRB5_KDB_DISALLOW_TGT_BASED
+flag on principals in the database.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_tix\fP
+.B \-allow_tix
+forbids the issuance of any tickets for principals.
+.B +allow_tix
+clears this flag. The default is
+.BR +allow_tix .
+In effect,
+.B \-allow_tix
+sets the
+.SM KRB5_KDB_DISALLOW_ALL_TIX
+flag on principals in the database.
+.TP
+{\fB\-\fP|\fB+\fP}\fBneedchange\fP
+.B +needchange
+sets a flag in attributes field to force a password change;
+.B \-needchange
+clears it. The default is
+.BR \-needchange .
+In effect,
+.B +needchange
+sets the
+.SM KRB5_KDB_REQUIRES_PWCHANGE
+flag on principals in the database.
+.TP
+{\fB\-\fP|\fB+\fP}\fBpassword_changing_service\fP
+.B +password_changing_service
+sets a flag in the attributes field marking principal as a password change
+service principal (useless for most things).
+.B \-password_changing_service
+clears the flag. This flag intentionally has a long name. The default
+is
+.BR \-password_changing_service .
+In effect,
+.B +password_changing_service
+sets the
+.SM KRB5_KDB_PWCHANGE_SERVICE
+flag on principals in the database.
+.TP
+\fB\-r\fP\ \fIrealm\fP
+Specifies the Kerberos realm of the database; by default the realm
+returned by
+.IR krb5_default_local_realm (3)
+is used.
+.TP
+.B Command Options Specific to eDirectory
+.TP
+\fB\-kdcdn\fP\ \fIkdc_service_list\fP
+Specifies the list of KDC service objects serving the realm. The list contains the DNs of the KDC
+service objects separated by a colon (:).
+.TP
+\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP
+Specifies the list of KDC service objects that need to be removed from the existing list. The list contains
+the DNs of the KDC service objects separated by a colon (:).
+.TP
+\fB\-addkdcdn\fP\ \fIkdc_service_list\fP
+Specifies the list of KDC service objects that need to be added to the existing list. The list contains the
+DNs of the KDC service objects separated by a colon (:).
+.TP
+\fB\-admindn\fP\ \fIadmin_service_list\fP
+Specifies the list of Administration service objects serving the realm. The list contains the DNs
+of the Administration service objects separated by a colon (:).
+.TP
+\fB\-clearadmindn\fP\ \fIadmin_service_list\fP
+Specifies the list of Administration service objects that need to be removed from the existing list. The list
+contains the DNs of the Administration service objects separated by a colon (:).
+.TP
+\fB\-addadmindn\fP\ \fIadmin_service_list\fP
+Specifies the list of Administration service objects that need to be added to the existing list. The list
+contains the DNs of the Administration service objects separated by a colon (:).
+.TP
+\fB\-pwddn\fP\ \fIpasswd_service_list\fP
+Specifies the list of Password service objects serving the realm. The list contains the DNs of the
+Password service objects separated by a colon (:).
+.TP
+\fB\-clearpwddn\fP\ \fIpasswd_service_list\fP
+Specifies the list of Password service objects that need to be removed from the existing list. The list
+contains the DNs of the Password service objects separated by a colon (:).
+.TP
+\fB\-addpwddn\fP\ \fIpasswd_service_list\fP
+Specifies the list of Password service objects that need to be added to the existing list. The list contains
+the DNs of the Password service objects separated by a colon (:).
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org modify -sscope ONE -enctypes
+des3-hmac-sha1:des-cbc-md5 -defenctype des3-hmac-sha1 -addsalttypes v4:special
+-r ATHENA.MIT.EDU \fP
+.nf
+Password for "cn=admin,o=org":
+.fi
+.RE
+.TP
+\fBview\fP [\fB\-r\fP\ \fIrealm\fP]
+Displays the attributes of a realm. Options:
+.RS
+.TP
+\fB\-r\fP\ \fIrealm\fP
+Specifies the Kerberos realm of the database; by default the realm returned by
+.IR krb5_default_local_realm (3)
+is used.
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org view -r ATHENA.MIT.EDU\fP
+.nf
+Password for "cn=admin,o=org":
+ Realm Name: ATHENA.MIT.EDU
+ Subtree: ou=users,o=org
+ SearchScope: ONE
+ Supported Enc Types: DES cbc mode with RSA-MD5
+ Triple DES cbc mode with HMAC/sha1
+ Default Enc Type: Triple DES cbc mode with HMAC/sha1
+ Supported Salt Types: Version 5
+ Version 4
+ Special
+ AFS version 3
+ Default Salt Type: Version 5
+ Maximum ticket life: 0 days 01:00:00
+ Maximum renewable life: 0 days 10:00:00
+ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+.fi
+.RE
+.TP
+\fBdestroy\fP [\fB-f\fP] [\fB\-r\fP\ \fIrealm\fP]
+Destroys an existing realm. Options:
+.RS
+.TP
+\fB\-f\fP
+If specified, will not prompt the user for confirmation.
+.TP
+\fB\-r\fP\ \fIrealm\fP
+Specifies the Kerberos realm of the database; by default the realm returned by
+.IR krb5_default_local_realm (3)
+is used.
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org -h ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU\fP
+.nf
+Password for "cn=admin,o=org":
+Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
+(type 'yes' to confirm)? yes
+OK, deleting database of 'ATHENA.MIT.EDU'...
+.fi
+.RE
+.TP
+\fBlist\fP
+
+Lists the name of realms.
+.RS
+.nf
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org list\fP
+Password for "cn=admin,o=org":
+ATHENA.MIT.EDU
+MYREALM
+MEDIA-LAB.MIT.EDU
+.fi
+.RE
+.TP
+\fBstashsrvpw\fP [\fB\-f\fP\ \fIfilename\fP] \fIservicedn\fP
+Allows an administrator to store the password for service object in a file so that KDC, Administration, and
+Password server can use it to authenticate to the LDAP server. Options:
+.RS
+.TP
+\fB\-f\fP\ \fIfilename\fP
+Specifies the complete path of the service password file. By default, /usr/local/var/service_passwd is used.
+.TP
+\fIservicedn\fP
+Specifies Distinguished name (DN) of the service object whose password is to be stored in file.
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP
+.nf
+Password for "cn=service-kdc,o=org":
+Re-enter password for "cn=service-kdc,o=org":
+.fi
+.RE
+.TP
+\fBcreate_policy\fP [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] \fIpolicy_dn\fP
+Creates a ticket policy in directory. Options:
+.RS
+.TP
+\fB\-maxtktlife\fP\ \fImax_ticket_life\fP
+Specifies maximum ticket life for principals.
+.TP
+\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP
+Specifies maximum renewable life of tickets for principals.
+.TP
+\fIticket_flags\fP
+Specifies the ticket flags. If this option is not specified, by default, none of the flags are
+set. This means all the ticket options will be allowed and no restriction will be set.
+
+The various flags are:
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_postdated\fP
+.B -allow_postdated
+prohibits principals from obtaining postdated tickets. (Sets the
+.SM KRB5_KDB_DISALLOW_POSTDATED
+flag.)
+.B +allow_postdated
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP
+.B -allow_forwardable
+prohibits principals from obtaining forwardable tickets. (Sets the
+.SM KRB5_KDB_DISALLOW_FORWARDABLE
+flag.)
+.B +allow_forwardable
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_renewable\fP
+.B -allow_renewable
+prohibits principals from obtaining renewable tickets. (Sets the
+.SM KRB5_KDB_DISALLOW_RENEWABLE
+flag.)
+.B +allow_renewable
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP
+.B -allow_proxiable
+prohibits principals from obtaining proxiable tickets. (Sets the
+.SM KRB5_KDB_DISALLOW_PROXIABLE
+flag.)
+.B +allow_proxiable
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP
+.B -allow_dup_skey
+Disables user-to-user authentication for principals by prohibiting
+principals from obtaining a session key for another user. (Sets the
+.SM KRB5_KDB_DISALLOW_DUP_SKEY
+flag.)
+.B +allow_dup_skey
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBrequires_preauth\fP
+.B +requires_preauth
+requires principals to preauthenticate before being allowed to
+kinit. (Sets the
+.SM KRB5_KDB_REQUIRES_PRE_AUTH
+flag.)
+.B -requires_preauth
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP
+.B +requires_hwauth
+requires principals to preauthenticate using a hardware device
+before being allowed to kinit. (Sets the
+.SM KRB5_KDB_REQUIRES_HW_AUTH
+flag.)
+.B -requires_hwauth
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
+.B -allow_svr
+prohibits the issuance of service tickets for principals. (Sets the
+.SM KRB5_KDB_DISALLOW_SVR
+flag.)
+.B +allow_svr
+clears this flag.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_tgs_req\fP
+.B \-allow_tgs_req
+specifies that a Ticket-Granting Service (TGS) request for a service
+ticket for principals is not permitted. This option is useless for
+most things.
+.B +allow_tgs_req
+clears this flag. The default is
+.BR +allow_tgs_req .
+In effect,
+.B \-allow_tgs_req
+sets the
+.SM KRB5_KDB_DISALLOW_TGT_BASED
+flag on principals in the database.
+.TP
+{\fB\-\fP|\fB+\fP}\fBallow_tix\fP
+.B \-allow_tix
+forbids the issuance of any tickets for principals.
+.B +allow_tix
+clears this flag. The default is
+.BR +allow_tix .
+In effect,
+.B \-allow_tix
+sets the
+.SM KRB5_KDB_DISALLOW_ALL_TIX
+flag on principals in the database.
+.TP
+{\fB\-\fP|\fB+\fP}\fBneedchange\fP
+.B +needchange
+sets a flag in attributes field to force a password change;
+.B \-needchange
+clears it. The default is
+.BR \-needchange .
+In effect,
+.B +needchange
+sets the
+.SM KRB5_KDB_REQUIRES_PWCHANGE
+flag on principals in the database.
+.TP
+{\fB\-\fP|\fB+\fP}\fBpassword_changing_service\fP
+.B +password_changing_service
+sets a flag in the attributes field marking principal as a password change
+service principal (useless for most things).
+.B \-password_changing_service
+clears the flag. This flag intentionally has a long name. The default
+is
+.BR \-password_changing_service .
+In effect,
+.B +password_changing_service
+sets the
+.SM KRB5_KDB_PWCHANGE_SERVICE
+flag on principals in the database.
+.TP
+\fIpolicy_dn\fP
+Specifies Distinguished name (DN) of the policy.
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 create_policy -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable cn=tktpolicy,o=org\fP
+.nf
+Password for "cn=admin,o=org":
+.fi
+.RE
+.TP
+\fBmodify_policy\fP [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] \fIpolicy_dn\fP
+Modifies the attributes of a ticket policy. Options are same as
+.B create_policy.
+.RS
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 modify_policy -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth cn=tktpolicy,o=org\fP
+.nf
+Password for "cn=admin,o=org":
+.fi
+.RE
+.TP
+\fBview_policy\fP \fIpolicy_dn\fP
+Displays the attributes of a ticket policy. Options:
+.RS
+.TP
+\fIpolicy_dn\fP
+Specifies Distinguished name (DN) of the policy.
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 view_policy cn=tktpolicy,o=org\fP
+.nf
+Password for "cn=admin,o=org":
+ Ticket policy: cn=tktpolicy,o=org
+ Maximum ticket life: 0 days 01:00:00
+ Maximum renewable life: 0 days 10:00:00
+ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+.fi
+.RE
+.TP
+\fBdestroy_policy\fP [\fB\-force\fP] \fIpolicy_dn\fP
+Destroys an existing ticket policy. Options:
+.RS
+.TP
+\fB\-force\fP
+Forces the deletion of the policy object. If not specified, will be prompted for confirmation while deleting the policy. Enter
+.B yes
+to confirm the deletion.
+.TP
+\fIpolicy_dn\fP
+Specifies Distinguished name (DN) of the policy.
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 destroy_policy cn=tktpolicy,o=org\fP
+.nf
+Password for "cn=admin,o=org":
+This will delete the policy object 'cn=tktpolicy,o=org', are you sure?
+(type 'yes' to confirm)? yes
+** policy object 'cn=tktpolicy,o=org' deleted.
+.fi
+.RE
+.TP
+\fBlist_policy\fP [\fB\-basedn\fP\ \fIbase_dn\fP]
+Lists the name of ticket policies under a given base in directory. Options:
+.RS
+.TP
+\fI\-basedn\fP\ \fIbase_dn\fP
+Specifies the base DN for searching the policies, limiting the search to a particular subtree. If this option
+is not provided, LDAP Server specific search base will be used.
+For eg, in the case of OpenLDAP, value of
+.B defaultsearchbase
+from
+.I slapd.conf
+file will be used, where as in the case of eDirectory, the default value
+for the base DN is
+.B Root.
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 list_policy
+-basedn o=org\fP
+.nf
+Password for "cn=admin,o=org":
+cn=tktpolicy,o=org
+cn=tktpolicy2,o=org
+cn=tktpolicy3,o=org
+.fi
+.RE
+
+.TP
+.B Commands Specific to eDirectory
+.TP
+\fBsetsrvpw\fP [\fB\-randpw\fP|\fB\-fileonly\fP] [\fB\-f\fP\ \fIfilename\fP] \fIservice_dn\fP
+Allows an administrator to set password for service objects such as KDC, Administration, and Password server in
+eDirectory and store them in a file. The
+.I -fileonly
+option stores the password in a file and not in the eDirectory object. Options:
+.RS
+.TP
+\fB\-randpw \fP
+Generates and sets a random password. This options can be specified to store the password both in eDirectory and a file. The
+.I -fileonly
+option can not be used if
+.I -randpw
+option is already specified.
+.TP
+\fB\-fileonly\fP
+Stores the password only in a file and not in eDirectory. The
+.I -randpw
+option can not be used when
+.I -fileonly
+options is specified.
+.TP
+\fB\-f\fP\ \fIfilename\fP
+Specifies complete path of the service password file. By default, /usr/local/var/service_passwd is used.
+.TP
+\fIservice_dn\fP
+Specifies Distinguished name (DN) of the service object whose password is to be set.
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile
+cn=service-kdc,o=org\fP
+.nf
+Password for "cn=admin,o=org":
+Password for "cn=service-kdc,o=org":
+Re-enter password for "cn=service-kdc,o=org":
+.fi
+.RE
+.TP
+\fBcreate_service\fP {\fB\-kdc|\-admin|\-pwd\fP} [\fB\-servicehost\fP\ \fIservice_host_list\fP] [\fB\-realm\fP\ \fIrealm_list\fP] [\fB\-randpw|\-fileonly\fP] [\fB\-f\fP\ \fIfilename\fP] \fIservice_dn\fP
+Creates a service in directory and assigns appropriate rights. Options:
+.RS
+.TP
+\fB\-kdc\fP
+Specifies the service is a KDC service
+.TP
+\fB\-admin\fP
+Specifies the service is a Administration service
+.TP
+\fB\-pwd\fP
+Specifies the service is a Password service
+.TP
+\fB\-servicehost\fP\ \fIservice_host_list\fP
+Specifies the list of entries separated by a colon (:). Each entry consists of the hostname or IP
+address of the server hosting the service, transport protocol, and the port number of
+the service separated by a pound sign (#).
+For example,
+server1#tcp#88:server2#udp#89.
+.TP
+\fB\-realm\fP\ \fIrealm_list\fP
+Specifies the list of realms that can be serviced by Kerberos. The list contains the name of the realms
+separated by a colon (:).
+.TP
+\fB\-randpw \fP
+Generates and sets a random password. This options can be specified to store the password both in eDirectory and a file. The
+.I -fileonly
+option can not be used if
+.I -randpw
+option is already specified.
+.TP
+\fB\-fileonly\fP
+Stores the password only in a file and not in eDirectory. The
+.I -randpw
+option can not be used when
+.I -fileonly
+options is specified.
+.TP
+\fB\-f\fP\ \fIfilename\fP
+Specifies the complete path of the file where the service object password is stashed.
+.TP
+\fIservice_dn\fP
+Specifies Distinguished name (DN) of the Kerberos service to be created.
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP
+.nf
+Password for "cn=admin,o=org":
+File does not exist. Creating the file /home/andrew/conf_keyfile...
+.fi
+.RE
+.TP
+\fBmodify_service\fP [\fB\-servicehost\fP\ \fIservice_host_list\fP | [\fB\-clearservicehost\fP\ \fIservice_host_list\fP] [\fB\-addservicehost\fP\ \fIservice_host_list\fP]] [\fB\-realm\fP\ \fIrealm_list\fP | [\fB\-clearrealm\fP\ \fIrealm_list\fP] [\fB\-addrealm\fP\ \fIrealm_list\fP]] \fIservice_dn\fP
+Modifies the attributes of a service and assigns appropriate rights. Options:
+.RS
+.TP
+\fB\-servicehost\fP\ \fIservice_host_list\fP
+Specifies the list of entries separated by a colon (:). Each entry consists of a host name
+or IP Address of the Server hosting the service, transport protocol, and port
+number of the service separated by a pound sign (#).
+For example,
+server1#tcp#88:server2#udp#89
+.TP
+\fB\-clearservicehost\fP\ \fIservice_host_list\fP
+Specifies the list of servicehost entries to be removed from the existing list separated by colon (:). Each entry consists of a host name or IP Address of the server
+hosting the service, transport protocol, and port number of the service separated
+by a pound sign (#).
+.TP
+\fB\-addservicehost\fP\ \fIservice_host_list\fP
+Specifies the list of servicehost entries to be added to the existing list separated by colon (:). Each entry consists of a host name or IP Address of the
+server hosting the service, transport protocol, and port number of the service
+separated by a pound sign (#).
+.TP
+\fB\-realm\fP\ \fIrealm_list\fP
+Specifies the list of realms that are associated with this service. The list contains the name of
+the realms separated by a colon (:).
+.TP
+\fB\-clearrealm\fP\ \fIrealm_list\fP
+Specifies the list of realms to be removed from the existing list. The list contains the name of
+the realms separated by a colon (:).
+.TP
+\fB\-addrealm\fP\ \fIrealm_list\fP
+Specifies the list of realms to be added to the existing list. The list contains the name of the
+realms separated by a colon (:).
+.TP
+\fIservice_dn\fP
+Specifies Distinguished name (DN) of the Kerberos service to be modified.
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU
+cn=service-kdc,o=org\fP
+.nf
+Password for "cn=admin,o=org":
+Changing rights for the service object. Please wait ... done
+.fi
+.RE
+.TP
+\fBview_service\fP \fIservice_dn\fP
+Displays the attributes of a service. Options:
+.RS
+.TP
+\fIservice_dn\fP
+Specifies Distinguished name (DN) of the Kerberos service to be viewed.
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org\fP
+.nf
+Password for "cn=admin,o=org":
+ Service dn: cn=service-kdc,o=org
+ Service type: kdc
+ Service host list:
+ Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security
+.fi
+.RE
+.TP
+\fBdestroy_service\fP [\fB\-force\fP] [\fB\-f\fP\ \fIstashfilename\fP] \fIservice_dn\fP
+Destroys an existing service. Options:
+.RS
+.TP
+\fB\-force\fP
+If specified, will not prompt for user's confirmation, instead will force destruction of the service.
+.TP
+\fB\-f\fP\ \fIstashfilename\fP
+Specifies the complete path of the service password file from where the entry corresponding to the
+.I service_dn
+needs to be removed.
+.TP
+\fIservice_dn\fP
+Specifies Distinguished name (DN) of the Kerberos service to be destroyed.
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org\fP
+.nf
+Password for "cn=admin,o=org":
+This will delete the service object 'cn=service-kdc,o=org', are you sure?
+(type 'yes' to confirm)? yes
+** service object 'cn=service-kdc,o=org' deleted.
+.fi
+.RE
+.TP
+\fBlist_service\fP [\fB\-basedn\fP\ \fIbase_dn\fP]
+Lists the name of services under a given base in directory. Options:
+.RS
+.TP
+\fB\-basedn\fP\ \fIbase_dn\fP
+Specifies the base DN for searching the policies, limiting the search to a particular subtree. If this option
+is not provided, LDAP Server specific search base will be used.
+For eg, in the case of OpenLDAP, value of
+.B defaultsearchbase
+from
+.I slapd.conf
+file will be used, where as in the case of eDirectory, the default value
+for the base DN is
+.B Root.
+.TP
+EXAMPLE:
+\fBkdb5_ldap_util -D cn=admin,o=org list_service\fP
+.nf
+Password for "cn=admin,o=org":
+cn=service-kdc,o=org
+cn=service-adm,o=org
+cn=service-pwd,o=org
+.fi
+.RE
+.SH SEE ALSO
+kadmin(8)
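Review bot: the setsrvpw EXAMPLE names the subcommand twice: `kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org`; drop the first `setsrvpw` so the global `-D` option precedes the subcommand as in every other example on this page. Under list_service, the `-basedn` text ("Specifies the base DN for searching the policies") is copied from list_policy and should say services. The `-f filename` entry for setsrvpw (default `/usr/local/var/service_passwd`) and the create_service example (which prints "File does not exist. Creating the file ...") show that the tool creates and writes a file holding service passwords, yet the page never states the ownership and mode that file must have or who creates its parent directory; document that next to the default path. Wording: "This options can be specified" and "options is specified" (in both the setsrvpw and create_service option lists) should read "This option can be specified" and "option is specified"; "a Administration service" should be "an Administration service"; "Specifies Distinguished name (DN)" is repeated five times with inconsistent capitalization and could be written once as "Specifies the Distinguished Name (DN)".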
void usage()
{
fprintf(stderr, "Usage: "
-#ifdef NOVELL_KDC
-"kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]\n"
-"\t[-t trusted_cert] cmd [cmd_options]\n"
-#else
"kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]\n"
"\tcmd [cmd_options]\n"
-#endif
/* Create realm */
-# ifdef NOVELL_KDC
-"create [-subtree subtree_dn] [-sscope search_scope]\n"
-"\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n"
-"\t[-pwddn passwd_service_list]\n"
-"\t[-enctypes supported_enc_types] [-defenctype default_enc_type]\n"
-"\t[-salttypes supported_salt_types] [-defsalttype default_salt_type]\n"
-"\t[-policy policy_dn] [-up]\n"
-"\t[-k mkeytype] [-m|-P password|-sf stashfilename] [-r realm]\n"
-# else
-"create [-subtree subtree_dn] [-sscope search_scope]\n"
+"create [-subtree subtree_dn] [-sscope search_scope]\n"
#ifdef HAVE_EDIRECTORY
-"\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n"
-"\t[-pwddn passwd_service_list]\n"
+"\t\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n"
+"\t\t[-pwddn passwd_service_list]\n"
#endif
-"\t[-enctypes supported_enc_types] [-defenctype default_enc_type]\n"
-"\t[-salttypes supported_salt_types] [-defsalttype default_salt_type]\n"
-"\t[-policy policy_dn]\n"
-"\t[-k mkeytype] [-m|-P password|-sf stashfilename] [-r realm]\n"
-# endif
+"\t\t[-enctypes supported_enc_types] [-defenctype default_enc_type]\n"
+"\t\t[-salttypes supported_salt_types] [-defsalttype default_salt_type]\n"
+"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype]\n"
+"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
+"\t\t[ticket_flags] [-r realm]\n"
/* modify realm */
-# ifdef NOVELL_KDC
-"modify [-subtree subtree_dn] [-sscope search_scope]\n"
-"\t[-kdcdn kdc_service_list |\n"
-"\t[-clearkdcdn kdc_service_list] [-addkdcdn kdc_service_list]]\n"
-"\t[-admindn admin_service_list | [-clearadmindn admin_service_list]\n"
-"\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n"
-"\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n"
-"\t[-enctypes supported_enc_types | [-clearenctypes enc_type_list]\n"
-"\t[-addenctypes enc_type_list]] [-defenctype default_enc_type]\n"
-"\t[-salttypes supported_salt_types | [-clearsalttypes salt_type_list]\n"
-"\t[-addsalttypes salt_type_list]] [-defsalttype default_salt_type]\n"
-"\t[-policy policy_dn|-clearpolicy] [-up|-clearup] [-r realm]\n"
-# else
-"modify [-subtree subtree_dn] [-sscope search_scope]\n"
+"modify [-subtree subtree_dn] [-sscope search_scope]\n"
#ifdef HAVE_EDIRECTORY
-"\t[-kdcdn kdc_service_list |\n"
-"\t[-clearkdcdn kdc_service_list] [-addkdcdn kdc_service_list]]\n"
-"\t[-admindn admin_service_list | [-clearadmindn admin_service_list]\n"
-"\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n"
-"\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n"
+"\t\t[-kdcdn kdc_service_list |\n"
+"\t\t[-clearkdcdn kdc_service_list] [-addkdcdn kdc_service_list]]\n"
+"\t\t[-admindn admin_service_list | [-clearadmindn admin_service_list]\n"
+"\t\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n"
+"\t\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n"
#endif
-"\t[-enctypes supported_enc_types | [-clearenctypes enc_type_list]\n"
-"\t[-addenctypes enc_type_list]] [-defenctype default_enc_type]\n"
-"\t[-salttypes supported_salt_types | [-clearsalttypes salt_type_list]\n"
-"\t[-addsalttypes salt_type_list]] [-defsalttype default_salt_type]\n"
-"\t[-policy policy_dn|-clearpolicy] [-r realm]\n"
-# endif
-
+"\t\t[-enctypes supported_enc_types | [-clearenctypes enc_type_list]\n"
+"\t\t[-addenctypes enc_type_list]] [-defenctype default_enc_type]\n"
+"\t\t[-salttypes supported_salt_types | [-clearsalttypes salt_type_list]\n"
+"\t\t[-addsalttypes salt_type_list]] [-defsalttype default_salt_type]\n"
+"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
+"\t\t[ticket_flags] [-r realm]\n"
/* View realm */
-"view [-r realm]\n"
+"view [-r realm]\n"
/* Destroy realm */
-"destroy [-f] [-r realm]\n"
+"destroy [-f] [-r realm]\n"
/* List realms */
"list\n"
#else
/* Stash the service password */
-"stashsrvpw [-f filename] servicedn\n"
+"stashsrvpw [-f filename] service_dn\n"
#endif
/* List policies */
"list_policy [-basedn base_dn]\n"
-#ifdef HAVE_EDIRECTORY
-#endif
-
-#ifdef NOVELL_KDC
-/* Set service cert */
-"setsrvcert [-nopass] [-f filename] -cert certFilename service_dn\n"
-
-/* Add ldap extensions info. */
-"ldapxtn_info -add|-clear\n"
-
-/* Reset master key */
-"setmasterkey [-k mkeytype] [-m|-P password] [-r realm]\n"
-#endif /* endof NOVELL_KDC */
);
}
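Review bot: the new `[ticket_flags]` item in both the create and modify usage strings (`"\t\t[ticket_flags] [-r realm]\n"`) is the only entry shown without an option name or value form, so a user reading the usage text cannot tell how a flag is spelled or whether several may be given; show the accepted flag syntax the way the other options show `-option value`, or reference the man page section that defines it. The same two strings drop `[-policy policy_dn]` and `[-policy policy_dn|-clearpolicy]`, consistent with the removal of the realm policyreference code later in this patch, so check that the create and modify sections of the man page no longer document those options.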
{"view_policy", kdb5_ldap_view_policy, 1},
{"destroy_policy", kdb5_ldap_destroy_policy, 1},
{"list_policy", kdb5_ldap_list_policies, 1},
-#ifdef NOVELL_KDC
- {"setsrvcert", kdb5_ldap_set_service_certificate, 0},
- {"ldapxtn_info", kdb5_ldap_modify_ldap_xtn_info, 0},
- {"setmasterkey", kdb5_ldap_set_mkey, 1},
-#endif
{NULL, NULL, 0},
};
char *value = NULL, *conf_section = NULL;
krb5_boolean realm_name_required = FALSE;
krb5_boolean print_help_message = FALSE;
-#ifdef NOVELL_KDC
- char *trusted_root_file = NULL;
-#endif
retval = krb5_init_context(&util_context);
set_com_err_hook(extended_com_err_fn);
goto cleanup;
}
ldapmask |= CMD_LDAP_P;
-#ifdef NOVELL_KDC
- } else if (strcmp(*argv, "-t") == 0 && ARG_VAL) {
- trusted_root_file = koptarg;
- if (trusted_root_file == NULL) {
- com_err(progname, ENOMEM, "while reading ldap parameters");
- exit_status++;
- goto cleanup;
- }
- ldapmask |= CMD_LDAP_T;
-#endif
} else if (cmd_lookup(*argv) != NULL) {
if (cmd_argv[0] == NULL)
cmd_argv[0] = *argv;
(strcmp(cmd_argv[0], "destroy") == 0) ||
(strcmp(cmd_argv[0], "modify") == 0) ||
(strcmp(cmd_argv[0], "view") == 0)
-#ifdef NOVELL_KDC
- || (strcmp(cmd_argv[0], "setmasterkey") == 0)
-#endif
) {
realm_name_required = TRUE;
}
if (ldapmask & CMD_LDAP_P) {
ldap_context->port = atoi(ldap_port);
}
-#ifdef NOVELL_KDC
- /* If trustedcert is specified, release entry filled by configuration & use this*/
- if (ldapmask & CMD_LDAP_T) {
- if (ldap_context->root_certificate_file != NULL) {
- if (strcmp(ldap_context->root_certificate_file, trusted_root_file) != 0) {
- profile_release_string(ldap_context->root_certificate_file);
- ldap_context->root_certificate_file = strdup(trusted_root_file);
- if (ldap_context->root_certificate_file == NULL) {
- com_err(argv[0], ENOMEM, "while retrieving ldap configuration");
- exit_status++;
- goto cleanup;
- }
- }
- }
- else {
- ldap_context->root_certificate_file = strdup(trusted_root_file);
- if (ldap_context->root_certificate_file == NULL) {
- com_err(argv[0], ENOMEM, "while retrieving ldap configuration");
- exit_status++;
- goto cleanup;
- }
- }
- }
-#endif
if (bind_dn) {
ldap_context->bind_dn = strdup(bind_dn);
if (ldap_context->bind_dn == NULL) {
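Review bot: removing the `-t trusted_cert` handling here (and from the usage text above) means the certificate used to validate the LDAP server is now taken only from `ldap_context->root_certificate_file` as filled from the configuration; that behaviour change belongs in the commit message and in the man page's description of the LDAP connection options, since an operator who previously passed `-t` gets no replacement on the command line. The removal also drops `CMD_LDAP_T` (0x10), which was guarded by `HAVE_EDIRECTORY` while its only users were guarded by `NOVELL_KDC`; deleting both sides resolves that mismatch, which is worth a line in the commit message as well.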
#define DESTROY_POLICY 14
#define LIST_POLICY 15
-#ifdef NOVELL_KDC
-# define SET_SRV_CERT 18
-# define IMPORT_CERT 19
-# define ADD_LDAP_EXTN 20
-# define RESET_MASTER_KEY 21
-#endif
-
extern int exit_status;
extern krb5_context util_context;
#define CMD_LDAP_W 0x2 /* set if -w option is specified */
#define CMD_LDAP_H 0x4 /* set if -h option is specified */
#define CMD_LDAP_P 0x8 /* set if -p option is specified */
-#ifdef HAVE_EDIRECTORY
-#define CMD_LDAP_T 0x10 /* set if -t option is specified */
-#endif
#define MAX_PASSWD_LEN 1024
#define MAX_PASSWD_PROMPT_LEN 276 /* max_dn_size(=256) + strlen("Password for \" \"")=20 */
#define KDB_TL_KEYINFO 0x04
#define KDB_TL_MASK 0x05
#define KDB_TL_CONTAINERDN 0x06
+#define KDB_TL_TKTPOLICYDN 0x07
#define CHECK_LDAP_HANDLE(lcontext) if (!(ldap_context \
SINGLE-VALUE
)
+##### Ticket Policy Reference Count
+
+attributetype ( 2.16.840.1.113719.1.301.4.38
+ NAME 'krbPolicyRefCount'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE
+ )
########################################################################
# Object Class Definitions #
##### The krbPolicy object is an effective policy that is associated with a realm or a principal
objectClass (
- 2.16.840.1.113719.1.301.6.7
- NAME 'krbPolicy'
- SUP top
- MUST ( cn )
+ 2.16.840.1.113719.1.301.6.7
+ NAME 'krbPolicy'
+ SUP top
+ MUST ( cn )
+ MAY ( krbPolicyRefCount )
)
###### The principal data auxiliary class. Holds principal information
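Review bot: `krbPolicyRefCount` is added to `krbPolicy` as an optional (MAY) attribute, so policy objects created before this schema change carry no count at all; code that treats an absent count as zero (the new `krb5_ldap_delete_policy` checks `policy->polrefcount == 0`) will then allow such a policy to be deleted while principals still reference it. Either ship a migration step that initializes the attribute from the existing `krbPolicyReference` values on principal entries, or make the deletion check independent of the stored count.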
/* store the content */
STORE16_INT(curr, ivalue);
curr += 2;
- break;
+ break;
}
case KDB_TL_USERDN:
+ case KDB_TL_TKTPOLICYDN:
{
char *cptr = (char *)value;
case KDB_TL_CONTAINERDN:
case KDB_TL_USERDN:
+ case KDB_TL_TKTPOLICYDN:
/* get the length of the content */
UNSTORE16_INT(curr, sublen);
/* forward by 2 bytes */
krb5_tl_data tl_data;
void *voidptr=NULL;
- if (type != KDB_TL_USERDN && type != KDB_TL_CONTAINERDN) {
+ if (type != KDB_TL_USERDN && type != KDB_TL_CONTAINERDN && type != KDB_TL_TKTPOLICYDN) {
st = EINVAL;
goto cleanup;
}
return krb5_get_str_from_tl_data(context, entries, KDB_TL_CONTAINERDN, containerdn);
}
+krb5_error_code
+krb5_get_policydn(context, entries, policydn)
+ krb5_context context;
+ krb5_db_entry *entries;
+ char **policydn;
+{
+ *policydn = NULL;
+ return krb5_get_str_from_tl_data(context, entries, KDB_TL_TKTPOLICYDN, policydn);
+}
/*
* This function reads the attribute values (if the attribute is non-null) from the dn.
* The read attribute values is compared aganist the attrvalues passed to the function
"krbUpEnabled",
"krbpwdpolicyreference",
"krbpasswordexpiration",
+#ifdef HAVE_EDIRECTORY
+ "loginexpirationtime",
+ "logindisabled",
+#endif
"loginexpirationtime",
"logindisabled",
"modifiersname",
krb5_ldap_server_handle *ldap_server_handle=NULL;
krb5_db_entry entries;
krb5_boolean more=0;
+ char * policydn = NULL;
/* Clear the global error string */
krb5_clear_error_message(context);
((st=krb5_get_attributes_mask(context, &entries, &(attrsetmask))) != 0) ||
((st=krb5_get_princ_count(context, &entries, &(pcount))) != 0) ||
((st=krb5_get_userdn(context, &entries, &(DN))) != 0) ||
+ ((st=krb5_get_policydn(context, &entries, &policydn)) != 0) ||
((st=krb5_get_secretkeys(context, &entries, &secretkey)) != 0))
goto cleanup;
attrsetmask >>= 1;
++j;
}
-
+ if(policydn != NULL)
+ {
+ if ((st = krb5_ldap_change_count(context, policydn,2 )))
+ goto cleanup;
+
+ }
+
/* the same should be done with the objectclass attributes */
{
char *attrvalues[] = {"krbpwdpolicyrefaux", "krbpolicyaux", "krbprincipalaux", NULL};
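Review bot: the policy reference count is decremented (`krb5_ldap_change_count(context, policydn, 2)`) before the principal entry is actually removed, so if the later deletion fails the policy's count is already one too low and the policy can subsequently be deleted while this principal still references it; move the decrement after a successful delete. `policydn` returned by `krb5_get_policydn` is not released anywhere in this hunk; free it on the cleanup path unless that already happens in code not shown. The literal `2` meaning "decrement" is opaque at the call site and should be a named constant shared with `krb5_ldap_change_count`.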
mask |= KDB_PWD_EXPIRE_TIME_ATTR;
/* KRBPOLICYREFERENCE */
+
if ((st=krb5_ldap_get_string(ld, ent, "krbpolicyreference", &policydn, &attr_present)) != 0)
- goto cleanup;
- if (attr_present == TRUE)
- mask |= KDB_POL_REF_ATTR;
+ goto cleanup;
+
+ if(attr_present == TRUE){
+ if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_TKTPOLICYDN, policydn)) != 0)
+ goto cleanup;
+ }
+ if(!(mask & KDB_MAX_LIFE_ATTR) && !(mask & KDB_MAX_RLIFE_ATTR) && !(mask & KDB_TKT_FLAGS_ATTR)){
+ if (attr_present == TRUE)
+ mask |= KDB_POL_REF_ATTR;
+ }
/* KRBPWDPOLICYREFERENCE */
if ((st=krb5_ldap_get_string(ld, ent, "krbpwdpolicyreference", &pwdpolicydn, &attr_present)) != 0)
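Review bot: the new guard `if(!(mask & KDB_MAX_LIFE_ATTR) && !(mask & KDB_MAX_RLIFE_ATTR) && !(mask & KDB_TKT_FLAGS_ATTR))` is only correct if the krbmaxticketlife, krbmaxrenewableage and krbticketflags attributes are parsed (and their mask bits set) earlier in this function than the krbpolicyreference block; nothing in the hunk documents that ordering. Add a comment stating that per-principal values take precedence over the referenced ticket policy and that this block therefore depends on those reads having run, or move the block after them so the dependency is explicit. The `store_tl_data(..., KDB_TL_TKTPOLICYDN, policydn)` call now happens whenever the attribute is present, which is what the delete and modify paths need; that is fine, but `policydn` should still be released after it is copied into the tl_data.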
unsigned int arg_val_len=0;
krb5_boolean uflag=FALSE, cflag=FALSE;
- xargs->ptype = KDB_SERVICE_PRINCIPAL;
if (db_args)
{
for (i=0; db_args[i]; ++i) {
krb5_ldap_server_handle *ldap_server_handle=NULL;
osa_princ_ent_rec princ_ent;
xargs_t xargs={0};
+ char *oldpolicydn = NULL;
/* Clear the global error string */
krb5_clear_error_message(context);
goto cleanup;
plen = strlen(user);
}
-
+ xargs.ptype = KDB_SERVICE_PRINCIPAL;
if (((st=krb5_get_princ_type(context, entries, &(xargs.ptype))) != 0) ||
((st=krb5_get_userdn(context, entries, &(xargs.dn))) != 0) ||
((st=krb5_get_secretkeys(context, entries, &oldkeys)) != 0))
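Review bot: `xargs.ptype = KDB_SERVICE_PRINCIPAL` moves out of the db_args parser into `krb5_ldap_put_principal`, directly before `krb5_get_princ_type` may overwrite it from the entry's tl_data; the default therefore applies only on this path, and any other caller of the db_args parser now sees a zero-initialized `ptype`. Confirm that no other caller relied on the parser setting the default, and state the reordering in the commit message, since principal type decides which directory attributes are written.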
} else {
dnlen = strlen (xargs.dn);
subtreelen = strlen(subtreelist[tre]);
- if (strcasecmp((xargs.dn + dnlen - subtreelen), subtreelist[tre]) == 0) {
+ if ((dnlen > subtreelen) && (strcasecmp((xargs.dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
outofsubtree = FALSE;
break;
}
}
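Review bot: adding `(dnlen > subtreelen)` before the suffix compare fixes an out-of-bounds read when the principal DN is shorter than the subtree DN (the old code computed `xargs.dn + dnlen - subtreelen` unconditionally), but two points remain. The strict `>` rejects a DN exactly equal to the subtree DN, which is presumably intended and deserves a comment. More importantly, the suffix compare does not check that the match starts at an RDN boundary, so a subtree such as `o=org` also matches a DN whose final RDN merely ends in the same characters (constructed example: `cn=x,xo=org`); require `xargs.dn[dnlen - subtreelen - 1] == ','` before accepting the match, and put the check in a small helper since the same loop is repeated for the ticket policy DN later in this file.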
if (entries->mask & KDB_PW_EXPIRATION) {
-#ifdef HAVE_EDIRECTORY /* applies only to the kerberos user principal */
- if (xargs.ptype == KDB_SERVICE_PRINCIPAL) {
- st = EINVAL;
- goto cleanup;
- }
-#endif
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods,
-#ifdef HAVE_EDIRECTORY
- "passwordexpirationtime",
-#else
- "krbpasswordexpiration",
-#endif
- LDAP_MOD_REPLACE, strval)) != 0) {
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration",
+ LDAP_MOD_REPLACE,
+ strval)) != 0) {
free (strval[0]);
goto cleanup;
}
if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbsecretkey",
LDAP_MOD_ADD | LDAP_MOD_BVALUES, bersecretkey)) != 0)
goto cleanup;
+
+ if (!(entries->mask & KDB_PRINCIPAL)){
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
+ goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods,
+ "krbpasswordexpiration",
+ LDAP_MOD_REPLACE, strval)) != 0) {
+ free (strval[0]);
+ goto cleanup;
+ }
+ free (strval[0]);
+ }
} /* Modify Key data ends here */
-
+
/* Directory specific attribute */
if (xargs.tktpolicydn != NULL) {
- int tmask=0;
- if (strlen(xargs.tktpolicydn) != 0) {
- st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
- CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: ");
+ int tmask=0, tkttree = 0, subtreednlen = 0, ntre = 0, tktdnlen = 0;
- memset(strval, 0, sizeof(strval));
- strval[0] = xargs.tktpolicydn;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
- goto cleanup;
- } else {
- /* if xargs.tktpolicydn is a empty string, then delete already existing krbpolicyreference attr */
- if (tktpolicy_set == FALSE) { /* if the attribute is not present then abort */
- st = EINVAL;
- krb5_set_error_message(context, st, "'ticketpolicydn' empty");
- goto cleanup;
- } else {
- memset(strval, 0, sizeof(strval));
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_DELETE, strval)) != 0)
+ char *subtreednlist[2]={NULL};
+ krb5_boolean dnoutofsubtree=TRUE;
+
+ if(st=krb5_get_policydn(context, entries, &oldpolicydn) != 0)
goto cleanup;
+
+ if (strlen(xargs.tktpolicydn) != 0) {
+ st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
+ CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: ");
+
+ memset(strval, 0, sizeof(strval));
+ strval[0] = xargs.tktpolicydn;
+ if ((st = krb5_get_subtree_info(ldap_context, subtreednlist, &ntre)) != 0)
+ goto cleanup;
+
+ for( tkttree=0; tkttree<ntre; ++tkttree ) {
+ if( subtreednlist[tkttree] == NULL || strlen(subtreednlist[tkttree]) == 0 ) {
+ dnoutofsubtree = FALSE;
+ break;
+ } else {
+ tktdnlen = strlen (xargs.tktpolicydn);
+ subtreednlen = strlen(subtreednlist[tkttree]);
+
+ if ((tktdnlen > subtreednlen) && (strcasecmp((xargs.tktpolicydn + tktdnlen - subtreednlen), subtreednlist[tkttree]) == 0)) {
+ dnoutofsubtree = FALSE;
+ break;
+ }
+ }
+ }
+ for( tkttree=0; tkttree < ntre; ++tkttree ) {
+ free( subtreednlist[tkttree] );
+ }
+ if( dnoutofsubtree == TRUE ) {
+ st = EINVAL;
+ prepend_err_str(context,"Ticket Policy DN is out of the realm subtree",st,st);
+ goto cleanup;
+ }
+
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
+ goto cleanup;
+ if(oldpolicydn != NULL){
+ if(strncmp(xargs.tktpolicydn,oldpolicydn,strlen(xargs.tktpolicydn)) != 0)
+ {
+ if ((st = krb5_ldap_change_count(context, oldpolicydn,2 )))
+ goto cleanup;
+ }
+ }
+
+ if ((st = krb5_ldap_change_count(context, xargs.tktpolicydn,1 )))
+ goto cleanup;
+ } else {
+ /* if xargs.tktpolicydn is a empty string, then delete already existing krbpolicyreference attr */
+ if (tktpolicy_set == FALSE) { /* if the attribute is not present then abort */
+ st = EINVAL;
+ prepend_err_str(context,"'ticketpolicydn' empty",st,st);
+ goto cleanup;
+ } else {
+ memset(strval, 0, sizeof(strval));
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_DELETE, strval)) != 0)
+ goto cleanup;
+ }
}
- }
+
}
-
if (dnfound == TRUE) {
+ if (mods == NULL) {
+ goto cleanup;
+ }
st=ldap_modify_s(ld, xargs.dn, mods);
if (st != LDAP_SUCCESS) {
sprintf(errbuf, "User modification failed: %s", ldap_err2string(st));
else {
st=ldap_add_s(ld, xargs.dn, mods);
if (st != LDAP_SUCCESS) {
- sprintf(errbuf, "Principal add failed: %s", ldap_err2string(st));
- st = translate_ldap_error (st, OP_ADD);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
+ sprintf(errbuf, "Principal add failed: %s", ldap_err2string(st));
+ st = translate_ldap_error (st, OP_ADD);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
}
- }
+ }
+
}
cleanup:
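Review bot: `if(st=krb5_get_policydn(context, entries, &oldpolicydn) != 0)` has an operator precedence bug: `!=` binds tighter than `=`, so `st` receives 0 or 1 instead of the real error code and a failure is reported as error 1; write `if ((st = krb5_get_policydn(...)) != 0)` as the surrounding code does. The reference counting in the `strlen(xargs.tktpolicydn) != 0` branch drifts: the increment `krb5_ldap_change_count(context, xargs.tktpolicydn, 1)` is unconditional while the decrement of `oldpolicydn` runs only when the two DNs differ, so every put that re-specifies the same policy inflates its count by one; guard the increment with the same comparison. That comparison, `strncmp(xargs.tktpolicydn, oldpolicydn, strlen(xargs.tktpolicydn))`, is a prefix test and treats `cn=p,o=org` and `cn=p,o=org2` as equal, and it is case-sensitive where the subtree checks use `strcasecmp`; compare the full strings case-insensitively. Both count updates also run before `ldap_modify_s`/`ldap_add_s`, so a failed modify leaves the counts wrong; apply them after success. The empty-string branch that deletes `krbpolicyreference` never decrements `oldpolicydn`. Separately, the new block under `if (!(entries->mask & KDB_PRINCIPAL))` writes `krbpasswordexpiration` from `entries->pw_expiration` without checking `KDB_PW_EXPIRATION` in the mask, and when the earlier guarded block also ran the request carries two `LDAP_MOD_REPLACE` mods for the same attribute; state which condition is meant and emit one mod. Finally, `oldpolicydn` is not freed in any line shown; release it in cleanup.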
((mask & LDAP_REALM_DEFENCTYPE) && rparams->suppenctypes == NULL) ||
((mask & LDAP_REALM_DEFSALTTYPE) && rparams->suppsalttypes == NULL) ||
#ifdef HAVE_EDIRECTORY
- ((mask & LDAP_REALM_LDAPSERVERS) && rparams->ldapservers == NULL) ||
((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) ||
((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) ||
((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) ||
goto cleanup;
}
- /* POLICYREFERENCE ATTRIBUTE */
- if (mask & LDAP_REALM_POLICYREFERENCE) {
- if (rparams->policyreference) {
- st = checkattributevalue(ld, rparams->policyreference, "ObjectClass", policyclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, "ticket policy object value: ");
+ if (mask & LDAP_REALM_MAXRENEWLIFE) {
- strval[0] = rparams->policyreference;
- strval[1] = NULL;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_REPLACE,
- strval)) != 0)
- goto cleanup;
-
- } else if (oldmask & LDAP_REALM_POLICYREFERENCE) {
- /* rparams->policyreference is NULL, when the attribute is to be deleted */
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_DELETE,
- NULL)) != 0)
- goto cleanup;
- }
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_REPLACE,
+ rparams->max_renewable_life)) != 0)
+ goto cleanup;
+ }
+
+ /* krbMaxTicketLife ATTRIBUTE */
+
+ if (mask & LDAP_REALM_MAXTICKETLIFE) {
+
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_REPLACE,
+ rparams->max_life)) != 0)
+ goto cleanup;
+ }
+
+ /* krbTicketFlags ATTRIBUTE */
+
+ if (mask & LDAP_REALM_KRBTICKETFLAGS) {
+
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_REPLACE,
+ rparams->tktflags)) != 0)
+ goto cleanup;
}
+
/* DEFENCTYPE ATTRIBUTE */
if (mask & LDAP_REALM_DEFENCTYPE) {
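Review bot: the modify path now issues `LDAP_MOD_REPLACE` for `krbMaxRenewableAge`, `krbMaxTicketLife` and `krbTicketFlags`, but those attributes belong to the `krbpolicyaux` class that only the create path adds to the realm container's objectclass (`strval[2] = "krbpolicyaux"`); a realm container created before this change will fail the modify with an object class violation. Add the auxiliary class in the modify path when any of these three masks is set, or document a migration step for existing realms. The three new blocks also repeat the same pattern with stray blank lines inside each `if`; a loop over a small table of (mask, attribute, value) would be shorter and match the style of the surrounding attribute handling.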
}
#ifdef HAVE_EDIRECTORY
- /* LDAPSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_LDAPSERVERS) {
- /* validate the server list */
- for (i=0; rparams->ldapservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->ldapservers[i], NULL, NULL, NULL);
- if (st != 0) {
- prepend_err_str (context, "Error reading LDAP servers: ", st, st);
- goto cleanup;
- }
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbldapservers", LDAP_MOD_REPLACE,
- rparams->ldapservers)) != 0)
- goto cleanup;
- }
/* KDCSERVERS ATTRIBUTE */
if (mask & LDAP_REALM_KDCSERVERS) {
LDAP *ld=NULL;
krb5_error_code st=0;
char *dn=NULL;
- char *strval[3]={NULL};
+ char *strval[4]={NULL};
LDAPMod **mods = NULL;
int i=0, objectmask=0;
kdb5_dal_handle *dal_handle=NULL;
((mask & LDAP_REALM_SUPPSALTTYPE) && rparams->suppsalttypes == NULL) ||
((mask & LDAP_REALM_SUPPENCTYPE) && rparams->suppenctypes == NULL) ||
#ifdef HAVE_EDIRECTORY
- ((mask & LDAP_REALM_LDAPSERVERS) && rparams->ldapservers == NULL) ||
((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) ||
((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) ||
((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) ||
strval[0] = "top";
strval[1] = "krbrealmcontainer";
- strval[2] = NULL;
+ strval[2] = "krbpolicyaux";
+ strval[3] = NULL;
+
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0)
goto cleanup;
}
+ if (mask & LDAP_REALM_MAXRENEWLIFE) {
- /* POLICYREFERENCE ATTRIBUTE */
- if (mask & LDAP_REALM_POLICYREFERENCE) {
- st = checkattributevalue(ld, rparams->policyreference, "ObjectClass", policyclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, "ticket policy object value: ");
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_ADD,
+ rparams->max_renewable_life)) != 0)
+ goto cleanup;
+ }
- strval[0] = rparams->policyreference;
- strval[1] = NULL;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpolicyreference", LDAP_MOD_ADD,
- strval)) != 0)
- goto cleanup;
+ /* krbMaxTicketLife ATTRIBUTE */
+
+ if (mask & LDAP_REALM_MAXTICKETLIFE) {
+
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_ADD,
+ rparams->max_life)) != 0)
+ goto cleanup;
+ }
+
+ /* krbTicketFlags ATTRIBUTE */
+
+ if (mask & LDAP_REALM_KRBTICKETFLAGS) {
+
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_ADD,
+ rparams->tktflags)) != 0)
+ goto cleanup;
}
+
/* DEFAULTENCTYPE ATTRIBUTE */
if (mask & LDAP_REALM_DEFENCTYPE) {
/* check if the entered enctype is valid */
}
#ifdef HAVE_EDIRECTORY
- /* LDAPSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_LDAPSERVERS) {
- /* validate the server list */
- for (i=0; rparams->ldapservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->ldapservers[i], NULL, NULL, NULL);
- if (st != 0) {
- prepend_err_str (context, "Error reading LDAP server object: ",
- st, st);
- goto cleanup;
- }
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbldapservers", LDAP_MOD_ADD,
- rparams->ldapservers)) != 0)
- goto cleanup;
- }
/* KDCSERVERS ATTRIBUTE */
if (mask & LDAP_REALM_KDCSERVERS) {
*mask |= LDAP_REALM_DEFSALTTYPE;
ldap_value_free(values);
}
-
- if((values=ldap_get_values(ld, ent, "krbPolicyReference")) != NULL) {
- rlparams->policyreference = strdup(values[0]);
- if (rlparams->policyreference == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- *mask |= LDAP_REALM_POLICYREFERENCE;
- ldap_value_free(values);
- }
-
if((values=ldap_get_values(ld, ent, "krbSupportedEncTypes")) != NULL) {
count = ldap_count_values(values);
rlparams->suppenctypes = malloc (sizeof(krb5_int32) * (count + 1));
}
#ifdef HAVE_EDIRECTORY
- if((values=ldap_get_values(ld, ent, "krbLdapServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(rlparams->ldapservers), (int) count)) != 0)
- goto cleanup;
- *mask |= LDAP_REALM_LDAPSERVERS;
- ldap_value_free(values);
- }
if((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
count = ldap_count_values(values);
}
ldap_msgfree(result);
}
+
rlparams->mask = *mask;
*rlparamp = rlparams;
st = store_tl_data(rlparams->tl_data, KDB_TL_MASK, mask);
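Review bot: this hunk removes the read of `krbPolicyReference` into `rlparams->policyreference` but adds no corresponding read of `krbMaxTicketLife`, `krbMaxRenewableAge` or `krbTicketFlags`, the attributes the create and modify paths now write under `LDAP_REALM_MAXTICKETLIFE`, `LDAP_REALM_MAXRENEWLIFE` and `LDAP_REALM_KRBTICKETFLAGS`; unless that read lives elsewhere in the commit, realm-level ticket limits are stored but never loaded, and `rlparams->mask` will never carry those bits for an existing realm.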
if (rparams->subtree)
krb5_xfree(rparams->subtree);
-
- if (rparams->policyreference)
- free(rparams->policyreference);
-
+
if (rparams->suppenctypes)
- krb5_xfree(rparams->suppenctypes);
+ krb5_xfree(rparams->suppenctypes);
if (rparams->suppsalttypes)
krb5_xfree(rparams->suppsalttypes);
- if (rparams->ldapservers){
- for (i=0; rparams->ldapservers[i]; ++i)
- krb5_xfree(rparams->ldapservers[i]);
- krb5_xfree(rparams->ldapservers);
- }
-
if (rparams->kdcservers){
for (i=0; rparams->kdcservers[i]; ++i)
krb5_xfree(rparams->kdcservers[i]);
ret->value[j] = k;
}
goto cleanup;
+ } else {
+ err = EINVAL;
+ krb5_set_error_message (0, err, "Not a hexadecimal password");
+ ret->len = 0;
+ goto cleanup;
}
cleanup:
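Review bot: the new error branch calls `krb5_set_error_message (0, err, "Not a hexadecimal password")` with a null context, so the message is attached to nothing and the caller sees only `EINVAL`; pass the function's context as the other error paths in this file do, or return the code and let the caller set the message. Setting `ret->len = 0` before jumping to cleanup is right; make sure `ret->value` filled in the loop above is released on this path as well if it was allocated in this function.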
/* Ticket policy object management */
+/*
+* This function changes the value of policyreference count for a particular ticket policy. if flag is 1 it will increment else it will reduce by one
+*/
+
+krb5_error_code
+krb5_ldap_change_count(context ,policydn ,flag)
+ krb5_context context;
+ char *policydn;
+ int flag;
+{
+
+ krb5_error_code st=0, tempst=0;
+ int objectmask=0;
+ LDAP *ld=NULL;
+ LDAPMessage *result=NULL,*ent=NULL;
+ char *attributes[] = { "krbPolicyRefCount", NULL};
+ char *attrvalues[] = { "krbPolicy", NULL};
+ krb5_ldap_policy_params *lpolicy=NULL;
+ kdb5_dal_handle *dal_handle=NULL;
+ krb5_ldap_context *ldap_context=NULL;
+ krb5_ldap_server_handle *ldap_server_handle=NULL;
+ long ref_count = 0;
+ LDAPMod *mods=NULL;
+ krb5_ldap_policy_params *policyparams=NULL;
+ int mask = 0;
+
+ /* validate the input parameters */
+ if (policydn == NULL) {
+ st = EINVAL;
+ prepend_err_str(context,"Ticket Policy Object information missing",st,st);
+ goto cleanup;
+ }
+
+ SETUP_CONTEXT();
+ GET_HANDLE();
+
+ /* the policydn object should be of the krbPolicy object class */
+ st = checkattributevalue(ld, policydn, "objectClass", attrvalues, &objectmask);
+ CHECK_CLASS_VALIDITY(st, objectmask, "ticket policy object: ");
+
+ /* Initialize ticket policy structure */
+
+ if ((st = krb5_ldap_read_policy(context, policydn, &policyparams, &mask)))
+ goto cleanup;
+ if(flag == 1){
+ /*Increment*/
+ policyparams->polrefcount +=1;
+ }
+ else{
+ /*Decrement*/
+ if(policyparams->polrefcount >0)
+ {
+ policyparams->polrefcount-=1;
+ }
+ }
+ mask |= LDAP_POLICY_COUNT;
+
+ if ((st = krb5_ldap_modify_policy(context, policyparams, mask)))
+ goto cleanup;
+
+cleanup:
+ krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
+ return st;
+}
+
/*
* create the Ticket policy object in Directory.
*/
-
krb5_error_code
krb5_ldap_create_policy(context, policy, mask)
krb5_context context;
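Review bot: `krb5_ldap_change_count` implements the reference count as a read-modify-write (`krb5_ldap_read_policy`, adjust `polrefcount`, `krb5_ldap_modify_policy`) with no locking and no LDAP-side atomicity, so two KDC or kadmind processes updating the same policy at once can lose an update; because the count later gates policy deletion, a drifted count either blocks deletion permanently or permits deleting a policy that principals still reference. Prefer the LDAP Modify-Increment extension (RFC 4525) where the server supports it, or compute the count at deletion time by searching for entries with `krbpolicyreference=<policydn>` instead of storing it. Smaller points: `policyparams` returned by `krb5_ldap_read_policy` is never freed in `cleanup`; `tempst`, `result`, `ent`, `attributes`, `lpolicy`, `mods` and `ref_count` are unused; the `flag` values 1 (increment) and 2 (decrement) need named constants; and the decrement silently saturates at zero, which hides an inconsistency instead of reporting it. The header comment should also note that the function writes to the directory, since its name suggests a local operation.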
policy->tktflags)) != 0)
goto cleanup;
}
+ /*ticket policy reference count attribute added with value 0 */
+
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbPolicyRefCount", LDAP_MOD_ADD,
+ 0)) != 0)
+ goto cleanup;
/* ldap add operation */
if ((st=ldap_add_s(ld, policy->policydn, mods)) != LDAP_SUCCESS) {
goto cleanup;
}
+ if (mask & LDAP_POLICY_COUNT) {
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpolicyrefcount", LDAP_MOD_REPLACE,
+ policy->polrefcount)) != 0)
+ goto cleanup;
+ }
if ((st=ldap_modify_s(ld, policy->policydn, mods)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
int objectmask=0;
LDAP *ld=NULL;
LDAPMessage *result=NULL,*ent=NULL;
- char *attributes[] = { "krbMaxTicketLife", "krbMaxRenewableAge", "krbTicketFlags", NULL};
+ char *attributes[] = { "krbMaxTicketLife", "krbMaxRenewableAge", "krbTicketFlags", "krbPolicyRefCount", NULL};
char *attrvalues[] = { "krbPolicy", NULL};
krb5_ldap_policy_params *lpolicy=NULL;
kdb5_dal_handle *dal_handle=NULL;
*omask |= LDAP_POLICY_MAXRENEWLIFE;
if (krb5_ldap_get_value(ld, ent, "krbticketflags", (int *) &(lpolicy->tktflags)) == 0)
- *omask |= LDAP_POLICY_TKTFLAGS;
+ *omask |= LDAP_POLICY_TKTFLAGS;
+ if (krb5_ldap_get_value(ld, ent, "krbPolicyRefCount", (int *) &(lpolicy->polrefcount)) == 0)
+ *omask |= LDAP_POLICY_COUNT;
+
}
ldap_msgfree(result);
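Review bot: `(int *) &(lpolicy->polrefcount)` writes an `int` through a pointer to a `long` (polrefcount is declared `long` in the header hunk). On LP64 platforms that stores only the low four bytes and leaves the upper half of the field with whatever was there before, so unless `lpolicy` is zero-allocated the count read back is garbage. It mirrors the existing `tktflags` cast, but the new field should be read into a local `int` and then assigned, or declared `int` to match krb5_ldap_get_value. The `-`/`+` pair on `*omask |= LDAP_POLICY_TKTFLAGS;` is a whitespace-only change that adds noise to the diff; drop it.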
*/
krb5_error_code
-krb5_ldap_delete_policy(context, policydn)
+krb5_ldap_delete_policy(context, policydn, policy, mask)
krb5_context context;
char *policydn;
+ krb5_ldap_policy_params *policy;
+ int mask;
{
- krb5_error_code st = 0;
- LDAP *ld = NULL;
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_context *ldap_context=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
+ krb5_error_code st = 0;
+ LDAP *ld = NULL;
+ kdb5_dal_handle *dal_handle=NULL;
+ krb5_ldap_context *ldap_context=NULL;
+ krb5_ldap_server_handle *ldap_server_handle=NULL;
+ LDAPMessage *result=NULL,*ent=NULL;
+ char *attributes[] = { "krbPolicyRefCount", NULL};
+ char *attrvalues[] = { "krbPolicy", NULL};
+ int polref_count = 0;
+
+ if (policy == NULL || policydn==NULL) {
+ st = EINVAL;
+ prepend_err_str (context,"Ticket Policy Object DN missing",st,st);
+ goto cleanup;
+ }
- SETUP_CONTEXT();
- GET_HANDLE();
-
- if ((st=ldap_delete_s(ld, policydn)) != 0)
- {
- st = set_ldap_error (context, st, OP_DEL);
- goto cleanup;
- }
-
- cleanup:
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
+
+ SETUP_CONTEXT();
+ GET_HANDLE();
+
+
+ /*checking for policy count for 0 and will not permit delete if it is greater than 0*/
+
+ if(policy->polrefcount == 0){
+
+ if ((st=ldap_delete_s(ld, policydn)) != 0)
+ {
+ prepend_err_str (context,ldap_err2string(st),st,st);
+
+ goto cleanup;
+ }
+ }
+ else {
+ st = EINVAL;
+ prepend_err_str (context,"Delete Failed: One or more Principals associated with the Ticket Policy",st,st);
+ goto cleanup;
+ }
+
+cleanup:
+ krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
+ return st;
}
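Review bot: the rewritten krb5_ldap_delete_policy decides from the caller-supplied `policy->polrefcount`, not from the value currently stored in the directory, so a stale in-memory structure lets a policy that is still referenced be deleted; even with a fresh read the check-then-delete is a race against a concurrent principal assignment. The new `result`, `ent`, `attributes[]` (`"krbPolicyRefCount"`), `attrvalues[]` and `polref_count` locals are declared and never used, which suggests the intent was to re-read the count from the entry before deleting; do that (or call krb5_ldap_read_policy) and remove the unused locals along with the unused `mask` parameter. The `policy == NULL || policydn == NULL` check jumps to `cleanup` before SETUP_CONTEXT()/GET_HANDLE() have run, so krb5_ldap_put_handle_to_pool is called with NULL `ldap_context` and `ldap_server_handle`; confirm it tolerates that or return early instead. Error reporting also changed from `set_ldap_error(context, st, OP_DEL)` to `prepend_err_str(context, ldap_err2string(st), st, st)`, which returns a raw LDAP result code as a krb5_error_code and is inconsistent with the modify path in this same file; keep set_ldap_error, and compare against LDAP_SUCCESS rather than `0` as the other calls do.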
#define LDAP_POLICY_MAXTKTLIFE 0x0001
#define LDAP_POLICY_MAXRENEWLIFE 0x0002
#define LDAP_POLICY_TKTFLAGS 0x0004
-
+#define LDAP_POLICY_COUNT 0x0008
/* policy object structure */
typedef struct _krb5_ldap_policy_params {
long maxtktlife;
long maxrenewlife;
long tktflags;
+ long polrefcount;
krb5_tl_data *tl_data;
}krb5_ldap_policy_params;
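Review bot: `LDAP_POLICY_COUNT` is ambiguous next to MAXTKTLIFE/MAXRENEWLIFE/TKTFLAGS (count of what?); `LDAP_POLICY_REFCOUNT` would match the attribute and the `polrefcount` field. The field is declared `long` but is filled through an `int *` cast in the read path; declare it `int` or fix the read. The hunk also replaces the blank line before `/* policy object structure */` with the new define, so the comment loses its separation from the flag block; keep a blank line after the define.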
krb5_ldap_read_policy(krb5_context, char *, krb5_ldap_policy_params **, int *);
krb5_error_code
-krb5_ldap_delete_policy(krb5_context, char *);
+krb5_ldap_delete_policy(krb5_context, char *, krb5_ldap_policy_params *, int);
krb5_error_code
krb5_ldap_clear_policy(krb5_context, char *);
krb5_error_code
krb5_ldap_free_policy(krb5_context, krb5_ldap_policy_params *);
+krb5_error_code
+krb5_ldap_change_count(krb5_context ,char * , int);
+
#endif
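Review bot: `krb5_ldap_change_count(krb5_context ,char * , int)` has misplaced spaces around the commas, and the trailing `int` encodes direction as a magic value (1 increments, anything else decrements) with no comment in the header or at the definition; name the parameter, document it, or use an enum or two wrappers. The changed krb5_ldap_delete_policy prototype adds a `mask` argument that the body never reads, and the signature change means every existing caller must be updated, which this patch does not show.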
tohex
+krb5_ldap_open
krb5_ldap_close
krb5_ldap_db_init
krb5_ldap_lib_init
+krb5_ldap_lib_cleanup
+krb5_ldap_db_get_age
krb5_ldap_read_server_params
krb5_ldap_put_principal
+krb5_ldap_get_principal
+krb5_ldap_delete_principal
+krb5_ldap_free_principal
+krb5_ldap_iterate
krb5_ldap_read_krbcontainer_params
krb5_ldap_list_realm
krb5_ldap_read_realm_params
krb5_ldap_modify_policy
krb5_ldap_delete_policy
krb5_ldap_create_policy
+krb5_ldap_create_password_policy
+krb5_ldap_put_password_policy
+krb5_ldap_get_password_policy
+krb5_ldap_delete_password_policy
+krb5_ldap_free_password_policy
+krb5_ldap_iterate_password_policy
krb5_dbe_free_contents
krb5_ldap_free_server_params
krb5_ldap_free_krbcontainer_params
+krb5_ldap_alloc
+krb5_ldap_free
+krb5_ldap_set_mkey
+krb5_ldap_get_mkey
disjoint_members
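Review bot: krb5_ldap_change_count is declared in the header hunk but is not added to this export list, so any caller outside the library will fail to link; add it if it is meant to be called from the principal code. The rest of the additions here (krb5_ldap_open, krb5_ldap_lib_cleanup, krb5_ldap_db_get_age, the principal routines, the password-policy routines, krb5_ldap_alloc/free and the mkey getters) do not appear anywhere else in the visible patch and are unrelated to the policy reference count; split them into their own change or explain them in the commit message.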