summaryrefslogtreecommitdiffstats
path: root/src/plugins
diff options
context:
space:
mode:
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c673
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c8
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c19
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c6
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c17
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c3
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c235
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h4
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports1
9 files changed, 546 insertions, 420 deletions
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index 288a5a0c6b..83eb162867 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -139,6 +139,14 @@ static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_
#define ADMIN_LIFETIME 60*60*3 /* 3 hours */
#define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
+#ifdef HAVE_EDIRECTORY
+#define FREE_DN_LIST(dnlist) if (dnlist != NULL) { \
+ for (idx=0; dnlist[idx] != NULL; idx++) \
+ free(dnlist[idx]); \
+ free(dnlist); \
+ }
+#endif
+
static int get_ticket_policy(rparams,i,argv,argc)
krb5_ldap_realm_params *rparams;
int *i;
@@ -346,7 +354,7 @@ void kdb5_ldap_create(argc, argv)
if (++i > argc-1)
goto err_usage;
- if(strncmp(argv[i], "", strlen(argv[i]))!=0) {
+ if (strncmp(argv[i], "", strlen(argv[i]))!=0) {
list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
if (list == NULL) {
retval = ENOMEM;
@@ -359,27 +367,27 @@ void kdb5_ldap_create(argc, argv)
}
rparams->subtreecount=0;
- while(list[rparams->subtreecount]!=NULL)
+ while (list[rparams->subtreecount]!=NULL)
(rparams->subtreecount)++;
rparams->subtree = list;
- } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
- /* dont allow subtree value to be set at the root(NULL, "") of the tree */
- com_err(progname, EINVAL,
- "for subtree while creating realm '%s'",
- global_params.realm);
- goto err_nomsg;
+ } else if (strncmp(argv[i], "", strlen(argv[i]))==0) {
+ /* dont allow subtree value to be set at the root(NULL, "") of the tree */
+ com_err(progname, EINVAL,
+ "for subtree while creating realm '%s'",
+ global_params.realm);
+ goto err_nomsg;
}
rparams->subtree[rparams->subtreecount] = NULL;
mask |= LDAP_REALM_SUBTREE;
} else if (!strcmp(argv[i], "-containerref")) {
if (++i > argc-1)
goto err_usage;
- if(strncmp(argv[i], "", strlen(argv[i]))==0) {
- /* dont allow containerref value to be set at the root(NULL, "") of the tree */
- com_err(progname, EINVAL,
- "for container reference while creating realm '%s'",
- global_params.realm);
- goto err_nomsg;
+ if (strncmp(argv[i], "", strlen(argv[i]))==0) {
+ /* dont allow containerref value to be set at the root(NULL, "") of the tree */
+ com_err(progname, EINVAL,
+ "for container reference while creating realm '%s'",
+ global_params.realm);
+ goto err_nomsg;
}
rparams->containerref = strdup(argv[i]);
if (rparams->containerref == NULL) {
@@ -796,7 +804,7 @@ void kdb5_ldap_create(argc, argv)
for (i=0; (rparams->kdcservers[i] != NULL); i++) {
if ((retval=krb5_ldap_add_service_rights(util_context,
LDAP_KDC_SERVICE, rparams->kdcservers[i],
- rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights to '%s'",
rparams->realm_name);
@@ -812,7 +820,7 @@ void kdb5_ldap_create(argc, argv)
for (i=0; (rparams->adminservers[i] != NULL); i++) {
if ((retval=krb5_ldap_add_service_rights(util_context,
LDAP_ADMIN_SERVICE, rparams->adminservers[i],
- rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights to '%s'",
rparams->realm_name);
@@ -828,7 +836,7 @@ void kdb5_ldap_create(argc, argv)
for (i=0; (rparams->passwdservers[i] != NULL); i++) {
if ((retval=krb5_ldap_add_service_rights(util_context,
LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
- rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights to '%s'",
rparams->realm_name);
@@ -917,7 +925,7 @@ void kdb5_ldap_modify(argc, argv)
int mask = 0, rmask = 0, ret_mask = 0;
char **slist = {NULL};
#ifdef HAVE_EDIRECTORY
- int j = 0;
+ int j = 0, idx = 0;
char *list[MAX_LIST_ENTRIES];
int existing_entries = 0, list_entries = 0;
int newkdcdn = 0, newadmindn = 0, newpwddn = 0;
@@ -929,7 +937,8 @@ void kdb5_ldap_modify(argc, argv)
char **newsubtrees = NULL;
char **newadmindns = NULL;
char **newpwddns = NULL;
- char **oldsubtrees = {NULL};
+ char **oldsubtrees = NULL;
+ char *oldcontainerref = NULL;
int rightsmask = 0;
int subtree_changed = 0;
#endif
@@ -966,15 +975,15 @@ void kdb5_ldap_modify(argc, argv)
retval = ENOMEM;
goto cleanup;
}
- for(k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) {
+ for (k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) {
oldsubtrees[k] = strdup(rparams->subtree[k]);
- if( oldsubtrees[k] == NULL ) {
+ if (oldsubtrees[k] == NULL) {
retval = ENOMEM;
goto cleanup;
}
}
#endif
- for(k=0; k<rparams->subtreecount && rparams->subtree[k]; k++)
+ for (k=0; k<rparams->subtreecount && rparams->subtree[k]; k++)
free(rparams->subtree[k]);
rparams->subtreecount=0;
}
@@ -985,35 +994,40 @@ void kdb5_ldap_modify(argc, argv)
retval = ENOMEM;
goto cleanup;
}
- if (( retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) {
+ if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) {
free(slist);
slist = NULL;
goto cleanup;
}
rparams->subtreecount=0;
- while(slist[rparams->subtreecount]!=NULL)
+ while (slist[rparams->subtreecount]!=NULL)
(rparams->subtreecount)++;
rparams->subtree = slist;
- } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
- /* dont allow subtree value to be set at the root(NULL, "") of the tree */
- com_err(progname, EINVAL,
- "for subtree while modifying realm '%s'",
- global_params.realm);
- goto err_nomsg;
+ } else if (strncmp(argv[i], "", strlen(argv[i]))==0) {
+ /* dont allow subtree value to be set at the root(NULL, "") of the tree */
+ com_err(progname, EINVAL,
+ "for subtree while modifying realm '%s'",
+ global_params.realm);
+ goto err_nomsg;
}
rparams->subtree[rparams->subtreecount] = NULL;
mask |= LDAP_REALM_SUBTREE;
} else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) {
if (++i > argc-1)
goto err_usage;
- if(strncmp(argv[i], "", strlen(argv[i]))==0) {
- /* dont allow containerref value to be set at the root(NULL, "") of the tree */
- com_err(progname, EINVAL,
- "for container reference while modifying realm '%s'",
- global_params.realm);
- goto err_nomsg;
+ if (strncmp(argv[i], "", strlen(argv[i]))==0) {
+ /* dont allow containerref value to be set at the root(NULL, "") of the tree */
+ com_err(progname, EINVAL,
+ "for container reference while modifying realm '%s'",
+ global_params.realm);
+ goto err_nomsg;
}
+#ifdef HAVE_EDIRECTORY
+ if (rparams->containerref != NULL) {
+ oldcontainerref = rparams->containerref;
+ }
+#endif
rparams->containerref = strdup(argv[i]);
if (rparams->containerref == NULL) {
retval = ENOMEM;
@@ -1431,299 +1445,417 @@ void kdb5_ldap_modify(argc, argv)
}
#ifdef HAVE_EDIRECTORY
- if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS) ||
+ if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF) || (mask & LDAP_REALM_KDCSERVERS) ||
(mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) {
printf("Changing rights for the service object. Please wait ... ");
fflush(stdout);
- if (!(mask & LDAP_REALM_SUBTREE)) {
- if (rparams->subtree != NULL) {
- for(i=0; rparams->subtree[i]!=NULL;i++) {
- oldsubtrees[i] = strdup(rparams->subtree[i]);
- if( oldsubtrees[i] == NULL ) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- }
+ if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF)) {
+ subtree_changed = 1;
}
- if ((mask & LDAP_REALM_SUBTREE)) {
- int check_subtree = 1;
-
- newsubtrees = (char**) calloc(rparams->subtreecount, sizeof(char*));
-
- if (newsubtrees == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ( (rparams != NULL) && (rparams->subtree != NULL) ) {
- for (j=0; j<rparams->subtreecount && rparams->subtree[j]!= NULL; j++) {
- newsubtrees[j] = strdup(rparams->subtree[j]);
- if (newsubtrees[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- newsubtrees[j] = NULL;
- }
- for(j=0;oldsubtrees[j]!=NULL;j++) {
- check_subtree = 1;
- for(i=0; ( (oldsubtrees[j] && !rparams->subtree[i]) ||
- (!oldsubtrees[j] && rparams->subtree[i])); i++) {
- if(strcasecmp( oldsubtrees[j], rparams->subtree[i]) == 0) {
- check_subtree = 0;
- continue;
+ if ((subtree_changed) || (mask & LDAP_REALM_KDCSERVERS)) {
+
+ if (!(mask & LDAP_REALM_KDCSERVERS)) {
+ if (rparams->kdcservers != NULL) {
+ char **kdcdns = rparams->kdcservers;
+ /* Only subtree and/or container ref has changed */
+ rightsmask =0;
+ /* KDCSERVERS have not changed. Realm rights need not be changed */;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) {
+ /* Remove the rights on the old subtrees */
+ for (i=0; (kdcdns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_delete_service_rights(util_context,
+ LDAP_KDC_SERVICE, kdcdns[i],
+ rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
}
- }
- if (check_subtree != 0) {
- subtree_changed=1;
- break;
- }
- }
- /* this will return list of the disjoint members */
- disjoint_members( oldsubtrees, newsubtrees);
- }
-
- if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS)) {
-
- newkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (newkdcdns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
- for (j=0; rparams->kdcservers[j]!= NULL; j++) {
- newkdcdns[j] = strdup(rparams->kdcservers[j]);
- if (newkdcdns[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ for (i=0; (kdcdns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_KDC_SERVICE, kdcdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
}
}
- newkdcdns[j] = NULL;
}
- if (!subtree_changed) {
- disjoint_members(oldkdcdns, newkdcdns);
- } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
- if (!(mask & LDAP_REALM_KDCSERVERS)) {
-
- oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldkdcdns == NULL) {
+ if (!subtree_changed) {
+ char **newdns = NULL;
+ /* Only kdc servers have changed */
+ rightsmask =0;
+ rightsmask = LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if (oldkdcdns != NULL) {
+ newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (newdns == NULL) {
retval = ENOMEM;
goto cleanup;
}
if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
for (j=0; rparams->kdcservers[j]!= NULL; j++) {
- oldkdcdns[j] = strdup(rparams->kdcservers[j]);
- if (oldkdcdns[j] == NULL) {
+ newdns[j] = strdup(rparams->kdcservers[j]);
+ if (newdns[j] == NULL) {
+ FREE_DN_LIST(newdns);
retval = ENOMEM;
goto cleanup;
}
}
- oldkdcdns[j] = NULL;
+ newdns[j] = NULL;
}
- }
- }
- rightsmask =0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- /* Remove the rights on the old subtrees */
- if (oldkdcdns) {
- for (i=0; (oldkdcdns[i] != NULL); i++) {
- if ((retval=krb5_ldap_delete_service_rights(util_context,
- LDAP_KDC_SERVICE, oldkdcdns[i],
- rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
- goto err_nomsg;
+ disjoint_members(oldkdcdns, newdns);
+
+ for (i=0; (oldkdcdns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_delete_service_rights(util_context,
+ LDAP_KDC_SERVICE, oldkdcdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ FREE_DN_LIST(newdns);
+ goto err_nomsg;
+ }
+ }
+ for (i=0; (newdns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_KDC_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ FREE_DN_LIST(newdns);
+ goto err_nomsg;
+ }
+ }
+ for (i=0; (newdns[i] != NULL); i++) {
+ free(newdns[i]);
+ }
+ free(newdns);
+ } else {
+ newdns = rparams->kdcservers;
+ for (i=0; (newdns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_KDC_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
}
}
- }
-
- rightsmask =0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- if (newkdcdns) {
- for (i=0; (newkdcdns[i] != NULL); i++) {
-
- if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_KDC_SERVICE, newkdcdns[i], rparams->realm_name,
- rparams->subtree, rightsmask)) != 0) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights to '%s'",
- rparams->realm_name);
- goto err_nomsg;
+ }
+
+ if (subtree_changed && (mask & LDAP_REALM_KDCSERVERS)) {
+ char **newdns = rparams->kdcservers;
+
+ rightsmask =0;
+ rightsmask = LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if (oldkdcdns != NULL) {
+ for (i=0; (oldkdcdns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_delete_service_rights(util_context,
+ LDAP_KDC_SERVICE, oldkdcdns[i],
+ rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
}
}
- }
- }
-
- if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_ADMINSERVERS)) {
-
- newadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (newadmindns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((rparams != NULL) && (rparams->adminservers != NULL)) {
- for (j=0; rparams->adminservers[j]!= NULL; j++) {
- newadmindns[j] = strdup(rparams->adminservers[j]);
- if (newadmindns[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ for (i=0; (newdns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_KDC_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
+ }
+
+ if (subtree_changed || (mask & LDAP_REALM_ADMINSERVERS)) {
+
+ if (!(mask & LDAP_REALM_ADMINSERVERS)) {
+ if (rparams->adminservers != NULL) {
+ char **admindns = rparams->adminservers;
+ /* Only subtree and/or container ref has changed */
+ rightsmask =0;
+ /* KADMINSERVERS have not changed. Realm rights need not be changed */;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) {
+ /* Remove the rights on the old subtrees */
+ for (i=0; (admindns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_delete_service_rights(util_context,
+ LDAP_ADMIN_SERVICE, admindns[i],
+ rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
+ for (i=0; (admindns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_ADMIN_SERVICE, admindns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
}
}
- newadmindns[j] = NULL;
}
- if (!subtree_changed) {
- disjoint_members(oldadmindns, newadmindns);
- } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
- if (!(mask & LDAP_REALM_ADMINSERVERS)) {
-
- oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldadmindns == NULL) {
+ if (!subtree_changed) {
+ char **newdns = NULL;
+ /* Only admin servers have changed */
+ rightsmask =0;
+ rightsmask = LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if (oldadmindns != NULL) {
+ newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (newdns == NULL) {
retval = ENOMEM;
goto cleanup;
}
if ((rparams != NULL) && (rparams->adminservers != NULL)) {
for (j=0; rparams->adminservers[j]!= NULL; j++) {
- oldadmindns[j] = strdup(rparams->adminservers[j]);
- if (oldadmindns[j] == NULL) {
+ newdns[j] = strdup(rparams->adminservers[j]);
+ if (newdns[j] == NULL) {
+ FREE_DN_LIST(newdns);
retval = ENOMEM;
goto cleanup;
}
}
- oldadmindns[j] = NULL;
+ newdns[j] = NULL;
}
- }
- }
- rightsmask = 0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- /* Remove the rights on the old subtrees */
- if (oldadmindns) {
- for (i=0; (oldadmindns[i] != NULL); i++) {
-
- if ((retval=krb5_ldap_delete_service_rights(util_context,
- LDAP_ADMIN_SERVICE, oldadmindns[i],
- rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
- goto err_nomsg;
+ disjoint_members(oldadmindns, newdns);
+
+ for (i=0; (oldadmindns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_delete_service_rights(util_context,
+ LDAP_ADMIN_SERVICE, oldadmindns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ FREE_DN_LIST(newdns);
+ goto err_nomsg;
+ }
+ }
+ for (i=0; (newdns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_ADMIN_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ FREE_DN_LIST(newdns);
+ goto err_nomsg;
+ }
+ }
+ for (i=0; (newdns[i] != NULL); i++) {
+ free(newdns[i]);
+ }
+ free(newdns);
+ } else {
+ newdns = rparams->adminservers;
+ for (i=0; (newdns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_ADMIN_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
}
}
- }
-
- rightsmask = 0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- /* Add rights on the new subtree for all the kdc dns */
- if (newadmindns) {
- for (i=0; (newadmindns[i] != NULL); i++) {
-
- if ((retval=krb5_ldap_add_service_rights(util_context,
- LDAP_ADMIN_SERVICE, newadmindns[i],
- rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights to '%s'",
- rparams->realm_name);
- goto err_nomsg;
+ }
+
+ if (subtree_changed && (mask & LDAP_REALM_ADMINSERVERS)) {
+ char **newdns = rparams->adminservers;
+
+ rightsmask = 0;
+ rightsmask = LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if (oldadmindns != NULL) {
+ for (i=0; (oldadmindns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_delete_service_rights(util_context,
+ LDAP_ADMIN_SERVICE, oldadmindns[i],
+ rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
}
}
- }
- }
-
-
- if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_PASSWDSERVERS)) {
-
- newpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (newpwddns == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
- if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
- for (j=0; rparams->passwdservers[j]!= NULL; j++) {
- newpwddns[j] = strdup(rparams->passwdservers[j]);
- if (newpwddns[j] == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ for (i=0; (newdns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_ADMIN_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
+ }
+
+ if (subtree_changed || (mask & LDAP_REALM_PASSWDSERVERS)) {
+
+ if (!(mask & LDAP_REALM_PASSWDSERVERS)) {
+ if (rparams->passwdservers != NULL) {
+ char **passwddns = rparams->passwdservers;
+ /* Only subtree and/or container ref has changed */
+ rightsmask = 0;
+ /* KPASSWDSERVERS have not changed. Realm rights need not be changed */;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) {
+ /* Remove the rights on the old subtrees */
+ for (i=0; (passwddns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_delete_service_rights(util_context,
+ LDAP_PASSWD_SERVICE, passwddns[i],
+ rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
+ for (i=0; (passwddns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_PASSWD_SERVICE, passwddns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
}
}
- newpwddns[j] = NULL;
}
- if (!subtree_changed) {
- disjoint_members(oldpwddns, newpwddns);
- } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
- if (!(mask & LDAP_REALM_ADMINSERVERS)) {
-
- oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
- if (oldpwddns == NULL) {
+ if (!subtree_changed) {
+ char **newdns = NULL;
+ /* Only passwd servers have changed */
+ rightsmask =0;
+ rightsmask = LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if (oldpwddns != NULL) {
+ newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
+ if (newdns == NULL) {
retval = ENOMEM;
goto cleanup;
}
if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
for (j=0; rparams->passwdservers[j]!= NULL; j++) {
- oldpwddns[j] = strdup(rparams->passwdservers[j]);
- if (oldpwddns[j] == NULL) {
+ newdns[j] = strdup(rparams->passwdservers[j]);
+ if (newdns[j] == NULL) {
+ FREE_DN_LIST(newdns);
retval = ENOMEM;
goto cleanup;
}
}
- oldpwddns[j] = NULL;
+ newdns[j] = NULL;
}
- }
- }
- rightsmask =0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- /* Remove the rights on the old subtrees */
- if (oldpwddns) {
- for (i=0; (oldpwddns[i] != NULL); i++) {
- if ((retval = krb5_ldap_delete_service_rights(util_context,
- LDAP_PASSWD_SERVICE, oldpwddns[i],
- rparams->realm_name, oldsubtrees, rightsmask))) {
- printf("failed\n");
- com_err(progname, retval, "while assigning rights '%s'",
- rparams->realm_name);
- goto err_nomsg;
+ disjoint_members(oldpwddns, newdns);
+
+ for (i=0; (oldpwddns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_delete_service_rights(util_context,
+ LDAP_PASSWD_SERVICE, oldpwddns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ FREE_DN_LIST(newdns);
+ goto err_nomsg;
+ }
+ }
+ for (i=0; (newdns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_PASSWD_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ FREE_DN_LIST(newdns);
+ goto err_nomsg;
+ }
+ }
+ for (i=0; (newdns[i] != NULL); i++) {
+ free(newdns[i]);
+ }
+ free(newdns);
+ } else {
+ newdns = rparams->passwdservers;
+ for (i=0; (newdns[i] != NULL); i++) {
+ if ((retval=krb5_ldap_add_service_rights(util_context,
+ LDAP_PASSWD_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
}
}
- }
-
- rightsmask =0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- /* Add rights on the new subtree for all the kdc dns */
- if (newpwddns) {
- for (i=0; (newpwddns[i] != NULL); i++) {
+ }
+
+ if (subtree_changed && (mask & LDAP_REALM_PASSWDSERVERS)) {
+ char **newdns = rparams->passwdservers;
+
+ rightsmask =0;
+ rightsmask = LDAP_REALM_RIGHTS;
+ rightsmask |= LDAP_SUBTREE_RIGHTS;
+ if (oldpwddns != NULL) {
+ for (i=0; (oldpwddns[i] != NULL); i++) {
+ if ((retval = krb5_ldap_delete_service_rights(util_context,
+ LDAP_PASSWD_SERVICE, oldpwddns[i],
+ rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) {
+ printf("failed\n");
+ com_err(progname, retval, "while assigning rights '%s'",
+ rparams->realm_name);
+ goto err_nomsg;
+ }
+ }
+ }
+ for (i=0; (newdns[i] != NULL); i++) {
if ((retval = krb5_ldap_add_service_rights(util_context,
- LDAP_PASSWD_SERVICE, newpwddns[i],
- rparams->realm_name, rparams->subtree, rightsmask))) {
+ LDAP_PASSWD_SERVICE, newdns[i],
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
- com_err(progname, retval, "while assigning rights to '%s'",
+ com_err(progname, retval, "while assigning rights '%s'",
rparams->realm_name);
goto err_nomsg;
}
}
}
}
-
printf("done\n");
}
#endif
@@ -1936,6 +2068,7 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
if (num_entry_printed == 0)
printf("\n");
}
+
if (mask & LDAP_REALM_MAXTICKETLIFE) {
printf("%25s:", "Maximum Ticket Life");
printf(" %s \n", strdur(rparams->max_life));
@@ -2198,9 +2331,9 @@ kdb_ldap_tgt_keysalt_iterate(ksent, ptr)
/*if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {*/
if ((entry->key_data =
- (krb5_key_data *) realloc(entry->key_data,
- (sizeof(krb5_key_data) *
- (entry->n_key_data + 1)))) == NULL)
+ (krb5_key_data *) realloc(entry->key_data,
+ (sizeof(krb5_key_data) *
+ (entry->n_key_data + 1)))) == NULL)
return (ENOMEM);
memset(entry->key_data + entry->n_key_data, 0, sizeof(krb5_key_data));
@@ -2296,7 +2429,7 @@ kdb_ldap_create_principal (context, princ, op, pblock)
if ((retval = krb5_timeofday(context, &now)))
goto cleanup;
if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry,
- now, &db_create_princ)))
+ now, &db_create_princ)))
goto cleanup;
}
entry.attributes = pblock->flags;
@@ -2316,7 +2449,7 @@ kdb_ldap_create_principal (context, princ, op, pblock)
/* Allocate memory for storing the key */
if ((entry.key_data = (krb5_key_data *) malloc(
- sizeof(krb5_key_data))) == NULL) {
+ sizeof(krb5_key_data))) == NULL) {
retval = ENOMEM;
goto cleanup;
}
@@ -2330,9 +2463,9 @@ kdb_ldap_create_principal (context, princ, op, pblock)
}
kvno = 1; /* New key is getting set */
retval = krb5_dbekd_encrypt_key_data(context,
- &ldap_context->lrparams->mkey,
- &key, NULL, kvno,
- &entry.key_data[entry.n_key_data - 1]);
+ &ldap_context->lrparams->mkey,
+ &key, NULL, kvno,
+ &entry.key_data[entry.n_key_data - 1]);
krb5_free_keyblock_contents(context, &key);
if (retval) {
goto cleanup;
@@ -2358,7 +2491,7 @@ kdb_ldap_create_principal (context, princ, op, pblock)
case MASTER_KEY:
/* Allocate memory for storing the key */
if ((entry.key_data = (krb5_key_data *) malloc(
- sizeof(krb5_key_data))) == NULL) {
+ sizeof(krb5_key_data))) == NULL) {
retval = ENOMEM;
goto cleanup;
}
@@ -2367,9 +2500,9 @@ kdb_ldap_create_principal (context, princ, op, pblock)
entry.n_key_data++;
kvno = 1; /* New key is getting set */
retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
- &ldap_context->lrparams->mkey,
- NULL, kvno,
- &entry.key_data[entry.n_key_data - 1]);
+ &ldap_context->lrparams->mkey,
+ NULL, kvno,
+ &entry.key_data[entry.n_key_data - 1]);
if (retval) {
goto cleanup;
}
@@ -2481,7 +2614,7 @@ kdb5_ldap_destroy(argc, argv)
for (i=0; (rparams->kdcservers[i] != NULL); i++) {
if ((retval = krb5_ldap_delete_service_rights(util_context,
LDAP_KDC_SERVICE, rparams->kdcservers[i],
- rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights to '%s'",
rparams->realm_name);
@@ -2496,7 +2629,7 @@ kdb5_ldap_destroy(argc, argv)
for (i=0; (rparams->adminservers[i] != NULL); i++) {
if ((retval = krb5_ldap_delete_service_rights(util_context,
LDAP_ADMIN_SERVICE, rparams->adminservers[i],
- rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights to '%s'",
rparams->realm_name);
@@ -2511,7 +2644,7 @@ kdb5_ldap_destroy(argc, argv)
for (i=0; (rparams->passwdservers[i] != NULL); i++) {
if ((retval = krb5_ldap_delete_service_rights(util_context,
LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
- rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
printf("failed\n");
com_err(progname, retval, "while assigning rights to '%s'",
rparams->realm_name);
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index 34b3dc8d0a..1260131201 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -435,7 +435,7 @@ void kdb5_ldap_create_service(argc, argv)
if ((retval = krb5_ldap_add_service_rights(util_context,
srvparams->servicetype, srvparams->servicedn,
- realmName, rparams->subtree, rightsmask))) {
+ realmName, rparams->subtree, rparams->containerref, rightsmask))) {
printf("failed\n");
com_err(me, retval, "while assigning rights '%s'",
srvparams->servicedn);
@@ -940,7 +940,7 @@ void kdb5_ldap_modify_service(argc, argv)
if ((retval = krb5_ldap_delete_service_rights(util_context,
srvparams->servicetype, srvparams->servicedn,
- realmName, rparams->subtree, rightsmask))) {
+ realmName, rparams->subtree, rparams->containerref, rightsmask))) {
printf("failed\n");
com_err(me, retval, "while assigning rights '%s'",
srvparams->servicedn);
@@ -991,7 +991,7 @@ void kdb5_ldap_modify_service(argc, argv)
if ((retval = krb5_ldap_add_service_rights(util_context,
srvparams->servicetype, srvparams->servicedn,
- realmName, rparams->subtree, rightsmask))) {
+ realmName, rparams->subtree, rparams->containerref, rightsmask))) {
printf("failed\n");
com_err(me, retval, "while assigning rights '%s'",
srvparams->servicedn);
@@ -1717,7 +1717,7 @@ kdb5_ldap_set_service_password(argc, argv)
memset(passwd, 0, passwd_len);
goto cleanup;
}
- /* Password = {CRYPT}<encrypted password>:<encrypted key> */
+ /* Password = {HEX}<encrypted password>:<encrypted key> */
encrypted_passwd.value = (unsigned char *)malloc(strlen(service_object) +
1 + 5 + hex.length + 2);
if (encrypted_passwd.value == NULL) {
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
index 1f900e67af..9ed1f2dee4 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
@@ -520,7 +520,7 @@ int main(argc, argv)
exit_status++;
goto cleanup;
}
- memset(passwd, 0, sizeof(passwd));
+ memset(passwd, 0, MAX_PASSWD_LEN);
passwd_len = MAX_PASSWD_LEN - 1;
snprintf(prompt, MAX_PASSWD_PROMPT_LEN, "Password for \"%s\"", bind_dn);
@@ -536,6 +536,7 @@ int main(argc, argv)
}
ldap_context->bind_pwd = passwd;
+ passwd = NULL;
}
/* If ldaphost is specified, release entry filled by configuration & use this */
@@ -593,6 +594,7 @@ int main(argc, argv)
}
dal_handle->db_context = ldap_context;
util_context->dal_handle = dal_handle;
+ ldap_context = NULL;
db_retval = krb5_ldap_read_server_params(util_context, conf_section, KRB5_KDB_SRV_TYPE_OTHER);
if (db_retval) {
@@ -602,7 +604,7 @@ int main(argc, argv)
}
if (cmd->opendb) {
- db_retval = krb5_ldap_db_init(util_context, ldap_context);
+ db_retval = krb5_ldap_db_init(util_context, (krb5_ldap_context *)dal_handle->db_context);
if (db_retval) {
com_err(progname, db_retval, "while initializing database");
exit_status++;
@@ -615,10 +617,15 @@ int main(argc, argv)
goto cleanup;
cleanup:
- if (passwd)
- memset(passwd, 0, sizeof(passwd));
- if (ldap_context && ldap_context->bind_pwd)
- memset(ldap_context->bind_pwd, 0, sizeof(ldap_context->bind_pwd));
+ if (passwd) {
+ memset(passwd, 0, strlen(passwd));
+ free(passwd);
+ }
+
+ if (ldap_context) {
+ krb5_ldap_free_server_context_params(ldap_context);
+ free(ldap_context);
+ }
if (util_context) {
if (gp_is_static == 0)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
index 124396f3ff..02589b554a 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
@@ -346,7 +346,7 @@ krb5_ldap_create (krb5_context context, char *conf_section, char **db_args)
for (i=0; (rparams->kdcservers[i] != NULL); i++) {
if ((status=krb5_ldap_add_service_rights(context,
LDAP_KDC_SERVICE, rparams->kdcservers[i],
- rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
goto cleanup;
}
}
@@ -359,7 +359,7 @@ krb5_ldap_create (krb5_context context, char *conf_section, char **db_args)
for (i=0; (rparams->adminservers[i] != NULL); i++) {
if ((status=krb5_ldap_add_service_rights(context,
LDAP_ADMIN_SERVICE, rparams->adminservers[i],
- rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
goto cleanup;
}
}
@@ -372,7 +372,7 @@ krb5_ldap_create (krb5_context context, char *conf_section, char **db_args)
for (i=0; (rparams->passwdservers[i] != NULL); i++) {
if ((status=krb5_ldap_add_service_rights(context,
LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
- rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
+ rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
goto cleanup;
}
}
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 818b2e55c9..b864f4b6d8 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -318,7 +318,7 @@ cleanup:
*/
krb5_error_code
-krb5_ldap_free_server_params(ldap_context)
+krb5_ldap_free_server_context_params(ldap_context)
krb5_ldap_context *ldap_context;
{
int i=0;
@@ -366,6 +366,7 @@ krb5_ldap_free_server_params(ldap_context)
}
if (ldap_context->bind_pwd != NULL) {
+ memset(ldap_context->bind_pwd, 0, strlen(ldap_context->bind_pwd));
krb5_xfree(ldap_context->bind_pwd);
ldap_context->bind_pwd = NULL;
}
@@ -402,13 +403,23 @@ krb5_ldap_free_server_params(ldap_context)
krb5_xfree(ldap_context->certificates);
}
- k5_mutex_destroy(&ldap_context->hndl_lock);
+ return(0);
+}
+krb5_error_code
+krb5_ldap_free_server_params(ldap_context)
+ krb5_ldap_context *ldap_context;
+{
+ if (ldap_context == NULL)
+ return 0;
+
+ krb5_ldap_free_server_context_params(ldap_context);
+
+ k5_mutex_destroy(&ldap_context->hndl_lock);
krb5_xfree(ldap_context);
return(0);
}
-
/*
* check to see if the principal belongs to the default realm.
* The default realm is present in the krb5_ldap_context structure.
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
index c25804b647..ef6786c68e 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -57,9 +57,6 @@ char *principal_attributes[] = { "krbprincipalname",
"loginexpirationtime",
"logindisabled",
#endif
- "loginexpirationtime",
- "logindisabled",
- "modifytimestamp",
"krbLastPwdChange",
"krbExtraData",
"krbObjectReferences",
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c
index b32ba91867..aed6de8c4d 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c
@@ -38,48 +38,35 @@
static char *kdcrights_subtree[][2] = {
{"1#subtree#","#[Entry Rights]"},
- {"2#subtree#","#CN"},
- {"6#subtree#","#ObjectClass"},
+ {"2#subtree#","#ObjectClass"},
{"2#subtree#","#krbTicketPolicyReference"},
{"2#subtree#","#krbUPEnabled"},
{"2#subtree#","#krbHostServer"},
- {"2#subtree#","#krbServiceFlags"},
{"2#subtree#","#krbRealmReferences"},
{"2#subtree#","#krbTicketFlags"},
{"2#subtree#","#krbMaxTicketLife"},
{"2#subtree#","#krbMaxRenewableAge"},
{"2#subtree#","#krbPrincipalName"},
- {"6#subtree#","#krbPrincipalKey"},
+ {"2#subtree#","#krbPrincipalKey"},
{"2#subtree#","#krbPrincipalExpiration"},
{"2#subtree#","#krbPwdPolicyReference"},
{"2#subtree#","#krbMaxPwdLife"},
- {"6#subtree#","#ModifiersName"},
- {"2#subtree#","#PasswordExpirationTime"},
- {"2#subtree#","#PasswordExpirationInterval"},
- {"2#subtree#","#PasswordMinimumLength"},
- {"2#subtree#","#PasswordAllowChange"},
- {"2#subtree#","#LoginDisabled"},
- {"6#subtree#","#LastLoginTime"},
- {"2#subtree#","#LoginExpirationTime"},
- {"6#subtree#","#LoginIntruderAttempts"},
- {"2#subtree#","#IntruderAttemptResetInterval"},
- {"2#subtree#","#LoginIntruderLimit"},
- {"6#subtree#","#LoginIntruderResetTime"},
- {"2#subtree#","#DetectIntruder"},
- {"2#subtree#","#LockoutAfterDetection"},
- {"6#subtree#","#LockedByIntruder"},
- {"2#subtree#","#krbPrincipalReferences"},
+ {"2#subtree#","#krbObjectReferences"},
+ {"2#subtree#","#krbLastPwdChange"},
+ {"6#subtree#","#krbExtraData"},
+ {"2#subtree#","#krbPasswordExpiration"},
+ {"6#subtree#","#krbLastFailedAuth"},
+ {"6#subtree#","#krbLoginFailedCount"},
+ {"6#subtree#","#krbLastSuccessfulAuth"},
{ "", "" }
};
static char *adminrights_subtree[][2]={
{"15#subtree#","#[Entry Rights]"},
- {"6#subtree#","#CN"},
{"6#subtree#","#ObjectClass"},
{"6#subtree#","#krbTicketPolicyReference"},
{"6#subtree#","#krbUPEnabled"},
{"2#subtree#","#krbHostServer"},
- {"2#subtree#","#krbServiceFlags"},
{"2#subtree#","#krbRealmReferences"},
{"6#subtree#","#krbTicketFlags"},
{"6#subtree#","#krbMaxTicketLife"},
@@ -87,41 +74,28 @@ static char *adminrights_subtree[][2]={
{"6#subtree#","#krbPrincipalName"},
{"6#subtree#","#krbPrincipalKey"},
{"6#subtree#","#krbPrincipalExpiration"},
- {"6#subtree#","#ModifiersName"},
- {"6#subtree#","#PasswordExpirationTime"},
- {"2#subtree#","#PasswordExpirationInterval"},
- {"6#subtree#","#PasswordMinimumLength"},
- {"6#subtree#","#PasswordAllowChange"},
- {"6#subtree#","#LoginDisabled"},
- {"2#subtree#","#LastLoginTime"},
- {"2#subtree#","#LoginExpirationTime"},
- {"2#subtree#","#LoginIntruderAttempts"},
- {"6#subtree#","#IntruderAttemptResetInterval"},
- {"6#subtree#","#LoginIntruderLimit"},
- {"6#subtree#","#LoginIntruderResetTime"},
- {"6#subtree#","#DetectIntruder"},
- {"6#subtree#","#LockoutAfterDetection"},
- {"2#subtree#","#LockedByIntruder"},
- {"2#subtree#","#krbPrincipalReferences"},
- {"6#subtree#","#Surname"},
- {"4#subtree#","#passwordManagement"},
{"6#subtree#","#krbPwdHistoryLength"},
{"6#subtree#","#krbMinPwdLife"},
{"6#subtree#","#krbMaxPwdLife"},
{"6#subtree#","#krbPwdMinDiffChars"},
{"6#subtree#","#krbPwdMinLength"},
{"6#subtree#","#krbPwdPolicyReference"},
+ {"6#subtree#","#krbLastPwdChange"},
+ {"6#subtree#","#krbObjectReferences"},
+ {"6#subtree#","#krbExtraData"},
+ {"6#subtree#","#krbPasswordExpiration"},
+ {"2#subtree#","#krbLastFailedAuth"},
+ {"2#subtree#","#krbLoginFailedCount"},
+ {"2#subtree#","#krbLastSuccessfulAuth"},
{ "","" }
};
static char *pwdrights_subtree[][2] = {
{"1#subtree#","#[Entry Rights]"},
- {"2#subtree#","#CN"},
{"2#subtree#","#ObjectClass"},
{"2#subtree#","#krbTicketPolicyReference"},
{"2#subtree#","#krbUPEnabled"},
{"2#subtree#","#krbHostServer"},
- {"2#subtree#","#krbServiceFlags"},
{"2#subtree#","#krbRealmReferences"},
{"6#subtree#","#krbTicketFlags"},
{"2#subtree#","#krbMaxTicketLife"},
@@ -129,21 +103,26 @@ static char *pwdrights_subtree[][2] = {
{"2#subtree#","#krbPrincipalName"},
{"6#subtree#","#krbPrincipalKey"},
{"2#subtree#","#krbPrincipalExpiration"},
- {"4#subtree#","#passwordManagement"},
- {"6#subtree#","#ModifiersName"},
{"2#subtree#","#krbPwdHistoryLength"},
{"2#subtree#","#krbMinPwdLife"},
{"2#subtree#","#krbMaxPwdLife"},
{"2#subtree#","#krbPwdMinDiffChars"},
{"2#subtree#","#krbPwdMinLength"},
{"2#subtree#","#krbPwdPolicyReference"},
+ {"6#subtree#","#krbLastPwdChange"},
+ {"2#subtree#","#krbObjectReferences"},
+ {"6#subtree#","#krbExtraData"},
+ {"6#subtree#","#krbPasswordExpiration"},
+ {"2#subtree#","#krbLastFailedAuth"},
+ {"2#subtree#","#krbLoginFailedCount"},
+ {"2#subtree#","#krbLastSuccessfulAuth"},
{ "", "" }
};
static char *kdcrights_realmcontainer[][2]={
{"1#subtree#","#[Entry Rights]"},
{"2#subtree#","#CN"},
- {"6#subtree#","#ObjectClass"},
+ {"2#subtree#","#ObjectClass"},
{"2#subtree#","#krbTicketPolicyReference"},
{"2#subtree#","#krbMKey"},
{"2#subtree#","#krbUPEnabled"},
@@ -151,33 +130,25 @@ static char *kdcrights_realmcontainer[][2]={
{"2#subtree#","#krbPrincContainerRef"},
{"2#subtree#","#krbSearchScope"},
{"2#subtree#","#krbLdapServers"},
- {"2#subtree#","#krbSupportedEncSaltTypes"},
- {"2#subtree#","#krbDefaultEncSaltTypes"},
{"2#subtree#","#krbKdcServers"},
+ {"2#subtree#","#krbAdmServers"},
{"2#subtree#","#krbPwdServers"},
{"2#subtree#","#krbTicketFlags"},
{"2#subtree#","#krbMaxTicketLife"},
{"2#subtree#","#krbMaxRenewableAge"},
{"2#subtree#","#krbPrincipalName"},
- {"6#subtree#","#krbPrincipalKey"},
+ {"2#subtree#","#krbPrincipalKey"},
{"2#subtree#","#krbPrincipalExpiration"},
{"2#subtree#","#krbPwdPolicyReference"},
{"2#subtree#","#krbMaxPwdLife"},
- {"6#subtree#","#ModifiersName"},
- {"2#subtree#","#PasswordExpirationTime"},
- {"2#subtree#","#PasswordExpirationInterval"},
- {"2#subtree#","#PasswordMinimumLength"},
- {"2#subtree#","#PasswordAllowChange"},
- {"2#subtree#","#LoginDisabled"},
- {"6#subtree#","#LastLoginTime"},
- {"2#subtree#","#LoginExpirationTime"},
- {"6#subtree#","#LoginIntruderAttempts"},
- {"2#subtree#","#IntruderAttemptResetInterval"},
- {"2#subtree#","#LoginIntruderLimit"},
- {"6#subtree#","#LoginIntruderResetTime"},
- {"2#subtree#","#DetectIntruder"},
- {"2#subtree#","#LockoutAfterDetection"},
- {"6#subtree#","#LockedByIntruder"},
+ {"2#subtree#","#krbObjectReferences"},
+ {"2#subtree#","#krbLastPwdChange"},
+ {"6#subtree#","#krbExtraData"},
+ {"2#subtree#","#krbPasswordExpiration"},
+ {"2#subtree#","#krbDefaultEncSaltTypes"},
+ {"6#subtree#","#krbLastFailedAuth"},
+ {"6#subtree#","#krbLoginFailedCount"},
+ {"6#subtree#","#krbLastSuccessfulAuth"},
{ "", "" }
};
@@ -193,9 +164,8 @@ static char *adminrights_realmcontainer[][2]={
{"2#subtree#","#krbPrincContainerRef"},
{"2#subtree#","#krbSearchScope"},
{"2#subtree#","#krbLdapServers"},
- {"2#subtree#","#krbSupportedEncSaltTypes"},
- {"2#subtree#","#krbDefaultEncSaltTypes"},
{"2#subtree#","#krbKdcServers"},
+ {"2#subtree#","#krbAdmServers"},
{"2#subtree#","#krbPwdServers"},
{"6#subtree#","#krbTicketFlags"},
{"6#subtree#","#krbMaxTicketLife"},
@@ -203,28 +173,20 @@ static char *adminrights_realmcontainer[][2]={
{"6#subtree#","#krbPrincipalName"},
{"6#subtree#","#krbPrincipalKey"},
{"6#subtree#","#krbPrincipalExpiration"},
- {"6#subtree#","#ModifiersName"},
- {"6#subtree#","#PasswordExpirationTime"},
- {"2#subtree#","#PasswordExpirationInterval"},
- {"6#subtree#","#PasswordMinimumLength"},
- {"6#subtree#","#PasswordAllowChange"},
- {"6#subtree#","#LoginDisabled"},
- {"2#subtree#","#LastLoginTime"},
- {"2#subtree#","#LoginExpirationTime"},
- {"2#subtree#","#LoginIntruderAttempts"},
- {"6#subtree#","#IntruderAttemptResetInterval"},
- {"6#subtree#","#LoginIntruderLimit"},
- {"6#subtree#","#LoginIntruderResetTime"},
- {"6#subtree#","#DetectIntruder"},
- {"6#subtree#","#LockoutAfterDetection"},
- {"2#subtree#","#LockedByIntruder"},
- {"6#subtree#","#Surname"},
{"6#subtree#","#krbPwdHistoryLength"},
{"6#subtree#","#krbMinPwdLife"},
{"6#subtree#","#krbMaxPwdLife"},
{"6#subtree#","#krbPwdMinDiffChars"},
{"6#subtree#","#krbPwdMinLength"},
{"6#subtree#","#krbPwdPolicyReference"},
+ {"6#subtree#","#krbLastPwdChange"},
+ {"6#subtree#","#krbObjectReferences"},
+ {"6#subtree#","#krbExtraData"},
+ {"6#subtree#","#krbPasswordExpiration"},
+ {"6#subtree#","#krbDefaultEncSaltTypes"},
+ {"2#subtree#","#krbLastFailedAuth"},
+ {"2#subtree#","#krbLoginFailedCount"},
+ {"2#subtree#","#krbLastSuccessfulAuth"},
{ "","" }
};
@@ -240,9 +202,8 @@ static char *pwdrights_realmcontainer[][2]={
{"2#subtree#","#krbPrincContainerRef"},
{"2#subtree#","#krbSearchScope"},
{"2#subtree#","#krbLdapServers"},
- {"2#subtree#","#krbSupportedEncSaltTypes"},
- {"2#subtree#","#krbDefaultEncSaltTypes"},
{"2#subtree#","#krbKdcServers"},
+ {"2#subtree#","#krbAdmServers"},
{"2#subtree#","#krbPwdServers"},
{"6#subtree#","#krbTicketFlags"},
{"2#subtree#","#krbMaxTicketLife"},
@@ -250,13 +211,20 @@ static char *pwdrights_realmcontainer[][2]={
{"2#subtree#","#krbPrincipalName"},
{"6#subtree#","#krbPrincipalKey"},
{"2#subtree#","#krbPrincipalExpiration"},
- {"6#subtree#","#ModifiersName"},
{"2#subtree#","#krbPwdHistoryLength"},
{"2#subtree#","#krbMinPwdLife"},
{"2#subtree#","#krbMaxPwdLife"},
{"2#subtree#","#krbPwdMinDiffChars"},
{"2#subtree#","#krbPwdMinLength"},
{"2#subtree#","#krbPwdPolicyReference"},
+ {"2#subtree#","#krbLastPwdChange"},
+ {"2#subtree#","#krbObjectReferences"},
+ {"6#subtree#","#krbExtraData"},
+ {"6#subtree#","#krbPasswordExpiration"},
+ {"2#subtree#","#krbDefaultEncSaltTypes"},
+ {"2#subtree#","#krbLastFailedAuth"},
+ {"2#subtree#","#krbLoginFailedCount"},
+ {"2#subtree#","#krbLastSuccessfulAuth"},
{ "", "" }
};
@@ -286,16 +254,17 @@ static char *kerberos_container[][2] = {
*/
krb5_error_code
-krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
+krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, contref, mask)
krb5_context context;
int servicetype;
char *serviceobjdn;
char *realmname;
char **subtreeparam;
+ char *contref;
int mask;
{
- int st=0,i=0;
+ int st=0,i=0,j=0;
char *realmacls[2]={NULL}, *subtreeacls[2]={NULL}, *seccontacls[2]={NULL}, *krbcontacls[2]={NULL};
LDAP *ld;
LDAPMod realmclass, subtreeclass, seccontclass, krbcontclass;
@@ -315,23 +284,23 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
goto cleanup;
}
- subtreecount=ldap_context->lrparams->subtreecount;
- subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
- if(subtree == NULL) {
- st = ENOMEM;
- goto cleanup;
+ if (subtreeparam != NULL) {
+ while(subtreeparam[subtreecount])
+ subtreecount++;
+ }
+ if (contref != NULL) {
+ subtreecount++;
}
- /* If the subtree is null, set the value to root */
- if(subtreeparam == NULL) {
- subtree[0] = strdup("");
- if(subtree[0] == NULL) {
+ if (subtreecount) {
+ subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
+ if(subtree == NULL) {
st = ENOMEM;
goto cleanup;
}
- }
- else {
- for (i=0; subtree[i] != NULL && i<subtreecount; i++) {
+ memset(subtree, 0, sizeof(char *) * (subtreecount + 1));
+ if (subtreeparam != NULL) {
+ for(i=0; subtreeparam[i]!=NULL; i++) {
subtree[i] = strdup(subtreeparam[i]);
if(subtree[i] == NULL) {
st = ENOMEM;
@@ -339,6 +308,13 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
}
}
}
+ if (contref != NULL) {
+ subtree[i] = strdup(contref);
+ }
+ }
+
+ /* Set the rights for the realm */
+ if (mask & LDAP_REALM_RIGHTS) {
/* Set the rights for the service object on the security container */
seccontclass.mod_op = LDAP_MOD_ADD;
@@ -396,9 +372,6 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
free(krbcontacls[0]);
}
- /* Set the rights for the realm */
- if (mask & LDAP_REALM_RIGHTS) {
-
/* Construct the realm dn from realm name */
realmdn = (char *)malloc(strlen("cn=") + strlen(realmname) +
strlen(ldap_context->krbcontainer->DN) + 2);
@@ -482,7 +455,7 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
/* Subtree rights to be set */
- if (mask & LDAP_SUBTREE_RIGHTS) {
+ if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) {
/* Populate the acl data to be added to the subtree */
subtreeclass.mod_op = LDAP_MOD_ADD;
subtreeclass.mod_type = "ACL";
@@ -499,9 +472,9 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
subtreearr[0] = &subtreeclass;
/* set rights to a list of subtrees */
- for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
+ for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
st = ldap_modify_ext_s(ld,
- subtree[i],
+ subtree[j],
subtreearr,
NULL,
NULL);
@@ -525,9 +498,9 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
subtreearr[0] = &subtreeclass;
/* set rights to a list of subtrees */
- for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
+ for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
st = ldap_modify_ext_s(ld,
- subtree[i],
+ subtree[j],
subtreearr,
NULL,
NULL);
@@ -551,9 +524,9 @@ krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subt
subtreearr[0] = &subtreeclass;
/* set rights to a list of subtrees */
- for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
+ for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
st = ldap_modify_ext_s(ld,
- subtree[i],
+ subtree[j],
subtreearr,
NULL,
NULL);
@@ -595,16 +568,17 @@ cleanup:
*/
krb5_error_code
-krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
+krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, contref, mask)
krb5_context context;
int servicetype;
char *serviceobjdn;
char *realmname;
char **subtreeparam;
+ char *contref;
int mask;
{
- int st=0,i=0;
+ int st=0,i=0,j=0;
char *realmacls[2] = { NULL }, *subtreeacls[2] = { NULL };
LDAP *ld;
LDAPMod realmclass, subtreeclass;
@@ -625,31 +599,34 @@ krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, s
goto cleanup;
}
- subtreecount = 1;
+ if (subtreeparam != NULL) {
while(subtreeparam[subtreecount])
subtreecount++;
- subtree = (char **) malloc(sizeof(char *) * subtreecount + 1);
- if(subtree == NULL) {
- st = ENOMEM;
- goto cleanup;
+ }
+ if (contref != NULL) {
+ subtreecount++;
}
- /* If the subtree is null, set the value to root */
- if(subtreeparam == NULL) {
- subtree[0] = strdup("");
- if(subtree[0] == NULL) {
+ if (subtreecount) {
+ subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
+ if(subtree == NULL) {
st = ENOMEM;
goto cleanup;
}
- }
- else {
- for(i=0; subtreeparam[i]!=NULL && i<subtreecount; i++)
+ memset(subtree, 0, sizeof(char *) * (subtreecount + 1));
+ if (subtreeparam != NULL) {
+ for(i=0; subtreeparam[i]!=NULL; i++) {
subtree[i] = strdup(subtreeparam[i]);
if(subtree[i] == NULL) {
st = ENOMEM;
goto cleanup;
}
}
+ }
+ if (contref != NULL) {
+ subtree[i] = strdup(contref);
+ }
+ }
/* Set the rights for the realm */
@@ -738,7 +715,7 @@ krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, s
/* Set the rights for the subtree */
- if (mask & LDAP_SUBTREE_RIGHTS) {
+ if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) {
/* Populate the acl data to be added to the subtree */
subtreeclass.mod_op=LDAP_MOD_DELETE;
@@ -755,9 +732,9 @@ krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, s
subtreearr[0]=&subtreeclass;
- for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
+ for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
st = ldap_modify_ext_s(ld,
- subtree[i],
+ subtree[j],
subtreearr,
NULL,
NULL);
@@ -780,9 +757,9 @@ krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, s
subtreearr[0]=&subtreeclass;
- for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
+ for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
st = ldap_modify_ext_s(ld,
- subtree[i],
+ subtree[j],
subtreearr,
NULL,
NULL);
@@ -805,9 +782,9 @@ krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, s
subtreearr[0]=&subtreeclass;
- for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
+ for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
st = ldap_modify_ext_s(ld,
- subtree[i],
+ subtree[j],
subtreearr,
NULL,
NULL);
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h
index d4bbb077de..0ad580d13e 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h
@@ -88,10 +88,10 @@ krb5_error_code
krb5_ldap_set_service_passwd( krb5_context, char *, char *);
krb5_error_code
-krb5_ldap_add_service_rights( krb5_context, int, char *, char *, char **, int);
+krb5_ldap_add_service_rights( krb5_context, int, char *, char *, char **, char *, int);
krb5_error_code
-krb5_ldap_delete_service_rights( krb5_context, int, char *, char *, char **, int);
+krb5_ldap_delete_service_rights( krb5_context, int, char *, char *, char **, char *, int);
#endif
#endif
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
index bd55f0a5d4..2f6a26fe96 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
+++ b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
@@ -33,6 +33,7 @@ krb5_ldap_free_password_policy
krb5_ldap_iterate_password_policy
krb5_dbe_free_contents
krb5_ldap_free_server_params
+krb5_ldap_free_server_context_params
krb5_ldap_free_krbcontainer_params
krb5_ldap_alloc
krb5_ldap_free
generated by cgit (git 2.34.1) at 2026-01-08 07:56:25 +0000