| author | Greg Hudson <ghudson@mit.edu> | 2009-11-24 23:52:25 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2009-11-24 23:52:25 +0000 |
| commit | 1db2647c62d10cccadadabacba7224eb565ec042 (patch) | |
| tree | 850eea7750db1c0247652069637ce2df2d94396e /src/plugins/kdb/ldap/ldap_util | |
| parent | b4fef608040800e4927c10146d6d386f97335e06 (diff) | |
| download | krb5-1db2647c62d10cccadadabacba7224eb565ec042.tar.gz krb5-1db2647c62d10cccadadabacba7224eb565ec042.tar.xz krb5-1db2647c62d10cccadadabacba7224eb565ec042.zip | |
Mark and reindent plugins, except for pkinit, which needs a little
cleanup first.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23353 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/kdb/ldap/ldap_util')
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.c | 237 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.h | 13 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c | 870 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.h | 1 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c | 3177 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.h | 27 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c | 2695 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h | 35 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c | 552 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h | 9 |
10 files changed, 3792 insertions, 3824 deletions
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.c index 09b50797d..f8dce07b3 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_list.c */ @@ -39,15 +40,16 @@ /* * Counts the number of entries in the given array of strings */ -int list_count_str_array(char **list) +int +list_count_str_array(char **list) { int i = 0; if (list == NULL) - return 0; + return 0; for (i = 0; *list != NULL; list++) { - i++; + i++; } return i; @@ -57,15 +59,16 @@ int list_count_str_array(char **list) /* * Counts the number of entries in the given array of integers */ -int list_count_int_array(int *list) +int +list_count_int_array(int *list) { int i = 0; if (list == NULL) - return 0; + return 0; for (i = 0; *list != END_OF_LIST; list++) { - i++; + i++; } return i; @@ -75,14 +78,14 @@ int list_count_int_array(int *list) /* * Frees the entries in a given list and not the list pointer */ -void krb5_free_list_entries(list) - char **list; +void +krb5_free_list_entries(char **list) { if (list == NULL) - return; + return; for (; *list != NULL; list++) { - free(*list); - *list = NULL; + free(*list); + *list = NULL; } return; @@ -94,10 +97,7 @@ void krb5_free_list_entries(list) * and return the result as a list */ krb5_error_code -krb5_parse_list(buffer, delimiter, list) - char *buffer; - char *delimiter; - char **list; +krb5_parse_list(char *buffer, char *delimiter, char **list) { char *str = NULL; char *token = NULL; 
@@ -107,40 +107,39 @@ krb5_parse_list(buffer, delimiter, list) int count = 0; if ((buffer == NULL) || (list == NULL) || (delimiter == NULL)) { - return EINVAL; + return EINVAL; } str = strdup(buffer); if (str == NULL) - return ENOMEM; + return ENOMEM; token = strtok_r(str, delimiter, &ptrptr); for (count = 1; ((token != NULL) && (count < MAX_LIST_ENTRIES)); - plist++, count++) { - *plist = strdup(token); - if (*plist == NULL) { - retval = ENOMEM; - goto cleanup; - } - token = strtok_r(NULL, delimiter, &ptrptr); + plist++, count++) { + *plist = strdup(token); + if (*plist == NULL) { + retval = ENOMEM; + goto cleanup; + } + token = strtok_r(NULL, delimiter, &ptrptr); } *plist = NULL; cleanup: if (str) { - free(str); - str = NULL; + free(str); + str = NULL; } if (retval) - krb5_free_list_entries(list); + krb5_free_list_entries(list); return retval; } -int compare_int(m1, m2) - const void *m1; - const void *m2; +int +compare_int(const void *m1, const void *m2) { int mi1 = *(const int *)m1; int mi2 = *(const int *)m2; @@ -154,10 +153,8 @@ int compare_int(m1, m2) * entries present in the source list, depending on the mode * (ADD or DELETE). */ -void list_modify_str_array(destlist, sourcelist, mode) - char ***destlist; - const char **sourcelist; - int mode; +void +list_modify_str_array(char ***destlist, const char **sourcelist, int mode) { char **dlist = NULL, **tmplist = NULL; const char **slist = NULL; 
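Review bot: In krb5_parse_list the strtok_r loop stops at `count < MAX_LIST_ENTRIES` and silently discards every token after the 63rd, then returns 0 as if the whole buffer had been parsed, so a caller has no way to learn that the list was truncated. A one-line check after the loop would make the limit explicit, e.g. `if (token != NULL) { retval = EINVAL; goto cleanup; }` (or whichever error code this module uses for over-long input), and the header comment should state the MAX_LIST_ENTRIES - 1 ceiling and that `list` must have room for MAX_LIST_ENTRIES pointers. The `if (str) { free(str); ... }` guard in cleanup is redundant since free(NULL) is a no-op. The function's signature and the declaration of `plist` are in the preceding hunk, outside this one.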
@@ -165,52 +162,52 @@ void list_modify_str_array(destlist, sourcelist, mode) int found = 0; if ((destlist == NULL) || (*destlist == NULL) || (sourcelist == NULL)) - return; + return; /* We need to add every entry present in the source list to * the destination list */ if (mode == LIST_MODE_ADD) { - /* Traverse throught the end of destlist for appending */ - for (dlist = *destlist, dcount = 0; *dlist != NULL; - dlist++, dcount++) { - ; /* NULL statement */ - } - /* Count the number of entries in the source list */ - for (slist = sourcelist, scount = 0; *slist != NULL; - slist++, scount++) { - ; /* NULL statement */ - } - /* Reset the slist pointer to the start of source list */ - slist = sourcelist; - - /* Now append the source list to the existing destlist */ - if ((dcount + scount) < MAX_LIST_ENTRIES) - copycount = scount; - else - /* Leave the last entry for list terminator(=NULL) */ - copycount = (MAX_LIST_ENTRIES -1) - dcount; - - memcpy(dlist, slist, (sizeof(char *) * copycount)); - dlist += copycount; - *dlist = NULL; + /* Traverse throught the end of destlist for appending */ + for (dlist = *destlist, dcount = 0; *dlist != NULL; + dlist++, dcount++) { + ; /* NULL statement */ + } + /* Count the number of entries in the source list */ + for (slist = sourcelist, scount = 0; *slist != NULL; + slist++, scount++) { + ; /* NULL statement */ + } + /* Reset the slist pointer to the start of source list */ + slist = sourcelist; + + /* Now append the source list to the existing destlist */ + if ((dcount + scount) < MAX_LIST_ENTRIES) + copycount = scount; + else + /* Leave the last entry for list terminator(=NULL) */ + copycount = (MAX_LIST_ENTRIES -1) - dcount; + + memcpy(dlist, slist, (sizeof(char *) * copycount)); + dlist += copycount; + *dlist = NULL; } else if (mode == LIST_MODE_DELETE) { - /* We need to delete every entry present in the source list - * from the destination list */ - for (slist = sourcelist; *slist != NULL; slist++) { - for (dlist = *destlist; 
*dlist != NULL; dlist++) { - found = 0; /* value not found */ - /* DN is case insensitive string */ - if (strcasecmp(*dlist, *slist) == 0) { - found = 1; - free(*dlist); - /* Advance the rest of the entries by one */ - for (tmplist = dlist; *tmplist != NULL; tmplist++) { - *tmplist = *(tmplist+1); - } - break; - } - } - } + /* We need to delete every entry present in the source list + * from the destination list */ + for (slist = sourcelist; *slist != NULL; slist++) { + for (dlist = *destlist; *dlist != NULL; dlist++) { + found = 0; /* value not found */ + /* DN is case insensitive string */ + if (strcasecmp(*dlist, *slist) == 0) { + found = 1; + free(*dlist); + /* Advance the rest of the entries by one */ + for (tmplist = dlist; *tmplist != NULL; tmplist++) { + *tmplist = *(tmplist+1); + } + break; + } + } + } } return; @@ -222,10 +219,8 @@ void list_modify_str_array(destlist, sourcelist, mode) * entries present in the source list, depending on the mode * (ADD or DELETE). where the list is array of integers. */ -int list_modify_int_array(destlist, sourcelist, mode) - int *destlist; - const int *sourcelist; - int mode; +int +list_modify_int_array(int *destlist, const int *sourcelist, int mode) { int *dlist = NULL, *tmplist = NULL; const int *slist = NULL; 
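Review bot: In the LIST_MODE_ADD branch of list_modify_str_array, `copycount = (MAX_LIST_ENTRIES -1) - dcount;` becomes negative as soon as the destination already holds MAX_LIST_ENTRIES - 1 or more entries, and `sizeof(char *) * copycount` then converts that negative int to a huge size_t, so memcpy writes past destlist; whether dcount can reach that value depends on how callers size destlist, which is not visible here. A clamp keeps the arithmetic safe: `copycount = (dcount < MAX_LIST_ENTRIES - 1) ? (MAX_LIST_ENTRIES - 1) - dcount : 0;`, and the same expression in list_modify_int_array (hunk @@ -233,53 +228,53 @@) needs the same treatment. The copy is of the char pointers themselves, so after ADD the destination aliases the source strings while DELETE mode calls free() on matched entries; a comment stating who owns the strings after each mode would save the next reader from guessing. `found` is assigned in the DELETE loop but never read and can be dropped. The function's signature is in the previous hunk, outside this one.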
@@ -233,53 +228,53 @@ int list_modify_int_array(destlist, sourcelist, mode) int tcount = 0; if ((destlist == NULL) || (sourcelist == NULL)) - return 0; + return 0; /* We need to add every entry present in the source list to the * destination list */ if (mode == LIST_MODE_ADD) { - /* Traverse throught the end of destlist for appending */ - for (dlist = destlist, dcount = 0; *dlist != END_OF_LIST; - dlist++, dcount++) - ; /* NULL statement */ - - /* Count the number of entries in the source list */ - for (slist = sourcelist, scount = 0; *slist != END_OF_LIST; - slist++, scount++) - ; /* NULL statement */ - - /* Reset the slist pointer to the start of source list */ - slist = sourcelist; - - /* Now append the source list to the existing destlist */ - if ((dcount + scount) < MAX_LIST_ENTRIES) - copycount = scount; - else - /* Leave the last entry for list terminator(=NULL) */ - copycount = (MAX_LIST_ENTRIES -1) - dcount; - - memcpy(dlist, slist, (sizeof(int) * copycount)); - dlist += copycount; - *dlist = END_OF_LIST; - tcount = dcount + copycount; + /* Traverse throught the end of destlist for appending */ + for (dlist = destlist, dcount = 0; *dlist != END_OF_LIST; + dlist++, dcount++) + ; /* NULL statement */ + + /* Count the number of entries in the source list */ + for (slist = sourcelist, scount = 0; *slist != END_OF_LIST; + slist++, scount++) + ; /* NULL statement */ + + /* Reset the slist pointer to the start of source list */ + slist = sourcelist; + + /* Now append the source list to the existing destlist */ + if ((dcount + scount) < MAX_LIST_ENTRIES) + copycount = scount; + else + /* Leave the last entry for list terminator(=NULL) */ + copycount = (MAX_LIST_ENTRIES -1) - dcount; + + memcpy(dlist, slist, (sizeof(int) * copycount)); + dlist += copycount; + *dlist = END_OF_LIST; + tcount = dcount + copycount; } else if (mode == LIST_MODE_DELETE) { - /* We need to delete every entry present in the source list from - * the destination list */ - for (slist = 
sourcelist; *slist != END_OF_LIST; slist++) { - for (dlist = destlist; *dlist != END_OF_LIST; dlist++) { - if (*dlist == *slist) { - /* Advance the rest of the entries by one */ - for (tmplist = dlist; *tmplist != END_OF_LIST; tmplist++) { - *tmplist = *(tmplist+1); - } - break; - } - } - } - /* count the number of entries */ - for (dlist = destlist, tcount = 0; *dlist != END_OF_LIST; dlist++) { - tcount++; - } + /* We need to delete every entry present in the source list from + * the destination list */ + for (slist = sourcelist; *slist != END_OF_LIST; slist++) { + for (dlist = destlist; *dlist != END_OF_LIST; dlist++) { + if (*dlist == *slist) { + /* Advance the rest of the entries by one */ + for (tmplist = dlist; *tmplist != END_OF_LIST; tmplist++) { + *tmplist = *(tmplist+1); + } + break; + } + } + } + /* count the number of entries */ + for (dlist = destlist, tcount = 0; *dlist != END_OF_LIST; dlist++) { + tcount++; + } } return tcount; diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.h index a251fde3f..ff6bde2f5 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.h +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_list.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_list.h */ 
@@ -30,12 +31,12 @@ */ -#define MAX_LIST_ENTRIES 64 -#define END_OF_LIST -1 /* End of List */ -#define LIST_DELIMITER ":" /* List entry separator */ -#define LIST_MODE_ADD 0x701 /* Add to the List */ -#define LIST_MODE_DELETE 0x702 /* Delete from the list */ -#define MAX_LEN_LIST_ENTRY 512 /* Max len of an entry */ +#define MAX_LIST_ENTRIES 64 +#define END_OF_LIST -1 /* End of List */ +#define LIST_DELIMITER ":" /* List entry separator */ +#define LIST_MODE_ADD 0x701 /* Add to the List */ +#define LIST_MODE_DELETE 0x702 /* Delete from the list */ +#define MAX_LEN_LIST_ENTRY 512 /* Max len of an entry */ extern krb5_error_code krb5_parse_list(char *buffer, char *delimiter, char **list); extern void krb5_free_list_entries(char **list); diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c index b22e63184..4cb3c46ad 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_policy.c */ @@ -48,7 +49,9 @@ static char *strdur(time_t duration); extern char *yes; extern kadm5_config_params global_params; -static krb5_error_code init_ldap_realm (int argc, char *argv[]) { +static krb5_error_code +init_ldap_realm(int argc, char *argv[]) +{ /* This operation is being performed in the context of a realm. So, * initialize the realm */ int mask = 0; @@ -65,7 +68,7 @@ static krb5_error_code init_ldap_realm (int argc, char *argv[]) { if (ldap_context->krbcontainer == NULL) { retval = krb5_ldap_read_krbcontainer_params (util_context, - &(ldap_context->krbcontainer)); + &(ldap_context->krbcontainer)); if (retval != 0) { com_err(progname, retval, "while reading kerberos container information"); goto cleanup; 
@@ -74,9 +77,9 @@ static krb5_error_code init_ldap_realm (int argc, char *argv[]) { if (ldap_context->lrparams == NULL) { retval = krb5_ldap_read_realm_params(util_context, - global_params.realm, - &(ldap_context->lrparams), - &mask); + global_params.realm, + &(ldap_context->lrparams), + &mask); if (retval != 0) { goto cleanup; @@ -91,9 +94,7 @@ cleanup: * specified attributes. */ void -kdb5_ldap_create_policy(argc, argv) - int argc; - char *argv[]; +kdb5_ldap_create_policy(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; @@ -107,14 +108,14 @@ kdb5_ldap_create_policy(argc, argv) /* Check for number of arguments */ if ((argc < 2) || (argc > 16)) { - goto err_usage; + goto err_usage; } /* Allocate memory for policy parameters structure */ policyparams = (krb5_ldap_policy_params*) calloc(1, sizeof(krb5_ldap_policy_params)); if (policyparams == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } /* Get current time */ 
@@ -122,161 +123,161 @@ kdb5_ldap_create_policy(argc, argv) /* Parse all arguments */ for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-maxtktlife")) { - if (++i > argc - 1) - goto err_usage; - - date = get_date(argv[i]); - if (date == (time_t)(-1)) { - retval = EINVAL; - com_err (me, retval, "while providing time specification"); - goto err_nomsg; - } - - policyparams->maxtktlife = date - now; - - mask |= LDAP_POLICY_MAXTKTLIFE; - } else if (!strcmp(argv[i], "-maxrenewlife")) { - if (++i > argc - 1) - goto err_usage; - - date = get_date(argv[i]); - if (date == (time_t)(-1)) { - retval = EINVAL; - com_err (me, retval, "while providing time specification"); - goto err_nomsg; - } - - policyparams->maxrenewlife = date - now; - - mask |= LDAP_POLICY_MAXRENEWLIFE; - } else if (!strcmp((argv[i] + 1), "allow_postdated")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_forwardable")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_renewable")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_proxiable")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), 
"allow_dup_skey")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "requires_preauth")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "requires_hwauth")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_svr")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_tix")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "needchange")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else if 
(!strcmp((argv[i] + 1), "password_changing_service")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); - else - goto err_usage; - - mask |= LDAP_POLICY_TKTFLAGS; - } else { /* Any other argument must be policy DN */ - /* First check if policy DN is already provided -- - if so, there's a usage error */ + if (!strcmp(argv[i], "-maxtktlife")) { + if (++i > argc - 1) + goto err_usage; + + date = get_date(argv[i]); + if (date == (time_t)(-1)) { + retval = EINVAL; + com_err (me, retval, "while providing time specification"); + goto err_nomsg; + } + + policyparams->maxtktlife = date - now; + + mask |= LDAP_POLICY_MAXTKTLIFE; + } else if (!strcmp(argv[i], "-maxrenewlife")) { + if (++i > argc - 1) + goto err_usage; + + date = get_date(argv[i]); + if (date == (time_t)(-1)) { + retval = EINVAL; + com_err (me, retval, "while providing time specification"); + goto err_nomsg; + } + + policyparams->maxrenewlife = date - now; + + mask |= LDAP_POLICY_MAXRENEWLIFE; + } else if (!strcmp((argv[i] + 1), "allow_postdated")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_forwardable")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_renewable")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if 
(!strcmp((argv[i] + 1), "allow_proxiable")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "requires_preauth")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "requires_hwauth")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_svr")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_tix")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; + else + goto err_usage; + + mask |= 
LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "needchange")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "password_changing_service")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); + else + goto err_usage; + + mask |= LDAP_POLICY_TKTFLAGS; + } else { /* Any other argument must be policy DN */ + /* First check if policy DN is already provided -- + if so, there's a usage error */ if (policyparams->policy != NULL) - goto err_usage; + goto err_usage; - /* If not present already, fill up policy DN */ + /* If not present already, fill up policy DN */ policyparams->policy = strdup(argv[i]); if (policyparams->policy == NULL) { - retval = ENOMEM; - com_err(me, retval, "while creating policy object"); - goto err_nomsg; - } - } + retval = ENOMEM; + com_err(me, retval, "while creating policy object"); + goto err_nomsg; + } + } } /* policy DN is a mandatory argument. If not provided, print usage */ if (policyparams->policy == NULL) - goto err_usage; + goto err_usage; if ((retval = init_ldap_realm (argc, argv))) { com_err(me, retval, "while reading realm information"); @@ -285,7 +286,7 @@ kdb5_ldap_create_policy(argc, argv) /* Create object with all attributes provided */ if ((retval = krb5_ldap_create_policy(util_context, policyparams, mask)) != 0) - goto cleanup; + goto cleanup; goto cleanup; 
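Review bot: Every ticket-flag branch in kdb5_ldap_create_policy evaluates `strcmp((argv[i] + 1), ...)` before anything confirms argv[i] has a first character, so an empty-string argument makes `argv[i] + 1` point one past the terminator and strcmp reads beyond the string. A guard at the top of the loop body, `if (argv[i][0] == '\0') goto err_usage;`, closes that; the same pattern is repeated in kdb5_ldap_modify_policy's pass 1 (hunk @@ -441,57 +438,57 @@) and pass 2 (hunk @@ -499,151 +496,151 @@). Note also that the final `else` takes any argument that matched no flag as the policy DN, so a misspelled `-allow_tix` is silently accepted as a DN rather than rejected as usage. As a point of style, the twelve near-identical +/- branches differ only in the flag constant and whether '+' sets or clears it, which a small static table of {name, flag, set_on_plus} walked once per argument would express in a fraction of the lines. The function's header and the declarations of `mask`, `now` and `date` are in the preceding hunks.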
@@ -300,13 +301,13 @@ cleanup: krb5_ldap_free_policy (util_context, policyparams); if (print_usage) - db_usage(CREATE_POLICY); + db_usage(CREATE_POLICY); if (retval) { - if (!no_msg) - com_err(me, retval, "while creating policy object"); + if (!no_msg) + com_err(me, retval, "while creating policy object"); - exit_status++; + exit_status++; } return; @@ -318,9 +319,7 @@ cleanup: * object interactively, unless forced through an option. */ void -kdb5_ldap_destroy_policy(argc, argv) - int argc; - char *argv[]; +kdb5_ldap_destroy_policy(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; 
@@ -334,55 +333,55 @@ kdb5_ldap_destroy_policy(argc, argv) int i = 0; if ((argc < 2) || (argc > 3)) { - goto err_usage; + goto err_usage; } for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "-force") == 0) { - force++; - } else { /* Any other argument must be policy DN */ - /* First check if policy DN is already provided -- - if so, there's a usage error */ + if (strcmp(argv[i], "-force") == 0) { + force++; + } else { /* Any other argument must be policy DN */ + /* First check if policy DN is already provided -- + if so, there's a usage error */ if (policy != NULL) - goto err_usage; + goto err_usage; - /* If not present already, fill up policy DN */ + /* If not present already, fill up policy DN */ policy = strdup(argv[i]); if (policy == NULL) { - retval = ENOMEM; - com_err(me, retval, "while destroying policy object"); - goto err_nomsg; - } - } + retval = ENOMEM; + com_err(me, retval, "while destroying policy object"); + goto err_nomsg; + } + } } if (policy == NULL) - goto err_usage; + goto err_usage; if (!force) { printf("This will delete the policy object '%s', are you sure?\n", policy); - printf("(type 'yes' to confirm)? "); + printf("(type 'yes' to confirm)? "); - if (fgets(buf, sizeof(buf), stdin) == NULL) { - retval = EINVAL; - goto cleanup; - } + if (fgets(buf, sizeof(buf), stdin) == NULL) { + retval = EINVAL; + goto cleanup; + } - if (strcmp(buf, yes)) { - exit_status++; - goto cleanup; - } + if (strcmp(buf, yes)) { + exit_status++; + goto cleanup; + } } if ((retval = init_ldap_realm (argc, argv))) goto err_nomsg; if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask))) - goto cleanup; + goto cleanup; if ((retval = krb5_ldap_delete_policy(util_context, policy))) - goto cleanup; + goto cleanup; printf("** policy object '%s' deleted.\n", policy); goto cleanup; 
@@ -399,18 +398,18 @@ cleanup: krb5_ldap_free_policy (util_context, policyparams); if (policy) { - free (policy); + free (policy); } if (print_usage) { - db_usage(DESTROY_POLICY); + db_usage(DESTROY_POLICY); } if (retval) { - if (!no_msg) - com_err(me, retval, "while destroying policy object"); + if (!no_msg) + com_err(me, retval, "while destroying policy object"); - exit_status++; + exit_status++; } return; @@ -422,9 +421,7 @@ cleanup: * policy object. */ void -kdb5_ldap_modify_policy(argc, argv) - int argc; - char *argv[]; +kdb5_ldap_modify_policy(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; 
@@ -441,57 +438,57 @@ kdb5_ldap_modify_policy(argc, argv) since atleast one parameter should be given in addition to 'modify_policy' and policy DN */ if ((argc < 3) || (argc > 16)) { - goto err_usage; + goto err_usage; } /* Parse all arguments, only to pick up policy DN (Pass 1) */ for (i = 1; i < argc; i++) { - /* Skip arguments next to 'maxtktlife' - and 'maxrenewlife' arguments */ - if (!strcmp(argv[i], "-maxtktlife")) { - ++i; - } else if (!strcmp(argv[i], "-maxrenewlife")) { - ++i; - } - /* Do nothing for ticket flag arguments */ - else if (!strcmp((argv[i] + 1), "allow_postdated") || - !strcmp((argv[i] + 1), "allow_forwardable") || - !strcmp((argv[i] + 1), "allow_renewable") || - !strcmp((argv[i] + 1), "allow_proxiable") || - !strcmp((argv[i] + 1), "allow_dup_skey") || - !strcmp((argv[i] + 1), "requires_preauth") || - !strcmp((argv[i] + 1), "requires_hwauth") || - !strcmp((argv[i] + 1), "allow_svr") || - !strcmp((argv[i] + 1), "allow_tgs_req") || - !strcmp((argv[i] + 1), "allow_tix") || - !strcmp((argv[i] + 1), "needchange") || - !strcmp((argv[i] + 1), "password_changing_service")) { - } else { /* Any other argument must be policy DN */ - /* First check if policy DN is already provided -- - if so, there's a usage error */ + /* Skip arguments next to 'maxtktlife' + and 'maxrenewlife' arguments */ + if (!strcmp(argv[i], "-maxtktlife")) { + ++i; + } else if (!strcmp(argv[i], "-maxrenewlife")) { + ++i; + } + /* Do nothing for ticket flag arguments */ + else if (!strcmp((argv[i] + 1), "allow_postdated") || + !strcmp((argv[i] + 1), "allow_forwardable") || + !strcmp((argv[i] + 1), "allow_renewable") || + !strcmp((argv[i] + 1), "allow_proxiable") || + !strcmp((argv[i] + 1), "allow_dup_skey") || + !strcmp((argv[i] + 1), "requires_preauth") || + !strcmp((argv[i] + 1), "requires_hwauth") || + !strcmp((argv[i] + 1), "allow_svr") || + !strcmp((argv[i] + 1), "allow_tgs_req") || + !strcmp((argv[i] + 1), "allow_tix") || + !strcmp((argv[i] + 1), "needchange") || + 
!strcmp((argv[i] + 1), "password_changing_service")) { + } else { /* Any other argument must be policy DN */ + /* First check if policy DN is already provided -- + if so, there's a usage error */ if (policy != NULL) - goto err_usage; + goto err_usage; - /* If not present already, fill up policy DN */ + /* If not present already, fill up policy DN */ policy = strdup(argv[i]); if (policy == NULL) { - retval = ENOMEM; - com_err(me, retval, "while modifying policy object"); - goto err_nomsg; - } - } + retval = ENOMEM; + com_err(me, retval, "while modifying policy object"); + goto err_nomsg; + } + } } if (policy == NULL) - goto err_usage; + goto err_usage; if ((retval = init_ldap_realm (argc, argv))) - goto cleanup; + goto cleanup; retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &in_mask); if (retval) { com_err(me, retval, "while reading information of policy '%s'", policy); - goto err_nomsg; + goto err_nomsg; } /* Get current time */ 
@@ -499,151 +496,151 @@ kdb5_ldap_modify_policy(argc, argv) /* Parse all arguments, but skip policy DN (Pass 2) */ for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-maxtktlife")) { - if (++i > argc - 1) - goto err_usage; - - date = get_date(argv[i]); - if (date == (time_t)(-1)) { - retval = EINVAL; - com_err (me, retval, "while providing time specification"); - goto err_nomsg; - } - - policyparams->maxtktlife = date - now; - - out_mask |= LDAP_POLICY_MAXTKTLIFE; - } else if (!strcmp(argv[i], "-maxrenewlife")) { - if (++i > argc - 1) - goto err_usage; - - date = get_date(argv[i]); - if (date == (time_t)(-1)) { - retval = EINVAL; - com_err (me, retval, "while providing time specification"); - goto err_nomsg; - } - - policyparams->maxrenewlife = date - now; - - out_mask |= LDAP_POLICY_MAXRENEWLIFE; - } else if (!strcmp((argv[i] + 1), "allow_postdated")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_forwardable")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_renewable")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_proxiable")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; - else - goto err_usage; - - out_mask |= 
LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "requires_preauth")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "requires_hwauth")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_svr")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "allow_tix")) { - if (*(argv[i]) == '+') - policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); - else if (*(argv[i]) == '-') - policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "needchange")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); 
- else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else if (!strcmp((argv[i] + 1), "password_changing_service")) { - if (*(argv[i]) == '+') - policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; - else if (*(argv[i]) == '-') - policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); - else - goto err_usage; - - out_mask |= LDAP_POLICY_TKTFLAGS; - } else { - /* Any other argument must be policy DN - -- skip it */ - } + if (!strcmp(argv[i], "-maxtktlife")) { + if (++i > argc - 1) + goto err_usage; + + date = get_date(argv[i]); + if (date == (time_t)(-1)) { + retval = EINVAL; + com_err (me, retval, "while providing time specification"); + goto err_nomsg; + } + + policyparams->maxtktlife = date - now; + + out_mask |= LDAP_POLICY_MAXTKTLIFE; + } else if (!strcmp(argv[i], "-maxrenewlife")) { + if (++i > argc - 1) + goto err_usage; + + date = get_date(argv[i]); + if (date == (time_t)(-1)) { + retval = EINVAL; + com_err (me, retval, "while providing time specification"); + goto err_nomsg; + } + + policyparams->maxrenewlife = date - now; + + out_mask |= LDAP_POLICY_MAXRENEWLIFE; + } else if (!strcmp((argv[i] + 1), "allow_postdated")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_forwardable")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_renewable")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; + else + goto err_usage; + + out_mask |= 
LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_proxiable")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "requires_preauth")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "requires_hwauth")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_svr")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); + else if (*(argv[i]) == '-') + policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "allow_tix")) { + if (*(argv[i]) == '+') + policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); + else if (*(argv[i]) == '-') + policyparams->tktflags |= 
KRB5_KDB_DISALLOW_ALL_TIX; + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "needchange")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else if (!strcmp((argv[i] + 1), "password_changing_service")) { + if (*(argv[i]) == '+') + policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; + else if (*(argv[i]) == '-') + policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); + else + goto err_usage; + + out_mask |= LDAP_POLICY_TKTFLAGS; + } else { + /* Any other argument must be policy DN + -- skip it */ + } } /* Modify attributes of object */ if ((retval = krb5_ldap_modify_policy(util_context, policyparams, out_mask))) - goto cleanup; + goto cleanup; goto cleanup; @@ -661,13 +658,13 @@ cleanup: free (policy); if (print_usage) - db_usage(MODIFY_POLICY); + db_usage(MODIFY_POLICY); if (retval) { - if (!no_msg) - com_err(me, retval, "while modifying policy object"); + if (!no_msg) + com_err(me, retval, "while modifying policy object"); - exit_status++; + exit_status++; } return; @@ -679,9 +676,7 @@ cleanup: * fetching the information from the LDAP Server. */ void -kdb5_ldap_view_policy(argc, argv) - int argc; - char *argv[]; +kdb5_ldap_view_policy(int argc, char *argv[]) { char *me = progname; krb5_ldap_policy_params *policyparams = NULL; 
@@ -691,23 +686,23 @@ kdb5_ldap_view_policy(argc, argv) int mask = 0; if (argc != 2) { - goto err_usage; + goto err_usage; } policy = strdup(argv[1]); if (policy == NULL) { - com_err(me, ENOMEM, "while viewing policy"); - exit_status++; - goto cleanup; + com_err(me, ENOMEM, "while viewing policy"); + exit_status++; + goto cleanup; } if ((retval = init_ldap_realm (argc, argv))) goto cleanup; if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask))) { - com_err(me, retval, "while viewing policy '%s'", policy); - exit_status++; - goto cleanup; + com_err(me, retval, "while viewing policy '%s'", policy); + exit_status++; + goto cleanup; } print_policy_params (policyparams, mask); @@ -721,10 +716,10 @@ cleanup: krb5_ldap_free_policy (util_context, policyparams); if (policy) - free (policy); + free (policy); if (print_usage) { - db_usage(VIEW_POLICY); + db_usage(VIEW_POLICY); } return; 
@@ -736,59 +731,57 @@ cleanup: * standard output. */ static void -print_policy_params(policyparams, mask) - krb5_ldap_policy_params *policyparams; - int mask; +print_policy_params(krb5_ldap_policy_params *policyparams, int mask) { /* Print the policy DN */ printf("%25s: %s\n", "Ticket policy", policyparams->policy); /* Print max. ticket life and max. renewable life, if present */ if (mask & LDAP_POLICY_MAXTKTLIFE) - printf("%25s: %s\n", "Maximum ticket life", strdur(policyparams->maxtktlife)); + printf("%25s: %s\n", "Maximum ticket life", strdur(policyparams->maxtktlife)); if (mask & LDAP_POLICY_MAXRENEWLIFE) - printf("%25s: %s\n", "Maximum renewable life", strdur(policyparams->maxrenewlife)); + printf("%25s: %s\n", "Maximum renewable life", strdur(policyparams->maxrenewlife)); /* Service flags are printed */ printf("%25s: ", "Ticket flags"); if (mask & LDAP_POLICY_TKTFLAGS) { - int ticketflags = policyparams->tktflags; + int ticketflags = policyparams->tktflags; - if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED) - printf("%s ","DISALLOW_POSTDATED"); + if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED) + printf("%s ","DISALLOW_POSTDATED"); - if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE) - printf("%s ","DISALLOW_FORWARDABLE"); + if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE) + printf("%s ","DISALLOW_FORWARDABLE"); - if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE) - printf("%s ","DISALLOW_RENEWABLE"); + if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE) + printf("%s ","DISALLOW_RENEWABLE"); - if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE) - printf("%s ","DISALLOW_PROXIABLE"); + if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE) + printf("%s ","DISALLOW_PROXIABLE"); - if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY) - printf("%s ","DISALLOW_DUP_SKEY"); + if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY) + printf("%s ","DISALLOW_DUP_SKEY"); - if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH) - printf("%s ","REQUIRES_PRE_AUTH"); + if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH) + printf("%s 
","REQUIRES_PRE_AUTH"); - if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH) - printf("%s ","REQUIRES_HW_AUTH"); + if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH) + printf("%s ","REQUIRES_HW_AUTH"); - if (ticketflags & KRB5_KDB_DISALLOW_SVR) - printf("%s ","DISALLOW_SVR"); + if (ticketflags & KRB5_KDB_DISALLOW_SVR) + printf("%s ","DISALLOW_SVR"); - if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED) - printf("%s ","DISALLOW_TGT_BASED"); + if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED) + printf("%s ","DISALLOW_TGT_BASED"); - if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX) - printf("%s ","DISALLOW_ALL_TIX"); + if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX) + printf("%s ","DISALLOW_ALL_TIX"); - if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE) - printf("%s ","REQUIRES_PWCHANGE"); + if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE) + printf("%s ","REQUIRES_PWCHANGE"); - if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE) - printf("%s ","PWCHANGE_SERVICE"); + if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE) + printf("%s ","PWCHANGE_SERVICE"); } printf("\n"); @@ -800,9 +793,8 @@ print_policy_params(policyparams, mask) * This function will list the DNs of policy objects under a specific * sub-tree (entire tree by default) */ -void kdb5_ldap_list_policies(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_list_policies(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; @@ -813,18 +805,18 @@ void kdb5_ldap_list_policies(argc, argv) /* Check for number of arguments */ if ((argc != 1) && (argc != 3)) { - goto err_usage; + goto err_usage; } if ((retval = init_ldap_realm (argc, argv))) - goto cleanup; + goto cleanup; retval = krb5_ldap_list_policy(util_context, basedn, &list); if ((retval != 0) || (list == NULL)) - goto cleanup; + goto cleanup; for (plist = list; *plist != NULL; plist++) { - printf("%s\n", *plist); + printf("%s\n", *plist); } goto cleanup; 
@@ -834,20 +826,20 @@ err_usage: cleanup: if (list != NULL) { - krb5_free_list_entries (list); - free (list); + krb5_free_list_entries (list); + free (list); } if (basedn) - free (basedn); + free (basedn); if (print_usage) { - db_usage(LIST_POLICY); + db_usage(LIST_POLICY); } if (retval) { - com_err(me, retval, "while listing policy objects"); - exit_status++; + com_err(me, retval, "while listing policy objects"); + exit_status++; } return; @@ -856,17 +848,17 @@ cleanup: /* Reproduced from kadmin.c, instead of linking the entire kadmin.o */ -static char *strdur(duration) - time_t duration; +static char * +strdur(time_t duration) { static char out[50]; int neg, days, hours, minutes, seconds; if (duration < 0) { - duration *= -1; - neg = 1; + duration *= -1; + neg = 1; } else - neg = 0; + neg = 0; days = duration / (24 * 3600); duration %= 24 * 3600; hours = duration / 3600; @@ -875,6 +867,6 @@ static char *strdur(duration) duration %= 60; seconds = duration; snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "", - days, days == 1 ? "day" : "days", hours, minutes, seconds); + days, days == 1 ? "day" : "days", hours, minutes, seconds); return out; } diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.h index 105b0a06b..a176a9fac 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.h +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_policy.h */ diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c index 017a5cddf..d96ce0fb1 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_realm.c * 
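Review bot: `strdur` hands back a pointer to the file-static `out[50]`, which is overwritten on every call, and the new prototype does not say so; a caller passing two `strdur()` results to one printf would print the same text twice. Suggest a header comment above the definition: `/* Format a duration as "[-]N day(s) HH:MM:SS". Returns a static buffer that the next call overwrites; not reentrant. */`. The `int` locals `days`, `hours`, `minutes` and `seconds` are assigned from `time_t` arithmetic, so a duration beyond INT_MAX days would be silently truncated — harmless for ticket lifetimes, but worth a one-line note. The snprintf that fills `out` is in the following hunk.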
@@ -116,11 +117,11 @@ krb5_data db_creator_entries[] = { static krb5_principal_data db_create_princ = { - 0, /* magic number */ - {0, 0, 0}, /* krb5_data realm */ - db_creator_entries, /* krb5_data *data */ - 1, /* int length */ - KRB5_NT_SRV_INST /* int type */ + 0, /* magic number */ + {0, 0, 0}, /* krb5_data realm */ + db_creator_entries, /* krb5_data *data */ + 1, /* int length */ + KRB5_NT_SRV_INST /* int type */ }; extern char *mkey_password; @@ -129,7 +130,7 @@ extern kadm5_config_params global_params; static void print_realm_params(krb5_ldap_realm_params *rparams, int mask); static int kdb_ldap_create_principal (krb5_context context, krb5_principal - princ, enum ap_op op, struct realm_info *pblock); + princ, enum ap_op op, struct realm_info *pblock); static char *strdur(time_t duration); @@ -141,18 +142,16 @@ static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_ #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */ #ifdef HAVE_EDIRECTORY -#define FREE_DN_LIST(dnlist) if (dnlist != NULL) { \ - for (idx=0; dnlist[idx] != NULL; idx++) \ - free(dnlist[idx]); \ - free(dnlist); \ - } +#define FREE_DN_LIST(dnlist) if (dnlist != NULL) { \ + for (idx=0; dnlist[idx] != NULL; idx++) \ + free(dnlist[idx]); \ + free(dnlist); \ + } #endif -static int get_ticket_policy(rparams,i,argv,argc) - krb5_ldap_realm_params *rparams; - int *i; - char *argv[]; - int argc; +static int +get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[], + int argc) { time_t date; time_t now; 
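Review bot: The reindented `FREE_DN_LIST` macro is still a bare `if (dnlist != NULL) { ... }` block that depends on an `idx` variable in the caller's scope, so `if (cond) FREE_DN_LIST(x); else ...` does not compile and any call site without a local `idx` fails to build; the argument is also used unparenthesised. Wrapping the body in `do { ... } while (0)` with its own index and parenthesised argument removes both hazards, assuming existing call sites already end in a semicolon (they would have to, for the current form). The `get_ticket_policy` conversion to an ANSI prototype in the same hunk looks right; its body continues outside the hunk.
```c
#ifdef HAVE_EDIRECTORY
#define FREE_DN_LIST(dnlist) do {                                   \
        if ((dnlist) != NULL) {                                     \
            int dn_idx;                                             \
            for (dn_idx = 0; (dnlist)[dn_idx] != NULL; dn_idx++)    \
                free((dnlist)[dn_idx]);                             \
            free(dnlist);                                           \
        }                                                           \
    } while (0)
#endif
```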
@@ -165,142 +164,142 @@ static int get_ticket_policy(rparams,i,argv,argc) time(&now); if (!strcmp(argv[*i], "-maxtktlife")) { - if (++(*i) > argc-1) - goto err_usage; - date = get_date(argv[*i]); - if (date == (time_t)(-1)) { - retval = EINVAL; - com_err (me, retval, "while providing time specification"); - goto err_nomsg; - } - rparams->max_life = date-now; - mask |= LDAP_REALM_MAXTICKETLIFE; + if (++(*i) > argc-1) + goto err_usage; + date = get_date(argv[*i]); + if (date == (time_t)(-1)) { + retval = EINVAL; + com_err (me, retval, "while providing time specification"); + goto err_nomsg; + } + rparams->max_life = date-now; + mask |= LDAP_REALM_MAXTICKETLIFE; } else if (!strcmp(argv[*i], "-maxrenewlife")) { - if (++(*i) > argc-1) - goto err_usage; - - date = get_date(argv[*i]); - if (date == (time_t)(-1)) { - retval = EINVAL; - com_err (me, retval, "while providing time specification"); - goto err_nomsg; - } - rparams->max_renewable_life = date-now; - mask |= LDAP_REALM_MAXRENEWLIFE; + if (++(*i) > argc-1) + goto err_usage; + + date = get_date(argv[*i]); + if (date == (time_t)(-1)) { + retval = EINVAL; + com_err (me, retval, "while providing time specification"); + goto err_nomsg; + } + rparams->max_renewable_life = date-now; + mask |= LDAP_REALM_MAXRENEWLIFE; } else if (!strcmp((argv[*i] + 1), "allow_postdated")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_forwardable")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); + if (*(argv[*i]) == '+') + rparams->tktflags &= 
(int)(~KRB5_KDB_DISALLOW_FORWARDABLE); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; - else - goto err_usage; + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; + else + goto err_usage; - mask |= LDAP_REALM_KRBTICKETFLAGS; + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_renewable")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_proxiable")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_dup_skey")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; - else - goto err_usage; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; + else + goto err_usage; - mask |= LDAP_REALM_KRBTICKETFLAGS; + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "requires_preauth")) { - if (*(argv[*i]) == '+') - rparams->tktflags |= 
KRB5_KDB_REQUIRES_PRE_AUTH; - else if (*(argv[*i]) == '-') - rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; + else if (*(argv[*i]) == '-') + rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "requires_hwauth")) { - if (*(argv[*i]) == '+') - rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; - else if (*(argv[*i]) == '-') - rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; + else if (*(argv[*i]) == '-') + rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_svr")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_SVR; - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_SVR; + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_tgs_req")) { - if (*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "allow_tix")) { - if 
(*(argv[*i]) == '+') - rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); - else if (*(argv[*i]) == '-') - rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); + else if (*(argv[*i]) == '-') + rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "needchange")) { - if (*(argv[*i]) == '+') - rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; - else if (*(argv[*i]) == '-') - rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); - else - goto err_usage; - - mask |= LDAP_REALM_KRBTICKETFLAGS; + if (*(argv[*i]) == '+') + rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; + else if (*(argv[*i]) == '-') + rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); + else + goto err_usage; + + mask |= LDAP_REALM_KRBTICKETFLAGS; } else if (!strcmp((argv[*i] + 1), "password_changing_service")) { - if (*(argv[*i]) == '+') - rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; - else if (*(argv[*i]) == '-') - rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); - else - goto err_usage; + if (*(argv[*i]) == '+') + rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; + else if (*(argv[*i]) == '-') + rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); + else + goto err_usage; - mask |=LDAP_REALM_KRBTICKETFLAGS; + mask |=LDAP_REALM_KRBTICKETFLAGS; } err_usage: print_usage = TRUE; @@ -315,9 +314,8 @@ err_nomsg: * This function will create a realm on the LDAP Server, with * the specified attributes. */ -void kdb5_ldap_create(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_create(int argc, char *argv[]) { krb5_error_code retval = 0; krb5_keyblock master_keyblock; 
@@ -342,140 +340,140 @@ void kdb5_ldap_create(argc, argv) memset(&master_keyblock, 0, sizeof(master_keyblock)); rparams = (krb5_ldap_realm_params *)malloc( - sizeof(krb5_ldap_realm_params)); + sizeof(krb5_ldap_realm_params)); if (rparams == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } memset(rparams, 0, sizeof(krb5_ldap_realm_params)); /* Parse the arguments */ for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-subtrees")) { - if (++i > argc-1) - goto err_usage; - - if (strncmp(argv[i], "", strlen(argv[i]))!=0) { - list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - free(list); - list = NULL; - goto cleanup; - } - - rparams->subtreecount=0; - while (list[rparams->subtreecount]!=NULL) - (rparams->subtreecount)++; - rparams->subtree = list; - } else if (strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow subtree value to be set at the root(NULL, "") of the tree */ - com_err(progname, EINVAL, - "for subtree while creating realm '%s'", - global_params.realm); - goto err_nomsg; - } - rparams->subtree[rparams->subtreecount] = NULL; - mask |= LDAP_REALM_SUBTREE; - } else if (!strcmp(argv[i], "-containerref")) { - if (++i > argc-1) - goto err_usage; - if (strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow containerref value to be set at the root(NULL, "") of the tree */ - com_err(progname, EINVAL, - "for container reference while creating realm '%s'", - global_params.realm); - goto err_nomsg; - } - rparams->containerref = strdup(argv[i]); - if (rparams->containerref == NULL) { - retval = ENOMEM; - goto cleanup; - } - mask |= LDAP_REALM_CONTREF; - } else if (!strcmp(argv[i], "-sscope")) { - if (++i > argc-1) - goto err_usage; - /* Possible values for search scope are - * one (or 1) and sub (or 2) - */ - if (!strcasecmp(argv[i], "one")) { - rparams->search_scope = 1; - } else if 
(!strcasecmp(argv[i], "sub")) { - rparams->search_scope = 2; - } else { - rparams->search_scope = atoi(argv[i]); - if ((rparams->search_scope != 1) && - (rparams->search_scope != 2)) { - com_err(progname, EINVAL, - "invalid search scope while creating realm '%s'", - global_params.realm); - goto err_nomsg; - } - } - mask |= LDAP_REALM_SEARCHSCOPE; - } + if (!strcmp(argv[i], "-subtrees")) { + if (++i > argc-1) + goto err_usage; + + if (strncmp(argv[i], "", strlen(argv[i]))!=0) { + list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *)); + if (list == NULL) { + retval = ENOMEM; + goto cleanup; + } + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + free(list); + list = NULL; + goto cleanup; + } + + rparams->subtreecount=0; + while (list[rparams->subtreecount]!=NULL) + (rparams->subtreecount)++; + rparams->subtree = list; + } else if (strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow subtree value to be set at the root(NULL, "") of the tree */ + com_err(progname, EINVAL, + "for subtree while creating realm '%s'", + global_params.realm); + goto err_nomsg; + } + rparams->subtree[rparams->subtreecount] = NULL; + mask |= LDAP_REALM_SUBTREE; + } else if (!strcmp(argv[i], "-containerref")) { + if (++i > argc-1) + goto err_usage; + if (strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow containerref value to be set at the root(NULL, "") of the tree */ + com_err(progname, EINVAL, + "for container reference while creating realm '%s'", + global_params.realm); + goto err_nomsg; + } + rparams->containerref = strdup(argv[i]); + if (rparams->containerref == NULL) { + retval = ENOMEM; + goto cleanup; + } + mask |= LDAP_REALM_CONTREF; + } else if (!strcmp(argv[i], "-sscope")) { + if (++i > argc-1) + goto err_usage; + /* Possible values for search scope are + * one (or 1) and sub (or 2) + */ + if (!strcasecmp(argv[i], "one")) { + rparams->search_scope = 1; + } else if (!strcasecmp(argv[i], "sub")) { + rparams->search_scope = 2; + } else { + 
rparams->search_scope = atoi(argv[i]); + if ((rparams->search_scope != 1) && + (rparams->search_scope != 2)) { + com_err(progname, EINVAL, + "invalid search scope while creating realm '%s'", + global_params.realm); + goto err_nomsg; + } + } + mask |= LDAP_REALM_SEARCHSCOPE; + } #ifdef HAVE_EDIRECTORY - else if (!strcmp(argv[i], "-kdcdn")) { - if (++i > argc-1) - goto err_usage; - rparams->kdcservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->kdcservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->kdcservers))) { - goto cleanup; - } - mask |= LDAP_REALM_KDCSERVERS; - } else if (!strcmp(argv[i], "-admindn")) { - if (++i > argc-1) - goto err_usage; - rparams->adminservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->adminservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->adminservers))) { - goto cleanup; - } - mask |= LDAP_REALM_ADMINSERVERS; - } else if (!strcmp(argv[i], "-pwddn")) { - if (++i > argc-1) - goto err_usage; - rparams->passwdservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->passwdservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->passwdservers))) { - goto cleanup; - } - mask |= LDAP_REALM_PASSWDSERVERS; - } + else if (!strcmp(argv[i], "-kdcdn")) { + if (++i > argc-1) + goto err_usage; + rparams->kdcservers = (char **)malloc( + sizeof(char *) * MAX_LIST_ENTRIES); + if (rparams->kdcservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], 
LIST_DELIMITER, + rparams->kdcservers))) { + goto cleanup; + } + mask |= LDAP_REALM_KDCSERVERS; + } else if (!strcmp(argv[i], "-admindn")) { + if (++i > argc-1) + goto err_usage; + rparams->adminservers = (char **)malloc( + sizeof(char *) * MAX_LIST_ENTRIES); + if (rparams->adminservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + rparams->adminservers))) { + goto cleanup; + } + mask |= LDAP_REALM_ADMINSERVERS; + } else if (!strcmp(argv[i], "-pwddn")) { + if (++i > argc-1) + goto err_usage; + rparams->passwdservers = (char **)malloc( + sizeof(char *) * MAX_LIST_ENTRIES); + if (rparams->passwdservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + rparams->passwdservers))) { + goto cleanup; + } + mask |= LDAP_REALM_PASSWDSERVERS; + } #endif - else if (!strcmp(argv[i], "-s")) { - do_stash = 1; - } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { - mask|=ret_mask; - } + else if (!strcmp(argv[i], "-s")) { + do_stash = 1; + } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { + mask|=ret_mask; + } - else { - printf("'%s' is an invalid option\n", argv[i]); - goto err_usage; - } + else { + printf("'%s' is an invalid option\n", argv[i]); + goto err_usage; + } } /* If the default enctype/salttype is not provided, use the 
@@ -496,21 +494,21 @@ void kdb5_ldap_create(argc, argv) printf("Initializing database for realm '%s'\n", global_params.realm); if (!mkey_password) { - unsigned int pw_size; - printf("You will be prompted for the database Master Password.\n"); - printf("It is important that you NOT FORGET this password.\n"); - fflush(stdout); - - pw_size = sizeof (pw_str); - memset(pw_str, 0, pw_size); - - retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, - pw_str, &pw_size); - if (retval) { - com_err(progname, retval, "while reading master key from keyboard"); - goto err_nomsg; - } - mkey_password = pw_str; + unsigned int pw_size; + printf("You will be prompted for the database Master Password.\n"); + printf("It is important that you NOT FORGET this password.\n"); + fflush(stdout); + + pw_size = sizeof (pw_str); + memset(pw_str, 0, pw_size); + + retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, + pw_str, &pw_size); + if (retval) { + com_err(progname, retval, "while reading master key from keyboard"); + goto err_nomsg; + } + mkey_password = pw_str; } rparams->mkey.enctype = global_params.enctype; 
@@ -518,335 +516,335 @@ void kdb5_ldap_create(argc, argv) rparams->mkey.length = strlen(mkey_password) + 1; rparams->mkey.contents = (krb5_octet *)strdup(mkey_password); if (rparams->mkey.contents == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } rparams->realm_name = strdup(global_params.realm); if (rparams->realm_name == NULL) { - retval = ENOMEM; - com_err(progname, ENOMEM, "while creating realm '%s'", - global_params.realm); - goto err_nomsg; + retval = ENOMEM; + com_err(progname, ENOMEM, "while creating realm '%s'", + global_params.realm); + goto err_nomsg; } dal_handle = util_context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!ldap_context) { - retval = EINVAL; - goto cleanup; + retval = EINVAL; + goto cleanup; } /* read the kerberos container */ if ((retval=krb5_ldap_read_krbcontainer_params (util_context, - &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) { - /* Prompt the user for entering the DN of Kerberos container */ - char krb_location[MAX_KRB_CONTAINER_LEN]; - krb5_ldap_krbcontainer_params kparams; - int krb_location_len = 0; - memset(&kparams, 0, sizeof(kparams)); - - /* Read the kerberos container location from configuration file */ - if (ldap_context->conf_section) { - if ((retval=profile_get_string(util_context->profile, - KDB_MODULE_SECTION, ldap_context->conf_section, - "ldap_kerberos_container_dn", NULL, - &kparams.DN)) != 0) { - goto cleanup; - } - } - if (kparams.DN == NULL) { - if ((retval=profile_get_string(util_context->profile, - KDB_MODULE_DEF_SECTION, - "ldap_kerberos_container_dn", NULL, - NULL, &kparams.DN)) != 0) { - goto cleanup; - } - } - - printf("\nKerberos container is missing. 
Creating now...\n"); - if (kparams.DN == NULL) { + &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) { + /* Prompt the user for entering the DN of Kerberos container */ + char krb_location[MAX_KRB_CONTAINER_LEN]; + krb5_ldap_krbcontainer_params kparams; + int krb_location_len = 0; + memset(&kparams, 0, sizeof(kparams)); + + /* Read the kerberos container location from configuration file */ + if (ldap_context->conf_section) { + if ((retval=profile_get_string(util_context->profile, + KDB_MODULE_SECTION, ldap_context->conf_section, + "ldap_kerberos_container_dn", NULL, + &kparams.DN)) != 0) { + goto cleanup; + } + } + if (kparams.DN == NULL) { + if ((retval=profile_get_string(util_context->profile, + KDB_MODULE_DEF_SECTION, + "ldap_kerberos_container_dn", NULL, + NULL, &kparams.DN)) != 0) { + goto cleanup; + } + } + + printf("\nKerberos container is missing. Creating now...\n"); + if (kparams.DN == NULL) { #ifdef HAVE_EDIRECTORY - printf("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: "); + printf("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: "); #else - printf("Enter DN of Kerberos container: "); + printf("Enter DN of Kerberos container: "); #endif - if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) { - /* Remove the newline character at the end */ - krb_location_len = strlen(krb_location); - if ((krb_location[krb_location_len - 1] == '\n') || - (krb_location[krb_location_len - 1] == '\r')) { - krb_location[krb_location_len - 1] = '\0'; - krb_location_len--; - } - /* If the user has not given any input, take the default location */ - else if (krb_location[0] == '\0') - kparams.DN = NULL; - else - kparams.DN = krb_location; - } else - kparams.DN = NULL; - } - - /* create the kerberos container */ - retval = krb5_ldap_create_krbcontainer(util_context, - ((kparams.DN != NULL) ? 
&kparams : NULL)); - if (retval) - goto cleanup; - - retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)); - if (retval) { - com_err(progname, retval, "while reading kerberos container information"); - goto cleanup; - } + if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) { + /* Remove the newline character at the end */ + krb_location_len = strlen(krb_location); + if ((krb_location[krb_location_len - 1] == '\n') || + (krb_location[krb_location_len - 1] == '\r')) { + krb_location[krb_location_len - 1] = '\0'; + krb_location_len--; + } + /* If the user has not given any input, take the default location */ + else if (krb_location[0] == '\0') + kparams.DN = NULL; + else + kparams.DN = krb_location; + } else + kparams.DN = NULL; + } + + /* create the kerberos container */ + retval = krb5_ldap_create_krbcontainer(util_context, + ((kparams.DN != NULL) ? &kparams : NULL)); + if (retval) + goto cleanup; + + retval = krb5_ldap_read_krbcontainer_params(util_context, + &(ldap_context->krbcontainer)); + if (retval) { + com_err(progname, retval, "while reading kerberos container information"); + goto cleanup; + } } else if (retval) { - com_err(progname, retval, "while reading kerberos container information"); - goto cleanup; + com_err(progname, retval, "while reading kerberos container information"); + goto cleanup; } if ((retval = krb5_ldap_create_realm(util_context, - /* global_params.realm, */ rparams, mask))) { - goto cleanup; + /* global_params.realm, */ rparams, mask))) { + goto cleanup; } /* We just created the Realm container. 
Here starts our transaction tracking */ realm_obj_created = TRUE; if ((retval = krb5_ldap_read_realm_params(util_context, - global_params.realm, - &(ldap_context->lrparams), - &mask))) { - com_err(progname, retval, "while reading information of realm '%s'", - global_params.realm); - goto err_nomsg; + global_params.realm, + &(ldap_context->lrparams), + &mask))) { + com_err(progname, retval, "while reading information of realm '%s'", + global_params.realm); + goto err_nomsg; } ldap_context->lrparams->realm_name = strdup(global_params.realm); if (ldap_context->lrparams->realm_name == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } /* assemble & parse the master key name */ if ((retval = krb5_db_setup_mkey_name(util_context, - global_params.mkey_name, - global_params.realm, - 0, &master_princ))) { - com_err(progname, retval, "while setting up master key name"); - goto err_nomsg; + global_params.mkey_name, + global_params.realm, + 0, &master_princ))) { + com_err(progname, retval, "while setting up master key name"); + goto err_nomsg; } /* Obtain master key from master password */ { - krb5_data master_salt, pwd; - - pwd.data = mkey_password; - pwd.length = strlen(mkey_password); - retval = krb5_principal2salt(util_context, master_princ, &master_salt); - if (retval) { - com_err(progname, retval, "while calculating master key salt"); - goto err_nomsg; - } + krb5_data master_salt, pwd; + + pwd.data = mkey_password; + pwd.length = strlen(mkey_password); + retval = krb5_principal2salt(util_context, master_princ, &master_salt); + if (retval) { + com_err(progname, retval, "while calculating master key salt"); + goto err_nomsg; + } - retval = krb5_c_string_to_key(util_context, rparams->mkey.enctype, - &pwd, &master_salt, &master_keyblock); + retval = krb5_c_string_to_key(util_context, rparams->mkey.enctype, + &pwd, &master_salt, &master_keyblock); - if (master_salt.data) - free(master_salt.data); + if (master_salt.data) + free(master_salt.data); - 
if (retval) { - com_err(progname, retval, "while transforming master key from password"); - goto err_nomsg; - } + if (retval) { + com_err(progname, retval, "while transforming master key from password"); + goto err_nomsg; + } } rblock.key = &master_keyblock; ldap_context->lrparams->mkey = master_keyblock; ldap_context->lrparams->mkey.contents = (krb5_octet *) malloc - (master_keyblock.length); + (master_keyblock.length); if (ldap_context->lrparams->mkey.contents == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } memcpy (ldap_context->lrparams->mkey.contents, master_keyblock.contents, - master_keyblock.length); + master_keyblock.length); /* Create special principals inside the realm subtree */ { - char princ_name[MAX_PRINC_SIZE]; - krb5_principal_data tgt_princ = { - 0, /* magic number */ - {0, 0, 0}, /* krb5_data realm */ - tgt_princ_entries, /* krb5_data *data */ - 2, /* int length */ - KRB5_NT_SRV_INST /* int type */ - }; - krb5_principal p, temp_p=NULL; - - krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm); - krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm)); - krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm; - krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm); - /* The container reference value is set to NULL, to avoid service principals - * getting created within the container reference at realm creation */ - if (ldap_context->lrparams->containerref != NULL) { - oldcontainerref = ldap_context->lrparams->containerref; - ldap_context->lrparams->containerref = NULL; - } - - /* Create 'K/M' ... */ - rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX; - if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) { - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - - /* Create 'krbtgt' ... 
*/ - rblock.flags = 0; /* reset the flags */ - if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) { - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - - /* Create 'kadmin/admin' ... */ - snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm); - if ((retval = krb5_parse_name(util_context, princ_name, &p))) { - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - rblock.max_life = ADMIN_LIFETIME; - rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; - if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { - krb5_free_principal(util_context, p); - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - krb5_free_principal(util_context, p); - - /* Create 'kadmin/changepw' ... */ - snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm); - if ((retval = krb5_parse_name(util_context, princ_name, &p))) { - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - rblock.max_life = CHANGEPW_LIFETIME; - rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | - KRB5_KDB_PWCHANGE_SERVICE; - if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { - krb5_free_principal(util_context, p); - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - krb5_free_principal(util_context, p); - - /* Create 'kadmin/history' ... 
*/ - snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm); - if ((retval = krb5_parse_name(util_context, princ_name, &p))) { - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - rblock.max_life = global_params.max_life; - rblock.flags = 0; - if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { - krb5_free_principal(util_context, p); - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - krb5_free_principal(util_context, p); - - /* Create 'kadmin/<hostname>' ... */ - if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) { - com_err(progname, retval, "krb5_sname_to_principal, while adding entries to the database"); - goto err_nomsg; - } - - if ((retval=krb5_copy_principal(util_context, p, &temp_p))) { - com_err(progname, retval, "krb5_copy_principal, while adding entries to the database"); - goto err_nomsg; - } - - /* change the realm portion to the default realm */ - free(temp_p->realm.data); - temp_p->realm.length = strlen(util_context->default_realm); - temp_p->realm.data = strdup(util_context->default_realm); - if (temp_p->realm.data == NULL) { - com_err(progname, ENOMEM, "while adding entries to the database"); - goto err_nomsg; - } - - rblock.max_life = ADMIN_LIFETIME; - rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; - if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) { - krb5_free_principal(util_context, p); - com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - krb5_free_principal(util_context, temp_p); - krb5_free_principal(util_context, p); - - if (oldcontainerref != NULL) { - ldap_context->lrparams->containerref = oldcontainerref; - oldcontainerref=NULL; - } + char princ_name[MAX_PRINC_SIZE]; + krb5_principal_data tgt_princ = { + 0, /* magic number */ + {0, 0, 0}, /* krb5_data realm */ + tgt_princ_entries, /* 
krb5_data *data */ + 2, /* int length */ + KRB5_NT_SRV_INST /* int type */ + }; + krb5_principal p, temp_p=NULL; + + krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm); + krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm)); + krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm; + krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm); + /* The container reference value is set to NULL, to avoid service principals + * getting created within the container reference at realm creation */ + if (ldap_context->lrparams->containerref != NULL) { + oldcontainerref = ldap_context->lrparams->containerref; + ldap_context->lrparams->containerref = NULL; + } + + /* Create 'K/M' ... */ + rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX; + if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) { + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + + /* Create 'krbtgt' ... */ + rblock.flags = 0; /* reset the flags */ + if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) { + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + + /* Create 'kadmin/admin' ... */ + snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm); + if ((retval = krb5_parse_name(util_context, princ_name, &p))) { + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + rblock.max_life = ADMIN_LIFETIME; + rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; + if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { + krb5_free_principal(util_context, p); + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + krb5_free_principal(util_context, p); + + /* Create 'kadmin/changepw' ... 
*/ + snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm); + if ((retval = krb5_parse_name(util_context, princ_name, &p))) { + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + rblock.max_life = CHANGEPW_LIFETIME; + rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | + KRB5_KDB_PWCHANGE_SERVICE; + if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { + krb5_free_principal(util_context, p); + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + krb5_free_principal(util_context, p); + + /* Create 'kadmin/history' ... */ + snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm); + if ((retval = krb5_parse_name(util_context, princ_name, &p))) { + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + rblock.max_life = global_params.max_life; + rblock.flags = 0; + if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { + krb5_free_principal(util_context, p); + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + krb5_free_principal(util_context, p); + + /* Create 'kadmin/<hostname>' ... 
*/ + if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) { + com_err(progname, retval, "krb5_sname_to_principal, while adding entries to the database"); + goto err_nomsg; + } + + if ((retval=krb5_copy_principal(util_context, p, &temp_p))) { + com_err(progname, retval, "krb5_copy_principal, while adding entries to the database"); + goto err_nomsg; + } + + /* change the realm portion to the default realm */ + free(temp_p->realm.data); + temp_p->realm.length = strlen(util_context->default_realm); + temp_p->realm.data = strdup(util_context->default_realm); + if (temp_p->realm.data == NULL) { + com_err(progname, ENOMEM, "while adding entries to the database"); + goto err_nomsg; + } + + rblock.max_life = ADMIN_LIFETIME; + rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; + if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) { + krb5_free_principal(util_context, p); + com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + krb5_free_principal(util_context, temp_p); + krb5_free_principal(util_context, p); + + if (oldcontainerref != NULL) { + ldap_context->lrparams->containerref = oldcontainerref; + oldcontainerref=NULL; + } } #ifdef HAVE_EDIRECTORY if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) || - (mask & LDAP_REALM_PASSWDSERVERS)) { - - printf("Changing rights for the service object. Please wait ... 
"); - fflush(stdout); - - rightsmask =0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->kdcservers != NULL)) { - for (i=0; (rparams->kdcservers[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, rparams->kdcservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } - - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->adminservers != NULL)) { - for (i=0; (rparams->adminservers[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, rparams->adminservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } - - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->passwdservers != NULL)) { - for (i=0; (rparams->passwdservers[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, rparams->passwdservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } - - printf("done\n"); + (mask & LDAP_REALM_PASSWDSERVERS)) { + + printf("Changing rights for the service object. Please wait ... 
"); + fflush(stdout); + + rightsmask =0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->kdcservers != NULL)) { + for (i=0; (rparams->kdcservers[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_KDC_SERVICE, rparams->kdcservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } + + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->adminservers != NULL)) { + for (i=0; (rparams->adminservers[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_ADMIN_SERVICE, rparams->adminservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } + + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->passwdservers != NULL)) { + for (i=0; (rparams->passwdservers[i] != NULL); i++) { + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_PASSWD_SERVICE, rparams->passwdservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } + + printf("done\n"); } #endif /* The Realm creation is completed. Here is the end of transaction */ 
@@ -864,15 +862,15 @@ void kdb5_ldap_create(argc, argv) else mkey_kvno = 1; /* Default */ - retval = krb5_def_store_mkey(util_context, - global_params.stash_file, - master_princ, + retval = krb5_def_store_mkey(util_context, + global_params.stash_file, + master_princ, mkey_kvno, - &master_keyblock, NULL); - if (retval) { - com_err(progname, errno, "while storing key"); - printf("Warning: couldn't stash master key.\n"); - } + &master_keyblock, NULL); + if (retval) { + com_err(progname, errno, "while storing key"); + printf("Warning: couldn't stash master key.\n"); + } } goto cleanup; @@ -887,22 +885,22 @@ err_nomsg: cleanup: /* If the Realm creation is not complete, do the roll-back here */ if ((realm_obj_created) && (!create_complete)) - krb5_ldap_delete_realm(util_context, global_params.realm); + krb5_ldap_delete_realm(util_context, global_params.realm); if (rparams) - krb5_ldap_free_realm_params(rparams); + krb5_ldap_free_realm_params(rparams); memset (pw_str, 0, sizeof (pw_str)); if (print_usage) - db_usage(CREATE_REALM); + db_usage(CREATE_REALM); if (retval) { - if (!no_msg) { - com_err(progname, retval, "while creating realm '%s'", - global_params.realm); - } - exit_status++; + if (!no_msg) { + com_err(progname, retval, "while creating realm '%s'", + global_params.realm); + } + exit_status++; } return; @@ -912,9 +910,8 @@ cleanup: /* * This function will modify the attributes of a given realm object */ -void kdb5_ldap_modify(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_modify(int argc, char *argv[]) { krb5_error_code retval = 0; krb5_ldap_realm_params *rparams = NULL; 
@@ -947,514 +944,514 @@ void kdb5_ldap_modify(argc, argv) dal_handle = util_context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!(ldap_context)) { - retval = EINVAL; - goto cleanup; + retval = EINVAL; + goto cleanup; } if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)))) { - com_err(progname, retval, "while reading Kerberos container information"); - goto err_nomsg; + &(ldap_context->krbcontainer)))) { + com_err(progname, retval, "while reading Kerberos container information"); + goto err_nomsg; } retval = krb5_ldap_read_realm_params(util_context, - global_params.realm, &rparams, &rmask); + global_params.realm, &rparams, &rmask); if (retval) - goto cleanup; + goto cleanup; /* Parse the arguments */ for (i = 1; i < argc; i++) { - int k = 0; - if (!strcmp(argv[i], "-subtrees")) { - if (++i > argc-1) - goto err_usage; + int k = 0; + if (!strcmp(argv[i], "-subtrees")) { + if (++i > argc-1) + goto err_usage; - if (rmask & LDAP_REALM_SUBTREE) { - if (rparams->subtree) { + if (rmask & LDAP_REALM_SUBTREE) { + if (rparams->subtree) { #ifdef HAVE_EDIRECTORY - oldsubtrees = (char **) calloc(rparams->subtreecount+1, sizeof(char *)); - if (oldsubtrees == NULL) { - retval = ENOMEM; - goto cleanup; - } - for (k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) { - oldsubtrees[k] = strdup(rparams->subtree[k]); - if (oldsubtrees[k] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } + oldsubtrees = (char **) calloc(rparams->subtreecount+1, sizeof(char *)); + if (oldsubtrees == NULL) { + retval = ENOMEM; + goto cleanup; + } + for (k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) { + oldsubtrees[k] = strdup(rparams->subtree[k]); + if (oldsubtrees[k] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } #endif - for (k=0; k<rparams->subtreecount && rparams->subtree[k]; k++) - free(rparams->subtree[k]); - rparams->subtreecount=0; - } - } - if (strncmp(argv[i] ,"", 
strlen(argv[i]))!=0) { - slist = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *)); - if (slist == NULL) { - retval = ENOMEM; - goto cleanup; - } - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) { - free(slist); - slist = NULL; - goto cleanup; - } - - rparams->subtreecount=0; - while (slist[rparams->subtreecount]!=NULL) - (rparams->subtreecount)++; - rparams->subtree = slist; - } else if (strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow subtree value to be set at the root(NULL, "") of the tree */ - com_err(progname, EINVAL, - "for subtree while modifying realm '%s'", - global_params.realm); - goto err_nomsg; - } - rparams->subtree[rparams->subtreecount] = NULL; - mask |= LDAP_REALM_SUBTREE; - } else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) { - if (++i > argc-1) - goto err_usage; - if (strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow containerref value to be set at the root(NULL, "") of the tree */ - com_err(progname, EINVAL, - "for container reference while modifying realm '%s'", - global_params.realm); - goto err_nomsg; - } + for (k=0; k<rparams->subtreecount && rparams->subtree[k]; k++) + free(rparams->subtree[k]); + rparams->subtreecount=0; + } + } + if (strncmp(argv[i] ,"", strlen(argv[i]))!=0) { + slist = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *)); + if (slist == NULL) { + retval = ENOMEM; + goto cleanup; + } + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) { + free(slist); + slist = NULL; + goto cleanup; + } + + rparams->subtreecount=0; + while (slist[rparams->subtreecount]!=NULL) + (rparams->subtreecount)++; + rparams->subtree = slist; + } else if (strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow subtree value to be set at the root(NULL, "") of the tree */ + com_err(progname, EINVAL, + "for subtree while modifying realm '%s'", + global_params.realm); + goto err_nomsg; + } + rparams->subtree[rparams->subtreecount] = NULL; + mask |= LDAP_REALM_SUBTREE; + } else if 
(!strncmp(argv[i], "-containerref", strlen(argv[i]))) { + if (++i > argc-1) + goto err_usage; + if (strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow containerref value to be set at the root(NULL, "") of the tree */ + com_err(progname, EINVAL, + "for container reference while modifying realm '%s'", + global_params.realm); + goto err_nomsg; + } #ifdef HAVE_EDIRECTORY if (rparams->containerref != NULL) { oldcontainerref = rparams->containerref; } #endif - rparams->containerref = strdup(argv[i]); - if (rparams->containerref == NULL) { - retval = ENOMEM; - goto cleanup; - } - mask |= LDAP_REALM_CONTREF; - } else if (!strcmp(argv[i], "-sscope")) { - if (++i > argc-1) - goto err_usage; - /* Possible values for search scope are - * one (or 1) and sub (or 2) - */ - if (strcasecmp(argv[i], "one") == 0) { - rparams->search_scope = 1; - } else if (strcasecmp(argv[i], "sub") == 0) { - rparams->search_scope = 2; - } else { - rparams->search_scope = atoi(argv[i]); - if ((rparams->search_scope != 1) && - (rparams->search_scope != 2)) { - retval = EINVAL; - com_err(progname, retval, - "specified for search scope while modifying information of realm '%s'", - global_params.realm); - goto err_nomsg; - } - } - mask |= LDAP_REALM_SEARCHSCOPE; - } + rparams->containerref = strdup(argv[i]); + if (rparams->containerref == NULL) { + retval = ENOMEM; + goto cleanup; + } + mask |= LDAP_REALM_CONTREF; + } else if (!strcmp(argv[i], "-sscope")) { + if (++i > argc-1) + goto err_usage; + /* Possible values for search scope are + * one (or 1) and sub (or 2) + */ + if (strcasecmp(argv[i], "one") == 0) { + rparams->search_scope = 1; + } else if (strcasecmp(argv[i], "sub") == 0) { + rparams->search_scope = 2; + } else { + rparams->search_scope = atoi(argv[i]); + if ((rparams->search_scope != 1) && + (rparams->search_scope != 2)) { + retval = EINVAL; + com_err(progname, retval, + "specified for search scope while modifying information of realm '%s'", + global_params.realm); + goto err_nomsg; 
+ } + } + mask |= LDAP_REALM_SEARCHSCOPE; + } #ifdef HAVE_EDIRECTORY - else if (!strcmp(argv[i], "-kdcdn")) { - if (++i > argc-1) - goto err_usage; - - if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) { - if (!oldkdcdns) { - /* Store the old kdc dns list for removing rights */ - oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldkdcdns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->kdcservers[j] != NULL; j++) { - oldkdcdns[j] = strdup(rparams->kdcservers[j]); - if (oldkdcdns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldkdcdns[j] = NULL; - } - - krb5_free_list_entries(rparams->kdcservers); - free(rparams->kdcservers); - } - - rparams->kdcservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->kdcservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->kdcservers))) { - goto cleanup; - } - mask |= LDAP_REALM_KDCSERVERS; - /* Going to replace the existing value by this new value. 
Hence - * setting flag indicating that add or clear options will be ignored - */ - newkdcdn = 1; - } else if (!strcmp(argv[i], "-clearkdcdn")) { - if (++i > argc-1) - goto err_usage; - if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) { - if (!oldkdcdns) { - /* Store the old kdc dns list for removing rights */ - oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldkdcdns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->kdcservers[j] != NULL; j++) { - oldkdcdns[j] = strdup(rparams->kdcservers[j]); - if (oldkdcdns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldkdcdns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - list_modify_str_array(&rparams->kdcservers, (const char **)list, - LIST_MODE_DELETE); - mask |= LDAP_REALM_KDCSERVERS; - krb5_free_list_entries(list); - } - } else if (!strcmp(argv[i], "-addkdcdn")) { - if (++i > argc-1) - goto err_usage; - if (!newkdcdn) { - if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) { - /* Store the old kdc dns list for removing rights */ - oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldkdcdns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j = 0; rparams->kdcservers[j] != NULL; j++) { - oldkdcdns[j] = strdup(rparams->kdcservers[j]); - if (oldkdcdns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldkdcdns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - existing_entries = list_count_str_array(rparams->kdcservers); - list_entries = list_count_str_array(list); - if (rmask & LDAP_REALM_KDCSERVERS) { - tempstr = (char **)realloc( - rparams->kdcservers, - sizeof(char *) * (existing_entries+list_entries+1)); - if (tempstr == NULL) { - retval = ENOMEM; - goto 
cleanup; - } - rparams->kdcservers = tempstr; - } else { - rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1)); - if (rparams->kdcservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1)); - } - list_modify_str_array(&rparams->kdcservers, (const char **)list, - LIST_MODE_ADD); - mask |= LDAP_REALM_KDCSERVERS; - } - } else if (!strcmp(argv[i], "-admindn")) { - if (++i > argc-1) - goto err_usage; - - if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) { - if (!oldadmindns) { - /* Store the old admin dns list for removing rights */ - oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldadmindns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->adminservers[j] != NULL; j++) { - oldadmindns[j] = strdup(rparams->adminservers[j]); - if (oldadmindns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldadmindns[j] = NULL; - } - - krb5_free_list_entries(rparams->adminservers); - free(rparams->adminservers); - } - - rparams->adminservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->adminservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->adminservers))) { - goto cleanup; - } - mask |= LDAP_REALM_ADMINSERVERS; - /* Going to replace the existing value by this new value. 
Hence - * setting flag indicating that add or clear options will be ignored - */ - newadmindn = 1; - } else if (!strcmp(argv[i], "-clearadmindn")) { - if (++i > argc-1) - goto err_usage; - - if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) { - if (!oldadmindns) { - /* Store the old admin dns list for removing rights */ - oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldadmindns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->adminservers[j] != NULL; j++) { - oldadmindns[j] = strdup(rparams->adminservers[j]); - if (oldadmindns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldadmindns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - list_modify_str_array(&rparams->adminservers, (const char **)list, - LIST_MODE_DELETE); - mask |= LDAP_REALM_ADMINSERVERS; - krb5_free_list_entries(list); - } - } else if (!strcmp(argv[i], "-addadmindn")) { - if (++i > argc-1) - goto err_usage; - if (!newadmindn) { - if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) { - /* Store the old admin dns list for removing rights */ - oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldadmindns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->adminservers[j] != NULL; j++) { - oldadmindns[j] = strdup(rparams->adminservers[j]); - if (oldadmindns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldadmindns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - existing_entries = list_count_str_array(rparams->adminservers); - list_entries = list_count_str_array(list); - if (rmask & LDAP_REALM_ADMINSERVERS) { - tempstr = (char **)realloc( - rparams->adminservers, - sizeof(char *) * 
(existing_entries+list_entries+1)); - if (tempstr == NULL) { - retval = ENOMEM; - goto cleanup; - } - rparams->adminservers = tempstr; - } else { - rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1)); - if (rparams->adminservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1)); - } - list_modify_str_array(&rparams->adminservers, (const char **)list, - LIST_MODE_ADD); - mask |= LDAP_REALM_ADMINSERVERS; - } - } else if (!strcmp(argv[i], "-pwddn")) { - if (++i > argc-1) - goto err_usage; - - if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) { - if (!oldpwddns) { - /* Store the old pwd dns list for removing rights */ - oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldpwddns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->passwdservers[j] != NULL; j++) { - oldpwddns[j] = strdup(rparams->passwdservers[j]); - if (oldpwddns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldpwddns[j] = NULL; - } - - krb5_free_list_entries(rparams->passwdservers); - free(rparams->passwdservers); - } - - rparams->passwdservers = (char **)malloc( - sizeof(char *) * MAX_LIST_ENTRIES); - if (rparams->passwdservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - rparams->passwdservers))) { - goto cleanup; - } - mask |= LDAP_REALM_PASSWDSERVERS; - /* Going to replace the existing value by this new value. 
Hence - * setting flag indicating that add or clear options will be ignored - */ - newpwddn = 1; - } else if (!strcmp(argv[i], "-clearpwddn")) { - if (++i > argc-1) - goto err_usage; - - if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) { - if (!oldpwddns) { - /* Store the old pwd dns list for removing rights */ - oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldpwddns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->passwdservers[j] != NULL; j++) { - oldpwddns[j] = strdup(rparams->passwdservers[j]); - if (oldpwddns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldpwddns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - list_modify_str_array(&rparams->passwdservers, (const char**)list, - LIST_MODE_DELETE); - mask |= LDAP_REALM_PASSWDSERVERS; - krb5_free_list_entries(list); - } - } else if (!strcmp(argv[i], "-addpwddn")) { - if (++i > argc-1) - goto err_usage; - if (!newpwddn) { - if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) { - /* Store the old pwd dns list for removing rights */ - oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldpwddns == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j=0; rparams->passwdservers[j] != NULL; j++) { - oldpwddns[j] = strdup(rparams->passwdservers[j]); - if (oldpwddns[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldpwddns[j] = NULL; - } - - memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { - goto cleanup; - } - existing_entries = list_count_str_array(rparams->passwdservers); - list_entries = list_count_str_array(list); - if (rmask & LDAP_REALM_PASSWDSERVERS) { - tempstr = (char **)realloc( - rparams->passwdservers, - sizeof(char *) * (existing_entries+list_entries+1)); - if (tempstr == 
NULL) { - retval = ENOMEM; - goto cleanup; - } - rparams->passwdservers = tempstr; - } else { - rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1)); - if (rparams->passwdservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1)); - } - list_modify_str_array(&rparams->passwdservers, (const char**)list, - LIST_MODE_ADD); - mask |= LDAP_REALM_PASSWDSERVERS; - } - } + else if (!strcmp(argv[i], "-kdcdn")) { + if (++i > argc-1) + goto err_usage; + + if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) { + if (!oldkdcdns) { + /* Store the old kdc dns list for removing rights */ + oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldkdcdns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->kdcservers[j] != NULL; j++) { + oldkdcdns[j] = strdup(rparams->kdcservers[j]); + if (oldkdcdns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldkdcdns[j] = NULL; + } + + krb5_free_list_entries(rparams->kdcservers); + free(rparams->kdcservers); + } + + rparams->kdcservers = (char **)malloc( + sizeof(char *) * MAX_LIST_ENTRIES); + if (rparams->kdcservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + rparams->kdcservers))) { + goto cleanup; + } + mask |= LDAP_REALM_KDCSERVERS; + /* Going to replace the existing value by this new value. 
Hence + * setting flag indicating that add or clear options will be ignored + */ + newkdcdn = 1; + } else if (!strcmp(argv[i], "-clearkdcdn")) { + if (++i > argc-1) + goto err_usage; + if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) { + if (!oldkdcdns) { + /* Store the old kdc dns list for removing rights */ + oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldkdcdns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->kdcservers[j] != NULL; j++) { + oldkdcdns[j] = strdup(rparams->kdcservers[j]); + if (oldkdcdns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldkdcdns[j] = NULL; + } + + memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + goto cleanup; + } + list_modify_str_array(&rparams->kdcservers, (const char **)list, + LIST_MODE_DELETE); + mask |= LDAP_REALM_KDCSERVERS; + krb5_free_list_entries(list); + } + } else if (!strcmp(argv[i], "-addkdcdn")) { + if (++i > argc-1) + goto err_usage; + if (!newkdcdn) { + if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) { + /* Store the old kdc dns list for removing rights */ + oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldkdcdns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j = 0; rparams->kdcservers[j] != NULL; j++) { + oldkdcdns[j] = strdup(rparams->kdcservers[j]); + if (oldkdcdns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldkdcdns[j] = NULL; + } + + memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + goto cleanup; + } + existing_entries = list_count_str_array(rparams->kdcservers); + list_entries = list_count_str_array(list); + if (rmask & LDAP_REALM_KDCSERVERS) { + tempstr = (char **)realloc( + rparams->kdcservers, + sizeof(char *) * (existing_entries+list_entries+1)); + if (tempstr == NULL) { + retval = ENOMEM; + goto 
cleanup; + } + rparams->kdcservers = tempstr; + } else { + rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1)); + if (rparams->kdcservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1)); + } + list_modify_str_array(&rparams->kdcservers, (const char **)list, + LIST_MODE_ADD); + mask |= LDAP_REALM_KDCSERVERS; + } + } else if (!strcmp(argv[i], "-admindn")) { + if (++i > argc-1) + goto err_usage; + + if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) { + if (!oldadmindns) { + /* Store the old admin dns list for removing rights */ + oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldadmindns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->adminservers[j] != NULL; j++) { + oldadmindns[j] = strdup(rparams->adminservers[j]); + if (oldadmindns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldadmindns[j] = NULL; + } + + krb5_free_list_entries(rparams->adminservers); + free(rparams->adminservers); + } + + rparams->adminservers = (char **)malloc( + sizeof(char *) * MAX_LIST_ENTRIES); + if (rparams->adminservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + rparams->adminservers))) { + goto cleanup; + } + mask |= LDAP_REALM_ADMINSERVERS; + /* Going to replace the existing value by this new value. 
Hence + * setting flag indicating that add or clear options will be ignored + */ + newadmindn = 1; + } else if (!strcmp(argv[i], "-clearadmindn")) { + if (++i > argc-1) + goto err_usage; + + if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) { + if (!oldadmindns) { + /* Store the old admin dns list for removing rights */ + oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldadmindns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->adminservers[j] != NULL; j++) { + oldadmindns[j] = strdup(rparams->adminservers[j]); + if (oldadmindns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldadmindns[j] = NULL; + } + + memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + goto cleanup; + } + list_modify_str_array(&rparams->adminservers, (const char **)list, + LIST_MODE_DELETE); + mask |= LDAP_REALM_ADMINSERVERS; + krb5_free_list_entries(list); + } + } else if (!strcmp(argv[i], "-addadmindn")) { + if (++i > argc-1) + goto err_usage; + if (!newadmindn) { + if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) { + /* Store the old admin dns list for removing rights */ + oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldadmindns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->adminservers[j] != NULL; j++) { + oldadmindns[j] = strdup(rparams->adminservers[j]); + if (oldadmindns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldadmindns[j] = NULL; + } + + memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + goto cleanup; + } + existing_entries = list_count_str_array(rparams->adminservers); + list_entries = list_count_str_array(list); + if (rmask & LDAP_REALM_ADMINSERVERS) { + tempstr = (char **)realloc( + rparams->adminservers, + sizeof(char *) * 
(existing_entries+list_entries+1)); + if (tempstr == NULL) { + retval = ENOMEM; + goto cleanup; + } + rparams->adminservers = tempstr; + } else { + rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1)); + if (rparams->adminservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1)); + } + list_modify_str_array(&rparams->adminservers, (const char **)list, + LIST_MODE_ADD); + mask |= LDAP_REALM_ADMINSERVERS; + } + } else if (!strcmp(argv[i], "-pwddn")) { + if (++i > argc-1) + goto err_usage; + + if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) { + if (!oldpwddns) { + /* Store the old pwd dns list for removing rights */ + oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldpwddns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->passwdservers[j] != NULL; j++) { + oldpwddns[j] = strdup(rparams->passwdservers[j]); + if (oldpwddns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldpwddns[j] = NULL; + } + + krb5_free_list_entries(rparams->passwdservers); + free(rparams->passwdservers); + } + + rparams->passwdservers = (char **)malloc( + sizeof(char *) * MAX_LIST_ENTRIES); + if (rparams->passwdservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + rparams->passwdservers))) { + goto cleanup; + } + mask |= LDAP_REALM_PASSWDSERVERS; + /* Going to replace the existing value by this new value. 
Hence + * setting flag indicating that add or clear options will be ignored + */ + newpwddn = 1; + } else if (!strcmp(argv[i], "-clearpwddn")) { + if (++i > argc-1) + goto err_usage; + + if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) { + if (!oldpwddns) { + /* Store the old pwd dns list for removing rights */ + oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldpwddns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->passwdservers[j] != NULL; j++) { + oldpwddns[j] = strdup(rparams->passwdservers[j]); + if (oldpwddns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldpwddns[j] = NULL; + } + + memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + goto cleanup; + } + list_modify_str_array(&rparams->passwdservers, (const char**)list, + LIST_MODE_DELETE); + mask |= LDAP_REALM_PASSWDSERVERS; + krb5_free_list_entries(list); + } + } else if (!strcmp(argv[i], "-addpwddn")) { + if (++i > argc-1) + goto err_usage; + if (!newpwddn) { + if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) { + /* Store the old pwd dns list for removing rights */ + oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldpwddns == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j=0; rparams->passwdservers[j] != NULL; j++) { + oldpwddns[j] = strdup(rparams->passwdservers[j]); + if (oldpwddns[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldpwddns[j] = NULL; + } + + memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { + goto cleanup; + } + existing_entries = list_count_str_array(rparams->passwdservers); + list_entries = list_count_str_array(list); + if (rmask & LDAP_REALM_PASSWDSERVERS) { + tempstr = (char **)realloc( + rparams->passwdservers, + sizeof(char *) * (existing_entries+list_entries+1)); + if (tempstr == 
NULL) { + retval = ENOMEM; + goto cleanup; + } + rparams->passwdservers = tempstr; + } else { + rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1)); + if (rparams->passwdservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1)); + } + list_modify_str_array(&rparams->passwdservers, (const char**)list, + LIST_MODE_ADD); + mask |= LDAP_REALM_PASSWDSERVERS; + } + } #endif - else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { - mask|=ret_mask; - } else { - printf("'%s' is an invalid option\n", argv[i]); - goto err_usage; - } + else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { + mask|=ret_mask; + } else { + printf("'%s' is an invalid option\n", argv[i]); + goto err_usage; + } } if ((retval = krb5_ldap_modify_realm(util_context, - /* global_params.realm, */ rparams, mask))) { - goto cleanup; + /* global_params.realm, */ rparams, mask))) { + goto cleanup; } #ifdef HAVE_EDIRECTORY if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF) || (mask & LDAP_REALM_KDCSERVERS) || - (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) { + (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) { - printf("Changing rights for the service object. Please wait ... "); - fflush(stdout); + printf("Changing rights for the service object. Please wait ... "); + fflush(stdout); if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_CONTREF)) { subtree_changed = 1; - } + } if ((subtree_changed) || (mask & LDAP_REALM_KDCSERVERS)) { 
@@ -1469,27 +1466,27 @@ void kdb5_ldap_modify(argc, argv) /* Remove the rights on the old subtrees */ for (i=0; (kdcdns[i] != NULL); i++) { if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_KDC_SERVICE, kdcdns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + LDAP_KDC_SERVICE, kdcdns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; - } - } - } + } + } + } for (i=0; (kdcdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, kdcdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_KDC_SERVICE, kdcdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; - } - } - } - } + } + } + } + } if (!subtree_changed) { char **newdns = NULL; 
@@ -1500,45 +1497,45 @@ void kdb5_ldap_modify(argc, argv) if (oldkdcdns != NULL) { newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); if (newdns == NULL) { - retval = ENOMEM; - goto cleanup; - } + retval = ENOMEM; + goto cleanup; + } - if ((rparams != NULL) && (rparams->kdcservers != NULL)) { - for (j=0; rparams->kdcservers[j]!= NULL; j++) { + if ((rparams != NULL) && (rparams->kdcservers != NULL)) { + for (j=0; rparams->kdcservers[j]!= NULL; j++) { newdns[j] = strdup(rparams->kdcservers[j]); if (newdns[j] == NULL) { FREE_DN_LIST(newdns); - retval = ENOMEM; - goto cleanup; - } - } + retval = ENOMEM; + goto cleanup; + } + } newdns[j] = NULL; - } + } disjoint_members(oldkdcdns, newdns); for (i=0; (oldkdcdns[i] != NULL); i++) { if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_KDC_SERVICE, oldkdcdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_KDC_SERVICE, oldkdcdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); FREE_DN_LIST(newdns); goto err_nomsg; - } - } + } + } for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_KDC_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); FREE_DN_LIST(newdns); goto err_nomsg; - } + } } for (i=0; (newdns[i] != NULL); i++) { free(newdns[i]); 
@@ -1548,42 +1545,42 @@ void kdb5_ldap_modify(argc, argv) newdns = rparams->kdcservers; for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_KDC_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; - } - } - } + } + } + } } if (subtree_changed && (mask & LDAP_REALM_KDCSERVERS)) { char **newdns = rparams->kdcservers; - rightsmask =0; + rightsmask =0; rightsmask = LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; if (oldkdcdns != NULL) { - for (i=0; (oldkdcdns[i] != NULL); i++) { - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_KDC_SERVICE, oldkdcdns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } + for (i=0; (oldkdcdns[i] != NULL); i++) { + if ((retval=krb5_ldap_delete_service_rights(util_context, + LDAP_KDC_SERVICE, oldkdcdns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_KDC_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_KDC_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; } 
} @@ -1596,34 +1593,34 @@ void kdb5_ldap_modify(argc, argv) if (rparams->adminservers != NULL) { char **admindns = rparams->adminservers; /* Only subtree and/or container ref has changed */ - rightsmask =0; + rightsmask =0; /* KADMINSERVERS have not changed. Realm rights need not be changed */; - rightsmask |= LDAP_SUBTREE_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) { /* Remove the rights on the old subtrees */ for (i=0; (admindns[i] != NULL); i++) { if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_ADMIN_SERVICE, admindns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + LDAP_ADMIN_SERVICE, admindns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; } } } for (i=0; (admindns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, admindns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_ADMIN_SERVICE, admindns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } - } + rparams->realm_name); + goto err_nomsg; + } + } + } + } if (!subtree_changed) { char **newdns = NULL; 
@@ -1634,46 +1631,46 @@ void kdb5_ldap_modify(argc, argv) if (oldadmindns != NULL) { newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); if (newdns == NULL) { - retval = ENOMEM; - goto cleanup; - } + retval = ENOMEM; + goto cleanup; + } - if ((rparams != NULL) && (rparams->adminservers != NULL)) { - for (j=0; rparams->adminservers[j]!= NULL; j++) { + if ((rparams != NULL) && (rparams->adminservers != NULL)) { + for (j=0; rparams->adminservers[j]!= NULL; j++) { newdns[j] = strdup(rparams->adminservers[j]); if (newdns[j] == NULL) { FREE_DN_LIST(newdns); - retval = ENOMEM; - goto cleanup; - } - } + retval = ENOMEM; + goto cleanup; + } + } newdns[j] = NULL; - } + } disjoint_members(oldadmindns, newdns); for (i=0; (oldadmindns[i] != NULL); i++) { if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_ADMIN_SERVICE, oldadmindns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_ADMIN_SERVICE, oldadmindns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); FREE_DN_LIST(newdns); goto err_nomsg; - } + } } for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_ADMIN_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); FREE_DN_LIST(newdns); goto err_nomsg; - } - } + } + } for (i=0; (newdns[i] != NULL); i++) { free(newdns[i]); } 
@@ -1682,42 +1679,42 @@ void kdb5_ldap_modify(argc, argv) newdns = rparams->adminservers; for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_ADMIN_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; - } - } - } + } + } + } } if (subtree_changed && (mask & LDAP_REALM_ADMINSERVERS)) { char **newdns = rparams->adminservers; - rightsmask = 0; + rightsmask = 0; rightsmask = LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; if (oldadmindns != NULL) { - for (i=0; (oldadmindns[i] != NULL); i++) { - if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_ADMIN_SERVICE, oldadmindns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } + for (i=0; (oldadmindns[i] != NULL); i++) { + if ((retval=krb5_ldap_delete_service_rights(util_context, + LDAP_ADMIN_SERVICE, oldadmindns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_ADMIN_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_ADMIN_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + 
rparams->realm_name); goto err_nomsg; } } @@ -1730,34 +1727,34 @@ void kdb5_ldap_modify(argc, argv) if (rparams->passwdservers != NULL) { char **passwddns = rparams->passwdservers; /* Only subtree and/or container ref has changed */ - rightsmask = 0; + rightsmask = 0; /* KPASSWDSERVERS have not changed. Realm rights need not be changed */; - rightsmask |= LDAP_SUBTREE_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; if ((oldsubtrees != NULL) || (oldcontainerref != NULL)) { /* Remove the rights on the old subtrees */ for (i=0; (passwddns[i] != NULL); i++) { if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_PASSWD_SERVICE, passwddns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + LDAP_PASSWD_SERVICE, passwddns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; } } } for (i=0; (passwddns[i] != NULL); i++) { - if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, passwddns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); + if ((retval=krb5_ldap_add_service_rights(util_context, + LDAP_PASSWD_SERVICE, passwddns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } - } + rparams->realm_name); + goto err_nomsg; + } + } + } + } if (!subtree_changed) { char **newdns = NULL; 
@@ -1768,45 +1765,45 @@ void kdb5_ldap_modify(argc, argv) if (oldpwddns != NULL) { newdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); if (newdns == NULL) { - retval = ENOMEM; - goto cleanup; - } + retval = ENOMEM; + goto cleanup; + } - if ((rparams != NULL) && (rparams->passwdservers != NULL)) { - for (j=0; rparams->passwdservers[j]!= NULL; j++) { + if ((rparams != NULL) && (rparams->passwdservers != NULL)) { + for (j=0; rparams->passwdservers[j]!= NULL; j++) { newdns[j] = strdup(rparams->passwdservers[j]); if (newdns[j] == NULL) { FREE_DN_LIST(newdns); - retval = ENOMEM; - goto cleanup; - } - } + retval = ENOMEM; + goto cleanup; + } + } newdns[j] = NULL; - } + } disjoint_members(oldpwddns, newdns); for (i=0; (oldpwddns[i] != NULL); i++) { if ((retval=krb5_ldap_delete_service_rights(util_context, - LDAP_PASSWD_SERVICE, oldpwddns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_PASSWD_SERVICE, oldpwddns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); FREE_DN_LIST(newdns); goto err_nomsg; - } - } + } + } for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_PASSWD_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); FREE_DN_LIST(newdns); goto err_nomsg; - } + } } for (i=0; (newdns[i] != NULL); i++) { free(newdns[i]); 
@@ -1816,48 +1813,48 @@ void kdb5_ldap_modify(argc, argv) newdns = rparams->passwdservers; for (i=0; (newdns[i] != NULL); i++) { if ((retval=krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + LDAP_PASSWD_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { printf("failed\n"); com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); + rparams->realm_name); goto err_nomsg; - } - } - } + } + } + } } if (subtree_changed && (mask & LDAP_REALM_PASSWDSERVERS)) { char **newdns = rparams->passwdservers; - rightsmask =0; + rightsmask =0; rightsmask = LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; if (oldpwddns != NULL) { - for (i=0; (oldpwddns[i] != NULL); i++) { - if ((retval = krb5_ldap_delete_service_rights(util_context, - LDAP_PASSWD_SERVICE, oldpwddns[i], - rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } + for (i=0; (oldpwddns[i] != NULL); i++) { + if ((retval = krb5_ldap_delete_service_rights(util_context, + LDAP_PASSWD_SERVICE, oldpwddns[i], + rparams->realm_name, oldsubtrees, oldcontainerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } + } + } for (i=0; (newdns[i] != NULL); i++) { - if ((retval = krb5_ldap_add_service_rights(util_context, - LDAP_PASSWD_SERVICE, newdns[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); + if ((retval = krb5_ldap_add_service_rights(util_context, + LDAP_PASSWD_SERVICE, newdns[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); 
com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } - } - } - } - printf("done\n"); + rparams->realm_name); + goto err_nomsg; + } + } + } + } + printf("done\n"); } #endif 
@@ -1875,55 +1872,55 @@ cleanup: #ifdef HAVE_EDIRECTORY if (oldkdcdns) { - for (i=0; oldkdcdns[i] != NULL; i++) - free(oldkdcdns[i]); - free(oldkdcdns); + for (i=0; oldkdcdns[i] != NULL; i++) + free(oldkdcdns[i]); + free(oldkdcdns); } if (oldpwddns) { - for (i=0; oldpwddns[i] != NULL; i++) - free(oldpwddns[i]); - free(oldpwddns); + for (i=0; oldpwddns[i] != NULL; i++) + free(oldpwddns[i]); + free(oldpwddns); } if (oldadmindns) { - for (i=0; oldadmindns[i] != NULL; i++) - free(oldadmindns[i]); - free(oldadmindns); + for (i=0; oldadmindns[i] != NULL; i++) + free(oldadmindns[i]); + free(oldadmindns); } if (newkdcdns) { - for (i=0; newkdcdns[i] != NULL; i++) - free(newkdcdns[i]); - free(newkdcdns); + for (i=0; newkdcdns[i] != NULL; i++) + free(newkdcdns[i]); + free(newkdcdns); } if (newpwddns) { - for (i=0; newpwddns[i] != NULL; i++) - free(newpwddns[i]); - free(newpwddns); + for (i=0; newpwddns[i] != NULL; i++) + free(newpwddns[i]); + free(newpwddns); } if (newadmindns) { - for (i=0; newadmindns[i] != NULL; i++) - free(newadmindns[i]); - free(newadmindns); + for (i=0; newadmindns[i] != NULL; i++) + free(newadmindns[i]); + free(newadmindns); } if (oldsubtrees) { - for (i=0;oldsubtrees[i]!=NULL; i++) - free(oldsubtrees[i]); - free(oldsubtrees); + for (i=0;oldsubtrees[i]!=NULL; i++) + free(oldsubtrees[i]); + free(oldsubtrees); } if (newsubtrees) { - for (i=0;newsubtrees[i]!=NULL; i++) - free(newsubtrees[i]); - free(oldsubtrees); + for (i=0;newsubtrees[i]!=NULL; i++) + free(newsubtrees[i]); + free(oldsubtrees); } #endif if (print_usage) { - db_usage(MODIFY_REALM); + db_usage(MODIFY_REALM); } if (retval) { - if (!no_msg) - com_err(progname, retval, "while modifying information of realm '%s'", - global_params.realm); - exit_status++; + if (!no_msg) + com_err(progname, retval, "while modifying information of realm '%s'", + global_params.realm); + exit_status++; } return; 
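Review bot: The `if (newsubtrees)` cleanup block frees its entries and then calls `free(oldsubtrees);` instead of the array it just emptied, so when both lists are set oldsubtrees is freed twice (the block just above already released it) and the newsubtrees array leaks. The last line of that block should read `free(newsubtrees);`. This is the cleanup tail of kdb5_ldap_modify, whose body starts outside the hunk.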
@@ -1934,9 +1931,8 @@ cleanup: /* * This function displays the attributes of a Realm */ -void kdb5_ldap_view(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_view(int argc, char *argv[]) { krb5_ldap_realm_params *rparams = NULL; krb5_error_code retval = 0; @@ -1947,26 +1943,26 @@ void kdb5_ldap_view(argc, argv) dal_handle = util_context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!(ldap_context)) { - retval = EINVAL; - com_err(progname, retval, "while initializing database"); - exit_status++; - return; + retval = EINVAL; + com_err(progname, retval, "while initializing database"); + exit_status++; + return; } /* Read the kerberos container information */ if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer))) != 0) { - com_err(progname, retval, "while reading kerberos container information"); - exit_status++; - return; + &(ldap_context->krbcontainer))) != 0) { + com_err(progname, retval, "while reading kerberos container information"); + exit_status++; + return; } if ((retval = krb5_ldap_read_realm_params(util_context, - global_params.realm, &rparams, &mask)) || (!rparams)) { - com_err(progname, retval, "while reading information of realm '%s'", - global_params.realm); - exit_status++; - return; + global_params.realm, &rparams, &mask)) || (!rparams)) { + com_err(progname, retval, "while reading information of realm '%s'", + global_params.realm); + exit_status++; + return; } print_realm_params(rparams, mask); krb5_ldap_free_realm_params(rparams); @@ -1974,17 +1970,17 @@ void kdb5_ldap_view(argc, argv) return; } -static char *strdur(duration) - time_t duration; +static char * +strdur(time_t duration) { static char out[50]; int neg, days, hours, minutes, seconds; if (duration < 0) { - duration *= -1; - neg = 1; + duration *= -1; + neg = 1; } else - neg = 0; + neg = 0; days = duration / (24 * 3600); duration %= 24 * 3600; hours = duration / 3600; 
@@ -1993,8 +1989,8 @@ static char *strdur(duration) duration %= 60; seconds = duration; snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "", - days, days == 1 ? "day" : "days", - hours, minutes, seconds); + days, days == 1 ? "day" : "days", + hours, minutes, seconds); return out; } @@ -2002,7 +1998,8 @@ static char *strdur(duration) * This function prints the attributes of a given realm to the * standard output. */ -static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) +static void +print_realm_params(krb5_ldap_realm_params *rparams, int mask) { char **slist = NULL; unsigned int num_entry_printed = 0, i = 0; 
@@ -2010,117 +2007,117 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) /* Print the Realm Attributes on the standard output */ printf("%25s: %-50s\n", "Realm Name", global_params.realm); if (mask & LDAP_REALM_SUBTREE) { - for (i=0; rparams->subtree[i]!=NULL; i++) - printf("%25s: %-50s\n", "Subtree", rparams->subtree[i]); + for (i=0; rparams->subtree[i]!=NULL; i++) + printf("%25s: %-50s\n", "Subtree", rparams->subtree[i]); } if (mask & LDAP_REALM_CONTREF) - printf("%25s: %-50s\n", "Principal Container Reference", rparams->containerref); + printf("%25s: %-50s\n", "Principal Container Reference", rparams->containerref); if (mask & LDAP_REALM_SEARCHSCOPE) { - if ((rparams->search_scope != 1) && - (rparams->search_scope != 2)) { - printf("%25s: %-50s\n", "SearchScope", "Invalid !"); - } else { - printf("%25s: %-50s\n", "SearchScope", - (rparams->search_scope == 1) ? "ONE" : "SUB"); - } + if ((rparams->search_scope != 1) && + (rparams->search_scope != 2)) { + printf("%25s: %-50s\n", "SearchScope", "Invalid !"); + } else { + printf("%25s: %-50s\n", "SearchScope", + (rparams->search_scope == 1) ? 
"ONE" : "SUB"); + } } if (mask & LDAP_REALM_KDCSERVERS) { - printf("%25s:", "KDC Services"); - if (rparams->kdcservers != NULL) { - num_entry_printed = 0; - for (slist = rparams->kdcservers; *slist != NULL; slist++) { - if (num_entry_printed) - printf(" %25s %-50s\n", " ", *slist); - else - printf(" %-50s\n", *slist); - num_entry_printed++; - } - } - if (num_entry_printed == 0) - printf("\n"); + printf("%25s:", "KDC Services"); + if (rparams->kdcservers != NULL) { + num_entry_printed = 0; + for (slist = rparams->kdcservers; *slist != NULL; slist++) { + if (num_entry_printed) + printf(" %25s %-50s\n", " ", *slist); + else + printf(" %-50s\n", *slist); + num_entry_printed++; + } + } + if (num_entry_printed == 0) + printf("\n"); } if (mask & LDAP_REALM_ADMINSERVERS) { - printf("%25s:", "Admin Services"); - if (rparams->adminservers != NULL) { - num_entry_printed = 0; - for (slist = rparams->adminservers; *slist != NULL; slist++) { - if (num_entry_printed) - printf(" %25s %-50s\n", " ", *slist); - else - printf(" %-50s\n", *slist); - num_entry_printed++; - } - } - if (num_entry_printed == 0) - printf("\n"); + printf("%25s:", "Admin Services"); + if (rparams->adminservers != NULL) { + num_entry_printed = 0; + for (slist = rparams->adminservers; *slist != NULL; slist++) { + if (num_entry_printed) + printf(" %25s %-50s\n", " ", *slist); + else + printf(" %-50s\n", *slist); + num_entry_printed++; + } + } + if (num_entry_printed == 0) + printf("\n"); } if (mask & LDAP_REALM_PASSWDSERVERS) { - printf("%25s:", "Passwd Services"); - if (rparams->passwdservers != NULL) { - num_entry_printed = 0; - for (slist = rparams->passwdservers; *slist != NULL; slist++) { - if (num_entry_printed) - printf(" %25s %-50s\n", " ", *slist); - else - printf(" %-50s\n", *slist); - num_entry_printed++; - } - } - if (num_entry_printed == 0) - printf("\n"); + printf("%25s:", "Passwd Services"); + if (rparams->passwdservers != NULL) { + num_entry_printed = 0; + for (slist = rparams->passwdservers; 
*slist != NULL; slist++) { + if (num_entry_printed) + printf(" %25s %-50s\n", " ", *slist); + else + printf(" %-50s\n", *slist); + num_entry_printed++; + } + } + if (num_entry_printed == 0) + printf("\n"); } if (mask & LDAP_REALM_MAXTICKETLIFE) { - printf("%25s:", "Maximum Ticket Life"); - printf(" %s \n", strdur(rparams->max_life)); + printf("%25s:", "Maximum Ticket Life"); + printf(" %s \n", strdur(rparams->max_life)); } if (mask & LDAP_REALM_MAXRENEWLIFE) { - printf("%25s:", "Maximum Renewable Life"); - printf(" %s \n", strdur(rparams->max_renewable_life)); + printf("%25s:", "Maximum Renewable Life"); + printf(" %s \n", strdur(rparams->max_renewable_life)); } if (mask & LDAP_REALM_KRBTICKETFLAGS) { - int ticketflags = rparams->tktflags; + int ticketflags = rparams->tktflags; - printf("%25s: ", "Ticket flags"); - if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED) - printf("%s ","DISALLOW_POSTDATED"); + printf("%25s: ", "Ticket flags"); + if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED) + printf("%s ","DISALLOW_POSTDATED"); - if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE) - printf("%s ","DISALLOW_FORWARDABLE"); + if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE) + printf("%s ","DISALLOW_FORWARDABLE"); - if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE) - printf("%s ","DISALLOW_RENEWABLE"); + if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE) + printf("%s ","DISALLOW_RENEWABLE"); - if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE) - printf("%s ","DISALLOW_PROXIABLE"); + if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE) + printf("%s ","DISALLOW_PROXIABLE"); - if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY) - printf("%s ","DISALLOW_DUP_SKEY"); + if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY) + printf("%s ","DISALLOW_DUP_SKEY"); - if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH) - printf("%s ","REQUIRES_PRE_AUTH"); + if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH) + printf("%s ","REQUIRES_PRE_AUTH"); - if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH) - printf("%s ","REQUIRES_HW_AUTH"); + if 
(ticketflags & KRB5_KDB_REQUIRES_HW_AUTH) + printf("%s ","REQUIRES_HW_AUTH"); - if (ticketflags & KRB5_KDB_DISALLOW_SVR) - printf("%s ","DISALLOW_SVR"); + if (ticketflags & KRB5_KDB_DISALLOW_SVR) + printf("%s ","DISALLOW_SVR"); - if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED) - printf("%s ","DISALLOW_TGT_BASED"); + if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED) + printf("%s ","DISALLOW_TGT_BASED"); - if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX) - printf("%s ","DISALLOW_ALL_TIX"); + if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX) + printf("%s ","DISALLOW_ALL_TIX"); - if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE) - printf("%s ","REQUIRES_PWCHANGE"); + if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE) + printf("%s ","REQUIRES_PWCHANGE"); - if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE) - printf("%s ","PWCHANGE_SERVICE"); + if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE) + printf("%s ","PWCHANGE_SERVICE"); - printf("\n"); + printf("\n"); } @@ -2133,9 +2130,8 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) * This function lists the Realm(s) present under the Kerberos container * on the LDAP Server. */ -void kdb5_ldap_list(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_list(int argc, char *argv[]) { char **list = NULL; char **plist = NULL; 
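Review bot: In print_realm_params the reset `num_entry_printed = 0;` sits inside the `if (rparams->kdcservers != NULL)` branch, and likewise for adminservers and passwdservers, so when an earlier list printed entries and a later one is NULL the `if (num_entry_printed == 0) printf("\n");` check sees the stale count and that section's header is left without its newline. Moving `num_entry_printed = 0;` to just before each NULL check fixes all three sections. print_realm_params begins outside this hunk.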
@@ -2146,36 +2142,36 @@ void kdb5_ldap_list(argc, argv) dal_handle = util_context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!(ldap_context)) { - retval = EINVAL; - exit_status++; - return; + retval = EINVAL; + exit_status++; + return; } /* Read the kerberos container information */ if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer))) != 0) { - com_err(progname, retval, "while reading kerberos container information"); - exit_status++; - return; + &(ldap_context->krbcontainer))) != 0) { + com_err(progname, retval, "while reading kerberos container information"); + exit_status++; + return; } retval = krb5_ldap_list_realm(util_context, &list); if (retval != 0) { - krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); - ldap_context->krbcontainer = NULL; - com_err (progname, retval, "while listing realms"); - exit_status++; - return; + krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); + ldap_context->krbcontainer = NULL; + com_err (progname, retval, "while listing realms"); + exit_status++; + return; } /* This is to handle the case of realm not present */ if (list == NULL) { - krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); - ldap_context->krbcontainer = NULL; - return; + krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); + ldap_context->krbcontainer = NULL; + return; } for (plist = list; *plist != NULL; plist++) { - printf("%s\n", *plist); + printf("%s\n", *plist); } krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); ldap_context->krbcontainer = NULL; 
@@ -2197,10 +2193,8 @@ void kdb5_ldap_list(argc, argv) /* Start duplicate code ... */ static krb5_error_code -krb5_dbe_update_tl_data_new(context, entry, new_tl_data) - krb5_context context; - krb5_db_entry *entry; - krb5_tl_data *new_tl_data; +krb5_dbe_update_tl_data_new(krb5_context context, krb5_db_entry *entry, + krb5_tl_data *new_tl_data) { krb5_tl_data *tl_data = NULL; krb5_octet *tmp; 
@@ -2208,46 +2202,46 @@ krb5_dbe_update_tl_data_new(context, entry, new_tl_data) /* copy the new data first, so we can fail cleanly if malloc() * fails */ /* - if ((tmp = - (krb5_octet *) krb5_db_alloc(context, NULL, - new_tl_data->tl_data_length)) == NULL) + if ((tmp = + (krb5_octet *) krb5_db_alloc(context, NULL, + new_tl_data->tl_data_length)) == NULL) */ if ((tmp = (krb5_octet *) malloc (new_tl_data->tl_data_length)) == NULL) - return (ENOMEM); + return (ENOMEM); /* Find an existing entry of the specified type and point at * it, or NULL if not found */ - if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) { /* db_args can be multiple */ - for (tl_data = entry->tl_data; tl_data; - tl_data = tl_data->tl_data_next) - if (tl_data->tl_data_type == new_tl_data->tl_data_type) - break; + if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) { /* db_args can be multiple */ + for (tl_data = entry->tl_data; tl_data; + tl_data = tl_data->tl_data_next) + if (tl_data->tl_data_type == new_tl_data->tl_data_type) + break; } /* if necessary, chain a new record in the beginning and point at it */ if (!tl_data) { /* - if ((tl_data = - (krb5_tl_data *) krb5_db_alloc(context, NULL, - sizeof(krb5_tl_data))) - == NULL) { + if ((tl_data = + (krb5_tl_data *) krb5_db_alloc(context, NULL, + sizeof(krb5_tl_data))) + == NULL) { */ - if ((tl_data = (krb5_tl_data *) malloc (sizeof(krb5_tl_data))) == NULL) { - free(tmp); - return (ENOMEM); - } - memset(tl_data, 0, sizeof(krb5_tl_data)); - tl_data->tl_data_next = entry->tl_data; - entry->tl_data = tl_data; - entry->n_tl_data++; + if ((tl_data = (krb5_tl_data *) malloc (sizeof(krb5_tl_data))) == NULL) { + free(tmp); + return (ENOMEM); + } + memset(tl_data, 0, sizeof(krb5_tl_data)); + tl_data->tl_data_next = entry->tl_data; + entry->tl_data = tl_data; + entry->n_tl_data++; } /* fill in the record */ if (tl_data->tl_data_contents) - krb5_db_free(context, tl_data->tl_data_contents); + krb5_db_free(context, tl_data->tl_data_contents); 
tl_data->tl_data_type = new_tl_data->tl_data_type; tl_data->tl_data_length = new_tl_data->tl_data_length; @@ -2258,29 +2252,27 @@ krb5_dbe_update_tl_data_new(context, entry, new_tl_data) } static krb5_error_code -krb5_dbe_update_mod_princ_data_new(context, entry, mod_date, mod_princ) - krb5_context context; - krb5_db_entry * entry; - krb5_timestamp mod_date; - krb5_const_principal mod_princ; +krb5_dbe_update_mod_princ_data_new(krb5_context context, krb5_db_entry *entry, + krb5_timestamp mod_date, + krb5_const_principal mod_princ) { krb5_tl_data tl_data; - krb5_error_code retval = 0; - krb5_octet * nextloc = 0; - char * unparse_mod_princ = 0; - unsigned int unparse_mod_princ_size; + krb5_error_code retval = 0; + krb5_octet * nextloc = 0; + char * unparse_mod_princ = 0; + unsigned int unparse_mod_princ_size; if ((retval = krb5_unparse_name(context, mod_princ, - &unparse_mod_princ))) - return(retval); + &unparse_mod_princ))) + return(retval); unparse_mod_princ_size = strlen(unparse_mod_princ) + 1; if ((nextloc = (krb5_octet *) malloc(unparse_mod_princ_size + 4)) - == NULL) { - free(unparse_mod_princ); - return(ENOMEM); + == NULL) { + free(unparse_mod_princ); + return(ENOMEM); } tl_data.tl_data_type = KRB5_TL_MOD_PRINC; @@ -2302,9 +2294,7 @@ krb5_dbe_update_mod_princ_data_new(context, entry, mod_date, mod_princ) } static krb5_error_code -kdb_ldap_tgt_keysalt_iterate(ksent, ptr) - krb5_key_salt_tuple *ksent; - krb5_pointer ptr; +kdb_ldap_tgt_keysalt_iterate(krb5_key_salt_tuple *ksent, krb5_pointer ptr) { krb5_context context; krb5_error_code kret; 
@@ -2328,27 +2318,27 @@ kdb_ldap_tgt_keysalt_iterate(ksent, ptr) pwd.length = strlen(mkey_password); kret = krb5_c_random_seed(context, &pwd); if (kret) - return kret; + return kret; /*if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {*/ if ((entry->key_data = - (krb5_key_data *) realloc(entry->key_data, - (sizeof(krb5_key_data) * - (entry->n_key_data + 1)))) == NULL) - return (ENOMEM); + (krb5_key_data *) realloc(entry->key_data, + (sizeof(krb5_key_data) * + (entry->n_key_data + 1)))) == NULL) + return (ENOMEM); memset(entry->key_data + entry->n_key_data, 0, sizeof(krb5_key_data)); ind = entry->n_key_data++; if (!(kret = krb5_c_make_random_key(context, ksent->ks_enctype, - &key))) { - kret = krb5_dbekd_encrypt_key_data(context, - iargs->rblock->key, - &key, - NULL, - 1, - &entry->key_data[ind]); - krb5_free_keyblock_contents(context, &key); + &key))) { + kret = krb5_dbekd_encrypt_key_data(context, + iargs->rblock->key, + &key, + NULL, + 1, + &entry->key_data[ind]); + krb5_free_keyblock_contents(context, &key); } /*}*/ @@ -2361,11 +2351,8 @@ kdb_ldap_tgt_keysalt_iterate(ksent, ptr) * creating the realm object. */ static int -kdb_ldap_create_principal (context, princ, op, pblock) - krb5_context context; - krb5_principal princ; - enum ap_op op; - struct realm_info *pblock; +kdb_ldap_create_principal(krb5_context context, krb5_principal princ, + enum ap_op op, struct realm_info *pblock) { int retval=0, currlen=0, princtype = 2 /* Service Principal */; unsigned char *curr=NULL; 
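Review bot: In kdb_ldap_tgt_keysalt_iterate the grown array is assigned straight back with `entry->key_data = realloc(entry->key_data, ...)`, so on ENOMEM the previous key_data block is lost while entry->n_key_data still reports the entries it held, leaving the caller with a NULL array and a non-zero count. Use a temporary: `krb5_key_data *tmp = realloc(entry->key_data, sizeof(krb5_key_data) * (entry->n_key_data + 1)); if (tmp == NULL) return ENOMEM; entry->key_data = tmp;`. The function starts and ends outside the hunk.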
@@ -2383,30 +2370,30 @@ kdb_ldap_create_principal (context, princ, op, pblock) krb5_actkvno_node actkvno; if ((pblock == NULL) || (context == NULL)) { - retval = EINVAL; - goto cleanup; + retval = EINVAL; + goto cleanup; } dal_handle = context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!(ldap_context)) { - retval = EINVAL; - goto cleanup; + retval = EINVAL; + goto cleanup; } memset(&entry, 0, sizeof(entry)); tl_data = malloc(sizeof(*tl_data)); if (tl_data == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } memset(tl_data, 0, sizeof(*tl_data)); tl_data->tl_data_length = 1 + 2 + 2 + 1 + 2 + 4; tl_data->tl_data_type = 7; /* KDB_TL_USER_INFO */ curr = tl_data->tl_data_contents = malloc(tl_data->tl_data_length); if (tl_data->tl_data_contents == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } memset(curr, 1, 1); /* Passing the mask as principal type */ 
@@ -2439,74 +2426,74 @@ kdb_ldap_create_principal (context, princ, op, pblock) entry.expiration = pblock->expiration; entry.mask = mask; if ((retval = krb5_copy_principal(context, princ, &entry.princ))) - goto cleanup; + goto cleanup; switch (op) { case TGT_KEY: - if ((pdata = krb5_princ_component(context, princ, 1)) && - pdata->length == strlen("history") && - !memcmp(pdata->data, "history", strlen("history"))) { - - /* Allocate memory for storing the key */ - if ((entry.key_data = (krb5_key_data *) malloc( - sizeof(krb5_key_data))) == NULL) { - retval = ENOMEM; - goto cleanup; - } - - memset(entry.key_data, 0, sizeof(krb5_key_data)); - entry.n_key_data++; - - retval = krb5_c_make_random_key(context, global_params.enctype, &key); - if (retval) { - goto cleanup; - } - kvno = 1; /* New key is getting set */ - retval = krb5_dbekd_encrypt_key_data(context, - &ldap_context->lrparams->mkey, - &key, NULL, kvno, - &entry.key_data[entry.n_key_data - 1]); - krb5_free_keyblock_contents(context, &key); - if (retval) { - goto cleanup; - } - } else { - /*retval = krb5_c_make_random_key(context, 16, &key) ;*/ - iargs.ctx = context; - iargs.rblock = pblock; - iargs.dbentp = &entry; - - /* - * Iterate through the key/salt list, ignoring salt types. 
- */ - if ((retval = krb5_keysalt_iterate(pblock->kslist, - pblock->nkslist, - 1, - kdb_ldap_tgt_keysalt_iterate, - (krb5_pointer) &iargs))) - return retval; - } - break; + if ((pdata = krb5_princ_component(context, princ, 1)) && + pdata->length == strlen("history") && + !memcmp(pdata->data, "history", strlen("history"))) { + + /* Allocate memory for storing the key */ + if ((entry.key_data = (krb5_key_data *) malloc( + sizeof(krb5_key_data))) == NULL) { + retval = ENOMEM; + goto cleanup; + } + + memset(entry.key_data, 0, sizeof(krb5_key_data)); + entry.n_key_data++; + + retval = krb5_c_make_random_key(context, global_params.enctype, &key); + if (retval) { + goto cleanup; + } + kvno = 1; /* New key is getting set */ + retval = krb5_dbekd_encrypt_key_data(context, + &ldap_context->lrparams->mkey, + &key, NULL, kvno, + &entry.key_data[entry.n_key_data - 1]); + krb5_free_keyblock_contents(context, &key); + if (retval) { + goto cleanup; + } + } else { + /*retval = krb5_c_make_random_key(context, 16, &key) ;*/ + iargs.ctx = context; + iargs.rblock = pblock; + iargs.dbentp = &entry; + + /* + * Iterate through the key/salt list, ignoring salt types. 
+ */ + if ((retval = krb5_keysalt_iterate(pblock->kslist, + pblock->nkslist, + 1, + kdb_ldap_tgt_keysalt_iterate, + (krb5_pointer) &iargs))) + return retval; + } + break; case MASTER_KEY: - /* Allocate memory for storing the key */ - if ((entry.key_data = (krb5_key_data *) malloc( - sizeof(krb5_key_data))) == NULL) { - retval = ENOMEM; - goto cleanup; - } - - memset(entry.key_data, 0, sizeof(krb5_key_data)); - entry.n_key_data++; - kvno = 1; /* New key is getting set */ - retval = krb5_dbekd_encrypt_key_data(context, pblock->key, - &ldap_context->lrparams->mkey, - NULL, kvno, - &entry.key_data[entry.n_key_data - 1]); - if (retval) { - goto cleanup; - } + /* Allocate memory for storing the key */ + if ((entry.key_data = (krb5_key_data *) malloc( + sizeof(krb5_key_data))) == NULL) { + retval = ENOMEM; + goto cleanup; + } + + memset(entry.key_data, 0, sizeof(krb5_key_data)); + entry.n_key_data++; + kvno = 1; /* New key is getting set */ + retval = krb5_dbekd_encrypt_key_data(context, pblock->key, + &ldap_context->lrparams->mkey, + NULL, kvno, + &entry.key_data[entry.n_key_data - 1]); + if (retval) { + goto cleanup; + } /* * There should always be at least one "active" mkey so creating the * KRB5_TL_ACTKVNO entry now so the initial mkey is active. @@ -2515,20 +2502,20 @@ kdb_ldap_create_principal (context, princ, op, pblock) actkvno.act_kvno = kvno; actkvno.act_time = now; retval = krb5_dbe_update_actkvno(context, &entry, &actkvno); - if (retval) - goto cleanup; + if (retval) + goto cleanup; - break; + break; case NULL_KEY: default: - break; + break; } /* end of switch */ retval = krb5_ldap_put_principal(context, &entry, &nentry, NULL); if (retval) { - com_err(NULL, retval, "while adding entries to database"); - goto cleanup; + com_err(NULL, retval, "while adding entries to database"); + goto cleanup; } cleanup: 
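Review bot: In the TGT_KEY branch of kdb_ldap_create_principal a krb5_keysalt_iterate failure does `return retval;` while every other failure in the function goes through `goto cleanup;`, so on that path tl_data, its contents and entry.princ (all allocated earlier in the function) are not released. Replace that line with `goto cleanup;` so the error path matches the rest of the function. The cleanup label and the function's start lie outside this hunk.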
@@ -2541,9 +2528,7 @@ cleanup: * This function destroys the realm object and the associated principals */ void -kdb5_ldap_destroy(argc, argv) - int argc; - char *argv[]; +kdb5_ldap_destroy(int argc, char *argv[]) { extern char *optarg; extern int optind; 
@@ -2561,118 +2546,118 @@ kdb5_ldap_destroy(argc, argv) optind = 1; while ((optchar = getopt(argc, argv, "f")) != -1) { - switch (optchar) { - case 'f': - force++; - break; - case '?': - default: - db_usage(DESTROY_REALM); - return; - /*NOTREACHED*/ - } + switch (optchar) { + case 'f': + force++; + break; + case '?': + default: + db_usage(DESTROY_REALM); + return; + /*NOTREACHED*/ + } } if (!force) { - printf("Deleting KDC database of '%s', are you sure?\n", global_params.realm); - printf("(type 'yes' to confirm)? "); - if (fgets(buf, sizeof(buf), stdin) == NULL) { - exit_status++; - return; - } - if (strcmp(buf, yes)) { - exit_status++; - return; - } - printf("OK, deleting database of '%s'...\n", global_params.realm); + printf("Deleting KDC database of '%s', are you sure?\n", global_params.realm); + printf("(type 'yes' to confirm)? "); + if (fgets(buf, sizeof(buf), stdin) == NULL) { + exit_status++; + return; + } + if (strcmp(buf, yes)) { + exit_status++; + return; + } + printf("OK, deleting database of '%s'...\n", global_params.realm); } dal_handle = util_context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!(ldap_context)) { - com_err(progname, EINVAL, "while initializing database"); - exit_status++; - return; + com_err(progname, EINVAL, "while initializing database"); + exit_status++; + return; } /* Read the kerberos container from the LDAP Server */ if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer))) != 0) { - com_err(progname, retval, "while reading kerberos container information"); - exit_status++; - return; + &(ldap_context->krbcontainer))) != 0) { + com_err(progname, retval, "while reading kerberos container information"); + exit_status++; + return; } /* Read the Realm information from the LDAP Server */ if ((retval = krb5_ldap_read_realm_params(util_context, global_params.realm, - &(ldap_context->lrparams), &mask)) != 0) { - com_err(progname, retval, "while reading realm 
information"); - exit_status++; - return; + &(ldap_context->lrparams), &mask)) != 0) { + com_err(progname, retval, "while reading realm information"); + exit_status++; + return; } #ifdef HAVE_EDIRECTORY if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) || - (mask & LDAP_REALM_PASSWDSERVERS)) { - - printf("Changing rights for the service object. Please wait ... "); - fflush(stdout); - - rparams = ldap_context->lrparams; - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->kdcservers != NULL)) { - for (i=0; (rparams->kdcservers[i] != NULL); i++) { - if ((retval = krb5_ldap_delete_service_rights(util_context, - LDAP_KDC_SERVICE, rparams->kdcservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - return; - } - } - } - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->adminservers != NULL)) { - for (i=0; (rparams->adminservers[i] != NULL); i++) { - if ((retval = krb5_ldap_delete_service_rights(util_context, - LDAP_ADMIN_SERVICE, rparams->adminservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - return; - } - } - } - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - if ((rparams != NULL) && (rparams->passwdservers != NULL)) { - for (i=0; (rparams->passwdservers[i] != NULL); i++) { - if ((retval = krb5_ldap_delete_service_rights(util_context, - LDAP_PASSWD_SERVICE, rparams->passwdservers[i], - rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { - printf("failed\n"); - com_err(progname, retval, "while assigning rights to '%s'", - 
rparams->realm_name); - return; - } - } - } - printf("done\n"); + (mask & LDAP_REALM_PASSWDSERVERS)) { + + printf("Changing rights for the service object. Please wait ... "); + fflush(stdout); + + rparams = ldap_context->lrparams; + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->kdcservers != NULL)) { + for (i=0; (rparams->kdcservers[i] != NULL); i++) { + if ((retval = krb5_ldap_delete_service_rights(util_context, + LDAP_KDC_SERVICE, rparams->kdcservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + return; + } + } + } + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->adminservers != NULL)) { + for (i=0; (rparams->adminservers[i] != NULL); i++) { + if ((retval = krb5_ldap_delete_service_rights(util_context, + LDAP_ADMIN_SERVICE, rparams->adminservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + return; + } + } + } + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + if ((rparams != NULL) && (rparams->passwdservers != NULL)) { + for (i=0; (rparams->passwdservers[i] != NULL); i++) { + if ((retval = krb5_ldap_delete_service_rights(util_context, + LDAP_PASSWD_SERVICE, rparams->passwdservers[i], + rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) { + printf("failed\n"); + com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + return; + } + } + } + printf("done\n"); } #endif /* Delete the realm container and all the associated principals */ retval = krb5_ldap_delete_realm(util_context, global_params.realm); if (retval) 
{ - com_err(progname, retval, "deleting database of '%s'", global_params.realm); - exit_status++; - return; + com_err(progname, retval, "deleting database of '%s'", global_params.realm); + exit_status++; + return; } printf("** Database of '%s' destroyed.\n", global_params.realm); diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.h index 9a2972a5a..a8225210f 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.h +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_realm.h */ @@ -29,13 +30,13 @@ * POSSIBILITY OF SUCH DAMAGE. */ -#define BUFF_LEN 64 /* Max len of enctype string */ -#define MAX_PRINC_SIZE 256 +#define BUFF_LEN 64 /* Max len of enctype string */ +#define MAX_PRINC_SIZE 256 enum ap_op { - NULL_KEY, /* setup null keys */ - MASTER_KEY, /* use master key as new key */ - TGT_KEY /* special handling for tgt key */ + NULL_KEY, /* setup null keys */ + MASTER_KEY, /* use master key as new key */ + TGT_KEY /* special handling for tgt key */ }; struct realm_info { @@ -49,13 +50,13 @@ struct realm_info { }; struct iterate_args { - krb5_context ctx; - struct realm_info *rblock; - krb5_db_entry *dbentp; + krb5_context ctx; + struct realm_info *rblock; + krb5_db_entry *dbentp; }; -extern void kdb5_ldap_create (int argc, char **argv); -extern void kdb5_ldap_destroy (int argc, char **argv); -extern void kdb5_ldap_modify (int argc, char **argv); -extern void kdb5_ldap_view (int argc, char **argv); -extern void kdb5_ldap_list (int argc, char **argv); +extern void kdb5_ldap_create(int argc, char **argv); +extern void kdb5_ldap_destroy(int argc, char **argv); +extern void kdb5_ldap_modify(int argc, char **argv); +extern void kdb5_ldap_view(int argc, char **argv); +extern void kdb5_ldap_list(int argc, char **argv); 
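Review bot: In the HAVE_EDIRECTORY block of kdb5_ldap_destroy each failed krb5_ldap_delete_service_rights call prints "failed" and does a bare `return;` without the `exit_status++` that every other error path in this function sets, so a rights-removal failure leaves the realm in place while the utility still exits successfully. Add `exit_status++;` before each of the three returns. The message `"while assigning rights to '%s'"` on those delete calls is also misleading and would be clearer as `"while removing rights from '%s'"`. The function's start is outside the hunk.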
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c index 48cbe5a88..fb384d381 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_ldap_services.c */ @@ -50,9 +51,9 @@ convert_realm_name2dn_list(char **list, const char *krbcontainer_loc); static krb5_error_code rem_service_entry_from_file(int argc, - char *argv[], - char *file_name, - char *service_object); + char *argv[], + char *file_name, + char *service_object); static void print_service_params(krb5_ldap_service_params *lserparams, int mask); @@ -60,7 +61,8 @@ print_service_params(krb5_ldap_service_params *lserparams, int mask); extern char *yes; extern krb5_boolean db_inited; -static int process_host_list(char **host_list, int servicetype) +static int +process_host_list(char **host_list, int servicetype) { krb5_error_code retval = 0; char *pchr = NULL; 
@@ -69,93 +71,93 @@ static int process_host_list(char **host_list, int servicetype) /* Protocol and port number processing */ for (j = 0; host_list[j]; j++) { - /* Look for one hash */ - if ((pchr = strchr(host_list[j], HOST_INFO_DELIMITER))) { - unsigned int hostname_len = pchr - host_list[j]; - - /* Check input for buffer overflow */ - if (hostname_len >= MAX_LEN_LIST_ENTRY) { - retval = EINVAL; - goto cleanup; - } - - /* First copy off the host name portion */ - strncpy (host_str, host_list[j], hostname_len); - - /* Parse for the protocol string and translate to number */ - strncpy (proto_str, pchr + 1, PROTOCOL_STR_LEN); - if (!strcmp(proto_str, "udp")) - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_NUM_UDP); - else if (!strcmp(proto_str, "tcp")) - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_NUM_TCP); - else - proto_str[0] = '\0'; /* Make the string null if invalid */ - - /* Look for one more hash */ - if ((pchr = strchr(pchr + 1, HOST_INFO_DELIMITER))) { - /* Parse for the port string and check if it is numeric */ - strncpy (port_str, pchr + 1, PORT_STR_LEN); - if (!strtol(port_str, NULL, 10)) /* Not a valid number */ - port_str[0] = '\0'; - } else - port_str[0] = '\0'; - } else { /* We have only host name */ - strncpy (host_str, host_list[j], MAX_LEN_LIST_ENTRY - 1); - proto_str[0] = '\0'; - port_str[0] = '\0'; - } - - /* Now, based on service type, fill in suitable protocol - and port values if they are absent or not matching */ - if (servicetype == LDAP_KDC_SERVICE) { - if (proto_str[0] == '\0') - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_KDC); - - if (port_str[0] == '\0') - snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_KDC); - } else if (servicetype == LDAP_ADMIN_SERVICE) { - if (proto_str[0] == '\0') - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_ADM); - else if (strcmp(proto_str, "1")) { - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_ADM); - - /* Print 
warning message */ - printf ("Admin Server supports only TCP protocol, hence setting that\n"); - } - - if (port_str[0] == '\0') - snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_ADM); - } else if (servicetype == LDAP_PASSWD_SERVICE) { - if (proto_str[0] == '\0') - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_PWD); - else if (strcmp(proto_str, "0")) { - snprintf (proto_str, sizeof(proto_str), "%d", - PROTOCOL_DEFAULT_PWD); - - /* Print warning message */ - printf ("Password Server supports only UDP protocol, hence setting that\n"); - } - - if (port_str[0] == '\0') - sprintf (port_str, "%d", PORT_DEFAULT_PWD); - } - - /* Finally form back the string */ - free (host_list[j]); - host_list[j] = (char*) malloc(sizeof(char) * - (strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1)); - if (host_list[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - snprintf (host_list[j], strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1, - "%s#%s#%s", host_str, proto_str, port_str); + /* Look for one hash */ + if ((pchr = strchr(host_list[j], HOST_INFO_DELIMITER))) { + unsigned int hostname_len = pchr - host_list[j]; + + /* Check input for buffer overflow */ + if (hostname_len >= MAX_LEN_LIST_ENTRY) { + retval = EINVAL; + goto cleanup; + } + + /* First copy off the host name portion */ + strncpy (host_str, host_list[j], hostname_len); + + /* Parse for the protocol string and translate to number */ + strncpy (proto_str, pchr + 1, PROTOCOL_STR_LEN); + if (!strcmp(proto_str, "udp")) + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_NUM_UDP); + else if (!strcmp(proto_str, "tcp")) + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_NUM_TCP); + else + proto_str[0] = '\0'; /* Make the string null if invalid */ + + /* Look for one more hash */ + if ((pchr = strchr(pchr + 1, HOST_INFO_DELIMITER))) { + /* Parse for the port string and check if it is numeric */ + strncpy (port_str, pchr + 1, PORT_STR_LEN); + if 
(!strtol(port_str, NULL, 10)) /* Not a valid number */ + port_str[0] = '\0'; + } else + port_str[0] = '\0'; + } else { /* We have only host name */ + strncpy (host_str, host_list[j], MAX_LEN_LIST_ENTRY - 1); + proto_str[0] = '\0'; + port_str[0] = '\0'; + } + + /* Now, based on service type, fill in suitable protocol + and port values if they are absent or not matching */ + if (servicetype == LDAP_KDC_SERVICE) { + if (proto_str[0] == '\0') + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_DEFAULT_KDC); + + if (port_str[0] == '\0') + snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_KDC); + } else if (servicetype == LDAP_ADMIN_SERVICE) { + if (proto_str[0] == '\0') + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_DEFAULT_ADM); + else if (strcmp(proto_str, "1")) { + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_DEFAULT_ADM); + + /* Print warning message */ + printf ("Admin Server supports only TCP protocol, hence setting that\n"); + } + + if (port_str[0] == '\0') + snprintf (port_str, sizeof(port_str), "%d", PORT_DEFAULT_ADM); + } else if (servicetype == LDAP_PASSWD_SERVICE) { + if (proto_str[0] == '\0') + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_DEFAULT_PWD); + else if (strcmp(proto_str, "0")) { + snprintf (proto_str, sizeof(proto_str), "%d", + PROTOCOL_DEFAULT_PWD); + + /* Print warning message */ + printf ("Password Server supports only UDP protocol, hence setting that\n"); + } + + if (port_str[0] == '\0') + sprintf (port_str, "%d", PORT_DEFAULT_PWD); + } + + /* Finally form back the string */ + free (host_list[j]); + host_list[j] = (char*) malloc(sizeof(char) * + (strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1)); + if (host_list[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + snprintf (host_list[j], strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1, + "%s#%s#%s", host_str, proto_str, port_str); } cleanup: 
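Review bot: The `strncpy` calls in the `#`-parsing branch never NUL-terminate their destinations: `strncpy (host_str, host_list[j], hostname_len)` copies exactly hostname_len bytes from a string that continues past them, so host_str[hostname_len] keeps whatever was there before (a previous, longer entry, unless the buffer is cleared each iteration), and the proto_str/port_str copies bounded by PROTOCOL_STR_LEN/PORT_STR_LEN have the same problem when the input is at least that long; strcmp(), strtol() and the final snprintf() then read the stale tail. Add `host_str[hostname_len] = '\0';` after the first copy (the `hostname_len >= MAX_LEN_LIST_ENTRY` check makes that index in bounds if host_str is MAX_LEN_LIST_ENTRY bytes, which the else branch's `MAX_LEN_LIST_ENTRY - 1` suggests) and terminate proto_str and port_str the same way, or replace the three copies with bounded `snprintf(..., "%.*s", ...)`. The port check `if (!strtol(port_str, NULL, 10))` also accepts text such as `80x` and stores it verbatim in the attribute; the endptr form with `*end == '\0'` and a 1–65535 range check would reject it. The buffers are declared before this hunk, so their sizes cannot be confirmed here, and `sprintf (port_str, "%d", PORT_DEFAULT_PWD)` is the one unbounded write left among otherwise `snprintf` calls and should match them.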
@@ -168,9 +170,7 @@ cleanup: * Kerberos container location. */ static krb5_error_code -convert_realm_name2dn_list(list, krbcontainer_loc) - char **list; - const char *krbcontainer_loc; +convert_realm_name2dn_list(char **list, const char *krbcontainer_loc) { krb5_error_code retval = 0; char temp_str[MAX_DN_CHARS] = "\0"; @@ -178,24 +178,24 @@ convert_realm_name2dn_list(list, krbcontainer_loc) int i = 0; if (list == NULL) { - return EINVAL; + return EINVAL; } for (i = 0; (list[i] != NULL) && (i < MAX_LIST_ENTRIES); i++) { - /* Restrict copying to max. length to avoid buffer overflow */ - snprintf (temp_str, MAX_DN_CHARS, "cn=%s,%s", list[i], krbcontainer_loc); + /* Restrict copying to max. length to avoid buffer overflow */ + snprintf (temp_str, MAX_DN_CHARS, "cn=%s,%s", list[i], krbcontainer_loc); - /* Make copy of string to temporary node */ - temp_node = strdup(temp_str); - if (list[i] == NULL) { - retval = ENOMEM; - goto cleanup; - } + /* Make copy of string to temporary node */ + temp_node = strdup(temp_str); + if (list[i] == NULL) { + retval = ENOMEM; + goto cleanup; + } - /* On success, free list node and attach new one */ - free (list[i]); - list[i] = temp_node; - temp_node = NULL; + /* On success, free list node and attach new one */ + free (list[i]); + list[i] = temp_node; + temp_node = NULL; } cleanup: @@ -207,9 +207,8 @@ cleanup: * This function will create a service object on the LDAP Server, with the * specified attributes. */ -void kdb5_ldap_create_service(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_create_service(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; 
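Review bot: In convert_realm_name2dn_list the allocation check after `temp_node = strdup(temp_str);` tests the wrong variable: `if (list[i] == NULL)` can never be true inside this loop, whose condition already requires list[i] != NULL, so a failed strdup() falls through, frees the old entry and stores NULL into list[i], silently truncating the list in place. Change it to `if (temp_node == NULL) {`. The preceding `snprintf (temp_str, MAX_DN_CHARS, "cn=%s,%s", list[i], krbcontainer_loc)` also truncates silently, turning an over-long realm name into a different but well-formed-looking DN; checking its return value against MAX_DN_CHARS and failing with EINVAL would match what the "avoid buffer overflow" comment promises. The function's signature and its cleanup label are in the neighbouring hunks, not this one.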
@@ -231,15 +230,15 @@ void kdb5_ldap_create_service(argc, argv) /* Check for number of arguments */ if ((argc < 3) || (argc > 10)) { - exit_status++; - goto err_usage; + exit_status++; + goto err_usage; } /* Allocate memory for service parameters structure */ srvparams = (krb5_ldap_service_params*) calloc(1, sizeof(krb5_ldap_service_params)); if (srvparams == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } dal_handle = util_context->dal_handle; @@ -250,8 +249,8 @@ void kdb5_ldap_create_service(argc, argv) of arguments */ extra_argv = (char **) calloc((unsigned int)argc, sizeof(char*)); if (extra_argv == NULL) { - retval = ENOMEM; - goto cleanup; + retval = ENOMEM; + goto cleanup; } /* Set first of the extra arguments as the program name */ 
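Review bot: The upper bound in `if ((argc < 3) || (argc > 10))` is a magic number that the option loop later in kdb5_ldap_create_service does not need, since unrecognised options already take the `goto err_usage` path; if it is meant as a cap on the accepted options it looks one short, because `-kdc`, `-servicehost L`, `-realm R`, `-randpw`, `-f FILE`, `-fileonly` and the DN together with argv[0] make 11 entries. If that combination is legal (the parse loop accepts each of them individually, so this is inferred), drop the upper bound or give the limit a name such as `#define CREATE_SERVICE_MAX_ARGS 11` next to the usage text. The rest of the function, including the parse loop this check guards, is in later hunks.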
@@ -262,128 +261,128 @@ void kdb5_ldap_create_service(argc, argv) * and for assigning rights */ if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)))) { - com_err(me, retval, "while reading Kerberos container information"); - goto cleanup; + &(ldap_context->krbcontainer)))) { + com_err(me, retval, "while reading Kerberos container information"); + goto cleanup; } /* Parse all arguments */ for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-kdc")) { - srvparams->servicetype = LDAP_KDC_SERVICE; - } else if (!strcmp(argv[i], "-admin")) { - srvparams->servicetype = LDAP_ADMIN_SERVICE; - } else if (!strcmp(argv[i], "-pwd")) { - srvparams->servicetype = LDAP_PASSWD_SERVICE; - } else if (!strcmp(argv[i], "-servicehost")) { - if (++i > argc - 1) - goto err_usage; - - srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES, - sizeof(char *)); - if (srvparams->krbhostservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - srvparams->krbhostservers))) { - goto cleanup; - } - - if ((retval = process_host_list (srvparams->krbhostservers, - srvparams->servicetype))) { - goto cleanup; - } - - mask |= LDAP_SERVICE_HOSTSERVER; - } else if (!strcmp(argv[i], "-realm")) { - if (++i > argc - 1) - goto err_usage; - - srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES, - sizeof(char *)); - if (srvparams->krbrealmreferences == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - srvparams->krbrealmreferences))) { - goto cleanup; - } - - /* Convert realm names to realm DNs */ - if ((retval = convert_realm_name2dn_list( - srvparams->krbrealmreferences, - ldap_context->krbcontainer->DN))) { - goto cleanup; - } - - mask |= LDAP_SERVICE_REALMREFERENCE; - } - /* If argument is none of the above and beginning with '-', - * it must be related to password -- collect it - * to pass onto kdb5_ldap_set_service_password() 
- */ - else if (*(argv[i]) == '-') { - /* Checking for options of setting the password for the - * service (by using 'setsrvpw') is not modular. --need to - * have a common function that can be shared with 'setsrvpw' - */ - if (!strcmp(argv[i], "-randpw")) { - extra_argv[extra_argc] = argv[i]; - extra_argc++; - } else if (!strcmp(argv[i], "-fileonly")) { - extra_argv[extra_argc] = argv[i]; - extra_argc++; - } - /* For '-f' option alone, pick up the following argument too */ - else if (!strcmp(argv[i], "-f")) { - extra_argv[extra_argc] = argv[i]; - extra_argc++; - - if (++i > argc - 1) - goto err_usage; - - extra_argv[extra_argc] = argv[i]; - extra_argc++; - } else { /* Any other option is invalid */ - exit_status++; - goto err_usage; - } - } else { /* Any other argument must be service DN */ - /* First check if service DN is already provided -- - * if so, there's a usage error - */ - if (srvparams->servicedn != NULL) { - com_err(me, EINVAL, "while creating service object"); - goto err_usage; - } - - /* If not present already, fill up service DN */ - srvparams->servicedn = strdup(argv[i]); - if (srvparams->servicedn == NULL) { - com_err(me, ENOMEM, "while creating service object"); - goto err_nomsg; - } - } + if (!strcmp(argv[i], "-kdc")) { + srvparams->servicetype = LDAP_KDC_SERVICE; + } else if (!strcmp(argv[i], "-admin")) { + srvparams->servicetype = LDAP_ADMIN_SERVICE; + } else if (!strcmp(argv[i], "-pwd")) { + srvparams->servicetype = LDAP_PASSWD_SERVICE; + } else if (!strcmp(argv[i], "-servicehost")) { + if (++i > argc - 1) + goto err_usage; + + srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES, + sizeof(char *)); + if (srvparams->krbhostservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + srvparams->krbhostservers))) { + goto cleanup; + } + + if ((retval = process_host_list (srvparams->krbhostservers, + srvparams->servicetype))) { + goto cleanup; + } + + mask |= 
LDAP_SERVICE_HOSTSERVER; + } else if (!strcmp(argv[i], "-realm")) { + if (++i > argc - 1) + goto err_usage; + + srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES, + sizeof(char *)); + if (srvparams->krbrealmreferences == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + srvparams->krbrealmreferences))) { + goto cleanup; + } + + /* Convert realm names to realm DNs */ + if ((retval = convert_realm_name2dn_list( + srvparams->krbrealmreferences, + ldap_context->krbcontainer->DN))) { + goto cleanup; + } + + mask |= LDAP_SERVICE_REALMREFERENCE; + } + /* If argument is none of the above and beginning with '-', + * it must be related to password -- collect it + * to pass onto kdb5_ldap_set_service_password() + */ + else if (*(argv[i]) == '-') { + /* Checking for options of setting the password for the + * service (by using 'setsrvpw') is not modular. --need to + * have a common function that can be shared with 'setsrvpw' + */ + if (!strcmp(argv[i], "-randpw")) { + extra_argv[extra_argc] = argv[i]; + extra_argc++; + } else if (!strcmp(argv[i], "-fileonly")) { + extra_argv[extra_argc] = argv[i]; + extra_argc++; + } + /* For '-f' option alone, pick up the following argument too */ + else if (!strcmp(argv[i], "-f")) { + extra_argv[extra_argc] = argv[i]; + extra_argc++; + + if (++i > argc - 1) + goto err_usage; + + extra_argv[extra_argc] = argv[i]; + extra_argc++; + } else { /* Any other option is invalid */ + exit_status++; + goto err_usage; + } + } else { /* Any other argument must be service DN */ + /* First check if service DN is already provided -- + * if so, there's a usage error + */ + if (srvparams->servicedn != NULL) { + com_err(me, EINVAL, "while creating service object"); + goto err_usage; + } + + /* If not present already, fill up service DN */ + srvparams->servicedn = strdup(argv[i]); + if (srvparams->servicedn == NULL) { + com_err(me, ENOMEM, "while creating service object"); + goto 
err_nomsg; + } + } } /* No point in proceeding further if service DN value is not available */ if (srvparams->servicedn == NULL) { - com_err(me, EINVAL, "while creating service object"); - goto err_usage; + com_err(me, EINVAL, "while creating service object"); + goto err_usage; } if (srvparams->servicetype == 0) { /* Not provided and hence not set */ - com_err(me, EINVAL, "while creating service object"); - goto err_usage; + com_err(me, EINVAL, "while creating service object"); + goto err_usage; } /* Create object with all attributes provided */ if ((retval = krb5_ldap_create_service(util_context, srvparams, mask))) - goto cleanup; + goto cleanup; service_obj_created = TRUE; 
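Review bot: The `-servicehost` branch calls `process_host_list (srvparams->krbhostservers, srvparams->servicetype)` while still inside the argument loop, so the protocol and port defaults it fills in depend on whether `-kdc`, `-admin` or `-pwd` appeared earlier on the command line; with `-servicehost` first, servicetype is still 0, none of the default branches match, and the entries are stored as `host##`. Defer that call to just after the `srvparams->servicetype == 0` check below the loop: `if ((mask & LDAP_SERVICE_HOSTSERVER) && (retval = process_host_list(srvparams->krbhostservers, srvparams->servicetype))) goto cleanup;`. Repeating `-servicehost` or `-realm` also overwrites the previously calloc'd list without freeing it; either reject the second occurrence as the duplicate-DN case already does or free the old list first. The loop itself is complete in this hunk, but the variables it fills and the cleanup label are declared outside it.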
@@ -394,66 +393,66 @@ void kdb5_ldap_create_service(argc, argv) /* Set password too */ if (extra_argc >= 1) { - /* Set service DN as the last argument */ - extra_argv[extra_argc] = strdup(srvparams->servicedn); - if (extra_argv[extra_argc] == NULL) { + /* Set service DN as the last argument */ + extra_argv[extra_argc] = strdup(srvparams->servicedn); + if (extra_argv[extra_argc] == NULL) { retval = ENOMEM; goto cleanup; } - extra_argc++; + extra_argc++; - if ((retval = kdb5_ldap_set_service_password(extra_argc, extra_argv)) != 0) { - goto err_nomsg; - } + if ((retval = kdb5_ldap_set_service_password(extra_argc, extra_argv)) != 0) { + goto err_nomsg; + } } /* Rights assignment */ if (mask & LDAP_SERVICE_REALMREFERENCE) { - printf("%s","Changing rights for the service object. Please wait ... "); - fflush(stdout); - - rightsmask =0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - - if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) { - for (i=0; (srvparams->krbrealmreferences[i] != NULL); i++) { - - /* Get the realm name, not the dn */ - temprdns = ldap_explode_dn(srvparams->krbrealmreferences[i], 1); - - if (temprdns[0] == NULL) { - retval = EINVAL; - goto cleanup; - } - - realmName = strdup(temprdns[0]); - if (realmName == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_ldap_read_realm_params(util_context, - realmName, &rparams, &rmask))) { - com_err(me, retval, "while reading information of realm '%s'", - realmName); - goto cleanup; - } - - if ((retval = krb5_ldap_add_service_rights(util_context, - srvparams->servicetype, srvparams->servicedn, - realmName, rparams->subtree, rparams->containerref, rightsmask))) { - printf("failed\n"); - com_err(me, retval, "while assigning rights '%s'", - srvparams->servicedn); - goto cleanup; - } - - if (rparams) - krb5_ldap_free_realm_params(rparams); - } - } - printf("done\n"); + printf("%s","Changing rights for the service object. Please wait ... 
"); + fflush(stdout); + + rightsmask =0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + + if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) { + for (i=0; (srvparams->krbrealmreferences[i] != NULL); i++) { + + /* Get the realm name, not the dn */ + temprdns = ldap_explode_dn(srvparams->krbrealmreferences[i], 1); + + if (temprdns[0] == NULL) { + retval = EINVAL; + goto cleanup; + } + + realmName = strdup(temprdns[0]); + if (realmName == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_ldap_read_realm_params(util_context, + realmName, &rparams, &rmask))) { + com_err(me, retval, "while reading information of realm '%s'", + realmName); + goto cleanup; + } + + if ((retval = krb5_ldap_add_service_rights(util_context, + srvparams->servicetype, srvparams->servicedn, + realmName, rparams->subtree, rparams->containerref, rightsmask))) { + printf("failed\n"); + com_err(me, retval, "while assigning rights '%s'", + srvparams->servicedn); + goto cleanup; + } + + if (rparams) + krb5_ldap_free_realm_params(rparams); + } + } + printf("done\n"); } goto cleanup; 
@@ -466,35 +465,35 @@ err_nomsg: cleanup: if ((retval != 0) && (service_obj_created == TRUE)) { - /* This is for deleting the service object if something goes - * wrong in creating the service object - */ + /* This is for deleting the service object if something goes + * wrong in creating the service object + */ - /* srvparams is populated from the user input and should be correct as - * we were successful in creating a service object. Reusing the same - */ - krb5_ldap_delete_service(util_context, srvparams, srvparams->servicedn); + /* srvparams is populated from the user input and should be correct as + * we were successful in creating a service object. Reusing the same + */ + krb5_ldap_delete_service(util_context, srvparams, srvparams->servicedn); } /* Clean-up structure */ krb5_ldap_free_service (util_context, srvparams); if (extra_argv) { - free (extra_argv); - extra_argv = NULL; + free (extra_argv); + extra_argv = NULL; } if (realmName) { - free(realmName); - realmName = NULL; + free(realmName); + realmName = NULL; } if (print_usage) - db_usage (CREATE_SERVICE); + db_usage (CREATE_SERVICE); if (retval) { - if (!no_msg) - com_err(me, retval, "while creating service object"); + if (!no_msg) + com_err(me, retval, "while creating service object"); - exit_status++; + exit_status++; } return; @@ -505,9 +504,8 @@ cleanup: * This function will modify the attributes of a given service * object on the LDAP Server */ -void kdb5_ldap_modify_service(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_modify_service(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; @@ -534,8 +532,8 @@ void kdb5_ldap_modify_service(argc, argv) /* Check for number of arguments */ if ((argc < 3) || (argc > 10)) { - exit_status++; - goto err_usage; + exit_status++; + goto err_usage; } dal_handle = util_context->dal_handle; 
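Review bot: The rollback `krb5_ldap_delete_service(util_context, srvparams, srvparams->servicedn);` discards its return value, so when undoing a half-created service object fails the operator sees only the original error while the object — by this point possibly with a password already set by kdb5_ldap_set_service_password() — remains in the directory. Capture and report it without clobbering the original error: `krb5_error_code del_ret = krb5_ldap_delete_service(util_context, srvparams, srvparams->servicedn);` followed by `if (del_ret) com_err(me, del_ret, "while removing partially created service object '%s'", srvparams->servicedn);`. If `-f` writes the service password to a file, as its use alongside `-fileonly` suggests, this cleanup does not remove that file either, and a comment saying so would help whoever has to recover by hand. The variables freed here are declared at the top of the function, outside this hunk.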
@@ -543,475 +541,475 @@ void kdb5_ldap_modify_service(argc, argv) /* Parse all arguments, only to pick up service DN (Pass 1) */ for (i = 1; i < argc; i++) { - /* Skip arguments next to 'servicehost' - and 'realmdn' arguments */ - if (!strcmp(argv[i], "-servicehost")) { - ++i; - } else if (!strcmp(argv[i], "-clearservicehost")) { - ++i; - } else if (!strcmp(argv[i], "-addservicehost")) { - ++i; - } else if (!strcmp(argv[i], "-realm")) { - ++i; - } else if (!strcmp(argv[i], "-clearrealm")) { - ++i; - } else if (!strcmp(argv[i], "-addrealm")) { - ++i; - } else { /* Any other argument must be service DN */ - /* First check if service DN is already provided -- - if so, there's a usage error */ - if (servicedn != NULL) { - com_err(me, EINVAL, "while modifying service object"); - goto err_usage; - } - - /* If not present already, fill up service DN */ - servicedn = strdup(argv[i]); - if (servicedn == NULL) { - com_err(me, ENOMEM, "while modifying service object"); - goto err_nomsg; - } - } + /* Skip arguments next to 'servicehost' + and 'realmdn' arguments */ + if (!strcmp(argv[i], "-servicehost")) { + ++i; + } else if (!strcmp(argv[i], "-clearservicehost")) { + ++i; + } else if (!strcmp(argv[i], "-addservicehost")) { + ++i; + } else if (!strcmp(argv[i], "-realm")) { + ++i; + } else if (!strcmp(argv[i], "-clearrealm")) { + ++i; + } else if (!strcmp(argv[i], "-addrealm")) { + ++i; + } else { /* Any other argument must be service DN */ + /* First check if service DN is already provided -- + if so, there's a usage error */ + if (servicedn != NULL) { + com_err(me, EINVAL, "while modifying service object"); + goto err_usage; + } + + /* If not present already, fill up service DN */ + servicedn = strdup(argv[i]); + if (servicedn == NULL) { + com_err(me, ENOMEM, "while modifying service object"); + goto err_nomsg; + } + } } /* No point in proceeding further if service DN value is not available */ if (servicedn == NULL) { - com_err(me, EINVAL, "while modifying service object"); - 
goto err_usage; + com_err(me, EINVAL, "while modifying service object"); + goto err_usage; } retval = krb5_ldap_read_service(util_context, servicedn, &srvparams, &in_mask); if (retval) { - com_err(me, retval, "while reading information of service '%s'", - servicedn); - goto err_nomsg; + com_err(me, retval, "while reading information of service '%s'", + servicedn); + goto err_nomsg; } /* Read Kerberos container info, to construct realm DN from name * and for assigning rights */ if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)))) { - com_err(me, retval, "while reading Kerberos container information"); - goto cleanup; + &(ldap_context->krbcontainer)))) { + com_err(me, retval, "while reading Kerberos container information"); + goto cleanup; } /* Parse all arguments, but skip the service DN (Pass 2) */ for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-servicehost")) { - if (++i > argc - 1) - goto err_usage; - - /* Free the old list if available */ - if (srvparams->krbhostservers) { - krb5_free_list_entries (srvparams->krbhostservers); - free (srvparams->krbhostservers); - } - - srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES, - sizeof(char *)); - if (srvparams->krbhostservers == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - srvparams->krbhostservers))) { - goto cleanup; - } - - if ((retval = process_host_list (srvparams->krbhostservers, - srvparams->servicetype))) { - goto cleanup; - } - - out_mask |= LDAP_SERVICE_HOSTSERVER; - - /* Set flag to ignore 'add' and 'clear' */ - srvhost_flag = 1; - } else if (!strcmp(argv[i], "-clearservicehost")) { - if (++i > argc - 1) - goto err_usage; - - if (!srvhost_flag) { - /* If attribute doesn't exist, don't permit 'clear' option */ - if ((in_mask & LDAP_SERVICE_HOSTSERVER) == 0) { - /* Send out some proper error message here */ - com_err(me, EINVAL, "service host list is empty\n"); - goto err_nomsg; - } - - 
/* Allocate list for processing */ - list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - if ((retval = process_host_list (list, srvparams->servicetype))) { - goto cleanup; - } - - list_modify_str_array(&(srvparams->krbhostservers), - (const char**)list, LIST_MODE_DELETE); - - out_mask |= LDAP_SERVICE_HOSTSERVER; - - /* Clean up */ - free (list); - list = NULL; - } - } else if (!strcmp(argv[i], "-addservicehost")) { - if (++i > argc - 1) - goto err_usage; - - if (!srvhost_flag) { - /* Allocate list for processing */ - list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - if ((retval = process_host_list (list, srvparams->servicetype))) { - goto cleanup; - } - - /* Call list_modify_str_array() only if host server attribute - * exists already --Actually, it's better to handle this - * within list_modify_str_array() - */ - if (in_mask & LDAP_SERVICE_HOSTSERVER) { - /* Re-size existing list */ - existing_entries = list_count_str_array(srvparams->krbhostservers); - new_entries = list_count_str_array(list); - temp_ptr = (char **) realloc(srvparams->krbhostservers, - sizeof(char *) * (existing_entries + new_entries + 1)); - if (temp_ptr == NULL) { - retval = ENOMEM; - goto cleanup; - } - srvparams->krbhostservers = temp_ptr; - - list_modify_str_array(&(srvparams->krbhostservers), - (const char**)list, LIST_MODE_ADD); - - /* Clean up */ - free (list); - list = NULL; - } else - srvparams->krbhostservers = list; - - out_mask |= LDAP_SERVICE_HOSTSERVER; - } - } else if (!strcmp(argv[i], "-realm")) { - if (++i > argc - 1) - goto err_usage; - - if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences)) { - if (!oldrealmrefs) { - /* Store the old realm list for 
removing rights */ - oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldrealmrefs == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { - oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); - if (oldrealmrefs[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldrealmrefs[j] = NULL; - } - - /* Free the old list if available */ - krb5_free_list_entries (srvparams->krbrealmreferences); - free (srvparams->krbrealmreferences); - } - - srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES, - sizeof(char *)); - if (srvparams->krbrealmreferences == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, - srvparams->krbrealmreferences))) { - goto cleanup; - } - - /* Convert realm names to realm DNs */ - if ((retval = convert_realm_name2dn_list( - srvparams->krbrealmreferences, - ldap_context->krbcontainer->DN))) { - goto cleanup; - } - - out_mask |= LDAP_SERVICE_REALMREFERENCE; - - /* Set flag to ignore 'add' and 'clear' */ - realmdn_flag = 1; - } else if (!strcmp(argv[i], "-clearrealm")) { - if (++i > argc - 1) - goto err_usage; - - if (!realmdn_flag) { - /* If attribute doesn't exist, don't permit 'clear' option */ - if (((in_mask & LDAP_SERVICE_REALMREFERENCE) == 0) || (srvparams->krbrealmreferences == NULL)) { - /* Send out some proper error message here */ - goto err_nomsg; - } - - if (!oldrealmrefs) { - /* Store the old realm list for removing rights */ - oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldrealmrefs == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { - oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); - if (oldrealmrefs[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldrealmrefs[j] = NULL; - } - - /* Allocate list for processing */ - list = (char**) calloc(MAX_LIST_ENTRIES, 
sizeof(char*)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - /* Convert realm names to realm DNs */ - if ((retval = convert_realm_name2dn_list(list, - ldap_context->krbcontainer->DN))) { - goto cleanup; - } - - list_modify_str_array(&(srvparams->krbrealmreferences), - (const char**)list, LIST_MODE_DELETE); - - out_mask |= LDAP_SERVICE_REALMREFERENCE; - - /* Clean up */ - free (list); - list = NULL; - } - } else if (!strcmp(argv[i], "-addrealm")) { - if (++i > argc - 1) - goto err_usage; - - if (!realmdn_flag) { - /* Allocate list for processing */ - list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (list == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - /* Convert realm names to realm DNs */ - if ((retval = convert_realm_name2dn_list(list, - ldap_context->krbcontainer->DN))) { - goto cleanup; - } - - if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences) && (!oldrealmrefs)) { - /* Store the old realm list for removing rights */ - oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (oldrealmrefs == NULL) { - retval = ENOMEM; - goto cleanup; - } - - for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { - oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); - if (oldrealmrefs[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - oldrealmrefs[j] = NULL; - } - - /* Call list_modify_str_array() only if realm DN attribute - * exists already -- Actually, it's better to handle this - * within list_modify_str_array() */ - if (in_mask & LDAP_SERVICE_REALMREFERENCE) { - /* Re-size existing list */ - existing_entries = list_count_str_array( - srvparams->krbrealmreferences); - new_entries = list_count_str_array(list); - temp_ptr = (char **) realloc(srvparams->krbrealmreferences, - sizeof(char *) * (existing_entries + 
new_entries + 1)); - if (temp_ptr == NULL) { - retval = ENOMEM; - goto cleanup; - } - srvparams->krbrealmreferences = temp_ptr; - - list_modify_str_array(&(srvparams->krbrealmreferences), - (const char**)list, LIST_MODE_ADD); - - /* Clean up */ - free (list); - list = NULL; - } else - srvparams->krbrealmreferences = list; - - out_mask |= LDAP_SERVICE_REALMREFERENCE; - } - } else { - /* Any other argument must be service DN - -- skip it */ - } + if (!strcmp(argv[i], "-servicehost")) { + if (++i > argc - 1) + goto err_usage; + + /* Free the old list if available */ + if (srvparams->krbhostservers) { + krb5_free_list_entries (srvparams->krbhostservers); + free (srvparams->krbhostservers); + } + + srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES, + sizeof(char *)); + if (srvparams->krbhostservers == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + srvparams->krbhostservers))) { + goto cleanup; + } + + if ((retval = process_host_list (srvparams->krbhostservers, + srvparams->servicetype))) { + goto cleanup; + } + + out_mask |= LDAP_SERVICE_HOSTSERVER; + + /* Set flag to ignore 'add' and 'clear' */ + srvhost_flag = 1; + } else if (!strcmp(argv[i], "-clearservicehost")) { + if (++i > argc - 1) + goto err_usage; + + if (!srvhost_flag) { + /* If attribute doesn't exist, don't permit 'clear' option */ + if ((in_mask & LDAP_SERVICE_HOSTSERVER) == 0) { + /* Send out some proper error message here */ + com_err(me, EINVAL, "service host list is empty\n"); + goto err_nomsg; + } + + /* Allocate list for processing */ + list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (list == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) + goto cleanup; + + if ((retval = process_host_list (list, srvparams->servicetype))) { + goto cleanup; + } + + list_modify_str_array(&(srvparams->krbhostservers), + (const char**)list, LIST_MODE_DELETE); + + 
out_mask |= LDAP_SERVICE_HOSTSERVER; + + /* Clean up */ + free (list); + list = NULL; + } + } else if (!strcmp(argv[i], "-addservicehost")) { + if (++i > argc - 1) + goto err_usage; + + if (!srvhost_flag) { + /* Allocate list for processing */ + list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (list == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) + goto cleanup; + + if ((retval = process_host_list (list, srvparams->servicetype))) { + goto cleanup; + } + + /* Call list_modify_str_array() only if host server attribute + * exists already --Actually, it's better to handle this + * within list_modify_str_array() + */ + if (in_mask & LDAP_SERVICE_HOSTSERVER) { + /* Re-size existing list */ + existing_entries = list_count_str_array(srvparams->krbhostservers); + new_entries = list_count_str_array(list); + temp_ptr = (char **) realloc(srvparams->krbhostservers, + sizeof(char *) * (existing_entries + new_entries + 1)); + if (temp_ptr == NULL) { + retval = ENOMEM; + goto cleanup; + } + srvparams->krbhostservers = temp_ptr; + + list_modify_str_array(&(srvparams->krbhostservers), + (const char**)list, LIST_MODE_ADD); + + /* Clean up */ + free (list); + list = NULL; + } else + srvparams->krbhostservers = list; + + out_mask |= LDAP_SERVICE_HOSTSERVER; + } + } else if (!strcmp(argv[i], "-realm")) { + if (++i > argc - 1) + goto err_usage; + + if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences)) { + if (!oldrealmrefs) { + /* Store the old realm list for removing rights */ + oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldrealmrefs == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { + oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); + if (oldrealmrefs[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldrealmrefs[j] = NULL; + } + + /* Free the old list if available */ + 
krb5_free_list_entries (srvparams->krbrealmreferences); + free (srvparams->krbrealmreferences); + } + + srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES, + sizeof(char *)); + if (srvparams->krbrealmreferences == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, + srvparams->krbrealmreferences))) { + goto cleanup; + } + + /* Convert realm names to realm DNs */ + if ((retval = convert_realm_name2dn_list( + srvparams->krbrealmreferences, + ldap_context->krbcontainer->DN))) { + goto cleanup; + } + + out_mask |= LDAP_SERVICE_REALMREFERENCE; + + /* Set flag to ignore 'add' and 'clear' */ + realmdn_flag = 1; + } else if (!strcmp(argv[i], "-clearrealm")) { + if (++i > argc - 1) + goto err_usage; + + if (!realmdn_flag) { + /* If attribute doesn't exist, don't permit 'clear' option */ + if (((in_mask & LDAP_SERVICE_REALMREFERENCE) == 0) || (srvparams->krbrealmreferences == NULL)) { + /* Send out some proper error message here */ + goto err_nomsg; + } + + if (!oldrealmrefs) { + /* Store the old realm list for removing rights */ + oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldrealmrefs == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { + oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); + if (oldrealmrefs[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldrealmrefs[j] = NULL; + } + + /* Allocate list for processing */ + list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (list == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) + goto cleanup; + + /* Convert realm names to realm DNs */ + if ((retval = convert_realm_name2dn_list(list, + ldap_context->krbcontainer->DN))) { + goto cleanup; + } + + list_modify_str_array(&(srvparams->krbrealmreferences), + (const char**)list, LIST_MODE_DELETE); + + out_mask |= 
LDAP_SERVICE_REALMREFERENCE; + + /* Clean up */ + free (list); + list = NULL; + } + } else if (!strcmp(argv[i], "-addrealm")) { + if (++i > argc - 1) + goto err_usage; + + if (!realmdn_flag) { + /* Allocate list for processing */ + list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (list == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) + goto cleanup; + + /* Convert realm names to realm DNs */ + if ((retval = convert_realm_name2dn_list(list, + ldap_context->krbcontainer->DN))) { + goto cleanup; + } + + if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences) && (!oldrealmrefs)) { + /* Store the old realm list for removing rights */ + oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (oldrealmrefs == NULL) { + retval = ENOMEM; + goto cleanup; + } + + for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { + oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); + if (oldrealmrefs[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + oldrealmrefs[j] = NULL; + } + + /* Call list_modify_str_array() only if realm DN attribute + * exists already -- Actually, it's better to handle this + * within list_modify_str_array() */ + if (in_mask & LDAP_SERVICE_REALMREFERENCE) { + /* Re-size existing list */ + existing_entries = list_count_str_array( + srvparams->krbrealmreferences); + new_entries = list_count_str_array(list); + temp_ptr = (char **) realloc(srvparams->krbrealmreferences, + sizeof(char *) * (existing_entries + new_entries + 1)); + if (temp_ptr == NULL) { + retval = ENOMEM; + goto cleanup; + } + srvparams->krbrealmreferences = temp_ptr; + + list_modify_str_array(&(srvparams->krbrealmreferences), + (const char**)list, LIST_MODE_ADD); + + /* Clean up */ + free (list); + list = NULL; + } else + srvparams->krbrealmreferences = list; + + out_mask |= LDAP_SERVICE_REALMREFERENCE; + } + } else { + /* Any other argument must be service DN + 
-- skip it */ + } } /* Modify attributes of object */ if ((retval = krb5_ldap_modify_service(util_context, srvparams, out_mask))) - goto cleanup; + goto cleanup; /* Service rights modification code */ if (out_mask & LDAP_SERVICE_REALMREFERENCE) { - printf("%s","Changing rights for the service object. Please wait ... "); - fflush(stdout); - - newrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); - if (newrealmrefs == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) { - for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { - newrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); - if (newrealmrefs[j] == NULL) { - retval = ENOMEM; - goto cleanup; - } - } - newrealmrefs[j] = NULL; - } - disjoint_members(oldrealmrefs, newrealmrefs); - - /* Delete the rights for the given service, on each of the realm - * container & subtree in the old realm reference list. - */ - if (oldrealmrefs) { - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - - for (i = 0; (oldrealmrefs[i] != NULL); i++) { - /* Get the realm name, not the dn */ - temprdns = ldap_explode_dn(oldrealmrefs[i], 1); - - if (temprdns[0] == NULL) { - retval = EINVAL; - goto cleanup; - } - - realmName = strdup(temprdns[0]); - if (realmName == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_ldap_read_realm_params(util_context, - realmName, &rparams, &rmask))) { - com_err(me, retval, "while reading information of realm '%s'", - realmName); - goto err_nomsg; - } - - if ((retval = krb5_ldap_delete_service_rights(util_context, - srvparams->servicetype, srvparams->servicedn, - realmName, rparams->subtree, rparams->containerref, rightsmask))) { - printf("failed\n"); - com_err(me, retval, "while assigning rights '%s'", - srvparams->servicedn); - goto err_nomsg; - } - - if (rparams) - krb5_ldap_free_realm_params(rparams); - } - } - - /* Add the rights for the given service, on 
each of the realm - * container & subtree in the new realm reference list. - */ - if (newrealmrefs) { - rightsmask = 0; - rightsmask |= LDAP_REALM_RIGHTS; - rightsmask |= LDAP_SUBTREE_RIGHTS; - - for (i = 0; (newrealmrefs[i] != NULL); i++) { - /* Get the realm name, not the dn */ - temprdns = ldap_explode_dn(newrealmrefs[i], 1); - - if (temprdns[0] == NULL) { - retval = EINVAL; - goto cleanup; - } - - realmName = strdup(temprdns[0]); - if (realmName == NULL) { - retval = ENOMEM; - goto cleanup; - } - - if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)))) { - com_err(me, retval, - "while reading Kerberos container information"); - goto cleanup; - } - - if ((retval = krb5_ldap_read_realm_params(util_context, - realmName, &rparams, &rmask))) { - com_err(me, retval, "while reading information of realm '%s'", - realmName); - goto err_nomsg; - } - - if ((retval = krb5_ldap_add_service_rights(util_context, - srvparams->servicetype, srvparams->servicedn, - realmName, rparams->subtree, rparams->containerref, rightsmask))) { - printf("failed\n"); - com_err(me, retval, "while assigning rights '%s'", - srvparams->servicedn); - goto err_nomsg; - } - - if (rparams) { - krb5_ldap_free_realm_params(rparams); - rparams = NULL; - } - } - printf("done\n"); - } + printf("%s","Changing rights for the service object. Please wait ... 
"); + fflush(stdout); + + newrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); + if (newrealmrefs == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) { + for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) { + newrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]); + if (newrealmrefs[j] == NULL) { + retval = ENOMEM; + goto cleanup; + } + } + newrealmrefs[j] = NULL; + } + disjoint_members(oldrealmrefs, newrealmrefs); + + /* Delete the rights for the given service, on each of the realm + * container & subtree in the old realm reference list. + */ + if (oldrealmrefs) { + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + + for (i = 0; (oldrealmrefs[i] != NULL); i++) { + /* Get the realm name, not the dn */ + temprdns = ldap_explode_dn(oldrealmrefs[i], 1); + + if (temprdns[0] == NULL) { + retval = EINVAL; + goto cleanup; + } + + realmName = strdup(temprdns[0]); + if (realmName == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_ldap_read_realm_params(util_context, + realmName, &rparams, &rmask))) { + com_err(me, retval, "while reading information of realm '%s'", + realmName); + goto err_nomsg; + } + + if ((retval = krb5_ldap_delete_service_rights(util_context, + srvparams->servicetype, srvparams->servicedn, + realmName, rparams->subtree, rparams->containerref, rightsmask))) { + printf("failed\n"); + com_err(me, retval, "while assigning rights '%s'", + srvparams->servicedn); + goto err_nomsg; + } + + if (rparams) + krb5_ldap_free_realm_params(rparams); + } + } + + /* Add the rights for the given service, on each of the realm + * container & subtree in the new realm reference list. 
+ */ + if (newrealmrefs) { + rightsmask = 0; + rightsmask |= LDAP_REALM_RIGHTS; + rightsmask |= LDAP_SUBTREE_RIGHTS; + + for (i = 0; (newrealmrefs[i] != NULL); i++) { + /* Get the realm name, not the dn */ + temprdns = ldap_explode_dn(newrealmrefs[i], 1); + + if (temprdns[0] == NULL) { + retval = EINVAL; + goto cleanup; + } + + realmName = strdup(temprdns[0]); + if (realmName == NULL) { + retval = ENOMEM; + goto cleanup; + } + + if ((retval = krb5_ldap_read_krbcontainer_params(util_context, + &(ldap_context->krbcontainer)))) { + com_err(me, retval, + "while reading Kerberos container information"); + goto cleanup; + } + + if ((retval = krb5_ldap_read_realm_params(util_context, + realmName, &rparams, &rmask))) { + com_err(me, retval, "while reading information of realm '%s'", + realmName); + goto err_nomsg; + } + + if ((retval = krb5_ldap_add_service_rights(util_context, + srvparams->servicetype, srvparams->servicedn, + realmName, rparams->subtree, rparams->containerref, rightsmask))) { + printf("failed\n"); + com_err(me, retval, "while assigning rights '%s'", + srvparams->servicedn); + goto err_nomsg; + } + + if (rparams) { + krb5_ldap_free_realm_params(rparams); + rparams = NULL; + } + } + printf("done\n"); + } } goto cleanup; 
@@ -1026,36 +1024,36 @@ cleanup: krb5_ldap_free_service(util_context, srvparams); if (servicedn) - free(servicedn); + free(servicedn); if (list) { - free(list); - list = NULL; + free(list); + list = NULL; } if (oldrealmrefs) { - for (i = 0; oldrealmrefs[i] != NULL; i++) - free(oldrealmrefs[i]); - free(oldrealmrefs); + for (i = 0; oldrealmrefs[i] != NULL; i++) + free(oldrealmrefs[i]); + free(oldrealmrefs); } if (newrealmrefs) { - for (i = 0; newrealmrefs[i] != NULL; i++) - free(newrealmrefs[i]); - free(newrealmrefs); + for (i = 0; newrealmrefs[i] != NULL; i++) + free(newrealmrefs[i]); + free(newrealmrefs); } if (realmName) { - free(realmName); - realmName = NULL; + free(realmName); + realmName = NULL; } if (print_usage) - db_usage(MODIFY_SERVICE); + db_usage(MODIFY_SERVICE); if (retval) { - if (!no_msg) - com_err(me, retval, "while modifying service object"); - exit_status++; + if (!no_msg) + com_err(me, retval, "while modifying service object"); + exit_status++; } return; @@ -1067,11 +1065,8 @@ cleanup: * from the service password file. */ static krb5_error_code -rem_service_entry_from_file(argc, argv, file_name, service_object) - int argc; - char *argv[]; - char *file_name; - char *service_object; +rem_service_entry_from_file(int argc, char *argv[], char *file_name, + char *service_object) { int st = EINVAL; char *me = progname; 
@@ -1084,31 +1079,31 @@ rem_service_entry_from_file(argc, argv, file_name, service_object) /* Check for permissions on the password file */ if (access(file_name, W_OK) == -1) { - /* If the specified file itself is not there, no need to show error */ - if (errno == ENOENT) { - st=0; - goto cleanup; - } else { - com_err(me, errno, "while deleting entry from file %s", file_name); - goto cleanup; - } + /* If the specified file itself is not there, no need to show error */ + if (errno == ENOENT) { + st=0; + goto cleanup; + } else { + com_err(me, errno, "while deleting entry from file %s", file_name); + goto cleanup; + } } /* Create a temporary file which contains all the entries except the entry for the given service dn */ pfile = fopen(file_name, "r+"); if (pfile == NULL) { - com_err(me, errno, "while deleting entry from file %s", file_name); - goto cleanup; + com_err(me, errno, "while deleting entry from file %s", file_name); + goto cleanup; } set_cloexec_file(pfile); /* Create a new file with the extension .tmp */ tmp_file = (char *)malloc(strlen(file_name) + 4 + 1); if (tmp_file == NULL) { - com_err(me, ENOMEM, "while deleting entry from file"); - fclose(pfile); - goto cleanup; + com_err(me, ENOMEM, "while deleting entry from file"); + fclose(pfile); + goto cleanup; } snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp"); 
@@ -1116,33 +1111,33 @@ rem_service_entry_from_file(argc, argv, file_name, service_object) tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR); umask(omask); if (tmpfd == -1) { - com_err(me, errno, "while deleting entry from file\n"); - fclose(pfile); - goto cleanup; + com_err(me, errno, "while deleting entry from file\n"); + fclose(pfile); + goto cleanup; } /* Copy only those lines which donot have the specified service dn */ while (fgets(line, MAX_LEN, pfile) != NULL) { - if ((strstr(line, service_object) != NULL) && - (line[strlen(service_object)] == '#')) { - continue; - } else { - len = strlen(line); - if (write(tmpfd, line, len) != len) { - com_err(me, errno, "while deleting entry from file\n"); - close(tmpfd); - unlink(tmp_file); - fclose(pfile); - goto cleanup; - } - } + if ((strstr(line, service_object) != NULL) && + (line[strlen(service_object)] == '#')) { + continue; + } else { + len = strlen(line); + if (write(tmpfd, line, len) != len) { + com_err(me, errno, "while deleting entry from file\n"); + close(tmpfd); + unlink(tmp_file); + fclose(pfile); + goto cleanup; + } + } } fclose(pfile); if (unlink(file_name) == 0) { - link(tmp_file, file_name); + link(tmp_file, file_name); } else { - com_err(me, errno, "while deleting entry from file\n"); + com_err(me, errno, "while deleting entry from file\n"); } unlink(tmp_file); @@ -1151,7 +1146,7 @@ rem_service_entry_from_file(argc, argv, file_name, service_object) cleanup: if (tmp_file) - free(tmp_file); + free(tmp_file); return st; } @@ -1162,9 +1157,7 @@ cleanup: * and unlink the references to the Realm objects (if any) */ void -kdb5_ldap_destroy_service(argc, argv) - int argc; - char *argv[]; +kdb5_ldap_destroy_service(int argc, char *argv[]) { int i = 0; char buf[5] = {0}; 
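Review bot: The result of `link(tmp_file, file_name)` after a successful `unlink(file_name)` is never checked, so a failed link leaves the service password file deleted while the function goes on to `unlink(tmp_file)` and, as far as the lines shown go, reports success; replacing the unlink/link pair with `if (rename(tmp_file, file_name) != 0) { com_err(me, errno, "while deleting entry from file\n"); goto cleanup; }` swaps the file atomically and surfaces the error. The entry match `(strstr(line, service_object) != NULL) && (line[strlen(service_object)] == '#')` tests a fixed offset regardless of where strstr found the substring, so `strncmp(line, service_object, strlen(service_object)) == 0 && line[strlen(service_object)] == '#'` states the intended "line starts with this DN" check. `tmpfd` does not appear to be closed on the successful path after the copy loop, though the line between this hunk and the `cleanup:` hunk is not shown. The function's signature is in the previous hunk and its cleanup label in the next.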
@@ -1177,89 +1170,89 @@ kdb5_ldap_destroy_service(argc, argv) krb5_boolean print_usage = FALSE; if ((argc < 2) || (argc > 5)) { - exit_status++; - goto err_usage; + exit_status++; + goto err_usage; } for (i=1; i < argc; i++) { - if (strcmp(argv[i],"-force")==0) { - force++; - } else if (strcmp(argv[i],"-f")==0) { - if (argv[i+1]) { - stashfilename=strdup(argv[i+1]); - if (stashfilename == NULL) { - com_err(progname, ENOMEM, "while destroying service"); - exit_status++; - goto cleanup; - } - i++; - } else { - exit_status++; - goto err_usage; - } - } else { - if ((argv[i]) && (servicedn == NULL)) { - servicedn=strdup(argv[i]); - if (servicedn == NULL) { - com_err(progname, ENOMEM, "while destroying service"); - exit_status++; - goto cleanup; - } - } else { - exit_status++; - goto err_usage; - } - } + if (strcmp(argv[i],"-force")==0) { + force++; + } else if (strcmp(argv[i],"-f")==0) { + if (argv[i+1]) { + stashfilename=strdup(argv[i+1]); + if (stashfilename == NULL) { + com_err(progname, ENOMEM, "while destroying service"); + exit_status++; + goto cleanup; + } + i++; + } else { + exit_status++; + goto err_usage; + } + } else { + if ((argv[i]) && (servicedn == NULL)) { + servicedn=strdup(argv[i]); + if (servicedn == NULL) { + com_err(progname, ENOMEM, "while destroying service"); + exit_status++; + goto cleanup; + } + } else { + exit_status++; + goto err_usage; + } + } } if (!servicedn) { - exit_status++; - goto err_usage; + exit_status++; + goto err_usage; } if (!force) { - printf("This will delete the service object '%s', are you sure?\n", servicedn); - printf("(type 'yes' to confirm)? "); - if (fgets(buf, sizeof(buf), stdin) == NULL) { - exit_status++; - goto cleanup;; - } - if (strcmp(buf, yes)) { - exit_status++; - goto cleanup; - } + printf("This will delete the service object '%s', are you sure?\n", servicedn); + printf("(type 'yes' to confirm)? 
"); + if (fgets(buf, sizeof(buf), stdin) == NULL) { + exit_status++; + goto cleanup;; + } + if (strcmp(buf, yes)) { + exit_status++; + goto cleanup; + } } if ((retval = krb5_ldap_read_service(util_context, servicedn, - &lserparams, &mask))) { - com_err(progname, retval, "while destroying service '%s'",servicedn); - exit_status++; - goto cleanup; + &lserparams, &mask))) { + com_err(progname, retval, "while destroying service '%s'",servicedn); + exit_status++; + goto cleanup; } retval = krb5_ldap_delete_service(util_context, lserparams, servicedn); if (retval) { - com_err(progname, retval, "while destroying service '%s'", servicedn); - exit_status++; - goto cleanup; + com_err(progname, retval, "while destroying service '%s'", servicedn); + exit_status++; + goto cleanup; } if (stashfilename == NULL) { - stashfilename = strdup(DEF_SERVICE_PASSWD_FILE); - if (stashfilename == NULL) { - com_err(progname, ENOMEM, "while destroying service"); - exit_status++; - goto cleanup; - } + stashfilename = strdup(DEF_SERVICE_PASSWD_FILE); + if (stashfilename == NULL) { + com_err(progname, ENOMEM, "while destroying service"); + exit_status++; + goto cleanup; + } } printf("** service object '%s' deleted.\n", servicedn); retval = rem_service_entry_from_file(argc, argv, stashfilename, servicedn); if (retval) - printf("** error removing service object entry '%s' from password file.\n", - servicedn); + printf("** error removing service object entry '%s' from password file.\n", + servicedn); goto cleanup; @@ -1270,19 +1263,19 @@ err_usage: cleanup: if (lserparams) { - krb5_ldap_free_service(util_context, lserparams); + krb5_ldap_free_service(util_context, lserparams); } if (servicedn) { - free(servicedn); + free(servicedn); } if (stashfilename) { - free(stashfilename); + free(stashfilename); } if (print_usage) { - db_usage(DESTROY_SERVICE); + db_usage(DESTROY_SERVICE); } return; 
@@ -1292,9 +1285,8 @@ cleanup: /* * This function will display information about the given service object */ -void kdb5_ldap_view_service(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_view_service(int argc, char *argv[]) { krb5_ldap_service_params *lserparams = NULL; krb5_error_code retval = 0; @@ -1303,21 +1295,21 @@ void kdb5_ldap_view_service(argc, argv) krb5_boolean print_usage = FALSE; if (!(argc == 2)) { - exit_status++; - goto err_usage; + exit_status++; + goto err_usage; } servicedn=strdup(argv[1]); if (servicedn == NULL) { - com_err(progname, ENOMEM, "while viewing service"); - exit_status++; - goto cleanup; + com_err(progname, ENOMEM, "while viewing service"); + exit_status++; + goto cleanup; } if ((retval = krb5_ldap_read_service(util_context, servicedn, &lserparams, &mask))) { - com_err(progname, retval, "while viewing service '%s'",servicedn); - exit_status++; - goto cleanup; + com_err(progname, retval, "while viewing service '%s'",servicedn); + exit_status++; + goto cleanup; } print_service_params(lserparams, mask); @@ -1330,14 +1322,14 @@ err_usage: cleanup: if (lserparams) { - krb5_ldap_free_service(util_context, lserparams); + krb5_ldap_free_service(util_context, lserparams); } if (servicedn) - free(servicedn); + free(servicedn); if (print_usage) { - db_usage(VIEW_SERVICE); + db_usage(VIEW_SERVICE); } return; @@ -1348,9 +1340,8 @@ cleanup: * This function will list the DNs of kerberos services present on * the LDAP Server under a specific sub-tree (entire tree by default) */ -void kdb5_ldap_list_services(argc, argv) - int argc; - char *argv[]; +void +kdb5_ldap_list_services(int argc, char *argv[]) { char *me = progname; krb5_error_code retval = 0; 
@@ -1361,33 +1352,33 @@ void kdb5_ldap_list_services(argc, argv) /* Check for number of arguments */ if ((argc != 1) && (argc != 3)) { - exit_status++; - goto err_usage; + exit_status++; + goto err_usage; } /* Parse base DN argument if present */ if (argc == 3) { - if (strcmp(argv[1], "-basedn")) { - retval = EINVAL; - goto err_usage; - } + if (strcmp(argv[1], "-basedn")) { + retval = EINVAL; + goto err_usage; + } - basedn = strdup(argv[2]); - if (basedn == NULL) { - com_err(me, ENOMEM, "while listing services"); - exit_status++; - goto cleanup; - } + basedn = strdup(argv[2]); + if (basedn == NULL) { + com_err(me, ENOMEM, "while listing services"); + exit_status++; + goto cleanup; + } } retval = krb5_ldap_list_services(util_context, basedn, &list); if ((retval != 0) || (list == NULL)) { - exit_status++; - goto cleanup; + exit_status++; + goto cleanup; } for (plist = list; *plist != NULL; plist++) { - printf("%s\n", *plist); + printf("%s\n", *plist); } goto cleanup; @@ -1397,20 +1388,20 @@ err_usage: cleanup: if (list != NULL) { - krb5_free_list_entries (list); - free (list); + krb5_free_list_entries (list); + free (list); } if (basedn) - free (basedn); + free (basedn); if (print_usage) { - db_usage(LIST_SERVICE); + db_usage(LIST_SERVICE); } if (retval) { - com_err(me, retval, "while listing policy objects"); - exit_status++; + com_err(me, retval, "while listing policy objects"); + exit_status++; } return; @@ -1422,9 +1413,7 @@ cleanup: * to the standard output */ static void -print_service_params(lserparams, mask) - krb5_ldap_service_params *lserparams; - int mask; +print_service_params(krb5_ldap_service_params *lserparams, int mask) { int i=0; 
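Review bot: The failure message in the cleanup block of kdb5_ldap_list_services, `com_err(me, retval, "while listing policy objects");`, names the wrong object type: this function lists service DNs, so an LDAP error or a bad `-basedn` argument (which sets `retval = EINVAL` in the preceding hunk and presumably reaches cleanup via err_usage) is reported as a policy listing failure. Change it to `com_err(me, retval, "while listing service objects");`. The same hunk's `if (basedn) free (basedn);` guard is redundant since free(NULL) is a no-op.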
@@ -1433,27 +1422,27 @@ print_service_params(lserparams, mask) /* Print the service type of the object to be read */ if (lserparams->servicetype == LDAP_KDC_SERVICE) { - printf("%20s%-20s\n","Service type: ","kdc"); + printf("%20s%-20s\n","Service type: ","kdc"); } else if (lserparams->servicetype == LDAP_ADMIN_SERVICE) { - printf("%20s%-20s\n","Service type: ","admin"); + printf("%20s%-20s\n","Service type: ","admin"); } else if (lserparams->servicetype == LDAP_PASSWD_SERVICE) { - printf("%20s%-20s\n","Service type: ","pwd"); + printf("%20s%-20s\n","Service type: ","pwd"); } /* Print the host server values */ printf("%20s\n","Service host list: "); if (mask & LDAP_SERVICE_HOSTSERVER) { - for (i=0; lserparams->krbhostservers[i] != NULL; ++i) { - printf("%20s%-50s\n","",lserparams->krbhostservers[i]); - } + for (i=0; lserparams->krbhostservers[i] != NULL; ++i) { + printf("%20s%-50s\n","",lserparams->krbhostservers[i]); + } } /* Print the realm reference dn values */ printf("%20s\n","Realm DN list: "); if (mask & LDAP_SERVICE_REALMREFERENCE) { - for (i=0; lserparams && lserparams->krbrealmreferences && lserparams->krbrealmreferences[i] != NULL; ++i) { - printf("%20s%-50s\n","",lserparams->krbrealmreferences[i]); - } + for (i=0; lserparams && lserparams->krbrealmreferences && lserparams->krbrealmreferences[i] != NULL; ++i) { + printf("%20s%-50s\n","",lserparams->krbrealmreferences[i]); + } } return; @@ -1470,7 +1459,9 @@ print_service_params(lserparams, mask) * OUTPUT: * RANDOM_PASSWD_LEN length random password */ -static int generate_random_password(krb5_context ctxt, char **randpwd, unsigned int *passlen) +static int +generate_random_password(krb5_context ctxt, char **randpwd, + unsigned int *passlen) { char *random_pwd = NULL; int ret = 0; 
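Review bot: In print_service_params the host loop `for (i=0; lserparams->krbhostservers[i] != NULL; ++i)` dereferences `krbhostservers` without a NULL check, whereas the realm loop below guards with `lserparams && lserparams->krbrealmreferences &&` before indexing; if a service entry can carry LDAP_SERVICE_HOSTSERVER in `mask` with an empty list, the first loop crashes where the second would print nothing. Either apply the same guard, `for (i=0; lserparams->krbhostservers && lserparams->krbhostservers[i] != NULL; ++i)`, or, if the reader guarantees a non-NULL list whenever the bit is set, drop the guard from the realm loop so the two agree. The `lserparams &&` test in the realm loop comes after `lserparams->servicetype` has already been read at the top of the function, so it guards nothing.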
@@ -1484,26 +1475,26 @@ static int generate_random_password(krb5_context ctxt, char **randpwd, unsigned data.length = RANDOM_PASSWD_LEN; random_pwd = (char *)malloc(data.length + 1); if (random_pwd == NULL) { - com_err("setsrvpw", ENOMEM, "while generating random password"); - return ENOMEM; + com_err("setsrvpw", ENOMEM, "while generating random password"); + return ENOMEM; } memset(random_pwd, 0, data.length + 1); data.data = random_pwd; ret = krb5_c_random_make_octets(ctxt, &data); if (ret) { - com_err("setsrvpw", ret, "Error generating random password"); - free(random_pwd); - return ret; + com_err("setsrvpw", ret, "Error generating random password"); + free(random_pwd); + return ret; } for (i=0; i<data.length; i++) { - /* restricting to ascii chars. Need to change this when 8.8 supports */ - if ((unsigned char)random_pwd[i] > 127) { - random_pwd[i] = (unsigned char)random_pwd[i] % 128; - } else if (random_pwd[i] == 0) { - random_pwd[i] = (rand()/(RAND_MAX/127 + 1))+1; - } + /* restricting to ascii chars. Need to change this when 8.8 supports */ + if ((unsigned char)random_pwd[i] > 127) { + random_pwd[i] = (unsigned char)random_pwd[i] % 128; + } else if (random_pwd[i] == 0) { + random_pwd[i] = (rand()/(RAND_MAX/127 + 1))+1; + } } *randpwd = random_pwd; @@ -1526,9 +1517,7 @@ static int generate_random_password(krb5_context ctxt, char **randpwd, unsigned * void */ int -kdb5_ldap_set_service_password(argc, argv) - int argc; - char **argv; +kdb5_ldap_set_service_password(int argc, char **argv) { krb5_ldap_context *lparams = NULL; char *file_name = NULL; 
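Review bot: The post-processing in generate_random_password can still leave a NUL byte in the password: a byte of exactly 128 passes the `> 127` test, becomes `128 % 128 == 0`, and the `else if (random_pwd[i] == 0)` branch is not reached for it, so the caller's later `passwd_len = strlen(passwd)` silently truncates the password at that position. The zero fix-up itself draws from libc `rand()` rather than the CSPRNG that produced the other bytes, and its seeding is not visible here. Both go away by mapping every byte into 1..127 in one step, `random_pwd[i] = ((unsigned char)random_pwd[i] % 127) + 1;`, and dropping the rand() call; if the small modulo bias matters, use rejection sampling against a fresh `krb5_c_random_make_octets` draw instead. The function's signature is in the previous hunk and its remaining lines are outside this one.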
@@ -1555,211 +1544,211 @@ kdb5_ldap_set_service_password(argc, argv) /* The arguments for setsrv password should contain the service object DN * and options to specify whether the password should be updated in file only * or both file and directory. So the possible combination of arguments are: - * setsrvpw servicedn wherein argc is 2 - * setsrvpw -fileonly servicedn wherein argc is 3 - * setsrvpw -randpw servicedn wherein argc is 3 - * setsrvpw -f filename servicedn wherein argc is 4 - * setsrvpw -fileonly -f filename servicedn wherein argc is 5 - * setsrvpw -randpw -f filename servicedn wherein argc is 5 + * setsrvpw servicedn wherein argc is 2 + * setsrvpw -fileonly servicedn wherein argc is 3 + * setsrvpw -randpw servicedn wherein argc is 3 + * setsrvpw -f filename servicedn wherein argc is 4 + * setsrvpw -fileonly -f filename servicedn wherein argc is 5 + * setsrvpw -randpw -f filename servicedn wherein argc is 5 */ if ((argc < 2) || (argc > 5)) { - print_usage = TRUE; - goto cleanup; + print_usage = TRUE; + goto cleanup; } dal_handle = util_context->dal_handle; lparams = (krb5_ldap_context *) dal_handle->db_context; if (lparams == NULL) { - printf("%s: Invalid LDAP handle\n", me); - goto cleanup; + printf("%s: Invalid LDAP handle\n", me); + goto cleanup; } /* Parse the arguments */ for (i = 1; i < argc -1 ; i++) { - if (strcmp(argv[i], "-randpw") == 0) { - random_passwd = 1; - } else if (strcmp(argv[i], "-fileonly") == 0) { - set_dir_pwd = 0; - } else if (strcmp(argv[i], "-f") == 0) { - if (argv[++i] == NULL) { - print_usage = TRUE; - goto cleanup; - } - - file_name = strdup(argv[i]); - if (file_name == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - /* Verify if the file location has the proper file name - * for eg, if the file location is a directory like /home/temp/, - * we reject it. 
- */ - filelen = strlen(file_name); - if ((filelen == 0) || (file_name[filelen-1] == '/')) { - printf("%s: Filename not specified for setting service object password\n", me); - print_usage = TRUE; - goto cleanup; - } - } else { - printf("%s: Invalid option specified for \"setsrvpw\" command\n", me); - print_usage = TRUE; - goto cleanup; - } + if (strcmp(argv[i], "-randpw") == 0) { + random_passwd = 1; + } else if (strcmp(argv[i], "-fileonly") == 0) { + set_dir_pwd = 0; + } else if (strcmp(argv[i], "-f") == 0) { + if (argv[++i] == NULL) { + print_usage = TRUE; + goto cleanup; + } + + file_name = strdup(argv[i]); + if (file_name == NULL) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + /* Verify if the file location has the proper file name + * for eg, if the file location is a directory like /home/temp/, + * we reject it. + */ + filelen = strlen(file_name); + if ((filelen == 0) || (file_name[filelen-1] == '/')) { + printf("%s: Filename not specified for setting service object password\n", me); + print_usage = TRUE; + goto cleanup; + } + } else { + printf("%s: Invalid option specified for \"setsrvpw\" command\n", me); + print_usage = TRUE; + goto cleanup; + } } if (i != argc-1) { - print_usage = TRUE; - goto cleanup; + print_usage = TRUE; + goto cleanup; } service_object = strdup(argv[i]); if (service_object == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; } if (strlen(service_object) == 0) { - printf("%s: Service object not specified for \"setsrvpw\" command\n", me); - print_usage = TRUE; - goto cleanup; + printf("%s: Service object not specified for \"setsrvpw\" command\n", me); + print_usage = TRUE; + goto cleanup; } if (service_object[0] == '-') { - print_usage = TRUE; - goto cleanup; + print_usage = TRUE; + goto cleanup; } if (file_name == NULL) { - file_name = strdup(DEF_SERVICE_PASSWD_FILE); - if 
(file_name == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } + file_name = strdup(DEF_SERVICE_PASSWD_FILE); + if (file_name == NULL) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } } if (set_dir_pwd) { - if (db_inited == FALSE) { - if ((errcode = krb5_ldap_db_init(util_context, lparams))) { - com_err(me, errcode, "while initializing database"); - goto cleanup; - } - db_init_local = TRUE; - } + if (db_inited == FALSE) { + if ((errcode = krb5_ldap_db_init(util_context, lparams))) { + com_err(me, errcode, "while initializing database"); + goto cleanup; + } + db_init_local = TRUE; + } } if (random_passwd) { - if (!set_dir_pwd) { - printf("%s: Invalid option specified for \"setsrvpw\" command\n", me); - print_usage = TRUE; - goto cleanup; - } else { - /* Generate random password */ - - if ((errcode = generate_random_password(util_context, &passwd, &passwd_len))) { - printf("%s: Failed to set service object password\n", me); - goto cleanup; - } - passwd_len = strlen(passwd); - } + if (!set_dir_pwd) { + printf("%s: Invalid option specified for \"setsrvpw\" command\n", me); + print_usage = TRUE; + goto cleanup; + } else { + /* Generate random password */ + + if ((errcode = generate_random_password(util_context, &passwd, &passwd_len))) { + printf("%s: Failed to set service object password\n", me); + goto cleanup; + } + passwd_len = strlen(passwd); + } } else { - /* Get the service object password from the terminal */ - passwd = (char *)malloc(MAX_SERVICE_PASSWD_LEN + 1); - if (passwd == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - memset(passwd, 0, MAX_SERVICE_PASSWD_LEN + 1); - passwd_len = MAX_SERVICE_PASSWD_LEN; - - if (asprintf(&prompt1, "Password for \"%s\"", service_object) < 0) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - - if (asprintf(&prompt2, "Re-enter password for \"%s\"", - service_object) 
< 0) { - com_err(me, ENOMEM, "while setting service object password"); - free(prompt1); - goto cleanup; - } - - retval = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len); - free(prompt1); - free(prompt2); - if (retval) { - com_err(me, retval, "while setting service object password"); - memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); - goto cleanup; - } - if (passwd_len == 0) { - printf("%s: Invalid password\n", me); - memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); - goto cleanup; - } - passwd_len = strlen(passwd); + /* Get the service object password from the terminal */ + passwd = (char *)malloc(MAX_SERVICE_PASSWD_LEN + 1); + if (passwd == NULL) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + memset(passwd, 0, MAX_SERVICE_PASSWD_LEN + 1); + passwd_len = MAX_SERVICE_PASSWD_LEN; + + if (asprintf(&prompt1, "Password for \"%s\"", service_object) < 0) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + + if (asprintf(&prompt2, "Re-enter password for \"%s\"", + service_object) < 0) { + com_err(me, ENOMEM, "while setting service object password"); + free(prompt1); + goto cleanup; + } + + retval = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len); + free(prompt1); + free(prompt2); + if (retval) { + com_err(me, retval, "while setting service object password"); + memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); + goto cleanup; + } + if (passwd_len == 0) { + printf("%s: Invalid password\n", me); + memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); + goto cleanup; + } + passwd_len = strlen(passwd); } /* Hex the password */ { - krb5_data pwd, hex; - pwd.length = passwd_len; - pwd.data = passwd; - - errcode = tohex(pwd, &hex); - if (errcode != 0) { - if (hex.length != 0) { - memset(hex.data, 0, hex.length); - free(hex.data); - } - com_err(me, errcode, "Failed to convert the password to hex"); - memset(passwd, 0, passwd_len); - goto cleanup; - } - /* Password = {HEX}<encrypted 
password>:<encrypted key> */ - if (asprintf(&str, "%s#{HEX}%s\n", service_object, hex.data) < 0) { - com_err(me, ENOMEM, "while setting service object password"); - memset(passwd, 0, passwd_len); - memset(hex.data, 0, hex.length); - free(hex.data); - goto cleanup; - } - encrypted_passwd.value = (unsigned char *)str; - encrypted_passwd.len = strlen(str); - memset(hex.data, 0, hex.length); - free(hex.data); + krb5_data pwd, hex; + pwd.length = passwd_len; + pwd.data = passwd; + + errcode = tohex(pwd, &hex); + if (errcode != 0) { + if (hex.length != 0) { + memset(hex.data, 0, hex.length); + free(hex.data); + } + com_err(me, errcode, "Failed to convert the password to hex"); + memset(passwd, 0, passwd_len); + goto cleanup; + } + /* Password = {HEX}<encrypted password>:<encrypted key> */ + if (asprintf(&str, "%s#{HEX}%s\n", service_object, hex.data) < 0) { + com_err(me, ENOMEM, "while setting service object password"); + memset(passwd, 0, passwd_len); + memset(hex.data, 0, hex.length); + free(hex.data); + goto cleanup; + } + encrypted_passwd.value = (unsigned char *)str; + encrypted_passwd.len = strlen(str); + memset(hex.data, 0, hex.length); + free(hex.data); } /* We should check if the file exists and we have permission to write into that file */ if (access(file_name, W_OK) == -1) { - if (errno == ENOENT) { - mode_t omask; - int fd = -1; - - printf("File does not exist. Creating the file %s...\n", file_name); - omask = umask(077); - fd = creat(file_name, S_IRUSR|S_IWUSR); - umask(omask); - if (fd == -1) { - com_err(me, errno, "Error creating file %s", file_name); - memset(passwd, 0, passwd_len); - goto cleanup; - } - close(fd); - } else { - com_err(me, errno, "Unable to access the file %s", file_name); - memset(passwd, 0, passwd_len); - goto cleanup; - } + if (errno == ENOENT) { + mode_t omask; + int fd = -1; + + printf("File does not exist. 
Creating the file %s...\n", file_name); + omask = umask(077); + fd = creat(file_name, S_IRUSR|S_IWUSR); + umask(omask); + if (fd == -1) { + com_err(me, errno, "Error creating file %s", file_name); + memset(passwd, 0, passwd_len); + goto cleanup; + } + close(fd); + } else { + com_err(me, errno, "Unable to access the file %s", file_name); + memset(passwd, 0, passwd_len); + goto cleanup; + } } if (set_dir_pwd) { - if ((errcode = krb5_ldap_set_service_passwd(util_context, service_object, passwd)) != 0) { - com_err(me, errcode, "Failed to set password for service object %s", service_object); - memset(passwd, 0, passwd_len); - goto cleanup; - } + if ((errcode = krb5_ldap_set_service_passwd(util_context, service_object, passwd)) != 0) { + com_err(me, errcode, "Failed to set password for service object %s", service_object); + memset(passwd, 0, passwd_len); + goto cleanup; + } } memset(passwd, 0, passwd_len); 
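Review bot: The comment `/* Password = {HEX}<encrypted password>:<encrypted key> */` misdescribes what is stored: `asprintf(&str, "%s#{HEX}%s\n", service_object, hex.data)` writes the hex encoding of the cleartext password returned by `tohex`, not an encrypted value, so the 0600 mode applied at `creat(file_name, S_IRUSR|S_IWUSR)` is the only protection for it; suggest `/* Entry = <service dn>#{HEX}<hex of the cleartext password>; the file mode is what protects it */`. The `memset(passwd, 0, ...)` scrubs before each `goto cleanup` are plain memset on a buffer about to be freed and may be elided by the optimizer; krb5's `zap()` helper (or another non-elidable zeroing call) is the right tool, and `str`, which holds the same secret in hex form, is not scrubbed anywhere in this hunk. The `access(file_name, W_OK)` probe followed by `creat` is a check-then-act sequence; creating with `open(file_name, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR)` and using that descriptor removes the window. The function continues in the next hunk (the file write and cleanup), so a scrub of `str` may live there.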
@@ -1769,123 +1758,123 @@ kdb5_ldap_set_service_password(argc, argv) /* set password in the file */ pfile = fopen(file_name, "r+"); if (pfile == NULL) { - com_err(me, errno, "Failed to open file %s", file_name); - goto cleanup; + com_err(me, errno, "Failed to open file %s", file_name); + goto cleanup; } set_cloexec_file(pfile); while (fgets(line, MAX_LEN, pfile) != NULL) { - if ((str = strstr(line, service_object)) != NULL) { - if (line[strlen(service_object)] == '#') { - break; - } - str = NULL; - } + if ((str = strstr(line, service_object)) != NULL) { + if (line[strlen(service_object)] == '#') { + break; + } + str = NULL; + } } if (str == NULL) { - if (feof(pfile)) { - /* If the service object dn is not present in the service password file */ - if (fwrite(encrypted_passwd.value, (unsigned int)encrypted_passwd.len, 1, pfile) != 1) { - com_err(me, errno, "Failed to write service object password to file"); - goto cleanup; - } - } else { - com_err(me, errno, "Error reading service object password file"); - goto cleanup; - } - fclose(pfile); - pfile = NULL; + if (feof(pfile)) { + /* If the service object dn is not present in the service password file */ + if (fwrite(encrypted_passwd.value, (unsigned int)encrypted_passwd.len, 1, pfile) != 1) { + com_err(me, errno, "Failed to write service object password to file"); + goto cleanup; + } + } else { + com_err(me, errno, "Error reading service object password file"); + goto cleanup; + } + fclose(pfile); + pfile = NULL; } else { - /* Password entry for the service object is already present in the file */ - /* Delete the existing entry and add the new entry */ - FILE *newfile = NULL; - mode_t omask; - - /* Create a new file with the extension .tmp */ - if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - - omask = umask(077); - newfile = fopen(tmp_file, "w+"); - umask(omask); - if (newfile == NULL) { - com_err(me, errno, "Error creating file 
%s", tmp_file); - goto cleanup; - } - set_cloexec_file(newfile); - - fseek(pfile, 0, SEEK_SET); - while (fgets(line, MAX_LEN, pfile) != NULL) { - if (((str = strstr(line, service_object)) != NULL) && (line[strlen(service_object)] == '#')) { - if (fprintf(newfile, "%s", encrypted_passwd.value) < 0) { - com_err(me, errno, "Failed to write service object password to file"); - fclose(newfile); - unlink(tmp_file); - goto cleanup; - } - } else { - if (fprintf(newfile, "%s", line) < 0) { - com_err(me, errno, "Failed to write service object password to file"); - fclose(newfile); - unlink(tmp_file); - goto cleanup; - } - } - } - - if (!feof(pfile)) { - com_err(me, errno, "Error reading service object password file"); - fclose(newfile); - unlink(tmp_file); - goto cleanup; - } - - /* TODO: file lock for the service password file */ - fclose(pfile); - pfile = NULL; - - fclose(newfile); - newfile = NULL; - - if (unlink(file_name) == 0) { - link(tmp_file, file_name); - } else { - com_err(me, errno, "Failed to write service object password to file"); - unlink(tmp_file); - goto cleanup; - } - unlink(tmp_file); + /* Password entry for the service object is already present in the file */ + /* Delete the existing entry and add the new entry */ + FILE *newfile = NULL; + mode_t omask; + + /* Create a new file with the extension .tmp */ + if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + + omask = umask(077); + newfile = fopen(tmp_file, "w+"); + umask(omask); + if (newfile == NULL) { + com_err(me, errno, "Error creating file %s", tmp_file); + goto cleanup; + } + set_cloexec_file(newfile); + + fseek(pfile, 0, SEEK_SET); + while (fgets(line, MAX_LEN, pfile) != NULL) { + if (((str = strstr(line, service_object)) != NULL) && (line[strlen(service_object)] == '#')) { + if (fprintf(newfile, "%s", encrypted_passwd.value) < 0) { + com_err(me, errno, "Failed to write service object password to file"); + 
fclose(newfile); + unlink(tmp_file); + goto cleanup; + } + } else { + if (fprintf(newfile, "%s", line) < 0) { + com_err(me, errno, "Failed to write service object password to file"); + fclose(newfile); + unlink(tmp_file); + goto cleanup; + } + } + } + + if (!feof(pfile)) { + com_err(me, errno, "Error reading service object password file"); + fclose(newfile); + unlink(tmp_file); + goto cleanup; + } + + /* TODO: file lock for the service password file */ + fclose(pfile); + pfile = NULL; + + fclose(newfile); + newfile = NULL; + + if (unlink(file_name) == 0) { + link(tmp_file, file_name); + } else { + com_err(me, errno, "Failed to write service object password to file"); + unlink(tmp_file); + goto cleanup; + } + unlink(tmp_file); } errcode = 0; cleanup: if (db_init_local) - krb5_ldap_close(util_context); + krb5_ldap_close(util_context); if (service_object) - free(service_object); + free(service_object); if (file_name) - free(file_name); + free(file_name); if (passwd) - free(passwd); + free(passwd); if (encrypted_passwd.value) { - memset(encrypted_passwd.value, 0, encrypted_passwd.len); - free(encrypted_passwd.value); + memset(encrypted_passwd.value, 0, encrypted_passwd.len); + free(encrypted_passwd.value); } if (pfile) - fclose(pfile); + fclose(pfile); if (tmp_file) - free(tmp_file); + free(tmp_file); if (print_usage) - db_usage(SET_SRV_PW); + db_usage(SET_SRV_PW); return errcode; } @@ -1897,9 +1886,7 @@ cleanup: * little more secure than storing plain password in the file ... */ void -kdb5_ldap_stash_service_password(argc, argv) - int argc; - char **argv; +kdb5_ldap_stash_service_password(int argc, char **argv) { int ret = 0; unsigned int passwd_len = 0; 
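Review bot: The replace path in kdb5_ldap_set_service_password still swaps the stash file with `unlink(file_name)` followed by an unchecked `link(tmp_file, file_name)` and an unconditional `unlink(tmp_file)`, so if `link` fails both the old file and the new copy are gone; kdb5_ldap_stash_service_password in the `@@ -2034` hunk already does this with a checked `rename`, and the same three lines here should become `if (rename(tmp_file, file_name) != 0) { com_err(me, errno, "Failed to write service object password to file"); unlink(tmp_file); goto cleanup; }`. The `fclose(newfile)` return value just before the swap is also unchecked, so a write that only fails at flush time (e.g. ENOSPC) would be installed as a truncated password file. Separately, `strstr(line, service_object)` combined with `line[strlen(service_object)] == '#'` only expresses "entry starts with this DN" when the match is at offset 0; as written it can accept a line for a different entry whenever the DN occurs anywhere in it and a `#` happens to sit at that offset, and `strncmp(line, service_object, strlen(service_object)) == 0 && line[strlen(service_object)] == '#'` states the intent directly. The same lookup pattern appears in both loops of the `@@ -2034` hunk. The function's start is outside this hunk.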
@@ -1922,109 +1909,109 @@ kdb5_ldap_stash_service_password(argc, argv) * 'filename' is the path of the stash file */ if (argc != 2 && argc != 4) { - print_usage = TRUE; - goto cleanup; + print_usage = TRUE; + goto cleanup; } if (argc == 4) { - /* Find the stash file name */ - if (strcmp (argv[1], "-f") == 0) { - if (((file_name = strdup (argv[2])) == NULL) || - ((service_object = strdup (argv[3])) == NULL)) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - } else if (strcmp (argv[2], "-f") == 0) { - if (((file_name = strdup (argv[3])) == NULL) || - ((service_object = strdup (argv[1])) == NULL)) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - } else { - print_usage = TRUE; - goto cleanup; - } - if (file_name == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } + /* Find the stash file name */ + if (strcmp (argv[1], "-f") == 0) { + if (((file_name = strdup (argv[2])) == NULL) || + ((service_object = strdup (argv[3])) == NULL)) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + } else if (strcmp (argv[2], "-f") == 0) { + if (((file_name = strdup (argv[3])) == NULL) || + ((service_object = strdup (argv[1])) == NULL)) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + } else { + print_usage = TRUE; + goto cleanup; + } + if (file_name == NULL) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } } else { /* argc == 2 */ - char *section; - - service_object = strdup (argv[1]); - if (service_object == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - - /* Pick up the stash-file name from krb5.conf */ - profile_get_string(util_context->profile, KDB_REALM_SECTION, - util_context->default_realm, KDB_MODULE_POINTER, NULL, §ion); - - if (section == NULL) { - profile_get_string(util_context->profile, 
KDB_MODULE_DEF_SECTION, - KDB_MODULE_POINTER, NULL, NULL, §ion); - if (section == NULL) { - /* Stash file path neither in krb5.conf nor on command line */ - file_name = strdup(DEF_SERVICE_PASSWD_FILE); - if (file_name == NULL) { - com_err(me, ENOMEM, "while setting service object password"); - goto cleanup; - } - goto done; - } - } - - profile_get_string (util_context->profile, KDB_MODULE_SECTION, section, - "ldap_service_password_file", NULL, &file_name); + char *section; + + service_object = strdup (argv[1]); + if (service_object == NULL) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + + /* Pick up the stash-file name from krb5.conf */ + profile_get_string(util_context->profile, KDB_REALM_SECTION, + util_context->default_realm, KDB_MODULE_POINTER, NULL, §ion); + + if (section == NULL) { + profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION, + KDB_MODULE_POINTER, NULL, NULL, §ion); + if (section == NULL) { + /* Stash file path neither in krb5.conf nor on command line */ + file_name = strdup(DEF_SERVICE_PASSWD_FILE); + if (file_name == NULL) { + com_err(me, ENOMEM, "while setting service object password"); + goto cleanup; + } + goto done; + } + } + + profile_get_string (util_context->profile, KDB_MODULE_SECTION, section, + "ldap_service_password_file", NULL, &file_name); } done: /* Get password from user */ { - char prompt1[256], prompt2[256]; - - /* Get the service object password from the terminal */ - memset(passwd, 0, sizeof (passwd)); - passwd_len = sizeof (passwd); - - /* size of prompt = strlen of servicedn + strlen("Password for \" \"") */ - assert (sizeof (prompt1) > (strlen (service_object) - + sizeof ("Password for \" \""))); - snprintf(prompt1, sizeof(prompt1), "Password for \"%s\"", service_object); - - /* size of prompt = strlen of servicedn + strlen("Re-enter Password for \" \"") */ - assert (sizeof (prompt2) > (strlen (service_object) - + sizeof ("Re-enter Password for \" \""))); - 
snprintf(prompt2, sizeof(prompt2), "Re-enter password for \"%s\"", service_object); - - ret = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len); - if (ret != 0) { - com_err(me, ret, "while setting service object password"); - memset(passwd, 0, sizeof (passwd)); - goto cleanup; - } + char prompt1[256], prompt2[256]; + + /* Get the service object password from the terminal */ + memset(passwd, 0, sizeof (passwd)); + passwd_len = sizeof (passwd); + + /* size of prompt = strlen of servicedn + strlen("Password for \" \"") */ + assert (sizeof (prompt1) > (strlen (service_object) + + sizeof ("Password for \" \""))); + snprintf(prompt1, sizeof(prompt1), "Password for \"%s\"", service_object); + + /* size of prompt = strlen of servicedn + strlen("Re-enter Password for \" \"") */ + assert (sizeof (prompt2) > (strlen (service_object) + + sizeof ("Re-enter Password for \" \""))); + snprintf(prompt2, sizeof(prompt2), "Re-enter password for \"%s\"", service_object); + + ret = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len); + if (ret != 0) { + com_err(me, ret, "while setting service object password"); + memset(passwd, 0, sizeof (passwd)); + goto cleanup; + } - if (passwd_len == 0) { - printf("%s: Invalid password\n", me); - memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); - goto cleanup; - } + if (passwd_len == 0) { + printf("%s: Invalid password\n", me); + memset(passwd, 0, MAX_SERVICE_PASSWD_LEN); + goto cleanup; + } } /* Convert the password to hexadecimal */ { - krb5_data pwd; + krb5_data pwd; - pwd.length = passwd_len; - pwd.data = passwd; + pwd.length = passwd_len; + pwd.data = passwd; - ret = tohex(pwd, &hexpasswd); - if (ret != 0) { - com_err(me, ret, "Failed to convert the password to hexadecimal"); - memset(passwd, 0, passwd_len); - goto cleanup; - } + ret = tohex(pwd, &hexpasswd); + if (ret != 0) { + com_err(me, ret, "Failed to convert the password to hexadecimal"); + memset(passwd, 0, passwd_len); + goto cleanup; + } } 
memset(passwd, 0, passwd_len); 
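Review bot: In the argc == 2 branch of kdb5_ldap_stash_service_password, `file_name` can still be NULL after `profile_get_string(..., "ldap_service_password_file", NULL, &file_name)` when the key is absent, and unlike the argc == 4 branch there is no NULL check before `done:`, so the `fopen(file_name, "a+")` that follows in the next hunk would be called with NULL; a `if (file_name == NULL) { com_err(me, EINVAL, "while setting service object password"); goto cleanup; }` after that lookup closes the gap. The return codes of the three `profile_get_string` calls are ignored and `section` is declared without an initializer, so on a lookup error `if (section == NULL)` may read an uninitialized pointer; declare it as `char *section = NULL;`, and it appears never to be freed in this hunk. The two `assert`s that bound `strlen(service_object)` are input validation compiled out under NDEBUG, while with asserts enabled a long DN aborts the tool even though `snprintf` already truncates safely; an explicit length check or simply dropping them would be clearer. The function's start and its cleanup label are outside this hunk.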
@@ -2034,129 +2021,129 @@ done: old_mode = umask(0177); pfile = fopen(file_name, "a+"); if (pfile == NULL) { - com_err(me, errno, "Failed to open file %s: %s", file_name, - strerror (errno)); - goto cleanup; + com_err(me, errno, "Failed to open file %s: %s", file_name, + strerror (errno)); + goto cleanup; } set_cloexec_file(pfile); rewind (pfile); umask(old_mode); while (fgets (line, MAX_LEN, pfile) != NULL) { - if ((str = strstr (line, service_object)) != NULL) { - /* White spaces not allowed */ - if (line [strlen (service_object)] == '#') - break; - str = NULL; - } + if ((str = strstr (line, service_object)) != NULL) { + /* White spaces not allowed */ + if (line [strlen (service_object)] == '#') + break; + str = NULL; + } } if (str == NULL) { - if (feof(pfile)) { - /* If the service object dn is not present in the service password file */ - if (fprintf(pfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) { - com_err(me, errno, "Failed to write service object password to file"); - fclose(pfile); - goto cleanup; - } - } else { - com_err(me, errno, "Error reading service object password file"); - fclose(pfile); - goto cleanup; - } - fclose(pfile); + if (feof(pfile)) { + /* If the service object dn is not present in the service password file */ + if (fprintf(pfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) { + com_err(me, errno, "Failed to write service object password to file"); + fclose(pfile); + goto cleanup; + } + } else { + com_err(me, errno, "Error reading service object password file"); + fclose(pfile); + goto cleanup; + } + fclose(pfile); } else { - /* - * Password entry for the service object is already present in the file - * Delete the existing entry and add the new entry - */ - FILE *newfile; - - mode_t omask; - - /* Create a new file with the extension .tmp */ - if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) { - com_err(me, ENOMEM, "while setting service object password"); - fclose(pfile); - goto cleanup; - } - - omask = umask(077); - 
newfile = fopen(tmp_file, "w"); - umask (omask); - if (newfile == NULL) { - com_err(me, errno, "Error creating file %s", tmp_file); - fclose(pfile); - goto cleanup; - } - set_cloexec_file(newfile); - - fseek(pfile, 0, SEEK_SET); - while (fgets(line, MAX_LEN, pfile) != NULL) { - if (((str = strstr(line, service_object)) != NULL) && - (line[strlen(service_object)] == '#')) { - if (fprintf(newfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) { - com_err(me, errno, "Failed to write service object password to file"); - fclose(newfile); - unlink(tmp_file); - fclose(pfile); - goto cleanup; - } - } else { - if (fprintf (newfile, "%s", line) < 0) { - com_err(me, errno, "Failed to write service object password to file"); - fclose(newfile); - unlink(tmp_file); - fclose(pfile); - goto cleanup; - } - } - } - - if (!feof(pfile)) { - com_err(me, errno, "Error reading service object password file"); - fclose(newfile); - unlink(tmp_file); - fclose(pfile); - goto cleanup; - } - - /* TODO: file lock for the service passowrd file */ - - fclose(pfile); - fclose(newfile); - - ret = rename(tmp_file, file_name); - if (ret != 0) { - com_err(me, errno, "Failed to write service object password to " - "file"); - goto cleanup; - } + /* + * Password entry for the service object is already present in the file + * Delete the existing entry and add the new entry + */ + FILE *newfile; + + mode_t omask; + + /* Create a new file with the extension .tmp */ + if (asprintf(&tmp_file,"%s.tmp",file_name) < 0) { + com_err(me, ENOMEM, "while setting service object password"); + fclose(pfile); + goto cleanup; + } + + omask = umask(077); + newfile = fopen(tmp_file, "w"); + umask (omask); + if (newfile == NULL) { + com_err(me, errno, "Error creating file %s", tmp_file); + fclose(pfile); + goto cleanup; + } + set_cloexec_file(newfile); + + fseek(pfile, 0, SEEK_SET); + while (fgets(line, MAX_LEN, pfile) != NULL) { + if (((str = strstr(line, service_object)) != NULL) && + (line[strlen(service_object)] == 
'#')) { + if (fprintf(newfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) { + com_err(me, errno, "Failed to write service object password to file"); + fclose(newfile); + unlink(tmp_file); + fclose(pfile); + goto cleanup; + } + } else { + if (fprintf (newfile, "%s", line) < 0) { + com_err(me, errno, "Failed to write service object password to file"); + fclose(newfile); + unlink(tmp_file); + fclose(pfile); + goto cleanup; + } + } + } + + if (!feof(pfile)) { + com_err(me, errno, "Error reading service object password file"); + fclose(newfile); + unlink(tmp_file); + fclose(pfile); + goto cleanup; + } + + /* TODO: file lock for the service passowrd file */ + + fclose(pfile); + fclose(newfile); + + ret = rename(tmp_file, file_name); + if (ret != 0) { + com_err(me, errno, "Failed to write service object password to " + "file"); + goto cleanup; + } } ret = 0; cleanup: if (hexpasswd.length != 0) { - memset(hexpasswd.data, 0, hexpasswd.length); - free(hexpasswd.data); + memset(hexpasswd.data, 0, hexpasswd.length); + free(hexpasswd.data); } if (service_object) - free(service_object); + free(service_object); if (file_name) - free(file_name); + free(file_name); if (tmp_file) - free(tmp_file); + free(tmp_file); if (print_usage) - usage(); -/* db_usage(STASH_SRV_PW); */ + usage(); +/* db_usage(STASH_SRV_PW); */ if (ret) - exit_status++; + exit_status++; } #endif /* #ifdef HAVE_EDIRECTORY */ diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h index 0322558cc..a2816d864 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * kadmin/ldap_util/kdb5_services.h */ 
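Review bot: Both exit paths of the file update in kdb5_ldap_stash_service_password ignore the result of `fclose`: on the append path `fclose(pfile)` after the `fprintf` of the new entry, and on the replace path `fclose(newfile)` immediately before `rename(tmp_file, file_name)`, so a write that fails at flush time is reported as success or installed as a truncated stash file. Checking the close that completes the write, e.g. `if (fclose(newfile) != 0) { com_err(me, errno, "Failed to write service object password to file"); unlink(tmp_file); goto cleanup; }`, closes that gap, and the same applies to `fclose(pfile)` on the append path. The `fseek(pfile, 0, SEEK_SET)` return value is likewise unchecked before the second read loop. The comment `/* TODO: file lock for the service passowrd file */` has a typo ("password"). The function's start is outside this hunk.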
@@ -31,22 +32,22 @@
 #include "ldap_misc.h"
-#define MAX_DN_CHARS 256
-#define HOST_INFO_DELIMITER '#'
-#define PROTOCOL_STR_LEN 3
-#define PROTOCOL_NUM_UDP 0
-#define PROTOCOL_NUM_TCP 1
-#define PROTOCOL_DEFAULT_KDC PROTOCOL_NUM_UDP
-#define PROTOCOL_DEFAULT_ADM PROTOCOL_NUM_TCP
-#define PROTOCOL_DEFAULT_PWD PROTOCOL_NUM_UDP
-#define PORT_STR_LEN 5
-#define PORT_DEFAULT_KDC 88
-#define PORT_DEFAULT_ADM 749
-#define PORT_DEFAULT_PWD 464
+#define MAX_DN_CHARS 256
+#define HOST_INFO_DELIMITER '#'
+#define PROTOCOL_STR_LEN 3
+#define PROTOCOL_NUM_UDP 0
+#define PROTOCOL_NUM_TCP 1
+#define PROTOCOL_DEFAULT_KDC PROTOCOL_NUM_UDP
+#define PROTOCOL_DEFAULT_ADM PROTOCOL_NUM_TCP
+#define PROTOCOL_DEFAULT_PWD PROTOCOL_NUM_UDP
+#define PORT_STR_LEN 5
+#define PORT_DEFAULT_KDC 88
+#define PORT_DEFAULT_ADM 749
+#define PORT_DEFAULT_PWD 464
-#define MAX_LEN 1024
-#define MAX_SERVICE_PASSWD_LEN 256
-#define RANDOM_PASSWD_LEN 128
+#define MAX_LEN 1024
+#define MAX_SERVICE_PASSWD_LEN 256
+#define RANDOM_PASSWD_LEN 128
 #define DEF_SERVICE_PASSWD_FILE "/usr/local/var/service_passwd"
@@ -58,8 +59,8 @@ struct data{
 extern int enc_password(struct data pwd, struct data *enc_key, struct data *enc_pass);
 extern int tohex(krb5_data, krb5_data *);
-extern void kdb5_ldap_create_service (int argc, char **argv);
-extern void kdb5_ldap_modify_service (int argc, char **argv);
+extern void kdb5_ldap_create_service(int argc, char **argv);
+extern void kdb5_ldap_modify_service(int argc, char **argv);
 extern void kdb5_ldap_destroy_service(int argc, char **argv);
 extern void kdb5_ldap_list_services(int argc, char **argv);
 extern void kdb5_ldap_view_service(int argc, char **argv);
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
index 0c9929562..9357cc411 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 /*
 * kadmin/ldap_util/kdb5_ldap_util.c
 *
@@ -104,95 +105,98 @@ krb5_boolean manual_mkey = FALSE; * This function prints the usage of kdb5_ldap_util, which is * the LDAP configuration utility. */ -void usage(void) +void +usage(void) { fprintf(stderr, "Usage: " -"kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n" -"\tcmd [cmd_options]\n" + "kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n" + "\tcmd [cmd_options]\n" /* Create realm */ -"create [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]\n" + "create [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]\n" #ifdef HAVE_EDIRECTORY -"\t\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n" -"\t\t[-pwddn passwd_service_list]\n" + "\t\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n" + "\t\t[-pwddn passwd_service_list]\n" #endif -"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n" -"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" -"\t\t[ticket_flags] [-r realm]\n" + "\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n" + "\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" + "\t\t[ticket_flags] [-r realm]\n" /* modify realm */ -"modify [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]\n" + "modify [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]\n" #ifdef HAVE_EDIRECTORY -"\t\t[-kdcdn kdc_service_list |\n" -"\t\t[-clearkdcdn kdc_service_list] [-addkdcdn kdc_service_list]]\n" -"\t\t[-admindn admin_service_list | [-clearadmindn admin_service_list]\n" -"\t\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n" -"\t\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n" + "\t\t[-kdcdn kdc_service_list |\n" + "\t\t[-clearkdcdn kdc_service_list] [-addkdcdn kdc_service_list]]\n" + "\t\t[-admindn admin_service_list | [-clearadmindn admin_service_list]\n" 
+ "\t\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n" + "\t\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n" #endif -"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" -"\t\t[ticket_flags] [-r realm]\n" + "\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" + "\t\t[ticket_flags] [-r realm]\n" /* View realm */ -"view [-r realm]\n" + "view [-r realm]\n" /* Destroy realm */ -"destroy [-f] [-r realm]\n" + "destroy [-f] [-r realm]\n" /* List realms */ -"list\n" + "list\n" #ifdef HAVE_EDIRECTORY /* Create Service */ -"create_service {-kdc|-admin|-pwd} [-servicehost service_host_list]\n" -"\t\t[-realm realm_list] \n" -"\t\t[-randpw|-fileonly] [-f filename] service_dn\n" + "create_service {-kdc|-admin|-pwd} [-servicehost service_host_list]\n" + "\t\t[-realm realm_list] \n" + "\t\t[-randpw|-fileonly] [-f filename] service_dn\n" /* Modify service */ -"modify_service [-servicehost service_host_list |\n" -"\t\t[-clearservicehost service_host_list]\n" -"\t\t[-addservicehost service_host_list]]\n" -"\t\t[-realm realm_list | [-clearrealm realm_list]\n" -"\t\t[-addrealm realm_list]] service_dn\n" + "modify_service [-servicehost service_host_list |\n" + "\t\t[-clearservicehost service_host_list]\n" + "\t\t[-addservicehost service_host_list]]\n" + "\t\t[-realm realm_list | [-clearrealm realm_list]\n" + "\t\t[-addrealm realm_list]] service_dn\n" /* View Service */ -"view_service service_dn\n" + "view_service service_dn\n" /* Destroy Service */ -"destroy_service [-force] [-f stashfilename] service_dn\n" + "destroy_service [-force] [-f stashfilename] service_dn\n" /* List services */ -"list_service [-basedn base_dn]\n" + "list_service [-basedn base_dn]\n" /* Set Service password */ -"setsrvpw [-randpw|-fileonly] [-f filename] service_dn\n" + "setsrvpw [-randpw|-fileonly] [-f filename] service_dn\n" #else /* Stash the service password */ -"stashsrvpw [-f filename] service_dn\n" + 
"stashsrvpw [-f filename] service_dn\n" #endif /* Create policy */ -"create_policy [-r realm] [-maxtktlife max_ticket_life]\n" -"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" + "create_policy [-r realm] [-maxtktlife max_ticket_life]\n" + "\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" /* Modify policy */ -"modify_policy [-r realm] [-maxtktlife max_ticket_life]\n" -"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" + "modify_policy [-r realm] [-maxtktlife max_ticket_life]\n" + "\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" /* View policy */ -"view_policy [-r realm] policy\n" + "view_policy [-r realm] policy\n" /* Destroy policy */ -"destroy_policy [-r realm] [-force] policy\n" + "destroy_policy [-r realm] [-force] policy\n" /* List policies */ -"list_policy [-r realm]\n" + "list_policy [-r realm]\n" - ); + ); } -void db_usage (int type) { +void +db_usage(int type) +{ /* * This should print usage of 'type' command. For now, we will print usage * of all commands. @@ -242,8 +246,8 @@ static struct _cmd_table *cmd_lookup(name) int i; for (i = 0; cmd_table[i].name != NULL; i++) - if (strcmp(cmd_table[i].name, name) == 0) - return &cmd_table[i]; + if (strcmp(cmd_table[i].name, name) == 0) + return &cmd_table[i]; return NULL; } 
@@ -254,23 +258,24 @@ static struct _cmd_table *cmd_lookup(name) * in the command table, which can be used to get the corresponding * help from the help message table. */ -int cmd_index(name) - char *name; +int +cmd_index(char *name) { int i; if (name == NULL) - return -1; + return -1; for (i = 0; cmd_table[i].name != NULL; i++) - if (strcmp(cmd_table[i].name, name) == 0) - return i; + if (strcmp(cmd_table[i].name, name) == 0) + return i; return -1; } -static void extended_com_err_fn (const char *myprog, errcode_t code, - const char *fmt, va_list args) +static void +extended_com_err_fn(const char *myprog, errcode_t code, const char *fmt, + va_list args) { const char *emsg; emsg = krb5_get_error_message (util_context, code); @@ -280,9 +285,8 @@ static void extended_com_err_fn (const char *myprog, errcode_t code, fprintf (stderr, "\n"); } -int main(argc, argv) - int argc; - char *argv[]; +int +main(int argc, char *argv[]) { struct _cmd_table *cmd = NULL; char *koptarg = NULL, **cmd_argv = NULL; @@ -310,16 +314,16 @@ int main(argc, argv) retval = krb5_init_context(&util_context); set_com_err_hook(extended_com_err_fn); if (retval) { - com_err (progname, retval, "while initializing Kerberos code"); - exit_status++; - goto cleanup; + com_err (progname, retval, "while initializing Kerberos code"); + exit_status++; + goto cleanup; } cmd_argv = (char **) malloc(sizeof(char *)*argc); if (cmd_argv == NULL) { - com_err(progname, ENOMEM, "while creating sub-command arguments"); - exit_status++; - goto cleanup; + com_err(progname, ENOMEM, "while creating sub-command arguments"); + exit_status++; + goto cleanup; } memset(cmd_argv, 0, sizeof(char *)*argc); cmd_argc = 1; 
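Review bot: `cmd_index(char *name)` only passes `name` to `strcmp`, so the new prototype could be `int cmd_index(const char *name)` (the extern declaration in the header would need the same change). The header of the previous hunk still shows `static struct _cmd_table *cmd_lookup(name)` in K&R form; if it is not converted elsewhere in this commit, it should match `cmd_index` and `extended_com_err_fn`, which this commit does convert. In extended_com_err_fn, `emsg` from `krb5_get_error_message` has to be released with `krb5_free_error_message`; the function body continues outside this hunk, so that may already happen there.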
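Review bot: `cmd_argv = (char **) malloc(sizeof(char *)*argc);` followed by `memset(cmd_argv, 0, sizeof(char *)*argc);` is the long form of `cmd_argv = calloc(argc, sizeof(*cmd_argv));`, which also drops the cast on the allocator's return and keeps the element size tied to the variable. main's body continues outside this hunk.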
@@ -328,101 +332,101 @@ int main(argc, argv) argv++; argc--; while (*argv) { - if (strcmp(*argv, "--help") == 0) { - print_help_message = TRUE; - } - if (strcmp(*argv, "-P") == 0 && ARG_VAL) { - mkey_password = koptarg; - manual_mkey = TRUE; - } else if (strcmp(*argv, "-r") == 0 && ARG_VAL) { - global_params.realm = koptarg; - global_params.mask |= KADM5_CONFIG_REALM; - /* not sure this is really necessary */ - if ((retval = krb5_set_default_realm(util_context, - global_params.realm))) { - com_err(progname, retval, "while setting default realm name"); - exit_status++; - goto cleanup; - } - } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) { - if (krb5_string_to_enctype(koptarg, &global_params.enctype)) { - com_err(progname, EINVAL, ": %s is an invalid enctype", koptarg); - exit_status++; - goto cleanup; + if (strcmp(*argv, "--help") == 0) { + print_help_message = TRUE; + } + if (strcmp(*argv, "-P") == 0 && ARG_VAL) { + mkey_password = koptarg; + manual_mkey = TRUE; + } else if (strcmp(*argv, "-r") == 0 && ARG_VAL) { + global_params.realm = koptarg; + global_params.mask |= KADM5_CONFIG_REALM; + /* not sure this is really necessary */ + if ((retval = krb5_set_default_realm(util_context, + global_params.realm))) { + com_err(progname, retval, "while setting default realm name"); + exit_status++; + goto cleanup; + } + } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) { + if (krb5_string_to_enctype(koptarg, &global_params.enctype)) { + com_err(progname, EINVAL, ": %s is an invalid enctype", koptarg); + exit_status++; + goto cleanup; } else - global_params.mask |= KADM5_CONFIG_ENCTYPE; - } else if (strcmp(*argv, "-kv") == 0 && ARG_VAL) { - global_params.kvno = (krb5_kvno) atoi(koptarg); + global_params.mask |= KADM5_CONFIG_ENCTYPE; + } else if (strcmp(*argv, "-kv") == 0 && ARG_VAL) { + global_params.kvno = (krb5_kvno) atoi(koptarg); if (global_params.kvno == IGNORE_VNO) { com_err(progname, EINVAL, ": %s is an invalid mkeyVNO", koptarg); - exit_status++; - goto cleanup; + 
exit_status++; + goto cleanup; } else global_params.mask |= KADM5_CONFIG_KVNO; - } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) { - global_params.mkey_name = koptarg; - global_params.mask |= KADM5_CONFIG_MKEY_NAME; - } else if (strcmp(*argv, "-sf") == 0 && ARG_VAL) { - global_params.stash_file = koptarg; - global_params.mask |= KADM5_CONFIG_STASH_FILE; - } else if (strcmp(*argv, "-m") == 0) { - manual_mkey = TRUE; - global_params.mkey_from_kbd = 1; - global_params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; - } else if (strcmp(*argv, "-D") == 0 && ARG_VAL) { - bind_dn = koptarg; - if (bind_dn == NULL) { - com_err(progname, ENOMEM, "while reading ldap parameters"); - exit_status++; - goto cleanup; - } - ldapmask |= CMD_LDAP_D; - } else if (strcmp(*argv, "-w") == 0 && ARG_VAL) { - passwd = strdup(koptarg); - if (passwd == NULL) { - com_err(progname, ENOMEM, "while reading ldap parameters"); - exit_status++; - goto cleanup; - } - ldapmask |= CMD_LDAP_W; - } else if (strcmp(*argv, "-H") == 0 && ARG_VAL) { - ldap_server = koptarg; - if (ldap_server == NULL) { - com_err(progname, ENOMEM, "while reading ldap parameters"); - exit_status++; - goto cleanup; - } - ldapmask |= CMD_LDAP_H; - } else if (cmd_lookup(*argv) != NULL) { - if (cmd_argv[0] == NULL) - cmd_argv[0] = *argv; - else { - free(cmd_argv); - cmd_argv = NULL; - usage(); - goto cleanup; - } - } else { - cmd_argv[cmd_argc++] = *argv; - } - argv++; argc--; + } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) { + global_params.mkey_name = koptarg; + global_params.mask |= KADM5_CONFIG_MKEY_NAME; + } else if (strcmp(*argv, "-sf") == 0 && ARG_VAL) { + global_params.stash_file = koptarg; + global_params.mask |= KADM5_CONFIG_STASH_FILE; + } else if (strcmp(*argv, "-m") == 0) { + manual_mkey = TRUE; + global_params.mkey_from_kbd = 1; + global_params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; + } else if (strcmp(*argv, "-D") == 0 && ARG_VAL) { + bind_dn = koptarg; + if (bind_dn == NULL) { + com_err(progname, ENOMEM, "while reading ldap 
parameters"); + exit_status++; + goto cleanup; + } + ldapmask |= CMD_LDAP_D; + } else if (strcmp(*argv, "-w") == 0 && ARG_VAL) { + passwd = strdup(koptarg); + if (passwd == NULL) { + com_err(progname, ENOMEM, "while reading ldap parameters"); + exit_status++; + goto cleanup; + } + ldapmask |= CMD_LDAP_W; + } else if (strcmp(*argv, "-H") == 0 && ARG_VAL) { + ldap_server = koptarg; + if (ldap_server == NULL) { + com_err(progname, ENOMEM, "while reading ldap parameters"); + exit_status++; + goto cleanup; + } + ldapmask |= CMD_LDAP_H; + } else if (cmd_lookup(*argv) != NULL) { + if (cmd_argv[0] == NULL) + cmd_argv[0] = *argv; + else { + free(cmd_argv); + cmd_argv = NULL; + usage(); + goto cleanup; + } + } else { + cmd_argv[cmd_argc++] = *argv; + } + argv++; argc--; } if (cmd_argv[0] == NULL) { - free(cmd_argv); - cmd_argv = NULL; - usage(); - goto cleanup; + free(cmd_argv); + cmd_argv = NULL; + usage(); + goto cleanup; } /* if we need to print the help message (because of --help option) * we will print the help corresponding to the sub-command. */ if (print_help_message) { - free(cmd_argv); - cmd_argv = NULL; - usage(); - goto cleanup; + free(cmd_argv); + cmd_argv = NULL; + usage(); + goto cleanup; } /* We need to check for the presence of default realm name only in 
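Review bot: In the `-D` and `-H` branches, `bind_dn = koptarg;` and `ldap_server = koptarg;` are plain pointer copies, yet a NULL result is reported as `ENOMEM` "while reading ldap parameters"; assuming `ARG_VAL` takes the value from the next argv element (its definition is outside this hunk), that check is either dead or mislabels a missing option argument, and `EINVAL` plus `usage()` would be the accurate response. `global_params.kvno = (krb5_kvno) atoi(koptarg)` accepts any non-numeric text as 0 and silently wraps out-of-range values; `strtoul` with an end-pointer check, e.g. `char *end; unsigned long v = strtoul(koptarg, &end, 10); if (*koptarg == '\0' || *end != '\0') { com_err(progname, EINVAL, ": %s is an invalid mkeyVNO", koptarg); exit_status++; goto cleanup; }`, rejects `-kv abc` explicitly. The `-w` value stays in argv for the life of the process and is therefore visible in process listings; after `passwd = strdup(koptarg)` the source could be overwritten with `memset(koptarg, 0, strlen(koptarg))`, and the usage text could note that the interactive prompt is preferred over `-w`. main's body continues outside this hunk.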
@@ -434,153 +438,153 @@ int main(argc, argv)
 }
 if (!util_context->default_realm) {
- char *temp = NULL;
- retval = krb5_get_default_realm(util_context, &temp);
- if (retval) {
- if (realm_name_required) {
- com_err (progname, retval, "while getting default realm");
- exit_status++;
- goto cleanup;
- }
- } else
- util_context->default_realm = temp;
+ char *temp = NULL;
+ retval = krb5_get_default_realm(util_context, &temp);
+ if (retval) {
+ if (realm_name_required) {
+ com_err (progname, retval, "while getting default realm");
+ exit_status++;
+ goto cleanup;
+ }
+ } else
+ util_context->default_realm = temp;
 }
 /* If we have the realm name, we can safely say that
 * realm_name is required so that we don't neglect any information. */
 else
- realm_name_required = TRUE;
+ realm_name_required = TRUE;
 retval = profile_get_string(util_context->profile, KDB_REALM_SECTION,
- util_context->default_realm, KDB_MODULE_POINTER,
- NULL,
- &value);
+ util_context->default_realm, KDB_MODULE_POINTER,
+ NULL,
+ &value);
 if (!(value)) {
- retval = profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION,
- KDB_MODULE_POINTER, NULL,
- NULL,
- &value);
- if (!(value)) {
- if (util_context->default_realm)
- conf_section = strdup(util_context->default_realm);
- } else {
- conf_section = strdup(value);
- free(value);
- }
+ retval = profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION,
+ KDB_MODULE_POINTER, NULL,
+ NULL,
+ &value);
+ if (!(value)) {
+ if (util_context->default_realm)
+ conf_section = strdup(util_context->default_realm);
+ } else {
+ conf_section = strdup(value);
+ free(value);
+ }
 } else {
- conf_section = strdup(value);
- free(value);
+ conf_section = strdup(value);
+ free(value);
 }
 if (realm_name_required) {
- retval = kadm5_get_config_params(util_context, 1,
- &global_params, &global_params);
- if (retval) {
- com_err(progname, retval, "while retreiving configuration parameters");
- exit_status++;
- goto cleanup;
- }
- gp_is_static = 0;
+ retval = kadm5_get_config_params(util_context, 1,
+ &global_params, &global_params);
+ if (retval) {
+ com_err(progname, retval, "while retreiving configuration parameters");
+ exit_status++;
+ goto cleanup;
+ }
+ gp_is_static = 0;
 }
 if ((retval = krb5_ldap_lib_init()) != 0) {
- com_err(progname, retval, "while initializing error handling");
- exit_status++;
- goto cleanup;
+ com_err(progname, retval, "while initializing error handling");
+ exit_status++;
+ goto cleanup;
 }
 /* Initialize the ldap context */
 ldap_context = calloc(sizeof(krb5_ldap_context), 1);
 if (ldap_context == NULL) {
- com_err(progname, ENOMEM, "while initializing ldap handle");
- exit_status++;
- goto cleanup;
+ com_err(progname, ENOMEM, "while initializing ldap handle");
+ exit_status++;
+ goto cleanup;
 }
 ldap_context->kcontext = util_context;
 /* If LDAP parameters are specified, replace them with the values from config */
 if (ldapmask & CMD_LDAP_D) {
- /* If password is not specified, prompt for it */
- if (passwd == NULL) {
- passwd = (char *)malloc(MAX_PASSWD_LEN);
- if (passwd == NULL) {
- com_err(progname, ENOMEM, "while retrieving ldap configuration");
- exit_status++;
- goto cleanup;
- }
- prompt = (char *)malloc(MAX_PASSWD_PROMPT_LEN);
- if (prompt == NULL) {
- free(passwd);
- passwd = NULL;
- com_err(progname, ENOMEM, "while retrieving ldap configuration");
- exit_status++;
- goto cleanup;
- }
- memset(passwd, 0, MAX_PASSWD_LEN);
- passwd_len = MAX_PASSWD_LEN - 1;
- snprintf(prompt, MAX_PASSWD_PROMPT_LEN, "Password for \"%s\"", bind_dn);
-
- db_retval = krb5_read_password(util_context, prompt, NULL, passwd, &passwd_len);
-
- if ((db_retval) || (passwd_len == 0)) {
- com_err(progname, ENOMEM, "while retrieving ldap configuration");
- free(passwd);
- passwd = NULL;
- exit_status++;
- goto cleanup;
- }
- }
-
- ldap_context->bind_pwd = passwd;
- passwd = NULL;
+ /* If password is not specified, prompt for it */
+ if (passwd == NULL) {
+ passwd = (char *)malloc(MAX_PASSWD_LEN);
+ if (passwd == NULL) {
+ com_err(progname, ENOMEM, "while retrieving ldap configuration");
+ exit_status++;
+ goto cleanup;
+ }
+ prompt = (char *)malloc(MAX_PASSWD_PROMPT_LEN);
+ if (prompt == NULL) {
+ free(passwd);
+ passwd = NULL;
+ com_err(progname, ENOMEM, "while retrieving ldap configuration");
+ exit_status++;
+ goto cleanup;
+ }
+ memset(passwd, 0, MAX_PASSWD_LEN);
+ passwd_len = MAX_PASSWD_LEN - 1;
+ snprintf(prompt, MAX_PASSWD_PROMPT_LEN, "Password for \"%s\"", bind_dn);
+
+ db_retval = krb5_read_password(util_context, prompt, NULL, passwd, &passwd_len);
+
+ if ((db_retval) || (passwd_len == 0)) {
+ com_err(progname, ENOMEM, "while retrieving ldap configuration");
+ free(passwd);
+ passwd = NULL;
+ exit_status++;
+ goto cleanup;
+ }
+ }
+
+ ldap_context->bind_pwd = passwd;
+ passwd = NULL;
 }
 /* If ldaphost is specified, release entry filled by configuration & use this */
 if (ldapmask & CMD_LDAP_H) {
- ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (2, sizeof (krb5_ldap_server_info *)) ;
- if (ldap_context->server_info_list == NULL) {
- com_err(progname, ENOMEM, "while initializing server list");
- exit_status++;
- goto cleanup;
- }
-
- ldap_context->server_info_list[0] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info));
- if (ldap_context->server_info_list[0] == NULL) {
- com_err(progname, ENOMEM, "while initializing server list");
- exit_status++;
- goto cleanup;
- }
-
- ldap_context->server_info_list[0]->server_status = NOTSET;
-
- ldap_context->server_info_list[0]->server_name = strdup(ldap_server);
- if (ldap_context->server_info_list[0]->server_name == NULL) {
- com_err(progname, ENOMEM, "while initializing server list");
- exit_status++;
- goto cleanup;
- }
+ ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (2, sizeof (krb5_ldap_server_info *)) ;
+ if (ldap_context->server_info_list == NULL) {
+ com_err(progname, ENOMEM, "while initializing server list");
+ exit_status++;
+ goto cleanup;
+ }
+
+ ldap_context->server_info_list[0] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info));
+ if (ldap_context->server_info_list[0] == NULL) {
+ com_err(progname, ENOMEM, "while initializing server list");
+ exit_status++;
+ goto cleanup;
+ }
+
+ ldap_context->server_info_list[0]->server_status = NOTSET;
+
+ ldap_context->server_info_list[0]->server_name = strdup(ldap_server);
+ if (ldap_context->server_info_list[0]->server_name == NULL) {
+ com_err(progname, ENOMEM, "while initializing server list");
+ exit_status++;
+ goto cleanup;
+ }
 }
 if (bind_dn) {
- ldap_context->bind_dn = strdup(bind_dn);
- if (ldap_context->bind_dn == NULL) {
- com_err(progname, ENOMEM, "while retrieving ldap configuration");
- exit_status++;
- goto cleanup;
- }
+ ldap_context->bind_dn = strdup(bind_dn);
+ if (ldap_context->bind_dn == NULL) {
+ com_err(progname, ENOMEM, "while retrieving ldap configuration");
+ exit_status++;
+ goto cleanup;
+ }
 } else
- ldap_context->bind_dn = NULL;
+ ldap_context->bind_dn = NULL;
 ldap_context->service_type = SERVICE_DN_TYPE_CLIENT;
 if (realm_name_required) {
- if ((global_params.enctype != ENCTYPE_UNKNOWN) &&
- (!krb5_c_valid_enctype(global_params.enctype))) {
- com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP,
- "while setting up enctype %d", global_params.enctype);
- }
+ if ((global_params.enctype != ENCTYPE_UNKNOWN) &&
+ (!krb5_c_valid_enctype(global_params.enctype))) {
+ com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP,
+ "while setting up enctype %d", global_params.enctype);
+ }
 }
 cmd = cmd_lookup(cmd_argv[0]);
@@ -588,28 +592,28 @@ int main(argc, argv)
 /* Setup DAL handle to access the database */
 db_retval = krb5_db_setup_lib_handle(util_context);
 if (db_retval) {
- com_err(progname, db_retval, "while setting up lib handle");
- exit_status++;
- goto cleanup;
+ com_err(progname, db_retval, "while setting up lib handle");
+ exit_status++;
+ goto cleanup;
 }
 util_context->dal_handle->db_context = ldap_context;
 ldap_context = NULL;
 db_retval = krb5_ldap_read_server_params(util_context, conf_section, KRB5_KDB_SRV_TYPE_OTHER);
 if (db_retval) {
- com_err(progname, db_retval, "while reading ldap configuration");
- exit_status++;
- goto cleanup;
+ com_err(progname, db_retval, "while reading ldap configuration");
+ exit_status++;
+ goto cleanup;
 }
 if (cmd->opendb) {
- db_retval = krb5_ldap_db_init(util_context, (krb5_ldap_context *)util_context->dal_handle->db_context);
- if (db_retval) {
- com_err(progname, db_retval, "while initializing database");
- exit_status++;
- goto cleanup;
- }
- db_inited = TRUE;
+ db_retval = krb5_ldap_db_init(util_context, (krb5_ldap_context *)util_context->dal_handle->db_context);
+ if (db_retval) {
+ com_err(progname, db_retval, "while initializing database");
+ exit_status++;
+ goto cleanup;
+ }
+ db_inited = TRUE;
 }
 (*cmd->func)(cmd_argc, cmd_argv);
@@ -617,31 +621,31 @@ int main(argc, argv)
 cleanup:
 if (passwd) {
- memset(passwd, 0, strlen(passwd));
- free(passwd);
+ memset(passwd, 0, strlen(passwd));
+ free(passwd);
 }
 if (ldap_context) {
- krb5_ldap_free_server_context_params(ldap_context);
- free(ldap_context);
+ krb5_ldap_free_server_context_params(ldap_context);
+ free(ldap_context);
 }
 if (util_context) {
- if (gp_is_static == 0)
- kadm5_free_config_params(util_context, &global_params);
- krb5_ldap_close(util_context);
- krb5_free_context(util_context);
+ if (gp_is_static == 0)
+ kadm5_free_config_params(util_context, &global_params);
+ krb5_ldap_close(util_context);
+ krb5_free_context(util_context);
 }
 if (cmd_argv)
- free(cmd_argv);
+ free(cmd_argv);
 if (prompt)
- free(prompt);
+ free(prompt);
 if (conf_section)
- free(conf_section);
+ free(conf_section);
 if (usage_print) {
- usage();
+ usage();
 }
 return exit_status;
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h
index 8eb65af5d..572236bd2 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 /*
 * kadmin/ldap_util/kdb5_ldap_util.h
 */
@@ -71,10 +72,10 @@ extern void db_usage(int);
 /* Following are the bitmaps that indicate which of the options among -D, -w, -h, -p & -t
 * were specified on the command line. */
-#define CMD_LDAP_D 0x1 /* set if -D option is specified */
-#define CMD_LDAP_W 0x2 /* set if -w option is specified */
-#define CMD_LDAP_H 0x4 /* set if -h option is specified */
-#define CMD_LDAP_P 0x8 /* set if -p option is specified */
+#define CMD_LDAP_D 0x1 /* set if -D option is specified */
+#define CMD_LDAP_W 0x2 /* set if -w option is specified */
+#define CMD_LDAP_H 0x4 /* set if -h option is specified */
+#define CMD_LDAP_P 0x8 /* set if -p option is specified */
 #define MAX_PASSWD_LEN 1024
 #define MAX_PASSWD_PROMPT_LEN 276 /* max_dn_size(=256) + strlen("Password for \" \"")=20 */ |
