summaryrefslogtreecommitdiff
path: root/kerberosV
diff options
context:
space:
mode:
authorRay Lai <ray@cvs.openbsd.org>2006-09-30 17:48:23 +0000
committerRay Lai <ray@cvs.openbsd.org>2006-09-30 17:48:23 +0000
commit1712168a6ac665f19edb6d85b784cf03df89d00b (patch)
tree37ee55661b3e83ab8c4a02cf12a744d2d4cb2c00 /kerberosV
parent2089d60b1455bbcc181a25b376999406ea4bccd8 (diff)
Clear errno before calling the strtol functions.
From Paul Stoeber <x0001 at x dot de1 dot cc>. OK deraadt@.
Diffstat (limited to 'kerberosV')
-rw-r--r--kerberosV/src/appl/login/limits_conf.c1
-rw-r--r--kerberosV/src/lib/hdb/hdb-ldap.c1677
2 files changed, 1044 insertions, 634 deletions
diff --git a/kerberosV/src/appl/login/limits_conf.c b/kerberosV/src/appl/login/limits_conf.c
index ef193b38863..6e51f8959be 100644
--- a/kerberosV/src/appl/login/limits_conf.c
+++ b/kerberosV/src/appl/login/limits_conf.c
@@ -153,6 +153,7 @@ read_limits_conf(const char *file, const struct passwd *pwd)
if(strcmp(args[3], "-") == 0) {
value = RLIM_INFINITY;
} else {
+ errno = 0;
value = strtol(args[3], &end, 10);
if(*end != '\0') {
syslog(LOG_ERR, "%s: line %d: bad value %s", file, lineno, args[3]);
diff --git a/kerberosV/src/lib/hdb/hdb-ldap.c b/kerberosV/src/lib/hdb/hdb-ldap.c
index 8db3e736e49..6a1679c39be 100644
--- a/kerberosV/src/lib/hdb/hdb-ldap.c
+++ b/kerberosV/src/lib/hdb/hdb-ldap.c
@@ -1,5 +1,7 @@
/*
- * Copyright (c) 1999 - 2001, PADL Software Pty Ltd.
+ * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
+ * Copyright (c) 2004, Andrew Bartlett.
+ * Copyright (c) 2003 - 2004, Kungliga Tekniska Högskolan.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -32,99 +34,202 @@
#include "hdb_locl.h"
-RCSID("$KTH: hdb-ldap.c,v 1.7 2001/01/30 16:59:08 assar Exp $");
+RCSID("$KTH: hdb-ldap.c,v 1.49 2005/04/18 08:03:54 lha Exp $");
#ifdef OPENLDAP
-#include <ldap.h>
#include <lber.h>
-#include <ctype.h>
+#include <ldap.h>
#include <sys/un.h>
+#include <hex.h>
-static krb5_error_code LDAP__connect(krb5_context context, HDB * db);
+static krb5_error_code LDAP__connect(krb5_context context, HDB *);
+static krb5_error_code LDAP_close(krb5_context context, HDB *);
static krb5_error_code
LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
hdb_entry * ent);
-static char *krb5kdcentry_attrs[] =
- { "krb5PrincipalName", "cn", "krb5PrincipalRealm",
- "krb5KeyVersionNumber", "krb5Key",
- "krb5ValidStart", "krb5ValidEnd", "krb5PasswordEnd",
- "krb5MaxLife", "krb5MaxRenew", "krb5KDCFlags", "krb5EncryptionType",
- "modifiersName", "modifyTimestamp", "creatorsName", "createTimestamp",
+static const char *default_structural_object = "account";
+static char *structural_object;
+static krb5_boolean samba_forwardable;
+
+struct hdbldapdb {
+ LDAP *h_lp;
+ int h_msgid;
+ char *h_base;
+ char *h_createbase;
+};
+
+#define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp)
+#define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid)
+#define HDBSETMSGID(db,msgid) \
+ do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)
+#define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)
+#define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)
+
+/*
+ *
+ */
+
+static char * krb5kdcentry_attrs[] = {
+ "cn",
+ "createTimestamp",
+ "creatorsName",
+ "krb5EncryptionType",
+ "krb5KDCFlags",
+ "krb5Key",
+ "krb5KeyVersionNumber",
+ "krb5MaxLife",
+ "krb5MaxRenew",
+ "krb5PasswordEnd",
+ "krb5PrincipalName",
+ "krb5PrincipalRealm",
+ "krb5ValidEnd",
+ "krb5ValidStart",
+ "modifiersName",
+ "modifyTimestamp",
+ "objectClass",
+ "sambaAcctFlags",
+ "sambaKickoffTime",
+ "sambaNTPassword",
+ "sambaPwdLastSet",
+ "sambaPwdMustChange",
+ "uid",
NULL
};
-static char *krb5principal_attrs[] =
- { "krb5PrincipalName", "cn", "krb5PrincipalRealm",
- "modifiersName", "modifyTimestamp", "creatorsName", "createTimestamp",
+static char *krb5principal_attrs[] = {
+ "cn",
+ "createTimestamp",
+ "creatorsName",
+ "krb5PrincipalName",
+ "krb5PrincipalRealm",
+ "modifiersName",
+ "modifyTimestamp",
+ "objectClass",
+ "uid",
NULL
};
-/* based on samba: source/passdb/ldap.c */
+static int
+LDAP_no_size_limit(krb5_context context, LDAP *lp)
+{
+ int ret, limit = LDAP_NO_LIMIT;
+
+ ret = ldap_set_option(lp, LDAP_OPT_SIZELIMIT, (const void *)&limit);
+ if (ret != LDAP_SUCCESS) {
+ krb5_set_error_string(context, "ldap_set_option: %s",
+ ldap_err2string(ret));
+ return HDB_ERR_BADVERSION;
+ }
+ return 0;
+}
+
+static int
+check_ldap(krb5_context context, HDB *db, int ret)
+{
+ switch (ret) {
+ case LDAP_SUCCESS:
+ return 0;
+ case LDAP_SERVER_DOWN:
+ LDAP_close(context, db);
+ return 1;
+ default:
+ return 1;
+ }
+}
+
static krb5_error_code
-LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute,
- unsigned char *value, size_t len)
+LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute,
+ int *pIndex)
{
- LDAPMod **mods = *modlist;
- int i, j;
+ int cMods;
- if (mods == NULL) {
- mods = (LDAPMod **) calloc(1, sizeof(LDAPMod *));
- if (mods == NULL) {
+ if (*modlist == NULL) {
+ *modlist = (LDAPMod **)ber_memcalloc(1, sizeof(LDAPMod *));
+ if (*modlist == NULL)
return ENOMEM;
- }
- mods[0] = NULL;
}
- for (i = 0; mods[i] != NULL; ++i) {
- if ((mods[i]->mod_op & (~LDAP_MOD_BVALUES)) == modop
- && (!strcasecmp(mods[i]->mod_type, attribute))) {
+ for (cMods = 0; (*modlist)[cMods] != NULL; cMods++) {
+ if ((*modlist)[cMods]->mod_op == modop &&
+ strcasecmp((*modlist)[cMods]->mod_type, attribute) == 0) {
break;
}
}
- if (mods[i] == NULL) {
- mods = (LDAPMod **) realloc(mods, (i + 2) * sizeof(LDAPMod *));
- if (mods == NULL) {
+ *pIndex = cMods;
+
+ if ((*modlist)[cMods] == NULL) {
+ LDAPMod *mod;
+
+ *modlist = (LDAPMod **)ber_memrealloc(*modlist,
+ (cMods + 2) * sizeof(LDAPMod *));
+ if (*modlist == NULL)
return ENOMEM;
- }
- mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
- if (mods[i] == NULL) {
+
+ (*modlist)[cMods] = (LDAPMod *)ber_memalloc(sizeof(LDAPMod));
+ if ((*modlist)[cMods] == NULL)
return ENOMEM;
- }
- mods[i]->mod_op = modop | LDAP_MOD_BVALUES;
- mods[i]->mod_bvalues = NULL;
- mods[i]->mod_type = strdup(attribute);
- if (mods[i]->mod_type == NULL) {
+
+ mod = (*modlist)[cMods];
+ mod->mod_op = modop;
+ mod->mod_type = ber_strdup(attribute);
+ if (mod->mod_type == NULL) {
+ ber_memfree(mod);
+ (*modlist)[cMods] = NULL;
return ENOMEM;
}
- mods[i + 1] = NULL;
+
+ if (modop & LDAP_MOD_BVALUES) {
+ mod->mod_bvalues = NULL;
+ } else {
+ mod->mod_values = NULL;
+ }
+
+ (*modlist)[cMods + 1] = NULL;
}
+ return 0;
+}
+
+static krb5_error_code
+LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute,
+ unsigned char *value, size_t len)
+{
+ krb5_error_code ret;
+ int cMods, i = 0;
+
+ ret = LDAP__setmod(modlist, modop | LDAP_MOD_BVALUES, attribute, &cMods);
+ if (ret)
+ return ret;
+
if (value != NULL) {
- j = 0;
- if (mods[i]->mod_bvalues != NULL) {
- for (; mods[i]->mod_bvalues[j] != NULL; j++);
- }
- mods[i]->mod_bvalues =
- (struct berval **) realloc(mods[i]->mod_bvalues,
- (j + 2) * sizeof(struct berval *));
- if (mods[i]->mod_bvalues == NULL) {
+ struct berval **bv;
+
+ bv = (*modlist)[cMods]->mod_bvalues;
+ if (bv != NULL) {
+ for (i = 0; bv[i] != NULL; i++)
+ ;
+ bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
+ } else
+ bv = ber_memalloc(2 * sizeof(*bv));
+ if (bv == NULL)
return ENOMEM;
- }
- /* Caller allocates memory on our behalf, unlike LDAP_addmod. */
- mods[i]->mod_bvalues[j] =
- (struct berval *) malloc(sizeof(struct berval));
- if (mods[i]->mod_bvalues[j] == NULL) {
+
+ (*modlist)[cMods]->mod_bvalues = bv;
+
+ bv[i] = ber_memalloc(sizeof(*bv));;
+ if (bv[i] == NULL)
return ENOMEM;
- }
- mods[i]->mod_bvalues[j]->bv_val = value;
- mods[i]->mod_bvalues[j]->bv_len = len;
- mods[i]->mod_bvalues[j + 1] = NULL;
+
+ bv[i]->bv_val = value;
+ bv[i]->bv_len = len;
+
+ bv[i + 1] = NULL;
}
- *modlist = mods;
+
return 0;
}
@@ -132,59 +237,35 @@ static krb5_error_code
LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute,
const char *value)
{
- LDAPMod **mods = *modlist;
- int i, j;
+ int cMods, i = 0;
+ krb5_error_code ret;
+
+ ret = LDAP__setmod(modlist, modop, attribute, &cMods);
+ if (ret)
+ return ret;
- if (mods == NULL) {
- mods = (LDAPMod **) calloc(1, sizeof(LDAPMod *));
- if (mods == NULL) {
+ if (value != NULL) {
+ char **bv;
+
+ bv = (*modlist)[cMods]->mod_values;
+ if (bv != NULL) {
+ for (i = 0; bv[i] != NULL; i++)
+ ;
+ bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
+ } else
+ bv = ber_memalloc(2 * sizeof(*bv));
+ if (bv == NULL)
return ENOMEM;
- }
- mods[0] = NULL;
- }
- for (i = 0; mods[i] != NULL; ++i) {
- if (mods[i]->mod_op == modop
- && (!strcasecmp(mods[i]->mod_type, attribute))) {
- break;
- }
- }
+ (*modlist)[cMods]->mod_values = bv;
- if (mods[i] == NULL) {
- mods = (LDAPMod **) realloc(mods, (i + 2) * sizeof(LDAPMod *));
- if (mods == NULL) {
- return ENOMEM;
- }
- mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
- if (mods[i] == NULL) {
- return ENOMEM;
- }
- mods[i]->mod_op = modop;
- mods[i]->mod_values = NULL;
- mods[i]->mod_type = strdup(attribute);
- if (mods[i]->mod_type == NULL) {
+ bv[i] = ber_strdup(value);
+ if (bv[i] == NULL)
return ENOMEM;
- }
- mods[i + 1] = NULL;
- }
- if (value != NULL) {
- j = 0;
- if (mods[i]->mod_values != NULL) {
- for (; mods[i]->mod_values[j] != NULL; j++);
- }
- mods[i]->mod_values = (char **) realloc(mods[i]->mod_values,
- (j + 2) * sizeof(char *));
- if (mods[i]->mod_values == NULL) {
- return ENOMEM;
- }
- mods[i]->mod_values[j] = strdup(value);
- if (mods[i]->mod_values[j] == NULL) {
- return ENOMEM;
- }
- mods[i]->mod_values[j + 1] = NULL;
+ bv[i + 1] = NULL;
}
- *modlist = mods;
+
return 0;
}
@@ -203,22 +284,41 @@ LDAP_addmod_generalized_time(LDAPMod *** mods, int modop,
}
static krb5_error_code
+LDAP_addmod_integer(krb5_context context,
+ LDAPMod *** mods, int modop,
+ const char *attribute, unsigned long l)
+{
+ krb5_error_code ret;
+ char *buf;
+
+ ret = asprintf(&buf, "%ld", l);
+ if (ret < 0) {
+ krb5_set_error_string(context, "asprintf: out of memory:");
+ return ret;
+ }
+ ret = LDAP_addmod(mods, modop, attribute, buf);
+ free (buf);
+ return ret;
+}
+
+static krb5_error_code
LDAP_get_string_value(HDB * db, LDAPMessage * entry,
const char *attribute, char **ptr)
{
char **vals;
int ret;
- vals = ldap_get_values((LDAP *) db->db, entry, (char *) attribute);
+ vals = ldap_get_values(HDB2LDAP(db), entry, (char *) attribute);
if (vals == NULL) {
+ *ptr = NULL;
return HDB_ERR_NOENTRY;
}
+
*ptr = strdup(vals[0]);
- if (*ptr == NULL) {
+ if (*ptr == NULL)
ret = ENOMEM;
- } else {
+ else
ret = 0;
- }
ldap_value_free(vals);
@@ -231,10 +331,10 @@ LDAP_get_integer_value(HDB * db, LDAPMessage * entry,
{
char **vals;
- vals = ldap_get_values((LDAP *) db->db, entry, (char *) attribute);
- if (vals == NULL) {
+ vals = ldap_get_values(HDB2LDAP(db), entry, (char *) attribute);
+ if (vals == NULL)
return HDB_ERR_NOENTRY;
- }
+
*ptr = atoi(vals[0]);
ldap_value_free(vals);
return 0;
@@ -251,9 +351,8 @@ LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,
*kt = 0;
ret = LDAP_get_string_value(db, entry, attribute, &gentime);
- if (ret != 0) {
+ if (ret)
return ret;
- }
tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
if (tmp == NULL) {
@@ -274,228 +373,321 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent,
{
krb5_error_code ret;
krb5_boolean is_new_entry;
- int rc, i;
char *tmp = NULL;
LDAPMod **mods = NULL;
hdb_entry orig;
unsigned long oflags, nflags;
+ int i;
+
+ krb5_boolean is_samba_account = FALSE;
+ krb5_boolean is_account = FALSE;
+ krb5_boolean is_heimdal_entry = FALSE;
+ krb5_boolean is_heimdal_principal = FALSE;
+
+ char **values;
+
+ *pmods = NULL;
if (msg != NULL) {
+
ret = LDAP_message2entry(context, db, msg, &orig);
- if (ret != 0) {
+ if (ret)
goto out;
- }
+
is_new_entry = FALSE;
- } else {
+
+ values = ldap_get_values(HDB2LDAP(db), msg, "objectClass");
+ if (values) {
+ int num_objectclasses = ldap_count_values(values);
+ for (i=0; i < num_objectclasses; i++) {
+ if (strcasecmp(values[i], "sambaSamAccount") == 0) {
+ is_samba_account = TRUE;
+ } else if (strcasecmp(values[i], structural_object) == 0) {
+ is_account = TRUE;
+ } else if (strcasecmp(values[i], "krb5Principal") == 0) {
+ is_heimdal_principal = TRUE;
+ } else if (strcasecmp(values[i], "krb5KDCEntry") == 0) {
+ is_heimdal_entry = TRUE;
+ }
+ }
+ ldap_value_free(values);
+ }
+
+ /*
+ * If this is just a "account" entry and no other objectclass
+ * is hanging on this entry, its really a new entry.
+ */
+ if (is_samba_account == FALSE && is_heimdal_principal == FALSE &&
+ is_heimdal_entry == FALSE) {
+ if (is_account == TRUE) {
+ is_new_entry = TRUE;
+ } else {
+ ret = HDB_ERR_NOENTRY;
+ goto out;
+ }
+ }
+ } else
+ is_new_entry = TRUE;
+
+ if (is_new_entry) {
+
/* to make it perfectly obvious we're depending on
* orig being intiialized to zero */
memset(&orig, 0, sizeof(orig));
- is_new_entry = TRUE;
- }
- if (is_new_entry) {
ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top");
- if (ret != 0) {
- goto out;
- }
- /* person is the structural object class */
- ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "person");
- if (ret != 0) {
+ if (ret)
goto out;
+
+ /* account is the structural object class */
+ if (is_account == FALSE) {
+ ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
+ structural_object);
+ is_account = TRUE;
+ if (ret)
+ goto out;
}
- ret =
- LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
- "krb5Principal");
- if (ret != 0) {
+
+ ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5Principal");
+ is_heimdal_principal = TRUE;
+ if (ret)
goto out;
- }
- ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
- "krb5KDCEntry");
- if (ret != 0) {
+
+ ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5KDCEntry");
+ is_heimdal_entry = TRUE;
+ if (ret)
goto out;
- }
}
- if (is_new_entry ||
- krb5_principal_compare(context, ent->principal, orig.principal) ==
- FALSE) {
- ret = krb5_unparse_name(context, ent->principal, &tmp);
- if (ret != 0) {
- goto out;
+ if (is_new_entry ||
+ krb5_principal_compare(context, ent->principal, orig.principal)
+ == FALSE)
+ {
+ if (is_heimdal_principal || is_heimdal_entry) {
+
+ ret = krb5_unparse_name(context, ent->principal, &tmp);
+ if (ret)
+ goto out;
+
+ ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE,
+ "krb5PrincipalName", tmp);
+ if (ret) {
+ free(tmp);
+ goto out;
+ }
+ free(tmp);
}
- ret =
- LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5PrincipalName", tmp);
- if (ret != 0) {
+
+ if (is_account || is_samba_account) {
+ ret = krb5_unparse_name_short(context, ent->principal, &tmp);
+ if (ret)
+ goto out;
+ ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp);
+ if (ret) {
+ free(tmp);
+ goto out;
+ }
free(tmp);
- goto out;
}
- free(tmp);
}
- if (ent->kvno != orig.kvno) {
- rc = asprintf(&tmp, "%d", ent->kvno);
- if (rc < 0) {
- ret = ENOMEM;
+ if (is_heimdal_entry && (ent->kvno != orig.kvno || is_new_entry)) {
+ ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
+ "krb5KeyVersionNumber",
+ ent->kvno);
+ if (ret)
goto out;
- }
- ret =
- LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5KeyVersionNumber",
- tmp);
- free(tmp);
- if (ret != 0) {
- goto out;
- }
}
- if (ent->valid_start) {
+ if (is_heimdal_entry && ent->valid_start) {
if (orig.valid_end == NULL
|| (*(ent->valid_start) != *(orig.valid_start))) {
- ret =
- LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
- "krb5ValidStart",
- ent->valid_start);
- if (ret != 0) {
+ ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
+ "krb5ValidStart",
+ ent->valid_start);
+ if (ret)
goto out;
- }
}
}
if (ent->valid_end) {
- if (orig.valid_end == NULL
- || (*(ent->valid_end) != *(orig.valid_end))) {
- ret =
- LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
- "krb5ValidEnd",
- ent->valid_end);
- if (ret != 0) {
- goto out;
+ if (orig.valid_end == NULL || (*(ent->valid_end) != *(orig.valid_end))) {
+ if (is_heimdal_entry) {
+ ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
+ "krb5ValidEnd",
+ ent->valid_end);
+ if (ret)
+ goto out;
+ }
+ if (is_samba_account) {
+ ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
+ "sambaKickoffTime",
+ *(ent->valid_end));
+ if (ret)
+ goto out;
}
- }
+ }
}
if (ent->pw_end) {
if (orig.pw_end == NULL || (*(ent->pw_end) != *(orig.pw_end))) {
- ret =
- LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
- "krb5PasswordEnd",
- ent->pw_end);
- if (ret != 0) {
- goto out;
+ if (is_heimdal_entry) {
+ ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
+ "krb5PasswordEnd",
+ ent->pw_end);
+ if (ret)
+ goto out;
+ }
+
+ if (is_samba_account) {
+ ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
+ "sambaPwdMustChange",
+ *(ent->pw_end));
+ if (ret)
+ goto out;
}
}
}
- if (ent->max_life) {
+
+#if 0 /* we we have last_pw_change */
+ if (is_samba_account && ent->last_pw_change) {
+ if (orig.last_pw_change == NULL || (*(ent->last_pw_change) != *(orig.last_pw_change))) {
+ ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
+ "sambaPwdLastSet",
+ *(ent->last_pw_change));
+ if (ret)
+ goto out;
+ }
+ }
+#endif
+
+ if (is_heimdal_entry && ent->max_life) {
if (orig.max_life == NULL
|| (*(ent->max_life) != *(orig.max_life))) {
- rc = asprintf(&tmp, "%d", *(ent->max_life));
- if (rc < 0) {
- ret = ENOMEM;
- goto out;
- }
- ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5MaxLife", tmp);
- free(tmp);
- if (ret != 0) {
+
+ ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
+ "krb5MaxLife",
+ *(ent->max_life));
+ if (ret)
goto out;
- }
}
}
- if (ent->max_renew) {
+ if (is_heimdal_entry && ent->max_renew) {
if (orig.max_renew == NULL
|| (*(ent->max_renew) != *(orig.max_renew))) {
- rc = asprintf(&tmp, "%d", *(ent->max_renew));
- if (rc < 0) {
- ret = ENOMEM;
- goto out;
- }
- ret =
- LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5MaxRenew", tmp);
- free(tmp);
- if (ret != 0) {
+
+ ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
+ "krb5MaxRenew",
+ *(ent->max_renew));
+ if (ret)
goto out;
- }
}
}
- memset(&oflags, 0, sizeof(oflags));
- memcpy(&oflags, &orig.flags, sizeof(HDBFlags));
- memset(&nflags, 0, sizeof(nflags));
- memcpy(&nflags, &ent->flags, sizeof(HDBFlags));
+ oflags = HDBFlags2int(orig.flags);
+ nflags = HDBFlags2int(ent->flags);
- if (memcmp(&oflags, &nflags, sizeof(HDBFlags))) {
- rc = asprintf(&tmp, "%lu", nflags);
- if (rc < 0) {
- ret = ENOMEM;
- goto out;
- }
- ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5KDCFlags", tmp);
- free(tmp);
- if (ret != 0) {
+ if (is_heimdal_entry && oflags != nflags) {
+
+ ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
+ "krb5KDCFlags",
+ nflags);
+ if (ret)
goto out;
- }
}
- if (is_new_entry == FALSE && orig.keys.len > 0) {
- /* for the moment, clobber and replace keys. */
- ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);
- if (ret != 0) {
- goto out;
+ /* Remove keys if they exists, and then replace keys. */
+ if (!is_new_entry && orig.keys.len > 0) {
+ values = ldap_get_values(HDB2LDAP(db), msg, "krb5Key");
+ if (values) {
+ ldap_value_free(values);
+
+ ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);
+ if (ret)
+ goto out;
}
}
for (i = 0; i < ent->keys.len; i++) {
- unsigned char *buf;
- size_t len;
- Key new;
- ret = copy_Key(&ent->keys.val[i], &new);
- if (ret != 0) {
- goto out;
- }
-
- len = length_Key(&new);
- buf = malloc(len);
- if (buf == NULL) {
- ret = ENOMEM;
- free_Key(&new);
- goto out;
- }
+ if (is_samba_account
+ && ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
+ char *ntHexPassword;
+ char *nt;
+
+ /* the key might have been 'sealed', but samba passwords
+ are clear in the directory */
+ ret = hdb_unseal_key(context, db, &ent->keys.val[i]);
+ if (ret)
+ goto out;
+
+ nt = ent->keys.val[i].key.keyvalue.data;
+ /* store in ntPassword, not krb5key */
+ ret = hex_encode(nt, 16, &ntHexPassword);
+ if (ret < 0) {
+ krb5_set_error_string(context, "hdb-ldap: failed to "
+ "hex encode key");
+ ret = ENOMEM;
+ goto out;
+ }
+ ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "sambaNTPassword",
+ ntHexPassword);
+ free(ntHexPassword);
+ if (ret)
+ goto out;
+
+ /* have to kill the LM passwod if it exists */
+ values = ldap_get_values(HDB2LDAP(db), msg, "sambaLMPassword");
+ if (values) {
+ ldap_value_free(values);
+ ret = LDAP_addmod(&mods, LDAP_MOD_DELETE,
+ "sambaLMPassword", NULL);
+ if (ret)
+ goto out;
+ }
+
+ } else if (is_heimdal_entry) {
+ unsigned char *buf;
+ size_t len, buf_size;
- ret = encode_Key(buf + len - 1, len, &new, &len);
- if (ret != 0) {
- free(buf);
- free_Key(&new);
- goto out;
- }
- free_Key(&new);
+ ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->keys.val[i], &len, ret);
+ if (ret)
+ goto out;
+ if(buf_size != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
- /* addmod_len _owns_ the key, doesn't need to copy it */
- ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
- if (ret != 0) {
- goto out;
+ /* addmod_len _owns_ the key, doesn't need to copy it */
+ ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
+ if (ret)
+ goto out;
}
}
if (ent->etypes) {
/* clobber and replace encryption types. */
- if (is_new_entry == FALSE) {
- ret =
- LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
- NULL);
+ if (!is_new_entry) {
+ values = ldap_get_values(HDB2LDAP(db), msg, "krb5EncryptionType");
+ if (values) {
+ ldap_value_free(values);
+ ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
+ NULL);
+ if (ret)
+ goto out;
+ }
}
for (i = 0; i < ent->etypes->len; i++) {
- rc = asprintf(&tmp, "%d", ent->etypes->val[i]);
- if (rc < 0) {
- ret = ENOMEM;
- goto out;
- }
- free(tmp);
- ret =
- LDAP_addmod(&mods, LDAP_MOD_ADD, "krb5EncryptionType",
- tmp);
- if (ret != 0) {
- goto out;
+ if (is_samba_account &&
+ ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
+ {
+ ;
+ } else if (is_heimdal_entry) {
+ ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
+ "krb5EncryptionType",
+ ent->etypes->val[i]);
+ if (ret)
+ goto out;
}
}
}
@@ -503,18 +695,17 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent,
/* for clarity */
ret = 0;
- out:
+ out:
- if (ret == 0) {
+ if (ret == 0)
*pmods = mods;
- } else if (mods != NULL) {
+ else if (mods != NULL) {
ldap_mods_free(mods, 1);
*pmods = NULL;
}
- if (msg != NULL) {
+ if (msg)
hdb_free_entry(context, &orig);
- }
return ret;
}
@@ -528,24 +719,27 @@ LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,
char **values;
LDAPMessage *res = NULL, *e;
- rc = 1;
- (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, &rc);
- rc = ldap_search_s((LDAP *) db->db, db->name, LDAP_SCOPE_BASE,
- "(objectclass=krb5Principal)", krb5principal_attrs,
- 0, &res);
+ ret = LDAP_no_size_limit(context, HDB2LDAP(db));
+ if (ret)
+ goto out;
- if (rc != LDAP_SUCCESS) {
+ rc = ldap_search_s(HDB2LDAP(db), dn, LDAP_SCOPE_SUBTREE,
+ "(objectClass=krb5Principal)", krb5principal_attrs,
+ 0, &res);
+ if (check_ldap(context, db, rc)) {
+ krb5_set_error_string(context, "ldap_search_s: %s",
+ ldap_err2string(rc));
ret = HDB_ERR_NOENTRY;
goto out;
}
- e = ldap_first_entry((LDAP *) db->db, res);
+ e = ldap_first_entry(HDB2LDAP(db), res);
if (e == NULL) {
ret = HDB_ERR_NOENTRY;
goto out;
}
- values = ldap_get_values((LDAP *) db->db, e, "krb5PrincipalName");
+ values = ldap_get_values(HDB2LDAP(db), e, "krb5PrincipalName");
if (values == NULL) {
ret = HDB_ERR_NOENTRY;
goto out;
@@ -555,47 +749,84 @@ LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,
ldap_value_free(values);
out:
- if (res != NULL) {
+ if (res)
ldap_msgfree(res);
- }
+
return ret;
}
static krb5_error_code
-LDAP__lookup_princ(krb5_context context, HDB * db, const char *princname,
- LDAPMessage ** msg)
+LDAP__lookup_princ(krb5_context context,
+ HDB *db,
+ const char *princname,
+ const char *userid,
+ LDAPMessage **msg)
{
krb5_error_code ret;
int rc;
char *filter = NULL;
- (void) LDAP__connect(context, db);
+ ret = LDAP__connect(context, db);
+ if (ret)
+ return ret;
- rc =
- asprintf(&filter,
- "(&(objectclass=krb5KDCEntry)(krb5PrincipalName=%s))",
- princname);
+ rc = asprintf(&filter,
+ "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))",
+ princname);
if (rc < 0) {
+ krb5_set_error_string(context, "asprintf: out of memory");
ret = ENOMEM;
goto out;
}
- rc = 1;
- (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (void *) &rc);
+ ret = LDAP_no_size_limit(context, HDB2LDAP(db));
+ if (ret)
+ goto out;
- rc = ldap_search_s((LDAP *) db->db, db->name, LDAP_SCOPE_ONELEVEL, filter,
+ rc = ldap_search_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE, filter,
krb5kdcentry_attrs, 0, msg);
- if (rc != LDAP_SUCCESS) {
+ if (check_ldap(context, db, rc)) {
+ krb5_set_error_string(context, "ldap_search_s: %s",
+ ldap_err2string(rc));
ret = HDB_ERR_NOENTRY;
goto out;
}
+ if (userid && ldap_count_entries(HDB2LDAP(db), *msg) == 0) {
+ free(filter);
+ filter = NULL;
+ ldap_msgfree(*msg);
+ *msg = NULL;
+
+ rc = asprintf(&filter,
+ "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))",
+ structural_object, userid);
+ if (rc < 0) {
+ krb5_set_error_string(context, "asprintf: out of memory");
+ ret = ENOMEM;
+ goto out;
+ }
+
+ ret = LDAP_no_size_limit(context, HDB2LDAP(db));
+ if (ret)
+ goto out;
+
+ rc = ldap_search_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE,
+ filter, krb5kdcentry_attrs, 0, msg);
+ if (check_ldap(context, db, rc)) {
+ krb5_set_error_string(context, "ldap_search_s: %s",
+ ldap_err2string(rc));
+ ret = HDB_ERR_NOENTRY;
+ goto out;
+ }
+ }
+
ret = 0;
out:
- if (filter != NULL) {
+ if (filter)
free(filter);
- }
+
return ret;
}
@@ -603,16 +834,37 @@ static krb5_error_code
LDAP_principal2message(krb5_context context, HDB * db,
krb5_principal princ, LDAPMessage ** msg)
{
- char *princname = NULL;
+ char *name, *name_short = NULL;
krb5_error_code ret;
+ krb5_realm *r, *r0;
+
+ *msg = NULL;
- ret = krb5_unparse_name(context, princ, &princname);
- if (ret != 0) {
+ ret = krb5_unparse_name(context, princ, &name);
+ if (ret)
+ return ret;
+
+ ret = krb5_get_default_realms(context, &r0);
+ if(ret) {
+ free(name);
return ret;
}
+ for (r = r0; *r != NULL; r++) {
+ if(strcmp(krb5_principal_get_realm(context, princ), *r) == 0) {
+ ret = krb5_unparse_name_short(context, princ, &name_short);
+ if (ret) {
+ krb5_free_host_realm(context, r0);
+ free(name);
+ return ret;
+ }
+ break;
+ }
+ }
+ krb5_free_host_realm(context, r0);
- ret = LDAP__lookup_princ(context, db, princname, msg);
- free(princname);
+ ret = LDAP__lookup_princ(context, db, name, name_short, msg);
+ free(name);
+ free(name_short);
return ret;
}
@@ -624,41 +876,53 @@ static krb5_error_code
LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
hdb_entry * ent)
{
- char *unparsed_name = NULL, *dn = NULL;
+ char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL;
+ char *samba_acct_flags = NULL;
int ret;
unsigned long tmp;
struct berval **keys;
char **values;
+ int tmp_time;
memset(ent, 0, sizeof(*ent));
- memset(&ent->flags, 0, sizeof(HDBFlags));
+ ent->flags = int2HDBFlags(0);
- ret =
- LDAP_get_string_value(db, msg, "krb5PrincipalName",
- &unparsed_name);
- if (ret != 0) {
- return ret;
- }
-
- ret = krb5_parse_name(context, unparsed_name, &ent->principal);
- if (ret != 0) {
- goto out;
+ ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name);
+ if (ret == 0) {
+ ret = krb5_parse_name(context, unparsed_name, &ent->principal);
+ if (ret)
+ goto out;
+ } else {
+ ret = LDAP_get_string_value(db, msg, "uid",
+ &unparsed_name);
+ if (ret == 0) {
+ ret = krb5_parse_name(context, unparsed_name, &ent->principal);
+ if (ret)
+ goto out;
+ } else {
+ krb5_set_error_string(context, "hdb-ldap: ldap entry missing"
+ "principal name");
+ return HDB_ERR_NOENTRY;
+ }
}
- ret =
- LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
- &ent->kvno);
- if (ret != 0) {
+ ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
+ &ent->kvno);
+ if (ret)
ent->kvno = 0;
- }
- keys = ldap_get_values_len((LDAP *) db->db, msg, "krb5Key");
+ keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
if (keys != NULL) {
int i;
size_t l;
ent->keys.len = ldap_count_values_len(keys);
ent->keys.val = (Key *) calloc(ent->keys.len, sizeof(Key));
+ if (ent->keys.val == NULL) {
+ krb5_set_error_string(context, "calloc: out of memory");
+ ret = ENOMEM;
+ goto out;
+ }
for (i = 0; i < ent->keys.len; i++) {
decode_Key((unsigned char *) keys[i]->bv_val,
(size_t) keys[i]->bv_len, &ent->keys.val[i], &l);
@@ -679,13 +943,85 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
#endif
}
- ret =
- LDAP_get_generalized_time_value(db, msg, "createTimestamp",
- &ent->created_by.time);
- if (ret != 0) {
- ent->created_by.time = time(NULL);
+ values = ldap_get_values(HDB2LDAP(db), msg, "krb5EncryptionType");
+ if (values != NULL) {
+ int i;
+
+ ent->etypes = malloc(sizeof(*(ent->etypes)));
+ if (ent->etypes == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ ret = ENOMEM;
+ goto out;
+ }
+ ent->etypes->len = ldap_count_values(values);
+ ent->etypes->val = calloc(ent->etypes->len, sizeof(int));
+ if (ent->etypes->val == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ ret = ENOMEM;
+ goto out;
+ }
+ for (i = 0; i < ent->etypes->len; i++) {
+ ent->etypes->val[i] = atoi(values[i]);
+ }
+ ldap_value_free(values);
}
+ /* manually construct the NT (type 23) key */
+ ret = LDAP_get_string_value(db, msg, "sambaNTPassword", &ntPasswordIN);
+ if (ret == 0) {
+ int *etypes;
+ Key *keys;
+
+ keys = realloc(ent->keys.val,
+ (ent->keys.len + 1) * sizeof(ent->keys.val[0]));
+ if (keys == NULL) {
+ free(ntPasswordIN);
+ krb5_set_error_string(context, "malloc: out of memory");
+ ret = ENOMEM;
+ goto out;
+ }
+ ent->keys.val = keys;
+ memset(&ent->keys.val[ent->keys.len], 0, sizeof(Key));
+ ent->keys.val[ent->keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
+ ret = krb5_data_alloc (&ent->keys.val[ent->keys.len].key.keyvalue, 16);
+ if (ret) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ free(ntPasswordIN);
+ ret = ENOMEM;
+ goto out;
+ }
+ ret = hex_decode(ntPasswordIN,
+ ent->keys.val[ent->keys.len].key.keyvalue.data, 16);
+ ent->keys.len++;
+
+ if (ent->etypes == NULL) {
+ ent->etypes = malloc(sizeof(*(ent->etypes)));
+ if (ent->etypes == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ ret = ENOMEM;
+ goto out;
+ }
+ ent->etypes->val = NULL;
+ ent->etypes->len = 0;
+ }
+
+ etypes = realloc(ent->etypes->val,
+ (ent->etypes->len + 1) * sizeof(ent->etypes->val[0]));
+ if (etypes == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ ret = ENOMEM;
+ goto out;
+ }
+ ent->etypes->val = etypes;
+ ent->etypes->val[ent->etypes->len] = ETYPE_ARCFOUR_HMAC_MD5;
+ ent->etypes->len++;
+ }
+
+ ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp",
+ &ent->created_by.time);
+ if (ret)
+ ent->created_by.time = time(NULL);
+
ent->created_by.principal = NULL;
ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);
@@ -699,136 +1035,246 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
ent->modified_by = (Event *) malloc(sizeof(Event));
if (ent->modified_by == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
ret = ENOMEM;
goto out;
}
- ret =
- LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
- &ent->modified_by->time);
+ ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
+ &ent->modified_by->time);
if (ret == 0) {
ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);
- if (LDAP_dn2principal
- (context, db, dn, &ent->modified_by->principal) != 0) {
+ if (LDAP_dn2principal(context, db, dn, &ent->modified_by->principal))
ent->modified_by->principal = NULL;
- }
free(dn);
} else {
free(ent->modified_by);
ent->modified_by = NULL;
}
- if ((ent->valid_start = (KerberosTime *) malloc(sizeof(KerberosTime)))
- == NULL) {
+ ent->valid_start = malloc(sizeof(*ent->valid_start));
+ if (ent->valid_start == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
ret = ENOMEM;
goto out;
}
- ret =
- LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
- ent->valid_start);
- if (ret != 0) {
+ ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
+ ent->valid_start);
+ if (ret) {
/* OPTIONAL */
free(ent->valid_start);
ent->valid_start = NULL;
}
-
- if ((ent->valid_end = (KerberosTime *) malloc(sizeof(KerberosTime))) ==
- NULL) {ret = ENOMEM;
+
+ ent->valid_end = malloc(sizeof(*ent->valid_end));
+ if (ent->valid_end == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ ret = ENOMEM;
goto out;
}
- ret =
- LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
- ent->valid_end);
- if (ret != 0) {
+ ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
+ ent->valid_end);
+ if (ret) {
/* OPTIONAL */
free(ent->valid_end);
ent->valid_end = NULL;
}
- if ((ent->pw_end = (KerberosTime *) malloc(sizeof(KerberosTime))) ==
- NULL) {ret = ENOMEM;
+ ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time);
+ if (ret == 0) {
+ if (ent->valid_end == NULL) {
+ ent->valid_end = malloc(sizeof(*ent->valid_end));
+ if (ent->valid_end == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ ret = ENOMEM;
+ goto out;
+ }
+ }
+ *ent->valid_end = tmp_time;
+ }
+
+ ent->pw_end = malloc(sizeof(*ent->pw_end));
+ if (ent->pw_end == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ ret = ENOMEM;
goto out;
}
- ret =
- LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
- ent->pw_end);
- if (ret != 0) {
+ ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
+ ent->pw_end);
+ if (ret) {
/* OPTIONAL */
free(ent->pw_end);
ent->pw_end = NULL;
}
- ent->max_life = (int *) malloc(sizeof(int));
+ ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);
+ if (ret == 0) {
+ if (ent->pw_end == NULL) {
+ ent->pw_end = malloc(sizeof(*ent->pw_end));
+ if (ent->pw_end == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ ret = ENOMEM;
+ goto out;
+ }
+ }
+ *ent->pw_end = tmp_time;
+ }
+
+#if 0 /* we we have last_pw_change */
+ ent->last_pw_change = malloc(sizeof(*ent->last_pw_change));
+ if (ent->last_pw_change == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ ret = ENOMEM;
+ goto out;
+ }
+ ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet",
+ &tmp_time);
+ if (ret) {
+ /* OPTIONAL */
+ free(ent->last_pw_change);
+ ent->last_pw_change = NULL;
+ } else
+ *ent->last_pw_change = tmp_time;
+#endif
+
+ ent->max_life = malloc(sizeof(*ent->max_life));
if (ent->max_life == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
ret = ENOMEM;
goto out;
}
ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", ent->max_life);
- if (ret != 0) {
+ if (ret) {
free(ent->max_life);
ent->max_life = NULL;
}
- ent->max_renew = (int *) malloc(sizeof(int));
+ ent->max_renew = malloc(sizeof(*ent->max_renew));
if (ent->max_renew == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
ret = ENOMEM;
goto out;
}
ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", ent->max_renew);
- if (ret != 0) {
+ if (ret) {
free(ent->max_renew);
ent->max_renew = NULL;
}
- values = ldap_get_values((LDAP *) db->db, msg, "krb5KDCFlags");
+ values = ldap_get_values(HDB2LDAP(db), msg, "krb5KDCFlags");
if (values != NULL) {
+ errno = 0;
tmp = strtoul(values[0], (char **) NULL, 10);
if (tmp == ULONG_MAX && errno == ERANGE) {
+ krb5_set_error_string(context, "strtoul: could not convert flag");
ret = ERANGE;
goto out;
}
} else {
tmp = 0;
}
- memcpy(&ent->flags, &tmp, sizeof(HDBFlags));
- values = ldap_get_values((LDAP *) db->db, msg, "krb5EncryptionType");
- if (values != NULL) {
+ ent->flags = int2HDBFlags(tmp);
+
+ /* Try and find Samba flags to put into the mix */
+ ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags);
+ if (ret == 0) {
+ /* parse the [UXW...] string:
+
+ 'N' No password
+ 'D' Disabled
+ 'H' Homedir required
+ 'T' Temp account.
+ 'U' User account (normal)
+ 'M' MNS logon user account - what is this ?
+ 'W' Workstation account
+ 'S' Server account
+ 'L' Locked account
+ 'X' No Xpiry on password
+ 'I' Interdomain trust account
+
+ */
+
int i;
+ int flags_len = strlen(samba_acct_flags);
- ent->etypes = malloc(sizeof(*(ent->etypes)));
- if (ent->etypes == NULL) {
- ret = ENOMEM;
- goto out;
- }
- ent->etypes->len = ldap_count_values(values);
- ent->etypes->val = calloc(ent->etypes->len, sizeof(int));
- for (i = 0; i < ent->etypes->len; i++) {
- ent->etypes->val[i] = atoi(values[i]);
+ if (flags_len < 2)
+ goto out2;
+
+ if (samba_acct_flags[0] != '['
+ || samba_acct_flags[flags_len - 1] != ']')
+ goto out2;
+
+ /* Allow forwarding */
+ if (samba_forwardable)
+ ent->flags.forwardable = TRUE;
+
+ for (i=0; i < flags_len; i++) {
+ switch (samba_acct_flags[i]) {
+ case ' ':
+ case '[':
+ case ']':
+ break;
+ case 'N':
+ /* how to handle no password in kerberos? */
+ break;
+ case 'D':
+ ent->flags.invalid = TRUE;
+ break;
+ case 'H':
+ break;
+ case 'T':
+ /* temp duplicate */
+ ent->flags.invalid = TRUE;
+ break;
+ case 'U':
+ ent->flags.client = TRUE;
+ break;
+ case 'M':
+ break;
+ case 'W':
+ case 'S':
+ ent->flags.server = TRUE;
+ ent->flags.client = TRUE;
+ break;
+ case 'L':
+ ent->flags.invalid = TRUE;
+ break;
+ case 'X':
+ if (ent->pw_end) {
+ free(ent->pw_end);
+ ent->pw_end = NULL;
+ }
+ break;
+ case 'I':
+ ent->flags.server = TRUE;
+ ent->flags.client = TRUE;
+ break;
+ }
}
- ldap_value_free(values);
+ out2:
+ free(samba_acct_flags);
}
ret = 0;
- out:
- if (unparsed_name != NULL) {
+ out:
+ if (unparsed_name)
free(unparsed_name);
- }
- if (ret != 0) {
- /* I don't think this frees ent itself. */
+ if (ret)
hdb_free_entry(context, ent);
- }
return ret;
}
-static krb5_error_code LDAP_close(krb5_context context, HDB * db)
+static krb5_error_code
+LDAP_close(krb5_context context, HDB * db)
{
- LDAP *ld = (LDAP *) db->db;
-
- ldap_unbind(ld);
- db->db = NULL;
+ if (HDB2LDAP(db)) {
+ ldap_unbind_ext(HDB2LDAP(db), NULL, NULL);
+ ((struct hdbldapdb *)db->hdb_db)->h_lp = NULL;
+ }
+
return 0;
}
@@ -838,7 +1284,8 @@ LDAP_lock(krb5_context context, HDB * db, int operation)
return 0;
}
-static krb5_error_code LDAP_unlock(krb5_context context, HDB * db)
+static krb5_error_code
+LDAP_unlock(krb5_context context, HDB * db)
{
return 0;
}
@@ -850,14 +1297,17 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry)
krb5_error_code ret;
LDAPMessage *e;
- msgid = db->openp; /* BOGUS OVERLOADING */
- if (msgid < 0) {
+ msgid = HDB2MSGID(db);
+ if (msgid < 0)
return HDB_ERR_NOENTRY;
- }
do {
- rc = ldap_result((LDAP *) db->db, msgid, LDAP_MSG_ONE, NULL, &e);
+ rc = ldap_result(HDB2LDAP(db), msgid, LDAP_MSG_ONE, NULL, &e);
switch (rc) {
+ case LDAP_RES_SEARCH_REFERENCE:
+ ldap_msgfree(e);
+ ret = 0;
+ break;
case LDAP_RES_SEARCH_ENTRY:
/* We have an entry. Parse it. */
ret = LDAP_message2entry(context, db, e, entry);
@@ -866,29 +1316,35 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry)
case LDAP_RES_SEARCH_RESULT:
/* We're probably at the end of the results. If not, abandon. */
parserc =
- ldap_parse_result((LDAP *) db->db, e, NULL, NULL, NULL,
+ ldap_parse_result(HDB2LDAP(db), e, NULL, NULL, NULL,
NULL, NULL, 1);
if (parserc != LDAP_SUCCESS
&& parserc != LDAP_MORE_RESULTS_TO_RETURN) {
- ldap_abandon((LDAP *) db->db, msgid);
+ krb5_set_error_string(context, "ldap_parse_result: %s",
+ ldap_err2string(parserc));
+ ldap_abandon(HDB2LDAP(db), msgid);
}
ret = HDB_ERR_NOENTRY;
- db->openp = -1;
+ HDBSETMSGID(db, -1);
+ break;
+ case LDAP_SERVER_DOWN:
+ ldap_msgfree(e);
+ LDAP_close(context, db);
+ HDBSETMSGID(db, -1);
+ ret = ENETDOWN;
break;
- case 0:
- case -1:
default:
/* Some unspecified error (timeout?). Abandon. */
ldap_msgfree(e);
- ldap_abandon((LDAP *) db->db, msgid);
+ ldap_abandon(HDB2LDAP(db), msgid);
ret = HDB_ERR_NOENTRY;
- db->openp = -1;
+ HDBSETMSGID(db, -1);
break;
}
} while (rc == LDAP_RES_SEARCH_REFERENCE);
if (ret == 0) {
- if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+ if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys(context, db, entry);
if (ret)
hdb_free_entry(context,entry);
@@ -899,24 +1355,28 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry)
}
static krb5_error_code
-LDAP_firstkey(krb5_context context, HDB * db, unsigned flags,
- hdb_entry * entry)
+LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
+ hdb_entry *entry)
{
+ krb5_error_code ret;
int msgid;
- (void) LDAP__connect(context, db);
+ ret = LDAP__connect(context, db);
+ if (ret)
+ return ret;
- msgid = LDAP_NO_LIMIT;
- (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, &msgid);
+ ret = LDAP_no_size_limit(context, HDB2LDAP(db));
+ if (ret)
+ return ret;
- msgid = ldap_search((LDAP *) db->db, db->name,
- LDAP_SCOPE_ONELEVEL, "(objectclass=krb5KDCEntry)",
+ msgid = ldap_search(HDB2LDAP(db), HDB2BASE(db),
+ LDAP_SCOPE_SUBTREE,
+ "(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))",
krb5kdcentry_attrs, 0);
- if (msgid < 0) {
+ if (msgid < 0)
return HDB_ERR_NOENTRY;
- }
- db->openp = msgid;
+ HDBSETMSGID(db, msgid);
return LDAP_seq(context, db, flags, entry);
}
@@ -934,159 +1394,79 @@ LDAP_rename(krb5_context context, HDB * db, const char *new_name)
return HDB_ERR_DB_INUSE;
}
-static krb5_boolean LDAP__is_user_namingcontext(const char *ctx,
- char *const *subschema)
-{
- char *const *p;
-
- if (!strcasecmp(ctx, "CN=MONITOR")
- || !strcasecmp(ctx, "CN=CONFIG")) {
- return FALSE;
- }
-
- if (subschema != NULL) {
- for (p = subschema; *p != NULL; p++) {
- if (!strcasecmp(ctx, *p)) {
- return FALSE;
- }
- }
- }
-
- return TRUE;
-}
-
-static krb5_error_code LDAP__connect(krb5_context context, HDB * db)
+static krb5_error_code
+LDAP__connect(krb5_context context, HDB * db)
{
- int rc;
- krb5_error_code ret;
- char *attrs[] = { "namingContexts", "subschemaSubentry", NULL };
- LDAPMessage *res = NULL, *e;
-
- if (db->db != NULL) {
+ int rc, version = LDAP_VERSION3;
+ /*
+ * Empty credentials to do a SASL bind with LDAP. Note that empty
+ * different from NULL credentials. If you provide NULL
+ * credentials instead of empty credentials you will get a SASL
+ * bind in progress message.
+ */
+ struct berval bv = { 0, "" };
+
+ if (HDB2LDAP(db)) {
/* connection has been opened. ping server. */
struct sockaddr_un addr;
- socklen_t len;
+ socklen_t len = sizeof(addr);
int sd;
- if (ldap_get_option((LDAP *) db->db, LDAP_OPT_DESC, &sd) == 0 &&
+ if (ldap_get_option(HDB2LDAP(db), LDAP_OPT_DESC, &sd) == 0 &&
getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
/* the other end has died. reopen. */
LDAP_close(context, db);
}
}
- if (db->db != NULL) {
- /* server is UP */
+ if (HDB2LDAP(db) != NULL) /* server is UP */
return 0;
- }
- rc = ldap_initialize((LDAP **) & db->db, "ldapi:///");
+ rc = ldap_initialize(&((struct hdbldapdb *)db->hdb_db)->h_lp, "ldapi:///");
if (rc != LDAP_SUCCESS) {
+ krb5_set_error_string(context, "ldap_initialize: %s",
+ ldap_err2string(rc));
return HDB_ERR_NOENTRY;
}
- rc = LDAP_VERSION3;
- (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_PROTOCOL_VERSION, &rc);
-
- /* XXX set db->name to the search base */
- rc = ldap_search_s((LDAP *) db->db, "", LDAP_SCOPE_BASE,
- "(objectclass=*)", attrs, 0, &res);
+ rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_PROTOCOL_VERSION,
+ (const void *)&version);
if (rc != LDAP_SUCCESS) {
- ret = HDB_ERR_BADVERSION;
- goto out;
- }
-
- e = ldap_first_entry((LDAP *) db->db, res);
- if (e == NULL) {
- ret = HDB_ERR_NOENTRY;
- goto out;
+ krb5_set_error_string(context, "ldap_set_option: %s",
+ ldap_err2string(rc));
+ LDAP_close(context, db);
+ return HDB_ERR_BADVERSION;
}
- if (db->name == NULL) {
- char **contexts = NULL, **schema_contexts, **p;
-
- contexts = ldap_get_values((LDAP *) db->db, e, "namingContexts");
- if (contexts == NULL) {
- ret = HDB_ERR_NOENTRY;
- goto out;
- }
-
- schema_contexts =
- ldap_get_values((LDAP *) db->db, e, "subschemaSubentry");
-
- if (db->name != NULL) {
- free(db->name);
- db->name = NULL;
- }
-
- for (p = contexts; *p != NULL; p++) {
- if (LDAP__is_user_namingcontext(*p, schema_contexts)) {
- break;
- }
- }
-
- db->name = strdup(*p);
- if (db->name == NULL) {
- ldap_value_free(contexts);
- ret = ENOMEM;
- goto out;
- }
-
- ldap_value_free(contexts);
- if (schema_contexts != NULL) {
- ldap_value_free(schema_contexts);
- }
- }
-
- ret = 0;
-
- out:
-
- if (res != NULL) {
- ldap_msgfree(res);
- }
-
- if (ret != 0) {
- if (db->db != NULL) {
- ldap_unbind((LDAP *) db->db);
- db->db = NULL;
- }
+ rc = ldap_sasl_bind_s(HDB2LDAP(db), NULL, "EXTERNAL", &bv,
+ NULL, NULL, NULL);
+ if (rc != LDAP_SUCCESS) {
+ krb5_set_error_string(context, "ldap_sasl_bind_s: %s",
+ ldap_err2string(rc));
+ LDAP_close(context, db);
+ return HDB_ERR_BADVERSION;
}
- return ret;
+ return 0;
}
static krb5_error_code
LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)
{
- krb5_error_code ret;
-
/* Not the right place for this. */
#ifdef HAVE_SIGACTION
- {
- struct sigaction sa;
+ struct sigaction sa;
- sa.sa_flags = 0;
- sa.sa_handler = SIG_IGN;
- sigemptyset(&sa.sa_mask);
+ sa.sa_flags = 0;
+ sa.sa_handler = SIG_IGN;
+ sigemptyset(&sa.sa_mask);
- sigaction(SIGPIPE, &sa, NULL);
- }
+ sigaction(SIGPIPE, &sa, NULL);
#else
signal(SIGPIPE, SIG_IGN);
-#endif
-
- if (db->name != NULL) {
- free(db->name);
- db->name = NULL;
- }
+#endif /* HAVE_SIGACTION */
- ret = LDAP__connect(context, db);
- if (ret != 0) {
- return ret;
- }
-
- return ret;
+ return LDAP__connect(context, db);
}
static krb5_error_code
@@ -1097,11 +1477,10 @@ LDAP_fetch(krb5_context context, HDB * db, unsigned flags,
krb5_error_code ret;
ret = LDAP_principal2message(context, db, entry->principal, &msg);
- if (ret != 0) {
+ if (ret)
return ret;
- }
- e = ldap_first_entry((LDAP *) db->db, msg);
+ e = ldap_first_entry(HDB2LDAP(db), msg);
if (e == NULL) {
ret = HDB_ERR_NOENTRY;
goto out;
@@ -1109,7 +1488,7 @@ LDAP_fetch(krb5_context context, HDB * db, unsigned flags,
ret = LDAP_message2entry(context, db, e, entry);
if (ret == 0) {
- if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+ if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys(context, db, entry);
if (ret)
hdb_free_entry(context,entry);
@@ -1128,17 +1507,19 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags,
{
LDAPMod **mods = NULL;
krb5_error_code ret;
+ const char *errfn;
+ int rc;
LDAPMessage *msg = NULL, *e = NULL;
char *dn = NULL, *name = NULL;
- ret = krb5_unparse_name(context, entry->principal, &name);
- if (ret != 0) {
- goto out;
- }
+ ret = LDAP_principal2message(context, db, entry->principal, &msg);
+ if (ret == 0)
+ e = ldap_first_entry(HDB2LDAP(db), msg);
- ret = LDAP__lookup_princ(context, db, name, &msg);
- if (ret == 0) {
- e = ldap_first_entry((LDAP *) db->db, msg);
+ ret = krb5_unparse_name(context, entry->principal, &name);
+ if (ret) {
+ free(name);
+ return ret;
}
ret = hdb_seal_keys(context, db, entry);
@@ -1147,45 +1528,19 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags,
/* turn new entry into LDAPMod array */
ret = LDAP_entry2mods(context, db, entry, e, &mods);
- if (ret != 0) {
+ if (ret)
goto out;
- }
if (e == NULL) {
- /* Doesn't exist yet. */
- char *p;
-
- e = NULL;
-
- /* normalize the naming attribute */
- for (p = name; *p != '\0'; p++) {
- *p = (char) tolower((int) *p);
- }
-
- /*
- * We could do getpwnam() on the local component of
- * the principal to find cn/sn but that's probably
- * bad thing to do from inside a KDC. Better leave
- * it to management tools.
- */
- ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "cn", name);
- if (ret < 0) {
- goto out;
- }
-
- ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "sn", name);
- if (ret < 0) {
- goto out;
- }
-
- ret = asprintf(&dn, "cn=%s,%s", name, db->name);
+ ret = asprintf(&dn, "krb5PrincipalName=%s,%s", name, HDB2CREATE(db));
if (ret < 0) {
+ krb5_set_error_string(context, "asprintf: out of memory");
ret = ENOMEM;
goto out;
}
} else if (flags & HDB_F_REPLACE) {
/* Entry exists, and we're allowed to replace it. */
- dn = ldap_get_dn((LDAP *) db->db, e);
+ dn = ldap_get_dn(HDB2LDAP(db), e);
} else {
/* Entry exists, but we're not allowed to replace it. Bail. */
ret = HDB_ERR_EXISTS;
@@ -1195,35 +1550,34 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags,
/* write entry into directory */
if (e == NULL) {
/* didn't exist before */
- ret = ldap_add_s((LDAP *) db->db, dn, mods);
+ rc = ldap_add_s(HDB2LDAP(db), dn, mods);
+ errfn = "ldap_add_s";
} else {
/* already existed, send deltas only */
- ret = ldap_modify_s((LDAP *) db->db, dn, mods);
+ rc = ldap_modify_s(HDB2LDAP(db), dn, mods);
+ errfn = "ldap_modify_s";
}
- if (ret == LDAP_SUCCESS) {
- ret = 0;
- } else {
+ if (check_ldap(context, db, rc)) {
+ char *ld_error = NULL;
+ ldap_get_option(HDB2LDAP(db), LDAP_OPT_ERROR_STRING,
+ &ld_error);
+ krb5_set_error_string(context, "%s: %s (dn=%s) %s: %s",
+ errfn, name, dn, ldap_err2string(rc), ld_error);
ret = HDB_ERR_CANT_LOCK_DB;
- }
+ } else
+ ret = 0;
out:
/* free stuff */
- if (dn != NULL) {
+ if (dn)
free(dn);
- }
-
- if (msg != NULL) {
+ if (msg)
ldap_msgfree(msg);
- }
-
- if (mods != NULL) {
+ if (mods)
ldap_mods_free(mods, 1);
- }
-
- if (name != NULL) {
+ if (name)
free(name);
- }
return ret;
}
@@ -1234,111 +1588,166 @@ LDAP_remove(krb5_context context, HDB * db, hdb_entry * entry)
krb5_error_code ret;
LDAPMessage *msg, *e;
char *dn = NULL;
+ int rc, limit = LDAP_NO_LIMIT;
ret = LDAP_principal2message(context, db, entry->principal, &msg);
- if (ret != 0) {
+ if (ret)
goto out;
- }
- e = ldap_first_entry((LDAP *) db->db, msg);
+ e = ldap_first_entry(HDB2LDAP(db), msg);
if (e == NULL) {
ret = HDB_ERR_NOENTRY;
goto out;
}
- dn = ldap_get_dn((LDAP *) db->db, e);
+ dn = ldap_get_dn(HDB2LDAP(db), e);
if (dn == NULL) {
ret = HDB_ERR_NOENTRY;
goto out;
}
- ret = LDAP_NO_LIMIT;
- (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, &ret);
+ rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_SIZELIMIT, (const void *)&limit);
+ if (rc != LDAP_SUCCESS) {
+ krb5_set_error_string(context, "ldap_set_option: %s",
+ ldap_err2string(rc));
+ ret = HDB_ERR_BADVERSION;
+ goto out;
+ }
- ret = ldap_delete_s((LDAP *) db->db, dn);
- if (ret == LDAP_SUCCESS) {
- ret = 0;
- } else {
+ rc = ldap_delete_s(HDB2LDAP(db), dn);
+ if (check_ldap(context, db, rc)) {
+ krb5_set_error_string(context, "ldap_delete_s: %s",
+ ldap_err2string(rc));
ret = HDB_ERR_CANT_LOCK_DB;
- }
+ } else
+ ret = 0;
out:
- if (dn != NULL) {
+ if (dn != NULL)
free(dn);
- }
-
- if (msg != NULL) {
+ if (msg != NULL)
ldap_msgfree(msg);
- }
return ret;
}
static krb5_error_code
-LDAP__get(krb5_context context, HDB * db, krb5_data key, krb5_data * reply)
-{
- fprintf(stderr, "LDAP__get not implemented\n");
- abort();
- return 0;
-}
-
-static krb5_error_code
-LDAP__put(krb5_context context, HDB * db, int replace,
- krb5_data key, krb5_data value)
-{
- fprintf(stderr, "LDAP__put not implemented\n");
- abort();
- return 0;
-}
-
-static krb5_error_code
-LDAP__del(krb5_context context, HDB * db, krb5_data key)
-{
- fprintf(stderr, "LDAP__del not implemented\n");
- abort();
- return 0;
-}
-
-static krb5_error_code LDAP_destroy(krb5_context context, HDB * db)
+LDAP_destroy(krb5_context context, HDB * db)
{
krb5_error_code ret;
+ LDAP_close(context, db);
+
ret = hdb_clear_master_key(context, db);
- free(db->name);
+ if (HDB2BASE(db))
+ free(HDB2BASE(db));
+ if (HDB2CREATE(db))
+ free(HDB2CREATE(db));
+ if (db->hdb_name)
+ free(db->hdb_name);
+ free(db->hdb_db);
free(db);
return ret;
}
krb5_error_code
-hdb_ldap_create(krb5_context context, HDB ** db, const char *filename)
+hdb_ldap_create(krb5_context context, HDB ** db, const char *arg)
{
+ struct hdbldapdb *h;
+ const char *create_base = NULL;
+
+ if (arg == NULL && arg[0] == '\0') {
+ krb5_set_error_string(context, "ldap search base not configured");
+ return ENOMEM; /* XXX */
+ }
+
+ if (structural_object == NULL) {
+ const char *p;
+
+ p = krb5_config_get_string(context, NULL, "kdc",
+ "hdb-ldap-structural-object", NULL);
+ if (p == NULL)
+ p = default_structural_object;
+ structural_object = strdup(p);
+ if (structural_object == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ return ENOMEM;
+ }
+ }
+
+ samba_forwardable =
+ krb5_config_get_bool_default(context, NULL, TRUE,
+ "kdc", "hdb-samba-forwardable", NULL);
+
*db = malloc(sizeof(**db));
- if (*db == NULL)
+ if (*db == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
return ENOMEM;
+ }
+ memset(*db, 0, sizeof(**db));
- (*db)->db = NULL;
-/* (*db)->name = strdup(filename); */
- (*db)->name = NULL;
- (*db)->master_key_set = 0;
- (*db)->openp = 0;
- (*db)->open = LDAP_open;
- (*db)->close = LDAP_close;
- (*db)->fetch = LDAP_fetch;
- (*db)->store = LDAP_store;
- (*db)->remove = LDAP_remove;
- (*db)->firstkey = LDAP_firstkey;
- (*db)->nextkey = LDAP_nextkey;
- (*db)->lock = LDAP_lock;
- (*db)->unlock = LDAP_unlock;
- (*db)->rename = LDAP_rename;
- /* can we ditch these? */
- (*db)->_get = LDAP__get;
- (*db)->_put = LDAP__put;
- (*db)->_del = LDAP__del;
- (*db)->destroy = LDAP_destroy;
+ h = malloc(sizeof(*h));
+ if (h == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ free(*db);
+ *db = NULL;
+ return ENOMEM;
+ }
+ memset(h, 0, sizeof(*h));
+
+ asprintf(&(*db)->hdb_name, "ldap:%s", arg);
+
+ (*db)->hdb_db = h;
+ h->h_base = strdup(arg);
+ if (h->h_base == NULL) {
+ LDAP_destroy(context, *db);
+ krb5_set_error_string(context, "strdup: out of memory");
+ *db = NULL;
+ return ENOMEM;
+ }
+
+ create_base = krb5_config_get_string(context, NULL, "kdc",
+ "hdb-ldap-create-base", NULL);
+ if (create_base == NULL)
+ create_base = h->h_base;
+
+ h->h_createbase = strdup(create_base);
+ if (h->h_createbase == NULL) {
+ LDAP_destroy(context, *db);
+ krb5_set_error_string(context, "strdup: out of memory");
+ *db = NULL;
+ return ENOMEM;
+ }
+
+ (*db)->hdb_master_key_set = 0;
+ (*db)->hdb_openp = 0;
+ (*db)->hdb_open = LDAP_open;
+ (*db)->hdb_close = LDAP_close;
+ (*db)->hdb_fetch = LDAP_fetch;
+ (*db)->hdb_store = LDAP_store;
+ (*db)->hdb_remove = LDAP_remove;
+ (*db)->hdb_firstkey = LDAP_firstkey;
+ (*db)->hdb_nextkey = LDAP_nextkey;
+ (*db)->hdb_lock = LDAP_lock;
+ (*db)->hdb_unlock = LDAP_unlock;
+ (*db)->hdb_rename = LDAP_rename;
+ (*db)->hdb__get = NULL;
+ (*db)->hdb__put = NULL;
+ (*db)->hdb__del = NULL;
+ (*db)->hdb_destroy = LDAP_destroy;
return 0;
}
+#ifdef OPENLDAP_MODULE
+
+struct hdb_so_method hdb_ldap_interface = {
+ HDB_INTERFACE_VERSION,
+ "ldap",
+ hdb_ldap_create
+};
+
+#endif
+
#endif /* OPENLDAP */
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-22 09:11:33 +0000