char *realm_attributes[] = {"krbSearchScope","krbSubTrees", "krbPrincContainerRef",
"krbMaxTicketLife", "krbMaxRenewableAge",
"krbTicketFlags", "krbUpEnabled",
- "krbTicketPolicyReference",
"krbLdapServers",
"krbKdcServers", "krbAdmServers",
"krbPwdServers", NULL};
* list realms from eDirectory
*/
-/*
- * Function to remove all special characters from a string (rfc2254).
- * Use whenever exact matching is to be done ...
- */
+/* Return a copy of in, quoting all characters which are special in an LDAP
+ * filter (RFC 4515) or DN string (RFC 4514). Return NULL on failure. */
char *
ldap_filter_correct (char *in)
{
- size_t i, count;
- char *out, *ptr;
- size_t len = strlen(in);
-
- for (i = 0, count = 0; i < len; i++)
- switch (in[i]) {
- case '*':
- case '(':
- case ')':
- case '\\':
- case '\0':
- count ++;
- }
-
- out = (char *)malloc((len + (count * 2) + 1) * sizeof (char));
- assert (out != NULL);
- memset(out, 0, len + (count * 2) + 1);
-
- for (i = 0, ptr = out; i < len; i++)
- switch (in[i]) {
- case '*':
- ptr[0] = '\\';
- ptr[1] = '2';
- ptr[2] = 'a';
- ptr += 3;
- break;
- case '(':
- ptr[0] = '\\';
- ptr[1] = '2';
- ptr[2] = '8';
- ptr += 3;
- break;
- case ')':
- ptr[0] = '\\';
- ptr[1] = '2';
- ptr[2] = '9';
- ptr += 3;
- break;
- case '\\':
- ptr[0] = '\\';
- ptr[1] = '5';
- ptr[2] = 'c';
- ptr += 3;
+ size_t count;
+ const char special[] = "*()\\ #\"+,;<>";
+ struct k5buf buf;
+
+ k5_buf_init_dynamic(&buf);
+ while (TRUE) {
+ count = strcspn(in, special);
+ k5_buf_add_len(&buf, in, count);
+ in += count;
+ if (*in == '\0')
break;
- case '\0':
- ptr[0] = '\\';
- ptr[1] = '0';
- ptr[2] = '0';
- ptr += 3;
- break;
- default:
- ptr[0] = in[i];
- ptr += 1;
- break;
- }
-
- /* ptr[count - 1] = '\0'; */
-
- return out;
+ k5_buf_add_fmt(&buf, "\\%2x", (unsigned char)*in++);
+ }
+ return buf.data;
}
static int
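Review bot: The escape format `"\\%2x"` on the `k5_buf_add_fmt` line is width-padded, not zero-padded, so any byte below 0x10 would be emitted as a backslash, a space and one hex digit instead of the two-digit form RFC 4515 and RFC 4514 require; it only works today because every character in `special` is at or above 0x20. Use `k5_buf_add_fmt(&buf, "\\%02x", (unsigned char)*in++);` so the list can grow (the removed code also escaped NUL) without silently producing an escape the directory will reject or misparse. The function only reads through `in`, so the parameter could be `const char *in`; callers must still check for a NULL return, which per the new header comment is what a failed k5_buf allocation yields.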
SETUP_CONTEXT ();
/* get the kerberos container DN information */
- if (ldap_context->krbcontainer == NULL) {
- if ((st = krb5_ldap_read_krbcontainer_params(context,
- &(ldap_context->krbcontainer))) != 0)
+ if (ldap_context->container_dn == NULL) {
+ if ((st = krb5_ldap_read_krbcontainer_dn(context,
+ &(ldap_context->container_dn))) != 0)
goto cleanup;
}
{
char *cn[] = {"cn", NULL};
- LDAP_SEARCH(ldap_context->krbcontainer->DN,
+ LDAP_SEARCH(ldap_context->container_dn,
LDAP_SCOPE_ONELEVEL,
"(objectclass=krbRealmContainer)",
cn);
ldap_value_free(values);
}
} /* for (ent= ... */
- ldap_msgfree(result);
cleanup:
/* If there are no elements, still return a NULL terminated array */
+ ldap_msgfree(result);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
char **values=NULL, **subtrees=NULL, **policy=NULL;
LDAPMessage **result_arr=NULL, *result = NULL, *ent = NULL;
krb5_principal principal;
- int l=0, ntree=0, i=0, j=0, mask=0;
+ unsigned int l=0, ntree=0;
+ int i=0, j=0, mask=0;
kdb5_dal_handle *dal_handle = NULL;
krb5_ldap_context *ldap_context = NULL;
krb5_ldap_server_handle *ldap_server_handle = NULL;
if (lrealm == NULL) {
st = EINVAL;
- krb5_set_error_message(context, st,
- _("Realm information not available"));
+ k5_setmsg(context, st, _("Realm information not available"));
goto cleanup;
}
ldap_value_free(values);
}
}
- ldap_msgfree(result);
}
/* Delete all password policies */
/* Delete all ticket policies */
{
if ((st = krb5_ldap_list_policy (context, ldap_context->lrparams->realmdn, &policy)) != 0) {
- prepend_err_str(context, _("Error reading ticket policy: "), st,
- st);
+ k5_prependmsg(context, st, _("Error reading ticket policy"));
goto cleanup;
}
if ((st=ldap_delete_ext_s(ld, ldap_context->lrparams->realmdn, NULL, NULL)) != LDAP_SUCCESS) {
int ost = st;
st = translate_ldap_error (st, OP_DEL);
- krb5_set_error_message(context, st, _("Realm Delete FAILED: %s"),
- ldap_err2string(ost));
+ k5_setmsg(context, st, _("Realm Delete FAILED: %s"),
+ ldap_err2string(ost));
}
cleanup:
free (subtrees);
}
+ if (result_arr != NULL) {
+ for (l = 0; l < ntree; l++)
+ ldap_msgfree(result_arr[l]);
+ free(result_arr);
+ }
+
if (policy != NULL) {
for (i = 0; policy[i] != NULL; i++)
free (policy[i]);
LDAP *ld=NULL;
krb5_error_code st=0;
char **strval=NULL, *strvalprc[5]={NULL};
-#ifdef HAVE_EDIRECTORY
- char **values=NULL;
- char **oldkdcservers=NULL, **oldadminservers=NULL, **oldpasswdservers=NULL;
- LDAPMessage *result=NULL, *ent=NULL;
- int count=0;
- char errbuf[1024];
-#endif
LDAPMod **mods = NULL;
-#ifdef HAVE_EDIRECTORY
- int i=0;
-#endif
- int oldmask=0, objectmask=0,k=0;
+ int objectmask=0,k=0;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
SETUP_CONTEXT ();
/* Check validity of arguments */
- if (ldap_context->krbcontainer == NULL ||
+ if (ldap_context->container_dn == NULL ||
rparams->tl_data == NULL ||
rparams->tl_data->tl_data_contents == NULL ||
((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) ||
((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) ||
-#ifdef HAVE_EDIRECTORY
- ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) ||
- ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) ||
- ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) ||
-#endif
0) {
st = EINVAL;
goto cleanup;
/* get ldap handle */
GET_HANDLE ();
- /* get the oldmask obtained from the krb5_ldap_read_realm_params */
- {
- void *voidptr=NULL;
-
- if ((st=decode_tl_data(rparams->tl_data, KDB_TL_MASK, &voidptr)) == 0) {
- oldmask = *((int *) voidptr);
- free (voidptr);
- } else {
- st = EINVAL;
- krb5_set_error_message(context, st, _("tl_data not available"));
- return st;
- }
- }
-
-
/* SUBTREE ATTRIBUTE */
if (mask & LDAP_REALM_SUBTREE) {
if ( rparams->subtree!=NULL) {
}
-#ifdef HAVE_EDIRECTORY
-
- /* KDCSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_KDCSERVERS) {
- /* validate the server list */
- for (i=0; rparams->kdcservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask,
- _("kdc service object value: "));
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_REPLACE,
- rparams->kdcservers)) != 0)
- goto cleanup;
- }
-
- /* ADMINSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_ADMINSERVERS) {
- /* validate the server list */
- for (i=0; rparams->adminservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask,
- _("admin service object value: "));
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_REPLACE,
- rparams->adminservers)) != 0)
- goto cleanup;
- }
-
- /* PASSWDSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_PASSWDSERVERS) {
- /* validate the server list */
- for (i=0; rparams->passwdservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask,
- _("password service object value: "));
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_REPLACE,
- rparams->passwdservers)) != 0)
- goto cleanup;
- }
-
- /*
- * Read the old values of the krbkdcservers, krbadmservers and
- * krbpwdservers. This information is later used to decided the
- * deletions/additions to the list.
- */
- if (mask & LDAP_REALM_KDCSERVERS || mask & LDAP_REALM_ADMINSERVERS ||
- mask & LDAP_REALM_PASSWDSERVERS) {
- char *servers[] = {"krbKdcServers", "krbAdmServers", "krbPwdServers", NULL};
-
- if ((st= ldap_search_ext_s(ld,
- rparams->realmdn,
- LDAP_SCOPE_BASE,
- 0,
- servers,
- 0,
- NULL,
- NULL,
- NULL,
- 0,
- &result)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_SEARCH);
- goto cleanup;
- }
-
- ent = ldap_first_entry(ld, result);
- if (ent) {
- if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &oldkdcservers, count)) != 0)
- goto cleanup;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &oldadminservers, count)) != 0)
- goto cleanup;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &oldpasswdservers, count)) != 0)
- goto cleanup;
- ldap_value_free(values);
- }
- }
- ldap_msgfree(result);
- }
-#endif
-
/* Realm modify opearation */
if (mods != NULL) {
if ((st=ldap_modify_ext_s(ld, rparams->realmdn, mods, NULL, NULL)) != LDAP_SUCCESS) {
}
}
-#ifdef HAVE_EDIRECTORY
- /* krbRealmReferences attribute is updated here, depending on the additions/deletions
- * to the 4 servers' list.
- */
- if (mask & LDAP_REALM_KDCSERVERS) {
- char **newkdcservers=NULL;
-
- count = ldap_count_values(rparams->kdcservers);
- if ((st=copy_arrays(rparams->kdcservers, &newkdcservers, count)) != 0)
- goto cleanup;
-
- /* find the deletions and additions to the server list */
- if (oldkdcservers && newkdcservers)
- disjoint_members(oldkdcservers, newkdcservers);
-
- /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
- if (oldkdcservers)
- for (i=0; oldkdcservers[i]; ++i)
- if ((st=deleteAttribute(ld, oldkdcservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error removing 'krbRealmReferences' from "
- "%s: "), oldkdcservers[i]);
- prepend_err_str(context, errbuf, st, st);
- goto cleanup;
- }
-
- /* add the krbRealmReferences attribute from the servers that are associated. */
- if (newkdcservers)
- for (i=0; newkdcservers[i]; ++i)
- if ((st=updateAttribute(ld, newkdcservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error adding 'krbRealmReferences' to %s: "),
- newkdcservers[i]);
- prepend_err_str(context, errbuf, st, st);
- goto cleanup;
- }
-
- if (newkdcservers)
- ldap_value_free(newkdcservers);
- }
-
- if (mask & LDAP_REALM_ADMINSERVERS) {
- char **newadminservers=NULL;
-
- count = ldap_count_values(rparams->adminservers);
- if ((st=copy_arrays(rparams->adminservers, &newadminservers, count)) != 0)
- goto cleanup;
-
- /* find the deletions and additions to the server list */
- if (oldadminservers && newadminservers)
- disjoint_members(oldadminservers, newadminservers);
-
- /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
- if (oldadminservers)
- for (i=0; oldadminservers[i]; ++i)
- if ((st=deleteAttribute(ld, oldadminservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error removing 'krbRealmReferences' from "
- "%s: "), oldadminservers[i]);
- prepend_err_str(context, errbuf, st, st);
- goto cleanup;
- }
-
- /* add the krbRealmReferences attribute from the servers that are associated. */
- if (newadminservers)
- for (i=0; newadminservers[i]; ++i)
- if ((st=updateAttribute(ld, newadminservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error adding 'krbRealmReferences' to %s: "),
- newadminservers[i]);
- prepend_err_str(context, errbuf, st, st);
- goto cleanup;
- }
- if (newadminservers)
- ldap_value_free(newadminservers);
- }
-
- if (mask & LDAP_REALM_PASSWDSERVERS) {
- char **newpasswdservers=NULL;
-
- count = ldap_count_values(rparams->passwdservers);
- if ((st=copy_arrays(rparams->passwdservers, &newpasswdservers, count)) != 0)
- goto cleanup;
-
- /* find the deletions and additions to the server list */
- if (oldpasswdservers && newpasswdservers)
- disjoint_members(oldpasswdservers, newpasswdservers);
-
- /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
- if (oldpasswdservers)
- for (i=0; oldpasswdservers[i]; ++i)
- if ((st=deleteAttribute(ld, oldpasswdservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error removing 'krbRealmReferences' from "
- "%s: "), oldpasswdservers[i]);
- prepend_err_str(context, errbuf, st, st);
- goto cleanup;
- }
-
- /* add the krbRealmReferences attribute from the servers that are associated. */
- if (newpasswdservers)
- for (i=0; newpasswdservers[i]; ++i)
- if ((st=updateAttribute(ld, newpasswdservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error adding 'krbRealmReferences' to %s: "),
- newpasswdservers[i]);
- prepend_err_str(context, errbuf, st, st);
- goto cleanup;
- }
- if (newpasswdservers)
- ldap_value_free(newpasswdservers);
- }
-#endif
-
cleanup:
-#ifdef HAVE_EDIRECTORY
- if (oldkdcservers) {
- for (i=0; oldkdcservers[i]; ++i)
- free(oldkdcservers[i]);
- free(oldkdcservers);
- }
-
- if (oldadminservers) {
- for (i=0; oldadminservers[i]; ++i)
- free(oldadminservers[i]);
- free(oldadminservers);
- }
-
- if (oldpasswdservers) {
- for (i=0; oldpasswdservers[i]; ++i)
- free(oldpasswdservers[i]);
- free(oldpasswdservers);
- }
-#endif
-
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
/*
- * Create the Kerberos container in the Directory
+ * Create the Kerberos container in the Directory if it does not exist
*/
krb5_error_code
-krb5_ldap_create_krbcontainer(krb5_context context,
- const
- krb5_ldap_krbcontainer_params *krbcontparams)
+krb5_ldap_create_krbcontainer(krb5_context context, const char *dn)
{
LDAP *ld=NULL;
- char *strval[2]={NULL}, *kerberoscontdn=NULL, **rdns=NULL;
- int pmask=0;
+ char *strval[2]={NULL}, **rdns=NULL;
LDAPMod **mods = NULL;
krb5_error_code st=0;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
-#ifdef HAVE_EDIRECTORY
- int crmask=0;
-#endif
SETUP_CONTEXT ();
/* get ldap handle */
GET_HANDLE ();
- if (krbcontparams != NULL && krbcontparams->DN != NULL) {
- kerberoscontdn = krbcontparams->DN;
- } else {
- /* If the user has not given, use the default cn=Kerberos,cn=Security */
-#ifdef HAVE_EDIRECTORY
- kerberoscontdn = KERBEROS_CONTAINER;
-#else
+ if (dn == NULL) {
st = EINVAL;
- krb5_set_error_message(context, st,
- _("Kerberos Container information is missing"));
+ k5_setmsg(context, st, _("Kerberos Container information is missing"));
goto cleanup;
-#endif
}
strval[0] = "krbContainer";
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
- rdns = ldap_explode_dn(kerberoscontdn, 1);
+ rdns = ldap_explode_dn(dn, 1);
if (rdns == NULL) {
st = EINVAL;
- krb5_set_error_message(context, st,
- _("Invalid Kerberos container DN"));
+ k5_setmsg(context, st, _("Invalid Kerberos container DN"));
goto cleanup;
}
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
- /* check if the policy reference value exists and is of krbticketpolicyreference object class */
- if (krbcontparams && krbcontparams->policyreference) {
- st = checkattributevalue(ld, krbcontparams->policyreference, "objectclass", policyclass,
- &pmask);
- CHECK_CLASS_VALIDITY(st, pmask, _("ticket policy object value: "));
-
- strval[0] = krbcontparams->policyreference;
- strval[1] = NULL;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_ADD,
- strval)) != 0)
- goto cleanup;
- }
-
/* create the kerberos container */
- if ((st = ldap_add_ext_s(ld, kerberoscontdn, mods, NULL, NULL)) != LDAP_SUCCESS) {
+ st = ldap_add_ext_s(ld, dn, mods, NULL, NULL);
+ if (st == LDAP_ALREADY_EXISTS)
+ st = LDAP_SUCCESS;
+ if (st != LDAP_SUCCESS) {
int ost = st;
st = translate_ldap_error (st, OP_ADD);
- krb5_set_error_message(context, st,
- _("Kerberos Container create FAILED: %s"),
- ldap_err2string(ost));
- goto cleanup;
- }
-
-#ifdef HAVE_EDIRECTORY
-
- /* free the mods array */
- ldap_mods_free(mods, 1);
- mods=NULL;
-
- /* check whether the security container is bound to krbcontainerrefaux object class */
- if ((st=checkattributevalue(ld, SECURITY_CONTAINER, "objectClass",
- krbContainerRefclass, &crmask)) != 0) {
- prepend_err_str(context, _("Security Container read FAILED: "), st,
- st);
- /* delete Kerberos Container, status ignored intentionally */
- ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL);
+ k5_setmsg(context, st, _("Kerberos Container create FAILED: %s"),
+ ldap_err2string(ost));
goto cleanup;
}
- if (crmask == 0) {
- /* Security Container is extended with krbcontainerrefaux object class */
- strval[0] = "krbContainerRefAux";
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
- }
-
- strval[0] = kerberoscontdn;
- strval[1] = NULL;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbcontainerreference", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
-
- /* update the security container with krbContainerReference attribute */
- if ((st=ldap_modify_ext_s(ld, SECURITY_CONTAINER, mods, NULL, NULL)) != LDAP_SUCCESS) {
- int ost = st;
- st = translate_ldap_error (st, OP_MOD);
- krb5_set_error_message(context, st,
- _("Security Container update FAILED: %s"),
- ldap_err2string(ost));
- /* delete Kerberos Container, status ignored intentionally */
- ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL);
- goto cleanup;
- }
-#endif
-
cleanup:
if (rdns)
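Review bot: Mapping `LDAP_ALREADY_EXISTS` to `LDAP_SUCCESS` after `ldap_add_ext_s` makes the create idempotent, but nothing confirms that the pre-existing entry at `dn` is a krbContainer; an unrelated object at that DN would be accepted as the Kerberos container and realms would later be created beneath it. If that is the intended trade-off, a comment on the `if (st == LDAP_ALREADY_EXISTS)` line such as `/* An existing entry at dn is assumed to be a usable krbContainer; its objectclass is not verified. */` makes the assumption visible; otherwise a base-scope read of `dn` filtered on objectclass could confirm it before returning success. The `cn` value added from `rdns` is set outside the visible hunk, so whether an empty `rdns` array is handled cannot be seen here.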
*/
krb5_error_code
-krb5_ldap_delete_krbcontainer(krb5_context context,
- const
- krb5_ldap_krbcontainer_params *krbcontparams)
+krb5_ldap_delete_krbcontainer(krb5_context context, const char *dn)
{
LDAP *ld=NULL;
- char *kerberoscontdn=NULL;
krb5_error_code st=0;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
/* get ldap handle */
GET_HANDLE ();
- if (krbcontparams != NULL && krbcontparams->DN != NULL) {
- kerberoscontdn = krbcontparams->DN;
- } else {
- /* If the user has not given, use the default cn=Kerberos,cn=Security */
-#ifdef HAVE_EDIRECTORY
- kerberoscontdn = KERBEROS_CONTAINER;
-#else
+ if (dn == NULL) {
st = EINVAL;
- krb5_set_error_message(context, st,
- _("Kerberos Container information is missing"));
+ k5_setmsg(context, st, _("Kerberos Container information is missing"));
goto cleanup;
-#endif
}
/* delete the kerberos container */
- if ((st = ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL)) != LDAP_SUCCESS) {
+ if ((st = ldap_delete_ext_s(ld, dn, NULL, NULL)) != LDAP_SUCCESS) {
int ost = st;
st = translate_ldap_error (st, OP_ADD);
- krb5_set_error_message(context, st,
- _("Kerberos Container delete FAILED: %s"),
- ldap_err2string(ost));
+ k5_setmsg(context, st, _("Kerberos Container delete FAILED: %s"),
+ ldap_err2string(ost));
goto cleanup;
}
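Review bot: The error path this hunk reworks still calls `translate_ldap_error (st, OP_ADD)` after a failed `ldap_delete_ext_s`, so a delete failure is classified as an add failure even though the message reports a delete; the realm-delete path earlier in this file uses `OP_DEL` for the same situation. Change it to `st = translate_ldap_error (st, OP_DEL);` while the adjacent message lines are being touched. The rest of the function after this error block lies outside the hunk.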
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
-#ifdef HAVE_EDIRECTORY
- char errbuf[1024];
-#endif
char *realm_name;
SETUP_CONTEXT ();
/* Check input validity ... */
- if (ldap_context->krbcontainer == NULL ||
- ldap_context->krbcontainer->DN == NULL ||
+ if (ldap_context->container_dn == NULL ||
rparams == NULL ||
rparams->realm_name == NULL ||
((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) ||
((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) ||
- ((mask & LDAP_REALM_POLICYREFERENCE) && rparams->policyreference == NULL) ||
-#ifdef HAVE_EDIRECTORY
- ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) ||
- ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) ||
- ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) ||
-#endif
0) {
st = EINVAL;
return st;
}
- if (ldap_context->krbcontainer == NULL) {
- if ((st = krb5_ldap_read_krbcontainer_params(context,
- &(ldap_context->krbcontainer))) != 0)
- goto cleanup;
- }
-
/* get ldap handle */
GET_HANDLE ();
realm_name = rparams->realm_name;
- if (asprintf(&dn, "cn=%s,%s", realm_name,
- ldap_context->krbcontainer->DN) < 0)
+ if (asprintf(&dn, "cn=%s,%s", realm_name, ldap_context->container_dn) < 0)
dn = NULL;
CHECK_NULL(dn);
}
-#ifdef HAVE_EDIRECTORY
-
- /* KDCSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_KDCSERVERS) {
- /* validate the server list */
- for (i=0; rparams->kdcservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask,
- _("kdc service object value: "));
-
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_ADD,
- rparams->kdcservers)) != 0)
- goto cleanup;
- }
-
- /* ADMINSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_ADMINSERVERS) {
- /* validate the server list */
- for (i=0; rparams->adminservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask,
- _("admin service object value: "));
-
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_ADD,
- rparams->adminservers)) != 0)
- goto cleanup;
- }
-
- /* PASSWDSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_PASSWDSERVERS) {
- /* validate the server list */
- for (i=0; rparams->passwdservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, "password service object value: ");
-
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_ADD,
- rparams->passwdservers)) != 0)
- goto cleanup;
- }
-#endif
-
/* realm creation operation */
if ((st=ldap_add_ext_s(ld, dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_ADD);
goto cleanup;
}
-#ifdef HAVE_EDIRECTORY
- if (mask & LDAP_REALM_KDCSERVERS)
- for (i=0; rparams->kdcservers[i]; ++i)
- if ((st=updateAttribute(ld, rparams->kdcservers[i], "krbRealmReferences", dn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error adding 'krbRealmReferences' to %s: "),
- rparams->kdcservers[i]);
- prepend_err_str (context, errbuf, st, st);
- /* delete Realm, status ignored intentionally */
- ldap_delete_ext_s(ld, dn, NULL, NULL);
- goto cleanup;
- }
-
- if (mask & LDAP_REALM_ADMINSERVERS)
- for (i=0; rparams->adminservers[i]; ++i)
- if ((st=updateAttribute(ld, rparams->adminservers[i], "krbRealmReferences", dn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error adding 'krbRealmReferences' to %s: "),
- rparams->adminservers[i]);
- prepend_err_str (context, errbuf, st, st);
- /* delete Realm, status ignored intentionally */
- ldap_delete_ext_s(ld, dn, NULL, NULL);
- goto cleanup;
- }
-
- if (mask & LDAP_REALM_PASSWDSERVERS)
- for (i=0; rparams->passwdservers[i]; ++i)
- if ((st=updateAttribute(ld, rparams->passwdservers[i], "krbRealmReferences", dn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error adding 'krbRealmReferences' to %s: "),
- rparams->passwdservers[i]);
- prepend_err_str (context, errbuf, st, st);
- /* delete Realm, status ignored intentionally */
- ldap_delete_ext_s(ld, dn, NULL, NULL);
- goto cleanup;
- }
-#endif
-
cleanup:
if (dn)
krb5_ldap_read_realm_params(krb5_context context, char *lrealm,
krb5_ldap_realm_params **rlparamp, int *mask)
{
- char **values=NULL, *krbcontDN=NULL /*, *curr=NULL */;
-#ifdef HAVE_EDIRECTORY
- unsigned int count=0;
-#endif
+ char **values=NULL;
krb5_error_code st=0, tempst=0;
LDAP *ld=NULL;
LDAPMessage *result=NULL,*ent=NULL;
SETUP_CONTEXT ();
/* validate the input parameter */
- if (lrealm == NULL ||
- ldap_context->krbcontainer == NULL ||
- ldap_context->krbcontainer->DN == NULL) {
+ if (lrealm == NULL || ldap_context->container_dn == NULL) {
st = EINVAL;
goto cleanup;
}
- /* read kerberos container, if not read already */
- if (ldap_context->krbcontainer == NULL) {
- if ((st = krb5_ldap_read_krbcontainer_params(context,
- &(ldap_context->krbcontainer))) != 0)
- goto cleanup;
- }
/* get ldap handle */
GET_HANDLE ();
/* set default values */
rlparams->search_scope = LDAP_SCOPE_SUBTREE;
- krbcontDN = ldap_context->krbcontainer->DN;
-
- if (asprintf(&rlparams->realmdn, "cn=%s,%s", lrealm, krbcontDN) < 0) {
+ if (asprintf(&rlparams->realmdn, "cn=%s,%s", lrealm,
+ ldap_context->container_dn) < 0) {
rlparams->realmdn = NULL;
st = ENOMEM;
goto cleanup;
ldap_value_free(values);
}
-#ifdef HAVE_EDIRECTORY
-
- if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(rlparams->kdcservers), (int) count)) != 0)
- goto cleanup;
- *mask |= LDAP_REALM_KDCSERVERS;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(rlparams->adminservers), (int) count)) != 0)
- goto cleanup;
- *mask |= LDAP_REALM_ADMINSERVERS;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(rlparams->passwdservers), (int) count)) != 0)
- goto cleanup;
- *mask |= LDAP_REALM_PASSWDSERVERS;
- ldap_value_free(values);
- }
-#endif
- }
- ldap_msgfree(result);
-
- /*
- * If all of maxtktlife, maxrenewlife and ticketflags are not directly
- * available, use the policy dn from the policy reference attribute, if
- * available, to fetch the missing.
- */
-
- if ((!(*mask & LDAP_REALM_MAXTICKETLIFE && *mask & LDAP_REALM_MAXRENEWLIFE &&
- *mask & LDAP_REALM_KRBTICKETFLAGS)) && rlparams->policyreference) {
-
- LDAP_SEARCH_1(rlparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
- int ost = st;
- st = translate_ldap_error (st, OP_SEARCH);
- krb5_set_error_message(context, st,
- _("Policy object read failed: %s"),
- ldap_err2string(ost));
- goto cleanup;
- }
- ent = ldap_first_entry (ld, result);
- if (ent != NULL) {
- if ((*mask & LDAP_REALM_MAXTICKETLIFE) == 0) {
- if ((values=ldap_get_values(ld, ent, "krbmaxticketlife")) != NULL) {
- rlparams->max_life = atoi(values[0]);
- *mask |= LDAP_REALM_MAXTICKETLIFE;
- ldap_value_free(values);
- }
- }
-
- if ((*mask & LDAP_REALM_MAXRENEWLIFE) == 0) {
- if ((values=ldap_get_values(ld, ent, "krbmaxrenewableage")) != NULL) {
- rlparams->max_renewable_life = atoi(values[0]);
- *mask |= LDAP_REALM_MAXRENEWLIFE;
- ldap_value_free(values);
- }
- }
-
- if ((*mask & LDAP_REALM_KRBTICKETFLAGS) == 0) {
- if ((values=ldap_get_values(ld, ent, "krbticketflags")) != NULL) {
- rlparams->tktflags = atoi(values[0]);
- *mask |= LDAP_REALM_KRBTICKETFLAGS;
- ldap_value_free(values);
- }
- }
- }
- ldap_msgfree(result);
}
rlparams->mask = *mask;
krb5_ldap_free_realm_params(rlparams);
*rlparamp=NULL;
}
+ ldap_msgfree(result);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
free(rparams->realmdn);
if (rparams->realm_name)
- krb5_xfree(rparams->realm_name);
+ free(rparams->realm_name);
if (rparams->subtree) {
for (i=0; i<rparams->subtreecount && rparams->subtree[i] ; i++)
- krb5_xfree(rparams->subtree[i]);
- krb5_xfree(rparams->subtree);
+ free(rparams->subtree[i]);
+ free(rparams->subtree);
}
+ if (rparams->containerref)
+ free(rparams->containerref);
+
if (rparams->kdcservers) {
for (i=0; rparams->kdcservers[i]; ++i)
- krb5_xfree(rparams->kdcservers[i]);
- krb5_xfree(rparams->kdcservers);
+ free(rparams->kdcservers[i]);
+ free(rparams->kdcservers);
}
if (rparams->adminservers) {
for (i=0; rparams->adminservers[i]; ++i)
- krb5_xfree(rparams->adminservers[i]);
- krb5_xfree(rparams->adminservers);
+ free(rparams->adminservers[i]);
+ free(rparams->adminservers);
}
if (rparams->passwdservers) {
for (i=0; rparams->passwdservers[i]; ++i)
- krb5_xfree(rparams->passwdservers[i]);
- krb5_xfree(rparams->passwdservers);
+ free(rparams->passwdservers[i]);
+ free(rparams->passwdservers);
}
if (rparams->tl_data) {
if (rparams->tl_data->tl_data_contents)
- krb5_xfree(rparams->tl_data->tl_data_contents);
- krb5_xfree(rparams->tl_data);
+ free(rparams->tl_data->tl_data_contents);
+ free(rparams->tl_data);
}
- krb5_xfree(rparams);
+ free(rparams);
}
return;
}
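Review bot: The new `if (rparams->containerref)` guard on the added free is redundant, since `free(NULL)` is a no-op, and it is inconsistent with the unguarded `free(rparams->realmdn)` at the top of the hunk; `free(rparams->containerref);` alone matches that line. The kdcservers, adminservers and passwdservers cleanup is kept even though this commit drops the eDirectory code that populated those fields; if the struct members remain that is harmless, otherwise these blocks are now dead and could go in a follow-up. The start of the function is outside the hunk.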
char **db_args)
{
krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP;
- krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
+ k5_setmsg(kcontext, status, "LDAP %s", error_message(status));
return status;
}