Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_pwdpolicy.c')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_pwdpolicy.c165
1 files changed, 110 insertions, 55 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
index 076314a12..471860146 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -34,7 +34,7 @@ char *std_pwdpolicy_attrs[] = {
"krbpwdmaxfailure",
"krbpwdfailurecountinterval",
"krbpwdlockoutduration",
-
+ "cn",
NULL
};
@@ -133,62 +133,40 @@ krb5_error_code ipadb_create_pwd_policy(krb5_context kcontext,
return KRB5_PLUGIN_OP_NOTSUPP;
}
-krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
- osa_policy_ent_t *policy)
+void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val)
+{
+ if (val) {
+ free(val->name);
+ free(val->allowed_keysalts);
+ free(val);
+ }
+}
+
+krb5_error_code ipadb_parse_pwd_policy_entry(struct ipadb_context *ipactx,
+ LDAPMessage *lentry,
+ osa_policy_ent_t *policy)
{
- struct ipadb_context *ipactx;
- char *esc_name = NULL;
- char *src_filter = NULL;
- krb5_error_code kerr;
- LDAPMessage *res = NULL;
- LDAPMessage *lentry;
osa_policy_ent_t pentry = NULL;
+ krb5_error_code kerr;
uint32_t result;
int ret;
- ipactx = ipadb_get_context(kcontext);
- if (!ipactx) {
- return KRB5_KDB_DBNOTINITED;
- }
-
- esc_name = ipadb_filter_escape(name, true);
- if (!esc_name) {
- return ENOMEM;
- }
-
- ret = asprintf(&src_filter, POLICY_SEARCH_FILTER, esc_name);
- if (ret == -1) {
- kerr = KRB5_KDB_INTERNAL_ERROR;
- goto done;
- }
-
- kerr = ipadb_simple_search(ipactx,
- ipactx->realm_base, LDAP_SCOPE_SUBTREE,
- src_filter, std_pwdpolicy_attrs, &res);
- if (kerr) {
- goto done;
- }
-
- lentry = ldap_first_entry(ipactx->lcontext, res);
- if (!lentry) {
- kerr = KRB5_KDB_INTERNAL_ERROR;
- goto done;
- }
-
pentry = calloc(1, sizeof(osa_policy_ent_rec));
if (!pentry) {
kerr = ENOMEM;
goto done;
}
pentry->version = 1;
- pentry->name = strdup(name);
- if (!pentry->name) {
- kerr = ENOMEM;
- goto done;
- }
/* FIXME: what to do with missing attributes ? */
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "cn", &pentry->name);
+ if (ret != 0) {
+ kerr = KRB5_KDB_INTERNAL_ERROR;
+ goto done;
+ }
+
ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
"krbMinPwdLife", &result);
if (ret == 0) {
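Review bot: The `/* FIXME: what to do with missing attributes ? */` comment now sits directly above the new `cn` lookup, which does answer the question for that attribute (a missing cn is a hard KRB5_KDB_INTERNAL_ERROR), so it reads as if the cn handling were still open; move it below the `cn` block, just above the `krbMinPwdLife` conversion where the ignore-if-absent handling it refers to begins. Note also that `pentry->name` is now the directory's `cn` value rather than the caller's `name` argument, so an entry that matched case-insensitively in LDAP can presumably come back with a differently-cased policy name than the one requested; worth a one-line comment if any caller compares the two. `ipadb_parse_pwd_policy_entry` is not marked `static` while `search_pwd_policy_entry` later in this commit is; unless it is declared in a header, `static krb5_error_code ipadb_parse_pwd_policy_entry(...)` would keep it file-local. The function body continues past the end of this hunk.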
@@ -245,18 +223,76 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
}
*policy = pentry;
+ kerr = 0;
done:
if (kerr) {
- free(pentry);
+ ipadb_free_pwd_policy(NULL, pentry);
+ }
+
+ return kerr;
+}
+
+static krb5_error_code search_pwd_policy_entry(struct ipadb_context *ipactx,
+ char *match_entry, bool exact,
+ LDAPMessage **res)
+{
+ char *src_filter = NULL;
+ char *esc_name = NULL;
+ krb5_error_code kerr;
+ int ret;
+
+ esc_name = ipadb_filter_escape((match_entry ? match_entry : "*"), exact);
+ if (!esc_name) {
+ return ENOMEM;
}
+
+ ret = asprintf(&src_filter, POLICY_SEARCH_FILTER, esc_name);
+ if (ret == -1) {
+ kerr = KRB5_KDB_INTERNAL_ERROR;
+ goto done;
+ }
+
+ kerr = ipadb_simple_search(ipactx,
+ ipactx->realm_base, LDAP_SCOPE_SUBTREE,
+ src_filter, std_pwdpolicy_attrs, res);
+
+done:
free(esc_name);
free(src_filter);
- ldap_msgfree(res);
return kerr;
}
+krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
+ osa_policy_ent_t *policy)
+{
+ struct ipadb_context *ipactx;
+ krb5_error_code kerr;
+ LDAPMessage *res = NULL;
+ LDAPMessage *lentry;
+
+ ipactx = ipadb_get_context(kcontext);
+ if (!ipactx) {
+ return KRB5_KDB_DBNOTINITED;
+ }
+
+ kerr = search_pwd_policy_entry(ipactx, name, true, &res);
+ if (kerr) return kerr;
+
+ lentry = ldap_first_entry(ipactx->lcontext, res);
+ if (!lentry) {
+ kerr = KRB5_KDB_INTERNAL_ERROR;
+ goto done;
+ }
+
+ kerr = ipadb_parse_pwd_policy_entry(ipactx, lentry, policy);
+
+done:
+ ldap_msgfree(res);
+ return kerr;
+}
+
krb5_error_code ipadb_put_pwd_policy(krb5_context kcontext,
osa_policy_ent_t policy)
{
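Review bot: `search_pwd_policy_entry` documents neither its `exact` flag nor what a NULL `match_entry` means, and the distinction matters because with `exact == false` the caller-supplied pattern reaches the LDAP filter with its wildcards presumably left intact, making `ipadb_filter_escape` the only thing between that string and the filter. Suggested header comment: `/* Search policy entries whose cn matches match_entry (NULL matches all). exact == true escapes wildcards so only a literal name matches; exact == false leaves them for LDAP to expand. Caller owns *res and must ldap_msgfree() it. */`. `match_entry` is never written through, so `const char *match_entry` would state that in the signature. Separately, `ipadb_get_pwd_policy` still reports an absent policy as KRB5_KDB_INTERNAL_ERROR at the `ldap_first_entry` check; that is carried over from the old code, but since the function was rewritten it may be worth returning KRB5_KDB_NOENTRY there so callers can tell "not found" from a directory failure.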
@@ -268,7 +304,35 @@ krb5_error_code ipadb_iterate_pwd_policy(krb5_context kcontext,
osa_adb_iter_policy_func func,
void *data)
{
- return KRB5_PLUGIN_OP_NOTSUPP;
+ struct ipadb_context *ipactx;
+ krb5_error_code kerr;
+ LDAPMessage *res = NULL;
+ LDAPMessage *lentry;
+ osa_policy_ent_t policy;
+
+ ipactx = ipadb_get_context(kcontext);
+ if (!ipactx) {
+ return KRB5_KDB_DBNOTINITED;
+ }
+
+ kerr = search_pwd_policy_entry(ipactx, match_entry, false, &res);
+ if (kerr) return kerr;
+
+ lentry = ldap_first_entry(ipactx->lcontext, res);
+ while (lentry) {
+ policy = NULL;
+
+ kerr = ipadb_parse_pwd_policy_entry(ipactx, lentry, &policy);
+ if (kerr == 0) {
+ func(data, policy);
+ }
+ ipadb_free_pwd_policy(kcontext, policy);
+
+ lentry = ldap_next_entry(ipactx->lcontext, lentry);
+ }
+
+ ldap_msgfree(res);
+ return kerr;
}
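Review bot: A parse failure in the middle of the result set is lost: `kerr` is overwritten on every iteration, so `ipadb_iterate_pwd_policy` returns 0 whenever the last entry parses cleanly even though earlier entries were silently skipped without reaching `func`. Either stop at the first failure — replace the `if (kerr == 0) { func(data, policy); }` block with `if (kerr != 0) break;` followed by `func(data, policy);` (policy is already NULL on that path, and `ldap_msgfree(res)` after the loop still runs) — or keep a separate first-error variable and return it after the loop. The callback receives `policy` and it is freed on the very next line, so `/* policy is freed right after the callback; func must copy anything it keeps */` above the call would make the ownership explicit. `match_entry` is used here but declared in the signature outside this hunk.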
krb5_error_code ipadb_delete_pwd_policy(krb5_context kcontext,
@@ -277,15 +341,6 @@ krb5_error_code ipadb_delete_pwd_policy(krb5_context kcontext,
return KRB5_PLUGIN_OP_NOTSUPP;
}
-void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val)
-{
- if (val) {
- free(val->name);
- free(val->allowed_keysalts);
- free(val);
- }
-}
-
krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
krb5_kdc_req *request,
krb5_db_entry *client,