From: Greg Hudson Date: Sun, 18 Nov 2012 18:59:48 +0000 (-0500) Subject: Simplify LDAP KDB module container DN handling X-Git-Tag: krb5-1.12-alpha1~391 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f0a14b5be4954559e1174e268bbfe097c1ab873c;p=thirdparty%2Fkrb5.git Simplify LDAP KDB module container DN handling Outside of krb5_ldap_read_krbcontainer_params and krb5_ldap_create_krbcontainer, no fields of krb5_ldap_krbcontainer_params were used except for the DN. There was code to create a krbTicketPolicyReference attribute (which would fail because the schema doesn't allow that attribute, and was never exercised because kdb5_ldap_util would never set the parameter) and to read fields like max ticket life from the referenced ticket policy, but those fields were never used. Eliminate the structure and just store the container DN in krb5_ldap_context. Continue creating the container object when creating a realm (by calling krb5_ldap_create_krbcontainer unconditionally; it now exits successfully if the container already exists), but don't ever read it. --- diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c index 73b0d2f644..6ec711f551 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c @@ -63,9 +63,9 @@ init_ldap_realm(int argc, char *argv[]) goto cleanup; } - if (ldap_context->krbcontainer == NULL) { - retval = krb5_ldap_read_krbcontainer_params (util_context, - &(ldap_context->krbcontainer)); + if (ldap_context->container_dn == NULL) { + retval = krb5_ldap_read_krbcontainer_dn(util_context, + &ldap_context->container_dn); if (retval != 0) { com_err(progname, retval, _("while reading kerberos container information")); diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c index a479c6e46a..1050fcd73e 100644 
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c 
@@ -467,70 +467,35 @@ kdb5_ldap_create(int argc, char *argv[]) } /* read the kerberos container */ - if ((retval=krb5_ldap_read_krbcontainer_params (util_context, - &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) { + retval = krb5_ldap_read_krbcontainer_dn(util_context, + &ldap_context->container_dn); + if (retval) { /* Prompt the user for entering the DN of Kerberos container */ char krb_location[MAX_KRB_CONTAINER_LEN]; - krb5_ldap_krbcontainer_params kparams; int krb_location_len = 0; - memset(&kparams, 0, sizeof(kparams)); - - /* Read the kerberos container location from configuration file */ - if (ldap_context->conf_section) { - if ((retval=profile_get_string(util_context->profile, - KDB_MODULE_SECTION, ldap_context->conf_section, - KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL, - &kparams.DN)) != 0) { - goto cleanup; + + printf(_("Enter DN of Kerberos container: ")); + if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) { + /* Remove the newline character at the end */ + krb_location_len = strlen(krb_location); + if ((krb_location[krb_location_len - 1] == '\n') || + (krb_location[krb_location_len - 1] == '\r')) { + krb_location[krb_location_len - 1] = '\0'; + krb_location_len--; } - } - if (kparams.DN == NULL) { - if ((retval=profile_get_string(util_context->profile, - KDB_MODULE_DEF_SECTION, - KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL, - NULL, &kparams.DN)) != 0) { + ldap_context->container_dn = strdup(krb_location); + if (ldap_context->container_dn == NULL) { + retval = ENOMEM; goto cleanup; } } + } - printf(_("\nKerberos container is missing. 
Creating now...\n")); - if (kparams.DN == NULL) { - printf(_("Enter DN of Kerberos container: ")); - if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) { - /* Remove the newline character at the end */ - krb_location_len = strlen(krb_location); - if ((krb_location[krb_location_len - 1] == '\n') || - (krb_location[krb_location_len - 1] == '\r')) { - krb_location[krb_location_len - 1] = '\0'; - krb_location_len--; - } - /* If the user has not given any input, take the default location */ - else if (krb_location[0] == '\0') - kparams.DN = NULL; - else - kparams.DN = krb_location; - } else - kparams.DN = NULL; - } - - /* create the kerberos container */ - retval = krb5_ldap_create_krbcontainer(util_context, - ((kparams.DN != NULL) ? &kparams : NULL)); - if (retval) - goto cleanup; - - retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)); - if (retval) { - com_err(progname, retval, - _("while reading kerberos container information")); - goto cleanup; - } - } else if (retval) { - com_err(progname, retval, - _("while reading kerberos container information")); + /* create the kerberos container if it doesn't exist */ + retval = krb5_ldap_create_krbcontainer(util_context, + ldap_context->container_dn); + if (retval) goto cleanup; - } if ((retval = krb5_ldap_create_realm(util_context, /* global_params.realm, */ rparams, mask))) { @@ -812,8 +777,9 @@ kdb5_ldap_modify(int argc, char *argv[]) goto cleanup; } - if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)))) { + retval = krb5_ldap_read_krbcontainer_dn(util_context, + &ldap_context->container_dn); + if (retval) { com_err(progname, retval, _("while reading Kerberos container information")); goto err_nomsg; 
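Review bot: An empty line at the new `Enter DN of Kerberos container:` prompt now produces `container_dn = ""`: after the newline is stripped `krb_location_len` is 0, but the `strdup` runs anyway, and an empty string passes the `dn == NULL` check in krb5_ldap_create_krbcontainer and reaches `ldap_explode_dn`, whereas the removed code never set the DN from an empty buffer. Guard the copy with the length this hunk already tracks, `if (krb_location_len > 0) {` around the `strdup`/`ENOMEM` lines, so the empty case falls through to the existing EINVAL "Kerberos Container information is missing" path. Separately, `if (retval)` now prompts on every failure of krb5_ldap_read_krbcontainer_dn, including errors reading krb5.conf, and silently drops the error message that function set; the removed code only prompted on KRB5_KDB_NOENTRY, so a distinct return value for "not configured" (or a com_err before prompting) would keep real configuration errors visible. kdb5_ldap_create begins and ends outside this hunk.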
@@ -965,8 +931,9 @@ kdb5_ldap_view(int argc, char *argv[]) } /* Read the kerberos container information */ - if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer))) != 0) { + retval = krb5_ldap_read_krbcontainer_dn(util_context, + &ldap_context->container_dn); + if (retval) { com_err(progname, retval, _("while reading kerberos container information")); exit_status++; @@ -1165,8 +1132,9 @@ kdb5_ldap_list(int argc, char *argv[]) } /* Read the kerberos container information */ - if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer))) != 0) { + retval = krb5_ldap_read_krbcontainer_dn(util_context, + &ldap_context->container_dn); + if (retval) { com_err(progname, retval, _("while reading kerberos container information")); exit_status++; @@ -1175,24 +1143,17 @@ kdb5_ldap_list(int argc, char *argv[]) retval = krb5_ldap_list_realm(util_context, &list); if (retval != 0) { - krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); - ldap_context->krbcontainer = NULL; com_err(progname, retval, _("while listing realms")); exit_status++; return; } /* This is to handle the case of realm not present */ - if (list == NULL) { - krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); - ldap_context->krbcontainer = NULL; + if (list == NULL) return; - } for (plist = list; *plist != NULL; plist++) { printf("%s\n", *plist); } - krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); - ldap_context->krbcontainer = NULL; krb5_free_list_entries(list); free(list); 
@@ -1589,9 +1550,10 @@ kdb5_ldap_destroy(int argc, char *argv[]) return; } - /* Read the kerberos container from the LDAP Server */ - if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer))) != 0) { + /* Read the kerberos container DN */ + retval = krb5_ldap_read_krbcontainer_dn(util_context, + &ldap_context->container_dn); + if (retval) { com_err(progname, retval, _("while reading kerberos container information")); exit_status++; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c index b52d088ff6..a29b3326ec 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c @@ -113,7 +113,7 @@ krb5_ldap_read_startup_information(krb5_context context) int mask = 0; SETUP_CONTEXT(); - if ((retval=krb5_ldap_read_krbcontainer_params(context, &(ldap_context->krbcontainer)))) { + if ((retval=krb5_ldap_read_krbcontainer_dn(context, &(ldap_context->container_dn)))) { prepend_err_str(context, _("Unable to read Kerberos container"), retval, retval); goto cleanup; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h index b40600780e..30d3a4aef4 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h @@ -212,7 +212,7 @@ typedef struct _krb5_ldap_context { krb5_ldap_certificates **certificates; krb5_ui_4 cert_count; /* certificate count */ k5_mutex_t hndl_lock; - krb5_ldap_krbcontainer_params *krbcontainer; + char *container_dn; krb5_ldap_realm_params *lrparams; krb5_boolean disable_last_success; krb5_boolean disable_lockout; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c index 5896724391..cd4b4ca355 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c 
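Review bot: The new `char *container_dn;` member in kdb_ldap.h carries no ownership note, although this commit makes krb5_ldap_free_ldap_context call `free()` on it, krb5_ldap_read_krbcontainer_dn fill it from profile_get_string, and kdb5_ldap_create assign a `strdup` result to it. A one-line comment on the field would fix that: `char *container_dn; /* DN of the krbContainer entry, read from krb5.conf; owned, freed in krb5_ldap_free_ldap_context */`. The surrounding struct definition starts and ends outside the hunk.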
@@ -334,8 +334,8 @@ krb5_ldap_free_ldap_context(krb5_ldap_context *ldap_context) if (ldap_context == NULL) return 0; - krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); - ldap_context->krbcontainer = NULL; + free(ldap_context->container_dn); + ldap_context->container_dn = NULL; krb5_ldap_free_realm_params(ldap_context->lrparams); ldap_context->lrparams = NULL; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c index 1dc4afcf78..86282ea2b3 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c @@ -59,7 +59,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args) krb5_ldap_context *ldap_context=NULL; krb5_boolean realm_obj_created = FALSE; krb5_boolean krbcontainer_obj_created = FALSE; - krb5_ldap_krbcontainer_params kparams = {0}; int srv_cnt = 0; int mask = 0; 
@@ -218,43 +217,15 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args) } /* read the kerberos container */ - if ((status = krb5_ldap_read_krbcontainer_params(context, - &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) { - - /* Read the kerberos container location from configuration file */ - if (ldap_context->conf_section) { - if ((status = profile_get_string(context->profile, - KDB_MODULE_SECTION, ldap_context->conf_section, - KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL, - &kparams.DN)) != 0) { - goto cleanup; - } - } - if (kparams.DN == NULL) { - if ((status = profile_get_string(context->profile, - KDB_MODULE_DEF_SECTION, - KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL, - NULL, &kparams.DN)) != 0) { - goto cleanup; - } - } - - /* create the kerberos container */ - status = krb5_ldap_create_krbcontainer(context, - ((kparams.DN != NULL) ? &kparams : NULL)); - if (status) - goto cleanup; - - krbcontainer_obj_created = TRUE; - - status = krb5_ldap_read_krbcontainer_params(context, - &(ldap_context->krbcontainer)); - if (status) - goto cleanup; + status = krb5_ldap_read_krbcontainer_dn(context, + &ldap_context->container_dn); + if (status) + goto cleanup; - } else if (status) { + status = krb5_ldap_create_krbcontainer(context, + ldap_context->container_dn); + if (status) goto cleanup; - } rparams = (krb5_ldap_realm_params *) malloc(sizeof(krb5_ldap_realm_params)); if (rparams == NULL) { @@ -287,16 +258,12 @@ cleanup: if ((krbcontainer_obj_created) && (!realm_obj_created)) { int rc; rc = krb5_ldap_delete_krbcontainer(context, - ((kparams.DN != NULL) ? &kparams : NULL)); + ldap_context->container_dn); krb5_set_error_message(context, rc, _("could not complete roll-back, error " "deleting Kerberos Container")); } - /* should call krb5_ldap_free_krbcontainer_params() but can't */ - if (kparams.DN != NULL) - krb5_xfree(kparams.DN); - if (rparams) krb5_ldap_free_realm_params(rparams); 
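Review bot: The rollback branch kept in the second hunk, `if ((krbcontainer_obj_created) && (!realm_obj_created))` followed by krb5_ldap_delete_krbcontainer, is now unreachable: the only assignment `krbcontainer_obj_created = TRUE;` is removed here and the flag is initialised FALSE in the hunk at line 59, so a failed realm creation never removes a container this call created. That is arguably the safe outcome now that krb5_ldap_create_krbcontainer also returns success for a pre-existing entry (a rollback could delete an object the admin created beforehand), but the flag, the delete call and its "could not complete roll-back" message are dead code and will mislead the next reader. Either remove them, or have krb5_ldap_create_krbcontainer report through an out-parameter whether it actually added the entry and set the flag only then. krb5_ldap_create and its cleanup label extend beyond both hunks.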
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c index fabe633abb..e3b42f55a4 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c 
@@ -32,67 +32,29 @@ #include "kdb_ldap.h" #include "ldap_err.h" -char *policyrefattribute[] = {"krbTicketPolicyReference",NULL}; -char *krbcontainerrefattr[] = {"krbContainerReference", NULL}; - /* - * Free the krb5_ldap_krbcontainer_params - */ - -void -krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *cparams) -{ - if (cparams == NULL) - return; - - if (cparams->policyreference) - krb5_xfree(cparams->policyreference); - - if (cparams->parent) - krb5_xfree(cparams->parent); - - if (cparams->DN) - krb5_xfree(cparams->DN); - - krb5_xfree(cparams); - - return; -} - -/* - * Read the kerberos container. Kerberos container dn is read from the krb5.conf file. - * In case of eDirectory, if the dn is not present in the conf file, refer Security Container - * to fetch the dn information. - * - * Reading kerberos container includes reading the policyreference attribute and the policy - * object to read the attributes associated with it. + * Read the kerberos container location from krb5.conf. 
*/ krb5_error_code -krb5_ldap_read_krbcontainer_params(krb5_context context, - krb5_ldap_krbcontainer_params **cparamp) - +krb5_ldap_read_krbcontainer_dn(krb5_context context, char **container_dn) { - krb5_error_code st=0, tempst=0; + krb5_error_code st=0; LDAP *ld=NULL; - LDAPMessage *result=NULL, *ent=NULL; - krb5_ldap_krbcontainer_params *cparams=NULL; + char *dn=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; + *container_dn = NULL; SETUP_CONTEXT(); GET_HANDLE(); - cparams =(krb5_ldap_krbcontainer_params *) malloc(sizeof(krb5_ldap_krbcontainer_params)); - CHECK_NULL(cparams); - memset(cparams, 0, sizeof(krb5_ldap_krbcontainer_params)); - /* read kerberos containter location from [dbmodules] section of krb5.conf file */ if (ldap_context->conf_section) { if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, ldap_context->conf_section, KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL, - &cparams->DN)) != 0) { + &dn)) != 0) { krb5_set_error_message(context, st, _("Error reading kerberos container " "location from krb5.conf")); @@ -101,10 +63,10 @@ krb5_ldap_read_krbcontainer_params(krb5_context context, } /* read kerberos containter location from [dbdefaults] section of krb5.conf file */ - if (cparams->DN == NULL) { + if (dn == NULL) { if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL, - NULL, &cparams->DN)) != 0) { + NULL, &dn)) != 0) { krb5_set_error_message(context, st, _("Error reading kerberos container " "location from krb5.conf")); 
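Review bot: krb5_ldap_read_krbcontainer_dn still executes `GET_HANDLE();` (and, in the third hunk, `krb5_ldap_put_handle_to_pool`) even though after this change it only reads two strings from krb5.conf and performs no directory operation; `LDAP *ld=NULL;` appears to survive only to satisfy that macro, though its expansion is outside the hunk. Obtaining a pooled LDAP connection to read a configuration value means an unreachable server makes the DN unreadable, and every caller in this commit now calls this function up front. Unless GET_HANDLE has side effects the function relies on, drop `GET_HANDLE();`, the `ld` declaration and the put-to-pool call in cleanup, keeping `SETUP_CONTEXT();` for `ldap_context->conf_section`. The function body continues past this hunk.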
@@ -112,57 +74,16 @@ krb5_ldap_read_krbcontainer_params(krb5_context context, } } - if (cparams->DN == NULL) { + if (dn == NULL) { st = KRB5_KDB_SERVER_INTERNAL_ERR; krb5_set_error_message(context, st, _("Kerberos container location not specified")); goto cleanup; } - /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is - * not read - */ - LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS); - if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) { - st = set_ldap_error(context, st, OP_SEARCH); - goto cleanup; - } - - if (st == LDAP_NO_SUCH_OBJECT) { - st = KRB5_KDB_NOENTRY; - goto cleanup; - } - - if ((ent = ldap_first_entry(ld, result))) { - if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference", - &(cparams->policyreference), NULL)) != 0) - goto cleanup; - } - ldap_msgfree(result); - - if (cparams->policyreference != NULL) { - LDAP_SEARCH_1(cparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS); - if (st != LDAP_SUCCESS && st!= LDAP_NO_SUCH_OBJECT) { - st = set_ldap_error(context, st, OP_SEARCH); - goto cleanup; - } - st = LDAP_SUCCESS; /* reset the return status in case it is LDAP_NO_SUCH_OBJECT */ - - ent=ldap_first_entry(ld, result); - if (ent != NULL) { - krb5_ldap_get_value(ld, ent, "krbmaxtktlife", &(cparams->max_life)); - krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &(cparams->max_renewable_life)); - krb5_ldap_get_value(ld, ent, "krbticketflags", &(cparams->tktflags)); - } - ldap_msgfree(result); - } - *cparamp=cparams; + *container_dn = dn; cleanup: - if (st != 0) { - krb5_ldap_free_krbcontainer_params(cparams); - *cparamp=NULL; - } krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.h index f1feb22d3e..549f8ce94b 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.h 
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.h @@ -35,28 +35,13 @@ /* kerberos container structure */ -typedef struct _krb5_ldap_krbcontainer_params { - char *parent; - char *DN; - char *policyreference; - krb5_int32 max_life; - krb5_int32 max_renewable_life; - krb5_int32 tktflags; -} krb5_ldap_krbcontainer_params; - -void -krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *); - krb5_error_code -krb5_ldap_read_krbcontainer_params(krb5_context, - krb5_ldap_krbcontainer_params **); +krb5_ldap_read_krbcontainer_dn(krb5_context, char **); krb5_error_code -krb5_ldap_create_krbcontainer(krb5_context, - const krb5_ldap_krbcontainer_params *); +krb5_ldap_create_krbcontainer(krb5_context, const char *); krb5_error_code -krb5_ldap_delete_krbcontainer(krb5_context, - const krb5_ldap_krbcontainer_params *); +krb5_ldap_delete_krbcontainer(krb5_context, const char *); #endif diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 00fbce1848..1e671c7ed2 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -517,7 +517,7 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, krb5_clear_error_message(context); SETUP_CONTEXT(); - if (ldap_context->lrparams == NULL || ldap_context->krbcontainer == NULL) + if (ldap_context->lrparams == NULL || ldap_context->container_dn == NULL) return EINVAL; /* get ldap handle */ diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c index 7e0d45689d..35daf5f635 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c 
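Review bot: The three rewritten prototypes in ldap_krbcontainer.h carry no contract comments, and two contracts changed in this commit: krb5_ldap_read_krbcontainer_dn hands back a heap string the caller frees with free() (kdb_ldap_conn.c does so), and krb5_ldap_create_krbcontainer now returns success when the entry already exists. Suggest `/* Read the container DN from krb5.conf into *container_dn; caller frees it. */` above the first and `/* Create the krbContainer entry at dn; succeeds if it already exists. */` above the second, with `/* Delete the krbContainer entry at dn. */` on the third for symmetry. The existing "kerberos container structure" comment above them now describes a struct this hunk deletes and should be reworded.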
@@ -130,9 +130,9 @@ krb5_ldap_list_realm(krb5_context context, char ***realms) SETUP_CONTEXT (); /* get the kerberos container DN information */ - if (ldap_context->krbcontainer == NULL) { - if ((st = krb5_ldap_read_krbcontainer_params(context, - &(ldap_context->krbcontainer))) != 0) + if (ldap_context->container_dn == NULL) { + if ((st = krb5_ldap_read_krbcontainer_dn(context, + &(ldap_context->container_dn))) != 0) goto cleanup; } @@ -141,7 +141,7 @@ krb5_ldap_list_realm(krb5_context context, char ***realms) { char *cn[] = {"cn", NULL}; - LDAP_SEARCH(ldap_context->krbcontainer->DN, + LDAP_SEARCH(ldap_context->container_dn, LDAP_SCOPE_ONELEVEL, "(objectclass=krbRealmContainer)", cn); @@ -359,7 +359,7 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams, SETUP_CONTEXT (); /* Check validity of arguments */ - if (ldap_context->krbcontainer == NULL || + if (ldap_context->container_dn == NULL || rparams->tl_data == NULL || rparams->tl_data->tl_data_contents == NULL || ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) || @@ -474,17 +474,14 @@ cleanup: /* - * Create the Kerberos container in the Directory + * Create the Kerberos container in the Directory if it does not exist */ krb5_error_code -krb5_ldap_create_krbcontainer(krb5_context context, - const - krb5_ldap_krbcontainer_params *krbcontparams) +krb5_ldap_create_krbcontainer(krb5_context context, const char *dn) { LDAP *ld=NULL; - char *strval[2]={NULL}, *kerberoscontdn=NULL, **rdns=NULL; - int pmask=0; + char *strval[2]={NULL}, **rdns=NULL; LDAPMod **mods = NULL; krb5_error_code st=0; kdb5_dal_handle *dal_handle=NULL; @@ -496,9 +493,7 @@ krb5_ldap_create_krbcontainer(krb5_context context, /* get ldap handle */ GET_HANDLE (); - if (krbcontparams != NULL && krbcontparams->DN != NULL) { - kerberoscontdn = krbcontparams->DN; - } else { + if (dn == NULL) { st = EINVAL; krb5_set_error_message(context, st, _("Kerberos Container information is missing")); 
@@ -510,7 +505,7 @@ krb5_ldap_create_krbcontainer(krb5_context context, if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) goto cleanup; - rdns = ldap_explode_dn(kerberoscontdn, 1); + rdns = ldap_explode_dn(dn, 1); if (rdns == NULL) { st = EINVAL; krb5_set_error_message(context, st, @@ -523,21 +518,11 @@ krb5_ldap_create_krbcontainer(krb5_context context, if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0) goto cleanup; - /* check if the policy reference value exists and is of krbticketpolicyreference object class */ - if (krbcontparams && krbcontparams->policyreference) { - st = checkattributevalue(ld, krbcontparams->policyreference, "objectclass", policyclass, - &pmask); - CHECK_CLASS_VALIDITY(st, pmask, _("ticket policy object value: ")); - - strval[0] = krbcontparams->policyreference; - strval[1] = NULL; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_ADD, - strval)) != 0) - goto cleanup; - } - /* create the kerberos container */ - if ((st = ldap_add_ext_s(ld, kerberoscontdn, mods, NULL, NULL)) != LDAP_SUCCESS) { + st = ldap_add_ext_s(ld, dn, mods, NULL, NULL); + if (st == LDAP_ALREADY_EXISTS) + st = LDAP_SUCCESS; + if (st != LDAP_SUCCESS) { int ost = st; st = translate_ldap_error (st, OP_ADD); krb5_set_error_message(context, st, @@ -561,12 +546,9 @@ cleanup: */ krb5_error_code -krb5_ldap_delete_krbcontainer(krb5_context context, - const - krb5_ldap_krbcontainer_params *krbcontparams) +krb5_ldap_delete_krbcontainer(krb5_context context, const char *dn) { LDAP *ld=NULL; - char *kerberoscontdn=NULL; krb5_error_code st=0; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; 
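Review bot: Mapping `LDAP_ALREADY_EXISTS` to `LDAP_SUCCESS` in krb5_ldap_create_krbcontainer accepts whatever entry exists at the configured DN: ldap_add_ext_s reports ALREADY_EXISTS for any object class, and the only place that previously verified the entry, the `(objectclass=krbContainer)` base search in the removed krb5_ldap_read_krbcontainer_params, is gone, so a pre-existing entry of another class at that DN is silently used as the container and realms are created beneath it. If that is acceptable, the comment should say so, e.g. `/* Create the container; an entry already present at dn is accepted as-is. */` in place of `/* create the kerberos container */`; if not, the ALREADY_EXISTS branch should re-check the entry with a base-scope objectclass search before returning success. The function's declarations and cleanup label lie outside this hunk.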
@@ -577,9 +559,7 @@ krb5_ldap_delete_krbcontainer(krb5_context context, /* get ldap handle */ GET_HANDLE (); - if (krbcontparams != NULL && krbcontparams->DN != NULL) { - kerberoscontdn = krbcontparams->DN; - } else { + if (dn == NULL) { st = EINVAL; krb5_set_error_message(context, st, _("Kerberos Container information is missing")); @@ -587,7 +567,7 @@ krb5_ldap_delete_krbcontainer(krb5_context context, } /* delete the kerberos container */ - if ((st = ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL)) != LDAP_SUCCESS) { + if ((st = ldap_delete_ext_s(ld, dn, NULL, NULL)) != LDAP_SUCCESS) { int ost = st; st = translate_ldap_error (st, OP_ADD); krb5_set_error_message(context, st, @@ -626,8 +606,7 @@ krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams, SETUP_CONTEXT (); /* Check input validity ... */ - if (ldap_context->krbcontainer == NULL || - ldap_context->krbcontainer->DN == NULL || + if (ldap_context->container_dn == NULL || rparams == NULL || rparams->realm_name == NULL || ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) || @@ -638,19 +617,12 @@ krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams, return st; } - if (ldap_context->krbcontainer == NULL) { - if ((st = krb5_ldap_read_krbcontainer_params(context, - &(ldap_context->krbcontainer))) != 0) - goto cleanup; - } - /* get ldap handle */ GET_HANDLE (); realm_name = rparams->realm_name; - if (asprintf(&dn, "cn=%s,%s", realm_name, - ldap_context->krbcontainer->DN) < 0) + if (asprintf(&dn, "cn=%s,%s", realm_name, ldap_context->container_dn) < 0) dn = NULL; CHECK_NULL(dn); @@ -758,7 +730,7 @@ krb5_error_code krb5_ldap_read_realm_params(krb5_context context, char *lrealm, krb5_ldap_realm_params **rlparamp, int *mask) { - char **values=NULL, *krbcontDN=NULL /*, *curr=NULL */; + char **values=NULL; krb5_error_code st=0, tempst=0; LDAP *ld=NULL; LDAPMessage *result=NULL,*ent=NULL; 
@@ -771,19 +743,11 @@ krb5_ldap_read_realm_params(krb5_context context, char *lrealm, SETUP_CONTEXT (); /* validate the input parameter */ - if (lrealm == NULL || - ldap_context->krbcontainer == NULL || - ldap_context->krbcontainer->DN == NULL) { + if (lrealm == NULL || ldap_context->container_dn == NULL) { st = EINVAL; goto cleanup; } - /* read kerberos container, if not read already */ - if (ldap_context->krbcontainer == NULL) { - if ((st = krb5_ldap_read_krbcontainer_params(context, - &(ldap_context->krbcontainer))) != 0) - goto cleanup; - } /* get ldap handle */ GET_HANDLE (); @@ -807,9 +771,8 @@ krb5_ldap_read_realm_params(krb5_context context, char *lrealm, /* set default values */ rlparams->search_scope = LDAP_SCOPE_SUBTREE; - krbcontDN = ldap_context->krbcontainer->DN; - - if (asprintf(&rlparams->realmdn, "cn=%s,%s", lrealm, krbcontDN) < 0) { + if (asprintf(&rlparams->realmdn, "cn=%s,%s", lrealm, + ldap_context->container_dn) < 0) { rlparams->realmdn = NULL; st = ENOMEM; goto cleanup; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports index 1467f5184c..36bde5a4fe 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports +++ b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports @@ -11,7 +11,7 @@ krb5_ldap_get_principal krb5_ldap_delete_principal krb5_ldap_free_principal krb5_ldap_iterate -krb5_ldap_read_krbcontainer_params +krb5_ldap_read_krbcontainer_dn krb5_ldap_list_realm krb5_ldap_read_realm_params krb5_ldap_free_realm_params @@ -34,7 +34,6 @@ krb5_ldap_iterate_password_policy krb5_dbe_free_contents krb5_ldap_free_server_params krb5_ldap_free_server_context_params -krb5_ldap_free_krbcontainer_params krb5_ldap_alloc krb5_ldap_free krb5_ldap_delete_realm_1