authorKen Raeburn <raeburn@mit.edu>2006-08-29 19:52:38 +0000
committerKen Raeburn <raeburn@mit.edu>2006-08-29 19:52:38 +0000
commit9ea7dbddd2e7bfc54650de3933fadc18bd27b6e9 (patch)
tree3befcfac58d545f39230a8807a3955a1157556a9 /src/plugins/kdb/ldap/ldap_util
parent7d5184becee74e2b908e60c7c58eec6fcf8dd2d2 (diff)
Patch from Savitha R:
ldap_util: 1. kdb5_ldap_util interface: removed supp enctypes and suppsalttypes from create realm and modify realm, since they are currently not used. 2. memset passwd strings to zero when they are no longer used. 3. Use krb5_sname_to_principal in place of gethostbyname when creating the kadmin principal with the hostname. libkdb_ldap: 1. Added mandatory functions that were missing in the LDAP plug-in. 2. Error handling changes: set the error message in the Kerberos context when decryption of the service passwd fails or the connection to the LDAP server fails during initialization. Additional changes: libkdb_ldap: link against the com_err library to provide error_message(). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18548 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/kdb/ldap/ldap_util')
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c431
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c24
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M52
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c10
4 files changed, 48 insertions, 469 deletions
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index 2c62522af..55b0690ec 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -427,91 +427,6 @@ void kdb5_ldap_create(argc, argv)
mask |= LDAP_REALM_PASSWDSERVERS;
}
#endif
- else if (!strcmp(argv[i], "-enctypes")) {
- char *tlist[MAX_LIST_ENTRIES] = {NULL};
-
- if (++i > argc-1)
- goto err_usage;
- rparams->suppenctypes = (krb5_enctype *)malloc(
- sizeof(krb5_enctype) * MAX_LIST_ENTRIES);
- if (rparams->suppenctypes == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memset(rparams->suppenctypes, 0, sizeof(krb5_enctype) * MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, tlist)) != 0) {
- goto cleanup;
- }
- for(j = 0; tlist[j] != NULL; j++) {
- if ((retval = krb5_string_to_enctype(tlist[j],
- &rparams->suppenctypes[j]))) {
- com_err(argv[0], retval, "Invalid encryption type '%s'",
- tlist[j]);
- krb5_free_list_entries(tlist);
- goto err_nomsg;
- }
- }
- rparams->suppenctypes[j] = END_OF_LIST;
- qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype),
- compare_int);
- mask |= LDAP_REALM_SUPPENCTYPE;
- krb5_free_list_entries(tlist);
- }
- else if (!strcmp(argv[i], "-defenctype")) {
- if (++i > argc-1)
- goto err_usage;
- if ((retval = krb5_string_to_enctype(argv[i],
- &rparams->defenctype))) {
- com_err(argv[0], retval, "'%s' specified for defenctype, "
- "while creating realm '%s'",
- argv[i], global_params.realm);
- goto err_nomsg;
- }
- mask |= LDAP_REALM_DEFENCTYPE;
- }
- else if (!strcmp(argv[i], "-salttypes")) {
- char *tlist[MAX_LIST_ENTRIES] = {NULL};
-
- if (++i > argc-1)
- goto err_usage;
- rparams->suppsalttypes = (krb5_int32 *)malloc(
- sizeof(krb5_int32) * MAX_LIST_ENTRIES);
- if (rparams->suppsalttypes == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memset(rparams->suppsalttypes, 0, sizeof(krb5_int32) * MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, tlist))) {
- goto cleanup;
- }
- for(j = 0; tlist[j] != NULL; j++) {
- if ((retval = krb5_string_to_salttype(tlist[j],
- &rparams->suppsalttypes[j]))) {
- com_err(argv[0], retval, "'%s' specified for salttypes, "
- "while creating realm '%s'",
- tlist[j], global_params.realm);
- krb5_free_list_entries(tlist);
- goto err_nomsg;
- }
- }
- rparams->suppsalttypes[j] = END_OF_LIST;
- qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32),
- compare_int);
- mask |= LDAP_REALM_SUPPSALTTYPE;
- krb5_free_list_entries(tlist);
- }
- else if (!strcmp(argv[i], "-defsalttype")) {
- if (++i > argc-1)
- goto err_usage;
- if ((retval = krb5_string_to_salttype(argv[i],
- &rparams->defsalttype))) {
- com_err(argv[0], retval, "'%s' specified for defsalttype, "
- "while creating realm '%s'",
- argv[i], global_params.realm);
- goto err_nomsg;
- }
- mask |= LDAP_REALM_DEFSALTTYPE;
- }
else if (!strcmp(argv[i], "-s")) {
do_stash = 1;
}
@@ -530,43 +445,6 @@ void kdb5_ldap_create(argc, argv)
* default values and also add to the list of supported
* enctypes/salttype
*/
- if ( !(mask & LDAP_REALM_DEFENCTYPE) && (rparams != NULL)) {
- rparams->defenctype = ENCTYPE_DES3_CBC_SHA1;
- mask |= LDAP_REALM_DEFENCTYPE;
- printf("Default enctype not specified: \"des3-cbc-sha1\" "
- "will be added as the default enctype and to the "
- "list of supported enctypes.\n");
-
- /* Now, add this to the list of supported enctypes. The
- * duplicate values will be removed in DAL-LDAP
- */
- if (mask & LDAP_REALM_SUPPENCTYPE) {
- for (i=0; rparams->suppenctypes[i] != END_OF_LIST; i++)
- ;
- assert (i < END_OF_LIST - 1);
- rparams->suppenctypes[i] = ENCTYPE_DES3_CBC_SHA1;
- rparams->suppenctypes[i + 1] = END_OF_LIST;
- }
- }
-
- if ( !(mask & LDAP_REALM_DEFSALTTYPE) && (rparams != NULL)) {
- rparams->defsalttype = KRB5_KDB_SALTTYPE_NORMAL;
- mask |= LDAP_REALM_DEFSALTTYPE;
- printf("Default salttype not specified: \"normal\" will be "
- "added as the default salttype and to the list of "
- "supported salttypes.\n");
-
- /* Now, add this to the list of supported salttypes. The
- * duplicate values will be removed in DAL-LDAP
- */
- if (mask & LDAP_REALM_SUPPSALTTYPE) {
- for (i=0; rparams->suppsalttypes[i] != END_OF_LIST; i++)
- ;
- assert (i < END_OF_LIST - 1);
- rparams->suppsalttypes[i] = KRB5_KDB_SALTTYPE_NORMAL;
- rparams->suppsalttypes[i + 1] = END_OF_LIST;
- }
- }
rblock.max_life = global_params.max_life;
rblock.max_rlife = global_params.max_rlife;
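Review bot: The comment kept as context at the top of this hunk (`* default values and also add to the list of supported enctypes/salttype`) describes exactly the default-enctype/salttype code the hunk deletes, so it is now stale. Either drop the comment block or reword it to cover what still follows, e.g. `/* Fill in the realm block from the configured ticket lifetimes */` ahead of the `rblock.max_life` assignments. kdb5_ldap_create begins and ends outside this hunk, so I could not check whether the `i` and `rparams` locals the removed loops relied on have other remaining uses.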
@@ -761,7 +639,7 @@ void kdb5_ldap_create(argc, argv)
/* Create special principals inside the realm subtree */
{
- char princ_name[MAX_PRINC_SIZE], localname[MAXHOSTNAMELEN];
+ char princ_name[MAX_PRINC_SIZE];
struct hostent *hp = NULL;
krb5_principal_data tgt_princ = {
0, /* magic number */
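Review bot: `struct hostent *hp = NULL;` is kept in this declaration block even though its only visible users, the `gethostbyname(localname)` call and the `hp->h_name` formatting, are removed by the later hunk together with the `localname` buffer this hunk drops. Unless something outside the diff still reads `hp`, remove the declaration as well so the dead name does not survive the switch to krb5_sname_to_principal. The enclosing kdb5_ldap_create starts and ends outside this hunk.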
@@ -770,7 +648,7 @@ void kdb5_ldap_create(argc, argv)
2, /* int length */
KRB5_NT_SRV_INST /* int type */
};
- krb5_principal p;
+ krb5_principal p, temp_p=NULL;
krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm);
krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm));
@@ -842,31 +720,32 @@ void kdb5_ldap_create(argc, argv)
krb5_free_principal(util_context, p);
/* Create 'kadmin/<hostname>' ... */
- if (gethostname(localname, sizeof(localname))) {
- retval = errno;
- com_err(argv[0], retval, "gethostname, while adding entries to the database");
- goto err_nomsg;
+ if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) {
+ com_err(argv[0], retval, "krb5_sname_to_principal, while adding entries to the database");
+ goto err_nomsg;
}
- hp = gethostbyname(localname);
- if (hp == NULL) {
- retval = errno;
- com_err(argv[0], retval, "gethostbyname, while adding entries to the database");
- goto err_nomsg;
+
+ if((retval=krb5_copy_principal(util_context, p, &temp_p))) {
+ com_err(argv[0], retval, "krb5_copy_principal, while adding entries to the database");
+ goto err_nomsg;
}
- assert (sizeof(princ_name) >= strlen(hp->h_name) + strlen(global_params.realm) + 9);
- /* snprintf(princ_name, MAXHOSTNAMELEN + 8, "kadmin/%s", hp->h_name); */
- snprintf(princ_name, sizeof(princ_name), "kadmin/%s@%s", hp->h_name, global_params.realm);
- if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
- com_err(argv[0], retval, "while adding entries to the database");
- goto err_nomsg;
+
+ /* change the realm portion to the default realm */
+ free( temp_p->realm.data );
+ temp_p->realm.length = strlen( util_context->default_realm );
+ temp_p->realm.data = strdup( util_context->default_realm );
+ if( temp_p->realm.data == NULL ) {
+ com_err(argv[0], ENOMEM, "while adding entries to the database");
+ goto err_nomsg;
}
rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
- if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
+ if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
krb5_free_principal(util_context, p);
com_err(argv[0], retval, "while adding entries to the database");
goto err_nomsg;
}
+ krb5_free_principal(util_context, temp_p);
krb5_free_principal(util_context, p);
if (ldap_context->lrparams->subtree != NULL)
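Review bot: The strdup failure path in this hunk reports ENOMEM to com_err but leaves `retval` at the 0 returned by the successful krb5_copy_principal, so whatever err_nomsg does with `retval` (outside the hunk) would see success; it also jumps out without freeing `p` or `temp_p`, the krb5_copy_principal failure path leaks `p`, and the kdb_ldap_create_principal failure path frees `p` but not `temp_p`. Setting `temp_p->realm.length` before the strdup also leaves a non-zero length paired with a NULL pointer if it fails. Separately, the realm is taken from `util_context->default_realm` while `tgt_princ` and the rest of this block use `global_params.realm`; if `-r` names a realm other than the default, this kadmin/<host> entry would be created for a different realm than the others, which is worth confirming. The rewritten error handling below keeps the current realm source and only fixes the status and the leaks.
```c
    if ((retval = krb5_copy_principal(util_context, p, &temp_p))) {
        com_err(argv[0], retval, "krb5_copy_principal, while adding entries to the database");
        krb5_free_principal(util_context, p);
        goto err_nomsg;
    }

    /* change the realm portion to the default realm */
    free(temp_p->realm.data);
    temp_p->realm.data = strdup(util_context->default_realm);
    if (temp_p->realm.data == NULL) {
        temp_p->realm.length = 0;
        retval = ENOMEM;
        com_err(argv[0], retval, "while adding entries to the database");
        krb5_free_principal(util_context, p);
        krb5_free_principal(util_context, temp_p);
        goto err_nomsg;
    }
    temp_p->realm.length = strlen(util_context->default_realm);
    rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
    if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
        krb5_free_principal(util_context, p);
        krb5_free_principal(util_context, temp_p);
        com_err(argv[0], retval, "while adding entries to the database");
        goto err_nomsg;
    }
    /* … unchanged: free of temp_p and p, subtree handling … */
```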
@@ -1472,220 +1351,6 @@ void kdb5_ldap_modify(argc, argv)
}
}
#endif
- else if (!strcmp(argv[i], "-enctypes")) {
- if (++i > argc-1)
- goto err_usage;
- if (rmask & LDAP_REALM_SUPPENCTYPE)
- free(rparams->suppenctypes);
- rparams->suppenctypes = (krb5_enctype *)malloc(
- sizeof(krb5_enctype) * MAX_LIST_ENTRIES);
- if (rparams->suppenctypes == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- for(j = 0; list[j] != NULL; j++) {
- if ((retval = krb5_string_to_enctype(list[j],
- &rparams->suppenctypes[j]))) {
- com_err(argv[0], retval, "'%s' specified for enctypes, "
- "while modifying information of realm '%s'",
- list[j], global_params.realm);
- goto err_nomsg;
- }
- }
- rparams->suppenctypes[j] = END_OF_LIST;
- qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype),
- compare_int);
- mask |= LDAP_REALM_SUPPENCTYPE;
- /* Going to replace the existing value by this new value. Hence
- * setting flag indicating that add or clear options will be ignored
- */
- newenctypes = 1;
- krb5_free_list_entries(list);
- }
- else if (!strcmp(argv[i], "-clearenctypes")) {
- if (++i > argc-1)
- goto err_usage;
- if ((!newenctypes) && (rparams->suppenctypes != NULL)) {
-
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- memset(tlist, END_OF_LIST, sizeof(int) * MAX_LIST_ENTRIES);
- for(j = 0; list[j] != NULL; j++) {
- if ((retval = krb5_string_to_enctype(list[j], &tlist[j]))) {
- com_err(argv[0], retval, "'%s' specified for clearenctypes, "
- "while modifying information of realm '%s'",
- list[j], global_params.realm);
- goto err_nomsg;
- }
- }
- tlist[j] = END_OF_LIST;
- j = list_modify_int_array(rparams->suppenctypes, (const int*)tlist,
- LIST_MODE_DELETE);
- qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype),
- compare_int);
- mask |= LDAP_REALM_SUPPENCTYPE;
- krb5_free_list_entries(list);
- }
- }
- else if (!strcmp(argv[i], "-addenctypes")) {
- if (++i > argc-1)
- goto err_usage;
- if (!newenctypes) {
- int *tmp;
-
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- existing_entries = list_count_int_array(rparams->suppenctypes);
- list_entries = list_count_str_array(list);
-
- tmp = (krb5_enctype *) realloc (rparams->suppenctypes,
- sizeof(krb5_enctype) * (existing_entries+list_entries+1));
- if (tmp == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- rparams->suppenctypes = tmp;
-
- for(j = 0; list[j] != NULL; j++) {
- if ((retval = krb5_string_to_enctype(list[j], &tlist[j]))) {
- com_err(argv[0], retval, "'%s' specified for addenctypes, "
- "while modifying information of realm '%s'",
- list[j], global_params.realm);
- goto err_nomsg;
- }
- }
- tlist[j] = END_OF_LIST;
-
- j = list_modify_int_array(rparams->suppenctypes, (const int*)tlist,
- LIST_MODE_ADD);
- qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype),
- compare_int);
- mask |= LDAP_REALM_SUPPENCTYPE;
- krb5_free_list_entries(list);
- }
- }
- else if (!strcmp(argv[i], "-defenctype")) {
- if (++i > argc-1)
- goto err_usage;
- if ((retval = krb5_string_to_enctype(argv[i],
- &rparams->defenctype))) {
- com_err(argv[0], retval, "'%s' specified for defenctype, "
- "while modifying information of realm '%s'",
- argv[i], global_params.realm);
- goto err_nomsg;
- }
- mask |= LDAP_REALM_DEFENCTYPE;
- }
- else if (!strcmp(argv[i], "-salttypes")) {
- if (++i > argc-1)
- goto err_usage;
- if (rmask & LDAP_REALM_SUPPSALTTYPE)
- free(rparams->suppsalttypes);
- rparams->suppsalttypes = (krb5_int32 *)malloc(
- sizeof(krb5_int32) * MAX_LIST_ENTRIES);
- if (rparams->suppsalttypes == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- for(j = 0; list[j] != NULL; j++) {
- if ((retval = krb5_string_to_salttype(list[j],
- &rparams->suppsalttypes[j]))) {
- com_err(argv[0], retval, "'%s' specified for salttypes, "
- "while modifying information of realm '%s'",
- list[j], global_params.realm);
- goto err_nomsg;
- }
- }
- rparams->suppsalttypes[j] = END_OF_LIST;
- qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32),
- compare_int);
- mask |= LDAP_REALM_SUPPSALTTYPE;
- /* Going to replace the existing value by this new value. Hence
- * setting flag indicating that add or clear options will be ignored
- */
- newsalttypes = 1;
- krb5_free_list_entries(list);
- }
- else if (!strcmp(argv[i], "-clearsalttypes")) {
- if (++i > argc-1)
- goto err_usage;
- if ((!newsalttypes) && (rparams->suppsalttypes != NULL)) {
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- for(j = 0; list[j] != NULL; j++) {
- if ((retval = krb5_string_to_salttype(list[j], &tlist[j]))) {
- com_err(argv[0], retval, "'%s' specified for clearsalttypes, "
- "while modifying information of realm '%s'",
- list[j], global_params.realm);
- goto err_nomsg;
- }
- }
- tlist[j] = END_OF_LIST;
- j = list_modify_int_array(rparams->suppsalttypes, (const int*)tlist,
- LIST_MODE_DELETE);
- qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32),
- compare_int);
- mask |= LDAP_REALM_SUPPSALTTYPE;
- krb5_free_list_entries(list);
- }
- }
- else if (!strcmp(argv[i], "-addsalttypes")) {
- if (++i > argc-1)
- goto err_usage;
- if (!newsalttypes) {
- int *tmp;
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- existing_entries = list_count_int_array(rparams->suppsalttypes);
- list_entries = list_count_str_array(list);
-
- tmp = (krb5_int32 *) realloc (rparams->suppsalttypes,
- sizeof(krb5_int32) * (existing_entries+list_entries+1));
- if (tmp == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- rparams->suppsalttypes = tmp;
-
- for(j = 0; list[j] != NULL; j++) {
- if ((retval = krb5_string_to_salttype(list[j], &tlist[j]))) {
- com_err(argv[0], retval, "'%s' specified for addsalttypes, "
- "while modifying information of realm '%s'",
- list[j], global_params.realm);
- goto err_nomsg;
- }
- }
- tlist[j] = END_OF_LIST;
- j = list_modify_int_array(rparams->suppsalttypes, (const int*)tlist,
- LIST_MODE_ADD);
- qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32),
- compare_int);
- mask |= LDAP_REALM_SUPPSALTTYPE;
- krb5_free_list_entries(list);
- }
- }
- else if (!strcmp(argv[i], "-defsalttype")) {
- if (++i > argc-1)
- goto err_usage;
- if ((retval = krb5_string_to_salttype(argv[i],
- &rparams->defsalttype))) {
- com_err(argv[0], retval, "'%s' specified for defsalttype, "
- "while modifying information of realm '%s'",
- argv[i], global_params.realm);
- goto err_nomsg;
- }
- mask |= LDAP_REALM_DEFSALTTYPE;
- }
else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0)
{
mask|=ret_mask;
@@ -2169,50 +1834,6 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
if (num_entry_printed == 0)
printf("\n");
}
- if (mask & LDAP_REALM_SUPPENCTYPE) {
- printf("%25s:", "Supported Enc Types");
- if (rparams->suppenctypes != NULL) {
- num_entry_printed = 0;
- for(tmplist = rparams->suppenctypes; *tmplist != END_OF_LIST;
- tmplist++) {
- retval = krb5_enctype_to_string(*tmplist, buff, BUFF_LEN);
- if (retval == 0) {
- if (num_entry_printed)
- printf(" %25s %-50s\n", " ", buff);
- else
- printf(" %-50s\n", buff);
- num_entry_printed++;
- }
- }
- }
- if (num_entry_printed == 0)
- printf("\n");
- }
- if (mask & LDAP_REALM_DEFENCTYPE) {
- retval = krb5_enctype_to_string(rparams->defenctype, buff, BUFF_LEN);
- if (retval == 0) {
- printf("%25s: %-50s\n", "Default Enc Type", buff);
- }
- }
- if (mask & LDAP_REALM_SUPPSALTTYPE) {
- printf("%25s:", "Supported Salt Types");
- if (rparams->suppsalttypes != NULL) {
- num_entry_printed = 0;
- for(tmplist = rparams->suppsalttypes; *tmplist != END_OF_LIST;
- tmplist++) {
- retval = krb5_salttype_to_string(*tmplist, buff, BUFF_LEN);
- if (retval == 0) {
- if (num_entry_printed)
- printf(" %25s %-50s\n", " ", buff);
- else
- printf(" %-50s\n", buff);
- num_entry_printed++;
- }
- }
- }
- if (num_entry_printed == 0)
- printf("\n");
- }
if (mask & LDAP_REALM_MAXTICKETLIFE) {
printf("%25s:", "Maximum Ticket Life");
printf(" %s \n", strdur(rparams->max_life));
@@ -2222,10 +1843,11 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
printf("%25s:", "Maximum Renewable Life");
printf(" %s \n", strdur(rparams->max_renewable_life));
}
- printf("%25s: ", "Ticket flags");
- if (mask & LDAP_POLICY_TKTFLAGS) {
+
+ if (mask & LDAP_REALM_KRBTICKETFLAGS) {
int ticketflags = rparams->tktflags;
+ printf("%25s: ", "Ticket flags");
if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
printf("%s ","DISALLOW_POSTDATED");
@@ -2261,16 +1883,9 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
printf("%s ","PWCHANGE_SERVICE");
- }
- if (mask & LDAP_REALM_DEFSALTTYPE) {
- retval = krb5_salttype_to_string(rparams->defsalttype, buff, BUFF_LEN);
- if (retval == 0) {
- printf("\n%25s: %-50s\n", "Default Salt Type", buff);
- }
+ printf("\n");
}
- /* if (mask & LDAP_REALM_POLICYREFERENCE)
- printf("%25s: %-50s\n", "Policy Reference", rparams->policyreference);*/
return;
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index 69e3b7694..1ce08feb2 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -1743,9 +1743,12 @@ kdb5_ldap_set_service_password(argc, argv)
errcode = tohex(pwd, &hex);
if (errcode != 0) {
- if(hex.length != 0)
+ if(hex.length != 0) {
+ memset(hex.data, 0, hex.length);
free(hex.data);
+ }
com_err(me, errcode, "Failed to convert the password to hex");
+ memset(passwd, 0, passwd_len);
goto cleanup;
}
/* Password = {CRYPT}<encrypted password>:<encrypted key> */
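Review bot: The `memset(hex.data, 0, hex.length); free(hex.data);` pair added here, and the same pattern in the later hunks of this file (the ENOMEM path, the post-sprintf release, the `encrypted_passwd.value` cleanup and the `hexpasswd` cleanup in kdb5_ldap_stash_service_password), is a store whose result is never read before the free, so an optimizing compiler is entitled to drop it and the secret stays in the heap. Route these through a zeroing helper that defeats dead-store elimination (a `volatile unsigned char *` loop, or whatever secure-zero helper the tree provides) rather than plain memset. A one-line comment at the first site, `/* zero before free: hex.data holds the service password */`, would also make the intent survive later refactoring. kdb5_ldap_set_service_password begins and ends outside this hunk.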
@@ -1754,6 +1757,7 @@ kdb5_ldap_set_service_password(argc, argv)
if (encrypted_passwd.value == NULL) {
com_err(me, ENOMEM, "while setting service object password");
memset(passwd, 0, passwd_len);
+ memset(hex.data, 0, hex.length);
free(hex.data);
goto cleanup;
}
@@ -1761,6 +1765,8 @@ kdb5_ldap_set_service_password(argc, argv)
1 + 5 + hex.length + 1] = '\0';
sprintf((char *)encrypted_passwd.value, "%s#{HEX}%s\n", service_object, hex.data);
encrypted_passwd.len = strlen((char *)encrypted_passwd.value);
+ memset(hex.data, 0, hex.length);
+ free(hex.data);
}
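Review bot: After the new `free(hex.data)` at the end of this hunk, `hex` still carries the dangling pointer and its non-zero `length`; if the function's cleanup path (not visible here) or any later code also releases or inspects `hex`, that is a double free or a read of freed memory. Reset the descriptor right after the free, `hex.data = NULL; hex.length = 0;`, so any later release is a no-op. The enclosing kdb5_ldap_set_service_password starts and ends outside the hunk.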
/* We should check if the file exists and we have permission to write into that file */
@@ -1912,8 +1918,10 @@ cleanup:
if (passwd)
free(passwd);
- if (encrypted_passwd.value)
+ if (encrypted_passwd.value) {
+ memset(encrypted_passwd.value, 0, encrypted_passwd.len);
free(encrypted_passwd.value);
+ }
if (pfile)
fclose(pfile);
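Review bot: The cleanup block now zeroes `encrypted_passwd.value` before freeing it, but `passwd` two lines above is still freed without being cleared; the `memset(passwd, 0, passwd_len)` calls added earlier in this file run only on the specific error paths they sit in, so whichever path reaches cleanup without passing one of them frees the plaintext as-is. Moving the wipe here covers every path at once, `if (passwd) { memset(passwd, 0, passwd_len); free(passwd); }`, assuming `passwd_len` is in scope at the label as its earlier uses in this function suggest. The function begins outside this hunk.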
@@ -1949,6 +1957,7 @@ kdb5_ldap_stash_service_password(argc, argv)
FILE *pfile = NULL;
krb5_boolean print_usage = FALSE;
krb5_data hexpasswd = {0, 0, NULL};
+ mode_t old_mode = 0;
/*
* Format:
@@ -2047,16 +2056,17 @@ done:
ret = tohex(pwd, &hexpasswd);
if(ret != 0){
- if(hexpasswd.length != 0)
- free(hexpasswd.data);
com_err(me, ret, "Failed to convert the password to hexadecimal");
+ memset(passwd, 0, passwd_len);
goto cleanup;
}
}
+ memset(passwd, 0, passwd_len);
/* TODO: file lock for the service passowrd file */
/* set password in the file */
+ old_mode = umask(0177);
pfile = fopen(file_name, "a+");
if (pfile == NULL) {
com_err(me, errno, "Failed to open file %s: %s", file_name,
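Review bot: `old_mode = umask(0177)` is set before the fopen in this hunk, but the restoring `umask(old_mode)` only comes after `rewind(pfile)` in the next hunk, so the `pfile == NULL` branch jumps to cleanup with the process umask still tightened. Restore it unconditionally right after the open, `pfile = fopen(file_name, "a+"); umask(old_mode); if (pfile == NULL) {`, and drop the later call. Note also that the umask only shapes a file created by this call; an existing service-password file keeps whatever mode it already has, so an fstat on the opened stream with a warning when group/other bits are set would close that gap. kdb5_ldap_stash_service_password begins and ends outside this hunk.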
@@ -2064,6 +2074,7 @@ done:
goto cleanup;
}
rewind (pfile);
+ umask(old_mode);
while (fgets (line, MAX_LEN, pfile) != NULL) {
if ((str = strstr (line, service_object)) != NULL) {
@@ -2162,6 +2173,11 @@ done:
cleanup:
+ if(hexpasswd.length != 0) {
+ memset(hexpasswd.data, 0, hexpasswd.length);
+ free(hexpasswd.data);
+ }
+
if (service_object)
free(service_object);
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
index 20dc3e726..5ff7615f1 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
@@ -29,7 +29,7 @@ a Kerberos realm.
Specifies the SSL port number of the LDAP server.
.SH COMMANDS
.TP
-\fBcreate\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-enctypes\fP\ \fIsupported_enc_types\fP] [\fB\-defenctype\fP\ \fIdefault_enc_type\fP] [\fB\-salttypes\fP\ \fIsupported_salt_types\fP] [\fB\-defsalttype\fP\ \fIdefault_salt_type\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-m\fP|\fB\-P\fP\ \fIpassword\fP|\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP] [\fB\-admindn\fP\ \fIadmin_service_list\fP] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
+\fBcreate\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-m\fP|\fB\-P\fP\ \fIpassword\fP|\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP] [\fB\-admindn\fP\ \fIadmin_service_list\fP] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
Creates realm in directory. Options:
.RS
.TP
@@ -41,18 +41,6 @@ Specifies the scope for searching the principals under the
.IR subtree .
The possible values are 1 or one (one level), 2 or sub (subtree).
.TP
-\fB\-enctypes\fP\ \fIsupported_enc_types\fP
-Specifies the encryption types supported by the realm. This is a colon-separated list.
-.TP
-\fB\-defenctype\fP\ \fIdefault_enc_type\fP
-Specifies the default encryption type for the realm. This is also a part of supported enctypes list.
-.TP
-\fB\-salttypes\fP\ \fIsupported_salt_types\fP
-Specifies the salt types supported by the realm. This is a colon-separated list.
-.TP
-\fB\-defsalttype\fP\ \fIdefault_salt_type\fP
-Specifies the default salt types for the realm.
-.TP
\fB\-k\fP\ \fImkeytype\fP
Specifies the key type of the master key in the database; the default is
that given in
@@ -235,7 +223,7 @@ Re-enter KDC database master key to verify:
.RE
.TP
-\fBmodify\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-enctypes\fP\ \fIsupported_enc_types\fP | [\fB\-clearenctypes\fP\ \fIenc_type_list\fP] [\fB\-addenctypes\fP\ \fIenc_type_list\fP]] [\fB\-defenctype\fP\ \fIdefault_enc_type\fP] [\fB\-salttypes\fP\ \fIsupported_salt_types\fP | [\fB\-clearsalttypes\fP\ \fIsalt_type_list\fP] [\fB\-addsalttypes\fP\ \fIsalt_type_list\fP]] [\fB\-defsalttype\fP\ \fIdefault_salt_type\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP] [\fB\-addkdcdn\fP\ \fIkdc_service_list\fP]] [\fB\-admindn\fP\ \fIadmin_service_list\fP | [\fB\-clearadmindn\fP\ \fIadmin_service_list\fP] [\fB\-addadmindn\fP\ \fIadmin_service_list\fP]] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP | [\fB\-clearpwddn\fP\ \fIpasswd_service_list\fP] [\fB\-addpwddn\fP\ \fIpasswd_service_list\fP]] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
+\fBmodify\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP] [\fB\-addkdcdn\fP\ \fIkdc_service_list\fP]] [\fB\-admindn\fP\ \fIadmin_service_list\fP | [\fB\-clearadmindn\fP\ \fIadmin_service_list\fP] [\fB\-addadmindn\fP\ \fIadmin_service_list\fP]] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP | [\fB\-clearpwddn\fP\ \fIpasswd_service_list\fP] [\fB\-addpwddn\fP\ \fIpasswd_service_list\fP]] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
Modifies the attributes of a realm. Options:
.RS
@@ -248,34 +236,6 @@ Specifies the scope for searching the principals under the
.IR subtree .
The possible values are 1 or one (one level), 2 or sub (subtree).
.TP
-\fB\-enctypes\fP\ \fIsupported_enc_types\fP
-Specifies the encryption types supported by the realm. This is a colon-separated list.
-.TP
-\fB\-clearenctypes\fP\ \fIenc_type_list\fP
-Specifies the encryption types that need to be removed from the supported encryption types
-of the realm. This is a colon-separated list.
-.TP
-\fB\-addenctypes\fP\ \fIenc_type_list\fP
-Specifies the encryption types that need to be added to the supported encryption types of the
-realm. This is a colon-separated list.
-.TP
-\fB\-defenctype\fP\ \fIdefault_enc_type\fP
-Specifies the default encryption type for the realm.
-.TP
-\fB\-salttypes\fP\ \fIsupported_salt_types\fP
-Specifies the salt types supported by the realm. This is a colon-separated list.
-.TP
-\fB\-clearsalttypes\fP\ \fIsalt_type_list\fP
-Specifies the salt types that need to be removed from the supported salt types of the realm.
-This is a colon-separated list.
-.TP
-\fB\-addsalttypes\fP\ \fIsalt_type_list\fP
-Specifies the salt types that need to be added to the supported salt types of the realm. This
-is a colon-separated list.
-.TP
-\fB\-defsalttype\fP\ \fIdefault_salt_type\fP
-Specifies the default salt type for the realm.
-.TP
\fB\-maxtktlife\fP\ \fImax_ticket_life\fP
Specifies maximum ticket life for principals in this realm.
.TP
@@ -476,14 +436,6 @@ Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
SearchScope: ONE
- Supported Enc Types: DES cbc mode with RSA-MD5
- Triple DES cbc mode with HMAC/sha1
- Default Enc Type: Triple DES cbc mode with HMAC/sha1
- Supported Salt Types: Version 5
- Version 4
- Special
- AFS version 3
- Default Salt Type: Version 5
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
index 889151531..4b07b2754 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
@@ -107,7 +107,7 @@ krb5_boolean manual_mkey = FALSE;
void usage()
{
fprintf(stderr, "Usage: "
-"kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]\n"
+"kdb5_ldap_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]\n"
"\tcmd [cmd_options]\n"
/* Create realm */
@@ -116,8 +116,6 @@ void usage()
"\t\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n"
"\t\t[-pwddn passwd_service_list]\n"
#endif
-"\t\t[-enctypes supported_enc_types] [-defenctype default_enc_type]\n"
-"\t\t[-salttypes supported_salt_types] [-defsalttype default_salt_type]\n"
"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype]\n"
"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
"\t\t[ticket_flags] [-r realm]\n"
@@ -131,10 +129,6 @@ void usage()
"\t\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n"
"\t\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n"
#endif
-"\t\t[-enctypes supported_enc_types | [-clearenctypes enc_type_list]\n"
-"\t\t[-addenctypes enc_type_list]] [-defenctype default_enc_type]\n"
-"\t\t[-salttypes supported_salt_types | [-clearsalttypes salt_type_list]\n"
-"\t\t[-addsalttypes salt_type_list]] [-defsalttype default_salt_type]\n"
"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
"\t\t[ticket_flags] [-r realm]\n"
/* View realm */
@@ -508,6 +502,8 @@ int main(argc, argv)
goto cleanup;
}
+ ldap_context->kcontext = util_context;
+
/* If LDAP parameters are specified, replace them with the values from config */
if (ldapmask & CMD_LDAP_D) {
/* If password is not specified, prompt for it */