From: Greg Hudson Date: Sun, 29 Jul 2012 16:03:44 +0000 (-0400) Subject: Remove eDirectory support code in LDAP KDB module X-Git-Tag: krb5-1.11-alpha1~377 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95e9155602651e99c987cf08d52b1dfda9e67fe1;p=thirdparty%2Fkrb5.git Remove eDirectory support code in LDAP KDB module --- diff --git a/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst b/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst index ce39110779..e5c037db43 100644 --- a/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst +++ b/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst @@ -61,8 +61,6 @@ create [**-m|-P** *password*\|\ **-sf** *stashfilename*] [**-s**] [**-r** *realm*] - [**-kdcdn** *kdc_service_list*] - [**-admindn** *admin_service_list*] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] @@ -149,8 +147,6 @@ modify [**-sscope** *search_scope*] [**-containerref** *container_reference_dn*] [**-r** *realm*] - [**-kdcdn** *kdc_service_list* | [**-clearkdcdn** *kdc_service_list*] [**-addkdcdn** *kdc_service_list*]] - [**-admindn** *admin_service_list* | [**-clearadmindn** *admin_service_list*] [**-addadmindn** *admin_service_list*]] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] diff --git a/doc/rst_source/krb_build/options2configure.rst b/doc/rst_source/krb_build/options2configure.rst index 3df2a45c70..5c2bf1bb58 100644 --- a/doc/rst_source/krb_build/options2configure.rst +++ b/doc/rst_source/krb_build/options2configure.rst @@ -317,9 +317,6 @@ Optional packages **--with-ldap** Compile OpenLDAP database backend module. -**--with-edirectory** - Compile the eDirectory database backend module. - **--with-tcl=**\ *path* Specifies that *path* is the location of a Tcl installation. Tcl is needed for some of the tests run by 'make check'; such tests 
diff --git a/src/aclocal.m4 b/src/aclocal.m4 index c7aaf0c6e6..7dbee068b6 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -1641,15 +1641,8 @@ AC_ARG_WITH([ldap], [case "$withval" in OPENLDAP) with_ldap=yes ;; yes | no) ;; - EDIRECTORY) AC_MSG_ERROR(Option --with-ldap=EDIRECTORY is deprecated; use --with-edirectory instead.) ;; *) AC_MSG_ERROR(Invalid option value --with-ldap="$withval") ;; esac], with_ldap=no)dnl -AC_ARG_WITH([edirectory], -[ --with-edirectory compile eDirectory database backend module], -[case "$withval" in - yes | no) ;; - *) AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;; -esac], with_edirectory=no)dnl if test $with_ldap = yes; then if test $with_edirectory = yes; then @@ -1657,13 +1650,6 @@ if test $with_ldap = yes; then fi AC_MSG_NOTICE(enabling OpenLDAP database backend module support) OPENLDAP_PLUGIN=yes -elif test $with_edirectory = yes; then - AC_MSG_NOTICE(enabling eDirectory database backend module support) - OPENLDAP_PLUGIN=yes - AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.]) -else - : # neither enabled -dnl AC_MSG_NOTICE(disabling ldap backend module support) fi ])dnl dnl diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c index 72b4f7e654..a479c6e46a 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c @@ -139,14 +139,6 @@ static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_ #define ADMIN_LIFETIME 60*60*3 /* 3 hours */ #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */ -#ifdef HAVE_EDIRECTORY -#define FREE_DN_LIST(dnlist) if (dnlist != NULL) { \ - for (idx=0; dnlist[idx] != NULL; idx++) \ - free(dnlist[idx]); \ - free(dnlist); \ - } -#endif - static int get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[], int argc) 
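Review bot: The nested test `if test $with_edirectory = yes; then`, kept as trailing context of the first aclocal.m4 hunk, still references the variable whose `AC_ARG_WITH([edirectory], ...)` definition this same hunk deletes, so nothing sets `with_edirectory` any more and the generated configure expands the line to `test = yes`, which most shells reject with a message along the lines of "unary operator expected" on every `--with-ldap` build. The body of that nested conditional lies between the two hunks and is outside this view; the second hunk shows only its closing `fi` just before `AC_MSG_NOTICE(enabling OpenLDAP database backend module support)`. The inner `if ... fi` should go with the rest of the eDirectory support, leaving `if test $with_ldap = yes; then` followed directly by the `AC_MSG_NOTICE` and `OPENLDAP_PLUGIN=yes` lines.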
@@ -331,9 +323,6 @@ kdb5_ldap_create(int argc, char *argv[]) int i = 0; int mask = 0, ret_mask = 0; char **list = NULL; -#ifdef HAVE_EDIRECTORY - int rightsmask = 0; -#endif memset(&master_keyblock, 0, sizeof(master_keyblock)); @@ -414,54 +403,6 @@ kdb5_ldap_create(int argc, char *argv[]) } mask |= LDAP_REALM_SEARCHSCOPE; } -#ifdef HAVE_EDIRECTORY - else if (!strcmp(argv[i], "-kdcdn")) { - if (++i > argc-1) - goto err_usage; - rparams->kdcservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->kdcservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->kdcservers))) { - goto cleanup; - } - mask |= LDAP_REALM_KDCSERVERS; - } else if (!strcmp(argv[i], "-admindn")) { - if (++i > argc-1) - goto err_usage; - rparams->adminservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->adminservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->adminservers))) { - goto cleanup; - } - mask |= LDAP_REALM_ADMINSERVERS; - } else if (!strcmp(argv[i], "-pwddn")) { - if (++i > argc-1) - goto err_usage; - rparams->passwdservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->passwdservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->passwdservers))) { - goto cleanup; - } - mask |= LDAP_REALM_PASSWDSERVERS; - } -#endif else if (!strcmp(argv[i], "-s")) { do_stash = 1; } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { 
@@ -554,11 +495,7 @@ kdb5_ldap_create(int argc, char *argv[]) printf(_("\nKerberos container is missing. Creating now...\n")); if (kparams.DN == NULL) { -#ifdef HAVE_EDIRECTORY - printf("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: "); -#else printf(_("Enter DN of Kerberos container: ")); -#endif if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) { /* Remove the newline character at the end */ krb_location_len = strlen(krb_location); 
@@ -792,67 +729,6 @@ kdb5_ldap_create(int argc, char *argv[]) } } -#ifdef HAVE_EDIRECTORY - if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) || - (mask & LDAP_REALM_PASSWDSERVERS)) { - - printf(_("Changing rights for the service object. Please wait ... ")); - fflush(stdout); - - rightsmask =0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->kdcservers != NULL)) { - for (i=0; (rparams->kdcservers[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, rparams->kdcservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights to '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->adminservers != NULL)) { - for (i=0; (rparams->adminservers[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, rparams->adminservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights to '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->passwdservers != NULL)) { - for (i=0; (rparams->passwdservers[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, rparams->passwdservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights to '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - - printf(_("done\n")); - } -#endif /* The Realm creation is 
completed. Here is the end of transaction */ create_complete = TRUE; @@ -928,24 +804,6 @@ kdb5_ldap_modify(int argc, char *argv[]) int i = 0; int mask = 0, rmask = 0, ret_mask = 0; char **slist = {NULL}; -#ifdef HAVE_EDIRECTORY - int j = 0, idx = 0; - char *list[MAX_LIST_ENTRIES]; - int existing_entries = 0, list_entries = 0; - int newkdcdn = 0, newadmindn = 0, newpwddn = 0; - char **tempstr = NULL; - char **oldkdcdns = NULL; - char **oldadmindns = NULL; - char **oldpwddns = NULL; - char **newkdcdns = NULL; - char **newsubtrees = NULL; - char **newadmindns = NULL; - char **newpwddns = NULL; - char **oldsubtrees = NULL; - char *oldcontainerref = NULL; - int rightsmask = 0; - int subtree_changed = 0; -#endif dal_handle = util_context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; @@ -974,20 +832,6 @@ kdb5_ldap_modify(int argc, char *argv[]) if (rmask & LDAP_REALM_SUBTREE) { if (rparams->subtree) { -#ifdef HAVE_EDIRECTORY - oldsubtrees = (char **) calloc(rparams->subtreecount+1, sizeof(char *)); - if (oldsubtrees == NULL) { - retval = ENOMEM; - goto cleanup; - } - for (k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) { - oldsubtrees[k] = strdup(rparams->subtree[k]); - if (oldsubtrees[k] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } -#endif for (k=0; ksubtreecount && rparams->subtree[k]; k++) free(rparams->subtree[k]); rparams->subtreecount=0; @@ -1028,11 +872,6 @@ kdb5_ldap_modify(int argc, char *argv[]) global_params.realm); goto err_nomsg; } -#ifdef HAVE_EDIRECTORY - if (rparams->containerref != NULL) { - oldcontainerref = rparams->containerref; - } -#endif rparams->containerref = strdup(argv[i]); if (rparams->containerref == NULL) { retval = ENOMEM; 
@@ -1063,380 +902,6 @@ kdb5_ldap_modify(int argc, char *argv[]) } mask |= LDAP_REALM_SEARCHSCOPE; } -#ifdef HAVE_EDIRECTORY - else if (!strcmp(argv[i], "-kdcdn")) { - if (++i > argc-1) - goto err_usage; - - if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) { - if (!oldkdcdns) { - /* Store the old kdc dns list for removing rights */ - oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldkdcdns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->kdcservers[j] != NULL; j++) { - oldkdcdns[j] = strdup(rparams->kdcservers[j]); - if (oldkdcdns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldkdcdns[j] = NULL; - } - - krb5_free_list_entries(rparams->kdcservers); - free(rparams->kdcservers); - } - - rparams->kdcservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->kdcservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->kdcservers))) { - goto cleanup; - } - mask |= LDAP_REALM_KDCSERVERS; - /* Going to replace the existing value by this new value. 
Hence - * setting flag indicating that add or clear options will be ignored - */ - newkdcdn = 1; - } else if (!strcmp(argv[i], "-clearkdcdn")) { - if (++i > argc-1) - goto err_usage; - if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) { - if (!oldkdcdns) { - /* Store the old kdc dns list for removing rights */ - oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldkdcdns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->kdcservers[j] != NULL; j++) { - oldkdcdns[j] = strdup(rparams->kdcservers[j]); - if (oldkdcdns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldkdcdns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - list_modify_str_array(&rparams->kdcservers, (const char **)list, - LIST_MODE_DELETE); - mask |= LDAP_REALM_KDCSERVERS; - krb5_free_list_entries(list); - } - } else if (!strcmp(argv[i], "-addkdcdn")) { - if (++i > argc-1) - goto err_usage; - if (!newkdcdn) { - if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) { - /* Store the old kdc dns list for removing rights */ - oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldkdcdns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j = 0; rparams->kdcservers[j] != NULL; j++) { - oldkdcdns[j] = strdup(rparams->kdcservers[j]); - if (oldkdcdns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldkdcdns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - existing_entries = list_count_str_array(rparams->kdcservers); - list_entries = list_count_str_array(list); - if (rmask & LDAP_REALM_KDCSERVERS) { - tempstr = (char **)realloc( - rparams->kdcservers, - sizeof(char *) * (existing_entries+list_entries+1)); - if (tempstr == NULL) { - retval = ENOMEM; - goto 
cleanup; - } - rparams->kdcservers = tempstr; - } else { - rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1)); - if (rparams->kdcservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1)); - } - list_modify_str_array(&rparams->kdcservers, (const char **)list, - LIST_MODE_ADD); - mask |= LDAP_REALM_KDCSERVERS; - } - } else if (!strcmp(argv[i], "-admindn")) { - if (++i > argc-1) - goto err_usage; - - if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) { - if (!oldadmindns) { - /* Store the old admin dns list for removing rights */ - oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldadmindns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->adminservers[j] != NULL; j++) { - oldadmindns[j] = strdup(rparams->adminservers[j]); - if (oldadmindns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldadmindns[j] = NULL; - } - - krb5_free_list_entries(rparams->adminservers); - free(rparams->adminservers); - } - - rparams->adminservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->adminservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->adminservers))) { - goto cleanup; - } - mask |= LDAP_REALM_ADMINSERVERS; - /* Going to replace the existing value by this new value. 
Hence - * setting flag indicating that add or clear options will be ignored - */ - newadmindn = 1; - } else if (!strcmp(argv[i], "-clearadmindn")) { - if (++i > argc-1) - goto err_usage; - - if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) { - if (!oldadmindns) { - /* Store the old admin dns list for removing rights */ - oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldadmindns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->adminservers[j] != NULL; j++) { - oldadmindns[j] = strdup(rparams->adminservers[j]); - if (oldadmindns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldadmindns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - list_modify_str_array(&rparams->adminservers, (const char **)list, - LIST_MODE_DELETE); - mask |= LDAP_REALM_ADMINSERVERS; - krb5_free_list_entries(list); - } - } else if (!strcmp(argv[i], "-addadmindn")) { - if (++i > argc-1) - goto err_usage; - if (!newadmindn) { - if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) { - /* Store the old admin dns list for removing rights */ - oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldadmindns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->adminservers[j] != NULL; j++) { - oldadmindns[j] = strdup(rparams->adminservers[j]); - if (oldadmindns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldadmindns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - existing_entries = list_count_str_array(rparams->adminservers); - list_entries = list_count_str_array(list); - if (rmask & LDAP_REALM_ADMINSERVERS) { - tempstr = (char **)realloc( - rparams->adminservers, - sizeof(char *) * 
(existing_entries+list_entries+1)); - if (tempstr == NULL) { - retval = ENOMEM; - goto cleanup; - } - rparams->adminservers = tempstr; - } else { - rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1)); - if (rparams->adminservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1)); - } - list_modify_str_array(&rparams->adminservers, (const char **)list, - LIST_MODE_ADD); - mask |= LDAP_REALM_ADMINSERVERS; - } - } else if (!strcmp(argv[i], "-pwddn")) { - if (++i > argc-1) - goto err_usage; - - if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) { - if (!oldpwddns) { - /* Store the old pwd dns list for removing rights */ - oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldpwddns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->passwdservers[j] != NULL; j++) { - oldpwddns[j] = strdup(rparams->passwdservers[j]); - if (oldpwddns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldpwddns[j] = NULL; - } - - krb5_free_list_entries(rparams->passwdservers); - free(rparams->passwdservers); - } - - rparams->passwdservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->passwdservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->passwdservers))) { - goto cleanup; - } - mask |= LDAP_REALM_PASSWDSERVERS; - /* Going to replace the existing value by this new value. 
Hence - * setting flag indicating that add or clear options will be ignored - */ - newpwddn = 1; - } else if (!strcmp(argv[i], "-clearpwddn")) { - if (++i > argc-1) - goto err_usage; - - if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) { - if (!oldpwddns) { - /* Store the old pwd dns list for removing rights */ - oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldpwddns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->passwdservers[j] != NULL; j++) { - oldpwddns[j] = strdup(rparams->passwdservers[j]); - if (oldpwddns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldpwddns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - list_modify_str_array(&rparams->passwdservers, (const char**)list, - LIST_MODE_DELETE); - mask |= LDAP_REALM_PASSWDSERVERS; - krb5_free_list_entries(list); - } - } else if (!strcmp(argv[i], "-addpwddn")) { - if (++i > argc-1) - goto err_usage; - if (!newpwddn) { - if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) { - /* Store the old pwd dns list for removing rights */ - oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldpwddns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->passwdservers[j] != NULL; j++) { - oldpwddns[j] = strdup(rparams->passwdservers[j]); - if (oldpwddns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldpwddns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - existing_entries = list_count_str_array(rparams->passwdservers); - list_entries = list_count_str_array(list); - if (rmask & LDAP_REALM_PASSWDSERVERS) { - tempstr = (char **)realloc( - rparams->passwdservers, - sizeof(char *) * (existing_entries+list_entries+1)); - if (tempstr == 
NULL) { - retval = ENOMEM; - goto cleanup; - } - rparams->passwdservers = tempstr; - } else { - rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1)); - if (rparams->passwdservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1)); - } - list_modify_str_array(&rparams->passwdservers, (const char**)list, - LIST_MODE_ADD); - mask |= LDAP_REALM_PASSWDSERVERS; - } - } -#endif else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { mask|=ret_mask; } else { 
@@ -1450,443 +915,6 @@ kdb5_ldap_modify(int argc, char *argv[]) goto cleanup; } -#ifdef HAVE_EDIRECTORY - if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF) || (mask & LDAP_REALM_KDCSERVERS) || - (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) { - - printf(_("Changing rights for the service object. Please wait ... ")); - fflush(stdout); - - if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF)) { - subtree_changed = 1; - } - - if ((subtree_changed) || (mask & LDAP_REALM_KDCSERVERS)) { - - if (!(mask & LDAP_REALM_KDCSERVERS)) { - if (rparams->kdcservers != NULL) { - char **kdcdns = rparams->kdcservers; - /* Only subtree and/or container ref has changed */ - rightsmask =0; - /* KDCSERVERS have not changed. Realm rights need not be changed */; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) { - /* Remove the rights on the old subtrees */ - for (i=0; (kdcdns[i] != NULL); i++) { - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_KDC_SERVICE, kdcdns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - for (i=0; (kdcdns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, kdcdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - } - - if (!subtree_changed) { - char **newdns = NULL; - /* Only kdc servers have changed */ - rightsmask =0; - rightsmask = LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if (oldkdcdns != NULL) { - newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (newdns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((rparams != 
NULL) && (rparams->kdcservers != NULL)) { - for (j=0; rparams->kdcservers[j]!= NULL; j++) { - newdns[j] = strdup(rparams->kdcservers[j]); - if (newdns[j] == NULL) { - FREE_DN_LIST(newdns); - retval = ENOMEM; - goto cleanup; - } - } - newdns[j] = NULL; - } - - disjoint_members(oldkdcdns, newdns); - - for (i=0; (oldkdcdns[i] != NULL); i++) { - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_KDC_SERVICE, oldkdcdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - FREE_DN_LIST(newdns); - goto err_nomsg; - } - } - for (i=0; (newdns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - FREE_DN_LIST(newdns); - goto err_nomsg; - } - } - for (i=0; (newdns[i] != NULL); i++) { - free(newdns[i]); - } - free(newdns); - } else { - newdns = rparams->kdcservers; - for (i=0; (newdns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - } - - if (subtree_changed && (mask & LDAP_REALM_KDCSERVERS)) { - char **newdns = rparams->kdcservers; - - rightsmask =0; - rightsmask = LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if (oldkdcdns != NULL) { - for (i=0; (oldkdcdns[i] != NULL); i++) { - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_KDC_SERVICE, oldkdcdns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { - printf(_("failed\n")); - 
com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - for (i=0; (newdns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - } - - if (subtree_changed || (mask & LDAP_REALM_ADMINSERVERS)) { - - if (!(mask & LDAP_REALM_ADMINSERVERS)) { - if (rparams->adminservers != NULL) { - char **admindns = rparams->adminservers; - /* Only subtree and/or container ref has changed */ - rightsmask =0; - /* KADMINSERVERS have not changed. Realm rights need not be changed */; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) { - /* Remove the rights on the old subtrees */ - for (i=0; (admindns[i] != NULL); i++) { - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_ADMIN_SERVICE, admindns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - for (i=0; (admindns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, admindns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - } - - if (!subtree_changed) { - char **newdns = NULL; - /* Only admin servers have changed */ - rightsmask =0; - rightsmask = LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if (oldadmindns != NULL) { - newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (newdns == NULL) { - retval = ENOMEM; - goto 
cleanup; - } - - if ((rparams != NULL) && (rparams->adminservers != NULL)) { - for (j=0; rparams->adminservers[j]!= NULL; j++) { - newdns[j] = strdup(rparams->adminservers[j]); - if (newdns[j] == NULL) { - FREE_DN_LIST(newdns); - retval = ENOMEM; - goto cleanup; - } - } - newdns[j] = NULL; - } - - disjoint_members(oldadmindns, newdns); - - for (i=0; (oldadmindns[i] != NULL); i++) { - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_ADMIN_SERVICE, oldadmindns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - FREE_DN_LIST(newdns); - goto err_nomsg; - } - } - for (i=0; (newdns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - FREE_DN_LIST(newdns); - goto err_nomsg; - } - } - for (i=0; (newdns[i] != NULL); i++) { - free(newdns[i]); - } - free(newdns); - } else { - newdns = rparams->adminservers; - for (i=0; (newdns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - } - - if (subtree_changed && (mask & LDAP_REALM_ADMINSERVERS)) { - char **newdns = rparams->adminservers; - - rightsmask = 0; - rightsmask = LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if (oldadmindns != NULL) { - for (i=0; (oldadmindns[i] != NULL); i++) { - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_ADMIN_SERVICE, oldadmindns[i], - rparams->realm_name, oldsubtrees, 
oldcontainerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - for (i=0; (newdns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - } - - if (subtree_changed || (mask & LDAP_REALM_PASSWDSERVERS)) { - - if (!(mask & LDAP_REALM_PASSWDSERVERS)) { - if (rparams->passwdservers != NULL) { - char **passwddns = rparams->passwdservers; - /* Only subtree and/or container ref has changed */ - rightsmask = 0; - /* KPASSWDSERVERS have not changed. Realm rights need not be changed */; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) { - /* Remove the rights on the old subtrees */ - for (i=0; (passwddns[i] != NULL); i++) { - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_PASSWD_SERVICE, passwddns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - for (i=0; (passwddns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, passwddns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - } - - if (!subtree_changed) { - char **newdns = NULL; - /* Only passwd servers have changed */ - rightsmask =0; - rightsmask = LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if (oldpwddns != NULL) { - newdns = (char**) 
calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (newdns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((rparams != NULL) && (rparams->passwdservers != NULL)) { - for (j=0; rparams->passwdservers[j]!= NULL; j++) { - newdns[j] = strdup(rparams->passwdservers[j]); - if (newdns[j] == NULL) { - FREE_DN_LIST(newdns); - retval = ENOMEM; - goto cleanup; - } - } - newdns[j] = NULL; - } - - disjoint_members(oldpwddns, newdns); - - for (i=0; (oldpwddns[i] != NULL); i++) { - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_PASSWD_SERVICE, oldpwddns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - FREE_DN_LIST(newdns); - goto err_nomsg; - } - } - for (i=0; (newdns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - FREE_DN_LIST(newdns); - goto err_nomsg; - } - } - for (i=0; (newdns[i] != NULL); i++) { - free(newdns[i]); - } - free(newdns); - } else { - newdns = rparams->passwdservers; - for (i=0; (newdns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - } - - if (subtree_changed && (mask & LDAP_REALM_PASSWDSERVERS)) { - char **newdns = rparams->passwdservers; - - rightsmask =0; - rightsmask = LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if (oldpwddns != NULL) { - for (i=0; (oldpwddns[i] != NULL); i++) { - if ((retval = 
krb5_ldap_delete_service_rights(util_context, - LDAP_PASSWD_SERVICE, oldpwddns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - for (i=0; (newdns[i] != NULL); i++) { - if ((retval = krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights '%s'"), - rparams->realm_name); - goto err_nomsg; - } - } - } - } - printf(_("done\n")); - } -#endif - goto cleanup; err_usage: @@ -1898,49 +926,6 @@ err_nomsg: cleanup: krb5_ldap_free_realm_params(rparams); - -#ifdef HAVE_EDIRECTORY - if (oldkdcdns) { - for (i=0; oldkdcdns[i] != NULL; i++) - free(oldkdcdns[i]); - free(oldkdcdns); - } - if (oldpwddns) { - for (i=0; oldpwddns[i] != NULL; i++) - free(oldpwddns[i]); - free(oldpwddns); - } - if (oldadmindns) { - for (i=0; oldadmindns[i] != NULL; i++) - free(oldadmindns[i]); - free(oldadmindns); - } - if (newkdcdns) { - for (i=0; newkdcdns[i] != NULL; i++) - free(newkdcdns[i]); - free(newkdcdns); - } - if (newpwddns) { - for (i=0; newpwddns[i] != NULL; i++) - free(newpwddns[i]); - free(newpwddns); - } - if (newadmindns) { - for (i=0; newadmindns[i] != NULL; i++) - free(newadmindns[i]); - free(newadmindns); - } - if (oldsubtrees) { - for (i=0;oldsubtrees[i]!=NULL; i++) - free(oldsubtrees[i]); - free(oldsubtrees); - } - if (newsubtrees) { - for (i=0;newsubtrees[i]!=NULL; i++) - free(newsubtrees[i]); - free(oldsubtrees); - } -#endif if (print_usage) { db_usage(MODIFY_REALM); } 
@@ -2566,10 +1551,6 @@ kdb5_ldap_destroy(int argc, char *argv[]) int mask = 0; kdb5_dal_handle *dal_handle = NULL; krb5_ldap_context *ldap_context = NULL; -#ifdef HAVE_EDIRECTORY - int i = 0, rightsmask = 0; - krb5_ldap_realm_params *rparams = NULL; -#endif optind = 1; while ((optchar = getopt(argc, argv, "f")) != -1) { 
@@ -2625,65 +1606,6 @@ kdb5_ldap_destroy(int argc, char *argv[]) return; } -#ifdef HAVE_EDIRECTORY - if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) || - (mask & LDAP_REALM_PASSWDSERVERS)) { - - printf(_("Changing rights for the service object. Please wait ... ")); - fflush(stdout); - - rparams = ldap_context->lrparams; - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->kdcservers != NULL)) { - for (i=0; (rparams->kdcservers[i] != NULL); i++) { - if ((retval = krb5_ldap_delete_service_rights(util_context, - LDAP_KDC_SERVICE, rparams->kdcservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights to '%s'"), - rparams->realm_name); - return; - } - } - } - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->adminservers != NULL)) { - for (i=0; (rparams->adminservers[i] != NULL); i++) { - if ((retval = krb5_ldap_delete_service_rights(util_context, - LDAP_ADMIN_SERVICE, rparams->adminservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights to '%s'"), - rparams->realm_name); - return; - } - } - } - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->passwdservers != NULL)) { - for (i=0; (rparams->passwdservers[i] != NULL); i++) { - if ((retval = krb5_ldap_delete_service_rights(util_context, - LDAP_PASSWD_SERVICE, rparams->passwdservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf(_("failed\n")); - com_err(progname, retval, - _("while assigning rights to '%s'"), - rparams->realm_name); - return; - } - } - } - printf("done\n"); - } -#endif /* 
Delete the realm container and all the associated principals */ retval = krb5_ldap_delete_realm(util_context, global_params.realm); if (retval) { diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c index 916a4bd577..05fac49765 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 
@@ -41,1843 +41,6 @@ #include "kdb5_ldap_util.h" #include "kdb5_ldap_list.h" -#ifdef HAVE_EDIRECTORY - -static krb5_error_code -convert_realm_name2dn_list(char **list, const char *krbcontainer_loc); - -static krb5_error_code -rem_service_entry_from_file(int argc, - char *argv[], - char *file_name, - char *service_object); - -static void -print_service_params(krb5_ldap_service_params *lserparams, int mask); - -extern char *yes; -extern krb5_boolean db_inited; - -static int -process_host_list(char **host_list, int servicetype) -{ - krb5_error_code retval = 0; - char *pchr = NULL; - char host_str[MAX_LEN_LIST_ENTRY] = "", proto_str[PROTOCOL_STR_LEN + 1] = "", port_str[PORT_STR_LEN + 1] = ""; - int j = 0; - - /* Protocol and port number processing */ - for (j = 0; host_list[j]; j++) { - /* Look for one hash */ - if ((pchr = strchr(host_list[j], HOST_INFO_DELIMITER))) { - unsigned int hostname_len = pchr - host_list[j]; - - /* Check input for buffer overflow */ - if (hostname_len >= MAX_LEN_LIST_ENTRY) { - retval = EINVAL; - goto cleanup; - } - - /* First copy off the host name portion */ - strncpy (host_str, host_list[j], hostname_len); - - /* Parse for the protocol string and translate to number */ - strncpy (proto_str, pchr + 1, PROTOCOL_STR_LEN); - if (!strcmp(proto_str, "udp")) - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_NUM_UDP); - else if (!strcmp(proto_str, "tcp")) - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_NUM_TCP); - else - proto_str[0] = '\0'; /* Make the string null if invalid */ - - /* Look for one more hash */ - if ((pchr = strchr(pchr + 1, HOST_INFO_DELIMITER))) { - /* Parse for the port string and check if it is numeric */ - strncpy (port_str, pchr + 1, PORT_STR_LEN); - if (!strtol(port_str, NULL, 10)) /* Not a valid number */ - port_str[0] = '\0'; - } else - port_str[0] = '\0'; - } else { /* We have only host name */ - strncpy (host_str, host_list[j], MAX_LEN_LIST_ENTRY - 1); - proto_str[0] = '\0'; - port_str[0] = '\0'; - 
} - - /* Now, based on service type, fill in suitable protocol - and port values if they are absent or not matching */ - if (servicetype == LDAP_KDC_SERVICE) { - if (proto_str[0] == '\0') - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_KDC); - - if (port_str[0] == '\0') - snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_KDC); - } else if (servicetype == LDAP_ADMIN_SERVICE) { - if (proto_str[0] == '\0') - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_ADM); - else if (strcmp(proto_str, "1")) { - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_ADM); - - /* Print warning message */ - printf ("Admin Server supports only TCP protocol, hence setting that\n"); - } - - if (port_str[0] == '\0') - snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_ADM); - } else if (servicetype == LDAP_PASSWD_SERVICE) { - if (proto_str[0] == '\0') - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_PWD); - else if (strcmp(proto_str, "0")) { - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_PWD); - - /* Print warning message */ - printf ("Password Server supports only UDP protocol, hence setting that\n"); - } - - if (port_str[0] == '\0') - sprintf (port_str, "%d", PORT_DEFAULT_PWD); - } - - /* Finally form back the string */ - free (host_list[j]); - host_list[j] = (char*) malloc(sizeof(char) * - (strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1)); - if (host_list[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - snprintf (host_list[j], strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1, - "%s#%s#%s", host_str, proto_str, port_str); - } - -cleanup: - return retval; -} - - -/* - * Given a realm name, this function will convert it to a DN by appending the - * Kerberos container location. 
- */ -static krb5_error_code -convert_realm_name2dn_list(char **list, const char *krbcontainer_loc) -{ - krb5_error_code retval = 0; - char temp_str[MAX_DN_CHARS] = "\0"; - char *temp_node = NULL; - int i = 0; - - if (list == NULL) { - return EINVAL; - } - - for (i = 0; (list[i] != NULL) && (i < MAX_LIST_ENTRIES); i++) { - /* Restrict copying to max. length to avoid buffer overflow */ - snprintf (temp_str, MAX_DN_CHARS, "cn=%s,%s", list[i], krbcontainer_loc); - - /* Make copy of string to temporary node */ - temp_node = strdup(temp_str); - if (list[i] == NULL) { - retval = ENOMEM; - goto cleanup; - } - - /* On success, free list node and attach new one */ - free (list[i]); - list[i] = temp_node; - temp_node = NULL; - } - -cleanup: - return retval; -} - - -/* - * This function will create a service object on the LDAP Server, with the - * specified attributes. - */ -void -kdb5_ldap_create_service(int argc, char *argv[]) -{ - char *me = progname; - krb5_error_code retval = 0; - krb5_ldap_service_params *srvparams = NULL; - krb5_boolean print_usage = FALSE; - krb5_boolean no_msg = FALSE; - int mask = 0; - char **extra_argv = NULL; - int extra_argc = 0; - int i = 0; - krb5_ldap_realm_params *rparams = NULL; - int rmask = 0; - int rightsmask =0; - char **temprdns = NULL; - char *realmName = NULL; - kdb5_dal_handle *dal_handle = NULL; - krb5_ldap_context *ldap_context=NULL; - krb5_boolean service_obj_created = FALSE; - - /* Check for number of arguments */ - if ((argc < 3) || (argc > 10)) { - exit_status++; - goto err_usage; - } - - /* Allocate memory for service parameters structure */ - srvparams = (krb5_ldap_service_params*) calloc(1, sizeof(krb5_ldap_service_params)); - if (srvparams == NULL) { - retval = ENOMEM; - goto cleanup; - } - - dal_handle = util_context->dal_handle; - ldap_context = (krb5_ldap_context *) dal_handle->db_context; - - /* Allocate memory for extra arguments to be used for setting - password -- it's OK to allocate as much as the total number - of 
arguments */ - extra_argv = (char **) calloc((unsigned int)argc, sizeof(char*)); - if (extra_argv == NULL) { - retval = ENOMEM; - goto cleanup; - } - - /* Set first of the extra arguments as the program name */ - extra_argv[0] = me; - extra_argc++; - - /* Read Kerberos container info, to construct realm DN from name - * and for assigning rights - */ - if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)))) { - com_err(me, retval, "while reading Kerberos container information"); - goto cleanup; - } - - /* Parse all arguments */ - for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-kdc")) { - srvparams->servicetype = LDAP_KDC_SERVICE; - } else if (!strcmp(argv[i], "-admin")) { - srvparams->servicetype = LDAP_ADMIN_SERVICE; - } else if (!strcmp(argv[i], "-pwd")) { - srvparams->servicetype = LDAP_PASSWD_SERVICE; - } else if (!strcmp(argv[i], "-servicehost")) { - if (++i > argc - 1) - goto err_usage; - - srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES, - sizeof(char *)); - if (srvparams->krbhostservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - srvparams->krbhostservers))) { - goto cleanup; - } - - if ((retval = process_host_list (srvparams->krbhostservers, - srvparams->servicetype))) { - goto cleanup; - } - - mask |= LDAP_SERVICE_HOSTSERVER; - } else if (!strcmp(argv[i], "-realm")) { - if (++i > argc - 1) - goto err_usage; - - srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES, - sizeof(char *)); - if (srvparams->krbrealmreferences == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - srvparams->krbrealmreferences))) { - goto cleanup; - } - - /* Convert realm names to realm DNs */ - if ((retval = convert_realm_name2dn_list( - srvparams->krbrealmreferences, - ldap_context->krbcontainer->DN))) { - goto cleanup; - } - - mask |= LDAP_SERVICE_REALMREFERENCE; - } - /* If argument is 
none of the above and beginning with '-', - * it must be related to password -- collect it - * to pass onto kdb5_ldap_set_service_password() - */ - else if (*(argv[i]) == '-') { - /* Checking for options of setting the password for the - * service (by using 'setsrvpw') is not modular. --need to - * have a common function that can be shared with 'setsrvpw' - */ - if (!strcmp(argv[i], "-randpw")) { - extra_argv[extra_argc] = argv[i]; - extra_argc++; - } else if (!strcmp(argv[i], "-fileonly")) { - extra_argv[extra_argc] = argv[i]; - extra_argc++; - } - /* For '-f' option alone, pick up the following argument too */ - else if (!strcmp(argv[i], "-f")) { - extra_argv[extra_argc] = argv[i]; - extra_argc++; - - if (++i > argc - 1) - goto err_usage; - - extra_argv[extra_argc] = argv[i]; - extra_argc++; - } else { /* Any other option is invalid */ - exit_status++; - goto err_usage; - } - } else { /* Any other argument must be service DN */ - /* First check if service DN is already provided -- - * if so, there's a usage error - */ - if (srvparams->servicedn != NULL) { - com_err(me, EINVAL, "while creating service object"); - goto err_usage; - } - - /* If not present already, fill up service DN */ - srvparams->servicedn = strdup(argv[i]); - if (srvparams->servicedn == NULL) { - com_err(me, ENOMEM, "while creating service object"); - goto err_nomsg; - } - } - } - - /* No point in proceeding further if service DN value is not available */ - if (srvparams->servicedn == NULL) { - com_err(me, EINVAL, "while creating service object"); - goto err_usage; - } - - if (srvparams->servicetype == 0) { /* Not provided and hence not set */ - com_err(me, EINVAL, "while creating service object"); - goto err_usage; - } - - /* Create object with all attributes provided */ - if ((retval = krb5_ldap_create_service(util_context, srvparams, mask))) - goto cleanup; - - service_obj_created = TRUE; - - /* ** NOTE ** srvparams structure should not be modified, as it is - * used for deletion of the 
service object in case of any failures - * from now on. - */ - - /* Set password too */ - if (extra_argc >= 1) { - /* Set service DN as the last argument */ - extra_argv[extra_argc] = strdup(srvparams->servicedn); - if (extra_argv[extra_argc] == NULL) { - retval = ENOMEM; - goto cleanup; - } - extra_argc++; - - if ((retval = kdb5_ldap_set_service_password(extra_argc, extra_argv)) != 0) { - goto err_nomsg; - } - } - /* Rights assignment */ - if (mask & LDAP_SERVICE_REALMREFERENCE) { - - printf("%s","Changing rights for the service object. Please wait ... "); - fflush(stdout); - - rightsmask =0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - - if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) { - for (i=0; (srvparams->krbrealmreferences[i] != NULL); i++) { - - /* Get the realm name, not the dn */ - temprdns = ldap_explode_dn(srvparams->krbrealmreferences[i], 1); - - if (temprdns[0] == NULL) { - retval = EINVAL; - goto cleanup; - } - - realmName = strdup(temprdns[0]); - if (realmName == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_ldap_read_realm_params(util_context, - realmName, &rparams, &rmask))) { - com_err(me, retval, "while reading information of realm '%s'", - realmName); - goto cleanup; - } - - if ((retval = krb5_ldap_add_service_rights(util_context, - srvparams->servicetype, srvparams->servicedn, - realmName, rparams->subtree, rparams->containerref, rightsmask))) { - printf("failed\n"); - com_err(me, retval, "while assigning rights '%s'", - srvparams->servicedn); - goto cleanup; - } - - if (rparams) - krb5_ldap_free_realm_params(rparams); - } - } - printf("done\n"); - } - goto cleanup; - -err_usage: - print_usage = TRUE; - -err_nomsg: - no_msg = TRUE; - -cleanup: - - if ((retval != 0) && (service_obj_created == TRUE)) { - /* This is for deleting the service object if something goes - * wrong in creating the service object - */ - - /* srvparams is populated from the user input and should be 
correct as - * we were successful in creating a service object. Reusing the same - */ - krb5_ldap_delete_service(util_context, srvparams, srvparams->servicedn); - } - - /* Clean-up structure */ - krb5_ldap_free_service (util_context, srvparams); - - if (extra_argv) { - free (extra_argv); - extra_argv = NULL; - } - if (realmName) { - free(realmName); - realmName = NULL; - } - if (print_usage) - db_usage (CREATE_SERVICE); - - if (retval) { - if (!no_msg) - com_err(me, retval, "while creating service object"); - - exit_status++; - } - - return; -} - - -/* - * This function will modify the attributes of a given service - * object on the LDAP Server - */ -void -kdb5_ldap_modify_service(int argc, char *argv[]) -{ - char *me = progname; - krb5_error_code retval = 0; - krb5_ldap_service_params *srvparams = NULL; - krb5_boolean print_usage = FALSE; - krb5_boolean no_msg = FALSE; - char *servicedn = NULL; - int i = 0; - int in_mask = 0, out_mask = 0; - int srvhost_flag = 0, realmdn_flag = 0; - char **list = NULL; - int existing_entries = 0, new_entries = 0; - char **temp_ptr = NULL; - krb5_ldap_realm_params *rparams = NULL; - int j = 0; - int rmask = 0; - int rightsmask =0; - char **oldrealmrefs = NULL; - char **newrealmrefs = NULL; - char **temprdns = NULL; - char *realmName = NULL; - kdb5_dal_handle *dal_handle = NULL; - krb5_ldap_context *ldap_context=NULL; - - /* Check for number of arguments */ - if ((argc < 3) || (argc > 10)) { - exit_status++; - goto err_usage; - } - - dal_handle = util_context->dal_handle; - ldap_context = (krb5_ldap_context *) dal_handle->db_context; - - /* Parse all arguments, only to pick up service DN (Pass 1) */ - for (i = 1; i < argc; i++) { - /* Skip arguments next to 'servicehost' - and 'realmdn' arguments */ - if (!strcmp(argv[i], "-servicehost")) { - ++i; - } else if (!strcmp(argv[i], "-clearservicehost")) { - ++i; - } else if (!strcmp(argv[i], "-addservicehost")) { - ++i; - } else if (!strcmp(argv[i], "-realm")) { - ++i; - } else if 
(!strcmp(argv[i], "-clearrealm")) { - ++i; - } else if (!strcmp(argv[i], "-addrealm")) { - ++i; - } else { /* Any other argument must be service DN */ - /* First check if service DN is already provided -- - if so, there's a usage error */ - if (servicedn != NULL) { - com_err(me, EINVAL, "while modifying service object"); - goto err_usage; - } - - /* If not present already, fill up service DN */ - servicedn = strdup(argv[i]); - if (servicedn == NULL) { - com_err(me, ENOMEM, "while modifying service object"); - goto err_nomsg; - } - } - } - - /* No point in proceeding further if service DN value is not available */ - if (servicedn == NULL) { - com_err(me, EINVAL, "while modifying service object"); - goto err_usage; - } - - retval = krb5_ldap_read_service(util_context, servicedn, &srvparams, &in_mask); - if (retval) { - com_err(me, retval, "while reading information of service '%s'", - servicedn); - goto err_nomsg; - } - - /* Read Kerberos container info, to construct realm DN from name - * and for assigning rights - */ - if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)))) { - com_err(me, retval, "while reading Kerberos container information"); - goto cleanup; - } - - /* Parse all arguments, but skip the service DN (Pass 2) */ - for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-servicehost")) { - if (++i > argc - 1) - goto err_usage; - - /* Free the old list if available */ - if (srvparams->krbhostservers) { - krb5_free_list_entries (srvparams->krbhostservers); - free (srvparams->krbhostservers); - } - - srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES, - sizeof(char *)); - if (srvparams->krbhostservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - srvparams->krbhostservers))) { - goto cleanup; - } - - if ((retval = process_host_list (srvparams->krbhostservers, - srvparams->servicetype))) { - goto cleanup; - } - - out_mask |= 
LDAP_SERVICE_HOSTSERVER; - - /* Set flag to ignore 'add' and 'clear' */ - srvhost_flag = 1; - } else if (!strcmp(argv[i], "-clearservicehost")) { - if (++i > argc - 1) - goto err_usage; - - if (!srvhost_flag) { - /* If attribute doesn't exist, don't permit 'clear' option */ - if ((in_mask & LDAP_SERVICE_HOSTSERVER) == 0) { - /* Send out some proper error message here */ - com_err(me, EINVAL, "service host list is empty\n"); - goto err_nomsg; - } - - /* Allocate list for processing */ - list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - if ((retval = process_host_list (list, srvparams->servicetype))) { - goto cleanup; - } - - list_modify_str_array(&(srvparams->krbhostservers), - (const char**)list, LIST_MODE_DELETE); - - out_mask |= LDAP_SERVICE_HOSTSERVER; - - /* Clean up */ - free (list); - list = NULL; - } - } else if (!strcmp(argv[i], "-addservicehost")) { - if (++i > argc - 1) - goto err_usage; - - if (!srvhost_flag) { - /* Allocate list for processing */ - list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - if ((retval = process_host_list (list, srvparams->servicetype))) { - goto cleanup; - } - - /* Call list_modify_str_array() only if host server attribute - * exists already --Actually, it's better to handle this - * within list_modify_str_array() - */ - if (in_mask & LDAP_SERVICE_HOSTSERVER) { - /* Re-size existing list */ - existing_entries = list_count_str_array(srvparams->krbhostservers); - new_entries = list_count_str_array(list); - temp_ptr = (char **) realloc(srvparams->krbhostservers, - sizeof(char *) * (existing_entries + new_entries + 1)); - if (temp_ptr == NULL) { - retval = ENOMEM; - goto cleanup; - } - srvparams->krbhostservers = temp_ptr; - - 
list_modify_str_array(&(srvparams->krbhostservers), - (const char**)list, LIST_MODE_ADD); - - /* Clean up */ - free (list); - list = NULL; - } else - srvparams->krbhostservers = list; - - out_mask |= LDAP_SERVICE_HOSTSERVER; - } - } else if (!strcmp(argv[i], "-realm")) { - if (++i > argc - 1) - goto err_usage; - - if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences)) { - if (!oldrealmrefs) { - /* Store the old realm list for removing rights */ - oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldrealmrefs == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { - oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); - if (oldrealmrefs[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldrealmrefs[j] = NULL; - } - - /* Free the old list if available */ - krb5_free_list_entries (srvparams->krbrealmreferences); - free (srvparams->krbrealmreferences); - } - - srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES, - sizeof(char *)); - if (srvparams->krbrealmreferences == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - srvparams->krbrealmreferences))) { - goto cleanup; - } - - /* Convert realm names to realm DNs */ - if ((retval = convert_realm_name2dn_list( - srvparams->krbrealmreferences, - ldap_context->krbcontainer->DN))) { - goto cleanup; - } - - out_mask |= LDAP_SERVICE_REALMREFERENCE; - - /* Set flag to ignore 'add' and 'clear' */ - realmdn_flag = 1; - } else if (!strcmp(argv[i], "-clearrealm")) { - if (++i > argc - 1) - goto err_usage; - - if (!realmdn_flag) { - /* If attribute doesn't exist, don't permit 'clear' option */ - if (((in_mask & LDAP_SERVICE_REALMREFERENCE) == 0) || (srvparams->krbrealmreferences == NULL)) { - /* Send out some proper error message here */ - goto err_nomsg; - } - - if (!oldrealmrefs) { - /* Store the old realm list for removing rights */ - 
oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldrealmrefs == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { - oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); - if (oldrealmrefs[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldrealmrefs[j] = NULL; - } - - /* Allocate list for processing */ - list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - /* Convert realm names to realm DNs */ - if ((retval = convert_realm_name2dn_list(list, - ldap_context->krbcontainer->DN))) { - goto cleanup; - } - - list_modify_str_array(&(srvparams->krbrealmreferences), - (const char**)list, LIST_MODE_DELETE); - - out_mask |= LDAP_SERVICE_REALMREFERENCE; - - /* Clean up */ - free (list); - list = NULL; - } - } else if (!strcmp(argv[i], "-addrealm")) { - if (++i > argc - 1) - goto err_usage; - - if (!realmdn_flag) { - /* Allocate list for processing */ - list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - /* Convert realm names to realm DNs */ - if ((retval = convert_realm_name2dn_list(list, - ldap_context->krbcontainer->DN))) { - goto cleanup; - } - - if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences) && (!oldrealmrefs)) { - /* Store the old realm list for removing rights */ - oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldrealmrefs == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { - oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); - if (oldrealmrefs[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldrealmrefs[j] = NULL; - } - - /* Call 
list_modify_str_array() only if realm DN attribute - * exists already -- Actually, it's better to handle this - * within list_modify_str_array() */ - if (in_mask & LDAP_SERVICE_REALMREFERENCE) { - /* Re-size existing list */ - existing_entries = list_count_str_array( - srvparams->krbrealmreferences); - new_entries = list_count_str_array(list); - temp_ptr = (char **) realloc(srvparams->krbrealmreferences, - sizeof(char *) * (existing_entries + new_entries + 1)); - if (temp_ptr == NULL) { - retval = ENOMEM; - goto cleanup; - } - srvparams->krbrealmreferences = temp_ptr; - - list_modify_str_array(&(srvparams->krbrealmreferences), - (const char**)list, LIST_MODE_ADD); - - /* Clean up */ - free (list); - list = NULL; - } else - srvparams->krbrealmreferences = list; - - out_mask |= LDAP_SERVICE_REALMREFERENCE; - } - } else { - /* Any other argument must be service DN - -- skip it */ - } - } - - /* Modify attributes of object */ - if ((retval = krb5_ldap_modify_service(util_context, srvparams, out_mask))) - goto cleanup; - - /* Service rights modification code */ - if (out_mask & LDAP_SERVICE_REALMREFERENCE) { - - printf("%s","Changing rights for the service object. Please wait ... "); - fflush(stdout); - - newrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (newrealmrefs == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) { - for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { - newrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); - if (newrealmrefs[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - newrealmrefs[j] = NULL; - } - disjoint_members(oldrealmrefs, newrealmrefs); - - /* Delete the rights for the given service, on each of the realm - * container & subtree in the old realm reference list. 
- */ - if (oldrealmrefs) { - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - - for (i = 0; (oldrealmrefs[i] != NULL); i++) { - /* Get the realm name, not the dn */ - temprdns = ldap_explode_dn(oldrealmrefs[i], 1); - - if (temprdns[0] == NULL) { - retval = EINVAL; - goto cleanup; - } - - realmName = strdup(temprdns[0]); - if (realmName == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_ldap_read_realm_params(util_context, - realmName, &rparams, &rmask))) { - com_err(me, retval, "while reading information of realm '%s'", - realmName); - goto err_nomsg; - } - - if ((retval = krb5_ldap_delete_service_rights(util_context, - srvparams->servicetype, srvparams->servicedn, - realmName, rparams->subtree, rparams->containerref, rightsmask))) { - printf("failed\n"); - com_err(me, retval, "while assigning rights '%s'", - srvparams->servicedn); - goto err_nomsg; - } - - if (rparams) - krb5_ldap_free_realm_params(rparams); - } - } - - /* Add the rights for the given service, on each of the realm - * container & subtree in the new realm reference list. 
- */ - if (newrealmrefs) { - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - - for (i = 0; (newrealmrefs[i] != NULL); i++) { - /* Get the realm name, not the dn */ - temprdns = ldap_explode_dn(newrealmrefs[i], 1); - - if (temprdns[0] == NULL) { - retval = EINVAL; - goto cleanup; - } - - realmName = strdup(temprdns[0]); - if (realmName == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)))) { - com_err(me, retval, - "while reading Kerberos container information"); - goto cleanup; - } - - if ((retval = krb5_ldap_read_realm_params(util_context, - realmName, &rparams, &rmask))) { - com_err(me, retval, "while reading information of realm '%s'", - realmName); - goto err_nomsg; - } - - if ((retval = krb5_ldap_add_service_rights(util_context, - srvparams->servicetype, srvparams->servicedn, - realmName, rparams->subtree, rparams->containerref, rightsmask))) { - printf("failed\n"); - com_err(me, retval, "while assigning rights '%s'", - srvparams->servicedn); - goto err_nomsg; - } - - if (rparams) { - krb5_ldap_free_realm_params(rparams); - rparams = NULL; - } - } - printf("done\n"); - } - } - goto cleanup; - -err_usage: - print_usage = TRUE; - -err_nomsg: - no_msg = TRUE; - -cleanup: - /* Clean-up structure */ - krb5_ldap_free_service(util_context, srvparams); - - if (servicedn) - free(servicedn); - - if (list) { - free(list); - list = NULL; - } - - if (oldrealmrefs) { - for (i = 0; oldrealmrefs[i] != NULL; i++) - free(oldrealmrefs[i]); - free(oldrealmrefs); - } - - if (newrealmrefs) { - for (i = 0; newrealmrefs[i] != NULL; i++) - free(newrealmrefs[i]); - free(newrealmrefs); - } - if (realmName) { - free(realmName); - realmName = NULL; - } - - if (print_usage) - db_usage(MODIFY_SERVICE); - - if (retval) { - if (!no_msg) - com_err(me, retval, "while modifying service object"); - exit_status++; - } - - return; -} - - -/* - * This function 
will delete the entry corresponding to the service object - * from the service password file. - */ -static krb5_error_code -rem_service_entry_from_file(int argc, char *argv[], char *file_name, - char *service_object) -{ - int st = EINVAL; - char *me = progname; - char *tmp_file = NULL; - int tmpfd = -1; - FILE *pfile = NULL; - unsigned int len = 0; - char line[MAX_LEN]={0}; - mode_t omask = umask(077); - - /* Check for permissions on the password file */ - if (access(file_name, W_OK) == -1) { - /* If the specified file itself is not there, no need to show error */ - if (errno == ENOENT) { - st=0; - goto cleanup; - } else { - com_err(me, errno, "while deleting entry from file %s", file_name); - goto cleanup; - } - } - - /* Create a temporary file which contains all the entries except the - entry for the given service dn */ - pfile = fopen(file_name, "r+"); - if (pfile == NULL) { - com_err(me, errno, "while deleting entry from file %s", file_name); - goto cleanup; - } - set_cloexec_file(pfile); - - /* Create a new file with the extension .tmp */ - tmp_file = (char *)malloc(strlen(file_name) + 4 + 1); - if (tmp_file == NULL) { - com_err(me, ENOMEM, "while deleting entry from file"); - fclose(pfile); - goto cleanup; - } - snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp"); - - - tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR); - umask(omask); - if (tmpfd == -1) { - com_err(me, errno, "while deleting entry from file\n"); - fclose(pfile); - goto cleanup; - } - - /* Copy only those lines which donot have the specified service dn */ - while (fgets(line, MAX_LEN, pfile) != NULL) { - if ((strstr(line, service_object) != NULL) && - (line[strlen(service_object)] == '#')) { - continue; - } else { - len = strlen(line); - if (write(tmpfd, line, len) != len) { - com_err(me, errno, "while deleting entry from file\n"); - close(tmpfd); - unlink(tmp_file); - fclose(pfile); - goto cleanup; - } - } - } - - fclose(pfile); - if (unlink(file_name) == 0) { - link(tmp_file, 
file_name); - } else { - com_err(me, errno, "while deleting entry from file\n"); - } - unlink(tmp_file); - - st=0; - -cleanup: - - if (tmp_file) - free(tmp_file); - - return st; -} - - -/* - * This function will delete the service object from the LDAP Server - * and unlink the references to the Realm objects (if any) - */ -void -kdb5_ldap_destroy_service(int argc, char *argv[]) -{ - int i = 0; - char buf[5] = {0}; - krb5_error_code retval = EINVAL; - int force = 0; - char *servicedn = NULL; - char *stashfilename = NULL; - int mask = 0; - krb5_ldap_service_params *lserparams = NULL; - krb5_boolean print_usage = FALSE; - - if ((argc < 2) || (argc > 5)) { - exit_status++; - goto err_usage; - } - - for (i=1; i < argc; i++) { - - if (strcmp(argv[i],"-force")==0) { - force++; - } else if (strcmp(argv[i],"-f")==0) { - if (argv[i+1]) { - stashfilename=strdup(argv[i+1]); - if (stashfilename == NULL) { - com_err(progname, ENOMEM, "while destroying service"); - exit_status++; - goto cleanup; - } - i++; - } else { - exit_status++; - goto err_usage; - } - } else { - if ((argv[i]) && (servicedn == NULL)) { - servicedn=strdup(argv[i]); - if (servicedn == NULL) { - com_err(progname, ENOMEM, "while destroying service"); - exit_status++; - goto cleanup; - } - } else { - exit_status++; - goto err_usage; - } - } - } - - if (!servicedn) { - exit_status++; - goto err_usage; - } - - if (!force) { - printf("This will delete the service object '%s', are you sure?\n", servicedn); - printf("(type 'yes' to confirm)? 
"); - if (fgets(buf, sizeof(buf), stdin) == NULL) { - exit_status++; - goto cleanup;; - } - if (strcmp(buf, yes)) { - exit_status++; - goto cleanup; - } - } - - if ((retval = krb5_ldap_read_service(util_context, servicedn, - &lserparams, &mask))) { - com_err(progname, retval, "while destroying service '%s'",servicedn); - exit_status++; - goto cleanup; - } - - retval = krb5_ldap_delete_service(util_context, lserparams, servicedn); - - if (retval) { - com_err(progname, retval, "while destroying service '%s'", servicedn); - exit_status++; - goto cleanup; - } - - if (stashfilename == NULL) { - stashfilename = strdup(DEF_SERVICE_PASSWD_FILE); - if (stashfilename == NULL) { - com_err(progname, ENOMEM, "while destroying service"); - exit_status++; - goto cleanup; - } - } - printf("** service object '%s' deleted.\n", servicedn); - retval = rem_service_entry_from_file(argc, argv, stashfilename, servicedn); - - if (retval) - printf("** error removing service object entry '%s' from password file.\n", - servicedn); - - goto cleanup; - - -err_usage: - print_usage = TRUE; - -cleanup: - - if (lserparams) { - krb5_ldap_free_service(util_context, lserparams); - } - - if (servicedn) { - free(servicedn); - } - - if (stashfilename) { - free(stashfilename); - } - - if (print_usage) { - db_usage(DESTROY_SERVICE); - } - - return; -} - - -/* - * This function will display information about the given service object - */ -void -kdb5_ldap_view_service(int argc, char *argv[]) -{ - krb5_ldap_service_params *lserparams = NULL; - krb5_error_code retval = 0; - char *servicedn = NULL; - int mask = 0; - krb5_boolean print_usage = FALSE; - - if (!(argc == 2)) { - exit_status++; - goto err_usage; - } - - servicedn=strdup(argv[1]); - if (servicedn == NULL) { - com_err(progname, ENOMEM, "while viewing service"); - exit_status++; - goto cleanup; - } - - if ((retval = krb5_ldap_read_service(util_context, servicedn, &lserparams, &mask))) { - com_err(progname, retval, "while viewing service 
'%s'",servicedn); - exit_status++; - goto cleanup; - } - - print_service_params(lserparams, mask); - - goto cleanup; - -err_usage: - print_usage = TRUE; - -cleanup: - - if (lserparams) { - krb5_ldap_free_service(util_context, lserparams); - } - - if (servicedn) - free(servicedn); - - if (print_usage) { - db_usage(VIEW_SERVICE); - } - - return; -} - - -/* - * This function will list the DNs of kerberos services present on - * the LDAP Server under a specific sub-tree (entire tree by default) - */ -void -kdb5_ldap_list_services(int argc, char *argv[]) -{ - char *me = progname; - krb5_error_code retval = 0; - char *basedn = NULL; - char **list = NULL; - char **plist = NULL; - krb5_boolean print_usage = FALSE; - - /* Check for number of arguments */ - if ((argc != 1) && (argc != 3)) { - exit_status++; - goto err_usage; - } - - /* Parse base DN argument if present */ - if (argc == 3) { - if (strcmp(argv[1], "-basedn")) { - retval = EINVAL; - goto err_usage; - } - - basedn = strdup(argv[2]); - if (basedn == NULL) { - com_err(me, ENOMEM, "while listing services"); - exit_status++; - goto cleanup; - } - } - - retval = krb5_ldap_list_services(util_context, basedn, &list); - if ((retval != 0) || (list == NULL)) { - exit_status++; - goto cleanup; - } - - for (plist = list; *plist != NULL; plist++) { - printf("%s\n", *plist); - } - - goto cleanup; - -err_usage: - print_usage = TRUE; - -cleanup: - if (list != NULL) { - krb5_free_list_entries (list); - free (list); - } - - if (basedn) - free (basedn); - - if (print_usage) { - db_usage(LIST_SERVICE); - } - - if (retval) { - com_err(me, retval, "while listing policy objects"); - exit_status++; - } - - return; -} - - -/* - * This function will print the service object information - * to the standard output - */ -static void -print_service_params(krb5_ldap_service_params *lserparams, int mask) -{ - int i=0; - - /* Print the service dn */ - printf("%20s%-20s\n","Service dn: ",lserparams->servicedn); - - /* Print the service type of 
the object to be read */ - if (lserparams->servicetype == LDAP_KDC_SERVICE) { - printf("%20s%-20s\n","Service type: ","kdc"); - } else if (lserparams->servicetype == LDAP_ADMIN_SERVICE) { - printf("%20s%-20s\n","Service type: ","admin"); - } else if (lserparams->servicetype == LDAP_PASSWD_SERVICE) { - printf("%20s%-20s\n","Service type: ","pwd"); - } - - /* Print the host server values */ - printf("%20s\n","Service host list: "); - if (mask & LDAP_SERVICE_HOSTSERVER) { - for (i=0; lserparams->krbhostservers[i] != NULL; ++i) { - printf("%20s%-50s\n","",lserparams->krbhostservers[i]); - } - } - - /* Print the realm reference dn values */ - printf("%20s\n","Realm DN list: "); - if (mask & LDAP_SERVICE_REALMREFERENCE) { - for (i=0; lserparams && lserparams->krbrealmreferences && lserparams->krbrealmreferences[i] != NULL; ++i) { - printf("%20s%-50s\n","",lserparams->krbrealmreferences[i]); - } - } - - return; -} - - -/* - * This function will generate random password of length(RANDOM_PASSWD_LEN) - * - * - * INPUT: - * ctxt - context - * - * OUTPUT: - * RANDOM_PASSWD_LEN length random password - */ -static int -generate_random_password(krb5_context ctxt, char **randpwd, - unsigned int *passlen) -{ - char *random_pwd = NULL; - int ret = 0; - krb5_data data; - int i=0; - /*int len = 0;*/ - - /* setting random password length in the range 16-32 */ - srand((unsigned int)(time(0) ^ getpid())); - - data.length = RANDOM_PASSWD_LEN; - random_pwd = (char *)malloc(data.length + 1); - if (random_pwd == NULL) { - com_err("setsrvpw", ENOMEM, "while generating random password"); - return ENOMEM; - } - memset(random_pwd, 0, data.length + 1); - data.data = random_pwd; - - ret = krb5_c_random_make_octets(ctxt, &data); - if (ret) { - com_err("setsrvpw", ret, "Error generating random password"); - free(random_pwd); - return ret; - } - - for (i=0; i 127) { - random_pwd[i] = (unsigned char)random_pwd[i] % 128; - } else if (random_pwd[i] == 0) { - random_pwd[i] = (rand()/(RAND_MAX/127 + 
1))+1; - } - } - - *randpwd = random_pwd; - *passlen = data.length; - - return 0; -} - - -/* - * This function will set the password of the service object in the directory - * and/or the specified service password file. - * - * - * INPUT: - * argc - contains the number of arguments for this sub-command - * argv - array of arguments for this sub-command - * - * OUTPUT: - * void - */ -int -kdb5_ldap_set_service_password(int argc, char **argv) -{ - krb5_ldap_context *lparams = NULL; - char *file_name = NULL; - char *tmp_file = NULL; - char *me = progname; - int filelen = 0; - int random_passwd = 0; - int set_dir_pwd = 1; - krb5_boolean db_init_local = FALSE; - char *service_object = NULL; - char *passwd = NULL; - char *prompt1 = NULL; - char *prompt2 = NULL; - unsigned int passwd_len = 0; - krb5_error_code errcode = -1; - int retval = 0, i = 0; - krb5_boolean print_usage = FALSE; - FILE *pfile = NULL; - char *str = NULL; - char line[MAX_LEN]; - kdb5_dal_handle *dal_handle = NULL; - struct data encrypted_passwd = {0, NULL}; - - /* The arguments for setsrv password should contain the service object DN - * and options to specify whether the password should be updated in file only - * or both file and directory. 
So the possible combination of arguments are: - * setsrvpw servicedn wherein argc is 2 - * setsrvpw -fileonly servicedn wherein argc is 3 - * setsrvpw -randpw servicedn wherein argc is 3 - * setsrvpw -f filename servicedn wherein argc is 4 - * setsrvpw -fileonly -f filename servicedn wherein argc is 5 - * setsrvpw -randpw -f filename servicedn wherein argc is 5 - */ - if ((argc < 2) || (argc > 5)) { - print_usage = TRUE; - goto cleanup; - } - - dal_handle = util_context->dal_handle; - lparams = (krb5_ldap_context *) dal_handle->db_context; - - if (lparams == NULL) { - printf("%s: Invalid LDAP handle\n", me); - goto cleanup; - } - - /* Parse the arguments */ - for (i = 1; i < argc -1 ; i++) { - if (strcmp(argv[i], "-randpw") == 0) { - random_passwd = 1; - } else if (strcmp(argv[i], "-fileonly") == 0) { - set_dir_pwd = 0; - } else if (strcmp(argv[i], "-f") == 0) { - if (argv[++i] == NULL) { - print_usage = TRUE; - goto cleanup; - } - - file_name = strdup(argv[i]); - if (file_name == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - /* Verify if the file location has the proper file name - * for eg, if the file location is a directory like /home/temp/, - * we reject it. 
- */ - filelen = strlen(file_name); - if ((filelen == 0) || (file_name[filelen-1] == '/')) { - printf("%s: Filename not specified for setting service object password\n", me); - print_usage = TRUE; - goto cleanup; - } - } else { - printf("%s: Invalid option specified for \"setsrvpw\" command\n", me); - print_usage = TRUE; - goto cleanup; - } - } - - if (i != argc-1) { - print_usage = TRUE; - goto cleanup; - } - - service_object = strdup(argv[i]); - if (service_object == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - - if (strlen(service_object) == 0) { - printf("%s: Service object not specified for \"setsrvpw\" command\n", me); - print_usage = TRUE; - goto cleanup; - } - - if (service_object[0] == '-') { - print_usage = TRUE; - goto cleanup; - } - - if (file_name == NULL) { - file_name = strdup(DEF_SERVICE_PASSWD_FILE); - if (file_name == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - } - - if (set_dir_pwd) { - if (db_inited == FALSE) { - if ((errcode = krb5_ldap_db_init(util_context, lparams))) { - com_err(me, errcode, "while initializing database"); - goto cleanup; - } - db_init_local = TRUE; - } - } - - if (random_passwd) { - if (!set_dir_pwd) { - printf("%s: Invalid option specified for \"setsrvpw\" command\n", me); - print_usage = TRUE; - goto cleanup; - } else { - /* Generate random password */ - - if ((errcode = generate_random_password(util_context, &passwd, &passwd_len))) { - printf("%s: Failed to set service object password\n", me); - goto cleanup; - } - passwd_len = strlen(passwd); - } - } else { - /* Get the service object password from the terminal */ - passwd = (char *)malloc(MAX_SERVICE_PASSWD_LEN + 1); - if (passwd == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - memset(passwd, 0, MAX_SERVICE_PASSWD_LEN + 1); - passwd_len = MAX_SERVICE_PASSWD_LEN; - - if (asprintf(&prompt1, "Password for \"%s\"", 
service_object) < 0) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - - if (asprintf(&prompt2, "Re-enter password for \"%s\"", - service_object) < 0) { - com_err(me, ENOMEM, "while setting service object password"); - free(prompt1); - goto cleanup; - } - - retval = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len); - free(prompt1); - free(prompt2); - if (retval) { - com_err(me, retval, "while setting service object password"); - memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); - goto cleanup; - } - if (passwd_len == 0) { - printf("%s: Invalid password\n", me); - memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); - goto cleanup; - } - passwd_len = strlen(passwd); - } - - /* Hex the password */ - { - krb5_data pwd, hex; - pwd.length = passwd_len; - pwd.data = passwd; - - errcode = tohex(pwd, &hex); - if (errcode != 0) { - if (hex.length != 0) { - memset(hex.data, 0, hex.length); - free(hex.data); - } - com_err(me, errcode, "Failed to convert the password to hex"); - memset(passwd, 0, passwd_len); - goto cleanup; - } - /* Password = {HEX}: */ - if (asprintf(&str, "%s#{HEX}%s\n", service_object, hex.data) < 0) { - com_err(me, ENOMEM, "while setting service object password"); - memset(passwd, 0, passwd_len); - memset(hex.data, 0, hex.length); - free(hex.data); - goto cleanup; - } - encrypted_passwd.value = (unsigned char *)str; - encrypted_passwd.len = strlen(str); - memset(hex.data, 0, hex.length); - free(hex.data); - } - - /* We should check if the file exists and we have permission to write into that file */ - if (access(file_name, W_OK) == -1) { - if (errno == ENOENT) { - mode_t omask; - int fd = -1; - - printf("File does not exist. 
Creating the file %s...\n", file_name); - omask = umask(077); - fd = creat(file_name, S_IRUSR|S_IWUSR); - umask(omask); - if (fd == -1) { - com_err(me, errno, "Error creating file %s", file_name); - memset(passwd, 0, passwd_len); - goto cleanup; - } - close(fd); - } else { - com_err(me, errno, "Unable to access the file %s", file_name); - memset(passwd, 0, passwd_len); - goto cleanup; - } - } - - if (set_dir_pwd) { - if ((errcode = krb5_ldap_set_service_passwd(util_context, service_object, passwd)) != 0) { - com_err(me, errcode, "Failed to set password for service object %s", service_object); - memset(passwd, 0, passwd_len); - goto cleanup; - } - } - - memset(passwd, 0, passwd_len); - - - /* TODO: file lock for the service password file */ - /* set password in the file */ - pfile = fopen(file_name, "r+"); - if (pfile == NULL) { - com_err(me, errno, "Failed to open file %s", file_name); - goto cleanup; - } - set_cloexec_file(pfile); - - while (fgets(line, MAX_LEN, pfile) != NULL) { - if ((str = strstr(line, service_object)) != NULL) { - if (line[strlen(service_object)] == '#') { - break; - } - str = NULL; - } - } - if (str == NULL) { - if (feof(pfile)) { - /* If the service object dn is not present in the service password file */ - if (fwrite(encrypted_passwd.value, (unsigned int)encrypted_passwd.len, 1, pfile) != 1) { - com_err(me, errno, "Failed to write service object password to file"); - goto cleanup; - } - } else { - com_err(me, errno, "Error reading service object password file"); - goto cleanup; - } - fclose(pfile); - pfile = NULL; - } else { - /* Password entry for the service object is already present in the file */ - /* Delete the existing entry and add the new entry */ - FILE *newfile = NULL; - mode_t omask; - - /* Create a new file with the extension .tmp */ - if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - - omask = umask(077); - newfile = fopen(tmp_file, "w+"); - 
umask(omask); - if (newfile == NULL) { - com_err(me, errno, "Error creating file %s", tmp_file); - goto cleanup; - } - set_cloexec_file(newfile); - - fseek(pfile, 0, SEEK_SET); - while (fgets(line, MAX_LEN, pfile) != NULL) { - if (((str = strstr(line, service_object)) != NULL) && (line[strlen(service_object)] == '#')) { - if (fprintf(newfile, "%s", encrypted_passwd.value) < 0) { - com_err(me, errno, "Failed to write service object password to file"); - fclose(newfile); - unlink(tmp_file); - goto cleanup; - } - } else { - if (fprintf(newfile, "%s", line) < 0) { - com_err(me, errno, "Failed to write service object password to file"); - fclose(newfile); - unlink(tmp_file); - goto cleanup; - } - } - } - - if (!feof(pfile)) { - com_err(me, errno, "Error reading service object password file"); - fclose(newfile); - unlink(tmp_file); - goto cleanup; - } - - /* TODO: file lock for the service password file */ - fclose(pfile); - pfile = NULL; - - fclose(newfile); - newfile = NULL; - - if (unlink(file_name) == 0) { - link(tmp_file, file_name); - } else { - com_err(me, errno, "Failed to write service object password to file"); - unlink(tmp_file); - goto cleanup; - } - unlink(tmp_file); - } - errcode = 0; - -cleanup: - if (db_init_local) - krb5_ldap_close(util_context); - - if (service_object) - free(service_object); - - if (file_name) - free(file_name); - - if (passwd) - free(passwd); - - if (encrypted_passwd.value) { - memset(encrypted_passwd.value, 0, encrypted_passwd.len); - free(encrypted_passwd.value); - } - - if (pfile) - fclose(pfile); - - if (tmp_file) - free(tmp_file); - - if (print_usage) - db_usage(SET_SRV_PW); - - return errcode; -} - -#else /* #ifdef HAVE_EDIRECTORY */ - /* * Convert the user supplied password into hexadecimal and stash it. Only a * little more secure than storing plain password in the file ... @@ -2147,5 +310,3 @@ cleanup: if (ret) exit_status++; } - -#endif /* #ifdef HAVE_EDIRECTORY */ 
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h index d325bb71d5..0f1a1ea625 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h @@ -29,38 +29,11 @@ #include "ldap_misc.h" -#define MAX_DN_CHARS 256 -#define HOST_INFO_DELIMITER '#' -#define PROTOCOL_STR_LEN 3 -#define PROTOCOL_NUM_UDP 0 -#define PROTOCOL_NUM_TCP 1 -#define PROTOCOL_DEFAULT_KDC PROTOCOL_NUM_UDP -#define PROTOCOL_DEFAULT_ADM PROTOCOL_NUM_TCP -#define PROTOCOL_DEFAULT_PWD PROTOCOL_NUM_UDP -#define PORT_STR_LEN 5 -#define PORT_DEFAULT_KDC 88 -#define PORT_DEFAULT_ADM 749 -#define PORT_DEFAULT_PWD 464 - #define MAX_LEN 1024 #define MAX_SERVICE_PASSWD_LEN 256 -#define RANDOM_PASSWD_LEN 128 #define DEF_SERVICE_PASSWD_FILE "/usr/local/var/service_passwd" -struct data{ - int len; - unsigned char *value; -}; - -extern int enc_password(struct data pwd, struct data *enc_key, struct data *enc_pass); extern int tohex(krb5_data, krb5_data *); -extern void kdb5_ldap_create_service(int argc, char **argv); -extern void kdb5_ldap_modify_service(int argc, char **argv); -extern void kdb5_ldap_destroy_service(int argc, char **argv); -extern void kdb5_ldap_list_services(int argc, char **argv); -extern void kdb5_ldap_view_service(int argc, char **argv); -extern int kdb5_ldap_set_service_password(int argc, char **argv); -extern void kdb5_ldap_set_service_certificate(int argc, char **argv); extern void kdb5_ldap_stash_service_password(int argc, char **argv); diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c index c5f286315e..fe1b70eaa3 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c 
@@ -170,16 +170,7 @@ static struct _cmd_table { {"view", kdb5_ldap_view, 1}, {"destroy", kdb5_ldap_destroy, 1}, {"list", kdb5_ldap_list, 1}, -#ifdef HAVE_EDIRECTORY - {"create_service", kdb5_ldap_create_service, 1}, - {"modify_service", kdb5_ldap_modify_service, 1}, - {"view_service", kdb5_ldap_view_service, 1}, - {"destroy_service", kdb5_ldap_destroy_service, 1}, - {"list_service",kdb5_ldap_list_services,1}, - {"setsrvpw", kdb5_ldap_set_service_password, 0}, -#else {"stashsrvpw", kdb5_ldap_stash_service_password, 0}, -#endif {"create_policy", kdb5_ldap_create_policy, 1}, {"modify_policy", kdb5_ldap_modify_policy, 1}, {"view_policy", kdb5_ldap_view_policy, 1}, diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h index b28bdd22a7..dd62631494 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h @@ -39,16 +39,7 @@ #define DESTROY_REALM 4 #define LIST_REALM 5 -#ifdef HAVE_EDIRECTORY -# define CREATE_SERVICE 6 -# define MODIFY_SERVICE 7 -# define VIEW_SERVICE 8 -# define DESTROY_SERVICE 9 -# define LIST_SERVICE 10 -# define SET_SRV_PW 16 -#else -# define STASH_SRV_PW 17 -#endif +#define STASH_SRV_PW 17 #define CREATE_POLICY 11 #define MODIFY_POLICY 12 diff --git a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in index 2126df6167..668f77329e 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in +++ b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in @@ -47,8 +47,6 @@ SRCS= $(srcdir)/kdb_ldap.c \ $(srcdir)/ldap_misc.c \ $(srcdir)/ldap_handle.c \ $(srcdir)/ldap_tkt_policy.c \ - $(srcdir)/ldap_services.c \ - $(srcdir)/ldap_service_rights.c \ $(srcdir)/princ_xdr.c \ $(srcdir)/ldap_service_stash.c \ $(srcdir)/kdb_xdr.c \ @@ -67,8 +65,6 @@ STLIBOBJS= kdb_ldap.o \ ldap_misc.o \ ldap_handle.o \ ldap_tkt_policy.o \ - ldap_services.o \ - ldap_service_rights.o \ princ_xdr.o \ ldap_service_stash.o \ kdb_xdr.o \ 
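Review bot: In the kdb5_ldap_util.h hunk, `+#define STASH_SRV_PW 17` keeps the value it had inside the removed `#else` branch, so the usage-id list now runs 5, 11, 12, ... 17 with the former eDirectory service ids (6-10, 16) left as holes; the define list continues outside the hunk. These ids appear to serve only as the selector passed to `db_usage()` (the removed `db_usage(SET_SRV_PW)` call in the services file is the visible use), but whether anything else depends on the numeric values cannot be confirmed from here. If nothing does, renumbering them contiguously or folding the list into an `enum` would make the table easier to maintain; otherwise a one-line comment such as `/* 6-10 and 16 were eDirectory service commands; values kept stable */` would explain the gap to the next reader.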
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/deps b/src/plugins/kdb/ldap/libkdb_ldap/deps index c8d2f7e42e..37fea12b62 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/deps +++ b/src/plugins/kdb/ldap/libkdb_ldap/deps @@ -21,7 +21,7 @@ kdb_ldap.so kdb_ldap.po $(OUTPRE)kdb_ldap.$(OBJEXT): \ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \ kdb_ldap.c kdb_ldap.h ldap_err.h ldap_krbcontainer.h \ - ldap_misc.h ldap_realm.h ldap_services.h + ldap_misc.h ldap_realm.h kdb_ldap_conn.so kdb_ldap_conn.po $(OUTPRE)kdb_ldap_conn.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -35,7 +35,7 @@ kdb_ldap_conn.so kdb_ldap_conn.po $(OUTPRE)kdb_ldap_conn.$(OBJEXT): \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h kdb_ldap_conn.c \ ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \ - ldap_realm.h ldap_service_stash.h ldap_services.h + ldap_realm.h ldap_service_stash.h ldap_realm.so ldap_realm.po $(OUTPRE)ldap_realm.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -50,7 +50,7 @@ ldap_realm.so ldap_realm.po $(OUTPRE)ldap_realm.$(OBJEXT): \ $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \ ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \ ldap_principal.h ldap_pwd_policy.h ldap_realm.c ldap_realm.h \ - ldap_services.h ldap_tkt_policy.h + ldap_tkt_policy.h ldap_create.so ldap_create.po $(OUTPRE)ldap_create.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -64,8 +64,7 @@ ldap_create.so ldap_create.po $(OUTPRE)ldap_create.$(OBJEXT): \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_create.c \ ldap_err.h ldap_handle.h ldap_krbcontainer.h ldap_main.h \ - ldap_misc.h ldap_principal.h ldap_realm.h ldap_services.h \ - ldap_tkt_policy.h + ldap_misc.h ldap_principal.h ldap_realm.h ldap_tkt_policy.h ldap_krbcontainer.so ldap_krbcontainer.po $(OUTPRE)ldap_krbcontainer.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -79,7 +78,7 @@ ldap_krbcontainer.so ldap_krbcontainer.po $(OUTPRE)ldap_krbcontainer.$(OBJEXT): $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \ ldap_handle.h ldap_krbcontainer.c ldap_krbcontainer.h \ - ldap_main.h ldap_misc.h ldap_realm.h ldap_services.h + ldap_main.h ldap_misc.h ldap_realm.h ldap_principal.so ldap_principal.po $(OUTPRE)ldap_principal.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \ @@ -100,7 +99,7 @@ ldap_principal.so ldap_principal.po $(OUTPRE)ldap_principal.$(OBJEXT): \ $(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \ kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \ ldap_main.h ldap_misc.h ldap_principal.c ldap_principal.h \ - ldap_realm.h ldap_services.h ldap_tkt_policy.h princ_xdr.h + ldap_realm.h ldap_tkt_policy.h princ_xdr.h ldap_principal2.so ldap_principal2.po $(OUTPRE)ldap_principal2.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ 
@@ -122,8 +121,7 @@ ldap_principal2.so ldap_principal2.po $(OUTPRE)ldap_principal2.$(OBJEXT): \ $(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \ kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \ ldap_main.h ldap_misc.h ldap_principal.h ldap_principal2.c \ - ldap_pwd_policy.h ldap_realm.h ldap_services.h ldap_tkt_policy.h \ - princ_xdr.h + ldap_pwd_policy.h ldap_realm.h ldap_tkt_policy.h princ_xdr.h ldap_pwd_policy.so ldap_pwd_policy.po $(OUTPRE)ldap_pwd_policy.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -137,7 +135,7 @@ ldap_pwd_policy.so ldap_pwd_policy.po $(OUTPRE)ldap_pwd_policy.$(OBJEXT): \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \ ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \ - ldap_pwd_policy.c ldap_pwd_policy.h ldap_realm.h ldap_services.h + ldap_pwd_policy.c ldap_pwd_policy.h ldap_realm.h ldap_misc.so ldap_misc.po $(OUTPRE)ldap_misc.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \ @@ -158,7 +156,7 @@ ldap_misc.so ldap_misc.po $(OUTPRE)ldap_misc.$(OBJEXT): \ $(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \ kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \ ldap_misc.c ldap_misc.h ldap_principal.h ldap_pwd_policy.h \ - ldap_realm.h ldap_services.h ldap_tkt_policy.h princ_xdr.h + ldap_realm.h ldap_tkt_policy.h princ_xdr.h ldap_handle.so ldap_handle.po $(OUTPRE)ldap_handle.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -172,7 +170,7 @@ ldap_handle.so ldap_handle.po $(OUTPRE)ldap_handle.$(OBJEXT): \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_handle.c \ ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \ - ldap_realm.h ldap_services.h + ldap_realm.h ldap_tkt_policy.so ldap_tkt_policy.po $(OUTPRE)ldap_tkt_policy.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -186,35 +184,7 @@ ldap_tkt_policy.so ldap_tkt_policy.po $(OUTPRE)ldap_tkt_policy.$(OBJEXT): \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \ ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \ - ldap_realm.h ldap_services.h ldap_tkt_policy.c ldap_tkt_policy.h -ldap_services.so ldap_services.po $(OUTPRE)ldap_services.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \ - ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \ - ldap_realm.h ldap_services.c ldap_services.h -ldap_service_rights.so ldap_service_rights.po $(OUTPRE)ldap_service_rights.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - 
$(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \ - ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \ - ldap_realm.h ldap_service_rights.c ldap_services.h + ldap_realm.h ldap_tkt_policy.c ldap_tkt_policy.h princ_xdr.so princ_xdr.po $(OUTPRE)princ_xdr.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ @@ -249,7 +219,7 @@ ldap_service_stash.so ldap_service_stash.po $(OUTPRE)ldap_service_stash.$(OBJEXT $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_handle.h \ ldap_krbcontainer.h ldap_main.h ldap_misc.h ldap_realm.h \ - ldap_service_stash.c ldap_service_stash.h ldap_services.h + ldap_service_stash.c ldap_service_stash.h kdb_xdr.so kdb_xdr.po $(OUTPRE)kdb_xdr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c index 6115bb7e64..b52d088ff6 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c 
@@ -422,38 +422,6 @@ krb5_ldap_open(krb5_context context, char *conf_section, char **db_args, } srv_cnt++; -#ifdef HAVE_EDIRECTORY - } else if (opt && !strcmp(opt, "cert")) { - if (val == NULL) { - status = EINVAL; - krb5_set_error_message(context, status, - _("'cert' value missing")); - free(opt); - goto clean_n_exit; - } - - if (ldap_context->root_certificate_file == NULL) { - ldap_context->root_certificate_file = strdup(val); - if (ldap_context->root_certificate_file == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto clean_n_exit; - } - } else { - char *newstr; - - if (asprintf(&newstr, "%s %s", - ldap_context->root_certificate_file, val) < 0) { - free (opt); - free (val); - status = ENOMEM; - goto clean_n_exit; - } - free(ldap_context->root_certificate_file); - ldap_context->root_certificate_file = newstr; - } -#endif } else { /* ignore hash argument. Might have been passed from create */ status = EINVAL; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h index 51a6facb78..b40600780e 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h @@ -63,11 +63,6 @@ extern struct timeval timelimit; #define DEFAULT_CONNS_PER_SERVER 5 #define REALM_READ_REFRESH_INTERVAL (5 * 60) -#ifdef HAVE_EDIRECTORY -#define SECURITY_CONTAINER "cn=Security" -#define KERBEROS_CONTAINER "cn=Kerberos,cn=Security" -#endif - #if !defined(LDAP_OPT_RESULT_CODE) && defined(LDAP_OPT_ERROR_NUMBER) #define LDAP_OPT_RESULT_CODE LDAP_OPT_ERROR_NUMBER #endif @@ -194,9 +189,6 @@ struct _krb5_ldap_server_info { krb5_ldap_server_handle *ldap_server_handles; time_t downtime; char *server_name; -#ifdef HAVE_EDIRECTORY - char *root_certificate_file; -#endif int modify_increment; struct _krb5_ldap_server_info *next; }; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c index bfe866792b..1dc4afcf78 100644 
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c @@ -62,9 +62,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args) krb5_ldap_krbcontainer_params kparams = {0}; int srv_cnt = 0; int mask = 0; -#ifdef HAVE_EDIRECTORY - int i = 0, rightsmask = 0; -#endif /* Clear the global error string */ krb5_clear_error_message(context); @@ -180,36 +177,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args) } srv_cnt++; -#ifdef HAVE_EDIRECTORY - } else if (opt && !strcmp(opt, "cert")) { - if (val == NULL) { - status = EINVAL; - krb5_set_error_message (context, status, "'cert' value missing"); - free(opt); - goto cleanup; - } - - if (ldap_context->root_certificate_file == NULL) { - ldap_context->root_certificate_file = strdup(val); - if (ldap_context->root_certificate_file == NULL) { - free (opt); - free (val); - status = ENOMEM; - goto cleanup; - } - } else { - char *newstr; - - if (asprintf(&newstr, "%s %s", - ldap_context->root_certificate_file, val) < 0) { - free (opt); - free (val); - status = ENOMEM; - goto cleanup; - } - ldap_context->root_certificate_file = newstr; - } -#endif } else { /* ignore hash argument. Might have been passed from create */ status = EINVAL; 
@@ -314,51 +281,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args) &mask))) goto cleanup; -#ifdef HAVE_EDIRECTORY - if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) || - (mask & LDAP_REALM_PASSWDSERVERS)) { - - rightsmask =0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->kdcservers != NULL)) { - for (i=0; (rparams->kdcservers[i] != NULL); i++) { - if ((status=krb5_ldap_add_service_rights(context, - LDAP_KDC_SERVICE, rparams->kdcservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - goto cleanup; - } - } - } - - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->adminservers != NULL)) { - for (i=0; (rparams->adminservers[i] != NULL); i++) { - if ((status=krb5_ldap_add_service_rights(context, - LDAP_ADMIN_SERVICE, rparams->adminservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - goto cleanup; - } - } - } - - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->passwdservers != NULL)) { - for (i=0; (rparams->passwdservers[i] != NULL); i++) { - if ((status=krb5_ldap_add_service_rights(context, - LDAP_PASSWD_SERVICE, rparams->passwdservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - goto cleanup; - } - } - } - } -#endif - cleanup: /* If the krbcontainer/realm creation is not complete, do the roll-back here */ diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c index b52ba799b8..fabe633abb 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c 
@@ -112,64 +112,26 @@ krb5_ldap_read_krbcontainer_params(krb5_context context, } } -#ifndef HAVE_EDIRECTORY -/* - * In case eDirectory, we can fall back to security container if the kerberos container location - * is missing in the conf file. In openldap we will have to return an error. - */ if (cparams->DN == NULL) { st = KRB5_KDB_SERVER_INTERNAL_ERR; krb5_set_error_message(context, st, _("Kerberos container location not specified")); goto cleanup; } -#endif - - if (cparams->DN != NULL) { - /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is - * not read - */ - LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS); - if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) { - st = set_ldap_error(context, st, OP_SEARCH); - goto cleanup; - } - - if (st == LDAP_NO_SUCH_OBJECT) { - st = KRB5_KDB_NOENTRY; - goto cleanup; - } - } -#ifdef HAVE_EDIRECTORY - /* - * If the kerberos location in the conf file is missing or invalid, fall back to the - * security container. If the kerberos location in the security container is also missing - * then fall back to the default value + /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is + * not read */ - if ((cparams->DN == NULL) || (st == LDAP_NO_SUCH_OBJECT)) { - /* - * kerberos container can be anywhere. locate it by reading the security - * container to find the location. 
- */ - LDAP_SEARCH(SECURITY_CONTAINER, LDAP_SCOPE_BASE, NULL, krbcontainerrefattr); - if ((ent = ldap_first_entry(ld, result)) != NULL) { - if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference", - &(cparams->DN), NULL)) != 0) - goto cleanup; - if (cparams->DN == NULL) { - cparams->DN = strdup(KERBEROS_CONTAINER); - CHECK_NULL(cparams->DN); - } - } - ldap_msgfree(result); + LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS); + if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) { + st = set_ldap_error(context, st, OP_SEARCH); + goto cleanup; + } - /* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on - * Kerberos Container is not read - */ - LDAP_SEARCH(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute); + if (st == LDAP_NO_SUCH_OBJECT) { + st = KRB5_KDB_NOENTRY; + goto cleanup; } -#endif if ((ent = ldap_first_entry(ld, result))) { if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference", diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index 6719d403bb..55a8eb57e7 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c @@ -265,21 +265,6 @@ krb5_ldap_read_server_params(krb5_context context, char *conf_section, goto cleanup; } -#ifdef HAVE_EDIRECTORY - /* - * If root certificate file is not set read it from database - * module section of conf file this is the trusted root - * certificate of the Directory. - */ - if (ldap_context->root_certificate_file == NULL) { - st = prof_get_string_def (context, conf_section, - KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE, - &ldap_context->root_certificate_file); - if (st) - goto cleanup; - } -#endif - /* * If the ldap server parameter is not set read the list of ldap * servers from the database module section of the conf file. 
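Review bot: The comment that explained why a missing container DN is fatal was removed together with the eDirectory fallback, so the now-unconditional `LDAP_SEARCH_1` path no longer records that there is no alternative location to try; a one-line comment above the `cparams->DN == NULL` check such as `/* No fallback container location exists; the conf file must supply the DN. */` would keep that intent visible for the next reader. The error code returned there, KRB5_KDB_SERVER_INTERNAL_ERR, also differs from the EINVAL that krb5_ldap_create_krbcontainer and krb5_ldap_delete_krbcontainer return in this same commit for the identical missing-DN condition, which makes a configuration error look like a server fault to callers that distinguish the two; that inconsistency predates this change but is worth aligning while the code is being touched. krb5_ldap_read_krbcontainer_params begins before this hunk, so whether the cleanup: label releases `result` on the LDAP_NO_SUCH_OBJECT exit is not visible here and should be confirmed.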
@@ -374,11 +359,6 @@ krb5_ldap_free_server_context_params(krb5_ldap_context *ldap_context) if (ldap_context->server_info_list[i]->server_name) { free (ldap_context->server_info_list[i]->server_name); } -#ifdef HAVE_EDIRECTORY - if (ldap_context->server_info_list[i]->root_certificate_file) { - free (ldap_context->server_info_list[i]->root_certificate_file); - } -#endif if (ldap_context->server_info_list[i]->ldap_server_handles) { ldap_server_handle = ldap_context->server_info_list[i]->ldap_server_handles; while (ldap_server_handle) { @@ -416,13 +396,6 @@ krb5_ldap_free_server_context_params(krb5_ldap_context *ldap_context) ldap_context->service_password_file = NULL; } -#ifdef HAVE_EDIRECTORY - if (ldap_context->root_certificate_file != NULL) { - krb5_xfree(ldap_context->root_certificate_file); - ldap_context->root_certificate_file = NULL; - } -#endif - if (ldap_context->service_cert_path != NULL) { krb5_xfree(ldap_context->service_cert_path); ldap_context->service_cert_path = NULL; 
@@ -2090,37 +2063,6 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, if ((st=krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data)) != 0) goto cleanup; -#ifdef HAVE_EDIRECTORY - { - krb5_timestamp expiretime=0; - char *is_login_disabled=NULL; - - /* LOGIN EXPIRATION TIME */ - if ((st=krb5_ldap_get_time(ld, ent, "loginexpirationtime", &expiretime, - &attr_present)) != 0) - goto cleanup; - - if (attr_present == TRUE) { - if (mask & KDB_PRINC_EXPIRE_TIME_ATTR) { - if (expiretime < entry->expiration) - entry->expiration = expiretime; - } else { - entry->expiration = expiretime; - } - } - - /* LOGIN DISABLED */ - if ((st=krb5_ldap_get_string(ld, ent, "logindisabled", &is_login_disabled, - &attr_present)) != 0) - goto cleanup; - if (attr_present == TRUE) { - if (strcasecmp(is_login_disabled, "TRUE")== 0) - entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; - free (is_login_disabled); - } - } -#endif - if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0) goto cleanup; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h index 7166cc6a6a..b1583d526b 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h @@ -36,8 +36,6 @@ #ifndef _HAVE_LDAP_MISC_H #define _HAVE_LDAP_MISC_H 1 -#include "ldap_services.h" - /* misc functions */ krb5_error_code diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c index 54dfbdb670..7ce50b30bc 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c @@ -54,10 +54,6 @@ char *principal_attributes[] = { "krbprincipalname", "krbLastFailedAuth", "krbLoginFailedCount", "krbLastSuccessfulAuth", -#ifdef HAVE_EDIRECTORY - "loginexpirationtime", - "logindisabled", -#endif "krbLastPwdChange", "krbLastAdminUnlock", "krbExtraData", 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c index 9ab7a0398e..45649da02c 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c @@ -389,17 +389,7 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams, LDAP *ld=NULL; krb5_error_code st=0; char **strval=NULL, *strvalprc[5]={NULL}; -#ifdef HAVE_EDIRECTORY - char **values=NULL; - char **oldkdcservers=NULL, **oldadminservers=NULL, **oldpasswdservers=NULL; - LDAPMessage *result=NULL, *ent=NULL; - int count=0; - char errbuf[1024]; -#endif LDAPMod **mods = NULL; -#ifdef HAVE_EDIRECTORY - int i=0; -#endif int oldmask=0, objectmask=0,k=0; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; @@ -421,11 +411,6 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams, rparams->tl_data->tl_data_contents == NULL || ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) || ((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) || -#ifdef HAVE_EDIRECTORY - ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) || - ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) || - ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) || -#endif 0) { st = EINVAL; goto cleanup; 
@@ -518,104 +503,6 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams, } -#ifdef HAVE_EDIRECTORY - - /* KDCSERVERS ATTRIBUTE */ - if (mask & LDAP_REALM_KDCSERVERS) { - /* validate the server list */ - for (i=0; rparams->kdcservers[i] != NULL; ++i) { - st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, - _("kdc service object value: ")); - } - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_REPLACE, - rparams->kdcservers)) != 0) - goto cleanup; - } - - /* ADMINSERVERS ATTRIBUTE */ - if (mask & LDAP_REALM_ADMINSERVERS) { - /* validate the server list */ - for (i=0; rparams->adminservers[i] != NULL; ++i) { - st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, - _("admin service object value: ")); - } - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_REPLACE, - rparams->adminservers)) != 0) - goto cleanup; - } - - /* PASSWDSERVERS ATTRIBUTE */ - if (mask & LDAP_REALM_PASSWDSERVERS) { - /* validate the server list */ - for (i=0; rparams->passwdservers[i] != NULL; ++i) { - st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, - _("password service object value: ")); - } - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_REPLACE, - rparams->passwdservers)) != 0) - goto cleanup; - } - - /* - * Read the old values of the krbkdcservers, krbadmservers and - * krbpwdservers. This information is later used to decided the - * deletions/additions to the list. 
- */ - if (mask & LDAP_REALM_KDCSERVERS || mask & LDAP_REALM_ADMINSERVERS || - mask & LDAP_REALM_PASSWDSERVERS) { - char *servers[] = {"krbKdcServers", "krbAdmServers", "krbPwdServers", NULL}; - - if ((st= ldap_search_ext_s(ld, - rparams->realmdn, - LDAP_SCOPE_BASE, - 0, - servers, - 0, - NULL, - NULL, - NULL, - 0, - &result)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_SEARCH); - goto cleanup; - } - - ent = ldap_first_entry(ld, result); - if (ent) { - if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &oldkdcservers, count)) != 0) - goto cleanup; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &oldadminservers, count)) != 0) - goto cleanup; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &oldpasswdservers, count)) != 0) - goto cleanup; - ldap_value_free(values); - } - } - ldap_msgfree(result); - } -#endif - /* Realm modify opearation */ if (mods != NULL) { if ((st=ldap_modify_ext_s(ld, rparams->realmdn, mods, NULL, NULL)) != LDAP_SUCCESS) { 
@@ -624,148 +511,8 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams, } } -#ifdef HAVE_EDIRECTORY - /* krbRealmReferences attribute is updated here, depending on the additions/deletions - * to the 4 servers' list. - */ - if (mask & LDAP_REALM_KDCSERVERS) { - char **newkdcservers=NULL; - - count = ldap_count_values(rparams->kdcservers); - if ((st=copy_arrays(rparams->kdcservers, &newkdcservers, count)) != 0) - goto cleanup; - - /* find the deletions and additions to the server list */ - if (oldkdcservers && newkdcservers) - disjoint_members(oldkdcservers, newkdcservers); - - /* delete the krbRealmReferences attribute from the servers that are dis-associated. */ - if (oldkdcservers) - for (i=0; oldkdcservers[i]; ++i) - if ((st=deleteAttribute(ld, oldkdcservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) { - snprintf(errbuf, sizeof(errbuf), - _("Error removing 'krbRealmReferences' from " - "%s: "), oldkdcservers[i]); - prepend_err_str(context, errbuf, st, st); - goto cleanup; - } - - /* add the krbRealmReferences attribute from the servers that are associated. */ - if (newkdcservers) - for (i=0; newkdcservers[i]; ++i) - if ((st=updateAttribute(ld, newkdcservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) { - snprintf(errbuf, sizeof(errbuf), - _("Error adding 'krbRealmReferences' to %s: "), - newkdcservers[i]); - prepend_err_str(context, errbuf, st, st); - goto cleanup; - } - - if (newkdcservers) - ldap_value_free(newkdcservers); - } - - if (mask & LDAP_REALM_ADMINSERVERS) { - char **newadminservers=NULL; - - count = ldap_count_values(rparams->adminservers); - if ((st=copy_arrays(rparams->adminservers, &newadminservers, count)) != 0) - goto cleanup; - - /* find the deletions and additions to the server list */ - if (oldadminservers && newadminservers) - disjoint_members(oldadminservers, newadminservers); - - /* delete the krbRealmReferences attribute from the servers that are dis-associated. 
*/ - if (oldadminservers) - for (i=0; oldadminservers[i]; ++i) - if ((st=deleteAttribute(ld, oldadminservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) { - snprintf(errbuf, sizeof(errbuf), - _("Error removing 'krbRealmReferences' from " - "%s: "), oldadminservers[i]); - prepend_err_str(context, errbuf, st, st); - goto cleanup; - } - - /* add the krbRealmReferences attribute from the servers that are associated. */ - if (newadminservers) - for (i=0; newadminservers[i]; ++i) - if ((st=updateAttribute(ld, newadminservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) { - snprintf(errbuf, sizeof(errbuf), - _("Error adding 'krbRealmReferences' to %s: "), - newadminservers[i]); - prepend_err_str(context, errbuf, st, st); - goto cleanup; - } - if (newadminservers) - ldap_value_free(newadminservers); - } - - if (mask & LDAP_REALM_PASSWDSERVERS) { - char **newpasswdservers=NULL; - - count = ldap_count_values(rparams->passwdservers); - if ((st=copy_arrays(rparams->passwdservers, &newpasswdservers, count)) != 0) - goto cleanup; - - /* find the deletions and additions to the server list */ - if (oldpasswdservers && newpasswdservers) - disjoint_members(oldpasswdservers, newpasswdservers); - - /* delete the krbRealmReferences attribute from the servers that are dis-associated. */ - if (oldpasswdservers) - for (i=0; oldpasswdservers[i]; ++i) - if ((st=deleteAttribute(ld, oldpasswdservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) { - snprintf(errbuf, sizeof(errbuf), - _("Error removing 'krbRealmReferences' from " - "%s: "), oldpasswdservers[i]); - prepend_err_str(context, errbuf, st, st); - goto cleanup; - } - - /* add the krbRealmReferences attribute from the servers that are associated. 
*/ - if (newpasswdservers) - for (i=0; newpasswdservers[i]; ++i) - if ((st=updateAttribute(ld, newpasswdservers[i], "krbRealmReferences", - rparams->realmdn)) != 0) { - snprintf(errbuf, sizeof(errbuf), - _("Error adding 'krbRealmReferences' to %s: "), - newpasswdservers[i]); - prepend_err_str(context, errbuf, st, st); - goto cleanup; - } - if (newpasswdservers) - ldap_value_free(newpasswdservers); - } -#endif - cleanup: -#ifdef HAVE_EDIRECTORY - if (oldkdcservers) { - for (i=0; oldkdcservers[i]; ++i) - free(oldkdcservers[i]); - free(oldkdcservers); - } - - if (oldadminservers) { - for (i=0; oldadminservers[i]; ++i) - free(oldadminservers[i]); - free(oldadminservers); - } - - if (oldpasswdservers) { - for (i=0; oldpasswdservers[i]; ++i) - free(oldpasswdservers[i]); - free(oldpasswdservers); - } -#endif - ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; @@ -790,9 +537,6 @@ krb5_ldap_create_krbcontainer(krb5_context context, kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; -#ifdef HAVE_EDIRECTORY - int crmask=0; -#endif SETUP_CONTEXT (); @@ -802,15 +546,10 @@ krb5_ldap_create_krbcontainer(krb5_context context, if (krbcontparams != NULL && krbcontparams->DN != NULL) { kerberoscontdn = krbcontparams->DN; } else { - /* If the user has not given, use the default cn=Kerberos,cn=Security */ -#ifdef HAVE_EDIRECTORY - kerberoscontdn = KERBEROS_CONTAINER; -#else st = EINVAL; krb5_set_error_message(context, st, _("Kerberos Container information is missing")); goto cleanup; -#endif } strval[0] = "krbContainer"; 
@@ -854,47 +593,6 @@ krb5_ldap_create_krbcontainer(krb5_context context, goto cleanup; } -#ifdef HAVE_EDIRECTORY - - /* free the mods array */ - ldap_mods_free(mods, 1); - mods=NULL; - - /* check whether the security container is bound to krbcontainerrefaux object class */ - if ((st=checkattributevalue(ld, SECURITY_CONTAINER, "objectClass", - krbContainerRefclass, &crmask)) != 0) { - prepend_err_str(context, _("Security Container read FAILED: "), st, - st); - /* delete Kerberos Container, status ignored intentionally */ - ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL); - goto cleanup; - } - - if (crmask == 0) { - /* Security Container is extended with krbcontainerrefaux object class */ - strval[0] = "krbContainerRefAux"; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; - } - - strval[0] = kerberoscontdn; - strval[1] = NULL; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbcontainerreference", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; - - /* update the security container with krbContainerReference attribute */ - if ((st=ldap_modify_ext_s(ld, SECURITY_CONTAINER, mods, NULL, NULL)) != LDAP_SUCCESS) { - int ost = st; - st = translate_ldap_error (st, OP_MOD); - krb5_set_error_message(context, st, - _("Security Container update FAILED: %s"), - ldap_err2string(ost)); - /* delete Kerberos Container, status ignored intentionally */ - ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL); - goto cleanup; - } -#endif - cleanup: if (rdns) @@ -929,15 +627,10 @@ krb5_ldap_delete_krbcontainer(krb5_context context, if (krbcontparams != NULL && krbcontparams->DN != NULL) { kerberoscontdn = krbcontparams->DN; } else { - /* If the user has not given, use the default cn=Kerberos,cn=Security */ -#ifdef HAVE_EDIRECTORY - kerberoscontdn = KERBEROS_CONTAINER; -#else st = EINVAL; krb5_set_error_message(context, st, _("Kerberos Container information is missing")); goto cleanup; -#endif } /* delete the kerberos container */ 
@@ -975,9 +668,6 @@ krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams, kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; -#ifdef HAVE_EDIRECTORY - char errbuf[1024]; -#endif char *realm_name; SETUP_CONTEXT (); @@ -990,11 +680,6 @@ krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams, ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) || ((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) || ((mask & LDAP_REALM_POLICYREFERENCE) && rparams->policyreference == NULL) || -#ifdef HAVE_EDIRECTORY - ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) || - ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) || - ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) || -#endif 0) { st = EINVAL; return st; 
@@ -1096,100 +781,12 @@ krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams, } -#ifdef HAVE_EDIRECTORY - - /* KDCSERVERS ATTRIBUTE */ - if (mask & LDAP_REALM_KDCSERVERS) { - /* validate the server list */ - for (i=0; rparams->kdcservers[i] != NULL; ++i) { - st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, - _("kdc service object value: ")); - - } - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_ADD, - rparams->kdcservers)) != 0) - goto cleanup; - } - - /* ADMINSERVERS ATTRIBUTE */ - if (mask & LDAP_REALM_ADMINSERVERS) { - /* validate the server list */ - for (i=0; rparams->adminservers[i] != NULL; ++i) { - st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, - _("admin service object value: ")); - - } - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_ADD, - rparams->adminservers)) != 0) - goto cleanup; - } - - /* PASSWDSERVERS ATTRIBUTE */ - if (mask & LDAP_REALM_PASSWDSERVERS) { - /* validate the server list */ - for (i=0; rparams->passwdservers[i] != NULL; ++i) { - st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass, - &objectmask); - CHECK_CLASS_VALIDITY(st, objectmask, "password service object value: "); - - } - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_ADD, - rparams->passwdservers)) != 0) - goto cleanup; - } -#endif - /* realm creation operation */ if ((st=ldap_add_ext_s(ld, dn, mods, NULL, NULL)) != LDAP_SUCCESS) { st = set_ldap_error (context, st, OP_ADD); goto cleanup; } -#ifdef HAVE_EDIRECTORY - if (mask & LDAP_REALM_KDCSERVERS) - for (i=0; rparams->kdcservers[i]; ++i) - if ((st=updateAttribute(ld, rparams->kdcservers[i], "krbRealmReferences", dn)) != 0) { - snprintf(errbuf, sizeof(errbuf), - _("Error adding 'krbRealmReferences' to %s: "), - rparams->kdcservers[i]); - 
prepend_err_str (context, errbuf, st, st); - /* delete Realm, status ignored intentionally */ - ldap_delete_ext_s(ld, dn, NULL, NULL); - goto cleanup; - } - - if (mask & LDAP_REALM_ADMINSERVERS) - for (i=0; rparams->adminservers[i]; ++i) - if ((st=updateAttribute(ld, rparams->adminservers[i], "krbRealmReferences", dn)) != 0) { - snprintf(errbuf, sizeof(errbuf), - _("Error adding 'krbRealmReferences' to %s: "), - rparams->adminservers[i]); - prepend_err_str (context, errbuf, st, st); - /* delete Realm, status ignored intentionally */ - ldap_delete_ext_s(ld, dn, NULL, NULL); - goto cleanup; - } - - if (mask & LDAP_REALM_PASSWDSERVERS) - for (i=0; rparams->passwdservers[i]; ++i) - if ((st=updateAttribute(ld, rparams->passwdservers[i], "krbRealmReferences", dn)) != 0) { - snprintf(errbuf, sizeof(errbuf), - _("Error adding 'krbRealmReferences' to %s: "), - rparams->passwdservers[i]); - prepend_err_str (context, errbuf, st, st); - /* delete Realm, status ignored intentionally */ - ldap_delete_ext_s(ld, dn, NULL, NULL); - goto cleanup; - } -#endif - cleanup: if (dn) @@ -1209,9 +806,6 @@ krb5_ldap_read_realm_params(krb5_context context, char *lrealm, krb5_ldap_realm_params **rlparamp, int *mask) { char **values=NULL, *krbcontDN=NULL /*, *curr=NULL */; -#ifdef HAVE_EDIRECTORY - unsigned int count=0; -#endif krb5_error_code st=0, tempst=0; LDAP *ld=NULL; LDAPMessage *result=NULL,*ent=NULL; 
@@ -1349,32 +943,6 @@ krb5_ldap_read_realm_params(krb5_context context, char *lrealm, ldap_value_free(values); } -#ifdef HAVE_EDIRECTORY - - if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &(rlparams->kdcservers), (int) count)) != 0) - goto cleanup; - *mask |= LDAP_REALM_KDCSERVERS; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &(rlparams->adminservers), (int) count)) != 0) - goto cleanup; - *mask |= LDAP_REALM_ADMINSERVERS; - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &(rlparams->passwdservers), (int) count)) != 0) - goto cleanup; - *mask |= LDAP_REALM_PASSWDSERVERS; - ldap_value_free(values); - } -#endif } ldap_msgfree(result); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c deleted file mode 100644 index 4bbaa567bb..0000000000 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c +++ /dev/null 
@@ -1,777 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c */ -/* - * Copyright (c) 2004-2005, Novell, Inc. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * The copyright holder's name is not used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include "ldap_main.h" -#include "ldap_services.h" -#include "ldap_err.h" - -/* NOTE: add appropriate rights for krbpasswordexpiration attribute */ - -#ifdef HAVE_EDIRECTORY - -static char *kdcrights_subtree[][2] = { - {"1#subtree#","#[Entry Rights]"}, - {"2#subtree#","#ObjectClass"}, - {"2#subtree#","#krbTicketPolicyReference"}, - {"2#subtree#","#krbUPEnabled"}, - {"2#subtree#","#krbHostServer"}, - {"2#subtree#","#krbRealmReferences"}, - {"2#subtree#","#krbTicketFlags"}, - {"2#subtree#","#krbMaxTicketLife"}, - {"2#subtree#","#krbMaxRenewableAge"}, - {"2#subtree#","#krbPrincipalName"}, - {"2#subtree#","#krbPrincipalKey"}, - {"2#subtree#","#krbPrincipalExpiration"}, - {"2#subtree#","#krbPwdPolicyReference"}, - {"2#subtree#","#krbMaxPwdLife"}, - {"2#subtree#","#krbObjectReferences"}, - {"2#subtree#","#krbLastPwdChange"}, - {"2#subtree#","#krbLastAdminUnlock"}, - {"6#subtree#","#krbExtraData"}, - {"2#subtree#","#krbPasswordExpiration"}, - {"6#subtree#","#krbLastFailedAuth"}, - {"6#subtree#","#krbLoginFailedCount"}, - {"6#subtree#","#krbLastSuccessfulAuth"}, - { "", "" } -}; - -static char *adminrights_subtree[][2]={ - {"15#subtree#","#[Entry Rights]"}, - {"6#subtree#","#ObjectClass"}, - {"6#subtree#","#krbTicketPolicyReference"}, - {"6#subtree#","#krbUPEnabled"}, - {"2#subtree#","#krbHostServer"}, - {"2#subtree#","#krbRealmReferences"}, - {"6#subtree#","#krbTicketFlags"}, - {"6#subtree#","#krbMaxTicketLife"}, - {"6#subtree#","#krbMaxRenewableAge"}, - {"6#subtree#","#krbPrincipalName"}, - {"6#subtree#","#krbPrincipalKey"}, - {"6#subtree#","#krbPrincipalExpiration"}, - {"6#subtree#","#krbPwdHistoryLength"}, - {"6#subtree#","#krbMinPwdLife"}, - {"6#subtree#","#krbMaxPwdLife"}, - {"6#subtree#","#krbPwdMinDiffChars"}, - {"6#subtree#","#krbPwdMinLength"}, - {"6#subtree#","#krbPwdPolicyReference"}, - {"6#subtree#","#krbLastPwdChange"}, - {"6#subtree#","#krbLastAdminUnlock"}, - {"6#subtree#","#krbObjectReferences"}, - {"6#subtree#","#krbExtraData"}, - 
{"6#subtree#","#krbPasswordExpiration"},
- {"2#subtree#","#krbLastFailedAuth"},
- {"2#subtree#","#krbLoginFailedCount"},
- {"2#subtree#","#krbLastSuccessfulAuth"},
- {"6#subtree#","#krbPwdMaxFailure"},
- {"6#subtree#","#krbPwdFailureCountInterval"},
- {"6#subtree#","#krbPwdLockoutDuration"},
- { "","" }
-};
-
-static char *pwdrights_subtree[][2] = {
- {"1#subtree#","#[Entry Rights]"},
- {"2#subtree#","#ObjectClass"},
- {"2#subtree#","#krbTicketPolicyReference"},
- {"2#subtree#","#krbUPEnabled"},
- {"2#subtree#","#krbHostServer"},
- {"2#subtree#","#krbRealmReferences"},
- {"6#subtree#","#krbTicketFlags"},
- {"2#subtree#","#krbMaxTicketLife"},
- {"2#subtree#","#krbMaxRenewableAge"},
- {"2#subtree#","#krbPrincipalName"},
- {"6#subtree#","#krbPrincipalKey"},
- {"2#subtree#","#krbPrincipalExpiration"},
- {"2#subtree#","#krbPwdHistoryLength"},
- {"2#subtree#","#krbMinPwdLife"},
- {"2#subtree#","#krbMaxPwdLife"},
- {"2#subtree#","#krbPwdMinDiffChars"},
- {"2#subtree#","#krbPwdMinLength"},
- {"2#subtree#","#krbPwdPolicyReference"},
- {"6#subtree#","#krbLastPwdChange"},
- {"6#subtree#","#krbLastAdminUnlock"},
- {"2#subtree#","#krbObjectReferences"},
- {"6#subtree#","#krbExtraData"},
- {"6#subtree#","#krbPasswordExpiration"},
- {"2#subtree#","#krbLastFailedAuth"},
- {"2#subtree#","#krbLoginFailedCount"},
- {"2#subtree#","#krbLastSuccessfulAuth"},
- {"2#subtree#","#krbPwdMaxFailure"},
- {"2#subtree#","#krbPwdFailureCountInterval"},
- {"2#subtree#","#krbPwdLockoutDuration"},
- { "", "" }
-};
-
-static char *kdcrights_realmcontainer[][2]={
- {"1#subtree#","#[Entry Rights]"},
- {"2#subtree#","#CN"},
- {"2#subtree#","#ObjectClass"},
- {"2#subtree#","#krbTicketPolicyReference"},
- {"2#subtree#","#krbMKey"},
- {"2#subtree#","#krbUPEnabled"},
- {"2#subtree#","#krbSubTrees"},
- {"2#subtree#","#krbPrincContainerRef"},
- {"2#subtree#","#krbSearchScope"},
- {"2#subtree#","#krbLdapServers"},
- {"2#subtree#","#krbKdcServers"},
- {"2#subtree#","#krbAdmServers"},
- {"2#subtree#","#krbPwdServers"},
- {"2#subtree#","#krbTicketFlags"},
- {"2#subtree#","#krbMaxTicketLife"},
- {"2#subtree#","#krbMaxRenewableAge"},
- {"2#subtree#","#krbPrincipalName"},
- {"2#subtree#","#krbPrincipalKey"},
- {"2#subtree#","#krbPrincipalExpiration"},
- {"2#subtree#","#krbPwdPolicyReference"},
- {"2#subtree#","#krbMaxPwdLife"},
- {"2#subtree#","#krbObjectReferences"},
- {"2#subtree#","#krbLastPwdChange"},
- {"2#subtree#","#krbLastAdminUnlock"},
- {"6#subtree#","#krbExtraData"},
- {"2#subtree#","#krbPasswordExpiration"},
- {"2#subtree#","#krbDefaultEncSaltTypes"},
- {"6#subtree#","#krbLastFailedAuth"},
- {"6#subtree#","#krbLoginFailedCount"},
- {"6#subtree#","#krbLastSuccessfulAuth"},
- { "", "" }
-};
-
-
-static char *adminrights_realmcontainer[][2]={
- {"15#subtree#","#[Entry Rights]"},
- {"6#subtree#","#CN"},
- {"6#subtree#","#ObjectClass"},
- {"6#subtree#","#krbTicketPolicyReference"},
- {"2#subtree#","#krbMKey"},
- {"6#subtree#","#krbUPEnabled"},
- {"2#subtree#","#krbSubTrees"},
- {"2#subtree#","#krbPrincContainerRef"},
- {"2#subtree#","#krbSearchScope"},
- {"2#subtree#","#krbLdapServers"},
- {"2#subtree#","#krbKdcServers"},
- {"2#subtree#","#krbAdmServers"},
- {"2#subtree#","#krbPwdServers"},
- {"6#subtree#","#krbTicketFlags"},
- {"6#subtree#","#krbMaxTicketLife"},
- {"6#subtree#","#krbMaxRenewableAge"},
- {"6#subtree#","#krbPrincipalName"},
- {"6#subtree#","#krbPrincipalKey"},
- {"6#subtree#","#krbPrincipalExpiration"},
- {"6#subtree#","#krbPwdHistoryLength"},
- {"6#subtree#","#krbMinPwdLife"},
- {"6#subtree#","#krbMaxPwdLife"},
- {"6#subtree#","#krbPwdMinDiffChars"},
- {"6#subtree#","#krbPwdMinLength"},
- {"6#subtree#","#krbPwdPolicyReference"},
- {"6#subtree#","#krbLastPwdChange"},
- {"6#subtree#","#krbLastAdminUnlock"},
- {"6#subtree#","#krbObjectReferences"},
- {"6#subtree#","#krbExtraData"},
- {"6#subtree#","#krbPasswordExpiration"},
- {"6#subtree#","#krbDefaultEncSaltTypes"},
- {"2#subtree#","#krbLastFailedAuth"},
- {"2#subtree#","#krbLoginFailedCount"},
- {"2#subtree#","#krbLastSuccessfulAuth"},
- {"6#subtree#","#krbPwdMaxFailure"},
- {"6#subtree#","#krbPwdFailureCountInterval"},
- {"6#subtree#","#krbPwdLockoutDuration"},
- { "","" }
-};
-
-
-static char *pwdrights_realmcontainer[][2]={
- {"1#subtree#","#[Entry Rights]"},
- {"2#subtree#","#CN"},
- {"2#subtree#","#ObjectClass"},
- {"2#subtree#","#krbTicketPolicyReference"},
- {"2#subtree#","#krbMKey"},
- {"2#subtree#","#krbUPEnabled"},
- {"2#subtree#","#krbSubTrees"},
- {"2#subtree#","#krbPrincContainerRef"},
- {"2#subtree#","#krbSearchScope"},
- {"2#subtree#","#krbLdapServers"},
- {"2#subtree#","#krbKdcServers"},
- {"2#subtree#","#krbAdmServers"},
- {"2#subtree#","#krbPwdServers"},
- {"6#subtree#","#krbTicketFlags"},
- {"2#subtree#","#krbMaxTicketLife"},
- {"2#subtree#","#krbMaxRenewableAge"},
- {"2#subtree#","#krbPrincipalName"},
- {"6#subtree#","#krbPrincipalKey"},
- {"2#subtree#","#krbPrincipalExpiration"},
- {"2#subtree#","#krbPwdHistoryLength"},
- {"2#subtree#","#krbMinPwdLife"},
- {"2#subtree#","#krbMaxPwdLife"},
- {"2#subtree#","#krbPwdMinDiffChars"},
- {"2#subtree#","#krbPwdMinLength"},
- {"2#subtree#","#krbPwdPolicyReference"},
- {"2#subtree#","#krbLastPwdChange"},
- {"2#subtree#","#krbLastAdminUnlock"},
- {"2#subtree#","#krbObjectReferences"},
- {"6#subtree#","#krbExtraData"},
- {"6#subtree#","#krbPasswordExpiration"},
- {"2#subtree#","#krbDefaultEncSaltTypes"},
- {"2#subtree#","#krbLastFailedAuth"},
- {"2#subtree#","#krbLoginFailedCount"},
- {"2#subtree#","#krbLastSuccessfulAuth"},
- {"2#subtree#","#krbPwdMaxFailure"},
- {"2#subtree#","#krbPwdFailureCountInterval"},
- {"2#subtree#","#krbPwdLockoutDuration"},
- { "", "" }
-};
-
-static char *security_container[][2] = {
- {"1#subtree#","#[Entry Rights]"},
- {"2#subtree#","#krbContainerReference"},
- { "", "" }
-};
-
-static char *kerberos_container[][2] = {
- {"1#subtree#","#[Entry Rights]"},
- {"2#subtree#","#krbTicketPolicyReference"},
- { "", "" }
-};
-
-
-/*
- * 
This will set the rights for the Kerberos service objects. - * The function will read the subtree attribute from the specified - * realm name and will the appropriate rights on both the realm - * container and the subtree. The kerberos context passed should - * have a valid ldap handle, with appropriate rights to write acl - * attributes. - * - * krb5_context - IN The Kerberos context with valid ldap handle - * - */ - -krb5_error_code -krb5_ldap_add_service_rights(krb5_context context, int servicetype, - char *serviceobjdn, char *realmname, - char **subtreeparam, char *contref, int mask) -{ - - int st=0,i=0,j=0; - char *realmacls[2]={NULL}, *subtreeacls[2]={NULL}, *seccontacls[2]={NULL}, *krbcontacls[2]={NULL}; - LDAP *ld; - LDAPMod realmclass, subtreeclass, seccontclass, krbcontclass; - LDAPMod *realmarr[3]={NULL}, *subtreearr[3]={NULL}, *seccontarr[3]={NULL}, *krbcontarr[3]={NULL}; - char *realmdn=NULL, **subtree=NULL; - kdb5_dal_handle *dal_handle=NULL; - krb5_ldap_context *ldap_context=NULL; - krb5_ldap_server_handle *ldap_server_handle=NULL; - int subtreecount=0; - - SETUP_CONTEXT(); - GET_HANDLE(); - - if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4) - || (ldap_context->krbcontainer->DN == NULL)) { - st=-1; - goto cleanup; - } - - if (subtreeparam != NULL) { - while(subtreeparam[subtreecount]) - subtreecount++; - } - if (contref != NULL) { - subtreecount++; - } - - if (subtreecount) { - subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1)); - if(subtree == NULL) { - st = ENOMEM; - goto cleanup; - } - memset(subtree, 0, sizeof(char *) * (subtreecount + 1)); - if (subtreeparam != NULL) { - for(i=0; subtreeparam[i]!=NULL; i++) { - subtree[i] = strdup(subtreeparam[i]); - if(subtree[i] == NULL) { - st = ENOMEM; - goto cleanup; - } - } - } - if (contref != NULL) { - subtree[i] = strdup(contref); - } - } - - /* Set the rights for the realm */ - if (mask & LDAP_REALM_RIGHTS) { - - /* Set the rights for the service 
object on the security container */ - seccontclass.mod_op = LDAP_MOD_ADD; - seccontclass.mod_type = "ACL"; - - for (i=0; strcmp(security_container[i][0], "") != 0; i++) { - - asprintf(&seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn, - security_container[i][1]); - seccontclass.mod_values = seccontacls; - - seccontarr[0] = &seccontclass; - - st = ldap_modify_ext_s(ld, - SECURITY_CONTAINER, - seccontarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { - free(seccontacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(seccontacls[0]); - } - - - /* Set the rights for the service object on the kerberos container */ - krbcontclass.mod_op = LDAP_MOD_ADD; - krbcontclass.mod_type = "ACL"; - - for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) { - asprintf(&krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn, - kerberos_container[i][1]); - krbcontclass.mod_values = krbcontacls; - - krbcontarr[0] = &krbcontclass; - - st = ldap_modify_ext_s(ld, - ldap_context->krbcontainer->DN, - krbcontarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { - free(krbcontacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(krbcontacls[0]); - } - - /* Construct the realm dn from realm name */ - asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN); - - realmclass.mod_op = LDAP_MOD_ADD; - realmclass.mod_type = "ACL"; - - if (servicetype == LDAP_KDC_SERVICE) { - for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) { - asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn, - kdcrights_realmcontainer[i][1]); - realmclass.mod_values = realmacls; - - realmarr[0] = &realmclass; - - st = ldap_modify_ext_s(ld, - realmdn, - realmarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { - free(realmacls[0]); - 
st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(realmacls[0]); - } - } else if (servicetype == LDAP_ADMIN_SERVICE) { - for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) { - asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn, - adminrights_realmcontainer[i][1]); - realmclass.mod_values = realmacls; - - realmarr[0] = &realmclass; - - st = ldap_modify_ext_s(ld, - realmdn, - realmarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { - free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(realmacls[0]); - } - } else if (servicetype == LDAP_PASSWD_SERVICE) { - for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) { - asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn, - pwdrights_realmcontainer[i][1]); - realmclass.mod_values = realmacls; - - realmarr[0] = &realmclass; - - - st = ldap_modify_ext_s(ld, - realmdn, - realmarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) { - free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(realmacls[0]); - } - } - } /* Realm rights settings ends here */ - - - /* Subtree rights to be set */ - if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) { - /* Populate the acl data to be added to the subtree */ - subtreeclass.mod_op = LDAP_MOD_ADD; - subtreeclass.mod_type = "ACL"; - - if (servicetype == LDAP_KDC_SERVICE) { - for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) { - asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn, - kdcrights_subtree[i][1]); - subtreeclass.mod_values = subtreeacls; - - subtreearr[0] = &subtreeclass; - - /* set rights to a list of subtrees */ - for(j=0; subtree[j]!=NULL && j 4) - || (ldap_context->krbcontainer->DN == NULL)) { - st = -1; - goto cleanup; - } - - if (subtreeparam != NULL) { - 
while(subtreeparam[subtreecount]) - subtreecount++; - } - if (contref != NULL) { - subtreecount++; - } - - if (subtreecount) { - subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1)); - if(subtree == NULL) { - st = ENOMEM; - goto cleanup; - } - memset(subtree, 0, sizeof(char *) * (subtreecount + 1)); - if (subtreeparam != NULL) { - for(i=0; subtreeparam[i]!=NULL; i++) { - subtree[i] = strdup(subtreeparam[i]); - if(subtree[i] == NULL) { - st = ENOMEM; - goto cleanup; - } - } - } - if (contref != NULL) { - subtree[i] = strdup(contref); - } - } - - - /* Set the rights for the realm */ - if (mask & LDAP_REALM_RIGHTS) { - - asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN); - - realmclass.mod_op=LDAP_MOD_DELETE; - realmclass.mod_type="ACL"; - - if (servicetype == LDAP_KDC_SERVICE) { - for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) { - asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn, - kdcrights_realmcontainer[i][1]); - realmclass.mod_values= realmacls; - - realmarr[0]=&realmclass; - - st = ldap_modify_ext_s(ld, - realmdn, - realmarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) { - free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(realmacls[0]); - } - } else if (servicetype == LDAP_ADMIN_SERVICE) { - for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) { - asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn, - adminrights_realmcontainer[i][1]); - realmclass.mod_values= realmacls; - - realmarr[0]=&realmclass; - - st = ldap_modify_ext_s(ld, - realmdn, - realmarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) { - free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(realmacls[0]); - } - } else if (servicetype == LDAP_PASSWD_SERVICE) { - for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) { - 
asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn, - pwdrights_realmcontainer[i][1]); - realmclass.mod_values= realmacls; - - realmarr[0]=&realmclass; - - st = ldap_modify_ext_s(ld, - realmdn, - realmarr, - NULL, - NULL); - if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) { - free(realmacls[0]); - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - free(realmacls[0]); - } - } - - } /* Realm rights setting ends here */ - - - /* Set the rights for the subtree */ - if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) { - - /* Populate the acl data to be added to the subtree */ - subtreeclass.mod_op=LDAP_MOD_DELETE; - subtreeclass.mod_type="ACL"; - - if (servicetype == LDAP_KDC_SERVICE) { - for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) { - asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn, - kdcrights_subtree[i][1]); - subtreeclass.mod_values= subtreeacls; - - subtreearr[0]=&subtreeclass; - - for(j=0; subtree[j]!=NULL && jservicedn == NULL) { - st = EINVAL; - krb5_set_error_message (context, st, "Service DN NULL"); - goto cleanup; - } - - SETUP_CONTEXT(); - GET_HANDLE(); - - /* identify the class that the object should belong to. 
This depends on the servicetype */ - memset(strval, 0, sizeof(strval)); - strval[0] = "krbService"; - if (service->servicetype == LDAP_KDC_SERVICE) { - strval[1] = "krbKdcService"; - realmattr = "krbKdcServers"; - } else if (service->servicetype == LDAP_ADMIN_SERVICE) { - strval[1] = "krbAdmService"; - realmattr = "krbAdmServers"; - } else if (service->servicetype == LDAP_PASSWD_SERVICE) { - strval[1] = "krbPwdService"; - realmattr = "krbPwdServers"; - } else { - strval[1] = "krbKdcService"; - realmattr = "krbKdcServers"; - } - if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; - - rdns = ldap_explode_dn(service->servicedn, 1); - if (rdns == NULL) { - st = LDAP_INVALID_DN_SYNTAX; - goto cleanup; - } - memset(strval, 0, sizeof(strval)); - strval[0] = rdns[0]; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; - - if (mask & LDAP_SERVICE_SERVICEFLAG) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_ADD, - service->krbserviceflags)) != 0) - goto cleanup; - } - - if (mask & LDAP_SERVICE_HOSTSERVER) { - if (service->krbhostservers != NULL) { - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_ADD, - service->krbhostservers)) != 0) - goto cleanup; - } else { - st = EINVAL; - krb5_set_error_message(context, st, - _("'krbhostserver' argument invalid")); - goto cleanup; - } - } - - if (mask & LDAP_SERVICE_REALMREFERENCE) { - if (service->krbrealmreferences != NULL) { - unsigned int realmmask=0; - - /* check for the validity of the values */ - for (j=0; service->krbrealmreferences[j] != NULL; ++j) { - st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass", - realmcontclass, &realmmask); - CHECK_CLASS_VALIDITY(st, realmmask, _("realm object value: ")); - } - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_ADD, - service->krbrealmreferences)) != 0) - goto cleanup; - } else { - st = EINVAL; - 
krb5_set_error_message(context, st, - _("Server has no 'krbrealmreferences'")); - goto cleanup; - } - } - - /* ldap add operation */ - if ((st=ldap_add_ext_s(ld, service->servicedn, mods, NULL, NULL)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_ADD); - goto cleanup; - } - - /* - * If the service created has realm/s associated with it, then the realm should be updated - * to have a reference to the service object just created. - */ - if (mask & LDAP_SERVICE_REALMREFERENCE) { - for (i=0; service->krbrealmreferences[i]; ++i) { - if ((st=updateAttribute(ld, service->krbrealmreferences[i], realmattr, - service->servicedn)) != 0) { - snprintf(errbuf, sizeof(errbuf), - _("Error adding 'krbRealmReferences' to %s: "), - service->krbrealmreferences[i]); - prepend_err_str(context, errbuf, st, st); - /* delete service object, status ignored intentionally */ - ldap_delete_ext_s(ld, service->servicedn, NULL, NULL); - goto cleanup; - } - } - } - -cleanup: - - if (rdns) - ldap_value_free (rdns); - - ldap_mods_free(mods, 1); - krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); - return st; -} - - -/* - * modify the service object from Directory - */ - -krb5_error_code -krb5_ldap_modify_service(krb5_context context, - krb5_ldap_service_params *service, int mask) -{ - int i=0, j=0, count=0; - krb5_error_code st=0; - LDAP *ld=NULL; - char **values=NULL, *attr[] = { "krbRealmReferences", NULL}; - char *realmattr=NULL; - char **oldrealmrefs=NULL, **newrealmrefs=NULL; - LDAPMod **mods=NULL; - LDAPMessage *result=NULL, *ent=NULL; - kdb5_dal_handle *dal_handle=NULL; - krb5_ldap_context *ldap_context=NULL; - krb5_ldap_server_handle *ldap_server_handle=NULL; - - /* validate the input parameter */ - if (service == NULL || service->servicedn == NULL) { - st = EINVAL; - krb5_set_error_message(context, st, _("Service DN is NULL")); - goto cleanup; - } - - SETUP_CONTEXT(); - GET_HANDLE(); - - if (mask & LDAP_SERVICE_SERVICEFLAG) { - if 
((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_REPLACE, - service->krbserviceflags)) != 0) - goto cleanup; - } - - if (mask & LDAP_SERVICE_HOSTSERVER) { - if (service->krbhostservers != NULL) { - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_REPLACE, - service->krbhostservers)) != 0) - goto cleanup; - } else { - st = EINVAL; - krb5_set_error_message (context, st, "'krbhostserver' value invalid"); - goto cleanup; - } - } - - if (mask & LDAP_SERVICE_REALMREFERENCE) { - if (service->krbrealmreferences != NULL) { - unsigned int realmmask=0; - - /* check for the validity of the values */ - for (j=0; service->krbrealmreferences[j]; ++j) { - st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass", - realmcontclass, &realmmask); - CHECK_CLASS_VALIDITY(st, realmmask, _("realm object value: ")); - } - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_REPLACE, - service->krbrealmreferences)) != 0) - goto cleanup; - - - /* get the attribute of the realm to be set */ - if (service->servicetype == LDAP_KDC_SERVICE) - realmattr = "krbKdcServers"; - else if (service->servicetype == LDAP_ADMIN_SERVICE) - realmattr = "krbAdmservers"; - else if (service->servicetype == LDAP_PASSWD_SERVICE) - realmattr = "krbPwdServers"; - else - realmattr = "krbKdcServers"; - - /* read the existing list of krbRealmreferences. 
this will needed */ - if ((st = ldap_search_ext_s (ld, - service->servicedn, - LDAP_SCOPE_BASE, - 0, - attr, - 0, - NULL, - NULL, - NULL, - 0, - &result)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_SEARCH); - goto cleanup; - } - - ent = ldap_first_entry(ld, result); - if (ent) { - if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) { - count = ldap_count_values(values); - if ((st=copy_arrays(values, &oldrealmrefs, count)) != 0) - goto cleanup; - ldap_value_free(values); - } - } - ldap_msgfree(result); - } else { - st = EINVAL; - krb5_set_error_message(context, st, - _("'krbRealmReferences' value invalid")); - goto cleanup; - } - } - - /* ldap modify operation */ - if ((st=ldap_modify_ext_s(ld, service->servicedn, mods, NULL, NULL)) != LDAP_SUCCESS) { - st = set_ldap_error (context, st, OP_MOD); - goto cleanup; - } - - /* - * If the service modified had realm/s associations changed, then the realm should be - * updated to reflect the changes. - */ - - if (mask & LDAP_SERVICE_REALMREFERENCE) { - /* get the count of the new list of krbrealmreferences */ - for (i=0; service->krbrealmreferences[i]; ++i) - ; - - /* make a new copy of the krbrealmreferences */ - if ((st=copy_arrays(service->krbrealmreferences, &newrealmrefs, i)) != 0) - goto cleanup; - - /* find the deletions/additions to the list of krbrealmreferences */ - if (disjoint_members(oldrealmrefs, newrealmrefs) != 0) - goto cleanup; - - /* see if some of the attributes have to be deleted */ - if (oldrealmrefs) { - - /* update the dn represented by the attribute that is to be deleted */ - for (i=0; oldrealmrefs[i]; ++i) - if ((st=deleteAttribute(ld, oldrealmrefs[i], realmattr, service->servicedn)) != 0) { - prepend_err_str(context, - _("Error deleting realm attribute:"), st, - st); - goto cleanup; - } - } - - /* see if some of the attributes have to be added */ - for (i=0; newrealmrefs[i]; ++i) - if ((st=updateAttribute(ld, newrealmrefs[i], realmattr, service->servicedn)) != 0) { 
- prepend_err_str(context, _("Error updating realm attribute: "),
- st, st);
- goto cleanup;
- }
- }
-
-cleanup:
-
- if (oldrealmrefs) {
- for (i=0; oldrealmrefs[i]; ++i)
- free (oldrealmrefs[i]);
- free (oldrealmrefs);
- }
-
- if (newrealmrefs) {
- for (i=0; newrealmrefs[i]; ++i)
- free (newrealmrefs[i]);
- free (newrealmrefs);
- }
-
- ldap_mods_free(mods, 1);
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
-}
-
-
-krb5_error_code
-krb5_ldap_delete_service(krb5_context context,
- krb5_ldap_service_params *service, char *servicedn)
-{
- krb5_error_code st = 0;
- LDAP *ld=NULL;
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_context *ldap_context=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
-
- SETUP_CONTEXT();
- GET_HANDLE();
-
- st = ldap_delete_ext_s(ld, servicedn, NULL, NULL);
- if (st != 0) {
- st = set_ldap_error (context, st, OP_DEL);
- }
-
- /* NOTE: This should be removed now as the backlinks are going off in OpenLDAP */
- /* time to delete krbrealmreferences. This is only for OpenLDAP */
-#ifndef HAVE_EDIRECTORY
- {
- int i=0;
- char *attr=NULL;
-
- if (service) {
- if (service->krbrealmreferences) {
- if (service->servicetype == LDAP_KDC_SERVICE)
- attr = "krbkdcservers";
- else if (service->servicetype == LDAP_ADMIN_SERVICE)
- attr = "krbadmservers";
- else if (service->servicetype == LDAP_PASSWD_SERVICE)
- attr = "krbpwdservers";
-
- for (i=0; service->krbrealmreferences[i]; ++i) {
- deleteAttribute(ld, service->krbrealmreferences[i], attr, servicedn);
- }
- }
- }
- }
-#endif
-
-cleanup:
-
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
-}
-
-
-/*
- * This function lists service objects from Directory
- */
-
-krb5_error_code
-krb5_ldap_list_services(krb5_context context, char *containerdn,
- char ***services)
-{
- return (krb5_ldap_list(context, services, "krbService", containerdn));
-}
-
-/*
- * This function reads the service object from Directory
- */
-krb5_error_code
-krb5_ldap_read_service(krb5_context context, char *servicedn,
- krb5_ldap_service_params **service, int *omask)
-{
- char **values=NULL;
- int i=0, count=0, objectmask=0;
- krb5_error_code st=0, tempst=0;
- LDAPMessage *result=NULL,*ent=NULL;
- char *attributes[] = {"krbHostServer", "krbServiceflags",
- "krbRealmReferences", "objectclass", NULL};
- char *attrvalues[] = {"krbService", NULL};
- krb5_ldap_service_params *lservice=NULL;
- krb5_ldap_context *ldap_context=NULL;
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
- LDAP *ld = NULL;
-
- /* validate the input parameter */
- if (servicedn == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st, _("Service DN NULL"));
- goto cleanup;
- }
-
- SETUP_CONTEXT();
- GET_HANDLE();
-
- *omask = 0;
-
- /* the policydn object should be of the krbService object class */
- st = checkattributevalue(ld, servicedn, "objectClass", attrvalues, &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, _("service object value: "));
-
- /* Initialize service structure */
- lservice =(krb5_ldap_service_params *) calloc(1, sizeof(krb5_ldap_service_params));
- if (lservice == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
-
- /* allocate tl_data structure to store MASK information */
- lservice->tl_data = calloc (1, sizeof(*lservice->tl_data));
- if (lservice->tl_data == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- lservice->tl_data->tl_data_type = KDB_TL_USER_INFO;
-
- LDAP_SEARCH(servicedn, LDAP_SCOPE_BASE, "(objectclass=krbService)", attributes);
-
- lservice->servicedn = strdup(servicedn);
- CHECK_NULL(lservice->servicedn);
-
- ent=ldap_first_entry(ld, result);
- if (ent != NULL) {
-
- if ((values=ldap_get_values(ld, ent, "krbServiceFlags")) != NULL) {
- lservice->krbserviceflags = atoi(values[0]);
- *omask |= LDAP_SERVICE_SERVICEFLAG;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbHostServer")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(lservice->krbhostservers), count)) != 0)
- goto cleanup;
- *omask |= LDAP_SERVICE_HOSTSERVER;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(lservice->krbrealmreferences), count)) != 0)
- goto cleanup;
- *omask |= LDAP_SERVICE_REALMREFERENCE;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "objectClass")) != NULL) {
- for (i=0; values[i]; ++i) {
- if (strcasecmp(values[i], "krbKdcService") == 0) {
- lservice->servicetype = LDAP_KDC_SERVICE;
- break;
- }
-
- if (strcasecmp(values[i], "krbAdmService") == 0) {
- lservice->servicetype = LDAP_ADMIN_SERVICE;
- break;
- }
-
- if (strcasecmp(values[i], "krbPwdService") == 0) {
- lservice->servicetype = LDAP_PASSWD_SERVICE;
- break;
- }
- }
- ldap_value_free(values);
- }
- }
- ldap_msgfree(result);
-
-cleanup:
- if (st != 0) {
- krb5_ldap_free_service(context, lservice);
- *service = NULL;
- } else {
- store_tl_data(lservice->tl_data, KDB_TL_MASK, omask);
- *service = lservice;
- }
-
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
-}
-
-/*
- * This function frees the krb5_ldap_service_params structure members.
- */
-
-krb5_error_code
-krb5_ldap_free_service(krb5_context context, krb5_ldap_service_params *service)
-{
- int i=0;
-
- if (service == NULL)
- return 0;
-
- if (service->servicedn)
- free (service->servicedn);
-
- if (service->krbrealmreferences) {
- for (i=0; service->krbrealmreferences[i]; ++i)
- free (service->krbrealmreferences[i]);
- free (service->krbrealmreferences);
- }
-
- if (service->krbhostservers) {
- for (i=0; service->krbhostservers[i]; ++i)
- free (service->krbhostservers[i]);
- free (service->krbhostservers);
- }
-
- if (service->tl_data) {
- if (service->tl_data->tl_data_contents)
- free (service->tl_data->tl_data_contents);
- free (service->tl_data);
- }
-
- free (service);
- return 0;
-}
-
-krb5_error_code
-krb5_ldap_set_service_passwd(krb5_context context, char *service, char *passwd)
-{
- krb5_error_code st=0;
- LDAPMod **mods=NULL;
- char *password[2] = {NULL};
- LDAP *ld=NULL;
- krb5_ldap_context *ldap_context=NULL;
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
-
- password[0] = passwd;
-
- SETUP_CONTEXT();
- GET_HANDLE();
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "userPassword", LDAP_MOD_REPLACE, password)) != 0)
- goto cleanup;
-
- st = ldap_modify_ext_s(ld, service, mods, NULL, NULL);
- if (st) {
- st = set_ldap_error (context, st, OP_MOD);
- }
-
-cleanup:
- ldap_mods_free(mods, 1);
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
-}
-#endif
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h
deleted file mode 100644
index ea40af2fd4..0000000000
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* plugins/kdb/ldap/libkdb_ldap/ldap_services.h */
-/*
- * Copyright (c) 2004-2005, Novell, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * * Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * * The copyright holder's name is not used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _LDAP_SERVICE_H
-#define _LDAP_SERVICE_H 1
-
-/* service specific mask */
-#define LDAP_SERVICE_SERVICEFLAG 0x0001
-#define LDAP_SERVICE_HOSTSERVER 0x0002
-#define LDAP_SERVICE_REALMREFERENCE 0x0004
-
-/* service type mask */
-#define LDAP_KDC_SERVICE 0x0001
-#define LDAP_ADMIN_SERVICE 0x0002
-#define LDAP_PASSWD_SERVICE 0x0004
-
-/* rights mask */
-#define LDAP_SUBTREE_RIGHTS 0x0001
-#define LDAP_REALM_RIGHTS 0x0002
-
-/* Types of service flags */
-#define SERVICE_FLAGS_AUTO_RESTART 0x0001
-#define SERVICE_FLAGS_CHECK_ADDRESSES 0x0002
-#define SERVICE_FLAGS_UNIXTIME_OLD_PATYPE 0x0004
-
-/* Service protocol type */
-#define SERVICE_PROTOCOL_TYPE_UDP "0"
-#define SERVICE_PROTOCOL_TYPE_TCP "1"
-
-typedef struct _krb5_ldap_service_params {
- char *servicedn;
- int servicetype;
- int krbserviceflags;
- char **krbhostservers;
- char **krbrealmreferences;
- krb5_tl_data *tl_data;
-} krb5_ldap_service_params;
-
-#ifdef HAVE_EDIRECTORY
-
-krb5_error_code
-krb5_ldap_read_service(krb5_context, char *, krb5_ldap_service_params **,
- int *);
-
-krb5_error_code
-krb5_ldap_create_service(krb5_context, krb5_ldap_service_params *, int);
-
-krb5_error_code
-krb5_ldap_modify_service(krb5_context, krb5_ldap_service_params *, int);
-
-krb5_error_code
-krb5_ldap_delete_service(krb5_context, krb5_ldap_service_params *, char *);
-
-krb5_error_code
-krb5_ldap_list_services(krb5_context, char *, char ***);
-
-krb5_error_code
-krb5_ldap_free_service(krb5_context, krb5_ldap_service_params *);
-
-
-krb5_error_code
-krb5_ldap_set_service_passwd(krb5_context, char *, char *);
-
-krb5_error_code
-krb5_ldap_add_service_rights(krb5_context, int, char *, char *, char **,
- char *, int);
-
-krb5_error_code
-krb5_ldap_delete_service_rights(krb5_context, int, char *, char *, char **,
- char *, int);
-#endif
-
-#endif